# Flog Txt Version 1 # Analyzer Version: 3.2.2 # Analyzer Build Date: Jun 3 2020 08:38:37 # Log Creation Date: 11.11.2020 08:42:22.735 Process: id = "1" image_name = "build.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\build.exe" page_root = "0x1baf3000" os_pid = "0x5bc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x454" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\build.exe\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0x43c [0060.544] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28ff50 | out: lpSystemTimeAsFileTime=0x28ff50*(dwLowDateTime=0xb35d40e0, dwHighDateTime=0x1d6b806)) [0060.544] GetCurrentProcessId () returned 0x5bc [0060.544] GetCurrentThreadId () returned 0x43c [0060.544] GetTickCount () returned 0x114a352 [0060.544] QueryPerformanceCounter (in: lpPerformanceCount=0x28ff58 | out: lpPerformanceCount=0x28ff58*=18083430569) returned 1 [0060.582] __set_app_type (_Type=0x1) [0060.582] __p__fmode () returned 0x770331f4 [0060.827] __getmainargs (in: _Argc=0x478018, _Argv=0x478014, _Env=0x478010, _DoWildCard=-1, _StartInfo=0x478000 | out: _Argc=0x478018, _Argv=0x478014, _Env=0x478010) returned 0 [0060.831] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x473730) returned 0x0 [0060.832] __p__acmdln () returned 0x770304d8*="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\build.exe\" " [0060.832] malloc (_Size=0x8) returned 0x791300 [0060.833] strlen (_Str="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\build.exe") returned 0x2f [0060.833] malloc (_Size=0x30) returned 0x791320 [0060.833] _onexit (_Func=0x401500) returned 0x401500 [0060.833] _onexit (_Func=0x472f50) returned 0x472f50 [0060.833] GetSystemInfo (in: lpSystemInfo=0x28fdc4 | out: lpSystemInfo=0x28fdc4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0060.833] GetDriveTypeW (lpRootPathName="Q:\\") returned 0x1 [0060.833] GetDriveTypeW (lpRootPathName="W:\\") returned 0x1 [0060.834] GetDriveTypeW (lpRootPathName="E:\\") returned 0x1 [0060.834] GetDriveTypeW (lpRootPathName="R:\\") returned 0x1 [0060.834] GetDriveTypeW (lpRootPathName="T:\\") returned 0x1 [0060.834] GetDriveTypeW (lpRootPathName="Y:\\") returned 0x1 [0060.834] GetDriveTypeW (lpRootPathName="U:\\") returned 0x1 [0060.835] GetDriveTypeW (lpRootPathName="I:\\") returned 0x1 [0060.835] GetDriveTypeW (lpRootPathName="O:\\") returned 0x1 [0060.835] GetDriveTypeW (lpRootPathName="P:\\") returned 0x1 [0060.835] GetDriveTypeW (lpRootPathName="A:\\") returned 0x1 [0060.835] GetDriveTypeW (lpRootPathName="S:\\") returned 0x1 [0060.836] GetDriveTypeW (lpRootPathName="D:\\") returned 0x1 [0060.836] GetDriveTypeW (lpRootPathName="F:\\") returned 0x1 [0060.836] GetDriveTypeW (lpRootPathName="G:\\") returned 0x1 [0060.836] GetDriveTypeW (lpRootPathName="H:\\") returned 0x1 [0060.836] GetDriveTypeW (lpRootPathName="J:\\") returned 0x1 [0060.836] GetDriveTypeW (lpRootPathName="K:\\") returned 0x1 [0060.837] GetDriveTypeW (lpRootPathName="L:\\") returned 0x1 [0060.837] GetDriveTypeW (lpRootPathName="Z:\\") returned 0x1 [0060.837] GetDriveTypeW (lpRootPathName="X:\\") returned 0x1 [0060.837] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0060.837] GetDriveTypeW (lpRootPathName="V:\\") returned 0x1 [0060.837] GetDriveTypeW (lpRootPathName="B:\\") returned 0x1 [0060.838] GetDriveTypeW (lpRootPathName="N:\\") returned 0x1 [0060.838] GetDriveTypeW (lpRootPathName="M:\\") returned 0x1 [0060.838] GetProcessHeap () returned 0x4c0000 [0060.838] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x4d4918 [0060.841] GetProcessHeap () returned 0x4c0000 [0060.841] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x4e4920 [0060.842] FindFirstVolumeW (in: lpszVolumeName=0x4d4918, cchBufferLength=0x8000 | out: lpszVolumeName="\\\\?\\Volume{92eb13a2-4a1d-11e7-bae1-806e6f6e6963}\\") returned 0x4f4928 [0060.843] GetVolumePathNamesForVolumeNameW (in: lpszVolumeName="\\\\?\\Volume{92eb13a2-4a1d-11e7-bae1-806e6f6e6963}\\", lpszVolumePathNames=0x28f750, cchBufferLength=0x78, lpcchReturnLength=0x28f840 | out: lpszVolumePathNames=0x28f750, lpcchReturnLength=0x28f840) returned 1 [0060.844] lstrlenW (lpString="C:\\") returned 3 [0060.844] FindNextVolumeW (in: hFindVolume=0x4f4928, lpszVolumeName=0x4d4918, cchBufferLength=0x7fff | out: hFindVolume=0x4f4928, lpszVolumeName="\\\\?\\Volume{92eb13a2-4a1d-11e7-bae1-806e6f6e6963}\\") returned 0 [0060.844] FindVolumeClose (hFindVolume=0x4f4928) returned 1 [0060.844] GetProcessHeap () returned 0x4c0000 [0060.844] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x4e4920 | out: hHeap=0x4c0000) returned 1 [0060.844] GetProcessHeap () returned 0x4c0000 [0060.844] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x4d4918 | out: hHeap=0x4c0000) returned 1 [0060.844] CreateIoCompletionPort (FileHandle=0xffffffff, ExistingCompletionPort=0x0, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x94 [0060.844] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x423a80, lpParameter=0x94, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x98 [0060.845] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x423a80, lpParameter=0x94, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x9c [0060.846] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x423a80, lpParameter=0x94, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xa0 [0060.846] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x423a80, lpParameter=0x94, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xa4 [0060.847] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x423a80, lpParameter=0x94, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xa8 [0060.848] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x423a80, lpParameter=0x94, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xac [0060.849] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x423a80, lpParameter=0x94, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xb0 [0060.850] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x423a80, lpParameter=0x94, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xb4 [0060.851] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x13, lpNetResource=0x0, lphEnum=0x28f5b8 | out: lphEnum=0x28f5b8*=0x4d5718) returned 0x0 [0062.953] GetProcessHeap () returned 0x4c0000 [0062.953] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x4000) returned 0x4d7f68 [0062.953] WNetEnumResourceW (in: hEnum=0x4d5718, lpcCount=0x28f5b4, lpBuffer=0x4d7f68, lpBufferSize=0x28f5b0 | out: lpcCount=0x28f5b4, lpBuffer=0x4d7f68, lpBufferSize=0x28f5b0) returned 0x0 [0062.953] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x13, lpNetResource=0x4d7f68, lphEnum=0x28f0f8 | out: lphEnum=0x28f0f8*=0x4dc158) returned 0x0 [0062.962] GetProcessHeap () returned 0x4c0000 [0062.962] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x4000) returned 0x4e0700 [0062.962] WNetEnumResourceW (in: hEnum=0x4dc158, lpcCount=0x28f0f4, lpBuffer=0x4e0700, lpBufferSize=0x28f0f0 | out: lpcCount=0x28f0f4, lpBuffer=0x4e0700, lpBufferSize=0x28f0f0) returned 0x103 [0062.962] GetProcessHeap () returned 0x4c0000 [0062.962] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x4e0700 | out: hHeap=0x4c0000) returned 1 [0062.962] WNetCloseEnum (hEnum=0x4dc158) returned 0x0 [0062.962] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x13, lpNetResource=0x4d7f88, lphEnum=0x28f0f8 | out: lphEnum=0x28f0f8*=0x2) returned 0x4b8 [0076.014] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x13, lpNetResource=0x4d7fa8, lphEnum=0x28f0f8 | out: lphEnum=0x28f0f8*=0x2) returned 0x4c6 [0076.025] WNetEnumResourceW (in: hEnum=0x4d5718, lpcCount=0x28f5b4, lpBuffer=0x4d7f68, lpBufferSize=0x28f5b0 | out: lpcCount=0x28f5b4, lpBuffer=0x4d7f68, lpBufferSize=0x28f5b0) returned 0x103 [0076.025] GetProcessHeap () returned 0x4c0000 [0076.025] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x4d7f68 | out: hHeap=0x4c0000) returned 1 [0076.026] WNetCloseEnum (hEnum=0x4d5718) returned 0x0 [0076.026] GetLogicalDrives () returned 0x4 [0076.026] GetProcessHeap () returned 0x4c0000 [0076.026] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x4e2a78 [0076.028] wnsprintfW (in: pszDest=0x4e2a78, cchDest=32768, pszFmt="\\\\?\\%c:" | out: pszDest="\\\\?\\C:") returned 6 [0076.028] GetDriveTypeW (lpRootPathName="\\\\?\\C:") returned 0x1 [0076.028] GetProcessHeap () returned 0x4c0000 [0076.028] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x4f2a80 [0076.029] lstrcpyW (in: lpString1=0x4f2a80, lpString2="\\\\?\\C:" | out: lpString1="\\\\?\\C:") returned="\\\\?\\C:" [0076.029] lstrcatW (in: lpString1="\\\\?\\C:", lpString2="\\*" | out: lpString1="\\\\?\\C:\\*") returned="\\\\?\\C:\\*" [0076.029] FindFirstFileW (in: lpFileName="\\\\?\\C:\\*", lpFindFileData=0x28f2d8 | out: lpFindFileData=0x28f2d8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0x4d5718 [0076.030] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="Windows") returned -1 [0076.033] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="Program Files") returned -1 [0076.033] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="Program Files (x86)") returned -1 [0076.033] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="$Recycle.bin") returned 0 [0076.033] FindNextFileW (in: hFindFile=0x4d5718, lpFindFileData=0x28f2d8 | out: lpFindFileData=0x28f2d8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0076.033] lstrcmpiW (lpString1="Boot", lpString2="Windows") returned -1 [0076.033] lstrcmpiW (lpString1="Boot", lpString2="Program Files") returned -1 [0076.033] lstrcmpiW (lpString1="Boot", lpString2="Program Files (x86)") returned -1 [0076.033] lstrcmpiW (lpString1="Boot", lpString2="$Recycle.bin") returned 1 [0076.033] lstrcmpiW (lpString1="Boot", lpString2="System Volume Information") returned -1 [0076.033] lstrcmpiW (lpString1="Boot", lpString2=".") returned 1 [0076.033] lstrcmpiW (lpString1="Boot", lpString2="..") returned 1 [0076.033] wnsprintfW (in: pszDest=0x4f2a80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot") returned 11 [0076.033] GetProcessHeap () returned 0x4c0000 [0076.033] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x502a88 [0076.034] lstrcpyW (in: lpString1=0x502a88, lpString2="\\\\?\\C:\\Boot" | out: lpString1="\\\\?\\C:\\Boot") returned="\\\\?\\C:\\Boot" [0076.034] lstrcatW (in: lpString1="\\\\?\\C:\\Boot", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\*") returned="\\\\?\\C:\\Boot\\*" [0076.034] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\*", lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ecb0, dwReserved1=0x45, cFileName=".", cAlternateFileName="")) returned 0x4e22d0 [0076.034] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.034] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.034] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.034] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.034] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.034] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0076.034] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ecb0, dwReserved1=0x45, cFileName="..", cAlternateFileName="")) returned 1 [0076.035] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.035] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.035] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.035] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.035] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.035] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0076.035] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0076.035] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac2e8a60, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x90cd45e0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x90cd45e0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0x28ecb0, dwReserved1=0x45, cFileName="BCD", cAlternateFileName="")) returned 1 [0076.035] lstrcmpiW (lpString1="BCD", lpString2="Windows") returned -1 [0076.035] lstrcmpiW (lpString1="BCD", lpString2="Program Files") returned -1 [0076.035] lstrcmpiW (lpString1="BCD", lpString2="Program Files (x86)") returned -1 [0076.035] lstrcmpiW (lpString1="BCD", lpString2="$Recycle.bin") returned 1 [0076.035] lstrcmpiW (lpString1="BCD", lpString2="System Volume Information") returned -1 [0076.035] lstrcmpiW (lpString1="BCD", lpString2=".") returned 1 [0076.035] lstrcmpiW (lpString1="BCD", lpString2="..") returned 1 [0076.035] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\BCD") returned 15 [0076.035] lstrcmpW (lpString1="BCD", lpString2="PUSSY.TXT") returned -1 [0076.035] PathFindExtensionW (pszPath="BCD") returned="" [0076.035] lstrlenW (lpString="") returned 0 [0076.035] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77710000 [0076.035] GetProcAddress (hModule=0x77710000, lpProcName="SystemFunction036") returned 0x77711919 [0076.036] SystemFunction036 (in: RandomBuffer=0x28ea24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ea24) returned 1 [0076.036] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0076.037] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xac2e8a60, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac2e8a60, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x9098e7a0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x5400, dwReserved0=0x28ecb0, dwReserved1=0x45, cFileName="BCD.LOG", cAlternateFileName="")) returned 1 [0076.037] lstrcmpiW (lpString1="BCD.LOG", lpString2="Windows") returned -1 [0076.037] lstrcmpiW (lpString1="BCD.LOG", lpString2="Program Files") returned -1 [0076.037] lstrcmpiW (lpString1="BCD.LOG", lpString2="Program Files (x86)") returned -1 [0076.037] lstrcmpiW (lpString1="BCD.LOG", lpString2="$Recycle.bin") returned 1 [0076.037] lstrcmpiW (lpString1="BCD.LOG", lpString2="System Volume Information") returned -1 [0076.037] lstrcmpiW (lpString1="BCD.LOG", lpString2=".") returned 1 [0076.037] lstrcmpiW (lpString1="BCD.LOG", lpString2="..") returned 1 [0076.037] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\BCD.LOG") returned 19 [0076.037] lstrcmpW (lpString1="BCD.LOG", lpString2="PUSSY.TXT") returned -1 [0076.037] PathFindExtensionW (pszPath="BCD.LOG") returned=".LOG" [0076.037] lstrlenW (lpString=".LOG") returned 4 [0076.037] SystemFunction036 (in: RandomBuffer=0x28ea24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ea24) returned 1 [0076.037] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BCD.LOG" (normalized: "c:\\boot\\bcd.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0076.037] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xac30ebc0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ecb0, dwReserved1=0x45, cFileName="BCD.LOG1", cAlternateFileName="BCD~1.LOG")) returned 1 [0076.037] lstrcmpiW (lpString1="BCD.LOG1", lpString2="Windows") returned -1 [0076.037] lstrcmpiW (lpString1="BCD.LOG1", lpString2="Program Files") returned -1 [0076.037] lstrcmpiW (lpString1="BCD.LOG1", lpString2="Program Files (x86)") returned -1 [0076.037] lstrcmpiW (lpString1="BCD.LOG1", lpString2="$Recycle.bin") returned 1 [0076.037] lstrcmpiW (lpString1="BCD.LOG1", lpString2="System Volume Information") returned -1 [0076.037] lstrcmpiW (lpString1="BCD.LOG1", lpString2=".") returned 1 [0076.037] lstrcmpiW (lpString1="BCD.LOG1", lpString2="..") returned 1 [0076.037] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\BCD.LOG1") returned 20 [0076.037] lstrcmpW (lpString1="BCD.LOG1", lpString2="PUSSY.TXT") returned -1 [0076.037] PathFindExtensionW (pszPath="BCD.LOG1") returned=".LOG1" [0076.037] lstrlenW (lpString=".LOG1") returned 5 [0076.037] SystemFunction036 (in: RandomBuffer=0x28ea24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ea24) returned 1 [0076.038] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x168 [0076.038] GetFileSizeEx (in: hFile=0x168, lpFileSize=0x28ea18 | out: lpFileSize=0x28ea18*=0) returned 1 [0076.038] CloseHandle (hObject=0x168) returned 1 [0076.038] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xac30ebc0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ecb0, dwReserved1=0x45, cFileName="BCD.LOG2", cAlternateFileName="BCD~2.LOG")) returned 1 [0076.038] lstrcmpiW (lpString1="BCD.LOG2", lpString2="Windows") returned -1 [0076.038] lstrcmpiW (lpString1="BCD.LOG2", lpString2="Program Files") returned -1 [0076.038] lstrcmpiW (lpString1="BCD.LOG2", lpString2="Program Files (x86)") returned -1 [0076.038] lstrcmpiW (lpString1="BCD.LOG2", lpString2="$Recycle.bin") returned 1 [0076.038] lstrcmpiW (lpString1="BCD.LOG2", lpString2="System Volume Information") returned -1 [0076.038] lstrcmpiW (lpString1="BCD.LOG2", lpString2=".") returned 1 [0076.038] lstrcmpiW (lpString1="BCD.LOG2", lpString2="..") returned 1 [0076.038] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\BCD.LOG2") returned 20 [0076.038] lstrcmpW (lpString1="BCD.LOG2", lpString2="PUSSY.TXT") returned -1 [0076.038] PathFindExtensionW (pszPath="BCD.LOG2") returned=".LOG2" [0076.038] lstrlenW (lpString=".LOG2") returned 5 [0076.038] SystemFunction036 (in: RandomBuffer=0x28ea24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ea24) returned 1 [0076.038] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x168 [0076.039] GetFileSizeEx (in: hFile=0x168, lpFileSize=0x28ea18 | out: lpFileSize=0x28ea18*=0) returned 1 [0076.039] CloseHandle (hObject=0x168) returned 1 [0076.039] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x28ecb0, dwReserved1=0x45, cFileName="BOOTSTAT.DAT", cAlternateFileName="")) returned 1 [0076.039] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="Windows") returned -1 [0076.039] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="Program Files") returned -1 [0076.039] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="Program Files (x86)") returned -1 [0076.039] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="$Recycle.bin") returned 1 [0076.039] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="System Volume Information") returned -1 [0076.039] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2=".") returned 1 [0076.039] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="..") returned 1 [0076.039] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\BOOTSTAT.DAT") returned 24 [0076.039] lstrcmpW (lpString1="BOOTSTAT.DAT", lpString2="PUSSY.TXT") returned -1 [0076.039] PathFindExtensionW (pszPath="BOOTSTAT.DAT") returned=".DAT" [0076.039] lstrlenW (lpString=".DAT") returned 4 [0076.039] SystemFunction036 (in: RandomBuffer=0x28ea24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ea24) returned 1 [0076.039] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x168 [0076.052] GetFileSizeEx (in: hFile=0x168, lpFileSize=0x28ea18 | out: lpFileSize=0x28ea18*=65536) returned 1 [0076.052] GetProcessHeap () returned 0x4c0000 [0076.052] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x512a90 [0076.068] wsprintfW (in: param_1=0x28ea66, param_2="%02X" | out: param_1="1F") returned 2 [0076.069] wsprintfW (in: param_1=0x28ea6a, param_2="%02X" | out: param_1="10") returned 2 [0076.069] wsprintfW (in: param_1=0x28ea6e, param_2="%02X" | out: param_1="99") returned 2 [0076.069] wsprintfW (in: param_1=0x28ea72, param_2="%02X" | out: param_1="84") returned 2 [0076.069] wsprintfW (in: param_1=0x28ea76, param_2="%02X" | out: param_1="4B") returned 2 [0076.069] wsprintfW (in: param_1=0x28ea7a, param_2="%02X" | out: param_1="0C") returned 2 [0076.069] wsprintfW (in: param_1=0x28ea7e, param_2="%02X" | out: param_1="55") returned 2 [0076.069] wsprintfW (in: param_1=0x28ea82, param_2="%02X" | out: param_1="43") returned 2 [0076.069] wsprintfW (in: param_1=0x28ea86, param_2="%02X" | out: param_1="F8") returned 2 [0076.069] wsprintfW (in: param_1=0x28ea8a, param_2="%02X" | out: param_1="9C") returned 2 [0076.069] wsprintfW (in: param_1=0x28ea8e, param_2="%02X" | out: param_1="76") returned 2 [0076.069] wsprintfW (in: param_1=0x28ea92, param_2="%02X" | out: param_1="11") returned 2 [0076.069] wsprintfW (in: param_1=0x28ea96, param_2="%02X" | out: param_1="B7") returned 2 [0076.069] wsprintfW (in: param_1=0x28ea9a, param_2="%02X" | out: param_1="4A") returned 2 [0076.069] wsprintfW (in: param_1=0x28ea9e, param_2="%02X" | out: param_1="8C") returned 2 [0076.069] wsprintfW (in: param_1=0x28eaa2, param_2="%02X" | out: param_1="75") returned 2 [0076.069] wsprintfW (in: param_1=0x28eaa6, param_2="%02X" | out: param_1="6C") returned 2 [0076.069] wsprintfW (in: param_1=0x28eaaa, param_2="%02X" | out: param_1="AA") returned 2 [0076.069] wsprintfW (in: param_1=0x28eaae, param_2="%02X" | out: param_1="2B") returned 2 [0076.069] wsprintfW (in: param_1=0x28eab2, param_2="%02X" | out: param_1="E0") returned 2 [0076.069] wsprintfW (in: param_1=0x28eab6, param_2="%02X" | out: param_1="94") returned 2 [0076.069] wsprintfW (in: param_1=0x28eaba, param_2="%02X" | out: param_1="D2") returned 2 [0076.069] wsprintfW (in: param_1=0x28eabe, param_2="%02X" | out: param_1="FB") returned 2 [0076.069] wsprintfW (in: param_1=0x28eac2, param_2="%02X" | out: param_1="E0") returned 2 [0076.069] wsprintfW (in: param_1=0x28eac6, param_2="%02X" | out: param_1="AB") returned 2 [0076.069] wsprintfW (in: param_1=0x28eaca, param_2="%02X" | out: param_1="A2") returned 2 [0076.069] wsprintfW (in: param_1=0x28eace, param_2="%02X" | out: param_1="37") returned 2 [0076.069] wsprintfW (in: param_1=0x28ead2, param_2="%02X" | out: param_1="31") returned 2 [0076.069] wsprintfW (in: param_1=0x28ead6, param_2="%02X" | out: param_1="10") returned 2 [0076.069] wsprintfW (in: param_1=0x28eada, param_2="%02X" | out: param_1="A1") returned 2 [0076.070] wsprintfW (in: param_1=0x28eade, param_2="%02X" | out: param_1="A4") returned 2 [0076.070] wsprintfW (in: param_1=0x28eae2, param_2="%02X" | out: param_1="72") returned 2 [0076.080] lstrcpyW (in: lpString1=0x522ac4, lpString2="\\\\?\\C:\\Boot\\BOOTSTAT.DAT" | out: lpString1="\\\\?\\C:\\Boot\\BOOTSTAT.DAT") returned="\\\\?\\C:\\Boot\\BOOTSTAT.DAT" [0076.080] lstrcpyW (in: lpString1=0x512ac4, lpString2="\\\\?\\C:\\Boot\\BOOTSTAT.DAT" | out: lpString1="\\\\?\\C:\\Boot\\BOOTSTAT.DAT") returned="\\\\?\\C:\\Boot\\BOOTSTAT.DAT" [0076.080] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\BOOTSTAT.DAT", lpString2=".1F1099844B0C5543F89C7611B74A8C756CAA2BE094D2FBE0ABA2373110A1A472" | out: lpString1="\\\\?\\C:\\Boot\\BOOTSTAT.DAT.1F1099844B0C5543F89C7611B74A8C756CAA2BE094D2FBE0ABA2373110A1A472") returned="\\\\?\\C:\\Boot\\BOOTSTAT.DAT.1F1099844B0C5543F89C7611B74A8C756CAA2BE094D2FBE0ABA2373110A1A472" [0076.080] CreateIoCompletionPort (FileHandle=0x168, ExistingCompletionPort=0x94, CompletionKey=0x512a90, NumberOfConcurrentThreads=0x0) returned 0x94 [0076.080] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x512a90, lpOverlapped=0x512a90) returned 1 [0076.115] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ecb0, dwReserved1=0x45, cFileName="cs-CZ", cAlternateFileName="")) returned 1 [0076.115] lstrcmpiW (lpString1="cs-CZ", lpString2="Windows") returned -1 [0076.115] lstrcmpiW (lpString1="cs-CZ", lpString2="Program Files") returned -1 [0076.115] lstrcmpiW (lpString1="cs-CZ", lpString2="Program Files (x86)") returned -1 [0076.115] lstrcmpiW (lpString1="cs-CZ", lpString2="$Recycle.bin") returned 1 [0076.115] lstrcmpiW (lpString1="cs-CZ", lpString2="System Volume Information") returned -1 [0076.115] lstrcmpiW (lpString1="cs-CZ", lpString2=".") returned 1 [0076.115] lstrcmpiW (lpString1="cs-CZ", lpString2="..") returned 1 [0076.115] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ") returned 17 [0076.115] GetProcessHeap () returned 0x4c0000 [0076.115] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53aae0 [0076.116] lstrcpyW (in: lpString1=0x53aae0, lpString2="\\\\?\\C:\\Boot\\cs-CZ" | out: lpString1="\\\\?\\C:\\Boot\\cs-CZ") returned="\\\\?\\C:\\Boot\\cs-CZ" [0076.116] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\cs-CZ", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\cs-CZ\\*") returned="\\\\?\\C:\\Boot\\cs-CZ\\*" [0076.116] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\*", lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e2920 [0076.116] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.116] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.116] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.116] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.116] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.116] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0076.116] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0076.116] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.116] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.117] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.117] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.117] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.117] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0076.117] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0076.117] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c50, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0076.117] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0076.117] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0076.117] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0076.117] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0076.117] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0076.117] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0076.117] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0076.117] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 33 [0076.117] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PUSSY.TXT") returned -1 [0076.117] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0076.117] lstrlenW (lpString=".mui") returned 4 [0076.117] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0076.117] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0076.118] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c50, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0076.118] FindClose (in: hFindFile=0x4e2920 | out: hFindFile=0x4e2920) returned 1 [0076.118] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\PUSSY.TXT") returned 27 [0076.118] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\PUSSY.TXT" (normalized: "c:\\boot\\cs-cz\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0076.119] lstrlenA (lpString="abcd") returned 4 [0076.119] WriteFile (in: hFile=0x16c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28e5ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28e5ec*=0x4, lpOverlapped=0x0) returned 1 [0076.119] CloseHandle (hObject=0x16c) returned 1 [0076.121] GetProcessHeap () returned 0x4c0000 [0076.121] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53aae0 | out: hHeap=0x4c0000) returned 1 [0076.121] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ecb0, dwReserved1=0x45, cFileName="da-DK", cAlternateFileName="")) returned 1 [0076.121] lstrcmpiW (lpString1="da-DK", lpString2="Windows") returned -1 [0076.121] lstrcmpiW (lpString1="da-DK", lpString2="Program Files") returned -1 [0076.121] lstrcmpiW (lpString1="da-DK", lpString2="Program Files (x86)") returned -1 [0076.121] lstrcmpiW (lpString1="da-DK", lpString2="$Recycle.bin") returned 1 [0076.121] lstrcmpiW (lpString1="da-DK", lpString2="System Volume Information") returned -1 [0076.121] lstrcmpiW (lpString1="da-DK", lpString2=".") returned 1 [0076.121] lstrcmpiW (lpString1="da-DK", lpString2="..") returned 1 [0076.121] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\da-DK") returned 17 [0076.121] GetProcessHeap () returned 0x4c0000 [0076.122] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53aae0 [0076.122] lstrcpyW (in: lpString1=0x53aae0, lpString2="\\\\?\\C:\\Boot\\da-DK" | out: lpString1="\\\\?\\C:\\Boot\\da-DK") returned="\\\\?\\C:\\Boot\\da-DK" [0076.122] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\da-DK", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\da-DK\\*") returned="\\\\?\\C:\\Boot\\da-DK\\*" [0076.122] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\da-DK\\*", lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e2920 [0076.122] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.122] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.122] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.122] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.122] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.122] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0076.122] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0076.122] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.122] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.122] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.122] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.122] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.122] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0076.122] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0076.122] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0076.122] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0076.123] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0076.123] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0076.123] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0076.123] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0076.123] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0076.123] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0076.123] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 33 [0076.123] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PUSSY.TXT") returned -1 [0076.123] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0076.123] lstrlenW (lpString=".mui") returned 4 [0076.123] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0076.123] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0076.124] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0076.124] FindClose (in: hFindFile=0x4e2920 | out: hFindFile=0x4e2920) returned 1 [0076.124] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\PUSSY.TXT") returned 27 [0076.124] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\da-DK\\PUSSY.TXT" (normalized: "c:\\boot\\da-dk\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0076.124] lstrlenA (lpString="abcd") returned 4 [0076.124] WriteFile (in: hFile=0x16c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28e5ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28e5ec*=0x4, lpOverlapped=0x0) returned 1 [0076.125] CloseHandle (hObject=0x16c) returned 1 [0076.125] GetProcessHeap () returned 0x4c0000 [0076.125] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53aae0 | out: hHeap=0x4c0000) returned 1 [0076.125] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ecb0, dwReserved1=0x45, cFileName="de-DE", cAlternateFileName="")) returned 1 [0076.125] lstrcmpiW (lpString1="de-DE", lpString2="Windows") returned -1 [0076.125] lstrcmpiW (lpString1="de-DE", lpString2="Program Files") returned -1 [0076.125] lstrcmpiW (lpString1="de-DE", lpString2="Program Files (x86)") returned -1 [0076.125] lstrcmpiW (lpString1="de-DE", lpString2="$Recycle.bin") returned 1 [0076.125] lstrcmpiW (lpString1="de-DE", lpString2="System Volume Information") returned -1 [0076.126] lstrcmpiW (lpString1="de-DE", lpString2=".") returned 1 [0076.126] lstrcmpiW (lpString1="de-DE", lpString2="..") returned 1 [0076.126] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\de-DE") returned 17 [0076.126] GetProcessHeap () returned 0x4c0000 [0076.126] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53aae0 [0076.126] lstrcpyW (in: lpString1=0x53aae0, lpString2="\\\\?\\C:\\Boot\\de-DE" | out: lpString1="\\\\?\\C:\\Boot\\de-DE") returned="\\\\?\\C:\\Boot\\de-DE" [0076.126] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\de-DE", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\de-DE\\*") returned="\\\\?\\C:\\Boot\\de-DE\\*" [0076.126] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\de-DE\\*", lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e2920 [0076.126] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.126] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.126] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.126] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.126] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.126] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0076.126] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0076.126] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.126] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.126] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.126] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.126] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.126] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0076.127] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0076.127] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8132526, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16640, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0076.127] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0076.127] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0076.127] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0076.127] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0076.127] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0076.127] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0076.127] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0076.127] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 33 [0076.127] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PUSSY.TXT") returned -1 [0076.127] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0076.127] lstrlenW (lpString=".mui") returned 4 [0076.127] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0076.127] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0076.127] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8132526, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16640, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0076.127] FindClose (in: hFindFile=0x4e2920 | out: hFindFile=0x4e2920) returned 1 [0076.127] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\PUSSY.TXT") returned 27 [0076.127] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\de-DE\\PUSSY.TXT" (normalized: "c:\\boot\\de-de\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0076.128] lstrlenA (lpString="abcd") returned 4 [0076.128] WriteFile (in: hFile=0x16c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28e5ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28e5ec*=0x4, lpOverlapped=0x0) returned 1 [0076.129] CloseHandle (hObject=0x16c) returned 1 [0076.129] GetProcessHeap () returned 0x4c0000 [0076.129] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53aae0 | out: hHeap=0x4c0000) returned 1 [0076.129] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ecb0, dwReserved1=0x45, cFileName="el-GR", cAlternateFileName="")) returned 1 [0076.129] lstrcmpiW (lpString1="el-GR", lpString2="Windows") returned -1 [0076.129] lstrcmpiW (lpString1="el-GR", lpString2="Program Files") returned -1 [0076.129] lstrcmpiW (lpString1="el-GR", lpString2="Program Files (x86)") returned -1 [0076.129] lstrcmpiW (lpString1="el-GR", lpString2="$Recycle.bin") returned 1 [0076.129] lstrcmpiW (lpString1="el-GR", lpString2="System Volume Information") returned -1 [0076.129] lstrcmpiW (lpString1="el-GR", lpString2=".") returned 1 [0076.129] lstrcmpiW (lpString1="el-GR", lpString2="..") returned 1 [0076.129] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\el-GR") returned 17 [0076.129] GetProcessHeap () returned 0x4c0000 [0076.129] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53aae0 [0076.129] lstrcpyW (in: lpString1=0x53aae0, lpString2="\\\\?\\C:\\Boot\\el-GR" | out: lpString1="\\\\?\\C:\\Boot\\el-GR") returned="\\\\?\\C:\\Boot\\el-GR" [0076.129] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\el-GR", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\el-GR\\*") returned="\\\\?\\C:\\Boot\\el-GR\\*" [0076.129] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\el-GR\\*", lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e2920 [0076.130] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.130] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.130] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.130] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.130] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.130] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0076.130] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0076.130] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.130] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.130] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.130] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.130] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.130] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0076.130] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0076.130] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea239054, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x17250, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0076.130] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0076.130] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0076.130] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0076.130] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0076.130] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0076.130] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0076.130] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0076.130] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 33 [0076.130] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PUSSY.TXT") returned -1 [0076.130] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0076.130] lstrlenW (lpString=".mui") returned 4 [0076.131] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0076.131] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0076.131] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea239054, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x17250, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0076.131] FindClose (in: hFindFile=0x4e2920 | out: hFindFile=0x4e2920) returned 1 [0076.131] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\PUSSY.TXT") returned 27 [0076.131] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\el-GR\\PUSSY.TXT" (normalized: "c:\\boot\\el-gr\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0076.132] lstrlenA (lpString="abcd") returned 4 [0076.132] WriteFile (in: hFile=0x16c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28e5ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28e5ec*=0x4, lpOverlapped=0x0) returned 1 [0076.133] CloseHandle (hObject=0x16c) returned 1 [0076.133] GetProcessHeap () returned 0x4c0000 [0076.133] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53aae0 | out: hHeap=0x4c0000) returned 1 [0076.133] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ecb0, dwReserved1=0x45, cFileName="en-US", cAlternateFileName="")) returned 1 [0076.133] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0076.133] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0076.133] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0076.133] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0076.133] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0076.133] lstrcmpiW (lpString1="en-US", lpString2=".") returned 1 [0076.133] lstrcmpiW (lpString1="en-US", lpString2="..") returned 1 [0076.133] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\en-US") returned 17 [0076.133] GetProcessHeap () returned 0x4c0000 [0076.133] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53aae0 [0076.133] lstrcpyW (in: lpString1=0x53aae0, lpString2="\\\\?\\C:\\Boot\\en-US" | out: lpString1="\\\\?\\C:\\Boot\\en-US") returned="\\\\?\\C:\\Boot\\en-US" [0076.133] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\en-US", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\en-US\\*") returned="\\\\?\\C:\\Boot\\en-US\\*" [0076.133] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\en-US\\*", lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e2920 [0076.134] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.134] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.134] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.134] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.134] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.134] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0076.134] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0076.134] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.134] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.134] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.134] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.134] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.134] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0076.134] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0076.134] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x14c40, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0076.134] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0076.134] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0076.134] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0076.134] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0076.134] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0076.134] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0076.134] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0076.134] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui") returned 33 [0076.134] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PUSSY.TXT") returned -1 [0076.134] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0076.134] lstrlenW (lpString=".mui") returned 4 [0076.134] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0076.134] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0076.135] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xc3080a8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xaa50, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0076.135] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0076.135] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0076.135] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0076.135] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0076.135] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0076.135] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0076.135] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0076.135] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui") returned 33 [0076.135] lstrcmpW (lpString1="memtest.exe.mui", lpString2="PUSSY.TXT") returned -1 [0076.135] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0076.135] lstrlenW (lpString=".mui") returned 4 [0076.135] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0076.135] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0076.135] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xc3080a8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xaa50, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0076.135] FindClose (in: hFindFile=0x4e2920 | out: hFindFile=0x4e2920) returned 1 [0076.135] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\PUSSY.TXT") returned 27 [0076.135] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-US\\PUSSY.TXT" (normalized: "c:\\boot\\en-us\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0076.136] lstrlenA (lpString="abcd") returned 4 [0076.136] WriteFile (in: hFile=0x16c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28e5ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28e5ec*=0x4, lpOverlapped=0x0) returned 1 [0076.136] CloseHandle (hObject=0x16c) returned 1 [0076.137] GetProcessHeap () returned 0x4c0000 [0076.137] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53aae0 | out: hHeap=0x4c0000) returned 1 [0076.137] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ecb0, dwReserved1=0x45, cFileName="es-ES", cAlternateFileName="")) returned 1 [0076.137] lstrcmpiW (lpString1="es-ES", lpString2="Windows") returned -1 [0076.137] lstrcmpiW (lpString1="es-ES", lpString2="Program Files") returned -1 [0076.137] lstrcmpiW (lpString1="es-ES", lpString2="Program Files (x86)") returned -1 [0076.137] lstrcmpiW (lpString1="es-ES", lpString2="$Recycle.bin") returned 1 [0076.137] lstrcmpiW (lpString1="es-ES", lpString2="System Volume Information") returned -1 [0076.137] lstrcmpiW (lpString1="es-ES", lpString2=".") returned 1 [0076.137] lstrcmpiW (lpString1="es-ES", lpString2="..") returned 1 [0076.137] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\es-ES") returned 17 [0076.137] GetProcessHeap () returned 0x4c0000 [0076.137] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53aae0 [0076.137] lstrcpyW (in: lpString1=0x53aae0, lpString2="\\\\?\\C:\\Boot\\es-ES" | out: lpString1="\\\\?\\C:\\Boot\\es-ES") returned="\\\\?\\C:\\Boot\\es-ES" [0076.137] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\es-ES", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\es-ES\\*") returned="\\\\?\\C:\\Boot\\es-ES\\*" [0076.137] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\es-ES\\*", lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e2920 [0076.139] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.139] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.139] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.139] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.139] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.139] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0076.139] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0076.139] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.139] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.139] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.139] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.140] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.140] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0076.140] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0076.140] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84ea6d7, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0076.140] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0076.140] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0076.140] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0076.140] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0076.140] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0076.140] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0076.140] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0076.140] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui") returned 33 [0076.140] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PUSSY.TXT") returned -1 [0076.140] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0076.140] lstrlenW (lpString=".mui") returned 4 [0076.140] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0076.140] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0076.140] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84ea6d7, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0076.140] FindClose (in: hFindFile=0x4e2920 | out: hFindFile=0x4e2920) returned 1 [0076.140] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\PUSSY.TXT") returned 27 [0076.140] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\es-ES\\PUSSY.TXT" (normalized: "c:\\boot\\es-es\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0076.141] lstrlenA (lpString="abcd") returned 4 [0076.141] WriteFile (in: hFile=0x16c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28e5ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28e5ec*=0x4, lpOverlapped=0x0) returned 1 [0076.142] CloseHandle (hObject=0x16c) returned 1 [0076.142] GetProcessHeap () returned 0x4c0000 [0076.142] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53aae0 | out: hHeap=0x4c0000) returned 1 [0076.142] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ecb0, dwReserved1=0x45, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0076.142] lstrcmpiW (lpString1="fi-FI", lpString2="Windows") returned -1 [0076.142] lstrcmpiW (lpString1="fi-FI", lpString2="Program Files") returned -1 [0076.142] lstrcmpiW (lpString1="fi-FI", lpString2="Program Files (x86)") returned -1 [0076.142] lstrcmpiW (lpString1="fi-FI", lpString2="$Recycle.bin") returned 1 [0076.142] lstrcmpiW (lpString1="fi-FI", lpString2="System Volume Information") returned -1 [0076.142] lstrcmpiW (lpString1="fi-FI", lpString2=".") returned 1 [0076.142] lstrcmpiW (lpString1="fi-FI", lpString2="..") returned 1 [0076.142] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI") returned 17 [0076.142] GetProcessHeap () returned 0x4c0000 [0076.142] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53aae0 [0076.142] lstrcpyW (in: lpString1=0x53aae0, lpString2="\\\\?\\C:\\Boot\\fi-FI" | out: lpString1="\\\\?\\C:\\Boot\\fi-FI") returned="\\\\?\\C:\\Boot\\fi-FI" [0076.142] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\fi-FI", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\fi-FI\\*") returned="\\\\?\\C:\\Boot\\fi-FI\\*" [0076.142] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\fi-FI\\*", lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e2920 [0076.142] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.142] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.143] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.143] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.143] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.143] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0076.143] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0076.143] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.143] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.143] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.143] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.143] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.143] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0076.143] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0076.143] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe836d95d, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c40, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0076.143] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0076.143] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0076.143] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0076.143] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0076.143] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0076.143] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0076.143] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0076.143] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui") returned 33 [0076.143] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PUSSY.TXT") returned -1 [0076.143] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0076.143] lstrlenW (lpString=".mui") returned 4 [0076.143] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0076.143] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0076.143] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe836d95d, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c40, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0076.144] FindClose (in: hFindFile=0x4e2920 | out: hFindFile=0x4e2920) returned 1 [0076.144] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\PUSSY.TXT") returned 27 [0076.144] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fi-FI\\PUSSY.TXT" (normalized: "c:\\boot\\fi-fi\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0076.144] lstrlenA (lpString="abcd") returned 4 [0076.144] WriteFile (in: hFile=0x16c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28e5ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28e5ec*=0x4, lpOverlapped=0x0) returned 1 [0076.145] CloseHandle (hObject=0x16c) returned 1 [0076.145] GetProcessHeap () returned 0x4c0000 [0076.145] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53aae0 | out: hHeap=0x4c0000) returned 1 [0076.145] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ecb0, dwReserved1=0x45, cFileName="Fonts", cAlternateFileName="")) returned 1 [0076.145] lstrcmpiW (lpString1="Fonts", lpString2="Windows") returned -1 [0076.145] lstrcmpiW (lpString1="Fonts", lpString2="Program Files") returned -1 [0076.145] lstrcmpiW (lpString1="Fonts", lpString2="Program Files (x86)") returned -1 [0076.145] lstrcmpiW (lpString1="Fonts", lpString2="$Recycle.bin") returned 1 [0076.145] lstrcmpiW (lpString1="Fonts", lpString2="System Volume Information") returned -1 [0076.145] lstrcmpiW (lpString1="Fonts", lpString2=".") returned 1 [0076.145] lstrcmpiW (lpString1="Fonts", lpString2="..") returned 1 [0076.145] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\Fonts") returned 17 [0076.145] GetProcessHeap () returned 0x4c0000 [0076.145] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53aae0 [0076.145] lstrcpyW (in: lpString1=0x53aae0, lpString2="\\\\?\\C:\\Boot\\Fonts" | out: lpString1="\\\\?\\C:\\Boot\\Fonts") returned="\\\\?\\C:\\Boot\\Fonts" [0076.145] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*") returned="\\\\?\\C:\\Boot\\Fonts\\*" [0076.146] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\Fonts\\*", lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e2920 [0076.146] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.146] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.146] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.146] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.146] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.147] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0076.147] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0076.147] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.147] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.147] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.147] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.147] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.147] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0076.147] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0076.147] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x64c5ad69, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x385e00, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName="chs_boot.ttf", cAlternateFileName="")) returned 1 [0076.147] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="Windows") returned -1 [0076.147] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="Program Files") returned -1 [0076.147] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="Program Files (x86)") returned -1 [0076.147] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="$Recycle.bin") returned 1 [0076.147] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="System Volume Information") returned -1 [0076.147] lstrcmpiW (lpString1="chs_boot.ttf", lpString2=".") returned 1 [0076.147] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="..") returned 1 [0076.147] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf") returned 30 [0076.147] lstrcmpW (lpString1="chs_boot.ttf", lpString2="PUSSY.TXT") returned -1 [0076.147] PathFindExtensionW (pszPath="chs_boot.ttf") returned=".ttf" [0076.147] lstrlenW (lpString=".ttf") returned 4 [0076.147] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0076.147] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0076.147] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac191e00, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac191e00, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x6505f253, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x3b27a4, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName="cht_boot.ttf", cAlternateFileName="")) returned 1 [0076.147] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="Windows") returned -1 [0076.148] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="Program Files") returned -1 [0076.148] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="Program Files (x86)") returned -1 [0076.148] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="$Recycle.bin") returned 1 [0076.148] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="System Volume Information") returned -1 [0076.148] lstrcmpiW (lpString1="cht_boot.ttf", lpString2=".") returned 1 [0076.148] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="..") returned 1 [0076.148] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf") returned 30 [0076.148] lstrcmpW (lpString1="cht_boot.ttf", lpString2="PUSSY.TXT") returned -1 [0076.148] PathFindExtensionW (pszPath="cht_boot.ttf") returned=".ttf" [0076.148] lstrlenW (lpString=".ttf") returned 4 [0076.148] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0076.148] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0076.149] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac204220, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac204220, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x65274577, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x1e46e4, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName="jpn_boot.ttf", cAlternateFileName="")) returned 1 [0076.149] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="Windows") returned -1 [0076.149] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="Program Files") returned -1 [0076.149] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="Program Files (x86)") returned -1 [0076.149] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="$Recycle.bin") returned 1 [0076.149] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="System Volume Information") returned -1 [0076.149] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2=".") returned 1 [0076.149] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="..") returned 1 [0076.149] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf") returned 30 [0076.149] lstrcmpW (lpString1="jpn_boot.ttf", lpString2="PUSSY.TXT") returned -1 [0076.149] PathFindExtensionW (pszPath="jpn_boot.ttf") returned=".ttf" [0076.149] lstrlenW (lpString=".ttf") returned 4 [0076.149] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0076.149] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0076.149] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac22a380, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac22a380, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x6530caef, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x242f20, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName="kor_boot.ttf", cAlternateFileName="")) returned 1 [0076.150] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="Windows") returned -1 [0076.150] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="Program Files") returned -1 [0076.150] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="Program Files (x86)") returned -1 [0076.150] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="$Recycle.bin") returned 1 [0076.150] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="System Volume Information") returned -1 [0076.150] lstrcmpiW (lpString1="kor_boot.ttf", lpString2=".") returned 1 [0076.150] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="..") returned 1 [0076.150] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf") returned 30 [0076.150] lstrcmpW (lpString1="kor_boot.ttf", lpString2="PUSSY.TXT") returned -1 [0076.150] PathFindExtensionW (pszPath="kor_boot.ttf") returned=".ttf" [0076.150] lstrlenW (lpString=".ttf") returned 4 [0076.150] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0076.150] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0076.150] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac276640, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x65332c4d, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xb95c, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 1 [0076.150] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="Windows") returned -1 [0076.150] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="Program Files") returned 1 [0076.150] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="Program Files (x86)") returned 1 [0076.150] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="$Recycle.bin") returned 1 [0076.150] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="System Volume Information") returned 1 [0076.151] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2=".") returned 1 [0076.151] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="..") returned 1 [0076.151] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 31 [0076.151] lstrcmpW (lpString1="wgl4_boot.ttf", lpString2="PUSSY.TXT") returned 1 [0076.151] PathFindExtensionW (pszPath="wgl4_boot.ttf") returned=".ttf" [0076.151] lstrlenW (lpString=".ttf") returned 4 [0076.151] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0076.151] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0076.151] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac276640, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x65332c4d, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xb95c, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 0 [0076.151] FindClose (in: hFindFile=0x4e2920 | out: hFindFile=0x4e2920) returned 1 [0076.153] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\PUSSY.TXT") returned 27 [0076.153] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\PUSSY.TXT" (normalized: "c:\\boot\\fonts\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0076.155] lstrlenA (lpString="abcd") returned 4 [0076.155] WriteFile (in: hFile=0x16c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28e5ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28e5ec*=0x4, lpOverlapped=0x0) returned 1 [0076.156] CloseHandle (hObject=0x16c) returned 1 [0076.156] GetProcessHeap () returned 0x4c0000 [0076.156] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53aae0 | out: hHeap=0x4c0000) returned 1 [0076.156] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ecb0, dwReserved1=0x45, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0076.157] lstrcmpiW (lpString1="fr-FR", lpString2="Windows") returned -1 [0076.157] lstrcmpiW (lpString1="fr-FR", lpString2="Program Files") returned -1 [0076.157] lstrcmpiW (lpString1="fr-FR", lpString2="Program Files (x86)") returned -1 [0076.157] lstrcmpiW (lpString1="fr-FR", lpString2="$Recycle.bin") returned 1 [0076.157] lstrcmpiW (lpString1="fr-FR", lpString2="System Volume Information") returned -1 [0076.157] lstrcmpiW (lpString1="fr-FR", lpString2=".") returned 1 [0076.157] lstrcmpiW (lpString1="fr-FR", lpString2="..") returned 1 [0076.157] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR") returned 17 [0076.157] GetProcessHeap () returned 0x4c0000 [0076.157] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53aae0 [0076.157] lstrcpyW (in: lpString1=0x53aae0, lpString2="\\\\?\\C:\\Boot\\fr-FR" | out: lpString1="\\\\?\\C:\\Boot\\fr-FR") returned="\\\\?\\C:\\Boot\\fr-FR" [0076.157] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\fr-FR", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\fr-FR\\*") returned="\\\\?\\C:\\Boot\\fr-FR\\*" [0076.157] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\fr-FR\\*", lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e2920 [0076.158] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.158] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.158] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.158] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.158] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.159] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0076.159] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0076.159] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.159] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.159] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.159] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.159] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.159] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0076.159] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0076.159] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe86b3703, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16c40, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0076.159] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0076.159] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0076.159] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0076.159] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0076.159] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0076.159] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0076.159] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0076.159] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 33 [0076.159] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PUSSY.TXT") returned -1 [0076.159] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0076.159] lstrlenW (lpString=".mui") returned 4 [0076.159] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0076.160] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0076.160] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe86b3703, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16c40, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0076.160] FindClose (in: hFindFile=0x4e2920 | out: hFindFile=0x4e2920) returned 1 [0076.160] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\PUSSY.TXT") returned 27 [0076.160] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fr-FR\\PUSSY.TXT" (normalized: "c:\\boot\\fr-fr\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0076.160] lstrlenA (lpString="abcd") returned 4 [0076.160] WriteFile (in: hFile=0x16c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28e5ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28e5ec*=0x4, lpOverlapped=0x0) returned 1 [0076.161] CloseHandle (hObject=0x16c) returned 1 [0076.162] GetProcessHeap () returned 0x4c0000 [0076.162] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53aae0 | out: hHeap=0x4c0000) returned 1 [0076.162] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ecb0, dwReserved1=0x45, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0076.162] lstrcmpiW (lpString1="hu-HU", lpString2="Windows") returned -1 [0076.162] lstrcmpiW (lpString1="hu-HU", lpString2="Program Files") returned -1 [0076.162] lstrcmpiW (lpString1="hu-HU", lpString2="Program Files (x86)") returned -1 [0076.162] lstrcmpiW (lpString1="hu-HU", lpString2="$Recycle.bin") returned 1 [0076.162] lstrcmpiW (lpString1="hu-HU", lpString2="System Volume Information") returned -1 [0076.162] lstrcmpiW (lpString1="hu-HU", lpString2=".") returned 1 [0076.162] lstrcmpiW (lpString1="hu-HU", lpString2="..") returned 1 [0076.162] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU") returned 17 [0076.162] GetProcessHeap () returned 0x4c0000 [0076.162] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53aae0 [0076.162] lstrcpyW (in: lpString1=0x53aae0, lpString2="\\\\?\\C:\\Boot\\hu-HU" | out: lpString1="\\\\?\\C:\\Boot\\hu-HU") returned="\\\\?\\C:\\Boot\\hu-HU" [0076.162] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\hu-HU", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\hu-HU\\*") returned="\\\\?\\C:\\Boot\\hu-HU\\*" [0076.162] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\hu-HU\\*", lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e2920 [0076.163] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.163] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.163] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.163] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.163] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.163] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0076.163] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0076.163] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.163] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.163] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.163] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.163] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.163] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0076.163] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0076.163] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe817e7d8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16240, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0076.163] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0076.163] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0076.163] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0076.163] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0076.163] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0076.163] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0076.163] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0076.163] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 33 [0076.164] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PUSSY.TXT") returned -1 [0076.164] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0076.164] lstrlenW (lpString=".mui") returned 4 [0076.164] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0076.164] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0076.164] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe817e7d8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16240, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0076.164] FindClose (in: hFindFile=0x4e2920 | out: hFindFile=0x4e2920) returned 1 [0076.164] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\PUSSY.TXT") returned 27 [0076.164] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\hu-HU\\PUSSY.TXT" (normalized: "c:\\boot\\hu-hu\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0076.164] lstrlenA (lpString="abcd") returned 4 [0076.164] WriteFile (in: hFile=0x16c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28e5ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28e5ec*=0x4, lpOverlapped=0x0) returned 1 [0076.165] CloseHandle (hObject=0x16c) returned 1 [0076.166] GetProcessHeap () returned 0x4c0000 [0076.166] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53aae0 | out: hHeap=0x4c0000) returned 1 [0076.166] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ecb0, dwReserved1=0x45, cFileName="it-IT", cAlternateFileName="")) returned 1 [0076.166] lstrcmpiW (lpString1="it-IT", lpString2="Windows") returned -1 [0076.166] lstrcmpiW (lpString1="it-IT", lpString2="Program Files") returned -1 [0076.166] lstrcmpiW (lpString1="it-IT", lpString2="Program Files (x86)") returned -1 [0076.166] lstrcmpiW (lpString1="it-IT", lpString2="$Recycle.bin") returned 1 [0076.166] lstrcmpiW (lpString1="it-IT", lpString2="System Volume Information") returned -1 [0076.166] lstrcmpiW (lpString1="it-IT", lpString2=".") returned 1 [0076.166] lstrcmpiW (lpString1="it-IT", lpString2="..") returned 1 [0076.166] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\it-IT") returned 17 [0076.166] GetProcessHeap () returned 0x4c0000 [0076.166] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53aae0 [0076.166] lstrcpyW (in: lpString1=0x53aae0, lpString2="\\\\?\\C:\\Boot\\it-IT" | out: lpString1="\\\\?\\C:\\Boot\\it-IT") returned="\\\\?\\C:\\Boot\\it-IT" [0076.166] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\it-IT", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\it-IT\\*") returned="\\\\?\\C:\\Boot\\it-IT\\*" [0076.166] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\it-IT\\*", lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e2920 [0076.167] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.167] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.167] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.168] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.168] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.168] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0076.168] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0076.168] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.168] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.168] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.168] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.168] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.168] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0076.168] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0076.168] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e80ea3, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0076.168] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0076.168] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0076.168] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0076.168] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0076.168] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0076.168] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0076.168] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0076.168] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 33 [0076.168] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PUSSY.TXT") returned -1 [0076.168] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0076.168] lstrlenW (lpString=".mui") returned 4 [0076.169] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0076.169] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0076.169] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e80ea3, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0076.169] FindClose (in: hFindFile=0x4e2920 | out: hFindFile=0x4e2920) returned 1 [0076.169] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\PUSSY.TXT") returned 27 [0076.169] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\it-IT\\PUSSY.TXT" (normalized: "c:\\boot\\it-it\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0076.169] lstrlenA (lpString="abcd") returned 4 [0076.169] WriteFile (in: hFile=0x16c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28e5ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28e5ec*=0x4, lpOverlapped=0x0) returned 1 [0076.170] CloseHandle (hObject=0x16c) returned 1 [0076.171] GetProcessHeap () returned 0x4c0000 [0076.171] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53aae0 | out: hHeap=0x4c0000) returned 1 [0076.171] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ecb0, dwReserved1=0x45, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0076.171] lstrcmpiW (lpString1="ja-JP", lpString2="Windows") returned -1 [0076.171] lstrcmpiW (lpString1="ja-JP", lpString2="Program Files") returned -1 [0076.171] lstrcmpiW (lpString1="ja-JP", lpString2="Program Files (x86)") returned -1 [0076.171] lstrcmpiW (lpString1="ja-JP", lpString2="$Recycle.bin") returned 1 [0076.171] lstrcmpiW (lpString1="ja-JP", lpString2="System Volume Information") returned -1 [0076.171] lstrcmpiW (lpString1="ja-JP", lpString2=".") returned 1 [0076.171] lstrcmpiW (lpString1="ja-JP", lpString2="..") returned 1 [0076.171] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP") returned 17 [0076.171] GetProcessHeap () returned 0x4c0000 [0076.171] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53aae0 [0076.171] lstrcpyW (in: lpString1=0x53aae0, lpString2="\\\\?\\C:\\Boot\\ja-JP" | out: lpString1="\\\\?\\C:\\Boot\\ja-JP") returned="\\\\?\\C:\\Boot\\ja-JP" [0076.171] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ja-JP", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\ja-JP\\*") returned="\\\\?\\C:\\Boot\\ja-JP\\*" [0076.171] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\ja-JP\\*", lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e2920 [0076.171] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.171] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.171] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.172] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.172] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.172] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0076.172] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0076.172] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.172] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.172] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.172] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.172] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.172] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0076.172] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0076.172] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12a40, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0076.172] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0076.172] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0076.172] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0076.172] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0076.172] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0076.172] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0076.172] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0076.172] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 33 [0076.172] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PUSSY.TXT") returned -1 [0076.172] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0076.172] lstrlenW (lpString=".mui") returned 4 [0076.172] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0076.172] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0076.172] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12a40, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0076.173] FindClose (in: hFindFile=0x4e2920 | out: hFindFile=0x4e2920) returned 1 [0076.173] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\PUSSY.TXT") returned 27 [0076.173] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ja-JP\\PUSSY.TXT" (normalized: "c:\\boot\\ja-jp\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0076.173] lstrlenA (lpString="abcd") returned 4 [0076.173] WriteFile (in: hFile=0x16c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28e5ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28e5ec*=0x4, lpOverlapped=0x0) returned 1 [0076.174] CloseHandle (hObject=0x16c) returned 1 [0076.174] GetProcessHeap () returned 0x4c0000 [0076.174] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53aae0 | out: hHeap=0x4c0000) returned 1 [0076.174] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ecb0, dwReserved1=0x45, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0076.174] lstrcmpiW (lpString1="ko-KR", lpString2="Windows") returned -1 [0076.174] lstrcmpiW (lpString1="ko-KR", lpString2="Program Files") returned -1 [0076.174] lstrcmpiW (lpString1="ko-KR", lpString2="Program Files (x86)") returned -1 [0076.174] lstrcmpiW (lpString1="ko-KR", lpString2="$Recycle.bin") returned 1 [0076.174] lstrcmpiW (lpString1="ko-KR", lpString2="System Volume Information") returned -1 [0076.174] lstrcmpiW (lpString1="ko-KR", lpString2=".") returned 1 [0076.174] lstrcmpiW (lpString1="ko-KR", lpString2="..") returned 1 [0076.174] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR") returned 17 [0076.174] GetProcessHeap () returned 0x4c0000 [0076.174] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53aae0 [0076.174] lstrcpyW (in: lpString1=0x53aae0, lpString2="\\\\?\\C:\\Boot\\ko-KR" | out: lpString1="\\\\?\\C:\\Boot\\ko-KR") returned="\\\\?\\C:\\Boot\\ko-KR" [0076.174] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ko-KR", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\ko-KR\\*") returned="\\\\?\\C:\\Boot\\ko-KR\\*" [0076.174] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\ko-KR\\*", lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e2920 [0076.175] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.175] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.175] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.175] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.175] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.175] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0076.175] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0076.176] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.176] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.176] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.176] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.176] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.176] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0076.176] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0076.176] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8510830, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12650, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0076.176] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0076.176] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0076.176] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0076.176] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0076.176] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0076.176] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0076.176] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0076.176] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 33 [0076.176] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PUSSY.TXT") returned -1 [0076.176] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0076.176] lstrlenW (lpString=".mui") returned 4 [0076.176] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0076.176] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0076.176] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8510830, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12650, dwReserved0=0x28e3d0, dwReserved1=0x77c61b06, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0076.176] FindClose (in: hFindFile=0x4e2920 | out: hFindFile=0x4e2920) returned 1 [0076.177] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\PUSSY.TXT") returned 27 [0076.177] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ko-KR\\PUSSY.TXT" (normalized: "c:\\boot\\ko-kr\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0076.177] lstrlenA (lpString="abcd") returned 4 [0076.177] WriteFile (in: hFile=0x16c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28e5ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28e5ec*=0x4, lpOverlapped=0x0) returned 1 [0076.178] CloseHandle (hObject=0x16c) returned 1 [0076.178] GetProcessHeap () returned 0x4c0000 [0076.178] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53aae0 | out: hHeap=0x4c0000) returned 1 [0076.178] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x8bc7dbfe, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x76980, dwReserved0=0x28ecb0, dwReserved1=0x45, cFileName="memtest.exe", cAlternateFileName="")) returned 1 [0076.178] lstrcmpiW (lpString1="memtest.exe", lpString2="Windows") returned -1 [0076.178] lstrcmpiW (lpString1="memtest.exe", lpString2="Program Files") returned -1 [0076.178] lstrcmpiW (lpString1="memtest.exe", lpString2="Program Files (x86)") returned -1 [0076.178] lstrcmpiW (lpString1="memtest.exe", lpString2="$Recycle.bin") returned 1 [0076.178] lstrcmpiW (lpString1="memtest.exe", lpString2="System Volume Information") returned -1 [0076.178] lstrcmpiW (lpString1="memtest.exe", lpString2=".") returned 1 [0076.178] lstrcmpiW (lpString1="memtest.exe", lpString2="..") returned 1 [0076.178] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\memtest.exe") returned 23 [0076.178] lstrcmpW (lpString1="memtest.exe", lpString2="PUSSY.TXT") returned -1 [0076.178] PathFindExtensionW (pszPath="memtest.exe") returned=".exe" [0076.178] lstrlenW (lpString=".exe") returned 4 [0076.178] SystemFunction036 (in: RandomBuffer=0x28ea24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ea24) returned 1 [0076.178] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0076.178] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ecb0, dwReserved1=0x45, cFileName="nb-NO", cAlternateFileName="")) returned 1 [0076.179] lstrcmpiW (lpString1="nb-NO", lpString2="Windows") returned -1 [0076.179] lstrcmpiW (lpString1="nb-NO", lpString2="Program Files") returned -1 [0076.179] lstrcmpiW (lpString1="nb-NO", lpString2="Program Files (x86)") returned -1 [0076.179] lstrcmpiW (lpString1="nb-NO", lpString2="$Recycle.bin") returned 1 [0076.179] lstrcmpiW (lpString1="nb-NO", lpString2="System Volume Information") returned -1 [0076.179] lstrcmpiW (lpString1="nb-NO", lpString2=".") returned 1 [0076.179] lstrcmpiW (lpString1="nb-NO", lpString2="..") returned 1 [0076.179] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO") returned 17 [0076.179] GetProcessHeap () returned 0x4c0000 [0076.179] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53aae0 [0076.179] lstrcpyW (in: lpString1=0x53aae0, lpString2="\\\\?\\C:\\Boot\\nb-NO" | out: lpString1="\\\\?\\C:\\Boot\\nb-NO") returned="\\\\?\\C:\\Boot\\nb-NO" [0076.179] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\nb-NO", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\nb-NO\\*") returned="\\\\?\\C:\\Boot\\nb-NO\\*" [0076.179] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\nb-NO\\*", lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2920 [0076.179] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.179] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.179] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.179] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.179] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.179] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0076.179] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0076.179] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.179] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.180] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.180] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.180] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.180] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0076.180] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0076.180] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea212efb, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15850, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0076.180] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0076.180] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0076.180] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0076.180] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0076.180] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0076.180] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0076.180] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0076.180] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui") returned 33 [0076.180] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PUSSY.TXT") returned -1 [0076.180] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0076.180] lstrlenW (lpString=".mui") returned 4 [0076.180] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0076.180] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0076.181] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea212efb, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15850, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0076.181] FindClose (in: hFindFile=0x4e2920 | out: hFindFile=0x4e2920) returned 1 [0076.181] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO\\PUSSY.TXT") returned 27 [0076.181] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nb-NO\\PUSSY.TXT" (normalized: "c:\\boot\\nb-no\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0076.182] lstrlenA (lpString="abcd") returned 4 [0076.182] WriteFile (in: hFile=0x16c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28e5ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28e5ec*=0x4, lpOverlapped=0x0) returned 1 [0076.183] CloseHandle (hObject=0x16c) returned 1 [0076.183] GetProcessHeap () returned 0x4c0000 [0076.183] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53aae0 | out: hHeap=0x4c0000) returned 1 [0076.183] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ecb0, dwReserved1=0x45, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0076.183] lstrcmpiW (lpString1="nl-NL", lpString2="Windows") returned -1 [0076.183] lstrcmpiW (lpString1="nl-NL", lpString2="Program Files") returned -1 [0076.183] lstrcmpiW (lpString1="nl-NL", lpString2="Program Files (x86)") returned -1 [0076.183] lstrcmpiW (lpString1="nl-NL", lpString2="$Recycle.bin") returned 1 [0076.183] lstrcmpiW (lpString1="nl-NL", lpString2="System Volume Information") returned -1 [0076.183] lstrcmpiW (lpString1="nl-NL", lpString2=".") returned 1 [0076.183] lstrcmpiW (lpString1="nl-NL", lpString2="..") returned 1 [0076.183] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL") returned 17 [0076.183] GetProcessHeap () returned 0x4c0000 [0076.183] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53aae0 [0076.183] lstrcpyW (in: lpString1=0x53aae0, lpString2="\\\\?\\C:\\Boot\\nl-NL" | out: lpString1="\\\\?\\C:\\Boot\\nl-NL") returned="\\\\?\\C:\\Boot\\nl-NL" [0076.183] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\nl-NL", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\nl-NL\\*") returned="\\\\?\\C:\\Boot\\nl-NL\\*" [0076.183] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\nl-NL\\*", lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2920 [0076.184] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.184] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.184] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.184] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.184] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.184] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0076.184] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0076.184] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.184] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.184] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.184] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.184] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.184] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0076.184] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0076.184] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84c457e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0076.184] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0076.184] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0076.184] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0076.184] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0076.184] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0076.184] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0076.185] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0076.185] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui") returned 33 [0076.185] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PUSSY.TXT") returned -1 [0076.185] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0076.185] lstrlenW (lpString=".mui") returned 4 [0076.185] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0076.185] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0076.185] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84c457e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0076.185] FindClose (in: hFindFile=0x4e2920 | out: hFindFile=0x4e2920) returned 1 [0076.185] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL\\PUSSY.TXT") returned 27 [0076.185] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nl-NL\\PUSSY.TXT" (normalized: "c:\\boot\\nl-nl\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0076.185] lstrlenA (lpString="abcd") returned 4 [0076.185] WriteFile (in: hFile=0x16c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28e5ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28e5ec*=0x4, lpOverlapped=0x0) returned 1 [0076.186] CloseHandle (hObject=0x16c) returned 1 [0076.187] GetProcessHeap () returned 0x4c0000 [0076.187] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53aae0 | out: hHeap=0x4c0000) returned 1 [0076.187] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ecb0, dwReserved1=0x45, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0076.187] lstrcmpiW (lpString1="pl-PL", lpString2="Windows") returned -1 [0076.187] lstrcmpiW (lpString1="pl-PL", lpString2="Program Files") returned -1 [0076.187] lstrcmpiW (lpString1="pl-PL", lpString2="Program Files (x86)") returned -1 [0076.187] lstrcmpiW (lpString1="pl-PL", lpString2="$Recycle.bin") returned 1 [0076.187] lstrcmpiW (lpString1="pl-PL", lpString2="System Volume Information") returned -1 [0076.187] lstrcmpiW (lpString1="pl-PL", lpString2=".") returned 1 [0076.187] lstrcmpiW (lpString1="pl-PL", lpString2="..") returned 1 [0076.187] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL") returned 17 [0076.187] GetProcessHeap () returned 0x4c0000 [0076.187] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53aae0 [0076.187] lstrcpyW (in: lpString1=0x53aae0, lpString2="\\\\?\\C:\\Boot\\pl-PL" | out: lpString1="\\\\?\\C:\\Boot\\pl-PL") returned="\\\\?\\C:\\Boot\\pl-PL" [0076.187] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\pl-PL", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\pl-PL\\*") returned="\\\\?\\C:\\Boot\\pl-PL\\*" [0076.187] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\pl-PL\\*", lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2920 [0076.188] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.188] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.188] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.188] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.188] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.188] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0076.188] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0076.188] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.188] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.188] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.188] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.188] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.188] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0076.188] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0076.188] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e5ad4a, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0076.188] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0076.188] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0076.188] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0076.188] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0076.188] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0076.188] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0076.188] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0076.188] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui") returned 33 [0076.189] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PUSSY.TXT") returned -1 [0076.189] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0076.189] lstrlenW (lpString=".mui") returned 4 [0076.189] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0076.189] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0076.190] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e5ad4a, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0076.190] FindClose (in: hFindFile=0x4e2920 | out: hFindFile=0x4e2920) returned 1 [0076.190] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL\\PUSSY.TXT") returned 27 [0076.190] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pl-PL\\PUSSY.TXT" (normalized: "c:\\boot\\pl-pl\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0076.190] lstrlenA (lpString="abcd") returned 4 [0076.190] WriteFile (in: hFile=0x16c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28e5ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28e5ec*=0x4, lpOverlapped=0x0) returned 1 [0076.191] CloseHandle (hObject=0x16c) returned 1 [0076.192] GetProcessHeap () returned 0x4c0000 [0076.192] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53aae0 | out: hHeap=0x4c0000) returned 1 [0076.192] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ecb0, dwReserved1=0x45, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0076.192] lstrcmpiW (lpString1="pt-BR", lpString2="Windows") returned -1 [0076.192] lstrcmpiW (lpString1="pt-BR", lpString2="Program Files") returned 1 [0076.192] lstrcmpiW (lpString1="pt-BR", lpString2="Program Files (x86)") returned 1 [0076.192] lstrcmpiW (lpString1="pt-BR", lpString2="$Recycle.bin") returned 1 [0076.192] lstrcmpiW (lpString1="pt-BR", lpString2="System Volume Information") returned -1 [0076.192] lstrcmpiW (lpString1="pt-BR", lpString2=".") returned 1 [0076.192] lstrcmpiW (lpString1="pt-BR", lpString2="..") returned 1 [0076.192] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR") returned 17 [0076.192] GetProcessHeap () returned 0x4c0000 [0076.192] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53aae0 [0076.192] lstrcpyW (in: lpString1=0x53aae0, lpString2="\\\\?\\C:\\Boot\\pt-BR" | out: lpString1="\\\\?\\C:\\Boot\\pt-BR") returned="\\\\?\\C:\\Boot\\pt-BR" [0076.192] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\pt-BR", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\pt-BR\\*") returned="\\\\?\\C:\\Boot\\pt-BR\\*" [0076.192] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\pt-BR\\*", lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2920 [0076.193] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.193] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.193] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.193] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.193] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.193] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0076.193] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0076.193] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.193] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.193] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.193] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.193] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.193] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0076.193] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0076.193] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83b9c0f, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16040, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0076.193] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0076.193] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0076.193] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0076.193] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0076.193] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0076.193] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0076.194] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0076.194] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui") returned 33 [0076.194] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PUSSY.TXT") returned -1 [0076.194] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0076.194] lstrlenW (lpString=".mui") returned 4 [0076.194] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0076.194] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0076.194] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83b9c0f, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16040, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0076.194] FindClose (in: hFindFile=0x4e2920 | out: hFindFile=0x4e2920) returned 1 [0076.194] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR\\PUSSY.TXT") returned 27 [0076.194] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-BR\\PUSSY.TXT" (normalized: "c:\\boot\\pt-br\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0076.194] lstrlenA (lpString="abcd") returned 4 [0076.194] WriteFile (in: hFile=0x16c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28e5ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28e5ec*=0x4, lpOverlapped=0x0) returned 1 [0076.196] CloseHandle (hObject=0x16c) returned 1 [0076.196] GetProcessHeap () returned 0x4c0000 [0076.196] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53aae0 | out: hHeap=0x4c0000) returned 1 [0076.196] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ecb0, dwReserved1=0x45, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0076.196] lstrcmpiW (lpString1="pt-PT", lpString2="Windows") returned -1 [0076.196] lstrcmpiW (lpString1="pt-PT", lpString2="Program Files") returned 1 [0076.196] lstrcmpiW (lpString1="pt-PT", lpString2="Program Files (x86)") returned 1 [0076.196] lstrcmpiW (lpString1="pt-PT", lpString2="$Recycle.bin") returned 1 [0076.196] lstrcmpiW (lpString1="pt-PT", lpString2="System Volume Information") returned -1 [0076.196] lstrcmpiW (lpString1="pt-PT", lpString2=".") returned 1 [0076.196] lstrcmpiW (lpString1="pt-PT", lpString2="..") returned 1 [0076.196] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT") returned 17 [0076.196] GetProcessHeap () returned 0x4c0000 [0076.196] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53aae0 [0076.196] lstrcpyW (in: lpString1=0x53aae0, lpString2="\\\\?\\C:\\Boot\\pt-PT" | out: lpString1="\\\\?\\C:\\Boot\\pt-PT") returned="\\\\?\\C:\\Boot\\pt-PT" [0076.196] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\pt-PT", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\pt-PT\\*") returned="\\\\?\\C:\\Boot\\pt-PT\\*" [0076.196] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\pt-PT\\*", lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2920 [0076.197] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.197] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.197] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.197] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.197] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.197] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0076.197] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0076.197] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.197] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.197] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.197] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.197] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.197] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0076.197] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0076.197] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe823ce95, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15e40, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0076.197] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0076.197] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0076.197] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0076.198] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0076.198] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0076.198] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0076.198] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0076.198] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui") returned 33 [0076.198] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PUSSY.TXT") returned -1 [0076.198] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0076.198] lstrlenW (lpString=".mui") returned 4 [0076.198] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0076.198] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0076.199] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe823ce95, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15e40, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0076.199] FindClose (in: hFindFile=0x4e2920 | out: hFindFile=0x4e2920) returned 1 [0076.199] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT\\PUSSY.TXT") returned 27 [0076.199] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-PT\\PUSSY.TXT" (normalized: "c:\\boot\\pt-pt\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0076.200] lstrlenA (lpString="abcd") returned 4 [0076.200] WriteFile (in: hFile=0x16c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28e5ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28e5ec*=0x4, lpOverlapped=0x0) returned 1 [0076.201] CloseHandle (hObject=0x16c) returned 1 [0076.201] GetProcessHeap () returned 0x4c0000 [0076.201] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53aae0 | out: hHeap=0x4c0000) returned 1 [0076.201] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ecb0, dwReserved1=0x45, cFileName="ru-RU", cAlternateFileName="")) returned 1 [0076.201] lstrcmpiW (lpString1="ru-RU", lpString2="Windows") returned -1 [0076.201] lstrcmpiW (lpString1="ru-RU", lpString2="Program Files") returned 1 [0076.201] lstrcmpiW (lpString1="ru-RU", lpString2="Program Files (x86)") returned 1 [0076.201] lstrcmpiW (lpString1="ru-RU", lpString2="$Recycle.bin") returned 1 [0076.201] lstrcmpiW (lpString1="ru-RU", lpString2="System Volume Information") returned -1 [0076.201] lstrcmpiW (lpString1="ru-RU", lpString2=".") returned 1 [0076.201] lstrcmpiW (lpString1="ru-RU", lpString2="..") returned 1 [0076.201] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU") returned 17 [0076.201] GetProcessHeap () returned 0x4c0000 [0076.201] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53aae0 [0076.201] lstrcpyW (in: lpString1=0x53aae0, lpString2="\\\\?\\C:\\Boot\\ru-RU" | out: lpString1="\\\\?\\C:\\Boot\\ru-RU") returned="\\\\?\\C:\\Boot\\ru-RU" [0076.201] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ru-RU", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\ru-RU\\*") returned="\\\\?\\C:\\Boot\\ru-RU\\*" [0076.202] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\ru-RU\\*", lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2920 [0076.202] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.202] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.202] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.202] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.202] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.202] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0076.202] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0076.202] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.202] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.202] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.202] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.202] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.202] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0076.202] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0076.202] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0076.203] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0076.203] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0076.203] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0076.203] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0076.203] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0076.203] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0076.203] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0076.203] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui") returned 33 [0076.203] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PUSSY.TXT") returned -1 [0076.203] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0076.203] lstrlenW (lpString=".mui") returned 4 [0076.203] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0076.203] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui" (normalized: "c:\\boot\\ru-ru\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0076.203] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0076.203] FindClose (in: hFindFile=0x4e2920 | out: hFindFile=0x4e2920) returned 1 [0076.204] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU\\PUSSY.TXT") returned 27 [0076.204] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ru-RU\\PUSSY.TXT" (normalized: "c:\\boot\\ru-ru\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0076.204] lstrlenA (lpString="abcd") returned 4 [0076.204] WriteFile (in: hFile=0x16c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28e5ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28e5ec*=0x4, lpOverlapped=0x0) returned 1 [0076.205] CloseHandle (hObject=0x16c) returned 1 [0076.205] GetProcessHeap () returned 0x4c0000 [0076.205] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53aae0 | out: hHeap=0x4c0000) returned 1 [0076.205] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ecb0, dwReserved1=0x45, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0076.205] lstrcmpiW (lpString1="sv-SE", lpString2="Windows") returned -1 [0076.205] lstrcmpiW (lpString1="sv-SE", lpString2="Program Files") returned 1 [0076.205] lstrcmpiW (lpString1="sv-SE", lpString2="Program Files (x86)") returned 1 [0076.205] lstrcmpiW (lpString1="sv-SE", lpString2="$Recycle.bin") returned 1 [0076.206] lstrcmpiW (lpString1="sv-SE", lpString2="System Volume Information") returned -1 [0076.206] lstrcmpiW (lpString1="sv-SE", lpString2=".") returned 1 [0076.206] lstrcmpiW (lpString1="sv-SE", lpString2="..") returned 1 [0076.206] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE") returned 17 [0076.206] GetProcessHeap () returned 0x4c0000 [0076.206] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53aae0 [0076.206] lstrcpyW (in: lpString1=0x53aae0, lpString2="\\\\?\\C:\\Boot\\sv-SE" | out: lpString1="\\\\?\\C:\\Boot\\sv-SE") returned="\\\\?\\C:\\Boot\\sv-SE" [0076.206] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\sv-SE", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\sv-SE\\*") returned="\\\\?\\C:\\Boot\\sv-SE\\*" [0076.206] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\sv-SE\\*", lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2920 [0076.206] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.206] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.206] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.206] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.206] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.206] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0076.206] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0076.207] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.207] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.207] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.207] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.207] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.207] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0076.207] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0076.207] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0076.207] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0076.207] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0076.207] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0076.207] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0076.207] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0076.207] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0076.207] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0076.207] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui") returned 33 [0076.207] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PUSSY.TXT") returned -1 [0076.207] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0076.207] lstrlenW (lpString=".mui") returned 4 [0076.207] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0076.207] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui" (normalized: "c:\\boot\\sv-se\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0076.208] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0076.208] FindClose (in: hFindFile=0x4e2920 | out: hFindFile=0x4e2920) returned 1 [0076.208] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE\\PUSSY.TXT") returned 27 [0076.208] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sv-SE\\PUSSY.TXT" (normalized: "c:\\boot\\sv-se\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0076.209] lstrlenA (lpString="abcd") returned 4 [0076.209] WriteFile (in: hFile=0x16c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28e5ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28e5ec*=0x4, lpOverlapped=0x0) returned 1 [0076.210] CloseHandle (hObject=0x16c) returned 1 [0076.210] GetProcessHeap () returned 0x4c0000 [0076.210] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53aae0 | out: hHeap=0x4c0000) returned 1 [0076.210] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ecb0, dwReserved1=0x45, cFileName="tr-TR", cAlternateFileName="")) returned 1 [0076.210] lstrcmpiW (lpString1="tr-TR", lpString2="Windows") returned -1 [0076.210] lstrcmpiW (lpString1="tr-TR", lpString2="Program Files") returned 1 [0076.210] lstrcmpiW (lpString1="tr-TR", lpString2="Program Files (x86)") returned 1 [0076.210] lstrcmpiW (lpString1="tr-TR", lpString2="$Recycle.bin") returned 1 [0076.210] lstrcmpiW (lpString1="tr-TR", lpString2="System Volume Information") returned 1 [0076.210] lstrcmpiW (lpString1="tr-TR", lpString2=".") returned 1 [0076.210] lstrcmpiW (lpString1="tr-TR", lpString2="..") returned 1 [0076.210] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR") returned 17 [0076.210] GetProcessHeap () returned 0x4c0000 [0076.210] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53aae0 [0076.211] lstrcpyW (in: lpString1=0x53aae0, lpString2="\\\\?\\C:\\Boot\\tr-TR" | out: lpString1="\\\\?\\C:\\Boot\\tr-TR") returned="\\\\?\\C:\\Boot\\tr-TR" [0076.211] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\tr-TR", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\tr-TR\\*") returned="\\\\?\\C:\\Boot\\tr-TR\\*" [0076.211] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\tr-TR\\*", lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2920 [0076.211] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.211] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.211] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.211] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.211] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.211] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0076.211] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0076.211] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.211] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.211] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.211] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.211] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.211] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0076.211] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0076.212] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8393ab6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15440, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0076.212] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0076.212] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0076.212] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0076.212] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0076.212] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0076.212] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0076.212] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0076.212] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui") returned 33 [0076.212] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PUSSY.TXT") returned -1 [0076.212] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0076.212] lstrlenW (lpString=".mui") returned 4 [0076.212] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0076.212] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui" (normalized: "c:\\boot\\tr-tr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0076.212] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8393ab6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15440, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0076.212] FindClose (in: hFindFile=0x4e2920 | out: hFindFile=0x4e2920) returned 1 [0076.212] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR\\PUSSY.TXT") returned 27 [0076.212] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\tr-TR\\PUSSY.TXT" (normalized: "c:\\boot\\tr-tr\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0076.213] lstrlenA (lpString="abcd") returned 4 [0076.213] WriteFile (in: hFile=0x16c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28e5ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28e5ec*=0x4, lpOverlapped=0x0) returned 1 [0076.214] CloseHandle (hObject=0x16c) returned 1 [0076.214] GetProcessHeap () returned 0x4c0000 [0076.214] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53aae0 | out: hHeap=0x4c0000) returned 1 [0076.214] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ecb0, dwReserved1=0x45, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0076.214] lstrcmpiW (lpString1="zh-CN", lpString2="Windows") returned 1 [0076.214] lstrcmpiW (lpString1="zh-CN", lpString2="Program Files") returned 1 [0076.214] lstrcmpiW (lpString1="zh-CN", lpString2="Program Files (x86)") returned 1 [0076.214] lstrcmpiW (lpString1="zh-CN", lpString2="$Recycle.bin") returned 1 [0076.214] lstrcmpiW (lpString1="zh-CN", lpString2="System Volume Information") returned 1 [0076.214] lstrcmpiW (lpString1="zh-CN", lpString2=".") returned 1 [0076.214] lstrcmpiW (lpString1="zh-CN", lpString2="..") returned 1 [0076.214] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN") returned 17 [0076.214] GetProcessHeap () returned 0x4c0000 [0076.214] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53aae0 [0076.215] lstrcpyW (in: lpString1=0x53aae0, lpString2="\\\\?\\C:\\Boot\\zh-CN" | out: lpString1="\\\\?\\C:\\Boot\\zh-CN") returned="\\\\?\\C:\\Boot\\zh-CN" [0076.215] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\zh-CN", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\zh-CN\\*") returned="\\\\?\\C:\\Boot\\zh-CN\\*" [0076.215] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\zh-CN\\*", lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2920 [0076.215] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.215] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.215] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.215] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.215] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.215] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0076.215] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0076.215] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.215] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.215] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.215] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.215] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.215] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0076.215] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0076.215] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8725b0e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11440, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0076.216] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0076.216] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0076.216] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0076.216] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0076.216] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0076.216] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0076.216] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0076.216] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui") returned 33 [0076.216] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PUSSY.TXT") returned -1 [0076.216] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0076.216] lstrlenW (lpString=".mui") returned 4 [0076.216] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0076.216] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-cn\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0076.217] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8725b0e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11440, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0076.217] FindClose (in: hFindFile=0x4e2920 | out: hFindFile=0x4e2920) returned 1 [0076.217] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN\\PUSSY.TXT") returned 27 [0076.217] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-CN\\PUSSY.TXT" (normalized: "c:\\boot\\zh-cn\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0076.217] lstrlenA (lpString="abcd") returned 4 [0076.217] WriteFile (in: hFile=0x16c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28e5ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28e5ec*=0x4, lpOverlapped=0x0) returned 1 [0076.218] CloseHandle (hObject=0x16c) returned 1 [0076.219] GetProcessHeap () returned 0x4c0000 [0076.219] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53aae0 | out: hHeap=0x4c0000) returned 1 [0076.219] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ecb0, dwReserved1=0x45, cFileName="zh-HK", cAlternateFileName="")) returned 1 [0076.219] lstrcmpiW (lpString1="zh-HK", lpString2="Windows") returned 1 [0076.219] lstrcmpiW (lpString1="zh-HK", lpString2="Program Files") returned 1 [0076.219] lstrcmpiW (lpString1="zh-HK", lpString2="Program Files (x86)") returned 1 [0076.219] lstrcmpiW (lpString1="zh-HK", lpString2="$Recycle.bin") returned 1 [0076.219] lstrcmpiW (lpString1="zh-HK", lpString2="System Volume Information") returned 1 [0076.219] lstrcmpiW (lpString1="zh-HK", lpString2=".") returned 1 [0076.219] lstrcmpiW (lpString1="zh-HK", lpString2="..") returned 1 [0076.219] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK") returned 17 [0076.219] GetProcessHeap () returned 0x4c0000 [0076.219] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53aae0 [0076.219] lstrcpyW (in: lpString1=0x53aae0, lpString2="\\\\?\\C:\\Boot\\zh-HK" | out: lpString1="\\\\?\\C:\\Boot\\zh-HK") returned="\\\\?\\C:\\Boot\\zh-HK" [0076.219] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\zh-HK", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\zh-HK\\*") returned="\\\\?\\C:\\Boot\\zh-HK\\*" [0076.219] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\zh-HK\\*", lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2920 [0076.220] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.220] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.220] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.220] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.220] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.220] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0076.220] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0076.220] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.220] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.220] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.220] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.220] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.220] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0076.220] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0076.220] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11250, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0076.220] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0076.220] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0076.220] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0076.221] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0076.221] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0076.221] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0076.221] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0076.221] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui") returned 33 [0076.221] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PUSSY.TXT") returned -1 [0076.221] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0076.221] lstrlenW (lpString=".mui") returned 4 [0076.221] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0076.221] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-hk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0076.221] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11250, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0076.221] FindClose (in: hFindFile=0x4e2920 | out: hFindFile=0x4e2920) returned 1 [0076.221] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK\\PUSSY.TXT") returned 27 [0076.221] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-HK\\PUSSY.TXT" (normalized: "c:\\boot\\zh-hk\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0076.222] lstrlenA (lpString="abcd") returned 4 [0076.222] WriteFile (in: hFile=0x16c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28e5ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28e5ec*=0x4, lpOverlapped=0x0) returned 1 [0076.223] CloseHandle (hObject=0x16c) returned 1 [0076.223] GetProcessHeap () returned 0x4c0000 [0076.223] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53aae0 | out: hHeap=0x4c0000) returned 1 [0076.223] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ecb0, dwReserved1=0x45, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0076.223] lstrcmpiW (lpString1="zh-TW", lpString2="Windows") returned 1 [0076.223] lstrcmpiW (lpString1="zh-TW", lpString2="Program Files") returned 1 [0076.223] lstrcmpiW (lpString1="zh-TW", lpString2="Program Files (x86)") returned 1 [0076.223] lstrcmpiW (lpString1="zh-TW", lpString2="$Recycle.bin") returned 1 [0076.223] lstrcmpiW (lpString1="zh-TW", lpString2="System Volume Information") returned 1 [0076.223] lstrcmpiW (lpString1="zh-TW", lpString2=".") returned 1 [0076.223] lstrcmpiW (lpString1="zh-TW", lpString2="..") returned 1 [0076.223] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW") returned 17 [0076.223] GetProcessHeap () returned 0x4c0000 [0076.223] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53aae0 [0076.223] lstrcpyW (in: lpString1=0x53aae0, lpString2="\\\\?\\C:\\Boot\\zh-TW" | out: lpString1="\\\\?\\C:\\Boot\\zh-TW") returned="\\\\?\\C:\\Boot\\zh-TW" [0076.223] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\zh-TW", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\zh-TW\\*") returned="\\\\?\\C:\\Boot\\zh-TW\\*" [0076.223] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\zh-TW\\*", lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2920 [0076.224] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.224] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.224] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.224] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.224] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.224] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0076.224] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0076.224] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.224] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.224] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.224] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.224] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.224] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0076.224] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0076.224] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83216ab, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11240, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0076.224] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0076.224] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0076.224] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0076.224] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0076.224] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0076.225] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0076.225] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0076.225] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui") returned 33 [0076.225] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PUSSY.TXT") returned -1 [0076.225] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0076.225] lstrlenW (lpString=".mui") returned 4 [0076.225] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0076.225] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-tw\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0076.225] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83216ab, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11240, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0076.225] FindClose (in: hFindFile=0x4e2920 | out: hFindFile=0x4e2920) returned 1 [0076.225] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW\\PUSSY.TXT") returned 27 [0076.225] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-TW\\PUSSY.TXT" (normalized: "c:\\boot\\zh-tw\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0076.225] lstrlenA (lpString="abcd") returned 4 [0076.225] WriteFile (in: hFile=0x16c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28e5ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28e5ec*=0x4, lpOverlapped=0x0) returned 1 [0076.226] CloseHandle (hObject=0x16c) returned 1 [0076.227] GetProcessHeap () returned 0x4c0000 [0076.227] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53aae0 | out: hHeap=0x4c0000) returned 1 [0076.227] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ecb0, dwReserved1=0x45, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0076.227] FindClose (in: hFindFile=0x4e22d0 | out: hFindFile=0x4e22d0) returned 1 [0076.227] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\PUSSY.TXT") returned 21 [0076.227] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\PUSSY.TXT" (normalized: "c:\\boot\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0076.227] lstrlenA (lpString="abcd") returned 4 [0076.227] WriteFile (in: hFile=0x160, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28ed8c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28ed8c*=0x4, lpOverlapped=0x0) returned 1 [0076.228] CloseHandle (hObject=0x160) returned 1 [0076.229] GetProcessHeap () returned 0x4c0000 [0076.229] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0076.229] FindNextFileW (in: hFindFile=0x4d5718, lpFindFileData=0x28f2d8 | out: lpFindFileData=0x28f2d8*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x84a3bb2c, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x5db2a, dwReserved0=0x4, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0076.229] lstrcmpiW (lpString1="bootmgr", lpString2="Windows") returned -1 [0076.229] lstrcmpiW (lpString1="bootmgr", lpString2="Program Files") returned -1 [0076.229] lstrcmpiW (lpString1="bootmgr", lpString2="Program Files (x86)") returned -1 [0076.229] lstrcmpiW (lpString1="bootmgr", lpString2="$Recycle.bin") returned 1 [0076.229] lstrcmpiW (lpString1="bootmgr", lpString2="System Volume Information") returned -1 [0076.229] lstrcmpiW (lpString1="bootmgr", lpString2=".") returned 1 [0076.229] lstrcmpiW (lpString1="bootmgr", lpString2="..") returned 1 [0076.229] wnsprintfW (in: pszDest=0x4f2a80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\bootmgr") returned 14 [0076.229] lstrcmpW (lpString1="bootmgr", lpString2="PUSSY.TXT") returned -1 [0076.229] PathFindExtensionW (pszPath="bootmgr") returned="" [0076.229] lstrlenW (lpString="") returned 0 [0076.229] SystemFunction036 (in: RandomBuffer=0x28f1c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28f1c4) returned 1 [0076.229] CreateFileW (lpFileName="\\\\?\\C:\\bootmgr" (normalized: "c:\\bootmgr"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0076.229] FindNextFileW (in: hFindFile=0x4d5718, lpFindFileData=0x28f2d8 | out: lpFindFileData=0x28f2d8*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac54a060, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac54a060, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac54a060, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x4, dwReserved1=0x0, cFileName="BOOTSECT.BAK", cAlternateFileName="")) returned 1 [0076.230] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="Windows") returned -1 [0076.230] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="Program Files") returned -1 [0076.230] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="Program Files (x86)") returned -1 [0076.230] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="$Recycle.bin") returned 1 [0076.230] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="System Volume Information") returned -1 [0076.230] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2=".") returned 1 [0076.230] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="..") returned 1 [0076.230] wnsprintfW (in: pszDest=0x4f2a80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\BOOTSECT.BAK") returned 19 [0076.230] lstrcmpW (lpString1="BOOTSECT.BAK", lpString2="PUSSY.TXT") returned -1 [0076.230] PathFindExtensionW (pszPath="BOOTSECT.BAK") returned=".BAK" [0076.230] lstrlenW (lpString=".BAK") returned 4 [0076.230] SystemFunction036 (in: RandomBuffer=0x28f1c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28f1c4) returned 1 [0076.230] CreateFileW (lpFileName="\\\\?\\C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0076.231] FindNextFileW (in: hFindFile=0x4d5718, lpFindFileData=0x28f2d8 | out: lpFindFileData=0x28f2d8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x0, cFileName="Config.Msi", cAlternateFileName="")) returned 1 [0076.231] lstrcmpiW (lpString1="Config.Msi", lpString2="Windows") returned -1 [0076.231] lstrcmpiW (lpString1="Config.Msi", lpString2="Program Files") returned -1 [0076.231] lstrcmpiW (lpString1="Config.Msi", lpString2="Program Files (x86)") returned -1 [0076.231] lstrcmpiW (lpString1="Config.Msi", lpString2="$Recycle.bin") returned 1 [0076.231] lstrcmpiW (lpString1="Config.Msi", lpString2="System Volume Information") returned -1 [0076.231] lstrcmpiW (lpString1="Config.Msi", lpString2=".") returned 1 [0076.231] lstrcmpiW (lpString1="Config.Msi", lpString2="..") returned 1 [0076.231] wnsprintfW (in: pszDest=0x4f2a80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Config.Msi") returned 17 [0076.231] GetProcessHeap () returned 0x4c0000 [0076.231] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x502a88 [0076.231] lstrcpyW (in: lpString1=0x502a88, lpString2="\\\\?\\C:\\Config.Msi" | out: lpString1="\\\\?\\C:\\Config.Msi") returned="\\\\?\\C:\\Config.Msi" [0076.231] lstrcatW (in: lpString1="\\\\?\\C:\\Config.Msi", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Config.Msi\\*") returned="\\\\?\\C:\\Config.Msi\\*" [0076.231] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Config.Msi\\*", lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e22d0 [0076.232] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.232] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.232] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.232] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.232] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.232] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0076.232] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0076.232] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.232] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.232] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.232] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.232] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.232] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0076.232] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0076.232] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 0 [0076.232] FindClose (in: hFindFile=0x4e22d0 | out: hFindFile=0x4e22d0) returned 1 [0076.233] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Config.Msi\\PUSSY.TXT") returned 27 [0076.233] CreateFileW (lpFileName="\\\\?\\C:\\Config.Msi\\PUSSY.TXT" (normalized: "c:\\config.msi\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0076.233] lstrlenA (lpString="abcd") returned 4 [0076.233] WriteFile (in: hFile=0x160, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28ed8c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28ed8c*=0x4, lpOverlapped=0x0) returned 1 [0076.234] CloseHandle (hObject=0x160) returned 1 [0076.234] GetProcessHeap () returned 0x4c0000 [0076.234] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0076.234] FindNextFileW (in: hFindFile=0x4d5718, lpFindFileData=0x28f2d8 | out: lpFindFileData=0x28f2d8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0076.234] lstrcmpiW (lpString1="Documents and Settings", lpString2="Windows") returned -1 [0076.234] lstrcmpiW (lpString1="Documents and Settings", lpString2="Program Files") returned -1 [0076.235] lstrcmpiW (lpString1="Documents and Settings", lpString2="Program Files (x86)") returned -1 [0076.235] lstrcmpiW (lpString1="Documents and Settings", lpString2="$Recycle.bin") returned 1 [0076.235] lstrcmpiW (lpString1="Documents and Settings", lpString2="System Volume Information") returned -1 [0076.235] lstrcmpiW (lpString1="Documents and Settings", lpString2=".") returned 1 [0076.235] lstrcmpiW (lpString1="Documents and Settings", lpString2="..") returned 1 [0076.235] wnsprintfW (in: pszDest=0x4f2a80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Documents and Settings") returned 29 [0076.235] GetProcessHeap () returned 0x4c0000 [0076.235] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x502a88 [0076.235] lstrcpyW (in: lpString1=0x502a88, lpString2="\\\\?\\C:\\Documents and Settings" | out: lpString1="\\\\?\\C:\\Documents and Settings") returned="\\\\?\\C:\\Documents and Settings" [0076.235] lstrcatW (in: lpString1="\\\\?\\C:\\Documents and Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Documents and Settings\\*") returned="\\\\?\\C:\\Documents and Settings\\*" [0076.235] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Documents and Settings\\*", lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="s")) returned 0xffffffff [0076.235] GetProcessHeap () returned 0x4c0000 [0076.235] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0076.235] FindNextFileW (in: hFindFile=0x4d5718, lpFindFileData=0x28f2d8 | out: lpFindFileData=0x28f2d8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x56257dc0, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x56257dc0, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0xae99ef60, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x5ff9d000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0076.236] lstrcmpiW (lpString1="hiberfil.sys", lpString2="Windows") returned -1 [0076.236] lstrcmpiW (lpString1="hiberfil.sys", lpString2="Program Files") returned -1 [0076.236] lstrcmpiW (lpString1="hiberfil.sys", lpString2="Program Files (x86)") returned -1 [0076.236] lstrcmpiW (lpString1="hiberfil.sys", lpString2="$Recycle.bin") returned 1 [0076.236] lstrcmpiW (lpString1="hiberfil.sys", lpString2="System Volume Information") returned -1 [0076.236] lstrcmpiW (lpString1="hiberfil.sys", lpString2=".") returned 1 [0076.236] lstrcmpiW (lpString1="hiberfil.sys", lpString2="..") returned 1 [0076.236] wnsprintfW (in: pszDest=0x4f2a80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\hiberfil.sys") returned 19 [0076.236] lstrcmpW (lpString1="hiberfil.sys", lpString2="PUSSY.TXT") returned -1 [0076.236] PathFindExtensionW (pszPath="hiberfil.sys") returned=".sys" [0076.236] lstrlenW (lpString=".sys") returned 4 [0076.236] SystemFunction036 (in: RandomBuffer=0x28f1c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28f1c4) returned 1 [0076.236] CreateFileW (lpFileName="\\\\?\\C:\\hiberfil.sys" (normalized: "c:\\hiberfil.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0076.236] FindNextFileW (in: hFindFile=0x4d5718, lpFindFileData=0x28f2d8 | out: lpFindFileData=0x28f2d8*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSOCache", cAlternateFileName="")) returned 1 [0076.236] lstrcmpiW (lpString1="MSOCache", lpString2="Windows") returned -1 [0076.236] lstrcmpiW (lpString1="MSOCache", lpString2="Program Files") returned -1 [0076.236] lstrcmpiW (lpString1="MSOCache", lpString2="Program Files (x86)") returned -1 [0076.236] lstrcmpiW (lpString1="MSOCache", lpString2="$Recycle.bin") returned 1 [0076.236] lstrcmpiW (lpString1="MSOCache", lpString2="System Volume Information") returned -1 [0076.236] lstrcmpiW (lpString1="MSOCache", lpString2=".") returned 1 [0076.237] lstrcmpiW (lpString1="MSOCache", lpString2="..") returned 1 [0076.237] wnsprintfW (in: pszDest=0x4f2a80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache") returned 15 [0076.237] GetProcessHeap () returned 0x4c0000 [0076.237] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x502a88 [0076.237] lstrcpyW (in: lpString1=0x502a88, lpString2="\\\\?\\C:\\MSOCache" | out: lpString1="\\\\?\\C:\\MSOCache") returned="\\\\?\\C:\\MSOCache" [0076.237] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\MSOCache\\*") returned="\\\\?\\C:\\MSOCache\\*" [0076.237] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\*", lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e22d0 [0076.237] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.237] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.237] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.237] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.237] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.237] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0076.237] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0076.237] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.237] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.237] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.238] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.238] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.238] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0076.238] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0076.238] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0076.238] lstrcmpiW (lpString1="All Users", lpString2="Windows") returned -1 [0076.238] lstrcmpiW (lpString1="All Users", lpString2="Program Files") returned -1 [0076.238] lstrcmpiW (lpString1="All Users", lpString2="Program Files (x86)") returned -1 [0076.238] lstrcmpiW (lpString1="All Users", lpString2="$Recycle.bin") returned 1 [0076.238] lstrcmpiW (lpString1="All Users", lpString2="System Volume Information") returned -1 [0076.238] lstrcmpiW (lpString1="All Users", lpString2=".") returned 1 [0076.238] lstrcmpiW (lpString1="All Users", lpString2="..") returned 1 [0076.238] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users") returned 25 [0076.238] GetProcessHeap () returned 0x4c0000 [0076.238] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53aae0 [0076.238] lstrcpyW (in: lpString1=0x53aae0, lpString2="\\\\?\\C:\\MSOCache\\All Users" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users") returned="\\\\?\\C:\\MSOCache\\All Users" [0076.238] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users", lpString2="\\*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\*") returned="\\\\?\\C:\\MSOCache\\All Users\\*" [0076.238] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\*", lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2920 [0076.251] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.251] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.251] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.251] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.251] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.251] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0076.251] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0076.299] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.299] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.299] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.299] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.299] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.299] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0076.299] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0076.299] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="{90140000-0016-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~3")) returned 1 [0076.299] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0076.299] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0076.299] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0076.299] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0076.299] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0076.299] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0076.299] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0076.299] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C") returned 66 [0076.299] GetProcessHeap () returned 0x4c0000 [0076.299] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0076.300] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C" [0076.300] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="\\*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*" [0076.300] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0076.301] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.301] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.301] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.301] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.301] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.301] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0076.301] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0076.301] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.301] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.301] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.301] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.301] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.301] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0076.301] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0076.301] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x393df700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x393df700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xed035930, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x102fcbb, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="ExcelLR.cab", cAlternateFileName="")) returned 1 [0076.301] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="Windows") returned -1 [0076.301] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="Program Files") returned -1 [0076.301] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="Program Files (x86)") returned -1 [0076.301] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="$Recycle.bin") returned 1 [0076.301] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="System Volume Information") returned -1 [0076.302] lstrcmpiW (lpString1="ExcelLR.cab", lpString2=".") returned 1 [0076.302] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="..") returned 1 [0076.302] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 78 [0076.302] lstrcmpW (lpString1="ExcelLR.cab", lpString2="PUSSY.TXT") returned -1 [0076.302] PathFindExtensionW (pszPath="ExcelLR.cab") returned=".cab" [0076.302] lstrlenW (lpString=".cab") returned 4 [0076.302] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0076.302] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x170 [0076.303] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=16972987) returned 1 [0076.303] GetProcessHeap () returned 0x4c0000 [0076.303] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x54aae8 [0076.315] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="91") returned 2 [0076.315] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="B9") returned 2 [0076.315] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="41") returned 2 [0076.315] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="EC") returned 2 [0076.315] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="74") returned 2 [0076.315] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="D5") returned 2 [0076.315] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="26") returned 2 [0076.315] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="57") returned 2 [0076.315] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="EA") returned 2 [0076.315] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="B3") returned 2 [0076.316] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="58") returned 2 [0076.316] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="3F") returned 2 [0076.316] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="8A") returned 2 [0076.316] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="CD") returned 2 [0076.316] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="96") returned 2 [0076.316] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="2E") returned 2 [0076.316] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="C4") returned 2 [0076.316] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="3E") returned 2 [0076.316] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="DD") returned 2 [0076.316] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="5D") returned 2 [0076.316] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="9E") returned 2 [0076.316] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="52") returned 2 [0076.316] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="3D") returned 2 [0076.316] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="AF") returned 2 [0076.316] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="01") returned 2 [0076.316] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="9A") returned 2 [0076.316] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="BE") returned 2 [0076.316] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="4C") returned 2 [0076.316] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="22") returned 2 [0076.316] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="71") returned 2 [0076.316] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="6D") returned 2 [0076.316] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="2D") returned 2 [0076.328] lstrcpyW (in: lpString1=0x55ab1c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" [0076.328] lstrcpyW (in: lpString1=0x54ab1c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" [0076.328] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpString2=".91B941EC74D52657EAB3583F8ACD962EC43EDD5D9E523DAF019ABE4C22716D2D" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.91B941EC74D52657EAB3583F8ACD962EC43EDD5D9E523DAF019ABE4C22716D2D") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.91B941EC74D52657EAB3583F8ACD962EC43EDD5D9E523DAF019ABE4C22716D2D" [0076.328] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x94, CompletionKey=0x54aae8, NumberOfConcurrentThreads=0x0) returned 0x94 [0076.328] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x54aae8, lpOverlapped=0x54aae8) returned 1 [0076.329] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xece1ee80, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x263e00, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="ExcelMUI.msi", cAlternateFileName="")) returned 1 [0076.329] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="Windows") returned -1 [0076.329] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="Program Files") returned -1 [0076.329] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="Program Files (x86)") returned -1 [0076.329] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="$Recycle.bin") returned 1 [0076.329] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="System Volume Information") returned -1 [0076.329] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2=".") returned 1 [0076.329] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="..") returned 1 [0076.329] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 79 [0076.329] lstrcmpW (lpString1="ExcelMUI.msi", lpString2="PUSSY.TXT") returned -1 [0076.329] PathFindExtensionW (pszPath="ExcelMUI.msi") returned=".msi" [0076.329] lstrlenW (lpString=".msi") returned 4 [0076.329] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0076.329] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x174 [0076.329] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=2506240) returned 1 [0076.329] GetProcessHeap () returned 0x4c0000 [0076.330] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x572b38 [0076.343] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="D2") returned 2 [0076.343] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="F8") returned 2 [0076.343] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="9B") returned 2 [0076.343] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="88") returned 2 [0076.343] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="F6") returned 2 [0076.343] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="0A") returned 2 [0076.343] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="38") returned 2 [0076.343] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="DB") returned 2 [0076.343] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="B9") returned 2 [0076.343] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="E1") returned 2 [0076.343] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="73") returned 2 [0076.343] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="DD") returned 2 [0076.343] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="36") returned 2 [0076.343] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="7F") returned 2 [0076.343] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="35") returned 2 [0076.343] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="8E") returned 2 [0076.343] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="32") returned 2 [0076.343] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="41") returned 2 [0076.343] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="F7") returned 2 [0076.343] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="DA") returned 2 [0076.343] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="5D") returned 2 [0076.343] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="EA") returned 2 [0076.343] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="E6") returned 2 [0076.343] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="42") returned 2 [0076.343] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="AD") returned 2 [0076.343] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="8D") returned 2 [0076.343] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="38") returned 2 [0076.343] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="C2") returned 2 [0076.343] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="48") returned 2 [0076.344] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="CD") returned 2 [0076.344] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="06") returned 2 [0076.344] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="1F") returned 2 [0076.352] lstrcpyW (in: lpString1=0x582b6c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" [0076.352] lstrcpyW (in: lpString1=0x572b6c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" [0076.352] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi", lpString2=".D2F89B88F60A38DBB9E173DD367F358E3241F7DA5DEAE642AD8D38C248CD061F" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.D2F89B88F60A38DBB9E173DD367F358E3241F7DA5DEAE642AD8D38C248CD061F") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.D2F89B88F60A38DBB9E173DD367F358E3241F7DA5DEAE642AD8D38C248CD061F" [0076.352] CreateIoCompletionPort (FileHandle=0x174, ExistingCompletionPort=0x94, CompletionKey=0x572b38, NumberOfConcurrentThreads=0x0) returned 0x94 [0076.352] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x572b38, lpOverlapped=0x572b38) returned 1 [0076.352] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x61d, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="ExcelMUI.xml", cAlternateFileName="")) returned 1 [0076.353] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="Windows") returned -1 [0076.353] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="Program Files") returned -1 [0076.353] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="Program Files (x86)") returned -1 [0076.353] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="$Recycle.bin") returned 1 [0076.353] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="System Volume Information") returned -1 [0076.353] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2=".") returned 1 [0076.353] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="..") returned 1 [0076.353] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 79 [0076.353] lstrcmpW (lpString1="ExcelMUI.xml", lpString2="PUSSY.TXT") returned -1 [0076.353] PathFindExtensionW (pszPath="ExcelMUI.xml") returned=".xml" [0076.353] lstrlenW (lpString=".xml") returned 4 [0076.353] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0076.353] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0076.353] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=1565) returned 1 [0076.353] GetProcessHeap () returned 0x4c0000 [0076.353] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b00048 [0076.364] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="98") returned 2 [0076.364] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="D1") returned 2 [0076.364] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="BC") returned 2 [0076.364] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="21") returned 2 [0076.364] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="EF") returned 2 [0076.364] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="9A") returned 2 [0076.364] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="3E") returned 2 [0076.364] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="7E") returned 2 [0076.364] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="FA") returned 2 [0076.364] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="4C") returned 2 [0076.364] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="3E") returned 2 [0076.364] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="28") returned 2 [0076.364] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="81") returned 2 [0076.364] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="BA") returned 2 [0076.364] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="CA") returned 2 [0076.364] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="C4") returned 2 [0076.364] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="51") returned 2 [0076.364] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="E3") returned 2 [0076.364] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="9C") returned 2 [0076.365] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="92") returned 2 [0076.365] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="51") returned 2 [0076.365] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="90") returned 2 [0076.365] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="40") returned 2 [0076.365] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="37") returned 2 [0076.365] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="02") returned 2 [0076.365] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="09") returned 2 [0076.365] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="AD") returned 2 [0076.365] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="07") returned 2 [0076.365] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="3C") returned 2 [0076.365] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="B1") returned 2 [0076.365] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="B0") returned 2 [0076.365] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="64") returned 2 [0076.378] lstrcpyW (in: lpString1=0x3b1007c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" [0076.378] lstrcpyW (in: lpString1=0x3b0007c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" [0076.378] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpString2=".98D1BC21EF9A3E7EFA4C3E2881BACAC451E39C92519040370209AD073CB1B064" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.98D1BC21EF9A3E7EFA4C3E2881BACAC451E39C92519040370209AD073CB1B064") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.98D1BC21EF9A3E7EFA4C3E2881BACAC451E39C92519040370209AD073CB1B064" [0076.378] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x3b00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0076.378] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b00048, lpOverlapped=0x3b00048) returned 1 [0076.378] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x8f8, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0076.378] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0076.379] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0076.379] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0076.379] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0076.379] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0076.379] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0076.379] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0076.379] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0076.379] lstrcmpW (lpString1="Setup.xml", lpString2="PUSSY.TXT") returned 1 [0076.379] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0076.379] lstrlenW (lpString=".xml") returned 4 [0076.379] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0076.379] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0076.381] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=2296) returned 1 [0076.381] GetProcessHeap () returned 0x4c0000 [0076.381] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b28098 [0076.395] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="A7") returned 2 [0076.396] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="04") returned 2 [0076.396] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="86") returned 2 [0076.396] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="30") returned 2 [0076.396] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="A7") returned 2 [0076.396] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="B3") returned 2 [0076.396] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="0D") returned 2 [0076.396] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="D8") returned 2 [0076.396] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="1D") returned 2 [0076.396] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="9C") returned 2 [0076.396] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="9A") returned 2 [0076.396] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="67") returned 2 [0076.396] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="5F") returned 2 [0076.396] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="BB") returned 2 [0076.396] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="50") returned 2 [0076.396] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="A2") returned 2 [0076.396] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="9E") returned 2 [0076.396] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="83") returned 2 [0076.396] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="1F") returned 2 [0076.396] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="FD") returned 2 [0076.396] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="F1") returned 2 [0076.397] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="F9") returned 2 [0076.397] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="57") returned 2 [0076.397] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="7B") returned 2 [0076.397] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="B9") returned 2 [0076.397] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="C1") returned 2 [0076.397] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="56") returned 2 [0076.397] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="44") returned 2 [0076.397] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="36") returned 2 [0076.397] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="7C") returned 2 [0076.397] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="A9") returned 2 [0076.397] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="5E") returned 2 [0076.485] lstrcpyW (in: lpString1=0x3b380cc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" [0076.485] lstrcpyW (in: lpString1=0x3b280cc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" [0076.485] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".A7048630A7B30DD81D9C9A675FBB50A29E831FFDF1F9577BB9C15644367CA95E" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.A7048630A7B30DD81D9C9A675FBB50A29E831FFDF1F9577BB9C15644367CA95E") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.A7048630A7B30DD81D9C9A675FBB50A29E831FFDF1F9577BB9C15644367CA95E" [0076.485] CreateIoCompletionPort (FileHandle=0x17c, ExistingCompletionPort=0x94, CompletionKey=0x3b28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0076.485] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b28098, lpOverlapped=0x3b28098) returned 1 [0076.486] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x8f8, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0076.486] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0076.486] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\PUSSY.TXT") returned 76 [0076.486] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\PUSSY.TXT" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0076.488] lstrlenA (lpString="abcd") returned 4 [0076.488] WriteFile (in: hFile=0x168, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0076.489] CloseHandle (hObject=0x168) returned 1 [0076.490] GetProcessHeap () returned 0x4c0000 [0076.490] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0076.490] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe8729610, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xecdfa490, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="{90140000-0018-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~2")) returned 1 [0076.490] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0076.490] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0076.490] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0076.490] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0076.490] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0076.490] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0076.490] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0076.490] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C") returned 66 [0076.490] GetProcessHeap () returned 0x4c0000 [0076.490] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0076.490] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C" [0076.490] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="\\*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*" [0076.490] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe8729610, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xecdfa490, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0076.572] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.572] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.572] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.572] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.572] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.572] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0076.572] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe8729610, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xecdfa490, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0076.572] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.572] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.572] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.572] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.572] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.572] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0076.572] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0076.572] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe874f770, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x263400, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="PowerPointMUI.msi", cAlternateFileName="POWERP~1.MSI")) returned 1 [0076.573] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="Windows") returned -1 [0076.573] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="Program Files") returned -1 [0076.573] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="Program Files (x86)") returned -1 [0076.573] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="$Recycle.bin") returned 1 [0076.573] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="System Volume Information") returned -1 [0076.573] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2=".") returned 1 [0076.573] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="..") returned 1 [0076.573] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 84 [0076.573] lstrcmpW (lpString1="PowerPointMUI.msi", lpString2="PUSSY.TXT") returned -1 [0076.573] PathFindExtensionW (pszPath="PowerPointMUI.msi") returned=".msi" [0076.573] lstrlenW (lpString=".msi") returned 4 [0076.573] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0076.573] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0076.573] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=2503680) returned 1 [0076.574] GetProcessHeap () returned 0x4c0000 [0076.574] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b00048 [0076.587] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="49") returned 2 [0076.587] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="EF") returned 2 [0076.587] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="08") returned 2 [0076.587] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="D9") returned 2 [0076.587] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="D8") returned 2 [0076.587] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="A8") returned 2 [0076.587] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="CB") returned 2 [0076.587] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="45") returned 2 [0076.587] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="58") returned 2 [0076.587] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="D6") returned 2 [0076.587] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="9D") returned 2 [0076.587] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="B5") returned 2 [0076.587] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="74") returned 2 [0076.587] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="80") returned 2 [0076.587] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="83") returned 2 [0076.587] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="5E") returned 2 [0076.587] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="2E") returned 2 [0076.587] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="72") returned 2 [0076.588] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="32") returned 2 [0076.588] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="21") returned 2 [0076.588] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="04") returned 2 [0076.588] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="64") returned 2 [0076.588] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="AA") returned 2 [0076.588] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="EA") returned 2 [0076.588] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="86") returned 2 [0076.588] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="ED") returned 2 [0076.588] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="2F") returned 2 [0076.588] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="DE") returned 2 [0076.588] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="A9") returned 2 [0076.588] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="EF") returned 2 [0076.588] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="19") returned 2 [0076.588] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="7D") returned 2 [0076.601] lstrcpyW (in: lpString1=0x3b1007c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi" [0076.601] lstrcpyW (in: lpString1=0x3b0007c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi" [0076.601] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi", lpString2=".49EF08D9D8A8CB4558D69DB57480835E2E7232210464AAEA86ED2FDEA9EF197D" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.49EF08D9D8A8CB4558D69DB57480835E2E7232210464AAEA86ED2FDEA9EF197D") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.49EF08D9D8A8CB4558D69DB57480835E2E7232210464AAEA86ED2FDEA9EF197D" [0076.601] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x3b00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0076.602] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b00048, lpOverlapped=0x3b00048) returned 1 [0076.602] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5aa, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="PowerPointMUI.xml", cAlternateFileName="POWERP~1.XML")) returned 1 [0076.602] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="Windows") returned -1 [0076.602] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="Program Files") returned -1 [0076.602] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="Program Files (x86)") returned -1 [0076.602] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="$Recycle.bin") returned 1 [0076.602] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="System Volume Information") returned -1 [0076.602] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2=".") returned 1 [0076.602] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="..") returned 1 [0076.602] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 84 [0076.602] lstrcmpW (lpString1="PowerPointMUI.xml", lpString2="PUSSY.TXT") returned -1 [0076.602] PathFindExtensionW (pszPath="PowerPointMUI.xml") returned=".xml" [0076.602] lstrlenW (lpString=".xml") returned 4 [0076.602] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0076.602] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x180 [0076.603] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=1450) returned 1 [0076.603] GetProcessHeap () returned 0x4c0000 [0076.603] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b500e8 [0076.618] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="58") returned 2 [0076.618] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="42") returned 2 [0076.618] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="4D") returned 2 [0076.618] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="39") returned 2 [0076.618] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="F8") returned 2 [0076.618] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="44") returned 2 [0076.618] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="C7") returned 2 [0076.618] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="52") returned 2 [0076.618] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="82") returned 2 [0076.618] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="A2") returned 2 [0076.618] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="D4") returned 2 [0076.618] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="84") returned 2 [0076.619] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="00") returned 2 [0076.619] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="87") returned 2 [0076.619] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="DC") returned 2 [0076.619] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="AF") returned 2 [0076.619] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="6D") returned 2 [0076.619] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="01") returned 2 [0076.619] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="64") returned 2 [0076.619] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="69") returned 2 [0076.619] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="CB") returned 2 [0076.619] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="FA") returned 2 [0076.619] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="D8") returned 2 [0076.619] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="01") returned 2 [0076.619] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="17") returned 2 [0076.619] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="73") returned 2 [0076.619] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="D4") returned 2 [0076.619] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="01") returned 2 [0076.619] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="0C") returned 2 [0076.619] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="4A") returned 2 [0076.619] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="2D") returned 2 [0076.619] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="70") returned 2 [0076.633] lstrcpyW (in: lpString1=0x3b6011c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" [0076.633] lstrcpyW (in: lpString1=0x3b5011c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" [0076.633] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpString2=".58424D39F844C75282A2D4840087DCAF6D016469CBFAD8011773D4010C4A2D70" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.58424D39F844C75282A2D4840087DCAF6D016469CBFAD8011773D4010C4A2D70") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.58424D39F844C75282A2D4840087DCAF6D016469CBFAD8011773D4010C4A2D70" [0076.633] CreateIoCompletionPort (FileHandle=0x180, ExistingCompletionPort=0x94, CompletionKey=0x3b500e8, NumberOfConcurrentThreads=0x0) returned 0x94 [0076.633] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b500e8, lpOverlapped=0x3b500e8) returned 1 [0076.662] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2d523500, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x2d523500, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe8b079d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x431a290, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="PptLR.cab", cAlternateFileName="")) returned 1 [0076.662] lstrcmpiW (lpString1="PptLR.cab", lpString2="Windows") returned -1 [0076.662] lstrcmpiW (lpString1="PptLR.cab", lpString2="Program Files") returned -1 [0076.662] lstrcmpiW (lpString1="PptLR.cab", lpString2="Program Files (x86)") returned -1 [0076.662] lstrcmpiW (lpString1="PptLR.cab", lpString2="$Recycle.bin") returned 1 [0076.662] lstrcmpiW (lpString1="PptLR.cab", lpString2="System Volume Information") returned -1 [0076.662] lstrcmpiW (lpString1="PptLR.cab", lpString2=".") returned 1 [0076.662] lstrcmpiW (lpString1="PptLR.cab", lpString2="..") returned 1 [0076.662] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 76 [0076.663] lstrcmpW (lpString1="PptLR.cab", lpString2="PUSSY.TXT") returned -1 [0076.663] PathFindExtensionW (pszPath="PptLR.cab") returned=".cab" [0076.663] lstrlenW (lpString=".cab") returned 4 [0076.663] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0076.663] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0076.665] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=70361744) returned 1 [0076.665] GetProcessHeap () returned 0x4c0000 [0076.665] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b78138 [0076.680] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="40") returned 2 [0076.680] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="D1") returned 2 [0076.680] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="DE") returned 2 [0076.680] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="CB") returned 2 [0076.680] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="85") returned 2 [0076.680] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="53") returned 2 [0076.680] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="4C") returned 2 [0076.680] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="BC") returned 2 [0076.680] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="C3") returned 2 [0076.680] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="46") returned 2 [0076.680] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="3A") returned 2 [0076.680] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="A7") returned 2 [0076.681] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="F3") returned 2 [0076.681] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="80") returned 2 [0076.681] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="0C") returned 2 [0076.681] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="C6") returned 2 [0076.681] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="67") returned 2 [0076.681] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="6E") returned 2 [0076.681] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="53") returned 2 [0076.681] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="78") returned 2 [0076.681] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="3C") returned 2 [0076.681] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="6F") returned 2 [0076.681] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="A0") returned 2 [0076.681] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="26") returned 2 [0076.681] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="19") returned 2 [0076.681] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="9E") returned 2 [0076.681] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="EA") returned 2 [0076.681] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="0C") returned 2 [0076.681] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="81") returned 2 [0076.681] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="E1") returned 2 [0076.681] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="A1") returned 2 [0076.681] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="6C") returned 2 [0076.695] lstrcpyW (in: lpString1=0x3b8816c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" [0076.695] lstrcpyW (in: lpString1=0x3b7816c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" [0076.695] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpString2=".40D1DECB85534CBCC3463AA7F3800CC6676E53783C6FA026199EEA0C81E1A16C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.40D1DECB85534CBCC3463AA7F3800CC6676E53783C6FA026199EEA0C81E1A16C") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.40D1DECB85534CBCC3463AA7F3800CC6676E53783C6FA026199EEA0C81E1A16C" [0076.695] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x3b78138, NumberOfConcurrentThreads=0x0) returned 0x94 [0076.695] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b78138, lpOverlapped=0x3b78138) returned 1 [0076.696] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x75e, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0076.696] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0076.696] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0076.696] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0076.696] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0076.696] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0076.696] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0076.696] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0076.696] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0076.696] lstrcmpW (lpString1="Setup.xml", lpString2="PUSSY.TXT") returned 1 [0076.696] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0076.696] lstrlenW (lpString=".xml") returned 4 [0076.696] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0076.697] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x188 [0076.697] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=1886) returned 1 [0076.697] GetProcessHeap () returned 0x4c0000 [0076.697] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3ba0188 [0076.712] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="7F") returned 2 [0076.712] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="5E") returned 2 [0076.712] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="D4") returned 2 [0076.712] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="39") returned 2 [0076.712] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="68") returned 2 [0076.712] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="21") returned 2 [0076.712] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="98") returned 2 [0076.713] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="3C") returned 2 [0076.713] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="65") returned 2 [0076.713] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="72") returned 2 [0076.713] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="65") returned 2 [0076.713] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="1B") returned 2 [0076.713] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="2C") returned 2 [0076.713] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="9D") returned 2 [0076.713] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="27") returned 2 [0076.713] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="D6") returned 2 [0076.713] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="F1") returned 2 [0076.713] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="87") returned 2 [0076.713] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="4B") returned 2 [0076.713] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="59") returned 2 [0076.713] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="2D") returned 2 [0076.713] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="7D") returned 2 [0076.713] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="B0") returned 2 [0076.713] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="04") returned 2 [0076.713] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="F5") returned 2 [0076.713] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="E7") returned 2 [0076.713] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="59") returned 2 [0076.713] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="B0") returned 2 [0076.714] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="1A") returned 2 [0076.714] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="C3") returned 2 [0076.714] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="5A") returned 2 [0076.714] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="6D") returned 2 [0076.727] lstrcpyW (in: lpString1=0x3bb01bc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" [0076.727] lstrcpyW (in: lpString1=0x3ba01bc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" [0076.727] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".7F5ED4396821983C6572651B2C9D27D6F1874B592D7DB004F5E759B01AC35A6D" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.7F5ED4396821983C6572651B2C9D27D6F1874B592D7DB004F5E759B01AC35A6D") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.7F5ED4396821983C6572651B2C9D27D6F1874B592D7DB004F5E759B01AC35A6D" [0076.727] CreateIoCompletionPort (FileHandle=0x188, ExistingCompletionPort=0x94, CompletionKey=0x3ba0188, NumberOfConcurrentThreads=0x0) returned 0x94 [0076.727] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3ba0188, lpOverlapped=0x3ba0188) returned 1 [0076.737] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x75e, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0076.738] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0076.738] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PUSSY.TXT") returned 76 [0076.738] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PUSSY.TXT" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0076.738] lstrlenA (lpString="abcd") returned 4 [0076.738] WriteFile (in: hFile=0x168, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0076.739] CloseHandle (hObject=0x168) returned 1 [0076.739] GetProcessHeap () returned 0x4c0000 [0076.739] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0076.741] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc3e6570, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc8a9170, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="{90140000-0019-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9877A~1")) returned 1 [0076.741] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0076.741] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0076.741] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0076.741] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0076.742] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0076.742] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0076.742] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0076.742] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C") returned 66 [0076.742] GetProcessHeap () returned 0x4c0000 [0076.742] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0076.742] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C" [0076.742] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="\\*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*" [0076.742] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc3e6570, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc8a9170, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0077.141] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.141] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.141] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.141] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.141] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.141] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0077.141] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc3e6570, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc8a9170, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0077.141] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.141] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.141] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.141] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.141] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.141] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0077.141] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0077.141] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc40b730, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x265c00, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="PublisherMUI.msi", cAlternateFileName="PUBLIS~1.MSI")) returned 1 [0077.142] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="Windows") returned -1 [0077.142] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="Program Files") returned 1 [0077.142] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="Program Files (x86)") returned 1 [0077.142] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="$Recycle.bin") returned 1 [0077.142] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="System Volume Information") returned -1 [0077.142] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2=".") returned 1 [0077.142] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="..") returned 1 [0077.142] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 83 [0077.142] lstrcmpW (lpString1="PublisherMUI.msi", lpString2="PUSSY.TXT") returned -1 [0077.142] PathFindExtensionW (pszPath="PublisherMUI.msi") returned=".msi" [0077.142] lstrlenW (lpString=".msi") returned 4 [0077.142] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0077.142] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x174 [0077.144] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=2513920) returned 1 [0077.144] GetProcessHeap () returned 0x4c0000 [0077.144] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b28098 [0077.156] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="4C") returned 2 [0077.156] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="02") returned 2 [0077.156] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="D1") returned 2 [0077.157] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="12") returned 2 [0077.157] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="E3") returned 2 [0077.157] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="61") returned 2 [0077.157] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="03") returned 2 [0077.157] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="8F") returned 2 [0077.157] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="A8") returned 2 [0077.157] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="3F") returned 2 [0077.157] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="48") returned 2 [0077.157] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="9F") returned 2 [0077.157] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="73") returned 2 [0077.157] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="16") returned 2 [0077.157] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="4C") returned 2 [0077.157] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="AC") returned 2 [0077.157] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="8A") returned 2 [0077.157] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="31") returned 2 [0077.157] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="09") returned 2 [0077.157] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="9B") returned 2 [0077.157] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="82") returned 2 [0077.157] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="CE") returned 2 [0077.157] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="51") returned 2 [0077.157] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="22") returned 2 [0077.157] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="4F") returned 2 [0077.157] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="78") returned 2 [0077.157] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="19") returned 2 [0077.157] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="10") returned 2 [0077.157] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="D5") returned 2 [0077.157] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="4F") returned 2 [0077.158] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="43") returned 2 [0077.158] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="50") returned 2 [0077.170] lstrcpyW (in: lpString1=0x3b380cc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" [0077.170] lstrcpyW (in: lpString1=0x3b280cc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" [0077.170] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi", lpString2=".4C02D112E361038FA83F489F73164CAC8A31099B82CE51224F781910D54F4350" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.4C02D112E361038FA83F489F73164CAC8A31099B82CE51224F781910D54F4350") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.4C02D112E361038FA83F489F73164CAC8A31099B82CE51224F781910D54F4350" [0077.170] CreateIoCompletionPort (FileHandle=0x174, ExistingCompletionPort=0x94, CompletionKey=0x3b28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0077.170] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b28098, lpOverlapped=0x3b28098) returned 1 [0077.214] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc3e4630, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5aa, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="PublisherMUI.xml", cAlternateFileName="PUBLIS~1.XML")) returned 1 [0077.214] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="Windows") returned -1 [0077.214] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="Program Files") returned 1 [0077.214] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="Program Files (x86)") returned 1 [0077.214] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="$Recycle.bin") returned 1 [0077.214] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="System Volume Information") returned -1 [0077.214] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2=".") returned 1 [0077.214] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="..") returned 1 [0077.215] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 83 [0077.215] lstrcmpW (lpString1="PublisherMUI.xml", lpString2="PUSSY.TXT") returned -1 [0077.215] PathFindExtensionW (pszPath="PublisherMUI.xml") returned=".xml" [0077.215] lstrlenW (lpString=".xml") returned 4 [0077.215] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0077.215] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0077.215] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=1450) returned 1 [0077.215] GetProcessHeap () returned 0x4c0000 [0077.215] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3ba0188 [0077.230] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="C5") returned 2 [0077.230] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="B6") returned 2 [0077.230] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="B2") returned 2 [0077.230] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="D2") returned 2 [0077.230] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="08") returned 2 [0077.230] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="6F") returned 2 [0077.230] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="F7") returned 2 [0077.230] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="F7") returned 2 [0077.230] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="0D") returned 2 [0077.230] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="67") returned 2 [0077.230] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="84") returned 2 [0077.230] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="50") returned 2 [0077.230] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="AD") returned 2 [0077.230] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="7C") returned 2 [0077.230] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="AB") returned 2 [0077.231] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="7A") returned 2 [0077.231] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="4A") returned 2 [0077.231] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="AC") returned 2 [0077.231] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="5C") returned 2 [0077.231] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="7D") returned 2 [0077.231] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="37") returned 2 [0077.231] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="83") returned 2 [0077.231] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="BD") returned 2 [0077.231] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="73") returned 2 [0077.231] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="93") returned 2 [0077.231] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="3C") returned 2 [0077.231] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="5D") returned 2 [0077.231] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="AF") returned 2 [0077.231] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="78") returned 2 [0077.231] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="3D") returned 2 [0077.231] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="1F") returned 2 [0077.231] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="49") returned 2 [0077.244] lstrcpyW (in: lpString1=0x3bb01bc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" [0077.244] lstrcpyW (in: lpString1=0x3ba01bc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" [0077.244] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpString2=".C5B6B2D2086FF7F70D678450AD7CAB7A4AAC5C7D3783BD73933C5DAF783D1F49" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.C5B6B2D2086FF7F70D678450AD7CAB7A4AAC5C7D3783BD73933C5DAF783D1F49") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.C5B6B2D2086FF7F70D678450AD7CAB7A4AAC5C7D3783BD73933C5DAF783D1F49" [0077.244] CreateIoCompletionPort (FileHandle=0x17c, ExistingCompletionPort=0x94, CompletionKey=0x3ba0188, NumberOfConcurrentThreads=0x0) returned 0x94 [0077.244] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3ba0188, lpOverlapped=0x3ba0188) returned 1 [0077.244] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3cd17e00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3cd17e00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc47e320, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x97f3f4, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="PubLR.cab", cAlternateFileName="")) returned 1 [0077.244] lstrcmpiW (lpString1="PubLR.cab", lpString2="Windows") returned -1 [0077.244] lstrcmpiW (lpString1="PubLR.cab", lpString2="Program Files") returned 1 [0077.244] lstrcmpiW (lpString1="PubLR.cab", lpString2="Program Files (x86)") returned 1 [0077.244] lstrcmpiW (lpString1="PubLR.cab", lpString2="$Recycle.bin") returned 1 [0077.244] lstrcmpiW (lpString1="PubLR.cab", lpString2="System Volume Information") returned -1 [0077.244] lstrcmpiW (lpString1="PubLR.cab", lpString2=".") returned 1 [0077.244] lstrcmpiW (lpString1="PubLR.cab", lpString2="..") returned 1 [0077.245] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 76 [0077.245] lstrcmpW (lpString1="PubLR.cab", lpString2="PUSSY.TXT") returned -1 [0077.245] PathFindExtensionW (pszPath="PubLR.cab") returned=".cab" [0077.245] lstrlenW (lpString=".cab") returned 4 [0077.245] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0077.245] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x188 [0077.245] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=9958388) returned 1 [0077.245] GetProcessHeap () returned 0x4c0000 [0077.245] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x572b38 [0077.599] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="B7") returned 2 [0077.599] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="8B") returned 2 [0077.599] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="11") returned 2 [0077.599] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="BA") returned 2 [0077.599] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="68") returned 2 [0077.599] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="62") returned 2 [0077.599] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="AD") returned 2 [0077.599] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="7E") returned 2 [0077.599] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="E8") returned 2 [0077.599] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="70") returned 2 [0077.599] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="C4") returned 2 [0077.599] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="B1") returned 2 [0077.599] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="E8") returned 2 [0077.599] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="E8") returned 2 [0077.599] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="8D") returned 2 [0077.599] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="95") returned 2 [0077.599] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="FC") returned 2 [0077.599] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="E5") returned 2 [0077.599] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="92") returned 2 [0077.599] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="EB") returned 2 [0077.599] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="DA") returned 2 [0077.599] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="AC") returned 2 [0077.599] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="31") returned 2 [0077.599] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="9D") returned 2 [0077.599] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="76") returned 2 [0077.599] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="5C") returned 2 [0077.599] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="7B") returned 2 [0077.599] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="7B") returned 2 [0077.600] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="92") returned 2 [0077.600] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="AA") returned 2 [0077.600] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="09") returned 2 [0077.600] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="22") returned 2 [0077.609] lstrcpyW (in: lpString1=0x582b6c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" [0077.609] lstrcpyW (in: lpString1=0x572b6c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" [0077.609] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpString2=".B78B11BA6862AD7EE870C4B1E8E88D95FCE592EBDAAC319D765C7B7B92AA0922" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.B78B11BA6862AD7EE870C4B1E8E88D95FCE592EBDAAC319D765C7B7B92AA0922") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.B78B11BA6862AD7EE870C4B1E8E88D95FCE592EBDAAC319D765C7B7B92AA0922" [0077.609] CreateIoCompletionPort (FileHandle=0x188, ExistingCompletionPort=0x94, CompletionKey=0x572b38, NumberOfConcurrentThreads=0x0) returned 0x94 [0077.609] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x572b38, lpOverlapped=0x572b38) returned 1 [0077.609] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x648, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0077.609] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0077.609] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0077.609] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0077.610] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0077.641] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0077.641] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0077.641] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0077.641] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0077.641] lstrcmpW (lpString1="Setup.xml", lpString2="PUSSY.TXT") returned 1 [0077.641] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0077.641] lstrlenW (lpString=".xml") returned 4 [0077.641] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0077.641] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0077.641] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=1608) returned 1 [0077.641] GetProcessHeap () returned 0x4c0000 [0077.642] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3ba0188 [0077.653] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="01") returned 2 [0077.653] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="7C") returned 2 [0077.653] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="5F") returned 2 [0077.653] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="3B") returned 2 [0077.653] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="CC") returned 2 [0077.653] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="20") returned 2 [0077.653] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="F4") returned 2 [0077.653] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="CA") returned 2 [0077.653] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="07") returned 2 [0077.653] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="82") returned 2 [0077.653] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="DA") returned 2 [0077.653] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="73") returned 2 [0077.653] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="99") returned 2 [0077.653] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="01") returned 2 [0077.653] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="99") returned 2 [0077.654] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="64") returned 2 [0077.654] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="5D") returned 2 [0077.654] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="4E") returned 2 [0077.654] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="B5") returned 2 [0077.654] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="B3") returned 2 [0077.654] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="DC") returned 2 [0077.654] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="D9") returned 2 [0077.654] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="F5") returned 2 [0077.654] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="8B") returned 2 [0077.654] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="80") returned 2 [0077.654] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="5B") returned 2 [0077.654] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="27") returned 2 [0077.654] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="CF") returned 2 [0077.654] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="D1") returned 2 [0077.654] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="DB") returned 2 [0077.654] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="75") returned 2 [0077.654] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="1D") returned 2 [0077.665] lstrcpyW (in: lpString1=0x3bb01bc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" [0077.666] lstrcpyW (in: lpString1=0x3ba01bc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" [0077.666] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".017C5F3BCC20F4CA0782DA73990199645D4EB5B3DCD9F58B805B27CFD1DB751D" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.017C5F3BCC20F4CA0782DA73990199645D4EB5B3DCD9F58B805B27CFD1DB751D") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.017C5F3BCC20F4CA0782DA73990199645D4EB5B3DCD9F58B805B27CFD1DB751D" [0077.666] CreateIoCompletionPort (FileHandle=0x17c, ExistingCompletionPort=0x94, CompletionKey=0x3ba0188, NumberOfConcurrentThreads=0x0) returned 0x94 [0077.666] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3ba0188, lpOverlapped=0x3ba0188) returned 1 [0077.666] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x648, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0077.666] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0077.666] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PUSSY.TXT") returned 76 [0077.667] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PUSSY.TXT" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0077.678] lstrlenA (lpString="abcd") returned 4 [0077.678] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0077.679] CloseHandle (hObject=0x17c) returned 1 [0077.680] GetProcessHeap () returned 0x4c0000 [0077.680] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0077.680] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee829690, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf00dbad0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf00dbad0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="{90140000-001A-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9765F~1")) returned 1 [0077.680] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0077.680] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0077.681] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0077.681] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0077.681] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0077.681] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0077.681] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0077.681] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C") returned 66 [0077.681] GetProcessHeap () returned 0x4c0000 [0077.681] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0077.681] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C" [0077.681] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="\\*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*" [0077.681] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee829690, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf00dbad0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf00dbad0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0077.684] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.684] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.684] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.684] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.684] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.684] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0077.684] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee829690, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf00dbad0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf00dbad0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0077.684] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.684] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.684] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.684] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.684] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.684] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0077.684] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0077.684] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3a6f2400, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3a6f2400, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xeebe0180, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xe21fcc, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="OutlkLR.cab", cAlternateFileName="")) returned 1 [0077.685] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="Windows") returned -1 [0077.685] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="Program Files") returned -1 [0077.685] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="Program Files (x86)") returned -1 [0077.685] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="$Recycle.bin") returned 1 [0077.685] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="System Volume Information") returned -1 [0077.685] lstrcmpiW (lpString1="OutlkLR.cab", lpString2=".") returned 1 [0077.685] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="..") returned 1 [0077.685] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 78 [0077.685] lstrcmpW (lpString1="OutlkLR.cab", lpString2="PUSSY.TXT") returned -1 [0077.685] PathFindExtensionW (pszPath="OutlkLR.cab") returned=".cab" [0077.685] lstrlenW (lpString=".cab") returned 4 [0077.685] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0077.685] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x168 [0077.685] GetFileSizeEx (in: hFile=0x168, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=14819276) returned 1 [0077.686] GetProcessHeap () returned 0x4c0000 [0077.686] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3ba0188 [0077.697] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="EC") returned 2 [0077.697] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="91") returned 2 [0077.697] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="6C") returned 2 [0077.697] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="D0") returned 2 [0077.697] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="3B") returned 2 [0077.697] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="48") returned 2 [0077.697] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="5B") returned 2 [0077.697] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="53") returned 2 [0077.697] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="12") returned 2 [0077.698] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="43") returned 2 [0077.698] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="42") returned 2 [0077.698] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="DF") returned 2 [0077.698] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="0B") returned 2 [0077.698] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="82") returned 2 [0077.698] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="8F") returned 2 [0077.698] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="DC") returned 2 [0077.698] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="6D") returned 2 [0077.698] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="89") returned 2 [0077.698] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="0B") returned 2 [0077.698] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="1C") returned 2 [0077.698] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="21") returned 2 [0077.698] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="B2") returned 2 [0077.698] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="76") returned 2 [0077.698] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="26") returned 2 [0077.698] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="AE") returned 2 [0077.698] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="7D") returned 2 [0077.698] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="AD") returned 2 [0077.698] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="BB") returned 2 [0077.698] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="84") returned 2 [0077.698] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="B6") returned 2 [0077.698] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="49") returned 2 [0077.698] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="6C") returned 2 [0077.710] lstrcpyW (in: lpString1=0x3bb01bc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" [0077.710] lstrcpyW (in: lpString1=0x3ba01bc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" [0077.710] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpString2=".EC916CD03B485B53124342DF0B828FDC6D890B1C21B27626AE7DADBB84B6496C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.EC916CD03B485B53124342DF0B828FDC6D890B1C21B27626AE7DADBB84B6496C") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.EC916CD03B485B53124342DF0B828FDC6D890B1C21B27626AE7DADBB84B6496C" [0077.710] CreateIoCompletionPort (FileHandle=0x168, ExistingCompletionPort=0x94, CompletionKey=0x3ba0188, NumberOfConcurrentThreads=0x0) returned 0x94 [0077.710] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3ba0188, lpOverlapped=0x3ba0188) returned 1 [0077.710] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee827f20, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2bba00, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="OutlookMUI.msi", cAlternateFileName="OUTLOO~1.MSI")) returned 1 [0077.710] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="Windows") returned -1 [0077.710] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="Program Files") returned -1 [0077.710] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="Program Files (x86)") returned -1 [0077.711] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="$Recycle.bin") returned 1 [0077.711] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="System Volume Information") returned -1 [0077.711] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2=".") returned 1 [0077.711] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="..") returned 1 [0077.711] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 81 [0077.711] lstrcmpW (lpString1="OutlookMUI.msi", lpString2="PUSSY.TXT") returned -1 [0077.711] PathFindExtensionW (pszPath="OutlookMUI.msi") returned=".msi" [0077.711] lstrlenW (lpString=".msi") returned 4 [0077.711] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0077.711] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x174 [0077.711] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=2865664) returned 1 [0077.711] GetProcessHeap () returned 0x4c0000 [0077.711] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b00048 [0077.726] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="52") returned 2 [0077.726] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="A3") returned 2 [0077.726] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="55") returned 2 [0077.726] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="7A") returned 2 [0077.727] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="29") returned 2 [0077.727] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="81") returned 2 [0077.727] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="4C") returned 2 [0077.727] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="25") returned 2 [0077.727] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="82") returned 2 [0077.727] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="DD") returned 2 [0077.727] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="E9") returned 2 [0077.727] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="20") returned 2 [0077.727] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="DC") returned 2 [0077.727] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="4E") returned 2 [0077.727] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="07") returned 2 [0077.727] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="59") returned 2 [0077.727] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="05") returned 2 [0077.727] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="83") returned 2 [0077.727] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="61") returned 2 [0077.727] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="82") returned 2 [0077.727] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="68") returned 2 [0077.727] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="11") returned 2 [0077.727] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="D9") returned 2 [0077.727] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="FB") returned 2 [0077.727] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="65") returned 2 [0077.727] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="50") returned 2 [0077.727] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="2B") returned 2 [0077.727] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="71") returned 2 [0077.727] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="12") returned 2 [0077.727] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="C2") returned 2 [0077.727] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="F2") returned 2 [0077.728] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="05") returned 2 [0078.172] lstrcpyW (in: lpString1=0x3b1007c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" [0078.172] lstrcpyW (in: lpString1=0x3b0007c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" [0078.173] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi", lpString2=".52A3557A29814C2582DDE920DC4E0759058361826811D9FB65502B7112C2F205" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.52A3557A29814C2582DDE920DC4E0759058361826811D9FB65502B7112C2F205") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.52A3557A29814C2582DDE920DC4E0759058361826811D9FB65502B7112C2F205" [0078.173] CreateIoCompletionPort (FileHandle=0x174, ExistingCompletionPort=0x94, CompletionKey=0x3b00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0078.173] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b00048, lpOverlapped=0x3b00048) returned 1 [0078.173] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee827f20, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xc72, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="OutlookMUI.xml", cAlternateFileName="OUTLOO~1.XML")) returned 1 [0078.173] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="Windows") returned -1 [0078.173] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="Program Files") returned -1 [0078.173] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="Program Files (x86)") returned -1 [0078.173] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="$Recycle.bin") returned 1 [0078.173] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="System Volume Information") returned -1 [0078.212] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2=".") returned 1 [0078.212] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="..") returned 1 [0078.212] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 81 [0078.212] lstrcmpW (lpString1="OutlookMUI.xml", lpString2="PUSSY.TXT") returned -1 [0078.212] PathFindExtensionW (pszPath="OutlookMUI.xml") returned=".xml" [0078.212] lstrlenW (lpString=".xml") returned 4 [0078.212] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0078.212] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x170 [0078.213] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=3186) returned 1 [0078.213] GetProcessHeap () returned 0x4c0000 [0078.213] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x54aae8 [0078.221] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="03") returned 2 [0078.221] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="A8") returned 2 [0078.221] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="65") returned 2 [0078.221] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="DC") returned 2 [0078.221] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="3D") returned 2 [0078.221] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="97") returned 2 [0078.221] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="2F") returned 2 [0078.221] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="27") returned 2 [0078.221] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="F4") returned 2 [0078.221] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="0F") returned 2 [0078.221] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="2B") returned 2 [0078.221] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="5A") returned 2 [0078.221] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="90") returned 2 [0078.221] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="5B") returned 2 [0078.221] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="8C") returned 2 [0078.221] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="09") returned 2 [0078.221] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="28") returned 2 [0078.221] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="59") returned 2 [0078.221] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="3D") returned 2 [0078.222] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="02") returned 2 [0078.222] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="99") returned 2 [0078.222] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="48") returned 2 [0078.222] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="DC") returned 2 [0078.222] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="4B") returned 2 [0078.222] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="2E") returned 2 [0078.222] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="03") returned 2 [0078.222] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="14") returned 2 [0078.222] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="5E") returned 2 [0078.222] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="0B") returned 2 [0078.222] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="80") returned 2 [0078.222] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="44") returned 2 [0078.222] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="66") returned 2 [0078.231] lstrcpyW (in: lpString1=0x55ab1c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" [0078.231] lstrcpyW (in: lpString1=0x54ab1c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" [0078.231] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpString2=".03A865DC3D972F27F40F2B5A905B8C0928593D029948DC4B2E03145E0B804466" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.03A865DC3D972F27F40F2B5A905B8C0928593D029948DC4B2E03145E0B804466") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.03A865DC3D972F27F40F2B5A905B8C0928593D029948DC4B2E03145E0B804466" [0078.231] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x94, CompletionKey=0x54aae8, NumberOfConcurrentThreads=0x0) returned 0x94 [0078.231] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x54aae8, lpOverlapped=0x54aae8) returned 1 [0078.232] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf00db300, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x106f, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0078.232] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0078.232] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0078.232] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0078.232] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0078.232] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0078.232] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0078.236] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0078.236] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0078.236] lstrcmpW (lpString1="Setup.xml", lpString2="PUSSY.TXT") returned 1 [0078.236] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0078.236] lstrlenW (lpString=".xml") returned 4 [0078.236] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0078.236] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0078.241] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=4207) returned 1 [0078.241] GetProcessHeap () returned 0x4c0000 [0078.241] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x54aae8 [0078.249] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="23") returned 2 [0078.249] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="EA") returned 2 [0078.249] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="63") returned 2 [0078.249] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="1E") returned 2 [0078.249] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="2C") returned 2 [0078.250] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="F9") returned 2 [0078.250] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="D4") returned 2 [0078.250] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="A3") returned 2 [0078.250] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="43") returned 2 [0078.250] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="70") returned 2 [0078.250] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="96") returned 2 [0078.250] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="16") returned 2 [0078.250] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="C0") returned 2 [0078.250] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="82") returned 2 [0078.250] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="97") returned 2 [0078.250] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="30") returned 2 [0078.250] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="B1") returned 2 [0078.250] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="3D") returned 2 [0078.250] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="8C") returned 2 [0078.250] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="74") returned 2 [0078.250] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="3C") returned 2 [0078.250] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="E6") returned 2 [0078.250] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="9B") returned 2 [0078.250] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="3A") returned 2 [0078.250] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="38") returned 2 [0078.250] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="20") returned 2 [0078.250] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="5E") returned 2 [0078.250] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="CA") returned 2 [0078.250] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="A4") returned 2 [0078.250] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="5F") returned 2 [0078.250] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="24") returned 2 [0078.250] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="48") returned 2 [0078.258] lstrcpyW (in: lpString1=0x55ab1c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" [0078.258] lstrcpyW (in: lpString1=0x54ab1c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" [0078.259] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".23EA631E2CF9D4A343709616C0829730B13D8C743CE69B3A38205ECAA45F2448" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.23EA631E2CF9D4A343709616C0829730B13D8C743CE69B3A38205ECAA45F2448") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.23EA631E2CF9D4A343709616C0829730B13D8C743CE69B3A38205ECAA45F2448" [0078.259] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x54aae8, NumberOfConcurrentThreads=0x0) returned 0x94 [0078.259] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x54aae8, lpOverlapped=0x54aae8) returned 1 [0078.259] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf00db300, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x106f, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0078.259] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0078.264] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\PUSSY.TXT") returned 76 [0078.264] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\PUSSY.TXT" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0078.265] lstrlenA (lpString="abcd") returned 4 [0078.265] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0078.270] CloseHandle (hObject=0x17c) returned 1 [0078.271] GetProcessHeap () returned 0x4c0000 [0078.271] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0078.271] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc8a9170, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfe076d70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="{90140000-001B-0409-1000-0000000FF1CE}-C", cAlternateFileName="{94E50~1")) returned 1 [0078.271] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0078.271] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0078.271] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0078.271] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0078.271] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0078.271] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0078.271] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0078.271] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C") returned 66 [0078.271] GetProcessHeap () returned 0x4c0000 [0078.271] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0078.271] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C" [0078.271] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="\\*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*" [0078.271] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc8a9170, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfe076d70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0078.272] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.272] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.272] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.272] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.272] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.272] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0078.272] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc8a9170, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfe076d70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0078.272] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.272] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.272] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.272] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.272] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.272] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0078.272] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0078.272] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x978, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0078.272] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0078.272] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0078.272] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0078.272] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0078.273] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0078.273] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0078.273] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0078.273] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0078.273] lstrcmpW (lpString1="Setup.xml", lpString2="PUSSY.TXT") returned 1 [0078.273] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0078.273] lstrlenW (lpString=".xml") returned 4 [0078.273] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0078.273] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0078.273] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=2424) returned 1 [0078.273] GetProcessHeap () returned 0x4c0000 [0078.273] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x54aae8 [0078.281] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="31") returned 2 [0078.281] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="B3") returned 2 [0078.282] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="39") returned 2 [0078.282] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="47") returned 2 [0078.282] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="29") returned 2 [0078.282] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="61") returned 2 [0078.282] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="38") returned 2 [0078.282] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="99") returned 2 [0078.282] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="01") returned 2 [0078.282] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="47") returned 2 [0078.282] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="8D") returned 2 [0078.282] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="63") returned 2 [0078.282] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="96") returned 2 [0078.282] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="7E") returned 2 [0078.282] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="17") returned 2 [0078.282] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="4B") returned 2 [0078.282] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="CE") returned 2 [0078.282] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="C5") returned 2 [0078.282] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="B4") returned 2 [0078.282] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="DD") returned 2 [0078.282] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="3E") returned 2 [0078.282] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="B8") returned 2 [0078.282] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="8A") returned 2 [0078.282] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="E8") returned 2 [0078.282] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="32") returned 2 [0078.282] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="D8") returned 2 [0078.282] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="98") returned 2 [0078.282] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="F7") returned 2 [0078.282] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="64") returned 2 [0078.282] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="40") returned 2 [0078.282] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="AB") returned 2 [0078.282] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="5D") returned 2 [0078.293] lstrcpyW (in: lpString1=0x55ab1c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" [0078.293] lstrcpyW (in: lpString1=0x54ab1c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" [0078.293] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".31B339472961389901478D63967E174BCEC5B4DD3EB88AE832D898F76440AB5D" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.31B339472961389901478D63967E174BCEC5B4DD3EB88AE832D898F76440AB5D") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.31B339472961389901478D63967E174BCEC5B4DD3EB88AE832D898F76440AB5D" [0078.293] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x54aae8, NumberOfConcurrentThreads=0x0) returned 0x94 [0078.294] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x54aae8, lpOverlapped=0x54aae8) returned 1 [0078.294] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2fb48f00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x2fb48f00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc967850, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x29c6dbd, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="WordLR.cab", cAlternateFileName="")) returned 1 [0078.294] lstrcmpiW (lpString1="WordLR.cab", lpString2="Windows") returned 1 [0078.294] lstrcmpiW (lpString1="WordLR.cab", lpString2="Program Files") returned 1 [0078.294] lstrcmpiW (lpString1="WordLR.cab", lpString2="Program Files (x86)") returned 1 [0078.294] lstrcmpiW (lpString1="WordLR.cab", lpString2="$Recycle.bin") returned 1 [0078.294] lstrcmpiW (lpString1="WordLR.cab", lpString2="System Volume Information") returned 1 [0078.294] lstrcmpiW (lpString1="WordLR.cab", lpString2=".") returned 1 [0078.298] lstrcmpiW (lpString1="WordLR.cab", lpString2="..") returned 1 [0078.298] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 77 [0078.298] lstrcmpW (lpString1="WordLR.cab", lpString2="PUSSY.TXT") returned 1 [0078.298] PathFindExtensionW (pszPath="WordLR.cab") returned=".cab" [0078.298] lstrlenW (lpString=".cab") returned 4 [0078.298] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0078.305] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0078.306] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=43806141) returned 1 [0078.306] GetProcessHeap () returned 0x4c0000 [0078.306] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x54aae8 [0078.314] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="35") returned 2 [0078.315] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="7A") returned 2 [0078.315] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="C7") returned 2 [0078.315] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="E0") returned 2 [0078.315] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="B4") returned 2 [0078.315] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="12") returned 2 [0078.315] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="8A") returned 2 [0078.315] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="A3") returned 2 [0078.315] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="2C") returned 2 [0078.315] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="59") returned 2 [0078.315] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="7E") returned 2 [0078.315] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="E1") returned 2 [0078.315] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="25") returned 2 [0078.315] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="DC") returned 2 [0078.315] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="86") returned 2 [0078.315] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="AF") returned 2 [0078.315] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="98") returned 2 [0078.315] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="77") returned 2 [0078.315] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="27") returned 2 [0078.315] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="27") returned 2 [0078.315] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="61") returned 2 [0078.315] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="85") returned 2 [0078.315] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="68") returned 2 [0078.315] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="01") returned 2 [0078.315] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="E8") returned 2 [0078.315] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="97") returned 2 [0078.315] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="15") returned 2 [0078.315] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="0D") returned 2 [0078.315] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="D0") returned 2 [0078.316] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="F5") returned 2 [0078.316] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="69") returned 2 [0078.316] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="62") returned 2 [0078.324] lstrcpyW (in: lpString1=0x55ab1c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" [0078.324] lstrcpyW (in: lpString1=0x54ab1c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" [0078.324] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpString2=".357AC7E0B4128AA32C597EE125DC86AF9877272761856801E897150DD0F56962" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.357AC7E0B4128AA32C597EE125DC86AF9877272761856801E897150DD0F56962") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.357AC7E0B4128AA32C597EE125DC86AF9877272761856801E897150DD0F56962" [0078.324] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x54aae8, NumberOfConcurrentThreads=0x0) returned 0x94 [0078.324] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x54aae8, lpOverlapped=0x54aae8) returned 1 [0078.325] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x267e00, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="WordMUI.msi", cAlternateFileName="")) returned 1 [0078.325] lstrcmpiW (lpString1="WordMUI.msi", lpString2="Windows") returned 1 [0078.325] lstrcmpiW (lpString1="WordMUI.msi", lpString2="Program Files") returned 1 [0078.325] lstrcmpiW (lpString1="WordMUI.msi", lpString2="Program Files (x86)") returned 1 [0078.365] lstrcmpiW (lpString1="WordMUI.msi", lpString2="$Recycle.bin") returned 1 [0078.365] lstrcmpiW (lpString1="WordMUI.msi", lpString2="System Volume Information") returned 1 [0078.365] lstrcmpiW (lpString1="WordMUI.msi", lpString2=".") returned 1 [0078.365] lstrcmpiW (lpString1="WordMUI.msi", lpString2="..") returned 1 [0078.365] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 78 [0078.365] lstrcmpW (lpString1="WordMUI.msi", lpString2="PUSSY.TXT") returned 1 [0078.365] PathFindExtensionW (pszPath="WordMUI.msi") returned=".msi" [0078.365] lstrlenW (lpString=".msi") returned 4 [0078.365] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0078.365] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x170 [0078.366] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=2522624) returned 1 [0078.366] GetProcessHeap () returned 0x4c0000 [0078.366] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b28098 [0078.975] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="98") returned 2 [0078.975] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="89") returned 2 [0078.975] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="7C") returned 2 [0078.975] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="83") returned 2 [0078.975] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="AD") returned 2 [0078.975] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="DC") returned 2 [0078.975] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="E7") returned 2 [0078.975] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="1F") returned 2 [0078.975] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="3F") returned 2 [0078.975] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="E5") returned 2 [0078.975] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="AA") returned 2 [0078.975] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="17") returned 2 [0078.975] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="65") returned 2 [0078.975] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="7E") returned 2 [0078.975] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="43") returned 2 [0078.975] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="D9") returned 2 [0078.975] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="55") returned 2 [0078.975] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="4E") returned 2 [0078.975] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="27") returned 2 [0078.975] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="CF") returned 2 [0078.975] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="BD") returned 2 [0078.975] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="68") returned 2 [0078.976] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="AA") returned 2 [0078.976] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="CB") returned 2 [0078.976] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="AD") returned 2 [0078.976] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="81") returned 2 [0078.976] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="55") returned 2 [0078.976] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="F6") returned 2 [0078.976] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="D0") returned 2 [0078.976] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="55") returned 2 [0078.976] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="4E") returned 2 [0078.976] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="21") returned 2 [0078.984] lstrcpyW (in: lpString1=0x3b380cc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" [0078.984] lstrcpyW (in: lpString1=0x3b280cc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" [0078.984] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi", lpString2=".98897C83ADDCE71F3FE5AA17657E43D9554E27CFBD68AACBAD8155F6D0554E21" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.98897C83ADDCE71F3FE5AA17657E43D9554E27CFBD68AACBAD8155F6D0554E21") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.98897C83ADDCE71F3FE5AA17657E43D9554E27CFBD68AACBAD8155F6D0554E21" [0078.984] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x94, CompletionKey=0x3b28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0078.984] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b28098, lpOverlapped=0x3b28098) returned 1 [0078.985] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x708, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="WordMUI.xml", cAlternateFileName="")) returned 1 [0078.985] lstrcmpiW (lpString1="WordMUI.xml", lpString2="Windows") returned 1 [0078.985] lstrcmpiW (lpString1="WordMUI.xml", lpString2="Program Files") returned 1 [0078.985] lstrcmpiW (lpString1="WordMUI.xml", lpString2="Program Files (x86)") returned 1 [0078.985] lstrcmpiW (lpString1="WordMUI.xml", lpString2="$Recycle.bin") returned 1 [0079.040] lstrcmpiW (lpString1="WordMUI.xml", lpString2="System Volume Information") returned 1 [0079.040] lstrcmpiW (lpString1="WordMUI.xml", lpString2=".") returned 1 [0079.041] lstrcmpiW (lpString1="WordMUI.xml", lpString2="..") returned 1 [0079.041] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 78 [0079.041] lstrcmpW (lpString1="WordMUI.xml", lpString2="PUSSY.TXT") returned 1 [0079.041] PathFindExtensionW (pszPath="WordMUI.xml") returned=".xml" [0079.041] lstrlenW (lpString=".xml") returned 4 [0079.041] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0079.041] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0079.041] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=1800) returned 1 [0079.041] GetProcessHeap () returned 0x4c0000 [0079.041] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b500e8 [0079.053] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="3E") returned 2 [0079.053] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="6F") returned 2 [0079.053] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="36") returned 2 [0079.053] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="F7") returned 2 [0079.053] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="1A") returned 2 [0079.053] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="1B") returned 2 [0079.053] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="B9") returned 2 [0079.053] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="41") returned 2 [0079.053] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="38") returned 2 [0079.053] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="7E") returned 2 [0079.053] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="C8") returned 2 [0079.053] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="15") returned 2 [0079.053] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="04") returned 2 [0079.053] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="03") returned 2 [0079.053] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="46") returned 2 [0079.053] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="76") returned 2 [0079.053] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="49") returned 2 [0079.053] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="F2") returned 2 [0079.053] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="FD") returned 2 [0079.053] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="E7") returned 2 [0079.053] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="AB") returned 2 [0079.053] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="CD") returned 2 [0079.053] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="9D") returned 2 [0079.053] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="B5") returned 2 [0079.054] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="65") returned 2 [0079.054] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="C2") returned 2 [0079.054] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="7B") returned 2 [0079.054] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="F1") returned 2 [0079.054] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="7B") returned 2 [0079.054] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="F8") returned 2 [0079.054] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="83") returned 2 [0079.054] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="6F") returned 2 [0079.066] lstrcpyW (in: lpString1=0x3b6011c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" [0079.066] lstrcpyW (in: lpString1=0x3b5011c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" [0079.066] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpString2=".3E6F36F71A1BB941387EC8150403467649F2FDE7ABCD9DB565C27BF17BF8836F" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.3E6F36F71A1BB941387EC8150403467649F2FDE7ABCD9DB565C27BF17BF8836F") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.3E6F36F71A1BB941387EC8150403467649F2FDE7ABCD9DB565C27BF17BF8836F" [0079.066] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x3b500e8, NumberOfConcurrentThreads=0x0) returned 0x94 [0079.067] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b500e8, lpOverlapped=0x3b500e8) returned 1 [0079.082] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x708, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="WordMUI.xml", cAlternateFileName="")) returned 0 [0079.082] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0079.082] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\PUSSY.TXT") returned 76 [0079.082] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\PUSSY.TXT" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0079.082] lstrlenA (lpString="abcd") returned 4 [0079.083] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0079.083] CloseHandle (hObject=0x17c) returned 1 [0079.084] GetProcessHeap () returned 0x4c0000 [0079.084] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0079.086] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf00dbad0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf58c8770, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf58c8770, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="{90140000-002C-0409-1000-0000000FF1CE}-C", cAlternateFileName="{92787~1")) returned 1 [0079.087] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0079.087] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0079.087] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0079.087] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0079.087] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0079.087] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0079.087] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0079.087] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C") returned 66 [0079.087] GetProcessHeap () returned 0x4c0000 [0079.087] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0079.088] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C" [0079.088] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="\\*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*" [0079.088] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf00dbad0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf58c8770, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf58c8770, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0079.091] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.091] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.091] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.091] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.091] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.091] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0079.091] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf00dbad0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf58c8770, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf58c8770, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0079.091] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.091] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.091] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.091] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.091] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.091] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0079.091] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0079.091] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf01c0310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf07b3a10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf07b3a10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Proof.en", cAlternateFileName="")) returned 1 [0079.091] lstrcmpiW (lpString1="Proof.en", lpString2="Windows") returned -1 [0079.091] lstrcmpiW (lpString1="Proof.en", lpString2="Program Files") returned 1 [0079.091] lstrcmpiW (lpString1="Proof.en", lpString2="Program Files (x86)") returned 1 [0079.091] lstrcmpiW (lpString1="Proof.en", lpString2="$Recycle.bin") returned 1 [0079.091] lstrcmpiW (lpString1="Proof.en", lpString2="System Volume Information") returned -1 [0079.091] lstrcmpiW (lpString1="Proof.en", lpString2=".") returned 1 [0079.091] lstrcmpiW (lpString1="Proof.en", lpString2="..") returned 1 [0079.091] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en") returned 75 [0079.091] GetProcessHeap () returned 0x4c0000 [0079.091] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x522a98 [0079.092] lstrcpyW (in: lpString1=0x522a98, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en" [0079.092] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en", lpString2="\\*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*" [0079.092] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf01c0310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf07b3a10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf07b3a10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4dbf10 [0079.093] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.093] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.093] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.093] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.093] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.093] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0079.093] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf01c0310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf07b3a10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf07b3a10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0079.093] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.093] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.093] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.093] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.094] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.094] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0079.094] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0079.094] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x219b4a00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x219b4a00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xf07b1ad0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xaf35ed, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="Proof.cab", cAlternateFileName="")) returned 1 [0079.094] lstrcmpiW (lpString1="Proof.cab", lpString2="Windows") returned -1 [0079.094] lstrcmpiW (lpString1="Proof.cab", lpString2="Program Files") returned 1 [0079.094] lstrcmpiW (lpString1="Proof.cab", lpString2="Program Files (x86)") returned 1 [0079.094] lstrcmpiW (lpString1="Proof.cab", lpString2="$Recycle.bin") returned 1 [0079.094] lstrcmpiW (lpString1="Proof.cab", lpString2="System Volume Information") returned -1 [0079.094] lstrcmpiW (lpString1="Proof.cab", lpString2=".") returned 1 [0079.094] lstrcmpiW (lpString1="Proof.cab", lpString2="..") returned 1 [0079.094] wnsprintfW (in: pszDest=0x522a98, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 85 [0079.094] lstrcmpW (lpString1="Proof.cab", lpString2="PUSSY.TXT") returned -1 [0079.094] PathFindExtensionW (pszPath="Proof.cab") returned=".cab" [0079.094] lstrlenW (lpString=".cab") returned 4 [0079.094] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0079.094] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x180 [0079.095] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=11482605) returned 1 [0079.095] GetProcessHeap () returned 0x4c0000 [0079.095] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b500e8 [0079.110] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="D8") returned 2 [0079.111] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="5A") returned 2 [0079.111] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="98") returned 2 [0079.111] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="F1") returned 2 [0079.111] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="89") returned 2 [0079.111] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="3F") returned 2 [0079.111] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="70") returned 2 [0079.111] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="CB") returned 2 [0079.111] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="34") returned 2 [0079.111] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="64") returned 2 [0079.111] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="58") returned 2 [0079.111] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="DE") returned 2 [0079.111] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="2C") returned 2 [0079.111] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="81") returned 2 [0079.111] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="A6") returned 2 [0079.111] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="88") returned 2 [0079.111] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="56") returned 2 [0079.111] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="47") returned 2 [0079.111] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="31") returned 2 [0079.111] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="05") returned 2 [0079.111] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="C5") returned 2 [0079.111] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="64") returned 2 [0079.111] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="0E") returned 2 [0079.111] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="31") returned 2 [0079.111] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="4C") returned 2 [0079.111] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="9D") returned 2 [0079.112] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="21") returned 2 [0079.112] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="03") returned 2 [0079.112] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="62") returned 2 [0079.112] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="49") returned 2 [0079.112] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="C9") returned 2 [0079.112] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="01") returned 2 [0079.142] lstrcpyW (in: lpString1=0x3b6011c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" [0079.142] lstrcpyW (in: lpString1=0x3b5011c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" [0079.142] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab", lpString2=".D85A98F1893F70CB346458DE2C81A68856473105C5640E314C9D21036249C901" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.D85A98F1893F70CB346458DE2C81A68856473105C5640E314C9D21036249C901") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.D85A98F1893F70CB346458DE2C81A68856473105C5640E314C9D21036249C901" [0079.142] CreateIoCompletionPort (FileHandle=0x180, ExistingCompletionPort=0x94, CompletionKey=0x3b500e8, NumberOfConcurrentThreads=0x0) returned 0x94 [0079.142] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b500e8, lpOverlapped=0x3b500e8) returned 1 [0079.142] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4db6cb00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x4db6cb00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xf020c5d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd5c00, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="Proof.msi", cAlternateFileName="")) returned 1 [0079.142] lstrcmpiW (lpString1="Proof.msi", lpString2="Windows") returned -1 [0079.142] lstrcmpiW (lpString1="Proof.msi", lpString2="Program Files") returned 1 [0079.142] lstrcmpiW (lpString1="Proof.msi", lpString2="Program Files (x86)") returned 1 [0079.142] lstrcmpiW (lpString1="Proof.msi", lpString2="$Recycle.bin") returned 1 [0079.142] lstrcmpiW (lpString1="Proof.msi", lpString2="System Volume Information") returned -1 [0079.142] lstrcmpiW (lpString1="Proof.msi", lpString2=".") returned 1 [0079.142] lstrcmpiW (lpString1="Proof.msi", lpString2="..") returned 1 [0079.142] wnsprintfW (in: pszDest=0x522a98, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 85 [0079.142] lstrcmpW (lpString1="Proof.msi", lpString2="PUSSY.TXT") returned -1 [0079.142] PathFindExtensionW (pszPath="Proof.msi") returned=".msi" [0079.142] lstrlenW (lpString=".msi") returned 4 [0079.143] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0079.143] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0079.143] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=875520) returned 1 [0079.143] GetProcessHeap () returned 0x4c0000 [0079.143] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b78138 [0079.157] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="DB") returned 2 [0079.158] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="96") returned 2 [0079.158] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="51") returned 2 [0079.158] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="1C") returned 2 [0079.158] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="0C") returned 2 [0079.158] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="77") returned 2 [0079.158] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="60") returned 2 [0079.158] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="84") returned 2 [0079.158] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="5A") returned 2 [0079.158] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="E4") returned 2 [0079.158] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="A5") returned 2 [0079.158] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="63") returned 2 [0079.158] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="88") returned 2 [0079.158] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="28") returned 2 [0079.158] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="52") returned 2 [0079.158] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="6C") returned 2 [0079.158] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="D0") returned 2 [0079.158] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="29") returned 2 [0079.158] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="D1") returned 2 [0079.158] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="0C") returned 2 [0079.158] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="94") returned 2 [0079.158] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="9C") returned 2 [0079.158] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="21") returned 2 [0079.159] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="DA") returned 2 [0079.159] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="C8") returned 2 [0079.159] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="3A") returned 2 [0079.159] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="D3") returned 2 [0079.159] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="FE") returned 2 [0079.159] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="16") returned 2 [0079.159] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="F4") returned 2 [0079.159] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="78") returned 2 [0079.159] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="4A") returned 2 [0080.200] lstrcpyW (in: lpString1=0x3b8816c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" [0080.200] lstrcpyW (in: lpString1=0x3b7816c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" [0080.200] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi", lpString2=".DB96511C0C7760845AE4A5638828526CD029D10C949C21DAC83AD3FE16F4784A" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.DB96511C0C7760845AE4A5638828526CD029D10C949C21DAC83AD3FE16F4784A") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.DB96511C0C7760845AE4A5638828526CD029D10C949C21DAC83AD3FE16F4784A" [0080.200] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x3b78138, NumberOfConcurrentThreads=0x0) returned 0x94 [0080.200] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b78138, lpOverlapped=0x3b78138) returned 1 [0080.201] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa38b7300, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0xa38b7300, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xf01be3d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x543, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="Proof.xml", cAlternateFileName="")) returned 1 [0080.201] lstrcmpiW (lpString1="Proof.xml", lpString2="Windows") returned -1 [0080.201] lstrcmpiW (lpString1="Proof.xml", lpString2="Program Files") returned 1 [0080.201] lstrcmpiW (lpString1="Proof.xml", lpString2="Program Files (x86)") returned 1 [0080.201] lstrcmpiW (lpString1="Proof.xml", lpString2="$Recycle.bin") returned 1 [0080.201] lstrcmpiW (lpString1="Proof.xml", lpString2="System Volume Information") returned -1 [0080.201] lstrcmpiW (lpString1="Proof.xml", lpString2=".") returned 1 [0080.201] lstrcmpiW (lpString1="Proof.xml", lpString2="..") returned 1 [0080.201] wnsprintfW (in: pszDest=0x522a98, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 85 [0080.254] lstrcmpW (lpString1="Proof.xml", lpString2="PUSSY.TXT") returned -1 [0080.254] PathFindExtensionW (pszPath="Proof.xml") returned=".xml" [0080.254] lstrlenW (lpString=".xml") returned 4 [0080.254] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0080.254] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x188 [0080.254] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=1347) returned 1 [0080.254] GetProcessHeap () returned 0x4c0000 [0080.254] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b00048 [0080.268] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="E4") returned 2 [0080.268] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="10") returned 2 [0080.268] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="D7") returned 2 [0080.268] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="C6") returned 2 [0080.269] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="51") returned 2 [0080.269] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="2B") returned 2 [0080.269] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="17") returned 2 [0080.269] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="20") returned 2 [0080.269] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="8D") returned 2 [0080.269] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="E3") returned 2 [0080.269] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="D3") returned 2 [0080.269] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="0B") returned 2 [0080.269] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="8A") returned 2 [0080.269] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="F1") returned 2 [0080.269] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="D0") returned 2 [0080.269] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="E8") returned 2 [0080.269] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="67") returned 2 [0080.269] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="1A") returned 2 [0080.269] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="B7") returned 2 [0080.269] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="A8") returned 2 [0080.269] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="B1") returned 2 [0080.269] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="93") returned 2 [0080.269] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="21") returned 2 [0080.269] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="0D") returned 2 [0080.269] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="AD") returned 2 [0080.269] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="04") returned 2 [0080.269] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="90") returned 2 [0080.269] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="6C") returned 2 [0080.269] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="C0") returned 2 [0080.270] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="51") returned 2 [0080.270] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="2D") returned 2 [0080.270] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="48") returned 2 [0080.283] lstrcpyW (in: lpString1=0x3b1007c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" [0080.284] lstrcpyW (in: lpString1=0x3b0007c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" [0080.284] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml", lpString2=".E410D7C6512B17208DE3D30B8AF1D0E8671AB7A8B193210DAD04906CC0512D48" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.E410D7C6512B17208DE3D30B8AF1D0E8671AB7A8B193210DAD04906CC0512D48") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.E410D7C6512B17208DE3D30B8AF1D0E8671AB7A8B193210DAD04906CC0512D48" [0080.284] CreateIoCompletionPort (FileHandle=0x188, ExistingCompletionPort=0x94, CompletionKey=0x3b00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0080.284] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b00048, lpOverlapped=0x3b00048) returned 1 [0080.285] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa38b7300, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0xa38b7300, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xf01be3d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x543, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="Proof.xml", cAlternateFileName="")) returned 0 [0080.285] FindClose (in: hFindFile=0x4dbf10 | out: hFindFile=0x4dbf10) returned 1 [0080.285] wnsprintfW (in: pszDest=0x522a98, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\PUSSY.TXT") returned 85 [0080.288] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\PUSSY.TXT" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0080.298] lstrlenA (lpString="abcd") returned 4 [0080.298] WriteFile (in: hFile=0x178, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0080.299] CloseHandle (hObject=0x178) returned 1 [0080.299] GetProcessHeap () returned 0x4c0000 [0080.299] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x522a98 | out: hHeap=0x4c0000) returned 1 [0080.300] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4d53d90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf4f690d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf4f690d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Proof.es", cAlternateFileName="")) returned 1 [0080.300] lstrcmpiW (lpString1="Proof.es", lpString2="Windows") returned -1 [0080.300] lstrcmpiW (lpString1="Proof.es", lpString2="Program Files") returned 1 [0080.300] lstrcmpiW (lpString1="Proof.es", lpString2="Program Files (x86)") returned 1 [0080.300] lstrcmpiW (lpString1="Proof.es", lpString2="$Recycle.bin") returned 1 [0080.300] lstrcmpiW (lpString1="Proof.es", lpString2="System Volume Information") returned -1 [0080.300] lstrcmpiW (lpString1="Proof.es", lpString2=".") returned 1 [0080.300] lstrcmpiW (lpString1="Proof.es", lpString2="..") returned 1 [0080.300] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es") returned 75 [0080.300] GetProcessHeap () returned 0x4c0000 [0080.300] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x522a98 [0080.300] lstrcpyW (in: lpString1=0x522a98, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es" [0080.300] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es", lpString2="\\*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*" [0080.300] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4d53d90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf4f690d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf4f690d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4dbf10 [0080.301] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.301] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.301] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.301] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.301] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.301] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0080.301] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4d53d90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf4f690d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf4f690d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0080.301] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.301] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.301] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.301] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.301] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.301] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0080.301] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0080.301] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3ba05100, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3ba05100, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf4f690d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd02aea, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="Proof.cab", cAlternateFileName="")) returned 1 [0080.301] lstrcmpiW (lpString1="Proof.cab", lpString2="Windows") returned -1 [0080.301] lstrcmpiW (lpString1="Proof.cab", lpString2="Program Files") returned 1 [0080.301] lstrcmpiW (lpString1="Proof.cab", lpString2="Program Files (x86)") returned 1 [0080.302] lstrcmpiW (lpString1="Proof.cab", lpString2="$Recycle.bin") returned 1 [0080.302] lstrcmpiW (lpString1="Proof.cab", lpString2="System Volume Information") returned -1 [0080.302] lstrcmpiW (lpString1="Proof.cab", lpString2=".") returned 1 [0080.302] lstrcmpiW (lpString1="Proof.cab", lpString2="..") returned 1 [0080.302] wnsprintfW (in: pszDest=0x522a98, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 85 [0080.302] lstrcmpW (lpString1="Proof.cab", lpString2="PUSSY.TXT") returned -1 [0080.302] PathFindExtensionW (pszPath="Proof.cab") returned=".cab" [0080.302] lstrlenW (lpString=".cab") returned 4 [0080.302] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0080.302] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x188 [0080.303] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=13642474) returned 1 [0080.303] GetProcessHeap () returned 0x4c0000 [0080.303] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b00048 [0080.319] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="EF") returned 2 [0080.319] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="97") returned 2 [0080.319] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="47") returned 2 [0080.319] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="99") returned 2 [0080.319] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="9F") returned 2 [0080.319] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="FE") returned 2 [0080.319] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="CE") returned 2 [0080.319] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="B7") returned 2 [0080.319] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="52") returned 2 [0080.319] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="3B") returned 2 [0080.319] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="E2") returned 2 [0080.319] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="89") returned 2 [0080.319] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="AB") returned 2 [0080.319] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="D4") returned 2 [0080.319] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="62") returned 2 [0080.319] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="14") returned 2 [0080.320] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="6B") returned 2 [0080.320] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="54") returned 2 [0080.320] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="CE") returned 2 [0080.320] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="FF") returned 2 [0080.320] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="65") returned 2 [0080.320] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="64") returned 2 [0080.320] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="26") returned 2 [0080.320] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="39") returned 2 [0080.320] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="44") returned 2 [0080.320] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="9F") returned 2 [0080.320] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="9B") returned 2 [0080.320] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="E5") returned 2 [0080.320] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="46") returned 2 [0080.320] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="63") returned 2 [0080.320] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="43") returned 2 [0080.320] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="4D") returned 2 [0080.334] lstrcpyW (in: lpString1=0x3b1007c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" [0080.334] lstrcpyW (in: lpString1=0x3b0007c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" [0080.334] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab", lpString2=".EF9747999FFECEB7523BE289ABD462146B54CEFF65642639449F9BE54663434D" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.EF9747999FFECEB7523BE289ABD462146B54CEFF65642639449F9BE54663434D") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.EF9747999FFECEB7523BE289ABD462146B54CEFF65642639449F9BE54663434D" [0080.334] CreateIoCompletionPort (FileHandle=0x188, ExistingCompletionPort=0x94, CompletionKey=0x3b00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0080.334] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b00048, lpOverlapped=0x3b00048) returned 1 [0080.334] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf4e5c7f0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd7200, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="Proof.msi", cAlternateFileName="")) returned 1 [0080.334] lstrcmpiW (lpString1="Proof.msi", lpString2="Windows") returned -1 [0080.334] lstrcmpiW (lpString1="Proof.msi", lpString2="Program Files") returned 1 [0080.335] lstrcmpiW (lpString1="Proof.msi", lpString2="Program Files (x86)") returned 1 [0080.335] lstrcmpiW (lpString1="Proof.msi", lpString2="$Recycle.bin") returned 1 [0080.335] lstrcmpiW (lpString1="Proof.msi", lpString2="System Volume Information") returned -1 [0080.335] lstrcmpiW (lpString1="Proof.msi", lpString2=".") returned 1 [0080.335] lstrcmpiW (lpString1="Proof.msi", lpString2="..") returned 1 [0080.335] wnsprintfW (in: pszDest=0x522a98, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 85 [0080.335] lstrcmpW (lpString1="Proof.msi", lpString2="PUSSY.TXT") returned -1 [0080.335] PathFindExtensionW (pszPath="Proof.msi") returned=".msi" [0080.335] lstrlenW (lpString=".msi") returned 4 [0080.335] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0080.335] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x174 [0080.335] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=881152) returned 1 [0080.335] GetProcessHeap () returned 0x4c0000 [0080.335] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x572b38 [0080.351] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="41") returned 2 [0080.351] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="A0") returned 2 [0080.351] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="E3") returned 2 [0080.351] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="01") returned 2 [0080.351] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="46") returned 2 [0080.351] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="71") returned 2 [0080.352] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="1B") returned 2 [0080.352] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="38") returned 2 [0080.352] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="7E") returned 2 [0080.352] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="0A") returned 2 [0080.352] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="8A") returned 2 [0080.352] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="CE") returned 2 [0080.352] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="38") returned 2 [0080.352] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="C3") returned 2 [0080.352] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="E8") returned 2 [0080.352] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="43") returned 2 [0080.352] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="34") returned 2 [0080.352] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="8E") returned 2 [0080.352] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="86") returned 2 [0080.352] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="43") returned 2 [0080.352] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="00") returned 2 [0080.352] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="EE") returned 2 [0080.352] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="3E") returned 2 [0080.352] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="06") returned 2 [0080.352] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="C8") returned 2 [0080.352] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="6B") returned 2 [0080.352] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="55") returned 2 [0080.352] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="8C") returned 2 [0080.352] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="24") returned 2 [0080.352] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="B7") returned 2 [0080.353] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="45") returned 2 [0080.353] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="24") returned 2 [0080.367] lstrcpyW (in: lpString1=0x582b6c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" [0080.367] lstrcpyW (in: lpString1=0x572b6c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" [0080.367] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi", lpString2=".41A0E30146711B387E0A8ACE38C3E843348E864300EE3E06C86B558C24B74524" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.41A0E30146711B387E0A8ACE38C3E843348E864300EE3E06C86B558C24B74524") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.41A0E30146711B387E0A8ACE38C3E843348E864300EE3E06C86B558C24B74524" [0080.367] CreateIoCompletionPort (FileHandle=0x174, ExistingCompletionPort=0x94, CompletionKey=0x572b38, NumberOfConcurrentThreads=0x0) returned 0x94 [0080.367] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x572b38, lpOverlapped=0x572b38) returned 1 [0080.367] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf4e37e00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5b1, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="Proof.xml", cAlternateFileName="")) returned 1 [0080.367] lstrcmpiW (lpString1="Proof.xml", lpString2="Windows") returned -1 [0080.367] lstrcmpiW (lpString1="Proof.xml", lpString2="Program Files") returned 1 [0080.367] lstrcmpiW (lpString1="Proof.xml", lpString2="Program Files (x86)") returned 1 [0080.367] lstrcmpiW (lpString1="Proof.xml", lpString2="$Recycle.bin") returned 1 [0080.367] lstrcmpiW (lpString1="Proof.xml", lpString2="System Volume Information") returned -1 [0080.367] lstrcmpiW (lpString1="Proof.xml", lpString2=".") returned 1 [0080.367] lstrcmpiW (lpString1="Proof.xml", lpString2="..") returned 1 [0080.367] wnsprintfW (in: pszDest=0x522a98, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 85 [0080.367] lstrcmpW (lpString1="Proof.xml", lpString2="PUSSY.TXT") returned -1 [0080.367] PathFindExtensionW (pszPath="Proof.xml") returned=".xml" [0080.368] lstrlenW (lpString=".xml") returned 4 [0080.368] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0080.368] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x190 [0080.368] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=1457) returned 1 [0080.368] GetProcessHeap () returned 0x4c0000 [0080.368] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc91e0 [0080.834] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="FA") returned 2 [0080.834] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="F8") returned 2 [0080.834] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="0D") returned 2 [0080.834] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="E7") returned 2 [0080.834] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="10") returned 2 [0080.834] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="AB") returned 2 [0080.834] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="7E") returned 2 [0080.834] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="F8") returned 2 [0080.835] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="92") returned 2 [0080.835] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="B2") returned 2 [0080.835] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="FD") returned 2 [0080.835] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="7C") returned 2 [0080.835] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="43") returned 2 [0080.835] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="D0") returned 2 [0080.835] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="28") returned 2 [0080.835] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="66") returned 2 [0080.835] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="4A") returned 2 [0080.835] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="F8") returned 2 [0080.835] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="9D") returned 2 [0080.835] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="B7") returned 2 [0080.835] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="63") returned 2 [0080.835] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="44") returned 2 [0080.835] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="EA") returned 2 [0080.835] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="6A") returned 2 [0080.835] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="36") returned 2 [0080.835] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="C0") returned 2 [0080.835] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="48") returned 2 [0080.835] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="0B") returned 2 [0080.835] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="A7") returned 2 [0080.835] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="82") returned 2 [0080.835] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="CC") returned 2 [0080.836] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="6F") returned 2 [0080.848] lstrcpyW (in: lpString1=0x3bd9214, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" [0080.848] lstrcpyW (in: lpString1=0x3bc9214, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" [0080.848] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml", lpString2=".FAF80DE710AB7EF892B2FD7C43D028664AF89DB76344EA6A36C0480BA782CC6F" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.FAF80DE710AB7EF892B2FD7C43D028664AF89DB76344EA6A36C0480BA782CC6F") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.FAF80DE710AB7EF892B2FD7C43D028664AF89DB76344EA6A36C0480BA782CC6F" [0080.848] CreateIoCompletionPort (FileHandle=0x190, ExistingCompletionPort=0x94, CompletionKey=0x3bc91e0, NumberOfConcurrentThreads=0x0) returned 0x94 [0080.848] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc91e0, lpOverlapped=0x3bc91e0) returned 1 [0080.849] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf4e37e00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5b1, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="Proof.xml", cAlternateFileName="")) returned 0 [0080.849] FindClose (in: hFindFile=0x4dbf10 | out: hFindFile=0x4dbf10) returned 1 [0080.850] wnsprintfW (in: pszDest=0x522a98, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\PUSSY.TXT") returned 85 [0080.850] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\PUSSY.TXT" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0080.850] lstrlenA (lpString="abcd") returned 4 [0080.851] WriteFile (in: hFile=0x178, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0080.852] CloseHandle (hObject=0x178) returned 1 [0080.852] GetProcessHeap () returned 0x4c0000 [0080.852] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x522a98 | out: hHeap=0x4c0000) returned 1 [0080.855] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf2bda830, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf30772d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf30772d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Proof.fr", cAlternateFileName="")) returned 1 [0080.855] lstrcmpiW (lpString1="Proof.fr", lpString2="Windows") returned -1 [0080.855] lstrcmpiW (lpString1="Proof.fr", lpString2="Program Files") returned 1 [0080.855] lstrcmpiW (lpString1="Proof.fr", lpString2="Program Files (x86)") returned 1 [0080.855] lstrcmpiW (lpString1="Proof.fr", lpString2="$Recycle.bin") returned 1 [0080.855] lstrcmpiW (lpString1="Proof.fr", lpString2="System Volume Information") returned -1 [0080.855] lstrcmpiW (lpString1="Proof.fr", lpString2=".") returned 1 [0080.855] lstrcmpiW (lpString1="Proof.fr", lpString2="..") returned 1 [0080.855] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr") returned 75 [0080.855] GetProcessHeap () returned 0x4c0000 [0080.855] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x522a98 [0080.856] lstrcpyW (in: lpString1=0x522a98, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr" [0080.856] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr", lpString2="\\*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*" [0080.856] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf2bda830, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf30772d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf30772d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4dbf10 [0080.857] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.857] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.857] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.857] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.857] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.857] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0080.857] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf2bda830, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf30772d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf30772d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0080.858] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.858] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.858] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.858] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.858] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.858] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0080.858] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0080.858] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x35aa7000, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x35aa7000, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf3076b00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1416b54, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="Proof.cab", cAlternateFileName="")) returned 1 [0080.858] lstrcmpiW (lpString1="Proof.cab", lpString2="Windows") returned -1 [0080.858] lstrcmpiW (lpString1="Proof.cab", lpString2="Program Files") returned 1 [0080.858] lstrcmpiW (lpString1="Proof.cab", lpString2="Program Files (x86)") returned 1 [0080.858] lstrcmpiW (lpString1="Proof.cab", lpString2="$Recycle.bin") returned 1 [0080.858] lstrcmpiW (lpString1="Proof.cab", lpString2="System Volume Information") returned -1 [0080.858] lstrcmpiW (lpString1="Proof.cab", lpString2=".") returned 1 [0080.858] lstrcmpiW (lpString1="Proof.cab", lpString2="..") returned 1 [0080.858] wnsprintfW (in: pszDest=0x522a98, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 85 [0080.858] lstrcmpW (lpString1="Proof.cab", lpString2="PUSSY.TXT") returned -1 [0080.858] PathFindExtensionW (pszPath="Proof.cab") returned=".cab" [0080.858] lstrlenW (lpString=".cab") returned 4 [0080.858] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0080.858] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x170 [0080.859] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=21064532) returned 1 [0080.859] GetProcessHeap () returned 0x4c0000 [0080.859] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b28098 [0080.873] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="E7") returned 2 [0080.873] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="5F") returned 2 [0080.873] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="D0") returned 2 [0080.873] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="80") returned 2 [0080.873] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="9E") returned 2 [0080.873] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="4A") returned 2 [0080.873] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="25") returned 2 [0080.873] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="9A") returned 2 [0080.874] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="98") returned 2 [0080.874] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="EE") returned 2 [0080.874] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="E0") returned 2 [0080.874] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="04") returned 2 [0080.874] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="CA") returned 2 [0080.874] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="75") returned 2 [0080.874] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="98") returned 2 [0080.874] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="70") returned 2 [0080.874] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="35") returned 2 [0080.874] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="CF") returned 2 [0080.874] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="6E") returned 2 [0080.874] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="AE") returned 2 [0080.874] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="D5") returned 2 [0080.874] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="31") returned 2 [0080.874] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="21") returned 2 [0080.874] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="BD") returned 2 [0080.874] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="CC") returned 2 [0080.874] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="91") returned 2 [0080.874] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="CC") returned 2 [0080.874] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="AB") returned 2 [0080.874] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="30") returned 2 [0080.874] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="20") returned 2 [0080.874] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="BE") returned 2 [0080.875] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="69") returned 2 [0080.888] lstrcpyW (in: lpString1=0x3b380cc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" [0080.888] lstrcpyW (in: lpString1=0x3b280cc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" [0080.888] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab", lpString2=".E75FD0809E4A259A98EEE004CA75987035CF6EAED53121BDCC91CCAB3020BE69" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.E75FD0809E4A259A98EEE004CA75987035CF6EAED53121BDCC91CCAB3020BE69") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.E75FD0809E4A259A98EEE004CA75987035CF6EAED53121BDCC91CCAB3020BE69" [0080.888] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x94, CompletionKey=0x3b28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0080.888] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b28098, lpOverlapped=0x3b28098) returned 1 [0080.889] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf2e3b660, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd8400, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="Proof.msi", cAlternateFileName="")) returned 1 [0080.889] lstrcmpiW (lpString1="Proof.msi", lpString2="Windows") returned -1 [0080.889] lstrcmpiW (lpString1="Proof.msi", lpString2="Program Files") returned 1 [0080.889] lstrcmpiW (lpString1="Proof.msi", lpString2="Program Files (x86)") returned 1 [0080.889] lstrcmpiW (lpString1="Proof.msi", lpString2="$Recycle.bin") returned 1 [0080.889] lstrcmpiW (lpString1="Proof.msi", lpString2="System Volume Information") returned -1 [0080.889] lstrcmpiW (lpString1="Proof.msi", lpString2=".") returned 1 [0080.889] lstrcmpiW (lpString1="Proof.msi", lpString2="..") returned 1 [0080.889] wnsprintfW (in: pszDest=0x522a98, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 85 [0080.889] lstrcmpW (lpString1="Proof.msi", lpString2="PUSSY.TXT") returned -1 [0080.889] PathFindExtensionW (pszPath="Proof.msi") returned=".msi" [0080.889] lstrlenW (lpString=".msi") returned 4 [0080.889] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0080.889] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0080.891] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=885760) returned 1 [0080.891] GetProcessHeap () returned 0x4c0000 [0080.891] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x54aae8 [0080.909] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="8D") returned 2 [0080.909] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="34") returned 2 [0080.909] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="90") returned 2 [0080.909] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="C8") returned 2 [0080.909] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="70") returned 2 [0080.909] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="AE") returned 2 [0080.909] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="CD") returned 2 [0080.909] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="FD") returned 2 [0080.909] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="04") returned 2 [0080.909] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="F2") returned 2 [0080.909] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="0E") returned 2 [0080.910] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="29") returned 2 [0080.910] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="CD") returned 2 [0080.910] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="79") returned 2 [0080.910] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="FB") returned 2 [0080.910] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="B5") returned 2 [0080.910] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="9E") returned 2 [0080.910] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="50") returned 2 [0080.910] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="19") returned 2 [0080.910] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="75") returned 2 [0080.910] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="06") returned 2 [0080.910] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="E2") returned 2 [0080.910] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="BC") returned 2 [0080.910] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="F3") returned 2 [0080.910] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="C5") returned 2 [0080.910] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="75") returned 2 [0080.910] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="3F") returned 2 [0080.910] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="DC") returned 2 [0080.910] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="26") returned 2 [0080.910] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="E9") returned 2 [0080.910] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="93") returned 2 [0080.910] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="1E") returned 2 [0080.936] lstrcpyW (in: lpString1=0x55ab1c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" [0080.936] lstrcpyW (in: lpString1=0x54ab1c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" [0080.936] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi", lpString2=".8D3490C870AECDFD04F20E29CD79FBB59E50197506E2BCF3C5753FDC26E9931E" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.8D3490C870AECDFD04F20E29CD79FBB59E50197506E2BCF3C5753FDC26E9931E") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.8D3490C870AECDFD04F20E29CD79FBB59E50197506E2BCF3C5753FDC26E9931E" [0080.936] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x54aae8, NumberOfConcurrentThreads=0x0) returned 0x94 [0080.937] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x54aae8, lpOverlapped=0x54aae8) returned 1 [0080.937] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf2bd90c0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5b2, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="Proof.xml", cAlternateFileName="")) returned 1 [0080.937] lstrcmpiW (lpString1="Proof.xml", lpString2="Windows") returned -1 [0080.937] lstrcmpiW (lpString1="Proof.xml", lpString2="Program Files") returned 1 [0080.937] lstrcmpiW (lpString1="Proof.xml", lpString2="Program Files (x86)") returned 1 [0080.937] lstrcmpiW (lpString1="Proof.xml", lpString2="$Recycle.bin") returned 1 [0080.937] lstrcmpiW (lpString1="Proof.xml", lpString2="System Volume Information") returned -1 [0080.937] lstrcmpiW (lpString1="Proof.xml", lpString2=".") returned 1 [0080.937] lstrcmpiW (lpString1="Proof.xml", lpString2="..") returned 1 [0080.937] wnsprintfW (in: pszDest=0x522a98, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 85 [0080.937] lstrcmpW (lpString1="Proof.xml", lpString2="PUSSY.TXT") returned -1 [0080.937] PathFindExtensionW (pszPath="Proof.xml") returned=".xml" [0080.938] lstrlenW (lpString=".xml") returned 4 [0080.938] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0080.938] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x190 [0080.938] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=1458) returned 1 [0080.938] GetProcessHeap () returned 0x4c0000 [0080.938] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3ba0188 [0081.038] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="3D") returned 2 [0081.038] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="9A") returned 2 [0081.038] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="76") returned 2 [0081.038] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="00") returned 2 [0081.038] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="19") returned 2 [0081.038] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="F3") returned 2 [0081.038] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="0A") returned 2 [0081.038] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="AD") returned 2 [0081.038] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="6F") returned 2 [0081.038] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="CA") returned 2 [0081.038] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="98") returned 2 [0081.038] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="72") returned 2 [0081.039] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="E0") returned 2 [0081.039] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="4A") returned 2 [0081.039] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="1F") returned 2 [0081.039] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="FA") returned 2 [0081.039] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="47") returned 2 [0081.039] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="38") returned 2 [0081.039] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="68") returned 2 [0081.039] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="FC") returned 2 [0081.039] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="BD") returned 2 [0081.039] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="6F") returned 2 [0081.039] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="A2") returned 2 [0081.039] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="D0") returned 2 [0081.039] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="5B") returned 2 [0081.039] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="D6") returned 2 [0081.039] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="1D") returned 2 [0081.039] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="FC") returned 2 [0081.039] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="A3") returned 2 [0081.039] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="A5") returned 2 [0081.039] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="01") returned 2 [0081.039] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="31") returned 2 [0081.051] lstrcpyW (in: lpString1=0x3bb01bc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" [0081.051] lstrcpyW (in: lpString1=0x3ba01bc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" [0081.051] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml", lpString2=".3D9A760019F30AAD6FCA9872E04A1FFA473868FCBD6FA2D05BD61DFCA3A50131" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.3D9A760019F30AAD6FCA9872E04A1FFA473868FCBD6FA2D05BD61DFCA3A50131") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.3D9A760019F30AAD6FCA9872E04A1FFA473868FCBD6FA2D05BD61DFCA3A50131" [0081.051] CreateIoCompletionPort (FileHandle=0x190, ExistingCompletionPort=0x94, CompletionKey=0x3ba0188, NumberOfConcurrentThreads=0x0) returned 0x94 [0081.051] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3ba0188, lpOverlapped=0x3ba0188) returned 1 [0081.051] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf2bd90c0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5b2, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="Proof.xml", cAlternateFileName="")) returned 0 [0081.051] FindClose (in: hFindFile=0x4dbf10 | out: hFindFile=0x4dbf10) returned 1 [0081.052] wnsprintfW (in: pszDest=0x522a98, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\PUSSY.TXT") returned 85 [0081.052] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\PUSSY.TXT" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0081.052] lstrlenA (lpString="abcd") returned 4 [0081.052] WriteFile (in: hFile=0x178, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0081.053] CloseHandle (hObject=0x178) returned 1 [0081.054] GetProcessHeap () returned 0x4c0000 [0081.054] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x522a98 | out: hHeap=0x4c0000) returned 1 [0081.056] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x40650500, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x40650500, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf0126df0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd4200, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Proofing.msi", cAlternateFileName="")) returned 1 [0081.056] lstrcmpiW (lpString1="Proofing.msi", lpString2="Windows") returned -1 [0081.056] lstrcmpiW (lpString1="Proofing.msi", lpString2="Program Files") returned 1 [0081.056] lstrcmpiW (lpString1="Proofing.msi", lpString2="Program Files (x86)") returned 1 [0081.056] lstrcmpiW (lpString1="Proofing.msi", lpString2="$Recycle.bin") returned 1 [0081.056] lstrcmpiW (lpString1="Proofing.msi", lpString2="System Volume Information") returned -1 [0081.056] lstrcmpiW (lpString1="Proofing.msi", lpString2=".") returned 1 [0081.056] lstrcmpiW (lpString1="Proofing.msi", lpString2="..") returned 1 [0081.056] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 79 [0081.056] lstrcmpW (lpString1="Proofing.msi", lpString2="PUSSY.TXT") returned -1 [0081.056] PathFindExtensionW (pszPath="Proofing.msi") returned=".msi" [0081.056] lstrlenW (lpString=".msi") returned 4 [0081.056] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0081.056] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0081.057] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=868864) returned 1 [0081.057] GetProcessHeap () returned 0x4c0000 [0081.057] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc81d8 [0081.070] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="27") returned 2 [0081.070] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="C7") returned 2 [0081.070] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="7A") returned 2 [0081.070] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="2D") returned 2 [0081.070] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="13") returned 2 [0081.070] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="BD") returned 2 [0081.070] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="71") returned 2 [0081.070] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="3D") returned 2 [0081.070] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="FB") returned 2 [0081.070] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="87") returned 2 [0081.070] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="C4") returned 2 [0081.070] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="F7") returned 2 [0081.070] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="45") returned 2 [0081.070] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="D5") returned 2 [0081.070] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="BC") returned 2 [0081.070] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="6B") returned 2 [0081.071] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="71") returned 2 [0081.071] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="57") returned 2 [0081.071] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="5B") returned 2 [0081.071] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="B3") returned 2 [0081.071] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="8A") returned 2 [0081.071] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="86") returned 2 [0081.071] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="24") returned 2 [0081.071] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="AD") returned 2 [0081.071] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="17") returned 2 [0081.071] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="93") returned 2 [0081.071] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="EF") returned 2 [0081.071] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="8C") returned 2 [0081.071] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="08") returned 2 [0081.071] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="EC") returned 2 [0081.071] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="6C") returned 2 [0081.071] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="59") returned 2 [0081.083] lstrcpyW (in: lpString1=0x3bd820c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" [0081.083] lstrcpyW (in: lpString1=0x3bc820c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" [0081.083] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi", lpString2=".27C77A2D13BD713DFB87C4F745D5BC6B71575BB38A8624AD1793EF8C08EC6C59" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.27C77A2D13BD713DFB87C4F745D5BC6B71575BB38A8624AD1793EF8C08EC6C59") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.27C77A2D13BD713DFB87C4F745D5BC6B71575BB38A8624AD1793EF8C08EC6C59" [0081.083] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x3bc81d8, NumberOfConcurrentThreads=0x0) returned 0x94 [0081.083] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc81d8, lpOverlapped=0x3bc81d8) returned 1 [0081.083] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf00db300, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x32b, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Proofing.xml", cAlternateFileName="")) returned 1 [0081.083] lstrcmpiW (lpString1="Proofing.xml", lpString2="Windows") returned -1 [0081.083] lstrcmpiW (lpString1="Proofing.xml", lpString2="Program Files") returned 1 [0081.083] lstrcmpiW (lpString1="Proofing.xml", lpString2="Program Files (x86)") returned 1 [0081.083] lstrcmpiW (lpString1="Proofing.xml", lpString2="$Recycle.bin") returned 1 [0081.083] lstrcmpiW (lpString1="Proofing.xml", lpString2="System Volume Information") returned -1 [0081.083] lstrcmpiW (lpString1="Proofing.xml", lpString2=".") returned 1 [0081.083] lstrcmpiW (lpString1="Proofing.xml", lpString2="..") returned 1 [0081.083] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 79 [0081.083] lstrcmpW (lpString1="Proofing.xml", lpString2="PUSSY.TXT") returned -1 [0081.083] PathFindExtensionW (pszPath="Proofing.xml") returned=".xml" [0081.083] lstrlenW (lpString=".xml") returned 4 [0081.084] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0081.084] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0081.084] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=811) returned 1 [0081.084] GetProcessHeap () returned 0x4c0000 [0081.084] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0081.098] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="86") returned 2 [0081.098] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="43") returned 2 [0081.098] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="93") returned 2 [0081.098] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="B7") returned 2 [0081.098] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="53") returned 2 [0081.098] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="CB") returned 2 [0081.098] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="37") returned 2 [0081.098] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="5B") returned 2 [0081.098] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="A3") returned 2 [0081.098] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="96") returned 2 [0081.098] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="C0") returned 2 [0081.098] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="57") returned 2 [0081.098] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="DA") returned 2 [0081.098] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="C2") returned 2 [0081.098] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="7E") returned 2 [0081.099] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="D2") returned 2 [0081.099] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="07") returned 2 [0081.099] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="2C") returned 2 [0081.099] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="DA") returned 2 [0081.099] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="97") returned 2 [0081.099] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="EA") returned 2 [0081.099] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="5B") returned 2 [0081.099] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="EF") returned 2 [0081.099] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="D9") returned 2 [0081.099] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="47") returned 2 [0081.099] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="E2") returned 2 [0081.099] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="11") returned 2 [0081.099] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="2C") returned 2 [0081.099] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="58") returned 2 [0081.099] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="54") returned 2 [0081.099] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="BB") returned 2 [0081.099] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="14") returned 2 [0081.111] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" [0081.111] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" [0081.111] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpString2=".864393B753CB375BA396C057DAC27ED2072CDA97EA5BEFD947E2112C5854BB14" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.864393B753CB375BA396C057DAC27ED2072CDA97EA5BEFD947E2112C5854BB14") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.864393B753CB375BA396C057DAC27ED2072CDA97EA5BEFD947E2112C5854BB14" [0081.111] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0081.111] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0081.111] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x42c75f00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x42c75f00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf58c6830, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x16fc, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0081.111] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0081.111] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0081.111] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0081.111] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0081.111] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0081.111] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0081.111] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0081.111] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0081.112] lstrcmpW (lpString1="Setup.xml", lpString2="PUSSY.TXT") returned 1 [0081.112] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0081.112] lstrlenW (lpString=".xml") returned 4 [0081.112] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0081.112] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x198 [0081.112] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=5884) returned 1 [0081.112] GetProcessHeap () returned 0x4c0000 [0081.112] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c28098 [0081.126] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="16") returned 2 [0081.126] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="0A") returned 2 [0081.126] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="0C") returned 2 [0081.126] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="AA") returned 2 [0081.126] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="EF") returned 2 [0081.126] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="59") returned 2 [0081.126] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="F2") returned 2 [0081.126] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="FC") returned 2 [0081.126] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="0E") returned 2 [0081.126] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="1E") returned 2 [0081.126] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="0D") returned 2 [0081.126] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="CB") returned 2 [0081.126] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="9A") returned 2 [0081.126] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="CF") returned 2 [0081.126] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="CB") returned 2 [0081.126] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="73") returned 2 [0081.126] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="6A") returned 2 [0081.126] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="62") returned 2 [0081.126] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="AA") returned 2 [0081.126] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="7D") returned 2 [0081.126] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="3E") returned 2 [0081.126] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="C9") returned 2 [0081.126] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="82") returned 2 [0081.126] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="B1") returned 2 [0081.127] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="E0") returned 2 [0081.127] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="5F") returned 2 [0081.127] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="CA") returned 2 [0081.127] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="30") returned 2 [0081.127] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="DD") returned 2 [0081.127] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="5C") returned 2 [0081.127] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="D5") returned 2 [0081.127] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="12") returned 2 [0081.364] lstrcpyW (in: lpString1=0x3c380cc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" [0081.364] lstrcpyW (in: lpString1=0x3c280cc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" [0081.364] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".160A0CAAEF59F2FC0E1E0DCB9ACFCB736A62AA7D3EC982B1E05FCA30DD5CD512" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.160A0CAAEF59F2FC0E1E0DCB9ACFCB736A62AA7D3EC982B1E05FCA30DD5CD512") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.160A0CAAEF59F2FC0E1E0DCB9ACFCB736A62AA7D3EC982B1E05FCA30DD5CD512" [0081.364] CreateIoCompletionPort (FileHandle=0x198, ExistingCompletionPort=0x94, CompletionKey=0x3c28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0081.364] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c28098, lpOverlapped=0x3c28098) returned 1 [0081.364] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x42c75f00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x42c75f00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf58c6830, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x16fc, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0081.364] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0081.365] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\PUSSY.TXT") returned 76 [0081.365] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\PUSSY.TXT" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0081.365] lstrlenA (lpString="abcd") returned 4 [0081.365] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0081.367] CloseHandle (hObject=0x17c) returned 1 [0081.367] GetProcessHeap () returned 0x4c0000 [0081.367] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0081.368] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc138cb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc3e6570, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc3e6570, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="{90140000-0043-0409-1000-0000000FF1CE}-C", cAlternateFileName="{95310~1")) returned 1 [0081.368] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0081.368] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0081.368] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0081.368] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0081.368] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0081.368] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0081.368] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0081.369] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C") returned 66 [0081.369] GetProcessHeap () returned 0x4c0000 [0081.369] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0081.369] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C" [0081.369] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="\\*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*" [0081.369] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc138cb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc3e6570, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc3e6570, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0082.189] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.190] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.190] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.190] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.190] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.190] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0082.190] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc138cb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc3e6570, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc3e6570, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0082.190] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.190] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.190] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.190] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.190] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.190] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0082.190] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0082.190] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc138cb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd5600, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Office32MUI.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0082.190] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="Windows") returned -1 [0082.190] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="Program Files") returned -1 [0082.190] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="Program Files (x86)") returned -1 [0082.190] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="$Recycle.bin") returned 1 [0082.190] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="System Volume Information") returned -1 [0082.190] lstrcmpiW (lpString1="Office32MUI.msi", lpString2=".") returned 1 [0082.190] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="..") returned 1 [0082.190] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 82 [0082.190] lstrcmpW (lpString1="Office32MUI.msi", lpString2="PUSSY.TXT") returned -1 [0082.190] PathFindExtensionW (pszPath="Office32MUI.msi") returned=".msi" [0082.190] lstrlenW (lpString=".msi") returned 4 [0082.191] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0082.191] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x180 [0082.191] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=873984) returned 1 [0082.191] GetProcessHeap () returned 0x4c0000 [0082.191] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b78138 [0082.203] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="EF") returned 2 [0082.203] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="2A") returned 2 [0082.204] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="D8") returned 2 [0082.204] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="F3") returned 2 [0082.204] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="34") returned 2 [0082.204] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="BD") returned 2 [0082.204] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="F1") returned 2 [0082.204] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="47") returned 2 [0082.204] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="D9") returned 2 [0082.204] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="C8") returned 2 [0082.204] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="DB") returned 2 [0082.204] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="9C") returned 2 [0082.204] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="0F") returned 2 [0082.204] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="30") returned 2 [0082.204] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="E1") returned 2 [0082.204] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="2B") returned 2 [0082.204] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="2E") returned 2 [0082.204] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="50") returned 2 [0082.204] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="04") returned 2 [0082.204] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="9C") returned 2 [0082.204] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="2A") returned 2 [0082.204] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="3F") returned 2 [0082.204] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="7B") returned 2 [0082.204] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="6D") returned 2 [0082.204] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="8F") returned 2 [0082.204] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="E2") returned 2 [0082.204] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="65") returned 2 [0082.204] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="A5") returned 2 [0082.205] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="27") returned 2 [0082.205] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="CC") returned 2 [0082.205] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="D8") returned 2 [0082.205] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="11") returned 2 [0082.217] lstrcpyW (in: lpString1=0x3b8816c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" [0082.217] lstrcpyW (in: lpString1=0x3b7816c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" [0082.217] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi", lpString2=".EF2AD8F334BDF147D9C8DB9C0F30E12B2E50049C2A3F7B6D8FE265A527CCD811" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.EF2AD8F334BDF147D9C8DB9C0F30E12B2E50049C2A3F7B6D8FE265A527CCD811") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.EF2AD8F334BDF147D9C8DB9C0F30E12B2E50049C2A3F7B6D8FE265A527CCD811" [0082.217] CreateIoCompletionPort (FileHandle=0x180, ExistingCompletionPort=0x94, CompletionKey=0x3b78138, NumberOfConcurrentThreads=0x0) returned 0x94 [0082.217] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b78138, lpOverlapped=0x3b78138) returned 1 [0082.218] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc138cb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x567, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Office32MUI.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0082.218] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="Windows") returned -1 [0082.218] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="Program Files") returned -1 [0082.218] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="Program Files (x86)") returned -1 [0082.218] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="$Recycle.bin") returned 1 [0082.218] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="System Volume Information") returned -1 [0082.218] lstrcmpiW (lpString1="Office32MUI.xml", lpString2=".") returned 1 [0082.218] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="..") returned 1 [0082.218] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 82 [0082.218] lstrcmpW (lpString1="Office32MUI.xml", lpString2="PUSSY.TXT") returned -1 [0082.218] PathFindExtensionW (pszPath="Office32MUI.xml") returned=".xml" [0082.218] lstrlenW (lpString=".xml") returned 4 [0082.218] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0082.218] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0082.219] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=1383) returned 1 [0082.219] GetProcessHeap () returned 0x4c0000 [0082.219] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c500e8 [0082.235] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="80") returned 2 [0082.235] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="50") returned 2 [0082.235] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="1B") returned 2 [0082.235] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="3F") returned 2 [0082.235] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="AC") returned 2 [0082.235] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="F9") returned 2 [0082.235] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="9B") returned 2 [0082.235] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="AF") returned 2 [0082.236] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="61") returned 2 [0082.236] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="A5") returned 2 [0082.236] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="A1") returned 2 [0082.236] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="A5") returned 2 [0082.236] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="FF") returned 2 [0082.236] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="01") returned 2 [0082.236] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="CE") returned 2 [0082.236] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="EB") returned 2 [0082.236] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="89") returned 2 [0082.236] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="9D") returned 2 [0082.236] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="97") returned 2 [0082.236] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="83") returned 2 [0082.236] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="DE") returned 2 [0082.236] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="E4") returned 2 [0082.236] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="14") returned 2 [0082.236] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="32") returned 2 [0082.236] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="2C") returned 2 [0082.236] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="C2") returned 2 [0082.236] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="E8") returned 2 [0082.236] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="9D") returned 2 [0082.236] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="8E") returned 2 [0082.236] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="C1") returned 2 [0082.236] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="7C") returned 2 [0082.236] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="73") returned 2 [0082.249] lstrcpyW (in: lpString1=0x3c6011c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" [0082.249] lstrcpyW (in: lpString1=0x3c5011c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" [0082.249] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpString2=".80501B3FACF99BAF61A5A1A5FF01CEEB899D9783DEE414322CC2E89D8EC17C73" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.80501B3FACF99BAF61A5A1A5FF01CEEB899D9783DEE414322CC2E89D8EC17C73") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.80501B3FACF99BAF61A5A1A5FF01CEEB899D9783DEE414322CC2E89D8EC17C73" [0082.249] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x3c500e8, NumberOfConcurrentThreads=0x0) returned 0x94 [0082.250] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c500e8, lpOverlapped=0x3c500e8) returned 1 [0082.250] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc301560, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2cb13b, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="OWOW32LR.cab", cAlternateFileName="")) returned 1 [0082.250] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="Windows") returned -1 [0082.250] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="Program Files") returned -1 [0082.250] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="Program Files (x86)") returned -1 [0082.250] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="$Recycle.bin") returned 1 [0082.250] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="System Volume Information") returned -1 [0082.250] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2=".") returned 1 [0082.250] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="..") returned 1 [0082.250] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 79 [0082.250] lstrcmpW (lpString1="OWOW32LR.cab", lpString2="PUSSY.TXT") returned -1 [0082.250] PathFindExtensionW (pszPath="OWOW32LR.cab") returned=".cab" [0082.250] lstrlenW (lpString=".cab") returned 4 [0082.250] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0082.250] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0082.251] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=2928955) returned 1 [0082.251] GetProcessHeap () returned 0x4c0000 [0082.251] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c78138 [0082.267] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="A7") returned 2 [0082.267] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="39") returned 2 [0082.267] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="F1") returned 2 [0082.267] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="26") returned 2 [0082.267] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="49") returned 2 [0082.267] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="7A") returned 2 [0082.267] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="2F") returned 2 [0082.267] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="B9") returned 2 [0082.267] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="7B") returned 2 [0082.267] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="12") returned 2 [0082.267] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="32") returned 2 [0082.268] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="E5") returned 2 [0082.268] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="23") returned 2 [0082.268] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="72") returned 2 [0082.268] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="B9") returned 2 [0082.268] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="3B") returned 2 [0082.268] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="80") returned 2 [0082.268] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="2A") returned 2 [0082.268] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="B4") returned 2 [0082.268] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="E0") returned 2 [0082.268] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="B4") returned 2 [0082.268] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="F9") returned 2 [0082.268] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="50") returned 2 [0082.268] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="AD") returned 2 [0082.268] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="60") returned 2 [0082.268] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="0E") returned 2 [0082.268] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="32") returned 2 [0082.268] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="00") returned 2 [0082.268] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="E5") returned 2 [0082.268] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="1C") returned 2 [0082.268] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="AC") returned 2 [0082.268] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="22") returned 2 [0082.284] lstrcpyW (in: lpString1=0x3c8816c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" [0082.284] lstrcpyW (in: lpString1=0x3c7816c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" [0082.284] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpString2=".A739F126497A2FB97B1232E52372B93B802AB4E0B4F950AD600E3200E51CAC22" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.A739F126497A2FB97B1232E52372B93B802AB4E0B4F950AD600E3200E51CAC22") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.A739F126497A2FB97B1232E52372B93B802AB4E0B4F950AD600E3200E51CAC22" [0082.284] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x3c78138, NumberOfConcurrentThreads=0x0) returned 0x94 [0082.284] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c78138, lpOverlapped=0x3c78138) returned 1 [0082.285] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc3e4630, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x93a, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0082.285] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0082.285] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0082.285] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0082.285] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0082.285] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0082.285] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0082.285] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0082.285] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0082.285] lstrcmpW (lpString1="Setup.xml", lpString2="PUSSY.TXT") returned 1 [0082.285] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0082.285] lstrlenW (lpString=".xml") returned 4 [0082.285] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0082.286] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a0 [0082.286] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=2362) returned 1 [0082.286] GetProcessHeap () returned 0x4c0000 [0082.286] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3ca0188 [0082.800] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="AF") returned 2 [0082.800] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="85") returned 2 [0082.800] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="BE") returned 2 [0082.800] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="AB") returned 2 [0082.800] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="36") returned 2 [0082.800] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="18") returned 2 [0082.800] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="D2") returned 2 [0082.800] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="A8") returned 2 [0082.800] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="1B") returned 2 [0082.800] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="38") returned 2 [0082.800] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="4F") returned 2 [0082.800] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="7A") returned 2 [0082.800] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="37") returned 2 [0082.800] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="42") returned 2 [0082.801] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="AF") returned 2 [0082.801] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="05") returned 2 [0082.801] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="7A") returned 2 [0082.801] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="AC") returned 2 [0082.801] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="55") returned 2 [0082.801] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="D5") returned 2 [0082.801] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="6E") returned 2 [0082.801] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="E6") returned 2 [0082.801] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="CB") returned 2 [0082.801] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="00") returned 2 [0082.801] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="1B") returned 2 [0082.801] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="BD") returned 2 [0082.801] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="7C") returned 2 [0082.801] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="74") returned 2 [0082.801] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="BF") returned 2 [0082.801] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="8E") returned 2 [0082.801] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="5C") returned 2 [0082.801] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="5C") returned 2 [0082.815] lstrcpyW (in: lpString1=0x3cb01bc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" [0082.815] lstrcpyW (in: lpString1=0x3ca01bc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" [0082.815] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".AF85BEAB3618D2A81B384F7A3742AF057AAC55D56EE6CB001BBD7C74BF8E5C5C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.AF85BEAB3618D2A81B384F7A3742AF057AAC55D56EE6CB001BBD7C74BF8E5C5C") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.AF85BEAB3618D2A81B384F7A3742AF057AAC55D56EE6CB001BBD7C74BF8E5C5C" [0082.815] CreateIoCompletionPort (FileHandle=0x1a0, ExistingCompletionPort=0x94, CompletionKey=0x3ca0188, NumberOfConcurrentThreads=0x0) returned 0x94 [0082.815] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3ca0188, lpOverlapped=0x3ca0188) returned 1 [0082.815] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc3e4630, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x93a, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0082.815] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0082.815] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\PUSSY.TXT") returned 76 [0082.815] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\PUSSY.TXT" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0082.828] lstrlenA (lpString="abcd") returned 4 [0082.828] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0082.829] CloseHandle (hObject=0x17c) returned 1 [0082.829] GetProcessHeap () returned 0x4c0000 [0082.829] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0082.830] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf6e34d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa13c510, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="{90140000-0044-0409-1000-0000000FF1CE}-C", cAlternateFileName="{91454~1")) returned 1 [0082.830] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0082.830] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0082.830] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0082.830] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0082.830] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0082.830] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0082.830] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0082.830] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C") returned 66 [0082.830] GetProcessHeap () returned 0x4c0000 [0082.830] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0082.831] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C" [0082.831] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="\\*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*" [0082.831] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf6e34d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa13c510, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0083.907] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.907] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.907] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.907] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.907] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.907] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0083.907] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf6e34d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa13c510, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0083.907] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.907] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.907] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.907] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.907] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.907] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0083.907] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0083.907] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf79111d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1200204, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="InfLR.cab", cAlternateFileName="")) returned 1 [0083.907] lstrcmpiW (lpString1="InfLR.cab", lpString2="Windows") returned -1 [0083.907] lstrcmpiW (lpString1="InfLR.cab", lpString2="Program Files") returned -1 [0083.907] lstrcmpiW (lpString1="InfLR.cab", lpString2="Program Files (x86)") returned -1 [0083.907] lstrcmpiW (lpString1="InfLR.cab", lpString2="$Recycle.bin") returned 1 [0083.907] lstrcmpiW (lpString1="InfLR.cab", lpString2="System Volume Information") returned -1 [0083.908] lstrcmpiW (lpString1="InfLR.cab", lpString2=".") returned 1 [0083.908] lstrcmpiW (lpString1="InfLR.cab", lpString2="..") returned 1 [0083.908] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 76 [0083.908] lstrcmpW (lpString1="InfLR.cab", lpString2="PUSSY.TXT") returned -1 [0083.908] PathFindExtensionW (pszPath="InfLR.cab") returned=".cab" [0083.908] lstrlenW (lpString=".cab") returned 4 [0083.908] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0083.908] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0083.908] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=18874884) returned 1 [0083.908] GetProcessHeap () returned 0x4c0000 [0083.909] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b500e8 [0083.925] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="00") returned 2 [0083.925] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="67") returned 2 [0083.925] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="83") returned 2 [0083.925] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="06") returned 2 [0083.925] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="F9") returned 2 [0083.925] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="CD") returned 2 [0083.925] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="E8") returned 2 [0083.925] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="A7") returned 2 [0083.925] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="E0") returned 2 [0083.925] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="B8") returned 2 [0083.925] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="8F") returned 2 [0083.925] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="64") returned 2 [0083.925] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="62") returned 2 [0083.926] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="9E") returned 2 [0083.926] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="09") returned 2 [0083.926] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="69") returned 2 [0083.926] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="56") returned 2 [0083.926] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="9A") returned 2 [0083.926] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="06") returned 2 [0083.926] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="FF") returned 2 [0083.926] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="41") returned 2 [0083.926] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="55") returned 2 [0083.926] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="E5") returned 2 [0083.926] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="77") returned 2 [0083.926] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="9C") returned 2 [0083.926] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="39") returned 2 [0083.926] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="D3") returned 2 [0083.926] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="16") returned 2 [0083.926] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="5C") returned 2 [0083.926] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="34") returned 2 [0083.927] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="52") returned 2 [0083.927] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="40") returned 2 [0083.941] lstrcpyW (in: lpString1=0x3b6011c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" [0083.941] lstrcpyW (in: lpString1=0x3b5011c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" [0083.941] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpString2=".00678306F9CDE8A7E0B88F64629E0969569A06FF4155E5779C39D3165C345240" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.00678306F9CDE8A7E0B88F64629E0969569A06FF4155E5779C39D3165C345240") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.00678306F9CDE8A7E0B88F64629E0969569A06FF4155E5779C39D3165C345240" [0083.941] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x3b500e8, NumberOfConcurrentThreads=0x0) returned 0x94 [0083.941] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b500e8, lpOverlapped=0x3b500e8) returned 1 [0083.942] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf6e58f90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2fac00, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="InfoPathMUI.msi", cAlternateFileName="INFOPA~1.MSI")) returned 1 [0083.942] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="Windows") returned -1 [0083.942] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="Program Files") returned -1 [0083.942] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="Program Files (x86)") returned -1 [0083.942] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="$Recycle.bin") returned 1 [0083.942] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="System Volume Information") returned -1 [0083.942] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2=".") returned 1 [0083.942] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="..") returned 1 [0083.942] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 82 [0083.942] lstrcmpW (lpString1="InfoPathMUI.msi", lpString2="PUSSY.TXT") returned -1 [0083.942] PathFindExtensionW (pszPath="InfoPathMUI.msi") returned=".msi" [0083.942] lstrlenW (lpString=".msi") returned 4 [0083.942] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0083.942] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a0 [0083.943] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=3124224) returned 1 [0083.943] GetProcessHeap () returned 0x4c0000 [0083.943] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3ba0188 [0083.964] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="58") returned 2 [0083.964] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="CE") returned 2 [0083.964] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="6A") returned 2 [0083.964] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="07") returned 2 [0083.964] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="11") returned 2 [0083.964] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="D2") returned 2 [0083.964] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="37") returned 2 [0083.964] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="9D") returned 2 [0083.964] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="2F") returned 2 [0083.964] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="A5") returned 2 [0083.964] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="F7") returned 2 [0083.964] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="D0") returned 2 [0083.964] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="D3") returned 2 [0083.965] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="DF") returned 2 [0083.965] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="07") returned 2 [0083.965] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="AF") returned 2 [0083.965] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="0F") returned 2 [0083.965] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="14") returned 2 [0083.965] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="56") returned 2 [0083.965] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="EE") returned 2 [0083.965] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="33") returned 2 [0083.965] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="72") returned 2 [0083.965] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="ED") returned 2 [0083.965] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="73") returned 2 [0083.965] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="A9") returned 2 [0083.965] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="12") returned 2 [0083.965] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="E5") returned 2 [0083.965] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="FB") returned 2 [0083.965] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="92") returned 2 [0083.965] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="E6") returned 2 [0083.965] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="A1") returned 2 [0083.965] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="64") returned 2 [0084.438] lstrcpyW (in: lpString1=0x3bb01bc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" [0084.438] lstrcpyW (in: lpString1=0x3ba01bc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" [0084.438] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi", lpString2=".58CE6A0711D2379D2FA5F7D0D3DF07AF0F1456EE3372ED73A912E5FB92E6A164" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.58CE6A0711D2379D2FA5F7D0D3DF07AF0F1456EE3372ED73A912E5FB92E6A164") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.58CE6A0711D2379D2FA5F7D0D3DF07AF0F1456EE3372ED73A912E5FB92E6A164" [0084.438] CreateIoCompletionPort (FileHandle=0x1a0, ExistingCompletionPort=0x94, CompletionKey=0x3ba0188, NumberOfConcurrentThreads=0x0) returned 0x94 [0084.438] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3ba0188, lpOverlapped=0x3ba0188) returned 1 [0084.439] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf6e345a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x4cf, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="InfoPathMUI.xml", cAlternateFileName="INFOPA~1.XML")) returned 1 [0084.439] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="Windows") returned -1 [0084.439] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="Program Files") returned -1 [0084.439] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="Program Files (x86)") returned -1 [0084.439] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="$Recycle.bin") returned 1 [0084.439] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="System Volume Information") returned -1 [0084.439] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2=".") returned 1 [0084.439] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="..") returned 1 [0084.439] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 82 [0084.439] lstrcmpW (lpString1="InfoPathMUI.xml", lpString2="PUSSY.TXT") returned -1 [0084.439] PathFindExtensionW (pszPath="InfoPathMUI.xml") returned=".xml" [0084.439] lstrlenW (lpString=".xml") returned 4 [0084.440] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0084.440] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0084.440] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=1231) returned 1 [0084.440] GetProcessHeap () returned 0x4c0000 [0084.440] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3ca0188 [0084.466] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="0E") returned 2 [0084.466] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="BC") returned 2 [0084.466] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="13") returned 2 [0084.466] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="BF") returned 2 [0084.467] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="42") returned 2 [0084.467] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="D5") returned 2 [0084.467] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="41") returned 2 [0084.467] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="29") returned 2 [0084.467] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="33") returned 2 [0084.467] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="E6") returned 2 [0084.467] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="F1") returned 2 [0084.467] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="87") returned 2 [0084.467] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="9A") returned 2 [0084.467] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="13") returned 2 [0084.467] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="A7") returned 2 [0084.467] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="BD") returned 2 [0084.467] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="FD") returned 2 [0084.467] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="FB") returned 2 [0084.467] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="B8") returned 2 [0084.467] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="E7") returned 2 [0084.467] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="59") returned 2 [0084.467] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="F5") returned 2 [0084.467] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="A8") returned 2 [0084.467] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="A9") returned 2 [0084.467] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="3B") returned 2 [0084.467] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="A9") returned 2 [0084.468] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="5D") returned 2 [0084.468] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="49") returned 2 [0084.468] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="BF") returned 2 [0084.468] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="D3") returned 2 [0084.468] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="23") returned 2 [0084.468] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="18") returned 2 [0084.482] lstrcpyW (in: lpString1=0x3cb01bc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" [0084.482] lstrcpyW (in: lpString1=0x3ca01bc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" [0084.482] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpString2=".0EBC13BF42D5412933E6F1879A13A7BDFDFBB8E759F5A8A93BA95D49BFD32318" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.0EBC13BF42D5412933E6F1879A13A7BDFDFBB8E759F5A8A93BA95D49BFD32318") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.0EBC13BF42D5412933E6F1879A13A7BDFDFBB8E759F5A8A93BA95D49BFD32318" [0084.482] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x3ca0188, NumberOfConcurrentThreads=0x0) returned 0x94 [0084.482] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3ca0188, lpOverlapped=0x3ca0188) returned 1 [0084.484] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x73c, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0084.484] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0084.484] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0084.484] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0084.484] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0084.484] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0084.484] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0084.484] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0084.484] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0084.484] lstrcmpW (lpString1="Setup.xml", lpString2="PUSSY.TXT") returned 1 [0084.484] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0084.484] lstrlenW (lpString=".xml") returned 4 [0084.484] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0084.485] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0084.487] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=1852) returned 1 [0084.487] GetProcessHeap () returned 0x4c0000 [0084.487] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x572b38 [0084.504] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="EE") returned 2 [0084.504] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="0E") returned 2 [0084.504] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="01") returned 2 [0084.504] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="6A") returned 2 [0084.504] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="FC") returned 2 [0084.504] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="2D") returned 2 [0084.504] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="33") returned 2 [0084.504] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="47") returned 2 [0084.504] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="AC") returned 2 [0084.504] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="B4") returned 2 [0084.504] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="28") returned 2 [0084.504] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="2A") returned 2 [0084.504] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="1C") returned 2 [0084.504] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="3B") returned 2 [0084.504] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="44") returned 2 [0084.504] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="A6") returned 2 [0084.504] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="56") returned 2 [0084.504] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="5A") returned 2 [0084.504] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="F2") returned 2 [0084.504] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="0B") returned 2 [0084.504] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="E7") returned 2 [0084.504] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="C7") returned 2 [0084.504] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="03") returned 2 [0084.505] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="C9") returned 2 [0084.505] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="A0") returned 2 [0084.505] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="46") returned 2 [0084.505] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="89") returned 2 [0084.505] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="08") returned 2 [0084.505] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="90") returned 2 [0084.505] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="A8") returned 2 [0084.505] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="E4") returned 2 [0084.505] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="44") returned 2 [0084.519] lstrcpyW (in: lpString1=0x582b6c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" [0084.519] lstrcpyW (in: lpString1=0x572b6c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" [0084.519] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".EE0E016AFC2D3347ACB4282A1C3B44A6565AF20BE7C703C9A046890890A8E444" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.EE0E016AFC2D3347ACB4282A1C3B44A6565AF20BE7C703C9A046890890A8E444") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.EE0E016AFC2D3347ACB4282A1C3B44A6565AF20BE7C703C9A046890890A8E444" [0084.519] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x572b38, NumberOfConcurrentThreads=0x0) returned 0x94 [0084.519] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x572b38, lpOverlapped=0x572b38) returned 1 [0084.520] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x73c, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0084.520] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0084.520] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\PUSSY.TXT") returned 76 [0084.520] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\PUSSY.TXT" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0085.230] lstrlenA (lpString="abcd") returned 4 [0085.230] WriteFile (in: hFile=0x170, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0085.232] CloseHandle (hObject=0x170) returned 1 [0085.233] GetProcessHeap () returned 0x4c0000 [0085.233] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0085.233] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x435769e0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x43bdc500, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="{90140000-0054-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9EA85~1")) returned 1 [0085.233] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0085.233] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0085.234] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0085.234] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0085.234] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0085.234] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0085.234] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0085.234] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C") returned 66 [0085.234] GetProcessHeap () returned 0x4c0000 [0085.234] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0085.234] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C" [0085.234] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="\\*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*" [0085.234] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x435769e0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x43bdc500, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e1d00 [0085.234] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.234] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.235] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.235] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.235] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.235] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0085.235] FindNextFileW (in: hFindFile=0x4e1d00, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x435769e0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x43bdc500, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0085.235] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.235] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.235] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.235] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.235] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.235] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0085.235] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0085.235] FindNextFileW (in: hFindFile=0x4e1d00, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5f356eb0, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x5f356eb0, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x1861, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0085.235] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0085.235] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0085.235] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0085.235] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0085.235] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0085.235] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0085.236] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0085.236] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0085.236] lstrcmpW (lpString1="Setup.xml", lpString2="PUSSY.TXT") returned 1 [0085.236] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0085.236] lstrlenW (lpString=".xml") returned 4 [0085.236] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0085.236] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0085.237] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=6241) returned 1 [0085.237] GetProcessHeap () returned 0x4c0000 [0085.237] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b00048 [0085.251] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="2E") returned 2 [0085.251] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="1F") returned 2 [0085.251] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="53") returned 2 [0085.251] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="64") returned 2 [0085.251] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="26") returned 2 [0085.251] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="53") returned 2 [0085.251] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="56") returned 2 [0085.251] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="88") returned 2 [0085.251] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="E5") returned 2 [0085.251] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="57") returned 2 [0085.251] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="D5") returned 2 [0085.251] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="99") returned 2 [0085.251] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="A1") returned 2 [0085.252] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="24") returned 2 [0085.252] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="44") returned 2 [0085.252] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="32") returned 2 [0085.252] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="68") returned 2 [0085.252] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="67") returned 2 [0085.252] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="52") returned 2 [0085.252] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="00") returned 2 [0085.252] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="8E") returned 2 [0085.252] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="E1") returned 2 [0085.252] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="C4") returned 2 [0085.252] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="8C") returned 2 [0085.252] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="79") returned 2 [0085.252] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="A9") returned 2 [0085.252] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="07") returned 2 [0085.252] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="E3") returned 2 [0085.252] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="B4") returned 2 [0085.252] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="0C") returned 2 [0085.252] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="5E") returned 2 [0085.253] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="6C") returned 2 [0085.266] lstrcpyW (in: lpString1=0x3b1007c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" [0085.266] lstrcpyW (in: lpString1=0x3b0007c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" [0085.266] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".2E1F536426535688E557D599A1244432686752008EE1C48C79A907E3B40C5E6C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.2E1F536426535688E557D599A1244432686752008EE1C48C79A907E3B40C5E6C") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.2E1F536426535688E557D599A1244432686752008EE1C48C79A907E3B40C5E6C" [0085.266] CreateIoCompletionPort (FileHandle=0x17c, ExistingCompletionPort=0x94, CompletionKey=0x3b00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0085.267] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b00048, lpOverlapped=0x3b00048) returned 1 [0085.267] FindNextFileW (in: hFindFile=0x4e1d00, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7fb9f9e0, ftCreationTime.dwHighDateTime=0x1cbe575, ftLastAccessTime.dwLowDateTime=0x7fb9f9e0, ftLastAccessTime.dwHighDateTime=0x1cbe575, ftLastWriteTime.dwLowDateTime=0x437179c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x30780dd, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="VisioLR.cab", cAlternateFileName="")) returned 1 [0085.267] lstrcmpiW (lpString1="VisioLR.cab", lpString2="Windows") returned -1 [0085.267] lstrcmpiW (lpString1="VisioLR.cab", lpString2="Program Files") returned 1 [0085.267] lstrcmpiW (lpString1="VisioLR.cab", lpString2="Program Files (x86)") returned 1 [0085.267] lstrcmpiW (lpString1="VisioLR.cab", lpString2="$Recycle.bin") returned 1 [0085.267] lstrcmpiW (lpString1="VisioLR.cab", lpString2="System Volume Information") returned 1 [0085.267] lstrcmpiW (lpString1="VisioLR.cab", lpString2=".") returned 1 [0085.267] lstrcmpiW (lpString1="VisioLR.cab", lpString2="..") returned 1 [0085.267] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 78 [0085.267] lstrcmpW (lpString1="VisioLR.cab", lpString2="PUSSY.TXT") returned 1 [0085.267] PathFindExtensionW (pszPath="VisioLR.cab") returned=".cab" [0085.267] lstrlenW (lpString=".cab") returned 4 [0085.267] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0085.267] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x174 [0085.268] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=50823389) returned 1 [0085.268] GetProcessHeap () returned 0x4c0000 [0085.268] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0085.413] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="41") returned 2 [0085.413] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="B9") returned 2 [0085.564] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="03") returned 2 [0085.564] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="B5") returned 2 [0085.564] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="05") returned 2 [0085.565] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="E2") returned 2 [0085.565] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="62") returned 2 [0085.565] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="C8") returned 2 [0085.565] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="C1") returned 2 [0085.565] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="4F") returned 2 [0085.565] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="AF") returned 2 [0085.565] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="29") returned 2 [0085.565] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="2A") returned 2 [0085.565] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="5A") returned 2 [0085.565] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="51") returned 2 [0085.565] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="4C") returned 2 [0085.565] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="F1") returned 2 [0085.565] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="A2") returned 2 [0085.565] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="07") returned 2 [0085.565] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="C5") returned 2 [0085.565] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="A9") returned 2 [0085.565] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="F9") returned 2 [0085.565] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="9A") returned 2 [0085.566] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="50") returned 2 [0085.566] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="2B") returned 2 [0085.566] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="8E") returned 2 [0085.566] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="D4") returned 2 [0085.566] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="D3") returned 2 [0085.566] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="57") returned 2 [0085.566] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="F6") returned 2 [0085.566] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="B3") returned 2 [0085.566] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="60") returned 2 [0085.581] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" [0085.582] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" [0085.582] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpString2=".41B903B505E262C8C14FAF292A5A514CF1A207C5A9F99A502B8ED4D357F6B360" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.41B903B505E262C8C14FAF292A5A514CF1A207C5A9F99A502B8ED4D357F6B360") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.41B903B505E262C8C14FAF292A5A514CF1A207C5A9F99A502B8ED4D357F6B360" [0085.582] CreateIoCompletionPort (FileHandle=0x174, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0085.582] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0085.582] FindNextFileW (in: hFindFile=0x4e1d00, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x272b1e70, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x272b1e70, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x435c1d00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x2ab000, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="VisioMUI.msi", cAlternateFileName="")) returned 1 [0085.582] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="Windows") returned -1 [0085.582] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="Program Files") returned 1 [0085.582] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="Program Files (x86)") returned 1 [0085.582] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="$Recycle.bin") returned 1 [0085.583] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="System Volume Information") returned 1 [0085.583] lstrcmpiW (lpString1="VisioMUI.msi", lpString2=".") returned 1 [0085.583] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="..") returned 1 [0085.583] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 79 [0085.583] lstrcmpW (lpString1="VisioMUI.msi", lpString2="PUSSY.TXT") returned 1 [0085.583] PathFindExtensionW (pszPath="VisioMUI.msi") returned=".msi" [0085.583] lstrlenW (lpString=".msi") returned 4 [0085.583] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0085.583] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x198 [0085.591] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=2797568) returned 1 [0085.591] GetProcessHeap () returned 0x4c0000 [0085.592] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c28098 [0085.607] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="E9") returned 2 [0085.607] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="47") returned 2 [0085.607] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="1E") returned 2 [0085.607] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="2C") returned 2 [0085.607] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="85") returned 2 [0085.607] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="5F") returned 2 [0085.607] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="12") returned 2 [0085.607] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="06") returned 2 [0085.607] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="14") returned 2 [0085.607] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="F2") returned 2 [0085.607] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="EA") returned 2 [0085.607] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="16") returned 2 [0085.607] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="8B") returned 2 [0085.607] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="7A") returned 2 [0085.607] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="DF") returned 2 [0085.607] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="98") returned 2 [0085.607] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="77") returned 2 [0085.607] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="ED") returned 2 [0085.607] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="E0") returned 2 [0085.607] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="79") returned 2 [0085.607] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="AC") returned 2 [0085.607] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="70") returned 2 [0085.607] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="1F") returned 2 [0085.608] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="B4") returned 2 [0085.608] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="3B") returned 2 [0085.608] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="3C") returned 2 [0085.608] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="75") returned 2 [0085.608] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="37") returned 2 [0085.608] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="7E") returned 2 [0085.608] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="2D") returned 2 [0085.608] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="A3") returned 2 [0085.608] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="6A") returned 2 [0085.802] lstrcpyW (in: lpString1=0x3c380cc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" [0085.802] lstrcpyW (in: lpString1=0x3c280cc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" [0085.802] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi", lpString2=".E9471E2C855F120614F2EA168B7ADF9877EDE079AC701FB43B3C75377E2DA36A" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.E9471E2C855F120614F2EA168B7ADF9877EDE079AC701FB43B3C75377E2DA36A") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.E9471E2C855F120614F2EA168B7ADF9877EDE079AC701FB43B3C75377E2DA36A" [0085.802] CreateIoCompletionPort (FileHandle=0x198, ExistingCompletionPort=0x94, CompletionKey=0x3c28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0085.802] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c28098, lpOverlapped=0x3c28098) returned 1 [0085.802] FindNextFileW (in: hFindFile=0x4e1d00, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5f0a8e20, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x5f0a8e20, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x4359ac00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x251f, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="VisioMUI.xml", cAlternateFileName="")) returned 1 [0085.802] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="Windows") returned -1 [0085.802] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="Program Files") returned 1 [0085.802] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="Program Files (x86)") returned 1 [0085.802] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="$Recycle.bin") returned 1 [0085.802] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="System Volume Information") returned 1 [0085.802] lstrcmpiW (lpString1="VisioMUI.xml", lpString2=".") returned 1 [0085.802] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="..") returned 1 [0085.802] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 79 [0085.802] lstrcmpW (lpString1="VisioMUI.xml", lpString2="PUSSY.TXT") returned 1 [0085.803] PathFindExtensionW (pszPath="VisioMUI.xml") returned=".xml" [0085.803] lstrlenW (lpString=".xml") returned 4 [0085.803] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0085.803] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0085.803] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=9503) returned 1 [0085.803] GetProcessHeap () returned 0x4c0000 [0085.803] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x54aae8 [0085.819] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="5E") returned 2 [0085.819] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="11") returned 2 [0085.819] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="BE") returned 2 [0085.819] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="09") returned 2 [0085.819] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="E1") returned 2 [0085.819] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="3D") returned 2 [0085.819] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="93") returned 2 [0085.819] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="95") returned 2 [0085.819] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="AE") returned 2 [0085.819] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="A8") returned 2 [0085.819] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="E2") returned 2 [0085.819] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="3D") returned 2 [0085.819] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="AF") returned 2 [0085.819] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="A5") returned 2 [0085.819] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="65") returned 2 [0085.819] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="E0") returned 2 [0085.819] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="E3") returned 2 [0085.819] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="FE") returned 2 [0085.819] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="9B") returned 2 [0085.819] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="D9") returned 2 [0085.820] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="5F") returned 2 [0085.820] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="AE") returned 2 [0085.820] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="CD") returned 2 [0085.820] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="EC") returned 2 [0085.820] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="04") returned 2 [0085.820] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="7B") returned 2 [0085.820] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="69") returned 2 [0085.820] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="4B") returned 2 [0085.820] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="39") returned 2 [0085.820] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="17") returned 2 [0085.820] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="61") returned 2 [0085.820] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="3A") returned 2 [0085.828] lstrcpyW (in: lpString1=0x55ab1c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" [0085.828] lstrcpyW (in: lpString1=0x54ab1c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" [0085.828] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpString2=".5E11BE09E13D9395AEA8E23DAFA565E0E3FE9BD95FAECDEC047B694B3917613A" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.5E11BE09E13D9395AEA8E23DAFA565E0E3FE9BD95FAECDEC047B694B3917613A") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.5E11BE09E13D9395AEA8E23DAFA565E0E3FE9BD95FAECDEC047B694B3917613A" [0085.828] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x54aae8, NumberOfConcurrentThreads=0x0) returned 0x94 [0085.829] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x54aae8, lpOverlapped=0x54aae8) returned 1 [0085.829] FindNextFileW (in: hFindFile=0x4e1d00, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5f0a8e20, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x5f0a8e20, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x4359ac00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x251f, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="VisioMUI.xml", cAlternateFileName="")) returned 0 [0085.829] FindClose (in: hFindFile=0x4e1d00 | out: hFindFile=0x4e1d00) returned 1 [0085.829] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\PUSSY.TXT") returned 76 [0085.829] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\PUSSY.TXT" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0085.842] lstrlenA (lpString="abcd") returned 4 [0085.842] WriteFile (in: hFile=0x170, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0085.843] CloseHandle (hObject=0x170) returned 1 [0085.843] GetProcessHeap () returned 0x4c0000 [0085.843] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0085.844] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf58ee8d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf6e0ec10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf6e0ec10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="{90140000-00A1-0409-1000-0000000FF1CE}-C", cAlternateFileName="{92572~1")) returned 1 [0085.844] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0085.844] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0085.844] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0085.844] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0085.844] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0085.844] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0085.844] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0085.844] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C") returned 66 [0085.845] GetProcessHeap () returned 0x4c0000 [0085.845] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0085.845] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C" [0085.845] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="\\*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*" [0085.845] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf58ee8d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf6e0ec10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf6e0ec10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0085.851] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.852] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.852] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.852] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.852] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.852] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0085.852] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf58ee8d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf6e0ec10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf6e0ec10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0085.852] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.852] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.852] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.852] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.852] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.852] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0085.852] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0085.852] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf5914a30, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x263400, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="OneNoteMUI.msi", cAlternateFileName="ONENOT~1.MSI")) returned 1 [0085.852] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="Windows") returned -1 [0085.852] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="Program Files") returned -1 [0085.852] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="Program Files (x86)") returned -1 [0085.852] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="$Recycle.bin") returned 1 [0085.852] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="System Volume Information") returned -1 [0085.852] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2=".") returned 1 [0085.852] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="..") returned 1 [0085.852] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 81 [0085.853] lstrcmpW (lpString1="OneNoteMUI.msi", lpString2="PUSSY.TXT") returned -1 [0085.853] PathFindExtensionW (pszPath="OneNoteMUI.msi") returned=".msi" [0085.853] lstrlenW (lpString=".msi") returned 4 [0085.853] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0085.853] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x188 [0085.853] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=2503680) returned 1 [0085.853] GetProcessHeap () returned 0x4c0000 [0085.853] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c500e8 [0085.864] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="76") returned 2 [0085.864] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="D6") returned 2 [0085.864] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="A8") returned 2 [0085.865] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="7C") returned 2 [0085.865] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="8E") returned 2 [0085.865] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="EA") returned 2 [0085.865] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="DF") returned 2 [0085.865] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="D9") returned 2 [0085.865] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="79") returned 2 [0085.865] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="9A") returned 2 [0085.865] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="02") returned 2 [0085.865] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="73") returned 2 [0085.865] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="02") returned 2 [0085.865] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="43") returned 2 [0085.865] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="F1") returned 2 [0085.865] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="D7") returned 2 [0085.865] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="96") returned 2 [0085.865] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="42") returned 2 [0085.865] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="7A") returned 2 [0085.865] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="91") returned 2 [0085.865] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="33") returned 2 [0085.865] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="40") returned 2 [0085.865] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="1E") returned 2 [0085.865] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="EE") returned 2 [0085.865] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="10") returned 2 [0085.865] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="01") returned 2 [0085.865] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="B9") returned 2 [0085.865] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="DC") returned 2 [0085.865] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="89") returned 2 [0085.865] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="33") returned 2 [0085.865] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="DA") returned 2 [0085.866] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="31") returned 2 [0085.874] lstrcpyW (in: lpString1=0x3c6011c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" [0085.874] lstrcpyW (in: lpString1=0x3c5011c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" [0085.874] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi", lpString2=".76D6A87C8EEADFD9799A02730243F1D796427A9133401EEE1001B9DC8933DA31" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.76D6A87C8EEADFD9799A02730243F1D796427A9133401EEE1001B9DC8933DA31") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.76D6A87C8EEADFD9799A02730243F1D796427A9133401EEE1001B9DC8933DA31" [0085.874] CreateIoCompletionPort (FileHandle=0x188, ExistingCompletionPort=0x94, CompletionKey=0x3c500e8, NumberOfConcurrentThreads=0x0) returned 0x94 [0085.874] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c500e8, lpOverlapped=0x3c500e8) returned 1 [0085.875] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf58ed930, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x646, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="OneNoteMUI.xml", cAlternateFileName="ONENOT~1.XML")) returned 1 [0085.875] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="Windows") returned -1 [0085.875] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="Program Files") returned -1 [0085.875] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="Program Files (x86)") returned -1 [0085.875] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="$Recycle.bin") returned 1 [0085.875] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="System Volume Information") returned -1 [0085.875] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2=".") returned 1 [0085.875] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="..") returned 1 [0085.875] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 81 [0085.875] lstrcmpW (lpString1="OneNoteMUI.xml", lpString2="PUSSY.TXT") returned -1 [0085.875] PathFindExtensionW (pszPath="OneNoteMUI.xml") returned=".xml" [0085.875] lstrlenW (lpString=".xml") returned 4 [0085.875] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0085.875] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x190 [0085.875] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=1606) returned 1 [0085.876] GetProcessHeap () returned 0x4c0000 [0085.876] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc81d8 [0085.885] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="E9") returned 2 [0085.885] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="61") returned 2 [0085.885] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="90") returned 2 [0085.885] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="8D") returned 2 [0085.885] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="DB") returned 2 [0085.885] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="4C") returned 2 [0085.885] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="C7") returned 2 [0085.885] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="97") returned 2 [0085.885] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="56") returned 2 [0085.885] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="36") returned 2 [0085.885] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="7E") returned 2 [0085.885] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="71") returned 2 [0085.885] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="5D") returned 2 [0085.886] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="6E") returned 2 [0085.886] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="A9") returned 2 [0085.886] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="A6") returned 2 [0085.886] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="AE") returned 2 [0085.886] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="ED") returned 2 [0085.886] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="C1") returned 2 [0085.886] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="EF") returned 2 [0085.886] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="23") returned 2 [0085.886] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="25") returned 2 [0085.886] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="84") returned 2 [0085.886] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="59") returned 2 [0085.886] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="39") returned 2 [0085.886] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="FB") returned 2 [0085.886] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="18") returned 2 [0085.886] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="98") returned 2 [0085.886] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="08") returned 2 [0085.886] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="C2") returned 2 [0085.886] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="4D") returned 2 [0085.886] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="5C") returned 2 [0085.894] lstrcpyW (in: lpString1=0x3bd820c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" [0085.894] lstrcpyW (in: lpString1=0x3bc820c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" [0085.894] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpString2=".E961908DDB4CC79756367E715D6EA9A6AEEDC1EF2325845939FB189808C24D5C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.E961908DDB4CC79756367E715D6EA9A6AEEDC1EF2325845939FB189808C24D5C") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.E961908DDB4CC79756367E715D6EA9A6AEEDC1EF2325845939FB189808C24D5C" [0085.895] CreateIoCompletionPort (FileHandle=0x190, ExistingCompletionPort=0x94, CompletionKey=0x3bc81d8, NumberOfConcurrentThreads=0x0) returned 0x94 [0085.895] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc81d8, lpOverlapped=0x3bc81d8) returned 1 [0085.895] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x36db9d00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x36db9d00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf5e95540, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x10a5df8, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="OnoteLR.cab", cAlternateFileName="")) returned 1 [0085.895] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="Windows") returned -1 [0085.895] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="Program Files") returned -1 [0085.895] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="Program Files (x86)") returned -1 [0085.895] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="$Recycle.bin") returned 1 [0085.895] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="System Volume Information") returned -1 [0085.895] lstrcmpiW (lpString1="OnoteLR.cab", lpString2=".") returned 1 [0085.895] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="..") returned 1 [0085.895] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 78 [0085.895] lstrcmpW (lpString1="OnoteLR.cab", lpString2="PUSSY.TXT") returned -1 [0085.895] PathFindExtensionW (pszPath="OnoteLR.cab") returned=".cab" [0085.895] lstrlenW (lpString=".cab") returned 4 [0085.895] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0085.895] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0085.897] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=17456632) returned 1 [0085.897] GetProcessHeap () returned 0x4c0000 [0085.897] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b28098 [0085.907] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="34") returned 2 [0085.907] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="23") returned 2 [0085.908] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="35") returned 2 [0085.908] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="2A") returned 2 [0085.908] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="36") returned 2 [0085.908] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="8E") returned 2 [0085.908] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="22") returned 2 [0085.908] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="17") returned 2 [0085.908] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="96") returned 2 [0085.908] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="D1") returned 2 [0085.908] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="FB") returned 2 [0085.908] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="C7") returned 2 [0085.908] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="AE") returned 2 [0085.908] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="C2") returned 2 [0085.908] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="C2") returned 2 [0085.908] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="2E") returned 2 [0085.908] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="10") returned 2 [0085.908] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="DF") returned 2 [0085.908] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="66") returned 2 [0085.908] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="77") returned 2 [0085.908] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="20") returned 2 [0085.908] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="7D") returned 2 [0085.908] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="EE") returned 2 [0085.908] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="E4") returned 2 [0085.908] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="A4") returned 2 [0085.908] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="C1") returned 2 [0085.909] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="47") returned 2 [0085.909] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="00") returned 2 [0085.909] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="1B") returned 2 [0085.909] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="F5") returned 2 [0085.909] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="A4") returned 2 [0085.909] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="78") returned 2 [0085.917] lstrcpyW (in: lpString1=0x3b380cc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" [0085.917] lstrcpyW (in: lpString1=0x3b280cc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" [0085.917] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpString2=".3423352A368E221796D1FBC7AEC2C22E10DF6677207DEEE4A4C147001BF5A478" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.3423352A368E221796D1FBC7AEC2C22E10DF6677207DEEE4A4C147001BF5A478") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.3423352A368E221796D1FBC7AEC2C22E10DF6677207DEEE4A4C147001BF5A478" [0085.917] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0x94, CompletionKey=0x3b28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0085.917] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b28098, lpOverlapped=0x3b28098) returned 1 [0085.917] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf6e0d4a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x7c4, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0085.917] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0085.917] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0085.918] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0085.918] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0085.918] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0085.918] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0085.918] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0085.918] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0085.918] lstrcmpW (lpString1="Setup.xml", lpString2="PUSSY.TXT") returned 1 [0085.918] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0085.918] lstrlenW (lpString=".xml") returned 4 [0085.918] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0085.918] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a4 [0085.918] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=1988) returned 1 [0085.918] GetProcessHeap () returned 0x4c0000 [0085.918] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b500e8 [0096.549] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="9F") returned 2 [0096.549] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="63") returned 2 [0096.549] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="E7") returned 2 [0096.549] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="31") returned 2 [0096.549] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="AC") returned 2 [0096.549] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="4B") returned 2 [0096.549] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="D0") returned 2 [0096.549] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="D8") returned 2 [0096.549] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="79") returned 2 [0096.549] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="19") returned 2 [0096.549] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="7A") returned 2 [0096.549] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="0E") returned 2 [0096.549] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="9C") returned 2 [0096.549] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="6C") returned 2 [0096.549] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="2B") returned 2 [0096.549] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="9D") returned 2 [0096.549] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="61") returned 2 [0096.549] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="5B") returned 2 [0096.549] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="90") returned 2 [0096.549] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="30") returned 2 [0096.549] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="B4") returned 2 [0096.549] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="04") returned 2 [0096.549] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="4B") returned 2 [0096.549] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="6B") returned 2 [0096.549] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="26") returned 2 [0096.549] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="F2") returned 2 [0096.550] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="8E") returned 2 [0096.550] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="CE") returned 2 [0096.550] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="06") returned 2 [0096.550] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="99") returned 2 [0096.550] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="7D") returned 2 [0096.550] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="4D") returned 2 [0096.581] lstrcpyW (in: lpString1=0x3b6011c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" [0096.581] lstrcpyW (in: lpString1=0x3b5011c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" [0096.581] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".9F63E731AC4BD0D879197A0E9C6C2B9D615B9030B4044B6B26F28ECE06997D4D" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.9F63E731AC4BD0D879197A0E9C6C2B9D615B9030B4044B6B26F28ECE06997D4D") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.9F63E731AC4BD0D879197A0E9C6C2B9D615B9030B4044B6B26F28ECE06997D4D" [0096.581] CreateIoCompletionPort (FileHandle=0x1a4, ExistingCompletionPort=0x94, CompletionKey=0x3b500e8, NumberOfConcurrentThreads=0x0) returned 0x94 [0096.581] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b500e8, lpOverlapped=0x3b500e8) returned 1 [0096.582] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf6e0d4a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x7c4, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0096.586] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0096.596] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\PUSSY.TXT") returned 76 [0096.596] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\PUSSY.TXT" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0096.597] lstrlenA (lpString="abcd") returned 4 [0096.597] WriteFile (in: hFile=0x1a4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0096.598] CloseHandle (hObject=0x1a4) returned 1 [0096.601] GetProcessHeap () returned 0x4c0000 [0096.601] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0096.601] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5b30b20, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa5bc90a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5bc90a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="{90140000-00B4-0409-1000-0000000FF1CE}-C", cAlternateFileName="{912E0~1")) returned 1 [0096.601] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0096.602] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0096.602] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0096.602] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0096.602] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0096.602] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0096.602] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0096.602] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C") returned 66 [0096.602] GetProcessHeap () returned 0x4c0000 [0096.602] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0096.602] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C" [0096.602] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="\\*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*" [0096.602] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5b30b20, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa5bc90a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5bc90a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0096.608] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0096.608] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0096.608] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0096.608] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0096.608] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0096.608] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.608] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5b30b20, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa5bc90a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5bc90a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0096.608] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0096.608] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0096.608] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0096.608] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0096.608] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0096.608] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.608] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.609] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x308ae9f0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x308ae9f0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5b55ce0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x265400, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="ProjectMUI.msi", cAlternateFileName="PROJEC~1.MSI")) returned 1 [0096.609] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="Windows") returned -1 [0096.609] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="Program Files") returned 1 [0096.609] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="Program Files (x86)") returned 1 [0096.609] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="$Recycle.bin") returned 1 [0096.609] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="System Volume Information") returned -1 [0096.609] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2=".") returned 1 [0096.609] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="..") returned 1 [0096.609] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 81 [0096.609] lstrcmpW (lpString1="ProjectMUI.msi", lpString2="PUSSY.TXT") returned -1 [0096.609] PathFindExtensionW (pszPath="ProjectMUI.msi") returned=".msi" [0096.609] lstrlenW (lpString=".msi") returned 4 [0096.609] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0096.609] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x170 [0096.610] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=2511872) returned 1 [0096.611] GetProcessHeap () returned 0x4c0000 [0096.611] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0096.620] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="96") returned 2 [0096.620] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="92") returned 2 [0096.620] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="71") returned 2 [0096.620] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="CF") returned 2 [0096.621] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="AD") returned 2 [0096.621] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="9B") returned 2 [0096.621] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="29") returned 2 [0096.621] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="39") returned 2 [0096.621] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="0B") returned 2 [0096.621] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="8F") returned 2 [0096.621] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="6F") returned 2 [0096.621] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="C6") returned 2 [0096.621] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="4F") returned 2 [0096.621] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="9F") returned 2 [0096.621] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="38") returned 2 [0096.621] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="AB") returned 2 [0096.621] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="4C") returned 2 [0096.621] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="2B") returned 2 [0096.621] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="A3") returned 2 [0096.621] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="BC") returned 2 [0096.621] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="47") returned 2 [0096.621] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="44") returned 2 [0096.621] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="E8") returned 2 [0096.621] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="26") returned 2 [0096.621] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="14") returned 2 [0096.621] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="59") returned 2 [0096.621] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="68") returned 2 [0096.621] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="4A") returned 2 [0096.621] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="6F") returned 2 [0096.621] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="21") returned 2 [0096.621] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="85") returned 2 [0096.621] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="05") returned 2 [0096.631] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" [0096.631] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" [0096.631] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi", lpString2=".969271CFAD9B29390B8F6FC64F9F38AB4C2BA3BC4744E8261459684A6F218505" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.969271CFAD9B29390B8F6FC64F9F38AB4C2BA3BC4744E8261459684A6F218505") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.969271CFAD9B29390B8F6FC64F9F38AB4C2BA3BC4744E8261459684A6F218505" [0096.631] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0096.631] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0096.631] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30a2b7b0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x30a2b7b0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5b2ebe0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x5ac, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="ProjectMUI.xml", cAlternateFileName="PROJEC~1.XML")) returned 1 [0096.631] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="Windows") returned -1 [0096.631] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="Program Files") returned 1 [0096.631] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="Program Files (x86)") returned 1 [0096.631] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="$Recycle.bin") returned 1 [0096.631] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="System Volume Information") returned -1 [0096.631] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2=".") returned 1 [0096.631] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="..") returned 1 [0096.631] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 81 [0096.632] lstrcmpW (lpString1="ProjectMUI.xml", lpString2="PUSSY.TXT") returned -1 [0096.632] PathFindExtensionW (pszPath="ProjectMUI.xml") returned=".xml" [0096.632] lstrlenW (lpString=".xml") returned 4 [0096.632] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0096.632] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0096.633] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=1452) returned 1 [0096.633] GetProcessHeap () returned 0x4c0000 [0096.633] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c500e8 [0096.642] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="19") returned 2 [0096.642] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="2C") returned 2 [0096.642] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="0E") returned 2 [0096.642] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="4D") returned 2 [0096.642] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="3F") returned 2 [0096.643] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="D8") returned 2 [0096.643] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="C1") returned 2 [0096.643] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="55") returned 2 [0096.643] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="C7") returned 2 [0096.643] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="62") returned 2 [0096.643] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="BE") returned 2 [0096.643] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="56") returned 2 [0096.643] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="E5") returned 2 [0096.643] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="E3") returned 2 [0096.643] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="8E") returned 2 [0096.643] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="52") returned 2 [0096.643] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="CC") returned 2 [0096.643] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="CB") returned 2 [0096.643] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="42") returned 2 [0096.643] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="64") returned 2 [0096.643] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="B2") returned 2 [0096.643] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="57") returned 2 [0096.643] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="16") returned 2 [0096.643] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="FC") returned 2 [0096.643] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="B1") returned 2 [0096.643] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="59") returned 2 [0096.643] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="55") returned 2 [0096.643] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="BF") returned 2 [0096.643] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="57") returned 2 [0096.643] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="2A") returned 2 [0096.643] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="E4") returned 2 [0096.643] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="2C") returned 2 [0096.652] lstrcpyW (in: lpString1=0x3c6011c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" [0096.652] lstrcpyW (in: lpString1=0x3c5011c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" [0096.652] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpString2=".192C0E4D3FD8C155C762BE56E5E38E52CCCB4264B25716FCB15955BF572AE42C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.192C0E4D3FD8C155C762BE56E5E38E52CCCB4264B25716FCB15955BF572AE42C") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.192C0E4D3FD8C155C762BE56E5E38E52CCCB4264B25716FCB15955BF572AE42C" [0096.652] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0x94, CompletionKey=0x3c500e8, NumberOfConcurrentThreads=0x0) returned 0x94 [0096.652] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c500e8, lpOverlapped=0x3c500e8) returned 1 [0096.652] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30306de0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x30306de0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5b7cde0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x7e1dcd, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="ProjLR.cab", cAlternateFileName="")) returned 1 [0096.652] lstrcmpiW (lpString1="ProjLR.cab", lpString2="Windows") returned -1 [0096.652] lstrcmpiW (lpString1="ProjLR.cab", lpString2="Program Files") returned 1 [0096.652] lstrcmpiW (lpString1="ProjLR.cab", lpString2="Program Files (x86)") returned 1 [0096.653] lstrcmpiW (lpString1="ProjLR.cab", lpString2="$Recycle.bin") returned 1 [0096.653] lstrcmpiW (lpString1="ProjLR.cab", lpString2="System Volume Information") returned -1 [0096.653] lstrcmpiW (lpString1="ProjLR.cab", lpString2=".") returned 1 [0096.653] lstrcmpiW (lpString1="ProjLR.cab", lpString2="..") returned 1 [0096.653] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 77 [0096.653] lstrcmpW (lpString1="ProjLR.cab", lpString2="PUSSY.TXT") returned -1 [0096.653] PathFindExtensionW (pszPath="ProjLR.cab") returned=".cab" [0096.653] lstrlenW (lpString=".cab") returned 4 [0096.653] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0096.653] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x174 [0096.659] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=8265165) returned 1 [0096.659] GetProcessHeap () returned 0x4c0000 [0096.659] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3ca0188 [0096.668] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="B3") returned 2 [0096.668] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="1C") returned 2 [0096.668] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="92") returned 2 [0096.669] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="5F") returned 2 [0096.669] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="E4") returned 2 [0096.669] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="D2") returned 2 [0096.669] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="FD") returned 2 [0096.669] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="5D") returned 2 [0096.669] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="D0") returned 2 [0096.669] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="2D") returned 2 [0096.669] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="93") returned 2 [0096.669] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="11") returned 2 [0096.669] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="08") returned 2 [0096.669] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="CB") returned 2 [0096.669] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="9F") returned 2 [0096.669] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="25") returned 2 [0096.669] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="6F") returned 2 [0096.669] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="17") returned 2 [0096.669] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="0F") returned 2 [0096.669] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="80") returned 2 [0096.669] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="3B") returned 2 [0096.669] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="66") returned 2 [0096.669] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="4A") returned 2 [0096.669] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="E5") returned 2 [0096.669] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="5B") returned 2 [0096.669] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="C5") returned 2 [0096.669] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="5F") returned 2 [0096.669] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="9A") returned 2 [0096.669] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="57") returned 2 [0096.669] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="AE") returned 2 [0096.670] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="D5") returned 2 [0096.670] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="3C") returned 2 [0096.681] lstrcpyW (in: lpString1=0x3cb01bc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" [0096.681] lstrcpyW (in: lpString1=0x3ca01bc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" [0096.681] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpString2=".B31C925FE4D2FD5DD02D931108CB9F256F170F803B664AE55BC55F9A57AED53C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.B31C925FE4D2FD5DD02D931108CB9F256F170F803B664AE55BC55F9A57AED53C") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.B31C925FE4D2FD5DD02D931108CB9F256F170F803B664AE55BC55F9A57AED53C" [0096.681] CreateIoCompletionPort (FileHandle=0x174, ExistingCompletionPort=0x94, CompletionKey=0x3ca0188, NumberOfConcurrentThreads=0x0) returned 0x94 [0096.681] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3ca0188, lpOverlapped=0x3ca0188) returned 1 [0096.720] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x309dfcc0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x309dfcc0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5bc88d0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x750, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0096.720] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0096.720] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0096.720] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0096.720] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0096.720] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0096.720] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0096.720] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0096.720] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0096.721] lstrcmpW (lpString1="Setup.xml", lpString2="PUSSY.TXT") returned 1 [0096.721] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0096.721] lstrlenW (lpString=".xml") returned 4 [0096.721] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0096.721] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0096.722] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=1872) returned 1 [0096.722] GetProcessHeap () returned 0x4c0000 [0096.722] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c500e8 [0096.734] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="00") returned 2 [0096.734] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="C5") returned 2 [0096.734] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="BF") returned 2 [0096.734] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="4F") returned 2 [0096.734] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="67") returned 2 [0096.734] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="F1") returned 2 [0096.734] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="5E") returned 2 [0096.734] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="C2") returned 2 [0096.734] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="E0") returned 2 [0096.734] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="04") returned 2 [0096.734] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="9C") returned 2 [0096.734] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="47") returned 2 [0096.734] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="BA") returned 2 [0096.734] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="03") returned 2 [0096.734] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="16") returned 2 [0096.734] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="FA") returned 2 [0096.734] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="65") returned 2 [0096.734] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="F0") returned 2 [0096.734] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="9E") returned 2 [0096.734] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="E9") returned 2 [0096.734] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="A9") returned 2 [0096.735] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="C5") returned 2 [0096.735] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="65") returned 2 [0096.735] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="6D") returned 2 [0096.735] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="F2") returned 2 [0096.735] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="FF") returned 2 [0096.735] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="ED") returned 2 [0096.735] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="81") returned 2 [0096.735] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="82") returned 2 [0096.735] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="10") returned 2 [0096.735] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="D3") returned 2 [0096.735] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="69") returned 2 [0096.744] lstrcpyW (in: lpString1=0x3c6011c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" [0096.744] lstrcpyW (in: lpString1=0x3c5011c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" [0096.744] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".00C5BF4F67F15EC2E0049C47BA0316FA65F09EE9A9C5656DF2FFED818210D369" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.00C5BF4F67F15EC2E0049C47BA0316FA65F09EE9A9C5656DF2FFED818210D369") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.00C5BF4F67F15EC2E0049C47BA0316FA65F09EE9A9C5656DF2FFED818210D369" [0096.744] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0x94, CompletionKey=0x3c500e8, NumberOfConcurrentThreads=0x0) returned 0x94 [0096.744] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c500e8, lpOverlapped=0x3c500e8) returned 1 [0096.752] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x309dfcc0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x309dfcc0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5bc88d0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x750, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0096.752] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0096.752] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\PUSSY.TXT") returned 76 [0096.752] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\PUSSY.TXT" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0096.752] lstrlenA (lpString="abcd") returned 4 [0096.752] WriteFile (in: hFile=0x1a4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0096.753] CloseHandle (hObject=0x1a4) returned 1 [0096.754] GetProcessHeap () returned 0x4c0000 [0096.754] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0096.754] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee803530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="{90140000-00BA-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~4")) returned 1 [0096.754] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0096.754] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0096.754] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0096.754] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0096.754] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0096.754] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0096.754] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0096.754] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C") returned 66 [0096.754] GetProcessHeap () returned 0x4c0000 [0096.754] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0096.754] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C" [0096.754] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="\\*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*" [0096.754] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee803530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0096.771] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0096.771] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0096.771] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0096.771] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0096.771] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0096.772] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.772] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee803530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0096.772] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0096.772] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0096.772] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0096.772] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0096.772] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0096.772] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.772] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.772] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee4bb7b0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x3e7e1f, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="GrooveLR.cab", cAlternateFileName="")) returned 1 [0096.772] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="Windows") returned -1 [0096.772] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="Program Files") returned -1 [0096.772] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="Program Files (x86)") returned -1 [0096.772] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="$Recycle.bin") returned 1 [0096.772] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="System Volume Information") returned -1 [0096.772] lstrcmpiW (lpString1="GrooveLR.cab", lpString2=".") returned 1 [0096.772] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="..") returned 1 [0096.772] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 79 [0096.772] lstrcmpW (lpString1="GrooveLR.cab", lpString2="PUSSY.TXT") returned -1 [0096.772] PathFindExtensionW (pszPath="GrooveLR.cab") returned=".cab" [0096.772] lstrlenW (lpString=".cab") returned 4 [0096.772] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0096.773] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0096.774] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=4095519) returned 1 [0096.774] GetProcessHeap () returned 0x4c0000 [0096.774] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c500e8 [0096.795] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="1F") returned 2 [0096.795] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="F5") returned 2 [0096.795] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="A9") returned 2 [0096.795] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="2E") returned 2 [0096.795] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="CF") returned 2 [0096.795] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="74") returned 2 [0096.795] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="EE") returned 2 [0096.795] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="AF") returned 2 [0096.795] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="CF") returned 2 [0096.795] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="CF") returned 2 [0096.795] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="7D") returned 2 [0096.795] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="5C") returned 2 [0096.795] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="E9") returned 2 [0096.795] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="45") returned 2 [0096.795] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="B4") returned 2 [0096.795] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="09") returned 2 [0096.795] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="DC") returned 2 [0096.795] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="7B") returned 2 [0096.795] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="6B") returned 2 [0096.795] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="0E") returned 2 [0096.796] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="20") returned 2 [0096.796] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="7C") returned 2 [0096.796] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="97") returned 2 [0096.796] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="60") returned 2 [0096.796] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="C4") returned 2 [0096.796] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="D4") returned 2 [0096.796] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="54") returned 2 [0096.796] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="D8") returned 2 [0096.796] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="35") returned 2 [0096.796] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="E9") returned 2 [0096.796] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="51") returned 2 [0096.796] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="3A") returned 2 [0096.805] lstrcpyW (in: lpString1=0x3c6011c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" [0096.805] lstrcpyW (in: lpString1=0x3c5011c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" [0096.805] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab", lpString2=".1FF5A92ECF74EEAFCFCF7D5CE945B409DC7B6B0E207C9760C4D454D835E9513A" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.1FF5A92ECF74EEAFCFCF7D5CE945B409DC7B6B0E207C9760C4D454D835E9513A") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.1FF5A92ECF74EEAFCFCF7D5CE945B409DC7B6B0E207C9760C4D454D835E9513A" [0096.805] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0x94, CompletionKey=0x3c500e8, NumberOfConcurrentThreads=0x0) returned 0x94 [0096.805] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c500e8, lpOverlapped=0x3c500e8) returned 1 [0096.805] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee3b15e0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x264400, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="GrooveMUI.msi", cAlternateFileName="GROOVE~1.MSI")) returned 1 [0096.805] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="Windows") returned -1 [0096.805] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="Program Files") returned -1 [0096.805] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="Program Files (x86)") returned -1 [0096.805] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="$Recycle.bin") returned 1 [0096.805] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="System Volume Information") returned -1 [0096.805] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2=".") returned 1 [0096.805] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="..") returned 1 [0096.805] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 80 [0096.805] lstrcmpW (lpString1="GrooveMUI.msi", lpString2="PUSSY.TXT") returned -1 [0096.805] PathFindExtensionW (pszPath="GrooveMUI.msi") returned=".msi" [0096.805] lstrlenW (lpString=".msi") returned 4 [0096.805] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0096.806] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x174 [0096.806] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=2507776) returned 1 [0096.806] GetProcessHeap () returned 0x4c0000 [0096.806] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3ca0188 [0096.815] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="20") returned 2 [0096.815] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="A1") returned 2 [0096.815] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="1E") returned 2 [0096.815] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="93") returned 2 [0096.815] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="DA") returned 2 [0096.815] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="DF") returned 2 [0096.815] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="C2") returned 2 [0096.816] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="57") returned 2 [0096.816] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="71") returned 2 [0096.816] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="41") returned 2 [0096.816] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="41") returned 2 [0096.816] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="C9") returned 2 [0096.816] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="8F") returned 2 [0096.816] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="DC") returned 2 [0096.816] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="36") returned 2 [0096.816] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="5A") returned 2 [0096.816] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="87") returned 2 [0096.816] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="62") returned 2 [0096.816] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="79") returned 2 [0096.816] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="E6") returned 2 [0096.816] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="A1") returned 2 [0096.816] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="41") returned 2 [0096.816] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="18") returned 2 [0096.816] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="CE") returned 2 [0096.816] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="57") returned 2 [0096.816] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="0F") returned 2 [0096.816] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="51") returned 2 [0096.816] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="AD") returned 2 [0096.816] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="69") returned 2 [0096.816] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="3A") returned 2 [0096.816] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="47") returned 2 [0096.816] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="7C") returned 2 [0096.825] lstrcpyW (in: lpString1=0x3cb01bc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" [0096.825] lstrcpyW (in: lpString1=0x3ca01bc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" [0096.825] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi", lpString2=".20A11E93DADFC257714141C98FDC365A876279E6A14118CE570F51AD693A477C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.20A11E93DADFC257714141C98FDC365A876279E6A14118CE570F51AD693A477C") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.20A11E93DADFC257714141C98FDC365A876279E6A14118CE570F51AD693A477C" [0096.825] CreateIoCompletionPort (FileHandle=0x174, ExistingCompletionPort=0x94, CompletionKey=0x3ca0188, NumberOfConcurrentThreads=0x0) returned 0x94 [0096.825] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3ca0188, lpOverlapped=0x3ca0188) returned 1 [0096.825] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x391, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="GrooveMUI.xml", cAlternateFileName="GROOVE~1.XML")) returned 1 [0096.825] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="Windows") returned -1 [0096.825] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="Program Files") returned -1 [0096.825] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="Program Files (x86)") returned -1 [0096.825] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="$Recycle.bin") returned 1 [0096.826] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="System Volume Information") returned -1 [0096.826] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2=".") returned 1 [0096.826] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="..") returned 1 [0096.826] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 80 [0096.826] lstrcmpW (lpString1="GrooveMUI.xml", lpString2="PUSSY.TXT") returned -1 [0096.826] PathFindExtensionW (pszPath="GrooveMUI.xml") returned=".xml" [0096.826] lstrlenW (lpString=".xml") returned 4 [0096.826] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0096.826] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0096.826] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=913) returned 1 [0096.826] GetProcessHeap () returned 0x4c0000 [0096.826] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x54aae8 [0096.838] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="B6") returned 2 [0096.838] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="28") returned 2 [0096.839] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="1D") returned 2 [0096.839] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="1F") returned 2 [0096.839] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="9C") returned 2 [0096.839] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="B9") returned 2 [0096.839] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="70") returned 2 [0096.839] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="C4") returned 2 [0096.839] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="A1") returned 2 [0096.839] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="F0") returned 2 [0096.839] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="8F") returned 2 [0096.839] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="32") returned 2 [0096.839] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="55") returned 2 [0096.839] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="60") returned 2 [0096.839] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="BC") returned 2 [0096.839] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="49") returned 2 [0096.839] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="46") returned 2 [0096.839] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="2D") returned 2 [0096.839] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="4B") returned 2 [0096.839] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="59") returned 2 [0096.839] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="7E") returned 2 [0096.839] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="66") returned 2 [0096.839] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="D9") returned 2 [0096.839] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="F5") returned 2 [0096.840] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="51") returned 2 [0096.840] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="CF") returned 2 [0096.840] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="B1") returned 2 [0096.840] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="6E") returned 2 [0096.840] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="52") returned 2 [0096.840] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="83") returned 2 [0096.840] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="7F") returned 2 [0096.840] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="75") returned 2 [0096.852] lstrcpyW (in: lpString1=0x55ab1c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" [0096.852] lstrcpyW (in: lpString1=0x54ab1c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" [0096.852] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml", lpString2=".B6281D1F9CB970C4A1F08F325560BC49462D4B597E66D9F551CFB16E52837F75" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.B6281D1F9CB970C4A1F08F325560BC49462D4B597E66D9F551CFB16E52837F75") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.B6281D1F9CB970C4A1F08F325560BC49462D4B597E66D9F551CFB16E52837F75" [0096.853] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x54aae8, NumberOfConcurrentThreads=0x0) returned 0x94 [0096.853] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x54aae8, lpOverlapped=0x54aae8) returned 1 [0096.853] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5ac, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0096.853] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0096.853] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0096.853] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0096.853] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0096.853] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0096.853] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0096.853] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0096.853] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0096.853] lstrcmpW (lpString1="Setup.xml", lpString2="PUSSY.TXT") returned 1 [0096.853] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0096.853] lstrlenW (lpString=".xml") returned 4 [0096.853] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0096.853] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a0 [0096.854] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=1452) returned 1 [0096.854] GetProcessHeap () returned 0x4c0000 [0096.854] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x572b38 [0096.950] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="2A") returned 2 [0096.950] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="57") returned 2 [0096.950] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="4D") returned 2 [0096.950] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="84") returned 2 [0096.950] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="42") returned 2 [0096.950] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="85") returned 2 [0096.950] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="EB") returned 2 [0096.950] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="CF") returned 2 [0096.950] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="94") returned 2 [0096.950] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="10") returned 2 [0096.950] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="41") returned 2 [0096.950] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="10") returned 2 [0096.950] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="8B") returned 2 [0096.950] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="74") returned 2 [0096.950] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="1C") returned 2 [0096.950] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="8D") returned 2 [0096.950] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="55") returned 2 [0096.950] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="97") returned 2 [0096.950] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="F7") returned 2 [0096.950] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="87") returned 2 [0096.951] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="F5") returned 2 [0096.951] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="DA") returned 2 [0096.951] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="7B") returned 2 [0096.951] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="0F") returned 2 [0096.951] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="43") returned 2 [0096.951] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="EF") returned 2 [0096.951] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="DB") returned 2 [0096.951] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="B4") returned 2 [0096.951] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="05") returned 2 [0096.951] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="AE") returned 2 [0096.951] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="C6") returned 2 [0096.951] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="0F") returned 2 [0096.961] lstrcpyW (in: lpString1=0x582b6c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" [0096.961] lstrcpyW (in: lpString1=0x572b6c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" [0096.961] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".2A574D844285EBCF941041108B741C8D5597F787F5DA7B0F43EFDBB405AEC60F" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.2A574D844285EBCF941041108B741C8D5597F787F5DA7B0F43EFDBB405AEC60F") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.2A574D844285EBCF941041108B741C8D5597F787F5DA7B0F43EFDBB405AEC60F" [0096.961] CreateIoCompletionPort (FileHandle=0x1a0, ExistingCompletionPort=0x94, CompletionKey=0x572b38, NumberOfConcurrentThreads=0x0) returned 0x94 [0096.961] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x572b38, lpOverlapped=0x572b38) returned 1 [0096.962] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5ac, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0096.962] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0096.962] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\PUSSY.TXT") returned 76 [0096.962] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\PUSSY.TXT" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0096.963] lstrlenA (lpString="abcd") returned 4 [0096.963] WriteFile (in: hFile=0x1a4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0096.964] CloseHandle (hObject=0x1a4) returned 1 [0096.964] GetProcessHeap () returned 0x4c0000 [0096.964] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0096.967] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b68970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8729610, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8729610, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="{90140000-0115-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~1")) returned 1 [0096.967] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0096.967] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0096.967] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0096.967] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0096.967] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0096.967] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0096.967] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0096.967] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C") returned 66 [0096.967] GetProcessHeap () returned 0x4c0000 [0096.967] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0096.968] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C" [0096.968] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="\\*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*" [0096.968] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b68970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8729610, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8729610, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0096.976] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0096.976] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0096.977] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0096.977] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0096.977] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0096.977] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.977] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b68970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8729610, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8729610, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0096.977] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0096.977] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0096.977] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0096.977] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0096.977] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0096.977] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.977] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.977] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8691090, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8691090, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="1033", cAlternateFileName="")) returned 1 [0096.979] lstrcmpiW (lpString1="1033", lpString2="Windows") returned -1 [0096.979] lstrcmpiW (lpString1="1033", lpString2="Program Files") returned -1 [0096.979] lstrcmpiW (lpString1="1033", lpString2="Program Files (x86)") returned -1 [0096.979] lstrcmpiW (lpString1="1033", lpString2="$Recycle.bin") returned 1 [0096.979] lstrcmpiW (lpString1="1033", lpString2="System Volume Information") returned -1 [0096.980] lstrcmpiW (lpString1="1033", lpString2=".") returned 1 [0096.980] lstrcmpiW (lpString1="1033", lpString2="..") returned 1 [0096.980] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033") returned 71 [0096.980] GetProcessHeap () returned 0x4c0000 [0096.980] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x522a98 [0096.980] lstrcpyW (in: lpString1=0x522a98, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033" [0096.980] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033", lpString2="\\*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\*" [0096.980] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8691090, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8691090, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4dbf10 [0096.981] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0096.981] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0096.981] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0096.981] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0096.981] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0096.981] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.981] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8691090, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8691090, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0096.982] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0096.982] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0096.982] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0096.982] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0096.982] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0096.982] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.982] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.982] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6a35700, ftCreationTime.dwHighDateTime=0x1cac9d7, ftLastAccessTime.dwLowDateTime=0x6a35700, ftLastAccessTime.dwHighDateTime=0x1cac9d7, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1a588, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="dwintl20.dll", cAlternateFileName="")) returned 1 [0096.982] lstrcmpiW (lpString1="dwintl20.dll", lpString2="Windows") returned -1 [0096.982] lstrcmpiW (lpString1="dwintl20.dll", lpString2="Program Files") returned -1 [0096.982] lstrcmpiW (lpString1="dwintl20.dll", lpString2="Program Files (x86)") returned -1 [0096.982] lstrcmpiW (lpString1="dwintl20.dll", lpString2="$Recycle.bin") returned 1 [0096.982] lstrcmpiW (lpString1="dwintl20.dll", lpString2="System Volume Information") returned -1 [0096.982] lstrcmpiW (lpString1="dwintl20.dll", lpString2=".") returned 1 [0096.982] lstrcmpiW (lpString1="dwintl20.dll", lpString2="..") returned 1 [0096.982] wnsprintfW (in: pszDest=0x522a98, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 84 [0096.982] lstrcmpW (lpString1="dwintl20.dll", lpString2="PUSSY.TXT") returned -1 [0096.982] PathFindExtensionW (pszPath="dwintl20.dll") returned=".dll" [0096.982] lstrlenW (lpString=".dll") returned 4 [0096.982] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0096.982] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x174 [0096.983] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=107912) returned 1 [0096.983] GetProcessHeap () returned 0x4c0000 [0096.983] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x572b38 [0097.004] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="A2") returned 2 [0097.004] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="88") returned 2 [0097.004] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="34") returned 2 [0097.004] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="FE") returned 2 [0097.004] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="32") returned 2 [0097.004] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="9E") returned 2 [0097.004] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="2B") returned 2 [0097.004] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="F7") returned 2 [0097.005] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="35") returned 2 [0097.005] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="10") returned 2 [0097.005] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="BC") returned 2 [0097.005] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="2E") returned 2 [0097.005] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="9F") returned 2 [0097.005] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="12") returned 2 [0097.005] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="B1") returned 2 [0097.005] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="08") returned 2 [0097.005] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="71") returned 2 [0097.005] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="9E") returned 2 [0097.005] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="85") returned 2 [0097.005] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="E6") returned 2 [0097.005] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="CE") returned 2 [0097.005] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="B4") returned 2 [0097.005] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="87") returned 2 [0097.005] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="80") returned 2 [0097.005] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="FE") returned 2 [0097.005] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="B1") returned 2 [0097.005] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="98") returned 2 [0097.005] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="2A") returned 2 [0097.005] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="DE") returned 2 [0097.005] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="B8") returned 2 [0097.005] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="61") returned 2 [0097.005] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="35") returned 2 [0097.016] lstrcpyW (in: lpString1=0x582b6c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" [0097.016] lstrcpyW (in: lpString1=0x572b6c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" [0097.016] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll", lpString2=".A28834FE329E2BF73510BC2E9F12B108719E85E6CEB48780FEB1982ADEB86135" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll.A28834FE329E2BF73510BC2E9F12B108719E85E6CEB48780FEB1982ADEB86135") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll.A28834FE329E2BF73510BC2E9F12B108719E85E6CEB48780FEB1982ADEB86135" [0097.016] CreateIoCompletionPort (FileHandle=0x174, ExistingCompletionPort=0x94, CompletionKey=0x572b38, NumberOfConcurrentThreads=0x0) returned 0x94 [0097.016] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x572b38, lpOverlapped=0x572b38) returned 1 [0097.017] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6a35700, ftCreationTime.dwHighDateTime=0x1cac9d7, ftLastAccessTime.dwLowDateTime=0x6a35700, ftLastAccessTime.dwHighDateTime=0x1cac9d7, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1a588, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="dwintl20.dll", cAlternateFileName="")) returned 0 [0097.017] FindClose (in: hFindFile=0x4dbf10 | out: hFindFile=0x4dbf10) returned 1 [0097.053] wnsprintfW (in: pszDest=0x522a98, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\PUSSY.TXT") returned 81 [0097.053] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\PUSSY.TXT" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0097.053] lstrlenA (lpString="abcd") returned 4 [0097.053] WriteFile (in: hFile=0x1a0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0097.054] CloseHandle (hObject=0x1a0) returned 1 [0097.055] GetProcessHeap () returned 0x4c0000 [0097.055] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x522a98 | out: hHeap=0x4c0000) returned 1 [0097.056] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x11e8ef00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x11e8ef00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xe84c60d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x91975, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="branding.xml", cAlternateFileName="")) returned 1 [0097.056] lstrcmpiW (lpString1="branding.xml", lpString2="Windows") returned -1 [0097.056] lstrcmpiW (lpString1="branding.xml", lpString2="Program Files") returned -1 [0097.056] lstrcmpiW (lpString1="branding.xml", lpString2="Program Files (x86)") returned -1 [0097.057] lstrcmpiW (lpString1="branding.xml", lpString2="$Recycle.bin") returned 1 [0097.057] lstrcmpiW (lpString1="branding.xml", lpString2="System Volume Information") returned -1 [0097.057] lstrcmpiW (lpString1="branding.xml", lpString2=".") returned 1 [0097.057] lstrcmpiW (lpString1="branding.xml", lpString2="..") returned 1 [0097.057] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 79 [0097.057] lstrcmpW (lpString1="branding.xml", lpString2="PUSSY.TXT") returned -1 [0097.057] PathFindExtensionW (pszPath="branding.xml") returned=".xml" [0097.057] lstrlenW (lpString=".xml") returned 4 [0097.057] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0097.057] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a0 [0097.058] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=596341) returned 1 [0097.058] GetProcessHeap () returned 0x4c0000 [0097.058] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x54aae8 [0097.069] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="B5") returned 2 [0097.069] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="6B") returned 2 [0097.069] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="BF") returned 2 [0097.069] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="C7") returned 2 [0097.069] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="0D") returned 2 [0097.069] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="38") returned 2 [0097.069] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="72") returned 2 [0097.070] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="03") returned 2 [0097.070] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="B6") returned 2 [0097.070] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="CE") returned 2 [0097.070] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="73") returned 2 [0097.070] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="F1") returned 2 [0097.070] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="0E") returned 2 [0097.070] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="54") returned 2 [0097.070] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="AB") returned 2 [0097.070] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="A1") returned 2 [0097.070] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="2D") returned 2 [0097.070] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="CE") returned 2 [0097.070] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="51") returned 2 [0097.070] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="9C") returned 2 [0097.070] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="E0") returned 2 [0097.070] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="86") returned 2 [0097.070] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="85") returned 2 [0097.070] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="6F") returned 2 [0097.070] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="E7") returned 2 [0097.070] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="B4") returned 2 [0097.070] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="44") returned 2 [0097.070] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="79") returned 2 [0097.070] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="7A") returned 2 [0097.070] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="AA") returned 2 [0097.070] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="3C") returned 2 [0097.070] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="46") returned 2 [0097.079] lstrcpyW (in: lpString1=0x55ab1c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" [0097.079] lstrcpyW (in: lpString1=0x54ab1c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" [0097.079] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpString2=".B56BBFC70D387203B6CE73F10E54ABA12DCE519CE086856FE7B444797AAA3C46" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.B56BBFC70D387203B6CE73F10E54ABA12DCE519CE086856FE7B444797AAA3C46") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.B56BBFC70D387203B6CE73F10E54ABA12DCE519CE086856FE7B444797AAA3C46" [0097.114] CreateIoCompletionPort (FileHandle=0x1a0, ExistingCompletionPort=0x94, CompletionKey=0x54aae8, NumberOfConcurrentThreads=0x0) returned 0x94 [0097.114] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x54aae8, lpOverlapped=0x54aae8) returned 1 [0097.116] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa26c9d00, ftCreationTime.dwHighDateTime=0x1cac9ae, ftLastAccessTime.dwLowDateTime=0xa26c9d00, ftLastAccessTime.dwHighDateTime=0x1cac9ae, ftLastWriteTime.dwLowDateTime=0xe85142d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xccb88, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="DW20.EXE", cAlternateFileName="")) returned 1 [0097.116] lstrcmpiW (lpString1="DW20.EXE", lpString2="Windows") returned -1 [0097.117] lstrcmpiW (lpString1="DW20.EXE", lpString2="Program Files") returned -1 [0097.117] lstrcmpiW (lpString1="DW20.EXE", lpString2="Program Files (x86)") returned -1 [0097.117] lstrcmpiW (lpString1="DW20.EXE", lpString2="$Recycle.bin") returned 1 [0097.117] lstrcmpiW (lpString1="DW20.EXE", lpString2="System Volume Information") returned -1 [0097.117] lstrcmpiW (lpString1="DW20.EXE", lpString2=".") returned 1 [0097.117] lstrcmpiW (lpString1="DW20.EXE", lpString2="..") returned 1 [0097.117] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 75 [0097.117] lstrcmpW (lpString1="DW20.EXE", lpString2="PUSSY.TXT") returned -1 [0097.117] PathFindExtensionW (pszPath="DW20.EXE") returned=".EXE" [0097.117] lstrlenW (lpString=".EXE") returned 4 [0097.117] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0097.117] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x174 [0097.198] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=838536) returned 1 [0097.198] GetProcessHeap () returned 0x4c0000 [0097.198] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0097.209] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="65") returned 2 [0097.209] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="13") returned 2 [0097.209] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="B0") returned 2 [0097.209] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="88") returned 2 [0097.210] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="1F") returned 2 [0097.210] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="03") returned 2 [0097.210] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="DC") returned 2 [0097.210] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="94") returned 2 [0097.210] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="90") returned 2 [0097.210] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="76") returned 2 [0097.210] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="68") returned 2 [0097.210] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="4E") returned 2 [0097.210] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="86") returned 2 [0097.210] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="32") returned 2 [0097.210] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="B0") returned 2 [0097.210] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="E8") returned 2 [0097.210] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="7F") returned 2 [0097.210] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="5C") returned 2 [0097.210] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="E2") returned 2 [0097.210] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="A8") returned 2 [0097.210] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="1B") returned 2 [0097.210] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="FA") returned 2 [0097.210] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="52") returned 2 [0097.210] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="84") returned 2 [0097.210] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="BA") returned 2 [0097.210] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="78") returned 2 [0097.210] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="6D") returned 2 [0097.210] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="1A") returned 2 [0097.210] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="97") returned 2 [0097.211] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="55") returned 2 [0097.211] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="0C") returned 2 [0097.211] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="12") returned 2 [0097.219] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" [0097.219] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" [0097.219] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE", lpString2=".6513B0881F03DC949076684E8632B0E87F5CE2A81BFA5284BA786D1A97550C12" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE.6513B0881F03DC949076684E8632B0E87F5CE2A81BFA5284BA786D1A97550C12") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE.6513B0881F03DC949076684E8632B0E87F5CE2A81BFA5284BA786D1A97550C12" [0097.219] CreateIoCompletionPort (FileHandle=0x174, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0097.219] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0097.219] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xabf60500, ftCreationTime.dwHighDateTime=0x1cac9ae, ftLastAccessTime.dwLowDateTime=0xabf60500, ftLastAccessTime.dwHighDateTime=0x1cac9ae, ftLastWriteTime.dwLowDateTime=0xe85ab8b0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x80760, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="dwdcw20.dll", cAlternateFileName="")) returned 1 [0097.219] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="Windows") returned -1 [0097.219] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="Program Files") returned -1 [0097.219] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="Program Files (x86)") returned -1 [0097.220] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="$Recycle.bin") returned 1 [0097.220] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="System Volume Information") returned -1 [0097.220] lstrcmpiW (lpString1="dwdcw20.dll", lpString2=".") returned 1 [0097.220] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="..") returned 1 [0097.220] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 78 [0097.220] lstrcmpW (lpString1="dwdcw20.dll", lpString2="PUSSY.TXT") returned -1 [0097.220] PathFindExtensionW (pszPath="dwdcw20.dll") returned=".dll" [0097.220] lstrlenW (lpString=".dll") returned 4 [0097.220] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0097.220] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x170 [0097.220] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=526176) returned 1 [0097.220] GetProcessHeap () returned 0x4c0000 [0097.221] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x572b38 [0097.229] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="51") returned 2 [0097.229] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="E3") returned 2 [0097.229] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="94") returned 2 [0097.229] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="BB") returned 2 [0097.229] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="DB") returned 2 [0097.229] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="67") returned 2 [0097.229] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="E8") returned 2 [0097.229] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="37") returned 2 [0097.229] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="C5") returned 2 [0097.229] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="62") returned 2 [0097.229] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="60") returned 2 [0097.229] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="2C") returned 2 [0097.229] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="CE") returned 2 [0097.229] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="41") returned 2 [0097.229] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="2B") returned 2 [0097.229] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="8C") returned 2 [0097.229] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="21") returned 2 [0097.229] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="85") returned 2 [0097.229] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="C8") returned 2 [0097.229] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="49") returned 2 [0097.229] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="F5") returned 2 [0097.229] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="B5") returned 2 [0097.229] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="A4") returned 2 [0097.229] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="73") returned 2 [0097.229] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="74") returned 2 [0097.230] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="0E") returned 2 [0097.230] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="A3") returned 2 [0097.230] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="DF") returned 2 [0097.230] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="F3") returned 2 [0097.230] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="9F") returned 2 [0097.230] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="64") returned 2 [0097.230] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="22") returned 2 [0097.238] lstrcpyW (in: lpString1=0x582b6c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" [0097.238] lstrcpyW (in: lpString1=0x572b6c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" [0097.239] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll", lpString2=".51E394BBDB67E837C562602CCE412B8C2185C849F5B5A473740EA3DFF39F6422" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll.51E394BBDB67E837C562602CCE412B8C2185C849F5B5A473740EA3DFF39F6422") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll.51E394BBDB67E837C562602CCE412B8C2185C849F5B5A473740EA3DFF39F6422" [0097.239] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x94, CompletionKey=0x572b38, NumberOfConcurrentThreads=0x0) returned 0x94 [0097.239] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x572b38, lpOverlapped=0x572b38) returned 1 [0097.239] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xabf60500, ftCreationTime.dwHighDateTime=0x1cac9ae, ftLastAccessTime.dwLowDateTime=0xabf60500, ftLastAccessTime.dwHighDateTime=0x1cac9ae, ftLastWriteTime.dwLowDateTime=0xe85f73a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x7eda0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="dwtrig20.exe", cAlternateFileName="")) returned 1 [0097.239] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="Windows") returned -1 [0097.239] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="Program Files") returned -1 [0097.239] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="Program Files (x86)") returned -1 [0097.239] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="$Recycle.bin") returned 1 [0097.239] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="System Volume Information") returned -1 [0097.239] lstrcmpiW (lpString1="dwtrig20.exe", lpString2=".") returned 1 [0097.239] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="..") returned 1 [0097.239] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 79 [0097.239] lstrcmpW (lpString1="dwtrig20.exe", lpString2="PUSSY.TXT") returned -1 [0097.239] PathFindExtensionW (pszPath="dwtrig20.exe") returned=".exe" [0097.239] lstrlenW (lpString=".exe") returned 4 [0097.239] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0097.239] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x198 [0097.240] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=519584) returned 1 [0097.240] GetProcessHeap () returned 0x4c0000 [0097.240] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b00048 [0097.251] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="06") returned 2 [0097.251] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="E2") returned 2 [0097.251] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="7A") returned 2 [0097.251] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="E0") returned 2 [0097.251] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="C7") returned 2 [0097.251] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="BA") returned 2 [0097.251] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="B1") returned 2 [0097.251] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="86") returned 2 [0097.251] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="18") returned 2 [0097.251] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="48") returned 2 [0097.251] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="F0") returned 2 [0097.251] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="F5") returned 2 [0097.251] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="80") returned 2 [0097.251] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="87") returned 2 [0097.251] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="E3") returned 2 [0097.251] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="90") returned 2 [0097.251] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="C2") returned 2 [0097.251] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="28") returned 2 [0097.251] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="0D") returned 2 [0097.251] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="EF") returned 2 [0097.251] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="98") returned 2 [0097.252] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="97") returned 2 [0097.252] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="94") returned 2 [0097.252] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="A8") returned 2 [0097.252] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="97") returned 2 [0097.252] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="B3") returned 2 [0097.252] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="92") returned 2 [0097.252] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="FC") returned 2 [0097.252] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="BF") returned 2 [0097.252] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="59") returned 2 [0097.252] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="E7") returned 2 [0097.252] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="12") returned 2 [0097.261] lstrcpyW (in: lpString1=0x3b1007c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" [0097.261] lstrcpyW (in: lpString1=0x3b0007c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" [0097.261] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe", lpString2=".06E27AE0C7BAB1861848F0F58087E390C2280DEF989794A897B392FCBF59E712" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe.06E27AE0C7BAB1861848F0F58087E390C2280DEF989794A897B392FCBF59E712") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe.06E27AE0C7BAB1861848F0F58087E390C2280DEF989794A897B392FCBF59E712" [0097.261] CreateIoCompletionPort (FileHandle=0x198, ExistingCompletionPort=0x94, CompletionKey=0x3b00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0097.261] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b00048, lpOverlapped=0x3b00048) returned 1 [0097.261] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8d646800, ftCreationTime.dwHighDateTime=0x1cacc53, ftLastAccessTime.dwLowDateTime=0x8d646800, ftLastAccessTime.dwHighDateTime=0x1cacc53, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x741, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Microsoft.VC90.CRT.manifest", cAlternateFileName="MICROS~1.MAN")) returned 1 [0097.261] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="Windows") returned -1 [0097.261] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="Program Files") returned -1 [0097.261] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="Program Files (x86)") returned -1 [0097.261] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="$Recycle.bin") returned 1 [0097.261] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="System Volume Information") returned -1 [0097.261] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2=".") returned 1 [0097.261] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="..") returned 1 [0097.261] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 94 [0097.261] lstrcmpW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="PUSSY.TXT") returned -1 [0097.261] PathFindExtensionW (pszPath="Microsoft.VC90.CRT.manifest") returned=".manifest" [0097.261] lstrlenW (lpString=".manifest") returned 9 [0097.261] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0097.262] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0097.363] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=1857) returned 1 [0097.363] GetProcessHeap () returned 0x4c0000 [0097.363] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b28098 [0097.374] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="5A") returned 2 [0097.374] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="F8") returned 2 [0097.374] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="DC") returned 2 [0097.375] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="2C") returned 2 [0097.375] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="05") returned 2 [0097.375] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="38") returned 2 [0097.375] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="A4") returned 2 [0097.375] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="A4") returned 2 [0097.375] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="E8") returned 2 [0097.375] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="BC") returned 2 [0097.375] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="E2") returned 2 [0097.375] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="9A") returned 2 [0097.375] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="C0") returned 2 [0097.375] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="73") returned 2 [0097.375] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="68") returned 2 [0097.375] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="65") returned 2 [0097.375] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="C1") returned 2 [0097.375] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="74") returned 2 [0097.375] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="FB") returned 2 [0097.375] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="3F") returned 2 [0097.375] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="AD") returned 2 [0097.375] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="88") returned 2 [0097.375] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="A9") returned 2 [0097.375] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="64") returned 2 [0097.375] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="97") returned 2 [0097.375] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="33") returned 2 [0097.375] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="1A") returned 2 [0097.375] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="A8") returned 2 [0097.375] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="5C") returned 2 [0097.375] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="34") returned 2 [0097.375] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="8F") returned 2 [0097.375] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="49") returned 2 [0097.384] lstrcpyW (in: lpString1=0x3b380cc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" [0097.384] lstrcpyW (in: lpString1=0x3b280cc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" [0097.384] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest", lpString2=".5AF8DC2C0538A4A4E8BCE29AC0736865C174FB3FAD88A96497331AA85C348F49" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.5AF8DC2C0538A4A4E8BCE29AC0736865C174FB3FAD88A96497331AA85C348F49") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.5AF8DC2C0538A4A4E8BCE29AC0736865C174FB3FAD88A96497331AA85C348F49" [0097.384] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x3b28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0097.384] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b28098, lpOverlapped=0x3b28098) returned 1 [0097.384] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8c333b00, ftCreationTime.dwHighDateTime=0x1cacc53, ftLastAccessTime.dwLowDateTime=0x8c333b00, ftLastAccessTime.dwHighDateTime=0x1cacc53, ftLastWriteTime.dwLowDateTime=0xe86b5a80, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xa0200, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="msvcr90.dll", cAlternateFileName="")) returned 1 [0097.384] lstrcmpiW (lpString1="msvcr90.dll", lpString2="Windows") returned -1 [0097.384] lstrcmpiW (lpString1="msvcr90.dll", lpString2="Program Files") returned -1 [0097.384] lstrcmpiW (lpString1="msvcr90.dll", lpString2="Program Files (x86)") returned -1 [0097.384] lstrcmpiW (lpString1="msvcr90.dll", lpString2="$Recycle.bin") returned 1 [0097.384] lstrcmpiW (lpString1="msvcr90.dll", lpString2="System Volume Information") returned -1 [0097.384] lstrcmpiW (lpString1="msvcr90.dll", lpString2=".") returned 1 [0097.384] lstrcmpiW (lpString1="msvcr90.dll", lpString2="..") returned 1 [0097.384] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 78 [0097.384] lstrcmpW (lpString1="msvcr90.dll", lpString2="PUSSY.TXT") returned -1 [0097.384] PathFindExtensionW (pszPath="msvcr90.dll") returned=".dll" [0097.384] lstrlenW (lpString=".dll") returned 4 [0097.385] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0097.385] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0097.385] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=655872) returned 1 [0097.385] GetProcessHeap () returned 0x4c0000 [0097.385] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b500e8 [0097.395] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="04") returned 2 [0097.395] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="EA") returned 2 [0097.395] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="7A") returned 2 [0097.396] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="E8") returned 2 [0097.396] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="70") returned 2 [0097.396] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="D4") returned 2 [0097.396] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="68") returned 2 [0097.396] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="3D") returned 2 [0097.396] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="D7") returned 2 [0097.396] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="72") returned 2 [0097.396] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="2B") returned 2 [0097.396] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="CB") returned 2 [0097.396] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="EF") returned 2 [0097.396] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="39") returned 2 [0097.396] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="2D") returned 2 [0097.396] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="90") returned 2 [0097.396] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="7C") returned 2 [0097.396] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="BB") returned 2 [0097.396] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="D9") returned 2 [0097.397] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="96") returned 2 [0097.397] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="55") returned 2 [0097.397] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="12") returned 2 [0097.397] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="81") returned 2 [0097.397] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="3E") returned 2 [0097.397] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="5A") returned 2 [0097.397] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="4D") returned 2 [0097.397] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="FC") returned 2 [0097.397] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="6F") returned 2 [0097.397] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="5A") returned 2 [0097.397] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="1E") returned 2 [0097.397] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="AD") returned 2 [0097.397] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="1B") returned 2 [0097.471] lstrcpyW (in: lpString1=0x3b6011c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" [0097.471] lstrcpyW (in: lpString1=0x3b5011c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" [0097.471] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll", lpString2=".04EA7AE870D4683DD7722BCBEF392D907CBBD9965512813E5A4DFC6F5A1EAD1B" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll.04EA7AE870D4683DD7722BCBEF392D907CBBD9965512813E5A4DFC6F5A1EAD1B") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll.04EA7AE870D4683DD7722BCBEF392D907CBBD9965512813E5A4DFC6F5A1EAD1B" [0097.471] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0x94, CompletionKey=0x3b500e8, NumberOfConcurrentThreads=0x0) returned 0x94 [0097.472] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b500e8, lpOverlapped=0x3b500e8) returned 1 [0097.472] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3ba05100, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3ba05100, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7e3b3f0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd79282, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="OfficeLR.cab", cAlternateFileName="")) returned 1 [0097.472] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="Windows") returned -1 [0097.472] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="Program Files") returned -1 [0097.472] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="Program Files (x86)") returned -1 [0097.509] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="$Recycle.bin") returned 1 [0097.510] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="System Volume Information") returned -1 [0097.510] lstrcmpiW (lpString1="OfficeLR.cab", lpString2=".") returned 1 [0097.510] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="..") returned 1 [0097.510] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 79 [0097.510] lstrcmpW (lpString1="OfficeLR.cab", lpString2="PUSSY.TXT") returned -1 [0097.510] PathFindExtensionW (pszPath="OfficeLR.cab") returned=".cab" [0097.510] lstrlenW (lpString=".cab") returned 4 [0097.510] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0097.510] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x170 [0097.510] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=14127746) returned 1 [0097.510] GetProcessHeap () returned 0x4c0000 [0097.510] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b28098 [0097.519] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="6C") returned 2 [0097.519] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="7B") returned 2 [0097.519] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="34") returned 2 [0097.519] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="BB") returned 2 [0097.519] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="BE") returned 2 [0097.519] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="6B") returned 2 [0097.519] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="5B") returned 2 [0097.519] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="38") returned 2 [0097.519] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="CB") returned 2 [0097.519] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="FE") returned 2 [0097.519] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="E8") returned 2 [0097.519] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="BF") returned 2 [0097.519] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="85") returned 2 [0097.519] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="F4") returned 2 [0097.520] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="05") returned 2 [0097.520] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="93") returned 2 [0097.520] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="F5") returned 2 [0097.520] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="D1") returned 2 [0097.520] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="81") returned 2 [0097.520] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="09") returned 2 [0097.520] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="8C") returned 2 [0097.520] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="E5") returned 2 [0097.520] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="6E") returned 2 [0097.520] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="C0") returned 2 [0097.520] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="A6") returned 2 [0097.520] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="2F") returned 2 [0097.520] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="47") returned 2 [0097.520] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="27") returned 2 [0097.520] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="D9") returned 2 [0097.520] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="AD") returned 2 [0097.520] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="71") returned 2 [0097.520] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="4F") returned 2 [0097.529] lstrcpyW (in: lpString1=0x3b380cc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" [0097.529] lstrcpyW (in: lpString1=0x3b280cc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" [0097.529] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab", lpString2=".6C7B34BBBE6B5B38CBFEE8BF85F40593F5D181098CE56EC0A62F4727D9AD714F" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.6C7B34BBBE6B5B38CBFEE8BF85F40593F5D181098CE56EC0A62F4727D9AD714F") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.6C7B34BBBE6B5B38CBFEE8BF85F40593F5D181098CE56EC0A62F4727D9AD714F" [0097.529] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x94, CompletionKey=0x3b28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0097.529] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b28098, lpOverlapped=0x3b28098) returned 1 [0097.531] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3cd17e00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3cd17e00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7c4ba40, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x387e00, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="OfficeMUI.msi", cAlternateFileName="OFFICE~2.MSI")) returned 1 [0097.531] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="Windows") returned -1 [0097.531] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="Program Files") returned -1 [0097.531] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="Program Files (x86)") returned -1 [0097.531] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="$Recycle.bin") returned 1 [0097.531] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="System Volume Information") returned -1 [0097.568] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2=".") returned 1 [0097.568] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="..") returned 1 [0097.568] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 80 [0097.568] lstrcmpW (lpString1="OfficeMUI.msi", lpString2="PUSSY.TXT") returned -1 [0097.568] PathFindExtensionW (pszPath="OfficeMUI.msi") returned=".msi" [0097.568] lstrlenW (lpString=".msi") returned 4 [0097.568] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0097.568] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x174 [0097.568] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=3702272) returned 1 [0097.569] GetProcessHeap () returned 0x4c0000 [0097.569] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0097.581] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="AF") returned 2 [0097.581] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="15") returned 2 [0097.581] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="F1") returned 2 [0097.581] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="A1") returned 2 [0097.581] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="6F") returned 2 [0097.581] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="F6") returned 2 [0097.581] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="E8") returned 2 [0097.581] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="95") returned 2 [0097.581] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="4C") returned 2 [0097.581] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="57") returned 2 [0097.581] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="C1") returned 2 [0097.581] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="19") returned 2 [0097.581] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="47") returned 2 [0097.581] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="71") returned 2 [0097.581] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="B5") returned 2 [0097.582] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="91") returned 2 [0097.582] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="B5") returned 2 [0097.582] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="E9") returned 2 [0097.582] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="8F") returned 2 [0097.582] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="BF") returned 2 [0097.582] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="CA") returned 2 [0097.582] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="43") returned 2 [0097.582] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="2E") returned 2 [0097.582] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="BE") returned 2 [0097.582] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="CD") returned 2 [0097.582] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="11") returned 2 [0097.582] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="80") returned 2 [0097.582] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="00") returned 2 [0097.582] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="28") returned 2 [0097.582] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="C9") returned 2 [0097.582] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="39") returned 2 [0097.582] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="2D") returned 2 [0097.592] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" [0097.592] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" [0097.592] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi", lpString2=".AF15F1A16FF6E8954C57C1194771B591B5E98FBFCA432EBECD11800028C9392D" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.AF15F1A16FF6E8954C57C1194771B591B5E98FBFCA432EBECD11800028C9392D") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.AF15F1A16FF6E8954C57C1194771B591B5E98FBFCA432EBECD11800028C9392D" [0097.593] CreateIoCompletionPort (FileHandle=0x174, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0097.593] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0097.593] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7c27050, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x15b5, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="OfficeMUI.xml", cAlternateFileName="OFFICE~2.XML")) returned 1 [0097.593] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="Windows") returned -1 [0097.593] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="Program Files") returned -1 [0097.593] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="Program Files (x86)") returned -1 [0097.593] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="$Recycle.bin") returned 1 [0097.593] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="System Volume Information") returned -1 [0097.593] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2=".") returned 1 [0097.593] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="..") returned 1 [0097.594] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 80 [0097.594] lstrcmpW (lpString1="OfficeMUI.xml", lpString2="PUSSY.TXT") returned -1 [0097.594] PathFindExtensionW (pszPath="OfficeMUI.xml") returned=".xml" [0097.594] lstrlenW (lpString=".xml") returned 4 [0097.594] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0097.594] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a0 [0097.625] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=5557) returned 1 [0097.625] GetProcessHeap () returned 0x4c0000 [0097.625] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x54aae8 [0097.643] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="49") returned 2 [0097.643] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="60") returned 2 [0097.643] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="AE") returned 2 [0097.643] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="31") returned 2 [0097.643] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="4A") returned 2 [0097.643] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="AF") returned 2 [0097.643] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="50") returned 2 [0097.643] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="8A") returned 2 [0097.643] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="3F") returned 2 [0097.643] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="D0") returned 2 [0097.643] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="05") returned 2 [0097.643] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="8A") returned 2 [0097.643] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="A0") returned 2 [0097.643] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="78") returned 2 [0097.643] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="6A") returned 2 [0097.643] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="DF") returned 2 [0097.643] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="71") returned 2 [0097.643] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="71") returned 2 [0097.644] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="3A") returned 2 [0097.644] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="34") returned 2 [0097.644] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="EC") returned 2 [0097.644] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="F8") returned 2 [0097.644] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="AC") returned 2 [0097.644] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="93") returned 2 [0097.644] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="31") returned 2 [0097.644] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="8C") returned 2 [0097.644] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="45") returned 2 [0097.644] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="1B") returned 2 [0097.644] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="02") returned 2 [0097.644] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="EE") returned 2 [0097.644] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="15") returned 2 [0097.644] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="34") returned 2 [0097.658] lstrcpyW (in: lpString1=0x55ab1c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" [0097.658] lstrcpyW (in: lpString1=0x54ab1c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" [0097.658] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml", lpString2=".4960AE314AAF508A3FD0058AA0786ADF71713A34ECF8AC93318C451B02EE1534" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.4960AE314AAF508A3FD0058AA0786ADF71713A34ECF8AC93318C451B02EE1534") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.4960AE314AAF508A3FD0058AA0786ADF71713A34ECF8AC93318C451B02EE1534" [0097.658] CreateIoCompletionPort (FileHandle=0x1a0, ExistingCompletionPort=0x94, CompletionKey=0x54aae8, NumberOfConcurrentThreads=0x0) returned 0x94 [0097.658] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x54aae8, lpOverlapped=0x54aae8) returned 1 [0097.658] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7b68970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd4200, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="OfficeMUISet.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0097.659] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="Windows") returned -1 [0097.659] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="Program Files") returned -1 [0097.659] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="Program Files (x86)") returned -1 [0097.659] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="$Recycle.bin") returned 1 [0097.659] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="System Volume Information") returned -1 [0097.659] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2=".") returned 1 [0097.659] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="..") returned 1 [0097.659] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 83 [0097.659] lstrcmpW (lpString1="OfficeMUISet.msi", lpString2="PUSSY.TXT") returned -1 [0097.659] PathFindExtensionW (pszPath="OfficeMUISet.msi") returned=".msi" [0097.659] lstrlenW (lpString=".msi") returned 4 [0097.659] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0097.659] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0097.660] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=868864) returned 1 [0097.660] GetProcessHeap () returned 0x4c0000 [0097.660] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x572b38 [0097.673] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="13") returned 2 [0097.673] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="43") returned 2 [0097.674] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="07") returned 2 [0097.674] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="50") returned 2 [0097.674] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="B3") returned 2 [0097.674] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="05") returned 2 [0097.674] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="63") returned 2 [0097.674] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="AA") returned 2 [0097.674] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="25") returned 2 [0097.674] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="06") returned 2 [0097.674] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="AA") returned 2 [0097.674] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="4B") returned 2 [0097.674] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="72") returned 2 [0097.674] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="66") returned 2 [0097.674] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="3A") returned 2 [0097.674] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="DF") returned 2 [0097.674] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="6B") returned 2 [0097.674] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="4C") returned 2 [0097.674] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="9F") returned 2 [0097.674] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="1B") returned 2 [0097.674] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="49") returned 2 [0097.674] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="D8") returned 2 [0097.674] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="0B") returned 2 [0097.674] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="7D") returned 2 [0097.674] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="30") returned 2 [0097.674] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="D6") returned 2 [0097.675] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="DE") returned 2 [0097.675] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="68") returned 2 [0097.675] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="02") returned 2 [0097.675] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="8B") returned 2 [0097.675] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="F0") returned 2 [0097.675] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="23") returned 2 [0097.720] lstrcpyW (in: lpString1=0x582b6c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" [0097.720] lstrcpyW (in: lpString1=0x572b6c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" [0097.720] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi", lpString2=".13430750B30563AA2506AA4B72663ADF6B4C9F1B49D80B7D30D6DE68028BF023" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.13430750B30563AA2506AA4B72663ADF6B4C9F1B49D80B7D30D6DE68028BF023") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.13430750B30563AA2506AA4B72663ADF6B4C9F1B49D80B7D30D6DE68028BF023" [0097.720] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x572b38, NumberOfConcurrentThreads=0x0) returned 0x94 [0097.720] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x572b38, lpOverlapped=0x572b38) returned 1 [0097.720] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7b68970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x333, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="OfficeMUISet.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0097.721] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="Windows") returned -1 [0097.761] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="Program Files") returned -1 [0097.761] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="Program Files (x86)") returned -1 [0097.761] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="$Recycle.bin") returned 1 [0097.761] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="System Volume Information") returned -1 [0097.762] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2=".") returned 1 [0097.762] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="..") returned 1 [0097.762] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 83 [0097.762] lstrcmpW (lpString1="OfficeMUISet.xml", lpString2="PUSSY.TXT") returned -1 [0097.762] PathFindExtensionW (pszPath="OfficeMUISet.xml") returned=".xml" [0097.762] lstrlenW (lpString=".xml") returned 4 [0097.762] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0097.762] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x170 [0097.762] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=819) returned 1 [0097.762] GetProcessHeap () returned 0x4c0000 [0097.762] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x54aae8 [0097.775] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="58") returned 2 [0097.775] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="9F") returned 2 [0097.775] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="D1") returned 2 [0097.775] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="6C") returned 2 [0097.775] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="66") returned 2 [0097.775] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="BA") returned 2 [0097.775] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="3D") returned 2 [0097.775] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="6F") returned 2 [0097.775] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="8B") returned 2 [0097.775] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="6D") returned 2 [0097.775] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="94") returned 2 [0097.775] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="48") returned 2 [0097.775] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="17") returned 2 [0097.775] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="B1") returned 2 [0097.775] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="5E") returned 2 [0097.775] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="F3") returned 2 [0097.775] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="AF") returned 2 [0097.775] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="5A") returned 2 [0097.775] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="DB") returned 2 [0097.775] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="86") returned 2 [0097.775] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="EF") returned 2 [0097.775] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="CF") returned 2 [0097.775] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="1E") returned 2 [0097.775] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="D9") returned 2 [0097.775] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="3B") returned 2 [0097.776] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="FD") returned 2 [0097.776] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="AF") returned 2 [0097.776] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="4A") returned 2 [0097.776] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="4B") returned 2 [0097.776] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="DC") returned 2 [0097.776] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="14") returned 2 [0097.776] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="7B") returned 2 [0097.812] lstrcpyW (in: lpString1=0x55ab1c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" [0097.812] lstrcpyW (in: lpString1=0x54ab1c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" [0097.812] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml", lpString2=".589FD16C66BA3D6F8B6D944817B15EF3AF5ADB86EFCF1ED93BFDAF4A4BDC147B" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.589FD16C66BA3D6F8B6D944817B15EF3AF5ADB86EFCF1ED93BFDAF4A4BDC147B") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.589FD16C66BA3D6F8B6D944817B15EF3AF5ADB86EFCF1ED93BFDAF4A4BDC147B" [0097.812] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x94, CompletionKey=0x54aae8, NumberOfConcurrentThreads=0x0) returned 0x94 [0097.812] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x54aae8, lpOverlapped=0x54aae8) returned 1 [0097.812] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc8b16200, ftCreationTime.dwHighDateTime=0x1cac190, ftLastAccessTime.dwLowDateTime=0xc8b16200, ftLastAccessTime.dwHighDateTime=0x1cac190, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2ed80, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="osetupui.dll", cAlternateFileName="")) returned 1 [0097.813] lstrcmpiW (lpString1="osetupui.dll", lpString2="Windows") returned -1 [0097.813] lstrcmpiW (lpString1="osetupui.dll", lpString2="Program Files") returned -1 [0097.813] lstrcmpiW (lpString1="osetupui.dll", lpString2="Program Files (x86)") returned -1 [0097.813] lstrcmpiW (lpString1="osetupui.dll", lpString2="$Recycle.bin") returned 1 [0097.813] lstrcmpiW (lpString1="osetupui.dll", lpString2="System Volume Information") returned -1 [0097.813] lstrcmpiW (lpString1="osetupui.dll", lpString2=".") returned 1 [0097.813] lstrcmpiW (lpString1="osetupui.dll", lpString2="..") returned 1 [0097.813] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 79 [0097.813] lstrcmpW (lpString1="osetupui.dll", lpString2="PUSSY.TXT") returned -1 [0097.813] PathFindExtensionW (pszPath="osetupui.dll") returned=".dll" [0097.813] lstrlenW (lpString=".dll") returned 4 [0097.813] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0097.813] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0097.814] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=191872) returned 1 [0097.814] GetProcessHeap () returned 0x4c0000 [0097.814] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b00048 [0097.829] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="FE") returned 2 [0097.829] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="2C") returned 2 [0097.829] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="66") returned 2 [0097.829] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="8C") returned 2 [0097.829] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="6C") returned 2 [0097.829] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="59") returned 2 [0097.829] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="65") returned 2 [0097.829] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="85") returned 2 [0097.829] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="B2") returned 2 [0097.830] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="92") returned 2 [0097.830] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="B4") returned 2 [0097.830] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="77") returned 2 [0097.830] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="75") returned 2 [0097.830] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="EA") returned 2 [0097.830] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="2D") returned 2 [0097.830] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="F1") returned 2 [0097.830] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="9E") returned 2 [0097.830] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="10") returned 2 [0097.830] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="38") returned 2 [0097.830] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="80") returned 2 [0097.830] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="05") returned 2 [0097.830] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="1E") returned 2 [0097.830] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="37") returned 2 [0097.830] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="C7") returned 2 [0097.830] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="5A") returned 2 [0097.830] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="F2") returned 2 [0097.830] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="58") returned 2 [0097.830] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="0D") returned 2 [0097.830] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="DA") returned 2 [0097.830] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="FC") returned 2 [0097.830] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="91") returned 2 [0097.831] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="15") returned 2 [0097.843] lstrcpyW (in: lpString1=0x3b1007c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" [0097.843] lstrcpyW (in: lpString1=0x3b0007c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" [0097.843] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll", lpString2=".FE2C668C6C596585B292B47775EA2DF19E103880051E37C75AF2580DDAFC9115" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll.FE2C668C6C596585B292B47775EA2DF19E103880051E37C75AF2580DDAFC9115") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll.FE2C668C6C596585B292B47775EA2DF19E103880051E37C75AF2580DDAFC9115" [0097.843] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0x94, CompletionKey=0x3b00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0097.843] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b00048, lpOverlapped=0x3b00048) returned 1 [0097.844] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x77cbb000, ftCreationTime.dwHighDateTime=0x1cac57a, ftLastAccessTime.dwLowDateTime=0x77cbb000, ftLastAccessTime.dwHighDateTime=0x1cac57a, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x6a3b, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="pss10r.chm", cAlternateFileName="")) returned 1 [0097.844] lstrcmpiW (lpString1="pss10r.chm", lpString2="Windows") returned -1 [0097.844] lstrcmpiW (lpString1="pss10r.chm", lpString2="Program Files") returned 1 [0097.889] lstrcmpiW (lpString1="pss10r.chm", lpString2="Program Files (x86)") returned 1 [0097.889] lstrcmpiW (lpString1="pss10r.chm", lpString2="$Recycle.bin") returned 1 [0097.889] lstrcmpiW (lpString1="pss10r.chm", lpString2="System Volume Information") returned -1 [0097.889] lstrcmpiW (lpString1="pss10r.chm", lpString2=".") returned 1 [0097.889] lstrcmpiW (lpString1="pss10r.chm", lpString2="..") returned 1 [0097.889] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 77 [0097.890] lstrcmpW (lpString1="pss10r.chm", lpString2="PUSSY.TXT") returned -1 [0097.890] PathFindExtensionW (pszPath="pss10r.chm") returned=".chm" [0097.890] lstrlenW (lpString=".chm") returned 4 [0097.890] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0097.890] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x198 [0097.890] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=27195) returned 1 [0097.890] GetProcessHeap () returned 0x4c0000 [0097.890] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b28098 [0097.904] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="4C") returned 2 [0097.904] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="77") returned 2 [0097.904] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="1C") returned 2 [0097.904] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="F9") returned 2 [0097.904] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="D3") returned 2 [0097.904] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="A7") returned 2 [0097.904] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="2A") returned 2 [0097.904] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="01") returned 2 [0097.904] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="AA") returned 2 [0097.904] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="7A") returned 2 [0097.904] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="C7") returned 2 [0097.904] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="12") returned 2 [0097.904] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="FF") returned 2 [0097.904] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="11") returned 2 [0097.905] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="DF") returned 2 [0097.905] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="7D") returned 2 [0097.905] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="FB") returned 2 [0097.905] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="6F") returned 2 [0097.905] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="7B") returned 2 [0097.905] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="84") returned 2 [0097.905] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="C9") returned 2 [0097.905] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="15") returned 2 [0097.905] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="75") returned 2 [0097.905] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="C7") returned 2 [0097.905] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="26") returned 2 [0097.905] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="88") returned 2 [0097.905] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="12") returned 2 [0097.905] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="0E") returned 2 [0097.905] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="7E") returned 2 [0097.905] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="44") returned 2 [0097.905] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="12") returned 2 [0097.905] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="2C") returned 2 [0097.918] lstrcpyW (in: lpString1=0x3b380cc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" [0097.918] lstrcpyW (in: lpString1=0x3b280cc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" [0097.919] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm", lpString2=".4C771CF9D3A72A01AA7AC712FF11DF7DFB6F7B84C91575C72688120E7E44122C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.4C771CF9D3A72A01AA7AC712FF11DF7DFB6F7B84C91575C72688120E7E44122C") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.4C771CF9D3A72A01AA7AC712FF11DF7DFB6F7B84C91575C72688120E7E44122C" [0097.919] CreateIoCompletionPort (FileHandle=0x198, ExistingCompletionPort=0x94, CompletionKey=0x3b28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0097.927] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b28098, lpOverlapped=0x3b28098) returned 1 [0097.989] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7cab9f00, ftCreationTime.dwHighDateTime=0x1cac8ad, ftLastAccessTime.dwLowDateTime=0x7cab9f00, ftLastAccessTime.dwHighDateTime=0x1cac8ad, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x10676, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="setup.chm", cAlternateFileName="")) returned 1 [0097.989] lstrcmpiW (lpString1="setup.chm", lpString2="Windows") returned -1 [0097.989] lstrcmpiW (lpString1="setup.chm", lpString2="Program Files") returned 1 [0097.989] lstrcmpiW (lpString1="setup.chm", lpString2="Program Files (x86)") returned 1 [0097.989] lstrcmpiW (lpString1="setup.chm", lpString2="$Recycle.bin") returned 1 [0097.989] lstrcmpiW (lpString1="setup.chm", lpString2="System Volume Information") returned -1 [0097.989] lstrcmpiW (lpString1="setup.chm", lpString2=".") returned 1 [0097.989] lstrcmpiW (lpString1="setup.chm", lpString2="..") returned 1 [0097.989] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 76 [0097.989] lstrcmpW (lpString1="setup.chm", lpString2="PUSSY.TXT") returned 1 [0097.989] PathFindExtensionW (pszPath="setup.chm") returned=".chm" [0097.989] lstrlenW (lpString=".chm") returned 4 [0097.989] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0097.989] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x174 [0097.990] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=67190) returned 1 [0097.990] GetProcessHeap () returned 0x4c0000 [0097.990] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0098.004] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="25") returned 2 [0098.004] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="80") returned 2 [0098.004] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="E1") returned 2 [0098.004] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="13") returned 2 [0098.004] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="90") returned 2 [0098.005] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="A0") returned 2 [0098.005] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="69") returned 2 [0098.005] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="19") returned 2 [0098.005] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="0A") returned 2 [0098.005] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="0B") returned 2 [0098.005] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="FC") returned 2 [0098.005] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="88") returned 2 [0098.005] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="CB") returned 2 [0098.005] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="DD") returned 2 [0098.005] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="9E") returned 2 [0098.005] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="6C") returned 2 [0098.005] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="7E") returned 2 [0098.005] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="DA") returned 2 [0098.005] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="D3") returned 2 [0098.005] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="DE") returned 2 [0098.005] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="EC") returned 2 [0098.005] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="A2") returned 2 [0098.005] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="C8") returned 2 [0098.005] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="84") returned 2 [0098.005] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="47") returned 2 [0098.005] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="3F") returned 2 [0098.005] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="72") returned 2 [0098.005] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="F9") returned 2 [0098.005] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="71") returned 2 [0098.005] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="F6") returned 2 [0098.005] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="7E") returned 2 [0098.006] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="30") returned 2 [0098.019] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" [0098.019] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" [0098.019] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm", lpString2=".2580E11390A069190A0BFC88CBDD9E6C7EDAD3DEECA2C884473F72F971F67E30" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.2580E11390A069190A0BFC88CBDD9E6C7EDAD3DEECA2C884473F72F971F67E30") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.2580E11390A069190A0BFC88CBDD9E6C7EDAD3DEECA2C884473F72F971F67E30" [0098.019] CreateIoCompletionPort (FileHandle=0x174, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0098.019] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0098.020] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x42c75f00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x42c75f00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2488, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0098.020] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0098.020] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0098.068] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0098.068] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0098.068] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0098.068] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0098.068] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0098.068] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0098.069] lstrcmpW (lpString1="Setup.xml", lpString2="PUSSY.TXT") returned 1 [0098.069] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0098.069] lstrlenW (lpString=".xml") returned 4 [0098.069] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0098.069] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a0 [0098.069] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=9352) returned 1 [0098.069] GetProcessHeap () returned 0x4c0000 [0098.069] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b500e8 [0098.084] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="D4") returned 2 [0098.084] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="98") returned 2 [0098.084] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="15") returned 2 [0098.084] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="34") returned 2 [0098.084] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="D9") returned 2 [0098.084] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="B1") returned 2 [0098.084] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="C2") returned 2 [0098.084] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="80") returned 2 [0098.084] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="77") returned 2 [0098.084] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="33") returned 2 [0098.084] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="49") returned 2 [0098.084] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="FA") returned 2 [0098.084] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="61") returned 2 [0098.084] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="FB") returned 2 [0098.085] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="E0") returned 2 [0098.085] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="E1") returned 2 [0098.085] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="C8") returned 2 [0098.085] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="3B") returned 2 [0098.085] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="6D") returned 2 [0098.085] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="6B") returned 2 [0098.085] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="13") returned 2 [0098.085] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="D6") returned 2 [0098.085] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="BB") returned 2 [0098.085] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="2E") returned 2 [0098.085] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="E1") returned 2 [0098.085] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="9C") returned 2 [0098.085] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="54") returned 2 [0098.085] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="8A") returned 2 [0098.085] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="DC") returned 2 [0098.085] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="E8") returned 2 [0098.085] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="E7") returned 2 [0098.085] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="58") returned 2 [0098.096] lstrcpyW (in: lpString1=0x3b6011c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" [0098.096] lstrcpyW (in: lpString1=0x3b5011c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" [0098.096] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".D4981534D9B1C280773349FA61FBE0E1C83B6D6B13D6BB2EE19C548ADCE8E758" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.D4981534D9B1C280773349FA61FBE0E1C83B6D6B13D6BB2EE19C548ADCE8E758") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.D4981534D9B1C280773349FA61FBE0E1C83B6D6B13D6BB2EE19C548ADCE8E758" [0098.096] CreateIoCompletionPort (FileHandle=0x1a0, ExistingCompletionPort=0x94, CompletionKey=0x3b500e8, NumberOfConcurrentThreads=0x0) returned 0x94 [0098.096] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b500e8, lpOverlapped=0x3b500e8) returned 1 [0098.097] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x131a1c00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x131a1c00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xe84c60d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="ShellUI.MST", cAlternateFileName="")) returned 1 [0098.097] lstrcmpiW (lpString1="ShellUI.MST", lpString2="Windows") returned -1 [0098.097] lstrcmpiW (lpString1="ShellUI.MST", lpString2="Program Files") returned 1 [0098.097] lstrcmpiW (lpString1="ShellUI.MST", lpString2="Program Files (x86)") returned 1 [0098.097] lstrcmpiW (lpString1="ShellUI.MST", lpString2="$Recycle.bin") returned 1 [0098.107] lstrcmpiW (lpString1="ShellUI.MST", lpString2="System Volume Information") returned -1 [0098.107] lstrcmpiW (lpString1="ShellUI.MST", lpString2=".") returned 1 [0098.108] lstrcmpiW (lpString1="ShellUI.MST", lpString2="..") returned 1 [0098.108] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 78 [0098.108] lstrcmpW (lpString1="ShellUI.MST", lpString2="PUSSY.TXT") returned 1 [0098.108] PathFindExtensionW (pszPath="ShellUI.MST") returned=".MST" [0098.108] lstrlenW (lpString=".MST") returned 4 [0098.108] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0098.108] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0098.108] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=3584) returned 1 [0098.108] GetProcessHeap () returned 0x4c0000 [0098.108] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b78138 [0098.124] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="95") returned 2 [0098.124] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="30") returned 2 [0098.124] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="63") returned 2 [0098.124] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="14") returned 2 [0098.124] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="A5") returned 2 [0098.124] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="35") returned 2 [0098.124] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="60") returned 2 [0098.124] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="B2") returned 2 [0098.124] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="33") returned 2 [0098.124] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="AF") returned 2 [0098.124] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="BE") returned 2 [0098.124] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="74") returned 2 [0098.124] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="A2") returned 2 [0098.124] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="D0") returned 2 [0098.124] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="80") returned 2 [0098.125] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="BC") returned 2 [0098.125] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="E3") returned 2 [0098.125] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="E5") returned 2 [0098.125] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="D0") returned 2 [0098.125] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="16") returned 2 [0098.125] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="9F") returned 2 [0098.125] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="21") returned 2 [0098.125] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="62") returned 2 [0098.125] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="EC") returned 2 [0098.125] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="D6") returned 2 [0098.125] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="60") returned 2 [0098.125] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="72") returned 2 [0098.125] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="F8") returned 2 [0098.125] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="89") returned 2 [0098.125] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="AF") returned 2 [0098.125] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="F2") returned 2 [0098.125] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="28") returned 2 [0098.137] lstrcpyW (in: lpString1=0x3b8816c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" [0098.137] lstrcpyW (in: lpString1=0x3b7816c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" [0098.137] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST", lpString2=".95306314A53560B233AFBE74A2D080BCE3E5D0169F2162ECD66072F889AFF228" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.95306314A53560B233AFBE74A2D080BCE3E5D0169F2162ECD66072F889AFF228") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.95306314A53560B233AFBE74A2D080BCE3E5D0169F2162ECD66072F889AFF228" [0098.137] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x3b78138, NumberOfConcurrentThreads=0x0) returned 0x94 [0098.137] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b78138, lpOverlapped=0x3b78138) returned 1 [0098.138] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x131a1c00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x131a1c00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xe84c60d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="ShellUI.MST", cAlternateFileName="")) returned 0 [0098.145] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0098.147] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\PUSSY.TXT") returned 76 [0098.147] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\PUSSY.TXT" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0098.148] lstrlenA (lpString="abcd") returned 4 [0098.148] WriteFile (in: hFile=0x1a4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0098.149] CloseHandle (hObject=0x1a4) returned 1 [0098.149] GetProcessHeap () returned 0x4c0000 [0098.149] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0098.154] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc112b50, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc112b50, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="{90140000-0117-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9AFC7~1")) returned 1 [0098.154] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0098.154] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0098.154] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0098.154] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0098.154] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0098.154] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0098.154] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0098.154] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C") returned 66 [0098.154] GetProcessHeap () returned 0x4c0000 [0098.154] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0098.156] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C" [0098.156] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="\\*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*" [0098.156] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc112b50, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc112b50, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0098.207] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0098.207] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0098.207] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0098.207] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0098.207] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0098.207] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0098.207] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc112b50, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc112b50, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0098.208] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0098.208] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0098.208] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0098.208] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0098.208] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0098.208] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0098.208] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0098.208] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa2b92d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc0c6890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc0c6890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Access.en-us", cAlternateFileName="ACCESS~1.EN-")) returned 1 [0098.208] lstrcmpiW (lpString1="Access.en-us", lpString2="Windows") returned -1 [0098.208] lstrcmpiW (lpString1="Access.en-us", lpString2="Program Files") returned -1 [0098.208] lstrcmpiW (lpString1="Access.en-us", lpString2="Program Files (x86)") returned -1 [0098.208] lstrcmpiW (lpString1="Access.en-us", lpString2="$Recycle.bin") returned 1 [0098.208] lstrcmpiW (lpString1="Access.en-us", lpString2="System Volume Information") returned -1 [0098.208] lstrcmpiW (lpString1="Access.en-us", lpString2=".") returned 1 [0098.208] lstrcmpiW (lpString1="Access.en-us", lpString2="..") returned 1 [0098.208] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us") returned 79 [0098.208] GetProcessHeap () returned 0x4c0000 [0098.208] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x522a98 [0098.209] lstrcpyW (in: lpString1=0x522a98, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us" [0098.209] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us", lpString2="\\*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\*" [0098.209] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa2b92d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc0c6890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc0c6890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4dbf10 [0098.212] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0098.212] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0098.212] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0098.212] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0098.212] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0098.212] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0098.212] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa2b92d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc0c6890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc0c6890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0098.213] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0098.213] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0098.213] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0098.213] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0098.213] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0098.213] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0098.213] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0098.213] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa623330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x266a00, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="AccessMUI.msi", cAlternateFileName="ACCESS~1.MSI")) returned 1 [0098.213] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="Windows") returned -1 [0098.213] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="Program Files") returned -1 [0098.213] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="Program Files (x86)") returned -1 [0098.213] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="$Recycle.bin") returned 1 [0098.213] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="System Volume Information") returned -1 [0098.213] lstrcmpiW (lpString1="AccessMUI.msi", lpString2=".") returned 1 [0098.213] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="..") returned 1 [0098.213] wnsprintfW (in: pszDest=0x522a98, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 93 [0098.213] lstrcmpW (lpString1="AccessMUI.msi", lpString2="PUSSY.TXT") returned -1 [0098.213] PathFindExtensionW (pszPath="AccessMUI.msi") returned=".msi" [0098.213] lstrlenW (lpString=".msi") returned 4 [0098.213] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0098.213] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0098.214] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=2517504) returned 1 [0098.214] GetProcessHeap () returned 0x4c0000 [0098.215] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0098.223] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="B5") returned 2 [0098.223] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="1C") returned 2 [0098.223] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="B1") returned 2 [0098.223] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="06") returned 2 [0098.223] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="33") returned 2 [0098.223] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="41") returned 2 [0098.223] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="15") returned 2 [0098.223] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="D1") returned 2 [0098.223] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="00") returned 2 [0098.224] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="9D") returned 2 [0098.224] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="11") returned 2 [0098.224] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="DA") returned 2 [0098.224] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="EF") returned 2 [0098.224] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="8C") returned 2 [0098.224] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="54") returned 2 [0098.224] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="B1") returned 2 [0098.224] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="BF") returned 2 [0098.224] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="4A") returned 2 [0098.224] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="B4") returned 2 [0098.224] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="2E") returned 2 [0098.224] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="2C") returned 2 [0098.224] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="7A") returned 2 [0098.224] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="45") returned 2 [0098.224] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="F4") returned 2 [0098.224] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="75") returned 2 [0098.224] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="18") returned 2 [0098.224] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="97") returned 2 [0098.224] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="0D") returned 2 [0098.224] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="5D") returned 2 [0098.224] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="AB") returned 2 [0098.224] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="CD") returned 2 [0098.224] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="68") returned 2 [0098.233] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" [0098.233] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" [0098.233] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi", lpString2=".B51CB106334115D1009D11DAEF8C54B1BF4AB42E2C7A45F47518970D5DABCD68" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.B51CB106334115D1009D11DAEF8C54B1BF4AB42E2C7A45F47518970D5DABCD68") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.B51CB106334115D1009D11DAEF8C54B1BF4AB42E2C7A45F47518970D5DABCD68" [0098.233] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0098.233] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0098.233] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa5fe940, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x545, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="AccessMUI.xml", cAlternateFileName="ACCESS~1.XML")) returned 1 [0098.233] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="Windows") returned -1 [0098.233] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="Program Files") returned -1 [0098.233] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="Program Files (x86)") returned -1 [0098.233] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="$Recycle.bin") returned 1 [0098.233] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="System Volume Information") returned -1 [0098.233] lstrcmpiW (lpString1="AccessMUI.xml", lpString2=".") returned 1 [0098.233] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="..") returned 1 [0098.233] wnsprintfW (in: pszDest=0x522a98, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 93 [0098.234] lstrcmpW (lpString1="AccessMUI.xml", lpString2="PUSSY.TXT") returned -1 [0098.234] PathFindExtensionW (pszPath="AccessMUI.xml") returned=".xml" [0098.234] lstrlenW (lpString=".xml") returned 4 [0098.234] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0098.234] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x170 [0098.266] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=1349) returned 1 [0098.266] GetProcessHeap () returned 0x4c0000 [0098.266] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x54aae8 [0098.276] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="A8") returned 2 [0098.276] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="D7") returned 2 [0098.276] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="1D") returned 2 [0098.276] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="1E") returned 2 [0098.276] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="C7") returned 2 [0098.276] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="9E") returned 2 [0098.276] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="C4") returned 2 [0098.276] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="FF") returned 2 [0098.276] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="DF") returned 2 [0098.276] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="1E") returned 2 [0098.276] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="64") returned 2 [0098.276] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="06") returned 2 [0098.276] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="28") returned 2 [0098.276] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="E7") returned 2 [0098.276] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="C1") returned 2 [0098.276] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="B8") returned 2 [0098.276] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="48") returned 2 [0098.276] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="D1") returned 2 [0098.276] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="FA") returned 2 [0098.276] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="9B") returned 2 [0098.276] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="5C") returned 2 [0098.276] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="01") returned 2 [0098.276] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="0C") returned 2 [0098.276] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="95") returned 2 [0098.276] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="7C") returned 2 [0098.276] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="7B") returned 2 [0098.276] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="3C") returned 2 [0098.277] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="E7") returned 2 [0098.277] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="8B") returned 2 [0098.277] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="17") returned 2 [0098.277] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="3B") returned 2 [0098.277] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="3F") returned 2 [0098.286] lstrcpyW (in: lpString1=0x55ab1c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" [0098.286] lstrcpyW (in: lpString1=0x54ab1c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" [0098.286] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml", lpString2=".A8D71D1EC79EC4FFDF1E640628E7C1B848D1FA9B5C010C957C7B3CE78B173B3F" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.A8D71D1EC79EC4FFDF1E640628E7C1B848D1FA9B5C010C957C7B3CE78B173B3F") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.A8D71D1EC79EC4FFDF1E640628E7C1B848D1FA9B5C010C957C7B3CE78B173B3F" [0098.286] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x94, CompletionKey=0x54aae8, NumberOfConcurrentThreads=0x0) returned 0x94 [0098.287] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x54aae8, lpOverlapped=0x54aae8) returned 1 [0098.287] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3216e900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3216e900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa64a430, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1ab7e94, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="AccLR.cab", cAlternateFileName="")) returned 1 [0098.287] lstrcmpiW (lpString1="AccLR.cab", lpString2="Windows") returned -1 [0098.287] lstrcmpiW (lpString1="AccLR.cab", lpString2="Program Files") returned -1 [0098.287] lstrcmpiW (lpString1="AccLR.cab", lpString2="Program Files (x86)") returned -1 [0098.287] lstrcmpiW (lpString1="AccLR.cab", lpString2="$Recycle.bin") returned 1 [0098.287] lstrcmpiW (lpString1="AccLR.cab", lpString2="System Volume Information") returned -1 [0098.287] lstrcmpiW (lpString1="AccLR.cab", lpString2=".") returned 1 [0098.287] lstrcmpiW (lpString1="AccLR.cab", lpString2="..") returned 1 [0098.287] wnsprintfW (in: pszDest=0x522a98, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 89 [0098.287] lstrcmpW (lpString1="AccLR.cab", lpString2="PUSSY.TXT") returned -1 [0098.287] PathFindExtensionW (pszPath="AccLR.cab") returned=".cab" [0098.287] lstrlenW (lpString=".cab") returned 4 [0098.287] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0098.287] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0098.289] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=28016276) returned 1 [0098.289] GetProcessHeap () returned 0x4c0000 [0098.289] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x572b38 [0098.299] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="E4") returned 2 [0098.299] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="9D") returned 2 [0098.299] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="CA") returned 2 [0098.299] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="29") returned 2 [0098.300] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="A8") returned 2 [0098.300] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="EA") returned 2 [0098.300] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="35") returned 2 [0098.300] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="B5") returned 2 [0098.300] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="06") returned 2 [0098.300] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="AF") returned 2 [0098.300] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="64") returned 2 [0098.300] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="9F") returned 2 [0098.300] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="1D") returned 2 [0098.300] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="C9") returned 2 [0098.300] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="6F") returned 2 [0098.300] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="44") returned 2 [0098.300] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="37") returned 2 [0098.300] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="5B") returned 2 [0098.300] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="3D") returned 2 [0098.300] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="CD") returned 2 [0098.300] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="A5") returned 2 [0098.300] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="27") returned 2 [0098.300] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="0E") returned 2 [0098.300] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="1B") returned 2 [0098.300] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="AD") returned 2 [0098.300] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="D2") returned 2 [0098.300] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="7E") returned 2 [0098.300] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="D7") returned 2 [0098.300] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="52") returned 2 [0098.300] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="C5") returned 2 [0098.300] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="B3") returned 2 [0098.300] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="20") returned 2 [0098.313] lstrcpyW (in: lpString1=0x582b6c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" [0098.313] lstrcpyW (in: lpString1=0x572b6c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" [0098.313] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab", lpString2=".E49DCA29A8EA35B506AF649F1DC96F44375B3DCDA5270E1BADD27ED752C5B320" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.E49DCA29A8EA35B506AF649F1DC96F44375B3DCDA5270E1BADD27ED752C5B320") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.E49DCA29A8EA35B506AF649F1DC96F44375B3DCDA5270E1BADD27ED752C5B320" [0098.313] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x572b38, NumberOfConcurrentThreads=0x0) returned 0x94 [0098.313] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x572b38, lpOverlapped=0x572b38) returned 1 [0098.313] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x11e8ef00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x11e8ef00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xfc0c60c0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x91975, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="branding.xml", cAlternateFileName="")) returned 1 [0098.313] lstrcmpiW (lpString1="branding.xml", lpString2="Windows") returned -1 [0098.313] lstrcmpiW (lpString1="branding.xml", lpString2="Program Files") returned -1 [0098.313] lstrcmpiW (lpString1="branding.xml", lpString2="Program Files (x86)") returned -1 [0098.313] lstrcmpiW (lpString1="branding.xml", lpString2="$Recycle.bin") returned 1 [0098.313] lstrcmpiW (lpString1="branding.xml", lpString2="System Volume Information") returned -1 [0098.314] lstrcmpiW (lpString1="branding.xml", lpString2=".") returned 1 [0098.314] lstrcmpiW (lpString1="branding.xml", lpString2="..") returned 1 [0098.314] wnsprintfW (in: pszDest=0x522a98, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 92 [0098.314] lstrcmpW (lpString1="branding.xml", lpString2="PUSSY.TXT") returned -1 [0098.314] PathFindExtensionW (pszPath="branding.xml") returned=".xml" [0098.314] lstrlenW (lpString=".xml") returned 4 [0098.314] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0098.314] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a4 [0098.345] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=596341) returned 1 [0098.345] GetProcessHeap () returned 0x4c0000 [0098.346] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b00048 [0098.356] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="1C") returned 2 [0098.356] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="07") returned 2 [0098.356] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="6F") returned 2 [0098.356] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="F3") returned 2 [0098.356] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="C8") returned 2 [0098.356] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="AB") returned 2 [0098.356] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="9B") returned 2 [0098.356] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="F0") returned 2 [0098.356] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="77") returned 2 [0098.356] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="37") returned 2 [0098.356] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="6F") returned 2 [0098.356] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="08") returned 2 [0098.356] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="D2") returned 2 [0098.357] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="FF") returned 2 [0098.357] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="6B") returned 2 [0098.357] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="DC") returned 2 [0098.357] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="72") returned 2 [0098.357] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="83") returned 2 [0098.357] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="B3") returned 2 [0098.357] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="28") returned 2 [0098.357] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="22") returned 2 [0098.357] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="C3") returned 2 [0098.357] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="DB") returned 2 [0098.357] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="EC") returned 2 [0098.357] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="C5") returned 2 [0098.357] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="B6") returned 2 [0098.357] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="6E") returned 2 [0098.357] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="3C") returned 2 [0098.357] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="FB") returned 2 [0098.357] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="C5") returned 2 [0098.357] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="DF") returned 2 [0098.357] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="58") returned 2 [0098.367] lstrcpyW (in: lpString1=0x3b1007c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" [0098.367] lstrcpyW (in: lpString1=0x3b0007c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" [0098.367] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpString2=".1C076FF3C8AB9BF077376F08D2FF6BDC7283B32822C3DBECC5B66E3CFBC5DF58" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.1C076FF3C8AB9BF077376F08D2FF6BDC7283B32822C3DBECC5B66E3CFBC5DF58") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.1C076FF3C8AB9BF077376F08D2FF6BDC7283B32822C3DBECC5B66E3CFBC5DF58" [0098.367] CreateIoCompletionPort (FileHandle=0x1a4, ExistingCompletionPort=0x94, CompletionKey=0x3b00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0098.368] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b00048, lpOverlapped=0x3b00048) returned 1 [0098.382] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x11e8ef00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x11e8ef00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xfc0c60c0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x91975, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="branding.xml", cAlternateFileName="")) returned 0 [0098.382] FindClose (in: hFindFile=0x4dbf10 | out: hFindFile=0x4dbf10) returned 1 [0098.382] wnsprintfW (in: pszDest=0x522a98, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\PUSSY.TXT") returned 89 [0098.382] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\PUSSY.TXT" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0098.420] lstrlenA (lpString="abcd") returned 4 [0098.420] WriteFile (in: hFile=0x198, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0098.421] CloseHandle (hObject=0x198) returned 1 [0098.421] GetProcessHeap () returned 0x4c0000 [0098.421] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x522a98 | out: hHeap=0x4c0000) returned 1 [0098.423] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa160f00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd4200, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="AccessMUISet.msi", cAlternateFileName="ACCESS~1.MSI")) returned 1 [0098.423] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="Windows") returned -1 [0098.423] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="Program Files") returned -1 [0098.423] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="Program Files (x86)") returned -1 [0098.423] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="$Recycle.bin") returned 1 [0098.423] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="System Volume Information") returned -1 [0098.424] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2=".") returned 1 [0098.424] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="..") returned 1 [0098.424] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 83 [0098.424] lstrcmpW (lpString1="AccessMUISet.msi", lpString2="PUSSY.TXT") returned -1 [0098.424] PathFindExtensionW (pszPath="AccessMUISet.msi") returned=".msi" [0098.424] lstrlenW (lpString=".msi") returned 4 [0098.424] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0098.424] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x198 [0098.425] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=868864) returned 1 [0098.425] GetProcessHeap () returned 0x4c0000 [0098.425] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b28098 [0098.440] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="44") returned 2 [0098.440] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="06") returned 2 [0098.440] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="3D") returned 2 [0098.440] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="DE") returned 2 [0098.440] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="A5") returned 2 [0098.440] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="11") returned 2 [0098.440] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="DB") returned 2 [0098.440] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="AF") returned 2 [0098.440] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="A1") returned 2 [0098.440] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="80") returned 2 [0098.440] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="4B") returned 2 [0098.440] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="13") returned 2 [0098.440] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="BD") returned 2 [0098.440] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="4A") returned 2 [0098.440] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="40") returned 2 [0098.440] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="BA") returned 2 [0098.441] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="D4") returned 2 [0098.441] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="EA") returned 2 [0098.441] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="2C") returned 2 [0098.441] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="08") returned 2 [0098.441] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="DA") returned 2 [0098.441] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="2C") returned 2 [0098.441] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="42") returned 2 [0098.441] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="F5") returned 2 [0098.441] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="9D") returned 2 [0098.441] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="CD") returned 2 [0098.441] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="21") returned 2 [0098.441] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="33") returned 2 [0098.441] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="D9") returned 2 [0098.441] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="2E") returned 2 [0098.441] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="E6") returned 2 [0098.441] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="00") returned 2 [0098.454] lstrcpyW (in: lpString1=0x3b380cc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" [0098.454] lstrcpyW (in: lpString1=0x3b280cc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" [0098.454] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi", lpString2=".44063DDEA511DBAFA1804B13BD4A40BAD4EA2C08DA2C42F59DCD2133D92EE600" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.44063DDEA511DBAFA1804B13BD4A40BAD4EA2C08DA2C42F59DCD2133D92EE600") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.44063DDEA511DBAFA1804B13BD4A40BAD4EA2C08DA2C42F59DCD2133D92EE600" [0098.454] CreateIoCompletionPort (FileHandle=0x198, ExistingCompletionPort=0x94, CompletionKey=0x3b28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0098.454] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b28098, lpOverlapped=0x3b28098) returned 1 [0098.454] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x333, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="AccessMUISet.xml", cAlternateFileName="ACCESS~1.XML")) returned 1 [0098.454] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="Windows") returned -1 [0098.454] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="Program Files") returned -1 [0098.454] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="Program Files (x86)") returned -1 [0098.454] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="$Recycle.bin") returned 1 [0098.454] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="System Volume Information") returned -1 [0098.454] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2=".") returned 1 [0098.454] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="..") returned 1 [0098.455] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 83 [0098.455] lstrcmpW (lpString1="AccessMUISet.xml", lpString2="PUSSY.TXT") returned -1 [0098.455] PathFindExtensionW (pszPath="AccessMUISet.xml") returned=".xml" [0098.455] lstrlenW (lpString=".xml") returned 4 [0098.455] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0098.455] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0098.455] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=819) returned 1 [0098.455] GetProcessHeap () returned 0x4c0000 [0098.455] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b500e8 [0098.471] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="95") returned 2 [0098.471] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="67") returned 2 [0098.471] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="D9") returned 2 [0098.471] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="A3") returned 2 [0098.471] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="DB") returned 2 [0098.471] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="1C") returned 2 [0098.471] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="6D") returned 2 [0098.471] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="A3") returned 2 [0098.471] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="10") returned 2 [0098.471] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="BA") returned 2 [0098.472] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="98") returned 2 [0098.472] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="87") returned 2 [0098.472] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="DB") returned 2 [0098.472] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="6C") returned 2 [0098.472] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="0D") returned 2 [0098.472] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="09") returned 2 [0098.472] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="15") returned 2 [0098.472] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="68") returned 2 [0098.472] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="92") returned 2 [0098.472] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="E7") returned 2 [0098.472] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="E4") returned 2 [0098.472] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="5B") returned 2 [0098.472] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="A4") returned 2 [0098.472] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="17") returned 2 [0098.472] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="50") returned 2 [0098.472] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="82") returned 2 [0098.472] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="60") returned 2 [0098.472] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="88") returned 2 [0098.472] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="C6") returned 2 [0098.472] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="E8") returned 2 [0098.472] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="2C") returned 2 [0098.472] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="66") returned 2 [0098.486] lstrcpyW (in: lpString1=0x3b6011c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" [0098.486] lstrcpyW (in: lpString1=0x3b5011c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" [0098.486] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml", lpString2=".9567D9A3DB1C6DA310BA9887DB6C0D09156892E7E45BA41750826088C6E82C66" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.9567D9A3DB1C6DA310BA9887DB6C0D09156892E7E45BA41750826088C6E82C66") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.9567D9A3DB1C6DA310BA9887DB6C0D09156892E7E45BA41750826088C6E82C66" [0098.486] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x3b500e8, NumberOfConcurrentThreads=0x0) returned 0x94 [0098.486] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b500e8, lpOverlapped=0x3b500e8) returned 1 [0098.486] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc111bb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xa40, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0098.486] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0098.486] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0098.486] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0098.486] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0098.486] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0098.486] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0098.486] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0098.486] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0098.486] lstrcmpW (lpString1="Setup.xml", lpString2="PUSSY.TXT") returned 1 [0098.486] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0098.486] lstrlenW (lpString=".xml") returned 4 [0098.486] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0098.487] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a0 [0098.487] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=2624) returned 1 [0098.487] GetProcessHeap () returned 0x4c0000 [0098.487] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b78138 [0098.497] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="6B") returned 2 [0098.497] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="FF") returned 2 [0098.497] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="B8") returned 2 [0098.497] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="5D") returned 2 [0098.498] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="40") returned 2 [0098.498] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="1C") returned 2 [0098.498] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="BC") returned 2 [0098.498] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="72") returned 2 [0098.498] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="F0") returned 2 [0098.498] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="20") returned 2 [0098.498] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="FE") returned 2 [0098.498] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="A1") returned 2 [0098.498] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="70") returned 2 [0098.498] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="FD") returned 2 [0098.498] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="8C") returned 2 [0098.498] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="9F") returned 2 [0098.498] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="B8") returned 2 [0098.498] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="7C") returned 2 [0098.498] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="47") returned 2 [0098.498] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="18") returned 2 [0098.498] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="3B") returned 2 [0098.498] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="1D") returned 2 [0098.498] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="04") returned 2 [0098.498] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="EE") returned 2 [0098.498] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="89") returned 2 [0098.498] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="64") returned 2 [0098.498] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="35") returned 2 [0098.498] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="39") returned 2 [0098.498] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="18") returned 2 [0098.498] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="BC") returned 2 [0098.498] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="46") returned 2 [0098.498] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="48") returned 2 [0098.507] lstrcpyW (in: lpString1=0x3b8816c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" [0098.507] lstrcpyW (in: lpString1=0x3b7816c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" [0098.507] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".6BFFB85D401CBC72F020FEA170FD8C9FB87C47183B1D04EE8964353918BC4648" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.6BFFB85D401CBC72F020FEA170FD8C9FB87C47183B1D04EE8964353918BC4648") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.6BFFB85D401CBC72F020FEA170FD8C9FB87C47183B1D04EE8964353918BC4648" [0098.507] CreateIoCompletionPort (FileHandle=0x1a0, ExistingCompletionPort=0x94, CompletionKey=0x3b78138, NumberOfConcurrentThreads=0x0) returned 0x94 [0098.508] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b78138, lpOverlapped=0x3b78138) returned 1 [0098.508] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc111bb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xa40, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0098.508] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0098.508] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\PUSSY.TXT") returned 76 [0098.508] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\PUSSY.TXT" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0098.509] lstrlenA (lpString="abcd") returned 4 [0098.509] WriteFile (in: hFile=0x174, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0098.510] CloseHandle (hObject=0x174) returned 1 [0098.510] GetProcessHeap () returned 0x4c0000 [0098.510] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0098.510] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfe09ced0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x18179b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x18179b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="{91140000-0011-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~1")) returned 1 [0098.510] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0098.510] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0098.510] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0098.510] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0098.510] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0098.510] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0098.511] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0098.511] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C") returned 66 [0098.511] GetProcessHeap () returned 0x4c0000 [0098.511] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0098.511] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C" [0098.511] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="\\*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*" [0098.511] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfe09ced0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x18179b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x18179b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0098.548] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0098.548] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0098.548] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0098.548] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0098.548] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0098.548] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0098.552] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfe09ced0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x18179b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x18179b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0098.552] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0098.552] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0098.552] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0098.552] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0098.552] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0098.552] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0098.552] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0098.552] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x34ae1a00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x34ae1a00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xfe0c2860, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1e6600, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Office32WW.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0098.552] lstrcmpiW (lpString1="Office32WW.msi", lpString2="Windows") returned -1 [0098.552] lstrcmpiW (lpString1="Office32WW.msi", lpString2="Program Files") returned -1 [0098.552] lstrcmpiW (lpString1="Office32WW.msi", lpString2="Program Files (x86)") returned -1 [0098.552] lstrcmpiW (lpString1="Office32WW.msi", lpString2="$Recycle.bin") returned 1 [0098.552] lstrcmpiW (lpString1="Office32WW.msi", lpString2="System Volume Information") returned -1 [0098.552] lstrcmpiW (lpString1="Office32WW.msi", lpString2=".") returned 1 [0098.552] lstrcmpiW (lpString1="Office32WW.msi", lpString2="..") returned 1 [0098.552] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 81 [0098.552] lstrcmpW (lpString1="Office32WW.msi", lpString2="PUSSY.TXT") returned -1 [0098.552] PathFindExtensionW (pszPath="Office32WW.msi") returned=".msi" [0098.553] lstrlenW (lpString=".msi") returned 4 [0098.553] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0098.553] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0098.554] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=1992192) returned 1 [0098.554] GetProcessHeap () returned 0x4c0000 [0098.554] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b500e8 [0098.568] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="94") returned 2 [0098.568] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="D7") returned 2 [0098.568] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="98") returned 2 [0098.568] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="D0") returned 2 [0098.568] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="F1") returned 2 [0098.568] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="20") returned 2 [0098.568] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="C7") returned 2 [0098.568] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="74") returned 2 [0098.568] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="9D") returned 2 [0098.568] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="C7") returned 2 [0098.568] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="B5") returned 2 [0098.568] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="52") returned 2 [0098.568] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="E1") returned 2 [0098.568] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="D1") returned 2 [0098.568] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="42") returned 2 [0098.568] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="9B") returned 2 [0098.568] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="6A") returned 2 [0098.568] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="9E") returned 2 [0098.568] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="47") returned 2 [0098.568] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="11") returned 2 [0098.568] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="F9") returned 2 [0098.569] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="AD") returned 2 [0098.569] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="B1") returned 2 [0098.569] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="AF") returned 2 [0098.569] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="39") returned 2 [0098.569] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="3A") returned 2 [0098.569] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="8F") returned 2 [0098.569] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="38") returned 2 [0098.569] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="D0") returned 2 [0098.569] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="EF") returned 2 [0098.569] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="F1") returned 2 [0098.569] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="01") returned 2 [0098.578] lstrcpyW (in: lpString1=0x3b6011c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" [0098.578] lstrcpyW (in: lpString1=0x3b5011c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" [0098.578] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi", lpString2=".94D798D0F120C7749DC7B552E1D1429B6A9E4711F9ADB1AF393A8F38D0EFF101" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.94D798D0F120C7749DC7B552E1D1429B6A9E4711F9ADB1AF393A8F38D0EFF101") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.94D798D0F120C7749DC7B552E1D1429B6A9E4711F9ADB1AF393A8F38D0EFF101" [0098.578] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x3b500e8, NumberOfConcurrentThreads=0x0) returned 0x94 [0098.578] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b500e8, lpOverlapped=0x3b500e8) returned 1 [0098.578] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x940c2a00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x940c2a00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xfe09b760, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x10b2, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Office32WW.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0098.578] lstrcmpiW (lpString1="Office32WW.xml", lpString2="Windows") returned -1 [0098.578] lstrcmpiW (lpString1="Office32WW.xml", lpString2="Program Files") returned -1 [0098.578] lstrcmpiW (lpString1="Office32WW.xml", lpString2="Program Files (x86)") returned -1 [0098.578] lstrcmpiW (lpString1="Office32WW.xml", lpString2="$Recycle.bin") returned 1 [0098.578] lstrcmpiW (lpString1="Office32WW.xml", lpString2="System Volume Information") returned -1 [0098.578] lstrcmpiW (lpString1="Office32WW.xml", lpString2=".") returned 1 [0098.578] lstrcmpiW (lpString1="Office32WW.xml", lpString2="..") returned 1 [0098.578] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0098.578] lstrcmpW (lpString1="Office32WW.xml", lpString2="PUSSY.TXT") returned -1 [0098.578] PathFindExtensionW (pszPath="Office32WW.xml") returned=".xml" [0098.578] lstrlenW (lpString=".xml") returned 4 [0098.578] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0098.579] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x188 [0098.579] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=4274) returned 1 [0098.579] GetProcessHeap () returned 0x4c0000 [0098.579] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3ba0188 [0098.589] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="CD") returned 2 [0098.589] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="E4") returned 2 [0098.589] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="5F") returned 2 [0098.589] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="E9") returned 2 [0098.589] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="17") returned 2 [0098.589] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="EB") returned 2 [0098.589] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="A5") returned 2 [0098.589] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="27") returned 2 [0098.589] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="B6") returned 2 [0098.589] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="02") returned 2 [0098.589] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="B6") returned 2 [0098.589] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="38") returned 2 [0098.589] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="FD") returned 2 [0098.589] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="E6") returned 2 [0098.590] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="1E") returned 2 [0098.590] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="85") returned 2 [0098.590] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="1E") returned 2 [0098.590] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="86") returned 2 [0098.590] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="0A") returned 2 [0098.590] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="24") returned 2 [0098.590] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="D0") returned 2 [0098.590] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="B8") returned 2 [0098.590] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="F2") returned 2 [0098.590] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="75") returned 2 [0098.590] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="33") returned 2 [0098.590] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="96") returned 2 [0098.590] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="62") returned 2 [0098.590] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="45") returned 2 [0098.590] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="D7") returned 2 [0098.590] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="66") returned 2 [0098.590] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="37") returned 2 [0098.590] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="68") returned 2 [0098.599] lstrcpyW (in: lpString1=0x3bb01bc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" [0098.599] lstrcpyW (in: lpString1=0x3ba01bc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" [0098.599] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpString2=".CDE45FE917EBA527B602B638FDE61E851E860A24D0B8F27533966245D7663768" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.CDE45FE917EBA527B602B638FDE61E851E860A24D0B8F27533966245D7663768") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.CDE45FE917EBA527B602B638FDE61E851E860A24D0B8F27533966245D7663768" [0098.599] CreateIoCompletionPort (FileHandle=0x188, ExistingCompletionPort=0x94, CompletionKey=0x3ba0188, NumberOfConcurrentThreads=0x0) returned 0x94 [0098.599] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3ba0188, lpOverlapped=0x3ba0188) returned 1 [0098.599] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf885a000, ftCreationTime.dwHighDateTime=0x1cac4d7, ftLastAccessTime.dwLowDateTime=0xf885a000, ftLastAccessTime.dwHighDateTime=0x1cac4d7, ftLastWriteTime.dwLowDateTime=0x17c42c30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x2a968, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="ose.exe", cAlternateFileName="")) returned 1 [0098.599] lstrcmpiW (lpString1="ose.exe", lpString2="Windows") returned -1 [0098.599] lstrcmpiW (lpString1="ose.exe", lpString2="Program Files") returned -1 [0098.599] lstrcmpiW (lpString1="ose.exe", lpString2="Program Files (x86)") returned -1 [0098.599] lstrcmpiW (lpString1="ose.exe", lpString2="$Recycle.bin") returned 1 [0098.599] lstrcmpiW (lpString1="ose.exe", lpString2="System Volume Information") returned -1 [0098.599] lstrcmpiW (lpString1="ose.exe", lpString2=".") returned 1 [0098.599] lstrcmpiW (lpString1="ose.exe", lpString2="..") returned 1 [0098.600] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 74 [0098.600] lstrcmpW (lpString1="ose.exe", lpString2="PUSSY.TXT") returned -1 [0098.600] PathFindExtensionW (pszPath="ose.exe") returned=".exe" [0098.600] lstrlenW (lpString=".exe") returned 4 [0098.600] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0098.600] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x180 [0098.644] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=174440) returned 1 [0098.644] GetProcessHeap () returned 0x4c0000 [0098.644] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c28098 [0098.654] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="37") returned 2 [0098.654] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="65") returned 2 [0098.654] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="24") returned 2 [0098.654] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="B8") returned 2 [0098.654] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="55") returned 2 [0098.654] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="12") returned 2 [0098.654] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="BB") returned 2 [0098.654] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="A0") returned 2 [0098.654] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="B2") returned 2 [0098.654] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="18") returned 2 [0098.654] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="41") returned 2 [0098.654] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="5F") returned 2 [0098.654] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="27") returned 2 [0098.654] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="8B") returned 2 [0098.654] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="79") returned 2 [0098.654] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="7A") returned 2 [0098.654] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="B1") returned 2 [0098.655] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="EF") returned 2 [0098.655] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="FB") returned 2 [0098.655] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="24") returned 2 [0098.655] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="93") returned 2 [0098.655] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="47") returned 2 [0098.655] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="45") returned 2 [0098.655] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="B3") returned 2 [0098.655] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="3A") returned 2 [0098.655] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="DE") returned 2 [0098.655] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="3B") returned 2 [0098.655] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="F8") returned 2 [0098.655] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="D4") returned 2 [0098.655] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="DE") returned 2 [0098.655] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="07") returned 2 [0098.655] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="30") returned 2 [0098.663] lstrcpyW (in: lpString1=0x3c380cc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" [0098.663] lstrcpyW (in: lpString1=0x3c280cc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" [0098.663] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe", lpString2=".376524B85512BBA0B218415F278B797AB1EFFB24934745B33ADE3BF8D4DE0730" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe.376524B85512BBA0B218415F278B797AB1EFFB24934745B33ADE3BF8D4DE0730") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe.376524B85512BBA0B218415F278B797AB1EFFB24934745B33ADE3BF8D4DE0730" [0098.663] CreateIoCompletionPort (FileHandle=0x180, ExistingCompletionPort=0x94, CompletionKey=0x3c28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0098.663] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c28098, lpOverlapped=0x3c28098) returned 1 [0098.664] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd900f00, ftCreationTime.dwHighDateTime=0x1cac15b, ftLastAccessTime.dwLowDateTime=0xbd900f00, ftLastAccessTime.dwHighDateTime=0x1cac15b, ftLastWriteTime.dwLowDateTime=0x16854390, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x709768, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="osetup.dll", cAlternateFileName="")) returned 1 [0098.664] lstrcmpiW (lpString1="osetup.dll", lpString2="Windows") returned -1 [0098.664] lstrcmpiW (lpString1="osetup.dll", lpString2="Program Files") returned -1 [0098.664] lstrcmpiW (lpString1="osetup.dll", lpString2="Program Files (x86)") returned -1 [0098.664] lstrcmpiW (lpString1="osetup.dll", lpString2="$Recycle.bin") returned 1 [0098.664] lstrcmpiW (lpString1="osetup.dll", lpString2="System Volume Information") returned -1 [0098.694] lstrcmpiW (lpString1="osetup.dll", lpString2=".") returned 1 [0098.694] lstrcmpiW (lpString1="osetup.dll", lpString2="..") returned 1 [0098.694] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 77 [0098.694] lstrcmpW (lpString1="osetup.dll", lpString2="PUSSY.TXT") returned -1 [0098.694] PathFindExtensionW (pszPath="osetup.dll") returned=".dll" [0098.694] lstrlenW (lpString=".dll") returned 4 [0098.694] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0098.694] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x188 [0098.699] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=7378792) returned 1 [0098.699] GetProcessHeap () returned 0x4c0000 [0098.699] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c500e8 [0098.709] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="DF") returned 2 [0098.709] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="47") returned 2 [0098.709] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="34") returned 2 [0098.709] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="81") returned 2 [0098.709] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="9A") returned 2 [0098.709] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="99") returned 2 [0098.709] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="C6") returned 2 [0098.709] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="59") returned 2 [0098.709] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="45") returned 2 [0098.709] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="94") returned 2 [0098.709] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="9A") returned 2 [0098.709] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="68") returned 2 [0098.709] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="04") returned 2 [0098.710] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="13") returned 2 [0098.710] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="A4") returned 2 [0098.710] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="EC") returned 2 [0098.710] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="13") returned 2 [0098.710] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="CE") returned 2 [0098.710] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="67") returned 2 [0098.710] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="F1") returned 2 [0098.710] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="1E") returned 2 [0098.710] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="CA") returned 2 [0098.710] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="78") returned 2 [0098.710] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="75") returned 2 [0098.710] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="6C") returned 2 [0098.710] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="37") returned 2 [0098.710] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="37") returned 2 [0098.710] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="B8") returned 2 [0098.710] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="85") returned 2 [0098.710] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="3A") returned 2 [0098.710] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="47") returned 2 [0098.710] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="4D") returned 2 [0098.719] lstrcpyW (in: lpString1=0x3c6011c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" [0098.719] lstrcpyW (in: lpString1=0x3c5011c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" [0098.719] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll", lpString2=".DF4734819A99C65945949A680413A4EC13CE67F11ECA78756C3737B8853A474D" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.DF4734819A99C65945949A680413A4EC13CE67F11ECA78756C3737B8853A474D") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.DF4734819A99C65945949A680413A4EC13CE67F11ECA78756C3737B8853A474D" [0098.719] CreateIoCompletionPort (FileHandle=0x188, ExistingCompletionPort=0x94, CompletionKey=0x3c500e8, NumberOfConcurrentThreads=0x0) returned 0x94 [0098.719] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c500e8, lpOverlapped=0x3c500e8) returned 1 [0098.719] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x147e5b00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x147e5b00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xff654fc0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x228df5c, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="OWOW32WW.cab", cAlternateFileName="")) returned 1 [0098.719] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="Windows") returned -1 [0098.719] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="Program Files") returned -1 [0098.719] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="Program Files (x86)") returned -1 [0098.719] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="$Recycle.bin") returned 1 [0098.719] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="System Volume Information") returned -1 [0098.720] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2=".") returned 1 [0098.720] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="..") returned 1 [0098.720] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 79 [0098.720] lstrcmpW (lpString1="OWOW32WW.cab", lpString2="PUSSY.TXT") returned -1 [0098.720] PathFindExtensionW (pszPath="OWOW32WW.cab") returned=".cab" [0098.720] lstrlenW (lpString=".cab") returned 4 [0098.720] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0098.720] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0098.720] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=36233052) returned 1 [0098.720] GetProcessHeap () returned 0x4c0000 [0098.720] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c78138 [0098.839] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="1F") returned 2 [0098.839] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="06") returned 2 [0098.839] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="93") returned 2 [0098.839] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="02") returned 2 [0098.840] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="F1") returned 2 [0098.840] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="12") returned 2 [0098.840] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="4C") returned 2 [0098.840] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="FD") returned 2 [0098.840] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="86") returned 2 [0098.840] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="81") returned 2 [0098.840] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="4A") returned 2 [0098.840] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="A0") returned 2 [0098.840] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="A0") returned 2 [0098.840] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="64") returned 2 [0098.840] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="81") returned 2 [0098.840] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="17") returned 2 [0098.840] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="E6") returned 2 [0098.840] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="D7") returned 2 [0098.840] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="16") returned 2 [0098.840] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="ED") returned 2 [0098.840] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="48") returned 2 [0098.840] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="78") returned 2 [0098.840] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="BE") returned 2 [0098.840] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="19") returned 2 [0098.840] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="46") returned 2 [0098.840] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="69") returned 2 [0098.840] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="97") returned 2 [0098.840] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="51") returned 2 [0098.840] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="BD") returned 2 [0098.840] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="27") returned 2 [0098.841] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="4E") returned 2 [0098.841] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="6C") returned 2 [0098.853] lstrcpyW (in: lpString1=0x3c8816c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" [0098.853] lstrcpyW (in: lpString1=0x3c7816c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" [0098.853] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab", lpString2=".1F069302F1124CFD86814AA0A0648117E6D716ED4878BE1946699751BD274E6C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.1F069302F1124CFD86814AA0A0648117E6D716ED4878BE1946699751BD274E6C") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.1F069302F1124CFD86814AA0A0648117E6D716ED4878BE1946699751BD274E6C" [0098.853] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x3c78138, NumberOfConcurrentThreads=0x0) returned 0x94 [0098.853] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c78138, lpOverlapped=0x3c78138) returned 1 [0098.853] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe3a02e00, ftCreationTime.dwHighDateTime=0x1cac5f7, ftLastAccessTime.dwLowDateTime=0xe3a02e00, ftLastAccessTime.dwHighDateTime=0x1cac5f7, ftLastWriteTime.dwLowDateTime=0x17e0dbf0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x165510, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="PidGenX.dll", cAlternateFileName="")) returned 1 [0098.854] lstrcmpiW (lpString1="PidGenX.dll", lpString2="Windows") returned -1 [0098.854] lstrcmpiW (lpString1="PidGenX.dll", lpString2="Program Files") returned -1 [0098.897] lstrcmpiW (lpString1="PidGenX.dll", lpString2="Program Files (x86)") returned -1 [0098.897] lstrcmpiW (lpString1="PidGenX.dll", lpString2="$Recycle.bin") returned 1 [0098.897] lstrcmpiW (lpString1="PidGenX.dll", lpString2="System Volume Information") returned -1 [0098.898] lstrcmpiW (lpString1="PidGenX.dll", lpString2=".") returned 1 [0098.898] lstrcmpiW (lpString1="PidGenX.dll", lpString2="..") returned 1 [0098.898] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 78 [0098.898] lstrcmpW (lpString1="PidGenX.dll", lpString2="PUSSY.TXT") returned -1 [0098.898] PathFindExtensionW (pszPath="PidGenX.dll") returned=".dll" [0098.898] lstrlenW (lpString=".dll") returned 4 [0098.898] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0098.898] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x180 [0098.899] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=1463568) returned 1 [0098.899] GetProcessHeap () returned 0x4c0000 [0098.899] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0098.913] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="1C") returned 2 [0098.913] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="6F") returned 2 [0098.913] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="E3") returned 2 [0098.913] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="CD") returned 2 [0098.913] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="1A") returned 2 [0098.913] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="39") returned 2 [0098.913] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="4F") returned 2 [0098.913] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="AC") returned 2 [0098.913] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="34") returned 2 [0098.913] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="01") returned 2 [0098.913] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="D2") returned 2 [0098.913] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="60") returned 2 [0098.913] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="C9") returned 2 [0098.913] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="CF") returned 2 [0098.913] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="F9") returned 2 [0098.913] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="71") returned 2 [0098.913] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="CE") returned 2 [0098.913] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="6F") returned 2 [0098.913] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="21") returned 2 [0098.913] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="66") returned 2 [0098.913] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="F4") returned 2 [0098.913] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="85") returned 2 [0098.913] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="64") returned 2 [0098.913] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="35") returned 2 [0098.913] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="D4") returned 2 [0098.913] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="AC") returned 2 [0098.914] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="14") returned 2 [0098.914] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="4A") returned 2 [0098.914] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="53") returned 2 [0098.914] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="C1") returned 2 [0098.914] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="3E") returned 2 [0098.914] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="47") returned 2 [0098.926] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" [0098.926] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" [0098.926] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll", lpString2=".1C6FE3CD1A394FAC3401D260C9CFF971CE6F2166F4856435D4AC144A53C13E47" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll.1C6FE3CD1A394FAC3401D260C9CFF971CE6F2166F4856435D4AC144A53C13E47") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll.1C6FE3CD1A394FAC3401D260C9CFF971CE6F2166F4856435D4AC144A53C13E47" [0098.926] CreateIoCompletionPort (FileHandle=0x180, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0098.926] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0098.927] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe06a9500, ftCreationTime.dwHighDateTime=0x1cac7e5, ftLastAccessTime.dwLowDateTime=0xe06a9500, ftLastAccessTime.dwHighDateTime=0x1cac7e5, ftLastWriteTime.dwLowDateTime=0x17c42c30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0xaec3a, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="pkeyconfig-office.xrm-ms", cAlternateFileName="PKEYCO~1.XRM")) returned 1 [0098.927] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="Windows") returned -1 [0098.927] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="Program Files") returned -1 [0098.927] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="Program Files (x86)") returned -1 [0098.927] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="$Recycle.bin") returned 1 [0098.927] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="System Volume Information") returned -1 [0098.927] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2=".") returned 1 [0098.927] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="..") returned 1 [0098.927] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0098.927] lstrcmpW (lpString1="pkeyconfig-office.xrm-ms", lpString2="PUSSY.TXT") returned -1 [0098.927] PathFindExtensionW (pszPath="pkeyconfig-office.xrm-ms") returned=".xrm-ms" [0098.927] lstrlenW (lpString=".xrm-ms") returned 7 [0098.927] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0098.927] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0098.928] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=715834) returned 1 [0098.928] GetProcessHeap () returned 0x4c0000 [0098.928] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c28098 [0098.985] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="AD") returned 2 [0098.985] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="0C") returned 2 [0098.985] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="5F") returned 2 [0098.985] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="F4") returned 2 [0098.985] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="20") returned 2 [0098.985] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="AC") returned 2 [0098.985] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="AA") returned 2 [0098.985] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="7F") returned 2 [0098.985] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="05") returned 2 [0098.985] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="BE") returned 2 [0098.985] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="0A") returned 2 [0098.985] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="CC") returned 2 [0098.985] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="44") returned 2 [0098.985] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="C9") returned 2 [0098.985] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="7B") returned 2 [0098.985] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="7F") returned 2 [0098.985] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="5A") returned 2 [0098.985] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="90") returned 2 [0098.985] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="4B") returned 2 [0098.985] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="3F") returned 2 [0098.985] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="6B") returned 2 [0098.986] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="DA") returned 2 [0098.986] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="EE") returned 2 [0098.986] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="64") returned 2 [0098.986] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="F9") returned 2 [0098.986] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="3B") returned 2 [0098.986] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="A3") returned 2 [0098.986] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="7C") returned 2 [0098.986] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="D0") returned 2 [0098.986] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="69") returned 2 [0098.986] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="D7") returned 2 [0098.986] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="50") returned 2 [0098.998] lstrcpyW (in: lpString1=0x3c380cc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" [0098.998] lstrcpyW (in: lpString1=0x3c280cc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" [0098.998] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms", lpString2=".AD0C5FF420ACAA7F05BE0ACC44C97B7F5A904B3F6BDAEE64F93BA37CD069D750" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.AD0C5FF420ACAA7F05BE0ACC44C97B7F5A904B3F6BDAEE64F93BA37CD069D750") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.AD0C5FF420ACAA7F05BE0ACC44C97B7F5A904B3F6BDAEE64F93BA37CD069D750" [0098.998] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x3c28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0098.998] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c28098, lpOverlapped=0x3c28098) returned 1 [0098.999] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbb2e2000, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbb2e2000, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x170fe40, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x1a41c00, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="ProPlusrWW.msi", cAlternateFileName="PROPLU~1.MSI")) returned 1 [0098.999] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="Windows") returned -1 [0098.999] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="Program Files") returned 1 [0098.999] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="Program Files (x86)") returned 1 [0098.999] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="$Recycle.bin") returned 1 [0098.999] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="System Volume Information") returned -1 [0098.999] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2=".") returned 1 [0099.042] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="..") returned 1 [0099.042] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 81 [0099.042] lstrcmpW (lpString1="ProPlusrWW.msi", lpString2="PUSSY.TXT") returned -1 [0099.042] PathFindExtensionW (pszPath="ProPlusrWW.msi") returned=".msi" [0099.042] lstrlenW (lpString=".msi") returned 4 [0099.042] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0099.042] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a0 [0099.048] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=27532288) returned 1 [0099.048] GetProcessHeap () returned 0x4c0000 [0099.048] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x54aae8 [0099.063] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="1A") returned 2 [0099.063] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="06") returned 2 [0099.063] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="1B") returned 2 [0099.063] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="B0") returned 2 [0099.063] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="67") returned 2 [0099.063] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="69") returned 2 [0099.063] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="C7") returned 2 [0099.063] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="62") returned 2 [0099.063] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="98") returned 2 [0099.063] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="76") returned 2 [0099.063] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="9D") returned 2 [0099.063] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="4D") returned 2 [0099.063] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="9E") returned 2 [0099.063] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="9A") returned 2 [0099.063] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="5D") returned 2 [0099.063] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="B0") returned 2 [0099.063] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="6D") returned 2 [0099.063] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="C0") returned 2 [0099.063] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="94") returned 2 [0099.063] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="BA") returned 2 [0099.064] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="38") returned 2 [0099.064] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="C2") returned 2 [0099.064] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="24") returned 2 [0099.064] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="36") returned 2 [0099.064] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="42") returned 2 [0099.064] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="54") returned 2 [0099.064] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="EB") returned 2 [0099.064] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="D1") returned 2 [0099.064] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="4F") returned 2 [0099.064] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="8D") returned 2 [0099.064] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="90") returned 2 [0099.064] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="72") returned 2 [0099.111] lstrcpyW (in: lpString1=0x55ab1c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" [0099.112] lstrcpyW (in: lpString1=0x54ab1c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" [0099.112] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi", lpString2=".1A061BB06769C76298769D4D9E9A5DB06DC094BA38C224364254EBD14F8D9072" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.1A061BB06769C76298769D4D9E9A5DB06DC094BA38C224364254EBD14F8D9072") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.1A061BB06769C76298769D4D9E9A5DB06DC094BA38C224364254EBD14F8D9072" [0099.112] CreateIoCompletionPort (FileHandle=0x1a0, ExistingCompletionPort=0x94, CompletionKey=0x54aae8, NumberOfConcurrentThreads=0x0) returned 0x94 [0099.112] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x54aae8, lpOverlapped=0x54aae8) returned 1 [0099.113] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x170fe40, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x41d4, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="ProPlusrWW.xml", cAlternateFileName="PROPLU~1.XML")) returned 1 [0099.113] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="Windows") returned -1 [0099.113] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="Program Files") returned 1 [0099.113] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="Program Files (x86)") returned 1 [0099.113] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="$Recycle.bin") returned 1 [0099.113] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="System Volume Information") returned -1 [0099.113] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2=".") returned 1 [0099.158] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="..") returned 1 [0099.158] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 81 [0099.158] lstrcmpW (lpString1="ProPlusrWW.xml", lpString2="PUSSY.TXT") returned -1 [0099.159] PathFindExtensionW (pszPath="ProPlusrWW.xml") returned=".xml" [0099.159] lstrlenW (lpString=".xml") returned 4 [0099.159] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0099.159] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x180 [0099.160] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=16852) returned 1 [0099.160] GetProcessHeap () returned 0x4c0000 [0099.160] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0099.173] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="93") returned 2 [0099.173] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="43") returned 2 [0099.174] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="DC") returned 2 [0099.174] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="6B") returned 2 [0099.174] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="AC") returned 2 [0099.174] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="E3") returned 2 [0099.174] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="76") returned 2 [0099.174] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="D2") returned 2 [0099.174] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="22") returned 2 [0099.174] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="07") returned 2 [0099.174] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="DD") returned 2 [0099.174] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="A6") returned 2 [0099.174] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="38") returned 2 [0099.174] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="D7") returned 2 [0099.174] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="47") returned 2 [0099.174] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="A1") returned 2 [0099.174] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="3D") returned 2 [0099.174] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="A8") returned 2 [0099.174] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="97") returned 2 [0099.174] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="F6") returned 2 [0099.174] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="AD") returned 2 [0099.174] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="C4") returned 2 [0099.174] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="3A") returned 2 [0099.174] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="AF") returned 2 [0099.174] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="70") returned 2 [0099.174] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="6D") returned 2 [0099.175] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="30") returned 2 [0099.175] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="A3") returned 2 [0099.175] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="2F") returned 2 [0099.175] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="BF") returned 2 [0099.175] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="9E") returned 2 [0099.175] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="70") returned 2 [0099.188] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" [0099.188] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" [0099.188] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml", lpString2=".9343DC6BACE376D22207DDA638D747A13DA897F6ADC43AAF706D30A32FBF9E70" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.9343DC6BACE376D22207DDA638D747A13DA897F6ADC43AAF706D30A32FBF9E70") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.9343DC6BACE376D22207DDA638D747A13DA897F6ADC43AAF706D30A32FBF9E70" [0099.188] CreateIoCompletionPort (FileHandle=0x180, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0099.188] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0099.189] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x262b2700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x262b2700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x1ffd0c0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0xa97cbdb, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="ProPrWW.cab", cAlternateFileName="")) returned 1 [0099.211] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="Windows") returned -1 [0099.211] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="Program Files") returned 1 [0099.211] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="Program Files (x86)") returned 1 [0099.211] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="$Recycle.bin") returned 1 [0099.211] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="System Volume Information") returned -1 [0099.211] lstrcmpiW (lpString1="ProPrWW.cab", lpString2=".") returned 1 [0099.211] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="..") returned 1 [0099.211] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 78 [0099.211] lstrcmpW (lpString1="ProPrWW.cab", lpString2="PUSSY.TXT") returned -1 [0099.212] PathFindExtensionW (pszPath="ProPrWW.cab") returned=".cab" [0099.212] lstrlenW (lpString=".cab") returned 4 [0099.212] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0099.212] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0099.213] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=177720283) returned 1 [0099.213] GetProcessHeap () returned 0x4c0000 [0099.213] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x572b38 [0099.227] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="4E") returned 2 [0099.227] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="3F") returned 2 [0099.227] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="1F") returned 2 [0099.227] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="20") returned 2 [0099.227] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="91") returned 2 [0099.227] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="68") returned 2 [0099.227] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="1F") returned 2 [0099.227] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="F6") returned 2 [0099.227] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="17") returned 2 [0099.227] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="16") returned 2 [0099.227] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="11") returned 2 [0099.227] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="20") returned 2 [0099.227] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="8F") returned 2 [0099.227] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="10") returned 2 [0099.227] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="C1") returned 2 [0099.227] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="81") returned 2 [0099.227] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="19") returned 2 [0099.227] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="D4") returned 2 [0099.227] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="5A") returned 2 [0099.228] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="33") returned 2 [0099.228] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="75") returned 2 [0099.228] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="43") returned 2 [0099.228] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="A6") returned 2 [0099.228] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="A2") returned 2 [0099.228] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="C9") returned 2 [0099.228] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="5C") returned 2 [0099.228] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="6E") returned 2 [0099.228] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="13") returned 2 [0099.228] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="6F") returned 2 [0099.228] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="FF") returned 2 [0099.228] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="E1") returned 2 [0099.228] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="04") returned 2 [0099.240] lstrcpyW (in: lpString1=0x582b6c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab" [0099.240] lstrcpyW (in: lpString1=0x572b6c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab" [0099.240] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab", lpString2=".4E3F1F2091681FF6171611208F10C18119D45A337543A6A2C95C6E136FFFE104" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab.4E3F1F2091681FF6171611208F10C18119D45A337543A6A2C95C6E136FFFE104") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab.4E3F1F2091681FF6171611208F10C18119D45A337543A6A2C95C6E136FFFE104" [0099.240] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x572b38, NumberOfConcurrentThreads=0x0) returned 0x94 [0099.240] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x572b38, lpOverlapped=0x572b38) returned 1 [0099.240] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbf14900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbf14900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xc96ff40, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0xd49ee31, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="ProPrWW2.cab", cAlternateFileName="")) returned 1 [0099.240] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="Windows") returned -1 [0099.240] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="Program Files") returned 1 [0099.240] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="Program Files (x86)") returned 1 [0099.240] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="$Recycle.bin") returned 1 [0099.240] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="System Volume Information") returned -1 [0099.240] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2=".") returned 1 [0099.240] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="..") returned 1 [0099.240] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 79 [0099.240] lstrcmpW (lpString1="ProPrWW2.cab", lpString2="PUSSY.TXT") returned -1 [0099.240] PathFindExtensionW (pszPath="ProPrWW2.cab") returned=".cab" [0099.240] lstrlenW (lpString=".cab") returned 4 [0099.241] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0099.241] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x188 [0099.287] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=222948913) returned 1 [0099.287] GetProcessHeap () returned 0x4c0000 [0099.287] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c500e8 [0099.300] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="A7") returned 2 [0099.300] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="A0") returned 2 [0099.300] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="67") returned 2 [0099.300] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="73") returned 2 [0099.300] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="86") returned 2 [0099.300] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="74") returned 2 [0099.300] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="6E") returned 2 [0099.300] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="A7") returned 2 [0099.300] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="B2") returned 2 [0099.300] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="DD") returned 2 [0099.300] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="77") returned 2 [0099.300] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="B3") returned 2 [0099.300] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="2D") returned 2 [0099.300] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="17") returned 2 [0099.300] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="E3") returned 2 [0099.300] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="B3") returned 2 [0099.300] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="38") returned 2 [0099.300] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="E0") returned 2 [0099.301] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="00") returned 2 [0099.301] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="78") returned 2 [0099.301] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="E8") returned 2 [0099.301] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="85") returned 2 [0099.301] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="28") returned 2 [0099.301] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="03") returned 2 [0099.301] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="A2") returned 2 [0099.301] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="CA") returned 2 [0099.301] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="03") returned 2 [0099.301] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="A1") returned 2 [0099.301] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="CD") returned 2 [0099.301] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="97") returned 2 [0099.301] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="40") returned 2 [0099.301] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="13") returned 2 [0099.314] lstrcpyW (in: lpString1=0x3c6011c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab" [0099.314] lstrcpyW (in: lpString1=0x3c5011c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab" [0099.314] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab", lpString2=".A7A0677386746EA7B2DD77B32D17E3B338E00078E8852803A2CA03A1CD974013" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab.A7A0677386746EA7B2DD77B32D17E3B338E00078E8852803A2CA03A1CD974013") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab.A7A0677386746EA7B2DD77B32D17E3B338E00078E8852803A2CA03A1CD974013" [0099.314] CreateIoCompletionPort (FileHandle=0x188, ExistingCompletionPort=0x94, CompletionKey=0x3c500e8, NumberOfConcurrentThreads=0x0) returned 0x94 [0099.314] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c500e8, lpOverlapped=0x3c500e8) returned 1 [0099.314] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec13c00, ftCreationTime.dwHighDateTime=0x1cac15b, ftLastAccessTime.dwLowDateTime=0xbec13c00, ftLastAccessTime.dwHighDateTime=0x1cac15b, ftLastWriteTime.dwLowDateTime=0x1682d290, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x150578, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="setup.exe", cAlternateFileName="")) returned 1 [0099.314] lstrcmpiW (lpString1="setup.exe", lpString2="Windows") returned -1 [0099.314] lstrcmpiW (lpString1="setup.exe", lpString2="Program Files") returned 1 [0099.314] lstrcmpiW (lpString1="setup.exe", lpString2="Program Files (x86)") returned 1 [0099.314] lstrcmpiW (lpString1="setup.exe", lpString2="$Recycle.bin") returned 1 [0099.314] lstrcmpiW (lpString1="setup.exe", lpString2="System Volume Information") returned -1 [0099.314] lstrcmpiW (lpString1="setup.exe", lpString2=".") returned 1 [0099.314] lstrcmpiW (lpString1="setup.exe", lpString2="..") returned 1 [0099.314] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 76 [0099.314] lstrcmpW (lpString1="setup.exe", lpString2="PUSSY.TXT") returned 1 [0099.314] PathFindExtensionW (pszPath="setup.exe") returned=".exe" [0099.314] lstrlenW (lpString=".exe") returned 4 [0099.315] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0099.315] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x198 [0099.315] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=1377656) returned 1 [0099.315] GetProcessHeap () returned 0x4c0000 [0099.315] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c78138 [0099.404] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="F4") returned 2 [0099.404] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="68") returned 2 [0099.404] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="11") returned 2 [0099.404] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="E6") returned 2 [0099.404] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="83") returned 2 [0099.404] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="C6") returned 2 [0099.404] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="20") returned 2 [0099.404] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="98") returned 2 [0099.404] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="1E") returned 2 [0099.404] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="CA") returned 2 [0099.404] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="B5") returned 2 [0099.404] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="AF") returned 2 [0099.404] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="32") returned 2 [0099.404] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="90") returned 2 [0099.404] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="FD") returned 2 [0099.404] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="32") returned 2 [0099.404] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="F1") returned 2 [0099.404] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="D8") returned 2 [0099.404] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="60") returned 2 [0099.404] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="1C") returned 2 [0099.405] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="36") returned 2 [0099.405] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="66") returned 2 [0099.405] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="9C") returned 2 [0099.405] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="F1") returned 2 [0099.405] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="28") returned 2 [0099.405] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="E3") returned 2 [0099.405] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="03") returned 2 [0099.405] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="9E") returned 2 [0099.405] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="A3") returned 2 [0099.405] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="F0") returned 2 [0099.405] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="B5") returned 2 [0099.405] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="22") returned 2 [0099.417] lstrcpyW (in: lpString1=0x3c8816c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" [0099.417] lstrcpyW (in: lpString1=0x3c7816c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" [0099.417] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe", lpString2=".F46811E683C620981ECAB5AF3290FD32F1D8601C36669CF128E3039EA3F0B522" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe.F46811E683C620981ECAB5AF3290FD32F1D8601C36669CF128E3039EA3F0B522") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe.F46811E683C620981ECAB5AF3290FD32F1D8601C36669CF128E3039EA3F0B522" [0099.417] CreateIoCompletionPort (FileHandle=0x198, ExistingCompletionPort=0x94, CompletionKey=0x3c78138, NumberOfConcurrentThreads=0x0) returned 0x94 [0099.417] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c78138, lpOverlapped=0x3c78138) returned 1 [0099.418] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x18177c50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x7976, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0099.418] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0099.418] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0099.418] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0099.418] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0099.418] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0099.462] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0099.462] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0099.462] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0099.463] lstrcmpW (lpString1="Setup.xml", lpString2="PUSSY.TXT") returned 1 [0099.463] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0099.463] lstrlenW (lpString=".xml") returned 4 [0099.463] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0099.463] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a0 [0099.463] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=31094) returned 1 [0099.463] GetProcessHeap () returned 0x4c0000 [0099.463] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x54aae8 [0099.476] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="3E") returned 2 [0099.476] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="4E") returned 2 [0099.476] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="45") returned 2 [0099.476] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="FF") returned 2 [0099.476] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="DD") returned 2 [0099.477] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="04") returned 2 [0099.477] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="F4") returned 2 [0099.477] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="1D") returned 2 [0099.477] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="3B") returned 2 [0099.477] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="FE") returned 2 [0099.477] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="2B") returned 2 [0099.477] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="D1") returned 2 [0099.477] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="C0") returned 2 [0099.477] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="1B") returned 2 [0099.477] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="46") returned 2 [0099.477] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="F1") returned 2 [0099.477] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="FC") returned 2 [0099.477] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="43") returned 2 [0099.477] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="ED") returned 2 [0099.477] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="69") returned 2 [0099.477] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="F6") returned 2 [0099.477] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="21") returned 2 [0099.477] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="A8") returned 2 [0099.477] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="E6") returned 2 [0099.477] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="B3") returned 2 [0099.477] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="91") returned 2 [0099.477] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="EB") returned 2 [0099.477] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="5D") returned 2 [0099.477] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="A0") returned 2 [0099.478] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="D2") returned 2 [0099.478] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="39") returned 2 [0099.478] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="5B") returned 2 [0099.490] lstrcpyW (in: lpString1=0x55ab1c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" [0099.490] lstrcpyW (in: lpString1=0x54ab1c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" [0099.490] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".3E4E45FFDD04F41D3BFE2BD1C01B46F1FC43ED69F621A8E6B391EB5DA0D2395B" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.3E4E45FFDD04F41D3BFE2BD1C01B46F1FC43ED69F621A8E6B391EB5DA0D2395B") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.3E4E45FFDD04F41D3BFE2BD1C01B46F1FC43ED69F621A8E6B391EB5DA0D2395B" [0099.490] CreateIoCompletionPort (FileHandle=0x1a0, ExistingCompletionPort=0x94, CompletionKey=0x54aae8, NumberOfConcurrentThreads=0x0) returned 0x94 [0099.490] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x54aae8, lpOverlapped=0x54aae8) returned 1 [0099.491] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x18177c50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x7976, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0099.491] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0099.531] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PUSSY.TXT") returned 76 [0099.531] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PUSSY.TXT" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0099.534] lstrlenA (lpString="abcd") returned 4 [0099.534] WriteFile (in: hFile=0x1a0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0099.536] CloseHandle (hObject=0x1a0) returned 1 [0099.536] GetProcessHeap () returned 0x4c0000 [0099.536] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0099.536] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5cd3a40, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa8c22f80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa8c22f80, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="{91140000-003B-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~3")) returned 1 [0099.536] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0099.536] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0099.536] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0099.537] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0099.537] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0099.537] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0099.537] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0099.537] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C") returned 66 [0099.537] GetProcessHeap () returned 0x4c0000 [0099.537] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0099.537] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C" [0099.537] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="\\*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*" [0099.537] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5cd3a40, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa8c22f80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa8c22f80, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0099.542] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0099.542] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0099.542] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0099.542] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0099.542] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0099.542] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0099.542] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5cd3a40, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa8c22f80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa8c22f80, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0099.542] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0099.542] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0099.542] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0099.543] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0099.543] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0099.543] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0099.543] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0099.543] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x87078450, ftCreationTime.dwHighDateTime=0x1cb147f, ftLastAccessTime.dwLowDateTime=0x87078450, ftLastAccessTime.dwHighDateTime=0x1cb147f, ftLastWriteTime.dwLowDateTime=0xa5d1e590, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x1e6600, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Office32WW.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0099.543] lstrcmpiW (lpString1="Office32WW.msi", lpString2="Windows") returned -1 [0099.543] lstrcmpiW (lpString1="Office32WW.msi", lpString2="Program Files") returned -1 [0099.543] lstrcmpiW (lpString1="Office32WW.msi", lpString2="Program Files (x86)") returned -1 [0099.543] lstrcmpiW (lpString1="Office32WW.msi", lpString2="$Recycle.bin") returned 1 [0099.543] lstrcmpiW (lpString1="Office32WW.msi", lpString2="System Volume Information") returned -1 [0099.543] lstrcmpiW (lpString1="Office32WW.msi", lpString2=".") returned 1 [0099.543] lstrcmpiW (lpString1="Office32WW.msi", lpString2="..") returned 1 [0099.543] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 81 [0099.543] lstrcmpW (lpString1="Office32WW.msi", lpString2="PUSSY.TXT") returned -1 [0099.543] PathFindExtensionW (pszPath="Office32WW.msi") returned=".msi" [0099.543] lstrlenW (lpString=".msi") returned 4 [0099.543] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0099.543] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x174 [0099.544] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=1992192) returned 1 [0099.545] GetProcessHeap () returned 0x4c0000 [0099.545] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x54aae8 [0099.557] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="AB") returned 2 [0099.557] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="B3") returned 2 [0099.557] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="16") returned 2 [0099.557] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="92") returned 2 [0099.557] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="76") returned 2 [0099.557] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="CF") returned 2 [0099.557] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="E3") returned 2 [0099.557] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="BC") returned 2 [0099.557] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="4C") returned 2 [0099.557] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="A3") returned 2 [0099.557] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="BF") returned 2 [0099.557] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="74") returned 2 [0099.557] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="97") returned 2 [0099.557] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="6A") returned 2 [0099.557] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="86") returned 2 [0099.557] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="52") returned 2 [0099.557] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="8E") returned 2 [0099.558] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="B1") returned 2 [0099.558] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="6C") returned 2 [0099.558] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="0D") returned 2 [0099.558] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="B3") returned 2 [0099.558] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="FA") returned 2 [0099.558] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="61") returned 2 [0099.558] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="99") returned 2 [0099.558] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="E8") returned 2 [0099.558] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="C3") returned 2 [0099.558] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="E2") returned 2 [0099.558] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="A4") returned 2 [0099.558] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="B7") returned 2 [0099.558] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="0F") returned 2 [0099.558] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="BD") returned 2 [0099.558] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="0C") returned 2 [0099.570] lstrcpyW (in: lpString1=0x55ab1c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" [0099.570] lstrcpyW (in: lpString1=0x54ab1c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" [0099.570] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi", lpString2=".ABB3169276CFE3BC4CA3BF74976A86528EB16C0DB3FA6199E8C3E2A4B70FBD0C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.ABB3169276CFE3BC4CA3BF74976A86528EB16C0DB3FA6199E8C3E2A4B70FBD0C") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.ABB3169276CFE3BC4CA3BF74976A86528EB16C0DB3FA6199E8C3E2A4B70FBD0C" [0099.570] CreateIoCompletionPort (FileHandle=0x174, ExistingCompletionPort=0x94, CompletionKey=0x54aae8, NumberOfConcurrentThreads=0x0) returned 0x94 [0099.570] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x54aae8, lpOverlapped=0x54aae8) returned 1 [0099.570] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x87abdaa0, ftCreationTime.dwHighDateTime=0x1cb147f, ftLastAccessTime.dwLowDateTime=0x87abdaa0, ftLastAccessTime.dwHighDateTime=0x1cb147f, ftLastWriteTime.dwLowDateTime=0xa5cd2aa0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x10b2, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Office32WW.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0099.570] lstrcmpiW (lpString1="Office32WW.xml", lpString2="Windows") returned -1 [0099.570] lstrcmpiW (lpString1="Office32WW.xml", lpString2="Program Files") returned -1 [0099.570] lstrcmpiW (lpString1="Office32WW.xml", lpString2="Program Files (x86)") returned -1 [0099.570] lstrcmpiW (lpString1="Office32WW.xml", lpString2="$Recycle.bin") returned 1 [0099.570] lstrcmpiW (lpString1="Office32WW.xml", lpString2="System Volume Information") returned -1 [0099.570] lstrcmpiW (lpString1="Office32WW.xml", lpString2=".") returned 1 [0099.571] lstrcmpiW (lpString1="Office32WW.xml", lpString2="..") returned 1 [0099.571] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0099.571] lstrcmpW (lpString1="Office32WW.xml", lpString2="PUSSY.TXT") returned -1 [0099.571] PathFindExtensionW (pszPath="Office32WW.xml") returned=".xml" [0099.571] lstrlenW (lpString=".xml") returned 4 [0099.571] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0099.571] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0099.571] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=4274) returned 1 [0099.571] GetProcessHeap () returned 0x4c0000 [0099.571] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c28098 [0099.585] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="41") returned 2 [0099.585] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="89") returned 2 [0099.585] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="8F") returned 2 [0099.585] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="BD") returned 2 [0099.585] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="1F") returned 2 [0099.585] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="FA") returned 2 [0099.585] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="5F") returned 2 [0099.585] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="65") returned 2 [0099.585] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="FF") returned 2 [0099.585] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="54") returned 2 [0099.585] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="B8") returned 2 [0099.585] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="87") returned 2 [0099.585] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="9B") returned 2 [0099.586] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="73") returned 2 [0099.586] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="EF") returned 2 [0099.586] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="1A") returned 2 [0099.586] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="A8") returned 2 [0099.586] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="D6") returned 2 [0099.586] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="57") returned 2 [0099.586] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="C2") returned 2 [0099.586] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="79") returned 2 [0099.586] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="E5") returned 2 [0099.586] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="1E") returned 2 [0099.586] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="F5") returned 2 [0099.586] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="DC") returned 2 [0099.586] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="D7") returned 2 [0099.586] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="BA") returned 2 [0099.586] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="4F") returned 2 [0099.586] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="D9") returned 2 [0099.586] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="3A") returned 2 [0099.586] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="7F") returned 2 [0099.586] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="53") returned 2 [0099.661] lstrcpyW (in: lpString1=0x3c380cc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" [0099.661] lstrcpyW (in: lpString1=0x3c280cc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" [0099.661] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpString2=".41898FBD1FFA5F65FF54B8879B73EF1AA8D657C279E51EF5DCD7BA4FD93A7F53" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.41898FBD1FFA5F65FF54B8879B73EF1AA8D657C279E51EF5DCD7BA4FD93A7F53") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.41898FBD1FFA5F65FF54B8879B73EF1AA8D657C279E51EF5DCD7BA4FD93A7F53" [0099.661] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x3c28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0099.661] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c28098, lpOverlapped=0x3c28098) returned 1 [0099.662] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xfe57f8e0, ftCreationTime.dwHighDateTime=0x1cbe1cb, ftLastAccessTime.dwLowDateTime=0xfe57f8e0, ftLastAccessTime.dwHighDateTime=0x1cbe1cb, ftLastWriteTime.dwLowDateTime=0xa8bafbc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2a968, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="ose.exe", cAlternateFileName="")) returned 1 [0099.662] lstrcmpiW (lpString1="ose.exe", lpString2="Windows") returned -1 [0099.662] lstrcmpiW (lpString1="ose.exe", lpString2="Program Files") returned -1 [0099.669] lstrcmpiW (lpString1="ose.exe", lpString2="Program Files (x86)") returned -1 [0099.669] lstrcmpiW (lpString1="ose.exe", lpString2="$Recycle.bin") returned 1 [0099.669] lstrcmpiW (lpString1="ose.exe", lpString2="System Volume Information") returned -1 [0099.669] lstrcmpiW (lpString1="ose.exe", lpString2=".") returned 1 [0099.669] lstrcmpiW (lpString1="ose.exe", lpString2="..") returned 1 [0099.669] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 74 [0099.670] lstrcmpW (lpString1="ose.exe", lpString2="PUSSY.TXT") returned -1 [0099.670] PathFindExtensionW (pszPath="ose.exe") returned=".exe" [0099.670] lstrlenW (lpString=".exe") returned 4 [0099.670] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0099.670] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x188 [0099.670] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=174440) returned 1 [0099.670] GetProcessHeap () returned 0x4c0000 [0099.670] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c500e8 [0099.686] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="0A") returned 2 [0099.686] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="5E") returned 2 [0099.686] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="80") returned 2 [0099.686] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="92") returned 2 [0099.686] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="7D") returned 2 [0099.686] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="87") returned 2 [0099.686] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="34") returned 2 [0099.686] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="A3") returned 2 [0099.686] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="21") returned 2 [0099.686] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="CB") returned 2 [0099.686] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="07") returned 2 [0099.686] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="CB") returned 2 [0099.686] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="AB") returned 2 [0099.686] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="FB") returned 2 [0099.686] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="A1") returned 2 [0099.686] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="77") returned 2 [0099.687] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="AD") returned 2 [0099.687] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="F7") returned 2 [0099.687] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="F1") returned 2 [0099.687] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="CF") returned 2 [0099.687] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="38") returned 2 [0099.687] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="1A") returned 2 [0099.687] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="3F") returned 2 [0099.687] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="13") returned 2 [0099.687] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="69") returned 2 [0099.687] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="91") returned 2 [0099.687] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="DE") returned 2 [0099.687] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="5F") returned 2 [0099.687] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="D1") returned 2 [0099.687] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="FB") returned 2 [0099.687] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="D8") returned 2 [0099.687] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="63") returned 2 [0099.699] lstrcpyW (in: lpString1=0x3c6011c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" [0099.699] lstrcpyW (in: lpString1=0x3c5011c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" [0099.699] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe", lpString2=".0A5E80927D8734A321CB07CBABFBA177ADF7F1CF381A3F136991DE5FD1FBD863" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe.0A5E80927D8734A321CB07CBABFBA177ADF7F1CF381A3F136991DE5FD1FBD863") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe.0A5E80927D8734A321CB07CBABFBA177ADF7F1CF381A3F136991DE5FD1FBD863" [0099.699] CreateIoCompletionPort (FileHandle=0x188, ExistingCompletionPort=0x94, CompletionKey=0x3c500e8, NumberOfConcurrentThreads=0x0) returned 0x94 [0099.699] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c500e8, lpOverlapped=0x3c500e8) returned 1 [0099.701] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6644b620, ftCreationTime.dwHighDateTime=0x1cb04b2, ftLastAccessTime.dwLowDateTime=0x6644b620, ftLastAccessTime.dwHighDateTime=0x1cb04b2, ftLastWriteTime.dwLowDateTime=0xa81b8770, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x709768, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="osetup.dll", cAlternateFileName="")) returned 1 [0099.701] lstrcmpiW (lpString1="osetup.dll", lpString2="Windows") returned -1 [0099.701] lstrcmpiW (lpString1="osetup.dll", lpString2="Program Files") returned -1 [0099.701] lstrcmpiW (lpString1="osetup.dll", lpString2="Program Files (x86)") returned -1 [0099.701] lstrcmpiW (lpString1="osetup.dll", lpString2="$Recycle.bin") returned 1 [0099.701] lstrcmpiW (lpString1="osetup.dll", lpString2="System Volume Information") returned -1 [0099.701] lstrcmpiW (lpString1="osetup.dll", lpString2=".") returned 1 [0099.701] lstrcmpiW (lpString1="osetup.dll", lpString2="..") returned 1 [0099.701] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 77 [0099.701] lstrcmpW (lpString1="osetup.dll", lpString2="PUSSY.TXT") returned -1 [0099.701] PathFindExtensionW (pszPath="osetup.dll") returned=".dll" [0099.701] lstrlenW (lpString=".dll") returned 4 [0099.701] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0099.701] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0099.702] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=7378792) returned 1 [0099.702] GetProcessHeap () returned 0x4c0000 [0099.702] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0099.714] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="B6") returned 2 [0099.714] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="FC") returned 2 [0099.714] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="1B") returned 2 [0099.714] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="49") returned 2 [0099.714] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="19") returned 2 [0099.714] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="B7") returned 2 [0099.714] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="9F") returned 2 [0099.714] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="44") returned 2 [0099.714] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="86") returned 2 [0099.714] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="59") returned 2 [0099.714] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="16") returned 2 [0099.714] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="4E") returned 2 [0099.715] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="25") returned 2 [0099.715] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="40") returned 2 [0099.715] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="30") returned 2 [0099.715] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="6E") returned 2 [0099.715] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="39") returned 2 [0099.715] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="C2") returned 2 [0099.715] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="74") returned 2 [0099.715] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="73") returned 2 [0099.715] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="07") returned 2 [0099.715] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="33") returned 2 [0099.715] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="DD") returned 2 [0099.715] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="F9") returned 2 [0099.715] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="ED") returned 2 [0099.715] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="A7") returned 2 [0099.715] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="3A") returned 2 [0099.715] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="F9") returned 2 [0099.715] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="34") returned 2 [0099.715] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="87") returned 2 [0099.715] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="D3") returned 2 [0099.715] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="3E") returned 2 [0099.771] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll" [0099.771] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll" [0099.771] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll", lpString2=".B6FC1B4919B79F448659164E2540306E39C274730733DDF9EDA73AF93487D33E" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll.B6FC1B4919B79F448659164E2540306E39C274730733DDF9EDA73AF93487D33E") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll.B6FC1B4919B79F448659164E2540306E39C274730733DDF9EDA73AF93487D33E" [0099.771] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0099.771] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0099.772] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8238e540, ftCreationTime.dwHighDateTime=0x1cb147f, ftLastAccessTime.dwLowDateTime=0x8238e540, ftLastAccessTime.dwHighDateTime=0x1cb147f, ftLastWriteTime.dwLowDateTime=0xa5ddcc70, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x228df5c, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="OWOW32WW.cab", cAlternateFileName="")) returned 1 [0099.772] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="Windows") returned -1 [0099.772] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="Program Files") returned -1 [0099.772] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="Program Files (x86)") returned -1 [0099.772] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="$Recycle.bin") returned 1 [0099.772] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="System Volume Information") returned -1 [0099.772] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2=".") returned 1 [0099.772] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="..") returned 1 [0099.772] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 79 [0099.772] lstrcmpW (lpString1="OWOW32WW.cab", lpString2="PUSSY.TXT") returned -1 [0099.772] PathFindExtensionW (pszPath="OWOW32WW.cab") returned=".cab" [0099.772] lstrlenW (lpString=".cab") returned 4 [0099.773] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0099.773] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x180 [0099.774] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=36233052) returned 1 [0099.774] GetProcessHeap () returned 0x4c0000 [0099.774] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c28098 [0099.786] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="57") returned 2 [0099.786] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="86") returned 2 [0099.786] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="C0") returned 2 [0099.786] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="07") returned 2 [0099.786] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="69") returned 2 [0099.786] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="1F") returned 2 [0099.786] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="51") returned 2 [0099.786] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="54") returned 2 [0099.786] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="CA") returned 2 [0099.786] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="8E") returned 2 [0099.786] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="9F") returned 2 [0099.786] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="7B") returned 2 [0099.786] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="62") returned 2 [0099.786] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="71") returned 2 [0099.786] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="C7") returned 2 [0099.787] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="6B") returned 2 [0099.787] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="BC") returned 2 [0099.787] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="B3") returned 2 [0099.787] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="05") returned 2 [0099.787] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="4A") returned 2 [0099.787] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="54") returned 2 [0099.787] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="96") returned 2 [0099.787] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="45") returned 2 [0099.787] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="52") returned 2 [0099.787] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="9D") returned 2 [0099.787] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="14") returned 2 [0099.787] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="D6") returned 2 [0099.787] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="CF") returned 2 [0099.787] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="5B") returned 2 [0099.787] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="97") returned 2 [0099.787] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="98") returned 2 [0099.787] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="07") returned 2 [0099.814] lstrcpyW (in: lpString1=0x3c380cc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" [0099.814] lstrcpyW (in: lpString1=0x3c280cc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" [0099.815] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab", lpString2=".5786C007691F5154CA8E9F7B6271C76BBCB3054A549645529D14D6CF5B979807" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.5786C007691F5154CA8E9F7B6271C76BBCB3054A549645529D14D6CF5B979807") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.5786C007691F5154CA8E9F7B6271C76BBCB3054A549645529D14D6CF5B979807" [0099.815] CreateIoCompletionPort (FileHandle=0x180, ExistingCompletionPort=0x94, CompletionKey=0x3c28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0099.815] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c28098, lpOverlapped=0x3c28098) returned 1 [0099.816] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7bd91af0, ftCreationTime.dwHighDateTime=0x1cb07b2, ftLastAccessTime.dwLowDateTime=0x7bd91af0, ftLastAccessTime.dwHighDateTime=0x1cb07b2, ftLastWriteTime.dwLowDateTime=0xa8bafbc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x165510, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="PidGenX.dll", cAlternateFileName="")) returned 1 [0099.816] lstrcmpiW (lpString1="PidGenX.dll", lpString2="Windows") returned -1 [0099.816] lstrcmpiW (lpString1="PidGenX.dll", lpString2="Program Files") returned -1 [0099.816] lstrcmpiW (lpString1="PidGenX.dll", lpString2="Program Files (x86)") returned -1 [0099.816] lstrcmpiW (lpString1="PidGenX.dll", lpString2="$Recycle.bin") returned 1 [0099.816] lstrcmpiW (lpString1="PidGenX.dll", lpString2="System Volume Information") returned -1 [0099.816] lstrcmpiW (lpString1="PidGenX.dll", lpString2=".") returned 1 [0099.816] lstrcmpiW (lpString1="PidGenX.dll", lpString2="..") returned 1 [0099.816] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 78 [0099.816] lstrcmpW (lpString1="PidGenX.dll", lpString2="PUSSY.TXT") returned -1 [0099.817] PathFindExtensionW (pszPath="PidGenX.dll") returned=".dll" [0099.817] lstrlenW (lpString=".dll") returned 4 [0099.817] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0099.817] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0099.817] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=1463568) returned 1 [0099.817] GetProcessHeap () returned 0x4c0000 [0099.817] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x54aae8 [0099.829] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="72") returned 2 [0099.829] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="CE") returned 2 [0099.829] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="08") returned 2 [0099.830] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="B0") returned 2 [0099.830] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="93") returned 2 [0099.830] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="81") returned 2 [0099.830] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="C9") returned 2 [0099.830] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="C2") returned 2 [0099.830] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="AC") returned 2 [0099.941] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="A6") returned 2 [0099.941] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="AF") returned 2 [0099.941] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="83") returned 2 [0099.941] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="86") returned 2 [0099.941] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="86") returned 2 [0099.941] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="B5") returned 2 [0099.941] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="B2") returned 2 [0099.941] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="65") returned 2 [0099.942] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="E9") returned 2 [0099.942] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="CA") returned 2 [0099.942] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="64") returned 2 [0099.942] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="0A") returned 2 [0099.942] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="CF") returned 2 [0099.942] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="B2") returned 2 [0099.942] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="BF") returned 2 [0099.942] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="62") returned 2 [0099.942] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="95") returned 2 [0099.942] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="05") returned 2 [0099.942] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="31") returned 2 [0099.942] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="5A") returned 2 [0099.942] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="B1") returned 2 [0099.942] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="70") returned 2 [0099.942] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="3A") returned 2 [0099.955] lstrcpyW (in: lpString1=0x55ab1c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" [0099.955] lstrcpyW (in: lpString1=0x54ab1c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" [0099.955] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll", lpString2=".72CE08B09381C9C2ACA6AF838686B5B265E9CA640ACFB2BF629505315AB1703A" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll.72CE08B09381C9C2ACA6AF838686B5B265E9CA640ACFB2BF629505315AB1703A") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll.72CE08B09381C9C2ACA6AF838686B5B265E9CA640ACFB2BF629505315AB1703A" [0099.955] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x54aae8, NumberOfConcurrentThreads=0x0) returned 0x94 [0099.955] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x54aae8, lpOverlapped=0x54aae8) returned 1 [0099.956] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2a2397e0, ftCreationTime.dwHighDateTime=0x1cbe19a, ftLastAccessTime.dwLowDateTime=0x2a2397e0, ftLastAccessTime.dwHighDateTime=0x1cbe19a, ftLastWriteTime.dwLowDateTime=0xa8bafbc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0xaec3a, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="pkeyconfig-office.xrm-ms", cAlternateFileName="PKEYCO~1.XRM")) returned 1 [0099.956] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="Windows") returned -1 [0099.956] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="Program Files") returned -1 [0100.014] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="Program Files (x86)") returned -1 [0100.014] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="$Recycle.bin") returned 1 [0100.014] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="System Volume Information") returned -1 [0100.014] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2=".") returned 1 [0100.014] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="..") returned 1 [0100.014] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0100.014] lstrcmpW (lpString1="pkeyconfig-office.xrm-ms", lpString2="PUSSY.TXT") returned -1 [0100.014] PathFindExtensionW (pszPath="pkeyconfig-office.xrm-ms") returned=".xrm-ms" [0100.015] lstrlenW (lpString=".xrm-ms") returned 7 [0100.016] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0100.016] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0100.019] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=715834) returned 1 [0100.019] GetProcessHeap () returned 0x4c0000 [0100.019] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x54aae8 [0100.032] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="0B") returned 2 [0100.032] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="6C") returned 2 [0100.032] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="DD") returned 2 [0100.032] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="28") returned 2 [0100.032] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="08") returned 2 [0100.032] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="DA") returned 2 [0100.032] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="54") returned 2 [0100.032] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="12") returned 2 [0100.032] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="C5") returned 2 [0100.032] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="50") returned 2 [0100.032] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="A1") returned 2 [0100.032] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="C4") returned 2 [0100.032] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="B8") returned 2 [0100.032] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="75") returned 2 [0100.032] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="7C") returned 2 [0100.032] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="0B") returned 2 [0100.032] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="A6") returned 2 [0100.032] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="D4") returned 2 [0100.032] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="2C") returned 2 [0100.032] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="68") returned 2 [0100.032] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="C4") returned 2 [0100.033] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="F6") returned 2 [0100.033] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="E9") returned 2 [0100.033] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="C4") returned 2 [0100.033] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="1C") returned 2 [0100.033] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="2C") returned 2 [0100.033] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="0C") returned 2 [0100.033] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="89") returned 2 [0100.033] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="8D") returned 2 [0100.033] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="37") returned 2 [0100.033] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="2F") returned 2 [0100.033] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="27") returned 2 [0100.045] lstrcpyW (in: lpString1=0x55ab1c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" [0100.046] lstrcpyW (in: lpString1=0x54ab1c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" [0100.046] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms", lpString2=".0B6CDD2808DA5412C550A1C4B8757C0BA6D42C68C4F6E9C41C2C0C898D372F27" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.0B6CDD2808DA5412C550A1C4B8757C0BA6D42C68C4F6E9C41C2C0C898D372F27") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.0B6CDD2808DA5412C550A1C4B8757C0BA6D42C68C4F6E9C41C2C0C898D372F27" [0100.046] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x54aae8, NumberOfConcurrentThreads=0x0) returned 0x94 [0100.046] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x54aae8, lpOverlapped=0x54aae8) returned 1 [0100.046] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7c1614f0, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x7c1614f0, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa60fd8f0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0xa4c400, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="PrjProrWW.msi", cAlternateFileName="PRJPRO~1.MSI")) returned 1 [0100.046] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="Windows") returned -1 [0100.046] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="Program Files") returned -1 [0100.046] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="Program Files (x86)") returned -1 [0100.046] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="$Recycle.bin") returned 1 [0100.046] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="System Volume Information") returned -1 [0100.046] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2=".") returned 1 [0100.046] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="..") returned 1 [0100.046] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 80 [0100.046] lstrcmpW (lpString1="PrjProrWW.msi", lpString2="PUSSY.TXT") returned -1 [0100.046] PathFindExtensionW (pszPath="PrjProrWW.msi") returned=".msi" [0100.046] lstrlenW (lpString=".msi") returned 4 [0100.046] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0100.046] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0100.093] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=10798080) returned 1 [0100.093] GetProcessHeap () returned 0x4c0000 [0100.093] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x572b38 [0100.108] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="34") returned 2 [0100.109] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="B2") returned 2 [0100.109] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="7F") returned 2 [0100.109] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="A8") returned 2 [0100.109] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="C1") returned 2 [0100.109] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="29") returned 2 [0100.109] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="BC") returned 2 [0100.109] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="CA") returned 2 [0100.109] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="6E") returned 2 [0100.109] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="2F") returned 2 [0100.109] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="B6") returned 2 [0100.109] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="FF") returned 2 [0100.109] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="9B") returned 2 [0100.109] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="74") returned 2 [0100.109] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="05") returned 2 [0100.109] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="CC") returned 2 [0100.109] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="29") returned 2 [0100.109] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="6F") returned 2 [0100.109] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="3B") returned 2 [0100.109] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="3E") returned 2 [0100.109] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="CC") returned 2 [0100.109] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="A4") returned 2 [0100.109] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="F0") returned 2 [0100.109] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="C6") returned 2 [0100.109] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="95") returned 2 [0100.109] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="C3") returned 2 [0100.110] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="F7") returned 2 [0100.110] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="9D") returned 2 [0100.110] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="AE") returned 2 [0100.110] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="63") returned 2 [0100.110] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="9B") returned 2 [0100.110] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="3F") returned 2 [0100.122] lstrcpyW (in: lpString1=0x582b6c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi" [0100.122] lstrcpyW (in: lpString1=0x572b6c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi" [0100.122] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi", lpString2=".34B27FA8C129BCCA6E2FB6FF9B7405CC296F3B3ECCA4F0C695C3F79DAE639B3F" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi.34B27FA8C129BCCA6E2FB6FF9B7405CC296F3B3ECCA4F0C695C3F79DAE639B3F") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi.34B27FA8C129BCCA6E2FB6FF9B7405CC296F3B3ECCA4F0C695C3F79DAE639B3F" [0100.122] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x572b38, NumberOfConcurrentThreads=0x0) returned 0x94 [0100.122] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x572b38, lpOverlapped=0x572b38) returned 1 [0100.122] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7cabec50, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x7cabec50, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa60fd8f0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x1915, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="PrjProrWW.xml", cAlternateFileName="PRJPRO~1.XML")) returned 1 [0100.122] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="Windows") returned -1 [0100.122] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="Program Files") returned -1 [0100.122] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="Program Files (x86)") returned -1 [0100.122] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="$Recycle.bin") returned 1 [0100.122] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="System Volume Information") returned -1 [0100.123] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2=".") returned 1 [0100.123] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="..") returned 1 [0100.123] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 80 [0100.123] lstrcmpW (lpString1="PrjProrWW.xml", lpString2="PUSSY.TXT") returned -1 [0100.123] PathFindExtensionW (pszPath="PrjProrWW.xml") returned=".xml" [0100.123] lstrlenW (lpString=".xml") returned 4 [0100.123] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0100.123] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0100.172] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=6421) returned 1 [0100.172] GetProcessHeap () returned 0x4c0000 [0100.173] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x54aae8 [0100.186] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="07") returned 2 [0100.186] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="2E") returned 2 [0100.186] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="88") returned 2 [0100.186] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="E2") returned 2 [0100.186] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="9F") returned 2 [0100.186] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="58") returned 2 [0100.186] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="9C") returned 2 [0100.186] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="71") returned 2 [0100.186] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="4F") returned 2 [0100.186] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="0B") returned 2 [0100.186] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="7E") returned 2 [0100.186] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="62") returned 2 [0100.186] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="41") returned 2 [0100.186] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="22") returned 2 [0100.186] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="75") returned 2 [0100.186] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="3A") returned 2 [0100.186] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="0C") returned 2 [0100.186] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="71") returned 2 [0100.186] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="F6") returned 2 [0100.186] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="84") returned 2 [0100.187] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="B3") returned 2 [0100.187] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="AD") returned 2 [0100.187] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="28") returned 2 [0100.187] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="6A") returned 2 [0100.187] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="84") returned 2 [0100.187] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="78") returned 2 [0100.187] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="48") returned 2 [0100.187] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="82") returned 2 [0100.187] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="70") returned 2 [0100.187] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="8F") returned 2 [0100.187] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="04") returned 2 [0100.187] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="51") returned 2 [0100.199] lstrcpyW (in: lpString1=0x55ab1c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" [0100.199] lstrcpyW (in: lpString1=0x54ab1c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" [0100.199] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml", lpString2=".072E88E29F589C714F0B7E624122753A0C71F684B3AD286A84784882708F0451" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.072E88E29F589C714F0B7E624122753A0C71F684B3AD286A84784882708F0451") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.072E88E29F589C714F0B7E624122753A0C71F684B3AD286A84784882708F0451" [0100.199] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x54aae8, NumberOfConcurrentThreads=0x0) returned 0x94 [0100.199] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x54aae8, lpOverlapped=0x54aae8) returned 1 [0100.200] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6c87b0c0, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x6c87b0c0, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa6b67930, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x9b6ba9f, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="PrjPrrWW.cab", cAlternateFileName="")) returned 1 [0100.209] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="Windows") returned -1 [0100.209] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="Program Files") returned -1 [0100.209] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="Program Files (x86)") returned -1 [0100.209] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="$Recycle.bin") returned 1 [0100.209] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="System Volume Information") returned -1 [0100.210] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2=".") returned 1 [0100.210] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="..") returned 1 [0100.210] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 79 [0100.210] lstrcmpW (lpString1="PrjPrrWW.cab", lpString2="PUSSY.TXT") returned -1 [0100.210] PathFindExtensionW (pszPath="PrjPrrWW.cab") returned=".cab" [0100.210] lstrlenW (lpString=".cab") returned 4 [0100.210] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0100.210] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0100.210] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=162970271) returned 1 [0100.211] GetProcessHeap () returned 0x4c0000 [0100.211] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x572b38 [0100.222] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="86") returned 2 [0100.223] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="8D") returned 2 [0100.223] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="A7") returned 2 [0100.223] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="DF") returned 2 [0100.223] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="91") returned 2 [0100.223] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="B8") returned 2 [0100.223] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="CB") returned 2 [0100.223] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="F9") returned 2 [0100.223] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="8F") returned 2 [0100.223] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="51") returned 2 [0100.223] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="48") returned 2 [0100.223] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="57") returned 2 [0100.223] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="9A") returned 2 [0100.223] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="06") returned 2 [0100.223] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="D3") returned 2 [0100.223] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="CA") returned 2 [0100.223] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="5B") returned 2 [0100.223] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="E1") returned 2 [0100.223] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="9D") returned 2 [0100.223] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="AD") returned 2 [0100.223] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="75") returned 2 [0100.223] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="27") returned 2 [0100.223] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="C6") returned 2 [0100.224] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="53") returned 2 [0100.224] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="03") returned 2 [0100.224] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="3C") returned 2 [0100.224] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="F2") returned 2 [0100.224] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="17") returned 2 [0100.224] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="6D") returned 2 [0100.224] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="13") returned 2 [0100.224] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="DC") returned 2 [0100.224] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="28") returned 2 [0100.239] lstrcpyW (in: lpString1=0x582b6c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab" [0100.239] lstrcpyW (in: lpString1=0x572b6c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab" [0100.239] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab", lpString2=".868DA7DF91B8CBF98F5148579A06D3CA5BE19DAD7527C653033CF2176D13DC28" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab.868DA7DF91B8CBF98F5148579A06D3CA5BE19DAD7527C653033CF2176D13DC28") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab.868DA7DF91B8CBF98F5148579A06D3CA5BE19DAD7527C653033CF2176D13DC28" [0100.239] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x572b38, NumberOfConcurrentThreads=0x0) returned 0x94 [0100.239] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x572b38, lpOverlapped=0x572b38) returned 1 [0100.239] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x69dde270, ftCreationTime.dwHighDateTime=0x1cb04b2, ftLastAccessTime.dwLowDateTime=0x69dde270, ftLastAccessTime.dwHighDateTime=0x1cb04b2, ftLastWriteTime.dwLowDateTime=0xa8191670, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x150578, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="setup.exe", cAlternateFileName="")) returned 1 [0100.239] lstrcmpiW (lpString1="setup.exe", lpString2="Windows") returned -1 [0100.239] lstrcmpiW (lpString1="setup.exe", lpString2="Program Files") returned 1 [0100.240] lstrcmpiW (lpString1="setup.exe", lpString2="Program Files (x86)") returned 1 [0100.240] lstrcmpiW (lpString1="setup.exe", lpString2="$Recycle.bin") returned 1 [0100.240] lstrcmpiW (lpString1="setup.exe", lpString2="System Volume Information") returned -1 [0100.271] lstrcmpiW (lpString1="setup.exe", lpString2=".") returned 1 [0100.272] lstrcmpiW (lpString1="setup.exe", lpString2="..") returned 1 [0100.272] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 76 [0100.272] lstrcmpW (lpString1="setup.exe", lpString2="PUSSY.TXT") returned 1 [0100.272] PathFindExtensionW (pszPath="setup.exe") returned=".exe" [0100.272] lstrlenW (lpString=".exe") returned 4 [0100.272] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0100.272] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0100.272] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=1377656) returned 1 [0100.272] GetProcessHeap () returned 0x4c0000 [0100.272] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x54aae8 [0100.283] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="EB") returned 2 [0100.283] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="27") returned 2 [0100.283] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="D3") returned 2 [0100.283] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="1F") returned 2 [0100.283] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="D0") returned 2 [0100.283] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="85") returned 2 [0100.283] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="AD") returned 2 [0100.283] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="7C") returned 2 [0100.283] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="3B") returned 2 [0100.283] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="C8") returned 2 [0100.283] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="D6") returned 2 [0100.283] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="38") returned 2 [0100.283] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="BF") returned 2 [0100.283] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="8E") returned 2 [0100.283] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="4F") returned 2 [0100.283] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="DF") returned 2 [0100.283] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="26") returned 2 [0100.283] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="6E") returned 2 [0100.283] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="8A") returned 2 [0100.283] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="4B") returned 2 [0100.283] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="71") returned 2 [0100.283] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="52") returned 2 [0100.283] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="CD") returned 2 [0100.283] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="2C") returned 2 [0100.283] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="70") returned 2 [0100.283] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="30") returned 2 [0100.283] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="93") returned 2 [0100.284] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="30") returned 2 [0100.284] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="2A") returned 2 [0100.284] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="06") returned 2 [0100.284] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="85") returned 2 [0100.284] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="33") returned 2 [0100.293] lstrcpyW (in: lpString1=0x55ab1c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" [0100.293] lstrcpyW (in: lpString1=0x54ab1c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" [0100.293] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe", lpString2=".EB27D31FD085AD7C3BC8D638BF8E4FDF266E8A4B7152CD2C703093302A068533" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe.EB27D31FD085AD7C3BC8D638BF8E4FDF266E8A4B7152CD2C703093302A068533") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe.EB27D31FD085AD7C3BC8D638BF8E4FDF266E8A4B7152CD2C703093302A068533" [0100.293] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x54aae8, NumberOfConcurrentThreads=0x0) returned 0x94 [0100.293] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x54aae8, lpOverlapped=0x54aae8) returned 1 [0100.294] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7ca00570, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x7ca00570, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa8c227b0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x412b, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0100.294] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0100.294] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0100.294] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0100.326] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0100.326] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0100.326] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0100.326] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0100.329] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0100.329] lstrcmpW (lpString1="Setup.xml", lpString2="PUSSY.TXT") returned 1 [0100.329] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0100.329] lstrlenW (lpString=".xml") returned 4 [0100.329] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0100.329] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0100.330] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=16683) returned 1 [0100.330] GetProcessHeap () returned 0x4c0000 [0100.330] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x54aae8 [0100.344] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="21") returned 2 [0100.344] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="82") returned 2 [0100.344] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="B9") returned 2 [0100.344] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="CF") returned 2 [0100.344] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="B4") returned 2 [0100.345] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="63") returned 2 [0100.345] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="8F") returned 2 [0100.345] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="70") returned 2 [0100.345] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="51") returned 2 [0100.345] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="E7") returned 2 [0100.345] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="9A") returned 2 [0100.345] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="EC") returned 2 [0100.345] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="31") returned 2 [0100.345] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="1D") returned 2 [0100.345] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="46") returned 2 [0100.345] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="D3") returned 2 [0100.345] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="AF") returned 2 [0100.345] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="29") returned 2 [0100.345] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="6D") returned 2 [0100.345] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="BF") returned 2 [0100.345] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="EB") returned 2 [0100.345] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="5B") returned 2 [0100.345] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="DC") returned 2 [0100.345] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="6C") returned 2 [0100.345] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="1F") returned 2 [0100.345] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="55") returned 2 [0100.345] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="CC") returned 2 [0100.345] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="70") returned 2 [0100.345] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="90") returned 2 [0100.346] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="EE") returned 2 [0100.346] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="1B") returned 2 [0100.346] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="1B") returned 2 [0100.360] lstrcpyW (in: lpString1=0x55ab1c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" [0100.360] lstrcpyW (in: lpString1=0x54ab1c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" [0100.360] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".2182B9CFB4638F7051E79AEC311D46D3AF296DBFEB5BDC6C1F55CC7090EE1B1B" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.2182B9CFB4638F7051E79AEC311D46D3AF296DBFEB5BDC6C1F55CC7090EE1B1B") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.2182B9CFB4638F7051E79AEC311D46D3AF296DBFEB5BDC6C1F55CC7090EE1B1B" [0100.360] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x54aae8, NumberOfConcurrentThreads=0x0) returned 0x94 [0100.360] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x54aae8, lpOverlapped=0x54aae8) returned 1 [0100.413] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7ca00570, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x7ca00570, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa8c227b0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x412b, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0100.413] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0100.413] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PUSSY.TXT") returned 76 [0100.413] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PUSSY.TXT" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0100.414] lstrlenA (lpString="abcd") returned 4 [0100.414] WriteFile (in: hFile=0x1a0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0100.415] CloseHandle (hObject=0x1a0) returned 1 [0100.415] GetProcessHeap () returned 0x4c0000 [0100.415] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0100.415] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x4a6d41a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d41a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="{91140000-0057-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~2")) returned 1 [0100.415] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0100.415] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0100.415] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0100.415] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0100.415] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0100.415] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0100.415] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0100.416] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C") returned 66 [0100.416] GetProcessHeap () returned 0x4c0000 [0100.416] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0100.416] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C" [0100.416] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="\\*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*" [0100.416] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x4a6d41a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d41a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0100.418] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0100.418] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0100.418] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0100.419] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0100.419] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0100.419] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0100.419] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x4a6d41a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d41a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0100.419] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0100.419] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0100.419] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0100.419] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0100.419] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0100.419] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0100.419] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0100.419] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe5ed9630, ftCreationTime.dwHighDateTime=0x1cb12b3, ftLastAccessTime.dwLowDateTime=0xe5ed9630, ftLastAccessTime.dwHighDateTime=0x1cb12b3, ftLastWriteTime.dwLowDateTime=0x4655d500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x1e6600, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Office32WW.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0100.419] lstrcmpiW (lpString1="Office32WW.msi", lpString2="Windows") returned -1 [0100.419] lstrcmpiW (lpString1="Office32WW.msi", lpString2="Program Files") returned -1 [0100.419] lstrcmpiW (lpString1="Office32WW.msi", lpString2="Program Files (x86)") returned -1 [0100.419] lstrcmpiW (lpString1="Office32WW.msi", lpString2="$Recycle.bin") returned 1 [0100.419] lstrcmpiW (lpString1="Office32WW.msi", lpString2="System Volume Information") returned -1 [0100.419] lstrcmpiW (lpString1="Office32WW.msi", lpString2=".") returned 1 [0100.419] lstrcmpiW (lpString1="Office32WW.msi", lpString2="..") returned 1 [0100.419] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 81 [0100.419] lstrcmpW (lpString1="Office32WW.msi", lpString2="PUSSY.TXT") returned -1 [0100.419] PathFindExtensionW (pszPath="Office32WW.msi") returned=".msi" [0100.419] lstrlenW (lpString=".msi") returned 4 [0100.419] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0100.419] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0100.420] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=1992192) returned 1 [0100.420] GetProcessHeap () returned 0x4c0000 [0100.420] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x54aae8 [0100.435] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="50") returned 2 [0100.435] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="5A") returned 2 [0100.435] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="3C") returned 2 [0100.435] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="D6") returned 2 [0100.435] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="15") returned 2 [0100.435] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="C9") returned 2 [0100.435] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="9F") returned 2 [0100.435] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="02") returned 2 [0100.435] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="EC") returned 2 [0100.435] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="7A") returned 2 [0100.435] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="D6") returned 2 [0100.435] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="8E") returned 2 [0100.436] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="8E") returned 2 [0100.436] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="76") returned 2 [0100.436] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="07") returned 2 [0100.436] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="90") returned 2 [0100.436] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="C0") returned 2 [0100.436] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="9C") returned 2 [0100.436] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="97") returned 2 [0100.436] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="A1") returned 2 [0100.436] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="BF") returned 2 [0100.436] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="0A") returned 2 [0100.436] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="D7") returned 2 [0100.436] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="E7") returned 2 [0100.436] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="53") returned 2 [0100.436] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="0D") returned 2 [0100.436] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="55") returned 2 [0100.436] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="DE") returned 2 [0100.436] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="1B") returned 2 [0100.436] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="E6") returned 2 [0100.436] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="F8") returned 2 [0100.436] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="31") returned 2 [0100.450] lstrcpyW (in: lpString1=0x55ab1c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi" [0100.450] lstrcpyW (in: lpString1=0x54ab1c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi" [0100.450] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi", lpString2=".505A3CD615C99F02EC7AD68E8E760790C09C97A1BF0AD7E7530D55DE1BE6F831" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi.505A3CD615C99F02EC7AD68E8E760790C09C97A1BF0AD7E7530D55DE1BE6F831") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi.505A3CD615C99F02EC7AD68E8E760790C09C97A1BF0AD7E7530D55DE1BE6F831" [0100.450] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x54aae8, NumberOfConcurrentThreads=0x0) returned 0x94 [0100.450] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x54aae8, lpOverlapped=0x54aae8) returned 1 [0100.451] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x16771fb0, ftCreationTime.dwHighDateTime=0x1cb12b4, ftLastAccessTime.dwLowDateTime=0x16771fb0, ftLastAccessTime.dwHighDateTime=0x1cb12b4, ftLastWriteTime.dwLowDateTime=0x46536400, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x10b2, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Office32WW.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0100.451] lstrcmpiW (lpString1="Office32WW.xml", lpString2="Windows") returned -1 [0100.451] lstrcmpiW (lpString1="Office32WW.xml", lpString2="Program Files") returned -1 [0100.451] lstrcmpiW (lpString1="Office32WW.xml", lpString2="Program Files (x86)") returned -1 [0100.451] lstrcmpiW (lpString1="Office32WW.xml", lpString2="$Recycle.bin") returned 1 [0100.451] lstrcmpiW (lpString1="Office32WW.xml", lpString2="System Volume Information") returned -1 [0100.451] lstrcmpiW (lpString1="Office32WW.xml", lpString2=".") returned 1 [0100.451] lstrcmpiW (lpString1="Office32WW.xml", lpString2="..") returned 1 [0100.451] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0100.451] lstrcmpW (lpString1="Office32WW.xml", lpString2="PUSSY.TXT") returned -1 [0100.451] PathFindExtensionW (pszPath="Office32WW.xml") returned=".xml" [0100.451] lstrlenW (lpString=".xml") returned 4 [0100.451] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0100.451] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0100.452] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=4274) returned 1 [0100.452] GetProcessHeap () returned 0x4c0000 [0100.452] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x572b38 [0100.467] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="CE") returned 2 [0100.468] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="6E") returned 2 [0100.468] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="44") returned 2 [0100.468] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="C3") returned 2 [0100.468] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="37") returned 2 [0100.468] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="BC") returned 2 [0100.468] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="10") returned 2 [0100.468] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="98") returned 2 [0100.468] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="31") returned 2 [0100.468] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="6D") returned 2 [0100.468] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="4B") returned 2 [0100.468] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="75") returned 2 [0100.468] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="3B") returned 2 [0100.468] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="77") returned 2 [0100.468] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="B0") returned 2 [0100.468] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="E3") returned 2 [0100.468] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="76") returned 2 [0100.468] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="F0") returned 2 [0100.468] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="1C") returned 2 [0100.468] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="1C") returned 2 [0100.468] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="48") returned 2 [0100.468] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="9C") returned 2 [0100.468] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="30") returned 2 [0100.468] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="4C") returned 2 [0100.468] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="8B") returned 2 [0100.469] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="74") returned 2 [0100.469] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="22") returned 2 [0100.469] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="32") returned 2 [0100.469] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="23") returned 2 [0100.469] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="B7") returned 2 [0100.469] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="CB") returned 2 [0100.469] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="6A") returned 2 [0100.483] lstrcpyW (in: lpString1=0x582b6c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" [0100.483] lstrcpyW (in: lpString1=0x572b6c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" [0100.483] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpString2=".CE6E44C337BC1098316D4B753B77B0E376F01C1C489C304C8B74223223B7CB6A" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.CE6E44C337BC1098316D4B753B77B0E376F01C1C489C304C8B74223223B7CB6A") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.CE6E44C337BC1098316D4B753B77B0E376F01C1C489C304C8B74223223B7CB6A" [0100.483] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x572b38, NumberOfConcurrentThreads=0x0) returned 0x94 [0100.483] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x572b38, lpOverlapped=0x572b38) returned 1 [0100.483] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xec54b6b0, ftCreationTime.dwHighDateTime=0x1cb04a9, ftLastAccessTime.dwLowDateTime=0xec54b6b0, ftLastAccessTime.dwHighDateTime=0x1cb04a9, ftLastWriteTime.dwLowDateTime=0x4a687710, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x2a968, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="ose.exe", cAlternateFileName="")) returned 1 [0100.483] lstrcmpiW (lpString1="ose.exe", lpString2="Windows") returned -1 [0100.483] lstrcmpiW (lpString1="ose.exe", lpString2="Program Files") returned -1 [0100.483] lstrcmpiW (lpString1="ose.exe", lpString2="Program Files (x86)") returned -1 [0100.483] lstrcmpiW (lpString1="ose.exe", lpString2="$Recycle.bin") returned 1 [0100.483] lstrcmpiW (lpString1="ose.exe", lpString2="System Volume Information") returned -1 [0100.483] lstrcmpiW (lpString1="ose.exe", lpString2=".") returned 1 [0100.483] lstrcmpiW (lpString1="ose.exe", lpString2="..") returned 1 [0100.483] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 74 [0100.483] lstrcmpW (lpString1="ose.exe", lpString2="PUSSY.TXT") returned -1 [0100.484] PathFindExtensionW (pszPath="ose.exe") returned=".exe" [0100.484] lstrlenW (lpString=".exe") returned 4 [0100.484] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0100.484] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0100.546] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=174440) returned 1 [0100.546] GetProcessHeap () returned 0x4c0000 [0100.546] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x572b38 [0100.560] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="89") returned 2 [0100.560] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="F5") returned 2 [0100.560] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="7B") returned 2 [0100.560] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="62") returned 2 [0100.560] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="A6") returned 2 [0100.560] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="22") returned 2 [0100.560] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="88") returned 2 [0100.560] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="60") returned 2 [0100.560] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="B7") returned 2 [0100.560] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="09") returned 2 [0100.560] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="55") returned 2 [0100.561] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="F7") returned 2 [0100.561] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="3A") returned 2 [0100.561] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="36") returned 2 [0100.561] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="69") returned 2 [0100.561] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="03") returned 2 [0100.561] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="48") returned 2 [0100.561] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="D9") returned 2 [0100.561] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="77") returned 2 [0100.561] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="33") returned 2 [0100.561] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="80") returned 2 [0100.561] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="B1") returned 2 [0100.561] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="38") returned 2 [0100.561] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="56") returned 2 [0100.561] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="0E") returned 2 [0100.561] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="F3") returned 2 [0100.561] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="5E") returned 2 [0100.561] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="ED") returned 2 [0100.561] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="61") returned 2 [0100.561] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="B8") returned 2 [0100.561] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="8A") returned 2 [0100.561] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="34") returned 2 [0100.579] lstrcpyW (in: lpString1=0x582b6c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" [0100.579] lstrcpyW (in: lpString1=0x572b6c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" [0100.579] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe", lpString2=".89F57B62A6228860B70955F73A36690348D9773380B138560EF35EED61B88A34" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe.89F57B62A6228860B70955F73A36690348D9773380B138560EF35EED61B88A34") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe.89F57B62A6228860B70955F73A36690348D9773380B138560EF35EED61B88A34" [0100.579] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x572b38, NumberOfConcurrentThreads=0x0) returned 0x94 [0100.579] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x572b38, lpOverlapped=0x572b38) returned 1 [0100.580] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xde72fbf0, ftCreationTime.dwHighDateTime=0x1cb0d0b, ftLastAccessTime.dwLowDateTime=0xde72fbf0, ftLastAccessTime.dwHighDateTime=0x1cb0d0b, ftLastWriteTime.dwLowDateTime=0x49c902c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x709768, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="osetup.dll", cAlternateFileName="")) returned 1 [0100.580] lstrcmpiW (lpString1="osetup.dll", lpString2="Windows") returned -1 [0100.580] lstrcmpiW (lpString1="osetup.dll", lpString2="Program Files") returned -1 [0100.629] lstrcmpiW (lpString1="osetup.dll", lpString2="Program Files (x86)") returned -1 [0100.629] lstrcmpiW (lpString1="osetup.dll", lpString2="$Recycle.bin") returned 1 [0100.629] lstrcmpiW (lpString1="osetup.dll", lpString2="System Volume Information") returned -1 [0100.629] lstrcmpiW (lpString1="osetup.dll", lpString2=".") returned 1 [0100.629] lstrcmpiW (lpString1="osetup.dll", lpString2="..") returned 1 [0100.629] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 77 [0100.629] lstrcmpW (lpString1="osetup.dll", lpString2="PUSSY.TXT") returned -1 [0100.629] PathFindExtensionW (pszPath="osetup.dll") returned=".dll" [0100.629] lstrlenW (lpString=".dll") returned 4 [0100.629] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0100.629] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x198 [0100.630] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=7378792) returned 1 [0100.630] GetProcessHeap () returned 0x4c0000 [0100.630] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b00048 [0100.641] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="1C") returned 2 [0100.641] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="38") returned 2 [0100.641] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="EB") returned 2 [0100.641] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="B3") returned 2 [0100.641] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="24") returned 2 [0100.641] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="E0") returned 2 [0100.641] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="B9") returned 2 [0100.641] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="DA") returned 2 [0100.641] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="63") returned 2 [0100.641] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="50") returned 2 [0100.641] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="69") returned 2 [0100.641] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="8B") returned 2 [0100.641] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="C9") returned 2 [0100.641] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="CE") returned 2 [0100.641] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="B7") returned 2 [0100.641] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="E3") returned 2 [0100.641] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="18") returned 2 [0100.641] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="5C") returned 2 [0100.641] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="66") returned 2 [0100.641] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="59") returned 2 [0100.641] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="13") returned 2 [0100.641] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="70") returned 2 [0100.641] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="42") returned 2 [0100.641] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="BF") returned 2 [0100.641] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="D7") returned 2 [0100.641] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="E5") returned 2 [0100.641] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="FA") returned 2 [0100.642] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="09") returned 2 [0100.642] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="04") returned 2 [0100.642] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="D2") returned 2 [0100.642] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="8A") returned 2 [0100.642] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="2B") returned 2 [0100.652] lstrcpyW (in: lpString1=0x3b1007c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll" [0100.652] lstrcpyW (in: lpString1=0x3b0007c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll" [0100.652] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll", lpString2=".1C38EBB324E0B9DA6350698BC9CEB7E3185C6659137042BFD7E5FA0904D28A2B" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll.1C38EBB324E0B9DA6350698BC9CEB7E3185C6659137042BFD7E5FA0904D28A2B") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll.1C38EBB324E0B9DA6350698BC9CEB7E3185C6659137042BFD7E5FA0904D28A2B" [0100.652] CreateIoCompletionPort (FileHandle=0x198, ExistingCompletionPort=0x94, CompletionKey=0x3b00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0100.653] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b00048, lpOverlapped=0x3b00048) returned 1 [0100.653] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc9c380f0, ftCreationTime.dwHighDateTime=0x1cb12b3, ftLastAccessTime.dwLowDateTime=0xc9c380f0, ftLastAccessTime.dwHighDateTime=0x1cb12b3, ftLastWriteTime.dwLowDateTime=0x465d00f0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x228df5c, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="OWOW32WW.cab", cAlternateFileName="")) returned 1 [0100.653] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="Windows") returned -1 [0100.653] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="Program Files") returned -1 [0100.653] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="Program Files (x86)") returned -1 [0100.653] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="$Recycle.bin") returned 1 [0100.653] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="System Volume Information") returned -1 [0100.653] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2=".") returned 1 [0100.653] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="..") returned 1 [0100.653] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 79 [0100.653] lstrcmpW (lpString1="OWOW32WW.cab", lpString2="PUSSY.TXT") returned -1 [0100.653] PathFindExtensionW (pszPath="OWOW32WW.cab") returned=".cab" [0100.653] lstrlenW (lpString=".cab") returned 4 [0100.653] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0100.653] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x188 [0100.654] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=36233052) returned 1 [0100.654] GetProcessHeap () returned 0x4c0000 [0100.654] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b28098 [0100.694] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="A4") returned 2 [0100.694] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="B2") returned 2 [0100.694] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="51") returned 2 [0100.694] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="18") returned 2 [0100.694] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="70") returned 2 [0100.694] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="67") returned 2 [0100.695] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="0D") returned 2 [0100.695] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="26") returned 2 [0100.695] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="D4") returned 2 [0100.695] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="57") returned 2 [0100.695] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="92") returned 2 [0100.695] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="1D") returned 2 [0100.695] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="32") returned 2 [0100.695] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="35") returned 2 [0100.695] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="85") returned 2 [0100.695] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="3A") returned 2 [0100.695] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="01") returned 2 [0100.695] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="84") returned 2 [0100.695] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="92") returned 2 [0100.695] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="0E") returned 2 [0100.695] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="44") returned 2 [0100.695] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="3B") returned 2 [0100.695] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="CC") returned 2 [0100.695] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="07") returned 2 [0100.695] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="21") returned 2 [0100.695] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="BC") returned 2 [0100.695] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="36") returned 2 [0100.695] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="2F") returned 2 [0100.695] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="9B") returned 2 [0100.695] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="6D") returned 2 [0100.695] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="69") returned 2 [0100.695] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="33") returned 2 [0100.705] lstrcpyW (in: lpString1=0x3b380cc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" [0100.705] lstrcpyW (in: lpString1=0x3b280cc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" [0100.705] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab", lpString2=".A4B2511870670D26D457921D3235853A0184920E443BCC0721BC362F9B6D6933" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.A4B2511870670D26D457921D3235853A0184920E443BCC0721BC362F9B6D6933") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.A4B2511870670D26D457921D3235853A0184920E443BCC0721BC362F9B6D6933" [0100.705] CreateIoCompletionPort (FileHandle=0x188, ExistingCompletionPort=0x94, CompletionKey=0x3b28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0100.705] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b28098, lpOverlapped=0x3b28098) returned 1 [0100.706] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe7c66670, ftCreationTime.dwHighDateTime=0x1cb0ee5, ftLastAccessTime.dwLowDateTime=0xe7c66670, ftLastAccessTime.dwHighDateTime=0x1cb0ee5, ftLastWriteTime.dwLowDateTime=0x4a6ac100, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x165510, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="PidGenX.dll", cAlternateFileName="")) returned 1 [0100.706] lstrcmpiW (lpString1="PidGenX.dll", lpString2="Windows") returned -1 [0100.706] lstrcmpiW (lpString1="PidGenX.dll", lpString2="Program Files") returned -1 [0100.706] lstrcmpiW (lpString1="PidGenX.dll", lpString2="Program Files (x86)") returned -1 [0100.706] lstrcmpiW (lpString1="PidGenX.dll", lpString2="$Recycle.bin") returned 1 [0100.706] lstrcmpiW (lpString1="PidGenX.dll", lpString2="System Volume Information") returned -1 [0100.706] lstrcmpiW (lpString1="PidGenX.dll", lpString2=".") returned 1 [0100.706] lstrcmpiW (lpString1="PidGenX.dll", lpString2="..") returned 1 [0100.706] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 78 [0100.706] lstrcmpW (lpString1="PidGenX.dll", lpString2="PUSSY.TXT") returned -1 [0100.706] PathFindExtensionW (pszPath="PidGenX.dll") returned=".dll" [0100.706] lstrlenW (lpString=".dll") returned 4 [0100.706] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0100.706] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x180 [0100.707] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=1463568) returned 1 [0100.707] GetProcessHeap () returned 0x4c0000 [0100.707] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b500e8 [0100.721] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="23") returned 2 [0100.721] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="52") returned 2 [0100.721] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="B8") returned 2 [0100.721] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="48") returned 2 [0100.721] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="D7") returned 2 [0100.721] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="8F") returned 2 [0100.721] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="40") returned 2 [0100.721] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="43") returned 2 [0100.721] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="5A") returned 2 [0100.721] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="55") returned 2 [0100.721] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="82") returned 2 [0100.721] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="18") returned 2 [0100.721] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="3E") returned 2 [0100.721] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="64") returned 2 [0100.721] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="67") returned 2 [0100.721] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="0B") returned 2 [0100.721] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="92") returned 2 [0100.721] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="C5") returned 2 [0100.721] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="06") returned 2 [0100.721] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="FE") returned 2 [0100.721] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="9E") returned 2 [0100.721] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="02") returned 2 [0100.721] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="D8") returned 2 [0100.722] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="B0") returned 2 [0100.722] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="AF") returned 2 [0100.722] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="3D") returned 2 [0100.722] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="AF") returned 2 [0100.722] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="24") returned 2 [0100.722] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="FF") returned 2 [0100.722] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="E0") returned 2 [0100.722] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="2A") returned 2 [0100.722] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="1C") returned 2 [0100.731] lstrcpyW (in: lpString1=0x3b6011c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" [0100.731] lstrcpyW (in: lpString1=0x3b5011c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" [0100.731] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll", lpString2=".2352B848D78F40435A5582183E64670B92C506FE9E02D8B0AF3DAF24FFE02A1C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll.2352B848D78F40435A5582183E64670B92C506FE9E02D8B0AF3DAF24FFE02A1C") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll.2352B848D78F40435A5582183E64670B92C506FE9E02D8B0AF3DAF24FFE02A1C" [0100.731] CreateIoCompletionPort (FileHandle=0x180, ExistingCompletionPort=0x94, CompletionKey=0x3b500e8, NumberOfConcurrentThreads=0x0) returned 0x94 [0100.731] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b500e8, lpOverlapped=0x3b500e8) returned 1 [0100.731] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x95261510, ftCreationTime.dwHighDateTime=0x1cb048a, ftLastAccessTime.dwLowDateTime=0x95261510, ftLastAccessTime.dwHighDateTime=0x1cb048a, ftLastWriteTime.dwLowDateTime=0x4a6ac100, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0xaec3a, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="pkeyconfig-office.xrm-ms", cAlternateFileName="PKEYCO~1.XRM")) returned 1 [0100.731] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="Windows") returned -1 [0100.731] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="Program Files") returned -1 [0100.731] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="Program Files (x86)") returned -1 [0100.731] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="$Recycle.bin") returned 1 [0100.731] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="System Volume Information") returned -1 [0100.731] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2=".") returned 1 [0100.731] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="..") returned 1 [0100.732] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0100.732] lstrcmpW (lpString1="pkeyconfig-office.xrm-ms", lpString2="PUSSY.TXT") returned -1 [0100.732] PathFindExtensionW (pszPath="pkeyconfig-office.xrm-ms") returned=".xrm-ms" [0100.732] lstrlenW (lpString=".xrm-ms") returned 7 [0100.732] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0100.732] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x174 [0100.732] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=715834) returned 1 [0100.732] GetProcessHeap () returned 0x4c0000 [0100.732] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b78138 [0100.815] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="44") returned 2 [0100.815] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="7B") returned 2 [0100.815] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="19") returned 2 [0100.815] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="8E") returned 2 [0100.815] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="D5") returned 2 [0100.815] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="17") returned 2 [0100.815] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="48") returned 2 [0100.815] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="DA") returned 2 [0100.815] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="0C") returned 2 [0100.815] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="AD") returned 2 [0100.815] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="A9") returned 2 [0100.815] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="74") returned 2 [0100.815] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="14") returned 2 [0100.815] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="28") returned 2 [0100.815] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="A5") returned 2 [0100.815] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="8E") returned 2 [0100.815] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="F4") returned 2 [0100.815] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="9E") returned 2 [0100.815] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="29") returned 2 [0100.815] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="22") returned 2 [0100.815] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="2C") returned 2 [0100.815] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="7F") returned 2 [0100.815] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="D4") returned 2 [0100.815] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="DC") returned 2 [0100.816] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="BD") returned 2 [0100.816] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="22") returned 2 [0100.816] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="10") returned 2 [0100.816] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="9B") returned 2 [0100.816] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="80") returned 2 [0100.816] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="CF") returned 2 [0100.816] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="D8") returned 2 [0100.816] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="49") returned 2 [0100.824] lstrcpyW (in: lpString1=0x3b8816c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" [0100.824] lstrcpyW (in: lpString1=0x3b7816c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" [0100.825] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms", lpString2=".447B198ED51748DA0CADA9741428A58EF49E29222C7FD4DCBD22109B80CFD849" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.447B198ED51748DA0CADA9741428A58EF49E29222C7FD4DCBD22109B80CFD849") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.447B198ED51748DA0CADA9741428A58EF49E29222C7FD4DCBD22109B80CFD849" [0100.825] CreateIoCompletionPort (FileHandle=0x174, ExistingCompletionPort=0x94, CompletionKey=0x3b78138, NumberOfConcurrentThreads=0x0) returned 0x94 [0100.825] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b78138, lpOverlapped=0x3b78138) returned 1 [0100.872] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xeb7e7af0, ftCreationTime.dwHighDateTime=0x1cb04a9, ftLastAccessTime.dwLowDateTime=0xeb7e7af0, ftLastAccessTime.dwHighDateTime=0x1cb04a9, ftLastWriteTime.dwLowDateTime=0x49c691c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x150578, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="setup.exe", cAlternateFileName="")) returned 1 [0100.872] lstrcmpiW (lpString1="setup.exe", lpString2="Windows") returned -1 [0100.872] lstrcmpiW (lpString1="setup.exe", lpString2="Program Files") returned 1 [0100.872] lstrcmpiW (lpString1="setup.exe", lpString2="Program Files (x86)") returned 1 [0100.872] lstrcmpiW (lpString1="setup.exe", lpString2="$Recycle.bin") returned 1 [0100.873] lstrcmpiW (lpString1="setup.exe", lpString2="System Volume Information") returned -1 [0100.873] lstrcmpiW (lpString1="setup.exe", lpString2=".") returned 1 [0100.873] lstrcmpiW (lpString1="setup.exe", lpString2="..") returned 1 [0100.873] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 76 [0100.876] lstrcmpW (lpString1="setup.exe", lpString2="PUSSY.TXT") returned 1 [0100.876] PathFindExtensionW (pszPath="setup.exe") returned=".exe" [0100.876] lstrlenW (lpString=".exe") returned 4 [0100.876] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0100.876] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x188 [0100.877] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=1377656) returned 1 [0100.877] GetProcessHeap () returned 0x4c0000 [0100.877] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x54aae8 [0100.889] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="3E") returned 2 [0100.889] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="94") returned 2 [0100.889] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="38") returned 2 [0100.889] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="FC") returned 2 [0100.889] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="3F") returned 2 [0100.889] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="C1") returned 2 [0100.889] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="A4") returned 2 [0100.889] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="46") returned 2 [0100.889] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="2A") returned 2 [0100.889] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="A6") returned 2 [0100.889] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="76") returned 2 [0100.889] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="9E") returned 2 [0100.889] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="F3") returned 2 [0100.889] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="A2") returned 2 [0100.889] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="52") returned 2 [0100.889] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="4C") returned 2 [0100.889] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="04") returned 2 [0100.889] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="DA") returned 2 [0100.889] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="1B") returned 2 [0100.889] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="09") returned 2 [0100.889] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="70") returned 2 [0100.889] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="FC") returned 2 [0100.890] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="F1") returned 2 [0100.890] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="42") returned 2 [0100.890] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="D2") returned 2 [0100.890] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="CA") returned 2 [0100.890] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="1F") returned 2 [0100.890] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="28") returned 2 [0100.890] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="3C") returned 2 [0100.890] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="E4") returned 2 [0100.890] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="2F") returned 2 [0100.890] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="79") returned 2 [0100.898] lstrcpyW (in: lpString1=0x55ab1c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" [0100.898] lstrcpyW (in: lpString1=0x54ab1c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" [0100.898] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe", lpString2=".3E9438FC3FC1A4462AA6769EF3A2524C04DA1B0970FCF142D2CA1F283CE42F79" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe.3E9438FC3FC1A4462AA6769EF3A2524C04DA1B0970FCF142D2CA1F283CE42F79") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe.3E9438FC3FC1A4462AA6769EF3A2524C04DA1B0970FCF142D2CA1F283CE42F79" [0100.898] CreateIoCompletionPort (FileHandle=0x188, ExistingCompletionPort=0x94, CompletionKey=0x54aae8, NumberOfConcurrentThreads=0x0) returned 0x94 [0100.898] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x54aae8, lpOverlapped=0x54aae8) returned 1 [0100.899] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80aa51d0, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x80aa51d0, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x4a6d3200, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x5061, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0100.899] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0100.899] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0100.899] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0100.899] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0100.899] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0100.899] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0100.899] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0100.899] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0100.899] lstrcmpW (lpString1="Setup.xml", lpString2="PUSSY.TXT") returned 1 [0100.899] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0100.899] lstrlenW (lpString=".xml") returned 4 [0100.899] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0100.899] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x180 [0100.899] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=20577) returned 1 [0100.899] GetProcessHeap () returned 0x4c0000 [0100.899] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x572b38 [0100.910] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="70") returned 2 [0100.910] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="C3") returned 2 [0100.910] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="9E") returned 2 [0100.910] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="FF") returned 2 [0100.910] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="FF") returned 2 [0100.910] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="5A") returned 2 [0100.910] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="C6") returned 2 [0100.910] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="FE") returned 2 [0100.910] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="71") returned 2 [0100.910] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="4C") returned 2 [0100.910] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="73") returned 2 [0100.910] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="D3") returned 2 [0100.910] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="89") returned 2 [0100.910] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="68") returned 2 [0100.910] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="B8") returned 2 [0100.910] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="26") returned 2 [0100.910] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="22") returned 2 [0100.910] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="B1") returned 2 [0100.910] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="E9") returned 2 [0100.910] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="24") returned 2 [0100.910] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="63") returned 2 [0100.910] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="55") returned 2 [0100.910] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="97") returned 2 [0100.910] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="E7") returned 2 [0100.910] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="57") returned 2 [0100.910] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="02") returned 2 [0100.910] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="91") returned 2 [0100.910] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="7C") returned 2 [0100.911] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="58") returned 2 [0100.911] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="39") returned 2 [0100.911] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="5A") returned 2 [0100.911] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="4E") returned 2 [0100.919] lstrcpyW (in: lpString1=0x582b6c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" [0100.919] lstrcpyW (in: lpString1=0x572b6c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" [0100.919] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".70C39EFFFF5AC6FE714C73D38968B82622B1E924635597E75702917C58395A4E" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.70C39EFFFF5AC6FE714C73D38968B82622B1E924635597E75702917C58395A4E") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.70C39EFFFF5AC6FE714C73D38968B82622B1E924635597E75702917C58395A4E" [0100.919] CreateIoCompletionPort (FileHandle=0x180, ExistingCompletionPort=0x94, CompletionKey=0x572b38, NumberOfConcurrentThreads=0x0) returned 0x94 [0100.919] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x572b38, lpOverlapped=0x572b38) returned 1 [0100.920] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x749b0240, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x749b0240, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x46a46a30, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0xb9fa2f7, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="VisiorWW.cab", cAlternateFileName="")) returned 1 [0100.920] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="Windows") returned -1 [0100.920] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="Program Files") returned 1 [0100.920] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="Program Files (x86)") returned 1 [0100.920] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="$Recycle.bin") returned 1 [0100.920] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="System Volume Information") returned 1 [0100.920] lstrcmpiW (lpString1="VisiorWW.cab", lpString2=".") returned 1 [0100.920] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="..") returned 1 [0100.920] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 79 [0100.947] lstrcmpW (lpString1="VisiorWW.cab", lpString2="PUSSY.TXT") returned 1 [0100.947] PathFindExtensionW (pszPath="VisiorWW.cab") returned=".cab" [0100.947] lstrlenW (lpString=".cab") returned 4 [0100.947] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0100.947] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x180 [0100.950] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=195011319) returned 1 [0100.950] GetProcessHeap () returned 0x4c0000 [0100.950] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x572b38 [0100.963] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="C3") returned 2 [0100.963] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="CB") returned 2 [0100.963] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="B6") returned 2 [0100.963] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="FC") returned 2 [0100.963] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="55") returned 2 [0100.963] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="35") returned 2 [0100.963] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="05") returned 2 [0100.963] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="F0") returned 2 [0100.963] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="45") returned 2 [0100.963] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="85") returned 2 [0100.963] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="BE") returned 2 [0100.963] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="A2") returned 2 [0100.964] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="64") returned 2 [0100.964] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="CB") returned 2 [0100.964] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="63") returned 2 [0100.964] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="65") returned 2 [0100.964] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="73") returned 2 [0100.964] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="67") returned 2 [0100.964] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="A1") returned 2 [0100.964] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="C1") returned 2 [0100.964] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="75") returned 2 [0100.964] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="EC") returned 2 [0100.964] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="44") returned 2 [0100.964] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="BA") returned 2 [0100.964] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="21") returned 2 [0100.964] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="6F") returned 2 [0100.964] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="6B") returned 2 [0100.964] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="2F") returned 2 [0100.964] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="AE") returned 2 [0100.964] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="26") returned 2 [0100.964] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="00") returned 2 [0100.964] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="3C") returned 2 [0100.977] lstrcpyW (in: lpString1=0x582b6c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab" [0100.977] lstrcpyW (in: lpString1=0x572b6c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab" [0100.977] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab", lpString2=".C3CBB6FC553505F04585BEA264CB63657367A1C175EC44BA216F6B2FAE26003C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab.C3CBB6FC553505F04585BEA264CB63657367A1C175EC44BA216F6B2FAE26003C") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab.C3CBB6FC553505F04585BEA264CB63657367A1C175EC44BA216F6B2FAE26003C" [0100.977] CreateIoCompletionPort (FileHandle=0x180, ExistingCompletionPort=0x94, CompletionKey=0x572b38, NumberOfConcurrentThreads=0x0) returned 0x94 [0100.977] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x572b38, lpOverlapped=0x572b38) returned 1 [0100.978] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80711960, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x80711960, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x468ee660, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0xb80800, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="VisiorWW.msi", cAlternateFileName="")) returned 1 [0100.978] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="Windows") returned -1 [0100.978] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="Program Files") returned 1 [0100.978] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="Program Files (x86)") returned 1 [0100.978] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="$Recycle.bin") returned 1 [0100.978] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="System Volume Information") returned 1 [0100.978] lstrcmpiW (lpString1="VisiorWW.msi", lpString2=".") returned 1 [0100.978] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="..") returned 1 [0100.978] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 79 [0100.978] lstrcmpW (lpString1="VisiorWW.msi", lpString2="PUSSY.TXT") returned 1 [0100.978] PathFindExtensionW (pszPath="VisiorWW.msi") returned=".msi" [0100.978] lstrlenW (lpString=".msi") returned 4 [0100.978] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0100.978] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x198 [0100.979] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=12060672) returned 1 [0100.979] GetProcessHeap () returned 0x4c0000 [0100.979] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b00048 [0100.991] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="AF") returned 2 [0100.991] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="7A") returned 2 [0100.991] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="2A") returned 2 [0100.991] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="DB") returned 2 [0100.991] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="DD") returned 2 [0100.991] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="DA") returned 2 [0100.991] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="79") returned 2 [0100.991] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="FF") returned 2 [0100.991] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="82") returned 2 [0100.991] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="27") returned 2 [0100.991] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="A2") returned 2 [0100.991] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="A4") returned 2 [0100.992] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="E8") returned 2 [0100.992] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="C8") returned 2 [0100.992] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="A9") returned 2 [0100.992] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="84") returned 2 [0100.992] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="13") returned 2 [0100.992] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="3C") returned 2 [0100.992] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="E2") returned 2 [0100.992] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="3D") returned 2 [0100.993] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="96") returned 2 [0100.993] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="DD") returned 2 [0100.993] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="2B") returned 2 [0100.993] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="51") returned 2 [0100.993] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="18") returned 2 [0100.993] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="DB") returned 2 [0100.993] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="4F") returned 2 [0100.993] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="16") returned 2 [0100.993] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="13") returned 2 [0100.993] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="0C") returned 2 [0100.993] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="FA") returned 2 [0100.993] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="5B") returned 2 [0101.006] lstrcpyW (in: lpString1=0x3b1007c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi" [0101.006] lstrcpyW (in: lpString1=0x3b0007c, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi" [0101.006] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi", lpString2=".AF7A2ADBDDDA79FF8227A2A4E8C8A984133CE23D96DD2B5118DB4F16130CFA5B" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi.AF7A2ADBDDDA79FF8227A2A4E8C8A984133CE23D96DD2B5118DB4F16130CFA5B") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi.AF7A2ADBDDDA79FF8227A2A4E8C8A984133CE23D96DD2B5118DB4F16130CFA5B" [0101.006] CreateIoCompletionPort (FileHandle=0x198, ExistingCompletionPort=0x94, CompletionKey=0x3b00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0101.006] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b00048, lpOverlapped=0x3b00048) returned 1 [0101.006] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80b17dc0, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x80b17dc0, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x468a2b70, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x2213, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="VisiorWW.xml", cAlternateFileName="")) returned 1 [0101.006] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="Windows") returned -1 [0101.006] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="Program Files") returned 1 [0101.006] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="Program Files (x86)") returned 1 [0101.006] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="$Recycle.bin") returned 1 [0101.006] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="System Volume Information") returned 1 [0101.006] lstrcmpiW (lpString1="VisiorWW.xml", lpString2=".") returned 1 [0101.006] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="..") returned 1 [0101.006] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 79 [0101.006] lstrcmpW (lpString1="VisiorWW.xml", lpString2="PUSSY.TXT") returned 1 [0101.006] PathFindExtensionW (pszPath="VisiorWW.xml") returned=".xml" [0101.006] lstrlenW (lpString=".xml") returned 4 [0101.006] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0101.007] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0101.007] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=8723) returned 1 [0101.007] GetProcessHeap () returned 0x4c0000 [0101.007] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b28098 [0101.171] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="97") returned 2 [0101.171] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="4C") returned 2 [0101.171] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="5F") returned 2 [0101.171] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="72") returned 2 [0101.171] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="E7") returned 2 [0101.171] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="90") returned 2 [0101.171] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="FD") returned 2 [0101.171] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="A4") returned 2 [0101.171] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="2B") returned 2 [0101.171] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="77") returned 2 [0101.171] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="73") returned 2 [0101.171] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="D1") returned 2 [0101.171] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="F0") returned 2 [0101.171] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="FB") returned 2 [0101.171] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="94") returned 2 [0101.171] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="D7") returned 2 [0101.171] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="24") returned 2 [0101.171] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="A0") returned 2 [0101.171] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="4D") returned 2 [0101.171] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="0D") returned 2 [0101.171] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="11") returned 2 [0101.171] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="48") returned 2 [0101.171] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="00") returned 2 [0101.172] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="54") returned 2 [0101.172] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="26") returned 2 [0101.172] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="83") returned 2 [0101.172] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="BD") returned 2 [0101.172] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="FC") returned 2 [0101.172] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="9B") returned 2 [0101.172] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="17") returned 2 [0101.172] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="26") returned 2 [0101.172] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="77") returned 2 [0101.191] lstrcpyW (in: lpString1=0x3b380cc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" [0101.191] lstrcpyW (in: lpString1=0x3b280cc, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" [0101.191] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml", lpString2=".974C5F72E790FDA42B7773D1F0FB94D724A04D0D114800542683BDFC9B172677" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.974C5F72E790FDA42B7773D1F0FB94D724A04D0D114800542683BDFC9B172677") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.974C5F72E790FDA42B7773D1F0FB94D724A04D0D114800542683BDFC9B172677" [0101.191] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x3b28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0101.191] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b28098, lpOverlapped=0x3b28098) returned 1 [0101.191] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80b17dc0, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x80b17dc0, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x468a2b70, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x2213, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="VisiorWW.xml", cAlternateFileName="")) returned 0 [0101.192] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0101.192] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PUSSY.TXT") returned 76 [0101.192] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PUSSY.TXT" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0101.192] lstrlenA (lpString="abcd") returned 4 [0101.192] WriteFile (in: hFile=0x1a0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0101.194] CloseHandle (hObject=0x1a0) returned 1 [0101.194] GetProcessHeap () returned 0x4c0000 [0101.194] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0101.194] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x4a6d41a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d41a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="{91140000-0057-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~2")) returned 0 [0101.195] FindClose (in: hFindFile=0x4e2920 | out: hFindFile=0x4e2920) returned 1 [0101.195] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\PUSSY.TXT") returned 35 [0101.195] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\PUSSY.TXT" (normalized: "c:\\msocache\\all users\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0101.195] lstrlenA (lpString="abcd") returned 4 [0101.195] WriteFile (in: hFile=0x16c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28e5ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28e5ec*=0x4, lpOverlapped=0x0) returned 1 [0101.197] CloseHandle (hObject=0x16c) returned 1 [0101.197] GetProcessHeap () returned 0x4c0000 [0101.197] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53aae0 | out: hHeap=0x4c0000) returned 1 [0101.197] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 0 [0101.197] FindClose (in: hFindFile=0x4e22d0 | out: hFindFile=0x4e22d0) returned 1 [0101.197] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\MSOCache\\PUSSY.TXT") returned 25 [0101.197] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\PUSSY.TXT" (normalized: "c:\\msocache\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0101.200] lstrlenA (lpString="abcd") returned 4 [0101.200] WriteFile (in: hFile=0x160, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28ed8c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28ed8c*=0x4, lpOverlapped=0x0) returned 1 [0101.201] CloseHandle (hObject=0x160) returned 1 [0101.202] GetProcessHeap () returned 0x4c0000 [0101.202] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0101.202] FindNextFileW (in: hFindFile=0x4d5718, lpFindFileData=0x28f2d8 | out: lpFindFileData=0x28f2d8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x563d4b80, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x563d4b80, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0xaece4da0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x7ff7c000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0101.202] lstrcmpiW (lpString1="pagefile.sys", lpString2="Windows") returned -1 [0101.202] lstrcmpiW (lpString1="pagefile.sys", lpString2="Program Files") returned -1 [0101.202] lstrcmpiW (lpString1="pagefile.sys", lpString2="Program Files (x86)") returned -1 [0101.202] lstrcmpiW (lpString1="pagefile.sys", lpString2="$Recycle.bin") returned 1 [0101.202] lstrcmpiW (lpString1="pagefile.sys", lpString2="System Volume Information") returned -1 [0101.202] lstrcmpiW (lpString1="pagefile.sys", lpString2=".") returned 1 [0101.202] lstrcmpiW (lpString1="pagefile.sys", lpString2="..") returned 1 [0101.202] wnsprintfW (in: pszDest=0x4f2a80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\pagefile.sys") returned 19 [0101.202] lstrcmpW (lpString1="pagefile.sys", lpString2="PUSSY.TXT") returned -1 [0101.202] PathFindExtensionW (pszPath="pagefile.sys") returned=".sys" [0101.202] lstrlenW (lpString=".sys") returned 4 [0101.202] SystemFunction036 (in: RandomBuffer=0x28f1c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28f1c4) returned 1 [0101.202] CreateFileW (lpFileName="\\\\?\\C:\\pagefile.sys" (normalized: "c:\\pagefile.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0101.203] FindNextFileW (in: hFindFile=0x4d5718, lpFindFileData=0x28f2d8 | out: lpFindFileData=0x28f2d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd72e458, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PerfLogs", cAlternateFileName="")) returned 1 [0101.203] lstrcmpiW (lpString1="PerfLogs", lpString2="Windows") returned -1 [0101.203] lstrcmpiW (lpString1="PerfLogs", lpString2="Program Files") returned -1 [0101.203] lstrcmpiW (lpString1="PerfLogs", lpString2="Program Files (x86)") returned -1 [0101.203] lstrcmpiW (lpString1="PerfLogs", lpString2="$Recycle.bin") returned 1 [0101.203] lstrcmpiW (lpString1="PerfLogs", lpString2="System Volume Information") returned -1 [0101.203] lstrcmpiW (lpString1="PerfLogs", lpString2=".") returned 1 [0101.203] lstrcmpiW (lpString1="PerfLogs", lpString2="..") returned 1 [0101.203] wnsprintfW (in: pszDest=0x4f2a80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\PerfLogs") returned 15 [0101.203] GetProcessHeap () returned 0x4c0000 [0101.203] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b500e8 [0101.203] lstrcpyW (in: lpString1=0x3b500e8, lpString2="\\\\?\\C:\\PerfLogs" | out: lpString1="\\\\?\\C:\\PerfLogs") returned="\\\\?\\C:\\PerfLogs" [0101.203] lstrcatW (in: lpString1="\\\\?\\C:\\PerfLogs", lpString2="\\*" | out: lpString1="\\\\?\\C:\\PerfLogs\\*") returned="\\\\?\\C:\\PerfLogs\\*" [0101.203] FindFirstFileW (in: lpFileName="\\\\?\\C:\\PerfLogs\\*", lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd72e458, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e22d0 [0101.204] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0101.204] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0101.204] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0101.204] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0101.204] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0101.204] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0101.204] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd72e458, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0101.204] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0101.204] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0101.204] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0101.204] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0101.204] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0101.204] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0101.204] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0101.204] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="Admin", cAlternateFileName="")) returned 1 [0101.204] lstrcmpiW (lpString1="Admin", lpString2="Windows") returned -1 [0101.205] lstrcmpiW (lpString1="Admin", lpString2="Program Files") returned -1 [0101.205] lstrcmpiW (lpString1="Admin", lpString2="Program Files (x86)") returned -1 [0101.205] lstrcmpiW (lpString1="Admin", lpString2="$Recycle.bin") returned 1 [0101.205] lstrcmpiW (lpString1="Admin", lpString2="System Volume Information") returned -1 [0101.205] lstrcmpiW (lpString1="Admin", lpString2=".") returned 1 [0101.205] lstrcmpiW (lpString1="Admin", lpString2="..") returned 1 [0101.205] wnsprintfW (in: pszDest=0x3b500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\PerfLogs\\Admin") returned 21 [0101.205] GetProcessHeap () returned 0x4c0000 [0101.205] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b600f0 [0101.205] lstrcpyW (in: lpString1=0x3b600f0, lpString2="\\\\?\\C:\\PerfLogs\\Admin" | out: lpString1="\\\\?\\C:\\PerfLogs\\Admin") returned="\\\\?\\C:\\PerfLogs\\Admin" [0101.205] lstrcatW (in: lpString1="\\\\?\\C:\\PerfLogs\\Admin", lpString2="\\*" | out: lpString1="\\\\?\\C:\\PerfLogs\\Admin\\*") returned="\\\\?\\C:\\PerfLogs\\Admin\\*" [0101.205] FindFirstFileW (in: lpFileName="\\\\?\\C:\\PerfLogs\\Admin\\*", lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2920 [0101.225] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0101.226] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0101.226] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0101.227] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0101.227] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0101.230] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0101.230] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0101.230] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0101.230] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0101.230] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0101.230] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0101.230] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0101.230] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0101.231] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0101.231] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 0 [0101.231] FindClose (in: hFindFile=0x4e2920 | out: hFindFile=0x4e2920) returned 1 [0101.231] wnsprintfW (in: pszDest=0x3b600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\PerfLogs\\Admin\\PUSSY.TXT") returned 31 [0101.231] CreateFileW (lpFileName="\\\\?\\C:\\PerfLogs\\Admin\\PUSSY.TXT" (normalized: "c:\\perflogs\\admin\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0101.236] lstrlenA (lpString="abcd") returned 4 [0101.237] WriteFile (in: hFile=0x180, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28e5ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28e5ec*=0x4, lpOverlapped=0x0) returned 1 [0101.238] CloseHandle (hObject=0x180) returned 1 [0101.238] GetProcessHeap () returned 0x4c0000 [0101.238] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0101.238] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="Admin", cAlternateFileName="")) returned 0 [0101.238] FindClose (in: hFindFile=0x4e22d0 | out: hFindFile=0x4e22d0) returned 1 [0101.238] wnsprintfW (in: pszDest=0x3b500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\PerfLogs\\PUSSY.TXT") returned 25 [0101.238] CreateFileW (lpFileName="\\\\?\\C:\\PerfLogs\\PUSSY.TXT" (normalized: "c:\\perflogs\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0101.241] lstrlenA (lpString="abcd") returned 4 [0101.241] WriteFile (in: hFile=0x160, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28ed8c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28ed8c*=0x4, lpOverlapped=0x0) returned 1 [0101.242] CloseHandle (hObject=0x160) returned 1 [0101.243] GetProcessHeap () returned 0x4c0000 [0101.243] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b500e8 | out: hHeap=0x4c0000) returned 1 [0101.243] FindNextFileW (in: hFindFile=0x4d5718, lpFindFileData=0x28f2d8 | out: lpFindFileData=0x28f2d8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xe87054e0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe87054e0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0101.243] lstrcmpiW (lpString1="Program Files", lpString2="Windows") returned -1 [0101.243] lstrcmpiW (lpString1="Program Files", lpString2="Program Files") returned 0 [0101.243] FindNextFileW (in: hFindFile=0x4d5718, lpFindFileData=0x28f2d8 | out: lpFindFileData=0x28f2d8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd8ab1dc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x10f11a30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x10f11a30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files (x86)", cAlternateFileName="PROGRA~2")) returned 1 [0101.243] lstrcmpiW (lpString1="Program Files (x86)", lpString2="Windows") returned -1 [0101.243] lstrcmpiW (lpString1="Program Files (x86)", lpString2="Program Files") returned 1 [0101.243] lstrcmpiW (lpString1="Program Files (x86)", lpString2="Program Files (x86)") returned 0 [0101.243] FindNextFileW (in: hFindFile=0x4d5718, lpFindFileData=0x28f2d8 | out: lpFindFileData=0x28f2d8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProgramData", cAlternateFileName="PROGRA~3")) returned 1 [0101.243] lstrcmpiW (lpString1="ProgramData", lpString2="Windows") returned -1 [0101.243] lstrcmpiW (lpString1="ProgramData", lpString2="Program Files") returned 1 [0101.243] lstrcmpiW (lpString1="ProgramData", lpString2="Program Files (x86)") returned 1 [0101.243] lstrcmpiW (lpString1="ProgramData", lpString2="$Recycle.bin") returned 1 [0101.243] lstrcmpiW (lpString1="ProgramData", lpString2="System Volume Information") returned -1 [0101.243] lstrcmpiW (lpString1="ProgramData", lpString2=".") returned 1 [0101.243] lstrcmpiW (lpString1="ProgramData", lpString2="..") returned 1 [0101.243] wnsprintfW (in: pszDest=0x4f2a80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData") returned 18 [0101.243] GetProcessHeap () returned 0x4c0000 [0101.243] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b28098 [0101.243] lstrcpyW (in: lpString1=0x3b28098, lpString2="\\\\?\\C:\\ProgramData" | out: lpString1="\\\\?\\C:\\ProgramData") returned="\\\\?\\C:\\ProgramData" [0101.243] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\*") returned="\\\\?\\C:\\ProgramData\\*" [0101.244] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\*", lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e22d0 [0101.244] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0101.244] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0101.244] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0101.244] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0101.244] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0101.244] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0101.244] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0101.244] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0101.244] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0101.244] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0101.244] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0101.244] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0101.244] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0101.244] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0101.244] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="Adobe", cAlternateFileName="")) returned 1 [0101.244] lstrcmpiW (lpString1="Adobe", lpString2="Windows") returned -1 [0101.244] lstrcmpiW (lpString1="Adobe", lpString2="Program Files") returned -1 [0101.244] lstrcmpiW (lpString1="Adobe", lpString2="Program Files (x86)") returned -1 [0101.244] lstrcmpiW (lpString1="Adobe", lpString2="$Recycle.bin") returned 1 [0101.245] lstrcmpiW (lpString1="Adobe", lpString2="System Volume Information") returned -1 [0101.245] lstrcmpiW (lpString1="Adobe", lpString2=".") returned 1 [0101.245] lstrcmpiW (lpString1="Adobe", lpString2="..") returned 1 [0101.245] wnsprintfW (in: pszDest=0x3b28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe") returned 24 [0101.245] GetProcessHeap () returned 0x4c0000 [0101.245] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b380a0 [0101.245] lstrcpyW (in: lpString1=0x3b380a0, lpString2="\\\\?\\C:\\ProgramData\\Adobe" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe") returned="\\\\?\\C:\\ProgramData\\Adobe" [0101.245] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\*") returned="\\\\?\\C:\\ProgramData\\Adobe\\*" [0101.245] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\*", lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2920 [0101.245] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0101.245] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0101.245] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0101.245] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0101.246] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0101.246] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0101.246] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0101.246] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0101.246] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0101.246] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0101.246] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0101.246] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0101.246] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0101.246] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0101.246] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="Acrobat", cAlternateFileName="")) returned 1 [0101.246] lstrcmpiW (lpString1="Acrobat", lpString2="Windows") returned -1 [0101.246] lstrcmpiW (lpString1="Acrobat", lpString2="Program Files") returned -1 [0101.246] lstrcmpiW (lpString1="Acrobat", lpString2="Program Files (x86)") returned -1 [0101.246] lstrcmpiW (lpString1="Acrobat", lpString2="$Recycle.bin") returned 1 [0101.246] lstrcmpiW (lpString1="Acrobat", lpString2="System Volume Information") returned -1 [0101.246] lstrcmpiW (lpString1="Acrobat", lpString2=".") returned 1 [0101.246] lstrcmpiW (lpString1="Acrobat", lpString2="..") returned 1 [0101.246] wnsprintfW (in: pszDest=0x3b380a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat") returned 32 [0101.246] GetProcessHeap () returned 0x4c0000 [0101.246] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b480a8 [0101.246] lstrcpyW (in: lpString1=0x3b480a8, lpString2="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat") returned="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat" [0101.246] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\*") returned="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\*" [0101.246] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0101.247] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0101.247] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0101.247] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0101.247] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0101.247] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0101.247] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0101.247] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0101.247] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0101.247] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0101.247] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0101.247] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0101.247] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0101.247] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0101.247] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0101.247] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="10.0", cAlternateFileName="")) returned 1 [0101.247] lstrcmpiW (lpString1="10.0", lpString2="Windows") returned -1 [0101.247] lstrcmpiW (lpString1="10.0", lpString2="Program Files") returned -1 [0101.248] lstrcmpiW (lpString1="10.0", lpString2="Program Files (x86)") returned -1 [0101.248] lstrcmpiW (lpString1="10.0", lpString2="$Recycle.bin") returned 1 [0101.248] lstrcmpiW (lpString1="10.0", lpString2="System Volume Information") returned -1 [0101.248] lstrcmpiW (lpString1="10.0", lpString2=".") returned 1 [0101.248] lstrcmpiW (lpString1="10.0", lpString2="..") returned 1 [0101.248] wnsprintfW (in: pszDest=0x3b480a8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0") returned 37 [0101.248] GetProcessHeap () returned 0x4c0000 [0101.248] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b580b0 [0101.248] lstrcpyW (in: lpString1=0x3b580b0, lpString2="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0") returned="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0" [0101.248] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\*") returned="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\*" [0101.248] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4dbf10 [0101.248] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0101.248] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0101.248] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0101.248] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0101.248] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0101.248] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0101.248] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0101.249] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0101.249] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0101.249] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0101.249] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0101.249] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0101.249] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0101.249] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0101.249] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="Replicate", cAlternateFileName="REPLIC~1")) returned 1 [0101.249] lstrcmpiW (lpString1="Replicate", lpString2="Windows") returned -1 [0101.249] lstrcmpiW (lpString1="Replicate", lpString2="Program Files") returned 1 [0101.249] lstrcmpiW (lpString1="Replicate", lpString2="Program Files (x86)") returned 1 [0101.249] lstrcmpiW (lpString1="Replicate", lpString2="$Recycle.bin") returned 1 [0101.249] lstrcmpiW (lpString1="Replicate", lpString2="System Volume Information") returned -1 [0101.249] lstrcmpiW (lpString1="Replicate", lpString2=".") returned 1 [0101.249] lstrcmpiW (lpString1="Replicate", lpString2="..") returned 1 [0101.249] wnsprintfW (in: pszDest=0x3b580b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate") returned 47 [0101.249] GetProcessHeap () returned 0x4c0000 [0101.250] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b680b8 [0101.250] lstrcpyW (in: lpString1=0x3b680b8, lpString2="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate") returned="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate" [0101.250] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\*") returned="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\*" [0101.250] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff8c3455, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x4e29a0 [0101.251] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0101.251] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0101.251] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0101.251] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0101.251] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0101.251] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0101.251] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff8c3455, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0101.251] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0101.251] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0101.251] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0101.251] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0101.251] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0101.251] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0101.251] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0101.251] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff8c3455, dwReserved1=0xfe000000, cFileName="Security", cAlternateFileName="")) returned 1 [0101.251] lstrcmpiW (lpString1="Security", lpString2="Windows") returned -1 [0101.251] lstrcmpiW (lpString1="Security", lpString2="Program Files") returned 1 [0101.251] lstrcmpiW (lpString1="Security", lpString2="Program Files (x86)") returned 1 [0101.251] lstrcmpiW (lpString1="Security", lpString2="$Recycle.bin") returned 1 [0101.251] lstrcmpiW (lpString1="Security", lpString2="System Volume Information") returned -1 [0101.252] lstrcmpiW (lpString1="Security", lpString2=".") returned 1 [0101.252] lstrcmpiW (lpString1="Security", lpString2="..") returned 1 [0101.252] wnsprintfW (in: pszDest=0x3b680b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security") returned 56 [0101.252] GetProcessHeap () returned 0x4c0000 [0101.252] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b780c0 [0101.252] lstrcpyW (in: lpString1=0x3b780c0, lpString2="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security") returned="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security" [0101.252] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*") returned="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*" [0101.252] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x2c17fcd6, cFileName=".", cAlternateFileName="")) returned 0x4e29e0 [0101.252] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0101.252] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0101.252] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0101.252] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0101.252] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0101.252] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0101.252] FindNextFileW (in: hFindFile=0x4e29e0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x2c17fcd6, cFileName="..", cAlternateFileName="")) returned 1 [0101.253] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0101.253] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0101.253] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0101.253] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0101.253] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0101.253] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0101.253] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0101.253] FindNextFileW (in: hFindFile=0x4e29e0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x93de7300, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x93de7300, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x1df, dwReserved0=0x4e2a18, dwReserved1=0x2c17fcd6, cFileName="directories.acrodata", cAlternateFileName="DIRECT~1.ACR")) returned 1 [0101.253] lstrcmpiW (lpString1="directories.acrodata", lpString2="Windows") returned -1 [0101.253] lstrcmpiW (lpString1="directories.acrodata", lpString2="Program Files") returned -1 [0101.253] lstrcmpiW (lpString1="directories.acrodata", lpString2="Program Files (x86)") returned -1 [0101.253] lstrcmpiW (lpString1="directories.acrodata", lpString2="$Recycle.bin") returned 1 [0101.253] lstrcmpiW (lpString1="directories.acrodata", lpString2="System Volume Information") returned -1 [0101.253] lstrcmpiW (lpString1="directories.acrodata", lpString2=".") returned 1 [0101.253] lstrcmpiW (lpString1="directories.acrodata", lpString2="..") returned 1 [0101.253] wnsprintfW (in: pszDest=0x3b780c0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata") returned 77 [0101.253] lstrcmpW (lpString1="directories.acrodata", lpString2="PUSSY.TXT") returned -1 [0101.253] PathFindExtensionW (pszPath="directories.acrodata") returned=".acrodata" [0101.253] lstrlenW (lpString=".acrodata") returned 9 [0101.253] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0101.253] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata" (normalized: "c:\\programdata\\adobe\\acrobat\\10.0\\replicate\\security\\directories.acrodata"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x174 [0101.254] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=479) returned 1 [0101.254] CloseHandle (hObject=0x174) returned 1 [0101.254] FindNextFileW (in: hFindFile=0x4e29e0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x93de7300, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x93de7300, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x1df, dwReserved0=0x4e2a18, dwReserved1=0x2c17fcd6, cFileName="directories.acrodata", cAlternateFileName="DIRECT~1.ACR")) returned 0 [0101.254] FindClose (in: hFindFile=0x4e29e0 | out: hFindFile=0x4e29e0) returned 1 [0101.254] wnsprintfW (in: pszDest=0x3b780c0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\PUSSY.TXT") returned 66 [0101.254] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\PUSSY.TXT" (normalized: "c:\\programdata\\adobe\\acrobat\\10.0\\replicate\\security\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0101.255] lstrlenA (lpString="abcd") returned 4 [0101.255] WriteFile (in: hFile=0x188, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0101.257] CloseHandle (hObject=0x188) returned 1 [0101.257] GetProcessHeap () returned 0x4c0000 [0101.257] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b780c0 | out: hHeap=0x4c0000) returned 1 [0101.257] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff8c3455, dwReserved1=0xfe000000, cFileName="Security", cAlternateFileName="")) returned 0 [0101.257] FindClose (in: hFindFile=0x4e29a0 | out: hFindFile=0x4e29a0) returned 1 [0101.257] wnsprintfW (in: pszDest=0x3b680b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\PUSSY.TXT") returned 57 [0101.257] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\PUSSY.TXT" (normalized: "c:\\programdata\\adobe\\acrobat\\10.0\\replicate\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0101.258] lstrlenA (lpString="abcd") returned 4 [0101.258] WriteFile (in: hFile=0x1a0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0101.259] CloseHandle (hObject=0x1a0) returned 1 [0101.259] GetProcessHeap () returned 0x4c0000 [0101.259] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b680b8 | out: hHeap=0x4c0000) returned 1 [0101.259] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="Replicate", cAlternateFileName="REPLIC~1")) returned 0 [0101.259] FindClose (in: hFindFile=0x4dbf10 | out: hFindFile=0x4dbf10) returned 1 [0101.259] wnsprintfW (in: pszDest=0x3b580b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\PUSSY.TXT") returned 47 [0101.259] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\PUSSY.TXT" (normalized: "c:\\programdata\\adobe\\acrobat\\10.0\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0101.259] lstrlenA (lpString="abcd") returned 4 [0101.260] WriteFile (in: hFile=0x16c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0101.261] CloseHandle (hObject=0x16c) returned 1 [0101.261] GetProcessHeap () returned 0x4c0000 [0101.261] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b580b0 | out: hHeap=0x4c0000) returned 1 [0101.261] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="10.0", cAlternateFileName="")) returned 0 [0101.261] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0101.261] wnsprintfW (in: pszDest=0x3b480a8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\PUSSY.TXT") returned 42 [0101.261] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\PUSSY.TXT" (normalized: "c:\\programdata\\adobe\\acrobat\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0101.261] lstrlenA (lpString="abcd") returned 4 [0101.261] WriteFile (in: hFile=0x19c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0101.262] CloseHandle (hObject=0x19c) returned 1 [0101.263] GetProcessHeap () returned 0x4c0000 [0101.263] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b480a8 | out: hHeap=0x4c0000) returned 1 [0101.263] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="ARM", cAlternateFileName="")) returned 1 [0101.263] lstrcmpiW (lpString1="ARM", lpString2="Windows") returned -1 [0101.263] lstrcmpiW (lpString1="ARM", lpString2="Program Files") returned -1 [0101.263] lstrcmpiW (lpString1="ARM", lpString2="Program Files (x86)") returned -1 [0101.263] lstrcmpiW (lpString1="ARM", lpString2="$Recycle.bin") returned 1 [0101.263] lstrcmpiW (lpString1="ARM", lpString2="System Volume Information") returned -1 [0101.263] lstrcmpiW (lpString1="ARM", lpString2=".") returned 1 [0101.263] lstrcmpiW (lpString1="ARM", lpString2="..") returned 1 [0101.263] wnsprintfW (in: pszDest=0x3b380a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM") returned 28 [0101.263] GetProcessHeap () returned 0x4c0000 [0101.263] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b480a8 [0101.263] lstrcpyW (in: lpString1=0x3b480a8, lpString2="\\\\?\\C:\\ProgramData\\Adobe\\ARM" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM" [0101.263] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*" [0101.263] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0101.264] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0101.264] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0101.264] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0101.264] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0101.264] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0101.264] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0101.264] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0101.264] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0101.264] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0101.264] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0101.264] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0101.264] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0101.264] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0101.264] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0101.264] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xf2028d90, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xf2028d90, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Reader_10.0.0", cAlternateFileName="READER~1.0")) returned 1 [0101.264] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="Windows") returned -1 [0101.264] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="Program Files") returned 1 [0101.264] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="Program Files (x86)") returned 1 [0101.264] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="$Recycle.bin") returned 1 [0101.264] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="System Volume Information") returned -1 [0101.264] lstrcmpiW (lpString1="Reader_10.0.0", lpString2=".") returned 1 [0101.264] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="..") returned 1 [0101.264] wnsprintfW (in: pszDest=0x3b480a8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0") returned 42 [0101.265] GetProcessHeap () returned 0x4c0000 [0101.265] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b580b0 [0101.265] lstrcpyW (in: lpString1=0x3b580b0, lpString2="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0" [0101.265] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\*") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\*" [0101.265] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xf2028d90, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xf2028d90, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4dbf10 [0101.355] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0101.355] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0101.355] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0101.355] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0101.355] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0101.355] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0101.355] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xf2028d90, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xf2028d90, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0101.355] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0101.355] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0101.355] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0101.355] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0101.355] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0101.355] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0101.355] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0101.355] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e186d00, ftCreationTime.dwHighDateTime=0x1cfb543, ftLastAccessTime.dwLowDateTime=0x7e186d00, ftLastAccessTime.dwHighDateTime=0x1cfb543, ftLastWriteTime.dwLowDateTime=0x7e186d00, ftLastWriteTime.dwHighDateTime=0x1cfb543, nFileSizeHigh=0x0, nFileSizeLow=0x3d800, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="AdbeRdrSecUpd10111.msp", cAlternateFileName="ADBERD~2.MSP")) returned 1 [0101.355] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="Windows") returned -1 [0101.356] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="Program Files") returned -1 [0101.356] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="Program Files (x86)") returned -1 [0101.356] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="$Recycle.bin") returned 1 [0101.356] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="System Volume Information") returned -1 [0101.356] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2=".") returned 1 [0101.356] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="..") returned 1 [0101.356] wnsprintfW (in: pszDest=0x3b580b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp") returned 65 [0101.356] lstrcmpW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="PUSSY.TXT") returned -1 [0101.356] PathFindExtensionW (pszPath="AdbeRdrSecUpd10111.msp") returned=".msp" [0101.356] lstrlenW (lpString=".msp") returned 4 [0101.356] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0101.356] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrsecupd10111.msp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x198 [0101.357] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=251904) returned 1 [0101.357] GetProcessHeap () returned 0x4c0000 [0101.357] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b00048 [0101.371] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="6E") returned 2 [0101.371] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="FB") returned 2 [0101.372] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="53") returned 2 [0101.372] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="75") returned 2 [0101.372] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="52") returned 2 [0101.372] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="98") returned 2 [0101.372] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="33") returned 2 [0101.372] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="8D") returned 2 [0101.372] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="49") returned 2 [0101.372] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="BC") returned 2 [0101.372] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="31") returned 2 [0101.372] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="AD") returned 2 [0101.372] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="38") returned 2 [0101.372] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="D0") returned 2 [0101.372] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="32") returned 2 [0101.372] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="98") returned 2 [0101.372] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="15") returned 2 [0101.372] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="4F") returned 2 [0101.372] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="0E") returned 2 [0101.372] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="45") returned 2 [0101.372] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="C0") returned 2 [0101.372] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="14") returned 2 [0101.372] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="21") returned 2 [0101.372] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="EB") returned 2 [0101.372] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="29") returned 2 [0101.372] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="FF") returned 2 [0101.372] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="3B") returned 2 [0101.373] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="62") returned 2 [0101.373] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="59") returned 2 [0101.373] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="B3") returned 2 [0101.373] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="E3") returned 2 [0101.373] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="72") returned 2 [0101.383] lstrcpyW (in: lpString1=0x3b1007c, lpString2="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp" [0101.383] lstrcpyW (in: lpString1=0x3b0007c, lpString2="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp" [0101.383] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp", lpString2=".6EFB53755298338D49BC31AD38D03298154F0E45C01421EB29FF3B6259B3E372" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp.6EFB53755298338D49BC31AD38D03298154F0E45C01421EB29FF3B6259B3E372") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp.6EFB53755298338D49BC31AD38D03298154F0E45C01421EB29FF3B6259B3E372" [0101.383] CreateIoCompletionPort (FileHandle=0x198, ExistingCompletionPort=0x94, CompletionKey=0x3b00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0101.383] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b00048, lpOverlapped=0x3b00048) returned 1 [0101.383] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4450880, ftCreationTime.dwHighDateTime=0x1cf6c45, ftLastAccessTime.dwLowDateTime=0xb4450880, ftLastAccessTime.dwHighDateTime=0x1cf6c45, ftLastWriteTime.dwLowDateTime=0xb4450880, ftLastWriteTime.dwHighDateTime=0x1cf6c45, nFileSizeHigh=0x0, nFileSizeLow=0x10e3000, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="AdbeRdrUpd10110_MUI.msp", cAlternateFileName="ADBERD~1.MSP")) returned 1 [0101.383] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="Windows") returned -1 [0101.384] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="Program Files") returned -1 [0101.384] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="Program Files (x86)") returned -1 [0101.384] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="$Recycle.bin") returned 1 [0101.384] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="System Volume Information") returned -1 [0101.384] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2=".") returned 1 [0101.384] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="..") returned 1 [0101.384] wnsprintfW (in: pszDest=0x3b580b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp") returned 66 [0101.384] lstrcmpW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="PUSSY.TXT") returned -1 [0101.384] PathFindExtensionW (pszPath="AdbeRdrUpd10110_MUI.msp") returned=".msp" [0101.384] lstrlenW (lpString=".msp") returned 4 [0101.384] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0101.384] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrupd10110_mui.msp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a0 [0101.385] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=17707008) returned 1 [0101.385] GetProcessHeap () returned 0x4c0000 [0101.385] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b680b8 [0101.451] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="9B") returned 2 [0101.451] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="94") returned 2 [0101.451] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="FA") returned 2 [0101.451] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="E1") returned 2 [0101.451] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="DE") returned 2 [0101.452] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="8A") returned 2 [0101.452] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="8D") returned 2 [0101.452] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="1F") returned 2 [0101.452] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="8B") returned 2 [0101.452] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="3B") returned 2 [0101.452] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="7E") returned 2 [0101.452] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="0A") returned 2 [0101.452] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="51") returned 2 [0101.452] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="40") returned 2 [0101.452] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="F0") returned 2 [0101.452] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="EC") returned 2 [0101.452] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="23") returned 2 [0101.452] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="B0") returned 2 [0101.452] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="3C") returned 2 [0101.452] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="51") returned 2 [0101.452] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="C3") returned 2 [0101.452] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="70") returned 2 [0101.452] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="B6") returned 2 [0101.452] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="26") returned 2 [0101.452] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="87") returned 2 [0101.452] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="77") returned 2 [0101.452] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="A4") returned 2 [0101.452] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="0E") returned 2 [0101.452] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="02") returned 2 [0101.452] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="78") returned 2 [0101.452] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="B1") returned 2 [0101.452] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="59") returned 2 [0101.462] lstrcpyW (in: lpString1=0x3b780ec, lpString2="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp" [0101.463] lstrcpyW (in: lpString1=0x3b680ec, lpString2="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp" [0101.463] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp", lpString2=".9B94FAE1DE8A8D1F8B3B7E0A5140F0EC23B03C51C370B6268777A40E0278B159" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp.9B94FAE1DE8A8D1F8B3B7E0A5140F0EC23B03C51C370B6268777A40E0278B159") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp.9B94FAE1DE8A8D1F8B3B7E0A5140F0EC23B03C51C370B6268777A40E0278B159" [0101.463] CreateIoCompletionPort (FileHandle=0x1a0, ExistingCompletionPort=0x94, CompletionKey=0x3b680b8, NumberOfConcurrentThreads=0x0) returned 0x94 [0101.463] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b680b8, lpOverlapped=0x3b680b8) returned 1 [0101.464] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2540cc00, ftCreationTime.dwHighDateTime=0x1d1056e, ftLastAccessTime.dwLowDateTime=0x2540cc00, ftLastAccessTime.dwHighDateTime=0x1d1056e, ftLastWriteTime.dwLowDateTime=0x2540cc00, ftLastWriteTime.dwHighDateTime=0x1d1056e, nFileSizeHigh=0x0, nFileSizeLow=0x109d000, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="AdbeRdrUpd10116_MUI.msp", cAlternateFileName="ADBERD~3.MSP")) returned 1 [0101.464] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="Windows") returned -1 [0101.464] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="Program Files") returned -1 [0101.464] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="Program Files (x86)") returned -1 [0101.464] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="$Recycle.bin") returned 1 [0101.464] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="System Volume Information") returned -1 [0101.464] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2=".") returned 1 [0101.464] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="..") returned 1 [0101.464] wnsprintfW (in: pszDest=0x3b580b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp") returned 66 [0101.464] lstrcmpW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="PUSSY.TXT") returned -1 [0101.464] PathFindExtensionW (pszPath="AdbeRdrUpd10116_MUI.msp") returned=".msp" [0101.464] lstrlenW (lpString=".msp") returned 4 [0101.464] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0101.464] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrupd10116_mui.msp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x188 [0101.464] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=17420288) returned 1 [0101.464] GetProcessHeap () returned 0x4c0000 [0101.465] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b90108 [0101.506] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="D3") returned 2 [0101.506] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="36") returned 2 [0101.507] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="B8") returned 2 [0101.507] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="7C") returned 2 [0101.507] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="9E") returned 2 [0101.507] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="58") returned 2 [0101.507] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="C5") returned 2 [0101.507] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="E8") returned 2 [0101.507] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="3A") returned 2 [0101.507] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="FB") returned 2 [0101.507] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="C1") returned 2 [0101.507] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="DB") returned 2 [0101.507] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="96") returned 2 [0101.507] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="D0") returned 2 [0101.507] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="32") returned 2 [0101.507] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="1E") returned 2 [0101.507] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="8B") returned 2 [0101.507] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="68") returned 2 [0101.507] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="8F") returned 2 [0101.507] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="7A") returned 2 [0101.507] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="76") returned 2 [0101.507] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="29") returned 2 [0101.507] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="3F") returned 2 [0101.507] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="3A") returned 2 [0101.507] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="F3") returned 2 [0101.507] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="A7") returned 2 [0101.507] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="08") returned 2 [0101.507] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="A9") returned 2 [0101.507] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="B1") returned 2 [0101.507] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="D9") returned 2 [0101.507] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="06") returned 2 [0101.508] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="3E") returned 2 [0101.517] lstrcpyW (in: lpString1=0x3ba013c, lpString2="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp" [0101.517] lstrcpyW (in: lpString1=0x3b9013c, lpString2="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp" [0101.517] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp", lpString2=".D336B87C9E58C5E83AFBC1DB96D0321E8B688F7A76293F3AF3A708A9B1D9063E" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp.D336B87C9E58C5E83AFBC1DB96D0321E8B688F7A76293F3AF3A708A9B1D9063E") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp.D336B87C9E58C5E83AFBC1DB96D0321E8B688F7A76293F3AF3A708A9B1D9063E" [0101.517] CreateIoCompletionPort (FileHandle=0x188, ExistingCompletionPort=0x94, CompletionKey=0x3b90108, NumberOfConcurrentThreads=0x0) returned 0x94 [0101.517] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b90108, lpOverlapped=0x3b90108) returned 1 [0101.518] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2540cc00, ftCreationTime.dwHighDateTime=0x1d1056e, ftLastAccessTime.dwLowDateTime=0x2540cc00, ftLastAccessTime.dwHighDateTime=0x1d1056e, ftLastWriteTime.dwLowDateTime=0x2540cc00, ftLastWriteTime.dwHighDateTime=0x1d1056e, nFileSizeHigh=0x0, nFileSizeLow=0x109d000, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="AdbeRdrUpd10116_MUI.msp", cAlternateFileName="ADBERD~3.MSP")) returned 0 [0101.518] FindClose (in: hFindFile=0x4dbf10 | out: hFindFile=0x4dbf10) returned 1 [0101.518] wnsprintfW (in: pszDest=0x3b580b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\PUSSY.TXT") returned 52 [0101.518] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\PUSSY.TXT" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0101.551] lstrlenA (lpString="abcd") returned 4 [0101.551] WriteFile (in: hFile=0x16c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0101.552] CloseHandle (hObject=0x16c) returned 1 [0101.552] GetProcessHeap () returned 0x4c0000 [0101.552] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b580b0 | out: hHeap=0x4c0000) returned 1 [0101.553] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xf2028d90, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xf2028d90, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Reader_10.0.0", cAlternateFileName="READER~1.0")) returned 0 [0101.554] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0101.554] wnsprintfW (in: pszDest=0x3b480a8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\PUSSY.TXT") returned 38 [0101.554] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\PUSSY.TXT" (normalized: "c:\\programdata\\adobe\\arm\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0101.554] lstrlenA (lpString="abcd") returned 4 [0101.554] WriteFile (in: hFile=0x19c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0101.555] CloseHandle (hObject=0x19c) returned 1 [0101.555] GetProcessHeap () returned 0x4c0000 [0101.555] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b480a8 | out: hHeap=0x4c0000) returned 1 [0101.556] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="ARM", cAlternateFileName="")) returned 0 [0101.556] FindClose (in: hFindFile=0x4e2920 | out: hFindFile=0x4e2920) returned 1 [0101.556] wnsprintfW (in: pszDest=0x3b380a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\PUSSY.TXT") returned 34 [0101.556] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\PUSSY.TXT" (normalized: "c:\\programdata\\adobe\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0101.556] lstrlenA (lpString="abcd") returned 4 [0101.556] WriteFile (in: hFile=0x180, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28e5ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28e5ec*=0x4, lpOverlapped=0x0) returned 1 [0101.557] CloseHandle (hObject=0x180) returned 1 [0101.558] GetProcessHeap () returned 0x4c0000 [0101.558] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0101.558] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3074f252, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3074f252, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3074f252, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0101.558] lstrcmpiW (lpString1="Application Data", lpString2="Windows") returned -1 [0101.558] lstrcmpiW (lpString1="Application Data", lpString2="Program Files") returned -1 [0101.558] lstrcmpiW (lpString1="Application Data", lpString2="Program Files (x86)") returned -1 [0101.558] lstrcmpiW (lpString1="Application Data", lpString2="$Recycle.bin") returned 1 [0101.558] lstrcmpiW (lpString1="Application Data", lpString2="System Volume Information") returned -1 [0101.558] lstrcmpiW (lpString1="Application Data", lpString2=".") returned 1 [0101.558] lstrcmpiW (lpString1="Application Data", lpString2="..") returned 1 [0101.558] wnsprintfW (in: pszDest=0x3b28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Application Data") returned 35 [0101.558] GetProcessHeap () returned 0x4c0000 [0101.558] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bb8158 [0101.559] lstrcpyW (in: lpString1=0x3bb8158, lpString2="\\\\?\\C:\\ProgramData\\Application Data" | out: lpString1="\\\\?\\C:\\ProgramData\\Application Data") returned="\\\\?\\C:\\ProgramData\\Application Data" [0101.559] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Application Data", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Application Data\\*") returned="\\\\?\\C:\\ProgramData\\Application Data\\*" [0101.559] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Application Data\\*", lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="ARM", cAlternateFileName="a")) returned 0xffffffff [0101.559] GetProcessHeap () returned 0x4c0000 [0101.560] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bb8158 | out: hHeap=0x4c0000) returned 1 [0101.561] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Desktop", cAlternateFileName="")) returned 1 [0101.561] lstrcmpiW (lpString1="Desktop", lpString2="Windows") returned -1 [0101.561] lstrcmpiW (lpString1="Desktop", lpString2="Program Files") returned -1 [0101.561] lstrcmpiW (lpString1="Desktop", lpString2="Program Files (x86)") returned -1 [0101.561] lstrcmpiW (lpString1="Desktop", lpString2="$Recycle.bin") returned 1 [0101.561] lstrcmpiW (lpString1="Desktop", lpString2="System Volume Information") returned -1 [0101.561] lstrcmpiW (lpString1="Desktop", lpString2=".") returned 1 [0101.561] lstrcmpiW (lpString1="Desktop", lpString2="..") returned 1 [0101.562] wnsprintfW (in: pszDest=0x3b28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Desktop") returned 26 [0101.562] GetProcessHeap () returned 0x4c0000 [0101.562] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bb8158 [0101.562] lstrcpyW (in: lpString1=0x3bb8158, lpString2="\\\\?\\C:\\ProgramData\\Desktop" | out: lpString1="\\\\?\\C:\\ProgramData\\Desktop") returned="\\\\?\\C:\\ProgramData\\Desktop" [0101.562] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Desktop", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Desktop\\*") returned="\\\\?\\C:\\ProgramData\\Desktop\\*" [0101.562] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Desktop\\*", lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="ARM", cAlternateFileName="p")) returned 0xffffffff [0101.563] GetProcessHeap () returned 0x4c0000 [0101.563] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bb8158 | out: hHeap=0x4c0000) returned 1 [0101.563] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3074f252, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3074f252, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3074f252, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0101.563] lstrcmpiW (lpString1="Documents", lpString2="Windows") returned -1 [0101.563] lstrcmpiW (lpString1="Documents", lpString2="Program Files") returned -1 [0101.563] lstrcmpiW (lpString1="Documents", lpString2="Program Files (x86)") returned -1 [0101.563] lstrcmpiW (lpString1="Documents", lpString2="$Recycle.bin") returned 1 [0101.563] lstrcmpiW (lpString1="Documents", lpString2="System Volume Information") returned -1 [0101.563] lstrcmpiW (lpString1="Documents", lpString2=".") returned 1 [0101.563] lstrcmpiW (lpString1="Documents", lpString2="..") returned 1 [0101.563] wnsprintfW (in: pszDest=0x3b28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Documents") returned 28 [0101.563] GetProcessHeap () returned 0x4c0000 [0101.563] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bb8158 [0101.563] lstrcpyW (in: lpString1=0x3bb8158, lpString2="\\\\?\\C:\\ProgramData\\Documents" | out: lpString1="\\\\?\\C:\\ProgramData\\Documents") returned="\\\\?\\C:\\ProgramData\\Documents" [0101.563] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Documents", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Documents\\*") returned="\\\\?\\C:\\ProgramData\\Documents\\*" [0101.563] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Documents\\*", lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="ARM", cAlternateFileName="s")) returned 0xffffffff [0101.563] GetProcessHeap () returned 0x4c0000 [0101.563] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bb8158 | out: hHeap=0x4c0000) returned 1 [0101.563] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3074f252, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3074f252, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3074f252, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0101.563] lstrcmpiW (lpString1="Favorites", lpString2="Windows") returned -1 [0101.563] lstrcmpiW (lpString1="Favorites", lpString2="Program Files") returned -1 [0101.563] lstrcmpiW (lpString1="Favorites", lpString2="Program Files (x86)") returned -1 [0101.564] lstrcmpiW (lpString1="Favorites", lpString2="$Recycle.bin") returned 1 [0101.564] lstrcmpiW (lpString1="Favorites", lpString2="System Volume Information") returned -1 [0101.564] lstrcmpiW (lpString1="Favorites", lpString2=".") returned 1 [0101.564] lstrcmpiW (lpString1="Favorites", lpString2="..") returned 1 [0101.564] wnsprintfW (in: pszDest=0x3b28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Favorites") returned 28 [0101.564] GetProcessHeap () returned 0x4c0000 [0101.564] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bb8158 [0101.564] lstrcpyW (in: lpString1=0x3bb8158, lpString2="\\\\?\\C:\\ProgramData\\Favorites" | out: lpString1="\\\\?\\C:\\ProgramData\\Favorites") returned="\\\\?\\C:\\ProgramData\\Favorites" [0101.564] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Favorites", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Favorites\\*") returned="\\\\?\\C:\\ProgramData\\Favorites\\*" [0101.564] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Favorites\\*", lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="ARM", cAlternateFileName="s")) returned 0xffffffff [0101.564] GetProcessHeap () returned 0x4c0000 [0101.564] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bb8158 | out: hHeap=0x4c0000) returned 1 [0101.564] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0101.564] lstrcmpiW (lpString1="Microsoft", lpString2="Windows") returned -1 [0101.564] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files") returned -1 [0101.564] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files (x86)") returned -1 [0101.564] lstrcmpiW (lpString1="Microsoft", lpString2="$Recycle.bin") returned 1 [0101.564] lstrcmpiW (lpString1="Microsoft", lpString2="System Volume Information") returned -1 [0101.564] lstrcmpiW (lpString1="Microsoft", lpString2=".") returned 1 [0101.565] lstrcmpiW (lpString1="Microsoft", lpString2="..") returned 1 [0101.565] wnsprintfW (in: pszDest=0x3b28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft") returned 28 [0101.565] GetProcessHeap () returned 0x4c0000 [0101.565] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bb8158 [0101.565] lstrcpyW (in: lpString1=0x3bb8158, lpString2="\\\\?\\C:\\ProgramData\\Microsoft" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft") returned="\\\\?\\C:\\ProgramData\\Microsoft" [0101.565] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*" [0101.565] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\*", lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2920 [0101.565] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0101.565] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0101.565] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0101.565] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0101.565] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0101.565] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0101.565] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0101.566] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0101.566] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0101.566] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0101.566] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0101.566] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0101.566] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0101.566] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0101.566] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0x3fc949a4, ftLastAccessTime.dwHighDateTime=0x1ca0445, ftLastWriteTime.dwLowDateTime=0x3fc949a4, ftLastWriteTime.dwHighDateTime=0x1ca0445, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="Assistance", cAlternateFileName="ASSIST~1")) returned 1 [0101.566] lstrcmpiW (lpString1="Assistance", lpString2="Windows") returned -1 [0101.566] lstrcmpiW (lpString1="Assistance", lpString2="Program Files") returned -1 [0101.566] lstrcmpiW (lpString1="Assistance", lpString2="Program Files (x86)") returned -1 [0101.566] lstrcmpiW (lpString1="Assistance", lpString2="$Recycle.bin") returned 1 [0101.566] lstrcmpiW (lpString1="Assistance", lpString2="System Volume Information") returned -1 [0101.566] lstrcmpiW (lpString1="Assistance", lpString2=".") returned 1 [0101.566] lstrcmpiW (lpString1="Assistance", lpString2="..") returned 1 [0101.566] wnsprintfW (in: pszDest=0x3bb8158, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance") returned 39 [0101.566] GetProcessHeap () returned 0x4c0000 [0101.566] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b380a0 [0101.567] lstrcpyW (in: lpString1=0x3b380a0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance" [0101.567] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\*" [0101.567] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0x3fc949a4, ftLastAccessTime.dwHighDateTime=0x1ca0445, ftLastWriteTime.dwLowDateTime=0x3fc949a4, ftLastWriteTime.dwHighDateTime=0x1ca0445, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0101.568] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0101.568] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0101.568] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0101.568] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0101.568] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0101.568] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0101.568] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0x3fc949a4, ftLastAccessTime.dwHighDateTime=0x1ca0445, ftLastWriteTime.dwLowDateTime=0x3fc949a4, ftLastWriteTime.dwHighDateTime=0x1ca0445, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0101.568] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0101.568] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0101.568] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0101.568] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0101.568] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0101.568] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0101.568] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0101.569] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0x3fc949a4, ftLastAccessTime.dwHighDateTime=0x1ca0445, ftLastWriteTime.dwLowDateTime=0x3fc949a4, ftLastWriteTime.dwHighDateTime=0x1ca0445, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Client", cAlternateFileName="")) returned 1 [0101.569] lstrcmpiW (lpString1="Client", lpString2="Windows") returned -1 [0101.569] lstrcmpiW (lpString1="Client", lpString2="Program Files") returned -1 [0101.569] lstrcmpiW (lpString1="Client", lpString2="Program Files (x86)") returned -1 [0101.569] lstrcmpiW (lpString1="Client", lpString2="$Recycle.bin") returned 1 [0101.569] lstrcmpiW (lpString1="Client", lpString2="System Volume Information") returned -1 [0101.569] lstrcmpiW (lpString1="Client", lpString2=".") returned 1 [0101.569] lstrcmpiW (lpString1="Client", lpString2="..") returned 1 [0101.569] wnsprintfW (in: pszDest=0x3b380a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client") returned 46 [0101.569] GetProcessHeap () returned 0x4c0000 [0101.569] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b480a8 [0101.570] lstrcpyW (in: lpString1=0x3b480a8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client" [0101.570] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\*" [0101.570] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0x3fc949a4, ftLastAccessTime.dwHighDateTime=0x1ca0445, ftLastWriteTime.dwLowDateTime=0x3fc949a4, ftLastWriteTime.dwHighDateTime=0x1ca0445, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4dbf10 [0101.570] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0101.570] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0101.570] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0101.570] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0101.570] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0101.570] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0101.570] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0x3fc949a4, ftLastAccessTime.dwHighDateTime=0x1ca0445, ftLastWriteTime.dwLowDateTime=0x3fc949a4, ftLastWriteTime.dwHighDateTime=0x1ca0445, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0101.570] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0101.571] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0101.571] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0101.571] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0101.571] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0101.571] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0101.571] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0101.571] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0xa8f17049, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x243448f1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="1.0", cAlternateFileName="")) returned 1 [0101.571] lstrcmpiW (lpString1="1.0", lpString2="Windows") returned -1 [0101.571] lstrcmpiW (lpString1="1.0", lpString2="Program Files") returned -1 [0101.571] lstrcmpiW (lpString1="1.0", lpString2="Program Files (x86)") returned -1 [0101.571] lstrcmpiW (lpString1="1.0", lpString2="$Recycle.bin") returned 1 [0101.571] lstrcmpiW (lpString1="1.0", lpString2="System Volume Information") returned -1 [0101.571] lstrcmpiW (lpString1="1.0", lpString2=".") returned 1 [0101.571] lstrcmpiW (lpString1="1.0", lpString2="..") returned 1 [0101.571] wnsprintfW (in: pszDest=0x3b480a8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0") returned 50 [0101.571] GetProcessHeap () returned 0x4c0000 [0101.571] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b580b0 [0101.572] lstrcpyW (in: lpString1=0x3b580b0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0" [0101.572] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\*" [0101.572] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0xa8f17049, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x243448f1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e29a0 [0101.572] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0101.572] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0101.572] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0101.572] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0101.572] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0101.572] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0101.572] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0xa8f17049, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x243448f1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0101.572] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0101.572] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0101.572] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0101.573] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0101.573] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0101.573] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0101.573] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0101.573] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x243448f1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae0e8854, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae0e8854, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="en-US", cAlternateFileName="")) returned 1 [0101.573] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0101.573] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0101.573] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0101.573] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0101.573] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0101.573] lstrcmpiW (lpString1="en-US", lpString2=".") returned 1 [0101.573] lstrcmpiW (lpString1="en-US", lpString2="..") returned 1 [0101.573] wnsprintfW (in: pszDest=0x3b580b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US") returned 56 [0101.573] GetProcessHeap () returned 0x4c0000 [0101.573] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc8160 [0101.574] lstrcpyW (in: lpString1=0x3bc8160, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US" [0101.574] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\*" [0101.574] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x243448f1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae0e8854, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae0e8854, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff2f8ed6, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x4e29e0 [0101.577] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0101.577] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0101.577] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0101.577] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0101.577] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0101.577] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0101.577] FindNextFileW (in: hFindFile=0x4e29e0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x243448f1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae0e8854, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae0e8854, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff2f8ed6, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0101.577] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0101.577] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0101.577] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0101.577] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0101.577] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0101.577] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0101.577] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0101.577] FindNextFileW (in: hFindFile=0x4e29e0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x2436abaa, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xabde2c6f, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa65a8bbf, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x2f22, dwReserved0=0xff2f8ed6, dwReserved1=0xfe000000, cFileName="Help_CValidator.H1D", cAlternateFileName="HELP_C~1.H1D")) returned 1 [0101.577] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="Windows") returned -1 [0101.578] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="Program Files") returned -1 [0101.578] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="Program Files (x86)") returned -1 [0101.578] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="$Recycle.bin") returned 1 [0101.578] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="System Volume Information") returned -1 [0101.578] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2=".") returned 1 [0101.578] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="..") returned 1 [0101.578] wnsprintfW (in: pszDest=0x3bc8160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D") returned 76 [0101.578] lstrcmpW (lpString1="Help_CValidator.H1D", lpString2="PUSSY.TXT") returned -1 [0101.578] PathFindExtensionW (pszPath="Help_CValidator.H1D") returned=".H1D" [0101.578] lstrlenW (lpString=".H1D") returned 4 [0101.578] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0101.578] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_cvalidator.h1d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a4 [0101.579] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=12066) returned 1 [0101.579] GetProcessHeap () returned 0x4c0000 [0101.579] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0101.589] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="39") returned 2 [0101.589] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="74") returned 2 [0101.589] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="1C") returned 2 [0101.589] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="82") returned 2 [0101.589] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="29") returned 2 [0101.589] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="1B") returned 2 [0101.589] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="3A") returned 2 [0101.589] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="55") returned 2 [0101.589] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="75") returned 2 [0101.589] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="3F") returned 2 [0101.589] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="8D") returned 2 [0101.590] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="81") returned 2 [0101.590] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="08") returned 2 [0101.590] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="EB") returned 2 [0101.590] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="76") returned 2 [0101.590] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="81") returned 2 [0101.590] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="E1") returned 2 [0101.590] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="8D") returned 2 [0101.590] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="93") returned 2 [0101.590] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="7F") returned 2 [0101.590] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="EC") returned 2 [0101.590] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="1F") returned 2 [0101.590] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="C4") returned 2 [0101.590] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="48") returned 2 [0101.590] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="F1") returned 2 [0101.590] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="30") returned 2 [0101.590] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="8E") returned 2 [0101.590] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="4E") returned 2 [0101.590] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="E8") returned 2 [0101.590] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="EA") returned 2 [0101.590] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="EC") returned 2 [0101.590] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="68") returned 2 [0101.600] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D" [0101.600] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D" [0101.600] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D", lpString2=".39741C82291B3A55753F8D8108EB7681E18D937FEC1FC448F1308E4EE8EAEC68" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D.39741C82291B3A55753F8D8108EB7681E18D937FEC1FC448F1308E4EE8EAEC68") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D.39741C82291B3A55753F8D8108EB7681E18D937FEC1FC448F1308E4EE8EAEC68" [0101.600] CreateIoCompletionPort (FileHandle=0x1a4, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0101.601] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0101.601] FindNextFileW (in: hFindFile=0x4e29e0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x24534c56, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae2660aa, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae2660aa, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x365fc, dwReserved0=0xff2f8ed6, dwReserved1=0xfe000000, cFileName="Help_MKWD_AssetId.H1W", cAlternateFileName="HELP_M~1.H1W")) returned 1 [0101.601] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="Windows") returned -1 [0101.601] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="Program Files") returned -1 [0101.601] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="Program Files (x86)") returned -1 [0101.601] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="$Recycle.bin") returned 1 [0101.601] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="System Volume Information") returned -1 [0101.601] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2=".") returned 1 [0101.601] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="..") returned 1 [0101.601] wnsprintfW (in: pszDest=0x3bc8160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W") returned 78 [0101.601] lstrcmpW (lpString1="Help_MKWD_AssetId.H1W", lpString2="PUSSY.TXT") returned -1 [0101.601] PathFindExtensionW (pszPath="Help_MKWD_AssetId.H1W") returned=".H1W" [0101.601] lstrlenW (lpString=".H1W") returned 4 [0101.601] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0101.601] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_assetid.h1w"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0101.602] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=222716) returned 1 [0101.602] GetProcessHeap () returned 0x4c0000 [0101.602] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52aad8 [0101.611] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="DF") returned 2 [0101.611] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="16") returned 2 [0101.611] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="1A") returned 2 [0101.611] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="83") returned 2 [0101.611] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="E9") returned 2 [0101.611] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="7A") returned 2 [0101.611] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="20") returned 2 [0101.611] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="60") returned 2 [0101.611] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="FE") returned 2 [0101.611] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="00") returned 2 [0101.611] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="68") returned 2 [0101.611] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="80") returned 2 [0101.612] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="C6") returned 2 [0101.612] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="6B") returned 2 [0101.612] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="C5") returned 2 [0101.612] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="DF") returned 2 [0101.612] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="0E") returned 2 [0101.612] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="E7") returned 2 [0101.612] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="CE") returned 2 [0101.612] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="BD") returned 2 [0101.612] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="CE") returned 2 [0101.612] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="D3") returned 2 [0101.612] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="C6") returned 2 [0101.612] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="C6") returned 2 [0101.612] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="FD") returned 2 [0101.612] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="2A") returned 2 [0101.612] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="D2") returned 2 [0101.612] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="4B") returned 2 [0101.612] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="16") returned 2 [0101.612] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="42") returned 2 [0101.612] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="27") returned 2 [0101.612] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="53") returned 2 [0101.622] lstrcpyW (in: lpString1=0x53ab0c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W" [0101.622] lstrcpyW (in: lpString1=0x52ab0c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W" [0101.622] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W", lpString2=".DF161A83E97A2060FE006880C66BC5DF0EE7CEBDCED3C6C6FD2AD24B16422753" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W.DF161A83E97A2060FE006880C66BC5DF0EE7CEBDCED3C6C6FD2AD24B16422753") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W.DF161A83E97A2060FE006880C66BC5DF0EE7CEBDCED3C6C6FD2AD24B16422753" [0101.622] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x52aad8, NumberOfConcurrentThreads=0x0) returned 0x94 [0101.622] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52aad8, lpOverlapped=0x52aad8) returned 1 [0101.622] FindNextFileW (in: hFindFile=0x4e29e0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x24534c56, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae409b6f, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae409b6f, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x325ec, dwReserved0=0xff2f8ed6, dwReserved1=0xfe000000, cFileName="Help_MKWD_BestBet.H1W", cAlternateFileName="HELP_M~2.H1W")) returned 1 [0101.622] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="Windows") returned -1 [0101.622] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="Program Files") returned -1 [0101.622] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="Program Files (x86)") returned -1 [0101.622] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="$Recycle.bin") returned 1 [0101.622] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="System Volume Information") returned -1 [0101.622] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2=".") returned 1 [0101.622] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="..") returned 1 [0101.622] wnsprintfW (in: pszDest=0x3bc8160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W") returned 78 [0101.622] lstrcmpW (lpString1="Help_MKWD_BestBet.H1W", lpString2="PUSSY.TXT") returned -1 [0101.622] PathFindExtensionW (pszPath="Help_MKWD_BestBet.H1W") returned=".H1W" [0101.622] lstrlenW (lpString=".H1W") returned 4 [0101.622] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0101.623] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_bestbet.h1w"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a4 [0101.671] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=206316) returned 1 [0101.672] GetProcessHeap () returned 0x4c0000 [0101.673] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0101.686] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="50") returned 2 [0101.686] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="F6") returned 2 [0101.686] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="A0") returned 2 [0101.686] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="7C") returned 2 [0101.686] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="60") returned 2 [0101.686] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="D2") returned 2 [0101.686] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="78") returned 2 [0101.686] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="C4") returned 2 [0101.686] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="61") returned 2 [0101.686] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="2A") returned 2 [0101.686] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="96") returned 2 [0101.686] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="43") returned 2 [0101.686] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="16") returned 2 [0101.686] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="DD") returned 2 [0101.686] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="24") returned 2 [0101.686] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="5C") returned 2 [0101.686] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="60") returned 2 [0101.686] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="14") returned 2 [0101.687] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="39") returned 2 [0101.687] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="A9") returned 2 [0101.687] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="DD") returned 2 [0101.687] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="A0") returned 2 [0101.687] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="BA") returned 2 [0101.687] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="E8") returned 2 [0101.687] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="96") returned 2 [0101.687] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="A3") returned 2 [0101.687] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="80") returned 2 [0101.687] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="06") returned 2 [0101.687] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="10") returned 2 [0101.687] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="FF") returned 2 [0101.687] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="33") returned 2 [0101.687] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="2C") returned 2 [0101.697] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W" [0101.697] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W" [0101.697] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W", lpString2=".50F6A07C60D278C4612A964316DD245C601439A9DDA0BAE896A3800610FF332C" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W.50F6A07C60D278C4612A964316DD245C601439A9DDA0BAE896A3800610FF332C") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W.50F6A07C60D278C4612A964316DD245C601439A9DDA0BAE896A3800610FF332C" [0101.698] CreateIoCompletionPort (FileHandle=0x1a4, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0101.698] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0101.698] FindNextFileW (in: hFindFile=0x4e29e0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x24534c56, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae45604d, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae45604d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x79f1a, dwReserved0=0xff2f8ed6, dwReserved1=0xfe000000, cFileName="Help_MTOC_help.H1H", cAlternateFileName="HELP_M~1.H1H")) returned 1 [0101.698] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="Windows") returned -1 [0101.698] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="Program Files") returned -1 [0101.698] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="Program Files (x86)") returned -1 [0101.698] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="$Recycle.bin") returned 1 [0101.698] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="System Volume Information") returned -1 [0101.698] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2=".") returned 1 [0101.698] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="..") returned 1 [0101.698] wnsprintfW (in: pszDest=0x3bc8160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H") returned 75 [0101.698] lstrcmpW (lpString1="Help_MTOC_help.H1H", lpString2="PUSSY.TXT") returned -1 [0101.698] PathFindExtensionW (pszPath="Help_MTOC_help.H1H") returned=".H1H" [0101.698] lstrlenW (lpString=".H1H") returned 4 [0101.698] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0101.698] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mtoc_help.h1h"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0101.699] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=499482) returned 1 [0101.699] GetProcessHeap () returned 0x4c0000 [0101.699] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52aad8 [0101.712] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="2F") returned 2 [0101.712] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="73") returned 2 [0101.712] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="44") returned 2 [0101.712] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="0F") returned 2 [0101.712] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="24") returned 2 [0101.712] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="E1") returned 2 [0101.712] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="36") returned 2 [0101.712] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="C6") returned 2 [0101.712] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="9E") returned 2 [0101.712] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="A5") returned 2 [0101.712] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="A6") returned 2 [0101.712] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="F8") returned 2 [0101.712] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="2E") returned 2 [0101.712] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="F3") returned 2 [0101.712] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="D8") returned 2 [0101.712] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="8B") returned 2 [0101.712] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="31") returned 2 [0101.712] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="B8") returned 2 [0101.712] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="DE") returned 2 [0101.712] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="D2") returned 2 [0101.712] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="42") returned 2 [0101.712] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="F5") returned 2 [0101.712] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="3C") returned 2 [0101.713] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="BD") returned 2 [0101.713] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="B4") returned 2 [0101.713] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="9D") returned 2 [0101.713] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="02") returned 2 [0101.713] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="88") returned 2 [0101.713] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="E3") returned 2 [0101.713] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="C4") returned 2 [0101.713] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="DC") returned 2 [0101.713] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="44") returned 2 [0101.725] lstrcpyW (in: lpString1=0x53ab0c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H" [0101.725] lstrcpyW (in: lpString1=0x52ab0c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H" [0101.725] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H", lpString2=".2F73440F24E136C69EA5A6F82EF3D88B31B8DED242F53CBDB49D0288E3C4DC44" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H.2F73440F24E136C69EA5A6F82EF3D88B31B8DED242F53CBDB49D0288E3C4DC44") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H.2F73440F24E136C69EA5A6F82EF3D88B31B8DED242F53CBDB49D0288E3C4DC44" [0101.725] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x52aad8, NumberOfConcurrentThreads=0x0) returned 0x94 [0101.726] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52aad8, lpOverlapped=0x52aad8) returned 1 [0101.726] FindNextFileW (in: hFindFile=0x4e29e0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x26353250, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae45604d, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae45604d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x3944, dwReserved0=0xff2f8ed6, dwReserved1=0xfe000000, cFileName="Help_MValidator.H1D", cAlternateFileName="HELP_M~1.H1D")) returned 1 [0101.726] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="Windows") returned -1 [0101.726] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="Program Files") returned -1 [0101.726] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="Program Files (x86)") returned -1 [0101.726] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="$Recycle.bin") returned 1 [0101.726] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="System Volume Information") returned -1 [0101.726] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2=".") returned 1 [0101.726] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="..") returned 1 [0101.726] wnsprintfW (in: pszDest=0x3bc8160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D") returned 76 [0101.726] lstrcmpW (lpString1="Help_MValidator.H1D", lpString2="PUSSY.TXT") returned -1 [0101.726] PathFindExtensionW (pszPath="Help_MValidator.H1D") returned=".H1D" [0101.726] lstrlenW (lpString=".H1D") returned 4 [0101.726] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0101.726] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.h1d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x170 [0101.727] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=14660) returned 1 [0101.727] GetProcessHeap () returned 0x4c0000 [0101.727] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x552b28 [0101.741] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="FF") returned 2 [0101.741] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="57") returned 2 [0101.741] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="DD") returned 2 [0101.741] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="97") returned 2 [0101.741] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="C6") returned 2 [0101.741] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="7F") returned 2 [0101.741] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="02") returned 2 [0101.741] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="A9") returned 2 [0101.741] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="E9") returned 2 [0101.741] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="57") returned 2 [0101.742] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="12") returned 2 [0101.742] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="9C") returned 2 [0101.742] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="80") returned 2 [0101.742] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="1A") returned 2 [0101.742] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="42") returned 2 [0101.742] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="7F") returned 2 [0101.742] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="26") returned 2 [0101.742] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="FC") returned 2 [0101.742] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="85") returned 2 [0101.742] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="43") returned 2 [0101.742] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="4E") returned 2 [0101.742] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="43") returned 2 [0101.742] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="01") returned 2 [0101.742] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="2A") returned 2 [0101.742] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="B3") returned 2 [0101.742] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="04") returned 2 [0101.742] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="E3") returned 2 [0101.742] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="05") returned 2 [0101.742] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="2F") returned 2 [0101.742] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="6A") returned 2 [0101.742] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="3E") returned 2 [0101.742] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="03") returned 2 [0101.754] lstrcpyW (in: lpString1=0x562b5c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D" [0101.754] lstrcpyW (in: lpString1=0x552b5c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D" [0101.754] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D", lpString2=".FF57DD97C67F02A9E957129C801A427F26FC85434E43012AB304E3052F6A3E03" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D.FF57DD97C67F02A9E957129C801A427F26FC85434E43012AB304E3052F6A3E03") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D.FF57DD97C67F02A9E957129C801A427F26FC85434E43012AB304E3052F6A3E03" [0101.754] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x94, CompletionKey=0x552b28, NumberOfConcurrentThreads=0x0) returned 0x94 [0101.754] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x552b28, lpOverlapped=0x552b28) returned 1 [0101.754] FindNextFileW (in: hFindFile=0x4e29e0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x24534c56, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae45604d, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae45604d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0xff2f8ed6, dwReserved1=0xfe000000, cFileName="Help_MValidator.Lck", cAlternateFileName="HELP_M~1.LCK")) returned 1 [0101.754] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="Windows") returned -1 [0101.754] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="Program Files") returned -1 [0101.754] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="Program Files (x86)") returned -1 [0101.754] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="$Recycle.bin") returned 1 [0101.754] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="System Volume Information") returned -1 [0101.754] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2=".") returned 1 [0101.754] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="..") returned 1 [0101.754] wnsprintfW (in: pszDest=0x3bc8160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck") returned 76 [0101.755] lstrcmpW (lpString1="Help_MValidator.Lck", lpString2="PUSSY.TXT") returned -1 [0101.755] PathFindExtensionW (pszPath="Help_MValidator.Lck") returned=".Lck" [0101.755] lstrlenW (lpString=".Lck") returned 4 [0101.755] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0101.755] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.lck"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0101.755] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=4) returned 1 [0101.755] CloseHandle (hObject=0x194) returned 1 [0101.755] FindNextFileW (in: hFindFile=0x4e29e0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x249fa376, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae0e8854, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae0e8854, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0xd5310, dwReserved0=0xff2f8ed6, dwReserved1=0xfe000000, cFileName="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", cAlternateFileName="HELP{9~1.H1Q")) returned 1 [0101.755] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="Windows") returned -1 [0101.755] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="Program Files") returned -1 [0101.755] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="Program Files (x86)") returned -1 [0101.755] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="$Recycle.bin") returned 1 [0101.755] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="System Volume Information") returned -1 [0101.755] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2=".") returned 1 [0101.755] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="..") returned 1 [0101.755] wnsprintfW (in: pszDest=0x3bc8160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q") returned 103 [0101.755] lstrcmpW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="PUSSY.TXT") returned -1 [0101.756] PathFindExtensionW (pszPath="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q") returned=".H1Q" [0101.756] lstrlenW (lpString=".H1Q") returned 4 [0101.756] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0101.756] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help{9daa54e8-cd95-4107-8e7f-ba3f24732d95}.h1q"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0101.756] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=873232) returned 1 [0101.756] GetProcessHeap () returned 0x4c0000 [0101.756] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x57ab78 [0101.887] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="68") returned 2 [0101.887] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="43") returned 2 [0101.888] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="B1") returned 2 [0101.888] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="24") returned 2 [0101.888] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="B4") returned 2 [0101.888] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="3D") returned 2 [0101.888] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="72") returned 2 [0101.888] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="E3") returned 2 [0101.888] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="CA") returned 2 [0101.888] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="51") returned 2 [0101.888] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="BC") returned 2 [0101.888] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="77") returned 2 [0101.888] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="8B") returned 2 [0101.888] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="13") returned 2 [0101.888] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="83") returned 2 [0101.888] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="12") returned 2 [0101.888] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="EC") returned 2 [0101.888] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="A7") returned 2 [0101.888] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="D0") returned 2 [0101.888] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="C8") returned 2 [0101.888] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="04") returned 2 [0101.888] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="08") returned 2 [0101.888] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="A0") returned 2 [0101.888] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="A0") returned 2 [0101.888] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="7A") returned 2 [0101.888] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="89") returned 2 [0101.888] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="D3") returned 2 [0101.889] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="A3") returned 2 [0101.889] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="C2") returned 2 [0101.889] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="76") returned 2 [0101.889] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="66") returned 2 [0101.889] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="3F") returned 2 [0101.898] lstrcpyW (in: lpString1=0x58abac, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q" [0101.898] lstrcpyW (in: lpString1=0x57abac, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q" [0101.898] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2=".6843B124B43D72E3CA51BC778B138312ECA7D0C80408A0A07A89D3A3C276663F" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q.6843B124B43D72E3CA51BC778B138312ECA7D0C80408A0A07A89D3A3C276663F") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q.6843B124B43D72E3CA51BC778B138312ECA7D0C80408A0A07A89D3A3C276663F" [0101.898] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0x94, CompletionKey=0x57ab78, NumberOfConcurrentThreads=0x0) returned 0x94 [0101.898] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x57ab78, lpOverlapped=0x57ab78) returned 1 [0101.899] FindNextFileW (in: hFindFile=0x4e29e0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x249fa376, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae0e8854, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae0e8854, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0xd5310, dwReserved0=0xff2f8ed6, dwReserved1=0xfe000000, cFileName="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", cAlternateFileName="HELP{9~1.H1Q")) returned 0 [0101.899] FindClose (in: hFindFile=0x4e29e0 | out: hFindFile=0x4e29e0) returned 1 [0101.929] wnsprintfW (in: pszDest=0x3bc8160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\PUSSY.TXT") returned 66 [0101.930] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0101.931] lstrlenA (lpString="abcd") returned 4 [0101.931] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0101.932] CloseHandle (hObject=0x18c) returned 1 [0101.932] GetProcessHeap () returned 0x4c0000 [0101.932] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc8160 | out: hHeap=0x4c0000) returned 1 [0101.935] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x243448f1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae0e8854, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae0e8854, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="en-US", cAlternateFileName="")) returned 0 [0101.935] FindClose (in: hFindFile=0x4e29a0 | out: hFindFile=0x4e29a0) returned 1 [0101.936] wnsprintfW (in: pszDest=0x3b580b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\PUSSY.TXT") returned 60 [0101.936] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0101.936] lstrlenA (lpString="abcd") returned 4 [0101.936] WriteFile (in: hFile=0x174, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0101.937] CloseHandle (hObject=0x174) returned 1 [0101.937] GetProcessHeap () returned 0x4c0000 [0101.937] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b580b0 | out: hHeap=0x4c0000) returned 1 [0101.938] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0xa8f17049, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x243448f1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="1.0", cAlternateFileName="")) returned 0 [0101.938] FindClose (in: hFindFile=0x4dbf10 | out: hFindFile=0x4dbf10) returned 1 [0101.938] wnsprintfW (in: pszDest=0x3b480a8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\PUSSY.TXT") returned 56 [0101.938] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0101.938] lstrlenA (lpString="abcd") returned 4 [0101.938] WriteFile (in: hFile=0x16c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0101.939] CloseHandle (hObject=0x16c) returned 1 [0101.940] GetProcessHeap () returned 0x4c0000 [0101.940] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b480a8 | out: hHeap=0x4c0000) returned 1 [0101.940] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0x3fc949a4, ftLastAccessTime.dwHighDateTime=0x1ca0445, ftLastWriteTime.dwLowDateTime=0x3fc949a4, ftLastWriteTime.dwHighDateTime=0x1ca0445, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Client", cAlternateFileName="")) returned 0 [0101.940] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0101.940] wnsprintfW (in: pszDest=0x3b380a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\PUSSY.TXT") returned 49 [0101.940] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\assistance\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0101.940] lstrlenA (lpString="abcd") returned 4 [0101.940] WriteFile (in: hFile=0x19c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0101.941] CloseHandle (hObject=0x19c) returned 1 [0101.941] GetProcessHeap () returned 0x4c0000 [0101.941] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0101.943] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="Crypto", cAlternateFileName="")) returned 1 [0101.943] lstrcmpiW (lpString1="Crypto", lpString2="Windows") returned -1 [0101.943] lstrcmpiW (lpString1="Crypto", lpString2="Program Files") returned -1 [0101.943] lstrcmpiW (lpString1="Crypto", lpString2="Program Files (x86)") returned -1 [0101.943] lstrcmpiW (lpString1="Crypto", lpString2="$Recycle.bin") returned 1 [0101.943] lstrcmpiW (lpString1="Crypto", lpString2="System Volume Information") returned -1 [0101.943] lstrcmpiW (lpString1="Crypto", lpString2=".") returned 1 [0101.943] lstrcmpiW (lpString1="Crypto", lpString2="..") returned 1 [0101.943] wnsprintfW (in: pszDest=0x3bb8158, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto") returned 35 [0101.943] GetProcessHeap () returned 0x4c0000 [0101.943] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc8160 [0101.944] lstrcpyW (in: lpString1=0x3bc8160, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto" [0101.944] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*" [0101.944] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0101.945] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0101.945] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0101.945] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0101.945] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0101.945] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0101.945] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0101.945] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0101.945] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0101.945] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0101.945] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0101.945] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0101.945] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0101.945] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0101.945] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0101.945] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd943744, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="DSS", cAlternateFileName="")) returned 1 [0101.945] lstrcmpiW (lpString1="DSS", lpString2="Windows") returned -1 [0101.945] lstrcmpiW (lpString1="DSS", lpString2="Program Files") returned -1 [0101.945] lstrcmpiW (lpString1="DSS", lpString2="Program Files (x86)") returned -1 [0101.945] lstrcmpiW (lpString1="DSS", lpString2="$Recycle.bin") returned 1 [0101.945] lstrcmpiW (lpString1="DSS", lpString2="System Volume Information") returned -1 [0101.945] lstrcmpiW (lpString1="DSS", lpString2=".") returned 1 [0101.945] lstrcmpiW (lpString1="DSS", lpString2="..") returned 1 [0101.945] wnsprintfW (in: pszDest=0x3bc8160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS") returned 39 [0101.945] GetProcessHeap () returned 0x4c0000 [0101.945] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0101.946] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS" [0101.946] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\*" [0101.946] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd943744, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4dbf10 [0101.947] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0101.947] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0101.947] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0101.947] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0101.947] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0101.947] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0101.947] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd943744, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0101.947] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0101.947] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0101.947] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0101.947] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0101.947] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0101.947] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0101.947] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0101.947] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="MachineKeys", cAlternateFileName="MACHIN~1")) returned 1 [0101.947] lstrcmpiW (lpString1="MachineKeys", lpString2="Windows") returned -1 [0101.947] lstrcmpiW (lpString1="MachineKeys", lpString2="Program Files") returned -1 [0101.947] lstrcmpiW (lpString1="MachineKeys", lpString2="Program Files (x86)") returned -1 [0101.947] lstrcmpiW (lpString1="MachineKeys", lpString2="$Recycle.bin") returned 1 [0101.947] lstrcmpiW (lpString1="MachineKeys", lpString2="System Volume Information") returned -1 [0101.947] lstrcmpiW (lpString1="MachineKeys", lpString2=".") returned 1 [0101.947] lstrcmpiW (lpString1="MachineKeys", lpString2="..") returned 1 [0101.947] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys") returned 51 [0101.947] GetProcessHeap () returned 0x4c0000 [0101.947] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0101.948] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys" [0101.948] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\*" [0101.948] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e29a0 [0101.948] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0101.948] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0101.948] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0101.948] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0101.948] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0101.948] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0101.948] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0101.948] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0101.948] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0101.948] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0101.949] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0101.949] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0101.949] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0101.949] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0101.949] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 0 [0101.949] FindClose (in: hFindFile=0x4e29a0 | out: hFindFile=0x4e29a0) returned 1 [0101.949] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\PUSSY.TXT") returned 61 [0101.949] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\crypto\\dss\\machinekeys\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0101.950] lstrlenA (lpString="abcd") returned 4 [0101.950] WriteFile (in: hFile=0x174, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0101.951] CloseHandle (hObject=0x174) returned 1 [0101.952] GetProcessHeap () returned 0x4c0000 [0101.952] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0101.953] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="MachineKeys", cAlternateFileName="MACHIN~1")) returned 0 [0101.953] FindClose (in: hFindFile=0x4dbf10 | out: hFindFile=0x4dbf10) returned 1 [0101.953] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\PUSSY.TXT") returned 49 [0101.953] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\crypto\\dss\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0101.954] lstrlenA (lpString="abcd") returned 4 [0101.954] WriteFile (in: hFile=0x16c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0101.955] CloseHandle (hObject=0x16c) returned 1 [0101.955] GetProcessHeap () returned 0x4c0000 [0101.955] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0101.955] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Keys", cAlternateFileName="")) returned 1 [0101.955] lstrcmpiW (lpString1="Keys", lpString2="Windows") returned -1 [0101.955] lstrcmpiW (lpString1="Keys", lpString2="Program Files") returned -1 [0101.955] lstrcmpiW (lpString1="Keys", lpString2="Program Files (x86)") returned -1 [0101.955] lstrcmpiW (lpString1="Keys", lpString2="$Recycle.bin") returned 1 [0101.955] lstrcmpiW (lpString1="Keys", lpString2="System Volume Information") returned -1 [0101.955] lstrcmpiW (lpString1="Keys", lpString2=".") returned 1 [0101.955] lstrcmpiW (lpString1="Keys", lpString2="..") returned 1 [0101.956] wnsprintfW (in: pszDest=0x3bc8160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys") returned 40 [0101.956] GetProcessHeap () returned 0x4c0000 [0101.956] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0101.956] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys" [0101.956] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\*" [0101.956] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4dbf10 [0101.957] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0101.957] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0101.957] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0101.957] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0101.957] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0101.957] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0101.957] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0101.957] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0101.957] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0101.957] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0101.957] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0101.957] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0101.957] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0101.957] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0101.957] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 0 [0101.957] FindClose (in: hFindFile=0x4dbf10 | out: hFindFile=0x4dbf10) returned 1 [0101.957] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\PUSSY.TXT") returned 50 [0101.957] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\crypto\\keys\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0101.958] lstrlenA (lpString="abcd") returned 4 [0101.958] WriteFile (in: hFile=0x16c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0101.959] CloseHandle (hObject=0x16c) returned 1 [0101.959] GetProcessHeap () returned 0x4c0000 [0101.959] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0101.959] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfc65d150, ftLastAccessTime.dwHighDateTime=0x1d2dda1, ftLastWriteTime.dwLowDateTime=0xfc65d150, ftLastWriteTime.dwHighDateTime=0x1d2dda1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="RSA", cAlternateFileName="")) returned 1 [0101.959] lstrcmpiW (lpString1="RSA", lpString2="Windows") returned -1 [0101.959] lstrcmpiW (lpString1="RSA", lpString2="Program Files") returned 1 [0101.959] lstrcmpiW (lpString1="RSA", lpString2="Program Files (x86)") returned 1 [0101.959] lstrcmpiW (lpString1="RSA", lpString2="$Recycle.bin") returned 1 [0101.959] lstrcmpiW (lpString1="RSA", lpString2="System Volume Information") returned -1 [0101.959] lstrcmpiW (lpString1="RSA", lpString2=".") returned 1 [0101.959] lstrcmpiW (lpString1="RSA", lpString2="..") returned 1 [0101.959] wnsprintfW (in: pszDest=0x3bc8160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA") returned 39 [0101.959] GetProcessHeap () returned 0x4c0000 [0101.959] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0101.959] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA" [0101.959] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\*" [0101.959] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfc65d150, ftLastAccessTime.dwHighDateTime=0x1d2dda1, ftLastWriteTime.dwLowDateTime=0xfc65d150, ftLastWriteTime.dwHighDateTime=0x1d2dda1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4dbf10 [0101.960] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0101.960] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0101.960] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0101.960] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0101.960] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0101.960] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0101.960] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfc65d150, ftLastAccessTime.dwHighDateTime=0x1d2dda1, ftLastWriteTime.dwLowDateTime=0xfc65d150, ftLastWriteTime.dwHighDateTime=0x1d2dda1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0101.960] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0101.960] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0101.960] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0101.960] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0101.960] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0101.960] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0101.960] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0101.960] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="MachineKeys", cAlternateFileName="MACHIN~1")) returned 1 [0101.960] lstrcmpiW (lpString1="MachineKeys", lpString2="Windows") returned -1 [0101.960] lstrcmpiW (lpString1="MachineKeys", lpString2="Program Files") returned -1 [0101.960] lstrcmpiW (lpString1="MachineKeys", lpString2="Program Files (x86)") returned -1 [0101.960] lstrcmpiW (lpString1="MachineKeys", lpString2="$Recycle.bin") returned 1 [0101.960] lstrcmpiW (lpString1="MachineKeys", lpString2="System Volume Information") returned -1 [0101.960] lstrcmpiW (lpString1="MachineKeys", lpString2=".") returned 1 [0101.960] lstrcmpiW (lpString1="MachineKeys", lpString2="..") returned 1 [0101.960] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys") returned 51 [0101.960] GetProcessHeap () returned 0x4c0000 [0101.960] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0101.961] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys" [0101.961] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\*" [0101.961] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e29a0 [0101.961] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0101.961] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0101.961] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0101.961] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0101.961] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0101.961] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0101.962] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0101.962] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0101.962] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0101.962] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0101.962] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0101.962] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0101.962] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0101.962] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0101.962] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 0 [0101.962] FindClose (in: hFindFile=0x4e29a0 | out: hFindFile=0x4e29a0) returned 1 [0101.962] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\PUSSY.TXT") returned 61 [0101.962] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\machinekeys\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0101.962] lstrlenA (lpString="abcd") returned 4 [0101.962] WriteFile (in: hFile=0x174, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0101.963] CloseHandle (hObject=0x174) returned 1 [0101.963] GetProcessHeap () returned 0x4c0000 [0101.964] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0101.964] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfc65d150, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xe5bc2f0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0xe5bc2f0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="S-1-5-18", cAlternateFileName="")) returned 1 [0101.964] lstrcmpiW (lpString1="S-1-5-18", lpString2="Windows") returned -1 [0101.964] lstrcmpiW (lpString1="S-1-5-18", lpString2="Program Files") returned 1 [0101.964] lstrcmpiW (lpString1="S-1-5-18", lpString2="Program Files (x86)") returned 1 [0101.964] lstrcmpiW (lpString1="S-1-5-18", lpString2="$Recycle.bin") returned 1 [0101.964] lstrcmpiW (lpString1="S-1-5-18", lpString2="System Volume Information") returned -1 [0101.964] lstrcmpiW (lpString1="S-1-5-18", lpString2=".") returned 1 [0101.964] lstrcmpiW (lpString1="S-1-5-18", lpString2="..") returned 1 [0101.964] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18") returned 48 [0101.964] GetProcessHeap () returned 0x4c0000 [0101.964] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0101.964] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18" [0101.964] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*" [0101.964] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfc65d150, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xe5bc2f0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0xe5bc2f0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e29a0 [0101.965] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0101.965] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0101.965] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0101.965] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0101.965] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0101.965] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0101.965] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfc65d150, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xe5bc2f0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0xe5bc2f0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0101.965] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0101.965] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0101.965] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0101.965] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0101.965] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0101.965] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0101.965] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0101.965] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xfc767af0, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xfc767af0, ftLastAccessTime.dwHighDateTime=0x1d2dda1, ftLastWriteTime.dwLowDateTime=0xfc767af0, ftLastWriteTime.dwHighDateTime=0x1d2dda1, nFileSizeHigh=0x0, nFileSizeLow=0x2f, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", cAlternateFileName="6D14E4~1")) returned 1 [0101.966] lstrcmpiW (lpString1="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Windows") returned -1 [0101.966] lstrcmpiW (lpString1="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Program Files") returned -1 [0101.966] lstrcmpiW (lpString1="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Program Files (x86)") returned -1 [0101.966] lstrcmpiW (lpString1="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="$Recycle.bin") returned 1 [0101.966] lstrcmpiW (lpString1="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="System Volume Information") returned -1 [0101.966] lstrcmpiW (lpString1="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2=".") returned 1 [0101.966] lstrcmpiW (lpString1="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="..") returned 1 [0101.966] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 118 [0101.966] lstrcmpW (lpString1="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="PUSSY.TXT") returned -1 [0101.966] PathFindExtensionW (pszPath="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned="" [0101.966] lstrlenW (lpString="") returned 0 [0101.966] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0101.966] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0101.966] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=47) returned 1 [0101.966] CloseHandle (hObject=0x18c) returned 1 [0101.966] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xe5bc2f0, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0xe5bc2f0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0xe5bc2f0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x41d, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", cAlternateFileName="D42CC0~1")) returned 1 [0101.966] lstrcmpiW (lpString1="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Windows") returned -1 [0101.966] lstrcmpiW (lpString1="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Program Files") returned -1 [0101.966] lstrcmpiW (lpString1="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Program Files (x86)") returned -1 [0101.967] lstrcmpiW (lpString1="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="$Recycle.bin") returned 1 [0101.967] lstrcmpiW (lpString1="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="System Volume Information") returned -1 [0101.967] lstrcmpiW (lpString1="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2=".") returned 1 [0101.967] lstrcmpiW (lpString1="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="..") returned 1 [0101.967] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 118 [0101.967] lstrcmpW (lpString1="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="PUSSY.TXT") returned -1 [0101.967] PathFindExtensionW (pszPath="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned="" [0101.967] lstrlenW (lpString="") returned 0 [0101.967] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0101.967] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0101.967] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=1053) returned 1 [0101.967] GetProcessHeap () returned 0x4c0000 [0101.967] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52aad8 [0101.978] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="B5") returned 2 [0101.978] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="61") returned 2 [0101.978] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="E2") returned 2 [0101.978] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="56") returned 2 [0101.978] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="3A") returned 2 [0101.978] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="1A") returned 2 [0101.978] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="68") returned 2 [0101.978] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="E9") returned 2 [0101.978] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="5F") returned 2 [0101.978] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="57") returned 2 [0101.978] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="15") returned 2 [0101.978] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="D7") returned 2 [0101.978] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="BA") returned 2 [0101.978] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="C0") returned 2 [0101.978] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="D4") returned 2 [0101.979] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="A7") returned 2 [0101.979] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="C5") returned 2 [0101.979] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="0D") returned 2 [0101.979] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="24") returned 2 [0101.979] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="7E") returned 2 [0101.979] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="8D") returned 2 [0101.979] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="D6") returned 2 [0101.979] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="23") returned 2 [0101.979] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="1A") returned 2 [0101.979] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="CE") returned 2 [0101.979] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="B4") returned 2 [0101.979] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="56") returned 2 [0101.979] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="97") returned 2 [0101.979] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="85") returned 2 [0101.979] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="CA") returned 2 [0101.979] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="E9") returned 2 [0101.979] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="34") returned 2 [0101.990] lstrcpyW (in: lpString1=0x53ab0c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" [0101.990] lstrcpyW (in: lpString1=0x52ab0c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" [0101.990] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2=".B561E2563A1A68E95F5715D7BAC0D4A7C50D247E8DD6231ACEB4569785CAE934" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.B561E2563A1A68E95F5715D7BAC0D4A7C50D247E8DD6231ACEB4569785CAE934") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.B561E2563A1A68E95F5715D7BAC0D4A7C50D247E8DD6231ACEB4569785CAE934" [0101.990] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x52aad8, NumberOfConcurrentThreads=0x0) returned 0x94 [0101.990] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52aad8, lpOverlapped=0x52aad8) returned 1 [0101.990] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xe5bc2f0, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0xe5bc2f0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0xe5bc2f0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x41d, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", cAlternateFileName="D42CC0~1")) returned 0 [0101.992] FindClose (in: hFindFile=0x4e29a0 | out: hFindFile=0x4e29a0) returned 1 [0101.992] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\PUSSY.TXT") returned 58 [0101.992] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0102.005] lstrlenA (lpString="abcd") returned 4 [0102.005] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0102.007] CloseHandle (hObject=0x18c) returned 1 [0102.007] GetProcessHeap () returned 0x4c0000 [0102.007] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0102.009] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfc65d150, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xe5bc2f0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0xe5bc2f0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="S-1-5-18", cAlternateFileName="")) returned 0 [0102.009] FindClose (in: hFindFile=0x4dbf10 | out: hFindFile=0x4dbf10) returned 1 [0102.010] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\PUSSY.TXT") returned 49 [0102.010] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0102.010] lstrlenA (lpString="abcd") returned 4 [0102.010] WriteFile (in: hFile=0x16c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0102.011] CloseHandle (hObject=0x16c) returned 1 [0102.011] GetProcessHeap () returned 0x4c0000 [0102.011] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0102.012] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfc65d150, ftLastAccessTime.dwHighDateTime=0x1d2dda1, ftLastWriteTime.dwLowDateTime=0xfc65d150, ftLastWriteTime.dwHighDateTime=0x1d2dda1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="RSA", cAlternateFileName="")) returned 0 [0102.012] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0102.012] wnsprintfW (in: pszDest=0x3bc8160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PUSSY.TXT") returned 45 [0102.012] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\crypto\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0102.012] lstrlenA (lpString="abcd") returned 4 [0102.012] WriteFile (in: hFile=0x19c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0102.013] CloseHandle (hObject=0x19c) returned 1 [0102.013] GetProcessHeap () returned 0x4c0000 [0102.014] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc8160 | out: hHeap=0x4c0000) returned 1 [0102.015] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="Device Stage", cAlternateFileName="DEVICE~1")) returned 1 [0102.015] lstrcmpiW (lpString1="Device Stage", lpString2="Windows") returned -1 [0102.015] lstrcmpiW (lpString1="Device Stage", lpString2="Program Files") returned -1 [0102.015] lstrcmpiW (lpString1="Device Stage", lpString2="Program Files (x86)") returned -1 [0102.015] lstrcmpiW (lpString1="Device Stage", lpString2="$Recycle.bin") returned 1 [0102.016] lstrcmpiW (lpString1="Device Stage", lpString2="System Volume Information") returned -1 [0102.016] lstrcmpiW (lpString1="Device Stage", lpString2=".") returned 1 [0102.016] lstrcmpiW (lpString1="Device Stage", lpString2="..") returned 1 [0102.016] wnsprintfW (in: pszDest=0x3bb8158, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage") returned 41 [0102.016] GetProcessHeap () returned 0x4c0000 [0102.016] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc8160 [0102.017] lstrcpyW (in: lpString1=0x3bc8160, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage" [0102.017] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\*" [0102.017] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0102.017] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0102.017] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0102.017] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0102.017] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0102.017] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0102.017] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0102.017] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0102.017] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0102.017] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0102.017] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0102.017] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0102.017] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0102.018] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0102.018] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0102.018] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Device", cAlternateFileName="")) returned 1 [0102.018] lstrcmpiW (lpString1="Device", lpString2="Windows") returned -1 [0102.018] lstrcmpiW (lpString1="Device", lpString2="Program Files") returned -1 [0102.018] lstrcmpiW (lpString1="Device", lpString2="Program Files (x86)") returned -1 [0102.018] lstrcmpiW (lpString1="Device", lpString2="$Recycle.bin") returned 1 [0102.018] lstrcmpiW (lpString1="Device", lpString2="System Volume Information") returned -1 [0102.018] lstrcmpiW (lpString1="Device", lpString2=".") returned 1 [0102.018] lstrcmpiW (lpString1="Device", lpString2="..") returned 1 [0102.018] wnsprintfW (in: pszDest=0x3bc8160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device") returned 48 [0102.018] GetProcessHeap () returned 0x4c0000 [0102.018] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0102.019] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device" [0102.019] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\*" [0102.019] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4dbf10 [0102.026] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0102.026] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0102.026] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0102.026] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0102.026] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0102.026] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0102.026] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0102.026] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0102.026] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0102.026] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0102.026] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0102.026] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0102.026] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0102.027] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0102.027] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="{113527a4-45d4-4b6f-b567-97838f1b04b0}", cAlternateFileName="{11352~1")) returned 1 [0102.027] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="Windows") returned -1 [0102.027] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="Program Files") returned -1 [0102.027] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="Program Files (x86)") returned -1 [0102.027] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="$Recycle.bin") returned 1 [0102.027] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="System Volume Information") returned -1 [0102.027] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2=".") returned 1 [0102.027] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="..") returned 1 [0102.027] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}") returned 87 [0102.027] GetProcessHeap () returned 0x4c0000 [0102.027] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0102.027] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}" [0102.028] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*" [0102.028] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e29a0 [0102.030] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0102.030] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0102.030] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0102.030] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0102.030] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0102.030] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0102.030] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0102.030] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0102.036] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0102.036] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0102.036] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0102.036] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0102.036] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0102.036] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0102.036] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f07a66f, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f07a66f, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc76b3ce5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1fad1, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="background.png", cAlternateFileName="")) returned 1 [0102.036] lstrcmpiW (lpString1="background.png", lpString2="Windows") returned -1 [0102.036] lstrcmpiW (lpString1="background.png", lpString2="Program Files") returned -1 [0102.036] lstrcmpiW (lpString1="background.png", lpString2="Program Files (x86)") returned -1 [0102.036] lstrcmpiW (lpString1="background.png", lpString2="$Recycle.bin") returned 1 [0102.036] lstrcmpiW (lpString1="background.png", lpString2="System Volume Information") returned -1 [0102.036] lstrcmpiW (lpString1="background.png", lpString2=".") returned 1 [0102.036] lstrcmpiW (lpString1="background.png", lpString2="..") returned 1 [0102.036] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png") returned 102 [0102.036] lstrcmpW (lpString1="background.png", lpString2="PUSSY.TXT") returned -1 [0102.036] PathFindExtensionW (pszPath="background.png") returned=".png" [0102.037] lstrlenW (lpString=".png") returned 4 [0102.037] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0102.037] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0102.037] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7c5b0d9, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0xc7c5b0d9, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0xc7c5b0d9, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xb61, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="behavior.xml", cAlternateFileName="")) returned 1 [0102.037] lstrcmpiW (lpString1="behavior.xml", lpString2="Windows") returned -1 [0102.037] lstrcmpiW (lpString1="behavior.xml", lpString2="Program Files") returned -1 [0102.037] lstrcmpiW (lpString1="behavior.xml", lpString2="Program Files (x86)") returned -1 [0102.037] lstrcmpiW (lpString1="behavior.xml", lpString2="$Recycle.bin") returned 1 [0102.037] lstrcmpiW (lpString1="behavior.xml", lpString2="System Volume Information") returned -1 [0102.037] lstrcmpiW (lpString1="behavior.xml", lpString2=".") returned 1 [0102.037] lstrcmpiW (lpString1="behavior.xml", lpString2="..") returned 1 [0102.037] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml") returned 100 [0102.037] lstrcmpW (lpString1="behavior.xml", lpString2="PUSSY.TXT") returned -1 [0102.037] PathFindExtensionW (pszPath="behavior.xml") returned=".xml" [0102.037] lstrlenW (lpString=".xml") returned 4 [0102.037] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0102.037] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0102.038] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f07a66f, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f07a66f, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc76b3ce5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xadc8, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="device.png", cAlternateFileName="")) returned 1 [0102.038] lstrcmpiW (lpString1="device.png", lpString2="Windows") returned -1 [0102.038] lstrcmpiW (lpString1="device.png", lpString2="Program Files") returned -1 [0102.038] lstrcmpiW (lpString1="device.png", lpString2="Program Files (x86)") returned -1 [0102.038] lstrcmpiW (lpString1="device.png", lpString2="$Recycle.bin") returned 1 [0102.038] lstrcmpiW (lpString1="device.png", lpString2="System Volume Information") returned -1 [0102.038] lstrcmpiW (lpString1="device.png", lpString2=".") returned 1 [0102.038] lstrcmpiW (lpString1="device.png", lpString2="..") returned 1 [0102.038] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png") returned 98 [0102.038] lstrcmpW (lpString1="device.png", lpString2="PUSSY.TXT") returned -1 [0102.039] PathFindExtensionW (pszPath="device.png") returned=".png" [0102.039] lstrlenW (lpString=".png") returned 4 [0102.039] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0102.039] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0102.039] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f0a07cc, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f0a07cc, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc76d9e43, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x70c1, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="overlay.png", cAlternateFileName="")) returned 1 [0102.039] lstrcmpiW (lpString1="overlay.png", lpString2="Windows") returned -1 [0102.039] lstrcmpiW (lpString1="overlay.png", lpString2="Program Files") returned -1 [0102.039] lstrcmpiW (lpString1="overlay.png", lpString2="Program Files (x86)") returned -1 [0102.039] lstrcmpiW (lpString1="overlay.png", lpString2="$Recycle.bin") returned 1 [0102.039] lstrcmpiW (lpString1="overlay.png", lpString2="System Volume Information") returned -1 [0102.039] lstrcmpiW (lpString1="overlay.png", lpString2=".") returned 1 [0102.039] lstrcmpiW (lpString1="overlay.png", lpString2="..") returned 1 [0102.039] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png") returned 99 [0102.039] lstrcmpW (lpString1="overlay.png", lpString2="PUSSY.TXT") returned -1 [0102.039] PathFindExtensionW (pszPath="overlay.png") returned=".png" [0102.039] lstrlenW (lpString=".png") returned 4 [0102.039] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0102.039] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0102.039] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f0c6929, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f0c6929, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc76d9e43, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x99d3, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="superbar.png", cAlternateFileName="")) returned 1 [0102.039] lstrcmpiW (lpString1="superbar.png", lpString2="Windows") returned -1 [0102.039] lstrcmpiW (lpString1="superbar.png", lpString2="Program Files") returned 1 [0102.040] lstrcmpiW (lpString1="superbar.png", lpString2="Program Files (x86)") returned 1 [0102.040] lstrcmpiW (lpString1="superbar.png", lpString2="$Recycle.bin") returned 1 [0102.040] lstrcmpiW (lpString1="superbar.png", lpString2="System Volume Information") returned -1 [0102.040] lstrcmpiW (lpString1="superbar.png", lpString2=".") returned 1 [0102.040] lstrcmpiW (lpString1="superbar.png", lpString2="..") returned 1 [0102.040] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png") returned 100 [0102.040] lstrcmpW (lpString1="superbar.png", lpString2="PUSSY.TXT") returned 1 [0102.040] PathFindExtensionW (pszPath="superbar.png") returned=".png" [0102.040] lstrlenW (lpString=".png") returned 4 [0102.040] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0102.040] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0102.041] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f0c6929, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f0c6929, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc76d9e43, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x99d3, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="superbar.png", cAlternateFileName="")) returned 0 [0102.041] FindClose (in: hFindFile=0x4e29a0 | out: hFindFile=0x4e29a0) returned 1 [0102.042] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\PUSSY.TXT") returned 97 [0102.042] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0102.044] lstrlenA (lpString="abcd") returned 4 [0102.044] WriteFile (in: hFile=0x16c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0102.045] CloseHandle (hObject=0x16c) returned 1 [0102.045] GetProcessHeap () returned 0x4c0000 [0102.045] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0102.045] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="{8702d817-5aad-4674-9ef3-4d3decd87120}", cAlternateFileName="{8702D~1")) returned 1 [0102.045] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="Windows") returned -1 [0102.045] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="Program Files") returned -1 [0102.045] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="Program Files (x86)") returned -1 [0102.045] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="$Recycle.bin") returned 1 [0102.045] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="System Volume Information") returned -1 [0102.045] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2=".") returned 1 [0102.045] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="..") returned 1 [0102.045] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}") returned 87 [0102.045] GetProcessHeap () returned 0x4c0000 [0102.045] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0102.045] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}" [0102.045] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*" [0102.045] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e29a0 [0102.046] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0102.046] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0102.046] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0102.046] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0102.046] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0102.046] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0102.046] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0102.046] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0102.046] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0102.046] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0102.046] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0102.046] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0102.046] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0102.046] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0102.046] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c0af2f7, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0x9c0af2f7, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0x9c0af2f7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1fad1, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="background.png", cAlternateFileName="")) returned 1 [0102.046] lstrcmpiW (lpString1="background.png", lpString2="Windows") returned -1 [0102.046] lstrcmpiW (lpString1="background.png", lpString2="Program Files") returned -1 [0102.046] lstrcmpiW (lpString1="background.png", lpString2="Program Files (x86)") returned -1 [0102.046] lstrcmpiW (lpString1="background.png", lpString2="$Recycle.bin") returned 1 [0102.046] lstrcmpiW (lpString1="background.png", lpString2="System Volume Information") returned -1 [0102.046] lstrcmpiW (lpString1="background.png", lpString2=".") returned 1 [0102.047] lstrcmpiW (lpString1="background.png", lpString2="..") returned 1 [0102.047] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png") returned 102 [0102.047] lstrcmpW (lpString1="background.png", lpString2="PUSSY.TXT") returned -1 [0102.047] PathFindExtensionW (pszPath="background.png") returned=".png" [0102.047] lstrlenW (lpString=".png") returned 4 [0102.047] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0102.047] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0102.047] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2feb941, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2feb941, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x9c0d5455, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x769, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="behavior.xml", cAlternateFileName="")) returned 1 [0102.047] lstrcmpiW (lpString1="behavior.xml", lpString2="Windows") returned -1 [0102.047] lstrcmpiW (lpString1="behavior.xml", lpString2="Program Files") returned -1 [0102.047] lstrcmpiW (lpString1="behavior.xml", lpString2="Program Files (x86)") returned -1 [0102.047] lstrcmpiW (lpString1="behavior.xml", lpString2="$Recycle.bin") returned 1 [0102.047] lstrcmpiW (lpString1="behavior.xml", lpString2="System Volume Information") returned -1 [0102.047] lstrcmpiW (lpString1="behavior.xml", lpString2=".") returned 1 [0102.047] lstrcmpiW (lpString1="behavior.xml", lpString2="..") returned 1 [0102.047] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml") returned 100 [0102.047] lstrcmpW (lpString1="behavior.xml", lpString2="PUSSY.TXT") returned -1 [0102.047] PathFindExtensionW (pszPath="behavior.xml") returned=".xml" [0102.047] lstrlenW (lpString=".xml") returned 4 [0102.047] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0102.047] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0102.048] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3011a9e, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd3011a9e, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x9c0d5455, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x70c1, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="watermark.png", cAlternateFileName="")) returned 1 [0102.048] lstrcmpiW (lpString1="watermark.png", lpString2="Windows") returned -1 [0102.048] lstrcmpiW (lpString1="watermark.png", lpString2="Program Files") returned 1 [0102.048] lstrcmpiW (lpString1="watermark.png", lpString2="Program Files (x86)") returned 1 [0102.048] lstrcmpiW (lpString1="watermark.png", lpString2="$Recycle.bin") returned 1 [0102.048] lstrcmpiW (lpString1="watermark.png", lpString2="System Volume Information") returned 1 [0102.048] lstrcmpiW (lpString1="watermark.png", lpString2=".") returned 1 [0102.048] lstrcmpiW (lpString1="watermark.png", lpString2="..") returned 1 [0102.048] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png") returned 101 [0102.048] lstrcmpW (lpString1="watermark.png", lpString2="PUSSY.TXT") returned 1 [0102.048] PathFindExtensionW (pszPath="watermark.png") returned=".png" [0102.048] lstrlenW (lpString=".png") returned 4 [0102.048] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0102.048] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0102.048] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3011a9e, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd3011a9e, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x9c0d5455, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x70c1, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="watermark.png", cAlternateFileName="")) returned 0 [0102.048] FindClose (in: hFindFile=0x4e29a0 | out: hFindFile=0x4e29a0) returned 1 [0102.048] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\PUSSY.TXT") returned 97 [0102.048] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0102.049] lstrlenA (lpString="abcd") returned 4 [0102.049] WriteFile (in: hFile=0x16c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0102.050] CloseHandle (hObject=0x16c) returned 1 [0102.050] GetProcessHeap () returned 0x4c0000 [0102.050] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0102.050] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="{8702d817-5aad-4674-9ef3-4d3decd87120}", cAlternateFileName="{8702D~1")) returned 0 [0102.050] FindClose (in: hFindFile=0x4dbf10 | out: hFindFile=0x4dbf10) returned 1 [0102.050] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\PUSSY.TXT") returned 58 [0102.050] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0102.051] lstrlenA (lpString="abcd") returned 4 [0102.051] WriteFile (in: hFile=0x1a4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0102.052] CloseHandle (hObject=0x1a4) returned 1 [0102.052] GetProcessHeap () returned 0x4c0000 [0102.052] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0102.052] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd98f9f8, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Task", cAlternateFileName="")) returned 1 [0102.052] lstrcmpiW (lpString1="Task", lpString2="Windows") returned -1 [0102.052] lstrcmpiW (lpString1="Task", lpString2="Program Files") returned 1 [0102.052] lstrcmpiW (lpString1="Task", lpString2="Program Files (x86)") returned 1 [0102.052] lstrcmpiW (lpString1="Task", lpString2="$Recycle.bin") returned 1 [0102.052] lstrcmpiW (lpString1="Task", lpString2="System Volume Information") returned 1 [0102.053] lstrcmpiW (lpString1="Task", lpString2=".") returned 1 [0102.053] lstrcmpiW (lpString1="Task", lpString2="..") returned 1 [0102.053] wnsprintfW (in: pszDest=0x3bc8160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task") returned 46 [0102.053] GetProcessHeap () returned 0x4c0000 [0102.053] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0102.053] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task" [0102.053] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\*" [0102.053] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd98f9f8, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4dbf10 [0102.053] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0102.053] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0102.053] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0102.053] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0102.053] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0102.053] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0102.053] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd98f9f8, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0102.054] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0102.054] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0102.054] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0102.054] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0102.054] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0102.054] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0102.054] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0102.054] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", cAlternateFileName="{07DEB~1")) returned 1 [0102.054] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="Windows") returned -1 [0102.054] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="Program Files") returned -1 [0102.054] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="Program Files (x86)") returned -1 [0102.054] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="$Recycle.bin") returned 1 [0102.054] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="System Volume Information") returned -1 [0102.054] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2=".") returned 1 [0102.054] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="..") returned 1 [0102.054] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}") returned 85 [0102.054] GetProcessHeap () returned 0x4c0000 [0102.054] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0102.054] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}" [0102.054] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*" [0102.054] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e29a0 [0102.057] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0102.057] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0102.057] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0102.057] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0102.057] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0102.057] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0102.057] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0102.057] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0102.057] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0102.057] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0102.057] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0102.057] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0102.057] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0102.057] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0102.057] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22f23962, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="en-US", cAlternateFileName="")) returned 1 [0102.057] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0102.057] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0102.057] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0102.057] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0102.057] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0102.057] lstrcmpiW (lpString1="en-US", lpString2=".") returned 1 [0102.058] lstrcmpiW (lpString1="en-US", lpString2="..") returned 1 [0102.058] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US") returned 91 [0102.058] GetProcessHeap () returned 0x4c0000 [0102.058] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bd8168 [0102.059] lstrcpyW (in: lpString1=0x3bd8168, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US" [0102.059] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*" [0102.059] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22f23962, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bb8150, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e29e0 [0102.059] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0102.059] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0102.059] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0102.059] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0102.059] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0102.059] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0102.059] FindNextFileW (in: hFindFile=0x4e29e0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22f23962, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bb8150, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0102.059] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0102.059] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0102.059] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0102.060] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0102.060] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0102.060] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0102.060] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0102.060] FindNextFileW (in: hFindFile=0x4e29e0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x932b6af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x95b44f8, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x932b6af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x536, dwReserved0=0x3bb8150, dwReserved1=0xc0100080, cFileName="resource.xml", cAlternateFileName="")) returned 1 [0102.060] lstrcmpiW (lpString1="resource.xml", lpString2="Windows") returned -1 [0102.060] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files") returned 1 [0102.060] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files (x86)") returned 1 [0102.060] lstrcmpiW (lpString1="resource.xml", lpString2="$Recycle.bin") returned 1 [0102.060] lstrcmpiW (lpString1="resource.xml", lpString2="System Volume Information") returned -1 [0102.060] lstrcmpiW (lpString1="resource.xml", lpString2=".") returned 1 [0102.060] lstrcmpiW (lpString1="resource.xml", lpString2="..") returned 1 [0102.060] wnsprintfW (in: pszDest=0x3bd8168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml") returned 104 [0102.060] lstrcmpW (lpString1="resource.xml", lpString2="PUSSY.TXT") returned 1 [0102.060] PathFindExtensionW (pszPath="resource.xml") returned=".xml" [0102.060] lstrlenW (lpString=".xml") returned 4 [0102.060] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0102.060] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0102.061] FindNextFileW (in: hFindFile=0x4e29e0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x932b6af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x95b44f8, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x932b6af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x536, dwReserved0=0x3bb8150, dwReserved1=0xc0100080, cFileName="resource.xml", cAlternateFileName="")) returned 0 [0102.061] FindClose (in: hFindFile=0x4e29e0 | out: hFindFile=0x4e29e0) returned 1 [0102.061] wnsprintfW (in: pszDest=0x3bd8168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\PUSSY.TXT") returned 101 [0102.061] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0102.062] lstrlenA (lpString="abcd") returned 4 [0102.062] WriteFile (in: hFile=0x194, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0102.063] CloseHandle (hObject=0x194) returned 1 [0102.064] GetProcessHeap () returned 0x4c0000 [0102.064] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bd8168 | out: hHeap=0x4c0000) returned 1 [0102.064] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2c7f9e6, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2c7f9e6, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c0e93d7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xd0a3, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="folder.ico", cAlternateFileName="")) returned 1 [0102.064] lstrcmpiW (lpString1="folder.ico", lpString2="Windows") returned -1 [0102.064] lstrcmpiW (lpString1="folder.ico", lpString2="Program Files") returned -1 [0102.064] lstrcmpiW (lpString1="folder.ico", lpString2="Program Files (x86)") returned -1 [0102.064] lstrcmpiW (lpString1="folder.ico", lpString2="$Recycle.bin") returned 1 [0102.064] lstrcmpiW (lpString1="folder.ico", lpString2="System Volume Information") returned -1 [0102.064] lstrcmpiW (lpString1="folder.ico", lpString2=".") returned 1 [0102.064] lstrcmpiW (lpString1="folder.ico", lpString2="..") returned 1 [0102.064] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico") returned 96 [0102.064] lstrcmpW (lpString1="folder.ico", lpString2="PUSSY.TXT") returned -1 [0102.064] PathFindExtensionW (pszPath="folder.ico") returned=".ico" [0102.064] lstrlenW (lpString=".ico") returned 4 [0102.064] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0102.064] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0102.064] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2db04ce, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2db04ce, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c0e93d7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x72ee, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="netfol.ico", cAlternateFileName="")) returned 1 [0102.065] lstrcmpiW (lpString1="netfol.ico", lpString2="Windows") returned -1 [0102.065] lstrcmpiW (lpString1="netfol.ico", lpString2="Program Files") returned -1 [0102.065] lstrcmpiW (lpString1="netfol.ico", lpString2="Program Files (x86)") returned -1 [0102.065] lstrcmpiW (lpString1="netfol.ico", lpString2="$Recycle.bin") returned 1 [0102.065] lstrcmpiW (lpString1="netfol.ico", lpString2="System Volume Information") returned -1 [0102.065] lstrcmpiW (lpString1="netfol.ico", lpString2=".") returned 1 [0102.065] lstrcmpiW (lpString1="netfol.ico", lpString2="..") returned 1 [0102.065] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico") returned 96 [0102.065] lstrcmpW (lpString1="netfol.ico", lpString2="PUSSY.TXT") returned -1 [0102.065] PathFindExtensionW (pszPath="netfol.ico") returned=".ico" [0102.065] lstrlenW (lpString=".ico") returned 4 [0102.065] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0102.065] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0102.065] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2ca5b43, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2ca5b43, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c10f535, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x14668, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="pictures.ico", cAlternateFileName="")) returned 1 [0102.065] lstrcmpiW (lpString1="pictures.ico", lpString2="Windows") returned -1 [0102.065] lstrcmpiW (lpString1="pictures.ico", lpString2="Program Files") returned -1 [0102.065] lstrcmpiW (lpString1="pictures.ico", lpString2="Program Files (x86)") returned -1 [0102.065] lstrcmpiW (lpString1="pictures.ico", lpString2="$Recycle.bin") returned 1 [0102.065] lstrcmpiW (lpString1="pictures.ico", lpString2="System Volume Information") returned -1 [0102.065] lstrcmpiW (lpString1="pictures.ico", lpString2=".") returned 1 [0102.065] lstrcmpiW (lpString1="pictures.ico", lpString2="..") returned 1 [0102.065] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico") returned 98 [0102.065] lstrcmpW (lpString1="pictures.ico", lpString2="PUSSY.TXT") returned -1 [0102.065] PathFindExtensionW (pszPath="pictures.ico") returned=".ico" [0102.066] lstrlenW (lpString=".ico") returned 4 [0102.066] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0102.066] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0102.066] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2c59889, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2c59889, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c1cdc0b, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x536, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="resource.xml", cAlternateFileName="")) returned 1 [0102.066] lstrcmpiW (lpString1="resource.xml", lpString2="Windows") returned -1 [0102.066] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files") returned 1 [0102.066] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files (x86)") returned 1 [0102.066] lstrcmpiW (lpString1="resource.xml", lpString2="$Recycle.bin") returned 1 [0102.066] lstrcmpiW (lpString1="resource.xml", lpString2="System Volume Information") returned -1 [0102.066] lstrcmpiW (lpString1="resource.xml", lpString2=".") returned 1 [0102.066] lstrcmpiW (lpString1="resource.xml", lpString2="..") returned 1 [0102.066] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml") returned 98 [0102.066] lstrcmpW (lpString1="resource.xml", lpString2="PUSSY.TXT") returned 1 [0102.066] PathFindExtensionW (pszPath="resource.xml") returned=".xml" [0102.066] lstrlenW (lpString=".xml") returned 4 [0102.066] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0102.066] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0102.067] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2cf1dfd, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2cf1dfd, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c1f3d69, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xcaa9, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="ringtones.ico", cAlternateFileName="")) returned 1 [0102.067] lstrcmpiW (lpString1="ringtones.ico", lpString2="Windows") returned -1 [0102.067] lstrcmpiW (lpString1="ringtones.ico", lpString2="Program Files") returned 1 [0102.067] lstrcmpiW (lpString1="ringtones.ico", lpString2="Program Files (x86)") returned 1 [0102.067] lstrcmpiW (lpString1="ringtones.ico", lpString2="$Recycle.bin") returned 1 [0102.067] lstrcmpiW (lpString1="ringtones.ico", lpString2="System Volume Information") returned -1 [0102.067] lstrcmpiW (lpString1="ringtones.ico", lpString2=".") returned 1 [0102.067] lstrcmpiW (lpString1="ringtones.ico", lpString2="..") returned 1 [0102.067] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico") returned 99 [0102.067] lstrcmpW (lpString1="ringtones.ico", lpString2="PUSSY.TXT") returned 1 [0102.067] PathFindExtensionW (pszPath="ringtones.ico") returned=".ico" [0102.067] lstrlenW (lpString=".ico") returned 4 [0102.067] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0102.068] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0102.068] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2d17f5a, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2d17f5a, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c1f3d69, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x10850, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="settings.ico", cAlternateFileName="")) returned 1 [0102.068] lstrcmpiW (lpString1="settings.ico", lpString2="Windows") returned -1 [0102.068] lstrcmpiW (lpString1="settings.ico", lpString2="Program Files") returned 1 [0102.068] lstrcmpiW (lpString1="settings.ico", lpString2="Program Files (x86)") returned 1 [0102.068] lstrcmpiW (lpString1="settings.ico", lpString2="$Recycle.bin") returned 1 [0102.068] lstrcmpiW (lpString1="settings.ico", lpString2="System Volume Information") returned -1 [0102.068] lstrcmpiW (lpString1="settings.ico", lpString2=".") returned 1 [0102.068] lstrcmpiW (lpString1="settings.ico", lpString2="..") returned 1 [0102.068] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico") returned 98 [0102.068] lstrcmpW (lpString1="settings.ico", lpString2="PUSSY.TXT") returned 1 [0102.068] PathFindExtensionW (pszPath="settings.ico") returned=".ico" [0102.068] lstrlenW (lpString=".ico") returned 4 [0102.068] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0102.068] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0102.068] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2d3e0b7, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2d3e0b7, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c219ec7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xc04b, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="sync.ico", cAlternateFileName="")) returned 1 [0102.068] lstrcmpiW (lpString1="sync.ico", lpString2="Windows") returned -1 [0102.068] lstrcmpiW (lpString1="sync.ico", lpString2="Program Files") returned 1 [0102.068] lstrcmpiW (lpString1="sync.ico", lpString2="Program Files (x86)") returned 1 [0102.068] lstrcmpiW (lpString1="sync.ico", lpString2="$Recycle.bin") returned 1 [0102.068] lstrcmpiW (lpString1="sync.ico", lpString2="System Volume Information") returned -1 [0102.069] lstrcmpiW (lpString1="sync.ico", lpString2=".") returned 1 [0102.069] lstrcmpiW (lpString1="sync.ico", lpString2="..") returned 1 [0102.069] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico") returned 94 [0102.069] lstrcmpW (lpString1="sync.ico", lpString2="PUSSY.TXT") returned 1 [0102.069] PathFindExtensionW (pszPath="sync.ico") returned=".ico" [0102.069] lstrlenW (lpString=".ico") returned 4 [0102.069] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0102.069] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0102.069] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c219ec7, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0x7c219ec7, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0x7c219ec7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x3473, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="tasks.xml", cAlternateFileName="")) returned 1 [0102.069] lstrcmpiW (lpString1="tasks.xml", lpString2="Windows") returned -1 [0102.069] lstrcmpiW (lpString1="tasks.xml", lpString2="Program Files") returned 1 [0102.069] lstrcmpiW (lpString1="tasks.xml", lpString2="Program Files (x86)") returned 1 [0102.069] lstrcmpiW (lpString1="tasks.xml", lpString2="$Recycle.bin") returned 1 [0102.069] lstrcmpiW (lpString1="tasks.xml", lpString2="System Volume Information") returned 1 [0102.069] lstrcmpiW (lpString1="tasks.xml", lpString2=".") returned 1 [0102.069] lstrcmpiW (lpString1="tasks.xml", lpString2="..") returned 1 [0102.069] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml") returned 95 [0102.069] lstrcmpW (lpString1="tasks.xml", lpString2="PUSSY.TXT") returned 1 [0102.069] PathFindExtensionW (pszPath="tasks.xml") returned=".xml" [0102.069] lstrlenW (lpString=".xml") returned 4 [0102.069] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0102.069] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0102.070] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2d64214, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2d64214, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c219ec7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1b9f4, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="wmp.ico", cAlternateFileName="")) returned 1 [0102.070] lstrcmpiW (lpString1="wmp.ico", lpString2="Windows") returned 1 [0102.070] lstrcmpiW (lpString1="wmp.ico", lpString2="Program Files") returned 1 [0102.070] lstrcmpiW (lpString1="wmp.ico", lpString2="Program Files (x86)") returned 1 [0102.070] lstrcmpiW (lpString1="wmp.ico", lpString2="$Recycle.bin") returned 1 [0102.070] lstrcmpiW (lpString1="wmp.ico", lpString2="System Volume Information") returned 1 [0102.070] lstrcmpiW (lpString1="wmp.ico", lpString2=".") returned 1 [0102.070] lstrcmpiW (lpString1="wmp.ico", lpString2="..") returned 1 [0102.070] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico") returned 93 [0102.071] lstrcmpW (lpString1="wmp.ico", lpString2="PUSSY.TXT") returned 1 [0102.071] PathFindExtensionW (pszPath="wmp.ico") returned=".ico" [0102.071] lstrlenW (lpString=".ico") returned 4 [0102.071] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0102.071] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0102.071] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2d64214, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2d64214, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c219ec7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1b9f4, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="wmp.ico", cAlternateFileName="")) returned 0 [0102.071] FindClose (in: hFindFile=0x4e29a0 | out: hFindFile=0x4e29a0) returned 1 [0102.071] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\PUSSY.TXT") returned 95 [0102.071] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0102.072] lstrlenA (lpString="abcd") returned 4 [0102.072] WriteFile (in: hFile=0x16c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0102.073] CloseHandle (hObject=0x16c) returned 1 [0102.074] GetProcessHeap () returned 0x4c0000 [0102.074] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0102.074] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", cAlternateFileName="{E35BE~1")) returned 1 [0102.074] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="Windows") returned -1 [0102.074] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="Program Files") returned -1 [0102.074] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="Program Files (x86)") returned -1 [0102.074] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="$Recycle.bin") returned 1 [0102.074] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="System Volume Information") returned -1 [0102.074] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2=".") returned 1 [0102.074] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="..") returned 1 [0102.074] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}") returned 85 [0102.074] GetProcessHeap () returned 0x4c0000 [0102.074] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0102.074] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}" [0102.074] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*" [0102.074] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e29a0 [0102.076] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0102.076] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0102.076] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0102.076] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0102.076] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0102.076] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0102.076] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0102.076] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0102.076] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0102.076] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0102.076] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0102.076] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0102.076] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0102.076] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0102.076] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22f23962, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="en-US", cAlternateFileName="")) returned 1 [0102.076] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0102.076] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0102.076] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0102.077] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0102.077] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0102.077] lstrcmpiW (lpString1="en-US", lpString2=".") returned 1 [0102.077] lstrcmpiW (lpString1="en-US", lpString2="..") returned 1 [0102.077] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US") returned 91 [0102.077] GetProcessHeap () returned 0x4c0000 [0102.077] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bd8168 [0102.077] lstrcpyW (in: lpString1=0x3bd8168, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US" [0102.077] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*" [0102.077] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22f23962, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bb8150, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e29e0 [0102.077] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0102.077] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0102.077] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0102.077] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0102.077] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0102.077] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0102.077] FindNextFileW (in: hFindFile=0x4e29e0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22f23962, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bb8150, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0102.077] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0102.078] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0102.078] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0102.078] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0102.078] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0102.078] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0102.078] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0102.078] FindNextFileW (in: hFindFile=0x4e29e0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2a152a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xb5e9110, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xb2a152a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x5e8, dwReserved0=0x3bb8150, dwReserved1=0xc0100080, cFileName="resource.xml", cAlternateFileName="")) returned 1 [0102.078] lstrcmpiW (lpString1="resource.xml", lpString2="Windows") returned -1 [0102.078] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files") returned 1 [0102.078] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files (x86)") returned 1 [0102.078] lstrcmpiW (lpString1="resource.xml", lpString2="$Recycle.bin") returned 1 [0102.078] lstrcmpiW (lpString1="resource.xml", lpString2="System Volume Information") returned -1 [0102.078] lstrcmpiW (lpString1="resource.xml", lpString2=".") returned 1 [0102.078] lstrcmpiW (lpString1="resource.xml", lpString2="..") returned 1 [0102.078] wnsprintfW (in: pszDest=0x3bd8168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml") returned 104 [0102.078] lstrcmpW (lpString1="resource.xml", lpString2="PUSSY.TXT") returned 1 [0102.078] PathFindExtensionW (pszPath="resource.xml") returned=".xml" [0102.078] lstrlenW (lpString=".xml") returned 4 [0102.078] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0102.078] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0102.079] FindNextFileW (in: hFindFile=0x4e29e0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2a152a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xb5e9110, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xb2a152a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x5e8, dwReserved0=0x3bb8150, dwReserved1=0xc0100080, cFileName="resource.xml", cAlternateFileName="")) returned 0 [0102.079] FindClose (in: hFindFile=0x4e29e0 | out: hFindFile=0x4e29e0) returned 1 [0102.079] wnsprintfW (in: pszDest=0x3bd8168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\PUSSY.TXT") returned 101 [0102.079] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0102.080] lstrlenA (lpString="abcd") returned 4 [0102.080] WriteFile (in: hFile=0x194, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0102.081] CloseHandle (hObject=0x194) returned 1 [0102.081] GetProcessHeap () returned 0x4c0000 [0102.081] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bd8168 | out: hHeap=0x4c0000) returned 1 [0102.081] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f15ee9d, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f15ee9d, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc78a2eab, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xd0a3, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="folder.ico", cAlternateFileName="")) returned 1 [0102.081] lstrcmpiW (lpString1="folder.ico", lpString2="Windows") returned -1 [0102.081] lstrcmpiW (lpString1="folder.ico", lpString2="Program Files") returned -1 [0102.081] lstrcmpiW (lpString1="folder.ico", lpString2="Program Files (x86)") returned -1 [0102.081] lstrcmpiW (lpString1="folder.ico", lpString2="$Recycle.bin") returned 1 [0102.081] lstrcmpiW (lpString1="folder.ico", lpString2="System Volume Information") returned -1 [0102.081] lstrcmpiW (lpString1="folder.ico", lpString2=".") returned 1 [0102.081] lstrcmpiW (lpString1="folder.ico", lpString2="..") returned 1 [0102.081] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico") returned 96 [0102.081] lstrcmpW (lpString1="folder.ico", lpString2="PUSSY.TXT") returned -1 [0102.081] PathFindExtensionW (pszPath="folder.ico") returned=".ico" [0102.081] lstrlenW (lpString=".ico") returned 4 [0102.081] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0102.081] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0102.081] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f0eca86, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f0eca86, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc78c9009, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xe3c8, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="print_pref.ico", cAlternateFileName="")) returned 1 [0102.082] lstrcmpiW (lpString1="print_pref.ico", lpString2="Windows") returned -1 [0102.082] lstrcmpiW (lpString1="print_pref.ico", lpString2="Program Files") returned -1 [0102.082] lstrcmpiW (lpString1="print_pref.ico", lpString2="Program Files (x86)") returned -1 [0102.082] lstrcmpiW (lpString1="print_pref.ico", lpString2="$Recycle.bin") returned 1 [0102.082] lstrcmpiW (lpString1="print_pref.ico", lpString2="System Volume Information") returned -1 [0102.082] lstrcmpiW (lpString1="print_pref.ico", lpString2=".") returned 1 [0102.082] lstrcmpiW (lpString1="print_pref.ico", lpString2="..") returned 1 [0102.082] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico") returned 100 [0102.082] lstrcmpW (lpString1="print_pref.ico", lpString2="PUSSY.TXT") returned -1 [0102.082] PathFindExtensionW (pszPath="print_pref.ico") returned=".ico" [0102.082] lstrlenW (lpString=".ico") returned 4 [0102.082] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0102.082] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0102.082] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f0eca86, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f0eca86, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc78c9009, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xebb8, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="print_property.ico", cAlternateFileName="")) returned 1 [0102.082] lstrcmpiW (lpString1="print_property.ico", lpString2="Windows") returned -1 [0102.082] lstrcmpiW (lpString1="print_property.ico", lpString2="Program Files") returned -1 [0102.082] lstrcmpiW (lpString1="print_property.ico", lpString2="Program Files (x86)") returned -1 [0102.082] lstrcmpiW (lpString1="print_property.ico", lpString2="$Recycle.bin") returned 1 [0102.082] lstrcmpiW (lpString1="print_property.ico", lpString2="System Volume Information") returned -1 [0102.082] lstrcmpiW (lpString1="print_property.ico", lpString2=".") returned 1 [0102.082] lstrcmpiW (lpString1="print_property.ico", lpString2="..") returned 1 [0102.082] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico") returned 104 [0102.082] lstrcmpW (lpString1="print_property.ico", lpString2="PUSSY.TXT") returned -1 [0102.082] PathFindExtensionW (pszPath="print_property.ico") returned=".ico" [0102.082] lstrlenW (lpString=".ico") returned 4 [0102.082] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0102.083] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0102.083] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f112be3, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f112be3, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc7be8cbf, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xdff5, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="print_queue.ico", cAlternateFileName="")) returned 1 [0102.083] lstrcmpiW (lpString1="print_queue.ico", lpString2="Windows") returned -1 [0102.083] lstrcmpiW (lpString1="print_queue.ico", lpString2="Program Files") returned -1 [0102.083] lstrcmpiW (lpString1="print_queue.ico", lpString2="Program Files (x86)") returned -1 [0102.083] lstrcmpiW (lpString1="print_queue.ico", lpString2="$Recycle.bin") returned 1 [0102.083] lstrcmpiW (lpString1="print_queue.ico", lpString2="System Volume Information") returned -1 [0102.083] lstrcmpiW (lpString1="print_queue.ico", lpString2=".") returned 1 [0102.083] lstrcmpiW (lpString1="print_queue.ico", lpString2="..") returned 1 [0102.083] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico") returned 101 [0102.083] lstrcmpW (lpString1="print_queue.ico", lpString2="PUSSY.TXT") returned -1 [0102.083] PathFindExtensionW (pszPath="print_queue.ico") returned=".ico" [0102.083] lstrlenW (lpString=".ico") returned 4 [0102.083] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0102.083] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0102.084] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f138d40, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f138d40, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc7c0ee1d, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xec75, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="scan_.ico", cAlternateFileName="")) returned 1 [0102.084] lstrcmpiW (lpString1="scan_.ico", lpString2="Windows") returned -1 [0102.084] lstrcmpiW (lpString1="scan_.ico", lpString2="Program Files") returned 1 [0102.084] lstrcmpiW (lpString1="scan_.ico", lpString2="Program Files (x86)") returned 1 [0102.084] lstrcmpiW (lpString1="scan_.ico", lpString2="$Recycle.bin") returned 1 [0102.084] lstrcmpiW (lpString1="scan_.ico", lpString2="System Volume Information") returned -1 [0102.084] lstrcmpiW (lpString1="scan_.ico", lpString2=".") returned 1 [0102.084] lstrcmpiW (lpString1="scan_.ico", lpString2="..") returned 1 [0102.084] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico") returned 95 [0102.084] lstrcmpW (lpString1="scan_.ico", lpString2="PUSSY.TXT") returned 1 [0102.084] PathFindExtensionW (pszPath="scan_.ico") returned=".ico" [0102.084] lstrlenW (lpString=".ico") returned 4 [0102.084] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0102.085] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0102.085] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f15ee9d, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f15ee9d, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc7c0ee1d, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x10654, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="scan_property.ico", cAlternateFileName="")) returned 1 [0102.085] lstrcmpiW (lpString1="scan_property.ico", lpString2="Windows") returned -1 [0102.085] lstrcmpiW (lpString1="scan_property.ico", lpString2="Program Files") returned 1 [0102.085] lstrcmpiW (lpString1="scan_property.ico", lpString2="Program Files (x86)") returned 1 [0102.085] lstrcmpiW (lpString1="scan_property.ico", lpString2="$Recycle.bin") returned 1 [0102.085] lstrcmpiW (lpString1="scan_property.ico", lpString2="System Volume Information") returned -1 [0102.085] lstrcmpiW (lpString1="scan_property.ico", lpString2=".") returned 1 [0102.085] lstrcmpiW (lpString1="scan_property.ico", lpString2="..") returned 1 [0102.085] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico") returned 103 [0102.085] lstrcmpW (lpString1="scan_property.ico", lpString2="PUSSY.TXT") returned 1 [0102.085] PathFindExtensionW (pszPath="scan_property.ico") returned=".ico" [0102.085] lstrlenW (lpString=".ico") returned 4 [0102.085] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0102.085] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0102.085] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f138d40, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f138d40, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc7c34f7b, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xf8c2, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="scan_settings.ico", cAlternateFileName="")) returned 1 [0102.085] lstrcmpiW (lpString1="scan_settings.ico", lpString2="Windows") returned -1 [0102.085] lstrcmpiW (lpString1="scan_settings.ico", lpString2="Program Files") returned 1 [0102.085] lstrcmpiW (lpString1="scan_settings.ico", lpString2="Program Files (x86)") returned 1 [0102.085] lstrcmpiW (lpString1="scan_settings.ico", lpString2="$Recycle.bin") returned 1 [0102.085] lstrcmpiW (lpString1="scan_settings.ico", lpString2="System Volume Information") returned -1 [0102.085] lstrcmpiW (lpString1="scan_settings.ico", lpString2=".") returned 1 [0102.086] lstrcmpiW (lpString1="scan_settings.ico", lpString2="..") returned 1 [0102.086] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico") returned 103 [0102.086] lstrcmpW (lpString1="scan_settings.ico", lpString2="PUSSY.TXT") returned 1 [0102.086] PathFindExtensionW (pszPath="scan_settings.ico") returned=".ico" [0102.086] lstrlenW (lpString=".ico") returned 4 [0102.086] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0102.086] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0102.086] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f054512, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f054512, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc7d3f90d, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x2c64, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="tasks.xml", cAlternateFileName="")) returned 1 [0102.086] lstrcmpiW (lpString1="tasks.xml", lpString2="Windows") returned -1 [0102.086] lstrcmpiW (lpString1="tasks.xml", lpString2="Program Files") returned 1 [0102.086] lstrcmpiW (lpString1="tasks.xml", lpString2="Program Files (x86)") returned 1 [0102.086] lstrcmpiW (lpString1="tasks.xml", lpString2="$Recycle.bin") returned 1 [0102.086] lstrcmpiW (lpString1="tasks.xml", lpString2="System Volume Information") returned 1 [0102.086] lstrcmpiW (lpString1="tasks.xml", lpString2=".") returned 1 [0102.086] lstrcmpiW (lpString1="tasks.xml", lpString2="..") returned 1 [0102.086] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml") returned 95 [0102.086] lstrcmpW (lpString1="tasks.xml", lpString2="PUSSY.TXT") returned 1 [0102.086] PathFindExtensionW (pszPath="tasks.xml") returned=".xml" [0102.086] lstrlenW (lpString=".xml") returned 4 [0102.086] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0102.086] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0102.086] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f054512, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f054512, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc7d3f90d, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x2c64, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="tasks.xml", cAlternateFileName="")) returned 0 [0102.087] FindClose (in: hFindFile=0x4e29a0 | out: hFindFile=0x4e29a0) returned 1 [0102.087] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\PUSSY.TXT") returned 95 [0102.087] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0102.087] lstrlenA (lpString="abcd") returned 4 [0102.087] WriteFile (in: hFile=0x16c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0102.088] CloseHandle (hObject=0x16c) returned 1 [0102.088] GetProcessHeap () returned 0x4c0000 [0102.088] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0102.088] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", cAlternateFileName="{E35BE~1")) returned 0 [0102.088] FindClose (in: hFindFile=0x4dbf10 | out: hFindFile=0x4dbf10) returned 1 [0102.089] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\PUSSY.TXT") returned 56 [0102.089] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0102.089] lstrlenA (lpString="abcd") returned 4 [0102.089] WriteFile (in: hFile=0x1a4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0102.090] CloseHandle (hObject=0x1a4) returned 1 [0102.090] GetProcessHeap () returned 0x4c0000 [0102.090] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0102.090] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd98f9f8, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Task", cAlternateFileName="")) returned 0 [0102.090] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0102.090] wnsprintfW (in: pszDest=0x3bc8160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\PUSSY.TXT") returned 51 [0102.091] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\device stage\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0102.092] lstrlenA (lpString="abcd") returned 4 [0102.092] WriteFile (in: hFile=0x19c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0102.093] CloseHandle (hObject=0x19c) returned 1 [0102.093] GetProcessHeap () returned 0x4c0000 [0102.093] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc8160 | out: hHeap=0x4c0000) returned 1 [0102.093] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd789d88f, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="DeviceSync", cAlternateFileName="DEVICE~2")) returned 1 [0102.093] lstrcmpiW (lpString1="DeviceSync", lpString2="Windows") returned -1 [0102.093] lstrcmpiW (lpString1="DeviceSync", lpString2="Program Files") returned -1 [0102.093] lstrcmpiW (lpString1="DeviceSync", lpString2="Program Files (x86)") returned -1 [0102.093] lstrcmpiW (lpString1="DeviceSync", lpString2="$Recycle.bin") returned 1 [0102.093] lstrcmpiW (lpString1="DeviceSync", lpString2="System Volume Information") returned -1 [0102.093] lstrcmpiW (lpString1="DeviceSync", lpString2=".") returned 1 [0102.093] lstrcmpiW (lpString1="DeviceSync", lpString2="..") returned 1 [0102.093] wnsprintfW (in: pszDest=0x3bb8158, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync") returned 39 [0102.093] GetProcessHeap () returned 0x4c0000 [0102.093] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0102.093] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync") returned="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync" [0102.093] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\*" [0102.093] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd789d88f, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0102.094] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0102.094] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0102.094] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0102.094] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0102.094] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0102.094] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0102.094] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd789d88f, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0102.095] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0102.095] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0102.095] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0102.095] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0102.095] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0102.095] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0102.095] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0102.095] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd789d88f, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 0 [0102.095] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0102.095] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\PUSSY.TXT") returned 49 [0102.095] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\devicesync\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0102.095] lstrlenA (lpString="abcd") returned 4 [0102.096] WriteFile (in: hFile=0x19c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0102.097] CloseHandle (hObject=0x19c) returned 1 [0102.097] GetProcessHeap () returned 0x4c0000 [0102.097] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0102.097] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd98f9f8, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="DRM", cAlternateFileName="")) returned 1 [0102.097] lstrcmpiW (lpString1="DRM", lpString2="Windows") returned -1 [0102.097] lstrcmpiW (lpString1="DRM", lpString2="Program Files") returned -1 [0102.097] lstrcmpiW (lpString1="DRM", lpString2="Program Files (x86)") returned -1 [0102.097] lstrcmpiW (lpString1="DRM", lpString2="$Recycle.bin") returned 1 [0102.097] lstrcmpiW (lpString1="DRM", lpString2="System Volume Information") returned -1 [0102.097] lstrcmpiW (lpString1="DRM", lpString2=".") returned 1 [0102.097] lstrcmpiW (lpString1="DRM", lpString2="..") returned 1 [0102.097] wnsprintfW (in: pszDest=0x3bb8158, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM") returned 32 [0102.097] GetProcessHeap () returned 0x4c0000 [0102.097] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0102.097] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\DRM" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DRM") returned="\\\\?\\C:\\ProgramData\\Microsoft\\DRM" [0102.097] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DRM", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\*" [0102.097] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd98f9f8, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0102.098] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0102.098] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0102.098] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0102.098] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0102.098] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0102.098] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0102.098] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd98f9f8, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0102.098] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0102.098] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0102.098] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0102.098] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0102.098] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0102.098] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0102.098] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0102.098] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xba6f6d7d, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Server", cAlternateFileName="")) returned 1 [0102.098] lstrcmpiW (lpString1="Server", lpString2="Windows") returned -1 [0102.098] lstrcmpiW (lpString1="Server", lpString2="Program Files") returned 1 [0102.098] lstrcmpiW (lpString1="Server", lpString2="Program Files (x86)") returned 1 [0102.098] lstrcmpiW (lpString1="Server", lpString2="$Recycle.bin") returned 1 [0102.098] lstrcmpiW (lpString1="Server", lpString2="System Volume Information") returned -1 [0102.098] lstrcmpiW (lpString1="Server", lpString2=".") returned 1 [0102.098] lstrcmpiW (lpString1="Server", lpString2="..") returned 1 [0102.098] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server") returned 39 [0102.099] GetProcessHeap () returned 0x4c0000 [0102.099] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0102.099] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server") returned="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server" [0102.099] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\*" [0102.099] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xba6f6d7d, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4dbf10 [0102.099] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0102.099] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0102.099] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0102.099] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0102.099] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0102.099] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0102.099] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xba6f6d7d, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0102.099] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0102.099] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0102.099] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0102.099] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0102.100] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0102.100] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0102.100] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0102.100] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xba6f6d7d, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 0 [0102.100] FindClose (in: hFindFile=0x4dbf10 | out: hFindFile=0x4dbf10) returned 1 [0102.100] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\PUSSY.TXT") returned 49 [0102.100] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\drm\\server\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0102.100] lstrlenA (lpString="abcd") returned 4 [0102.100] WriteFile (in: hFile=0x1a4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0102.101] CloseHandle (hObject=0x1a4) returned 1 [0102.101] GetProcessHeap () returned 0x4c0000 [0102.102] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0102.102] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xba6f6d7d, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Server", cAlternateFileName="")) returned 0 [0102.102] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0102.102] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\PUSSY.TXT") returned 42 [0102.102] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\drm\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0102.103] lstrlenA (lpString="abcd") returned 4 [0102.103] WriteFile (in: hFile=0x19c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0102.104] CloseHandle (hObject=0x19c) returned 1 [0102.104] GetProcessHeap () returned 0x4c0000 [0102.104] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0102.105] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="eHome", cAlternateFileName="")) returned 1 [0102.105] lstrcmpiW (lpString1="eHome", lpString2="Windows") returned -1 [0102.105] lstrcmpiW (lpString1="eHome", lpString2="Program Files") returned -1 [0102.105] lstrcmpiW (lpString1="eHome", lpString2="Program Files (x86)") returned -1 [0102.105] lstrcmpiW (lpString1="eHome", lpString2="$Recycle.bin") returned 1 [0102.105] lstrcmpiW (lpString1="eHome", lpString2="System Volume Information") returned -1 [0102.105] lstrcmpiW (lpString1="eHome", lpString2=".") returned 1 [0102.105] lstrcmpiW (lpString1="eHome", lpString2="..") returned 1 [0102.105] wnsprintfW (in: pszDest=0x3bb8158, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\eHome") returned 34 [0102.105] GetProcessHeap () returned 0x4c0000 [0102.105] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0102.105] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\eHome" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\eHome") returned="\\\\?\\C:\\ProgramData\\Microsoft\\eHome" [0102.105] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\eHome", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\*" [0102.105] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0102.105] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0102.105] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0102.105] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0102.106] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0102.106] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0102.106] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0102.106] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0102.106] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0102.106] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0102.106] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0102.106] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0102.106] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0102.106] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0102.106] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0102.106] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="logs", cAlternateFileName="")) returned 1 [0102.106] lstrcmpiW (lpString1="logs", lpString2="Windows") returned -1 [0102.106] lstrcmpiW (lpString1="logs", lpString2="Program Files") returned -1 [0102.106] lstrcmpiW (lpString1="logs", lpString2="Program Files (x86)") returned -1 [0102.106] lstrcmpiW (lpString1="logs", lpString2="$Recycle.bin") returned 1 [0102.106] lstrcmpiW (lpString1="logs", lpString2="System Volume Information") returned -1 [0102.106] lstrcmpiW (lpString1="logs", lpString2=".") returned 1 [0102.106] lstrcmpiW (lpString1="logs", lpString2="..") returned 1 [0102.106] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs") returned 39 [0102.106] GetProcessHeap () returned 0x4c0000 [0102.106] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0102.106] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs") returned="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs" [0102.106] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs\\*" [0102.106] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4dbf10 [0102.107] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0102.107] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0102.107] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0102.107] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0102.107] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0102.107] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0102.107] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0102.107] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0102.107] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0102.107] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0102.107] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0102.107] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0102.107] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0102.107] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0102.107] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 0 [0102.107] FindClose (in: hFindFile=0x4dbf10 | out: hFindFile=0x4dbf10) returned 1 [0102.108] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs\\PUSSY.TXT") returned 49 [0102.108] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\ehome\\logs\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0102.108] lstrlenA (lpString="abcd") returned 4 [0102.108] WriteFile (in: hFile=0x1a4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0102.109] CloseHandle (hObject=0x1a4) returned 1 [0102.109] GetProcessHeap () returned 0x4c0000 [0102.109] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0102.109] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="logs", cAlternateFileName="")) returned 0 [0102.109] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0102.110] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\PUSSY.TXT") returned 44 [0102.110] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\ehome\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0102.110] lstrlenA (lpString="abcd") returned 4 [0102.110] WriteFile (in: hFile=0x19c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0102.111] CloseHandle (hObject=0x19c) returned 1 [0102.111] GetProcessHeap () returned 0x4c0000 [0102.111] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0102.111] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3a6c7630, ftLastAccessTime.dwHighDateTime=0x1d3aaba, ftLastWriteTime.dwLowDateTime=0x3a6c7630, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="Event Viewer", cAlternateFileName="EVENTV~1")) returned 1 [0102.112] lstrcmpiW (lpString1="Event Viewer", lpString2="Windows") returned -1 [0102.112] lstrcmpiW (lpString1="Event Viewer", lpString2="Program Files") returned -1 [0102.112] lstrcmpiW (lpString1="Event Viewer", lpString2="Program Files (x86)") returned -1 [0102.112] lstrcmpiW (lpString1="Event Viewer", lpString2="$Recycle.bin") returned 1 [0102.112] lstrcmpiW (lpString1="Event Viewer", lpString2="System Volume Information") returned -1 [0102.112] lstrcmpiW (lpString1="Event Viewer", lpString2=".") returned 1 [0102.112] lstrcmpiW (lpString1="Event Viewer", lpString2="..") returned 1 [0102.112] wnsprintfW (in: pszDest=0x3bb8158, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer") returned 41 [0102.112] GetProcessHeap () returned 0x4c0000 [0102.112] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0102.112] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer" [0102.112] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\*" [0102.112] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3a6c7630, ftLastAccessTime.dwHighDateTime=0x1d3aaba, ftLastWriteTime.dwLowDateTime=0x3a6c7630, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0102.113] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0102.113] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0102.113] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0102.113] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0102.113] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0102.113] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0102.113] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3a6c7630, ftLastAccessTime.dwHighDateTime=0x1d3aaba, ftLastWriteTime.dwLowDateTime=0x3a6c7630, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0102.113] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0102.113] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0102.114] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0102.114] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0102.114] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0102.114] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0102.114] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0102.114] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Views", cAlternateFileName="")) returned 1 [0102.114] lstrcmpiW (lpString1="Views", lpString2="Windows") returned -1 [0102.114] lstrcmpiW (lpString1="Views", lpString2="Program Files") returned 1 [0102.114] lstrcmpiW (lpString1="Views", lpString2="Program Files (x86)") returned 1 [0102.114] lstrcmpiW (lpString1="Views", lpString2="$Recycle.bin") returned 1 [0102.114] lstrcmpiW (lpString1="Views", lpString2="System Volume Information") returned 1 [0102.114] lstrcmpiW (lpString1="Views", lpString2=".") returned 1 [0102.114] lstrcmpiW (lpString1="Views", lpString2="..") returned 1 [0102.114] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views") returned 47 [0102.114] GetProcessHeap () returned 0x4c0000 [0102.114] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0102.114] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views" [0102.114] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\*" [0102.114] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4dbf10 [0102.115] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0102.115] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0102.115] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0102.115] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0102.115] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0102.115] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0102.115] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0102.115] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0102.115] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0102.115] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0102.115] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0102.115] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0102.115] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0102.115] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0102.115] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="ApplicationViewsRootNode", cAlternateFileName="APPLIC~1")) returned 1 [0102.115] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="Windows") returned -1 [0102.115] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="Program Files") returned -1 [0102.115] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="Program Files (x86)") returned -1 [0102.116] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="$Recycle.bin") returned 1 [0102.116] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="System Volume Information") returned -1 [0102.116] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2=".") returned 1 [0102.116] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="..") returned 1 [0102.116] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode") returned 72 [0102.116] GetProcessHeap () returned 0x4c0000 [0102.116] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc8160 [0102.116] lstrcpyW (in: lpString1=0x3bc8160, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode" [0102.116] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\*" [0102.116] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e29a0 [0102.116] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0102.116] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0102.116] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0102.116] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0102.116] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0102.116] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0102.116] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0102.116] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0102.116] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0102.116] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0102.117] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0102.117] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0102.117] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0102.117] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0102.117] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 0 [0102.117] FindClose (in: hFindFile=0x4e29a0 | out: hFindFile=0x4e29a0) returned 1 [0102.117] wnsprintfW (in: pszDest=0x3bc8160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\PUSSY.TXT") returned 82 [0102.117] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\event viewer\\views\\applicationviewsrootnode\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0102.118] lstrlenA (lpString="abcd") returned 4 [0102.118] WriteFile (in: hFile=0x16c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0102.119] CloseHandle (hObject=0x16c) returned 1 [0102.119] GetProcessHeap () returned 0x4c0000 [0102.119] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc8160 | out: hHeap=0x4c0000) returned 1 [0102.119] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="ApplicationViewsRootNode", cAlternateFileName="APPLIC~1")) returned 0 [0102.120] FindClose (in: hFindFile=0x4dbf10 | out: hFindFile=0x4dbf10) returned 1 [0102.120] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\PUSSY.TXT") returned 57 [0102.120] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\event viewer\\views\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0102.120] lstrlenA (lpString="abcd") returned 4 [0102.120] WriteFile (in: hFile=0x1a4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0102.121] CloseHandle (hObject=0x1a4) returned 1 [0102.121] GetProcessHeap () returned 0x4c0000 [0102.121] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0102.121] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Views", cAlternateFileName="")) returned 0 [0102.122] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0102.122] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\PUSSY.TXT") returned 51 [0102.122] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\event viewer\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0102.132] lstrlenA (lpString="abcd") returned 4 [0102.132] WriteFile (in: hFile=0x19c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0102.134] CloseHandle (hObject=0x19c) returned 1 [0102.134] GetProcessHeap () returned 0x4c0000 [0102.134] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0102.134] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="IdentityCRL", cAlternateFileName="IDENTI~1")) returned 1 [0102.134] lstrcmpiW (lpString1="IdentityCRL", lpString2="Windows") returned -1 [0102.134] lstrcmpiW (lpString1="IdentityCRL", lpString2="Program Files") returned -1 [0102.134] lstrcmpiW (lpString1="IdentityCRL", lpString2="Program Files (x86)") returned -1 [0102.134] lstrcmpiW (lpString1="IdentityCRL", lpString2="$Recycle.bin") returned 1 [0102.134] lstrcmpiW (lpString1="IdentityCRL", lpString2="System Volume Information") returned -1 [0102.134] lstrcmpiW (lpString1="IdentityCRL", lpString2=".") returned 1 [0102.134] lstrcmpiW (lpString1="IdentityCRL", lpString2="..") returned 1 [0102.134] wnsprintfW (in: pszDest=0x3bb8158, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL") returned 40 [0102.134] GetProcessHeap () returned 0x4c0000 [0102.134] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0102.134] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL" [0102.134] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*" [0102.134] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0102.135] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0102.135] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0102.135] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0102.135] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0102.135] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0102.135] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0102.135] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0102.135] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0102.135] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0102.135] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0102.135] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0102.135] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0102.135] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0102.135] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0102.135] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd591378b, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xd591378b, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x6ac29de1, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x3d00, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="ppcrlconfig.dll", cAlternateFileName="PPCRLC~1.DLL")) returned 1 [0102.135] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="Windows") returned -1 [0102.135] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="Program Files") returned -1 [0102.135] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="Program Files (x86)") returned -1 [0102.135] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="$Recycle.bin") returned 1 [0102.136] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="System Volume Information") returned -1 [0102.136] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2=".") returned 1 [0102.136] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="..") returned 1 [0102.136] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll") returned 56 [0102.136] lstrcmpW (lpString1="ppcrlconfig.dll", lpString2="PUSSY.TXT") returned -1 [0102.136] PathFindExtensionW (pszPath="ppcrlconfig.dll") returned=".dll" [0102.136] lstrlenW (lpString=".dll") returned 4 [0102.136] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0102.136] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll" (normalized: "c:\\programdata\\microsoft\\identitycrl\\ppcrlconfig.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a4 [0102.136] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=15616) returned 1 [0102.136] GetProcessHeap () returned 0x4c0000 [0102.136] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc8160 [0102.149] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="11") returned 2 [0102.149] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="34") returned 2 [0102.149] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="E4") returned 2 [0102.149] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="FF") returned 2 [0102.149] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="E9") returned 2 [0102.149] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="9D") returned 2 [0102.149] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="F5") returned 2 [0102.149] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="C7") returned 2 [0102.149] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="D2") returned 2 [0102.149] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="8C") returned 2 [0102.149] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="71") returned 2 [0102.149] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="4A") returned 2 [0102.150] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="4A") returned 2 [0102.150] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="9C") returned 2 [0102.150] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="62") returned 2 [0102.150] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="57") returned 2 [0102.150] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="EF") returned 2 [0102.150] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="6E") returned 2 [0102.150] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="38") returned 2 [0102.150] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="77") returned 2 [0102.150] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="18") returned 2 [0102.150] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="5F") returned 2 [0102.150] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="00") returned 2 [0102.150] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="4F") returned 2 [0102.150] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="8B") returned 2 [0102.150] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="00") returned 2 [0102.150] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="79") returned 2 [0102.150] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="A1") returned 2 [0102.150] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="48") returned 2 [0102.150] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="DF") returned 2 [0102.150] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="C6") returned 2 [0102.150] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="0E") returned 2 [0102.162] lstrcpyW (in: lpString1=0x3bd8194, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll" [0102.162] lstrcpyW (in: lpString1=0x3bc8194, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll" [0102.163] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll", lpString2=".1134E4FFE99DF5C7D28C714A4A9C6257EF6E3877185F004F8B0079A148DFC60E" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll.1134E4FFE99DF5C7D28C714A4A9C6257EF6E3877185F004F8B0079A148DFC60E") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll.1134E4FFE99DF5C7D28C714A4A9C6257EF6E3877185F004F8B0079A148DFC60E" [0102.163] CreateIoCompletionPort (FileHandle=0x1a4, ExistingCompletionPort=0x94, CompletionKey=0x3bc8160, NumberOfConcurrentThreads=0x0) returned 0x94 [0102.163] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc8160, lpOverlapped=0x3bc8160) returned 1 [0102.163] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd582ef5d, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xd582ef5d, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x6ac4ff3f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x3e108, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="ppcrlui.dll", cAlternateFileName="")) returned 1 [0102.163] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="Windows") returned -1 [0102.163] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="Program Files") returned -1 [0102.163] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="Program Files (x86)") returned -1 [0102.163] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="$Recycle.bin") returned 1 [0102.184] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="System Volume Information") returned -1 [0102.185] lstrcmpiW (lpString1="ppcrlui.dll", lpString2=".") returned 1 [0102.185] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="..") returned 1 [0102.185] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll") returned 52 [0102.185] lstrcmpW (lpString1="ppcrlui.dll", lpString2="PUSSY.TXT") returned -1 [0102.185] PathFindExtensionW (pszPath="ppcrlui.dll") returned=".dll" [0102.185] lstrlenW (lpString=".dll") returned 4 [0102.185] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0102.186] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll" (normalized: "c:\\programdata\\microsoft\\identitycrl\\ppcrlui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0102.187] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=254216) returned 1 [0102.187] GetProcessHeap () returned 0x4c0000 [0102.187] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b380a0 [0102.203] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="16") returned 2 [0102.203] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="65") returned 2 [0102.203] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="77") returned 2 [0102.203] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="61") returned 2 [0102.203] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="12") returned 2 [0102.203] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="40") returned 2 [0102.203] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="8A") returned 2 [0102.203] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="00") returned 2 [0102.203] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="AC") returned 2 [0102.203] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="11") returned 2 [0102.203] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="87") returned 2 [0102.203] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="AF") returned 2 [0102.203] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="E4") returned 2 [0102.203] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="6B") returned 2 [0102.203] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="6E") returned 2 [0102.203] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="BD") returned 2 [0102.203] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="C8") returned 2 [0102.204] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="FD") returned 2 [0102.204] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="7F") returned 2 [0102.204] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="DB") returned 2 [0102.204] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="3E") returned 2 [0102.204] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="22") returned 2 [0102.204] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="2A") returned 2 [0102.204] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="98") returned 2 [0102.204] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="B0") returned 2 [0102.204] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="40") returned 2 [0102.204] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="2A") returned 2 [0102.204] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="6E") returned 2 [0102.204] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="A7") returned 2 [0102.204] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="6A") returned 2 [0102.204] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="CE") returned 2 [0102.204] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="51") returned 2 [0102.215] lstrcpyW (in: lpString1=0x3b480d4, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll" [0102.215] lstrcpyW (in: lpString1=0x3b380d4, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll" [0102.215] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll", lpString2=".1665776112408A00AC1187AFE46B6EBDC8FD7FDB3E222A98B0402A6EA76ACE51" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll.1665776112408A00AC1187AFE46B6EBDC8FD7FDB3E222A98B0402A6EA76ACE51") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll.1665776112408A00AC1187AFE46B6EBDC8FD7FDB3E222A98B0402A6EA76ACE51" [0102.215] CreateIoCompletionPort (FileHandle=0x16c, ExistingCompletionPort=0x94, CompletionKey=0x3b380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0102.216] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b380a0, lpOverlapped=0x3b380a0) returned 1 [0102.217] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd582ef5d, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xd582ef5d, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x6ac4ff3f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x3e108, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="ppcrlui.dll", cAlternateFileName="")) returned 0 [0102.217] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0102.217] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\PUSSY.TXT") returned 50 [0102.217] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\identitycrl\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0102.263] lstrlenA (lpString="abcd") returned 4 [0102.263] WriteFile (in: hFile=0x19c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0102.264] CloseHandle (hObject=0x19c) returned 1 [0102.264] GetProcessHeap () returned 0x4c0000 [0102.264] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0102.264] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ee349fc, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3ee349fc, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3ee349fc, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="Media Player", cAlternateFileName="MEDIAP~1")) returned 1 [0102.264] lstrcmpiW (lpString1="Media Player", lpString2="Windows") returned -1 [0102.264] lstrcmpiW (lpString1="Media Player", lpString2="Program Files") returned -1 [0102.264] lstrcmpiW (lpString1="Media Player", lpString2="Program Files (x86)") returned -1 [0102.264] lstrcmpiW (lpString1="Media Player", lpString2="$Recycle.bin") returned 1 [0102.264] lstrcmpiW (lpString1="Media Player", lpString2="System Volume Information") returned -1 [0102.264] lstrcmpiW (lpString1="Media Player", lpString2=".") returned 1 [0102.264] lstrcmpiW (lpString1="Media Player", lpString2="..") returned 1 [0102.264] wnsprintfW (in: pszDest=0x3bb8158, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player") returned 41 [0102.264] GetProcessHeap () returned 0x4c0000 [0102.264] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0102.264] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player" [0102.265] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player\\*" [0102.265] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ee349fc, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3ee349fc, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3ee349fc, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0102.265] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0102.265] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0102.265] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0102.265] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0102.265] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0102.265] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0102.265] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ee349fc, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3ee349fc, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3ee349fc, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0102.265] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0102.265] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0102.265] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0102.265] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0102.266] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0102.266] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0102.266] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0102.266] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ee349fc, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3ee349fc, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3ee349fc, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 0 [0102.266] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0102.266] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player\\PUSSY.TXT") returned 51 [0102.266] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\media player\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0102.266] lstrlenA (lpString="abcd") returned 4 [0102.266] WriteFile (in: hFile=0x19c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0102.268] CloseHandle (hObject=0x19c) returned 1 [0102.268] GetProcessHeap () returned 0x4c0000 [0102.268] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0102.268] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80340916, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="MF", cAlternateFileName="")) returned 1 [0102.268] lstrcmpiW (lpString1="MF", lpString2="Windows") returned -1 [0102.268] lstrcmpiW (lpString1="MF", lpString2="Program Files") returned -1 [0102.268] lstrcmpiW (lpString1="MF", lpString2="Program Files (x86)") returned -1 [0102.268] lstrcmpiW (lpString1="MF", lpString2="$Recycle.bin") returned 1 [0102.268] lstrcmpiW (lpString1="MF", lpString2="System Volume Information") returned -1 [0102.268] lstrcmpiW (lpString1="MF", lpString2=".") returned 1 [0102.268] lstrcmpiW (lpString1="MF", lpString2="..") returned 1 [0102.268] wnsprintfW (in: pszDest=0x3bb8158, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF") returned 31 [0102.268] GetProcessHeap () returned 0x4c0000 [0102.268] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0102.269] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\MF" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MF" [0102.269] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*" [0102.269] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80340916, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0102.269] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0102.269] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0102.269] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0102.269] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0102.269] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0102.269] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0102.269] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80340916, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0102.269] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0102.269] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0102.269] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0102.269] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0102.269] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0102.270] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0102.270] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0102.270] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7beaaeb8, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7beaaeb8, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Active.GRL", cAlternateFileName="")) returned 1 [0102.270] lstrcmpiW (lpString1="Active.GRL", lpString2="Windows") returned -1 [0102.270] lstrcmpiW (lpString1="Active.GRL", lpString2="Program Files") returned -1 [0102.270] lstrcmpiW (lpString1="Active.GRL", lpString2="Program Files (x86)") returned -1 [0102.270] lstrcmpiW (lpString1="Active.GRL", lpString2="$Recycle.bin") returned 1 [0102.270] lstrcmpiW (lpString1="Active.GRL", lpString2="System Volume Information") returned -1 [0102.270] lstrcmpiW (lpString1="Active.GRL", lpString2=".") returned 1 [0102.270] lstrcmpiW (lpString1="Active.GRL", lpString2="..") returned 1 [0102.270] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL") returned 42 [0102.270] lstrcmpW (lpString1="Active.GRL", lpString2="PUSSY.TXT") returned -1 [0102.270] PathFindExtensionW (pszPath="Active.GRL") returned=".GRL" [0102.270] lstrlenW (lpString=".GRL") returned 4 [0102.270] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0102.270] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL" (normalized: "c:\\programdata\\microsoft\\mf\\active.grl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0102.271] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=14972) returned 1 [0102.271] GetProcessHeap () returned 0x4c0000 [0102.271] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b600f0 [0102.280] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="8E") returned 2 [0102.280] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="53") returned 2 [0102.281] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="D3") returned 2 [0102.281] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="1B") returned 2 [0102.281] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="5C") returned 2 [0102.281] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="B8") returned 2 [0102.281] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="FB") returned 2 [0102.281] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="A5") returned 2 [0102.281] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="3E") returned 2 [0102.281] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="31") returned 2 [0102.281] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="A3") returned 2 [0102.281] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="EB") returned 2 [0102.281] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="7E") returned 2 [0102.281] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="91") returned 2 [0102.281] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="DD") returned 2 [0102.281] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="70") returned 2 [0102.281] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="C2") returned 2 [0102.281] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="FD") returned 2 [0102.281] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="37") returned 2 [0102.281] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="D9") returned 2 [0102.281] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="F6") returned 2 [0102.281] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="78") returned 2 [0102.281] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="A4") returned 2 [0102.281] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="E4") returned 2 [0102.281] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="4E") returned 2 [0102.281] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="3B") returned 2 [0102.281] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="44") returned 2 [0102.281] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="C8") returned 2 [0102.281] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="B7") returned 2 [0102.281] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="92") returned 2 [0102.281] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="38") returned 2 [0102.282] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="73") returned 2 [0102.289] lstrcpyW (in: lpString1=0x3b70124, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL" [0102.290] lstrcpyW (in: lpString1=0x3b60124, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL" [0102.290] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL", lpString2=".8E53D31B5CB8FBA53E31A3EB7E91DD70C2FD37D9F678A4E44E3B44C8B7923873" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL.8E53D31B5CB8FBA53E31A3EB7E91DD70C2FD37D9F678A4E44E3B44C8B7923873") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL.8E53D31B5CB8FBA53E31A3EB7E91DD70C2FD37D9F678A4E44E3B44C8B7923873" [0102.290] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0x94, CompletionKey=0x3b600f0, NumberOfConcurrentThreads=0x0) returned 0x94 [0102.290] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b600f0, lpOverlapped=0x3b600f0) returned 1 [0102.290] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bed1018, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7bed1018, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Pending.GRL", cAlternateFileName="")) returned 1 [0102.290] lstrcmpiW (lpString1="Pending.GRL", lpString2="Windows") returned -1 [0102.290] lstrcmpiW (lpString1="Pending.GRL", lpString2="Program Files") returned -1 [0102.290] lstrcmpiW (lpString1="Pending.GRL", lpString2="Program Files (x86)") returned -1 [0102.290] lstrcmpiW (lpString1="Pending.GRL", lpString2="$Recycle.bin") returned 1 [0102.290] lstrcmpiW (lpString1="Pending.GRL", lpString2="System Volume Information") returned -1 [0102.290] lstrcmpiW (lpString1="Pending.GRL", lpString2=".") returned 1 [0102.290] lstrcmpiW (lpString1="Pending.GRL", lpString2="..") returned 1 [0102.290] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL") returned 43 [0102.290] lstrcmpW (lpString1="Pending.GRL", lpString2="PUSSY.TXT") returned -1 [0102.290] PathFindExtensionW (pszPath="Pending.GRL") returned=".GRL" [0102.290] lstrlenW (lpString=".GRL") returned 4 [0102.290] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0102.290] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL" (normalized: "c:\\programdata\\microsoft\\mf\\pending.grl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0102.291] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=14972) returned 1 [0102.291] GetProcessHeap () returned 0x4c0000 [0102.291] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b88140 [0102.300] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="F7") returned 2 [0102.300] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="1B") returned 2 [0102.300] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="E3") returned 2 [0102.300] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="41") returned 2 [0102.300] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="4F") returned 2 [0102.300] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="88") returned 2 [0102.300] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="B8") returned 2 [0102.300] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="65") returned 2 [0102.301] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="37") returned 2 [0102.301] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="83") returned 2 [0102.301] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="97") returned 2 [0102.301] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="81") returned 2 [0102.301] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="8E") returned 2 [0102.301] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="A6") returned 2 [0102.301] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="13") returned 2 [0102.301] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="00") returned 2 [0102.301] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="36") returned 2 [0102.301] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="32") returned 2 [0102.301] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="02") returned 2 [0102.301] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="F8") returned 2 [0102.301] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="1D") returned 2 [0102.301] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="6F") returned 2 [0102.301] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="4E") returned 2 [0102.301] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="58") returned 2 [0102.301] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="9D") returned 2 [0102.301] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="92") returned 2 [0102.301] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="C2") returned 2 [0102.301] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="44") returned 2 [0102.301] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="E6") returned 2 [0102.301] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="BE") returned 2 [0102.301] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="5C") returned 2 [0102.301] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="5E") returned 2 [0102.309] lstrcpyW (in: lpString1=0x3b98174, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL" [0102.310] lstrcpyW (in: lpString1=0x3b88174, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL" [0102.310] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL", lpString2=".F71BE3414F88B865378397818EA61300363202F81D6F4E589D92C244E6BE5C5E" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL.F71BE3414F88B865378397818EA61300363202F81D6F4E589D92C244E6BE5C5E") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL.F71BE3414F88B865378397818EA61300363202F81D6F4E589D92C244E6BE5C5E" [0102.310] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x3b88140, NumberOfConcurrentThreads=0x0) returned 0x94 [0102.310] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b88140, lpOverlapped=0x3b88140) returned 1 [0102.310] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bed1018, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7bed1018, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Pending.GRL", cAlternateFileName="")) returned 0 [0102.310] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0102.310] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\PUSSY.TXT") returned 41 [0102.310] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\mf\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0102.310] lstrlenA (lpString="abcd") returned 4 [0102.310] WriteFile (in: hFile=0x19c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0102.311] CloseHandle (hObject=0x19c) returned 1 [0102.311] GetProcessHeap () returned 0x4c0000 [0102.312] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0102.312] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="MSDN", cAlternateFileName="")) returned 1 [0102.312] lstrcmpiW (lpString1="MSDN", lpString2="Windows") returned -1 [0102.312] lstrcmpiW (lpString1="MSDN", lpString2="Program Files") returned -1 [0102.312] lstrcmpiW (lpString1="MSDN", lpString2="Program Files (x86)") returned -1 [0102.312] lstrcmpiW (lpString1="MSDN", lpString2="$Recycle.bin") returned 1 [0102.312] lstrcmpiW (lpString1="MSDN", lpString2="System Volume Information") returned -1 [0102.312] lstrcmpiW (lpString1="MSDN", lpString2=".") returned 1 [0102.312] lstrcmpiW (lpString1="MSDN", lpString2="..") returned 1 [0102.312] wnsprintfW (in: pszDest=0x3bb8158, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN") returned 33 [0102.312] GetProcessHeap () returned 0x4c0000 [0102.312] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0102.312] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN" [0102.312] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\*" [0102.312] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0102.312] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0102.312] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0102.312] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0102.312] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0102.313] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0102.313] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0102.313] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0102.313] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0102.313] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0102.313] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0102.313] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0102.313] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0102.313] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0102.313] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0102.313] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="8.0", cAlternateFileName="")) returned 1 [0102.313] lstrcmpiW (lpString1="8.0", lpString2="Windows") returned -1 [0102.313] lstrcmpiW (lpString1="8.0", lpString2="Program Files") returned -1 [0102.313] lstrcmpiW (lpString1="8.0", lpString2="Program Files (x86)") returned -1 [0102.313] lstrcmpiW (lpString1="8.0", lpString2="$Recycle.bin") returned 1 [0102.313] lstrcmpiW (lpString1="8.0", lpString2="System Volume Information") returned -1 [0102.313] lstrcmpiW (lpString1="8.0", lpString2=".") returned 1 [0102.313] lstrcmpiW (lpString1="8.0", lpString2="..") returned 1 [0102.313] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\8.0") returned 37 [0102.313] GetProcessHeap () returned 0x4c0000 [0102.313] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0102.313] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\8.0" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\8.0") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\8.0" [0102.313] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\8.0", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\8.0\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\8.0\\*" [0102.313] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\8.0\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4dbf10 [0102.313] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0102.314] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0102.314] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0102.314] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0102.314] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0102.314] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0102.314] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0102.314] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0102.314] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0102.314] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0102.314] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0102.314] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0102.314] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0102.314] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0102.314] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 0 [0102.314] FindClose (in: hFindFile=0x4dbf10 | out: hFindFile=0x4dbf10) returned 1 [0102.314] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\8.0\\PUSSY.TXT") returned 47 [0102.314] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\8.0\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\msdn\\8.0\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0102.317] lstrlenA (lpString="abcd") returned 4 [0102.317] WriteFile (in: hFile=0x174, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0102.318] CloseHandle (hObject=0x174) returned 1 [0102.318] GetProcessHeap () returned 0x4c0000 [0102.318] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0102.318] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="8.0", cAlternateFileName="")) returned 0 [0102.318] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0102.318] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\PUSSY.TXT") returned 43 [0102.318] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\msdn\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0102.319] lstrlenA (lpString="abcd") returned 4 [0102.319] WriteFile (in: hFile=0x19c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0102.320] CloseHandle (hObject=0x19c) returned 1 [0102.320] GetProcessHeap () returned 0x4c0000 [0102.320] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0102.320] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="NetFramework", cAlternateFileName="NETFRA~1")) returned 1 [0102.320] lstrcmpiW (lpString1="NetFramework", lpString2="Windows") returned -1 [0102.320] lstrcmpiW (lpString1="NetFramework", lpString2="Program Files") returned -1 [0102.320] lstrcmpiW (lpString1="NetFramework", lpString2="Program Files (x86)") returned -1 [0102.320] lstrcmpiW (lpString1="NetFramework", lpString2="$Recycle.bin") returned 1 [0102.320] lstrcmpiW (lpString1="NetFramework", lpString2="System Volume Information") returned -1 [0102.320] lstrcmpiW (lpString1="NetFramework", lpString2=".") returned 1 [0102.320] lstrcmpiW (lpString1="NetFramework", lpString2="..") returned 1 [0102.320] wnsprintfW (in: pszDest=0x3bb8158, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework") returned 41 [0102.320] GetProcessHeap () returned 0x4c0000 [0102.320] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0102.320] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework") returned="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework" [0102.320] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\*" [0102.320] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0102.321] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0102.321] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0102.322] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0102.322] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0102.322] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0102.322] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0102.322] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0102.322] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0102.322] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0102.322] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0102.322] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0102.322] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0102.322] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0102.322] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0102.322] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="BreadcrumbStore", cAlternateFileName="BREADC~1")) returned 1 [0102.322] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="Windows") returned -1 [0102.322] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="Program Files") returned -1 [0102.322] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="Program Files (x86)") returned -1 [0102.322] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="$Recycle.bin") returned 1 [0102.322] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="System Volume Information") returned -1 [0102.322] lstrcmpiW (lpString1="BreadcrumbStore", lpString2=".") returned 1 [0102.322] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="..") returned 1 [0102.322] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore") returned 57 [0102.323] GetProcessHeap () returned 0x4c0000 [0102.323] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0102.323] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore") returned="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore" [0102.323] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\*" [0102.323] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4dbf10 [0102.323] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0102.323] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0102.323] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0102.323] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0102.323] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0102.323] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0102.323] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0102.323] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0102.324] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0102.324] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0102.324] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0102.324] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0102.324] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0102.324] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0102.324] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 0 [0102.324] FindClose (in: hFindFile=0x4dbf10 | out: hFindFile=0x4dbf10) returned 1 [0102.324] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\PUSSY.TXT") returned 67 [0102.324] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\netframework\\breadcrumbstore\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0102.367] lstrlenA (lpString="abcd") returned 4 [0102.367] WriteFile (in: hFile=0x1a4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0102.368] CloseHandle (hObject=0x1a4) returned 1 [0102.368] GetProcessHeap () returned 0x4c0000 [0102.368] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0102.370] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="BreadcrumbStore", cAlternateFileName="BREADC~1")) returned 0 [0102.370] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0102.370] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\PUSSY.TXT") returned 51 [0102.370] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\netframework\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0102.371] lstrlenA (lpString="abcd") returned 4 [0102.371] WriteFile (in: hFile=0x19c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0102.372] CloseHandle (hObject=0x19c) returned 1 [0102.372] GetProcessHeap () returned 0x4c0000 [0102.372] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0102.373] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="Network", cAlternateFileName="")) returned 1 [0102.373] lstrcmpiW (lpString1="Network", lpString2="Windows") returned -1 [0102.373] lstrcmpiW (lpString1="Network", lpString2="Program Files") returned -1 [0102.373] lstrcmpiW (lpString1="Network", lpString2="Program Files (x86)") returned -1 [0102.373] lstrcmpiW (lpString1="Network", lpString2="$Recycle.bin") returned 1 [0102.373] lstrcmpiW (lpString1="Network", lpString2="System Volume Information") returned -1 [0102.373] lstrcmpiW (lpString1="Network", lpString2=".") returned 1 [0102.373] lstrcmpiW (lpString1="Network", lpString2="..") returned 1 [0102.373] wnsprintfW (in: pszDest=0x3bb8158, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network") returned 36 [0102.373] GetProcessHeap () returned 0x4c0000 [0102.373] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0102.373] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Network" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network" [0102.373] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\*" [0102.374] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0102.374] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0102.374] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0102.374] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0102.374] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0102.374] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0102.374] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0102.374] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0102.374] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0102.374] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0102.374] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0102.374] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0102.374] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0102.374] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0102.374] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0102.375] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xa68726b4, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Connections", cAlternateFileName="CONNEC~1")) returned 1 [0102.375] lstrcmpiW (lpString1="Connections", lpString2="Windows") returned -1 [0102.375] lstrcmpiW (lpString1="Connections", lpString2="Program Files") returned -1 [0102.375] lstrcmpiW (lpString1="Connections", lpString2="Program Files (x86)") returned -1 [0102.375] lstrcmpiW (lpString1="Connections", lpString2="$Recycle.bin") returned 1 [0102.375] lstrcmpiW (lpString1="Connections", lpString2="System Volume Information") returned -1 [0102.375] lstrcmpiW (lpString1="Connections", lpString2=".") returned 1 [0102.375] lstrcmpiW (lpString1="Connections", lpString2="..") returned 1 [0102.375] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections") returned 48 [0102.375] GetProcessHeap () returned 0x4c0000 [0102.375] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0102.375] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections" [0102.375] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\*" [0102.375] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xa68726b4, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4dbf10 [0102.376] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0102.376] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0102.376] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0102.376] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0102.376] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0102.376] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0102.376] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xa68726b4, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0102.376] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0102.376] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0102.376] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0102.376] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0102.376] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0102.376] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0102.376] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0102.377] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xa68726b4, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 0 [0102.377] FindClose (in: hFindFile=0x4dbf10 | out: hFindFile=0x4dbf10) returned 1 [0102.377] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\PUSSY.TXT") returned 58 [0102.377] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\network\\connections\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0102.377] lstrlenA (lpString="abcd") returned 4 [0102.377] WriteFile (in: hFile=0x1a4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0102.378] CloseHandle (hObject=0x1a4) returned 1 [0102.378] GetProcessHeap () returned 0x4c0000 [0102.378] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0102.378] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x7606ea15, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x7606ea15, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Downloader", cAlternateFileName="DOWNLO~1")) returned 1 [0102.378] lstrcmpiW (lpString1="Downloader", lpString2="Windows") returned -1 [0102.378] lstrcmpiW (lpString1="Downloader", lpString2="Program Files") returned -1 [0102.378] lstrcmpiW (lpString1="Downloader", lpString2="Program Files (x86)") returned -1 [0102.378] lstrcmpiW (lpString1="Downloader", lpString2="$Recycle.bin") returned 1 [0102.379] lstrcmpiW (lpString1="Downloader", lpString2="System Volume Information") returned -1 [0102.379] lstrcmpiW (lpString1="Downloader", lpString2=".") returned 1 [0102.379] lstrcmpiW (lpString1="Downloader", lpString2="..") returned 1 [0102.379] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader") returned 47 [0102.379] GetProcessHeap () returned 0x4c0000 [0102.379] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0102.379] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader" [0102.379] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\*" [0102.379] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x7606ea15, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x7606ea15, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4dbf10 [0102.379] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0102.379] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0102.379] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0102.379] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0102.379] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0102.379] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0102.379] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x7606ea15, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x7606ea15, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0102.379] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0102.380] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0102.380] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0102.380] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0102.380] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0102.380] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0102.380] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0102.380] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x7606ea15, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x7606ea15, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0xe0118910, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x400000, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="qmgr0.dat", cAlternateFileName="")) returned 1 [0102.380] lstrcmpiW (lpString1="qmgr0.dat", lpString2="Windows") returned -1 [0102.380] lstrcmpiW (lpString1="qmgr0.dat", lpString2="Program Files") returned 1 [0102.380] lstrcmpiW (lpString1="qmgr0.dat", lpString2="Program Files (x86)") returned 1 [0102.380] lstrcmpiW (lpString1="qmgr0.dat", lpString2="$Recycle.bin") returned 1 [0102.380] lstrcmpiW (lpString1="qmgr0.dat", lpString2="System Volume Information") returned -1 [0102.380] lstrcmpiW (lpString1="qmgr0.dat", lpString2=".") returned 1 [0102.380] lstrcmpiW (lpString1="qmgr0.dat", lpString2="..") returned 1 [0102.380] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat") returned 57 [0102.380] lstrcmpW (lpString1="qmgr0.dat", lpString2="PUSSY.TXT") returned 1 [0102.380] PathFindExtensionW (pszPath="qmgr0.dat") returned=".dat" [0102.380] lstrlenW (lpString=".dat") returned 4 [0102.380] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0102.380] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr0.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x174 [0102.381] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=4194304) returned 1 [0102.381] GetProcessHeap () returned 0x4c0000 [0102.381] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc8160 [0102.391] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="C9") returned 2 [0102.391] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="EF") returned 2 [0102.391] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="2F") returned 2 [0102.391] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="43") returned 2 [0102.391] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="E0") returned 2 [0102.391] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="1D") returned 2 [0102.391] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="8F") returned 2 [0102.391] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="B1") returned 2 [0102.391] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="91") returned 2 [0102.391] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="5E") returned 2 [0102.391] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="D4") returned 2 [0102.391] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="C4") returned 2 [0102.391] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="DA") returned 2 [0102.391] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="46") returned 2 [0102.391] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="DD") returned 2 [0102.391] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="A9") returned 2 [0102.391] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="83") returned 2 [0102.391] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="9D") returned 2 [0102.391] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="C9") returned 2 [0102.391] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="45") returned 2 [0102.391] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="2B") returned 2 [0102.391] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="B7") returned 2 [0102.392] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="DF") returned 2 [0102.392] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="15") returned 2 [0102.392] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="01") returned 2 [0102.392] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="0E") returned 2 [0102.392] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="91") returned 2 [0102.392] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="79") returned 2 [0102.392] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="B6") returned 2 [0102.392] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="95") returned 2 [0102.392] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="64") returned 2 [0102.392] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="48") returned 2 [0102.400] lstrcpyW (in: lpString1=0x3bd8194, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat" [0102.400] lstrcpyW (in: lpString1=0x3bc8194, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat" [0102.401] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat", lpString2=".C9EF2F43E01D8FB1915ED4C4DA46DDA9839DC9452BB7DF15010E9179B6956448" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat.C9EF2F43E01D8FB1915ED4C4DA46DDA9839DC9452BB7DF15010E9179B6956448") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat.C9EF2F43E01D8FB1915ED4C4DA46DDA9839DC9452BB7DF15010E9179B6956448" [0102.401] CreateIoCompletionPort (FileHandle=0x174, ExistingCompletionPort=0x94, CompletionKey=0x3bc8160, NumberOfConcurrentThreads=0x0) returned 0x94 [0102.401] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc8160, lpOverlapped=0x3bc8160) returned 1 [0102.401] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x7606ea15, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x7606ea15, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0xdd404870, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x400000, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="qmgr1.dat", cAlternateFileName="")) returned 1 [0102.401] lstrcmpiW (lpString1="qmgr1.dat", lpString2="Windows") returned -1 [0102.401] lstrcmpiW (lpString1="qmgr1.dat", lpString2="Program Files") returned 1 [0102.401] lstrcmpiW (lpString1="qmgr1.dat", lpString2="Program Files (x86)") returned 1 [0102.401] lstrcmpiW (lpString1="qmgr1.dat", lpString2="$Recycle.bin") returned 1 [0102.401] lstrcmpiW (lpString1="qmgr1.dat", lpString2="System Volume Information") returned -1 [0102.401] lstrcmpiW (lpString1="qmgr1.dat", lpString2=".") returned 1 [0102.401] lstrcmpiW (lpString1="qmgr1.dat", lpString2="..") returned 1 [0102.401] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat") returned 57 [0102.401] lstrcmpW (lpString1="qmgr1.dat", lpString2="PUSSY.TXT") returned 1 [0102.401] PathFindExtensionW (pszPath="qmgr1.dat") returned=".dat" [0102.401] lstrlenW (lpString=".dat") returned 4 [0102.401] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0102.401] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr1.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0102.402] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=4194304) returned 1 [0102.402] GetProcessHeap () returned 0x4c0000 [0102.402] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0102.424] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="E8") returned 2 [0102.424] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="CF") returned 2 [0102.424] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="22") returned 2 [0102.424] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="60") returned 2 [0102.424] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="70") returned 2 [0102.424] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="66") returned 2 [0102.425] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="0F") returned 2 [0102.425] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="88") returned 2 [0102.425] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="10") returned 2 [0102.425] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="FA") returned 2 [0102.425] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="21") returned 2 [0102.425] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="5F") returned 2 [0102.425] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="D1") returned 2 [0102.425] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="D4") returned 2 [0102.425] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="F1") returned 2 [0102.425] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="68") returned 2 [0102.425] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="5F") returned 2 [0102.425] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="15") returned 2 [0102.425] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="EA") returned 2 [0102.425] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="8D") returned 2 [0102.425] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="56") returned 2 [0102.425] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="49") returned 2 [0102.425] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="F3") returned 2 [0102.425] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="61") returned 2 [0102.425] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="78") returned 2 [0102.425] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="64") returned 2 [0102.425] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="F3") returned 2 [0102.425] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="C3") returned 2 [0102.426] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="68") returned 2 [0102.426] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="B0") returned 2 [0102.426] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="6F") returned 2 [0102.426] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="71") returned 2 [0102.439] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat" [0102.439] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat" [0102.439] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat", lpString2=".E8CF226070660F8810FA215FD1D4F1685F15EA8D5649F3617864F3C368B06F71" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat.E8CF226070660F8810FA215FD1D4F1685F15EA8D5649F3617864F3C368B06F71") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat.E8CF226070660F8810FA215FD1D4F1685F15EA8D5649F3617864F3C368B06F71" [0102.439] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0102.440] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0102.440] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x7606ea15, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x7606ea15, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0xdd404870, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x400000, dwReserved0=0x4e2a18, dwReserved1=0x77c61b06, cFileName="qmgr1.dat", cAlternateFileName="")) returned 0 [0102.440] FindClose (in: hFindFile=0x4dbf10 | out: hFindFile=0x4dbf10) returned 1 [0102.440] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\PUSSY.TXT") returned 57 [0102.440] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0102.440] lstrlenA (lpString="abcd") returned 4 [0102.440] WriteFile (in: hFile=0x1a4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0102.441] CloseHandle (hObject=0x1a4) returned 1 [0102.441] GetProcessHeap () returned 0x4c0000 [0102.441] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0102.441] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x7606ea15, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x7606ea15, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Downloader", cAlternateFileName="DOWNLO~1")) returned 0 [0102.442] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0102.442] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\PUSSY.TXT") returned 46 [0102.442] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\network\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0102.444] lstrlenA (lpString="abcd") returned 4 [0102.444] WriteFile (in: hFile=0x19c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0102.445] CloseHandle (hObject=0x19c) returned 1 [0102.445] GetProcessHeap () returned 0x4c0000 [0102.445] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0102.445] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x6d3a4910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d3a4910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="OFFICE", cAlternateFileName="")) returned 1 [0102.445] lstrcmpiW (lpString1="OFFICE", lpString2="Windows") returned -1 [0102.445] lstrcmpiW (lpString1="OFFICE", lpString2="Program Files") returned -1 [0102.445] lstrcmpiW (lpString1="OFFICE", lpString2="Program Files (x86)") returned -1 [0102.445] lstrcmpiW (lpString1="OFFICE", lpString2="$Recycle.bin") returned 1 [0102.445] lstrcmpiW (lpString1="OFFICE", lpString2="System Volume Information") returned -1 [0102.445] lstrcmpiW (lpString1="OFFICE", lpString2=".") returned 1 [0102.445] lstrcmpiW (lpString1="OFFICE", lpString2="..") returned 1 [0102.446] wnsprintfW (in: pszDest=0x3bb8158, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE") returned 35 [0102.446] GetProcessHeap () returned 0x4c0000 [0102.446] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0102.446] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE" [0102.446] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\*" [0102.446] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x6d3a4910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d3a4910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0102.705] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0102.705] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0102.705] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0102.705] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0102.705] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0102.705] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0102.705] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x6d3a4910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d3a4910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0102.705] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0102.705] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0102.705] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0102.705] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0102.705] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0102.705] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0102.705] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0102.705] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5011dd00, ftCreationTime.dwHighDateTime=0x1ca04ff, ftLastAccessTime.dwLowDateTime=0x5f409670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5011dd00, ftLastWriteTime.dwHighDateTime=0x1ca04ff, nFileSizeHigh=0x0, nFileSizeLow=0x1536, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="AssetLibrary.ico", cAlternateFileName="ASSETL~1.ICO")) returned 1 [0102.705] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="Windows") returned -1 [0102.705] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="Program Files") returned -1 [0102.706] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="Program Files (x86)") returned -1 [0102.706] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="$Recycle.bin") returned 1 [0102.706] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="System Volume Information") returned -1 [0102.706] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2=".") returned 1 [0102.706] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="..") returned 1 [0102.706] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico") returned 52 [0102.706] lstrcmpW (lpString1="AssetLibrary.ico", lpString2="PUSSY.TXT") returned -1 [0102.706] PathFindExtensionW (pszPath="AssetLibrary.ico") returned=".ico" [0102.706] lstrlenW (lpString=".ico") returned 4 [0102.706] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0102.706] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico" (normalized: "c:\\programdata\\microsoft\\office\\assetlibrary.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0102.707] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=5430) returned 1 [0102.707] GetProcessHeap () returned 0x4c0000 [0102.707] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b380a0 [0102.722] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="97") returned 2 [0102.722] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="46") returned 2 [0102.722] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="9B") returned 2 [0102.722] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="60") returned 2 [0102.722] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="AF") returned 2 [0102.722] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="3B") returned 2 [0102.722] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="A2") returned 2 [0102.722] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="EE") returned 2 [0102.722] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="7D") returned 2 [0102.722] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="AB") returned 2 [0102.722] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="FB") returned 2 [0102.722] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="A8") returned 2 [0102.722] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="80") returned 2 [0102.722] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="E7") returned 2 [0102.722] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="AF") returned 2 [0102.722] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="B3") returned 2 [0102.722] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="8B") returned 2 [0102.722] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="3D") returned 2 [0102.722] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="E9") returned 2 [0102.722] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="BE") returned 2 [0102.723] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="BF") returned 2 [0102.723] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="89") returned 2 [0102.723] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="33") returned 2 [0102.723] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="28") returned 2 [0102.723] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="90") returned 2 [0102.723] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="91") returned 2 [0102.723] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="62") returned 2 [0102.723] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="4A") returned 2 [0102.723] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="77") returned 2 [0102.723] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="F0") returned 2 [0102.723] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="F5") returned 2 [0102.723] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="4C") returned 2 [0102.742] lstrcpyW (in: lpString1=0x3b480d4, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico" [0102.742] lstrcpyW (in: lpString1=0x3b380d4, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico" [0102.742] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico", lpString2=".97469B60AF3BA2EE7DABFBA880E7AFB38B3DE9BEBF8933289091624A77F0F54C" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico.97469B60AF3BA2EE7DABFBA880E7AFB38B3DE9BEBF8933289091624A77F0F54C") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico.97469B60AF3BA2EE7DABFBA880E7AFB38B3DE9BEBF8933289091624A77F0F54C" [0102.742] CreateIoCompletionPort (FileHandle=0x16c, ExistingCompletionPort=0x94, CompletionKey=0x3b380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0102.742] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b380a0, lpOverlapped=0x3b380a0) returned 1 [0102.743] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xabeeea00, ftCreationTime.dwHighDateTime=0x1c63848, ftLastAccessTime.dwLowDateTime=0x51e19d30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xabeeea00, ftLastWriteTime.dwHighDateTime=0x1c63848, nFileSizeHigh=0x0, nFileSizeLow=0x627e, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="DocumentRepository.ico", cAlternateFileName="DOCUME~1.ICO")) returned 1 [0102.743] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="Windows") returned -1 [0102.743] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="Program Files") returned -1 [0102.743] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="Program Files (x86)") returned -1 [0102.751] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="$Recycle.bin") returned 1 [0102.751] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="System Volume Information") returned -1 [0102.751] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2=".") returned 1 [0102.751] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="..") returned 1 [0102.751] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico") returned 58 [0102.751] lstrcmpW (lpString1="DocumentRepository.ico", lpString2="PUSSY.TXT") returned -1 [0102.751] PathFindExtensionW (pszPath="DocumentRepository.ico") returned=".ico" [0102.751] lstrlenW (lpString=".ico") returned 4 [0102.753] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0102.754] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico" (normalized: "c:\\programdata\\microsoft\\office\\documentrepository.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0102.759] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=25214) returned 1 [0102.759] GetProcessHeap () returned 0x4c0000 [0102.759] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b380a0 [0102.773] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="1C") returned 2 [0102.773] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="34") returned 2 [0102.773] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="CB") returned 2 [0102.773] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="7E") returned 2 [0102.774] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="E2") returned 2 [0102.774] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="A2") returned 2 [0102.774] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="CE") returned 2 [0102.774] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="E8") returned 2 [0102.774] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="A5") returned 2 [0102.774] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="AA") returned 2 [0102.774] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="A7") returned 2 [0102.774] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="26") returned 2 [0102.774] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="DD") returned 2 [0102.774] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="F0") returned 2 [0102.774] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="C9") returned 2 [0102.774] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="23") returned 2 [0102.774] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="79") returned 2 [0102.774] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="8D") returned 2 [0102.774] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="54") returned 2 [0102.774] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="0A") returned 2 [0102.774] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="45") returned 2 [0102.774] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="4E") returned 2 [0102.774] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="2F") returned 2 [0102.774] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="62") returned 2 [0102.774] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="A5") returned 2 [0102.774] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="FF") returned 2 [0102.775] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="37") returned 2 [0102.775] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="2E") returned 2 [0102.775] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="04") returned 2 [0102.775] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="75") returned 2 [0102.775] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="CC") returned 2 [0102.775] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="3A") returned 2 [0102.806] lstrcpyW (in: lpString1=0x3b480d4, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico" [0102.807] lstrcpyW (in: lpString1=0x3b380d4, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico" [0102.807] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico", lpString2=".1C34CB7EE2A2CEE8A5AAA726DDF0C923798D540A454E2F62A5FF372E0475CC3A" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico.1C34CB7EE2A2CEE8A5AAA726DDF0C923798D540A454E2F62A5FF372E0475CC3A") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico.1C34CB7EE2A2CEE8A5AAA726DDF0C923798D540A454E2F62A5FF372E0475CC3A" [0102.807] CreateIoCompletionPort (FileHandle=0x16c, ExistingCompletionPort=0x94, CompletionKey=0x3b380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0102.807] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b380a0, lpOverlapped=0x3b380a0) returned 1 [0102.807] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2bfbd800, ftCreationTime.dwHighDateTime=0x1c9facb, ftLastAccessTime.dwLowDateTime=0x6a3248d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2bfbd800, ftLastWriteTime.dwHighDateTime=0x1c9facb, nFileSizeHigh=0x0, nFileSizeLow=0x5532e, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="MySharePoints.ico", cAlternateFileName="MYSHAR~1.ICO")) returned 1 [0102.807] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="Windows") returned -1 [0102.807] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="Program Files") returned -1 [0102.807] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="Program Files (x86)") returned -1 [0102.807] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="$Recycle.bin") returned 1 [0102.807] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="System Volume Information") returned -1 [0102.807] lstrcmpiW (lpString1="MySharePoints.ico", lpString2=".") returned 1 [0102.807] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="..") returned 1 [0102.807] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico") returned 53 [0102.807] lstrcmpW (lpString1="MySharePoints.ico", lpString2="PUSSY.TXT") returned -1 [0102.807] PathFindExtensionW (pszPath="MySharePoints.ico") returned=".ico" [0102.807] lstrlenW (lpString=".ico") returned 4 [0102.807] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0102.807] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico" (normalized: "c:\\programdata\\microsoft\\office\\mysharepoints.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0102.833] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=348974) returned 1 [0102.833] GetProcessHeap () returned 0x4c0000 [0102.833] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b88140 [0102.844] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="55") returned 2 [0102.844] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="93") returned 2 [0102.844] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="9C") returned 2 [0102.844] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="72") returned 2 [0102.844] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="43") returned 2 [0102.844] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="93") returned 2 [0102.844] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="95") returned 2 [0102.844] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="67") returned 2 [0102.844] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="34") returned 2 [0102.844] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="DC") returned 2 [0102.844] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="13") returned 2 [0102.844] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="A5") returned 2 [0102.844] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="88") returned 2 [0102.844] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="51") returned 2 [0102.844] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="AC") returned 2 [0102.844] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="E2") returned 2 [0102.844] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="45") returned 2 [0102.845] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="74") returned 2 [0102.845] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="63") returned 2 [0102.845] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="AD") returned 2 [0102.845] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="22") returned 2 [0102.845] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="5E") returned 2 [0102.845] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="66") returned 2 [0102.845] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="30") returned 2 [0102.845] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="85") returned 2 [0102.845] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="63") returned 2 [0102.845] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="09") returned 2 [0102.845] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="F3") returned 2 [0102.845] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="27") returned 2 [0102.845] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="00") returned 2 [0102.845] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="53") returned 2 [0102.845] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="56") returned 2 [0102.854] lstrcpyW (in: lpString1=0x3b98174, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico" [0102.854] lstrcpyW (in: lpString1=0x3b88174, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico" [0102.854] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico", lpString2=".55939C724393956734DC13A58851ACE2457463AD225E6630856309F327005356" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico.55939C724393956734DC13A58851ACE2457463AD225E6630856309F327005356") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico.55939C724393956734DC13A58851ACE2457463AD225E6630856309F327005356" [0102.854] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x3b88140, NumberOfConcurrentThreads=0x0) returned 0x94 [0102.854] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b88140, lpOverlapped=0x3b88140) returned 1 [0102.855] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc92d1d00, ftCreationTime.dwHighDateTime=0x1c627a2, ftLastAccessTime.dwLowDateTime=0x594ac510, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc92d1d00, ftLastWriteTime.dwHighDateTime=0x1c627a2, nFileSizeHigh=0x0, nFileSizeLow=0x627e, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="MySite.ico", cAlternateFileName="")) returned 1 [0102.855] lstrcmpiW (lpString1="MySite.ico", lpString2="Windows") returned -1 [0102.855] lstrcmpiW (lpString1="MySite.ico", lpString2="Program Files") returned -1 [0102.856] lstrcmpiW (lpString1="MySite.ico", lpString2="Program Files (x86)") returned -1 [0102.856] lstrcmpiW (lpString1="MySite.ico", lpString2="$Recycle.bin") returned 1 [0102.856] lstrcmpiW (lpString1="MySite.ico", lpString2="System Volume Information") returned -1 [0102.856] lstrcmpiW (lpString1="MySite.ico", lpString2=".") returned 1 [0102.856] lstrcmpiW (lpString1="MySite.ico", lpString2="..") returned 1 [0102.856] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySite.ico") returned 46 [0102.856] lstrcmpW (lpString1="MySite.ico", lpString2="PUSSY.TXT") returned -1 [0102.888] PathFindExtensionW (pszPath="MySite.ico") returned=".ico" [0102.888] lstrlenW (lpString=".ico") returned 4 [0102.888] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0102.888] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySite.ico" (normalized: "c:\\programdata\\microsoft\\office\\mysite.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0102.890] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=25214) returned 1 [0102.890] GetProcessHeap () returned 0x4c0000 [0102.890] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b380a0 [0102.901] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="5A") returned 2 [0102.901] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="BC") returned 2 [0102.901] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="A1") returned 2 [0102.901] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="E2") returned 2 [0102.901] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="69") returned 2 [0102.901] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="39") returned 2 [0102.901] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="03") returned 2 [0102.901] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="A1") returned 2 [0102.901] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="19") returned 2 [0102.901] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="09") returned 2 [0102.901] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="E4") returned 2 [0102.901] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="DB") returned 2 [0102.901] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="1B") returned 2 [0102.901] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="A7") returned 2 [0102.901] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="D3") returned 2 [0102.901] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="A3") returned 2 [0102.901] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="6F") returned 2 [0102.902] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="9B") returned 2 [0102.902] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="6A") returned 2 [0102.902] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="A2") returned 2 [0102.902] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="79") returned 2 [0102.902] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="E1") returned 2 [0102.902] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="67") returned 2 [0102.902] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="BE") returned 2 [0102.902] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="DD") returned 2 [0102.902] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="A6") returned 2 [0102.902] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="53") returned 2 [0102.902] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="3B") returned 2 [0102.902] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="53") returned 2 [0102.902] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="10") returned 2 [0102.902] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="03") returned 2 [0102.902] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="2C") returned 2 [0102.911] lstrcpyW (in: lpString1=0x3b480d4, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySite.ico" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySite.ico") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySite.ico" [0102.911] lstrcpyW (in: lpString1=0x3b380d4, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySite.ico" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySite.ico") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySite.ico" [0102.911] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySite.ico", lpString2=".5ABCA1E2693903A11909E4DB1BA7D3A36F9B6AA279E167BEDDA6533B5310032C" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySite.ico.5ABCA1E2693903A11909E4DB1BA7D3A36F9B6AA279E167BEDDA6533B5310032C") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySite.ico.5ABCA1E2693903A11909E4DB1BA7D3A36F9B6AA279E167BEDDA6533B5310032C" [0102.911] CreateIoCompletionPort (FileHandle=0x16c, ExistingCompletionPort=0x94, CompletionKey=0x3b380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0102.912] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b380a0, lpOverlapped=0x3b380a0) returned 1 [0102.912] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf2444900, ftCreationTime.dwHighDateTime=0x1c63848, ftLastAccessTime.dwLowDateTime=0x5ab49610, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf2444900, ftLastWriteTime.dwHighDateTime=0x1c63848, nFileSizeHigh=0x0, nFileSizeLow=0x627e, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="SharePointPortalSite.ico", cAlternateFileName="SHAREP~1.ICO")) returned 1 [0102.912] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="Windows") returned -1 [0102.912] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="Program Files") returned 1 [0102.912] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="Program Files (x86)") returned 1 [0102.912] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="$Recycle.bin") returned 1 [0102.912] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="System Volume Information") returned -1 [0102.912] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2=".") returned 1 [0102.912] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="..") returned 1 [0102.912] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointPortalSite.ico") returned 60 [0102.912] lstrcmpW (lpString1="SharePointPortalSite.ico", lpString2="PUSSY.TXT") returned 1 [0102.912] PathFindExtensionW (pszPath="SharePointPortalSite.ico") returned=".ico" [0102.912] lstrlenW (lpString=".ico") returned 4 [0102.912] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0102.912] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointPortalSite.ico" (normalized: "c:\\programdata\\microsoft\\office\\sharepointportalsite.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a4 [0102.937] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=25214) returned 1 [0102.938] GetProcessHeap () returned 0x4c0000 [0102.938] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52aad8 [0102.966] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="F6") returned 2 [0102.966] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="4D") returned 2 [0102.966] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="90") returned 2 [0102.966] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="73") returned 2 [0102.966] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="58") returned 2 [0102.966] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="61") returned 2 [0102.966] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="F4") returned 2 [0102.966] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="D1") returned 2 [0102.966] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="8A") returned 2 [0102.966] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="2B") returned 2 [0102.966] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="2F") returned 2 [0102.967] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="C4") returned 2 [0102.967] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="09") returned 2 [0102.967] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="19") returned 2 [0102.967] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="87") returned 2 [0102.967] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="0A") returned 2 [0102.967] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="CF") returned 2 [0102.967] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="58") returned 2 [0102.967] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="47") returned 2 [0102.967] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="79") returned 2 [0102.967] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="C1") returned 2 [0102.967] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="81") returned 2 [0102.967] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="61") returned 2 [0102.967] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="D1") returned 2 [0102.967] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="A4") returned 2 [0102.967] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="E5") returned 2 [0102.967] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="03") returned 2 [0102.967] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="E8") returned 2 [0102.967] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="62") returned 2 [0102.967] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="78") returned 2 [0102.967] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="DE") returned 2 [0102.967] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="49") returned 2 [0102.977] lstrcpyW (in: lpString1=0x53ab0c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointPortalSite.ico" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointPortalSite.ico") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointPortalSite.ico" [0102.977] lstrcpyW (in: lpString1=0x52ab0c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointPortalSite.ico" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointPortalSite.ico") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointPortalSite.ico" [0102.977] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointPortalSite.ico", lpString2=".F64D90735861F4D18A2B2FC40919870ACF584779C18161D1A4E503E86278DE49" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointPortalSite.ico.F64D90735861F4D18A2B2FC40919870ACF584779C18161D1A4E503E86278DE49") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointPortalSite.ico.F64D90735861F4D18A2B2FC40919870ACF584779C18161D1A4E503E86278DE49" [0102.977] CreateIoCompletionPort (FileHandle=0x1a4, ExistingCompletionPort=0x94, CompletionKey=0x52aad8, NumberOfConcurrentThreads=0x0) returned 0x94 [0102.977] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52aad8, lpOverlapped=0x52aad8) returned 1 [0103.007] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xad743900, ftCreationTime.dwHighDateTime=0x1c62706, ftLastAccessTime.dwLowDateTime=0x6d3a4910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xad743900, ftLastWriteTime.dwHighDateTime=0x1c62706, nFileSizeHigh=0x0, nFileSizeLow=0x627e, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="SharePointTeamSite.ico", cAlternateFileName="SHAREP~2.ICO")) returned 1 [0103.007] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="Windows") returned -1 [0103.007] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="Program Files") returned 1 [0103.007] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="Program Files (x86)") returned 1 [0103.007] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="$Recycle.bin") returned 1 [0103.007] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="System Volume Information") returned -1 [0103.007] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2=".") returned 1 [0103.007] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="..") returned 1 [0103.007] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointTeamSite.ico") returned 58 [0103.007] lstrcmpW (lpString1="SharePointTeamSite.ico", lpString2="PUSSY.TXT") returned 1 [0103.007] PathFindExtensionW (pszPath="SharePointTeamSite.ico") returned=".ico" [0103.007] lstrlenW (lpString=".ico") returned 4 [0103.007] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0103.007] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointTeamSite.ico" (normalized: "c:\\programdata\\microsoft\\office\\sharepointteamsite.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0103.009] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=25214) returned 1 [0103.009] GetProcessHeap () returned 0x4c0000 [0103.009] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0103.017] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="39") returned 2 [0103.017] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="35") returned 2 [0103.017] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="B4") returned 2 [0103.017] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="37") returned 2 [0103.017] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="22") returned 2 [0103.017] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="6C") returned 2 [0103.017] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="AB") returned 2 [0103.017] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="52") returned 2 [0103.017] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="91") returned 2 [0103.017] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="34") returned 2 [0103.017] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="9B") returned 2 [0103.018] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="CA") returned 2 [0103.018] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="8A") returned 2 [0103.018] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="88") returned 2 [0103.018] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="6E") returned 2 [0103.018] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="DC") returned 2 [0103.018] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="BF") returned 2 [0103.018] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="C3") returned 2 [0103.018] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="1C") returned 2 [0103.018] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="AC") returned 2 [0103.018] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="D5") returned 2 [0103.018] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="61") returned 2 [0103.018] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="15") returned 2 [0103.018] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="28") returned 2 [0103.018] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="BB") returned 2 [0103.018] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="F5") returned 2 [0103.018] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="82") returned 2 [0103.018] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="2D") returned 2 [0103.018] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="19") returned 2 [0103.018] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="67") returned 2 [0103.018] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="59") returned 2 [0103.018] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="4D") returned 2 [0103.027] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointTeamSite.ico" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointTeamSite.ico") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointTeamSite.ico" [0103.027] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointTeamSite.ico" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointTeamSite.ico") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointTeamSite.ico" [0103.027] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointTeamSite.ico", lpString2=".3935B437226CAB5291349BCA8A886EDCBFC31CACD5611528BBF5822D1967594D" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointTeamSite.ico.3935B437226CAB5291349BCA8A886EDCBFC31CACD5611528BBF5822D1967594D") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointTeamSite.ico.3935B437226CAB5291349BCA8A886EDCBFC31CACD5611528BBF5822D1967594D" [0103.027] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0103.027] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0103.027] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed38550, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="UICaptions", cAlternateFileName="UICAPT~1")) returned 1 [0103.027] lstrcmpiW (lpString1="UICaptions", lpString2="Windows") returned -1 [0103.027] lstrcmpiW (lpString1="UICaptions", lpString2="Program Files") returned 1 [0103.027] lstrcmpiW (lpString1="UICaptions", lpString2="Program Files (x86)") returned 1 [0103.027] lstrcmpiW (lpString1="UICaptions", lpString2="$Recycle.bin") returned 1 [0103.028] lstrcmpiW (lpString1="UICaptions", lpString2="System Volume Information") returned 1 [0103.028] lstrcmpiW (lpString1="UICaptions", lpString2=".") returned 1 [0103.028] lstrcmpiW (lpString1="UICaptions", lpString2="..") returned 1 [0103.028] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions") returned 46 [0103.028] GetProcessHeap () returned 0x4c0000 [0103.028] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0103.028] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions" [0103.028] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\*" [0103.028] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed38550, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4dbf10 [0103.057] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0103.057] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0103.057] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0103.058] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0103.058] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0103.058] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0103.058] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed38550, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0103.058] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0103.058] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0103.058] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0103.058] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0103.058] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0103.058] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0103.058] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0103.058] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef116910, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="1036", cAlternateFileName="")) returned 1 [0103.058] lstrcmpiW (lpString1="1036", lpString2="Windows") returned -1 [0103.058] lstrcmpiW (lpString1="1036", lpString2="Program Files") returned -1 [0103.058] lstrcmpiW (lpString1="1036", lpString2="Program Files (x86)") returned -1 [0103.058] lstrcmpiW (lpString1="1036", lpString2="$Recycle.bin") returned 1 [0103.058] lstrcmpiW (lpString1="1036", lpString2="System Volume Information") returned -1 [0103.058] lstrcmpiW (lpString1="1036", lpString2=".") returned 1 [0103.058] lstrcmpiW (lpString1="1036", lpString2="..") returned 1 [0103.058] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036") returned 51 [0103.058] GetProcessHeap () returned 0x4c0000 [0103.058] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x502a88 [0103.058] lstrcpyW (in: lpString1=0x502a88, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036" [0103.058] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\*" [0103.058] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef116910, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x4e29a0 [0103.061] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0103.061] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0103.061] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0103.061] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0103.061] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0103.061] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0103.061] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef116910, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0103.069] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0103.069] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0103.069] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0103.069] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0103.069] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0103.070] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0103.070] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0103.070] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1be9a700, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x1be9a700, ftLastWriteTime.dwHighDateTime=0x1caca12, nFileSizeHigh=0x0, nFileSizeLow=0x3960, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="ENVELOPR.DLL.trx_dll", cAlternateFileName="ENVELO~1.TRX")) returned 1 [0103.070] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="Windows") returned -1 [0103.070] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="Program Files") returned -1 [0103.070] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0103.070] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0103.070] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0103.070] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2=".") returned 1 [0103.070] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="..") returned 1 [0103.070] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll") returned 72 [0103.070] lstrcmpW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="PUSSY.TXT") returned -1 [0103.070] PathFindExtensionW (pszPath="ENVELOPR.DLL.trx_dll") returned=".trx_dll" [0103.070] lstrlenW (lpString=".trx_dll") returned 8 [0103.070] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0103.070] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\envelopr.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0103.071] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=14688) returned 1 [0103.071] GetProcessHeap () returned 0x4c0000 [0103.071] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc8160 [0103.085] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="38") returned 2 [0103.085] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="75") returned 2 [0103.085] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="66") returned 2 [0103.085] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="35") returned 2 [0103.085] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="49") returned 2 [0103.085] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="BE") returned 2 [0103.085] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="C1") returned 2 [0103.085] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="A8") returned 2 [0103.085] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="BC") returned 2 [0103.085] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="70") returned 2 [0103.085] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="7F") returned 2 [0103.086] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="7D") returned 2 [0103.086] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="AF") returned 2 [0103.086] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="89") returned 2 [0103.086] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="F2") returned 2 [0103.086] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="EC") returned 2 [0103.086] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="5D") returned 2 [0103.086] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="D4") returned 2 [0103.086] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="18") returned 2 [0103.086] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="57") returned 2 [0103.086] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="4C") returned 2 [0103.086] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="7D") returned 2 [0103.086] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="FD") returned 2 [0103.086] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="E4") returned 2 [0103.086] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="9D") returned 2 [0103.086] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="4F") returned 2 [0103.086] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="E0") returned 2 [0103.086] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="BB") returned 2 [0103.086] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="6D") returned 2 [0103.086] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="E8") returned 2 [0103.086] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="4E") returned 2 [0103.086] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="79") returned 2 [0103.099] lstrcpyW (in: lpString1=0x3bd8194, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll" [0103.099] lstrcpyW (in: lpString1=0x3bc8194, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll" [0103.099] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll", lpString2=".3875663549BEC1A8BC707F7DAF89F2EC5DD418574C7DFDE49D4FE0BB6DE84E79" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll.3875663549BEC1A8BC707F7DAF89F2EC5DD418574C7DFDE49D4FE0BB6DE84E79") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll.3875663549BEC1A8BC707F7DAF89F2EC5DD418574C7DFDE49D4FE0BB6DE84E79" [0103.099] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x3bc8160, NumberOfConcurrentThreads=0x0) returned 0x94 [0103.099] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc8160, lpOverlapped=0x3bc8160) returned 1 [0103.099] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd48e100, ftCreationTime.dwHighDateTime=0x1cac7f7, ftLastAccessTime.dwLowDateTime=0xeedf6c30, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xbd48e100, ftLastWriteTime.dwHighDateTime=0x1cac7f7, nFileSizeHigh=0x0, nFileSizeLow=0xbf60, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="GRINTL32.DLL.trx_dll", cAlternateFileName="GRINTL~1.TRX")) returned 1 [0103.099] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="Windows") returned -1 [0103.100] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="Program Files") returned -1 [0103.100] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0103.100] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0103.100] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0103.100] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2=".") returned 1 [0103.100] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="..") returned 1 [0103.100] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll") returned 72 [0103.100] lstrcmpW (lpString1="GRINTL32.DLL.trx_dll", lpString2="PUSSY.TXT") returned -1 [0103.100] PathFindExtensionW (pszPath="GRINTL32.DLL.trx_dll") returned=".trx_dll" [0103.100] lstrlenW (lpString=".trx_dll") returned 8 [0103.100] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0103.100] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\grintl32.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0103.122] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=48992) returned 1 [0103.122] GetProcessHeap () returned 0x4c0000 [0103.122] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x554b38 [0103.137] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="51") returned 2 [0103.137] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="19") returned 2 [0103.137] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="5C") returned 2 [0103.137] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="D9") returned 2 [0103.137] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="6A") returned 2 [0103.137] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="68") returned 2 [0103.137] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="E6") returned 2 [0103.137] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="F9") returned 2 [0103.138] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="8A") returned 2 [0103.138] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="36") returned 2 [0103.138] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="21") returned 2 [0103.138] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="FF") returned 2 [0103.138] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="DE") returned 2 [0103.138] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="C8") returned 2 [0103.138] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="2A") returned 2 [0103.138] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="46") returned 2 [0103.138] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="52") returned 2 [0103.138] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="FC") returned 2 [0103.138] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="04") returned 2 [0103.138] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="70") returned 2 [0103.138] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="7F") returned 2 [0103.138] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="D7") returned 2 [0103.138] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="4A") returned 2 [0103.138] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="CF") returned 2 [0103.138] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="AA") returned 2 [0103.138] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="D4") returned 2 [0103.138] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="54") returned 2 [0103.138] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="C3") returned 2 [0103.138] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="F6") returned 2 [0103.138] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="85") returned 2 [0103.138] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="2D") returned 2 [0103.139] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="17") returned 2 [0103.161] lstrcpyW (in: lpString1=0x564b6c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll" [0103.161] lstrcpyW (in: lpString1=0x554b6c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll" [0103.161] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll", lpString2=".51195CD96A68E6F98A3621FFDEC82A4652FC04707FD74ACFAAD454C3F6852D17" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll.51195CD96A68E6F98A3621FFDEC82A4652FC04707FD74ACFAAD454C3F6852D17") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll.51195CD96A68E6F98A3621FFDEC82A4652FC04707FD74ACFAAD454C3F6852D17" [0103.161] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0x94, CompletionKey=0x554b38, NumberOfConcurrentThreads=0x0) returned 0x94 [0103.161] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x554b38, lpOverlapped=0x554b38) returned 1 [0103.162] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd48e100, ftCreationTime.dwHighDateTime=0x1cac7f7, ftLastAccessTime.dwLowDateTime=0xeedf6c30, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xbd48e100, ftLastWriteTime.dwHighDateTime=0x1cac7f7, nFileSizeHigh=0x0, nFileSizeLow=0x3d960, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="GRINTL32.REST.trx_dll", cAlternateFileName="GRINTL~2.TRX")) returned 1 [0103.162] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="Windows") returned -1 [0103.162] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="Program Files") returned -1 [0103.162] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0103.204] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0103.204] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="System Volume Information") returned -1 [0103.204] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2=".") returned 1 [0103.204] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="..") returned 1 [0103.204] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll") returned 73 [0103.205] lstrcmpW (lpString1="GRINTL32.REST.trx_dll", lpString2="PUSSY.TXT") returned -1 [0103.205] PathFindExtensionW (pszPath="GRINTL32.REST.trx_dll") returned=".trx_dll" [0103.205] lstrlenW (lpString=".trx_dll") returned 8 [0103.205] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0103.205] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\grintl32.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0103.207] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=252256) returned 1 [0103.207] GetProcessHeap () returned 0x4c0000 [0103.207] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc8160 [0103.219] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="C3") returned 2 [0103.219] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="F1") returned 2 [0103.219] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="8B") returned 2 [0103.219] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="AE") returned 2 [0103.219] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="5A") returned 2 [0103.219] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="D6") returned 2 [0103.219] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="96") returned 2 [0103.219] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="C3") returned 2 [0103.219] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="D4") returned 2 [0103.219] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="48") returned 2 [0103.219] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="07") returned 2 [0103.219] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="34") returned 2 [0103.219] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="B5") returned 2 [0103.219] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="A6") returned 2 [0103.220] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="34") returned 2 [0103.220] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="F9") returned 2 [0103.220] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="69") returned 2 [0103.220] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="BC") returned 2 [0103.220] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="E2") returned 2 [0103.220] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="9F") returned 2 [0103.220] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="EF") returned 2 [0103.220] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="DE") returned 2 [0103.220] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="EE") returned 2 [0103.220] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="36") returned 2 [0103.220] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="A2") returned 2 [0103.220] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="8E") returned 2 [0103.220] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="96") returned 2 [0103.220] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="0F") returned 2 [0103.220] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="EC") returned 2 [0103.220] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="A7") returned 2 [0103.220] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="11") returned 2 [0103.220] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="5C") returned 2 [0103.232] lstrcpyW (in: lpString1=0x3bd8194, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll" [0103.232] lstrcpyW (in: lpString1=0x3bc8194, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll" [0103.232] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll", lpString2=".C3F18BAE5AD696C3D4480734B5A634F969BCE29FEFDEEE36A28E960FECA7115C" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll.C3F18BAE5AD696C3D4480734B5A634F969BCE29FEFDEEE36A28E960FECA7115C") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll.C3F18BAE5AD696C3D4480734B5A634F969BCE29FEFDEEE36A28E960FECA7115C" [0103.232] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x3bc8160, NumberOfConcurrentThreads=0x0) returned 0x94 [0103.232] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc8160, lpOverlapped=0x3bc8160) returned 1 [0103.233] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1be9a700, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeee1cd90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x1be9a700, ftLastWriteTime.dwHighDateTime=0x1caca12, nFileSizeHigh=0x0, nFileSizeLow=0x49f60, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="MAPIR.DLL.trx_dll", cAlternateFileName="MAPIRD~1.TRX")) returned 1 [0103.233] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="Windows") returned -1 [0103.233] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="Program Files") returned -1 [0103.233] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0103.233] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0103.233] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0103.233] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2=".") returned 1 [0103.233] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="..") returned 1 [0103.234] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll") returned 69 [0103.234] lstrcmpW (lpString1="MAPIR.DLL.trx_dll", lpString2="PUSSY.TXT") returned -1 [0103.234] PathFindExtensionW (pszPath="MAPIR.DLL.trx_dll") returned=".trx_dll" [0103.234] lstrlenW (lpString=".trx_dll") returned 8 [0103.234] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0103.234] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\mapir.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a4 [0103.278] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=302944) returned 1 [0103.278] GetProcessHeap () returned 0x4c0000 [0103.278] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x512a90 [0103.297] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="57") returned 2 [0103.297] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="EF") returned 2 [0103.297] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="54") returned 2 [0103.297] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="0D") returned 2 [0103.297] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="F6") returned 2 [0103.297] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="8E") returned 2 [0103.297] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="99") returned 2 [0103.297] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="0F") returned 2 [0103.297] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="3F") returned 2 [0103.297] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="91") returned 2 [0103.297] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="8A") returned 2 [0103.297] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="9B") returned 2 [0103.297] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="71") returned 2 [0103.297] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="49") returned 2 [0103.297] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="BD") returned 2 [0103.297] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="1F") returned 2 [0103.297] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="F6") returned 2 [0103.297] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="3C") returned 2 [0103.297] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="DD") returned 2 [0103.297] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="7F") returned 2 [0103.297] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="CC") returned 2 [0103.298] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="32") returned 2 [0103.298] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="16") returned 2 [0103.298] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="DC") returned 2 [0103.298] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="A5") returned 2 [0103.298] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="4C") returned 2 [0103.298] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="31") returned 2 [0103.298] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="FA") returned 2 [0103.298] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="E0") returned 2 [0103.298] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="9C") returned 2 [0103.298] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="8A") returned 2 [0103.298] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="5E") returned 2 [0103.309] lstrcpyW (in: lpString1=0x522ac4, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll" [0103.309] lstrcpyW (in: lpString1=0x512ac4, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll" [0103.309] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll", lpString2=".57EF540DF68E990F3F918A9B7149BD1FF63CDD7FCC3216DCA54C31FAE09C8A5E" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll.57EF540DF68E990F3F918A9B7149BD1FF63CDD7FCC3216DCA54C31FAE09C8A5E") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll.57EF540DF68E990F3F918A9B7149BD1FF63CDD7FCC3216DCA54C31FAE09C8A5E" [0103.309] CreateIoCompletionPort (FileHandle=0x1a4, ExistingCompletionPort=0x94, CompletionKey=0x512a90, NumberOfConcurrentThreads=0x0) returned 0x94 [0103.309] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x512a90, lpOverlapped=0x512a90) returned 1 [0103.310] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa27f6800, ftCreationTime.dwHighDateTime=0x1cac809, ftLastAccessTime.dwLowDateTime=0xeee1cd90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xa27f6800, ftLastWriteTime.dwHighDateTime=0x1cac809, nFileSizeHigh=0x0, nFileSizeLow=0xc160, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="MOR6INT.REST.trx_dll", cAlternateFileName="MOR6IN~1.TRX")) returned 1 [0103.310] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="Windows") returned -1 [0103.310] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="Program Files") returned -1 [0103.310] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0103.310] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0103.310] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="System Volume Information") returned -1 [0103.310] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2=".") returned 1 [0103.310] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="..") returned 1 [0103.310] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll") returned 72 [0103.310] lstrcmpW (lpString1="MOR6INT.REST.trx_dll", lpString2="PUSSY.TXT") returned -1 [0103.311] PathFindExtensionW (pszPath="MOR6INT.REST.trx_dll") returned=".trx_dll" [0103.311] lstrlenW (lpString=".trx_dll") returned 8 [0103.311] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0103.311] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\mor6int.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0103.312] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=49504) returned 1 [0103.312] GetProcessHeap () returned 0x4c0000 [0103.312] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x57cb88 [0103.321] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="8D") returned 2 [0103.321] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="B5") returned 2 [0103.321] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="AB") returned 2 [0103.322] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="42") returned 2 [0103.322] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="2F") returned 2 [0103.322] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="20") returned 2 [0103.322] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="B0") returned 2 [0103.322] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="A9") returned 2 [0103.322] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="00") returned 2 [0103.322] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="AE") returned 2 [0103.322] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="FA") returned 2 [0103.322] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="73") returned 2 [0103.322] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="88") returned 2 [0103.322] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="92") returned 2 [0103.322] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="B6") returned 2 [0103.322] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="1D") returned 2 [0103.322] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="98") returned 2 [0103.322] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="E5") returned 2 [0103.322] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="8F") returned 2 [0103.322] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="92") returned 2 [0103.322] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="DD") returned 2 [0103.322] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="D9") returned 2 [0103.322] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="1D") returned 2 [0103.322] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="9D") returned 2 [0103.322] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="E1") returned 2 [0103.322] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="E2") returned 2 [0103.322] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="7B") returned 2 [0103.322] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="A1") returned 2 [0103.322] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="B5") returned 2 [0103.322] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="16") returned 2 [0103.322] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="ED") returned 2 [0103.323] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="40") returned 2 [0103.330] lstrcpyW (in: lpString1=0x58cbbc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll" [0103.330] lstrcpyW (in: lpString1=0x57cbbc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll" [0103.331] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll", lpString2=".8DB5AB422F20B0A900AEFA738892B61D98E58F92DDD91D9DE1E27BA1B516ED40" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll.8DB5AB422F20B0A900AEFA738892B61D98E58F92DDD91D9DE1E27BA1B516ED40") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll.8DB5AB422F20B0A900AEFA738892B61D98E58F92DDD91D9DE1E27BA1B516ED40" [0103.331] CreateIoCompletionPort (FileHandle=0x16c, ExistingCompletionPort=0x94, CompletionKey=0x57cb88, NumberOfConcurrentThreads=0x0) returned 0x94 [0103.331] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x57cb88, lpOverlapped=0x57cb88) returned 1 [0103.331] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9f53ca00, ftCreationTime.dwHighDateTime=0x1caca0b, ftLastAccessTime.dwLowDateTime=0xeee42ef0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x9f53ca00, ftLastWriteTime.dwHighDateTime=0x1caca0b, nFileSizeHigh=0x0, nFileSizeLow=0x17960, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="MSOINTL.DLL.trx_dll", cAlternateFileName="MSOINT~1.TRX")) returned 1 [0103.331] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0103.331] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="Program Files") returned -1 [0103.331] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0103.331] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0103.331] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0103.331] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2=".") returned 1 [0103.331] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="..") returned 1 [0103.331] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll") returned 71 [0103.331] lstrcmpW (lpString1="MSOINTL.DLL.trx_dll", lpString2="PUSSY.TXT") returned -1 [0103.331] PathFindExtensionW (pszPath="MSOINTL.DLL.trx_dll") returned=".trx_dll" [0103.331] lstrlenW (lpString=".trx_dll") returned 8 [0103.331] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0103.331] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\msointl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a0 [0103.332] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=96608) returned 1 [0103.332] GetProcessHeap () returned 0x4c0000 [0103.332] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b380a0 [0103.341] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="62") returned 2 [0103.341] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="89") returned 2 [0103.341] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="6D") returned 2 [0103.341] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="41") returned 2 [0103.341] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="4C") returned 2 [0103.341] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="9A") returned 2 [0103.341] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="0C") returned 2 [0103.341] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="0F") returned 2 [0103.341] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="A5") returned 2 [0103.341] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="A8") returned 2 [0103.341] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="D1") returned 2 [0103.341] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="74") returned 2 [0103.341] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="B7") returned 2 [0103.341] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="C9") returned 2 [0103.341] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="F4") returned 2 [0103.341] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="25") returned 2 [0103.341] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="1B") returned 2 [0103.341] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="79") returned 2 [0103.342] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="AA") returned 2 [0103.342] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="B3") returned 2 [0103.342] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="80") returned 2 [0103.342] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="96") returned 2 [0103.342] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="AD") returned 2 [0103.342] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="EC") returned 2 [0103.342] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="34") returned 2 [0103.342] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="10") returned 2 [0103.342] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="1D") returned 2 [0103.342] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="92") returned 2 [0103.342] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="41") returned 2 [0103.342] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="A2") returned 2 [0103.342] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="41") returned 2 [0103.342] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="23") returned 2 [0103.369] lstrcpyW (in: lpString1=0x3b480d4, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll" [0103.370] lstrcpyW (in: lpString1=0x3b380d4, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll" [0103.370] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll", lpString2=".62896D414C9A0C0FA5A8D174B7C9F4251B79AAB38096ADEC34101D9241A24123" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll.62896D414C9A0C0FA5A8D174B7C9F4251B79AAB38096ADEC34101D9241A24123") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll.62896D414C9A0C0FA5A8D174B7C9F4251B79AAB38096ADEC34101D9241A24123" [0103.370] CreateIoCompletionPort (FileHandle=0x1a0, ExistingCompletionPort=0x94, CompletionKey=0x3b380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0103.370] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b380a0, lpOverlapped=0x3b380a0) returned 1 [0103.370] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9f53ca00, ftCreationTime.dwHighDateTime=0x1caca0b, ftLastAccessTime.dwLowDateTime=0xeeeb5310, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x9f53ca00, ftLastWriteTime.dwHighDateTime=0x1caca0b, nFileSizeHigh=0x0, nFileSizeLow=0x2ced60, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="MSOINTL.REST.trx_dll", cAlternateFileName="MSOINT~2.TRX")) returned 1 [0103.370] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="Windows") returned -1 [0103.370] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="Program Files") returned -1 [0103.370] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0103.370] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0103.370] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="System Volume Information") returned -1 [0103.370] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2=".") returned 1 [0103.370] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="..") returned 1 [0103.370] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll") returned 72 [0103.370] lstrcmpW (lpString1="MSOINTL.REST.trx_dll", lpString2="PUSSY.TXT") returned -1 [0103.371] PathFindExtensionW (pszPath="MSOINTL.REST.trx_dll") returned=".trx_dll" [0103.371] lstrlenW (lpString=".trx_dll") returned 8 [0103.371] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0103.371] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\msointl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x188 [0103.372] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=2944352) returned 1 [0103.372] GetProcessHeap () returned 0x4c0000 [0103.372] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b600f0 [0103.381] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="EE") returned 2 [0103.381] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="71") returned 2 [0103.381] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="B3") returned 2 [0103.381] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="EA") returned 2 [0103.382] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="2E") returned 2 [0103.382] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="70") returned 2 [0103.382] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="B3") returned 2 [0103.382] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="ED") returned 2 [0103.382] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="66") returned 2 [0103.382] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="3D") returned 2 [0103.382] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="23") returned 2 [0103.382] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="F3") returned 2 [0103.382] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="AB") returned 2 [0103.382] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="7C") returned 2 [0103.382] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="94") returned 2 [0103.382] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="71") returned 2 [0103.382] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="2A") returned 2 [0103.382] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="4A") returned 2 [0103.382] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="DB") returned 2 [0103.382] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="0B") returned 2 [0103.382] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="4F") returned 2 [0103.382] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="4F") returned 2 [0103.382] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="CD") returned 2 [0103.382] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="E7") returned 2 [0103.382] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="C4") returned 2 [0103.382] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="F1") returned 2 [0103.382] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="85") returned 2 [0103.382] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="37") returned 2 [0103.382] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="5E") returned 2 [0103.382] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="86") returned 2 [0103.382] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="AF") returned 2 [0103.383] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="35") returned 2 [0103.391] lstrcpyW (in: lpString1=0x3b70124, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll" [0103.392] lstrcpyW (in: lpString1=0x3b60124, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll" [0103.392] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll", lpString2=".EE71B3EA2E70B3ED663D23F3AB7C94712A4ADB0B4F4FCDE7C4F185375E86AF35" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll.EE71B3EA2E70B3ED663D23F3AB7C94712A4ADB0B4F4FCDE7C4F185375E86AF35") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll.EE71B3EA2E70B3ED663D23F3AB7C94712A4ADB0B4F4FCDE7C4F185375E86AF35" [0103.392] CreateIoCompletionPort (FileHandle=0x188, ExistingCompletionPort=0x94, CompletionKey=0x3b600f0, NumberOfConcurrentThreads=0x0) returned 0x94 [0103.392] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b600f0, lpOverlapped=0x3b600f0) returned 1 [0103.392] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaa381000, ftCreationTime.dwHighDateTime=0x1cac7fb, ftLastAccessTime.dwLowDateTime=0xeef27730, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xaa381000, ftLastWriteTime.dwHighDateTime=0x1cac7fb, nFileSizeHigh=0x0, nFileSizeLow=0xb360, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="OMSINTL.DLL.trx_dll", cAlternateFileName="OMSINT~1.TRX")) returned 1 [0103.392] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0103.392] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="Program Files") returned -1 [0103.392] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0103.392] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0103.392] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0103.392] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2=".") returned 1 [0103.392] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="..") returned 1 [0103.392] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll") returned 71 [0103.392] lstrcmpW (lpString1="OMSINTL.DLL.trx_dll", lpString2="PUSSY.TXT") returned -1 [0103.392] PathFindExtensionW (pszPath="OMSINTL.DLL.trx_dll") returned=".trx_dll" [0103.392] lstrlenW (lpString=".trx_dll") returned 8 [0103.392] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0103.392] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\omsintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x198 [0103.394] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=45920) returned 1 [0103.394] GetProcessHeap () returned 0x4c0000 [0103.394] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b88140 [0103.403] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="F9") returned 2 [0103.403] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="C4") returned 2 [0103.403] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="BA") returned 2 [0103.403] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="04") returned 2 [0103.403] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="80") returned 2 [0103.403] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="AE") returned 2 [0103.403] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="7F") returned 2 [0103.403] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="C7") returned 2 [0103.403] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="E8") returned 2 [0103.403] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="AA") returned 2 [0103.403] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="44") returned 2 [0103.403] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="96") returned 2 [0103.403] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="92") returned 2 [0103.403] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="99") returned 2 [0103.403] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="41") returned 2 [0103.403] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="1D") returned 2 [0103.404] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="07") returned 2 [0103.404] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="EF") returned 2 [0103.404] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="63") returned 2 [0103.404] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="B1") returned 2 [0103.404] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="A8") returned 2 [0103.404] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="00") returned 2 [0103.404] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="4B") returned 2 [0103.404] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="3E") returned 2 [0103.404] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="1A") returned 2 [0103.404] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="2B") returned 2 [0103.404] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="80") returned 2 [0103.404] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="03") returned 2 [0103.404] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="83") returned 2 [0103.404] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="DB") returned 2 [0103.404] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="1F") returned 2 [0103.404] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="31") returned 2 [0103.413] lstrcpyW (in: lpString1=0x3b98174, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll" [0103.413] lstrcpyW (in: lpString1=0x3b88174, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll" [0103.413] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll", lpString2=".F9C4BA0480AE7FC7E8AA44969299411D07EF63B1A8004B3E1A2B800383DB1F31" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll.F9C4BA0480AE7FC7E8AA44969299411D07EF63B1A8004B3E1A2B800383DB1F31") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll.F9C4BA0480AE7FC7E8AA44969299411D07EF63B1A8004B3E1A2B800383DB1F31" [0103.413] CreateIoCompletionPort (FileHandle=0x198, ExistingCompletionPort=0x94, CompletionKey=0x3b88140, NumberOfConcurrentThreads=0x0) returned 0x94 [0103.413] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b88140, lpOverlapped=0x3b88140) returned 1 [0103.414] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7337cc00, ftCreationTime.dwHighDateTime=0x1cacf6a, ftLastAccessTime.dwLowDateTime=0xeef27730, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x7337cc00, ftLastWriteTime.dwHighDateTime=0x1cacf6a, nFileSizeHigh=0x0, nFileSizeLow=0x7b60, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="ONINTL.DLL.trx_dll", cAlternateFileName="ONINTL~1.TRX")) returned 1 [0103.414] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0103.414] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="Program Files") returned -1 [0103.414] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0103.414] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0103.414] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0103.414] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2=".") returned 1 [0103.414] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="..") returned 1 [0103.414] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll") returned 70 [0103.414] lstrcmpW (lpString1="ONINTL.DLL.trx_dll", lpString2="PUSSY.TXT") returned -1 [0103.414] PathFindExtensionW (pszPath="ONINTL.DLL.trx_dll") returned=".trx_dll" [0103.414] lstrlenW (lpString=".trx_dll") returned 8 [0103.414] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0103.414] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\onintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x170 [0103.430] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=31584) returned 1 [0103.430] GetProcessHeap () returned 0x4c0000 [0103.430] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0103.584] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="91") returned 2 [0103.584] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="2A") returned 2 [0103.584] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="0D") returned 2 [0103.584] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="89") returned 2 [0103.584] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="B9") returned 2 [0103.584] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="7A") returned 2 [0103.585] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="00") returned 2 [0103.585] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="6E") returned 2 [0103.585] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="2A") returned 2 [0103.585] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="C3") returned 2 [0103.585] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="1E") returned 2 [0103.585] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="1E") returned 2 [0103.585] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="E4") returned 2 [0103.585] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="E9") returned 2 [0103.585] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="79") returned 2 [0103.585] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="9A") returned 2 [0103.585] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="38") returned 2 [0103.585] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="77") returned 2 [0103.585] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="98") returned 2 [0103.585] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="36") returned 2 [0103.585] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="56") returned 2 [0103.585] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="35") returned 2 [0103.585] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="54") returned 2 [0103.585] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="05") returned 2 [0103.585] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="CC") returned 2 [0103.585] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="66") returned 2 [0103.585] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="59") returned 2 [0103.585] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="69") returned 2 [0103.585] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="EA") returned 2 [0103.585] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="42") returned 2 [0103.585] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="84") returned 2 [0103.585] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="02") returned 2 [0103.596] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll" [0103.596] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll" [0103.596] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll", lpString2=".912A0D89B97A006E2AC31E1EE4E9799A3877983656355405CC665969EA428402" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll.912A0D89B97A006E2AC31E1EE4E9799A3877983656355405CC665969EA428402") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll.912A0D89B97A006E2AC31E1EE4E9799A3877983656355405CC665969EA428402" [0103.596] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0103.597] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0103.597] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7337cc00, ftCreationTime.dwHighDateTime=0x1cacf6a, ftLastAccessTime.dwLowDateTime=0xeef4d890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x7337cc00, ftLastWriteTime.dwHighDateTime=0x1cacf6a, nFileSizeHigh=0x0, nFileSizeLow=0x3fb60, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="ONINTL.REST.trx_dll", cAlternateFileName="ONINTL~2.TRX")) returned 1 [0103.597] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="Windows") returned -1 [0103.630] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="Program Files") returned -1 [0103.630] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0103.630] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0103.630] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="System Volume Information") returned -1 [0103.630] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2=".") returned 1 [0103.630] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="..") returned 1 [0103.630] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll") returned 71 [0103.630] lstrcmpW (lpString1="ONINTL.REST.trx_dll", lpString2="PUSSY.TXT") returned -1 [0103.630] PathFindExtensionW (pszPath="ONINTL.REST.trx_dll") returned=".trx_dll" [0103.630] lstrlenW (lpString=".trx_dll") returned 8 [0103.631] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0103.631] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\onintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x190 [0103.665] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=260960) returned 1 [0103.665] GetProcessHeap () returned 0x4c0000 [0103.665] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c28098 [0103.724] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="1A") returned 2 [0103.724] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="CE") returned 2 [0103.724] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="6B") returned 2 [0103.724] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="11") returned 2 [0103.724] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="50") returned 2 [0103.724] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="E9") returned 2 [0103.725] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="B8") returned 2 [0103.725] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="50") returned 2 [0103.725] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="B9") returned 2 [0103.725] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="E5") returned 2 [0103.725] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="F1") returned 2 [0103.725] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="DA") returned 2 [0103.725] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="F0") returned 2 [0103.725] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="58") returned 2 [0103.725] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="47") returned 2 [0103.725] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="68") returned 2 [0103.725] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="79") returned 2 [0103.725] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="34") returned 2 [0103.725] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="A4") returned 2 [0103.725] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="C6") returned 2 [0103.725] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="DE") returned 2 [0103.725] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="AD") returned 2 [0103.725] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="DF") returned 2 [0103.725] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="20") returned 2 [0103.725] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="77") returned 2 [0103.725] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="C1") returned 2 [0103.725] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="9E") returned 2 [0103.725] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="29") returned 2 [0103.725] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="EE") returned 2 [0103.725] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="C1") returned 2 [0103.725] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="B7") returned 2 [0103.725] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="55") returned 2 [0103.738] lstrcpyW (in: lpString1=0x3c380cc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll" [0103.738] lstrcpyW (in: lpString1=0x3c280cc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll" [0103.738] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll", lpString2=".1ACE6B1150E9B850B9E5F1DAF05847687934A4C6DEADDF2077C19E29EEC1B755" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll.1ACE6B1150E9B850B9E5F1DAF05847687934A4C6DEADDF2077C19E29EEC1B755") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll.1ACE6B1150E9B850B9E5F1DAF05847687934A4C6DEADDF2077C19E29EEC1B755" [0103.738] CreateIoCompletionPort (FileHandle=0x190, ExistingCompletionPort=0x94, CompletionKey=0x3c28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0103.738] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c28098, lpOverlapped=0x3c28098) returned 1 [0103.739] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1ab87a00, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeef4d890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x1ab87a00, ftLastWriteTime.dwHighDateTime=0x1caca12, nFileSizeHigh=0x0, nFileSizeLow=0x37560, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="OUTLLIBR.DLL.trx_dll", cAlternateFileName="OUTLLI~1.TRX")) returned 1 [0103.739] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="Windows") returned -1 [0103.739] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="Program Files") returned -1 [0103.800] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0103.800] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0103.800] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0103.801] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2=".") returned 1 [0103.801] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="..") returned 1 [0103.801] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll") returned 72 [0103.801] lstrcmpW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="PUSSY.TXT") returned -1 [0103.801] PathFindExtensionW (pszPath="OUTLLIBR.DLL.trx_dll") returned=".trx_dll" [0103.801] lstrlenW (lpString=".trx_dll") returned 8 [0103.801] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0103.801] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\outllibr.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0103.802] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=226656) returned 1 [0103.802] GetProcessHeap () returned 0x4c0000 [0103.802] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0103.814] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="0D") returned 2 [0103.814] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="7C") returned 2 [0103.815] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="F7") returned 2 [0103.815] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="D5") returned 2 [0103.815] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="59") returned 2 [0103.815] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="0F") returned 2 [0103.815] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="B0") returned 2 [0103.815] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="96") returned 2 [0103.815] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="5E") returned 2 [0103.815] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="5E") returned 2 [0103.815] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="12") returned 2 [0103.815] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="63") returned 2 [0103.815] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="F9") returned 2 [0103.815] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="39") returned 2 [0103.815] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="40") returned 2 [0103.815] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="04") returned 2 [0103.815] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="C7") returned 2 [0103.815] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="F2") returned 2 [0103.815] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="AA") returned 2 [0103.815] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="02") returned 2 [0103.815] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="8F") returned 2 [0103.815] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="E9") returned 2 [0103.815] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="D2") returned 2 [0103.816] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="69") returned 2 [0103.816] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="09") returned 2 [0103.816] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="CC") returned 2 [0103.816] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="77") returned 2 [0103.816] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="37") returned 2 [0103.816] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="CC") returned 2 [0103.816] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="0E") returned 2 [0103.816] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="F5") returned 2 [0103.816] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="09") returned 2 [0103.828] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll" [0103.828] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll" [0103.828] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll", lpString2=".0D7CF7D5590FB0965E5E1263F9394004C7F2AA028FE9D26909CC7737CC0EF509" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll.0D7CF7D5590FB0965E5E1263F9394004C7F2AA028FE9D26909CC7737CC0EF509") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll.0D7CF7D5590FB0965E5E1263F9394004C7F2AA028FE9D26909CC7737CC0EF509" [0103.828] CreateIoCompletionPort (FileHandle=0x16c, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0103.828] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0103.829] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1ab87a00, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeef739f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x1ab87a00, ftLastWriteTime.dwHighDateTime=0x1caca12, nFileSizeHigh=0x0, nFileSizeLow=0xa6560, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="OUTLLIBR.REST.trx_dll", cAlternateFileName="OUTLLI~2.TRX")) returned 1 [0103.829] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="Windows") returned -1 [0103.829] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="Program Files") returned -1 [0103.870] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0103.870] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0103.870] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="System Volume Information") returned -1 [0103.870] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2=".") returned 1 [0103.870] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="..") returned 1 [0103.870] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll") returned 73 [0103.870] lstrcmpW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="PUSSY.TXT") returned -1 [0103.870] PathFindExtensionW (pszPath="OUTLLIBR.REST.trx_dll") returned=".trx_dll" [0103.870] lstrlenW (lpString=".trx_dll") returned 8 [0103.870] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0103.871] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\outllibr.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x170 [0103.871] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=681312) returned 1 [0103.872] GetProcessHeap () returned 0x4c0000 [0103.872] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc8160 [0103.884] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="45") returned 2 [0103.884] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="F4") returned 2 [0103.884] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="8C") returned 2 [0103.884] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="B3") returned 2 [0103.884] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="02") returned 2 [0103.884] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="AD") returned 2 [0103.885] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="E9") returned 2 [0103.885] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="31") returned 2 [0103.885] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="01") returned 2 [0103.885] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="EA") returned 2 [0103.885] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="9E") returned 2 [0103.885] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="D3") returned 2 [0103.885] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="9D") returned 2 [0103.885] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="42") returned 2 [0103.885] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="08") returned 2 [0103.885] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="02") returned 2 [0103.885] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="7A") returned 2 [0103.885] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="1F") returned 2 [0103.885] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="D8") returned 2 [0103.885] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="61") returned 2 [0103.885] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="97") returned 2 [0103.885] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="30") returned 2 [0103.885] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="57") returned 2 [0103.885] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="B2") returned 2 [0103.885] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="94") returned 2 [0103.885] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="3B") returned 2 [0103.885] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="35") returned 2 [0103.885] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="FF") returned 2 [0103.885] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="B0") returned 2 [0103.885] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="1D") returned 2 [0103.886] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="66") returned 2 [0103.886] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="4C") returned 2 [0103.898] lstrcpyW (in: lpString1=0x3bd8194, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll" [0103.898] lstrcpyW (in: lpString1=0x3bc8194, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll" [0103.898] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll", lpString2=".45F48CB302ADE93101EA9ED39D4208027A1FD861973057B2943B35FFB01D664C" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll.45F48CB302ADE93101EA9ED39D4208027A1FD861973057B2943B35FFB01D664C") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll.45F48CB302ADE93101EA9ED39D4208027A1FD861973057B2943B35FFB01D664C" [0103.898] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x94, CompletionKey=0x3bc8160, NumberOfConcurrentThreads=0x0) returned 0x94 [0103.898] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc8160, lpOverlapped=0x3bc8160) returned 1 [0103.898] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1be9a700, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeef739f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x1be9a700, ftLastWriteTime.dwHighDateTime=0x1caca12, nFileSizeHigh=0x0, nFileSizeLow=0x2b60, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="OUTLWVW.DLL.trx_dll", cAlternateFileName="OUTLWV~1.TRX")) returned 1 [0103.898] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="Windows") returned -1 [0103.898] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="Program Files") returned -1 [0103.898] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0103.898] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0103.898] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0103.898] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2=".") returned 1 [0103.898] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="..") returned 1 [0103.899] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll") returned 71 [0103.899] lstrcmpW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="PUSSY.TXT") returned -1 [0103.899] PathFindExtensionW (pszPath="OUTLWVW.DLL.trx_dll") returned=".trx_dll" [0103.899] lstrlenW (lpString=".trx_dll") returned 8 [0103.899] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0103.899] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\outlwvw.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x198 [0103.899] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=11104) returned 1 [0103.899] GetProcessHeap () returned 0x4c0000 [0103.899] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x554b38 [0103.913] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="52") returned 2 [0103.913] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="FB") returned 2 [0103.913] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="CA") returned 2 [0103.913] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="4A") returned 2 [0103.913] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="AB") returned 2 [0103.913] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="AD") returned 2 [0103.913] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="8F") returned 2 [0103.913] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="7B") returned 2 [0103.913] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="06") returned 2 [0103.913] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="0D") returned 2 [0103.913] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="CE") returned 2 [0103.913] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="E4") returned 2 [0103.913] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="74") returned 2 [0103.913] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="FE") returned 2 [0103.913] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="1E") returned 2 [0103.913] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="68") returned 2 [0103.913] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="95") returned 2 [0103.913] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="C2") returned 2 [0103.913] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="1B") returned 2 [0103.914] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="54") returned 2 [0103.914] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="3E") returned 2 [0103.914] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="80") returned 2 [0103.914] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="3D") returned 2 [0103.914] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="C7") returned 2 [0103.914] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="67") returned 2 [0103.914] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="7B") returned 2 [0103.914] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="A6") returned 2 [0103.914] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="C5") returned 2 [0103.914] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="04") returned 2 [0103.914] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="97") returned 2 [0103.914] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="D4") returned 2 [0103.914] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="4B") returned 2 [0103.990] lstrcpyW (in: lpString1=0x564b6c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll" [0103.990] lstrcpyW (in: lpString1=0x554b6c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll" [0103.990] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll", lpString2=".52FBCA4AABAD8F7B060DCEE474FE1E6895C21B543E803DC7677BA6C50497D44B" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll.52FBCA4AABAD8F7B060DCEE474FE1E6895C21B543E803DC7677BA6C50497D44B") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll.52FBCA4AABAD8F7B060DCEE474FE1E6895C21B543E803DC7677BA6C50497D44B" [0103.990] CreateIoCompletionPort (FileHandle=0x198, ExistingCompletionPort=0x94, CompletionKey=0x554b38, NumberOfConcurrentThreads=0x0) returned 0x94 [0103.990] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x554b38, lpOverlapped=0x554b38) returned 1 [0103.991] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7cef6000, ftCreationTime.dwHighDateTime=0x1cac803, ftLastAccessTime.dwLowDateTime=0xef00bf70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x7cef6000, ftLastWriteTime.dwHighDateTime=0x1cac803, nFileSizeHigh=0x0, nFileSizeLow=0xcd60, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="PPINTL.DLL.trx_dll", cAlternateFileName="PPINTL~1.TRX")) returned 1 [0103.991] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0104.006] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="Program Files") returned -1 [0104.006] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0104.006] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0104.006] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0104.006] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2=".") returned 1 [0104.006] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="..") returned 1 [0104.006] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll") returned 70 [0104.006] lstrcmpW (lpString1="PPINTL.DLL.trx_dll", lpString2="PUSSY.TXT") returned -1 [0104.006] PathFindExtensionW (pszPath="PPINTL.DLL.trx_dll") returned=".trx_dll" [0104.006] lstrlenW (lpString=".trx_dll") returned 8 [0104.006] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0104.006] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\ppintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x170 [0104.007] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=52576) returned 1 [0104.007] GetProcessHeap () returned 0x4c0000 [0104.007] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc8160 [0104.020] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="15") returned 2 [0104.020] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="53") returned 2 [0104.020] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="6C") returned 2 [0104.020] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="AC") returned 2 [0104.020] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="8E") returned 2 [0104.020] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="DB") returned 2 [0104.020] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="5D") returned 2 [0104.020] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="3C") returned 2 [0104.020] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="1E") returned 2 [0104.021] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="FC") returned 2 [0104.021] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="11") returned 2 [0104.021] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="9C") returned 2 [0104.021] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="DA") returned 2 [0104.021] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="24") returned 2 [0104.021] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="7F") returned 2 [0104.021] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="DA") returned 2 [0104.021] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="EA") returned 2 [0104.021] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="C2") returned 2 [0104.021] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="C7") returned 2 [0104.021] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="5A") returned 2 [0104.021] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="F7") returned 2 [0104.021] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="AE") returned 2 [0104.021] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="FC") returned 2 [0104.021] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="90") returned 2 [0104.021] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="8D") returned 2 [0104.021] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="00") returned 2 [0104.021] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="9A") returned 2 [0104.021] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="89") returned 2 [0104.021] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="64") returned 2 [0104.021] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="5D") returned 2 [0104.021] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="95") returned 2 [0104.021] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="6E") returned 2 [0104.034] lstrcpyW (in: lpString1=0x3bd8194, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll" [0104.034] lstrcpyW (in: lpString1=0x3bc8194, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll" [0104.034] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll", lpString2=".15536CAC8EDB5D3C1EFC119CDA247FDAEAC2C75AF7AEFC908D009A89645D956E" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll.15536CAC8EDB5D3C1EFC119CDA247FDAEAC2C75AF7AEFC908D009A89645D956E") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll.15536CAC8EDB5D3C1EFC119CDA247FDAEAC2C75AF7AEFC908D009A89645D956E" [0104.034] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x94, CompletionKey=0x3bc8160, NumberOfConcurrentThreads=0x0) returned 0x94 [0104.034] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc8160, lpOverlapped=0x3bc8160) returned 1 [0104.034] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7cef6000, ftCreationTime.dwHighDateTime=0x1cac803, ftLastAccessTime.dwLowDateTime=0xef00bf70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x7cef6000, ftLastWriteTime.dwHighDateTime=0x1cac803, nFileSizeHigh=0x0, nFileSizeLow=0x45f60, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="PPINTL.REST.trx_dll", cAlternateFileName="PPINTL~2.TRX")) returned 1 [0104.034] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="Windows") returned -1 [0104.034] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="Program Files") returned -1 [0104.034] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0104.034] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0104.034] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="System Volume Information") returned -1 [0104.034] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2=".") returned 1 [0104.034] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="..") returned 1 [0104.034] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll") returned 71 [0104.034] lstrcmpW (lpString1="PPINTL.REST.trx_dll", lpString2="PUSSY.TXT") returned -1 [0104.034] PathFindExtensionW (pszPath="PPINTL.REST.trx_dll") returned=".trx_dll" [0104.034] lstrlenW (lpString=".trx_dll") returned 8 [0104.035] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0104.035] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\ppintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0104.081] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=286560) returned 1 [0104.081] GetProcessHeap () returned 0x4c0000 [0104.081] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x57cb88 [0104.094] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="52") returned 2 [0104.094] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="FA") returned 2 [0104.094] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="B7") returned 2 [0104.094] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="1D") returned 2 [0104.094] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="9D") returned 2 [0104.094] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="63") returned 2 [0104.094] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="58") returned 2 [0104.094] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="4C") returned 2 [0104.094] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="01") returned 2 [0104.094] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="E1") returned 2 [0104.094] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="EB") returned 2 [0104.094] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="78") returned 2 [0104.094] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="F5") returned 2 [0104.094] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="47") returned 2 [0104.094] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="E0") returned 2 [0104.094] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="62") returned 2 [0104.094] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="A1") returned 2 [0104.094] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="68") returned 2 [0104.094] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="BB") returned 2 [0104.094] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="9B") returned 2 [0104.094] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="3D") returned 2 [0104.094] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="9C") returned 2 [0104.094] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="0F") returned 2 [0104.095] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="E6") returned 2 [0104.095] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="0D") returned 2 [0104.095] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="BC") returned 2 [0104.095] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="4B") returned 2 [0104.095] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="0D") returned 2 [0104.095] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="CC") returned 2 [0104.095] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="C9") returned 2 [0104.095] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="AC") returned 2 [0104.095] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="72") returned 2 [0104.107] lstrcpyW (in: lpString1=0x58cbbc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll" [0104.107] lstrcpyW (in: lpString1=0x57cbbc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll" [0104.107] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll", lpString2=".52FAB71D9D63584C01E1EB78F547E062A168BB9B3D9C0FE60DBC4B0DCCC9AC72" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll.52FAB71D9D63584C01E1EB78F547E062A168BB9B3D9C0FE60DBC4B0DCCC9AC72") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll.52FAB71D9D63584C01E1EB78F547E062A168BB9B3D9C0FE60DBC4B0DCCC9AC72" [0104.107] CreateIoCompletionPort (FileHandle=0x16c, ExistingCompletionPort=0x94, CompletionKey=0x57cb88, NumberOfConcurrentThreads=0x0) returned 0x94 [0104.107] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x57cb88, lpOverlapped=0x57cb88) returned 1 [0104.108] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa3b09500, ftCreationTime.dwHighDateTime=0x1cac809, ftLastAccessTime.dwLowDateTime=0xef00bf70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xa3b09500, ftLastWriteTime.dwHighDateTime=0x1cac809, nFileSizeHigh=0x0, nFileSizeLow=0x1a360, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="PUB6INTL.DLL.trx_dll", cAlternateFileName="PUB6IN~1.TRX")) returned 1 [0104.108] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="Windows") returned -1 [0104.108] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="Program Files") returned 1 [0104.108] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0104.108] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0104.108] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0104.108] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2=".") returned 1 [0104.108] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="..") returned 1 [0104.108] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll") returned 72 [0104.108] lstrcmpW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="PUSSY.TXT") returned -1 [0104.108] PathFindExtensionW (pszPath="PUB6INTL.DLL.trx_dll") returned=".trx_dll" [0104.108] lstrlenW (lpString=".trx_dll") returned 8 [0104.108] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0104.108] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\pub6intl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x190 [0104.152] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=107360) returned 1 [0104.152] GetProcessHeap () returned 0x4c0000 [0104.152] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x512a90 [0104.165] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="4D") returned 2 [0104.165] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="3A") returned 2 [0104.165] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="26") returned 2 [0104.165] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="7B") returned 2 [0104.165] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="DD") returned 2 [0104.165] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="8B") returned 2 [0104.165] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="33") returned 2 [0104.165] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="EB") returned 2 [0104.165] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="9F") returned 2 [0104.165] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="BF") returned 2 [0104.165] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="A0") returned 2 [0104.165] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="BC") returned 2 [0104.165] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="04") returned 2 [0104.165] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="F2") returned 2 [0104.165] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="C9") returned 2 [0104.165] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="A3") returned 2 [0104.165] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="56") returned 2 [0104.165] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="57") returned 2 [0104.165] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="1F") returned 2 [0104.166] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="23") returned 2 [0104.166] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="5F") returned 2 [0104.166] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="66") returned 2 [0104.166] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="0F") returned 2 [0104.166] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="25") returned 2 [0104.166] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="F4") returned 2 [0104.166] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="08") returned 2 [0104.166] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="61") returned 2 [0104.166] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="92") returned 2 [0104.166] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="59") returned 2 [0104.166] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="51") returned 2 [0104.166] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="89") returned 2 [0104.166] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="73") returned 2 [0104.179] lstrcpyW (in: lpString1=0x522ac4, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll" [0104.179] lstrcpyW (in: lpString1=0x512ac4, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll" [0104.179] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll", lpString2=".4D3A267BDD8B33EB9FBFA0BC04F2C9A356571F235F660F25F408619259518973" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll.4D3A267BDD8B33EB9FBFA0BC04F2C9A356571F235F660F25F408619259518973") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll.4D3A267BDD8B33EB9FBFA0BC04F2C9A356571F235F660F25F408619259518973" [0104.179] CreateIoCompletionPort (FileHandle=0x190, ExistingCompletionPort=0x94, CompletionKey=0x512a90, NumberOfConcurrentThreads=0x0) returned 0x94 [0104.179] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x512a90, lpOverlapped=0x512a90) returned 1 [0104.179] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa27f6800, ftCreationTime.dwHighDateTime=0x1cac809, ftLastAccessTime.dwLowDateTime=0xef0320d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xa27f6800, ftLastWriteTime.dwHighDateTime=0x1cac809, nFileSizeHigh=0x0, nFileSizeLow=0x8e160, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="PUB6INTL.REST.trx_dll", cAlternateFileName="PUB6IN~2.TRX")) returned 1 [0104.179] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="Windows") returned -1 [0104.179] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="Program Files") returned 1 [0104.179] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="Program Files (x86)") returned 1 [0104.179] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0104.179] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="System Volume Information") returned -1 [0104.179] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2=".") returned 1 [0104.179] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="..") returned 1 [0104.179] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll") returned 73 [0104.179] lstrcmpW (lpString1="PUB6INTL.REST.trx_dll", lpString2="PUSSY.TXT") returned -1 [0104.179] PathFindExtensionW (pszPath="PUB6INTL.REST.trx_dll") returned=".trx_dll" [0104.179] lstrlenW (lpString=".trx_dll") returned 8 [0104.179] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0104.180] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\pub6intl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a4 [0104.180] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=581984) returned 1 [0104.180] GetProcessHeap () returned 0x4c0000 [0104.180] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0104.256] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="59") returned 2 [0104.256] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="FE") returned 2 [0104.256] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="51") returned 2 [0104.256] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="2D") returned 2 [0104.256] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="45") returned 2 [0104.256] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="B1") returned 2 [0104.256] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="9C") returned 2 [0104.256] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="C0") returned 2 [0104.256] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="0B") returned 2 [0104.256] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="6B") returned 2 [0104.256] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="8A") returned 2 [0104.257] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="7C") returned 2 [0104.257] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="3D") returned 2 [0104.257] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="FF") returned 2 [0104.257] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="C7") returned 2 [0104.257] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="D1") returned 2 [0104.257] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="A2") returned 2 [0104.257] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="ED") returned 2 [0104.257] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="9A") returned 2 [0104.257] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="C2") returned 2 [0104.257] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="28") returned 2 [0104.257] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="F0") returned 2 [0104.257] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="E9") returned 2 [0104.257] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="9E") returned 2 [0104.257] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="3D") returned 2 [0104.257] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="7A") returned 2 [0104.257] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="57") returned 2 [0104.257] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="F2") returned 2 [0104.257] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="48") returned 2 [0104.257] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="79") returned 2 [0104.257] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="03") returned 2 [0104.257] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="16") returned 2 [0104.270] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll" [0104.270] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll" [0104.270] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll", lpString2=".59FE512D45B19CC00B6B8A7C3DFFC7D1A2ED9AC228F0E99E3D7A57F248790316" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll.59FE512D45B19CC00B6B8A7C3DFFC7D1A2ED9AC228F0E99E3D7A57F248790316") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll.59FE512D45B19CC00B6B8A7C3DFFC7D1A2ED9AC228F0E99E3D7A57F248790316" [0104.270] CreateIoCompletionPort (FileHandle=0x1a4, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0104.270] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0104.270] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x749d2200, ftCreationTime.dwHighDateTime=0x1cac80f, ftLastAccessTime.dwLowDateTime=0xef0320d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x749d2200, ftLastWriteTime.dwHighDateTime=0x1cac80f, nFileSizeHigh=0x0, nFileSizeLow=0x5ab60, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="PUBWZINT.REST.trx_dll", cAlternateFileName="PUBWZI~1.TRX")) returned 1 [0104.271] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="Windows") returned -1 [0104.271] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="Program Files") returned 1 [0104.271] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="Program Files (x86)") returned 1 [0104.271] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0104.315] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="System Volume Information") returned -1 [0104.315] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2=".") returned 1 [0104.315] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="..") returned 1 [0104.315] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll") returned 73 [0104.315] lstrcmpW (lpString1="PUBWZINT.REST.trx_dll", lpString2="PUSSY.TXT") returned -1 [0104.315] PathFindExtensionW (pszPath="PUBWZINT.REST.trx_dll") returned=".trx_dll" [0104.315] lstrlenW (lpString=".trx_dll") returned 8 [0104.315] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0104.315] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\pubwzint.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0104.317] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=371552) returned 1 [0104.317] GetProcessHeap () returned 0x4c0000 [0104.317] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc8160 [0104.329] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="6C") returned 2 [0104.329] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="87") returned 2 [0104.329] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="55") returned 2 [0104.329] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="DE") returned 2 [0104.329] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="DC") returned 2 [0104.329] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="BA") returned 2 [0104.329] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="40") returned 2 [0104.329] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="06") returned 2 [0104.329] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="2A") returned 2 [0104.329] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="F5") returned 2 [0104.329] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="F7") returned 2 [0104.329] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="6C") returned 2 [0104.329] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="73") returned 2 [0104.329] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="99") returned 2 [0104.329] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="50") returned 2 [0104.329] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="38") returned 2 [0104.329] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="7F") returned 2 [0104.329] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="75") returned 2 [0104.330] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="E1") returned 2 [0104.330] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="7C") returned 2 [0104.330] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="EC") returned 2 [0104.330] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="7A") returned 2 [0104.330] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="B4") returned 2 [0104.330] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="2A") returned 2 [0104.330] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="0C") returned 2 [0104.330] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="FE") returned 2 [0104.330] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="8E") returned 2 [0104.330] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="CF") returned 2 [0104.330] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="A7") returned 2 [0104.330] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="8F") returned 2 [0104.330] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="E9") returned 2 [0104.330] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="11") returned 2 [0104.342] lstrcpyW (in: lpString1=0x3bd8194, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll" [0104.342] lstrcpyW (in: lpString1=0x3bc8194, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll" [0104.342] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll", lpString2=".6C8755DEDCBA40062AF5F76C739950387F75E17CEC7AB42A0CFE8ECFA78FE911" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll.6C8755DEDCBA40062AF5F76C739950387F75E17CEC7AB42A0CFE8ECFA78FE911") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll.6C8755DEDCBA40062AF5F76C739950387F75E17CEC7AB42A0CFE8ECFA78FE911" [0104.343] CreateIoCompletionPort (FileHandle=0x16c, ExistingCompletionPort=0x94, CompletionKey=0x3bc8160, NumberOfConcurrentThreads=0x0) returned 0x94 [0104.343] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc8160, lpOverlapped=0x3bc8160) returned 1 [0104.343] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6d7a1200, ftCreationTime.dwHighDateTime=0x1cac817, ftLastAccessTime.dwLowDateTime=0xef058230, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x6d7a1200, ftLastWriteTime.dwHighDateTime=0x1cac817, nFileSizeHigh=0x0, nFileSizeLow=0x3360, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="SGRES.DLL.trx_dll", cAlternateFileName="SGRESD~1.TRX")) returned 1 [0104.343] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="Windows") returned -1 [0104.343] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="Program Files") returned 1 [0104.389] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0104.389] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0104.389] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0104.389] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2=".") returned 1 [0104.389] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="..") returned 1 [0104.389] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll") returned 69 [0104.389] lstrcmpW (lpString1="SGRES.DLL.trx_dll", lpString2="PUSSY.TXT") returned 1 [0104.389] PathFindExtensionW (pszPath="SGRES.DLL.trx_dll") returned=".trx_dll" [0104.389] lstrlenW (lpString=".trx_dll") returned 8 [0104.389] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0104.390] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\sgres.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x170 [0104.391] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=13152) returned 1 [0104.391] GetProcessHeap () returned 0x4c0000 [0104.391] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c28098 [0104.405] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="5B") returned 2 [0104.405] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="A3") returned 2 [0104.405] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="AD") returned 2 [0104.405] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="70") returned 2 [0104.405] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="05") returned 2 [0104.405] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="F9") returned 2 [0104.405] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="12") returned 2 [0104.406] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="49") returned 2 [0104.406] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="0F") returned 2 [0104.406] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="EE") returned 2 [0104.406] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="70") returned 2 [0104.406] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="59") returned 2 [0104.406] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="75") returned 2 [0104.406] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="B3") returned 2 [0104.406] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="B5") returned 2 [0104.406] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="55") returned 2 [0104.406] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="7B") returned 2 [0104.406] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="0A") returned 2 [0104.406] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="46") returned 2 [0104.406] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="27") returned 2 [0104.406] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="FE") returned 2 [0104.406] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="B4") returned 2 [0104.406] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="E3") returned 2 [0104.406] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="0C") returned 2 [0104.406] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="56") returned 2 [0104.406] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="34") returned 2 [0104.406] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="F1") returned 2 [0104.406] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="F2") returned 2 [0104.406] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="67") returned 2 [0104.406] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="4A") returned 2 [0104.407] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="4A") returned 2 [0104.407] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="1D") returned 2 [0104.419] lstrcpyW (in: lpString1=0x3c380cc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll" [0104.419] lstrcpyW (in: lpString1=0x3c280cc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll" [0104.419] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll", lpString2=".5BA3AD7005F912490FEE705975B3B5557B0A4627FEB4E30C5634F1F2674A4A1D" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll.5BA3AD7005F912490FEE705975B3B5557B0A4627FEB4E30C5634F1F2674A4A1D") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll.5BA3AD7005F912490FEE705975B3B5557B0A4627FEB4E30C5634F1F2674A4A1D" [0104.419] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x94, CompletionKey=0x3c28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0104.419] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c28098, lpOverlapped=0x3c28098) returned 1 [0104.419] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc8e7d800, ftCreationTime.dwHighDateTime=0x1cac7f6, ftLastAccessTime.dwLowDateTime=0xef058230, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc8e7d800, ftLastWriteTime.dwHighDateTime=0x1cac7f6, nFileSizeHigh=0x0, nFileSizeLow=0x4160, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="STINTL.DLL.trx_dll", cAlternateFileName="STINTL~1.TRX")) returned 1 [0104.419] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0104.420] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="Program Files") returned 1 [0104.420] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0104.420] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0104.420] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0104.420] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2=".") returned 1 [0104.420] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="..") returned 1 [0104.420] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll") returned 70 [0104.420] lstrcmpW (lpString1="STINTL.DLL.trx_dll", lpString2="PUSSY.TXT") returned 1 [0104.420] PathFindExtensionW (pszPath="STINTL.DLL.trx_dll") returned=".trx_dll" [0104.420] lstrlenW (lpString=".trx_dll") returned 8 [0104.420] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0104.420] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\stintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x198 [0104.438] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=16736) returned 1 [0104.438] GetProcessHeap () returned 0x4c0000 [0104.438] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x554b38 [0104.454] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="7D") returned 2 [0104.454] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="12") returned 2 [0104.454] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="64") returned 2 [0104.454] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="63") returned 2 [0104.455] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="1E") returned 2 [0104.455] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="14") returned 2 [0104.455] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="A1") returned 2 [0104.455] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="16") returned 2 [0104.455] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="9A") returned 2 [0104.455] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="6F") returned 2 [0104.455] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="1F") returned 2 [0104.455] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="A8") returned 2 [0104.455] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="CF") returned 2 [0104.455] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="6F") returned 2 [0104.455] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="0B") returned 2 [0104.455] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="04") returned 2 [0104.455] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="3E") returned 2 [0104.455] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="59") returned 2 [0104.455] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="74") returned 2 [0104.455] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="2F") returned 2 [0104.455] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="FE") returned 2 [0104.455] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="CE") returned 2 [0104.455] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="86") returned 2 [0104.456] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="4F") returned 2 [0104.456] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="94") returned 2 [0104.456] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="3C") returned 2 [0104.456] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="A2") returned 2 [0104.456] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="F6") returned 2 [0104.456] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="C8") returned 2 [0104.456] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="5E") returned 2 [0104.456] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="69") returned 2 [0104.456] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="2E") returned 2 [0104.493] lstrcpyW (in: lpString1=0x564b6c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll" [0104.494] lstrcpyW (in: lpString1=0x554b6c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll" [0104.494] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll", lpString2=".7D1264631E14A1169A6F1FA8CF6F0B043E59742FFECE864F943CA2F6C85E692E" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll.7D1264631E14A1169A6F1FA8CF6F0B043E59742FFECE864F943CA2F6C85E692E") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll.7D1264631E14A1169A6F1FA8CF6F0B043E59742FFECE864F943CA2F6C85E692E" [0104.494] CreateIoCompletionPort (FileHandle=0x198, ExistingCompletionPort=0x94, CompletionKey=0x554b38, NumberOfConcurrentThreads=0x0) returned 0x94 [0104.494] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x554b38, lpOverlapped=0x554b38) returned 1 [0104.494] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbf706700, ftCreationTime.dwHighDateTime=0x1cac81a, ftLastAccessTime.dwLowDateTime=0xef0a44f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xbf706700, ftLastWriteTime.dwHighDateTime=0x1cac81a, nFileSizeHigh=0x0, nFileSizeLow=0x6960, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="VISBRRES.DLL.trx_dll", cAlternateFileName="VISBRR~1.TRX")) returned 1 [0104.494] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="Windows") returned -1 [0104.494] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="Program Files") returned 1 [0104.519] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0104.519] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0104.519] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="System Volume Information") returned 1 [0104.519] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2=".") returned 1 [0104.519] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="..") returned 1 [0104.519] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll") returned 72 [0104.519] lstrcmpW (lpString1="VISBRRES.DLL.trx_dll", lpString2="PUSSY.TXT") returned 1 [0104.519] PathFindExtensionW (pszPath="VISBRRES.DLL.trx_dll") returned=".trx_dll" [0104.519] lstrlenW (lpString=".trx_dll") returned 8 [0104.519] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0104.519] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\visbrres.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x190 [0104.521] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=26976) returned 1 [0104.521] GetProcessHeap () returned 0x4c0000 [0104.521] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x57cb88 [0104.534] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="FC") returned 2 [0104.534] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="89") returned 2 [0104.534] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="A1") returned 2 [0104.534] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="02") returned 2 [0104.534] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="65") returned 2 [0104.534] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="74") returned 2 [0104.534] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="61") returned 2 [0104.535] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="06") returned 2 [0104.535] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="23") returned 2 [0104.535] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="2D") returned 2 [0104.535] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="F8") returned 2 [0104.535] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="5C") returned 2 [0104.535] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="10") returned 2 [0104.535] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="60") returned 2 [0104.535] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="54") returned 2 [0104.535] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="77") returned 2 [0104.535] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="A3") returned 2 [0104.535] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="44") returned 2 [0104.535] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="DB") returned 2 [0104.535] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="3E") returned 2 [0104.535] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="C9") returned 2 [0104.535] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="BE") returned 2 [0104.535] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="C9") returned 2 [0104.535] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="BC") returned 2 [0104.535] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="B0") returned 2 [0104.535] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="A3") returned 2 [0104.535] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="52") returned 2 [0104.535] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="D6") returned 2 [0104.535] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="07") returned 2 [0104.535] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="7E") returned 2 [0104.535] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="AD") returned 2 [0104.536] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="51") returned 2 [0104.549] lstrcpyW (in: lpString1=0x58cbbc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll" [0104.549] lstrcpyW (in: lpString1=0x57cbbc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll" [0104.549] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll", lpString2=".FC89A10265746106232DF85C10605477A344DB3EC9BEC9BCB0A352D6077EAD51" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll.FC89A10265746106232DF85C10605477A344DB3EC9BEC9BCB0A352D6077EAD51") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll.FC89A10265746106232DF85C10605477A344DB3EC9BEC9BCB0A352D6077EAD51" [0104.549] CreateIoCompletionPort (FileHandle=0x190, ExistingCompletionPort=0x94, CompletionKey=0x57cb88, NumberOfConcurrentThreads=0x0) returned 0x94 [0104.549] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x57cb88, lpOverlapped=0x57cb88) returned 1 [0104.549] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6a315700, ftCreationTime.dwHighDateTime=0x1cac814, ftLastAccessTime.dwLowDateTime=0xef0a44f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x6a315700, ftLastWriteTime.dwHighDateTime=0x1cac814, nFileSizeHigh=0x0, nFileSizeLow=0x77560, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="VISINTL.DLL.trx_dll", cAlternateFileName="VISINT~1.TRX")) returned 1 [0104.550] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0104.550] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="Program Files") returned 1 [0104.550] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0104.550] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0104.550] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="System Volume Information") returned 1 [0104.550] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2=".") returned 1 [0104.550] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="..") returned 1 [0104.550] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll") returned 71 [0104.550] lstrcmpW (lpString1="VISINTL.DLL.trx_dll", lpString2="PUSSY.TXT") returned 1 [0104.550] PathFindExtensionW (pszPath="VISINTL.DLL.trx_dll") returned=".trx_dll" [0104.550] lstrlenW (lpString=".trx_dll") returned 8 [0104.550] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0104.550] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\visintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x188 [0104.551] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=488800) returned 1 [0104.551] GetProcessHeap () returned 0x4c0000 [0104.551] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x512a90 [0104.565] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="78") returned 2 [0104.565] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="9F") returned 2 [0104.565] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="4C") returned 2 [0104.565] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="D5") returned 2 [0104.565] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="1A") returned 2 [0104.565] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="FF") returned 2 [0104.565] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="47") returned 2 [0104.565] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="29") returned 2 [0104.565] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="78") returned 2 [0104.565] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="1E") returned 2 [0104.565] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="15") returned 2 [0104.565] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="49") returned 2 [0104.565] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="FC") returned 2 [0104.565] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="AB") returned 2 [0104.565] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="1E") returned 2 [0104.565] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="AD") returned 2 [0104.565] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="9C") returned 2 [0104.565] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="57") returned 2 [0104.565] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="85") returned 2 [0104.565] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="89") returned 2 [0104.565] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="13") returned 2 [0104.565] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="0F") returned 2 [0104.565] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="15") returned 2 [0104.565] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="EF") returned 2 [0104.565] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="C9") returned 2 [0104.565] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="57") returned 2 [0104.565] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="27") returned 2 [0104.566] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="C4") returned 2 [0104.566] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="CB") returned 2 [0104.566] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="A2") returned 2 [0104.566] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="91") returned 2 [0104.566] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="43") returned 2 [0104.579] lstrcpyW (in: lpString1=0x522ac4, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll" [0104.579] lstrcpyW (in: lpString1=0x512ac4, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll" [0104.579] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll", lpString2=".789F4CD51AFF4729781E1549FCAB1EAD9C578589130F15EFC95727C4CBA29143" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll.789F4CD51AFF4729781E1549FCAB1EAD9C578589130F15EFC95727C4CBA29143") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll.789F4CD51AFF4729781E1549FCAB1EAD9C578589130F15EFC95727C4CBA29143" [0104.579] CreateIoCompletionPort (FileHandle=0x188, ExistingCompletionPort=0x94, CompletionKey=0x512a90, NumberOfConcurrentThreads=0x0) returned 0x94 [0104.579] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x512a90, lpOverlapped=0x512a90) returned 1 [0104.579] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcb31c100, ftCreationTime.dwHighDateTime=0x1cacd25, ftLastAccessTime.dwLowDateTime=0xef0ca650, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xcb31c100, ftLastWriteTime.dwHighDateTime=0x1cacd25, nFileSizeHigh=0x0, nFileSizeLow=0x25b60, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="WWINTL.DLL.trx_dll", cAlternateFileName="WWINTL~1.TRX")) returned 1 [0104.579] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="Windows") returned 1 [0104.580] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="Program Files") returned 1 [0104.580] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0104.580] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0104.580] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="System Volume Information") returned 1 [0104.580] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2=".") returned 1 [0104.580] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="..") returned 1 [0104.580] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll") returned 70 [0104.580] lstrcmpW (lpString1="WWINTL.DLL.trx_dll", lpString2="PUSSY.TXT") returned 1 [0104.580] PathFindExtensionW (pszPath="WWINTL.DLL.trx_dll") returned=".trx_dll" [0104.580] lstrlenW (lpString=".trx_dll") returned 8 [0104.580] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0104.580] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\wwintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a0 [0104.581] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=154464) returned 1 [0104.581] GetProcessHeap () returned 0x4c0000 [0104.581] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b380a0 [0104.723] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="60") returned 2 [0104.723] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="14") returned 2 [0104.723] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="F0") returned 2 [0104.723] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="40") returned 2 [0104.723] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="97") returned 2 [0104.723] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="6C") returned 2 [0104.723] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="99") returned 2 [0104.723] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="B5") returned 2 [0104.723] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="53") returned 2 [0104.723] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="3B") returned 2 [0104.723] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="F6") returned 2 [0104.723] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="FF") returned 2 [0104.723] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="84") returned 2 [0104.723] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="41") returned 2 [0104.723] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="14") returned 2 [0104.723] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="B5") returned 2 [0104.723] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="BA") returned 2 [0104.723] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="19") returned 2 [0104.723] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="27") returned 2 [0104.723] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="CD") returned 2 [0104.724] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="70") returned 2 [0104.724] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="9B") returned 2 [0104.724] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="EF") returned 2 [0104.724] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="BD") returned 2 [0104.724] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="1D") returned 2 [0104.724] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="DB") returned 2 [0104.724] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="59") returned 2 [0104.724] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="E3") returned 2 [0104.724] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="1F") returned 2 [0104.724] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="FF") returned 2 [0104.724] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="E0") returned 2 [0104.724] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="5C") returned 2 [0104.737] lstrcpyW (in: lpString1=0x3b480d4, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll" [0104.737] lstrcpyW (in: lpString1=0x3b380d4, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll" [0104.737] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll", lpString2=".6014F040976C99B5533BF6FF844114B5BA1927CD709BEFBD1DDB59E31FFFE05C" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll.6014F040976C99B5533BF6FF844114B5BA1927CD709BEFBD1DDB59E31FFFE05C") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll.6014F040976C99B5533BF6FF844114B5BA1927CD709BEFBD1DDB59E31FFFE05C" [0104.738] CreateIoCompletionPort (FileHandle=0x1a0, ExistingCompletionPort=0x94, CompletionKey=0x3b380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0104.738] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b380a0, lpOverlapped=0x3b380a0) returned 1 [0104.738] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcb31c100, ftCreationTime.dwHighDateTime=0x1cacd25, ftLastAccessTime.dwLowDateTime=0xef0f07b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xcb31c100, ftLastWriteTime.dwHighDateTime=0x1cacd25, nFileSizeHigh=0x0, nFileSizeLow=0x115b60, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="WWINTL.REST.trx_dll", cAlternateFileName="WWINTL~2.TRX")) returned 1 [0104.738] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="Windows") returned 1 [0104.738] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="Program Files") returned 1 [0104.738] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="Program Files (x86)") returned 1 [0104.738] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0104.738] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="System Volume Information") returned 1 [0104.738] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2=".") returned 1 [0104.739] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="..") returned 1 [0104.799] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll") returned 71 [0104.799] lstrcmpW (lpString1="WWINTL.REST.trx_dll", lpString2="PUSSY.TXT") returned 1 [0104.799] PathFindExtensionW (pszPath="WWINTL.REST.trx_dll") returned=".trx_dll" [0104.799] lstrlenW (lpString=".trx_dll") returned 8 [0104.799] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0104.799] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\wwintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x198 [0104.799] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=1137504) returned 1 [0104.799] GetProcessHeap () returned 0x4c0000 [0104.799] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc8160 [0104.815] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="37") returned 2 [0104.815] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="7D") returned 2 [0104.815] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="79") returned 2 [0104.815] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="3F") returned 2 [0104.815] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="C7") returned 2 [0104.818] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="DE") returned 2 [0104.818] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="28") returned 2 [0104.818] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="BD") returned 2 [0104.818] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="E1") returned 2 [0104.818] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="0A") returned 2 [0104.818] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="25") returned 2 [0104.818] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="D7") returned 2 [0104.818] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="E8") returned 2 [0104.818] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="4B") returned 2 [0104.818] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="FA") returned 2 [0104.818] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="2D") returned 2 [0104.818] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="A2") returned 2 [0104.818] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="64") returned 2 [0104.818] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="EB") returned 2 [0104.818] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="50") returned 2 [0104.819] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="06") returned 2 [0104.819] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="FE") returned 2 [0104.819] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="D2") returned 2 [0104.819] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="23") returned 2 [0104.819] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="E1") returned 2 [0104.819] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="C2") returned 2 [0104.819] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="A2") returned 2 [0104.819] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="96") returned 2 [0104.819] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="C7") returned 2 [0104.819] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="5D") returned 2 [0104.819] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="2D") returned 2 [0104.819] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="04") returned 2 [0104.832] lstrcpyW (in: lpString1=0x3bd8194, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll" [0104.832] lstrcpyW (in: lpString1=0x3bc8194, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll" [0104.832] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll", lpString2=".377D793FC7DE28BDE10A25D7E84BFA2DA264EB5006FED223E1C2A296C75D2D04" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll.377D793FC7DE28BDE10A25D7E84BFA2DA264EB5006FED223E1C2A296C75D2D04") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll.377D793FC7DE28BDE10A25D7E84BFA2DA264EB5006FED223E1C2A296C75D2D04" [0104.833] CreateIoCompletionPort (FileHandle=0x198, ExistingCompletionPort=0x94, CompletionKey=0x3bc8160, NumberOfConcurrentThreads=0x0) returned 0x94 [0104.833] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc8160, lpOverlapped=0x3bc8160) returned 1 [0104.833] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6b688100, ftCreationTime.dwHighDateTime=0x1cac820, ftLastAccessTime.dwLowDateTime=0xef0f07b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x6b688100, ftLastWriteTime.dwHighDateTime=0x1cac820, nFileSizeHigh=0x0, nFileSizeLow=0x25360, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="XLINTL32.DLL.trx_dll", cAlternateFileName="XLINTL~1.TRX")) returned 1 [0104.833] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="Windows") returned 1 [0104.833] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="Program Files") returned 1 [0104.833] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0104.833] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0104.879] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="System Volume Information") returned 1 [0104.879] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2=".") returned 1 [0104.879] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="..") returned 1 [0104.879] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll") returned 72 [0104.880] lstrcmpW (lpString1="XLINTL32.DLL.trx_dll", lpString2="PUSSY.TXT") returned 1 [0104.880] PathFindExtensionW (pszPath="XLINTL32.DLL.trx_dll") returned=".trx_dll" [0104.880] lstrlenW (lpString=".trx_dll") returned 8 [0104.880] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0104.880] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\xlintl32.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x190 [0104.883] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=152416) returned 1 [0104.883] GetProcessHeap () returned 0x4c0000 [0104.884] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x554b38 [0104.897] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="63") returned 2 [0104.897] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="F4") returned 2 [0104.897] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="7A") returned 2 [0104.897] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="CF") returned 2 [0104.897] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="67") returned 2 [0104.897] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="11") returned 2 [0104.897] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="1D") returned 2 [0104.897] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="28") returned 2 [0104.897] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="0A") returned 2 [0104.897] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="1D") returned 2 [0104.897] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="FC") returned 2 [0104.898] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="89") returned 2 [0104.898] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="EF") returned 2 [0104.898] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="A7") returned 2 [0104.898] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="50") returned 2 [0104.898] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="4F") returned 2 [0104.898] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="90") returned 2 [0104.898] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="66") returned 2 [0104.898] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="76") returned 2 [0104.898] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="87") returned 2 [0104.898] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="D5") returned 2 [0104.898] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="47") returned 2 [0104.898] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="54") returned 2 [0104.898] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="CD") returned 2 [0104.898] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="80") returned 2 [0104.898] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="F7") returned 2 [0104.898] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="6F") returned 2 [0104.898] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="45") returned 2 [0104.898] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="D6") returned 2 [0104.898] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="6B") returned 2 [0104.898] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="58") returned 2 [0104.898] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="33") returned 2 [0104.912] lstrcpyW (in: lpString1=0x564b6c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll" [0104.912] lstrcpyW (in: lpString1=0x554b6c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll" [0104.912] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll", lpString2=".63F47ACF67111D280A1DFC89EFA7504F90667687D54754CD80F76F45D66B5833" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll.63F47ACF67111D280A1DFC89EFA7504F90667687D54754CD80F76F45D66B5833") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll.63F47ACF67111D280A1DFC89EFA7504F90667687D54754CD80F76F45D66B5833" [0104.912] CreateIoCompletionPort (FileHandle=0x190, ExistingCompletionPort=0x94, CompletionKey=0x554b38, NumberOfConcurrentThreads=0x0) returned 0x94 [0104.912] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x554b38, lpOverlapped=0x554b38) returned 1 [0104.912] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6a375400, ftCreationTime.dwHighDateTime=0x1cac820, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x6a375400, ftLastWriteTime.dwHighDateTime=0x1cac820, nFileSizeHigh=0x0, nFileSizeLow=0x137960, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="XLINTL32.REST.trx_dll", cAlternateFileName="XLINTL~2.TRX")) returned 1 [0104.912] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="Windows") returned 1 [0104.912] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="Program Files") returned 1 [0104.912] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="Program Files (x86)") returned 1 [0104.912] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0104.912] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="System Volume Information") returned 1 [0104.913] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2=".") returned 1 [0104.913] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="..") returned 1 [0104.913] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll") returned 73 [0104.913] lstrcmpW (lpString1="XLINTL32.REST.trx_dll", lpString2="PUSSY.TXT") returned 1 [0104.913] PathFindExtensionW (pszPath="XLINTL32.REST.trx_dll") returned=".trx_dll" [0104.913] lstrlenW (lpString=".trx_dll") returned 8 [0104.913] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0104.913] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\xlintl32.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x170 [0104.913] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=1276256) returned 1 [0104.913] GetProcessHeap () returned 0x4c0000 [0104.914] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x57cb88 [0104.928] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="35") returned 2 [0104.928] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="F1") returned 2 [0104.928] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="92") returned 2 [0104.928] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="3C") returned 2 [0104.928] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="7D") returned 2 [0104.928] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="72") returned 2 [0104.928] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="9F") returned 2 [0104.928] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="E9") returned 2 [0104.928] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="41") returned 2 [0104.928] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="2F") returned 2 [0104.928] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="77") returned 2 [0104.928] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="BF") returned 2 [0104.928] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="79") returned 2 [0104.928] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="EF") returned 2 [0104.928] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="C5") returned 2 [0104.928] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="E7") returned 2 [0104.928] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="E8") returned 2 [0104.928] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="BA") returned 2 [0104.928] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="DB") returned 2 [0104.929] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="9F") returned 2 [0104.929] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="51") returned 2 [0104.929] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="72") returned 2 [0104.929] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="13") returned 2 [0104.929] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="18") returned 2 [0104.929] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="65") returned 2 [0104.929] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="41") returned 2 [0104.929] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="B7") returned 2 [0104.929] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="D9") returned 2 [0104.929] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="4F") returned 2 [0104.929] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="A4") returned 2 [0104.929] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="AC") returned 2 [0104.929] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="0E") returned 2 [0104.998] lstrcpyW (in: lpString1=0x58cbbc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll" [0104.998] lstrcpyW (in: lpString1=0x57cbbc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll" [0104.998] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll", lpString2=".35F1923C7D729FE9412F77BF79EFC5E7E8BADB9F517213186541B7D94FA4AC0E" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll.35F1923C7D729FE9412F77BF79EFC5E7E8BADB9F517213186541B7D94FA4AC0E") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll.35F1923C7D729FE9412F77BF79EFC5E7E8BADB9F517213186541B7D94FA4AC0E" [0104.998] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x94, CompletionKey=0x57cb88, NumberOfConcurrentThreads=0x0) returned 0x94 [0104.998] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x57cb88, lpOverlapped=0x57cb88) returned 1 [0104.999] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xfe092000, ftCreationTime.dwHighDateTime=0x1cac820, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfe092000, ftLastWriteTime.dwHighDateTime=0x1cac820, nFileSizeHigh=0x0, nFileSizeLow=0x3d60, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="XLSLICER.DLL.trx_dll", cAlternateFileName="XLSLIC~1.TRX")) returned 1 [0105.046] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="Windows") returned 1 [0105.046] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="Program Files") returned 1 [0105.046] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0105.046] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0105.046] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="System Volume Information") returned 1 [0105.046] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2=".") returned 1 [0105.047] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="..") returned 1 [0105.047] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll") returned 72 [0105.047] lstrcmpW (lpString1="XLSLICER.DLL.trx_dll", lpString2="PUSSY.TXT") returned 1 [0105.047] PathFindExtensionW (pszPath="XLSLICER.DLL.trx_dll") returned=".trx_dll" [0105.047] lstrlenW (lpString=".trx_dll") returned 8 [0105.047] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0105.047] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\xlslicer.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x188 [0105.047] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=15712) returned 1 [0105.048] GetProcessHeap () returned 0x4c0000 [0105.048] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x512a90 [0105.062] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="11") returned 2 [0105.062] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="62") returned 2 [0105.062] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="F7") returned 2 [0105.062] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="C1") returned 2 [0105.062] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="75") returned 2 [0105.062] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="D9") returned 2 [0105.062] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="F2") returned 2 [0105.062] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="26") returned 2 [0105.062] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="52") returned 2 [0105.062] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="FC") returned 2 [0105.062] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="F6") returned 2 [0105.062] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="C6") returned 2 [0105.062] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="E2") returned 2 [0105.062] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="FB") returned 2 [0105.062] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="80") returned 2 [0105.062] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="BF") returned 2 [0105.062] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="3D") returned 2 [0105.063] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="31") returned 2 [0105.063] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="D2") returned 2 [0105.063] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="81") returned 2 [0105.063] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="3B") returned 2 [0105.063] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="18") returned 2 [0105.063] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="2F") returned 2 [0105.063] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="03") returned 2 [0105.063] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="52") returned 2 [0105.063] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="AD") returned 2 [0105.063] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="20") returned 2 [0105.063] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="4D") returned 2 [0105.063] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="DF") returned 2 [0105.063] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="8C") returned 2 [0105.063] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="47") returned 2 [0105.063] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="3E") returned 2 [0105.089] lstrcpyW (in: lpString1=0x522ac4, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll" [0105.089] lstrcpyW (in: lpString1=0x512ac4, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll" [0105.089] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll", lpString2=".1162F7C175D9F22652FCF6C6E2FB80BF3D31D2813B182F0352AD204DDF8C473E" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll.1162F7C175D9F22652FCF6C6E2FB80BF3D31D2813B182F0352AD204DDF8C473E") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll.1162F7C175D9F22652FCF6C6E2FB80BF3D31D2813B182F0352AD204DDF8C473E" [0105.090] CreateIoCompletionPort (FileHandle=0x188, ExistingCompletionPort=0x94, CompletionKey=0x512a90, NumberOfConcurrentThreads=0x0) returned 0x94 [0105.090] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x512a90, lpOverlapped=0x512a90) returned 1 [0105.090] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xfe092000, ftCreationTime.dwHighDateTime=0x1cac820, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfe092000, ftLastWriteTime.dwHighDateTime=0x1cac820, nFileSizeHigh=0x0, nFileSizeLow=0x3d60, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="XLSLICER.DLL.trx_dll", cAlternateFileName="XLSLIC~1.TRX")) returned 0 [0105.090] FindClose (in: hFindFile=0x4e29a0 | out: hFindFile=0x4e29a0) returned 1 [0105.116] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUSSY.TXT") returned 61 [0105.116] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0105.117] lstrlenA (lpString="abcd") returned 4 [0105.117] WriteFile (in: hFile=0x174, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0105.118] CloseHandle (hObject=0x174) returned 1 [0105.119] GetProcessHeap () returned 0x4c0000 [0105.119] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0105.122] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef116910, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="3082", cAlternateFileName="")) returned 1 [0105.122] lstrcmpiW (lpString1="3082", lpString2="Windows") returned -1 [0105.122] lstrcmpiW (lpString1="3082", lpString2="Program Files") returned -1 [0105.122] lstrcmpiW (lpString1="3082", lpString2="Program Files (x86)") returned -1 [0105.122] lstrcmpiW (lpString1="3082", lpString2="$Recycle.bin") returned 1 [0105.122] lstrcmpiW (lpString1="3082", lpString2="System Volume Information") returned -1 [0105.122] lstrcmpiW (lpString1="3082", lpString2=".") returned 1 [0105.122] lstrcmpiW (lpString1="3082", lpString2="..") returned 1 [0105.122] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082") returned 51 [0105.122] GetProcessHeap () returned 0x4c0000 [0105.122] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x502a88 [0105.123] lstrcpyW (in: lpString1=0x502a88, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082" [0105.123] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\*" [0105.123] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef116910, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x4e29a0 [0105.125] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0105.125] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0105.125] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0105.125] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0105.126] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0105.126] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0105.126] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef116910, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0105.127] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0105.127] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0105.127] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0105.127] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0105.127] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0105.127] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0105.127] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0105.127] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x302da400, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x302da400, ftLastWriteTime.dwHighDateTime=0x1caca12, nFileSizeHigh=0x0, nFileSizeLow=0x3760, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="ENVELOPR.DLL.trx_dll", cAlternateFileName="ENVELO~1.TRX")) returned 1 [0105.127] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="Windows") returned -1 [0105.127] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="Program Files") returned -1 [0105.127] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0105.127] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0105.127] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0105.127] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2=".") returned 1 [0105.127] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="..") returned 1 [0105.127] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll") returned 72 [0105.127] lstrcmpW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="PUSSY.TXT") returned -1 [0105.128] PathFindExtensionW (pszPath="ENVELOPR.DLL.trx_dll") returned=".trx_dll" [0105.128] lstrlenW (lpString=".trx_dll") returned 8 [0105.128] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0105.128] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\envelopr.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0105.129] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=14176) returned 1 [0105.129] GetProcessHeap () returned 0x4c0000 [0105.129] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0105.142] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="76") returned 2 [0105.143] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="57") returned 2 [0105.143] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="07") returned 2 [0105.143] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="90") returned 2 [0105.143] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="C1") returned 2 [0105.143] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="99") returned 2 [0105.143] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="49") returned 2 [0105.143] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="C8") returned 2 [0105.143] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="F0") returned 2 [0105.143] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="04") returned 2 [0105.143] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="F4") returned 2 [0105.143] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="85") returned 2 [0105.143] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="3F") returned 2 [0105.143] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="FC") returned 2 [0105.143] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="9E") returned 2 [0105.143] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="78") returned 2 [0105.143] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="24") returned 2 [0105.143] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="94") returned 2 [0105.143] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="29") returned 2 [0105.143] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="89") returned 2 [0105.143] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="09") returned 2 [0105.143] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="31") returned 2 [0105.143] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="6E") returned 2 [0105.143] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="00") returned 2 [0105.144] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="3D") returned 2 [0105.144] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="D7") returned 2 [0105.144] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="99") returned 2 [0105.144] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="5A") returned 2 [0105.144] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="C1") returned 2 [0105.144] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="14") returned 2 [0105.144] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="9B") returned 2 [0105.144] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="64") returned 2 [0105.156] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll" [0105.156] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll" [0105.156] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll", lpString2=".76570790C19949C8F004F4853FFC9E782494298909316E003DD7995AC1149B64" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll.76570790C19949C8F004F4853FFC9E782494298909316E003DD7995AC1149B64") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll.76570790C19949C8F004F4853FFC9E782494298909316E003DD7995AC1149B64" [0105.156] CreateIoCompletionPort (FileHandle=0x16c, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0105.156] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0105.156] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x74912800, ftCreationTime.dwHighDateTime=0x1cac7f7, ftLastAccessTime.dwLowDateTime=0xeedf6c30, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x74912800, ftLastWriteTime.dwHighDateTime=0x1cac7f7, nFileSizeHigh=0x0, nFileSizeLow=0xb960, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="GRINTL32.DLL.trx_dll", cAlternateFileName="GRINTL~1.TRX")) returned 1 [0105.156] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="Windows") returned -1 [0105.156] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="Program Files") returned -1 [0105.156] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0105.156] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0105.156] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0105.156] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2=".") returned 1 [0105.156] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="..") returned 1 [0105.156] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll") returned 72 [0105.157] lstrcmpW (lpString1="GRINTL32.DLL.trx_dll", lpString2="PUSSY.TXT") returned -1 [0105.157] PathFindExtensionW (pszPath="GRINTL32.DLL.trx_dll") returned=".trx_dll" [0105.157] lstrlenW (lpString=".trx_dll") returned 8 [0105.157] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0105.157] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\grintl32.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a4 [0105.157] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=47456) returned 1 [0105.157] GetProcessHeap () returned 0x4c0000 [0105.157] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c28098 [0105.169] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="F1") returned 2 [0105.169] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="1D") returned 2 [0105.169] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="11") returned 2 [0105.169] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="98") returned 2 [0105.169] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="DA") returned 2 [0105.169] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="D6") returned 2 [0105.169] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="23") returned 2 [0105.169] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="9B") returned 2 [0105.169] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="75") returned 2 [0105.169] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="EF") returned 2 [0105.169] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="D1") returned 2 [0105.169] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="C5") returned 2 [0105.169] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="49") returned 2 [0105.169] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="F0") returned 2 [0105.169] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="7C") returned 2 [0105.169] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="2E") returned 2 [0105.169] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="A1") returned 2 [0105.169] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="02") returned 2 [0105.169] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="A8") returned 2 [0105.170] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="CB") returned 2 [0105.170] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="CF") returned 2 [0105.170] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="78") returned 2 [0105.170] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="07") returned 2 [0105.170] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="92") returned 2 [0105.170] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="48") returned 2 [0105.170] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="79") returned 2 [0105.170] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="82") returned 2 [0105.170] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="D8") returned 2 [0105.170] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="A5") returned 2 [0105.170] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="FF") returned 2 [0105.170] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="D9") returned 2 [0105.170] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="3C") returned 2 [0105.187] lstrcpyW (in: lpString1=0x3c380cc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll" [0105.187] lstrcpyW (in: lpString1=0x3c280cc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll" [0105.187] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll", lpString2=".F11D1198DAD6239B75EFD1C549F07C2EA102A8CBCF780792487982D8A5FFD93C" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll.F11D1198DAD6239B75EFD1C549F07C2EA102A8CBCF780792487982D8A5FFD93C") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll.F11D1198DAD6239B75EFD1C549F07C2EA102A8CBCF780792487982D8A5FFD93C" [0105.187] CreateIoCompletionPort (FileHandle=0x1a4, ExistingCompletionPort=0x94, CompletionKey=0x3c28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0105.187] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c28098, lpOverlapped=0x3c28098) returned 1 [0105.187] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x74912800, ftCreationTime.dwHighDateTime=0x1cac7f7, ftLastAccessTime.dwLowDateTime=0xeedf6c30, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x74912800, ftLastWriteTime.dwHighDateTime=0x1cac7f7, nFileSizeHigh=0x0, nFileSizeLow=0x39960, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="GRINTL32.REST.trx_dll", cAlternateFileName="GRINTL~2.TRX")) returned 1 [0105.188] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="Windows") returned -1 [0105.188] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="Program Files") returned -1 [0105.188] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0105.188] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0105.188] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="System Volume Information") returned -1 [0105.188] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2=".") returned 1 [0105.188] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="..") returned 1 [0105.188] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll") returned 73 [0105.188] lstrcmpW (lpString1="GRINTL32.REST.trx_dll", lpString2="PUSSY.TXT") returned -1 [0105.188] PathFindExtensionW (pszPath="GRINTL32.REST.trx_dll") returned=".trx_dll" [0105.188] lstrlenW (lpString=".trx_dll") returned 8 [0105.188] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0105.188] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\grintl32.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0105.200] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=235872) returned 1 [0105.200] GetProcessHeap () returned 0x4c0000 [0105.200] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b600f0 [0105.217] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="AB") returned 2 [0105.217] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="34") returned 2 [0105.217] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="33") returned 2 [0105.217] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="E1") returned 2 [0105.217] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="E0") returned 2 [0105.217] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="1E") returned 2 [0105.218] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="12") returned 2 [0105.218] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="EB") returned 2 [0105.218] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="E9") returned 2 [0105.218] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="BC") returned 2 [0105.218] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="E3") returned 2 [0105.218] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="C0") returned 2 [0105.218] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="28") returned 2 [0105.218] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="BE") returned 2 [0105.218] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="0D") returned 2 [0105.218] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="34") returned 2 [0105.218] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="54") returned 2 [0105.218] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="D8") returned 2 [0105.218] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="BC") returned 2 [0105.218] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="64") returned 2 [0105.218] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="72") returned 2 [0105.218] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="8D") returned 2 [0105.218] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="83") returned 2 [0105.218] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="17") returned 2 [0105.218] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="31") returned 2 [0105.218] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="3F") returned 2 [0105.218] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="7F") returned 2 [0105.218] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="11") returned 2 [0105.219] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="CC") returned 2 [0105.219] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="DF") returned 2 [0105.219] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="A9") returned 2 [0105.219] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="57") returned 2 [0105.304] lstrcpyW (in: lpString1=0x3b70124, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll" [0105.304] lstrcpyW (in: lpString1=0x3b60124, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll" [0105.304] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll", lpString2=".AB3433E1E01E12EBE9BCE3C028BE0D3454D8BC64728D8317313F7F11CCDFA957" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll.AB3433E1E01E12EBE9BCE3C028BE0D3454D8BC64728D8317313F7F11CCDFA957") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll.AB3433E1E01E12EBE9BCE3C028BE0D3454D8BC64728D8317313F7F11CCDFA957" [0105.304] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x3b600f0, NumberOfConcurrentThreads=0x0) returned 0x94 [0105.304] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b600f0, lpOverlapped=0x3b600f0) returned 1 [0105.305] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x302da400, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeee1cd90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x302da400, ftLastWriteTime.dwHighDateTime=0x1caca12, nFileSizeHigh=0x0, nFileSizeLow=0x47d60, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="MAPIR.DLL.trx_dll", cAlternateFileName="MAPIRD~1.TRX")) returned 1 [0105.305] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="Windows") returned -1 [0105.305] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="Program Files") returned -1 [0105.305] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0105.305] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0105.305] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0105.305] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2=".") returned 1 [0105.305] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="..") returned 1 [0105.305] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll") returned 69 [0105.305] lstrcmpW (lpString1="MAPIR.DLL.trx_dll", lpString2="PUSSY.TXT") returned -1 [0105.305] PathFindExtensionW (pszPath="MAPIR.DLL.trx_dll") returned=".trx_dll" [0105.305] lstrlenW (lpString=".trx_dll") returned 8 [0105.305] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0105.305] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\mapir.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0105.306] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=294240) returned 1 [0105.306] GetProcessHeap () returned 0x4c0000 [0105.306] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b88140 [0105.320] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="35") returned 2 [0105.320] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="C8") returned 2 [0105.320] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="F1") returned 2 [0105.320] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="2F") returned 2 [0105.320] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="5D") returned 2 [0105.320] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="E6") returned 2 [0105.320] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="D0") returned 2 [0105.320] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="E7") returned 2 [0105.320] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="50") returned 2 [0105.320] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="A2") returned 2 [0105.320] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="66") returned 2 [0105.320] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="27") returned 2 [0105.320] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="A5") returned 2 [0105.320] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="3B") returned 2 [0105.320] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="A0") returned 2 [0105.320] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="BA") returned 2 [0105.320] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="E7") returned 2 [0105.320] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="13") returned 2 [0105.320] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="A7") returned 2 [0105.320] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="11") returned 2 [0105.320] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="A7") returned 2 [0105.321] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="D2") returned 2 [0105.321] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="F8") returned 2 [0105.321] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="D6") returned 2 [0105.321] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="87") returned 2 [0105.321] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="C5") returned 2 [0105.321] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="A2") returned 2 [0105.321] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="AB") returned 2 [0105.321] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="91") returned 2 [0105.321] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="09") returned 2 [0105.321] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="70") returned 2 [0105.321] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="3F") returned 2 [0105.333] lstrcpyW (in: lpString1=0x3b98174, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll" [0105.333] lstrcpyW (in: lpString1=0x3b88174, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll" [0105.333] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll", lpString2=".35C8F12F5DE6D0E750A26627A53BA0BAE713A711A7D2F8D687C5A2AB9109703F" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll.35C8F12F5DE6D0E750A26627A53BA0BAE713A711A7D2F8D687C5A2AB9109703F") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll.35C8F12F5DE6D0E750A26627A53BA0BAE713A711A7D2F8D687C5A2AB9109703F" [0105.333] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0x94, CompletionKey=0x3b88140, NumberOfConcurrentThreads=0x0) returned 0x94 [0105.333] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b88140, lpOverlapped=0x3b88140) returned 1 [0105.334] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x58968200, ftCreationTime.dwHighDateTime=0x1cac809, ftLastAccessTime.dwLowDateTime=0xeee1cd90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x58968200, ftLastWriteTime.dwHighDateTime=0x1cac809, nFileSizeHigh=0x0, nFileSizeLow=0xc160, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="MOR6INT.REST.trx_dll", cAlternateFileName="MOR6IN~1.TRX")) returned 1 [0105.334] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="Windows") returned -1 [0105.334] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="Program Files") returned -1 [0105.334] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0105.334] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0105.334] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="System Volume Information") returned -1 [0105.334] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2=".") returned 1 [0105.334] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="..") returned 1 [0105.334] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll") returned 72 [0105.334] lstrcmpW (lpString1="MOR6INT.REST.trx_dll", lpString2="PUSSY.TXT") returned -1 [0105.334] PathFindExtensionW (pszPath="MOR6INT.REST.trx_dll") returned=".trx_dll" [0105.334] lstrlenW (lpString=".trx_dll") returned 8 [0105.334] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0105.334] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\mor6int.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0105.336] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=49504) returned 1 [0105.336] GetProcessHeap () returned 0x4c0000 [0105.336] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c500e8 [0105.447] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="93") returned 2 [0105.447] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="35") returned 2 [0105.447] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="6F") returned 2 [0105.447] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="5D") returned 2 [0105.447] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="6E") returned 2 [0105.447] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="DA") returned 2 [0105.447] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="AE") returned 2 [0105.447] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="7B") returned 2 [0105.447] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="D0") returned 2 [0105.447] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="08") returned 2 [0105.447] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="CA") returned 2 [0105.447] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="76") returned 2 [0105.447] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="A7") returned 2 [0105.447] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="EE") returned 2 [0105.447] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="F0") returned 2 [0105.447] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="6C") returned 2 [0105.447] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="F3") returned 2 [0105.447] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="58") returned 2 [0105.448] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="0A") returned 2 [0105.448] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="67") returned 2 [0105.448] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="8D") returned 2 [0105.448] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="08") returned 2 [0105.448] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="21") returned 2 [0105.448] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="98") returned 2 [0105.448] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="86") returned 2 [0105.448] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="E5") returned 2 [0105.448] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="D2") returned 2 [0105.448] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="93") returned 2 [0105.448] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="B7") returned 2 [0105.448] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="B3") returned 2 [0105.448] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="30") returned 2 [0105.448] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="1A") returned 2 [0105.541] lstrcpyW (in: lpString1=0x3c6011c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll" [0105.542] lstrcpyW (in: lpString1=0x3c5011c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll" [0105.542] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll", lpString2=".93356F5D6EDAAE7BD008CA76A7EEF06CF3580A678D08219886E5D293B7B3301A" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll.93356F5D6EDAAE7BD008CA76A7EEF06CF3580A678D08219886E5D293B7B3301A") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll.93356F5D6EDAAE7BD008CA76A7EEF06CF3580A678D08219886E5D293B7B3301A" [0105.542] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x3c500e8, NumberOfConcurrentThreads=0x0) returned 0x94 [0105.542] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c500e8, lpOverlapped=0x3c500e8) returned 1 [0105.542] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x248aaf00, ftCreationTime.dwHighDateTime=0x1caca0b, ftLastAccessTime.dwLowDateTime=0xeee42ef0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x248aaf00, ftLastWriteTime.dwHighDateTime=0x1caca0b, nFileSizeHigh=0x0, nFileSizeLow=0x16f60, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="MSOINTL.DLL.trx_dll", cAlternateFileName="MSOINT~1.TRX")) returned 1 [0105.542] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0105.542] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="Program Files") returned -1 [0105.542] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0105.588] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0105.588] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0105.588] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2=".") returned 1 [0105.588] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="..") returned 1 [0105.589] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll") returned 71 [0105.589] lstrcmpW (lpString1="MSOINTL.DLL.trx_dll", lpString2="PUSSY.TXT") returned -1 [0105.589] PathFindExtensionW (pszPath="MSOINTL.DLL.trx_dll") returned=".trx_dll" [0105.589] lstrlenW (lpString=".trx_dll") returned 8 [0105.589] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0105.589] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\msointl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0105.589] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=94048) returned 1 [0105.589] GetProcessHeap () returned 0x4c0000 [0105.589] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc8160 [0105.603] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="FE") returned 2 [0105.603] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="B2") returned 2 [0105.603] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="61") returned 2 [0105.603] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="CB") returned 2 [0105.603] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="77") returned 2 [0105.603] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="63") returned 2 [0105.603] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="07") returned 2 [0105.603] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="ED") returned 2 [0105.604] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="6D") returned 2 [0105.604] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="04") returned 2 [0105.604] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="56") returned 2 [0105.604] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="36") returned 2 [0105.604] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="E6") returned 2 [0105.604] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="57") returned 2 [0105.604] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="8B") returned 2 [0105.604] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="30") returned 2 [0105.604] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="FD") returned 2 [0105.604] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="FA") returned 2 [0105.604] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="A5") returned 2 [0105.604] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="E9") returned 2 [0105.604] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="31") returned 2 [0105.604] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="50") returned 2 [0105.604] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="9B") returned 2 [0105.604] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="2F") returned 2 [0105.604] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="C9") returned 2 [0105.604] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="B0") returned 2 [0105.604] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="20") returned 2 [0105.604] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="78") returned 2 [0105.604] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="B0") returned 2 [0105.604] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="21") returned 2 [0105.604] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="66") returned 2 [0105.604] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="77") returned 2 [0105.616] lstrcpyW (in: lpString1=0x3bd8194, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll" [0105.617] lstrcpyW (in: lpString1=0x3bc8194, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll" [0105.617] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll", lpString2=".FEB261CB776307ED6D045636E6578B30FDFAA5E931509B2FC9B02078B0216677" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll.FEB261CB776307ED6D045636E6578B30FDFAA5E931509B2FC9B02078B0216677") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll.FEB261CB776307ED6D045636E6578B30FDFAA5E931509B2FC9B02078B0216677" [0105.617] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0x94, CompletionKey=0x3bc8160, NumberOfConcurrentThreads=0x0) returned 0x94 [0105.617] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc8160, lpOverlapped=0x3bc8160) returned 1 [0105.617] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x25bbdc00, ftCreationTime.dwHighDateTime=0x1caca0b, ftLastAccessTime.dwLowDateTime=0xeeeb5310, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x25bbdc00, ftLastWriteTime.dwHighDateTime=0x1caca0b, nFileSizeHigh=0x0, nFileSizeLow=0x2b2560, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="MSOINTL.REST.trx_dll", cAlternateFileName="MSOINT~2.TRX")) returned 1 [0105.617] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="Windows") returned -1 [0105.617] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="Program Files") returned -1 [0105.618] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0105.618] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0105.618] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="System Volume Information") returned -1 [0105.618] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2=".") returned 1 [0105.618] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="..") returned 1 [0105.618] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll") returned 72 [0105.618] lstrcmpW (lpString1="MSOINTL.REST.trx_dll", lpString2="PUSSY.TXT") returned -1 [0105.618] PathFindExtensionW (pszPath="MSOINTL.REST.trx_dll") returned=".trx_dll" [0105.618] lstrlenW (lpString=".trx_dll") returned 8 [0105.618] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0105.618] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\msointl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0105.664] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=2827616) returned 1 [0105.664] GetProcessHeap () returned 0x4c0000 [0105.664] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x512a90 [0105.679] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="9F") returned 2 [0105.679] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="56") returned 2 [0105.679] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="57") returned 2 [0105.679] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="36") returned 2 [0105.679] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="54") returned 2 [0105.679] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="60") returned 2 [0105.679] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="45") returned 2 [0105.679] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="34") returned 2 [0105.679] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="04") returned 2 [0105.679] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="8A") returned 2 [0105.679] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="1C") returned 2 [0105.679] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="7F") returned 2 [0105.679] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="8B") returned 2 [0105.679] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="6D") returned 2 [0105.679] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="39") returned 2 [0105.679] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="C7") returned 2 [0105.679] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="35") returned 2 [0105.679] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="48") returned 2 [0105.679] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="BD") returned 2 [0105.679] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="BE") returned 2 [0105.680] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="63") returned 2 [0105.680] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="8E") returned 2 [0105.680] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="32") returned 2 [0105.680] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="FF") returned 2 [0105.680] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="B7") returned 2 [0105.680] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="51") returned 2 [0105.680] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="CA") returned 2 [0105.680] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="D9") returned 2 [0105.680] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="14") returned 2 [0105.680] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="F9") returned 2 [0105.680] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="F3") returned 2 [0105.680] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="07") returned 2 [0105.692] lstrcpyW (in: lpString1=0x522ac4, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll" [0105.692] lstrcpyW (in: lpString1=0x512ac4, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll" [0105.692] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll", lpString2=".9F56573654604534048A1C7F8B6D39C73548BDBE638E32FFB751CAD914F9F307" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll.9F56573654604534048A1C7F8B6D39C73548BDBE638E32FFB751CAD914F9F307") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll.9F56573654604534048A1C7F8B6D39C73548BDBE638E32FFB751CAD914F9F307" [0105.692] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x512a90, NumberOfConcurrentThreads=0x0) returned 0x94 [0105.692] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x512a90, lpOverlapped=0x512a90) returned 1 [0105.693] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3564d600, ftCreationTime.dwHighDateTime=0x1cac7fb, ftLastAccessTime.dwLowDateTime=0xeef27730, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x3564d600, ftLastWriteTime.dwHighDateTime=0x1cac7fb, nFileSizeHigh=0x0, nFileSizeLow=0xb360, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="OMSINTL.DLL.trx_dll", cAlternateFileName="OMSINT~1.TRX")) returned 1 [0105.693] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0105.693] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="Program Files") returned -1 [0105.693] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0105.693] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0105.693] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0105.693] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2=".") returned 1 [0105.693] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="..") returned 1 [0105.693] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll") returned 71 [0105.735] lstrcmpW (lpString1="OMSINTL.DLL.trx_dll", lpString2="PUSSY.TXT") returned -1 [0105.735] PathFindExtensionW (pszPath="OMSINTL.DLL.trx_dll") returned=".trx_dll" [0105.735] lstrlenW (lpString=".trx_dll") returned 8 [0105.735] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0105.735] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\omsintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a4 [0105.736] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=45920) returned 1 [0105.736] GetProcessHeap () returned 0x4c0000 [0105.736] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0105.749] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="B2") returned 2 [0105.749] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="4C") returned 2 [0105.749] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="88") returned 2 [0105.749] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="AA") returned 2 [0105.749] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="07") returned 2 [0105.749] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="F3") returned 2 [0105.749] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="52") returned 2 [0105.749] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="12") returned 2 [0105.749] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="77") returned 2 [0105.749] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="6B") returned 2 [0105.749] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="66") returned 2 [0105.749] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="68") returned 2 [0105.749] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="EA") returned 2 [0105.749] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="DE") returned 2 [0105.749] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="6A") returned 2 [0105.749] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="ED") returned 2 [0105.749] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="BC") returned 2 [0105.750] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="28") returned 2 [0105.750] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="1F") returned 2 [0105.750] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="FB") returned 2 [0105.750] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="46") returned 2 [0105.750] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="C9") returned 2 [0105.750] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="D4") returned 2 [0105.750] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="28") returned 2 [0105.750] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="83") returned 2 [0105.750] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="42") returned 2 [0105.750] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="BD") returned 2 [0105.750] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="B8") returned 2 [0105.750] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="04") returned 2 [0105.750] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="43") returned 2 [0105.750] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="41") returned 2 [0105.750] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="13") returned 2 [0105.762] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll" [0105.762] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll" [0105.762] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll", lpString2=".B24C88AA07F35212776B6668EADE6AEDBC281FFB46C9D4288342BDB804434113" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll.B24C88AA07F35212776B6668EADE6AEDBC281FFB46C9D4288342BDB804434113") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll.B24C88AA07F35212776B6668EADE6AEDBC281FFB46C9D4288342BDB804434113" [0105.762] CreateIoCompletionPort (FileHandle=0x1a4, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0105.762] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0105.763] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x63b88300, ftCreationTime.dwHighDateTime=0x1cacf6a, ftLastAccessTime.dwLowDateTime=0xeef27730, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x63b88300, ftLastWriteTime.dwHighDateTime=0x1cacf6a, nFileSizeHigh=0x0, nFileSizeLow=0x7b60, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="ONINTL.DLL.trx_dll", cAlternateFileName="ONINTL~1.TRX")) returned 1 [0105.763] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0105.763] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="Program Files") returned -1 [0105.763] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0105.818] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0105.818] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0105.818] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2=".") returned 1 [0105.818] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="..") returned 1 [0105.818] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll") returned 70 [0105.818] lstrcmpW (lpString1="ONINTL.DLL.trx_dll", lpString2="PUSSY.TXT") returned -1 [0105.818] PathFindExtensionW (pszPath="ONINTL.DLL.trx_dll") returned=".trx_dll" [0105.818] lstrlenW (lpString=".trx_dll") returned 8 [0105.818] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0105.818] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\onintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0105.819] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=31584) returned 1 [0105.819] GetProcessHeap () returned 0x4c0000 [0105.819] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c28098 [0105.848] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="FA") returned 2 [0105.848] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="5F") returned 2 [0105.848] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="95") returned 2 [0105.848] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="29") returned 2 [0105.848] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="5C") returned 2 [0105.848] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="7A") returned 2 [0105.848] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="39") returned 2 [0105.848] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="EB") returned 2 [0105.848] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="FB") returned 2 [0105.848] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="A6") returned 2 [0105.848] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="71") returned 2 [0105.849] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="5D") returned 2 [0105.849] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="24") returned 2 [0105.849] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="A7") returned 2 [0105.849] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="2C") returned 2 [0105.849] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="14") returned 2 [0105.849] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="ED") returned 2 [0105.849] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="D0") returned 2 [0105.849] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="F0") returned 2 [0105.849] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="32") returned 2 [0105.849] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="4D") returned 2 [0105.849] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="C4") returned 2 [0105.849] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="2D") returned 2 [0105.849] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="50") returned 2 [0105.849] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="BE") returned 2 [0105.849] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="DC") returned 2 [0105.849] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="F7") returned 2 [0105.849] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="7B") returned 2 [0105.849] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="53") returned 2 [0105.849] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="AA") returned 2 [0105.849] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="95") returned 2 [0105.849] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="1D") returned 2 [0105.861] lstrcpyW (in: lpString1=0x3c380cc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll" [0105.861] lstrcpyW (in: lpString1=0x3c280cc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll" [0105.861] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll", lpString2=".FA5F95295C7A39EBFBA6715D24A72C14EDD0F0324DC42D50BEDCF77B53AA951D" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll.FA5F95295C7A39EBFBA6715D24A72C14EDD0F0324DC42D50BEDCF77B53AA951D") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll.FA5F95295C7A39EBFBA6715D24A72C14EDD0F0324DC42D50BEDCF77B53AA951D" [0105.861] CreateIoCompletionPort (FileHandle=0x16c, ExistingCompletionPort=0x94, CompletionKey=0x3c28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0105.862] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c28098, lpOverlapped=0x3c28098) returned 1 [0105.863] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x62875600, ftCreationTime.dwHighDateTime=0x1cacf6a, ftLastAccessTime.dwLowDateTime=0xeef4d890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x62875600, ftLastWriteTime.dwHighDateTime=0x1cacf6a, nFileSizeHigh=0x0, nFileSizeLow=0x3d960, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="ONINTL.REST.trx_dll", cAlternateFileName="ONINTL~2.TRX")) returned 1 [0105.863] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="Windows") returned -1 [0105.863] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="Program Files") returned -1 [0105.863] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0105.904] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0105.904] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="System Volume Information") returned -1 [0105.905] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2=".") returned 1 [0105.905] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="..") returned 1 [0105.905] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll") returned 71 [0105.905] lstrcmpW (lpString1="ONINTL.REST.trx_dll", lpString2="PUSSY.TXT") returned -1 [0105.905] PathFindExtensionW (pszPath="ONINTL.REST.trx_dll") returned=".trx_dll" [0105.905] lstrlenW (lpString=".trx_dll") returned 8 [0105.905] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0105.905] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\onintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0105.905] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=252256) returned 1 [0105.905] GetProcessHeap () returned 0x4c0000 [0105.905] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc8160 [0105.919] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="14") returned 2 [0105.919] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="13") returned 2 [0105.919] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="25") returned 2 [0105.919] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="BF") returned 2 [0105.919] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="7C") returned 2 [0105.920] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="6C") returned 2 [0105.920] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="99") returned 2 [0105.920] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="31") returned 2 [0105.920] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="1F") returned 2 [0105.920] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="24") returned 2 [0105.920] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="AC") returned 2 [0105.920] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="18") returned 2 [0105.920] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="A6") returned 2 [0105.920] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="84") returned 2 [0105.920] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="29") returned 2 [0105.920] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="E1") returned 2 [0105.920] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="95") returned 2 [0105.920] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="B3") returned 2 [0105.920] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="8C") returned 2 [0105.920] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="9C") returned 2 [0105.920] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="1D") returned 2 [0105.920] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="08") returned 2 [0105.920] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="80") returned 2 [0105.920] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="07") returned 2 [0105.920] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="3E") returned 2 [0105.921] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="86") returned 2 [0105.921] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="33") returned 2 [0105.921] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="51") returned 2 [0105.921] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="11") returned 2 [0105.921] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="1A") returned 2 [0105.921] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="90") returned 2 [0105.921] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="09") returned 2 [0105.933] lstrcpyW (in: lpString1=0x3bd8194, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll" [0105.933] lstrcpyW (in: lpString1=0x3bc8194, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll" [0105.933] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll", lpString2=".141325BF7C6C99311F24AC18A68429E195B38C9C1D0880073E863351111A9009" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll.141325BF7C6C99311F24AC18A68429E195B38C9C1D0880073E863351111A9009") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll.141325BF7C6C99311F24AC18A68429E195B38C9C1D0880073E863351111A9009" [0105.933] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x3bc8160, NumberOfConcurrentThreads=0x0) returned 0x94 [0105.933] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc8160, lpOverlapped=0x3bc8160) returned 1 [0105.934] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x302da400, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeef4d890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x302da400, ftLastWriteTime.dwHighDateTime=0x1caca12, nFileSizeHigh=0x0, nFileSizeLow=0x35960, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="OUTLLIBR.DLL.trx_dll", cAlternateFileName="OUTLLI~1.TRX")) returned 1 [0105.934] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="Windows") returned -1 [0105.934] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="Program Files") returned -1 [0105.934] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0105.934] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0105.934] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0105.934] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2=".") returned 1 [0105.934] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="..") returned 1 [0105.934] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll") returned 72 [0105.934] lstrcmpW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="PUSSY.TXT") returned -1 [0105.934] PathFindExtensionW (pszPath="OUTLLIBR.DLL.trx_dll") returned=".trx_dll" [0105.934] lstrlenW (lpString=".trx_dll") returned 8 [0105.934] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0105.934] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\outllibr.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0105.935] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=219488) returned 1 [0105.935] GetProcessHeap () returned 0x4c0000 [0105.935] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c500e8 [0105.947] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="90") returned 2 [0105.947] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="9B") returned 2 [0105.947] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="4B") returned 2 [0105.947] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="65") returned 2 [0105.947] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="2C") returned 2 [0105.947] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="4B") returned 2 [0105.947] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="25") returned 2 [0105.947] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="00") returned 2 [0105.947] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="FD") returned 2 [0105.947] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="1E") returned 2 [0105.948] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="F1") returned 2 [0105.948] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="D7") returned 2 [0105.948] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="B8") returned 2 [0105.948] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="30") returned 2 [0105.948] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="D8") returned 2 [0105.948] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="C2") returned 2 [0105.948] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="9C") returned 2 [0105.948] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="D7") returned 2 [0105.948] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="68") returned 2 [0105.948] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="29") returned 2 [0105.948] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="34") returned 2 [0105.948] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="F1") returned 2 [0105.948] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="70") returned 2 [0105.948] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="83") returned 2 [0105.948] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="04") returned 2 [0105.948] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="F0") returned 2 [0105.948] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="75") returned 2 [0105.948] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="9F") returned 2 [0105.948] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="38") returned 2 [0105.948] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="85") returned 2 [0105.948] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="E0") returned 2 [0105.948] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="37") returned 2 [0105.962] lstrcpyW (in: lpString1=0x3c6011c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll" [0105.962] lstrcpyW (in: lpString1=0x3c5011c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll" [0105.962] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll", lpString2=".909B4B652C4B2500FD1EF1D7B830D8C29CD7682934F1708304F0759F3885E037" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll.909B4B652C4B2500FD1EF1D7B830D8C29CD7682934F1708304F0759F3885E037") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll.909B4B652C4B2500FD1EF1D7B830D8C29CD7682934F1708304F0759F3885E037" [0105.962] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0x94, CompletionKey=0x3c500e8, NumberOfConcurrentThreads=0x0) returned 0x94 [0105.962] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c500e8, lpOverlapped=0x3c500e8) returned 1 [0105.963] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x302da400, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeef739f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x302da400, ftLastWriteTime.dwHighDateTime=0x1caca12, nFileSizeHigh=0x0, nFileSizeLow=0x9f560, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="OUTLLIBR.REST.trx_dll", cAlternateFileName="OUTLLI~2.TRX")) returned 1 [0105.963] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="Windows") returned -1 [0105.963] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="Program Files") returned -1 [0105.963] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0105.963] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0105.963] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="System Volume Information") returned -1 [0105.963] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2=".") returned 1 [0105.963] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="..") returned 1 [0105.963] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll") returned 73 [0105.963] lstrcmpW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="PUSSY.TXT") returned -1 [0105.963] PathFindExtensionW (pszPath="OUTLLIBR.REST.trx_dll") returned=".trx_dll" [0105.963] lstrlenW (lpString=".trx_dll") returned 8 [0105.964] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0105.964] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\outllibr.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0105.964] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=652640) returned 1 [0105.964] GetProcessHeap () returned 0x4c0000 [0105.964] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x512a90 [0106.069] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="A7") returned 2 [0106.069] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="AF") returned 2 [0106.069] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="E5") returned 2 [0106.069] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="4B") returned 2 [0106.069] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="99") returned 2 [0106.069] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="86") returned 2 [0106.069] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="78") returned 2 [0106.069] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="91") returned 2 [0106.069] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="92") returned 2 [0106.069] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="FE") returned 2 [0106.069] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="A2") returned 2 [0106.069] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="78") returned 2 [0106.069] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="29") returned 2 [0106.070] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="16") returned 2 [0106.070] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="94") returned 2 [0106.070] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="A8") returned 2 [0106.070] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="D1") returned 2 [0106.070] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="45") returned 2 [0106.070] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="8E") returned 2 [0106.070] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="8F") returned 2 [0106.070] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="79") returned 2 [0106.070] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="04") returned 2 [0106.070] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="7A") returned 2 [0106.070] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="48") returned 2 [0106.070] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="6E") returned 2 [0106.070] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="32") returned 2 [0106.070] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="AD") returned 2 [0106.070] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="AE") returned 2 [0106.070] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="C9") returned 2 [0106.070] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="9B") returned 2 [0106.070] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="4C") returned 2 [0106.070] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="41") returned 2 [0106.090] lstrcpyW (in: lpString1=0x522ac4, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll" [0106.091] lstrcpyW (in: lpString1=0x512ac4, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll" [0106.091] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll", lpString2=".A7AFE54B9986789192FEA278291694A8D1458E8F79047A486E32ADAEC99B4C41" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll.A7AFE54B9986789192FEA278291694A8D1458E8F79047A486E32ADAEC99B4C41") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll.A7AFE54B9986789192FEA278291694A8D1458E8F79047A486E32ADAEC99B4C41" [0106.091] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x512a90, NumberOfConcurrentThreads=0x0) returned 0x94 [0106.091] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x512a90, lpOverlapped=0x512a90) returned 1 [0106.102] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x315ed100, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeef739f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x315ed100, ftLastWriteTime.dwHighDateTime=0x1caca12, nFileSizeHigh=0x0, nFileSizeLow=0x2d60, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="OUTLWVW.DLL.trx_dll", cAlternateFileName="OUTLWV~1.TRX")) returned 1 [0106.102] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="Windows") returned -1 [0106.102] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="Program Files") returned -1 [0106.102] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0106.133] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0106.133] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0106.133] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2=".") returned 1 [0106.133] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="..") returned 1 [0106.133] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll") returned 71 [0106.133] lstrcmpW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="PUSSY.TXT") returned -1 [0106.133] PathFindExtensionW (pszPath="OUTLWVW.DLL.trx_dll") returned=".trx_dll" [0106.133] lstrlenW (lpString=".trx_dll") returned 8 [0106.133] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0106.133] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\outlwvw.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0106.135] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=11616) returned 1 [0106.135] GetProcessHeap () returned 0x4c0000 [0106.135] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x554b38 [0106.147] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="63") returned 2 [0106.147] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="EB") returned 2 [0106.147] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="E5") returned 2 [0106.147] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="90") returned 2 [0106.147] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="F8") returned 2 [0106.148] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="6E") returned 2 [0106.148] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="E6") returned 2 [0106.148] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="E6") returned 2 [0106.148] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="78") returned 2 [0106.148] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="0F") returned 2 [0106.148] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="7A") returned 2 [0106.148] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="2A") returned 2 [0106.148] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="53") returned 2 [0106.148] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="33") returned 2 [0106.148] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="32") returned 2 [0106.148] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="D8") returned 2 [0106.148] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="FF") returned 2 [0106.148] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="71") returned 2 [0106.148] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="41") returned 2 [0106.148] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="8A") returned 2 [0106.148] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="BD") returned 2 [0106.148] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="A9") returned 2 [0106.148] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="05") returned 2 [0106.148] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="7B") returned 2 [0106.148] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="35") returned 2 [0106.148] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="A0") returned 2 [0106.148] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="D6") returned 2 [0106.148] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="FC") returned 2 [0106.148] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="C9") returned 2 [0106.149] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="54") returned 2 [0106.149] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="63") returned 2 [0106.149] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="57") returned 2 [0106.158] lstrcpyW (in: lpString1=0x564b6c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll" [0106.158] lstrcpyW (in: lpString1=0x554b6c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll" [0106.158] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll", lpString2=".63EBE590F86EE6E6780F7A2A533332D8FF71418ABDA9057B35A0D6FCC9546357" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll.63EBE590F86EE6E6780F7A2A533332D8FF71418ABDA9057B35A0D6FCC9546357") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll.63EBE590F86EE6E6780F7A2A533332D8FF71418ABDA9057B35A0D6FCC9546357" [0106.158] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0x94, CompletionKey=0x554b38, NumberOfConcurrentThreads=0x0) returned 0x94 [0106.158] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x554b38, lpOverlapped=0x554b38) returned 1 [0106.158] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1a4a9400, ftCreationTime.dwHighDateTime=0x1cac804, ftLastAccessTime.dwLowDateTime=0xef00bf70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x1a4a9400, ftLastWriteTime.dwHighDateTime=0x1cac804, nFileSizeHigh=0x0, nFileSizeLow=0xd160, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="PPINTL.DLL.trx_dll", cAlternateFileName="PPINTL~1.TRX")) returned 1 [0106.158] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0106.159] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="Program Files") returned -1 [0106.170] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0106.170] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0106.170] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0106.170] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2=".") returned 1 [0106.170] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="..") returned 1 [0106.170] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll") returned 70 [0106.170] lstrcmpW (lpString1="PPINTL.DLL.trx_dll", lpString2="PUSSY.TXT") returned -1 [0106.170] PathFindExtensionW (pszPath="PPINTL.DLL.trx_dll") returned=".trx_dll" [0106.170] lstrlenW (lpString=".trx_dll") returned 8 [0106.170] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0106.170] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\ppintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0106.171] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=53600) returned 1 [0106.171] GetProcessHeap () returned 0x4c0000 [0106.171] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x57cb88 [0106.182] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="50") returned 2 [0106.182] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="DF") returned 2 [0106.182] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="6D") returned 2 [0106.182] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="9E") returned 2 [0106.182] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="50") returned 2 [0106.182] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="18") returned 2 [0106.182] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="25") returned 2 [0106.182] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="B7") returned 2 [0106.182] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="9A") returned 2 [0106.182] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="8B") returned 2 [0106.182] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="C0") returned 2 [0106.182] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="2A") returned 2 [0106.182] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="67") returned 2 [0106.182] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="CA") returned 2 [0106.182] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="FB") returned 2 [0106.182] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="2F") returned 2 [0106.182] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="D2") returned 2 [0106.182] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="A2") returned 2 [0106.182] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="D4") returned 2 [0106.183] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="23") returned 2 [0106.183] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="3C") returned 2 [0106.183] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="F5") returned 2 [0106.183] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="E0") returned 2 [0106.183] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="3C") returned 2 [0106.183] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="07") returned 2 [0106.183] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="DF") returned 2 [0106.183] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="2A") returned 2 [0106.183] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="65") returned 2 [0106.183] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="AC") returned 2 [0106.183] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="DB") returned 2 [0106.183] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="D1") returned 2 [0106.183] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="49") returned 2 [0106.197] lstrcpyW (in: lpString1=0x58cbbc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll" [0106.197] lstrcpyW (in: lpString1=0x57cbbc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll" [0106.197] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll", lpString2=".50DF6D9E501825B79A8BC02A67CAFB2FD2A2D4233CF5E03C07DF2A65ACDBD149" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll.50DF6D9E501825B79A8BC02A67CAFB2FD2A2D4233CF5E03C07DF2A65ACDBD149") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll.50DF6D9E501825B79A8BC02A67CAFB2FD2A2D4233CF5E03C07DF2A65ACDBD149" [0106.197] CreateIoCompletionPort (FileHandle=0x16c, ExistingCompletionPort=0x94, CompletionKey=0x57cb88, NumberOfConcurrentThreads=0x0) returned 0x94 [0106.198] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x57cb88, lpOverlapped=0x57cb88) returned 1 [0106.198] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x19196700, ftCreationTime.dwHighDateTime=0x1cac804, ftLastAccessTime.dwLowDateTime=0xef00bf70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x19196700, ftLastWriteTime.dwHighDateTime=0x1cac804, nFileSizeHigh=0x0, nFileSizeLow=0x43560, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="PPINTL.REST.trx_dll", cAlternateFileName="PPINTL~2.TRX")) returned 1 [0106.198] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="Windows") returned -1 [0106.198] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="Program Files") returned -1 [0106.249] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0106.249] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0106.249] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="System Volume Information") returned -1 [0106.249] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2=".") returned 1 [0106.249] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="..") returned 1 [0106.249] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll") returned 71 [0106.249] lstrcmpW (lpString1="PPINTL.REST.trx_dll", lpString2="PUSSY.TXT") returned -1 [0106.249] PathFindExtensionW (pszPath="PPINTL.REST.trx_dll") returned=".trx_dll" [0106.249] lstrlenW (lpString=".trx_dll") returned 8 [0106.250] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0106.250] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\ppintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a4 [0106.250] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=275808) returned 1 [0106.250] GetProcessHeap () returned 0x4c0000 [0106.250] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0106.267] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="D6") returned 2 [0106.267] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="91") returned 2 [0106.267] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="3B") returned 2 [0106.267] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="CF") returned 2 [0106.267] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="48") returned 2 [0106.267] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="76") returned 2 [0106.267] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="F8") returned 2 [0106.267] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="FE") returned 2 [0106.267] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="C5") returned 2 [0106.267] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="EA") returned 2 [0106.267] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="C1") returned 2 [0106.267] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="F2") returned 2 [0106.267] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="F1") returned 2 [0106.267] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="30") returned 2 [0106.267] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="CA") returned 2 [0106.267] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="28") returned 2 [0106.267] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="64") returned 2 [0106.267] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="D7") returned 2 [0106.267] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="D7") returned 2 [0106.267] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="04") returned 2 [0106.268] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="24") returned 2 [0106.268] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="B6") returned 2 [0106.268] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="7C") returned 2 [0106.268] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="68") returned 2 [0106.268] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="47") returned 2 [0106.268] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="AB") returned 2 [0106.268] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="66") returned 2 [0106.268] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="E7") returned 2 [0106.268] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="5E") returned 2 [0106.268] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="31") returned 2 [0106.268] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="34") returned 2 [0106.268] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="5B") returned 2 [0106.280] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll" [0106.284] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll" [0106.284] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll", lpString2=".D6913BCF4876F8FEC5EAC1F2F130CA2864D7D70424B67C6847AB66E75E31345B" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll.D6913BCF4876F8FEC5EAC1F2F130CA2864D7D70424B67C6847AB66E75E31345B") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll.D6913BCF4876F8FEC5EAC1F2F130CA2864D7D70424B67C6847AB66E75E31345B" [0106.284] CreateIoCompletionPort (FileHandle=0x1a4, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0106.284] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0106.285] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x58968200, ftCreationTime.dwHighDateTime=0x1cac809, ftLastAccessTime.dwLowDateTime=0xef00bf70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x58968200, ftLastWriteTime.dwHighDateTime=0x1cac809, nFileSizeHigh=0x0, nFileSizeLow=0x1a560, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="PUB6INTL.DLL.trx_dll", cAlternateFileName="PUB6IN~1.TRX")) returned 1 [0106.285] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="Windows") returned -1 [0106.285] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="Program Files") returned 1 [0106.329] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0106.329] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0106.329] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0106.329] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2=".") returned 1 [0106.329] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="..") returned 1 [0106.329] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll") returned 72 [0106.329] lstrcmpW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="PUSSY.TXT") returned -1 [0106.329] PathFindExtensionW (pszPath="PUB6INTL.DLL.trx_dll") returned=".trx_dll" [0106.332] lstrlenW (lpString=".trx_dll") returned 8 [0106.332] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0106.332] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\pub6intl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a4 [0106.333] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=107872) returned 1 [0106.333] GetProcessHeap () returned 0x4c0000 [0106.333] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0106.368] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="4C") returned 2 [0106.368] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="82") returned 2 [0106.368] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="34") returned 2 [0106.368] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="7A") returned 2 [0106.368] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="81") returned 2 [0106.368] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="A7") returned 2 [0106.368] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="6A") returned 2 [0106.368] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="2A") returned 2 [0106.368] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="78") returned 2 [0106.368] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="E5") returned 2 [0106.369] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="A1") returned 2 [0106.369] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="D7") returned 2 [0106.369] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="79") returned 2 [0106.369] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="92") returned 2 [0106.369] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="75") returned 2 [0106.369] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="B4") returned 2 [0106.369] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="BC") returned 2 [0106.369] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="97") returned 2 [0106.369] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="09") returned 2 [0106.369] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="7D") returned 2 [0106.369] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="4D") returned 2 [0106.369] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="64") returned 2 [0106.369] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="22") returned 2 [0106.369] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="3C") returned 2 [0106.369] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="F4") returned 2 [0106.369] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="CE") returned 2 [0106.369] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="13") returned 2 [0106.369] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="10") returned 2 [0106.369] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="0C") returned 2 [0106.369] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="42") returned 2 [0106.369] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="30") returned 2 [0106.369] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="72") returned 2 [0106.380] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll" [0106.380] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll" [0106.380] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll", lpString2=".4C82347A81A76A2A78E5A1D7799275B4BC97097D4D64223CF4CE13100C423072" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll.4C82347A81A76A2A78E5A1D7799275B4BC97097D4D64223CF4CE13100C423072") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll.4C82347A81A76A2A78E5A1D7799275B4BC97097D4D64223CF4CE13100C423072" [0106.380] CreateIoCompletionPort (FileHandle=0x1a4, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0106.380] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0106.387] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x57655500, ftCreationTime.dwHighDateTime=0x1cac809, ftLastAccessTime.dwLowDateTime=0xef0320d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x57655500, ftLastWriteTime.dwHighDateTime=0x1cac809, nFileSizeHigh=0x0, nFileSizeLow=0x87f60, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="PUB6INTL.REST.trx_dll", cAlternateFileName="PUB6IN~2.TRX")) returned 1 [0106.387] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="Windows") returned -1 [0106.387] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="Program Files") returned 1 [0106.387] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="Program Files (x86)") returned 1 [0106.387] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0106.387] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="System Volume Information") returned -1 [0106.387] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2=".") returned 1 [0106.387] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="..") returned 1 [0106.387] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll") returned 73 [0106.387] lstrcmpW (lpString1="PUB6INTL.REST.trx_dll", lpString2="PUSSY.TXT") returned -1 [0106.387] PathFindExtensionW (pszPath="PUB6INTL.REST.trx_dll") returned=".trx_dll" [0106.387] lstrlenW (lpString=".trx_dll") returned 8 [0106.388] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0106.388] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\pub6intl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0106.388] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=556896) returned 1 [0106.388] GetProcessHeap () returned 0x4c0000 [0106.388] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc8160 [0106.471] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="35") returned 2 [0106.471] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="0F") returned 2 [0106.471] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="19") returned 2 [0106.471] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="F7") returned 2 [0106.471] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="38") returned 2 [0106.471] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="99") returned 2 [0106.471] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="9E") returned 2 [0106.471] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="06") returned 2 [0106.471] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="30") returned 2 [0106.471] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="2D") returned 2 [0106.471] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="20") returned 2 [0106.471] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="32") returned 2 [0106.471] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="0D") returned 2 [0106.471] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="48") returned 2 [0106.471] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="A0") returned 2 [0106.471] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="51") returned 2 [0106.471] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="00") returned 2 [0106.471] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="2D") returned 2 [0106.471] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="6A") returned 2 [0106.471] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="26") returned 2 [0106.471] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="43") returned 2 [0106.471] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="E1") returned 2 [0106.471] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="98") returned 2 [0106.472] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="90") returned 2 [0106.472] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="60") returned 2 [0106.472] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="0E") returned 2 [0106.472] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="80") returned 2 [0106.472] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="70") returned 2 [0106.472] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="B8") returned 2 [0106.472] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="D3") returned 2 [0106.472] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="B8") returned 2 [0106.472] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="5E") returned 2 [0106.487] lstrcpyW (in: lpString1=0x3bd8194, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll" [0106.487] lstrcpyW (in: lpString1=0x3bc8194, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll" [0106.487] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll", lpString2=".350F19F738999E06302D20320D48A051002D6A2643E19890600E8070B8D3B85E" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll.350F19F738999E06302D20320D48A051002D6A2643E19890600E8070B8D3B85E") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll.350F19F738999E06302D20320D48A051002D6A2643E19890600E8070B8D3B85E" [0106.487] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x3bc8160, NumberOfConcurrentThreads=0x0) returned 0x94 [0106.487] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc8160, lpOverlapped=0x3bc8160) returned 1 [0106.488] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2720b500, ftCreationTime.dwHighDateTime=0x1cac80f, ftLastAccessTime.dwLowDateTime=0xef0320d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x2720b500, ftLastWriteTime.dwHighDateTime=0x1cac80f, nFileSizeHigh=0x0, nFileSizeLow=0x57f60, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="PUBWZINT.REST.trx_dll", cAlternateFileName="PUBWZI~1.TRX")) returned 1 [0106.488] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="Windows") returned -1 [0106.488] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="Program Files") returned 1 [0106.488] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="Program Files (x86)") returned 1 [0106.552] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0106.553] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="System Volume Information") returned -1 [0106.553] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2=".") returned 1 [0106.553] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="..") returned 1 [0106.553] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll") returned 73 [0106.553] lstrcmpW (lpString1="PUBWZINT.REST.trx_dll", lpString2="PUSSY.TXT") returned -1 [0106.553] PathFindExtensionW (pszPath="PUBWZINT.REST.trx_dll") returned=".trx_dll" [0106.553] lstrlenW (lpString=".trx_dll") returned 8 [0106.553] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0106.553] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\pubwzint.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0106.554] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=360288) returned 1 [0106.554] GetProcessHeap () returned 0x4c0000 [0106.554] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x512a90 [0106.568] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="7F") returned 2 [0106.568] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="F7") returned 2 [0106.568] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="52") returned 2 [0106.568] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="BF") returned 2 [0106.568] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="E0") returned 2 [0106.568] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="57") returned 2 [0106.568] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="AE") returned 2 [0106.568] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="69") returned 2 [0106.568] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="50") returned 2 [0106.568] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="81") returned 2 [0106.568] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="F7") returned 2 [0106.569] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="7D") returned 2 [0106.569] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="89") returned 2 [0106.569] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="C0") returned 2 [0106.569] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="5B") returned 2 [0106.569] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="5F") returned 2 [0106.569] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="6D") returned 2 [0106.569] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="92") returned 2 [0106.569] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="69") returned 2 [0106.569] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="84") returned 2 [0106.569] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="36") returned 2 [0106.569] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="BB") returned 2 [0106.569] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="85") returned 2 [0106.569] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="6E") returned 2 [0106.569] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="1B") returned 2 [0106.569] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="26") returned 2 [0106.569] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="DB") returned 2 [0106.569] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="6C") returned 2 [0106.569] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="F6") returned 2 [0106.569] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="36") returned 2 [0106.569] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="F3") returned 2 [0106.569] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="71") returned 2 [0106.584] lstrcpyW (in: lpString1=0x522ac4, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll" [0106.584] lstrcpyW (in: lpString1=0x512ac4, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll" [0106.584] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll", lpString2=".7FF752BFE057AE695081F77D89C05B5F6D92698436BB856E1B26DB6CF636F371" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll.7FF752BFE057AE695081F77D89C05B5F6D92698436BB856E1B26DB6CF636F371") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll.7FF752BFE057AE695081F77D89C05B5F6D92698436BB856E1B26DB6CF636F371" [0106.584] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x512a90, NumberOfConcurrentThreads=0x0) returned 0x94 [0106.584] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x512a90, lpOverlapped=0x512a90) returned 1 [0106.585] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x94d0df00, ftCreationTime.dwHighDateTime=0x1cac817, ftLastAccessTime.dwLowDateTime=0xef058230, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x94d0df00, ftLastWriteTime.dwHighDateTime=0x1cac817, nFileSizeHigh=0x0, nFileSizeLow=0x3360, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="SGRES.DLL.trx_dll", cAlternateFileName="SGRESD~1.TRX")) returned 1 [0106.585] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="Windows") returned -1 [0106.585] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="Program Files") returned 1 [0106.585] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0106.585] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0106.586] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0106.586] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2=".") returned 1 [0106.586] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="..") returned 1 [0106.586] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll") returned 69 [0106.586] lstrcmpW (lpString1="SGRES.DLL.trx_dll", lpString2="PUSSY.TXT") returned 1 [0106.586] PathFindExtensionW (pszPath="SGRES.DLL.trx_dll") returned=".trx_dll" [0106.586] lstrlenW (lpString=".trx_dll") returned 8 [0106.586] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0106.586] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\sgres.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xec [0106.587] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=13152) returned 1 [0106.587] GetProcessHeap () returned 0x4c0000 [0106.587] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c28098 [0106.654] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="0B") returned 2 [0106.654] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="70") returned 2 [0106.654] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="95") returned 2 [0106.654] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="B1") returned 2 [0106.654] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="99") returned 2 [0106.654] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="C0") returned 2 [0106.654] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="CD") returned 2 [0106.654] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="BA") returned 2 [0106.654] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="0D") returned 2 [0106.654] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="06") returned 2 [0106.654] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="FB") returned 2 [0106.654] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="2E") returned 2 [0106.654] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="C3") returned 2 [0106.654] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="D8") returned 2 [0106.654] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="13") returned 2 [0106.654] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="02") returned 2 [0106.654] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="70") returned 2 [0106.654] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="AC") returned 2 [0106.654] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="42") returned 2 [0106.655] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="6B") returned 2 [0106.655] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="7F") returned 2 [0106.680] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="F7") returned 2 [0106.680] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="BF") returned 2 [0106.680] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="A9") returned 2 [0106.680] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="38") returned 2 [0106.680] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="36") returned 2 [0106.680] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="AD") returned 2 [0106.680] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="A4") returned 2 [0106.680] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="4F") returned 2 [0106.680] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="A2") returned 2 [0106.680] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="AF") returned 2 [0106.680] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="7C") returned 2 [0106.691] lstrcpyW (in: lpString1=0x3c380cc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll" [0106.691] lstrcpyW (in: lpString1=0x3c280cc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll" [0106.691] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll", lpString2=".0B7095B199C0CDBA0D06FB2EC3D8130270AC426B7FF7BFA93836ADA44FA2AF7C" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll.0B7095B199C0CDBA0D06FB2EC3D8130270AC426B7FF7BFA93836ADA44FA2AF7C") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll.0B7095B199C0CDBA0D06FB2EC3D8130270AC426B7FF7BFA93836ADA44FA2AF7C" [0106.691] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x94, CompletionKey=0x3c28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0106.692] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c28098, lpOverlapped=0x3c28098) returned 1 [0106.707] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xca190500, ftCreationTime.dwHighDateTime=0x1cac7f6, ftLastAccessTime.dwLowDateTime=0xef058230, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xca190500, ftLastWriteTime.dwHighDateTime=0x1cac7f6, nFileSizeHigh=0x0, nFileSizeLow=0x4360, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="STINTL.DLL.trx_dll", cAlternateFileName="STINTL~1.TRX")) returned 1 [0106.707] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0106.707] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="Program Files") returned 1 [0106.708] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0106.708] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0106.708] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0106.708] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2=".") returned 1 [0106.708] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="..") returned 1 [0106.708] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll") returned 70 [0106.708] lstrcmpW (lpString1="STINTL.DLL.trx_dll", lpString2="PUSSY.TXT") returned 1 [0106.708] PathFindExtensionW (pszPath="STINTL.DLL.trx_dll") returned=".trx_dll" [0106.708] lstrlenW (lpString=".trx_dll") returned 8 [0106.708] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0106.708] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\stintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0106.709] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=17248) returned 1 [0106.709] GetProcessHeap () returned 0x4c0000 [0106.709] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0106.718] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="AE") returned 2 [0106.718] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="E5") returned 2 [0106.718] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="AB") returned 2 [0106.718] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="20") returned 2 [0106.718] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="C7") returned 2 [0106.718] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="DB") returned 2 [0106.718] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="F1") returned 2 [0106.718] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="74") returned 2 [0106.718] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="9F") returned 2 [0106.719] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="77") returned 2 [0106.719] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="E8") returned 2 [0106.719] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="12") returned 2 [0106.719] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="C0") returned 2 [0106.719] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="6E") returned 2 [0106.719] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="B0") returned 2 [0106.719] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="8A") returned 2 [0106.719] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="AF") returned 2 [0106.719] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="BD") returned 2 [0106.719] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="6B") returned 2 [0106.719] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="DC") returned 2 [0106.719] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="4E") returned 2 [0106.719] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="AF") returned 2 [0106.719] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="0E") returned 2 [0106.719] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="8D") returned 2 [0106.719] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="F3") returned 2 [0106.719] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="3A") returned 2 [0106.719] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="B4") returned 2 [0106.719] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="F7") returned 2 [0106.719] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="80") returned 2 [0106.719] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="D2") returned 2 [0106.719] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="42") returned 2 [0106.719] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="63") returned 2 [0106.727] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll" [0106.727] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll" [0106.727] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll", lpString2=".AEE5AB20C7DBF1749F77E812C06EB08AAFBD6BDC4EAF0E8DF33AB4F780D24263" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll.AEE5AB20C7DBF1749F77E812C06EB08AAFBD6BDC4EAF0E8DF33AB4F780D24263") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll.AEE5AB20C7DBF1749F77E812C06EB08AAFBD6BDC4EAF0E8DF33AB4F780D24263" [0106.728] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0106.728] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0106.728] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbf706700, ftCreationTime.dwHighDateTime=0x1cac81a, ftLastAccessTime.dwLowDateTime=0xef0a44f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xbf706700, ftLastWriteTime.dwHighDateTime=0x1cac81a, nFileSizeHigh=0x0, nFileSizeLow=0x6960, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="VISBRRES.DLL.trx_dll", cAlternateFileName="VISBRR~1.TRX")) returned 1 [0106.728] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="Windows") returned -1 [0106.728] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="Program Files") returned 1 [0106.747] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0106.747] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0106.747] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="System Volume Information") returned 1 [0106.747] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2=".") returned 1 [0106.747] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="..") returned 1 [0106.747] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll") returned 72 [0106.747] lstrcmpW (lpString1="VISBRRES.DLL.trx_dll", lpString2="PUSSY.TXT") returned 1 [0106.747] PathFindExtensionW (pszPath="VISBRRES.DLL.trx_dll") returned=".trx_dll" [0106.747] lstrlenW (lpString=".trx_dll") returned 8 [0106.747] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0106.747] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\visbrres.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a4 [0106.748] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=26976) returned 1 [0106.748] GetProcessHeap () returned 0x4c0000 [0106.748] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc8160 [0106.765] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="2B") returned 2 [0106.765] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="2F") returned 2 [0106.765] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="78") returned 2 [0106.765] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="A1") returned 2 [0106.765] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="8B") returned 2 [0106.765] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="2C") returned 2 [0106.765] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="34") returned 2 [0106.765] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="43") returned 2 [0106.765] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="5D") returned 2 [0106.765] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="0D") returned 2 [0106.765] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="8B") returned 2 [0106.765] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="44") returned 2 [0106.765] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="C1") returned 2 [0106.765] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="22") returned 2 [0106.765] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="8B") returned 2 [0106.765] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="4E") returned 2 [0106.765] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="E4") returned 2 [0106.765] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="4C") returned 2 [0106.765] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="4E") returned 2 [0106.765] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="15") returned 2 [0106.766] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="5B") returned 2 [0106.766] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="A0") returned 2 [0106.766] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="60") returned 2 [0106.766] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="69") returned 2 [0106.766] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="A4") returned 2 [0106.766] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="62") returned 2 [0106.766] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="F6") returned 2 [0106.766] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="99") returned 2 [0106.766] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="99") returned 2 [0106.766] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="57") returned 2 [0106.766] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="D3") returned 2 [0106.766] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="25") returned 2 [0106.779] lstrcpyW (in: lpString1=0x3bd8194, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll" [0106.779] lstrcpyW (in: lpString1=0x3bc8194, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll" [0106.779] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll", lpString2=".2B2F78A18B2C34435D0D8B44C1228B4EE44C4E155BA06069A462F6999957D325" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll.2B2F78A18B2C34435D0D8B44C1228B4EE44C4E155BA06069A462F6999957D325") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll.2B2F78A18B2C34435D0D8B44C1228B4EE44C4E155BA06069A462F6999957D325" [0106.802] CreateIoCompletionPort (FileHandle=0x1a4, ExistingCompletionPort=0x94, CompletionKey=0x3bc8160, NumberOfConcurrentThreads=0x0) returned 0x94 [0106.802] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc8160, lpOverlapped=0x3bc8160) returned 1 [0106.803] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x70273800, ftCreationTime.dwHighDateTime=0x1cac814, ftLastAccessTime.dwLowDateTime=0xef0a44f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x70273800, ftLastWriteTime.dwHighDateTime=0x1cac814, nFileSizeHigh=0x0, nFileSizeLow=0x73960, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="VISINTL.DLL.trx_dll", cAlternateFileName="VISINT~1.TRX")) returned 1 [0106.803] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0106.803] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="Program Files") returned 1 [0106.803] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0106.803] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0106.803] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="System Volume Information") returned 1 [0106.803] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2=".") returned 1 [0106.803] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="..") returned 1 [0106.803] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll") returned 71 [0106.803] lstrcmpW (lpString1="VISINTL.DLL.trx_dll", lpString2="PUSSY.TXT") returned 1 [0106.803] PathFindExtensionW (pszPath="VISINTL.DLL.trx_dll") returned=".trx_dll" [0106.803] lstrlenW (lpString=".trx_dll") returned 8 [0106.803] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0106.804] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\visintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0106.804] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=473440) returned 1 [0106.804] GetProcessHeap () returned 0x4c0000 [0106.804] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0106.841] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="B7") returned 2 [0106.841] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="C5") returned 2 [0106.841] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="A2") returned 2 [0106.841] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="A2") returned 2 [0106.841] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="03") returned 2 [0106.841] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="78") returned 2 [0106.841] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="8A") returned 2 [0106.841] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="36") returned 2 [0106.841] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="1D") returned 2 [0106.841] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="09") returned 2 [0106.841] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="55") returned 2 [0106.841] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="FA") returned 2 [0106.841] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="ED") returned 2 [0106.841] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="CE") returned 2 [0106.841] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="AB") returned 2 [0106.841] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="4F") returned 2 [0106.841] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="BD") returned 2 [0106.841] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="76") returned 2 [0106.841] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="5A") returned 2 [0106.841] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="05") returned 2 [0106.841] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="E3") returned 2 [0106.842] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="A4") returned 2 [0106.842] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="D6") returned 2 [0106.842] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="38") returned 2 [0106.842] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="0E") returned 2 [0106.842] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="E8") returned 2 [0106.842] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="C5") returned 2 [0106.842] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="90") returned 2 [0106.842] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="DD") returned 2 [0106.842] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="36") returned 2 [0106.842] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="8C") returned 2 [0106.842] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="4A") returned 2 [0106.852] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll" [0106.852] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll" [0106.852] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll", lpString2=".B7C5A2A203788A361D0955FAEDCEAB4FBD765A05E3A4D6380EE8C590DD368C4A" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll.B7C5A2A203788A361D0955FAEDCEAB4FBD765A05E3A4D6380EE8C590DD368C4A") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll.B7C5A2A203788A361D0955FAEDCEAB4FBD765A05E3A4D6380EE8C590DD368C4A" [0106.852] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0106.852] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0106.853] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa1789a00, ftCreationTime.dwHighDateTime=0x1cacd25, ftLastAccessTime.dwLowDateTime=0xef0ca650, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xa1789a00, ftLastWriteTime.dwHighDateTime=0x1cacd25, nFileSizeHigh=0x0, nFileSizeLow=0x24360, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="WWINTL.DLL.trx_dll", cAlternateFileName="WWINTL~1.TRX")) returned 1 [0106.853] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="Windows") returned 1 [0106.853] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="Program Files") returned 1 [0106.853] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0106.853] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0106.853] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="System Volume Information") returned 1 [0106.853] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2=".") returned 1 [0106.853] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="..") returned 1 [0106.884] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll") returned 70 [0106.884] lstrcmpW (lpString1="WWINTL.DLL.trx_dll", lpString2="PUSSY.TXT") returned 1 [0106.884] PathFindExtensionW (pszPath="WWINTL.DLL.trx_dll") returned=".trx_dll" [0106.884] lstrlenW (lpString=".trx_dll") returned 8 [0106.884] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0106.884] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\wwintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0106.885] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=148320) returned 1 [0106.885] GetProcessHeap () returned 0x4c0000 [0106.885] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c500e8 [0106.900] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="9E") returned 2 [0106.900] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="B9") returned 2 [0106.900] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="A5") returned 2 [0106.901] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="6C") returned 2 [0106.901] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="2F") returned 2 [0106.901] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="F2") returned 2 [0106.901] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="F7") returned 2 [0106.901] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="1F") returned 2 [0106.901] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="70") returned 2 [0106.901] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="8D") returned 2 [0106.901] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="50") returned 2 [0106.901] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="A7") returned 2 [0106.901] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="B1") returned 2 [0106.901] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="46") returned 2 [0106.901] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="59") returned 2 [0106.901] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="6D") returned 2 [0106.901] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="B4") returned 2 [0106.901] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="6B") returned 2 [0106.901] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="FF") returned 2 [0106.901] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="F8") returned 2 [0106.901] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="D0") returned 2 [0106.901] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="89") returned 2 [0106.901] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="4B") returned 2 [0106.901] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="AC") returned 2 [0106.901] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="5A") returned 2 [0106.901] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="49") returned 2 [0106.901] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="F9") returned 2 [0106.901] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="21") returned 2 [0106.901] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="2F") returned 2 [0106.901] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="2B") returned 2 [0106.902] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="61") returned 2 [0106.902] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="12") returned 2 [0106.928] lstrcpyW (in: lpString1=0x3c6011c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll" [0106.928] lstrcpyW (in: lpString1=0x3c5011c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll" [0106.928] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll", lpString2=".9EB9A56C2FF2F71F708D50A7B146596DB46BFFF8D0894BAC5A49F9212F2B6112" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll.9EB9A56C2FF2F71F708D50A7B146596DB46BFFF8D0894BAC5A49F9212F2B6112") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll.9EB9A56C2FF2F71F708D50A7B146596DB46BFFF8D0894BAC5A49F9212F2B6112" [0106.928] CreateIoCompletionPort (FileHandle=0x16c, ExistingCompletionPort=0x94, CompletionKey=0x3c500e8, NumberOfConcurrentThreads=0x0) returned 0x94 [0106.928] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c500e8, lpOverlapped=0x3c500e8) returned 1 [0106.928] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa2a9c700, ftCreationTime.dwHighDateTime=0x1cacd25, ftLastAccessTime.dwLowDateTime=0xef0f07b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xa2a9c700, ftLastWriteTime.dwHighDateTime=0x1cacd25, nFileSizeHigh=0x0, nFileSizeLow=0x110b60, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="WWINTL.REST.trx_dll", cAlternateFileName="WWINTL~2.TRX")) returned 1 [0106.928] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="Windows") returned 1 [0106.928] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="Program Files") returned 1 [0106.929] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="Program Files (x86)") returned 1 [0106.929] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0106.929] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="System Volume Information") returned 1 [0106.929] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2=".") returned 1 [0106.929] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="..") returned 1 [0106.929] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll") returned 71 [0106.929] lstrcmpW (lpString1="WWINTL.REST.trx_dll", lpString2="PUSSY.TXT") returned 1 [0106.929] PathFindExtensionW (pszPath="WWINTL.REST.trx_dll") returned=".trx_dll" [0106.929] lstrlenW (lpString=".trx_dll") returned 8 [0106.929] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0106.929] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\wwintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a4 [0106.930] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=1117024) returned 1 [0106.930] GetProcessHeap () returned 0x4c0000 [0106.930] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c28098 [0106.981] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="D5") returned 2 [0106.981] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="16") returned 2 [0106.981] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="3E") returned 2 [0106.981] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="36") returned 2 [0106.981] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="92") returned 2 [0106.981] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="46") returned 2 [0106.981] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="A2") returned 2 [0106.981] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="73") returned 2 [0106.981] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="AF") returned 2 [0106.981] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="FF") returned 2 [0106.981] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="41") returned 2 [0106.981] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="F2") returned 2 [0106.981] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="68") returned 2 [0106.981] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="11") returned 2 [0106.981] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="5C") returned 2 [0106.981] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="5A") returned 2 [0106.981] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="54") returned 2 [0106.981] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="F7") returned 2 [0106.981] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="CA") returned 2 [0106.981] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="D5") returned 2 [0106.981] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="5E") returned 2 [0106.982] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="A1") returned 2 [0106.982] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="83") returned 2 [0106.982] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="5D") returned 2 [0106.982] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="E5") returned 2 [0106.982] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="6E") returned 2 [0106.982] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="38") returned 2 [0106.982] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="50") returned 2 [0106.982] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="4C") returned 2 [0106.982] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="8B") returned 2 [0106.982] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="33") returned 2 [0106.982] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="03") returned 2 [0106.994] lstrcpyW (in: lpString1=0x3c380cc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll" [0106.994] lstrcpyW (in: lpString1=0x3c280cc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll" [0106.994] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll", lpString2=".D5163E369246A273AFFF41F268115C5A54F7CAD55EA1835DE56E38504C8B3303" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll.D5163E369246A273AFFF41F268115C5A54F7CAD55EA1835DE56E38504C8B3303") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll.D5163E369246A273AFFF41F268115C5A54F7CAD55EA1835DE56E38504C8B3303" [0106.994] CreateIoCompletionPort (FileHandle=0x1a4, ExistingCompletionPort=0x94, CompletionKey=0x3c28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0106.995] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c28098, lpOverlapped=0x3c28098) returned 1 [0106.995] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x61df1900, ftCreationTime.dwHighDateTime=0x1cac820, ftLastAccessTime.dwLowDateTime=0xef0f07b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x61df1900, ftLastWriteTime.dwHighDateTime=0x1cac820, nFileSizeHigh=0x0, nFileSizeLow=0x23960, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="XLINTL32.DLL.trx_dll", cAlternateFileName="XLINTL~1.TRX")) returned 1 [0106.995] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="Windows") returned 1 [0106.995] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="Program Files") returned 1 [0106.995] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0106.995] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0106.995] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="System Volume Information") returned 1 [0106.995] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2=".") returned 1 [0106.995] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="..") returned 1 [0106.996] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll") returned 72 [0106.996] lstrcmpW (lpString1="XLINTL32.DLL.trx_dll", lpString2="PUSSY.TXT") returned 1 [0106.996] PathFindExtensionW (pszPath="XLINTL32.DLL.trx_dll") returned=".trx_dll" [0106.996] lstrlenW (lpString=".trx_dll") returned 8 [0106.996] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0106.996] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\xlintl32.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xec [0106.996] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=145760) returned 1 [0106.996] GetProcessHeap () returned 0x4c0000 [0106.997] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc8160 [0107.051] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="7B") returned 2 [0107.051] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="42") returned 2 [0107.051] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="7B") returned 2 [0107.051] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="F2") returned 2 [0107.051] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="73") returned 2 [0107.051] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="28") returned 2 [0107.051] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="8E") returned 2 [0107.051] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="96") returned 2 [0107.051] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="C8") returned 2 [0107.051] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="45") returned 2 [0107.051] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="23") returned 2 [0107.051] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="C9") returned 2 [0107.051] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="A0") returned 2 [0107.051] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="5C") returned 2 [0107.051] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="CE") returned 2 [0107.052] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="75") returned 2 [0107.052] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="A2") returned 2 [0107.052] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="FA") returned 2 [0107.052] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="CC") returned 2 [0107.052] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="1A") returned 2 [0107.052] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="AD") returned 2 [0107.052] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="C9") returned 2 [0107.052] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="DE") returned 2 [0107.052] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="34") returned 2 [0107.052] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="2F") returned 2 [0107.052] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="70") returned 2 [0107.052] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="16") returned 2 [0107.052] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="7E") returned 2 [0107.052] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="82") returned 2 [0107.052] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="99") returned 2 [0107.052] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="8F") returned 2 [0107.052] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="23") returned 2 [0107.064] lstrcpyW (in: lpString1=0x3bd8194, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll" [0107.064] lstrcpyW (in: lpString1=0x3bc8194, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll" [0107.064] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll", lpString2=".7B427BF273288E96C84523C9A05CCE75A2FACC1AADC9DE342F70167E82998F23" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll.7B427BF273288E96C84523C9A05CCE75A2FACC1AADC9DE342F70167E82998F23") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll.7B427BF273288E96C84523C9A05CCE75A2FACC1AADC9DE342F70167E82998F23" [0107.065] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x94, CompletionKey=0x3bc8160, NumberOfConcurrentThreads=0x0) returned 0x94 [0107.065] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc8160, lpOverlapped=0x3bc8160) returned 1 [0107.065] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x61df1900, ftCreationTime.dwHighDateTime=0x1cac820, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x61df1900, ftLastWriteTime.dwHighDateTime=0x1cac820, nFileSizeHigh=0x0, nFileSizeLow=0x126760, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="XLINTL32.REST.trx_dll", cAlternateFileName="XLINTL~2.TRX")) returned 1 [0107.065] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="Windows") returned 1 [0107.065] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="Program Files") returned 1 [0107.065] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="Program Files (x86)") returned 1 [0107.065] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0107.065] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="System Volume Information") returned 1 [0107.065] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2=".") returned 1 [0107.065] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="..") returned 1 [0107.065] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll") returned 73 [0107.065] lstrcmpW (lpString1="XLINTL32.REST.trx_dll", lpString2="PUSSY.TXT") returned 1 [0107.065] PathFindExtensionW (pszPath="XLINTL32.REST.trx_dll") returned=".trx_dll" [0107.065] lstrlenW (lpString=".trx_dll") returned 8 [0107.065] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0107.065] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\xlintl32.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0107.066] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=1206112) returned 1 [0107.066] GetProcessHeap () returned 0x4c0000 [0107.066] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x512a90 [0107.078] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="A0") returned 2 [0107.078] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="8E") returned 2 [0107.078] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="B1") returned 2 [0107.078] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="C5") returned 2 [0107.078] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="F9") returned 2 [0107.078] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="AE") returned 2 [0107.078] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="F8") returned 2 [0107.078] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="21") returned 2 [0107.078] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="68") returned 2 [0107.078] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="DA") returned 2 [0107.078] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="A6") returned 2 [0107.079] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="53") returned 2 [0107.079] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="3A") returned 2 [0107.079] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="BB") returned 2 [0107.079] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="92") returned 2 [0107.079] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="1F") returned 2 [0107.079] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="FE") returned 2 [0107.079] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="72") returned 2 [0107.079] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="49") returned 2 [0107.079] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="15") returned 2 [0107.079] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="43") returned 2 [0107.079] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="70") returned 2 [0107.079] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="9B") returned 2 [0107.079] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="D0") returned 2 [0107.079] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="89") returned 2 [0107.079] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="49") returned 2 [0107.079] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="FB") returned 2 [0107.079] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="02") returned 2 [0107.079] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="63") returned 2 [0107.079] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="47") returned 2 [0107.079] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="AF") returned 2 [0107.079] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="0E") returned 2 [0107.091] lstrcpyW (in: lpString1=0x522ac4, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll" [0107.091] lstrcpyW (in: lpString1=0x512ac4, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll" [0107.091] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll", lpString2=".A08EB1C5F9AEF82168DAA6533ABB921FFE72491543709BD08949FB026347AF0E" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll.A08EB1C5F9AEF82168DAA6533ABB921FFE72491543709BD08949FB026347AF0E") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll.A08EB1C5F9AEF82168DAA6533ABB921FFE72491543709BD08949FB026347AF0E" [0107.091] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x512a90, NumberOfConcurrentThreads=0x0) returned 0x94 [0107.091] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x512a90, lpOverlapped=0x512a90) returned 1 [0107.091] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd7e38000, ftCreationTime.dwHighDateTime=0x1cac820, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xd7e38000, ftLastWriteTime.dwHighDateTime=0x1cac820, nFileSizeHigh=0x0, nFileSizeLow=0x3960, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="XLSLICER.DLL.trx_dll", cAlternateFileName="XLSLIC~1.TRX")) returned 1 [0107.091] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="Windows") returned 1 [0107.091] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="Program Files") returned 1 [0107.091] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0107.091] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0107.091] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="System Volume Information") returned 1 [0107.092] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2=".") returned 1 [0107.092] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="..") returned 1 [0107.092] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll") returned 72 [0107.092] lstrcmpW (lpString1="XLSLICER.DLL.trx_dll", lpString2="PUSSY.TXT") returned 1 [0107.092] PathFindExtensionW (pszPath="XLSLICER.DLL.trx_dll") returned=".trx_dll" [0107.092] lstrlenW (lpString=".trx_dll") returned 8 [0107.092] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0107.092] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\xlslicer.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0107.092] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=14688) returned 1 [0107.092] GetProcessHeap () returned 0x4c0000 [0107.092] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x554b38 [0107.105] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="48") returned 2 [0107.105] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="80") returned 2 [0107.105] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="0B") returned 2 [0107.105] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="22") returned 2 [0107.105] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="AA") returned 2 [0107.106] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="0C") returned 2 [0107.106] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="45") returned 2 [0107.106] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="5F") returned 2 [0107.106] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="06") returned 2 [0107.106] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="40") returned 2 [0107.106] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="8C") returned 2 [0107.106] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="88") returned 2 [0107.106] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="08") returned 2 [0107.106] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="34") returned 2 [0107.106] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="F4") returned 2 [0107.106] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="1A") returned 2 [0107.106] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="38") returned 2 [0107.106] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="F6") returned 2 [0107.106] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="80") returned 2 [0107.106] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="20") returned 2 [0107.106] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="E1") returned 2 [0107.106] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="C9") returned 2 [0107.106] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="6E") returned 2 [0107.106] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="06") returned 2 [0107.106] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="D1") returned 2 [0107.106] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="D5") returned 2 [0107.106] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="CC") returned 2 [0107.106] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="FD") returned 2 [0107.106] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="6B") returned 2 [0107.106] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="E3") returned 2 [0107.107] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="F5") returned 2 [0107.107] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="31") returned 2 [0107.126] lstrcpyW (in: lpString1=0x564b6c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll" [0107.126] lstrcpyW (in: lpString1=0x554b6c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll" [0107.126] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll", lpString2=".48800B22AA0C455F06408C880834F41A38F68020E1C96E06D1D5CCFD6BE3F531" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll.48800B22AA0C455F06408C880834F41A38F68020E1C96E06D1D5CCFD6BE3F531") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll.48800B22AA0C455F06408C880834F41A38F68020E1C96E06D1D5CCFD6BE3F531" [0107.126] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0x94, CompletionKey=0x554b38, NumberOfConcurrentThreads=0x0) returned 0x94 [0107.126] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x554b38, lpOverlapped=0x554b38) returned 1 [0107.127] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd7e38000, ftCreationTime.dwHighDateTime=0x1cac820, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xd7e38000, ftLastWriteTime.dwHighDateTime=0x1cac820, nFileSizeHigh=0x0, nFileSizeLow=0x3960, dwReserved0=0x4e2a18, dwReserved1=0xfe000000, cFileName="XLSLICER.DLL.trx_dll", cAlternateFileName="XLSLIC~1.TRX")) returned 0 [0107.127] FindClose (in: hFindFile=0x4e29a0 | out: hFindFile=0x4e29a0) returned 1 [0107.127] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUSSY.TXT") returned 61 [0107.128] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0107.128] lstrlenA (lpString="abcd") returned 4 [0107.128] WriteFile (in: hFile=0x174, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0107.130] CloseHandle (hObject=0x174) returned 1 [0107.130] GetProcessHeap () returned 0x4c0000 [0107.130] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0107.130] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef116910, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="3082", cAlternateFileName="")) returned 0 [0107.130] FindClose (in: hFindFile=0x4dbf10 | out: hFindFile=0x4dbf10) returned 1 [0107.130] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\PUSSY.TXT") returned 56 [0107.130] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0107.132] lstrlenA (lpString="abcd") returned 4 [0107.132] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0107.133] CloseHandle (hObject=0x184) returned 1 [0107.133] GetProcessHeap () returned 0x4c0000 [0107.133] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0107.134] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed38550, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="UICaptions", cAlternateFileName="UICAPT~1")) returned 0 [0107.134] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0107.134] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\PUSSY.TXT") returned 45 [0107.134] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\office\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0107.134] lstrlenA (lpString="abcd") returned 4 [0107.135] WriteFile (in: hFile=0x19c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0107.136] CloseHandle (hObject=0x19c) returned 1 [0107.136] GetProcessHeap () returned 0x4c0000 [0107.136] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0107.140] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xfa44d4a0, ftLastAccessTime.dwHighDateTime=0x1d305fd, ftLastWriteTime.dwLowDateTime=0xfa44d4a0, ftLastWriteTime.dwHighDateTime=0x1d305fd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="OfficeSoftwareProtectionPlatform", cAlternateFileName="OFFICE~1")) returned 1 [0107.140] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="Windows") returned -1 [0107.140] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="Program Files") returned -1 [0107.140] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="Program Files (x86)") returned -1 [0107.140] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="$Recycle.bin") returned 1 [0107.140] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="System Volume Information") returned -1 [0107.140] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2=".") returned 1 [0107.140] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="..") returned 1 [0107.140] wnsprintfW (in: pszDest=0x3bb8158, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform") returned 61 [0107.141] GetProcessHeap () returned 0x4c0000 [0107.141] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x502a88 [0107.142] lstrcpyW (in: lpString1=0x502a88, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform" [0107.142] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\*" [0107.142] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xfa44d4a0, ftLastAccessTime.dwHighDateTime=0x1d305fd, ftLastWriteTime.dwLowDateTime=0xfa44d4a0, ftLastWriteTime.dwHighDateTime=0x1d305fd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0107.142] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0107.255] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0107.255] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0107.255] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0107.255] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0107.255] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0107.256] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xfa44d4a0, ftLastAccessTime.dwHighDateTime=0x1d305fd, ftLastWriteTime.dwLowDateTime=0xfa44d4a0, ftLastWriteTime.dwHighDateTime=0x1d305fd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0107.256] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0107.256] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0107.256] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0107.256] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0107.256] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0107.256] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0107.256] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0107.256] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8ab1ae70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x9de525d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9de525d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Cache", cAlternateFileName="")) returned 1 [0107.256] lstrcmpiW (lpString1="Cache", lpString2="Windows") returned -1 [0107.256] lstrcmpiW (lpString1="Cache", lpString2="Program Files") returned -1 [0107.256] lstrcmpiW (lpString1="Cache", lpString2="Program Files (x86)") returned -1 [0107.256] lstrcmpiW (lpString1="Cache", lpString2="$Recycle.bin") returned 1 [0107.256] lstrcmpiW (lpString1="Cache", lpString2="System Volume Information") returned -1 [0107.256] lstrcmpiW (lpString1="Cache", lpString2=".") returned 1 [0107.256] lstrcmpiW (lpString1="Cache", lpString2="..") returned 1 [0107.256] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache") returned 67 [0107.256] GetProcessHeap () returned 0x4c0000 [0107.257] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53aae0 [0107.258] lstrcpyW (in: lpString1=0x53aae0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache" [0107.258] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*" [0107.258] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8ab1ae70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x9de525d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9de525d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e29a0 [0107.258] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0107.258] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0107.258] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0107.258] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0107.258] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0107.258] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0107.258] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8ab1ae70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x9de525d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9de525d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0107.259] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0107.259] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0107.259] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0107.259] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0107.259] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0107.259] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0107.259] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0107.259] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9de525d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x9de525d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2caa5f40, ftLastWriteTime.dwHighDateTime=0x1d4d597, nFileSizeHigh=0x0, nFileSizeLow=0x40270, dwReserved0=0x4e06f8, dwReserved1=0x77c61b06, cFileName="cache.dat", cAlternateFileName="")) returned 1 [0107.259] lstrcmpiW (lpString1="cache.dat", lpString2="Windows") returned -1 [0107.259] lstrcmpiW (lpString1="cache.dat", lpString2="Program Files") returned -1 [0107.259] lstrcmpiW (lpString1="cache.dat", lpString2="Program Files (x86)") returned -1 [0107.259] lstrcmpiW (lpString1="cache.dat", lpString2="$Recycle.bin") returned 1 [0107.259] lstrcmpiW (lpString1="cache.dat", lpString2="System Volume Information") returned -1 [0107.259] lstrcmpiW (lpString1="cache.dat", lpString2=".") returned 1 [0107.259] lstrcmpiW (lpString1="cache.dat", lpString2="..") returned 1 [0107.259] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat") returned 77 [0107.259] lstrcmpW (lpString1="cache.dat", lpString2="PUSSY.TXT") returned -1 [0107.259] PathFindExtensionW (pszPath="cache.dat") returned=".dat" [0107.260] lstrlenW (lpString=".dat") returned 4 [0107.260] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0107.260] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\cache\\cache.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0107.260] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=262768) returned 1 [0107.260] GetProcessHeap () returned 0x4c0000 [0107.260] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b00048 [0107.274] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="27") returned 2 [0107.274] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="65") returned 2 [0107.274] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="25") returned 2 [0107.274] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="85") returned 2 [0107.275] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="F2") returned 2 [0107.275] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="D3") returned 2 [0107.275] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="57") returned 2 [0107.275] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="A6") returned 2 [0107.275] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="72") returned 2 [0107.275] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="07") returned 2 [0107.275] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="25") returned 2 [0107.275] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="33") returned 2 [0107.275] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="C2") returned 2 [0107.275] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="02") returned 2 [0107.275] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="28") returned 2 [0107.275] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="AF") returned 2 [0107.275] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="1A") returned 2 [0107.275] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="DB") returned 2 [0107.275] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="E8") returned 2 [0107.275] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="89") returned 2 [0107.275] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="FE") returned 2 [0107.275] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="29") returned 2 [0107.275] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="D6") returned 2 [0107.275] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="A7") returned 2 [0107.275] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="F2") returned 2 [0107.275] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="74") returned 2 [0107.275] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="F8") returned 2 [0107.275] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="D8") returned 2 [0107.275] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="8B") returned 2 [0107.276] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="B3") returned 2 [0107.276] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="2D") returned 2 [0107.276] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="6A") returned 2 [0107.288] lstrcpyW (in: lpString1=0x3b1007c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat" [0107.288] lstrcpyW (in: lpString1=0x3b0007c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat" [0107.288] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat", lpString2=".27652585F2D357A672072533C20228AF1ADBE889FE29D6A7F274F8D88BB32D6A" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat.27652585F2D357A672072533C20228AF1ADBE889FE29D6A7F274F8D88BB32D6A") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat.27652585F2D357A672072533C20228AF1ADBE889FE29D6A7F274F8D88BB32D6A" [0107.288] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x3b00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0107.288] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b00048, lpOverlapped=0x3b00048) returned 1 [0107.289] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9de525d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x9de525d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2caa5f40, ftLastWriteTime.dwHighDateTime=0x1d4d597, nFileSizeHigh=0x0, nFileSizeLow=0x40270, dwReserved0=0x4e06f8, dwReserved1=0x77c61b06, cFileName="cache.dat", cAlternateFileName="")) returned 0 [0107.289] FindClose (in: hFindFile=0x4e29a0 | out: hFindFile=0x4e29a0) returned 1 [0107.289] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\PUSSY.TXT") returned 77 [0107.289] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\cache\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0107.346] lstrlenA (lpString="abcd") returned 4 [0107.346] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0107.347] CloseHandle (hObject=0x184) returned 1 [0107.348] GetProcessHeap () returned 0x4c0000 [0107.348] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53aae0 | out: hHeap=0x4c0000) returned 1 [0107.348] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8c015050, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xfa44d4a0, ftLastAccessTime.dwHighDateTime=0x1d305fd, ftLastWriteTime.dwLowDateTime=0x63c5e40, ftLastWriteTime.dwHighDateTime=0x1d305fe, nFileSizeHigh=0x0, nFileSizeLow=0x469bd5, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="tokens.dat", cAlternateFileName="")) returned 1 [0107.348] lstrcmpiW (lpString1="tokens.dat", lpString2="Windows") returned -1 [0107.348] lstrcmpiW (lpString1="tokens.dat", lpString2="Program Files") returned 1 [0107.348] lstrcmpiW (lpString1="tokens.dat", lpString2="Program Files (x86)") returned 1 [0107.348] lstrcmpiW (lpString1="tokens.dat", lpString2="$Recycle.bin") returned 1 [0107.348] lstrcmpiW (lpString1="tokens.dat", lpString2="System Volume Information") returned 1 [0107.348] lstrcmpiW (lpString1="tokens.dat", lpString2=".") returned 1 [0107.348] lstrcmpiW (lpString1="tokens.dat", lpString2="..") returned 1 [0107.348] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat") returned 72 [0107.348] lstrcmpW (lpString1="tokens.dat", lpString2="PUSSY.TXT") returned 1 [0107.348] PathFindExtensionW (pszPath="tokens.dat") returned=".dat" [0107.348] lstrlenW (lpString=".dat") returned 4 [0107.349] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0107.349] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\tokens.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0107.350] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=4627413) returned 1 [0107.350] GetProcessHeap () returned 0x4c0000 [0107.350] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b00048 [0107.364] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="7E") returned 2 [0107.364] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="81") returned 2 [0107.364] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="FB") returned 2 [0107.364] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="FF") returned 2 [0107.364] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="00") returned 2 [0107.364] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="D9") returned 2 [0107.364] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="18") returned 2 [0107.364] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="92") returned 2 [0107.364] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="27") returned 2 [0107.364] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="FC") returned 2 [0107.364] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="99") returned 2 [0107.364] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="B2") returned 2 [0107.364] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="EC") returned 2 [0107.364] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="4C") returned 2 [0107.364] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="76") returned 2 [0107.364] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="69") returned 2 [0107.364] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="EA") returned 2 [0107.365] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="F4") returned 2 [0107.365] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="6F") returned 2 [0107.365] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="2B") returned 2 [0107.365] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="0E") returned 2 [0107.365] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="85") returned 2 [0107.365] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="9F") returned 2 [0107.365] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="77") returned 2 [0107.365] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="8C") returned 2 [0107.365] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="D1") returned 2 [0107.365] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="E3") returned 2 [0107.365] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="E3") returned 2 [0107.365] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="DD") returned 2 [0107.365] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="5F") returned 2 [0107.365] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="2F") returned 2 [0107.365] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="2B") returned 2 [0107.377] lstrcpyW (in: lpString1=0x3b1007c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat" [0107.377] lstrcpyW (in: lpString1=0x3b0007c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat" [0107.377] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat", lpString2=".7E81FBFF00D9189227FC99B2EC4C7669EAF46F2B0E859F778CD1E3E3DD5F2F2B" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat.7E81FBFF00D9189227FC99B2EC4C7669EAF46F2B0E859F778CD1E3E3DD5F2F2B") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat.7E81FBFF00D9189227FC99B2EC4C7669EAF46F2B0E859F778CD1E3E3DD5F2F2B" [0107.377] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x3b00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0107.377] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b00048, lpOverlapped=0x3b00048) returned 1 [0107.377] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8c015050, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xfa44d4a0, ftLastAccessTime.dwHighDateTime=0x1d305fd, ftLastWriteTime.dwLowDateTime=0x63c5e40, ftLastWriteTime.dwHighDateTime=0x1d305fe, nFileSizeHigh=0x0, nFileSizeLow=0x469bd5, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="tokens.dat", cAlternateFileName="")) returned 0 [0107.378] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0107.378] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\PUSSY.TXT") returned 71 [0107.378] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0107.378] lstrlenA (lpString="abcd") returned 4 [0107.378] WriteFile (in: hFile=0x19c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0107.380] CloseHandle (hObject=0x19c) returned 1 [0107.380] GetProcessHeap () returned 0x4c0000 [0107.380] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0107.380] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="RAC", cAlternateFileName="")) returned 1 [0107.380] lstrcmpiW (lpString1="RAC", lpString2="Windows") returned -1 [0107.380] lstrcmpiW (lpString1="RAC", lpString2="Program Files") returned 1 [0107.380] lstrcmpiW (lpString1="RAC", lpString2="Program Files (x86)") returned 1 [0107.380] lstrcmpiW (lpString1="RAC", lpString2="$Recycle.bin") returned 1 [0107.380] lstrcmpiW (lpString1="RAC", lpString2="System Volume Information") returned -1 [0107.380] lstrcmpiW (lpString1="RAC", lpString2=".") returned 1 [0107.380] lstrcmpiW (lpString1="RAC", lpString2="..") returned 1 [0107.380] wnsprintfW (in: pszDest=0x3bb8158, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC") returned 32 [0107.380] GetProcessHeap () returned 0x4c0000 [0107.380] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x502a88 [0107.380] lstrcpyW (in: lpString1=0x502a88, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\RAC" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC" [0107.380] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\*" [0107.380] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0107.381] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0107.381] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0107.381] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0107.381] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0107.381] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0107.381] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0107.381] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0107.381] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0107.381] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0107.381] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0107.381] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0107.381] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0107.381] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0107.381] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0107.381] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd6e33921, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Outbound", cAlternateFileName="")) returned 1 [0107.381] lstrcmpiW (lpString1="Outbound", lpString2="Windows") returned -1 [0107.381] lstrcmpiW (lpString1="Outbound", lpString2="Program Files") returned -1 [0107.381] lstrcmpiW (lpString1="Outbound", lpString2="Program Files (x86)") returned -1 [0107.381] lstrcmpiW (lpString1="Outbound", lpString2="$Recycle.bin") returned 1 [0107.381] lstrcmpiW (lpString1="Outbound", lpString2="System Volume Information") returned -1 [0107.381] lstrcmpiW (lpString1="Outbound", lpString2=".") returned 1 [0107.381] lstrcmpiW (lpString1="Outbound", lpString2="..") returned 1 [0107.382] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound") returned 41 [0107.382] GetProcessHeap () returned 0x4c0000 [0107.382] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53aae0 [0107.382] lstrcpyW (in: lpString1=0x53aae0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound" [0107.382] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound\\*" [0107.382] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd6e33921, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e29a0 [0107.382] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0107.382] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0107.382] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0107.382] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0107.382] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0107.382] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0107.382] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd6e33921, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0107.382] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0107.383] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0107.383] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0107.383] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0107.383] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0107.383] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0107.383] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0107.383] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd6e33921, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 0 [0107.383] FindClose (in: hFindFile=0x4e29a0 | out: hFindFile=0x4e29a0) returned 1 [0107.383] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound\\PUSSY.TXT") returned 51 [0107.383] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\rac\\outbound\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0107.384] lstrlenA (lpString="abcd") returned 4 [0107.384] WriteFile (in: hFile=0x178, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0107.385] CloseHandle (hObject=0x178) returned 1 [0107.385] GetProcessHeap () returned 0x4c0000 [0107.385] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53aae0 | out: hHeap=0x4c0000) returned 1 [0107.385] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xa6414be0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xa6414be0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="PublishedData", cAlternateFileName="PUBLIS~1")) returned 1 [0107.385] lstrcmpiW (lpString1="PublishedData", lpString2="Windows") returned -1 [0107.385] lstrcmpiW (lpString1="PublishedData", lpString2="Program Files") returned 1 [0107.385] lstrcmpiW (lpString1="PublishedData", lpString2="Program Files (x86)") returned 1 [0107.385] lstrcmpiW (lpString1="PublishedData", lpString2="$Recycle.bin") returned 1 [0107.385] lstrcmpiW (lpString1="PublishedData", lpString2="System Volume Information") returned -1 [0107.385] lstrcmpiW (lpString1="PublishedData", lpString2=".") returned 1 [0107.385] lstrcmpiW (lpString1="PublishedData", lpString2="..") returned 1 [0107.385] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData") returned 46 [0107.385] GetProcessHeap () returned 0x4c0000 [0107.385] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53aae0 [0107.385] lstrcpyW (in: lpString1=0x53aae0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData" [0107.386] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\*" [0107.386] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xa6414be0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xa6414be0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e29a0 [0107.386] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0107.386] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0107.386] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0107.386] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0107.386] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0107.386] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0107.386] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xa6414be0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xa6414be0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0107.386] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0107.386] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0107.386] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0107.386] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0107.386] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0107.386] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0107.386] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0107.386] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xece09220, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xa6414be0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xa6460ea0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="RacWmiDatabase.sdf", cAlternateFileName="RACWMI~1.SDF")) returned 1 [0107.386] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="Windows") returned -1 [0107.386] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="Program Files") returned 1 [0107.386] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="Program Files (x86)") returned 1 [0107.386] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="$Recycle.bin") returned 1 [0107.386] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="System Volume Information") returned -1 [0107.387] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2=".") returned 1 [0107.387] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="..") returned 1 [0107.387] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf") returned 65 [0107.387] lstrcmpW (lpString1="RacWmiDatabase.sdf", lpString2="PUSSY.TXT") returned 1 [0107.387] PathFindExtensionW (pszPath="RacWmiDatabase.sdf") returned=".sdf" [0107.387] lstrlenW (lpString=".sdf") returned 4 [0107.387] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0107.387] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.387] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xece09220, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xa6414be0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xa6460ea0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="RacWmiDatabase.sdf", cAlternateFileName="RACWMI~1.SDF")) returned 0 [0107.387] FindClose (in: hFindFile=0x4e29a0 | out: hFindFile=0x4e29a0) returned 1 [0107.391] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\PUSSY.TXT") returned 56 [0107.391] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0107.470] lstrlenA (lpString="abcd") returned 4 [0107.470] WriteFile (in: hFile=0x1a4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0107.473] CloseHandle (hObject=0x1a4) returned 1 [0107.473] GetProcessHeap () returned 0x4c0000 [0107.473] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53aae0 | out: hHeap=0x4c0000) returned 1 [0107.473] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xa6414be0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xa6414be0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="StateData", cAlternateFileName="STATED~1")) returned 1 [0107.473] lstrcmpiW (lpString1="StateData", lpString2="Windows") returned -1 [0107.474] lstrcmpiW (lpString1="StateData", lpString2="Program Files") returned 1 [0107.474] lstrcmpiW (lpString1="StateData", lpString2="Program Files (x86)") returned 1 [0107.474] lstrcmpiW (lpString1="StateData", lpString2="$Recycle.bin") returned 1 [0107.474] lstrcmpiW (lpString1="StateData", lpString2="System Volume Information") returned -1 [0107.474] lstrcmpiW (lpString1="StateData", lpString2=".") returned 1 [0107.474] lstrcmpiW (lpString1="StateData", lpString2="..") returned 1 [0107.474] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData") returned 42 [0107.474] GetProcessHeap () returned 0x4c0000 [0107.474] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53aae0 [0107.474] lstrcpyW (in: lpString1=0x53aae0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData" [0107.474] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\*" [0107.474] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xa6414be0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xa6414be0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4ddce8 [0107.474] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0107.474] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0107.474] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0107.474] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0107.474] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0107.474] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0107.475] FindNextFileW (in: hFindFile=0x4ddce8, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xa6414be0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xa6414be0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0107.475] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0107.475] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0107.475] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0107.475] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0107.475] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0107.475] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0107.476] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0107.476] FindNextFileW (in: hFindFile=0x4ddce8, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xecb35800, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xecb35800, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xbddb7d60, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x85000, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="RacDatabase.sdf", cAlternateFileName="RACDAT~1.SDF")) returned 1 [0107.476] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="Windows") returned -1 [0107.476] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="Program Files") returned 1 [0107.476] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="Program Files (x86)") returned 1 [0107.476] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="$Recycle.bin") returned 1 [0107.476] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="System Volume Information") returned -1 [0107.476] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2=".") returned 1 [0107.476] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="..") returned 1 [0107.476] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf") returned 58 [0107.476] lstrcmpW (lpString1="RacDatabase.sdf", lpString2="PUSSY.TXT") returned 1 [0107.476] PathFindExtensionW (pszPath="RacDatabase.sdf") returned=".sdf" [0107.476] lstrlenW (lpString=".sdf") returned 4 [0107.476] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0107.476] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf" (normalized: "c:\\programdata\\microsoft\\rac\\statedata\\racdatabase.sdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.477] FindNextFileW (in: hFindFile=0x4ddce8, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4e1e72ec, ftCreationTime.dwHighDateTime=0x1cb8927, ftLastAccessTime.dwLowDateTime=0x4e1e72ec, ftLastAccessTime.dwHighDateTime=0x1cb8927, ftLastWriteTime.dwLowDateTime=0xbddddec0, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x8, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="RacMetaData.dat", cAlternateFileName="RACMET~1.DAT")) returned 1 [0107.477] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="Windows") returned -1 [0107.477] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="Program Files") returned 1 [0107.477] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="Program Files (x86)") returned 1 [0107.477] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="$Recycle.bin") returned 1 [0107.477] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="System Volume Information") returned -1 [0107.477] lstrcmpiW (lpString1="RacMetaData.dat", lpString2=".") returned 1 [0107.477] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="..") returned 1 [0107.477] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacMetaData.dat") returned 58 [0107.477] lstrcmpW (lpString1="RacMetaData.dat", lpString2="PUSSY.TXT") returned 1 [0107.477] PathFindExtensionW (pszPath="RacMetaData.dat") returned=".dat" [0107.477] lstrlenW (lpString=".dat") returned 4 [0107.478] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0107.478] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacMetaData.dat" (normalized: "c:\\programdata\\microsoft\\rac\\statedata\\racmetadata.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.478] FindNextFileW (in: hFindFile=0x4ddce8, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4e1e72ec, ftCreationTime.dwHighDateTime=0x1cb8927, ftLastAccessTime.dwLowDateTime=0x4e1e72ec, ftLastAccessTime.dwHighDateTime=0x1cb8927, ftLastWriteTime.dwLowDateTime=0xbddddec0, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x8, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="RacMetaData.dat", cAlternateFileName="RACMET~1.DAT")) returned 0 [0107.478] FindClose (in: hFindFile=0x4ddce8 | out: hFindFile=0x4ddce8) returned 1 [0107.478] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\PUSSY.TXT") returned 52 [0107.478] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\rac\\statedata\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0107.479] lstrlenA (lpString="abcd") returned 4 [0107.479] WriteFile (in: hFile=0x1a4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0107.480] CloseHandle (hObject=0x1a4) returned 1 [0107.480] GetProcessHeap () returned 0x4c0000 [0107.480] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53aae0 | out: hHeap=0x4c0000) returned 1 [0107.480] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xa651f580, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xa651f580, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Temp", cAlternateFileName="")) returned 1 [0107.480] lstrcmpiW (lpString1="Temp", lpString2="Windows") returned -1 [0107.480] lstrcmpiW (lpString1="Temp", lpString2="Program Files") returned 1 [0107.480] lstrcmpiW (lpString1="Temp", lpString2="Program Files (x86)") returned 1 [0107.480] lstrcmpiW (lpString1="Temp", lpString2="$Recycle.bin") returned 1 [0107.480] lstrcmpiW (lpString1="Temp", lpString2="System Volume Information") returned 1 [0107.481] lstrcmpiW (lpString1="Temp", lpString2=".") returned 1 [0107.481] lstrcmpiW (lpString1="Temp", lpString2="..") returned 1 [0107.481] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp") returned 37 [0107.481] GetProcessHeap () returned 0x4c0000 [0107.481] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53aae0 [0107.481] lstrcpyW (in: lpString1=0x53aae0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp" [0107.481] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\*" [0107.481] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xa651f580, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xa651f580, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4ddce8 [0107.481] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0107.481] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0107.481] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0107.481] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0107.481] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0107.481] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0107.481] FindNextFileW (in: hFindFile=0x4ddce8, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xa651f580, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xa651f580, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0107.481] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0107.481] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0107.481] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0107.481] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0107.481] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0107.481] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0107.481] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0107.482] FindNextFileW (in: hFindFile=0x4ddce8, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa64f9420, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xa64f9420, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xa64f9420, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="sqlA553.tmp", cAlternateFileName="")) returned 1 [0107.482] lstrcmpiW (lpString1="sqlA553.tmp", lpString2="Windows") returned -1 [0107.482] lstrcmpiW (lpString1="sqlA553.tmp", lpString2="Program Files") returned 1 [0107.482] lstrcmpiW (lpString1="sqlA553.tmp", lpString2="Program Files (x86)") returned 1 [0107.482] lstrcmpiW (lpString1="sqlA553.tmp", lpString2="$Recycle.bin") returned 1 [0107.482] lstrcmpiW (lpString1="sqlA553.tmp", lpString2="System Volume Information") returned -1 [0107.482] lstrcmpiW (lpString1="sqlA553.tmp", lpString2=".") returned 1 [0107.482] lstrcmpiW (lpString1="sqlA553.tmp", lpString2="..") returned 1 [0107.482] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\sqlA553.tmp") returned 49 [0107.482] lstrcmpW (lpString1="sqlA553.tmp", lpString2="PUSSY.TXT") returned 1 [0107.482] PathFindExtensionW (pszPath="sqlA553.tmp") returned=".tmp" [0107.482] lstrlenW (lpString=".tmp") returned 4 [0107.482] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0107.482] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\sqlA553.tmp" (normalized: "c:\\programdata\\microsoft\\rac\\temp\\sqla553.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.482] FindNextFileW (in: hFindFile=0x4ddce8, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa651f580, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xa651f580, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xa65456e0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="sqlA563.tmp", cAlternateFileName="")) returned 1 [0107.482] lstrcmpiW (lpString1="sqlA563.tmp", lpString2="Windows") returned -1 [0107.482] lstrcmpiW (lpString1="sqlA563.tmp", lpString2="Program Files") returned 1 [0107.482] lstrcmpiW (lpString1="sqlA563.tmp", lpString2="Program Files (x86)") returned 1 [0107.482] lstrcmpiW (lpString1="sqlA563.tmp", lpString2="$Recycle.bin") returned 1 [0107.482] lstrcmpiW (lpString1="sqlA563.tmp", lpString2="System Volume Information") returned -1 [0107.483] lstrcmpiW (lpString1="sqlA563.tmp", lpString2=".") returned 1 [0107.483] lstrcmpiW (lpString1="sqlA563.tmp", lpString2="..") returned 1 [0107.483] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\sqlA563.tmp") returned 49 [0107.483] lstrcmpW (lpString1="sqlA563.tmp", lpString2="PUSSY.TXT") returned 1 [0107.483] PathFindExtensionW (pszPath="sqlA563.tmp") returned=".tmp" [0107.483] lstrlenW (lpString=".tmp") returned 4 [0107.483] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0107.483] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\sqlA563.tmp" (normalized: "c:\\programdata\\microsoft\\rac\\temp\\sqla563.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.483] FindNextFileW (in: hFindFile=0x4ddce8, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa651f580, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xa651f580, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xa65456e0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="sqlA563.tmp", cAlternateFileName="")) returned 0 [0107.483] FindClose (in: hFindFile=0x4ddce8 | out: hFindFile=0x4ddce8) returned 1 [0107.483] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\PUSSY.TXT") returned 47 [0107.483] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\rac\\temp\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0107.484] lstrlenA (lpString="abcd") returned 4 [0107.484] WriteFile (in: hFile=0x1a4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0107.485] CloseHandle (hObject=0x1a4) returned 1 [0107.485] GetProcessHeap () returned 0x4c0000 [0107.485] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53aae0 | out: hHeap=0x4c0000) returned 1 [0107.485] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xa651f580, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xa651f580, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Temp", cAlternateFileName="")) returned 0 [0107.485] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0107.485] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PUSSY.TXT") returned 42 [0107.485] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\rac\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0107.487] lstrlenA (lpString="abcd") returned 4 [0107.487] WriteFile (in: hFile=0x19c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0107.489] CloseHandle (hObject=0x19c) returned 1 [0107.489] GetProcessHeap () returned 0x4c0000 [0107.489] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0107.490] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27df8b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27df8b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="Search", cAlternateFileName="")) returned 1 [0107.490] lstrcmpiW (lpString1="Search", lpString2="Windows") returned -1 [0107.490] lstrcmpiW (lpString1="Search", lpString2="Program Files") returned 1 [0107.490] lstrcmpiW (lpString1="Search", lpString2="Program Files (x86)") returned 1 [0107.490] lstrcmpiW (lpString1="Search", lpString2="$Recycle.bin") returned 1 [0107.490] lstrcmpiW (lpString1="Search", lpString2="System Volume Information") returned -1 [0107.490] lstrcmpiW (lpString1="Search", lpString2=".") returned 1 [0107.490] lstrcmpiW (lpString1="Search", lpString2="..") returned 1 [0107.490] wnsprintfW (in: pszDest=0x3bb8158, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search") returned 35 [0107.491] GetProcessHeap () returned 0x4c0000 [0107.491] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x502a88 [0107.492] lstrcpyW (in: lpString1=0x502a88, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Search" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Search" [0107.492] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\*" [0107.492] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27df8b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27df8b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4ddce8 [0107.493] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0107.493] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0107.493] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0107.493] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0107.493] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0107.493] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0107.493] FindNextFileW (in: hFindFile=0x4ddce8, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27df8b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27df8b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0107.493] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0107.493] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0107.493] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0107.493] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0107.493] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0107.493] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0107.493] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0107.493] FindNextFileW (in: hFindFile=0x4ddce8, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Data", cAlternateFileName="")) returned 1 [0107.494] lstrcmpiW (lpString1="Data", lpString2="Windows") returned -1 [0107.494] lstrcmpiW (lpString1="Data", lpString2="Program Files") returned -1 [0107.494] lstrcmpiW (lpString1="Data", lpString2="Program Files (x86)") returned -1 [0107.494] lstrcmpiW (lpString1="Data", lpString2="$Recycle.bin") returned 1 [0107.494] lstrcmpiW (lpString1="Data", lpString2="System Volume Information") returned -1 [0107.494] lstrcmpiW (lpString1="Data", lpString2=".") returned 1 [0107.494] lstrcmpiW (lpString1="Data", lpString2="..") returned 1 [0107.494] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data") returned 40 [0107.494] GetProcessHeap () returned 0x4c0000 [0107.494] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53aae0 [0107.495] lstrcpyW (in: lpString1=0x53aae0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data" [0107.495] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\*" [0107.495] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4dbf10 [0107.496] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0107.496] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0107.496] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0107.496] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0107.496] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0107.496] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0107.496] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0107.496] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0107.496] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0107.496] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0107.496] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0107.496] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0107.496] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0107.496] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0107.496] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="Applications", cAlternateFileName="APPLIC~1")) returned 1 [0107.496] lstrcmpiW (lpString1="Applications", lpString2="Windows") returned -1 [0107.496] lstrcmpiW (lpString1="Applications", lpString2="Program Files") returned -1 [0107.496] lstrcmpiW (lpString1="Applications", lpString2="Program Files (x86)") returned -1 [0107.496] lstrcmpiW (lpString1="Applications", lpString2="$Recycle.bin") returned 1 [0107.496] lstrcmpiW (lpString1="Applications", lpString2="System Volume Information") returned -1 [0107.496] lstrcmpiW (lpString1="Applications", lpString2=".") returned 1 [0107.496] lstrcmpiW (lpString1="Applications", lpString2="..") returned 1 [0107.496] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications") returned 53 [0107.496] GetProcessHeap () returned 0x4c0000 [0107.496] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c00048 [0107.498] lstrcpyW (in: lpString1=0x3c00048, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications" [0107.498] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\*" [0107.498] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bf11b8 [0107.501] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0107.501] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0107.501] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0107.501] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0107.501] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0107.501] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0107.501] FindNextFileW (in: hFindFile=0x3bf11b8, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0107.501] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0107.501] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0107.501] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0107.501] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0107.501] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0107.501] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0107.502] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0107.502] FindNextFileW (in: hFindFile=0x3bf11b8, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29612a20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29612a20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="Windows", cAlternateFileName="")) returned 1 [0107.502] lstrcmpiW (lpString1="Windows", lpString2="Windows") returned 0 [0107.502] FindNextFileW (in: hFindFile=0x3bf11b8, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29612a20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29612a20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="Windows", cAlternateFileName="")) returned 0 [0107.502] FindClose (in: hFindFile=0x3bf11b8 | out: hFindFile=0x3bf11b8) returned 1 [0107.502] wnsprintfW (in: pszDest=0x3c00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\PUSSY.TXT") returned 63 [0107.502] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\search\\data\\applications\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0107.505] lstrlenA (lpString="abcd") returned 4 [0107.505] WriteFile (in: hFile=0x194, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0107.506] CloseHandle (hObject=0x194) returned 1 [0107.506] GetProcessHeap () returned 0x4c0000 [0107.506] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0107.506] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e1ecc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e1ecc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e1ecc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="Temp", cAlternateFileName="")) returned 1 [0107.506] lstrcmpiW (lpString1="Temp", lpString2="Windows") returned -1 [0107.506] lstrcmpiW (lpString1="Temp", lpString2="Program Files") returned 1 [0107.506] lstrcmpiW (lpString1="Temp", lpString2="Program Files (x86)") returned 1 [0107.506] lstrcmpiW (lpString1="Temp", lpString2="$Recycle.bin") returned 1 [0107.506] lstrcmpiW (lpString1="Temp", lpString2="System Volume Information") returned 1 [0107.506] lstrcmpiW (lpString1="Temp", lpString2=".") returned 1 [0107.507] lstrcmpiW (lpString1="Temp", lpString2="..") returned 1 [0107.507] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp") returned 45 [0107.507] GetProcessHeap () returned 0x4c0000 [0107.507] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x57cb88 [0107.508] lstrcpyW (in: lpString1=0x57cb88, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp" [0107.508] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\*" [0107.508] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e1ecc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e1ecc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x422b7290, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bf11b8 [0107.508] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0107.508] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0107.508] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0107.508] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0107.508] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0107.508] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0107.508] FindNextFileW (in: hFindFile=0x3bf11b8, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e1ecc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e1ecc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x422b7290, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0107.509] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0107.509] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0107.509] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0107.509] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0107.509] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0107.509] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0107.509] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0107.509] FindNextFileW (in: hFindFile=0x3bf11b8, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e1ecc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e1ecc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x422b7290, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 0 [0107.509] FindClose (in: hFindFile=0x3bf11b8 | out: hFindFile=0x3bf11b8) returned 1 [0107.509] wnsprintfW (in: pszDest=0x57cb88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\PUSSY.TXT") returned 55 [0107.509] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\search\\data\\temp\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0107.510] lstrlenA (lpString="abcd") returned 4 [0107.510] WriteFile (in: hFile=0x194, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0107.511] CloseHandle (hObject=0x194) returned 1 [0107.511] GetProcessHeap () returned 0x4c0000 [0107.511] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x57cb88 | out: hHeap=0x4c0000) returned 1 [0107.514] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e1ecc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e1ecc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e1ecc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="Temp", cAlternateFileName="")) returned 0 [0107.514] FindClose (in: hFindFile=0x4dbf10 | out: hFindFile=0x4dbf10) returned 1 [0107.514] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\PUSSY.TXT") returned 50 [0107.514] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\search\\data\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0107.515] lstrlenA (lpString="abcd") returned 4 [0107.515] WriteFile (in: hFile=0x1a4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0107.516] CloseHandle (hObject=0x1a4) returned 1 [0107.516] GetProcessHeap () returned 0x4c0000 [0107.516] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53aae0 | out: hHeap=0x4c0000) returned 1 [0107.517] FindNextFileW (in: hFindFile=0x4ddce8, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Data", cAlternateFileName="")) returned 0 [0107.517] FindClose (in: hFindFile=0x4ddce8 | out: hFindFile=0x4ddce8) returned 1 [0107.517] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\PUSSY.TXT") returned 45 [0107.517] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\search\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0107.517] lstrlenA (lpString="abcd") returned 4 [0107.517] WriteFile (in: hFile=0x19c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0107.518] CloseHandle (hObject=0x19c) returned 1 [0107.519] GetProcessHeap () returned 0x4c0000 [0107.519] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0107.520] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x29423840, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29423840, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="User Account Pictures", cAlternateFileName="USERAC~1")) returned 1 [0107.520] lstrcmpiW (lpString1="User Account Pictures", lpString2="Windows") returned -1 [0107.520] lstrcmpiW (lpString1="User Account Pictures", lpString2="Program Files") returned 1 [0107.520] lstrcmpiW (lpString1="User Account Pictures", lpString2="Program Files (x86)") returned 1 [0107.520] lstrcmpiW (lpString1="User Account Pictures", lpString2="$Recycle.bin") returned 1 [0107.520] lstrcmpiW (lpString1="User Account Pictures", lpString2="System Volume Information") returned 1 [0107.520] lstrcmpiW (lpString1="User Account Pictures", lpString2=".") returned 1 [0107.520] lstrcmpiW (lpString1="User Account Pictures", lpString2="..") returned 1 [0107.520] wnsprintfW (in: pszDest=0x3bb8158, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures") returned 50 [0107.520] GetProcessHeap () returned 0x4c0000 [0107.520] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x502a88 [0107.521] lstrcpyW (in: lpString1=0x502a88, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures" [0107.521] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*" [0107.521] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x29423840, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29423840, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0107.522] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0107.522] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0107.522] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0107.522] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0107.522] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0107.522] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0107.522] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x29423840, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29423840, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0107.522] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0107.522] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0107.522] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0107.522] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0107.522] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0107.522] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0107.522] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0107.522] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x29423840, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29423840, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29423840, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="5p5NrGJn0jS HALPmcxz.dat", cAlternateFileName="5P5NRG~1.DAT")) returned 1 [0107.522] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="Windows") returned -1 [0107.522] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="Program Files") returned -1 [0107.522] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="Program Files (x86)") returned -1 [0107.522] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="$Recycle.bin") returned 1 [0107.522] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="System Volume Information") returned -1 [0107.522] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2=".") returned 1 [0107.522] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="..") returned 1 [0107.522] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat") returned 75 [0107.522] lstrcmpW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="PUSSY.TXT") returned -1 [0107.523] PathFindExtensionW (pszPath="5p5NrGJn0jS HALPmcxz.dat") returned=".dat" [0107.523] lstrlenW (lpString=".dat") returned 4 [0107.523] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0107.523] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat" (normalized: "c:\\programdata\\microsoft\\user account pictures\\5p5nrgjn0js halpmcxz.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a4 [0107.524] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=0) returned 1 [0107.524] CloseHandle (hObject=0x1a4) returned 1 [0107.524] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80366a76, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80366a76, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Default Pictures", cAlternateFileName="DEFAUL~1")) returned 1 [0107.524] lstrcmpiW (lpString1="Default Pictures", lpString2="Windows") returned -1 [0107.524] lstrcmpiW (lpString1="Default Pictures", lpString2="Program Files") returned -1 [0107.524] lstrcmpiW (lpString1="Default Pictures", lpString2="Program Files (x86)") returned -1 [0107.524] lstrcmpiW (lpString1="Default Pictures", lpString2="$Recycle.bin") returned 1 [0107.524] lstrcmpiW (lpString1="Default Pictures", lpString2="System Volume Information") returned -1 [0107.524] lstrcmpiW (lpString1="Default Pictures", lpString2=".") returned 1 [0107.524] lstrcmpiW (lpString1="Default Pictures", lpString2="..") returned 1 [0107.524] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures") returned 67 [0107.524] GetProcessHeap () returned 0x4c0000 [0107.524] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53aae0 [0107.525] lstrcpyW (in: lpString1=0x53aae0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures" [0107.526] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*" [0107.526] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80366a76, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80366a76, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x4e29a0 [0107.528] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0107.528] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0107.528] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0107.528] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0107.528] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0107.528] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0107.528] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80366a76, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80366a76, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0107.528] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0107.528] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0107.528] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0107.528] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0107.528] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0107.528] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0107.528] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0107.528] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae24f474, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae24f474, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xda0a8861, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile10.bmp", cAlternateFileName="")) returned 1 [0107.528] lstrcmpiW (lpString1="usertile10.bmp", lpString2="Windows") returned -1 [0107.529] lstrcmpiW (lpString1="usertile10.bmp", lpString2="Program Files") returned 1 [0107.529] lstrcmpiW (lpString1="usertile10.bmp", lpString2="Program Files (x86)") returned 1 [0107.529] lstrcmpiW (lpString1="usertile10.bmp", lpString2="$Recycle.bin") returned 1 [0107.529] lstrcmpiW (lpString1="usertile10.bmp", lpString2="System Volume Information") returned 1 [0107.529] lstrcmpiW (lpString1="usertile10.bmp", lpString2=".") returned 1 [0107.529] lstrcmpiW (lpString1="usertile10.bmp", lpString2="..") returned 1 [0107.529] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp") returned 82 [0107.529] lstrcmpW (lpString1="usertile10.bmp", lpString2="PUSSY.TXT") returned 1 [0107.529] PathFindExtensionW (pszPath="usertile10.bmp") returned=".bmp" [0107.529] lstrlenW (lpString=".bmp") returned 4 [0107.529] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0107.529] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile10.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.530] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae24f474, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae24f474, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdb5a2927, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile11.bmp", cAlternateFileName="")) returned 1 [0107.530] lstrcmpiW (lpString1="usertile11.bmp", lpString2="Windows") returned -1 [0107.530] lstrcmpiW (lpString1="usertile11.bmp", lpString2="Program Files") returned 1 [0107.530] lstrcmpiW (lpString1="usertile11.bmp", lpString2="Program Files (x86)") returned 1 [0107.530] lstrcmpiW (lpString1="usertile11.bmp", lpString2="$Recycle.bin") returned 1 [0107.530] lstrcmpiW (lpString1="usertile11.bmp", lpString2="System Volume Information") returned 1 [0107.530] lstrcmpiW (lpString1="usertile11.bmp", lpString2=".") returned 1 [0107.530] lstrcmpiW (lpString1="usertile11.bmp", lpString2="..") returned 1 [0107.530] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp") returned 82 [0107.530] lstrcmpW (lpString1="usertile11.bmp", lpString2="PUSSY.TXT") returned 1 [0107.530] PathFindExtensionW (pszPath="usertile11.bmp") returned=".bmp" [0107.530] lstrlenW (lpString=".bmp") returned 4 [0107.530] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0107.531] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile11.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.531] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae2755d1, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae2755d1, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdb6d3417, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile12.bmp", cAlternateFileName="")) returned 1 [0107.531] lstrcmpiW (lpString1="usertile12.bmp", lpString2="Windows") returned -1 [0107.531] lstrcmpiW (lpString1="usertile12.bmp", lpString2="Program Files") returned 1 [0107.531] lstrcmpiW (lpString1="usertile12.bmp", lpString2="Program Files (x86)") returned 1 [0107.531] lstrcmpiW (lpString1="usertile12.bmp", lpString2="$Recycle.bin") returned 1 [0107.531] lstrcmpiW (lpString1="usertile12.bmp", lpString2="System Volume Information") returned 1 [0107.531] lstrcmpiW (lpString1="usertile12.bmp", lpString2=".") returned 1 [0107.531] lstrcmpiW (lpString1="usertile12.bmp", lpString2="..") returned 1 [0107.531] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp") returned 82 [0107.531] lstrcmpW (lpString1="usertile12.bmp", lpString2="PUSSY.TXT") returned 1 [0107.531] PathFindExtensionW (pszPath="usertile12.bmp") returned=".bmp" [0107.531] lstrlenW (lpString=".bmp") returned 4 [0107.531] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0107.531] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile12.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.531] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae29b72e, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae29b72e, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdb76b98f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xbeb8, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile13.bmp", cAlternateFileName="")) returned 1 [0107.531] lstrcmpiW (lpString1="usertile13.bmp", lpString2="Windows") returned -1 [0107.531] lstrcmpiW (lpString1="usertile13.bmp", lpString2="Program Files") returned 1 [0107.531] lstrcmpiW (lpString1="usertile13.bmp", lpString2="Program Files (x86)") returned 1 [0107.531] lstrcmpiW (lpString1="usertile13.bmp", lpString2="$Recycle.bin") returned 1 [0107.532] lstrcmpiW (lpString1="usertile13.bmp", lpString2="System Volume Information") returned 1 [0107.532] lstrcmpiW (lpString1="usertile13.bmp", lpString2=".") returned 1 [0107.532] lstrcmpiW (lpString1="usertile13.bmp", lpString2="..") returned 1 [0107.532] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp") returned 82 [0107.532] lstrcmpW (lpString1="usertile13.bmp", lpString2="PUSSY.TXT") returned 1 [0107.532] PathFindExtensionW (pszPath="usertile13.bmp") returned=".bmp" [0107.532] lstrlenW (lpString=".bmp") returned 4 [0107.532] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0107.532] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile13.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.532] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae2e79e8, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae2e79e8, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdb82a065, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile14.bmp", cAlternateFileName="")) returned 1 [0107.532] lstrcmpiW (lpString1="usertile14.bmp", lpString2="Windows") returned -1 [0107.532] lstrcmpiW (lpString1="usertile14.bmp", lpString2="Program Files") returned 1 [0107.532] lstrcmpiW (lpString1="usertile14.bmp", lpString2="Program Files (x86)") returned 1 [0107.532] lstrcmpiW (lpString1="usertile14.bmp", lpString2="$Recycle.bin") returned 1 [0107.532] lstrcmpiW (lpString1="usertile14.bmp", lpString2="System Volume Information") returned 1 [0107.532] lstrcmpiW (lpString1="usertile14.bmp", lpString2=".") returned 1 [0107.532] lstrcmpiW (lpString1="usertile14.bmp", lpString2="..") returned 1 [0107.532] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp") returned 82 [0107.532] lstrcmpW (lpString1="usertile14.bmp", lpString2="PUSSY.TXT") returned 1 [0107.532] PathFindExtensionW (pszPath="usertile14.bmp") returned=".bmp" [0107.532] lstrlenW (lpString=".bmp") returned 4 [0107.532] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0107.533] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile14.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.533] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae2e79e8, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae2e79e8, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdbb95fd7, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile15.bmp", cAlternateFileName="")) returned 1 [0107.533] lstrcmpiW (lpString1="usertile15.bmp", lpString2="Windows") returned -1 [0107.533] lstrcmpiW (lpString1="usertile15.bmp", lpString2="Program Files") returned 1 [0107.533] lstrcmpiW (lpString1="usertile15.bmp", lpString2="Program Files (x86)") returned 1 [0107.533] lstrcmpiW (lpString1="usertile15.bmp", lpString2="$Recycle.bin") returned 1 [0107.533] lstrcmpiW (lpString1="usertile15.bmp", lpString2="System Volume Information") returned 1 [0107.534] lstrcmpiW (lpString1="usertile15.bmp", lpString2=".") returned 1 [0107.534] lstrcmpiW (lpString1="usertile15.bmp", lpString2="..") returned 1 [0107.534] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp") returned 82 [0107.534] lstrcmpW (lpString1="usertile15.bmp", lpString2="PUSSY.TXT") returned 1 [0107.534] PathFindExtensionW (pszPath="usertile15.bmp") returned=".bmp" [0107.534] lstrlenW (lpString=".bmp") returned 4 [0107.534] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0107.534] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile15.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.534] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae30db45, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae30db45, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdca9c9ed, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile16.bmp", cAlternateFileName="")) returned 1 [0107.534] lstrcmpiW (lpString1="usertile16.bmp", lpString2="Windows") returned -1 [0107.534] lstrcmpiW (lpString1="usertile16.bmp", lpString2="Program Files") returned 1 [0107.534] lstrcmpiW (lpString1="usertile16.bmp", lpString2="Program Files (x86)") returned 1 [0107.534] lstrcmpiW (lpString1="usertile16.bmp", lpString2="$Recycle.bin") returned 1 [0107.534] lstrcmpiW (lpString1="usertile16.bmp", lpString2="System Volume Information") returned 1 [0107.534] lstrcmpiW (lpString1="usertile16.bmp", lpString2=".") returned 1 [0107.534] lstrcmpiW (lpString1="usertile16.bmp", lpString2="..") returned 1 [0107.534] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp") returned 82 [0107.534] lstrcmpW (lpString1="usertile16.bmp", lpString2="PUSSY.TXT") returned 1 [0107.534] PathFindExtensionW (pszPath="usertile16.bmp") returned=".bmp" [0107.534] lstrlenW (lpString=".bmp") returned 4 [0107.534] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0107.534] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile16.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.535] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae333ca2, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae333ca2, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdcc3f8f7, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile17.bmp", cAlternateFileName="")) returned 1 [0107.535] lstrcmpiW (lpString1="usertile17.bmp", lpString2="Windows") returned -1 [0107.535] lstrcmpiW (lpString1="usertile17.bmp", lpString2="Program Files") returned 1 [0107.535] lstrcmpiW (lpString1="usertile17.bmp", lpString2="Program Files (x86)") returned 1 [0107.535] lstrcmpiW (lpString1="usertile17.bmp", lpString2="$Recycle.bin") returned 1 [0107.535] lstrcmpiW (lpString1="usertile17.bmp", lpString2="System Volume Information") returned 1 [0107.535] lstrcmpiW (lpString1="usertile17.bmp", lpString2=".") returned 1 [0107.535] lstrcmpiW (lpString1="usertile17.bmp", lpString2="..") returned 1 [0107.535] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp") returned 82 [0107.535] lstrcmpW (lpString1="usertile17.bmp", lpString2="PUSSY.TXT") returned 1 [0107.535] PathFindExtensionW (pszPath="usertile17.bmp") returned=".bmp" [0107.535] lstrlenW (lpString=".bmp") returned 4 [0107.535] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0107.535] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile17.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.535] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae333ca2, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae333ca2, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdcc65a55, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile18.bmp", cAlternateFileName="")) returned 1 [0107.535] lstrcmpiW (lpString1="usertile18.bmp", lpString2="Windows") returned -1 [0107.535] lstrcmpiW (lpString1="usertile18.bmp", lpString2="Program Files") returned 1 [0107.535] lstrcmpiW (lpString1="usertile18.bmp", lpString2="Program Files (x86)") returned 1 [0107.535] lstrcmpiW (lpString1="usertile18.bmp", lpString2="$Recycle.bin") returned 1 [0107.535] lstrcmpiW (lpString1="usertile18.bmp", lpString2="System Volume Information") returned 1 [0107.535] lstrcmpiW (lpString1="usertile18.bmp", lpString2=".") returned 1 [0107.535] lstrcmpiW (lpString1="usertile18.bmp", lpString2="..") returned 1 [0107.536] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp") returned 82 [0107.536] lstrcmpW (lpString1="usertile18.bmp", lpString2="PUSSY.TXT") returned 1 [0107.536] PathFindExtensionW (pszPath="usertile18.bmp") returned=".bmp" [0107.536] lstrlenW (lpString=".bmp") returned 4 [0107.536] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0107.536] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile18.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.536] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae359dff, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae359dff, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdcc8bbb3, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile19.bmp", cAlternateFileName="")) returned 1 [0107.537] lstrcmpiW (lpString1="usertile19.bmp", lpString2="Windows") returned -1 [0107.537] lstrcmpiW (lpString1="usertile19.bmp", lpString2="Program Files") returned 1 [0107.537] lstrcmpiW (lpString1="usertile19.bmp", lpString2="Program Files (x86)") returned 1 [0107.537] lstrcmpiW (lpString1="usertile19.bmp", lpString2="$Recycle.bin") returned 1 [0107.537] lstrcmpiW (lpString1="usertile19.bmp", lpString2="System Volume Information") returned 1 [0107.537] lstrcmpiW (lpString1="usertile19.bmp", lpString2=".") returned 1 [0107.537] lstrcmpiW (lpString1="usertile19.bmp", lpString2="..") returned 1 [0107.537] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp") returned 82 [0107.537] lstrcmpW (lpString1="usertile19.bmp", lpString2="PUSSY.TXT") returned 1 [0107.537] PathFindExtensionW (pszPath="usertile19.bmp") returned=".bmp" [0107.537] lstrlenW (lpString=".bmp") returned 4 [0107.537] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0107.537] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile19.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.537] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae37ff5c, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae37ff5c, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdccb1d11, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile20.bmp", cAlternateFileName="")) returned 1 [0107.537] lstrcmpiW (lpString1="usertile20.bmp", lpString2="Windows") returned -1 [0107.537] lstrcmpiW (lpString1="usertile20.bmp", lpString2="Program Files") returned 1 [0107.537] lstrcmpiW (lpString1="usertile20.bmp", lpString2="Program Files (x86)") returned 1 [0107.537] lstrcmpiW (lpString1="usertile20.bmp", lpString2="$Recycle.bin") returned 1 [0107.537] lstrcmpiW (lpString1="usertile20.bmp", lpString2="System Volume Information") returned 1 [0107.537] lstrcmpiW (lpString1="usertile20.bmp", lpString2=".") returned 1 [0107.537] lstrcmpiW (lpString1="usertile20.bmp", lpString2="..") returned 1 [0107.537] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp") returned 82 [0107.537] lstrcmpW (lpString1="usertile20.bmp", lpString2="PUSSY.TXT") returned 1 [0107.538] PathFindExtensionW (pszPath="usertile20.bmp") returned=".bmp" [0107.538] lstrlenW (lpString=".bmp") returned 4 [0107.538] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0107.538] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile20.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.538] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3a60b9, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3a60b9, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd069f3f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile21.bmp", cAlternateFileName="")) returned 1 [0107.538] lstrcmpiW (lpString1="usertile21.bmp", lpString2="Windows") returned -1 [0107.538] lstrcmpiW (lpString1="usertile21.bmp", lpString2="Program Files") returned 1 [0107.538] lstrcmpiW (lpString1="usertile21.bmp", lpString2="Program Files (x86)") returned 1 [0107.538] lstrcmpiW (lpString1="usertile21.bmp", lpString2="$Recycle.bin") returned 1 [0107.538] lstrcmpiW (lpString1="usertile21.bmp", lpString2="System Volume Information") returned 1 [0107.538] lstrcmpiW (lpString1="usertile21.bmp", lpString2=".") returned 1 [0107.538] lstrcmpiW (lpString1="usertile21.bmp", lpString2="..") returned 1 [0107.538] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp") returned 82 [0107.538] lstrcmpW (lpString1="usertile21.bmp", lpString2="PUSSY.TXT") returned 1 [0107.538] PathFindExtensionW (pszPath="usertile21.bmp") returned=".bmp" [0107.538] lstrlenW (lpString=".bmp") returned 4 [0107.538] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0107.538] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile21.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.538] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3a60b9, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3a60b9, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd09009d, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile22.bmp", cAlternateFileName="")) returned 1 [0107.538] lstrcmpiW (lpString1="usertile22.bmp", lpString2="Windows") returned -1 [0107.539] lstrcmpiW (lpString1="usertile22.bmp", lpString2="Program Files") returned 1 [0107.539] lstrcmpiW (lpString1="usertile22.bmp", lpString2="Program Files (x86)") returned 1 [0107.539] lstrcmpiW (lpString1="usertile22.bmp", lpString2="$Recycle.bin") returned 1 [0107.539] lstrcmpiW (lpString1="usertile22.bmp", lpString2="System Volume Information") returned 1 [0107.539] lstrcmpiW (lpString1="usertile22.bmp", lpString2=".") returned 1 [0107.539] lstrcmpiW (lpString1="usertile22.bmp", lpString2="..") returned 1 [0107.539] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp") returned 82 [0107.539] lstrcmpW (lpString1="usertile22.bmp", lpString2="PUSSY.TXT") returned 1 [0107.539] PathFindExtensionW (pszPath="usertile22.bmp") returned=".bmp" [0107.539] lstrlenW (lpString=".bmp") returned 4 [0107.539] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0107.539] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile22.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.540] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3cc216, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3cc216, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd0b61fb, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile23.bmp", cAlternateFileName="")) returned 1 [0107.540] lstrcmpiW (lpString1="usertile23.bmp", lpString2="Windows") returned -1 [0107.540] lstrcmpiW (lpString1="usertile23.bmp", lpString2="Program Files") returned 1 [0107.540] lstrcmpiW (lpString1="usertile23.bmp", lpString2="Program Files (x86)") returned 1 [0107.540] lstrcmpiW (lpString1="usertile23.bmp", lpString2="$Recycle.bin") returned 1 [0107.540] lstrcmpiW (lpString1="usertile23.bmp", lpString2="System Volume Information") returned 1 [0107.540] lstrcmpiW (lpString1="usertile23.bmp", lpString2=".") returned 1 [0107.540] lstrcmpiW (lpString1="usertile23.bmp", lpString2="..") returned 1 [0107.540] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp") returned 82 [0107.540] lstrcmpW (lpString1="usertile23.bmp", lpString2="PUSSY.TXT") returned 1 [0107.540] PathFindExtensionW (pszPath="usertile23.bmp") returned=".bmp" [0107.540] lstrlenW (lpString=".bmp") returned 4 [0107.540] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0107.540] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile23.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.540] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3f2373, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3f2373, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd232fa7, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile24.bmp", cAlternateFileName="")) returned 1 [0107.540] lstrcmpiW (lpString1="usertile24.bmp", lpString2="Windows") returned -1 [0107.540] lstrcmpiW (lpString1="usertile24.bmp", lpString2="Program Files") returned 1 [0107.541] lstrcmpiW (lpString1="usertile24.bmp", lpString2="Program Files (x86)") returned 1 [0107.541] lstrcmpiW (lpString1="usertile24.bmp", lpString2="$Recycle.bin") returned 1 [0107.541] lstrcmpiW (lpString1="usertile24.bmp", lpString2="System Volume Information") returned 1 [0107.541] lstrcmpiW (lpString1="usertile24.bmp", lpString2=".") returned 1 [0107.541] lstrcmpiW (lpString1="usertile24.bmp", lpString2="..") returned 1 [0107.541] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp") returned 82 [0107.541] lstrcmpW (lpString1="usertile24.bmp", lpString2="PUSSY.TXT") returned 1 [0107.541] PathFindExtensionW (pszPath="usertile24.bmp") returned=".bmp" [0107.541] lstrlenW (lpString=".bmp") returned 4 [0107.541] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0107.541] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile24.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.541] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3f2373, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3f2373, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd259105, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile25.bmp", cAlternateFileName="")) returned 1 [0107.541] lstrcmpiW (lpString1="usertile25.bmp", lpString2="Windows") returned -1 [0107.541] lstrcmpiW (lpString1="usertile25.bmp", lpString2="Program Files") returned 1 [0107.541] lstrcmpiW (lpString1="usertile25.bmp", lpString2="Program Files (x86)") returned 1 [0107.541] lstrcmpiW (lpString1="usertile25.bmp", lpString2="$Recycle.bin") returned 1 [0107.541] lstrcmpiW (lpString1="usertile25.bmp", lpString2="System Volume Information") returned 1 [0107.541] lstrcmpiW (lpString1="usertile25.bmp", lpString2=".") returned 1 [0107.541] lstrcmpiW (lpString1="usertile25.bmp", lpString2="..") returned 1 [0107.541] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp") returned 82 [0107.541] lstrcmpW (lpString1="usertile25.bmp", lpString2="PUSSY.TXT") returned 1 [0107.541] PathFindExtensionW (pszPath="usertile25.bmp") returned=".bmp" [0107.541] lstrlenW (lpString=".bmp") returned 4 [0107.542] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0107.542] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile25.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.542] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3f2373, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3f2373, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd27f263, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile26.bmp", cAlternateFileName="")) returned 1 [0107.542] lstrcmpiW (lpString1="usertile26.bmp", lpString2="Windows") returned -1 [0107.542] lstrcmpiW (lpString1="usertile26.bmp", lpString2="Program Files") returned 1 [0107.542] lstrcmpiW (lpString1="usertile26.bmp", lpString2="Program Files (x86)") returned 1 [0107.542] lstrcmpiW (lpString1="usertile26.bmp", lpString2="$Recycle.bin") returned 1 [0107.542] lstrcmpiW (lpString1="usertile26.bmp", lpString2="System Volume Information") returned 1 [0107.542] lstrcmpiW (lpString1="usertile26.bmp", lpString2=".") returned 1 [0107.542] lstrcmpiW (lpString1="usertile26.bmp", lpString2="..") returned 1 [0107.542] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp") returned 82 [0107.542] lstrcmpW (lpString1="usertile26.bmp", lpString2="PUSSY.TXT") returned 1 [0107.542] PathFindExtensionW (pszPath="usertile26.bmp") returned=".bmp" [0107.542] lstrlenW (lpString=".bmp") returned 4 [0107.542] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0107.542] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile26.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.543] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae4184d0, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae4184d0, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd2a53c1, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile27.bmp", cAlternateFileName="")) returned 1 [0107.543] lstrcmpiW (lpString1="usertile27.bmp", lpString2="Windows") returned -1 [0107.543] lstrcmpiW (lpString1="usertile27.bmp", lpString2="Program Files") returned 1 [0107.543] lstrcmpiW (lpString1="usertile27.bmp", lpString2="Program Files (x86)") returned 1 [0107.543] lstrcmpiW (lpString1="usertile27.bmp", lpString2="$Recycle.bin") returned 1 [0107.543] lstrcmpiW (lpString1="usertile27.bmp", lpString2="System Volume Information") returned 1 [0107.543] lstrcmpiW (lpString1="usertile27.bmp", lpString2=".") returned 1 [0107.543] lstrcmpiW (lpString1="usertile27.bmp", lpString2="..") returned 1 [0107.543] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp") returned 82 [0107.543] lstrcmpW (lpString1="usertile27.bmp", lpString2="PUSSY.TXT") returned 1 [0107.543] PathFindExtensionW (pszPath="usertile27.bmp") returned=".bmp" [0107.543] lstrlenW (lpString=".bmp") returned 4 [0107.543] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0107.543] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile27.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.544] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae43e62d, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae43e62d, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd3177db, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile28.bmp", cAlternateFileName="")) returned 1 [0107.544] lstrcmpiW (lpString1="usertile28.bmp", lpString2="Windows") returned -1 [0107.544] lstrcmpiW (lpString1="usertile28.bmp", lpString2="Program Files") returned 1 [0107.544] lstrcmpiW (lpString1="usertile28.bmp", lpString2="Program Files (x86)") returned 1 [0107.544] lstrcmpiW (lpString1="usertile28.bmp", lpString2="$Recycle.bin") returned 1 [0107.544] lstrcmpiW (lpString1="usertile28.bmp", lpString2="System Volume Information") returned 1 [0107.544] lstrcmpiW (lpString1="usertile28.bmp", lpString2=".") returned 1 [0107.544] lstrcmpiW (lpString1="usertile28.bmp", lpString2="..") returned 1 [0107.544] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp") returned 82 [0107.544] lstrcmpW (lpString1="usertile28.bmp", lpString2="PUSSY.TXT") returned 1 [0107.544] PathFindExtensionW (pszPath="usertile28.bmp") returned=".bmp" [0107.544] lstrlenW (lpString=".bmp") returned 4 [0107.544] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0107.544] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile28.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.544] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae43e62d, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae43e62d, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd33d939, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile29.bmp", cAlternateFileName="")) returned 1 [0107.544] lstrcmpiW (lpString1="usertile29.bmp", lpString2="Windows") returned -1 [0107.544] lstrcmpiW (lpString1="usertile29.bmp", lpString2="Program Files") returned 1 [0107.545] lstrcmpiW (lpString1="usertile29.bmp", lpString2="Program Files (x86)") returned 1 [0107.545] lstrcmpiW (lpString1="usertile29.bmp", lpString2="$Recycle.bin") returned 1 [0107.545] lstrcmpiW (lpString1="usertile29.bmp", lpString2="System Volume Information") returned 1 [0107.545] lstrcmpiW (lpString1="usertile29.bmp", lpString2=".") returned 1 [0107.545] lstrcmpiW (lpString1="usertile29.bmp", lpString2="..") returned 1 [0107.545] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp") returned 82 [0107.545] lstrcmpW (lpString1="usertile29.bmp", lpString2="PUSSY.TXT") returned 1 [0107.545] PathFindExtensionW (pszPath="usertile29.bmp") returned=".bmp" [0107.545] lstrlenW (lpString=".bmp") returned 4 [0107.545] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0107.545] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile29.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.545] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae46478a, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae46478a, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd3fc00f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile30.bmp", cAlternateFileName="")) returned 1 [0107.545] lstrcmpiW (lpString1="usertile30.bmp", lpString2="Windows") returned -1 [0107.545] lstrcmpiW (lpString1="usertile30.bmp", lpString2="Program Files") returned 1 [0107.545] lstrcmpiW (lpString1="usertile30.bmp", lpString2="Program Files (x86)") returned 1 [0107.545] lstrcmpiW (lpString1="usertile30.bmp", lpString2="$Recycle.bin") returned 1 [0107.545] lstrcmpiW (lpString1="usertile30.bmp", lpString2="System Volume Information") returned 1 [0107.545] lstrcmpiW (lpString1="usertile30.bmp", lpString2=".") returned 1 [0107.545] lstrcmpiW (lpString1="usertile30.bmp", lpString2="..") returned 1 [0107.545] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp") returned 82 [0107.545] lstrcmpW (lpString1="usertile30.bmp", lpString2="PUSSY.TXT") returned 1 [0107.545] PathFindExtensionW (pszPath="usertile30.bmp") returned=".bmp" [0107.545] lstrlenW (lpString=".bmp") returned 4 [0107.545] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0107.546] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile30.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.548] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae48a8e7, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae48a8e7, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd3fc00f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile31.bmp", cAlternateFileName="")) returned 1 [0107.548] lstrcmpiW (lpString1="usertile31.bmp", lpString2="Windows") returned -1 [0107.549] lstrcmpiW (lpString1="usertile31.bmp", lpString2="Program Files") returned 1 [0107.549] lstrcmpiW (lpString1="usertile31.bmp", lpString2="Program Files (x86)") returned 1 [0107.549] lstrcmpiW (lpString1="usertile31.bmp", lpString2="$Recycle.bin") returned 1 [0107.549] lstrcmpiW (lpString1="usertile31.bmp", lpString2="System Volume Information") returned 1 [0107.549] lstrcmpiW (lpString1="usertile31.bmp", lpString2=".") returned 1 [0107.549] lstrcmpiW (lpString1="usertile31.bmp", lpString2="..") returned 1 [0107.549] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp") returned 82 [0107.549] lstrcmpW (lpString1="usertile31.bmp", lpString2="PUSSY.TXT") returned 1 [0107.549] PathFindExtensionW (pszPath="usertile31.bmp") returned=".bmp" [0107.549] lstrlenW (lpString=".bmp") returned 4 [0107.549] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0107.549] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile31.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.549] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae48a8e7, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae48a8e7, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd42216d, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile32.bmp", cAlternateFileName="")) returned 1 [0107.549] lstrcmpiW (lpString1="usertile32.bmp", lpString2="Windows") returned -1 [0107.549] lstrcmpiW (lpString1="usertile32.bmp", lpString2="Program Files") returned 1 [0107.549] lstrcmpiW (lpString1="usertile32.bmp", lpString2="Program Files (x86)") returned 1 [0107.549] lstrcmpiW (lpString1="usertile32.bmp", lpString2="$Recycle.bin") returned 1 [0107.549] lstrcmpiW (lpString1="usertile32.bmp", lpString2="System Volume Information") returned 1 [0107.549] lstrcmpiW (lpString1="usertile32.bmp", lpString2=".") returned 1 [0107.549] lstrcmpiW (lpString1="usertile32.bmp", lpString2="..") returned 1 [0107.549] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp") returned 82 [0107.549] lstrcmpW (lpString1="usertile32.bmp", lpString2="PUSSY.TXT") returned 1 [0107.550] PathFindExtensionW (pszPath="usertile32.bmp") returned=".bmp" [0107.550] lstrlenW (lpString=".bmp") returned 4 [0107.550] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0107.550] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile32.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.550] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae4b0a44, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae4b0a44, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd4482cb, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile33.bmp", cAlternateFileName="")) returned 1 [0107.550] lstrcmpiW (lpString1="usertile33.bmp", lpString2="Windows") returned -1 [0107.550] lstrcmpiW (lpString1="usertile33.bmp", lpString2="Program Files") returned 1 [0107.550] lstrcmpiW (lpString1="usertile33.bmp", lpString2="Program Files (x86)") returned 1 [0107.550] lstrcmpiW (lpString1="usertile33.bmp", lpString2="$Recycle.bin") returned 1 [0107.550] lstrcmpiW (lpString1="usertile33.bmp", lpString2="System Volume Information") returned 1 [0107.550] lstrcmpiW (lpString1="usertile33.bmp", lpString2=".") returned 1 [0107.550] lstrcmpiW (lpString1="usertile33.bmp", lpString2="..") returned 1 [0107.550] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp") returned 82 [0107.550] lstrcmpW (lpString1="usertile33.bmp", lpString2="PUSSY.TXT") returned 1 [0107.550] PathFindExtensionW (pszPath="usertile33.bmp") returned=".bmp" [0107.550] lstrlenW (lpString=".bmp") returned 4 [0107.550] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0107.550] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile33.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.550] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae4fccfe, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae4fccfe, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd9c9561, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile34.bmp", cAlternateFileName="")) returned 1 [0107.551] lstrcmpiW (lpString1="usertile34.bmp", lpString2="Windows") returned -1 [0107.551] lstrcmpiW (lpString1="usertile34.bmp", lpString2="Program Files") returned 1 [0107.551] lstrcmpiW (lpString1="usertile34.bmp", lpString2="Program Files (x86)") returned 1 [0107.551] lstrcmpiW (lpString1="usertile34.bmp", lpString2="$Recycle.bin") returned 1 [0107.551] lstrcmpiW (lpString1="usertile34.bmp", lpString2="System Volume Information") returned 1 [0107.551] lstrcmpiW (lpString1="usertile34.bmp", lpString2=".") returned 1 [0107.551] lstrcmpiW (lpString1="usertile34.bmp", lpString2="..") returned 1 [0107.551] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp") returned 82 [0107.551] lstrcmpW (lpString1="usertile34.bmp", lpString2="PUSSY.TXT") returned 1 [0107.551] PathFindExtensionW (pszPath="usertile34.bmp") returned=".bmp" [0107.551] lstrlenW (lpString=".bmp") returned 4 [0107.551] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0107.551] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile34.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.552] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae4fccfe, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae4fccfe, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd9ef6bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile35.bmp", cAlternateFileName="")) returned 1 [0107.552] lstrcmpiW (lpString1="usertile35.bmp", lpString2="Windows") returned -1 [0107.552] lstrcmpiW (lpString1="usertile35.bmp", lpString2="Program Files") returned 1 [0107.552] lstrcmpiW (lpString1="usertile35.bmp", lpString2="Program Files (x86)") returned 1 [0107.552] lstrcmpiW (lpString1="usertile35.bmp", lpString2="$Recycle.bin") returned 1 [0107.552] lstrcmpiW (lpString1="usertile35.bmp", lpString2="System Volume Information") returned 1 [0107.552] lstrcmpiW (lpString1="usertile35.bmp", lpString2=".") returned 1 [0107.552] lstrcmpiW (lpString1="usertile35.bmp", lpString2="..") returned 1 [0107.552] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp") returned 82 [0107.552] lstrcmpW (lpString1="usertile35.bmp", lpString2="PUSSY.TXT") returned 1 [0107.552] PathFindExtensionW (pszPath="usertile35.bmp") returned=".bmp" [0107.552] lstrlenW (lpString=".bmp") returned 4 [0107.552] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0107.552] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile35.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.552] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae548fb8, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae548fb8, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd9ef6bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile36.bmp", cAlternateFileName="")) returned 1 [0107.552] lstrcmpiW (lpString1="usertile36.bmp", lpString2="Windows") returned -1 [0107.553] lstrcmpiW (lpString1="usertile36.bmp", lpString2="Program Files") returned 1 [0107.553] lstrcmpiW (lpString1="usertile36.bmp", lpString2="Program Files (x86)") returned 1 [0107.553] lstrcmpiW (lpString1="usertile36.bmp", lpString2="$Recycle.bin") returned 1 [0107.553] lstrcmpiW (lpString1="usertile36.bmp", lpString2="System Volume Information") returned 1 [0107.553] lstrcmpiW (lpString1="usertile36.bmp", lpString2=".") returned 1 [0107.553] lstrcmpiW (lpString1="usertile36.bmp", lpString2="..") returned 1 [0107.553] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp") returned 82 [0107.553] lstrcmpW (lpString1="usertile36.bmp", lpString2="PUSSY.TXT") returned 1 [0107.553] PathFindExtensionW (pszPath="usertile36.bmp") returned=".bmp" [0107.553] lstrlenW (lpString=".bmp") returned 4 [0107.553] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0107.553] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile36.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.553] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae595272, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae595272, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddb6c46b, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile37.bmp", cAlternateFileName="")) returned 1 [0107.553] lstrcmpiW (lpString1="usertile37.bmp", lpString2="Windows") returned -1 [0107.553] lstrcmpiW (lpString1="usertile37.bmp", lpString2="Program Files") returned 1 [0107.553] lstrcmpiW (lpString1="usertile37.bmp", lpString2="Program Files (x86)") returned 1 [0107.553] lstrcmpiW (lpString1="usertile37.bmp", lpString2="$Recycle.bin") returned 1 [0107.553] lstrcmpiW (lpString1="usertile37.bmp", lpString2="System Volume Information") returned 1 [0107.553] lstrcmpiW (lpString1="usertile37.bmp", lpString2=".") returned 1 [0107.553] lstrcmpiW (lpString1="usertile37.bmp", lpString2="..") returned 1 [0107.553] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp") returned 82 [0107.553] lstrcmpW (lpString1="usertile37.bmp", lpString2="PUSSY.TXT") returned 1 [0107.554] PathFindExtensionW (pszPath="usertile37.bmp") returned=".bmp" [0107.554] lstrlenW (lpString=".bmp") returned 4 [0107.554] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0107.554] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile37.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.554] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae5bb3cf, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae5bb3cf, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddb6c46b, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile38.bmp", cAlternateFileName="")) returned 1 [0107.554] lstrcmpiW (lpString1="usertile38.bmp", lpString2="Windows") returned -1 [0107.554] lstrcmpiW (lpString1="usertile38.bmp", lpString2="Program Files") returned 1 [0107.554] lstrcmpiW (lpString1="usertile38.bmp", lpString2="Program Files (x86)") returned 1 [0107.554] lstrcmpiW (lpString1="usertile38.bmp", lpString2="$Recycle.bin") returned 1 [0107.554] lstrcmpiW (lpString1="usertile38.bmp", lpString2="System Volume Information") returned 1 [0107.554] lstrcmpiW (lpString1="usertile38.bmp", lpString2=".") returned 1 [0107.554] lstrcmpiW (lpString1="usertile38.bmp", lpString2="..") returned 1 [0107.554] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp") returned 82 [0107.554] lstrcmpW (lpString1="usertile38.bmp", lpString2="PUSSY.TXT") returned 1 [0107.554] PathFindExtensionW (pszPath="usertile38.bmp") returned=".bmp" [0107.554] lstrlenW (lpString=".bmp") returned 4 [0107.554] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0107.554] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile38.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.555] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae5e152c, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae5e152c, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddc2ab41, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile39.bmp", cAlternateFileName="")) returned 1 [0107.555] lstrcmpiW (lpString1="usertile39.bmp", lpString2="Windows") returned -1 [0107.555] lstrcmpiW (lpString1="usertile39.bmp", lpString2="Program Files") returned 1 [0107.555] lstrcmpiW (lpString1="usertile39.bmp", lpString2="Program Files (x86)") returned 1 [0107.555] lstrcmpiW (lpString1="usertile39.bmp", lpString2="$Recycle.bin") returned 1 [0107.555] lstrcmpiW (lpString1="usertile39.bmp", lpString2="System Volume Information") returned 1 [0107.556] lstrcmpiW (lpString1="usertile39.bmp", lpString2=".") returned 1 [0107.556] lstrcmpiW (lpString1="usertile39.bmp", lpString2="..") returned 1 [0107.556] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp") returned 82 [0107.556] lstrcmpW (lpString1="usertile39.bmp", lpString2="PUSSY.TXT") returned 1 [0107.556] PathFindExtensionW (pszPath="usertile39.bmp") returned=".bmp" [0107.556] lstrlenW (lpString=".bmp") returned 4 [0107.556] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0107.556] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile39.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.556] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae607689, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae607689, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddc50c9f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile40.bmp", cAlternateFileName="")) returned 1 [0107.556] lstrcmpiW (lpString1="usertile40.bmp", lpString2="Windows") returned -1 [0107.556] lstrcmpiW (lpString1="usertile40.bmp", lpString2="Program Files") returned 1 [0107.556] lstrcmpiW (lpString1="usertile40.bmp", lpString2="Program Files (x86)") returned 1 [0107.556] lstrcmpiW (lpString1="usertile40.bmp", lpString2="$Recycle.bin") returned 1 [0107.556] lstrcmpiW (lpString1="usertile40.bmp", lpString2="System Volume Information") returned 1 [0107.556] lstrcmpiW (lpString1="usertile40.bmp", lpString2=".") returned 1 [0107.556] lstrcmpiW (lpString1="usertile40.bmp", lpString2="..") returned 1 [0107.556] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp") returned 82 [0107.556] lstrcmpW (lpString1="usertile40.bmp", lpString2="PUSSY.TXT") returned 1 [0107.556] PathFindExtensionW (pszPath="usertile40.bmp") returned=".bmp" [0107.556] lstrlenW (lpString=".bmp") returned 4 [0107.556] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0107.556] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile40.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.557] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae62d7e6, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae62d7e6, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddcc30b9, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile41.bmp", cAlternateFileName="")) returned 1 [0107.557] lstrcmpiW (lpString1="usertile41.bmp", lpString2="Windows") returned -1 [0107.557] lstrcmpiW (lpString1="usertile41.bmp", lpString2="Program Files") returned 1 [0107.557] lstrcmpiW (lpString1="usertile41.bmp", lpString2="Program Files (x86)") returned 1 [0107.557] lstrcmpiW (lpString1="usertile41.bmp", lpString2="$Recycle.bin") returned 1 [0107.557] lstrcmpiW (lpString1="usertile41.bmp", lpString2="System Volume Information") returned 1 [0107.557] lstrcmpiW (lpString1="usertile41.bmp", lpString2=".") returned 1 [0107.557] lstrcmpiW (lpString1="usertile41.bmp", lpString2="..") returned 1 [0107.557] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp") returned 82 [0107.557] lstrcmpW (lpString1="usertile41.bmp", lpString2="PUSSY.TXT") returned 1 [0107.557] PathFindExtensionW (pszPath="usertile41.bmp") returned=".bmp" [0107.557] lstrlenW (lpString=".bmp") returned 4 [0107.557] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0107.557] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile41.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.557] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae653943, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae653943, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddce9217, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile42.bmp", cAlternateFileName="")) returned 1 [0107.557] lstrcmpiW (lpString1="usertile42.bmp", lpString2="Windows") returned -1 [0107.557] lstrcmpiW (lpString1="usertile42.bmp", lpString2="Program Files") returned 1 [0107.557] lstrcmpiW (lpString1="usertile42.bmp", lpString2="Program Files (x86)") returned 1 [0107.557] lstrcmpiW (lpString1="usertile42.bmp", lpString2="$Recycle.bin") returned 1 [0107.557] lstrcmpiW (lpString1="usertile42.bmp", lpString2="System Volume Information") returned 1 [0107.558] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp") returned 82 [0107.558] lstrcmpW (lpString1="usertile42.bmp", lpString2="PUSSY.TXT") returned 1 [0107.558] PathFindExtensionW (pszPath="usertile42.bmp") returned=".bmp" [0107.558] lstrlenW (lpString=".bmp") returned 4 [0107.558] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0107.558] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile42.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.558] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae653943, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae653943, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddd0f375, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile43.bmp", cAlternateFileName="")) returned 1 [0107.558] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp") returned 82 [0107.558] lstrcmpW (lpString1="usertile43.bmp", lpString2="PUSSY.TXT") returned 1 [0107.558] PathFindExtensionW (pszPath="usertile43.bmp") returned=".bmp" [0107.558] lstrlenW (lpString=".bmp") returned 4 [0107.558] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0107.558] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile43.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.559] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae679aa0, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae679aa0, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddd354d3, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile44.bmp", cAlternateFileName="")) returned 1 [0107.559] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp") returned 82 [0107.559] lstrcmpW (lpString1="usertile44.bmp", lpString2="PUSSY.TXT") returned 1 [0107.559] PathFindExtensionW (pszPath="usertile44.bmp") returned=".bmp" [0107.559] lstrlenW (lpString=".bmp") returned 4 [0107.559] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0107.559] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile44.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.559] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae679aa0, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae679aa0, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddd354d3, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile44.bmp", cAlternateFileName="")) returned 0 [0107.559] FindClose (in: hFindFile=0x4e29a0 | out: hFindFile=0x4e29a0) returned 1 [0107.560] wnsprintfW (in: pszDest=0x53aae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\PUSSY.TXT") returned 77 [0107.560] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0107.563] lstrlenA (lpString="abcd") returned 4 [0107.563] WriteFile (in: hFile=0x1a4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0107.564] CloseHandle (hObject=0x1a4) returned 1 [0107.565] GetProcessHeap () returned 0x4c0000 [0107.565] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53aae0 | out: hHeap=0x4c0000) returned 1 [0107.565] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bed1018, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7bed1018, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="guest.bmp", cAlternateFileName="")) returned 1 [0107.565] lstrcmpiW (lpString1="guest.bmp", lpString2="Windows") returned -1 [0107.565] lstrcmpiW (lpString1="guest.bmp", lpString2="Program Files") returned -1 [0107.565] lstrcmpiW (lpString1="guest.bmp", lpString2="Program Files (x86)") returned -1 [0107.565] lstrcmpiW (lpString1="guest.bmp", lpString2="$Recycle.bin") returned 1 [0107.565] lstrcmpiW (lpString1="guest.bmp", lpString2="System Volume Information") returned -1 [0107.565] lstrcmpiW (lpString1="guest.bmp", lpString2=".") returned 1 [0107.565] lstrcmpiW (lpString1="guest.bmp", lpString2="..") returned 1 [0107.565] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp") returned 60 [0107.565] lstrcmpW (lpString1="guest.bmp", lpString2="PUSSY.TXT") returned -1 [0107.565] PathFindExtensionW (pszPath="guest.bmp") returned=".bmp" [0107.565] lstrlenW (lpString=".bmp") returned 4 [0107.565] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0107.565] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\guest.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a4 [0107.566] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=49208) returned 1 [0107.566] GetProcessHeap () returned 0x4c0000 [0107.566] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x57cb88 [0107.587] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="C4") returned 2 [0107.587] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="E3") returned 2 [0107.587] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="B0") returned 2 [0107.587] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="2A") returned 2 [0107.587] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="63") returned 2 [0107.587] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="CE") returned 2 [0107.587] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="71") returned 2 [0107.587] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="3B") returned 2 [0107.587] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="17") returned 2 [0107.587] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="C8") returned 2 [0107.587] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="18") returned 2 [0107.587] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="A5") returned 2 [0107.587] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="2B") returned 2 [0107.587] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="C2") returned 2 [0107.587] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="B4") returned 2 [0107.587] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="C1") returned 2 [0107.587] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="B4") returned 2 [0107.587] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="05") returned 2 [0107.587] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="BF") returned 2 [0107.587] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="B7") returned 2 [0107.588] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="34") returned 2 [0107.588] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="A0") returned 2 [0107.588] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="1E") returned 2 [0107.588] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="73") returned 2 [0107.588] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="99") returned 2 [0107.588] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="F3") returned 2 [0107.588] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="DE") returned 2 [0107.588] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="BF") returned 2 [0107.588] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="82") returned 2 [0107.588] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="3B") returned 2 [0107.588] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="99") returned 2 [0107.588] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="5A") returned 2 [0107.602] lstrcpyW (in: lpString1=0x58cbbc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp" [0107.602] lstrcpyW (in: lpString1=0x57cbbc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp" [0107.602] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp", lpString2=".C4E3B02A63CE713B17C818A52BC2B4C1B405BFB734A01E7399F3DEBF823B995A" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp.C4E3B02A63CE713B17C818A52BC2B4C1B405BFB734A01E7399F3DEBF823B995A") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp.C4E3B02A63CE713B17C818A52BC2B4C1B405BFB734A01E7399F3DEBF823B995A" [0107.603] CreateIoCompletionPort (FileHandle=0x1a4, ExistingCompletionPort=0x94, CompletionKey=0x57cb88, NumberOfConcurrentThreads=0x0) returned 0x94 [0107.603] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x57cb88, lpOverlapped=0x57cb88) returned 1 [0107.603] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bed1018, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7bed1018, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="user.bmp", cAlternateFileName="")) returned 1 [0107.603] lstrcmpiW (lpString1="user.bmp", lpString2="Windows") returned -1 [0107.603] lstrcmpiW (lpString1="user.bmp", lpString2="Program Files") returned 1 [0107.603] lstrcmpiW (lpString1="user.bmp", lpString2="Program Files (x86)") returned 1 [0107.603] lstrcmpiW (lpString1="user.bmp", lpString2="$Recycle.bin") returned 1 [0107.604] lstrcmpiW (lpString1="user.bmp", lpString2="System Volume Information") returned 1 [0107.604] lstrcmpiW (lpString1="user.bmp", lpString2=".") returned 1 [0107.604] lstrcmpiW (lpString1="user.bmp", lpString2="..") returned 1 [0107.604] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp") returned 59 [0107.604] lstrcmpW (lpString1="user.bmp", lpString2="PUSSY.TXT") returned 1 [0107.604] PathFindExtensionW (pszPath="user.bmp") returned=".bmp" [0107.604] lstrlenW (lpString=".bmp") returned 4 [0107.604] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0107.604] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0107.605] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=49208) returned 1 [0107.605] GetProcessHeap () returned 0x4c0000 [0107.605] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x53aae0 [0107.620] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="0D") returned 2 [0107.620] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="DD") returned 2 [0107.620] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="8D") returned 2 [0107.620] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="B0") returned 2 [0107.620] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="49") returned 2 [0107.620] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="BD") returned 2 [0107.620] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="E0") returned 2 [0107.620] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="BA") returned 2 [0107.620] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="08") returned 2 [0107.620] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="D5") returned 2 [0107.620] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="93") returned 2 [0107.620] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="28") returned 2 [0107.620] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="A0") returned 2 [0107.620] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="58") returned 2 [0107.620] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="35") returned 2 [0107.620] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="DB") returned 2 [0107.620] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="B6") returned 2 [0107.620] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="73") returned 2 [0107.620] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="5B") returned 2 [0107.620] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="A8") returned 2 [0107.620] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="64") returned 2 [0107.620] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="93") returned 2 [0107.620] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="9E") returned 2 [0107.620] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="53") returned 2 [0107.621] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="1F") returned 2 [0107.621] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="6F") returned 2 [0107.621] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="F4") returned 2 [0107.621] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="C7") returned 2 [0107.621] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="55") returned 2 [0107.621] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="29") returned 2 [0107.621] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="4C") returned 2 [0107.621] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="13") returned 2 [0107.636] lstrcpyW (in: lpString1=0x54ab14, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp" [0107.636] lstrcpyW (in: lpString1=0x53ab14, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp" [0107.636] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp", lpString2=".0DDD8DB049BDE0BA08D59328A05835DBB6735BA864939E531F6FF4C755294C13" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp.0DDD8DB049BDE0BA08D59328A05835DBB6735BA864939E531F6FF4C755294C13") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp.0DDD8DB049BDE0BA08D59328A05835DBB6735BA864939E531F6FF4C755294C13" [0107.636] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x53aae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0107.636] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x53aae0, lpOverlapped=0x53aae0) returned 1 [0107.636] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bed1018, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7bed1018, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="user.bmp", cAlternateFileName="")) returned 0 [0107.636] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0107.637] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\PUSSY.TXT") returned 60 [0107.637] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\user account pictures\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0107.874] lstrlenA (lpString="abcd") returned 4 [0107.874] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0107.875] CloseHandle (hObject=0x18c) returned 1 [0107.875] GetProcessHeap () returned 0x4c0000 [0107.875] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0107.875] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xc602eec6, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="Vault", cAlternateFileName="")) returned 1 [0107.875] lstrcmpiW (lpString1="Vault", lpString2="Windows") returned -1 [0107.875] lstrcmpiW (lpString1="Vault", lpString2="Program Files") returned 1 [0107.875] lstrcmpiW (lpString1="Vault", lpString2="Program Files (x86)") returned 1 [0107.875] lstrcmpiW (lpString1="Vault", lpString2="$Recycle.bin") returned 1 [0107.875] lstrcmpiW (lpString1="Vault", lpString2="System Volume Information") returned 1 [0107.875] lstrcmpiW (lpString1="Vault", lpString2=".") returned 1 [0107.875] lstrcmpiW (lpString1="Vault", lpString2="..") returned 1 [0107.876] wnsprintfW (in: pszDest=0x3bb8158, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Vault") returned 34 [0107.876] GetProcessHeap () returned 0x4c0000 [0107.876] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x562b30 [0107.876] lstrcpyW (in: lpString1=0x562b30, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Vault" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Vault") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Vault" [0107.876] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Vault", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\*" [0107.876] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xc602eec6, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0107.876] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0107.876] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0107.876] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0107.876] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0107.876] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0107.876] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0107.876] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xc602eec6, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0107.876] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0107.876] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0107.877] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0107.877] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0107.877] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0107.877] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0107.877] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0107.877] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xc602eec6, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 0 [0107.877] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0107.877] wnsprintfW (in: pszDest=0x562b30, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\PUSSY.TXT") returned 44 [0107.877] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\vault\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0107.877] lstrlenA (lpString="abcd") returned 4 [0107.877] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0107.878] CloseHandle (hObject=0x18c) returned 1 [0107.878] GetProcessHeap () returned 0x4c0000 [0107.878] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x562b30 | out: hHeap=0x4c0000) returned 1 [0107.878] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x80ac5760, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="VISIO", cAlternateFileName="")) returned 1 [0107.879] lstrcmpiW (lpString1="VISIO", lpString2="Windows") returned -1 [0107.879] lstrcmpiW (lpString1="VISIO", lpString2="Program Files") returned 1 [0107.879] lstrcmpiW (lpString1="VISIO", lpString2="Program Files (x86)") returned 1 [0107.879] lstrcmpiW (lpString1="VISIO", lpString2="$Recycle.bin") returned 1 [0107.879] lstrcmpiW (lpString1="VISIO", lpString2="System Volume Information") returned 1 [0107.879] lstrcmpiW (lpString1="VISIO", lpString2=".") returned 1 [0107.879] lstrcmpiW (lpString1="VISIO", lpString2="..") returned 1 [0107.879] wnsprintfW (in: pszDest=0x3bb8158, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\VISIO") returned 34 [0107.879] GetProcessHeap () returned 0x4c0000 [0107.879] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x562b30 [0107.879] lstrcpyW (in: lpString1=0x562b30, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\VISIO" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\VISIO") returned="\\\\?\\C:\\ProgramData\\Microsoft\\VISIO" [0107.879] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\VISIO", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\VISIO\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\VISIO\\*" [0107.879] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\VISIO\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x80ac5760, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0107.880] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0107.880] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0107.880] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0107.880] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0107.880] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0107.880] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0107.880] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x80ac5760, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0107.880] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0107.880] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0107.880] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0107.881] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0107.881] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0107.881] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0107.881] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0107.881] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x80ac5760, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 0 [0107.881] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0107.881] wnsprintfW (in: pszDest=0x562b30, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\VISIO\\PUSSY.TXT") returned 44 [0107.881] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\VISIO\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\visio\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0107.881] lstrlenA (lpString="abcd") returned 4 [0107.881] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0107.882] CloseHandle (hObject=0x18c) returned 1 [0107.883] GetProcessHeap () returned 0x4c0000 [0107.883] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x562b30 | out: hHeap=0x4c0000) returned 1 [0107.883] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x60ae73a0, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0x60ae73a0, ftLastWriteTime.dwHighDateTime=0x1d2de2a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="Windows", cAlternateFileName="")) returned 1 [0107.883] lstrcmpiW (lpString1="Windows", lpString2="Windows") returned 0 [0107.883] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xb9b4aaa0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xb9b4aaa0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="Windows Defender", cAlternateFileName="WINDOW~1")) returned 1 [0107.883] lstrcmpiW (lpString1="Windows Defender", lpString2="Windows") returned 1 [0107.883] lstrcmpiW (lpString1="Windows Defender", lpString2="Program Files") returned 1 [0107.883] lstrcmpiW (lpString1="Windows Defender", lpString2="Program Files (x86)") returned 1 [0107.883] lstrcmpiW (lpString1="Windows Defender", lpString2="$Recycle.bin") returned 1 [0107.883] lstrcmpiW (lpString1="Windows Defender", lpString2="System Volume Information") returned 1 [0107.883] lstrcmpiW (lpString1="Windows Defender", lpString2=".") returned 1 [0107.883] lstrcmpiW (lpString1="Windows Defender", lpString2="..") returned 1 [0107.883] wnsprintfW (in: pszDest=0x3bb8158, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender") returned 45 [0107.883] GetProcessHeap () returned 0x4c0000 [0107.883] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x562b30 [0107.883] lstrcpyW (in: lpString1=0x562b30, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender" [0107.883] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*" [0107.883] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xb9b4aaa0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xb9b4aaa0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0107.884] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0107.884] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0107.884] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0107.884] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0107.884] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0107.884] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0107.884] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xb9b4aaa0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xb9b4aaa0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0107.884] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0107.884] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0107.884] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0107.884] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0107.884] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0107.884] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0107.884] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0107.884] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1fb3099, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x1fb3099, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Definition Updates", cAlternateFileName="DEFINI~1")) returned 1 [0107.884] lstrcmpiW (lpString1="Definition Updates", lpString2="Windows") returned -1 [0107.884] lstrcmpiW (lpString1="Definition Updates", lpString2="Program Files") returned -1 [0107.885] lstrcmpiW (lpString1="Definition Updates", lpString2="Program Files (x86)") returned -1 [0107.885] lstrcmpiW (lpString1="Definition Updates", lpString2="$Recycle.bin") returned 1 [0107.885] lstrcmpiW (lpString1="Definition Updates", lpString2="System Volume Information") returned -1 [0107.885] lstrcmpiW (lpString1="Definition Updates", lpString2=".") returned 1 [0107.885] lstrcmpiW (lpString1="Definition Updates", lpString2="..") returned 1 [0107.885] wnsprintfW (in: pszDest=0x562b30, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates") returned 64 [0107.885] GetProcessHeap () returned 0x4c0000 [0107.885] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0107.885] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates" [0107.885] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\*" [0107.885] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1fb3099, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x1fb3099, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e29a0 [0107.885] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0107.885] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0107.885] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0107.885] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0107.885] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0107.885] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0107.885] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1fb3099, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x1fb3099, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0107.886] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0107.886] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0107.886] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0107.886] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0107.886] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0107.886] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0107.886] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0107.886] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="Backup", cAlternateFileName="")) returned 1 [0107.886] lstrcmpiW (lpString1="Backup", lpString2="Windows") returned -1 [0107.886] lstrcmpiW (lpString1="Backup", lpString2="Program Files") returned -1 [0107.886] lstrcmpiW (lpString1="Backup", lpString2="Program Files (x86)") returned -1 [0107.886] lstrcmpiW (lpString1="Backup", lpString2="$Recycle.bin") returned 1 [0107.886] lstrcmpiW (lpString1="Backup", lpString2="System Volume Information") returned -1 [0107.886] lstrcmpiW (lpString1="Backup", lpString2=".") returned 1 [0107.886] lstrcmpiW (lpString1="Backup", lpString2="..") returned 1 [0107.886] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup") returned 71 [0107.886] GetProcessHeap () returned 0x4c0000 [0107.886] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0107.886] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup" [0107.886] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\*" [0107.886] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x4dbf10 [0107.887] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0107.887] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0107.887] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0107.887] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0107.887] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0107.887] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0107.887] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0107.887] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0107.888] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0107.888] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0107.888] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0107.888] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0107.888] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0107.888] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0107.888] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0107.888] FindClose (in: hFindFile=0x4dbf10 | out: hFindFile=0x4dbf10) returned 1 [0107.888] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\PUSSY.TXT") returned 81 [0107.888] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\backup\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0107.889] lstrlenA (lpString="abcd") returned 4 [0107.889] WriteFile (in: hFile=0xec, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0107.890] CloseHandle (hObject=0xec) returned 1 [0107.890] GetProcessHeap () returned 0x4c0000 [0107.890] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0107.894] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="Updates", cAlternateFileName="")) returned 1 [0107.895] lstrcmpiW (lpString1="Updates", lpString2="Windows") returned -1 [0107.895] lstrcmpiW (lpString1="Updates", lpString2="Program Files") returned 1 [0107.895] lstrcmpiW (lpString1="Updates", lpString2="Program Files (x86)") returned 1 [0107.895] lstrcmpiW (lpString1="Updates", lpString2="$Recycle.bin") returned 1 [0107.895] lstrcmpiW (lpString1="Updates", lpString2="System Volume Information") returned 1 [0107.895] lstrcmpiW (lpString1="Updates", lpString2=".") returned 1 [0107.895] lstrcmpiW (lpString1="Updates", lpString2="..") returned 1 [0107.895] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates") returned 72 [0107.895] GetProcessHeap () returned 0x4c0000 [0107.895] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0107.896] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates" [0107.896] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\*" [0107.896] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x4dbf10 [0107.896] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0107.896] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0107.896] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0107.896] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0107.896] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0107.896] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0107.896] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0107.897] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0107.897] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0107.897] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0107.897] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0107.897] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0107.897] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0107.897] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0107.897] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0107.897] FindClose (in: hFindFile=0x4dbf10 | out: hFindFile=0x4dbf10) returned 1 [0107.897] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\PUSSY.TXT") returned 82 [0107.897] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\updates\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0107.898] lstrlenA (lpString="abcd") returned 4 [0107.898] WriteFile (in: hFile=0xec, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0107.899] CloseHandle (hObject=0xec) returned 1 [0107.899] GetProcessHeap () returned 0x4c0000 [0107.899] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0107.899] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1fb3099, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x1fff35a, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x1fff35a, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", cAlternateFileName="{D2B0B~1")) returned 1 [0107.899] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="Windows") returned -1 [0107.900] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="Program Files") returned -1 [0107.900] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="Program Files (x86)") returned -1 [0107.900] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="$Recycle.bin") returned 1 [0107.900] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="System Volume Information") returned -1 [0107.900] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2=".") returned 1 [0107.900] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="..") returned 1 [0107.900] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}") returned 103 [0107.900] GetProcessHeap () returned 0x4c0000 [0107.900] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0107.900] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}" [0107.900] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\*" [0107.900] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1fb3099, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x1fff35a, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x1fff35a, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x4dbf10 [0107.900] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0107.900] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0107.900] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0107.900] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0107.900] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0107.901] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0107.901] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1fb3099, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x1fff35a, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x1fff35a, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0107.901] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0107.901] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0107.901] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0107.901] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0107.901] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0107.901] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0107.901] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0107.901] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1fd91f9, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x1fd91f9, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x12c4d000, ftLastWriteTime.dwHighDateTime=0x1cb85c9, nFileSizeHigh=0x0, nFileSizeLow=0xb17190, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="mpasbase.vdm", cAlternateFileName="")) returned 1 [0107.901] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="Windows") returned -1 [0107.901] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="Program Files") returned -1 [0107.901] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="Program Files (x86)") returned -1 [0107.901] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="$Recycle.bin") returned 1 [0107.901] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="System Volume Information") returned -1 [0107.901] lstrcmpiW (lpString1="mpasbase.vdm", lpString2=".") returned 1 [0107.901] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="..") returned 1 [0107.901] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm") returned 116 [0107.901] lstrcmpW (lpString1="mpasbase.vdm", lpString2="PUSSY.TXT") returned -1 [0107.901] PathFindExtensionW (pszPath="mpasbase.vdm") returned=".vdm" [0107.901] lstrlenW (lpString=".vdm") returned 4 [0107.902] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0107.902] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpasbase.vdm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0107.907] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=11628944) returned 1 [0107.907] GetProcessHeap () returned 0x4c0000 [0107.907] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc8160 [0107.924] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="43") returned 2 [0107.924] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="6B") returned 2 [0107.924] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="AD") returned 2 [0107.924] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="EA") returned 2 [0107.925] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="47") returned 2 [0107.925] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="FA") returned 2 [0107.925] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="D4") returned 2 [0107.925] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="45") returned 2 [0107.925] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="E6") returned 2 [0107.925] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="9E") returned 2 [0107.925] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="01") returned 2 [0107.925] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="BD") returned 2 [0107.925] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="0C") returned 2 [0107.925] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="D7") returned 2 [0107.925] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="96") returned 2 [0107.925] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="85") returned 2 [0107.925] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="29") returned 2 [0107.925] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="1C") returned 2 [0107.925] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="1E") returned 2 [0107.925] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="FF") returned 2 [0107.925] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="E1") returned 2 [0107.925] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="4E") returned 2 [0107.925] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="EB") returned 2 [0107.925] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="BC") returned 2 [0107.925] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="69") returned 2 [0107.925] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="E2") returned 2 [0107.925] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="88") returned 2 [0107.925] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="DB") returned 2 [0107.925] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="1C") returned 2 [0107.925] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="EE") returned 2 [0107.926] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="3C") returned 2 [0107.926] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="29") returned 2 [0107.940] lstrcpyW (in: lpString1=0x3bd8194, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm" [0107.940] lstrcpyW (in: lpString1=0x3bc8194, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm" [0107.940] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm", lpString2=".436BADEA47FAD445E69E01BD0CD79685291C1EFFE14EEBBC69E288DB1CEE3C29" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm.436BADEA47FAD445E69E01BD0CD79685291C1EFFE14EEBBC69E288DB1CEE3C29") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm.436BADEA47FAD445E69E01BD0CD79685291C1EFFE14EEBBC69E288DB1CEE3C29" [0107.940] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0x94, CompletionKey=0x3bc8160, NumberOfConcurrentThreads=0x0) returned 0x94 [0107.940] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc8160, lpOverlapped=0x3bc8160) returned 1 [0107.941] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1fff35a, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x1fff35a, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x6da22700, ftLastWriteTime.dwHighDateTime=0x1cb8783, nFileSizeHigh=0x0, nFileSizeLow=0x52d90, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="mpasdlta.vdm", cAlternateFileName="")) returned 1 [0107.941] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="Windows") returned -1 [0107.941] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="Program Files") returned -1 [0107.941] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="Program Files (x86)") returned -1 [0107.941] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="$Recycle.bin") returned 1 [0107.941] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="System Volume Information") returned -1 [0107.941] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2=".") returned 1 [0107.941] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="..") returned 1 [0107.941] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm") returned 116 [0107.941] lstrcmpW (lpString1="mpasdlta.vdm", lpString2="PUSSY.TXT") returned -1 [0107.941] PathFindExtensionW (pszPath="mpasdlta.vdm") returned=".vdm" [0107.941] lstrlenW (lpString=".vdm") returned 4 [0107.941] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0107.941] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpasdlta.vdm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0107.942] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=339344) returned 1 [0107.942] GetProcessHeap () returned 0x4c0000 [0107.942] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0107.959] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="CA") returned 2 [0107.959] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="4B") returned 2 [0107.959] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="70") returned 2 [0107.959] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="61") returned 2 [0107.959] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="6C") returned 2 [0107.959] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="C0") returned 2 [0107.959] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="EA") returned 2 [0107.959] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="53") returned 2 [0107.959] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="53") returned 2 [0107.959] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="E9") returned 2 [0107.959] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="34") returned 2 [0107.959] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="36") returned 2 [0107.959] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="D9") returned 2 [0107.959] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="DC") returned 2 [0107.959] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="BA") returned 2 [0107.959] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="D0") returned 2 [0107.959] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="BB") returned 2 [0107.959] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="4D") returned 2 [0107.959] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="C7") returned 2 [0107.959] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="7D") returned 2 [0107.959] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="5B") returned 2 [0107.959] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="F6") returned 2 [0107.960] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="23") returned 2 [0107.960] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="54") returned 2 [0107.960] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="D8") returned 2 [0107.960] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="6E") returned 2 [0107.960] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="54") returned 2 [0107.960] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="A5") returned 2 [0107.960] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="C3") returned 2 [0107.960] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="A8") returned 2 [0107.960] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="18") returned 2 [0107.960] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="5C") returned 2 [0107.974] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm" [0107.974] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm" [0107.974] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm", lpString2=".CA4B70616CC0EA5353E93436D9DCBAD0BB4DC77D5BF62354D86E54A5C3A8185C" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm.CA4B70616CC0EA5353E93436D9DCBAD0BB4DC77D5BF62354D86E54A5C3A8185C") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm.CA4B70616CC0EA5353E93436D9DCBAD0BB4DC77D5BF62354D86E54A5C3A8185C" [0107.974] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0107.974] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0107.974] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1fb3099, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x1fb3099, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x93b6800, ftLastWriteTime.dwHighDateTime=0x1cb85c9, nFileSizeHigh=0x0, nFileSizeLow=0x7d1d50, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="mpengine.dll", cAlternateFileName="")) returned 1 [0107.974] lstrcmpiW (lpString1="mpengine.dll", lpString2="Windows") returned -1 [0107.974] lstrcmpiW (lpString1="mpengine.dll", lpString2="Program Files") returned -1 [0107.974] lstrcmpiW (lpString1="mpengine.dll", lpString2="Program Files (x86)") returned -1 [0107.974] lstrcmpiW (lpString1="mpengine.dll", lpString2="$Recycle.bin") returned 1 [0107.974] lstrcmpiW (lpString1="mpengine.dll", lpString2="System Volume Information") returned -1 [0107.974] lstrcmpiW (lpString1="mpengine.dll", lpString2=".") returned 1 [0107.974] lstrcmpiW (lpString1="mpengine.dll", lpString2="..") returned 1 [0107.974] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpengine.dll") returned 116 [0107.974] lstrcmpW (lpString1="mpengine.dll", lpString2="PUSSY.TXT") returned -1 [0107.974] PathFindExtensionW (pszPath="mpengine.dll") returned=".dll" [0107.975] lstrlenW (lpString=".dll") returned 4 [0107.975] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0107.975] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpengine.dll" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpengine.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0108.057] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1fb3099, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x1fb3099, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x93b6800, ftLastWriteTime.dwHighDateTime=0x1cb85c9, nFileSizeHigh=0x0, nFileSizeLow=0x7d1d50, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="mpengine.dll", cAlternateFileName="")) returned 0 [0108.058] FindClose (in: hFindFile=0x4dbf10 | out: hFindFile=0x4dbf10) returned 1 [0108.058] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\PUSSY.TXT") returned 113 [0108.058] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0108.058] lstrlenA (lpString="abcd") returned 4 [0108.058] WriteFile (in: hFile=0xec, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0108.059] CloseHandle (hObject=0xec) returned 1 [0108.059] GetProcessHeap () returned 0x4c0000 [0108.059] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0108.059] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1fb3099, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x1fff35a, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x1fff35a, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", cAlternateFileName="{D2B0B~1")) returned 0 [0108.059] FindClose (in: hFindFile=0x4e29a0 | out: hFindFile=0x4e29a0) returned 1 [0108.060] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\PUSSY.TXT") returned 74 [0108.060] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0108.061] lstrlenA (lpString="abcd") returned 4 [0108.061] WriteFile (in: hFile=0x19c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0108.062] CloseHandle (hObject=0x19c) returned 1 [0108.062] GetProcessHeap () returned 0x4c0000 [0108.062] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0108.062] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xb9b4aaa0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xb9b4aaa0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xb9b4aaa0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="IMpService925A3ACA-C353-458A-AC8D-A7E5EB378092.lock", cAlternateFileName="IMPSER~1.LOC")) returned 1 [0108.063] lstrcmpiW (lpString1="IMpService925A3ACA-C353-458A-AC8D-A7E5EB378092.lock", lpString2="Windows") returned -1 [0108.063] lstrcmpiW (lpString1="IMpService925A3ACA-C353-458A-AC8D-A7E5EB378092.lock", lpString2="Program Files") returned -1 [0108.063] lstrcmpiW (lpString1="IMpService925A3ACA-C353-458A-AC8D-A7E5EB378092.lock", lpString2="Program Files (x86)") returned -1 [0108.063] lstrcmpiW (lpString1="IMpService925A3ACA-C353-458A-AC8D-A7E5EB378092.lock", lpString2="$Recycle.bin") returned 1 [0108.063] lstrcmpiW (lpString1="IMpService925A3ACA-C353-458A-AC8D-A7E5EB378092.lock", lpString2="System Volume Information") returned -1 [0108.063] lstrcmpiW (lpString1="IMpService925A3ACA-C353-458A-AC8D-A7E5EB378092.lock", lpString2=".") returned 1 [0108.063] lstrcmpiW (lpString1="IMpService925A3ACA-C353-458A-AC8D-A7E5EB378092.lock", lpString2="..") returned 1 [0108.063] wnsprintfW (in: pszDest=0x562b30, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\IMpService925A3ACA-C353-458A-AC8D-A7E5EB378092.lock") returned 97 [0108.063] lstrcmpW (lpString1="IMpService925A3ACA-C353-458A-AC8D-A7E5EB378092.lock", lpString2="PUSSY.TXT") returned -1 [0108.063] PathFindExtensionW (pszPath="IMpService925A3ACA-C353-458A-AC8D-A7E5EB378092.lock") returned=".lock" [0108.063] lstrlenW (lpString=".lock") returned 5 [0108.063] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0108.063] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\IMpService925A3ACA-C353-458A-AC8D-A7E5EB378092.lock" (normalized: "c:\\programdata\\microsoft\\windows defender\\impservice925a3aca-c353-458a-ac8d-a7e5eb378092.lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0108.063] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="LocalCopy", cAlternateFileName="LOCALC~1")) returned 1 [0108.063] lstrcmpiW (lpString1="LocalCopy", lpString2="Windows") returned -1 [0108.063] lstrcmpiW (lpString1="LocalCopy", lpString2="Program Files") returned -1 [0108.063] lstrcmpiW (lpString1="LocalCopy", lpString2="Program Files (x86)") returned -1 [0108.063] lstrcmpiW (lpString1="LocalCopy", lpString2="$Recycle.bin") returned 1 [0108.063] lstrcmpiW (lpString1="LocalCopy", lpString2="System Volume Information") returned -1 [0108.063] lstrcmpiW (lpString1="LocalCopy", lpString2=".") returned 1 [0108.063] lstrcmpiW (lpString1="LocalCopy", lpString2="..") returned 1 [0108.063] wnsprintfW (in: pszDest=0x562b30, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy") returned 55 [0108.063] GetProcessHeap () returned 0x4c0000 [0108.063] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x52aad8 [0108.064] lstrcpyW (in: lpString1=0x52aad8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy" [0108.064] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy\\*" [0108.064] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e29a0 [0108.064] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0108.064] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0108.064] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0108.064] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0108.064] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0108.064] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.064] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0108.064] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0108.064] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0108.065] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0108.065] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0108.065] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0108.065] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.065] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.065] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 0 [0108.065] FindClose (in: hFindFile=0x4e29a0 | out: hFindFile=0x4e29a0) returned 1 [0108.065] wnsprintfW (in: pszDest=0x52aad8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy\\PUSSY.TXT") returned 65 [0108.065] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\windows defender\\localcopy\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0108.065] lstrlenA (lpString="abcd") returned 4 [0108.065] WriteFile (in: hFile=0x19c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0108.066] CloseHandle (hObject=0x19c) returned 1 [0108.066] GetProcessHeap () returned 0x4c0000 [0108.066] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52aad8 | out: hHeap=0x4c0000) returned 1 [0108.068] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Quarantine", cAlternateFileName="QUARAN~1")) returned 1 [0108.068] lstrcmpiW (lpString1="Quarantine", lpString2="Windows") returned -1 [0108.068] lstrcmpiW (lpString1="Quarantine", lpString2="Program Files") returned 1 [0108.068] lstrcmpiW (lpString1="Quarantine", lpString2="Program Files (x86)") returned 1 [0108.068] lstrcmpiW (lpString1="Quarantine", lpString2="$Recycle.bin") returned 1 [0108.068] lstrcmpiW (lpString1="Quarantine", lpString2="System Volume Information") returned -1 [0108.068] lstrcmpiW (lpString1="Quarantine", lpString2=".") returned 1 [0108.068] lstrcmpiW (lpString1="Quarantine", lpString2="..") returned 1 [0108.068] wnsprintfW (in: pszDest=0x562b30, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine") returned 56 [0108.068] GetProcessHeap () returned 0x4c0000 [0108.068] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x52aad8 [0108.069] lstrcpyW (in: lpString1=0x52aad8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine" [0108.069] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine\\*" [0108.069] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e29a0 [0108.069] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0108.069] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0108.069] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0108.069] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0108.069] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0108.070] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.070] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0108.070] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0108.070] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0108.070] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0108.070] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0108.070] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0108.070] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.070] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.070] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 0 [0108.070] FindClose (in: hFindFile=0x4e29a0 | out: hFindFile=0x4e29a0) returned 1 [0108.070] wnsprintfW (in: pszDest=0x52aad8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine\\PUSSY.TXT") returned 66 [0108.070] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\windows defender\\quarantine\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0108.071] lstrlenA (lpString="abcd") returned 4 [0108.071] WriteFile (in: hFile=0x19c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0108.072] CloseHandle (hObject=0x19c) returned 1 [0108.072] GetProcessHeap () returned 0x4c0000 [0108.072] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52aad8 | out: hHeap=0x4c0000) returned 1 [0108.072] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7690f9e4, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x7690f9e4, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Scans", cAlternateFileName="")) returned 1 [0108.072] lstrcmpiW (lpString1="Scans", lpString2="Windows") returned -1 [0108.072] lstrcmpiW (lpString1="Scans", lpString2="Program Files") returned 1 [0108.072] lstrcmpiW (lpString1="Scans", lpString2="Program Files (x86)") returned 1 [0108.072] lstrcmpiW (lpString1="Scans", lpString2="$Recycle.bin") returned 1 [0108.072] lstrcmpiW (lpString1="Scans", lpString2="System Volume Information") returned -1 [0108.072] lstrcmpiW (lpString1="Scans", lpString2=".") returned 1 [0108.072] lstrcmpiW (lpString1="Scans", lpString2="..") returned 1 [0108.072] wnsprintfW (in: pszDest=0x562b30, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans") returned 51 [0108.072] GetProcessHeap () returned 0x4c0000 [0108.072] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x52aad8 [0108.072] lstrcpyW (in: lpString1=0x52aad8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans" [0108.072] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\*" [0108.073] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7690f9e4, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x7690f9e4, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e29a0 [0108.073] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0108.073] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0108.073] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0108.073] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0108.073] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0108.073] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.073] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7690f9e4, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x7690f9e4, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0108.073] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0108.073] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0108.073] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0108.073] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0108.073] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0108.073] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.073] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.073] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7690f9e4, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x244fb42, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x244fb42, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="History", cAlternateFileName="")) returned 1 [0108.073] lstrcmpiW (lpString1="History", lpString2="Windows") returned -1 [0108.073] lstrcmpiW (lpString1="History", lpString2="Program Files") returned -1 [0108.073] lstrcmpiW (lpString1="History", lpString2="Program Files (x86)") returned -1 [0108.074] lstrcmpiW (lpString1="History", lpString2="$Recycle.bin") returned 1 [0108.074] lstrcmpiW (lpString1="History", lpString2="System Volume Information") returned -1 [0108.074] lstrcmpiW (lpString1="History", lpString2=".") returned 1 [0108.074] lstrcmpiW (lpString1="History", lpString2="..") returned 1 [0108.074] wnsprintfW (in: pszDest=0x52aad8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History") returned 59 [0108.074] GetProcessHeap () returned 0x4c0000 [0108.074] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0108.075] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History" [0108.075] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\*" [0108.075] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7690f9e4, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x244fb42, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x244fb42, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x4dbf10 [0108.076] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0108.076] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0108.076] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0108.076] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0108.076] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0108.076] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.076] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7690f9e4, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x244fb42, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x244fb42, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0108.076] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0108.076] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0108.076] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0108.076] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0108.076] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0108.076] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.076] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.076] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x76b24d28, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0xcfc0a7e0, ftLastAccessTime.dwHighDateTime=0x1d2faf9, ftLastWriteTime.dwLowDateTime=0xcfc0a7e0, ftLastWriteTime.dwHighDateTime=0x1d2faf9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="CacheManager", cAlternateFileName="CACHEM~1")) returned 1 [0108.076] lstrcmpiW (lpString1="CacheManager", lpString2="Windows") returned -1 [0108.076] lstrcmpiW (lpString1="CacheManager", lpString2="Program Files") returned -1 [0108.076] lstrcmpiW (lpString1="CacheManager", lpString2="Program Files (x86)") returned -1 [0108.076] lstrcmpiW (lpString1="CacheManager", lpString2="$Recycle.bin") returned 1 [0108.076] lstrcmpiW (lpString1="CacheManager", lpString2="System Volume Information") returned -1 [0108.077] lstrcmpiW (lpString1="CacheManager", lpString2=".") returned 1 [0108.077] lstrcmpiW (lpString1="CacheManager", lpString2="..") returned 1 [0108.077] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager") returned 72 [0108.077] GetProcessHeap () returned 0x4c0000 [0108.077] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0108.077] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager" [0108.077] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*" [0108.077] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x76b24d28, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0xcfc0a7e0, ftLastAccessTime.dwHighDateTime=0x1d2faf9, ftLastWriteTime.dwLowDateTime=0xcfc0a7e0, ftLastWriteTime.dwHighDateTime=0x1d2faf9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bf11b8 [0108.077] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0108.078] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0108.078] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0108.078] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0108.078] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0108.078] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.078] FindNextFileW (in: hFindFile=0x3bf11b8, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x76b24d28, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0xcfc0a7e0, ftLastAccessTime.dwHighDateTime=0x1d2faf9, ftLastWriteTime.dwLowDateTime=0xcfc0a7e0, ftLastWriteTime.dwHighDateTime=0x1d2faf9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0108.078] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0108.078] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0108.078] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0108.078] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0108.078] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0108.078] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.079] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.079] FindNextFileW (in: hFindFile=0x3bf11b8, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcfc0a7e0, ftCreationTime.dwHighDateTime=0x1d2faf9, ftLastAccessTime.dwLowDateTime=0xcfc0a7e0, ftLastAccessTime.dwHighDateTime=0x1d2faf9, ftLastWriteTime.dwLowDateTime=0xcfc30940, ftLastWriteTime.dwHighDateTime=0x1d2faf9, nFileSizeHigh=0x0, nFileSizeLow=0x33b60, dwReserved0=0x4e06f8, dwReserved1=0xc0100080, cFileName="MpSfc.bin", cAlternateFileName="")) returned 1 [0108.079] lstrcmpiW (lpString1="MpSfc.bin", lpString2="Windows") returned -1 [0108.079] lstrcmpiW (lpString1="MpSfc.bin", lpString2="Program Files") returned -1 [0108.079] lstrcmpiW (lpString1="MpSfc.bin", lpString2="Program Files (x86)") returned -1 [0108.079] lstrcmpiW (lpString1="MpSfc.bin", lpString2="$Recycle.bin") returned 1 [0108.079] lstrcmpiW (lpString1="MpSfc.bin", lpString2="System Volume Information") returned -1 [0108.079] lstrcmpiW (lpString1="MpSfc.bin", lpString2=".") returned 1 [0108.079] lstrcmpiW (lpString1="MpSfc.bin", lpString2="..") returned 1 [0108.079] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin") returned 82 [0108.079] lstrcmpW (lpString1="MpSfc.bin", lpString2="PUSSY.TXT") returned -1 [0108.079] PathFindExtensionW (pszPath="MpSfc.bin") returned=".bin" [0108.079] lstrlenW (lpString=".bin") returned 4 [0108.079] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0108.079] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\cachemanager\\mpsfc.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0108.079] FindNextFileW (in: hFindFile=0x3bf11b8, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcfc0a7e0, ftCreationTime.dwHighDateTime=0x1d2faf9, ftLastAccessTime.dwLowDateTime=0xcfc0a7e0, ftLastAccessTime.dwHighDateTime=0x1d2faf9, ftLastWriteTime.dwLowDateTime=0xcfc30940, ftLastWriteTime.dwHighDateTime=0x1d2faf9, nFileSizeHigh=0x0, nFileSizeLow=0x33b60, dwReserved0=0x4e06f8, dwReserved1=0xc0100080, cFileName="MpSfc.bin", cAlternateFileName="")) returned 0 [0108.079] FindClose (in: hFindFile=0x3bf11b8 | out: hFindFile=0x3bf11b8) returned 1 [0108.080] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\PUSSY.TXT") returned 82 [0108.080] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\cachemanager\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0108.082] lstrlenA (lpString="abcd") returned 4 [0108.082] WriteFile (in: hFile=0x16c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0108.083] CloseHandle (hObject=0x16c) returned 1 [0108.083] GetProcessHeap () returned 0x4c0000 [0108.083] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0108.083] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0xa13d69d0, ftLastAccessTime.dwHighDateTime=0x1d2dda3, ftLastWriteTime.dwLowDateTime=0xa13d69d0, ftLastWriteTime.dwHighDateTime=0x1d2dda3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="Results", cAlternateFileName="")) returned 1 [0108.083] lstrcmpiW (lpString1="Results", lpString2="Windows") returned -1 [0108.083] lstrcmpiW (lpString1="Results", lpString2="Program Files") returned 1 [0108.083] lstrcmpiW (lpString1="Results", lpString2="Program Files (x86)") returned 1 [0108.083] lstrcmpiW (lpString1="Results", lpString2="$Recycle.bin") returned 1 [0108.084] lstrcmpiW (lpString1="Results", lpString2="System Volume Information") returned -1 [0108.084] lstrcmpiW (lpString1="Results", lpString2=".") returned 1 [0108.084] lstrcmpiW (lpString1="Results", lpString2="..") returned 1 [0108.084] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results") returned 67 [0108.084] GetProcessHeap () returned 0x4c0000 [0108.084] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0108.084] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results" [0108.084] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\*" [0108.084] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0xa13d69d0, ftLastAccessTime.dwHighDateTime=0x1d2dda3, ftLastWriteTime.dwLowDateTime=0xa13d69d0, ftLastWriteTime.dwHighDateTime=0x1d2dda3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bf11b8 [0108.084] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0108.084] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0108.084] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0108.084] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0108.084] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0108.084] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.084] FindNextFileW (in: hFindFile=0x3bf11b8, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0xa13d69d0, ftLastAccessTime.dwHighDateTime=0x1d2dda3, ftLastWriteTime.dwLowDateTime=0xa13d69d0, ftLastWriteTime.dwHighDateTime=0x1d2dda3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0108.084] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0108.084] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0108.084] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0108.085] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0108.085] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0108.085] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.085] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.085] FindNextFileW (in: hFindFile=0x3bf11b8, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa13d69d0, ftCreationTime.dwHighDateTime=0x1d2dda3, ftLastAccessTime.dwLowDateTime=0x80be8ad0, ftLastAccessTime.dwHighDateTime=0x1d33740, ftLastWriteTime.dwLowDateTime=0x80be8ad0, ftLastWriteTime.dwHighDateTime=0x1d33740, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xc0100080, cFileName="Resource", cAlternateFileName="")) returned 1 [0108.085] lstrcmpiW (lpString1="Resource", lpString2="Windows") returned -1 [0108.085] lstrcmpiW (lpString1="Resource", lpString2="Program Files") returned 1 [0108.085] lstrcmpiW (lpString1="Resource", lpString2="Program Files (x86)") returned 1 [0108.085] lstrcmpiW (lpString1="Resource", lpString2="$Recycle.bin") returned 1 [0108.085] lstrcmpiW (lpString1="Resource", lpString2="System Volume Information") returned -1 [0108.085] lstrcmpiW (lpString1="Resource", lpString2=".") returned 1 [0108.085] lstrcmpiW (lpString1="Resource", lpString2="..") returned 1 [0108.085] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource") returned 76 [0108.085] GetProcessHeap () returned 0x4c0000 [0108.085] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c00048 [0108.087] lstrcpyW (in: lpString1=0x3c00048, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource" [0108.087] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\*" [0108.087] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa13d69d0, ftCreationTime.dwHighDateTime=0x1d2dda3, ftLastAccessTime.dwLowDateTime=0x80be8ad0, ftLastAccessTime.dwHighDateTime=0x1d33740, ftLastWriteTime.dwLowDateTime=0x80be8ad0, ftLastWriteTime.dwHighDateTime=0x1d33740, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb80d8 [0108.087] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0108.087] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0108.087] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0108.087] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0108.087] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0108.087] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.087] FindNextFileW (in: hFindFile=0x3bb80d8, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa13d69d0, ftCreationTime.dwHighDateTime=0x1d2dda3, ftLastAccessTime.dwLowDateTime=0x80be8ad0, ftLastAccessTime.dwHighDateTime=0x1d33740, ftLastWriteTime.dwLowDateTime=0x80be8ad0, ftLastWriteTime.dwHighDateTime=0x1d33740, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0108.087] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0108.087] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0108.087] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0108.088] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0108.088] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0108.088] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.088] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.088] FindNextFileW (in: hFindFile=0x3bb80d8, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80be8ad0, ftCreationTime.dwHighDateTime=0x1d33740, ftLastAccessTime.dwLowDateTime=0x80be8ad0, ftLastAccessTime.dwHighDateTime=0x1d33740, ftLastWriteTime.dwLowDateTime=0x81085570, ftLastWriteTime.dwHighDateTime=0x1d33740, nFileSizeHigh=0x0, nFileSizeLow=0x1a60, dwReserved0=0x4e06f8, dwReserved1=0xc0100080, cFileName="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", cAlternateFileName="{1D1DB~1")) returned 1 [0108.088] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="Windows") returned -1 [0108.088] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="Program Files") returned -1 [0108.088] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="Program Files (x86)") returned -1 [0108.088] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="$Recycle.bin") returned 1 [0108.088] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="System Volume Information") returned -1 [0108.088] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2=".") returned 1 [0108.088] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="..") returned 1 [0108.088] wnsprintfW (in: pszDest=0x3c00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}") returned 115 [0108.088] lstrcmpW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="PUSSY.TXT") returned -1 [0108.088] PathFindExtensionW (pszPath="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}") returned="" [0108.088] lstrlenW (lpString="") returned 0 [0108.088] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0108.088] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\results\\resource\\{1d1dbf3a-752f-47e2-be70-d848d4a9afb0}"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x114 [0108.089] GetFileSizeEx (in: hFile=0x114, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=6752) returned 1 [0108.089] GetProcessHeap () returned 0x4c0000 [0108.089] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c10050 [0108.098] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="C7") returned 2 [0108.098] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="5D") returned 2 [0108.098] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="A4") returned 2 [0108.098] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="B1") returned 2 [0108.098] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="1A") returned 2 [0108.098] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="DC") returned 2 [0108.098] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="76") returned 2 [0108.098] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="52") returned 2 [0108.098] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="5E") returned 2 [0108.098] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="E6") returned 2 [0108.098] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="82") returned 2 [0108.098] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="32") returned 2 [0108.098] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="8F") returned 2 [0108.098] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="EC") returned 2 [0108.098] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="05") returned 2 [0108.098] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="8E") returned 2 [0108.098] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="1D") returned 2 [0108.098] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="8C") returned 2 [0108.098] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="54") returned 2 [0108.098] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="D7") returned 2 [0108.098] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="7E") returned 2 [0108.098] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="6B") returned 2 [0108.098] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="02") returned 2 [0108.098] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="D6") returned 2 [0108.099] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="D7") returned 2 [0108.099] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="E7") returned 2 [0108.099] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="77") returned 2 [0108.099] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="4A") returned 2 [0108.099] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="09") returned 2 [0108.099] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="9C") returned 2 [0108.099] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="30") returned 2 [0108.099] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="47") returned 2 [0108.107] lstrcpyW (in: lpString1=0x3c20084, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}" [0108.107] lstrcpyW (in: lpString1=0x3c10084, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}" [0108.107] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2=".C75DA4B11ADC76525EE682328FEC058E1D8C54D77E6B02D6D7E7774A099C3047" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}.C75DA4B11ADC76525EE682328FEC058E1D8C54D77E6B02D6D7E7774A099C3047") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}.C75DA4B11ADC76525EE682328FEC058E1D8C54D77E6B02D6D7E7774A099C3047" [0108.107] CreateIoCompletionPort (FileHandle=0x114, ExistingCompletionPort=0x94, CompletionKey=0x3c10050, NumberOfConcurrentThreads=0x0) returned 0x94 [0108.107] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c10050, lpOverlapped=0x3c10050) returned 1 [0108.107] FindNextFileW (in: hFindFile=0x3bb80d8, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80be8ad0, ftCreationTime.dwHighDateTime=0x1d33740, ftLastAccessTime.dwLowDateTime=0x80be8ad0, ftLastAccessTime.dwHighDateTime=0x1d33740, ftLastWriteTime.dwLowDateTime=0x81085570, ftLastWriteTime.dwHighDateTime=0x1d33740, nFileSizeHigh=0x0, nFileSizeLow=0x1a60, dwReserved0=0x4e06f8, dwReserved1=0xc0100080, cFileName="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", cAlternateFileName="{1D1DB~1")) returned 0 [0108.107] FindClose (in: hFindFile=0x3bb80d8 | out: hFindFile=0x3bb80d8) returned 1 [0108.107] wnsprintfW (in: pszDest=0x3c00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\PUSSY.TXT") returned 86 [0108.107] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\results\\resource\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0108.108] lstrlenA (lpString="abcd") returned 4 [0108.108] WriteFile (in: hFile=0x174, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0108.109] CloseHandle (hObject=0x174) returned 1 [0108.109] GetProcessHeap () returned 0x4c0000 [0108.109] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0108.109] FindNextFileW (in: hFindFile=0x3bf11b8, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa13d69d0, ftCreationTime.dwHighDateTime=0x1d2dda3, ftLastAccessTime.dwLowDateTime=0x80be8ad0, ftLastAccessTime.dwHighDateTime=0x1d33740, ftLastWriteTime.dwLowDateTime=0x80be8ad0, ftLastWriteTime.dwHighDateTime=0x1d33740, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xc0100080, cFileName="Resource", cAlternateFileName="")) returned 0 [0108.109] FindClose (in: hFindFile=0x3bf11b8 | out: hFindFile=0x3bf11b8) returned 1 [0108.109] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\PUSSY.TXT") returned 77 [0108.109] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\results\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0108.109] lstrlenA (lpString="abcd") returned 4 [0108.109] WriteFile (in: hFile=0x16c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0108.110] CloseHandle (hObject=0x16c) returned 1 [0108.111] GetProcessHeap () returned 0x4c0000 [0108.111] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0108.111] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x769ce0c6, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0xb9820270, ftLastAccessTime.dwHighDateTime=0x1d2faf0, ftLastWriteTime.dwLowDateTime=0xb9820270, ftLastWriteTime.dwHighDateTime=0x1d2faf0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="Service", cAlternateFileName="")) returned 1 [0108.111] lstrcmpiW (lpString1="Service", lpString2="Windows") returned -1 [0108.111] lstrcmpiW (lpString1="Service", lpString2="Program Files") returned 1 [0108.111] lstrcmpiW (lpString1="Service", lpString2="Program Files (x86)") returned 1 [0108.111] lstrcmpiW (lpString1="Service", lpString2="$Recycle.bin") returned 1 [0108.111] lstrcmpiW (lpString1="Service", lpString2="System Volume Information") returned -1 [0108.111] lstrcmpiW (lpString1="Service", lpString2=".") returned 1 [0108.111] lstrcmpiW (lpString1="Service", lpString2="..") returned 1 [0108.111] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service") returned 67 [0108.111] GetProcessHeap () returned 0x4c0000 [0108.111] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c00048 [0108.111] lstrcpyW (in: lpString1=0x3c00048, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service" [0108.111] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*" [0108.111] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x769ce0c6, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0xb9820270, ftLastAccessTime.dwHighDateTime=0x1d2faf0, ftLastWriteTime.dwLowDateTime=0xb9820270, ftLastWriteTime.dwHighDateTime=0x1d2faf0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bf11b8 [0108.111] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0108.111] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0108.111] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0108.111] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0108.111] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0108.111] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.112] FindNextFileW (in: hFindFile=0x3bf11b8, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x769ce0c6, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0xb9820270, ftLastAccessTime.dwHighDateTime=0x1d2faf0, ftLastWriteTime.dwLowDateTime=0xb9820270, ftLastWriteTime.dwHighDateTime=0x1d2faf0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0108.112] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0108.112] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0108.112] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0108.112] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0108.112] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0108.112] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.112] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.112] FindNextFileW (in: hFindFile=0x3bf11b8, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb9820270, ftCreationTime.dwHighDateTime=0x1d2faf0, ftLastAccessTime.dwLowDateTime=0xb9820270, ftLastAccessTime.dwHighDateTime=0x1d2faf0, ftLastWriteTime.dwLowDateTime=0x7de6c9b0, ftLastWriteTime.dwHighDateTime=0x1d3373d, nFileSizeHigh=0x0, nFileSizeLow=0x2, dwReserved0=0x4e06f8, dwReserved1=0xc0100080, cFileName="History.Log", cAlternateFileName="")) returned 1 [0108.112] lstrcmpiW (lpString1="History.Log", lpString2="Windows") returned -1 [0108.112] lstrcmpiW (lpString1="History.Log", lpString2="Program Files") returned -1 [0108.112] lstrcmpiW (lpString1="History.Log", lpString2="Program Files (x86)") returned -1 [0108.112] lstrcmpiW (lpString1="History.Log", lpString2="$Recycle.bin") returned 1 [0108.112] lstrcmpiW (lpString1="History.Log", lpString2="System Volume Information") returned -1 [0108.112] lstrcmpiW (lpString1="History.Log", lpString2=".") returned 1 [0108.112] lstrcmpiW (lpString1="History.Log", lpString2="..") returned 1 [0108.112] wnsprintfW (in: pszDest=0x3c00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\History.Log") returned 79 [0108.112] lstrcmpW (lpString1="History.Log", lpString2="PUSSY.TXT") returned -1 [0108.112] PathFindExtensionW (pszPath="History.Log") returned=".Log" [0108.112] lstrlenW (lpString=".Log") returned 4 [0108.112] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0108.112] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\History.Log" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\service\\history.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x174 [0108.120] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=2) returned 1 [0108.120] CloseHandle (hObject=0x174) returned 1 [0108.120] FindNextFileW (in: hFindFile=0x3bf11b8, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xadeed740, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0xadeed740, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x2d1f02a0, ftLastWriteTime.dwHighDateTime=0x1d4d597, nFileSizeHigh=0x0, nFileSizeLow=0x1a86, dwReserved0=0x4e06f8, dwReserved1=0xc0100080, cFileName="Unknown.Log", cAlternateFileName="")) returned 1 [0108.120] lstrcmpiW (lpString1="Unknown.Log", lpString2="Windows") returned -1 [0108.120] lstrcmpiW (lpString1="Unknown.Log", lpString2="Program Files") returned 1 [0108.120] lstrcmpiW (lpString1="Unknown.Log", lpString2="Program Files (x86)") returned 1 [0108.120] lstrcmpiW (lpString1="Unknown.Log", lpString2="$Recycle.bin") returned 1 [0108.120] lstrcmpiW (lpString1="Unknown.Log", lpString2="System Volume Information") returned 1 [0108.120] lstrcmpiW (lpString1="Unknown.Log", lpString2=".") returned 1 [0108.120] lstrcmpiW (lpString1="Unknown.Log", lpString2="..") returned 1 [0108.120] wnsprintfW (in: pszDest=0x3c00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Unknown.Log") returned 79 [0108.120] lstrcmpW (lpString1="Unknown.Log", lpString2="PUSSY.TXT") returned 1 [0108.120] PathFindExtensionW (pszPath="Unknown.Log") returned=".Log" [0108.120] lstrlenW (lpString=".Log") returned 4 [0108.120] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0108.121] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Unknown.Log" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\service\\unknown.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x174 [0108.121] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=6790) returned 1 [0108.121] GetProcessHeap () returned 0x4c0000 [0108.121] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c380a0 [0108.133] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="B3") returned 2 [0108.133] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="AB") returned 2 [0108.133] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="65") returned 2 [0108.133] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="07") returned 2 [0108.133] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="8A") returned 2 [0108.133] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="21") returned 2 [0108.133] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="68") returned 2 [0108.133] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="43") returned 2 [0108.133] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="F5") returned 2 [0108.133] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="DF") returned 2 [0108.133] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="0D") returned 2 [0108.133] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="5B") returned 2 [0108.133] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="DB") returned 2 [0108.133] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="C0") returned 2 [0108.133] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="B8") returned 2 [0108.134] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="3C") returned 2 [0108.134] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="54") returned 2 [0108.134] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="6A") returned 2 [0108.134] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="61") returned 2 [0108.134] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="FF") returned 2 [0108.134] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="A0") returned 2 [0108.134] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="9F") returned 2 [0108.134] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="77") returned 2 [0108.134] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="E9") returned 2 [0108.134] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="90") returned 2 [0108.134] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="8D") returned 2 [0108.134] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="A6") returned 2 [0108.134] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="25") returned 2 [0108.134] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="04") returned 2 [0108.134] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="B7") returned 2 [0108.134] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="B4") returned 2 [0108.134] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="0B") returned 2 [0108.143] lstrcpyW (in: lpString1=0x3c480d4, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Unknown.Log" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Unknown.Log") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Unknown.Log" [0108.143] lstrcpyW (in: lpString1=0x3c380d4, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Unknown.Log" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Unknown.Log") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Unknown.Log" [0108.143] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Unknown.Log", lpString2=".B3AB65078A216843F5DF0D5BDBC0B83C546A61FFA09F77E9908DA62504B7B40B" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Unknown.Log.B3AB65078A216843F5DF0D5BDBC0B83C546A61FFA09F77E9908DA62504B7B40B") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Unknown.Log.B3AB65078A216843F5DF0D5BDBC0B83C546A61FFA09F77E9908DA62504B7B40B" [0108.143] CreateIoCompletionPort (FileHandle=0x174, ExistingCompletionPort=0x94, CompletionKey=0x3c380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0108.143] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c380a0, lpOverlapped=0x3c380a0) returned 1 [0108.144] FindNextFileW (in: hFindFile=0x3bf11b8, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xadeed740, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0xadeed740, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x2d1f02a0, ftLastWriteTime.dwHighDateTime=0x1d4d597, nFileSizeHigh=0x0, nFileSizeLow=0x1a86, dwReserved0=0x4e06f8, dwReserved1=0xc0100080, cFileName="Unknown.Log", cAlternateFileName="")) returned 0 [0108.144] FindClose (in: hFindFile=0x3bf11b8 | out: hFindFile=0x3bf11b8) returned 1 [0108.151] wnsprintfW (in: pszDest=0x3c00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\PUSSY.TXT") returned 77 [0108.151] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\service\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0108.153] lstrlenA (lpString="abcd") returned 4 [0108.153] WriteFile (in: hFile=0x174, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0108.154] CloseHandle (hObject=0x174) returned 1 [0108.154] GetProcessHeap () returned 0x4c0000 [0108.154] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0108.154] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x244fb42, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x244fb42, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="Store", cAlternateFileName="")) returned 1 [0108.154] lstrcmpiW (lpString1="Store", lpString2="Windows") returned -1 [0108.154] lstrcmpiW (lpString1="Store", lpString2="Program Files") returned 1 [0108.154] lstrcmpiW (lpString1="Store", lpString2="Program Files (x86)") returned 1 [0108.154] lstrcmpiW (lpString1="Store", lpString2="$Recycle.bin") returned 1 [0108.154] lstrcmpiW (lpString1="Store", lpString2="System Volume Information") returned -1 [0108.154] lstrcmpiW (lpString1="Store", lpString2=".") returned 1 [0108.154] lstrcmpiW (lpString1="Store", lpString2="..") returned 1 [0108.154] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store") returned 65 [0108.154] GetProcessHeap () returned 0x4c0000 [0108.154] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0108.154] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store" [0108.155] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store\\*" [0108.155] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x244fb42, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x244fb42, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bf11b8 [0108.155] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0108.155] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0108.155] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0108.155] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0108.155] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0108.155] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.155] FindNextFileW (in: hFindFile=0x3bf11b8, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x244fb42, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x244fb42, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0108.155] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0108.155] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0108.155] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0108.155] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0108.155] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0108.155] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.155] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.155] FindNextFileW (in: hFindFile=0x3bf11b8, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x244fb42, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x244fb42, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 0 [0108.155] FindClose (in: hFindFile=0x3bf11b8 | out: hFindFile=0x3bf11b8) returned 1 [0108.155] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store\\PUSSY.TXT") returned 75 [0108.155] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\store\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0108.157] lstrlenA (lpString="abcd") returned 4 [0108.157] WriteFile (in: hFile=0x174, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0108.157] CloseHandle (hObject=0x174) returned 1 [0108.158] GetProcessHeap () returned 0x4c0000 [0108.158] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0108.160] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x244fb42, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x244fb42, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="Store", cAlternateFileName="")) returned 0 [0108.160] FindClose (in: hFindFile=0x4dbf10 | out: hFindFile=0x4dbf10) returned 1 [0108.161] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\PUSSY.TXT") returned 69 [0108.161] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0108.165] lstrlenA (lpString="abcd") returned 4 [0108.165] WriteFile (in: hFile=0x1a4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0108.166] CloseHandle (hObject=0x1a4) returned 1 [0108.166] GetProcessHeap () returned 0x4c0000 [0108.166] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0108.167] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7690f9e4, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x244fb42, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x244fb42, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="History", cAlternateFileName="")) returned 0 [0108.167] FindClose (in: hFindFile=0x4e29a0 | out: hFindFile=0x4e29a0) returned 1 [0108.167] wnsprintfW (in: pszDest=0x52aad8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\PUSSY.TXT") returned 61 [0108.167] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0108.167] lstrlenA (lpString="abcd") returned 4 [0108.167] WriteFile (in: hFile=0x19c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0108.168] CloseHandle (hObject=0x19c) returned 1 [0108.168] GetProcessHeap () returned 0x4c0000 [0108.168] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52aad8 | out: hHeap=0x4c0000) returned 1 [0108.171] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x76792c22, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x76792c22, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Support", cAlternateFileName="")) returned 1 [0108.171] lstrcmpiW (lpString1="Support", lpString2="Windows") returned -1 [0108.171] lstrcmpiW (lpString1="Support", lpString2="Program Files") returned 1 [0108.171] lstrcmpiW (lpString1="Support", lpString2="Program Files (x86)") returned 1 [0108.171] lstrcmpiW (lpString1="Support", lpString2="$Recycle.bin") returned 1 [0108.171] lstrcmpiW (lpString1="Support", lpString2="System Volume Information") returned -1 [0108.171] lstrcmpiW (lpString1="Support", lpString2=".") returned 1 [0108.171] lstrcmpiW (lpString1="Support", lpString2="..") returned 1 [0108.172] wnsprintfW (in: pszDest=0x562b30, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support") returned 53 [0108.172] GetProcessHeap () returned 0x4c0000 [0108.172] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x52aad8 [0108.173] lstrcpyW (in: lpString1=0x52aad8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support" [0108.173] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\*" [0108.173] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x76792c22, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x76792c22, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e29a0 [0108.173] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0108.173] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0108.173] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0108.173] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0108.173] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0108.173] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.173] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x76792c22, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x76792c22, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0108.173] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0108.173] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0108.173] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0108.173] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0108.173] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0108.173] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.173] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.173] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x76792c22, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x76792c22, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x798d48a0, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x30ada, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="MPLog-07132009-221054.log", cAlternateFileName="MPLOG-~1.LOG")) returned 1 [0108.173] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="Windows") returned -1 [0108.173] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="Program Files") returned -1 [0108.173] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="Program Files (x86)") returned -1 [0108.173] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="$Recycle.bin") returned 1 [0108.174] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="System Volume Information") returned -1 [0108.174] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2=".") returned 1 [0108.174] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="..") returned 1 [0108.174] wnsprintfW (in: pszDest=0x52aad8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-221054.log") returned 79 [0108.174] lstrcmpW (lpString1="MPLog-07132009-221054.log", lpString2="PUSSY.TXT") returned -1 [0108.174] PathFindExtensionW (pszPath="MPLog-07132009-221054.log") returned=".log" [0108.174] lstrlenW (lpString=".log") returned 4 [0108.174] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0108.174] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-221054.log" (normalized: "c:\\programdata\\microsoft\\windows defender\\support\\mplog-07132009-221054.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0108.174] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x76792c22, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x76792c22, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x798d48a0, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x30ada, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="MPLog-07132009-221054.log", cAlternateFileName="MPLOG-~1.LOG")) returned 0 [0108.174] FindClose (in: hFindFile=0x4e29a0 | out: hFindFile=0x4e29a0) returned 1 [0108.174] wnsprintfW (in: pszDest=0x52aad8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\PUSSY.TXT") returned 63 [0108.174] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\windows defender\\support\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0108.175] lstrlenA (lpString="abcd") returned 4 [0108.175] WriteFile (in: hFile=0x19c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0108.176] CloseHandle (hObject=0x19c) returned 1 [0108.176] GetProcessHeap () returned 0x4c0000 [0108.176] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52aad8 | out: hHeap=0x4c0000) returned 1 [0108.176] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x76792c22, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x76792c22, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Support", cAlternateFileName="")) returned 0 [0108.176] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0108.176] wnsprintfW (in: pszDest=0x562b30, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\PUSSY.TXT") returned 55 [0108.176] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\windows defender\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0108.190] lstrlenA (lpString="abcd") returned 4 [0108.190] WriteFile (in: hFile=0x178, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0108.191] CloseHandle (hObject=0x178) returned 1 [0108.191] GetProcessHeap () returned 0x4c0000 [0108.191] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x562b30 | out: hHeap=0x4c0000) returned 1 [0108.192] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="Windows NT", cAlternateFileName="WINDOW~2")) returned 1 [0108.192] lstrcmpiW (lpString1="Windows NT", lpString2="Windows") returned 1 [0108.192] lstrcmpiW (lpString1="Windows NT", lpString2="Program Files") returned 1 [0108.192] lstrcmpiW (lpString1="Windows NT", lpString2="Program Files (x86)") returned 1 [0108.192] lstrcmpiW (lpString1="Windows NT", lpString2="$Recycle.bin") returned 1 [0108.192] lstrcmpiW (lpString1="Windows NT", lpString2="System Volume Information") returned 1 [0108.192] lstrcmpiW (lpString1="Windows NT", lpString2=".") returned 1 [0108.192] lstrcmpiW (lpString1="Windows NT", lpString2="..") returned 1 [0108.192] wnsprintfW (in: pszDest=0x3bb8158, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT") returned 39 [0108.192] GetProcessHeap () returned 0x4c0000 [0108.192] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0108.193] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT" [0108.193] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\*" [0108.193] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0108.194] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0108.194] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0108.194] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0108.194] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0108.194] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0108.194] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.194] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0108.194] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0108.194] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0108.194] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0108.194] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0108.194] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0108.194] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.194] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.194] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="MSFax", cAlternateFileName="")) returned 1 [0108.194] lstrcmpiW (lpString1="MSFax", lpString2="Windows") returned -1 [0108.194] lstrcmpiW (lpString1="MSFax", lpString2="Program Files") returned -1 [0108.194] lstrcmpiW (lpString1="MSFax", lpString2="Program Files (x86)") returned -1 [0108.194] lstrcmpiW (lpString1="MSFax", lpString2="$Recycle.bin") returned 1 [0108.194] lstrcmpiW (lpString1="MSFax", lpString2="System Volume Information") returned -1 [0108.194] lstrcmpiW (lpString1="MSFax", lpString2=".") returned 1 [0108.194] lstrcmpiW (lpString1="MSFax", lpString2="..") returned 1 [0108.195] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax") returned 45 [0108.195] GetProcessHeap () returned 0x4c0000 [0108.195] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0108.195] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax" [0108.195] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\*" [0108.195] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e29a0 [0108.201] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0108.201] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0108.201] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0108.201] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0108.201] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0108.201] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.201] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0108.201] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0108.201] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0108.201] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0108.201] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0108.201] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0108.201] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.201] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.201] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="ActivityLog", cAlternateFileName="ACTIVI~1")) returned 1 [0108.201] lstrcmpiW (lpString1="ActivityLog", lpString2="Windows") returned -1 [0108.201] lstrcmpiW (lpString1="ActivityLog", lpString2="Program Files") returned -1 [0108.202] lstrcmpiW (lpString1="ActivityLog", lpString2="Program Files (x86)") returned -1 [0108.202] lstrcmpiW (lpString1="ActivityLog", lpString2="$Recycle.bin") returned 1 [0108.202] lstrcmpiW (lpString1="ActivityLog", lpString2="System Volume Information") returned -1 [0108.202] lstrcmpiW (lpString1="ActivityLog", lpString2=".") returned 1 [0108.202] lstrcmpiW (lpString1="ActivityLog", lpString2="..") returned 1 [0108.202] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog") returned 57 [0108.202] GetProcessHeap () returned 0x4c0000 [0108.202] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc8160 [0108.202] lstrcpyW (in: lpString1=0x3bc8160, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog" [0108.202] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\*" [0108.202] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4dbf10 [0108.202] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0108.202] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0108.202] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0108.202] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0108.202] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0108.202] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.202] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0108.203] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0108.203] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0108.203] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0108.203] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0108.203] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0108.203] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.203] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.203] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 0 [0108.203] FindClose (in: hFindFile=0x4dbf10 | out: hFindFile=0x4dbf10) returned 1 [0108.203] wnsprintfW (in: pszDest=0x3bc8160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\PUSSY.TXT") returned 67 [0108.203] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\activitylog\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0108.204] lstrlenA (lpString="abcd") returned 4 [0108.204] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0108.205] CloseHandle (hObject=0x184) returned 1 [0108.205] GetProcessHeap () returned 0x4c0000 [0108.205] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc8160 | out: hHeap=0x4c0000) returned 1 [0108.205] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="Common Coverpages", cAlternateFileName="COMMON~1")) returned 1 [0108.205] lstrcmpiW (lpString1="Common Coverpages", lpString2="Windows") returned -1 [0108.205] lstrcmpiW (lpString1="Common Coverpages", lpString2="Program Files") returned -1 [0108.205] lstrcmpiW (lpString1="Common Coverpages", lpString2="Program Files (x86)") returned -1 [0108.205] lstrcmpiW (lpString1="Common Coverpages", lpString2="$Recycle.bin") returned 1 [0108.205] lstrcmpiW (lpString1="Common Coverpages", lpString2="System Volume Information") returned -1 [0108.205] lstrcmpiW (lpString1="Common Coverpages", lpString2=".") returned 1 [0108.205] lstrcmpiW (lpString1="Common Coverpages", lpString2="..") returned 1 [0108.205] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages") returned 63 [0108.205] GetProcessHeap () returned 0x4c0000 [0108.205] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc8160 [0108.205] lstrcpyW (in: lpString1=0x3bc8160, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages" [0108.205] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*" [0108.205] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4dbf10 [0108.206] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0108.206] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0108.206] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0108.206] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0108.206] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0108.206] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.206] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0108.206] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0108.206] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0108.206] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0108.206] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0108.206] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0108.206] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.206] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.206] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x21cf2d38, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="en-US", cAlternateFileName="")) returned 1 [0108.206] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0108.206] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0108.206] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0108.206] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0108.206] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0108.206] lstrcmpiW (lpString1="en-US", lpString2=".") returned 1 [0108.206] lstrcmpiW (lpString1="en-US", lpString2="..") returned 1 [0108.206] wnsprintfW (in: pszDest=0x3bc8160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US") returned 69 [0108.206] GetProcessHeap () returned 0x4c0000 [0108.206] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bd8168 [0108.206] lstrcpyW (in: lpString1=0x3bd8168, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US" [0108.207] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\*" [0108.207] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x21cf2d38, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb80d8 [0108.207] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0108.207] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0108.207] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0108.207] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0108.207] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0108.207] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.207] FindNextFileW (in: hFindFile=0x3bb80d8, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x21cf2d38, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0108.207] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0108.207] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0108.207] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0108.207] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0108.207] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0108.207] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.207] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.207] FindNextFileW (in: hFindFile=0x3bb80d8, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe3998d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfe3998d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x28aa, dwReserved0=0x4e06f8, dwReserved1=0xc0100080, cFileName="confident.cov", cAlternateFileName="")) returned 1 [0108.207] lstrcmpiW (lpString1="confident.cov", lpString2="Windows") returned -1 [0108.207] lstrcmpiW (lpString1="confident.cov", lpString2="Program Files") returned -1 [0108.207] lstrcmpiW (lpString1="confident.cov", lpString2="Program Files (x86)") returned -1 [0108.207] lstrcmpiW (lpString1="confident.cov", lpString2="$Recycle.bin") returned 1 [0108.207] lstrcmpiW (lpString1="confident.cov", lpString2="System Volume Information") returned -1 [0108.207] lstrcmpiW (lpString1="confident.cov", lpString2=".") returned 1 [0108.207] lstrcmpiW (lpString1="confident.cov", lpString2="..") returned 1 [0108.207] wnsprintfW (in: pszDest=0x3bd8168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\confident.cov") returned 83 [0108.207] lstrcmpW (lpString1="confident.cov", lpString2="PUSSY.TXT") returned -1 [0108.208] PathFindExtensionW (pszPath="confident.cov") returned=".cov" [0108.208] lstrlenW (lpString=".cov") returned 4 [0108.208] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0108.208] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\confident.cov" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\confident.cov"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0108.208] FindNextFileW (in: hFindFile=0x3bb80d8, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe3998d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfe3998d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2a09, dwReserved0=0x4e06f8, dwReserved1=0xc0100080, cFileName="fyi.cov", cAlternateFileName="")) returned 1 [0108.208] lstrcmpiW (lpString1="fyi.cov", lpString2="Windows") returned -1 [0108.208] lstrcmpiW (lpString1="fyi.cov", lpString2="Program Files") returned -1 [0108.208] lstrcmpiW (lpString1="fyi.cov", lpString2="Program Files (x86)") returned -1 [0108.209] lstrcmpiW (lpString1="fyi.cov", lpString2="$Recycle.bin") returned 1 [0108.209] lstrcmpiW (lpString1="fyi.cov", lpString2="System Volume Information") returned -1 [0108.209] lstrcmpiW (lpString1="fyi.cov", lpString2=".") returned 1 [0108.209] lstrcmpiW (lpString1="fyi.cov", lpString2="..") returned 1 [0108.209] wnsprintfW (in: pszDest=0x3bd8168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\fyi.cov") returned 77 [0108.209] lstrcmpW (lpString1="fyi.cov", lpString2="PUSSY.TXT") returned -1 [0108.209] PathFindExtensionW (pszPath="fyi.cov") returned=".cov" [0108.209] lstrlenW (lpString=".cov") returned 4 [0108.209] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0108.209] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\fyi.cov" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\fyi.cov"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0108.209] FindNextFileW (in: hFindFile=0x3bb80d8, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe3998d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfe3998d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x3aa0, dwReserved0=0x4e06f8, dwReserved1=0xc0100080, cFileName="generic.cov", cAlternateFileName="")) returned 1 [0108.209] lstrcmpiW (lpString1="generic.cov", lpString2="Windows") returned -1 [0108.209] lstrcmpiW (lpString1="generic.cov", lpString2="Program Files") returned -1 [0108.209] lstrcmpiW (lpString1="generic.cov", lpString2="Program Files (x86)") returned -1 [0108.209] lstrcmpiW (lpString1="generic.cov", lpString2="$Recycle.bin") returned 1 [0108.209] lstrcmpiW (lpString1="generic.cov", lpString2="System Volume Information") returned -1 [0108.209] lstrcmpiW (lpString1="generic.cov", lpString2=".") returned 1 [0108.209] lstrcmpiW (lpString1="generic.cov", lpString2="..") returned 1 [0108.209] wnsprintfW (in: pszDest=0x3bd8168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\generic.cov") returned 81 [0108.209] lstrcmpW (lpString1="generic.cov", lpString2="PUSSY.TXT") returned -1 [0108.209] PathFindExtensionW (pszPath="generic.cov") returned=".cov" [0108.209] lstrlenW (lpString=".cov") returned 4 [0108.209] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0108.209] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\generic.cov" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\generic.cov"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0108.210] FindNextFileW (in: hFindFile=0x3bb80d8, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe3998d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfe3998d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2886, dwReserved0=0x4e06f8, dwReserved1=0xc0100080, cFileName="urgent.cov", cAlternateFileName="")) returned 1 [0108.210] lstrcmpiW (lpString1="urgent.cov", lpString2="Windows") returned -1 [0108.210] lstrcmpiW (lpString1="urgent.cov", lpString2="Program Files") returned 1 [0108.210] lstrcmpiW (lpString1="urgent.cov", lpString2="Program Files (x86)") returned 1 [0108.210] lstrcmpiW (lpString1="urgent.cov", lpString2="$Recycle.bin") returned 1 [0108.210] lstrcmpiW (lpString1="urgent.cov", lpString2="System Volume Information") returned 1 [0108.210] lstrcmpiW (lpString1="urgent.cov", lpString2=".") returned 1 [0108.210] lstrcmpiW (lpString1="urgent.cov", lpString2="..") returned 1 [0108.210] wnsprintfW (in: pszDest=0x3bd8168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\urgent.cov") returned 80 [0108.210] lstrcmpW (lpString1="urgent.cov", lpString2="PUSSY.TXT") returned 1 [0108.210] PathFindExtensionW (pszPath="urgent.cov") returned=".cov" [0108.210] lstrlenW (lpString=".cov") returned 4 [0108.210] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0108.210] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\urgent.cov" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\urgent.cov"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0108.210] FindNextFileW (in: hFindFile=0x3bb80d8, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe3998d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfe3998d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2886, dwReserved0=0x4e06f8, dwReserved1=0xc0100080, cFileName="urgent.cov", cAlternateFileName="")) returned 0 [0108.210] FindClose (in: hFindFile=0x3bb80d8 | out: hFindFile=0x3bb80d8) returned 1 [0108.210] wnsprintfW (in: pszDest=0x3bd8168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\PUSSY.TXT") returned 79 [0108.210] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0108.211] lstrlenA (lpString="abcd") returned 4 [0108.211] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0108.212] CloseHandle (hObject=0x18c) returned 1 [0108.212] GetProcessHeap () returned 0x4c0000 [0108.212] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bd8168 | out: hHeap=0x4c0000) returned 1 [0108.215] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x21cf2d38, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="en-US", cAlternateFileName="")) returned 0 [0108.215] FindClose (in: hFindFile=0x4dbf10 | out: hFindFile=0x4dbf10) returned 1 [0108.215] wnsprintfW (in: pszDest=0x3bc8160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\PUSSY.TXT") returned 73 [0108.216] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\common coverpages\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0108.216] lstrlenA (lpString="abcd") returned 4 [0108.216] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0108.217] CloseHandle (hObject=0x184) returned 1 [0108.217] GetProcessHeap () returned 0x4c0000 [0108.217] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc8160 | out: hHeap=0x4c0000) returned 1 [0108.217] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="Inbox", cAlternateFileName="")) returned 1 [0108.217] lstrcmpiW (lpString1="Inbox", lpString2="Windows") returned -1 [0108.218] lstrcmpiW (lpString1="Inbox", lpString2="Program Files") returned -1 [0108.218] lstrcmpiW (lpString1="Inbox", lpString2="Program Files (x86)") returned -1 [0108.218] lstrcmpiW (lpString1="Inbox", lpString2="$Recycle.bin") returned 1 [0108.218] lstrcmpiW (lpString1="Inbox", lpString2="System Volume Information") returned -1 [0108.218] lstrcmpiW (lpString1="Inbox", lpString2=".") returned 1 [0108.218] lstrcmpiW (lpString1="Inbox", lpString2="..") returned 1 [0108.218] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox") returned 51 [0108.218] GetProcessHeap () returned 0x4c0000 [0108.218] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc8160 [0108.218] lstrcpyW (in: lpString1=0x3bc8160, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox" [0108.218] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox\\*" [0108.218] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4dbf10 [0108.219] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0108.219] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0108.219] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0108.219] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0108.219] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0108.219] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.219] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0108.219] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0108.219] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0108.219] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0108.219] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0108.219] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0108.219] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.219] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.219] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 0 [0108.219] FindClose (in: hFindFile=0x4dbf10 | out: hFindFile=0x4dbf10) returned 1 [0108.219] wnsprintfW (in: pszDest=0x3bc8160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox\\PUSSY.TXT") returned 61 [0108.219] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\inbox\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0108.220] lstrlenA (lpString="abcd") returned 4 [0108.221] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0108.221] CloseHandle (hObject=0x184) returned 1 [0108.221] GetProcessHeap () returned 0x4c0000 [0108.221] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc8160 | out: hHeap=0x4c0000) returned 1 [0108.221] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="Queue", cAlternateFileName="")) returned 1 [0108.222] lstrcmpiW (lpString1="Queue", lpString2="Windows") returned -1 [0108.222] lstrcmpiW (lpString1="Queue", lpString2="Program Files") returned 1 [0108.222] lstrcmpiW (lpString1="Queue", lpString2="Program Files (x86)") returned 1 [0108.222] lstrcmpiW (lpString1="Queue", lpString2="$Recycle.bin") returned 1 [0108.222] lstrcmpiW (lpString1="Queue", lpString2="System Volume Information") returned -1 [0108.222] lstrcmpiW (lpString1="Queue", lpString2=".") returned 1 [0108.222] lstrcmpiW (lpString1="Queue", lpString2="..") returned 1 [0108.222] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue") returned 51 [0108.222] GetProcessHeap () returned 0x4c0000 [0108.222] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc8160 [0108.222] lstrcpyW (in: lpString1=0x3bc8160, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue" [0108.222] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue\\*" [0108.222] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4dbf10 [0108.222] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0108.222] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0108.222] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0108.222] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0108.222] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0108.222] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.222] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0108.222] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0108.222] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0108.222] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0108.223] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0108.223] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0108.223] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.223] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.223] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 0 [0108.223] FindClose (in: hFindFile=0x4dbf10 | out: hFindFile=0x4dbf10) returned 1 [0108.223] wnsprintfW (in: pszDest=0x3bc8160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue\\PUSSY.TXT") returned 61 [0108.223] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\queue\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0108.223] lstrlenA (lpString="abcd") returned 4 [0108.223] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0108.224] CloseHandle (hObject=0x184) returned 1 [0108.224] GetProcessHeap () returned 0x4c0000 [0108.224] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc8160 | out: hHeap=0x4c0000) returned 1 [0108.224] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="SentItems", cAlternateFileName="SENTIT~1")) returned 1 [0108.224] lstrcmpiW (lpString1="SentItems", lpString2="Windows") returned -1 [0108.224] lstrcmpiW (lpString1="SentItems", lpString2="Program Files") returned 1 [0108.224] lstrcmpiW (lpString1="SentItems", lpString2="Program Files (x86)") returned 1 [0108.224] lstrcmpiW (lpString1="SentItems", lpString2="$Recycle.bin") returned 1 [0108.224] lstrcmpiW (lpString1="SentItems", lpString2="System Volume Information") returned -1 [0108.224] lstrcmpiW (lpString1="SentItems", lpString2=".") returned 1 [0108.224] lstrcmpiW (lpString1="SentItems", lpString2="..") returned 1 [0108.224] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems") returned 55 [0108.224] GetProcessHeap () returned 0x4c0000 [0108.224] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc8160 [0108.224] lstrcpyW (in: lpString1=0x3bc8160, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems" [0108.225] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems\\*" [0108.225] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4dbf10 [0108.225] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0108.225] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0108.225] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0108.225] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0108.225] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0108.225] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.225] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0108.225] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0108.225] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0108.225] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0108.225] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0108.225] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0108.225] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.225] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.225] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 0 [0108.225] FindClose (in: hFindFile=0x4dbf10 | out: hFindFile=0x4dbf10) returned 1 [0108.225] wnsprintfW (in: pszDest=0x3bc8160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems\\PUSSY.TXT") returned 65 [0108.225] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\sentitems\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0108.226] lstrlenA (lpString="abcd") returned 4 [0108.226] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0108.227] CloseHandle (hObject=0x184) returned 1 [0108.227] GetProcessHeap () returned 0x4c0000 [0108.227] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc8160 | out: hHeap=0x4c0000) returned 1 [0108.227] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="VirtualInbox", cAlternateFileName="VIRTUA~1")) returned 1 [0108.227] lstrcmpiW (lpString1="VirtualInbox", lpString2="Windows") returned -1 [0108.227] lstrcmpiW (lpString1="VirtualInbox", lpString2="Program Files") returned 1 [0108.227] lstrcmpiW (lpString1="VirtualInbox", lpString2="Program Files (x86)") returned 1 [0108.227] lstrcmpiW (lpString1="VirtualInbox", lpString2="$Recycle.bin") returned 1 [0108.227] lstrcmpiW (lpString1="VirtualInbox", lpString2="System Volume Information") returned 1 [0108.227] lstrcmpiW (lpString1="VirtualInbox", lpString2=".") returned 1 [0108.227] lstrcmpiW (lpString1="VirtualInbox", lpString2="..") returned 1 [0108.227] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox") returned 58 [0108.227] GetProcessHeap () returned 0x4c0000 [0108.227] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc8160 [0108.227] lstrcpyW (in: lpString1=0x3bc8160, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox" [0108.227] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\*" [0108.227] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4dbf10 [0108.228] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0108.228] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0108.228] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0108.228] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0108.228] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0108.228] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.228] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0108.228] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0108.228] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0108.228] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0108.228] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0108.228] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0108.228] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.228] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.228] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x21cf2d38, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="en-US", cAlternateFileName="")) returned 1 [0108.228] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0108.228] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0108.228] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0108.228] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0108.228] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0108.228] lstrcmpiW (lpString1="en-US", lpString2=".") returned 1 [0108.228] lstrcmpiW (lpString1="en-US", lpString2="..") returned 1 [0108.228] wnsprintfW (in: pszDest=0x3bc8160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US") returned 64 [0108.228] GetProcessHeap () returned 0x4c0000 [0108.229] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bd8168 [0108.229] lstrcpyW (in: lpString1=0x3bd8168, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US" [0108.229] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\*" [0108.229] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x21cf2d38, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb80d8 [0108.230] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0108.230] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0108.230] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0108.230] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0108.230] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0108.230] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.230] FindNextFileW (in: hFindFile=0x3bb80d8, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x21cf2d38, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0108.230] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0108.230] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0108.230] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0108.230] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0108.230] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0108.230] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.230] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.231] FindNextFileW (in: hFindFile=0x3bb80d8, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe3998d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfe3998d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x15dbe, dwReserved0=0x4e06f8, dwReserved1=0xc0100080, cFileName="WelcomeFax.tif", cAlternateFileName="")) returned 1 [0108.231] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="Windows") returned -1 [0108.231] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="Program Files") returned 1 [0108.231] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="Program Files (x86)") returned 1 [0108.231] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="$Recycle.bin") returned 1 [0108.231] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="System Volume Information") returned 1 [0108.231] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2=".") returned 1 [0108.231] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="..") returned 1 [0108.231] wnsprintfW (in: pszDest=0x3bd8168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\WelcomeFax.tif") returned 79 [0108.231] lstrcmpW (lpString1="WelcomeFax.tif", lpString2="PUSSY.TXT") returned 1 [0108.231] PathFindExtensionW (pszPath="WelcomeFax.tif") returned=".tif" [0108.231] lstrlenW (lpString=".tif") returned 4 [0108.231] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0108.231] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\WelcomeFax.tif" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\virtualinbox\\en-us\\welcomefax.tif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0108.231] FindNextFileW (in: hFindFile=0x3bb80d8, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe3998d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfe3998d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x15dbe, dwReserved0=0x4e06f8, dwReserved1=0xc0100080, cFileName="WelcomeFax.tif", cAlternateFileName="")) returned 0 [0108.231] FindClose (in: hFindFile=0x3bb80d8 | out: hFindFile=0x3bb80d8) returned 1 [0108.231] wnsprintfW (in: pszDest=0x3bd8168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\PUSSY.TXT") returned 74 [0108.231] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\virtualinbox\\en-us\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0108.232] lstrlenA (lpString="abcd") returned 4 [0108.232] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0108.233] CloseHandle (hObject=0x18c) returned 1 [0108.233] GetProcessHeap () returned 0x4c0000 [0108.233] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bd8168 | out: hHeap=0x4c0000) returned 1 [0108.233] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x21cf2d38, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="en-US", cAlternateFileName="")) returned 0 [0108.233] FindClose (in: hFindFile=0x4dbf10 | out: hFindFile=0x4dbf10) returned 1 [0108.233] wnsprintfW (in: pszDest=0x3bc8160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\PUSSY.TXT") returned 68 [0108.233] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\virtualinbox\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0108.234] lstrlenA (lpString="abcd") returned 4 [0108.234] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0108.235] CloseHandle (hObject=0x184) returned 1 [0108.235] GetProcessHeap () returned 0x4c0000 [0108.235] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc8160 | out: hHeap=0x4c0000) returned 1 [0108.235] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="VirtualInbox", cAlternateFileName="VIRTUA~1")) returned 0 [0108.235] FindClose (in: hFindFile=0x4e29a0 | out: hFindFile=0x4e29a0) returned 1 [0108.235] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\PUSSY.TXT") returned 55 [0108.235] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0108.235] lstrlenA (lpString="abcd") returned 4 [0108.235] WriteFile (in: hFile=0x194, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0108.236] CloseHandle (hObject=0x194) returned 1 [0108.237] GetProcessHeap () returned 0x4c0000 [0108.237] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0108.237] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80340916, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="MSScan", cAlternateFileName="")) returned 1 [0108.237] lstrcmpiW (lpString1="MSScan", lpString2="Windows") returned -1 [0108.237] lstrcmpiW (lpString1="MSScan", lpString2="Program Files") returned -1 [0108.237] lstrcmpiW (lpString1="MSScan", lpString2="Program Files (x86)") returned -1 [0108.237] lstrcmpiW (lpString1="MSScan", lpString2="$Recycle.bin") returned 1 [0108.237] lstrcmpiW (lpString1="MSScan", lpString2="System Volume Information") returned -1 [0108.237] lstrcmpiW (lpString1="MSScan", lpString2=".") returned 1 [0108.237] lstrcmpiW (lpString1="MSScan", lpString2="..") returned 1 [0108.237] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan") returned 46 [0108.237] GetProcessHeap () returned 0x4c0000 [0108.237] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0108.237] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan" [0108.237] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\*" [0108.237] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80340916, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e29a0 [0108.238] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0108.238] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0108.238] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0108.238] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0108.238] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0108.238] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.238] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80340916, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0108.238] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0108.238] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0108.238] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0108.238] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0108.238] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0108.238] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.238] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.238] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea12c467, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0xea12c467, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0xea1525c5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x7e148, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="WelcomeScan.jpg", cAlternateFileName="")) returned 1 [0108.238] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="Windows") returned -1 [0108.238] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="Program Files") returned 1 [0108.238] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="Program Files (x86)") returned 1 [0108.238] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="$Recycle.bin") returned 1 [0108.238] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="System Volume Information") returned 1 [0108.238] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2=".") returned 1 [0108.238] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="..") returned 1 [0108.238] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg") returned 62 [0108.238] lstrcmpW (lpString1="WelcomeScan.jpg", lpString2="PUSSY.TXT") returned 1 [0108.238] PathFindExtensionW (pszPath="WelcomeScan.jpg") returned=".jpg" [0108.238] lstrlenW (lpString=".jpg") returned 4 [0108.238] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0108.238] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg" (normalized: "c:\\programdata\\microsoft\\windows nt\\msscan\\welcomescan.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0108.239] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea12c467, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0xea12c467, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0xea1525c5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x7e148, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="WelcomeScan.jpg", cAlternateFileName="")) returned 0 [0108.239] FindClose (in: hFindFile=0x4e29a0 | out: hFindFile=0x4e29a0) returned 1 [0108.239] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\PUSSY.TXT") returned 56 [0108.239] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\windows nt\\msscan\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0108.239] lstrlenA (lpString="abcd") returned 4 [0108.239] WriteFile (in: hFile=0x194, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0108.240] CloseHandle (hObject=0x194) returned 1 [0108.240] GetProcessHeap () returned 0x4c0000 [0108.240] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0108.240] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80340916, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="MSScan", cAlternateFileName="")) returned 0 [0108.240] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0108.240] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\PUSSY.TXT") returned 49 [0108.240] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\windows nt\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0108.241] lstrlenA (lpString="abcd") returned 4 [0108.241] WriteFile (in: hFile=0x178, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0108.241] CloseHandle (hObject=0x178) returned 1 [0108.241] GetProcessHeap () returned 0x4c0000 [0108.242] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0108.242] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="WwanSvc", cAlternateFileName="")) returned 1 [0108.242] lstrcmpiW (lpString1="WwanSvc", lpString2="Windows") returned 1 [0108.242] lstrcmpiW (lpString1="WwanSvc", lpString2="Program Files") returned 1 [0108.242] lstrcmpiW (lpString1="WwanSvc", lpString2="Program Files (x86)") returned 1 [0108.242] lstrcmpiW (lpString1="WwanSvc", lpString2="$Recycle.bin") returned 1 [0108.242] lstrcmpiW (lpString1="WwanSvc", lpString2="System Volume Information") returned 1 [0108.242] lstrcmpiW (lpString1="WwanSvc", lpString2=".") returned 1 [0108.242] lstrcmpiW (lpString1="WwanSvc", lpString2="..") returned 1 [0108.242] wnsprintfW (in: pszDest=0x3bb8158, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc") returned 36 [0108.242] GetProcessHeap () returned 0x4c0000 [0108.242] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0108.242] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc") returned="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc" [0108.242] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\*" [0108.242] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0108.242] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0108.242] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0108.242] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0108.242] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0108.242] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0108.243] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.243] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0108.243] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0108.243] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0108.243] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0108.243] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0108.243] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0108.243] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.243] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.243] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Profiles", cAlternateFileName="")) returned 1 [0108.243] lstrcmpiW (lpString1="Profiles", lpString2="Windows") returned -1 [0108.243] lstrcmpiW (lpString1="Profiles", lpString2="Program Files") returned -1 [0108.243] lstrcmpiW (lpString1="Profiles", lpString2="Program Files (x86)") returned -1 [0108.243] lstrcmpiW (lpString1="Profiles", lpString2="$Recycle.bin") returned 1 [0108.243] lstrcmpiW (lpString1="Profiles", lpString2="System Volume Information") returned -1 [0108.243] lstrcmpiW (lpString1="Profiles", lpString2=".") returned 1 [0108.243] lstrcmpiW (lpString1="Profiles", lpString2="..") returned 1 [0108.243] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles") returned 45 [0108.243] GetProcessHeap () returned 0x4c0000 [0108.243] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0108.243] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles") returned="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles" [0108.243] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\*" [0108.243] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e29a0 [0108.244] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0108.244] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0108.244] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0108.244] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0108.244] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0108.244] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.244] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0108.244] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0108.244] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0108.244] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0108.244] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0108.244] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0108.244] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.244] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.244] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 0 [0108.244] FindClose (in: hFindFile=0x4e29a0 | out: hFindFile=0x4e29a0) returned 1 [0108.244] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\PUSSY.TXT") returned 55 [0108.244] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\wwansvc\\profiles\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0108.244] GetProcessHeap () returned 0x4c0000 [0108.244] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0108.244] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2a18, dwReserved1=0xc0100080, cFileName="Profiles", cAlternateFileName="")) returned 0 [0108.244] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0108.244] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\PUSSY.TXT") returned 46 [0108.244] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\wwansvc\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0108.245] lstrlenA (lpString="abcd") returned 4 [0108.245] WriteFile (in: hFile=0x178, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0108.246] CloseHandle (hObject=0x178) returned 1 [0108.246] GetProcessHeap () returned 0x4c0000 [0108.246] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0108.246] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="WwanSvc", cAlternateFileName="")) returned 0 [0108.246] FindClose (in: hFindFile=0x4e2920 | out: hFindFile=0x4e2920) returned 1 [0108.247] wnsprintfW (in: pszDest=0x3bb8158, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\PUSSY.TXT") returned 38 [0108.247] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0108.247] lstrlenA (lpString="abcd") returned 4 [0108.247] WriteFile (in: hFile=0x180, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28e5ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28e5ec*=0x4, lpOverlapped=0x0) returned 1 [0108.248] CloseHandle (hObject=0x180) returned 1 [0108.248] GetProcessHeap () returned 0x4c0000 [0108.248] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bb8158 | out: hHeap=0x4c0000) returned 1 [0108.248] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe79db030, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xed25d0a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xed25d0a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Microsoft Help", cAlternateFileName="MICROS~2")) returned 1 [0108.248] lstrcmpiW (lpString1="Microsoft Help", lpString2="Windows") returned -1 [0108.248] lstrcmpiW (lpString1="Microsoft Help", lpString2="Program Files") returned -1 [0108.248] lstrcmpiW (lpString1="Microsoft Help", lpString2="Program Files (x86)") returned -1 [0108.248] lstrcmpiW (lpString1="Microsoft Help", lpString2="$Recycle.bin") returned 1 [0108.248] lstrcmpiW (lpString1="Microsoft Help", lpString2="System Volume Information") returned -1 [0108.248] lstrcmpiW (lpString1="Microsoft Help", lpString2=".") returned 1 [0108.248] lstrcmpiW (lpString1="Microsoft Help", lpString2="..") returned 1 [0108.248] wnsprintfW (in: pszDest=0x3b28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help") returned 33 [0108.248] GetProcessHeap () returned 0x4c0000 [0108.248] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0108.248] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\ProgramData\\Microsoft Help" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help") returned="\\\\?\\C:\\ProgramData\\Microsoft Help" [0108.249] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\*" [0108.249] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\*", lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe79db030, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xed25d0a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xed25d0a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e0698 [0108.251] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0108.251] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0108.251] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0108.251] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0108.251] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0108.251] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.251] FindNextFileW (in: hFindFile=0x4e0698, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe79db030, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xed25d0a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xed25d0a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0108.252] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0108.252] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0108.252] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0108.252] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0108.252] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0108.252] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.252] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.252] FindNextFileW (in: hFindFile=0x4e0698, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x896b9210, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x896b9210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe8b8c220, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x186, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="Hx.hxn", cAlternateFileName="")) returned 1 [0108.252] lstrcmpiW (lpString1="Hx.hxn", lpString2="Windows") returned -1 [0108.252] lstrcmpiW (lpString1="Hx.hxn", lpString2="Program Files") returned -1 [0108.252] lstrcmpiW (lpString1="Hx.hxn", lpString2="Program Files (x86)") returned -1 [0108.252] lstrcmpiW (lpString1="Hx.hxn", lpString2="$Recycle.bin") returned 1 [0108.252] lstrcmpiW (lpString1="Hx.hxn", lpString2="System Volume Information") returned -1 [0108.252] lstrcmpiW (lpString1="Hx.hxn", lpString2=".") returned 1 [0108.252] lstrcmpiW (lpString1="Hx.hxn", lpString2="..") returned 1 [0108.252] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\Hx.hxn") returned 40 [0108.252] lstrcmpW (lpString1="Hx.hxn", lpString2="PUSSY.TXT") returned -1 [0108.253] PathFindExtensionW (pszPath="Hx.hxn") returned=".hxn" [0108.253] lstrlenW (lpString=".hxn") returned 4 [0108.253] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0108.253] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\Hx.hxn" (normalized: "c:\\programdata\\microsoft help\\hx.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0108.253] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28e278 | out: lpFileSize=0x28e278*=390) returned 1 [0108.253] CloseHandle (hObject=0x194) returned 1 [0108.253] FindNextFileW (in: hFindFile=0x4e0698, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xfa72fc10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa72fc10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa7a2030, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="MS.EXCEL.14.1033.hxn", cAlternateFileName="MSEXCE~1.HXN")) returned 1 [0108.253] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="Windows") returned -1 [0108.253] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="Program Files") returned -1 [0108.253] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0108.253] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0108.253] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="System Volume Information") returned -1 [0108.253] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2=".") returned 1 [0108.253] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="..") returned 1 [0108.253] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn") returned 54 [0108.253] lstrcmpW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0108.253] PathFindExtensionW (pszPath="MS.EXCEL.14.1033.hxn") returned=".hxn" [0108.254] lstrlenW (lpString=".hxn") returned 4 [0108.254] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0108.254] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.excel.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0108.254] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28e278 | out: lpFileSize=0x28e278*=326) returned 1 [0108.254] CloseHandle (hObject=0x194) returned 1 [0108.254] FindNextFileW (in: hFindFile=0x4e0698, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xfa755d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa755d70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa7a2030, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x15e, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="MS.EXCEL.DEV.14.1033.hxn", cAlternateFileName="MSEXCE~2.HXN")) returned 1 [0108.255] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="Windows") returned -1 [0108.255] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="Program Files") returned -1 [0108.255] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0108.255] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0108.255] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="System Volume Information") returned -1 [0108.255] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2=".") returned 1 [0108.255] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="..") returned 1 [0108.255] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn") returned 58 [0108.255] lstrcmpW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0108.255] PathFindExtensionW (pszPath="MS.EXCEL.DEV.14.1033.hxn") returned=".hxn" [0108.255] lstrlenW (lpString=".hxn") returned 4 [0108.255] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0108.255] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.excel.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0108.255] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28e278 | out: lpFileSize=0x28e278*=350) returned 1 [0108.255] CloseHandle (hObject=0x194) returned 1 [0108.255] FindNextFileW (in: hFindFile=0x4e0698, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xef377f10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef377f10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef3ea330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="MS.GRAPH.14.1033.hxn", cAlternateFileName="MSGRAP~1.HXN")) returned 1 [0108.255] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="Windows") returned -1 [0108.255] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="Program Files") returned -1 [0108.255] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0108.255] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0108.255] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="System Volume Information") returned -1 [0108.255] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2=".") returned 1 [0108.256] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="..") returned 1 [0108.256] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn") returned 54 [0108.256] lstrcmpW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0108.256] PathFindExtensionW (pszPath="MS.GRAPH.14.1033.hxn") returned=".hxn" [0108.256] lstrlenW (lpString=".hxn") returned 4 [0108.256] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0108.256] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.graph.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0108.259] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28e278 | out: lpFileSize=0x28e278*=326) returned 1 [0108.259] CloseHandle (hObject=0x194) returned 1 [0108.259] FindNextFileW (in: hFindFile=0x4e0698, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xfd789af0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfd789af0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfd822070, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x14c, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="MS.GROOVE.14.1033.hxn", cAlternateFileName="MSGROO~1.HXN")) returned 1 [0108.259] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="Windows") returned -1 [0108.259] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="Program Files") returned -1 [0108.260] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0108.260] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0108.260] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="System Volume Information") returned -1 [0108.260] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2=".") returned 1 [0108.260] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="..") returned 1 [0108.260] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn") returned 55 [0108.260] lstrcmpW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0108.260] PathFindExtensionW (pszPath="MS.GROOVE.14.1033.hxn") returned=".hxn" [0108.260] lstrlenW (lpString=".hxn") returned 4 [0108.260] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0108.260] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.groove.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0108.260] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28e278 | out: lpFileSize=0x28e278*=332) returned 1 [0108.260] CloseHandle (hObject=0x194) returned 1 [0108.260] FindNextFileW (in: hFindFile=0x4e0698, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x113ae4d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x113ae4d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x11446a50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x158, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="MS.INFOPATH.14.1033.hxn", cAlternateFileName="MSINFO~1.HXN")) returned 1 [0108.260] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="Windows") returned -1 [0108.260] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="Program Files") returned -1 [0108.260] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0108.260] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0108.261] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="System Volume Information") returned -1 [0108.261] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2=".") returned 1 [0108.261] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="..") returned 1 [0108.261] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn") returned 57 [0108.261] lstrcmpW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0108.261] PathFindExtensionW (pszPath="MS.INFOPATH.14.1033.hxn") returned=".hxn" [0108.261] lstrlenW (lpString=".hxn") returned 4 [0108.261] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0108.261] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.infopath.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0108.262] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28e278 | out: lpFileSize=0x28e278*=344) returned 1 [0108.262] CloseHandle (hObject=0x194) returned 1 [0108.262] FindNextFileW (in: hFindFile=0x4e0698, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x113ae4d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x113ae4d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1146cbb0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="MS.INFOPATHEDITOR.14.1033.hxn", cAlternateFileName="MSINFO~2.HXN")) returned 1 [0108.262] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="Windows") returned -1 [0108.262] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="Program Files") returned -1 [0108.263] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0108.263] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0108.263] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="System Volume Information") returned -1 [0108.263] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2=".") returned 1 [0108.263] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="..") returned 1 [0108.263] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn") returned 63 [0108.263] lstrcmpW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0108.263] PathFindExtensionW (pszPath="MS.INFOPATHEDITOR.14.1033.hxn") returned=".hxn" [0108.263] lstrlenW (lpString=".hxn") returned 4 [0108.263] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0108.263] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.infopatheditor.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0108.263] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28e278 | out: lpFileSize=0x28e278*=380) returned 1 [0108.263] CloseHandle (hObject=0x194) returned 1 [0108.265] FindNextFileW (in: hFindFile=0x4e0698, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x15f8e210, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x15f8e210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1604c8f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x158, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="MS.MSACCESS.14.1033.hxn", cAlternateFileName="MSMSAC~1.HXN")) returned 1 [0108.265] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="Windows") returned -1 [0108.265] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="Program Files") returned -1 [0108.265] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0108.265] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0108.266] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="System Volume Information") returned -1 [0108.266] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2=".") returned 1 [0108.266] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="..") returned 1 [0108.266] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn") returned 57 [0108.266] lstrcmpW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0108.266] PathFindExtensionW (pszPath="MS.MSACCESS.14.1033.hxn") returned=".hxn" [0108.266] lstrlenW (lpString=".hxn") returned 4 [0108.266] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0108.266] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.msaccess.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0108.267] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28e278 | out: lpFileSize=0x28e278*=344) returned 1 [0108.267] CloseHandle (hObject=0x194) returned 1 [0108.267] FindNextFileW (in: hFindFile=0x4e0698, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x15f8e210, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x15f8e210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1604c8f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x170, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="MS.MSACCESS.DEV.14.1033.hxn", cAlternateFileName="MSMSAC~2.HXN")) returned 1 [0108.267] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="Windows") returned -1 [0108.267] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="Program Files") returned -1 [0108.267] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0108.267] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0108.267] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="System Volume Information") returned -1 [0108.267] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2=".") returned 1 [0108.267] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="..") returned 1 [0108.267] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn") returned 61 [0108.267] lstrcmpW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0108.267] PathFindExtensionW (pszPath="MS.MSACCESS.DEV.14.1033.hxn") returned=".hxn" [0108.267] lstrlenW (lpString=".hxn") returned 4 [0108.267] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0108.267] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.msaccess.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0108.268] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28e278 | out: lpFileSize=0x28e278*=368) returned 1 [0108.268] CloseHandle (hObject=0x194) returned 1 [0108.268] FindNextFileW (in: hFindFile=0x4e0698, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xef377f10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef377f10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef3ea330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="MS.MSOUC.14.1033.hxn", cAlternateFileName="MSMSOU~1.HXN")) returned 1 [0108.268] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="Windows") returned -1 [0108.268] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="Program Files") returned -1 [0108.268] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0108.268] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0108.268] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="System Volume Information") returned -1 [0108.268] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2=".") returned 1 [0108.268] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="..") returned 1 [0108.268] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn") returned 54 [0108.268] lstrcmpW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0108.268] PathFindExtensionW (pszPath="MS.MSOUC.14.1033.hxn") returned=".hxn" [0108.268] lstrlenW (lpString=".hxn") returned 4 [0108.268] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0108.268] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.msouc.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0108.269] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28e278 | out: lpFileSize=0x28e278*=326) returned 1 [0108.269] CloseHandle (hObject=0x194) returned 1 [0108.269] FindNextFileW (in: hFindFile=0x4e0698, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x1beeb370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1beeb370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1bf5d790, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="MS.MSPUB.14.1033.hxn", cAlternateFileName="MSMSPU~1.HXN")) returned 1 [0108.269] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="Windows") returned -1 [0108.269] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="Program Files") returned -1 [0108.269] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0108.269] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0108.269] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="System Volume Information") returned -1 [0108.269] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2=".") returned 1 [0108.269] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="..") returned 1 [0108.269] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn") returned 54 [0108.269] lstrcmpW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0108.269] PathFindExtensionW (pszPath="MS.MSPUB.14.1033.hxn") returned=".hxn" [0108.269] lstrlenW (lpString=".hxn") returned 4 [0108.269] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0108.269] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.mspub.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0108.270] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28e278 | out: lpFileSize=0x28e278*=326) returned 1 [0108.270] CloseHandle (hObject=0x194) returned 1 [0108.270] FindNextFileW (in: hFindFile=0x4e0698, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x1beeb370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1beeb370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1bf5d790, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x15e, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="MS.MSPUB.DEV.14.1033.hxn", cAlternateFileName="MSMSPU~2.HXN")) returned 1 [0108.270] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="Windows") returned -1 [0108.270] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="Program Files") returned -1 [0108.270] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0108.270] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0108.270] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="System Volume Information") returned -1 [0108.270] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2=".") returned 1 [0108.270] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="..") returned 1 [0108.271] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn") returned 58 [0108.271] lstrcmpW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0108.271] PathFindExtensionW (pszPath="MS.MSPUB.DEV.14.1033.hxn") returned=".hxn" [0108.271] lstrlenW (lpString=".hxn") returned 4 [0108.271] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0108.271] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.mspub.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0108.271] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28e278 | out: lpFileSize=0x28e278*=350) returned 1 [0108.271] CloseHandle (hObject=0x194) returned 1 [0108.271] FindNextFileW (in: hFindFile=0x4e0698, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xef377f10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef377f10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef3ea330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x14c, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="MS.MSTORE.14.1033.hxn", cAlternateFileName="MSMSTO~1.HXN")) returned 1 [0108.271] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="Windows") returned -1 [0108.271] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="Program Files") returned -1 [0108.271] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0108.271] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0108.271] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="System Volume Information") returned -1 [0108.271] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2=".") returned 1 [0108.271] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="..") returned 1 [0108.271] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn") returned 55 [0108.271] lstrcmpW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0108.271] PathFindExtensionW (pszPath="MS.MSTORE.14.1033.hxn") returned=".hxn" [0108.271] lstrlenW (lpString=".hxn") returned 4 [0108.271] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0108.271] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.mstore.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0108.272] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28e278 | out: lpFileSize=0x28e278*=332) returned 1 [0108.272] CloseHandle (hObject=0x194) returned 1 [0108.272] FindNextFileW (in: hFindFile=0x4e0698, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xef377f10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef377f10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef3ea330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x13a, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="MS.OIS.14.1033.hxn", cAlternateFileName="MSOIS1~1.HXN")) returned 1 [0108.272] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="Windows") returned -1 [0108.272] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="Program Files") returned -1 [0108.272] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0108.272] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0108.272] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="System Volume Information") returned -1 [0108.272] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2=".") returned 1 [0108.272] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="..") returned 1 [0108.272] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn") returned 52 [0108.272] lstrcmpW (lpString1="MS.OIS.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0108.272] PathFindExtensionW (pszPath="MS.OIS.14.1033.hxn") returned=".hxn" [0108.272] lstrlenW (lpString=".hxn") returned 4 [0108.272] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0108.272] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.ois.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0108.273] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28e278 | out: lpFileSize=0x28e278*=314) returned 1 [0108.273] CloseHandle (hObject=0x194) returned 1 [0108.273] FindNextFileW (in: hFindFile=0x4e0698, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xc997810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xc997810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc9e3ad0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x152, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="MS.ONENOTE.14.1033.hxn", cAlternateFileName="MSONEN~1.HXN")) returned 1 [0108.273] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="Windows") returned -1 [0108.273] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="Program Files") returned -1 [0108.273] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0108.273] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0108.273] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="System Volume Information") returned -1 [0108.273] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2=".") returned 1 [0108.273] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="..") returned 1 [0108.273] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn") returned 56 [0108.273] lstrcmpW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0108.273] PathFindExtensionW (pszPath="MS.ONENOTE.14.1033.hxn") returned=".hxn" [0108.273] lstrlenW (lpString=".hxn") returned 4 [0108.273] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0108.273] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.onenote.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0108.274] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28e278 | out: lpFileSize=0x28e278*=338) returned 1 [0108.274] CloseHandle (hObject=0x194) returned 1 [0108.274] FindNextFileW (in: hFindFile=0x4e0698, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x25328b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x25328b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2689510, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x152, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="MS.OUTLOOK.14.1033.hxn", cAlternateFileName="MSOUTL~1.HXN")) returned 1 [0108.274] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="Windows") returned -1 [0108.274] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="Program Files") returned -1 [0108.274] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0108.274] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0108.274] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="System Volume Information") returned -1 [0108.274] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2=".") returned 1 [0108.274] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="..") returned 1 [0108.274] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn") returned 56 [0108.274] lstrcmpW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0108.274] PathFindExtensionW (pszPath="MS.OUTLOOK.14.1033.hxn") returned=".hxn" [0108.274] lstrlenW (lpString=".hxn") returned 4 [0108.274] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0108.274] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.outlook.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0108.275] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28e278 | out: lpFileSize=0x28e278*=338) returned 1 [0108.275] CloseHandle (hObject=0x194) returned 1 [0108.275] FindNextFileW (in: hFindFile=0x4e0698, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x25328b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x25328b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x26af670, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x16a, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="MS.OUTLOOK.DEV.14.1033.hxn", cAlternateFileName="MSOUTL~2.HXN")) returned 1 [0108.275] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="Windows") returned -1 [0108.275] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="Program Files") returned -1 [0108.275] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0108.275] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0108.275] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="System Volume Information") returned -1 [0108.275] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2=".") returned 1 [0108.275] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="..") returned 1 [0108.275] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn") returned 60 [0108.276] lstrcmpW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0108.276] PathFindExtensionW (pszPath="MS.OUTLOOK.DEV.14.1033.hxn") returned=".hxn" [0108.276] lstrlenW (lpString=".hxn") returned 4 [0108.276] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0108.276] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.outlook.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0108.276] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28e278 | out: lpFileSize=0x28e278*=362) returned 1 [0108.276] CloseHandle (hObject=0x194) returned 1 [0108.276] FindNextFileW (in: hFindFile=0x4e0698, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xf5fa06b0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf5fa06b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf5fec970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x158, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="MS.POWERPNT.14.1033.hxn", cAlternateFileName="MSPOWE~1.HXN")) returned 1 [0108.276] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="Windows") returned -1 [0108.276] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="Program Files") returned -1 [0108.276] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0108.276] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0108.276] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="System Volume Information") returned -1 [0108.276] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2=".") returned 1 [0108.276] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="..") returned 1 [0108.277] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn") returned 57 [0108.277] lstrcmpW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0108.277] PathFindExtensionW (pszPath="MS.POWERPNT.14.1033.hxn") returned=".hxn" [0108.277] lstrlenW (lpString=".hxn") returned 4 [0108.277] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0108.277] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.powerpnt.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0108.278] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28e278 | out: lpFileSize=0x28e278*=344) returned 1 [0108.278] CloseHandle (hObject=0x194) returned 1 [0108.278] FindNextFileW (in: hFindFile=0x4e0698, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xf5fa06b0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf5fa06b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf5fec970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x170, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="MS.POWERPNT.DEV.14.1033.hxn", cAlternateFileName="MSPOWE~2.HXN")) returned 1 [0108.278] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="Windows") returned -1 [0108.278] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="Program Files") returned -1 [0108.278] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0108.278] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0108.278] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="System Volume Information") returned -1 [0108.278] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2=".") returned 1 [0108.278] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="..") returned 1 [0108.278] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn") returned 61 [0108.278] lstrcmpW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0108.278] PathFindExtensionW (pszPath="MS.POWERPNT.DEV.14.1033.hxn") returned=".hxn" [0108.278] lstrlenW (lpString=".hxn") returned 4 [0108.278] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0108.278] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.powerpnt.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0108.278] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28e278 | out: lpFileSize=0x28e278*=368) returned 1 [0108.279] CloseHandle (hObject=0x194) returned 1 [0108.279] FindNextFileW (in: hFindFile=0x4e0698, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xef377f10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef377f10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef3ea330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x152, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="MS.SETLANG.14.1033.hxn", cAlternateFileName="MSSETL~1.HXN")) returned 1 [0108.279] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="Windows") returned -1 [0108.279] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="Program Files") returned -1 [0108.279] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0108.279] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0108.279] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="System Volume Information") returned -1 [0108.279] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2=".") returned 1 [0108.279] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="..") returned 1 [0108.279] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn") returned 56 [0108.279] lstrcmpW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0108.279] PathFindExtensionW (pszPath="MS.SETLANG.14.1033.hxn") returned=".hxn" [0108.279] lstrlenW (lpString=".hxn") returned 4 [0108.279] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0108.279] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.setlang.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0108.279] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28e278 | out: lpFileSize=0x28e278*=338) returned 1 [0108.279] CloseHandle (hObject=0x194) returned 1 [0108.279] FindNextFileW (in: hFindFile=0x4e0698, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x523a6340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x523a6340, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x5269fec0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="MS.VISIO.14.1033.hxn", cAlternateFileName="MSVISI~1.HXN")) returned 1 [0108.279] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="Windows") returned -1 [0108.280] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="Program Files") returned -1 [0108.280] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0108.280] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0108.280] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="System Volume Information") returned -1 [0108.280] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2=".") returned 1 [0108.280] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="..") returned 1 [0108.280] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn") returned 54 [0108.280] lstrcmpW (lpString1="MS.VISIO.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0108.280] PathFindExtensionW (pszPath="MS.VISIO.14.1033.hxn") returned=".hxn" [0108.280] lstrlenW (lpString=".hxn") returned 4 [0108.280] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0108.280] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0108.281] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28e278 | out: lpFileSize=0x28e278*=326) returned 1 [0108.281] CloseHandle (hObject=0x194) returned 1 [0108.281] FindNextFileW (in: hFindFile=0x4e0698, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x523a6340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x523a6340, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x527122e0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x15e, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="MS.VISIO.DEV.14.1033.hxn", cAlternateFileName="MSVISI~3.HXN")) returned 1 [0108.281] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="Windows") returned -1 [0108.281] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="Program Files") returned -1 [0108.281] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0108.281] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0108.281] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="System Volume Information") returned -1 [0108.281] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2=".") returned 1 [0108.281] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="..") returned 1 [0108.281] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn") returned 58 [0108.281] lstrcmpW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0108.281] PathFindExtensionW (pszPath="MS.VISIO.DEV.14.1033.hxn") returned=".hxn" [0108.281] lstrlenW (lpString=".hxn") returned 4 [0108.281] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0108.281] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0108.282] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28e278 | out: lpFileSize=0x28e278*=350) returned 1 [0108.282] CloseHandle (hObject=0x194) returned 1 [0108.282] FindNextFileW (in: hFindFile=0x4e0698, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x523a6340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x523a6340, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x52738440, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x188, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="MS.VISIO.SHAPESHEET.14.1033.hxn", cAlternateFileName="MSVISI~4.HXN")) returned 1 [0108.282] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="Windows") returned -1 [0108.282] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="Program Files") returned -1 [0108.282] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0108.282] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0108.282] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="System Volume Information") returned -1 [0108.282] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2=".") returned 1 [0108.282] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="..") returned 1 [0108.282] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn") returned 65 [0108.282] lstrcmpW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0108.282] PathFindExtensionW (pszPath="MS.VISIO.SHAPESHEET.14.1033.hxn") returned=".hxn" [0108.282] lstrlenW (lpString=".hxn") returned 4 [0108.282] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0108.283] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio.shapesheet.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0108.283] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28e278 | out: lpFileSize=0x28e278*=392) returned 1 [0108.283] CloseHandle (hObject=0x194) returned 1 [0108.283] FindNextFileW (in: hFindFile=0x4e0698, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x523a6340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x523a6340, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x52738440, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x15e, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="MS.VISIO_PRM.14.1033.hxn", cAlternateFileName="MSE1C9~1.HXN")) returned 1 [0108.283] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="Windows") returned -1 [0108.283] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="Program Files") returned -1 [0108.283] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0108.283] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0108.283] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="System Volume Information") returned -1 [0108.283] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2=".") returned 1 [0108.283] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="..") returned 1 [0108.283] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn") returned 58 [0108.283] lstrcmpW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0108.283] PathFindExtensionW (pszPath="MS.VISIO_PRM.14.1033.hxn") returned=".hxn" [0108.283] lstrlenW (lpString=".hxn") returned 4 [0108.283] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0108.284] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio_prm.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0108.284] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28e278 | out: lpFileSize=0x28e278*=350) returned 1 [0108.284] CloseHandle (hObject=0x194) returned 1 [0108.284] FindNextFileW (in: hFindFile=0x4e0698, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x523a6340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x523a6340, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x527122e0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x15e, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="MS.VISIO_STD.14.1033.hxn", cAlternateFileName="MSVISI~2.HXN")) returned 1 [0108.284] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="Windows") returned -1 [0108.284] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="Program Files") returned -1 [0108.285] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0108.285] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0108.285] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="System Volume Information") returned -1 [0108.285] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2=".") returned 1 [0108.285] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="..") returned 1 [0108.285] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn") returned 58 [0108.285] lstrcmpW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0108.285] PathFindExtensionW (pszPath="MS.VISIO_STD.14.1033.hxn") returned=".hxn" [0108.285] lstrlenW (lpString=".hxn") returned 4 [0108.285] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0108.285] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio_std.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0108.285] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28e278 | out: lpFileSize=0x28e278*=350) returned 1 [0108.285] CloseHandle (hObject=0x194) returned 1 [0108.285] FindNextFileW (in: hFindFile=0x4e0698, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xaf766ee0, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xaf766ee0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xaf7d9300, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x152, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="MS.WINPROJ.14.1033.hxn", cAlternateFileName="MSWINP~1.HXN")) returned 1 [0108.285] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="Windows") returned -1 [0108.285] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="Program Files") returned -1 [0108.285] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0108.285] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0108.285] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="System Volume Information") returned -1 [0108.285] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2=".") returned 1 [0108.285] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="..") returned 1 [0108.285] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn") returned 56 [0108.285] lstrcmpW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0108.286] PathFindExtensionW (pszPath="MS.WINPROJ.14.1033.hxn") returned=".hxn" [0108.286] lstrlenW (lpString=".hxn") returned 4 [0108.286] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0108.286] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.winproj.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0108.291] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28e278 | out: lpFileSize=0x28e278*=338) returned 1 [0108.291] CloseHandle (hObject=0x194) returned 1 [0108.291] FindNextFileW (in: hFindFile=0x4e0698, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xaf766ee0, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xaf766ee0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xaf7d9300, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x16a, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="MS.WINPROJ.DEV.14.1033.hxn", cAlternateFileName="MSWINP~2.HXN")) returned 1 [0108.291] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="Windows") returned -1 [0108.291] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="Program Files") returned -1 [0108.291] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0108.291] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0108.291] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="System Volume Information") returned -1 [0108.291] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2=".") returned 1 [0108.291] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="..") returned 1 [0108.291] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn") returned 60 [0108.291] lstrcmpW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0108.291] PathFindExtensionW (pszPath="MS.WINPROJ.DEV.14.1033.hxn") returned=".hxn" [0108.292] lstrlenW (lpString=".hxn") returned 4 [0108.292] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0108.292] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.winproj.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0108.292] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28e278 | out: lpFileSize=0x28e278*=362) returned 1 [0108.292] CloseHandle (hObject=0x194) returned 1 [0108.292] FindNextFileW (in: hFindFile=0x4e0698, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x1e67e130, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1e67e130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1e6f0550, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x152, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="MS.WINWORD.14.1033.hxn", cAlternateFileName="MSWINW~1.HXN")) returned 1 [0108.293] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="Windows") returned -1 [0108.293] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="Program Files") returned -1 [0108.293] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0108.293] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0108.293] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="System Volume Information") returned -1 [0108.293] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2=".") returned 1 [0108.293] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="..") returned 1 [0108.293] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn") returned 56 [0108.293] lstrcmpW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0108.293] PathFindExtensionW (pszPath="MS.WINWORD.14.1033.hxn") returned=".hxn" [0108.293] lstrlenW (lpString=".hxn") returned 4 [0108.293] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0108.293] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.winword.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0108.294] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28e278 | out: lpFileSize=0x28e278*=338) returned 1 [0108.294] CloseHandle (hObject=0x194) returned 1 [0108.294] FindNextFileW (in: hFindFile=0x4e0698, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x1e67e130, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1e67e130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1e6f0550, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x16a, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="MS.WINWORD.DEV.14.1033.hxn", cAlternateFileName="MSWINW~2.HXN")) returned 1 [0108.294] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="Windows") returned -1 [0108.294] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="Program Files") returned -1 [0108.294] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0108.294] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0108.294] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="System Volume Information") returned -1 [0108.294] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2=".") returned 1 [0108.294] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="..") returned 1 [0108.294] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn") returned 60 [0108.294] lstrcmpW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0108.294] PathFindExtensionW (pszPath="MS.WINWORD.DEV.14.1033.hxn") returned=".hxn" [0108.294] lstrlenW (lpString=".hxn") returned 4 [0108.294] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0108.294] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.winword.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0108.295] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28e278 | out: lpFileSize=0x28e278*=362) returned 1 [0108.295] CloseHandle (hObject=0x194) returned 1 [0108.295] FindNextFileW (in: hFindFile=0x4e0698, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xe80ff230, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xe80ff230, ftLastAccessTime.dwHighDateTime=0x1d2dda1, ftLastWriteTime.dwLowDateTime=0xe8b8c220, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x21dc, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="nslist.hxl", cAlternateFileName="")) returned 1 [0108.295] lstrcmpiW (lpString1="nslist.hxl", lpString2="Windows") returned -1 [0108.295] lstrcmpiW (lpString1="nslist.hxl", lpString2="Program Files") returned -1 [0108.295] lstrcmpiW (lpString1="nslist.hxl", lpString2="Program Files (x86)") returned -1 [0108.295] lstrcmpiW (lpString1="nslist.hxl", lpString2="$Recycle.bin") returned 1 [0108.295] lstrcmpiW (lpString1="nslist.hxl", lpString2="System Volume Information") returned -1 [0108.295] lstrcmpiW (lpString1="nslist.hxl", lpString2=".") returned 1 [0108.295] lstrcmpiW (lpString1="nslist.hxl", lpString2="..") returned 1 [0108.295] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\nslist.hxl") returned 44 [0108.295] lstrcmpW (lpString1="nslist.hxl", lpString2="PUSSY.TXT") returned -1 [0108.295] PathFindExtensionW (pszPath="nslist.hxl") returned=".hxl" [0108.295] lstrlenW (lpString=".hxl") returned 4 [0108.295] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0108.295] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\nslist.hxl" (normalized: "c:\\programdata\\microsoft help\\nslist.hxl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0108.295] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28e278 | out: lpFileSize=0x28e278*=8668) returned 1 [0108.295] GetProcessHeap () returned 0x4c0000 [0108.295] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bb80d8 [0108.304] wsprintfW (in: param_1=0x28e2c6, param_2="%02X" | out: param_1="CC") returned 2 [0108.304] wsprintfW (in: param_1=0x28e2ca, param_2="%02X" | out: param_1="66") returned 2 [0108.304] wsprintfW (in: param_1=0x28e2ce, param_2="%02X" | out: param_1="6C") returned 2 [0108.304] wsprintfW (in: param_1=0x28e2d2, param_2="%02X" | out: param_1="16") returned 2 [0108.304] wsprintfW (in: param_1=0x28e2d6, param_2="%02X" | out: param_1="DF") returned 2 [0108.304] wsprintfW (in: param_1=0x28e2da, param_2="%02X" | out: param_1="D0") returned 2 [0108.304] wsprintfW (in: param_1=0x28e2de, param_2="%02X" | out: param_1="91") returned 2 [0108.304] wsprintfW (in: param_1=0x28e2e2, param_2="%02X" | out: param_1="99") returned 2 [0108.304] wsprintfW (in: param_1=0x28e2e6, param_2="%02X" | out: param_1="1D") returned 2 [0108.304] wsprintfW (in: param_1=0x28e2ea, param_2="%02X" | out: param_1="29") returned 2 [0108.304] wsprintfW (in: param_1=0x28e2ee, param_2="%02X" | out: param_1="70") returned 2 [0108.304] wsprintfW (in: param_1=0x28e2f2, param_2="%02X" | out: param_1="BC") returned 2 [0108.304] wsprintfW (in: param_1=0x28e2f6, param_2="%02X" | out: param_1="6D") returned 2 [0108.304] wsprintfW (in: param_1=0x28e2fa, param_2="%02X" | out: param_1="A0") returned 2 [0108.304] wsprintfW (in: param_1=0x28e2fe, param_2="%02X" | out: param_1="53") returned 2 [0108.304] wsprintfW (in: param_1=0x28e302, param_2="%02X" | out: param_1="A5") returned 2 [0108.304] wsprintfW (in: param_1=0x28e306, param_2="%02X" | out: param_1="8E") returned 2 [0108.304] wsprintfW (in: param_1=0x28e30a, param_2="%02X" | out: param_1="4A") returned 2 [0108.304] wsprintfW (in: param_1=0x28e30e, param_2="%02X" | out: param_1="5F") returned 2 [0108.304] wsprintfW (in: param_1=0x28e312, param_2="%02X" | out: param_1="BA") returned 2 [0108.304] wsprintfW (in: param_1=0x28e316, param_2="%02X" | out: param_1="55") returned 2 [0108.304] wsprintfW (in: param_1=0x28e31a, param_2="%02X" | out: param_1="D1") returned 2 [0108.304] wsprintfW (in: param_1=0x28e31e, param_2="%02X" | out: param_1="07") returned 2 [0108.304] wsprintfW (in: param_1=0x28e322, param_2="%02X" | out: param_1="55") returned 2 [0108.305] wsprintfW (in: param_1=0x28e326, param_2="%02X" | out: param_1="05") returned 2 [0108.305] wsprintfW (in: param_1=0x28e32a, param_2="%02X" | out: param_1="09") returned 2 [0108.305] wsprintfW (in: param_1=0x28e32e, param_2="%02X" | out: param_1="23") returned 2 [0108.305] wsprintfW (in: param_1=0x28e332, param_2="%02X" | out: param_1="D2") returned 2 [0108.305] wsprintfW (in: param_1=0x28e336, param_2="%02X" | out: param_1="52") returned 2 [0108.305] wsprintfW (in: param_1=0x28e33a, param_2="%02X" | out: param_1="35") returned 2 [0108.305] wsprintfW (in: param_1=0x28e33e, param_2="%02X" | out: param_1="31") returned 2 [0108.305] wsprintfW (in: param_1=0x28e342, param_2="%02X" | out: param_1="0E") returned 2 [0108.323] lstrcpyW (in: lpString1=0x3bc810c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft Help\\nslist.hxl" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\nslist.hxl") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\nslist.hxl" [0108.323] lstrcpyW (in: lpString1=0x3bb810c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft Help\\nslist.hxl" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\nslist.hxl") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\nslist.hxl" [0108.323] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpString2=".CC666C16DFD091991D2970BC6DA053A58E4A5FBA55D10755050923D25235310E" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\nslist.hxl.CC666C16DFD091991D2970BC6DA053A58E4A5FBA55D10755050923D25235310E") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\nslist.hxl.CC666C16DFD091991D2970BC6DA053A58E4A5FBA55D10755050923D25235310E" [0108.323] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0x94, CompletionKey=0x3bb80d8, NumberOfConcurrentThreads=0x0) returned 0x94 [0108.323] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bb80d8, lpOverlapped=0x3bb80d8) returned 1 [0108.323] FindNextFileW (in: hFindFile=0x4e0698, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xe80ff230, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xe80ff230, ftLastAccessTime.dwHighDateTime=0x1d2dda1, ftLastWriteTime.dwLowDateTime=0xe8b8c220, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x21dc, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="nslist.hxl", cAlternateFileName="")) returned 0 [0108.323] FindClose (in: hFindFile=0x4e0698 | out: hFindFile=0x4e0698) returned 1 [0108.334] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\PUSSY.TXT") returned 43 [0108.335] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\PUSSY.TXT" (normalized: "c:\\programdata\\microsoft help\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0108.339] lstrlenA (lpString="abcd") returned 4 [0108.339] WriteFile (in: hFile=0x194, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28e5ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28e5ec*=0x4, lpOverlapped=0x0) returned 1 [0108.341] CloseHandle (hObject=0x194) returned 1 [0108.341] GetProcessHeap () returned 0x4c0000 [0108.341] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0108.341] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf8556a0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Mozilla", cAlternateFileName="")) returned 1 [0108.341] lstrcmpiW (lpString1="Mozilla", lpString2="Windows") returned -1 [0108.341] lstrcmpiW (lpString1="Mozilla", lpString2="Program Files") returned -1 [0108.341] lstrcmpiW (lpString1="Mozilla", lpString2="Program Files (x86)") returned -1 [0108.341] lstrcmpiW (lpString1="Mozilla", lpString2="$Recycle.bin") returned 1 [0108.341] lstrcmpiW (lpString1="Mozilla", lpString2="System Volume Information") returned -1 [0108.341] lstrcmpiW (lpString1="Mozilla", lpString2=".") returned 1 [0108.341] lstrcmpiW (lpString1="Mozilla", lpString2="..") returned 1 [0108.341] wnsprintfW (in: pszDest=0x3b28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Mozilla") returned 26 [0108.341] GetProcessHeap () returned 0x4c0000 [0108.341] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0108.341] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\ProgramData\\Mozilla" | out: lpString1="\\\\?\\C:\\ProgramData\\Mozilla") returned="\\\\?\\C:\\ProgramData\\Mozilla" [0108.341] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Mozilla", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Mozilla\\*") returned="\\\\?\\C:\\ProgramData\\Mozilla\\*" [0108.341] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Mozilla\\*", lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf8556a0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2920 [0108.342] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0108.342] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0108.342] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0108.342] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0108.342] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0108.342] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.342] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf8556a0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0108.342] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0108.342] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0108.342] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0108.342] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0108.342] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0108.342] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.342] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.342] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf8556a0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="logs", cAlternateFileName="")) returned 1 [0108.342] lstrcmpiW (lpString1="logs", lpString2="Windows") returned -1 [0108.342] lstrcmpiW (lpString1="logs", lpString2="Program Files") returned -1 [0108.342] lstrcmpiW (lpString1="logs", lpString2="Program Files (x86)") returned -1 [0108.343] lstrcmpiW (lpString1="logs", lpString2="$Recycle.bin") returned 1 [0108.343] lstrcmpiW (lpString1="logs", lpString2="System Volume Information") returned -1 [0108.343] lstrcmpiW (lpString1="logs", lpString2=".") returned 1 [0108.343] lstrcmpiW (lpString1="logs", lpString2="..") returned 1 [0108.343] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Mozilla\\logs") returned 31 [0108.343] GetProcessHeap () returned 0x4c0000 [0108.343] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0108.343] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\ProgramData\\Mozilla\\logs" | out: lpString1="\\\\?\\C:\\ProgramData\\Mozilla\\logs") returned="\\\\?\\C:\\ProgramData\\Mozilla\\logs" [0108.343] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Mozilla\\logs", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\*") returned="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\*" [0108.343] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf8556a0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dc30, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0108.344] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0108.344] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0108.344] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0108.344] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0108.344] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0108.344] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.344] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf8556a0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dc30, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0108.344] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0108.344] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0108.344] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0108.344] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0108.344] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0108.344] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.344] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.344] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb07822e0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0xa4, dwReserved0=0x28dc30, dwReserved1=0x77c61b06, cFileName="maintenanceservice-install.log", cAlternateFileName="MAINTE~1.LOG")) returned 1 [0108.344] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="Windows") returned -1 [0108.345] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="Program Files") returned -1 [0108.345] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="Program Files (x86)") returned -1 [0108.345] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="$Recycle.bin") returned 1 [0108.345] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="System Volume Information") returned -1 [0108.345] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2=".") returned 1 [0108.345] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="..") returned 1 [0108.345] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\maintenanceservice-install.log") returned 62 [0108.345] lstrcmpW (lpString1="maintenanceservice-install.log", lpString2="PUSSY.TXT") returned -1 [0108.345] PathFindExtensionW (pszPath="maintenanceservice-install.log") returned=".log" [0108.345] lstrlenW (lpString=".log") returned 4 [0108.345] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0108.345] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\maintenanceservice-install.log" (normalized: "c:\\programdata\\mozilla\\logs\\maintenanceservice-install.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0108.346] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=164) returned 1 [0108.346] CloseHandle (hObject=0x178) returned 1 [0108.346] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb07822e0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0xa4, dwReserved0=0x28dc30, dwReserved1=0x77c61b06, cFileName="maintenanceservice-install.log", cAlternateFileName="MAINTE~1.LOG")) returned 0 [0108.346] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0108.346] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\PUSSY.TXT") returned 41 [0108.346] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\PUSSY.TXT" (normalized: "c:\\programdata\\mozilla\\logs\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0108.347] lstrlenA (lpString="abcd") returned 4 [0108.347] WriteFile (in: hFile=0x180, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0108.348] CloseHandle (hObject=0x180) returned 1 [0108.348] GetProcessHeap () returned 0x4c0000 [0108.348] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0108.348] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf8556a0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="logs", cAlternateFileName="")) returned 0 [0108.348] FindClose (in: hFindFile=0x4e2920 | out: hFindFile=0x4e2920) returned 1 [0108.348] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Mozilla\\PUSSY.TXT") returned 36 [0108.348] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Mozilla\\PUSSY.TXT" (normalized: "c:\\programdata\\mozilla\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0108.349] lstrlenA (lpString="abcd") returned 4 [0108.349] WriteFile (in: hFile=0x194, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28e5ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28e5ec*=0x4, lpOverlapped=0x0) returned 1 [0108.350] CloseHandle (hObject=0x194) returned 1 [0108.350] GetProcessHeap () returned 0x4c0000 [0108.350] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0108.350] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7e3c6d00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7e3c6d00, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7eea3160, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Oracle", cAlternateFileName="")) returned 1 [0108.350] lstrcmpiW (lpString1="Oracle", lpString2="Windows") returned -1 [0108.350] lstrcmpiW (lpString1="Oracle", lpString2="Program Files") returned -1 [0108.351] lstrcmpiW (lpString1="Oracle", lpString2="Program Files (x86)") returned -1 [0108.351] lstrcmpiW (lpString1="Oracle", lpString2="$Recycle.bin") returned 1 [0108.351] lstrcmpiW (lpString1="Oracle", lpString2="System Volume Information") returned -1 [0108.351] lstrcmpiW (lpString1="Oracle", lpString2=".") returned 1 [0108.351] lstrcmpiW (lpString1="Oracle", lpString2="..") returned 1 [0108.351] wnsprintfW (in: pszDest=0x3b28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle") returned 25 [0108.351] GetProcessHeap () returned 0x4c0000 [0108.351] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0108.351] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\ProgramData\\Oracle" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle") returned="\\\\?\\C:\\ProgramData\\Oracle" [0108.351] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Oracle", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\*") returned="\\\\?\\C:\\ProgramData\\Oracle\\*" [0108.351] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Oracle\\*", lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7e3c6d00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7e3c6d00, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7eea3160, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2920 [0108.351] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0108.351] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0108.351] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0108.351] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0108.351] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0108.351] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.351] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7e3c6d00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7e3c6d00, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7eea3160, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0108.352] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0108.352] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0108.352] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0108.352] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0108.352] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0108.352] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.352] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.352] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7e3c6d00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7e3c6d00, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7eea3160, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 0 [0108.352] FindClose (in: hFindFile=0x4e2920 | out: hFindFile=0x4e2920) returned 1 [0108.352] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\PUSSY.TXT") returned 35 [0108.352] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Oracle\\PUSSY.TXT" (normalized: "c:\\programdata\\oracle\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0108.352] lstrlenA (lpString="abcd") returned 4 [0108.352] WriteFile (in: hFile=0x194, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28e5ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28e5ec*=0x4, lpOverlapped=0x0) returned 1 [0108.353] CloseHandle (hObject=0x194) returned 1 [0108.353] GetProcessHeap () returned 0x4c0000 [0108.354] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0108.354] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xecce51e0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0x4819be0, ftLastAccessTime.dwHighDateTime=0x1d2fc28, ftLastWriteTime.dwLowDateTime=0x4819be0, ftLastWriteTime.dwHighDateTime=0x1d2fc28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Package Cache", cAlternateFileName="PACKAG~1")) returned 1 [0108.354] lstrcmpiW (lpString1="Package Cache", lpString2="Windows") returned -1 [0108.354] lstrcmpiW (lpString1="Package Cache", lpString2="Program Files") returned -1 [0108.354] lstrcmpiW (lpString1="Package Cache", lpString2="Program Files (x86)") returned -1 [0108.354] lstrcmpiW (lpString1="Package Cache", lpString2="$Recycle.bin") returned 1 [0108.354] lstrcmpiW (lpString1="Package Cache", lpString2="System Volume Information") returned -1 [0108.354] lstrcmpiW (lpString1="Package Cache", lpString2=".") returned 1 [0108.354] lstrcmpiW (lpString1="Package Cache", lpString2="..") returned 1 [0108.354] wnsprintfW (in: pszDest=0x3b28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache") returned 32 [0108.354] GetProcessHeap () returned 0x4c0000 [0108.354] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0108.354] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\ProgramData\\Package Cache" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache") returned="\\\\?\\C:\\ProgramData\\Package Cache" [0108.354] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\*" [0108.354] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\*", lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xecce51e0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0x4819be0, ftLastAccessTime.dwHighDateTime=0x1d2fc28, ftLastWriteTime.dwLowDateTime=0x4819be0, ftLastWriteTime.dwHighDateTime=0x1d2fc28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e2920 [0108.357] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0108.357] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0108.357] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0108.357] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0108.357] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0108.357] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.357] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xecce51e0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0x4819be0, ftLastAccessTime.dwHighDateTime=0x1d2fc28, ftLastWriteTime.dwLowDateTime=0x4819be0, ftLastWriteTime.dwHighDateTime=0x1d2fc28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0108.358] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0108.358] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0108.358] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0108.358] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0108.358] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0108.358] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.359] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.359] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2924cac0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="42D5BEC7DDFBD49E76467529CBC2868987BF8460", cAlternateFileName="42D5BE~1")) returned 1 [0108.359] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="Windows") returned -1 [0108.359] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="Program Files") returned -1 [0108.359] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="Program Files (x86)") returned -1 [0108.359] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="$Recycle.bin") returned 1 [0108.359] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="System Volume Information") returned -1 [0108.359] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2=".") returned 1 [0108.359] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="..") returned 1 [0108.359] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460") returned 73 [0108.359] GetProcessHeap () returned 0x4c0000 [0108.359] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0108.359] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460") returned="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460" [0108.359] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\*" [0108.359] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2924cac0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0108.360] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0108.360] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0108.360] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0108.360] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0108.360] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0108.360] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.360] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2924cac0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0108.360] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0108.360] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0108.360] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0108.360] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0108.360] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0108.360] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.360] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.360] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="packages", cAlternateFileName="")) returned 1 [0108.360] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0108.360] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0108.360] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0108.360] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0108.360] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0108.360] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0108.360] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0108.360] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages") returned 82 [0108.360] GetProcessHeap () returned 0x4c0000 [0108.361] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bb80d8 [0108.361] lstrcpyW (in: lpString1=0x3bb80d8, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages" [0108.361] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\*" [0108.361] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x4e29a0 [0108.361] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0108.361] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0108.361] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0108.361] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0108.361] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0108.361] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.361] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0108.361] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0108.361] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0108.361] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0108.361] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0108.361] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0108.362] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.362] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.362] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c5f9e2, cFileName="Patch", cAlternateFileName="")) returned 1 [0108.362] lstrcmpiW (lpString1="Patch", lpString2="Windows") returned -1 [0108.362] lstrcmpiW (lpString1="Patch", lpString2="Program Files") returned -1 [0108.362] lstrcmpiW (lpString1="Patch", lpString2="Program Files (x86)") returned -1 [0108.362] lstrcmpiW (lpString1="Patch", lpString2="$Recycle.bin") returned 1 [0108.362] lstrcmpiW (lpString1="Patch", lpString2="System Volume Information") returned -1 [0108.362] lstrcmpiW (lpString1="Patch", lpString2=".") returned 1 [0108.362] lstrcmpiW (lpString1="Patch", lpString2="..") returned 1 [0108.362] wnsprintfW (in: pszDest=0x3bb80d8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch") returned 88 [0108.362] GetProcessHeap () returned 0x4c0000 [0108.362] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0108.362] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch") returned="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch" [0108.362] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\*" [0108.362] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x2c4822d7, cFileName=".", cAlternateFileName="")) returned 0x4dbf10 [0108.363] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0108.363] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0108.363] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0108.363] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0108.363] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0108.363] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.363] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x2c4822d7, cFileName="..", cAlternateFileName="")) returned 1 [0108.363] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0108.363] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0108.363] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0108.363] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0108.363] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0108.363] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.363] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.363] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x2c4822d7, cFileName="x64", cAlternateFileName="")) returned 1 [0108.363] lstrcmpiW (lpString1="x64", lpString2="Windows") returned 1 [0108.363] lstrcmpiW (lpString1="x64", lpString2="Program Files") returned 1 [0108.363] lstrcmpiW (lpString1="x64", lpString2="Program Files (x86)") returned 1 [0108.363] lstrcmpiW (lpString1="x64", lpString2="$Recycle.bin") returned 1 [0108.363] lstrcmpiW (lpString1="x64", lpString2="System Volume Information") returned 1 [0108.363] lstrcmpiW (lpString1="x64", lpString2=".") returned 1 [0108.363] lstrcmpiW (lpString1="x64", lpString2="..") returned 1 [0108.364] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64") returned 92 [0108.364] GetProcessHeap () returned 0x4c0000 [0108.364] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bd80e8 [0108.364] lstrcpyW (in: lpString1=0x3bd80e8, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64") returned="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64" [0108.364] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\*" [0108.364] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xaffc61, cFileName=".", cAlternateFileName="")) returned 0x4e05a0 [0108.364] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0108.364] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0108.364] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0108.364] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0108.364] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0108.364] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.364] FindNextFileW (in: hFindFile=0x4e05a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xaffc61, cFileName="..", cAlternateFileName="")) returned 1 [0108.364] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0108.364] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0108.364] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0108.364] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0108.365] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0108.365] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.365] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.365] FindNextFileW (in: hFindFile=0x4e05a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59d2100, ftCreationTime.dwHighDateTime=0x1d0a100, ftLastAccessTime.dwLowDateTime=0x59d2100, ftLastAccessTime.dwHighDateTime=0x1d0a100, ftLastWriteTime.dwLowDateTime=0x59d2100, ftLastWriteTime.dwHighDateTime=0x1d0a100, nFileSizeHigh=0x0, nFileSizeLow=0xf7139, dwReserved0=0x4e06f8, dwReserved1=0xaffc61, cFileName="Windows6.1-KB2999226-x64.msu", cAlternateFileName="WINDOW~1.MSU")) returned 1 [0108.365] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="Windows") returned 1 [0108.365] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="Program Files") returned 1 [0108.365] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="Program Files (x86)") returned 1 [0108.365] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="$Recycle.bin") returned 1 [0108.365] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="System Volume Information") returned 1 [0108.365] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2=".") returned 1 [0108.365] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="..") returned 1 [0108.365] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu") returned 121 [0108.365] lstrcmpW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="PUSSY.TXT") returned 1 [0108.365] PathFindExtensionW (pszPath="Windows6.1-KB2999226-x64.msu") returned=".msu" [0108.365] lstrlenW (lpString=".msu") returned 4 [0108.365] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0108.365] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" (normalized: "c:\\programdata\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\patch\\x64\\windows6.1-kb2999226-x64.msu"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0108.366] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=1012025) returned 1 [0108.366] GetProcessHeap () returned 0x4c0000 [0108.366] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0108.381] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="BC") returned 2 [0108.381] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="F2") returned 2 [0108.381] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="BF") returned 2 [0108.381] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="95") returned 2 [0108.381] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="86") returned 2 [0108.381] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="BC") returned 2 [0108.381] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="1C") returned 2 [0108.381] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="E8") returned 2 [0108.381] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="60") returned 2 [0108.381] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="41") returned 2 [0108.382] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="6E") returned 2 [0108.382] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="73") returned 2 [0108.382] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="B9") returned 2 [0108.382] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="56") returned 2 [0108.382] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="22") returned 2 [0108.382] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="70") returned 2 [0108.382] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="E7") returned 2 [0108.382] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="45") returned 2 [0108.382] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="89") returned 2 [0108.382] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="99") returned 2 [0108.382] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="A8") returned 2 [0108.382] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="D7") returned 2 [0108.382] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="6D") returned 2 [0108.382] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="B9") returned 2 [0108.382] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="62") returned 2 [0108.382] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="B7") returned 2 [0108.382] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="B6") returned 2 [0108.382] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="70") returned 2 [0108.382] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="14") returned 2 [0108.382] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="DE") returned 2 [0108.382] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="D0") returned 2 [0108.382] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="67") returned 2 [0108.395] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu") returned="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" [0108.395] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu") returned="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" [0108.395] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu", lpString2=".BCF2BF9586BC1CE860416E73B9562270E7458999A8D76DB962B7B67014DED067" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu.BCF2BF9586BC1CE860416E73B9562270E7458999A8D76DB962B7B67014DED067") returned="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu.BCF2BF9586BC1CE860416E73B9562270E7458999A8D76DB962B7B67014DED067" [0108.395] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0108.395] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0108.395] FindNextFileW (in: hFindFile=0x4e05a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59d2100, ftCreationTime.dwHighDateTime=0x1d0a100, ftLastAccessTime.dwLowDateTime=0x59d2100, ftLastAccessTime.dwHighDateTime=0x1d0a100, ftLastWriteTime.dwLowDateTime=0x59d2100, ftLastWriteTime.dwHighDateTime=0x1d0a100, nFileSizeHigh=0x0, nFileSizeLow=0xf7139, dwReserved0=0x4e06f8, dwReserved1=0xaffc61, cFileName="Windows6.1-KB2999226-x64.msu", cAlternateFileName="WINDOW~1.MSU")) returned 0 [0108.396] FindClose (in: hFindFile=0x4e05a0 | out: hFindFile=0x4e05a0) returned 1 [0108.396] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\PUSSY.TXT") returned 102 [0108.396] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\patch\\x64\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0108.396] lstrlenA (lpString="abcd") returned 4 [0108.396] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0108.398] CloseHandle (hObject=0x18c) returned 1 [0108.398] GetProcessHeap () returned 0x4c0000 [0108.398] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bd80e8 | out: hHeap=0x4c0000) returned 1 [0108.400] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x2c4822d7, cFileName="x64", cAlternateFileName="")) returned 0 [0108.400] FindClose (in: hFindFile=0x4dbf10 | out: hFindFile=0x4dbf10) returned 1 [0108.400] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\PUSSY.TXT") returned 98 [0108.400] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\patch\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0108.401] lstrlenA (lpString="abcd") returned 4 [0108.401] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0108.402] CloseHandle (hObject=0x184) returned 1 [0108.402] GetProcessHeap () returned 0x4c0000 [0108.402] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0108.402] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c5f9e2, cFileName="Patch", cAlternateFileName="")) returned 0 [0108.402] FindClose (in: hFindFile=0x4e29a0 | out: hFindFile=0x4e29a0) returned 1 [0108.403] wnsprintfW (in: pszDest=0x3bb80d8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\PUSSY.TXT") returned 92 [0108.403] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0108.407] lstrlenA (lpString="abcd") returned 4 [0108.407] WriteFile (in: hFile=0x178, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0108.408] CloseHandle (hObject=0x178) returned 1 [0108.408] GetProcessHeap () returned 0x4c0000 [0108.408] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bb80d8 | out: hHeap=0x4c0000) returned 1 [0108.408] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="packages", cAlternateFileName="")) returned 0 [0108.408] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0108.409] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\PUSSY.TXT") returned 83 [0108.409] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0108.409] lstrlenA (lpString="abcd") returned 4 [0108.409] WriteFile (in: hFile=0x180, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0108.410] CloseHandle (hObject=0x180) returned 1 [0108.410] GetProcessHeap () returned 0x4c0000 [0108.410] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0108.411] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa938e870, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", cAlternateFileName="54050A~1")) returned 1 [0108.411] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="Windows") returned -1 [0108.411] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="Program Files") returned -1 [0108.411] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="Program Files (x86)") returned -1 [0108.411] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="$Recycle.bin") returned 1 [0108.411] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="System Volume Information") returned -1 [0108.411] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2=".") returned 1 [0108.411] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="..") returned 1 [0108.411] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D") returned 73 [0108.411] GetProcessHeap () returned 0x4c0000 [0108.411] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0108.411] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D") returned="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D" [0108.411] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\*" [0108.411] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa938e870, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0108.475] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0108.475] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0108.475] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0108.475] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0108.477] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0108.477] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.477] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa938e870, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0108.477] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0108.477] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0108.477] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0108.477] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0108.477] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0108.477] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.477] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.477] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="packages", cAlternateFileName="")) returned 1 [0108.478] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0108.478] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0108.478] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0108.478] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0108.478] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0108.478] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0108.478] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0108.478] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages") returned 82 [0108.478] GetProcessHeap () returned 0x4c0000 [0108.478] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bb80d8 [0108.478] lstrcpyW (in: lpString1=0x3bb80d8, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages" [0108.478] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\*" [0108.478] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x4e29a0 [0108.479] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0108.479] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0108.479] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0108.479] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0108.479] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0108.479] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.479] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0108.479] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0108.479] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0108.479] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0108.479] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0108.479] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0108.479] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.479] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.479] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c5f9e2, cFileName="Patch", cAlternateFileName="")) returned 1 [0108.479] lstrcmpiW (lpString1="Patch", lpString2="Windows") returned -1 [0108.479] lstrcmpiW (lpString1="Patch", lpString2="Program Files") returned -1 [0108.479] lstrcmpiW (lpString1="Patch", lpString2="Program Files (x86)") returned -1 [0108.479] lstrcmpiW (lpString1="Patch", lpString2="$Recycle.bin") returned 1 [0108.479] lstrcmpiW (lpString1="Patch", lpString2="System Volume Information") returned -1 [0108.479] lstrcmpiW (lpString1="Patch", lpString2=".") returned 1 [0108.480] lstrcmpiW (lpString1="Patch", lpString2="..") returned 1 [0108.480] wnsprintfW (in: pszDest=0x3bb80d8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch") returned 88 [0108.480] GetProcessHeap () returned 0x4c0000 [0108.480] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0108.480] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch") returned="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch" [0108.480] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\*" [0108.480] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x2c4822d7, cFileName=".", cAlternateFileName="")) returned 0x4dbf10 [0108.481] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0108.481] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0108.481] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0108.481] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0108.481] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0108.481] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.481] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x2c4822d7, cFileName="..", cAlternateFileName="")) returned 1 [0108.481] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0108.481] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0108.481] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0108.481] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0108.481] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0108.482] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.482] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.482] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x2c4822d7, cFileName="x64", cAlternateFileName="")) returned 1 [0108.482] lstrcmpiW (lpString1="x64", lpString2="Windows") returned 1 [0108.482] lstrcmpiW (lpString1="x64", lpString2="Program Files") returned 1 [0108.482] lstrcmpiW (lpString1="x64", lpString2="Program Files (x86)") returned 1 [0108.482] lstrcmpiW (lpString1="x64", lpString2="$Recycle.bin") returned 1 [0108.482] lstrcmpiW (lpString1="x64", lpString2="System Volume Information") returned 1 [0108.482] lstrcmpiW (lpString1="x64", lpString2=".") returned 1 [0108.482] lstrcmpiW (lpString1="x64", lpString2="..") returned 1 [0108.482] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64") returned 92 [0108.482] GetProcessHeap () returned 0x4c0000 [0108.482] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bd80e8 [0108.483] lstrcpyW (in: lpString1=0x3bd80e8, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64") returned="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64" [0108.483] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\*" [0108.483] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xaffc61, cFileName=".", cAlternateFileName="")) returned 0x4e05a0 [0108.483] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0108.483] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0108.483] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0108.483] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0108.483] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0108.483] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.483] FindNextFileW (in: hFindFile=0x4e05a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xaffc61, cFileName="..", cAlternateFileName="")) returned 1 [0108.483] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0108.483] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0108.483] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0108.483] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0108.484] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0108.484] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.484] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.484] FindNextFileW (in: hFindFile=0x4e05a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ab54b00, ftCreationTime.dwHighDateTime=0x1d1a02d, ftLastAccessTime.dwLowDateTime=0x9ab54b00, ftLastAccessTime.dwHighDateTime=0x1d1a02d, ftLastWriteTime.dwLowDateTime=0x9ab54b00, ftLastWriteTime.dwHighDateTime=0x1d1a02d, nFileSizeHigh=0x0, nFileSizeLow=0xfc93c, dwReserved0=0x4e06f8, dwReserved1=0xaffc61, cFileName="Windows6.1-KB2999226-x64.msu", cAlternateFileName="WINDOW~1.MSU")) returned 1 [0108.484] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="Windows") returned 1 [0108.484] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="Program Files") returned 1 [0108.484] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="Program Files (x86)") returned 1 [0108.484] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="$Recycle.bin") returned 1 [0108.484] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="System Volume Information") returned 1 [0108.484] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2=".") returned 1 [0108.484] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="..") returned 1 [0108.484] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu") returned 121 [0108.484] lstrcmpW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="PUSSY.TXT") returned 1 [0108.484] PathFindExtensionW (pszPath="Windows6.1-KB2999226-x64.msu") returned=".msu" [0108.484] lstrlenW (lpString=".msu") returned 4 [0108.484] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0108.484] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" (normalized: "c:\\programdata\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\patch\\x64\\windows6.1-kb2999226-x64.msu"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a4 [0108.485] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=1034556) returned 1 [0108.485] GetProcessHeap () returned 0x4c0000 [0108.485] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c28098 [0108.502] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="2E") returned 2 [0108.502] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="F5") returned 2 [0108.502] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="9A") returned 2 [0108.502] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="B4") returned 2 [0108.502] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="29") returned 2 [0108.502] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="1B") returned 2 [0108.502] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="FB") returned 2 [0108.502] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="01") returned 2 [0108.502] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="F7") returned 2 [0108.502] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="66") returned 2 [0108.502] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="E1") returned 2 [0108.502] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="17") returned 2 [0108.503] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="A3") returned 2 [0108.503] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="64") returned 2 [0108.503] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="70") returned 2 [0108.503] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="A8") returned 2 [0108.503] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="04") returned 2 [0108.503] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="5E") returned 2 [0108.503] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="46") returned 2 [0108.503] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="4F") returned 2 [0108.503] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="1A") returned 2 [0108.503] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="F6") returned 2 [0108.503] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="DF") returned 2 [0108.503] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="D7") returned 2 [0108.503] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="AB") returned 2 [0108.503] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="8A") returned 2 [0108.503] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="25") returned 2 [0108.503] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="23") returned 2 [0108.503] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="E4") returned 2 [0108.503] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="BA") returned 2 [0108.503] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="7F") returned 2 [0108.503] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="51") returned 2 [0108.515] lstrcpyW (in: lpString1=0x3c380cc, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu") returned="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" [0108.515] lstrcpyW (in: lpString1=0x3c280cc, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu") returned="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" [0108.515] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu", lpString2=".2EF59AB4291BFB01F766E117A36470A8045E464F1AF6DFD7AB8A2523E4BA7F51" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu.2EF59AB4291BFB01F766E117A36470A8045E464F1AF6DFD7AB8A2523E4BA7F51") returned="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu.2EF59AB4291BFB01F766E117A36470A8045E464F1AF6DFD7AB8A2523E4BA7F51" [0108.515] CreateIoCompletionPort (FileHandle=0x1a4, ExistingCompletionPort=0x94, CompletionKey=0x3c28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0108.515] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c28098, lpOverlapped=0x3c28098) returned 1 [0108.516] FindNextFileW (in: hFindFile=0x4e05a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ab54b00, ftCreationTime.dwHighDateTime=0x1d1a02d, ftLastAccessTime.dwLowDateTime=0x9ab54b00, ftLastAccessTime.dwHighDateTime=0x1d1a02d, ftLastWriteTime.dwLowDateTime=0x9ab54b00, ftLastWriteTime.dwHighDateTime=0x1d1a02d, nFileSizeHigh=0x0, nFileSizeLow=0xfc93c, dwReserved0=0x4e06f8, dwReserved1=0xaffc61, cFileName="Windows6.1-KB2999226-x64.msu", cAlternateFileName="WINDOW~1.MSU")) returned 0 [0108.516] FindClose (in: hFindFile=0x4e05a0 | out: hFindFile=0x4e05a0) returned 1 [0108.516] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\PUSSY.TXT") returned 102 [0108.516] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\patch\\x64\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0108.558] lstrlenA (lpString="abcd") returned 4 [0108.559] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0108.560] CloseHandle (hObject=0x18c) returned 1 [0108.560] GetProcessHeap () returned 0x4c0000 [0108.560] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bd80e8 | out: hHeap=0x4c0000) returned 1 [0108.560] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x2c4822d7, cFileName="x64", cAlternateFileName="")) returned 0 [0108.560] FindClose (in: hFindFile=0x4dbf10 | out: hFindFile=0x4dbf10) returned 1 [0108.560] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\PUSSY.TXT") returned 98 [0108.560] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\patch\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0108.560] lstrlenA (lpString="abcd") returned 4 [0108.560] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0108.562] CloseHandle (hObject=0x184) returned 1 [0108.562] GetProcessHeap () returned 0x4c0000 [0108.562] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0108.562] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c5f9e2, cFileName="Patch", cAlternateFileName="")) returned 0 [0108.562] FindClose (in: hFindFile=0x4e29a0 | out: hFindFile=0x4e29a0) returned 1 [0108.562] wnsprintfW (in: pszDest=0x3bb80d8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\PUSSY.TXT") returned 92 [0108.562] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0108.563] lstrlenA (lpString="abcd") returned 4 [0108.563] WriteFile (in: hFile=0x178, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0108.564] CloseHandle (hObject=0x178) returned 1 [0108.564] GetProcessHeap () returned 0x4c0000 [0108.564] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bb80d8 | out: hHeap=0x4c0000) returned 1 [0108.564] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="packages", cAlternateFileName="")) returned 0 [0108.564] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0108.564] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\PUSSY.TXT") returned 83 [0108.564] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0108.564] lstrlenA (lpString="abcd") returned 4 [0108.564] WriteFile (in: hFile=0x180, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0108.565] CloseHandle (hObject=0x180) returned 1 [0108.565] GetProcessHeap () returned 0x4c0000 [0108.566] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0108.568] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb49460, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcb95720, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcb95720, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", cAlternateFileName="{13A4E~1.210")) returned 1 [0108.568] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="Windows") returned -1 [0108.569] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="Program Files") returned -1 [0108.569] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="Program Files (x86)") returned -1 [0108.569] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="$Recycle.bin") returned 1 [0108.569] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="System Volume Information") returned -1 [0108.569] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2=".") returned 1 [0108.569] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="..") returned 1 [0108.569] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005") returned 82 [0108.569] GetProcessHeap () returned 0x4c0000 [0108.569] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0108.570] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005" [0108.570] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*" [0108.570] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb49460, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcb95720, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcb95720, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0108.570] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0108.570] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0108.570] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0108.570] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0108.570] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0108.570] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.571] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb49460, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcb95720, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcb95720, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0108.571] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0108.571] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0108.571] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0108.571] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0108.571] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0108.571] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.571] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.571] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcb95720, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcb95720, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="packages", cAlternateFileName="")) returned 1 [0108.571] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0108.571] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0108.571] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0108.571] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0108.571] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0108.571] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0108.571] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0108.571] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages") returned 91 [0108.571] GetProcessHeap () returned 0x4c0000 [0108.571] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c500e8 [0108.572] lstrcpyW (in: lpString1=0x3c500e8, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages" [0108.572] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*" [0108.573] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcb95720, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcb95720, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x4e29a0 [0108.574] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0108.574] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0108.574] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0108.574] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0108.574] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0108.574] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.574] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcb95720, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcb95720, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0108.574] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0108.574] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0108.574] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0108.574] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0108.574] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0108.575] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.575] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.575] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c5f9e2, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0108.575] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Windows") returned -1 [0108.575] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Program Files") returned 1 [0108.575] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Program Files (x86)") returned 1 [0108.575] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="$Recycle.bin") returned 1 [0108.575] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="System Volume Information") returned 1 [0108.575] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2=".") returned 1 [0108.575] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="..") returned 1 [0108.575] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86") returned 112 [0108.575] GetProcessHeap () returned 0x4c0000 [0108.575] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c600f0 [0108.575] lstrcpyW (in: lpString1=0x3c600f0, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86" [0108.576] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*" [0108.576] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x2c4822d7, cFileName=".", cAlternateFileName="")) returned 0x4dbf10 [0108.576] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0108.576] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0108.576] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0108.576] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0108.576] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0108.576] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.576] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x2c4822d7, cFileName="..", cAlternateFileName="")) returned 1 [0108.576] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0108.576] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0108.576] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0108.576] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0108.576] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0108.576] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.576] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.576] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cc6500, ftCreationTime.dwHighDateTime=0x1cf3dd3, ftLastAccessTime.dwLowDateTime=0x50cc6500, ftLastAccessTime.dwHighDateTime=0x1cf3dd3, ftLastWriteTime.dwLowDateTime=0x50cc6500, ftLastWriteTime.dwHighDateTime=0x1cf3dd3, nFileSizeHigh=0x0, nFileSizeLow=0xf36be, dwReserved0=0x4e06f8, dwReserved1=0x2c4822d7, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0108.577] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0108.577] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0108.577] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0108.577] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0108.577] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0108.577] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0108.577] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0108.577] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned 121 [0108.577] lstrcmpW (lpString1="cab1.cab", lpString2="PUSSY.TXT") returned -1 [0108.577] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0108.577] lstrlenW (lpString=".cab") returned 4 [0108.577] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0108.577] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0108.577] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=997054) returned 1 [0108.578] GetProcessHeap () returned 0x4c0000 [0108.578] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bb80d8 [0108.591] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="99") returned 2 [0108.591] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="1D") returned 2 [0108.591] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="78") returned 2 [0108.591] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="AF") returned 2 [0108.591] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="38") returned 2 [0108.592] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="B2") returned 2 [0108.592] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="1C") returned 2 [0108.592] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="A9") returned 2 [0108.592] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="67") returned 2 [0108.592] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="EA") returned 2 [0108.592] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="CC") returned 2 [0108.592] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="E1") returned 2 [0108.592] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="BE") returned 2 [0108.592] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="71") returned 2 [0108.592] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="51") returned 2 [0108.592] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="50") returned 2 [0108.592] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="A4") returned 2 [0108.592] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="47") returned 2 [0108.592] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="09") returned 2 [0108.592] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="E8") returned 2 [0108.592] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="E3") returned 2 [0108.592] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="23") returned 2 [0108.592] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="86") returned 2 [0108.592] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="E7") returned 2 [0108.592] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="C1") returned 2 [0108.592] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="51") returned 2 [0108.592] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="4B") returned 2 [0108.592] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="8F") returned 2 [0108.592] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="58") returned 2 [0108.592] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="76") returned 2 [0108.592] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="BD") returned 2 [0108.593] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="51") returned 2 [0108.604] lstrcpyW (in: lpString1=0x3bc810c, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab" [0108.604] lstrcpyW (in: lpString1=0x3bb810c, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab" [0108.604] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab", lpString2=".991D78AF38B21CA967EACCE1BE715150A44709E8E32386E7C1514B8F5876BD51" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab.991D78AF38B21CA967EACCE1BE715150A44709E8E32386E7C1514B8F5876BD51") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab.991D78AF38B21CA967EACCE1BE715150A44709E8E32386E7C1514B8F5876BD51" [0108.604] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x3bb80d8, NumberOfConcurrentThreads=0x0) returned 0x94 [0108.604] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bb80d8, lpOverlapped=0x3bb80d8) returned 1 [0108.605] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cc6500, ftCreationTime.dwHighDateTime=0x1cf3dd3, ftLastAccessTime.dwLowDateTime=0x50cc6500, ftLastAccessTime.dwHighDateTime=0x1cf3dd3, ftLastWriteTime.dwLowDateTime=0x50cc6500, ftLastWriteTime.dwHighDateTime=0x1cf3dd3, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x4e06f8, dwReserved1=0x2c4822d7, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0108.605] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="Windows") returned -1 [0108.605] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="Program Files") returned 1 [0108.605] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="Program Files (x86)") returned 1 [0108.605] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="$Recycle.bin") returned 1 [0108.605] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="System Volume Information") returned 1 [0108.605] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2=".") returned 1 [0108.605] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="..") returned 1 [0108.605] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned 138 [0108.605] lstrcmpW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="PUSSY.TXT") returned 1 [0108.605] PathFindExtensionW (pszPath="vc_runtimeMinimum_x86.msi") returned=".msi" [0108.605] lstrlenW (lpString=".msi") returned 4 [0108.605] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0108.605] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xec [0108.606] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=143360) returned 1 [0108.606] GetProcessHeap () returned 0x4c0000 [0108.606] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b380a0 [0108.620] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="09") returned 2 [0108.620] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="C1") returned 2 [0108.620] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="AB") returned 2 [0108.620] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="1F") returned 2 [0108.620] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="6D") returned 2 [0108.620] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="8E") returned 2 [0108.620] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="EE") returned 2 [0108.620] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="2D") returned 2 [0108.620] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="C4") returned 2 [0108.620] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="16") returned 2 [0108.620] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="AD") returned 2 [0108.620] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="67") returned 2 [0108.620] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="1D") returned 2 [0108.620] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="78") returned 2 [0108.620] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="9A") returned 2 [0108.620] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="7F") returned 2 [0108.620] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="98") returned 2 [0108.620] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="40") returned 2 [0108.621] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="47") returned 2 [0108.621] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="36") returned 2 [0108.621] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="D1") returned 2 [0108.621] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="68") returned 2 [0108.621] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="FC") returned 2 [0108.621] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="46") returned 2 [0108.621] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="93") returned 2 [0108.621] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="E8") returned 2 [0108.621] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="73") returned 2 [0108.621] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="60") returned 2 [0108.621] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="79") returned 2 [0108.621] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="75") returned 2 [0108.621] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="49") returned 2 [0108.621] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="17") returned 2 [0108.633] lstrcpyW (in: lpString1=0x3b480d4, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" [0108.633] lstrcpyW (in: lpString1=0x3b380d4, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" [0108.633] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi", lpString2=".09C1AB1F6D8EEE2DC416AD671D789A7F98404736D168FC4693E8736079754917" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi.09C1AB1F6D8EEE2DC416AD671D789A7F98404736D168FC4693E8736079754917") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi.09C1AB1F6D8EEE2DC416AD671D789A7F98404736D168FC4693E8736079754917" [0108.633] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x94, CompletionKey=0x3b380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0108.633] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b380a0, lpOverlapped=0x3b380a0) returned 1 [0108.633] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cc6500, ftCreationTime.dwHighDateTime=0x1cf3dd3, ftLastAccessTime.dwLowDateTime=0x50cc6500, ftLastAccessTime.dwHighDateTime=0x1cf3dd3, ftLastWriteTime.dwLowDateTime=0x50cc6500, ftLastWriteTime.dwHighDateTime=0x1cf3dd3, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x4e06f8, dwReserved1=0x2c4822d7, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0108.633] FindClose (in: hFindFile=0x4dbf10 | out: hFindFile=0x4dbf10) returned 1 [0108.633] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\PUSSY.TXT") returned 122 [0108.633] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0108.634] lstrlenA (lpString="abcd") returned 4 [0108.634] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0108.635] CloseHandle (hObject=0x184) returned 1 [0108.635] GetProcessHeap () returned 0x4c0000 [0108.635] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c600f0 | out: hHeap=0x4c0000) returned 1 [0108.635] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c5f9e2, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0108.635] FindClose (in: hFindFile=0x4e29a0 | out: hFindFile=0x4e29a0) returned 1 [0108.635] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\PUSSY.TXT") returned 101 [0108.635] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0108.640] lstrlenA (lpString="abcd") returned 4 [0108.640] WriteFile (in: hFile=0x178, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0108.641] CloseHandle (hObject=0x178) returned 1 [0108.641] GetProcessHeap () returned 0x4c0000 [0108.641] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c500e8 | out: hHeap=0x4c0000) returned 1 [0108.641] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcb95720, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcb95720, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="packages", cAlternateFileName="")) returned 0 [0108.641] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0108.641] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\PUSSY.TXT") returned 92 [0108.641] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0108.642] lstrlenA (lpString="abcd") returned 4 [0108.642] WriteFile (in: hFile=0x180, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0108.643] CloseHandle (hObject=0x180) returned 1 [0108.643] GetProcessHeap () returned 0x4c0000 [0108.643] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0108.645] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecd0b340, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xecd314a0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xecd314a0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", cAlternateFileName="{33D1F~1")) returned 1 [0108.645] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="Windows") returned -1 [0108.645] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="Program Files") returned -1 [0108.645] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="Program Files (x86)") returned -1 [0108.646] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="$Recycle.bin") returned 1 [0108.646] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="System Volume Information") returned -1 [0108.646] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2=".") returned 1 [0108.646] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="..") returned 1 [0108.646] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}") returned 71 [0108.646] GetProcessHeap () returned 0x4c0000 [0108.646] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3be0128 [0108.647] lstrcpyW (in: lpString1=0x3be0128, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}" [0108.647] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*" [0108.647] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecd0b340, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xecd314a0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xecd314a0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0108.647] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0108.647] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0108.647] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0108.647] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0108.647] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0108.647] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.647] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecd0b340, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xecd314a0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xecd314a0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0108.647] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0108.647] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0108.648] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0108.648] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0108.648] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0108.648] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.648] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.648] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecd314a0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xecd314a0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xf08b3aa0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x28e, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0108.648] lstrcmpiW (lpString1="state.rsm", lpString2="Windows") returned -1 [0108.648] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files") returned 1 [0108.648] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files (x86)") returned 1 [0108.648] lstrcmpiW (lpString1="state.rsm", lpString2="$Recycle.bin") returned 1 [0108.648] lstrcmpiW (lpString1="state.rsm", lpString2="System Volume Information") returned -1 [0108.648] lstrcmpiW (lpString1="state.rsm", lpString2=".") returned 1 [0108.648] lstrcmpiW (lpString1="state.rsm", lpString2="..") returned 1 [0108.648] wnsprintfW (in: pszDest=0x3be0128, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm") returned 81 [0108.648] lstrcmpW (lpString1="state.rsm", lpString2="PUSSY.TXT") returned 1 [0108.648] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0108.648] lstrlenW (lpString=".rsm") returned 4 [0108.648] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0108.648] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0108.649] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=654) returned 1 [0108.649] GetProcessHeap () returned 0x4c0000 [0108.650] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c500e8 [0108.663] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="BA") returned 2 [0108.663] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="D3") returned 2 [0108.663] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="D9") returned 2 [0108.663] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="50") returned 2 [0108.663] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="C9") returned 2 [0108.664] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="68") returned 2 [0108.664] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="58") returned 2 [0108.664] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="8C") returned 2 [0108.664] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="5F") returned 2 [0108.664] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="05") returned 2 [0108.664] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="79") returned 2 [0108.664] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="BA") returned 2 [0108.664] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="C4") returned 2 [0108.664] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="C4") returned 2 [0108.664] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="15") returned 2 [0108.664] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="19") returned 2 [0108.664] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="FF") returned 2 [0108.664] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="D0") returned 2 [0108.664] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="DA") returned 2 [0108.664] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="D5") returned 2 [0108.664] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="B4") returned 2 [0108.664] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="1A") returned 2 [0108.664] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="C3") returned 2 [0108.664] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="5E") returned 2 [0108.664] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="1D") returned 2 [0108.664] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="A5") returned 2 [0108.664] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="D2") returned 2 [0108.665] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="07") returned 2 [0108.665] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="55") returned 2 [0108.665] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="4C") returned 2 [0108.665] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="BF") returned 2 [0108.665] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="31") returned 2 [0108.677] lstrcpyW (in: lpString1=0x3c6011c, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" [0108.677] lstrcpyW (in: lpString1=0x3c5011c, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" [0108.678] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm", lpString2=".BAD3D950C968588C5F0579BAC4C41519FFD0DAD5B41AC35E1DA5D207554CBF31" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm.BAD3D950C968588C5F0579BAC4C41519FFD0DAD5B41AC35E1DA5D207554CBF31") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm.BAD3D950C968588C5F0579BAC4C41519FFD0DAD5B41AC35E1DA5D207554CBF31" [0108.678] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x3c500e8, NumberOfConcurrentThreads=0x0) returned 0x94 [0108.678] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c500e8, lpOverlapped=0x3c500e8) returned 1 [0108.678] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecd0b340, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xecd0b340, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xd3ea4f80, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x6f428, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="vcredist_x86.exe", cAlternateFileName="VCREDI~1.EXE")) returned 1 [0108.678] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="Windows") returned -1 [0108.678] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="Program Files") returned 1 [0108.678] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="Program Files (x86)") returned 1 [0108.678] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="$Recycle.bin") returned 1 [0108.678] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="System Volume Information") returned 1 [0108.678] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2=".") returned 1 [0108.678] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="..") returned 1 [0108.678] wnsprintfW (in: pszDest=0x3be0128, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe") returned 88 [0108.678] lstrcmpW (lpString1="vcredist_x86.exe", lpString2="PUSSY.TXT") returned 1 [0108.678] PathFindExtensionW (pszPath="vcredist_x86.exe") returned=".exe" [0108.678] lstrlenW (lpString=".exe") returned 4 [0108.678] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0108.678] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0108.679] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=455720) returned 1 [0108.679] GetProcessHeap () returned 0x4c0000 [0108.679] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b600f0 [0108.693] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="FD") returned 2 [0108.693] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="87") returned 2 [0108.694] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="80") returned 2 [0108.694] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="9A") returned 2 [0108.694] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="B3") returned 2 [0108.694] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="A4") returned 2 [0108.694] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="0B") returned 2 [0108.694] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="9F") returned 2 [0108.694] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="62") returned 2 [0108.694] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="F0") returned 2 [0108.694] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="BB") returned 2 [0108.694] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="C1") returned 2 [0108.694] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="F4") returned 2 [0108.694] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="89") returned 2 [0108.694] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="D6") returned 2 [0108.694] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="4D") returned 2 [0108.694] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="FE") returned 2 [0108.694] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="CF") returned 2 [0108.695] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="BA") returned 2 [0108.695] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="50") returned 2 [0108.695] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="D4") returned 2 [0108.695] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="A5") returned 2 [0108.695] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="BA") returned 2 [0108.695] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="DE") returned 2 [0108.695] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="EA") returned 2 [0108.695] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="CA") returned 2 [0108.695] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="4A") returned 2 [0108.695] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="19") returned 2 [0108.695] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="EF") returned 2 [0108.695] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="E3") returned 2 [0108.695] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="4B") returned 2 [0108.695] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="55") returned 2 [0108.707] lstrcpyW (in: lpString1=0x3b70124, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe" [0108.707] lstrcpyW (in: lpString1=0x3b60124, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe" [0108.707] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe", lpString2=".FD87809AB3A40B9F62F0BBC1F489D64DFECFBA50D4A5BADEEACA4A19EFE34B55" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe.FD87809AB3A40B9F62F0BBC1F489D64DFECFBA50D4A5BADEEACA4A19EFE34B55") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe.FD87809AB3A40B9F62F0BBC1F489D64DFECFBA50D4A5BADEEACA4A19EFE34B55" [0108.707] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x3b600f0, NumberOfConcurrentThreads=0x0) returned 0x94 [0108.707] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b600f0, lpOverlapped=0x3b600f0) returned 1 [0108.707] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecd0b340, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xecd0b340, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xd3ea4f80, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x6f428, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="vcredist_x86.exe", cAlternateFileName="VCREDI~1.EXE")) returned 0 [0108.707] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0108.708] wnsprintfW (in: pszDest=0x3be0128, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\PUSSY.TXT") returned 81 [0108.708] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0108.708] lstrlenA (lpString="abcd") returned 4 [0108.708] WriteFile (in: hFile=0x180, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0108.709] CloseHandle (hObject=0x180) returned 1 [0108.709] GetProcessHeap () returned 0x4c0000 [0108.709] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3be0128 | out: hHeap=0x4c0000) returned 1 [0108.709] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", cAlternateFileName="{37B8F~1.610")) returned 1 [0108.710] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="Windows") returned -1 [0108.710] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="Program Files") returned -1 [0108.710] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="Program Files (x86)") returned -1 [0108.710] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="$Recycle.bin") returned 1 [0108.710] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="System Volume Information") returned -1 [0108.710] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2=".") returned 1 [0108.710] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="..") returned 1 [0108.710] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030") returned 82 [0108.710] GetProcessHeap () returned 0x4c0000 [0108.710] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3be0128 [0108.710] lstrcpyW (in: lpString1=0x3be0128, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030" [0108.710] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*" [0108.710] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0108.711] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0108.711] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0108.711] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0108.711] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0108.711] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0108.711] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.711] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0108.711] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0108.712] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0108.712] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0108.712] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0108.712] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0108.712] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.712] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.712] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="packages", cAlternateFileName="")) returned 1 [0108.712] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0108.712] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0108.712] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0108.712] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0108.712] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0108.712] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0108.712] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0108.712] wnsprintfW (in: pszDest=0x3be0128, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages") returned 91 [0108.712] GetProcessHeap () returned 0x4c0000 [0108.712] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0108.713] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages" [0108.713] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*" [0108.713] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e29a0 [0108.714] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0108.714] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0108.714] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0108.714] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0108.714] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0108.714] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.714] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0108.714] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0108.714] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0108.714] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0108.714] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0108.714] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0108.714] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.714] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.714] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfac0a1e0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfac0a1e0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c61b06, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0108.714] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Windows") returned -1 [0108.715] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Program Files") returned 1 [0108.715] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Program Files (x86)") returned 1 [0108.715] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="$Recycle.bin") returned 1 [0108.715] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="System Volume Information") returned 1 [0108.715] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2=".") returned 1 [0108.715] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="..") returned 1 [0108.715] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64") returned 117 [0108.715] GetProcessHeap () returned 0x4c0000 [0108.715] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0108.716] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64" [0108.716] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*" [0108.716] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfac0a1e0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfac0a1e0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x4dbf10 [0108.807] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0108.807] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0108.807] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0108.807] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0108.807] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0108.807] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.807] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfac0a1e0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfac0a1e0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0108.807] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0108.807] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0108.820] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0108.820] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0108.820] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0108.820] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.820] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.820] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa87bcb00, ftCreationTime.dwHighDateTime=0x1ced4d9, ftLastAccessTime.dwLowDateTime=0xa87bcb00, ftLastAccessTime.dwHighDateTime=0x1ced4d9, ftLastWriteTime.dwLowDateTime=0xa87bcb00, ftLastWriteTime.dwHighDateTime=0x1ced4d9, nFileSizeHigh=0x0, nFileSizeLow=0x588124, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0108.820] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0108.820] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0108.820] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0108.820] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0108.820] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0108.820] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0108.820] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0108.820] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned 126 [0108.821] lstrcmpW (lpString1="cab1.cab", lpString2="PUSSY.TXT") returned -1 [0108.821] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0108.821] lstrlenW (lpString=".cab") returned 4 [0108.821] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0108.821] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0108.821] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=5800228) returned 1 [0108.821] GetProcessHeap () returned 0x4c0000 [0108.821] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0108.833] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="A6") returned 2 [0108.833] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="77") returned 2 [0108.833] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="10") returned 2 [0108.834] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="D9") returned 2 [0108.834] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="F8") returned 2 [0108.834] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="24") returned 2 [0108.834] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="D2") returned 2 [0108.834] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="EE") returned 2 [0108.834] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="7C") returned 2 [0108.834] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="41") returned 2 [0108.834] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="41") returned 2 [0108.834] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="07") returned 2 [0108.834] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="32") returned 2 [0108.834] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="DD") returned 2 [0108.834] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="48") returned 2 [0108.834] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="3C") returned 2 [0108.834] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="C0") returned 2 [0108.834] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="E9") returned 2 [0108.834] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="98") returned 2 [0108.834] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="55") returned 2 [0108.834] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="14") returned 2 [0108.834] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="F5") returned 2 [0108.834] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="0A") returned 2 [0108.834] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="63") returned 2 [0108.834] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="A5") returned 2 [0108.834] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="65") returned 2 [0108.834] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="02") returned 2 [0108.834] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="6B") returned 2 [0108.834] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="E0") returned 2 [0108.835] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="E4") returned 2 [0108.835] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="C2") returned 2 [0108.835] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="09") returned 2 [0108.857] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" [0108.857] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" [0108.857] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab", lpString2=".A67710D9F824D2EE7C41410732DD483CC0E9985514F50A63A565026BE0E4C209" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.A67710D9F824D2EE7C41410732DD483CC0E9985514F50A63A565026BE0E4C209") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.A67710D9F824D2EE7C41410732DD483CC0E9985514F50A63A565026BE0E4C209" [0108.857] CreateIoCompletionPort (FileHandle=0x16c, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0108.857] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0108.858] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4374a500, ftCreationTime.dwHighDateTime=0x1ced4da, ftLastAccessTime.dwLowDateTime=0x4374a500, ftLastAccessTime.dwHighDateTime=0x1ced4da, ftLastWriteTime.dwLowDateTime=0x4374a500, ftLastWriteTime.dwHighDateTime=0x1ced4da, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0108.858] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="Windows") returned -1 [0108.858] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="Program Files") returned 1 [0108.858] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="Program Files (x86)") returned 1 [0108.858] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="$Recycle.bin") returned 1 [0108.858] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="System Volume Information") returned 1 [0108.858] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2=".") returned 1 [0108.858] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="..") returned 1 [0108.858] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned 146 [0108.858] lstrcmpW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="PUSSY.TXT") returned 1 [0108.858] PathFindExtensionW (pszPath="vc_runtimeAdditional_x64.msi") returned=".msi" [0108.858] lstrlenW (lpString=".msi") returned 4 [0108.858] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0108.858] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0109.043] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=151552) returned 1 [0109.043] GetProcessHeap () returned 0x4c0000 [0109.043] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bb80d8 [0109.058] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="ED") returned 2 [0109.058] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="D9") returned 2 [0109.058] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="A8") returned 2 [0109.058] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="0F") returned 2 [0109.058] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="A6") returned 2 [0109.058] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="42") returned 2 [0109.058] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="2F") returned 2 [0109.058] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="FE") returned 2 [0109.058] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="70") returned 2 [0109.058] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="A9") returned 2 [0109.058] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="13") returned 2 [0109.058] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="3A") returned 2 [0109.058] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="7D") returned 2 [0109.058] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="0D") returned 2 [0109.058] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="46") returned 2 [0109.058] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="A5") returned 2 [0109.058] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="D8") returned 2 [0109.058] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="15") returned 2 [0109.058] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="85") returned 2 [0109.058] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="D7") returned 2 [0109.058] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="6C") returned 2 [0109.058] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="38") returned 2 [0109.058] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="71") returned 2 [0109.058] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="21") returned 2 [0109.059] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="9B") returned 2 [0109.059] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="F2") returned 2 [0109.059] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="0A") returned 2 [0109.059] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="10") returned 2 [0109.059] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="A0") returned 2 [0109.059] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="80") returned 2 [0109.059] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="D6") returned 2 [0109.059] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="0C") returned 2 [0109.071] lstrcpyW (in: lpString1=0x3bc810c, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" [0109.071] lstrcpyW (in: lpString1=0x3bb810c, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" [0109.071] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi", lpString2=".EDD9A80FA6422FFE70A9133A7D0D46A5D81585D76C3871219BF20A10A080D60C" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi.EDD9A80FA6422FFE70A9133A7D0D46A5D81585D76C3871219BF20A10A080D60C") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi.EDD9A80FA6422FFE70A9133A7D0D46A5D81585D76C3871219BF20A10A080D60C" [0109.071] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x3bb80d8, NumberOfConcurrentThreads=0x0) returned 0x94 [0109.072] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bb80d8, lpOverlapped=0x3bb80d8) returned 1 [0109.072] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4374a500, ftCreationTime.dwHighDateTime=0x1ced4da, ftLastAccessTime.dwLowDateTime=0x4374a500, ftLastAccessTime.dwHighDateTime=0x1ced4da, ftLastWriteTime.dwLowDateTime=0x4374a500, ftLastWriteTime.dwHighDateTime=0x1ced4da, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0109.072] FindClose (in: hFindFile=0x4dbf10 | out: hFindFile=0x4dbf10) returned 1 [0109.072] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\PUSSY.TXT") returned 127 [0109.072] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0109.072] lstrlenA (lpString="abcd") returned 4 [0109.073] WriteFile (in: hFile=0x19c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0109.074] CloseHandle (hObject=0x19c) returned 1 [0109.074] GetProcessHeap () returned 0x4c0000 [0109.074] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0109.076] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfac0a1e0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfac0a1e0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c61b06, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0109.076] FindClose (in: hFindFile=0x4e29a0 | out: hFindFile=0x4e29a0) returned 1 [0109.076] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\PUSSY.TXT") returned 101 [0109.076] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0109.077] lstrlenA (lpString="abcd") returned 4 [0109.077] WriteFile (in: hFile=0x174, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0109.078] CloseHandle (hObject=0x174) returned 1 [0109.078] GetProcessHeap () returned 0x4c0000 [0109.078] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0109.078] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="packages", cAlternateFileName="")) returned 0 [0109.078] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0109.078] wnsprintfW (in: pszDest=0x3be0128, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\PUSSY.TXT") returned 92 [0109.078] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0109.079] lstrlenA (lpString="abcd") returned 4 [0109.079] WriteFile (in: hFile=0x180, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0109.080] CloseHandle (hObject=0x180) returned 1 [0109.080] GetProcessHeap () returned 0x4c0000 [0109.080] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3be0128 | out: hHeap=0x4c0000) returned 1 [0109.081] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a0db1a0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a127460, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a127460, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="{3c3aafc8-d898-43ec-998f-965ffdae065a}", cAlternateFileName="{3C3AA~1")) returned 1 [0109.081] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="Windows") returned -1 [0109.081] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="Program Files") returned -1 [0109.081] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="Program Files (x86)") returned -1 [0109.081] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="$Recycle.bin") returned 1 [0109.081] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="System Volume Information") returned -1 [0109.081] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2=".") returned 1 [0109.081] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="..") returned 1 [0109.081] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}") returned 71 [0109.081] GetProcessHeap () returned 0x4c0000 [0109.081] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3be0128 [0109.081] lstrcpyW (in: lpString1=0x3be0128, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}" [0109.081] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*" [0109.081] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a0db1a0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a127460, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a127460, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0109.121] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0109.121] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0109.121] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0109.121] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0109.121] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0109.121] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0109.121] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a0db1a0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a127460, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a127460, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0109.121] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0109.121] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0109.121] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0109.121] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0109.121] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0109.121] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0109.121] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0109.122] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a127460, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a127460, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1c821ca0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x29a, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0109.122] lstrcmpiW (lpString1="state.rsm", lpString2="Windows") returned -1 [0109.122] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files") returned 1 [0109.122] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files (x86)") returned 1 [0109.122] lstrcmpiW (lpString1="state.rsm", lpString2="$Recycle.bin") returned 1 [0109.122] lstrcmpiW (lpString1="state.rsm", lpString2="System Volume Information") returned -1 [0109.122] lstrcmpiW (lpString1="state.rsm", lpString2=".") returned 1 [0109.122] lstrcmpiW (lpString1="state.rsm", lpString2="..") returned 1 [0109.122] wnsprintfW (in: pszDest=0x3be0128, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm") returned 81 [0109.122] lstrcmpW (lpString1="state.rsm", lpString2="PUSSY.TXT") returned 1 [0109.122] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0109.122] lstrlenW (lpString=".rsm") returned 4 [0109.122] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0109.122] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x174 [0109.123] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=666) returned 1 [0109.123] GetProcessHeap () returned 0x4c0000 [0109.123] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c28098 [0109.133] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="A6") returned 2 [0109.133] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="2E") returned 2 [0109.133] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="1B") returned 2 [0109.133] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="7F") returned 2 [0109.133] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="52") returned 2 [0109.133] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="48") returned 2 [0109.133] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="B4") returned 2 [0109.133] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="FE") returned 2 [0109.133] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="B2") returned 2 [0109.133] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="1C") returned 2 [0109.133] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="FC") returned 2 [0109.133] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="39") returned 2 [0109.133] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="DD") returned 2 [0109.133] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="BF") returned 2 [0109.133] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="E4") returned 2 [0109.134] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="A7") returned 2 [0109.134] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="00") returned 2 [0109.134] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="F1") returned 2 [0109.134] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="D1") returned 2 [0109.134] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="12") returned 2 [0109.134] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="DE") returned 2 [0109.134] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="9E") returned 2 [0109.134] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="6E") returned 2 [0109.134] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="8C") returned 2 [0109.134] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="C3") returned 2 [0109.134] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="3F") returned 2 [0109.134] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="DD") returned 2 [0109.134] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="C6") returned 2 [0109.134] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="59") returned 2 [0109.134] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="04") returned 2 [0109.134] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="67") returned 2 [0109.134] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="6E") returned 2 [0109.143] lstrcpyW (in: lpString1=0x3c380cc, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" [0109.143] lstrcpyW (in: lpString1=0x3c280cc, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" [0109.143] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm", lpString2=".A62E1B7F5248B4FEB21CFC39DDBFE4A700F1D112DE9E6E8CC33FDDC65904676E" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm.A62E1B7F5248B4FEB21CFC39DDBFE4A700F1D112DE9E6E8CC33FDDC65904676E") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm.A62E1B7F5248B4FEB21CFC39DDBFE4A700F1D112DE9E6E8CC33FDDC65904676E" [0109.143] CreateIoCompletionPort (FileHandle=0x174, ExistingCompletionPort=0x94, CompletionKey=0x3c28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0109.143] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c28098, lpOverlapped=0x3c28098) returned 1 [0109.144] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a0db1a0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a0db1a0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1073de80, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x710a8, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="vcredist_x64.exe", cAlternateFileName="VCREDI~1.EXE")) returned 1 [0109.144] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="Windows") returned -1 [0109.144] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="Program Files") returned 1 [0109.144] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="Program Files (x86)") returned 1 [0109.144] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="$Recycle.bin") returned 1 [0109.144] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="System Volume Information") returned 1 [0109.144] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2=".") returned 1 [0109.144] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="..") returned 1 [0109.144] wnsprintfW (in: pszDest=0x3be0128, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe") returned 88 [0109.144] lstrcmpW (lpString1="vcredist_x64.exe", lpString2="PUSSY.TXT") returned 1 [0109.144] PathFindExtensionW (pszPath="vcredist_x64.exe") returned=".exe" [0109.144] lstrlenW (lpString=".exe") returned 4 [0109.144] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0109.145] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0109.145] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=463016) returned 1 [0109.145] GetProcessHeap () returned 0x4c0000 [0109.145] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c500e8 [0109.155] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="DD") returned 2 [0109.155] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="87") returned 2 [0109.155] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="2E") returned 2 [0109.155] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="D8") returned 2 [0109.155] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="FC") returned 2 [0109.155] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="C4") returned 2 [0109.155] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="C5") returned 2 [0109.155] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="69") returned 2 [0109.155] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="31") returned 2 [0109.155] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="D9") returned 2 [0109.155] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="BC") returned 2 [0109.155] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="A1") returned 2 [0109.155] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="DA") returned 2 [0109.155] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="4F") returned 2 [0109.155] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="9C") returned 2 [0109.155] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="0F") returned 2 [0109.155] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="22") returned 2 [0109.155] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="58") returned 2 [0109.155] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="E2") returned 2 [0109.155] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="B1") returned 2 [0109.155] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="BE") returned 2 [0109.155] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="49") returned 2 [0109.156] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="EA") returned 2 [0109.156] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="78") returned 2 [0109.156] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="98") returned 2 [0109.156] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="29") returned 2 [0109.156] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="DE") returned 2 [0109.156] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="E6") returned 2 [0109.156] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="88") returned 2 [0109.156] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="D1") returned 2 [0109.156] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="5D") returned 2 [0109.156] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="76") returned 2 [0109.165] lstrcpyW (in: lpString1=0x3c6011c, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe" [0109.165] lstrcpyW (in: lpString1=0x3c5011c, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe" [0109.165] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe", lpString2=".DD872ED8FCC4C56931D9BCA1DA4F9C0F2258E2B1BE49EA789829DEE688D15D76" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe.DD872ED8FCC4C56931D9BCA1DA4F9C0F2258E2B1BE49EA789829DEE688D15D76") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe.DD872ED8FCC4C56931D9BCA1DA4F9C0F2258E2B1BE49EA789829DEE688D15D76" [0109.165] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x3c500e8, NumberOfConcurrentThreads=0x0) returned 0x94 [0109.165] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c500e8, lpOverlapped=0x3c500e8) returned 1 [0109.166] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a0db1a0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a0db1a0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1073de80, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x710a8, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="vcredist_x64.exe", cAlternateFileName="VCREDI~1.EXE")) returned 0 [0109.166] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0109.166] wnsprintfW (in: pszDest=0x3be0128, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\PUSSY.TXT") returned 81 [0109.166] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0109.196] lstrlenA (lpString="abcd") returned 4 [0109.196] WriteFile (in: hFile=0x180, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0109.196] CloseHandle (hObject=0x180) returned 1 [0109.197] GetProcessHeap () returned 0x4c0000 [0109.197] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3be0128 | out: hHeap=0x4c0000) returned 1 [0109.197] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", cAlternateFileName="{582EA~1.250")) returned 1 [0109.197] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="Windows") returned -1 [0109.197] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="Program Files") returned -1 [0109.197] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="Program Files (x86)") returned -1 [0109.197] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="$Recycle.bin") returned 1 [0109.197] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="System Volume Information") returned -1 [0109.197] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2=".") returned 1 [0109.197] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="..") returned 1 [0109.197] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017") returned 83 [0109.197] GetProcessHeap () returned 0x4c0000 [0109.197] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3be0128 [0109.197] lstrcpyW (in: lpString1=0x3be0128, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017" [0109.197] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\*" [0109.197] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0109.199] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0109.199] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0109.199] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0109.199] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0109.199] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0109.199] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0109.199] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0109.199] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0109.199] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0109.199] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0109.199] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0109.199] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0109.199] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0109.199] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0109.199] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="packages", cAlternateFileName="")) returned 1 [0109.199] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0109.199] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0109.199] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0109.200] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0109.200] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0109.200] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0109.200] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0109.200] wnsprintfW (in: pszDest=0x3be0128, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages") returned 92 [0109.200] GetProcessHeap () returned 0x4c0000 [0109.200] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0109.200] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages" [0109.201] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\*" [0109.201] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e29a0 [0109.201] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0109.201] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0109.201] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0109.201] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0109.201] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0109.201] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0109.201] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0109.201] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0109.201] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0109.201] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0109.201] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0109.201] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0109.201] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0109.201] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0109.201] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c61b06, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0109.201] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Windows") returned -1 [0109.201] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Program Files") returned 1 [0109.201] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Program Files (x86)") returned 1 [0109.201] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="$Recycle.bin") returned 1 [0109.202] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="System Volume Information") returned 1 [0109.202] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2=".") returned 1 [0109.202] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="..") returned 1 [0109.202] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86") returned 113 [0109.202] GetProcessHeap () returned 0x4c0000 [0109.202] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0109.202] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86" [0109.202] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*" [0109.203] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x4dbf10 [0109.203] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0109.203] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0109.203] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0109.203] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0109.203] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0109.203] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0109.203] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0109.203] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0109.203] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0109.203] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0109.203] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0109.203] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0109.203] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0109.203] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0109.203] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd15e8b00, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xd15e8b00, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xd15e8b00, ftLastWriteTime.dwHighDateTime=0x1d28824, nFileSizeHigh=0x0, nFileSizeLow=0x13babb, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0109.203] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0109.203] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0109.203] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0109.203] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0109.203] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0109.203] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0109.203] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0109.204] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned 122 [0109.204] lstrcmpW (lpString1="cab1.cab", lpString2="PUSSY.TXT") returned -1 [0109.204] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0109.204] lstrlenW (lpString=".cab") returned 4 [0109.204] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0109.204] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x114 [0109.206] GetFileSizeEx (in: hFile=0x114, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=1292987) returned 1 [0109.207] GetProcessHeap () returned 0x4c0000 [0109.207] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b88140 [0109.274] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="73") returned 2 [0109.274] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="FE") returned 2 [0109.274] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="A8") returned 2 [0109.274] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="45") returned 2 [0109.274] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="42") returned 2 [0109.274] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="5B") returned 2 [0109.274] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="41") returned 2 [0109.274] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="57") returned 2 [0109.274] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="24") returned 2 [0109.274] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="D7") returned 2 [0109.274] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="DD") returned 2 [0109.274] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="5E") returned 2 [0109.274] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="F3") returned 2 [0109.275] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="BC") returned 2 [0109.275] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="1D") returned 2 [0109.275] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="23") returned 2 [0109.275] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="B3") returned 2 [0109.275] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="12") returned 2 [0109.275] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="89") returned 2 [0109.275] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="9B") returned 2 [0109.275] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="84") returned 2 [0109.275] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="B8") returned 2 [0109.275] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="1A") returned 2 [0109.275] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="EC") returned 2 [0109.275] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="F8") returned 2 [0109.275] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="90") returned 2 [0109.275] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="54") returned 2 [0109.275] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="79") returned 2 [0109.275] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="08") returned 2 [0109.275] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="FB") returned 2 [0109.275] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="A5") returned 2 [0109.275] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="52") returned 2 [0109.283] lstrcpyW (in: lpString1=0x3b98174, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab" [0109.283] lstrcpyW (in: lpString1=0x3b88174, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab" [0109.283] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab", lpString2=".73FEA845425B415724D7DD5EF3BC1D23B312899B84B81AECF890547908FBA552" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab.73FEA845425B415724D7DD5EF3BC1D23B312899B84B81AECF890547908FBA552") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab.73FEA845425B415724D7DD5EF3BC1D23B312899B84B81AECF890547908FBA552" [0109.283] CreateIoCompletionPort (FileHandle=0x114, ExistingCompletionPort=0x94, CompletionKey=0x3b88140, NumberOfConcurrentThreads=0x0) returned 0x94 [0109.283] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b88140, lpOverlapped=0x3b88140) returned 1 [0109.284] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb17b200, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xfb17b200, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xfb17b200, ftLastWriteTime.dwHighDateTime=0x1d28824, nFileSizeHigh=0x0, nFileSizeLow=0x24000, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0109.284] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="Windows") returned -1 [0109.284] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="Program Files") returned 1 [0109.284] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="Program Files (x86)") returned 1 [0109.284] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="$Recycle.bin") returned 1 [0109.284] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="System Volume Information") returned 1 [0109.284] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2=".") returned 1 [0109.284] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="..") returned 1 [0109.284] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned 139 [0109.284] lstrcmpW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="PUSSY.TXT") returned 1 [0109.284] PathFindExtensionW (pszPath="vc_runtimeMinimum_x86.msi") returned=".msi" [0109.284] lstrlenW (lpString=".msi") returned 4 [0109.284] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0109.284] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0109.285] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=147456) returned 1 [0109.285] GetProcessHeap () returned 0x4c0000 [0109.285] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bb80d8 [0109.294] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="B1") returned 2 [0109.294] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="FD") returned 2 [0109.294] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="35") returned 2 [0109.294] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="E1") returned 2 [0109.294] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="F1") returned 2 [0109.294] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="0B") returned 2 [0109.294] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="95") returned 2 [0109.294] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="B5") returned 2 [0109.294] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="74") returned 2 [0109.294] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="3E") returned 2 [0109.294] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="2C") returned 2 [0109.294] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="2A") returned 2 [0109.294] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="05") returned 2 [0109.294] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="F8") returned 2 [0109.294] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="96") returned 2 [0109.294] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="5A") returned 2 [0109.294] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="38") returned 2 [0109.294] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="88") returned 2 [0109.294] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="AC") returned 2 [0109.294] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="73") returned 2 [0109.294] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="D5") returned 2 [0109.295] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="AF") returned 2 [0109.295] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="78") returned 2 [0109.295] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="B7") returned 2 [0109.295] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="49") returned 2 [0109.295] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="77") returned 2 [0109.295] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="FF") returned 2 [0109.295] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="52") returned 2 [0109.295] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="B6") returned 2 [0109.295] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="77") returned 2 [0109.295] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="78") returned 2 [0109.295] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="66") returned 2 [0109.303] lstrcpyW (in: lpString1=0x3bc810c, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" [0109.303] lstrcpyW (in: lpString1=0x3bb810c, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" [0109.303] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi", lpString2=".B1FD35E1F10B95B5743E2C2A05F8965A3888AC73D5AF78B74977FF52B6777866" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi.B1FD35E1F10B95B5743E2C2A05F8965A3888AC73D5AF78B74977FF52B6777866") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi.B1FD35E1F10B95B5743E2C2A05F8965A3888AC73D5AF78B74977FF52B6777866" [0109.303] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x3bb80d8, NumberOfConcurrentThreads=0x0) returned 0x94 [0109.303] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bb80d8, lpOverlapped=0x3bb80d8) returned 1 [0109.304] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb17b200, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xfb17b200, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xfb17b200, ftLastWriteTime.dwHighDateTime=0x1d28824, nFileSizeHigh=0x0, nFileSizeLow=0x24000, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0109.304] FindClose (in: hFindFile=0x4dbf10 | out: hFindFile=0x4dbf10) returned 1 [0109.307] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\PUSSY.TXT") returned 123 [0109.307] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0109.307] lstrlenA (lpString="abcd") returned 4 [0109.307] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0109.308] CloseHandle (hObject=0x18c) returned 1 [0109.308] GetProcessHeap () returned 0x4c0000 [0109.308] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0109.312] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c61b06, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0109.313] FindClose (in: hFindFile=0x4e29a0 | out: hFindFile=0x4e29a0) returned 1 [0109.313] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\PUSSY.TXT") returned 102 [0109.313] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0109.313] lstrlenA (lpString="abcd") returned 4 [0109.313] WriteFile (in: hFile=0x1a4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0109.314] CloseHandle (hObject=0x1a4) returned 1 [0109.314] GetProcessHeap () returned 0x4c0000 [0109.314] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0109.314] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="packages", cAlternateFileName="")) returned 0 [0109.314] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0109.314] wnsprintfW (in: pszDest=0x3be0128, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\PUSSY.TXT") returned 93 [0109.314] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0109.315] lstrlenA (lpString="abcd") returned 4 [0109.315] WriteFile (in: hFile=0x180, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0109.316] CloseHandle (hObject=0x180) returned 1 [0109.316] GetProcessHeap () returned 0x4c0000 [0109.316] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3be0128 | out: hHeap=0x4c0000) returned 1 [0109.317] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", cAlternateFileName="{68306~1.250")) returned 1 [0109.317] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="Windows") returned -1 [0109.317] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="Program Files") returned -1 [0109.317] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="Program Files (x86)") returned -1 [0109.317] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="$Recycle.bin") returned 1 [0109.317] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="System Volume Information") returned -1 [0109.317] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2=".") returned 1 [0109.317] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="..") returned 1 [0109.317] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017") returned 83 [0109.317] GetProcessHeap () returned 0x4c0000 [0109.317] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3be0128 [0109.318] lstrcpyW (in: lpString1=0x3be0128, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017" [0109.318] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\*" [0109.318] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0109.319] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0109.319] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0109.319] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0109.319] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0109.319] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0109.319] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0109.319] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0109.319] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0109.319] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0109.319] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0109.319] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0109.319] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0109.319] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0109.320] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0109.320] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="packages", cAlternateFileName="")) returned 1 [0109.320] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0109.320] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0109.320] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0109.320] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0109.320] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0109.320] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0109.320] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0109.320] wnsprintfW (in: pszDest=0x3be0128, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages") returned 92 [0109.320] GetProcessHeap () returned 0x4c0000 [0109.320] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0109.321] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages" [0109.321] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\*" [0109.321] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e29a0 [0109.321] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0109.321] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0109.321] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0109.321] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0109.321] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0109.321] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0109.321] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0109.321] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0109.321] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0109.321] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0109.321] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0109.321] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0109.321] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0109.321] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0109.321] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94fa460, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94fa460, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c61b06, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0109.321] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Windows") returned -1 [0109.322] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Program Files") returned 1 [0109.322] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Program Files (x86)") returned 1 [0109.322] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="$Recycle.bin") returned 1 [0109.322] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="System Volume Information") returned 1 [0109.322] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2=".") returned 1 [0109.322] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="..") returned 1 [0109.322] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86") returned 116 [0109.322] GetProcessHeap () returned 0x4c0000 [0109.322] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0109.323] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86" [0109.323] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*" [0109.323] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94fa460, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94fa460, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x4dbf10 [0109.323] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0109.323] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0109.323] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0109.323] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0109.323] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0109.323] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0109.324] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94fa460, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94fa460, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0109.324] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0109.324] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0109.324] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0109.324] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0109.324] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0109.324] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0109.324] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0109.324] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3c0e500, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xd3c0e500, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xd3c0e500, ftLastWriteTime.dwHighDateTime=0x1d28824, nFileSizeHigh=0x0, nFileSizeLow=0x4f699e, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0109.324] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0109.324] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0109.324] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0109.324] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0109.324] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0109.324] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0109.324] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0109.324] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned 125 [0109.324] lstrcmpW (lpString1="cab1.cab", lpString2="PUSSY.TXT") returned -1 [0109.324] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0109.324] lstrlenW (lpString=".cab") returned 4 [0109.324] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0109.324] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0109.391] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=5204382) returned 1 [0109.391] GetProcessHeap () returned 0x4c0000 [0109.391] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0109.404] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="B5") returned 2 [0109.404] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="9D") returned 2 [0109.404] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="AA") returned 2 [0109.404] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="F1") returned 2 [0109.404] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="82") returned 2 [0109.404] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="31") returned 2 [0109.404] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="84") returned 2 [0109.404] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="A9") returned 2 [0109.404] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="04") returned 2 [0109.404] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="7D") returned 2 [0109.404] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="19") returned 2 [0109.404] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="3D") returned 2 [0109.404] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="84") returned 2 [0109.404] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="32") returned 2 [0109.404] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="85") returned 2 [0109.404] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="B2") returned 2 [0109.404] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="70") returned 2 [0109.404] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="E3") returned 2 [0109.404] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="94") returned 2 [0109.404] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="9D") returned 2 [0109.404] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="D5") returned 2 [0109.404] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="8B") returned 2 [0109.405] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="0B") returned 2 [0109.405] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="9B") returned 2 [0109.405] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="19") returned 2 [0109.405] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="16") returned 2 [0109.405] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="D2") returned 2 [0109.405] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="FD") returned 2 [0109.405] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="58") returned 2 [0109.405] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="07") returned 2 [0109.405] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="4D") returned 2 [0109.405] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="2E") returned 2 [0109.413] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab" [0109.413] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab" [0109.413] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab", lpString2=".B59DAAF1823184A9047D193D843285B270E3949DD58B0B9B1916D2FD58074D2E" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab.B59DAAF1823184A9047D193D843285B270E3949DD58B0B9B1916D2FD58074D2E") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab.B59DAAF1823184A9047D193D843285B270E3949DD58B0B9B1916D2FD58074D2E" [0109.413] CreateIoCompletionPort (FileHandle=0x16c, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0109.414] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0109.414] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfeab3900, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xfeab3900, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xfeab3900, ftLastWriteTime.dwHighDateTime=0x1d28824, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0109.414] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="Windows") returned -1 [0109.414] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="Program Files") returned 1 [0109.414] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="Program Files (x86)") returned 1 [0109.444] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="$Recycle.bin") returned 1 [0109.444] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="System Volume Information") returned 1 [0109.444] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2=".") returned 1 [0109.444] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="..") returned 1 [0109.444] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned 145 [0109.444] lstrcmpW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="PUSSY.TXT") returned 1 [0109.445] PathFindExtensionW (pszPath="vc_runtimeAdditional_x86.msi") returned=".msi" [0109.445] lstrlenW (lpString=".msi") returned 4 [0109.445] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0109.445] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0109.445] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=143360) returned 1 [0109.445] GetProcessHeap () returned 0x4c0000 [0109.445] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c28098 [0109.454] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="70") returned 2 [0109.454] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="5B") returned 2 [0109.454] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="70") returned 2 [0109.454] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="E5") returned 2 [0109.455] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="34") returned 2 [0109.455] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="14") returned 2 [0109.455] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="28") returned 2 [0109.455] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="94") returned 2 [0109.455] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="4F") returned 2 [0109.455] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="B4") returned 2 [0109.455] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="80") returned 2 [0109.455] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="D0") returned 2 [0109.455] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="0D") returned 2 [0109.455] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="D8") returned 2 [0109.455] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="D8") returned 2 [0109.455] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="10") returned 2 [0109.455] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="61") returned 2 [0109.455] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="F5") returned 2 [0109.455] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="70") returned 2 [0109.455] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="9C") returned 2 [0109.455] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="F4") returned 2 [0109.455] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="D1") returned 2 [0109.455] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="C5") returned 2 [0109.455] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="AC") returned 2 [0109.455] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="2D") returned 2 [0109.455] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="02") returned 2 [0109.455] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="F4") returned 2 [0109.455] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="44") returned 2 [0109.455] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="C6") returned 2 [0109.455] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="D3") returned 2 [0109.455] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="3D") returned 2 [0109.455] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="25") returned 2 [0109.466] lstrcpyW (in: lpString1=0x3c380cc, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" [0109.466] lstrcpyW (in: lpString1=0x3c280cc, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" [0109.466] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi", lpString2=".705B70E5341428944FB480D00DD8D81061F5709CF4D1C5AC2D02F444C6D33D25" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi.705B70E5341428944FB480D00DD8D81061F5709CF4D1C5AC2D02F444C6D33D25") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi.705B70E5341428944FB480D00DD8D81061F5709CF4D1C5AC2D02F444C6D33D25" [0109.466] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x3c28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0109.466] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c28098, lpOverlapped=0x3c28098) returned 1 [0109.466] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfeab3900, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xfeab3900, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xfeab3900, ftLastWriteTime.dwHighDateTime=0x1d28824, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0109.466] FindClose (in: hFindFile=0x4dbf10 | out: hFindFile=0x4dbf10) returned 1 [0109.467] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\PUSSY.TXT") returned 126 [0109.467] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0109.467] lstrlenA (lpString="abcd") returned 4 [0109.467] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0109.468] CloseHandle (hObject=0x18c) returned 1 [0109.468] GetProcessHeap () returned 0x4c0000 [0109.469] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0109.469] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94fa460, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94fa460, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c61b06, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0109.469] FindClose (in: hFindFile=0x4e29a0 | out: hFindFile=0x4e29a0) returned 1 [0109.469] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\PUSSY.TXT") returned 102 [0109.469] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0109.469] lstrlenA (lpString="abcd") returned 4 [0109.469] WriteFile (in: hFile=0x1a4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0109.470] CloseHandle (hObject=0x1a4) returned 1 [0109.470] GetProcessHeap () returned 0x4c0000 [0109.470] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0109.470] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="packages", cAlternateFileName="")) returned 0 [0109.470] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0109.470] wnsprintfW (in: pszDest=0x3be0128, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\PUSSY.TXT") returned 93 [0109.470] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0109.471] lstrlenA (lpString="abcd") returned 4 [0109.471] WriteFile (in: hFile=0x180, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0109.472] CloseHandle (hObject=0x180) returned 1 [0109.472] GetProcessHeap () returned 0x4c0000 [0109.472] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3be0128 | out: hHeap=0x4c0000) returned 1 [0109.474] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa931c450, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa931c450, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", cAlternateFileName="{8D4F7~1.250")) returned 1 [0109.474] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="Windows") returned -1 [0109.474] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="Program Files") returned -1 [0109.474] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="Program Files (x86)") returned -1 [0109.474] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="$Recycle.bin") returned 1 [0109.474] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="System Volume Information") returned -1 [0109.474] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2=".") returned 1 [0109.474] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="..") returned 1 [0109.474] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017") returned 83 [0109.474] GetProcessHeap () returned 0x4c0000 [0109.474] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3be0128 [0109.475] lstrcpyW (in: lpString1=0x3be0128, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017" [0109.475] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*" [0109.475] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa931c450, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa931c450, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0109.500] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0109.500] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0109.500] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0109.500] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0109.500] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0109.500] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0109.500] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa931c450, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa931c450, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0109.500] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0109.500] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0109.500] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0109.500] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0109.500] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0109.500] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0109.500] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0109.500] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa931c450, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa931c450, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="packages", cAlternateFileName="")) returned 1 [0109.501] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0109.501] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0109.501] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0109.501] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0109.501] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0109.501] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0109.501] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0109.501] wnsprintfW (in: pszDest=0x3be0128, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages") returned 92 [0109.501] GetProcessHeap () returned 0x4c0000 [0109.501] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0109.502] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages" [0109.502] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\*" [0109.502] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa931c450, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa931c450, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e29a0 [0109.503] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0109.503] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0109.504] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0109.504] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0109.504] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0109.504] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0109.504] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa931c450, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa931c450, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0109.504] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0109.504] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0109.504] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0109.504] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0109.504] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0109.504] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0109.504] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0109.504] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa93425b0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa93425b0, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c61b06, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0109.504] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Windows") returned -1 [0109.504] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Program Files") returned 1 [0109.504] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Program Files (x86)") returned 1 [0109.504] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="$Recycle.bin") returned 1 [0109.504] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="System Volume Information") returned 1 [0109.504] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2=".") returned 1 [0109.504] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="..") returned 1 [0109.504] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64") returned 115 [0109.504] GetProcessHeap () returned 0x4c0000 [0109.504] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0109.505] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64" [0109.505] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*" [0109.506] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa93425b0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa93425b0, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x4dbf10 [0109.506] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0109.506] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0109.506] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0109.506] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0109.506] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0109.506] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0109.506] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa93425b0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa93425b0, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0109.506] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0109.506] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0109.506] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0109.506] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0109.506] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0109.507] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0109.507] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0109.507] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3c0e500, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xd3c0e500, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xd3c0e500, ftLastWriteTime.dwHighDateTime=0x1d28824, nFileSizeHigh=0x0, nFileSizeLow=0x165257, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0109.507] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0109.507] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0109.507] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0109.507] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0109.507] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0109.507] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0109.507] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0109.507] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned 124 [0109.507] lstrcmpW (lpString1="cab1.cab", lpString2="PUSSY.TXT") returned -1 [0109.507] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0109.507] lstrlenW (lpString=".cab") returned 4 [0109.507] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0109.507] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xec [0109.511] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=1462871) returned 1 [0109.511] GetProcessHeap () returned 0x4c0000 [0109.511] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b380a0 [0109.568] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="E1") returned 2 [0109.568] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="A0") returned 2 [0109.568] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="4C") returned 2 [0109.568] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="6D") returned 2 [0109.568] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="E8") returned 2 [0109.568] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="B3") returned 2 [0109.568] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="F1") returned 2 [0109.568] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="35") returned 2 [0109.568] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="5E") returned 2 [0109.568] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="4C") returned 2 [0109.568] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="B6") returned 2 [0109.568] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="78") returned 2 [0109.568] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="C2") returned 2 [0109.568] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="A7") returned 2 [0109.568] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="AA") returned 2 [0109.568] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="BE") returned 2 [0109.569] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="E9") returned 2 [0109.569] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="43") returned 2 [0109.569] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="13") returned 2 [0109.569] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="8F") returned 2 [0109.569] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="63") returned 2 [0109.569] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="C1") returned 2 [0109.569] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="7E") returned 2 [0109.569] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="A6") returned 2 [0109.569] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="DE") returned 2 [0109.569] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="07") returned 2 [0109.569] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="C5") returned 2 [0109.569] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="E4") returned 2 [0109.569] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="DB") returned 2 [0109.569] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="E2") returned 2 [0109.569] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="FE") returned 2 [0109.569] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="16") returned 2 [0109.579] lstrcpyW (in: lpString1=0x3b480d4, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" [0109.579] lstrcpyW (in: lpString1=0x3b380d4, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" [0109.579] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab", lpString2=".E1A04C6DE8B3F1355E4CB678C2A7AABEE943138F63C17EA6DE07C5E4DBE2FE16" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.E1A04C6DE8B3F1355E4CB678C2A7AABEE943138F63C17EA6DE07C5E4DBE2FE16") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.E1A04C6DE8B3F1355E4CB678C2A7AABEE943138F63C17EA6DE07C5E4DBE2FE16" [0109.579] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x94, CompletionKey=0x3b380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0109.579] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b380a0, lpOverlapped=0x3b380a0) returned 1 [0109.580] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd7a0c00, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xfd7a0c00, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xfd7a0c00, ftLastWriteTime.dwHighDateTime=0x1d28824, nFileSizeHigh=0x0, nFileSizeLow=0x24000, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0109.580] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="Windows") returned -1 [0109.580] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="Program Files") returned 1 [0109.580] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="Program Files (x86)") returned 1 [0109.580] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="$Recycle.bin") returned 1 [0109.580] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="System Volume Information") returned 1 [0109.580] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2=".") returned 1 [0109.580] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="..") returned 1 [0109.580] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned 141 [0109.580] lstrcmpW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="PUSSY.TXT") returned 1 [0109.580] PathFindExtensionW (pszPath="vc_runtimeMinimum_x64.msi") returned=".msi" [0109.580] lstrlenW (lpString=".msi") returned 4 [0109.580] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0109.580] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0109.581] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=147456) returned 1 [0109.581] GetProcessHeap () returned 0x4c0000 [0109.581] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bb80d8 [0109.592] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="B0") returned 2 [0109.592] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="C8") returned 2 [0109.592] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="47") returned 2 [0109.593] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="31") returned 2 [0109.593] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="50") returned 2 [0109.593] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="11") returned 2 [0109.593] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="CB") returned 2 [0109.593] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="FB") returned 2 [0109.593] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="47") returned 2 [0109.593] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="CA") returned 2 [0109.593] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="75") returned 2 [0109.593] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="4F") returned 2 [0109.593] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="5E") returned 2 [0109.593] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="C4") returned 2 [0109.593] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="BB") returned 2 [0109.593] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="7B") returned 2 [0109.593] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="3C") returned 2 [0109.593] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="B7") returned 2 [0109.593] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="D8") returned 2 [0109.593] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="57") returned 2 [0109.593] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="2D") returned 2 [0109.593] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="A5") returned 2 [0109.593] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="61") returned 2 [0109.593] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="2C") returned 2 [0109.593] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="55") returned 2 [0109.593] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="20") returned 2 [0109.593] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="EE") returned 2 [0109.593] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="DF") returned 2 [0109.593] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="A1") returned 2 [0109.593] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="54") returned 2 [0109.593] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="71") returned 2 [0109.593] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="5F") returned 2 [0109.602] lstrcpyW (in: lpString1=0x3bc810c, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" [0109.602] lstrcpyW (in: lpString1=0x3bb810c, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" [0109.602] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi", lpString2=".B0C847315011CBFB47CA754F5EC4BB7B3CB7D8572DA5612C5520EEDFA154715F" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi.B0C847315011CBFB47CA754F5EC4BB7B3CB7D8572DA5612C5520EEDFA154715F") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi.B0C847315011CBFB47CA754F5EC4BB7B3CB7D8572DA5612C5520EEDFA154715F" [0109.602] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x3bb80d8, NumberOfConcurrentThreads=0x0) returned 0x94 [0109.602] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bb80d8, lpOverlapped=0x3bb80d8) returned 1 [0109.602] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd7a0c00, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xfd7a0c00, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xfd7a0c00, ftLastWriteTime.dwHighDateTime=0x1d28824, nFileSizeHigh=0x0, nFileSizeLow=0x24000, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0109.603] FindClose (in: hFindFile=0x4dbf10 | out: hFindFile=0x4dbf10) returned 1 [0109.603] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\PUSSY.TXT") returned 125 [0109.603] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0109.603] lstrlenA (lpString="abcd") returned 4 [0109.603] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0109.604] CloseHandle (hObject=0x18c) returned 1 [0109.604] GetProcessHeap () returned 0x4c0000 [0109.605] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0109.607] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa93425b0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa93425b0, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c61b06, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0109.607] FindClose (in: hFindFile=0x4e29a0 | out: hFindFile=0x4e29a0) returned 1 [0109.607] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\PUSSY.TXT") returned 102 [0109.607] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0109.608] lstrlenA (lpString="abcd") returned 4 [0109.608] WriteFile (in: hFile=0x1a4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0109.608] CloseHandle (hObject=0x1a4) returned 1 [0109.609] GetProcessHeap () returned 0x4c0000 [0109.609] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0109.609] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa931c450, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa931c450, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="packages", cAlternateFileName="")) returned 0 [0109.609] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0109.609] wnsprintfW (in: pszDest=0x3be0128, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\PUSSY.TXT") returned 93 [0109.609] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0109.609] lstrlenA (lpString="abcd") returned 4 [0109.609] WriteFile (in: hFile=0x180, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0109.610] CloseHandle (hObject=0x180) returned 1 [0109.610] GetProcessHeap () returned 0x4c0000 [0109.610] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3be0128 | out: hHeap=0x4c0000) returned 1 [0109.610] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a20bca0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a20bca0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", cAlternateFileName="{929FB~1.210")) returned 1 [0109.610] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="Windows") returned -1 [0109.610] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="Program Files") returned -1 [0109.610] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="Program Files (x86)") returned -1 [0109.610] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="$Recycle.bin") returned 1 [0109.611] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="System Volume Information") returned -1 [0109.611] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2=".") returned 1 [0109.611] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="..") returned 1 [0109.611] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005") returned 82 [0109.611] GetProcessHeap () returned 0x4c0000 [0109.611] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3be0128 [0109.611] lstrcpyW (in: lpString1=0x3be0128, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005" [0109.611] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*" [0109.611] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a20bca0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a20bca0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0109.611] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0109.611] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0109.611] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0109.611] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0109.611] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0109.611] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0109.611] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a20bca0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a20bca0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0109.611] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0109.612] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0109.612] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0109.612] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0109.612] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0109.612] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0109.612] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0109.612] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a20bca0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a20bca0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="packages", cAlternateFileName="")) returned 1 [0109.612] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0109.612] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0109.612] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0109.612] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0109.612] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0109.612] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0109.612] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0109.612] wnsprintfW (in: pszDest=0x3be0128, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages") returned 91 [0109.612] GetProcessHeap () returned 0x4c0000 [0109.612] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0109.612] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages" [0109.612] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*" [0109.612] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a20bca0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a20bca0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e29a0 [0109.613] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0109.613] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0109.613] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0109.613] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0109.613] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0109.613] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0109.613] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a20bca0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a20bca0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0109.613] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0109.613] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0109.613] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0109.613] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0109.613] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0109.613] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0109.613] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0109.613] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a257f60, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a257f60, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c61b06, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0109.613] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Windows") returned -1 [0109.613] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Program Files") returned 1 [0109.613] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Program Files (x86)") returned 1 [0109.613] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="$Recycle.bin") returned 1 [0109.613] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="System Volume Information") returned 1 [0109.613] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2=".") returned 1 [0109.614] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="..") returned 1 [0109.614] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64") returned 117 [0109.614] GetProcessHeap () returned 0x4c0000 [0109.614] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0109.615] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64" [0109.615] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*" [0109.615] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a257f60, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a257f60, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x4dbf10 [0109.615] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0109.615] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0109.615] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0109.615] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0109.615] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0109.615] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0109.615] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a257f60, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a257f60, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0109.615] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0109.615] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0109.615] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0109.615] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0109.615] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0109.615] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0109.615] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0109.615] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c9b1b00, ftCreationTime.dwHighDateTime=0x1cf3dd2, ftLastAccessTime.dwLowDateTime=0x7c9b1b00, ftLastAccessTime.dwHighDateTime=0x1cf3dd2, ftLastWriteTime.dwLowDateTime=0x7c9b1b00, ftLastWriteTime.dwHighDateTime=0x1cf3dd2, nFileSizeHigh=0x0, nFileSizeLow=0x554520, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0109.615] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0109.616] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0109.616] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0109.616] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0109.616] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0109.616] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0109.616] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0109.616] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned 126 [0109.616] lstrcmpW (lpString1="cab1.cab", lpString2="PUSSY.TXT") returned -1 [0109.616] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0109.616] lstrlenW (lpString=".cab") returned 4 [0109.616] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0109.616] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x114 [0109.620] GetFileSizeEx (in: hFile=0x114, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=5588256) returned 1 [0109.620] GetProcessHeap () returned 0x4c0000 [0109.620] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c500e8 [0109.630] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="4C") returned 2 [0109.631] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="98") returned 2 [0109.631] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="58") returned 2 [0109.631] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="CB") returned 2 [0109.631] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="7B") returned 2 [0109.631] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="01") returned 2 [0109.631] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="A6") returned 2 [0109.631] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="5C") returned 2 [0109.631] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="B9") returned 2 [0109.631] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="0A") returned 2 [0109.631] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="67") returned 2 [0109.631] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="4B") returned 2 [0109.631] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="96") returned 2 [0109.631] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="1F") returned 2 [0109.631] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="B4") returned 2 [0109.631] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="D8") returned 2 [0109.631] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="54") returned 2 [0109.631] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="39") returned 2 [0109.631] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="70") returned 2 [0109.631] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="DE") returned 2 [0109.631] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="FF") returned 2 [0109.631] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="0B") returned 2 [0109.631] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="18") returned 2 [0109.631] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="47") returned 2 [0109.631] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="16") returned 2 [0109.631] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="13") returned 2 [0109.631] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="6B") returned 2 [0109.632] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="6A") returned 2 [0109.632] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="79") returned 2 [0109.632] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="6F") returned 2 [0109.632] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="9D") returned 2 [0109.632] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="4D") returned 2 [0109.708] lstrcpyW (in: lpString1=0x3c6011c, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" [0109.708] lstrcpyW (in: lpString1=0x3c5011c, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" [0109.708] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab", lpString2=".4C9858CB7B01A65CB90A674B961FB4D8543970DEFF0B184716136B6A796F9D4D" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.4C9858CB7B01A65CB90A674B961FB4D8543970DEFF0B184716136B6A796F9D4D") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.4C9858CB7B01A65CB90A674B961FB4D8543970DEFF0B184716136B6A796F9D4D" [0109.708] CreateIoCompletionPort (FileHandle=0x114, ExistingCompletionPort=0x94, CompletionKey=0x3c500e8, NumberOfConcurrentThreads=0x0) returned 0x94 [0109.708] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c500e8, lpOverlapped=0x3c500e8) returned 1 [0109.709] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7a38c100, ftCreationTime.dwHighDateTime=0x1cf3dd2, ftLastAccessTime.dwLowDateTime=0x7a38c100, ftLastAccessTime.dwHighDateTime=0x1cf3dd2, ftLastWriteTime.dwLowDateTime=0x7a38c100, ftLastWriteTime.dwHighDateTime=0x1cf3dd2, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0109.709] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="Windows") returned -1 [0109.709] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="Program Files") returned 1 [0109.709] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="Program Files (x86)") returned 1 [0109.752] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="$Recycle.bin") returned 1 [0109.752] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="System Volume Information") returned 1 [0109.752] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2=".") returned 1 [0109.752] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="..") returned 1 [0109.752] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned 146 [0109.752] lstrcmpW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="PUSSY.TXT") returned 1 [0109.752] PathFindExtensionW (pszPath="vc_runtimeAdditional_x64.msi") returned=".msi" [0109.752] lstrlenW (lpString=".msi") returned 4 [0109.752] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0109.752] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0109.753] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=143360) returned 1 [0109.753] GetProcessHeap () returned 0x4c0000 [0109.753] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b600f0 [0109.768] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="22") returned 2 [0109.768] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="18") returned 2 [0109.768] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="F5") returned 2 [0109.768] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="31") returned 2 [0109.768] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="B5") returned 2 [0109.768] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="35") returned 2 [0109.768] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="A4") returned 2 [0109.768] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="2F") returned 2 [0109.768] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="E1") returned 2 [0109.768] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="6E") returned 2 [0109.768] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="5F") returned 2 [0109.768] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="FB") returned 2 [0109.768] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="B8") returned 2 [0109.768] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="81") returned 2 [0109.768] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="FC") returned 2 [0109.768] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="F7") returned 2 [0109.768] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="FA") returned 2 [0109.768] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="33") returned 2 [0109.768] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="DF") returned 2 [0109.769] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="AC") returned 2 [0109.769] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="C8") returned 2 [0109.769] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="FC") returned 2 [0109.769] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="5C") returned 2 [0109.769] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="DB") returned 2 [0109.769] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="53") returned 2 [0109.769] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="98") returned 2 [0109.769] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="F2") returned 2 [0109.769] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="FF") returned 2 [0109.769] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="A1") returned 2 [0109.769] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="E9") returned 2 [0109.769] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="7E") returned 2 [0109.769] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="24") returned 2 [0109.781] lstrcpyW (in: lpString1=0x3b70124, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" [0109.781] lstrcpyW (in: lpString1=0x3b60124, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" [0109.781] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi", lpString2=".2218F531B535A42FE16E5FFBB881FCF7FA33DFACC8FC5CDB5398F2FFA1E97E24" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi.2218F531B535A42FE16E5FFBB881FCF7FA33DFACC8FC5CDB5398F2FFA1E97E24") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi.2218F531B535A42FE16E5FFBB881FCF7FA33DFACC8FC5CDB5398F2FFA1E97E24" [0109.781] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x3b600f0, NumberOfConcurrentThreads=0x0) returned 0x94 [0109.781] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b600f0, lpOverlapped=0x3b600f0) returned 1 [0109.782] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7a38c100, ftCreationTime.dwHighDateTime=0x1cf3dd2, ftLastAccessTime.dwLowDateTime=0x7a38c100, ftLastAccessTime.dwHighDateTime=0x1cf3dd2, ftLastWriteTime.dwLowDateTime=0x7a38c100, ftLastWriteTime.dwHighDateTime=0x1cf3dd2, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0109.782] FindClose (in: hFindFile=0x4dbf10 | out: hFindFile=0x4dbf10) returned 1 [0109.782] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\PUSSY.TXT") returned 127 [0109.782] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0109.782] lstrlenA (lpString="abcd") returned 4 [0109.783] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0109.784] CloseHandle (hObject=0x18c) returned 1 [0109.784] GetProcessHeap () returned 0x4c0000 [0109.784] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0109.784] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a257f60, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a257f60, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c61b06, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0109.784] FindClose (in: hFindFile=0x4e29a0 | out: hFindFile=0x4e29a0) returned 1 [0109.784] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\PUSSY.TXT") returned 101 [0109.784] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0109.795] lstrlenA (lpString="abcd") returned 4 [0109.795] WriteFile (in: hFile=0x1a4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0109.796] CloseHandle (hObject=0x1a4) returned 1 [0109.796] GetProcessHeap () returned 0x4c0000 [0109.796] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0109.796] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a20bca0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a20bca0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="packages", cAlternateFileName="")) returned 0 [0109.796] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0109.796] wnsprintfW (in: pszDest=0x3be0128, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\PUSSY.TXT") returned 92 [0109.796] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0109.797] lstrlenA (lpString="abcd") returned 4 [0109.797] WriteFile (in: hFile=0x180, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0109.798] CloseHandle (hObject=0x180) returned 1 [0109.798] GetProcessHeap () returned 0x4c0000 [0109.798] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3be0128 | out: hHeap=0x4c0000) returned 1 [0109.801] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a199880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", cAlternateFileName="{A749D~1.210")) returned 1 [0109.801] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="Windows") returned -1 [0109.801] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="Program Files") returned -1 [0109.801] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="Program Files (x86)") returned -1 [0109.801] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="$Recycle.bin") returned 1 [0109.801] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="System Volume Information") returned -1 [0109.801] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2=".") returned 1 [0109.801] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="..") returned 1 [0109.801] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005") returned 82 [0109.801] GetProcessHeap () returned 0x4c0000 [0109.801] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3be0128 [0109.802] lstrcpyW (in: lpString1=0x3be0128, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005" [0109.802] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*" [0109.802] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a199880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0109.803] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0109.803] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0109.803] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0109.803] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0109.803] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0109.803] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0109.803] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a199880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0109.803] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0109.803] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0109.803] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0109.803] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0109.803] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0109.803] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0109.803] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0109.803] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="packages", cAlternateFileName="")) returned 1 [0109.803] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0109.803] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0109.803] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0109.803] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0109.803] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0109.803] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0109.803] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0109.803] wnsprintfW (in: pszDest=0x3be0128, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages") returned 91 [0109.804] GetProcessHeap () returned 0x4c0000 [0109.804] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0109.804] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages" [0109.804] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*" [0109.805] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e29a0 [0109.805] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0109.805] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0109.805] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0109.805] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0109.805] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0109.805] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0109.805] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0109.805] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0109.805] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0109.805] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0109.805] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0109.805] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0109.805] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0109.805] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0109.805] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c61b06, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0109.805] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Windows") returned -1 [0109.805] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Program Files") returned 1 [0109.806] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Program Files (x86)") returned 1 [0109.806] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="$Recycle.bin") returned 1 [0109.806] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="System Volume Information") returned 1 [0109.806] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2=".") returned 1 [0109.806] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="..") returned 1 [0109.806] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64") returned 114 [0109.806] GetProcessHeap () returned 0x4c0000 [0109.806] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0109.821] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64" [0109.821] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*" [0109.821] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x4dbf10 [0109.822] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0109.822] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0109.822] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0109.822] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0109.822] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0109.822] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0109.822] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0109.822] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0109.822] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0109.822] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0109.822] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0109.822] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0109.822] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0109.822] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0109.823] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b69ee00, ftCreationTime.dwHighDateTime=0x1cf3dd2, ftLastAccessTime.dwLowDateTime=0x7b69ee00, ftLastAccessTime.dwHighDateTime=0x1cf3dd2, ftLastWriteTime.dwLowDateTime=0x7b69ee00, ftLastWriteTime.dwHighDateTime=0x1cf3dd2, nFileSizeHigh=0x0, nFileSizeLow=0xfc90a, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0109.823] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0109.823] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0109.823] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0109.823] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0109.823] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0109.823] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0109.823] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0109.823] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned 123 [0109.823] lstrcmpW (lpString1="cab1.cab", lpString2="PUSSY.TXT") returned -1 [0109.823] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0109.823] lstrlenW (lpString=".cab") returned 4 [0109.823] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0109.823] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x174 [0109.824] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=1034506) returned 1 [0109.824] GetProcessHeap () returned 0x4c0000 [0109.824] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b88140 [0109.836] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="3D") returned 2 [0109.836] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="62") returned 2 [0109.836] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="94") returned 2 [0109.836] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="13") returned 2 [0109.836] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="C6") returned 2 [0109.836] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="FE") returned 2 [0109.836] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="F4") returned 2 [0109.836] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="F8") returned 2 [0109.837] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="74") returned 2 [0109.837] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="11") returned 2 [0109.837] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="72") returned 2 [0109.837] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="D5") returned 2 [0109.837] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="CD") returned 2 [0109.837] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="86") returned 2 [0109.837] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="0D") returned 2 [0109.837] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="C0") returned 2 [0109.837] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="81") returned 2 [0109.837] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="A8") returned 2 [0109.837] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="7F") returned 2 [0109.837] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="6F") returned 2 [0109.837] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="EB") returned 2 [0109.837] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="73") returned 2 [0109.837] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="78") returned 2 [0109.837] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="08") returned 2 [0109.837] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="37") returned 2 [0109.837] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="BD") returned 2 [0109.837] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="99") returned 2 [0109.837] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="CA") returned 2 [0109.837] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="CC") returned 2 [0109.837] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="CF") returned 2 [0109.837] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="01") returned 2 [0109.837] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="48") returned 2 [0109.846] lstrcpyW (in: lpString1=0x3b98174, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" [0109.846] lstrcpyW (in: lpString1=0x3b88174, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" [0109.846] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab", lpString2=".3D629413C6FEF4F8741172D5CD860DC081A87F6FEB73780837BD99CACCCF0148" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.3D629413C6FEF4F8741172D5CD860DC081A87F6FEB73780837BD99CACCCF0148") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.3D629413C6FEF4F8741172D5CD860DC081A87F6FEB73780837BD99CACCCF0148" [0109.846] CreateIoCompletionPort (FileHandle=0x174, ExistingCompletionPort=0x94, CompletionKey=0x3b88140, NumberOfConcurrentThreads=0x0) returned 0x94 [0109.846] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b88140, lpOverlapped=0x3b88140) returned 1 [0109.846] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7a38c100, ftCreationTime.dwHighDateTime=0x1cf3dd2, ftLastAccessTime.dwLowDateTime=0x7a38c100, ftLastAccessTime.dwHighDateTime=0x1cf3dd2, ftLastWriteTime.dwLowDateTime=0x7a38c100, ftLastWriteTime.dwHighDateTime=0x1cf3dd2, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0109.846] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="Windows") returned -1 [0109.846] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="Program Files") returned 1 [0109.846] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="Program Files (x86)") returned 1 [0109.846] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="$Recycle.bin") returned 1 [0109.846] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="System Volume Information") returned 1 [0109.846] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2=".") returned 1 [0109.846] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="..") returned 1 [0109.847] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned 140 [0109.847] lstrcmpW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="PUSSY.TXT") returned 1 [0109.889] PathFindExtensionW (pszPath="vc_runtimeMinimum_x64.msi") returned=".msi" [0109.889] lstrlenW (lpString=".msi") returned 4 [0109.889] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0109.889] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x190 [0109.891] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=143360) returned 1 [0109.891] GetProcessHeap () returned 0x4c0000 [0109.891] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0109.905] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="37") returned 2 [0109.905] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="AA") returned 2 [0109.905] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="7B") returned 2 [0109.905] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="2C") returned 2 [0109.905] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="B6") returned 2 [0109.905] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="CB") returned 2 [0109.905] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="76") returned 2 [0109.905] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="2C") returned 2 [0109.905] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="54") returned 2 [0109.905] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="89") returned 2 [0109.905] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="A6") returned 2 [0109.905] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="E1") returned 2 [0109.905] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="9C") returned 2 [0109.905] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="86") returned 2 [0109.905] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="38") returned 2 [0109.905] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="66") returned 2 [0109.905] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="78") returned 2 [0109.906] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="90") returned 2 [0109.906] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="67") returned 2 [0109.906] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="A0") returned 2 [0109.906] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="87") returned 2 [0109.906] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="A3") returned 2 [0109.906] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="44") returned 2 [0109.906] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="63") returned 2 [0109.906] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="C9") returned 2 [0109.906] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="37") returned 2 [0109.906] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="0D") returned 2 [0109.906] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="73") returned 2 [0109.906] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="F5") returned 2 [0109.906] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="6F") returned 2 [0109.906] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="6A") returned 2 [0109.906] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="60") returned 2 [0110.004] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" [0110.004] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" [0110.004] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi", lpString2=".37AA7B2CB6CB762C5489A6E19C863866789067A087A34463C9370D73F56F6A60" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi.37AA7B2CB6CB762C5489A6E19C863866789067A087A34463C9370D73F56F6A60") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi.37AA7B2CB6CB762C5489A6E19C863866789067A087A34463C9370D73F56F6A60" [0110.004] CreateIoCompletionPort (FileHandle=0x190, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0110.004] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0110.004] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7a38c100, ftCreationTime.dwHighDateTime=0x1cf3dd2, ftLastAccessTime.dwLowDateTime=0x7a38c100, ftLastAccessTime.dwHighDateTime=0x1cf3dd2, ftLastWriteTime.dwLowDateTime=0x7a38c100, ftLastWriteTime.dwHighDateTime=0x1cf3dd2, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0110.004] FindClose (in: hFindFile=0x4dbf10 | out: hFindFile=0x4dbf10) returned 1 [0110.005] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\PUSSY.TXT") returned 124 [0110.005] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0110.049] lstrlenA (lpString="abcd") returned 4 [0110.049] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0110.050] CloseHandle (hObject=0x18c) returned 1 [0110.050] GetProcessHeap () returned 0x4c0000 [0110.050] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0110.056] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c61b06, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0110.056] FindClose (in: hFindFile=0x4e29a0 | out: hFindFile=0x4e29a0) returned 1 [0110.056] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\PUSSY.TXT") returned 101 [0110.057] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0110.057] lstrlenA (lpString="abcd") returned 4 [0110.057] WriteFile (in: hFile=0x1a4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0110.058] CloseHandle (hObject=0x1a4) returned 1 [0110.059] GetProcessHeap () returned 0x4c0000 [0110.059] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0110.059] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="packages", cAlternateFileName="")) returned 0 [0110.059] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0110.059] wnsprintfW (in: pszDest=0x3be0128, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\PUSSY.TXT") returned 92 [0110.059] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0110.060] lstrlenA (lpString="abcd") returned 4 [0110.060] WriteFile (in: hFile=0x180, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0110.061] CloseHandle (hObject=0x180) returned 1 [0110.061] GetProcessHeap () returned 0x4c0000 [0110.061] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3be0128 | out: hHeap=0x4c0000) returned 1 [0110.062] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", cAlternateFileName="{B1755~1.610")) returned 1 [0110.062] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="Windows") returned -1 [0110.062] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="Program Files") returned -1 [0110.062] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="Program Files (x86)") returned -1 [0110.063] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="$Recycle.bin") returned 1 [0110.063] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="System Volume Information") returned -1 [0110.063] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2=".") returned 1 [0110.063] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="..") returned 1 [0110.063] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030") returned 82 [0110.063] GetProcessHeap () returned 0x4c0000 [0110.063] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0110.063] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030" [0110.063] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*" [0110.064] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0110.065] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0110.065] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0110.065] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0110.065] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0110.065] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0110.065] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0110.066] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0110.066] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0110.066] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0110.066] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0110.066] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0110.066] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0110.066] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0110.066] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0110.066] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="packages", cAlternateFileName="")) returned 1 [0110.066] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0110.067] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0110.067] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0110.067] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0110.067] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0110.067] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0110.067] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0110.067] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages") returned 91 [0110.067] GetProcessHeap () returned 0x4c0000 [0110.067] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0110.069] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages" [0110.069] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*" [0110.069] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e29a0 [0110.070] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0110.070] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0110.070] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0110.070] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0110.070] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0110.070] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0110.071] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0110.071] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0110.071] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0110.071] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0110.071] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0110.071] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0110.071] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0110.071] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0110.071] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedc37f80, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedc37f80, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c61b06, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0110.072] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Windows") returned -1 [0110.072] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Program Files") returned 1 [0110.072] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Program Files (x86)") returned 1 [0110.072] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="$Recycle.bin") returned 1 [0110.072] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="System Volume Information") returned 1 [0110.072] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2=".") returned 1 [0110.072] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="..") returned 1 [0110.072] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86") returned 115 [0110.072] GetProcessHeap () returned 0x4c0000 [0110.072] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b380a0 [0110.074] lstrcpyW (in: lpString1=0x3b380a0, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86" [0110.074] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*" [0110.074] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedc37f80, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedc37f80, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x4dbf10 [0110.074] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0110.075] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0110.075] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0110.075] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0110.075] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0110.075] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0110.075] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedc37f80, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedc37f80, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0110.075] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0110.075] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0110.075] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0110.075] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0110.075] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0110.075] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0110.075] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0110.075] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8aae6600, ftCreationTime.dwHighDateTime=0x1ced4d9, ftLastAccessTime.dwLowDateTime=0x8aae6600, ftLastAccessTime.dwHighDateTime=0x1ced4d9, ftLastWriteTime.dwLowDateTime=0x8aae6600, ftLastWriteTime.dwHighDateTime=0x1ced4d9, nFileSizeHigh=0x0, nFileSizeLow=0x4ea418, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0110.075] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0110.075] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0110.075] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0110.075] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0110.076] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0110.076] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0110.076] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0110.076] wnsprintfW (in: pszDest=0x3b380a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned 124 [0110.076] lstrcmpW (lpString1="cab1.cab", lpString2="PUSSY.TXT") returned -1 [0110.076] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0110.076] lstrlenW (lpString=".cab") returned 4 [0110.076] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0110.076] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x174 [0110.076] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=5153816) returned 1 [0110.076] GetProcessHeap () returned 0x4c0000 [0110.077] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b88140 [0110.091] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="EE") returned 2 [0110.091] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="17") returned 2 [0110.091] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="1E") returned 2 [0110.091] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="52") returned 2 [0110.091] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="8F") returned 2 [0110.092] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="C8") returned 2 [0110.092] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="71") returned 2 [0110.092] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="14") returned 2 [0110.092] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="5D") returned 2 [0110.092] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="4C") returned 2 [0110.092] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="1B") returned 2 [0110.092] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="3D") returned 2 [0110.092] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="85") returned 2 [0110.092] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="95") returned 2 [0110.092] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="3D") returned 2 [0110.092] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="28") returned 2 [0110.092] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="64") returned 2 [0110.092] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="F4") returned 2 [0110.092] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="5E") returned 2 [0110.092] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="85") returned 2 [0110.092] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="4C") returned 2 [0110.092] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="7C") returned 2 [0110.092] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="0E") returned 2 [0110.092] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="63") returned 2 [0110.092] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="F4") returned 2 [0110.092] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="81") returned 2 [0110.092] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="8C") returned 2 [0110.092] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="A2") returned 2 [0110.092] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="0F") returned 2 [0110.092] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="63") returned 2 [0110.092] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="1F") returned 2 [0110.092] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="7A") returned 2 [0110.104] lstrcpyW (in: lpString1=0x3b98174, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab" [0110.104] lstrcpyW (in: lpString1=0x3b88174, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab" [0110.104] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab", lpString2=".EE171E528FC871145D4C1B3D85953D2864F45E854C7C0E63F4818CA20F631F7A" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab.EE171E528FC871145D4C1B3D85953D2864F45E854C7C0E63F4818CA20F631F7A") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab.EE171E528FC871145D4C1B3D85953D2864F45E854C7C0E63F4818CA20F631F7A" [0110.104] CreateIoCompletionPort (FileHandle=0x174, ExistingCompletionPort=0x94, CompletionKey=0x3b88140, NumberOfConcurrentThreads=0x0) returned 0x94 [0110.104] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b88140, lpOverlapped=0x3b88140) returned 1 [0110.104] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x48395900, ftCreationTime.dwHighDateTime=0x1ced4da, ftLastAccessTime.dwLowDateTime=0x48395900, ftLastAccessTime.dwHighDateTime=0x1ced4da, ftLastWriteTime.dwLowDateTime=0x48395900, ftLastWriteTime.dwHighDateTime=0x1ced4da, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0110.104] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="Windows") returned -1 [0110.105] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="Program Files") returned 1 [0110.105] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="Program Files (x86)") returned 1 [0110.105] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="$Recycle.bin") returned 1 [0110.105] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="System Volume Information") returned 1 [0110.105] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2=".") returned 1 [0110.105] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="..") returned 1 [0110.105] wnsprintfW (in: pszDest=0x3b380a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned 144 [0110.105] lstrcmpW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="PUSSY.TXT") returned 1 [0110.105] PathFindExtensionW (pszPath="vc_runtimeAdditional_x86.msi") returned=".msi" [0110.105] lstrlenW (lpString=".msi") returned 4 [0110.105] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0110.105] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x114 [0110.107] GetFileSizeEx (in: hFile=0x114, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=151552) returned 1 [0110.107] GetProcessHeap () returned 0x4c0000 [0110.107] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bb80d8 [0110.121] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="89") returned 2 [0110.121] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="43") returned 2 [0110.121] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="3C") returned 2 [0110.121] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="E5") returned 2 [0110.121] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="38") returned 2 [0110.121] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="C2") returned 2 [0110.121] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="0F") returned 2 [0110.121] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="46") returned 2 [0110.121] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="AA") returned 2 [0110.121] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="79") returned 2 [0110.121] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="29") returned 2 [0110.121] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="B1") returned 2 [0110.121] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="D2") returned 2 [0110.121] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="5C") returned 2 [0110.121] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="6E") returned 2 [0110.121] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="37") returned 2 [0110.122] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="3C") returned 2 [0110.122] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="48") returned 2 [0110.122] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="B6") returned 2 [0110.122] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="22") returned 2 [0110.122] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="AF") returned 2 [0110.122] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="80") returned 2 [0110.122] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="BF") returned 2 [0110.122] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="50") returned 2 [0110.122] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="B2") returned 2 [0110.122] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="F1") returned 2 [0110.122] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="CC") returned 2 [0110.122] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="C4") returned 2 [0110.122] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="FB") returned 2 [0110.122] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="61") returned 2 [0110.122] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="6E") returned 2 [0110.122] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="0F") returned 2 [0110.135] lstrcpyW (in: lpString1=0x3bc810c, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" [0110.135] lstrcpyW (in: lpString1=0x3bb810c, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" [0110.135] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi", lpString2=".89433CE538C20F46AA7929B1D25C6E373C48B622AF80BF50B2F1CCC4FB616E0F" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi.89433CE538C20F46AA7929B1D25C6E373C48B622AF80BF50B2F1CCC4FB616E0F") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi.89433CE538C20F46AA7929B1D25C6E373C48B622AF80BF50B2F1CCC4FB616E0F" [0110.135] CreateIoCompletionPort (FileHandle=0x114, ExistingCompletionPort=0x94, CompletionKey=0x3bb80d8, NumberOfConcurrentThreads=0x0) returned 0x94 [0110.135] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bb80d8, lpOverlapped=0x3bb80d8) returned 1 [0110.135] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x48395900, ftCreationTime.dwHighDateTime=0x1ced4da, ftLastAccessTime.dwLowDateTime=0x48395900, ftLastAccessTime.dwHighDateTime=0x1ced4da, ftLastWriteTime.dwLowDateTime=0x48395900, ftLastWriteTime.dwHighDateTime=0x1ced4da, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0110.135] FindClose (in: hFindFile=0x4dbf10 | out: hFindFile=0x4dbf10) returned 1 [0110.135] wnsprintfW (in: pszDest=0x3b380a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\PUSSY.TXT") returned 125 [0110.136] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0110.136] lstrlenA (lpString="abcd") returned 4 [0110.136] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0110.138] CloseHandle (hObject=0x18c) returned 1 [0110.138] GetProcessHeap () returned 0x4c0000 [0110.138] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0110.138] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedc37f80, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedc37f80, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c61b06, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0110.138] FindClose (in: hFindFile=0x4e29a0 | out: hFindFile=0x4e29a0) returned 1 [0110.138] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\PUSSY.TXT") returned 101 [0110.138] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0110.139] lstrlenA (lpString="abcd") returned 4 [0110.139] WriteFile (in: hFile=0x1a4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0110.140] CloseHandle (hObject=0x1a4) returned 1 [0110.140] GetProcessHeap () returned 0x4c0000 [0110.141] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0110.144] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="packages", cAlternateFileName="")) returned 0 [0110.144] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0110.144] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\PUSSY.TXT") returned 92 [0110.144] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0110.144] lstrlenA (lpString="abcd") returned 4 [0110.145] WriteFile (in: hFile=0x180, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0110.146] CloseHandle (hObject=0x180) returned 1 [0110.146] GetProcessHeap () returned 0x4c0000 [0110.146] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0110.146] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecd7d760, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", cAlternateFileName="{BD95A~1.610")) returned 1 [0110.146] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="Windows") returned -1 [0110.146] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="Program Files") returned -1 [0110.146] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="Program Files (x86)") returned -1 [0110.146] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="$Recycle.bin") returned 1 [0110.147] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="System Volume Information") returned -1 [0110.147] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2=".") returned 1 [0110.147] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="..") returned 1 [0110.147] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030") returned 82 [0110.147] GetProcessHeap () returned 0x4c0000 [0110.147] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3be0128 [0110.148] lstrcpyW (in: lpString1=0x3be0128, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030" [0110.148] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*" [0110.148] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecd7d760, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0110.149] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0110.149] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0110.149] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0110.149] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0110.149] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0110.149] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0110.154] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecd7d760, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0110.154] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0110.154] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0110.154] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0110.154] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0110.154] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0110.154] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0110.154] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0110.155] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="packages", cAlternateFileName="")) returned 1 [0110.155] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0110.155] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0110.155] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0110.155] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0110.155] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0110.155] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0110.155] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0110.155] wnsprintfW (in: pszDest=0x3be0128, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages") returned 91 [0110.155] GetProcessHeap () returned 0x4c0000 [0110.155] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0110.155] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages" [0110.155] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*" [0110.155] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e29a0 [0110.309] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0110.309] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0110.309] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0110.309] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0110.309] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0110.309] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0110.309] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0110.309] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0110.310] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0110.310] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0110.310] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0110.310] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0110.310] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0110.310] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0110.310] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c61b06, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0110.310] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Windows") returned -1 [0110.310] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Program Files") returned 1 [0110.310] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Program Files (x86)") returned 1 [0110.310] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="$Recycle.bin") returned 1 [0110.310] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="System Volume Information") returned 1 [0110.310] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2=".") returned 1 [0110.310] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="..") returned 1 [0110.310] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86") returned 112 [0110.310] GetProcessHeap () returned 0x4c0000 [0110.310] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0110.311] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86" [0110.311] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*" [0110.311] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x4dbf10 [0110.320] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0110.320] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0110.320] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0110.320] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0110.321] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0110.321] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0110.321] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0110.321] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0110.321] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0110.321] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0110.321] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0110.321] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0110.321] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0110.321] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0110.321] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x884c0c00, ftCreationTime.dwHighDateTime=0x1ced4d9, ftLastAccessTime.dwLowDateTime=0x884c0c00, ftLastAccessTime.dwHighDateTime=0x1ced4d9, ftLastWriteTime.dwLowDateTime=0x884c0c00, ftLastWriteTime.dwHighDateTime=0x1ced4d9, nFileSizeHigh=0x0, nFileSizeLow=0xc89b1, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0110.321] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0110.321] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0110.321] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0110.321] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0110.321] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0110.321] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0110.322] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0110.322] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned 121 [0110.322] lstrcmpW (lpString1="cab1.cab", lpString2="PUSSY.TXT") returned -1 [0110.322] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0110.322] lstrlenW (lpString=".cab") returned 4 [0110.322] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0110.322] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a4 [0110.322] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=821681) returned 1 [0110.322] GetProcessHeap () returned 0x4c0000 [0110.322] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0110.335] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="CE") returned 2 [0110.336] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="F1") returned 2 [0110.336] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="BE") returned 2 [0110.336] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="81") returned 2 [0110.336] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="94") returned 2 [0110.336] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="34") returned 2 [0110.336] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="00") returned 2 [0110.336] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="31") returned 2 [0110.336] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="7C") returned 2 [0110.336] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="B3") returned 2 [0110.336] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="6F") returned 2 [0110.336] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="7D") returned 2 [0110.336] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="1B") returned 2 [0110.336] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="2E") returned 2 [0110.336] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="B1") returned 2 [0110.336] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="E4") returned 2 [0110.336] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="3B") returned 2 [0110.336] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="34") returned 2 [0110.336] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="D2") returned 2 [0110.336] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="60") returned 2 [0110.336] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="BA") returned 2 [0110.336] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="A9") returned 2 [0110.337] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="CF") returned 2 [0110.337] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="8E") returned 2 [0110.337] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="2D") returned 2 [0110.337] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="A3") returned 2 [0110.337] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="EB") returned 2 [0110.337] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="9F") returned 2 [0110.337] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="47") returned 2 [0110.337] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="7A") returned 2 [0110.337] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="5B") returned 2 [0110.337] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="29") returned 2 [0110.350] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab" [0110.350] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab" [0110.350] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab", lpString2=".CEF1BE81943400317CB36F7D1B2EB1E43B34D260BAA9CF8E2DA3EB9F477A5B29" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab.CEF1BE81943400317CB36F7D1B2EB1E43B34D260BAA9CF8E2DA3EB9F477A5B29") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab.CEF1BE81943400317CB36F7D1B2EB1E43B34D260BAA9CF8E2DA3EB9F477A5B29" [0110.350] CreateIoCompletionPort (FileHandle=0x1a4, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0110.350] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0110.350] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x48395900, ftCreationTime.dwHighDateTime=0x1ced4da, ftLastAccessTime.dwLowDateTime=0x48395900, ftLastAccessTime.dwHighDateTime=0x1ced4da, ftLastWriteTime.dwLowDateTime=0x48395900, ftLastWriteTime.dwHighDateTime=0x1ced4da, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0110.351] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="Windows") returned -1 [0110.351] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="Program Files") returned 1 [0110.351] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="Program Files (x86)") returned 1 [0110.351] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="$Recycle.bin") returned 1 [0110.351] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="System Volume Information") returned 1 [0110.351] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2=".") returned 1 [0110.351] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="..") returned 1 [0110.351] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned 138 [0110.351] lstrcmpW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="PUSSY.TXT") returned 1 [0110.351] PathFindExtensionW (pszPath="vc_runtimeMinimum_x86.msi") returned=".msi" [0110.351] lstrlenW (lpString=".msi") returned 4 [0110.351] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0110.351] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0110.352] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=151552) returned 1 [0110.352] GetProcessHeap () returned 0x4c0000 [0110.352] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b380a0 [0110.366] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="F6") returned 2 [0110.366] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="EE") returned 2 [0110.366] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="45") returned 2 [0110.366] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="B2") returned 2 [0110.366] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="D8") returned 2 [0110.366] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="4E") returned 2 [0110.366] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="7B") returned 2 [0110.366] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="03") returned 2 [0110.366] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="1F") returned 2 [0110.366] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="E7") returned 2 [0110.366] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="6E") returned 2 [0110.366] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="36") returned 2 [0110.366] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="FA") returned 2 [0110.366] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="80") returned 2 [0110.366] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="FA") returned 2 [0110.366] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="A3") returned 2 [0110.366] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="FC") returned 2 [0110.366] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="1F") returned 2 [0110.366] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="90") returned 2 [0110.366] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="20") returned 2 [0110.366] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="9C") returned 2 [0110.366] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="B9") returned 2 [0110.366] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="D1") returned 2 [0110.366] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="0E") returned 2 [0110.366] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="3A") returned 2 [0110.367] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="E8") returned 2 [0110.367] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="60") returned 2 [0110.367] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="05") returned 2 [0110.367] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="12") returned 2 [0110.367] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="66") returned 2 [0110.367] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="2A") returned 2 [0110.367] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="52") returned 2 [0110.379] lstrcpyW (in: lpString1=0x3b480d4, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" [0110.379] lstrcpyW (in: lpString1=0x3b380d4, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" [0110.379] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi", lpString2=".F6EE45B2D84E7B031FE76E36FA80FAA3FC1F90209CB9D10E3AE8600512662A52" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi.F6EE45B2D84E7B031FE76E36FA80FAA3FC1F90209CB9D10E3AE8600512662A52") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi.F6EE45B2D84E7B031FE76E36FA80FAA3FC1F90209CB9D10E3AE8600512662A52" [0110.380] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x3b380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0110.380] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b380a0, lpOverlapped=0x3b380a0) returned 1 [0110.380] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x48395900, ftCreationTime.dwHighDateTime=0x1ced4da, ftLastAccessTime.dwLowDateTime=0x48395900, ftLastAccessTime.dwHighDateTime=0x1ced4da, ftLastWriteTime.dwLowDateTime=0x48395900, ftLastWriteTime.dwHighDateTime=0x1ced4da, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0110.380] FindClose (in: hFindFile=0x4dbf10 | out: hFindFile=0x4dbf10) returned 1 [0110.380] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\PUSSY.TXT") returned 122 [0110.380] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0110.381] lstrlenA (lpString="abcd") returned 4 [0110.381] WriteFile (in: hFile=0x190, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0110.382] CloseHandle (hObject=0x190) returned 1 [0110.382] GetProcessHeap () returned 0x4c0000 [0110.382] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0110.385] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c61b06, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0110.385] FindClose (in: hFindFile=0x4e29a0 | out: hFindFile=0x4e29a0) returned 1 [0110.385] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\PUSSY.TXT") returned 101 [0110.385] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0110.385] lstrlenA (lpString="abcd") returned 4 [0110.385] WriteFile (in: hFile=0x19c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0110.387] CloseHandle (hObject=0x19c) returned 1 [0110.387] GetProcessHeap () returned 0x4c0000 [0110.387] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0110.387] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="packages", cAlternateFileName="")) returned 0 [0110.387] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0110.387] wnsprintfW (in: pszDest=0x3be0128, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\PUSSY.TXT") returned 92 [0110.387] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0110.387] lstrlenA (lpString="abcd") returned 4 [0110.387] WriteFile (in: hFile=0x180, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0110.388] CloseHandle (hObject=0x180) returned 1 [0110.389] GetProcessHeap () returned 0x4c0000 [0110.389] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3be0128 | out: hHeap=0x4c0000) returned 1 [0110.389] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfaaff840, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfaaff840, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfaaff840, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", cAlternateFileName="{CA675~1")) returned 1 [0110.389] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="Windows") returned -1 [0110.389] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="Program Files") returned -1 [0110.389] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="Program Files (x86)") returned -1 [0110.389] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="$Recycle.bin") returned 1 [0110.389] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="System Volume Information") returned -1 [0110.389] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2=".") returned 1 [0110.389] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="..") returned 1 [0110.389] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}") returned 71 [0110.389] GetProcessHeap () returned 0x4c0000 [0110.389] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3be0128 [0110.389] lstrcpyW (in: lpString1=0x3be0128, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" [0110.389] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*" [0110.389] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfaaff840, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfaaff840, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfaaff840, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0110.444] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0110.444] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0110.444] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0110.444] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0110.444] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0110.444] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0110.444] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfaaff840, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfaaff840, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfaaff840, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0110.444] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0110.444] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0110.445] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0110.445] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0110.445] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0110.445] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0110.445] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0110.445] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfaaff840, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfaaff840, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfe3882c0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x28e, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0110.445] lstrcmpiW (lpString1="state.rsm", lpString2="Windows") returned -1 [0110.445] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files") returned 1 [0110.445] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files (x86)") returned 1 [0110.445] lstrcmpiW (lpString1="state.rsm", lpString2="$Recycle.bin") returned 1 [0110.445] lstrcmpiW (lpString1="state.rsm", lpString2="System Volume Information") returned -1 [0110.445] lstrcmpiW (lpString1="state.rsm", lpString2=".") returned 1 [0110.445] lstrcmpiW (lpString1="state.rsm", lpString2="..") returned 1 [0110.446] wnsprintfW (in: pszDest=0x3be0128, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm") returned 81 [0110.446] lstrcmpW (lpString1="state.rsm", lpString2="PUSSY.TXT") returned 1 [0110.446] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0110.446] lstrlenW (lpString=".rsm") returned 4 [0110.446] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0110.446] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0110.511] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=654) returned 1 [0110.511] GetProcessHeap () returned 0x4c0000 [0110.512] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b600f0 [0110.531] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="B6") returned 2 [0110.531] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="D4") returned 2 [0110.531] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="1D") returned 2 [0110.531] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="63") returned 2 [0110.531] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="62") returned 2 [0110.531] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="0B") returned 2 [0110.531] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="0F") returned 2 [0110.531] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="C5") returned 2 [0110.532] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="9E") returned 2 [0110.532] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="1D") returned 2 [0110.532] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="D3") returned 2 [0110.532] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="B3") returned 2 [0110.532] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="CA") returned 2 [0110.532] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="85") returned 2 [0110.532] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="86") returned 2 [0110.532] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="AA") returned 2 [0110.532] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="65") returned 2 [0110.532] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="D1") returned 2 [0110.532] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="63") returned 2 [0110.532] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="9D") returned 2 [0110.532] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="22") returned 2 [0110.532] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="64") returned 2 [0110.532] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="11") returned 2 [0110.532] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="4D") returned 2 [0110.532] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="B2") returned 2 [0110.532] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="AB") returned 2 [0110.532] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="F6") returned 2 [0110.532] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="CC") returned 2 [0110.532] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="49") returned 2 [0110.533] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="A7") returned 2 [0110.533] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="53") returned 2 [0110.533] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="2C") returned 2 [0110.547] lstrcpyW (in: lpString1=0x3b70124, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm" [0110.547] lstrcpyW (in: lpString1=0x3b60124, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm" [0110.547] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm", lpString2=".B6D41D63620B0FC59E1DD3B3CA8586AA65D1639D2264114DB2ABF6CC49A7532C" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm.B6D41D63620B0FC59E1DD3B3CA8586AA65D1639D2264114DB2ABF6CC49A7532C") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm.B6D41D63620B0FC59E1DD3B3CA8586AA65D1639D2264114DB2ABF6CC49A7532C" [0110.547] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x3b600f0, NumberOfConcurrentThreads=0x0) returned 0x94 [0110.547] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b600f0, lpOverlapped=0x3b600f0) returned 1 [0110.550] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfaaff840, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfaaff840, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xf0a0a700, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x6f398, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="vcredist_x64.exe", cAlternateFileName="VCREDI~1.EXE")) returned 1 [0110.550] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="Windows") returned -1 [0110.550] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="Program Files") returned 1 [0110.550] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="Program Files (x86)") returned 1 [0110.550] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="$Recycle.bin") returned 1 [0110.550] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="System Volume Information") returned 1 [0110.550] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2=".") returned 1 [0110.550] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="..") returned 1 [0110.550] wnsprintfW (in: pszDest=0x3be0128, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe") returned 88 [0110.550] lstrcmpW (lpString1="vcredist_x64.exe", lpString2="PUSSY.TXT") returned 1 [0110.550] PathFindExtensionW (pszPath="vcredist_x64.exe") returned=".exe" [0110.550] lstrlenW (lpString=".exe") returned 4 [0110.550] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0110.550] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x190 [0110.551] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=455576) returned 1 [0110.551] GetProcessHeap () returned 0x4c0000 [0110.551] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0110.566] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="6F") returned 2 [0110.566] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="9C") returned 2 [0110.566] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="C3") returned 2 [0110.566] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="63") returned 2 [0110.566] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="BD") returned 2 [0110.566] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="63") returned 2 [0110.566] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="14") returned 2 [0110.566] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="B4") returned 2 [0110.566] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="A7") returned 2 [0110.566] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="CF") returned 2 [0110.566] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="50") returned 2 [0110.566] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="1A") returned 2 [0110.567] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="0D") returned 2 [0110.567] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="C9") returned 2 [0110.567] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="8D") returned 2 [0110.567] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="9D") returned 2 [0110.567] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="6A") returned 2 [0110.567] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="E7") returned 2 [0110.567] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="8E") returned 2 [0110.567] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="AB") returned 2 [0110.567] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="8C") returned 2 [0110.567] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="EB") returned 2 [0110.567] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="BB") returned 2 [0110.567] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="6C") returned 2 [0110.567] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="F1") returned 2 [0110.567] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="CB") returned 2 [0110.567] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="6F") returned 2 [0110.567] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="93") returned 2 [0110.567] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="49") returned 2 [0110.567] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="5E") returned 2 [0110.567] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="37") returned 2 [0110.567] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="4C") returned 2 [0110.582] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe" [0110.582] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe" [0110.582] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe", lpString2=".6F9CC363BD6314B4A7CF501A0DC98D9D6AE78EAB8CEBBB6CF1CB6F93495E374C" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe.6F9CC363BD6314B4A7CF501A0DC98D9D6AE78EAB8CEBBB6CF1CB6F93495E374C") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe.6F9CC363BD6314B4A7CF501A0DC98D9D6AE78EAB8CEBBB6CF1CB6F93495E374C" [0110.582] CreateIoCompletionPort (FileHandle=0x190, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0110.582] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0110.582] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfaaff840, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfaaff840, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xf0a0a700, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x6f398, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="vcredist_x64.exe", cAlternateFileName="VCREDI~1.EXE")) returned 0 [0110.582] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0110.583] wnsprintfW (in: pszDest=0x3be0128, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\PUSSY.TXT") returned 81 [0110.583] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0110.583] lstrlenA (lpString="abcd") returned 4 [0110.583] WriteFile (in: hFile=0x180, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0110.637] CloseHandle (hObject=0x180) returned 1 [0110.637] GetProcessHeap () returned 0x4c0000 [0110.637] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3be0128 | out: hHeap=0x4c0000) returned 1 [0110.637] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfab71c60, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabbdf20, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabbdf20, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", cAlternateFileName="{CF2BE~1.610")) returned 1 [0110.637] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="Windows") returned -1 [0110.637] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="Program Files") returned -1 [0110.637] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="Program Files (x86)") returned -1 [0110.637] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="$Recycle.bin") returned 1 [0110.637] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="System Volume Information") returned -1 [0110.637] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2=".") returned 1 [0110.637] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="..") returned 1 [0110.638] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030") returned 82 [0110.638] GetProcessHeap () returned 0x4c0000 [0110.638] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0110.638] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030" [0110.638] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*" [0110.638] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfab71c60, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabbdf20, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabbdf20, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4ddcc8 [0110.667] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0110.667] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0110.667] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0110.667] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0110.667] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0110.667] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0110.667] FindNextFileW (in: hFindFile=0x4ddcc8, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfab71c60, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabbdf20, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabbdf20, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0110.667] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0110.667] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0110.667] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0110.667] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0110.667] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0110.667] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0110.667] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0110.667] FindNextFileW (in: hFindFile=0x4ddcc8, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabbdf20, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabbdf20, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="packages", cAlternateFileName="")) returned 1 [0110.667] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0110.668] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0110.668] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0110.668] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0110.668] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0110.668] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0110.668] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0110.668] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages") returned 91 [0110.668] GetProcessHeap () returned 0x4c0000 [0110.668] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0110.669] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages" [0110.669] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*" [0110.669] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabbdf20, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabbdf20, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4dbf10 [0110.669] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0110.669] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0110.669] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0110.669] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0110.669] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0110.669] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0110.669] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabbdf20, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabbdf20, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0110.670] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0110.670] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0110.670] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0110.670] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0110.670] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0110.670] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0110.670] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0110.670] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c61b06, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0110.670] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Windows") returned -1 [0110.670] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Program Files") returned 1 [0110.670] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Program Files (x86)") returned 1 [0110.670] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="$Recycle.bin") returned 1 [0110.670] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="System Volume Information") returned 1 [0110.670] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2=".") returned 1 [0110.670] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="..") returned 1 [0110.670] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64") returned 114 [0110.670] GetProcessHeap () returned 0x4c0000 [0110.670] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b88140 [0110.670] lstrcpyW (in: lpString1=0x3b88140, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64" [0110.670] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*" [0110.670] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0110.671] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0110.671] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0110.671] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0110.671] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0110.671] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0110.671] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0110.671] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0110.671] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0110.671] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0110.671] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0110.671] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0110.671] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0110.671] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0110.671] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0110.671] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x969a2800, ftCreationTime.dwHighDateTime=0x1ced4d9, ftLastAccessTime.dwLowDateTime=0x969a2800, ftLastAccessTime.dwHighDateTime=0x1ced4d9, ftLastWriteTime.dwLowDateTime=0x969a2800, ftLastWriteTime.dwHighDateTime=0x1ced4d9, nFileSizeHigh=0x0, nFileSizeLow=0xc5b25, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0110.672] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0110.672] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0110.672] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0110.672] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0110.672] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0110.672] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0110.672] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0110.672] wnsprintfW (in: pszDest=0x3b88140, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned 123 [0110.672] lstrcmpW (lpString1="cab1.cab", lpString2="PUSSY.TXT") returned -1 [0110.672] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0110.672] lstrlenW (lpString=".cab") returned 4 [0110.672] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0110.672] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x114 [0110.673] GetFileSizeEx (in: hFile=0x114, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=809765) returned 1 [0110.673] GetProcessHeap () returned 0x4c0000 [0110.673] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bb80d8 [0110.686] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="85") returned 2 [0110.686] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="9C") returned 2 [0110.686] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="A4") returned 2 [0110.686] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="6D") returned 2 [0110.686] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="25") returned 2 [0110.686] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="4D") returned 2 [0110.686] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="29") returned 2 [0110.686] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="42") returned 2 [0110.686] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="4B") returned 2 [0110.686] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="1E") returned 2 [0110.686] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="75") returned 2 [0110.686] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="1B") returned 2 [0110.686] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="F2") returned 2 [0110.686] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="5F") returned 2 [0110.686] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="1A") returned 2 [0110.686] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="BA") returned 2 [0110.686] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="5C") returned 2 [0110.686] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="CE") returned 2 [0110.687] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="E9") returned 2 [0110.687] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="A2") returned 2 [0110.687] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="E3") returned 2 [0110.687] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="A5") returned 2 [0110.687] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="80") returned 2 [0110.687] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="AB") returned 2 [0110.687] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="0C") returned 2 [0110.687] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="06") returned 2 [0110.687] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="54") returned 2 [0110.687] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="65") returned 2 [0110.687] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="B3") returned 2 [0110.687] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="3E") returned 2 [0110.687] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="84") returned 2 [0110.687] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="2D") returned 2 [0110.700] lstrcpyW (in: lpString1=0x3bc810c, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" [0110.700] lstrcpyW (in: lpString1=0x3bb810c, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" [0110.700] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab", lpString2=".859CA46D254D29424B1E751BF25F1ABA5CCEE9A2E3A580AB0C065465B33E842D" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.859CA46D254D29424B1E751BF25F1ABA5CCEE9A2E3A580AB0C065465B33E842D") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.859CA46D254D29424B1E751BF25F1ABA5CCEE9A2E3A580AB0C065465B33E842D" [0110.700] CreateIoCompletionPort (FileHandle=0x114, ExistingCompletionPort=0x94, CompletionKey=0x3bb80d8, NumberOfConcurrentThreads=0x0) returned 0x94 [0110.700] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bb80d8, lpOverlapped=0x3bb80d8) returned 1 [0110.700] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a1afc00, ftCreationTime.dwHighDateTime=0x1ced4da, ftLastAccessTime.dwLowDateTime=0x5a1afc00, ftLastAccessTime.dwHighDateTime=0x1ced4da, ftLastWriteTime.dwLowDateTime=0x5a1afc00, ftLastWriteTime.dwHighDateTime=0x1ced4da, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0110.700] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="Windows") returned -1 [0110.700] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="Program Files") returned 1 [0110.700] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="Program Files (x86)") returned 1 [0110.700] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="$Recycle.bin") returned 1 [0110.700] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="System Volume Information") returned 1 [0110.700] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2=".") returned 1 [0110.700] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="..") returned 1 [0110.700] wnsprintfW (in: pszDest=0x3b88140, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned 140 [0110.700] lstrcmpW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="PUSSY.TXT") returned 1 [0110.701] PathFindExtensionW (pszPath="vc_runtimeMinimum_x64.msi") returned=".msi" [0110.701] lstrlenW (lpString=".msi") returned 4 [0110.701] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0110.701] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a4 [0110.716] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=151552) returned 1 [0110.716] GetProcessHeap () returned 0x4c0000 [0110.716] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b380a0 [0110.733] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="B3") returned 2 [0110.733] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="B7") returned 2 [0110.733] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="18") returned 2 [0110.733] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="0E") returned 2 [0110.733] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="6E") returned 2 [0110.733] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="CF") returned 2 [0110.733] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="A0") returned 2 [0110.733] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="C7") returned 2 [0110.733] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="93") returned 2 [0110.733] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="95") returned 2 [0110.733] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="A4") returned 2 [0110.733] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="FE") returned 2 [0110.733] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="36") returned 2 [0110.733] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="B4") returned 2 [0110.733] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="4D") returned 2 [0110.733] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="4C") returned 2 [0110.733] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="72") returned 2 [0110.733] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="2D") returned 2 [0110.733] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="F0") returned 2 [0110.733] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="6B") returned 2 [0110.733] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="64") returned 2 [0110.733] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="34") returned 2 [0110.734] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="A8") returned 2 [0110.734] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="A0") returned 2 [0110.734] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="48") returned 2 [0110.734] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="5A") returned 2 [0110.734] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="36") returned 2 [0110.734] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="C9") returned 2 [0110.734] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="D4") returned 2 [0110.734] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="F2") returned 2 [0110.734] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="71") returned 2 [0110.734] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="31") returned 2 [0110.746] lstrcpyW (in: lpString1=0x3b480d4, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" [0110.746] lstrcpyW (in: lpString1=0x3b380d4, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" [0110.747] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi", lpString2=".B3B7180E6ECFA0C79395A4FE36B44D4C722DF06B6434A8A0485A36C9D4F27131" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi.B3B7180E6ECFA0C79395A4FE36B44D4C722DF06B6434A8A0485A36C9D4F27131") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi.B3B7180E6ECFA0C79395A4FE36B44D4C722DF06B6434A8A0485A36C9D4F27131" [0110.747] CreateIoCompletionPort (FileHandle=0x1a4, ExistingCompletionPort=0x94, CompletionKey=0x3b380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0110.747] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b380a0, lpOverlapped=0x3b380a0) returned 1 [0110.747] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a1afc00, ftCreationTime.dwHighDateTime=0x1ced4da, ftLastAccessTime.dwLowDateTime=0x5a1afc00, ftLastAccessTime.dwHighDateTime=0x1ced4da, ftLastWriteTime.dwLowDateTime=0x5a1afc00, ftLastWriteTime.dwHighDateTime=0x1ced4da, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0110.747] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0110.748] wnsprintfW (in: pszDest=0x3b88140, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\PUSSY.TXT") returned 124 [0110.748] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0110.864] lstrlenA (lpString="abcd") returned 4 [0110.864] WriteFile (in: hFile=0x180, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0110.865] CloseHandle (hObject=0x180) returned 1 [0110.865] GetProcessHeap () returned 0x4c0000 [0110.865] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b88140 | out: hHeap=0x4c0000) returned 1 [0110.866] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c61b06, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0110.866] FindClose (in: hFindFile=0x4dbf10 | out: hFindFile=0x4dbf10) returned 1 [0110.866] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\PUSSY.TXT") returned 101 [0110.866] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0110.866] lstrlenA (lpString="abcd") returned 4 [0110.866] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0110.868] CloseHandle (hObject=0x18c) returned 1 [0110.868] GetProcessHeap () returned 0x4c0000 [0110.868] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0110.872] FindNextFileW (in: hFindFile=0x4ddcc8, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabbdf20, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabbdf20, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="packages", cAlternateFileName="")) returned 0 [0110.872] FindClose (in: hFindFile=0x4ddcc8 | out: hFindFile=0x4ddcc8) returned 1 [0110.873] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\PUSSY.TXT") returned 92 [0110.873] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0110.873] lstrlenA (lpString="abcd") returned 4 [0110.873] WriteFile (in: hFile=0x174, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0110.874] CloseHandle (hObject=0x174) returned 1 [0110.875] GetProcessHeap () returned 0x4c0000 [0110.875] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0110.875] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa93425b0, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa9368710, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa9368710, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", cAlternateFileName="{E5127~1.250")) returned 1 [0110.875] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="Windows") returned -1 [0110.875] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="Program Files") returned -1 [0110.875] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="Program Files (x86)") returned -1 [0110.875] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="$Recycle.bin") returned 1 [0110.875] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="System Volume Information") returned -1 [0110.875] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2=".") returned 1 [0110.875] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="..") returned 1 [0110.875] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017") returned 83 [0110.875] GetProcessHeap () returned 0x4c0000 [0110.875] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0110.875] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017" [0110.875] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*" [0110.875] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa93425b0, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa9368710, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa9368710, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0110.876] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0110.876] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0110.876] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0110.876] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0110.876] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0110.876] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0110.876] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa93425b0, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa9368710, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa9368710, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0110.876] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0110.876] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0110.876] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0110.876] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0110.876] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0110.876] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0110.876] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0110.876] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa9368710, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa9368710, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="packages", cAlternateFileName="")) returned 1 [0110.876] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0110.877] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0110.877] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0110.877] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0110.877] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0110.877] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0110.877] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0110.877] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages") returned 92 [0110.877] GetProcessHeap () returned 0x4c0000 [0110.877] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3be0128 [0110.878] lstrcpyW (in: lpString1=0x3be0128, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages" [0110.878] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\*" [0110.878] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa9368710, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa9368710, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e29a0 [0110.880] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0110.880] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0110.880] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0110.880] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0110.880] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0110.880] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0110.880] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa9368710, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa9368710, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0110.881] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0110.881] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0110.881] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0110.881] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0110.881] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0110.881] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0110.881] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0110.881] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa938e870, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa938e870, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c61b06, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0110.881] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Windows") returned -1 [0110.881] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Program Files") returned 1 [0110.881] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Program Files (x86)") returned 1 [0110.881] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="$Recycle.bin") returned 1 [0110.881] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="System Volume Information") returned 1 [0110.881] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2=".") returned 1 [0110.881] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="..") returned 1 [0110.881] wnsprintfW (in: pszDest=0x3be0128, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64") returned 118 [0110.881] GetProcessHeap () returned 0x4c0000 [0110.881] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0110.882] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64" [0110.882] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*" [0110.882] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa938e870, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa938e870, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x4dbf10 [0110.883] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0110.883] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0110.883] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0110.883] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0110.883] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0110.883] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0110.883] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa938e870, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa938e870, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0110.883] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0110.883] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0110.883] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0110.883] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0110.883] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0110.883] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0110.883] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0110.883] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdae7f300, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xdae7f300, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xdae7f300, ftLastWriteTime.dwHighDateTime=0x1d28824, nFileSizeHigh=0x0, nFileSizeLow=0x59bde5, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0110.883] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0110.883] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0110.883] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0110.883] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0110.883] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0110.884] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0110.884] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0110.884] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned 127 [0110.884] lstrcmpW (lpString1="cab1.cab", lpString2="PUSSY.TXT") returned -1 [0110.884] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0110.884] lstrlenW (lpString=".cab") returned 4 [0110.884] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0110.884] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x180 [0110.886] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=5881317) returned 1 [0110.886] GetProcessHeap () returned 0x4c0000 [0110.886] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0110.900] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="45") returned 2 [0110.900] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="03") returned 2 [0110.900] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="7A") returned 2 [0110.900] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="FF") returned 2 [0110.900] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="E6") returned 2 [0110.900] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="65") returned 2 [0110.900] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="01") returned 2 [0110.900] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="EE") returned 2 [0110.900] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="30") returned 2 [0110.900] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="29") returned 2 [0110.900] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="88") returned 2 [0110.900] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="A8") returned 2 [0110.900] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="40") returned 2 [0110.901] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="29") returned 2 [0110.901] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="E1") returned 2 [0110.901] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="D9") returned 2 [0110.901] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="1F") returned 2 [0110.901] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="C1") returned 2 [0110.901] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="0B") returned 2 [0110.901] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="DD") returned 2 [0110.901] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="1E") returned 2 [0110.901] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="C0") returned 2 [0110.901] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="20") returned 2 [0110.901] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="0F") returned 2 [0110.901] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="F2") returned 2 [0110.901] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="CA") returned 2 [0110.901] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="F5") returned 2 [0110.901] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="A3") returned 2 [0110.901] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="C4") returned 2 [0110.901] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="4E") returned 2 [0110.901] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="C0") returned 2 [0110.901] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="1C") returned 2 [0110.915] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" [0110.915] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" [0110.915] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab", lpString2=".45037AFFE66501EE302988A84029E1D91FC10BDD1EC0200FF2CAF5A3C44EC01C" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.45037AFFE66501EE302988A84029E1D91FC10BDD1EC0200FF2CAF5A3C44EC01C") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.45037AFFE66501EE302988A84029E1D91FC10BDD1EC0200FF2CAF5A3C44EC01C" [0110.916] CreateIoCompletionPort (FileHandle=0x180, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0110.916] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0110.916] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36fed00, ftCreationTime.dwHighDateTime=0x1d28825, ftLastAccessTime.dwLowDateTime=0x36fed00, ftLastAccessTime.dwHighDateTime=0x1d28825, ftLastWriteTime.dwLowDateTime=0x36fed00, ftLastWriteTime.dwHighDateTime=0x1d28825, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0110.916] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="Windows") returned -1 [0110.916] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="Program Files") returned 1 [0110.916] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="Program Files (x86)") returned 1 [0110.916] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="$Recycle.bin") returned 1 [0110.916] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="System Volume Information") returned 1 [0110.916] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2=".") returned 1 [0110.916] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="..") returned 1 [0110.916] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned 147 [0110.916] lstrcmpW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="PUSSY.TXT") returned 1 [0110.916] PathFindExtensionW (pszPath="vc_runtimeAdditional_x64.msi") returned=".msi" [0110.916] lstrlenW (lpString=".msi") returned 4 [0110.916] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0110.916] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0110.919] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=143360) returned 1 [0110.919] GetProcessHeap () returned 0x4c0000 [0110.919] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b600f0 [0110.933] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="27") returned 2 [0110.933] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="E0") returned 2 [0110.933] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="6E") returned 2 [0110.933] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="12") returned 2 [0110.933] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="45") returned 2 [0110.933] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="65") returned 2 [0110.934] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="62") returned 2 [0110.934] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="54") returned 2 [0110.934] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="7C") returned 2 [0110.934] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="5F") returned 2 [0110.934] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="CF") returned 2 [0110.934] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="08") returned 2 [0110.934] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="DA") returned 2 [0110.934] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="69") returned 2 [0110.934] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="BE") returned 2 [0110.934] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="3E") returned 2 [0110.934] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="84") returned 2 [0110.934] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="AB") returned 2 [0110.934] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="F7") returned 2 [0110.934] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="94") returned 2 [0110.934] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="C7") returned 2 [0110.934] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="DD") returned 2 [0110.934] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="B9") returned 2 [0110.934] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="79") returned 2 [0110.934] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="F2") returned 2 [0110.934] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="47") returned 2 [0110.934] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="D6") returned 2 [0110.934] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="AF") returned 2 [0110.934] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="A9") returned 2 [0110.934] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="DA") returned 2 [0110.935] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="23") returned 2 [0110.935] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="15") returned 2 [0110.947] lstrcpyW (in: lpString1=0x3b70124, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" [0110.947] lstrcpyW (in: lpString1=0x3b60124, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" [0110.947] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi", lpString2=".27E06E12456562547C5FCF08DA69BE3E84ABF794C7DDB979F247D6AFA9DA2315" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi.27E06E12456562547C5FCF08DA69BE3E84ABF794C7DDB979F247D6AFA9DA2315") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi.27E06E12456562547C5FCF08DA69BE3E84ABF794C7DDB979F247D6AFA9DA2315" [0110.947] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x3b600f0, NumberOfConcurrentThreads=0x0) returned 0x94 [0110.947] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b600f0, lpOverlapped=0x3b600f0) returned 1 [0110.948] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36fed00, ftCreationTime.dwHighDateTime=0x1d28825, ftLastAccessTime.dwLowDateTime=0x36fed00, ftLastAccessTime.dwHighDateTime=0x1d28825, ftLastWriteTime.dwLowDateTime=0x36fed00, ftLastWriteTime.dwHighDateTime=0x1d28825, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0110.948] FindClose (in: hFindFile=0x4dbf10 | out: hFindFile=0x4dbf10) returned 1 [0110.992] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\PUSSY.TXT") returned 128 [0110.992] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0110.993] lstrlenA (lpString="abcd") returned 4 [0110.993] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0110.994] CloseHandle (hObject=0x18c) returned 1 [0110.994] GetProcessHeap () returned 0x4c0000 [0110.994] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0110.994] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa938e870, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa938e870, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0x77c61b06, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0110.995] FindClose (in: hFindFile=0x4e29a0 | out: hFindFile=0x4e29a0) returned 1 [0110.995] wnsprintfW (in: pszDest=0x3be0128, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\PUSSY.TXT") returned 102 [0110.995] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0110.995] lstrlenA (lpString="abcd") returned 4 [0110.995] WriteFile (in: hFile=0x190, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0110.996] CloseHandle (hObject=0x190) returned 1 [0110.997] GetProcessHeap () returned 0x4c0000 [0110.997] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3be0128 | out: hHeap=0x4c0000) returned 1 [0110.999] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa9368710, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa9368710, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="packages", cAlternateFileName="")) returned 0 [0110.999] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0110.999] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\PUSSY.TXT") returned 93 [0110.999] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0110.999] lstrlenA (lpString="abcd") returned 4 [0110.999] WriteFile (in: hFile=0x174, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0111.001] CloseHandle (hObject=0x174) returned 1 [0111.001] GetProcessHeap () returned 0x4c0000 [0111.001] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0111.001] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa912d270, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa912d270, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa912d270, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="{e52a6842-b0ac-476e-b48f-378a97a67346}", cAlternateFileName="{E52A6~1")) returned 1 [0111.001] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="Windows") returned -1 [0111.001] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="Program Files") returned -1 [0111.001] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="Program Files (x86)") returned -1 [0111.001] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="$Recycle.bin") returned 1 [0111.001] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="System Volume Information") returned -1 [0111.001] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2=".") returned 1 [0111.001] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="..") returned 1 [0111.001] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}") returned 71 [0111.001] GetProcessHeap () returned 0x4c0000 [0111.001] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3be0128 [0111.002] lstrcpyW (in: lpString1=0x3be0128, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}" [0111.002] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*" [0111.002] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa912d270, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa912d270, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa912d270, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0111.002] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0111.003] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0111.003] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0111.003] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0111.003] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0111.003] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0111.003] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa912d270, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa912d270, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa912d270, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0111.003] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0111.003] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0111.003] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0111.003] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0111.003] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0111.003] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0111.003] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0111.003] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa912d270, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa912d270, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xe9f9cff0, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x2fe, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0111.003] lstrcmpiW (lpString1="state.rsm", lpString2="Windows") returned -1 [0111.003] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files") returned 1 [0111.003] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files (x86)") returned 1 [0111.003] lstrcmpiW (lpString1="state.rsm", lpString2="$Recycle.bin") returned 1 [0111.003] lstrcmpiW (lpString1="state.rsm", lpString2="System Volume Information") returned -1 [0111.004] lstrcmpiW (lpString1="state.rsm", lpString2=".") returned 1 [0111.004] lstrcmpiW (lpString1="state.rsm", lpString2="..") returned 1 [0111.004] wnsprintfW (in: pszDest=0x3be0128, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm") returned 81 [0111.004] lstrcmpW (lpString1="state.rsm", lpString2="PUSSY.TXT") returned 1 [0111.004] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0111.004] lstrlenW (lpString=".rsm") returned 4 [0111.004] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0111.004] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x190 [0111.004] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=766) returned 1 [0111.004] GetProcessHeap () returned 0x4c0000 [0111.004] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b88140 [0111.082] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="78") returned 2 [0111.082] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="7C") returned 2 [0111.082] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="5C") returned 2 [0111.082] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="76") returned 2 [0111.082] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="DF") returned 2 [0111.082] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="4D") returned 2 [0111.082] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="3B") returned 2 [0111.082] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="65") returned 2 [0111.082] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="FA") returned 2 [0111.082] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="A9") returned 2 [0111.083] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="8F") returned 2 [0111.083] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="21") returned 2 [0111.083] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="91") returned 2 [0111.083] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="22") returned 2 [0111.083] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="A2") returned 2 [0111.083] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="E1") returned 2 [0111.083] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="44") returned 2 [0111.083] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="54") returned 2 [0111.083] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="29") returned 2 [0111.083] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="BF") returned 2 [0111.083] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="3D") returned 2 [0111.083] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="BC") returned 2 [0111.083] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="FA") returned 2 [0111.083] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="38") returned 2 [0111.083] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="BB") returned 2 [0111.083] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="9F") returned 2 [0111.083] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="FB") returned 2 [0111.083] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="5D") returned 2 [0111.083] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="0D") returned 2 [0111.083] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="A0") returned 2 [0111.083] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="C8") returned 2 [0111.083] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="70") returned 2 [0111.096] lstrcpyW (in: lpString1=0x3b98174, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm" [0111.096] lstrcpyW (in: lpString1=0x3b88174, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm" [0111.096] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm", lpString2=".787C5C76DF4D3B65FAA98F219122A2E1445429BF3DBCFA38BB9FFB5D0DA0C870" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm.787C5C76DF4D3B65FAA98F219122A2E1445429BF3DBCFA38BB9FFB5D0DA0C870") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm.787C5C76DF4D3B65FAA98F219122A2E1445429BF3DBCFA38BB9FFB5D0DA0C870" [0111.096] CreateIoCompletionPort (FileHandle=0x190, ExistingCompletionPort=0x94, CompletionKey=0x3b88140, NumberOfConcurrentThreads=0x0) returned 0x94 [0111.096] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b88140, lpOverlapped=0x3b88140) returned 1 [0111.097] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa912d270, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa912d270, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0x968d5df0, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0xbee38, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="VC_redist.x64.exe", cAlternateFileName="VC_RED~1.EXE")) returned 1 [0111.097] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="Windows") returned -1 [0111.099] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="Program Files") returned 1 [0111.099] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="Program Files (x86)") returned 1 [0111.099] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="$Recycle.bin") returned 1 [0111.099] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="System Volume Information") returned 1 [0111.099] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2=".") returned 1 [0111.099] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="..") returned 1 [0111.099] wnsprintfW (in: pszDest=0x3be0128, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe") returned 89 [0111.099] lstrcmpW (lpString1="VC_redist.x64.exe", lpString2="PUSSY.TXT") returned 1 [0111.099] PathFindExtensionW (pszPath="VC_redist.x64.exe") returned=".exe" [0111.100] lstrlenW (lpString=".exe") returned 4 [0111.101] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0111.101] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\vc_redist.x64.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x190 [0111.108] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=781880) returned 1 [0111.108] GetProcessHeap () returned 0x4c0000 [0111.108] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bb80d8 [0111.121] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="86") returned 2 [0111.121] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="1F") returned 2 [0111.121] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="85") returned 2 [0111.121] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="38") returned 2 [0111.122] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="A4") returned 2 [0111.122] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="DD") returned 2 [0111.122] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="71") returned 2 [0111.122] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="E9") returned 2 [0111.122] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="B1") returned 2 [0111.122] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="52") returned 2 [0111.122] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="5F") returned 2 [0111.122] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="48") returned 2 [0111.122] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="DA") returned 2 [0111.122] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="BC") returned 2 [0111.122] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="EA") returned 2 [0111.122] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="E3") returned 2 [0111.122] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="78") returned 2 [0111.122] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="03") returned 2 [0111.122] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="4B") returned 2 [0111.122] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="93") returned 2 [0111.122] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="77") returned 2 [0111.122] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="29") returned 2 [0111.122] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="52") returned 2 [0111.122] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="6B") returned 2 [0111.122] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="E3") returned 2 [0111.122] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="8A") returned 2 [0111.122] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="80") returned 2 [0111.122] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="28") returned 2 [0111.122] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="ED") returned 2 [0111.122] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="28") returned 2 [0111.123] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="A7") returned 2 [0111.123] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="7C") returned 2 [0111.135] lstrcpyW (in: lpString1=0x3bc810c, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe" [0111.135] lstrcpyW (in: lpString1=0x3bb810c, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe" [0111.135] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe", lpString2=".861F8538A4DD71E9B1525F48DABCEAE378034B937729526BE38A8028ED28A77C" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe.861F8538A4DD71E9B1525F48DABCEAE378034B937729526BE38A8028ED28A77C") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe.861F8538A4DD71E9B1525F48DABCEAE378034B937729526BE38A8028ED28A77C" [0111.135] CreateIoCompletionPort (FileHandle=0x190, ExistingCompletionPort=0x94, CompletionKey=0x3bb80d8, NumberOfConcurrentThreads=0x0) returned 0x94 [0111.136] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bb80d8, lpOverlapped=0x3bb80d8) returned 1 [0111.136] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa912d270, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa912d270, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0x968d5df0, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0xbee38, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="VC_redist.x64.exe", cAlternateFileName="VC_RED~1.EXE")) returned 0 [0111.136] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0111.180] wnsprintfW (in: pszDest=0x3be0128, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\PUSSY.TXT") returned 81 [0111.180] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0111.181] lstrlenA (lpString="abcd") returned 4 [0111.181] WriteFile (in: hFile=0x174, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0111.182] CloseHandle (hObject=0x174) returned 1 [0111.182] GetProcessHeap () returned 0x4c0000 [0111.182] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3be0128 | out: hHeap=0x4c0000) returned 1 [0111.184] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca64c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcad7040, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcad7040, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", cAlternateFileName="{E6E75~1")) returned 1 [0111.184] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="Windows") returned -1 [0111.184] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="Program Files") returned -1 [0111.184] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="Program Files (x86)") returned -1 [0111.184] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="$Recycle.bin") returned 1 [0111.184] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="System Volume Information") returned -1 [0111.184] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2=".") returned 1 [0111.184] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="..") returned 1 [0111.184] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}") returned 71 [0111.184] GetProcessHeap () returned 0x4c0000 [0111.184] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3be0128 [0111.185] lstrcpyW (in: lpString1=0x3be0128, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}" [0111.185] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*" [0111.185] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca64c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcad7040, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcad7040, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0111.186] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0111.186] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0111.186] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0111.186] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0111.186] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0111.186] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0111.186] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca64c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcad7040, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcad7040, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0111.186] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0111.187] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0111.187] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0111.187] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0111.187] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0111.187] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0111.187] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0111.187] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcad7040, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcad7040, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x105e7220, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x29a, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0111.187] lstrcmpiW (lpString1="state.rsm", lpString2="Windows") returned -1 [0111.187] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files") returned 1 [0111.187] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files (x86)") returned 1 [0111.187] lstrcmpiW (lpString1="state.rsm", lpString2="$Recycle.bin") returned 1 [0111.187] lstrcmpiW (lpString1="state.rsm", lpString2="System Volume Information") returned -1 [0111.187] lstrcmpiW (lpString1="state.rsm", lpString2=".") returned 1 [0111.187] lstrcmpiW (lpString1="state.rsm", lpString2="..") returned 1 [0111.187] wnsprintfW (in: pszDest=0x3be0128, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm") returned 81 [0111.187] lstrcmpW (lpString1="state.rsm", lpString2="PUSSY.TXT") returned 1 [0111.187] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0111.187] lstrlenW (lpString=".rsm") returned 4 [0111.187] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0111.188] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0111.188] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=666) returned 1 [0111.188] GetProcessHeap () returned 0x4c0000 [0111.188] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0111.204] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="26") returned 2 [0111.204] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="F3") returned 2 [0111.204] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="EA") returned 2 [0111.204] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="2F") returned 2 [0111.204] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="51") returned 2 [0111.204] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="39") returned 2 [0111.204] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="2E") returned 2 [0111.204] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="2F") returned 2 [0111.204] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="2C") returned 2 [0111.204] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="32") returned 2 [0111.204] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="A4") returned 2 [0111.204] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="97") returned 2 [0111.204] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="76") returned 2 [0111.204] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="F8") returned 2 [0111.204] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="44") returned 2 [0111.204] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="48") returned 2 [0111.204] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="CF") returned 2 [0111.204] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="8B") returned 2 [0111.204] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="13") returned 2 [0111.204] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="3C") returned 2 [0111.205] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="88") returned 2 [0111.205] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="FD") returned 2 [0111.205] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="97") returned 2 [0111.205] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="EF") returned 2 [0111.205] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="77") returned 2 [0111.205] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="42") returned 2 [0111.205] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="E1") returned 2 [0111.205] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="08") returned 2 [0111.205] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="D4") returned 2 [0111.205] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="75") returned 2 [0111.205] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="B0") returned 2 [0111.205] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="0E") returned 2 [0111.218] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" [0111.218] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" [0111.218] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm", lpString2=".26F3EA2F51392E2F2C32A49776F84448CF8B133C88FD97EF7742E108D475B00E" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm.26F3EA2F51392E2F2C32A49776F84448CF8B133C88FD97EF7742E108D475B00E") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm.26F3EA2F51392E2F2C32A49776F84448CF8B133C88FD97EF7742E108D475B00E" [0111.218] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0111.218] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0111.218] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca64c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xca64c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xfe5c3760, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x71080, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="vcredist_x86.exe", cAlternateFileName="VCREDI~1.EXE")) returned 1 [0111.218] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="Windows") returned -1 [0111.218] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="Program Files") returned 1 [0111.218] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="Program Files (x86)") returned 1 [0111.218] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="$Recycle.bin") returned 1 [0111.218] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="System Volume Information") returned 1 [0111.218] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2=".") returned 1 [0111.218] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="..") returned 1 [0111.218] wnsprintfW (in: pszDest=0x3be0128, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe") returned 88 [0111.218] lstrcmpW (lpString1="vcredist_x86.exe", lpString2="PUSSY.TXT") returned 1 [0111.218] PathFindExtensionW (pszPath="vcredist_x86.exe") returned=".exe" [0111.218] lstrlenW (lpString=".exe") returned 4 [0111.218] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0111.218] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a4 [0111.227] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=462976) returned 1 [0111.227] GetProcessHeap () returned 0x4c0000 [0111.227] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c28098 [0111.240] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="07") returned 2 [0111.240] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="A1") returned 2 [0111.240] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="69") returned 2 [0111.240] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="B8") returned 2 [0111.240] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="42") returned 2 [0111.240] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="1B") returned 2 [0111.240] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="D1") returned 2 [0111.240] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="78") returned 2 [0111.240] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="22") returned 2 [0111.240] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="A2") returned 2 [0111.240] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="7E") returned 2 [0111.240] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="08") returned 2 [0111.240] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="E9") returned 2 [0111.240] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="26") returned 2 [0111.241] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="80") returned 2 [0111.241] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="77") returned 2 [0111.241] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="DC") returned 2 [0111.241] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="7F") returned 2 [0111.241] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="61") returned 2 [0111.241] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="19") returned 2 [0111.241] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="3A") returned 2 [0111.241] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="8A") returned 2 [0111.241] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="E5") returned 2 [0111.241] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="A7") returned 2 [0111.241] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="D4") returned 2 [0111.241] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="6A") returned 2 [0111.241] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="F2") returned 2 [0111.241] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="64") returned 2 [0111.241] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="A9") returned 2 [0111.241] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="0B") returned 2 [0111.241] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="16") returned 2 [0111.241] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="05") returned 2 [0111.253] lstrcpyW (in: lpString1=0x3c380cc, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe" [0111.253] lstrcpyW (in: lpString1=0x3c280cc, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe" [0111.253] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe", lpString2=".07A169B8421BD17822A27E08E9268077DC7F61193A8AE5A7D46AF264A90B1605" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe.07A169B8421BD17822A27E08E9268077DC7F61193A8AE5A7D46AF264A90B1605") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe.07A169B8421BD17822A27E08E9268077DC7F61193A8AE5A7D46AF264A90B1605" [0111.253] CreateIoCompletionPort (FileHandle=0x1a4, ExistingCompletionPort=0x94, CompletionKey=0x3c28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0111.253] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c28098, lpOverlapped=0x3c28098) returned 1 [0111.253] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca64c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xca64c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xfe5c3760, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x71080, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="vcredist_x86.exe", cAlternateFileName="VCREDI~1.EXE")) returned 0 [0111.253] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0111.253] wnsprintfW (in: pszDest=0x3be0128, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\PUSSY.TXT") returned 81 [0111.254] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0111.254] lstrlenA (lpString="abcd") returned 4 [0111.254] WriteFile (in: hFile=0x174, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0111.255] CloseHandle (hObject=0x174) returned 1 [0111.255] GetProcessHeap () returned 0x4c0000 [0111.256] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3be0128 | out: hHeap=0x4c0000) returned 1 [0111.256] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf93c9960, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf93efac0, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf93efac0, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="{f325f05b-f963-4640-a43b-c8a494cdda0f}", cAlternateFileName="{F325F~1")) returned 1 [0111.256] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="Windows") returned -1 [0111.256] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="Program Files") returned -1 [0111.256] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="Program Files (x86)") returned -1 [0111.256] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="$Recycle.bin") returned 1 [0111.256] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="System Volume Information") returned -1 [0111.256] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2=".") returned 1 [0111.256] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="..") returned 1 [0111.256] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}") returned 71 [0111.256] GetProcessHeap () returned 0x4c0000 [0111.256] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3be0128 [0111.256] lstrcpyW (in: lpString1=0x3be0128, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}" [0111.256] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*" [0111.256] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf93c9960, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf93efac0, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf93efac0, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0111.343] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0111.343] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0111.343] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0111.343] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0111.343] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0111.343] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0111.343] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf93c9960, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf93efac0, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf93efac0, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0111.343] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0111.343] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0111.343] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0111.344] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0111.344] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0111.344] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0111.344] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0111.344] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf93efac0, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf93efac0, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0x6601040, ftLastWriteTime.dwHighDateTime=0x1d2fc28, nFileSizeHigh=0x0, nFileSizeLow=0x2fe, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0111.344] lstrcmpiW (lpString1="state.rsm", lpString2="Windows") returned -1 [0111.344] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files") returned 1 [0111.344] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files (x86)") returned 1 [0111.344] lstrcmpiW (lpString1="state.rsm", lpString2="$Recycle.bin") returned 1 [0111.344] lstrcmpiW (lpString1="state.rsm", lpString2="System Volume Information") returned -1 [0111.344] lstrcmpiW (lpString1="state.rsm", lpString2=".") returned 1 [0111.344] lstrcmpiW (lpString1="state.rsm", lpString2="..") returned 1 [0111.344] wnsprintfW (in: pszDest=0x3be0128, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm") returned 81 [0111.344] lstrcmpW (lpString1="state.rsm", lpString2="PUSSY.TXT") returned 1 [0111.344] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0111.344] lstrlenW (lpString=".rsm") returned 4 [0111.344] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0111.344] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x180 [0111.345] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=766) returned 1 [0111.345] GetProcessHeap () returned 0x4c0000 [0111.345] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0111.358] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="A0") returned 2 [0111.358] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="C1") returned 2 [0111.358] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="51") returned 2 [0111.358] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="49") returned 2 [0111.358] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="ED") returned 2 [0111.358] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="F3") returned 2 [0111.358] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="23") returned 2 [0111.358] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="A7") returned 2 [0111.358] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="86") returned 2 [0111.358] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="F4") returned 2 [0111.358] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="29") returned 2 [0111.358] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="5F") returned 2 [0111.358] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="B4") returned 2 [0111.358] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="05") returned 2 [0111.358] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="14") returned 2 [0111.358] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="2E") returned 2 [0111.358] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="4F") returned 2 [0111.358] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="B4") returned 2 [0111.358] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="5E") returned 2 [0111.358] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="0C") returned 2 [0111.358] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="10") returned 2 [0111.359] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="33") returned 2 [0111.359] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="68") returned 2 [0111.359] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="D4") returned 2 [0111.359] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="16") returned 2 [0111.359] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="63") returned 2 [0111.359] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="07") returned 2 [0111.359] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="10") returned 2 [0111.359] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="83") returned 2 [0111.359] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="1C") returned 2 [0111.359] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="EB") returned 2 [0111.359] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="30") returned 2 [0111.371] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm" [0111.371] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm" [0111.371] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm", lpString2=".A0C15149EDF323A786F4295FB405142E4FB45E0C103368D416630710831CEB30" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm.A0C15149EDF323A786F4295FB405142E4FB45E0C103368D416630710831CEB30") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm.A0C15149EDF323A786F4295FB405142E4FB45E0C103368D416630710831CEB30" [0111.371] CreateIoCompletionPort (FileHandle=0x180, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0111.371] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0111.373] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xf93c9960, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf93c9960, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xedfa2720, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0xbee30, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="VC_redist.x86.exe", cAlternateFileName="VC_RED~1.EXE")) returned 1 [0111.373] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="Windows") returned -1 [0111.373] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="Program Files") returned 1 [0111.373] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="Program Files (x86)") returned 1 [0111.373] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="$Recycle.bin") returned 1 [0111.373] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="System Volume Information") returned 1 [0111.374] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2=".") returned 1 [0111.374] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="..") returned 1 [0111.374] wnsprintfW (in: pszDest=0x3be0128, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe") returned 89 [0111.374] lstrcmpW (lpString1="VC_redist.x86.exe", lpString2="PUSSY.TXT") returned 1 [0111.374] PathFindExtensionW (pszPath="VC_redist.x86.exe") returned=".exe" [0111.374] lstrlenW (lpString=".exe") returned 4 [0111.374] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0111.374] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe" (normalized: "c:\\programdata\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\vc_redist.x86.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a4 [0111.374] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=781872) returned 1 [0111.375] GetProcessHeap () returned 0x4c0000 [0111.375] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0111.387] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="DC") returned 2 [0111.387] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="5F") returned 2 [0111.387] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="36") returned 2 [0111.387] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="B7") returned 2 [0111.387] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="62") returned 2 [0111.387] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="64") returned 2 [0111.387] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="E2") returned 2 [0111.387] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="80") returned 2 [0111.387] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="D2") returned 2 [0111.387] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="A4") returned 2 [0111.388] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="B7") returned 2 [0111.388] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="15") returned 2 [0111.388] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="70") returned 2 [0111.388] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="B8") returned 2 [0111.388] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="4B") returned 2 [0111.388] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="A1") returned 2 [0111.388] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="B6") returned 2 [0111.388] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="1B") returned 2 [0111.388] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="52") returned 2 [0111.388] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="3A") returned 2 [0111.388] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="6C") returned 2 [0111.388] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="FB") returned 2 [0111.388] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="3A") returned 2 [0111.388] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="77") returned 2 [0111.388] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="24") returned 2 [0111.388] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="85") returned 2 [0111.388] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="68") returned 2 [0111.388] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="A2") returned 2 [0111.388] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="1D") returned 2 [0111.388] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="F2") returned 2 [0111.388] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="15") returned 2 [0111.388] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="21") returned 2 [0111.401] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe" [0111.401] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe" [0111.401] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe", lpString2=".DC5F36B76264E280D2A4B71570B84BA1B61B523A6CFB3A77248568A21DF21521" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe.DC5F36B76264E280D2A4B71570B84BA1B61B523A6CFB3A77248568A21DF21521") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe.DC5F36B76264E280D2A4B71570B84BA1B61B523A6CFB3A77248568A21DF21521" [0111.401] CreateIoCompletionPort (FileHandle=0x1a4, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0111.401] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0111.402] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xf93c9960, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf93c9960, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xedfa2720, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0xbee30, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="VC_redist.x86.exe", cAlternateFileName="VC_RED~1.EXE")) returned 0 [0111.402] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0111.402] wnsprintfW (in: pszDest=0x3be0128, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\PUSSY.TXT") returned 81 [0111.402] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0111.605] lstrlenA (lpString="abcd") returned 4 [0111.605] WriteFile (in: hFile=0x190, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0111.606] CloseHandle (hObject=0x190) returned 1 [0111.606] GetProcessHeap () returned 0x4c0000 [0111.606] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3be0128 | out: hHeap=0x4c0000) returned 1 [0111.606] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", cAlternateFileName="{F8CFE~1.210")) returned 1 [0111.606] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="Windows") returned -1 [0111.606] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="Program Files") returned -1 [0111.606] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="Program Files (x86)") returned -1 [0111.606] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="$Recycle.bin") returned 1 [0111.606] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="System Volume Information") returned -1 [0111.607] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2=".") returned 1 [0111.607] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="..") returned 1 [0111.607] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005") returned 82 [0111.607] GetProcessHeap () returned 0x4c0000 [0111.607] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0111.607] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005" [0111.608] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*" [0111.608] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0111.608] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0111.608] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0111.608] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0111.608] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0111.608] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0111.608] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0111.608] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0111.608] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0111.608] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0111.608] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0111.608] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0111.608] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0111.609] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0111.609] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0111.609] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="packages", cAlternateFileName="")) returned 1 [0111.609] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0111.609] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0111.609] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0111.609] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0111.609] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0111.609] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0111.609] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0111.609] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages") returned 91 [0111.609] GetProcessHeap () returned 0x4c0000 [0111.609] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0111.610] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages" [0111.610] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*" [0111.610] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a4bd0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e29a0 [0111.611] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0111.611] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0111.611] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0111.611] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0111.611] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0111.611] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0111.611] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a4bd0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0111.611] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0111.611] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0111.611] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0111.611] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0111.611] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0111.611] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0111.611] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0111.611] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcc07b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcc07b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a4bd0, dwReserved1=0x77c61b06, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0111.611] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Windows") returned -1 [0111.611] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Program Files") returned 1 [0111.611] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Program Files (x86)") returned 1 [0111.611] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="$Recycle.bin") returned 1 [0111.611] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="System Volume Information") returned 1 [0111.611] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2=".") returned 1 [0111.612] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="..") returned 1 [0111.612] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86") returned 115 [0111.612] GetProcessHeap () returned 0x4c0000 [0111.612] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bb80d8 [0111.612] lstrcpyW (in: lpString1=0x3bb80d8, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86" [0111.612] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*" [0111.612] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcc07b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcc07b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a4bd0, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x4dbf10 [0111.612] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0111.612] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0111.613] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0111.613] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0111.613] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0111.613] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0111.613] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcc07b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcc07b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a4bd0, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0111.613] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0111.613] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0111.613] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0111.613] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0111.613] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0111.613] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0111.613] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0111.613] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x532ebf00, ftCreationTime.dwHighDateTime=0x1cf3dd3, ftLastAccessTime.dwLowDateTime=0x532ebf00, ftLastAccessTime.dwHighDateTime=0x1cf3dd3, ftLastWriteTime.dwLowDateTime=0x532ebf00, ftLastWriteTime.dwHighDateTime=0x1cf3dd3, nFileSizeHigh=0x0, nFileSizeLow=0x4b4520, dwReserved0=0x5a4bd0, dwReserved1=0xfe000000, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0111.613] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0111.613] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0111.613] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0111.613] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0111.613] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0111.613] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0111.613] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0111.614] wnsprintfW (in: pszDest=0x3bb80d8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned 124 [0111.614] lstrcmpW (lpString1="cab1.cab", lpString2="PUSSY.TXT") returned -1 [0111.614] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0111.614] lstrlenW (lpString=".cab") returned 4 [0111.614] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0111.614] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x114 [0111.614] GetFileSizeEx (in: hFile=0x114, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=4932896) returned 1 [0111.614] GetProcessHeap () returned 0x4c0000 [0111.614] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc80e0 [0111.627] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="9F") returned 2 [0111.628] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="83") returned 2 [0111.628] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="0D") returned 2 [0111.628] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="64") returned 2 [0111.628] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="05") returned 2 [0111.628] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="81") returned 2 [0111.628] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="7E") returned 2 [0111.628] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="AF") returned 2 [0111.628] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="69") returned 2 [0111.628] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="B6") returned 2 [0111.628] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="80") returned 2 [0111.628] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="6C") returned 2 [0111.628] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="BC") returned 2 [0111.628] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="75") returned 2 [0111.628] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="A5") returned 2 [0111.628] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="71") returned 2 [0111.628] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="70") returned 2 [0111.628] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="C4") returned 2 [0111.628] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="46") returned 2 [0111.628] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="1A") returned 2 [0111.628] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="B1") returned 2 [0111.629] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="4F") returned 2 [0111.629] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="A2") returned 2 [0111.629] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="F4") returned 2 [0111.629] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="2A") returned 2 [0111.629] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="BE") returned 2 [0111.629] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="AE") returned 2 [0111.629] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="7E") returned 2 [0111.629] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="B8") returned 2 [0111.629] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="6F") returned 2 [0111.629] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="39") returned 2 [0111.629] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="1C") returned 2 [0111.643] lstrcpyW (in: lpString1=0x3bd8114, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab" [0111.643] lstrcpyW (in: lpString1=0x3bc8114, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab" [0111.643] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab", lpString2=".9F830D6405817EAF69B6806CBC75A57170C4461AB14FA2F42ABEAE7EB86F391C" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab.9F830D6405817EAF69B6806CBC75A57170C4461AB14FA2F42ABEAE7EB86F391C") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab.9F830D6405817EAF69B6806CBC75A57170C4461AB14FA2F42ABEAE7EB86F391C" [0111.643] CreateIoCompletionPort (FileHandle=0x114, ExistingCompletionPort=0x94, CompletionKey=0x3bc80e0, NumberOfConcurrentThreads=0x0) returned 0x94 [0111.643] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc80e0, lpOverlapped=0x3bc80e0) returned 1 [0111.643] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f9b3800, ftCreationTime.dwHighDateTime=0x1cf3dd3, ftLastAccessTime.dwLowDateTime=0x4f9b3800, ftLastAccessTime.dwHighDateTime=0x1cf3dd3, ftLastWriteTime.dwLowDateTime=0x4f9b3800, ftLastWriteTime.dwHighDateTime=0x1cf3dd3, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x5a4bd0, dwReserved1=0xfe000000, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0111.643] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="Windows") returned -1 [0111.643] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="Program Files") returned 1 [0111.643] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="Program Files (x86)") returned 1 [0111.643] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="$Recycle.bin") returned 1 [0111.643] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="System Volume Information") returned 1 [0111.643] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2=".") returned 1 [0111.643] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="..") returned 1 [0111.644] wnsprintfW (in: pszDest=0x3bb80d8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned 144 [0111.644] lstrcmpW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="PUSSY.TXT") returned 1 [0111.644] PathFindExtensionW (pszPath="vc_runtimeAdditional_x86.msi") returned=".msi" [0111.644] lstrlenW (lpString=".msi") returned 4 [0111.644] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0111.644] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0111.644] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=143360) returned 1 [0111.644] GetProcessHeap () returned 0x4c0000 [0111.644] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c28098 [0111.659] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="40") returned 2 [0111.659] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="91") returned 2 [0111.659] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="D3") returned 2 [0111.659] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="24") returned 2 [0111.659] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="F9") returned 2 [0111.659] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="DD") returned 2 [0111.659] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="4B") returned 2 [0111.659] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="2B") returned 2 [0111.659] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="A6") returned 2 [0111.659] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="90") returned 2 [0111.659] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="AC") returned 2 [0111.659] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="D5") returned 2 [0111.659] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="8E") returned 2 [0111.659] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="D3") returned 2 [0111.659] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="C1") returned 2 [0111.659] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="79") returned 2 [0111.659] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="4D") returned 2 [0111.659] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="7D") returned 2 [0111.660] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="11") returned 2 [0111.660] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="8C") returned 2 [0111.660] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="22") returned 2 [0111.660] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="CC") returned 2 [0111.660] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="DA") returned 2 [0111.660] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="44") returned 2 [0111.660] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="3E") returned 2 [0111.660] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="A7") returned 2 [0111.660] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="18") returned 2 [0111.660] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="2D") returned 2 [0111.660] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="8D") returned 2 [0111.660] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="E5") returned 2 [0111.660] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="D6") returned 2 [0111.660] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="34") returned 2 [0111.673] lstrcpyW (in: lpString1=0x3c380cc, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" [0111.673] lstrcpyW (in: lpString1=0x3c280cc, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" [0111.673] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi", lpString2=".4091D324F9DD4B2BA690ACD58ED3C1794D7D118C22CCDA443EA7182D8DE5D634" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi.4091D324F9DD4B2BA690ACD58ED3C1794D7D118C22CCDA443EA7182D8DE5D634") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi.4091D324F9DD4B2BA690ACD58ED3C1794D7D118C22CCDA443EA7182D8DE5D634" [0111.673] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x3c28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0111.674] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c28098, lpOverlapped=0x3c28098) returned 1 [0111.674] FindNextFileW (in: hFindFile=0x4dbf10, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f9b3800, ftCreationTime.dwHighDateTime=0x1cf3dd3, ftLastAccessTime.dwLowDateTime=0x4f9b3800, ftLastAccessTime.dwHighDateTime=0x1cf3dd3, ftLastWriteTime.dwLowDateTime=0x4f9b3800, ftLastWriteTime.dwHighDateTime=0x1cf3dd3, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x5a4bd0, dwReserved1=0xfe000000, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0111.674] FindClose (in: hFindFile=0x4dbf10 | out: hFindFile=0x4dbf10) returned 1 [0111.674] wnsprintfW (in: pszDest=0x3bb80d8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\PUSSY.TXT") returned 125 [0111.674] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0111.675] lstrlenA (lpString="abcd") returned 4 [0111.675] WriteFile (in: hFile=0x174, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0111.676] CloseHandle (hObject=0x174) returned 1 [0111.676] GetProcessHeap () returned 0x4c0000 [0111.676] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bb80d8 | out: hHeap=0x4c0000) returned 1 [0111.676] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcc07b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcc07b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a4bd0, dwReserved1=0x77c61b06, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0111.676] FindClose (in: hFindFile=0x4e29a0 | out: hFindFile=0x4e29a0) returned 1 [0111.676] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\PUSSY.TXT") returned 101 [0111.676] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0111.679] lstrlenA (lpString="abcd") returned 4 [0111.679] WriteFile (in: hFile=0x19c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0111.680] CloseHandle (hObject=0x19c) returned 1 [0111.680] GetProcessHeap () returned 0x4c0000 [0111.680] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0111.682] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="packages", cAlternateFileName="")) returned 0 [0111.682] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0111.682] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\PUSSY.TXT") returned 92 [0111.682] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0111.683] lstrlenA (lpString="abcd") returned 4 [0111.683] WriteFile (in: hFile=0x190, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0111.684] CloseHandle (hObject=0x190) returned 1 [0111.684] GetProcessHeap () returned 0x4c0000 [0111.684] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0111.684] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", cAlternateFileName="{F8CFE~1.210")) returned 0 [0111.684] FindClose (in: hFindFile=0x4e2920 | out: hFindFile=0x4e2920) returned 1 [0111.684] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\PUSSY.TXT") returned 42 [0111.684] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\PUSSY.TXT" (normalized: "c:\\programdata\\package cache\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0111.684] lstrlenA (lpString="abcd") returned 4 [0111.685] WriteFile (in: hFile=0x194, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28e5ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28e5ec*=0x4, lpOverlapped=0x0) returned 1 [0111.686] CloseHandle (hObject=0x194) returned 1 [0111.686] GetProcessHeap () returned 0x4c0000 [0111.686] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0111.687] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307753b3, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307753b3, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307753b3, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0111.687] lstrcmpiW (lpString1="Start Menu", lpString2="Windows") returned -1 [0111.687] lstrcmpiW (lpString1="Start Menu", lpString2="Program Files") returned 1 [0111.687] lstrcmpiW (lpString1="Start Menu", lpString2="Program Files (x86)") returned 1 [0111.687] lstrcmpiW (lpString1="Start Menu", lpString2="$Recycle.bin") returned 1 [0111.687] lstrcmpiW (lpString1="Start Menu", lpString2="System Volume Information") returned -1 [0111.687] lstrcmpiW (lpString1="Start Menu", lpString2=".") returned 1 [0111.687] lstrcmpiW (lpString1="Start Menu", lpString2="..") returned 1 [0111.687] wnsprintfW (in: pszDest=0x3b28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Start Menu") returned 29 [0111.687] GetProcessHeap () returned 0x4c0000 [0111.687] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bb80d8 [0111.688] lstrcpyW (in: lpString1=0x3bb80d8, lpString2="\\\\?\\C:\\ProgramData\\Start Menu" | out: lpString1="\\\\?\\C:\\ProgramData\\Start Menu") returned="\\\\?\\C:\\ProgramData\\Start Menu" [0111.688] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Start Menu", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Start Menu\\*") returned="\\\\?\\C:\\ProgramData\\Start Menu\\*" [0111.688] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Start Menu\\*", lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", cAlternateFileName="u")) returned 0xffffffff [0111.688] GetProcessHeap () returned 0x4c0000 [0111.688] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bb80d8 | out: hHeap=0x4c0000) returned 1 [0111.691] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Sun", cAlternateFileName="")) returned 1 [0111.691] lstrcmpiW (lpString1="Sun", lpString2="Windows") returned -1 [0111.691] lstrcmpiW (lpString1="Sun", lpString2="Program Files") returned 1 [0111.691] lstrcmpiW (lpString1="Sun", lpString2="Program Files (x86)") returned 1 [0111.691] lstrcmpiW (lpString1="Sun", lpString2="$Recycle.bin") returned 1 [0111.691] lstrcmpiW (lpString1="Sun", lpString2="System Volume Information") returned -1 [0111.691] lstrcmpiW (lpString1="Sun", lpString2=".") returned 1 [0111.691] lstrcmpiW (lpString1="Sun", lpString2="..") returned 1 [0111.691] wnsprintfW (in: pszDest=0x3b28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Sun") returned 22 [0111.691] GetProcessHeap () returned 0x4c0000 [0111.691] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bb80d8 [0111.692] lstrcpyW (in: lpString1=0x3bb80d8, lpString2="\\\\?\\C:\\ProgramData\\Sun" | out: lpString1="\\\\?\\C:\\ProgramData\\Sun") returned="\\\\?\\C:\\ProgramData\\Sun" [0111.692] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Sun", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Sun\\*") returned="\\\\?\\C:\\ProgramData\\Sun\\*" [0111.692] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Sun\\*", lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4ddbc8 [0111.817] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0111.817] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0111.817] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0111.817] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0111.817] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0111.817] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0111.817] FindNextFileW (in: hFindFile=0x4ddbc8, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0111.817] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0111.817] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0111.817] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0111.817] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0111.817] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0111.817] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0111.817] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0111.817] FindNextFileW (in: hFindFile=0x4ddbc8, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="Java", cAlternateFileName="")) returned 1 [0111.817] lstrcmpiW (lpString1="Java", lpString2="Windows") returned -1 [0111.817] lstrcmpiW (lpString1="Java", lpString2="Program Files") returned -1 [0111.817] lstrcmpiW (lpString1="Java", lpString2="Program Files (x86)") returned -1 [0111.817] lstrcmpiW (lpString1="Java", lpString2="$Recycle.bin") returned 1 [0111.818] lstrcmpiW (lpString1="Java", lpString2="System Volume Information") returned -1 [0111.818] lstrcmpiW (lpString1="Java", lpString2=".") returned 1 [0111.818] lstrcmpiW (lpString1="Java", lpString2="..") returned 1 [0111.818] wnsprintfW (in: pszDest=0x3bb80d8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Sun\\Java") returned 27 [0111.818] GetProcessHeap () returned 0x4c0000 [0111.818] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0111.819] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\ProgramData\\Sun\\Java" | out: lpString1="\\\\?\\C:\\ProgramData\\Sun\\Java") returned="\\\\?\\C:\\ProgramData\\Sun\\Java" [0111.819] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Sun\\Java", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Sun\\Java\\*") returned="\\\\?\\C:\\ProgramData\\Sun\\Java\\*" [0111.819] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Sun\\Java\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4ddc08 [0111.819] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0111.819] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0111.819] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0111.819] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0111.819] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0111.820] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0111.820] FindNextFileW (in: hFindFile=0x4ddc08, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0111.820] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0111.820] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0111.820] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0111.820] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0111.820] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0111.820] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0111.820] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0111.820] FindNextFileW (in: hFindFile=0x4ddc08, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="Java Update", cAlternateFileName="JAVAUP~1")) returned 1 [0111.820] lstrcmpiW (lpString1="Java Update", lpString2="Windows") returned -1 [0111.820] lstrcmpiW (lpString1="Java Update", lpString2="Program Files") returned -1 [0111.820] lstrcmpiW (lpString1="Java Update", lpString2="Program Files (x86)") returned -1 [0111.820] lstrcmpiW (lpString1="Java Update", lpString2="$Recycle.bin") returned 1 [0111.820] lstrcmpiW (lpString1="Java Update", lpString2="System Volume Information") returned -1 [0111.820] lstrcmpiW (lpString1="Java Update", lpString2=".") returned 1 [0111.820] lstrcmpiW (lpString1="Java Update", lpString2="..") returned 1 [0111.820] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update") returned 39 [0111.820] GetProcessHeap () returned 0x4c0000 [0111.821] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0111.822] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update" | out: lpString1="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update") returned="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update" [0111.822] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\*") returned="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\*" [0111.822] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a4bd0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4e2920 [0111.822] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0111.822] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0111.822] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0111.822] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0111.823] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0111.823] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0111.823] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a4bd0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0111.823] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0111.823] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0111.823] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0111.823] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0111.823] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0111.823] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0111.823] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0111.823] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x77, dwReserved0=0x5a4bd0, dwReserved1=0x77c61b06, cFileName="jaureglist.xml", cAlternateFileName="JAUREG~1.XML")) returned 1 [0111.823] lstrcmpiW (lpString1="jaureglist.xml", lpString2="Windows") returned -1 [0111.823] lstrcmpiW (lpString1="jaureglist.xml", lpString2="Program Files") returned -1 [0111.823] lstrcmpiW (lpString1="jaureglist.xml", lpString2="Program Files (x86)") returned -1 [0111.823] lstrcmpiW (lpString1="jaureglist.xml", lpString2="$Recycle.bin") returned 1 [0111.823] lstrcmpiW (lpString1="jaureglist.xml", lpString2="System Volume Information") returned -1 [0111.823] lstrcmpiW (lpString1="jaureglist.xml", lpString2=".") returned 1 [0111.823] lstrcmpiW (lpString1="jaureglist.xml", lpString2="..") returned 1 [0111.823] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\jaureglist.xml") returned 54 [0111.823] lstrcmpW (lpString1="jaureglist.xml", lpString2="PUSSY.TXT") returned -1 [0111.823] PathFindExtensionW (pszPath="jaureglist.xml") returned=".xml" [0111.823] lstrlenW (lpString=".xml") returned 4 [0111.823] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0111.824] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\jaureglist.xml" (normalized: "c:\\programdata\\sun\\java\\java update\\jaureglist.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x190 [0111.824] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=119) returned 1 [0111.824] CloseHandle (hObject=0x190) returned 1 [0111.824] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x77, dwReserved0=0x5a4bd0, dwReserved1=0x77c61b06, cFileName="jaureglist.xml", cAlternateFileName="JAUREG~1.XML")) returned 0 [0111.824] FindClose (in: hFindFile=0x4e2920 | out: hFindFile=0x4e2920) returned 1 [0111.824] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\PUSSY.TXT") returned 49 [0111.825] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\PUSSY.TXT" (normalized: "c:\\programdata\\sun\\java\\java update\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0111.852] lstrlenA (lpString="abcd") returned 4 [0111.852] WriteFile (in: hFile=0x194, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0111.853] CloseHandle (hObject=0x194) returned 1 [0111.853] GetProcessHeap () returned 0x4c0000 [0111.853] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0111.853] FindNextFileW (in: hFindFile=0x4ddc08, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="Java Update", cAlternateFileName="JAVAUP~1")) returned 0 [0111.853] FindClose (in: hFindFile=0x4ddc08 | out: hFindFile=0x4ddc08) returned 1 [0111.854] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Sun\\Java\\PUSSY.TXT") returned 37 [0111.854] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Sun\\Java\\PUSSY.TXT" (normalized: "c:\\programdata\\sun\\java\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0111.854] lstrlenA (lpString="abcd") returned 4 [0111.854] WriteFile (in: hFile=0x180, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0111.855] CloseHandle (hObject=0x180) returned 1 [0111.855] GetProcessHeap () returned 0x4c0000 [0111.855] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0111.857] FindNextFileW (in: hFindFile=0x4ddbc8, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="Java", cAlternateFileName="")) returned 0 [0111.857] FindClose (in: hFindFile=0x4ddbc8 | out: hFindFile=0x4ddbc8) returned 1 [0111.857] wnsprintfW (in: pszDest=0x3bb80d8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Sun\\PUSSY.TXT") returned 32 [0111.857] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Sun\\PUSSY.TXT" (normalized: "c:\\programdata\\sun\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0111.858] lstrlenA (lpString="abcd") returned 4 [0111.858] WriteFile (in: hFile=0x1a4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28e5ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28e5ec*=0x4, lpOverlapped=0x0) returned 1 [0111.859] CloseHandle (hObject=0x1a4) returned 1 [0111.859] GetProcessHeap () returned 0x4c0000 [0111.859] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bb80d8 | out: hHeap=0x4c0000) returned 1 [0111.859] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307753b3, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307753b3, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307753b3, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0111.859] lstrcmpiW (lpString1="Templates", lpString2="Windows") returned -1 [0111.859] lstrcmpiW (lpString1="Templates", lpString2="Program Files") returned 1 [0111.859] lstrcmpiW (lpString1="Templates", lpString2="Program Files (x86)") returned 1 [0111.859] lstrcmpiW (lpString1="Templates", lpString2="$Recycle.bin") returned 1 [0111.859] lstrcmpiW (lpString1="Templates", lpString2="System Volume Information") returned 1 [0111.859] lstrcmpiW (lpString1="Templates", lpString2=".") returned 1 [0111.859] lstrcmpiW (lpString1="Templates", lpString2="..") returned 1 [0111.860] wnsprintfW (in: pszDest=0x3b28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Templates") returned 28 [0111.860] GetProcessHeap () returned 0x4c0000 [0111.860] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bb80d8 [0111.860] lstrcpyW (in: lpString1=0x3bb80d8, lpString2="\\\\?\\C:\\ProgramData\\Templates" | out: lpString1="\\\\?\\C:\\ProgramData\\Templates") returned="\\\\?\\C:\\ProgramData\\Templates" [0111.860] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Templates", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Templates\\*") returned="\\\\?\\C:\\ProgramData\\Templates\\*" [0111.860] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Templates\\*", lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="Java", cAlternateFileName="s")) returned 0xffffffff [0111.860] GetProcessHeap () returned 0x4c0000 [0111.860] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bb80d8 | out: hHeap=0x4c0000) returned 1 [0111.860] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307753b3, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307753b3, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307753b3, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 0 [0111.860] FindClose (in: hFindFile=0x4e22d0 | out: hFindFile=0x4e22d0) returned 1 [0111.860] wnsprintfW (in: pszDest=0x3b28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\PUSSY.TXT") returned 28 [0111.861] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\PUSSY.TXT" (normalized: "c:\\programdata\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0111.861] lstrlenA (lpString="abcd") returned 4 [0111.861] WriteFile (in: hFile=0x160, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28ed8c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28ed8c*=0x4, lpOverlapped=0x0) returned 1 [0111.862] CloseHandle (hObject=0x160) returned 1 [0111.862] GetProcessHeap () returned 0x4c0000 [0111.862] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b28098 | out: hHeap=0x4c0000) returned 1 [0111.863] FindNextFileW (in: hFindFile=0x4d5718, lpFindFileData=0x28f2d8 | out: lpFindFileData=0x28f2d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27cc8060, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27cc8060, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recovery", cAlternateFileName="")) returned 1 [0111.863] lstrcmpiW (lpString1="Recovery", lpString2="Windows") returned -1 [0111.863] lstrcmpiW (lpString1="Recovery", lpString2="Program Files") returned 1 [0111.863] lstrcmpiW (lpString1="Recovery", lpString2="Program Files (x86)") returned 1 [0111.863] lstrcmpiW (lpString1="Recovery", lpString2="$Recycle.bin") returned 1 [0111.863] lstrcmpiW (lpString1="Recovery", lpString2="System Volume Information") returned -1 [0111.863] lstrcmpiW (lpString1="Recovery", lpString2=".") returned 1 [0111.863] lstrcmpiW (lpString1="Recovery", lpString2="..") returned 1 [0111.863] wnsprintfW (in: pszDest=0x4f2a80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Recovery") returned 15 [0111.863] GetProcessHeap () returned 0x4c0000 [0111.863] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bb80d8 [0111.863] lstrcpyW (in: lpString1=0x3bb80d8, lpString2="\\\\?\\C:\\Recovery" | out: lpString1="\\\\?\\C:\\Recovery") returned="\\\\?\\C:\\Recovery" [0111.863] lstrcatW (in: lpString1="\\\\?\\C:\\Recovery", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Recovery\\*") returned="\\\\?\\C:\\Recovery\\*" [0111.863] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Recovery\\*", lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27cc8060, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27cc8060, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e22d0 [0111.864] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0111.864] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0111.864] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0111.864] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0111.864] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0111.865] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0111.865] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27cc8060, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27cc8060, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0111.865] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0111.865] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0111.865] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0111.865] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0111.865] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0111.865] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0111.865] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0111.865] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27c2fae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27c2fae0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", cAlternateFileName="E9E239~1")) returned 1 [0111.865] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="Windows") returned -1 [0111.865] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="Program Files") returned -1 [0111.865] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="Program Files (x86)") returned -1 [0111.865] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="$Recycle.bin") returned 1 [0111.866] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="System Volume Information") returned -1 [0111.866] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2=".") returned 1 [0111.866] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="..") returned 1 [0111.866] wnsprintfW (in: pszDest=0x3bb80d8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned 52 [0111.866] GetProcessHeap () returned 0x4c0000 [0111.866] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0111.866] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b" | out: lpString1="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b" [0111.866] lstrcatW (in: lpString1="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\*") returned="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\*" [0111.866] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\*", lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27c2fae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27c2fae0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4ddbc8 [0111.867] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0111.867] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0111.867] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0111.867] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0111.867] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0111.867] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0111.867] FindNextFileW (in: hFindFile=0x4ddbc8, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27c2fae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27c2fae0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0111.867] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0111.867] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0111.867] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0111.867] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0111.867] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0111.867] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0111.867] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0111.867] FindNextFileW (in: hFindFile=0x4ddbc8, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0x27c2fae0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27c2fae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x4185decd, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x306000, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="boot.sdi", cAlternateFileName="")) returned 1 [0111.867] lstrcmpiW (lpString1="boot.sdi", lpString2="Windows") returned -1 [0111.867] lstrcmpiW (lpString1="boot.sdi", lpString2="Program Files") returned -1 [0111.867] lstrcmpiW (lpString1="boot.sdi", lpString2="Program Files (x86)") returned -1 [0111.867] lstrcmpiW (lpString1="boot.sdi", lpString2="$Recycle.bin") returned 1 [0111.868] lstrcmpiW (lpString1="boot.sdi", lpString2="System Volume Information") returned -1 [0111.868] lstrcmpiW (lpString1="boot.sdi", lpString2=".") returned 1 [0111.868] lstrcmpiW (lpString1="boot.sdi", lpString2="..") returned 1 [0111.868] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi") returned 61 [0111.868] lstrcmpW (lpString1="boot.sdi", lpString2="PUSSY.TXT") returned -1 [0111.868] PathFindExtensionW (pszPath="boot.sdi") returned=".sdi" [0111.868] lstrlenW (lpString=".sdi") returned 4 [0111.868] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0111.868] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x180 [0111.868] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x28e278 | out: lpFileSize=0x28e278*=3170304) returned 1 [0111.868] GetProcessHeap () returned 0x4c0000 [0111.868] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c500e8 [0111.879] wsprintfW (in: param_1=0x28e2c6, param_2="%02X" | out: param_1="68") returned 2 [0111.879] wsprintfW (in: param_1=0x28e2ca, param_2="%02X" | out: param_1="6D") returned 2 [0111.879] wsprintfW (in: param_1=0x28e2ce, param_2="%02X" | out: param_1="C4") returned 2 [0111.879] wsprintfW (in: param_1=0x28e2d2, param_2="%02X" | out: param_1="26") returned 2 [0111.879] wsprintfW (in: param_1=0x28e2d6, param_2="%02X" | out: param_1="11") returned 2 [0111.879] wsprintfW (in: param_1=0x28e2da, param_2="%02X" | out: param_1="82") returned 2 [0111.879] wsprintfW (in: param_1=0x28e2de, param_2="%02X" | out: param_1="45") returned 2 [0111.879] wsprintfW (in: param_1=0x28e2e2, param_2="%02X" | out: param_1="01") returned 2 [0111.879] wsprintfW (in: param_1=0x28e2e6, param_2="%02X" | out: param_1="A1") returned 2 [0111.879] wsprintfW (in: param_1=0x28e2ea, param_2="%02X" | out: param_1="F3") returned 2 [0111.879] wsprintfW (in: param_1=0x28e2ee, param_2="%02X" | out: param_1="EF") returned 2 [0111.879] wsprintfW (in: param_1=0x28e2f2, param_2="%02X" | out: param_1="65") returned 2 [0111.879] wsprintfW (in: param_1=0x28e2f6, param_2="%02X" | out: param_1="8F") returned 2 [0111.879] wsprintfW (in: param_1=0x28e2fa, param_2="%02X" | out: param_1="97") returned 2 [0111.879] wsprintfW (in: param_1=0x28e2fe, param_2="%02X" | out: param_1="87") returned 2 [0111.879] wsprintfW (in: param_1=0x28e302, param_2="%02X" | out: param_1="00") returned 2 [0111.879] wsprintfW (in: param_1=0x28e306, param_2="%02X" | out: param_1="56") returned 2 [0111.880] wsprintfW (in: param_1=0x28e30a, param_2="%02X" | out: param_1="9F") returned 2 [0111.880] wsprintfW (in: param_1=0x28e30e, param_2="%02X" | out: param_1="17") returned 2 [0111.880] wsprintfW (in: param_1=0x28e312, param_2="%02X" | out: param_1="9F") returned 2 [0111.880] wsprintfW (in: param_1=0x28e316, param_2="%02X" | out: param_1="8A") returned 2 [0111.880] wsprintfW (in: param_1=0x28e31a, param_2="%02X" | out: param_1="6A") returned 2 [0111.880] wsprintfW (in: param_1=0x28e31e, param_2="%02X" | out: param_1="7B") returned 2 [0111.880] wsprintfW (in: param_1=0x28e322, param_2="%02X" | out: param_1="28") returned 2 [0111.880] wsprintfW (in: param_1=0x28e326, param_2="%02X" | out: param_1="43") returned 2 [0111.880] wsprintfW (in: param_1=0x28e32a, param_2="%02X" | out: param_1="E8") returned 2 [0111.880] wsprintfW (in: param_1=0x28e32e, param_2="%02X" | out: param_1="FB") returned 2 [0111.880] wsprintfW (in: param_1=0x28e332, param_2="%02X" | out: param_1="39") returned 2 [0111.880] wsprintfW (in: param_1=0x28e336, param_2="%02X" | out: param_1="D7") returned 2 [0111.880] wsprintfW (in: param_1=0x28e33a, param_2="%02X" | out: param_1="2B") returned 2 [0111.880] wsprintfW (in: param_1=0x28e33e, param_2="%02X" | out: param_1="F1") returned 2 [0111.880] wsprintfW (in: param_1=0x28e342, param_2="%02X" | out: param_1="65") returned 2 [0111.891] lstrcpyW (in: lpString1=0x3c6011c, lpString2="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi" | out: lpString1="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi") returned="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi" [0111.892] lstrcpyW (in: lpString1=0x3c5011c, lpString2="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi" | out: lpString1="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi") returned="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi" [0111.892] lstrcatW (in: lpString1="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpString2=".686DC42611824501A1F3EF658F978700569F179F8A6A7B2843E8FB39D72BF165" | out: lpString1="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.686DC42611824501A1F3EF658F978700569F179F8A6A7B2843E8FB39D72BF165") returned="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.686DC42611824501A1F3EF658F978700569F179F8A6A7B2843E8FB39D72BF165" [0111.892] CreateIoCompletionPort (FileHandle=0x180, ExistingCompletionPort=0x94, CompletionKey=0x3c500e8, NumberOfConcurrentThreads=0x0) returned 0x94 [0111.892] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c500e8, lpOverlapped=0x3c500e8) returned 1 [0111.892] FindNextFileW (in: hFindFile=0x4ddbc8, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0x6496a3c6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x64b0e1b9, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfa6eb761, ftLastWriteTime.dwHighDateTime=0x1cb88d1, nFileSizeHigh=0x0, nFileSizeLow=0xa160012, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="Winre.wim", cAlternateFileName="")) returned 1 [0111.892] lstrcmpiW (lpString1="Winre.wim", lpString2="Windows") returned 1 [0111.892] lstrcmpiW (lpString1="Winre.wim", lpString2="Program Files") returned 1 [0111.892] lstrcmpiW (lpString1="Winre.wim", lpString2="Program Files (x86)") returned 1 [0111.892] lstrcmpiW (lpString1="Winre.wim", lpString2="$Recycle.bin") returned 1 [0111.892] lstrcmpiW (lpString1="Winre.wim", lpString2="System Volume Information") returned 1 [0111.892] lstrcmpiW (lpString1="Winre.wim", lpString2=".") returned 1 [0111.892] lstrcmpiW (lpString1="Winre.wim", lpString2="..") returned 1 [0111.892] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim") returned 62 [0111.892] lstrcmpW (lpString1="Winre.wim", lpString2="PUSSY.TXT") returned 1 [0111.892] PathFindExtensionW (pszPath="Winre.wim") returned=".wim" [0111.892] lstrlenW (lpString=".wim") returned 4 [0111.892] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0111.892] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\winre.wim"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0111.895] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28e278 | out: lpFileSize=0x28e278*=169213970) returned 1 [0111.895] GetProcessHeap () returned 0x4c0000 [0111.895] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b00048 [0111.904] wsprintfW (in: param_1=0x28e2c6, param_2="%02X" | out: param_1="1D") returned 2 [0111.904] wsprintfW (in: param_1=0x28e2ca, param_2="%02X" | out: param_1="EF") returned 2 [0111.904] wsprintfW (in: param_1=0x28e2ce, param_2="%02X" | out: param_1="FA") returned 2 [0111.904] wsprintfW (in: param_1=0x28e2d2, param_2="%02X" | out: param_1="D8") returned 2 [0111.904] wsprintfW (in: param_1=0x28e2d6, param_2="%02X" | out: param_1="6B") returned 2 [0111.904] wsprintfW (in: param_1=0x28e2da, param_2="%02X" | out: param_1="67") returned 2 [0111.904] wsprintfW (in: param_1=0x28e2de, param_2="%02X" | out: param_1="5C") returned 2 [0111.904] wsprintfW (in: param_1=0x28e2e2, param_2="%02X" | out: param_1="82") returned 2 [0111.904] wsprintfW (in: param_1=0x28e2e6, param_2="%02X" | out: param_1="04") returned 2 [0111.904] wsprintfW (in: param_1=0x28e2ea, param_2="%02X" | out: param_1="C2") returned 2 [0111.904] wsprintfW (in: param_1=0x28e2ee, param_2="%02X" | out: param_1="6A") returned 2 [0111.904] wsprintfW (in: param_1=0x28e2f2, param_2="%02X" | out: param_1="26") returned 2 [0111.904] wsprintfW (in: param_1=0x28e2f6, param_2="%02X" | out: param_1="47") returned 2 [0111.904] wsprintfW (in: param_1=0x28e2fa, param_2="%02X" | out: param_1="29") returned 2 [0111.904] wsprintfW (in: param_1=0x28e2fe, param_2="%02X" | out: param_1="09") returned 2 [0111.904] wsprintfW (in: param_1=0x28e302, param_2="%02X" | out: param_1="20") returned 2 [0111.904] wsprintfW (in: param_1=0x28e306, param_2="%02X" | out: param_1="D2") returned 2 [0111.904] wsprintfW (in: param_1=0x28e30a, param_2="%02X" | out: param_1="A9") returned 2 [0111.904] wsprintfW (in: param_1=0x28e30e, param_2="%02X" | out: param_1="5D") returned 2 [0111.904] wsprintfW (in: param_1=0x28e312, param_2="%02X" | out: param_1="BB") returned 2 [0111.904] wsprintfW (in: param_1=0x28e316, param_2="%02X" | out: param_1="D6") returned 2 [0111.904] wsprintfW (in: param_1=0x28e31a, param_2="%02X" | out: param_1="CB") returned 2 [0111.905] wsprintfW (in: param_1=0x28e31e, param_2="%02X" | out: param_1="46") returned 2 [0111.905] wsprintfW (in: param_1=0x28e322, param_2="%02X" | out: param_1="64") returned 2 [0111.905] wsprintfW (in: param_1=0x28e326, param_2="%02X" | out: param_1="D6") returned 2 [0111.905] wsprintfW (in: param_1=0x28e32a, param_2="%02X" | out: param_1="41") returned 2 [0111.905] wsprintfW (in: param_1=0x28e32e, param_2="%02X" | out: param_1="98") returned 2 [0111.905] wsprintfW (in: param_1=0x28e332, param_2="%02X" | out: param_1="53") returned 2 [0111.905] wsprintfW (in: param_1=0x28e336, param_2="%02X" | out: param_1="E3") returned 2 [0111.905] wsprintfW (in: param_1=0x28e33a, param_2="%02X" | out: param_1="10") returned 2 [0111.905] wsprintfW (in: param_1=0x28e33e, param_2="%02X" | out: param_1="C2") returned 2 [0111.905] wsprintfW (in: param_1=0x28e342, param_2="%02X" | out: param_1="68") returned 2 [0111.913] lstrcpyW (in: lpString1=0x3b1007c, lpString2="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim" | out: lpString1="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim") returned="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim" [0111.913] lstrcpyW (in: lpString1=0x3b0007c, lpString2="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim" | out: lpString1="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim") returned="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim" [0111.913] lstrcatW (in: lpString1="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpString2=".1DEFFAD86B675C8204C26A2647290920D2A95DBBD6CB4664D6419853E310C268" | out: lpString1="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim.1DEFFAD86B675C8204C26A2647290920D2A95DBBD6CB4664D6419853E310C268") returned="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim.1DEFFAD86B675C8204C26A2647290920D2A95DBBD6CB4664D6419853E310C268" [0111.913] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0x94, CompletionKey=0x3b00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0111.913] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b00048, lpOverlapped=0x3b00048) returned 1 [0111.913] FindNextFileW (in: hFindFile=0x4ddbc8, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0x6496a3c6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x64b0e1b9, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfa6eb761, ftLastWriteTime.dwHighDateTime=0x1cb88d1, nFileSizeHigh=0x0, nFileSizeLow=0xa160012, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="Winre.wim", cAlternateFileName="")) returned 0 [0111.913] FindClose (in: hFindFile=0x4ddbc8 | out: hFindFile=0x4ddbc8) returned 1 [0111.913] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\PUSSY.TXT") returned 62 [0111.913] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\PUSSY.TXT" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0111.914] lstrlenA (lpString="abcd") returned 4 [0111.914] WriteFile (in: hFile=0x1a4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28e5ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28e5ec*=0x4, lpOverlapped=0x0) returned 1 [0111.915] CloseHandle (hObject=0x1a4) returned 1 [0111.915] GetProcessHeap () returned 0x4c0000 [0111.915] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0111.915] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27c2fae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27c2fae0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", cAlternateFileName="E9E239~1")) returned 0 [0111.915] FindClose (in: hFindFile=0x4e22d0 | out: hFindFile=0x4e22d0) returned 1 [0111.915] wnsprintfW (in: pszDest=0x3bb80d8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Recovery\\PUSSY.TXT") returned 25 [0111.916] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\PUSSY.TXT" (normalized: "c:\\recovery\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0111.916] lstrlenA (lpString="abcd") returned 4 [0111.916] WriteFile (in: hFile=0x160, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28ed8c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28ed8c*=0x4, lpOverlapped=0x0) returned 1 [0111.917] CloseHandle (hObject=0x160) returned 1 [0111.917] GetProcessHeap () returned 0x4c0000 [0111.917] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bb80d8 | out: hHeap=0x4c0000) returned 1 [0111.917] FindNextFileW (in: hFindFile=0x4d5718, lpFindFileData=0x28f2d8 | out: lpFindFileData=0x28f2d8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x56231c60, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0xa1602bc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa1602bc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="System Volume Information", cAlternateFileName="SYSTEM~1")) returned 1 [0111.917] lstrcmpiW (lpString1="System Volume Information", lpString2="Windows") returned -1 [0111.917] lstrcmpiW (lpString1="System Volume Information", lpString2="Program Files") returned 1 [0111.917] lstrcmpiW (lpString1="System Volume Information", lpString2="Program Files (x86)") returned 1 [0111.917] lstrcmpiW (lpString1="System Volume Information", lpString2="$Recycle.bin") returned 1 [0111.917] lstrcmpiW (lpString1="System Volume Information", lpString2="System Volume Information") returned 0 [0111.917] FindNextFileW (in: hFindFile=0x4d5718, lpFindFileData=0x28f2d8 | out: lpFindFileData=0x28f2d8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 1 [0111.917] lstrcmpiW (lpString1="Users", lpString2="Windows") returned -1 [0111.917] lstrcmpiW (lpString1="Users", lpString2="Program Files") returned 1 [0111.917] lstrcmpiW (lpString1="Users", lpString2="Program Files (x86)") returned 1 [0111.917] lstrcmpiW (lpString1="Users", lpString2="$Recycle.bin") returned 1 [0111.917] lstrcmpiW (lpString1="Users", lpString2="System Volume Information") returned 1 [0111.917] lstrcmpiW (lpString1="Users", lpString2=".") returned 1 [0111.917] lstrcmpiW (lpString1="Users", lpString2="..") returned 1 [0111.917] wnsprintfW (in: pszDest=0x4f2a80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users") returned 12 [0111.917] GetProcessHeap () returned 0x4c0000 [0111.918] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bb80d8 [0111.918] lstrcpyW (in: lpString1=0x3bb80d8, lpString2="\\\\?\\C:\\Users" | out: lpString1="\\\\?\\C:\\Users") returned="\\\\?\\C:\\Users" [0111.918] lstrcatW (in: lpString1="\\\\?\\C:\\Users", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\*") returned="\\\\?\\C:\\Users\\*" [0111.918] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\*", lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4e22d0 [0111.918] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0111.918] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0111.918] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0111.918] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0111.918] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0111.918] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0111.918] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0111.918] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0111.918] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0111.918] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0111.918] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0111.918] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0111.918] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0111.918] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0111.918] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 1 [0111.918] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="Windows") returned -1 [0111.918] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="Program Files") returned -1 [0111.918] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="Program Files (x86)") returned -1 [0111.918] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="$Recycle.bin") returned 1 [0111.918] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="System Volume Information") returned -1 [0111.918] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2=".") returned 1 [0111.918] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="..") returned 1 [0111.919] wnsprintfW (in: pszDest=0x3bb80d8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz") returned 33 [0111.919] GetProcessHeap () returned 0x4c0000 [0111.919] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b28098 [0111.919] lstrcpyW (in: lpString1=0x3b28098, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz" [0111.919] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*" [0111.919] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*", lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x4ddbc8 [0111.919] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0111.919] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0111.919] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0111.919] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0111.919] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0111.919] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0111.919] FindNextFileW (in: hFindFile=0x4ddbc8, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0111.919] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0111.919] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0111.919] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0111.919] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0111.919] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0111.919] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0111.919] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0111.919] FindNextFileW (in: hFindFile=0x4ddbc8, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xe9bbeade, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e2318, dwReserved1=0xc0100080, cFileName="AppData", cAlternateFileName="")) returned 1 [0111.920] lstrcmpiW (lpString1="AppData", lpString2="Windows") returned -1 [0111.920] lstrcmpiW (lpString1="AppData", lpString2="Program Files") returned -1 [0111.920] lstrcmpiW (lpString1="AppData", lpString2="Program Files (x86)") returned -1 [0111.920] lstrcmpiW (lpString1="AppData", lpString2="$Recycle.bin") returned 1 [0111.920] lstrcmpiW (lpString1="AppData", lpString2="System Volume Information") returned -1 [0111.920] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0111.920] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0111.920] wnsprintfW (in: pszDest=0x3b28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData") returned 41 [0111.920] GetProcessHeap () returned 0x4c0000 [0111.920] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0111.920] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData" [0111.920] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\*" [0111.920] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xe9bbeade, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x4ddc08 [0111.920] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0111.920] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0111.920] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0111.920] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0111.920] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0111.920] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0111.920] FindNextFileW (in: hFindFile=0x4ddc08, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xe9bbeade, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0111.920] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0111.920] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0111.920] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0111.920] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0111.920] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0111.920] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0111.920] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0111.920] FindNextFileW (in: hFindFile=0x4ddc08, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb264df80, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb264df80, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="Local", cAlternateFileName="")) returned 1 [0111.920] lstrcmpiW (lpString1="Local", lpString2="Windows") returned -1 [0111.921] lstrcmpiW (lpString1="Local", lpString2="Program Files") returned -1 [0111.921] lstrcmpiW (lpString1="Local", lpString2="Program Files (x86)") returned -1 [0111.921] lstrcmpiW (lpString1="Local", lpString2="$Recycle.bin") returned 1 [0111.921] lstrcmpiW (lpString1="Local", lpString2="System Volume Information") returned -1 [0111.921] lstrcmpiW (lpString1="Local", lpString2=".") returned 1 [0111.921] lstrcmpiW (lpString1="Local", lpString2="..") returned 1 [0111.921] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned 47 [0111.921] GetProcessHeap () returned 0x4c0000 [0111.921] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x52bae0 [0111.921] lstrcpyW (in: lpString1=0x52bae0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local" [0111.922] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*" [0111.922] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb264df80, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb264df80, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddc70, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x4e2920 [0111.922] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0111.922] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0111.922] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0111.922] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0111.922] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0111.922] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0111.922] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb264df80, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb264df80, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddc70, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0111.922] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0111.922] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0111.922] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0111.922] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0111.922] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0111.922] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0111.922] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0111.922] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddc70, dwReserved1=0xfe000000, cFileName="Adobe", cAlternateFileName="")) returned 1 [0111.922] lstrcmpiW (lpString1="Adobe", lpString2="Windows") returned -1 [0111.922] lstrcmpiW (lpString1="Adobe", lpString2="Program Files") returned -1 [0111.922] lstrcmpiW (lpString1="Adobe", lpString2="Program Files (x86)") returned -1 [0111.922] lstrcmpiW (lpString1="Adobe", lpString2="$Recycle.bin") returned 1 [0111.922] lstrcmpiW (lpString1="Adobe", lpString2="System Volume Information") returned -1 [0111.923] lstrcmpiW (lpString1="Adobe", lpString2=".") returned 1 [0111.923] lstrcmpiW (lpString1="Adobe", lpString2="..") returned 1 [0111.923] wnsprintfW (in: pszDest=0x52bae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe") returned 53 [0111.923] GetProcessHeap () returned 0x4c0000 [0111.923] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53caf0 [0111.923] lstrcpyW (in: lpString1=0x53caf0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe" [0111.923] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\*" [0111.923] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2d959bc5, cFileName=".", cAlternateFileName="")) returned 0x4e2960 [0111.924] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0111.924] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0111.924] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0111.924] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0111.924] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0111.924] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0111.924] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2d959bc5, cFileName="..", cAlternateFileName="")) returned 1 [0111.924] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0111.924] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0111.924] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0111.924] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0111.924] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0111.924] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0111.924] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0111.924] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2d959bc5, cFileName="Acrobat", cAlternateFileName="")) returned 1 [0111.924] lstrcmpiW (lpString1="Acrobat", lpString2="Windows") returned -1 [0111.924] lstrcmpiW (lpString1="Acrobat", lpString2="Program Files") returned -1 [0111.924] lstrcmpiW (lpString1="Acrobat", lpString2="Program Files (x86)") returned -1 [0111.924] lstrcmpiW (lpString1="Acrobat", lpString2="$Recycle.bin") returned 1 [0111.924] lstrcmpiW (lpString1="Acrobat", lpString2="System Volume Information") returned -1 [0111.924] lstrcmpiW (lpString1="Acrobat", lpString2=".") returned 1 [0111.924] lstrcmpiW (lpString1="Acrobat", lpString2="..") returned 1 [0111.924] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat") returned 61 [0111.924] GetProcessHeap () returned 0x4c0000 [0111.924] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x54db00 [0111.925] lstrcpyW (in: lpString1=0x54db00, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat" [0111.925] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\*" [0111.925] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x147b505, dwReserved1=0xff06c663, cFileName=".", cAlternateFileName="")) returned 0x4e29a0 [0111.925] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0111.925] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0111.925] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0111.925] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0111.925] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0111.925] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0111.925] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x147b505, dwReserved1=0xff06c663, cFileName="..", cAlternateFileName="")) returned 1 [0111.925] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0111.925] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0111.925] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0111.925] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0111.925] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0111.926] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0111.926] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0111.926] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xee135b70, ftLastAccessTime.dwHighDateTime=0x1d35d05, ftLastWriteTime.dwLowDateTime=0xee135b70, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x147b505, dwReserved1=0xff06c663, cFileName="10.0", cAlternateFileName="")) returned 1 [0111.926] lstrcmpiW (lpString1="10.0", lpString2="Windows") returned -1 [0111.926] lstrcmpiW (lpString1="10.0", lpString2="Program Files") returned -1 [0111.926] lstrcmpiW (lpString1="10.0", lpString2="Program Files (x86)") returned -1 [0111.926] lstrcmpiW (lpString1="10.0", lpString2="$Recycle.bin") returned 1 [0111.926] lstrcmpiW (lpString1="10.0", lpString2="System Volume Information") returned -1 [0111.926] lstrcmpiW (lpString1="10.0", lpString2=".") returned 1 [0111.926] lstrcmpiW (lpString1="10.0", lpString2="..") returned 1 [0111.926] wnsprintfW (in: pszDest=0x54db00, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0") returned 66 [0111.926] GetProcessHeap () returned 0x4c0000 [0111.926] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x55eb10 [0111.926] lstrcpyW (in: lpString1=0x55eb10, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0" [0111.926] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\*" [0111.927] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xee135b70, ftLastAccessTime.dwHighDateTime=0x1d35d05, ftLastWriteTime.dwLowDateTime=0xee135b70, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bf1138 [0111.927] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0111.927] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0111.928] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0111.928] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0111.928] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0111.928] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0111.928] FindNextFileW (in: hFindFile=0x3bf1138, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xee135b70, ftLastAccessTime.dwHighDateTime=0x1d35d05, ftLastWriteTime.dwLowDateTime=0xee135b70, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0111.928] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0111.928] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0111.928] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0111.928] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0111.928] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0111.928] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0111.928] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0111.928] FindNextFileW (in: hFindFile=0x3bf1138, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xecb5bdd0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xecb5bdd0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe952fcd0, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x892c, dwReserved0=0x3bf1228, dwReserved1=0xfe000000, cFileName="AdobeCMapFnt10.lst", cAlternateFileName="ADOBEC~1.LST")) returned 1 [0111.928] lstrcmpiW (lpString1="AdobeCMapFnt10.lst", lpString2="Windows") returned -1 [0111.928] lstrcmpiW (lpString1="AdobeCMapFnt10.lst", lpString2="Program Files") returned -1 [0111.928] lstrcmpiW (lpString1="AdobeCMapFnt10.lst", lpString2="Program Files (x86)") returned -1 [0111.928] lstrcmpiW (lpString1="AdobeCMapFnt10.lst", lpString2="$Recycle.bin") returned 1 [0111.928] lstrcmpiW (lpString1="AdobeCMapFnt10.lst", lpString2="System Volume Information") returned -1 [0111.928] lstrcmpiW (lpString1="AdobeCMapFnt10.lst", lpString2=".") returned 1 [0111.928] lstrcmpiW (lpString1="AdobeCMapFnt10.lst", lpString2="..") returned 1 [0111.928] wnsprintfW (in: pszDest=0x55eb10, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst") returned 85 [0111.928] lstrcmpW (lpString1="AdobeCMapFnt10.lst", lpString2="PUSSY.TXT") returned -1 [0111.928] PathFindExtensionW (pszPath="AdobeCMapFnt10.lst") returned=".lst" [0111.928] lstrlenW (lpString=".lst") returned 4 [0111.928] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0111.928] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\adobecmapfnt10.lst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0111.929] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=35116) returned 1 [0111.929] GetProcessHeap () returned 0x4c0000 [0111.929] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x56fb20 [0111.943] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="49") returned 2 [0111.943] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="F0") returned 2 [0111.943] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="B9") returned 2 [0111.943] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="29") returned 2 [0111.943] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="75") returned 2 [0111.952] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="63") returned 2 [0111.952] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="B7") returned 2 [0111.952] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="F9") returned 2 [0111.952] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="01") returned 2 [0111.952] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="29") returned 2 [0111.952] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="2A") returned 2 [0111.952] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="DD") returned 2 [0111.952] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="3A") returned 2 [0111.952] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="20") returned 2 [0111.952] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="76") returned 2 [0111.952] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="F2") returned 2 [0111.952] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="F9") returned 2 [0111.952] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="26") returned 2 [0111.952] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="8E") returned 2 [0111.952] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="8E") returned 2 [0111.952] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="67") returned 2 [0111.952] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="91") returned 2 [0111.952] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="20") returned 2 [0111.953] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="C4") returned 2 [0111.953] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="1B") returned 2 [0111.953] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="9D") returned 2 [0111.953] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="07") returned 2 [0111.953] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="61") returned 2 [0111.953] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="92") returned 2 [0111.953] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="36") returned 2 [0111.953] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="FF") returned 2 [0111.953] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="4B") returned 2 [0111.970] lstrcpyW (in: lpString1=0x57fb54, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst" [0111.970] lstrcpyW (in: lpString1=0x56fb54, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst" [0111.970] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst", lpString2=".49F0B9297563B7F901292ADD3A2076F2F9268E8E679120C41B9D07619236FF4B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst.49F0B9297563B7F901292ADD3A2076F2F9268E8E679120C41B9D07619236FF4B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst.49F0B9297563B7F901292ADD3A2076F2F9268E8E679120C41B9D07619236FF4B" [0111.970] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x56fb20, NumberOfConcurrentThreads=0x0) returned 0x94 [0111.970] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x56fb20, lpOverlapped=0x56fb20) returned 1 [0111.971] FindNextFileW (in: hFindFile=0x3bf1138, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xecb5bdd0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xecb5bdd0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xd9c071a0, ftLastWriteTime.dwHighDateTime=0x1d2e625, nFileSizeHigh=0x0, nFileSizeLow=0x21cdb, dwReserved0=0x3bf1228, dwReserved1=0xfe000000, cFileName="AdobeSysFnt10.lst", cAlternateFileName="ADOBES~1.LST")) returned 1 [0111.971] lstrcmpiW (lpString1="AdobeSysFnt10.lst", lpString2="Windows") returned -1 [0111.971] lstrcmpiW (lpString1="AdobeSysFnt10.lst", lpString2="Program Files") returned -1 [0111.971] lstrcmpiW (lpString1="AdobeSysFnt10.lst", lpString2="Program Files (x86)") returned -1 [0111.971] lstrcmpiW (lpString1="AdobeSysFnt10.lst", lpString2="$Recycle.bin") returned 1 [0111.971] lstrcmpiW (lpString1="AdobeSysFnt10.lst", lpString2="System Volume Information") returned -1 [0111.971] lstrcmpiW (lpString1="AdobeSysFnt10.lst", lpString2=".") returned 1 [0111.971] lstrcmpiW (lpString1="AdobeSysFnt10.lst", lpString2="..") returned 1 [0111.971] wnsprintfW (in: pszDest=0x55eb10, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeSysFnt10.lst") returned 84 [0111.971] lstrcmpW (lpString1="AdobeSysFnt10.lst", lpString2="PUSSY.TXT") returned -1 [0111.971] PathFindExtensionW (pszPath="AdobeSysFnt10.lst") returned=".lst" [0111.971] lstrlenW (lpString=".lst") returned 4 [0111.971] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0111.972] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeSysFnt10.lst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\adobesysfnt10.lst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0111.973] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=138459) returned 1 [0111.973] GetProcessHeap () returned 0x4c0000 [0111.973] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0111.989] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="DD") returned 2 [0111.989] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="78") returned 2 [0111.990] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="9A") returned 2 [0111.990] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="8C") returned 2 [0111.990] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="3E") returned 2 [0111.990] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="0F") returned 2 [0111.990] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="92") returned 2 [0111.990] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="4C") returned 2 [0111.990] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="61") returned 2 [0111.990] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="AE") returned 2 [0111.990] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="0A") returned 2 [0111.990] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="09") returned 2 [0111.990] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="C5") returned 2 [0111.990] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="93") returned 2 [0111.990] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="44") returned 2 [0111.990] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="75") returned 2 [0111.990] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="A4") returned 2 [0111.990] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="C3") returned 2 [0111.990] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="09") returned 2 [0111.990] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="35") returned 2 [0111.990] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="BC") returned 2 [0111.991] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="64") returned 2 [0111.991] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="D3") returned 2 [0111.991] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="3D") returned 2 [0111.991] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="C3") returned 2 [0111.991] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="AD") returned 2 [0111.991] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="22") returned 2 [0111.991] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="69") returned 2 [0111.991] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="DE") returned 2 [0111.991] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="CE") returned 2 [0111.991] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="29") returned 2 [0111.991] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="67") returned 2 [0112.002] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeSysFnt10.lst" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeSysFnt10.lst") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeSysFnt10.lst" [0112.002] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeSysFnt10.lst" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeSysFnt10.lst") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeSysFnt10.lst" [0112.002] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeSysFnt10.lst", lpString2=".DD789A8C3E0F924C61AE0A09C5934475A4C30935BC64D33DC3AD2269DECE2967" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeSysFnt10.lst.DD789A8C3E0F924C61AE0A09C5934475A4C30935BC64D33DC3AD2269DECE2967") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeSysFnt10.lst.DD789A8C3E0F924C61AE0A09C5934475A4C30935BC64D33DC3AD2269DECE2967" [0112.002] CreateIoCompletionPort (FileHandle=0x16c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0112.002] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0112.002] FindNextFileW (in: hFindFile=0x3bf1138, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xecb5bdd0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xecb5bdd0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xecb5bdd0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0xfe000000, cFileName="Cache", cAlternateFileName="")) returned 1 [0112.002] lstrcmpiW (lpString1="Cache", lpString2="Windows") returned -1 [0112.002] lstrcmpiW (lpString1="Cache", lpString2="Program Files") returned -1 [0112.002] lstrcmpiW (lpString1="Cache", lpString2="Program Files (x86)") returned -1 [0112.002] lstrcmpiW (lpString1="Cache", lpString2="$Recycle.bin") returned 1 [0112.002] lstrcmpiW (lpString1="Cache", lpString2="System Volume Information") returned -1 [0112.003] lstrcmpiW (lpString1="Cache", lpString2=".") returned 1 [0112.003] lstrcmpiW (lpString1="Cache", lpString2="..") returned 1 [0112.003] wnsprintfW (in: pszDest=0x55eb10, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache") returned 72 [0112.003] GetProcessHeap () returned 0x4c0000 [0112.003] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c00048 [0112.004] lstrcpyW (in: lpString1=0x3c00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache" [0112.004] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\*" [0112.004] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xecb5bdd0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xecb5bdd0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xecb5bdd0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bf1178 [0112.005] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0112.005] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0112.005] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0112.005] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0112.005] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0112.005] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0112.005] FindNextFileW (in: hFindFile=0x3bf1178, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xecb5bdd0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xecb5bdd0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xecb5bdd0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0112.005] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0112.005] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0112.005] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0112.005] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0112.005] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0112.005] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0112.005] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0112.005] FindNextFileW (in: hFindFile=0x3bf1178, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xecb5bdd0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xecb5bdd0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe952fcd0, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0xcfc4, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName="AcroFnt10.lst", cAlternateFileName="ACROFN~1.LST")) returned 1 [0112.005] lstrcmpiW (lpString1="AcroFnt10.lst", lpString2="Windows") returned -1 [0112.006] lstrcmpiW (lpString1="AcroFnt10.lst", lpString2="Program Files") returned -1 [0112.006] lstrcmpiW (lpString1="AcroFnt10.lst", lpString2="Program Files (x86)") returned -1 [0112.006] lstrcmpiW (lpString1="AcroFnt10.lst", lpString2="$Recycle.bin") returned 1 [0112.006] lstrcmpiW (lpString1="AcroFnt10.lst", lpString2="System Volume Information") returned -1 [0112.006] lstrcmpiW (lpString1="AcroFnt10.lst", lpString2=".") returned 1 [0112.006] lstrcmpiW (lpString1="AcroFnt10.lst", lpString2="..") returned 1 [0112.006] wnsprintfW (in: pszDest=0x3c00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\AcroFnt10.lst") returned 86 [0112.006] lstrcmpW (lpString1="AcroFnt10.lst", lpString2="PUSSY.TXT") returned -1 [0112.006] PathFindExtensionW (pszPath="AcroFnt10.lst") returned=".lst" [0112.006] lstrlenW (lpString=".lst") returned 4 [0112.006] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0112.006] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\AcroFnt10.lst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\cache\\acrofnt10.lst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a0 [0112.007] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=53188) returned 1 [0112.007] GetProcessHeap () returned 0x4c0000 [0112.007] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b380a0 [0112.019] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="D7") returned 2 [0112.019] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="98") returned 2 [0112.020] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="FF") returned 2 [0112.020] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="33") returned 2 [0112.020] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="91") returned 2 [0112.020] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="2D") returned 2 [0112.020] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="8E") returned 2 [0112.020] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="4F") returned 2 [0112.020] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="27") returned 2 [0112.020] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="9F") returned 2 [0112.020] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="25") returned 2 [0112.020] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="F1") returned 2 [0112.020] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="0C") returned 2 [0112.020] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="08") returned 2 [0112.020] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="A9") returned 2 [0112.020] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="14") returned 2 [0112.020] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="E8") returned 2 [0112.020] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="6A") returned 2 [0112.020] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="AD") returned 2 [0112.020] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="9F") returned 2 [0112.021] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="7E") returned 2 [0112.021] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="70") returned 2 [0112.021] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="83") returned 2 [0112.021] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="FE") returned 2 [0112.021] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="5C") returned 2 [0112.021] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="C7") returned 2 [0112.021] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="F9") returned 2 [0112.021] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="9D") returned 2 [0112.021] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="DD") returned 2 [0112.021] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="D9") returned 2 [0112.021] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="03") returned 2 [0112.021] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="3D") returned 2 [0112.034] lstrcpyW (in: lpString1=0x3b480d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\AcroFnt10.lst" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\AcroFnt10.lst") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\AcroFnt10.lst" [0112.035] lstrcpyW (in: lpString1=0x3b380d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\AcroFnt10.lst" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\AcroFnt10.lst") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\AcroFnt10.lst" [0112.035] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\AcroFnt10.lst", lpString2=".D798FF33912D8E4F279F25F10C08A914E86AAD9F7E7083FE5CC7F99DDDD9033D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\AcroFnt10.lst.D798FF33912D8E4F279F25F10C08A914E86AAD9F7E7083FE5CC7F99DDDD9033D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\AcroFnt10.lst.D798FF33912D8E4F279F25F10C08A914E86AAD9F7E7083FE5CC7F99DDDD9033D" [0112.035] CreateIoCompletionPort (FileHandle=0x1a0, ExistingCompletionPort=0x94, CompletionKey=0x3b380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0112.035] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b380a0, lpOverlapped=0x3b380a0) returned 1 [0112.035] FindNextFileW (in: hFindFile=0x3bf1178, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xecb5bdd0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xecb5bdd0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe952fcd0, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0xcfc4, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName="AcroFnt10.lst", cAlternateFileName="ACROFN~1.LST")) returned 0 [0112.036] FindClose (in: hFindFile=0x3bf1178 | out: hFindFile=0x3bf1178) returned 1 [0112.036] wnsprintfW (in: pszDest=0x3c00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\PUSSY.TXT") returned 82 [0112.036] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\cache\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0112.036] lstrlenA (lpString="abcd") returned 4 [0112.036] WriteFile (in: hFile=0x198, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0112.038] CloseHandle (hObject=0x198) returned 1 [0112.038] GetProcessHeap () returned 0x4c0000 [0112.038] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0112.038] FindNextFileW (in: hFindFile=0x3bf1138, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd3b286a0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd3b286a0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xee0c3750, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x1400, dwReserved0=0x3bf1228, dwReserved1=0xfe000000, cFileName="SharedDataEvents", cAlternateFileName="SHARED~1")) returned 1 [0112.038] lstrcmpiW (lpString1="SharedDataEvents", lpString2="Windows") returned -1 [0112.038] lstrcmpiW (lpString1="SharedDataEvents", lpString2="Program Files") returned 1 [0112.038] lstrcmpiW (lpString1="SharedDataEvents", lpString2="Program Files (x86)") returned 1 [0112.038] lstrcmpiW (lpString1="SharedDataEvents", lpString2="$Recycle.bin") returned 1 [0112.038] lstrcmpiW (lpString1="SharedDataEvents", lpString2="System Volume Information") returned -1 [0112.038] lstrcmpiW (lpString1="SharedDataEvents", lpString2=".") returned 1 [0112.038] lstrcmpiW (lpString1="SharedDataEvents", lpString2="..") returned 1 [0112.039] wnsprintfW (in: pszDest=0x55eb10, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\SharedDataEvents") returned 83 [0112.039] lstrcmpW (lpString1="SharedDataEvents", lpString2="PUSSY.TXT") returned 1 [0112.039] PathFindExtensionW (pszPath="SharedDataEvents") returned="" [0112.039] lstrlenW (lpString="") returned 0 [0112.039] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0112.039] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\SharedDataEvents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\shareddataevents"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x198 [0112.040] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=5120) returned 1 [0112.041] GetProcessHeap () returned 0x4c0000 [0112.041] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0112.056] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="AB") returned 2 [0112.056] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="00") returned 2 [0112.056] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="15") returned 2 [0112.056] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="D7") returned 2 [0112.056] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="56") returned 2 [0112.056] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="4C") returned 2 [0112.056] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="73") returned 2 [0112.056] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="2C") returned 2 [0112.056] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="E8") returned 2 [0112.056] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="EC") returned 2 [0112.056] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="1D") returned 2 [0112.056] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="2E") returned 2 [0112.056] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="FF") returned 2 [0112.056] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="1C") returned 2 [0112.057] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="1D") returned 2 [0112.057] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="85") returned 2 [0112.057] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="57") returned 2 [0112.057] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="1C") returned 2 [0112.057] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="95") returned 2 [0112.057] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="F5") returned 2 [0112.057] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="2D") returned 2 [0112.057] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="14") returned 2 [0112.057] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="4C") returned 2 [0112.057] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="03") returned 2 [0112.057] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="D6") returned 2 [0112.057] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="68") returned 2 [0112.057] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="91") returned 2 [0112.057] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="16") returned 2 [0112.057] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="BB") returned 2 [0112.057] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="35") returned 2 [0112.057] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="46") returned 2 [0112.057] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="05") returned 2 [0112.072] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\SharedDataEvents" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\SharedDataEvents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\SharedDataEvents" [0112.072] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\SharedDataEvents" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\SharedDataEvents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\SharedDataEvents" [0112.072] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\SharedDataEvents", lpString2=".AB0015D7564C732CE8EC1D2EFF1C1D85571C95F52D144C03D6689116BB354605" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\SharedDataEvents.AB0015D7564C732CE8EC1D2EFF1C1D85571C95F52D144C03D6689116BB354605") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\SharedDataEvents.AB0015D7564C732CE8EC1D2EFF1C1D85571C95F52D144C03D6689116BB354605" [0112.072] CreateIoCompletionPort (FileHandle=0x198, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0112.072] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0112.073] FindNextFileW (in: hFindFile=0x3bf1138, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd243f2e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd243f2e0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe99341f0, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x12ea5, dwReserved0=0x3bf1228, dwReserved1=0xfe000000, cFileName="UserCache.bin", cAlternateFileName="USERCA~1.BIN")) returned 1 [0112.073] lstrcmpiW (lpString1="UserCache.bin", lpString2="Windows") returned -1 [0112.073] lstrcmpiW (lpString1="UserCache.bin", lpString2="Program Files") returned 1 [0112.073] lstrcmpiW (lpString1="UserCache.bin", lpString2="Program Files (x86)") returned 1 [0112.073] lstrcmpiW (lpString1="UserCache.bin", lpString2="$Recycle.bin") returned 1 [0112.073] lstrcmpiW (lpString1="UserCache.bin", lpString2="System Volume Information") returned 1 [0112.073] lstrcmpiW (lpString1="UserCache.bin", lpString2=".") returned 1 [0112.073] lstrcmpiW (lpString1="UserCache.bin", lpString2="..") returned 1 [0112.073] wnsprintfW (in: pszDest=0x55eb10, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\UserCache.bin") returned 80 [0112.073] lstrcmpW (lpString1="UserCache.bin", lpString2="PUSSY.TXT") returned 1 [0112.074] PathFindExtensionW (pszPath="UserCache.bin") returned=".bin" [0112.074] lstrlenW (lpString=".bin") returned 4 [0112.074] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0112.074] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\UserCache.bin" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\usercache.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0112.074] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=77477) returned 1 [0112.074] GetProcessHeap () returned 0x4c0000 [0112.074] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b600f0 [0112.086] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="A4") returned 2 [0112.086] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="88") returned 2 [0112.086] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="98") returned 2 [0112.086] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="32") returned 2 [0112.086] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="DE") returned 2 [0112.086] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="E0") returned 2 [0112.086] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="05") returned 2 [0112.086] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="48") returned 2 [0112.086] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="64") returned 2 [0112.086] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="5C") returned 2 [0112.086] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="37") returned 2 [0112.087] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="1B") returned 2 [0112.087] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="75") returned 2 [0112.087] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="28") returned 2 [0112.087] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="74") returned 2 [0112.087] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="AB") returned 2 [0112.087] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="B6") returned 2 [0112.087] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="13") returned 2 [0112.087] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="72") returned 2 [0112.087] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="D6") returned 2 [0112.087] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="8F") returned 2 [0112.087] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="31") returned 2 [0112.087] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="6F") returned 2 [0112.087] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="31") returned 2 [0112.087] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="30") returned 2 [0112.087] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="76") returned 2 [0112.087] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="ED") returned 2 [0112.087] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="06") returned 2 [0112.087] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="CA") returned 2 [0112.087] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="76") returned 2 [0112.087] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="C0") returned 2 [0112.088] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="42") returned 2 [0112.096] lstrcpyW (in: lpString1=0x3b70124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\UserCache.bin" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\UserCache.bin") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\UserCache.bin" [0112.096] lstrcpyW (in: lpString1=0x3b60124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\UserCache.bin" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\UserCache.bin") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\UserCache.bin" [0112.096] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\UserCache.bin", lpString2=".A4889832DEE00548645C371B752874ABB61372D68F316F313076ED06CA76C042" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\UserCache.bin.A4889832DEE00548645C371B752874ABB61372D68F316F313076ED06CA76C042") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\UserCache.bin.A4889832DEE00548645C371B752874ABB61372D68F316F313076ED06CA76C042" [0112.096] CreateIoCompletionPort (FileHandle=0x17c, ExistingCompletionPort=0x94, CompletionKey=0x3b600f0, NumberOfConcurrentThreads=0x0) returned 0x94 [0112.096] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b600f0, lpOverlapped=0x3b600f0) returned 1 [0112.097] FindNextFileW (in: hFindFile=0x3bf1138, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd243f2e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd243f2e0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe99341f0, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x12ea5, dwReserved0=0x3bf1228, dwReserved1=0xfe000000, cFileName="UserCache.bin", cAlternateFileName="USERCA~1.BIN")) returned 0 [0112.097] FindClose (in: hFindFile=0x3bf1138 | out: hFindFile=0x3bf1138) returned 1 [0112.097] wnsprintfW (in: pszDest=0x55eb10, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\PUSSY.TXT") returned 76 [0112.097] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0112.098] lstrlenA (lpString="abcd") returned 4 [0112.098] WriteFile (in: hFile=0x178, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0112.099] CloseHandle (hObject=0x178) returned 1 [0112.099] GetProcessHeap () returned 0x4c0000 [0112.099] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x55eb10 | out: hHeap=0x4c0000) returned 1 [0112.099] FindNextFileW (in: hFindFile=0x4e29a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xee135b70, ftLastAccessTime.dwHighDateTime=0x1d35d05, ftLastWriteTime.dwLowDateTime=0xee135b70, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x147b505, dwReserved1=0xff06c663, cFileName="10.0", cAlternateFileName="")) returned 0 [0112.099] FindClose (in: hFindFile=0x4e29a0 | out: hFindFile=0x4e29a0) returned 1 [0112.099] wnsprintfW (in: pszDest=0x54db00, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\PUSSY.TXT") returned 71 [0112.099] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0112.100] lstrlenA (lpString="abcd") returned 4 [0112.100] WriteFile (in: hFile=0xec, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0112.101] CloseHandle (hObject=0xec) returned 1 [0112.101] GetProcessHeap () returned 0x4c0000 [0112.101] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x54db00 | out: hHeap=0x4c0000) returned 1 [0112.101] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xce60f420, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xce60f420, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2d959bc5, cFileName="Color", cAlternateFileName="")) returned 1 [0112.101] lstrcmpiW (lpString1="Color", lpString2="Windows") returned -1 [0112.101] lstrcmpiW (lpString1="Color", lpString2="Program Files") returned -1 [0112.101] lstrcmpiW (lpString1="Color", lpString2="Program Files (x86)") returned -1 [0112.101] lstrcmpiW (lpString1="Color", lpString2="$Recycle.bin") returned 1 [0112.101] lstrcmpiW (lpString1="Color", lpString2="System Volume Information") returned -1 [0112.101] lstrcmpiW (lpString1="Color", lpString2=".") returned 1 [0112.101] lstrcmpiW (lpString1="Color", lpString2="..") returned 1 [0112.101] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color") returned 59 [0112.101] GetProcessHeap () returned 0x4c0000 [0112.101] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x54db00 [0112.101] lstrcpyW (in: lpString1=0x54db00, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color" [0112.101] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\*" [0112.101] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xce60f420, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xce60f420, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x147b505, dwReserved1=0xff06c663, cFileName=".", cAlternateFileName="")) returned 0x3bb7020 [0112.102] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0112.102] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0112.102] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0112.102] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0112.102] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0112.102] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0112.102] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xce60f420, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xce60f420, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x147b505, dwReserved1=0xff06c663, cFileName="..", cAlternateFileName="")) returned 1 [0112.102] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0112.102] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0112.102] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0112.102] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0112.102] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0112.102] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0112.102] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0112.103] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xce60f420, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xce60f420, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xce719dc0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x49c, dwReserved0=0x147b505, dwReserved1=0xff06c663, cFileName="ACECache11.lst", cAlternateFileName="ACECAC~1.LST")) returned 1 [0112.103] lstrcmpiW (lpString1="ACECache11.lst", lpString2="Windows") returned -1 [0112.103] lstrcmpiW (lpString1="ACECache11.lst", lpString2="Program Files") returned -1 [0112.103] lstrcmpiW (lpString1="ACECache11.lst", lpString2="Program Files (x86)") returned -1 [0112.103] lstrcmpiW (lpString1="ACECache11.lst", lpString2="$Recycle.bin") returned 1 [0112.103] lstrcmpiW (lpString1="ACECache11.lst", lpString2="System Volume Information") returned -1 [0112.103] lstrcmpiW (lpString1="ACECache11.lst", lpString2=".") returned 1 [0112.103] lstrcmpiW (lpString1="ACECache11.lst", lpString2="..") returned 1 [0112.103] wnsprintfW (in: pszDest=0x54db00, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst") returned 74 [0112.103] lstrcmpW (lpString1="ACECache11.lst", lpString2="PUSSY.TXT") returned -1 [0112.103] PathFindExtensionW (pszPath="ACECache11.lst") returned=".lst" [0112.103] lstrlenW (lpString=".lst") returned 4 [0112.103] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0112.103] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\acecache11.lst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0112.103] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=1180) returned 1 [0112.103] GetProcessHeap () returned 0x4c0000 [0112.104] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b88140 [0112.116] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="BA") returned 2 [0112.116] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="49") returned 2 [0112.116] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="68") returned 2 [0112.116] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="FA") returned 2 [0112.116] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="2C") returned 2 [0112.116] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="6A") returned 2 [0112.116] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="E9") returned 2 [0112.116] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="73") returned 2 [0112.117] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="C8") returned 2 [0112.117] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="2A") returned 2 [0112.117] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="F9") returned 2 [0112.117] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="4C") returned 2 [0112.117] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="F4") returned 2 [0112.117] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="6A") returned 2 [0112.117] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="90") returned 2 [0112.117] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="64") returned 2 [0112.117] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="09") returned 2 [0112.117] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="59") returned 2 [0112.117] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="8C") returned 2 [0112.117] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="50") returned 2 [0112.117] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="D3") returned 2 [0112.117] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="57") returned 2 [0112.117] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="EA") returned 2 [0112.117] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="3C") returned 2 [0112.118] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="2F") returned 2 [0112.118] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="37") returned 2 [0112.118] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="79") returned 2 [0112.118] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="0A") returned 2 [0112.118] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="04") returned 2 [0112.118] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="52") returned 2 [0112.118] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="30") returned 2 [0112.118] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="5D") returned 2 [0112.131] lstrcpyW (in: lpString1=0x3b98174, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst" [0112.131] lstrcpyW (in: lpString1=0x3b88174, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst" [0112.131] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst", lpString2=".BA4968FA2C6AE973C82AF94CF46A906409598C50D357EA3C2F37790A0452305D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst.BA4968FA2C6AE973C82AF94CF46A906409598C50D357EA3C2F37790A0452305D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst.BA4968FA2C6AE973C82AF94CF46A906409598C50D357EA3C2F37790A0452305D" [0112.131] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x3b88140, NumberOfConcurrentThreads=0x0) returned 0x94 [0112.131] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b88140, lpOverlapped=0x3b88140) returned 1 [0112.132] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xce4463a0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xce6f3c60, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xce6f3c60, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x147b505, dwReserved1=0xff06c663, cFileName="Profiles", cAlternateFileName="")) returned 1 [0112.132] lstrcmpiW (lpString1="Profiles", lpString2="Windows") returned -1 [0112.132] lstrcmpiW (lpString1="Profiles", lpString2="Program Files") returned -1 [0112.132] lstrcmpiW (lpString1="Profiles", lpString2="Program Files (x86)") returned -1 [0112.132] lstrcmpiW (lpString1="Profiles", lpString2="$Recycle.bin") returned 1 [0112.132] lstrcmpiW (lpString1="Profiles", lpString2="System Volume Information") returned -1 [0112.132] lstrcmpiW (lpString1="Profiles", lpString2=".") returned 1 [0112.132] lstrcmpiW (lpString1="Profiles", lpString2="..") returned 1 [0112.133] wnsprintfW (in: pszDest=0x54db00, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles") returned 68 [0112.133] GetProcessHeap () returned 0x4c0000 [0112.133] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x55db08 [0112.133] lstrcpyW (in: lpString1=0x55db08, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles" [0112.133] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\*" [0112.133] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xce4463a0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xce6f3c60, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xce6f3c60, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0112.134] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0112.134] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0112.134] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0112.134] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0112.134] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0112.134] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0112.134] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xce4463a0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xce6f3c60, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xce6f3c60, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0112.135] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0112.135] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0112.135] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0112.135] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0112.135] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0112.135] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0112.135] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0112.135] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xce60f420, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xce6f3c60, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xce6f3c60, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x102a0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="wscRGB.icc", cAlternateFileName="")) returned 1 [0112.135] lstrcmpiW (lpString1="wscRGB.icc", lpString2="Windows") returned 1 [0112.135] lstrcmpiW (lpString1="wscRGB.icc", lpString2="Program Files") returned 1 [0112.135] lstrcmpiW (lpString1="wscRGB.icc", lpString2="Program Files (x86)") returned 1 [0112.135] lstrcmpiW (lpString1="wscRGB.icc", lpString2="$Recycle.bin") returned 1 [0112.135] lstrcmpiW (lpString1="wscRGB.icc", lpString2="System Volume Information") returned 1 [0112.135] lstrcmpiW (lpString1="wscRGB.icc", lpString2=".") returned 1 [0112.135] lstrcmpiW (lpString1="wscRGB.icc", lpString2="..") returned 1 [0112.135] wnsprintfW (in: pszDest=0x55db08, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc") returned 79 [0112.135] lstrcmpW (lpString1="wscRGB.icc", lpString2="PUSSY.TXT") returned 1 [0112.135] PathFindExtensionW (pszPath="wscRGB.icc") returned=".icc" [0112.135] lstrlenW (lpString=".icc") returned 4 [0112.135] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0112.136] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\profiles\\wscrgb.icc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0112.136] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=66208) returned 1 [0112.136] GetProcessHeap () returned 0x4c0000 [0112.136] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c78138 [0112.147] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="B6") returned 2 [0112.147] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="52") returned 2 [0112.147] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="D1") returned 2 [0112.147] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="C7") returned 2 [0112.147] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="33") returned 2 [0112.147] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="4D") returned 2 [0112.147] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="B1") returned 2 [0112.147] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="4E") returned 2 [0112.147] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="B1") returned 2 [0112.147] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="3F") returned 2 [0112.147] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="9A") returned 2 [0112.147] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="D1") returned 2 [0112.147] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="8D") returned 2 [0112.147] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="E2") returned 2 [0112.147] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="B6") returned 2 [0112.148] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="65") returned 2 [0112.148] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="1A") returned 2 [0112.148] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="67") returned 2 [0112.148] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="E7") returned 2 [0112.148] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="A3") returned 2 [0112.148] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="77") returned 2 [0112.148] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="00") returned 2 [0112.148] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="0C") returned 2 [0112.148] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="2C") returned 2 [0112.148] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="5A") returned 2 [0112.148] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="AE") returned 2 [0112.148] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="7E") returned 2 [0112.148] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="64") returned 2 [0112.148] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="B5") returned 2 [0112.148] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="02") returned 2 [0112.148] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="84") returned 2 [0112.148] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="73") returned 2 [0112.161] lstrcpyW (in: lpString1=0x3c8816c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc" [0112.161] lstrcpyW (in: lpString1=0x3c7816c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc" [0112.161] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc", lpString2=".B652D1C7334DB14EB13F9AD18DE2B6651A67E7A377000C2C5AAE7E64B5028473" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc.B652D1C7334DB14EB13F9AD18DE2B6651A67E7A377000C2C5AAE7E64B5028473") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc.B652D1C7334DB14EB13F9AD18DE2B6651A67E7A377000C2C5AAE7E64B5028473" [0112.161] CreateIoCompletionPort (FileHandle=0x1ac, ExistingCompletionPort=0x94, CompletionKey=0x3c78138, NumberOfConcurrentThreads=0x0) returned 0x94 [0112.161] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c78138, lpOverlapped=0x3c78138) returned 1 [0112.161] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xce60f420, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xce6f3c60, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xce6f3c60, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0xa74, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="wsRGB.icc", cAlternateFileName="")) returned 1 [0112.161] lstrcmpiW (lpString1="wsRGB.icc", lpString2="Windows") returned 1 [0112.161] lstrcmpiW (lpString1="wsRGB.icc", lpString2="Program Files") returned 1 [0112.161] lstrcmpiW (lpString1="wsRGB.icc", lpString2="Program Files (x86)") returned 1 [0112.161] lstrcmpiW (lpString1="wsRGB.icc", lpString2="$Recycle.bin") returned 1 [0112.162] lstrcmpiW (lpString1="wsRGB.icc", lpString2="System Volume Information") returned 1 [0112.162] lstrcmpiW (lpString1="wsRGB.icc", lpString2=".") returned 1 [0112.165] lstrcmpiW (lpString1="wsRGB.icc", lpString2="..") returned 1 [0112.165] wnsprintfW (in: pszDest=0x55db08, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc") returned 78 [0112.165] lstrcmpW (lpString1="wsRGB.icc", lpString2="PUSSY.TXT") returned 1 [0112.165] PathFindExtensionW (pszPath="wsRGB.icc") returned=".icc" [0112.165] lstrlenW (lpString=".icc") returned 4 [0112.165] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0112.165] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\profiles\\wsrgb.icc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0112.166] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=2676) returned 1 [0112.166] GetProcessHeap () returned 0x4c0000 [0112.166] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3ca0188 [0112.578] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="A3") returned 2 [0112.578] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="63") returned 2 [0112.578] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="4D") returned 2 [0112.578] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="29") returned 2 [0112.578] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="86") returned 2 [0112.578] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="92") returned 2 [0112.578] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="33") returned 2 [0112.578] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="43") returned 2 [0112.578] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="90") returned 2 [0112.578] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="C1") returned 2 [0112.578] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="3D") returned 2 [0112.578] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="0C") returned 2 [0112.578] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="C8") returned 2 [0112.579] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="EE") returned 2 [0112.579] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="73") returned 2 [0112.579] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="07") returned 2 [0112.579] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="8F") returned 2 [0112.579] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="6E") returned 2 [0112.579] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="7A") returned 2 [0112.579] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="07") returned 2 [0112.579] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="FA") returned 2 [0112.579] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="4D") returned 2 [0112.579] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="CD") returned 2 [0112.579] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="00") returned 2 [0112.579] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="8D") returned 2 [0112.579] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="04") returned 2 [0112.579] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="AF") returned 2 [0112.579] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="29") returned 2 [0112.579] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="BA") returned 2 [0112.579] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="1B") returned 2 [0112.579] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="AB") returned 2 [0112.579] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="1A") returned 2 [0112.592] lstrcpyW (in: lpString1=0x3cb01bc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc" [0112.592] lstrcpyW (in: lpString1=0x3ca01bc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc" [0112.592] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc", lpString2=".A3634D298692334390C13D0CC8EE73078F6E7A07FA4DCD008D04AF29BA1BAB1A" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc.A3634D298692334390C13D0CC8EE73078F6E7A07FA4DCD008D04AF29BA1BAB1A") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc.A3634D298692334390C13D0CC8EE73078F6E7A07FA4DCD008D04AF29BA1BAB1A" [0112.592] CreateIoCompletionPort (FileHandle=0x1b0, ExistingCompletionPort=0x94, CompletionKey=0x3ca0188, NumberOfConcurrentThreads=0x0) returned 0x94 [0112.592] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3ca0188, lpOverlapped=0x3ca0188) returned 1 [0112.600] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xce60f420, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xce6f3c60, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xce6f3c60, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0xa74, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="wsRGB.icc", cAlternateFileName="")) returned 0 [0112.600] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0112.601] wnsprintfW (in: pszDest=0x55db08, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\PUSSY.TXT") returned 78 [0112.601] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\profiles\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0112.602] lstrlenA (lpString="abcd") returned 4 [0112.602] WriteFile (in: hFile=0x1a8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0112.603] CloseHandle (hObject=0x1a8) returned 1 [0112.603] GetProcessHeap () returned 0x4c0000 [0112.603] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x55db08 | out: hHeap=0x4c0000) returned 1 [0112.605] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xce4463a0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xce6f3c60, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xce6f3c60, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x147b505, dwReserved1=0xff06c663, cFileName="Profiles", cAlternateFileName="")) returned 0 [0112.605] FindClose (in: hFindFile=0x3bb7020 | out: hFindFile=0x3bb7020) returned 1 [0112.606] wnsprintfW (in: pszDest=0x54db00, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\PUSSY.TXT") returned 69 [0112.606] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0112.607] lstrlenA (lpString="abcd") returned 4 [0112.607] WriteFile (in: hFile=0xec, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0112.608] CloseHandle (hObject=0xec) returned 1 [0112.608] GetProcessHeap () returned 0x4c0000 [0112.608] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x54db00 | out: hHeap=0x4c0000) returned 1 [0112.608] FindNextFileW (in: hFindFile=0x4e2960, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xce60f420, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xce60f420, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2d959bc5, cFileName="Color", cAlternateFileName="")) returned 0 [0112.608] FindClose (in: hFindFile=0x4e2960 | out: hFindFile=0x4e2960) returned 1 [0112.608] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\PUSSY.TXT") returned 63 [0112.608] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0112.609] lstrlenA (lpString="abcd") returned 4 [0112.609] WriteFile (in: hFile=0x174, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0112.610] CloseHandle (hObject=0x174) returned 1 [0112.610] GetProcessHeap () returned 0x4c0000 [0112.610] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0112.610] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x2914fe20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0112.610] lstrcmpiW (lpString1="Application Data", lpString2="Windows") returned -1 [0112.610] lstrcmpiW (lpString1="Application Data", lpString2="Program Files") returned -1 [0112.611] lstrcmpiW (lpString1="Application Data", lpString2="Program Files (x86)") returned -1 [0112.611] lstrcmpiW (lpString1="Application Data", lpString2="$Recycle.bin") returned 1 [0112.611] lstrcmpiW (lpString1="Application Data", lpString2="System Volume Information") returned -1 [0112.611] lstrcmpiW (lpString1="Application Data", lpString2=".") returned 1 [0112.611] lstrcmpiW (lpString1="Application Data", lpString2="..") returned 1 [0112.611] wnsprintfW (in: pszDest=0x52bae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Application Data") returned 64 [0112.611] GetProcessHeap () returned 0x4c0000 [0112.611] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c00048 [0112.612] lstrcpyW (in: lpString1=0x3c00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Application Data" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Application Data") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Application Data" [0112.612] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Application Data", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Application Data\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Application Data\\*" [0112.612] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Application Data\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xce60f420, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xce60f420, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2d959bc5, cFileName="Color", cAlternateFileName="a")) returned 0xffffffff [0112.612] GetProcessHeap () returned 0x4c0000 [0112.612] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0112.615] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65f935c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x65f935c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x65f935c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="Apps", cAlternateFileName="")) returned 1 [0112.615] lstrcmpiW (lpString1="Apps", lpString2="Windows") returned -1 [0112.615] lstrcmpiW (lpString1="Apps", lpString2="Program Files") returned -1 [0112.615] lstrcmpiW (lpString1="Apps", lpString2="Program Files (x86)") returned -1 [0112.615] lstrcmpiW (lpString1="Apps", lpString2="$Recycle.bin") returned 1 [0112.615] lstrcmpiW (lpString1="Apps", lpString2="System Volume Information") returned -1 [0112.615] lstrcmpiW (lpString1="Apps", lpString2=".") returned 1 [0112.615] lstrcmpiW (lpString1="Apps", lpString2="..") returned 1 [0112.615] wnsprintfW (in: pszDest=0x52bae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps") returned 52 [0112.615] GetProcessHeap () returned 0x4c0000 [0112.615] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c00048 [0112.616] lstrcpyW (in: lpString1=0x3c00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps" [0112.616] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\*" [0112.616] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65f935c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x65f935c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x65f935c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2d959bc5, cFileName=".", cAlternateFileName="")) returned 0x3bb7020 [0112.617] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0112.617] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0112.617] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0112.617] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0112.617] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0112.617] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0112.617] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65f935c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x65f935c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x65f935c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2d959bc5, cFileName="..", cAlternateFileName="")) returned 1 [0112.618] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0112.618] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0112.618] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0112.618] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0112.618] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0112.618] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0112.618] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0112.618] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65f935c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x65fb9720, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x65fb9720, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2d959bc5, cFileName="2.0", cAlternateFileName="")) returned 1 [0112.618] lstrcmpiW (lpString1="2.0", lpString2="Windows") returned -1 [0112.618] lstrcmpiW (lpString1="2.0", lpString2="Program Files") returned -1 [0112.618] lstrcmpiW (lpString1="2.0", lpString2="Program Files (x86)") returned -1 [0112.618] lstrcmpiW (lpString1="2.0", lpString2="$Recycle.bin") returned 1 [0112.618] lstrcmpiW (lpString1="2.0", lpString2="System Volume Information") returned -1 [0112.618] lstrcmpiW (lpString1="2.0", lpString2=".") returned 1 [0112.618] lstrcmpiW (lpString1="2.0", lpString2="..") returned 1 [0112.618] wnsprintfW (in: pszDest=0x3c00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0") returned 56 [0112.618] GetProcessHeap () returned 0x4c0000 [0112.618] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c10050 [0112.619] lstrcpyW (in: lpString1=0x3c10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0" [0112.619] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\*" [0112.619] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65f935c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x65fb9720, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x65fb9720, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xff06c663, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0112.619] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0112.619] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0112.619] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0112.619] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0112.619] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0112.619] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0112.619] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65f935c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x65fb9720, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x65fb9720, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xff06c663, cFileName="..", cAlternateFileName="")) returned 1 [0112.620] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0112.620] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0112.620] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0112.620] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0112.620] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0112.620] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0112.620] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0112.620] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65fb9720, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x65fb9720, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x65fb9720, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xff06c663, cFileName="Data", cAlternateFileName="")) returned 1 [0112.620] lstrcmpiW (lpString1="Data", lpString2="Windows") returned -1 [0112.620] lstrcmpiW (lpString1="Data", lpString2="Program Files") returned -1 [0112.620] lstrcmpiW (lpString1="Data", lpString2="Program Files (x86)") returned -1 [0112.620] lstrcmpiW (lpString1="Data", lpString2="$Recycle.bin") returned 1 [0112.620] lstrcmpiW (lpString1="Data", lpString2="System Volume Information") returned -1 [0112.620] lstrcmpiW (lpString1="Data", lpString2=".") returned 1 [0112.620] lstrcmpiW (lpString1="Data", lpString2="..") returned 1 [0112.620] wnsprintfW (in: pszDest=0x3c10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data") returned 61 [0112.620] GetProcessHeap () returned 0x4c0000 [0112.620] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0188 [0112.621] lstrcpyW (in: lpString1=0x3ca0188, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data" [0112.621] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\*" [0112.621] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65fb9720, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x65fb9720, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x65fb9720, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0112.622] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0112.622] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0112.622] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0112.622] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0112.623] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0112.623] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0112.623] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65fb9720, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x65fb9720, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x65fb9720, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0112.623] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0112.623] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0112.623] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0112.623] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0112.623] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0112.623] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0112.623] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0112.623] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65fb9720, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x65fb9720, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x65fb9720, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="CJW3O3KP.BX7", cAlternateFileName="")) returned 1 [0112.623] lstrcmpiW (lpString1="CJW3O3KP.BX7", lpString2="Windows") returned -1 [0112.623] lstrcmpiW (lpString1="CJW3O3KP.BX7", lpString2="Program Files") returned -1 [0112.623] lstrcmpiW (lpString1="CJW3O3KP.BX7", lpString2="Program Files (x86)") returned -1 [0112.623] lstrcmpiW (lpString1="CJW3O3KP.BX7", lpString2="$Recycle.bin") returned 1 [0112.623] lstrcmpiW (lpString1="CJW3O3KP.BX7", lpString2="System Volume Information") returned -1 [0112.623] lstrcmpiW (lpString1="CJW3O3KP.BX7", lpString2=".") returned 1 [0112.623] lstrcmpiW (lpString1="CJW3O3KP.BX7", lpString2="..") returned 1 [0112.623] wnsprintfW (in: pszDest=0x3ca0188, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7") returned 74 [0112.623] GetProcessHeap () returned 0x4c0000 [0112.623] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3cb0190 [0112.624] lstrcpyW (in: lpString1=0x3cb0190, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7" [0112.624] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\*" [0112.624] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65fb9720, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x65fb9720, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x65fb9720, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0112.624] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0112.624] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0112.624] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0112.624] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0112.624] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0112.624] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0112.624] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65fb9720, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x65fb9720, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x65fb9720, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0112.625] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0112.625] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0112.625] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0112.625] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0112.625] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0112.625] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0112.625] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0112.625] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65fb9720, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a3a0420, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a3a0420, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName="6NG60CXZ.9GJ", cAlternateFileName="")) returned 1 [0112.625] lstrcmpiW (lpString1="6NG60CXZ.9GJ", lpString2="Windows") returned -1 [0112.625] lstrcmpiW (lpString1="6NG60CXZ.9GJ", lpString2="Program Files") returned -1 [0112.625] lstrcmpiW (lpString1="6NG60CXZ.9GJ", lpString2="Program Files (x86)") returned -1 [0112.625] lstrcmpiW (lpString1="6NG60CXZ.9GJ", lpString2="$Recycle.bin") returned 1 [0112.625] lstrcmpiW (lpString1="6NG60CXZ.9GJ", lpString2="System Volume Information") returned -1 [0112.625] lstrcmpiW (lpString1="6NG60CXZ.9GJ", lpString2=".") returned 1 [0112.625] lstrcmpiW (lpString1="6NG60CXZ.9GJ", lpString2="..") returned 1 [0112.625] wnsprintfW (in: pszDest=0x3cb0190, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ") returned 87 [0112.625] GetProcessHeap () returned 0x4c0000 [0112.625] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53caf0 [0112.627] lstrcpyW (in: lpString1=0x53caf0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ" [0112.627] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\*" [0112.627] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65fb9720, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a3a0420, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a3a0420, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffb60922, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0112.627] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0112.628] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0112.628] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0112.628] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0112.628] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0112.628] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0112.628] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65fb9720, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a3a0420, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a3a0420, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffb60922, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0112.628] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0112.628] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0112.628] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0112.628] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0112.628] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0112.628] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0112.628] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0112.628] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6a3a0420, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a3a0420, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a3a0420, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffb60922, dwReserved1=0xfe000000, cFileName="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", cAlternateFileName="GOOGAP~1.000")) returned 1 [0112.628] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", lpString2="Windows") returned -1 [0112.628] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", lpString2="Program Files") returned -1 [0112.628] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", lpString2="Program Files (x86)") returned -1 [0112.628] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", lpString2="$Recycle.bin") returned 1 [0112.628] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", lpString2="System Volume Information") returned -1 [0112.628] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", lpString2=".") returned 1 [0112.628] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", lpString2="..") returned 1 [0112.628] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec") returned 142 [0112.628] GetProcessHeap () returned 0x4c0000 [0112.628] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x54caf8 [0112.629] lstrcpyW (in: lpString1=0x54caf8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec" [0112.629] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\*" [0112.629] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\*", lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6a3a0420, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a3a0420, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a3a0420, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2d94af45, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0112.630] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0112.630] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0112.630] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0112.630] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0112.630] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0112.631] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0112.631] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6a3a0420, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a3a0420, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a3a0420, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2d94af45, cFileName="..", cAlternateFileName="")) returned 1 [0112.631] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0112.631] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0112.631] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0112.631] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0112.631] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0112.631] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0112.631] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0112.631] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6a3a0420, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a3a0420, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a3a0420, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2d94af45, cFileName="Data", cAlternateFileName="")) returned 1 [0112.631] lstrcmpiW (lpString1="Data", lpString2="Windows") returned -1 [0112.631] lstrcmpiW (lpString1="Data", lpString2="Program Files") returned -1 [0112.631] lstrcmpiW (lpString1="Data", lpString2="Program Files (x86)") returned -1 [0112.631] lstrcmpiW (lpString1="Data", lpString2="$Recycle.bin") returned 1 [0112.631] lstrcmpiW (lpString1="Data", lpString2="System Volume Information") returned -1 [0112.631] lstrcmpiW (lpString1="Data", lpString2=".") returned 1 [0112.631] lstrcmpiW (lpString1="Data", lpString2="..") returned 1 [0112.631] wnsprintfW (in: pszDest=0x54caf8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\Data") returned 147 [0112.631] GetProcessHeap () returned 0x4c0000 [0112.631] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x55cb00 [0112.632] lstrcpyW (in: lpString1=0x55cb00, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\Data" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\Data") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\Data" [0112.632] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\Data", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\Data\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\Data\\*" [0112.632] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\Data\\*", lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6a3a0420, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a3a0420, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a3a0420, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfd78ac21, cFileName=".", cAlternateFileName="")) returned 0x3bb71a0 [0112.632] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0112.632] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0112.632] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0112.632] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0112.632] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0112.632] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0112.632] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6a3a0420, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a3a0420, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a3a0420, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfd78ac21, cFileName="..", cAlternateFileName="")) returned 1 [0112.633] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0112.633] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0112.633] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0112.633] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0112.633] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0112.633] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0112.633] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0112.633] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6a3a0420, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a3a0420, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a3a0420, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfd78ac21, cFileName="..", cAlternateFileName="")) returned 0 [0112.633] FindClose (in: hFindFile=0x3bb71a0 | out: hFindFile=0x3bb71a0) returned 1 [0112.633] wnsprintfW (in: pszDest=0x55cb00, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\Data\\PUSSY.TXT") returned 157 [0112.633] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\Data\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\data\\cjw3o3kp.bx7\\6ng60cxz.9gj\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\data\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0112.634] lstrlenA (lpString="abcd") returned 4 [0112.634] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a14c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a14c*=0x4, lpOverlapped=0x0) returned 1 [0112.635] CloseHandle (hObject=0x184) returned 1 [0112.635] GetProcessHeap () returned 0x4c0000 [0112.635] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x55cb00 | out: hHeap=0x4c0000) returned 1 [0112.635] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6a3a0420, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a3a0420, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a3a0420, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2d94af45, cFileName="Data", cAlternateFileName="")) returned 0 [0112.635] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0112.635] wnsprintfW (in: pszDest=0x54caf8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\PUSSY.TXT") returned 152 [0112.635] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\data\\cjw3o3kp.bx7\\6ng60cxz.9gj\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0112.635] lstrlenA (lpString="abcd") returned 4 [0112.636] WriteFile (in: hFile=0x178, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a8ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a8ec*=0x4, lpOverlapped=0x0) returned 1 [0112.637] CloseHandle (hObject=0x178) returned 1 [0112.637] GetProcessHeap () returned 0x4c0000 [0112.637] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x54caf8 | out: hHeap=0x4c0000) returned 1 [0112.637] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6a3a0420, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a3a0420, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a3a0420, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffb60922, dwReserved1=0xfe000000, cFileName="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", cAlternateFileName="GOOGAP~1.000")) returned 0 [0112.637] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0112.637] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\PUSSY.TXT") returned 97 [0112.637] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\data\\cjw3o3kp.bx7\\6ng60cxz.9gj\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0112.637] lstrlenA (lpString="abcd") returned 4 [0112.637] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0112.639] CloseHandle (hObject=0x17c) returned 1 [0112.639] GetProcessHeap () returned 0x4c0000 [0112.639] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0112.639] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65fb9720, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a3a0420, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a3a0420, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName="6NG60CXZ.9GJ", cAlternateFileName="")) returned 0 [0112.639] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0112.639] wnsprintfW (in: pszDest=0x3cb0190, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\PUSSY.TXT") returned 84 [0112.639] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\data\\cjw3o3kp.bx7\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0112.639] lstrlenA (lpString="abcd") returned 4 [0112.639] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0112.640] CloseHandle (hObject=0x1b0) returned 1 [0112.641] GetProcessHeap () returned 0x4c0000 [0112.641] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3cb0190 | out: hHeap=0x4c0000) returned 1 [0112.644] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65fb9720, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x65fb9720, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x65fb9720, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="CJW3O3KP.BX7", cAlternateFileName="")) returned 0 [0112.644] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0112.644] wnsprintfW (in: pszDest=0x3ca0188, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\PUSSY.TXT") returned 71 [0112.644] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\data\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0112.644] lstrlenA (lpString="abcd") returned 4 [0112.644] WriteFile (in: hFile=0x1a8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0112.646] CloseHandle (hObject=0x1a8) returned 1 [0112.646] GetProcessHeap () returned 0x4c0000 [0112.646] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0188 | out: hHeap=0x4c0000) returned 1 [0112.646] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65f935c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x65f935c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x65f935c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xff06c663, cFileName="DQQ19BCJ.JAX", cAlternateFileName="")) returned 1 [0112.646] lstrcmpiW (lpString1="DQQ19BCJ.JAX", lpString2="Windows") returned -1 [0112.646] lstrcmpiW (lpString1="DQQ19BCJ.JAX", lpString2="Program Files") returned -1 [0112.646] lstrcmpiW (lpString1="DQQ19BCJ.JAX", lpString2="Program Files (x86)") returned -1 [0112.646] lstrcmpiW (lpString1="DQQ19BCJ.JAX", lpString2="$Recycle.bin") returned 1 [0112.646] lstrcmpiW (lpString1="DQQ19BCJ.JAX", lpString2="System Volume Information") returned -1 [0112.647] lstrcmpiW (lpString1="DQQ19BCJ.JAX", lpString2=".") returned 1 [0112.647] lstrcmpiW (lpString1="DQQ19BCJ.JAX", lpString2="..") returned 1 [0112.647] wnsprintfW (in: pszDest=0x3c10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX") returned 69 [0112.647] GetProcessHeap () returned 0x4c0000 [0112.647] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0188 [0112.647] lstrcpyW (in: lpString1=0x3ca0188, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX" [0112.647] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\*" [0112.647] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65f935c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x65f935c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x65f935c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0112.647] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0112.647] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0112.647] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0112.647] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0112.647] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0112.647] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0112.647] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65f935c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x65f935c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x65f935c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0112.647] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0112.647] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0112.648] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0112.648] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0112.648] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0112.648] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0112.648] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0112.648] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65f935c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a37a2c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a37a2c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="YVORLGOR.PNT", cAlternateFileName="")) returned 1 [0112.648] lstrcmpiW (lpString1="YVORLGOR.PNT", lpString2="Windows") returned 1 [0112.648] lstrcmpiW (lpString1="YVORLGOR.PNT", lpString2="Program Files") returned 1 [0112.648] lstrcmpiW (lpString1="YVORLGOR.PNT", lpString2="Program Files (x86)") returned 1 [0112.648] lstrcmpiW (lpString1="YVORLGOR.PNT", lpString2="$Recycle.bin") returned 1 [0112.648] lstrcmpiW (lpString1="YVORLGOR.PNT", lpString2="System Volume Information") returned 1 [0112.648] lstrcmpiW (lpString1="YVORLGOR.PNT", lpString2=".") returned 1 [0112.648] lstrcmpiW (lpString1="YVORLGOR.PNT", lpString2="..") returned 1 [0112.648] wnsprintfW (in: pszDest=0x3ca0188, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT") returned 82 [0112.648] GetProcessHeap () returned 0x4c0000 [0112.648] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3cb0190 [0112.649] lstrcpyW (in: lpString1=0x3cb0190, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT" [0112.649] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\*" [0112.649] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65f935c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a37a2c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a37a2c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0112.766] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0112.766] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0112.766] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0112.766] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0112.766] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0112.766] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0112.766] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65f935c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a37a2c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a37a2c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0112.767] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0112.767] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0112.767] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0112.767] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0112.767] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0112.767] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0112.767] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0112.767] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6a37a2c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a37a2c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a37a2c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715", cAlternateFileName="CLICEX~1.000")) returned 1 [0112.767] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715", lpString2="Windows") returned -1 [0112.767] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715", lpString2="Program Files") returned -1 [0112.767] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715", lpString2="Program Files (x86)") returned -1 [0112.767] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715", lpString2="$Recycle.bin") returned 1 [0112.767] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715", lpString2="System Volume Information") returned -1 [0112.767] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715", lpString2=".") returned 1 [0112.767] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715", lpString2="..") returned 1 [0112.767] wnsprintfW (in: pszDest=0x3cb0190, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715") returned 142 [0112.767] GetProcessHeap () returned 0x4c0000 [0112.767] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53caf0 [0112.773] lstrcpyW (in: lpString1=0x53caf0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715" [0112.773] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\*" [0112.773] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6a37a2c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a37a2c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a37a2c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0112.775] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0112.775] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0112.775] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0112.776] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0112.776] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0112.776] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0112.776] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6a37a2c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a37a2c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a37a2c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0112.776] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0112.776] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0112.776] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0112.776] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0112.776] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0112.776] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0112.776] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0112.776] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a37a2c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a37a2c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a295a80, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x113f58, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="GoogleUpdateSetup.exe", cAlternateFileName="GOOGLE~1.EXE")) returned 1 [0112.776] lstrcmpiW (lpString1="GoogleUpdateSetup.exe", lpString2="Windows") returned -1 [0112.776] lstrcmpiW (lpString1="GoogleUpdateSetup.exe", lpString2="Program Files") returned -1 [0112.776] lstrcmpiW (lpString1="GoogleUpdateSetup.exe", lpString2="Program Files (x86)") returned -1 [0112.776] lstrcmpiW (lpString1="GoogleUpdateSetup.exe", lpString2="$Recycle.bin") returned 1 [0112.776] lstrcmpiW (lpString1="GoogleUpdateSetup.exe", lpString2="System Volume Information") returned -1 [0112.776] lstrcmpiW (lpString1="GoogleUpdateSetup.exe", lpString2=".") returned 1 [0112.776] lstrcmpiW (lpString1="GoogleUpdateSetup.exe", lpString2="..") returned 1 [0112.776] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\GoogleUpdateSetup.exe") returned 164 [0112.776] lstrcmpW (lpString1="GoogleUpdateSetup.exe", lpString2="PUSSY.TXT") returned -1 [0112.776] PathFindExtensionW (pszPath="GoogleUpdateSetup.exe") returned=".exe" [0112.776] lstrlenW (lpString=".exe") returned 4 [0112.777] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0112.777] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\GoogleUpdateSetup.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\googleupdatesetup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0112.777] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=1130328) returned 1 [0112.777] GetProcessHeap () returned 0x4c0000 [0112.777] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x54caf8 [0112.791] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="3C") returned 2 [0112.791] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="F5") returned 2 [0112.792] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="74") returned 2 [0112.792] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="D6") returned 2 [0112.792] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="C3") returned 2 [0112.792] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="94") returned 2 [0112.792] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="9A") returned 2 [0112.792] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="5A") returned 2 [0112.792] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="D5") returned 2 [0112.792] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="70") returned 2 [0112.792] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="14") returned 2 [0112.792] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="A0") returned 2 [0112.792] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="56") returned 2 [0112.792] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="B2") returned 2 [0112.792] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="A7") returned 2 [0112.792] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="9A") returned 2 [0112.792] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="58") returned 2 [0112.792] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="A5") returned 2 [0112.792] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="88") returned 2 [0112.792] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="C1") returned 2 [0112.792] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="9F") returned 2 [0112.792] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="68") returned 2 [0112.792] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="74") returned 2 [0112.792] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="D8") returned 2 [0112.792] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="08") returned 2 [0112.792] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="0E") returned 2 [0112.792] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="04") returned 2 [0112.792] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="CE") returned 2 [0112.793] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="55") returned 2 [0112.793] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="AC") returned 2 [0112.793] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="00") returned 2 [0112.793] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="3E") returned 2 [0112.820] lstrcpyW (in: lpString1=0x55cb2c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\GoogleUpdateSetup.exe" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\GoogleUpdateSetup.exe") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\GoogleUpdateSetup.exe" [0112.820] lstrcpyW (in: lpString1=0x54cb2c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\GoogleUpdateSetup.exe" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\GoogleUpdateSetup.exe") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\GoogleUpdateSetup.exe" [0112.820] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\GoogleUpdateSetup.exe", lpString2=".3CF574D6C3949A5AD57014A056B2A79A58A588C19F6874D8080E04CE55AC003E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\GoogleUpdateSetup.exe.3CF574D6C3949A5AD57014A056B2A79A58A588C19F6874D8080E04CE55AC003E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\GoogleUpdateSetup.exe.3CF574D6C3949A5AD57014A056B2A79A58A588C19F6874D8080E04CE55AC003E" [0112.820] CreateIoCompletionPort (FileHandle=0x17c, ExistingCompletionPort=0x94, CompletionKey=0x54caf8, NumberOfConcurrentThreads=0x0) returned 0x94 [0112.821] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x54caf8, lpOverlapped=0x54caf8) returned 1 [0112.821] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a37a2c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a37a2c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a295a80, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x113f58, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="GoogleUpdateSetup.exe", cAlternateFileName="GOOGLE~1.EXE")) returned 0 [0112.821] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0112.821] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\PUSSY.TXT") returned 152 [0112.821] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0112.822] lstrlenA (lpString="abcd") returned 4 [0112.822] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0112.823] CloseHandle (hObject=0x18c) returned 1 [0112.823] GetProcessHeap () returned 0x4c0000 [0112.823] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0112.823] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6a37a2c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a3a0420, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a3a0420, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", cAlternateFileName="GOOGAP~1.000")) returned 1 [0112.823] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", lpString2="Windows") returned -1 [0112.823] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", lpString2="Program Files") returned -1 [0112.823] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", lpString2="Program Files (x86)") returned -1 [0112.823] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", lpString2="$Recycle.bin") returned 1 [0112.823] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", lpString2="System Volume Information") returned -1 [0112.824] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", lpString2=".") returned 1 [0112.824] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", lpString2="..") returned 1 [0112.824] wnsprintfW (in: pszDest=0x3cb0190, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec") returned 137 [0112.824] GetProcessHeap () returned 0x4c0000 [0112.824] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53caf0 [0112.824] lstrcpyW (in: lpString1=0x53caf0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec" [0112.824] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\*" [0112.824] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6a37a2c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a3a0420, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a3a0420, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0112.954] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0112.954] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0112.954] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0112.954] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0112.954] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0112.954] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0112.954] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6a37a2c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a3a0420, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a3a0420, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0112.954] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0112.955] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0112.955] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0112.955] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0112.955] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0112.955] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0112.955] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0112.955] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x6a37a2c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a37a2c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a307ea0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x3c50, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="clickonce_bootstrap.exe", cAlternateFileName="CLICKO~1.EXE")) returned 1 [0112.955] lstrcmpiW (lpString1="clickonce_bootstrap.exe", lpString2="Windows") returned -1 [0112.955] lstrcmpiW (lpString1="clickonce_bootstrap.exe", lpString2="Program Files") returned -1 [0112.955] lstrcmpiW (lpString1="clickonce_bootstrap.exe", lpString2="Program Files (x86)") returned -1 [0112.955] lstrcmpiW (lpString1="clickonce_bootstrap.exe", lpString2="$Recycle.bin") returned 1 [0112.955] lstrcmpiW (lpString1="clickonce_bootstrap.exe", lpString2="System Volume Information") returned -1 [0112.955] lstrcmpiW (lpString1="clickonce_bootstrap.exe", lpString2=".") returned 1 [0112.955] lstrcmpiW (lpString1="clickonce_bootstrap.exe", lpString2="..") returned 1 [0112.955] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe") returned 161 [0112.955] lstrcmpW (lpString1="clickonce_bootstrap.exe", lpString2="PUSSY.TXT") returned -1 [0112.955] PathFindExtensionW (pszPath="clickonce_bootstrap.exe") returned=".exe" [0112.955] lstrlenW (lpString=".exe") returned 4 [0112.955] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0112.955] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0112.956] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=15440) returned 1 [0112.956] GetProcessHeap () returned 0x4c0000 [0112.956] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c78138 [0112.971] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="37") returned 2 [0112.971] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="F9") returned 2 [0112.971] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="BB") returned 2 [0112.971] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="F3") returned 2 [0112.971] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="66") returned 2 [0112.971] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="E0") returned 2 [0112.971] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="D9") returned 2 [0112.971] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="97") returned 2 [0112.971] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="CC") returned 2 [0112.971] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="58") returned 2 [0112.971] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="09") returned 2 [0112.971] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="E1") returned 2 [0112.971] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="07") returned 2 [0112.971] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="71") returned 2 [0112.972] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="86") returned 2 [0112.972] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="99") returned 2 [0112.972] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="75") returned 2 [0112.972] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="6B") returned 2 [0112.972] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="86") returned 2 [0112.972] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="42") returned 2 [0112.972] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="C6") returned 2 [0112.972] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="5C") returned 2 [0112.972] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="5F") returned 2 [0112.972] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="C8") returned 2 [0112.972] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="04") returned 2 [0112.972] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="E5") returned 2 [0112.972] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="37") returned 2 [0112.972] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="27") returned 2 [0112.972] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="81") returned 2 [0112.972] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="50") returned 2 [0112.972] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="6A") returned 2 [0112.972] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="3F") returned 2 [0112.985] lstrcpyW (in: lpString1=0x3c8816c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe" [0112.985] lstrcpyW (in: lpString1=0x3c7816c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe" [0112.985] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe", lpString2=".37F9BBF366E0D997CC5809E107718699756B8642C65C5FC804E5372781506A3F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.37F9BBF366E0D997CC5809E107718699756B8642C65C5FC804E5372781506A3F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.37F9BBF366E0D997CC5809E107718699756B8642C65C5FC804E5372781506A3F" [0112.985] CreateIoCompletionPort (FileHandle=0x1ac, ExistingCompletionPort=0x94, CompletionKey=0x3c78138, NumberOfConcurrentThreads=0x0) returned 0x94 [0112.985] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c78138, lpOverlapped=0x3c78138) returned 1 [0112.985] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6a37a2c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a37a2c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a37a2c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x42d0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="clickonce_bootstrap.exe.cdf-ms", cAlternateFileName="")) returned 1 [0112.985] lstrcmpiW (lpString1="clickonce_bootstrap.exe.cdf-ms", lpString2="Windows") returned -1 [0112.985] lstrcmpiW (lpString1="clickonce_bootstrap.exe.cdf-ms", lpString2="Program Files") returned -1 [0112.985] lstrcmpiW (lpString1="clickonce_bootstrap.exe.cdf-ms", lpString2="Program Files (x86)") returned -1 [0112.985] lstrcmpiW (lpString1="clickonce_bootstrap.exe.cdf-ms", lpString2="$Recycle.bin") returned 1 [0112.985] lstrcmpiW (lpString1="clickonce_bootstrap.exe.cdf-ms", lpString2="System Volume Information") returned -1 [0112.985] lstrcmpiW (lpString1="clickonce_bootstrap.exe.cdf-ms", lpString2=".") returned 1 [0112.985] lstrcmpiW (lpString1="clickonce_bootstrap.exe.cdf-ms", lpString2="..") returned 1 [0112.985] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.cdf-ms") returned 168 [0112.986] lstrcmpW (lpString1="clickonce_bootstrap.exe.cdf-ms", lpString2="PUSSY.TXT") returned -1 [0112.986] PathFindExtensionW (pszPath="clickonce_bootstrap.exe.cdf-ms") returned=".cdf-ms" [0112.986] lstrlenW (lpString=".cdf-ms") returned 7 [0112.986] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0112.986] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.cdf-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.cdf-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0112.988] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=17104) returned 1 [0112.988] GetProcessHeap () returned 0x4c0000 [0112.988] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0113.002] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="B1") returned 2 [0113.002] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="DE") returned 2 [0113.002] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="D7") returned 2 [0113.002] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="B6") returned 2 [0113.002] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="A3") returned 2 [0113.002] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="60") returned 2 [0113.002] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="FA") returned 2 [0113.002] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="70") returned 2 [0113.002] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="52") returned 2 [0113.002] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="95") returned 2 [0113.002] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="09") returned 2 [0113.003] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="3C") returned 2 [0113.003] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="7F") returned 2 [0113.003] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="E9") returned 2 [0113.003] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="68") returned 2 [0113.003] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="33") returned 2 [0113.003] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="B7") returned 2 [0113.003] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="06") returned 2 [0113.003] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="02") returned 2 [0113.003] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="1A") returned 2 [0113.003] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="1F") returned 2 [0113.003] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="49") returned 2 [0113.003] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="A2") returned 2 [0113.003] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="FD") returned 2 [0113.003] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="AD") returned 2 [0113.003] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="FC") returned 2 [0113.003] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="9D") returned 2 [0113.003] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="DC") returned 2 [0113.003] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="06") returned 2 [0113.003] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="15") returned 2 [0113.003] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="C6") returned 2 [0113.003] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="53") returned 2 [0113.019] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.cdf-ms" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.cdf-ms") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.cdf-ms" [0113.019] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.cdf-ms" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.cdf-ms") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.cdf-ms" [0113.019] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.cdf-ms", lpString2=".B1DED7B6A360FA705295093C7FE96833B706021A1F49A2FDADFC9DDC0615C653" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.cdf-ms.B1DED7B6A360FA705295093C7FE96833B706021A1F49A2FDADFC9DDC0615C653") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.cdf-ms.B1DED7B6A360FA705295093C7FE96833B706021A1F49A2FDADFC9DDC0615C653" [0113.019] CreateIoCompletionPort (FileHandle=0x16c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0113.019] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0113.019] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6a37a2c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a37a2c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a37a2c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x354b, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="clickonce_bootstrap.exe.manifest", cAlternateFileName="")) returned 1 [0113.019] lstrcmpiW (lpString1="clickonce_bootstrap.exe.manifest", lpString2="Windows") returned -1 [0113.019] lstrcmpiW (lpString1="clickonce_bootstrap.exe.manifest", lpString2="Program Files") returned -1 [0113.019] lstrcmpiW (lpString1="clickonce_bootstrap.exe.manifest", lpString2="Program Files (x86)") returned -1 [0113.019] lstrcmpiW (lpString1="clickonce_bootstrap.exe.manifest", lpString2="$Recycle.bin") returned 1 [0113.019] lstrcmpiW (lpString1="clickonce_bootstrap.exe.manifest", lpString2="System Volume Information") returned -1 [0113.019] lstrcmpiW (lpString1="clickonce_bootstrap.exe.manifest", lpString2=".") returned 1 [0113.019] lstrcmpiW (lpString1="clickonce_bootstrap.exe.manifest", lpString2="..") returned 1 [0113.020] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest") returned 170 [0113.020] lstrcmpW (lpString1="clickonce_bootstrap.exe.manifest", lpString2="PUSSY.TXT") returned -1 [0113.020] PathFindExtensionW (pszPath="clickonce_bootstrap.exe.manifest") returned=".manifest" [0113.020] lstrlenW (lpString=".manifest") returned 9 [0113.020] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0113.020] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x180 [0113.021] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=13643) returned 1 [0113.021] GetProcessHeap () returned 0x4c0000 [0113.021] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b380a0 [0113.037] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="FC") returned 2 [0113.037] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="C5") returned 2 [0113.037] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="87") returned 2 [0113.037] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="B2") returned 2 [0113.037] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="73") returned 2 [0113.037] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="05") returned 2 [0113.037] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="7C") returned 2 [0113.037] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="78") returned 2 [0113.037] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="90") returned 2 [0113.037] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="AC") returned 2 [0113.037] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="39") returned 2 [0113.037] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="5F") returned 2 [0113.037] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="4C") returned 2 [0113.037] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="F5") returned 2 [0113.037] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="8E") returned 2 [0113.037] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="E7") returned 2 [0113.037] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="73") returned 2 [0113.037] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="9A") returned 2 [0113.037] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="E2") returned 2 [0113.037] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="C8") returned 2 [0113.037] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="B9") returned 2 [0113.037] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="43") returned 2 [0113.037] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="9A") returned 2 [0113.037] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="59") returned 2 [0113.038] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="B3") returned 2 [0113.038] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="E8") returned 2 [0113.038] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="2D") returned 2 [0113.038] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="97") returned 2 [0113.038] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="9F") returned 2 [0113.038] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="4A") returned 2 [0113.038] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="5F") returned 2 [0113.038] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="0A") returned 2 [0113.050] lstrcpyW (in: lpString1=0x3b480d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest" [0113.050] lstrcpyW (in: lpString1=0x3b380d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest" [0113.050] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest", lpString2=".FCC587B273057C7890AC395F4CF58EE7739AE2C8B9439A59B3E82D979F4A5F0A" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest.FCC587B273057C7890AC395F4CF58EE7739AE2C8B9439A59B3E82D979F4A5F0A") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest.FCC587B273057C7890AC395F4CF58EE7739AE2C8B9439A59B3E82D979F4A5F0A" [0113.050] CreateIoCompletionPort (FileHandle=0x180, ExistingCompletionPort=0x94, CompletionKey=0x3b380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0113.050] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b380a0, lpOverlapped=0x3b380a0) returned 1 [0113.050] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6a37a2c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a37a2c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a37a2c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xee0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="clickonce_bootstrap_unsigned.cdf-ms", cAlternateFileName="CLICKO~1.CDF")) returned 1 [0113.050] lstrcmpiW (lpString1="clickonce_bootstrap_unsigned.cdf-ms", lpString2="Windows") returned -1 [0113.050] lstrcmpiW (lpString1="clickonce_bootstrap_unsigned.cdf-ms", lpString2="Program Files") returned -1 [0113.050] lstrcmpiW (lpString1="clickonce_bootstrap_unsigned.cdf-ms", lpString2="Program Files (x86)") returned -1 [0113.050] lstrcmpiW (lpString1="clickonce_bootstrap_unsigned.cdf-ms", lpString2="$Recycle.bin") returned 1 [0113.050] lstrcmpiW (lpString1="clickonce_bootstrap_unsigned.cdf-ms", lpString2="System Volume Information") returned -1 [0113.050] lstrcmpiW (lpString1="clickonce_bootstrap_unsigned.cdf-ms", lpString2=".") returned 1 [0113.050] lstrcmpiW (lpString1="clickonce_bootstrap_unsigned.cdf-ms", lpString2="..") returned 1 [0113.050] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms") returned 173 [0113.050] lstrcmpW (lpString1="clickonce_bootstrap_unsigned.cdf-ms", lpString2="PUSSY.TXT") returned -1 [0113.051] PathFindExtensionW (pszPath="clickonce_bootstrap_unsigned.cdf-ms") returned=".cdf-ms" [0113.051] lstrlenW (lpString=".cdf-ms") returned 7 [0113.051] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0113.051] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0113.051] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=3808) returned 1 [0113.052] GetProcessHeap () returned 0x4c0000 [0113.052] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b600f0 [0113.064] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="9D") returned 2 [0113.064] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="01") returned 2 [0113.064] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="15") returned 2 [0113.064] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="23") returned 2 [0113.064] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="D3") returned 2 [0113.064] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="8B") returned 2 [0113.064] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="2C") returned 2 [0113.065] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="C8") returned 2 [0113.065] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="F2") returned 2 [0113.065] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="4A") returned 2 [0113.065] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="0C") returned 2 [0113.065] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="F1") returned 2 [0113.065] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="36") returned 2 [0113.065] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="95") returned 2 [0113.065] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="8D") returned 2 [0113.065] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="7A") returned 2 [0113.065] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="F6") returned 2 [0113.065] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="DF") returned 2 [0113.065] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="A0") returned 2 [0113.065] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="F8") returned 2 [0113.065] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="D7") returned 2 [0113.065] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="DC") returned 2 [0113.065] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="E2") returned 2 [0113.065] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="95") returned 2 [0113.065] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="44") returned 2 [0113.065] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="5C") returned 2 [0113.065] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="EF") returned 2 [0113.065] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="F5") returned 2 [0113.065] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="A6") returned 2 [0113.065] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="D1") returned 2 [0113.065] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="81") returned 2 [0113.065] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="28") returned 2 [0113.078] lstrcpyW (in: lpString1=0x3b70124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms" [0113.078] lstrcpyW (in: lpString1=0x3b60124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms" [0113.079] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms", lpString2=".9D011523D38B2CC8F24A0CF136958D7AF6DFA0F8D7DCE295445CEFF5A6D18128" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms.9D011523D38B2CC8F24A0CF136958D7AF6DFA0F8D7DCE295445CEFF5A6D18128") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms.9D011523D38B2CC8F24A0CF136958D7AF6DFA0F8D7DCE295445CEFF5A6D18128" [0113.079] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x3b600f0, NumberOfConcurrentThreads=0x0) returned 0x94 [0113.079] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b600f0, lpOverlapped=0x3b600f0) returned 1 [0113.079] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6a37a2c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a37a2c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a37a2c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x560, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="clickonce_bootstrap_unsigned.manifest", cAlternateFileName="CLICKO~1.MAN")) returned 1 [0113.079] lstrcmpiW (lpString1="clickonce_bootstrap_unsigned.manifest", lpString2="Windows") returned -1 [0113.079] lstrcmpiW (lpString1="clickonce_bootstrap_unsigned.manifest", lpString2="Program Files") returned -1 [0113.079] lstrcmpiW (lpString1="clickonce_bootstrap_unsigned.manifest", lpString2="Program Files (x86)") returned -1 [0113.079] lstrcmpiW (lpString1="clickonce_bootstrap_unsigned.manifest", lpString2="$Recycle.bin") returned 1 [0113.079] lstrcmpiW (lpString1="clickonce_bootstrap_unsigned.manifest", lpString2="System Volume Information") returned -1 [0113.079] lstrcmpiW (lpString1="clickonce_bootstrap_unsigned.manifest", lpString2=".") returned 1 [0113.079] lstrcmpiW (lpString1="clickonce_bootstrap_unsigned.manifest", lpString2="..") returned 1 [0113.079] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest") returned 175 [0113.079] lstrcmpW (lpString1="clickonce_bootstrap_unsigned.manifest", lpString2="PUSSY.TXT") returned -1 [0113.079] PathFindExtensionW (pszPath="clickonce_bootstrap_unsigned.manifest") returned=".manifest" [0113.079] lstrlenW (lpString=".manifest") returned 9 [0113.079] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0113.079] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0113.080] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=1376) returned 1 [0113.080] GetProcessHeap () returned 0x4c0000 [0113.080] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b88140 [0113.093] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="26") returned 2 [0113.093] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="A4") returned 2 [0113.093] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="E8") returned 2 [0113.093] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="09") returned 2 [0113.093] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="10") returned 2 [0113.093] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="4E") returned 2 [0113.093] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="27") returned 2 [0113.093] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="32") returned 2 [0113.093] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="60") returned 2 [0113.093] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="F7") returned 2 [0113.093] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="D4") returned 2 [0113.093] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="33") returned 2 [0113.094] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="A2") returned 2 [0113.094] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="E5") returned 2 [0113.094] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="10") returned 2 [0113.094] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="4C") returned 2 [0113.094] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="0A") returned 2 [0113.094] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="04") returned 2 [0113.094] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="06") returned 2 [0113.094] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="EF") returned 2 [0113.094] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="EA") returned 2 [0113.094] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="9E") returned 2 [0113.094] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="50") returned 2 [0113.094] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="2A") returned 2 [0113.094] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="8A") returned 2 [0113.094] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="F5") returned 2 [0113.094] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="1D") returned 2 [0113.094] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="2F") returned 2 [0113.094] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="87") returned 2 [0113.094] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="BF") returned 2 [0113.094] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="75") returned 2 [0113.094] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="46") returned 2 [0113.106] lstrcpyW (in: lpString1=0x3b98174, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest" [0113.106] lstrcpyW (in: lpString1=0x3b88174, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest" [0113.106] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest", lpString2=".26A4E809104E273260F7D433A2E5104C0A0406EFEA9E502A8AF51D2F87BF7546" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest.26A4E809104E273260F7D433A2E5104C0A0406EFEA9E502A8AF51D2F87BF7546") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest.26A4E809104E273260F7D433A2E5104C0A0406EFEA9E502A8AF51D2F87BF7546" [0113.107] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x3b88140, NumberOfConcurrentThreads=0x0) returned 0x94 [0113.107] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b88140, lpOverlapped=0x3b88140) returned 1 [0113.107] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a37a2c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a37a2c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a295a80, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x113f58, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="GoogleUpdateSetup.exe", cAlternateFileName="")) returned 1 [0113.107] lstrcmpiW (lpString1="GoogleUpdateSetup.exe", lpString2="Windows") returned -1 [0113.107] lstrcmpiW (lpString1="GoogleUpdateSetup.exe", lpString2="Program Files") returned -1 [0113.107] lstrcmpiW (lpString1="GoogleUpdateSetup.exe", lpString2="Program Files (x86)") returned -1 [0113.107] lstrcmpiW (lpString1="GoogleUpdateSetup.exe", lpString2="$Recycle.bin") returned 1 [0113.107] lstrcmpiW (lpString1="GoogleUpdateSetup.exe", lpString2="System Volume Information") returned -1 [0113.107] lstrcmpiW (lpString1="GoogleUpdateSetup.exe", lpString2=".") returned 1 [0113.107] lstrcmpiW (lpString1="GoogleUpdateSetup.exe", lpString2="..") returned 1 [0113.107] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\GoogleUpdateSetup.exe") returned 159 [0113.107] lstrcmpW (lpString1="GoogleUpdateSetup.exe", lpString2="PUSSY.TXT") returned -1 [0113.107] PathFindExtensionW (pszPath="GoogleUpdateSetup.exe") returned=".exe" [0113.107] lstrlenW (lpString=".exe") returned 4 [0113.107] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0113.107] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\GoogleUpdateSetup.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\googleupdatesetup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0113.294] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a37a2c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a37a2c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a295a80, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x113f58, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="GoogleUpdateSetup.exe", cAlternateFileName="")) returned 0 [0113.294] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0113.294] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\PUSSY.TXT") returned 147 [0113.294] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0113.295] lstrlenA (lpString="abcd") returned 4 [0113.295] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0113.296] CloseHandle (hObject=0x18c) returned 1 [0113.296] GetProcessHeap () returned 0x4c0000 [0113.296] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0113.299] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65f935c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a37a2c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a37a2c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName="manifests", cAlternateFileName="MANIFE~1")) returned 1 [0113.299] lstrcmpiW (lpString1="manifests", lpString2="Windows") returned -1 [0113.299] lstrcmpiW (lpString1="manifests", lpString2="Program Files") returned -1 [0113.299] lstrcmpiW (lpString1="manifests", lpString2="Program Files (x86)") returned -1 [0113.299] lstrcmpiW (lpString1="manifests", lpString2="$Recycle.bin") returned 1 [0113.299] lstrcmpiW (lpString1="manifests", lpString2="System Volume Information") returned -1 [0113.299] lstrcmpiW (lpString1="manifests", lpString2=".") returned 1 [0113.299] lstrcmpiW (lpString1="manifests", lpString2="..") returned 1 [0113.299] wnsprintfW (in: pszDest=0x3cb0190, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests") returned 92 [0113.299] GetProcessHeap () returned 0x4c0000 [0113.299] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53caf0 [0113.300] lstrcpyW (in: lpString1=0x53caf0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests" [0113.300] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\*" [0113.300] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65f935c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a37a2c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a37a2c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0113.302] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0113.302] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0113.302] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0113.302] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0113.302] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0113.303] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0113.303] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65f935c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a37a2c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a37a2c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0113.303] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0113.303] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0113.303] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0113.303] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0113.303] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0113.303] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0113.303] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0113.303] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6a37a2c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a37a2c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a37a2c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x42d0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms", cAlternateFileName="CLICEX~1.CDF")) returned 1 [0113.303] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms", lpString2="Windows") returned -1 [0113.303] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms", lpString2="Program Files") returned -1 [0113.303] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms", lpString2="Program Files (x86)") returned -1 [0113.303] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms", lpString2="$Recycle.bin") returned 1 [0113.303] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms", lpString2="System Volume Information") returned -1 [0113.303] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms", lpString2=".") returned 1 [0113.304] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms", lpString2="..") returned 1 [0113.304] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms") returned 159 [0113.304] lstrcmpW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms", lpString2="PUSSY.TXT") returned -1 [0113.304] PathFindExtensionW (pszPath="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms") returned=".cdf-ms" [0113.304] lstrlenW (lpString=".cdf-ms") returned 7 [0113.304] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0113.304] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0113.308] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6a37a2c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a37a2c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a37a2c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x354b, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest", cAlternateFileName="CLICEX~1.MAN")) returned 1 [0113.308] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest", lpString2="Windows") returned -1 [0113.308] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest", lpString2="Program Files") returned -1 [0113.308] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest", lpString2="Program Files (x86)") returned -1 [0113.308] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest", lpString2="$Recycle.bin") returned 1 [0113.308] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest", lpString2="System Volume Information") returned -1 [0113.308] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest", lpString2=".") returned 1 [0113.309] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest", lpString2="..") returned 1 [0113.309] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest") returned 161 [0113.309] lstrcmpW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest", lpString2="PUSSY.TXT") returned -1 [0113.309] PathFindExtensionW (pszPath="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest") returned=".manifest" [0113.309] lstrlenW (lpString=".manifest") returned 9 [0113.309] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0113.309] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0113.313] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6a37a2c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a37a2c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a37a2c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x38b0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms", cAlternateFileName="GOOGAP~1.CDF")) returned 1 [0113.313] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms", lpString2="Windows") returned -1 [0113.313] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms", lpString2="Program Files") returned -1 [0113.313] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms", lpString2="Program Files (x86)") returned -1 [0113.314] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms", lpString2="$Recycle.bin") returned 1 [0113.314] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms", lpString2="System Volume Information") returned -1 [0113.314] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms", lpString2=".") returned 1 [0113.314] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms", lpString2="..") returned 1 [0113.314] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms") returned 159 [0113.314] lstrcmpW (lpString1="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms", lpString2="PUSSY.TXT") returned -1 [0113.314] PathFindExtensionW (pszPath="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms") returned=".cdf-ms" [0113.314] lstrlenW (lpString=".cdf-ms") returned 7 [0113.314] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0113.314] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0113.315] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=14512) returned 1 [0113.315] GetProcessHeap () returned 0x4c0000 [0113.315] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0113.329] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="03") returned 2 [0113.329] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="0E") returned 2 [0113.329] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="CF") returned 2 [0113.329] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="74") returned 2 [0113.329] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="4F") returned 2 [0113.329] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="EC") returned 2 [0113.329] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="D9") returned 2 [0113.329] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="A1") returned 2 [0113.329] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="07") returned 2 [0113.329] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="C5") returned 2 [0113.329] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="AF") returned 2 [0113.329] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="B5") returned 2 [0113.329] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="97") returned 2 [0113.329] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="FB") returned 2 [0113.329] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="27") returned 2 [0113.329] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="D7") returned 2 [0113.329] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="5D") returned 2 [0113.329] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="4A") returned 2 [0113.330] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="00") returned 2 [0113.330] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="92") returned 2 [0113.330] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="A5") returned 2 [0113.330] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="B4") returned 2 [0113.330] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="9A") returned 2 [0113.330] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="0D") returned 2 [0113.330] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="4A") returned 2 [0113.330] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="A9") returned 2 [0113.330] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="11") returned 2 [0113.330] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="19") returned 2 [0113.330] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="80") returned 2 [0113.330] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="4C") returned 2 [0113.330] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="1B") returned 2 [0113.330] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="4D") returned 2 [0113.344] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms" [0113.344] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms" [0113.344] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms", lpString2=".030ECF744FECD9A107C5AFB597FB27D75D4A0092A5B49A0D4AA91119804C1B4D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms.030ECF744FECD9A107C5AFB597FB27D75D4A0092A5B49A0D4AA91119804C1B4D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms.030ECF744FECD9A107C5AFB597FB27D75D4A0092A5B49A0D4AA91119804C1B4D" [0113.344] CreateIoCompletionPort (FileHandle=0x16c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0113.344] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0113.344] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6a37a2c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a37a2c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a37a2c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x2e30, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest", cAlternateFileName="GOOGAP~1.MAN")) returned 1 [0113.344] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest", lpString2="Windows") returned -1 [0113.344] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest", lpString2="Program Files") returned -1 [0113.344] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest", lpString2="Program Files (x86)") returned -1 [0113.344] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest", lpString2="$Recycle.bin") returned 1 [0113.344] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest", lpString2="System Volume Information") returned -1 [0113.344] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest", lpString2=".") returned 1 [0113.344] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest", lpString2="..") returned 1 [0113.344] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest") returned 161 [0113.344] lstrcmpW (lpString1="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest", lpString2="PUSSY.TXT") returned -1 [0113.344] PathFindExtensionW (pszPath="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest") returned=".manifest" [0113.344] lstrlenW (lpString=".manifest") returned 9 [0113.345] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0113.345] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0113.345] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=11824) returned 1 [0113.345] GetProcessHeap () returned 0x4c0000 [0113.345] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc80e0 [0113.359] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="12") returned 2 [0113.359] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="8C") returned 2 [0113.359] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="B2") returned 2 [0113.359] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="DC") returned 2 [0113.359] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="96") returned 2 [0113.360] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="4A") returned 2 [0113.360] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="3E") returned 2 [0113.360] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="22") returned 2 [0113.360] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="67") returned 2 [0113.360] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="6E") returned 2 [0113.360] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="69") returned 2 [0113.360] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="D9") returned 2 [0113.360] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="A9") returned 2 [0113.360] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="70") returned 2 [0113.360] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="CC") returned 2 [0113.360] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="C8") returned 2 [0113.360] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="C7") returned 2 [0113.360] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="43") returned 2 [0113.360] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="7A") returned 2 [0113.360] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="19") returned 2 [0113.360] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="00") returned 2 [0113.360] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="98") returned 2 [0113.360] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="C8") returned 2 [0113.360] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="35") returned 2 [0113.360] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="24") returned 2 [0113.360] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="31") returned 2 [0113.360] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="5A") returned 2 [0113.360] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="D7") returned 2 [0113.360] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="24") returned 2 [0113.360] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="C1") returned 2 [0113.361] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="78") returned 2 [0113.361] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="0F") returned 2 [0113.372] lstrcpyW (in: lpString1=0x3bd8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest" [0113.373] lstrcpyW (in: lpString1=0x3bc8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest" [0113.373] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest", lpString2=".128CB2DC964A3E22676E69D9A970CCC8C7437A190098C83524315AD724C1780F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest.128CB2DC964A3E22676E69D9A970CCC8C7437A190098C83524315AD724C1780F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest.128CB2DC964A3E22676E69D9A970CCC8C7437A190098C83524315AD724C1780F" [0113.373] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0x94, CompletionKey=0x3bc80e0, NumberOfConcurrentThreads=0x0) returned 0x94 [0113.373] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc80e0, lpOverlapped=0x3bc80e0) returned 1 [0113.373] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6a37a2c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a37a2c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a37a2c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x2e30, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest", cAlternateFileName="GOOGAP~1.MAN")) returned 0 [0113.373] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0113.373] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\PUSSY.TXT") returned 102 [0113.373] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0113.374] lstrlenA (lpString="abcd") returned 4 [0113.374] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0113.375] CloseHandle (hObject=0x18c) returned 1 [0113.375] GetProcessHeap () returned 0x4c0000 [0113.375] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0113.375] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65f935c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a37a2c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a37a2c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName="manifests", cAlternateFileName="MANIFE~1")) returned 0 [0113.375] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0113.375] wnsprintfW (in: pszDest=0x3cb0190, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\PUSSY.TXT") returned 92 [0113.375] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0113.376] lstrlenA (lpString="abcd") returned 4 [0113.376] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0113.377] CloseHandle (hObject=0x1b0) returned 1 [0113.377] GetProcessHeap () returned 0x4c0000 [0113.377] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3cb0190 | out: hHeap=0x4c0000) returned 1 [0113.381] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65f935c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a37a2c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a37a2c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="YVORLGOR.PNT", cAlternateFileName="")) returned 0 [0113.381] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0113.381] wnsprintfW (in: pszDest=0x3ca0188, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\PUSSY.TXT") returned 79 [0113.381] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0113.381] lstrlenA (lpString="abcd") returned 4 [0113.381] WriteFile (in: hFile=0x1a8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0113.383] CloseHandle (hObject=0x1a8) returned 1 [0113.383] GetProcessHeap () returned 0x4c0000 [0113.383] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0188 | out: hHeap=0x4c0000) returned 1 [0113.383] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65f935c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x65f935c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x65f935c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xff06c663, cFileName="DQQ19BCJ.JAX", cAlternateFileName="")) returned 0 [0113.383] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0113.383] wnsprintfW (in: pszDest=0x3c10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\PUSSY.TXT") returned 66 [0113.383] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0113.384] lstrlenA (lpString="abcd") returned 4 [0113.384] WriteFile (in: hFile=0xec, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0113.385] CloseHandle (hObject=0xec) returned 1 [0113.385] GetProcessHeap () returned 0x4c0000 [0113.385] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c10050 | out: hHeap=0x4c0000) returned 1 [0113.387] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65f935c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x65fb9720, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x65fb9720, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2d959bc5, cFileName="2.0", cAlternateFileName="")) returned 0 [0113.387] FindClose (in: hFindFile=0x3bb7020 | out: hFindFile=0x3bb7020) returned 1 [0113.387] wnsprintfW (in: pszDest=0x3c00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\PUSSY.TXT") returned 62 [0113.387] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0113.387] lstrlenA (lpString="abcd") returned 4 [0113.387] WriteFile (in: hFile=0x174, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0113.389] CloseHandle (hObject=0x174) returned 1 [0113.389] GetProcessHeap () returned 0x4c0000 [0113.389] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0113.389] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65e16800, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6adbe1a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6adbe1a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="Deployment", cAlternateFileName="DEPLOY~1")) returned 1 [0113.389] lstrcmpiW (lpString1="Deployment", lpString2="Windows") returned -1 [0113.389] lstrcmpiW (lpString1="Deployment", lpString2="Program Files") returned -1 [0113.389] lstrcmpiW (lpString1="Deployment", lpString2="Program Files (x86)") returned -1 [0113.389] lstrcmpiW (lpString1="Deployment", lpString2="$Recycle.bin") returned 1 [0113.389] lstrcmpiW (lpString1="Deployment", lpString2="System Volume Information") returned -1 [0113.389] lstrcmpiW (lpString1="Deployment", lpString2=".") returned 1 [0113.389] lstrcmpiW (lpString1="Deployment", lpString2="..") returned 1 [0113.389] wnsprintfW (in: pszDest=0x52bae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Deployment") returned 58 [0113.389] GetProcessHeap () returned 0x4c0000 [0113.389] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c00048 [0113.389] lstrcpyW (in: lpString1=0x3c00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Deployment" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Deployment") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Deployment" [0113.390] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Deployment", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Deployment\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Deployment\\*" [0113.390] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Deployment\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65e16800, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6adbe1a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6adbe1a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2d959bc5, cFileName=".", cAlternateFileName="")) returned 0x3bb7020 [0113.390] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0113.390] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0113.390] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0113.390] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0113.390] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0113.390] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0113.390] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65e16800, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6adbe1a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6adbe1a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2d959bc5, cFileName="..", cAlternateFileName="")) returned 1 [0113.390] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0113.390] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0113.391] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0113.391] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0113.391] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0113.391] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0113.391] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0113.391] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65e16800, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6adbe1a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6adbe1a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2d959bc5, cFileName="..", cAlternateFileName="")) returned 0 [0113.391] FindClose (in: hFindFile=0x3bb7020 | out: hFindFile=0x3bb7020) returned 1 [0113.391] wnsprintfW (in: pszDest=0x3c00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Deployment\\PUSSY.TXT") returned 68 [0113.391] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Deployment\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\deployment\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0113.391] lstrlenA (lpString="abcd") returned 4 [0113.391] WriteFile (in: hFile=0x174, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0113.392] CloseHandle (hObject=0x174) returned 1 [0113.392] GetProcessHeap () returned 0x4c0000 [0113.392] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0113.392] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x66051ca0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x66051ca0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x9791f220, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x1a918, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="GDIPFONTCACHEV1.DAT", cAlternateFileName="GDIPFO~1.DAT")) returned 1 [0113.393] lstrcmpiW (lpString1="GDIPFONTCACHEV1.DAT", lpString2="Windows") returned -1 [0113.393] lstrcmpiW (lpString1="GDIPFONTCACHEV1.DAT", lpString2="Program Files") returned -1 [0113.393] lstrcmpiW (lpString1="GDIPFONTCACHEV1.DAT", lpString2="Program Files (x86)") returned -1 [0113.393] lstrcmpiW (lpString1="GDIPFONTCACHEV1.DAT", lpString2="$Recycle.bin") returned 1 [0113.393] lstrcmpiW (lpString1="GDIPFONTCACHEV1.DAT", lpString2="System Volume Information") returned -1 [0113.393] lstrcmpiW (lpString1="GDIPFONTCACHEV1.DAT", lpString2=".") returned 1 [0113.393] lstrcmpiW (lpString1="GDIPFONTCACHEV1.DAT", lpString2="..") returned 1 [0113.393] wnsprintfW (in: pszDest=0x52bae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT") returned 67 [0113.393] lstrcmpW (lpString1="GDIPFONTCACHEV1.DAT", lpString2="PUSSY.TXT") returned -1 [0113.393] PathFindExtensionW (pszPath="GDIPFONTCACHEV1.DAT") returned=".DAT" [0113.393] lstrlenW (lpString=".DAT") returned 4 [0113.393] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0113.393] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\gdipfontcachev1.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x174 [0113.394] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=108824) returned 1 [0113.394] GetProcessHeap () returned 0x4c0000 [0113.394] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b00048 [0113.408] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="7B") returned 2 [0113.408] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="0A") returned 2 [0113.408] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="3B") returned 2 [0113.408] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="26") returned 2 [0113.408] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="DB") returned 2 [0113.408] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="CE") returned 2 [0113.408] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="33") returned 2 [0113.408] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="55") returned 2 [0113.408] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="14") returned 2 [0113.408] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="E7") returned 2 [0113.408] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="8D") returned 2 [0113.408] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="84") returned 2 [0113.408] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="48") returned 2 [0113.408] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="38") returned 2 [0113.408] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="1B") returned 2 [0113.408] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="EE") returned 2 [0113.408] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="33") returned 2 [0113.408] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="BB") returned 2 [0113.408] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="64") returned 2 [0113.408] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="12") returned 2 [0113.408] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="EB") returned 2 [0113.408] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="05") returned 2 [0113.408] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="0F") returned 2 [0113.409] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="58") returned 2 [0113.409] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="47") returned 2 [0113.409] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="17") returned 2 [0113.409] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="4D") returned 2 [0113.409] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="A2") returned 2 [0113.409] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="2E") returned 2 [0113.409] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="49") returned 2 [0113.409] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="A8") returned 2 [0113.409] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="18") returned 2 [0113.467] lstrcpyW (in: lpString1=0x3b1007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT" [0113.467] lstrcpyW (in: lpString1=0x3b0007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT" [0113.467] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT", lpString2=".7B0A3B26DBCE335514E78D8448381BEE33BB6412EB050F5847174DA22E49A818" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT.7B0A3B26DBCE335514E78D8448381BEE33BB6412EB050F5847174DA22E49A818") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT.7B0A3B26DBCE335514E78D8448381BEE33BB6412EB050F5847174DA22E49A818" [0113.467] CreateIoCompletionPort (FileHandle=0x174, ExistingCompletionPort=0x94, CompletionKey=0x3b00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0113.467] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b00048, lpOverlapped=0x3b00048) returned 1 [0113.467] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6b0b7d20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7f572ae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7f572ae0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="Google", cAlternateFileName="")) returned 1 [0113.467] lstrcmpiW (lpString1="Google", lpString2="Windows") returned -1 [0113.468] lstrcmpiW (lpString1="Google", lpString2="Program Files") returned -1 [0113.468] lstrcmpiW (lpString1="Google", lpString2="Program Files (x86)") returned -1 [0113.468] lstrcmpiW (lpString1="Google", lpString2="$Recycle.bin") returned 1 [0113.468] lstrcmpiW (lpString1="Google", lpString2="System Volume Information") returned -1 [0113.468] lstrcmpiW (lpString1="Google", lpString2=".") returned 1 [0113.468] lstrcmpiW (lpString1="Google", lpString2="..") returned 1 [0113.468] wnsprintfW (in: pszDest=0x52bae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google") returned 54 [0113.510] GetProcessHeap () returned 0x4c0000 [0113.510] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c00048 [0113.510] lstrcpyW (in: lpString1=0x3c00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google" [0113.511] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\*" [0113.511] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6b0b7d20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7f572ae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7f572ae0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7020 [0113.514] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0113.514] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0113.514] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0113.514] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0113.514] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0113.515] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0113.515] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6b0b7d20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7f572ae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7f572ae0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0113.515] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0113.515] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0113.515] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0113.515] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0113.515] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0113.515] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0113.515] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0113.515] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7f572ae0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7f572ae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7f572ae0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Chrome", cAlternateFileName="")) returned 1 [0113.515] lstrcmpiW (lpString1="Chrome", lpString2="Windows") returned -1 [0113.515] lstrcmpiW (lpString1="Chrome", lpString2="Program Files") returned -1 [0113.515] lstrcmpiW (lpString1="Chrome", lpString2="Program Files (x86)") returned -1 [0113.515] lstrcmpiW (lpString1="Chrome", lpString2="$Recycle.bin") returned 1 [0113.515] lstrcmpiW (lpString1="Chrome", lpString2="System Volume Information") returned -1 [0113.515] lstrcmpiW (lpString1="Chrome", lpString2=".") returned 1 [0113.515] lstrcmpiW (lpString1="Chrome", lpString2="..") returned 1 [0113.515] wnsprintfW (in: pszDest=0x3c00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome") returned 61 [0113.515] GetProcessHeap () returned 0x4c0000 [0113.515] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c10050 [0113.516] lstrcpyW (in: lpString1=0x3c10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome" [0113.516] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\*" [0113.516] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7f572ae0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7f572ae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7f572ae0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe45d5e1, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0113.516] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0113.516] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0113.516] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0113.516] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0113.516] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0113.516] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0113.516] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7f572ae0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7f572ae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7f572ae0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe45d5e1, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0113.516] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0113.516] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0113.516] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0113.516] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0113.516] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0113.517] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0113.517] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0113.517] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7f572ae0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x9c593160, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x9c593160, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe45d5e1, dwReserved1=0xfe000000, cFileName="User Data", cAlternateFileName="USERDA~1")) returned 1 [0113.517] lstrcmpiW (lpString1="User Data", lpString2="Windows") returned -1 [0113.517] lstrcmpiW (lpString1="User Data", lpString2="Program Files") returned 1 [0113.517] lstrcmpiW (lpString1="User Data", lpString2="Program Files (x86)") returned 1 [0113.517] lstrcmpiW (lpString1="User Data", lpString2="$Recycle.bin") returned 1 [0113.517] lstrcmpiW (lpString1="User Data", lpString2="System Volume Information") returned 1 [0113.517] lstrcmpiW (lpString1="User Data", lpString2=".") returned 1 [0113.517] lstrcmpiW (lpString1="User Data", lpString2="..") returned 1 [0113.517] wnsprintfW (in: pszDest=0x3c10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data") returned 71 [0113.517] GetProcessHeap () returned 0x4c0000 [0113.517] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0113.517] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data" [0113.517] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\*" [0113.517] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7f572ae0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x9c593160, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x9c593160, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c15f66e, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0113.520] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0113.520] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0113.520] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0113.520] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0113.520] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0113.520] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0113.520] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7f572ae0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x9c593160, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x9c593160, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c15f66e, cFileName="..", cAlternateFileName="")) returned 1 [0113.521] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0113.521] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0113.521] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0113.521] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0113.521] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0113.521] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0113.521] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0113.521] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81dfb250, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x81dfb250, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x81dfb250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c15f66e, cFileName="CertificateTransparency", cAlternateFileName="CERTIF~1")) returned 1 [0113.521] lstrcmpiW (lpString1="CertificateTransparency", lpString2="Windows") returned -1 [0113.521] lstrcmpiW (lpString1="CertificateTransparency", lpString2="Program Files") returned -1 [0113.521] lstrcmpiW (lpString1="CertificateTransparency", lpString2="Program Files (x86)") returned -1 [0113.521] lstrcmpiW (lpString1="CertificateTransparency", lpString2="$Recycle.bin") returned 1 [0113.521] lstrcmpiW (lpString1="CertificateTransparency", lpString2="System Volume Information") returned -1 [0113.521] lstrcmpiW (lpString1="CertificateTransparency", lpString2=".") returned 1 [0113.521] lstrcmpiW (lpString1="CertificateTransparency", lpString2="..") returned 1 [0113.521] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateTransparency") returned 95 [0113.521] GetProcessHeap () returned 0x4c0000 [0113.521] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0113.521] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateTransparency" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateTransparency") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateTransparency" [0113.521] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateTransparency", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateTransparency\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateTransparency\\*" [0113.521] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateTransparency\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81dfb250, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x81dfb250, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x81dfb250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0113.522] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0113.522] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0113.522] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0113.523] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0113.523] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0113.523] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0113.523] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81dfb250, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x81dfb250, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x81dfb250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="..", cAlternateFileName="")) returned 1 [0113.523] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0113.523] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0113.523] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0113.523] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0113.523] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0113.523] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0113.523] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0113.523] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81dfb250, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x81dfb250, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x81dfb250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="..", cAlternateFileName="")) returned 0 [0113.523] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0113.523] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateTransparency\\PUSSY.TXT") returned 105 [0113.523] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateTransparency\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\certificatetransparency\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0113.524] lstrlenA (lpString="abcd") returned 4 [0113.524] WriteFile (in: hFile=0x1a8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0113.525] CloseHandle (hObject=0x1a8) returned 1 [0113.525] GetProcessHeap () returned 0x4c0000 [0113.525] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0113.528] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7f598c40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7f5beda0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7f5beda0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c15f66e, cFileName="Crashpad", cAlternateFileName="")) returned 1 [0113.529] lstrcmpiW (lpString1="Crashpad", lpString2="Windows") returned -1 [0113.529] lstrcmpiW (lpString1="Crashpad", lpString2="Program Files") returned -1 [0113.529] lstrcmpiW (lpString1="Crashpad", lpString2="Program Files (x86)") returned -1 [0113.529] lstrcmpiW (lpString1="Crashpad", lpString2="$Recycle.bin") returned 1 [0113.529] lstrcmpiW (lpString1="Crashpad", lpString2="System Volume Information") returned -1 [0113.529] lstrcmpiW (lpString1="Crashpad", lpString2=".") returned 1 [0113.529] lstrcmpiW (lpString1="Crashpad", lpString2="..") returned 1 [0113.529] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad") returned 80 [0113.529] GetProcessHeap () returned 0x4c0000 [0113.529] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0113.530] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad" [0113.530] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\*" [0113.530] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7f598c40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7f5beda0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7f5beda0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0113.531] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0113.531] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0113.531] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0113.531] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0113.531] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0113.531] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0113.531] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7f598c40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7f5beda0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7f5beda0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="..", cAlternateFileName="")) returned 1 [0113.531] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0113.532] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0113.532] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0113.532] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0113.532] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0113.532] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0113.532] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0113.532] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7f5beda0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7f5beda0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7f5beda0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="metadata", cAlternateFileName="")) returned 1 [0113.532] lstrcmpiW (lpString1="metadata", lpString2="Windows") returned -1 [0113.532] lstrcmpiW (lpString1="metadata", lpString2="Program Files") returned -1 [0113.532] lstrcmpiW (lpString1="metadata", lpString2="Program Files (x86)") returned -1 [0113.532] lstrcmpiW (lpString1="metadata", lpString2="$Recycle.bin") returned 1 [0113.532] lstrcmpiW (lpString1="metadata", lpString2="System Volume Information") returned -1 [0113.532] lstrcmpiW (lpString1="metadata", lpString2=".") returned 1 [0113.532] lstrcmpiW (lpString1="metadata", lpString2="..") returned 1 [0113.532] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\metadata") returned 89 [0113.532] lstrcmpW (lpString1="metadata", lpString2="PUSSY.TXT") returned -1 [0113.532] PathFindExtensionW (pszPath="metadata") returned="" [0113.532] lstrlenW (lpString="") returned 0 [0113.532] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0113.532] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\metadata" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\crashpad\\metadata"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0113.533] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=0) returned 1 [0113.533] CloseHandle (hObject=0x1b0) returned 1 [0113.534] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7f598c40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7f598c40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7f598c40, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="reports", cAlternateFileName="")) returned 1 [0113.534] lstrcmpiW (lpString1="reports", lpString2="Windows") returned -1 [0113.534] lstrcmpiW (lpString1="reports", lpString2="Program Files") returned 1 [0113.534] lstrcmpiW (lpString1="reports", lpString2="Program Files (x86)") returned 1 [0113.534] lstrcmpiW (lpString1="reports", lpString2="$Recycle.bin") returned 1 [0113.534] lstrcmpiW (lpString1="reports", lpString2="System Volume Information") returned -1 [0113.534] lstrcmpiW (lpString1="reports", lpString2=".") returned 1 [0113.534] lstrcmpiW (lpString1="reports", lpString2="..") returned 1 [0113.534] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\reports") returned 88 [0113.534] GetProcessHeap () returned 0x4c0000 [0113.534] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0113.535] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\reports" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\reports") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\reports" [0113.535] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\reports", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\reports\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\reports\\*" [0113.535] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\reports\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7f598c40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7f598c40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7f598c40, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0113.536] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0113.536] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0113.536] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0113.536] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0113.536] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0113.536] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0113.536] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7f598c40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7f598c40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7f598c40, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0113.536] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0113.536] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0113.536] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0113.536] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0113.536] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0113.536] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0113.536] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0113.536] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7f598c40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7f598c40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7f598c40, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 0 [0113.536] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0113.536] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\reports\\PUSSY.TXT") returned 98 [0113.536] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\reports\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\crashpad\\reports\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0113.537] lstrlenA (lpString="abcd") returned 4 [0113.537] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0113.538] CloseHandle (hObject=0x1b0) returned 1 [0113.538] GetProcessHeap () returned 0x4c0000 [0113.538] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0113.538] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7f598c40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7f598c40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x3a6374a0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x28, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0113.538] lstrcmpiW (lpString1="settings.dat", lpString2="Windows") returned -1 [0113.538] lstrcmpiW (lpString1="settings.dat", lpString2="Program Files") returned 1 [0113.538] lstrcmpiW (lpString1="settings.dat", lpString2="Program Files (x86)") returned 1 [0113.538] lstrcmpiW (lpString1="settings.dat", lpString2="$Recycle.bin") returned 1 [0113.538] lstrcmpiW (lpString1="settings.dat", lpString2="System Volume Information") returned -1 [0113.538] lstrcmpiW (lpString1="settings.dat", lpString2=".") returned 1 [0113.538] lstrcmpiW (lpString1="settings.dat", lpString2="..") returned 1 [0113.538] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\settings.dat") returned 93 [0113.538] lstrcmpW (lpString1="settings.dat", lpString2="PUSSY.TXT") returned 1 [0113.539] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0113.539] lstrlenW (lpString=".dat") returned 4 [0113.539] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0113.539] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\settings.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\crashpad\\settings.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0113.539] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=40) returned 1 [0113.539] CloseHandle (hObject=0x1b0) returned 1 [0113.539] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7f598c40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7f598c40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x3a6374a0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x28, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="settings.dat", cAlternateFileName="")) returned 0 [0113.539] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0113.539] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\PUSSY.TXT") returned 90 [0113.539] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\crashpad\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0113.540] lstrlenA (lpString="abcd") returned 4 [0113.540] WriteFile (in: hFile=0x1a8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0113.541] CloseHandle (hObject=0x1a8) returned 1 [0113.543] GetProcessHeap () returned 0x4c0000 [0113.543] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0113.545] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7f846500, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x9c4887c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x9c4887c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c15f66e, cFileName="Default", cAlternateFileName="")) returned 1 [0113.545] lstrcmpiW (lpString1="Default", lpString2="Windows") returned -1 [0113.545] lstrcmpiW (lpString1="Default", lpString2="Program Files") returned -1 [0113.545] lstrcmpiW (lpString1="Default", lpString2="Program Files (x86)") returned -1 [0113.545] lstrcmpiW (lpString1="Default", lpString2="$Recycle.bin") returned 1 [0113.545] lstrcmpiW (lpString1="Default", lpString2="System Volume Information") returned -1 [0113.545] lstrcmpiW (lpString1="Default", lpString2=".") returned 1 [0113.546] lstrcmpiW (lpString1="Default", lpString2="..") returned 1 [0113.546] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 79 [0113.546] GetProcessHeap () returned 0x4c0000 [0113.546] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0113.547] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default" [0113.547] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\*" [0113.547] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7f846500, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x9c4887c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x9c4887c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0113.564] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0113.564] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0113.564] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0113.564] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0113.564] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0113.564] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0113.564] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7f846500, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x9c4887c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x9c4887c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="..", cAlternateFileName="")) returned 1 [0113.566] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0113.566] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0113.566] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0113.566] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0113.566] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0113.566] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0113.566] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0113.566] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x805aa0c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x805aa0c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x805aa0c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="Cache", cAlternateFileName="")) returned 1 [0113.566] lstrcmpiW (lpString1="Cache", lpString2="Windows") returned -1 [0113.566] lstrcmpiW (lpString1="Cache", lpString2="Program Files") returned -1 [0113.566] lstrcmpiW (lpString1="Cache", lpString2="Program Files (x86)") returned -1 [0113.566] lstrcmpiW (lpString1="Cache", lpString2="$Recycle.bin") returned 1 [0113.566] lstrcmpiW (lpString1="Cache", lpString2="System Volume Information") returned -1 [0113.567] lstrcmpiW (lpString1="Cache", lpString2=".") returned 1 [0113.567] lstrcmpiW (lpString1="Cache", lpString2="..") returned 1 [0113.567] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache") returned 85 [0113.567] GetProcessHeap () returned 0x4c0000 [0113.567] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0113.568] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache" [0113.568] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\*" [0113.568] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x805aa0c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x805aa0c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x805aa0c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0113.569] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0113.569] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0113.569] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0113.569] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0113.569] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0113.569] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0113.569] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x805aa0c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x805aa0c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x805aa0c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0113.569] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0113.569] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0113.569] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0113.570] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0113.570] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0113.570] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0113.570] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0113.570] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x805aa0c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x805aa0c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x9c0e3de0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb000, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="data_0", cAlternateFileName="")) returned 1 [0113.570] lstrcmpiW (lpString1="data_0", lpString2="Windows") returned -1 [0113.570] lstrcmpiW (lpString1="data_0", lpString2="Program Files") returned -1 [0113.570] lstrcmpiW (lpString1="data_0", lpString2="Program Files (x86)") returned -1 [0113.570] lstrcmpiW (lpString1="data_0", lpString2="$Recycle.bin") returned 1 [0113.570] lstrcmpiW (lpString1="data_0", lpString2="System Volume Information") returned -1 [0113.570] lstrcmpiW (lpString1="data_0", lpString2=".") returned 1 [0113.570] lstrcmpiW (lpString1="data_0", lpString2="..") returned 1 [0113.570] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_0") returned 92 [0113.570] lstrcmpW (lpString1="data_0", lpString2="PUSSY.TXT") returned -1 [0113.570] PathFindExtensionW (pszPath="data_0") returned="" [0113.570] lstrlenW (lpString="") returned 0 [0113.570] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0113.570] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_0" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_0"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0113.571] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=45056) returned 1 [0113.571] GetProcessHeap () returned 0x4c0000 [0113.571] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x53caf0 [0113.586] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="FD") returned 2 [0113.586] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="CD") returned 2 [0113.586] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="EA") returned 2 [0113.586] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="98") returned 2 [0113.586] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="DE") returned 2 [0113.586] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="18") returned 2 [0113.587] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="94") returned 2 [0113.587] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="65") returned 2 [0113.587] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="C2") returned 2 [0113.587] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="CF") returned 2 [0113.587] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="0A") returned 2 [0113.587] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="C1") returned 2 [0113.587] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="C7") returned 2 [0113.587] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="74") returned 2 [0113.587] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="1B") returned 2 [0113.587] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="1D") returned 2 [0113.587] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="F3") returned 2 [0113.587] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="51") returned 2 [0113.587] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="AB") returned 2 [0113.587] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="ED") returned 2 [0113.587] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="33") returned 2 [0113.587] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="05") returned 2 [0113.587] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="D1") returned 2 [0113.587] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="0A") returned 2 [0113.587] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="C9") returned 2 [0113.587] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="62") returned 2 [0113.587] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="EB") returned 2 [0113.587] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="94") returned 2 [0113.587] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="49") returned 2 [0113.587] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="0F") returned 2 [0113.587] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="69") returned 2 [0113.587] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="7C") returned 2 [0113.600] lstrcpyW (in: lpString1=0x54cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_0" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_0") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_0" [0113.600] lstrcpyW (in: lpString1=0x53cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_0" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_0") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_0" [0113.600] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_0", lpString2=".FDCDEA98DE189465C2CF0AC1C7741B1DF351ABED3305D10AC962EB94490F697C" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_0.FDCDEA98DE189465C2CF0AC1C7741B1DF351ABED3305D10AC962EB94490F697C") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_0.FDCDEA98DE189465C2CF0AC1C7741B1DF351ABED3305D10AC962EB94490F697C" [0113.600] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x53caf0, NumberOfConcurrentThreads=0x0) returned 0x94 [0113.600] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x53caf0, lpOverlapped=0x53caf0) returned 1 [0113.600] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x805aa0c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x805aa0c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x9c0e3de0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x42000, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="data_1", cAlternateFileName="")) returned 1 [0113.600] lstrcmpiW (lpString1="data_1", lpString2="Windows") returned -1 [0113.600] lstrcmpiW (lpString1="data_1", lpString2="Program Files") returned -1 [0113.600] lstrcmpiW (lpString1="data_1", lpString2="Program Files (x86)") returned -1 [0113.600] lstrcmpiW (lpString1="data_1", lpString2="$Recycle.bin") returned 1 [0113.600] lstrcmpiW (lpString1="data_1", lpString2="System Volume Information") returned -1 [0113.600] lstrcmpiW (lpString1="data_1", lpString2=".") returned 1 [0113.600] lstrcmpiW (lpString1="data_1", lpString2="..") returned 1 [0113.600] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_1") returned 92 [0113.600] lstrcmpW (lpString1="data_1", lpString2="PUSSY.TXT") returned -1 [0113.600] PathFindExtensionW (pszPath="data_1") returned="" [0113.600] lstrlenW (lpString="") returned 0 [0113.600] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0113.600] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0113.601] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=270336) returned 1 [0113.601] GetProcessHeap () returned 0x4c0000 [0113.601] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x564b40 [0113.675] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="D4") returned 2 [0113.675] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="23") returned 2 [0113.675] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="AA") returned 2 [0113.675] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="6E") returned 2 [0113.675] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="52") returned 2 [0113.675] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="EA") returned 2 [0113.675] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="E6") returned 2 [0113.675] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="7F") returned 2 [0113.675] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="76") returned 2 [0113.675] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="6F") returned 2 [0113.676] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="77") returned 2 [0113.676] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="6E") returned 2 [0113.676] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="78") returned 2 [0113.676] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="F6") returned 2 [0113.676] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="F3") returned 2 [0113.676] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="40") returned 2 [0113.676] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="F7") returned 2 [0113.676] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="33") returned 2 [0113.676] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="1F") returned 2 [0113.676] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="BF") returned 2 [0113.676] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="79") returned 2 [0113.676] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="15") returned 2 [0113.676] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="FC") returned 2 [0113.676] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="0A") returned 2 [0113.676] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="94") returned 2 [0113.676] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="8E") returned 2 [0113.676] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="C0") returned 2 [0113.676] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="C6") returned 2 [0113.676] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="33") returned 2 [0113.676] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="2E") returned 2 [0113.676] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="EC") returned 2 [0113.676] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="1C") returned 2 [0113.688] lstrcpyW (in: lpString1=0x574b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_1" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_1") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_1" [0113.688] lstrcpyW (in: lpString1=0x564b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_1" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_1") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_1" [0113.688] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_1", lpString2=".D423AA6E52EAE67F766F776E78F6F340F7331FBF7915FC0A948EC0C6332EEC1C" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_1.D423AA6E52EAE67F766F776E78F6F340F7331FBF7915FC0A948EC0C6332EEC1C") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_1.D423AA6E52EAE67F766F776E78F6F340F7331FBF7915FC0A948EC0C6332EEC1C" [0113.688] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x564b40, NumberOfConcurrentThreads=0x0) returned 0x94 [0113.689] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x564b40, lpOverlapped=0x564b40) returned 1 [0113.689] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x805aa0c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x805aa0c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x805aa0c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="data_2", cAlternateFileName="")) returned 1 [0113.689] lstrcmpiW (lpString1="data_2", lpString2="Windows") returned -1 [0113.689] lstrcmpiW (lpString1="data_2", lpString2="Program Files") returned -1 [0113.689] lstrcmpiW (lpString1="data_2", lpString2="Program Files (x86)") returned -1 [0113.689] lstrcmpiW (lpString1="data_2", lpString2="$Recycle.bin") returned 1 [0113.738] lstrcmpiW (lpString1="data_2", lpString2="System Volume Information") returned -1 [0113.738] lstrcmpiW (lpString1="data_2", lpString2=".") returned 1 [0113.738] lstrcmpiW (lpString1="data_2", lpString2="..") returned 1 [0113.739] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_2") returned 92 [0113.739] lstrcmpW (lpString1="data_2", lpString2="PUSSY.TXT") returned -1 [0113.739] PathFindExtensionW (pszPath="data_2") returned="" [0113.739] lstrlenW (lpString="") returned 0 [0113.739] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0113.739] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_2" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_2"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0113.740] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=8192) returned 1 [0113.740] GetProcessHeap () returned 0x4c0000 [0113.740] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0113.754] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="A1") returned 2 [0113.754] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="4C") returned 2 [0113.754] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="11") returned 2 [0113.754] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="37") returned 2 [0113.754] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="DD") returned 2 [0113.754] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="47") returned 2 [0113.754] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="66") returned 2 [0113.754] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="68") returned 2 [0113.754] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="9D") returned 2 [0113.754] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="8B") returned 2 [0113.754] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="84") returned 2 [0113.754] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="42") returned 2 [0113.754] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="93") returned 2 [0113.754] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="89") returned 2 [0113.754] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="3D") returned 2 [0113.754] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="F1") returned 2 [0113.754] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="4D") returned 2 [0113.754] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="72") returned 2 [0113.755] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="23") returned 2 [0113.755] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="13") returned 2 [0113.755] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="12") returned 2 [0113.755] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="77") returned 2 [0113.755] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="67") returned 2 [0113.755] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="93") returned 2 [0113.755] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="61") returned 2 [0113.755] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="C7") returned 2 [0113.755] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="B4") returned 2 [0113.755] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="2B") returned 2 [0113.755] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="47") returned 2 [0113.755] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="FC") returned 2 [0113.755] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="CA") returned 2 [0113.755] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="76") returned 2 [0113.767] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_2" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_2") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_2" [0113.767] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_2" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_2") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_2" [0113.767] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_2", lpString2=".A14C1137DD4766689D8B844293893DF14D7223131277679361C7B42B47FCCA76" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_2.A14C1137DD4766689D8B844293893DF14D7223131277679361C7B42B47FCCA76") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_2.A14C1137DD4766689D8B844293893DF14D7223131277679361C7B42B47FCCA76" [0113.767] CreateIoCompletionPort (FileHandle=0x16c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0113.767] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0113.768] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x805aa0c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x805aa0c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x9c0e3de0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x402000, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="data_3", cAlternateFileName="")) returned 1 [0113.779] lstrcmpiW (lpString1="data_3", lpString2="Windows") returned -1 [0113.779] lstrcmpiW (lpString1="data_3", lpString2="Program Files") returned -1 [0113.779] lstrcmpiW (lpString1="data_3", lpString2="Program Files (x86)") returned -1 [0113.780] lstrcmpiW (lpString1="data_3", lpString2="$Recycle.bin") returned 1 [0113.780] lstrcmpiW (lpString1="data_3", lpString2="System Volume Information") returned -1 [0113.780] lstrcmpiW (lpString1="data_3", lpString2=".") returned 1 [0113.780] lstrcmpiW (lpString1="data_3", lpString2="..") returned 1 [0113.780] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_3") returned 92 [0113.780] lstrcmpW (lpString1="data_3", lpString2="PUSSY.TXT") returned -1 [0113.780] PathFindExtensionW (pszPath="data_3") returned="" [0113.780] lstrlenW (lpString="") returned 0 [0113.780] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0113.780] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0113.781] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=4202496) returned 1 [0113.781] GetProcessHeap () returned 0x4c0000 [0113.781] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x53caf0 [0113.795] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="3A") returned 2 [0113.795] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="04") returned 2 [0113.795] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="64") returned 2 [0113.795] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="32") returned 2 [0113.795] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="9B") returned 2 [0113.795] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="B2") returned 2 [0113.795] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="EA") returned 2 [0113.795] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="ED") returned 2 [0113.795] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="0B") returned 2 [0113.796] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="63") returned 2 [0113.796] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="3F") returned 2 [0113.796] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="A3") returned 2 [0113.796] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="D0") returned 2 [0113.796] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="5C") returned 2 [0113.796] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="90") returned 2 [0113.796] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="56") returned 2 [0113.796] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="57") returned 2 [0113.796] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="AC") returned 2 [0113.796] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="AE") returned 2 [0113.796] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="42") returned 2 [0113.796] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="33") returned 2 [0113.796] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="69") returned 2 [0113.796] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="DB") returned 2 [0113.796] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="A9") returned 2 [0113.796] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="B7") returned 2 [0113.796] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="73") returned 2 [0113.796] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="61") returned 2 [0113.796] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="B3") returned 2 [0113.796] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="48") returned 2 [0113.796] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="4E") returned 2 [0113.796] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="E2") returned 2 [0113.796] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="78") returned 2 [0113.825] lstrcpyW (in: lpString1=0x54cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_3" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_3" [0113.825] lstrcpyW (in: lpString1=0x53cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_3" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_3" [0113.825] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_3", lpString2=".3A0464329BB2EAED0B633FA3D05C905657ACAE423369DBA9B77361B3484EE278" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_3.3A0464329BB2EAED0B633FA3D05C905657ACAE423369DBA9B77361B3484EE278") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_3.3A0464329BB2EAED0B633FA3D05C905657ACAE423369DBA9B77361B3484EE278" [0113.825] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x53caf0, NumberOfConcurrentThreads=0x0) returned 0x94 [0113.825] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x53caf0, lpOverlapped=0x53caf0) returned 1 [0113.825] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x805aa0c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x805aa0c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x805aa0c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x80170, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="index", cAlternateFileName="")) returned 1 [0113.826] lstrcmpiW (lpString1="index", lpString2="Windows") returned -1 [0113.826] lstrcmpiW (lpString1="index", lpString2="Program Files") returned -1 [0113.826] lstrcmpiW (lpString1="index", lpString2="Program Files (x86)") returned -1 [0113.826] lstrcmpiW (lpString1="index", lpString2="$Recycle.bin") returned 1 [0113.826] lstrcmpiW (lpString1="index", lpString2="System Volume Information") returned -1 [0113.826] lstrcmpiW (lpString1="index", lpString2=".") returned 1 [0113.826] lstrcmpiW (lpString1="index", lpString2="..") returned 1 [0113.826] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\index") returned 91 [0113.826] lstrcmpW (lpString1="index", lpString2="PUSSY.TXT") returned -1 [0113.826] PathFindExtensionW (pszPath="index") returned="" [0113.826] lstrlenW (lpString="") returned 0 [0113.826] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0113.826] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\index" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\index"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0113.827] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=524656) returned 1 [0113.827] GetProcessHeap () returned 0x4c0000 [0113.827] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b380a0 [0113.842] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="6E") returned 2 [0113.842] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="51") returned 2 [0113.842] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="FC") returned 2 [0113.842] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="49") returned 2 [0113.842] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="79") returned 2 [0113.842] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="1A") returned 2 [0113.842] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="5C") returned 2 [0113.842] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="D6") returned 2 [0113.842] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="16") returned 2 [0113.842] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="C3") returned 2 [0113.842] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="BB") returned 2 [0113.842] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="BC") returned 2 [0113.842] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="34") returned 2 [0113.842] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="74") returned 2 [0113.842] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="EE") returned 2 [0113.842] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="59") returned 2 [0113.843] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="02") returned 2 [0113.843] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="C3") returned 2 [0113.843] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="C5") returned 2 [0113.843] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="E4") returned 2 [0113.843] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="45") returned 2 [0113.843] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="43") returned 2 [0113.843] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="30") returned 2 [0113.843] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="70") returned 2 [0113.843] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="87") returned 2 [0113.843] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="92") returned 2 [0113.843] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="C9") returned 2 [0113.843] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="D2") returned 2 [0113.843] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="E3") returned 2 [0113.843] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="06") returned 2 [0113.843] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="FB") returned 2 [0113.843] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="59") returned 2 [0113.863] lstrcpyW (in: lpString1=0x3b480d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\index" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\index") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\index" [0113.863] lstrcpyW (in: lpString1=0x3b380d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\index" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\index") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\index" [0113.863] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\index", lpString2=".6E51FC49791A5CD616C3BBBC3474EE5902C3C5E4454330708792C9D2E306FB59" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\index.6E51FC49791A5CD616C3BBBC3474EE5902C3C5E4454330708792C9D2E306FB59") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\index.6E51FC49791A5CD616C3BBBC3474EE5902C3C5E4454330708792C9D2E306FB59" [0113.863] CreateIoCompletionPort (FileHandle=0x1ac, ExistingCompletionPort=0x94, CompletionKey=0x3b380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0113.863] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b380a0, lpOverlapped=0x3b380a0) returned 1 [0113.864] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x805aa0c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x805aa0c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x805aa0c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x80170, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="index", cAlternateFileName="")) returned 0 [0113.864] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0113.864] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\PUSSY.TXT") returned 95 [0113.864] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0113.865] lstrlenA (lpString="abcd") returned 4 [0113.865] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0113.866] CloseHandle (hObject=0x1b0) returned 1 [0113.866] GetProcessHeap () returned 0x4c0000 [0113.866] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0113.870] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80d406e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x80d406e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x98d1e730, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x1c00, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="Cookies", cAlternateFileName="")) returned 1 [0113.870] lstrcmpiW (lpString1="Cookies", lpString2="Windows") returned -1 [0113.870] lstrcmpiW (lpString1="Cookies", lpString2="Program Files") returned -1 [0113.870] lstrcmpiW (lpString1="Cookies", lpString2="Program Files (x86)") returned -1 [0113.870] lstrcmpiW (lpString1="Cookies", lpString2="$Recycle.bin") returned 1 [0113.870] lstrcmpiW (lpString1="Cookies", lpString2="System Volume Information") returned -1 [0113.870] lstrcmpiW (lpString1="Cookies", lpString2=".") returned 1 [0113.870] lstrcmpiW (lpString1="Cookies", lpString2="..") returned 1 [0113.870] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies") returned 87 [0113.870] lstrcmpW (lpString1="Cookies", lpString2="PUSSY.TXT") returned -1 [0113.870] PathFindExtensionW (pszPath="Cookies") returned="" [0113.870] lstrlenW (lpString="") returned 0 [0113.870] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0113.870] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cookies"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0113.872] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=7168) returned 1 [0113.872] GetProcessHeap () returned 0x4c0000 [0113.872] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc80e0 [0113.886] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="1F") returned 2 [0113.886] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="01") returned 2 [0113.886] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="A3") returned 2 [0113.886] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="46") returned 2 [0113.886] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="09") returned 2 [0113.886] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="F7") returned 2 [0113.886] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="E5") returned 2 [0113.886] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="46") returned 2 [0113.887] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="C6") returned 2 [0113.887] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="61") returned 2 [0113.887] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="35") returned 2 [0113.887] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="97") returned 2 [0113.887] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="94") returned 2 [0113.887] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="53") returned 2 [0113.887] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="FF") returned 2 [0113.887] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="5A") returned 2 [0113.887] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="52") returned 2 [0113.887] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="0A") returned 2 [0113.887] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="09") returned 2 [0113.887] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="F8") returned 2 [0113.887] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="CC") returned 2 [0113.887] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="AD") returned 2 [0113.887] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="B0") returned 2 [0113.887] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="47") returned 2 [0113.887] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="60") returned 2 [0113.887] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="F1") returned 2 [0113.887] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="75") returned 2 [0113.887] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="39") returned 2 [0113.887] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="20") returned 2 [0113.887] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="95") returned 2 [0113.887] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="CC") returned 2 [0113.888] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="6F") returned 2 [0113.900] lstrcpyW (in: lpString1=0x3bd8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies" [0113.900] lstrcpyW (in: lpString1=0x3bc8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies" [0113.900] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies", lpString2=".1F01A34609F7E546C66135979453FF5A520A09F8CCADB04760F175392095CC6F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies.1F01A34609F7E546C66135979453FF5A520A09F8CCADB04760F175392095CC6F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies.1F01A34609F7E546C66135979453FF5A520A09F8CCADB04760F175392095CC6F" [0113.900] CreateIoCompletionPort (FileHandle=0x1b0, ExistingCompletionPort=0x94, CompletionKey=0x3bc80e0, NumberOfConcurrentThreads=0x0) returned 0x94 [0113.900] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc80e0, lpOverlapped=0x3bc80e0) returned 1 [0113.900] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80d66840, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x80d66840, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x98d44890, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="Cookies-journal", cAlternateFileName="COOKIE~1")) returned 1 [0113.900] lstrcmpiW (lpString1="Cookies-journal", lpString2="Windows") returned -1 [0113.901] lstrcmpiW (lpString1="Cookies-journal", lpString2="Program Files") returned -1 [0113.901] lstrcmpiW (lpString1="Cookies-journal", lpString2="Program Files (x86)") returned -1 [0113.901] lstrcmpiW (lpString1="Cookies-journal", lpString2="$Recycle.bin") returned 1 [0113.901] lstrcmpiW (lpString1="Cookies-journal", lpString2="System Volume Information") returned -1 [0113.901] lstrcmpiW (lpString1="Cookies-journal", lpString2=".") returned 1 [0113.901] lstrcmpiW (lpString1="Cookies-journal", lpString2="..") returned 1 [0113.901] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies-journal") returned 95 [0113.901] lstrcmpW (lpString1="Cookies-journal", lpString2="PUSSY.TXT") returned -1 [0113.901] PathFindExtensionW (pszPath="Cookies-journal") returned="" [0113.901] lstrlenW (lpString="") returned 0 [0113.901] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0113.901] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cookies-journal"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0113.902] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=0) returned 1 [0113.902] CloseHandle (hObject=0x194) returned 1 [0113.902] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x83b08a50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83b08a50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x9c0b57b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x1d6, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="Current Session", cAlternateFileName="CURREN~1")) returned 1 [0113.902] lstrcmpiW (lpString1="Current Session", lpString2="Windows") returned -1 [0113.902] lstrcmpiW (lpString1="Current Session", lpString2="Program Files") returned -1 [0113.902] lstrcmpiW (lpString1="Current Session", lpString2="Program Files (x86)") returned -1 [0113.902] lstrcmpiW (lpString1="Current Session", lpString2="$Recycle.bin") returned 1 [0113.902] lstrcmpiW (lpString1="Current Session", lpString2="System Volume Information") returned -1 [0113.902] lstrcmpiW (lpString1="Current Session", lpString2=".") returned 1 [0113.902] lstrcmpiW (lpString1="Current Session", lpString2="..") returned 1 [0113.902] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Current Session") returned 95 [0113.902] lstrcmpW (lpString1="Current Session", lpString2="PUSSY.TXT") returned -1 [0113.902] PathFindExtensionW (pszPath="Current Session") returned="" [0113.902] lstrlenW (lpString="") returned 0 [0113.902] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0113.902] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Current Session" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\current session"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0113.904] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=470) returned 1 [0113.904] CloseHandle (hObject=0x194) returned 1 [0113.905] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9c3b6860, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x9c3b6860, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x9c3b8f70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x126, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="Current Tabs", cAlternateFileName="CURREN~2")) returned 1 [0113.905] lstrcmpiW (lpString1="Current Tabs", lpString2="Windows") returned -1 [0113.905] lstrcmpiW (lpString1="Current Tabs", lpString2="Program Files") returned -1 [0113.905] lstrcmpiW (lpString1="Current Tabs", lpString2="Program Files (x86)") returned -1 [0113.905] lstrcmpiW (lpString1="Current Tabs", lpString2="$Recycle.bin") returned 1 [0113.905] lstrcmpiW (lpString1="Current Tabs", lpString2="System Volume Information") returned -1 [0113.905] lstrcmpiW (lpString1="Current Tabs", lpString2=".") returned 1 [0113.905] lstrcmpiW (lpString1="Current Tabs", lpString2="..") returned 1 [0113.905] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Current Tabs") returned 92 [0113.905] lstrcmpW (lpString1="Current Tabs", lpString2="PUSSY.TXT") returned -1 [0113.906] PathFindExtensionW (pszPath="Current Tabs") returned="" [0113.906] lstrlenW (lpString="") returned 0 [0113.906] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0113.906] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Current Tabs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\current tabs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0113.906] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=294) returned 1 [0113.906] CloseHandle (hObject=0x194) returned 1 [0113.906] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x802d66a0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x80916060, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x80916060, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="data_reduction_proxy_leveldb", cAlternateFileName="DATA_R~1")) returned 1 [0113.906] lstrcmpiW (lpString1="data_reduction_proxy_leveldb", lpString2="Windows") returned -1 [0113.906] lstrcmpiW (lpString1="data_reduction_proxy_leveldb", lpString2="Program Files") returned -1 [0113.906] lstrcmpiW (lpString1="data_reduction_proxy_leveldb", lpString2="Program Files (x86)") returned -1 [0113.906] lstrcmpiW (lpString1="data_reduction_proxy_leveldb", lpString2="$Recycle.bin") returned 1 [0113.906] lstrcmpiW (lpString1="data_reduction_proxy_leveldb", lpString2="System Volume Information") returned -1 [0113.907] lstrcmpiW (lpString1="data_reduction_proxy_leveldb", lpString2=".") returned 1 [0113.907] lstrcmpiW (lpString1="data_reduction_proxy_leveldb", lpString2="..") returned 1 [0113.907] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb") returned 108 [0113.907] GetProcessHeap () returned 0x4c0000 [0113.907] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0113.908] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb" [0113.908] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\*" [0113.908] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x802d66a0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x80916060, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x80916060, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0114.160] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.160] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.160] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.160] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.160] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.160] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.160] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x802d66a0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x80916060, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x80916060, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0114.160] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.160] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.161] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.161] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.161] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.161] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.161] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.161] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80916060, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x80916060, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x80916060, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="000003.log", cAlternateFileName="")) returned 1 [0114.161] lstrcmpiW (lpString1="000003.log", lpString2="Windows") returned -1 [0114.161] lstrcmpiW (lpString1="000003.log", lpString2="Program Files") returned -1 [0114.161] lstrcmpiW (lpString1="000003.log", lpString2="Program Files (x86)") returned -1 [0114.161] lstrcmpiW (lpString1="000003.log", lpString2="$Recycle.bin") returned 1 [0114.161] lstrcmpiW (lpString1="000003.log", lpString2="System Volume Information") returned -1 [0114.161] lstrcmpiW (lpString1="000003.log", lpString2=".") returned 1 [0114.161] lstrcmpiW (lpString1="000003.log", lpString2="..") returned 1 [0114.161] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\000003.log") returned 119 [0114.161] lstrcmpW (lpString1="000003.log", lpString2="PUSSY.TXT") returned -1 [0114.161] PathFindExtensionW (pszPath="000003.log") returned=".log" [0114.161] lstrlenW (lpString=".log") returned 4 [0114.161] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0114.161] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\000003.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\000003.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0114.162] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=0) returned 1 [0114.162] CloseHandle (hObject=0x1b0) returned 1 [0114.162] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x802d66a0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x802d66a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x804795c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x10, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="CURRENT", cAlternateFileName="")) returned 1 [0114.162] lstrcmpiW (lpString1="CURRENT", lpString2="Windows") returned -1 [0114.162] lstrcmpiW (lpString1="CURRENT", lpString2="Program Files") returned -1 [0114.162] lstrcmpiW (lpString1="CURRENT", lpString2="Program Files (x86)") returned -1 [0114.162] lstrcmpiW (lpString1="CURRENT", lpString2="$Recycle.bin") returned 1 [0114.162] lstrcmpiW (lpString1="CURRENT", lpString2="System Volume Information") returned -1 [0114.162] lstrcmpiW (lpString1="CURRENT", lpString2=".") returned 1 [0114.162] lstrcmpiW (lpString1="CURRENT", lpString2="..") returned 1 [0114.162] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\CURRENT") returned 116 [0114.162] lstrcmpW (lpString1="CURRENT", lpString2="PUSSY.TXT") returned -1 [0114.162] PathFindExtensionW (pszPath="CURRENT") returned="" [0114.162] lstrlenW (lpString="") returned 0 [0114.162] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0114.162] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\CURRENT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\current"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0114.165] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=16) returned 1 [0114.165] CloseHandle (hObject=0x1b0) returned 1 [0114.165] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x802d66a0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x802d66a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x802d66a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="LOCK", cAlternateFileName="")) returned 1 [0114.165] lstrcmpiW (lpString1="LOCK", lpString2="Windows") returned -1 [0114.165] lstrcmpiW (lpString1="LOCK", lpString2="Program Files") returned -1 [0114.165] lstrcmpiW (lpString1="LOCK", lpString2="Program Files (x86)") returned -1 [0114.165] lstrcmpiW (lpString1="LOCK", lpString2="$Recycle.bin") returned 1 [0114.165] lstrcmpiW (lpString1="LOCK", lpString2="System Volume Information") returned -1 [0114.165] lstrcmpiW (lpString1="LOCK", lpString2=".") returned 1 [0114.165] lstrcmpiW (lpString1="LOCK", lpString2="..") returned 1 [0114.165] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\LOCK") returned 113 [0114.165] lstrcmpW (lpString1="LOCK", lpString2="PUSSY.TXT") returned -1 [0114.165] PathFindExtensionW (pszPath="LOCK") returned="" [0114.165] lstrlenW (lpString="") returned 0 [0114.165] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0114.166] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\LOCK" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0114.166] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=0) returned 1 [0114.166] CloseHandle (hObject=0x1b0) returned 1 [0114.166] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x802d66a0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x802d66a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x9ab9e110, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xa7, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="LOG", cAlternateFileName="")) returned 1 [0114.166] lstrcmpiW (lpString1="LOG", lpString2="Windows") returned -1 [0114.166] lstrcmpiW (lpString1="LOG", lpString2="Program Files") returned -1 [0114.166] lstrcmpiW (lpString1="LOG", lpString2="Program Files (x86)") returned -1 [0114.166] lstrcmpiW (lpString1="LOG", lpString2="$Recycle.bin") returned 1 [0114.166] lstrcmpiW (lpString1="LOG", lpString2="System Volume Information") returned -1 [0114.166] lstrcmpiW (lpString1="LOG", lpString2=".") returned 1 [0114.166] lstrcmpiW (lpString1="LOG", lpString2="..") returned 1 [0114.166] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\LOG") returned 112 [0114.166] lstrcmpW (lpString1="LOG", lpString2="PUSSY.TXT") returned -1 [0114.166] PathFindExtensionW (pszPath="LOG") returned="" [0114.166] lstrlenW (lpString="") returned 0 [0114.166] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0114.167] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\LOG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0114.167] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=167) returned 1 [0114.167] CloseHandle (hObject=0x1b0) returned 1 [0114.167] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x802d66a0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x802d66a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x802d66a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x29, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MANIFEST-000001", cAlternateFileName="MANIFE~1")) returned 1 [0114.167] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="Windows") returned -1 [0114.167] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="Program Files") returned -1 [0114.167] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="Program Files (x86)") returned -1 [0114.167] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="$Recycle.bin") returned 1 [0114.167] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="System Volume Information") returned -1 [0114.167] lstrcmpiW (lpString1="MANIFEST-000001", lpString2=".") returned 1 [0114.167] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="..") returned 1 [0114.167] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\MANIFEST-000001") returned 124 [0114.167] lstrcmpW (lpString1="MANIFEST-000001", lpString2="PUSSY.TXT") returned -1 [0114.167] PathFindExtensionW (pszPath="MANIFEST-000001") returned="" [0114.167] lstrlenW (lpString="") returned 0 [0114.167] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0114.168] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\MANIFEST-000001" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\manifest-000001"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0114.168] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=41) returned 1 [0114.168] CloseHandle (hObject=0x1b0) returned 1 [0114.168] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x802d66a0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x802d66a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x802d66a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x29, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MANIFEST-000001", cAlternateFileName="MANIFE~1")) returned 0 [0114.168] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0114.168] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\PUSSY.TXT") returned 118 [0114.168] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0114.169] lstrlenA (lpString="abcd") returned 4 [0114.169] WriteFile (in: hFile=0x194, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0114.170] CloseHandle (hObject=0x194) returned 1 [0114.170] GetProcessHeap () returned 0x4c0000 [0114.170] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0114.172] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82ad9940, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82bed750, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82bed750, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="Extension Rules", cAlternateFileName="EXTENS~3")) returned 1 [0114.172] lstrcmpiW (lpString1="Extension Rules", lpString2="Windows") returned -1 [0114.172] lstrcmpiW (lpString1="Extension Rules", lpString2="Program Files") returned -1 [0114.172] lstrcmpiW (lpString1="Extension Rules", lpString2="Program Files (x86)") returned -1 [0114.172] lstrcmpiW (lpString1="Extension Rules", lpString2="$Recycle.bin") returned 1 [0114.172] lstrcmpiW (lpString1="Extension Rules", lpString2="System Volume Information") returned -1 [0114.172] lstrcmpiW (lpString1="Extension Rules", lpString2=".") returned 1 [0114.172] lstrcmpiW (lpString1="Extension Rules", lpString2="..") returned 1 [0114.172] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules") returned 95 [0114.173] GetProcessHeap () returned 0x4c0000 [0114.173] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0114.174] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules" [0114.174] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\*" [0114.174] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82ad9940, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82bed750, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82bed750, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0114.180] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.180] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.180] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.180] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.180] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.180] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.180] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82ad9940, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82bed750, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82bed750, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0114.181] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.181] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.181] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.181] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.181] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.181] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.181] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.181] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82bed750, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82bed750, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8dae37f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x156, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="000003.log", cAlternateFileName="")) returned 1 [0114.181] lstrcmpiW (lpString1="000003.log", lpString2="Windows") returned -1 [0114.181] lstrcmpiW (lpString1="000003.log", lpString2="Program Files") returned -1 [0114.181] lstrcmpiW (lpString1="000003.log", lpString2="Program Files (x86)") returned -1 [0114.181] lstrcmpiW (lpString1="000003.log", lpString2="$Recycle.bin") returned 1 [0114.181] lstrcmpiW (lpString1="000003.log", lpString2="System Volume Information") returned -1 [0114.181] lstrcmpiW (lpString1="000003.log", lpString2=".") returned 1 [0114.181] lstrcmpiW (lpString1="000003.log", lpString2="..") returned 1 [0114.181] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\000003.log") returned 106 [0114.181] lstrcmpW (lpString1="000003.log", lpString2="PUSSY.TXT") returned -1 [0114.181] PathFindExtensionW (pszPath="000003.log") returned=".log" [0114.181] lstrlenW (lpString=".log") returned 4 [0114.181] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0114.182] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\000003.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\000003.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0114.183] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=342) returned 1 [0114.183] CloseHandle (hObject=0x178) returned 1 [0114.183] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82adc050, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82adc050, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82adc050, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x10, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="CURRENT", cAlternateFileName="")) returned 1 [0114.183] lstrcmpiW (lpString1="CURRENT", lpString2="Windows") returned -1 [0114.183] lstrcmpiW (lpString1="CURRENT", lpString2="Program Files") returned -1 [0114.183] lstrcmpiW (lpString1="CURRENT", lpString2="Program Files (x86)") returned -1 [0114.183] lstrcmpiW (lpString1="CURRENT", lpString2="$Recycle.bin") returned 1 [0114.183] lstrcmpiW (lpString1="CURRENT", lpString2="System Volume Information") returned -1 [0114.183] lstrcmpiW (lpString1="CURRENT", lpString2=".") returned 1 [0114.183] lstrcmpiW (lpString1="CURRENT", lpString2="..") returned 1 [0114.183] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\CURRENT") returned 103 [0114.183] lstrcmpW (lpString1="CURRENT", lpString2="PUSSY.TXT") returned -1 [0114.183] PathFindExtensionW (pszPath="CURRENT") returned="" [0114.183] lstrlenW (lpString="") returned 0 [0114.183] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0114.183] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\CURRENT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\current"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0114.184] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=16) returned 1 [0114.184] CloseHandle (hObject=0x178) returned 1 [0114.184] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82ad9940, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82ad9940, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ad9940, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="LOCK", cAlternateFileName="")) returned 1 [0114.184] lstrcmpiW (lpString1="LOCK", lpString2="Windows") returned -1 [0114.184] lstrcmpiW (lpString1="LOCK", lpString2="Program Files") returned -1 [0114.184] lstrcmpiW (lpString1="LOCK", lpString2="Program Files (x86)") returned -1 [0114.184] lstrcmpiW (lpString1="LOCK", lpString2="$Recycle.bin") returned 1 [0114.184] lstrcmpiW (lpString1="LOCK", lpString2="System Volume Information") returned -1 [0114.184] lstrcmpiW (lpString1="LOCK", lpString2=".") returned 1 [0114.184] lstrcmpiW (lpString1="LOCK", lpString2="..") returned 1 [0114.184] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\LOCK") returned 100 [0114.184] lstrcmpW (lpString1="LOCK", lpString2="PUSSY.TXT") returned -1 [0114.184] PathFindExtensionW (pszPath="LOCK") returned="" [0114.184] lstrlenW (lpString="") returned 0 [0114.184] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0114.184] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\LOCK" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0114.186] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=0) returned 1 [0114.186] CloseHandle (hObject=0x178) returned 1 [0114.186] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82ad9940, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82ad9940, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8dae37f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x9a, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="LOG", cAlternateFileName="")) returned 1 [0114.186] lstrcmpiW (lpString1="LOG", lpString2="Windows") returned -1 [0114.186] lstrcmpiW (lpString1="LOG", lpString2="Program Files") returned -1 [0114.186] lstrcmpiW (lpString1="LOG", lpString2="Program Files (x86)") returned -1 [0114.186] lstrcmpiW (lpString1="LOG", lpString2="$Recycle.bin") returned 1 [0114.186] lstrcmpiW (lpString1="LOG", lpString2="System Volume Information") returned -1 [0114.186] lstrcmpiW (lpString1="LOG", lpString2=".") returned 1 [0114.186] lstrcmpiW (lpString1="LOG", lpString2="..") returned 1 [0114.186] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\LOG") returned 99 [0114.186] lstrcmpW (lpString1="LOG", lpString2="PUSSY.TXT") returned -1 [0114.186] PathFindExtensionW (pszPath="LOG") returned="" [0114.186] lstrlenW (lpString="") returned 0 [0114.186] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0114.186] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\LOG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0114.187] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=154) returned 1 [0114.187] CloseHandle (hObject=0x178) returned 1 [0114.187] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82ad9940, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82ad9940, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82adc050, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x29, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MANIFEST-000001", cAlternateFileName="MANIFE~1")) returned 1 [0114.187] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="Windows") returned -1 [0114.187] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="Program Files") returned -1 [0114.187] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="Program Files (x86)") returned -1 [0114.187] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="$Recycle.bin") returned 1 [0114.188] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="System Volume Information") returned -1 [0114.188] lstrcmpiW (lpString1="MANIFEST-000001", lpString2=".") returned 1 [0114.188] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="..") returned 1 [0114.188] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\MANIFEST-000001") returned 111 [0114.188] lstrcmpW (lpString1="MANIFEST-000001", lpString2="PUSSY.TXT") returned -1 [0114.188] PathFindExtensionW (pszPath="MANIFEST-000001") returned="" [0114.188] lstrlenW (lpString="") returned 0 [0114.188] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0114.188] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\MANIFEST-000001" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\manifest-000001"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0114.188] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=41) returned 1 [0114.188] CloseHandle (hObject=0x178) returned 1 [0114.188] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82ad9940, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82ad9940, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82adc050, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x29, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MANIFEST-000001", cAlternateFileName="MANIFE~1")) returned 0 [0114.188] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0114.188] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\PUSSY.TXT") returned 105 [0114.188] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0114.189] lstrlenA (lpString="abcd") returned 4 [0114.189] WriteFile (in: hFile=0x194, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0114.190] CloseHandle (hObject=0x194) returned 1 [0114.190] GetProcessHeap () returned 0x4c0000 [0114.190] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0114.193] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x824ad030, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82556720, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82556720, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="Extension State", cAlternateFileName="EXTENS~2")) returned 1 [0114.193] lstrcmpiW (lpString1="Extension State", lpString2="Windows") returned -1 [0114.193] lstrcmpiW (lpString1="Extension State", lpString2="Program Files") returned -1 [0114.193] lstrcmpiW (lpString1="Extension State", lpString2="Program Files (x86)") returned -1 [0114.193] lstrcmpiW (lpString1="Extension State", lpString2="$Recycle.bin") returned 1 [0114.193] lstrcmpiW (lpString1="Extension State", lpString2="System Volume Information") returned -1 [0114.193] lstrcmpiW (lpString1="Extension State", lpString2=".") returned 1 [0114.193] lstrcmpiW (lpString1="Extension State", lpString2="..") returned 1 [0114.193] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State") returned 95 [0114.193] GetProcessHeap () returned 0x4c0000 [0114.193] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0114.194] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State" [0114.194] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\*" [0114.194] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x824ad030, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82556720, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82556720, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0114.197] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.197] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.197] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.197] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.197] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.197] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.197] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x824ad030, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82556720, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82556720, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0114.198] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.198] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.198] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.198] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.198] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.198] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.198] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.198] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82556720, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82556720, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8c6f3fb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x4ad, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="000003.log", cAlternateFileName="")) returned 1 [0114.198] lstrcmpiW (lpString1="000003.log", lpString2="Windows") returned -1 [0114.198] lstrcmpiW (lpString1="000003.log", lpString2="Program Files") returned -1 [0114.198] lstrcmpiW (lpString1="000003.log", lpString2="Program Files (x86)") returned -1 [0114.198] lstrcmpiW (lpString1="000003.log", lpString2="$Recycle.bin") returned 1 [0114.198] lstrcmpiW (lpString1="000003.log", lpString2="System Volume Information") returned -1 [0114.198] lstrcmpiW (lpString1="000003.log", lpString2=".") returned 1 [0114.198] lstrcmpiW (lpString1="000003.log", lpString2="..") returned 1 [0114.198] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\000003.log") returned 106 [0114.198] lstrcmpW (lpString1="000003.log", lpString2="PUSSY.TXT") returned -1 [0114.198] PathFindExtensionW (pszPath="000003.log") returned=".log" [0114.198] lstrlenW (lpString=".log") returned 4 [0114.198] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0114.198] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\000003.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\000003.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0114.199] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=1197) returned 1 [0114.199] GetProcessHeap () returned 0x4c0000 [0114.199] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3ca0008 [0114.213] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="D4") returned 2 [0114.213] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="9B") returned 2 [0114.213] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="7D") returned 2 [0114.213] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="A6") returned 2 [0114.213] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="CE") returned 2 [0114.213] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="DF") returned 2 [0114.213] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="63") returned 2 [0114.213] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="EF") returned 2 [0114.213] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="26") returned 2 [0114.213] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="F0") returned 2 [0114.213] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="82") returned 2 [0114.213] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="6E") returned 2 [0114.213] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="00") returned 2 [0114.213] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="33") returned 2 [0114.213] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="61") returned 2 [0114.213] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="B6") returned 2 [0114.213] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="D3") returned 2 [0114.213] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="78") returned 2 [0114.213] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="CA") returned 2 [0114.213] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="ED") returned 2 [0114.213] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="C8") returned 2 [0114.213] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="DC") returned 2 [0114.213] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="BE") returned 2 [0114.213] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="09") returned 2 [0114.213] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="B5") returned 2 [0114.214] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="A5") returned 2 [0114.214] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="AE") returned 2 [0114.214] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="E8") returned 2 [0114.214] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="EC") returned 2 [0114.214] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="7E") returned 2 [0114.214] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="EB") returned 2 [0114.214] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="65") returned 2 [0114.242] lstrcpyW (in: lpString1=0x3cb003c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\000003.log" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\000003.log") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\000003.log" [0114.242] lstrcpyW (in: lpString1=0x3ca003c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\000003.log" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\000003.log") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\000003.log" [0114.242] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\000003.log", lpString2=".D49B7DA6CEDF63EF26F0826E003361B6D378CAEDC8DCBE09B5A5AEE8EC7EEB65" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\000003.log.D49B7DA6CEDF63EF26F0826E003361B6D378CAEDC8DCBE09B5A5AEE8EC7EEB65") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\000003.log.D49B7DA6CEDF63EF26F0826E003361B6D378CAEDC8DCBE09B5A5AEE8EC7EEB65" [0114.242] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x3ca0008, NumberOfConcurrentThreads=0x0) returned 0x94 [0114.242] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3ca0008, lpOverlapped=0x3ca0008) returned 1 [0114.243] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x824ad030, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x824ad030, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x824d3190, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x10, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="CURRENT", cAlternateFileName="")) returned 1 [0114.243] lstrcmpiW (lpString1="CURRENT", lpString2="Windows") returned -1 [0114.243] lstrcmpiW (lpString1="CURRENT", lpString2="Program Files") returned -1 [0114.243] lstrcmpiW (lpString1="CURRENT", lpString2="Program Files (x86)") returned -1 [0114.243] lstrcmpiW (lpString1="CURRENT", lpString2="$Recycle.bin") returned 1 [0114.243] lstrcmpiW (lpString1="CURRENT", lpString2="System Volume Information") returned -1 [0114.243] lstrcmpiW (lpString1="CURRENT", lpString2=".") returned 1 [0114.243] lstrcmpiW (lpString1="CURRENT", lpString2="..") returned 1 [0114.243] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\CURRENT") returned 103 [0114.243] lstrcmpW (lpString1="CURRENT", lpString2="PUSSY.TXT") returned -1 [0114.243] PathFindExtensionW (pszPath="CURRENT") returned="" [0114.243] lstrlenW (lpString="") returned 0 [0114.243] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0114.243] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\CURRENT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\current"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0114.244] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=16) returned 1 [0114.244] CloseHandle (hObject=0x1b0) returned 1 [0114.244] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x824ad030, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x824ad030, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x824ad030, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="LOCK", cAlternateFileName="")) returned 1 [0114.244] lstrcmpiW (lpString1="LOCK", lpString2="Windows") returned -1 [0114.244] lstrcmpiW (lpString1="LOCK", lpString2="Program Files") returned -1 [0114.244] lstrcmpiW (lpString1="LOCK", lpString2="Program Files (x86)") returned -1 [0114.244] lstrcmpiW (lpString1="LOCK", lpString2="$Recycle.bin") returned 1 [0114.244] lstrcmpiW (lpString1="LOCK", lpString2="System Volume Information") returned -1 [0114.244] lstrcmpiW (lpString1="LOCK", lpString2=".") returned 1 [0114.244] lstrcmpiW (lpString1="LOCK", lpString2="..") returned 1 [0114.244] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\LOCK") returned 100 [0114.244] lstrcmpW (lpString1="LOCK", lpString2="PUSSY.TXT") returned -1 [0114.244] PathFindExtensionW (pszPath="LOCK") returned="" [0114.244] lstrlenW (lpString="") returned 0 [0114.245] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0114.245] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\LOCK" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0114.245] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=0) returned 1 [0114.245] CloseHandle (hObject=0x1b0) returned 1 [0114.245] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x824ad030, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x824ad030, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8c6f3fb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x9a, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="LOG", cAlternateFileName="")) returned 1 [0114.245] lstrcmpiW (lpString1="LOG", lpString2="Windows") returned -1 [0114.245] lstrcmpiW (lpString1="LOG", lpString2="Program Files") returned -1 [0114.245] lstrcmpiW (lpString1="LOG", lpString2="Program Files (x86)") returned -1 [0114.245] lstrcmpiW (lpString1="LOG", lpString2="$Recycle.bin") returned 1 [0114.245] lstrcmpiW (lpString1="LOG", lpString2="System Volume Information") returned -1 [0114.245] lstrcmpiW (lpString1="LOG", lpString2=".") returned 1 [0114.245] lstrcmpiW (lpString1="LOG", lpString2="..") returned 1 [0114.245] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\LOG") returned 99 [0114.245] lstrcmpW (lpString1="LOG", lpString2="PUSSY.TXT") returned -1 [0114.249] PathFindExtensionW (pszPath="LOG") returned="" [0114.249] lstrlenW (lpString="") returned 0 [0114.249] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0114.249] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\LOG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0114.249] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=154) returned 1 [0114.249] CloseHandle (hObject=0x16c) returned 1 [0114.249] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x824ad030, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x824ad030, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x824ad030, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x29, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MANIFEST-000001", cAlternateFileName="MANIFE~1")) returned 1 [0114.249] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="Windows") returned -1 [0114.249] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="Program Files") returned -1 [0114.249] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="Program Files (x86)") returned -1 [0114.250] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="$Recycle.bin") returned 1 [0114.250] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="System Volume Information") returned -1 [0114.250] lstrcmpiW (lpString1="MANIFEST-000001", lpString2=".") returned 1 [0114.250] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="..") returned 1 [0114.250] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\MANIFEST-000001") returned 111 [0114.250] lstrcmpW (lpString1="MANIFEST-000001", lpString2="PUSSY.TXT") returned -1 [0114.250] PathFindExtensionW (pszPath="MANIFEST-000001") returned="" [0114.250] lstrlenW (lpString="") returned 0 [0114.250] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0114.250] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\MANIFEST-000001" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\manifest-000001"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0114.250] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=41) returned 1 [0114.250] CloseHandle (hObject=0x16c) returned 1 [0114.250] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x824ad030, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x824ad030, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x824ad030, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x29, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MANIFEST-000001", cAlternateFileName="MANIFE~1")) returned 0 [0114.250] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0114.251] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\PUSSY.TXT") returned 105 [0114.251] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0114.251] lstrlenA (lpString="abcd") returned 4 [0114.251] WriteFile (in: hFile=0x194, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0114.252] CloseHandle (hObject=0x194) returned 1 [0114.253] GetProcessHeap () returned 0x4c0000 [0114.253] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0114.255] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x80d1a580, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x9174a630, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x9174a630, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="Extensions", cAlternateFileName="EXTENS~1")) returned 1 [0114.255] lstrcmpiW (lpString1="Extensions", lpString2="Windows") returned -1 [0114.255] lstrcmpiW (lpString1="Extensions", lpString2="Program Files") returned -1 [0114.255] lstrcmpiW (lpString1="Extensions", lpString2="Program Files (x86)") returned -1 [0114.255] lstrcmpiW (lpString1="Extensions", lpString2="$Recycle.bin") returned 1 [0114.255] lstrcmpiW (lpString1="Extensions", lpString2="System Volume Information") returned -1 [0114.255] lstrcmpiW (lpString1="Extensions", lpString2=".") returned 1 [0114.256] lstrcmpiW (lpString1="Extensions", lpString2="..") returned 1 [0114.256] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions") returned 90 [0114.256] GetProcessHeap () returned 0x4c0000 [0114.256] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0114.257] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions" [0114.257] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\*" [0114.257] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x80d1a580, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x9174a630, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x9174a630, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0114.370] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.370] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.370] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.371] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.371] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.371] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.371] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x80d1a580, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x9174a630, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x9174a630, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0114.371] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.371] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.371] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.371] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.371] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.371] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.371] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.371] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85cca3f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85cf0550, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cf0550, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="aapocclcgogkmnckokdopfmhonfmgoek", cAlternateFileName="AAPOCC~1")) returned 1 [0114.371] lstrcmpiW (lpString1="aapocclcgogkmnckokdopfmhonfmgoek", lpString2="Windows") returned -1 [0114.371] lstrcmpiW (lpString1="aapocclcgogkmnckokdopfmhonfmgoek", lpString2="Program Files") returned -1 [0114.371] lstrcmpiW (lpString1="aapocclcgogkmnckokdopfmhonfmgoek", lpString2="Program Files (x86)") returned -1 [0114.371] lstrcmpiW (lpString1="aapocclcgogkmnckokdopfmhonfmgoek", lpString2="$Recycle.bin") returned 1 [0114.371] lstrcmpiW (lpString1="aapocclcgogkmnckokdopfmhonfmgoek", lpString2="System Volume Information") returned -1 [0114.371] lstrcmpiW (lpString1="aapocclcgogkmnckokdopfmhonfmgoek", lpString2=".") returned 1 [0114.371] lstrcmpiW (lpString1="aapocclcgogkmnckokdopfmhonfmgoek", lpString2="..") returned 1 [0114.371] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek") returned 123 [0114.371] GetProcessHeap () returned 0x4c0000 [0114.371] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bd80e8 [0114.372] lstrcpyW (in: lpString1=0x3bd80e8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek" [0114.372] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\*" [0114.372] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\*", lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85cca3f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85cf0550, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cf0550, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0114.387] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.387] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.387] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.387] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.387] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.387] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.387] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85cca3f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85cf0550, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cf0550, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0114.387] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.387] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.387] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.387] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.387] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.387] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.387] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.387] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x857953d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85cca3f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="0.9_0", cAlternateFileName="")) returned 1 [0114.387] lstrcmpiW (lpString1="0.9_0", lpString2="Windows") returned -1 [0114.387] lstrcmpiW (lpString1="0.9_0", lpString2="Program Files") returned -1 [0114.388] lstrcmpiW (lpString1="0.9_0", lpString2="Program Files (x86)") returned -1 [0114.388] lstrcmpiW (lpString1="0.9_0", lpString2="$Recycle.bin") returned 1 [0114.388] lstrcmpiW (lpString1="0.9_0", lpString2="System Volume Information") returned -1 [0114.388] lstrcmpiW (lpString1="0.9_0", lpString2=".") returned 1 [0114.388] lstrcmpiW (lpString1="0.9_0", lpString2="..") returned 1 [0114.388] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0") returned 129 [0114.388] GetProcessHeap () returned 0x4c0000 [0114.388] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x502a88 [0114.389] lstrcpyW (in: lpString1=0x502a88, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0" [0114.389] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\*" [0114.389] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\*", lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x857953d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85cca3f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb71a0 [0114.391] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.391] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.391] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.391] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.391] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.391] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.391] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x857953d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85cca3f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0114.392] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.392] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.392] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.392] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.392] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.392] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.392] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.392] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85b4d630, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85cca3f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd2c, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="icon_128.png", cAlternateFileName="")) returned 1 [0114.392] lstrcmpiW (lpString1="icon_128.png", lpString2="Windows") returned -1 [0114.392] lstrcmpiW (lpString1="icon_128.png", lpString2="Program Files") returned -1 [0114.392] lstrcmpiW (lpString1="icon_128.png", lpString2="Program Files (x86)") returned -1 [0114.392] lstrcmpiW (lpString1="icon_128.png", lpString2="$Recycle.bin") returned 1 [0114.392] lstrcmpiW (lpString1="icon_128.png", lpString2="System Volume Information") returned -1 [0114.392] lstrcmpiW (lpString1="icon_128.png", lpString2=".") returned 1 [0114.392] lstrcmpiW (lpString1="icon_128.png", lpString2="..") returned 1 [0114.392] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png") returned 142 [0114.393] lstrcmpW (lpString1="icon_128.png", lpString2="PUSSY.TXT") returned -1 [0114.393] PathFindExtensionW (pszPath="icon_128.png") returned=".png" [0114.393] lstrlenW (lpString=".png") returned 4 [0114.393] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0114.393] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0114.394] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=3372) returned 1 [0114.394] GetProcessHeap () returned 0x4c0000 [0114.394] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3ca0008 [0114.403] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="C1") returned 2 [0114.403] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="B2") returned 2 [0114.403] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="84") returned 2 [0114.403] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="2C") returned 2 [0114.403] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="8B") returned 2 [0114.403] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="C5") returned 2 [0114.403] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="4D") returned 2 [0114.403] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="BA") returned 2 [0114.403] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="2A") returned 2 [0114.403] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="E1") returned 2 [0114.403] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="D1") returned 2 [0114.404] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="2D") returned 2 [0114.404] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="76") returned 2 [0114.404] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="BE") returned 2 [0114.404] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="87") returned 2 [0114.404] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="A8") returned 2 [0114.404] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="FC") returned 2 [0114.404] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="BE") returned 2 [0114.404] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="C4") returned 2 [0114.404] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="4F") returned 2 [0114.404] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="E4") returned 2 [0114.404] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="67") returned 2 [0114.404] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="FB") returned 2 [0114.404] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="80") returned 2 [0114.404] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="CC") returned 2 [0114.404] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="F9") returned 2 [0114.404] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="97") returned 2 [0114.404] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="5F") returned 2 [0114.404] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="8E") returned 2 [0114.404] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="4D") returned 2 [0114.404] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="10") returned 2 [0114.404] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="42") returned 2 [0114.413] lstrcpyW (in: lpString1=0x3cb003c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png" [0114.413] lstrcpyW (in: lpString1=0x3ca003c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png" [0114.413] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png", lpString2=".C1B2842C8BC54DBA2AE1D12D76BE87A8FCBEC44FE467FB80CCF9975F8E4D1042" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png.C1B2842C8BC54DBA2AE1D12D76BE87A8FCBEC44FE467FB80CCF9975F8E4D1042") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png.C1B2842C8BC54DBA2AE1D12D76BE87A8FCBEC44FE467FB80CCF9975F8E4D1042" [0114.414] CreateIoCompletionPort (FileHandle=0x1ac, ExistingCompletionPort=0x94, CompletionKey=0x3ca0008, NumberOfConcurrentThreads=0x0) returned 0x94 [0114.414] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3ca0008, lpOverlapped=0x3ca0008) returned 1 [0114.414] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85b4d630, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85cca3f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xa0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="icon_16.png", cAlternateFileName="")) returned 1 [0114.414] lstrcmpiW (lpString1="icon_16.png", lpString2="Windows") returned -1 [0114.414] lstrcmpiW (lpString1="icon_16.png", lpString2="Program Files") returned -1 [0114.414] lstrcmpiW (lpString1="icon_16.png", lpString2="Program Files (x86)") returned -1 [0114.414] lstrcmpiW (lpString1="icon_16.png", lpString2="$Recycle.bin") returned 1 [0114.414] lstrcmpiW (lpString1="icon_16.png", lpString2="System Volume Information") returned -1 [0114.414] lstrcmpiW (lpString1="icon_16.png", lpString2=".") returned 1 [0114.414] lstrcmpiW (lpString1="icon_16.png", lpString2="..") returned 1 [0114.414] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_16.png") returned 141 [0114.414] lstrcmpW (lpString1="icon_16.png", lpString2="PUSSY.TXT") returned -1 [0114.414] PathFindExtensionW (pszPath="icon_16.png") returned=".png" [0114.414] lstrlenW (lpString=".png") returned 4 [0114.414] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0114.414] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_16.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_16.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0114.415] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=160) returned 1 [0114.415] CloseHandle (hObject=0x16c) returned 1 [0114.415] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85b4d630, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b74730, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xe4180700, ftLastWriteTime.dwHighDateTime=0x1d03f5e, nFileSizeHigh=0x0, nFileSizeLow=0x5c, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="main.html", cAlternateFileName="MAIN~1.HTM")) returned 1 [0114.415] lstrcmpiW (lpString1="main.html", lpString2="Windows") returned -1 [0114.415] lstrcmpiW (lpString1="main.html", lpString2="Program Files") returned -1 [0114.415] lstrcmpiW (lpString1="main.html", lpString2="Program Files (x86)") returned -1 [0114.415] lstrcmpiW (lpString1="main.html", lpString2="$Recycle.bin") returned 1 [0114.415] lstrcmpiW (lpString1="main.html", lpString2="System Volume Information") returned -1 [0114.415] lstrcmpiW (lpString1="main.html", lpString2=".") returned 1 [0114.415] lstrcmpiW (lpString1="main.html", lpString2="..") returned 1 [0114.415] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.html") returned 139 [0114.415] lstrcmpW (lpString1="main.html", lpString2="PUSSY.TXT") returned -1 [0114.415] PathFindExtensionW (pszPath="main.html") returned=".html" [0114.415] lstrlenW (lpString=".html") returned 5 [0114.415] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0114.415] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0114.417] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=92) returned 1 [0114.417] CloseHandle (hObject=0x16c) returned 1 [0114.417] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85b998f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b9b830, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xe4180700, ftLastWriteTime.dwHighDateTime=0x1d03f5e, nFileSizeHigh=0x0, nFileSizeLow=0x5f, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="main.js", cAlternateFileName="")) returned 1 [0114.417] lstrcmpiW (lpString1="main.js", lpString2="Windows") returned -1 [0114.417] lstrcmpiW (lpString1="main.js", lpString2="Program Files") returned -1 [0114.417] lstrcmpiW (lpString1="main.js", lpString2="Program Files (x86)") returned -1 [0114.417] lstrcmpiW (lpString1="main.js", lpString2="$Recycle.bin") returned 1 [0114.417] lstrcmpiW (lpString1="main.js", lpString2="System Volume Information") returned -1 [0114.417] lstrcmpiW (lpString1="main.js", lpString2=".") returned 1 [0114.417] lstrcmpiW (lpString1="main.js", lpString2="..") returned 1 [0114.417] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.js") returned 137 [0114.417] lstrcmpW (lpString1="main.js", lpString2="PUSSY.TXT") returned -1 [0114.417] PathFindExtensionW (pszPath="main.js") returned=".js" [0114.417] lstrlenW (lpString=".js") returned 3 [0114.417] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0114.417] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0114.423] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=95) returned 1 [0114.423] CloseHandle (hObject=0x16c) returned 1 [0114.423] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x857953d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b9b830, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x2d5, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="manifest.json", cAlternateFileName="MANIFE~1.JSO")) returned 1 [0114.423] lstrcmpiW (lpString1="manifest.json", lpString2="Windows") returned -1 [0114.423] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files") returned -1 [0114.423] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files (x86)") returned -1 [0114.423] lstrcmpiW (lpString1="manifest.json", lpString2="$Recycle.bin") returned 1 [0114.423] lstrcmpiW (lpString1="manifest.json", lpString2="System Volume Information") returned -1 [0114.423] lstrcmpiW (lpString1="manifest.json", lpString2=".") returned 1 [0114.423] lstrcmpiW (lpString1="manifest.json", lpString2="..") returned 1 [0114.423] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\manifest.json") returned 143 [0114.423] lstrcmpW (lpString1="manifest.json", lpString2="PUSSY.TXT") returned -1 [0114.423] PathFindExtensionW (pszPath="manifest.json") returned=".json" [0114.423] lstrlenW (lpString=".json") returned 5 [0114.423] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0114.423] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\manifest.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0114.424] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=725) returned 1 [0114.424] GetProcessHeap () returned 0x4c0000 [0114.424] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x53caf0 [0114.432] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="7A") returned 2 [0114.432] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="41") returned 2 [0114.432] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="09") returned 2 [0114.432] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="A7") returned 2 [0114.432] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="2B") returned 2 [0114.432] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="03") returned 2 [0114.432] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="2A") returned 2 [0114.432] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="C4") returned 2 [0114.432] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="87") returned 2 [0114.432] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="F1") returned 2 [0114.433] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="78") returned 2 [0114.433] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="54") returned 2 [0114.433] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="5E") returned 2 [0114.433] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="94") returned 2 [0114.433] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="A7") returned 2 [0114.433] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="26") returned 2 [0114.433] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="BA") returned 2 [0114.433] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="27") returned 2 [0114.433] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="3F") returned 2 [0114.433] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="08") returned 2 [0114.433] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="3F") returned 2 [0114.433] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="28") returned 2 [0114.433] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="92") returned 2 [0114.433] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="90") returned 2 [0114.433] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="01") returned 2 [0114.433] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="0E") returned 2 [0114.433] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="7C") returned 2 [0114.433] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="1C") returned 2 [0114.433] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="DA") returned 2 [0114.433] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="A0") returned 2 [0114.433] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="3C") returned 2 [0114.433] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="52") returned 2 [0114.444] lstrcpyW (in: lpString1=0x54cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\manifest.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\manifest.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\manifest.json" [0114.444] lstrcpyW (in: lpString1=0x53cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\manifest.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\manifest.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\manifest.json" [0114.444] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\manifest.json", lpString2=".7A4109A72B032AC487F178545E94A726BA273F083F289290010E7C1CDAA03C52" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\manifest.json.7A4109A72B032AC487F178545E94A726BA273F083F289290010E7C1CDAA03C52") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\manifest.json.7A4109A72B032AC487F178545E94A726BA273F083F289290010E7C1CDAA03C52" [0114.444] CreateIoCompletionPort (FileHandle=0x16c, ExistingCompletionPort=0x94, CompletionKey=0x53caf0, NumberOfConcurrentThreads=0x0) returned 0x94 [0114.444] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x53caf0, lpOverlapped=0x53caf0) returned 1 [0114.444] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x857953d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b4d630, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85b4d630, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="_locales", cAlternateFileName="")) returned 1 [0114.444] lstrcmpiW (lpString1="_locales", lpString2="Windows") returned -1 [0114.445] lstrcmpiW (lpString1="_locales", lpString2="Program Files") returned -1 [0114.445] lstrcmpiW (lpString1="_locales", lpString2="Program Files (x86)") returned -1 [0114.445] lstrcmpiW (lpString1="_locales", lpString2="$Recycle.bin") returned 1 [0114.445] lstrcmpiW (lpString1="_locales", lpString2="System Volume Information") returned -1 [0114.445] lstrcmpiW (lpString1="_locales", lpString2=".") returned 1 [0114.445] lstrcmpiW (lpString1="_locales", lpString2="..") returned 1 [0114.445] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales") returned 138 [0114.445] GetProcessHeap () returned 0x4c0000 [0114.445] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0114.446] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales" [0114.446] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\*" [0114.446] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\*", lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x857953d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b4d630, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85b4d630, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb71e0 [0114.452] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.452] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.452] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.452] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.452] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.452] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.452] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x857953d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b4d630, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85b4d630, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0114.452] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.452] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.452] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.452] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.452] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.452] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.452] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.452] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x857953d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x857953d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x857953d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ar", cAlternateFileName="")) returned 1 [0114.452] lstrcmpiW (lpString1="ar", lpString2="Windows") returned -1 [0114.453] lstrcmpiW (lpString1="ar", lpString2="Program Files") returned -1 [0114.453] lstrcmpiW (lpString1="ar", lpString2="Program Files (x86)") returned -1 [0114.453] lstrcmpiW (lpString1="ar", lpString2="$Recycle.bin") returned 1 [0114.453] lstrcmpiW (lpString1="ar", lpString2="System Volume Information") returned -1 [0114.453] lstrcmpiW (lpString1="ar", lpString2=".") returned 1 [0114.453] lstrcmpiW (lpString1="ar", lpString2="..") returned 1 [0114.453] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar") returned 141 [0114.453] GetProcessHeap () returned 0x4c0000 [0114.453] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x564b40 [0114.454] lstrcpyW (in: lpString1=0x564b40, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar" [0114.454] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\*" [0114.454] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x857953d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x857953d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x857953d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0114.454] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.454] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.454] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.454] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.454] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.454] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.454] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x857953d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x857953d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x857953d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0114.455] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.455] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.455] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.455] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.455] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.455] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.455] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.455] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x857953d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x857953d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x101, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0114.455] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0114.455] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0114.455] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0114.455] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0114.455] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0114.455] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0114.455] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0114.455] wnsprintfW (in: pszDest=0x564b40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\messages.json") returned 155 [0114.455] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0114.455] PathFindExtensionW (pszPath="messages.json") returned=".json" [0114.456] lstrlenW (lpString=".json") returned 5 [0114.456] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0114.456] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0114.456] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=257) returned 1 [0114.456] CloseHandle (hObject=0x17c) returned 1 [0114.456] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x857953d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x857953d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x101, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0114.456] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0114.457] wnsprintfW (in: pszDest=0x564b40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\PUSSY.TXT") returned 151 [0114.457] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0114.457] lstrlenA (lpString="abcd") returned 4 [0114.457] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0114.459] CloseHandle (hObject=0x184) returned 1 [0114.459] GetProcessHeap () returned 0x4c0000 [0114.459] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x564b40 | out: hHeap=0x4c0000) returned 1 [0114.459] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x857bb530, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x857bb530, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x857bb530, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="bg", cAlternateFileName="")) returned 1 [0114.459] lstrcmpiW (lpString1="bg", lpString2="Windows") returned -1 [0114.459] lstrcmpiW (lpString1="bg", lpString2="Program Files") returned -1 [0114.459] lstrcmpiW (lpString1="bg", lpString2="Program Files (x86)") returned -1 [0114.459] lstrcmpiW (lpString1="bg", lpString2="$Recycle.bin") returned 1 [0114.459] lstrcmpiW (lpString1="bg", lpString2="System Volume Information") returned -1 [0114.459] lstrcmpiW (lpString1="bg", lpString2=".") returned 1 [0114.459] lstrcmpiW (lpString1="bg", lpString2="..") returned 1 [0114.459] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg") returned 141 [0114.459] GetProcessHeap () returned 0x4c0000 [0114.459] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x564b40 [0114.460] lstrcpyW (in: lpString1=0x564b40, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg" [0114.460] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\*" [0114.460] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x857bb530, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x857bb530, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x857bb530, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0114.460] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.460] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.460] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.460] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.460] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.460] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.460] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x857bb530, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x857bb530, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x857bb530, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0114.461] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.461] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.461] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.461] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.461] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.461] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.461] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.461] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x857bb530, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x857bc4d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x110, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0114.461] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0114.461] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0114.461] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0114.461] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0114.461] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0114.461] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0114.461] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0114.461] wnsprintfW (in: pszDest=0x564b40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\messages.json") returned 155 [0114.461] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0114.461] PathFindExtensionW (pszPath="messages.json") returned=".json" [0114.461] lstrlenW (lpString=".json") returned 5 [0114.461] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0114.461] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0114.464] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=272) returned 1 [0114.464] CloseHandle (hObject=0x17c) returned 1 [0114.464] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x857bb530, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x857bc4d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x110, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0114.464] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0114.464] wnsprintfW (in: pszDest=0x564b40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\PUSSY.TXT") returned 151 [0114.464] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0114.465] lstrlenA (lpString="abcd") returned 4 [0114.465] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0114.466] CloseHandle (hObject=0x184) returned 1 [0114.466] GetProcessHeap () returned 0x4c0000 [0114.466] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x564b40 | out: hHeap=0x4c0000) returned 1 [0114.466] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x857bb530, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x857bb530, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x857bb530, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ca", cAlternateFileName="")) returned 1 [0114.466] lstrcmpiW (lpString1="ca", lpString2="Windows") returned -1 [0114.466] lstrcmpiW (lpString1="ca", lpString2="Program Files") returned -1 [0114.466] lstrcmpiW (lpString1="ca", lpString2="Program Files (x86)") returned -1 [0114.466] lstrcmpiW (lpString1="ca", lpString2="$Recycle.bin") returned 1 [0114.466] lstrcmpiW (lpString1="ca", lpString2="System Volume Information") returned -1 [0114.466] lstrcmpiW (lpString1="ca", lpString2=".") returned 1 [0114.466] lstrcmpiW (lpString1="ca", lpString2="..") returned 1 [0114.467] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca") returned 141 [0114.467] GetProcessHeap () returned 0x4c0000 [0114.467] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x564b40 [0114.467] lstrcpyW (in: lpString1=0x564b40, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca" [0114.467] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\*" [0114.467] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x857bb530, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x857bb530, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x857bb530, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0114.467] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.467] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.467] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.467] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.467] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.467] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.467] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x857bb530, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x857bb530, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x857bb530, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0114.467] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.467] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.467] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.467] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.467] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.467] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.467] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.467] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x857bb530, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x857bc4d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0114.467] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0114.468] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0114.468] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0114.468] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0114.468] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0114.468] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0114.468] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0114.468] wnsprintfW (in: pszDest=0x564b40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\messages.json") returned 155 [0114.468] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0114.468] PathFindExtensionW (pszPath="messages.json") returned=".json" [0114.468] lstrlenW (lpString=".json") returned 5 [0114.468] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0114.468] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0114.468] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=224) returned 1 [0114.468] CloseHandle (hObject=0x17c) returned 1 [0114.469] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x857bb530, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x857bc4d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0114.469] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0114.469] wnsprintfW (in: pszDest=0x564b40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\PUSSY.TXT") returned 151 [0114.469] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0114.469] lstrlenA (lpString="abcd") returned 4 [0114.469] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0114.481] CloseHandle (hObject=0x184) returned 1 [0114.481] GetProcessHeap () returned 0x4c0000 [0114.481] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x564b40 | out: hHeap=0x4c0000) returned 1 [0114.482] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x857bb530, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x857bb530, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x857bb530, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="cs", cAlternateFileName="")) returned 1 [0114.482] lstrcmpiW (lpString1="cs", lpString2="Windows") returned -1 [0114.482] lstrcmpiW (lpString1="cs", lpString2="Program Files") returned -1 [0114.482] lstrcmpiW (lpString1="cs", lpString2="Program Files (x86)") returned -1 [0114.482] lstrcmpiW (lpString1="cs", lpString2="$Recycle.bin") returned 1 [0114.482] lstrcmpiW (lpString1="cs", lpString2="System Volume Information") returned -1 [0114.482] lstrcmpiW (lpString1="cs", lpString2=".") returned 1 [0114.482] lstrcmpiW (lpString1="cs", lpString2="..") returned 1 [0114.482] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs") returned 141 [0114.482] GetProcessHeap () returned 0x4c0000 [0114.482] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0114.483] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs" [0114.483] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\*" [0114.483] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x857bb530, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x857bb530, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x857bb530, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0114.483] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.483] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.483] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.483] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.483] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.483] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.483] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x857bb530, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x857bb530, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x857bb530, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0114.484] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.484] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.484] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.484] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.484] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.484] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.484] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.484] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x857bb530, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x857bc4d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0114.484] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0114.484] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0114.484] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0114.484] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0114.484] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0114.484] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0114.484] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0114.484] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\messages.json") returned 155 [0114.484] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0114.484] PathFindExtensionW (pszPath="messages.json") returned=".json" [0114.484] lstrlenW (lpString=".json") returned 5 [0114.484] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0114.484] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0114.485] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=224) returned 1 [0114.485] CloseHandle (hObject=0x16c) returned 1 [0114.486] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x857bb530, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x857bc4d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0114.486] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0114.486] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\PUSSY.TXT") returned 151 [0114.486] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0114.486] lstrlenA (lpString="abcd") returned 4 [0114.486] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0114.487] CloseHandle (hObject=0x184) returned 1 [0114.487] GetProcessHeap () returned 0x4c0000 [0114.487] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0114.487] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x857bb530, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x857bb530, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x857bb530, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="da", cAlternateFileName="")) returned 1 [0114.487] lstrcmpiW (lpString1="da", lpString2="Windows") returned -1 [0114.488] lstrcmpiW (lpString1="da", lpString2="Program Files") returned -1 [0114.488] lstrcmpiW (lpString1="da", lpString2="Program Files (x86)") returned -1 [0114.488] lstrcmpiW (lpString1="da", lpString2="$Recycle.bin") returned 1 [0114.488] lstrcmpiW (lpString1="da", lpString2="System Volume Information") returned -1 [0114.488] lstrcmpiW (lpString1="da", lpString2=".") returned 1 [0114.488] lstrcmpiW (lpString1="da", lpString2="..") returned 1 [0114.488] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da") returned 141 [0114.488] GetProcessHeap () returned 0x4c0000 [0114.488] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0114.488] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da" [0114.488] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\*" [0114.488] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x857bb530, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x857bb530, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x857bb530, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0114.488] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.488] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.488] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.488] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.488] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.488] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.488] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x857bb530, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x857bb530, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x857bb530, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0114.488] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.488] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.488] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.488] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.488] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.489] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.489] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.489] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x857bb530, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x857bc4d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0114.489] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0114.489] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0114.489] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0114.489] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0114.489] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0114.489] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0114.489] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0114.489] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\messages.json") returned 155 [0114.489] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0114.489] PathFindExtensionW (pszPath="messages.json") returned=".json" [0114.489] lstrlenW (lpString=".json") returned 5 [0114.489] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0114.489] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0114.489] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=224) returned 1 [0114.489] CloseHandle (hObject=0x16c) returned 1 [0114.490] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x857bb530, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x857bc4d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0114.490] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0114.490] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\PUSSY.TXT") returned 151 [0114.490] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0114.490] lstrlenA (lpString="abcd") returned 4 [0114.490] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0114.491] CloseHandle (hObject=0x184) returned 1 [0114.491] GetProcessHeap () returned 0x4c0000 [0114.491] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0114.491] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x857bb530, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x857bb530, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x857bb530, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="de", cAlternateFileName="")) returned 1 [0114.491] lstrcmpiW (lpString1="de", lpString2="Windows") returned -1 [0114.491] lstrcmpiW (lpString1="de", lpString2="Program Files") returned -1 [0114.491] lstrcmpiW (lpString1="de", lpString2="Program Files (x86)") returned -1 [0114.491] lstrcmpiW (lpString1="de", lpString2="$Recycle.bin") returned 1 [0114.491] lstrcmpiW (lpString1="de", lpString2="System Volume Information") returned -1 [0114.491] lstrcmpiW (lpString1="de", lpString2=".") returned 1 [0114.491] lstrcmpiW (lpString1="de", lpString2="..") returned 1 [0114.492] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de") returned 141 [0114.492] GetProcessHeap () returned 0x4c0000 [0114.492] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0114.492] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de" [0114.492] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\*" [0114.492] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x857bb530, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x857bb530, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x857bb530, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0114.492] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.492] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.492] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.492] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.492] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.492] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.492] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x857bb530, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x857bb530, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x857bb530, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0114.492] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.492] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.492] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.492] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.492] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.492] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.492] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.492] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x857bb530, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x857bc4d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xea, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0114.492] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0114.492] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0114.492] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0114.493] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0114.493] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0114.493] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0114.493] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0114.493] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\messages.json") returned 155 [0114.493] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0114.493] PathFindExtensionW (pszPath="messages.json") returned=".json" [0114.493] lstrlenW (lpString=".json") returned 5 [0114.493] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0114.493] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0114.494] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=234) returned 1 [0114.494] CloseHandle (hObject=0x16c) returned 1 [0114.494] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x857bb530, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x857bc4d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xea, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0114.494] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0114.494] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\PUSSY.TXT") returned 151 [0114.494] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0114.495] lstrlenA (lpString="abcd") returned 4 [0114.495] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0114.496] CloseHandle (hObject=0x184) returned 1 [0114.496] GetProcessHeap () returned 0x4c0000 [0114.496] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0114.496] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x857bb530, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x857bb530, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x857bb530, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="el", cAlternateFileName="")) returned 1 [0114.496] lstrcmpiW (lpString1="el", lpString2="Windows") returned -1 [0114.496] lstrcmpiW (lpString1="el", lpString2="Program Files") returned -1 [0114.496] lstrcmpiW (lpString1="el", lpString2="Program Files (x86)") returned -1 [0114.496] lstrcmpiW (lpString1="el", lpString2="$Recycle.bin") returned 1 [0114.496] lstrcmpiW (lpString1="el", lpString2="System Volume Information") returned -1 [0114.496] lstrcmpiW (lpString1="el", lpString2=".") returned 1 [0114.496] lstrcmpiW (lpString1="el", lpString2="..") returned 1 [0114.496] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el") returned 141 [0114.496] GetProcessHeap () returned 0x4c0000 [0114.496] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0114.496] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el" [0114.496] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\*" [0114.496] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x857bb530, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x857bb530, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x857bb530, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0114.496] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.496] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.497] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.497] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.497] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.497] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.497] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x857bb530, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x857bb530, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x857bb530, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0114.497] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.497] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.497] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.497] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.497] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.497] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.497] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.497] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x857bb530, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x857e35d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x112, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0114.497] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0114.497] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0114.497] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0114.497] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0114.497] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0114.497] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0114.497] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0114.497] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\messages.json") returned 155 [0114.497] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0114.497] PathFindExtensionW (pszPath="messages.json") returned=".json" [0114.497] lstrlenW (lpString=".json") returned 5 [0114.497] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0114.497] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0114.498] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=274) returned 1 [0114.498] CloseHandle (hObject=0x16c) returned 1 [0114.498] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x857bb530, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x857e35d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x112, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0114.498] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0114.498] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\PUSSY.TXT") returned 151 [0114.498] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0114.498] lstrlenA (lpString="abcd") returned 4 [0114.498] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0114.499] CloseHandle (hObject=0x184) returned 1 [0114.499] GetProcessHeap () returned 0x4c0000 [0114.499] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0114.499] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x857e1690, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x859aa710, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x859aa710, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="en_GB", cAlternateFileName="")) returned 1 [0114.499] lstrcmpiW (lpString1="en_GB", lpString2="Windows") returned -1 [0114.499] lstrcmpiW (lpString1="en_GB", lpString2="Program Files") returned -1 [0114.500] lstrcmpiW (lpString1="en_GB", lpString2="Program Files (x86)") returned -1 [0114.500] lstrcmpiW (lpString1="en_GB", lpString2="$Recycle.bin") returned 1 [0114.500] lstrcmpiW (lpString1="en_GB", lpString2="System Volume Information") returned -1 [0114.500] lstrcmpiW (lpString1="en_GB", lpString2=".") returned 1 [0114.500] lstrcmpiW (lpString1="en_GB", lpString2="..") returned 1 [0114.500] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB") returned 144 [0114.500] GetProcessHeap () returned 0x4c0000 [0114.500] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0114.500] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB" [0114.500] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB\\*" [0114.500] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x857e1690, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x859aa710, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x859aa710, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0114.500] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.500] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.500] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.500] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.500] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.500] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.500] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x857e1690, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x859aa710, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x859aa710, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0114.501] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.501] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.501] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.501] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.501] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.501] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.501] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.501] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x859aa710, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x859abe80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd6, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0114.501] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0114.501] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0114.501] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0114.501] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0114.501] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0114.501] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0114.501] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0114.501] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB\\messages.json") returned 158 [0114.501] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0114.501] PathFindExtensionW (pszPath="messages.json") returned=".json" [0114.501] lstrlenW (lpString=".json") returned 5 [0114.501] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0114.501] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_gb\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0114.530] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=214) returned 1 [0114.530] CloseHandle (hObject=0x16c) returned 1 [0114.531] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x859aa710, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x859abe80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd6, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0114.531] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0114.531] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB\\PUSSY.TXT") returned 154 [0114.531] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_gb\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0114.531] lstrlenA (lpString="abcd") returned 4 [0114.531] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0114.532] CloseHandle (hObject=0x184) returned 1 [0114.532] GetProcessHeap () returned 0x4c0000 [0114.532] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0114.532] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x859aa710, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x859aa710, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x859aa710, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="en_US", cAlternateFileName="")) returned 1 [0114.532] lstrcmpiW (lpString1="en_US", lpString2="Windows") returned -1 [0114.532] lstrcmpiW (lpString1="en_US", lpString2="Program Files") returned -1 [0114.532] lstrcmpiW (lpString1="en_US", lpString2="Program Files (x86)") returned -1 [0114.532] lstrcmpiW (lpString1="en_US", lpString2="$Recycle.bin") returned 1 [0114.532] lstrcmpiW (lpString1="en_US", lpString2="System Volume Information") returned -1 [0114.533] lstrcmpiW (lpString1="en_US", lpString2=".") returned 1 [0114.533] lstrcmpiW (lpString1="en_US", lpString2="..") returned 1 [0114.533] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US") returned 144 [0114.533] GetProcessHeap () returned 0x4c0000 [0114.533] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0114.533] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US" [0114.533] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US\\*" [0114.533] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x859aa710, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x859aa710, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x859aa710, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0114.533] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.533] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.533] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.533] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.533] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.533] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.533] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x859aa710, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x859aa710, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x859aa710, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0114.533] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.533] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.533] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.533] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.533] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.533] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.534] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.534] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x859aa710, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x859abe80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd7, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0114.534] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0114.534] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0114.534] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0114.534] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0114.534] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0114.534] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0114.534] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0114.534] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US\\messages.json") returned 158 [0114.534] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0114.534] PathFindExtensionW (pszPath="messages.json") returned=".json" [0114.534] lstrlenW (lpString=".json") returned 5 [0114.534] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0114.534] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_us\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0114.534] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=215) returned 1 [0114.534] CloseHandle (hObject=0x16c) returned 1 [0114.534] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x859aa710, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x859abe80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd7, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0114.534] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0114.534] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US\\PUSSY.TXT") returned 154 [0114.534] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_us\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0114.535] lstrlenA (lpString="abcd") returned 4 [0114.535] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0114.536] CloseHandle (hObject=0x184) returned 1 [0114.536] GetProcessHeap () returned 0x4c0000 [0114.536] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0114.536] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x859aa710, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x859aa710, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x859aa710, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="es", cAlternateFileName="")) returned 1 [0114.536] lstrcmpiW (lpString1="es", lpString2="Windows") returned -1 [0114.536] lstrcmpiW (lpString1="es", lpString2="Program Files") returned -1 [0114.536] lstrcmpiW (lpString1="es", lpString2="Program Files (x86)") returned -1 [0114.536] lstrcmpiW (lpString1="es", lpString2="$Recycle.bin") returned 1 [0114.536] lstrcmpiW (lpString1="es", lpString2="System Volume Information") returned -1 [0114.536] lstrcmpiW (lpString1="es", lpString2=".") returned 1 [0114.536] lstrcmpiW (lpString1="es", lpString2="..") returned 1 [0114.536] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es") returned 141 [0114.536] GetProcessHeap () returned 0x4c0000 [0114.536] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0114.536] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es" [0114.536] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\*" [0114.536] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x859aa710, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x859aa710, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x859aa710, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0114.537] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.537] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.537] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.537] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.537] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.537] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.537] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x859aa710, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x859aa710, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x859aa710, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0114.538] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.538] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.538] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.538] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.538] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.538] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.538] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.538] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x859aa710, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x859abe80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xdf, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0114.538] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0114.538] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0114.538] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0114.538] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0114.538] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0114.538] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0114.538] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0114.538] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\messages.json") returned 155 [0114.538] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0114.538] PathFindExtensionW (pszPath="messages.json") returned=".json" [0114.538] lstrlenW (lpString=".json") returned 5 [0114.538] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0114.538] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0114.538] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=223) returned 1 [0114.538] CloseHandle (hObject=0x16c) returned 1 [0114.539] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x859aa710, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x859abe80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xdf, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0114.539] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0114.539] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\PUSSY.TXT") returned 151 [0114.539] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0114.539] lstrlenA (lpString="abcd") returned 4 [0114.539] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0114.540] CloseHandle (hObject=0x184) returned 1 [0114.540] GetProcessHeap () returned 0x4c0000 [0114.540] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0114.540] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x859d0870, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x859d0870, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x859d0870, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="es_419", cAlternateFileName="")) returned 1 [0114.540] lstrcmpiW (lpString1="es_419", lpString2="Windows") returned -1 [0114.540] lstrcmpiW (lpString1="es_419", lpString2="Program Files") returned -1 [0114.540] lstrcmpiW (lpString1="es_419", lpString2="Program Files (x86)") returned -1 [0114.540] lstrcmpiW (lpString1="es_419", lpString2="$Recycle.bin") returned 1 [0114.540] lstrcmpiW (lpString1="es_419", lpString2="System Volume Information") returned -1 [0114.540] lstrcmpiW (lpString1="es_419", lpString2=".") returned 1 [0114.540] lstrcmpiW (lpString1="es_419", lpString2="..") returned 1 [0114.540] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419") returned 145 [0114.540] GetProcessHeap () returned 0x4c0000 [0114.540] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0114.541] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419" [0114.541] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\*" [0114.541] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x859d0870, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x859d0870, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x859d0870, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0114.541] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.541] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.541] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.541] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.541] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.541] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.541] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x859d0870, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x859d0870, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x859d0870, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0114.541] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.541] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.541] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.541] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.541] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.541] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.541] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.541] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x859d0870, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x859d0870, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xdd, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0114.541] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0114.541] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0114.541] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0114.541] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0114.541] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0114.541] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0114.541] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0114.542] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\messages.json") returned 159 [0114.542] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0114.542] PathFindExtensionW (pszPath="messages.json") returned=".json" [0114.542] lstrlenW (lpString=".json") returned 5 [0114.542] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0114.542] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0114.542] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=221) returned 1 [0114.542] CloseHandle (hObject=0x16c) returned 1 [0114.542] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x859d0870, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x859d0870, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xdd, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0114.542] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0114.542] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\PUSSY.TXT") returned 155 [0114.542] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0114.542] lstrlenA (lpString="abcd") returned 4 [0114.543] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0114.543] CloseHandle (hObject=0x184) returned 1 [0114.543] GetProcessHeap () returned 0x4c0000 [0114.544] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0114.544] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x859d0870, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x859d0870, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x859d0870, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="et", cAlternateFileName="")) returned 1 [0114.544] lstrcmpiW (lpString1="et", lpString2="Windows") returned -1 [0114.544] lstrcmpiW (lpString1="et", lpString2="Program Files") returned -1 [0114.544] lstrcmpiW (lpString1="et", lpString2="Program Files (x86)") returned -1 [0114.544] lstrcmpiW (lpString1="et", lpString2="$Recycle.bin") returned 1 [0114.544] lstrcmpiW (lpString1="et", lpString2="System Volume Information") returned -1 [0114.544] lstrcmpiW (lpString1="et", lpString2=".") returned 1 [0114.544] lstrcmpiW (lpString1="et", lpString2="..") returned 1 [0114.544] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et") returned 141 [0114.544] GetProcessHeap () returned 0x4c0000 [0114.544] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0114.544] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et" [0114.544] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\*" [0114.544] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x859d0870, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x859d0870, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x859d0870, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0114.545] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.545] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.545] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.545] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.545] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.545] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.545] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x859d0870, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x859d0870, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x859d0870, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0114.545] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.545] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.545] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.545] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.545] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.545] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.545] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.545] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x859d0870, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x859d0870, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd6, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0114.545] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0114.545] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0114.545] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0114.545] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0114.545] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0114.545] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0114.545] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0114.545] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\messages.json") returned 155 [0114.546] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0114.546] PathFindExtensionW (pszPath="messages.json") returned=".json" [0114.546] lstrlenW (lpString=".json") returned 5 [0114.546] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0114.546] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0114.546] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=214) returned 1 [0114.546] CloseHandle (hObject=0x16c) returned 1 [0114.546] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x859d0870, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x859d0870, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd6, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0114.546] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0114.546] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\PUSSY.TXT") returned 151 [0114.546] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0114.546] lstrlenA (lpString="abcd") returned 4 [0114.547] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0114.547] CloseHandle (hObject=0x184) returned 1 [0114.548] GetProcessHeap () returned 0x4c0000 [0114.548] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0114.548] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x859d0870, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x859d0870, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x859d0870, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="fi", cAlternateFileName="")) returned 1 [0114.548] lstrcmpiW (lpString1="fi", lpString2="Windows") returned -1 [0114.548] lstrcmpiW (lpString1="fi", lpString2="Program Files") returned -1 [0114.548] lstrcmpiW (lpString1="fi", lpString2="Program Files (x86)") returned -1 [0114.548] lstrcmpiW (lpString1="fi", lpString2="$Recycle.bin") returned 1 [0114.548] lstrcmpiW (lpString1="fi", lpString2="System Volume Information") returned -1 [0114.548] lstrcmpiW (lpString1="fi", lpString2=".") returned 1 [0114.548] lstrcmpiW (lpString1="fi", lpString2="..") returned 1 [0114.548] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi") returned 141 [0114.548] GetProcessHeap () returned 0x4c0000 [0114.548] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0114.548] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi" [0114.548] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\*" [0114.548] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x859d0870, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x859d0870, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x859d0870, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0114.548] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.548] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.548] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.548] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.548] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.548] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.548] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x859d0870, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x859d0870, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x859d0870, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0114.549] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.549] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.549] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.549] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.549] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.549] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.549] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.549] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x859d0870, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x859d0870, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd9, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0114.549] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0114.549] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0114.549] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0114.549] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0114.549] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0114.549] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0114.549] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0114.549] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\messages.json") returned 155 [0114.549] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0114.549] PathFindExtensionW (pszPath="messages.json") returned=".json" [0114.549] lstrlenW (lpString=".json") returned 5 [0114.549] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0114.549] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0114.549] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=217) returned 1 [0114.550] CloseHandle (hObject=0x16c) returned 1 [0114.550] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x859d0870, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x859d0870, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd9, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0114.550] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0114.550] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\PUSSY.TXT") returned 151 [0114.550] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0114.550] lstrlenA (lpString="abcd") returned 4 [0114.550] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0114.551] CloseHandle (hObject=0x184) returned 1 [0114.551] GetProcessHeap () returned 0x4c0000 [0114.551] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0114.551] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x859f69d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x859f69d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x859f69d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="fil", cAlternateFileName="")) returned 1 [0114.551] lstrcmpiW (lpString1="fil", lpString2="Windows") returned -1 [0114.551] lstrcmpiW (lpString1="fil", lpString2="Program Files") returned -1 [0114.551] lstrcmpiW (lpString1="fil", lpString2="Program Files (x86)") returned -1 [0114.551] lstrcmpiW (lpString1="fil", lpString2="$Recycle.bin") returned 1 [0114.551] lstrcmpiW (lpString1="fil", lpString2="System Volume Information") returned -1 [0114.551] lstrcmpiW (lpString1="fil", lpString2=".") returned 1 [0114.551] lstrcmpiW (lpString1="fil", lpString2="..") returned 1 [0114.551] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil") returned 142 [0114.551] GetProcessHeap () returned 0x4c0000 [0114.551] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0114.551] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil" [0114.551] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\*" [0114.551] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x859f69d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x859f69d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x859f69d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0114.563] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.563] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.563] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.563] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.563] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.563] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.563] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x859f69d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x859f69d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x859f69d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0114.563] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.563] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.563] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.563] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.563] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.563] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.563] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.563] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x859f69d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x859f7970, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0114.564] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0114.564] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0114.564] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0114.564] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0114.564] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0114.564] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0114.564] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0114.564] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\messages.json") returned 156 [0114.564] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0114.564] PathFindExtensionW (pszPath="messages.json") returned=".json" [0114.564] lstrlenW (lpString=".json") returned 5 [0114.564] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0114.564] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0114.565] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=224) returned 1 [0114.565] CloseHandle (hObject=0x16c) returned 1 [0114.565] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x859f69d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x859f7970, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0114.565] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0114.566] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\PUSSY.TXT") returned 152 [0114.566] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0114.567] lstrlenA (lpString="abcd") returned 4 [0114.567] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0114.568] CloseHandle (hObject=0x184) returned 1 [0114.568] GetProcessHeap () returned 0x4c0000 [0114.568] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0114.568] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x859f69d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x859f69d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x859f69d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="fr", cAlternateFileName="")) returned 1 [0114.568] lstrcmpiW (lpString1="fr", lpString2="Windows") returned -1 [0114.568] lstrcmpiW (lpString1="fr", lpString2="Program Files") returned -1 [0114.568] lstrcmpiW (lpString1="fr", lpString2="Program Files (x86)") returned -1 [0114.568] lstrcmpiW (lpString1="fr", lpString2="$Recycle.bin") returned 1 [0114.568] lstrcmpiW (lpString1="fr", lpString2="System Volume Information") returned -1 [0114.568] lstrcmpiW (lpString1="fr", lpString2=".") returned 1 [0114.568] lstrcmpiW (lpString1="fr", lpString2="..") returned 1 [0114.568] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr") returned 141 [0114.568] GetProcessHeap () returned 0x4c0000 [0114.568] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0114.568] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr" [0114.568] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\*" [0114.568] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x859f69d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x859f69d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x859f69d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0114.568] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.569] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.569] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.569] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.569] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.569] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.569] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x859f69d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x859f69d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x859f69d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0114.569] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.569] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.569] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.569] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.569] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.569] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.569] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.569] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x859f69d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x859f7970, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xde, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0114.569] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0114.569] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0114.569] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0114.569] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0114.569] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0114.569] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0114.569] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0114.569] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\messages.json") returned 155 [0114.569] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0114.569] PathFindExtensionW (pszPath="messages.json") returned=".json" [0114.569] lstrlenW (lpString=".json") returned 5 [0114.569] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0114.569] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0114.570] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=222) returned 1 [0114.570] CloseHandle (hObject=0x16c) returned 1 [0114.570] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x859f69d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x859f7970, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xde, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0114.570] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0114.570] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\PUSSY.TXT") returned 151 [0114.570] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0114.570] lstrlenA (lpString="abcd") returned 4 [0114.570] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0114.571] CloseHandle (hObject=0x184) returned 1 [0114.571] GetProcessHeap () returned 0x4c0000 [0114.571] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0114.571] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x859f69d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x859f69d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x859f69d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="he", cAlternateFileName="")) returned 1 [0114.571] lstrcmpiW (lpString1="he", lpString2="Windows") returned -1 [0114.571] lstrcmpiW (lpString1="he", lpString2="Program Files") returned -1 [0114.571] lstrcmpiW (lpString1="he", lpString2="Program Files (x86)") returned -1 [0114.571] lstrcmpiW (lpString1="he", lpString2="$Recycle.bin") returned 1 [0114.571] lstrcmpiW (lpString1="he", lpString2="System Volume Information") returned -1 [0114.571] lstrcmpiW (lpString1="he", lpString2=".") returned 1 [0114.571] lstrcmpiW (lpString1="he", lpString2="..") returned 1 [0114.571] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he") returned 141 [0114.571] GetProcessHeap () returned 0x4c0000 [0114.572] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0114.572] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he" [0114.572] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\*" [0114.572] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x859f69d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x859f69d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x859f69d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0114.573] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.573] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.573] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.573] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.573] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.573] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.573] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x859f69d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x859f69d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x859f69d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0114.573] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.573] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.573] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.573] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.573] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.573] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.573] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.573] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x859f69d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x859f7970, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe1, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0114.573] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0114.573] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0114.573] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0114.573] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0114.573] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0114.573] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0114.573] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0114.573] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\messages.json") returned 155 [0114.573] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0114.573] PathFindExtensionW (pszPath="messages.json") returned=".json" [0114.573] lstrlenW (lpString=".json") returned 5 [0114.573] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0114.573] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0114.574] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=225) returned 1 [0114.574] CloseHandle (hObject=0x16c) returned 1 [0114.574] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x859f69d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x859f7970, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe1, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0114.574] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0114.574] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\PUSSY.TXT") returned 151 [0114.574] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0114.574] lstrlenA (lpString="abcd") returned 4 [0114.574] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0114.575] CloseHandle (hObject=0x184) returned 1 [0114.575] GetProcessHeap () returned 0x4c0000 [0114.575] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0114.575] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85a1cb30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a1cb30, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85a1cb30, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="hi", cAlternateFileName="")) returned 1 [0114.575] lstrcmpiW (lpString1="hi", lpString2="Windows") returned -1 [0114.575] lstrcmpiW (lpString1="hi", lpString2="Program Files") returned -1 [0114.575] lstrcmpiW (lpString1="hi", lpString2="Program Files (x86)") returned -1 [0114.575] lstrcmpiW (lpString1="hi", lpString2="$Recycle.bin") returned 1 [0114.575] lstrcmpiW (lpString1="hi", lpString2="System Volume Information") returned -1 [0114.575] lstrcmpiW (lpString1="hi", lpString2=".") returned 1 [0114.575] lstrcmpiW (lpString1="hi", lpString2="..") returned 1 [0114.575] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi") returned 141 [0114.575] GetProcessHeap () returned 0x4c0000 [0114.575] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0114.576] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi" [0114.576] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\*" [0114.576] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85a1cb30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a1cb30, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85a1cb30, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0114.576] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.576] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.576] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.576] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.576] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.576] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.576] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85a1cb30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a1cb30, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85a1cb30, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0114.576] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.576] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.576] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.576] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.576] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.576] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.576] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.576] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85a1cb30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a1ea70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x123, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0114.576] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0114.576] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0114.576] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0114.576] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0114.576] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0114.576] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0114.577] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0114.577] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\messages.json") returned 155 [0114.577] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0114.577] PathFindExtensionW (pszPath="messages.json") returned=".json" [0114.577] lstrlenW (lpString=".json") returned 5 [0114.577] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0114.577] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0114.577] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=291) returned 1 [0114.577] CloseHandle (hObject=0x16c) returned 1 [0114.577] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85a1cb30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a1ea70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x123, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0114.577] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0114.577] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\PUSSY.TXT") returned 151 [0114.577] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0114.578] lstrlenA (lpString="abcd") returned 4 [0114.578] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0114.578] CloseHandle (hObject=0x184) returned 1 [0114.579] GetProcessHeap () returned 0x4c0000 [0114.579] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0114.579] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85a1cb30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a1cb30, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85a1cb30, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="hu", cAlternateFileName="")) returned 1 [0114.579] lstrcmpiW (lpString1="hu", lpString2="Windows") returned -1 [0114.579] lstrcmpiW (lpString1="hu", lpString2="Program Files") returned -1 [0114.579] lstrcmpiW (lpString1="hu", lpString2="Program Files (x86)") returned -1 [0114.579] lstrcmpiW (lpString1="hu", lpString2="$Recycle.bin") returned 1 [0114.579] lstrcmpiW (lpString1="hu", lpString2="System Volume Information") returned -1 [0114.579] lstrcmpiW (lpString1="hu", lpString2=".") returned 1 [0114.579] lstrcmpiW (lpString1="hu", lpString2="..") returned 1 [0114.579] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu") returned 141 [0114.579] GetProcessHeap () returned 0x4c0000 [0114.579] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0114.579] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu" [0114.579] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\*" [0114.579] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85a1cb30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a1cb30, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85a1cb30, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0114.607] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.607] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.607] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.607] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.607] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.607] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.607] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85a1cb30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a1cb30, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85a1cb30, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0114.608] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.608] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.608] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.608] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.608] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.608] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.608] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.608] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85a1cb30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a1ea70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe6, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0114.608] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0114.608] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0114.608] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0114.608] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0114.608] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0114.608] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0114.608] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0114.608] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\messages.json") returned 155 [0114.608] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0114.608] PathFindExtensionW (pszPath="messages.json") returned=".json" [0114.608] lstrlenW (lpString=".json") returned 5 [0114.608] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0114.608] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0114.609] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=230) returned 1 [0114.609] CloseHandle (hObject=0x16c) returned 1 [0114.609] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85a1cb30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a1ea70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe6, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0114.609] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0114.609] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\PUSSY.TXT") returned 151 [0114.609] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0114.609] lstrlenA (lpString="abcd") returned 4 [0114.609] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0114.610] CloseHandle (hObject=0x184) returned 1 [0114.610] GetProcessHeap () returned 0x4c0000 [0114.610] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0114.610] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85a1cb30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a1cb30, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85a1cb30, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="id", cAlternateFileName="")) returned 1 [0114.610] lstrcmpiW (lpString1="id", lpString2="Windows") returned -1 [0114.610] lstrcmpiW (lpString1="id", lpString2="Program Files") returned -1 [0114.610] lstrcmpiW (lpString1="id", lpString2="Program Files (x86)") returned -1 [0114.610] lstrcmpiW (lpString1="id", lpString2="$Recycle.bin") returned 1 [0114.610] lstrcmpiW (lpString1="id", lpString2="System Volume Information") returned -1 [0114.610] lstrcmpiW (lpString1="id", lpString2=".") returned 1 [0114.611] lstrcmpiW (lpString1="id", lpString2="..") returned 1 [0114.611] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id") returned 141 [0114.611] GetProcessHeap () returned 0x4c0000 [0114.611] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0114.611] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id" [0114.611] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\*" [0114.611] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85a1cb30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a1cb30, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85a1cb30, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0114.611] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.611] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.611] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.611] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.611] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.611] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.611] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85a1cb30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a1cb30, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85a1cb30, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0114.611] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.611] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.611] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.611] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.611] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.611] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.611] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.611] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85a1cb30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a1ea70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0114.611] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0114.611] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0114.612] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0114.612] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0114.612] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0114.612] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0114.612] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0114.612] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\messages.json") returned 155 [0114.612] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0114.612] PathFindExtensionW (pszPath="messages.json") returned=".json" [0114.612] lstrlenW (lpString=".json") returned 5 [0114.612] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0114.612] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0114.612] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=208) returned 1 [0114.612] CloseHandle (hObject=0x16c) returned 1 [0114.612] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85a1cb30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a1ea70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0114.612] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0114.612] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\PUSSY.TXT") returned 151 [0114.612] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0114.613] lstrlenA (lpString="abcd") returned 4 [0114.613] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0114.614] CloseHandle (hObject=0x184) returned 1 [0114.614] GetProcessHeap () returned 0x4c0000 [0114.614] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0114.614] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85a1cb30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a42c90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85a42c90, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="it", cAlternateFileName="")) returned 1 [0114.614] lstrcmpiW (lpString1="it", lpString2="Windows") returned -1 [0114.614] lstrcmpiW (lpString1="it", lpString2="Program Files") returned -1 [0114.614] lstrcmpiW (lpString1="it", lpString2="Program Files (x86)") returned -1 [0114.614] lstrcmpiW (lpString1="it", lpString2="$Recycle.bin") returned 1 [0114.614] lstrcmpiW (lpString1="it", lpString2="System Volume Information") returned -1 [0114.614] lstrcmpiW (lpString1="it", lpString2=".") returned 1 [0114.614] lstrcmpiW (lpString1="it", lpString2="..") returned 1 [0114.614] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it") returned 141 [0114.614] GetProcessHeap () returned 0x4c0000 [0114.614] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0114.614] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it" [0114.615] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\*" [0114.615] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85a1cb30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a42c90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85a42c90, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0114.615] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.615] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.616] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.616] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.616] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.616] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.616] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85a1cb30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a42c90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85a42c90, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0114.616] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.616] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.616] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.616] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.616] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.616] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.616] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.616] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85a42c90, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a43460, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xdd, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0114.616] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0114.616] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0114.616] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0114.616] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0114.616] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0114.616] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0114.616] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0114.616] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\messages.json") returned 155 [0114.616] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0114.616] PathFindExtensionW (pszPath="messages.json") returned=".json" [0114.616] lstrlenW (lpString=".json") returned 5 [0114.616] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0114.616] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0114.617] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=221) returned 1 [0114.617] CloseHandle (hObject=0x16c) returned 1 [0114.617] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85a42c90, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a43460, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xdd, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0114.617] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0114.617] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\PUSSY.TXT") returned 151 [0114.617] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0114.617] lstrlenA (lpString="abcd") returned 4 [0114.617] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0114.618] CloseHandle (hObject=0x184) returned 1 [0114.618] GetProcessHeap () returned 0x4c0000 [0114.618] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0114.618] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85a42c90, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a42c90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85a42c90, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ja", cAlternateFileName="")) returned 1 [0114.618] lstrcmpiW (lpString1="ja", lpString2="Windows") returned -1 [0114.618] lstrcmpiW (lpString1="ja", lpString2="Program Files") returned -1 [0114.618] lstrcmpiW (lpString1="ja", lpString2="Program Files (x86)") returned -1 [0114.618] lstrcmpiW (lpString1="ja", lpString2="$Recycle.bin") returned 1 [0114.619] lstrcmpiW (lpString1="ja", lpString2="System Volume Information") returned -1 [0114.619] lstrcmpiW (lpString1="ja", lpString2=".") returned 1 [0114.619] lstrcmpiW (lpString1="ja", lpString2="..") returned 1 [0114.619] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja") returned 141 [0114.619] GetProcessHeap () returned 0x4c0000 [0114.619] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0114.619] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja" [0114.619] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\*" [0114.619] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85a42c90, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a42c90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85a42c90, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0114.619] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.619] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.619] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.619] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.619] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.619] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.619] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85a42c90, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a42c90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85a42c90, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0114.619] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.619] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.619] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.619] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.619] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.619] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.619] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.619] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85a42c90, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a43460, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xec, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0114.619] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0114.620] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0114.620] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0114.620] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0114.620] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0114.620] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0114.620] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0114.620] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\messages.json") returned 155 [0114.620] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0114.620] PathFindExtensionW (pszPath="messages.json") returned=".json" [0114.620] lstrlenW (lpString=".json") returned 5 [0114.620] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0114.620] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0114.620] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=236) returned 1 [0114.620] CloseHandle (hObject=0x16c) returned 1 [0114.620] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85a42c90, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a43460, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xec, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0114.620] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0114.621] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\PUSSY.TXT") returned 151 [0114.621] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0114.621] lstrlenA (lpString="abcd") returned 4 [0114.621] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0114.622] CloseHandle (hObject=0x184) returned 1 [0114.622] GetProcessHeap () returned 0x4c0000 [0114.622] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0114.622] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85a42c90, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a42c90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85a42c90, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ko", cAlternateFileName="")) returned 1 [0114.622] lstrcmpiW (lpString1="ko", lpString2="Windows") returned -1 [0114.622] lstrcmpiW (lpString1="ko", lpString2="Program Files") returned -1 [0114.622] lstrcmpiW (lpString1="ko", lpString2="Program Files (x86)") returned -1 [0114.622] lstrcmpiW (lpString1="ko", lpString2="$Recycle.bin") returned 1 [0114.622] lstrcmpiW (lpString1="ko", lpString2="System Volume Information") returned -1 [0114.622] lstrcmpiW (lpString1="ko", lpString2=".") returned 1 [0114.622] lstrcmpiW (lpString1="ko", lpString2="..") returned 1 [0114.622] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko") returned 141 [0114.622] GetProcessHeap () returned 0x4c0000 [0114.622] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0114.623] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko" [0114.623] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\*" [0114.623] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85a42c90, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a42c90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85a42c90, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0114.623] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.623] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.624] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.624] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.624] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.624] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.624] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85a42c90, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a42c90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85a42c90, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0114.624] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.624] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.624] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.624] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.624] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.624] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.624] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.624] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85a42c90, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a6a560, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe6, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0114.624] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0114.624] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0114.624] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0114.624] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0114.624] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0114.624] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0114.624] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0114.624] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\messages.json") returned 155 [0114.624] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0114.624] PathFindExtensionW (pszPath="messages.json") returned=".json" [0114.624] lstrlenW (lpString=".json") returned 5 [0114.624] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0114.624] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0114.625] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=230) returned 1 [0114.625] CloseHandle (hObject=0x16c) returned 1 [0114.625] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85a42c90, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a6a560, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe6, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0114.625] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0114.625] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\PUSSY.TXT") returned 151 [0114.625] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0114.625] lstrlenA (lpString="abcd") returned 4 [0114.625] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0114.626] CloseHandle (hObject=0x184) returned 1 [0114.626] GetProcessHeap () returned 0x4c0000 [0114.626] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0114.626] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85a68df0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a68df0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85a68df0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="lt", cAlternateFileName="")) returned 1 [0114.626] lstrcmpiW (lpString1="lt", lpString2="Windows") returned -1 [0114.626] lstrcmpiW (lpString1="lt", lpString2="Program Files") returned -1 [0114.627] lstrcmpiW (lpString1="lt", lpString2="Program Files (x86)") returned -1 [0114.627] lstrcmpiW (lpString1="lt", lpString2="$Recycle.bin") returned 1 [0114.627] lstrcmpiW (lpString1="lt", lpString2="System Volume Information") returned -1 [0114.627] lstrcmpiW (lpString1="lt", lpString2=".") returned 1 [0114.627] lstrcmpiW (lpString1="lt", lpString2="..") returned 1 [0114.627] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt") returned 141 [0114.627] GetProcessHeap () returned 0x4c0000 [0114.627] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0114.627] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt" [0114.627] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\*" [0114.627] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85a68df0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a68df0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85a68df0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0114.627] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.627] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.627] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.627] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.627] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.627] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.627] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85a68df0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a68df0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85a68df0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0114.627] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.627] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.627] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.627] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.627] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.627] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.627] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.627] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85a68df0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a6a560, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe4, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0114.628] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0114.628] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0114.628] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0114.628] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0114.628] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0114.628] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0114.628] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0114.628] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\messages.json") returned 155 [0114.628] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0114.628] PathFindExtensionW (pszPath="messages.json") returned=".json" [0114.628] lstrlenW (lpString=".json") returned 5 [0114.628] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0114.628] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0114.628] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=228) returned 1 [0114.628] CloseHandle (hObject=0x16c) returned 1 [0114.628] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85a68df0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a6a560, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe4, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0114.628] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0114.628] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\PUSSY.TXT") returned 151 [0114.628] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0114.629] lstrlenA (lpString="abcd") returned 4 [0114.629] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0114.630] CloseHandle (hObject=0x184) returned 1 [0114.630] GetProcessHeap () returned 0x4c0000 [0114.630] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0114.630] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85a68df0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a68df0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85a68df0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="lv", cAlternateFileName="")) returned 1 [0114.630] lstrcmpiW (lpString1="lv", lpString2="Windows") returned -1 [0114.630] lstrcmpiW (lpString1="lv", lpString2="Program Files") returned -1 [0114.630] lstrcmpiW (lpString1="lv", lpString2="Program Files (x86)") returned -1 [0114.630] lstrcmpiW (lpString1="lv", lpString2="$Recycle.bin") returned 1 [0114.630] lstrcmpiW (lpString1="lv", lpString2="System Volume Information") returned -1 [0114.630] lstrcmpiW (lpString1="lv", lpString2=".") returned 1 [0114.630] lstrcmpiW (lpString1="lv", lpString2="..") returned 1 [0114.630] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv") returned 141 [0114.630] GetProcessHeap () returned 0x4c0000 [0114.630] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0114.630] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv" [0114.630] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\*" [0114.630] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85a68df0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a68df0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85a68df0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0114.632] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.632] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.632] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.632] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.632] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.632] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.632] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85a68df0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a68df0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85a68df0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0114.632] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.632] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.632] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.632] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.632] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.632] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.632] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.632] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85a68df0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a6a560, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe9, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0114.632] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0114.632] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0114.632] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0114.632] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0114.632] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0114.632] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0114.632] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0114.632] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\messages.json") returned 155 [0114.632] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0114.632] PathFindExtensionW (pszPath="messages.json") returned=".json" [0114.632] lstrlenW (lpString=".json") returned 5 [0114.632] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0114.633] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0114.633] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=233) returned 1 [0114.633] CloseHandle (hObject=0x16c) returned 1 [0114.633] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85a68df0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a6a560, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe9, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0114.633] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0114.633] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\PUSSY.TXT") returned 151 [0114.633] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0114.634] lstrlenA (lpString="abcd") returned 4 [0114.634] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0114.635] CloseHandle (hObject=0x184) returned 1 [0114.635] GetProcessHeap () returned 0x4c0000 [0114.635] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0114.635] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85a68df0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a8ef50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85a8ef50, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ms", cAlternateFileName="")) returned 1 [0114.635] lstrcmpiW (lpString1="ms", lpString2="Windows") returned -1 [0114.635] lstrcmpiW (lpString1="ms", lpString2="Program Files") returned -1 [0114.635] lstrcmpiW (lpString1="ms", lpString2="Program Files (x86)") returned -1 [0114.635] lstrcmpiW (lpString1="ms", lpString2="$Recycle.bin") returned 1 [0114.635] lstrcmpiW (lpString1="ms", lpString2="System Volume Information") returned -1 [0114.635] lstrcmpiW (lpString1="ms", lpString2=".") returned 1 [0114.635] lstrcmpiW (lpString1="ms", lpString2="..") returned 1 [0114.635] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms") returned 141 [0114.635] GetProcessHeap () returned 0x4c0000 [0114.635] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0114.635] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms" [0114.635] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\*" [0114.635] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85a68df0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a8ef50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85a8ef50, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0114.636] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.636] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.636] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.636] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.636] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.636] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.636] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85a68df0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a8ef50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85a8ef50, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0114.636] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.636] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.636] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.636] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.636] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.636] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.636] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.636] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85a8ef50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a8ef50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd2, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0114.636] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0114.636] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0114.636] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0114.636] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0114.636] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0114.636] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0114.636] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0114.636] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\messages.json") returned 155 [0114.636] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0114.636] PathFindExtensionW (pszPath="messages.json") returned=".json" [0114.636] lstrlenW (lpString=".json") returned 5 [0114.636] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0114.637] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0114.637] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=210) returned 1 [0114.637] CloseHandle (hObject=0x16c) returned 1 [0114.637] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85a8ef50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a8ef50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd2, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0114.637] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0114.637] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\PUSSY.TXT") returned 151 [0114.637] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0114.637] lstrlenA (lpString="abcd") returned 4 [0114.637] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0114.638] CloseHandle (hObject=0x184) returned 1 [0114.638] GetProcessHeap () returned 0x4c0000 [0114.638] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0114.638] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85a8ef50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a8ef50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85a8ef50, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="nl", cAlternateFileName="")) returned 1 [0114.639] lstrcmpiW (lpString1="nl", lpString2="Windows") returned -1 [0114.639] lstrcmpiW (lpString1="nl", lpString2="Program Files") returned -1 [0114.639] lstrcmpiW (lpString1="nl", lpString2="Program Files (x86)") returned -1 [0114.639] lstrcmpiW (lpString1="nl", lpString2="$Recycle.bin") returned 1 [0114.639] lstrcmpiW (lpString1="nl", lpString2="System Volume Information") returned -1 [0114.639] lstrcmpiW (lpString1="nl", lpString2=".") returned 1 [0114.639] lstrcmpiW (lpString1="nl", lpString2="..") returned 1 [0114.639] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl") returned 141 [0114.639] GetProcessHeap () returned 0x4c0000 [0114.639] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0114.639] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl" [0114.639] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\*" [0114.639] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85a8ef50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a8ef50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85a8ef50, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0114.640] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.640] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.640] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.640] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.640] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.640] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.640] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85a8ef50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a8ef50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85a8ef50, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0114.640] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.640] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.640] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.640] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.640] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.640] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.640] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.640] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85a8ef50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a8ef50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xdd, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0114.640] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0114.640] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0114.640] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0114.640] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0114.640] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0114.640] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0114.640] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0114.640] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\messages.json") returned 155 [0114.641] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0114.641] PathFindExtensionW (pszPath="messages.json") returned=".json" [0114.641] lstrlenW (lpString=".json") returned 5 [0114.641] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0114.641] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0114.641] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=221) returned 1 [0114.641] CloseHandle (hObject=0x16c) returned 1 [0114.641] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85a8ef50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a8ef50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xdd, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0114.641] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0114.641] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\PUSSY.TXT") returned 151 [0114.641] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0114.642] lstrlenA (lpString="abcd") returned 4 [0114.642] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0114.643] CloseHandle (hObject=0x184) returned 1 [0114.643] GetProcessHeap () returned 0x4c0000 [0114.643] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0114.643] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85a8ef50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a8ef50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85a8ef50, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="no", cAlternateFileName="")) returned 1 [0114.643] lstrcmpiW (lpString1="no", lpString2="Windows") returned -1 [0114.643] lstrcmpiW (lpString1="no", lpString2="Program Files") returned -1 [0114.643] lstrcmpiW (lpString1="no", lpString2="Program Files (x86)") returned -1 [0114.643] lstrcmpiW (lpString1="no", lpString2="$Recycle.bin") returned 1 [0114.643] lstrcmpiW (lpString1="no", lpString2="System Volume Information") returned -1 [0114.643] lstrcmpiW (lpString1="no", lpString2=".") returned 1 [0114.643] lstrcmpiW (lpString1="no", lpString2="..") returned 1 [0114.643] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no") returned 141 [0114.643] GetProcessHeap () returned 0x4c0000 [0114.643] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0114.643] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no" [0114.643] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\*" [0114.643] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85a8ef50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a8ef50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85a8ef50, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0114.643] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.643] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.643] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.643] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.643] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.643] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.644] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85a8ef50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a8ef50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85a8ef50, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0114.644] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.644] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.644] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.644] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.644] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.644] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.644] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.644] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85a8ef50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a8ef50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xe4180700, ftLastWriteTime.dwHighDateTime=0x1d03f5e, nFileSizeHigh=0x0, nFileSizeLow=0xcb, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0114.644] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0114.644] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0114.644] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0114.644] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0114.644] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0114.644] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0114.644] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0114.644] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\messages.json") returned 155 [0114.644] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0114.644] PathFindExtensionW (pszPath="messages.json") returned=".json" [0114.644] lstrlenW (lpString=".json") returned 5 [0114.644] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0114.644] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0114.644] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=203) returned 1 [0114.645] CloseHandle (hObject=0x16c) returned 1 [0114.645] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85a8ef50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a8ef50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xe4180700, ftLastWriteTime.dwHighDateTime=0x1d03f5e, nFileSizeHigh=0x0, nFileSizeLow=0xcb, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0114.645] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0114.645] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\PUSSY.TXT") returned 151 [0114.645] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0114.645] lstrlenA (lpString="abcd") returned 4 [0114.645] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0114.646] CloseHandle (hObject=0x184) returned 1 [0114.647] GetProcessHeap () returned 0x4c0000 [0114.647] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0114.647] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85a8ef50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a8ef50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85a8ef50, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="pl", cAlternateFileName="")) returned 1 [0114.647] lstrcmpiW (lpString1="pl", lpString2="Windows") returned -1 [0114.647] lstrcmpiW (lpString1="pl", lpString2="Program Files") returned -1 [0114.647] lstrcmpiW (lpString1="pl", lpString2="Program Files (x86)") returned -1 [0114.647] lstrcmpiW (lpString1="pl", lpString2="$Recycle.bin") returned 1 [0114.647] lstrcmpiW (lpString1="pl", lpString2="System Volume Information") returned -1 [0114.647] lstrcmpiW (lpString1="pl", lpString2=".") returned 1 [0114.647] lstrcmpiW (lpString1="pl", lpString2="..") returned 1 [0114.647] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl") returned 141 [0114.647] GetProcessHeap () returned 0x4c0000 [0114.647] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0114.647] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl" [0114.647] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\*" [0114.647] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85a8ef50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a8ef50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85a8ef50, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0114.648] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.648] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.648] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.648] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.648] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.648] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.648] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85a8ef50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a8ef50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85a8ef50, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0114.648] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.648] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.648] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.648] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.648] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.648] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.648] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.648] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85a8ef50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a8ef50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd9, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0114.649] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0114.649] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0114.649] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0114.649] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0114.649] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0114.649] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0114.649] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0114.649] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\messages.json") returned 155 [0114.649] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0114.649] PathFindExtensionW (pszPath="messages.json") returned=".json" [0114.649] lstrlenW (lpString=".json") returned 5 [0114.649] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0114.649] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0114.649] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=217) returned 1 [0114.649] CloseHandle (hObject=0x16c) returned 1 [0114.649] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85a8ef50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85a8ef50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd9, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0114.649] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0114.649] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\PUSSY.TXT") returned 151 [0114.649] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0114.650] lstrlenA (lpString="abcd") returned 4 [0114.650] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0114.651] CloseHandle (hObject=0x184) returned 1 [0114.651] GetProcessHeap () returned 0x4c0000 [0114.651] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0114.651] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85ab50b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ab50b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85ab50b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="pt_BR", cAlternateFileName="")) returned 1 [0114.651] lstrcmpiW (lpString1="pt_BR", lpString2="Windows") returned -1 [0114.651] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files") returned 1 [0114.651] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files (x86)") returned 1 [0114.651] lstrcmpiW (lpString1="pt_BR", lpString2="$Recycle.bin") returned 1 [0114.651] lstrcmpiW (lpString1="pt_BR", lpString2="System Volume Information") returned -1 [0114.651] lstrcmpiW (lpString1="pt_BR", lpString2=".") returned 1 [0114.651] lstrcmpiW (lpString1="pt_BR", lpString2="..") returned 1 [0114.651] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR") returned 144 [0114.651] GetProcessHeap () returned 0x4c0000 [0114.651] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0114.651] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR" [0114.651] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR\\*" [0114.651] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85ab50b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ab50b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85ab50b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0114.651] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.651] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.651] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.651] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.652] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.652] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.652] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85ab50b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ab50b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85ab50b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0114.652] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.652] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.652] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.652] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.652] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.652] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.652] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.652] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85ab50b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ab6050, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xde, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0114.652] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0114.652] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0114.652] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0114.652] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0114.652] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0114.652] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0114.652] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0114.652] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR\\messages.json") returned 158 [0114.652] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0114.652] PathFindExtensionW (pszPath="messages.json") returned=".json" [0114.652] lstrlenW (lpString=".json") returned 5 [0114.652] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0114.652] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_br\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0114.653] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=222) returned 1 [0114.653] CloseHandle (hObject=0x16c) returned 1 [0114.653] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85ab50b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ab6050, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xde, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0114.653] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0114.653] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR\\PUSSY.TXT") returned 154 [0114.653] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_br\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0114.653] lstrlenA (lpString="abcd") returned 4 [0114.653] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0114.654] CloseHandle (hObject=0x184) returned 1 [0114.654] GetProcessHeap () returned 0x4c0000 [0114.654] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0114.654] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85ab50b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ab50b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85ab50b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="pt_PT", cAlternateFileName="")) returned 1 [0114.654] lstrcmpiW (lpString1="pt_PT", lpString2="Windows") returned -1 [0114.654] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files") returned 1 [0114.654] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files (x86)") returned 1 [0114.654] lstrcmpiW (lpString1="pt_PT", lpString2="$Recycle.bin") returned 1 [0114.654] lstrcmpiW (lpString1="pt_PT", lpString2="System Volume Information") returned -1 [0114.654] lstrcmpiW (lpString1="pt_PT", lpString2=".") returned 1 [0114.654] lstrcmpiW (lpString1="pt_PT", lpString2="..") returned 1 [0114.654] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT") returned 144 [0114.654] GetProcessHeap () returned 0x4c0000 [0114.654] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0114.654] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT" [0114.654] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT\\*" [0114.654] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85ab50b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ab50b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85ab50b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0114.655] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.655] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.655] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.655] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.655] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.655] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.655] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85ab50b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ab50b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85ab50b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0114.656] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.656] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.656] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.656] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.656] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.656] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.656] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.656] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85ab50b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ab6050, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0114.656] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0114.656] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0114.656] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0114.656] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0114.656] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0114.656] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0114.656] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0114.656] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT\\messages.json") returned 158 [0114.656] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0114.656] PathFindExtensionW (pszPath="messages.json") returned=".json" [0114.656] lstrlenW (lpString=".json") returned 5 [0114.656] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0114.656] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_pt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0114.656] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=224) returned 1 [0114.656] CloseHandle (hObject=0x16c) returned 1 [0114.657] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85ab50b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ab6050, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0114.657] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0114.657] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT\\PUSSY.TXT") returned 154 [0114.657] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_pt\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0114.657] lstrlenA (lpString="abcd") returned 4 [0114.657] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0114.658] CloseHandle (hObject=0x184) returned 1 [0114.658] GetProcessHeap () returned 0x4c0000 [0114.658] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0114.658] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85ab50b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85adb210, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85adb210, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ro", cAlternateFileName="")) returned 1 [0114.658] lstrcmpiW (lpString1="ro", lpString2="Windows") returned -1 [0114.658] lstrcmpiW (lpString1="ro", lpString2="Program Files") returned 1 [0114.658] lstrcmpiW (lpString1="ro", lpString2="Program Files (x86)") returned 1 [0114.658] lstrcmpiW (lpString1="ro", lpString2="$Recycle.bin") returned 1 [0114.658] lstrcmpiW (lpString1="ro", lpString2="System Volume Information") returned -1 [0114.658] lstrcmpiW (lpString1="ro", lpString2=".") returned 1 [0114.658] lstrcmpiW (lpString1="ro", lpString2="..") returned 1 [0114.658] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro") returned 141 [0114.658] GetProcessHeap () returned 0x4c0000 [0114.658] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0114.658] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro" [0114.658] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\*" [0114.658] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85ab50b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85adb210, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85adb210, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0114.659] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.659] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.659] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.659] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.659] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.659] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.659] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85ab50b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85adb210, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85adb210, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0114.659] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.659] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.659] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.659] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.659] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.659] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.659] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.659] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85adb210, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85add150, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xde, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0114.659] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0114.659] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0114.659] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0114.659] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0114.659] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0114.659] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0114.659] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0114.659] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\messages.json") returned 155 [0114.659] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0114.659] PathFindExtensionW (pszPath="messages.json") returned=".json" [0114.660] lstrlenW (lpString=".json") returned 5 [0114.660] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0114.660] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0114.660] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=222) returned 1 [0114.660] CloseHandle (hObject=0x16c) returned 1 [0114.660] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85adb210, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85add150, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xde, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0114.660] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0114.660] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\PUSSY.TXT") returned 151 [0114.660] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0114.660] lstrlenA (lpString="abcd") returned 4 [0114.660] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0114.661] CloseHandle (hObject=0x184) returned 1 [0114.661] GetProcessHeap () returned 0x4c0000 [0114.661] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0114.661] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85adb210, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85adb210, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85adb210, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ru", cAlternateFileName="")) returned 1 [0114.661] lstrcmpiW (lpString1="ru", lpString2="Windows") returned -1 [0114.661] lstrcmpiW (lpString1="ru", lpString2="Program Files") returned 1 [0114.662] lstrcmpiW (lpString1="ru", lpString2="Program Files (x86)") returned 1 [0114.662] lstrcmpiW (lpString1="ru", lpString2="$Recycle.bin") returned 1 [0114.662] lstrcmpiW (lpString1="ru", lpString2="System Volume Information") returned -1 [0114.662] lstrcmpiW (lpString1="ru", lpString2=".") returned 1 [0114.662] lstrcmpiW (lpString1="ru", lpString2="..") returned 1 [0114.662] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru") returned 141 [0114.662] GetProcessHeap () returned 0x4c0000 [0114.662] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0114.662] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru" [0114.662] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\*" [0114.662] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85adb210, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85adb210, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85adb210, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0114.663] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.663] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.663] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.663] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.663] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.663] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.663] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85adb210, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85adb210, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85adb210, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0114.663] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.663] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.663] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.663] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.663] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.663] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.663] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.663] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85adb210, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85add150, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x110, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0114.663] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0114.663] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0114.663] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0114.663] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0114.663] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0114.663] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0114.663] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0114.663] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\messages.json") returned 155 [0114.663] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0114.663] PathFindExtensionW (pszPath="messages.json") returned=".json" [0114.663] lstrlenW (lpString=".json") returned 5 [0114.663] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0114.664] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0114.664] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=272) returned 1 [0114.664] CloseHandle (hObject=0x16c) returned 1 [0114.664] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85adb210, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85add150, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x110, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0114.664] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0114.664] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\PUSSY.TXT") returned 151 [0114.664] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0114.664] lstrlenA (lpString="abcd") returned 4 [0114.664] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0114.665] CloseHandle (hObject=0x184) returned 1 [0114.665] GetProcessHeap () returned 0x4c0000 [0114.665] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0114.665] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85adb210, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85adb210, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85adb210, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="sk", cAlternateFileName="")) returned 1 [0114.665] lstrcmpiW (lpString1="sk", lpString2="Windows") returned -1 [0114.665] lstrcmpiW (lpString1="sk", lpString2="Program Files") returned 1 [0114.665] lstrcmpiW (lpString1="sk", lpString2="Program Files (x86)") returned 1 [0114.666] lstrcmpiW (lpString1="sk", lpString2="$Recycle.bin") returned 1 [0114.666] lstrcmpiW (lpString1="sk", lpString2="System Volume Information") returned -1 [0114.666] lstrcmpiW (lpString1="sk", lpString2=".") returned 1 [0114.666] lstrcmpiW (lpString1="sk", lpString2="..") returned 1 [0114.666] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk") returned 141 [0114.666] GetProcessHeap () returned 0x4c0000 [0114.666] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0114.666] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk" [0114.666] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\*" [0114.666] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85adb210, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85adb210, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85adb210, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0114.666] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.666] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.666] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.666] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.666] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.666] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.666] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85adb210, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85adb210, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85adb210, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0114.666] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.666] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.666] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.666] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.666] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.666] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.666] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.666] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85adb210, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85add150, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0114.667] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0114.667] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0114.667] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0114.667] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0114.667] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0114.667] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0114.667] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0114.667] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\messages.json") returned 155 [0114.667] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0114.667] PathFindExtensionW (pszPath="messages.json") returned=".json" [0114.667] lstrlenW (lpString=".json") returned 5 [0114.667] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0114.667] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0114.667] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=227) returned 1 [0114.667] CloseHandle (hObject=0x16c) returned 1 [0114.667] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85adb210, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85add150, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0114.667] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0114.667] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\PUSSY.TXT") returned 151 [0114.667] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0114.668] lstrlenA (lpString="abcd") returned 4 [0114.668] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0114.669] CloseHandle (hObject=0x184) returned 1 [0114.669] GetProcessHeap () returned 0x4c0000 [0114.669] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0114.669] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85adb210, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85adb210, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85adb210, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="sl", cAlternateFileName="")) returned 1 [0114.669] lstrcmpiW (lpString1="sl", lpString2="Windows") returned -1 [0114.669] lstrcmpiW (lpString1="sl", lpString2="Program Files") returned 1 [0114.669] lstrcmpiW (lpString1="sl", lpString2="Program Files (x86)") returned 1 [0114.669] lstrcmpiW (lpString1="sl", lpString2="$Recycle.bin") returned 1 [0114.669] lstrcmpiW (lpString1="sl", lpString2="System Volume Information") returned -1 [0114.669] lstrcmpiW (lpString1="sl", lpString2=".") returned 1 [0114.669] lstrcmpiW (lpString1="sl", lpString2="..") returned 1 [0114.669] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl") returned 141 [0114.669] GetProcessHeap () returned 0x4c0000 [0114.669] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0114.669] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl" [0114.669] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\*" [0114.669] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85adb210, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85adb210, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85adb210, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0114.670] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.670] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.670] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.670] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.670] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.670] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.670] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85adb210, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85adb210, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85adb210, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0114.671] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.671] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.671] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.671] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.671] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.671] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.671] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.671] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85adb210, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85add150, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xdf, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0114.671] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0114.671] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0114.671] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0114.671] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0114.671] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0114.671] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0114.671] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0114.671] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\messages.json") returned 155 [0114.671] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0114.671] PathFindExtensionW (pszPath="messages.json") returned=".json" [0114.671] lstrlenW (lpString=".json") returned 5 [0114.671] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0114.671] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0114.671] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=223) returned 1 [0114.671] CloseHandle (hObject=0x16c) returned 1 [0114.672] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85adb210, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85add150, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xdf, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0114.672] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0114.672] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\PUSSY.TXT") returned 151 [0114.672] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0114.672] lstrlenA (lpString="abcd") returned 4 [0114.672] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0114.673] CloseHandle (hObject=0x184) returned 1 [0114.673] GetProcessHeap () returned 0x4c0000 [0114.673] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0114.673] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85b01370, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b01370, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85b01370, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="sr", cAlternateFileName="")) returned 1 [0114.673] lstrcmpiW (lpString1="sr", lpString2="Windows") returned -1 [0114.673] lstrcmpiW (lpString1="sr", lpString2="Program Files") returned 1 [0114.673] lstrcmpiW (lpString1="sr", lpString2="Program Files (x86)") returned 1 [0114.673] lstrcmpiW (lpString1="sr", lpString2="$Recycle.bin") returned 1 [0114.673] lstrcmpiW (lpString1="sr", lpString2="System Volume Information") returned -1 [0114.673] lstrcmpiW (lpString1="sr", lpString2=".") returned 1 [0114.673] lstrcmpiW (lpString1="sr", lpString2="..") returned 1 [0114.673] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr") returned 141 [0114.673] GetProcessHeap () returned 0x4c0000 [0114.673] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0114.673] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr" [0114.673] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\*" [0114.673] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85b01370, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b01370, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85b01370, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0114.674] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.674] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.674] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.674] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.674] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.674] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.674] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85b01370, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b01370, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85b01370, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0114.674] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.674] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.674] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.674] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.674] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.674] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.674] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.674] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85b01370, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b01b40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x104, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0114.674] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0114.674] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0114.674] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0114.674] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0114.674] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0114.674] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0114.674] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0114.674] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\messages.json") returned 155 [0114.674] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0114.675] PathFindExtensionW (pszPath="messages.json") returned=".json" [0114.675] lstrlenW (lpString=".json") returned 5 [0114.675] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0114.675] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0114.675] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=260) returned 1 [0114.675] CloseHandle (hObject=0x16c) returned 1 [0114.675] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85b01370, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b01b40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x104, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0114.675] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0114.675] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\PUSSY.TXT") returned 151 [0114.675] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0114.675] lstrlenA (lpString="abcd") returned 4 [0114.675] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0114.677] CloseHandle (hObject=0x184) returned 1 [0114.677] GetProcessHeap () returned 0x4c0000 [0114.677] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0114.677] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85b01370, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b01370, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85b01370, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="sv", cAlternateFileName="")) returned 1 [0114.677] lstrcmpiW (lpString1="sv", lpString2="Windows") returned -1 [0114.677] lstrcmpiW (lpString1="sv", lpString2="Program Files") returned 1 [0114.677] lstrcmpiW (lpString1="sv", lpString2="Program Files (x86)") returned 1 [0114.677] lstrcmpiW (lpString1="sv", lpString2="$Recycle.bin") returned 1 [0114.677] lstrcmpiW (lpString1="sv", lpString2="System Volume Information") returned -1 [0114.677] lstrcmpiW (lpString1="sv", lpString2=".") returned 1 [0114.677] lstrcmpiW (lpString1="sv", lpString2="..") returned 1 [0114.677] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv") returned 141 [0114.677] GetProcessHeap () returned 0x4c0000 [0114.677] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0114.677] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv" [0114.677] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\*" [0114.677] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85b01370, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b01370, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85b01370, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0114.678] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.678] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.678] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.678] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.678] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.678] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.679] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85b01370, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b01370, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85b01370, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0114.679] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.679] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.679] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.679] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.679] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.679] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.679] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.679] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85b01370, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b01b40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe2, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0114.679] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0114.679] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0114.679] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0114.679] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0114.679] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0114.679] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0114.679] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0114.679] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\messages.json") returned 155 [0114.679] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0114.679] PathFindExtensionW (pszPath="messages.json") returned=".json" [0114.679] lstrlenW (lpString=".json") returned 5 [0114.679] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0114.679] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0114.680] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=226) returned 1 [0114.680] CloseHandle (hObject=0x16c) returned 1 [0114.680] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85b01370, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b01b40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe2, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0114.680] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0114.680] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\PUSSY.TXT") returned 151 [0114.680] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0114.680] lstrlenA (lpString="abcd") returned 4 [0114.680] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0114.682] CloseHandle (hObject=0x184) returned 1 [0114.682] GetProcessHeap () returned 0x4c0000 [0114.682] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0114.682] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85b01370, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b01370, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85b01370, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="th", cAlternateFileName="")) returned 1 [0114.682] lstrcmpiW (lpString1="th", lpString2="Windows") returned -1 [0114.682] lstrcmpiW (lpString1="th", lpString2="Program Files") returned 1 [0114.682] lstrcmpiW (lpString1="th", lpString2="Program Files (x86)") returned 1 [0114.682] lstrcmpiW (lpString1="th", lpString2="$Recycle.bin") returned 1 [0114.682] lstrcmpiW (lpString1="th", lpString2="System Volume Information") returned 1 [0114.682] lstrcmpiW (lpString1="th", lpString2=".") returned 1 [0114.682] lstrcmpiW (lpString1="th", lpString2="..") returned 1 [0114.682] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th") returned 141 [0114.682] GetProcessHeap () returned 0x4c0000 [0114.682] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0114.682] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th" [0114.682] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\*" [0114.682] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85b01370, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b01370, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85b01370, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0114.683] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.683] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.683] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.683] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.683] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.683] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.683] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85b01370, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b01370, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85b01370, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0114.683] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.683] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.683] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.683] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.683] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.683] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.683] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.683] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85b01370, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b01b40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x104, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0114.683] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0114.683] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0114.683] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0114.683] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0114.683] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0114.684] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0114.684] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0114.684] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\messages.json") returned 155 [0114.684] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0114.684] PathFindExtensionW (pszPath="messages.json") returned=".json" [0114.684] lstrlenW (lpString=".json") returned 5 [0114.684] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0114.684] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0114.684] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=260) returned 1 [0114.684] CloseHandle (hObject=0x16c) returned 1 [0114.684] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85b01370, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b01b40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x104, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0114.684] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0114.684] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\PUSSY.TXT") returned 151 [0114.685] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0114.685] lstrlenA (lpString="abcd") returned 4 [0114.685] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0114.686] CloseHandle (hObject=0x184) returned 1 [0114.686] GetProcessHeap () returned 0x4c0000 [0114.686] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0114.686] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85b01370, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b274d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85b274d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="tr", cAlternateFileName="")) returned 1 [0114.686] lstrcmpiW (lpString1="tr", lpString2="Windows") returned -1 [0114.686] lstrcmpiW (lpString1="tr", lpString2="Program Files") returned 1 [0114.686] lstrcmpiW (lpString1="tr", lpString2="Program Files (x86)") returned 1 [0114.686] lstrcmpiW (lpString1="tr", lpString2="$Recycle.bin") returned 1 [0114.686] lstrcmpiW (lpString1="tr", lpString2="System Volume Information") returned 1 [0114.686] lstrcmpiW (lpString1="tr", lpString2=".") returned 1 [0114.686] lstrcmpiW (lpString1="tr", lpString2="..") returned 1 [0114.686] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr") returned 141 [0114.686] GetProcessHeap () returned 0x4c0000 [0114.686] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0114.687] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr" [0114.687] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\*" [0114.687] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85b01370, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b274d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85b274d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0114.688] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.688] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.688] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.688] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.688] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.688] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.688] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85b01370, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b274d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85b274d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0114.688] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.688] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.688] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.688] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.688] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.688] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.688] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.688] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85b274d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b28c40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xdd, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0114.688] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0114.688] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0114.688] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0114.688] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0114.688] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0114.688] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0114.688] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0114.688] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\messages.json") returned 155 [0114.688] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0114.688] PathFindExtensionW (pszPath="messages.json") returned=".json" [0114.689] lstrlenW (lpString=".json") returned 5 [0114.689] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0114.689] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0114.689] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=221) returned 1 [0114.689] CloseHandle (hObject=0x16c) returned 1 [0114.689] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85b274d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b28c40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xdd, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0114.689] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0114.689] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\PUSSY.TXT") returned 151 [0114.689] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0114.690] lstrlenA (lpString="abcd") returned 4 [0114.690] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0114.690] CloseHandle (hObject=0x184) returned 1 [0114.691] GetProcessHeap () returned 0x4c0000 [0114.691] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0114.691] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85b274d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b274d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85b274d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="uk", cAlternateFileName="")) returned 1 [0114.691] lstrcmpiW (lpString1="uk", lpString2="Windows") returned -1 [0114.691] lstrcmpiW (lpString1="uk", lpString2="Program Files") returned 1 [0114.691] lstrcmpiW (lpString1="uk", lpString2="Program Files (x86)") returned 1 [0114.691] lstrcmpiW (lpString1="uk", lpString2="$Recycle.bin") returned 1 [0114.691] lstrcmpiW (lpString1="uk", lpString2="System Volume Information") returned 1 [0114.691] lstrcmpiW (lpString1="uk", lpString2=".") returned 1 [0114.691] lstrcmpiW (lpString1="uk", lpString2="..") returned 1 [0114.691] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk") returned 141 [0114.691] GetProcessHeap () returned 0x4c0000 [0114.691] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0114.691] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk" [0114.691] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\*" [0114.691] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85b274d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b274d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85b274d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0114.691] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.691] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.691] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.691] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.691] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.691] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.691] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85b274d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b274d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85b274d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0114.692] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.692] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.692] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.692] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.692] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.692] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.692] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.692] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85b274d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b28c40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x10e, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0114.692] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0114.692] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0114.692] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0114.692] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0114.692] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0114.692] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0114.692] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0114.692] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\messages.json") returned 155 [0114.692] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0114.692] PathFindExtensionW (pszPath="messages.json") returned=".json" [0114.692] lstrlenW (lpString=".json") returned 5 [0114.692] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0114.692] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0114.693] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=270) returned 1 [0114.693] CloseHandle (hObject=0x16c) returned 1 [0114.693] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85b274d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b28c40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x10e, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0114.693] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0114.693] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\PUSSY.TXT") returned 151 [0114.693] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0114.693] lstrlenA (lpString="abcd") returned 4 [0114.693] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0114.694] CloseHandle (hObject=0x184) returned 1 [0114.695] GetProcessHeap () returned 0x4c0000 [0114.695] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0114.695] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85b274d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b274d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85b274d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="vi", cAlternateFileName="")) returned 1 [0114.695] lstrcmpiW (lpString1="vi", lpString2="Windows") returned -1 [0114.695] lstrcmpiW (lpString1="vi", lpString2="Program Files") returned 1 [0114.695] lstrcmpiW (lpString1="vi", lpString2="Program Files (x86)") returned 1 [0114.695] lstrcmpiW (lpString1="vi", lpString2="$Recycle.bin") returned 1 [0114.695] lstrcmpiW (lpString1="vi", lpString2="System Volume Information") returned 1 [0114.695] lstrcmpiW (lpString1="vi", lpString2=".") returned 1 [0114.695] lstrcmpiW (lpString1="vi", lpString2="..") returned 1 [0114.695] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi") returned 141 [0114.695] GetProcessHeap () returned 0x4c0000 [0114.695] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0114.695] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi" [0114.695] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\*" [0114.695] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85b274d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b274d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85b274d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0114.696] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.696] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.696] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.696] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.696] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.696] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.696] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85b274d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b274d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85b274d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0114.696] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.696] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.696] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.697] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.697] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.697] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.697] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.697] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85b274d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b28c40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xed, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0114.697] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0114.697] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0114.697] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0114.697] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0114.697] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0114.697] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0114.697] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0114.697] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\messages.json") returned 155 [0114.697] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0114.697] PathFindExtensionW (pszPath="messages.json") returned=".json" [0114.697] lstrlenW (lpString=".json") returned 5 [0114.697] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0114.697] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0114.698] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=237) returned 1 [0114.698] CloseHandle (hObject=0x16c) returned 1 [0114.698] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85b274d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b28c40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xed, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0114.698] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0114.698] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\PUSSY.TXT") returned 151 [0114.698] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0114.698] lstrlenA (lpString="abcd") returned 4 [0114.698] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0114.700] CloseHandle (hObject=0x184) returned 1 [0114.700] GetProcessHeap () returned 0x4c0000 [0114.700] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0114.700] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85b274d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b274d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85b274d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="zh_CN", cAlternateFileName="")) returned 1 [0114.700] lstrcmpiW (lpString1="zh_CN", lpString2="Windows") returned 1 [0114.700] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files") returned 1 [0114.700] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files (x86)") returned 1 [0114.700] lstrcmpiW (lpString1="zh_CN", lpString2="$Recycle.bin") returned 1 [0114.700] lstrcmpiW (lpString1="zh_CN", lpString2="System Volume Information") returned 1 [0114.700] lstrcmpiW (lpString1="zh_CN", lpString2=".") returned 1 [0114.700] lstrcmpiW (lpString1="zh_CN", lpString2="..") returned 1 [0114.700] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN") returned 144 [0114.700] GetProcessHeap () returned 0x4c0000 [0114.700] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0114.700] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN" [0114.700] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN\\*" [0114.700] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85b274d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b274d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85b274d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0114.701] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.701] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.701] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.701] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.701] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.701] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.701] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85b274d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b274d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85b274d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0114.701] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.701] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.701] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.701] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.701] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.701] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.701] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.701] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85b274d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b28c40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd7, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0114.701] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0114.701] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0114.701] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0114.701] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0114.701] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0114.701] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0114.701] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0114.701] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN\\messages.json") returned 158 [0114.701] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0114.701] PathFindExtensionW (pszPath="messages.json") returned=".json" [0114.702] lstrlenW (lpString=".json") returned 5 [0114.702] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0114.702] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_cn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0114.702] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=215) returned 1 [0114.702] CloseHandle (hObject=0x16c) returned 1 [0114.703] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85b274d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b28c40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd7, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0114.703] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0114.703] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN\\PUSSY.TXT") returned 154 [0114.703] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_cn\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0114.703] lstrlenA (lpString="abcd") returned 4 [0114.703] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0114.704] CloseHandle (hObject=0x184) returned 1 [0114.704] GetProcessHeap () returned 0x4c0000 [0114.705] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0114.705] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85b4d630, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b4d630, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85b4d630, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="zh_TW", cAlternateFileName="")) returned 1 [0114.705] lstrcmpiW (lpString1="zh_TW", lpString2="Windows") returned 1 [0114.705] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files") returned 1 [0114.705] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files (x86)") returned 1 [0114.705] lstrcmpiW (lpString1="zh_TW", lpString2="$Recycle.bin") returned 1 [0114.705] lstrcmpiW (lpString1="zh_TW", lpString2="System Volume Information") returned 1 [0114.705] lstrcmpiW (lpString1="zh_TW", lpString2=".") returned 1 [0114.705] lstrcmpiW (lpString1="zh_TW", lpString2="..") returned 1 [0114.705] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW") returned 144 [0114.705] GetProcessHeap () returned 0x4c0000 [0114.705] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0114.705] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW" [0114.705] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW\\*" [0114.705] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85b4d630, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b4d630, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85b4d630, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0114.705] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.705] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.705] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.705] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.706] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.706] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.706] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85b4d630, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b4d630, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85b4d630, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0114.706] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.706] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.706] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.706] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.706] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.706] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.706] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.706] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85b4d630, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b4d630, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd1, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0114.706] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0114.706] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0114.706] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0114.706] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0114.706] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0114.706] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0114.706] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0114.706] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW\\messages.json") returned 158 [0114.706] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0114.706] PathFindExtensionW (pszPath="messages.json") returned=".json" [0114.706] lstrlenW (lpString=".json") returned 5 [0114.706] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0114.706] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_tw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0114.707] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=209) returned 1 [0114.707] CloseHandle (hObject=0x16c) returned 1 [0114.707] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85b4d630, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b4d630, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd1, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0114.707] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0114.707] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW\\PUSSY.TXT") returned 154 [0114.707] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_tw\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0114.708] lstrlenA (lpString="abcd") returned 4 [0114.708] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0114.709] CloseHandle (hObject=0x184) returned 1 [0114.709] GetProcessHeap () returned 0x4c0000 [0114.709] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0114.709] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85b4d630, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b4d630, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85b4d630, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="zh_TW", cAlternateFileName="")) returned 0 [0114.709] FindClose (in: hFindFile=0x3bb71e0 | out: hFindFile=0x3bb71e0) returned 1 [0114.709] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\PUSSY.TXT") returned 148 [0114.709] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0114.709] lstrlenA (lpString="abcd") returned 4 [0114.710] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2899ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x2899ac*=0x4, lpOverlapped=0x0) returned 1 [0114.711] CloseHandle (hObject=0x1b0) returned 1 [0114.711] GetProcessHeap () returned 0x4c0000 [0114.711] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0114.715] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85b998f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85d166b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85d166b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="_metadata", cAlternateFileName="_METAD~1")) returned 1 [0114.715] lstrcmpiW (lpString1="_metadata", lpString2="Windows") returned -1 [0114.715] lstrcmpiW (lpString1="_metadata", lpString2="Program Files") returned -1 [0114.715] lstrcmpiW (lpString1="_metadata", lpString2="Program Files (x86)") returned -1 [0114.715] lstrcmpiW (lpString1="_metadata", lpString2="$Recycle.bin") returned 1 [0114.715] lstrcmpiW (lpString1="_metadata", lpString2="System Volume Information") returned -1 [0114.715] lstrcmpiW (lpString1="_metadata", lpString2=".") returned 1 [0114.715] lstrcmpiW (lpString1="_metadata", lpString2="..") returned 1 [0114.715] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata") returned 139 [0114.715] GetProcessHeap () returned 0x4c0000 [0114.715] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0114.716] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata" [0114.716] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\*" [0114.716] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\*", lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85b998f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85d166b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85d166b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb71e0 [0114.717] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.717] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.717] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.717] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.717] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.717] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.717] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85b998f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85d166b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85d166b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0114.717] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.717] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.717] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.717] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.717] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.717] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.717] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.717] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85d166b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85d166b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85d166b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x160, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="computed_hashes.json", cAlternateFileName="COMPUT~1.JSO")) returned 1 [0114.717] lstrcmpiW (lpString1="computed_hashes.json", lpString2="Windows") returned -1 [0114.718] lstrcmpiW (lpString1="computed_hashes.json", lpString2="Program Files") returned -1 [0114.718] lstrcmpiW (lpString1="computed_hashes.json", lpString2="Program Files (x86)") returned -1 [0114.718] lstrcmpiW (lpString1="computed_hashes.json", lpString2="$Recycle.bin") returned 1 [0114.718] lstrcmpiW (lpString1="computed_hashes.json", lpString2="System Volume Information") returned -1 [0114.718] lstrcmpiW (lpString1="computed_hashes.json", lpString2=".") returned 1 [0114.718] lstrcmpiW (lpString1="computed_hashes.json", lpString2="..") returned 1 [0114.718] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\computed_hashes.json") returned 160 [0114.718] lstrcmpW (lpString1="computed_hashes.json", lpString2="PUSSY.TXT") returned -1 [0114.718] PathFindExtensionW (pszPath="computed_hashes.json") returned=".json" [0114.718] lstrlenW (lpString=".json") returned 5 [0114.718] SystemFunction036 (in: RandomBuffer=0x289644, RandomBufferLength=0x20 | out: RandomBuffer=0x289644) returned 1 [0114.718] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\computed_hashes.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\computed_hashes.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0114.718] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x289638 | out: lpFileSize=0x289638*=352) returned 1 [0114.718] CloseHandle (hObject=0x184) returned 1 [0114.719] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85b998f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b9b830, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xe4180700, ftLastWriteTime.dwHighDateTime=0x1d03f5e, nFileSizeHigh=0x0, nFileSizeLow=0x2b56, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="verified_contents.json", cAlternateFileName="VERIFI~1.JSO")) returned 1 [0114.719] lstrcmpiW (lpString1="verified_contents.json", lpString2="Windows") returned -1 [0114.719] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files") returned 1 [0114.719] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files (x86)") returned 1 [0114.719] lstrcmpiW (lpString1="verified_contents.json", lpString2="$Recycle.bin") returned 1 [0114.719] lstrcmpiW (lpString1="verified_contents.json", lpString2="System Volume Information") returned 1 [0114.719] lstrcmpiW (lpString1="verified_contents.json", lpString2=".") returned 1 [0114.719] lstrcmpiW (lpString1="verified_contents.json", lpString2="..") returned 1 [0114.719] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\verified_contents.json") returned 162 [0114.719] lstrcmpW (lpString1="verified_contents.json", lpString2="PUSSY.TXT") returned 1 [0114.719] PathFindExtensionW (pszPath="verified_contents.json") returned=".json" [0114.719] lstrlenW (lpString=".json") returned 5 [0114.719] SystemFunction036 (in: RandomBuffer=0x289644, RandomBufferLength=0x20 | out: RandomBuffer=0x289644) returned 1 [0114.719] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\verified_contents.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0114.719] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x289638 | out: lpFileSize=0x289638*=11094) returned 1 [0114.719] GetProcessHeap () returned 0x4c0000 [0114.719] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3ca0008 [0114.735] wsprintfW (in: param_1=0x289686, param_2="%02X" | out: param_1="9A") returned 2 [0114.735] wsprintfW (in: param_1=0x28968a, param_2="%02X" | out: param_1="CC") returned 2 [0114.735] wsprintfW (in: param_1=0x28968e, param_2="%02X" | out: param_1="0A") returned 2 [0114.735] wsprintfW (in: param_1=0x289692, param_2="%02X" | out: param_1="CE") returned 2 [0114.735] wsprintfW (in: param_1=0x289696, param_2="%02X" | out: param_1="B6") returned 2 [0114.735] wsprintfW (in: param_1=0x28969a, param_2="%02X" | out: param_1="05") returned 2 [0114.735] wsprintfW (in: param_1=0x28969e, param_2="%02X" | out: param_1="A9") returned 2 [0114.735] wsprintfW (in: param_1=0x2896a2, param_2="%02X" | out: param_1="03") returned 2 [0114.735] wsprintfW (in: param_1=0x2896a6, param_2="%02X" | out: param_1="50") returned 2 [0114.736] wsprintfW (in: param_1=0x2896aa, param_2="%02X" | out: param_1="53") returned 2 [0114.736] wsprintfW (in: param_1=0x2896ae, param_2="%02X" | out: param_1="49") returned 2 [0114.736] wsprintfW (in: param_1=0x2896b2, param_2="%02X" | out: param_1="3A") returned 2 [0114.736] wsprintfW (in: param_1=0x2896b6, param_2="%02X" | out: param_1="1E") returned 2 [0114.736] wsprintfW (in: param_1=0x2896ba, param_2="%02X" | out: param_1="F5") returned 2 [0114.736] wsprintfW (in: param_1=0x2896be, param_2="%02X" | out: param_1="2F") returned 2 [0114.736] wsprintfW (in: param_1=0x2896c2, param_2="%02X" | out: param_1="6E") returned 2 [0114.736] wsprintfW (in: param_1=0x2896c6, param_2="%02X" | out: param_1="15") returned 2 [0114.736] wsprintfW (in: param_1=0x2896ca, param_2="%02X" | out: param_1="88") returned 2 [0114.736] wsprintfW (in: param_1=0x2896ce, param_2="%02X" | out: param_1="8A") returned 2 [0114.736] wsprintfW (in: param_1=0x2896d2, param_2="%02X" | out: param_1="69") returned 2 [0114.736] wsprintfW (in: param_1=0x2896d6, param_2="%02X" | out: param_1="41") returned 2 [0114.736] wsprintfW (in: param_1=0x2896da, param_2="%02X" | out: param_1="45") returned 2 [0114.736] wsprintfW (in: param_1=0x2896de, param_2="%02X" | out: param_1="3B") returned 2 [0114.736] wsprintfW (in: param_1=0x2896e2, param_2="%02X" | out: param_1="7B") returned 2 [0114.736] wsprintfW (in: param_1=0x2896e6, param_2="%02X" | out: param_1="54") returned 2 [0114.736] wsprintfW (in: param_1=0x2896ea, param_2="%02X" | out: param_1="33") returned 2 [0114.736] wsprintfW (in: param_1=0x2896ee, param_2="%02X" | out: param_1="76") returned 2 [0114.736] wsprintfW (in: param_1=0x2896f2, param_2="%02X" | out: param_1="3B") returned 2 [0114.736] wsprintfW (in: param_1=0x2896f6, param_2="%02X" | out: param_1="20") returned 2 [0114.736] wsprintfW (in: param_1=0x2896fa, param_2="%02X" | out: param_1="0F") returned 2 [0114.736] wsprintfW (in: param_1=0x2896fe, param_2="%02X" | out: param_1="B1") returned 2 [0114.736] wsprintfW (in: param_1=0x289702, param_2="%02X" | out: param_1="2E") returned 2 [0114.749] lstrcpyW (in: lpString1=0x3cb003c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\verified_contents.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\verified_contents.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\verified_contents.json" [0114.749] lstrcpyW (in: lpString1=0x3ca003c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\verified_contents.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\verified_contents.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\verified_contents.json" [0114.749] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\verified_contents.json", lpString2=".9ACC0ACEB605A9035053493A1EF52F6E15888A6941453B7B5433763B200FB12E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\verified_contents.json.9ACC0ACEB605A9035053493A1EF52F6E15888A6941453B7B5433763B200FB12E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\verified_contents.json.9ACC0ACEB605A9035053493A1EF52F6E15888A6941453B7B5433763B200FB12E" [0114.750] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x3ca0008, NumberOfConcurrentThreads=0x0) returned 0x94 [0114.750] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3ca0008, lpOverlapped=0x3ca0008) returned 1 [0114.750] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85b998f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b9b830, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xe4180700, ftLastWriteTime.dwHighDateTime=0x1d03f5e, nFileSizeHigh=0x0, nFileSizeLow=0x2b56, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="verified_contents.json", cAlternateFileName="VERIFI~1.JSO")) returned 0 [0114.750] FindClose (in: hFindFile=0x3bb71e0 | out: hFindFile=0x3bb71e0) returned 1 [0114.750] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\PUSSY.TXT") returned 149 [0114.750] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0114.773] lstrlenA (lpString="abcd") returned 4 [0114.773] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2899ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x2899ac*=0x4, lpOverlapped=0x0) returned 1 [0114.774] CloseHandle (hObject=0x1b0) returned 1 [0114.774] GetProcessHeap () returned 0x4c0000 [0114.774] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0114.774] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85b998f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85d166b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85d166b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="_metadata", cAlternateFileName="_METAD~1")) returned 0 [0114.774] FindClose (in: hFindFile=0x3bb71a0 | out: hFindFile=0x3bb71a0) returned 1 [0114.774] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\PUSSY.TXT") returned 139 [0114.774] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0114.775] lstrlenA (lpString="abcd") returned 4 [0114.775] WriteFile (in: hFile=0x178, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a14c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a14c*=0x4, lpOverlapped=0x0) returned 1 [0114.776] CloseHandle (hObject=0x178) returned 1 [0114.776] GetProcessHeap () returned 0x4c0000 [0114.776] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0114.778] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x857953d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85cca3f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="0.9_0", cAlternateFileName="")) returned 0 [0114.778] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0114.778] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\PUSSY.TXT") returned 133 [0114.778] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0114.778] lstrlenA (lpString="abcd") returned 4 [0114.778] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a8ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a8ec*=0x4, lpOverlapped=0x0) returned 1 [0114.780] CloseHandle (hObject=0x18c) returned 1 [0114.780] GetProcessHeap () returned 0x4c0000 [0114.780] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bd80e8 | out: hHeap=0x4c0000) returned 1 [0114.780] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x80d1a580, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x916d8210, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x916d8210, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="aohghmighlieiainnegkcijnfilokake", cAlternateFileName="AOHGHM~1")) returned 1 [0114.780] lstrcmpiW (lpString1="aohghmighlieiainnegkcijnfilokake", lpString2="Windows") returned -1 [0114.780] lstrcmpiW (lpString1="aohghmighlieiainnegkcijnfilokake", lpString2="Program Files") returned -1 [0114.780] lstrcmpiW (lpString1="aohghmighlieiainnegkcijnfilokake", lpString2="Program Files (x86)") returned -1 [0114.780] lstrcmpiW (lpString1="aohghmighlieiainnegkcijnfilokake", lpString2="$Recycle.bin") returned 1 [0114.780] lstrcmpiW (lpString1="aohghmighlieiainnegkcijnfilokake", lpString2="System Volume Information") returned -1 [0114.780] lstrcmpiW (lpString1="aohghmighlieiainnegkcijnfilokake", lpString2=".") returned 1 [0114.780] lstrcmpiW (lpString1="aohghmighlieiainnegkcijnfilokake", lpString2="..") returned 1 [0114.780] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake") returned 123 [0114.781] GetProcessHeap () returned 0x4c0000 [0114.781] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bd80e8 [0114.781] lstrcpyW (in: lpString1=0x3bd80e8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake" [0114.781] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\*" [0114.781] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\*", lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x80d1a580, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x916d8210, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x916d8210, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0114.781] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.781] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.781] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.781] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.781] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.781] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.781] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x80d1a580, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x916d8210, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x916d8210, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0114.781] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.781] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.781] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.781] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.782] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.782] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.782] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.782] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x864c72b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86833250, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="0.9_0", cAlternateFileName="")) returned 1 [0114.782] lstrcmpiW (lpString1="0.9_0", lpString2="Windows") returned -1 [0114.782] lstrcmpiW (lpString1="0.9_0", lpString2="Program Files") returned -1 [0114.782] lstrcmpiW (lpString1="0.9_0", lpString2="Program Files (x86)") returned -1 [0114.782] lstrcmpiW (lpString1="0.9_0", lpString2="$Recycle.bin") returned 1 [0114.782] lstrcmpiW (lpString1="0.9_0", lpString2="System Volume Information") returned -1 [0114.782] lstrcmpiW (lpString1="0.9_0", lpString2=".") returned 1 [0114.782] lstrcmpiW (lpString1="0.9_0", lpString2="..") returned 1 [0114.782] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0") returned 129 [0114.782] GetProcessHeap () returned 0x4c0000 [0114.782] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x502a88 [0114.783] lstrcpyW (in: lpString1=0x502a88, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0" [0114.783] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\*" [0114.783] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\*", lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x864c72b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86833250, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb71a0 [0114.793] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0114.793] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0114.793] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0114.793] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0114.793] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0114.793] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.793] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x864c72b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86833250, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0114.794] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0114.794] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0114.794] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0114.794] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0114.794] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0114.794] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.794] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.794] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86702750, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86833250, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xc8d, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="icon_128.png", cAlternateFileName="")) returned 1 [0114.794] lstrcmpiW (lpString1="icon_128.png", lpString2="Windows") returned -1 [0114.794] lstrcmpiW (lpString1="icon_128.png", lpString2="Program Files") returned -1 [0114.794] lstrcmpiW (lpString1="icon_128.png", lpString2="Program Files (x86)") returned -1 [0114.794] lstrcmpiW (lpString1="icon_128.png", lpString2="$Recycle.bin") returned 1 [0114.794] lstrcmpiW (lpString1="icon_128.png", lpString2="System Volume Information") returned -1 [0114.794] lstrcmpiW (lpString1="icon_128.png", lpString2=".") returned 1 [0114.794] lstrcmpiW (lpString1="icon_128.png", lpString2="..") returned 1 [0114.794] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png") returned 142 [0114.794] lstrcmpW (lpString1="icon_128.png", lpString2="PUSSY.TXT") returned -1 [0114.794] PathFindExtensionW (pszPath="icon_128.png") returned=".png" [0114.794] lstrlenW (lpString=".png") returned 4 [0114.794] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0114.794] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0114.796] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=3213) returned 1 [0114.796] GetProcessHeap () returned 0x4c0000 [0114.796] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3ca0008 [0114.825] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="38") returned 2 [0114.825] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="64") returned 2 [0114.825] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="D7") returned 2 [0114.825] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="6E") returned 2 [0114.825] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="93") returned 2 [0114.825] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="4E") returned 2 [0114.825] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="21") returned 2 [0114.825] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="78") returned 2 [0114.825] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="0E") returned 2 [0114.825] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="4D") returned 2 [0114.825] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="D4") returned 2 [0114.825] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="A5") returned 2 [0114.825] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="65") returned 2 [0114.825] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="97") returned 2 [0114.825] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="18") returned 2 [0114.825] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="38") returned 2 [0114.825] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="E3") returned 2 [0114.825] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="77") returned 2 [0114.826] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="D9") returned 2 [0114.826] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="75") returned 2 [0114.826] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="54") returned 2 [0114.826] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="FA") returned 2 [0114.826] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="DB") returned 2 [0114.826] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="83") returned 2 [0114.826] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="D2") returned 2 [0114.826] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="27") returned 2 [0114.826] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="CF") returned 2 [0114.826] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="96") returned 2 [0114.826] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="6F") returned 2 [0114.826] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="F7") returned 2 [0114.826] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="79") returned 2 [0114.826] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="31") returned 2 [0114.839] lstrcpyW (in: lpString1=0x3cb003c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png" [0114.839] lstrcpyW (in: lpString1=0x3ca003c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png" [0114.839] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png", lpString2=".3864D76E934E21780E4DD4A565971838E377D97554FADB83D227CF966FF77931" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png.3864D76E934E21780E4DD4A565971838E377D97554FADB83D227CF966FF77931") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png.3864D76E934E21780E4DD4A565971838E377D97554FADB83D227CF966FF77931" [0114.839] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x3ca0008, NumberOfConcurrentThreads=0x0) returned 0x94 [0114.839] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3ca0008, lpOverlapped=0x3ca0008) returned 1 [0114.839] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86702750, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86833250, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x8f, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="icon_16.png", cAlternateFileName="")) returned 1 [0114.839] lstrcmpiW (lpString1="icon_16.png", lpString2="Windows") returned -1 [0114.839] lstrcmpiW (lpString1="icon_16.png", lpString2="Program Files") returned -1 [0114.839] lstrcmpiW (lpString1="icon_16.png", lpString2="Program Files (x86)") returned -1 [0114.839] lstrcmpiW (lpString1="icon_16.png", lpString2="$Recycle.bin") returned 1 [0114.839] lstrcmpiW (lpString1="icon_16.png", lpString2="System Volume Information") returned -1 [0114.839] lstrcmpiW (lpString1="icon_16.png", lpString2=".") returned 1 [0114.839] lstrcmpiW (lpString1="icon_16.png", lpString2="..") returned 1 [0114.839] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_16.png") returned 141 [0114.839] lstrcmpW (lpString1="icon_16.png", lpString2="PUSSY.TXT") returned -1 [0114.839] PathFindExtensionW (pszPath="icon_16.png") returned=".png" [0114.839] lstrlenW (lpString=".png") returned 4 [0114.840] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0114.840] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_16.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_16.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0114.849] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=143) returned 1 [0114.850] CloseHandle (hObject=0x184) returned 1 [0114.850] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86702750, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86702750, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfe051a00, ftLastWriteTime.dwHighDateTime=0x1d03f5d, nFileSizeHigh=0x0, nFileSizeLow=0x5c, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="main.html", cAlternateFileName="MAIN~1.HTM")) returned 1 [0114.850] lstrcmpiW (lpString1="main.html", lpString2="Windows") returned -1 [0114.850] lstrcmpiW (lpString1="main.html", lpString2="Program Files") returned -1 [0114.850] lstrcmpiW (lpString1="main.html", lpString2="Program Files (x86)") returned -1 [0114.850] lstrcmpiW (lpString1="main.html", lpString2="$Recycle.bin") returned 1 [0114.850] lstrcmpiW (lpString1="main.html", lpString2="System Volume Information") returned -1 [0114.850] lstrcmpiW (lpString1="main.html", lpString2=".") returned 1 [0114.850] lstrcmpiW (lpString1="main.html", lpString2="..") returned 1 [0114.850] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.html") returned 139 [0114.850] lstrcmpW (lpString1="main.html", lpString2="PUSSY.TXT") returned -1 [0114.850] PathFindExtensionW (pszPath="main.html") returned=".html" [0114.850] lstrlenW (lpString=".html") returned 5 [0114.850] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0114.850] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0114.851] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=92) returned 1 [0114.851] CloseHandle (hObject=0x184) returned 1 [0114.851] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86702750, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86702750, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfe051a00, ftLastWriteTime.dwHighDateTime=0x1d03f5d, nFileSizeHigh=0x0, nFileSizeLow=0x5b, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="main.js", cAlternateFileName="")) returned 1 [0114.851] lstrcmpiW (lpString1="main.js", lpString2="Windows") returned -1 [0114.851] lstrcmpiW (lpString1="main.js", lpString2="Program Files") returned -1 [0114.851] lstrcmpiW (lpString1="main.js", lpString2="Program Files (x86)") returned -1 [0114.851] lstrcmpiW (lpString1="main.js", lpString2="$Recycle.bin") returned 1 [0114.851] lstrcmpiW (lpString1="main.js", lpString2="System Volume Information") returned -1 [0114.851] lstrcmpiW (lpString1="main.js", lpString2=".") returned 1 [0114.851] lstrcmpiW (lpString1="main.js", lpString2="..") returned 1 [0114.851] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.js") returned 137 [0114.851] lstrcmpW (lpString1="main.js", lpString2="PUSSY.TXT") returned -1 [0114.851] PathFindExtensionW (pszPath="main.js") returned=".js" [0114.851] lstrlenW (lpString=".js") returned 3 [0114.851] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0114.851] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0114.852] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=91) returned 1 [0114.852] CloseHandle (hObject=0x184) returned 1 [0114.852] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x864c72b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86727140, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x2d5, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="manifest.json", cAlternateFileName="MANIFE~1.JSO")) returned 1 [0114.852] lstrcmpiW (lpString1="manifest.json", lpString2="Windows") returned -1 [0114.852] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files") returned -1 [0114.852] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files (x86)") returned -1 [0114.852] lstrcmpiW (lpString1="manifest.json", lpString2="$Recycle.bin") returned 1 [0114.852] lstrcmpiW (lpString1="manifest.json", lpString2="System Volume Information") returned -1 [0114.852] lstrcmpiW (lpString1="manifest.json", lpString2=".") returned 1 [0114.852] lstrcmpiW (lpString1="manifest.json", lpString2="..") returned 1 [0114.852] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\manifest.json") returned 143 [0114.852] lstrcmpW (lpString1="manifest.json", lpString2="PUSSY.TXT") returned -1 [0114.852] PathFindExtensionW (pszPath="manifest.json") returned=".json" [0114.852] lstrlenW (lpString=".json") returned 5 [0114.852] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0114.852] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\manifest.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0114.853] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=725) returned 1 [0114.853] GetProcessHeap () returned 0x4c0000 [0114.853] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3ca0008 [0114.865] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="7C") returned 2 [0114.865] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="D3") returned 2 [0114.865] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="D6") returned 2 [0114.865] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="5E") returned 2 [0114.865] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="F1") returned 2 [0114.865] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="50") returned 2 [0114.865] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="BC") returned 2 [0114.865] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="89") returned 2 [0114.865] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="3F") returned 2 [0114.866] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="C0") returned 2 [0114.866] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="20") returned 2 [0114.866] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="33") returned 2 [0114.866] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="79") returned 2 [0114.866] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="38") returned 2 [0114.866] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="E5") returned 2 [0114.866] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="8B") returned 2 [0114.866] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="34") returned 2 [0114.866] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="FE") returned 2 [0114.866] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="70") returned 2 [0114.866] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="FC") returned 2 [0114.866] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="B5") returned 2 [0114.866] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="A6") returned 2 [0114.866] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="BF") returned 2 [0114.866] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="A0") returned 2 [0114.866] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="1C") returned 2 [0114.866] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="99") returned 2 [0114.866] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="81") returned 2 [0114.866] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="12") returned 2 [0114.866] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="82") returned 2 [0114.866] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="E1") returned 2 [0114.866] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="B1") returned 2 [0114.866] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="7C") returned 2 [0114.879] lstrcpyW (in: lpString1=0x3cb003c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\manifest.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\manifest.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\manifest.json" [0114.879] lstrcpyW (in: lpString1=0x3ca003c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\manifest.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\manifest.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\manifest.json" [0114.879] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\manifest.json", lpString2=".7CD3D65EF150BC893FC020337938E58B34FE70FCB5A6BFA01C99811282E1B17C" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\manifest.json.7CD3D65EF150BC893FC020337938E58B34FE70FCB5A6BFA01C99811282E1B17C") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\manifest.json.7CD3D65EF150BC893FC020337938E58B34FE70FCB5A6BFA01C99811282E1B17C" [0114.879] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x3ca0008, NumberOfConcurrentThreads=0x0) returned 0x94 [0114.880] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3ca0008, lpOverlapped=0x3ca0008) returned 1 [0114.880] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x864c72b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86702750, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86702750, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="_locales", cAlternateFileName="")) returned 1 [0114.880] lstrcmpiW (lpString1="_locales", lpString2="Windows") returned -1 [0114.880] lstrcmpiW (lpString1="_locales", lpString2="Program Files") returned -1 [0114.880] lstrcmpiW (lpString1="_locales", lpString2="Program Files (x86)") returned -1 [0114.880] lstrcmpiW (lpString1="_locales", lpString2="$Recycle.bin") returned 1 [0114.880] lstrcmpiW (lpString1="_locales", lpString2="System Volume Information") returned -1 [0114.880] lstrcmpiW (lpString1="_locales", lpString2=".") returned 1 [0114.880] lstrcmpiW (lpString1="_locales", lpString2="..") returned 1 [0114.880] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales") returned 138 [0114.880] GetProcessHeap () returned 0x4c0000 [0114.880] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0114.880] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales" [0114.880] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\*" [0114.880] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\*", lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x864c72b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86702750, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86702750, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb71e0 [0115.097] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.097] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.097] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.097] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.097] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.097] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.097] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x864c72b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86702750, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86702750, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0115.097] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.097] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.097] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.097] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.097] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.098] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.098] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.098] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x864c72b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x864c72b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x864c72b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ar", cAlternateFileName="")) returned 1 [0115.098] lstrcmpiW (lpString1="ar", lpString2="Windows") returned -1 [0115.098] lstrcmpiW (lpString1="ar", lpString2="Program Files") returned -1 [0115.098] lstrcmpiW (lpString1="ar", lpString2="Program Files (x86)") returned -1 [0115.098] lstrcmpiW (lpString1="ar", lpString2="$Recycle.bin") returned 1 [0115.098] lstrcmpiW (lpString1="ar", lpString2="System Volume Information") returned -1 [0115.098] lstrcmpiW (lpString1="ar", lpString2=".") returned 1 [0115.098] lstrcmpiW (lpString1="ar", lpString2="..") returned 1 [0115.098] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar") returned 141 [0115.098] GetProcessHeap () returned 0x4c0000 [0115.098] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53caf0 [0115.100] lstrcpyW (in: lpString1=0x53caf0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar" [0115.100] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\*" [0115.100] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x864c72b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x864c72b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x864c72b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.100] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.100] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.100] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.100] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.100] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.100] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.100] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x864c72b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x864c72b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x864c72b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.100] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.101] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.101] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.101] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.101] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.101] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.101] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.101] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x864c72b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x864c72b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xf6, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.101] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.101] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.101] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.101] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.101] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.101] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.101] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.101] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\messages.json") returned 155 [0115.101] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.101] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.101] lstrlenW (lpString=".json") returned 5 [0115.101] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.101] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0115.102] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=246) returned 1 [0115.102] CloseHandle (hObject=0x16c) returned 1 [0115.102] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x864c72b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x864c72b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xf6, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.102] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.102] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\PUSSY.TXT") returned 151 [0115.102] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.106] lstrlenA (lpString="abcd") returned 4 [0115.106] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.107] CloseHandle (hObject=0x184) returned 1 [0115.107] GetProcessHeap () returned 0x4c0000 [0115.107] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0115.107] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x864c72b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x864c72b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x864c72b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="bg", cAlternateFileName="")) returned 1 [0115.107] lstrcmpiW (lpString1="bg", lpString2="Windows") returned -1 [0115.107] lstrcmpiW (lpString1="bg", lpString2="Program Files") returned -1 [0115.107] lstrcmpiW (lpString1="bg", lpString2="Program Files (x86)") returned -1 [0115.107] lstrcmpiW (lpString1="bg", lpString2="$Recycle.bin") returned 1 [0115.107] lstrcmpiW (lpString1="bg", lpString2="System Volume Information") returned -1 [0115.107] lstrcmpiW (lpString1="bg", lpString2=".") returned 1 [0115.107] lstrcmpiW (lpString1="bg", lpString2="..") returned 1 [0115.107] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg") returned 141 [0115.107] GetProcessHeap () returned 0x4c0000 [0115.107] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.107] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg" [0115.107] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\*" [0115.108] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x864c72b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x864c72b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x864c72b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.112] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.112] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.112] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.112] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.112] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.112] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.112] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x864c72b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x864c72b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x864c72b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.112] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.112] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.112] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.112] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.112] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.112] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.112] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.113] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x864c72b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x864c72b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x108, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.113] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.113] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.113] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.113] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.113] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.113] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.113] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.113] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\messages.json") returned 155 [0115.113] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.113] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.113] lstrlenW (lpString=".json") returned 5 [0115.113] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.113] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0115.114] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=264) returned 1 [0115.115] CloseHandle (hObject=0x16c) returned 1 [0115.115] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x864c72b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x864c72b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x108, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.115] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.115] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\PUSSY.TXT") returned 151 [0115.115] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.115] lstrlenA (lpString="abcd") returned 4 [0115.115] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.117] CloseHandle (hObject=0x184) returned 1 [0115.117] GetProcessHeap () returned 0x4c0000 [0115.117] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.117] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x864c72b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x864c72b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x864c72b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ca", cAlternateFileName="")) returned 1 [0115.117] lstrcmpiW (lpString1="ca", lpString2="Windows") returned -1 [0115.117] lstrcmpiW (lpString1="ca", lpString2="Program Files") returned -1 [0115.117] lstrcmpiW (lpString1="ca", lpString2="Program Files (x86)") returned -1 [0115.117] lstrcmpiW (lpString1="ca", lpString2="$Recycle.bin") returned 1 [0115.117] lstrcmpiW (lpString1="ca", lpString2="System Volume Information") returned -1 [0115.117] lstrcmpiW (lpString1="ca", lpString2=".") returned 1 [0115.117] lstrcmpiW (lpString1="ca", lpString2="..") returned 1 [0115.117] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca") returned 141 [0115.117] GetProcessHeap () returned 0x4c0000 [0115.117] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.117] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca" [0115.117] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\*" [0115.117] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x864c72b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x864c72b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x864c72b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.118] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.118] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.118] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.118] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.118] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.118] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.118] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x864c72b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x864c72b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x864c72b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.118] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.118] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.118] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.118] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.118] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.118] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.118] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.118] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x864c72b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x864c72b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xcf, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.118] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.118] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.118] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.118] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.118] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.118] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.118] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.119] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\messages.json") returned 155 [0115.119] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.119] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.119] lstrlenW (lpString=".json") returned 5 [0115.119] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.119] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0115.119] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=207) returned 1 [0115.119] CloseHandle (hObject=0x16c) returned 1 [0115.119] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x864c72b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x864c72b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xcf, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.119] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.119] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\PUSSY.TXT") returned 151 [0115.119] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.120] lstrlenA (lpString="abcd") returned 4 [0115.120] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.121] CloseHandle (hObject=0x184) returned 1 [0115.121] GetProcessHeap () returned 0x4c0000 [0115.121] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.121] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x864c72b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x864c72b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x864c72b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="cs", cAlternateFileName="")) returned 1 [0115.121] lstrcmpiW (lpString1="cs", lpString2="Windows") returned -1 [0115.121] lstrcmpiW (lpString1="cs", lpString2="Program Files") returned -1 [0115.121] lstrcmpiW (lpString1="cs", lpString2="Program Files (x86)") returned -1 [0115.121] lstrcmpiW (lpString1="cs", lpString2="$Recycle.bin") returned 1 [0115.121] lstrcmpiW (lpString1="cs", lpString2="System Volume Information") returned -1 [0115.121] lstrcmpiW (lpString1="cs", lpString2=".") returned 1 [0115.121] lstrcmpiW (lpString1="cs", lpString2="..") returned 1 [0115.121] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs") returned 141 [0115.122] GetProcessHeap () returned 0x4c0000 [0115.122] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.122] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs" [0115.122] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\*" [0115.122] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x864c72b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x864c72b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x864c72b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.122] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.122] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.122] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.122] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.122] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.122] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.122] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x864c72b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x864c72b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x864c72b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.122] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.122] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.122] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.123] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.123] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.123] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.123] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.123] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x864c72b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x864c72b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xde, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.123] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.123] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.123] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.123] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.123] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.123] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.123] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.123] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\messages.json") returned 155 [0115.123] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.123] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.123] lstrlenW (lpString=".json") returned 5 [0115.123] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.123] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0115.124] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=222) returned 1 [0115.124] CloseHandle (hObject=0x16c) returned 1 [0115.125] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x864c72b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x864c72b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xde, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.125] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.125] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\PUSSY.TXT") returned 151 [0115.125] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.125] lstrlenA (lpString="abcd") returned 4 [0115.125] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.127] CloseHandle (hObject=0x184) returned 1 [0115.127] GetProcessHeap () returned 0x4c0000 [0115.127] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.127] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x864ed410, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x864ed410, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x864ed410, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="da", cAlternateFileName="")) returned 1 [0115.127] lstrcmpiW (lpString1="da", lpString2="Windows") returned -1 [0115.127] lstrcmpiW (lpString1="da", lpString2="Program Files") returned -1 [0115.127] lstrcmpiW (lpString1="da", lpString2="Program Files (x86)") returned -1 [0115.127] lstrcmpiW (lpString1="da", lpString2="$Recycle.bin") returned 1 [0115.127] lstrcmpiW (lpString1="da", lpString2="System Volume Information") returned -1 [0115.127] lstrcmpiW (lpString1="da", lpString2=".") returned 1 [0115.127] lstrcmpiW (lpString1="da", lpString2="..") returned 1 [0115.127] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da") returned 141 [0115.127] GetProcessHeap () returned 0x4c0000 [0115.127] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.127] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da" [0115.127] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\*" [0115.127] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x864ed410, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x864ed410, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x864ed410, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.128] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.128] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.128] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.128] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.128] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.128] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.128] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x864ed410, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x864ed410, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x864ed410, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.128] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.128] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.128] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.128] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.128] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.128] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.128] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.128] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x864ed410, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x864ebca0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd8, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.128] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.128] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.128] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.128] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.128] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.128] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.128] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.129] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\messages.json") returned 155 [0115.129] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.129] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.129] lstrlenW (lpString=".json") returned 5 [0115.129] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.129] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0115.129] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=216) returned 1 [0115.129] CloseHandle (hObject=0x16c) returned 1 [0115.129] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x864ed410, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x864ebca0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd8, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.129] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.129] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\PUSSY.TXT") returned 151 [0115.129] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.130] lstrlenA (lpString="abcd") returned 4 [0115.130] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.131] CloseHandle (hObject=0x184) returned 1 [0115.131] GetProcessHeap () returned 0x4c0000 [0115.131] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.131] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x864ed410, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x864ed410, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x864ed410, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="de", cAlternateFileName="")) returned 1 [0115.131] lstrcmpiW (lpString1="de", lpString2="Windows") returned -1 [0115.131] lstrcmpiW (lpString1="de", lpString2="Program Files") returned -1 [0115.131] lstrcmpiW (lpString1="de", lpString2="Program Files (x86)") returned -1 [0115.131] lstrcmpiW (lpString1="de", lpString2="$Recycle.bin") returned 1 [0115.131] lstrcmpiW (lpString1="de", lpString2="System Volume Information") returned -1 [0115.131] lstrcmpiW (lpString1="de", lpString2=".") returned 1 [0115.131] lstrcmpiW (lpString1="de", lpString2="..") returned 1 [0115.131] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de") returned 141 [0115.131] GetProcessHeap () returned 0x4c0000 [0115.131] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.131] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de" [0115.131] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\*" [0115.132] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x864ed410, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x864ed410, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x864ed410, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.132] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.132] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.132] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.132] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.132] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.132] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.132] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x864ed410, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x864ed410, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x864ed410, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.132] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.132] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.132] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.132] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.132] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.132] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.132] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.132] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x864ed410, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x864ebca0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd9, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.132] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.132] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.132] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.133] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.133] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.133] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.133] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.133] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\messages.json") returned 155 [0115.133] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.133] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.133] lstrlenW (lpString=".json") returned 5 [0115.133] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.133] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0115.134] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=217) returned 1 [0115.134] CloseHandle (hObject=0x16c) returned 1 [0115.134] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x864ed410, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x864ebca0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd9, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.134] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.134] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\PUSSY.TXT") returned 151 [0115.134] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.135] lstrlenA (lpString="abcd") returned 4 [0115.135] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.136] CloseHandle (hObject=0x184) returned 1 [0115.136] GetProcessHeap () returned 0x4c0000 [0115.136] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.136] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x864ed410, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x864ed410, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x864ed410, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="el", cAlternateFileName="")) returned 1 [0115.136] lstrcmpiW (lpString1="el", lpString2="Windows") returned -1 [0115.136] lstrcmpiW (lpString1="el", lpString2="Program Files") returned -1 [0115.136] lstrcmpiW (lpString1="el", lpString2="Program Files (x86)") returned -1 [0115.136] lstrcmpiW (lpString1="el", lpString2="$Recycle.bin") returned 1 [0115.136] lstrcmpiW (lpString1="el", lpString2="System Volume Information") returned -1 [0115.136] lstrcmpiW (lpString1="el", lpString2=".") returned 1 [0115.136] lstrcmpiW (lpString1="el", lpString2="..") returned 1 [0115.136] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el") returned 141 [0115.136] GetProcessHeap () returned 0x4c0000 [0115.136] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.136] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el" [0115.137] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\*" [0115.137] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x864ed410, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x864ed410, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x864ed410, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.137] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.137] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.137] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.137] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.137] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.137] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.137] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x864ed410, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x864ed410, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x864ed410, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.137] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.137] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.137] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.137] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.137] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.137] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.137] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.137] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x864ed410, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x864ebca0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x104, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.138] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.138] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.138] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.138] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.138] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.138] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.138] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.138] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\messages.json") returned 155 [0115.138] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.138] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.138] lstrlenW (lpString=".json") returned 5 [0115.138] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.138] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0115.138] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=260) returned 1 [0115.138] CloseHandle (hObject=0x16c) returned 1 [0115.138] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x864ed410, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x864ebca0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x104, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.139] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.139] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\PUSSY.TXT") returned 151 [0115.139] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.139] lstrlenA (lpString="abcd") returned 4 [0115.139] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.140] CloseHandle (hObject=0x184) returned 1 [0115.140] GetProcessHeap () returned 0x4c0000 [0115.140] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.140] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x864ed410, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x865396d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x865396d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="en_GB", cAlternateFileName="")) returned 1 [0115.140] lstrcmpiW (lpString1="en_GB", lpString2="Windows") returned -1 [0115.140] lstrcmpiW (lpString1="en_GB", lpString2="Program Files") returned -1 [0115.140] lstrcmpiW (lpString1="en_GB", lpString2="Program Files (x86)") returned -1 [0115.141] lstrcmpiW (lpString1="en_GB", lpString2="$Recycle.bin") returned 1 [0115.141] lstrcmpiW (lpString1="en_GB", lpString2="System Volume Information") returned -1 [0115.141] lstrcmpiW (lpString1="en_GB", lpString2=".") returned 1 [0115.141] lstrcmpiW (lpString1="en_GB", lpString2="..") returned 1 [0115.141] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB") returned 144 [0115.141] GetProcessHeap () returned 0x4c0000 [0115.141] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.141] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB" [0115.141] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB\\*" [0115.141] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x864ed410, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x865396d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x865396d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.141] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.141] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.141] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.141] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.141] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.141] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.141] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x864ed410, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x865396d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x865396d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.142] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.142] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.142] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.142] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.142] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.142] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.142] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.142] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x865396d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86539ea0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.142] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.142] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.142] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.142] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.142] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.142] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.142] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.142] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB\\messages.json") returned 158 [0115.142] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.142] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.142] lstrlenW (lpString=".json") returned 5 [0115.142] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.142] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_gb\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0115.143] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=208) returned 1 [0115.143] CloseHandle (hObject=0x16c) returned 1 [0115.144] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x865396d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86539ea0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.144] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.144] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB\\PUSSY.TXT") returned 154 [0115.144] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_gb\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.144] lstrlenA (lpString="abcd") returned 4 [0115.144] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.146] CloseHandle (hObject=0x184) returned 1 [0115.146] GetProcessHeap () returned 0x4c0000 [0115.146] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.146] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x865396d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x865396d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x865396d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="en_US", cAlternateFileName="")) returned 1 [0115.146] lstrcmpiW (lpString1="en_US", lpString2="Windows") returned -1 [0115.146] lstrcmpiW (lpString1="en_US", lpString2="Program Files") returned -1 [0115.146] lstrcmpiW (lpString1="en_US", lpString2="Program Files (x86)") returned -1 [0115.146] lstrcmpiW (lpString1="en_US", lpString2="$Recycle.bin") returned 1 [0115.146] lstrcmpiW (lpString1="en_US", lpString2="System Volume Information") returned -1 [0115.146] lstrcmpiW (lpString1="en_US", lpString2=".") returned 1 [0115.146] lstrcmpiW (lpString1="en_US", lpString2="..") returned 1 [0115.146] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US") returned 144 [0115.146] GetProcessHeap () returned 0x4c0000 [0115.146] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.146] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US" [0115.146] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US\\*" [0115.146] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x865396d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x865396d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x865396d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.147] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.147] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.147] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.147] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.147] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.147] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.147] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x865396d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x865396d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x865396d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.147] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.147] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.147] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.147] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.147] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.147] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.147] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.147] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x865396d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86539ea0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd1, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.147] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.147] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.147] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.147] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.147] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.147] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.147] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.147] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US\\messages.json") returned 158 [0115.147] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.147] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.148] lstrlenW (lpString=".json") returned 5 [0115.148] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.148] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_us\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0115.149] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=209) returned 1 [0115.149] CloseHandle (hObject=0x16c) returned 1 [0115.149] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x865396d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86539ea0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd1, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.149] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.149] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US\\PUSSY.TXT") returned 154 [0115.149] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_us\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.149] lstrlenA (lpString="abcd") returned 4 [0115.150] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.151] CloseHandle (hObject=0x184) returned 1 [0115.151] GetProcessHeap () returned 0x4c0000 [0115.151] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.151] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x865396d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x865396d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x865396d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="es", cAlternateFileName="")) returned 1 [0115.151] lstrcmpiW (lpString1="es", lpString2="Windows") returned -1 [0115.151] lstrcmpiW (lpString1="es", lpString2="Program Files") returned -1 [0115.151] lstrcmpiW (lpString1="es", lpString2="Program Files (x86)") returned -1 [0115.151] lstrcmpiW (lpString1="es", lpString2="$Recycle.bin") returned 1 [0115.151] lstrcmpiW (lpString1="es", lpString2="System Volume Information") returned -1 [0115.151] lstrcmpiW (lpString1="es", lpString2=".") returned 1 [0115.151] lstrcmpiW (lpString1="es", lpString2="..") returned 1 [0115.151] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es") returned 141 [0115.151] GetProcessHeap () returned 0x4c0000 [0115.151] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.151] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es" [0115.151] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\*" [0115.151] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x865396d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x865396d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x865396d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.152] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.152] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.152] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.152] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.152] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.152] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.152] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x865396d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x865396d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x865396d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.152] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.152] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.152] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.152] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.152] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.152] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.152] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.152] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x865396d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86539ea0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xce, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.152] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.152] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.152] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.152] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.152] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.153] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.153] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.153] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\messages.json") returned 155 [0115.153] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.153] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.153] lstrlenW (lpString=".json") returned 5 [0115.153] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.153] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0115.153] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=206) returned 1 [0115.153] CloseHandle (hObject=0x16c) returned 1 [0115.153] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x865396d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86539ea0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xce, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.153] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.153] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\PUSSY.TXT") returned 151 [0115.154] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.154] lstrlenA (lpString="abcd") returned 4 [0115.154] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.155] CloseHandle (hObject=0x184) returned 1 [0115.155] GetProcessHeap () returned 0x4c0000 [0115.155] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.155] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x865396d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x865396d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x865396d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="es_419", cAlternateFileName="")) returned 1 [0115.155] lstrcmpiW (lpString1="es_419", lpString2="Windows") returned -1 [0115.155] lstrcmpiW (lpString1="es_419", lpString2="Program Files") returned -1 [0115.155] lstrcmpiW (lpString1="es_419", lpString2="Program Files (x86)") returned -1 [0115.155] lstrcmpiW (lpString1="es_419", lpString2="$Recycle.bin") returned 1 [0115.156] lstrcmpiW (lpString1="es_419", lpString2="System Volume Information") returned -1 [0115.156] lstrcmpiW (lpString1="es_419", lpString2=".") returned 1 [0115.156] lstrcmpiW (lpString1="es_419", lpString2="..") returned 1 [0115.156] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419") returned 145 [0115.156] GetProcessHeap () returned 0x4c0000 [0115.156] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.156] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419" [0115.156] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\*" [0115.156] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x865396d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x865396d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x865396d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.156] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.156] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.156] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.156] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.156] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.156] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.156] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x865396d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x865396d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x865396d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.157] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.157] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.157] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.157] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.157] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.157] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.157] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.157] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x865396d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86539ea0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xce, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.157] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.157] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.157] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.157] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.157] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.157] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.157] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.157] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\messages.json") returned 159 [0115.157] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.157] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.157] lstrlenW (lpString=".json") returned 5 [0115.157] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.157] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0115.161] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=206) returned 1 [0115.162] CloseHandle (hObject=0x16c) returned 1 [0115.162] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x865396d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86539ea0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xce, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.162] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.162] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\PUSSY.TXT") returned 155 [0115.162] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.162] lstrlenA (lpString="abcd") returned 4 [0115.162] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.163] CloseHandle (hObject=0x184) returned 1 [0115.163] GetProcessHeap () returned 0x4c0000 [0115.163] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.163] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8655f830, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8655f830, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8655f830, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="et", cAlternateFileName="")) returned 1 [0115.164] lstrcmpiW (lpString1="et", lpString2="Windows") returned -1 [0115.164] lstrcmpiW (lpString1="et", lpString2="Program Files") returned -1 [0115.164] lstrcmpiW (lpString1="et", lpString2="Program Files (x86)") returned -1 [0115.164] lstrcmpiW (lpString1="et", lpString2="$Recycle.bin") returned 1 [0115.164] lstrcmpiW (lpString1="et", lpString2="System Volume Information") returned -1 [0115.164] lstrcmpiW (lpString1="et", lpString2=".") returned 1 [0115.164] lstrcmpiW (lpString1="et", lpString2="..") returned 1 [0115.164] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et") returned 141 [0115.164] GetProcessHeap () returned 0x4c0000 [0115.164] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.164] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et" [0115.164] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\*" [0115.164] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8655f830, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8655f830, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8655f830, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.164] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.164] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.164] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.164] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.164] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.164] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.164] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8655f830, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8655f830, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8655f830, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.164] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.165] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.165] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.165] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.165] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.165] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.165] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.165] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8655f830, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8655e890, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd8, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.165] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.165] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.165] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.165] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.165] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.165] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.165] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.165] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\messages.json") returned 155 [0115.165] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.165] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.165] lstrlenW (lpString=".json") returned 5 [0115.165] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.165] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0115.165] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=216) returned 1 [0115.165] CloseHandle (hObject=0x16c) returned 1 [0115.166] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8655f830, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8655e890, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd8, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.166] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.166] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\PUSSY.TXT") returned 151 [0115.166] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.166] lstrlenA (lpString="abcd") returned 4 [0115.166] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.167] CloseHandle (hObject=0x184) returned 1 [0115.167] GetProcessHeap () returned 0x4c0000 [0115.168] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.168] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8655f830, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8655f830, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8655f830, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="fi", cAlternateFileName="")) returned 1 [0115.168] lstrcmpiW (lpString1="fi", lpString2="Windows") returned -1 [0115.168] lstrcmpiW (lpString1="fi", lpString2="Program Files") returned -1 [0115.168] lstrcmpiW (lpString1="fi", lpString2="Program Files (x86)") returned -1 [0115.168] lstrcmpiW (lpString1="fi", lpString2="$Recycle.bin") returned 1 [0115.168] lstrcmpiW (lpString1="fi", lpString2="System Volume Information") returned -1 [0115.168] lstrcmpiW (lpString1="fi", lpString2=".") returned 1 [0115.168] lstrcmpiW (lpString1="fi", lpString2="..") returned 1 [0115.168] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi") returned 141 [0115.168] GetProcessHeap () returned 0x4c0000 [0115.168] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.168] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi" [0115.168] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\*" [0115.168] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8655f830, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8655f830, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8655f830, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.168] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.169] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.169] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.169] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.169] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.169] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.169] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8655f830, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8655f830, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8655f830, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.169] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.169] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.169] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.169] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.169] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.169] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.169] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.169] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8655f830, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8655e890, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd8, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.169] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.169] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.169] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.169] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.169] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.169] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.169] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.169] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\messages.json") returned 155 [0115.169] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.169] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.169] lstrlenW (lpString=".json") returned 5 [0115.169] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.170] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0115.171] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=216) returned 1 [0115.171] CloseHandle (hObject=0x16c) returned 1 [0115.171] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8655f830, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8655e890, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd8, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.171] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.171] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\PUSSY.TXT") returned 151 [0115.171] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.172] lstrlenA (lpString="abcd") returned 4 [0115.172] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.173] CloseHandle (hObject=0x184) returned 1 [0115.173] GetProcessHeap () returned 0x4c0000 [0115.173] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.173] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8655f830, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8655f830, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8655f830, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="fil", cAlternateFileName="")) returned 1 [0115.173] lstrcmpiW (lpString1="fil", lpString2="Windows") returned -1 [0115.173] lstrcmpiW (lpString1="fil", lpString2="Program Files") returned -1 [0115.173] lstrcmpiW (lpString1="fil", lpString2="Program Files (x86)") returned -1 [0115.173] lstrcmpiW (lpString1="fil", lpString2="$Recycle.bin") returned 1 [0115.173] lstrcmpiW (lpString1="fil", lpString2="System Volume Information") returned -1 [0115.173] lstrcmpiW (lpString1="fil", lpString2=".") returned 1 [0115.173] lstrcmpiW (lpString1="fil", lpString2="..") returned 1 [0115.173] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil") returned 142 [0115.173] GetProcessHeap () returned 0x4c0000 [0115.173] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.173] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil" [0115.173] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\*" [0115.173] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8655f830, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8655f830, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8655f830, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.174] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.174] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.174] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.174] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.174] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.174] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.174] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8655f830, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8655f830, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8655f830, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.174] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.174] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.174] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.174] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.174] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.174] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.174] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.174] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8655f830, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8655e890, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xdb, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.174] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.174] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.175] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.175] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.175] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.175] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.175] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.175] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\messages.json") returned 156 [0115.175] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.175] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.175] lstrlenW (lpString=".json") returned 5 [0115.175] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.175] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0115.175] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=219) returned 1 [0115.175] CloseHandle (hObject=0x16c) returned 1 [0115.175] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8655f830, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8655e890, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xdb, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.175] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.176] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\PUSSY.TXT") returned 152 [0115.176] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.176] lstrlenA (lpString="abcd") returned 4 [0115.176] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.177] CloseHandle (hObject=0x184) returned 1 [0115.177] GetProcessHeap () returned 0x4c0000 [0115.177] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.177] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8655f830, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8655f830, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8655f830, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="fr", cAlternateFileName="")) returned 1 [0115.177] lstrcmpiW (lpString1="fr", lpString2="Windows") returned -1 [0115.178] lstrcmpiW (lpString1="fr", lpString2="Program Files") returned -1 [0115.178] lstrcmpiW (lpString1="fr", lpString2="Program Files (x86)") returned -1 [0115.178] lstrcmpiW (lpString1="fr", lpString2="$Recycle.bin") returned 1 [0115.178] lstrcmpiW (lpString1="fr", lpString2="System Volume Information") returned -1 [0115.178] lstrcmpiW (lpString1="fr", lpString2=".") returned 1 [0115.178] lstrcmpiW (lpString1="fr", lpString2="..") returned 1 [0115.178] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr") returned 141 [0115.178] GetProcessHeap () returned 0x4c0000 [0115.178] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.178] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr" [0115.178] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\*" [0115.178] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8655f830, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8655f830, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8655f830, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.178] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.178] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.178] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.178] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.178] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.178] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.179] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8655f830, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8655f830, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8655f830, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.179] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.179] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.179] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.179] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.179] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.179] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.179] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.179] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8655f830, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8655e890, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd7, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.179] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.179] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.179] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.179] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.179] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.179] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.179] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.179] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\messages.json") returned 155 [0115.179] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.179] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.179] lstrlenW (lpString=".json") returned 5 [0115.179] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.179] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0115.181] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=215) returned 1 [0115.181] CloseHandle (hObject=0x16c) returned 1 [0115.181] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8655f830, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8655e890, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd7, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.181] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.181] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\PUSSY.TXT") returned 151 [0115.181] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.182] lstrlenA (lpString="abcd") returned 4 [0115.182] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.183] CloseHandle (hObject=0x184) returned 1 [0115.183] GetProcessHeap () returned 0x4c0000 [0115.183] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.183] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8655f830, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8655f830, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8655f830, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="he", cAlternateFileName="")) returned 1 [0115.183] lstrcmpiW (lpString1="he", lpString2="Windows") returned -1 [0115.183] lstrcmpiW (lpString1="he", lpString2="Program Files") returned -1 [0115.183] lstrcmpiW (lpString1="he", lpString2="Program Files (x86)") returned -1 [0115.183] lstrcmpiW (lpString1="he", lpString2="$Recycle.bin") returned 1 [0115.183] lstrcmpiW (lpString1="he", lpString2="System Volume Information") returned -1 [0115.183] lstrcmpiW (lpString1="he", lpString2=".") returned 1 [0115.183] lstrcmpiW (lpString1="he", lpString2="..") returned 1 [0115.183] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he") returned 141 [0115.183] GetProcessHeap () returned 0x4c0000 [0115.183] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.183] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he" [0115.183] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\*" [0115.183] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8655f830, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8655f830, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8655f830, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.184] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.184] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.184] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.184] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.184] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.184] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.184] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8655f830, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8655f830, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8655f830, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.184] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.184] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.184] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.184] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.184] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.184] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.184] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.184] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8655f830, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8655e890, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xdd, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.184] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.184] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.184] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.185] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.185] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.185] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.185] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.185] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\messages.json") returned 155 [0115.185] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.185] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.185] lstrlenW (lpString=".json") returned 5 [0115.185] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.185] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0115.185] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=221) returned 1 [0115.185] CloseHandle (hObject=0x16c) returned 1 [0115.185] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8655f830, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8655e890, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xdd, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.186] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.186] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\PUSSY.TXT") returned 151 [0115.186] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.186] lstrlenA (lpString="abcd") returned 4 [0115.186] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.188] CloseHandle (hObject=0x184) returned 1 [0115.188] GetProcessHeap () returned 0x4c0000 [0115.188] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.189] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86585990, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86585990, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86585990, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="hi", cAlternateFileName="")) returned 1 [0115.189] lstrcmpiW (lpString1="hi", lpString2="Windows") returned -1 [0115.189] lstrcmpiW (lpString1="hi", lpString2="Program Files") returned -1 [0115.189] lstrcmpiW (lpString1="hi", lpString2="Program Files (x86)") returned -1 [0115.189] lstrcmpiW (lpString1="hi", lpString2="$Recycle.bin") returned 1 [0115.189] lstrcmpiW (lpString1="hi", lpString2="System Volume Information") returned -1 [0115.189] lstrcmpiW (lpString1="hi", lpString2=".") returned 1 [0115.189] lstrcmpiW (lpString1="hi", lpString2="..") returned 1 [0115.189] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi") returned 141 [0115.189] GetProcessHeap () returned 0x4c0000 [0115.189] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.189] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi" [0115.189] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\*" [0115.189] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86585990, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86585990, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86585990, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.189] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.189] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.189] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.189] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.190] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.190] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.190] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86585990, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86585990, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86585990, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.190] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.190] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.190] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.190] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.190] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.190] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.190] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.190] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86585990, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86585990, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x117, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.190] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.190] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.190] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.190] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.190] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.190] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.190] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.190] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\messages.json") returned 155 [0115.190] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.190] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.190] lstrlenW (lpString=".json") returned 5 [0115.190] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.190] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0115.192] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=279) returned 1 [0115.192] CloseHandle (hObject=0x16c) returned 1 [0115.192] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86585990, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86585990, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x117, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.192] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.192] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\PUSSY.TXT") returned 151 [0115.192] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.192] lstrlenA (lpString="abcd") returned 4 [0115.192] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.194] CloseHandle (hObject=0x184) returned 1 [0115.194] GetProcessHeap () returned 0x4c0000 [0115.194] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.194] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86585990, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86585990, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86585990, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="hu", cAlternateFileName="")) returned 1 [0115.194] lstrcmpiW (lpString1="hu", lpString2="Windows") returned -1 [0115.194] lstrcmpiW (lpString1="hu", lpString2="Program Files") returned -1 [0115.194] lstrcmpiW (lpString1="hu", lpString2="Program Files (x86)") returned -1 [0115.194] lstrcmpiW (lpString1="hu", lpString2="$Recycle.bin") returned 1 [0115.194] lstrcmpiW (lpString1="hu", lpString2="System Volume Information") returned -1 [0115.194] lstrcmpiW (lpString1="hu", lpString2=".") returned 1 [0115.194] lstrcmpiW (lpString1="hu", lpString2="..") returned 1 [0115.194] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu") returned 141 [0115.194] GetProcessHeap () returned 0x4c0000 [0115.194] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.194] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu" [0115.194] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\*" [0115.194] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86585990, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86585990, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86585990, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.195] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.195] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.195] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.195] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.195] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.195] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.195] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86585990, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86585990, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86585990, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.195] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.195] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.195] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.195] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.195] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.195] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.195] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.195] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86585990, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86585990, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xeb, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.195] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.195] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.195] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.195] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.195] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.195] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.195] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.195] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\messages.json") returned 155 [0115.196] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.196] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.196] lstrlenW (lpString=".json") returned 5 [0115.196] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.196] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0115.196] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=235) returned 1 [0115.196] CloseHandle (hObject=0x16c) returned 1 [0115.196] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86585990, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86585990, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xeb, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.196] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.196] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\PUSSY.TXT") returned 151 [0115.196] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.197] lstrlenA (lpString="abcd") returned 4 [0115.197] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.198] CloseHandle (hObject=0x184) returned 1 [0115.198] GetProcessHeap () returned 0x4c0000 [0115.198] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.198] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86585990, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86585990, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86585990, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="id", cAlternateFileName="")) returned 1 [0115.198] lstrcmpiW (lpString1="id", lpString2="Windows") returned -1 [0115.198] lstrcmpiW (lpString1="id", lpString2="Program Files") returned -1 [0115.198] lstrcmpiW (lpString1="id", lpString2="Program Files (x86)") returned -1 [0115.198] lstrcmpiW (lpString1="id", lpString2="$Recycle.bin") returned 1 [0115.198] lstrcmpiW (lpString1="id", lpString2="System Volume Information") returned -1 [0115.198] lstrcmpiW (lpString1="id", lpString2=".") returned 1 [0115.199] lstrcmpiW (lpString1="id", lpString2="..") returned 1 [0115.199] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id") returned 141 [0115.199] GetProcessHeap () returned 0x4c0000 [0115.199] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.199] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id" [0115.199] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\*" [0115.199] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86585990, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86585990, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86585990, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.199] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.199] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.199] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.199] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.199] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.199] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.199] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86585990, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86585990, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86585990, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.199] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.199] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.199] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.200] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.200] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.200] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.200] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.200] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86585990, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86585990, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd1, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.200] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.200] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.200] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.200] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.200] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.200] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.200] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.200] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\messages.json") returned 155 [0115.200] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.200] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.200] lstrlenW (lpString=".json") returned 5 [0115.200] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.200] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0115.201] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=209) returned 1 [0115.201] CloseHandle (hObject=0x16c) returned 1 [0115.201] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86585990, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86585990, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd1, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.202] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.202] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\PUSSY.TXT") returned 151 [0115.202] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.202] lstrlenA (lpString="abcd") returned 4 [0115.202] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.203] CloseHandle (hObject=0x184) returned 1 [0115.209] GetProcessHeap () returned 0x4c0000 [0115.210] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.210] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86585990, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86585990, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86585990, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="it", cAlternateFileName="")) returned 1 [0115.210] lstrcmpiW (lpString1="it", lpString2="Windows") returned -1 [0115.210] lstrcmpiW (lpString1="it", lpString2="Program Files") returned -1 [0115.210] lstrcmpiW (lpString1="it", lpString2="Program Files (x86)") returned -1 [0115.210] lstrcmpiW (lpString1="it", lpString2="$Recycle.bin") returned 1 [0115.210] lstrcmpiW (lpString1="it", lpString2="System Volume Information") returned -1 [0115.210] lstrcmpiW (lpString1="it", lpString2=".") returned 1 [0115.210] lstrcmpiW (lpString1="it", lpString2="..") returned 1 [0115.210] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it") returned 141 [0115.210] GetProcessHeap () returned 0x4c0000 [0115.210] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.210] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it" [0115.210] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\*" [0115.210] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86585990, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86585990, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86585990, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.211] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.211] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.211] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.211] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.211] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.211] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.211] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86585990, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86585990, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86585990, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.211] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.211] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.211] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.211] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.211] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.211] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.211] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.211] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86585990, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86585990, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd5, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.211] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.211] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.211] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.211] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.211] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.211] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.211] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.211] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\messages.json") returned 155 [0115.212] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.212] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.212] lstrlenW (lpString=".json") returned 5 [0115.212] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.212] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0115.212] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=213) returned 1 [0115.212] CloseHandle (hObject=0x16c) returned 1 [0115.212] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86585990, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86585990, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd5, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.212] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.213] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\PUSSY.TXT") returned 151 [0115.213] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.213] lstrlenA (lpString="abcd") returned 4 [0115.213] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.214] CloseHandle (hObject=0x184) returned 1 [0115.214] GetProcessHeap () returned 0x4c0000 [0115.214] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.214] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86585990, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86585990, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86585990, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ja", cAlternateFileName="")) returned 1 [0115.214] lstrcmpiW (lpString1="ja", lpString2="Windows") returned -1 [0115.214] lstrcmpiW (lpString1="ja", lpString2="Program Files") returned -1 [0115.215] lstrcmpiW (lpString1="ja", lpString2="Program Files (x86)") returned -1 [0115.215] lstrcmpiW (lpString1="ja", lpString2="$Recycle.bin") returned 1 [0115.215] lstrcmpiW (lpString1="ja", lpString2="System Volume Information") returned -1 [0115.215] lstrcmpiW (lpString1="ja", lpString2=".") returned 1 [0115.215] lstrcmpiW (lpString1="ja", lpString2="..") returned 1 [0115.215] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja") returned 141 [0115.215] GetProcessHeap () returned 0x4c0000 [0115.215] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.215] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja" [0115.215] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\*" [0115.215] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86585990, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86585990, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86585990, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.215] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.215] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.215] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.215] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.215] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.215] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.215] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86585990, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86585990, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86585990, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.216] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.216] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.216] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.216] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.216] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.216] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.216] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.216] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86585990, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86585990, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xdd, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.216] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.216] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.216] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.216] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.216] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.216] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.216] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.216] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\messages.json") returned 155 [0115.216] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.216] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.216] lstrlenW (lpString=".json") returned 5 [0115.216] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.216] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0115.217] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=221) returned 1 [0115.218] CloseHandle (hObject=0x16c) returned 1 [0115.218] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86585990, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86585990, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xdd, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.219] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.219] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\PUSSY.TXT") returned 151 [0115.219] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.219] lstrlenA (lpString="abcd") returned 4 [0115.219] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.220] CloseHandle (hObject=0x184) returned 1 [0115.220] GetProcessHeap () returned 0x4c0000 [0115.221] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.221] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86585990, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86585990, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86585990, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ko", cAlternateFileName="")) returned 1 [0115.221] lstrcmpiW (lpString1="ko", lpString2="Windows") returned -1 [0115.221] lstrcmpiW (lpString1="ko", lpString2="Program Files") returned -1 [0115.221] lstrcmpiW (lpString1="ko", lpString2="Program Files (x86)") returned -1 [0115.221] lstrcmpiW (lpString1="ko", lpString2="$Recycle.bin") returned 1 [0115.221] lstrcmpiW (lpString1="ko", lpString2="System Volume Information") returned -1 [0115.221] lstrcmpiW (lpString1="ko", lpString2=".") returned 1 [0115.221] lstrcmpiW (lpString1="ko", lpString2="..") returned 1 [0115.221] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko") returned 141 [0115.221] GetProcessHeap () returned 0x4c0000 [0115.221] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.221] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko" [0115.221] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\*" [0115.221] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86585990, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86585990, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86585990, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.221] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.221] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.222] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.222] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.222] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.222] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.222] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86585990, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86585990, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86585990, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.222] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.222] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.222] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.222] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.222] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.222] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.222] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.222] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86585990, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86585990, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xda, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.222] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.222] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.222] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.222] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.222] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.222] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.222] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.222] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\messages.json") returned 155 [0115.222] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.222] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.222] lstrlenW (lpString=".json") returned 5 [0115.223] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.223] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0115.223] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=218) returned 1 [0115.223] CloseHandle (hObject=0x16c) returned 1 [0115.223] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86585990, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86585990, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xda, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.223] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.223] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\PUSSY.TXT") returned 151 [0115.223] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.224] lstrlenA (lpString="abcd") returned 4 [0115.224] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.225] CloseHandle (hObject=0x184) returned 1 [0115.225] GetProcessHeap () returned 0x4c0000 [0115.225] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.225] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x865abaf0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x865abaf0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x865abaf0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="lt", cAlternateFileName="")) returned 1 [0115.225] lstrcmpiW (lpString1="lt", lpString2="Windows") returned -1 [0115.225] lstrcmpiW (lpString1="lt", lpString2="Program Files") returned -1 [0115.225] lstrcmpiW (lpString1="lt", lpString2="Program Files (x86)") returned -1 [0115.225] lstrcmpiW (lpString1="lt", lpString2="$Recycle.bin") returned 1 [0115.225] lstrcmpiW (lpString1="lt", lpString2="System Volume Information") returned -1 [0115.225] lstrcmpiW (lpString1="lt", lpString2=".") returned 1 [0115.225] lstrcmpiW (lpString1="lt", lpString2="..") returned 1 [0115.225] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt") returned 141 [0115.225] GetProcessHeap () returned 0x4c0000 [0115.225] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.225] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt" [0115.225] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\*" [0115.225] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x865abaf0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x865abaf0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x865abaf0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.226] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.226] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.226] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.226] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.226] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.226] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.226] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x865abaf0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x865abaf0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x865abaf0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.226] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.226] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.226] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.226] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.226] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.226] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.226] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.226] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x865abaf0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x865aa380, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe4, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.226] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.226] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.226] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.226] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.226] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.226] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.226] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.226] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\messages.json") returned 155 [0115.226] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.226] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.226] lstrlenW (lpString=".json") returned 5 [0115.226] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.227] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0115.227] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=228) returned 1 [0115.227] CloseHandle (hObject=0x16c) returned 1 [0115.227] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x865abaf0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x865aa380, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe4, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.228] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.228] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\PUSSY.TXT") returned 151 [0115.228] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.228] lstrlenA (lpString="abcd") returned 4 [0115.228] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.229] CloseHandle (hObject=0x184) returned 1 [0115.229] GetProcessHeap () returned 0x4c0000 [0115.229] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.229] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x865abaf0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x865abaf0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x865abaf0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="lv", cAlternateFileName="")) returned 1 [0115.229] lstrcmpiW (lpString1="lv", lpString2="Windows") returned -1 [0115.229] lstrcmpiW (lpString1="lv", lpString2="Program Files") returned -1 [0115.230] lstrcmpiW (lpString1="lv", lpString2="Program Files (x86)") returned -1 [0115.230] lstrcmpiW (lpString1="lv", lpString2="$Recycle.bin") returned 1 [0115.230] lstrcmpiW (lpString1="lv", lpString2="System Volume Information") returned -1 [0115.230] lstrcmpiW (lpString1="lv", lpString2=".") returned 1 [0115.230] lstrcmpiW (lpString1="lv", lpString2="..") returned 1 [0115.230] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv") returned 141 [0115.230] GetProcessHeap () returned 0x4c0000 [0115.230] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.230] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv" [0115.230] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\*" [0115.230] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x865abaf0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x865abaf0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x865abaf0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.230] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.230] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.230] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.230] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.230] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.230] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.230] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x865abaf0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x865abaf0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x865abaf0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.231] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.231] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.231] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.231] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.231] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.231] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.231] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.231] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x865abaf0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x865aa380, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.231] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.231] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.231] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.231] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.231] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.231] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.231] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.231] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\messages.json") returned 155 [0115.231] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.231] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.231] lstrlenW (lpString=".json") returned 5 [0115.231] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.231] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0115.232] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=224) returned 1 [0115.232] CloseHandle (hObject=0x16c) returned 1 [0115.232] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x865abaf0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x865aa380, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.232] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.232] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\PUSSY.TXT") returned 151 [0115.232] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.232] lstrlenA (lpString="abcd") returned 4 [0115.232] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.234] CloseHandle (hObject=0x184) returned 1 [0115.234] GetProcessHeap () returned 0x4c0000 [0115.234] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.234] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x865d1c50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x865d1c50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x865d1c50, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ms", cAlternateFileName="")) returned 1 [0115.234] lstrcmpiW (lpString1="ms", lpString2="Windows") returned -1 [0115.234] lstrcmpiW (lpString1="ms", lpString2="Program Files") returned -1 [0115.234] lstrcmpiW (lpString1="ms", lpString2="Program Files (x86)") returned -1 [0115.234] lstrcmpiW (lpString1="ms", lpString2="$Recycle.bin") returned 1 [0115.234] lstrcmpiW (lpString1="ms", lpString2="System Volume Information") returned -1 [0115.234] lstrcmpiW (lpString1="ms", lpString2=".") returned 1 [0115.234] lstrcmpiW (lpString1="ms", lpString2="..") returned 1 [0115.234] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms") returned 141 [0115.234] GetProcessHeap () returned 0x4c0000 [0115.234] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.234] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms" [0115.234] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\*" [0115.234] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x865d1c50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x865d1c50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x865d1c50, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.288] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.288] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.288] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.288] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.288] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.288] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.288] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x865d1c50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x865d1c50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x865d1c50, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.288] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.288] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.289] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.289] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.289] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.289] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.289] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.289] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x865d1c50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x865d1480, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xcf, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.289] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.289] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.289] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.289] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.289] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.289] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.289] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.289] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\messages.json") returned 155 [0115.289] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.289] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.289] lstrlenW (lpString=".json") returned 5 [0115.289] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.289] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0115.291] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=207) returned 1 [0115.291] CloseHandle (hObject=0x16c) returned 1 [0115.291] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x865d1c50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x865d1480, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xcf, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.292] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.292] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\PUSSY.TXT") returned 151 [0115.292] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.292] lstrlenA (lpString="abcd") returned 4 [0115.292] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.293] CloseHandle (hObject=0x184) returned 1 [0115.293] GetProcessHeap () returned 0x4c0000 [0115.293] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.293] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x865d1c50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x865f7db0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x865f7db0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="nl", cAlternateFileName="")) returned 1 [0115.293] lstrcmpiW (lpString1="nl", lpString2="Windows") returned -1 [0115.293] lstrcmpiW (lpString1="nl", lpString2="Program Files") returned -1 [0115.293] lstrcmpiW (lpString1="nl", lpString2="Program Files (x86)") returned -1 [0115.293] lstrcmpiW (lpString1="nl", lpString2="$Recycle.bin") returned 1 [0115.293] lstrcmpiW (lpString1="nl", lpString2="System Volume Information") returned -1 [0115.293] lstrcmpiW (lpString1="nl", lpString2=".") returned 1 [0115.293] lstrcmpiW (lpString1="nl", lpString2="..") returned 1 [0115.293] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl") returned 141 [0115.293] GetProcessHeap () returned 0x4c0000 [0115.293] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.293] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl" [0115.294] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\*" [0115.294] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x865d1c50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x865f7db0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x865f7db0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.294] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.294] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.294] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.294] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.294] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.294] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.294] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x865d1c50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x865f7db0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x865f7db0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.294] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.294] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.294] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.294] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.294] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.294] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.294] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.294] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x865f7db0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x865f8580, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd9, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.294] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.294] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.294] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.294] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.294] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.294] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.294] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.294] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\messages.json") returned 155 [0115.294] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.295] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.295] lstrlenW (lpString=".json") returned 5 [0115.295] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.295] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0115.295] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=217) returned 1 [0115.295] CloseHandle (hObject=0x16c) returned 1 [0115.295] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x865f7db0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x865f8580, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd9, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.295] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.295] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\PUSSY.TXT") returned 151 [0115.295] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.296] lstrlenA (lpString="abcd") returned 4 [0115.296] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.297] CloseHandle (hObject=0x184) returned 1 [0115.297] GetProcessHeap () returned 0x4c0000 [0115.297] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.297] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x865f7db0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8661df10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8661df10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="no", cAlternateFileName="")) returned 1 [0115.297] lstrcmpiW (lpString1="no", lpString2="Windows") returned -1 [0115.297] lstrcmpiW (lpString1="no", lpString2="Program Files") returned -1 [0115.297] lstrcmpiW (lpString1="no", lpString2="Program Files (x86)") returned -1 [0115.297] lstrcmpiW (lpString1="no", lpString2="$Recycle.bin") returned 1 [0115.297] lstrcmpiW (lpString1="no", lpString2="System Volume Information") returned -1 [0115.297] lstrcmpiW (lpString1="no", lpString2=".") returned 1 [0115.297] lstrcmpiW (lpString1="no", lpString2="..") returned 1 [0115.297] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no") returned 141 [0115.297] GetProcessHeap () returned 0x4c0000 [0115.297] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.297] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no" [0115.297] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\*" [0115.297] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x865f7db0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8661df10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8661df10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.297] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.297] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.297] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.297] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.297] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.298] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.298] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x865f7db0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8661df10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8661df10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.298] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.298] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.298] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.298] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.298] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.298] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.298] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.298] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8661df10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8661cf70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfe051a00, ftLastWriteTime.dwHighDateTime=0x1d03f5d, nFileSizeHigh=0x0, nFileSizeLow=0xc3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.298] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.298] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.298] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.298] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.298] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.298] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.298] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.298] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\messages.json") returned 155 [0115.298] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.298] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.298] lstrlenW (lpString=".json") returned 5 [0115.298] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.298] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0115.299] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=195) returned 1 [0115.299] CloseHandle (hObject=0x16c) returned 1 [0115.299] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8661df10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8661cf70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfe051a00, ftLastWriteTime.dwHighDateTime=0x1d03f5d, nFileSizeHigh=0x0, nFileSizeLow=0xc3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.299] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.299] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\PUSSY.TXT") returned 151 [0115.299] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.300] lstrlenA (lpString="abcd") returned 4 [0115.300] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.301] CloseHandle (hObject=0x184) returned 1 [0115.301] GetProcessHeap () returned 0x4c0000 [0115.301] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.301] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8661df10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8661df10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8661df10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="pl", cAlternateFileName="")) returned 1 [0115.301] lstrcmpiW (lpString1="pl", lpString2="Windows") returned -1 [0115.301] lstrcmpiW (lpString1="pl", lpString2="Program Files") returned -1 [0115.301] lstrcmpiW (lpString1="pl", lpString2="Program Files (x86)") returned -1 [0115.301] lstrcmpiW (lpString1="pl", lpString2="$Recycle.bin") returned 1 [0115.301] lstrcmpiW (lpString1="pl", lpString2="System Volume Information") returned -1 [0115.301] lstrcmpiW (lpString1="pl", lpString2=".") returned 1 [0115.301] lstrcmpiW (lpString1="pl", lpString2="..") returned 1 [0115.301] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl") returned 141 [0115.301] GetProcessHeap () returned 0x4c0000 [0115.301] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.301] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl" [0115.301] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\*" [0115.301] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8661df10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8661df10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8661df10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.301] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.301] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.301] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.301] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.301] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.301] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.301] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8661df10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8661df10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8661df10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.302] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.302] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.302] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.302] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.302] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.302] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.302] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.302] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8661df10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8661cf70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd5, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.302] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.302] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.302] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.302] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.302] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.302] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.302] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.302] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\messages.json") returned 155 [0115.302] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.302] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.302] lstrlenW (lpString=".json") returned 5 [0115.302] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.302] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0115.303] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=213) returned 1 [0115.303] CloseHandle (hObject=0x16c) returned 1 [0115.303] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8661df10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8661cf70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd5, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.303] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.303] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\PUSSY.TXT") returned 151 [0115.303] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.303] lstrlenA (lpString="abcd") returned 4 [0115.303] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.304] CloseHandle (hObject=0x184) returned 1 [0115.304] GetProcessHeap () returned 0x4c0000 [0115.304] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.304] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86644070, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86644070, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86644070, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="pt_BR", cAlternateFileName="")) returned 1 [0115.304] lstrcmpiW (lpString1="pt_BR", lpString2="Windows") returned -1 [0115.304] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files") returned 1 [0115.304] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files (x86)") returned 1 [0115.304] lstrcmpiW (lpString1="pt_BR", lpString2="$Recycle.bin") returned 1 [0115.304] lstrcmpiW (lpString1="pt_BR", lpString2="System Volume Information") returned -1 [0115.304] lstrcmpiW (lpString1="pt_BR", lpString2=".") returned 1 [0115.304] lstrcmpiW (lpString1="pt_BR", lpString2="..") returned 1 [0115.304] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR") returned 144 [0115.304] GetProcessHeap () returned 0x4c0000 [0115.304] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.304] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR" [0115.304] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR\\*" [0115.304] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86644070, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86644070, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86644070, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.305] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.305] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.305] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.305] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.305] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.305] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.305] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86644070, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86644070, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86644070, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.305] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.305] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.305] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.305] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.305] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.305] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.305] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.305] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86644070, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86644070, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xce, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.305] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.305] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.305] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.305] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.305] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.305] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.305] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.305] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR\\messages.json") returned 158 [0115.305] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.305] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.305] lstrlenW (lpString=".json") returned 5 [0115.305] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.306] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_br\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0115.306] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=206) returned 1 [0115.306] CloseHandle (hObject=0x16c) returned 1 [0115.306] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86644070, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86644070, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xce, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.307] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.307] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR\\PUSSY.TXT") returned 154 [0115.307] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_br\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.307] lstrlenA (lpString="abcd") returned 4 [0115.307] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.308] CloseHandle (hObject=0x184) returned 1 [0115.308] GetProcessHeap () returned 0x4c0000 [0115.308] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.308] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86644070, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86644070, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86644070, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="pt_PT", cAlternateFileName="")) returned 1 [0115.308] lstrcmpiW (lpString1="pt_PT", lpString2="Windows") returned -1 [0115.308] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files") returned 1 [0115.308] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files (x86)") returned 1 [0115.308] lstrcmpiW (lpString1="pt_PT", lpString2="$Recycle.bin") returned 1 [0115.308] lstrcmpiW (lpString1="pt_PT", lpString2="System Volume Information") returned -1 [0115.308] lstrcmpiW (lpString1="pt_PT", lpString2=".") returned 1 [0115.308] lstrcmpiW (lpString1="pt_PT", lpString2="..") returned 1 [0115.308] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT") returned 144 [0115.308] GetProcessHeap () returned 0x4c0000 [0115.308] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.309] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT" [0115.309] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT\\*" [0115.309] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86644070, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86644070, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86644070, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.309] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.309] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.309] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.309] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.309] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.309] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.309] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86644070, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86644070, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86644070, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.309] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.309] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.309] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.309] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.309] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.309] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.309] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.309] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86644070, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86644070, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.309] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.310] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.310] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.310] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.310] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.310] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.310] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.310] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT\\messages.json") returned 158 [0115.310] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.310] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.310] lstrlenW (lpString=".json") returned 5 [0115.310] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.310] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_pt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0115.310] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=208) returned 1 [0115.310] CloseHandle (hObject=0x16c) returned 1 [0115.310] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86644070, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86644070, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.310] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.310] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT\\PUSSY.TXT") returned 154 [0115.311] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_pt\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.311] lstrlenA (lpString="abcd") returned 4 [0115.311] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.312] CloseHandle (hObject=0x184) returned 1 [0115.312] GetProcessHeap () returned 0x4c0000 [0115.312] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.312] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8666a1d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86690330, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86690330, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ro", cAlternateFileName="")) returned 1 [0115.312] lstrcmpiW (lpString1="ro", lpString2="Windows") returned -1 [0115.312] lstrcmpiW (lpString1="ro", lpString2="Program Files") returned 1 [0115.312] lstrcmpiW (lpString1="ro", lpString2="Program Files (x86)") returned 1 [0115.312] lstrcmpiW (lpString1="ro", lpString2="$Recycle.bin") returned 1 [0115.312] lstrcmpiW (lpString1="ro", lpString2="System Volume Information") returned -1 [0115.312] lstrcmpiW (lpString1="ro", lpString2=".") returned 1 [0115.312] lstrcmpiW (lpString1="ro", lpString2="..") returned 1 [0115.312] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro") returned 141 [0115.312] GetProcessHeap () returned 0x4c0000 [0115.312] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.312] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro" [0115.312] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\*" [0115.312] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8666a1d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86690330, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86690330, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.313] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.313] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.313] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.313] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.313] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.313] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.313] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8666a1d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86690330, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86690330, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.313] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.313] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.313] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.313] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.313] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.313] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.313] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.313] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86690330, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8668fb60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd5, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.313] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.313] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.313] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.313] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.313] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.313] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.313] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.314] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\messages.json") returned 155 [0115.314] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.314] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.314] lstrlenW (lpString=".json") returned 5 [0115.314] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.314] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0115.315] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=213) returned 1 [0115.315] CloseHandle (hObject=0x16c) returned 1 [0115.315] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86690330, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8668fb60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd5, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.315] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.315] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\PUSSY.TXT") returned 151 [0115.315] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.315] lstrlenA (lpString="abcd") returned 4 [0115.315] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.316] CloseHandle (hObject=0x184) returned 1 [0115.316] GetProcessHeap () returned 0x4c0000 [0115.316] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.316] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86690330, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86690330, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86690330, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ru", cAlternateFileName="")) returned 1 [0115.316] lstrcmpiW (lpString1="ru", lpString2="Windows") returned -1 [0115.316] lstrcmpiW (lpString1="ru", lpString2="Program Files") returned 1 [0115.316] lstrcmpiW (lpString1="ru", lpString2="Program Files (x86)") returned 1 [0115.316] lstrcmpiW (lpString1="ru", lpString2="$Recycle.bin") returned 1 [0115.316] lstrcmpiW (lpString1="ru", lpString2="System Volume Information") returned -1 [0115.316] lstrcmpiW (lpString1="ru", lpString2=".") returned 1 [0115.316] lstrcmpiW (lpString1="ru", lpString2="..") returned 1 [0115.316] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru") returned 141 [0115.316] GetProcessHeap () returned 0x4c0000 [0115.316] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.316] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru" [0115.317] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\*" [0115.317] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86690330, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86690330, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86690330, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.317] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.317] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.317] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.317] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.317] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.317] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.317] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86690330, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86690330, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86690330, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.317] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.317] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.317] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.317] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.317] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.317] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.317] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.317] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86690330, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8668fb60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x10a, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.317] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.317] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.318] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.318] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.318] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.318] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.318] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.318] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\messages.json") returned 155 [0115.318] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.318] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.318] lstrlenW (lpString=".json") returned 5 [0115.318] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.318] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0115.318] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=266) returned 1 [0115.318] CloseHandle (hObject=0x16c) returned 1 [0115.318] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86690330, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8668fb60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x10a, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.318] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.318] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\PUSSY.TXT") returned 151 [0115.318] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.319] lstrlenA (lpString="abcd") returned 4 [0115.319] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.320] CloseHandle (hObject=0x184) returned 1 [0115.320] GetProcessHeap () returned 0x4c0000 [0115.320] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.320] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x866b6490, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x866b6490, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x866b6490, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="sk", cAlternateFileName="")) returned 1 [0115.320] lstrcmpiW (lpString1="sk", lpString2="Windows") returned -1 [0115.320] lstrcmpiW (lpString1="sk", lpString2="Program Files") returned 1 [0115.320] lstrcmpiW (lpString1="sk", lpString2="Program Files (x86)") returned 1 [0115.320] lstrcmpiW (lpString1="sk", lpString2="$Recycle.bin") returned 1 [0115.320] lstrcmpiW (lpString1="sk", lpString2="System Volume Information") returned -1 [0115.320] lstrcmpiW (lpString1="sk", lpString2=".") returned 1 [0115.320] lstrcmpiW (lpString1="sk", lpString2="..") returned 1 [0115.320] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk") returned 141 [0115.320] GetProcessHeap () returned 0x4c0000 [0115.320] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.320] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk" [0115.320] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\*" [0115.320] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x866b6490, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x866b6490, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x866b6490, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.321] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.321] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.321] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.321] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.321] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.321] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.321] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x866b6490, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x866b6490, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x866b6490, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.321] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.321] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.321] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.321] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.321] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.321] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.321] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.321] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x866b6490, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x866b6c60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xdd, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.321] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.321] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.321] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.321] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.321] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.321] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.322] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.322] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\messages.json") returned 155 [0115.322] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.322] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.322] lstrlenW (lpString=".json") returned 5 [0115.322] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.322] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0115.323] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=221) returned 1 [0115.323] CloseHandle (hObject=0x16c) returned 1 [0115.323] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x866b6490, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x866b6c60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xdd, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.323] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.323] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\PUSSY.TXT") returned 151 [0115.323] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.323] lstrlenA (lpString="abcd") returned 4 [0115.323] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.324] CloseHandle (hObject=0x184) returned 1 [0115.324] GetProcessHeap () returned 0x4c0000 [0115.324] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.324] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x866b6490, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x866b6490, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x866b6490, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="sl", cAlternateFileName="")) returned 1 [0115.324] lstrcmpiW (lpString1="sl", lpString2="Windows") returned -1 [0115.325] lstrcmpiW (lpString1="sl", lpString2="Program Files") returned 1 [0115.325] lstrcmpiW (lpString1="sl", lpString2="Program Files (x86)") returned 1 [0115.325] lstrcmpiW (lpString1="sl", lpString2="$Recycle.bin") returned 1 [0115.325] lstrcmpiW (lpString1="sl", lpString2="System Volume Information") returned -1 [0115.325] lstrcmpiW (lpString1="sl", lpString2=".") returned 1 [0115.325] lstrcmpiW (lpString1="sl", lpString2="..") returned 1 [0115.325] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl") returned 141 [0115.325] GetProcessHeap () returned 0x4c0000 [0115.325] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.325] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl" [0115.325] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\*" [0115.325] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x866b6490, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x866b6490, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x866b6490, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.325] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.325] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.325] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.325] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.325] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.325] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.325] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x866b6490, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x866b6490, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x866b6490, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.325] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.326] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.326] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.326] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.326] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.326] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.326] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.326] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x866b6490, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x866b6c60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xda, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.326] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.326] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.326] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.326] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.326] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.326] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.326] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.326] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\messages.json") returned 155 [0115.326] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.326] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.326] lstrlenW (lpString=".json") returned 5 [0115.326] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.326] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0115.327] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=218) returned 1 [0115.327] CloseHandle (hObject=0x16c) returned 1 [0115.327] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x866b6490, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x866b6c60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xda, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.327] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.327] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\PUSSY.TXT") returned 151 [0115.327] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.327] lstrlenA (lpString="abcd") returned 4 [0115.327] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.329] CloseHandle (hObject=0x184) returned 1 [0115.329] GetProcessHeap () returned 0x4c0000 [0115.329] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.329] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x866dc5f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x866dc5f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x866dc5f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="sr", cAlternateFileName="")) returned 1 [0115.329] lstrcmpiW (lpString1="sr", lpString2="Windows") returned -1 [0115.329] lstrcmpiW (lpString1="sr", lpString2="Program Files") returned 1 [0115.329] lstrcmpiW (lpString1="sr", lpString2="Program Files (x86)") returned 1 [0115.329] lstrcmpiW (lpString1="sr", lpString2="$Recycle.bin") returned 1 [0115.329] lstrcmpiW (lpString1="sr", lpString2="System Volume Information") returned -1 [0115.329] lstrcmpiW (lpString1="sr", lpString2=".") returned 1 [0115.329] lstrcmpiW (lpString1="sr", lpString2="..") returned 1 [0115.329] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr") returned 141 [0115.329] GetProcessHeap () returned 0x4c0000 [0115.329] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.329] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr" [0115.329] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\*" [0115.329] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x866dc5f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x866dc5f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x866dc5f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.330] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.330] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.330] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.330] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.330] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.330] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.330] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x866dc5f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x866dc5f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x866dc5f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.330] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.330] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.330] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.330] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.330] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.330] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.330] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.330] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x866dc5f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x866db650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.330] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.330] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.330] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.330] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.330] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.330] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.330] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.330] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\messages.json") returned 155 [0115.331] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.331] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.331] lstrlenW (lpString=".json") returned 5 [0115.331] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.331] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0115.332] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=248) returned 1 [0115.332] CloseHandle (hObject=0x16c) returned 1 [0115.332] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x866dc5f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x866db650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.332] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.332] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\PUSSY.TXT") returned 151 [0115.332] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.332] lstrlenA (lpString="abcd") returned 4 [0115.332] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.334] CloseHandle (hObject=0x184) returned 1 [0115.334] GetProcessHeap () returned 0x4c0000 [0115.334] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.334] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x866dc5f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x866dc5f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x866dc5f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="sv", cAlternateFileName="")) returned 1 [0115.334] lstrcmpiW (lpString1="sv", lpString2="Windows") returned -1 [0115.334] lstrcmpiW (lpString1="sv", lpString2="Program Files") returned 1 [0115.334] lstrcmpiW (lpString1="sv", lpString2="Program Files (x86)") returned 1 [0115.334] lstrcmpiW (lpString1="sv", lpString2="$Recycle.bin") returned 1 [0115.334] lstrcmpiW (lpString1="sv", lpString2="System Volume Information") returned -1 [0115.334] lstrcmpiW (lpString1="sv", lpString2=".") returned 1 [0115.334] lstrcmpiW (lpString1="sv", lpString2="..") returned 1 [0115.334] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv") returned 141 [0115.334] GetProcessHeap () returned 0x4c0000 [0115.334] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.334] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv" [0115.334] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\*" [0115.334] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x866dc5f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x866dc5f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x866dc5f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.335] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.335] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.335] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.335] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.335] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.335] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.335] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x866dc5f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x866dc5f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x866dc5f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.335] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.335] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.335] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.335] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.335] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.335] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.335] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.335] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x866dc5f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x866db650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd6, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.335] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.335] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.335] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.335] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.335] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.335] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.335] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.335] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\messages.json") returned 155 [0115.336] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.336] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.336] lstrlenW (lpString=".json") returned 5 [0115.336] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.336] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0115.336] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=214) returned 1 [0115.336] CloseHandle (hObject=0x16c) returned 1 [0115.336] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x866dc5f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x866db650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd6, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.336] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.336] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\PUSSY.TXT") returned 151 [0115.336] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.337] lstrlenA (lpString="abcd") returned 4 [0115.337] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.338] CloseHandle (hObject=0x184) returned 1 [0115.338] GetProcessHeap () returned 0x4c0000 [0115.338] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.338] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x866dc5f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x866dc5f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x866dc5f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="th", cAlternateFileName="")) returned 1 [0115.338] lstrcmpiW (lpString1="th", lpString2="Windows") returned -1 [0115.338] lstrcmpiW (lpString1="th", lpString2="Program Files") returned 1 [0115.338] lstrcmpiW (lpString1="th", lpString2="Program Files (x86)") returned 1 [0115.338] lstrcmpiW (lpString1="th", lpString2="$Recycle.bin") returned 1 [0115.339] lstrcmpiW (lpString1="th", lpString2="System Volume Information") returned 1 [0115.339] lstrcmpiW (lpString1="th", lpString2=".") returned 1 [0115.339] lstrcmpiW (lpString1="th", lpString2="..") returned 1 [0115.339] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th") returned 141 [0115.339] GetProcessHeap () returned 0x4c0000 [0115.339] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.339] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th" [0115.339] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\*" [0115.339] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x866dc5f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x866dc5f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x866dc5f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.339] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.339] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.339] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.339] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.339] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.339] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.339] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x866dc5f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x866dc5f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x866dc5f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.339] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.339] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.340] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.340] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.340] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.340] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.340] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.340] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x866dc5f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x866db650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xfe, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.340] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.340] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.340] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.340] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.340] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.340] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.340] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.340] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\messages.json") returned 155 [0115.340] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.340] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.340] lstrlenW (lpString=".json") returned 5 [0115.340] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.340] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0115.341] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=254) returned 1 [0115.341] CloseHandle (hObject=0x16c) returned 1 [0115.342] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x866dc5f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x866db650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xfe, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.342] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.342] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\PUSSY.TXT") returned 151 [0115.342] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.342] lstrlenA (lpString="abcd") returned 4 [0115.342] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.343] CloseHandle (hObject=0x184) returned 1 [0115.343] GetProcessHeap () returned 0x4c0000 [0115.343] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.343] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x866dc5f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x866dc5f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x866dc5f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="tr", cAlternateFileName="")) returned 1 [0115.344] lstrcmpiW (lpString1="tr", lpString2="Windows") returned -1 [0115.344] lstrcmpiW (lpString1="tr", lpString2="Program Files") returned 1 [0115.344] lstrcmpiW (lpString1="tr", lpString2="Program Files (x86)") returned 1 [0115.344] lstrcmpiW (lpString1="tr", lpString2="$Recycle.bin") returned 1 [0115.344] lstrcmpiW (lpString1="tr", lpString2="System Volume Information") returned 1 [0115.344] lstrcmpiW (lpString1="tr", lpString2=".") returned 1 [0115.344] lstrcmpiW (lpString1="tr", lpString2="..") returned 1 [0115.344] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr") returned 141 [0115.344] GetProcessHeap () returned 0x4c0000 [0115.344] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.344] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr" [0115.344] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\*" [0115.344] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x866dc5f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x866dc5f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x866dc5f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.344] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.344] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.344] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.344] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.345] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.345] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.345] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x866dc5f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x866dc5f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x866dc5f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.345] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.345] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.345] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.345] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.345] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.345] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.345] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.345] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x866dc5f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x866db650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.345] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.345] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.345] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.345] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.345] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.345] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.345] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.345] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\messages.json") returned 155 [0115.345] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.345] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.345] lstrlenW (lpString=".json") returned 5 [0115.345] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.345] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0115.346] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=227) returned 1 [0115.346] CloseHandle (hObject=0x16c) returned 1 [0115.346] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x866dc5f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x866db650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.346] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.346] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\PUSSY.TXT") returned 151 [0115.346] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.347] lstrlenA (lpString="abcd") returned 4 [0115.347] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.348] CloseHandle (hObject=0x184) returned 1 [0115.348] GetProcessHeap () returned 0x4c0000 [0115.348] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.348] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x866dc5f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86702750, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86702750, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="uk", cAlternateFileName="")) returned 1 [0115.348] lstrcmpiW (lpString1="uk", lpString2="Windows") returned -1 [0115.348] lstrcmpiW (lpString1="uk", lpString2="Program Files") returned 1 [0115.348] lstrcmpiW (lpString1="uk", lpString2="Program Files (x86)") returned 1 [0115.348] lstrcmpiW (lpString1="uk", lpString2="$Recycle.bin") returned 1 [0115.348] lstrcmpiW (lpString1="uk", lpString2="System Volume Information") returned 1 [0115.348] lstrcmpiW (lpString1="uk", lpString2=".") returned 1 [0115.348] lstrcmpiW (lpString1="uk", lpString2="..") returned 1 [0115.348] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk") returned 141 [0115.348] GetProcessHeap () returned 0x4c0000 [0115.348] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.348] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk" [0115.348] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\*" [0115.348] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x866dc5f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86702750, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86702750, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.349] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.349] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.349] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.349] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.349] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.349] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.349] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x866dc5f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86702750, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86702750, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.349] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.349] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.349] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.349] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.349] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.349] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.349] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.349] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86702750, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86702750, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x108, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.349] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.349] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.349] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.349] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.349] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.350] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.350] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.350] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\messages.json") returned 155 [0115.350] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.350] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.350] lstrlenW (lpString=".json") returned 5 [0115.350] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.350] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0115.351] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=264) returned 1 [0115.351] CloseHandle (hObject=0x16c) returned 1 [0115.351] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86702750, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86702750, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x108, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.351] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.351] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\PUSSY.TXT") returned 151 [0115.351] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.352] lstrlenA (lpString="abcd") returned 4 [0115.352] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.353] CloseHandle (hObject=0x184) returned 1 [0115.353] GetProcessHeap () returned 0x4c0000 [0115.353] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.353] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86702750, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86702750, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86702750, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="vi", cAlternateFileName="")) returned 1 [0115.353] lstrcmpiW (lpString1="vi", lpString2="Windows") returned -1 [0115.353] lstrcmpiW (lpString1="vi", lpString2="Program Files") returned 1 [0115.353] lstrcmpiW (lpString1="vi", lpString2="Program Files (x86)") returned 1 [0115.353] lstrcmpiW (lpString1="vi", lpString2="$Recycle.bin") returned 1 [0115.353] lstrcmpiW (lpString1="vi", lpString2="System Volume Information") returned 1 [0115.353] lstrcmpiW (lpString1="vi", lpString2=".") returned 1 [0115.353] lstrcmpiW (lpString1="vi", lpString2="..") returned 1 [0115.353] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi") returned 141 [0115.353] GetProcessHeap () returned 0x4c0000 [0115.353] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.353] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi" [0115.353] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\*" [0115.354] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86702750, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86702750, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86702750, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.354] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.354] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.354] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.354] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.354] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.354] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.354] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86702750, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86702750, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86702750, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.354] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.354] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.354] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.354] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.354] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.354] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.354] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.354] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86702750, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86702750, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe1, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.354] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.354] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.354] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.355] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.355] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.355] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.355] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.355] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\messages.json") returned 155 [0115.355] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.355] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.355] lstrlenW (lpString=".json") returned 5 [0115.355] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.355] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0115.355] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=225) returned 1 [0115.355] CloseHandle (hObject=0x16c) returned 1 [0115.355] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86702750, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86702750, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe1, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.355] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.356] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\PUSSY.TXT") returned 151 [0115.356] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.356] lstrlenA (lpString="abcd") returned 4 [0115.356] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.357] CloseHandle (hObject=0x184) returned 1 [0115.357] GetProcessHeap () returned 0x4c0000 [0115.357] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.357] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86702750, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86702750, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86702750, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="zh_CN", cAlternateFileName="")) returned 1 [0115.357] lstrcmpiW (lpString1="zh_CN", lpString2="Windows") returned 1 [0115.357] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files") returned 1 [0115.357] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files (x86)") returned 1 [0115.357] lstrcmpiW (lpString1="zh_CN", lpString2="$Recycle.bin") returned 1 [0115.358] lstrcmpiW (lpString1="zh_CN", lpString2="System Volume Information") returned 1 [0115.358] lstrcmpiW (lpString1="zh_CN", lpString2=".") returned 1 [0115.358] lstrcmpiW (lpString1="zh_CN", lpString2="..") returned 1 [0115.358] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN") returned 144 [0115.358] GetProcessHeap () returned 0x4c0000 [0115.358] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.358] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN" [0115.358] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN\\*" [0115.358] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86702750, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86702750, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86702750, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.358] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.358] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.358] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.358] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.358] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.358] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.358] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86702750, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86702750, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86702750, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.359] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.359] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.359] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.359] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.359] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.359] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.359] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.359] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86702750, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86702750, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xce, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.359] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.359] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.359] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.359] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.359] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.359] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.359] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.359] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN\\messages.json") returned 158 [0115.359] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.359] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.359] lstrlenW (lpString=".json") returned 5 [0115.359] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.359] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_cn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0115.360] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=206) returned 1 [0115.360] CloseHandle (hObject=0x16c) returned 1 [0115.360] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86702750, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86702750, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xce, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.360] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.360] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN\\PUSSY.TXT") returned 154 [0115.360] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_cn\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.360] lstrlenA (lpString="abcd") returned 4 [0115.360] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.362] CloseHandle (hObject=0x184) returned 1 [0115.362] GetProcessHeap () returned 0x4c0000 [0115.362] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.362] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86702750, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86702750, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86702750, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="zh_TW", cAlternateFileName="")) returned 1 [0115.362] lstrcmpiW (lpString1="zh_TW", lpString2="Windows") returned 1 [0115.362] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files") returned 1 [0115.362] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files (x86)") returned 1 [0115.362] lstrcmpiW (lpString1="zh_TW", lpString2="$Recycle.bin") returned 1 [0115.362] lstrcmpiW (lpString1="zh_TW", lpString2="System Volume Information") returned 1 [0115.362] lstrcmpiW (lpString1="zh_TW", lpString2=".") returned 1 [0115.362] lstrcmpiW (lpString1="zh_TW", lpString2="..") returned 1 [0115.362] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW") returned 144 [0115.362] GetProcessHeap () returned 0x4c0000 [0115.362] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.362] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW" [0115.362] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW\\*" [0115.362] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86702750, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86702750, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86702750, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.363] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.363] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.363] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.363] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.363] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.363] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.363] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86702750, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86702750, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86702750, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.363] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.363] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.363] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.363] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.363] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.363] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.363] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.363] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86702750, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86702750, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xce, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.363] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.363] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.363] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.363] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.363] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.363] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.363] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.363] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW\\messages.json") returned 158 [0115.363] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.363] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.364] lstrlenW (lpString=".json") returned 5 [0115.364] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.364] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_tw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0115.364] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=206) returned 1 [0115.364] CloseHandle (hObject=0x16c) returned 1 [0115.364] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86702750, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86702750, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xce, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.364] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.364] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW\\PUSSY.TXT") returned 154 [0115.364] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_tw\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.365] lstrlenA (lpString="abcd") returned 4 [0115.365] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.366] CloseHandle (hObject=0x184) returned 1 [0115.366] GetProcessHeap () returned 0x4c0000 [0115.366] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.366] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86702750, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86702750, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86702750, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="zh_TW", cAlternateFileName="")) returned 0 [0115.366] FindClose (in: hFindFile=0x3bb71e0 | out: hFindFile=0x3bb71e0) returned 1 [0115.366] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\PUSSY.TXT") returned 148 [0115.366] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0115.367] lstrlenA (lpString="abcd") returned 4 [0115.367] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2899ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x2899ac*=0x4, lpOverlapped=0x0) returned 1 [0115.368] CloseHandle (hObject=0x1b0) returned 1 [0115.368] GetProcessHeap () returned 0x4c0000 [0115.368] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0115.372] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x867288b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8687f510, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8687f510, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="_metadata", cAlternateFileName="_METAD~1")) returned 1 [0115.372] lstrcmpiW (lpString1="_metadata", lpString2="Windows") returned -1 [0115.372] lstrcmpiW (lpString1="_metadata", lpString2="Program Files") returned -1 [0115.372] lstrcmpiW (lpString1="_metadata", lpString2="Program Files (x86)") returned -1 [0115.372] lstrcmpiW (lpString1="_metadata", lpString2="$Recycle.bin") returned 1 [0115.372] lstrcmpiW (lpString1="_metadata", lpString2="System Volume Information") returned -1 [0115.372] lstrcmpiW (lpString1="_metadata", lpString2=".") returned 1 [0115.372] lstrcmpiW (lpString1="_metadata", lpString2="..") returned 1 [0115.372] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata") returned 139 [0115.372] GetProcessHeap () returned 0x4c0000 [0115.372] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0115.373] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata" [0115.373] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\*" [0115.374] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\*", lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x867288b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8687f510, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8687f510, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb71e0 [0115.374] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.374] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.374] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.374] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.374] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.374] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.374] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x867288b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8687f510, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8687f510, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0115.374] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.374] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.374] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.375] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.375] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.375] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.375] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.375] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8687f510, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8687f510, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8687f510, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x160, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="computed_hashes.json", cAlternateFileName="COMPUT~1.JSO")) returned 1 [0115.375] lstrcmpiW (lpString1="computed_hashes.json", lpString2="Windows") returned -1 [0115.375] lstrcmpiW (lpString1="computed_hashes.json", lpString2="Program Files") returned -1 [0115.375] lstrcmpiW (lpString1="computed_hashes.json", lpString2="Program Files (x86)") returned -1 [0115.375] lstrcmpiW (lpString1="computed_hashes.json", lpString2="$Recycle.bin") returned 1 [0115.375] lstrcmpiW (lpString1="computed_hashes.json", lpString2="System Volume Information") returned -1 [0115.375] lstrcmpiW (lpString1="computed_hashes.json", lpString2=".") returned 1 [0115.375] lstrcmpiW (lpString1="computed_hashes.json", lpString2="..") returned 1 [0115.375] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\computed_hashes.json") returned 160 [0115.375] lstrcmpW (lpString1="computed_hashes.json", lpString2="PUSSY.TXT") returned -1 [0115.375] PathFindExtensionW (pszPath="computed_hashes.json") returned=".json" [0115.375] lstrlenW (lpString=".json") returned 5 [0115.375] SystemFunction036 (in: RandomBuffer=0x289644, RandomBufferLength=0x20 | out: RandomBuffer=0x289644) returned 1 [0115.375] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\computed_hashes.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\computed_hashes.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0115.377] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x289638 | out: lpFileSize=0x289638*=352) returned 1 [0115.377] CloseHandle (hObject=0x184) returned 1 [0115.377] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x867288b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86727140, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfe051a00, ftLastWriteTime.dwHighDateTime=0x1d03f5d, nFileSizeHigh=0x0, nFileSizeLow=0x2b56, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="verified_contents.json", cAlternateFileName="VERIFI~1.JSO")) returned 1 [0115.377] lstrcmpiW (lpString1="verified_contents.json", lpString2="Windows") returned -1 [0115.377] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files") returned 1 [0115.377] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files (x86)") returned 1 [0115.377] lstrcmpiW (lpString1="verified_contents.json", lpString2="$Recycle.bin") returned 1 [0115.377] lstrcmpiW (lpString1="verified_contents.json", lpString2="System Volume Information") returned 1 [0115.377] lstrcmpiW (lpString1="verified_contents.json", lpString2=".") returned 1 [0115.377] lstrcmpiW (lpString1="verified_contents.json", lpString2="..") returned 1 [0115.377] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\verified_contents.json") returned 162 [0115.377] lstrcmpW (lpString1="verified_contents.json", lpString2="PUSSY.TXT") returned 1 [0115.377] PathFindExtensionW (pszPath="verified_contents.json") returned=".json" [0115.377] lstrlenW (lpString=".json") returned 5 [0115.377] SystemFunction036 (in: RandomBuffer=0x289644, RandomBufferLength=0x20 | out: RandomBuffer=0x289644) returned 1 [0115.378] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\verified_contents.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0115.378] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x289638 | out: lpFileSize=0x289638*=11094) returned 1 [0115.378] GetProcessHeap () returned 0x4c0000 [0115.378] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3ca0008 [0115.394] wsprintfW (in: param_1=0x289686, param_2="%02X" | out: param_1="0E") returned 2 [0115.394] wsprintfW (in: param_1=0x28968a, param_2="%02X" | out: param_1="D9") returned 2 [0115.394] wsprintfW (in: param_1=0x28968e, param_2="%02X" | out: param_1="71") returned 2 [0115.394] wsprintfW (in: param_1=0x289692, param_2="%02X" | out: param_1="62") returned 2 [0115.394] wsprintfW (in: param_1=0x289696, param_2="%02X" | out: param_1="83") returned 2 [0115.394] wsprintfW (in: param_1=0x28969a, param_2="%02X" | out: param_1="B7") returned 2 [0115.395] wsprintfW (in: param_1=0x28969e, param_2="%02X" | out: param_1="C0") returned 2 [0115.395] wsprintfW (in: param_1=0x2896a2, param_2="%02X" | out: param_1="78") returned 2 [0115.395] wsprintfW (in: param_1=0x2896a6, param_2="%02X" | out: param_1="29") returned 2 [0115.395] wsprintfW (in: param_1=0x2896aa, param_2="%02X" | out: param_1="93") returned 2 [0115.395] wsprintfW (in: param_1=0x2896ae, param_2="%02X" | out: param_1="85") returned 2 [0115.395] wsprintfW (in: param_1=0x2896b2, param_2="%02X" | out: param_1="C9") returned 2 [0115.395] wsprintfW (in: param_1=0x2896b6, param_2="%02X" | out: param_1="2C") returned 2 [0115.395] wsprintfW (in: param_1=0x2896ba, param_2="%02X" | out: param_1="59") returned 2 [0115.395] wsprintfW (in: param_1=0x2896be, param_2="%02X" | out: param_1="20") returned 2 [0115.395] wsprintfW (in: param_1=0x2896c2, param_2="%02X" | out: param_1="04") returned 2 [0115.395] wsprintfW (in: param_1=0x2896c6, param_2="%02X" | out: param_1="69") returned 2 [0115.395] wsprintfW (in: param_1=0x2896ca, param_2="%02X" | out: param_1="41") returned 2 [0115.395] wsprintfW (in: param_1=0x2896ce, param_2="%02X" | out: param_1="F7") returned 2 [0115.395] wsprintfW (in: param_1=0x2896d2, param_2="%02X" | out: param_1="C9") returned 2 [0115.395] wsprintfW (in: param_1=0x2896d6, param_2="%02X" | out: param_1="65") returned 2 [0115.395] wsprintfW (in: param_1=0x2896da, param_2="%02X" | out: param_1="B8") returned 2 [0115.395] wsprintfW (in: param_1=0x2896de, param_2="%02X" | out: param_1="85") returned 2 [0115.395] wsprintfW (in: param_1=0x2896e2, param_2="%02X" | out: param_1="FC") returned 2 [0115.395] wsprintfW (in: param_1=0x2896e6, param_2="%02X" | out: param_1="2B") returned 2 [0115.395] wsprintfW (in: param_1=0x2896ea, param_2="%02X" | out: param_1="85") returned 2 [0115.395] wsprintfW (in: param_1=0x2896ee, param_2="%02X" | out: param_1="3A") returned 2 [0115.395] wsprintfW (in: param_1=0x2896f2, param_2="%02X" | out: param_1="EF") returned 2 [0115.395] wsprintfW (in: param_1=0x2896f6, param_2="%02X" | out: param_1="52") returned 2 [0115.395] wsprintfW (in: param_1=0x2896fa, param_2="%02X" | out: param_1="04") returned 2 [0115.395] wsprintfW (in: param_1=0x2896fe, param_2="%02X" | out: param_1="E5") returned 2 [0115.395] wsprintfW (in: param_1=0x289702, param_2="%02X" | out: param_1="05") returned 2 [0115.408] lstrcpyW (in: lpString1=0x3cb003c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\verified_contents.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\verified_contents.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\verified_contents.json" [0115.408] lstrcpyW (in: lpString1=0x3ca003c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\verified_contents.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\verified_contents.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\verified_contents.json" [0115.408] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\verified_contents.json", lpString2=".0ED9716283B7C078299385C92C5920046941F7C965B885FC2B853AEF5204E505" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\verified_contents.json.0ED9716283B7C078299385C92C5920046941F7C965B885FC2B853AEF5204E505") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\verified_contents.json.0ED9716283B7C078299385C92C5920046941F7C965B885FC2B853AEF5204E505" [0115.408] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x3ca0008, NumberOfConcurrentThreads=0x0) returned 0x94 [0115.408] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3ca0008, lpOverlapped=0x3ca0008) returned 1 [0115.421] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x867288b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86727140, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfe051a00, ftLastWriteTime.dwHighDateTime=0x1d03f5d, nFileSizeHigh=0x0, nFileSizeLow=0x2b56, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="verified_contents.json", cAlternateFileName="VERIFI~1.JSO")) returned 0 [0115.421] FindClose (in: hFindFile=0x3bb71e0 | out: hFindFile=0x3bb71e0) returned 1 [0115.421] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\PUSSY.TXT") returned 149 [0115.421] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0115.570] lstrlenA (lpString="abcd") returned 4 [0115.571] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2899ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x2899ac*=0x4, lpOverlapped=0x0) returned 1 [0115.572] CloseHandle (hObject=0x1b0) returned 1 [0115.572] GetProcessHeap () returned 0x4c0000 [0115.572] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0115.572] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x867288b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8687f510, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8687f510, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="_metadata", cAlternateFileName="_METAD~1")) returned 0 [0115.572] FindClose (in: hFindFile=0x3bb71a0 | out: hFindFile=0x3bb71a0) returned 1 [0115.572] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\PUSSY.TXT") returned 139 [0115.572] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0115.573] lstrlenA (lpString="abcd") returned 4 [0115.573] WriteFile (in: hFile=0x178, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a14c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a14c*=0x4, lpOverlapped=0x0) returned 1 [0115.574] CloseHandle (hObject=0x178) returned 1 [0115.574] GetProcessHeap () returned 0x4c0000 [0115.574] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0115.577] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x864c72b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86833250, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86833250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="0.9_0", cAlternateFileName="")) returned 0 [0115.577] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0115.577] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\PUSSY.TXT") returned 133 [0115.577] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0115.577] lstrlenA (lpString="abcd") returned 4 [0115.577] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a8ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a8ec*=0x4, lpOverlapped=0x0) returned 1 [0115.579] CloseHandle (hObject=0x18c) returned 1 [0115.579] GetProcessHeap () returned 0x4c0000 [0115.579] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bd80e8 | out: hHeap=0x4c0000) returned 1 [0115.579] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x819d0bd0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x916d8210, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x916d8210, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="apdfllckaahabafndbhieahigkjlhalf", cAlternateFileName="APDFLL~1")) returned 1 [0115.579] lstrcmpiW (lpString1="apdfllckaahabafndbhieahigkjlhalf", lpString2="Windows") returned -1 [0115.579] lstrcmpiW (lpString1="apdfllckaahabafndbhieahigkjlhalf", lpString2="Program Files") returned -1 [0115.579] lstrcmpiW (lpString1="apdfllckaahabafndbhieahigkjlhalf", lpString2="Program Files (x86)") returned -1 [0115.579] lstrcmpiW (lpString1="apdfllckaahabafndbhieahigkjlhalf", lpString2="$Recycle.bin") returned 1 [0115.579] lstrcmpiW (lpString1="apdfllckaahabafndbhieahigkjlhalf", lpString2="System Volume Information") returned -1 [0115.579] lstrcmpiW (lpString1="apdfllckaahabafndbhieahigkjlhalf", lpString2=".") returned 1 [0115.579] lstrcmpiW (lpString1="apdfllckaahabafndbhieahigkjlhalf", lpString2="..") returned 1 [0115.579] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf") returned 123 [0115.579] GetProcessHeap () returned 0x4c0000 [0115.579] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bd80e8 [0115.580] lstrcpyW (in: lpString1=0x3bd80e8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf" [0115.580] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\*" [0115.580] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\*", lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x819d0bd0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x916d8210, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x916d8210, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0115.580] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.580] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.580] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.580] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.580] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.580] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.580] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x819d0bd0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x916d8210, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x916d8210, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0115.580] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.580] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.580] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.580] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.581] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.581] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.581] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.581] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86e26950, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x871928f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="14.1_0", cAlternateFileName="")) returned 1 [0115.581] lstrcmpiW (lpString1="14.1_0", lpString2="Windows") returned -1 [0115.581] lstrcmpiW (lpString1="14.1_0", lpString2="Program Files") returned -1 [0115.581] lstrcmpiW (lpString1="14.1_0", lpString2="Program Files (x86)") returned -1 [0115.581] lstrcmpiW (lpString1="14.1_0", lpString2="$Recycle.bin") returned 1 [0115.581] lstrcmpiW (lpString1="14.1_0", lpString2="System Volume Information") returned -1 [0115.581] lstrcmpiW (lpString1="14.1_0", lpString2=".") returned 1 [0115.581] lstrcmpiW (lpString1="14.1_0", lpString2="..") returned 1 [0115.581] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0") returned 130 [0115.581] GetProcessHeap () returned 0x4c0000 [0115.581] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x502a88 [0115.582] lstrcpyW (in: lpString1=0x502a88, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0" [0115.582] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\*" [0115.582] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\*", lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86e26950, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x871928f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb71a0 [0115.589] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.589] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.589] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.589] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.589] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.589] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.589] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86e26950, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x871928f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.590] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.590] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.590] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.590] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.590] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.590] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.590] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.590] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86e26950, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x871928f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x1a33, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="128.png", cAlternateFileName="")) returned 1 [0115.590] lstrcmpiW (lpString1="128.png", lpString2="Windows") returned -1 [0115.590] lstrcmpiW (lpString1="128.png", lpString2="Program Files") returned -1 [0115.590] lstrcmpiW (lpString1="128.png", lpString2="Program Files (x86)") returned -1 [0115.590] lstrcmpiW (lpString1="128.png", lpString2="$Recycle.bin") returned 1 [0115.590] lstrcmpiW (lpString1="128.png", lpString2="System Volume Information") returned -1 [0115.590] lstrcmpiW (lpString1="128.png", lpString2=".") returned 1 [0115.590] lstrcmpiW (lpString1="128.png", lpString2="..") returned 1 [0115.590] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png") returned 138 [0115.590] lstrcmpW (lpString1="128.png", lpString2="PUSSY.TXT") returned -1 [0115.590] PathFindExtensionW (pszPath="128.png") returned=".png" [0115.590] lstrlenW (lpString=".png") returned 4 [0115.590] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0115.590] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0115.592] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=6707) returned 1 [0115.592] GetProcessHeap () returned 0x4c0000 [0115.592] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3ca0008 [0115.604] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="A0") returned 2 [0115.604] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="16") returned 2 [0115.604] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="A1") returned 2 [0115.604] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="D7") returned 2 [0115.604] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="A6") returned 2 [0115.604] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="5D") returned 2 [0115.604] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="E3") returned 2 [0115.604] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="33") returned 2 [0115.604] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="99") returned 2 [0115.604] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="DE") returned 2 [0115.604] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="2E") returned 2 [0115.604] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="62") returned 2 [0115.604] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="87") returned 2 [0115.604] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="E5") returned 2 [0115.604] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="E1") returned 2 [0115.604] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="D3") returned 2 [0115.604] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="44") returned 2 [0115.604] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="3D") returned 2 [0115.605] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="36") returned 2 [0115.605] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="76") returned 2 [0115.605] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="86") returned 2 [0115.605] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="07") returned 2 [0115.605] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="AF") returned 2 [0115.605] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="C0") returned 2 [0115.605] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="77") returned 2 [0115.605] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="21") returned 2 [0115.605] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="47") returned 2 [0115.605] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="AD") returned 2 [0115.605] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="27") returned 2 [0115.605] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="82") returned 2 [0115.605] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="8D") returned 2 [0115.605] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="4E") returned 2 [0115.620] lstrcpyW (in: lpString1=0x3cb003c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png" [0115.620] lstrcpyW (in: lpString1=0x3ca003c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png" [0115.620] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png", lpString2=".A016A1D7A65DE33399DE2E6287E5E1D3443D36768607AFC0772147AD27828D4E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png.A016A1D7A65DE33399DE2E6287E5E1D3443D36768607AFC0772147AD27828D4E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png.A016A1D7A65DE33399DE2E6287E5E1D3443D36768607AFC0772147AD27828D4E" [0115.620] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x3ca0008, NumberOfConcurrentThreads=0x0) returned 0x94 [0115.620] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3ca0008, lpOverlapped=0x3ca0008) returned 1 [0115.620] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86e26950, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x87016300, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8716c790, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x3ec, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="manifest.json", cAlternateFileName="MANIFE~1.JSO")) returned 1 [0115.620] lstrcmpiW (lpString1="manifest.json", lpString2="Windows") returned -1 [0115.620] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files") returned -1 [0115.621] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files (x86)") returned -1 [0115.621] lstrcmpiW (lpString1="manifest.json", lpString2="$Recycle.bin") returned 1 [0115.621] lstrcmpiW (lpString1="manifest.json", lpString2="System Volume Information") returned -1 [0115.621] lstrcmpiW (lpString1="manifest.json", lpString2=".") returned 1 [0115.621] lstrcmpiW (lpString1="manifest.json", lpString2="..") returned 1 [0115.621] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\manifest.json") returned 144 [0115.621] lstrcmpW (lpString1="manifest.json", lpString2="PUSSY.TXT") returned -1 [0115.621] PathFindExtensionW (pszPath="manifest.json") returned=".json" [0115.621] lstrlenW (lpString=".json") returned 5 [0115.621] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0115.621] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\manifest.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0115.622] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=1004) returned 1 [0115.622] GetProcessHeap () returned 0x4c0000 [0115.622] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x53caf0 [0115.637] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="BA") returned 2 [0115.637] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="75") returned 2 [0115.637] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="81") returned 2 [0115.637] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="34") returned 2 [0115.637] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="09") returned 2 [0115.637] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="3C") returned 2 [0115.637] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="EE") returned 2 [0115.637] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="3B") returned 2 [0115.637] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="B1") returned 2 [0115.637] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="B6") returned 2 [0115.637] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="7E") returned 2 [0115.637] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="F5") returned 2 [0115.637] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="00") returned 2 [0115.637] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="57") returned 2 [0115.637] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="3B") returned 2 [0115.637] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="7F") returned 2 [0115.637] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="01") returned 2 [0115.638] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="CE") returned 2 [0115.638] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="A1") returned 2 [0115.638] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="79") returned 2 [0115.638] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="D5") returned 2 [0115.638] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="8B") returned 2 [0115.638] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="F2") returned 2 [0115.638] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="83") returned 2 [0115.638] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="FA") returned 2 [0115.638] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="41") returned 2 [0115.638] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="5E") returned 2 [0115.638] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="35") returned 2 [0115.638] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="67") returned 2 [0115.638] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="25") returned 2 [0115.638] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="C0") returned 2 [0115.638] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="18") returned 2 [0115.651] lstrcpyW (in: lpString1=0x54cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\manifest.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\manifest.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\manifest.json" [0115.651] lstrcpyW (in: lpString1=0x53cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\manifest.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\manifest.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\manifest.json" [0115.651] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\manifest.json", lpString2=".BA758134093CEE3BB1B67EF500573B7F01CEA179D58BF283FA415E356725C018" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\manifest.json.BA758134093CEE3BB1B67EF500573B7F01CEA179D58BF283FA415E356725C018") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\manifest.json.BA758134093CEE3BB1B67EF500573B7F01CEA179D58BF283FA415E356725C018" [0115.651] CreateIoCompletionPort (FileHandle=0x1b0, ExistingCompletionPort=0x94, CompletionKey=0x53caf0, NumberOfConcurrentThreads=0x0) returned 0x94 [0115.651] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x53caf0, lpOverlapped=0x53caf0) returned 1 [0115.651] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86e26950, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86fef9d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86fef9d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="_locales", cAlternateFileName="")) returned 1 [0115.651] lstrcmpiW (lpString1="_locales", lpString2="Windows") returned -1 [0115.652] lstrcmpiW (lpString1="_locales", lpString2="Program Files") returned -1 [0115.652] lstrcmpiW (lpString1="_locales", lpString2="Program Files (x86)") returned -1 [0115.652] lstrcmpiW (lpString1="_locales", lpString2="$Recycle.bin") returned 1 [0115.652] lstrcmpiW (lpString1="_locales", lpString2="System Volume Information") returned -1 [0115.652] lstrcmpiW (lpString1="_locales", lpString2=".") returned 1 [0115.652] lstrcmpiW (lpString1="_locales", lpString2="..") returned 1 [0115.652] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales") returned 139 [0115.652] GetProcessHeap () returned 0x4c0000 [0115.652] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0115.652] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales" [0115.652] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\*" [0115.652] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\*", lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86e26950, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86fef9d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86fef9d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb71e0 [0115.682] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.682] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.682] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.682] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.682] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.682] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.682] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86e26950, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86fef9d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86fef9d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0115.683] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.683] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.683] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.683] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.683] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.683] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.683] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.683] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86e4cab0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e4cab0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86e4cab0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ar", cAlternateFileName="")) returned 1 [0115.683] lstrcmpiW (lpString1="ar", lpString2="Windows") returned -1 [0115.683] lstrcmpiW (lpString1="ar", lpString2="Program Files") returned -1 [0115.683] lstrcmpiW (lpString1="ar", lpString2="Program Files (x86)") returned -1 [0115.683] lstrcmpiW (lpString1="ar", lpString2="$Recycle.bin") returned 1 [0115.683] lstrcmpiW (lpString1="ar", lpString2="System Volume Information") returned -1 [0115.683] lstrcmpiW (lpString1="ar", lpString2=".") returned 1 [0115.683] lstrcmpiW (lpString1="ar", lpString2="..") returned 1 [0115.683] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar") returned 142 [0115.684] GetProcessHeap () returned 0x4c0000 [0115.684] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.684] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar" [0115.684] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\*" [0115.684] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86e4cab0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e4cab0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86e4cab0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.684] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.685] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.685] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.685] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.685] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.685] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.685] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86e4cab0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e4cab0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86e4cab0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.685] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.685] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.685] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.685] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.685] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.685] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.685] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.685] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86e4cab0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e4da50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x116, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.685] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.685] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.685] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.685] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.685] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.685] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.685] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.685] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\messages.json") returned 156 [0115.686] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.686] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.686] lstrlenW (lpString=".json") returned 5 [0115.686] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.686] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0115.689] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=278) returned 1 [0115.689] CloseHandle (hObject=0x1b0) returned 1 [0115.689] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86e4cab0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e4da50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x116, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.689] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.689] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\PUSSY.TXT") returned 152 [0115.689] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.690] lstrlenA (lpString="abcd") returned 4 [0115.690] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.691] CloseHandle (hObject=0x184) returned 1 [0115.691] GetProcessHeap () returned 0x4c0000 [0115.691] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.691] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86e4cab0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e4cab0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86e4cab0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="bg", cAlternateFileName="")) returned 1 [0115.691] lstrcmpiW (lpString1="bg", lpString2="Windows") returned -1 [0115.691] lstrcmpiW (lpString1="bg", lpString2="Program Files") returned -1 [0115.691] lstrcmpiW (lpString1="bg", lpString2="Program Files (x86)") returned -1 [0115.691] lstrcmpiW (lpString1="bg", lpString2="$Recycle.bin") returned 1 [0115.691] lstrcmpiW (lpString1="bg", lpString2="System Volume Information") returned -1 [0115.692] lstrcmpiW (lpString1="bg", lpString2=".") returned 1 [0115.692] lstrcmpiW (lpString1="bg", lpString2="..") returned 1 [0115.692] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg") returned 142 [0115.692] GetProcessHeap () returned 0x4c0000 [0115.692] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.692] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg" [0115.692] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\*" [0115.692] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86e4cab0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e4cab0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86e4cab0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.692] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.692] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.692] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.692] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.692] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.692] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.692] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86e4cab0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e4cab0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86e4cab0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.692] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.693] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.693] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.693] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.693] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.693] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.693] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.693] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86e4cab0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e4da50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x13f, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.693] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.693] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.693] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.693] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.693] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.693] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.693] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.693] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\messages.json") returned 156 [0115.693] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.693] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.693] lstrlenW (lpString=".json") returned 5 [0115.693] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.693] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0115.694] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=319) returned 1 [0115.694] CloseHandle (hObject=0x1b0) returned 1 [0115.694] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86e4cab0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e4da50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x13f, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.694] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.694] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\PUSSY.TXT") returned 152 [0115.694] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.695] lstrlenA (lpString="abcd") returned 4 [0115.695] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.696] CloseHandle (hObject=0x184) returned 1 [0115.696] GetProcessHeap () returned 0x4c0000 [0115.696] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.696] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86e4cab0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e4cab0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86e4cab0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ca", cAlternateFileName="")) returned 1 [0115.696] lstrcmpiW (lpString1="ca", lpString2="Windows") returned -1 [0115.696] lstrcmpiW (lpString1="ca", lpString2="Program Files") returned -1 [0115.696] lstrcmpiW (lpString1="ca", lpString2="Program Files (x86)") returned -1 [0115.696] lstrcmpiW (lpString1="ca", lpString2="$Recycle.bin") returned 1 [0115.696] lstrcmpiW (lpString1="ca", lpString2="System Volume Information") returned -1 [0115.696] lstrcmpiW (lpString1="ca", lpString2=".") returned 1 [0115.696] lstrcmpiW (lpString1="ca", lpString2="..") returned 1 [0115.696] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca") returned 142 [0115.696] GetProcessHeap () returned 0x4c0000 [0115.696] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.696] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca" [0115.697] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\*" [0115.697] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86e4cab0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e4cab0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86e4cab0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.697] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.697] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.697] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.697] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.697] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.697] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.697] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86e4cab0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e4cab0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86e4cab0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.697] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.697] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.697] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.697] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.697] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.697] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.697] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.697] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86e4cab0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e4da50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x109, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.697] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.698] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.698] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.698] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.698] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.698] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.698] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.698] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\messages.json") returned 156 [0115.698] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.698] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.698] lstrlenW (lpString=".json") returned 5 [0115.698] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.698] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0115.699] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=265) returned 1 [0115.699] CloseHandle (hObject=0x1b0) returned 1 [0115.701] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86e4cab0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e4da50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x109, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.701] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.702] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\PUSSY.TXT") returned 152 [0115.702] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.702] lstrlenA (lpString="abcd") returned 4 [0115.702] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.704] CloseHandle (hObject=0x184) returned 1 [0115.704] GetProcessHeap () returned 0x4c0000 [0115.704] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.704] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86e4cab0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e4cab0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86e4cab0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="cs", cAlternateFileName="")) returned 1 [0115.704] lstrcmpiW (lpString1="cs", lpString2="Windows") returned -1 [0115.704] lstrcmpiW (lpString1="cs", lpString2="Program Files") returned -1 [0115.704] lstrcmpiW (lpString1="cs", lpString2="Program Files (x86)") returned -1 [0115.704] lstrcmpiW (lpString1="cs", lpString2="$Recycle.bin") returned 1 [0115.704] lstrcmpiW (lpString1="cs", lpString2="System Volume Information") returned -1 [0115.704] lstrcmpiW (lpString1="cs", lpString2=".") returned 1 [0115.704] lstrcmpiW (lpString1="cs", lpString2="..") returned 1 [0115.704] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs") returned 142 [0115.704] GetProcessHeap () returned 0x4c0000 [0115.704] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.704] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs" [0115.704] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\*" [0115.704] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86e4cab0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e4cab0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86e4cab0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.705] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.705] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.705] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.705] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.705] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.705] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.705] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86e4cab0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e4cab0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86e4cab0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.705] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.705] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.705] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.705] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.705] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.705] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.705] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.705] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86e4cab0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e4da50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x103, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.705] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.705] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.705] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.705] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.705] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.705] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.705] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.705] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\messages.json") returned 156 [0115.705] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.705] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.705] lstrlenW (lpString=".json") returned 5 [0115.706] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.706] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0115.706] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=259) returned 1 [0115.706] CloseHandle (hObject=0x1b0) returned 1 [0115.706] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86e4cab0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e4da50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x103, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.706] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.706] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\PUSSY.TXT") returned 152 [0115.706] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.707] lstrlenA (lpString="abcd") returned 4 [0115.707] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.708] CloseHandle (hObject=0x184) returned 1 [0115.708] GetProcessHeap () returned 0x4c0000 [0115.708] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.708] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86e4cab0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e4cab0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86e4cab0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="da", cAlternateFileName="")) returned 1 [0115.708] lstrcmpiW (lpString1="da", lpString2="Windows") returned -1 [0115.708] lstrcmpiW (lpString1="da", lpString2="Program Files") returned -1 [0115.708] lstrcmpiW (lpString1="da", lpString2="Program Files (x86)") returned -1 [0115.708] lstrcmpiW (lpString1="da", lpString2="$Recycle.bin") returned 1 [0115.708] lstrcmpiW (lpString1="da", lpString2="System Volume Information") returned -1 [0115.708] lstrcmpiW (lpString1="da", lpString2=".") returned 1 [0115.708] lstrcmpiW (lpString1="da", lpString2="..") returned 1 [0115.708] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da") returned 142 [0115.708] GetProcessHeap () returned 0x4c0000 [0115.708] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.709] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da" [0115.709] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\*" [0115.709] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86e4cab0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e4cab0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86e4cab0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.709] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.709] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.709] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.709] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.709] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.709] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.709] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86e4cab0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e4cab0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86e4cab0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.709] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.709] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.709] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.709] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.709] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.709] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.709] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.709] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86e4cab0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e4da50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xf3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.709] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.709] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.710] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.710] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.710] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.710] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.710] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.710] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\messages.json") returned 156 [0115.710] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.710] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.710] lstrlenW (lpString=".json") returned 5 [0115.710] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.710] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0115.712] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=243) returned 1 [0115.712] CloseHandle (hObject=0x1b0) returned 1 [0115.712] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86e4cab0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e4da50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xf3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.712] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.713] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\PUSSY.TXT") returned 152 [0115.713] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.713] lstrlenA (lpString="abcd") returned 4 [0115.713] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.714] CloseHandle (hObject=0x184) returned 1 [0115.714] GetProcessHeap () returned 0x4c0000 [0115.714] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.714] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86e72c10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e72c10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86e72c10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="de", cAlternateFileName="")) returned 1 [0115.714] lstrcmpiW (lpString1="de", lpString2="Windows") returned -1 [0115.714] lstrcmpiW (lpString1="de", lpString2="Program Files") returned -1 [0115.715] lstrcmpiW (lpString1="de", lpString2="Program Files (x86)") returned -1 [0115.715] lstrcmpiW (lpString1="de", lpString2="$Recycle.bin") returned 1 [0115.715] lstrcmpiW (lpString1="de", lpString2="System Volume Information") returned -1 [0115.715] lstrcmpiW (lpString1="de", lpString2=".") returned 1 [0115.715] lstrcmpiW (lpString1="de", lpString2="..") returned 1 [0115.715] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de") returned 142 [0115.715] GetProcessHeap () returned 0x4c0000 [0115.715] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.715] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de" [0115.715] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\*" [0115.715] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86e72c10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e72c10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86e72c10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.715] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.715] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.715] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.715] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.715] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.715] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.715] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86e72c10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e72c10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86e72c10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.715] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.716] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.716] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.716] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.716] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.716] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.716] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.716] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86e72c10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e74b50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x100, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.716] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.716] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.716] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.716] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.716] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.716] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.716] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.716] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\messages.json") returned 156 [0115.716] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.716] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.716] lstrlenW (lpString=".json") returned 5 [0115.716] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.716] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0115.717] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=256) returned 1 [0115.717] CloseHandle (hObject=0x1b0) returned 1 [0115.717] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86e72c10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e74b50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x100, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.717] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.717] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\PUSSY.TXT") returned 152 [0115.717] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.717] lstrlenA (lpString="abcd") returned 4 [0115.717] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.719] CloseHandle (hObject=0x184) returned 1 [0115.719] GetProcessHeap () returned 0x4c0000 [0115.719] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.719] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86e72c10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e72c10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86e72c10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="el", cAlternateFileName="")) returned 1 [0115.719] lstrcmpiW (lpString1="el", lpString2="Windows") returned -1 [0115.719] lstrcmpiW (lpString1="el", lpString2="Program Files") returned -1 [0115.719] lstrcmpiW (lpString1="el", lpString2="Program Files (x86)") returned -1 [0115.719] lstrcmpiW (lpString1="el", lpString2="$Recycle.bin") returned 1 [0115.719] lstrcmpiW (lpString1="el", lpString2="System Volume Information") returned -1 [0115.719] lstrcmpiW (lpString1="el", lpString2=".") returned 1 [0115.719] lstrcmpiW (lpString1="el", lpString2="..") returned 1 [0115.719] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el") returned 142 [0115.719] GetProcessHeap () returned 0x4c0000 [0115.719] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.719] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el" [0115.719] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\*" [0115.720] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86e72c10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e72c10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86e72c10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.720] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.720] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.720] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.720] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.720] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.720] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.720] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86e72c10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e72c10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86e72c10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.720] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.720] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.720] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.720] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.720] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.720] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.720] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.720] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86e72c10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e74b50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x149, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.720] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.720] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.720] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.721] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.721] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.721] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.721] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.721] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\messages.json") returned 156 [0115.721] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.721] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.721] lstrlenW (lpString=".json") returned 5 [0115.721] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.721] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0115.722] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=329) returned 1 [0115.722] CloseHandle (hObject=0x1b0) returned 1 [0115.722] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86e72c10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e74b50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x149, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.722] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.722] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\PUSSY.TXT") returned 152 [0115.722] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.723] lstrlenA (lpString="abcd") returned 4 [0115.723] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.724] CloseHandle (hObject=0x184) returned 1 [0115.724] GetProcessHeap () returned 0x4c0000 [0115.724] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.724] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86e72c10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e72c10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86e72c10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="en_GB", cAlternateFileName="")) returned 1 [0115.724] lstrcmpiW (lpString1="en_GB", lpString2="Windows") returned -1 [0115.724] lstrcmpiW (lpString1="en_GB", lpString2="Program Files") returned -1 [0115.724] lstrcmpiW (lpString1="en_GB", lpString2="Program Files (x86)") returned -1 [0115.724] lstrcmpiW (lpString1="en_GB", lpString2="$Recycle.bin") returned 1 [0115.724] lstrcmpiW (lpString1="en_GB", lpString2="System Volume Information") returned -1 [0115.724] lstrcmpiW (lpString1="en_GB", lpString2=".") returned 1 [0115.724] lstrcmpiW (lpString1="en_GB", lpString2="..") returned 1 [0115.724] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB") returned 145 [0115.724] GetProcessHeap () returned 0x4c0000 [0115.724] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.725] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB" [0115.725] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB\\*" [0115.725] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86e72c10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e72c10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86e72c10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.725] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.725] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.725] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.725] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.725] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.725] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.725] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86e72c10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e72c10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86e72c10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.725] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.725] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.725] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.725] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.725] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.725] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.726] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.726] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86e72c10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e74b50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xf9, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.726] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.726] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.726] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.726] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.726] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.726] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.726] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.726] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB\\messages.json") returned 159 [0115.726] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.726] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.726] lstrlenW (lpString=".json") returned 5 [0115.726] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.726] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_gb\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0115.726] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=249) returned 1 [0115.727] CloseHandle (hObject=0x1b0) returned 1 [0115.727] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86e72c10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e74b50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xf9, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.727] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.727] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB\\PUSSY.TXT") returned 155 [0115.727] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_gb\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.727] lstrlenA (lpString="abcd") returned 4 [0115.727] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.728] CloseHandle (hObject=0x184) returned 1 [0115.729] GetProcessHeap () returned 0x4c0000 [0115.729] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.729] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86e72c10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e98d70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86e98d70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="en_US", cAlternateFileName="")) returned 1 [0115.729] lstrcmpiW (lpString1="en_US", lpString2="Windows") returned -1 [0115.729] lstrcmpiW (lpString1="en_US", lpString2="Program Files") returned -1 [0115.729] lstrcmpiW (lpString1="en_US", lpString2="Program Files (x86)") returned -1 [0115.729] lstrcmpiW (lpString1="en_US", lpString2="$Recycle.bin") returned 1 [0115.729] lstrcmpiW (lpString1="en_US", lpString2="System Volume Information") returned -1 [0115.729] lstrcmpiW (lpString1="en_US", lpString2=".") returned 1 [0115.729] lstrcmpiW (lpString1="en_US", lpString2="..") returned 1 [0115.729] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US") returned 145 [0115.729] GetProcessHeap () returned 0x4c0000 [0115.729] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.729] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US" [0115.729] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US\\*" [0115.729] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86e72c10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e98d70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86e98d70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.729] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.730] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.730] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.730] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.730] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.730] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.730] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86e72c10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e98d70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86e98d70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.730] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.730] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.730] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.730] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.730] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.730] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.730] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.730] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86e98d70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e99540, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xf9, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.730] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.730] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.730] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.730] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.730] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.730] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.730] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.730] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US\\messages.json") returned 159 [0115.730] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.730] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.730] lstrlenW (lpString=".json") returned 5 [0115.730] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.731] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_us\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0115.732] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=249) returned 1 [0115.732] CloseHandle (hObject=0x1b0) returned 1 [0115.732] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86e98d70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e99540, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xf9, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.732] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.732] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US\\PUSSY.TXT") returned 155 [0115.732] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_us\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.733] lstrlenA (lpString="abcd") returned 4 [0115.733] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.734] CloseHandle (hObject=0x184) returned 1 [0115.734] GetProcessHeap () returned 0x4c0000 [0115.734] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.734] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86e98d70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e98d70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86e98d70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="es", cAlternateFileName="")) returned 1 [0115.734] lstrcmpiW (lpString1="es", lpString2="Windows") returned -1 [0115.734] lstrcmpiW (lpString1="es", lpString2="Program Files") returned -1 [0115.734] lstrcmpiW (lpString1="es", lpString2="Program Files (x86)") returned -1 [0115.734] lstrcmpiW (lpString1="es", lpString2="$Recycle.bin") returned 1 [0115.734] lstrcmpiW (lpString1="es", lpString2="System Volume Information") returned -1 [0115.734] lstrcmpiW (lpString1="es", lpString2=".") returned 1 [0115.734] lstrcmpiW (lpString1="es", lpString2="..") returned 1 [0115.735] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es") returned 142 [0115.735] GetProcessHeap () returned 0x4c0000 [0115.735] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.735] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es" [0115.735] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\*" [0115.735] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86e98d70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e98d70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86e98d70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.735] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.735] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.735] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.735] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.735] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.735] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.735] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86e98d70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e98d70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86e98d70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.735] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.735] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.735] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.735] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.735] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.736] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.736] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.736] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86e98d70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e99540, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x103, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.736] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.736] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.736] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.736] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.736] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.736] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.736] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.736] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\messages.json") returned 156 [0115.736] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.736] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.736] lstrlenW (lpString=".json") returned 5 [0115.736] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.736] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0115.737] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=259) returned 1 [0115.737] CloseHandle (hObject=0x1b0) returned 1 [0115.737] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86e98d70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e99540, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x103, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.737] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.737] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\PUSSY.TXT") returned 152 [0115.737] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.737] lstrlenA (lpString="abcd") returned 4 [0115.737] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.739] CloseHandle (hObject=0x184) returned 1 [0115.739] GetProcessHeap () returned 0x4c0000 [0115.739] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.739] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86e98d70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e98d70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86e98d70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="es_419", cAlternateFileName="")) returned 1 [0115.739] lstrcmpiW (lpString1="es_419", lpString2="Windows") returned -1 [0115.739] lstrcmpiW (lpString1="es_419", lpString2="Program Files") returned -1 [0115.739] lstrcmpiW (lpString1="es_419", lpString2="Program Files (x86)") returned -1 [0115.739] lstrcmpiW (lpString1="es_419", lpString2="$Recycle.bin") returned 1 [0115.739] lstrcmpiW (lpString1="es_419", lpString2="System Volume Information") returned -1 [0115.739] lstrcmpiW (lpString1="es_419", lpString2=".") returned 1 [0115.739] lstrcmpiW (lpString1="es_419", lpString2="..") returned 1 [0115.739] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419") returned 146 [0115.739] GetProcessHeap () returned 0x4c0000 [0115.739] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.739] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419" [0115.739] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\*" [0115.739] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86e98d70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e98d70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86e98d70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.740] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.740] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.740] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.740] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.740] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.740] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.740] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86e98d70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e98d70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86e98d70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.740] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.740] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.740] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.740] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.740] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.740] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.740] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.740] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86e98d70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e99540, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x103, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.740] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.740] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.740] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.740] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.740] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.740] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.741] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.741] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\messages.json") returned 160 [0115.741] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.741] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.741] lstrlenW (lpString=".json") returned 5 [0115.741] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.741] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0115.742] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=259) returned 1 [0115.742] CloseHandle (hObject=0x1b0) returned 1 [0115.742] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86e98d70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e99540, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x103, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.742] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.742] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\PUSSY.TXT") returned 156 [0115.742] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.743] lstrlenA (lpString="abcd") returned 4 [0115.743] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.744] CloseHandle (hObject=0x184) returned 1 [0115.744] GetProcessHeap () returned 0x4c0000 [0115.744] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.744] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86e98d70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e98d70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86e98d70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="et", cAlternateFileName="")) returned 1 [0115.744] lstrcmpiW (lpString1="et", lpString2="Windows") returned -1 [0115.744] lstrcmpiW (lpString1="et", lpString2="Program Files") returned -1 [0115.744] lstrcmpiW (lpString1="et", lpString2="Program Files (x86)") returned -1 [0115.744] lstrcmpiW (lpString1="et", lpString2="$Recycle.bin") returned 1 [0115.744] lstrcmpiW (lpString1="et", lpString2="System Volume Information") returned -1 [0115.744] lstrcmpiW (lpString1="et", lpString2=".") returned 1 [0115.744] lstrcmpiW (lpString1="et", lpString2="..") returned 1 [0115.744] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et") returned 142 [0115.744] GetProcessHeap () returned 0x4c0000 [0115.744] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.744] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et" [0115.744] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\*" [0115.745] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86e98d70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e98d70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86e98d70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.745] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.745] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.745] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.745] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.745] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.745] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.745] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86e98d70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e98d70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86e98d70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.745] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.745] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.745] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.745] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.745] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.745] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.745] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.745] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86e98d70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e99540, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xfb, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.745] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.745] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.745] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.746] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.746] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.746] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.746] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.746] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\messages.json") returned 156 [0115.746] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.746] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.746] lstrlenW (lpString=".json") returned 5 [0115.746] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.746] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0115.746] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=251) returned 1 [0115.746] CloseHandle (hObject=0x1b0) returned 1 [0115.746] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86e98d70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86e99540, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xfb, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.746] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.747] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\PUSSY.TXT") returned 152 [0115.747] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.747] lstrlenA (lpString="abcd") returned 4 [0115.747] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.748] CloseHandle (hObject=0x184) returned 1 [0115.748] GetProcessHeap () returned 0x4c0000 [0115.748] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.748] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86ebeed0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86ebeed0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86ebeed0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="eu", cAlternateFileName="")) returned 1 [0115.749] lstrcmpiW (lpString1="eu", lpString2="Windows") returned -1 [0115.749] lstrcmpiW (lpString1="eu", lpString2="Program Files") returned -1 [0115.749] lstrcmpiW (lpString1="eu", lpString2="Program Files (x86)") returned -1 [0115.749] lstrcmpiW (lpString1="eu", lpString2="$Recycle.bin") returned 1 [0115.749] lstrcmpiW (lpString1="eu", lpString2="System Volume Information") returned -1 [0115.749] lstrcmpiW (lpString1="eu", lpString2=".") returned 1 [0115.749] lstrcmpiW (lpString1="eu", lpString2="..") returned 1 [0115.749] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu") returned 142 [0115.749] GetProcessHeap () returned 0x4c0000 [0115.749] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.749] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu" [0115.749] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\*" [0115.749] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86ebeed0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86ebeed0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86ebeed0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.749] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.749] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.749] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.750] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.750] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.750] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.750] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86ebeed0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86ebeed0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86ebeed0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.750] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.750] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.750] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.750] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.750] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.750] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.750] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.750] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86ebeed0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86ec0640, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xd3d59700, ftLastWriteTime.dwHighDateTime=0x1d10aaf, nFileSizeHigh=0x0, nFileSizeLow=0xf3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.750] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.750] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.750] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.750] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.750] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.750] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.750] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.750] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\messages.json") returned 156 [0115.750] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.750] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.751] lstrlenW (lpString=".json") returned 5 [0115.751] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.751] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0115.937] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=243) returned 1 [0115.937] CloseHandle (hObject=0x1b0) returned 1 [0115.937] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86ebeed0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86ec0640, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xd3d59700, ftLastWriteTime.dwHighDateTime=0x1d10aaf, nFileSizeHigh=0x0, nFileSizeLow=0xf3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.937] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.937] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\PUSSY.TXT") returned 152 [0115.937] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.938] lstrlenA (lpString="abcd") returned 4 [0115.939] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.940] CloseHandle (hObject=0x184) returned 1 [0115.940] GetProcessHeap () returned 0x4c0000 [0115.940] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.940] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86ebeed0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86ebeed0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86ebeed0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="fi", cAlternateFileName="")) returned 1 [0115.940] lstrcmpiW (lpString1="fi", lpString2="Windows") returned -1 [0115.940] lstrcmpiW (lpString1="fi", lpString2="Program Files") returned -1 [0115.940] lstrcmpiW (lpString1="fi", lpString2="Program Files (x86)") returned -1 [0115.940] lstrcmpiW (lpString1="fi", lpString2="$Recycle.bin") returned 1 [0115.940] lstrcmpiW (lpString1="fi", lpString2="System Volume Information") returned -1 [0115.940] lstrcmpiW (lpString1="fi", lpString2=".") returned 1 [0115.940] lstrcmpiW (lpString1="fi", lpString2="..") returned 1 [0115.940] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi") returned 142 [0115.940] GetProcessHeap () returned 0x4c0000 [0115.940] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.940] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi" [0115.940] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\*" [0115.940] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86ebeed0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86ebeed0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86ebeed0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.941] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.941] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.941] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.941] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.941] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.941] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.941] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86ebeed0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86ebeed0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86ebeed0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.941] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.941] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.941] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.941] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.941] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.941] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.941] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.941] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86ebeed0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86ec0640, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x101, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.941] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.941] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.941] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.941] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.941] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.942] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.942] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.942] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\messages.json") returned 156 [0115.942] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.942] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.942] lstrlenW (lpString=".json") returned 5 [0115.942] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.942] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0115.942] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=257) returned 1 [0115.942] CloseHandle (hObject=0x1b0) returned 1 [0115.942] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86ebeed0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86ec0640, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x101, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.942] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.943] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\PUSSY.TXT") returned 152 [0115.943] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.943] lstrlenA (lpString="abcd") returned 4 [0115.943] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.944] CloseHandle (hObject=0x184) returned 1 [0115.944] GetProcessHeap () returned 0x4c0000 [0115.944] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.944] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86ebeed0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86ee5030, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86ee5030, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="fil", cAlternateFileName="")) returned 1 [0115.945] lstrcmpiW (lpString1="fil", lpString2="Windows") returned -1 [0115.945] lstrcmpiW (lpString1="fil", lpString2="Program Files") returned -1 [0115.945] lstrcmpiW (lpString1="fil", lpString2="Program Files (x86)") returned -1 [0115.945] lstrcmpiW (lpString1="fil", lpString2="$Recycle.bin") returned 1 [0115.945] lstrcmpiW (lpString1="fil", lpString2="System Volume Information") returned -1 [0115.945] lstrcmpiW (lpString1="fil", lpString2=".") returned 1 [0115.945] lstrcmpiW (lpString1="fil", lpString2="..") returned 1 [0115.945] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil") returned 143 [0115.945] GetProcessHeap () returned 0x4c0000 [0115.945] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.945] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil" [0115.945] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\*" [0115.945] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86ebeed0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86ee5030, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86ee5030, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.945] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.945] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.945] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.945] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.945] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.946] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.946] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86ebeed0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86ee5030, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86ee5030, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.946] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.946] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.946] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.946] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.946] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.946] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.946] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.946] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86ee5030, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86ee5030, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x104, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.946] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.946] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.946] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.946] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.946] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.946] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.946] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.946] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\messages.json") returned 157 [0115.946] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.946] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.946] lstrlenW (lpString=".json") returned 5 [0115.946] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.946] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0115.955] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=260) returned 1 [0115.955] CloseHandle (hObject=0x1b0) returned 1 [0115.956] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86ee5030, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86ee5030, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x104, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.956] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.956] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\PUSSY.TXT") returned 153 [0115.956] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.957] lstrlenA (lpString="abcd") returned 4 [0115.957] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.958] CloseHandle (hObject=0x184) returned 1 [0115.958] GetProcessHeap () returned 0x4c0000 [0115.958] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.958] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86ee5030, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86ee5030, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86ee5030, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="fr", cAlternateFileName="")) returned 1 [0115.958] lstrcmpiW (lpString1="fr", lpString2="Windows") returned -1 [0115.958] lstrcmpiW (lpString1="fr", lpString2="Program Files") returned -1 [0115.958] lstrcmpiW (lpString1="fr", lpString2="Program Files (x86)") returned -1 [0115.958] lstrcmpiW (lpString1="fr", lpString2="$Recycle.bin") returned 1 [0115.958] lstrcmpiW (lpString1="fr", lpString2="System Volume Information") returned -1 [0115.958] lstrcmpiW (lpString1="fr", lpString2=".") returned 1 [0115.958] lstrcmpiW (lpString1="fr", lpString2="..") returned 1 [0115.958] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr") returned 142 [0115.958] GetProcessHeap () returned 0x4c0000 [0115.958] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.959] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr" [0115.959] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\*" [0115.959] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86ee5030, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86ee5030, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86ee5030, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.959] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.959] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.959] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.959] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.959] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.959] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.959] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86ee5030, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86ee5030, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86ee5030, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.959] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.959] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.959] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.959] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.959] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.960] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.960] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.960] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86ee5030, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86ee5030, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xfc, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.960] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.960] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.960] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.960] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.960] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.960] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.960] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.960] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\messages.json") returned 156 [0115.960] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.960] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.960] lstrlenW (lpString=".json") returned 5 [0115.960] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.960] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0115.961] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=252) returned 1 [0115.961] CloseHandle (hObject=0x1b0) returned 1 [0115.961] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86ee5030, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86ee5030, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xfc, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.961] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.961] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\PUSSY.TXT") returned 152 [0115.961] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.961] lstrlenA (lpString="abcd") returned 4 [0115.961] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.962] CloseHandle (hObject=0x184) returned 1 [0115.963] GetProcessHeap () returned 0x4c0000 [0115.963] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.963] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86ee5030, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86ee5030, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86ee5030, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="he", cAlternateFileName="")) returned 1 [0115.963] lstrcmpiW (lpString1="he", lpString2="Windows") returned -1 [0115.963] lstrcmpiW (lpString1="he", lpString2="Program Files") returned -1 [0115.963] lstrcmpiW (lpString1="he", lpString2="Program Files (x86)") returned -1 [0115.963] lstrcmpiW (lpString1="he", lpString2="$Recycle.bin") returned 1 [0115.963] lstrcmpiW (lpString1="he", lpString2="System Volume Information") returned -1 [0115.963] lstrcmpiW (lpString1="he", lpString2=".") returned 1 [0115.963] lstrcmpiW (lpString1="he", lpString2="..") returned 1 [0115.963] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he") returned 142 [0115.963] GetProcessHeap () returned 0x4c0000 [0115.963] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.963] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he" [0115.963] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\*" [0115.963] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86ee5030, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86ee5030, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86ee5030, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.963] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.964] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.964] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.964] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.964] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.964] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.964] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86ee5030, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86ee5030, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86ee5030, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.964] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.964] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.964] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.964] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.964] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.964] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.964] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.964] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86ee5030, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86ee5030, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x116, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.964] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.964] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.964] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.964] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.964] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.964] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.964] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.964] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\messages.json") returned 156 [0115.964] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.964] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.965] lstrlenW (lpString=".json") returned 5 [0115.965] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.965] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0115.966] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=278) returned 1 [0115.966] CloseHandle (hObject=0x1b0) returned 1 [0115.966] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86ee5030, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86ee5030, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x116, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.966] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.966] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\PUSSY.TXT") returned 152 [0115.966] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.978] lstrlenA (lpString="abcd") returned 4 [0115.978] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.979] CloseHandle (hObject=0x184) returned 1 [0115.979] GetProcessHeap () returned 0x4c0000 [0115.979] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.979] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86ee5030, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86ee5030, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86ee5030, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="hi", cAlternateFileName="")) returned 1 [0115.979] lstrcmpiW (lpString1="hi", lpString2="Windows") returned -1 [0115.979] lstrcmpiW (lpString1="hi", lpString2="Program Files") returned -1 [0115.979] lstrcmpiW (lpString1="hi", lpString2="Program Files (x86)") returned -1 [0115.979] lstrcmpiW (lpString1="hi", lpString2="$Recycle.bin") returned 1 [0115.979] lstrcmpiW (lpString1="hi", lpString2="System Volume Information") returned -1 [0115.979] lstrcmpiW (lpString1="hi", lpString2=".") returned 1 [0115.979] lstrcmpiW (lpString1="hi", lpString2="..") returned 1 [0115.979] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi") returned 142 [0115.979] GetProcessHeap () returned 0x4c0000 [0115.979] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.979] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi" [0115.980] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\*" [0115.980] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86ee5030, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86ee5030, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86ee5030, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.980] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.980] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.980] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.980] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.980] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.980] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.980] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86ee5030, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86ee5030, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86ee5030, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.980] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.980] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.980] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.980] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.980] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.980] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.980] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.981] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86ee5030, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86ee5030, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x159, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.981] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.981] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.981] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.981] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.981] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.981] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.981] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.981] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\messages.json") returned 156 [0115.981] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.981] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.981] lstrlenW (lpString=".json") returned 5 [0115.981] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.981] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0115.982] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=345) returned 1 [0115.982] CloseHandle (hObject=0x1b0) returned 1 [0115.982] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86ee5030, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86ee5030, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x159, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.982] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.982] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\PUSSY.TXT") returned 152 [0115.982] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.982] lstrlenA (lpString="abcd") returned 4 [0115.982] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.984] CloseHandle (hObject=0x184) returned 1 [0115.984] GetProcessHeap () returned 0x4c0000 [0115.984] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.984] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f0b190, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f0b190, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f0b190, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="hr", cAlternateFileName="")) returned 1 [0115.984] lstrcmpiW (lpString1="hr", lpString2="Windows") returned -1 [0115.984] lstrcmpiW (lpString1="hr", lpString2="Program Files") returned -1 [0115.984] lstrcmpiW (lpString1="hr", lpString2="Program Files (x86)") returned -1 [0115.984] lstrcmpiW (lpString1="hr", lpString2="$Recycle.bin") returned 1 [0115.984] lstrcmpiW (lpString1="hr", lpString2="System Volume Information") returned -1 [0115.984] lstrcmpiW (lpString1="hr", lpString2=".") returned 1 [0115.984] lstrcmpiW (lpString1="hr", lpString2="..") returned 1 [0115.984] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr") returned 142 [0115.984] GetProcessHeap () returned 0x4c0000 [0115.984] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.984] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr" [0115.984] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\*" [0115.984] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f0b190, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f0b190, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f0b190, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.985] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.985] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.985] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.985] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.985] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.985] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.985] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f0b190, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f0b190, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f0b190, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.985] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.985] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.985] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.985] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.985] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.985] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.985] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.985] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86f0b190, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f0c130, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x107, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.985] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.985] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.985] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.985] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.985] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.985] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.985] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.985] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\messages.json") returned 156 [0115.985] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.986] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.986] lstrlenW (lpString=".json") returned 5 [0115.986] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.986] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0115.987] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=263) returned 1 [0115.987] CloseHandle (hObject=0x1b0) returned 1 [0115.987] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86f0b190, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f0c130, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x107, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.987] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.987] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\PUSSY.TXT") returned 152 [0115.988] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.988] lstrlenA (lpString="abcd") returned 4 [0115.988] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.989] CloseHandle (hObject=0x184) returned 1 [0115.989] GetProcessHeap () returned 0x4c0000 [0115.989] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.989] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f0b190, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f0b190, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f0b190, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="hu", cAlternateFileName="")) returned 1 [0115.990] lstrcmpiW (lpString1="hu", lpString2="Windows") returned -1 [0115.990] lstrcmpiW (lpString1="hu", lpString2="Program Files") returned -1 [0115.990] lstrcmpiW (lpString1="hu", lpString2="Program Files (x86)") returned -1 [0115.990] lstrcmpiW (lpString1="hu", lpString2="$Recycle.bin") returned 1 [0115.990] lstrcmpiW (lpString1="hu", lpString2="System Volume Information") returned -1 [0115.990] lstrcmpiW (lpString1="hu", lpString2=".") returned 1 [0115.990] lstrcmpiW (lpString1="hu", lpString2="..") returned 1 [0115.990] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu") returned 142 [0115.990] GetProcessHeap () returned 0x4c0000 [0115.990] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.990] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu" [0115.990] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\*" [0115.990] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f0b190, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f0b190, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f0b190, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.990] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.990] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.990] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.990] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.990] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.991] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.991] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f0b190, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f0b190, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f0b190, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.991] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.991] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.991] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.991] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.991] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.991] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.991] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.991] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86f0b190, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f0c130, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x108, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.991] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.991] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.991] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.991] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.991] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.991] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.991] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.991] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\messages.json") returned 156 [0115.991] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.991] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.991] lstrlenW (lpString=".json") returned 5 [0115.991] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.991] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0115.992] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=264) returned 1 [0115.992] CloseHandle (hObject=0x1b0) returned 1 [0115.992] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86f0b190, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f0c130, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x108, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.992] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.992] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\PUSSY.TXT") returned 152 [0115.992] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.993] lstrlenA (lpString="abcd") returned 4 [0115.993] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.994] CloseHandle (hObject=0x184) returned 1 [0115.994] GetProcessHeap () returned 0x4c0000 [0115.994] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.994] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f0b190, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f0b190, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f0b190, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="id", cAlternateFileName="")) returned 1 [0115.994] lstrcmpiW (lpString1="id", lpString2="Windows") returned -1 [0115.994] lstrcmpiW (lpString1="id", lpString2="Program Files") returned -1 [0115.994] lstrcmpiW (lpString1="id", lpString2="Program Files (x86)") returned -1 [0115.994] lstrcmpiW (lpString1="id", lpString2="$Recycle.bin") returned 1 [0115.994] lstrcmpiW (lpString1="id", lpString2="System Volume Information") returned -1 [0115.994] lstrcmpiW (lpString1="id", lpString2=".") returned 1 [0115.994] lstrcmpiW (lpString1="id", lpString2="..") returned 1 [0115.994] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id") returned 142 [0115.994] GetProcessHeap () returned 0x4c0000 [0115.994] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0115.994] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id" [0115.994] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\*" [0115.994] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f0b190, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f0b190, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f0b190, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0115.995] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0115.995] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0115.995] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0115.995] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0115.995] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0115.995] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.995] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f0b190, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f0b190, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f0b190, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0115.995] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0115.995] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0115.995] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0115.995] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0115.995] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0115.995] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.995] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.995] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86f0b190, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f0c130, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x105, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0115.995] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0115.995] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0115.995] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0115.996] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0115.996] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0115.996] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0115.996] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0115.996] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\messages.json") returned 156 [0115.996] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0115.996] PathFindExtensionW (pszPath="messages.json") returned=".json" [0115.996] lstrlenW (lpString=".json") returned 5 [0115.996] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0115.996] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0115.997] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=261) returned 1 [0115.997] CloseHandle (hObject=0x1b0) returned 1 [0115.997] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86f0b190, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f0c130, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x105, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0115.997] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0115.997] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\PUSSY.TXT") returned 152 [0115.997] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0115.998] lstrlenA (lpString="abcd") returned 4 [0115.998] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0115.999] CloseHandle (hObject=0x184) returned 1 [0115.999] GetProcessHeap () returned 0x4c0000 [0115.999] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.999] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f0b190, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f0b190, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f0b190, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="it", cAlternateFileName="")) returned 1 [0115.999] lstrcmpiW (lpString1="it", lpString2="Windows") returned -1 [0115.999] lstrcmpiW (lpString1="it", lpString2="Program Files") returned -1 [0115.999] lstrcmpiW (lpString1="it", lpString2="Program Files (x86)") returned -1 [0115.999] lstrcmpiW (lpString1="it", lpString2="$Recycle.bin") returned 1 [0115.999] lstrcmpiW (lpString1="it", lpString2="System Volume Information") returned -1 [0116.000] lstrcmpiW (lpString1="it", lpString2=".") returned 1 [0116.000] lstrcmpiW (lpString1="it", lpString2="..") returned 1 [0116.000] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it") returned 142 [0116.000] GetProcessHeap () returned 0x4c0000 [0116.000] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.000] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it" [0116.000] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\*" [0116.000] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f0b190, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f0b190, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f0b190, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.000] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.000] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.000] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.000] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.000] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.000] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.000] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f0b190, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f0b190, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f0b190, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.000] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.000] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.000] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.000] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.001] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.001] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.001] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.001] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86f0b190, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f0c130, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x102, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.001] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.001] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.001] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.001] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.001] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.001] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.001] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.001] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\messages.json") returned 156 [0116.001] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.001] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.001] lstrlenW (lpString=".json") returned 5 [0116.001] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.001] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0116.002] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=258) returned 1 [0116.002] CloseHandle (hObject=0x1b0) returned 1 [0116.002] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86f0b190, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f0c130, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x102, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.002] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.002] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\PUSSY.TXT") returned 152 [0116.002] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0116.002] lstrlenA (lpString="abcd") returned 4 [0116.002] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.004] CloseHandle (hObject=0x184) returned 1 [0116.004] GetProcessHeap () returned 0x4c0000 [0116.004] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.004] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f0b190, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f0b190, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f0b190, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ja", cAlternateFileName="")) returned 1 [0116.004] lstrcmpiW (lpString1="ja", lpString2="Windows") returned -1 [0116.004] lstrcmpiW (lpString1="ja", lpString2="Program Files") returned -1 [0116.004] lstrcmpiW (lpString1="ja", lpString2="Program Files (x86)") returned -1 [0116.004] lstrcmpiW (lpString1="ja", lpString2="$Recycle.bin") returned 1 [0116.004] lstrcmpiW (lpString1="ja", lpString2="System Volume Information") returned -1 [0116.004] lstrcmpiW (lpString1="ja", lpString2=".") returned 1 [0116.004] lstrcmpiW (lpString1="ja", lpString2="..") returned 1 [0116.004] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja") returned 142 [0116.004] GetProcessHeap () returned 0x4c0000 [0116.004] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.004] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja" [0116.004] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\*" [0116.004] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f0b190, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f0b190, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f0b190, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.005] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.005] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.005] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.005] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.005] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.005] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.005] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f0b190, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f0b190, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f0b190, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.005] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.005] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.005] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.005] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.005] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.005] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.005] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.005] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86f0b190, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f0c130, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x125, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.005] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.005] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.005] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.005] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.005] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.005] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.005] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.005] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\messages.json") returned 156 [0116.005] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.005] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.006] lstrlenW (lpString=".json") returned 5 [0116.006] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.006] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0116.047] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=293) returned 1 [0116.047] CloseHandle (hObject=0x1b0) returned 1 [0116.047] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86f0b190, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f0c130, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x125, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.047] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.047] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\PUSSY.TXT") returned 152 [0116.047] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0116.048] lstrlenA (lpString="abcd") returned 4 [0116.048] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.049] CloseHandle (hObject=0x184) returned 1 [0116.049] GetProcessHeap () returned 0x4c0000 [0116.049] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.049] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f0b190, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f0b190, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f0b190, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ko", cAlternateFileName="")) returned 1 [0116.049] lstrcmpiW (lpString1="ko", lpString2="Windows") returned -1 [0116.049] lstrcmpiW (lpString1="ko", lpString2="Program Files") returned -1 [0116.049] lstrcmpiW (lpString1="ko", lpString2="Program Files (x86)") returned -1 [0116.049] lstrcmpiW (lpString1="ko", lpString2="$Recycle.bin") returned 1 [0116.049] lstrcmpiW (lpString1="ko", lpString2="System Volume Information") returned -1 [0116.049] lstrcmpiW (lpString1="ko", lpString2=".") returned 1 [0116.049] lstrcmpiW (lpString1="ko", lpString2="..") returned 1 [0116.049] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko") returned 142 [0116.050] GetProcessHeap () returned 0x4c0000 [0116.050] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.050] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko" [0116.050] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\*" [0116.050] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f0b190, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f0b190, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f0b190, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.050] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.050] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.050] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.050] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.050] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.050] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.050] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f0b190, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f0b190, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f0b190, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.050] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.050] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.050] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.050] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.051] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.051] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.051] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.051] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86f0b190, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f0c130, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x119, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.051] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.051] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.051] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.051] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.051] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.051] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.051] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.051] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\messages.json") returned 156 [0116.051] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.051] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.051] lstrlenW (lpString=".json") returned 5 [0116.051] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.051] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0116.052] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=281) returned 1 [0116.052] CloseHandle (hObject=0x1b0) returned 1 [0116.052] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86f0b190, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f0c130, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x119, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.052] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.052] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\PUSSY.TXT") returned 152 [0116.052] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0116.053] lstrlenA (lpString="abcd") returned 4 [0116.053] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.054] CloseHandle (hObject=0x184) returned 1 [0116.054] GetProcessHeap () returned 0x4c0000 [0116.054] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.054] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f312f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f312f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f312f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="lt", cAlternateFileName="")) returned 1 [0116.054] lstrcmpiW (lpString1="lt", lpString2="Windows") returned -1 [0116.054] lstrcmpiW (lpString1="lt", lpString2="Program Files") returned -1 [0116.054] lstrcmpiW (lpString1="lt", lpString2="Program Files (x86)") returned -1 [0116.054] lstrcmpiW (lpString1="lt", lpString2="$Recycle.bin") returned 1 [0116.054] lstrcmpiW (lpString1="lt", lpString2="System Volume Information") returned -1 [0116.054] lstrcmpiW (lpString1="lt", lpString2=".") returned 1 [0116.054] lstrcmpiW (lpString1="lt", lpString2="..") returned 1 [0116.054] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt") returned 142 [0116.054] GetProcessHeap () returned 0x4c0000 [0116.054] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.054] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt" [0116.054] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\*" [0116.054] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f312f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f312f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f312f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.055] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.055] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.055] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.055] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.055] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.055] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.055] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f312f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f312f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f312f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.055] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.055] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.055] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.055] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.055] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.055] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.055] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.055] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86f312f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f33230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x11d, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.055] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.055] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.055] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.055] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.055] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.055] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.055] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.056] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\messages.json") returned 156 [0116.056] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.056] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.056] lstrlenW (lpString=".json") returned 5 [0116.056] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.056] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0116.057] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=285) returned 1 [0116.057] CloseHandle (hObject=0x1b0) returned 1 [0116.057] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86f312f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f33230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x11d, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.057] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.057] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\PUSSY.TXT") returned 152 [0116.057] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0116.058] lstrlenA (lpString="abcd") returned 4 [0116.058] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.059] CloseHandle (hObject=0x184) returned 1 [0116.059] GetProcessHeap () returned 0x4c0000 [0116.059] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.059] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f312f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f312f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f312f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="lv", cAlternateFileName="")) returned 1 [0116.059] lstrcmpiW (lpString1="lv", lpString2="Windows") returned -1 [0116.059] lstrcmpiW (lpString1="lv", lpString2="Program Files") returned -1 [0116.059] lstrcmpiW (lpString1="lv", lpString2="Program Files (x86)") returned -1 [0116.059] lstrcmpiW (lpString1="lv", lpString2="$Recycle.bin") returned 1 [0116.059] lstrcmpiW (lpString1="lv", lpString2="System Volume Information") returned -1 [0116.059] lstrcmpiW (lpString1="lv", lpString2=".") returned 1 [0116.059] lstrcmpiW (lpString1="lv", lpString2="..") returned 1 [0116.059] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv") returned 142 [0116.059] GetProcessHeap () returned 0x4c0000 [0116.059] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.059] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv" [0116.060] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\*" [0116.060] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f312f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f312f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f312f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.060] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.060] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.060] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.060] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.060] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.060] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.060] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f312f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f312f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f312f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.060] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.060] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.060] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.060] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.060] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.060] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.060] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.061] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86f312f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f33230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x102, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.061] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.061] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.061] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.061] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.061] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.061] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.061] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.061] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\messages.json") returned 156 [0116.061] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.061] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.061] lstrlenW (lpString=".json") returned 5 [0116.061] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.061] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0116.062] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=258) returned 1 [0116.062] CloseHandle (hObject=0x1b0) returned 1 [0116.062] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86f312f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f33230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x102, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.062] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.062] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\PUSSY.TXT") returned 152 [0116.062] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0116.062] lstrlenA (lpString="abcd") returned 4 [0116.063] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.064] CloseHandle (hObject=0x184) returned 1 [0116.064] GetProcessHeap () returned 0x4c0000 [0116.064] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.064] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f312f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f312f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f312f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ms", cAlternateFileName="")) returned 1 [0116.064] lstrcmpiW (lpString1="ms", lpString2="Windows") returned -1 [0116.064] lstrcmpiW (lpString1="ms", lpString2="Program Files") returned -1 [0116.064] lstrcmpiW (lpString1="ms", lpString2="Program Files (x86)") returned -1 [0116.064] lstrcmpiW (lpString1="ms", lpString2="$Recycle.bin") returned 1 [0116.064] lstrcmpiW (lpString1="ms", lpString2="System Volume Information") returned -1 [0116.064] lstrcmpiW (lpString1="ms", lpString2=".") returned 1 [0116.064] lstrcmpiW (lpString1="ms", lpString2="..") returned 1 [0116.064] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms") returned 142 [0116.064] GetProcessHeap () returned 0x4c0000 [0116.064] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.064] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms" [0116.064] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\*" [0116.064] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f312f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f312f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f312f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.065] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.065] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.065] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.065] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.065] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.065] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.065] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f312f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f312f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f312f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.065] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.065] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.065] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.065] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.065] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.065] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.065] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.065] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86f312f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f33230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xfe, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.065] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.065] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.065] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.065] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.065] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.065] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.065] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.066] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\messages.json") returned 156 [0116.066] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.066] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.066] lstrlenW (lpString=".json") returned 5 [0116.066] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.066] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0116.067] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=254) returned 1 [0116.067] CloseHandle (hObject=0x1b0) returned 1 [0116.067] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86f312f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f33230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xfe, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.067] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.067] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\PUSSY.TXT") returned 152 [0116.067] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0116.068] lstrlenA (lpString="abcd") returned 4 [0116.068] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.073] CloseHandle (hObject=0x184) returned 1 [0116.073] GetProcessHeap () returned 0x4c0000 [0116.073] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.073] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f312f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f312f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f312f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="nl", cAlternateFileName="")) returned 1 [0116.074] lstrcmpiW (lpString1="nl", lpString2="Windows") returned -1 [0116.074] lstrcmpiW (lpString1="nl", lpString2="Program Files") returned -1 [0116.074] lstrcmpiW (lpString1="nl", lpString2="Program Files (x86)") returned -1 [0116.074] lstrcmpiW (lpString1="nl", lpString2="$Recycle.bin") returned 1 [0116.074] lstrcmpiW (lpString1="nl", lpString2="System Volume Information") returned -1 [0116.074] lstrcmpiW (lpString1="nl", lpString2=".") returned 1 [0116.074] lstrcmpiW (lpString1="nl", lpString2="..") returned 1 [0116.074] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl") returned 142 [0116.074] GetProcessHeap () returned 0x4c0000 [0116.074] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.074] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl" [0116.074] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\*" [0116.074] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f312f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f312f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f312f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.075] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.075] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.075] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.075] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.075] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.075] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.075] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f312f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f312f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f312f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.075] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.075] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.075] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.075] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.075] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.075] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.075] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.075] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86f312f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f33230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xf2, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.075] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.075] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.075] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.075] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.075] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.075] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.075] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.075] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\messages.json") returned 156 [0116.075] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.075] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.076] lstrlenW (lpString=".json") returned 5 [0116.076] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.076] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0116.076] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=242) returned 1 [0116.076] CloseHandle (hObject=0x1b0) returned 1 [0116.076] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86f312f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f33230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xf2, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.076] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.077] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\PUSSY.TXT") returned 152 [0116.077] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0116.077] lstrlenA (lpString="abcd") returned 4 [0116.077] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.078] CloseHandle (hObject=0x184) returned 1 [0116.078] GetProcessHeap () returned 0x4c0000 [0116.078] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.079] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f312f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f312f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f312f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="no", cAlternateFileName="")) returned 1 [0116.079] lstrcmpiW (lpString1="no", lpString2="Windows") returned -1 [0116.079] lstrcmpiW (lpString1="no", lpString2="Program Files") returned -1 [0116.079] lstrcmpiW (lpString1="no", lpString2="Program Files (x86)") returned -1 [0116.079] lstrcmpiW (lpString1="no", lpString2="$Recycle.bin") returned 1 [0116.079] lstrcmpiW (lpString1="no", lpString2="System Volume Information") returned -1 [0116.079] lstrcmpiW (lpString1="no", lpString2=".") returned 1 [0116.079] lstrcmpiW (lpString1="no", lpString2="..") returned 1 [0116.079] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no") returned 142 [0116.079] GetProcessHeap () returned 0x4c0000 [0116.079] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.079] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no" [0116.079] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\*" [0116.079] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f312f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f312f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f312f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.079] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.079] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.080] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.080] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.080] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.080] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.080] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f312f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f312f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f312f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.080] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.080] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.080] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.080] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.080] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.080] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.080] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.080] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86f312f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f33230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xd3d59700, ftLastWriteTime.dwHighDateTime=0x1d10aaf, nFileSizeHigh=0x0, nFileSizeLow=0xda, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.080] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.080] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.080] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.080] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.080] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.080] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.080] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.080] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\messages.json") returned 156 [0116.080] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.080] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.080] lstrlenW (lpString=".json") returned 5 [0116.080] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.081] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0116.082] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=218) returned 1 [0116.082] CloseHandle (hObject=0x1b0) returned 1 [0116.084] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86f312f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f33230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xd3d59700, ftLastWriteTime.dwHighDateTime=0x1d10aaf, nFileSizeHigh=0x0, nFileSizeLow=0xda, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.084] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.084] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\PUSSY.TXT") returned 152 [0116.084] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0116.084] lstrlenA (lpString="abcd") returned 4 [0116.084] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.086] CloseHandle (hObject=0x184) returned 1 [0116.086] GetProcessHeap () returned 0x4c0000 [0116.086] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.086] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f57450, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f57450, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f57450, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="pl", cAlternateFileName="")) returned 1 [0116.086] lstrcmpiW (lpString1="pl", lpString2="Windows") returned -1 [0116.086] lstrcmpiW (lpString1="pl", lpString2="Program Files") returned -1 [0116.086] lstrcmpiW (lpString1="pl", lpString2="Program Files (x86)") returned -1 [0116.086] lstrcmpiW (lpString1="pl", lpString2="$Recycle.bin") returned 1 [0116.086] lstrcmpiW (lpString1="pl", lpString2="System Volume Information") returned -1 [0116.086] lstrcmpiW (lpString1="pl", lpString2=".") returned 1 [0116.086] lstrcmpiW (lpString1="pl", lpString2="..") returned 1 [0116.086] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl") returned 142 [0116.086] GetProcessHeap () returned 0x4c0000 [0116.086] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.086] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl" [0116.086] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\*" [0116.086] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f57450, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f57450, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f57450, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.087] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.087] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.087] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.087] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.087] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.087] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.087] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f57450, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f57450, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f57450, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.087] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.087] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.087] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.087] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.087] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.087] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.087] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.087] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86f57450, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f57c20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x101, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.087] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.087] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.087] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.087] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.087] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.087] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.087] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.088] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\messages.json") returned 156 [0116.088] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.088] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.088] lstrlenW (lpString=".json") returned 5 [0116.088] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.088] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0116.088] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=257) returned 1 [0116.088] CloseHandle (hObject=0x1b0) returned 1 [0116.088] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86f57450, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f57c20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x101, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.089] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.089] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\PUSSY.TXT") returned 152 [0116.089] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0116.089] lstrlenA (lpString="abcd") returned 4 [0116.089] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.090] CloseHandle (hObject=0x184) returned 1 [0116.090] GetProcessHeap () returned 0x4c0000 [0116.090] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.091] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f57450, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f57450, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f57450, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="pt_BR", cAlternateFileName="")) returned 1 [0116.091] lstrcmpiW (lpString1="pt_BR", lpString2="Windows") returned -1 [0116.091] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files") returned 1 [0116.091] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files (x86)") returned 1 [0116.091] lstrcmpiW (lpString1="pt_BR", lpString2="$Recycle.bin") returned 1 [0116.091] lstrcmpiW (lpString1="pt_BR", lpString2="System Volume Information") returned -1 [0116.091] lstrcmpiW (lpString1="pt_BR", lpString2=".") returned 1 [0116.091] lstrcmpiW (lpString1="pt_BR", lpString2="..") returned 1 [0116.091] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR") returned 145 [0116.091] GetProcessHeap () returned 0x4c0000 [0116.091] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.091] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR" [0116.091] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR\\*" [0116.091] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f57450, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f57450, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f57450, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.091] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.091] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.091] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.091] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.091] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.092] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.092] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f57450, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f57450, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f57450, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.092] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.092] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.092] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.092] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.092] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.092] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.092] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.092] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86f57450, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f57c20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xf6, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.092] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.092] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.092] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.092] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.092] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.092] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.092] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.092] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR\\messages.json") returned 159 [0116.092] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.092] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.092] lstrlenW (lpString=".json") returned 5 [0116.092] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.092] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_br\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0116.094] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=246) returned 1 [0116.094] CloseHandle (hObject=0x1b0) returned 1 [0116.094] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86f57450, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f57c20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xf6, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.094] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.094] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR\\PUSSY.TXT") returned 155 [0116.094] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_br\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0116.095] lstrlenA (lpString="abcd") returned 4 [0116.095] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.096] CloseHandle (hObject=0x184) returned 1 [0116.096] GetProcessHeap () returned 0x4c0000 [0116.096] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.096] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f57450, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f57450, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f57450, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="pt_PT", cAlternateFileName="")) returned 1 [0116.096] lstrcmpiW (lpString1="pt_PT", lpString2="Windows") returned -1 [0116.096] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files") returned 1 [0116.096] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files (x86)") returned 1 [0116.096] lstrcmpiW (lpString1="pt_PT", lpString2="$Recycle.bin") returned 1 [0116.096] lstrcmpiW (lpString1="pt_PT", lpString2="System Volume Information") returned -1 [0116.096] lstrcmpiW (lpString1="pt_PT", lpString2=".") returned 1 [0116.096] lstrcmpiW (lpString1="pt_PT", lpString2="..") returned 1 [0116.096] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT") returned 145 [0116.096] GetProcessHeap () returned 0x4c0000 [0116.096] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.096] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT" [0116.097] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT\\*" [0116.097] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f57450, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f57450, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f57450, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.097] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.097] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.097] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.097] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.097] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.097] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.097] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f57450, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f57450, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f57450, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.097] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.097] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.097] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.097] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.097] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.097] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.097] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.097] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86f57450, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f57c20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x108, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.098] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.098] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.098] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.098] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.098] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.098] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.098] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.098] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT\\messages.json") returned 159 [0116.098] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.098] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.098] lstrlenW (lpString=".json") returned 5 [0116.098] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.098] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_pt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0116.098] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=264) returned 1 [0116.098] CloseHandle (hObject=0x1b0) returned 1 [0116.099] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86f57450, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f57c20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x108, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.099] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.099] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT\\PUSSY.TXT") returned 155 [0116.099] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_pt\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0116.099] lstrlenA (lpString="abcd") returned 4 [0116.099] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.100] CloseHandle (hObject=0x184) returned 1 [0116.101] GetProcessHeap () returned 0x4c0000 [0116.101] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.101] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f57450, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f57450, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f57450, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ro", cAlternateFileName="")) returned 1 [0116.101] lstrcmpiW (lpString1="ro", lpString2="Windows") returned -1 [0116.101] lstrcmpiW (lpString1="ro", lpString2="Program Files") returned 1 [0116.101] lstrcmpiW (lpString1="ro", lpString2="Program Files (x86)") returned 1 [0116.101] lstrcmpiW (lpString1="ro", lpString2="$Recycle.bin") returned 1 [0116.101] lstrcmpiW (lpString1="ro", lpString2="System Volume Information") returned -1 [0116.101] lstrcmpiW (lpString1="ro", lpString2=".") returned 1 [0116.101] lstrcmpiW (lpString1="ro", lpString2="..") returned 1 [0116.101] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro") returned 142 [0116.101] GetProcessHeap () returned 0x4c0000 [0116.101] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.101] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro" [0116.101] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\*" [0116.101] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f57450, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f57450, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f57450, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.102] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.102] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.102] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.102] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.102] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.102] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.102] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f57450, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f57450, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f57450, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.102] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.102] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.102] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.102] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.102] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.102] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.102] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.102] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86f57450, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f57c20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x119, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.102] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.102] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.102] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.102] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.102] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.102] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.102] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.102] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\messages.json") returned 156 [0116.102] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.102] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.103] lstrlenW (lpString=".json") returned 5 [0116.103] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.103] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0116.104] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=281) returned 1 [0116.104] CloseHandle (hObject=0x1b0) returned 1 [0116.104] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86f57450, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f57c20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x119, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.104] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.104] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\PUSSY.TXT") returned 152 [0116.104] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0116.105] lstrlenA (lpString="abcd") returned 4 [0116.105] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.106] CloseHandle (hObject=0x184) returned 1 [0116.106] GetProcessHeap () returned 0x4c0000 [0116.106] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.106] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f57450, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f57450, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f57450, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ru", cAlternateFileName="")) returned 1 [0116.106] lstrcmpiW (lpString1="ru", lpString2="Windows") returned -1 [0116.106] lstrcmpiW (lpString1="ru", lpString2="Program Files") returned 1 [0116.106] lstrcmpiW (lpString1="ru", lpString2="Program Files (x86)") returned 1 [0116.106] lstrcmpiW (lpString1="ru", lpString2="$Recycle.bin") returned 1 [0116.106] lstrcmpiW (lpString1="ru", lpString2="System Volume Information") returned -1 [0116.106] lstrcmpiW (lpString1="ru", lpString2=".") returned 1 [0116.106] lstrcmpiW (lpString1="ru", lpString2="..") returned 1 [0116.106] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru") returned 142 [0116.106] GetProcessHeap () returned 0x4c0000 [0116.106] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.106] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru" [0116.106] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\*" [0116.106] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f57450, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f57450, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f57450, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.107] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.107] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.107] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.107] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.107] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.107] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.107] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f57450, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f57450, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f57450, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.107] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.107] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.107] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.107] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.107] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.107] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.107] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.107] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86f57450, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f57c20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x152, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.107] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.107] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.107] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.107] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.107] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.107] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.107] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.107] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\messages.json") returned 156 [0116.108] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.108] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.108] lstrlenW (lpString=".json") returned 5 [0116.108] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.108] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0116.108] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=338) returned 1 [0116.108] CloseHandle (hObject=0x1b0) returned 1 [0116.108] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86f57450, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f57c20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x152, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.108] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.108] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\PUSSY.TXT") returned 152 [0116.109] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0116.109] lstrlenA (lpString="abcd") returned 4 [0116.109] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.110] CloseHandle (hObject=0x184) returned 1 [0116.110] GetProcessHeap () returned 0x4c0000 [0116.110] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.110] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f57450, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f57450, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f57450, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="sk", cAlternateFileName="")) returned 1 [0116.110] lstrcmpiW (lpString1="sk", lpString2="Windows") returned -1 [0116.110] lstrcmpiW (lpString1="sk", lpString2="Program Files") returned 1 [0116.110] lstrcmpiW (lpString1="sk", lpString2="Program Files (x86)") returned 1 [0116.110] lstrcmpiW (lpString1="sk", lpString2="$Recycle.bin") returned 1 [0116.111] lstrcmpiW (lpString1="sk", lpString2="System Volume Information") returned -1 [0116.111] lstrcmpiW (lpString1="sk", lpString2=".") returned 1 [0116.111] lstrcmpiW (lpString1="sk", lpString2="..") returned 1 [0116.111] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk") returned 142 [0116.111] GetProcessHeap () returned 0x4c0000 [0116.111] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.111] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk" [0116.111] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\*" [0116.111] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f57450, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f57450, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f57450, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.111] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.111] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.111] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.111] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.111] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.111] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.111] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86f57450, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f57450, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86f57450, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.111] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.112] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.112] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.112] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.112] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.112] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.112] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.112] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86f57450, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f7ed20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x112, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.112] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.112] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.112] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.112] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.112] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.112] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.112] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.112] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\messages.json") returned 156 [0116.112] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.112] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.112] lstrlenW (lpString=".json") returned 5 [0116.112] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.112] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0116.113] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=274) returned 1 [0116.113] CloseHandle (hObject=0x1b0) returned 1 [0116.113] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86f57450, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86f7ed20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x112, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.114] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.114] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\PUSSY.TXT") returned 152 [0116.114] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0116.114] lstrlenA (lpString="abcd") returned 4 [0116.114] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.115] CloseHandle (hObject=0x184) returned 1 [0116.115] GetProcessHeap () returned 0x4c0000 [0116.115] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.115] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86fc9870, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86fc9870, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86fc9870, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="sl", cAlternateFileName="")) returned 1 [0116.115] lstrcmpiW (lpString1="sl", lpString2="Windows") returned -1 [0116.116] lstrcmpiW (lpString1="sl", lpString2="Program Files") returned 1 [0116.116] lstrcmpiW (lpString1="sl", lpString2="Program Files (x86)") returned 1 [0116.116] lstrcmpiW (lpString1="sl", lpString2="$Recycle.bin") returned 1 [0116.116] lstrcmpiW (lpString1="sl", lpString2="System Volume Information") returned -1 [0116.116] lstrcmpiW (lpString1="sl", lpString2=".") returned 1 [0116.116] lstrcmpiW (lpString1="sl", lpString2="..") returned 1 [0116.116] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl") returned 142 [0116.116] GetProcessHeap () returned 0x4c0000 [0116.116] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.116] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl" [0116.116] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\*" [0116.116] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86fc9870, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86fc9870, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86fc9870, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.116] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.116] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.116] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.116] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.116] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.117] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.117] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86fc9870, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86fc9870, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86fc9870, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.117] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.117] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.117] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.117] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.117] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.117] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.117] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.117] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86fc9870, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86fca810, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x10c, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.117] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.117] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.117] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.117] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.117] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.117] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.117] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.117] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\messages.json") returned 156 [0116.117] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.117] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.117] lstrlenW (lpString=".json") returned 5 [0116.117] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.117] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0116.118] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=268) returned 1 [0116.118] CloseHandle (hObject=0x1b0) returned 1 [0116.118] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86fc9870, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86fca810, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x10c, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.118] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.118] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\PUSSY.TXT") returned 152 [0116.118] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0116.119] lstrlenA (lpString="abcd") returned 4 [0116.119] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.120] CloseHandle (hObject=0x184) returned 1 [0116.120] GetProcessHeap () returned 0x4c0000 [0116.120] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.120] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86fc9870, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86fc9870, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86fc9870, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="sr", cAlternateFileName="")) returned 1 [0116.120] lstrcmpiW (lpString1="sr", lpString2="Windows") returned -1 [0116.120] lstrcmpiW (lpString1="sr", lpString2="Program Files") returned 1 [0116.120] lstrcmpiW (lpString1="sr", lpString2="Program Files (x86)") returned 1 [0116.120] lstrcmpiW (lpString1="sr", lpString2="$Recycle.bin") returned 1 [0116.120] lstrcmpiW (lpString1="sr", lpString2="System Volume Information") returned -1 [0116.120] lstrcmpiW (lpString1="sr", lpString2=".") returned 1 [0116.120] lstrcmpiW (lpString1="sr", lpString2="..") returned 1 [0116.120] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr") returned 142 [0116.120] GetProcessHeap () returned 0x4c0000 [0116.120] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.121] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr" [0116.121] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\*" [0116.121] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86fc9870, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86fc9870, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86fc9870, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.121] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.121] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.121] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.121] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.121] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.121] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.121] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86fc9870, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86fc9870, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86fc9870, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.121] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.121] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.121] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.121] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.121] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.121] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.121] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.122] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86fc9870, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86fca810, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x11f, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.122] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.122] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.122] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.122] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.122] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.122] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.122] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.122] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\messages.json") returned 156 [0116.122] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.122] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.122] lstrlenW (lpString=".json") returned 5 [0116.122] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.122] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0116.123] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=287) returned 1 [0116.123] CloseHandle (hObject=0x1b0) returned 1 [0116.123] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86fc9870, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86fca810, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x11f, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.123] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.124] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\PUSSY.TXT") returned 152 [0116.124] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0116.124] lstrlenA (lpString="abcd") returned 4 [0116.124] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.125] CloseHandle (hObject=0x184) returned 1 [0116.126] GetProcessHeap () returned 0x4c0000 [0116.126] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.126] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86fc9870, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86fc9870, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86fc9870, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="sv", cAlternateFileName="")) returned 1 [0116.126] lstrcmpiW (lpString1="sv", lpString2="Windows") returned -1 [0116.126] lstrcmpiW (lpString1="sv", lpString2="Program Files") returned 1 [0116.126] lstrcmpiW (lpString1="sv", lpString2="Program Files (x86)") returned 1 [0116.126] lstrcmpiW (lpString1="sv", lpString2="$Recycle.bin") returned 1 [0116.126] lstrcmpiW (lpString1="sv", lpString2="System Volume Information") returned -1 [0116.126] lstrcmpiW (lpString1="sv", lpString2=".") returned 1 [0116.126] lstrcmpiW (lpString1="sv", lpString2="..") returned 1 [0116.126] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv") returned 142 [0116.126] GetProcessHeap () returned 0x4c0000 [0116.126] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.126] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv" [0116.126] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\*" [0116.126] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86fc9870, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86fc9870, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86fc9870, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.127] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.127] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.127] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.127] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.127] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.127] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.127] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86fc9870, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86fc9870, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86fc9870, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.127] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.127] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.127] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.127] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.127] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.127] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.127] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.127] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86fc9870, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86fca810, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xfd, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.127] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.127] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.127] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.127] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.127] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.127] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.127] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.127] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\messages.json") returned 156 [0116.127] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.127] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.128] lstrlenW (lpString=".json") returned 5 [0116.128] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.128] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0116.128] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=253) returned 1 [0116.128] CloseHandle (hObject=0x1b0) returned 1 [0116.128] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86fc9870, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86fca810, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xfd, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.128] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.128] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\PUSSY.TXT") returned 152 [0116.128] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0116.129] lstrlenA (lpString="abcd") returned 4 [0116.129] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.130] CloseHandle (hObject=0x184) returned 1 [0116.130] GetProcessHeap () returned 0x4c0000 [0116.130] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.130] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86fef9d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86fef9d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86fef9d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="th", cAlternateFileName="")) returned 1 [0116.130] lstrcmpiW (lpString1="th", lpString2="Windows") returned -1 [0116.130] lstrcmpiW (lpString1="th", lpString2="Program Files") returned 1 [0116.130] lstrcmpiW (lpString1="th", lpString2="Program Files (x86)") returned 1 [0116.130] lstrcmpiW (lpString1="th", lpString2="$Recycle.bin") returned 1 [0116.130] lstrcmpiW (lpString1="th", lpString2="System Volume Information") returned 1 [0116.130] lstrcmpiW (lpString1="th", lpString2=".") returned 1 [0116.130] lstrcmpiW (lpString1="th", lpString2="..") returned 1 [0116.131] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th") returned 142 [0116.131] GetProcessHeap () returned 0x4c0000 [0116.131] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.131] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th" [0116.131] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\*" [0116.131] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86fef9d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86fef9d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86fef9d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.131] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.131] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.131] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.131] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.131] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.131] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.131] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86fef9d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86fef9d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86fef9d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.131] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.131] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.131] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.132] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.132] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.132] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.132] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.132] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86fef9d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86ff1910, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x164, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.132] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.132] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.132] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.132] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.132] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.132] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.132] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.132] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\messages.json") returned 156 [0116.132] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.132] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.132] lstrlenW (lpString=".json") returned 5 [0116.132] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.132] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0116.133] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=356) returned 1 [0116.133] CloseHandle (hObject=0x1b0) returned 1 [0116.134] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86fef9d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86ff1910, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x164, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.134] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.134] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\PUSSY.TXT") returned 152 [0116.134] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0116.134] lstrlenA (lpString="abcd") returned 4 [0116.134] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.135] CloseHandle (hObject=0x184) returned 1 [0116.135] GetProcessHeap () returned 0x4c0000 [0116.136] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.136] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86fef9d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86fef9d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86fef9d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="tr", cAlternateFileName="")) returned 1 [0116.136] lstrcmpiW (lpString1="tr", lpString2="Windows") returned -1 [0116.136] lstrcmpiW (lpString1="tr", lpString2="Program Files") returned 1 [0116.136] lstrcmpiW (lpString1="tr", lpString2="Program Files (x86)") returned 1 [0116.136] lstrcmpiW (lpString1="tr", lpString2="$Recycle.bin") returned 1 [0116.136] lstrcmpiW (lpString1="tr", lpString2="System Volume Information") returned 1 [0116.136] lstrcmpiW (lpString1="tr", lpString2=".") returned 1 [0116.136] lstrcmpiW (lpString1="tr", lpString2="..") returned 1 [0116.136] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr") returned 142 [0116.136] GetProcessHeap () returned 0x4c0000 [0116.136] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.136] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr" [0116.136] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\*" [0116.136] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86fef9d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86fef9d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86fef9d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.136] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.136] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.137] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.137] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.137] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.137] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.137] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86fef9d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86fef9d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86fef9d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.137] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.137] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.137] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.137] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.137] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.137] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.137] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.137] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86fef9d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86ff1910, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x10e, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.137] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.137] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.137] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.137] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.137] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.137] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.137] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.137] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\messages.json") returned 156 [0116.137] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.137] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.137] lstrlenW (lpString=".json") returned 5 [0116.137] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.138] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0116.138] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=270) returned 1 [0116.138] CloseHandle (hObject=0x1b0) returned 1 [0116.138] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86fef9d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86ff1910, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x10e, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.138] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.138] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\PUSSY.TXT") returned 152 [0116.138] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0116.139] lstrlenA (lpString="abcd") returned 4 [0116.139] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.140] CloseHandle (hObject=0x184) returned 1 [0116.140] GetProcessHeap () returned 0x4c0000 [0116.140] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.140] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86fef9d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86fef9d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86fef9d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="uk", cAlternateFileName="")) returned 1 [0116.140] lstrcmpiW (lpString1="uk", lpString2="Windows") returned -1 [0116.140] lstrcmpiW (lpString1="uk", lpString2="Program Files") returned 1 [0116.140] lstrcmpiW (lpString1="uk", lpString2="Program Files (x86)") returned 1 [0116.140] lstrcmpiW (lpString1="uk", lpString2="$Recycle.bin") returned 1 [0116.141] lstrcmpiW (lpString1="uk", lpString2="System Volume Information") returned 1 [0116.141] lstrcmpiW (lpString1="uk", lpString2=".") returned 1 [0116.141] lstrcmpiW (lpString1="uk", lpString2="..") returned 1 [0116.141] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk") returned 142 [0116.141] GetProcessHeap () returned 0x4c0000 [0116.141] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.141] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk" [0116.141] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\*" [0116.141] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86fef9d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86fef9d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86fef9d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.141] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.141] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.141] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.141] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.141] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.141] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.141] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86fef9d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86fef9d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86fef9d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.141] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.142] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.142] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.142] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.142] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.142] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.142] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.142] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86fef9d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86ff1910, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x161, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.142] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.142] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.142] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.142] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.142] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.142] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.142] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.142] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\messages.json") returned 156 [0116.142] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.142] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.142] lstrlenW (lpString=".json") returned 5 [0116.142] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.142] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0116.143] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=353) returned 1 [0116.143] CloseHandle (hObject=0x1b0) returned 1 [0116.144] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86fef9d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86ff1910, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x161, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.144] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.144] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\PUSSY.TXT") returned 152 [0116.144] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0116.144] lstrlenA (lpString="abcd") returned 4 [0116.144] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.145] CloseHandle (hObject=0x184) returned 1 [0116.145] GetProcessHeap () returned 0x4c0000 [0116.145] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.146] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86fef9d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86fef9d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86fef9d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="vi", cAlternateFileName="")) returned 1 [0116.146] lstrcmpiW (lpString1="vi", lpString2="Windows") returned -1 [0116.146] lstrcmpiW (lpString1="vi", lpString2="Program Files") returned 1 [0116.146] lstrcmpiW (lpString1="vi", lpString2="Program Files (x86)") returned 1 [0116.146] lstrcmpiW (lpString1="vi", lpString2="$Recycle.bin") returned 1 [0116.146] lstrcmpiW (lpString1="vi", lpString2="System Volume Information") returned 1 [0116.146] lstrcmpiW (lpString1="vi", lpString2=".") returned 1 [0116.146] lstrcmpiW (lpString1="vi", lpString2="..") returned 1 [0116.146] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi") returned 142 [0116.146] GetProcessHeap () returned 0x4c0000 [0116.146] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.146] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi" [0116.146] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\*" [0116.146] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86fef9d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86fef9d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86fef9d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.146] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.146] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.146] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.146] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.146] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.147] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.147] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86fef9d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86fef9d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86fef9d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.147] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.147] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.147] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.147] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.147] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.147] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.147] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.147] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86fef9d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86ff1910, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x117, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.147] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.147] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.147] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.147] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.147] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.147] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.147] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.147] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\messages.json") returned 156 [0116.147] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.147] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.147] lstrlenW (lpString=".json") returned 5 [0116.147] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.147] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0116.148] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=279) returned 1 [0116.148] CloseHandle (hObject=0x1b0) returned 1 [0116.148] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86fef9d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86ff1910, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x117, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.148] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.148] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\PUSSY.TXT") returned 152 [0116.148] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0116.148] lstrlenA (lpString="abcd") returned 4 [0116.148] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.149] CloseHandle (hObject=0x184) returned 1 [0116.149] GetProcessHeap () returned 0x4c0000 [0116.149] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.149] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86fef9d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86fef9d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86fef9d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="zh_CN", cAlternateFileName="")) returned 1 [0116.149] lstrcmpiW (lpString1="zh_CN", lpString2="Windows") returned 1 [0116.150] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files") returned 1 [0116.150] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files (x86)") returned 1 [0116.150] lstrcmpiW (lpString1="zh_CN", lpString2="$Recycle.bin") returned 1 [0116.150] lstrcmpiW (lpString1="zh_CN", lpString2="System Volume Information") returned 1 [0116.150] lstrcmpiW (lpString1="zh_CN", lpString2=".") returned 1 [0116.150] lstrcmpiW (lpString1="zh_CN", lpString2="..") returned 1 [0116.150] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN") returned 145 [0116.150] GetProcessHeap () returned 0x4c0000 [0116.150] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.150] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN" [0116.150] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN\\*" [0116.150] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86fef9d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86fef9d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86fef9d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.150] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.150] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.150] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.150] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.150] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.150] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.150] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86fef9d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86fef9d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86fef9d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.150] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.151] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.151] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.151] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.151] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.151] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.151] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.151] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86fef9d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86ff1910, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x111, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.151] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.151] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.151] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.151] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.151] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.151] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.151] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.151] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN\\messages.json") returned 159 [0116.151] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.151] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.151] lstrlenW (lpString=".json") returned 5 [0116.151] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.151] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_cn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0116.152] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=273) returned 1 [0116.152] CloseHandle (hObject=0x1b0) returned 1 [0116.152] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86fef9d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86ff1910, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x111, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.152] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.152] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN\\PUSSY.TXT") returned 155 [0116.152] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_cn\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0116.153] lstrlenA (lpString="abcd") returned 4 [0116.153] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.154] CloseHandle (hObject=0x184) returned 1 [0116.154] GetProcessHeap () returned 0x4c0000 [0116.154] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.154] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86fef9d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x87015b30, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x87015b30, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="zh_TW", cAlternateFileName="")) returned 1 [0116.154] lstrcmpiW (lpString1="zh_TW", lpString2="Windows") returned 1 [0116.154] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files") returned 1 [0116.154] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files (x86)") returned 1 [0116.154] lstrcmpiW (lpString1="zh_TW", lpString2="$Recycle.bin") returned 1 [0116.154] lstrcmpiW (lpString1="zh_TW", lpString2="System Volume Information") returned 1 [0116.154] lstrcmpiW (lpString1="zh_TW", lpString2=".") returned 1 [0116.154] lstrcmpiW (lpString1="zh_TW", lpString2="..") returned 1 [0116.154] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW") returned 145 [0116.154] GetProcessHeap () returned 0x4c0000 [0116.154] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.154] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW" [0116.154] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW\\*" [0116.154] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86fef9d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x87015b30, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x87015b30, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.154] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.154] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.154] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.154] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.155] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.155] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.155] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86fef9d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x87015b30, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x87015b30, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.155] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.155] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.155] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.155] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.155] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.155] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.155] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.155] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x87015b30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x87016300, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x10b, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.155] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.155] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.155] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.155] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.155] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.155] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.155] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.155] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW\\messages.json") returned 159 [0116.155] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.155] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.155] lstrlenW (lpString=".json") returned 5 [0116.155] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.155] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_tw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0116.156] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=267) returned 1 [0116.156] CloseHandle (hObject=0x1b0) returned 1 [0116.156] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x87015b30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x87016300, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x10b, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.156] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.156] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW\\PUSSY.TXT") returned 155 [0116.156] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_tw\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0116.156] lstrlenA (lpString="abcd") returned 4 [0116.156] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.157] CloseHandle (hObject=0x184) returned 1 [0116.157] GetProcessHeap () returned 0x4c0000 [0116.157] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.157] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86fef9d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x87015b30, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x87015b30, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="zh_TW", cAlternateFileName="")) returned 0 [0116.157] FindClose (in: hFindFile=0x3bb71e0 | out: hFindFile=0x3bb71e0) returned 1 [0116.157] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\PUSSY.TXT") returned 149 [0116.158] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0116.243] lstrlenA (lpString="abcd") returned 4 [0116.243] WriteFile (in: hFile=0x16c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2899ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x2899ac*=0x4, lpOverlapped=0x0) returned 1 [0116.244] CloseHandle (hObject=0x16c) returned 1 [0116.244] GetProcessHeap () returned 0x4c0000 [0116.244] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0116.247] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x87015b30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x87015b30, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x87015b30, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="_metadata", cAlternateFileName="_METAD~1")) returned 1 [0116.247] lstrcmpiW (lpString1="_metadata", lpString2="Windows") returned -1 [0116.247] lstrcmpiW (lpString1="_metadata", lpString2="Program Files") returned -1 [0116.247] lstrcmpiW (lpString1="_metadata", lpString2="Program Files (x86)") returned -1 [0116.247] lstrcmpiW (lpString1="_metadata", lpString2="$Recycle.bin") returned 1 [0116.247] lstrcmpiW (lpString1="_metadata", lpString2="System Volume Information") returned -1 [0116.247] lstrcmpiW (lpString1="_metadata", lpString2=".") returned 1 [0116.247] lstrcmpiW (lpString1="_metadata", lpString2="..") returned 1 [0116.247] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata") returned 140 [0116.247] GetProcessHeap () returned 0x4c0000 [0116.248] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0116.248] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata" [0116.248] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\*" [0116.248] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\*", lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x87015b30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x87015b30, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x87015b30, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb71e0 [0116.249] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.249] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.249] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.249] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.249] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.249] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.249] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x87015b30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x87015b30, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x87015b30, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0116.249] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.249] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.249] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.249] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.249] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.249] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.249] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.249] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x87015b30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x87016300, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xd3d59700, ftLastWriteTime.dwHighDateTime=0x1d10aaf, nFileSizeHigh=0x0, nFileSizeLow=0x2bd5, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="verified_contents.json", cAlternateFileName="VERIFI~1.JSO")) returned 1 [0116.250] lstrcmpiW (lpString1="verified_contents.json", lpString2="Windows") returned -1 [0116.250] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files") returned 1 [0116.250] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files (x86)") returned 1 [0116.250] lstrcmpiW (lpString1="verified_contents.json", lpString2="$Recycle.bin") returned 1 [0116.250] lstrcmpiW (lpString1="verified_contents.json", lpString2="System Volume Information") returned 1 [0116.250] lstrcmpiW (lpString1="verified_contents.json", lpString2=".") returned 1 [0116.250] lstrcmpiW (lpString1="verified_contents.json", lpString2="..") returned 1 [0116.250] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\verified_contents.json") returned 163 [0116.250] lstrcmpW (lpString1="verified_contents.json", lpString2="PUSSY.TXT") returned 1 [0116.250] PathFindExtensionW (pszPath="verified_contents.json") returned=".json" [0116.250] lstrlenW (lpString=".json") returned 5 [0116.250] SystemFunction036 (in: RandomBuffer=0x289644, RandomBufferLength=0x20 | out: RandomBuffer=0x289644) returned 1 [0116.250] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\verified_contents.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0116.251] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x289638 | out: lpFileSize=0x289638*=11221) returned 1 [0116.251] GetProcessHeap () returned 0x4c0000 [0116.251] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3ca0008 [0116.262] wsprintfW (in: param_1=0x289686, param_2="%02X" | out: param_1="73") returned 2 [0116.262] wsprintfW (in: param_1=0x28968a, param_2="%02X" | out: param_1="F7") returned 2 [0116.262] wsprintfW (in: param_1=0x28968e, param_2="%02X" | out: param_1="AD") returned 2 [0116.262] wsprintfW (in: param_1=0x289692, param_2="%02X" | out: param_1="2A") returned 2 [0116.262] wsprintfW (in: param_1=0x289696, param_2="%02X" | out: param_1="CA") returned 2 [0116.262] wsprintfW (in: param_1=0x28969a, param_2="%02X" | out: param_1="3C") returned 2 [0116.262] wsprintfW (in: param_1=0x28969e, param_2="%02X" | out: param_1="00") returned 2 [0116.262] wsprintfW (in: param_1=0x2896a2, param_2="%02X" | out: param_1="5B") returned 2 [0116.263] wsprintfW (in: param_1=0x2896a6, param_2="%02X" | out: param_1="A7") returned 2 [0116.263] wsprintfW (in: param_1=0x2896aa, param_2="%02X" | out: param_1="CA") returned 2 [0116.263] wsprintfW (in: param_1=0x2896ae, param_2="%02X" | out: param_1="4F") returned 2 [0116.263] wsprintfW (in: param_1=0x2896b2, param_2="%02X" | out: param_1="04") returned 2 [0116.263] wsprintfW (in: param_1=0x2896b6, param_2="%02X" | out: param_1="63") returned 2 [0116.263] wsprintfW (in: param_1=0x2896ba, param_2="%02X" | out: param_1="FA") returned 2 [0116.263] wsprintfW (in: param_1=0x2896be, param_2="%02X" | out: param_1="4D") returned 2 [0116.263] wsprintfW (in: param_1=0x2896c2, param_2="%02X" | out: param_1="A2") returned 2 [0116.263] wsprintfW (in: param_1=0x2896c6, param_2="%02X" | out: param_1="56") returned 2 [0116.263] wsprintfW (in: param_1=0x2896ca, param_2="%02X" | out: param_1="E9") returned 2 [0116.263] wsprintfW (in: param_1=0x2896ce, param_2="%02X" | out: param_1="EB") returned 2 [0116.263] wsprintfW (in: param_1=0x2896d2, param_2="%02X" | out: param_1="E4") returned 2 [0116.263] wsprintfW (in: param_1=0x2896d6, param_2="%02X" | out: param_1="E2") returned 2 [0116.263] wsprintfW (in: param_1=0x2896da, param_2="%02X" | out: param_1="44") returned 2 [0116.263] wsprintfW (in: param_1=0x2896de, param_2="%02X" | out: param_1="20") returned 2 [0116.263] wsprintfW (in: param_1=0x2896e2, param_2="%02X" | out: param_1="59") returned 2 [0116.263] wsprintfW (in: param_1=0x2896e6, param_2="%02X" | out: param_1="45") returned 2 [0116.263] wsprintfW (in: param_1=0x2896ea, param_2="%02X" | out: param_1="1A") returned 2 [0116.263] wsprintfW (in: param_1=0x2896ee, param_2="%02X" | out: param_1="E3") returned 2 [0116.263] wsprintfW (in: param_1=0x2896f2, param_2="%02X" | out: param_1="A2") returned 2 [0116.263] wsprintfW (in: param_1=0x2896f6, param_2="%02X" | out: param_1="0D") returned 2 [0116.263] wsprintfW (in: param_1=0x2896fa, param_2="%02X" | out: param_1="0A") returned 2 [0116.263] wsprintfW (in: param_1=0x2896fe, param_2="%02X" | out: param_1="14") returned 2 [0116.263] wsprintfW (in: param_1=0x289702, param_2="%02X" | out: param_1="6A") returned 2 [0116.273] lstrcpyW (in: lpString1=0x3cb003c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\verified_contents.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\verified_contents.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\verified_contents.json" [0116.273] lstrcpyW (in: lpString1=0x3ca003c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\verified_contents.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\verified_contents.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\verified_contents.json" [0116.273] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\verified_contents.json", lpString2=".73F7AD2ACA3C005BA7CA4F0463FA4DA256E9EBE4E2442059451AE3A20D0A146A" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\verified_contents.json.73F7AD2ACA3C005BA7CA4F0463FA4DA256E9EBE4E2442059451AE3A20D0A146A") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\verified_contents.json.73F7AD2ACA3C005BA7CA4F0463FA4DA256E9EBE4E2442059451AE3A20D0A146A" [0116.273] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x3ca0008, NumberOfConcurrentThreads=0x0) returned 0x94 [0116.273] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3ca0008, lpOverlapped=0x3ca0008) returned 1 [0116.273] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x87015b30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x87016300, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xd3d59700, ftLastWriteTime.dwHighDateTime=0x1d10aaf, nFileSizeHigh=0x0, nFileSizeLow=0x2bd5, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="verified_contents.json", cAlternateFileName="VERIFI~1.JSO")) returned 0 [0116.273] FindClose (in: hFindFile=0x3bb71e0 | out: hFindFile=0x3bb71e0) returned 1 [0116.273] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\PUSSY.TXT") returned 150 [0116.273] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0116.274] lstrlenA (lpString="abcd") returned 4 [0116.274] WriteFile (in: hFile=0x16c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2899ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x2899ac*=0x4, lpOverlapped=0x0) returned 1 [0116.276] CloseHandle (hObject=0x16c) returned 1 [0116.276] GetProcessHeap () returned 0x4c0000 [0116.276] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0116.276] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x87015b30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x87015b30, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x87015b30, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="_metadata", cAlternateFileName="_METAD~1")) returned 0 [0116.276] FindClose (in: hFindFile=0x3bb71a0 | out: hFindFile=0x3bb71a0) returned 1 [0116.276] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\PUSSY.TXT") returned 140 [0116.276] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0116.277] lstrlenA (lpString="abcd") returned 4 [0116.277] WriteFile (in: hFile=0x178, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a14c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a14c*=0x4, lpOverlapped=0x0) returned 1 [0116.277] CloseHandle (hObject=0x178) returned 1 [0116.277] GetProcessHeap () returned 0x4c0000 [0116.277] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0116.279] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86e26950, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x871928f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x871928f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="14.1_0", cAlternateFileName="")) returned 0 [0116.279] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0116.279] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\PUSSY.TXT") returned 133 [0116.279] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0116.279] lstrlenA (lpString="abcd") returned 4 [0116.279] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a8ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a8ec*=0x4, lpOverlapped=0x0) returned 1 [0116.281] CloseHandle (hObject=0x18c) returned 1 [0116.281] GetProcessHeap () returned 0x4c0000 [0116.281] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bd80e8 | out: hHeap=0x4c0000) returned 1 [0116.281] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81a42ff0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x9174a630, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x9174a630, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="blpcfgokakmgnkcojhhkbfbldkacnbeo", cAlternateFileName="BLPCFG~1")) returned 1 [0116.281] lstrcmpiW (lpString1="blpcfgokakmgnkcojhhkbfbldkacnbeo", lpString2="Windows") returned -1 [0116.281] lstrcmpiW (lpString1="blpcfgokakmgnkcojhhkbfbldkacnbeo", lpString2="Program Files") returned -1 [0116.281] lstrcmpiW (lpString1="blpcfgokakmgnkcojhhkbfbldkacnbeo", lpString2="Program Files (x86)") returned -1 [0116.281] lstrcmpiW (lpString1="blpcfgokakmgnkcojhhkbfbldkacnbeo", lpString2="$Recycle.bin") returned 1 [0116.281] lstrcmpiW (lpString1="blpcfgokakmgnkcojhhkbfbldkacnbeo", lpString2="System Volume Information") returned -1 [0116.281] lstrcmpiW (lpString1="blpcfgokakmgnkcojhhkbfbldkacnbeo", lpString2=".") returned 1 [0116.281] lstrcmpiW (lpString1="blpcfgokakmgnkcojhhkbfbldkacnbeo", lpString2="..") returned 1 [0116.281] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo") returned 123 [0116.281] GetProcessHeap () returned 0x4c0000 [0116.281] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bd80e8 [0116.281] lstrcpyW (in: lpString1=0x3bd80e8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo" [0116.281] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\*" [0116.282] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\*", lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81a42ff0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x9174a630, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x9174a630, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0116.282] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.282] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.282] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.282] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.282] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.282] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.282] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81a42ff0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x9174a630, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x9174a630, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0116.282] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.282] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.282] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.282] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.282] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.282] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.282] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.282] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x851f1e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85639950, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="4.2.8_0", cAlternateFileName="4278E1~1.8_0")) returned 1 [0116.282] lstrcmpiW (lpString1="4.2.8_0", lpString2="Windows") returned -1 [0116.282] lstrcmpiW (lpString1="4.2.8_0", lpString2="Program Files") returned -1 [0116.282] lstrcmpiW (lpString1="4.2.8_0", lpString2="Program Files (x86)") returned -1 [0116.282] lstrcmpiW (lpString1="4.2.8_0", lpString2="$Recycle.bin") returned 1 [0116.282] lstrcmpiW (lpString1="4.2.8_0", lpString2="System Volume Information") returned -1 [0116.282] lstrcmpiW (lpString1="4.2.8_0", lpString2=".") returned 1 [0116.282] lstrcmpiW (lpString1="4.2.8_0", lpString2="..") returned 1 [0116.282] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0") returned 131 [0116.283] GetProcessHeap () returned 0x4c0000 [0116.283] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x502a88 [0116.283] lstrcpyW (in: lpString1=0x502a88, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0" [0116.283] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\*" [0116.283] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\*", lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x851f1e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85639950, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb71a0 [0116.286] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.286] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.286] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.286] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.286] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.287] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.287] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x851f1e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85639950, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.287] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.287] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.287] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.287] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.287] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.287] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.287] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.287] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x851f1e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85639950, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd4e, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="128.png", cAlternateFileName="")) returned 1 [0116.287] lstrcmpiW (lpString1="128.png", lpString2="Windows") returned -1 [0116.287] lstrcmpiW (lpString1="128.png", lpString2="Program Files") returned -1 [0116.287] lstrcmpiW (lpString1="128.png", lpString2="Program Files (x86)") returned -1 [0116.287] lstrcmpiW (lpString1="128.png", lpString2="$Recycle.bin") returned 1 [0116.287] lstrcmpiW (lpString1="128.png", lpString2="System Volume Information") returned -1 [0116.287] lstrcmpiW (lpString1="128.png", lpString2=".") returned 1 [0116.287] lstrcmpiW (lpString1="128.png", lpString2="..") returned 1 [0116.287] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png") returned 139 [0116.287] lstrcmpW (lpString1="128.png", lpString2="PUSSY.TXT") returned -1 [0116.287] PathFindExtensionW (pszPath="128.png") returned=".png" [0116.287] lstrlenW (lpString=".png") returned 4 [0116.288] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0116.288] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0116.289] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=3406) returned 1 [0116.289] GetProcessHeap () returned 0x4c0000 [0116.289] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x53caf0 [0116.299] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="CA") returned 2 [0116.299] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="F0") returned 2 [0116.299] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="85") returned 2 [0116.299] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="52") returned 2 [0116.300] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="B0") returned 2 [0116.300] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="B0") returned 2 [0116.300] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="3C") returned 2 [0116.300] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="2F") returned 2 [0116.300] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="00") returned 2 [0116.300] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="C3") returned 2 [0116.300] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="F5") returned 2 [0116.300] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="B8") returned 2 [0116.300] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="8E") returned 2 [0116.300] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="6C") returned 2 [0116.300] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="D8") returned 2 [0116.300] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="6B") returned 2 [0116.300] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="87") returned 2 [0116.300] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="C6") returned 2 [0116.300] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="55") returned 2 [0116.300] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="04") returned 2 [0116.300] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="F3") returned 2 [0116.300] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="32") returned 2 [0116.300] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="23") returned 2 [0116.300] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="96") returned 2 [0116.300] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="3C") returned 2 [0116.300] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="D0") returned 2 [0116.300] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="55") returned 2 [0116.300] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="50") returned 2 [0116.300] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="07") returned 2 [0116.300] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="D5") returned 2 [0116.300] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="72") returned 2 [0116.301] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="7D") returned 2 [0116.309] lstrcpyW (in: lpString1=0x54cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png" [0116.309] lstrcpyW (in: lpString1=0x53cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png" [0116.309] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png", lpString2=".CAF08552B0B03C2F00C3F5B88E6CD86B87C65504F33223963CD0555007D5727D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png.CAF08552B0B03C2F00C3F5B88E6CD86B87C65504F33223963CD0555007D5727D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png.CAF08552B0B03C2F00C3F5B88E6CD86B87C65504F33223963CD0555007D5727D" [0116.310] CreateIoCompletionPort (FileHandle=0x16c, ExistingCompletionPort=0x94, CompletionKey=0x53caf0, NumberOfConcurrentThreads=0x0) returned 0x94 [0116.310] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x53caf0, lpOverlapped=0x53caf0) returned 1 [0116.310] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x851f1e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85347ad0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x2d8, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="manifest.json", cAlternateFileName="MANIFE~1.JSO")) returned 1 [0116.310] lstrcmpiW (lpString1="manifest.json", lpString2="Windows") returned -1 [0116.310] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files") returned -1 [0116.310] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files (x86)") returned -1 [0116.310] lstrcmpiW (lpString1="manifest.json", lpString2="$Recycle.bin") returned 1 [0116.310] lstrcmpiW (lpString1="manifest.json", lpString2="System Volume Information") returned -1 [0116.310] lstrcmpiW (lpString1="manifest.json", lpString2=".") returned 1 [0116.310] lstrcmpiW (lpString1="manifest.json", lpString2="..") returned 1 [0116.310] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\manifest.json") returned 145 [0116.310] lstrcmpW (lpString1="manifest.json", lpString2="PUSSY.TXT") returned -1 [0116.310] PathFindExtensionW (pszPath="manifest.json") returned=".json" [0116.310] lstrlenW (lpString=".json") returned 5 [0116.310] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0116.310] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\manifest.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0116.311] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=728) returned 1 [0116.312] GetProcessHeap () returned 0x4c0000 [0116.312] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x564b40 [0116.321] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="D9") returned 2 [0116.321] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="39") returned 2 [0116.321] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="50") returned 2 [0116.322] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="5F") returned 2 [0116.322] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="9C") returned 2 [0116.322] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="F0") returned 2 [0116.322] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="CD") returned 2 [0116.322] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="B9") returned 2 [0116.322] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="1D") returned 2 [0116.322] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="D6") returned 2 [0116.322] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="F9") returned 2 [0116.322] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="8E") returned 2 [0116.322] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="46") returned 2 [0116.322] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="EA") returned 2 [0116.322] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="C3") returned 2 [0116.322] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="70") returned 2 [0116.322] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="9A") returned 2 [0116.322] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="A6") returned 2 [0116.322] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="80") returned 2 [0116.322] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="51") returned 2 [0116.322] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="55") returned 2 [0116.322] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="75") returned 2 [0116.322] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="A0") returned 2 [0116.322] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="59") returned 2 [0116.322] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="D6") returned 2 [0116.322] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="10") returned 2 [0116.322] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="58") returned 2 [0116.322] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="77") returned 2 [0116.322] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="A2") returned 2 [0116.322] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="05") returned 2 [0116.322] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="62") returned 2 [0116.322] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="68") returned 2 [0116.331] lstrcpyW (in: lpString1=0x574b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\manifest.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\manifest.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\manifest.json" [0116.331] lstrcpyW (in: lpString1=0x564b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\manifest.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\manifest.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\manifest.json" [0116.331] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\manifest.json", lpString2=".D939505F9CF0CDB91DD6F98E46EAC3709AA680515575A059D6105877A2056268" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\manifest.json.D939505F9CF0CDB91DD6F98E46EAC3709AA680515575A059D6105877A2056268") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\manifest.json.D939505F9CF0CDB91DD6F98E46EAC3709AA680515575A059D6105877A2056268" [0116.331] CreateIoCompletionPort (FileHandle=0x1b0, ExistingCompletionPort=0x94, CompletionKey=0x564b40, NumberOfConcurrentThreads=0x0) returned 0x94 [0116.331] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x564b40, lpOverlapped=0x564b40) returned 1 [0116.331] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x851f1e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85348a70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85348a70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="_locales", cAlternateFileName="")) returned 1 [0116.331] lstrcmpiW (lpString1="_locales", lpString2="Windows") returned -1 [0116.331] lstrcmpiW (lpString1="_locales", lpString2="Program Files") returned -1 [0116.331] lstrcmpiW (lpString1="_locales", lpString2="Program Files (x86)") returned -1 [0116.331] lstrcmpiW (lpString1="_locales", lpString2="$Recycle.bin") returned 1 [0116.331] lstrcmpiW (lpString1="_locales", lpString2="System Volume Information") returned -1 [0116.331] lstrcmpiW (lpString1="_locales", lpString2=".") returned 1 [0116.331] lstrcmpiW (lpString1="_locales", lpString2="..") returned 1 [0116.331] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales") returned 140 [0116.331] GetProcessHeap () returned 0x4c0000 [0116.332] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0116.332] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales" [0116.332] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\*" [0116.332] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\*", lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x851f1e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85348a70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85348a70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb71e0 [0116.375] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.375] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.375] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.375] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.375] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.375] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.375] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x851f1e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85348a70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85348a70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0116.375] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.375] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.375] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.375] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.375] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.375] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.376] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.376] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x851f1e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x851f1e10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x851f1e10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ar", cAlternateFileName="")) returned 1 [0116.376] lstrcmpiW (lpString1="ar", lpString2="Windows") returned -1 [0116.376] lstrcmpiW (lpString1="ar", lpString2="Program Files") returned -1 [0116.376] lstrcmpiW (lpString1="ar", lpString2="Program Files (x86)") returned -1 [0116.376] lstrcmpiW (lpString1="ar", lpString2="$Recycle.bin") returned 1 [0116.376] lstrcmpiW (lpString1="ar", lpString2="System Volume Information") returned -1 [0116.376] lstrcmpiW (lpString1="ar", lpString2=".") returned 1 [0116.376] lstrcmpiW (lpString1="ar", lpString2="..") returned 1 [0116.376] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar") returned 143 [0116.376] GetProcessHeap () returned 0x4c0000 [0116.376] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b380a0 [0116.378] lstrcpyW (in: lpString1=0x3b380a0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar" [0116.378] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\*" [0116.378] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x851f1e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x851f1e10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x851f1e10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.378] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.378] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.378] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.378] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.378] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.378] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.378] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x851f1e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x851f1e10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x851f1e10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.378] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.378] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.378] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.378] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.378] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.379] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.379] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.379] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x851f1e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x851f1e10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.379] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.379] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.379] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.379] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.379] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.379] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.379] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.379] wnsprintfW (in: pszDest=0x3b380a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\messages.json") returned 157 [0116.379] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.379] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.379] lstrlenW (lpString=".json") returned 5 [0116.379] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.379] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x114 [0116.380] GetFileSizeEx (in: hFile=0x114, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=179) returned 1 [0116.380] CloseHandle (hObject=0x114) returned 1 [0116.380] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x851f1e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x851f1e10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.380] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.380] wnsprintfW (in: pszDest=0x3b380a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\PUSSY.TXT") returned 153 [0116.380] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0116.387] lstrlenA (lpString="abcd") returned 4 [0116.387] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.388] CloseHandle (hObject=0x17c) returned 1 [0116.388] GetProcessHeap () returned 0x4c0000 [0116.388] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0116.388] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x851f1e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x851f1e10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x851f1e10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="bg", cAlternateFileName="")) returned 1 [0116.388] lstrcmpiW (lpString1="bg", lpString2="Windows") returned -1 [0116.388] lstrcmpiW (lpString1="bg", lpString2="Program Files") returned -1 [0116.388] lstrcmpiW (lpString1="bg", lpString2="Program Files (x86)") returned -1 [0116.388] lstrcmpiW (lpString1="bg", lpString2="$Recycle.bin") returned 1 [0116.388] lstrcmpiW (lpString1="bg", lpString2="System Volume Information") returned -1 [0116.388] lstrcmpiW (lpString1="bg", lpString2=".") returned 1 [0116.388] lstrcmpiW (lpString1="bg", lpString2="..") returned 1 [0116.388] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg") returned 143 [0116.388] GetProcessHeap () returned 0x4c0000 [0116.388] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b380a0 [0116.388] lstrcpyW (in: lpString1=0x3b380a0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg" [0116.388] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\*" [0116.388] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x851f1e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x851f1e10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x851f1e10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.389] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.389] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.389] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.389] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.390] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.390] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.390] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x851f1e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x851f1e10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x851f1e10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.390] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.390] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.390] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.390] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.390] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.390] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.390] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.390] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x851f1e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x851f1e10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.390] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.390] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.390] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.390] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.390] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.390] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.390] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.390] wnsprintfW (in: pszDest=0x3b380a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\messages.json") returned 157 [0116.390] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.390] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.390] lstrlenW (lpString=".json") returned 5 [0116.390] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.390] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x114 [0116.391] GetFileSizeEx (in: hFile=0x114, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=179) returned 1 [0116.391] CloseHandle (hObject=0x114) returned 1 [0116.391] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x851f1e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x851f1e10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.391] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.391] wnsprintfW (in: pszDest=0x3b380a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\PUSSY.TXT") returned 153 [0116.391] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0116.392] lstrlenA (lpString="abcd") returned 4 [0116.392] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.393] CloseHandle (hObject=0x17c) returned 1 [0116.393] GetProcessHeap () returned 0x4c0000 [0116.393] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0116.393] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x851f1e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x851f1e10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x851f1e10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ca", cAlternateFileName="")) returned 1 [0116.393] lstrcmpiW (lpString1="ca", lpString2="Windows") returned -1 [0116.393] lstrcmpiW (lpString1="ca", lpString2="Program Files") returned -1 [0116.393] lstrcmpiW (lpString1="ca", lpString2="Program Files (x86)") returned -1 [0116.393] lstrcmpiW (lpString1="ca", lpString2="$Recycle.bin") returned 1 [0116.393] lstrcmpiW (lpString1="ca", lpString2="System Volume Information") returned -1 [0116.393] lstrcmpiW (lpString1="ca", lpString2=".") returned 1 [0116.393] lstrcmpiW (lpString1="ca", lpString2="..") returned 1 [0116.393] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca") returned 143 [0116.393] GetProcessHeap () returned 0x4c0000 [0116.393] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b380a0 [0116.393] lstrcpyW (in: lpString1=0x3b380a0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca" [0116.393] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\*" [0116.393] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x851f1e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x851f1e10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x851f1e10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.394] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.394] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.394] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.394] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.394] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.394] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.394] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x851f1e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x851f1e10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x851f1e10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.394] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.394] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.394] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.394] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.394] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.394] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.394] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.394] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x851f1e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x851f1e10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.394] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.394] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.394] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.394] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.395] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.395] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.395] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.395] wnsprintfW (in: pszDest=0x3b380a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\messages.json") returned 157 [0116.395] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.395] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.395] lstrlenW (lpString=".json") returned 5 [0116.395] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.395] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x114 [0116.395] GetFileSizeEx (in: hFile=0x114, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=179) returned 1 [0116.395] CloseHandle (hObject=0x114) returned 1 [0116.396] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x851f1e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x851f1e10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.396] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.396] wnsprintfW (in: pszDest=0x3b380a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\PUSSY.TXT") returned 153 [0116.396] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0116.396] lstrlenA (lpString="abcd") returned 4 [0116.396] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.397] CloseHandle (hObject=0x17c) returned 1 [0116.397] GetProcessHeap () returned 0x4c0000 [0116.397] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0116.397] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85217f70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85217f70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="cs", cAlternateFileName="")) returned 1 [0116.398] lstrcmpiW (lpString1="cs", lpString2="Windows") returned -1 [0116.398] lstrcmpiW (lpString1="cs", lpString2="Program Files") returned -1 [0116.398] lstrcmpiW (lpString1="cs", lpString2="Program Files (x86)") returned -1 [0116.398] lstrcmpiW (lpString1="cs", lpString2="$Recycle.bin") returned 1 [0116.398] lstrcmpiW (lpString1="cs", lpString2="System Volume Information") returned -1 [0116.398] lstrcmpiW (lpString1="cs", lpString2=".") returned 1 [0116.398] lstrcmpiW (lpString1="cs", lpString2="..") returned 1 [0116.398] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs") returned 143 [0116.398] GetProcessHeap () returned 0x4c0000 [0116.398] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b380a0 [0116.398] lstrcpyW (in: lpString1=0x3b380a0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs" [0116.398] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\*" [0116.398] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85217f70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85217f70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.399] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.399] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.399] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.399] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.399] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.399] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.399] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85217f70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85217f70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.399] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.399] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.399] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.399] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.399] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.399] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.399] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.399] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85218f10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.400] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.400] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.400] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.400] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.400] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.400] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.400] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.400] wnsprintfW (in: pszDest=0x3b380a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\messages.json") returned 157 [0116.400] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.400] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.400] lstrlenW (lpString=".json") returned 5 [0116.400] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.400] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x114 [0116.400] GetFileSizeEx (in: hFile=0x114, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=179) returned 1 [0116.400] CloseHandle (hObject=0x114) returned 1 [0116.401] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85218f10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.401] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.401] wnsprintfW (in: pszDest=0x3b380a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\PUSSY.TXT") returned 153 [0116.401] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0116.401] lstrlenA (lpString="abcd") returned 4 [0116.401] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.403] CloseHandle (hObject=0x17c) returned 1 [0116.430] GetProcessHeap () returned 0x4c0000 [0116.430] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0116.432] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85217f70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85217f70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="da", cAlternateFileName="")) returned 1 [0116.432] lstrcmpiW (lpString1="da", lpString2="Windows") returned -1 [0116.432] lstrcmpiW (lpString1="da", lpString2="Program Files") returned -1 [0116.432] lstrcmpiW (lpString1="da", lpString2="Program Files (x86)") returned -1 [0116.432] lstrcmpiW (lpString1="da", lpString2="$Recycle.bin") returned 1 [0116.432] lstrcmpiW (lpString1="da", lpString2="System Volume Information") returned -1 [0116.432] lstrcmpiW (lpString1="da", lpString2=".") returned 1 [0116.432] lstrcmpiW (lpString1="da", lpString2="..") returned 1 [0116.432] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da") returned 143 [0116.432] GetProcessHeap () returned 0x4c0000 [0116.432] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.433] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da" [0116.433] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\*" [0116.433] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85217f70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85217f70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.434] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.434] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.434] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.434] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.434] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.434] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.434] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85217f70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85217f70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.434] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.434] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.434] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.434] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.434] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.434] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.434] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.435] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85218f10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.435] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.435] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.435] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.435] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.435] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.435] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.435] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.435] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\messages.json") returned 157 [0116.435] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.435] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.435] lstrlenW (lpString=".json") returned 5 [0116.435] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.435] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0116.436] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=179) returned 1 [0116.436] CloseHandle (hObject=0x17c) returned 1 [0116.436] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85218f10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.436] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.436] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\PUSSY.TXT") returned 153 [0116.436] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0116.437] lstrlenA (lpString="abcd") returned 4 [0116.437] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.438] CloseHandle (hObject=0x1b0) returned 1 [0116.438] GetProcessHeap () returned 0x4c0000 [0116.439] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.439] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85217f70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85217f70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="de", cAlternateFileName="")) returned 1 [0116.439] lstrcmpiW (lpString1="de", lpString2="Windows") returned -1 [0116.439] lstrcmpiW (lpString1="de", lpString2="Program Files") returned -1 [0116.439] lstrcmpiW (lpString1="de", lpString2="Program Files (x86)") returned -1 [0116.439] lstrcmpiW (lpString1="de", lpString2="$Recycle.bin") returned 1 [0116.439] lstrcmpiW (lpString1="de", lpString2="System Volume Information") returned -1 [0116.439] lstrcmpiW (lpString1="de", lpString2=".") returned 1 [0116.439] lstrcmpiW (lpString1="de", lpString2="..") returned 1 [0116.439] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de") returned 143 [0116.439] GetProcessHeap () returned 0x4c0000 [0116.439] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.439] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de" [0116.439] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\*" [0116.439] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85217f70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85217f70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.441] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.441] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.441] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.441] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.441] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.441] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.441] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85217f70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85217f70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.441] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.441] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.441] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.442] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.442] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.442] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.442] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.442] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85218f10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.442] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.442] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.442] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.442] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.442] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.442] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.442] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.442] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\messages.json") returned 157 [0116.442] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.442] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.442] lstrlenW (lpString=".json") returned 5 [0116.442] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.442] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0116.443] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=179) returned 1 [0116.443] CloseHandle (hObject=0x17c) returned 1 [0116.443] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85218f10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.443] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.443] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\PUSSY.TXT") returned 153 [0116.443] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0116.443] lstrlenA (lpString="abcd") returned 4 [0116.444] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.445] CloseHandle (hObject=0x1b0) returned 1 [0116.445] GetProcessHeap () returned 0x4c0000 [0116.445] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.445] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85217f70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85217f70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="el", cAlternateFileName="")) returned 1 [0116.445] lstrcmpiW (lpString1="el", lpString2="Windows") returned -1 [0116.445] lstrcmpiW (lpString1="el", lpString2="Program Files") returned -1 [0116.445] lstrcmpiW (lpString1="el", lpString2="Program Files (x86)") returned -1 [0116.445] lstrcmpiW (lpString1="el", lpString2="$Recycle.bin") returned 1 [0116.445] lstrcmpiW (lpString1="el", lpString2="System Volume Information") returned -1 [0116.445] lstrcmpiW (lpString1="el", lpString2=".") returned 1 [0116.445] lstrcmpiW (lpString1="el", lpString2="..") returned 1 [0116.445] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el") returned 143 [0116.445] GetProcessHeap () returned 0x4c0000 [0116.445] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.445] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el" [0116.445] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\*" [0116.445] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85217f70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85217f70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.446] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.446] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.446] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.446] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.446] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.446] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.446] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85217f70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85217f70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.446] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.446] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.446] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.446] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.446] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.446] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.446] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.446] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85218f10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.446] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.446] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.446] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.446] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.446] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.446] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.447] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.447] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\messages.json") returned 157 [0116.447] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.447] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.447] lstrlenW (lpString=".json") returned 5 [0116.447] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.447] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0116.447] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=179) returned 1 [0116.447] CloseHandle (hObject=0x17c) returned 1 [0116.447] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85218f10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.447] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.448] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\PUSSY.TXT") returned 153 [0116.448] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0116.448] lstrlenA (lpString="abcd") returned 4 [0116.448] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.449] CloseHandle (hObject=0x1b0) returned 1 [0116.449] GetProcessHeap () returned 0x4c0000 [0116.449] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.449] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85217f70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85217f70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="en", cAlternateFileName="")) returned 1 [0116.449] lstrcmpiW (lpString1="en", lpString2="Windows") returned -1 [0116.449] lstrcmpiW (lpString1="en", lpString2="Program Files") returned -1 [0116.450] lstrcmpiW (lpString1="en", lpString2="Program Files (x86)") returned -1 [0116.450] lstrcmpiW (lpString1="en", lpString2="$Recycle.bin") returned 1 [0116.450] lstrcmpiW (lpString1="en", lpString2="System Volume Information") returned -1 [0116.450] lstrcmpiW (lpString1="en", lpString2=".") returned 1 [0116.450] lstrcmpiW (lpString1="en", lpString2="..") returned 1 [0116.450] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en") returned 143 [0116.450] GetProcessHeap () returned 0x4c0000 [0116.450] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.450] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en" [0116.450] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\*" [0116.450] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85217f70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85217f70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.451] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.451] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.451] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.451] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.451] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.451] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.451] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85217f70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85217f70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.451] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.451] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.451] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.451] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.452] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.452] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.452] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.452] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85218f10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.452] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.452] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.452] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.452] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.452] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.452] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.452] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.452] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\messages.json") returned 157 [0116.452] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.452] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.452] lstrlenW (lpString=".json") returned 5 [0116.452] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.452] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0116.453] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=179) returned 1 [0116.453] CloseHandle (hObject=0x17c) returned 1 [0116.453] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85218f10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.453] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.453] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\PUSSY.TXT") returned 153 [0116.453] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0116.453] lstrlenA (lpString="abcd") returned 4 [0116.453] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.455] CloseHandle (hObject=0x1b0) returned 1 [0116.455] GetProcessHeap () returned 0x4c0000 [0116.455] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.455] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523e0d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8523e0d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="es", cAlternateFileName="")) returned 1 [0116.455] lstrcmpiW (lpString1="es", lpString2="Windows") returned -1 [0116.455] lstrcmpiW (lpString1="es", lpString2="Program Files") returned -1 [0116.455] lstrcmpiW (lpString1="es", lpString2="Program Files (x86)") returned -1 [0116.455] lstrcmpiW (lpString1="es", lpString2="$Recycle.bin") returned 1 [0116.455] lstrcmpiW (lpString1="es", lpString2="System Volume Information") returned -1 [0116.455] lstrcmpiW (lpString1="es", lpString2=".") returned 1 [0116.455] lstrcmpiW (lpString1="es", lpString2="..") returned 1 [0116.455] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es") returned 143 [0116.455] GetProcessHeap () returned 0x4c0000 [0116.455] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.455] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es" [0116.455] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\*" [0116.455] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523e0d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8523e0d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.456] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.456] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.456] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.456] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.456] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.456] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.456] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523e0d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8523e0d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.458] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.458] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.458] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.458] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.458] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.458] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.458] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.458] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523d900, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.458] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.458] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.458] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.458] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.458] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.458] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.458] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.458] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\messages.json") returned 157 [0116.458] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.458] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.458] lstrlenW (lpString=".json") returned 5 [0116.458] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.458] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0116.459] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=179) returned 1 [0116.459] CloseHandle (hObject=0x17c) returned 1 [0116.460] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523d900, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.460] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.460] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\PUSSY.TXT") returned 153 [0116.460] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0116.461] lstrlenA (lpString="abcd") returned 4 [0116.461] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.462] CloseHandle (hObject=0x1b0) returned 1 [0116.462] GetProcessHeap () returned 0x4c0000 [0116.462] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.462] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523e0d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8523e0d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="fi", cAlternateFileName="")) returned 1 [0116.462] lstrcmpiW (lpString1="fi", lpString2="Windows") returned -1 [0116.462] lstrcmpiW (lpString1="fi", lpString2="Program Files") returned -1 [0116.462] lstrcmpiW (lpString1="fi", lpString2="Program Files (x86)") returned -1 [0116.462] lstrcmpiW (lpString1="fi", lpString2="$Recycle.bin") returned 1 [0116.462] lstrcmpiW (lpString1="fi", lpString2="System Volume Information") returned -1 [0116.462] lstrcmpiW (lpString1="fi", lpString2=".") returned 1 [0116.462] lstrcmpiW (lpString1="fi", lpString2="..") returned 1 [0116.463] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi") returned 143 [0116.463] GetProcessHeap () returned 0x4c0000 [0116.463] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.463] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi" [0116.463] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\*" [0116.463] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523e0d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8523e0d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.464] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.464] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.464] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.464] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.464] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.464] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.464] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523e0d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8523e0d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.464] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.464] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.464] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.464] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.464] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.464] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.464] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.464] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523d900, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.464] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.464] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.464] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.464] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.465] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.465] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.465] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.465] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\messages.json") returned 157 [0116.465] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.465] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.465] lstrlenW (lpString=".json") returned 5 [0116.465] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.465] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0116.465] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=179) returned 1 [0116.465] CloseHandle (hObject=0x17c) returned 1 [0116.465] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523d900, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.466] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.466] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\PUSSY.TXT") returned 153 [0116.466] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0116.466] lstrlenA (lpString="abcd") returned 4 [0116.466] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.467] CloseHandle (hObject=0x1b0) returned 1 [0116.468] GetProcessHeap () returned 0x4c0000 [0116.468] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.468] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523e0d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8523e0d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="fil", cAlternateFileName="")) returned 1 [0116.468] lstrcmpiW (lpString1="fil", lpString2="Windows") returned -1 [0116.468] lstrcmpiW (lpString1="fil", lpString2="Program Files") returned -1 [0116.468] lstrcmpiW (lpString1="fil", lpString2="Program Files (x86)") returned -1 [0116.468] lstrcmpiW (lpString1="fil", lpString2="$Recycle.bin") returned 1 [0116.468] lstrcmpiW (lpString1="fil", lpString2="System Volume Information") returned -1 [0116.468] lstrcmpiW (lpString1="fil", lpString2=".") returned 1 [0116.468] lstrcmpiW (lpString1="fil", lpString2="..") returned 1 [0116.468] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil") returned 144 [0116.468] GetProcessHeap () returned 0x4c0000 [0116.468] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.468] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil" [0116.468] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\*" [0116.468] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523e0d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8523e0d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.468] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.468] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.469] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.469] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.469] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.469] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.469] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523e0d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8523e0d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.469] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.469] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.469] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.469] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.469] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.469] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.469] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.469] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523d900, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.469] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.469] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.469] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.469] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.469] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.469] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.469] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.469] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\messages.json") returned 158 [0116.469] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.469] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.469] lstrlenW (lpString=".json") returned 5 [0116.469] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.470] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0116.470] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=179) returned 1 [0116.470] CloseHandle (hObject=0x17c) returned 1 [0116.470] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523d900, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.470] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.470] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\PUSSY.TXT") returned 154 [0116.470] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0116.471] lstrlenA (lpString="abcd") returned 4 [0116.471] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.472] CloseHandle (hObject=0x1b0) returned 1 [0116.472] GetProcessHeap () returned 0x4c0000 [0116.472] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.472] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523e0d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8523e0d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="fr", cAlternateFileName="")) returned 1 [0116.472] lstrcmpiW (lpString1="fr", lpString2="Windows") returned -1 [0116.472] lstrcmpiW (lpString1="fr", lpString2="Program Files") returned -1 [0116.472] lstrcmpiW (lpString1="fr", lpString2="Program Files (x86)") returned -1 [0116.472] lstrcmpiW (lpString1="fr", lpString2="$Recycle.bin") returned 1 [0116.472] lstrcmpiW (lpString1="fr", lpString2="System Volume Information") returned -1 [0116.472] lstrcmpiW (lpString1="fr", lpString2=".") returned 1 [0116.472] lstrcmpiW (lpString1="fr", lpString2="..") returned 1 [0116.472] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr") returned 143 [0116.472] GetProcessHeap () returned 0x4c0000 [0116.472] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.472] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr" [0116.472] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\*" [0116.472] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523e0d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8523e0d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.474] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.474] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.474] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.474] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.474] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.474] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.474] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523e0d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8523e0d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.474] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.474] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.474] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.474] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.474] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.474] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.474] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.474] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523d900, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.474] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.474] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.474] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.474] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.474] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.475] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.475] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.475] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\messages.json") returned 157 [0116.475] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.475] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.475] lstrlenW (lpString=".json") returned 5 [0116.475] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.475] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0116.475] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=179) returned 1 [0116.475] CloseHandle (hObject=0x17c) returned 1 [0116.475] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523d900, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.475] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.475] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\PUSSY.TXT") returned 153 [0116.476] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0116.476] lstrlenA (lpString="abcd") returned 4 [0116.476] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.477] CloseHandle (hObject=0x1b0) returned 1 [0116.477] GetProcessHeap () returned 0x4c0000 [0116.477] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.477] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523e0d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8523e0d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="he", cAlternateFileName="")) returned 1 [0116.477] lstrcmpiW (lpString1="he", lpString2="Windows") returned -1 [0116.477] lstrcmpiW (lpString1="he", lpString2="Program Files") returned -1 [0116.477] lstrcmpiW (lpString1="he", lpString2="Program Files (x86)") returned -1 [0116.478] lstrcmpiW (lpString1="he", lpString2="$Recycle.bin") returned 1 [0116.478] lstrcmpiW (lpString1="he", lpString2="System Volume Information") returned -1 [0116.478] lstrcmpiW (lpString1="he", lpString2=".") returned 1 [0116.478] lstrcmpiW (lpString1="he", lpString2="..") returned 1 [0116.478] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he") returned 143 [0116.478] GetProcessHeap () returned 0x4c0000 [0116.478] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.478] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he" [0116.478] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\*" [0116.478] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523e0d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8523e0d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.478] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.478] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.478] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.478] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.478] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.478] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.478] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523e0d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8523e0d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.479] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.479] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.479] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.479] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.479] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.479] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.479] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.479] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523d900, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.479] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.479] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.479] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.479] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.479] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.479] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.479] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.479] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\messages.json") returned 157 [0116.479] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.479] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.479] lstrlenW (lpString=".json") returned 5 [0116.479] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.479] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0116.480] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=179) returned 1 [0116.480] CloseHandle (hObject=0x17c) returned 1 [0116.480] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523d900, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.480] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.480] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\PUSSY.TXT") returned 153 [0116.480] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0116.480] lstrlenA (lpString="abcd") returned 4 [0116.480] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.482] CloseHandle (hObject=0x1b0) returned 1 [0116.482] GetProcessHeap () returned 0x4c0000 [0116.482] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.482] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523e0d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8523e0d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="hi", cAlternateFileName="")) returned 1 [0116.482] lstrcmpiW (lpString1="hi", lpString2="Windows") returned -1 [0116.482] lstrcmpiW (lpString1="hi", lpString2="Program Files") returned -1 [0116.482] lstrcmpiW (lpString1="hi", lpString2="Program Files (x86)") returned -1 [0116.482] lstrcmpiW (lpString1="hi", lpString2="$Recycle.bin") returned 1 [0116.482] lstrcmpiW (lpString1="hi", lpString2="System Volume Information") returned -1 [0116.482] lstrcmpiW (lpString1="hi", lpString2=".") returned 1 [0116.482] lstrcmpiW (lpString1="hi", lpString2="..") returned 1 [0116.482] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi") returned 143 [0116.482] GetProcessHeap () returned 0x4c0000 [0116.482] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.482] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi" [0116.483] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\*" [0116.483] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523e0d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8523e0d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.484] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.484] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.484] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.484] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.484] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.484] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.484] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523e0d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8523e0d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.484] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.484] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.484] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.484] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.484] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.484] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.484] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.484] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523d900, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.484] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.484] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.484] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.484] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.484] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.484] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.485] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.485] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\messages.json") returned 157 [0116.485] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.485] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.485] lstrlenW (lpString=".json") returned 5 [0116.485] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.485] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0116.485] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=179) returned 1 [0116.485] CloseHandle (hObject=0x17c) returned 1 [0116.485] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523d900, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.485] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.485] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\PUSSY.TXT") returned 153 [0116.486] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0116.486] lstrlenA (lpString="abcd") returned 4 [0116.486] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.487] CloseHandle (hObject=0x1b0) returned 1 [0116.487] GetProcessHeap () returned 0x4c0000 [0116.487] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.487] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="hr", cAlternateFileName="")) returned 1 [0116.487] lstrcmpiW (lpString1="hr", lpString2="Windows") returned -1 [0116.487] lstrcmpiW (lpString1="hr", lpString2="Program Files") returned -1 [0116.487] lstrcmpiW (lpString1="hr", lpString2="Program Files (x86)") returned -1 [0116.487] lstrcmpiW (lpString1="hr", lpString2="$Recycle.bin") returned 1 [0116.488] lstrcmpiW (lpString1="hr", lpString2="System Volume Information") returned -1 [0116.488] lstrcmpiW (lpString1="hr", lpString2=".") returned 1 [0116.488] lstrcmpiW (lpString1="hr", lpString2="..") returned 1 [0116.488] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr") returned 143 [0116.488] GetProcessHeap () returned 0x4c0000 [0116.488] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.488] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr" [0116.488] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\*" [0116.488] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.488] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.488] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.488] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.488] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.488] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.488] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.488] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.488] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.488] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.489] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.489] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.489] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.489] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.489] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.489] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264a00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.489] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.489] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.489] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.489] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.489] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.489] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.489] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.489] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\messages.json") returned 157 [0116.489] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.489] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.489] lstrlenW (lpString=".json") returned 5 [0116.489] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.489] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0116.490] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=179) returned 1 [0116.490] CloseHandle (hObject=0x17c) returned 1 [0116.490] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264a00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.490] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.490] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\PUSSY.TXT") returned 153 [0116.490] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0116.490] lstrlenA (lpString="abcd") returned 4 [0116.490] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.491] CloseHandle (hObject=0x1b0) returned 1 [0116.491] GetProcessHeap () returned 0x4c0000 [0116.492] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.492] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="hu", cAlternateFileName="")) returned 1 [0116.492] lstrcmpiW (lpString1="hu", lpString2="Windows") returned -1 [0116.492] lstrcmpiW (lpString1="hu", lpString2="Program Files") returned -1 [0116.492] lstrcmpiW (lpString1="hu", lpString2="Program Files (x86)") returned -1 [0116.492] lstrcmpiW (lpString1="hu", lpString2="$Recycle.bin") returned 1 [0116.492] lstrcmpiW (lpString1="hu", lpString2="System Volume Information") returned -1 [0116.492] lstrcmpiW (lpString1="hu", lpString2=".") returned 1 [0116.492] lstrcmpiW (lpString1="hu", lpString2="..") returned 1 [0116.492] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu") returned 143 [0116.492] GetProcessHeap () returned 0x4c0000 [0116.492] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.492] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu" [0116.492] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\*" [0116.492] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.493] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.493] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.493] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.493] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.493] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.493] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.493] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.493] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.493] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.493] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.494] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.494] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.494] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.494] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.494] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264a00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.494] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.494] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.494] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.494] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.494] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.494] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.494] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.494] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\messages.json") returned 157 [0116.494] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.494] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.494] lstrlenW (lpString=".json") returned 5 [0116.494] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.494] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0116.495] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=179) returned 1 [0116.495] CloseHandle (hObject=0x17c) returned 1 [0116.495] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264a00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.495] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.495] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\PUSSY.TXT") returned 153 [0116.495] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0116.495] lstrlenA (lpString="abcd") returned 4 [0116.495] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.497] CloseHandle (hObject=0x1b0) returned 1 [0116.497] GetProcessHeap () returned 0x4c0000 [0116.497] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.497] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="id", cAlternateFileName="")) returned 1 [0116.497] lstrcmpiW (lpString1="id", lpString2="Windows") returned -1 [0116.497] lstrcmpiW (lpString1="id", lpString2="Program Files") returned -1 [0116.497] lstrcmpiW (lpString1="id", lpString2="Program Files (x86)") returned -1 [0116.497] lstrcmpiW (lpString1="id", lpString2="$Recycle.bin") returned 1 [0116.497] lstrcmpiW (lpString1="id", lpString2="System Volume Information") returned -1 [0116.497] lstrcmpiW (lpString1="id", lpString2=".") returned 1 [0116.497] lstrcmpiW (lpString1="id", lpString2="..") returned 1 [0116.497] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id") returned 143 [0116.497] GetProcessHeap () returned 0x4c0000 [0116.497] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.497] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id" [0116.497] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\*" [0116.497] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.498] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.498] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.498] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.498] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.498] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.498] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.498] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.498] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.498] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.498] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.498] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.498] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.498] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.498] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.498] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264a00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.498] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.498] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.498] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.498] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.499] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.499] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.499] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.499] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\messages.json") returned 157 [0116.499] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.499] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.499] lstrlenW (lpString=".json") returned 5 [0116.499] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.499] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0116.499] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=179) returned 1 [0116.499] CloseHandle (hObject=0x17c) returned 1 [0116.499] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264a00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.499] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.500] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\PUSSY.TXT") returned 153 [0116.500] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0116.500] lstrlenA (lpString="abcd") returned 4 [0116.500] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.501] CloseHandle (hObject=0x1b0) returned 1 [0116.501] GetProcessHeap () returned 0x4c0000 [0116.501] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.501] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="it", cAlternateFileName="")) returned 1 [0116.501] lstrcmpiW (lpString1="it", lpString2="Windows") returned -1 [0116.501] lstrcmpiW (lpString1="it", lpString2="Program Files") returned -1 [0116.501] lstrcmpiW (lpString1="it", lpString2="Program Files (x86)") returned -1 [0116.501] lstrcmpiW (lpString1="it", lpString2="$Recycle.bin") returned 1 [0116.502] lstrcmpiW (lpString1="it", lpString2="System Volume Information") returned -1 [0116.502] lstrcmpiW (lpString1="it", lpString2=".") returned 1 [0116.502] lstrcmpiW (lpString1="it", lpString2="..") returned 1 [0116.502] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it") returned 143 [0116.502] GetProcessHeap () returned 0x4c0000 [0116.502] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.502] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it" [0116.502] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\*" [0116.502] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.503] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.503] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.503] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.503] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.503] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.503] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.503] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.503] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.503] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.503] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.503] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.503] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.503] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.503] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.503] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264a00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.504] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.504] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.504] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.504] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.504] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.504] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.504] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.504] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\messages.json") returned 157 [0116.504] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.504] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.504] lstrlenW (lpString=".json") returned 5 [0116.504] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.504] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0116.504] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=179) returned 1 [0116.504] CloseHandle (hObject=0x17c) returned 1 [0116.505] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264a00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.505] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.505] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\PUSSY.TXT") returned 153 [0116.505] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0116.505] lstrlenA (lpString="abcd") returned 4 [0116.505] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.506] CloseHandle (hObject=0x1b0) returned 1 [0116.506] GetProcessHeap () returned 0x4c0000 [0116.507] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.507] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ja", cAlternateFileName="")) returned 1 [0116.507] lstrcmpiW (lpString1="ja", lpString2="Windows") returned -1 [0116.507] lstrcmpiW (lpString1="ja", lpString2="Program Files") returned -1 [0116.507] lstrcmpiW (lpString1="ja", lpString2="Program Files (x86)") returned -1 [0116.507] lstrcmpiW (lpString1="ja", lpString2="$Recycle.bin") returned 1 [0116.507] lstrcmpiW (lpString1="ja", lpString2="System Volume Information") returned -1 [0116.507] lstrcmpiW (lpString1="ja", lpString2=".") returned 1 [0116.507] lstrcmpiW (lpString1="ja", lpString2="..") returned 1 [0116.507] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja") returned 143 [0116.507] GetProcessHeap () returned 0x4c0000 [0116.507] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.507] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja" [0116.507] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\*" [0116.507] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.507] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.507] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.507] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.508] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.508] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.508] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.508] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.508] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.508] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.508] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.508] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.508] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.508] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.508] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.508] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264a00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.508] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.508] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.508] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.508] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.508] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.508] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.508] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.508] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\messages.json") returned 157 [0116.508] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.508] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.508] lstrlenW (lpString=".json") returned 5 [0116.508] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.509] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0116.509] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=179) returned 1 [0116.509] CloseHandle (hObject=0x17c) returned 1 [0116.509] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264a00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.509] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.509] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\PUSSY.TXT") returned 153 [0116.509] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0116.510] lstrlenA (lpString="abcd") returned 4 [0116.510] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.511] CloseHandle (hObject=0x1b0) returned 1 [0116.511] GetProcessHeap () returned 0x4c0000 [0116.511] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.511] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ko", cAlternateFileName="")) returned 1 [0116.511] lstrcmpiW (lpString1="ko", lpString2="Windows") returned -1 [0116.511] lstrcmpiW (lpString1="ko", lpString2="Program Files") returned -1 [0116.511] lstrcmpiW (lpString1="ko", lpString2="Program Files (x86)") returned -1 [0116.511] lstrcmpiW (lpString1="ko", lpString2="$Recycle.bin") returned 1 [0116.511] lstrcmpiW (lpString1="ko", lpString2="System Volume Information") returned -1 [0116.511] lstrcmpiW (lpString1="ko", lpString2=".") returned 1 [0116.511] lstrcmpiW (lpString1="ko", lpString2="..") returned 1 [0116.511] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko") returned 143 [0116.511] GetProcessHeap () returned 0x4c0000 [0116.511] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.511] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko" [0116.512] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\*" [0116.512] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.513] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.513] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.513] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.513] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.513] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.513] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.513] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.514] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.514] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.514] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.514] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.514] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.514] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.514] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.514] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264a00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.514] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.514] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.514] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.514] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.514] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.514] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.514] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.514] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\messages.json") returned 157 [0116.514] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.514] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.514] lstrlenW (lpString=".json") returned 5 [0116.514] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.514] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0116.515] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=179) returned 1 [0116.515] CloseHandle (hObject=0x17c) returned 1 [0116.515] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264a00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.515] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.515] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\PUSSY.TXT") returned 153 [0116.515] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0116.516] lstrlenA (lpString="abcd") returned 4 [0116.516] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.517] CloseHandle (hObject=0x1b0) returned 1 [0116.517] GetProcessHeap () returned 0x4c0000 [0116.517] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.517] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8528a390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8528a390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="lt", cAlternateFileName="")) returned 1 [0116.517] lstrcmpiW (lpString1="lt", lpString2="Windows") returned -1 [0116.517] lstrcmpiW (lpString1="lt", lpString2="Program Files") returned -1 [0116.517] lstrcmpiW (lpString1="lt", lpString2="Program Files (x86)") returned -1 [0116.517] lstrcmpiW (lpString1="lt", lpString2="$Recycle.bin") returned 1 [0116.517] lstrcmpiW (lpString1="lt", lpString2="System Volume Information") returned -1 [0116.517] lstrcmpiW (lpString1="lt", lpString2=".") returned 1 [0116.517] lstrcmpiW (lpString1="lt", lpString2="..") returned 1 [0116.517] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt") returned 143 [0116.517] GetProcessHeap () returned 0x4c0000 [0116.517] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.518] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt" [0116.518] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\*" [0116.518] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8528a390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8528a390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.518] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.518] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.518] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.518] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.518] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.518] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.518] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8528a390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8528a390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.518] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.518] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.518] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.518] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.518] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.518] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.518] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.518] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852893f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.518] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.519] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.519] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.519] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.519] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.519] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.519] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.519] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\messages.json") returned 157 [0116.519] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.519] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.519] lstrlenW (lpString=".json") returned 5 [0116.519] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.519] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0116.519] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=179) returned 1 [0116.519] CloseHandle (hObject=0x17c) returned 1 [0116.520] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852893f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.520] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.520] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\PUSSY.TXT") returned 153 [0116.520] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0116.520] lstrlenA (lpString="abcd") returned 4 [0116.520] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.522] CloseHandle (hObject=0x1b0) returned 1 [0116.522] GetProcessHeap () returned 0x4c0000 [0116.522] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.522] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8528a390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8528a390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="lv", cAlternateFileName="")) returned 1 [0116.522] lstrcmpiW (lpString1="lv", lpString2="Windows") returned -1 [0116.522] lstrcmpiW (lpString1="lv", lpString2="Program Files") returned -1 [0116.522] lstrcmpiW (lpString1="lv", lpString2="Program Files (x86)") returned -1 [0116.522] lstrcmpiW (lpString1="lv", lpString2="$Recycle.bin") returned 1 [0116.522] lstrcmpiW (lpString1="lv", lpString2="System Volume Information") returned -1 [0116.522] lstrcmpiW (lpString1="lv", lpString2=".") returned 1 [0116.522] lstrcmpiW (lpString1="lv", lpString2="..") returned 1 [0116.522] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv") returned 143 [0116.522] GetProcessHeap () returned 0x4c0000 [0116.522] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.522] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv" [0116.522] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\*" [0116.522] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8528a390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8528a390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.523] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.524] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.524] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.524] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.524] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.524] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.524] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8528a390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8528a390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.524] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.524] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.524] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.524] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.524] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.524] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.524] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.524] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852893f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.524] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.524] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.524] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.524] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.524] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.524] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.524] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.524] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\messages.json") returned 157 [0116.525] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.525] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.525] lstrlenW (lpString=".json") returned 5 [0116.525] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.525] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0116.525] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=179) returned 1 [0116.525] CloseHandle (hObject=0x17c) returned 1 [0116.525] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852893f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.525] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.525] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\PUSSY.TXT") returned 153 [0116.525] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0116.526] lstrlenA (lpString="abcd") returned 4 [0116.526] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.527] CloseHandle (hObject=0x1b0) returned 1 [0116.527] GetProcessHeap () returned 0x4c0000 [0116.527] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.527] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8528a390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8528a390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="nl", cAlternateFileName="")) returned 1 [0116.527] lstrcmpiW (lpString1="nl", lpString2="Windows") returned -1 [0116.527] lstrcmpiW (lpString1="nl", lpString2="Program Files") returned -1 [0116.527] lstrcmpiW (lpString1="nl", lpString2="Program Files (x86)") returned -1 [0116.527] lstrcmpiW (lpString1="nl", lpString2="$Recycle.bin") returned 1 [0116.527] lstrcmpiW (lpString1="nl", lpString2="System Volume Information") returned -1 [0116.528] lstrcmpiW (lpString1="nl", lpString2=".") returned 1 [0116.528] lstrcmpiW (lpString1="nl", lpString2="..") returned 1 [0116.528] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl") returned 143 [0116.528] GetProcessHeap () returned 0x4c0000 [0116.528] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.528] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl" [0116.528] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\*" [0116.528] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8528a390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8528a390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.528] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.528] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.528] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.528] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.528] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.528] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.528] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8528a390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8528a390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.528] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.529] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.529] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.529] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.529] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.529] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.529] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.529] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852893f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.529] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.529] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.529] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.529] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.529] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.529] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.529] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.529] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\messages.json") returned 157 [0116.529] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.529] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.529] lstrlenW (lpString=".json") returned 5 [0116.529] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.529] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0116.530] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=179) returned 1 [0116.530] CloseHandle (hObject=0x17c) returned 1 [0116.530] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852893f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.530] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.530] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\PUSSY.TXT") returned 153 [0116.530] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0116.531] lstrlenA (lpString="abcd") returned 4 [0116.531] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.532] CloseHandle (hObject=0x1b0) returned 1 [0116.532] GetProcessHeap () returned 0x4c0000 [0116.532] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.532] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8528a390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8528a390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="no", cAlternateFileName="")) returned 1 [0116.532] lstrcmpiW (lpString1="no", lpString2="Windows") returned -1 [0116.532] lstrcmpiW (lpString1="no", lpString2="Program Files") returned -1 [0116.532] lstrcmpiW (lpString1="no", lpString2="Program Files (x86)") returned -1 [0116.532] lstrcmpiW (lpString1="no", lpString2="$Recycle.bin") returned 1 [0116.532] lstrcmpiW (lpString1="no", lpString2="System Volume Information") returned -1 [0116.532] lstrcmpiW (lpString1="no", lpString2=".") returned 1 [0116.532] lstrcmpiW (lpString1="no", lpString2="..") returned 1 [0116.532] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no") returned 143 [0116.532] GetProcessHeap () returned 0x4c0000 [0116.532] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.532] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no" [0116.532] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\*" [0116.532] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8528a390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8528a390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.533] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.533] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.533] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.533] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.534] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.534] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.534] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8528a390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8528a390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.534] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.534] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.534] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.534] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.534] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.534] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.534] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.534] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852893f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x9c12fb00, ftLastWriteTime.dwHighDateTime=0x1d0f3ee, nFileSizeHigh=0x0, nFileSizeLow=0x9f, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.534] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.534] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.534] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.534] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.534] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.534] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.534] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.534] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\messages.json") returned 157 [0116.534] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.534] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.534] lstrlenW (lpString=".json") returned 5 [0116.534] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.534] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0116.535] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=159) returned 1 [0116.535] CloseHandle (hObject=0x17c) returned 1 [0116.535] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852893f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x9c12fb00, ftLastWriteTime.dwHighDateTime=0x1d0f3ee, nFileSizeHigh=0x0, nFileSizeLow=0x9f, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.535] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.535] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\PUSSY.TXT") returned 153 [0116.535] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0116.536] lstrlenA (lpString="abcd") returned 4 [0116.536] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.537] CloseHandle (hObject=0x1b0) returned 1 [0116.537] GetProcessHeap () returned 0x4c0000 [0116.537] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.537] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8528a390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8528a390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="pl", cAlternateFileName="")) returned 1 [0116.537] lstrcmpiW (lpString1="pl", lpString2="Windows") returned -1 [0116.537] lstrcmpiW (lpString1="pl", lpString2="Program Files") returned -1 [0116.537] lstrcmpiW (lpString1="pl", lpString2="Program Files (x86)") returned -1 [0116.537] lstrcmpiW (lpString1="pl", lpString2="$Recycle.bin") returned 1 [0116.537] lstrcmpiW (lpString1="pl", lpString2="System Volume Information") returned -1 [0116.537] lstrcmpiW (lpString1="pl", lpString2=".") returned 1 [0116.537] lstrcmpiW (lpString1="pl", lpString2="..") returned 1 [0116.537] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl") returned 143 [0116.537] GetProcessHeap () returned 0x4c0000 [0116.537] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.537] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl" [0116.538] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\*" [0116.538] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8528a390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8528a390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.538] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.538] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.538] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.538] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.538] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.538] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.538] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8528a390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8528a390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.538] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.538] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.538] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.538] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.538] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.538] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.538] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.538] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852893f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.539] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.539] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.539] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.539] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.539] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.539] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.539] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.539] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\messages.json") returned 157 [0116.539] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.539] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.539] lstrlenW (lpString=".json") returned 5 [0116.539] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.539] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0116.539] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=179) returned 1 [0116.539] CloseHandle (hObject=0x17c) returned 1 [0116.539] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852893f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.540] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.540] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\PUSSY.TXT") returned 153 [0116.540] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0116.540] lstrlenA (lpString="abcd") returned 4 [0116.540] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.541] CloseHandle (hObject=0x1b0) returned 1 [0116.541] GetProcessHeap () returned 0x4c0000 [0116.541] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.541] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="pt_BR", cAlternateFileName="")) returned 1 [0116.541] lstrcmpiW (lpString1="pt_BR", lpString2="Windows") returned -1 [0116.542] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files") returned 1 [0116.542] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files (x86)") returned 1 [0116.542] lstrcmpiW (lpString1="pt_BR", lpString2="$Recycle.bin") returned 1 [0116.542] lstrcmpiW (lpString1="pt_BR", lpString2="System Volume Information") returned -1 [0116.542] lstrcmpiW (lpString1="pt_BR", lpString2=".") returned 1 [0116.542] lstrcmpiW (lpString1="pt_BR", lpString2="..") returned 1 [0116.542] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR") returned 146 [0116.542] GetProcessHeap () returned 0x4c0000 [0116.542] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.542] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR" [0116.542] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR\\*" [0116.542] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.543] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.543] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.543] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.543] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.543] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.543] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.543] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.543] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.543] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.543] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.543] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.543] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.544] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.544] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.544] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.544] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.544] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.544] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.544] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.544] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.544] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.544] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.544] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR\\messages.json") returned 160 [0116.544] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.544] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.544] lstrlenW (lpString=".json") returned 5 [0116.544] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.544] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_br\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0116.544] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=179) returned 1 [0116.545] CloseHandle (hObject=0x17c) returned 1 [0116.545] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.545] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.545] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR\\PUSSY.TXT") returned 156 [0116.545] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_br\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0116.545] lstrlenA (lpString="abcd") returned 4 [0116.545] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.547] CloseHandle (hObject=0x1b0) returned 1 [0116.547] GetProcessHeap () returned 0x4c0000 [0116.547] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.547] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="pt_PT", cAlternateFileName="")) returned 1 [0116.547] lstrcmpiW (lpString1="pt_PT", lpString2="Windows") returned -1 [0116.547] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files") returned 1 [0116.547] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files (x86)") returned 1 [0116.547] lstrcmpiW (lpString1="pt_PT", lpString2="$Recycle.bin") returned 1 [0116.547] lstrcmpiW (lpString1="pt_PT", lpString2="System Volume Information") returned -1 [0116.547] lstrcmpiW (lpString1="pt_PT", lpString2=".") returned 1 [0116.547] lstrcmpiW (lpString1="pt_PT", lpString2="..") returned 1 [0116.547] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT") returned 146 [0116.547] GetProcessHeap () returned 0x4c0000 [0116.547] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.547] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT" [0116.547] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT\\*" [0116.547] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.549] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.549] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.549] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.549] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.549] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.549] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.549] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.549] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.549] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.549] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.549] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.549] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.549] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.549] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.549] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.549] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.549] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.549] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.549] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.549] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.550] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.550] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.550] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT\\messages.json") returned 160 [0116.550] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.550] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.550] lstrlenW (lpString=".json") returned 5 [0116.550] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.550] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_pt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0116.550] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=179) returned 1 [0116.550] CloseHandle (hObject=0x17c) returned 1 [0116.550] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.550] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.551] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT\\PUSSY.TXT") returned 156 [0116.551] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_pt\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0116.551] lstrlenA (lpString="abcd") returned 4 [0116.551] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.552] CloseHandle (hObject=0x1b0) returned 1 [0116.552] GetProcessHeap () returned 0x4c0000 [0116.552] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.552] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ro", cAlternateFileName="")) returned 1 [0116.552] lstrcmpiW (lpString1="ro", lpString2="Windows") returned -1 [0116.552] lstrcmpiW (lpString1="ro", lpString2="Program Files") returned 1 [0116.552] lstrcmpiW (lpString1="ro", lpString2="Program Files (x86)") returned 1 [0116.553] lstrcmpiW (lpString1="ro", lpString2="$Recycle.bin") returned 1 [0116.553] lstrcmpiW (lpString1="ro", lpString2="System Volume Information") returned -1 [0116.553] lstrcmpiW (lpString1="ro", lpString2=".") returned 1 [0116.553] lstrcmpiW (lpString1="ro", lpString2="..") returned 1 [0116.553] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro") returned 143 [0116.553] GetProcessHeap () returned 0x4c0000 [0116.553] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.553] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro" [0116.553] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\*" [0116.553] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.571] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.571] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.571] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.571] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.571] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.571] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.571] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.571] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.572] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.572] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.572] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.572] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.572] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.572] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.572] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.572] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.572] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.572] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.572] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.572] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.572] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.572] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.572] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\messages.json") returned 157 [0116.572] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.572] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.572] lstrlenW (lpString=".json") returned 5 [0116.572] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.572] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0116.573] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=179) returned 1 [0116.573] CloseHandle (hObject=0x17c) returned 1 [0116.573] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.573] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.573] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\PUSSY.TXT") returned 153 [0116.573] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0116.574] lstrlenA (lpString="abcd") returned 4 [0116.574] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.575] CloseHandle (hObject=0x1b0) returned 1 [0116.575] GetProcessHeap () returned 0x4c0000 [0116.575] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.575] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ru", cAlternateFileName="")) returned 1 [0116.575] lstrcmpiW (lpString1="ru", lpString2="Windows") returned -1 [0116.575] lstrcmpiW (lpString1="ru", lpString2="Program Files") returned 1 [0116.575] lstrcmpiW (lpString1="ru", lpString2="Program Files (x86)") returned 1 [0116.575] lstrcmpiW (lpString1="ru", lpString2="$Recycle.bin") returned 1 [0116.575] lstrcmpiW (lpString1="ru", lpString2="System Volume Information") returned -1 [0116.575] lstrcmpiW (lpString1="ru", lpString2=".") returned 1 [0116.576] lstrcmpiW (lpString1="ru", lpString2="..") returned 1 [0116.576] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru") returned 143 [0116.576] GetProcessHeap () returned 0x4c0000 [0116.576] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.576] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru" [0116.576] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\*" [0116.576] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.576] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.576] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.576] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.576] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.576] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.576] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.576] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.576] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.576] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.577] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.577] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.577] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.577] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.577] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.577] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.577] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.577] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.577] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.577] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.577] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.577] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.577] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.577] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\messages.json") returned 157 [0116.577] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.577] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.577] lstrlenW (lpString=".json") returned 5 [0116.577] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.577] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0116.578] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=179) returned 1 [0116.578] CloseHandle (hObject=0x17c) returned 1 [0116.578] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.578] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.578] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\PUSSY.TXT") returned 153 [0116.578] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0116.578] lstrlenA (lpString="abcd") returned 4 [0116.578] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.580] CloseHandle (hObject=0x1b0) returned 1 [0116.580] GetProcessHeap () returned 0x4c0000 [0116.580] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.580] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="sk", cAlternateFileName="")) returned 1 [0116.580] lstrcmpiW (lpString1="sk", lpString2="Windows") returned -1 [0116.580] lstrcmpiW (lpString1="sk", lpString2="Program Files") returned 1 [0116.580] lstrcmpiW (lpString1="sk", lpString2="Program Files (x86)") returned 1 [0116.580] lstrcmpiW (lpString1="sk", lpString2="$Recycle.bin") returned 1 [0116.580] lstrcmpiW (lpString1="sk", lpString2="System Volume Information") returned -1 [0116.580] lstrcmpiW (lpString1="sk", lpString2=".") returned 1 [0116.580] lstrcmpiW (lpString1="sk", lpString2="..") returned 1 [0116.580] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk") returned 143 [0116.580] GetProcessHeap () returned 0x4c0000 [0116.580] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.580] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk" [0116.581] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\*" [0116.581] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.582] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.582] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.582] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.582] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.582] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.582] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.582] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.582] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.582] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.582] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.582] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.582] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.582] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.582] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.582] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.582] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.582] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.582] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.582] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.582] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.582] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.582] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.583] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\messages.json") returned 157 [0116.583] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.583] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.583] lstrlenW (lpString=".json") returned 5 [0116.583] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.583] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0116.583] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=179) returned 1 [0116.583] CloseHandle (hObject=0x17c) returned 1 [0116.583] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.583] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.583] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\PUSSY.TXT") returned 153 [0116.583] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0116.584] lstrlenA (lpString="abcd") returned 4 [0116.584] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.585] CloseHandle (hObject=0x1b0) returned 1 [0116.585] GetProcessHeap () returned 0x4c0000 [0116.585] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.585] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="sl", cAlternateFileName="")) returned 1 [0116.585] lstrcmpiW (lpString1="sl", lpString2="Windows") returned -1 [0116.585] lstrcmpiW (lpString1="sl", lpString2="Program Files") returned 1 [0116.585] lstrcmpiW (lpString1="sl", lpString2="Program Files (x86)") returned 1 [0116.585] lstrcmpiW (lpString1="sl", lpString2="$Recycle.bin") returned 1 [0116.585] lstrcmpiW (lpString1="sl", lpString2="System Volume Information") returned -1 [0116.586] lstrcmpiW (lpString1="sl", lpString2=".") returned 1 [0116.586] lstrcmpiW (lpString1="sl", lpString2="..") returned 1 [0116.586] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl") returned 143 [0116.586] GetProcessHeap () returned 0x4c0000 [0116.586] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.586] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl" [0116.586] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\*" [0116.586] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.586] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.586] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.586] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.586] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.586] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.586] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.586] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.586] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.586] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.586] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.586] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.586] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.587] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.587] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.587] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.587] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.587] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.587] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.587] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.587] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.587] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.587] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.587] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\messages.json") returned 157 [0116.587] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.587] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.587] lstrlenW (lpString=".json") returned 5 [0116.587] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.587] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0116.588] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=179) returned 1 [0116.588] CloseHandle (hObject=0x17c) returned 1 [0116.588] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.588] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.588] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\PUSSY.TXT") returned 153 [0116.588] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0116.588] lstrlenA (lpString="abcd") returned 4 [0116.588] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.589] CloseHandle (hObject=0x1b0) returned 1 [0116.590] GetProcessHeap () returned 0x4c0000 [0116.590] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.590] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="sr", cAlternateFileName="")) returned 1 [0116.590] lstrcmpiW (lpString1="sr", lpString2="Windows") returned -1 [0116.590] lstrcmpiW (lpString1="sr", lpString2="Program Files") returned 1 [0116.590] lstrcmpiW (lpString1="sr", lpString2="Program Files (x86)") returned 1 [0116.590] lstrcmpiW (lpString1="sr", lpString2="$Recycle.bin") returned 1 [0116.590] lstrcmpiW (lpString1="sr", lpString2="System Volume Information") returned -1 [0116.590] lstrcmpiW (lpString1="sr", lpString2=".") returned 1 [0116.590] lstrcmpiW (lpString1="sr", lpString2="..") returned 1 [0116.590] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr") returned 143 [0116.590] GetProcessHeap () returned 0x4c0000 [0116.590] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.590] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr" [0116.590] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\*" [0116.590] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.591] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.591] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.591] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.591] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.591] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.591] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.591] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.592] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.592] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.592] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.592] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.592] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.592] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.592] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.592] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d75f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.592] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.592] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.592] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.592] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.592] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.592] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.592] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.592] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\messages.json") returned 157 [0116.592] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.592] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.592] lstrlenW (lpString=".json") returned 5 [0116.592] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.592] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0116.593] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=179) returned 1 [0116.593] CloseHandle (hObject=0x17c) returned 1 [0116.593] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d75f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.593] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.593] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\PUSSY.TXT") returned 153 [0116.593] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0116.593] lstrlenA (lpString="abcd") returned 4 [0116.594] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.595] CloseHandle (hObject=0x1b0) returned 1 [0116.595] GetProcessHeap () returned 0x4c0000 [0116.595] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.595] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="sv", cAlternateFileName="")) returned 1 [0116.595] lstrcmpiW (lpString1="sv", lpString2="Windows") returned -1 [0116.595] lstrcmpiW (lpString1="sv", lpString2="Program Files") returned 1 [0116.595] lstrcmpiW (lpString1="sv", lpString2="Program Files (x86)") returned 1 [0116.595] lstrcmpiW (lpString1="sv", lpString2="$Recycle.bin") returned 1 [0116.595] lstrcmpiW (lpString1="sv", lpString2="System Volume Information") returned -1 [0116.595] lstrcmpiW (lpString1="sv", lpString2=".") returned 1 [0116.595] lstrcmpiW (lpString1="sv", lpString2="..") returned 1 [0116.595] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv") returned 143 [0116.595] GetProcessHeap () returned 0x4c0000 [0116.595] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.595] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv" [0116.595] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\*" [0116.595] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.596] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.596] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.596] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.596] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.596] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.596] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.596] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.596] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.596] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.596] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.596] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.596] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.596] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.596] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.596] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d75f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.596] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.596] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.596] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.596] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.596] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.597] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.597] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.597] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\messages.json") returned 157 [0116.597] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.597] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.597] lstrlenW (lpString=".json") returned 5 [0116.597] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.597] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0116.597] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=179) returned 1 [0116.597] CloseHandle (hObject=0x17c) returned 1 [0116.597] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d75f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.597] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.597] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\PUSSY.TXT") returned 153 [0116.597] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0116.598] lstrlenA (lpString="abcd") returned 4 [0116.598] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.599] CloseHandle (hObject=0x1b0) returned 1 [0116.599] GetProcessHeap () returned 0x4c0000 [0116.599] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.599] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="th", cAlternateFileName="")) returned 1 [0116.599] lstrcmpiW (lpString1="th", lpString2="Windows") returned -1 [0116.599] lstrcmpiW (lpString1="th", lpString2="Program Files") returned 1 [0116.599] lstrcmpiW (lpString1="th", lpString2="Program Files (x86)") returned 1 [0116.599] lstrcmpiW (lpString1="th", lpString2="$Recycle.bin") returned 1 [0116.599] lstrcmpiW (lpString1="th", lpString2="System Volume Information") returned 1 [0116.599] lstrcmpiW (lpString1="th", lpString2=".") returned 1 [0116.600] lstrcmpiW (lpString1="th", lpString2="..") returned 1 [0116.600] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th") returned 143 [0116.600] GetProcessHeap () returned 0x4c0000 [0116.600] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.600] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th" [0116.600] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\*" [0116.600] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.601] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.601] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.601] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.601] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.601] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.601] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.601] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.601] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.601] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.601] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.601] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.601] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.601] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.601] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.601] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d75f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.601] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.601] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.601] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.602] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.602] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.602] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.602] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.602] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\messages.json") returned 157 [0116.602] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.602] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.602] lstrlenW (lpString=".json") returned 5 [0116.602] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.602] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0116.602] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=179) returned 1 [0116.602] CloseHandle (hObject=0x17c) returned 1 [0116.602] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d75f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.603] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.603] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\PUSSY.TXT") returned 153 [0116.603] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0116.603] lstrlenA (lpString="abcd") returned 4 [0116.603] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.604] CloseHandle (hObject=0x1b0) returned 1 [0116.604] GetProcessHeap () returned 0x4c0000 [0116.604] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.604] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="tr", cAlternateFileName="")) returned 1 [0116.604] lstrcmpiW (lpString1="tr", lpString2="Windows") returned -1 [0116.605] lstrcmpiW (lpString1="tr", lpString2="Program Files") returned 1 [0116.605] lstrcmpiW (lpString1="tr", lpString2="Program Files (x86)") returned 1 [0116.605] lstrcmpiW (lpString1="tr", lpString2="$Recycle.bin") returned 1 [0116.605] lstrcmpiW (lpString1="tr", lpString2="System Volume Information") returned 1 [0116.605] lstrcmpiW (lpString1="tr", lpString2=".") returned 1 [0116.605] lstrcmpiW (lpString1="tr", lpString2="..") returned 1 [0116.605] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr") returned 143 [0116.605] GetProcessHeap () returned 0x4c0000 [0116.605] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.605] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr" [0116.605] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\*" [0116.605] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.605] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.605] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.605] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.605] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.605] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.605] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.605] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.605] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.606] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.606] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.606] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.606] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.606] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.606] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.606] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d75f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.606] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.606] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.606] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.606] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.606] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.606] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.606] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.606] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\messages.json") returned 157 [0116.606] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.606] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.606] lstrlenW (lpString=".json") returned 5 [0116.606] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.606] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0116.607] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=179) returned 1 [0116.607] CloseHandle (hObject=0x17c) returned 1 [0116.607] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d75f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.607] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.608] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\PUSSY.TXT") returned 153 [0116.608] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0116.611] lstrlenA (lpString="abcd") returned 4 [0116.611] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.612] CloseHandle (hObject=0x1b0) returned 1 [0116.612] GetProcessHeap () returned 0x4c0000 [0116.612] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.612] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="uk", cAlternateFileName="")) returned 1 [0116.612] lstrcmpiW (lpString1="uk", lpString2="Windows") returned -1 [0116.612] lstrcmpiW (lpString1="uk", lpString2="Program Files") returned 1 [0116.612] lstrcmpiW (lpString1="uk", lpString2="Program Files (x86)") returned 1 [0116.612] lstrcmpiW (lpString1="uk", lpString2="$Recycle.bin") returned 1 [0116.612] lstrcmpiW (lpString1="uk", lpString2="System Volume Information") returned 1 [0116.612] lstrcmpiW (lpString1="uk", lpString2=".") returned 1 [0116.612] lstrcmpiW (lpString1="uk", lpString2="..") returned 1 [0116.612] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk") returned 143 [0116.612] GetProcessHeap () returned 0x4c0000 [0116.612] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.612] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk" [0116.612] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\*" [0116.612] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.614] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.614] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.614] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.614] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.614] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.614] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.614] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.614] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.614] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.614] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.614] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.614] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.614] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.614] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.614] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d75f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.615] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.615] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.615] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.615] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.615] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.615] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.615] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.615] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\messages.json") returned 157 [0116.615] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.615] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.615] lstrlenW (lpString=".json") returned 5 [0116.615] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.615] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0116.616] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=179) returned 1 [0116.616] CloseHandle (hObject=0x17c) returned 1 [0116.616] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d75f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.616] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.616] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\PUSSY.TXT") returned 153 [0116.616] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0116.619] lstrlenA (lpString="abcd") returned 4 [0116.620] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.621] CloseHandle (hObject=0x1b0) returned 1 [0116.621] GetProcessHeap () returned 0x4c0000 [0116.621] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.621] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="vi", cAlternateFileName="")) returned 1 [0116.621] lstrcmpiW (lpString1="vi", lpString2="Windows") returned -1 [0116.621] lstrcmpiW (lpString1="vi", lpString2="Program Files") returned 1 [0116.621] lstrcmpiW (lpString1="vi", lpString2="Program Files (x86)") returned 1 [0116.621] lstrcmpiW (lpString1="vi", lpString2="$Recycle.bin") returned 1 [0116.621] lstrcmpiW (lpString1="vi", lpString2="System Volume Information") returned 1 [0116.621] lstrcmpiW (lpString1="vi", lpString2=".") returned 1 [0116.621] lstrcmpiW (lpString1="vi", lpString2="..") returned 1 [0116.621] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi") returned 143 [0116.621] GetProcessHeap () returned 0x4c0000 [0116.621] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.621] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi" [0116.621] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\*" [0116.621] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.622] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.622] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.622] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.622] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.622] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.622] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.622] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.622] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.622] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.622] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.622] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.622] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.622] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.622] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.622] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d75f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.622] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.622] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.622] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.622] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.623] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.623] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.623] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.623] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\messages.json") returned 157 [0116.623] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.623] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.623] lstrlenW (lpString=".json") returned 5 [0116.623] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.623] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0116.624] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=179) returned 1 [0116.624] CloseHandle (hObject=0x17c) returned 1 [0116.624] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d75f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.624] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.624] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\PUSSY.TXT") returned 153 [0116.624] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0116.625] lstrlenA (lpString="abcd") returned 4 [0116.625] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.626] CloseHandle (hObject=0x1b0) returned 1 [0116.626] GetProcessHeap () returned 0x4c0000 [0116.626] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.626] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85348a70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85348a70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="zh_CN", cAlternateFileName="")) returned 1 [0116.626] lstrcmpiW (lpString1="zh_CN", lpString2="Windows") returned 1 [0116.626] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files") returned 1 [0116.626] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files (x86)") returned 1 [0116.626] lstrcmpiW (lpString1="zh_CN", lpString2="$Recycle.bin") returned 1 [0116.626] lstrcmpiW (lpString1="zh_CN", lpString2="System Volume Information") returned 1 [0116.626] lstrcmpiW (lpString1="zh_CN", lpString2=".") returned 1 [0116.626] lstrcmpiW (lpString1="zh_CN", lpString2="..") returned 1 [0116.626] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN") returned 146 [0116.626] GetProcessHeap () returned 0x4c0000 [0116.626] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.626] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN" [0116.626] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN\\*" [0116.626] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85348a70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85348a70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.627] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.627] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.627] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.627] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.627] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.628] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.628] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85348a70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85348a70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.628] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.628] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.628] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.628] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.628] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.628] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.628] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.628] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85347ad0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.628] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.628] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.628] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.628] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.628] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.628] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.628] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.628] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN\\messages.json") returned 160 [0116.628] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.628] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.628] lstrlenW (lpString=".json") returned 5 [0116.628] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.628] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_cn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0116.629] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=179) returned 1 [0116.629] CloseHandle (hObject=0x17c) returned 1 [0116.629] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85347ad0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.629] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.629] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN\\PUSSY.TXT") returned 156 [0116.629] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_cn\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0116.630] lstrlenA (lpString="abcd") returned 4 [0116.630] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.631] CloseHandle (hObject=0x1b0) returned 1 [0116.631] GetProcessHeap () returned 0x4c0000 [0116.631] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.631] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85348a70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85348a70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="zh_TW", cAlternateFileName="")) returned 1 [0116.631] lstrcmpiW (lpString1="zh_TW", lpString2="Windows") returned 1 [0116.631] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files") returned 1 [0116.631] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files (x86)") returned 1 [0116.631] lstrcmpiW (lpString1="zh_TW", lpString2="$Recycle.bin") returned 1 [0116.631] lstrcmpiW (lpString1="zh_TW", lpString2="System Volume Information") returned 1 [0116.631] lstrcmpiW (lpString1="zh_TW", lpString2=".") returned 1 [0116.631] lstrcmpiW (lpString1="zh_TW", lpString2="..") returned 1 [0116.631] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW") returned 146 [0116.631] GetProcessHeap () returned 0x4c0000 [0116.631] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.631] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW" [0116.631] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW\\*" [0116.632] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85348a70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85348a70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.632] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.632] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.632] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.632] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.632] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.632] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.632] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85348a70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85348a70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.632] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.632] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.632] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.632] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.632] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.632] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.632] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.632] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85347ad0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.632] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.632] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.633] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.633] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.633] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.633] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.633] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.633] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW\\messages.json") returned 160 [0116.633] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.633] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.633] lstrlenW (lpString=".json") returned 5 [0116.633] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.633] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_tw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0116.633] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=179) returned 1 [0116.633] CloseHandle (hObject=0x17c) returned 1 [0116.633] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85347ad0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.634] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.634] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW\\PUSSY.TXT") returned 156 [0116.634] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_tw\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0116.634] lstrlenA (lpString="abcd") returned 4 [0116.634] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.635] CloseHandle (hObject=0x1b0) returned 1 [0116.635] GetProcessHeap () returned 0x4c0000 [0116.635] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.635] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85348a70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85348a70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="zh_TW", cAlternateFileName="")) returned 0 [0116.635] FindClose (in: hFindFile=0x3bb71e0 | out: hFindFile=0x3bb71e0) returned 1 [0116.636] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\PUSSY.TXT") returned 150 [0116.636] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0116.636] lstrlenA (lpString="abcd") returned 4 [0116.636] WriteFile (in: hFile=0x1ac, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2899ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x2899ac*=0x4, lpOverlapped=0x0) returned 1 [0116.637] CloseHandle (hObject=0x1ac) returned 1 [0116.637] GetProcessHeap () returned 0x4c0000 [0116.637] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0116.644] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85348a70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85348a70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="_metadata", cAlternateFileName="_METAD~1")) returned 1 [0116.644] lstrcmpiW (lpString1="_metadata", lpString2="Windows") returned -1 [0116.644] lstrcmpiW (lpString1="_metadata", lpString2="Program Files") returned -1 [0116.644] lstrcmpiW (lpString1="_metadata", lpString2="Program Files (x86)") returned -1 [0116.644] lstrcmpiW (lpString1="_metadata", lpString2="$Recycle.bin") returned 1 [0116.644] lstrcmpiW (lpString1="_metadata", lpString2="System Volume Information") returned -1 [0116.644] lstrcmpiW (lpString1="_metadata", lpString2=".") returned 1 [0116.644] lstrcmpiW (lpString1="_metadata", lpString2="..") returned 1 [0116.644] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata") returned 141 [0116.644] GetProcessHeap () returned 0x4c0000 [0116.644] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0116.645] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata" [0116.645] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\*" [0116.645] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\*", lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85348a70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85348a70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb71e0 [0116.645] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.645] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.645] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.646] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.646] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.646] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.646] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85348a70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85348a70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0116.646] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.646] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.646] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.646] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.646] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.646] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.646] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.646] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85347ad0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x628aed00, ftLastWriteTime.dwHighDateTime=0x1d0f5b2, nFileSizeHigh=0x0, nFileSizeLow=0x2769, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="verified_contents.json", cAlternateFileName="VERIFI~1.JSO")) returned 1 [0116.646] lstrcmpiW (lpString1="verified_contents.json", lpString2="Windows") returned -1 [0116.646] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files") returned 1 [0116.646] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files (x86)") returned 1 [0116.646] lstrcmpiW (lpString1="verified_contents.json", lpString2="$Recycle.bin") returned 1 [0116.646] lstrcmpiW (lpString1="verified_contents.json", lpString2="System Volume Information") returned 1 [0116.647] lstrcmpiW (lpString1="verified_contents.json", lpString2=".") returned 1 [0116.647] lstrcmpiW (lpString1="verified_contents.json", lpString2="..") returned 1 [0116.647] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\verified_contents.json") returned 164 [0116.647] lstrcmpW (lpString1="verified_contents.json", lpString2="PUSSY.TXT") returned 1 [0116.647] PathFindExtensionW (pszPath="verified_contents.json") returned=".json" [0116.647] lstrlenW (lpString=".json") returned 5 [0116.647] SystemFunction036 (in: RandomBuffer=0x289644, RandomBufferLength=0x20 | out: RandomBuffer=0x289644) returned 1 [0116.647] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\verified_contents.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0116.647] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x289638 | out: lpFileSize=0x289638*=10089) returned 1 [0116.647] GetProcessHeap () returned 0x4c0000 [0116.648] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3ca0008 [0116.663] wsprintfW (in: param_1=0x289686, param_2="%02X" | out: param_1="2C") returned 2 [0116.663] wsprintfW (in: param_1=0x28968a, param_2="%02X" | out: param_1="B6") returned 2 [0116.663] wsprintfW (in: param_1=0x28968e, param_2="%02X" | out: param_1="DE") returned 2 [0116.663] wsprintfW (in: param_1=0x289692, param_2="%02X" | out: param_1="B8") returned 2 [0116.663] wsprintfW (in: param_1=0x289696, param_2="%02X" | out: param_1="69") returned 2 [0116.663] wsprintfW (in: param_1=0x28969a, param_2="%02X" | out: param_1="25") returned 2 [0116.663] wsprintfW (in: param_1=0x28969e, param_2="%02X" | out: param_1="B3") returned 2 [0116.663] wsprintfW (in: param_1=0x2896a2, param_2="%02X" | out: param_1="4B") returned 2 [0116.663] wsprintfW (in: param_1=0x2896a6, param_2="%02X" | out: param_1="AD") returned 2 [0116.663] wsprintfW (in: param_1=0x2896aa, param_2="%02X" | out: param_1="2D") returned 2 [0116.663] wsprintfW (in: param_1=0x2896ae, param_2="%02X" | out: param_1="40") returned 2 [0116.663] wsprintfW (in: param_1=0x2896b2, param_2="%02X" | out: param_1="4B") returned 2 [0116.663] wsprintfW (in: param_1=0x2896b6, param_2="%02X" | out: param_1="71") returned 2 [0116.663] wsprintfW (in: param_1=0x2896ba, param_2="%02X" | out: param_1="CD") returned 2 [0116.663] wsprintfW (in: param_1=0x2896be, param_2="%02X" | out: param_1="6E") returned 2 [0116.664] wsprintfW (in: param_1=0x2896c2, param_2="%02X" | out: param_1="DA") returned 2 [0116.664] wsprintfW (in: param_1=0x2896c6, param_2="%02X" | out: param_1="34") returned 2 [0116.664] wsprintfW (in: param_1=0x2896ca, param_2="%02X" | out: param_1="51") returned 2 [0116.664] wsprintfW (in: param_1=0x2896ce, param_2="%02X" | out: param_1="42") returned 2 [0116.664] wsprintfW (in: param_1=0x2896d2, param_2="%02X" | out: param_1="C8") returned 2 [0116.664] wsprintfW (in: param_1=0x2896d6, param_2="%02X" | out: param_1="69") returned 2 [0116.664] wsprintfW (in: param_1=0x2896da, param_2="%02X" | out: param_1="C3") returned 2 [0116.664] wsprintfW (in: param_1=0x2896de, param_2="%02X" | out: param_1="0A") returned 2 [0116.664] wsprintfW (in: param_1=0x2896e2, param_2="%02X" | out: param_1="CF") returned 2 [0116.664] wsprintfW (in: param_1=0x2896e6, param_2="%02X" | out: param_1="F0") returned 2 [0116.664] wsprintfW (in: param_1=0x2896ea, param_2="%02X" | out: param_1="F2") returned 2 [0116.664] wsprintfW (in: param_1=0x2896ee, param_2="%02X" | out: param_1="3F") returned 2 [0116.664] wsprintfW (in: param_1=0x2896f2, param_2="%02X" | out: param_1="C7") returned 2 [0116.664] wsprintfW (in: param_1=0x2896f6, param_2="%02X" | out: param_1="7A") returned 2 [0116.664] wsprintfW (in: param_1=0x2896fa, param_2="%02X" | out: param_1="80") returned 2 [0116.664] wsprintfW (in: param_1=0x2896fe, param_2="%02X" | out: param_1="91") returned 2 [0116.664] wsprintfW (in: param_1=0x289702, param_2="%02X" | out: param_1="1D") returned 2 [0116.673] lstrcpyW (in: lpString1=0x3cb003c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\verified_contents.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\verified_contents.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\verified_contents.json" [0116.673] lstrcpyW (in: lpString1=0x3ca003c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\verified_contents.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\verified_contents.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\verified_contents.json" [0116.673] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\verified_contents.json", lpString2=".2CB6DEB86925B34BAD2D404B71CD6EDA345142C869C30ACFF0F23FC77A80911D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\verified_contents.json.2CB6DEB86925B34BAD2D404B71CD6EDA345142C869C30ACFF0F23FC77A80911D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\verified_contents.json.2CB6DEB86925B34BAD2D404B71CD6EDA345142C869C30ACFF0F23FC77A80911D" [0116.673] CreateIoCompletionPort (FileHandle=0x1b0, ExistingCompletionPort=0x94, CompletionKey=0x3ca0008, NumberOfConcurrentThreads=0x0) returned 0x94 [0116.674] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3ca0008, lpOverlapped=0x3ca0008) returned 1 [0116.674] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85347ad0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x628aed00, ftLastWriteTime.dwHighDateTime=0x1d0f5b2, nFileSizeHigh=0x0, nFileSizeLow=0x2769, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="verified_contents.json", cAlternateFileName="VERIFI~1.JSO")) returned 0 [0116.674] FindClose (in: hFindFile=0x3bb71e0 | out: hFindFile=0x3bb71e0) returned 1 [0116.674] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\PUSSY.TXT") returned 151 [0116.674] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0116.674] lstrlenA (lpString="abcd") returned 4 [0116.674] WriteFile (in: hFile=0x1ac, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2899ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x2899ac*=0x4, lpOverlapped=0x0) returned 1 [0116.675] CloseHandle (hObject=0x1ac) returned 1 [0116.675] GetProcessHeap () returned 0x4c0000 [0116.675] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0116.675] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85348a70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85348a70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="_metadata", cAlternateFileName="_METAD~1")) returned 0 [0116.676] FindClose (in: hFindFile=0x3bb71a0 | out: hFindFile=0x3bb71a0) returned 1 [0116.676] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\PUSSY.TXT") returned 141 [0116.676] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0116.676] lstrlenA (lpString="abcd") returned 4 [0116.676] WriteFile (in: hFile=0x178, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a14c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a14c*=0x4, lpOverlapped=0x0) returned 1 [0116.677] CloseHandle (hObject=0x178) returned 1 [0116.677] GetProcessHeap () returned 0x4c0000 [0116.677] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0116.679] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x851f1e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85639950, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="4.2.8_0", cAlternateFileName="4278E1~1.8_0")) returned 0 [0116.679] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0116.679] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\PUSSY.TXT") returned 133 [0116.679] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0116.679] lstrlenA (lpString="abcd") returned 4 [0116.679] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a8ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a8ec*=0x4, lpOverlapped=0x0) returned 1 [0116.681] CloseHandle (hObject=0x18c) returned 1 [0116.681] GetProcessHeap () returned 0x4c0000 [0116.681] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bd80e8 | out: hHeap=0x4c0000) returned 1 [0116.681] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x844bb8e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x844c0700, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844c0700, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="felcaaldnbdncclmgdcncolpebgiejap", cAlternateFileName="FELCAA~1")) returned 1 [0116.681] lstrcmpiW (lpString1="felcaaldnbdncclmgdcncolpebgiejap", lpString2="Windows") returned -1 [0116.681] lstrcmpiW (lpString1="felcaaldnbdncclmgdcncolpebgiejap", lpString2="Program Files") returned -1 [0116.681] lstrcmpiW (lpString1="felcaaldnbdncclmgdcncolpebgiejap", lpString2="Program Files (x86)") returned -1 [0116.681] lstrcmpiW (lpString1="felcaaldnbdncclmgdcncolpebgiejap", lpString2="$Recycle.bin") returned 1 [0116.681] lstrcmpiW (lpString1="felcaaldnbdncclmgdcncolpebgiejap", lpString2="System Volume Information") returned -1 [0116.681] lstrcmpiW (lpString1="felcaaldnbdncclmgdcncolpebgiejap", lpString2=".") returned 1 [0116.681] lstrcmpiW (lpString1="felcaaldnbdncclmgdcncolpebgiejap", lpString2="..") returned 1 [0116.681] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap") returned 123 [0116.681] GetProcessHeap () returned 0x4c0000 [0116.681] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bd80e8 [0116.681] lstrcpyW (in: lpString1=0x3bd80e8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap" [0116.681] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\*" [0116.682] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\*", lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x844bb8e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x844c0700, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844c0700, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0116.683] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.683] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.683] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.683] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.683] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.683] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.683] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x844bb8e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x844c0700, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844c0700, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0116.683] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.683] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.683] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.683] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.683] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.683] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.683] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.683] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8401b790, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x844b1ca0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b1ca0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="1.1_0", cAlternateFileName="")) returned 1 [0116.683] lstrcmpiW (lpString1="1.1_0", lpString2="Windows") returned -1 [0116.683] lstrcmpiW (lpString1="1.1_0", lpString2="Program Files") returned -1 [0116.684] lstrcmpiW (lpString1="1.1_0", lpString2="Program Files (x86)") returned -1 [0116.684] lstrcmpiW (lpString1="1.1_0", lpString2="$Recycle.bin") returned 1 [0116.684] lstrcmpiW (lpString1="1.1_0", lpString2="System Volume Information") returned -1 [0116.684] lstrcmpiW (lpString1="1.1_0", lpString2=".") returned 1 [0116.684] lstrcmpiW (lpString1="1.1_0", lpString2="..") returned 1 [0116.684] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0") returned 129 [0116.684] GetProcessHeap () returned 0x4c0000 [0116.684] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x502a88 [0116.685] lstrcpyW (in: lpString1=0x502a88, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0" [0116.685] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\*" [0116.685] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\*", lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8401b790, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x844b1ca0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b1ca0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb71a0 [0116.719] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.720] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.720] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.720] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.720] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.720] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.722] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8401b790, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x844b1ca0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b1ca0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.723] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.723] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.723] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.723] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.723] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.723] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.723] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.723] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x84234950, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x844b1ca0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b1ca0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd47, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="icon_128.png", cAlternateFileName="")) returned 1 [0116.723] lstrcmpiW (lpString1="icon_128.png", lpString2="Windows") returned -1 [0116.723] lstrcmpiW (lpString1="icon_128.png", lpString2="Program Files") returned -1 [0116.723] lstrcmpiW (lpString1="icon_128.png", lpString2="Program Files (x86)") returned -1 [0116.723] lstrcmpiW (lpString1="icon_128.png", lpString2="$Recycle.bin") returned 1 [0116.723] lstrcmpiW (lpString1="icon_128.png", lpString2="System Volume Information") returned -1 [0116.723] lstrcmpiW (lpString1="icon_128.png", lpString2=".") returned 1 [0116.723] lstrcmpiW (lpString1="icon_128.png", lpString2="..") returned 1 [0116.723] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png") returned 142 [0116.723] lstrcmpW (lpString1="icon_128.png", lpString2="PUSSY.TXT") returned -1 [0116.723] PathFindExtensionW (pszPath="icon_128.png") returned=".png" [0116.723] lstrlenW (lpString=".png") returned 4 [0116.723] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0116.723] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0116.724] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=3399) returned 1 [0116.725] GetProcessHeap () returned 0x4c0000 [0116.725] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3ca0008 [0116.734] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="2C") returned 2 [0116.734] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="63") returned 2 [0116.734] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="57") returned 2 [0116.734] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="AD") returned 2 [0116.734] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="8B") returned 2 [0116.734] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="9E") returned 2 [0116.734] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="1B") returned 2 [0116.734] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="51") returned 2 [0116.734] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="6F") returned 2 [0116.734] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="59") returned 2 [0116.734] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="23") returned 2 [0116.734] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="8D") returned 2 [0116.734] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="FF") returned 2 [0116.734] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="BE") returned 2 [0116.734] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="7A") returned 2 [0116.734] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="9D") returned 2 [0116.734] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="AE") returned 2 [0116.734] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="ED") returned 2 [0116.734] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="23") returned 2 [0116.734] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="63") returned 2 [0116.734] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="A6") returned 2 [0116.734] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="10") returned 2 [0116.734] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="92") returned 2 [0116.734] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="32") returned 2 [0116.734] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="47") returned 2 [0116.734] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="8E") returned 2 [0116.734] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="D7") returned 2 [0116.734] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="DE") returned 2 [0116.734] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="20") returned 2 [0116.734] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="8D") returned 2 [0116.735] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="FA") returned 2 [0116.735] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="02") returned 2 [0116.743] lstrcpyW (in: lpString1=0x3cb003c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png" [0116.743] lstrcpyW (in: lpString1=0x3ca003c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png" [0116.743] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png", lpString2=".2C6357AD8B9E1B516F59238DFFBE7A9DAEED2363A6109232478ED7DE208DFA02" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png.2C6357AD8B9E1B516F59238DFFBE7A9DAEED2363A6109232478ED7DE208DFA02") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png.2C6357AD8B9E1B516F59238DFFBE7A9DAEED2363A6109232478ED7DE208DFA02" [0116.744] CreateIoCompletionPort (FileHandle=0x1b0, ExistingCompletionPort=0x94, CompletionKey=0x3ca0008, NumberOfConcurrentThreads=0x0) returned 0x94 [0116.744] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3ca0008, lpOverlapped=0x3ca0008) returned 1 [0116.744] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x84239770, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x844b1ca0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b1ca0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x9d, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="icon_16.png", cAlternateFileName="")) returned 1 [0116.744] lstrcmpiW (lpString1="icon_16.png", lpString2="Windows") returned -1 [0116.751] lstrcmpiW (lpString1="icon_16.png", lpString2="Program Files") returned -1 [0116.751] lstrcmpiW (lpString1="icon_16.png", lpString2="Program Files (x86)") returned -1 [0116.751] lstrcmpiW (lpString1="icon_16.png", lpString2="$Recycle.bin") returned 1 [0116.751] lstrcmpiW (lpString1="icon_16.png", lpString2="System Volume Information") returned -1 [0116.751] lstrcmpiW (lpString1="icon_16.png", lpString2=".") returned 1 [0116.751] lstrcmpiW (lpString1="icon_16.png", lpString2="..") returned 1 [0116.751] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_16.png") returned 141 [0116.751] lstrcmpW (lpString1="icon_16.png", lpString2="PUSSY.TXT") returned -1 [0116.751] PathFindExtensionW (pszPath="icon_16.png") returned=".png" [0116.751] lstrlenW (lpString=".png") returned 4 [0116.751] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0116.751] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_16.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_16.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0116.752] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=157) returned 1 [0116.753] CloseHandle (hObject=0x1ac) returned 1 [0116.753] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8423be80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8423e590, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbcc13a00, ftLastWriteTime.dwHighDateTime=0x1d03f5e, nFileSizeHigh=0x0, nFileSizeLow=0x5c, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="main.html", cAlternateFileName="MAIN~1.HTM")) returned 1 [0116.753] lstrcmpiW (lpString1="main.html", lpString2="Windows") returned -1 [0116.753] lstrcmpiW (lpString1="main.html", lpString2="Program Files") returned -1 [0116.753] lstrcmpiW (lpString1="main.html", lpString2="Program Files (x86)") returned -1 [0116.753] lstrcmpiW (lpString1="main.html", lpString2="$Recycle.bin") returned 1 [0116.753] lstrcmpiW (lpString1="main.html", lpString2="System Volume Information") returned -1 [0116.753] lstrcmpiW (lpString1="main.html", lpString2=".") returned 1 [0116.753] lstrcmpiW (lpString1="main.html", lpString2="..") returned 1 [0116.753] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.html") returned 139 [0116.753] lstrcmpW (lpString1="main.html", lpString2="PUSSY.TXT") returned -1 [0116.753] PathFindExtensionW (pszPath="main.html") returned=".html" [0116.753] lstrlenW (lpString=".html") returned 5 [0116.753] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0116.753] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0116.754] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=92) returned 1 [0116.754] CloseHandle (hObject=0x1ac) returned 1 [0116.754] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x84240ca0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84240ca0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbcc13a00, ftLastWriteTime.dwHighDateTime=0x1d03f5e, nFileSizeHigh=0x0, nFileSizeLow=0x5f, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="main.js", cAlternateFileName="")) returned 1 [0116.754] lstrcmpiW (lpString1="main.js", lpString2="Windows") returned -1 [0116.754] lstrcmpiW (lpString1="main.js", lpString2="Program Files") returned -1 [0116.754] lstrcmpiW (lpString1="main.js", lpString2="Program Files (x86)") returned -1 [0116.754] lstrcmpiW (lpString1="main.js", lpString2="$Recycle.bin") returned 1 [0116.754] lstrcmpiW (lpString1="main.js", lpString2="System Volume Information") returned -1 [0116.754] lstrcmpiW (lpString1="main.js", lpString2=".") returned 1 [0116.754] lstrcmpiW (lpString1="main.js", lpString2="..") returned 1 [0116.754] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.js") returned 137 [0116.754] lstrcmpW (lpString1="main.js", lpString2="PUSSY.TXT") returned -1 [0116.754] PathFindExtensionW (pszPath="main.js") returned=".js" [0116.754] lstrlenW (lpString=".js") returned 3 [0116.754] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0116.754] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0116.754] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=95) returned 1 [0116.755] CloseHandle (hObject=0x1ac) returned 1 [0116.755] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x840205b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84245ac0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844aa770, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x2d6, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="manifest.json", cAlternateFileName="MANIFE~1.JSO")) returned 1 [0116.755] lstrcmpiW (lpString1="manifest.json", lpString2="Windows") returned -1 [0116.755] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files") returned -1 [0116.755] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files (x86)") returned -1 [0116.755] lstrcmpiW (lpString1="manifest.json", lpString2="$Recycle.bin") returned 1 [0116.755] lstrcmpiW (lpString1="manifest.json", lpString2="System Volume Information") returned -1 [0116.755] lstrcmpiW (lpString1="manifest.json", lpString2=".") returned 1 [0116.755] lstrcmpiW (lpString1="manifest.json", lpString2="..") returned 1 [0116.755] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\manifest.json") returned 143 [0116.755] lstrcmpW (lpString1="manifest.json", lpString2="PUSSY.TXT") returned -1 [0116.755] PathFindExtensionW (pszPath="manifest.json") returned=".json" [0116.755] lstrlenW (lpString=".json") returned 5 [0116.755] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0116.755] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\manifest.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0116.755] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=726) returned 1 [0116.756] GetProcessHeap () returned 0x4c0000 [0116.756] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x53caf0 [0116.766] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="CF") returned 2 [0116.766] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="24") returned 2 [0116.766] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="99") returned 2 [0116.766] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="67") returned 2 [0116.766] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="14") returned 2 [0116.766] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="D0") returned 2 [0116.766] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="C6") returned 2 [0116.766] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="26") returned 2 [0116.766] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="46") returned 2 [0116.766] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="5C") returned 2 [0116.766] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="21") returned 2 [0116.766] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="AB") returned 2 [0116.766] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="10") returned 2 [0116.766] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="78") returned 2 [0116.766] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="84") returned 2 [0116.766] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="EB") returned 2 [0116.766] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="AE") returned 2 [0116.766] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="20") returned 2 [0116.766] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="EF") returned 2 [0116.766] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="58") returned 2 [0116.766] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="21") returned 2 [0116.766] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="08") returned 2 [0116.767] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="97") returned 2 [0116.767] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="45") returned 2 [0116.767] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="F7") returned 2 [0116.767] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="81") returned 2 [0116.767] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="B9") returned 2 [0116.767] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="54") returned 2 [0116.767] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="BC") returned 2 [0116.767] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="57") returned 2 [0116.767] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="E5") returned 2 [0116.767] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="1E") returned 2 [0116.775] lstrcpyW (in: lpString1=0x54cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\manifest.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\manifest.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\manifest.json" [0116.775] lstrcpyW (in: lpString1=0x53cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\manifest.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\manifest.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\manifest.json" [0116.775] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\manifest.json", lpString2=".CF24996714D0C626465C21AB107884EBAE20EF5821089745F781B954BC57E51E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\manifest.json.CF24996714D0C626465C21AB107884EBAE20EF5821089745F781B954BC57E51E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\manifest.json.CF24996714D0C626465C21AB107884EBAE20EF5821089745F781B954BC57E51E" [0116.775] CreateIoCompletionPort (FileHandle=0x1ac, ExistingCompletionPort=0x94, CompletionKey=0x53caf0, NumberOfConcurrentThreads=0x0) returned 0x94 [0116.775] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x53caf0, lpOverlapped=0x53caf0) returned 1 [0116.776] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8402f010, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8422fb30, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8422fb30, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="_locales", cAlternateFileName="")) returned 1 [0116.776] lstrcmpiW (lpString1="_locales", lpString2="Windows") returned -1 [0116.778] lstrcmpiW (lpString1="_locales", lpString2="Program Files") returned -1 [0116.778] lstrcmpiW (lpString1="_locales", lpString2="Program Files (x86)") returned -1 [0116.778] lstrcmpiW (lpString1="_locales", lpString2="$Recycle.bin") returned 1 [0116.778] lstrcmpiW (lpString1="_locales", lpString2="System Volume Information") returned -1 [0116.778] lstrcmpiW (lpString1="_locales", lpString2=".") returned 1 [0116.778] lstrcmpiW (lpString1="_locales", lpString2="..") returned 1 [0116.780] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales") returned 138 [0116.780] GetProcessHeap () returned 0x4c0000 [0116.780] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0116.780] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales" [0116.780] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\*" [0116.780] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\*", lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8402f010, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8422fb30, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8422fb30, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb71e0 [0116.782] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.782] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.782] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.782] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.782] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.782] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.782] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8402f010, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8422fb30, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8422fb30, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0116.782] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.782] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.782] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.782] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.782] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.782] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.782] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.782] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84036540, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8403b360, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8403b360, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ar", cAlternateFileName="")) returned 1 [0116.783] lstrcmpiW (lpString1="ar", lpString2="Windows") returned -1 [0116.783] lstrcmpiW (lpString1="ar", lpString2="Program Files") returned -1 [0116.783] lstrcmpiW (lpString1="ar", lpString2="Program Files (x86)") returned -1 [0116.783] lstrcmpiW (lpString1="ar", lpString2="$Recycle.bin") returned 1 [0116.783] lstrcmpiW (lpString1="ar", lpString2="System Volume Information") returned -1 [0116.783] lstrcmpiW (lpString1="ar", lpString2=".") returned 1 [0116.783] lstrcmpiW (lpString1="ar", lpString2="..") returned 1 [0116.783] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar") returned 141 [0116.783] GetProcessHeap () returned 0x4c0000 [0116.783] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53caf0 [0116.783] lstrcpyW (in: lpString1=0x53caf0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar" [0116.783] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\*" [0116.783] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84036540, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8403b360, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8403b360, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.783] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.783] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.783] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.783] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.783] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.783] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.783] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84036540, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8403b360, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8403b360, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.783] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.784] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.784] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.784] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.784] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.784] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.784] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.784] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8403b360, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8403b360, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b1ca0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xfe, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.784] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.784] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.784] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.784] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.784] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.784] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.784] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.784] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\messages.json") returned 155 [0116.784] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.784] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.784] lstrlenW (lpString=".json") returned 5 [0116.784] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.784] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0116.786] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=254) returned 1 [0116.786] CloseHandle (hObject=0x16c) returned 1 [0116.786] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8403b360, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8403b360, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b1ca0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xfe, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.786] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.786] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\PUSSY.TXT") returned 151 [0116.786] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0116.786] lstrlenA (lpString="abcd") returned 4 [0116.786] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.787] CloseHandle (hObject=0x17c) returned 1 [0116.787] GetProcessHeap () returned 0x4c0000 [0116.787] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0116.787] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x840512f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84056110, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84056110, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="bg", cAlternateFileName="")) returned 1 [0116.787] lstrcmpiW (lpString1="bg", lpString2="Windows") returned -1 [0116.788] lstrcmpiW (lpString1="bg", lpString2="Program Files") returned -1 [0116.788] lstrcmpiW (lpString1="bg", lpString2="Program Files (x86)") returned -1 [0116.788] lstrcmpiW (lpString1="bg", lpString2="$Recycle.bin") returned 1 [0116.788] lstrcmpiW (lpString1="bg", lpString2="System Volume Information") returned -1 [0116.788] lstrcmpiW (lpString1="bg", lpString2=".") returned 1 [0116.788] lstrcmpiW (lpString1="bg", lpString2="..") returned 1 [0116.788] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg") returned 141 [0116.788] GetProcessHeap () returned 0x4c0000 [0116.788] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53caf0 [0116.788] lstrcpyW (in: lpString1=0x53caf0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg" [0116.788] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\*" [0116.788] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x840512f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84056110, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84056110, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.788] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.788] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.788] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.788] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.788] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.788] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.788] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x840512f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84056110, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84056110, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.788] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.788] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.789] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.789] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.789] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.789] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.789] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.789] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x84056110, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84058820, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b1ca0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x12f, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.789] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.789] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.789] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.789] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.789] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.789] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.789] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.789] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\messages.json") returned 155 [0116.789] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.789] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.789] lstrlenW (lpString=".json") returned 5 [0116.789] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.789] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0116.790] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=303) returned 1 [0116.790] CloseHandle (hObject=0x16c) returned 1 [0116.790] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x84056110, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84058820, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b1ca0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x12f, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.790] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.790] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\PUSSY.TXT") returned 151 [0116.790] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0116.790] lstrlenA (lpString="abcd") returned 4 [0116.790] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.791] CloseHandle (hObject=0x17c) returned 1 [0116.791] GetProcessHeap () returned 0x4c0000 [0116.791] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0116.791] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84062460, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84067280, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84067280, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ca", cAlternateFileName="")) returned 1 [0116.791] lstrcmpiW (lpString1="ca", lpString2="Windows") returned -1 [0116.791] lstrcmpiW (lpString1="ca", lpString2="Program Files") returned -1 [0116.791] lstrcmpiW (lpString1="ca", lpString2="Program Files (x86)") returned -1 [0116.791] lstrcmpiW (lpString1="ca", lpString2="$Recycle.bin") returned 1 [0116.791] lstrcmpiW (lpString1="ca", lpString2="System Volume Information") returned -1 [0116.792] lstrcmpiW (lpString1="ca", lpString2=".") returned 1 [0116.792] lstrcmpiW (lpString1="ca", lpString2="..") returned 1 [0116.792] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca") returned 141 [0116.792] GetProcessHeap () returned 0x4c0000 [0116.792] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53caf0 [0116.792] lstrcpyW (in: lpString1=0x53caf0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca" [0116.792] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\*" [0116.792] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84062460, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84067280, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84067280, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.792] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.792] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.792] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.792] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.792] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.792] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.792] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84062460, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84067280, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84067280, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.792] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.792] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.792] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.792] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.792] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.793] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.793] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.793] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x84067280, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84067280, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b1ca0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe5, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.793] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.793] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.793] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.793] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.793] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.793] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.793] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.793] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\messages.json") returned 155 [0116.793] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.793] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.793] lstrlenW (lpString=".json") returned 5 [0116.793] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.793] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0116.807] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=229) returned 1 [0116.807] CloseHandle (hObject=0x16c) returned 1 [0116.807] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x84067280, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84067280, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b1ca0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe5, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.808] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.808] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\PUSSY.TXT") returned 151 [0116.808] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0116.808] lstrlenA (lpString="abcd") returned 4 [0116.808] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.809] CloseHandle (hObject=0x17c) returned 1 [0116.809] GetProcessHeap () returned 0x4c0000 [0116.809] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0116.809] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8406e7b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8407f920, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8407f920, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="cs", cAlternateFileName="")) returned 1 [0116.810] lstrcmpiW (lpString1="cs", lpString2="Windows") returned -1 [0116.810] lstrcmpiW (lpString1="cs", lpString2="Program Files") returned -1 [0116.810] lstrcmpiW (lpString1="cs", lpString2="Program Files (x86)") returned -1 [0116.810] lstrcmpiW (lpString1="cs", lpString2="$Recycle.bin") returned 1 [0116.810] lstrcmpiW (lpString1="cs", lpString2="System Volume Information") returned -1 [0116.810] lstrcmpiW (lpString1="cs", lpString2=".") returned 1 [0116.810] lstrcmpiW (lpString1="cs", lpString2="..") returned 1 [0116.810] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs") returned 141 [0116.810] GetProcessHeap () returned 0x4c0000 [0116.810] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53caf0 [0116.810] lstrcpyW (in: lpString1=0x53caf0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs" [0116.810] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\*" [0116.810] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8406e7b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8407f920, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8407f920, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.810] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.810] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.810] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.810] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.811] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.811] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.811] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8406e7b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8407f920, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8407f920, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.811] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.811] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.811] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.811] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.811] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.811] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.811] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.811] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8407f920, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84082030, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b1ca0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xda, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.811] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.811] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.811] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.811] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.811] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.811] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.811] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.811] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\messages.json") returned 155 [0116.811] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.812] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.812] lstrlenW (lpString=".json") returned 5 [0116.812] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.812] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0116.812] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=218) returned 1 [0116.812] CloseHandle (hObject=0x16c) returned 1 [0116.812] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8407f920, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84082030, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b1ca0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xda, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.812] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.812] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\PUSSY.TXT") returned 151 [0116.813] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0116.813] lstrlenA (lpString="abcd") returned 4 [0116.813] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.814] CloseHandle (hObject=0x17c) returned 1 [0116.814] GetProcessHeap () returned 0x4c0000 [0116.814] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0116.814] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8408bc70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84090a90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84090a90, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="da", cAlternateFileName="")) returned 1 [0116.815] lstrcmpiW (lpString1="da", lpString2="Windows") returned -1 [0116.815] lstrcmpiW (lpString1="da", lpString2="Program Files") returned -1 [0116.815] lstrcmpiW (lpString1="da", lpString2="Program Files (x86)") returned -1 [0116.815] lstrcmpiW (lpString1="da", lpString2="$Recycle.bin") returned 1 [0116.815] lstrcmpiW (lpString1="da", lpString2="System Volume Information") returned -1 [0116.815] lstrcmpiW (lpString1="da", lpString2=".") returned 1 [0116.815] lstrcmpiW (lpString1="da", lpString2="..") returned 1 [0116.815] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da") returned 141 [0116.815] GetProcessHeap () returned 0x4c0000 [0116.815] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53caf0 [0116.815] lstrcpyW (in: lpString1=0x53caf0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da" [0116.815] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\*" [0116.815] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8408bc70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84090a90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84090a90, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.815] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.815] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.815] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.815] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.815] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.816] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.816] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8408bc70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84090a90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84090a90, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.816] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.816] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.816] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.816] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.816] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.816] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.816] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.816] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x84090a90, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84090a90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b1ca0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xcf, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.816] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.816] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.816] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.816] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.816] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.816] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.816] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.816] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\messages.json") returned 155 [0116.816] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.816] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.816] lstrlenW (lpString=".json") returned 5 [0116.816] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.816] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0116.818] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=207) returned 1 [0116.818] CloseHandle (hObject=0x16c) returned 1 [0116.818] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x84090a90, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84090a90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b1ca0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xcf, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.818] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.818] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\PUSSY.TXT") returned 151 [0116.818] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0116.819] lstrlenA (lpString="abcd") returned 4 [0116.819] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.820] CloseHandle (hObject=0x17c) returned 1 [0116.820] GetProcessHeap () returned 0x4c0000 [0116.820] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0116.820] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84097fc0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8409cde0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8409cde0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="de", cAlternateFileName="")) returned 1 [0116.820] lstrcmpiW (lpString1="de", lpString2="Windows") returned -1 [0116.820] lstrcmpiW (lpString1="de", lpString2="Program Files") returned -1 [0116.820] lstrcmpiW (lpString1="de", lpString2="Program Files (x86)") returned -1 [0116.820] lstrcmpiW (lpString1="de", lpString2="$Recycle.bin") returned 1 [0116.820] lstrcmpiW (lpString1="de", lpString2="System Volume Information") returned -1 [0116.820] lstrcmpiW (lpString1="de", lpString2=".") returned 1 [0116.820] lstrcmpiW (lpString1="de", lpString2="..") returned 1 [0116.821] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de") returned 141 [0116.821] GetProcessHeap () returned 0x4c0000 [0116.821] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53caf0 [0116.821] lstrcpyW (in: lpString1=0x53caf0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de" [0116.821] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\*" [0116.821] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84097fc0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8409cde0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8409cde0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.821] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.821] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.821] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.821] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.821] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.821] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.821] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84097fc0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8409cde0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8409cde0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.821] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.821] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.821] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.821] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.821] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.822] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.822] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.822] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8409cde0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8409cde0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b1ca0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xdc, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.822] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.822] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.822] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.822] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.822] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.822] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.822] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.822] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\messages.json") returned 155 [0116.822] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.822] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.822] lstrlenW (lpString=".json") returned 5 [0116.822] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.822] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0116.823] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=220) returned 1 [0116.823] CloseHandle (hObject=0x16c) returned 1 [0116.823] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8409cde0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8409cde0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b1ca0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xdc, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.823] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.823] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\PUSSY.TXT") returned 151 [0116.823] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0116.824] lstrlenA (lpString="abcd") returned 4 [0116.824] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.825] CloseHandle (hObject=0x17c) returned 1 [0116.825] GetProcessHeap () returned 0x4c0000 [0116.825] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0116.825] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x841147f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84116f00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84116f00, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="el", cAlternateFileName="")) returned 1 [0116.825] lstrcmpiW (lpString1="el", lpString2="Windows") returned -1 [0116.825] lstrcmpiW (lpString1="el", lpString2="Program Files") returned -1 [0116.825] lstrcmpiW (lpString1="el", lpString2="Program Files (x86)") returned -1 [0116.825] lstrcmpiW (lpString1="el", lpString2="$Recycle.bin") returned 1 [0116.825] lstrcmpiW (lpString1="el", lpString2="System Volume Information") returned -1 [0116.825] lstrcmpiW (lpString1="el", lpString2=".") returned 1 [0116.825] lstrcmpiW (lpString1="el", lpString2="..") returned 1 [0116.825] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el") returned 141 [0116.826] GetProcessHeap () returned 0x4c0000 [0116.826] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53caf0 [0116.826] lstrcpyW (in: lpString1=0x53caf0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el" [0116.826] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\*" [0116.826] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x841147f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84116f00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84116f00, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.826] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.826] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.826] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.826] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.826] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.826] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.826] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x841147f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84116f00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84116f00, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.826] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.826] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.826] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.826] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.827] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.827] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.827] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.827] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x84116f00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84116f00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b43b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x130, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.827] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.827] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.827] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.827] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.827] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.827] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.827] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.827] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\messages.json") returned 155 [0116.827] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.827] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.827] lstrlenW (lpString=".json") returned 5 [0116.827] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.827] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0116.828] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=304) returned 1 [0116.828] CloseHandle (hObject=0x16c) returned 1 [0116.828] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x84116f00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84116f00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b43b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x130, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.829] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.829] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\PUSSY.TXT") returned 151 [0116.829] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0116.829] lstrlenA (lpString="abcd") returned 4 [0116.829] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.830] CloseHandle (hObject=0x17c) returned 1 [0116.830] GetProcessHeap () returned 0x4c0000 [0116.830] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0116.830] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8411bd20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84120b40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84120b40, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="en_GB", cAlternateFileName="")) returned 1 [0116.830] lstrcmpiW (lpString1="en_GB", lpString2="Windows") returned -1 [0116.830] lstrcmpiW (lpString1="en_GB", lpString2="Program Files") returned -1 [0116.830] lstrcmpiW (lpString1="en_GB", lpString2="Program Files (x86)") returned -1 [0116.831] lstrcmpiW (lpString1="en_GB", lpString2="$Recycle.bin") returned 1 [0116.831] lstrcmpiW (lpString1="en_GB", lpString2="System Volume Information") returned -1 [0116.831] lstrcmpiW (lpString1="en_GB", lpString2=".") returned 1 [0116.831] lstrcmpiW (lpString1="en_GB", lpString2="..") returned 1 [0116.831] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB") returned 144 [0116.831] GetProcessHeap () returned 0x4c0000 [0116.831] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53caf0 [0116.831] lstrcpyW (in: lpString1=0x53caf0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB" [0116.831] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB\\*" [0116.831] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8411bd20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84120b40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84120b40, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.831] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.831] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.831] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.831] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.831] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.831] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.831] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8411bd20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84120b40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84120b40, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.832] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.832] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.832] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.832] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.832] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.832] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.832] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.832] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x84120b40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84120b40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b43b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd5, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.832] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.832] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.832] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.832] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.832] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.832] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.832] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.832] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB\\messages.json") returned 158 [0116.832] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.832] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.832] lstrlenW (lpString=".json") returned 5 [0116.832] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.832] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_gb\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0116.833] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=213) returned 1 [0116.833] CloseHandle (hObject=0x16c) returned 1 [0116.833] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x84120b40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84120b40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b43b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd5, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.833] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.833] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB\\PUSSY.TXT") returned 154 [0116.833] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_gb\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0116.834] lstrlenA (lpString="abcd") returned 4 [0116.834] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.835] CloseHandle (hObject=0x17c) returned 1 [0116.835] GetProcessHeap () returned 0x4c0000 [0116.835] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0116.835] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8412a780, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8412ce90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8412ce90, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="en_US", cAlternateFileName="")) returned 1 [0116.835] lstrcmpiW (lpString1="en_US", lpString2="Windows") returned -1 [0116.835] lstrcmpiW (lpString1="en_US", lpString2="Program Files") returned -1 [0116.835] lstrcmpiW (lpString1="en_US", lpString2="Program Files (x86)") returned -1 [0116.835] lstrcmpiW (lpString1="en_US", lpString2="$Recycle.bin") returned 1 [0116.835] lstrcmpiW (lpString1="en_US", lpString2="System Volume Information") returned -1 [0116.835] lstrcmpiW (lpString1="en_US", lpString2=".") returned 1 [0116.835] lstrcmpiW (lpString1="en_US", lpString2="..") returned 1 [0116.835] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US") returned 144 [0116.835] GetProcessHeap () returned 0x4c0000 [0116.835] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53caf0 [0116.835] lstrcpyW (in: lpString1=0x53caf0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US" [0116.835] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US\\*" [0116.835] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8412a780, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8412ce90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8412ce90, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.836] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.836] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.836] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.836] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.836] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.836] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.836] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8412a780, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8412ce90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8412ce90, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.836] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.836] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.836] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.836] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.836] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.836] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.836] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.836] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8412ce90, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8412ce90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b43b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd5, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.836] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.836] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.836] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.836] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.836] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.836] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.837] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.837] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US\\messages.json") returned 158 [0116.837] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.837] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.837] lstrlenW (lpString=".json") returned 5 [0116.837] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.837] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_us\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0116.839] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=213) returned 1 [0116.839] CloseHandle (hObject=0x16c) returned 1 [0116.839] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8412ce90, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8412ce90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b43b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd5, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.839] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.839] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US\\PUSSY.TXT") returned 154 [0116.839] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_us\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0116.840] lstrlenA (lpString="abcd") returned 4 [0116.840] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.841] CloseHandle (hObject=0x17c) returned 1 [0116.841] GetProcessHeap () returned 0x4c0000 [0116.841] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0116.841] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84131cb0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841343c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x841343c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="es", cAlternateFileName="")) returned 1 [0116.841] lstrcmpiW (lpString1="es", lpString2="Windows") returned -1 [0116.841] lstrcmpiW (lpString1="es", lpString2="Program Files") returned -1 [0116.841] lstrcmpiW (lpString1="es", lpString2="Program Files (x86)") returned -1 [0116.841] lstrcmpiW (lpString1="es", lpString2="$Recycle.bin") returned 1 [0116.841] lstrcmpiW (lpString1="es", lpString2="System Volume Information") returned -1 [0116.841] lstrcmpiW (lpString1="es", lpString2=".") returned 1 [0116.841] lstrcmpiW (lpString1="es", lpString2="..") returned 1 [0116.841] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es") returned 141 [0116.841] GetProcessHeap () returned 0x4c0000 [0116.841] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53caf0 [0116.841] lstrcpyW (in: lpString1=0x53caf0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es" [0116.842] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\*" [0116.842] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84131cb0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841343c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x841343c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.843] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.843] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.843] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.843] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.843] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.843] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.843] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84131cb0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841343c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x841343c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.843] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.843] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.843] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.843] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.843] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.843] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.843] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.843] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x841343c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841343c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b43b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe5, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.843] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.843] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.843] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.843] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.843] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.843] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.843] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.843] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\messages.json") returned 155 [0116.843] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.843] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.844] lstrlenW (lpString=".json") returned 5 [0116.844] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.844] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0116.844] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=229) returned 1 [0116.844] CloseHandle (hObject=0x16c) returned 1 [0116.844] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x841343c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841343c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b43b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe5, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.844] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.844] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\PUSSY.TXT") returned 151 [0116.844] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0116.845] lstrlenA (lpString="abcd") returned 4 [0116.845] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.846] CloseHandle (hObject=0x17c) returned 1 [0116.846] GetProcessHeap () returned 0x4c0000 [0116.846] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0116.846] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x841391e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8413b8f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8413b8f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="es_419", cAlternateFileName="")) returned 1 [0116.846] lstrcmpiW (lpString1="es_419", lpString2="Windows") returned -1 [0116.846] lstrcmpiW (lpString1="es_419", lpString2="Program Files") returned -1 [0116.846] lstrcmpiW (lpString1="es_419", lpString2="Program Files (x86)") returned -1 [0116.846] lstrcmpiW (lpString1="es_419", lpString2="$Recycle.bin") returned 1 [0116.846] lstrcmpiW (lpString1="es_419", lpString2="System Volume Information") returned -1 [0116.846] lstrcmpiW (lpString1="es_419", lpString2=".") returned 1 [0116.846] lstrcmpiW (lpString1="es_419", lpString2="..") returned 1 [0116.846] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419") returned 145 [0116.846] GetProcessHeap () returned 0x4c0000 [0116.846] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53caf0 [0116.846] lstrcpyW (in: lpString1=0x53caf0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419" [0116.846] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\*" [0116.847] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x841391e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8413b8f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8413b8f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.847] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.847] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.847] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.847] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.847] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.847] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.847] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x841391e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8413b8f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8413b8f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.847] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.847] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.847] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.847] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.847] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.847] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.847] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.847] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8413b8f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8413b8f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b43b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe5, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.847] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.847] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.847] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.848] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.848] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.848] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.848] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.848] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\messages.json") returned 159 [0116.848] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.848] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.848] lstrlenW (lpString=".json") returned 5 [0116.848] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.848] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0116.849] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=229) returned 1 [0116.849] CloseHandle (hObject=0x16c) returned 1 [0116.849] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8413b8f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8413b8f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b43b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe5, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.849] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.849] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\PUSSY.TXT") returned 155 [0116.849] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0116.850] lstrlenA (lpString="abcd") returned 4 [0116.850] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.851] CloseHandle (hObject=0x17c) returned 1 [0116.851] GetProcessHeap () returned 0x4c0000 [0116.851] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0116.851] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84140710, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84142e20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84142e20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="et", cAlternateFileName="")) returned 1 [0116.851] lstrcmpiW (lpString1="et", lpString2="Windows") returned -1 [0116.851] lstrcmpiW (lpString1="et", lpString2="Program Files") returned -1 [0116.851] lstrcmpiW (lpString1="et", lpString2="Program Files (x86)") returned -1 [0116.851] lstrcmpiW (lpString1="et", lpString2="$Recycle.bin") returned 1 [0116.851] lstrcmpiW (lpString1="et", lpString2="System Volume Information") returned -1 [0116.851] lstrcmpiW (lpString1="et", lpString2=".") returned 1 [0116.851] lstrcmpiW (lpString1="et", lpString2="..") returned 1 [0116.851] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et") returned 141 [0116.851] GetProcessHeap () returned 0x4c0000 [0116.851] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53caf0 [0116.852] lstrcpyW (in: lpString1=0x53caf0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et" [0116.852] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\*" [0116.852] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84140710, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84142e20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84142e20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.852] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.852] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.852] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.852] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.852] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.852] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.852] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84140710, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84142e20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84142e20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.852] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.852] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.852] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.852] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.852] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.852] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.853] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.853] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x84142e20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84142e20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b43b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe2, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.853] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.853] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.853] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.853] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.853] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.853] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.853] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.853] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\messages.json") returned 155 [0116.853] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.853] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.853] lstrlenW (lpString=".json") returned 5 [0116.853] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.853] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0116.853] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=226) returned 1 [0116.854] CloseHandle (hObject=0x16c) returned 1 [0116.854] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x84142e20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84142e20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b43b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe2, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.854] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.854] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\PUSSY.TXT") returned 151 [0116.854] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0116.854] lstrlenA (lpString="abcd") returned 4 [0116.854] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.855] CloseHandle (hObject=0x17c) returned 1 [0116.855] GetProcessHeap () returned 0x4c0000 [0116.856] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0116.856] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84147c40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8414a350, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8414a350, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="fi", cAlternateFileName="")) returned 1 [0116.856] lstrcmpiW (lpString1="fi", lpString2="Windows") returned -1 [0116.856] lstrcmpiW (lpString1="fi", lpString2="Program Files") returned -1 [0116.856] lstrcmpiW (lpString1="fi", lpString2="Program Files (x86)") returned -1 [0116.856] lstrcmpiW (lpString1="fi", lpString2="$Recycle.bin") returned 1 [0116.856] lstrcmpiW (lpString1="fi", lpString2="System Volume Information") returned -1 [0116.856] lstrcmpiW (lpString1="fi", lpString2=".") returned 1 [0116.856] lstrcmpiW (lpString1="fi", lpString2="..") returned 1 [0116.856] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi") returned 141 [0116.856] GetProcessHeap () returned 0x4c0000 [0116.856] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53caf0 [0116.856] lstrcpyW (in: lpString1=0x53caf0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi" [0116.856] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\*" [0116.856] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84147c40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8414a350, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8414a350, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.856] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.856] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.857] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.857] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.857] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.857] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.857] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84147c40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8414a350, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8414a350, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.857] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.857] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.857] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.857] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.857] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.857] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.857] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.857] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8414a350, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8414f170, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b43b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xdc, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.857] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.857] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.857] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.857] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.857] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.857] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.857] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.857] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\messages.json") returned 155 [0116.857] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.857] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.858] lstrlenW (lpString=".json") returned 5 [0116.858] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.858] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0116.859] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=220) returned 1 [0116.859] CloseHandle (hObject=0x16c) returned 1 [0116.859] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8414a350, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8414f170, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b43b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xdc, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.859] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.859] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\PUSSY.TXT") returned 151 [0116.859] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0116.860] lstrlenA (lpString="abcd") returned 4 [0116.860] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.861] CloseHandle (hObject=0x17c) returned 1 [0116.861] GetProcessHeap () returned 0x4c0000 [0116.861] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0116.861] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84153f90, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841566a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x841566a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="fil", cAlternateFileName="")) returned 1 [0116.861] lstrcmpiW (lpString1="fil", lpString2="Windows") returned -1 [0116.861] lstrcmpiW (lpString1="fil", lpString2="Program Files") returned -1 [0116.861] lstrcmpiW (lpString1="fil", lpString2="Program Files (x86)") returned -1 [0116.861] lstrcmpiW (lpString1="fil", lpString2="$Recycle.bin") returned 1 [0116.861] lstrcmpiW (lpString1="fil", lpString2="System Volume Information") returned -1 [0116.861] lstrcmpiW (lpString1="fil", lpString2=".") returned 1 [0116.861] lstrcmpiW (lpString1="fil", lpString2="..") returned 1 [0116.861] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil") returned 142 [0116.861] GetProcessHeap () returned 0x4c0000 [0116.861] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53caf0 [0116.861] lstrcpyW (in: lpString1=0x53caf0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil" [0116.861] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\*" [0116.861] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84153f90, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841566a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x841566a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.862] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.862] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.862] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.862] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.862] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.862] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.862] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84153f90, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841566a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x841566a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.862] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.862] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.862] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.862] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.862] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.862] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.862] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.862] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x841566a0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841566a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b43b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xdf, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.862] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.862] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.862] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.863] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.863] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.863] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.863] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.863] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\messages.json") returned 156 [0116.863] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.863] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.863] lstrlenW (lpString=".json") returned 5 [0116.863] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.863] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0116.863] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=223) returned 1 [0116.863] CloseHandle (hObject=0x16c) returned 1 [0116.863] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x841566a0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841566a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b43b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xdf, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.864] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.864] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\PUSSY.TXT") returned 152 [0116.864] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0116.864] lstrlenA (lpString="abcd") returned 4 [0116.864] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.866] CloseHandle (hObject=0x17c) returned 1 [0116.866] GetProcessHeap () returned 0x4c0000 [0116.866] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0116.866] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8415b4c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8415dbd0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8415dbd0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="fr", cAlternateFileName="")) returned 1 [0116.866] lstrcmpiW (lpString1="fr", lpString2="Windows") returned -1 [0116.866] lstrcmpiW (lpString1="fr", lpString2="Program Files") returned -1 [0116.866] lstrcmpiW (lpString1="fr", lpString2="Program Files (x86)") returned -1 [0116.866] lstrcmpiW (lpString1="fr", lpString2="$Recycle.bin") returned 1 [0116.866] lstrcmpiW (lpString1="fr", lpString2="System Volume Information") returned -1 [0116.866] lstrcmpiW (lpString1="fr", lpString2=".") returned 1 [0116.866] lstrcmpiW (lpString1="fr", lpString2="..") returned 1 [0116.866] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr") returned 141 [0116.866] GetProcessHeap () returned 0x4c0000 [0116.866] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53caf0 [0116.866] lstrcpyW (in: lpString1=0x53caf0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr" [0116.866] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\*" [0116.866] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8415b4c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8415dbd0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8415dbd0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.867] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.867] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.867] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.867] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.867] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.867] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.867] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8415b4c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8415dbd0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8415dbd0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.867] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.867] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.867] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.867] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.867] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.867] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.867] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.867] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8415dbd0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8415dbd0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b43b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe2, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.867] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.867] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.867] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.867] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.867] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.867] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.867] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.867] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\messages.json") returned 155 [0116.867] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.868] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.868] lstrlenW (lpString=".json") returned 5 [0116.868] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.868] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0116.870] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=226) returned 1 [0116.870] CloseHandle (hObject=0x16c) returned 1 [0116.871] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8415dbd0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8415dbd0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b43b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe2, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.871] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.871] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\PUSSY.TXT") returned 151 [0116.871] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0116.874] lstrlenA (lpString="abcd") returned 4 [0116.874] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.875] CloseHandle (hObject=0x17c) returned 1 [0116.875] GetProcessHeap () returned 0x4c0000 [0116.875] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0116.875] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x841629f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84165100, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84165100, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="he", cAlternateFileName="")) returned 1 [0116.875] lstrcmpiW (lpString1="he", lpString2="Windows") returned -1 [0116.875] lstrcmpiW (lpString1="he", lpString2="Program Files") returned -1 [0116.875] lstrcmpiW (lpString1="he", lpString2="Program Files (x86)") returned -1 [0116.875] lstrcmpiW (lpString1="he", lpString2="$Recycle.bin") returned 1 [0116.875] lstrcmpiW (lpString1="he", lpString2="System Volume Information") returned -1 [0116.875] lstrcmpiW (lpString1="he", lpString2=".") returned 1 [0116.875] lstrcmpiW (lpString1="he", lpString2="..") returned 1 [0116.875] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he") returned 141 [0116.875] GetProcessHeap () returned 0x4c0000 [0116.875] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.875] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he" [0116.875] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\*" [0116.875] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x841629f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84165100, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84165100, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.876] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.876] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.876] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.876] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.876] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.876] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.876] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x841629f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84165100, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84165100, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.876] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.876] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.876] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.876] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.876] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.876] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.876] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.876] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x84165100, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84165100, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b43b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xee, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.876] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.876] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.876] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.877] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.877] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.877] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.877] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.877] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\messages.json") returned 155 [0116.877] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.877] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.877] lstrlenW (lpString=".json") returned 5 [0116.877] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.877] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0116.877] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=238) returned 1 [0116.877] CloseHandle (hObject=0x16c) returned 1 [0116.877] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x84165100, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84165100, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b43b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xee, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.878] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.878] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\PUSSY.TXT") returned 151 [0116.878] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0116.878] lstrlenA (lpString="abcd") returned 4 [0116.878] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.879] CloseHandle (hObject=0x17c) returned 1 [0116.879] GetProcessHeap () returned 0x4c0000 [0116.879] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.880] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84169f20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8416c630, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8416c630, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="hi", cAlternateFileName="")) returned 1 [0116.880] lstrcmpiW (lpString1="hi", lpString2="Windows") returned -1 [0116.880] lstrcmpiW (lpString1="hi", lpString2="Program Files") returned -1 [0116.880] lstrcmpiW (lpString1="hi", lpString2="Program Files (x86)") returned -1 [0116.880] lstrcmpiW (lpString1="hi", lpString2="$Recycle.bin") returned 1 [0116.880] lstrcmpiW (lpString1="hi", lpString2="System Volume Information") returned -1 [0116.880] lstrcmpiW (lpString1="hi", lpString2=".") returned 1 [0116.880] lstrcmpiW (lpString1="hi", lpString2="..") returned 1 [0116.880] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi") returned 141 [0116.880] GetProcessHeap () returned 0x4c0000 [0116.880] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.880] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi" [0116.880] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\*" [0116.880] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84169f20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8416c630, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8416c630, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.880] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.880] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.880] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.880] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.881] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.881] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.881] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84169f20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8416c630, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8416c630, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.881] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.881] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.881] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.881] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.881] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.881] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.881] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.881] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8416c630, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8416c630, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b43b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.881] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.881] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.881] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.881] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.881] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.881] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.881] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.881] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\messages.json") returned 155 [0116.881] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.881] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.881] lstrlenW (lpString=".json") returned 5 [0116.881] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.881] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0116.883] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=282) returned 1 [0116.883] CloseHandle (hObject=0x16c) returned 1 [0116.883] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8416c630, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8416c630, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b43b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.883] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.883] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\PUSSY.TXT") returned 151 [0116.883] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0116.883] lstrlenA (lpString="abcd") returned 4 [0116.883] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.885] CloseHandle (hObject=0x17c) returned 1 [0116.885] GetProcessHeap () returned 0x4c0000 [0116.885] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.885] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84171450, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84173b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84173b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="hu", cAlternateFileName="")) returned 1 [0116.885] lstrcmpiW (lpString1="hu", lpString2="Windows") returned -1 [0116.885] lstrcmpiW (lpString1="hu", lpString2="Program Files") returned -1 [0116.885] lstrcmpiW (lpString1="hu", lpString2="Program Files (x86)") returned -1 [0116.885] lstrcmpiW (lpString1="hu", lpString2="$Recycle.bin") returned 1 [0116.885] lstrcmpiW (lpString1="hu", lpString2="System Volume Information") returned -1 [0116.885] lstrcmpiW (lpString1="hu", lpString2=".") returned 1 [0116.885] lstrcmpiW (lpString1="hu", lpString2="..") returned 1 [0116.885] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu") returned 141 [0116.885] GetProcessHeap () returned 0x4c0000 [0116.885] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.885] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu" [0116.885] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\*" [0116.885] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84171450, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84173b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84173b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.886] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.886] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.886] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.886] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.886] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.886] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.886] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84171450, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84173b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84173b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.886] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.886] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.886] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.886] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.886] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.886] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.886] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.886] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x84173b60, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84173b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b43b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xeb, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.886] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.886] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.886] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.887] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.887] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.887] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.887] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.887] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\messages.json") returned 155 [0116.887] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.887] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.887] lstrlenW (lpString=".json") returned 5 [0116.887] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.887] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0116.887] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=235) returned 1 [0116.887] CloseHandle (hObject=0x16c) returned 1 [0116.887] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x84173b60, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84173b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b43b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xeb, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.888] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.888] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\PUSSY.TXT") returned 151 [0116.888] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0116.888] lstrlenA (lpString="abcd") returned 4 [0116.888] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.889] CloseHandle (hObject=0x17c) returned 1 [0116.890] GetProcessHeap () returned 0x4c0000 [0116.890] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.890] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84176270, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8417b090, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8417b090, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="id", cAlternateFileName="")) returned 1 [0116.890] lstrcmpiW (lpString1="id", lpString2="Windows") returned -1 [0116.890] lstrcmpiW (lpString1="id", lpString2="Program Files") returned -1 [0116.890] lstrcmpiW (lpString1="id", lpString2="Program Files (x86)") returned -1 [0116.890] lstrcmpiW (lpString1="id", lpString2="$Recycle.bin") returned 1 [0116.890] lstrcmpiW (lpString1="id", lpString2="System Volume Information") returned -1 [0116.890] lstrcmpiW (lpString1="id", lpString2=".") returned 1 [0116.890] lstrcmpiW (lpString1="id", lpString2="..") returned 1 [0116.890] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id") returned 141 [0116.890] GetProcessHeap () returned 0x4c0000 [0116.890] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.890] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id" [0116.890] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\*" [0116.890] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84176270, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8417b090, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8417b090, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.890] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.890] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.891] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.891] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.891] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.891] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.891] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84176270, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8417b090, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8417b090, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.891] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.891] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.891] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.891] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.891] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.891] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.891] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.891] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8417b090, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8417b090, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b43b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd8, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.891] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.891] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.891] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.891] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.891] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.891] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.891] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.891] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\messages.json") returned 155 [0116.891] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.891] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.891] lstrlenW (lpString=".json") returned 5 [0116.891] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.892] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0116.893] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=216) returned 1 [0116.893] CloseHandle (hObject=0x16c) returned 1 [0116.894] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8417b090, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8417b090, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b43b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd8, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.894] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.894] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\PUSSY.TXT") returned 151 [0116.894] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0116.894] lstrlenA (lpString="abcd") returned 4 [0116.894] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.896] CloseHandle (hObject=0x17c) returned 1 [0116.896] GetProcessHeap () returned 0x4c0000 [0116.896] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.896] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8417feb0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841825c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x841825c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="it", cAlternateFileName="")) returned 1 [0116.896] lstrcmpiW (lpString1="it", lpString2="Windows") returned -1 [0116.896] lstrcmpiW (lpString1="it", lpString2="Program Files") returned -1 [0116.896] lstrcmpiW (lpString1="it", lpString2="Program Files (x86)") returned -1 [0116.896] lstrcmpiW (lpString1="it", lpString2="$Recycle.bin") returned 1 [0116.896] lstrcmpiW (lpString1="it", lpString2="System Volume Information") returned -1 [0116.896] lstrcmpiW (lpString1="it", lpString2=".") returned 1 [0116.896] lstrcmpiW (lpString1="it", lpString2="..") returned 1 [0116.896] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it") returned 141 [0116.896] GetProcessHeap () returned 0x4c0000 [0116.896] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.896] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it" [0116.896] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\*" [0116.896] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8417feb0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841825c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x841825c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.897] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.897] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.897] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.897] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.897] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.897] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.897] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8417feb0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841825c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x841825c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.897] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.897] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.897] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.897] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.897] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.897] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.897] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.897] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x841825c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841825c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b43b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd7, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.897] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.897] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.897] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.897] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.897] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.897] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.897] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.898] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\messages.json") returned 155 [0116.898] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.898] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.898] lstrlenW (lpString=".json") returned 5 [0116.898] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.898] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0116.898] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=215) returned 1 [0116.898] CloseHandle (hObject=0x16c) returned 1 [0116.898] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x841825c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841825c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b43b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd7, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.898] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.898] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\PUSSY.TXT") returned 151 [0116.899] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0116.899] lstrlenA (lpString="abcd") returned 4 [0116.899] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.900] CloseHandle (hObject=0x17c) returned 1 [0116.900] GetProcessHeap () returned 0x4c0000 [0116.900] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.900] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x841873e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84189af0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84189af0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ja", cAlternateFileName="")) returned 1 [0116.900] lstrcmpiW (lpString1="ja", lpString2="Windows") returned -1 [0116.900] lstrcmpiW (lpString1="ja", lpString2="Program Files") returned -1 [0116.901] lstrcmpiW (lpString1="ja", lpString2="Program Files (x86)") returned -1 [0116.901] lstrcmpiW (lpString1="ja", lpString2="$Recycle.bin") returned 1 [0116.901] lstrcmpiW (lpString1="ja", lpString2="System Volume Information") returned -1 [0116.901] lstrcmpiW (lpString1="ja", lpString2=".") returned 1 [0116.901] lstrcmpiW (lpString1="ja", lpString2="..") returned 1 [0116.901] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja") returned 141 [0116.901] GetProcessHeap () returned 0x4c0000 [0116.901] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.901] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja" [0116.901] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\*" [0116.901] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x841873e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84189af0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84189af0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.901] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.901] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.901] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.901] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.901] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.901] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.902] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x841873e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84189af0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84189af0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.902] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.902] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.902] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.902] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.902] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.902] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.902] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.902] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x84189af0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84189af0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b43b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xf5, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.902] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.902] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.902] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.902] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.902] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.902] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.902] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.902] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\messages.json") returned 155 [0116.902] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.902] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.902] lstrlenW (lpString=".json") returned 5 [0116.902] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.902] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0116.904] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=245) returned 1 [0116.904] CloseHandle (hObject=0x16c) returned 1 [0116.904] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x84189af0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84189af0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b43b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xf5, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.904] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.904] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\PUSSY.TXT") returned 151 [0116.904] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0116.904] lstrlenA (lpString="abcd") returned 4 [0116.904] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.906] CloseHandle (hObject=0x17c) returned 1 [0116.906] GetProcessHeap () returned 0x4c0000 [0116.906] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.906] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8418e910, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84191020, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84191020, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ko", cAlternateFileName="")) returned 1 [0116.906] lstrcmpiW (lpString1="ko", lpString2="Windows") returned -1 [0116.906] lstrcmpiW (lpString1="ko", lpString2="Program Files") returned -1 [0116.906] lstrcmpiW (lpString1="ko", lpString2="Program Files (x86)") returned -1 [0116.906] lstrcmpiW (lpString1="ko", lpString2="$Recycle.bin") returned 1 [0116.906] lstrcmpiW (lpString1="ko", lpString2="System Volume Information") returned -1 [0116.906] lstrcmpiW (lpString1="ko", lpString2=".") returned 1 [0116.906] lstrcmpiW (lpString1="ko", lpString2="..") returned 1 [0116.906] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko") returned 141 [0116.906] GetProcessHeap () returned 0x4c0000 [0116.906] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.906] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko" [0116.906] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\*" [0116.906] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8418e910, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84191020, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84191020, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.907] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.907] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.907] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.907] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.907] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.907] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.907] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8418e910, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84191020, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84191020, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.907] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.907] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.907] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.907] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.907] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.907] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.907] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.907] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x84191020, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84191020, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b6ac0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.907] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.907] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.907] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.907] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.907] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.907] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.907] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.908] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\messages.json") returned 155 [0116.908] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.908] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.908] lstrlenW (lpString=".json") returned 5 [0116.908] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.908] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0116.908] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=224) returned 1 [0116.908] CloseHandle (hObject=0x16c) returned 1 [0116.908] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x84191020, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84191020, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b6ac0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.908] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.908] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\PUSSY.TXT") returned 151 [0116.908] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0116.909] lstrlenA (lpString="abcd") returned 4 [0116.909] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.910] CloseHandle (hObject=0x17c) returned 1 [0116.910] GetProcessHeap () returned 0x4c0000 [0116.910] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.911] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84195e40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84198550, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84198550, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="lt", cAlternateFileName="")) returned 1 [0116.911] lstrcmpiW (lpString1="lt", lpString2="Windows") returned -1 [0116.911] lstrcmpiW (lpString1="lt", lpString2="Program Files") returned -1 [0116.911] lstrcmpiW (lpString1="lt", lpString2="Program Files (x86)") returned -1 [0116.911] lstrcmpiW (lpString1="lt", lpString2="$Recycle.bin") returned 1 [0116.911] lstrcmpiW (lpString1="lt", lpString2="System Volume Information") returned -1 [0116.911] lstrcmpiW (lpString1="lt", lpString2=".") returned 1 [0116.911] lstrcmpiW (lpString1="lt", lpString2="..") returned 1 [0116.911] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt") returned 141 [0116.911] GetProcessHeap () returned 0x4c0000 [0116.911] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.911] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt" [0116.911] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\*" [0116.911] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84195e40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84198550, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84198550, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.911] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.912] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.912] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.912] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.912] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.912] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.912] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84195e40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84198550, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84198550, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.912] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.912] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.912] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.912] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.912] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.912] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.912] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.912] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x84198550, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8419d370, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b6ac0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xeb, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.912] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.912] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.912] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.912] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.912] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.912] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.912] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.912] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\messages.json") returned 155 [0116.912] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.912] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.913] lstrlenW (lpString=".json") returned 5 [0116.913] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.913] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0116.914] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=235) returned 1 [0116.914] CloseHandle (hObject=0x16c) returned 1 [0116.914] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x84198550, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8419d370, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b6ac0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xeb, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.914] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.914] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\PUSSY.TXT") returned 151 [0116.914] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0116.915] lstrlenA (lpString="abcd") returned 4 [0116.915] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.916] CloseHandle (hObject=0x17c) returned 1 [0116.916] GetProcessHeap () returned 0x4c0000 [0116.916] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.916] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8419fa80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841a2190, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x841a2190, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="lv", cAlternateFileName="")) returned 1 [0116.916] lstrcmpiW (lpString1="lv", lpString2="Windows") returned -1 [0116.916] lstrcmpiW (lpString1="lv", lpString2="Program Files") returned -1 [0116.916] lstrcmpiW (lpString1="lv", lpString2="Program Files (x86)") returned -1 [0116.916] lstrcmpiW (lpString1="lv", lpString2="$Recycle.bin") returned 1 [0116.916] lstrcmpiW (lpString1="lv", lpString2="System Volume Information") returned -1 [0116.916] lstrcmpiW (lpString1="lv", lpString2=".") returned 1 [0116.916] lstrcmpiW (lpString1="lv", lpString2="..") returned 1 [0116.916] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv") returned 141 [0116.916] GetProcessHeap () returned 0x4c0000 [0116.916] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.917] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv" [0116.917] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\*" [0116.917] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8419fa80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841a2190, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x841a2190, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.917] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.917] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.917] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.917] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.917] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.917] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.917] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8419fa80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841a2190, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x841a2190, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.917] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.917] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.917] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.917] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.917] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.917] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.917] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.918] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x841a2190, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841a48a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b6ac0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe5, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.918] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.918] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.918] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.918] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.918] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.918] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.918] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.918] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\messages.json") returned 155 [0116.918] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.918] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.918] lstrlenW (lpString=".json") returned 5 [0116.918] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.918] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0116.919] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=229) returned 1 [0116.919] CloseHandle (hObject=0x16c) returned 1 [0116.919] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x841a2190, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841a48a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b6ac0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe5, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.919] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.919] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\PUSSY.TXT") returned 151 [0116.919] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0116.920] lstrlenA (lpString="abcd") returned 4 [0116.920] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.921] CloseHandle (hObject=0x17c) returned 1 [0116.921] GetProcessHeap () returned 0x4c0000 [0116.921] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.921] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x841a6fb0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841a96c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x841a96c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ms", cAlternateFileName="")) returned 1 [0116.921] lstrcmpiW (lpString1="ms", lpString2="Windows") returned -1 [0116.921] lstrcmpiW (lpString1="ms", lpString2="Program Files") returned -1 [0116.921] lstrcmpiW (lpString1="ms", lpString2="Program Files (x86)") returned -1 [0116.921] lstrcmpiW (lpString1="ms", lpString2="$Recycle.bin") returned 1 [0116.921] lstrcmpiW (lpString1="ms", lpString2="System Volume Information") returned -1 [0116.921] lstrcmpiW (lpString1="ms", lpString2=".") returned 1 [0116.921] lstrcmpiW (lpString1="ms", lpString2="..") returned 1 [0116.921] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms") returned 141 [0116.921] GetProcessHeap () returned 0x4c0000 [0116.921] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.921] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms" [0116.921] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\*" [0116.921] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x841a6fb0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841a96c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x841a96c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.922] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.922] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.922] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.922] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.922] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.922] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.922] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x841a6fb0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841a96c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x841a96c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.922] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.922] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.922] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.922] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.922] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.922] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.922] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.922] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x841a96c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841a96c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b6ac0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.922] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.922] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.922] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.922] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.922] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.922] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.922] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.923] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\messages.json") returned 155 [0116.923] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.923] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.923] lstrlenW (lpString=".json") returned 5 [0116.923] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.923] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0116.926] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=208) returned 1 [0116.926] CloseHandle (hObject=0x16c) returned 1 [0116.926] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x841a96c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841a96c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b6ac0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.926] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.926] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\PUSSY.TXT") returned 151 [0116.926] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0116.927] lstrlenA (lpString="abcd") returned 4 [0116.927] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.928] CloseHandle (hObject=0x17c) returned 1 [0116.928] GetProcessHeap () returned 0x4c0000 [0116.928] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.928] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x841ae4e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841b0bf0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x841b0bf0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="nl", cAlternateFileName="")) returned 1 [0116.928] lstrcmpiW (lpString1="nl", lpString2="Windows") returned -1 [0116.928] lstrcmpiW (lpString1="nl", lpString2="Program Files") returned -1 [0116.929] lstrcmpiW (lpString1="nl", lpString2="Program Files (x86)") returned -1 [0116.929] lstrcmpiW (lpString1="nl", lpString2="$Recycle.bin") returned 1 [0116.929] lstrcmpiW (lpString1="nl", lpString2="System Volume Information") returned -1 [0116.929] lstrcmpiW (lpString1="nl", lpString2=".") returned 1 [0116.929] lstrcmpiW (lpString1="nl", lpString2="..") returned 1 [0116.929] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl") returned 141 [0116.929] GetProcessHeap () returned 0x4c0000 [0116.929] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.929] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl" [0116.929] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\*" [0116.929] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x841ae4e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841b0bf0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x841b0bf0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.929] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.929] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.929] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.930] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.930] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.930] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.930] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x841ae4e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841b0bf0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x841b0bf0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.930] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.930] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.930] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.930] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.930] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.930] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.930] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.930] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x841b0bf0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841b0bf0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b6ac0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xdd, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.930] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.930] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.930] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.930] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.930] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.930] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.930] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.930] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\messages.json") returned 155 [0116.930] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.930] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.930] lstrlenW (lpString=".json") returned 5 [0116.930] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.931] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0116.931] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=221) returned 1 [0116.931] CloseHandle (hObject=0x16c) returned 1 [0116.931] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x841b0bf0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841b0bf0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b6ac0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xdd, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.931] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.931] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\PUSSY.TXT") returned 151 [0116.931] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0116.932] lstrlenA (lpString="abcd") returned 4 [0116.932] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.933] CloseHandle (hObject=0x17c) returned 1 [0116.933] GetProcessHeap () returned 0x4c0000 [0116.933] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.933] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x841b5a10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841b8120, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x841b8120, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="no", cAlternateFileName="")) returned 1 [0116.933] lstrcmpiW (lpString1="no", lpString2="Windows") returned -1 [0116.933] lstrcmpiW (lpString1="no", lpString2="Program Files") returned -1 [0116.933] lstrcmpiW (lpString1="no", lpString2="Program Files (x86)") returned -1 [0116.933] lstrcmpiW (lpString1="no", lpString2="$Recycle.bin") returned 1 [0116.933] lstrcmpiW (lpString1="no", lpString2="System Volume Information") returned -1 [0116.934] lstrcmpiW (lpString1="no", lpString2=".") returned 1 [0116.934] lstrcmpiW (lpString1="no", lpString2="..") returned 1 [0116.934] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no") returned 141 [0116.934] GetProcessHeap () returned 0x4c0000 [0116.934] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.934] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no" [0116.934] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\*" [0116.934] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x841b5a10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841b8120, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x841b8120, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.934] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.934] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.934] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.934] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.934] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.934] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.934] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x841b5a10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841b8120, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x841b8120, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.934] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.934] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.934] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.935] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.935] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.935] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.935] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.935] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x841b8120, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841b8120, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbcc13a00, ftLastWriteTime.dwHighDateTime=0x1d03f5e, nFileSizeHigh=0x0, nFileSizeLow=0xbf, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.935] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.935] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.935] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.935] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.935] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.935] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.935] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.935] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\messages.json") returned 155 [0116.935] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.937] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.937] lstrlenW (lpString=".json") returned 5 [0116.937] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.937] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0116.938] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=191) returned 1 [0116.938] CloseHandle (hObject=0x16c) returned 1 [0116.938] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x841b8120, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841b8120, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbcc13a00, ftLastWriteTime.dwHighDateTime=0x1d03f5e, nFileSizeHigh=0x0, nFileSizeLow=0xbf, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.938] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.938] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\PUSSY.TXT") returned 151 [0116.938] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0116.939] lstrlenA (lpString="abcd") returned 4 [0116.939] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.940] CloseHandle (hObject=0x17c) returned 1 [0116.940] GetProcessHeap () returned 0x4c0000 [0116.940] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.940] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x841bcf40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841bf650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x841bf650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="pl", cAlternateFileName="")) returned 1 [0116.940] lstrcmpiW (lpString1="pl", lpString2="Windows") returned -1 [0116.940] lstrcmpiW (lpString1="pl", lpString2="Program Files") returned -1 [0116.940] lstrcmpiW (lpString1="pl", lpString2="Program Files (x86)") returned -1 [0116.940] lstrcmpiW (lpString1="pl", lpString2="$Recycle.bin") returned 1 [0116.940] lstrcmpiW (lpString1="pl", lpString2="System Volume Information") returned -1 [0116.940] lstrcmpiW (lpString1="pl", lpString2=".") returned 1 [0116.940] lstrcmpiW (lpString1="pl", lpString2="..") returned 1 [0116.940] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl") returned 141 [0116.940] GetProcessHeap () returned 0x4c0000 [0116.940] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.940] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl" [0116.941] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\*" [0116.941] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x841bcf40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841bf650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x841bf650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.941] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.941] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.941] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.941] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.941] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.941] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.941] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x841bcf40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841bf650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x841bf650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.941] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.941] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.941] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.941] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.941] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.941] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.941] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.941] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x841bf650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841bf650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b6ac0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd1, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.942] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.942] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.942] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.942] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.942] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.942] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.942] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.942] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\messages.json") returned 155 [0116.942] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.942] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.942] lstrlenW (lpString=".json") returned 5 [0116.942] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.942] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0116.942] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=209) returned 1 [0116.943] CloseHandle (hObject=0x16c) returned 1 [0116.943] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x841bf650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841bf650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b6ac0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd1, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.943] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.943] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\PUSSY.TXT") returned 151 [0116.943] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0116.943] lstrlenA (lpString="abcd") returned 4 [0116.943] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.945] CloseHandle (hObject=0x17c) returned 1 [0116.945] GetProcessHeap () returned 0x4c0000 [0116.945] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.945] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x841c6b80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841c9290, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x841c9290, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="pt_BR", cAlternateFileName="")) returned 1 [0116.945] lstrcmpiW (lpString1="pt_BR", lpString2="Windows") returned -1 [0116.945] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files") returned 1 [0116.945] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files (x86)") returned 1 [0116.945] lstrcmpiW (lpString1="pt_BR", lpString2="$Recycle.bin") returned 1 [0116.945] lstrcmpiW (lpString1="pt_BR", lpString2="System Volume Information") returned -1 [0116.945] lstrcmpiW (lpString1="pt_BR", lpString2=".") returned 1 [0116.945] lstrcmpiW (lpString1="pt_BR", lpString2="..") returned 1 [0116.945] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR") returned 144 [0116.945] GetProcessHeap () returned 0x4c0000 [0116.945] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.945] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR" [0116.945] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR\\*" [0116.945] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x841c6b80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841c9290, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x841c9290, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.946] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.946] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.946] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.946] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.946] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.946] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.946] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x841c6b80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841c9290, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x841c9290, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.946] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.946] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.946] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.946] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.946] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.946] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.946] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.946] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x841c9290, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841c9290, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b6ac0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd5, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.946] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.946] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.946] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.946] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.946] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.946] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.946] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.946] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR\\messages.json") returned 158 [0116.946] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.947] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.947] lstrlenW (lpString=".json") returned 5 [0116.947] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.947] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_br\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0116.948] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=213) returned 1 [0116.948] CloseHandle (hObject=0x16c) returned 1 [0116.948] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x841c9290, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841c9290, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b6ac0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd5, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.948] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.948] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR\\PUSSY.TXT") returned 154 [0116.948] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_br\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0116.949] lstrlenA (lpString="abcd") returned 4 [0116.949] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.950] CloseHandle (hObject=0x17c) returned 1 [0116.950] GetProcessHeap () returned 0x4c0000 [0116.950] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.950] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x841ce0b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841d07c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x841d07c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="pt_PT", cAlternateFileName="")) returned 1 [0116.950] lstrcmpiW (lpString1="pt_PT", lpString2="Windows") returned -1 [0116.950] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files") returned 1 [0116.950] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files (x86)") returned 1 [0116.950] lstrcmpiW (lpString1="pt_PT", lpString2="$Recycle.bin") returned 1 [0116.950] lstrcmpiW (lpString1="pt_PT", lpString2="System Volume Information") returned -1 [0116.950] lstrcmpiW (lpString1="pt_PT", lpString2=".") returned 1 [0116.950] lstrcmpiW (lpString1="pt_PT", lpString2="..") returned 1 [0116.950] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT") returned 144 [0116.950] GetProcessHeap () returned 0x4c0000 [0116.950] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.950] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT" [0116.951] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT\\*" [0116.951] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x841ce0b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841d07c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x841d07c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.951] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.951] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.951] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.951] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.951] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.951] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.951] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x841ce0b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841d07c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x841d07c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.951] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.951] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.951] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.951] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.952] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.952] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.952] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.952] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x841d07c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841d07c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b6ac0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe6, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.952] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.952] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.952] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.952] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.952] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.952] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.952] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.952] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT\\messages.json") returned 158 [0116.952] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.952] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.952] lstrlenW (lpString=".json") returned 5 [0116.952] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.952] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_pt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0116.953] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=230) returned 1 [0116.953] CloseHandle (hObject=0x16c) returned 1 [0116.953] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x841d07c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841d07c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b6ac0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe6, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.953] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.953] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT\\PUSSY.TXT") returned 154 [0116.953] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_pt\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0116.953] lstrlenA (lpString="abcd") returned 4 [0116.954] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.955] CloseHandle (hObject=0x17c) returned 1 [0116.955] GetProcessHeap () returned 0x4c0000 [0116.955] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.955] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x841d55e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841d7cf0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x841d7cf0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ro", cAlternateFileName="")) returned 1 [0116.955] lstrcmpiW (lpString1="ro", lpString2="Windows") returned -1 [0116.955] lstrcmpiW (lpString1="ro", lpString2="Program Files") returned 1 [0116.955] lstrcmpiW (lpString1="ro", lpString2="Program Files (x86)") returned 1 [0116.955] lstrcmpiW (lpString1="ro", lpString2="$Recycle.bin") returned 1 [0116.955] lstrcmpiW (lpString1="ro", lpString2="System Volume Information") returned -1 [0116.955] lstrcmpiW (lpString1="ro", lpString2=".") returned 1 [0116.955] lstrcmpiW (lpString1="ro", lpString2="..") returned 1 [0116.955] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro") returned 141 [0116.955] GetProcessHeap () returned 0x4c0000 [0116.955] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.955] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro" [0116.956] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\*" [0116.956] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x841d55e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841d7cf0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x841d7cf0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.956] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.956] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.956] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.956] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.956] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.956] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.956] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x841d55e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841d7cf0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x841d7cf0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.956] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.956] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.956] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.956] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.956] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.956] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.956] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.956] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x841d7cf0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841d7cf0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b6ac0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe2, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.957] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.957] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.957] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.957] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.957] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.957] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.957] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.957] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\messages.json") returned 155 [0116.957] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.957] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.957] lstrlenW (lpString=".json") returned 5 [0116.957] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.957] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0116.958] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=226) returned 1 [0116.958] CloseHandle (hObject=0x16c) returned 1 [0116.958] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x841d7cf0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841d7cf0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b6ac0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe2, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.958] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.958] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\PUSSY.TXT") returned 151 [0116.959] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0116.959] lstrlenA (lpString="abcd") returned 4 [0116.959] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.960] CloseHandle (hObject=0x17c) returned 1 [0116.960] GetProcessHeap () returned 0x4c0000 [0116.960] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.960] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x841dcb10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841df220, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x841df220, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ru", cAlternateFileName="")) returned 1 [0116.960] lstrcmpiW (lpString1="ru", lpString2="Windows") returned -1 [0116.960] lstrcmpiW (lpString1="ru", lpString2="Program Files") returned 1 [0116.960] lstrcmpiW (lpString1="ru", lpString2="Program Files (x86)") returned 1 [0116.961] lstrcmpiW (lpString1="ru", lpString2="$Recycle.bin") returned 1 [0116.961] lstrcmpiW (lpString1="ru", lpString2="System Volume Information") returned -1 [0116.961] lstrcmpiW (lpString1="ru", lpString2=".") returned 1 [0116.961] lstrcmpiW (lpString1="ru", lpString2="..") returned 1 [0116.961] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru") returned 141 [0116.961] GetProcessHeap () returned 0x4c0000 [0116.961] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.961] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru" [0116.961] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\*" [0116.961] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x841dcb10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841df220, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x841df220, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.961] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.961] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.961] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.961] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.961] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.961] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.961] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x841dcb10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841df220, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x841df220, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.962] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.962] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.962] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.962] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.962] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.962] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.962] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.962] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x841df220, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841df220, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b6ac0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xfe, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.962] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.962] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.962] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.962] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.962] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.962] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.962] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.962] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\messages.json") returned 155 [0116.962] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.962] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.962] lstrlenW (lpString=".json") returned 5 [0116.962] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.962] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0116.963] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=254) returned 1 [0116.963] CloseHandle (hObject=0x16c) returned 1 [0116.963] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x841df220, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841df220, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b6ac0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xfe, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.963] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.963] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\PUSSY.TXT") returned 151 [0116.963] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0116.963] lstrlenA (lpString="abcd") returned 4 [0116.964] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.965] CloseHandle (hObject=0x17c) returned 1 [0116.965] GetProcessHeap () returned 0x4c0000 [0116.965] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.965] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x841eb570, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841f0390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x841f0390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="sk", cAlternateFileName="")) returned 1 [0116.965] lstrcmpiW (lpString1="sk", lpString2="Windows") returned -1 [0116.965] lstrcmpiW (lpString1="sk", lpString2="Program Files") returned 1 [0116.965] lstrcmpiW (lpString1="sk", lpString2="Program Files (x86)") returned 1 [0116.965] lstrcmpiW (lpString1="sk", lpString2="$Recycle.bin") returned 1 [0116.965] lstrcmpiW (lpString1="sk", lpString2="System Volume Information") returned -1 [0116.965] lstrcmpiW (lpString1="sk", lpString2=".") returned 1 [0116.965] lstrcmpiW (lpString1="sk", lpString2="..") returned 1 [0116.965] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk") returned 141 [0116.965] GetProcessHeap () returned 0x4c0000 [0116.965] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.965] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk" [0116.965] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\*" [0116.965] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x841eb570, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841f0390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x841f0390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.966] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.966] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.966] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.966] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.966] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.966] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.966] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x841eb570, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841f0390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x841f0390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.966] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.966] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.966] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.966] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.966] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.966] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.966] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.966] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x841f0390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841f0390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b6ac0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xdb, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.966] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.966] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.966] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.966] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.967] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.967] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.967] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.967] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\messages.json") returned 155 [0116.967] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.967] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.967] lstrlenW (lpString=".json") returned 5 [0116.967] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.967] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0116.968] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=219) returned 1 [0116.968] CloseHandle (hObject=0x16c) returned 1 [0116.968] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x841f0390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841f0390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b6ac0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xdb, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.968] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.968] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\PUSSY.TXT") returned 151 [0116.968] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0116.969] lstrlenA (lpString="abcd") returned 4 [0116.969] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.970] CloseHandle (hObject=0x17c) returned 1 [0116.970] GetProcessHeap () returned 0x4c0000 [0116.970] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.970] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x841f51b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841f78c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x841f78c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="sl", cAlternateFileName="")) returned 1 [0116.970] lstrcmpiW (lpString1="sl", lpString2="Windows") returned -1 [0116.970] lstrcmpiW (lpString1="sl", lpString2="Program Files") returned 1 [0116.970] lstrcmpiW (lpString1="sl", lpString2="Program Files (x86)") returned 1 [0116.970] lstrcmpiW (lpString1="sl", lpString2="$Recycle.bin") returned 1 [0116.970] lstrcmpiW (lpString1="sl", lpString2="System Volume Information") returned -1 [0116.970] lstrcmpiW (lpString1="sl", lpString2=".") returned 1 [0116.970] lstrcmpiW (lpString1="sl", lpString2="..") returned 1 [0116.970] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl") returned 141 [0116.970] GetProcessHeap () returned 0x4c0000 [0116.970] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.971] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl" [0116.971] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\*" [0116.971] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x841f51b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841f78c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x841f78c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.971] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.971] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.971] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.971] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.971] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.971] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.971] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x841f51b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841f78c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x841f78c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.971] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.971] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.971] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.971] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.971] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.971] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.971] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.971] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x841f78c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841f78c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b6ac0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xde, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.972] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.972] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.972] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.972] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.972] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.972] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.972] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.972] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\messages.json") returned 155 [0116.972] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.972] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.972] lstrlenW (lpString=".json") returned 5 [0116.972] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.972] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0116.972] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=222) returned 1 [0116.972] CloseHandle (hObject=0x16c) returned 1 [0116.973] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x841f78c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841f78c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b6ac0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xde, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.973] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.973] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\PUSSY.TXT") returned 151 [0116.973] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0116.973] lstrlenA (lpString="abcd") returned 4 [0116.973] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.974] CloseHandle (hObject=0x17c) returned 1 [0116.974] GetProcessHeap () returned 0x4c0000 [0116.974] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.974] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x841fc6e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841fedf0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x841fedf0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="sr", cAlternateFileName="")) returned 1 [0116.975] lstrcmpiW (lpString1="sr", lpString2="Windows") returned -1 [0116.975] lstrcmpiW (lpString1="sr", lpString2="Program Files") returned 1 [0116.975] lstrcmpiW (lpString1="sr", lpString2="Program Files (x86)") returned 1 [0116.975] lstrcmpiW (lpString1="sr", lpString2="$Recycle.bin") returned 1 [0116.975] lstrcmpiW (lpString1="sr", lpString2="System Volume Information") returned -1 [0116.975] lstrcmpiW (lpString1="sr", lpString2=".") returned 1 [0116.975] lstrcmpiW (lpString1="sr", lpString2="..") returned 1 [0116.975] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr") returned 141 [0116.975] GetProcessHeap () returned 0x4c0000 [0116.975] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.975] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr" [0116.975] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\*" [0116.975] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x841fc6e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841fedf0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x841fedf0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.975] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.975] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.975] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.975] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.976] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.976] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.976] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x841fc6e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841fedf0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x841fedf0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.976] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.976] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.976] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.976] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.976] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.976] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.976] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.976] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x841fedf0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841fedf0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b6ac0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xec, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.976] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.976] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.976] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.976] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.976] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.976] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.976] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.976] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\messages.json") returned 155 [0116.976] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.976] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.976] lstrlenW (lpString=".json") returned 5 [0116.976] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.976] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0116.978] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=236) returned 1 [0116.978] CloseHandle (hObject=0x16c) returned 1 [0116.978] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x841fedf0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x841fedf0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b6ac0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xec, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.978] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.978] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\PUSSY.TXT") returned 151 [0116.978] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0116.979] lstrlenA (lpString="abcd") returned 4 [0116.979] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.980] CloseHandle (hObject=0x17c) returned 1 [0116.981] GetProcessHeap () returned 0x4c0000 [0116.981] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.981] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84203c10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84206320, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84206320, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="sv", cAlternateFileName="")) returned 1 [0116.981] lstrcmpiW (lpString1="sv", lpString2="Windows") returned -1 [0116.981] lstrcmpiW (lpString1="sv", lpString2="Program Files") returned 1 [0116.981] lstrcmpiW (lpString1="sv", lpString2="Program Files (x86)") returned 1 [0116.981] lstrcmpiW (lpString1="sv", lpString2="$Recycle.bin") returned 1 [0116.981] lstrcmpiW (lpString1="sv", lpString2="System Volume Information") returned -1 [0116.981] lstrcmpiW (lpString1="sv", lpString2=".") returned 1 [0116.981] lstrcmpiW (lpString1="sv", lpString2="..") returned 1 [0116.981] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv") returned 141 [0116.981] GetProcessHeap () returned 0x4c0000 [0116.981] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.981] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv" [0116.981] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\*" [0116.981] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84203c10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84206320, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84206320, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.982] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.982] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.982] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.982] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.982] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.982] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.982] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84203c10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84206320, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84206320, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.982] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.982] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.982] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.982] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.982] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.982] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.982] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.982] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x84206320, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84206320, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b91d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd8, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.982] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.982] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.982] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.982] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.983] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.983] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.983] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.983] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\messages.json") returned 155 [0116.983] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.983] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.983] lstrlenW (lpString=".json") returned 5 [0116.983] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.983] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0116.983] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=216) returned 1 [0116.983] CloseHandle (hObject=0x16c) returned 1 [0116.983] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x84206320, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84206320, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b91d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd8, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.983] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.984] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\PUSSY.TXT") returned 151 [0116.984] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0116.984] lstrlenA (lpString="abcd") returned 4 [0116.984] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.985] CloseHandle (hObject=0x17c) returned 1 [0116.985] GetProcessHeap () returned 0x4c0000 [0116.985] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.985] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8420b140, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8420d850, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8420d850, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="th", cAlternateFileName="")) returned 1 [0116.985] lstrcmpiW (lpString1="th", lpString2="Windows") returned -1 [0116.985] lstrcmpiW (lpString1="th", lpString2="Program Files") returned 1 [0116.985] lstrcmpiW (lpString1="th", lpString2="Program Files (x86)") returned 1 [0116.986] lstrcmpiW (lpString1="th", lpString2="$Recycle.bin") returned 1 [0116.986] lstrcmpiW (lpString1="th", lpString2="System Volume Information") returned 1 [0116.986] lstrcmpiW (lpString1="th", lpString2=".") returned 1 [0116.986] lstrcmpiW (lpString1="th", lpString2="..") returned 1 [0116.986] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th") returned 141 [0116.986] GetProcessHeap () returned 0x4c0000 [0116.986] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.986] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th" [0116.986] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\*" [0116.986] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8420b140, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8420d850, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8420d850, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.986] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.986] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.986] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.986] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.986] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.986] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.986] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8420b140, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8420d850, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8420d850, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.986] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.987] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.987] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.987] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.987] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.987] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.987] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.987] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8420d850, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8420d850, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b91d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x10a, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.987] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.987] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.987] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.987] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.987] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.987] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.987] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.987] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\messages.json") returned 155 [0116.987] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.987] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.987] lstrlenW (lpString=".json") returned 5 [0116.987] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.987] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0116.989] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=266) returned 1 [0116.989] CloseHandle (hObject=0x16c) returned 1 [0116.989] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8420d850, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8420d850, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b91d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x10a, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.989] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.989] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\PUSSY.TXT") returned 151 [0116.990] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0116.990] lstrlenA (lpString="abcd") returned 4 [0116.990] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.991] CloseHandle (hObject=0x17c) returned 1 [0116.992] GetProcessHeap () returned 0x4c0000 [0116.992] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.992] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84212670, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84212670, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84212670, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="tr", cAlternateFileName="")) returned 1 [0116.992] lstrcmpiW (lpString1="tr", lpString2="Windows") returned -1 [0116.992] lstrcmpiW (lpString1="tr", lpString2="Program Files") returned 1 [0116.992] lstrcmpiW (lpString1="tr", lpString2="Program Files (x86)") returned 1 [0116.992] lstrcmpiW (lpString1="tr", lpString2="$Recycle.bin") returned 1 [0116.992] lstrcmpiW (lpString1="tr", lpString2="System Volume Information") returned 1 [0116.992] lstrcmpiW (lpString1="tr", lpString2=".") returned 1 [0116.992] lstrcmpiW (lpString1="tr", lpString2="..") returned 1 [0116.992] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr") returned 141 [0116.992] GetProcessHeap () returned 0x4c0000 [0116.992] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.992] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr" [0116.992] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\*" [0116.992] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84212670, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84212670, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84212670, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.992] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.992] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.993] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.993] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.993] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.993] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.993] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84212670, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84212670, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84212670, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.993] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.993] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.993] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.993] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.993] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.993] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.993] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.993] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x84212670, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84214d80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b91d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe1, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.993] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.993] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.993] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.993] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.993] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.993] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.993] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.993] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\messages.json") returned 155 [0116.993] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.993] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.993] lstrlenW (lpString=".json") returned 5 [0116.993] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.994] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0116.994] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=225) returned 1 [0116.994] CloseHandle (hObject=0x16c) returned 1 [0116.994] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x84212670, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84214d80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b91d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe1, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.994] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0116.994] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\PUSSY.TXT") returned 151 [0116.994] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0116.995] lstrlenA (lpString="abcd") returned 4 [0116.995] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0116.996] CloseHandle (hObject=0x17c) returned 1 [0116.996] GetProcessHeap () returned 0x4c0000 [0116.996] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.996] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84219ba0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8421c2b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8421c2b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="uk", cAlternateFileName="")) returned 1 [0116.996] lstrcmpiW (lpString1="uk", lpString2="Windows") returned -1 [0116.996] lstrcmpiW (lpString1="uk", lpString2="Program Files") returned 1 [0116.996] lstrcmpiW (lpString1="uk", lpString2="Program Files (x86)") returned 1 [0116.996] lstrcmpiW (lpString1="uk", lpString2="$Recycle.bin") returned 1 [0116.996] lstrcmpiW (lpString1="uk", lpString2="System Volume Information") returned 1 [0116.996] lstrcmpiW (lpString1="uk", lpString2=".") returned 1 [0116.996] lstrcmpiW (lpString1="uk", lpString2="..") returned 1 [0116.996] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk") returned 141 [0116.996] GetProcessHeap () returned 0x4c0000 [0116.996] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0116.996] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk" [0116.997] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\*" [0116.997] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84219ba0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8421c2b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8421c2b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0116.997] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0116.997] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0116.997] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0116.997] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0116.997] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0116.997] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.997] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84219ba0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8421c2b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8421c2b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0116.997] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0116.997] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0116.997] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0116.997] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0116.997] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0116.997] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.997] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.998] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8421c2b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8421c2b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b91d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xfe, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0116.998] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0116.998] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0116.998] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0116.998] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0116.998] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0116.998] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0116.998] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0116.998] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\messages.json") returned 155 [0116.998] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0116.998] PathFindExtensionW (pszPath="messages.json") returned=".json" [0116.998] lstrlenW (lpString=".json") returned 5 [0116.998] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0116.998] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0116.999] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=254) returned 1 [0116.999] CloseHandle (hObject=0x16c) returned 1 [0116.999] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8421c2b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8421c2b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b91d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xfe, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0116.999] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.000] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\PUSSY.TXT") returned 151 [0117.000] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0117.000] lstrlenA (lpString="abcd") returned 4 [0117.000] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.001] CloseHandle (hObject=0x17c) returned 1 [0117.001] GetProcessHeap () returned 0x4c0000 [0117.001] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.001] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x842210d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x842237e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x842237e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="vi", cAlternateFileName="")) returned 1 [0117.001] lstrcmpiW (lpString1="vi", lpString2="Windows") returned -1 [0117.001] lstrcmpiW (lpString1="vi", lpString2="Program Files") returned 1 [0117.002] lstrcmpiW (lpString1="vi", lpString2="Program Files (x86)") returned 1 [0117.002] lstrcmpiW (lpString1="vi", lpString2="$Recycle.bin") returned 1 [0117.002] lstrcmpiW (lpString1="vi", lpString2="System Volume Information") returned 1 [0117.002] lstrcmpiW (lpString1="vi", lpString2=".") returned 1 [0117.002] lstrcmpiW (lpString1="vi", lpString2="..") returned 1 [0117.002] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi") returned 141 [0117.002] GetProcessHeap () returned 0x4c0000 [0117.002] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.002] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi" [0117.002] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\*" [0117.002] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x842210d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x842237e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x842237e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.002] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.002] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.002] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.002] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.002] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.002] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.002] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x842210d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x842237e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x842237e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.002] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.003] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.003] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.003] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.003] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.003] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.003] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.003] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x842237e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x842237e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b91d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.003] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.003] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.003] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.003] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.003] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.003] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.003] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.003] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\messages.json") returned 155 [0117.003] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.003] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.003] lstrlenW (lpString=".json") returned 5 [0117.003] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.003] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0117.004] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=227) returned 1 [0117.004] CloseHandle (hObject=0x16c) returned 1 [0117.004] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x842237e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x842237e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b91d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.004] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.004] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\PUSSY.TXT") returned 151 [0117.004] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0117.004] lstrlenA (lpString="abcd") returned 4 [0117.005] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.006] CloseHandle (hObject=0x17c) returned 1 [0117.006] GetProcessHeap () returned 0x4c0000 [0117.006] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.006] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84228600, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8422ad10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8422ad10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="zh_CN", cAlternateFileName="")) returned 1 [0117.006] lstrcmpiW (lpString1="zh_CN", lpString2="Windows") returned 1 [0117.006] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files") returned 1 [0117.006] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files (x86)") returned 1 [0117.006] lstrcmpiW (lpString1="zh_CN", lpString2="$Recycle.bin") returned 1 [0117.006] lstrcmpiW (lpString1="zh_CN", lpString2="System Volume Information") returned 1 [0117.006] lstrcmpiW (lpString1="zh_CN", lpString2=".") returned 1 [0117.006] lstrcmpiW (lpString1="zh_CN", lpString2="..") returned 1 [0117.006] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN") returned 144 [0117.006] GetProcessHeap () returned 0x4c0000 [0117.006] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.006] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN" [0117.006] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN\\*" [0117.006] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84228600, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8422ad10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8422ad10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.007] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.007] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.007] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.007] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.007] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.007] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.007] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84228600, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8422ad10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8422ad10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.007] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.007] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.007] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.007] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.007] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.007] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.007] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.007] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8422ad10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8422ad10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b91d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd4, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.007] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.007] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.007] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.007] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.007] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.007] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.007] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.007] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN\\messages.json") returned 158 [0117.008] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.008] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.008] lstrlenW (lpString=".json") returned 5 [0117.008] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.008] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_cn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0117.008] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=212) returned 1 [0117.008] CloseHandle (hObject=0x16c) returned 1 [0117.008] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8422ad10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8422ad10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b91d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd4, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.008] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.009] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN\\PUSSY.TXT") returned 154 [0117.009] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_cn\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0117.009] lstrlenA (lpString="abcd") returned 4 [0117.009] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.010] CloseHandle (hObject=0x17c) returned 1 [0117.010] GetProcessHeap () returned 0x4c0000 [0117.010] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.010] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8422fb30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84232240, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84232240, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="zh_TW", cAlternateFileName="")) returned 1 [0117.010] lstrcmpiW (lpString1="zh_TW", lpString2="Windows") returned 1 [0117.010] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files") returned 1 [0117.011] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files (x86)") returned 1 [0117.011] lstrcmpiW (lpString1="zh_TW", lpString2="$Recycle.bin") returned 1 [0117.011] lstrcmpiW (lpString1="zh_TW", lpString2="System Volume Information") returned 1 [0117.011] lstrcmpiW (lpString1="zh_TW", lpString2=".") returned 1 [0117.011] lstrcmpiW (lpString1="zh_TW", lpString2="..") returned 1 [0117.011] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW") returned 144 [0117.011] GetProcessHeap () returned 0x4c0000 [0117.011] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.011] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW" [0117.011] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW\\*" [0117.011] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8422fb30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84232240, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84232240, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.011] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.011] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.011] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.011] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.011] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.011] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.011] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8422fb30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84232240, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84232240, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.012] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.012] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.012] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.012] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.012] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.012] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.012] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.012] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x84232240, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84232240, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b91d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd4, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.012] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.012] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.012] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.012] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.012] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.012] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.012] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.012] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW\\messages.json") returned 158 [0117.012] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.012] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.012] lstrlenW (lpString=".json") returned 5 [0117.012] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.012] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_tw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0117.013] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=212) returned 1 [0117.013] CloseHandle (hObject=0x16c) returned 1 [0117.013] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x84232240, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84232240, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b91d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd4, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.013] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.013] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW\\PUSSY.TXT") returned 154 [0117.013] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_tw\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0117.014] lstrlenA (lpString="abcd") returned 4 [0117.014] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.015] CloseHandle (hObject=0x17c) returned 1 [0117.015] GetProcessHeap () returned 0x4c0000 [0117.015] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.015] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8422fb30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84232240, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84232240, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="zh_TW", cAlternateFileName="")) returned 0 [0117.015] FindClose (in: hFindFile=0x3bb71e0 | out: hFindFile=0x3bb71e0) returned 1 [0117.015] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\PUSSY.TXT") returned 148 [0117.015] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0117.016] lstrlenA (lpString="abcd") returned 4 [0117.016] WriteFile (in: hFile=0x1ac, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2899ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x2899ac*=0x4, lpOverlapped=0x0) returned 1 [0117.017] CloseHandle (hObject=0x1ac) returned 1 [0117.017] GetProcessHeap () returned 0x4c0000 [0117.017] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0117.021] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x842481d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x844eed30, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844eed30, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="_metadata", cAlternateFileName="_METAD~1")) returned 1 [0117.021] lstrcmpiW (lpString1="_metadata", lpString2="Windows") returned -1 [0117.021] lstrcmpiW (lpString1="_metadata", lpString2="Program Files") returned -1 [0117.021] lstrcmpiW (lpString1="_metadata", lpString2="Program Files (x86)") returned -1 [0117.021] lstrcmpiW (lpString1="_metadata", lpString2="$Recycle.bin") returned 1 [0117.021] lstrcmpiW (lpString1="_metadata", lpString2="System Volume Information") returned -1 [0117.021] lstrcmpiW (lpString1="_metadata", lpString2=".") returned 1 [0117.021] lstrcmpiW (lpString1="_metadata", lpString2="..") returned 1 [0117.021] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata") returned 139 [0117.022] GetProcessHeap () returned 0x4c0000 [0117.022] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0117.022] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata" [0117.022] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\*" [0117.022] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\*", lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x842481d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x844eed30, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844eed30, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb71e0 [0117.023] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.023] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.023] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.023] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.023] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.023] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.023] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x842481d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x844eed30, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844eed30, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0117.023] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.023] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.024] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.024] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.024] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.024] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.024] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.024] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x844eed30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x844eed30, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844eed30, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x160, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="computed_hashes.json", cAlternateFileName="COMPUT~1.JSO")) returned 1 [0117.024] lstrcmpiW (lpString1="computed_hashes.json", lpString2="Windows") returned -1 [0117.024] lstrcmpiW (lpString1="computed_hashes.json", lpString2="Program Files") returned -1 [0117.024] lstrcmpiW (lpString1="computed_hashes.json", lpString2="Program Files (x86)") returned -1 [0117.024] lstrcmpiW (lpString1="computed_hashes.json", lpString2="$Recycle.bin") returned 1 [0117.024] lstrcmpiW (lpString1="computed_hashes.json", lpString2="System Volume Information") returned -1 [0117.024] lstrcmpiW (lpString1="computed_hashes.json", lpString2=".") returned 1 [0117.024] lstrcmpiW (lpString1="computed_hashes.json", lpString2="..") returned 1 [0117.024] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\computed_hashes.json") returned 160 [0117.024] lstrcmpW (lpString1="computed_hashes.json", lpString2="PUSSY.TXT") returned -1 [0117.024] PathFindExtensionW (pszPath="computed_hashes.json") returned=".json" [0117.024] lstrlenW (lpString=".json") returned 5 [0117.024] SystemFunction036 (in: RandomBuffer=0x289644, RandomBufferLength=0x20 | out: RandomBuffer=0x289644) returned 1 [0117.024] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\computed_hashes.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\computed_hashes.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0117.025] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x289638 | out: lpFileSize=0x289638*=352) returned 1 [0117.025] CloseHandle (hObject=0x17c) returned 1 [0117.025] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8424a8e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8424a8e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbcc13a00, ftLastWriteTime.dwHighDateTime=0x1d03f5e, nFileSizeHigh=0x0, nFileSizeLow=0x2b56, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="verified_contents.json", cAlternateFileName="VERIFI~1.JSO")) returned 1 [0117.025] lstrcmpiW (lpString1="verified_contents.json", lpString2="Windows") returned -1 [0117.025] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files") returned 1 [0117.025] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files (x86)") returned 1 [0117.025] lstrcmpiW (lpString1="verified_contents.json", lpString2="$Recycle.bin") returned 1 [0117.025] lstrcmpiW (lpString1="verified_contents.json", lpString2="System Volume Information") returned 1 [0117.025] lstrcmpiW (lpString1="verified_contents.json", lpString2=".") returned 1 [0117.025] lstrcmpiW (lpString1="verified_contents.json", lpString2="..") returned 1 [0117.025] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\verified_contents.json") returned 162 [0117.025] lstrcmpW (lpString1="verified_contents.json", lpString2="PUSSY.TXT") returned 1 [0117.025] PathFindExtensionW (pszPath="verified_contents.json") returned=".json" [0117.025] lstrlenW (lpString=".json") returned 5 [0117.025] SystemFunction036 (in: RandomBuffer=0x289644, RandomBufferLength=0x20 | out: RandomBuffer=0x289644) returned 1 [0117.025] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\verified_contents.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0117.027] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x289638 | out: lpFileSize=0x289638*=11094) returned 1 [0117.027] GetProcessHeap () returned 0x4c0000 [0117.027] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3ca0008 [0117.040] wsprintfW (in: param_1=0x289686, param_2="%02X" | out: param_1="DA") returned 2 [0117.040] wsprintfW (in: param_1=0x28968a, param_2="%02X" | out: param_1="63") returned 2 [0117.040] wsprintfW (in: param_1=0x28968e, param_2="%02X" | out: param_1="00") returned 2 [0117.041] wsprintfW (in: param_1=0x289692, param_2="%02X" | out: param_1="50") returned 2 [0117.041] wsprintfW (in: param_1=0x289696, param_2="%02X" | out: param_1="7F") returned 2 [0117.041] wsprintfW (in: param_1=0x28969a, param_2="%02X" | out: param_1="C1") returned 2 [0117.041] wsprintfW (in: param_1=0x28969e, param_2="%02X" | out: param_1="62") returned 2 [0117.041] wsprintfW (in: param_1=0x2896a2, param_2="%02X" | out: param_1="F9") returned 2 [0117.041] wsprintfW (in: param_1=0x2896a6, param_2="%02X" | out: param_1="11") returned 2 [0117.041] wsprintfW (in: param_1=0x2896aa, param_2="%02X" | out: param_1="C6") returned 2 [0117.041] wsprintfW (in: param_1=0x2896ae, param_2="%02X" | out: param_1="AC") returned 2 [0117.041] wsprintfW (in: param_1=0x2896b2, param_2="%02X" | out: param_1="5C") returned 2 [0117.041] wsprintfW (in: param_1=0x2896b6, param_2="%02X" | out: param_1="0B") returned 2 [0117.041] wsprintfW (in: param_1=0x2896ba, param_2="%02X" | out: param_1="AF") returned 2 [0117.041] wsprintfW (in: param_1=0x2896be, param_2="%02X" | out: param_1="0D") returned 2 [0117.041] wsprintfW (in: param_1=0x2896c2, param_2="%02X" | out: param_1="DA") returned 2 [0117.041] wsprintfW (in: param_1=0x2896c6, param_2="%02X" | out: param_1="38") returned 2 [0117.041] wsprintfW (in: param_1=0x2896ca, param_2="%02X" | out: param_1="F7") returned 2 [0117.041] wsprintfW (in: param_1=0x2896ce, param_2="%02X" | out: param_1="DC") returned 2 [0117.041] wsprintfW (in: param_1=0x2896d2, param_2="%02X" | out: param_1="91") returned 2 [0117.041] wsprintfW (in: param_1=0x2896d6, param_2="%02X" | out: param_1="B1") returned 2 [0117.041] wsprintfW (in: param_1=0x2896da, param_2="%02X" | out: param_1="F7") returned 2 [0117.041] wsprintfW (in: param_1=0x2896de, param_2="%02X" | out: param_1="1C") returned 2 [0117.041] wsprintfW (in: param_1=0x2896e2, param_2="%02X" | out: param_1="66") returned 2 [0117.041] wsprintfW (in: param_1=0x2896e6, param_2="%02X" | out: param_1="91") returned 2 [0117.041] wsprintfW (in: param_1=0x2896ea, param_2="%02X" | out: param_1="48") returned 2 [0117.041] wsprintfW (in: param_1=0x2896ee, param_2="%02X" | out: param_1="A3") returned 2 [0117.041] wsprintfW (in: param_1=0x2896f2, param_2="%02X" | out: param_1="C1") returned 2 [0117.041] wsprintfW (in: param_1=0x2896f6, param_2="%02X" | out: param_1="B3") returned 2 [0117.042] wsprintfW (in: param_1=0x2896fa, param_2="%02X" | out: param_1="73") returned 2 [0117.042] wsprintfW (in: param_1=0x2896fe, param_2="%02X" | out: param_1="88") returned 2 [0117.042] wsprintfW (in: param_1=0x289702, param_2="%02X" | out: param_1="57") returned 2 [0117.054] lstrcpyW (in: lpString1=0x3cb003c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\verified_contents.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\verified_contents.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\verified_contents.json" [0117.054] lstrcpyW (in: lpString1=0x3ca003c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\verified_contents.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\verified_contents.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\verified_contents.json" [0117.054] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\verified_contents.json", lpString2=".DA6300507FC162F911C6AC5C0BAF0DDA38F7DC91B1F71C669148A3C1B3738857" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\verified_contents.json.DA6300507FC162F911C6AC5C0BAF0DDA38F7DC91B1F71C669148A3C1B3738857") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\verified_contents.json.DA6300507FC162F911C6AC5C0BAF0DDA38F7DC91B1F71C669148A3C1B3738857" [0117.054] CreateIoCompletionPort (FileHandle=0x17c, ExistingCompletionPort=0x94, CompletionKey=0x3ca0008, NumberOfConcurrentThreads=0x0) returned 0x94 [0117.054] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3ca0008, lpOverlapped=0x3ca0008) returned 1 [0117.054] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8424a8e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8424a8e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbcc13a00, ftLastWriteTime.dwHighDateTime=0x1d03f5e, nFileSizeHigh=0x0, nFileSizeLow=0x2b56, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="verified_contents.json", cAlternateFileName="VERIFI~1.JSO")) returned 0 [0117.054] FindClose (in: hFindFile=0x3bb71e0 | out: hFindFile=0x3bb71e0) returned 1 [0117.055] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\PUSSY.TXT") returned 149 [0117.055] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0117.079] lstrlenA (lpString="abcd") returned 4 [0117.079] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2899ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x2899ac*=0x4, lpOverlapped=0x0) returned 1 [0117.081] CloseHandle (hObject=0x17c) returned 1 [0117.081] GetProcessHeap () returned 0x4c0000 [0117.081] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0117.083] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x842481d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x844eed30, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844eed30, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="_metadata", cAlternateFileName="_METAD~1")) returned 0 [0117.083] FindClose (in: hFindFile=0x3bb71a0 | out: hFindFile=0x3bb71a0) returned 1 [0117.084] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\PUSSY.TXT") returned 139 [0117.084] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0117.085] lstrlenA (lpString="abcd") returned 4 [0117.085] WriteFile (in: hFile=0x178, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a14c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a14c*=0x4, lpOverlapped=0x0) returned 1 [0117.086] CloseHandle (hObject=0x178) returned 1 [0117.086] GetProcessHeap () returned 0x4c0000 [0117.086] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0117.086] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8401b790, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x844b1ca0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b1ca0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="1.1_0", cAlternateFileName="")) returned 0 [0117.086] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0117.087] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\PUSSY.TXT") returned 133 [0117.087] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0117.090] lstrlenA (lpString="abcd") returned 4 [0117.090] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a8ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a8ec*=0x4, lpOverlapped=0x0) returned 1 [0117.091] CloseHandle (hObject=0x18c) returned 1 [0117.091] GetProcessHeap () returned 0x4c0000 [0117.091] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bd80e8 | out: hHeap=0x4c0000) returned 1 [0117.093] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x862fc2f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86322450, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86322450, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="ghbmnnjooekpmoecnnnilnnbdlolhkhi", cAlternateFileName="GHBMNN~1")) returned 1 [0117.093] lstrcmpiW (lpString1="ghbmnnjooekpmoecnnnilnnbdlolhkhi", lpString2="Windows") returned -1 [0117.093] lstrcmpiW (lpString1="ghbmnnjooekpmoecnnnilnnbdlolhkhi", lpString2="Program Files") returned -1 [0117.093] lstrcmpiW (lpString1="ghbmnnjooekpmoecnnnilnnbdlolhkhi", lpString2="Program Files (x86)") returned -1 [0117.093] lstrcmpiW (lpString1="ghbmnnjooekpmoecnnnilnnbdlolhkhi", lpString2="$Recycle.bin") returned 1 [0117.093] lstrcmpiW (lpString1="ghbmnnjooekpmoecnnnilnnbdlolhkhi", lpString2="System Volume Information") returned -1 [0117.093] lstrcmpiW (lpString1="ghbmnnjooekpmoecnnnilnnbdlolhkhi", lpString2=".") returned 1 [0117.093] lstrcmpiW (lpString1="ghbmnnjooekpmoecnnnilnnbdlolhkhi", lpString2="..") returned 1 [0117.093] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi") returned 123 [0117.093] GetProcessHeap () returned 0x4c0000 [0117.093] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bd80e8 [0117.094] lstrcpyW (in: lpString1=0x3bd80e8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi" [0117.094] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\*" [0117.094] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\*", lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x862fc2f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86322450, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86322450, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0117.095] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.096] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.096] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.096] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.096] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.096] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.096] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x862fc2f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86322450, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86322450, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0117.096] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.096] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.096] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.096] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.096] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.096] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.096] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.096] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85dd4d90, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x862fc2f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="1.4_0", cAlternateFileName="")) returned 1 [0117.096] lstrcmpiW (lpString1="1.4_0", lpString2="Windows") returned -1 [0117.096] lstrcmpiW (lpString1="1.4_0", lpString2="Program Files") returned -1 [0117.096] lstrcmpiW (lpString1="1.4_0", lpString2="Program Files (x86)") returned -1 [0117.096] lstrcmpiW (lpString1="1.4_0", lpString2="$Recycle.bin") returned 1 [0117.096] lstrcmpiW (lpString1="1.4_0", lpString2="System Volume Information") returned -1 [0117.096] lstrcmpiW (lpString1="1.4_0", lpString2=".") returned 1 [0117.096] lstrcmpiW (lpString1="1.4_0", lpString2="..") returned 1 [0117.096] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0") returned 129 [0117.096] GetProcessHeap () returned 0x4c0000 [0117.096] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x502a88 [0117.098] lstrcpyW (in: lpString1=0x502a88, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0" [0117.098] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\*" [0117.098] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\*", lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85dd4d90, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x862fc2f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb71a0 [0117.099] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.099] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.099] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.100] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.100] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.100] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.100] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85dd4d90, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x862fc2f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.100] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.100] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.100] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.100] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.100] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.100] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.100] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.100] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85dd4d90, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x862fc2f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x1378, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="128.png", cAlternateFileName="")) returned 1 [0117.100] lstrcmpiW (lpString1="128.png", lpString2="Windows") returned -1 [0117.100] lstrcmpiW (lpString1="128.png", lpString2="Program Files") returned -1 [0117.100] lstrcmpiW (lpString1="128.png", lpString2="Program Files (x86)") returned -1 [0117.100] lstrcmpiW (lpString1="128.png", lpString2="$Recycle.bin") returned 1 [0117.100] lstrcmpiW (lpString1="128.png", lpString2="System Volume Information") returned -1 [0117.100] lstrcmpiW (lpString1="128.png", lpString2=".") returned 1 [0117.100] lstrcmpiW (lpString1="128.png", lpString2="..") returned 1 [0117.100] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png") returned 137 [0117.100] lstrcmpW (lpString1="128.png", lpString2="PUSSY.TXT") returned -1 [0117.101] PathFindExtensionW (pszPath="128.png") returned=".png" [0117.101] lstrlenW (lpString=".png") returned 4 [0117.101] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0117.101] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0117.101] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=4984) returned 1 [0117.101] GetProcessHeap () returned 0x4c0000 [0117.101] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3ca0008 [0117.113] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="AD") returned 2 [0117.113] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="30") returned 2 [0117.113] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="59") returned 2 [0117.113] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="91") returned 2 [0117.113] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="00") returned 2 [0117.113] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="42") returned 2 [0117.113] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="92") returned 2 [0117.113] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="6E") returned 2 [0117.113] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="FC") returned 2 [0117.113] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="C2") returned 2 [0117.113] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="42") returned 2 [0117.113] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="34") returned 2 [0117.113] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="58") returned 2 [0117.113] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="D4") returned 2 [0117.114] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="5D") returned 2 [0117.114] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="1F") returned 2 [0117.114] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="E0") returned 2 [0117.114] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="57") returned 2 [0117.114] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="40") returned 2 [0117.114] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="5A") returned 2 [0117.114] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="56") returned 2 [0117.114] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="B5") returned 2 [0117.114] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="D6") returned 2 [0117.114] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="40") returned 2 [0117.114] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="44") returned 2 [0117.114] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="C2") returned 2 [0117.114] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="96") returned 2 [0117.114] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="69") returned 2 [0117.114] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="0F") returned 2 [0117.114] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="3C") returned 2 [0117.114] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="80") returned 2 [0117.114] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="09") returned 2 [0117.122] lstrcpyW (in: lpString1=0x3cb003c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png" [0117.123] lstrcpyW (in: lpString1=0x3ca003c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png" [0117.123] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png", lpString2=".AD3059910042926EFCC2423458D45D1FE057405A56B5D64044C296690F3C8009" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png.AD3059910042926EFCC2423458D45D1FE057405A56B5D64044C296690F3C8009") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png.AD3059910042926EFCC2423458D45D1FE057405A56B5D64044C296690F3C8009" [0117.123] CreateIoCompletionPort (FileHandle=0x17c, ExistingCompletionPort=0x94, CompletionKey=0x3ca0008, NumberOfConcurrentThreads=0x0) returned 0x94 [0117.123] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3ca0008, lpOverlapped=0x3ca0008) returned 1 [0117.123] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86012940, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86012940, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x47d5c900, ftLastWriteTime.dwHighDateTime=0x1d1781e, nFileSizeHigh=0x0, nFileSizeLow=0x1103, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="contentscript_bin_prod.js", cAlternateFileName="CONTEN~1.JS")) returned 1 [0117.123] lstrcmpiW (lpString1="contentscript_bin_prod.js", lpString2="Windows") returned -1 [0117.123] lstrcmpiW (lpString1="contentscript_bin_prod.js", lpString2="Program Files") returned -1 [0117.123] lstrcmpiW (lpString1="contentscript_bin_prod.js", lpString2="Program Files (x86)") returned -1 [0117.123] lstrcmpiW (lpString1="contentscript_bin_prod.js", lpString2="$Recycle.bin") returned 1 [0117.123] lstrcmpiW (lpString1="contentscript_bin_prod.js", lpString2="System Volume Information") returned -1 [0117.123] lstrcmpiW (lpString1="contentscript_bin_prod.js", lpString2=".") returned 1 [0117.123] lstrcmpiW (lpString1="contentscript_bin_prod.js", lpString2="..") returned 1 [0117.123] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\contentscript_bin_prod.js") returned 155 [0117.123] lstrcmpW (lpString1="contentscript_bin_prod.js", lpString2="PUSSY.TXT") returned -1 [0117.124] PathFindExtensionW (pszPath="contentscript_bin_prod.js") returned=".js" [0117.124] lstrlenW (lpString=".js") returned 3 [0117.124] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0117.124] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\contentscript_bin_prod.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\contentscript_bin_prod.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0117.153] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=4355) returned 1 [0117.153] GetProcessHeap () returned 0x4c0000 [0117.153] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x53caf0 [0117.163] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="86") returned 2 [0117.163] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="10") returned 2 [0117.163] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="03") returned 2 [0117.163] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="BE") returned 2 [0117.163] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="79") returned 2 [0117.163] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="56") returned 2 [0117.163] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="99") returned 2 [0117.163] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="42") returned 2 [0117.163] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="2E") returned 2 [0117.163] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="21") returned 2 [0117.163] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="D7") returned 2 [0117.163] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="97") returned 2 [0117.163] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="29") returned 2 [0117.163] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="79") returned 2 [0117.163] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="4D") returned 2 [0117.163] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="5F") returned 2 [0117.163] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="C7") returned 2 [0117.163] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="15") returned 2 [0117.163] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="D4") returned 2 [0117.163] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="C0") returned 2 [0117.163] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="1C") returned 2 [0117.163] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="E5") returned 2 [0117.163] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="01") returned 2 [0117.163] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="19") returned 2 [0117.163] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="63") returned 2 [0117.163] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="F7") returned 2 [0117.163] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="A1") returned 2 [0117.163] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="28") returned 2 [0117.164] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="03") returned 2 [0117.164] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="0B") returned 2 [0117.164] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="1A") returned 2 [0117.164] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="47") returned 2 [0117.172] lstrcpyW (in: lpString1=0x54cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\contentscript_bin_prod.js" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\contentscript_bin_prod.js") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\contentscript_bin_prod.js" [0117.172] lstrcpyW (in: lpString1=0x53cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\contentscript_bin_prod.js" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\contentscript_bin_prod.js") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\contentscript_bin_prod.js" [0117.172] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\contentscript_bin_prod.js", lpString2=".861003BE795699422E21D79729794D5FC715D4C01CE5011963F7A128030B1A47" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\contentscript_bin_prod.js.861003BE795699422E21D79729794D5FC715D4C01CE5011963F7A128030B1A47") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\contentscript_bin_prod.js.861003BE795699422E21D79729794D5FC715D4C01CE5011963F7A128030B1A47" [0117.172] CreateIoCompletionPort (FileHandle=0x1ac, ExistingCompletionPort=0x94, CompletionKey=0x53caf0, NumberOfConcurrentThreads=0x0) returned 0x94 [0117.173] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x53caf0, lpOverlapped=0x53caf0) returned 1 [0117.173] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86012940, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86012940, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x47d5c900, ftLastWriteTime.dwHighDateTime=0x1d1781e, nFileSizeHigh=0x0, nFileSizeLow=0x356, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="dasherSettingSchema.json", cAlternateFileName="DASHER~1.JSO")) returned 1 [0117.173] lstrcmpiW (lpString1="dasherSettingSchema.json", lpString2="Windows") returned -1 [0117.173] lstrcmpiW (lpString1="dasherSettingSchema.json", lpString2="Program Files") returned -1 [0117.173] lstrcmpiW (lpString1="dasherSettingSchema.json", lpString2="Program Files (x86)") returned -1 [0117.173] lstrcmpiW (lpString1="dasherSettingSchema.json", lpString2="$Recycle.bin") returned 1 [0117.173] lstrcmpiW (lpString1="dasherSettingSchema.json", lpString2="System Volume Information") returned -1 [0117.173] lstrcmpiW (lpString1="dasherSettingSchema.json", lpString2=".") returned 1 [0117.173] lstrcmpiW (lpString1="dasherSettingSchema.json", lpString2="..") returned 1 [0117.173] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\dasherSettingSchema.json") returned 154 [0117.173] lstrcmpW (lpString1="dasherSettingSchema.json", lpString2="PUSSY.TXT") returned -1 [0117.173] PathFindExtensionW (pszPath="dasherSettingSchema.json") returned=".json" [0117.173] lstrlenW (lpString=".json") returned 5 [0117.174] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0117.174] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\dasherSettingSchema.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\dashersettingschema.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0117.174] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=854) returned 1 [0117.174] GetProcessHeap () returned 0x4c0000 [0117.174] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x564b40 [0117.183] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="F9") returned 2 [0117.183] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="AF") returned 2 [0117.183] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="4D") returned 2 [0117.184] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="C8") returned 2 [0117.184] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="BF") returned 2 [0117.184] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="8E") returned 2 [0117.184] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="8C") returned 2 [0117.184] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="ED") returned 2 [0117.184] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="47") returned 2 [0117.184] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="61") returned 2 [0117.184] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="13") returned 2 [0117.184] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="70") returned 2 [0117.184] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="39") returned 2 [0117.184] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="5A") returned 2 [0117.184] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="B8") returned 2 [0117.184] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="F0") returned 2 [0117.184] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="DD") returned 2 [0117.184] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="D7") returned 2 [0117.184] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="D0") returned 2 [0117.184] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="57") returned 2 [0117.184] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="59") returned 2 [0117.184] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="4E") returned 2 [0117.184] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="92") returned 2 [0117.184] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="6D") returned 2 [0117.184] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="6B") returned 2 [0117.184] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="36") returned 2 [0117.184] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="71") returned 2 [0117.184] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="6F") returned 2 [0117.184] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="9F") returned 2 [0117.184] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="41") returned 2 [0117.184] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="41") returned 2 [0117.184] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="0C") returned 2 [0117.194] lstrcpyW (in: lpString1=0x574b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\dasherSettingSchema.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\dasherSettingSchema.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\dasherSettingSchema.json" [0117.195] lstrcpyW (in: lpString1=0x564b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\dasherSettingSchema.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\dasherSettingSchema.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\dasherSettingSchema.json" [0117.195] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\dasherSettingSchema.json", lpString2=".F9AF4DC8BF8E8CED47611370395AB8F0DDD7D057594E926D6B36716F9F41410C" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\dasherSettingSchema.json.F9AF4DC8BF8E8CED47611370395AB8F0DDD7D057594E926D6B36716F9F41410C") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\dasherSettingSchema.json.F9AF4DC8BF8E8CED47611370395AB8F0DDD7D057594E926D6B36716F9F41410C" [0117.195] CreateIoCompletionPort (FileHandle=0x16c, ExistingCompletionPort=0x94, CompletionKey=0x564b40, NumberOfConcurrentThreads=0x0) returned 0x94 [0117.195] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x564b40, lpOverlapped=0x564b40) returned 1 [0117.195] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86012940, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86012940, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x47d5c900, ftLastWriteTime.dwHighDateTime=0x1d1781e, nFileSizeHigh=0x0, nFileSizeLow=0x5b6c, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="eventpage_bin_prod.js", cAlternateFileName="EVENTP~1.JS")) returned 1 [0117.195] lstrcmpiW (lpString1="eventpage_bin_prod.js", lpString2="Windows") returned -1 [0117.195] lstrcmpiW (lpString1="eventpage_bin_prod.js", lpString2="Program Files") returned -1 [0117.195] lstrcmpiW (lpString1="eventpage_bin_prod.js", lpString2="Program Files (x86)") returned -1 [0117.195] lstrcmpiW (lpString1="eventpage_bin_prod.js", lpString2="$Recycle.bin") returned 1 [0117.195] lstrcmpiW (lpString1="eventpage_bin_prod.js", lpString2="System Volume Information") returned -1 [0117.195] lstrcmpiW (lpString1="eventpage_bin_prod.js", lpString2=".") returned 1 [0117.195] lstrcmpiW (lpString1="eventpage_bin_prod.js", lpString2="..") returned 1 [0117.195] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\eventpage_bin_prod.js") returned 151 [0117.196] lstrcmpW (lpString1="eventpage_bin_prod.js", lpString2="PUSSY.TXT") returned -1 [0117.196] PathFindExtensionW (pszPath="eventpage_bin_prod.js") returned=".js" [0117.196] lstrlenW (lpString=".js") returned 3 [0117.196] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0117.196] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\eventpage_bin_prod.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\eventpage_bin_prod.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0117.196] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=23404) returned 1 [0117.196] GetProcessHeap () returned 0x4c0000 [0117.196] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b380a0 [0117.209] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="CB") returned 2 [0117.209] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="5C") returned 2 [0117.209] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="16") returned 2 [0117.209] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="A1") returned 2 [0117.209] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="05") returned 2 [0117.209] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="8D") returned 2 [0117.209] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="9D") returned 2 [0117.209] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="16") returned 2 [0117.209] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="E4") returned 2 [0117.209] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="52") returned 2 [0117.210] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="97") returned 2 [0117.210] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="00") returned 2 [0117.210] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="72") returned 2 [0117.210] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="C6") returned 2 [0117.210] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="AE") returned 2 [0117.210] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="B9") returned 2 [0117.210] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="16") returned 2 [0117.210] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="19") returned 2 [0117.210] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="DF") returned 2 [0117.210] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="A5") returned 2 [0117.210] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="73") returned 2 [0117.210] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="31") returned 2 [0117.210] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="95") returned 2 [0117.210] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="35") returned 2 [0117.210] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="5E") returned 2 [0117.210] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="21") returned 2 [0117.210] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="EB") returned 2 [0117.210] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="3B") returned 2 [0117.210] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="5C") returned 2 [0117.210] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="DD") returned 2 [0117.210] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="B7") returned 2 [0117.210] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="49") returned 2 [0117.228] lstrcpyW (in: lpString1=0x3b480d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\eventpage_bin_prod.js" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\eventpage_bin_prod.js") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\eventpage_bin_prod.js" [0117.229] lstrcpyW (in: lpString1=0x3b380d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\eventpage_bin_prod.js" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\eventpage_bin_prod.js") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\eventpage_bin_prod.js" [0117.229] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\eventpage_bin_prod.js", lpString2=".CB5C16A1058D9D16E452970072C6AEB91619DFA5733195355E21EB3B5CDDB749" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\eventpage_bin_prod.js.CB5C16A1058D9D16E452970072C6AEB91619DFA5733195355E21EB3B5CDDB749") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\eventpage_bin_prod.js.CB5C16A1058D9D16E452970072C6AEB91619DFA5733195355E21EB3B5CDDB749" [0117.229] CreateIoCompletionPort (FileHandle=0x1b0, ExistingCompletionPort=0x94, CompletionKey=0x3b380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0117.229] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b380a0, lpOverlapped=0x3b380a0) returned 1 [0117.230] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85dd4d90, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86012940, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x5b1, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="manifest.json", cAlternateFileName="MANIFE~1.JSO")) returned 1 [0117.230] lstrcmpiW (lpString1="manifest.json", lpString2="Windows") returned -1 [0117.230] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files") returned -1 [0117.230] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files (x86)") returned -1 [0117.230] lstrcmpiW (lpString1="manifest.json", lpString2="$Recycle.bin") returned 1 [0117.252] lstrcmpiW (lpString1="manifest.json", lpString2="System Volume Information") returned -1 [0117.252] lstrcmpiW (lpString1="manifest.json", lpString2=".") returned 1 [0117.252] lstrcmpiW (lpString1="manifest.json", lpString2="..") returned 1 [0117.252] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\manifest.json") returned 143 [0117.252] lstrcmpW (lpString1="manifest.json", lpString2="PUSSY.TXT") returned -1 [0117.252] PathFindExtensionW (pszPath="manifest.json") returned=".json" [0117.253] lstrlenW (lpString=".json") returned 5 [0117.253] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0117.253] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\manifest.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0117.253] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=1457) returned 1 [0117.253] GetProcessHeap () returned 0x4c0000 [0117.253] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3ca0008 [0117.262] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="FB") returned 2 [0117.262] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="90") returned 2 [0117.262] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="C6") returned 2 [0117.262] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="F6") returned 2 [0117.262] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="CB") returned 2 [0117.262] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="84") returned 2 [0117.262] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="41") returned 2 [0117.262] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="8C") returned 2 [0117.262] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="0D") returned 2 [0117.262] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="BA") returned 2 [0117.262] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="C2") returned 2 [0117.262] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="53") returned 2 [0117.262] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="FE") returned 2 [0117.262] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="B0") returned 2 [0117.262] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="D1") returned 2 [0117.262] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="E8") returned 2 [0117.262] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="F7") returned 2 [0117.262] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="C1") returned 2 [0117.262] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="A7") returned 2 [0117.262] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="E2") returned 2 [0117.263] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="79") returned 2 [0117.263] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="86") returned 2 [0117.263] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="21") returned 2 [0117.308] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="90") returned 2 [0117.308] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="96") returned 2 [0117.308] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="E8") returned 2 [0117.309] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="8C") returned 2 [0117.318] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="A1") returned 2 [0117.318] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="89") returned 2 [0117.318] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="70") returned 2 [0117.318] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="C8") returned 2 [0117.318] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="3E") returned 2 [0117.329] lstrcpyW (in: lpString1=0x3cb003c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\manifest.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\manifest.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\manifest.json" [0117.329] lstrcpyW (in: lpString1=0x3ca003c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\manifest.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\manifest.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\manifest.json" [0117.329] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\manifest.json", lpString2=".FB90C6F6CB84418C0DBAC253FEB0D1E8F7C1A7E27986219096E88CA18970C83E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\manifest.json.FB90C6F6CB84418C0DBAC253FEB0D1E8F7C1A7E27986219096E88CA18970C83E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\manifest.json.FB90C6F6CB84418C0DBAC253FEB0D1E8F7C1A7E27986219096E88CA18970C83E" [0117.329] CreateIoCompletionPort (FileHandle=0x17c, ExistingCompletionPort=0x94, CompletionKey=0x3ca0008, NumberOfConcurrentThreads=0x0) returned 0x94 [0117.329] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3ca0008, lpOverlapped=0x3ca0008) returned 1 [0117.330] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86012940, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86012940, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x47d5c900, ftLastWriteTime.dwHighDateTime=0x1d1781e, nFileSizeHigh=0x0, nFileSizeLow=0xe0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="page_embed_script.js", cAlternateFileName="PAGE_E~1.JS")) returned 1 [0117.330] lstrcmpiW (lpString1="page_embed_script.js", lpString2="Windows") returned -1 [0117.333] lstrcmpiW (lpString1="page_embed_script.js", lpString2="Program Files") returned -1 [0117.333] lstrcmpiW (lpString1="page_embed_script.js", lpString2="Program Files (x86)") returned -1 [0117.333] lstrcmpiW (lpString1="page_embed_script.js", lpString2="$Recycle.bin") returned 1 [0117.333] lstrcmpiW (lpString1="page_embed_script.js", lpString2="System Volume Information") returned -1 [0117.333] lstrcmpiW (lpString1="page_embed_script.js", lpString2=".") returned 1 [0117.333] lstrcmpiW (lpString1="page_embed_script.js", lpString2="..") returned 1 [0117.333] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\page_embed_script.js") returned 150 [0117.333] lstrcmpW (lpString1="page_embed_script.js", lpString2="PUSSY.TXT") returned -1 [0117.333] PathFindExtensionW (pszPath="page_embed_script.js") returned=".js" [0117.333] lstrlenW (lpString=".js") returned 3 [0117.333] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0117.333] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\page_embed_script.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\page_embed_script.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0117.334] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=224) returned 1 [0117.334] CloseHandle (hObject=0x184) returned 1 [0117.335] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85dd4d90, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fec7e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85fec7e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="_locales", cAlternateFileName="")) returned 1 [0117.335] lstrcmpiW (lpString1="_locales", lpString2="Windows") returned -1 [0117.335] lstrcmpiW (lpString1="_locales", lpString2="Program Files") returned -1 [0117.335] lstrcmpiW (lpString1="_locales", lpString2="Program Files (x86)") returned -1 [0117.335] lstrcmpiW (lpString1="_locales", lpString2="$Recycle.bin") returned 1 [0117.335] lstrcmpiW (lpString1="_locales", lpString2="System Volume Information") returned -1 [0117.335] lstrcmpiW (lpString1="_locales", lpString2=".") returned 1 [0117.335] lstrcmpiW (lpString1="_locales", lpString2="..") returned 1 [0117.335] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales") returned 138 [0117.335] GetProcessHeap () returned 0x4c0000 [0117.335] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0117.335] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales" [0117.335] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\*" [0117.335] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\*", lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85dd4d90, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fec7e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85fec7e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb71e0 [0117.337] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.337] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.337] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.337] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.337] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.337] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.337] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85dd4d90, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fec7e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85fec7e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0117.339] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.339] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.339] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.339] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.339] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.339] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.339] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.339] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85dd4d90, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85dd4d90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85dd4d90, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="af", cAlternateFileName="")) returned 1 [0117.339] lstrcmpiW (lpString1="af", lpString2="Windows") returned -1 [0117.339] lstrcmpiW (lpString1="af", lpString2="Program Files") returned -1 [0117.339] lstrcmpiW (lpString1="af", lpString2="Program Files (x86)") returned -1 [0117.339] lstrcmpiW (lpString1="af", lpString2="$Recycle.bin") returned 1 [0117.339] lstrcmpiW (lpString1="af", lpString2="System Volume Information") returned -1 [0117.339] lstrcmpiW (lpString1="af", lpString2=".") returned 1 [0117.339] lstrcmpiW (lpString1="af", lpString2="..") returned 1 [0117.339] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af") returned 141 [0117.339] GetProcessHeap () returned 0x4c0000 [0117.339] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b600f0 [0117.339] lstrcpyW (in: lpString1=0x3b600f0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af" [0117.339] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\*" [0117.339] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85dd4d90, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85dd4d90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85dd4d90, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.340] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.340] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.340] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.340] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.340] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.340] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.340] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85dd4d90, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85dd4d90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85dd4d90, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.341] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.341] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.341] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.341] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.341] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.341] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.341] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.341] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85dd4d90, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85dd4d90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x47d5c900, ftLastWriteTime.dwHighDateTime=0x1d1781e, nFileSizeHigh=0x0, nFileSizeLow=0x84, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.341] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.341] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.341] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.341] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.341] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.341] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.341] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.341] wnsprintfW (in: pszDest=0x3b600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\messages.json") returned 155 [0117.341] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.341] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.341] lstrlenW (lpString=".json") returned 5 [0117.341] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.341] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x198 [0117.342] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=132) returned 1 [0117.342] CloseHandle (hObject=0x198) returned 1 [0117.342] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85dd4d90, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85dd4d90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x47d5c900, ftLastWriteTime.dwHighDateTime=0x1d1781e, nFileSizeHigh=0x0, nFileSizeLow=0x84, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.342] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.342] wnsprintfW (in: pszDest=0x3b600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\PUSSY.TXT") returned 151 [0117.342] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x114 [0117.342] lstrlenA (lpString="abcd") returned 4 [0117.343] WriteFile (in: hFile=0x114, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.343] CloseHandle (hObject=0x114) returned 1 [0117.343] GetProcessHeap () returned 0x4c0000 [0117.343] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0117.344] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85dfaef0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85dfaef0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85dfaef0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="am", cAlternateFileName="")) returned 1 [0117.344] lstrcmpiW (lpString1="am", lpString2="Windows") returned -1 [0117.344] lstrcmpiW (lpString1="am", lpString2="Program Files") returned -1 [0117.344] lstrcmpiW (lpString1="am", lpString2="Program Files (x86)") returned -1 [0117.344] lstrcmpiW (lpString1="am", lpString2="$Recycle.bin") returned 1 [0117.344] lstrcmpiW (lpString1="am", lpString2="System Volume Information") returned -1 [0117.344] lstrcmpiW (lpString1="am", lpString2=".") returned 1 [0117.344] lstrcmpiW (lpString1="am", lpString2="..") returned 1 [0117.344] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am") returned 141 [0117.344] GetProcessHeap () returned 0x4c0000 [0117.344] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b600f0 [0117.344] lstrcpyW (in: lpString1=0x3b600f0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am" [0117.344] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\*" [0117.344] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85dfaef0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85dfaef0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85dfaef0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.344] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.344] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.344] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.344] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.344] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.344] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.345] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85dfaef0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85dfaef0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85dfaef0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.345] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.345] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.345] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.345] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.345] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.345] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.345] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.345] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85dfaef0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85dfbe90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x103, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.345] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.345] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.345] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.345] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.345] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.345] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.345] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.345] wnsprintfW (in: pszDest=0x3b600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\messages.json") returned 155 [0117.345] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.345] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.345] lstrlenW (lpString=".json") returned 5 [0117.345] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.345] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x198 [0117.346] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=259) returned 1 [0117.346] CloseHandle (hObject=0x198) returned 1 [0117.346] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85dfaef0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85dfbe90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x103, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.346] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.346] wnsprintfW (in: pszDest=0x3b600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\PUSSY.TXT") returned 151 [0117.346] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x114 [0117.346] lstrlenA (lpString="abcd") returned 4 [0117.346] WriteFile (in: hFile=0x114, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.347] CloseHandle (hObject=0x114) returned 1 [0117.347] GetProcessHeap () returned 0x4c0000 [0117.347] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0117.347] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85dfaef0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85dfaef0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85dfaef0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="ar", cAlternateFileName="")) returned 1 [0117.347] lstrcmpiW (lpString1="ar", lpString2="Windows") returned -1 [0117.348] lstrcmpiW (lpString1="ar", lpString2="Program Files") returned -1 [0117.348] lstrcmpiW (lpString1="ar", lpString2="Program Files (x86)") returned -1 [0117.348] lstrcmpiW (lpString1="ar", lpString2="$Recycle.bin") returned 1 [0117.348] lstrcmpiW (lpString1="ar", lpString2="System Volume Information") returned -1 [0117.348] lstrcmpiW (lpString1="ar", lpString2=".") returned 1 [0117.348] lstrcmpiW (lpString1="ar", lpString2="..") returned 1 [0117.348] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar") returned 141 [0117.348] GetProcessHeap () returned 0x4c0000 [0117.348] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b600f0 [0117.348] lstrcpyW (in: lpString1=0x3b600f0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar" [0117.348] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\*" [0117.348] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85dfaef0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85dfaef0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85dfaef0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.349] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.349] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.349] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.349] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.349] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.349] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.349] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85dfaef0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85dfaef0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85dfaef0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.349] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.349] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.349] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.349] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.349] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.349] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.349] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.349] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85dfaef0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85dfbe90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xed, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.349] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.349] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.349] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.349] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.349] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.349] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.349] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.349] wnsprintfW (in: pszDest=0x3b600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\messages.json") returned 155 [0117.349] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.349] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.349] lstrlenW (lpString=".json") returned 5 [0117.350] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.350] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x198 [0117.350] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=237) returned 1 [0117.350] CloseHandle (hObject=0x198) returned 1 [0117.350] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85dfaef0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85dfbe90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xed, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.350] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.350] wnsprintfW (in: pszDest=0x3b600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\PUSSY.TXT") returned 151 [0117.350] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x114 [0117.350] lstrlenA (lpString="abcd") returned 4 [0117.350] WriteFile (in: hFile=0x114, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.351] CloseHandle (hObject=0x114) returned 1 [0117.351] GetProcessHeap () returned 0x4c0000 [0117.351] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0117.351] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85dfaef0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85dfaef0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85dfaef0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="az", cAlternateFileName="")) returned 1 [0117.352] lstrcmpiW (lpString1="az", lpString2="Windows") returned -1 [0117.352] lstrcmpiW (lpString1="az", lpString2="Program Files") returned -1 [0117.352] lstrcmpiW (lpString1="az", lpString2="Program Files (x86)") returned -1 [0117.352] lstrcmpiW (lpString1="az", lpString2="$Recycle.bin") returned 1 [0117.352] lstrcmpiW (lpString1="az", lpString2="System Volume Information") returned -1 [0117.352] lstrcmpiW (lpString1="az", lpString2=".") returned 1 [0117.352] lstrcmpiW (lpString1="az", lpString2="..") returned 1 [0117.352] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az") returned 141 [0117.352] GetProcessHeap () returned 0x4c0000 [0117.352] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b600f0 [0117.352] lstrcpyW (in: lpString1=0x3b600f0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az" [0117.352] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\*" [0117.352] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85dfaef0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85dfaef0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85dfaef0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.352] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.352] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.352] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.352] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.352] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.352] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.352] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85dfaef0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85dfaef0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85dfaef0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.352] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.352] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.352] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.353] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.353] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.353] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.353] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.353] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85dfaef0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85dfbe90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x47d5c900, ftLastWriteTime.dwHighDateTime=0x1d1781e, nFileSizeHigh=0x0, nFileSizeLow=0xa7, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.353] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.353] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.353] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.353] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.353] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.353] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.353] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.353] wnsprintfW (in: pszDest=0x3b600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\messages.json") returned 155 [0117.353] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.353] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.353] lstrlenW (lpString=".json") returned 5 [0117.353] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.353] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x198 [0117.353] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=167) returned 1 [0117.353] CloseHandle (hObject=0x198) returned 1 [0117.353] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85dfaef0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85dfbe90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x47d5c900, ftLastWriteTime.dwHighDateTime=0x1d1781e, nFileSizeHigh=0x0, nFileSizeLow=0xa7, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.354] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.354] wnsprintfW (in: pszDest=0x3b600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\PUSSY.TXT") returned 151 [0117.354] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x114 [0117.354] lstrlenA (lpString="abcd") returned 4 [0117.354] WriteFile (in: hFile=0x114, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.355] CloseHandle (hObject=0x114) returned 1 [0117.355] GetProcessHeap () returned 0x4c0000 [0117.355] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0117.355] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85dfaef0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85dfaef0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85dfaef0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="bg", cAlternateFileName="")) returned 1 [0117.355] lstrcmpiW (lpString1="bg", lpString2="Windows") returned -1 [0117.355] lstrcmpiW (lpString1="bg", lpString2="Program Files") returned -1 [0117.356] lstrcmpiW (lpString1="bg", lpString2="Program Files (x86)") returned -1 [0117.356] lstrcmpiW (lpString1="bg", lpString2="$Recycle.bin") returned 1 [0117.356] lstrcmpiW (lpString1="bg", lpString2="System Volume Information") returned -1 [0117.356] lstrcmpiW (lpString1="bg", lpString2=".") returned 1 [0117.356] lstrcmpiW (lpString1="bg", lpString2="..") returned 1 [0117.356] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg") returned 141 [0117.356] GetProcessHeap () returned 0x4c0000 [0117.356] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b600f0 [0117.356] lstrcpyW (in: lpString1=0x3b600f0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg" [0117.356] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\*" [0117.356] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85dfaef0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85dfaef0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85dfaef0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.357] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.357] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.357] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.357] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.357] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.357] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.357] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85dfaef0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85dfaef0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85dfaef0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.357] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.357] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.357] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.357] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.357] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.357] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.357] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.357] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85dfaef0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85dfbe90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x114, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.357] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.358] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.358] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.358] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.358] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.358] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.358] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.358] wnsprintfW (in: pszDest=0x3b600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\messages.json") returned 155 [0117.358] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.358] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.358] lstrlenW (lpString=".json") returned 5 [0117.358] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.358] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x198 [0117.358] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=276) returned 1 [0117.359] CloseHandle (hObject=0x198) returned 1 [0117.359] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85dfaef0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85dfbe90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x114, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.359] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.359] wnsprintfW (in: pszDest=0x3b600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\PUSSY.TXT") returned 151 [0117.359] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x114 [0117.359] lstrlenA (lpString="abcd") returned 4 [0117.359] WriteFile (in: hFile=0x114, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.360] CloseHandle (hObject=0x114) returned 1 [0117.361] GetProcessHeap () returned 0x4c0000 [0117.361] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0117.361] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85dfaef0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85dfaef0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85dfaef0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="bn", cAlternateFileName="")) returned 1 [0117.361] lstrcmpiW (lpString1="bn", lpString2="Windows") returned -1 [0117.361] lstrcmpiW (lpString1="bn", lpString2="Program Files") returned -1 [0117.361] lstrcmpiW (lpString1="bn", lpString2="Program Files (x86)") returned -1 [0117.361] lstrcmpiW (lpString1="bn", lpString2="$Recycle.bin") returned 1 [0117.361] lstrcmpiW (lpString1="bn", lpString2="System Volume Information") returned -1 [0117.361] lstrcmpiW (lpString1="bn", lpString2=".") returned 1 [0117.361] lstrcmpiW (lpString1="bn", lpString2="..") returned 1 [0117.361] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn") returned 141 [0117.361] GetProcessHeap () returned 0x4c0000 [0117.361] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b600f0 [0117.361] lstrcpyW (in: lpString1=0x3b600f0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn" [0117.361] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\*" [0117.361] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85dfaef0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85dfaef0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85dfaef0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.362] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.362] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.362] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.362] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.362] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.362] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.362] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85dfaef0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85dfaef0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85dfaef0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.362] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.362] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.362] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.362] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.362] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.362] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.362] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.362] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85dfaef0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85dfbe90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x14b, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.362] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.362] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.362] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.362] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.362] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.362] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.362] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.362] wnsprintfW (in: pszDest=0x3b600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\messages.json") returned 155 [0117.362] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.362] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.363] lstrlenW (lpString=".json") returned 5 [0117.363] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.363] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x198 [0117.363] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=331) returned 1 [0117.363] CloseHandle (hObject=0x198) returned 1 [0117.363] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85dfaef0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85dfbe90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x14b, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.363] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.363] wnsprintfW (in: pszDest=0x3b600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\PUSSY.TXT") returned 151 [0117.363] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x114 [0117.364] lstrlenA (lpString="abcd") returned 4 [0117.364] WriteFile (in: hFile=0x114, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.365] CloseHandle (hObject=0x114) returned 1 [0117.365] GetProcessHeap () returned 0x4c0000 [0117.365] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0117.365] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85dfaef0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85dfaef0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85dfaef0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="ca", cAlternateFileName="")) returned 1 [0117.365] lstrcmpiW (lpString1="ca", lpString2="Windows") returned -1 [0117.365] lstrcmpiW (lpString1="ca", lpString2="Program Files") returned -1 [0117.365] lstrcmpiW (lpString1="ca", lpString2="Program Files (x86)") returned -1 [0117.365] lstrcmpiW (lpString1="ca", lpString2="$Recycle.bin") returned 1 [0117.366] lstrcmpiW (lpString1="ca", lpString2="System Volume Information") returned -1 [0117.366] lstrcmpiW (lpString1="ca", lpString2=".") returned 1 [0117.366] lstrcmpiW (lpString1="ca", lpString2="..") returned 1 [0117.366] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca") returned 141 [0117.366] GetProcessHeap () returned 0x4c0000 [0117.366] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b600f0 [0117.366] lstrcpyW (in: lpString1=0x3b600f0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca" [0117.366] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\*" [0117.366] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85dfaef0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85dfaef0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85dfaef0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.367] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.367] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.367] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.367] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.367] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.367] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.367] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85dfaef0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85dfaef0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85dfaef0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.367] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.367] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.367] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.367] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.367] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.367] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.368] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.368] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85dfaef0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85dfbe90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xcf, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.368] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.368] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.368] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.368] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.368] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.368] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.368] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.368] wnsprintfW (in: pszDest=0x3b600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\messages.json") returned 155 [0117.368] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.368] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.368] lstrlenW (lpString=".json") returned 5 [0117.368] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.368] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x198 [0117.369] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=207) returned 1 [0117.369] CloseHandle (hObject=0x198) returned 1 [0117.369] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85dfaef0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85dfbe90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xcf, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.369] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.369] wnsprintfW (in: pszDest=0x3b600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\PUSSY.TXT") returned 151 [0117.369] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x114 [0117.370] lstrlenA (lpString="abcd") returned 4 [0117.370] WriteFile (in: hFile=0x114, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.371] CloseHandle (hObject=0x114) returned 1 [0117.371] GetProcessHeap () returned 0x4c0000 [0117.371] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0117.371] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e23760, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e23760, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e23760, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="cs", cAlternateFileName="")) returned 1 [0117.371] lstrcmpiW (lpString1="cs", lpString2="Windows") returned -1 [0117.371] lstrcmpiW (lpString1="cs", lpString2="Program Files") returned -1 [0117.371] lstrcmpiW (lpString1="cs", lpString2="Program Files (x86)") returned -1 [0117.371] lstrcmpiW (lpString1="cs", lpString2="$Recycle.bin") returned 1 [0117.371] lstrcmpiW (lpString1="cs", lpString2="System Volume Information") returned -1 [0117.371] lstrcmpiW (lpString1="cs", lpString2=".") returned 1 [0117.371] lstrcmpiW (lpString1="cs", lpString2="..") returned 1 [0117.371] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs") returned 141 [0117.371] GetProcessHeap () returned 0x4c0000 [0117.371] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b600f0 [0117.371] lstrcpyW (in: lpString1=0x3b600f0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs" [0117.372] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\*" [0117.372] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e23760, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e23760, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e23760, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.372] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.372] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.372] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.372] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.372] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.372] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.372] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e23760, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e23760, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e23760, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.372] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.372] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.372] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.372] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.372] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.372] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.372] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.373] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85e23760, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e256a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xad, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.373] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.373] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.373] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.373] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.373] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.373] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.373] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.373] wnsprintfW (in: pszDest=0x3b600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\messages.json") returned 155 [0117.373] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.373] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.373] lstrlenW (lpString=".json") returned 5 [0117.373] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.373] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x198 [0117.374] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=173) returned 1 [0117.374] CloseHandle (hObject=0x198) returned 1 [0117.374] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85e23760, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e256a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xad, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.374] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.374] wnsprintfW (in: pszDest=0x3b600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\PUSSY.TXT") returned 151 [0117.374] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x114 [0117.374] lstrlenA (lpString="abcd") returned 4 [0117.375] WriteFile (in: hFile=0x114, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.376] CloseHandle (hObject=0x114) returned 1 [0117.376] GetProcessHeap () returned 0x4c0000 [0117.376] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0117.376] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e23760, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e23760, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e23760, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="da", cAlternateFileName="")) returned 1 [0117.376] lstrcmpiW (lpString1="da", lpString2="Windows") returned -1 [0117.376] lstrcmpiW (lpString1="da", lpString2="Program Files") returned -1 [0117.376] lstrcmpiW (lpString1="da", lpString2="Program Files (x86)") returned -1 [0117.376] lstrcmpiW (lpString1="da", lpString2="$Recycle.bin") returned 1 [0117.376] lstrcmpiW (lpString1="da", lpString2="System Volume Information") returned -1 [0117.376] lstrcmpiW (lpString1="da", lpString2=".") returned 1 [0117.376] lstrcmpiW (lpString1="da", lpString2="..") returned 1 [0117.376] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da") returned 141 [0117.376] GetProcessHeap () returned 0x4c0000 [0117.376] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b600f0 [0117.376] lstrcpyW (in: lpString1=0x3b600f0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da" [0117.376] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\*" [0117.376] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e23760, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e23760, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e23760, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.377] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.377] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.377] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.377] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.377] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.377] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.377] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e23760, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e23760, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e23760, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.377] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.377] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.377] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.377] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.377] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.377] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.377] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.378] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85e23760, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e256a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xac, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.378] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.378] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.378] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.378] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.378] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.378] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.378] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.378] wnsprintfW (in: pszDest=0x3b600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\messages.json") returned 155 [0117.378] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.378] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.378] lstrlenW (lpString=".json") returned 5 [0117.378] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.378] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x198 [0117.378] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=172) returned 1 [0117.378] CloseHandle (hObject=0x198) returned 1 [0117.378] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85e23760, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e256a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xac, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.379] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.379] wnsprintfW (in: pszDest=0x3b600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\PUSSY.TXT") returned 151 [0117.379] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x114 [0117.379] lstrlenA (lpString="abcd") returned 4 [0117.379] WriteFile (in: hFile=0x114, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.380] CloseHandle (hObject=0x114) returned 1 [0117.380] GetProcessHeap () returned 0x4c0000 [0117.380] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0117.380] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e23760, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e23760, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e23760, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="de", cAlternateFileName="")) returned 1 [0117.381] lstrcmpiW (lpString1="de", lpString2="Windows") returned -1 [0117.381] lstrcmpiW (lpString1="de", lpString2="Program Files") returned -1 [0117.381] lstrcmpiW (lpString1="de", lpString2="Program Files (x86)") returned -1 [0117.381] lstrcmpiW (lpString1="de", lpString2="$Recycle.bin") returned 1 [0117.381] lstrcmpiW (lpString1="de", lpString2="System Volume Information") returned -1 [0117.381] lstrcmpiW (lpString1="de", lpString2=".") returned 1 [0117.381] lstrcmpiW (lpString1="de", lpString2="..") returned 1 [0117.381] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de") returned 141 [0117.381] GetProcessHeap () returned 0x4c0000 [0117.381] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b600f0 [0117.381] lstrcpyW (in: lpString1=0x3b600f0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de" [0117.381] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\*" [0117.381] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e23760, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e23760, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e23760, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.381] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.381] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.381] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.381] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.381] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.381] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.381] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e23760, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e23760, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e23760, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.381] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.381] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.382] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.382] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.382] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.382] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.382] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.382] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85e23760, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e256a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xc1, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.382] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.382] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.382] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.382] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.382] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.382] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.382] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.382] wnsprintfW (in: pszDest=0x3b600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\messages.json") returned 155 [0117.382] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.382] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.382] lstrlenW (lpString=".json") returned 5 [0117.382] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.382] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x198 [0117.382] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=193) returned 1 [0117.382] CloseHandle (hObject=0x198) returned 1 [0117.383] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85e23760, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e256a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xc1, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.383] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.383] wnsprintfW (in: pszDest=0x3b600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\PUSSY.TXT") returned 151 [0117.383] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x114 [0117.383] lstrlenA (lpString="abcd") returned 4 [0117.383] WriteFile (in: hFile=0x114, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.384] CloseHandle (hObject=0x114) returned 1 [0117.384] GetProcessHeap () returned 0x4c0000 [0117.384] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0117.384] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e23760, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e23760, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e23760, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="el", cAlternateFileName="")) returned 1 [0117.384] lstrcmpiW (lpString1="el", lpString2="Windows") returned -1 [0117.384] lstrcmpiW (lpString1="el", lpString2="Program Files") returned -1 [0117.384] lstrcmpiW (lpString1="el", lpString2="Program Files (x86)") returned -1 [0117.384] lstrcmpiW (lpString1="el", lpString2="$Recycle.bin") returned 1 [0117.384] lstrcmpiW (lpString1="el", lpString2="System Volume Information") returned -1 [0117.384] lstrcmpiW (lpString1="el", lpString2=".") returned 1 [0117.384] lstrcmpiW (lpString1="el", lpString2="..") returned 1 [0117.384] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el") returned 141 [0117.384] GetProcessHeap () returned 0x4c0000 [0117.384] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b600f0 [0117.385] lstrcpyW (in: lpString1=0x3b600f0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el" [0117.385] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\*" [0117.385] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e23760, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e23760, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e23760, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.385] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.386] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.386] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.386] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.386] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.386] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.386] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e23760, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e23760, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e23760, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.386] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.386] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.386] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.386] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.386] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.386] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.386] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.386] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85e23760, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e256a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x12a, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.386] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.386] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.386] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.386] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.386] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.386] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.386] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.386] wnsprintfW (in: pszDest=0x3b600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\messages.json") returned 155 [0117.386] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.386] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.386] lstrlenW (lpString=".json") returned 5 [0117.386] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.386] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x198 [0117.387] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=298) returned 1 [0117.387] CloseHandle (hObject=0x198) returned 1 [0117.387] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85e23760, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e256a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x12a, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.387] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.387] wnsprintfW (in: pszDest=0x3b600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\PUSSY.TXT") returned 151 [0117.387] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x114 [0117.387] lstrlenA (lpString="abcd") returned 4 [0117.387] WriteFile (in: hFile=0x114, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.388] CloseHandle (hObject=0x114) returned 1 [0117.388] GetProcessHeap () returned 0x4c0000 [0117.388] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0117.388] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e23760, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e23760, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e23760, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="en_GB", cAlternateFileName="")) returned 1 [0117.389] lstrcmpiW (lpString1="en_GB", lpString2="Windows") returned -1 [0117.389] lstrcmpiW (lpString1="en_GB", lpString2="Program Files") returned -1 [0117.389] lstrcmpiW (lpString1="en_GB", lpString2="Program Files (x86)") returned -1 [0117.389] lstrcmpiW (lpString1="en_GB", lpString2="$Recycle.bin") returned 1 [0117.389] lstrcmpiW (lpString1="en_GB", lpString2="System Volume Information") returned -1 [0117.389] lstrcmpiW (lpString1="en_GB", lpString2=".") returned 1 [0117.389] lstrcmpiW (lpString1="en_GB", lpString2="..") returned 1 [0117.389] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB") returned 144 [0117.389] GetProcessHeap () returned 0x4c0000 [0117.389] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b600f0 [0117.389] lstrcpyW (in: lpString1=0x3b600f0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB" [0117.389] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB\\*" [0117.389] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e23760, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e23760, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e23760, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.389] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.389] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.389] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.389] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.389] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.390] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.390] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e23760, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e23760, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e23760, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.390] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.390] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.390] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.390] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.390] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.390] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.390] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.390] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85e23760, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e256a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb2, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.390] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.390] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.390] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.390] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.390] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.390] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.390] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.390] wnsprintfW (in: pszDest=0x3b600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB\\messages.json") returned 158 [0117.390] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.390] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.390] lstrlenW (lpString=".json") returned 5 [0117.390] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.390] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_gb\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x198 [0117.391] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=178) returned 1 [0117.391] CloseHandle (hObject=0x198) returned 1 [0117.391] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85e23760, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e256a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb2, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.391] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.391] wnsprintfW (in: pszDest=0x3b600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB\\PUSSY.TXT") returned 154 [0117.391] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_gb\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x114 [0117.392] lstrlenA (lpString="abcd") returned 4 [0117.392] WriteFile (in: hFile=0x114, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.393] CloseHandle (hObject=0x114) returned 1 [0117.393] GetProcessHeap () returned 0x4c0000 [0117.393] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0117.393] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e23760, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e498c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e498c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="en_US", cAlternateFileName="")) returned 1 [0117.393] lstrcmpiW (lpString1="en_US", lpString2="Windows") returned -1 [0117.393] lstrcmpiW (lpString1="en_US", lpString2="Program Files") returned -1 [0117.393] lstrcmpiW (lpString1="en_US", lpString2="Program Files (x86)") returned -1 [0117.393] lstrcmpiW (lpString1="en_US", lpString2="$Recycle.bin") returned 1 [0117.393] lstrcmpiW (lpString1="en_US", lpString2="System Volume Information") returned -1 [0117.393] lstrcmpiW (lpString1="en_US", lpString2=".") returned 1 [0117.393] lstrcmpiW (lpString1="en_US", lpString2="..") returned 1 [0117.393] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US") returned 144 [0117.393] GetProcessHeap () returned 0x4c0000 [0117.393] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b600f0 [0117.393] lstrcpyW (in: lpString1=0x3b600f0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US" [0117.393] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US\\*" [0117.394] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e23760, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e498c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e498c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.395] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.395] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.395] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.395] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.395] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.395] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.395] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e23760, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e498c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e498c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.395] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.395] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.395] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.395] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.395] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.395] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.395] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.395] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85e498c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e4a090, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x109, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.395] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.395] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.395] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.395] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.395] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.395] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.395] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.396] wnsprintfW (in: pszDest=0x3b600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US\\messages.json") returned 158 [0117.396] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.396] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.396] lstrlenW (lpString=".json") returned 5 [0117.396] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.396] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_us\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x198 [0117.396] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=265) returned 1 [0117.396] CloseHandle (hObject=0x198) returned 1 [0117.396] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85e498c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e4a090, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x109, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.396] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.396] wnsprintfW (in: pszDest=0x3b600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US\\PUSSY.TXT") returned 154 [0117.397] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_us\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x114 [0117.397] lstrlenA (lpString="abcd") returned 4 [0117.397] WriteFile (in: hFile=0x114, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.398] CloseHandle (hObject=0x114) returned 1 [0117.398] GetProcessHeap () returned 0x4c0000 [0117.398] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0117.398] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e498c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e498c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e498c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="es", cAlternateFileName="")) returned 1 [0117.398] lstrcmpiW (lpString1="es", lpString2="Windows") returned -1 [0117.398] lstrcmpiW (lpString1="es", lpString2="Program Files") returned -1 [0117.398] lstrcmpiW (lpString1="es", lpString2="Program Files (x86)") returned -1 [0117.398] lstrcmpiW (lpString1="es", lpString2="$Recycle.bin") returned 1 [0117.399] lstrcmpiW (lpString1="es", lpString2="System Volume Information") returned -1 [0117.399] lstrcmpiW (lpString1="es", lpString2=".") returned 1 [0117.399] lstrcmpiW (lpString1="es", lpString2="..") returned 1 [0117.399] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es") returned 141 [0117.399] GetProcessHeap () returned 0x4c0000 [0117.399] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b600f0 [0117.399] lstrcpyW (in: lpString1=0x3b600f0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es" [0117.399] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\*" [0117.399] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e498c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e498c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e498c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.399] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.399] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.399] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.399] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.399] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.399] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.399] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e498c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e498c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e498c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.399] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.399] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.399] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.400] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.400] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.400] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.400] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.400] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85e498c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e4a090, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xcc, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.400] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.400] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.400] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.400] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.400] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.400] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.400] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.400] wnsprintfW (in: pszDest=0x3b600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\messages.json") returned 155 [0117.400] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.400] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.400] lstrlenW (lpString=".json") returned 5 [0117.400] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.400] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x198 [0117.400] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=204) returned 1 [0117.400] CloseHandle (hObject=0x198) returned 1 [0117.400] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85e498c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e4a090, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xcc, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.401] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.401] wnsprintfW (in: pszDest=0x3b600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\PUSSY.TXT") returned 151 [0117.401] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x114 [0117.401] lstrlenA (lpString="abcd") returned 4 [0117.401] WriteFile (in: hFile=0x114, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.402] CloseHandle (hObject=0x114) returned 1 [0117.402] GetProcessHeap () returned 0x4c0000 [0117.402] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0117.402] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e498c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e498c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e498c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="es_419", cAlternateFileName="")) returned 1 [0117.402] lstrcmpiW (lpString1="es_419", lpString2="Windows") returned -1 [0117.402] lstrcmpiW (lpString1="es_419", lpString2="Program Files") returned -1 [0117.402] lstrcmpiW (lpString1="es_419", lpString2="Program Files (x86)") returned -1 [0117.402] lstrcmpiW (lpString1="es_419", lpString2="$Recycle.bin") returned 1 [0117.402] lstrcmpiW (lpString1="es_419", lpString2="System Volume Information") returned -1 [0117.402] lstrcmpiW (lpString1="es_419", lpString2=".") returned 1 [0117.402] lstrcmpiW (lpString1="es_419", lpString2="..") returned 1 [0117.402] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419") returned 145 [0117.402] GetProcessHeap () returned 0x4c0000 [0117.402] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b600f0 [0117.402] lstrcpyW (in: lpString1=0x3b600f0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419" [0117.402] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\*" [0117.402] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e498c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e498c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e498c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.403] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.403] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.403] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.403] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.403] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.403] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.403] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e498c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e498c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e498c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.404] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.404] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.404] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.404] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.404] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.404] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.404] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.404] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85e498c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e4a090, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.404] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.404] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.404] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.404] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.404] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.404] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.404] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.404] wnsprintfW (in: pszDest=0x3b600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\messages.json") returned 159 [0117.404] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.404] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.404] lstrlenW (lpString=".json") returned 5 [0117.404] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.404] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x198 [0117.404] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=227) returned 1 [0117.404] CloseHandle (hObject=0x198) returned 1 [0117.405] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85e498c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e4a090, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.405] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.405] wnsprintfW (in: pszDest=0x3b600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\PUSSY.TXT") returned 155 [0117.405] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x114 [0117.405] lstrlenA (lpString="abcd") returned 4 [0117.405] WriteFile (in: hFile=0x114, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.406] CloseHandle (hObject=0x114) returned 1 [0117.406] GetProcessHeap () returned 0x4c0000 [0117.406] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0117.406] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e498c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e498c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e498c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="et", cAlternateFileName="")) returned 1 [0117.406] lstrcmpiW (lpString1="et", lpString2="Windows") returned -1 [0117.406] lstrcmpiW (lpString1="et", lpString2="Program Files") returned -1 [0117.406] lstrcmpiW (lpString1="et", lpString2="Program Files (x86)") returned -1 [0117.406] lstrcmpiW (lpString1="et", lpString2="$Recycle.bin") returned 1 [0117.406] lstrcmpiW (lpString1="et", lpString2="System Volume Information") returned -1 [0117.406] lstrcmpiW (lpString1="et", lpString2=".") returned 1 [0117.406] lstrcmpiW (lpString1="et", lpString2="..") returned 1 [0117.406] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et") returned 141 [0117.406] GetProcessHeap () returned 0x4c0000 [0117.406] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b600f0 [0117.406] lstrcpyW (in: lpString1=0x3b600f0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et" [0117.407] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\*" [0117.407] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e498c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e498c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e498c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.407] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.407] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.407] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.407] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.407] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.407] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.407] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e498c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e498c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e498c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.407] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.407] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.407] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.407] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.407] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.407] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.407] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.407] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85e498c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e4a090, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd4, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.407] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.407] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.407] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.407] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.407] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.407] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.407] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.407] wnsprintfW (in: pszDest=0x3b600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\messages.json") returned 155 [0117.408] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.408] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.408] lstrlenW (lpString=".json") returned 5 [0117.408] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.408] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x198 [0117.408] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=212) returned 1 [0117.408] CloseHandle (hObject=0x198) returned 1 [0117.408] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85e498c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e4a090, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd4, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.408] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.408] wnsprintfW (in: pszDest=0x3b600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\PUSSY.TXT") returned 151 [0117.408] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x114 [0117.409] lstrlenA (lpString="abcd") returned 4 [0117.409] WriteFile (in: hFile=0x114, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.410] CloseHandle (hObject=0x114) returned 1 [0117.410] GetProcessHeap () returned 0x4c0000 [0117.410] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0117.410] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e498c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e498c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e498c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="eu", cAlternateFileName="")) returned 1 [0117.410] lstrcmpiW (lpString1="eu", lpString2="Windows") returned -1 [0117.410] lstrcmpiW (lpString1="eu", lpString2="Program Files") returned -1 [0117.410] lstrcmpiW (lpString1="eu", lpString2="Program Files (x86)") returned -1 [0117.410] lstrcmpiW (lpString1="eu", lpString2="$Recycle.bin") returned 1 [0117.410] lstrcmpiW (lpString1="eu", lpString2="System Volume Information") returned -1 [0117.410] lstrcmpiW (lpString1="eu", lpString2=".") returned 1 [0117.410] lstrcmpiW (lpString1="eu", lpString2="..") returned 1 [0117.410] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu") returned 141 [0117.410] GetProcessHeap () returned 0x4c0000 [0117.410] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b600f0 [0117.410] lstrcpyW (in: lpString1=0x3b600f0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu" [0117.410] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\*" [0117.410] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e498c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e498c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e498c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.411] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.411] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.411] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.411] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.411] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.411] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.411] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e498c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e498c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e498c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.411] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.411] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.411] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.411] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.411] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.411] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.411] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.411] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85e498c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e4a090, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x47d5c900, ftLastWriteTime.dwHighDateTime=0x1d1781e, nFileSizeHigh=0x0, nFileSizeLow=0x98, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.411] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.412] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.412] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.412] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.412] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.412] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.412] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.412] wnsprintfW (in: pszDest=0x3b600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\messages.json") returned 155 [0117.412] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.412] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.412] lstrlenW (lpString=".json") returned 5 [0117.412] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.412] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x198 [0117.412] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=152) returned 1 [0117.412] CloseHandle (hObject=0x198) returned 1 [0117.412] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85e498c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e4a090, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x47d5c900, ftLastWriteTime.dwHighDateTime=0x1d1781e, nFileSizeHigh=0x0, nFileSizeLow=0x98, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.412] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.412] wnsprintfW (in: pszDest=0x3b600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\PUSSY.TXT") returned 151 [0117.412] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x114 [0117.413] lstrlenA (lpString="abcd") returned 4 [0117.413] WriteFile (in: hFile=0x114, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.414] CloseHandle (hObject=0x114) returned 1 [0117.414] GetProcessHeap () returned 0x4c0000 [0117.414] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0117.414] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e498c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e498c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e498c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="fa", cAlternateFileName="")) returned 1 [0117.414] lstrcmpiW (lpString1="fa", lpString2="Windows") returned -1 [0117.414] lstrcmpiW (lpString1="fa", lpString2="Program Files") returned -1 [0117.414] lstrcmpiW (lpString1="fa", lpString2="Program Files (x86)") returned -1 [0117.414] lstrcmpiW (lpString1="fa", lpString2="$Recycle.bin") returned 1 [0117.414] lstrcmpiW (lpString1="fa", lpString2="System Volume Information") returned -1 [0117.414] lstrcmpiW (lpString1="fa", lpString2=".") returned 1 [0117.414] lstrcmpiW (lpString1="fa", lpString2="..") returned 1 [0117.414] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa") returned 141 [0117.414] GetProcessHeap () returned 0x4c0000 [0117.414] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b600f0 [0117.414] lstrcpyW (in: lpString1=0x3b600f0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa" [0117.414] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\*" [0117.414] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e498c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e498c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e498c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.414] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.415] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.415] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.415] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.415] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.415] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.415] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e498c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e498c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e498c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.415] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.415] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.415] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.415] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.415] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.415] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.415] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.415] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85e498c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e4a090, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xff, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.415] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.415] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.415] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.415] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.415] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.415] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.415] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.415] wnsprintfW (in: pszDest=0x3b600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\messages.json") returned 155 [0117.415] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.415] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.415] lstrlenW (lpString=".json") returned 5 [0117.415] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.415] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x198 [0117.416] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=255) returned 1 [0117.416] CloseHandle (hObject=0x198) returned 1 [0117.416] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85e498c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e4a090, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xff, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.416] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.416] wnsprintfW (in: pszDest=0x3b600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\PUSSY.TXT") returned 151 [0117.416] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x114 [0117.416] lstrlenA (lpString="abcd") returned 4 [0117.416] WriteFile (in: hFile=0x114, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.417] CloseHandle (hObject=0x114) returned 1 [0117.417] GetProcessHeap () returned 0x4c0000 [0117.417] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0117.417] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e498c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e6fa20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e6fa20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="fi", cAlternateFileName="")) returned 1 [0117.417] lstrcmpiW (lpString1="fi", lpString2="Windows") returned -1 [0117.417] lstrcmpiW (lpString1="fi", lpString2="Program Files") returned -1 [0117.417] lstrcmpiW (lpString1="fi", lpString2="Program Files (x86)") returned -1 [0117.417] lstrcmpiW (lpString1="fi", lpString2="$Recycle.bin") returned 1 [0117.417] lstrcmpiW (lpString1="fi", lpString2="System Volume Information") returned -1 [0117.417] lstrcmpiW (lpString1="fi", lpString2=".") returned 1 [0117.418] lstrcmpiW (lpString1="fi", lpString2="..") returned 1 [0117.418] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi") returned 141 [0117.418] GetProcessHeap () returned 0x4c0000 [0117.418] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b600f0 [0117.418] lstrcpyW (in: lpString1=0x3b600f0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi" [0117.418] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\*" [0117.418] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e498c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e6fa20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e6fa20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.418] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.419] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.419] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.419] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.419] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.419] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.419] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e498c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e6fa20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e6fa20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.419] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.419] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.419] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.419] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.419] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.419] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.419] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.419] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85e6fa20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e71190, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb7, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.419] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.419] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.419] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.419] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.419] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.419] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.419] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.419] wnsprintfW (in: pszDest=0x3b600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\messages.json") returned 155 [0117.419] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.419] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.419] lstrlenW (lpString=".json") returned 5 [0117.419] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.419] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x198 [0117.420] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=183) returned 1 [0117.420] CloseHandle (hObject=0x198) returned 1 [0117.420] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85e6fa20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e71190, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb7, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.420] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.420] wnsprintfW (in: pszDest=0x3b600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\PUSSY.TXT") returned 151 [0117.420] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x114 [0117.420] lstrlenA (lpString="abcd") returned 4 [0117.420] WriteFile (in: hFile=0x114, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.421] CloseHandle (hObject=0x114) returned 1 [0117.421] GetProcessHeap () returned 0x4c0000 [0117.421] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0117.421] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e6fa20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e6fa20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e6fa20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="fil", cAlternateFileName="")) returned 1 [0117.421] lstrcmpiW (lpString1="fil", lpString2="Windows") returned -1 [0117.421] lstrcmpiW (lpString1="fil", lpString2="Program Files") returned -1 [0117.421] lstrcmpiW (lpString1="fil", lpString2="Program Files (x86)") returned -1 [0117.421] lstrcmpiW (lpString1="fil", lpString2="$Recycle.bin") returned 1 [0117.422] lstrcmpiW (lpString1="fil", lpString2="System Volume Information") returned -1 [0117.422] lstrcmpiW (lpString1="fil", lpString2=".") returned 1 [0117.422] lstrcmpiW (lpString1="fil", lpString2="..") returned 1 [0117.422] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil") returned 142 [0117.422] GetProcessHeap () returned 0x4c0000 [0117.422] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b600f0 [0117.422] lstrcpyW (in: lpString1=0x3b600f0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil" [0117.422] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\*" [0117.422] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e6fa20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e6fa20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e6fa20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.422] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.422] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.422] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.422] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.422] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.422] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.422] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e6fa20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e6fa20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e6fa20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.422] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.422] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.422] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.422] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.422] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.422] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.422] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.422] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85e6fa20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e71190, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xc7, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.422] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.423] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.423] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.423] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.423] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.423] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.423] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.423] wnsprintfW (in: pszDest=0x3b600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\messages.json") returned 156 [0117.423] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.423] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.423] lstrlenW (lpString=".json") returned 5 [0117.423] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.423] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x198 [0117.423] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=199) returned 1 [0117.423] CloseHandle (hObject=0x198) returned 1 [0117.423] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85e6fa20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e71190, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xc7, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.423] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.423] wnsprintfW (in: pszDest=0x3b600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\PUSSY.TXT") returned 152 [0117.423] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x114 [0117.424] lstrlenA (lpString="abcd") returned 4 [0117.424] WriteFile (in: hFile=0x114, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.425] CloseHandle (hObject=0x114) returned 1 [0117.425] GetProcessHeap () returned 0x4c0000 [0117.425] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0117.425] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e6fa20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e6fa20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e6fa20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="fr", cAlternateFileName="")) returned 1 [0117.425] lstrcmpiW (lpString1="fr", lpString2="Windows") returned -1 [0117.425] lstrcmpiW (lpString1="fr", lpString2="Program Files") returned -1 [0117.425] lstrcmpiW (lpString1="fr", lpString2="Program Files (x86)") returned -1 [0117.425] lstrcmpiW (lpString1="fr", lpString2="$Recycle.bin") returned 1 [0117.425] lstrcmpiW (lpString1="fr", lpString2="System Volume Information") returned -1 [0117.425] lstrcmpiW (lpString1="fr", lpString2=".") returned 1 [0117.425] lstrcmpiW (lpString1="fr", lpString2="..") returned 1 [0117.425] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr") returned 141 [0117.425] GetProcessHeap () returned 0x4c0000 [0117.425] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b600f0 [0117.425] lstrcpyW (in: lpString1=0x3b600f0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr" [0117.425] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\*" [0117.425] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e6fa20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e6fa20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e6fa20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.430] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.430] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.430] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.430] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.430] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.431] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.431] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e6fa20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e6fa20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e6fa20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.431] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.431] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.431] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.431] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.431] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.431] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.431] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.431] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85e6fa20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e71190, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xbb, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.431] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.431] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.431] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.431] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.431] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.431] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.431] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.431] wnsprintfW (in: pszDest=0x3b600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\messages.json") returned 155 [0117.431] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.431] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.431] lstrlenW (lpString=".json") returned 5 [0117.431] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.431] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0117.432] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=187) returned 1 [0117.432] CloseHandle (hObject=0x1b0) returned 1 [0117.432] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85e6fa20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e71190, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xbb, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.432] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.432] wnsprintfW (in: pszDest=0x3b600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\PUSSY.TXT") returned 151 [0117.432] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.451] lstrlenA (lpString="abcd") returned 4 [0117.451] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.452] CloseHandle (hObject=0x1b0) returned 1 [0117.452] GetProcessHeap () returned 0x4c0000 [0117.452] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0117.453] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e6fa20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e6fa20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e6fa20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="fr_CA", cAlternateFileName="")) returned 1 [0117.454] lstrcmpiW (lpString1="fr_CA", lpString2="Windows") returned -1 [0117.454] lstrcmpiW (lpString1="fr_CA", lpString2="Program Files") returned -1 [0117.454] lstrcmpiW (lpString1="fr_CA", lpString2="Program Files (x86)") returned -1 [0117.454] lstrcmpiW (lpString1="fr_CA", lpString2="$Recycle.bin") returned 1 [0117.454] lstrcmpiW (lpString1="fr_CA", lpString2="System Volume Information") returned -1 [0117.454] lstrcmpiW (lpString1="fr_CA", lpString2=".") returned 1 [0117.454] lstrcmpiW (lpString1="fr_CA", lpString2="..") returned 1 [0117.454] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA") returned 144 [0117.454] GetProcessHeap () returned 0x4c0000 [0117.454] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.455] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA" [0117.455] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA\\*" [0117.455] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e6fa20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e6fa20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e6fa20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.456] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.456] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.456] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.456] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.456] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.456] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.456] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e6fa20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e6fa20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e6fa20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.457] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.457] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.457] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.457] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.457] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.457] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.457] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.457] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85e6fa20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e71190, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd2, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.457] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.457] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.457] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.457] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.457] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.457] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.457] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.457] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA\\messages.json") returned 158 [0117.459] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.459] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.459] lstrlenW (lpString=".json") returned 5 [0117.459] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.459] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_ca\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0117.459] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=210) returned 1 [0117.459] CloseHandle (hObject=0x17c) returned 1 [0117.459] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85e6fa20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e71190, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd2, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.459] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.460] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA\\PUSSY.TXT") returned 154 [0117.460] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_ca\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.460] lstrlenA (lpString="abcd") returned 4 [0117.460] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.461] CloseHandle (hObject=0x1b0) returned 1 [0117.461] GetProcessHeap () returned 0x4c0000 [0117.461] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.461] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e95b80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e95b80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e95b80, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="gl", cAlternateFileName="")) returned 1 [0117.462] lstrcmpiW (lpString1="gl", lpString2="Windows") returned -1 [0117.462] lstrcmpiW (lpString1="gl", lpString2="Program Files") returned -1 [0117.462] lstrcmpiW (lpString1="gl", lpString2="Program Files (x86)") returned -1 [0117.462] lstrcmpiW (lpString1="gl", lpString2="$Recycle.bin") returned 1 [0117.462] lstrcmpiW (lpString1="gl", lpString2="System Volume Information") returned -1 [0117.462] lstrcmpiW (lpString1="gl", lpString2=".") returned 1 [0117.462] lstrcmpiW (lpString1="gl", lpString2="..") returned 1 [0117.462] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl") returned 141 [0117.462] GetProcessHeap () returned 0x4c0000 [0117.462] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.462] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl" [0117.462] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\*" [0117.462] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e95b80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e95b80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e95b80, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.462] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.462] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.462] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.463] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.463] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.463] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.463] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e95b80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e95b80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e95b80, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.463] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.463] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.463] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.463] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.463] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.463] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.463] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.463] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85e95b80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e95b80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x47d5c900, ftLastWriteTime.dwHighDateTime=0x1d1781e, nFileSizeHigh=0x0, nFileSizeLow=0xac, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.463] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.463] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.463] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.463] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.463] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.463] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.463] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.463] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\messages.json") returned 155 [0117.463] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.463] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.463] lstrlenW (lpString=".json") returned 5 [0117.463] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.463] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0117.465] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=172) returned 1 [0117.465] CloseHandle (hObject=0x17c) returned 1 [0117.465] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85e95b80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e95b80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x47d5c900, ftLastWriteTime.dwHighDateTime=0x1d1781e, nFileSizeHigh=0x0, nFileSizeLow=0xac, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.465] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.465] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\PUSSY.TXT") returned 151 [0117.465] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.466] lstrlenA (lpString="abcd") returned 4 [0117.466] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.467] CloseHandle (hObject=0x1b0) returned 1 [0117.467] GetProcessHeap () returned 0x4c0000 [0117.467] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.467] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e95b80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e95b80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e95b80, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="gu", cAlternateFileName="")) returned 1 [0117.467] lstrcmpiW (lpString1="gu", lpString2="Windows") returned -1 [0117.467] lstrcmpiW (lpString1="gu", lpString2="Program Files") returned -1 [0117.467] lstrcmpiW (lpString1="gu", lpString2="Program Files (x86)") returned -1 [0117.467] lstrcmpiW (lpString1="gu", lpString2="$Recycle.bin") returned 1 [0117.467] lstrcmpiW (lpString1="gu", lpString2="System Volume Information") returned -1 [0117.467] lstrcmpiW (lpString1="gu", lpString2=".") returned 1 [0117.467] lstrcmpiW (lpString1="gu", lpString2="..") returned 1 [0117.467] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu") returned 141 [0117.467] GetProcessHeap () returned 0x4c0000 [0117.467] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.468] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu" [0117.468] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\*" [0117.468] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e95b80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e95b80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e95b80, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.468] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.468] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.468] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.468] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.468] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.468] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.468] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e95b80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e95b80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e95b80, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.468] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.468] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.468] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.468] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.468] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.468] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.469] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.469] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85e95b80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e95b80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x11e, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.469] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.469] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.469] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.469] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.469] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.469] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.469] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.469] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\messages.json") returned 155 [0117.469] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.469] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.469] lstrlenW (lpString=".json") returned 5 [0117.469] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.469] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0117.470] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=286) returned 1 [0117.470] CloseHandle (hObject=0x17c) returned 1 [0117.470] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85e95b80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e95b80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x11e, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.470] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.470] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\PUSSY.TXT") returned 151 [0117.470] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.471] lstrlenA (lpString="abcd") returned 4 [0117.471] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.472] CloseHandle (hObject=0x1b0) returned 1 [0117.472] GetProcessHeap () returned 0x4c0000 [0117.472] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.472] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e95b80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e95b80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e95b80, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="hi", cAlternateFileName="")) returned 1 [0117.472] lstrcmpiW (lpString1="hi", lpString2="Windows") returned -1 [0117.472] lstrcmpiW (lpString1="hi", lpString2="Program Files") returned -1 [0117.472] lstrcmpiW (lpString1="hi", lpString2="Program Files (x86)") returned -1 [0117.472] lstrcmpiW (lpString1="hi", lpString2="$Recycle.bin") returned 1 [0117.472] lstrcmpiW (lpString1="hi", lpString2="System Volume Information") returned -1 [0117.472] lstrcmpiW (lpString1="hi", lpString2=".") returned 1 [0117.472] lstrcmpiW (lpString1="hi", lpString2="..") returned 1 [0117.472] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi") returned 141 [0117.472] GetProcessHeap () returned 0x4c0000 [0117.472] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.472] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi" [0117.472] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\*" [0117.472] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e95b80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e95b80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e95b80, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.473] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.473] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.473] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.473] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.473] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.473] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.473] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e95b80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e95b80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e95b80, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.473] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.473] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.473] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.473] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.473] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.473] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.473] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.473] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85e95b80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e95b80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x13e, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.473] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.473] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.473] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.473] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.473] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.474] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.474] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.474] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\messages.json") returned 155 [0117.474] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.474] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.474] lstrlenW (lpString=".json") returned 5 [0117.474] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.474] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0117.475] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=318) returned 1 [0117.475] CloseHandle (hObject=0x17c) returned 1 [0117.476] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85e95b80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e95b80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x13e, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.476] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.476] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\PUSSY.TXT") returned 151 [0117.476] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.476] lstrlenA (lpString="abcd") returned 4 [0117.476] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.477] CloseHandle (hObject=0x1b0) returned 1 [0117.478] GetProcessHeap () returned 0x4c0000 [0117.478] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.478] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e95b80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e95b80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e95b80, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="hr", cAlternateFileName="")) returned 1 [0117.478] lstrcmpiW (lpString1="hr", lpString2="Windows") returned -1 [0117.478] lstrcmpiW (lpString1="hr", lpString2="Program Files") returned -1 [0117.478] lstrcmpiW (lpString1="hr", lpString2="Program Files (x86)") returned -1 [0117.478] lstrcmpiW (lpString1="hr", lpString2="$Recycle.bin") returned 1 [0117.478] lstrcmpiW (lpString1="hr", lpString2="System Volume Information") returned -1 [0117.478] lstrcmpiW (lpString1="hr", lpString2=".") returned 1 [0117.478] lstrcmpiW (lpString1="hr", lpString2="..") returned 1 [0117.478] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr") returned 141 [0117.478] GetProcessHeap () returned 0x4c0000 [0117.478] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.478] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr" [0117.478] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\*" [0117.478] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e95b80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e95b80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e95b80, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.478] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.478] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.479] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.479] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.479] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.479] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.479] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e95b80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e95b80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e95b80, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.479] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.479] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.479] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.479] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.479] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.479] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.479] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.479] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85e95b80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e95b80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xc8, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.479] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.479] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.479] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.479] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.479] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.479] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.479] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.479] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\messages.json") returned 155 [0117.479] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.479] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.479] lstrlenW (lpString=".json") returned 5 [0117.479] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.480] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0117.480] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=200) returned 1 [0117.480] CloseHandle (hObject=0x17c) returned 1 [0117.480] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85e95b80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e95b80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xc8, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.480] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.480] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\PUSSY.TXT") returned 151 [0117.480] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.481] lstrlenA (lpString="abcd") returned 4 [0117.481] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.482] CloseHandle (hObject=0x1b0) returned 1 [0117.482] GetProcessHeap () returned 0x4c0000 [0117.482] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.482] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e95b80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e95b80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e95b80, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="hu", cAlternateFileName="")) returned 1 [0117.482] lstrcmpiW (lpString1="hu", lpString2="Windows") returned -1 [0117.482] lstrcmpiW (lpString1="hu", lpString2="Program Files") returned -1 [0117.482] lstrcmpiW (lpString1="hu", lpString2="Program Files (x86)") returned -1 [0117.483] lstrcmpiW (lpString1="hu", lpString2="$Recycle.bin") returned 1 [0117.483] lstrcmpiW (lpString1="hu", lpString2="System Volume Information") returned -1 [0117.483] lstrcmpiW (lpString1="hu", lpString2=".") returned 1 [0117.483] lstrcmpiW (lpString1="hu", lpString2="..") returned 1 [0117.483] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu") returned 141 [0117.483] GetProcessHeap () returned 0x4c0000 [0117.483] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.483] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu" [0117.483] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\*" [0117.483] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e95b80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e95b80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e95b80, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.483] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.483] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.483] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.483] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.483] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.483] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.483] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85e95b80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e95b80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85e95b80, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.483] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.484] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.484] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.484] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.484] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.484] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.484] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.484] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85e95b80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e95b80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xc6, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.484] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.484] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.484] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.484] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.484] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.484] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.484] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.484] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\messages.json") returned 155 [0117.484] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.484] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.484] lstrlenW (lpString=".json") returned 5 [0117.484] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.484] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0117.485] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=198) returned 1 [0117.486] CloseHandle (hObject=0x17c) returned 1 [0117.486] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85e95b80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e95b80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xc6, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.486] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.486] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\PUSSY.TXT") returned 151 [0117.486] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.486] lstrlenA (lpString="abcd") returned 4 [0117.486] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.487] CloseHandle (hObject=0x1b0) returned 1 [0117.488] GetProcessHeap () returned 0x4c0000 [0117.488] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.488] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85ebbce0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ebbce0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85ebbce0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="hy", cAlternateFileName="")) returned 1 [0117.488] lstrcmpiW (lpString1="hy", lpString2="Windows") returned -1 [0117.488] lstrcmpiW (lpString1="hy", lpString2="Program Files") returned -1 [0117.488] lstrcmpiW (lpString1="hy", lpString2="Program Files (x86)") returned -1 [0117.488] lstrcmpiW (lpString1="hy", lpString2="$Recycle.bin") returned 1 [0117.488] lstrcmpiW (lpString1="hy", lpString2="System Volume Information") returned -1 [0117.488] lstrcmpiW (lpString1="hy", lpString2=".") returned 1 [0117.488] lstrcmpiW (lpString1="hy", lpString2="..") returned 1 [0117.488] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy") returned 141 [0117.488] GetProcessHeap () returned 0x4c0000 [0117.488] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.488] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy" [0117.488] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\*" [0117.488] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85ebbce0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ebbce0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85ebbce0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.488] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.488] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.489] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.489] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.489] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.489] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.489] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85ebbce0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ebbce0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85ebbce0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.489] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.489] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.489] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.489] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.489] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.489] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.489] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.489] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85ebbce0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ebcc80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x47d5c900, ftLastWriteTime.dwHighDateTime=0x1d1781e, nFileSizeHigh=0x0, nFileSizeLow=0x299, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.489] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.489] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.489] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.489] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.489] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.489] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.489] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.489] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\messages.json") returned 155 [0117.489] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.489] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.489] lstrlenW (lpString=".json") returned 5 [0117.489] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.490] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0117.490] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=665) returned 1 [0117.490] GetProcessHeap () returned 0x4c0000 [0117.490] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x53caf0 [0117.510] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="83") returned 2 [0117.510] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="F3") returned 2 [0117.510] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="7A") returned 2 [0117.510] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="E5") returned 2 [0117.510] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="BF") returned 2 [0117.510] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="0B") returned 2 [0117.510] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="CC") returned 2 [0117.510] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="D6") returned 2 [0117.510] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="B9") returned 2 [0117.510] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="1C") returned 2 [0117.510] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="D2") returned 2 [0117.510] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="4C") returned 2 [0117.510] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="71") returned 2 [0117.510] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="80") returned 2 [0117.510] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="1D") returned 2 [0117.510] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="2B") returned 2 [0117.510] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="9C") returned 2 [0117.510] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="AD") returned 2 [0117.510] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="FE") returned 2 [0117.510] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="0E") returned 2 [0117.510] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="3C") returned 2 [0117.510] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="07") returned 2 [0117.510] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="10") returned 2 [0117.510] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="A7") returned 2 [0117.511] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="AC") returned 2 [0117.511] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="25") returned 2 [0117.511] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="60") returned 2 [0117.511] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="3A") returned 2 [0117.511] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="40") returned 2 [0117.511] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="DE") returned 2 [0117.511] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="AC") returned 2 [0117.511] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="4F") returned 2 [0117.523] lstrcpyW (in: lpString1=0x54cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\messages.json" [0117.523] lstrcpyW (in: lpString1=0x53cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\messages.json" [0117.523] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\messages.json", lpString2=".83F37AE5BF0BCCD6B91CD24C71801D2B9CADFE0E3C0710A7AC25603A40DEAC4F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\messages.json.83F37AE5BF0BCCD6B91CD24C71801D2B9CADFE0E3C0710A7AC25603A40DEAC4F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\messages.json.83F37AE5BF0BCCD6B91CD24C71801D2B9CADFE0E3C0710A7AC25603A40DEAC4F" [0117.523] CreateIoCompletionPort (FileHandle=0x17c, ExistingCompletionPort=0x94, CompletionKey=0x53caf0, NumberOfConcurrentThreads=0x0) returned 0x94 [0117.523] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x53caf0, lpOverlapped=0x53caf0) returned 1 [0117.523] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85ebbce0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ebcc80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x47d5c900, ftLastWriteTime.dwHighDateTime=0x1d1781e, nFileSizeHigh=0x0, nFileSizeLow=0x299, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.523] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.523] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\PUSSY.TXT") returned 151 [0117.523] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.524] lstrlenA (lpString="abcd") returned 4 [0117.524] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.525] CloseHandle (hObject=0x1b0) returned 1 [0117.525] GetProcessHeap () returned 0x4c0000 [0117.525] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.525] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85ebbce0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ebbce0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85ebbce0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="id", cAlternateFileName="")) returned 1 [0117.525] lstrcmpiW (lpString1="id", lpString2="Windows") returned -1 [0117.525] lstrcmpiW (lpString1="id", lpString2="Program Files") returned -1 [0117.526] lstrcmpiW (lpString1="id", lpString2="Program Files (x86)") returned -1 [0117.526] lstrcmpiW (lpString1="id", lpString2="$Recycle.bin") returned 1 [0117.526] lstrcmpiW (lpString1="id", lpString2="System Volume Information") returned -1 [0117.526] lstrcmpiW (lpString1="id", lpString2=".") returned 1 [0117.526] lstrcmpiW (lpString1="id", lpString2="..") returned 1 [0117.526] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id") returned 141 [0117.526] GetProcessHeap () returned 0x4c0000 [0117.526] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.526] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id" [0117.526] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\*" [0117.526] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85ebbce0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ebbce0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85ebbce0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.526] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.526] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.526] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.526] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.526] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.526] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.526] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85ebbce0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ebbce0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85ebbce0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.526] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.526] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.526] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.527] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.527] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.527] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.527] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.527] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85ebbce0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ebcc80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xbb, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.527] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.527] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.527] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.527] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.527] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.527] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.527] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.527] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\messages.json") returned 155 [0117.527] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.527] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.527] lstrlenW (lpString=".json") returned 5 [0117.527] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.527] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0117.533] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=187) returned 1 [0117.533] CloseHandle (hObject=0x1ac) returned 1 [0117.533] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85ebbce0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ebcc80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xbb, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.533] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.533] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\PUSSY.TXT") returned 151 [0117.533] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.534] lstrlenA (lpString="abcd") returned 4 [0117.534] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.534] CloseHandle (hObject=0x1b0) returned 1 [0117.535] GetProcessHeap () returned 0x4c0000 [0117.535] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.535] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85ebbce0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ebbce0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85ebbce0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="is", cAlternateFileName="")) returned 1 [0117.535] lstrcmpiW (lpString1="is", lpString2="Windows") returned -1 [0117.535] lstrcmpiW (lpString1="is", lpString2="Program Files") returned -1 [0117.535] lstrcmpiW (lpString1="is", lpString2="Program Files (x86)") returned -1 [0117.535] lstrcmpiW (lpString1="is", lpString2="$Recycle.bin") returned 1 [0117.535] lstrcmpiW (lpString1="is", lpString2="System Volume Information") returned -1 [0117.535] lstrcmpiW (lpString1="is", lpString2=".") returned 1 [0117.535] lstrcmpiW (lpString1="is", lpString2="..") returned 1 [0117.535] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is") returned 141 [0117.535] GetProcessHeap () returned 0x4c0000 [0117.535] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.535] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is" [0117.535] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\*" [0117.535] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85ebbce0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ebbce0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85ebbce0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.535] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.535] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.535] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.535] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.535] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.535] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.536] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85ebbce0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ebbce0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85ebbce0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.536] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.536] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.536] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.536] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.536] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.536] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.536] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.536] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85ebbce0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ebcc80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x47d5c900, ftLastWriteTime.dwHighDateTime=0x1d1781e, nFileSizeHigh=0x0, nFileSizeLow=0xb2, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.536] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.536] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.536] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.536] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.536] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.536] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.536] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.536] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\messages.json") returned 155 [0117.536] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.536] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.536] lstrlenW (lpString=".json") returned 5 [0117.536] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.536] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0117.537] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=178) returned 1 [0117.537] CloseHandle (hObject=0x1ac) returned 1 [0117.537] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85ebbce0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ebcc80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x47d5c900, ftLastWriteTime.dwHighDateTime=0x1d1781e, nFileSizeHigh=0x0, nFileSizeLow=0xb2, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.537] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.537] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\PUSSY.TXT") returned 151 [0117.537] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.537] lstrlenA (lpString="abcd") returned 4 [0117.537] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.538] CloseHandle (hObject=0x1b0) returned 1 [0117.538] GetProcessHeap () returned 0x4c0000 [0117.538] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.538] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85ebbce0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ebbce0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85ebbce0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="it", cAlternateFileName="")) returned 1 [0117.538] lstrcmpiW (lpString1="it", lpString2="Windows") returned -1 [0117.539] lstrcmpiW (lpString1="it", lpString2="Program Files") returned -1 [0117.539] lstrcmpiW (lpString1="it", lpString2="Program Files (x86)") returned -1 [0117.539] lstrcmpiW (lpString1="it", lpString2="$Recycle.bin") returned 1 [0117.539] lstrcmpiW (lpString1="it", lpString2="System Volume Information") returned -1 [0117.539] lstrcmpiW (lpString1="it", lpString2=".") returned 1 [0117.539] lstrcmpiW (lpString1="it", lpString2="..") returned 1 [0117.539] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it") returned 141 [0117.539] GetProcessHeap () returned 0x4c0000 [0117.539] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.539] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it" [0117.539] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\*" [0117.539] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85ebbce0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ebbce0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85ebbce0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.539] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.539] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.539] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.539] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.539] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.539] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.539] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85ebbce0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ebbce0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85ebbce0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.539] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.539] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.539] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.540] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.540] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.540] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.540] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.540] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85ebbce0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ebcc80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb6, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.540] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.540] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.540] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.540] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.540] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.540] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.540] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.540] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\messages.json") returned 155 [0117.540] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.540] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.540] lstrlenW (lpString=".json") returned 5 [0117.540] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.540] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0117.541] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=182) returned 1 [0117.541] CloseHandle (hObject=0x1ac) returned 1 [0117.541] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85ebbce0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ebcc80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb6, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.541] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.542] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\PUSSY.TXT") returned 151 [0117.542] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.542] lstrlenA (lpString="abcd") returned 4 [0117.542] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.543] CloseHandle (hObject=0x1b0) returned 1 [0117.543] GetProcessHeap () returned 0x4c0000 [0117.543] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.543] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85ebbce0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ebbce0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85ebbce0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="iw", cAlternateFileName="")) returned 1 [0117.543] lstrcmpiW (lpString1="iw", lpString2="Windows") returned -1 [0117.543] lstrcmpiW (lpString1="iw", lpString2="Program Files") returned -1 [0117.543] lstrcmpiW (lpString1="iw", lpString2="Program Files (x86)") returned -1 [0117.543] lstrcmpiW (lpString1="iw", lpString2="$Recycle.bin") returned 1 [0117.543] lstrcmpiW (lpString1="iw", lpString2="System Volume Information") returned -1 [0117.543] lstrcmpiW (lpString1="iw", lpString2=".") returned 1 [0117.544] lstrcmpiW (lpString1="iw", lpString2="..") returned 1 [0117.544] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw") returned 141 [0117.544] GetProcessHeap () returned 0x4c0000 [0117.544] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.544] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw" [0117.544] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\*" [0117.544] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85ebbce0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ebbce0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85ebbce0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.544] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.544] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.544] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.544] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.544] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.544] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.544] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85ebbce0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ebbce0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85ebbce0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.544] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.544] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.544] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.544] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.544] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.544] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.545] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.545] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85ebbce0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ebcc80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x47d5c900, ftLastWriteTime.dwHighDateTime=0x1d1781e, nFileSizeHigh=0x0, nFileSizeLow=0x16a, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.545] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.545] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.545] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.545] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.545] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.545] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.545] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.545] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\messages.json") returned 155 [0117.545] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.545] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.545] lstrlenW (lpString=".json") returned 5 [0117.545] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.545] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0117.545] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=362) returned 1 [0117.545] CloseHandle (hObject=0x1ac) returned 1 [0117.545] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85ebbce0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ebcc80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x47d5c900, ftLastWriteTime.dwHighDateTime=0x1d1781e, nFileSizeHigh=0x0, nFileSizeLow=0x16a, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.546] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.546] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\PUSSY.TXT") returned 151 [0117.546] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.546] lstrlenA (lpString="abcd") returned 4 [0117.546] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.547] CloseHandle (hObject=0x1b0) returned 1 [0117.547] GetProcessHeap () returned 0x4c0000 [0117.547] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.547] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85ee1e40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ee1e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85ee1e40, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="ja", cAlternateFileName="")) returned 1 [0117.547] lstrcmpiW (lpString1="ja", lpString2="Windows") returned -1 [0117.547] lstrcmpiW (lpString1="ja", lpString2="Program Files") returned -1 [0117.547] lstrcmpiW (lpString1="ja", lpString2="Program Files (x86)") returned -1 [0117.547] lstrcmpiW (lpString1="ja", lpString2="$Recycle.bin") returned 1 [0117.547] lstrcmpiW (lpString1="ja", lpString2="System Volume Information") returned -1 [0117.547] lstrcmpiW (lpString1="ja", lpString2=".") returned 1 [0117.547] lstrcmpiW (lpString1="ja", lpString2="..") returned 1 [0117.547] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja") returned 141 [0117.547] GetProcessHeap () returned 0x4c0000 [0117.547] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.547] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja" [0117.548] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\*" [0117.548] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85ee1e40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ee1e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85ee1e40, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.548] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.548] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.548] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.548] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.548] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.548] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.548] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85ee1e40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ee1e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85ee1e40, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.548] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.548] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.548] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.548] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.548] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.548] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.548] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.548] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85ee1e40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ee3d80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xfb, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.548] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.548] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.548] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.548] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.548] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.548] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.548] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.549] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\messages.json") returned 155 [0117.549] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.549] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.549] lstrlenW (lpString=".json") returned 5 [0117.549] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.549] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0117.550] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=251) returned 1 [0117.550] CloseHandle (hObject=0x1ac) returned 1 [0117.550] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85ee1e40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ee3d80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xfb, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.550] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.550] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\PUSSY.TXT") returned 151 [0117.550] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.550] lstrlenA (lpString="abcd") returned 4 [0117.550] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.551] CloseHandle (hObject=0x1b0) returned 1 [0117.551] GetProcessHeap () returned 0x4c0000 [0117.552] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.552] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85ee1e40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ee1e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85ee1e40, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="ka", cAlternateFileName="")) returned 1 [0117.552] lstrcmpiW (lpString1="ka", lpString2="Windows") returned -1 [0117.552] lstrcmpiW (lpString1="ka", lpString2="Program Files") returned -1 [0117.552] lstrcmpiW (lpString1="ka", lpString2="Program Files (x86)") returned -1 [0117.552] lstrcmpiW (lpString1="ka", lpString2="$Recycle.bin") returned 1 [0117.552] lstrcmpiW (lpString1="ka", lpString2="System Volume Information") returned -1 [0117.552] lstrcmpiW (lpString1="ka", lpString2=".") returned 1 [0117.552] lstrcmpiW (lpString1="ka", lpString2="..") returned 1 [0117.552] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka") returned 141 [0117.552] GetProcessHeap () returned 0x4c0000 [0117.552] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.552] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka" [0117.552] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\*" [0117.552] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85ee1e40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ee1e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85ee1e40, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.552] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.552] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.552] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.552] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.552] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.552] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.552] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85ee1e40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ee1e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85ee1e40, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.552] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.552] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.553] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.553] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.553] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.553] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.553] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.553] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85ee1e40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ee3d80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x47d5c900, ftLastWriteTime.dwHighDateTime=0x1d1781e, nFileSizeHigh=0x0, nFileSizeLow=0x165, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.553] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.553] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.553] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.553] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.553] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.553] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.553] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.553] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\messages.json") returned 155 [0117.553] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.553] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.553] lstrlenW (lpString=".json") returned 5 [0117.553] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.553] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0117.553] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=357) returned 1 [0117.553] CloseHandle (hObject=0x1ac) returned 1 [0117.553] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85ee1e40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ee3d80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x47d5c900, ftLastWriteTime.dwHighDateTime=0x1d1781e, nFileSizeHigh=0x0, nFileSizeLow=0x165, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.554] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.554] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\PUSSY.TXT") returned 151 [0117.554] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.554] lstrlenA (lpString="abcd") returned 4 [0117.554] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.571] CloseHandle (hObject=0x1b0) returned 1 [0117.571] GetProcessHeap () returned 0x4c0000 [0117.571] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.571] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85ee1e40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ee1e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85ee1e40, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="km", cAlternateFileName="")) returned 1 [0117.571] lstrcmpiW (lpString1="km", lpString2="Windows") returned -1 [0117.572] lstrcmpiW (lpString1="km", lpString2="Program Files") returned -1 [0117.572] lstrcmpiW (lpString1="km", lpString2="Program Files (x86)") returned -1 [0117.572] lstrcmpiW (lpString1="km", lpString2="$Recycle.bin") returned 1 [0117.572] lstrcmpiW (lpString1="km", lpString2="System Volume Information") returned -1 [0117.572] lstrcmpiW (lpString1="km", lpString2=".") returned 1 [0117.572] lstrcmpiW (lpString1="km", lpString2="..") returned 1 [0117.572] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km") returned 141 [0117.572] GetProcessHeap () returned 0x4c0000 [0117.572] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.572] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km" [0117.572] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\*" [0117.572] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85ee1e40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ee1e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85ee1e40, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.572] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.572] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.572] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.572] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.572] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.572] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.572] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85ee1e40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ee1e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85ee1e40, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.572] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.573] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.573] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.573] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.573] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.573] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.573] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.573] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85ee1e40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ee3d80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x47d5c900, ftLastWriteTime.dwHighDateTime=0x1d1781e, nFileSizeHigh=0x0, nFileSizeLow=0x25f, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.573] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.573] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.573] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.573] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.573] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.573] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.573] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.573] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\messages.json") returned 155 [0117.573] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.573] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.573] lstrlenW (lpString=".json") returned 5 [0117.573] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.573] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0117.574] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=607) returned 1 [0117.574] GetProcessHeap () returned 0x4c0000 [0117.574] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x53caf0 [0117.583] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="D5") returned 2 [0117.583] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="EA") returned 2 [0117.583] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="C7") returned 2 [0117.583] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="A7") returned 2 [0117.583] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="86") returned 2 [0117.583] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="C8") returned 2 [0117.583] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="24") returned 2 [0117.583] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="AD") returned 2 [0117.583] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="EF") returned 2 [0117.583] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="D3") returned 2 [0117.584] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="E8") returned 2 [0117.584] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="A2") returned 2 [0117.584] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="B9") returned 2 [0117.584] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="D0") returned 2 [0117.584] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="1E") returned 2 [0117.584] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="1A") returned 2 [0117.584] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="FD") returned 2 [0117.584] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="C3") returned 2 [0117.584] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="E9") returned 2 [0117.584] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="15") returned 2 [0117.584] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="24") returned 2 [0117.584] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="ED") returned 2 [0117.584] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="22") returned 2 [0117.584] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="38") returned 2 [0117.584] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="25") returned 2 [0117.584] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="7F") returned 2 [0117.584] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="B8") returned 2 [0117.584] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="57") returned 2 [0117.584] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="F6") returned 2 [0117.584] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="32") returned 2 [0117.584] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="94") returned 2 [0117.584] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="65") returned 2 [0117.594] lstrcpyW (in: lpString1=0x54cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\messages.json" [0117.594] lstrcpyW (in: lpString1=0x53cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\messages.json" [0117.594] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\messages.json", lpString2=".D5EAC7A786C824ADEFD3E8A2B9D01E1AFDC3E91524ED2238257FB857F6329465" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\messages.json.D5EAC7A786C824ADEFD3E8A2B9D01E1AFDC3E91524ED2238257FB857F6329465") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\messages.json.D5EAC7A786C824ADEFD3E8A2B9D01E1AFDC3E91524ED2238257FB857F6329465" [0117.594] CreateIoCompletionPort (FileHandle=0x1ac, ExistingCompletionPort=0x94, CompletionKey=0x53caf0, NumberOfConcurrentThreads=0x0) returned 0x94 [0117.594] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x53caf0, lpOverlapped=0x53caf0) returned 1 [0117.594] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85ee1e40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ee3d80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x47d5c900, ftLastWriteTime.dwHighDateTime=0x1d1781e, nFileSizeHigh=0x0, nFileSizeLow=0x25f, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.594] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.594] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\PUSSY.TXT") returned 151 [0117.595] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.595] lstrlenA (lpString="abcd") returned 4 [0117.595] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.596] CloseHandle (hObject=0x1b0) returned 1 [0117.596] GetProcessHeap () returned 0x4c0000 [0117.596] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.596] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85ee1e40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ee1e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85ee1e40, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="kn", cAlternateFileName="")) returned 1 [0117.596] lstrcmpiW (lpString1="kn", lpString2="Windows") returned -1 [0117.596] lstrcmpiW (lpString1="kn", lpString2="Program Files") returned -1 [0117.597] lstrcmpiW (lpString1="kn", lpString2="Program Files (x86)") returned -1 [0117.597] lstrcmpiW (lpString1="kn", lpString2="$Recycle.bin") returned 1 [0117.597] lstrcmpiW (lpString1="kn", lpString2="System Volume Information") returned -1 [0117.597] lstrcmpiW (lpString1="kn", lpString2=".") returned 1 [0117.597] lstrcmpiW (lpString1="kn", lpString2="..") returned 1 [0117.597] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn") returned 141 [0117.597] GetProcessHeap () returned 0x4c0000 [0117.597] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.597] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn" [0117.597] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\*" [0117.597] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85ee1e40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ee1e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85ee1e40, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.597] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.597] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.597] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.597] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.597] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.597] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.597] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85ee1e40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ee1e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85ee1e40, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.597] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.597] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.597] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.597] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.597] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.597] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.598] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.598] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85ee1e40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ee3d80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x147, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.598] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.598] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.598] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.598] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.598] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.598] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.598] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.598] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\messages.json") returned 155 [0117.598] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.598] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.598] lstrlenW (lpString=".json") returned 5 [0117.598] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.598] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0117.598] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=327) returned 1 [0117.598] CloseHandle (hObject=0x17c) returned 1 [0117.599] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85ee1e40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ee3d80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x147, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.599] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.599] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\PUSSY.TXT") returned 151 [0117.599] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.599] lstrlenA (lpString="abcd") returned 4 [0117.599] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.600] CloseHandle (hObject=0x1b0) returned 1 [0117.601] GetProcessHeap () returned 0x4c0000 [0117.601] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.601] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85ee1e40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ee1e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85ee1e40, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="ko", cAlternateFileName="")) returned 1 [0117.601] lstrcmpiW (lpString1="ko", lpString2="Windows") returned -1 [0117.601] lstrcmpiW (lpString1="ko", lpString2="Program Files") returned -1 [0117.601] lstrcmpiW (lpString1="ko", lpString2="Program Files (x86)") returned -1 [0117.601] lstrcmpiW (lpString1="ko", lpString2="$Recycle.bin") returned 1 [0117.601] lstrcmpiW (lpString1="ko", lpString2="System Volume Information") returned -1 [0117.601] lstrcmpiW (lpString1="ko", lpString2=".") returned 1 [0117.601] lstrcmpiW (lpString1="ko", lpString2="..") returned 1 [0117.601] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko") returned 141 [0117.601] GetProcessHeap () returned 0x4c0000 [0117.601] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.601] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko" [0117.601] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\*" [0117.601] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85ee1e40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ee1e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85ee1e40, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.601] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.601] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.601] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.601] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.601] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.601] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.601] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85ee1e40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ee1e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85ee1e40, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.602] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.602] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.602] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.602] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.602] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.602] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.602] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.602] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85ee1e40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ee3d80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd9, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.602] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.602] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.602] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.602] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.602] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.602] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.602] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.602] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\messages.json") returned 155 [0117.602] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.602] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.602] lstrlenW (lpString=".json") returned 5 [0117.602] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.602] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0117.610] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=217) returned 1 [0117.610] CloseHandle (hObject=0x17c) returned 1 [0117.610] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85ee1e40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85ee3d80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd9, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.610] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.610] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\PUSSY.TXT") returned 151 [0117.610] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.611] lstrlenA (lpString="abcd") returned 4 [0117.611] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.612] CloseHandle (hObject=0x1b0) returned 1 [0117.612] GetProcessHeap () returned 0x4c0000 [0117.612] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.612] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f07fa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f07fa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f07fa0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="lo", cAlternateFileName="")) returned 1 [0117.612] lstrcmpiW (lpString1="lo", lpString2="Windows") returned -1 [0117.612] lstrcmpiW (lpString1="lo", lpString2="Program Files") returned -1 [0117.612] lstrcmpiW (lpString1="lo", lpString2="Program Files (x86)") returned -1 [0117.612] lstrcmpiW (lpString1="lo", lpString2="$Recycle.bin") returned 1 [0117.612] lstrcmpiW (lpString1="lo", lpString2="System Volume Information") returned -1 [0117.612] lstrcmpiW (lpString1="lo", lpString2=".") returned 1 [0117.612] lstrcmpiW (lpString1="lo", lpString2="..") returned 1 [0117.612] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo") returned 141 [0117.612] GetProcessHeap () returned 0x4c0000 [0117.612] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.612] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo" [0117.613] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\*" [0117.613] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f07fa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f07fa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f07fa0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.613] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.613] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.613] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.613] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.613] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.613] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.613] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f07fa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f07fa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f07fa0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.613] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.613] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.613] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.613] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.613] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.613] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.613] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.613] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85f07fa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f08770, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x47d5c900, ftLastWriteTime.dwHighDateTime=0x1d1781e, nFileSizeHigh=0x0, nFileSizeLow=0x1c2, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.613] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.613] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.613] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.613] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.613] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.613] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.613] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.613] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\messages.json") returned 155 [0117.613] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.614] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.614] lstrlenW (lpString=".json") returned 5 [0117.614] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.614] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0117.614] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=450) returned 1 [0117.614] CloseHandle (hObject=0x17c) returned 1 [0117.614] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85f07fa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f08770, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x47d5c900, ftLastWriteTime.dwHighDateTime=0x1d1781e, nFileSizeHigh=0x0, nFileSizeLow=0x1c2, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.614] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.614] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\PUSSY.TXT") returned 151 [0117.614] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.615] lstrlenA (lpString="abcd") returned 4 [0117.615] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.616] CloseHandle (hObject=0x1b0) returned 1 [0117.617] GetProcessHeap () returned 0x4c0000 [0117.617] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.617] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f07fa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f07fa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f07fa0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="lt", cAlternateFileName="")) returned 1 [0117.617] lstrcmpiW (lpString1="lt", lpString2="Windows") returned -1 [0117.617] lstrcmpiW (lpString1="lt", lpString2="Program Files") returned -1 [0117.617] lstrcmpiW (lpString1="lt", lpString2="Program Files (x86)") returned -1 [0117.617] lstrcmpiW (lpString1="lt", lpString2="$Recycle.bin") returned 1 [0117.617] lstrcmpiW (lpString1="lt", lpString2="System Volume Information") returned -1 [0117.617] lstrcmpiW (lpString1="lt", lpString2=".") returned 1 [0117.617] lstrcmpiW (lpString1="lt", lpString2="..") returned 1 [0117.617] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt") returned 141 [0117.617] GetProcessHeap () returned 0x4c0000 [0117.618] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.618] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt" [0117.618] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\*" [0117.618] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f07fa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f07fa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f07fa0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.618] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.618] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.618] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.618] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.618] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.618] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.618] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f07fa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f07fa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f07fa0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.618] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.618] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.618] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.618] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.618] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.618] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.618] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.618] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85f07fa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f08770, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd5, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.618] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.618] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.618] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.618] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.618] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.618] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.619] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.619] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\messages.json") returned 155 [0117.619] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.619] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.619] lstrlenW (lpString=".json") returned 5 [0117.619] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.619] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0117.620] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=213) returned 1 [0117.620] CloseHandle (hObject=0x17c) returned 1 [0117.620] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85f07fa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f08770, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd5, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.620] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.620] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\PUSSY.TXT") returned 151 [0117.620] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.620] lstrlenA (lpString="abcd") returned 4 [0117.620] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.622] CloseHandle (hObject=0x1b0) returned 1 [0117.622] GetProcessHeap () returned 0x4c0000 [0117.622] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.622] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f07fa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f07fa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f07fa0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="lv", cAlternateFileName="")) returned 1 [0117.622] lstrcmpiW (lpString1="lv", lpString2="Windows") returned -1 [0117.622] lstrcmpiW (lpString1="lv", lpString2="Program Files") returned -1 [0117.622] lstrcmpiW (lpString1="lv", lpString2="Program Files (x86)") returned -1 [0117.622] lstrcmpiW (lpString1="lv", lpString2="$Recycle.bin") returned 1 [0117.622] lstrcmpiW (lpString1="lv", lpString2="System Volume Information") returned -1 [0117.622] lstrcmpiW (lpString1="lv", lpString2=".") returned 1 [0117.622] lstrcmpiW (lpString1="lv", lpString2="..") returned 1 [0117.622] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv") returned 141 [0117.622] GetProcessHeap () returned 0x4c0000 [0117.622] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.622] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv" [0117.622] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\*" [0117.622] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f07fa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f07fa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f07fa0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.623] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.623] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.623] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.623] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.623] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.623] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.623] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f07fa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f07fa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f07fa0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.623] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.623] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.623] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.623] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.623] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.623] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.623] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.623] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85f07fa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f08770, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xc6, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.623] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.623] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.623] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.623] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.623] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.623] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.623] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.623] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\messages.json") returned 155 [0117.623] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.623] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.624] lstrlenW (lpString=".json") returned 5 [0117.624] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.624] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0117.624] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=198) returned 1 [0117.624] CloseHandle (hObject=0x17c) returned 1 [0117.624] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85f07fa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f08770, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xc6, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.624] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.624] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\PUSSY.TXT") returned 151 [0117.624] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.625] lstrlenA (lpString="abcd") returned 4 [0117.625] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.626] CloseHandle (hObject=0x1b0) returned 1 [0117.626] GetProcessHeap () returned 0x4c0000 [0117.626] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.626] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f07fa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f07fa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f07fa0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="ml", cAlternateFileName="")) returned 1 [0117.626] lstrcmpiW (lpString1="ml", lpString2="Windows") returned -1 [0117.626] lstrcmpiW (lpString1="ml", lpString2="Program Files") returned -1 [0117.626] lstrcmpiW (lpString1="ml", lpString2="Program Files (x86)") returned -1 [0117.626] lstrcmpiW (lpString1="ml", lpString2="$Recycle.bin") returned 1 [0117.626] lstrcmpiW (lpString1="ml", lpString2="System Volume Information") returned -1 [0117.626] lstrcmpiW (lpString1="ml", lpString2=".") returned 1 [0117.626] lstrcmpiW (lpString1="ml", lpString2="..") returned 1 [0117.626] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml") returned 141 [0117.626] GetProcessHeap () returned 0x4c0000 [0117.626] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.626] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml" [0117.626] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\*" [0117.626] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f07fa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f07fa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f07fa0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.627] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.627] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.627] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.627] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.627] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.627] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.627] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f07fa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f07fa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f07fa0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.627] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.627] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.627] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.627] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.627] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.627] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.627] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.627] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85f07fa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f08770, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x183, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.627] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.627] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.627] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.627] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.627] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.627] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.627] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.627] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\messages.json") returned 155 [0117.627] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.627] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.628] lstrlenW (lpString=".json") returned 5 [0117.628] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.628] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0117.629] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=387) returned 1 [0117.629] CloseHandle (hObject=0x17c) returned 1 [0117.629] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85f07fa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f08770, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x183, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.629] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.629] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\PUSSY.TXT") returned 151 [0117.629] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.630] lstrlenA (lpString="abcd") returned 4 [0117.630] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.631] CloseHandle (hObject=0x1b0) returned 1 [0117.631] GetProcessHeap () returned 0x4c0000 [0117.631] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.631] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f07fa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f07fa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f07fa0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="mn", cAlternateFileName="")) returned 1 [0117.631] lstrcmpiW (lpString1="mn", lpString2="Windows") returned -1 [0117.631] lstrcmpiW (lpString1="mn", lpString2="Program Files") returned -1 [0117.631] lstrcmpiW (lpString1="mn", lpString2="Program Files (x86)") returned -1 [0117.631] lstrcmpiW (lpString1="mn", lpString2="$Recycle.bin") returned 1 [0117.631] lstrcmpiW (lpString1="mn", lpString2="System Volume Information") returned -1 [0117.631] lstrcmpiW (lpString1="mn", lpString2=".") returned 1 [0117.631] lstrcmpiW (lpString1="mn", lpString2="..") returned 1 [0117.631] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn") returned 141 [0117.631] GetProcessHeap () returned 0x4c0000 [0117.631] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.631] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn" [0117.631] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\*" [0117.631] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f07fa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f07fa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f07fa0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.632] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.632] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.632] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.632] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.632] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.632] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.632] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f07fa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f07fa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f07fa0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.632] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.632] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.632] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.632] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.632] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.632] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.632] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.632] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85f07fa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f08770, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x47d5c900, ftLastWriteTime.dwHighDateTime=0x1d1781e, nFileSizeHigh=0x0, nFileSizeLow=0x1c3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.632] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.632] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.632] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.632] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.632] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.632] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.632] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.632] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\messages.json") returned 155 [0117.632] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.632] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.632] lstrlenW (lpString=".json") returned 5 [0117.632] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.632] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0117.633] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=451) returned 1 [0117.633] CloseHandle (hObject=0x17c) returned 1 [0117.633] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85f07fa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f08770, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x47d5c900, ftLastWriteTime.dwHighDateTime=0x1d1781e, nFileSizeHigh=0x0, nFileSizeLow=0x1c3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.633] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.633] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\PUSSY.TXT") returned 151 [0117.633] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.634] lstrlenA (lpString="abcd") returned 4 [0117.634] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.635] CloseHandle (hObject=0x1b0) returned 1 [0117.635] GetProcessHeap () returned 0x4c0000 [0117.635] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.635] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f07fa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f2e100, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f2e100, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="mr", cAlternateFileName="")) returned 1 [0117.635] lstrcmpiW (lpString1="mr", lpString2="Windows") returned -1 [0117.635] lstrcmpiW (lpString1="mr", lpString2="Program Files") returned -1 [0117.635] lstrcmpiW (lpString1="mr", lpString2="Program Files (x86)") returned -1 [0117.635] lstrcmpiW (lpString1="mr", lpString2="$Recycle.bin") returned 1 [0117.635] lstrcmpiW (lpString1="mr", lpString2="System Volume Information") returned -1 [0117.635] lstrcmpiW (lpString1="mr", lpString2=".") returned 1 [0117.635] lstrcmpiW (lpString1="mr", lpString2="..") returned 1 [0117.635] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr") returned 141 [0117.635] GetProcessHeap () returned 0x4c0000 [0117.635] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.635] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr" [0117.635] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\*" [0117.635] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f07fa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f2e100, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f2e100, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.636] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.636] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.636] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.636] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.636] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.636] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.636] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f07fa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f2e100, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f2e100, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.636] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.636] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.636] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.636] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.636] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.636] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.636] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.636] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85f2e100, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f2f870, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x12c, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.636] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.636] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.636] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.636] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.636] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.636] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.636] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.636] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\messages.json") returned 155 [0117.636] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.636] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.636] lstrlenW (lpString=".json") returned 5 [0117.636] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.636] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0117.638] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=300) returned 1 [0117.638] CloseHandle (hObject=0x17c) returned 1 [0117.638] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85f2e100, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f2f870, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x12c, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.638] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.638] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\PUSSY.TXT") returned 151 [0117.638] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.639] lstrlenA (lpString="abcd") returned 4 [0117.639] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.640] CloseHandle (hObject=0x1b0) returned 1 [0117.640] GetProcessHeap () returned 0x4c0000 [0117.640] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.640] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f2e100, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f2e100, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f2e100, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="ms", cAlternateFileName="")) returned 1 [0117.640] lstrcmpiW (lpString1="ms", lpString2="Windows") returned -1 [0117.640] lstrcmpiW (lpString1="ms", lpString2="Program Files") returned -1 [0117.640] lstrcmpiW (lpString1="ms", lpString2="Program Files (x86)") returned -1 [0117.640] lstrcmpiW (lpString1="ms", lpString2="$Recycle.bin") returned 1 [0117.640] lstrcmpiW (lpString1="ms", lpString2="System Volume Information") returned -1 [0117.640] lstrcmpiW (lpString1="ms", lpString2=".") returned 1 [0117.640] lstrcmpiW (lpString1="ms", lpString2="..") returned 1 [0117.640] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms") returned 141 [0117.640] GetProcessHeap () returned 0x4c0000 [0117.640] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.640] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms" [0117.640] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\*" [0117.640] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f2e100, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f2e100, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f2e100, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.641] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.641] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.641] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.641] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.641] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.641] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.641] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f2e100, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f2e100, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f2e100, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.641] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.641] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.641] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.641] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.641] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.641] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.641] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.641] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85f2e100, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f2f870, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xcb, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.641] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.641] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.641] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.641] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.641] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.641] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.641] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.641] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\messages.json") returned 155 [0117.641] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.642] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.642] lstrlenW (lpString=".json") returned 5 [0117.642] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.642] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0117.642] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=203) returned 1 [0117.642] CloseHandle (hObject=0x17c) returned 1 [0117.642] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85f2e100, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f2f870, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xcb, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.642] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.642] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\PUSSY.TXT") returned 151 [0117.642] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.643] lstrlenA (lpString="abcd") returned 4 [0117.643] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.643] CloseHandle (hObject=0x1b0) returned 1 [0117.644] GetProcessHeap () returned 0x4c0000 [0117.644] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.644] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f2e100, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f2e100, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f2e100, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="ne", cAlternateFileName="")) returned 1 [0117.644] lstrcmpiW (lpString1="ne", lpString2="Windows") returned -1 [0117.644] lstrcmpiW (lpString1="ne", lpString2="Program Files") returned -1 [0117.644] lstrcmpiW (lpString1="ne", lpString2="Program Files (x86)") returned -1 [0117.644] lstrcmpiW (lpString1="ne", lpString2="$Recycle.bin") returned 1 [0117.644] lstrcmpiW (lpString1="ne", lpString2="System Volume Information") returned -1 [0117.644] lstrcmpiW (lpString1="ne", lpString2=".") returned 1 [0117.644] lstrcmpiW (lpString1="ne", lpString2="..") returned 1 [0117.644] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne") returned 141 [0117.644] GetProcessHeap () returned 0x4c0000 [0117.644] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.644] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne" [0117.644] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\*" [0117.644] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f2e100, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f2e100, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f2e100, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.644] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.644] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.644] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.644] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.644] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.644] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.644] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f2e100, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f2e100, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f2e100, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.645] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.645] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.645] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.645] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.645] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.645] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.645] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.645] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85f2e100, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f2f870, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x47d5c900, ftLastWriteTime.dwHighDateTime=0x1d1781e, nFileSizeHigh=0x0, nFileSizeLow=0x20b, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.645] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.645] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.645] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.645] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.645] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.645] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.645] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.645] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\messages.json") returned 155 [0117.645] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.645] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.645] lstrlenW (lpString=".json") returned 5 [0117.645] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.645] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0117.645] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=523) returned 1 [0117.645] GetProcessHeap () returned 0x4c0000 [0117.646] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x53caf0 [0117.655] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="A9") returned 2 [0117.655] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="A6") returned 2 [0117.655] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="9F") returned 2 [0117.656] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="08") returned 2 [0117.656] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="95") returned 2 [0117.656] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="07") returned 2 [0117.656] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="87") returned 2 [0117.656] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="35") returned 2 [0117.656] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="6E") returned 2 [0117.656] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="3D") returned 2 [0117.656] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="80") returned 2 [0117.656] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="EB") returned 2 [0117.656] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="9D") returned 2 [0117.656] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="C1") returned 2 [0117.656] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="2F") returned 2 [0117.656] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="BF") returned 2 [0117.656] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="EB") returned 2 [0117.656] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="00") returned 2 [0117.656] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="B6") returned 2 [0117.656] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="1B") returned 2 [0117.656] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="A5") returned 2 [0117.656] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="FD") returned 2 [0117.656] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="7C") returned 2 [0117.656] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="42") returned 2 [0117.656] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="FB") returned 2 [0117.656] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="07") returned 2 [0117.656] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="44") returned 2 [0117.656] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="3D") returned 2 [0117.656] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="11") returned 2 [0117.656] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="B5") returned 2 [0117.656] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="6D") returned 2 [0117.656] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="73") returned 2 [0117.666] lstrcpyW (in: lpString1=0x54cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\messages.json" [0117.666] lstrcpyW (in: lpString1=0x53cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\messages.json" [0117.666] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\messages.json", lpString2=".A9A69F08950787356E3D80EB9DC12FBFEB00B61BA5FD7C42FB07443D11B56D73" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\messages.json.A9A69F08950787356E3D80EB9DC12FBFEB00B61BA5FD7C42FB07443D11B56D73") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\messages.json.A9A69F08950787356E3D80EB9DC12FBFEB00B61BA5FD7C42FB07443D11B56D73" [0117.667] CreateIoCompletionPort (FileHandle=0x17c, ExistingCompletionPort=0x94, CompletionKey=0x53caf0, NumberOfConcurrentThreads=0x0) returned 0x94 [0117.667] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x53caf0, lpOverlapped=0x53caf0) returned 1 [0117.667] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85f2e100, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f2f870, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x47d5c900, ftLastWriteTime.dwHighDateTime=0x1d1781e, nFileSizeHigh=0x0, nFileSizeLow=0x20b, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.667] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.667] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\PUSSY.TXT") returned 151 [0117.667] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.668] lstrlenA (lpString="abcd") returned 4 [0117.668] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.669] CloseHandle (hObject=0x1b0) returned 1 [0117.669] GetProcessHeap () returned 0x4c0000 [0117.669] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.669] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f2e100, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f54260, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f54260, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="nl", cAlternateFileName="")) returned 1 [0117.669] lstrcmpiW (lpString1="nl", lpString2="Windows") returned -1 [0117.669] lstrcmpiW (lpString1="nl", lpString2="Program Files") returned -1 [0117.669] lstrcmpiW (lpString1="nl", lpString2="Program Files (x86)") returned -1 [0117.669] lstrcmpiW (lpString1="nl", lpString2="$Recycle.bin") returned 1 [0117.669] lstrcmpiW (lpString1="nl", lpString2="System Volume Information") returned -1 [0117.669] lstrcmpiW (lpString1="nl", lpString2=".") returned 1 [0117.669] lstrcmpiW (lpString1="nl", lpString2="..") returned 1 [0117.670] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl") returned 141 [0117.670] GetProcessHeap () returned 0x4c0000 [0117.670] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.670] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl" [0117.670] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\*" [0117.670] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f2e100, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f54260, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f54260, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.671] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.671] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.671] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.671] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.671] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.671] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.671] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f2e100, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f54260, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f54260, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.671] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.671] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.671] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.671] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.671] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.671] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.671] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.671] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85f54260, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f54260, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb1, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.671] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.671] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.671] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.671] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.672] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.672] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.672] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.672] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\messages.json") returned 155 [0117.672] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.672] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.672] lstrlenW (lpString=".json") returned 5 [0117.672] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.672] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0117.672] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=177) returned 1 [0117.673] CloseHandle (hObject=0x1ac) returned 1 [0117.673] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85f54260, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f54260, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb1, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.673] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.673] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\PUSSY.TXT") returned 151 [0117.673] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.673] lstrlenA (lpString="abcd") returned 4 [0117.673] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.674] CloseHandle (hObject=0x1b0) returned 1 [0117.674] GetProcessHeap () returned 0x4c0000 [0117.674] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.674] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f54260, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f54260, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f54260, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="no", cAlternateFileName="")) returned 1 [0117.674] lstrcmpiW (lpString1="no", lpString2="Windows") returned -1 [0117.674] lstrcmpiW (lpString1="no", lpString2="Program Files") returned -1 [0117.675] lstrcmpiW (lpString1="no", lpString2="Program Files (x86)") returned -1 [0117.675] lstrcmpiW (lpString1="no", lpString2="$Recycle.bin") returned 1 [0117.675] lstrcmpiW (lpString1="no", lpString2="System Volume Information") returned -1 [0117.675] lstrcmpiW (lpString1="no", lpString2=".") returned 1 [0117.675] lstrcmpiW (lpString1="no", lpString2="..") returned 1 [0117.675] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no") returned 141 [0117.675] GetProcessHeap () returned 0x4c0000 [0117.675] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.675] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no" [0117.675] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\*" [0117.675] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f54260, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f54260, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f54260, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.675] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.675] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.675] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.675] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.675] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.675] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.675] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f54260, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f54260, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f54260, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.675] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.675] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.675] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.675] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.675] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.675] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.675] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.675] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85f54260, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f54260, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x47d5c900, ftLastWriteTime.dwHighDateTime=0x1d1781e, nFileSizeHigh=0x0, nFileSizeLow=0x96, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.676] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.676] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.676] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.676] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.676] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.676] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.676] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.676] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\messages.json") returned 155 [0117.676] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.676] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.676] lstrlenW (lpString=".json") returned 5 [0117.676] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.676] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0117.676] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=150) returned 1 [0117.676] CloseHandle (hObject=0x1ac) returned 1 [0117.676] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85f54260, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f54260, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x47d5c900, ftLastWriteTime.dwHighDateTime=0x1d1781e, nFileSizeHigh=0x0, nFileSizeLow=0x96, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.676] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.677] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\PUSSY.TXT") returned 151 [0117.677] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.677] lstrlenA (lpString="abcd") returned 4 [0117.677] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.678] CloseHandle (hObject=0x1b0) returned 1 [0117.678] GetProcessHeap () returned 0x4c0000 [0117.678] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.678] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f54260, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f54260, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f54260, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="pl", cAlternateFileName="")) returned 1 [0117.678] lstrcmpiW (lpString1="pl", lpString2="Windows") returned -1 [0117.678] lstrcmpiW (lpString1="pl", lpString2="Program Files") returned -1 [0117.678] lstrcmpiW (lpString1="pl", lpString2="Program Files (x86)") returned -1 [0117.678] lstrcmpiW (lpString1="pl", lpString2="$Recycle.bin") returned 1 [0117.678] lstrcmpiW (lpString1="pl", lpString2="System Volume Information") returned -1 [0117.678] lstrcmpiW (lpString1="pl", lpString2=".") returned 1 [0117.678] lstrcmpiW (lpString1="pl", lpString2="..") returned 1 [0117.678] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl") returned 141 [0117.679] GetProcessHeap () returned 0x4c0000 [0117.679] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.679] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl" [0117.679] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\*" [0117.679] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f54260, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f54260, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f54260, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.682] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.682] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.682] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.682] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.682] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.682] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.682] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f54260, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f54260, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f54260, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.682] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.682] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.682] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.682] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.682] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.682] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.682] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.682] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85f54260, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f54260, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb4, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.682] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.682] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.682] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.682] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.682] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.683] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.683] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.683] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\messages.json") returned 155 [0117.683] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.683] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.683] lstrlenW (lpString=".json") returned 5 [0117.683] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.683] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0117.683] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=180) returned 1 [0117.683] CloseHandle (hObject=0x1ac) returned 1 [0117.683] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85f54260, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f54260, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb4, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.683] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.683] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\PUSSY.TXT") returned 151 [0117.683] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.684] lstrlenA (lpString="abcd") returned 4 [0117.684] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.685] CloseHandle (hObject=0x1b0) returned 1 [0117.685] GetProcessHeap () returned 0x4c0000 [0117.685] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.685] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f54260, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f54260, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f54260, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="pt_BR", cAlternateFileName="")) returned 1 [0117.685] lstrcmpiW (lpString1="pt_BR", lpString2="Windows") returned -1 [0117.685] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files") returned 1 [0117.685] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files (x86)") returned 1 [0117.685] lstrcmpiW (lpString1="pt_BR", lpString2="$Recycle.bin") returned 1 [0117.685] lstrcmpiW (lpString1="pt_BR", lpString2="System Volume Information") returned -1 [0117.685] lstrcmpiW (lpString1="pt_BR", lpString2=".") returned 1 [0117.686] lstrcmpiW (lpString1="pt_BR", lpString2="..") returned 1 [0117.686] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR") returned 144 [0117.686] GetProcessHeap () returned 0x4c0000 [0117.686] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.686] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR" [0117.686] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR\\*" [0117.686] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f54260, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f54260, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f54260, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.686] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.686] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.686] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.686] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.686] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.686] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.686] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f54260, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f54260, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f54260, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.686] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.686] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.686] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.686] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.686] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.686] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.686] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.686] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85f54260, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f54260, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xbb, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.686] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.687] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.687] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.687] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.687] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.687] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.687] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.687] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR\\messages.json") returned 158 [0117.687] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.687] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.687] lstrlenW (lpString=".json") returned 5 [0117.687] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.687] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_br\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0117.687] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=187) returned 1 [0117.688] CloseHandle (hObject=0x1ac) returned 1 [0117.688] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85f54260, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f54260, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xbb, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.688] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.688] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR\\PUSSY.TXT") returned 154 [0117.688] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_br\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.688] lstrlenA (lpString="abcd") returned 4 [0117.688] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.689] CloseHandle (hObject=0x1b0) returned 1 [0117.689] GetProcessHeap () returned 0x4c0000 [0117.689] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.689] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f54260, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f7a3c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f7a3c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="pt_PT", cAlternateFileName="")) returned 1 [0117.689] lstrcmpiW (lpString1="pt_PT", lpString2="Windows") returned -1 [0117.689] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files") returned 1 [0117.689] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files (x86)") returned 1 [0117.689] lstrcmpiW (lpString1="pt_PT", lpString2="$Recycle.bin") returned 1 [0117.689] lstrcmpiW (lpString1="pt_PT", lpString2="System Volume Information") returned -1 [0117.690] lstrcmpiW (lpString1="pt_PT", lpString2=".") returned 1 [0117.690] lstrcmpiW (lpString1="pt_PT", lpString2="..") returned 1 [0117.690] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT") returned 144 [0117.690] GetProcessHeap () returned 0x4c0000 [0117.690] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.690] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT" [0117.690] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT\\*" [0117.690] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f54260, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f7a3c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f7a3c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.691] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.691] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.691] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.691] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.691] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.691] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.691] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f54260, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f7a3c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f7a3c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.691] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.691] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.691] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.691] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.691] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.691] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.691] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.691] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85f7a3c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f7b360, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xc6, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.691] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.691] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.691] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.691] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.691] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.691] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.691] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.691] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT\\messages.json") returned 158 [0117.691] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.691] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.691] lstrlenW (lpString=".json") returned 5 [0117.691] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.692] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_pt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0117.692] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=198) returned 1 [0117.692] CloseHandle (hObject=0x1ac) returned 1 [0117.692] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85f7a3c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f7b360, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xc6, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.692] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.692] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT\\PUSSY.TXT") returned 154 [0117.692] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_pt\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.695] lstrlenA (lpString="abcd") returned 4 [0117.695] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.696] CloseHandle (hObject=0x1b0) returned 1 [0117.696] GetProcessHeap () returned 0x4c0000 [0117.696] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.696] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f7a3c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f7a3c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f7a3c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="ro", cAlternateFileName="")) returned 1 [0117.696] lstrcmpiW (lpString1="ro", lpString2="Windows") returned -1 [0117.696] lstrcmpiW (lpString1="ro", lpString2="Program Files") returned 1 [0117.696] lstrcmpiW (lpString1="ro", lpString2="Program Files (x86)") returned 1 [0117.696] lstrcmpiW (lpString1="ro", lpString2="$Recycle.bin") returned 1 [0117.696] lstrcmpiW (lpString1="ro", lpString2="System Volume Information") returned -1 [0117.696] lstrcmpiW (lpString1="ro", lpString2=".") returned 1 [0117.696] lstrcmpiW (lpString1="ro", lpString2="..") returned 1 [0117.696] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro") returned 141 [0117.696] GetProcessHeap () returned 0x4c0000 [0117.696] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.696] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro" [0117.696] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\*" [0117.696] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f7a3c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f7a3c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f7a3c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.696] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.696] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.696] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.697] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.697] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.697] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.697] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f7a3c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f7a3c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f7a3c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.697] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.697] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.697] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.697] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.697] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.697] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.697] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.697] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85f7a3c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f7b360, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xaf, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.697] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.697] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.697] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.697] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.697] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.697] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.697] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.697] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\messages.json") returned 155 [0117.697] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.697] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.697] lstrlenW (lpString=".json") returned 5 [0117.697] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.697] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0117.698] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=175) returned 1 [0117.698] CloseHandle (hObject=0x1ac) returned 1 [0117.698] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85f7a3c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f7b360, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xaf, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.698] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.698] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\PUSSY.TXT") returned 151 [0117.698] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.698] lstrlenA (lpString="abcd") returned 4 [0117.698] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.699] CloseHandle (hObject=0x1b0) returned 1 [0117.699] GetProcessHeap () returned 0x4c0000 [0117.699] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.700] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f7a3c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f7a3c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f7a3c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="ru", cAlternateFileName="")) returned 1 [0117.700] lstrcmpiW (lpString1="ru", lpString2="Windows") returned -1 [0117.700] lstrcmpiW (lpString1="ru", lpString2="Program Files") returned 1 [0117.700] lstrcmpiW (lpString1="ru", lpString2="Program Files (x86)") returned 1 [0117.700] lstrcmpiW (lpString1="ru", lpString2="$Recycle.bin") returned 1 [0117.700] lstrcmpiW (lpString1="ru", lpString2="System Volume Information") returned -1 [0117.700] lstrcmpiW (lpString1="ru", lpString2=".") returned 1 [0117.700] lstrcmpiW (lpString1="ru", lpString2="..") returned 1 [0117.700] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru") returned 141 [0117.700] GetProcessHeap () returned 0x4c0000 [0117.700] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.700] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru" [0117.700] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\*" [0117.700] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f7a3c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f7a3c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f7a3c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.701] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.701] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.701] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.701] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.701] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.701] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.701] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f7a3c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f7a3c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f7a3c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.701] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.701] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.701] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.701] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.701] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.701] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.701] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.701] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85f7a3c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f7b360, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x119, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.701] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.701] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.701] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.701] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.701] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.701] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.701] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.701] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\messages.json") returned 155 [0117.702] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.702] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.702] lstrlenW (lpString=".json") returned 5 [0117.702] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.702] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0117.702] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=281) returned 1 [0117.702] CloseHandle (hObject=0x1ac) returned 1 [0117.703] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85f7a3c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f7b360, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x119, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.703] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.703] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\PUSSY.TXT") returned 151 [0117.703] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.703] lstrlenA (lpString="abcd") returned 4 [0117.703] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.704] CloseHandle (hObject=0x1b0) returned 1 [0117.704] GetProcessHeap () returned 0x4c0000 [0117.704] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.705] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f7a3c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f7a3c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f7a3c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="si", cAlternateFileName="")) returned 1 [0117.705] lstrcmpiW (lpString1="si", lpString2="Windows") returned -1 [0117.705] lstrcmpiW (lpString1="si", lpString2="Program Files") returned 1 [0117.705] lstrcmpiW (lpString1="si", lpString2="Program Files (x86)") returned 1 [0117.705] lstrcmpiW (lpString1="si", lpString2="$Recycle.bin") returned 1 [0117.705] lstrcmpiW (lpString1="si", lpString2="System Volume Information") returned -1 [0117.705] lstrcmpiW (lpString1="si", lpString2=".") returned 1 [0117.705] lstrcmpiW (lpString1="si", lpString2="..") returned 1 [0117.705] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si") returned 141 [0117.705] GetProcessHeap () returned 0x4c0000 [0117.705] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.705] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si" [0117.705] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\*" [0117.705] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f7a3c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f7a3c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f7a3c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.705] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.705] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.705] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.705] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.705] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.705] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.705] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f7a3c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f7a3c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f7a3c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.706] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.706] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.706] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.706] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.706] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.706] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.706] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.706] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85f7a3c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f7b360, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x47d5c900, ftLastWriteTime.dwHighDateTime=0x1d1781e, nFileSizeHigh=0x0, nFileSizeLow=0x14e, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.706] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.706] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.706] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.706] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.706] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.706] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.706] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.706] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\messages.json") returned 155 [0117.706] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.706] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.706] lstrlenW (lpString=".json") returned 5 [0117.706] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.706] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0117.706] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=334) returned 1 [0117.707] CloseHandle (hObject=0x1ac) returned 1 [0117.707] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85f7a3c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f7b360, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x47d5c900, ftLastWriteTime.dwHighDateTime=0x1d1781e, nFileSizeHigh=0x0, nFileSizeLow=0x14e, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.707] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.707] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\PUSSY.TXT") returned 151 [0117.707] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.707] lstrlenA (lpString="abcd") returned 4 [0117.707] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.708] CloseHandle (hObject=0x1b0) returned 1 [0117.708] GetProcessHeap () returned 0x4c0000 [0117.708] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.708] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f7a3c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f7a3c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f7a3c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="sk", cAlternateFileName="")) returned 1 [0117.708] lstrcmpiW (lpString1="sk", lpString2="Windows") returned -1 [0117.708] lstrcmpiW (lpString1="sk", lpString2="Program Files") returned 1 [0117.708] lstrcmpiW (lpString1="sk", lpString2="Program Files (x86)") returned 1 [0117.708] lstrcmpiW (lpString1="sk", lpString2="$Recycle.bin") returned 1 [0117.708] lstrcmpiW (lpString1="sk", lpString2="System Volume Information") returned -1 [0117.708] lstrcmpiW (lpString1="sk", lpString2=".") returned 1 [0117.708] lstrcmpiW (lpString1="sk", lpString2="..") returned 1 [0117.708] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk") returned 141 [0117.708] GetProcessHeap () returned 0x4c0000 [0117.709] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.709] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk" [0117.709] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\*" [0117.709] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f7a3c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f7a3c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f7a3c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.710] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.710] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.710] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.710] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.710] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.710] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.710] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f7a3c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f7a3c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f7a3c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.711] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.711] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.711] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.711] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.711] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.711] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.711] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.711] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85f7a3c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f7b360, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xc5, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.711] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.711] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.711] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.711] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.711] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.711] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.711] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.711] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\messages.json") returned 155 [0117.711] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.711] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.711] lstrlenW (lpString=".json") returned 5 [0117.711] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.711] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0117.712] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=197) returned 1 [0117.712] CloseHandle (hObject=0x1ac) returned 1 [0117.712] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85f7a3c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f7b360, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xc5, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.712] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.712] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\PUSSY.TXT") returned 151 [0117.712] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.712] lstrlenA (lpString="abcd") returned 4 [0117.712] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.713] CloseHandle (hObject=0x1b0) returned 1 [0117.714] GetProcessHeap () returned 0x4c0000 [0117.714] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.714] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f7a3c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f7a3c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f7a3c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="sl", cAlternateFileName="")) returned 1 [0117.714] lstrcmpiW (lpString1="sl", lpString2="Windows") returned -1 [0117.714] lstrcmpiW (lpString1="sl", lpString2="Program Files") returned 1 [0117.714] lstrcmpiW (lpString1="sl", lpString2="Program Files (x86)") returned 1 [0117.714] lstrcmpiW (lpString1="sl", lpString2="$Recycle.bin") returned 1 [0117.714] lstrcmpiW (lpString1="sl", lpString2="System Volume Information") returned -1 [0117.714] lstrcmpiW (lpString1="sl", lpString2=".") returned 1 [0117.714] lstrcmpiW (lpString1="sl", lpString2="..") returned 1 [0117.714] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl") returned 141 [0117.714] GetProcessHeap () returned 0x4c0000 [0117.714] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.714] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl" [0117.714] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\*" [0117.714] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f7a3c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f7a3c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f7a3c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.714] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.714] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.714] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.714] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.714] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.714] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.714] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f7a3c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f7a3c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85f7a3c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.715] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.715] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.715] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.715] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.715] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.715] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.715] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.715] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85f7a3c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f7b360, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.715] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.715] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.715] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.715] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.715] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.715] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.715] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.715] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\messages.json") returned 155 [0117.715] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.715] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.715] lstrlenW (lpString=".json") returned 5 [0117.715] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.715] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0117.716] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=190) returned 1 [0117.716] CloseHandle (hObject=0x1ac) returned 1 [0117.716] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85f7a3c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85f7b360, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.716] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.716] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\PUSSY.TXT") returned 151 [0117.716] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.716] lstrlenA (lpString="abcd") returned 4 [0117.716] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.717] CloseHandle (hObject=0x1b0) returned 1 [0117.717] GetProcessHeap () returned 0x4c0000 [0117.717] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.717] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85fa0520, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fa0520, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85fa0520, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="sr", cAlternateFileName="")) returned 1 [0117.717] lstrcmpiW (lpString1="sr", lpString2="Windows") returned -1 [0117.717] lstrcmpiW (lpString1="sr", lpString2="Program Files") returned 1 [0117.717] lstrcmpiW (lpString1="sr", lpString2="Program Files (x86)") returned 1 [0117.717] lstrcmpiW (lpString1="sr", lpString2="$Recycle.bin") returned 1 [0117.718] lstrcmpiW (lpString1="sr", lpString2="System Volume Information") returned -1 [0117.718] lstrcmpiW (lpString1="sr", lpString2=".") returned 1 [0117.718] lstrcmpiW (lpString1="sr", lpString2="..") returned 1 [0117.718] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr") returned 141 [0117.718] GetProcessHeap () returned 0x4c0000 [0117.718] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.718] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr" [0117.718] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\*" [0117.718] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85fa0520, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fa0520, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85fa0520, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.719] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.719] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.719] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.719] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.719] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.719] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.719] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85fa0520, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fa0520, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85fa0520, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.719] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.720] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.720] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.720] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.720] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.720] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.720] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.720] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85fa0520, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fa2460, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x104, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.720] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.720] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.720] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.720] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.720] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.720] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.720] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.720] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\messages.json") returned 155 [0117.720] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.720] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.720] lstrlenW (lpString=".json") returned 5 [0117.720] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.720] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0117.720] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=260) returned 1 [0117.721] CloseHandle (hObject=0x1ac) returned 1 [0117.721] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85fa0520, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fa2460, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x104, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.721] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.721] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\PUSSY.TXT") returned 151 [0117.721] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.721] lstrlenA (lpString="abcd") returned 4 [0117.721] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.722] CloseHandle (hObject=0x1b0) returned 1 [0117.722] GetProcessHeap () returned 0x4c0000 [0117.722] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.722] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85fa0520, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fa0520, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85fa0520, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="sv", cAlternateFileName="")) returned 1 [0117.722] lstrcmpiW (lpString1="sv", lpString2="Windows") returned -1 [0117.722] lstrcmpiW (lpString1="sv", lpString2="Program Files") returned 1 [0117.722] lstrcmpiW (lpString1="sv", lpString2="Program Files (x86)") returned 1 [0117.722] lstrcmpiW (lpString1="sv", lpString2="$Recycle.bin") returned 1 [0117.722] lstrcmpiW (lpString1="sv", lpString2="System Volume Information") returned -1 [0117.722] lstrcmpiW (lpString1="sv", lpString2=".") returned 1 [0117.722] lstrcmpiW (lpString1="sv", lpString2="..") returned 1 [0117.723] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv") returned 141 [0117.723] GetProcessHeap () returned 0x4c0000 [0117.723] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.723] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv" [0117.723] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\*" [0117.723] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85fa0520, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fa0520, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85fa0520, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.723] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.723] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.723] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.723] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.723] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.723] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.723] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85fa0520, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fa0520, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85fa0520, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.723] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.723] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.723] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.723] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.723] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.723] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.723] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.723] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85fa0520, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fa2460, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.723] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.723] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.723] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.723] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.724] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.724] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.724] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.724] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\messages.json") returned 155 [0117.724] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.724] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.724] lstrlenW (lpString=".json") returned 5 [0117.724] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.724] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0117.724] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=179) returned 1 [0117.724] CloseHandle (hObject=0x1ac) returned 1 [0117.724] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85fa0520, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fa2460, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.724] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.724] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\PUSSY.TXT") returned 151 [0117.724] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.725] lstrlenA (lpString="abcd") returned 4 [0117.725] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.726] CloseHandle (hObject=0x1b0) returned 1 [0117.726] GetProcessHeap () returned 0x4c0000 [0117.726] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.726] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85fa0520, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fa0520, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85fa0520, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="sw", cAlternateFileName="")) returned 1 [0117.726] lstrcmpiW (lpString1="sw", lpString2="Windows") returned -1 [0117.726] lstrcmpiW (lpString1="sw", lpString2="Program Files") returned 1 [0117.726] lstrcmpiW (lpString1="sw", lpString2="Program Files (x86)") returned 1 [0117.726] lstrcmpiW (lpString1="sw", lpString2="$Recycle.bin") returned 1 [0117.726] lstrcmpiW (lpString1="sw", lpString2="System Volume Information") returned -1 [0117.726] lstrcmpiW (lpString1="sw", lpString2=".") returned 1 [0117.726] lstrcmpiW (lpString1="sw", lpString2="..") returned 1 [0117.726] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw") returned 141 [0117.726] GetProcessHeap () returned 0x4c0000 [0117.726] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.726] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw" [0117.726] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\*" [0117.726] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85fa0520, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fa0520, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85fa0520, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.727] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.727] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.727] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.727] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.727] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.727] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.727] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85fa0520, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fa0520, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85fa0520, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.727] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.727] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.727] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.728] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.728] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.728] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.728] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.728] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85fa0520, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fa2460, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xc4, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.728] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.728] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.728] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.728] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.728] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.728] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.728] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.728] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\messages.json") returned 155 [0117.728] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.728] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.728] lstrlenW (lpString=".json") returned 5 [0117.728] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.728] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0117.729] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=196) returned 1 [0117.729] CloseHandle (hObject=0x1ac) returned 1 [0117.729] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85fa0520, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fa2460, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xc4, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.729] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.729] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\PUSSY.TXT") returned 151 [0117.729] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.729] lstrlenA (lpString="abcd") returned 4 [0117.729] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.730] CloseHandle (hObject=0x1b0) returned 1 [0117.730] GetProcessHeap () returned 0x4c0000 [0117.731] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.731] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85fa0520, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fa0520, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85fa0520, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="ta", cAlternateFileName="")) returned 1 [0117.731] lstrcmpiW (lpString1="ta", lpString2="Windows") returned -1 [0117.731] lstrcmpiW (lpString1="ta", lpString2="Program Files") returned 1 [0117.731] lstrcmpiW (lpString1="ta", lpString2="Program Files (x86)") returned 1 [0117.731] lstrcmpiW (lpString1="ta", lpString2="$Recycle.bin") returned 1 [0117.731] lstrcmpiW (lpString1="ta", lpString2="System Volume Information") returned 1 [0117.731] lstrcmpiW (lpString1="ta", lpString2=".") returned 1 [0117.731] lstrcmpiW (lpString1="ta", lpString2="..") returned 1 [0117.731] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta") returned 141 [0117.731] GetProcessHeap () returned 0x4c0000 [0117.731] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.731] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta" [0117.731] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\*" [0117.731] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85fa0520, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fa0520, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85fa0520, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.731] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.731] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.731] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.731] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.731] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.731] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.731] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85fa0520, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fa0520, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85fa0520, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.732] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.732] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.732] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.732] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.732] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.732] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.732] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.732] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85fa0520, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fa2460, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x150, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.732] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.732] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.732] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.732] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.732] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.732] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.732] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.732] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\messages.json") returned 155 [0117.732] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.732] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.732] lstrlenW (lpString=".json") returned 5 [0117.732] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.732] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0117.732] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=336) returned 1 [0117.732] CloseHandle (hObject=0x1ac) returned 1 [0117.733] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85fa0520, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fa2460, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x150, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.733] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.733] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\PUSSY.TXT") returned 151 [0117.733] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.733] lstrlenA (lpString="abcd") returned 4 [0117.733] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.734] CloseHandle (hObject=0x1b0) returned 1 [0117.734] GetProcessHeap () returned 0x4c0000 [0117.734] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.734] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85fa0520, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fa0520, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85fa0520, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="te", cAlternateFileName="")) returned 1 [0117.734] lstrcmpiW (lpString1="te", lpString2="Windows") returned -1 [0117.734] lstrcmpiW (lpString1="te", lpString2="Program Files") returned 1 [0117.734] lstrcmpiW (lpString1="te", lpString2="Program Files (x86)") returned 1 [0117.734] lstrcmpiW (lpString1="te", lpString2="$Recycle.bin") returned 1 [0117.734] lstrcmpiW (lpString1="te", lpString2="System Volume Information") returned 1 [0117.734] lstrcmpiW (lpString1="te", lpString2=".") returned 1 [0117.734] lstrcmpiW (lpString1="te", lpString2="..") returned 1 [0117.734] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te") returned 141 [0117.734] GetProcessHeap () returned 0x4c0000 [0117.734] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.734] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te" [0117.734] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\*" [0117.734] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85fa0520, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fa0520, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85fa0520, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.735] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.735] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.735] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.735] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.735] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.735] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.735] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85fa0520, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fa0520, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85fa0520, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.735] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.736] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.736] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.736] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.736] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.736] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.736] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.736] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85fa0520, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fa2460, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x115, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.736] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.736] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.736] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.736] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.736] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.736] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.736] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.736] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\messages.json") returned 155 [0117.736] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.736] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.736] lstrlenW (lpString=".json") returned 5 [0117.736] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.736] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0117.736] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=277) returned 1 [0117.736] CloseHandle (hObject=0x1ac) returned 1 [0117.737] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85fa0520, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fa2460, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x115, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.737] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.737] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\PUSSY.TXT") returned 151 [0117.737] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.737] lstrlenA (lpString="abcd") returned 4 [0117.737] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.738] CloseHandle (hObject=0x1b0) returned 1 [0117.738] GetProcessHeap () returned 0x4c0000 [0117.738] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.738] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85fc6680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fc6680, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85fc6680, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="th", cAlternateFileName="")) returned 1 [0117.738] lstrcmpiW (lpString1="th", lpString2="Windows") returned -1 [0117.738] lstrcmpiW (lpString1="th", lpString2="Program Files") returned 1 [0117.738] lstrcmpiW (lpString1="th", lpString2="Program Files (x86)") returned 1 [0117.738] lstrcmpiW (lpString1="th", lpString2="$Recycle.bin") returned 1 [0117.738] lstrcmpiW (lpString1="th", lpString2="System Volume Information") returned 1 [0117.738] lstrcmpiW (lpString1="th", lpString2=".") returned 1 [0117.738] lstrcmpiW (lpString1="th", lpString2="..") returned 1 [0117.738] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th") returned 141 [0117.738] GetProcessHeap () returned 0x4c0000 [0117.738] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.738] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th" [0117.739] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\*" [0117.739] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85fc6680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fc6680, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85fc6680, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.739] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.739] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.739] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.739] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.739] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.739] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.739] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85fc6680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fc6680, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85fc6680, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.739] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.739] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.739] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.739] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.739] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.739] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.739] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.739] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85fc6680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fc6e50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x125, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.739] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.739] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.739] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.739] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.739] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.739] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.740] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.740] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\messages.json") returned 155 [0117.740] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.740] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.740] lstrlenW (lpString=".json") returned 5 [0117.740] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.740] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0117.740] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=293) returned 1 [0117.740] CloseHandle (hObject=0x1ac) returned 1 [0117.740] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85fc6680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fc6e50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x125, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.740] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.740] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\PUSSY.TXT") returned 151 [0117.740] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.741] lstrlenA (lpString="abcd") returned 4 [0117.741] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.742] CloseHandle (hObject=0x1b0) returned 1 [0117.742] GetProcessHeap () returned 0x4c0000 [0117.742] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.742] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85fc6680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fc6680, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85fc6680, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="tr", cAlternateFileName="")) returned 1 [0117.742] lstrcmpiW (lpString1="tr", lpString2="Windows") returned -1 [0117.742] lstrcmpiW (lpString1="tr", lpString2="Program Files") returned 1 [0117.742] lstrcmpiW (lpString1="tr", lpString2="Program Files (x86)") returned 1 [0117.742] lstrcmpiW (lpString1="tr", lpString2="$Recycle.bin") returned 1 [0117.742] lstrcmpiW (lpString1="tr", lpString2="System Volume Information") returned 1 [0117.742] lstrcmpiW (lpString1="tr", lpString2=".") returned 1 [0117.742] lstrcmpiW (lpString1="tr", lpString2="..") returned 1 [0117.742] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr") returned 141 [0117.742] GetProcessHeap () returned 0x4c0000 [0117.742] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.742] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr" [0117.742] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\*" [0117.742] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85fc6680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fc6680, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85fc6680, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.744] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.744] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.744] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.744] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.744] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.744] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.744] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85fc6680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fc6680, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85fc6680, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.744] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.744] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.744] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.744] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.744] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.744] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.744] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.744] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85fc6680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fc6e50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xcd, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.744] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.744] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.744] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.744] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.744] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.744] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.744] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.744] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\messages.json") returned 155 [0117.744] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.744] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.744] lstrlenW (lpString=".json") returned 5 [0117.744] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.745] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0117.745] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=205) returned 1 [0117.745] CloseHandle (hObject=0x1ac) returned 1 [0117.745] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85fc6680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fc6e50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xcd, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.745] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.745] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\PUSSY.TXT") returned 151 [0117.745] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.746] lstrlenA (lpString="abcd") returned 4 [0117.746] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.747] CloseHandle (hObject=0x1b0) returned 1 [0117.747] GetProcessHeap () returned 0x4c0000 [0117.747] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.747] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85fc6680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fc6680, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85fc6680, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="uk", cAlternateFileName="")) returned 1 [0117.747] lstrcmpiW (lpString1="uk", lpString2="Windows") returned -1 [0117.747] lstrcmpiW (lpString1="uk", lpString2="Program Files") returned 1 [0117.747] lstrcmpiW (lpString1="uk", lpString2="Program Files (x86)") returned 1 [0117.747] lstrcmpiW (lpString1="uk", lpString2="$Recycle.bin") returned 1 [0117.747] lstrcmpiW (lpString1="uk", lpString2="System Volume Information") returned 1 [0117.747] lstrcmpiW (lpString1="uk", lpString2=".") returned 1 [0117.747] lstrcmpiW (lpString1="uk", lpString2="..") returned 1 [0117.747] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk") returned 141 [0117.747] GetProcessHeap () returned 0x4c0000 [0117.747] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.748] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk" [0117.748] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\*" [0117.748] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85fc6680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fc6680, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85fc6680, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.748] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.748] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.748] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.748] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.748] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.748] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.748] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85fc6680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fc6680, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85fc6680, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.748] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.748] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.748] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.748] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.748] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.748] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.748] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.748] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85fc6680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fc6e50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x115, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.748] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.748] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.748] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.748] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.748] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.749] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.749] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.749] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\messages.json") returned 155 [0117.749] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.749] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.749] lstrlenW (lpString=".json") returned 5 [0117.749] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.749] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0117.749] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=277) returned 1 [0117.749] CloseHandle (hObject=0x1ac) returned 1 [0117.749] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85fc6680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fc6e50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x115, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.749] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.749] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\PUSSY.TXT") returned 151 [0117.749] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.750] lstrlenA (lpString="abcd") returned 4 [0117.750] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.751] CloseHandle (hObject=0x1b0) returned 1 [0117.751] GetProcessHeap () returned 0x4c0000 [0117.751] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.751] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85fc6680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fc6680, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85fc6680, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="ur", cAlternateFileName="")) returned 1 [0117.751] lstrcmpiW (lpString1="ur", lpString2="Windows") returned -1 [0117.751] lstrcmpiW (lpString1="ur", lpString2="Program Files") returned 1 [0117.751] lstrcmpiW (lpString1="ur", lpString2="Program Files (x86)") returned 1 [0117.751] lstrcmpiW (lpString1="ur", lpString2="$Recycle.bin") returned 1 [0117.751] lstrcmpiW (lpString1="ur", lpString2="System Volume Information") returned 1 [0117.751] lstrcmpiW (lpString1="ur", lpString2=".") returned 1 [0117.751] lstrcmpiW (lpString1="ur", lpString2="..") returned 1 [0117.751] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur") returned 141 [0117.751] GetProcessHeap () returned 0x4c0000 [0117.751] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.751] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur" [0117.751] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\*" [0117.751] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85fc6680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fc6680, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85fc6680, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.752] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.752] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.752] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.752] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.752] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.752] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.752] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85fc6680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fc6680, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85fc6680, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.752] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.752] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.752] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.752] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.753] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.753] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.753] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.753] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85fc6680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fc6e50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x47d5c900, ftLastWriteTime.dwHighDateTime=0x1d1781e, nFileSizeHigh=0x0, nFileSizeLow=0x177, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.753] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.753] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.753] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.753] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.753] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.753] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.753] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.753] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\messages.json") returned 155 [0117.753] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.753] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.753] lstrlenW (lpString=".json") returned 5 [0117.753] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.753] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0117.753] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=375) returned 1 [0117.753] CloseHandle (hObject=0x1ac) returned 1 [0117.754] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85fc6680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fc6e50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x47d5c900, ftLastWriteTime.dwHighDateTime=0x1d1781e, nFileSizeHigh=0x0, nFileSizeLow=0x177, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.754] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.754] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\PUSSY.TXT") returned 151 [0117.754] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.754] lstrlenA (lpString="abcd") returned 4 [0117.754] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.755] CloseHandle (hObject=0x1b0) returned 1 [0117.755] GetProcessHeap () returned 0x4c0000 [0117.755] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.755] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85fc6680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fc6680, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85fc6680, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="vi", cAlternateFileName="")) returned 1 [0117.755] lstrcmpiW (lpString1="vi", lpString2="Windows") returned -1 [0117.755] lstrcmpiW (lpString1="vi", lpString2="Program Files") returned 1 [0117.755] lstrcmpiW (lpString1="vi", lpString2="Program Files (x86)") returned 1 [0117.755] lstrcmpiW (lpString1="vi", lpString2="$Recycle.bin") returned 1 [0117.755] lstrcmpiW (lpString1="vi", lpString2="System Volume Information") returned 1 [0117.755] lstrcmpiW (lpString1="vi", lpString2=".") returned 1 [0117.755] lstrcmpiW (lpString1="vi", lpString2="..") returned 1 [0117.755] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi") returned 141 [0117.755] GetProcessHeap () returned 0x4c0000 [0117.755] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.755] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi" [0117.755] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\*" [0117.756] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85fc6680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fc6680, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85fc6680, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.756] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.756] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.756] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.756] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.756] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.756] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.756] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85fc6680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fc6680, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85fc6680, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.756] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.756] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.756] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.756] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.756] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.756] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.756] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.756] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85fc6680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fc6e50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xdd, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.756] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.756] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.756] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.756] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.756] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.756] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.756] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.757] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\messages.json") returned 155 [0117.757] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.757] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.757] lstrlenW (lpString=".json") returned 5 [0117.757] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.757] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0117.757] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=221) returned 1 [0117.757] CloseHandle (hObject=0x1ac) returned 1 [0117.757] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85fc6680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fc6e50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xdd, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.757] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.757] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\PUSSY.TXT") returned 151 [0117.757] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.758] lstrlenA (lpString="abcd") returned 4 [0117.758] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.759] CloseHandle (hObject=0x1b0) returned 1 [0117.759] GetProcessHeap () returned 0x4c0000 [0117.759] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.759] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85fec7e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fec7e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85fec7e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="zh_CN", cAlternateFileName="")) returned 1 [0117.759] lstrcmpiW (lpString1="zh_CN", lpString2="Windows") returned 1 [0117.759] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files") returned 1 [0117.759] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files (x86)") returned 1 [0117.759] lstrcmpiW (lpString1="zh_CN", lpString2="$Recycle.bin") returned 1 [0117.759] lstrcmpiW (lpString1="zh_CN", lpString2="System Volume Information") returned 1 [0117.759] lstrcmpiW (lpString1="zh_CN", lpString2=".") returned 1 [0117.759] lstrcmpiW (lpString1="zh_CN", lpString2="..") returned 1 [0117.759] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN") returned 144 [0117.759] GetProcessHeap () returned 0x4c0000 [0117.759] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.759] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN" [0117.759] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN\\*" [0117.759] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85fec7e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fec7e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85fec7e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.760] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.760] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.760] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.760] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.761] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.761] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.761] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85fec7e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fec7e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85fec7e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.761] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.761] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.761] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.761] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.761] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.761] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.761] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.761] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85fec7e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fedf50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.761] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.761] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.761] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.761] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.761] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.761] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.761] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.761] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN\\messages.json") returned 158 [0117.761] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.761] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.761] lstrlenW (lpString=".json") returned 5 [0117.761] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.761] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_cn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0117.762] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=176) returned 1 [0117.762] CloseHandle (hObject=0x1ac) returned 1 [0117.766] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85fec7e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fedf50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.766] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.766] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN\\PUSSY.TXT") returned 154 [0117.766] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_cn\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.767] lstrlenA (lpString="abcd") returned 4 [0117.767] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.768] CloseHandle (hObject=0x1b0) returned 1 [0117.768] GetProcessHeap () returned 0x4c0000 [0117.768] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.768] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85fec7e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fec7e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85fec7e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="zh_HK", cAlternateFileName="")) returned 1 [0117.768] lstrcmpiW (lpString1="zh_HK", lpString2="Windows") returned 1 [0117.768] lstrcmpiW (lpString1="zh_HK", lpString2="Program Files") returned 1 [0117.768] lstrcmpiW (lpString1="zh_HK", lpString2="Program Files (x86)") returned 1 [0117.768] lstrcmpiW (lpString1="zh_HK", lpString2="$Recycle.bin") returned 1 [0117.768] lstrcmpiW (lpString1="zh_HK", lpString2="System Volume Information") returned 1 [0117.768] lstrcmpiW (lpString1="zh_HK", lpString2=".") returned 1 [0117.768] lstrcmpiW (lpString1="zh_HK", lpString2="..") returned 1 [0117.768] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK") returned 144 [0117.768] GetProcessHeap () returned 0x4c0000 [0117.768] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.768] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK" [0117.768] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK\\*" [0117.768] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85fec7e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fec7e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85fec7e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.768] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.768] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.769] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.769] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.769] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.769] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.769] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85fec7e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fec7e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85fec7e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.769] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.769] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.769] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.769] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.769] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.769] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.769] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.769] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85fec7e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fedf50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x47d5c900, ftLastWriteTime.dwHighDateTime=0x1d1781e, nFileSizeHigh=0x0, nFileSizeLow=0xd2, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.769] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.769] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.769] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.769] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.769] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.769] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.769] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.769] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK\\messages.json") returned 158 [0117.769] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.769] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.769] lstrlenW (lpString=".json") returned 5 [0117.769] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.769] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_hk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0117.770] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=210) returned 1 [0117.770] CloseHandle (hObject=0x1ac) returned 1 [0117.770] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85fec7e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fedf50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x47d5c900, ftLastWriteTime.dwHighDateTime=0x1d1781e, nFileSizeHigh=0x0, nFileSizeLow=0xd2, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.770] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.770] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK\\PUSSY.TXT") returned 154 [0117.770] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_hk\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.770] lstrlenA (lpString="abcd") returned 4 [0117.770] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.771] CloseHandle (hObject=0x1b0) returned 1 [0117.771] GetProcessHeap () returned 0x4c0000 [0117.771] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.771] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85fec7e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fec7e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85fec7e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="zh_TW", cAlternateFileName="")) returned 1 [0117.771] lstrcmpiW (lpString1="zh_TW", lpString2="Windows") returned 1 [0117.771] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files") returned 1 [0117.772] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files (x86)") returned 1 [0117.772] lstrcmpiW (lpString1="zh_TW", lpString2="$Recycle.bin") returned 1 [0117.772] lstrcmpiW (lpString1="zh_TW", lpString2="System Volume Information") returned 1 [0117.772] lstrcmpiW (lpString1="zh_TW", lpString2=".") returned 1 [0117.772] lstrcmpiW (lpString1="zh_TW", lpString2="..") returned 1 [0117.772] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW") returned 144 [0117.772] GetProcessHeap () returned 0x4c0000 [0117.772] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.772] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW" [0117.772] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW\\*" [0117.772] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85fec7e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fec7e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85fec7e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.773] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.773] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.773] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.773] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.773] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.773] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.773] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85fec7e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fec7e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85fec7e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.773] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.773] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.773] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.773] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.773] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.773] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.773] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.773] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85fec7e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fedf50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xaa, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.773] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.773] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.773] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.773] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.773] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.773] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.773] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.774] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW\\messages.json") returned 158 [0117.774] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.774] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.774] lstrlenW (lpString=".json") returned 5 [0117.774] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.774] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_tw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0117.774] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=170) returned 1 [0117.774] CloseHandle (hObject=0x1ac) returned 1 [0117.774] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85fec7e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fedf50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xaa, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.774] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.774] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW\\PUSSY.TXT") returned 154 [0117.774] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_tw\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.775] lstrlenA (lpString="abcd") returned 4 [0117.775] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.776] CloseHandle (hObject=0x1b0) returned 1 [0117.776] GetProcessHeap () returned 0x4c0000 [0117.776] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.776] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85fec7e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fec7e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85fec7e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="zu", cAlternateFileName="")) returned 1 [0117.776] lstrcmpiW (lpString1="zu", lpString2="Windows") returned 1 [0117.776] lstrcmpiW (lpString1="zu", lpString2="Program Files") returned 1 [0117.776] lstrcmpiW (lpString1="zu", lpString2="Program Files (x86)") returned 1 [0117.776] lstrcmpiW (lpString1="zu", lpString2="$Recycle.bin") returned 1 [0117.776] lstrcmpiW (lpString1="zu", lpString2="System Volume Information") returned 1 [0117.776] lstrcmpiW (lpString1="zu", lpString2=".") returned 1 [0117.776] lstrcmpiW (lpString1="zu", lpString2="..") returned 1 [0117.776] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu") returned 141 [0117.776] GetProcessHeap () returned 0x4c0000 [0117.776] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0117.776] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu" [0117.776] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\*" [0117.776] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85fec7e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fec7e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85fec7e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0117.777] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.777] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.777] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.777] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.777] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.777] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.777] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85fec7e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fec7e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85fec7e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.777] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.777] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.777] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.777] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.777] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.777] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.777] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.777] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85fec7e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fedf50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x47d5c900, ftLastWriteTime.dwHighDateTime=0x1d1781e, nFileSizeHigh=0x0, nFileSizeLow=0xc2, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0117.777] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0117.777] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0117.777] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0117.777] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0117.777] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0117.777] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0117.777] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0117.777] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\messages.json") returned 155 [0117.777] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0117.777] PathFindExtensionW (pszPath="messages.json") returned=".json" [0117.777] lstrlenW (lpString=".json") returned 5 [0117.778] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0117.778] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0117.778] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=194) returned 1 [0117.778] CloseHandle (hObject=0x1ac) returned 1 [0117.778] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85fec7e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fedf50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x47d5c900, ftLastWriteTime.dwHighDateTime=0x1d1781e, nFileSizeHigh=0x0, nFileSizeLow=0xc2, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0117.778] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0117.778] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\PUSSY.TXT") returned 151 [0117.778] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0117.779] lstrlenA (lpString="abcd") returned 4 [0117.779] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0117.780] CloseHandle (hObject=0x1b0) returned 1 [0117.780] GetProcessHeap () returned 0x4c0000 [0117.780] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.780] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85fec7e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85fec7e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85fec7e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="zu", cAlternateFileName="")) returned 0 [0117.780] FindClose (in: hFindFile=0x3bb71e0 | out: hFindFile=0x3bb71e0) returned 1 [0117.780] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\PUSSY.TXT") returned 148 [0117.780] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0117.780] lstrlenA (lpString="abcd") returned 4 [0117.780] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2899ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x2899ac*=0x4, lpOverlapped=0x0) returned 1 [0117.782] CloseHandle (hObject=0x184) returned 1 [0117.782] GetProcessHeap () returned 0x4c0000 [0117.782] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0117.786] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86012940, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8636e710, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8636e710, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="_metadata", cAlternateFileName="_METAD~1")) returned 1 [0117.786] lstrcmpiW (lpString1="_metadata", lpString2="Windows") returned -1 [0117.786] lstrcmpiW (lpString1="_metadata", lpString2="Program Files") returned -1 [0117.786] lstrcmpiW (lpString1="_metadata", lpString2="Program Files (x86)") returned -1 [0117.786] lstrcmpiW (lpString1="_metadata", lpString2="$Recycle.bin") returned 1 [0117.786] lstrcmpiW (lpString1="_metadata", lpString2="System Volume Information") returned -1 [0117.786] lstrcmpiW (lpString1="_metadata", lpString2=".") returned 1 [0117.786] lstrcmpiW (lpString1="_metadata", lpString2="..") returned 1 [0117.786] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata") returned 139 [0117.786] GetProcessHeap () returned 0x4c0000 [0117.786] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0117.787] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata" [0117.787] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\*" [0117.787] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\*", lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86012940, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8636e710, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8636e710, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb71e0 [0117.798] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.798] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.798] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.798] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.798] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.798] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.798] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86012940, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8636e710, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8636e710, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0117.799] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.799] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.799] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.799] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.799] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.799] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.799] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.799] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8636e710, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8636e710, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8636e710, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xaf3, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="computed_hashes.json", cAlternateFileName="COMPUT~1.JSO")) returned 1 [0117.799] lstrcmpiW (lpString1="computed_hashes.json", lpString2="Windows") returned -1 [0117.799] lstrcmpiW (lpString1="computed_hashes.json", lpString2="Program Files") returned -1 [0117.799] lstrcmpiW (lpString1="computed_hashes.json", lpString2="Program Files (x86)") returned -1 [0117.799] lstrcmpiW (lpString1="computed_hashes.json", lpString2="$Recycle.bin") returned 1 [0117.799] lstrcmpiW (lpString1="computed_hashes.json", lpString2="System Volume Information") returned -1 [0117.799] lstrcmpiW (lpString1="computed_hashes.json", lpString2=".") returned 1 [0117.799] lstrcmpiW (lpString1="computed_hashes.json", lpString2="..") returned 1 [0117.799] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\computed_hashes.json") returned 160 [0117.799] lstrcmpW (lpString1="computed_hashes.json", lpString2="PUSSY.TXT") returned -1 [0117.799] PathFindExtensionW (pszPath="computed_hashes.json") returned=".json" [0117.799] lstrlenW (lpString=".json") returned 5 [0117.799] SystemFunction036 (in: RandomBuffer=0x289644, RandomBufferLength=0x20 | out: RandomBuffer=0x289644) returned 1 [0117.799] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\computed_hashes.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\computed_hashes.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0117.800] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x289638 | out: lpFileSize=0x289638*=2803) returned 1 [0117.800] GetProcessHeap () returned 0x4c0000 [0117.800] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3ca0008 [0117.821] wsprintfW (in: param_1=0x289686, param_2="%02X" | out: param_1="26") returned 2 [0117.821] wsprintfW (in: param_1=0x28968a, param_2="%02X" | out: param_1="C7") returned 2 [0117.821] wsprintfW (in: param_1=0x28968e, param_2="%02X" | out: param_1="CB") returned 2 [0117.821] wsprintfW (in: param_1=0x289692, param_2="%02X" | out: param_1="B6") returned 2 [0117.821] wsprintfW (in: param_1=0x289696, param_2="%02X" | out: param_1="99") returned 2 [0117.821] wsprintfW (in: param_1=0x28969a, param_2="%02X" | out: param_1="E1") returned 2 [0117.821] wsprintfW (in: param_1=0x28969e, param_2="%02X" | out: param_1="9C") returned 2 [0117.821] wsprintfW (in: param_1=0x2896a2, param_2="%02X" | out: param_1="83") returned 2 [0117.821] wsprintfW (in: param_1=0x2896a6, param_2="%02X" | out: param_1="C6") returned 2 [0117.821] wsprintfW (in: param_1=0x2896aa, param_2="%02X" | out: param_1="A6") returned 2 [0117.821] wsprintfW (in: param_1=0x2896ae, param_2="%02X" | out: param_1="63") returned 2 [0117.821] wsprintfW (in: param_1=0x2896b2, param_2="%02X" | out: param_1="6E") returned 2 [0117.821] wsprintfW (in: param_1=0x2896b6, param_2="%02X" | out: param_1="E3") returned 2 [0117.821] wsprintfW (in: param_1=0x2896ba, param_2="%02X" | out: param_1="32") returned 2 [0117.821] wsprintfW (in: param_1=0x2896be, param_2="%02X" | out: param_1="28") returned 2 [0117.821] wsprintfW (in: param_1=0x2896c2, param_2="%02X" | out: param_1="FA") returned 2 [0117.821] wsprintfW (in: param_1=0x2896c6, param_2="%02X" | out: param_1="DD") returned 2 [0117.821] wsprintfW (in: param_1=0x2896ca, param_2="%02X" | out: param_1="55") returned 2 [0117.821] wsprintfW (in: param_1=0x2896ce, param_2="%02X" | out: param_1="AD") returned 2 [0117.821] wsprintfW (in: param_1=0x2896d2, param_2="%02X" | out: param_1="13") returned 2 [0117.821] wsprintfW (in: param_1=0x2896d6, param_2="%02X" | out: param_1="AD") returned 2 [0117.821] wsprintfW (in: param_1=0x2896da, param_2="%02X" | out: param_1="75") returned 2 [0117.821] wsprintfW (in: param_1=0x2896de, param_2="%02X" | out: param_1="9A") returned 2 [0117.821] wsprintfW (in: param_1=0x2896e2, param_2="%02X" | out: param_1="9E") returned 2 [0117.822] wsprintfW (in: param_1=0x2896e6, param_2="%02X" | out: param_1="DA") returned 2 [0117.822] wsprintfW (in: param_1=0x2896ea, param_2="%02X" | out: param_1="C6") returned 2 [0117.822] wsprintfW (in: param_1=0x2896ee, param_2="%02X" | out: param_1="E0") returned 2 [0117.822] wsprintfW (in: param_1=0x2896f2, param_2="%02X" | out: param_1="2C") returned 2 [0117.822] wsprintfW (in: param_1=0x2896f6, param_2="%02X" | out: param_1="9E") returned 2 [0117.822] wsprintfW (in: param_1=0x2896fa, param_2="%02X" | out: param_1="5E") returned 2 [0117.822] wsprintfW (in: param_1=0x2896fe, param_2="%02X" | out: param_1="19") returned 2 [0117.822] wsprintfW (in: param_1=0x289702, param_2="%02X" | out: param_1="7E") returned 2 [0117.832] lstrcpyW (in: lpString1=0x3cb003c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\computed_hashes.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\computed_hashes.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\computed_hashes.json" [0117.832] lstrcpyW (in: lpString1=0x3ca003c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\computed_hashes.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\computed_hashes.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\computed_hashes.json" [0117.832] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\computed_hashes.json", lpString2=".26C7CBB699E19C83C6A6636EE33228FADD55AD13AD759A9EDAC6E02C9E5E197E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\computed_hashes.json.26C7CBB699E19C83C6A6636EE33228FADD55AD13AD759A9EDAC6E02C9E5E197E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\computed_hashes.json.26C7CBB699E19C83C6A6636EE33228FADD55AD13AD759A9EDAC6E02C9E5E197E" [0117.832] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x3ca0008, NumberOfConcurrentThreads=0x0) returned 0x94 [0117.832] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3ca0008, lpOverlapped=0x3ca0008) returned 1 [0117.832] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86012940, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86012940, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x47d5c900, ftLastWriteTime.dwHighDateTime=0x1d1781e, nFileSizeHigh=0x0, nFileSizeLow=0x4454, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="verified_contents.json", cAlternateFileName="VERIFI~1.JSO")) returned 1 [0117.833] lstrcmpiW (lpString1="verified_contents.json", lpString2="Windows") returned -1 [0117.833] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files") returned 1 [0117.836] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files (x86)") returned 1 [0117.836] lstrcmpiW (lpString1="verified_contents.json", lpString2="$Recycle.bin") returned 1 [0117.837] lstrcmpiW (lpString1="verified_contents.json", lpString2="System Volume Information") returned 1 [0117.837] lstrcmpiW (lpString1="verified_contents.json", lpString2=".") returned 1 [0117.837] lstrcmpiW (lpString1="verified_contents.json", lpString2="..") returned 1 [0117.837] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\verified_contents.json") returned 162 [0117.837] lstrcmpW (lpString1="verified_contents.json", lpString2="PUSSY.TXT") returned 1 [0117.837] PathFindExtensionW (pszPath="verified_contents.json") returned=".json" [0117.837] lstrlenW (lpString=".json") returned 5 [0117.837] SystemFunction036 (in: RandomBuffer=0x289644, RandomBufferLength=0x20 | out: RandomBuffer=0x289644) returned 1 [0117.837] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\verified_contents.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0117.838] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x289638 | out: lpFileSize=0x289638*=17492) returned 1 [0117.838] GetProcessHeap () returned 0x4c0000 [0117.838] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x53caf0 [0117.847] wsprintfW (in: param_1=0x289686, param_2="%02X" | out: param_1="9A") returned 2 [0117.847] wsprintfW (in: param_1=0x28968a, param_2="%02X" | out: param_1="8D") returned 2 [0117.847] wsprintfW (in: param_1=0x28968e, param_2="%02X" | out: param_1="14") returned 2 [0117.847] wsprintfW (in: param_1=0x289692, param_2="%02X" | out: param_1="A4") returned 2 [0117.847] wsprintfW (in: param_1=0x289696, param_2="%02X" | out: param_1="F0") returned 2 [0117.848] wsprintfW (in: param_1=0x28969a, param_2="%02X" | out: param_1="F4") returned 2 [0117.848] wsprintfW (in: param_1=0x28969e, param_2="%02X" | out: param_1="C8") returned 2 [0117.848] wsprintfW (in: param_1=0x2896a2, param_2="%02X" | out: param_1="3C") returned 2 [0117.848] wsprintfW (in: param_1=0x2896a6, param_2="%02X" | out: param_1="8B") returned 2 [0117.848] wsprintfW (in: param_1=0x2896aa, param_2="%02X" | out: param_1="66") returned 2 [0117.848] wsprintfW (in: param_1=0x2896ae, param_2="%02X" | out: param_1="CE") returned 2 [0117.848] wsprintfW (in: param_1=0x2896b2, param_2="%02X" | out: param_1="E9") returned 2 [0117.848] wsprintfW (in: param_1=0x2896b6, param_2="%02X" | out: param_1="BC") returned 2 [0117.848] wsprintfW (in: param_1=0x2896ba, param_2="%02X" | out: param_1="D2") returned 2 [0117.848] wsprintfW (in: param_1=0x2896be, param_2="%02X" | out: param_1="04") returned 2 [0117.848] wsprintfW (in: param_1=0x2896c2, param_2="%02X" | out: param_1="92") returned 2 [0117.848] wsprintfW (in: param_1=0x2896c6, param_2="%02X" | out: param_1="5F") returned 2 [0117.848] wsprintfW (in: param_1=0x2896ca, param_2="%02X" | out: param_1="2D") returned 2 [0117.848] wsprintfW (in: param_1=0x2896ce, param_2="%02X" | out: param_1="0F") returned 2 [0117.848] wsprintfW (in: param_1=0x2896d2, param_2="%02X" | out: param_1="25") returned 2 [0117.848] wsprintfW (in: param_1=0x2896d6, param_2="%02X" | out: param_1="40") returned 2 [0117.848] wsprintfW (in: param_1=0x2896da, param_2="%02X" | out: param_1="85") returned 2 [0117.848] wsprintfW (in: param_1=0x2896de, param_2="%02X" | out: param_1="2E") returned 2 [0117.848] wsprintfW (in: param_1=0x2896e2, param_2="%02X" | out: param_1="E6") returned 2 [0117.848] wsprintfW (in: param_1=0x2896e6, param_2="%02X" | out: param_1="17") returned 2 [0117.848] wsprintfW (in: param_1=0x2896ea, param_2="%02X" | out: param_1="96") returned 2 [0117.848] wsprintfW (in: param_1=0x2896ee, param_2="%02X" | out: param_1="FE") returned 2 [0117.848] wsprintfW (in: param_1=0x2896f2, param_2="%02X" | out: param_1="E3") returned 2 [0117.848] wsprintfW (in: param_1=0x2896f6, param_2="%02X" | out: param_1="F8") returned 2 [0117.848] wsprintfW (in: param_1=0x2896fa, param_2="%02X" | out: param_1="B6") returned 2 [0117.848] wsprintfW (in: param_1=0x2896fe, param_2="%02X" | out: param_1="25") returned 2 [0117.848] wsprintfW (in: param_1=0x289702, param_2="%02X" | out: param_1="0B") returned 2 [0117.857] lstrcpyW (in: lpString1=0x54cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\verified_contents.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\verified_contents.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\verified_contents.json" [0117.857] lstrcpyW (in: lpString1=0x53cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\verified_contents.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\verified_contents.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\verified_contents.json" [0117.857] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\verified_contents.json", lpString2=".9A8D14A4F0F4C83C8B66CEE9BCD204925F2D0F2540852EE61796FEE3F8B6250B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\verified_contents.json.9A8D14A4F0F4C83C8B66CEE9BCD204925F2D0F2540852EE61796FEE3F8B6250B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\verified_contents.json.9A8D14A4F0F4C83C8B66CEE9BCD204925F2D0F2540852EE61796FEE3F8B6250B" [0117.857] CreateIoCompletionPort (FileHandle=0x1b0, ExistingCompletionPort=0x94, CompletionKey=0x53caf0, NumberOfConcurrentThreads=0x0) returned 0x94 [0117.857] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x53caf0, lpOverlapped=0x53caf0) returned 1 [0117.877] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86012940, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86012940, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x47d5c900, ftLastWriteTime.dwHighDateTime=0x1d1781e, nFileSizeHigh=0x0, nFileSizeLow=0x4454, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="verified_contents.json", cAlternateFileName="VERIFI~1.JSO")) returned 0 [0117.877] FindClose (in: hFindFile=0x3bb71e0 | out: hFindFile=0x3bb71e0) returned 1 [0117.877] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\PUSSY.TXT") returned 149 [0117.877] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0117.880] lstrlenA (lpString="abcd") returned 4 [0117.880] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2899ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x2899ac*=0x4, lpOverlapped=0x0) returned 1 [0117.881] CloseHandle (hObject=0x17c) returned 1 [0117.881] GetProcessHeap () returned 0x4c0000 [0117.881] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0117.881] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86012940, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8636e710, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8636e710, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="_metadata", cAlternateFileName="_METAD~1")) returned 0 [0117.882] FindClose (in: hFindFile=0x3bb71a0 | out: hFindFile=0x3bb71a0) returned 1 [0117.882] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\PUSSY.TXT") returned 139 [0117.882] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0117.882] lstrlenA (lpString="abcd") returned 4 [0117.882] WriteFile (in: hFile=0x178, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a14c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a14c*=0x4, lpOverlapped=0x0) returned 1 [0117.883] CloseHandle (hObject=0x178) returned 1 [0117.883] GetProcessHeap () returned 0x4c0000 [0117.883] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0117.883] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85dd4d90, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x862fc2f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x862fc2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="1.4_0", cAlternateFileName="")) returned 0 [0117.883] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0117.884] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\PUSSY.TXT") returned 133 [0117.884] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0117.884] lstrlenA (lpString="abcd") returned 4 [0117.884] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a8ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a8ec*=0x4, lpOverlapped=0x0) returned 1 [0117.885] CloseHandle (hObject=0x18c) returned 1 [0117.885] GetProcessHeap () returned 0x4c0000 [0117.885] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bd80e8 | out: hHeap=0x4c0000) returned 1 [0117.888] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82ab7660, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82abeb90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82abeb90, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="nmmhkkegccagdldgiimedpiccmgmieda", cAlternateFileName="NMMHKK~1")) returned 1 [0117.888] lstrcmpiW (lpString1="nmmhkkegccagdldgiimedpiccmgmieda", lpString2="Windows") returned -1 [0117.888] lstrcmpiW (lpString1="nmmhkkegccagdldgiimedpiccmgmieda", lpString2="Program Files") returned -1 [0117.888] lstrcmpiW (lpString1="nmmhkkegccagdldgiimedpiccmgmieda", lpString2="Program Files (x86)") returned -1 [0117.888] lstrcmpiW (lpString1="nmmhkkegccagdldgiimedpiccmgmieda", lpString2="$Recycle.bin") returned 1 [0117.888] lstrcmpiW (lpString1="nmmhkkegccagdldgiimedpiccmgmieda", lpString2="System Volume Information") returned -1 [0117.888] lstrcmpiW (lpString1="nmmhkkegccagdldgiimedpiccmgmieda", lpString2=".") returned 1 [0117.888] lstrcmpiW (lpString1="nmmhkkegccagdldgiimedpiccmgmieda", lpString2="..") returned 1 [0117.888] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda") returned 123 [0117.888] GetProcessHeap () returned 0x4c0000 [0117.888] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bd80e8 [0117.889] lstrcpyW (in: lpString1=0x3bd80e8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda" [0117.889] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\*" [0117.889] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\*", lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82ab7660, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82abeb90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82abeb90, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0117.889] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.889] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.889] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.889] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.889] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.889] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.889] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82ab7660, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82abeb90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82abeb90, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0117.889] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.889] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.890] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.890] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.890] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.890] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.890] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.890] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82651e90, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x828e7880, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x828e7880, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="1.0.0.2_0", cAlternateFileName="100~1.2_0")) returned 1 [0117.890] lstrcmpiW (lpString1="1.0.0.2_0", lpString2="Windows") returned -1 [0117.890] lstrcmpiW (lpString1="1.0.0.2_0", lpString2="Program Files") returned -1 [0117.890] lstrcmpiW (lpString1="1.0.0.2_0", lpString2="Program Files (x86)") returned -1 [0117.890] lstrcmpiW (lpString1="1.0.0.2_0", lpString2="$Recycle.bin") returned 1 [0117.890] lstrcmpiW (lpString1="1.0.0.2_0", lpString2="System Volume Information") returned -1 [0117.890] lstrcmpiW (lpString1="1.0.0.2_0", lpString2=".") returned 1 [0117.890] lstrcmpiW (lpString1="1.0.0.2_0", lpString2="..") returned 1 [0117.890] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0") returned 133 [0117.890] GetProcessHeap () returned 0x4c0000 [0117.890] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x502a88 [0117.891] lstrcpyW (in: lpString1=0x502a88, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0" [0117.891] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\*" [0117.891] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\*", lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82651e90, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x828e7880, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x828e7880, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb71a0 [0117.893] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.893] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.893] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.893] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.894] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.894] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.894] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82651e90, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x828e7880, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x828e7880, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0117.894] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.894] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.894] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.894] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.894] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.894] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.894] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.894] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82888510, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8288ac20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xba221600, ftLastWriteTime.dwHighDateTime=0x1d297b0, nFileSizeHigh=0x0, nFileSizeLow=0x32a2e, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="craw_background.js", cAlternateFileName="CRAW_B~1.JS")) returned 1 [0117.894] lstrcmpiW (lpString1="craw_background.js", lpString2="Windows") returned -1 [0117.894] lstrcmpiW (lpString1="craw_background.js", lpString2="Program Files") returned -1 [0117.894] lstrcmpiW (lpString1="craw_background.js", lpString2="Program Files (x86)") returned -1 [0117.894] lstrcmpiW (lpString1="craw_background.js", lpString2="$Recycle.bin") returned 1 [0117.894] lstrcmpiW (lpString1="craw_background.js", lpString2="System Volume Information") returned -1 [0117.894] lstrcmpiW (lpString1="craw_background.js", lpString2=".") returned 1 [0117.894] lstrcmpiW (lpString1="craw_background.js", lpString2="..") returned 1 [0117.894] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_background.js") returned 152 [0117.894] lstrcmpW (lpString1="craw_background.js", lpString2="PUSSY.TXT") returned -1 [0117.894] PathFindExtensionW (pszPath="craw_background.js") returned=".js" [0117.895] lstrlenW (lpString=".js") returned 3 [0117.895] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0117.895] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_background.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_background.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0117.896] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=207406) returned 1 [0117.896] GetProcessHeap () returned 0x4c0000 [0117.896] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x564b40 [0117.908] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="51") returned 2 [0117.908] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="FE") returned 2 [0117.908] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="E1") returned 2 [0117.908] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="3F") returned 2 [0117.908] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="9A") returned 2 [0117.908] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="AA") returned 2 [0117.908] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="66") returned 2 [0117.908] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="5E") returned 2 [0117.908] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="B3") returned 2 [0117.908] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="2D") returned 2 [0117.908] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="8A") returned 2 [0117.908] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="E7") returned 2 [0117.908] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="9F") returned 2 [0117.908] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="11") returned 2 [0117.908] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="F8") returned 2 [0117.908] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="95") returned 2 [0117.908] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="41") returned 2 [0117.908] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="85") returned 2 [0117.908] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="35") returned 2 [0117.908] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="0B") returned 2 [0117.909] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="AF") returned 2 [0117.909] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="35") returned 2 [0117.909] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="F3") returned 2 [0117.909] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="18") returned 2 [0117.909] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="D1") returned 2 [0117.909] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="FD") returned 2 [0117.909] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="54") returned 2 [0117.909] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="8C") returned 2 [0117.909] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="2B") returned 2 [0117.909] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="04") returned 2 [0117.909] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="71") returned 2 [0117.909] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="69") returned 2 [0117.918] lstrcpyW (in: lpString1=0x574b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_background.js" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_background.js") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_background.js" [0117.918] lstrcpyW (in: lpString1=0x564b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_background.js" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_background.js") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_background.js" [0117.918] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_background.js", lpString2=".51FEE13F9AAA665EB32D8AE79F11F8954185350BAF35F318D1FD548C2B047169" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_background.js.51FEE13F9AAA665EB32D8AE79F11F8954185350BAF35F318D1FD548C2B047169") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_background.js.51FEE13F9AAA665EB32D8AE79F11F8954185350BAF35F318D1FD548C2B047169" [0117.918] CreateIoCompletionPort (FileHandle=0x17c, ExistingCompletionPort=0x94, CompletionKey=0x564b40, NumberOfConcurrentThreads=0x0) returned 0x94 [0117.918] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x564b40, lpOverlapped=0x564b40) returned 1 [0117.918] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8288d330, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82892150, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xba221600, ftLastWriteTime.dwHighDateTime=0x1d297b0, nFileSizeHigh=0x0, nFileSizeLow=0x3b059, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="craw_window.js", cAlternateFileName="CRAW_W~1.JS")) returned 1 [0117.918] lstrcmpiW (lpString1="craw_window.js", lpString2="Windows") returned -1 [0117.918] lstrcmpiW (lpString1="craw_window.js", lpString2="Program Files") returned -1 [0117.918] lstrcmpiW (lpString1="craw_window.js", lpString2="Program Files (x86)") returned -1 [0117.918] lstrcmpiW (lpString1="craw_window.js", lpString2="$Recycle.bin") returned 1 [0117.919] lstrcmpiW (lpString1="craw_window.js", lpString2="System Volume Information") returned -1 [0117.919] lstrcmpiW (lpString1="craw_window.js", lpString2=".") returned 1 [0117.919] lstrcmpiW (lpString1="craw_window.js", lpString2="..") returned 1 [0117.919] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_window.js") returned 148 [0117.919] lstrcmpW (lpString1="craw_window.js", lpString2="PUSSY.TXT") returned -1 [0117.919] PathFindExtensionW (pszPath="craw_window.js") returned=".js" [0117.919] lstrlenW (lpString=".js") returned 3 [0117.919] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0117.919] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_window.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_window.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0117.920] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=241753) returned 1 [0117.921] GetProcessHeap () returned 0x4c0000 [0117.921] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b380a0 [0117.933] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="DB") returned 2 [0117.933] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="E5") returned 2 [0117.933] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="BF") returned 2 [0117.933] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="0A") returned 2 [0117.933] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="00") returned 2 [0117.933] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="E0") returned 2 [0117.933] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="3F") returned 2 [0117.933] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="7B") returned 2 [0117.933] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="11") returned 2 [0117.933] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="3E") returned 2 [0117.933] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="FF") returned 2 [0117.933] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="A3") returned 2 [0117.933] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="2B") returned 2 [0117.933] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="AE") returned 2 [0117.933] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="D2") returned 2 [0117.933] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="0B") returned 2 [0117.933] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="F6") returned 2 [0117.933] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="59") returned 2 [0117.935] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="41") returned 2 [0117.935] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="D7") returned 2 [0117.935] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="49") returned 2 [0117.935] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="DD") returned 2 [0117.935] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="C9") returned 2 [0117.935] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="51") returned 2 [0117.935] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="F0") returned 2 [0117.935] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="21") returned 2 [0117.935] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="CA") returned 2 [0117.935] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="6E") returned 2 [0117.935] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="7E") returned 2 [0117.935] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="B8") returned 2 [0117.935] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="29") returned 2 [0117.935] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="4E") returned 2 [0117.944] lstrcpyW (in: lpString1=0x3b480d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_window.js" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_window.js") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_window.js" [0117.944] lstrcpyW (in: lpString1=0x3b380d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_window.js" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_window.js") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_window.js" [0117.944] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_window.js", lpString2=".DBE5BF0A00E03F7B113EFFA32BAED20BF65941D749DDC951F021CA6E7EB8294E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_window.js.DBE5BF0A00E03F7B113EFFA32BAED20BF65941D749DDC951F021CA6E7EB8294E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_window.js.DBE5BF0A00E03F7B113EFFA32BAED20BF65941D749DDC951F021CA6E7EB8294E" [0117.944] CreateIoCompletionPort (FileHandle=0x1ac, ExistingCompletionPort=0x94, CompletionKey=0x3b380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0117.944] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b380a0, lpOverlapped=0x3b380a0) returned 1 [0117.944] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82896f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82899680, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82899680, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="css", cAlternateFileName="")) returned 1 [0117.944] lstrcmpiW (lpString1="css", lpString2="Windows") returned -1 [0117.944] lstrcmpiW (lpString1="css", lpString2="Program Files") returned -1 [0117.945] lstrcmpiW (lpString1="css", lpString2="Program Files (x86)") returned -1 [0117.945] lstrcmpiW (lpString1="css", lpString2="$Recycle.bin") returned 1 [0117.945] lstrcmpiW (lpString1="css", lpString2="System Volume Information") returned -1 [0117.945] lstrcmpiW (lpString1="css", lpString2=".") returned 1 [0117.945] lstrcmpiW (lpString1="css", lpString2="..") returned 1 [0117.945] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css") returned 137 [0117.945] GetProcessHeap () returned 0x4c0000 [0117.945] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0117.945] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css" [0117.945] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\*" [0117.945] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\*", lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82896f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82899680, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82899680, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb71e0 [0117.946] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.946] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.946] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.946] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.946] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.946] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.946] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82896f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82899680, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82899680, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0117.946] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.946] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.946] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.946] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.946] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.946] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.946] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.946] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82899680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82899680, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xaae46e00, ftLastWriteTime.dwHighDateTime=0x1cec2fb, nFileSizeHigh=0x0, nFileSizeLow=0x6cd, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="craw_window.css", cAlternateFileName="CRAW_W~1.CSS")) returned 1 [0117.946] lstrcmpiW (lpString1="craw_window.css", lpString2="Windows") returned -1 [0117.946] lstrcmpiW (lpString1="craw_window.css", lpString2="Program Files") returned -1 [0117.946] lstrcmpiW (lpString1="craw_window.css", lpString2="Program Files (x86)") returned -1 [0117.946] lstrcmpiW (lpString1="craw_window.css", lpString2="$Recycle.bin") returned 1 [0117.946] lstrcmpiW (lpString1="craw_window.css", lpString2="System Volume Information") returned -1 [0117.946] lstrcmpiW (lpString1="craw_window.css", lpString2=".") returned 1 [0117.946] lstrcmpiW (lpString1="craw_window.css", lpString2="..") returned 1 [0117.947] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\craw_window.css") returned 153 [0117.947] lstrcmpW (lpString1="craw_window.css", lpString2="PUSSY.TXT") returned -1 [0117.947] PathFindExtensionW (pszPath="craw_window.css") returned=".css" [0117.947] lstrlenW (lpString=".css") returned 4 [0117.947] SystemFunction036 (in: RandomBuffer=0x289644, RandomBufferLength=0x20 | out: RandomBuffer=0x289644) returned 1 [0117.947] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\craw_window.css" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\craw_window.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x114 [0117.947] GetFileSizeEx (in: hFile=0x114, lpFileSize=0x289638 | out: lpFileSize=0x289638*=1741) returned 1 [0117.947] GetProcessHeap () returned 0x4c0000 [0117.947] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b600f0 [0117.956] wsprintfW (in: param_1=0x289686, param_2="%02X" | out: param_1="1C") returned 2 [0117.956] wsprintfW (in: param_1=0x28968a, param_2="%02X" | out: param_1="11") returned 2 [0117.956] wsprintfW (in: param_1=0x28968e, param_2="%02X" | out: param_1="BA") returned 2 [0117.956] wsprintfW (in: param_1=0x289692, param_2="%02X" | out: param_1="68") returned 2 [0117.957] wsprintfW (in: param_1=0x289696, param_2="%02X" | out: param_1="8A") returned 2 [0117.957] wsprintfW (in: param_1=0x28969a, param_2="%02X" | out: param_1="EF") returned 2 [0117.957] wsprintfW (in: param_1=0x28969e, param_2="%02X" | out: param_1="4C") returned 2 [0117.957] wsprintfW (in: param_1=0x2896a2, param_2="%02X" | out: param_1="7D") returned 2 [0117.957] wsprintfW (in: param_1=0x2896a6, param_2="%02X" | out: param_1="B4") returned 2 [0117.957] wsprintfW (in: param_1=0x2896aa, param_2="%02X" | out: param_1="6A") returned 2 [0117.957] wsprintfW (in: param_1=0x2896ae, param_2="%02X" | out: param_1="62") returned 2 [0117.957] wsprintfW (in: param_1=0x2896b2, param_2="%02X" | out: param_1="9E") returned 2 [0117.957] wsprintfW (in: param_1=0x2896b6, param_2="%02X" | out: param_1="E2") returned 2 [0117.957] wsprintfW (in: param_1=0x2896ba, param_2="%02X" | out: param_1="9E") returned 2 [0117.957] wsprintfW (in: param_1=0x2896be, param_2="%02X" | out: param_1="89") returned 2 [0117.957] wsprintfW (in: param_1=0x2896c2, param_2="%02X" | out: param_1="D9") returned 2 [0117.957] wsprintfW (in: param_1=0x2896c6, param_2="%02X" | out: param_1="74") returned 2 [0117.957] wsprintfW (in: param_1=0x2896ca, param_2="%02X" | out: param_1="5B") returned 2 [0117.957] wsprintfW (in: param_1=0x2896ce, param_2="%02X" | out: param_1="75") returned 2 [0117.957] wsprintfW (in: param_1=0x2896d2, param_2="%02X" | out: param_1="6F") returned 2 [0117.957] wsprintfW (in: param_1=0x2896d6, param_2="%02X" | out: param_1="72") returned 2 [0117.957] wsprintfW (in: param_1=0x2896da, param_2="%02X" | out: param_1="C3") returned 2 [0117.957] wsprintfW (in: param_1=0x2896de, param_2="%02X" | out: param_1="F6") returned 2 [0117.957] wsprintfW (in: param_1=0x2896e2, param_2="%02X" | out: param_1="65") returned 2 [0117.957] wsprintfW (in: param_1=0x2896e6, param_2="%02X" | out: param_1="93") returned 2 [0117.957] wsprintfW (in: param_1=0x2896ea, param_2="%02X" | out: param_1="41") returned 2 [0117.957] wsprintfW (in: param_1=0x2896ee, param_2="%02X" | out: param_1="E2") returned 2 [0117.957] wsprintfW (in: param_1=0x2896f2, param_2="%02X" | out: param_1="69") returned 2 [0117.957] wsprintfW (in: param_1=0x2896f6, param_2="%02X" | out: param_1="D3") returned 2 [0117.957] wsprintfW (in: param_1=0x2896fa, param_2="%02X" | out: param_1="B2") returned 2 [0117.957] wsprintfW (in: param_1=0x2896fe, param_2="%02X" | out: param_1="E5") returned 2 [0117.958] wsprintfW (in: param_1=0x289702, param_2="%02X" | out: param_1="26") returned 2 [0117.971] lstrcpyW (in: lpString1=0x3b70124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\craw_window.css" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\craw_window.css") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\craw_window.css" [0117.971] lstrcpyW (in: lpString1=0x3b60124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\craw_window.css" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\craw_window.css") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\craw_window.css" [0117.971] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\craw_window.css", lpString2=".1C11BA688AEF4C7DB46A629EE29E89D9745B756F72C3F6659341E269D3B2E526" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\craw_window.css.1C11BA688AEF4C7DB46A629EE29E89D9745B756F72C3F6659341E269D3B2E526") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\craw_window.css.1C11BA688AEF4C7DB46A629EE29E89D9745B756F72C3F6659341E269D3B2E526" [0117.971] CreateIoCompletionPort (FileHandle=0x114, ExistingCompletionPort=0x94, CompletionKey=0x3b600f0, NumberOfConcurrentThreads=0x0) returned 0x94 [0117.971] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b600f0, lpOverlapped=0x3b600f0) returned 1 [0117.972] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82899680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82899680, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xaae46e00, ftLastWriteTime.dwHighDateTime=0x1cec2fb, nFileSizeHigh=0x0, nFileSizeLow=0x6cd, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="craw_window.css", cAlternateFileName="CRAW_W~1.CSS")) returned 0 [0117.973] FindClose (in: hFindFile=0x3bb71e0 | out: hFindFile=0x3bb71e0) returned 1 [0117.973] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\PUSSY.TXT") returned 147 [0117.973] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0117.974] lstrlenA (lpString="abcd") returned 4 [0117.974] WriteFile (in: hFile=0x16c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2899ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x2899ac*=0x4, lpOverlapped=0x0) returned 1 [0117.975] CloseHandle (hObject=0x16c) returned 1 [0117.975] GetProcessHeap () returned 0x4c0000 [0117.975] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0117.975] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8289e4a0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x828a0bb0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x828a0bb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="html", cAlternateFileName="")) returned 1 [0117.975] lstrcmpiW (lpString1="html", lpString2="Windows") returned -1 [0117.976] lstrcmpiW (lpString1="html", lpString2="Program Files") returned -1 [0117.976] lstrcmpiW (lpString1="html", lpString2="Program Files (x86)") returned -1 [0117.976] lstrcmpiW (lpString1="html", lpString2="$Recycle.bin") returned 1 [0117.976] lstrcmpiW (lpString1="html", lpString2="System Volume Information") returned -1 [0117.976] lstrcmpiW (lpString1="html", lpString2=".") returned 1 [0117.976] lstrcmpiW (lpString1="html", lpString2="..") returned 1 [0117.976] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html") returned 138 [0117.976] GetProcessHeap () returned 0x4c0000 [0117.976] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0117.976] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html" [0117.976] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\*" [0117.976] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\*", lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8289e4a0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x828a0bb0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x828a0bb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb71e0 [0117.977] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0117.977] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0117.977] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0117.977] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0117.977] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0117.977] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.977] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8289e4a0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x828a0bb0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x828a0bb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0117.977] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0117.977] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0117.977] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0117.977] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0117.977] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0117.977] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.977] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.977] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x828a0bb0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x828a0bb0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xe7591500, ftLastWriteTime.dwHighDateTime=0x1ce931e, nFileSizeHigh=0x0, nFileSizeLow=0x32a, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="craw_window.html", cAlternateFileName="CRAW_W~1.HTM")) returned 1 [0117.977] lstrcmpiW (lpString1="craw_window.html", lpString2="Windows") returned -1 [0117.978] lstrcmpiW (lpString1="craw_window.html", lpString2="Program Files") returned -1 [0117.978] lstrcmpiW (lpString1="craw_window.html", lpString2="Program Files (x86)") returned -1 [0117.978] lstrcmpiW (lpString1="craw_window.html", lpString2="$Recycle.bin") returned 1 [0117.978] lstrcmpiW (lpString1="craw_window.html", lpString2="System Volume Information") returned -1 [0117.978] lstrcmpiW (lpString1="craw_window.html", lpString2=".") returned 1 [0117.978] lstrcmpiW (lpString1="craw_window.html", lpString2="..") returned 1 [0117.978] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html") returned 155 [0117.978] lstrcmpW (lpString1="craw_window.html", lpString2="PUSSY.TXT") returned -1 [0117.978] PathFindExtensionW (pszPath="craw_window.html") returned=".html" [0117.978] lstrlenW (lpString=".html") returned 5 [0117.978] SystemFunction036 (in: RandomBuffer=0x289644, RandomBufferLength=0x20 | out: RandomBuffer=0x289644) returned 1 [0117.978] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x198 [0117.980] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x289638 | out: lpFileSize=0x289638*=810) returned 1 [0117.980] GetProcessHeap () returned 0x4c0000 [0117.980] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b88140 [0118.032] wsprintfW (in: param_1=0x289686, param_2="%02X" | out: param_1="53") returned 2 [0118.032] wsprintfW (in: param_1=0x28968a, param_2="%02X" | out: param_1="54") returned 2 [0118.032] wsprintfW (in: param_1=0x28968e, param_2="%02X" | out: param_1="90") returned 2 [0118.032] wsprintfW (in: param_1=0x289692, param_2="%02X" | out: param_1="80") returned 2 [0118.032] wsprintfW (in: param_1=0x289696, param_2="%02X" | out: param_1="C1") returned 2 [0118.032] wsprintfW (in: param_1=0x28969a, param_2="%02X" | out: param_1="09") returned 2 [0118.032] wsprintfW (in: param_1=0x28969e, param_2="%02X" | out: param_1="40") returned 2 [0118.032] wsprintfW (in: param_1=0x2896a2, param_2="%02X" | out: param_1="23") returned 2 [0118.032] wsprintfW (in: param_1=0x2896a6, param_2="%02X" | out: param_1="05") returned 2 [0118.032] wsprintfW (in: param_1=0x2896aa, param_2="%02X" | out: param_1="58") returned 2 [0118.032] wsprintfW (in: param_1=0x2896ae, param_2="%02X" | out: param_1="B0") returned 2 [0118.032] wsprintfW (in: param_1=0x2896b2, param_2="%02X" | out: param_1="18") returned 2 [0118.032] wsprintfW (in: param_1=0x2896b6, param_2="%02X" | out: param_1="46") returned 2 [0118.032] wsprintfW (in: param_1=0x2896ba, param_2="%02X" | out: param_1="62") returned 2 [0118.032] wsprintfW (in: param_1=0x2896be, param_2="%02X" | out: param_1="8B") returned 2 [0118.032] wsprintfW (in: param_1=0x2896c2, param_2="%02X" | out: param_1="08") returned 2 [0118.032] wsprintfW (in: param_1=0x2896c6, param_2="%02X" | out: param_1="93") returned 2 [0118.032] wsprintfW (in: param_1=0x2896ca, param_2="%02X" | out: param_1="4F") returned 2 [0118.033] wsprintfW (in: param_1=0x2896ce, param_2="%02X" | out: param_1="3C") returned 2 [0118.033] wsprintfW (in: param_1=0x2896d2, param_2="%02X" | out: param_1="2F") returned 2 [0118.033] wsprintfW (in: param_1=0x2896d6, param_2="%02X" | out: param_1="7B") returned 2 [0118.033] wsprintfW (in: param_1=0x2896da, param_2="%02X" | out: param_1="5B") returned 2 [0118.033] wsprintfW (in: param_1=0x2896de, param_2="%02X" | out: param_1="47") returned 2 [0118.033] wsprintfW (in: param_1=0x2896e2, param_2="%02X" | out: param_1="FD") returned 2 [0118.033] wsprintfW (in: param_1=0x2896e6, param_2="%02X" | out: param_1="5F") returned 2 [0118.033] wsprintfW (in: param_1=0x2896ea, param_2="%02X" | out: param_1="F3") returned 2 [0118.033] wsprintfW (in: param_1=0x2896ee, param_2="%02X" | out: param_1="84") returned 2 [0118.033] wsprintfW (in: param_1=0x2896f2, param_2="%02X" | out: param_1="C1") returned 2 [0118.033] wsprintfW (in: param_1=0x2896f6, param_2="%02X" | out: param_1="C8") returned 2 [0118.033] wsprintfW (in: param_1=0x2896fa, param_2="%02X" | out: param_1="CA") returned 2 [0118.033] wsprintfW (in: param_1=0x2896fe, param_2="%02X" | out: param_1="3C") returned 2 [0118.033] wsprintfW (in: param_1=0x289702, param_2="%02X" | out: param_1="63") returned 2 [0118.043] lstrcpyW (in: lpString1=0x3b98174, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html" [0118.043] lstrcpyW (in: lpString1=0x3b88174, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html" [0118.043] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html", lpString2=".53549080C10940230558B01846628B08934F3C2F7B5B47FD5FF384C1C8CA3C63" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html.53549080C10940230558B01846628B08934F3C2F7B5B47FD5FF384C1C8CA3C63") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html.53549080C10940230558B01846628B08934F3C2F7B5B47FD5FF384C1C8CA3C63" [0118.043] CreateIoCompletionPort (FileHandle=0x198, ExistingCompletionPort=0x94, CompletionKey=0x3b88140, NumberOfConcurrentThreads=0x0) returned 0x94 [0118.043] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b88140, lpOverlapped=0x3b88140) returned 1 [0118.043] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x828a0bb0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x828a0bb0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xe7591500, ftLastWriteTime.dwHighDateTime=0x1ce931e, nFileSizeHigh=0x0, nFileSizeLow=0x32a, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="craw_window.html", cAlternateFileName="CRAW_W~1.HTM")) returned 0 [0118.043] FindClose (in: hFindFile=0x3bb71e0 | out: hFindFile=0x3bb71e0) returned 1 [0118.043] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\PUSSY.TXT") returned 148 [0118.043] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0118.044] lstrlenA (lpString="abcd") returned 4 [0118.045] WriteFile (in: hFile=0x16c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2899ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x2899ac*=0x4, lpOverlapped=0x0) returned 1 [0118.046] CloseHandle (hObject=0x16c) returned 1 [0118.046] GetProcessHeap () returned 0x4c0000 [0118.046] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0118.046] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x828a32c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82aab310, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82aab310, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="images", cAlternateFileName="")) returned 1 [0118.046] lstrcmpiW (lpString1="images", lpString2="Windows") returned -1 [0118.046] lstrcmpiW (lpString1="images", lpString2="Program Files") returned -1 [0118.046] lstrcmpiW (lpString1="images", lpString2="Program Files (x86)") returned -1 [0118.046] lstrcmpiW (lpString1="images", lpString2="$Recycle.bin") returned 1 [0118.046] lstrcmpiW (lpString1="images", lpString2="System Volume Information") returned -1 [0118.046] lstrcmpiW (lpString1="images", lpString2=".") returned 1 [0118.046] lstrcmpiW (lpString1="images", lpString2="..") returned 1 [0118.046] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images") returned 140 [0118.046] GetProcessHeap () returned 0x4c0000 [0118.046] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0118.046] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images" [0118.046] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\*" [0118.046] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\*", lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x828a32c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82aab310, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82aab310, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb71e0 [0118.086] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0118.086] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0118.086] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0118.086] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0118.086] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0118.086] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0118.086] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x828a32c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82aab310, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82aab310, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0118.086] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0118.086] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0118.086] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0118.086] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0118.086] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0118.086] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0118.086] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0118.086] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x828a80e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x828aa7f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xe7591500, ftLastWriteTime.dwHighDateTime=0x1ce931e, nFileSizeHigh=0x0, nFileSizeLow=0x112dc, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="flapper.gif", cAlternateFileName="")) returned 1 [0118.086] lstrcmpiW (lpString1="flapper.gif", lpString2="Windows") returned -1 [0118.086] lstrcmpiW (lpString1="flapper.gif", lpString2="Program Files") returned -1 [0118.087] lstrcmpiW (lpString1="flapper.gif", lpString2="Program Files (x86)") returned -1 [0118.087] lstrcmpiW (lpString1="flapper.gif", lpString2="$Recycle.bin") returned 1 [0118.087] lstrcmpiW (lpString1="flapper.gif", lpString2="System Volume Information") returned -1 [0118.087] lstrcmpiW (lpString1="flapper.gif", lpString2=".") returned 1 [0118.087] lstrcmpiW (lpString1="flapper.gif", lpString2="..") returned 1 [0118.087] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\flapper.gif") returned 152 [0118.087] lstrcmpW (lpString1="flapper.gif", lpString2="PUSSY.TXT") returned -1 [0118.087] PathFindExtensionW (pszPath="flapper.gif") returned=".gif" [0118.087] lstrlenW (lpString=".gif") returned 4 [0118.087] SystemFunction036 (in: RandomBuffer=0x289644, RandomBufferLength=0x20 | out: RandomBuffer=0x289644) returned 1 [0118.087] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\flapper.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\flapper.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0118.088] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x289638 | out: lpFileSize=0x289638*=70364) returned 1 [0118.088] GetProcessHeap () returned 0x4c0000 [0118.088] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3ca0008 [0118.100] wsprintfW (in: param_1=0x289686, param_2="%02X" | out: param_1="5C") returned 2 [0118.100] wsprintfW (in: param_1=0x28968a, param_2="%02X" | out: param_1="3E") returned 2 [0118.100] wsprintfW (in: param_1=0x28968e, param_2="%02X" | out: param_1="A6") returned 2 [0118.101] wsprintfW (in: param_1=0x289692, param_2="%02X" | out: param_1="E9") returned 2 [0118.101] wsprintfW (in: param_1=0x289696, param_2="%02X" | out: param_1="D6") returned 2 [0118.101] wsprintfW (in: param_1=0x28969a, param_2="%02X" | out: param_1="57") returned 2 [0118.101] wsprintfW (in: param_1=0x28969e, param_2="%02X" | out: param_1="44") returned 2 [0118.101] wsprintfW (in: param_1=0x2896a2, param_2="%02X" | out: param_1="2D") returned 2 [0118.101] wsprintfW (in: param_1=0x2896a6, param_2="%02X" | out: param_1="A0") returned 2 [0118.101] wsprintfW (in: param_1=0x2896aa, param_2="%02X" | out: param_1="E9") returned 2 [0118.101] wsprintfW (in: param_1=0x2896ae, param_2="%02X" | out: param_1="FD") returned 2 [0118.101] wsprintfW (in: param_1=0x2896b2, param_2="%02X" | out: param_1="10") returned 2 [0118.101] wsprintfW (in: param_1=0x2896b6, param_2="%02X" | out: param_1="E8") returned 2 [0118.101] wsprintfW (in: param_1=0x2896ba, param_2="%02X" | out: param_1="6D") returned 2 [0118.101] wsprintfW (in: param_1=0x2896be, param_2="%02X" | out: param_1="C4") returned 2 [0118.101] wsprintfW (in: param_1=0x2896c2, param_2="%02X" | out: param_1="FD") returned 2 [0118.101] wsprintfW (in: param_1=0x2896c6, param_2="%02X" | out: param_1="0F") returned 2 [0118.101] wsprintfW (in: param_1=0x2896ca, param_2="%02X" | out: param_1="55") returned 2 [0118.101] wsprintfW (in: param_1=0x2896ce, param_2="%02X" | out: param_1="71") returned 2 [0118.101] wsprintfW (in: param_1=0x2896d2, param_2="%02X" | out: param_1="82") returned 2 [0118.101] wsprintfW (in: param_1=0x2896d6, param_2="%02X" | out: param_1="23") returned 2 [0118.101] wsprintfW (in: param_1=0x2896da, param_2="%02X" | out: param_1="24") returned 2 [0118.101] wsprintfW (in: param_1=0x2896de, param_2="%02X" | out: param_1="80") returned 2 [0118.101] wsprintfW (in: param_1=0x2896e2, param_2="%02X" | out: param_1="3B") returned 2 [0118.101] wsprintfW (in: param_1=0x2896e6, param_2="%02X" | out: param_1="10") returned 2 [0118.101] wsprintfW (in: param_1=0x2896ea, param_2="%02X" | out: param_1="5E") returned 2 [0118.102] wsprintfW (in: param_1=0x2896ee, param_2="%02X" | out: param_1="0A") returned 2 [0118.102] wsprintfW (in: param_1=0x2896f2, param_2="%02X" | out: param_1="8F") returned 2 [0118.102] wsprintfW (in: param_1=0x2896f6, param_2="%02X" | out: param_1="A4") returned 2 [0118.102] wsprintfW (in: param_1=0x2896fa, param_2="%02X" | out: param_1="DD") returned 2 [0118.102] wsprintfW (in: param_1=0x2896fe, param_2="%02X" | out: param_1="62") returned 2 [0118.102] wsprintfW (in: param_1=0x289702, param_2="%02X" | out: param_1="73") returned 2 [0118.115] lstrcpyW (in: lpString1=0x3cb003c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\flapper.gif" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\flapper.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\flapper.gif" [0118.115] lstrcpyW (in: lpString1=0x3ca003c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\flapper.gif" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\flapper.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\flapper.gif" [0118.115] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\flapper.gif", lpString2=".5C3EA6E9D657442DA0E9FD10E86DC4FD0F5571822324803B105E0A8FA4DD6273" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\flapper.gif.5C3EA6E9D657442DA0E9FD10E86DC4FD0F5571822324803B105E0A8FA4DD6273") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\flapper.gif.5C3EA6E9D657442DA0E9FD10E86DC4FD0F5571822324803B105E0A8FA4DD6273" [0118.115] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x3ca0008, NumberOfConcurrentThreads=0x0) returned 0x94 [0118.115] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3ca0008, lpOverlapped=0x3ca0008) returned 1 [0118.115] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x828af610, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82aab310, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82aab310, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x1109, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="icon_128.png", cAlternateFileName="")) returned 1 [0118.115] lstrcmpiW (lpString1="icon_128.png", lpString2="Windows") returned -1 [0118.115] lstrcmpiW (lpString1="icon_128.png", lpString2="Program Files") returned -1 [0118.115] lstrcmpiW (lpString1="icon_128.png", lpString2="Program Files (x86)") returned -1 [0118.115] lstrcmpiW (lpString1="icon_128.png", lpString2="$Recycle.bin") returned 1 [0118.115] lstrcmpiW (lpString1="icon_128.png", lpString2="System Volume Information") returned -1 [0118.115] lstrcmpiW (lpString1="icon_128.png", lpString2=".") returned 1 [0118.115] lstrcmpiW (lpString1="icon_128.png", lpString2="..") returned 1 [0118.115] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png") returned 153 [0118.115] lstrcmpW (lpString1="icon_128.png", lpString2="PUSSY.TXT") returned -1 [0118.116] PathFindExtensionW (pszPath="icon_128.png") returned=".png" [0118.116] lstrlenW (lpString=".png") returned 4 [0118.116] SystemFunction036 (in: RandomBuffer=0x289644, RandomBufferLength=0x20 | out: RandomBuffer=0x289644) returned 1 [0118.116] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a0 [0118.116] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x289638 | out: lpFileSize=0x289638*=4361) returned 1 [0118.117] GetProcessHeap () returned 0x4c0000 [0118.117] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c20058 [0118.138] wsprintfW (in: param_1=0x289686, param_2="%02X" | out: param_1="8A") returned 2 [0118.138] wsprintfW (in: param_1=0x28968a, param_2="%02X" | out: param_1="F9") returned 2 [0118.138] wsprintfW (in: param_1=0x28968e, param_2="%02X" | out: param_1="F8") returned 2 [0118.138] wsprintfW (in: param_1=0x289692, param_2="%02X" | out: param_1="3D") returned 2 [0118.138] wsprintfW (in: param_1=0x289696, param_2="%02X" | out: param_1="FC") returned 2 [0118.138] wsprintfW (in: param_1=0x28969a, param_2="%02X" | out: param_1="91") returned 2 [0118.138] wsprintfW (in: param_1=0x28969e, param_2="%02X" | out: param_1="39") returned 2 [0118.138] wsprintfW (in: param_1=0x2896a2, param_2="%02X" | out: param_1="A7") returned 2 [0118.138] wsprintfW (in: param_1=0x2896a6, param_2="%02X" | out: param_1="84") returned 2 [0118.138] wsprintfW (in: param_1=0x2896aa, param_2="%02X" | out: param_1="49") returned 2 [0118.138] wsprintfW (in: param_1=0x2896ae, param_2="%02X" | out: param_1="48") returned 2 [0118.138] wsprintfW (in: param_1=0x2896b2, param_2="%02X" | out: param_1="E3") returned 2 [0118.138] wsprintfW (in: param_1=0x2896b6, param_2="%02X" | out: param_1="82") returned 2 [0118.138] wsprintfW (in: param_1=0x2896ba, param_2="%02X" | out: param_1="0E") returned 2 [0118.138] wsprintfW (in: param_1=0x2896be, param_2="%02X" | out: param_1="12") returned 2 [0118.138] wsprintfW (in: param_1=0x2896c2, param_2="%02X" | out: param_1="C4") returned 2 [0118.138] wsprintfW (in: param_1=0x2896c6, param_2="%02X" | out: param_1="4E") returned 2 [0118.138] wsprintfW (in: param_1=0x2896ca, param_2="%02X" | out: param_1="2D") returned 2 [0118.138] wsprintfW (in: param_1=0x2896ce, param_2="%02X" | out: param_1="B1") returned 2 [0118.138] wsprintfW (in: param_1=0x2896d2, param_2="%02X" | out: param_1="92") returned 2 [0118.139] wsprintfW (in: param_1=0x2896d6, param_2="%02X" | out: param_1="64") returned 2 [0118.139] wsprintfW (in: param_1=0x2896da, param_2="%02X" | out: param_1="AF") returned 2 [0118.139] wsprintfW (in: param_1=0x2896de, param_2="%02X" | out: param_1="CC") returned 2 [0118.139] wsprintfW (in: param_1=0x2896e2, param_2="%02X" | out: param_1="7E") returned 2 [0118.139] wsprintfW (in: param_1=0x2896e6, param_2="%02X" | out: param_1="F9") returned 2 [0118.139] wsprintfW (in: param_1=0x2896ea, param_2="%02X" | out: param_1="62") returned 2 [0118.139] wsprintfW (in: param_1=0x2896ee, param_2="%02X" | out: param_1="23") returned 2 [0118.139] wsprintfW (in: param_1=0x2896f2, param_2="%02X" | out: param_1="06") returned 2 [0118.139] wsprintfW (in: param_1=0x2896f6, param_2="%02X" | out: param_1="E5") returned 2 [0118.139] wsprintfW (in: param_1=0x2896fa, param_2="%02X" | out: param_1="BB") returned 2 [0118.139] wsprintfW (in: param_1=0x2896fe, param_2="%02X" | out: param_1="D6") returned 2 [0118.139] wsprintfW (in: param_1=0x289702, param_2="%02X" | out: param_1="15") returned 2 [0118.153] lstrcpyW (in: lpString1=0x3c3008c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png" [0118.153] lstrcpyW (in: lpString1=0x3c2008c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png" [0118.153] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png", lpString2=".8AF9F83DFC9139A7844948E3820E12C44E2DB19264AFCC7EF9622306E5BBD615" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png.8AF9F83DFC9139A7844948E3820E12C44E2DB19264AFCC7EF9622306E5BBD615") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png.8AF9F83DFC9139A7844948E3820E12C44E2DB19264AFCC7EF9622306E5BBD615" [0118.153] CreateIoCompletionPort (FileHandle=0x1a0, ExistingCompletionPort=0x94, CompletionKey=0x3c20058, NumberOfConcurrentThreads=0x0) returned 0x94 [0118.154] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c20058, lpOverlapped=0x3c20058) returned 1 [0118.157] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x828c7cb0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82aab310, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82aab310, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x22c, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="icon_16.png", cAlternateFileName="")) returned 1 [0118.157] lstrcmpiW (lpString1="icon_16.png", lpString2="Windows") returned -1 [0118.157] lstrcmpiW (lpString1="icon_16.png", lpString2="Program Files") returned -1 [0118.157] lstrcmpiW (lpString1="icon_16.png", lpString2="Program Files (x86)") returned -1 [0118.157] lstrcmpiW (lpString1="icon_16.png", lpString2="$Recycle.bin") returned 1 [0118.157] lstrcmpiW (lpString1="icon_16.png", lpString2="System Volume Information") returned -1 [0118.157] lstrcmpiW (lpString1="icon_16.png", lpString2=".") returned 1 [0118.157] lstrcmpiW (lpString1="icon_16.png", lpString2="..") returned 1 [0118.157] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png") returned 152 [0118.157] lstrcmpW (lpString1="icon_16.png", lpString2="PUSSY.TXT") returned -1 [0118.157] PathFindExtensionW (pszPath="icon_16.png") returned=".png" [0118.157] lstrlenW (lpString=".png") returned 4 [0118.157] SystemFunction036 (in: RandomBuffer=0x289644, RandomBufferLength=0x20 | out: RandomBuffer=0x289644) returned 1 [0118.157] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0118.162] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x289638 | out: lpFileSize=0x289638*=556) returned 1 [0118.162] GetProcessHeap () returned 0x4c0000 [0118.162] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x53caf0 [0118.175] wsprintfW (in: param_1=0x289686, param_2="%02X" | out: param_1="AB") returned 2 [0118.175] wsprintfW (in: param_1=0x28968a, param_2="%02X" | out: param_1="C0") returned 2 [0118.175] wsprintfW (in: param_1=0x28968e, param_2="%02X" | out: param_1="D2") returned 2 [0118.175] wsprintfW (in: param_1=0x289692, param_2="%02X" | out: param_1="96") returned 2 [0118.175] wsprintfW (in: param_1=0x289696, param_2="%02X" | out: param_1="6C") returned 2 [0118.175] wsprintfW (in: param_1=0x28969a, param_2="%02X" | out: param_1="A3") returned 2 [0118.175] wsprintfW (in: param_1=0x28969e, param_2="%02X" | out: param_1="64") returned 2 [0118.175] wsprintfW (in: param_1=0x2896a2, param_2="%02X" | out: param_1="38") returned 2 [0118.175] wsprintfW (in: param_1=0x2896a6, param_2="%02X" | out: param_1="65") returned 2 [0118.175] wsprintfW (in: param_1=0x2896aa, param_2="%02X" | out: param_1="D4") returned 2 [0118.175] wsprintfW (in: param_1=0x2896ae, param_2="%02X" | out: param_1="5D") returned 2 [0118.175] wsprintfW (in: param_1=0x2896b2, param_2="%02X" | out: param_1="B0") returned 2 [0118.175] wsprintfW (in: param_1=0x2896b6, param_2="%02X" | out: param_1="CB") returned 2 [0118.175] wsprintfW (in: param_1=0x2896ba, param_2="%02X" | out: param_1="9E") returned 2 [0118.175] wsprintfW (in: param_1=0x2896be, param_2="%02X" | out: param_1="D4") returned 2 [0118.176] wsprintfW (in: param_1=0x2896c2, param_2="%02X" | out: param_1="DB") returned 2 [0118.176] wsprintfW (in: param_1=0x2896c6, param_2="%02X" | out: param_1="40") returned 2 [0118.176] wsprintfW (in: param_1=0x2896ca, param_2="%02X" | out: param_1="15") returned 2 [0118.176] wsprintfW (in: param_1=0x2896ce, param_2="%02X" | out: param_1="1D") returned 2 [0118.176] wsprintfW (in: param_1=0x2896d2, param_2="%02X" | out: param_1="B2") returned 2 [0118.176] wsprintfW (in: param_1=0x2896d6, param_2="%02X" | out: param_1="2B") returned 2 [0118.176] wsprintfW (in: param_1=0x2896da, param_2="%02X" | out: param_1="36") returned 2 [0118.176] wsprintfW (in: param_1=0x2896de, param_2="%02X" | out: param_1="12") returned 2 [0118.176] wsprintfW (in: param_1=0x2896e2, param_2="%02X" | out: param_1="D8") returned 2 [0118.176] wsprintfW (in: param_1=0x2896e6, param_2="%02X" | out: param_1="FA") returned 2 [0118.176] wsprintfW (in: param_1=0x2896ea, param_2="%02X" | out: param_1="0E") returned 2 [0118.176] wsprintfW (in: param_1=0x2896ee, param_2="%02X" | out: param_1="C2") returned 2 [0118.176] wsprintfW (in: param_1=0x2896f2, param_2="%02X" | out: param_1="24") returned 2 [0118.176] wsprintfW (in: param_1=0x2896f6, param_2="%02X" | out: param_1="4B") returned 2 [0118.176] wsprintfW (in: param_1=0x2896fa, param_2="%02X" | out: param_1="A2") returned 2 [0118.176] wsprintfW (in: param_1=0x2896fe, param_2="%02X" | out: param_1="C0") returned 2 [0118.176] wsprintfW (in: param_1=0x289702, param_2="%02X" | out: param_1="0D") returned 2 [0118.187] lstrcpyW (in: lpString1=0x54cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png" [0118.187] lstrcpyW (in: lpString1=0x53cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png" [0118.187] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png", lpString2=".ABC0D2966CA3643865D45DB0CB9ED4DB40151DB22B3612D8FA0EC2244BA2C00D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png.ABC0D2966CA3643865D45DB0CB9ED4DB40151DB22B3612D8FA0EC2244BA2C00D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png.ABC0D2966CA3643865D45DB0CB9ED4DB40151DB22B3612D8FA0EC2244BA2C00D" [0118.187] CreateIoCompletionPort (FileHandle=0x1b0, ExistingCompletionPort=0x94, CompletionKey=0x53caf0, NumberOfConcurrentThreads=0x0) returned 0x94 [0118.187] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x53caf0, lpOverlapped=0x53caf0) returned 1 [0118.187] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x828ccad0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x828ccad0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xe7591500, ftLastWriteTime.dwHighDateTime=0x1ce931e, nFileSizeHigh=0x0, nFileSizeLow=0xa0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="topbar_floating_button.png", cAlternateFileName="TOPBAR~1.PNG")) returned 1 [0118.187] lstrcmpiW (lpString1="topbar_floating_button.png", lpString2="Windows") returned -1 [0118.187] lstrcmpiW (lpString1="topbar_floating_button.png", lpString2="Program Files") returned 1 [0118.187] lstrcmpiW (lpString1="topbar_floating_button.png", lpString2="Program Files (x86)") returned 1 [0118.187] lstrcmpiW (lpString1="topbar_floating_button.png", lpString2="$Recycle.bin") returned 1 [0118.187] lstrcmpiW (lpString1="topbar_floating_button.png", lpString2="System Volume Information") returned 1 [0118.187] lstrcmpiW (lpString1="topbar_floating_button.png", lpString2=".") returned 1 [0118.188] lstrcmpiW (lpString1="topbar_floating_button.png", lpString2="..") returned 1 [0118.188] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button.png") returned 167 [0118.188] lstrcmpW (lpString1="topbar_floating_button.png", lpString2="PUSSY.TXT") returned 1 [0118.188] PathFindExtensionW (pszPath="topbar_floating_button.png") returned=".png" [0118.188] lstrlenW (lpString=".png") returned 4 [0118.188] SystemFunction036 (in: RandomBuffer=0x289644, RandomBufferLength=0x20 | out: RandomBuffer=0x289644) returned 1 [0118.188] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b4 [0118.189] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x289638 | out: lpFileSize=0x289638*=160) returned 1 [0118.189] CloseHandle (hObject=0x1b4) returned 1 [0118.189] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x828cf1e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x828d18f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xe7591500, ftLastWriteTime.dwHighDateTime=0x1ce931e, nFileSizeHigh=0x0, nFileSizeLow=0xfc, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="topbar_floating_button_close.png", cAlternateFileName="TOPBAR~2.PNG")) returned 1 [0118.189] lstrcmpiW (lpString1="topbar_floating_button_close.png", lpString2="Windows") returned -1 [0118.189] lstrcmpiW (lpString1="topbar_floating_button_close.png", lpString2="Program Files") returned 1 [0118.189] lstrcmpiW (lpString1="topbar_floating_button_close.png", lpString2="Program Files (x86)") returned 1 [0118.189] lstrcmpiW (lpString1="topbar_floating_button_close.png", lpString2="$Recycle.bin") returned 1 [0118.189] lstrcmpiW (lpString1="topbar_floating_button_close.png", lpString2="System Volume Information") returned 1 [0118.189] lstrcmpiW (lpString1="topbar_floating_button_close.png", lpString2=".") returned 1 [0118.189] lstrcmpiW (lpString1="topbar_floating_button_close.png", lpString2="..") returned 1 [0118.189] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_close.png") returned 173 [0118.189] lstrcmpW (lpString1="topbar_floating_button_close.png", lpString2="PUSSY.TXT") returned 1 [0118.189] PathFindExtensionW (pszPath="topbar_floating_button_close.png") returned=".png" [0118.189] lstrlenW (lpString=".png") returned 4 [0118.189] SystemFunction036 (in: RandomBuffer=0x289644, RandomBufferLength=0x20 | out: RandomBuffer=0x289644) returned 1 [0118.189] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_close.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_close.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b4 [0118.190] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x289638 | out: lpFileSize=0x289638*=252) returned 1 [0118.190] CloseHandle (hObject=0x1b4) returned 1 [0118.190] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x828d6710, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x828d6710, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xe7591500, ftLastWriteTime.dwHighDateTime=0x1ce931e, nFileSizeHigh=0x0, nFileSizeLow=0xa0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="topbar_floating_button_hover.png", cAlternateFileName="TOPBAR~3.PNG")) returned 1 [0118.190] lstrcmpiW (lpString1="topbar_floating_button_hover.png", lpString2="Windows") returned -1 [0118.190] lstrcmpiW (lpString1="topbar_floating_button_hover.png", lpString2="Program Files") returned 1 [0118.190] lstrcmpiW (lpString1="topbar_floating_button_hover.png", lpString2="Program Files (x86)") returned 1 [0118.190] lstrcmpiW (lpString1="topbar_floating_button_hover.png", lpString2="$Recycle.bin") returned 1 [0118.190] lstrcmpiW (lpString1="topbar_floating_button_hover.png", lpString2="System Volume Information") returned 1 [0118.190] lstrcmpiW (lpString1="topbar_floating_button_hover.png", lpString2=".") returned 1 [0118.190] lstrcmpiW (lpString1="topbar_floating_button_hover.png", lpString2="..") returned 1 [0118.190] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_hover.png") returned 173 [0118.190] lstrcmpW (lpString1="topbar_floating_button_hover.png", lpString2="PUSSY.TXT") returned 1 [0118.190] PathFindExtensionW (pszPath="topbar_floating_button_hover.png") returned=".png" [0118.190] lstrlenW (lpString=".png") returned 4 [0118.190] SystemFunction036 (in: RandomBuffer=0x289644, RandomBufferLength=0x20 | out: RandomBuffer=0x289644) returned 1 [0118.190] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_hover.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_hover.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b4 [0118.191] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x289638 | out: lpFileSize=0x289638*=160) returned 1 [0118.191] CloseHandle (hObject=0x1b4) returned 1 [0118.191] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x828d8e20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x828d8e20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xe7591500, ftLastWriteTime.dwHighDateTime=0x1ce931e, nFileSizeHigh=0x0, nFileSizeLow=0xa6, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="topbar_floating_button_maximize.png", cAlternateFileName="TOPBAR~4.PNG")) returned 1 [0118.191] lstrcmpiW (lpString1="topbar_floating_button_maximize.png", lpString2="Windows") returned -1 [0118.191] lstrcmpiW (lpString1="topbar_floating_button_maximize.png", lpString2="Program Files") returned 1 [0118.191] lstrcmpiW (lpString1="topbar_floating_button_maximize.png", lpString2="Program Files (x86)") returned 1 [0118.191] lstrcmpiW (lpString1="topbar_floating_button_maximize.png", lpString2="$Recycle.bin") returned 1 [0118.191] lstrcmpiW (lpString1="topbar_floating_button_maximize.png", lpString2="System Volume Information") returned 1 [0118.191] lstrcmpiW (lpString1="topbar_floating_button_maximize.png", lpString2=".") returned 1 [0118.191] lstrcmpiW (lpString1="topbar_floating_button_maximize.png", lpString2="..") returned 1 [0118.191] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_maximize.png") returned 176 [0118.191] lstrcmpW (lpString1="topbar_floating_button_maximize.png", lpString2="PUSSY.TXT") returned 1 [0118.191] PathFindExtensionW (pszPath="topbar_floating_button_maximize.png") returned=".png" [0118.191] lstrlenW (lpString=".png") returned 4 [0118.191] SystemFunction036 (in: RandomBuffer=0x289644, RandomBufferLength=0x20 | out: RandomBuffer=0x289644) returned 1 [0118.191] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_maximize.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_maximize.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b4 [0118.193] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x289638 | out: lpFileSize=0x289638*=166) returned 1 [0118.193] CloseHandle (hObject=0x1b4) returned 1 [0118.193] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x828ddc40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x828ddc40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xe7591500, ftLastWriteTime.dwHighDateTime=0x1ce931e, nFileSizeHigh=0x0, nFileSizeLow=0xa0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="topbar_floating_button_pressed.png", cAlternateFileName="TOF9E1~1.PNG")) returned 1 [0118.193] lstrcmpiW (lpString1="topbar_floating_button_pressed.png", lpString2="Windows") returned -1 [0118.193] lstrcmpiW (lpString1="topbar_floating_button_pressed.png", lpString2="Program Files") returned 1 [0118.193] lstrcmpiW (lpString1="topbar_floating_button_pressed.png", lpString2="Program Files (x86)") returned 1 [0118.193] lstrcmpiW (lpString1="topbar_floating_button_pressed.png", lpString2="$Recycle.bin") returned 1 [0118.193] lstrcmpiW (lpString1="topbar_floating_button_pressed.png", lpString2="System Volume Information") returned 1 [0118.237] lstrcmpiW (lpString1="topbar_floating_button_pressed.png", lpString2=".") returned 1 [0118.237] lstrcmpiW (lpString1="topbar_floating_button_pressed.png", lpString2="..") returned 1 [0118.237] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_pressed.png") returned 175 [0118.237] lstrcmpW (lpString1="topbar_floating_button_pressed.png", lpString2="PUSSY.TXT") returned 1 [0118.237] PathFindExtensionW (pszPath="topbar_floating_button_pressed.png") returned=".png" [0118.237] lstrlenW (lpString=".png") returned 4 [0118.237] SystemFunction036 (in: RandomBuffer=0x289644, RandomBufferLength=0x20 | out: RandomBuffer=0x289644) returned 1 [0118.237] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_pressed.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_pressed.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x114 [0118.238] GetFileSizeEx (in: hFile=0x114, lpFileSize=0x289638 | out: lpFileSize=0x289638*=160) returned 1 [0118.238] CloseHandle (hObject=0x114) returned 1 [0118.238] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x828ddc40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x828ddc40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xe7591500, ftLastWriteTime.dwHighDateTime=0x1ce931e, nFileSizeHigh=0x0, nFileSizeLow=0xa0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="topbar_floating_button_pressed.png", cAlternateFileName="TOF9E1~1.PNG")) returned 0 [0118.238] FindClose (in: hFindFile=0x3bb71e0 | out: hFindFile=0x3bb71e0) returned 1 [0118.238] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\PUSSY.TXT") returned 150 [0118.238] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0118.239] lstrlenA (lpString="abcd") returned 4 [0118.239] WriteFile (in: hFile=0x16c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2899ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x2899ac*=0x4, lpOverlapped=0x0) returned 1 [0118.240] CloseHandle (hObject=0x16c) returned 1 [0118.240] GetProcessHeap () returned 0x4c0000 [0118.240] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0118.240] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x826545a0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x828e2a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82aa3de0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x52a, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="manifest.json", cAlternateFileName="MANIFE~1.JSO")) returned 1 [0118.241] lstrcmpiW (lpString1="manifest.json", lpString2="Windows") returned -1 [0118.241] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files") returned -1 [0118.241] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files (x86)") returned -1 [0118.241] lstrcmpiW (lpString1="manifest.json", lpString2="$Recycle.bin") returned 1 [0118.241] lstrcmpiW (lpString1="manifest.json", lpString2="System Volume Information") returned -1 [0118.241] lstrcmpiW (lpString1="manifest.json", lpString2=".") returned 1 [0118.241] lstrcmpiW (lpString1="manifest.json", lpString2="..") returned 1 [0118.241] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\manifest.json") returned 147 [0118.241] lstrcmpW (lpString1="manifest.json", lpString2="PUSSY.TXT") returned -1 [0118.241] PathFindExtensionW (pszPath="manifest.json") returned=".json" [0118.241] lstrlenW (lpString=".json") returned 5 [0118.241] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0118.241] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\manifest.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0118.241] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=1322) returned 1 [0118.242] GetProcessHeap () returned 0x4c0000 [0118.242] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b600f0 [0118.251] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="BE") returned 2 [0118.251] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="0A") returned 2 [0118.251] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="AD") returned 2 [0118.251] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="CD") returned 2 [0118.251] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="42") returned 2 [0118.251] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="5E") returned 2 [0118.252] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="62") returned 2 [0118.252] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="D7") returned 2 [0118.252] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="B5") returned 2 [0118.252] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="5C") returned 2 [0118.252] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="99") returned 2 [0118.252] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="97") returned 2 [0118.252] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="CD") returned 2 [0118.252] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="54") returned 2 [0118.252] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="7B") returned 2 [0118.252] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="DE") returned 2 [0118.252] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="0E") returned 2 [0118.252] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="7D") returned 2 [0118.252] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="8D") returned 2 [0118.252] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="99") returned 2 [0118.252] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="CC") returned 2 [0118.252] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="01") returned 2 [0118.252] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="43") returned 2 [0118.252] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="E1") returned 2 [0118.252] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="17") returned 2 [0118.252] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="DB") returned 2 [0118.252] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="DB") returned 2 [0118.252] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="81") returned 2 [0118.252] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="2C") returned 2 [0118.252] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="A6") returned 2 [0118.252] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="4F") returned 2 [0118.252] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="7F") returned 2 [0118.262] lstrcpyW (in: lpString1=0x3b70124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\manifest.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\manifest.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\manifest.json" [0118.262] lstrcpyW (in: lpString1=0x3b60124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\manifest.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\manifest.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\manifest.json" [0118.262] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\manifest.json", lpString2=".BE0AADCD425E62D7B55C9997CD547BDE0E7D8D99CC0143E117DBDB812CA64F7F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\manifest.json.BE0AADCD425E62D7B55C9997CD547BDE0E7D8D99CC0143E117DBDB812CA64F7F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\manifest.json.BE0AADCD425E62D7B55C9997CD547BDE0E7D8D99CC0143E117DBDB812CA64F7F" [0118.262] CreateIoCompletionPort (FileHandle=0x16c, ExistingCompletionPort=0x94, CompletionKey=0x3b600f0, NumberOfConcurrentThreads=0x0) returned 0x94 [0118.262] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b600f0, lpOverlapped=0x3b600f0) returned 1 [0118.262] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82665710, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x828836f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x828836f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="_locales", cAlternateFileName="")) returned 1 [0118.262] lstrcmpiW (lpString1="_locales", lpString2="Windows") returned -1 [0118.262] lstrcmpiW (lpString1="_locales", lpString2="Program Files") returned -1 [0118.262] lstrcmpiW (lpString1="_locales", lpString2="Program Files (x86)") returned -1 [0118.262] lstrcmpiW (lpString1="_locales", lpString2="$Recycle.bin") returned 1 [0118.262] lstrcmpiW (lpString1="_locales", lpString2="System Volume Information") returned -1 [0118.262] lstrcmpiW (lpString1="_locales", lpString2=".") returned 1 [0118.262] lstrcmpiW (lpString1="_locales", lpString2="..") returned 1 [0118.262] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales") returned 142 [0118.262] GetProcessHeap () returned 0x4c0000 [0118.262] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0118.262] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales" [0118.262] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\*" [0118.263] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\*", lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82665710, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x828836f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x828836f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb71e0 [0118.273] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0118.273] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0118.273] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0118.273] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0118.274] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0118.274] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0118.274] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82665710, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x828836f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x828836f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0118.274] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0118.275] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0118.275] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0118.275] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0118.275] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0118.275] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0118.278] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0118.278] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8266a530, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8266f350, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8266f350, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="bg", cAlternateFileName="")) returned 1 [0118.278] lstrcmpiW (lpString1="bg", lpString2="Windows") returned -1 [0118.278] lstrcmpiW (lpString1="bg", lpString2="Program Files") returned -1 [0118.278] lstrcmpiW (lpString1="bg", lpString2="Program Files (x86)") returned -1 [0118.278] lstrcmpiW (lpString1="bg", lpString2="$Recycle.bin") returned 1 [0118.278] lstrcmpiW (lpString1="bg", lpString2="System Volume Information") returned -1 [0118.278] lstrcmpiW (lpString1="bg", lpString2=".") returned 1 [0118.278] lstrcmpiW (lpString1="bg", lpString2="..") returned 1 [0118.278] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg") returned 145 [0118.278] GetProcessHeap () returned 0x4c0000 [0118.278] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b600f0 [0118.278] lstrcpyW (in: lpString1=0x3b600f0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg" [0118.278] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\*" [0118.278] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8266a530, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8266f350, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8266f350, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0118.279] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0118.279] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0118.279] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0118.279] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0118.279] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0118.279] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0118.279] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8266a530, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8266f350, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8266f350, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0118.279] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0118.279] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0118.279] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0118.279] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0118.279] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0118.279] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0118.279] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0118.279] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8266f350, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8266f350, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82aab310, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x376, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0118.279] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0118.279] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0118.279] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0118.279] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0118.279] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0118.279] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0118.280] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0118.280] wnsprintfW (in: pszDest=0x3b600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\messages.json") returned 159 [0118.280] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0118.280] PathFindExtensionW (pszPath="messages.json") returned=".json" [0118.280] lstrlenW (lpString=".json") returned 5 [0118.280] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0118.280] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0118.289] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=886) returned 1 [0118.290] GetProcessHeap () returned 0x4c0000 [0118.290] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x53caf0 [0118.318] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="BB") returned 2 [0118.318] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="72") returned 2 [0118.318] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="0A") returned 2 [0118.318] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="11") returned 2 [0118.318] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="69") returned 2 [0118.318] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="D6") returned 2 [0118.318] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="AF") returned 2 [0118.318] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="66") returned 2 [0118.318] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="EE") returned 2 [0118.318] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="B6") returned 2 [0118.318] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="80") returned 2 [0118.318] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="82") returned 2 [0118.318] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="54") returned 2 [0118.318] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="B2") returned 2 [0118.319] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="2B") returned 2 [0118.319] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="25") returned 2 [0118.319] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="B0") returned 2 [0118.319] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="3C") returned 2 [0118.319] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="40") returned 2 [0118.319] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="37") returned 2 [0118.319] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="30") returned 2 [0118.319] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="93") returned 2 [0118.319] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="C7") returned 2 [0118.319] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="B4") returned 2 [0118.319] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="C3") returned 2 [0118.319] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="B4") returned 2 [0118.319] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="A7") returned 2 [0118.319] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="D2") returned 2 [0118.319] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="FF") returned 2 [0118.319] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="95") returned 2 [0118.319] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="57") returned 2 [0118.319] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="33") returned 2 [0118.332] lstrcpyW (in: lpString1=0x54cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\messages.json" [0118.332] lstrcpyW (in: lpString1=0x53cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\messages.json" [0118.332] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\messages.json", lpString2=".BB720A1169D6AF66EEB6808254B22B25B03C40373093C7B4C3B4A7D2FF955733" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\messages.json.BB720A1169D6AF66EEB6808254B22B25B03C40373093C7B4C3B4A7D2FF955733") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\messages.json.BB720A1169D6AF66EEB6808254B22B25B03C40373093C7B4C3B4A7D2FF955733" [0118.332] CreateIoCompletionPort (FileHandle=0x1b0, ExistingCompletionPort=0x94, CompletionKey=0x53caf0, NumberOfConcurrentThreads=0x0) returned 0x94 [0118.332] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x53caf0, lpOverlapped=0x53caf0) returned 1 [0118.332] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8266f350, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8266f350, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82aab310, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x376, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0118.335] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0118.339] wnsprintfW (in: pszDest=0x3b600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\PUSSY.TXT") returned 155 [0118.339] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0118.340] lstrlenA (lpString="abcd") returned 4 [0118.340] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0118.341] CloseHandle (hObject=0x1b0) returned 1 [0118.341] GetProcessHeap () returned 0x4c0000 [0118.341] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0118.343] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82676880, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8267ddb0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8267ddb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ca", cAlternateFileName="")) returned 1 [0118.343] lstrcmpiW (lpString1="ca", lpString2="Windows") returned -1 [0118.343] lstrcmpiW (lpString1="ca", lpString2="Program Files") returned -1 [0118.343] lstrcmpiW (lpString1="ca", lpString2="Program Files (x86)") returned -1 [0118.343] lstrcmpiW (lpString1="ca", lpString2="$Recycle.bin") returned 1 [0118.343] lstrcmpiW (lpString1="ca", lpString2="System Volume Information") returned -1 [0118.343] lstrcmpiW (lpString1="ca", lpString2=".") returned 1 [0118.343] lstrcmpiW (lpString1="ca", lpString2="..") returned 1 [0118.343] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca") returned 145 [0118.343] GetProcessHeap () returned 0x4c0000 [0118.343] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53caf0 [0118.343] lstrcpyW (in: lpString1=0x53caf0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca" [0118.343] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\*" [0118.343] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82676880, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8267ddb0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8267ddb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0118.344] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0118.344] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0118.344] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0118.344] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0118.344] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0118.344] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0118.344] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82676880, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8267ddb0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8267ddb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0118.344] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0118.344] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0118.344] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0118.344] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0118.344] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0118.344] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0118.344] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0118.344] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8267ddb0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8267ddb0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82aab310, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x2c1, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0118.344] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0118.344] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0118.344] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0118.344] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0118.344] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0118.344] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0118.344] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0118.345] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\messages.json") returned 159 [0118.345] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0118.345] PathFindExtensionW (pszPath="messages.json") returned=".json" [0118.345] lstrlenW (lpString=".json") returned 5 [0118.345] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0118.345] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0118.345] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=705) returned 1 [0118.345] GetProcessHeap () returned 0x4c0000 [0118.345] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x54caf8 [0118.360] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="F6") returned 2 [0118.360] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="81") returned 2 [0118.360] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="6C") returned 2 [0118.360] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="E7") returned 2 [0118.360] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="87") returned 2 [0118.360] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="B8") returned 2 [0118.360] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="B8") returned 2 [0118.360] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="6D") returned 2 [0118.360] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="59") returned 2 [0118.360] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="BF") returned 2 [0118.360] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="E5") returned 2 [0118.360] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="DC") returned 2 [0118.360] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="6B") returned 2 [0118.360] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="6D") returned 2 [0118.360] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="2F") returned 2 [0118.360] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="9D") returned 2 [0118.360] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="28") returned 2 [0118.360] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="F2") returned 2 [0118.360] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="21") returned 2 [0118.360] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="25") returned 2 [0118.361] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="A9") returned 2 [0118.361] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="D8") returned 2 [0118.361] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="30") returned 2 [0118.361] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="8F") returned 2 [0118.361] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="99") returned 2 [0118.361] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="DA") returned 2 [0118.361] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="2C") returned 2 [0118.361] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="2C") returned 2 [0118.361] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="62") returned 2 [0118.361] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="00") returned 2 [0118.361] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="34") returned 2 [0118.361] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="72") returned 2 [0118.373] lstrcpyW (in: lpString1=0x55cb2c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\messages.json" [0118.373] lstrcpyW (in: lpString1=0x54cb2c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\messages.json" [0118.373] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\messages.json", lpString2=".F6816CE787B8B86D59BFE5DC6B6D2F9D28F22125A9D8308F99DA2C2C62003472" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\messages.json.F6816CE787B8B86D59BFE5DC6B6D2F9D28F22125A9D8308F99DA2C2C62003472") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\messages.json.F6816CE787B8B86D59BFE5DC6B6D2F9D28F22125A9D8308F99DA2C2C62003472" [0118.374] CreateIoCompletionPort (FileHandle=0x16c, ExistingCompletionPort=0x94, CompletionKey=0x54caf8, NumberOfConcurrentThreads=0x0) returned 0x94 [0118.374] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x54caf8, lpOverlapped=0x54caf8) returned 1 [0118.374] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8267ddb0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8267ddb0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82aab310, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x2c1, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0118.377] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0118.377] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\PUSSY.TXT") returned 155 [0118.377] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0118.378] lstrlenA (lpString="abcd") returned 4 [0118.378] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0118.379] CloseHandle (hObject=0x1b0) returned 1 [0118.380] GetProcessHeap () returned 0x4c0000 [0118.380] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0118.383] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x826a0090, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x826a27a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x826a27a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="cs", cAlternateFileName="")) returned 1 [0118.383] lstrcmpiW (lpString1="cs", lpString2="Windows") returned -1 [0118.383] lstrcmpiW (lpString1="cs", lpString2="Program Files") returned -1 [0118.383] lstrcmpiW (lpString1="cs", lpString2="Program Files (x86)") returned -1 [0118.383] lstrcmpiW (lpString1="cs", lpString2="$Recycle.bin") returned 1 [0118.383] lstrcmpiW (lpString1="cs", lpString2="System Volume Information") returned -1 [0118.383] lstrcmpiW (lpString1="cs", lpString2=".") returned 1 [0118.383] lstrcmpiW (lpString1="cs", lpString2="..") returned 1 [0118.383] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs") returned 145 [0118.383] GetProcessHeap () returned 0x4c0000 [0118.383] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53caf0 [0118.384] lstrcpyW (in: lpString1=0x53caf0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs" [0118.384] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\*" [0118.384] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x826a0090, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x826a27a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x826a27a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0118.384] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0118.384] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0118.384] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0118.384] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0118.384] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0118.384] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0118.384] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x826a0090, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x826a27a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x826a27a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0118.385] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0118.385] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0118.385] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0118.385] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0118.385] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0118.385] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0118.385] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0118.385] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x826a27a0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x826a4eb0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82aada20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x297, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0118.385] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0118.385] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0118.385] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0118.385] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0118.385] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0118.385] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0118.385] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0118.385] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\messages.json") returned 159 [0118.385] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0118.385] PathFindExtensionW (pszPath="messages.json") returned=".json" [0118.385] lstrlenW (lpString=".json") returned 5 [0118.385] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0118.385] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0118.387] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=663) returned 1 [0118.387] GetProcessHeap () returned 0x4c0000 [0118.387] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b380a0 [0118.403] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="BE") returned 2 [0118.403] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="B9") returned 2 [0118.403] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="97") returned 2 [0118.403] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="19") returned 2 [0118.403] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="CC") returned 2 [0118.403] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="30") returned 2 [0118.403] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="14") returned 2 [0118.403] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="5A") returned 2 [0118.403] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="7A") returned 2 [0118.403] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="9C") returned 2 [0118.403] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="1A") returned 2 [0118.403] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="38") returned 2 [0118.403] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="C3") returned 2 [0118.403] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="E4") returned 2 [0118.403] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="10") returned 2 [0118.403] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="79") returned 2 [0118.404] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="64") returned 2 [0118.404] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="B2") returned 2 [0118.404] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="C3") returned 2 [0118.404] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="2C") returned 2 [0118.404] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="52") returned 2 [0118.404] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="AD") returned 2 [0118.404] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="51") returned 2 [0118.404] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="89") returned 2 [0118.404] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="C6") returned 2 [0118.404] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="32") returned 2 [0118.404] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="AA") returned 2 [0118.404] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="08") returned 2 [0118.404] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="DF") returned 2 [0118.404] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="9C") returned 2 [0118.404] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="63") returned 2 [0118.404] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="69") returned 2 [0118.416] lstrcpyW (in: lpString1=0x3b480d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\messages.json" [0118.417] lstrcpyW (in: lpString1=0x3b380d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\messages.json" [0118.417] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\messages.json", lpString2=".BEB99719CC30145A7A9C1A38C3E4107964B2C32C52AD5189C632AA08DF9C6369" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\messages.json.BEB99719CC30145A7A9C1A38C3E4107964B2C32C52AD5189C632AA08DF9C6369") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\messages.json.BEB99719CC30145A7A9C1A38C3E4107964B2C32C52AD5189C632AA08DF9C6369" [0118.417] CreateIoCompletionPort (FileHandle=0x17c, ExistingCompletionPort=0x94, CompletionKey=0x3b380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0118.417] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b380a0, lpOverlapped=0x3b380a0) returned 1 [0118.417] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x826a27a0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x826a4eb0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82aada20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x297, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0118.417] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0118.429] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\PUSSY.TXT") returned 155 [0118.429] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0118.429] lstrlenA (lpString="abcd") returned 4 [0118.430] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0118.431] CloseHandle (hObject=0x184) returned 1 [0118.431] GetProcessHeap () returned 0x4c0000 [0118.431] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0118.431] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x826ac3e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x826b1200, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x826b1200, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="da", cAlternateFileName="")) returned 1 [0118.431] lstrcmpiW (lpString1="da", lpString2="Windows") returned -1 [0118.431] lstrcmpiW (lpString1="da", lpString2="Program Files") returned -1 [0118.431] lstrcmpiW (lpString1="da", lpString2="Program Files (x86)") returned -1 [0118.431] lstrcmpiW (lpString1="da", lpString2="$Recycle.bin") returned 1 [0118.431] lstrcmpiW (lpString1="da", lpString2="System Volume Information") returned -1 [0118.431] lstrcmpiW (lpString1="da", lpString2=".") returned 1 [0118.431] lstrcmpiW (lpString1="da", lpString2="..") returned 1 [0118.431] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da") returned 145 [0118.431] GetProcessHeap () returned 0x4c0000 [0118.431] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53caf0 [0118.432] lstrcpyW (in: lpString1=0x53caf0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da" [0118.432] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\*" [0118.432] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x826ac3e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x826b1200, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x826b1200, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0118.432] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0118.432] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0118.432] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0118.432] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0118.432] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0118.432] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0118.432] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x826ac3e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x826b1200, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x826b1200, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0118.432] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0118.432] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0118.432] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0118.432] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0118.432] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0118.432] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0118.433] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0118.433] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x826b1200, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x826b1200, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82aada20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x282, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0118.433] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0118.433] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0118.433] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0118.433] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0118.433] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0118.433] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0118.433] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0118.433] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\messages.json") returned 159 [0118.433] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0118.433] PathFindExtensionW (pszPath="messages.json") returned=".json" [0118.433] lstrlenW (lpString=".json") returned 5 [0118.433] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0118.433] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a0 [0118.434] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=642) returned 1 [0118.434] GetProcessHeap () returned 0x4c0000 [0118.434] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c20058 [0118.448] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="41") returned 2 [0118.448] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="E5") returned 2 [0118.448] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="3C") returned 2 [0118.448] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="89") returned 2 [0118.449] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="C3") returned 2 [0118.449] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="4D") returned 2 [0118.449] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="B5") returned 2 [0118.449] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="9F") returned 2 [0118.449] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="06") returned 2 [0118.449] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="4E") returned 2 [0118.449] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="58") returned 2 [0118.449] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="01") returned 2 [0118.449] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="D8") returned 2 [0118.449] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="35") returned 2 [0118.449] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="6A") returned 2 [0118.449] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="4D") returned 2 [0118.449] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="9F") returned 2 [0118.449] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="C6") returned 2 [0118.449] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="89") returned 2 [0118.449] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="6F") returned 2 [0118.449] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="EA") returned 2 [0118.449] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="44") returned 2 [0118.449] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="91") returned 2 [0118.449] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="3E") returned 2 [0118.449] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="F6") returned 2 [0118.449] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="FE") returned 2 [0118.449] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="40") returned 2 [0118.449] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="83") returned 2 [0118.450] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="A3") returned 2 [0118.450] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="D9") returned 2 [0118.450] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="28") returned 2 [0118.450] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="0D") returned 2 [0118.463] lstrcpyW (in: lpString1=0x3c3008c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\messages.json" [0118.464] lstrcpyW (in: lpString1=0x3c2008c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\messages.json" [0118.464] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\messages.json", lpString2=".41E53C89C34DB59F064E5801D8356A4D9FC6896FEA44913EF6FE4083A3D9280D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\messages.json.41E53C89C34DB59F064E5801D8356A4D9FC6896FEA44913EF6FE4083A3D9280D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\messages.json.41E53C89C34DB59F064E5801D8356A4D9FC6896FEA44913EF6FE4083A3D9280D" [0118.464] CreateIoCompletionPort (FileHandle=0x1a0, ExistingCompletionPort=0x94, CompletionKey=0x3c20058, NumberOfConcurrentThreads=0x0) returned 0x94 [0118.464] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c20058, lpOverlapped=0x3c20058) returned 1 [0118.464] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x826b1200, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x826b1200, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82aada20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x282, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0118.464] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0118.465] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\PUSSY.TXT") returned 155 [0118.465] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0118.466] lstrlenA (lpString="abcd") returned 4 [0118.466] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0118.467] CloseHandle (hObject=0x184) returned 1 [0118.467] GetProcessHeap () returned 0x4c0000 [0118.467] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0118.467] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x826b8730, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x826bae40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x826bae40, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="de", cAlternateFileName="")) returned 1 [0118.467] lstrcmpiW (lpString1="de", lpString2="Windows") returned -1 [0118.467] lstrcmpiW (lpString1="de", lpString2="Program Files") returned -1 [0118.467] lstrcmpiW (lpString1="de", lpString2="Program Files (x86)") returned -1 [0118.467] lstrcmpiW (lpString1="de", lpString2="$Recycle.bin") returned 1 [0118.467] lstrcmpiW (lpString1="de", lpString2="System Volume Information") returned -1 [0118.467] lstrcmpiW (lpString1="de", lpString2=".") returned 1 [0118.467] lstrcmpiW (lpString1="de", lpString2="..") returned 1 [0118.467] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de") returned 145 [0118.467] GetProcessHeap () returned 0x4c0000 [0118.467] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53caf0 [0118.468] lstrcpyW (in: lpString1=0x53caf0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de" [0118.468] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\*" [0118.468] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x826b8730, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x826bae40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x826bae40, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0118.468] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0118.468] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0118.468] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0118.468] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0118.468] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0118.468] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0118.468] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x826b8730, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x826bae40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x826bae40, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0118.468] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0118.468] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0118.468] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0118.468] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0118.469] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0118.469] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0118.469] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0118.469] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x826bae40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x826bae40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82aada20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x2bd, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0118.469] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0118.469] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0118.469] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0118.469] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0118.469] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0118.469] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0118.469] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0118.469] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\messages.json") returned 159 [0118.469] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0118.469] PathFindExtensionW (pszPath="messages.json") returned=".json" [0118.469] lstrlenW (lpString=".json") returned 5 [0118.469] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0118.469] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0118.471] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=701) returned 1 [0118.471] GetProcessHeap () returned 0x4c0000 [0118.471] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3ca0008 [0118.485] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="DE") returned 2 [0118.485] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="92") returned 2 [0118.485] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="54") returned 2 [0118.485] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="10") returned 2 [0118.485] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="C7") returned 2 [0118.485] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="82") returned 2 [0118.485] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="80") returned 2 [0118.485] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="C1") returned 2 [0118.485] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="FC") returned 2 [0118.485] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="02") returned 2 [0118.485] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="18") returned 2 [0118.485] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="44") returned 2 [0118.485] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="93") returned 2 [0118.485] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="4E") returned 2 [0118.486] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="37") returned 2 [0118.486] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="3B") returned 2 [0118.486] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="16") returned 2 [0118.486] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="1A") returned 2 [0118.486] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="52") returned 2 [0118.486] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="5A") returned 2 [0118.486] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="10") returned 2 [0118.486] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="D7") returned 2 [0118.486] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="B8") returned 2 [0118.486] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="6E") returned 2 [0118.486] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="05") returned 2 [0118.486] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="AB") returned 2 [0118.486] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="C9") returned 2 [0118.486] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="91") returned 2 [0118.486] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="47") returned 2 [0118.486] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="9D") returned 2 [0118.486] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="9F") returned 2 [0118.486] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="48") returned 2 [0118.504] lstrcpyW (in: lpString1=0x3cb003c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\messages.json" [0118.504] lstrcpyW (in: lpString1=0x3ca003c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\messages.json" [0118.504] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\messages.json", lpString2=".DE925410C78280C1FC021844934E373B161A525A10D7B86E05ABC991479D9F48" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\messages.json.DE925410C78280C1FC021844934E373B161A525A10D7B86E05ABC991479D9F48") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\messages.json.DE925410C78280C1FC021844934E373B161A525A10D7B86E05ABC991479D9F48" [0118.504] CreateIoCompletionPort (FileHandle=0x1b0, ExistingCompletionPort=0x94, CompletionKey=0x3ca0008, NumberOfConcurrentThreads=0x0) returned 0x94 [0118.505] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3ca0008, lpOverlapped=0x3ca0008) returned 1 [0118.505] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x826bae40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x826bae40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82aada20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x2bd, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0118.505] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0118.505] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\PUSSY.TXT") returned 155 [0118.505] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0118.506] lstrlenA (lpString="abcd") returned 4 [0118.506] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0118.507] CloseHandle (hObject=0x184) returned 1 [0118.507] GetProcessHeap () returned 0x4c0000 [0118.507] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0118.508] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x826c2370, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x826c7190, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x826c7190, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="el", cAlternateFileName="")) returned 1 [0118.508] lstrcmpiW (lpString1="el", lpString2="Windows") returned -1 [0118.508] lstrcmpiW (lpString1="el", lpString2="Program Files") returned -1 [0118.508] lstrcmpiW (lpString1="el", lpString2="Program Files (x86)") returned -1 [0118.508] lstrcmpiW (lpString1="el", lpString2="$Recycle.bin") returned 1 [0118.508] lstrcmpiW (lpString1="el", lpString2="System Volume Information") returned -1 [0118.508] lstrcmpiW (lpString1="el", lpString2=".") returned 1 [0118.508] lstrcmpiW (lpString1="el", lpString2="..") returned 1 [0118.508] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el") returned 145 [0118.508] GetProcessHeap () returned 0x4c0000 [0118.508] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53caf0 [0118.508] lstrcpyW (in: lpString1=0x53caf0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el" [0118.508] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\*" [0118.508] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x826c2370, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x826c7190, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x826c7190, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0118.509] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0118.509] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0118.509] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0118.509] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0118.509] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0118.509] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0118.509] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x826c2370, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x826c7190, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x826c7190, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0118.509] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0118.509] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0118.509] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0118.509] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0118.509] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0118.509] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0118.509] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0118.509] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x826c7190, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x826c7190, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82aada20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x36b, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0118.509] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0118.509] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0118.509] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0118.510] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0118.510] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0118.510] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0118.510] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0118.510] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\messages.json") returned 159 [0118.510] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0118.510] PathFindExtensionW (pszPath="messages.json") returned=".json" [0118.510] lstrlenW (lpString=".json") returned 5 [0118.510] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0118.510] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0118.511] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=875) returned 1 [0118.511] GetProcessHeap () returned 0x4c0000 [0118.511] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b600f0 [0118.534] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="72") returned 2 [0118.534] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="30") returned 2 [0118.534] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="E6") returned 2 [0118.534] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="FE") returned 2 [0118.534] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="1D") returned 2 [0118.534] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="F5") returned 2 [0118.534] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="C3") returned 2 [0118.534] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="F4") returned 2 [0118.535] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="A3") returned 2 [0118.535] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="62") returned 2 [0118.535] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="9F") returned 2 [0118.535] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="56") returned 2 [0118.535] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="CF") returned 2 [0118.535] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="49") returned 2 [0118.535] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="82") returned 2 [0118.535] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="12") returned 2 [0118.535] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="15") returned 2 [0118.535] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="AE") returned 2 [0118.535] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="14") returned 2 [0118.535] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="18") returned 2 [0118.535] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="C5") returned 2 [0118.535] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="E3") returned 2 [0118.535] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="45") returned 2 [0118.535] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="E7") returned 2 [0118.535] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="58") returned 2 [0118.535] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="7C") returned 2 [0118.535] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="3C") returned 2 [0118.535] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="B1") returned 2 [0118.535] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="FF") returned 2 [0118.535] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="EC") returned 2 [0118.535] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="1D") returned 2 [0118.535] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="14") returned 2 [0118.553] lstrcpyW (in: lpString1=0x3b70124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\messages.json" [0118.553] lstrcpyW (in: lpString1=0x3b60124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\messages.json" [0118.553] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\messages.json", lpString2=".7230E6FE1DF5C3F4A3629F56CF49821215AE1418C5E345E7587C3CB1FFEC1D14" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\messages.json.7230E6FE1DF5C3F4A3629F56CF49821215AE1418C5E345E7587C3CB1FFEC1D14") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\messages.json.7230E6FE1DF5C3F4A3629F56CF49821215AE1418C5E345E7587C3CB1FFEC1D14" [0118.553] CreateIoCompletionPort (FileHandle=0x1ac, ExistingCompletionPort=0x94, CompletionKey=0x3b600f0, NumberOfConcurrentThreads=0x0) returned 0x94 [0118.553] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b600f0, lpOverlapped=0x3b600f0) returned 1 [0118.553] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x826c7190, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x826c7190, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82aada20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x36b, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0118.570] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0118.573] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\PUSSY.TXT") returned 155 [0118.573] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0118.573] lstrlenA (lpString="abcd") returned 4 [0118.573] WriteFile (in: hFile=0x1ac, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0118.575] CloseHandle (hObject=0x1ac) returned 1 [0118.575] GetProcessHeap () returned 0x4c0000 [0118.575] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0118.575] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x826ce6c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x826d0dd0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x826d0dd0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="en", cAlternateFileName="")) returned 1 [0118.575] lstrcmpiW (lpString1="en", lpString2="Windows") returned -1 [0118.575] lstrcmpiW (lpString1="en", lpString2="Program Files") returned -1 [0118.575] lstrcmpiW (lpString1="en", lpString2="Program Files (x86)") returned -1 [0118.575] lstrcmpiW (lpString1="en", lpString2="$Recycle.bin") returned 1 [0118.575] lstrcmpiW (lpString1="en", lpString2="System Volume Information") returned -1 [0118.575] lstrcmpiW (lpString1="en", lpString2=".") returned 1 [0118.575] lstrcmpiW (lpString1="en", lpString2="..") returned 1 [0118.575] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en") returned 145 [0118.575] GetProcessHeap () returned 0x4c0000 [0118.575] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0118.576] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en" [0118.576] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\*" [0118.576] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x826ce6c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x826d0dd0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x826d0dd0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0118.576] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0118.576] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0118.576] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0118.576] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0118.576] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0118.576] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0118.576] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x826ce6c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x826d0dd0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x826d0dd0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0118.576] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0118.576] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0118.576] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0118.576] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0118.576] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0118.576] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0118.576] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0118.577] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x826d0dd0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x826d34e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82aada20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x269, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0118.577] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0118.577] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0118.577] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0118.577] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0118.577] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0118.577] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0118.577] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0118.577] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\messages.json") returned 159 [0118.577] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0118.577] PathFindExtensionW (pszPath="messages.json") returned=".json" [0118.577] lstrlenW (lpString=".json") returned 5 [0118.577] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0118.577] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0118.578] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=617) returned 1 [0118.578] GetProcessHeap () returned 0x4c0000 [0118.578] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b600f0 [0118.590] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="29") returned 2 [0118.590] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="B7") returned 2 [0118.590] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="91") returned 2 [0118.590] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="13") returned 2 [0118.590] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="65") returned 2 [0118.590] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="7F") returned 2 [0118.590] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="87") returned 2 [0118.590] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="0C") returned 2 [0118.590] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="D5") returned 2 [0118.590] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="AA") returned 2 [0118.591] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="01") returned 2 [0118.591] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="B8") returned 2 [0118.591] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="AA") returned 2 [0118.591] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="CD") returned 2 [0118.591] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="33") returned 2 [0118.591] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="9A") returned 2 [0118.591] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="00") returned 2 [0118.591] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="FD") returned 2 [0118.591] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="48") returned 2 [0118.591] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="D3") returned 2 [0118.591] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="38") returned 2 [0118.591] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="7B") returned 2 [0118.591] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="D1") returned 2 [0118.591] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="83") returned 2 [0118.591] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="6D") returned 2 [0118.591] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="06") returned 2 [0118.591] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="5A") returned 2 [0118.591] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="E4") returned 2 [0118.591] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="79") returned 2 [0118.591] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="EA") returned 2 [0118.591] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="EC") returned 2 [0118.591] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="17") returned 2 [0118.603] lstrcpyW (in: lpString1=0x3b70124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\messages.json" [0118.603] lstrcpyW (in: lpString1=0x3b60124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\messages.json" [0118.603] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\messages.json", lpString2=".29B79113657F870CD5AA01B8AACD339A00FD48D3387BD1836D065AE479EAEC17" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\messages.json.29B79113657F870CD5AA01B8AACD339A00FD48D3387BD1836D065AE479EAEC17") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\messages.json.29B79113657F870CD5AA01B8AACD339A00FD48D3387BD1836D065AE479EAEC17" [0118.603] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x3b600f0, NumberOfConcurrentThreads=0x0) returned 0x94 [0118.603] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b600f0, lpOverlapped=0x3b600f0) returned 1 [0118.603] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x826d0dd0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x826d34e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82aada20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x269, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0118.603] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0118.603] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\PUSSY.TXT") returned 155 [0118.604] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0118.604] lstrlenA (lpString="abcd") returned 4 [0118.605] WriteFile (in: hFile=0x1ac, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0118.606] CloseHandle (hObject=0x1ac) returned 1 [0118.606] GetProcessHeap () returned 0x4c0000 [0118.606] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0118.610] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x826d8300, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x826df830, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x826df830, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="en_GB", cAlternateFileName="")) returned 1 [0118.610] lstrcmpiW (lpString1="en_GB", lpString2="Windows") returned -1 [0118.610] lstrcmpiW (lpString1="en_GB", lpString2="Program Files") returned -1 [0118.610] lstrcmpiW (lpString1="en_GB", lpString2="Program Files (x86)") returned -1 [0118.610] lstrcmpiW (lpString1="en_GB", lpString2="$Recycle.bin") returned 1 [0118.610] lstrcmpiW (lpString1="en_GB", lpString2="System Volume Information") returned -1 [0118.610] lstrcmpiW (lpString1="en_GB", lpString2=".") returned 1 [0118.610] lstrcmpiW (lpString1="en_GB", lpString2="..") returned 1 [0118.610] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB") returned 148 [0118.610] GetProcessHeap () returned 0x4c0000 [0118.610] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0118.611] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB" [0118.611] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\*" [0118.612] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x826d8300, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x826df830, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x826df830, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0118.612] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0118.612] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0118.612] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0118.612] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0118.612] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0118.612] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0118.612] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x826d8300, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x826df830, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x826df830, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0118.612] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0118.612] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0118.612] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0118.612] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0118.612] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0118.613] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0118.613] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0118.613] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x826df830, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x826e1f40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82aada20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x269, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0118.613] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0118.613] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0118.613] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0118.613] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0118.613] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0118.613] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0118.613] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0118.613] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\messages.json") returned 162 [0118.613] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0118.613] PathFindExtensionW (pszPath="messages.json") returned=".json" [0118.613] lstrlenW (lpString=".json") returned 5 [0118.613] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0118.613] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_gb\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0118.614] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=617) returned 1 [0118.614] GetProcessHeap () returned 0x4c0000 [0118.614] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b88140 [0118.628] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="6A") returned 2 [0118.628] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="AE") returned 2 [0118.628] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="16") returned 2 [0118.628] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="43") returned 2 [0118.628] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="80") returned 2 [0118.628] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="F7") returned 2 [0118.628] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="6B") returned 2 [0118.628] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="0C") returned 2 [0118.629] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="5E") returned 2 [0118.629] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="98") returned 2 [0118.629] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="CD") returned 2 [0118.629] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="C7") returned 2 [0118.629] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="DE") returned 2 [0118.629] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="F7") returned 2 [0118.629] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="20") returned 2 [0118.629] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="32") returned 2 [0118.629] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="BC") returned 2 [0118.629] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="41") returned 2 [0118.629] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="A2") returned 2 [0118.629] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="BE") returned 2 [0118.629] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="FA") returned 2 [0118.629] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="E3") returned 2 [0118.629] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="0A") returned 2 [0118.629] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="B6") returned 2 [0118.629] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="DF") returned 2 [0118.629] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="82") returned 2 [0118.629] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="18") returned 2 [0118.629] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="8C") returned 2 [0118.629] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="EE") returned 2 [0118.629] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="B8") returned 2 [0118.629] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="E6") returned 2 [0118.629] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="0F") returned 2 [0118.641] lstrcpyW (in: lpString1=0x3b98174, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\messages.json" [0118.641] lstrcpyW (in: lpString1=0x3b88174, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\messages.json" [0118.641] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\messages.json", lpString2=".6AAE164380F76B0C5E98CDC7DEF72032BC41A2BEFAE30AB6DF82188CEEB8E60F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\messages.json.6AAE164380F76B0C5E98CDC7DEF72032BC41A2BEFAE30AB6DF82188CEEB8E60F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\messages.json.6AAE164380F76B0C5E98CDC7DEF72032BC41A2BEFAE30AB6DF82188CEEB8E60F" [0118.641] CreateIoCompletionPort (FileHandle=0x16c, ExistingCompletionPort=0x94, CompletionKey=0x3b88140, NumberOfConcurrentThreads=0x0) returned 0x94 [0118.641] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b88140, lpOverlapped=0x3b88140) returned 1 [0118.641] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x826df830, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x826e1f40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82aada20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x269, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0118.642] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0118.642] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\PUSSY.TXT") returned 158 [0118.642] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_gb\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0118.643] lstrlenA (lpString="abcd") returned 4 [0118.643] WriteFile (in: hFile=0x1ac, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0118.644] CloseHandle (hObject=0x1ac) returned 1 [0118.644] GetProcessHeap () returned 0x4c0000 [0118.644] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0118.644] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x826e9470, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x826ebb80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x826ebb80, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="es", cAlternateFileName="")) returned 1 [0118.644] lstrcmpiW (lpString1="es", lpString2="Windows") returned -1 [0118.644] lstrcmpiW (lpString1="es", lpString2="Program Files") returned -1 [0118.644] lstrcmpiW (lpString1="es", lpString2="Program Files (x86)") returned -1 [0118.644] lstrcmpiW (lpString1="es", lpString2="$Recycle.bin") returned 1 [0118.644] lstrcmpiW (lpString1="es", lpString2="System Volume Information") returned -1 [0118.644] lstrcmpiW (lpString1="es", lpString2=".") returned 1 [0118.644] lstrcmpiW (lpString1="es", lpString2="..") returned 1 [0118.644] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es") returned 145 [0118.644] GetProcessHeap () returned 0x4c0000 [0118.644] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3ca0008 [0118.644] lstrcpyW (in: lpString1=0x3ca0008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es" [0118.645] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\*" [0118.645] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x826e9470, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x826ebb80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x826ebb80, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0118.645] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0118.645] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0118.645] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0118.645] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0118.645] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0118.645] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0118.645] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x826e9470, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x826ebb80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x826ebb80, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0118.645] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0118.645] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0118.645] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0118.645] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0118.645] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0118.645] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0118.645] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0118.646] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x826ebb80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x826ebb80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82aada20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x2b8, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0118.646] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0118.646] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0118.646] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0118.646] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0118.646] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0118.646] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0118.646] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0118.646] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\messages.json") returned 159 [0118.646] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0118.646] PathFindExtensionW (pszPath="messages.json") returned=".json" [0118.646] lstrlenW (lpString=".json") returned 5 [0118.646] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0118.646] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0118.663] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=696) returned 1 [0118.663] GetProcessHeap () returned 0x4c0000 [0118.663] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b600f0 [0118.676] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="60") returned 2 [0118.676] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="2E") returned 2 [0118.676] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="C7") returned 2 [0118.676] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="32") returned 2 [0118.676] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="91") returned 2 [0118.676] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="E1") returned 2 [0118.676] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="41") returned 2 [0118.676] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="E0") returned 2 [0118.676] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="BA") returned 2 [0118.676] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="E8") returned 2 [0118.676] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="85") returned 2 [0118.676] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="76") returned 2 [0118.676] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="A7") returned 2 [0118.676] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="6F") returned 2 [0118.676] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="35") returned 2 [0118.677] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="B6") returned 2 [0118.677] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="27") returned 2 [0118.677] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="06") returned 2 [0118.677] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="DB") returned 2 [0118.677] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="6B") returned 2 [0118.677] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="EF") returned 2 [0118.677] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="9B") returned 2 [0118.677] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="C2") returned 2 [0118.677] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="0C") returned 2 [0118.677] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="80") returned 2 [0118.677] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="85") returned 2 [0118.677] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="D4") returned 2 [0118.677] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="24") returned 2 [0118.677] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="69") returned 2 [0118.677] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="C8") returned 2 [0118.677] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="FE") returned 2 [0118.677] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="53") returned 2 [0118.689] lstrcpyW (in: lpString1=0x3b70124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\messages.json" [0118.690] lstrcpyW (in: lpString1=0x3b60124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\messages.json" [0118.690] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\messages.json", lpString2=".602EC73291E141E0BAE88576A76F35B62706DB6BEF9BC20C8085D42469C8FE53" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\messages.json.602EC73291E141E0BAE88576A76F35B62706DB6BEF9BC20C8085D42469C8FE53") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\messages.json.602EC73291E141E0BAE88576A76F35B62706DB6BEF9BC20C8085D42469C8FE53" [0118.690] CreateIoCompletionPort (FileHandle=0x16c, ExistingCompletionPort=0x94, CompletionKey=0x3b600f0, NumberOfConcurrentThreads=0x0) returned 0x94 [0118.690] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b600f0, lpOverlapped=0x3b600f0) returned 1 [0118.690] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x826ebb80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x826ebb80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82aada20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x2b8, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0118.690] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0118.690] wnsprintfW (in: pszDest=0x3ca0008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\PUSSY.TXT") returned 155 [0118.691] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0118.691] lstrlenA (lpString="abcd") returned 4 [0118.692] WriteFile (in: hFile=0x1ac, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0118.693] CloseHandle (hObject=0x1ac) returned 1 [0118.693] GetProcessHeap () returned 0x4c0000 [0118.693] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0118.693] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x826f30b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x826f7ed0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x826f7ed0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="es_419", cAlternateFileName="")) returned 1 [0118.693] lstrcmpiW (lpString1="es_419", lpString2="Windows") returned -1 [0118.694] lstrcmpiW (lpString1="es_419", lpString2="Program Files") returned -1 [0118.694] lstrcmpiW (lpString1="es_419", lpString2="Program Files (x86)") returned -1 [0118.694] lstrcmpiW (lpString1="es_419", lpString2="$Recycle.bin") returned 1 [0118.694] lstrcmpiW (lpString1="es_419", lpString2="System Volume Information") returned -1 [0118.694] lstrcmpiW (lpString1="es_419", lpString2=".") returned 1 [0118.694] lstrcmpiW (lpString1="es_419", lpString2="..") returned 1 [0118.694] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419") returned 149 [0118.694] GetProcessHeap () returned 0x4c0000 [0118.694] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b88140 [0118.694] lstrcpyW (in: lpString1=0x3b88140, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419" [0118.694] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\*" [0118.694] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x826f30b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x826f7ed0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x826f7ed0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0118.694] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0118.694] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0118.694] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0118.694] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0118.695] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0118.695] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0118.695] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x826f30b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x826f7ed0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x826f7ed0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0118.695] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0118.695] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0118.695] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0118.695] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0118.695] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0118.695] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0118.695] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0118.695] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x826f7ed0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x826f7ed0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82aada20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x29b, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0118.695] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0118.695] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0118.695] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0118.695] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0118.695] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0118.695] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0118.695] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0118.695] wnsprintfW (in: pszDest=0x3b88140, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\messages.json") returned 163 [0118.695] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0118.695] PathFindExtensionW (pszPath="messages.json") returned=".json" [0118.695] lstrlenW (lpString=".json") returned 5 [0118.695] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0118.696] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0118.696] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=667) returned 1 [0118.696] GetProcessHeap () returned 0x4c0000 [0118.696] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3ca0008 [0118.709] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="FB") returned 2 [0118.709] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="D7") returned 2 [0118.709] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="AF") returned 2 [0118.709] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="D8") returned 2 [0118.709] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="05") returned 2 [0118.709] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="83") returned 2 [0118.709] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="16") returned 2 [0118.709] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="D8") returned 2 [0118.709] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="05") returned 2 [0118.709] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="FB") returned 2 [0118.709] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="02") returned 2 [0118.709] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="1F") returned 2 [0118.709] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="8F") returned 2 [0118.709] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="79") returned 2 [0118.709] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="67") returned 2 [0118.709] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="52") returned 2 [0118.709] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="5D") returned 2 [0118.710] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="ED") returned 2 [0118.710] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="A3") returned 2 [0118.710] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="CF") returned 2 [0118.710] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="08") returned 2 [0118.710] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="AF") returned 2 [0118.710] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="67") returned 2 [0118.710] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="72") returned 2 [0118.710] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="0E") returned 2 [0118.710] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="C3") returned 2 [0118.710] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="90") returned 2 [0118.710] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="FB") returned 2 [0118.710] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="3B") returned 2 [0118.710] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="72") returned 2 [0118.710] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="DF") returned 2 [0118.710] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="5D") returned 2 [0118.736] lstrcpyW (in: lpString1=0x3cb003c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\messages.json" [0118.736] lstrcpyW (in: lpString1=0x3ca003c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\messages.json" [0118.736] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\messages.json", lpString2=".FBD7AFD8058316D805FB021F8F7967525DEDA3CF08AF67720EC390FB3B72DF5D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\messages.json.FBD7AFD8058316D805FB021F8F7967525DEDA3CF08AF67720EC390FB3B72DF5D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\messages.json.FBD7AFD8058316D805FB021F8F7967525DEDA3CF08AF67720EC390FB3B72DF5D" [0118.736] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x3ca0008, NumberOfConcurrentThreads=0x0) returned 0x94 [0118.736] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3ca0008, lpOverlapped=0x3ca0008) returned 1 [0118.737] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x826f7ed0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x826f7ed0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82aada20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x29b, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0118.737] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0118.737] wnsprintfW (in: pszDest=0x3b88140, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\PUSSY.TXT") returned 159 [0118.737] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0118.748] lstrlenA (lpString="abcd") returned 4 [0118.749] WriteFile (in: hFile=0x1ac, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0118.750] CloseHandle (hObject=0x1ac) returned 1 [0118.750] GetProcessHeap () returned 0x4c0000 [0118.750] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b88140 | out: hHeap=0x4c0000) returned 1 [0118.750] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x826ff400, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82701b10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82701b10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="et", cAlternateFileName="")) returned 1 [0118.750] lstrcmpiW (lpString1="et", lpString2="Windows") returned -1 [0118.750] lstrcmpiW (lpString1="et", lpString2="Program Files") returned -1 [0118.751] lstrcmpiW (lpString1="et", lpString2="Program Files (x86)") returned -1 [0118.751] lstrcmpiW (lpString1="et", lpString2="$Recycle.bin") returned 1 [0118.751] lstrcmpiW (lpString1="et", lpString2="System Volume Information") returned -1 [0118.751] lstrcmpiW (lpString1="et", lpString2=".") returned 1 [0118.751] lstrcmpiW (lpString1="et", lpString2="..") returned 1 [0118.751] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et") returned 145 [0118.751] GetProcessHeap () returned 0x4c0000 [0118.751] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b88140 [0118.751] lstrcpyW (in: lpString1=0x3b88140, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et" [0118.751] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\*" [0118.751] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x826ff400, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82701b10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82701b10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0118.751] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0118.751] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0118.751] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0118.752] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0118.752] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0118.752] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0118.752] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x826ff400, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82701b10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82701b10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0118.752] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0118.752] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0118.752] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0118.752] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0118.752] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0118.752] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0118.752] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0118.752] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82701b10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82704220, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82aada20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x261, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0118.752] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0118.752] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0118.752] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0118.752] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0118.752] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0118.752] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0118.752] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0118.752] wnsprintfW (in: pszDest=0x3b88140, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\messages.json") returned 159 [0118.752] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0118.752] PathFindExtensionW (pszPath="messages.json") returned=".json" [0118.753] lstrlenW (lpString=".json") returned 5 [0118.753] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0118.753] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a0 [0118.754] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=609) returned 1 [0118.754] GetProcessHeap () returned 0x4c0000 [0118.754] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c20058 [0118.768] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="B6") returned 2 [0118.768] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="99") returned 2 [0118.768] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="37") returned 2 [0118.768] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="CE") returned 2 [0118.768] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="59") returned 2 [0118.768] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="E6") returned 2 [0118.768] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="9A") returned 2 [0118.768] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="5B") returned 2 [0118.768] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="12") returned 2 [0118.768] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="2D") returned 2 [0118.768] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="97") returned 2 [0118.768] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="A4") returned 2 [0118.768] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="75") returned 2 [0118.768] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="AF") returned 2 [0118.768] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="ED") returned 2 [0118.768] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="5A") returned 2 [0118.768] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="F3") returned 2 [0118.768] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="83") returned 2 [0118.768] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="78") returned 2 [0118.768] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="BD") returned 2 [0118.768] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="48") returned 2 [0118.768] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="C5") returned 2 [0118.768] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="F0") returned 2 [0118.769] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="DE") returned 2 [0118.769] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="4A") returned 2 [0118.769] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="91") returned 2 [0118.769] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="8E") returned 2 [0118.769] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="B0") returned 2 [0118.769] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="54") returned 2 [0118.769] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="E1") returned 2 [0118.769] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="99") returned 2 [0118.769] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="41") returned 2 [0118.781] lstrcpyW (in: lpString1=0x3c3008c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\messages.json" [0118.781] lstrcpyW (in: lpString1=0x3c2008c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\messages.json" [0118.781] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\messages.json", lpString2=".B69937CE59E69A5B122D97A475AFED5AF38378BD48C5F0DE4A918EB054E19941" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\messages.json.B69937CE59E69A5B122D97A475AFED5AF38378BD48C5F0DE4A918EB054E19941") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\messages.json.B69937CE59E69A5B122D97A475AFED5AF38378BD48C5F0DE4A918EB054E19941" [0118.781] CreateIoCompletionPort (FileHandle=0x1a0, ExistingCompletionPort=0x94, CompletionKey=0x3c20058, NumberOfConcurrentThreads=0x0) returned 0x94 [0118.781] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c20058, lpOverlapped=0x3c20058) returned 1 [0118.781] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82701b10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82704220, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82aada20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x261, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0118.781] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0118.781] wnsprintfW (in: pszDest=0x3b88140, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\PUSSY.TXT") returned 155 [0118.781] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0118.782] lstrlenA (lpString="abcd") returned 4 [0118.782] WriteFile (in: hFile=0x1ac, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0118.783] CloseHandle (hObject=0x1ac) returned 1 [0118.783] GetProcessHeap () returned 0x4c0000 [0118.783] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b88140 | out: hHeap=0x4c0000) returned 1 [0118.783] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82709040, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8270de60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8270de60, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="fi", cAlternateFileName="")) returned 1 [0118.783] lstrcmpiW (lpString1="fi", lpString2="Windows") returned -1 [0118.783] lstrcmpiW (lpString1="fi", lpString2="Program Files") returned -1 [0118.783] lstrcmpiW (lpString1="fi", lpString2="Program Files (x86)") returned -1 [0118.784] lstrcmpiW (lpString1="fi", lpString2="$Recycle.bin") returned 1 [0118.784] lstrcmpiW (lpString1="fi", lpString2="System Volume Information") returned -1 [0118.784] lstrcmpiW (lpString1="fi", lpString2=".") returned 1 [0118.784] lstrcmpiW (lpString1="fi", lpString2="..") returned 1 [0118.784] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi") returned 145 [0118.784] GetProcessHeap () returned 0x4c0000 [0118.784] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b88140 [0118.784] lstrcpyW (in: lpString1=0x3b88140, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi" [0118.784] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\*" [0118.784] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82709040, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8270de60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8270de60, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0118.784] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0118.784] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0118.784] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0118.784] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0118.784] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0118.785] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0118.785] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82709040, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8270de60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8270de60, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0118.785] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0118.785] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0118.785] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0118.785] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0118.785] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0118.785] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0118.785] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0118.785] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8270de60, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8270de60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82aada20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x2a1, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0118.785] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0118.785] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0118.785] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0118.785] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0118.785] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0118.785] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0118.785] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0118.785] wnsprintfW (in: pszDest=0x3b88140, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\messages.json") returned 159 [0118.785] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0118.785] PathFindExtensionW (pszPath="messages.json") returned=".json" [0118.785] lstrlenW (lpString=".json") returned 5 [0118.785] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0118.785] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0118.786] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=673) returned 1 [0118.786] GetProcessHeap () returned 0x4c0000 [0118.786] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b380a0 [0118.800] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="99") returned 2 [0118.800] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="B6") returned 2 [0118.800] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="E0") returned 2 [0118.800] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="0D") returned 2 [0118.800] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="E5") returned 2 [0118.800] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="2E") returned 2 [0118.800] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="6B") returned 2 [0118.800] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="3D") returned 2 [0118.800] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="F4") returned 2 [0118.800] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="78") returned 2 [0118.800] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="97") returned 2 [0118.800] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="E4") returned 2 [0118.800] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="09") returned 2 [0118.800] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="3D") returned 2 [0118.800] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="65") returned 2 [0118.800] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="9E") returned 2 [0118.800] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="E4") returned 2 [0118.800] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="B5") returned 2 [0118.800] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="96") returned 2 [0118.800] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="0D") returned 2 [0118.800] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="B8") returned 2 [0118.801] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="45") returned 2 [0118.801] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="13") returned 2 [0118.801] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="40") returned 2 [0118.801] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="15") returned 2 [0118.801] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="24") returned 2 [0118.801] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="B3") returned 2 [0118.801] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="D9") returned 2 [0118.801] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="34") returned 2 [0118.801] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="27") returned 2 [0118.801] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="A2") returned 2 [0118.801] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="3E") returned 2 [0118.826] lstrcpyW (in: lpString1=0x3b480d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\messages.json" [0118.826] lstrcpyW (in: lpString1=0x3b380d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\messages.json" [0118.826] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\messages.json", lpString2=".99B6E00DE52E6B3DF47897E4093D659EE4B5960DB84513401524B3D93427A23E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\messages.json.99B6E00DE52E6B3DF47897E4093D659EE4B5960DB84513401524B3D93427A23E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\messages.json.99B6E00DE52E6B3DF47897E4093D659EE4B5960DB84513401524B3D93427A23E" [0118.827] CreateIoCompletionPort (FileHandle=0x17c, ExistingCompletionPort=0x94, CompletionKey=0x3b380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0118.827] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b380a0, lpOverlapped=0x3b380a0) returned 1 [0118.828] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8270de60, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8270de60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82aada20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x2a1, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0118.828] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0118.828] wnsprintfW (in: pszDest=0x3b88140, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\PUSSY.TXT") returned 155 [0118.828] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0118.829] lstrlenA (lpString="abcd") returned 4 [0118.829] WriteFile (in: hFile=0x1ac, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0118.830] CloseHandle (hObject=0x1ac) returned 1 [0118.830] GetProcessHeap () returned 0x4c0000 [0118.830] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b88140 | out: hHeap=0x4c0000) returned 1 [0118.830] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82715390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82717aa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82717aa0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="fil", cAlternateFileName="")) returned 1 [0118.830] lstrcmpiW (lpString1="fil", lpString2="Windows") returned -1 [0118.830] lstrcmpiW (lpString1="fil", lpString2="Program Files") returned -1 [0118.830] lstrcmpiW (lpString1="fil", lpString2="Program Files (x86)") returned -1 [0118.830] lstrcmpiW (lpString1="fil", lpString2="$Recycle.bin") returned 1 [0118.830] lstrcmpiW (lpString1="fil", lpString2="System Volume Information") returned -1 [0118.831] lstrcmpiW (lpString1="fil", lpString2=".") returned 1 [0118.831] lstrcmpiW (lpString1="fil", lpString2="..") returned 1 [0118.831] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil") returned 146 [0118.831] GetProcessHeap () returned 0x4c0000 [0118.831] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b88140 [0118.831] lstrcpyW (in: lpString1=0x3b88140, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil" [0118.831] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\*" [0118.831] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82715390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82717aa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82717aa0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0118.831] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0118.831] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0118.831] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0118.831] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0118.831] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0118.832] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0118.832] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82715390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82717aa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82717aa0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0118.832] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0118.832] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0118.832] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0118.832] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0118.832] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0118.832] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0118.832] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0118.832] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82717aa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82717aa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82aada20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x2b4, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0118.832] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0118.832] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0118.832] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0118.832] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0118.832] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0118.832] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0118.832] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0118.832] wnsprintfW (in: pszDest=0x3b88140, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\messages.json") returned 160 [0118.832] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0118.832] PathFindExtensionW (pszPath="messages.json") returned=".json" [0118.833] lstrlenW (lpString=".json") returned 5 [0118.833] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0118.833] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0118.834] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=692) returned 1 [0118.834] GetProcessHeap () returned 0x4c0000 [0118.834] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x53caf0 [0118.849] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="6A") returned 2 [0118.849] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="1A") returned 2 [0118.849] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="A5") returned 2 [0118.849] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="9E") returned 2 [0118.849] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="91") returned 2 [0118.849] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="4E") returned 2 [0118.849] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="18") returned 2 [0118.849] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="45") returned 2 [0118.849] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="D9") returned 2 [0118.849] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="F4") returned 2 [0118.849] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="5A") returned 2 [0118.849] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="65") returned 2 [0118.849] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="2B") returned 2 [0118.849] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="77") returned 2 [0118.850] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="5F") returned 2 [0118.850] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="CC") returned 2 [0118.850] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="B0") returned 2 [0118.850] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="E2") returned 2 [0118.850] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="29") returned 2 [0118.850] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="AD") returned 2 [0118.850] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="D9") returned 2 [0118.850] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="40") returned 2 [0118.850] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="15") returned 2 [0118.850] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="20") returned 2 [0118.850] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="4F") returned 2 [0118.850] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="BE") returned 2 [0118.850] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="D8") returned 2 [0118.850] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="C0") returned 2 [0118.850] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="97") returned 2 [0118.850] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="A2") returned 2 [0118.850] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="1A") returned 2 [0118.850] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="08") returned 2 [0118.862] lstrcpyW (in: lpString1=0x54cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\messages.json" [0118.862] lstrcpyW (in: lpString1=0x53cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\messages.json" [0118.862] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\messages.json", lpString2=".6A1AA59E914E1845D9F45A652B775FCCB0E229ADD94015204FBED8C097A21A08" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\messages.json.6A1AA59E914E1845D9F45A652B775FCCB0E229ADD94015204FBED8C097A21A08") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\messages.json.6A1AA59E914E1845D9F45A652B775FCCB0E229ADD94015204FBED8C097A21A08" [0118.863] CreateIoCompletionPort (FileHandle=0x1b0, ExistingCompletionPort=0x94, CompletionKey=0x53caf0, NumberOfConcurrentThreads=0x0) returned 0x94 [0118.863] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x53caf0, lpOverlapped=0x53caf0) returned 1 [0118.863] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82717aa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82717aa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82aada20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x2b4, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0118.863] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0118.863] wnsprintfW (in: pszDest=0x3b88140, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\PUSSY.TXT") returned 156 [0118.863] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0118.864] lstrlenA (lpString="abcd") returned 4 [0118.864] WriteFile (in: hFile=0x1ac, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0118.865] CloseHandle (hObject=0x1ac) returned 1 [0118.865] GetProcessHeap () returned 0x4c0000 [0118.865] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b88140 | out: hHeap=0x4c0000) returned 1 [0118.865] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8271efd0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x827216e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x827216e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="fr", cAlternateFileName="")) returned 1 [0118.865] lstrcmpiW (lpString1="fr", lpString2="Windows") returned -1 [0118.865] lstrcmpiW (lpString1="fr", lpString2="Program Files") returned -1 [0118.865] lstrcmpiW (lpString1="fr", lpString2="Program Files (x86)") returned -1 [0118.866] lstrcmpiW (lpString1="fr", lpString2="$Recycle.bin") returned 1 [0118.866] lstrcmpiW (lpString1="fr", lpString2="System Volume Information") returned -1 [0118.866] lstrcmpiW (lpString1="fr", lpString2=".") returned 1 [0118.866] lstrcmpiW (lpString1="fr", lpString2="..") returned 1 [0118.866] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr") returned 145 [0118.866] GetProcessHeap () returned 0x4c0000 [0118.866] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b88140 [0118.866] lstrcpyW (in: lpString1=0x3b88140, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr" [0118.866] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\*" [0118.866] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8271efd0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x827216e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x827216e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0118.866] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0118.867] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0118.867] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0118.867] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0118.867] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0118.867] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0118.867] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8271efd0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x827216e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x827216e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0118.867] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0118.867] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0118.867] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0118.867] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0118.867] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0118.867] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0118.867] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0118.867] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x827216e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82723df0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab0130, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x2c4, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0118.867] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0118.867] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0118.867] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0118.867] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0118.867] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0118.867] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0118.868] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0118.868] wnsprintfW (in: pszDest=0x3b88140, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\messages.json") returned 159 [0118.868] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0118.868] PathFindExtensionW (pszPath="messages.json") returned=".json" [0118.868] lstrlenW (lpString=".json") returned 5 [0118.868] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0118.868] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x198 [0118.869] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=708) returned 1 [0118.869] GetProcessHeap () returned 0x4c0000 [0118.869] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x564b40 [0118.883] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="8A") returned 2 [0118.883] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="B0") returned 2 [0118.883] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="2C") returned 2 [0118.883] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="95") returned 2 [0118.883] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="E8") returned 2 [0118.883] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="A8") returned 2 [0118.883] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="02") returned 2 [0118.883] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="8C") returned 2 [0118.883] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="62") returned 2 [0118.883] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="86") returned 2 [0118.883] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="AF") returned 2 [0118.883] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="77") returned 2 [0118.883] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="59") returned 2 [0118.883] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="2C") returned 2 [0118.883] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="CA") returned 2 [0118.883] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="DA") returned 2 [0118.883] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="86") returned 2 [0118.883] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="21") returned 2 [0118.884] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="61") returned 2 [0118.884] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="AA") returned 2 [0118.884] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="39") returned 2 [0118.884] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="2B") returned 2 [0118.884] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="EC") returned 2 [0118.884] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="67") returned 2 [0118.884] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="C0") returned 2 [0118.884] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="54") returned 2 [0118.884] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="D0") returned 2 [0118.884] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="EC") returned 2 [0118.884] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="DC") returned 2 [0118.884] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="DF") returned 2 [0118.884] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="BA") returned 2 [0118.884] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="4C") returned 2 [0118.896] lstrcpyW (in: lpString1=0x574b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\messages.json" [0118.896] lstrcpyW (in: lpString1=0x564b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\messages.json" [0118.896] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\messages.json", lpString2=".8AB02C95E8A8028C6286AF77592CCADA862161AA392BEC67C054D0ECDCDFBA4C" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\messages.json.8AB02C95E8A8028C6286AF77592CCADA862161AA392BEC67C054D0ECDCDFBA4C") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\messages.json.8AB02C95E8A8028C6286AF77592CCADA862161AA392BEC67C054D0ECDCDFBA4C" [0118.897] CreateIoCompletionPort (FileHandle=0x198, ExistingCompletionPort=0x94, CompletionKey=0x564b40, NumberOfConcurrentThreads=0x0) returned 0x94 [0118.897] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x564b40, lpOverlapped=0x564b40) returned 1 [0118.897] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x827216e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82723df0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab0130, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x2c4, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0118.897] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0118.897] wnsprintfW (in: pszDest=0x3b88140, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\PUSSY.TXT") returned 155 [0118.897] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0118.898] lstrlenA (lpString="abcd") returned 4 [0118.898] WriteFile (in: hFile=0x1ac, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0118.899] CloseHandle (hObject=0x1ac) returned 1 [0118.899] GetProcessHeap () returned 0x4c0000 [0118.899] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b88140 | out: hHeap=0x4c0000) returned 1 [0118.899] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82728c10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8272da30, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8272da30, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="hi", cAlternateFileName="")) returned 1 [0118.899] lstrcmpiW (lpString1="hi", lpString2="Windows") returned -1 [0118.899] lstrcmpiW (lpString1="hi", lpString2="Program Files") returned -1 [0118.899] lstrcmpiW (lpString1="hi", lpString2="Program Files (x86)") returned -1 [0118.899] lstrcmpiW (lpString1="hi", lpString2="$Recycle.bin") returned 1 [0118.900] lstrcmpiW (lpString1="hi", lpString2="System Volume Information") returned -1 [0118.900] lstrcmpiW (lpString1="hi", lpString2=".") returned 1 [0118.900] lstrcmpiW (lpString1="hi", lpString2="..") returned 1 [0118.900] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi") returned 145 [0118.900] GetProcessHeap () returned 0x4c0000 [0118.900] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b88140 [0118.900] lstrcpyW (in: lpString1=0x3b88140, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi" [0118.900] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\*" [0118.900] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82728c10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8272da30, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8272da30, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0118.900] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0118.900] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0118.900] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0118.900] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0118.901] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0118.901] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0118.901] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82728c10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8272da30, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8272da30, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0118.901] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0118.901] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0118.901] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0118.901] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0118.901] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0118.901] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0118.901] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0118.901] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8272da30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8272da30, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab0130, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x3ad, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0118.901] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0118.901] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0118.901] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0118.901] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0118.901] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0118.901] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0118.901] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0118.901] wnsprintfW (in: pszDest=0x3b88140, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\messages.json") returned 159 [0118.902] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0118.902] PathFindExtensionW (pszPath="messages.json") returned=".json" [0118.902] lstrlenW (lpString=".json") returned 5 [0118.902] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0118.902] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b4 [0118.906] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=941) returned 1 [0118.907] GetProcessHeap () returned 0x4c0000 [0118.907] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c490b0 [0118.921] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="A2") returned 2 [0118.921] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="41") returned 2 [0118.921] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="42") returned 2 [0118.921] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="CC") returned 2 [0118.921] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="7C") returned 2 [0118.921] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="85") returned 2 [0118.921] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="0A") returned 2 [0118.921] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="FE") returned 2 [0118.922] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="12") returned 2 [0118.922] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="B0") returned 2 [0118.922] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="73") returned 2 [0118.922] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="FD") returned 2 [0118.922] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="7C") returned 2 [0118.922] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="4F") returned 2 [0118.922] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="C3") returned 2 [0118.922] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="EE") returned 2 [0118.922] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="DE") returned 2 [0118.922] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="AC") returned 2 [0118.922] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="C1") returned 2 [0118.922] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="72") returned 2 [0118.922] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="F0") returned 2 [0118.922] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="F8") returned 2 [0118.922] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="BA") returned 2 [0118.922] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="D9") returned 2 [0118.922] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="B0") returned 2 [0118.922] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="CE") returned 2 [0118.922] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="6C") returned 2 [0118.923] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="52") returned 2 [0118.923] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="72") returned 2 [0118.923] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="A8") returned 2 [0118.923] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="3C") returned 2 [0118.923] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="21") returned 2 [0118.941] lstrcpyW (in: lpString1=0x3c590e4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\messages.json" [0118.941] lstrcpyW (in: lpString1=0x3c490e4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\messages.json" [0118.941] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\messages.json", lpString2=".A24142CC7C850AFE12B073FD7C4FC3EEDEACC172F0F8BAD9B0CE6C5272A83C21" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\messages.json.A24142CC7C850AFE12B073FD7C4FC3EEDEACC172F0F8BAD9B0CE6C5272A83C21") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\messages.json.A24142CC7C850AFE12B073FD7C4FC3EEDEACC172F0F8BAD9B0CE6C5272A83C21" [0118.941] CreateIoCompletionPort (FileHandle=0x1b4, ExistingCompletionPort=0x94, CompletionKey=0x3c490b0, NumberOfConcurrentThreads=0x0) returned 0x94 [0118.941] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c490b0, lpOverlapped=0x3c490b0) returned 1 [0118.941] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8272da30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8272da30, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab0130, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x3ad, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0118.941] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0118.941] wnsprintfW (in: pszDest=0x3b88140, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\PUSSY.TXT") returned 155 [0118.941] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0118.958] lstrlenA (lpString="abcd") returned 4 [0118.958] WriteFile (in: hFile=0x1ac, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0118.960] CloseHandle (hObject=0x1ac) returned 1 [0118.960] GetProcessHeap () returned 0x4c0000 [0118.960] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b88140 | out: hHeap=0x4c0000) returned 1 [0118.960] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x827412b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x827439c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x827439c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="hr", cAlternateFileName="")) returned 1 [0118.960] lstrcmpiW (lpString1="hr", lpString2="Windows") returned -1 [0118.960] lstrcmpiW (lpString1="hr", lpString2="Program Files") returned -1 [0118.960] lstrcmpiW (lpString1="hr", lpString2="Program Files (x86)") returned -1 [0118.960] lstrcmpiW (lpString1="hr", lpString2="$Recycle.bin") returned 1 [0118.960] lstrcmpiW (lpString1="hr", lpString2="System Volume Information") returned -1 [0118.960] lstrcmpiW (lpString1="hr", lpString2=".") returned 1 [0118.960] lstrcmpiW (lpString1="hr", lpString2="..") returned 1 [0118.960] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr") returned 145 [0118.960] GetProcessHeap () returned 0x4c0000 [0118.960] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b88140 [0118.961] lstrcpyW (in: lpString1=0x3b88140, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr" [0118.961] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\*" [0118.961] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x827412b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x827439c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x827439c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0118.961] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0118.961] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0118.961] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0118.961] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0118.961] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0118.961] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0118.961] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x827412b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x827439c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x827439c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0118.962] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0118.962] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0118.962] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0118.962] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0118.962] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0118.962] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0118.962] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0118.962] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x827439c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x827460d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab0130, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x279, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0118.962] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0118.962] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0118.962] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0118.962] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0118.962] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0118.962] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0118.962] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0118.962] wnsprintfW (in: pszDest=0x3b88140, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\messages.json") returned 159 [0118.962] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0118.962] PathFindExtensionW (pszPath="messages.json") returned=".json" [0118.962] lstrlenW (lpString=".json") returned 5 [0118.962] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0118.963] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0118.963] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=633) returned 1 [0118.963] GetProcessHeap () returned 0x4c0000 [0118.963] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c71100 [0118.978] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="89") returned 2 [0118.979] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="D0") returned 2 [0118.979] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="29") returned 2 [0118.979] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="19") returned 2 [0118.979] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="62") returned 2 [0118.979] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="BD") returned 2 [0118.979] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="C6") returned 2 [0118.979] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="44") returned 2 [0118.979] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="F7") returned 2 [0118.979] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="DD") returned 2 [0118.979] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="76") returned 2 [0118.979] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="C3") returned 2 [0118.979] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="A9") returned 2 [0118.979] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="17") returned 2 [0118.979] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="35") returned 2 [0118.979] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="79") returned 2 [0118.979] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="88") returned 2 [0118.979] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="62") returned 2 [0118.979] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="78") returned 2 [0118.979] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="CF") returned 2 [0118.979] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="AE") returned 2 [0118.979] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="94") returned 2 [0118.979] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="DA") returned 2 [0118.979] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="79") returned 2 [0118.980] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="A2") returned 2 [0118.980] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="3F") returned 2 [0118.980] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="DE") returned 2 [0118.980] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="1F") returned 2 [0118.980] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="D5") returned 2 [0118.980] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="A2") returned 2 [0118.980] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="D4") returned 2 [0118.980] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="2D") returned 2 [0118.992] lstrcpyW (in: lpString1=0x3c81134, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\messages.json" [0118.992] lstrcpyW (in: lpString1=0x3c71134, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\messages.json" [0118.992] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\messages.json", lpString2=".89D0291962BDC644F7DD76C3A9173579886278CFAE94DA79A23FDE1FD5A2D42D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\messages.json.89D0291962BDC644F7DD76C3A9173579886278CFAE94DA79A23FDE1FD5A2D42D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\messages.json.89D0291962BDC644F7DD76C3A9173579886278CFAE94DA79A23FDE1FD5A2D42D" [0118.992] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x3c71100, NumberOfConcurrentThreads=0x0) returned 0x94 [0118.992] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c71100, lpOverlapped=0x3c71100) returned 1 [0118.992] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x827439c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x827460d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab0130, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x279, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0118.992] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0118.992] wnsprintfW (in: pszDest=0x3b88140, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\PUSSY.TXT") returned 155 [0118.992] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0118.993] lstrlenA (lpString="abcd") returned 4 [0118.993] WriteFile (in: hFile=0x1ac, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0118.995] CloseHandle (hObject=0x1ac) returned 1 [0118.995] GetProcessHeap () returned 0x4c0000 [0118.995] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b88140 | out: hHeap=0x4c0000) returned 1 [0118.995] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8274aef0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8274d600, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8274d600, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="hu", cAlternateFileName="")) returned 1 [0118.995] lstrcmpiW (lpString1="hu", lpString2="Windows") returned -1 [0118.995] lstrcmpiW (lpString1="hu", lpString2="Program Files") returned -1 [0118.995] lstrcmpiW (lpString1="hu", lpString2="Program Files (x86)") returned -1 [0118.995] lstrcmpiW (lpString1="hu", lpString2="$Recycle.bin") returned 1 [0118.995] lstrcmpiW (lpString1="hu", lpString2="System Volume Information") returned -1 [0118.995] lstrcmpiW (lpString1="hu", lpString2=".") returned 1 [0118.995] lstrcmpiW (lpString1="hu", lpString2="..") returned 1 [0118.995] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu") returned 145 [0118.996] GetProcessHeap () returned 0x4c0000 [0118.996] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b88140 [0118.996] lstrcpyW (in: lpString1=0x3b88140, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu" [0118.996] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\*" [0118.996] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8274aef0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8274d600, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8274d600, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0118.996] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0118.996] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0118.996] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0118.996] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0118.996] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0118.996] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0118.996] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8274aef0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8274d600, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8274d600, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0118.996] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0118.997] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0118.997] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0118.997] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0118.997] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0118.997] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0118.997] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0118.997] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8274d600, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8274fd10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab0130, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x2c6, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0118.997] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0118.997] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0118.997] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0118.997] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0118.997] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0118.997] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0118.997] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0118.997] wnsprintfW (in: pszDest=0x3b88140, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\messages.json") returned 159 [0118.997] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0118.997] PathFindExtensionW (pszPath="messages.json") returned=".json" [0118.997] lstrlenW (lpString=".json") returned 5 [0118.997] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0118.997] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1bc [0119.001] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=710) returned 1 [0119.001] GetProcessHeap () returned 0x4c0000 [0119.001] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3cc8058 [0119.016] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="15") returned 2 [0119.016] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="81") returned 2 [0119.016] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="C3") returned 2 [0119.016] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="38") returned 2 [0119.016] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="49") returned 2 [0119.016] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="DF") returned 2 [0119.016] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="A6") returned 2 [0119.017] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="CC") returned 2 [0119.017] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="36") returned 2 [0119.017] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="5B") returned 2 [0119.017] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="9C") returned 2 [0119.017] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="86") returned 2 [0119.017] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="E8") returned 2 [0119.017] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="69") returned 2 [0119.017] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="0C") returned 2 [0119.017] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="4D") returned 2 [0119.017] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="EA") returned 2 [0119.017] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="1A") returned 2 [0119.017] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="0C") returned 2 [0119.017] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="F8") returned 2 [0119.017] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="B2") returned 2 [0119.017] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="D1") returned 2 [0119.017] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="BE") returned 2 [0119.017] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="0C") returned 2 [0119.017] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="A3") returned 2 [0119.017] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="BE") returned 2 [0119.017] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="EF") returned 2 [0119.017] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="E9") returned 2 [0119.017] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="49") returned 2 [0119.017] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="A5") returned 2 [0119.017] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="EF") returned 2 [0119.018] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="7D") returned 2 [0119.030] lstrcpyW (in: lpString1=0x3cd808c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\messages.json" [0119.030] lstrcpyW (in: lpString1=0x3cc808c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\messages.json" [0119.030] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\messages.json", lpString2=".1581C33849DFA6CC365B9C86E8690C4DEA1A0CF8B2D1BE0CA3BEEFE949A5EF7D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\messages.json.1581C33849DFA6CC365B9C86E8690C4DEA1A0CF8B2D1BE0CA3BEEFE949A5EF7D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\messages.json.1581C33849DFA6CC365B9C86E8690C4DEA1A0CF8B2D1BE0CA3BEEFE949A5EF7D" [0119.030] CreateIoCompletionPort (FileHandle=0x1bc, ExistingCompletionPort=0x94, CompletionKey=0x3cc8058, NumberOfConcurrentThreads=0x0) returned 0x94 [0119.030] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3cc8058, lpOverlapped=0x3cc8058) returned 1 [0119.030] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8274d600, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8274fd10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab0130, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x2c6, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0119.030] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0119.031] wnsprintfW (in: pszDest=0x3b88140, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\PUSSY.TXT") returned 155 [0119.031] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0119.037] lstrlenA (lpString="abcd") returned 4 [0119.037] WriteFile (in: hFile=0x1ac, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0119.038] CloseHandle (hObject=0x1ac) returned 1 [0119.038] GetProcessHeap () returned 0x4c0000 [0119.038] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b88140 | out: hHeap=0x4c0000) returned 1 [0119.038] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82752420, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82752420, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82752420, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="id", cAlternateFileName="")) returned 1 [0119.038] lstrcmpiW (lpString1="id", lpString2="Windows") returned -1 [0119.038] lstrcmpiW (lpString1="id", lpString2="Program Files") returned -1 [0119.038] lstrcmpiW (lpString1="id", lpString2="Program Files (x86)") returned -1 [0119.038] lstrcmpiW (lpString1="id", lpString2="$Recycle.bin") returned 1 [0119.039] lstrcmpiW (lpString1="id", lpString2="System Volume Information") returned -1 [0119.039] lstrcmpiW (lpString1="id", lpString2=".") returned 1 [0119.039] lstrcmpiW (lpString1="id", lpString2="..") returned 1 [0119.039] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id") returned 145 [0119.039] GetProcessHeap () returned 0x4c0000 [0119.039] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b88140 [0119.039] lstrcpyW (in: lpString1=0x3b88140, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id" [0119.039] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\*" [0119.039] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82752420, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82752420, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82752420, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0119.059] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0119.059] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0119.059] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0119.059] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0119.059] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0119.059] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0119.059] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82752420, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82752420, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82752420, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0119.059] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0119.059] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0119.059] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0119.059] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0119.059] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0119.059] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0119.059] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0119.059] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82752420, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82752420, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab0130, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x269, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0119.060] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0119.060] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0119.060] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0119.060] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0119.060] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0119.060] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0119.060] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0119.060] wnsprintfW (in: pszDest=0x3b88140, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\messages.json") returned 159 [0119.060] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0119.060] PathFindExtensionW (pszPath="messages.json") returned=".json" [0119.060] lstrlenW (lpString=".json") returned 5 [0119.060] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0119.060] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0119.061] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=617) returned 1 [0119.061] GetProcessHeap () returned 0x4c0000 [0119.061] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c490b0 [0119.110] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="26") returned 2 [0119.110] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="D4") returned 2 [0119.110] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="4C") returned 2 [0119.110] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="99") returned 2 [0119.110] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="FB") returned 2 [0119.110] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="D3") returned 2 [0119.110] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="A0") returned 2 [0119.110] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="85") returned 2 [0119.110] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="2D") returned 2 [0119.110] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="74") returned 2 [0119.110] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="74") returned 2 [0119.110] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="63") returned 2 [0119.110] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="0F") returned 2 [0119.110] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="2B") returned 2 [0119.110] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="BA") returned 2 [0119.110] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="2A") returned 2 [0119.110] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="0C") returned 2 [0119.110] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="BD") returned 2 [0119.110] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="FB") returned 2 [0119.110] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="07") returned 2 [0119.110] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="E1") returned 2 [0119.110] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="48") returned 2 [0119.111] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="7D") returned 2 [0119.111] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="31") returned 2 [0119.111] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="6E") returned 2 [0119.111] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="62") returned 2 [0119.111] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="E7") returned 2 [0119.111] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="52") returned 2 [0119.111] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="47") returned 2 [0119.111] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="10") returned 2 [0119.111] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="2B") returned 2 [0119.111] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="2A") returned 2 [0119.123] lstrcpyW (in: lpString1=0x3c590e4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\messages.json" [0119.123] lstrcpyW (in: lpString1=0x3c490e4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\messages.json" [0119.123] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\messages.json", lpString2=".26D44C99FBD3A0852D7474630F2BBA2A0CBDFB07E1487D316E62E75247102B2A" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\messages.json.26D44C99FBD3A0852D7474630F2BBA2A0CBDFB07E1487D316E62E75247102B2A") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\messages.json.26D44C99FBD3A0852D7474630F2BBA2A0CBDFB07E1487D316E62E75247102B2A" [0119.123] CreateIoCompletionPort (FileHandle=0x1b0, ExistingCompletionPort=0x94, CompletionKey=0x3c490b0, NumberOfConcurrentThreads=0x0) returned 0x94 [0119.123] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c490b0, lpOverlapped=0x3c490b0) returned 1 [0119.124] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82752420, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82752420, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab0130, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x269, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0119.127] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0119.127] wnsprintfW (in: pszDest=0x3b88140, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\PUSSY.TXT") returned 155 [0119.127] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0119.128] lstrlenA (lpString="abcd") returned 4 [0119.128] WriteFile (in: hFile=0x1ac, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0119.130] CloseHandle (hObject=0x1ac) returned 1 [0119.130] GetProcessHeap () returned 0x4c0000 [0119.130] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b88140 | out: hHeap=0x4c0000) returned 1 [0119.130] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82759950, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8275c060, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8275c060, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="it", cAlternateFileName="")) returned 1 [0119.130] lstrcmpiW (lpString1="it", lpString2="Windows") returned -1 [0119.130] lstrcmpiW (lpString1="it", lpString2="Program Files") returned -1 [0119.130] lstrcmpiW (lpString1="it", lpString2="Program Files (x86)") returned -1 [0119.130] lstrcmpiW (lpString1="it", lpString2="$Recycle.bin") returned 1 [0119.130] lstrcmpiW (lpString1="it", lpString2="System Volume Information") returned -1 [0119.131] lstrcmpiW (lpString1="it", lpString2=".") returned 1 [0119.131] lstrcmpiW (lpString1="it", lpString2="..") returned 1 [0119.131] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it") returned 145 [0119.131] GetProcessHeap () returned 0x4c0000 [0119.131] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0119.132] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it" [0119.132] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\*" [0119.132] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82759950, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8275c060, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8275c060, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0119.133] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0119.133] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0119.133] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0119.133] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0119.133] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0119.133] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0119.133] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82759950, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8275c060, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8275c060, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0119.133] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0119.133] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0119.133] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0119.133] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0119.133] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0119.133] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0119.133] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0119.133] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8275c060, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8275c060, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab0130, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x26e, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0119.133] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0119.133] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0119.133] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0119.133] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0119.134] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0119.134] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0119.134] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0119.134] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\messages.json") returned 159 [0119.134] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0119.134] PathFindExtensionW (pszPath="messages.json") returned=".json" [0119.134] lstrlenW (lpString=".json") returned 5 [0119.134] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0119.134] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0119.136] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=622) returned 1 [0119.136] GetProcessHeap () returned 0x4c0000 [0119.136] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c71100 [0119.148] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="05") returned 2 [0119.148] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="1A") returned 2 [0119.148] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="B1") returned 2 [0119.148] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="5F") returned 2 [0119.148] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="8B") returned 2 [0119.148] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="18") returned 2 [0119.148] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="C7") returned 2 [0119.148] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="47") returned 2 [0119.148] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="C8") returned 2 [0119.148] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="CA") returned 2 [0119.148] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="5F") returned 2 [0119.148] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="36") returned 2 [0119.148] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="3F") returned 2 [0119.148] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="05") returned 2 [0119.148] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="7A") returned 2 [0119.149] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="2B") returned 2 [0119.149] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="01") returned 2 [0119.149] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="E4") returned 2 [0119.149] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="C7") returned 2 [0119.149] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="D7") returned 2 [0119.149] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="18") returned 2 [0119.149] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="B2") returned 2 [0119.149] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="24") returned 2 [0119.149] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="C3") returned 2 [0119.149] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="C2") returned 2 [0119.149] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="F2") returned 2 [0119.149] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="4B") returned 2 [0119.149] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="CA") returned 2 [0119.149] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="AA") returned 2 [0119.149] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="37") returned 2 [0119.149] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="60") returned 2 [0119.149] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="55") returned 2 [0119.162] lstrcpyW (in: lpString1=0x3c81134, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\messages.json" [0119.162] lstrcpyW (in: lpString1=0x3c71134, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\messages.json" [0119.162] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\messages.json", lpString2=".051AB15F8B18C747C8CA5F363F057A2B01E4C7D718B224C3C2F24BCAAA376055" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\messages.json.051AB15F8B18C747C8CA5F363F057A2B01E4C7D718B224C3C2F24BCAAA376055") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\messages.json.051AB15F8B18C747C8CA5F363F057A2B01E4C7D718B224C3C2F24BCAAA376055" [0119.162] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x3c71100, NumberOfConcurrentThreads=0x0) returned 0x94 [0119.162] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c71100, lpOverlapped=0x3c71100) returned 1 [0119.162] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8275c060, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8275c060, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab0130, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x26e, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0119.162] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0119.162] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\PUSSY.TXT") returned 155 [0119.162] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0119.163] lstrlenA (lpString="abcd") returned 4 [0119.163] WriteFile (in: hFile=0x1ac, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0119.165] CloseHandle (hObject=0x1ac) returned 1 [0119.165] GetProcessHeap () returned 0x4c0000 [0119.165] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0119.169] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82763590, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82765ca0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82765ca0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ja", cAlternateFileName="")) returned 1 [0119.169] lstrcmpiW (lpString1="ja", lpString2="Windows") returned -1 [0119.169] lstrcmpiW (lpString1="ja", lpString2="Program Files") returned -1 [0119.169] lstrcmpiW (lpString1="ja", lpString2="Program Files (x86)") returned -1 [0119.169] lstrcmpiW (lpString1="ja", lpString2="$Recycle.bin") returned 1 [0119.169] lstrcmpiW (lpString1="ja", lpString2="System Volume Information") returned -1 [0119.169] lstrcmpiW (lpString1="ja", lpString2=".") returned 1 [0119.169] lstrcmpiW (lpString1="ja", lpString2="..") returned 1 [0119.169] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja") returned 145 [0119.169] GetProcessHeap () returned 0x4c0000 [0119.169] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0119.171] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja" [0119.171] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\*" [0119.171] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82763590, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82765ca0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82765ca0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0119.171] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0119.171] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0119.171] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0119.171] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0119.171] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0119.171] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0119.171] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82763590, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82765ca0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82765ca0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0119.171] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0119.172] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0119.172] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0119.172] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0119.172] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0119.172] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0119.172] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0119.172] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82765ca0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82765ca0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab0130, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x30a, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0119.172] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0119.172] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0119.172] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0119.172] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0119.172] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0119.172] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0119.172] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0119.172] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\messages.json") returned 159 [0119.172] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0119.172] PathFindExtensionW (pszPath="messages.json") returned=".json" [0119.172] lstrlenW (lpString=".json") returned 5 [0119.172] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0119.172] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0119.173] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=778) returned 1 [0119.173] GetProcessHeap () returned 0x4c0000 [0119.173] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c99150 [0119.188] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="97") returned 2 [0119.188] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="7C") returned 2 [0119.188] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="07") returned 2 [0119.188] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="29") returned 2 [0119.188] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="42") returned 2 [0119.188] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="90") returned 2 [0119.188] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="D3") returned 2 [0119.188] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="39") returned 2 [0119.188] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="BC") returned 2 [0119.188] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="5B") returned 2 [0119.188] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="FA") returned 2 [0119.188] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="07") returned 2 [0119.189] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="70") returned 2 [0119.189] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="4A") returned 2 [0119.189] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="92") returned 2 [0119.189] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="99") returned 2 [0119.189] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="A2") returned 2 [0119.189] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="ED") returned 2 [0119.189] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="78") returned 2 [0119.189] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="81") returned 2 [0119.189] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="49") returned 2 [0119.189] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="2F") returned 2 [0119.189] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="10") returned 2 [0119.189] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="47") returned 2 [0119.189] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="6B") returned 2 [0119.189] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="DE") returned 2 [0119.189] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="19") returned 2 [0119.189] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="5F") returned 2 [0119.189] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="74") returned 2 [0119.189] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="E2") returned 2 [0119.189] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="63") returned 2 [0119.189] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="79") returned 2 [0119.201] lstrcpyW (in: lpString1=0x3ca9184, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\messages.json" [0119.201] lstrcpyW (in: lpString1=0x3c99184, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\messages.json" [0119.202] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\messages.json", lpString2=".977C07294290D339BC5BFA07704A9299A2ED7881492F10476BDE195F74E26379" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\messages.json.977C07294290D339BC5BFA07704A9299A2ED7881492F10476BDE195F74E26379") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\messages.json.977C07294290D339BC5BFA07704A9299A2ED7881492F10476BDE195F74E26379" [0119.202] CreateIoCompletionPort (FileHandle=0x17c, ExistingCompletionPort=0x94, CompletionKey=0x3c99150, NumberOfConcurrentThreads=0x0) returned 0x94 [0119.202] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c99150, lpOverlapped=0x3c99150) returned 1 [0119.202] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82765ca0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82765ca0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab0130, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x30a, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0119.202] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0119.202] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\PUSSY.TXT") returned 155 [0119.202] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0119.203] lstrlenA (lpString="abcd") returned 4 [0119.203] WriteFile (in: hFile=0x1ac, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0119.204] CloseHandle (hObject=0x1ac) returned 1 [0119.204] GetProcessHeap () returned 0x4c0000 [0119.204] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0119.204] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8276d1d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8276f8e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8276f8e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ko", cAlternateFileName="")) returned 1 [0119.204] lstrcmpiW (lpString1="ko", lpString2="Windows") returned -1 [0119.204] lstrcmpiW (lpString1="ko", lpString2="Program Files") returned -1 [0119.204] lstrcmpiW (lpString1="ko", lpString2="Program Files (x86)") returned -1 [0119.205] lstrcmpiW (lpString1="ko", lpString2="$Recycle.bin") returned 1 [0119.205] lstrcmpiW (lpString1="ko", lpString2="System Volume Information") returned -1 [0119.205] lstrcmpiW (lpString1="ko", lpString2=".") returned 1 [0119.205] lstrcmpiW (lpString1="ko", lpString2="..") returned 1 [0119.205] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko") returned 145 [0119.205] GetProcessHeap () returned 0x4c0000 [0119.205] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0119.205] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko" [0119.205] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\*" [0119.205] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8276d1d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8276f8e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8276f8e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0119.205] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0119.205] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0119.205] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0119.205] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0119.205] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0119.205] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0119.206] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8276d1d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8276f8e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8276f8e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0119.206] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0119.206] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0119.206] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0119.206] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0119.206] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0119.206] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0119.206] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0119.206] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8276f8e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8276f8e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab0130, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x29d, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0119.206] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0119.206] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0119.206] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0119.206] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0119.206] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0119.206] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0119.206] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0119.206] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\messages.json") returned 159 [0119.206] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0119.206] PathFindExtensionW (pszPath="messages.json") returned=".json" [0119.206] lstrlenW (lpString=".json") returned 5 [0119.206] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0119.206] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1bc [0119.306] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=669) returned 1 [0119.306] GetProcessHeap () returned 0x4c0000 [0119.306] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3cc11a0 [0119.316] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="DA") returned 2 [0119.316] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="64") returned 2 [0119.316] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="01") returned 2 [0119.316] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="EC") returned 2 [0119.316] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="47") returned 2 [0119.316] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="B5") returned 2 [0119.316] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="FF") returned 2 [0119.316] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="5A") returned 2 [0119.316] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="F6") returned 2 [0119.316] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="D0") returned 2 [0119.316] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="07") returned 2 [0119.316] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="D8") returned 2 [0119.316] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="21") returned 2 [0119.316] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="78") returned 2 [0119.316] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="15") returned 2 [0119.316] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="6D") returned 2 [0119.317] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="13") returned 2 [0119.317] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="84") returned 2 [0119.317] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="26") returned 2 [0119.317] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="03") returned 2 [0119.317] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="6B") returned 2 [0119.317] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="6B") returned 2 [0119.317] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="C9") returned 2 [0119.317] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="42") returned 2 [0119.317] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="65") returned 2 [0119.317] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="7A") returned 2 [0119.317] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="81") returned 2 [0119.317] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="8B") returned 2 [0119.317] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="B6") returned 2 [0119.317] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="11") returned 2 [0119.317] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="77") returned 2 [0119.317] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="05") returned 2 [0119.325] lstrcpyW (in: lpString1=0x3cd11d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\messages.json" [0119.325] lstrcpyW (in: lpString1=0x3cc11d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\messages.json" [0119.325] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\messages.json", lpString2=".DA6401EC47B5FF5AF6D007D82178156D138426036B6BC942657A818BB6117705" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\messages.json.DA6401EC47B5FF5AF6D007D82178156D138426036B6BC942657A818BB6117705") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\messages.json.DA6401EC47B5FF5AF6D007D82178156D138426036B6BC942657A818BB6117705" [0119.326] CreateIoCompletionPort (FileHandle=0x1bc, ExistingCompletionPort=0x94, CompletionKey=0x3cc11a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0119.326] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3cc11a0, lpOverlapped=0x3cc11a0) returned 1 [0119.328] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8276f8e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8276f8e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab0130, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x29d, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0119.329] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0119.329] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\PUSSY.TXT") returned 155 [0119.329] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0119.329] lstrlenA (lpString="abcd") returned 4 [0119.329] WriteFile (in: hFile=0x1ac, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0119.330] CloseHandle (hObject=0x1ac) returned 1 [0119.330] GetProcessHeap () returned 0x4c0000 [0119.331] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0119.331] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82776e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82779520, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82779520, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="lt", cAlternateFileName="")) returned 1 [0119.331] lstrcmpiW (lpString1="lt", lpString2="Windows") returned -1 [0119.331] lstrcmpiW (lpString1="lt", lpString2="Program Files") returned -1 [0119.331] lstrcmpiW (lpString1="lt", lpString2="Program Files (x86)") returned -1 [0119.331] lstrcmpiW (lpString1="lt", lpString2="$Recycle.bin") returned 1 [0119.331] lstrcmpiW (lpString1="lt", lpString2="System Volume Information") returned -1 [0119.331] lstrcmpiW (lpString1="lt", lpString2=".") returned 1 [0119.331] lstrcmpiW (lpString1="lt", lpString2="..") returned 1 [0119.331] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt") returned 145 [0119.331] GetProcessHeap () returned 0x4c0000 [0119.331] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0119.331] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt" [0119.331] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\*" [0119.331] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82776e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82779520, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82779520, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0119.332] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0119.332] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0119.332] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0119.332] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0119.332] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0119.332] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0119.332] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82776e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82779520, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82779520, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0119.332] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0119.332] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0119.332] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0119.332] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0119.332] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0119.332] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0119.332] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0119.332] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82779520, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82779520, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab0130, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x2ae, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0119.332] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0119.332] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0119.332] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0119.332] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0119.332] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0119.332] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0119.332] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0119.333] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\messages.json") returned 159 [0119.333] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0119.333] PathFindExtensionW (pszPath="messages.json") returned=".json" [0119.333] lstrlenW (lpString=".json") returned 5 [0119.333] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0119.333] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a0 [0119.333] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=686) returned 1 [0119.333] GetProcessHeap () returned 0x4c0000 [0119.333] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x53caf0 [0119.345] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="30") returned 2 [0119.345] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="48") returned 2 [0119.345] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="9C") returned 2 [0119.345] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="63") returned 2 [0119.345] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="3B") returned 2 [0119.345] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="BE") returned 2 [0119.345] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="B4") returned 2 [0119.345] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="94") returned 2 [0119.345] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="AE") returned 2 [0119.345] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="0E") returned 2 [0119.345] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="40") returned 2 [0119.345] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="1A") returned 2 [0119.345] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="89") returned 2 [0119.345] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="EF") returned 2 [0119.345] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="5F") returned 2 [0119.345] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="FA") returned 2 [0119.346] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="21") returned 2 [0119.346] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="45") returned 2 [0119.346] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="D6") returned 2 [0119.346] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="85") returned 2 [0119.346] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="66") returned 2 [0119.346] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="41") returned 2 [0119.346] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="DF") returned 2 [0119.346] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="91") returned 2 [0119.346] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="5C") returned 2 [0119.346] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="2F") returned 2 [0119.346] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="A4") returned 2 [0119.346] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="FF") returned 2 [0119.346] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="9E") returned 2 [0119.346] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="3A") returned 2 [0119.346] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="C9") returned 2 [0119.346] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="2A") returned 2 [0119.355] lstrcpyW (in: lpString1=0x54cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\messages.json" [0119.355] lstrcpyW (in: lpString1=0x53cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\messages.json" [0119.355] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\messages.json", lpString2=".30489C633BBEB494AE0E401A89EF5FFA2145D6856641DF915C2FA4FF9E3AC92A" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\messages.json.30489C633BBEB494AE0E401A89EF5FFA2145D6856641DF915C2FA4FF9E3AC92A") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\messages.json.30489C633BBEB494AE0E401A89EF5FFA2145D6856641DF915C2FA4FF9E3AC92A" [0119.355] CreateIoCompletionPort (FileHandle=0x1a0, ExistingCompletionPort=0x94, CompletionKey=0x53caf0, NumberOfConcurrentThreads=0x0) returned 0x94 [0119.355] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x53caf0, lpOverlapped=0x53caf0) returned 1 [0119.358] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82779520, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82779520, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab0130, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x2ae, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0119.358] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0119.358] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\PUSSY.TXT") returned 155 [0119.358] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0119.359] lstrlenA (lpString="abcd") returned 4 [0119.359] WriteFile (in: hFile=0x1ac, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0119.360] CloseHandle (hObject=0x1ac) returned 1 [0119.360] GetProcessHeap () returned 0x4c0000 [0119.360] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0119.360] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8277e340, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82783160, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82783160, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="lv", cAlternateFileName="")) returned 1 [0119.360] lstrcmpiW (lpString1="lv", lpString2="Windows") returned -1 [0119.360] lstrcmpiW (lpString1="lv", lpString2="Program Files") returned -1 [0119.360] lstrcmpiW (lpString1="lv", lpString2="Program Files (x86)") returned -1 [0119.360] lstrcmpiW (lpString1="lv", lpString2="$Recycle.bin") returned 1 [0119.360] lstrcmpiW (lpString1="lv", lpString2="System Volume Information") returned -1 [0119.360] lstrcmpiW (lpString1="lv", lpString2=".") returned 1 [0119.360] lstrcmpiW (lpString1="lv", lpString2="..") returned 1 [0119.360] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv") returned 145 [0119.360] GetProcessHeap () returned 0x4c0000 [0119.360] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0119.360] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv" [0119.360] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\*" [0119.360] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8277e340, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82783160, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82783160, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0119.361] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0119.361] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0119.361] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0119.361] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0119.361] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0119.361] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0119.361] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8277e340, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82783160, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82783160, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0119.361] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0119.361] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0119.361] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0119.361] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0119.361] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0119.361] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0119.361] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0119.361] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82783160, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82783160, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab0130, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x2bb, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0119.361] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0119.361] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0119.361] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0119.361] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0119.361] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0119.361] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0119.361] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0119.361] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\messages.json") returned 159 [0119.361] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0119.362] PathFindExtensionW (pszPath="messages.json") returned=".json" [0119.362] lstrlenW (lpString=".json") returned 5 [0119.362] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0119.362] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0119.363] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=699) returned 1 [0119.363] GetProcessHeap () returned 0x4c0000 [0119.363] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x564b40 [0119.373] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="AB") returned 2 [0119.373] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="21") returned 2 [0119.373] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="44") returned 2 [0119.373] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="1C") returned 2 [0119.373] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="0E") returned 2 [0119.373] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="56") returned 2 [0119.373] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="F8") returned 2 [0119.373] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="6A") returned 2 [0119.373] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="5D") returned 2 [0119.373] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="9F") returned 2 [0119.373] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="88") returned 2 [0119.373] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="45") returned 2 [0119.373] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="B5") returned 2 [0119.373] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="BD") returned 2 [0119.373] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="23") returned 2 [0119.373] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="62") returned 2 [0119.373] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="6D") returned 2 [0119.373] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="87") returned 2 [0119.373] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="1E") returned 2 [0119.373] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="FA") returned 2 [0119.373] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="B0") returned 2 [0119.373] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="65") returned 2 [0119.373] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="61") returned 2 [0119.373] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="A8") returned 2 [0119.373] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="1F") returned 2 [0119.373] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="C4") returned 2 [0119.373] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="65") returned 2 [0119.373] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="06") returned 2 [0119.374] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="83") returned 2 [0119.374] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="5C") returned 2 [0119.374] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="CF") returned 2 [0119.374] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="3F") returned 2 [0119.382] lstrcpyW (in: lpString1=0x574b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\messages.json" [0119.382] lstrcpyW (in: lpString1=0x564b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\messages.json" [0119.382] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\messages.json", lpString2=".AB21441C0E56F86A5D9F8845B5BD23626D871EFAB06561A81FC46506835CCF3F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\messages.json.AB21441C0E56F86A5D9F8845B5BD23626D871EFAB06561A81FC46506835CCF3F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\messages.json.AB21441C0E56F86A5D9F8845B5BD23626D871EFAB06561A81FC46506835CCF3F" [0119.382] CreateIoCompletionPort (FileHandle=0x16c, ExistingCompletionPort=0x94, CompletionKey=0x564b40, NumberOfConcurrentThreads=0x0) returned 0x94 [0119.382] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x564b40, lpOverlapped=0x564b40) returned 1 [0119.382] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82783160, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82783160, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab0130, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x2bb, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0119.382] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0119.382] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\PUSSY.TXT") returned 155 [0119.382] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0119.383] lstrlenA (lpString="abcd") returned 4 [0119.383] WriteFile (in: hFile=0x1ac, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0119.384] CloseHandle (hObject=0x1ac) returned 1 [0119.384] GetProcessHeap () returned 0x4c0000 [0119.384] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0119.384] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82787f80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8278a690, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8278a690, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="nb", cAlternateFileName="")) returned 1 [0119.384] lstrcmpiW (lpString1="nb", lpString2="Windows") returned -1 [0119.384] lstrcmpiW (lpString1="nb", lpString2="Program Files") returned -1 [0119.384] lstrcmpiW (lpString1="nb", lpString2="Program Files (x86)") returned -1 [0119.384] lstrcmpiW (lpString1="nb", lpString2="$Recycle.bin") returned 1 [0119.384] lstrcmpiW (lpString1="nb", lpString2="System Volume Information") returned -1 [0119.384] lstrcmpiW (lpString1="nb", lpString2=".") returned 1 [0119.384] lstrcmpiW (lpString1="nb", lpString2="..") returned 1 [0119.384] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb") returned 145 [0119.384] GetProcessHeap () returned 0x4c0000 [0119.384] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0119.384] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb" [0119.385] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\*" [0119.385] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82787f80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8278a690, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8278a690, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0119.385] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0119.385] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0119.385] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0119.385] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0119.385] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0119.385] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0119.385] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82787f80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8278a690, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8278a690, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0119.385] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0119.385] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0119.385] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0119.385] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0119.385] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0119.385] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0119.385] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0119.385] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8278a690, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8278a690, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab0130, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x284, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0119.385] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0119.385] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0119.385] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0119.385] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0119.385] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0119.385] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0119.386] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0119.386] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\messages.json") returned 159 [0119.386] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0119.386] PathFindExtensionW (pszPath="messages.json") returned=".json" [0119.386] lstrlenW (lpString=".json") returned 5 [0119.386] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0119.386] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0119.386] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=644) returned 1 [0119.386] GetProcessHeap () returned 0x4c0000 [0119.386] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b380a0 [0119.397] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="32") returned 2 [0119.397] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="F6") returned 2 [0119.397] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="E7") returned 2 [0119.397] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="36") returned 2 [0119.397] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="09") returned 2 [0119.397] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="63") returned 2 [0119.397] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="EF") returned 2 [0119.397] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="40") returned 2 [0119.397] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="FB") returned 2 [0119.397] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="F2") returned 2 [0119.397] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="22") returned 2 [0119.397] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="00") returned 2 [0119.397] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="C6") returned 2 [0119.397] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="22") returned 2 [0119.397] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="CC") returned 2 [0119.397] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="05") returned 2 [0119.397] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="6A") returned 2 [0119.397] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="D0") returned 2 [0119.397] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="30") returned 2 [0119.397] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="DA") returned 2 [0119.397] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="3D") returned 2 [0119.397] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="8C") returned 2 [0119.397] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="F1") returned 2 [0119.397] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="55") returned 2 [0119.397] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="08") returned 2 [0119.397] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="DB") returned 2 [0119.397] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="D9") returned 2 [0119.398] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="DA") returned 2 [0119.398] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="C1") returned 2 [0119.398] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="2D") returned 2 [0119.398] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="22") returned 2 [0119.398] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="0E") returned 2 [0119.406] lstrcpyW (in: lpString1=0x3b480d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\messages.json" [0119.406] lstrcpyW (in: lpString1=0x3b380d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\messages.json" [0119.406] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\messages.json", lpString2=".32F6E7360963EF40FBF22200C622CC056AD030DA3D8CF15508DBD9DAC12D220E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\messages.json.32F6E7360963EF40FBF22200C622CC056AD030DA3D8CF15508DBD9DAC12D220E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\messages.json.32F6E7360963EF40FBF22200C622CC056AD030DA3D8CF15508DBD9DAC12D220E" [0119.406] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x3b380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0119.406] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b380a0, lpOverlapped=0x3b380a0) returned 1 [0119.406] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8278a690, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8278a690, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab0130, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x284, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0119.406] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0119.406] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\PUSSY.TXT") returned 155 [0119.406] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0119.407] lstrlenA (lpString="abcd") returned 4 [0119.407] WriteFile (in: hFile=0x1ac, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0119.408] CloseHandle (hObject=0x1ac) returned 1 [0119.408] GetProcessHeap () returned 0x4c0000 [0119.408] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0119.408] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82791bc0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x827942d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x827942d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="nl", cAlternateFileName="")) returned 1 [0119.408] lstrcmpiW (lpString1="nl", lpString2="Windows") returned -1 [0119.408] lstrcmpiW (lpString1="nl", lpString2="Program Files") returned -1 [0119.408] lstrcmpiW (lpString1="nl", lpString2="Program Files (x86)") returned -1 [0119.408] lstrcmpiW (lpString1="nl", lpString2="$Recycle.bin") returned 1 [0119.408] lstrcmpiW (lpString1="nl", lpString2="System Volume Information") returned -1 [0119.408] lstrcmpiW (lpString1="nl", lpString2=".") returned 1 [0119.408] lstrcmpiW (lpString1="nl", lpString2="..") returned 1 [0119.408] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl") returned 145 [0119.408] GetProcessHeap () returned 0x4c0000 [0119.408] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0119.408] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl" [0119.408] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\*" [0119.408] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82791bc0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x827942d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x827942d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0119.409] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0119.409] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0119.409] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0119.409] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0119.409] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0119.409] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0119.409] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82791bc0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x827942d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x827942d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0119.409] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0119.409] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0119.409] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0119.409] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0119.409] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0119.409] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0119.409] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0119.409] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x827942d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x827969e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab0130, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x282, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0119.409] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0119.409] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0119.409] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0119.409] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0119.409] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0119.409] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0119.409] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0119.409] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\messages.json") returned 159 [0119.409] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0119.409] PathFindExtensionW (pszPath="messages.json") returned=".json" [0119.409] lstrlenW (lpString=".json") returned 5 [0119.409] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0119.409] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x198 [0119.416] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=642) returned 1 [0119.416] GetProcessHeap () returned 0x4c0000 [0119.416] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b600f0 [0119.425] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="0F") returned 2 [0119.425] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="69") returned 2 [0119.425] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="CA") returned 2 [0119.425] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="D6") returned 2 [0119.425] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="2D") returned 2 [0119.425] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="14") returned 2 [0119.425] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="37") returned 2 [0119.425] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="2E") returned 2 [0119.425] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="5B") returned 2 [0119.425] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="44") returned 2 [0119.425] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="2A") returned 2 [0119.425] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="79") returned 2 [0119.426] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="54") returned 2 [0119.426] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="87") returned 2 [0119.426] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="48") returned 2 [0119.426] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="6D") returned 2 [0119.426] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="E7") returned 2 [0119.426] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="2E") returned 2 [0119.426] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="C1") returned 2 [0119.426] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="29") returned 2 [0119.426] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="DD") returned 2 [0119.426] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="D6") returned 2 [0119.426] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="C6") returned 2 [0119.426] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="10") returned 2 [0119.426] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="40") returned 2 [0119.426] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="36") returned 2 [0119.426] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="A6") returned 2 [0119.426] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="0A") returned 2 [0119.426] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="6C") returned 2 [0119.426] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="B7") returned 2 [0119.426] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="CB") returned 2 [0119.426] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="46") returned 2 [0119.436] lstrcpyW (in: lpString1=0x3b70124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\messages.json" [0119.436] lstrcpyW (in: lpString1=0x3b60124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\messages.json" [0119.436] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\messages.json", lpString2=".0F69CAD62D14372E5B442A795487486DE72EC129DDD6C6104036A60A6CB7CB46" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\messages.json.0F69CAD62D14372E5B442A795487486DE72EC129DDD6C6104036A60A6CB7CB46") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\messages.json.0F69CAD62D14372E5B442A795487486DE72EC129DDD6C6104036A60A6CB7CB46" [0119.436] CreateIoCompletionPort (FileHandle=0x198, ExistingCompletionPort=0x94, CompletionKey=0x3b600f0, NumberOfConcurrentThreads=0x0) returned 0x94 [0119.436] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b600f0, lpOverlapped=0x3b600f0) returned 1 [0119.437] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x827942d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x827969e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab0130, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x282, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0119.437] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0119.437] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\PUSSY.TXT") returned 155 [0119.437] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0119.438] lstrlenA (lpString="abcd") returned 4 [0119.438] WriteFile (in: hFile=0x1ac, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0119.439] CloseHandle (hObject=0x1ac) returned 1 [0119.439] GetProcessHeap () returned 0x4c0000 [0119.439] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0119.440] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8279b800, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8279df10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8279df10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="pl", cAlternateFileName="")) returned 1 [0119.440] lstrcmpiW (lpString1="pl", lpString2="Windows") returned -1 [0119.440] lstrcmpiW (lpString1="pl", lpString2="Program Files") returned -1 [0119.440] lstrcmpiW (lpString1="pl", lpString2="Program Files (x86)") returned -1 [0119.440] lstrcmpiW (lpString1="pl", lpString2="$Recycle.bin") returned 1 [0119.440] lstrcmpiW (lpString1="pl", lpString2="System Volume Information") returned -1 [0119.440] lstrcmpiW (lpString1="pl", lpString2=".") returned 1 [0119.440] lstrcmpiW (lpString1="pl", lpString2="..") returned 1 [0119.440] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl") returned 145 [0119.440] GetProcessHeap () returned 0x4c0000 [0119.440] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0119.440] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl" [0119.440] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\*" [0119.440] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8279b800, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8279df10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8279df10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0119.441] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0119.441] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0119.441] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0119.441] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0119.441] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0119.441] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0119.441] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8279b800, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8279df10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8279df10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0119.441] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0119.441] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0119.441] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0119.441] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0119.441] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0119.441] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0119.441] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0119.441] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8279df10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8279df10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab2840, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x29a, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0119.441] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0119.441] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0119.441] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0119.441] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0119.441] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0119.441] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0119.441] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0119.441] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\messages.json") returned 159 [0119.442] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0119.442] PathFindExtensionW (pszPath="messages.json") returned=".json" [0119.442] lstrlenW (lpString=".json") returned 5 [0119.442] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0119.442] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b4 [0119.442] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=666) returned 1 [0119.443] GetProcessHeap () returned 0x4c0000 [0119.443] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b88140 [0119.456] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="04") returned 2 [0119.456] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="E9") returned 2 [0119.456] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="0F") returned 2 [0119.456] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="B9") returned 2 [0119.456] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="87") returned 2 [0119.456] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="5F") returned 2 [0119.456] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="C9") returned 2 [0119.456] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="DC") returned 2 [0119.456] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="97") returned 2 [0119.456] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="CF") returned 2 [0119.456] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="69") returned 2 [0119.456] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="AC") returned 2 [0119.456] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="1F") returned 2 [0119.457] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="A6") returned 2 [0119.457] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="4B") returned 2 [0119.457] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="F2") returned 2 [0119.457] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="D4") returned 2 [0119.457] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="7E") returned 2 [0119.457] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="B3") returned 2 [0119.457] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="EA") returned 2 [0119.457] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="DF") returned 2 [0119.457] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="CD") returned 2 [0119.457] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="38") returned 2 [0119.457] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="E1") returned 2 [0119.457] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="FF") returned 2 [0119.457] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="CB") returned 2 [0119.458] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="07") returned 2 [0119.458] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="D9") returned 2 [0119.458] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="9D") returned 2 [0119.458] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="C8") returned 2 [0119.458] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="92") returned 2 [0119.458] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="25") returned 2 [0119.472] lstrcpyW (in: lpString1=0x3b98174, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\messages.json" [0119.472] lstrcpyW (in: lpString1=0x3b88174, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\messages.json" [0119.472] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\messages.json", lpString2=".04E90FB9875FC9DC97CF69AC1FA64BF2D47EB3EADFCD38E1FFCB07D99DC89225" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\messages.json.04E90FB9875FC9DC97CF69AC1FA64BF2D47EB3EADFCD38E1FFCB07D99DC89225") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\messages.json.04E90FB9875FC9DC97CF69AC1FA64BF2D47EB3EADFCD38E1FFCB07D99DC89225" [0119.472] CreateIoCompletionPort (FileHandle=0x1b4, ExistingCompletionPort=0x94, CompletionKey=0x3b88140, NumberOfConcurrentThreads=0x0) returned 0x94 [0119.472] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b88140, lpOverlapped=0x3b88140) returned 1 [0119.474] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8279df10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8279df10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab2840, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x29a, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0119.474] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0119.474] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\PUSSY.TXT") returned 155 [0119.474] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0119.475] lstrlenA (lpString="abcd") returned 4 [0119.475] WriteFile (in: hFile=0x1ac, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0119.476] CloseHandle (hObject=0x1ac) returned 1 [0119.476] GetProcessHeap () returned 0x4c0000 [0119.476] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0119.476] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x827a2d30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x827a5440, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x827a5440, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="pt_BR", cAlternateFileName="")) returned 1 [0119.476] lstrcmpiW (lpString1="pt_BR", lpString2="Windows") returned -1 [0119.477] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files") returned 1 [0119.477] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files (x86)") returned 1 [0119.477] lstrcmpiW (lpString1="pt_BR", lpString2="$Recycle.bin") returned 1 [0119.477] lstrcmpiW (lpString1="pt_BR", lpString2="System Volume Information") returned -1 [0119.477] lstrcmpiW (lpString1="pt_BR", lpString2=".") returned 1 [0119.477] lstrcmpiW (lpString1="pt_BR", lpString2="..") returned 1 [0119.477] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR") returned 148 [0119.477] GetProcessHeap () returned 0x4c0000 [0119.477] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0119.477] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR" [0119.477] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\*" [0119.477] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x827a2d30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x827a5440, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x827a5440, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0119.478] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0119.478] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0119.478] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0119.478] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0119.478] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0119.478] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0119.478] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x827a2d30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x827a5440, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x827a5440, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0119.478] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0119.478] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0119.478] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0119.478] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0119.478] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0119.478] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0119.478] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0119.478] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x827a5440, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x827a5440, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab2840, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x29b, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0119.478] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0119.478] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0119.479] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0119.479] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0119.479] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0119.479] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0119.479] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0119.479] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\messages.json") returned 162 [0119.479] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0119.479] PathFindExtensionW (pszPath="messages.json") returned=".json" [0119.479] lstrlenW (lpString=".json") returned 5 [0119.479] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0119.479] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_br\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1c0 [0119.481] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=667) returned 1 [0119.481] GetProcessHeap () returned 0x4c0000 [0119.481] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3ce91f0 [0119.500] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="A1") returned 2 [0119.500] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="1F") returned 2 [0119.500] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="C3") returned 2 [0119.500] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="24") returned 2 [0119.500] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="2D") returned 2 [0119.500] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="0E") returned 2 [0119.500] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="B0") returned 2 [0119.501] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="10") returned 2 [0119.501] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="16") returned 2 [0119.501] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="92") returned 2 [0119.501] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="29") returned 2 [0119.501] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="05") returned 2 [0119.501] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="91") returned 2 [0119.501] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="9B") returned 2 [0119.501] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="02") returned 2 [0119.501] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="15") returned 2 [0119.501] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="B5") returned 2 [0119.501] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="0E") returned 2 [0119.501] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="58") returned 2 [0119.501] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="51") returned 2 [0119.501] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="C1") returned 2 [0119.501] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="BF") returned 2 [0119.501] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="D1") returned 2 [0119.501] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="04") returned 2 [0119.501] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="13") returned 2 [0119.501] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="1F") returned 2 [0119.501] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="40") returned 2 [0119.501] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="7F") returned 2 [0119.501] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="D5") returned 2 [0119.501] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="54") returned 2 [0119.502] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="68") returned 2 [0119.502] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="73") returned 2 [0119.513] lstrcpyW (in: lpString1=0x3cf9224, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\messages.json" [0119.513] lstrcpyW (in: lpString1=0x3ce9224, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\messages.json" [0119.513] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\messages.json", lpString2=".A11FC3242D0EB01016922905919B0215B50E5851C1BFD104131F407FD5546873" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\messages.json.A11FC3242D0EB01016922905919B0215B50E5851C1BFD104131F407FD5546873") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\messages.json.A11FC3242D0EB01016922905919B0215B50E5851C1BFD104131F407FD5546873" [0119.513] CreateIoCompletionPort (FileHandle=0x1c0, ExistingCompletionPort=0x94, CompletionKey=0x3ce91f0, NumberOfConcurrentThreads=0x0) returned 0x94 [0119.513] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3ce91f0, lpOverlapped=0x3ce91f0) returned 1 [0119.513] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x827a5440, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x827a5440, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab2840, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x29b, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0119.513] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0119.513] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\PUSSY.TXT") returned 158 [0119.514] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_br\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0119.514] lstrlenA (lpString="abcd") returned 4 [0119.514] WriteFile (in: hFile=0x1ac, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0119.516] CloseHandle (hObject=0x1ac) returned 1 [0119.516] GetProcessHeap () returned 0x4c0000 [0119.516] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0119.516] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x827aa260, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x827af080, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x827af080, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="pt_PT", cAlternateFileName="")) returned 1 [0119.516] lstrcmpiW (lpString1="pt_PT", lpString2="Windows") returned -1 [0119.516] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files") returned 1 [0119.516] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files (x86)") returned 1 [0119.516] lstrcmpiW (lpString1="pt_PT", lpString2="$Recycle.bin") returned 1 [0119.516] lstrcmpiW (lpString1="pt_PT", lpString2="System Volume Information") returned -1 [0119.516] lstrcmpiW (lpString1="pt_PT", lpString2=".") returned 1 [0119.516] lstrcmpiW (lpString1="pt_PT", lpString2="..") returned 1 [0119.516] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT") returned 148 [0119.516] GetProcessHeap () returned 0x4c0000 [0119.516] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0119.516] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT" [0119.516] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\*" [0119.517] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x827aa260, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x827af080, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x827af080, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0119.517] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0119.517] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0119.517] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0119.517] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0119.517] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0119.517] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0119.517] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x827aa260, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x827af080, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x827af080, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0119.517] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0119.517] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0119.517] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0119.517] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0119.517] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0119.517] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0119.518] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0119.518] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x827af080, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x827af080, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab2840, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x295, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0119.518] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0119.518] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0119.518] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0119.518] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0119.518] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0119.518] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0119.518] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0119.518] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\messages.json") returned 162 [0119.518] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0119.518] PathFindExtensionW (pszPath="messages.json") returned=".json" [0119.518] lstrlenW (lpString=".json") returned 5 [0119.518] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0119.518] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_pt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1c4 [0119.519] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=661) returned 1 [0119.519] GetProcessHeap () returned 0x4c0000 [0119.519] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3d11240 [0119.536] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="5B") returned 2 [0119.536] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="B9") returned 2 [0119.536] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="4F") returned 2 [0119.536] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="B9") returned 2 [0119.536] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="94") returned 2 [0119.536] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="68") returned 2 [0119.536] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="FA") returned 2 [0119.536] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="DB") returned 2 [0119.536] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="90") returned 2 [0119.536] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="5F") returned 2 [0119.536] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="56") returned 2 [0119.536] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="CA") returned 2 [0119.536] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="65") returned 2 [0119.536] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="B5") returned 2 [0119.536] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="D9") returned 2 [0119.536] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="23") returned 2 [0119.536] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="F1") returned 2 [0119.536] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="96") returned 2 [0119.537] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="C0") returned 2 [0119.537] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="F9") returned 2 [0119.537] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="FD") returned 2 [0119.537] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="E5") returned 2 [0119.537] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="46") returned 2 [0119.537] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="29") returned 2 [0119.537] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="36") returned 2 [0119.537] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="30") returned 2 [0119.537] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="BC") returned 2 [0119.537] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="D4") returned 2 [0119.537] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="45") returned 2 [0119.537] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="80") returned 2 [0119.537] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="37") returned 2 [0119.537] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="57") returned 2 [0119.576] lstrcpyW (in: lpString1=0x3d21274, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\messages.json" [0119.576] lstrcpyW (in: lpString1=0x3d11274, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\messages.json" [0119.576] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\messages.json", lpString2=".5BB94FB99468FADB905F56CA65B5D923F196C0F9FDE546293630BCD445803757" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\messages.json.5BB94FB99468FADB905F56CA65B5D923F196C0F9FDE546293630BCD445803757") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\messages.json.5BB94FB99468FADB905F56CA65B5D923F196C0F9FDE546293630BCD445803757" [0119.576] CreateIoCompletionPort (FileHandle=0x1c4, ExistingCompletionPort=0x94, CompletionKey=0x3d11240, NumberOfConcurrentThreads=0x0) returned 0x94 [0119.576] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3d11240, lpOverlapped=0x3d11240) returned 1 [0119.577] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x827af080, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x827af080, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab2840, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x295, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0119.577] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0119.577] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\PUSSY.TXT") returned 158 [0119.577] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_pt\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0119.648] lstrlenA (lpString="abcd") returned 4 [0119.649] WriteFile (in: hFile=0x1b8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0119.650] CloseHandle (hObject=0x1b8) returned 1 [0119.650] GetProcessHeap () returned 0x4c0000 [0119.650] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0119.658] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x827b3ea0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x827b65b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x827b65b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ro", cAlternateFileName="")) returned 1 [0119.658] lstrcmpiW (lpString1="ro", lpString2="Windows") returned -1 [0119.658] lstrcmpiW (lpString1="ro", lpString2="Program Files") returned 1 [0119.658] lstrcmpiW (lpString1="ro", lpString2="Program Files (x86)") returned 1 [0119.658] lstrcmpiW (lpString1="ro", lpString2="$Recycle.bin") returned 1 [0119.658] lstrcmpiW (lpString1="ro", lpString2="System Volume Information") returned -1 [0119.658] lstrcmpiW (lpString1="ro", lpString2=".") returned 1 [0119.658] lstrcmpiW (lpString1="ro", lpString2="..") returned 1 [0119.658] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro") returned 145 [0119.658] GetProcessHeap () returned 0x4c0000 [0119.658] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0119.659] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro" [0119.659] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\*" [0119.659] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x827b3ea0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x827b65b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x827b65b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0119.660] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0119.660] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0119.660] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0119.660] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0119.660] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0119.660] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0119.660] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x827b3ea0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x827b65b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x827b65b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0119.660] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0119.660] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0119.660] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0119.660] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0119.660] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0119.660] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0119.660] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0119.660] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x827b65b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x827b8cc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab2840, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x29c, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0119.660] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0119.660] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0119.661] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0119.661] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0119.661] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0119.661] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0119.661] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0119.661] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\messages.json") returned 159 [0119.661] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0119.661] PathFindExtensionW (pszPath="messages.json") returned=".json" [0119.661] lstrlenW (lpString=".json") returned 5 [0119.661] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0119.661] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x198 [0119.668] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=668) returned 1 [0119.668] GetProcessHeap () returned 0x4c0000 [0119.668] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b380a0 [0119.683] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="87") returned 2 [0119.683] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="2C") returned 2 [0119.683] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="99") returned 2 [0119.683] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="8F") returned 2 [0119.683] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="C6") returned 2 [0119.683] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="3D") returned 2 [0119.683] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="8A") returned 2 [0119.683] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="20") returned 2 [0119.683] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="7B") returned 2 [0119.683] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="63") returned 2 [0119.683] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="21") returned 2 [0119.683] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="25") returned 2 [0119.683] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="EF") returned 2 [0119.683] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="17") returned 2 [0119.683] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="32") returned 2 [0119.683] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="84") returned 2 [0119.683] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="65") returned 2 [0119.683] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="5F") returned 2 [0119.683] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="D5") returned 2 [0119.683] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="FD") returned 2 [0119.683] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="72") returned 2 [0119.683] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="92") returned 2 [0119.683] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="1F") returned 2 [0119.683] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="DE") returned 2 [0119.683] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="63") returned 2 [0119.683] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="8A") returned 2 [0119.684] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="99") returned 2 [0119.684] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="B2") returned 2 [0119.684] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="00") returned 2 [0119.684] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="3B") returned 2 [0119.684] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="ED") returned 2 [0119.684] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="60") returned 2 [0119.694] lstrcpyW (in: lpString1=0x3b480d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\messages.json" [0119.694] lstrcpyW (in: lpString1=0x3b380d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\messages.json" [0119.694] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\messages.json", lpString2=".872C998FC63D8A207B632125EF173284655FD5FD72921FDE638A99B2003BED60" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\messages.json.872C998FC63D8A207B632125EF173284655FD5FD72921FDE638A99B2003BED60") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\messages.json.872C998FC63D8A207B632125EF173284655FD5FD72921FDE638A99B2003BED60" [0119.694] CreateIoCompletionPort (FileHandle=0x198, ExistingCompletionPort=0x94, CompletionKey=0x3b380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0119.694] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b380a0, lpOverlapped=0x3b380a0) returned 1 [0119.694] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x827b65b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x827b8cc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab2840, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x29c, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0119.694] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0119.694] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\PUSSY.TXT") returned 155 [0119.694] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0119.695] lstrlenA (lpString="abcd") returned 4 [0119.695] WriteFile (in: hFile=0x1b8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0119.696] CloseHandle (hObject=0x1b8) returned 1 [0119.696] GetProcessHeap () returned 0x4c0000 [0119.696] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0119.698] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x827c7720, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x827cc540, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x827cc540, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ru", cAlternateFileName="")) returned 1 [0119.698] lstrcmpiW (lpString1="ru", lpString2="Windows") returned -1 [0119.698] lstrcmpiW (lpString1="ru", lpString2="Program Files") returned 1 [0119.698] lstrcmpiW (lpString1="ru", lpString2="Program Files (x86)") returned 1 [0119.698] lstrcmpiW (lpString1="ru", lpString2="$Recycle.bin") returned 1 [0119.698] lstrcmpiW (lpString1="ru", lpString2="System Volume Information") returned -1 [0119.698] lstrcmpiW (lpString1="ru", lpString2=".") returned 1 [0119.698] lstrcmpiW (lpString1="ru", lpString2="..") returned 1 [0119.698] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru") returned 145 [0119.698] GetProcessHeap () returned 0x4c0000 [0119.698] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0119.699] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru" [0119.699] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\*" [0119.699] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x827c7720, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x827cc540, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x827cc540, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0119.699] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0119.699] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0119.699] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0119.699] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0119.700] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0119.700] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0119.700] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x827c7720, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x827cc540, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x827cc540, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0119.700] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0119.700] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0119.700] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0119.700] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0119.700] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0119.700] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0119.700] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0119.700] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x827cc540, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x827cec50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab2840, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x30f, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0119.700] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0119.700] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0119.700] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0119.700] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0119.700] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0119.700] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0119.700] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0119.700] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\messages.json") returned 159 [0119.700] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0119.700] PathFindExtensionW (pszPath="messages.json") returned=".json" [0119.700] lstrlenW (lpString=".json") returned 5 [0119.700] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0119.700] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0119.701] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=783) returned 1 [0119.701] GetProcessHeap () returned 0x4c0000 [0119.701] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b600f0 [0119.713] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="A9") returned 2 [0119.713] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="DB") returned 2 [0119.713] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="50") returned 2 [0119.713] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="D1") returned 2 [0119.713] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="F5") returned 2 [0119.713] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="BF") returned 2 [0119.713] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="BB") returned 2 [0119.713] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="9C") returned 2 [0119.713] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="F7") returned 2 [0119.713] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="FA") returned 2 [0119.713] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="0A") returned 2 [0119.713] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="DD") returned 2 [0119.713] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="B5") returned 2 [0119.713] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="C4") returned 2 [0119.713] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="AB") returned 2 [0119.713] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="16") returned 2 [0119.713] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="F7") returned 2 [0119.713] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="F2") returned 2 [0119.714] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="F9") returned 2 [0119.714] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="51") returned 2 [0119.714] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="AA") returned 2 [0119.714] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="89") returned 2 [0119.714] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="63") returned 2 [0119.714] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="86") returned 2 [0119.714] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="70") returned 2 [0119.714] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="3C") returned 2 [0119.714] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="C3") returned 2 [0119.714] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="A5") returned 2 [0119.714] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="7B") returned 2 [0119.714] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="DA") returned 2 [0119.714] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="44") returned 2 [0119.714] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="61") returned 2 [0119.725] lstrcpyW (in: lpString1=0x3b70124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\messages.json" [0119.725] lstrcpyW (in: lpString1=0x3b60124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\messages.json" [0119.725] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\messages.json", lpString2=".A9DB50D1F5BFBB9CF7FA0ADDB5C4AB16F7F2F951AA896386703CC3A57BDA4461" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\messages.json.A9DB50D1F5BFBB9CF7FA0ADDB5C4AB16F7F2F951AA896386703CC3A57BDA4461") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\messages.json.A9DB50D1F5BFBB9CF7FA0ADDB5C4AB16F7F2F951AA896386703CC3A57BDA4461" [0119.725] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x3b600f0, NumberOfConcurrentThreads=0x0) returned 0x94 [0119.725] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b600f0, lpOverlapped=0x3b600f0) returned 1 [0119.725] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x827cc540, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x827cec50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab2840, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x30f, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0119.725] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0119.725] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\PUSSY.TXT") returned 155 [0119.725] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0119.726] lstrlenA (lpString="abcd") returned 4 [0119.726] WriteFile (in: hFile=0x1b8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0119.727] CloseHandle (hObject=0x1b8) returned 1 [0119.727] GetProcessHeap () returned 0x4c0000 [0119.727] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0119.727] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x827e4be0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x827e72f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x827e72f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="sk", cAlternateFileName="")) returned 1 [0119.727] lstrcmpiW (lpString1="sk", lpString2="Windows") returned -1 [0119.727] lstrcmpiW (lpString1="sk", lpString2="Program Files") returned 1 [0119.727] lstrcmpiW (lpString1="sk", lpString2="Program Files (x86)") returned 1 [0119.727] lstrcmpiW (lpString1="sk", lpString2="$Recycle.bin") returned 1 [0119.728] lstrcmpiW (lpString1="sk", lpString2="System Volume Information") returned -1 [0119.728] lstrcmpiW (lpString1="sk", lpString2=".") returned 1 [0119.728] lstrcmpiW (lpString1="sk", lpString2="..") returned 1 [0119.728] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk") returned 145 [0119.728] GetProcessHeap () returned 0x4c0000 [0119.728] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0119.728] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk" [0119.728] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\*" [0119.728] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x827e4be0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x827e72f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x827e72f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0119.728] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0119.728] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0119.728] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0119.728] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0119.728] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0119.728] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0119.728] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x827e4be0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x827e72f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x827e72f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0119.728] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0119.728] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0119.728] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0119.728] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0119.728] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0119.728] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0119.729] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0119.729] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x827e72f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x827e9a00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab2840, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x29f, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0119.729] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0119.729] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0119.729] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0119.729] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0119.729] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0119.729] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0119.729] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0119.729] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\messages.json") returned 159 [0119.729] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0119.729] PathFindExtensionW (pszPath="messages.json") returned=".json" [0119.729] lstrlenW (lpString=".json") returned 5 [0119.729] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0119.729] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0119.734] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=671) returned 1 [0119.734] GetProcessHeap () returned 0x4c0000 [0119.734] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x53caf0 [0119.744] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="07") returned 2 [0119.744] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="81") returned 2 [0119.745] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="B4") returned 2 [0119.745] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="F2") returned 2 [0119.745] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="5F") returned 2 [0119.745] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="4C") returned 2 [0119.745] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="10") returned 2 [0119.745] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="94") returned 2 [0119.745] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="6A") returned 2 [0119.745] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="41") returned 2 [0119.745] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="7B") returned 2 [0119.745] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="CF") returned 2 [0119.745] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="95") returned 2 [0119.745] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="50") returned 2 [0119.745] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="F8") returned 2 [0119.745] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="A6") returned 2 [0119.745] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="7D") returned 2 [0119.745] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="19") returned 2 [0119.745] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="E2") returned 2 [0119.745] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="66") returned 2 [0119.745] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="0D") returned 2 [0119.745] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="7A") returned 2 [0119.745] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="47") returned 2 [0119.745] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="DA") returned 2 [0119.745] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="1E") returned 2 [0119.745] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="FA") returned 2 [0119.745] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="38") returned 2 [0119.745] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="85") returned 2 [0119.746] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="02") returned 2 [0119.746] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="D0") returned 2 [0119.746] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="1B") returned 2 [0119.746] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="3B") returned 2 [0119.754] lstrcpyW (in: lpString1=0x54cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\messages.json" [0119.754] lstrcpyW (in: lpString1=0x53cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\messages.json" [0119.754] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\messages.json", lpString2=".0781B4F25F4C10946A417BCF9550F8A67D19E2660D7A47DA1EFA388502D01B3B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\messages.json.0781B4F25F4C10946A417BCF9550F8A67D19E2660D7A47DA1EFA388502D01B3B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\messages.json.0781B4F25F4C10946A417BCF9550F8A67D19E2660D7A47DA1EFA388502D01B3B" [0119.754] CreateIoCompletionPort (FileHandle=0x16c, ExistingCompletionPort=0x94, CompletionKey=0x53caf0, NumberOfConcurrentThreads=0x0) returned 0x94 [0119.754] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x53caf0, lpOverlapped=0x53caf0) returned 1 [0119.754] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x827e72f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x827e9a00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab2840, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x29f, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0119.754] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0119.754] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\PUSSY.TXT") returned 155 [0119.754] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0119.755] lstrlenA (lpString="abcd") returned 4 [0119.755] WriteFile (in: hFile=0x1b8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0119.756] CloseHandle (hObject=0x1b8) returned 1 [0119.756] GetProcessHeap () returned 0x4c0000 [0119.756] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0119.756] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x827f5d50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x827fab70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x827fab70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="sl", cAlternateFileName="")) returned 1 [0119.756] lstrcmpiW (lpString1="sl", lpString2="Windows") returned -1 [0119.757] lstrcmpiW (lpString1="sl", lpString2="Program Files") returned 1 [0119.757] lstrcmpiW (lpString1="sl", lpString2="Program Files (x86)") returned 1 [0119.757] lstrcmpiW (lpString1="sl", lpString2="$Recycle.bin") returned 1 [0119.757] lstrcmpiW (lpString1="sl", lpString2="System Volume Information") returned -1 [0119.757] lstrcmpiW (lpString1="sl", lpString2=".") returned 1 [0119.757] lstrcmpiW (lpString1="sl", lpString2="..") returned 1 [0119.757] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl") returned 145 [0119.757] GetProcessHeap () returned 0x4c0000 [0119.757] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0119.757] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl" [0119.757] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\*" [0119.757] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x827f5d50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x827fab70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x827fab70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0119.757] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0119.757] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0119.757] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0119.757] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0119.758] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0119.758] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0119.758] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x827f5d50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x827fab70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x827fab70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0119.758] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0119.758] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0119.758] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0119.758] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0119.758] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0119.758] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0119.758] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0119.758] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x827fab70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x827fd280, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab2840, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x282, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0119.758] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0119.758] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0119.758] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0119.758] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0119.758] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0119.758] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0119.758] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0119.758] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\messages.json") returned 159 [0119.758] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0119.758] PathFindExtensionW (pszPath="messages.json") returned=".json" [0119.758] lstrlenW (lpString=".json") returned 5 [0119.758] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0119.758] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0119.765] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=642) returned 1 [0119.766] GetProcessHeap () returned 0x4c0000 [0119.766] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x564b40 [0119.778] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="9E") returned 2 [0119.778] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="23") returned 2 [0119.778] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="AD") returned 2 [0119.778] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="35") returned 2 [0119.778] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="89") returned 2 [0119.778] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="3B") returned 2 [0119.778] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="3D") returned 2 [0119.778] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="59") returned 2 [0119.778] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="39") returned 2 [0119.778] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="2C") returned 2 [0119.778] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="A9") returned 2 [0119.778] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="8E") returned 2 [0119.778] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="43") returned 2 [0119.779] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="5A") returned 2 [0119.779] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="CA") returned 2 [0119.779] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="A8") returned 2 [0119.779] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="D7") returned 2 [0119.779] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="1C") returned 2 [0119.779] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="D4") returned 2 [0119.779] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="FB") returned 2 [0119.779] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="AA") returned 2 [0119.779] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="3D") returned 2 [0119.779] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="11") returned 2 [0119.779] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="DA") returned 2 [0119.779] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="13") returned 2 [0119.779] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="D3") returned 2 [0119.779] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="A6") returned 2 [0119.779] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="08") returned 2 [0119.779] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="0B") returned 2 [0119.779] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="12") returned 2 [0119.779] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="CB") returned 2 [0119.779] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="0E") returned 2 [0119.791] lstrcpyW (in: lpString1=0x574b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\messages.json" [0119.791] lstrcpyW (in: lpString1=0x564b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\messages.json" [0119.791] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\messages.json", lpString2=".9E23AD35893B3D59392CA98E435ACAA8D71CD4FBAA3D11DA13D3A6080B12CB0E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\messages.json.9E23AD35893B3D59392CA98E435ACAA8D71CD4FBAA3D11DA13D3A6080B12CB0E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\messages.json.9E23AD35893B3D59392CA98E435ACAA8D71CD4FBAA3D11DA13D3A6080B12CB0E" [0119.791] CreateIoCompletionPort (FileHandle=0x1b0, ExistingCompletionPort=0x94, CompletionKey=0x564b40, NumberOfConcurrentThreads=0x0) returned 0x94 [0119.792] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x564b40, lpOverlapped=0x564b40) returned 1 [0119.793] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x827fab70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x827fd280, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab2840, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x282, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0119.793] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0119.793] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\PUSSY.TXT") returned 155 [0119.793] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0119.794] lstrlenA (lpString="abcd") returned 4 [0119.794] WriteFile (in: hFile=0x1b8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0119.795] CloseHandle (hObject=0x1b8) returned 1 [0119.795] GetProcessHeap () returned 0x4c0000 [0119.795] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0119.795] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x828095d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8280e3f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8280e3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="sr", cAlternateFileName="")) returned 1 [0119.795] lstrcmpiW (lpString1="sr", lpString2="Windows") returned -1 [0119.795] lstrcmpiW (lpString1="sr", lpString2="Program Files") returned 1 [0119.795] lstrcmpiW (lpString1="sr", lpString2="Program Files (x86)") returned 1 [0119.795] lstrcmpiW (lpString1="sr", lpString2="$Recycle.bin") returned 1 [0119.795] lstrcmpiW (lpString1="sr", lpString2="System Volume Information") returned -1 [0119.795] lstrcmpiW (lpString1="sr", lpString2=".") returned 1 [0119.795] lstrcmpiW (lpString1="sr", lpString2="..") returned 1 [0119.796] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr") returned 145 [0119.796] GetProcessHeap () returned 0x4c0000 [0119.796] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0119.796] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr" [0119.796] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\*" [0119.796] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x828095d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8280e3f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8280e3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0119.796] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0119.796] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0119.796] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0119.796] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0119.796] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0119.796] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0119.796] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x828095d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8280e3f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8280e3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0119.796] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0119.797] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0119.797] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0119.797] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0119.797] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0119.797] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0119.797] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0119.797] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8280e3f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82821c70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab2840, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x32c, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0119.797] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0119.797] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0119.797] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0119.797] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0119.797] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0119.797] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0119.797] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0119.797] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\messages.json") returned 159 [0119.797] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0119.797] PathFindExtensionW (pszPath="messages.json") returned=".json" [0119.797] lstrlenW (lpString=".json") returned 5 [0119.797] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0119.797] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0119.799] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=812) returned 1 [0119.799] GetProcessHeap () returned 0x4c0000 [0119.799] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c490b0 [0119.831] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="4A") returned 2 [0119.831] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="EF") returned 2 [0119.831] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="AA") returned 2 [0119.831] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="33") returned 2 [0119.831] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="97") returned 2 [0119.831] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="0A") returned 2 [0119.831] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="E6") returned 2 [0119.831] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="3A") returned 2 [0119.831] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="2D") returned 2 [0119.831] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="96") returned 2 [0119.831] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="FA") returned 2 [0119.831] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="27") returned 2 [0119.831] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="7D") returned 2 [0119.831] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="E4") returned 2 [0119.831] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="23") returned 2 [0119.831] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="D2") returned 2 [0119.832] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="A7") returned 2 [0119.832] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="37") returned 2 [0119.832] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="33") returned 2 [0119.832] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="F5") returned 2 [0119.832] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="C0") returned 2 [0119.832] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="FB") returned 2 [0119.832] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="AA") returned 2 [0119.832] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="A4") returned 2 [0119.832] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="C9") returned 2 [0119.832] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="DF") returned 2 [0119.832] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="6F") returned 2 [0119.832] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="AD") returned 2 [0119.832] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="5E") returned 2 [0119.832] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="B2") returned 2 [0119.832] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="C3") returned 2 [0119.832] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="31") returned 2 [0119.842] lstrcpyW (in: lpString1=0x3c590e4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\messages.json" [0119.842] lstrcpyW (in: lpString1=0x3c490e4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\messages.json" [0119.842] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\messages.json", lpString2=".4AEFAA33970AE63A2D96FA277DE423D2A73733F5C0FBAAA4C9DF6FAD5EB2C331" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\messages.json.4AEFAA33970AE63A2D96FA277DE423D2A73733F5C0FBAAA4C9DF6FAD5EB2C331") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\messages.json.4AEFAA33970AE63A2D96FA277DE423D2A73733F5C0FBAAA4C9DF6FAD5EB2C331" [0119.842] CreateIoCompletionPort (FileHandle=0x1ac, ExistingCompletionPort=0x94, CompletionKey=0x3c490b0, NumberOfConcurrentThreads=0x0) returned 0x94 [0119.842] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c490b0, lpOverlapped=0x3c490b0) returned 1 [0119.842] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8280e3f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82821c70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab2840, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x32c, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0119.842] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0119.842] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\PUSSY.TXT") returned 155 [0119.842] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0120.073] lstrlenA (lpString="abcd") returned 4 [0120.074] WriteFile (in: hFile=0x1b4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0120.075] CloseHandle (hObject=0x1b4) returned 1 [0120.075] GetProcessHeap () returned 0x4c0000 [0120.075] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.081] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8282b8b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x828306d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x828306d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="sv", cAlternateFileName="")) returned 1 [0120.081] lstrcmpiW (lpString1="sv", lpString2="Windows") returned -1 [0120.081] lstrcmpiW (lpString1="sv", lpString2="Program Files") returned 1 [0120.081] lstrcmpiW (lpString1="sv", lpString2="Program Files (x86)") returned 1 [0120.081] lstrcmpiW (lpString1="sv", lpString2="$Recycle.bin") returned 1 [0120.081] lstrcmpiW (lpString1="sv", lpString2="System Volume Information") returned -1 [0120.081] lstrcmpiW (lpString1="sv", lpString2=".") returned 1 [0120.081] lstrcmpiW (lpString1="sv", lpString2="..") returned 1 [0120.081] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv") returned 145 [0120.082] GetProcessHeap () returned 0x4c0000 [0120.082] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0120.083] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv" [0120.083] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\*" [0120.083] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8282b8b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x828306d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x828306d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0120.083] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.083] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.083] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.083] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.084] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.084] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.084] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8282b8b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x828306d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x828306d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.084] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.084] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.084] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.084] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.084] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.084] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.084] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.084] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x828306d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8283ca20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab2840, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x289, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0120.084] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0120.084] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0120.084] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0120.084] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0120.084] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0120.084] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0120.084] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0120.084] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\messages.json") returned 159 [0120.085] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0120.085] PathFindExtensionW (pszPath="messages.json") returned=".json" [0120.085] lstrlenW (lpString=".json") returned 5 [0120.085] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0120.085] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x198 [0120.086] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=649) returned 1 [0120.086] GetProcessHeap () returned 0x4c0000 [0120.086] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x53caf0 [0120.099] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="FA") returned 2 [0120.100] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="58") returned 2 [0120.100] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="33") returned 2 [0120.100] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="94") returned 2 [0120.100] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="EC") returned 2 [0120.100] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="2B") returned 2 [0120.100] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="55") returned 2 [0120.100] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="22") returned 2 [0120.100] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="F1") returned 2 [0120.100] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="1E") returned 2 [0120.100] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="4B") returned 2 [0120.100] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="42") returned 2 [0120.100] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="00") returned 2 [0120.100] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="4F") returned 2 [0120.100] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="2B") returned 2 [0120.100] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="FF") returned 2 [0120.100] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="51") returned 2 [0120.100] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="F9") returned 2 [0120.100] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="0E") returned 2 [0120.101] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="6D") returned 2 [0120.101] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="75") returned 2 [0120.101] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="3E") returned 2 [0120.101] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="14") returned 2 [0120.101] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="0D") returned 2 [0120.101] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="30") returned 2 [0120.101] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="3E") returned 2 [0120.101] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="9F") returned 2 [0120.101] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="BE") returned 2 [0120.101] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="F9") returned 2 [0120.101] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="A6") returned 2 [0120.101] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="87") returned 2 [0120.101] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="0C") returned 2 [0120.112] lstrcpyW (in: lpString1=0x54cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\messages.json" [0120.112] lstrcpyW (in: lpString1=0x53cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\messages.json" [0120.112] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\messages.json", lpString2=".FA583394EC2B5522F11E4B42004F2BFF51F90E6D753E140D303E9FBEF9A6870C" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\messages.json.FA583394EC2B5522F11E4B42004F2BFF51F90E6D753E140D303E9FBEF9A6870C") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\messages.json.FA583394EC2B5522F11E4B42004F2BFF51F90E6D753E140D303E9FBEF9A6870C" [0120.112] CreateIoCompletionPort (FileHandle=0x198, ExistingCompletionPort=0x94, CompletionKey=0x53caf0, NumberOfConcurrentThreads=0x0) returned 0x94 [0120.112] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x53caf0, lpOverlapped=0x53caf0) returned 1 [0120.112] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x828306d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8283ca20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab2840, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x289, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0120.112] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0120.112] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\PUSSY.TXT") returned 155 [0120.112] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0120.113] lstrlenA (lpString="abcd") returned 4 [0120.113] WriteFile (in: hFile=0x1b4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0120.114] CloseHandle (hObject=0x1b4) returned 1 [0120.114] GetProcessHeap () returned 0x4c0000 [0120.115] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.115] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8284db90, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x828529b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x828529b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="th", cAlternateFileName="")) returned 1 [0120.115] lstrcmpiW (lpString1="th", lpString2="Windows") returned -1 [0120.115] lstrcmpiW (lpString1="th", lpString2="Program Files") returned 1 [0120.115] lstrcmpiW (lpString1="th", lpString2="Program Files (x86)") returned 1 [0120.115] lstrcmpiW (lpString1="th", lpString2="$Recycle.bin") returned 1 [0120.115] lstrcmpiW (lpString1="th", lpString2="System Volume Information") returned 1 [0120.115] lstrcmpiW (lpString1="th", lpString2=".") returned 1 [0120.115] lstrcmpiW (lpString1="th", lpString2="..") returned 1 [0120.115] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th") returned 145 [0120.115] GetProcessHeap () returned 0x4c0000 [0120.115] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0120.115] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th" [0120.115] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\*" [0120.115] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8284db90, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x828529b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x828529b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0120.115] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.115] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.115] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.115] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.116] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.116] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.116] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8284db90, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x828529b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x828529b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.116] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.116] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.116] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.116] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.116] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.116] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.116] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.116] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x828529b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x828529b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab2840, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x44b, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0120.116] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0120.116] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0120.116] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0120.116] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0120.116] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0120.116] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0120.116] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0120.116] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\messages.json") returned 159 [0120.116] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0120.116] PathFindExtensionW (pszPath="messages.json") returned=".json" [0120.116] lstrlenW (lpString=".json") returned 5 [0120.116] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0120.116] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0120.122] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=1099) returned 1 [0120.122] GetProcessHeap () returned 0x4c0000 [0120.122] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3ce9008 [0120.135] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="F1") returned 2 [0120.135] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="6B") returned 2 [0120.135] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="B3") returned 2 [0120.135] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="EB") returned 2 [0120.135] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="20") returned 2 [0120.135] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="D0") returned 2 [0120.135] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="57") returned 2 [0120.135] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="41") returned 2 [0120.135] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="4A") returned 2 [0120.135] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="BF") returned 2 [0120.135] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="41") returned 2 [0120.135] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="A0") returned 2 [0120.135] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="E6") returned 2 [0120.135] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="CA") returned 2 [0120.135] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="7D") returned 2 [0120.135] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="F0") returned 2 [0120.135] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="E4") returned 2 [0120.135] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="3E") returned 2 [0120.135] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="30") returned 2 [0120.135] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="65") returned 2 [0120.135] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="71") returned 2 [0120.135] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="9A") returned 2 [0120.135] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="72") returned 2 [0120.135] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="2A") returned 2 [0120.135] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="41") returned 2 [0120.135] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="79") returned 2 [0120.135] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="C0") returned 2 [0120.135] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="98") returned 2 [0120.135] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="94") returned 2 [0120.135] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="09") returned 2 [0120.135] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="50") returned 2 [0120.136] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="4A") returned 2 [0120.144] lstrcpyW (in: lpString1=0x3cf903c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\messages.json" [0120.144] lstrcpyW (in: lpString1=0x3ce903c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\messages.json" [0120.144] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\messages.json", lpString2=".F16BB3EB20D057414ABF41A0E6CA7DF0E43E3065719A722A4179C0989409504A" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\messages.json.F16BB3EB20D057414ABF41A0E6CA7DF0E43E3065719A722A4179C0989409504A") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\messages.json.F16BB3EB20D057414ABF41A0E6CA7DF0E43E3065719A722A4179C0989409504A" [0120.144] CreateIoCompletionPort (FileHandle=0x16c, ExistingCompletionPort=0x94, CompletionKey=0x3ce9008, NumberOfConcurrentThreads=0x0) returned 0x94 [0120.145] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3ce9008, lpOverlapped=0x3ce9008) returned 1 [0120.152] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x828529b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x828529b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab2840, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x44b, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0120.152] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0120.152] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\PUSSY.TXT") returned 155 [0120.152] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0120.153] lstrlenA (lpString="abcd") returned 4 [0120.153] WriteFile (in: hFile=0x1b4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0120.154] CloseHandle (hObject=0x1b4) returned 1 [0120.154] GetProcessHeap () returned 0x4c0000 [0120.154] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.154] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82863b20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82866230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82866230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="tr", cAlternateFileName="")) returned 1 [0120.154] lstrcmpiW (lpString1="tr", lpString2="Windows") returned -1 [0120.154] lstrcmpiW (lpString1="tr", lpString2="Program Files") returned 1 [0120.154] lstrcmpiW (lpString1="tr", lpString2="Program Files (x86)") returned 1 [0120.154] lstrcmpiW (lpString1="tr", lpString2="$Recycle.bin") returned 1 [0120.154] lstrcmpiW (lpString1="tr", lpString2="System Volume Information") returned 1 [0120.154] lstrcmpiW (lpString1="tr", lpString2=".") returned 1 [0120.154] lstrcmpiW (lpString1="tr", lpString2="..") returned 1 [0120.154] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr") returned 145 [0120.154] GetProcessHeap () returned 0x4c0000 [0120.154] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0120.154] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr" [0120.154] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\*" [0120.154] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82863b20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82866230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82866230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0120.154] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.154] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.154] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.155] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.155] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.155] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.155] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82863b20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82866230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82866230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.155] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.155] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.155] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.155] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.155] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.155] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.155] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.155] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82866230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82866230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab2840, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x28a, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0120.155] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0120.155] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0120.155] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0120.155] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0120.155] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0120.155] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0120.155] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0120.155] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\messages.json") returned 159 [0120.155] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0120.155] PathFindExtensionW (pszPath="messages.json") returned=".json" [0120.155] lstrlenW (lpString=".json") returned 5 [0120.155] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0120.155] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1c4 [0120.156] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=650) returned 1 [0120.156] GetProcessHeap () returned 0x4c0000 [0120.156] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3d11058 [0120.165] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="72") returned 2 [0120.165] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="AB") returned 2 [0120.165] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="64") returned 2 [0120.165] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="66") returned 2 [0120.165] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="BD") returned 2 [0120.165] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="6E") returned 2 [0120.165] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="7E") returned 2 [0120.165] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="DD") returned 2 [0120.165] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="D5") returned 2 [0120.165] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="BC") returned 2 [0120.165] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="46") returned 2 [0120.165] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="60") returned 2 [0120.165] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="A6") returned 2 [0120.165] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="4E") returned 2 [0120.165] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="1E") returned 2 [0120.165] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="CF") returned 2 [0120.165] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="75") returned 2 [0120.165] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="62") returned 2 [0120.165] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="FE") returned 2 [0120.165] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="EA") returned 2 [0120.165] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="39") returned 2 [0120.165] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="21") returned 2 [0120.165] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="32") returned 2 [0120.165] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="11") returned 2 [0120.166] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="87") returned 2 [0120.166] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="D4") returned 2 [0120.166] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="1D") returned 2 [0120.166] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="58") returned 2 [0120.166] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="66") returned 2 [0120.166] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="21") returned 2 [0120.166] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="F9") returned 2 [0120.166] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="24") returned 2 [0120.174] lstrcpyW (in: lpString1=0x3d2108c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\messages.json" [0120.174] lstrcpyW (in: lpString1=0x3d1108c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\messages.json" [0120.174] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\messages.json", lpString2=".72AB6466BD6E7EDDD5BC4660A64E1ECF7562FEEA3921321187D41D586621F924" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\messages.json.72AB6466BD6E7EDDD5BC4660A64E1ECF7562FEEA3921321187D41D586621F924") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\messages.json.72AB6466BD6E7EDDD5BC4660A64E1ECF7562FEEA3921321187D41D586621F924" [0120.174] CreateIoCompletionPort (FileHandle=0x1c4, ExistingCompletionPort=0x94, CompletionKey=0x3d11058, NumberOfConcurrentThreads=0x0) returned 0x94 [0120.174] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3d11058, lpOverlapped=0x3d11058) returned 1 [0120.178] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82866230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82866230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab2840, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x28a, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0120.178] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0120.178] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\PUSSY.TXT") returned 155 [0120.178] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0120.180] lstrlenA (lpString="abcd") returned 4 [0120.181] WriteFile (in: hFile=0x1b4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0120.181] CloseHandle (hObject=0x1b4) returned 1 [0120.181] GetProcessHeap () returned 0x4c0000 [0120.182] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.184] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8286b050, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8286d760, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8286d760, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="uk", cAlternateFileName="")) returned 1 [0120.184] lstrcmpiW (lpString1="uk", lpString2="Windows") returned -1 [0120.184] lstrcmpiW (lpString1="uk", lpString2="Program Files") returned 1 [0120.184] lstrcmpiW (lpString1="uk", lpString2="Program Files (x86)") returned 1 [0120.184] lstrcmpiW (lpString1="uk", lpString2="$Recycle.bin") returned 1 [0120.184] lstrcmpiW (lpString1="uk", lpString2="System Volume Information") returned 1 [0120.184] lstrcmpiW (lpString1="uk", lpString2=".") returned 1 [0120.184] lstrcmpiW (lpString1="uk", lpString2="..") returned 1 [0120.184] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk") returned 145 [0120.184] GetProcessHeap () returned 0x4c0000 [0120.184] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0120.185] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk" [0120.185] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\*" [0120.185] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8286b050, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8286d760, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8286d760, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0120.185] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.185] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.185] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.185] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.185] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.185] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.185] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8286b050, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8286d760, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8286d760, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.185] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.185] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.185] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.186] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.186] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.186] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.186] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.186] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8286d760, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8286d760, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab4f50, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x315, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0120.186] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0120.186] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0120.186] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0120.186] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0120.186] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0120.186] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0120.186] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0120.186] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\messages.json") returned 159 [0120.186] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0120.186] PathFindExtensionW (pszPath="messages.json") returned=".json" [0120.186] lstrlenW (lpString=".json") returned 5 [0120.186] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0120.186] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1c4 [0120.187] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=789) returned 1 [0120.187] GetProcessHeap () returned 0x4c0000 [0120.187] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3d11058 [0120.198] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="79") returned 2 [0120.198] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="D3") returned 2 [0120.198] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="A9") returned 2 [0120.198] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="8C") returned 2 [0120.198] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="BF") returned 2 [0120.198] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="7B") returned 2 [0120.198] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="16") returned 2 [0120.199] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="81") returned 2 [0120.199] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="23") returned 2 [0120.199] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="74") returned 2 [0120.199] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="3D") returned 2 [0120.199] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="AD") returned 2 [0120.199] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="C8") returned 2 [0120.199] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="1C") returned 2 [0120.199] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="5E") returned 2 [0120.199] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="9E") returned 2 [0120.199] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="95") returned 2 [0120.199] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="9F") returned 2 [0120.199] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="92") returned 2 [0120.199] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="A2") returned 2 [0120.199] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="31") returned 2 [0120.199] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="D0") returned 2 [0120.199] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="66") returned 2 [0120.199] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="01") returned 2 [0120.199] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="C0") returned 2 [0120.199] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="00") returned 2 [0120.199] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="D6") returned 2 [0120.199] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="2E") returned 2 [0120.199] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="EC") returned 2 [0120.199] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="4E") returned 2 [0120.199] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="01") returned 2 [0120.199] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="27") returned 2 [0120.207] lstrcpyW (in: lpString1=0x3d2108c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\messages.json" [0120.207] lstrcpyW (in: lpString1=0x3d1108c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\messages.json" [0120.207] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\messages.json", lpString2=".79D3A98CBF7B168123743DADC81C5E9E959F92A231D06601C000D62EEC4E0127" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\messages.json.79D3A98CBF7B168123743DADC81C5E9E959F92A231D06601C000D62EEC4E0127") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\messages.json.79D3A98CBF7B168123743DADC81C5E9E959F92A231D06601C000D62EEC4E0127" [0120.207] CreateIoCompletionPort (FileHandle=0x1c4, ExistingCompletionPort=0x94, CompletionKey=0x3d11058, NumberOfConcurrentThreads=0x0) returned 0x94 [0120.207] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3d11058, lpOverlapped=0x3d11058) returned 1 [0120.207] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8286d760, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8286d760, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab4f50, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x315, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0120.208] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0120.208] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\PUSSY.TXT") returned 155 [0120.208] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0120.208] lstrlenA (lpString="abcd") returned 4 [0120.208] WriteFile (in: hFile=0x1b4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0120.209] CloseHandle (hObject=0x1b4) returned 1 [0120.209] GetProcessHeap () returned 0x4c0000 [0120.209] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.210] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82872580, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82874c90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82874c90, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="vi", cAlternateFileName="")) returned 1 [0120.210] lstrcmpiW (lpString1="vi", lpString2="Windows") returned -1 [0120.210] lstrcmpiW (lpString1="vi", lpString2="Program Files") returned 1 [0120.210] lstrcmpiW (lpString1="vi", lpString2="Program Files (x86)") returned 1 [0120.210] lstrcmpiW (lpString1="vi", lpString2="$Recycle.bin") returned 1 [0120.210] lstrcmpiW (lpString1="vi", lpString2="System Volume Information") returned 1 [0120.210] lstrcmpiW (lpString1="vi", lpString2=".") returned 1 [0120.210] lstrcmpiW (lpString1="vi", lpString2="..") returned 1 [0120.210] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi") returned 145 [0120.210] GetProcessHeap () returned 0x4c0000 [0120.210] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0120.210] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi" [0120.210] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\*" [0120.210] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82872580, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82874c90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82874c90, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0120.210] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.210] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.210] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.210] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.210] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.210] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.210] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82872580, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82874c90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82874c90, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.210] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.210] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.210] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.211] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.211] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.211] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.211] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.211] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82874c90, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82874c90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab4f50, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x2d0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0120.211] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0120.211] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0120.211] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0120.211] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0120.211] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0120.211] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0120.211] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0120.211] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\messages.json") returned 159 [0120.211] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0120.211] PathFindExtensionW (pszPath="messages.json") returned=".json" [0120.211] lstrlenW (lpString=".json") returned 5 [0120.211] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0120.211] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0120.212] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=720) returned 1 [0120.212] GetProcessHeap () returned 0x4c0000 [0120.212] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b380a0 [0120.223] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="5F") returned 2 [0120.223] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="CF") returned 2 [0120.223] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="63") returned 2 [0120.224] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="61") returned 2 [0120.224] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="1F") returned 2 [0120.224] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="3E") returned 2 [0120.224] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="51") returned 2 [0120.224] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="2D") returned 2 [0120.224] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="EC") returned 2 [0120.224] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="CA") returned 2 [0120.224] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="5F") returned 2 [0120.224] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="2B") returned 2 [0120.224] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="0E") returned 2 [0120.224] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="DB") returned 2 [0120.224] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="88") returned 2 [0120.224] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="8F") returned 2 [0120.224] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="3E") returned 2 [0120.224] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="5A") returned 2 [0120.224] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="E7") returned 2 [0120.224] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="70") returned 2 [0120.224] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="19") returned 2 [0120.224] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="70") returned 2 [0120.224] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="19") returned 2 [0120.224] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="D4") returned 2 [0120.224] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="27") returned 2 [0120.224] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="3E") returned 2 [0120.224] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="EA") returned 2 [0120.224] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="74") returned 2 [0120.225] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="37") returned 2 [0120.225] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="DC") returned 2 [0120.225] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="9E") returned 2 [0120.225] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="06") returned 2 [0120.233] lstrcpyW (in: lpString1=0x3b480d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\messages.json" [0120.233] lstrcpyW (in: lpString1=0x3b380d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\messages.json" [0120.233] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\messages.json", lpString2=".5FCF63611F3E512DECCA5F2B0EDB888F3E5AE770197019D4273EEA7437DC9E06" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\messages.json.5FCF63611F3E512DECCA5F2B0EDB888F3E5AE770197019D4273EEA7437DC9E06") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\messages.json.5FCF63611F3E512DECCA5F2B0EDB888F3E5AE770197019D4273EEA7437DC9E06" [0120.233] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x3b380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0120.234] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b380a0, lpOverlapped=0x3b380a0) returned 1 [0120.234] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82874c90, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82874c90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab4f50, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x2d0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0120.234] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0120.234] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\PUSSY.TXT") returned 155 [0120.234] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0120.235] lstrlenA (lpString="abcd") returned 4 [0120.235] WriteFile (in: hFile=0x1b4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0120.236] CloseHandle (hObject=0x1b4) returned 1 [0120.236] GetProcessHeap () returned 0x4c0000 [0120.236] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.236] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82879ab0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8287e8d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8287e8d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="zh_CN", cAlternateFileName="")) returned 1 [0120.236] lstrcmpiW (lpString1="zh_CN", lpString2="Windows") returned 1 [0120.236] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files") returned 1 [0120.236] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files (x86)") returned 1 [0120.236] lstrcmpiW (lpString1="zh_CN", lpString2="$Recycle.bin") returned 1 [0120.236] lstrcmpiW (lpString1="zh_CN", lpString2="System Volume Information") returned 1 [0120.236] lstrcmpiW (lpString1="zh_CN", lpString2=".") returned 1 [0120.236] lstrcmpiW (lpString1="zh_CN", lpString2="..") returned 1 [0120.236] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN") returned 148 [0120.236] GetProcessHeap () returned 0x4c0000 [0120.236] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0120.236] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN" [0120.237] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\*" [0120.237] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82879ab0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8287e8d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8287e8d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0120.237] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.237] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.237] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.237] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.237] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.237] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.237] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82879ab0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8287e8d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8287e8d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.237] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.237] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.237] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.237] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.237] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.237] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.237] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.237] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8287e8d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8287e8d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab4f50, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x253, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0120.237] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0120.237] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0120.237] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0120.237] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0120.237] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0120.237] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0120.238] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0120.238] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\messages.json") returned 162 [0120.238] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0120.238] PathFindExtensionW (pszPath="messages.json") returned=".json" [0120.238] lstrlenW (lpString=".json") returned 5 [0120.238] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0120.238] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_cn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1c0 [0120.238] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=595) returned 1 [0120.238] GetProcessHeap () returned 0x4c0000 [0120.238] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b600f0 [0120.251] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="E0") returned 2 [0120.251] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="B5") returned 2 [0120.251] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="D4") returned 2 [0120.251] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="55") returned 2 [0120.251] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="99") returned 2 [0120.251] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="01") returned 2 [0120.252] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="A4") returned 2 [0120.252] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="A8") returned 2 [0120.252] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="F6") returned 2 [0120.252] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="8E") returned 2 [0120.252] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="E7") returned 2 [0120.252] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="6E") returned 2 [0120.252] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="0E") returned 2 [0120.252] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="6D") returned 2 [0120.252] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="98") returned 2 [0120.252] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="B1") returned 2 [0120.252] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="88") returned 2 [0120.252] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="40") returned 2 [0120.252] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="1E") returned 2 [0120.252] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="29") returned 2 [0120.252] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="0C") returned 2 [0120.252] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="3B") returned 2 [0120.252] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="33") returned 2 [0120.252] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="AD") returned 2 [0120.252] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="0C") returned 2 [0120.252] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="1E") returned 2 [0120.252] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="2F") returned 2 [0120.252] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="E5") returned 2 [0120.252] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="37") returned 2 [0120.252] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="08") returned 2 [0120.252] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="07") returned 2 [0120.252] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="52") returned 2 [0120.261] lstrcpyW (in: lpString1=0x3b70124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\messages.json" [0120.261] lstrcpyW (in: lpString1=0x3b60124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\messages.json" [0120.261] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\messages.json", lpString2=".E0B5D4559901A4A8F68EE76E0E6D98B188401E290C3B33AD0C1E2FE537080752" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\messages.json.E0B5D4559901A4A8F68EE76E0E6D98B188401E290C3B33AD0C1E2FE537080752") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\messages.json.E0B5D4559901A4A8F68EE76E0E6D98B188401E290C3B33AD0C1E2FE537080752" [0120.261] CreateIoCompletionPort (FileHandle=0x1c0, ExistingCompletionPort=0x94, CompletionKey=0x3b600f0, NumberOfConcurrentThreads=0x0) returned 0x94 [0120.261] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b600f0, lpOverlapped=0x3b600f0) returned 1 [0120.262] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8287e8d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8287e8d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab4f50, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x253, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0120.262] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0120.262] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\PUSSY.TXT") returned 158 [0120.262] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_cn\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0120.299] lstrlenA (lpString="abcd") returned 4 [0120.299] WriteFile (in: hFile=0x1b4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0120.300] CloseHandle (hObject=0x1b4) returned 1 [0120.300] GetProcessHeap () returned 0x4c0000 [0120.300] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.305] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x828836f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82885e00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82885e00, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="zh_TW", cAlternateFileName="")) returned 1 [0120.305] lstrcmpiW (lpString1="zh_TW", lpString2="Windows") returned 1 [0120.305] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files") returned 1 [0120.305] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files (x86)") returned 1 [0120.305] lstrcmpiW (lpString1="zh_TW", lpString2="$Recycle.bin") returned 1 [0120.305] lstrcmpiW (lpString1="zh_TW", lpString2="System Volume Information") returned 1 [0120.305] lstrcmpiW (lpString1="zh_TW", lpString2=".") returned 1 [0120.305] lstrcmpiW (lpString1="zh_TW", lpString2="..") returned 1 [0120.305] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW") returned 148 [0120.305] GetProcessHeap () returned 0x4c0000 [0120.305] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0120.306] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW" [0120.306] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\*" [0120.306] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x828836f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82885e00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82885e00, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0120.306] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.307] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.307] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.307] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.307] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.307] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.307] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x828836f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82885e00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82885e00, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.307] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.307] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.307] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.307] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.307] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.307] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.307] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.307] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82885e00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82885e00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab4f50, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x280, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0120.307] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0120.307] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0120.307] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0120.307] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0120.307] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0120.307] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0120.307] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0120.307] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\messages.json") returned 162 [0120.307] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0120.307] PathFindExtensionW (pszPath="messages.json") returned=".json" [0120.307] lstrlenW (lpString=".json") returned 5 [0120.308] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0120.308] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_tw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0120.308] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=640) returned 1 [0120.308] GetProcessHeap () returned 0x4c0000 [0120.308] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3ce9008 [0120.323] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="D1") returned 2 [0120.323] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="02") returned 2 [0120.323] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="17") returned 2 [0120.323] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="FC") returned 2 [0120.323] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="9A") returned 2 [0120.323] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="C4") returned 2 [0120.323] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="36") returned 2 [0120.323] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="A0") returned 2 [0120.323] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="53") returned 2 [0120.324] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="06") returned 2 [0120.324] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="EE") returned 2 [0120.324] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="58") returned 2 [0120.324] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="56") returned 2 [0120.324] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="8D") returned 2 [0120.324] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="E3") returned 2 [0120.324] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="31") returned 2 [0120.324] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="22") returned 2 [0120.324] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="B3") returned 2 [0120.324] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="9A") returned 2 [0120.324] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="80") returned 2 [0120.324] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="95") returned 2 [0120.324] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="20") returned 2 [0120.324] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="F4") returned 2 [0120.324] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="3F") returned 2 [0120.324] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="83") returned 2 [0120.324] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="36") returned 2 [0120.324] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="AA") returned 2 [0120.324] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="45") returned 2 [0120.324] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="B3") returned 2 [0120.324] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="AF") returned 2 [0120.324] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="25") returned 2 [0120.324] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="20") returned 2 [0120.340] lstrcpyW (in: lpString1=0x3cf903c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\messages.json" [0120.340] lstrcpyW (in: lpString1=0x3ce903c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\messages.json" [0120.340] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\messages.json", lpString2=".D10217FC9AC436A05306EE58568DE33122B39A809520F43F8336AA45B3AF2520" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\messages.json.D10217FC9AC436A05306EE58568DE33122B39A809520F43F8336AA45B3AF2520") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\messages.json.D10217FC9AC436A05306EE58568DE33122B39A809520F43F8336AA45B3AF2520" [0120.340] CreateIoCompletionPort (FileHandle=0x16c, ExistingCompletionPort=0x94, CompletionKey=0x3ce9008, NumberOfConcurrentThreads=0x0) returned 0x94 [0120.340] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3ce9008, lpOverlapped=0x3ce9008) returned 1 [0120.340] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82885e00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82885e00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82ab4f50, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x280, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0120.340] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0120.341] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\PUSSY.TXT") returned 158 [0120.341] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_tw\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0120.342] lstrlenA (lpString="abcd") returned 4 [0120.342] WriteFile (in: hFile=0x1b4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0120.343] CloseHandle (hObject=0x1b4) returned 1 [0120.343] GetProcessHeap () returned 0x4c0000 [0120.343] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.343] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x828836f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82885e00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82885e00, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="zh_TW", cAlternateFileName="")) returned 0 [0120.343] FindClose (in: hFindFile=0x3bb71e0 | out: hFindFile=0x3bb71e0) returned 1 [0120.344] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\PUSSY.TXT") returned 152 [0120.344] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x114 [0120.345] lstrlenA (lpString="abcd") returned 4 [0120.345] WriteFile (in: hFile=0x114, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2899ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x2899ac*=0x4, lpOverlapped=0x0) returned 1 [0120.346] CloseHandle (hObject=0x114) returned 1 [0120.346] GetProcessHeap () returned 0x4c0000 [0120.346] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0120.348] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x828e7880, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x828e9f90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x828e9f90, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="_metadata", cAlternateFileName="_METAD~1")) returned 1 [0120.348] lstrcmpiW (lpString1="_metadata", lpString2="Windows") returned -1 [0120.348] lstrcmpiW (lpString1="_metadata", lpString2="Program Files") returned -1 [0120.348] lstrcmpiW (lpString1="_metadata", lpString2="Program Files (x86)") returned -1 [0120.348] lstrcmpiW (lpString1="_metadata", lpString2="$Recycle.bin") returned 1 [0120.348] lstrcmpiW (lpString1="_metadata", lpString2="System Volume Information") returned -1 [0120.349] lstrcmpiW (lpString1="_metadata", lpString2=".") returned 1 [0120.349] lstrcmpiW (lpString1="_metadata", lpString2="..") returned 1 [0120.349] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata") returned 143 [0120.349] GetProcessHeap () returned 0x4c0000 [0120.349] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0120.349] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata" [0120.349] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\*" [0120.349] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\*", lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x828e7880, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x828e9f90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x828e9f90, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb71e0 [0120.350] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.350] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.350] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.350] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.350] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.350] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.350] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x828e7880, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x828e9f90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x828e9f90, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0120.350] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.350] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.350] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.350] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.350] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.350] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.350] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.350] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x828e9f90, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x828e9f90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xb7bfbc00, ftLastWriteTime.dwHighDateTime=0x1d297b0, nFileSizeHigh=0x0, nFileSizeLow=0x2dfa, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="verified_contents.json", cAlternateFileName="VERIFI~1.JSO")) returned 1 [0120.350] lstrcmpiW (lpString1="verified_contents.json", lpString2="Windows") returned -1 [0120.350] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files") returned 1 [0120.350] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files (x86)") returned 1 [0120.351] lstrcmpiW (lpString1="verified_contents.json", lpString2="$Recycle.bin") returned 1 [0120.351] lstrcmpiW (lpString1="verified_contents.json", lpString2="System Volume Information") returned 1 [0120.351] lstrcmpiW (lpString1="verified_contents.json", lpString2=".") returned 1 [0120.351] lstrcmpiW (lpString1="verified_contents.json", lpString2="..") returned 1 [0120.351] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\verified_contents.json") returned 166 [0120.351] lstrcmpW (lpString1="verified_contents.json", lpString2="PUSSY.TXT") returned 1 [0120.351] PathFindExtensionW (pszPath="verified_contents.json") returned=".json" [0120.351] lstrlenW (lpString=".json") returned 5 [0120.351] SystemFunction036 (in: RandomBuffer=0x289644, RandomBufferLength=0x20 | out: RandomBuffer=0x289644) returned 1 [0120.351] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\verified_contents.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b4 [0120.352] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x289638 | out: lpFileSize=0x289638*=11770) returned 1 [0120.352] GetProcessHeap () returned 0x4c0000 [0120.352] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b88140 [0120.365] wsprintfW (in: param_1=0x289686, param_2="%02X" | out: param_1="54") returned 2 [0120.365] wsprintfW (in: param_1=0x28968a, param_2="%02X" | out: param_1="58") returned 2 [0120.365] wsprintfW (in: param_1=0x28968e, param_2="%02X" | out: param_1="82") returned 2 [0120.365] wsprintfW (in: param_1=0x289692, param_2="%02X" | out: param_1="CE") returned 2 [0120.365] wsprintfW (in: param_1=0x289696, param_2="%02X" | out: param_1="48") returned 2 [0120.365] wsprintfW (in: param_1=0x28969a, param_2="%02X" | out: param_1="D4") returned 2 [0120.365] wsprintfW (in: param_1=0x28969e, param_2="%02X" | out: param_1="87") returned 2 [0120.365] wsprintfW (in: param_1=0x2896a2, param_2="%02X" | out: param_1="AF") returned 2 [0120.365] wsprintfW (in: param_1=0x2896a6, param_2="%02X" | out: param_1="F2") returned 2 [0120.365] wsprintfW (in: param_1=0x2896aa, param_2="%02X" | out: param_1="54") returned 2 [0120.365] wsprintfW (in: param_1=0x2896ae, param_2="%02X" | out: param_1="3F") returned 2 [0120.365] wsprintfW (in: param_1=0x2896b2, param_2="%02X" | out: param_1="76") returned 2 [0120.365] wsprintfW (in: param_1=0x2896b6, param_2="%02X" | out: param_1="AB") returned 2 [0120.365] wsprintfW (in: param_1=0x2896ba, param_2="%02X" | out: param_1="03") returned 2 [0120.366] wsprintfW (in: param_1=0x2896be, param_2="%02X" | out: param_1="31") returned 2 [0120.366] wsprintfW (in: param_1=0x2896c2, param_2="%02X" | out: param_1="6D") returned 2 [0120.366] wsprintfW (in: param_1=0x2896c6, param_2="%02X" | out: param_1="5C") returned 2 [0120.366] wsprintfW (in: param_1=0x2896ca, param_2="%02X" | out: param_1="F2") returned 2 [0120.366] wsprintfW (in: param_1=0x2896ce, param_2="%02X" | out: param_1="11") returned 2 [0120.366] wsprintfW (in: param_1=0x2896d2, param_2="%02X" | out: param_1="D3") returned 2 [0120.366] wsprintfW (in: param_1=0x2896d6, param_2="%02X" | out: param_1="40") returned 2 [0120.366] wsprintfW (in: param_1=0x2896da, param_2="%02X" | out: param_1="78") returned 2 [0120.366] wsprintfW (in: param_1=0x2896de, param_2="%02X" | out: param_1="E5") returned 2 [0120.366] wsprintfW (in: param_1=0x2896e2, param_2="%02X" | out: param_1="80") returned 2 [0120.366] wsprintfW (in: param_1=0x2896e6, param_2="%02X" | out: param_1="85") returned 2 [0120.366] wsprintfW (in: param_1=0x2896ea, param_2="%02X" | out: param_1="F5") returned 2 [0120.366] wsprintfW (in: param_1=0x2896ee, param_2="%02X" | out: param_1="42") returned 2 [0120.366] wsprintfW (in: param_1=0x2896f2, param_2="%02X" | out: param_1="87") returned 2 [0120.366] wsprintfW (in: param_1=0x2896f6, param_2="%02X" | out: param_1="FF") returned 2 [0120.366] wsprintfW (in: param_1=0x2896fa, param_2="%02X" | out: param_1="59") returned 2 [0120.366] wsprintfW (in: param_1=0x2896fe, param_2="%02X" | out: param_1="1D") returned 2 [0120.366] wsprintfW (in: param_1=0x289702, param_2="%02X" | out: param_1="3F") returned 2 [0120.379] lstrcpyW (in: lpString1=0x3b98174, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\verified_contents.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\verified_contents.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\verified_contents.json" [0120.379] lstrcpyW (in: lpString1=0x3b88174, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\verified_contents.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\verified_contents.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\verified_contents.json" [0120.379] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\verified_contents.json", lpString2=".545882CE48D487AFF2543F76AB03316D5CF211D34078E58085F54287FF591D3F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\verified_contents.json.545882CE48D487AFF2543F76AB03316D5CF211D34078E58085F54287FF591D3F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\verified_contents.json.545882CE48D487AFF2543F76AB03316D5CF211D34078E58085F54287FF591D3F" [0120.379] CreateIoCompletionPort (FileHandle=0x1b4, ExistingCompletionPort=0x94, CompletionKey=0x3b88140, NumberOfConcurrentThreads=0x0) returned 0x94 [0120.379] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b88140, lpOverlapped=0x3b88140) returned 1 [0120.379] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x828e9f90, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x828e9f90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xb7bfbc00, ftLastWriteTime.dwHighDateTime=0x1d297b0, nFileSizeHigh=0x0, nFileSizeLow=0x2dfa, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="verified_contents.json", cAlternateFileName="VERIFI~1.JSO")) returned 0 [0120.379] FindClose (in: hFindFile=0x3bb71e0 | out: hFindFile=0x3bb71e0) returned 1 [0120.380] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\PUSSY.TXT") returned 153 [0120.380] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x114 [0120.381] lstrlenA (lpString="abcd") returned 4 [0120.381] WriteFile (in: hFile=0x114, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2899ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x2899ac*=0x4, lpOverlapped=0x0) returned 1 [0120.382] CloseHandle (hObject=0x114) returned 1 [0120.382] GetProcessHeap () returned 0x4c0000 [0120.382] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0120.382] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x828e7880, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x828e9f90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x828e9f90, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="_metadata", cAlternateFileName="_METAD~1")) returned 0 [0120.382] FindClose (in: hFindFile=0x3bb71a0 | out: hFindFile=0x3bb71a0) returned 1 [0120.382] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\PUSSY.TXT") returned 143 [0120.382] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0120.411] lstrlenA (lpString="abcd") returned 4 [0120.411] WriteFile (in: hFile=0x178, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a14c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a14c*=0x4, lpOverlapped=0x0) returned 1 [0120.412] CloseHandle (hObject=0x178) returned 1 [0120.412] GetProcessHeap () returned 0x4c0000 [0120.412] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0120.413] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82651e90, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x828e7880, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x828e7880, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="1.0.0.2_0", cAlternateFileName="100~1.2_0")) returned 0 [0120.413] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0120.413] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\PUSSY.TXT") returned 133 [0120.413] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0120.414] lstrlenA (lpString="abcd") returned 4 [0120.414] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a8ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a8ec*=0x4, lpOverlapped=0x0) returned 1 [0120.415] CloseHandle (hObject=0x18c) returned 1 [0120.415] GetProcessHeap () returned 0x4c0000 [0120.415] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bd80e8 | out: hHeap=0x4c0000) returned 1 [0120.415] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x814d6d00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x9174a630, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x9174a630, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="pjkljhegncpnkpknbcohdijeoejaedia", cAlternateFileName="PJKLJH~1")) returned 1 [0120.415] lstrcmpiW (lpString1="pjkljhegncpnkpknbcohdijeoejaedia", lpString2="Windows") returned -1 [0120.415] lstrcmpiW (lpString1="pjkljhegncpnkpknbcohdijeoejaedia", lpString2="Program Files") returned -1 [0120.415] lstrcmpiW (lpString1="pjkljhegncpnkpknbcohdijeoejaedia", lpString2="Program Files (x86)") returned -1 [0120.416] lstrcmpiW (lpString1="pjkljhegncpnkpknbcohdijeoejaedia", lpString2="$Recycle.bin") returned 1 [0120.416] lstrcmpiW (lpString1="pjkljhegncpnkpknbcohdijeoejaedia", lpString2="System Volume Information") returned -1 [0120.416] lstrcmpiW (lpString1="pjkljhegncpnkpknbcohdijeoejaedia", lpString2=".") returned 1 [0120.416] lstrcmpiW (lpString1="pjkljhegncpnkpknbcohdijeoejaedia", lpString2="..") returned 1 [0120.416] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia") returned 123 [0120.416] GetProcessHeap () returned 0x4c0000 [0120.416] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bd80e8 [0120.416] lstrcpyW (in: lpString1=0x3bd80e8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia" [0120.416] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\*" [0120.416] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\*", lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x814d6d00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x9174a630, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x9174a630, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0120.416] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.416] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.416] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.417] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.417] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.417] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.417] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x814d6d00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x9174a630, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x9174a630, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0120.417] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.417] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.417] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.417] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.417] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.417] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.417] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.417] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86989eb0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86d1bfb0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="8.1_0", cAlternateFileName="")) returned 1 [0120.417] lstrcmpiW (lpString1="8.1_0", lpString2="Windows") returned -1 [0120.417] lstrcmpiW (lpString1="8.1_0", lpString2="Program Files") returned -1 [0120.417] lstrcmpiW (lpString1="8.1_0", lpString2="Program Files (x86)") returned -1 [0120.417] lstrcmpiW (lpString1="8.1_0", lpString2="$Recycle.bin") returned 1 [0120.417] lstrcmpiW (lpString1="8.1_0", lpString2="System Volume Information") returned -1 [0120.417] lstrcmpiW (lpString1="8.1_0", lpString2=".") returned 1 [0120.417] lstrcmpiW (lpString1="8.1_0", lpString2="..") returned 1 [0120.417] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0") returned 129 [0120.417] GetProcessHeap () returned 0x4c0000 [0120.417] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x502a88 [0120.418] lstrcpyW (in: lpString1=0x502a88, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0" [0120.418] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\*" [0120.418] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\*", lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86989eb0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86d1bfb0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb71a0 [0120.441] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.441] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.442] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.442] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.442] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.442] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.442] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86989eb0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86d1bfb0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.442] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.442] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.442] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.442] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.442] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.442] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.442] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.442] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x869b0010, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86d1bfb0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x180f, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="128.png", cAlternateFileName="")) returned 1 [0120.442] lstrcmpiW (lpString1="128.png", lpString2="Windows") returned -1 [0120.442] lstrcmpiW (lpString1="128.png", lpString2="Program Files") returned -1 [0120.442] lstrcmpiW (lpString1="128.png", lpString2="Program Files (x86)") returned -1 [0120.442] lstrcmpiW (lpString1="128.png", lpString2="$Recycle.bin") returned 1 [0120.443] lstrcmpiW (lpString1="128.png", lpString2="System Volume Information") returned -1 [0120.443] lstrcmpiW (lpString1="128.png", lpString2=".") returned 1 [0120.443] lstrcmpiW (lpString1="128.png", lpString2="..") returned 1 [0120.443] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png") returned 137 [0120.443] lstrcmpW (lpString1="128.png", lpString2="PUSSY.TXT") returned -1 [0120.443] PathFindExtensionW (pszPath="128.png") returned=".png" [0120.443] lstrlenW (lpString=".png") returned 4 [0120.443] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0120.443] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0120.459] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=6159) returned 1 [0120.460] GetProcessHeap () returned 0x4c0000 [0120.460] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c20058 [0120.474] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="A4") returned 2 [0120.474] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="2F") returned 2 [0120.474] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="EF") returned 2 [0120.474] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="02") returned 2 [0120.474] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="E4") returned 2 [0120.474] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="F2") returned 2 [0120.474] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="CB") returned 2 [0120.474] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="91") returned 2 [0120.474] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="78") returned 2 [0120.474] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="87") returned 2 [0120.474] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="6F") returned 2 [0120.474] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="4A") returned 2 [0120.474] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="F1") returned 2 [0120.474] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="F2") returned 2 [0120.474] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="A0") returned 2 [0120.474] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="AD") returned 2 [0120.474] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="B6") returned 2 [0120.474] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="F1") returned 2 [0120.474] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="00") returned 2 [0120.474] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="80") returned 2 [0120.475] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="32") returned 2 [0120.475] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="A9") returned 2 [0120.475] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="A2") returned 2 [0120.475] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="B6") returned 2 [0120.475] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="28") returned 2 [0120.475] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="6F") returned 2 [0120.475] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="89") returned 2 [0120.475] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="F3") returned 2 [0120.475] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="A0") returned 2 [0120.475] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="62") returned 2 [0120.475] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="EE") returned 2 [0120.475] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="4D") returned 2 [0120.487] lstrcpyW (in: lpString1=0x3c3008c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png" [0120.487] lstrcpyW (in: lpString1=0x3c2008c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png" [0120.487] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png", lpString2=".A42FEF02E4F2CB9178876F4AF1F2A0ADB6F1008032A9A2B6286F89F3A062EE4D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png.A42FEF02E4F2CB9178876F4AF1F2A0ADB6F1008032A9A2B6286F89F3A062EE4D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png.A42FEF02E4F2CB9178876F4AF1F2A0ADB6F1008032A9A2B6286F89F3A062EE4D" [0120.487] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x3c20058, NumberOfConcurrentThreads=0x0) returned 0x94 [0120.487] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c20058, lpOverlapped=0x3c20058) returned 1 [0120.487] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86989eb0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x869b0fb0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x310, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="manifest.json", cAlternateFileName="MANIFE~1.JSO")) returned 1 [0120.487] lstrcmpiW (lpString1="manifest.json", lpString2="Windows") returned -1 [0120.487] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files") returned -1 [0120.487] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files (x86)") returned -1 [0120.487] lstrcmpiW (lpString1="manifest.json", lpString2="$Recycle.bin") returned 1 [0120.487] lstrcmpiW (lpString1="manifest.json", lpString2="System Volume Information") returned -1 [0120.487] lstrcmpiW (lpString1="manifest.json", lpString2=".") returned 1 [0120.487] lstrcmpiW (lpString1="manifest.json", lpString2="..") returned 1 [0120.487] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\manifest.json") returned 143 [0120.487] lstrcmpW (lpString1="manifest.json", lpString2="PUSSY.TXT") returned -1 [0120.487] PathFindExtensionW (pszPath="manifest.json") returned=".json" [0120.487] lstrlenW (lpString=".json") returned 5 [0120.488] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0120.488] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\manifest.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0120.488] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=784) returned 1 [0120.488] GetProcessHeap () returned 0x4c0000 [0120.488] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c480a8 [0120.502] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="8E") returned 2 [0120.502] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="AA") returned 2 [0120.502] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="27") returned 2 [0120.502] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="DA") returned 2 [0120.502] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="89") returned 2 [0120.502] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="FE") returned 2 [0120.502] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="4B") returned 2 [0120.502] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="E9") returned 2 [0120.502] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="17") returned 2 [0120.502] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="D7") returned 2 [0120.503] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="8D") returned 2 [0120.503] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="D6") returned 2 [0120.503] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="A2") returned 2 [0120.503] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="34") returned 2 [0120.503] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="71") returned 2 [0120.503] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="51") returned 2 [0120.503] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="73") returned 2 [0120.503] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="E1") returned 2 [0120.503] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="2C") returned 2 [0120.503] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="04") returned 2 [0120.503] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="5B") returned 2 [0120.503] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="C1") returned 2 [0120.503] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="62") returned 2 [0120.503] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="49") returned 2 [0120.503] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="A4") returned 2 [0120.503] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="6C") returned 2 [0120.503] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="87") returned 2 [0120.503] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="7D") returned 2 [0120.503] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="F6") returned 2 [0120.503] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="2C") returned 2 [0120.503] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="F3") returned 2 [0120.503] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="76") returned 2 [0120.517] lstrcpyW (in: lpString1=0x3c580dc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\manifest.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\manifest.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\manifest.json" [0120.517] lstrcpyW (in: lpString1=0x3c480dc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\manifest.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\manifest.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\manifest.json" [0120.517] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\manifest.json", lpString2=".8EAA27DA89FE4BE917D78DD6A234715173E12C045BC16249A46C877DF62CF376" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\manifest.json.8EAA27DA89FE4BE917D78DD6A234715173E12C045BC16249A46C877DF62CF376") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\manifest.json.8EAA27DA89FE4BE917D78DD6A234715173E12C045BC16249A46C877DF62CF376" [0120.517] CreateIoCompletionPort (FileHandle=0x16c, ExistingCompletionPort=0x94, CompletionKey=0x3c480a8, NumberOfConcurrentThreads=0x0) returned 0x94 [0120.517] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c480a8, lpOverlapped=0x3c480a8) returned 1 [0120.518] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869b0010, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a22430, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a22430, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="_locales", cAlternateFileName="")) returned 1 [0120.518] lstrcmpiW (lpString1="_locales", lpString2="Windows") returned -1 [0120.518] lstrcmpiW (lpString1="_locales", lpString2="Program Files") returned -1 [0120.518] lstrcmpiW (lpString1="_locales", lpString2="Program Files (x86)") returned -1 [0120.518] lstrcmpiW (lpString1="_locales", lpString2="$Recycle.bin") returned 1 [0120.518] lstrcmpiW (lpString1="_locales", lpString2="System Volume Information") returned -1 [0120.518] lstrcmpiW (lpString1="_locales", lpString2=".") returned 1 [0120.518] lstrcmpiW (lpString1="_locales", lpString2="..") returned 1 [0120.518] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales") returned 138 [0120.518] GetProcessHeap () returned 0x4c0000 [0120.518] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0120.519] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales" [0120.519] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\*" [0120.519] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\*", lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869b0010, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a22430, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a22430, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb71e0 [0120.522] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.522] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.522] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.522] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.522] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.535] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.535] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869b0010, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a22430, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a22430, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0120.535] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.535] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.535] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.535] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.535] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.535] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.535] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.535] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86a22430, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86aba9b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86aba9b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ar", cAlternateFileName="")) returned 1 [0120.535] lstrcmpiW (lpString1="ar", lpString2="Windows") returned -1 [0120.535] lstrcmpiW (lpString1="ar", lpString2="Program Files") returned -1 [0120.535] lstrcmpiW (lpString1="ar", lpString2="Program Files (x86)") returned -1 [0120.535] lstrcmpiW (lpString1="ar", lpString2="$Recycle.bin") returned 1 [0120.535] lstrcmpiW (lpString1="ar", lpString2="System Volume Information") returned -1 [0120.535] lstrcmpiW (lpString1="ar", lpString2=".") returned 1 [0120.535] lstrcmpiW (lpString1="ar", lpString2="..") returned 1 [0120.535] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar") returned 141 [0120.536] GetProcessHeap () returned 0x4c0000 [0120.536] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53caf0 [0120.538] lstrcpyW (in: lpString1=0x53caf0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar" [0120.538] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\*" [0120.538] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86a22430, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86aba9b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86aba9b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0120.578] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.579] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.579] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.579] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.579] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.579] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.579] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86a22430, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86aba9b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86aba9b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.579] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.579] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.579] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.579] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.579] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.579] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.579] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.579] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86aba9b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86abb180, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x138, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0120.579] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0120.579] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0120.579] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0120.580] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0120.580] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0120.580] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0120.580] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0120.580] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\messages.json") returned 155 [0120.580] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0120.580] PathFindExtensionW (pszPath="messages.json") returned=".json" [0120.580] lstrlenW (lpString=".json") returned 5 [0120.580] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0120.580] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0120.583] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=312) returned 1 [0120.583] CloseHandle (hObject=0x16c) returned 1 [0120.583] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86aba9b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86abb180, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x138, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0120.583] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0120.585] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\PUSSY.TXT") returned 151 [0120.585] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0120.586] lstrlenA (lpString="abcd") returned 4 [0120.587] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0120.588] CloseHandle (hObject=0x184) returned 1 [0120.588] GetProcessHeap () returned 0x4c0000 [0120.588] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0120.589] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86a22430, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86aba9b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86aba9b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="bg", cAlternateFileName="")) returned 1 [0120.589] lstrcmpiW (lpString1="bg", lpString2="Windows") returned -1 [0120.589] lstrcmpiW (lpString1="bg", lpString2="Program Files") returned -1 [0120.589] lstrcmpiW (lpString1="bg", lpString2="Program Files (x86)") returned -1 [0120.589] lstrcmpiW (lpString1="bg", lpString2="$Recycle.bin") returned 1 [0120.589] lstrcmpiW (lpString1="bg", lpString2="System Volume Information") returned -1 [0120.589] lstrcmpiW (lpString1="bg", lpString2=".") returned 1 [0120.589] lstrcmpiW (lpString1="bg", lpString2="..") returned 1 [0120.589] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg") returned 141 [0120.589] GetProcessHeap () returned 0x4c0000 [0120.589] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0120.591] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg" [0120.591] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\*" [0120.591] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86a22430, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86aba9b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86aba9b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0120.591] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.591] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.591] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.591] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.591] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.591] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.591] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86a22430, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86aba9b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86aba9b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.592] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.592] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.592] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.592] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.592] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.592] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.592] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.592] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86aba9b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86abb180, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x124, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0120.592] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0120.592] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0120.592] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0120.592] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0120.592] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0120.592] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0120.592] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0120.592] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\messages.json") returned 155 [0120.592] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0120.592] PathFindExtensionW (pszPath="messages.json") returned=".json" [0120.592] lstrlenW (lpString=".json") returned 5 [0120.592] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0120.593] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0120.593] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=292) returned 1 [0120.593] CloseHandle (hObject=0x16c) returned 1 [0120.593] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86aba9b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86abb180, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x124, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0120.593] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0120.596] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\PUSSY.TXT") returned 151 [0120.596] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0120.597] lstrlenA (lpString="abcd") returned 4 [0120.597] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0120.598] CloseHandle (hObject=0x184) returned 1 [0120.598] GetProcessHeap () returned 0x4c0000 [0120.598] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.599] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869d6170, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a48590, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a48590, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ca", cAlternateFileName="")) returned 1 [0120.599] lstrcmpiW (lpString1="ca", lpString2="Windows") returned -1 [0120.599] lstrcmpiW (lpString1="ca", lpString2="Program Files") returned -1 [0120.599] lstrcmpiW (lpString1="ca", lpString2="Program Files (x86)") returned -1 [0120.599] lstrcmpiW (lpString1="ca", lpString2="$Recycle.bin") returned 1 [0120.599] lstrcmpiW (lpString1="ca", lpString2="System Volume Information") returned -1 [0120.599] lstrcmpiW (lpString1="ca", lpString2=".") returned 1 [0120.599] lstrcmpiW (lpString1="ca", lpString2="..") returned 1 [0120.599] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca") returned 141 [0120.599] GetProcessHeap () returned 0x4c0000 [0120.599] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0120.600] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca" [0120.600] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\*" [0120.600] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869d6170, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a48590, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a48590, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0120.610] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.610] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.610] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.610] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.610] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.610] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.610] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869d6170, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a48590, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a48590, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.610] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.610] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.610] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.610] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.610] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.610] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.610] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.610] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a48590, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a48590, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xfe, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0120.610] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0120.610] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0120.611] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0120.611] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0120.611] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0120.611] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0120.611] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0120.611] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\messages.json") returned 155 [0120.611] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0120.611] PathFindExtensionW (pszPath="messages.json") returned=".json" [0120.611] lstrlenW (lpString=".json") returned 5 [0120.611] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0120.611] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0120.613] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=254) returned 1 [0120.614] CloseHandle (hObject=0x16c) returned 1 [0120.614] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a48590, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a48590, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xfe, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0120.614] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0120.615] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\PUSSY.TXT") returned 151 [0120.615] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0120.616] lstrlenA (lpString="abcd") returned 4 [0120.616] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0120.617] CloseHandle (hObject=0x184) returned 1 [0120.617] GetProcessHeap () returned 0x4c0000 [0120.617] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.618] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869b0010, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a48590, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a48590, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="cs", cAlternateFileName="")) returned 1 [0120.618] lstrcmpiW (lpString1="cs", lpString2="Windows") returned -1 [0120.618] lstrcmpiW (lpString1="cs", lpString2="Program Files") returned -1 [0120.618] lstrcmpiW (lpString1="cs", lpString2="Program Files (x86)") returned -1 [0120.618] lstrcmpiW (lpString1="cs", lpString2="$Recycle.bin") returned 1 [0120.618] lstrcmpiW (lpString1="cs", lpString2="System Volume Information") returned -1 [0120.618] lstrcmpiW (lpString1="cs", lpString2=".") returned 1 [0120.619] lstrcmpiW (lpString1="cs", lpString2="..") returned 1 [0120.619] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs") returned 141 [0120.619] GetProcessHeap () returned 0x4c0000 [0120.619] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0120.619] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs" [0120.619] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\*" [0120.619] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869b0010, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a48590, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a48590, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0120.630] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.630] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.630] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.630] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.630] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.630] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.630] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869b0010, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a48590, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a48590, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.630] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.631] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.631] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.631] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.631] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.631] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.631] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.631] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a48590, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a48590, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xf9, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0120.631] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0120.631] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0120.631] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0120.631] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0120.631] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0120.631] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0120.631] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0120.631] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\messages.json") returned 155 [0120.631] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0120.631] PathFindExtensionW (pszPath="messages.json") returned=".json" [0120.631] lstrlenW (lpString=".json") returned 5 [0120.631] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0120.631] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0120.633] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=249) returned 1 [0120.633] CloseHandle (hObject=0x16c) returned 1 [0120.634] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a48590, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a48590, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xf9, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0120.634] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0120.635] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\PUSSY.TXT") returned 151 [0120.635] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0120.636] lstrlenA (lpString="abcd") returned 4 [0120.636] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0120.637] CloseHandle (hObject=0x184) returned 1 [0120.637] GetProcessHeap () returned 0x4c0000 [0120.637] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.638] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86a22430, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86aba9b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86aba9b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="da", cAlternateFileName="")) returned 1 [0120.638] lstrcmpiW (lpString1="da", lpString2="Windows") returned -1 [0120.638] lstrcmpiW (lpString1="da", lpString2="Program Files") returned -1 [0120.638] lstrcmpiW (lpString1="da", lpString2="Program Files (x86)") returned -1 [0120.638] lstrcmpiW (lpString1="da", lpString2="$Recycle.bin") returned 1 [0120.638] lstrcmpiW (lpString1="da", lpString2="System Volume Information") returned -1 [0120.638] lstrcmpiW (lpString1="da", lpString2=".") returned 1 [0120.639] lstrcmpiW (lpString1="da", lpString2="..") returned 1 [0120.639] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da") returned 141 [0120.639] GetProcessHeap () returned 0x4c0000 [0120.639] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0120.639] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da" [0120.639] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\*" [0120.639] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86a22430, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86aba9b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86aba9b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0120.644] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.644] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.644] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.644] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.644] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.644] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.645] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86a22430, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86aba9b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86aba9b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.645] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.645] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.645] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.645] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.645] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.645] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.645] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.645] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86aba9b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86abb180, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xec, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0120.645] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0120.645] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0120.645] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0120.645] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0120.645] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0120.645] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0120.645] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0120.645] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\messages.json") returned 155 [0120.646] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0120.646] PathFindExtensionW (pszPath="messages.json") returned=".json" [0120.646] lstrlenW (lpString=".json") returned 5 [0120.646] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0120.646] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0120.661] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=236) returned 1 [0120.661] CloseHandle (hObject=0x16c) returned 1 [0120.662] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86aba9b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86abb180, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xec, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0120.662] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0120.663] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\PUSSY.TXT") returned 151 [0120.663] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0120.664] lstrlenA (lpString="abcd") returned 4 [0120.664] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0120.665] CloseHandle (hObject=0x184) returned 1 [0120.665] GetProcessHeap () returned 0x4c0000 [0120.665] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.666] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869d6170, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a48590, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a48590, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="de", cAlternateFileName="")) returned 1 [0120.666] lstrcmpiW (lpString1="de", lpString2="Windows") returned -1 [0120.666] lstrcmpiW (lpString1="de", lpString2="Program Files") returned -1 [0120.666] lstrcmpiW (lpString1="de", lpString2="Program Files (x86)") returned -1 [0120.666] lstrcmpiW (lpString1="de", lpString2="$Recycle.bin") returned 1 [0120.667] lstrcmpiW (lpString1="de", lpString2="System Volume Information") returned -1 [0120.667] lstrcmpiW (lpString1="de", lpString2=".") returned 1 [0120.667] lstrcmpiW (lpString1="de", lpString2="..") returned 1 [0120.667] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de") returned 141 [0120.667] GetProcessHeap () returned 0x4c0000 [0120.667] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0120.667] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de" [0120.667] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\*" [0120.667] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869d6170, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a48590, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a48590, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0120.668] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.668] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.668] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.668] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.668] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.668] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.668] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869d6170, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a48590, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a48590, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.672] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.672] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.672] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.672] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.672] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.672] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.672] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.672] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a48590, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a48590, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xef, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0120.672] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0120.672] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0120.672] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0120.672] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0120.672] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0120.672] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0120.672] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0120.672] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\messages.json") returned 155 [0120.672] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0120.672] PathFindExtensionW (pszPath="messages.json") returned=".json" [0120.672] lstrlenW (lpString=".json") returned 5 [0120.672] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0120.673] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0120.673] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=239) returned 1 [0120.673] CloseHandle (hObject=0x16c) returned 1 [0120.674] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a48590, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a48590, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xef, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0120.674] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0120.675] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\PUSSY.TXT") returned 151 [0120.675] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0120.676] lstrlenA (lpString="abcd") returned 4 [0120.676] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0120.677] CloseHandle (hObject=0x184) returned 1 [0120.677] GetProcessHeap () returned 0x4c0000 [0120.677] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.678] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869fc2d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6e6f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a6e6f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="el", cAlternateFileName="")) returned 1 [0120.678] lstrcmpiW (lpString1="el", lpString2="Windows") returned -1 [0120.678] lstrcmpiW (lpString1="el", lpString2="Program Files") returned -1 [0120.678] lstrcmpiW (lpString1="el", lpString2="Program Files (x86)") returned -1 [0120.678] lstrcmpiW (lpString1="el", lpString2="$Recycle.bin") returned 1 [0120.678] lstrcmpiW (lpString1="el", lpString2="System Volume Information") returned -1 [0120.678] lstrcmpiW (lpString1="el", lpString2=".") returned 1 [0120.678] lstrcmpiW (lpString1="el", lpString2="..") returned 1 [0120.679] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el") returned 141 [0120.679] GetProcessHeap () returned 0x4c0000 [0120.679] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0120.679] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el" [0120.679] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\*" [0120.679] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869fc2d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6e6f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a6e6f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0120.682] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.682] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.682] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.682] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.682] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.682] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.683] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869fc2d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6e6f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a6e6f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.683] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.683] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.683] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.683] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.683] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.683] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.683] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.683] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a6e6f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6f690, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x14c, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0120.683] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0120.683] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0120.683] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0120.683] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0120.683] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0120.683] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0120.683] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0120.684] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\messages.json") returned 155 [0120.684] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0120.684] PathFindExtensionW (pszPath="messages.json") returned=".json" [0120.684] lstrlenW (lpString=".json") returned 5 [0120.684] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0120.684] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0120.686] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=332) returned 1 [0120.686] CloseHandle (hObject=0x16c) returned 1 [0120.686] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a6e6f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6f690, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x14c, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0120.686] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0120.687] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\PUSSY.TXT") returned 151 [0120.687] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0120.688] lstrlenA (lpString="abcd") returned 4 [0120.688] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0120.689] CloseHandle (hObject=0x184) returned 1 [0120.689] GetProcessHeap () returned 0x4c0000 [0120.689] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.690] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86a22430, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86aba9b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86aba9b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="en", cAlternateFileName="")) returned 1 [0120.690] lstrcmpiW (lpString1="en", lpString2="Windows") returned -1 [0120.690] lstrcmpiW (lpString1="en", lpString2="Program Files") returned -1 [0120.690] lstrcmpiW (lpString1="en", lpString2="Program Files (x86)") returned -1 [0120.690] lstrcmpiW (lpString1="en", lpString2="$Recycle.bin") returned 1 [0120.690] lstrcmpiW (lpString1="en", lpString2="System Volume Information") returned -1 [0120.690] lstrcmpiW (lpString1="en", lpString2=".") returned 1 [0120.690] lstrcmpiW (lpString1="en", lpString2="..") returned 1 [0120.690] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en") returned 141 [0120.690] GetProcessHeap () returned 0x4c0000 [0120.690] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0120.690] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en" [0120.690] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\*" [0120.690] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86a22430, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86aba9b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86aba9b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0120.690] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.691] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.691] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.691] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.691] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.691] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.691] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86a22430, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86aba9b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86aba9b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.691] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.691] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.691] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.691] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.691] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.691] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.691] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.691] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86aba9b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86abb180, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd7, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0120.691] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0120.691] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0120.691] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0120.691] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0120.691] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0120.691] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0120.691] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0120.691] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\messages.json") returned 155 [0120.691] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0120.692] PathFindExtensionW (pszPath="messages.json") returned=".json" [0120.692] lstrlenW (lpString=".json") returned 5 [0120.692] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0120.692] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0120.692] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=215) returned 1 [0120.692] CloseHandle (hObject=0x16c) returned 1 [0120.692] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86aba9b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86abb180, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd7, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0120.693] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0120.694] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\PUSSY.TXT") returned 151 [0120.694] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0120.695] lstrlenA (lpString="abcd") returned 4 [0120.695] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0120.696] CloseHandle (hObject=0x184) returned 1 [0120.696] GetProcessHeap () returned 0x4c0000 [0120.696] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.697] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869d6170, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a48590, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a48590, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="es", cAlternateFileName="")) returned 1 [0120.697] lstrcmpiW (lpString1="es", lpString2="Windows") returned -1 [0120.697] lstrcmpiW (lpString1="es", lpString2="Program Files") returned -1 [0120.697] lstrcmpiW (lpString1="es", lpString2="Program Files (x86)") returned -1 [0120.698] lstrcmpiW (lpString1="es", lpString2="$Recycle.bin") returned 1 [0120.698] lstrcmpiW (lpString1="es", lpString2="System Volume Information") returned -1 [0120.698] lstrcmpiW (lpString1="es", lpString2=".") returned 1 [0120.698] lstrcmpiW (lpString1="es", lpString2="..") returned 1 [0120.698] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es") returned 141 [0120.698] GetProcessHeap () returned 0x4c0000 [0120.698] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0120.698] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es" [0120.698] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\*" [0120.698] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869d6170, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a48590, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a48590, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0120.698] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.698] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.698] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.698] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.698] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.699] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.699] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869d6170, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a48590, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a48590, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.699] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.699] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.699] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.699] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.699] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.699] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.699] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.699] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a48590, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a48590, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x10d, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0120.699] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0120.699] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0120.699] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0120.699] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0120.699] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0120.699] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0120.699] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0120.699] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\messages.json") returned 155 [0120.700] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0120.700] PathFindExtensionW (pszPath="messages.json") returned=".json" [0120.700] lstrlenW (lpString=".json") returned 5 [0120.700] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0120.700] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0120.703] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=269) returned 1 [0120.703] CloseHandle (hObject=0x16c) returned 1 [0120.703] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a48590, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a48590, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x10d, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0120.703] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0120.704] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\PUSSY.TXT") returned 151 [0120.705] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0120.705] lstrlenA (lpString="abcd") returned 4 [0120.705] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0120.706] CloseHandle (hObject=0x184) returned 1 [0120.706] GetProcessHeap () returned 0x4c0000 [0120.707] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.708] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869fc2d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6e6f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a6e6f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="fi", cAlternateFileName="")) returned 1 [0120.708] lstrcmpiW (lpString1="fi", lpString2="Windows") returned -1 [0120.708] lstrcmpiW (lpString1="fi", lpString2="Program Files") returned -1 [0120.708] lstrcmpiW (lpString1="fi", lpString2="Program Files (x86)") returned -1 [0120.708] lstrcmpiW (lpString1="fi", lpString2="$Recycle.bin") returned 1 [0120.708] lstrcmpiW (lpString1="fi", lpString2="System Volume Information") returned -1 [0120.708] lstrcmpiW (lpString1="fi", lpString2=".") returned 1 [0120.708] lstrcmpiW (lpString1="fi", lpString2="..") returned 1 [0120.708] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi") returned 141 [0120.708] GetProcessHeap () returned 0x4c0000 [0120.708] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0120.708] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi" [0120.708] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\*" [0120.708] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869fc2d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6e6f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a6e6f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0120.716] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.716] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.716] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.716] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.716] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.716] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.716] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869fc2d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6e6f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a6e6f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.716] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.716] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.716] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.716] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.716] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.716] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.716] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.716] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a6e6f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6f690, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x100, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0120.717] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0120.717] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0120.717] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0120.717] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0120.717] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0120.717] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0120.717] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0120.717] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\messages.json") returned 155 [0120.717] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0120.717] PathFindExtensionW (pszPath="messages.json") returned=".json" [0120.717] lstrlenW (lpString=".json") returned 5 [0120.717] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0120.717] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0120.718] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=256) returned 1 [0120.718] CloseHandle (hObject=0x16c) returned 1 [0120.718] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a6e6f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6f690, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x100, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0120.718] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0120.720] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\PUSSY.TXT") returned 151 [0120.720] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0120.721] lstrlenA (lpString="abcd") returned 4 [0120.721] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0120.722] CloseHandle (hObject=0x184) returned 1 [0120.722] GetProcessHeap () returned 0x4c0000 [0120.722] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.723] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869fc2d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94850, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a94850, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="fil", cAlternateFileName="")) returned 1 [0120.723] lstrcmpiW (lpString1="fil", lpString2="Windows") returned -1 [0120.723] lstrcmpiW (lpString1="fil", lpString2="Program Files") returned -1 [0120.723] lstrcmpiW (lpString1="fil", lpString2="Program Files (x86)") returned -1 [0120.723] lstrcmpiW (lpString1="fil", lpString2="$Recycle.bin") returned 1 [0120.723] lstrcmpiW (lpString1="fil", lpString2="System Volume Information") returned -1 [0120.723] lstrcmpiW (lpString1="fil", lpString2=".") returned 1 [0120.723] lstrcmpiW (lpString1="fil", lpString2="..") returned 1 [0120.723] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil") returned 142 [0120.723] GetProcessHeap () returned 0x4c0000 [0120.723] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0120.723] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil" [0120.724] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\*" [0120.724] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869fc2d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94850, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a94850, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0120.724] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.724] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.724] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.724] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.725] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.725] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.725] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869fc2d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94850, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a94850, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.725] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.725] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.725] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.725] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.725] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.725] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.725] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.725] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a94850, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94080, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xea, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0120.725] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0120.725] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0120.725] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0120.725] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0120.725] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0120.725] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0120.725] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0120.725] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\messages.json") returned 156 [0120.725] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0120.725] PathFindExtensionW (pszPath="messages.json") returned=".json" [0120.725] lstrlenW (lpString=".json") returned 5 [0120.725] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0120.726] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0120.727] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=234) returned 1 [0120.727] CloseHandle (hObject=0x16c) returned 1 [0120.727] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a94850, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94080, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xea, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0120.727] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0120.728] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\PUSSY.TXT") returned 152 [0120.728] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0120.729] lstrlenA (lpString="abcd") returned 4 [0120.729] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0120.729] CloseHandle (hObject=0x184) returned 1 [0120.730] GetProcessHeap () returned 0x4c0000 [0120.730] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.730] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869d6170, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a48590, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a48590, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="fr", cAlternateFileName="")) returned 1 [0120.731] lstrcmpiW (lpString1="fr", lpString2="Windows") returned -1 [0120.731] lstrcmpiW (lpString1="fr", lpString2="Program Files") returned -1 [0120.731] lstrcmpiW (lpString1="fr", lpString2="Program Files (x86)") returned -1 [0120.731] lstrcmpiW (lpString1="fr", lpString2="$Recycle.bin") returned 1 [0120.731] lstrcmpiW (lpString1="fr", lpString2="System Volume Information") returned -1 [0120.731] lstrcmpiW (lpString1="fr", lpString2=".") returned 1 [0120.731] lstrcmpiW (lpString1="fr", lpString2="..") returned 1 [0120.731] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr") returned 141 [0120.731] GetProcessHeap () returned 0x4c0000 [0120.731] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0120.731] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr" [0120.731] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\*" [0120.731] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869d6170, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a48590, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a48590, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0120.731] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.731] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.731] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.731] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.731] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.731] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.731] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869d6170, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a48590, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a48590, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.732] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.732] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.732] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.732] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.732] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.732] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.732] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.732] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a48590, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a48590, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x10c, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0120.732] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0120.732] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0120.732] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0120.732] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0120.732] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0120.732] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0120.732] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0120.732] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\messages.json") returned 155 [0120.732] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0120.732] PathFindExtensionW (pszPath="messages.json") returned=".json" [0120.732] lstrlenW (lpString=".json") returned 5 [0120.733] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0120.733] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0120.733] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=268) returned 1 [0120.733] CloseHandle (hObject=0x16c) returned 1 [0120.733] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a48590, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a48590, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x10c, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0120.733] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0120.734] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\PUSSY.TXT") returned 151 [0120.735] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0120.735] lstrlenA (lpString="abcd") returned 4 [0120.735] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0120.736] CloseHandle (hObject=0x184) returned 1 [0120.736] GetProcessHeap () returned 0x4c0000 [0120.736] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.737] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869b0010, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a22430, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a22430, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="hi", cAlternateFileName="")) returned 1 [0120.737] lstrcmpiW (lpString1="hi", lpString2="Windows") returned -1 [0120.737] lstrcmpiW (lpString1="hi", lpString2="Program Files") returned -1 [0120.737] lstrcmpiW (lpString1="hi", lpString2="Program Files (x86)") returned -1 [0120.737] lstrcmpiW (lpString1="hi", lpString2="$Recycle.bin") returned 1 [0120.737] lstrcmpiW (lpString1="hi", lpString2="System Volume Information") returned -1 [0120.737] lstrcmpiW (lpString1="hi", lpString2=".") returned 1 [0120.737] lstrcmpiW (lpString1="hi", lpString2="..") returned 1 [0120.737] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi") returned 141 [0120.737] GetProcessHeap () returned 0x4c0000 [0120.737] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0120.737] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi" [0120.737] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\*" [0120.737] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869b0010, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a22430, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a22430, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0120.738] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.738] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.738] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.738] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.738] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.738] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.738] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869b0010, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a22430, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a22430, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.738] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.738] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.738] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.738] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.738] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.738] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.738] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.738] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a22430, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a21490, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x121, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0120.738] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0120.738] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0120.738] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0120.738] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0120.739] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0120.739] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0120.739] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0120.739] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\messages.json") returned 155 [0120.739] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0120.739] PathFindExtensionW (pszPath="messages.json") returned=".json" [0120.739] lstrlenW (lpString=".json") returned 5 [0120.739] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0120.739] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0120.739] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=289) returned 1 [0120.739] CloseHandle (hObject=0x16c) returned 1 [0120.739] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a22430, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a21490, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x121, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0120.739] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0120.740] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\PUSSY.TXT") returned 151 [0120.740] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0120.741] lstrlenA (lpString="abcd") returned 4 [0120.741] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0120.742] CloseHandle (hObject=0x184) returned 1 [0120.742] GetProcessHeap () returned 0x4c0000 [0120.742] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.742] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869fc2d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6e6f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a6e6f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="hr", cAlternateFileName="")) returned 1 [0120.743] lstrcmpiW (lpString1="hr", lpString2="Windows") returned -1 [0120.743] lstrcmpiW (lpString1="hr", lpString2="Program Files") returned -1 [0120.743] lstrcmpiW (lpString1="hr", lpString2="Program Files (x86)") returned -1 [0120.743] lstrcmpiW (lpString1="hr", lpString2="$Recycle.bin") returned 1 [0120.743] lstrcmpiW (lpString1="hr", lpString2="System Volume Information") returned -1 [0120.743] lstrcmpiW (lpString1="hr", lpString2=".") returned 1 [0120.743] lstrcmpiW (lpString1="hr", lpString2="..") returned 1 [0120.743] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr") returned 141 [0120.743] GetProcessHeap () returned 0x4c0000 [0120.743] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0120.743] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr" [0120.743] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\*" [0120.743] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869fc2d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6e6f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a6e6f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0120.743] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.743] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.743] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.743] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.743] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.743] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.743] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869fc2d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6e6f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a6e6f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.744] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.744] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.744] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.744] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.744] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.744] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.744] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.744] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a6e6f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6f690, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe6, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0120.744] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0120.744] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0120.744] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0120.744] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0120.744] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0120.744] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0120.744] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0120.744] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\messages.json") returned 155 [0120.744] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0120.744] PathFindExtensionW (pszPath="messages.json") returned=".json" [0120.744] lstrlenW (lpString=".json") returned 5 [0120.744] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0120.744] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0120.744] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=230) returned 1 [0120.744] CloseHandle (hObject=0x16c) returned 1 [0120.745] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a6e6f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6f690, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe6, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0120.745] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0120.746] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\PUSSY.TXT") returned 151 [0120.746] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0120.746] lstrlenA (lpString="abcd") returned 4 [0120.746] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0120.747] CloseHandle (hObject=0x184) returned 1 [0120.747] GetProcessHeap () returned 0x4c0000 [0120.747] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.748] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869d6170, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a48590, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a48590, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="hu", cAlternateFileName="")) returned 1 [0120.748] lstrcmpiW (lpString1="hu", lpString2="Windows") returned -1 [0120.748] lstrcmpiW (lpString1="hu", lpString2="Program Files") returned -1 [0120.748] lstrcmpiW (lpString1="hu", lpString2="Program Files (x86)") returned -1 [0120.748] lstrcmpiW (lpString1="hu", lpString2="$Recycle.bin") returned 1 [0120.748] lstrcmpiW (lpString1="hu", lpString2="System Volume Information") returned -1 [0120.748] lstrcmpiW (lpString1="hu", lpString2=".") returned 1 [0120.748] lstrcmpiW (lpString1="hu", lpString2="..") returned 1 [0120.748] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu") returned 141 [0120.748] GetProcessHeap () returned 0x4c0000 [0120.748] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0120.748] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu" [0120.748] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\*" [0120.748] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869d6170, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a48590, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a48590, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0120.748] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.748] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.749] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.749] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.749] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.749] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.749] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869d6170, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a48590, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a48590, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.749] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.749] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.749] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.749] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.749] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.749] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.749] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.749] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a48590, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a48590, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe2, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0120.749] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0120.749] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0120.749] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0120.749] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0120.749] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0120.749] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0120.749] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0120.749] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\messages.json") returned 155 [0120.749] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0120.749] PathFindExtensionW (pszPath="messages.json") returned=".json" [0120.749] lstrlenW (lpString=".json") returned 5 [0120.749] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0120.750] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0120.750] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=226) returned 1 [0120.750] CloseHandle (hObject=0x16c) returned 1 [0120.750] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a48590, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a48590, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe2, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0120.750] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0120.751] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\PUSSY.TXT") returned 151 [0120.751] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0120.751] lstrlenA (lpString="abcd") returned 4 [0120.751] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0120.752] CloseHandle (hObject=0x184) returned 1 [0120.753] GetProcessHeap () returned 0x4c0000 [0120.753] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.753] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86a22430, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86aba9b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86aba9b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="id", cAlternateFileName="")) returned 1 [0120.753] lstrcmpiW (lpString1="id", lpString2="Windows") returned -1 [0120.754] lstrcmpiW (lpString1="id", lpString2="Program Files") returned -1 [0120.754] lstrcmpiW (lpString1="id", lpString2="Program Files (x86)") returned -1 [0120.754] lstrcmpiW (lpString1="id", lpString2="$Recycle.bin") returned 1 [0120.754] lstrcmpiW (lpString1="id", lpString2="System Volume Information") returned -1 [0120.754] lstrcmpiW (lpString1="id", lpString2=".") returned 1 [0120.754] lstrcmpiW (lpString1="id", lpString2="..") returned 1 [0120.754] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id") returned 141 [0120.754] GetProcessHeap () returned 0x4c0000 [0120.754] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0120.754] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id" [0120.754] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\*" [0120.754] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86a22430, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86aba9b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86aba9b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0120.754] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.754] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.754] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.754] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.754] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.754] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.754] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86a22430, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86aba9b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86aba9b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.755] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.755] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.755] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.755] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.755] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.755] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.755] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.755] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86aba9b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86abb180, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xf2, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0120.755] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0120.755] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0120.755] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0120.755] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0120.755] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0120.755] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0120.755] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0120.755] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\messages.json") returned 155 [0120.755] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0120.755] PathFindExtensionW (pszPath="messages.json") returned=".json" [0120.755] lstrlenW (lpString=".json") returned 5 [0120.755] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0120.755] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0120.756] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=242) returned 1 [0120.756] CloseHandle (hObject=0x16c) returned 1 [0120.756] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86aba9b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86abb180, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xf2, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0120.756] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0120.757] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\PUSSY.TXT") returned 151 [0120.757] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0120.758] lstrlenA (lpString="abcd") returned 4 [0120.758] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0120.759] CloseHandle (hObject=0x184) returned 1 [0120.759] GetProcessHeap () returned 0x4c0000 [0120.759] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.759] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86a22430, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86aba9b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86aba9b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="it", cAlternateFileName="")) returned 1 [0120.759] lstrcmpiW (lpString1="it", lpString2="Windows") returned -1 [0120.759] lstrcmpiW (lpString1="it", lpString2="Program Files") returned -1 [0120.759] lstrcmpiW (lpString1="it", lpString2="Program Files (x86)") returned -1 [0120.759] lstrcmpiW (lpString1="it", lpString2="$Recycle.bin") returned 1 [0120.760] lstrcmpiW (lpString1="it", lpString2="System Volume Information") returned -1 [0120.760] lstrcmpiW (lpString1="it", lpString2=".") returned 1 [0120.760] lstrcmpiW (lpString1="it", lpString2="..") returned 1 [0120.760] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it") returned 141 [0120.760] GetProcessHeap () returned 0x4c0000 [0120.760] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0120.760] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it" [0120.760] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\*" [0120.760] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86a22430, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86aba9b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86aba9b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0120.760] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.760] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.760] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.760] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.760] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.760] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.760] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86a22430, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86aba9b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86aba9b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.760] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.760] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.761] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.761] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.761] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.761] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.761] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.761] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86aba9b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86abb180, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x100, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0120.761] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0120.761] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0120.761] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0120.761] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0120.761] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0120.761] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0120.761] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0120.761] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\messages.json") returned 155 [0120.761] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0120.761] PathFindExtensionW (pszPath="messages.json") returned=".json" [0120.761] lstrlenW (lpString=".json") returned 5 [0120.761] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0120.761] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0120.765] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=256) returned 1 [0120.765] CloseHandle (hObject=0x16c) returned 1 [0120.765] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86aba9b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86abb180, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x100, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0120.765] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0120.766] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\PUSSY.TXT") returned 151 [0120.766] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0120.766] lstrlenA (lpString="abcd") returned 4 [0120.766] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0120.767] CloseHandle (hObject=0x184) returned 1 [0120.767] GetProcessHeap () returned 0x4c0000 [0120.767] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.768] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86a22430, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86aba9b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86aba9b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ja", cAlternateFileName="")) returned 1 [0120.768] lstrcmpiW (lpString1="ja", lpString2="Windows") returned -1 [0120.768] lstrcmpiW (lpString1="ja", lpString2="Program Files") returned -1 [0120.768] lstrcmpiW (lpString1="ja", lpString2="Program Files (x86)") returned -1 [0120.768] lstrcmpiW (lpString1="ja", lpString2="$Recycle.bin") returned 1 [0120.768] lstrcmpiW (lpString1="ja", lpString2="System Volume Information") returned -1 [0120.768] lstrcmpiW (lpString1="ja", lpString2=".") returned 1 [0120.768] lstrcmpiW (lpString1="ja", lpString2="..") returned 1 [0120.768] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja") returned 141 [0120.769] GetProcessHeap () returned 0x4c0000 [0120.769] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0120.769] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja" [0120.769] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\*" [0120.769] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86a22430, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86aba9b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86aba9b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0120.769] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.769] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.769] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.769] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.769] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.769] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.769] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86a22430, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86aba9b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86aba9b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.769] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.769] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.769] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.770] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.770] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.770] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.770] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.770] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86aba9b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86abb180, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0120.770] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0120.770] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0120.770] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0120.770] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0120.770] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0120.770] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0120.770] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0120.770] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\messages.json") returned 155 [0120.770] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0120.770] PathFindExtensionW (pszPath="messages.json") returned=".json" [0120.770] lstrlenW (lpString=".json") returned 5 [0120.770] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0120.770] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0120.770] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=271) returned 1 [0120.771] CloseHandle (hObject=0x16c) returned 1 [0120.771] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86aba9b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86abb180, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0120.771] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0120.772] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\PUSSY.TXT") returned 151 [0120.772] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0120.772] lstrlenA (lpString="abcd") returned 4 [0120.772] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0120.773] CloseHandle (hObject=0x184) returned 1 [0120.773] GetProcessHeap () returned 0x4c0000 [0120.773] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.774] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869fc2d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6e6f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a6e6f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ko", cAlternateFileName="")) returned 1 [0120.774] lstrcmpiW (lpString1="ko", lpString2="Windows") returned -1 [0120.774] lstrcmpiW (lpString1="ko", lpString2="Program Files") returned -1 [0120.774] lstrcmpiW (lpString1="ko", lpString2="Program Files (x86)") returned -1 [0120.774] lstrcmpiW (lpString1="ko", lpString2="$Recycle.bin") returned 1 [0120.774] lstrcmpiW (lpString1="ko", lpString2="System Volume Information") returned -1 [0120.774] lstrcmpiW (lpString1="ko", lpString2=".") returned 1 [0120.774] lstrcmpiW (lpString1="ko", lpString2="..") returned 1 [0120.774] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko") returned 141 [0120.774] GetProcessHeap () returned 0x4c0000 [0120.774] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0120.774] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko" [0120.774] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\*" [0120.774] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869fc2d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6e6f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a6e6f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0120.775] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.775] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.775] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.775] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.775] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.775] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.775] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869fc2d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6e6f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a6e6f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.775] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.775] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.775] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.775] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.775] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.776] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.776] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.776] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a6e6f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6f690, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x100, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0120.776] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0120.776] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0120.776] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0120.776] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0120.776] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0120.776] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0120.776] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0120.776] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\messages.json") returned 155 [0120.776] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0120.776] PathFindExtensionW (pszPath="messages.json") returned=".json" [0120.776] lstrlenW (lpString=".json") returned 5 [0120.776] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0120.776] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0120.776] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=256) returned 1 [0120.777] CloseHandle (hObject=0x16c) returned 1 [0120.777] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a6e6f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6f690, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x100, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0120.777] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0120.778] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\PUSSY.TXT") returned 151 [0120.778] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0120.778] lstrlenA (lpString="abcd") returned 4 [0120.778] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0120.779] CloseHandle (hObject=0x184) returned 1 [0120.779] GetProcessHeap () returned 0x4c0000 [0120.779] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.780] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869fc2d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94850, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a94850, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="lt", cAlternateFileName="")) returned 1 [0120.780] lstrcmpiW (lpString1="lt", lpString2="Windows") returned -1 [0120.780] lstrcmpiW (lpString1="lt", lpString2="Program Files") returned -1 [0120.780] lstrcmpiW (lpString1="lt", lpString2="Program Files (x86)") returned -1 [0120.780] lstrcmpiW (lpString1="lt", lpString2="$Recycle.bin") returned 1 [0120.780] lstrcmpiW (lpString1="lt", lpString2="System Volume Information") returned -1 [0120.780] lstrcmpiW (lpString1="lt", lpString2=".") returned 1 [0120.780] lstrcmpiW (lpString1="lt", lpString2="..") returned 1 [0120.780] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt") returned 141 [0120.780] GetProcessHeap () returned 0x4c0000 [0120.780] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0120.780] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt" [0120.780] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\*" [0120.780] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869fc2d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94850, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a94850, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0120.781] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.781] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.781] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.781] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.781] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.781] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.781] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869fc2d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94850, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a94850, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.781] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.781] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.781] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.781] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.781] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.781] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.781] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.781] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a94850, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94080, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xfd, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0120.781] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0120.781] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0120.781] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0120.782] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0120.782] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0120.782] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0120.782] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0120.782] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\messages.json") returned 155 [0120.782] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0120.782] PathFindExtensionW (pszPath="messages.json") returned=".json" [0120.782] lstrlenW (lpString=".json") returned 5 [0120.782] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0120.782] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0120.784] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=253) returned 1 [0120.784] CloseHandle (hObject=0x16c) returned 1 [0120.784] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a94850, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94080, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xfd, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0120.784] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0120.785] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\PUSSY.TXT") returned 151 [0120.785] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0120.786] lstrlenA (lpString="abcd") returned 4 [0120.786] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0120.787] CloseHandle (hObject=0x184) returned 1 [0120.787] GetProcessHeap () returned 0x4c0000 [0120.787] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.788] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869fc2d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94850, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a94850, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="lv", cAlternateFileName="")) returned 1 [0120.788] lstrcmpiW (lpString1="lv", lpString2="Windows") returned -1 [0120.788] lstrcmpiW (lpString1="lv", lpString2="Program Files") returned -1 [0120.788] lstrcmpiW (lpString1="lv", lpString2="Program Files (x86)") returned -1 [0120.788] lstrcmpiW (lpString1="lv", lpString2="$Recycle.bin") returned 1 [0120.788] lstrcmpiW (lpString1="lv", lpString2="System Volume Information") returned -1 [0120.788] lstrcmpiW (lpString1="lv", lpString2=".") returned 1 [0120.788] lstrcmpiW (lpString1="lv", lpString2="..") returned 1 [0120.788] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv") returned 141 [0120.788] GetProcessHeap () returned 0x4c0000 [0120.788] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0120.788] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv" [0120.788] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\*" [0120.788] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869fc2d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94850, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a94850, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0120.788] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.788] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.788] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.788] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.788] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.788] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.788] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869fc2d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94850, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a94850, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.789] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.789] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.789] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.789] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.789] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.789] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.789] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.789] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a94850, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94080, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xee, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0120.789] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0120.789] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0120.789] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0120.789] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0120.789] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0120.789] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0120.789] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0120.789] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\messages.json") returned 155 [0120.789] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0120.789] PathFindExtensionW (pszPath="messages.json") returned=".json" [0120.789] lstrlenW (lpString=".json") returned 5 [0120.789] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0120.789] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0120.790] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=238) returned 1 [0120.790] CloseHandle (hObject=0x16c) returned 1 [0120.790] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a94850, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94080, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xee, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0120.790] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0120.791] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\PUSSY.TXT") returned 151 [0120.791] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0120.791] lstrlenA (lpString="abcd") returned 4 [0120.791] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0120.792] CloseHandle (hObject=0x184) returned 1 [0120.792] GetProcessHeap () returned 0x4c0000 [0120.792] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.793] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869d6170, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a48590, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a48590, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="nl", cAlternateFileName="")) returned 1 [0120.793] lstrcmpiW (lpString1="nl", lpString2="Windows") returned -1 [0120.793] lstrcmpiW (lpString1="nl", lpString2="Program Files") returned -1 [0120.793] lstrcmpiW (lpString1="nl", lpString2="Program Files (x86)") returned -1 [0120.793] lstrcmpiW (lpString1="nl", lpString2="$Recycle.bin") returned 1 [0120.793] lstrcmpiW (lpString1="nl", lpString2="System Volume Information") returned -1 [0120.793] lstrcmpiW (lpString1="nl", lpString2=".") returned 1 [0120.793] lstrcmpiW (lpString1="nl", lpString2="..") returned 1 [0120.793] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl") returned 141 [0120.793] GetProcessHeap () returned 0x4c0000 [0120.793] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0120.793] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl" [0120.793] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\*" [0120.793] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869d6170, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a48590, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a48590, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0120.794] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.794] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.794] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.794] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.794] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.794] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.794] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869d6170, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a48590, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a48590, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.794] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.794] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.794] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.794] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.794] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.794] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.794] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.794] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a48590, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a48590, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe8, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0120.794] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0120.794] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0120.795] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0120.795] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0120.795] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0120.795] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0120.795] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0120.795] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\messages.json") returned 155 [0120.795] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0120.795] PathFindExtensionW (pszPath="messages.json") returned=".json" [0120.795] lstrlenW (lpString=".json") returned 5 [0120.795] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0120.795] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0120.795] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=232) returned 1 [0120.795] CloseHandle (hObject=0x16c) returned 1 [0120.795] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a48590, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a48590, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe8, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0120.795] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0120.796] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\PUSSY.TXT") returned 151 [0120.796] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0120.797] lstrlenA (lpString="abcd") returned 4 [0120.797] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0120.798] CloseHandle (hObject=0x184) returned 1 [0120.798] GetProcessHeap () returned 0x4c0000 [0120.798] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.799] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869fc2d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6e6f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a6e6f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="no", cAlternateFileName="")) returned 1 [0120.799] lstrcmpiW (lpString1="no", lpString2="Windows") returned -1 [0120.799] lstrcmpiW (lpString1="no", lpString2="Program Files") returned -1 [0120.799] lstrcmpiW (lpString1="no", lpString2="Program Files (x86)") returned -1 [0120.799] lstrcmpiW (lpString1="no", lpString2="$Recycle.bin") returned 1 [0120.799] lstrcmpiW (lpString1="no", lpString2="System Volume Information") returned -1 [0120.799] lstrcmpiW (lpString1="no", lpString2=".") returned 1 [0120.799] lstrcmpiW (lpString1="no", lpString2="..") returned 1 [0120.799] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no") returned 141 [0120.799] GetProcessHeap () returned 0x4c0000 [0120.799] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0120.799] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no" [0120.799] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\*" [0120.799] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869fc2d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6e6f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a6e6f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0120.799] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.799] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.799] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.800] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.800] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.800] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.800] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869fc2d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6e6f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a6e6f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.800] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.800] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.800] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.800] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.800] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.800] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.800] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.800] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a6e6f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94080, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x656b8f00, ftLastWriteTime.dwHighDateTime=0x1cccade, nFileSizeHigh=0x0, nFileSizeLow=0xd2, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0120.800] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0120.800] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0120.800] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0120.800] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0120.800] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0120.800] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0120.800] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0120.800] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\messages.json") returned 155 [0120.801] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0120.801] PathFindExtensionW (pszPath="messages.json") returned=".json" [0120.801] lstrlenW (lpString=".json") returned 5 [0120.801] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0120.801] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0120.801] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=210) returned 1 [0120.801] CloseHandle (hObject=0x16c) returned 1 [0120.801] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a6e6f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94080, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x656b8f00, ftLastWriteTime.dwHighDateTime=0x1cccade, nFileSizeHigh=0x0, nFileSizeLow=0xd2, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0120.801] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0120.802] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\PUSSY.TXT") returned 151 [0120.802] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0120.803] lstrlenA (lpString="abcd") returned 4 [0120.803] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0120.804] CloseHandle (hObject=0x184) returned 1 [0120.804] GetProcessHeap () returned 0x4c0000 [0120.804] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.816] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869fc2d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94850, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a94850, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="pl", cAlternateFileName="")) returned 1 [0120.816] lstrcmpiW (lpString1="pl", lpString2="Windows") returned -1 [0120.816] lstrcmpiW (lpString1="pl", lpString2="Program Files") returned -1 [0120.817] lstrcmpiW (lpString1="pl", lpString2="Program Files (x86)") returned -1 [0120.817] lstrcmpiW (lpString1="pl", lpString2="$Recycle.bin") returned 1 [0120.817] lstrcmpiW (lpString1="pl", lpString2="System Volume Information") returned -1 [0120.817] lstrcmpiW (lpString1="pl", lpString2=".") returned 1 [0120.817] lstrcmpiW (lpString1="pl", lpString2="..") returned 1 [0120.817] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl") returned 141 [0120.817] GetProcessHeap () returned 0x4c0000 [0120.817] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0120.817] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl" [0120.817] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\*" [0120.817] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869fc2d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94850, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a94850, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0120.817] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.817] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.817] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.817] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.817] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.817] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.817] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869fc2d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94850, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a94850, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.818] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.818] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.818] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.818] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.818] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.818] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.818] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.818] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a94850, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94080, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x108, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0120.818] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0120.818] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0120.818] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0120.818] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0120.818] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0120.818] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0120.818] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0120.818] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\messages.json") returned 155 [0120.818] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0120.818] PathFindExtensionW (pszPath="messages.json") returned=".json" [0120.818] lstrlenW (lpString=".json") returned 5 [0120.818] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0120.818] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0120.819] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=264) returned 1 [0120.819] CloseHandle (hObject=0x16c) returned 1 [0120.819] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a94850, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94080, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x108, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0120.819] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0120.820] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\PUSSY.TXT") returned 151 [0120.820] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0120.821] lstrlenA (lpString="abcd") returned 4 [0120.822] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0120.822] CloseHandle (hObject=0x184) returned 1 [0120.822] GetProcessHeap () returned 0x4c0000 [0120.822] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.823] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86a22430, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94850, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a94850, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="pt_BR", cAlternateFileName="")) returned 1 [0120.823] lstrcmpiW (lpString1="pt_BR", lpString2="Windows") returned -1 [0120.823] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files") returned 1 [0120.823] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files (x86)") returned 1 [0120.823] lstrcmpiW (lpString1="pt_BR", lpString2="$Recycle.bin") returned 1 [0120.823] lstrcmpiW (lpString1="pt_BR", lpString2="System Volume Information") returned -1 [0120.824] lstrcmpiW (lpString1="pt_BR", lpString2=".") returned 1 [0120.824] lstrcmpiW (lpString1="pt_BR", lpString2="..") returned 1 [0120.824] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR") returned 144 [0120.824] GetProcessHeap () returned 0x4c0000 [0120.824] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0120.824] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR" [0120.824] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR\\*" [0120.824] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86a22430, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94850, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a94850, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0120.825] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.825] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.825] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.825] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.825] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.825] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.825] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86a22430, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94850, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a94850, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.825] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.825] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.825] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.825] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.825] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.825] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.825] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.826] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a94850, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94080, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xde, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0120.826] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0120.826] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0120.826] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0120.826] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0120.826] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0120.826] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0120.826] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0120.826] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR\\messages.json") returned 158 [0120.826] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0120.826] PathFindExtensionW (pszPath="messages.json") returned=".json" [0120.826] lstrlenW (lpString=".json") returned 5 [0120.826] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0120.826] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_br\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0120.827] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=222) returned 1 [0120.827] CloseHandle (hObject=0x16c) returned 1 [0120.827] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a94850, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94080, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xde, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0120.827] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0120.828] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR\\PUSSY.TXT") returned 154 [0120.828] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_br\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0120.828] lstrlenA (lpString="abcd") returned 4 [0120.829] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0120.829] CloseHandle (hObject=0x184) returned 1 [0120.829] GetProcessHeap () returned 0x4c0000 [0120.830] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.830] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869d6170, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6e6f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a6e6f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="pt_PT", cAlternateFileName="")) returned 1 [0120.830] lstrcmpiW (lpString1="pt_PT", lpString2="Windows") returned -1 [0120.830] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files") returned 1 [0120.830] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files (x86)") returned 1 [0120.830] lstrcmpiW (lpString1="pt_PT", lpString2="$Recycle.bin") returned 1 [0120.830] lstrcmpiW (lpString1="pt_PT", lpString2="System Volume Information") returned -1 [0120.830] lstrcmpiW (lpString1="pt_PT", lpString2=".") returned 1 [0120.830] lstrcmpiW (lpString1="pt_PT", lpString2="..") returned 1 [0120.831] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT") returned 144 [0120.831] GetProcessHeap () returned 0x4c0000 [0120.831] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0120.831] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT" [0120.831] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT\\*" [0120.831] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869d6170, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6e6f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a6e6f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0120.831] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.831] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.831] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.831] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.831] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.831] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.831] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869d6170, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6e6f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a6e6f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.831] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.831] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.832] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.832] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.832] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.832] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.832] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.832] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a6e6f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6f690, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xdf, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0120.832] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0120.832] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0120.832] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0120.832] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0120.832] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0120.832] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0120.832] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0120.832] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT\\messages.json") returned 158 [0120.832] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0120.832] PathFindExtensionW (pszPath="messages.json") returned=".json" [0120.832] lstrlenW (lpString=".json") returned 5 [0120.832] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0120.832] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_pt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0120.833] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=223) returned 1 [0120.833] CloseHandle (hObject=0x16c) returned 1 [0120.833] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a6e6f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6f690, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xdf, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0120.833] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0120.834] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT\\PUSSY.TXT") returned 154 [0120.834] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_pt\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0120.834] lstrlenA (lpString="abcd") returned 4 [0120.834] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0120.835] CloseHandle (hObject=0x184) returned 1 [0120.835] GetProcessHeap () returned 0x4c0000 [0120.835] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.836] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869d6170, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a48590, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a48590, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ro", cAlternateFileName="")) returned 1 [0120.836] lstrcmpiW (lpString1="ro", lpString2="Windows") returned -1 [0120.836] lstrcmpiW (lpString1="ro", lpString2="Program Files") returned 1 [0120.836] lstrcmpiW (lpString1="ro", lpString2="Program Files (x86)") returned 1 [0120.836] lstrcmpiW (lpString1="ro", lpString2="$Recycle.bin") returned 1 [0120.836] lstrcmpiW (lpString1="ro", lpString2="System Volume Information") returned -1 [0120.836] lstrcmpiW (lpString1="ro", lpString2=".") returned 1 [0120.836] lstrcmpiW (lpString1="ro", lpString2="..") returned 1 [0120.836] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro") returned 141 [0120.836] GetProcessHeap () returned 0x4c0000 [0120.836] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0120.836] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro" [0120.836] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\*" [0120.836] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869d6170, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a48590, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a48590, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0120.837] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.837] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.837] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.837] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.837] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.837] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.837] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869d6170, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a48590, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a48590, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.837] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.837] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.837] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.837] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.837] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.837] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.837] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.837] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a48590, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a48590, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x109, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0120.837] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0120.837] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0120.837] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0120.838] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0120.838] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0120.838] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0120.838] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0120.838] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\messages.json") returned 155 [0120.838] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0120.838] PathFindExtensionW (pszPath="messages.json") returned=".json" [0120.838] lstrlenW (lpString=".json") returned 5 [0120.838] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0120.838] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0120.838] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=265) returned 1 [0120.838] CloseHandle (hObject=0x16c) returned 1 [0120.838] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a48590, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a48590, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x109, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0120.838] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0120.839] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\PUSSY.TXT") returned 151 [0120.839] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0120.840] lstrlenA (lpString="abcd") returned 4 [0120.840] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0120.841] CloseHandle (hObject=0x184) returned 1 [0120.841] GetProcessHeap () returned 0x4c0000 [0120.841] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.842] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869fc2d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6e6f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a6e6f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ru", cAlternateFileName="")) returned 1 [0120.842] lstrcmpiW (lpString1="ru", lpString2="Windows") returned -1 [0120.842] lstrcmpiW (lpString1="ru", lpString2="Program Files") returned 1 [0120.842] lstrcmpiW (lpString1="ru", lpString2="Program Files (x86)") returned 1 [0120.842] lstrcmpiW (lpString1="ru", lpString2="$Recycle.bin") returned 1 [0120.842] lstrcmpiW (lpString1="ru", lpString2="System Volume Information") returned -1 [0120.842] lstrcmpiW (lpString1="ru", lpString2=".") returned 1 [0120.842] lstrcmpiW (lpString1="ru", lpString2="..") returned 1 [0120.842] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru") returned 141 [0120.842] GetProcessHeap () returned 0x4c0000 [0120.842] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0120.842] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru" [0120.842] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\*" [0120.842] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869fc2d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6e6f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a6e6f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0120.842] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.842] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.842] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.842] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.843] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.843] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.843] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869fc2d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6e6f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a6e6f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.843] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.843] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.843] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.843] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.843] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.843] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.843] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.843] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a6e6f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6f690, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x11e, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0120.843] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0120.843] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0120.843] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0120.843] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0120.843] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0120.843] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0120.843] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0120.843] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\messages.json") returned 155 [0120.843] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0120.843] PathFindExtensionW (pszPath="messages.json") returned=".json" [0120.843] lstrlenW (lpString=".json") returned 5 [0120.843] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0120.843] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0120.844] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=286) returned 1 [0120.844] CloseHandle (hObject=0x16c) returned 1 [0120.844] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a6e6f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6f690, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x11e, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0120.844] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0120.845] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\PUSSY.TXT") returned 151 [0120.845] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0120.846] lstrlenA (lpString="abcd") returned 4 [0120.846] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0120.846] CloseHandle (hObject=0x184) returned 1 [0120.847] GetProcessHeap () returned 0x4c0000 [0120.847] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.847] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869fc2d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6e6f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a6e6f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="se", cAlternateFileName="")) returned 1 [0120.847] lstrcmpiW (lpString1="se", lpString2="Windows") returned -1 [0120.847] lstrcmpiW (lpString1="se", lpString2="Program Files") returned 1 [0120.847] lstrcmpiW (lpString1="se", lpString2="Program Files (x86)") returned 1 [0120.847] lstrcmpiW (lpString1="se", lpString2="$Recycle.bin") returned 1 [0120.848] lstrcmpiW (lpString1="se", lpString2="System Volume Information") returned -1 [0120.848] lstrcmpiW (lpString1="se", lpString2=".") returned 1 [0120.848] lstrcmpiW (lpString1="se", lpString2="..") returned 1 [0120.848] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se") returned 141 [0120.848] GetProcessHeap () returned 0x4c0000 [0120.848] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0120.848] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se" [0120.848] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\*" [0120.848] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869fc2d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6e6f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a6e6f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0120.848] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.848] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.848] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.848] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.848] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.848] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.848] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869fc2d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6e6f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a6e6f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.848] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.848] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.849] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.849] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.849] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.849] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.849] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.849] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a6e6f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6f690, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x656b8f00, ftLastWriteTime.dwHighDateTime=0x1cccade, nFileSizeHigh=0x0, nFileSizeLow=0xd2, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0120.849] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0120.849] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0120.849] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0120.849] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0120.849] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0120.849] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0120.849] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0120.849] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\messages.json") returned 155 [0120.849] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0120.849] PathFindExtensionW (pszPath="messages.json") returned=".json" [0120.849] lstrlenW (lpString=".json") returned 5 [0120.849] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0120.849] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0120.850] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=210) returned 1 [0120.850] CloseHandle (hObject=0x16c) returned 1 [0120.850] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a6e6f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6f690, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x656b8f00, ftLastWriteTime.dwHighDateTime=0x1cccade, nFileSizeHigh=0x0, nFileSizeLow=0xd2, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0120.850] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0120.851] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\PUSSY.TXT") returned 151 [0120.851] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0120.851] lstrlenA (lpString="abcd") returned 4 [0120.851] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0120.852] CloseHandle (hObject=0x184) returned 1 [0120.852] GetProcessHeap () returned 0x4c0000 [0120.852] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.853] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869fc2d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6e6f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a6e6f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="sk", cAlternateFileName="")) returned 1 [0120.853] lstrcmpiW (lpString1="sk", lpString2="Windows") returned -1 [0120.853] lstrcmpiW (lpString1="sk", lpString2="Program Files") returned 1 [0120.853] lstrcmpiW (lpString1="sk", lpString2="Program Files (x86)") returned 1 [0120.853] lstrcmpiW (lpString1="sk", lpString2="$Recycle.bin") returned 1 [0120.853] lstrcmpiW (lpString1="sk", lpString2="System Volume Information") returned -1 [0120.853] lstrcmpiW (lpString1="sk", lpString2=".") returned 1 [0120.853] lstrcmpiW (lpString1="sk", lpString2="..") returned 1 [0120.853] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk") returned 141 [0120.853] GetProcessHeap () returned 0x4c0000 [0120.853] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0120.853] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk" [0120.853] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\*" [0120.853] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869fc2d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6e6f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a6e6f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0120.854] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.854] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.854] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.854] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.854] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.854] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.854] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869fc2d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6e6f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a6e6f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.854] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.854] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.854] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.854] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.854] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.854] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.854] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.854] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a6e6f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6f690, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xde, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0120.854] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0120.854] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0120.854] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0120.854] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0120.854] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0120.855] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0120.855] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0120.855] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\messages.json") returned 155 [0120.855] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0120.855] PathFindExtensionW (pszPath="messages.json") returned=".json" [0120.855] lstrlenW (lpString=".json") returned 5 [0120.855] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0120.855] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0120.855] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=222) returned 1 [0120.855] CloseHandle (hObject=0x16c) returned 1 [0120.855] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a6e6f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6f690, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xde, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0120.855] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0120.856] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\PUSSY.TXT") returned 151 [0120.856] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0120.857] lstrlenA (lpString="abcd") returned 4 [0120.857] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0120.858] CloseHandle (hObject=0x184) returned 1 [0120.858] GetProcessHeap () returned 0x4c0000 [0120.858] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.859] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869d6170, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a48590, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a48590, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="sl", cAlternateFileName="")) returned 1 [0120.859] lstrcmpiW (lpString1="sl", lpString2="Windows") returned -1 [0120.859] lstrcmpiW (lpString1="sl", lpString2="Program Files") returned 1 [0120.859] lstrcmpiW (lpString1="sl", lpString2="Program Files (x86)") returned 1 [0120.859] lstrcmpiW (lpString1="sl", lpString2="$Recycle.bin") returned 1 [0120.859] lstrcmpiW (lpString1="sl", lpString2="System Volume Information") returned -1 [0120.859] lstrcmpiW (lpString1="sl", lpString2=".") returned 1 [0120.859] lstrcmpiW (lpString1="sl", lpString2="..") returned 1 [0120.859] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl") returned 141 [0120.859] GetProcessHeap () returned 0x4c0000 [0120.859] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0120.859] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl" [0120.859] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\*" [0120.859] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869d6170, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a48590, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a48590, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0120.859] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.859] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.859] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.859] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.859] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.859] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.859] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869d6170, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a48590, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a48590, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.860] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.860] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.860] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.860] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.860] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.860] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.860] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.860] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a48590, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a48590, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xea, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0120.860] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0120.860] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0120.860] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0120.860] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0120.860] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0120.860] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0120.860] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0120.860] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\messages.json") returned 155 [0120.860] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0120.860] PathFindExtensionW (pszPath="messages.json") returned=".json" [0120.860] lstrlenW (lpString=".json") returned 5 [0120.860] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0120.860] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0120.861] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=234) returned 1 [0120.861] CloseHandle (hObject=0x16c) returned 1 [0120.861] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a48590, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a48590, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xea, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0120.861] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0120.862] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\PUSSY.TXT") returned 151 [0120.862] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0120.862] lstrlenA (lpString="abcd") returned 4 [0120.862] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0120.863] CloseHandle (hObject=0x184) returned 1 [0120.863] GetProcessHeap () returned 0x4c0000 [0120.863] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.864] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86a22430, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94850, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a94850, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="sr", cAlternateFileName="")) returned 1 [0120.864] lstrcmpiW (lpString1="sr", lpString2="Windows") returned -1 [0120.864] lstrcmpiW (lpString1="sr", lpString2="Program Files") returned 1 [0120.864] lstrcmpiW (lpString1="sr", lpString2="Program Files (x86)") returned 1 [0120.864] lstrcmpiW (lpString1="sr", lpString2="$Recycle.bin") returned 1 [0120.865] lstrcmpiW (lpString1="sr", lpString2="System Volume Information") returned -1 [0120.865] lstrcmpiW (lpString1="sr", lpString2=".") returned 1 [0120.865] lstrcmpiW (lpString1="sr", lpString2="..") returned 1 [0120.865] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr") returned 141 [0120.865] GetProcessHeap () returned 0x4c0000 [0120.865] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0120.865] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr" [0120.865] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\*" [0120.865] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86a22430, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94850, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a94850, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0120.865] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.865] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.865] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.865] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.865] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.865] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.865] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86a22430, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94850, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a94850, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.866] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.866] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.866] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.866] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.866] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.866] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.866] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.866] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a94850, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94080, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x127, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0120.866] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0120.866] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0120.866] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0120.866] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0120.866] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0120.866] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0120.866] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0120.866] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\messages.json") returned 155 [0120.866] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0120.866] PathFindExtensionW (pszPath="messages.json") returned=".json" [0120.866] lstrlenW (lpString=".json") returned 5 [0120.866] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0120.866] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0120.867] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=295) returned 1 [0120.867] CloseHandle (hObject=0x16c) returned 1 [0120.867] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a94850, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94080, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x127, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0120.867] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0120.868] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\PUSSY.TXT") returned 151 [0120.868] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0120.868] lstrlenA (lpString="abcd") returned 4 [0120.868] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0120.869] CloseHandle (hObject=0x184) returned 1 [0120.869] GetProcessHeap () returned 0x4c0000 [0120.869] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.870] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86a22430, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86aba9b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86aba9b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="th", cAlternateFileName="")) returned 1 [0120.870] lstrcmpiW (lpString1="th", lpString2="Windows") returned -1 [0120.870] lstrcmpiW (lpString1="th", lpString2="Program Files") returned 1 [0120.870] lstrcmpiW (lpString1="th", lpString2="Program Files (x86)") returned 1 [0120.870] lstrcmpiW (lpString1="th", lpString2="$Recycle.bin") returned 1 [0120.870] lstrcmpiW (lpString1="th", lpString2="System Volume Information") returned 1 [0120.870] lstrcmpiW (lpString1="th", lpString2=".") returned 1 [0120.870] lstrcmpiW (lpString1="th", lpString2="..") returned 1 [0120.870] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th") returned 141 [0120.870] GetProcessHeap () returned 0x4c0000 [0120.870] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0120.870] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th" [0120.870] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\*" [0120.871] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86a22430, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86aba9b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86aba9b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0120.871] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.871] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.871] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.871] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.871] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.871] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.871] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86a22430, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86aba9b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86aba9b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.871] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.871] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.871] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.871] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.871] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.871] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.871] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.871] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86aba9b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86abb180, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x144, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0120.871] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0120.871] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0120.871] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0120.871] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0120.871] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0120.872] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0120.872] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0120.872] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\messages.json") returned 155 [0120.872] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0120.872] PathFindExtensionW (pszPath="messages.json") returned=".json" [0120.872] lstrlenW (lpString=".json") returned 5 [0120.872] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0120.872] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0120.872] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=324) returned 1 [0120.872] CloseHandle (hObject=0x16c) returned 1 [0120.872] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86aba9b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86abb180, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x144, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0120.872] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0120.873] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\PUSSY.TXT") returned 151 [0120.873] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0120.874] lstrlenA (lpString="abcd") returned 4 [0120.874] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0120.875] CloseHandle (hObject=0x184) returned 1 [0120.875] GetProcessHeap () returned 0x4c0000 [0120.875] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.875] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869b0010, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a22430, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a22430, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="tr", cAlternateFileName="")) returned 1 [0120.875] lstrcmpiW (lpString1="tr", lpString2="Windows") returned -1 [0120.876] lstrcmpiW (lpString1="tr", lpString2="Program Files") returned 1 [0120.876] lstrcmpiW (lpString1="tr", lpString2="Program Files (x86)") returned 1 [0120.876] lstrcmpiW (lpString1="tr", lpString2="$Recycle.bin") returned 1 [0120.876] lstrcmpiW (lpString1="tr", lpString2="System Volume Information") returned 1 [0120.876] lstrcmpiW (lpString1="tr", lpString2=".") returned 1 [0120.876] lstrcmpiW (lpString1="tr", lpString2="..") returned 1 [0120.876] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr") returned 141 [0120.876] GetProcessHeap () returned 0x4c0000 [0120.876] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0120.876] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr" [0120.876] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\*" [0120.876] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869b0010, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a22430, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a22430, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0120.876] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.876] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.876] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.876] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.876] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.876] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.876] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869b0010, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a22430, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a22430, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.876] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.877] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.877] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.877] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.877] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.877] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.877] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.877] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a22430, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a21490, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xea, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0120.877] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0120.877] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0120.877] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0120.877] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0120.877] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0120.877] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0120.877] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0120.877] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\messages.json") returned 155 [0120.877] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0120.877] PathFindExtensionW (pszPath="messages.json") returned=".json" [0120.877] lstrlenW (lpString=".json") returned 5 [0120.877] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0120.877] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0120.877] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=234) returned 1 [0120.878] CloseHandle (hObject=0x16c) returned 1 [0120.878] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a22430, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a21490, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xea, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0120.878] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0120.879] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\PUSSY.TXT") returned 151 [0120.879] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0120.879] lstrlenA (lpString="abcd") returned 4 [0120.879] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0120.880] CloseHandle (hObject=0x184) returned 1 [0120.880] GetProcessHeap () returned 0x4c0000 [0120.880] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.881] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869d6170, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6e6f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a6e6f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="uk", cAlternateFileName="")) returned 1 [0120.881] lstrcmpiW (lpString1="uk", lpString2="Windows") returned -1 [0120.881] lstrcmpiW (lpString1="uk", lpString2="Program Files") returned 1 [0120.881] lstrcmpiW (lpString1="uk", lpString2="Program Files (x86)") returned 1 [0120.881] lstrcmpiW (lpString1="uk", lpString2="$Recycle.bin") returned 1 [0120.881] lstrcmpiW (lpString1="uk", lpString2="System Volume Information") returned 1 [0120.881] lstrcmpiW (lpString1="uk", lpString2=".") returned 1 [0120.881] lstrcmpiW (lpString1="uk", lpString2="..") returned 1 [0120.881] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk") returned 141 [0120.881] GetProcessHeap () returned 0x4c0000 [0120.881] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0120.881] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk" [0120.881] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\*" [0120.881] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869d6170, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6e6f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a6e6f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0120.881] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.882] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.882] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.882] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.882] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.882] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.882] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869d6170, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6e6f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a6e6f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.882] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.882] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.882] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.882] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.882] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.882] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.882] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.882] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a6e6f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6f690, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x130, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0120.882] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0120.883] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0120.883] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0120.883] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0120.883] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0120.883] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0120.883] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0120.883] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\messages.json") returned 155 [0120.883] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0120.883] PathFindExtensionW (pszPath="messages.json") returned=".json" [0120.883] lstrlenW (lpString=".json") returned 5 [0120.883] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0120.883] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0120.883] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=304) returned 1 [0120.883] CloseHandle (hObject=0x16c) returned 1 [0120.883] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a6e6f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a6f690, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x130, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0120.883] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0120.884] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\PUSSY.TXT") returned 151 [0120.884] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0120.885] lstrlenA (lpString="abcd") returned 4 [0120.885] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0120.886] CloseHandle (hObject=0x184) returned 1 [0120.886] GetProcessHeap () returned 0x4c0000 [0120.886] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.887] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869fc2d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94850, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a94850, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="vi", cAlternateFileName="")) returned 1 [0120.887] lstrcmpiW (lpString1="vi", lpString2="Windows") returned -1 [0120.887] lstrcmpiW (lpString1="vi", lpString2="Program Files") returned 1 [0120.887] lstrcmpiW (lpString1="vi", lpString2="Program Files (x86)") returned 1 [0120.887] lstrcmpiW (lpString1="vi", lpString2="$Recycle.bin") returned 1 [0120.887] lstrcmpiW (lpString1="vi", lpString2="System Volume Information") returned 1 [0120.887] lstrcmpiW (lpString1="vi", lpString2=".") returned 1 [0120.887] lstrcmpiW (lpString1="vi", lpString2="..") returned 1 [0120.887] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi") returned 141 [0120.887] GetProcessHeap () returned 0x4c0000 [0120.887] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0120.887] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi" [0120.887] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\*" [0120.887] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869fc2d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94850, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a94850, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0120.887] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.887] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.887] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.887] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.887] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.887] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.888] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869fc2d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94850, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a94850, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.888] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.888] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.888] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.888] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.888] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.888] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.888] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.888] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a94850, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94080, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe8, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0120.888] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0120.888] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0120.888] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0120.888] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0120.888] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0120.888] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0120.888] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0120.888] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\messages.json") returned 155 [0120.888] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0120.888] PathFindExtensionW (pszPath="messages.json") returned=".json" [0120.888] lstrlenW (lpString=".json") returned 5 [0120.888] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0120.888] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0120.889] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=232) returned 1 [0120.889] CloseHandle (hObject=0x16c) returned 1 [0120.889] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a94850, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94080, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xe8, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0120.889] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0120.890] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\PUSSY.TXT") returned 151 [0120.890] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0120.891] lstrlenA (lpString="abcd") returned 4 [0120.891] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0120.892] CloseHandle (hObject=0x184) returned 1 [0120.892] GetProcessHeap () returned 0x4c0000 [0120.892] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.893] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869fc2d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94850, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a94850, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="zh_CN", cAlternateFileName="")) returned 1 [0120.893] lstrcmpiW (lpString1="zh_CN", lpString2="Windows") returned 1 [0120.893] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files") returned 1 [0120.893] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files (x86)") returned 1 [0120.893] lstrcmpiW (lpString1="zh_CN", lpString2="$Recycle.bin") returned 1 [0120.893] lstrcmpiW (lpString1="zh_CN", lpString2="System Volume Information") returned 1 [0120.893] lstrcmpiW (lpString1="zh_CN", lpString2=".") returned 1 [0120.894] lstrcmpiW (lpString1="zh_CN", lpString2="..") returned 1 [0120.894] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN") returned 144 [0120.894] GetProcessHeap () returned 0x4c0000 [0120.894] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0120.894] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN" [0120.894] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN\\*" [0120.894] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869fc2d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94850, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a94850, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0120.894] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.894] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.894] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.894] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.894] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.894] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.894] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x869fc2d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94850, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a94850, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.895] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.895] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.895] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.895] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.895] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.895] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.895] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.895] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a94850, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94080, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x102, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0120.895] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0120.895] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0120.895] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0120.895] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0120.895] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0120.895] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0120.895] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0120.895] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN\\messages.json") returned 158 [0120.895] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0120.895] PathFindExtensionW (pszPath="messages.json") returned=".json" [0120.895] lstrlenW (lpString=".json") returned 5 [0120.895] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0120.896] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_cn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0120.896] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=258) returned 1 [0120.896] CloseHandle (hObject=0x16c) returned 1 [0120.897] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a94850, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94080, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x102, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0120.897] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0120.898] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN\\PUSSY.TXT") returned 154 [0120.899] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_cn\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0120.899] lstrlenA (lpString="abcd") returned 4 [0120.899] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0120.900] CloseHandle (hObject=0x184) returned 1 [0120.900] GetProcessHeap () returned 0x4c0000 [0120.900] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.901] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86a22430, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94850, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a94850, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="zh_TW", cAlternateFileName="")) returned 1 [0120.902] lstrcmpiW (lpString1="zh_TW", lpString2="Windows") returned 1 [0120.902] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files") returned 1 [0120.902] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files (x86)") returned 1 [0120.902] lstrcmpiW (lpString1="zh_TW", lpString2="$Recycle.bin") returned 1 [0120.902] lstrcmpiW (lpString1="zh_TW", lpString2="System Volume Information") returned 1 [0120.902] lstrcmpiW (lpString1="zh_TW", lpString2=".") returned 1 [0120.902] lstrcmpiW (lpString1="zh_TW", lpString2="..") returned 1 [0120.902] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW") returned 144 [0120.902] GetProcessHeap () returned 0x4c0000 [0120.902] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0120.902] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW" [0120.902] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW\\*" [0120.902] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86a22430, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94850, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a94850, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0120.902] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.902] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.902] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.902] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.902] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.902] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.902] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86a22430, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94850, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a94850, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.903] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.903] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.903] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.903] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.903] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.903] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.903] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.903] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a94850, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94080, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xf9, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0120.903] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0120.903] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0120.903] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0120.903] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0120.903] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0120.903] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0120.903] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0120.903] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW\\messages.json") returned 158 [0120.903] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0120.903] PathFindExtensionW (pszPath="messages.json") returned=".json" [0120.904] lstrlenW (lpString=".json") returned 5 [0120.904] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0120.904] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_tw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0120.904] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=249) returned 1 [0120.904] CloseHandle (hObject=0x16c) returned 1 [0120.904] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86a94850, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94080, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xf9, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0120.904] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0120.906] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW\\PUSSY.TXT") returned 154 [0120.906] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_tw\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0120.906] lstrlenA (lpString="abcd") returned 4 [0120.906] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0120.907] CloseHandle (hObject=0x184) returned 1 [0120.907] GetProcessHeap () returned 0x4c0000 [0120.908] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.908] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86a22430, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86a94850, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a94850, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="zh_TW", cAlternateFileName="")) returned 0 [0120.909] FindClose (in: hFindFile=0x3bb71e0 | out: hFindFile=0x3bb71e0) returned 1 [0120.909] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\PUSSY.TXT") returned 148 [0120.909] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0120.909] lstrlenA (lpString="abcd") returned 4 [0120.909] WriteFile (in: hFile=0x1c0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2899ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x2899ac*=0x4, lpOverlapped=0x0) returned 1 [0120.910] CloseHandle (hObject=0x1c0) returned 1 [0120.911] GetProcessHeap () returned 0x4c0000 [0120.911] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0120.913] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86aba9b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86ae0b10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86ae0b10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="_metadata", cAlternateFileName="_METAD~1")) returned 1 [0120.913] lstrcmpiW (lpString1="_metadata", lpString2="Windows") returned -1 [0120.913] lstrcmpiW (lpString1="_metadata", lpString2="Program Files") returned -1 [0120.913] lstrcmpiW (lpString1="_metadata", lpString2="Program Files (x86)") returned -1 [0120.913] lstrcmpiW (lpString1="_metadata", lpString2="$Recycle.bin") returned 1 [0120.913] lstrcmpiW (lpString1="_metadata", lpString2="System Volume Information") returned -1 [0120.913] lstrcmpiW (lpString1="_metadata", lpString2=".") returned 1 [0120.913] lstrcmpiW (lpString1="_metadata", lpString2="..") returned 1 [0120.913] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata") returned 139 [0120.913] GetProcessHeap () returned 0x4c0000 [0120.913] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0120.914] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata" [0120.914] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\*" [0120.914] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\*", lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86aba9b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86ae0b10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86ae0b10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb71e0 [0120.914] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.914] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.914] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.914] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.914] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.914] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.914] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86aba9b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86ae0b10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86ae0b10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0120.915] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.915] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.915] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.915] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.915] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.915] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.915] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.915] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86ae0b10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86adfb70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xdd12c400, ftLastWriteTime.dwHighDateTime=0x1d0683e, nFileSizeHigh=0x0, nFileSizeLow=0x2686, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="verified_contents.json", cAlternateFileName="VERIFI~1.JSO")) returned 1 [0120.915] lstrcmpiW (lpString1="verified_contents.json", lpString2="Windows") returned -1 [0120.915] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files") returned 1 [0120.915] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files (x86)") returned 1 [0120.915] lstrcmpiW (lpString1="verified_contents.json", lpString2="$Recycle.bin") returned 1 [0120.915] lstrcmpiW (lpString1="verified_contents.json", lpString2="System Volume Information") returned 1 [0120.915] lstrcmpiW (lpString1="verified_contents.json", lpString2=".") returned 1 [0120.915] lstrcmpiW (lpString1="verified_contents.json", lpString2="..") returned 1 [0120.915] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\verified_contents.json") returned 162 [0120.915] lstrcmpW (lpString1="verified_contents.json", lpString2="PUSSY.TXT") returned 1 [0120.915] PathFindExtensionW (pszPath="verified_contents.json") returned=".json" [0120.915] lstrlenW (lpString=".json") returned 5 [0120.915] SystemFunction036 (in: RandomBuffer=0x289644, RandomBufferLength=0x20 | out: RandomBuffer=0x289644) returned 1 [0120.915] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\verified_contents.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0120.916] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x289638 | out: lpFileSize=0x289638*=9862) returned 1 [0120.916] GetProcessHeap () returned 0x4c0000 [0120.916] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c20058 [0120.929] wsprintfW (in: param_1=0x289686, param_2="%02X" | out: param_1="DB") returned 2 [0120.929] wsprintfW (in: param_1=0x28968a, param_2="%02X" | out: param_1="2D") returned 2 [0120.929] wsprintfW (in: param_1=0x28968e, param_2="%02X" | out: param_1="F7") returned 2 [0120.929] wsprintfW (in: param_1=0x289692, param_2="%02X" | out: param_1="A2") returned 2 [0120.929] wsprintfW (in: param_1=0x289696, param_2="%02X" | out: param_1="86") returned 2 [0120.929] wsprintfW (in: param_1=0x28969a, param_2="%02X" | out: param_1="2E") returned 2 [0120.929] wsprintfW (in: param_1=0x28969e, param_2="%02X" | out: param_1="87") returned 2 [0120.929] wsprintfW (in: param_1=0x2896a2, param_2="%02X" | out: param_1="7C") returned 2 [0120.929] wsprintfW (in: param_1=0x2896a6, param_2="%02X" | out: param_1="76") returned 2 [0120.930] wsprintfW (in: param_1=0x2896aa, param_2="%02X" | out: param_1="3B") returned 2 [0120.930] wsprintfW (in: param_1=0x2896ae, param_2="%02X" | out: param_1="63") returned 2 [0120.930] wsprintfW (in: param_1=0x2896b2, param_2="%02X" | out: param_1="B4") returned 2 [0120.930] wsprintfW (in: param_1=0x2896b6, param_2="%02X" | out: param_1="9B") returned 2 [0120.930] wsprintfW (in: param_1=0x2896ba, param_2="%02X" | out: param_1="9B") returned 2 [0120.930] wsprintfW (in: param_1=0x2896be, param_2="%02X" | out: param_1="E0") returned 2 [0120.930] wsprintfW (in: param_1=0x2896c2, param_2="%02X" | out: param_1="66") returned 2 [0120.930] wsprintfW (in: param_1=0x2896c6, param_2="%02X" | out: param_1="8B") returned 2 [0120.930] wsprintfW (in: param_1=0x2896ca, param_2="%02X" | out: param_1="4F") returned 2 [0120.930] wsprintfW (in: param_1=0x2896ce, param_2="%02X" | out: param_1="66") returned 2 [0120.930] wsprintfW (in: param_1=0x2896d2, param_2="%02X" | out: param_1="41") returned 2 [0120.930] wsprintfW (in: param_1=0x2896d6, param_2="%02X" | out: param_1="00") returned 2 [0120.930] wsprintfW (in: param_1=0x2896da, param_2="%02X" | out: param_1="C5") returned 2 [0120.930] wsprintfW (in: param_1=0x2896de, param_2="%02X" | out: param_1="3B") returned 2 [0120.930] wsprintfW (in: param_1=0x2896e2, param_2="%02X" | out: param_1="75") returned 2 [0120.930] wsprintfW (in: param_1=0x2896e6, param_2="%02X" | out: param_1="C5") returned 2 [0120.930] wsprintfW (in: param_1=0x2896ea, param_2="%02X" | out: param_1="89") returned 2 [0120.930] wsprintfW (in: param_1=0x2896ee, param_2="%02X" | out: param_1="78") returned 2 [0120.930] wsprintfW (in: param_1=0x2896f2, param_2="%02X" | out: param_1="C3") returned 2 [0120.930] wsprintfW (in: param_1=0x2896f6, param_2="%02X" | out: param_1="D0") returned 2 [0120.930] wsprintfW (in: param_1=0x2896fa, param_2="%02X" | out: param_1="0A") returned 2 [0120.930] wsprintfW (in: param_1=0x2896fe, param_2="%02X" | out: param_1="02") returned 2 [0120.930] wsprintfW (in: param_1=0x289702, param_2="%02X" | out: param_1="4A") returned 2 [0120.943] lstrcpyW (in: lpString1=0x3c3008c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\verified_contents.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\verified_contents.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\verified_contents.json" [0120.943] lstrcpyW (in: lpString1=0x3c2008c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\verified_contents.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\verified_contents.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\verified_contents.json" [0120.943] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\verified_contents.json", lpString2=".DB2DF7A2862E877C763B63B49B9BE0668B4F664100C53B75C58978C3D00A024A" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\verified_contents.json.DB2DF7A2862E877C763B63B49B9BE0668B4F664100C53B75C58978C3D00A024A") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\verified_contents.json.DB2DF7A2862E877C763B63B49B9BE0668B4F664100C53B75C58978C3D00A024A" [0120.943] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x3c20058, NumberOfConcurrentThreads=0x0) returned 0x94 [0120.943] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c20058, lpOverlapped=0x3c20058) returned 1 [0120.944] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86ae0b10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86adfb70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xdd12c400, ftLastWriteTime.dwHighDateTime=0x1d0683e, nFileSizeHigh=0x0, nFileSizeLow=0x2686, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="verified_contents.json", cAlternateFileName="VERIFI~1.JSO")) returned 0 [0120.945] FindClose (in: hFindFile=0x3bb71e0 | out: hFindFile=0x3bb71e0) returned 1 [0120.945] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\PUSSY.TXT") returned 149 [0120.945] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0120.946] lstrlenA (lpString="abcd") returned 4 [0120.946] WriteFile (in: hFile=0x1c0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2899ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x2899ac*=0x4, lpOverlapped=0x0) returned 1 [0120.947] CloseHandle (hObject=0x1c0) returned 1 [0120.947] GetProcessHeap () returned 0x4c0000 [0120.947] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0120.947] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86aba9b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86ae0b10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86ae0b10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="_metadata", cAlternateFileName="_METAD~1")) returned 0 [0120.947] FindClose (in: hFindFile=0x3bb71a0 | out: hFindFile=0x3bb71a0) returned 1 [0120.947] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\PUSSY.TXT") returned 139 [0120.947] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0120.948] lstrlenA (lpString="abcd") returned 4 [0120.948] WriteFile (in: hFile=0x1c4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a14c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a14c*=0x4, lpOverlapped=0x0) returned 1 [0120.949] CloseHandle (hObject=0x1c4) returned 1 [0120.949] GetProcessHeap () returned 0x4c0000 [0120.949] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0120.966] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x86989eb0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86d1bfb0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86d1bfb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="8.1_0", cAlternateFileName="")) returned 0 [0120.966] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0120.967] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\PUSSY.TXT") returned 133 [0120.967] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0120.973] lstrlenA (lpString="abcd") returned 4 [0120.973] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a8ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a8ec*=0x4, lpOverlapped=0x0) returned 1 [0120.975] CloseHandle (hObject=0x184) returned 1 [0120.976] GetProcessHeap () returned 0x4c0000 [0120.976] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bd80e8 | out: hHeap=0x4c0000) returned 1 [0120.980] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8399f510, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x839a6a40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x839a6a40, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="pkedcjkdefgpdelpbcmbmeomcjbeemfm", cAlternateFileName="PKEDCJ~1")) returned 1 [0120.980] lstrcmpiW (lpString1="pkedcjkdefgpdelpbcmbmeomcjbeemfm", lpString2="Windows") returned -1 [0120.980] lstrcmpiW (lpString1="pkedcjkdefgpdelpbcmbmeomcjbeemfm", lpString2="Program Files") returned -1 [0120.980] lstrcmpiW (lpString1="pkedcjkdefgpdelpbcmbmeomcjbeemfm", lpString2="Program Files (x86)") returned -1 [0120.980] lstrcmpiW (lpString1="pkedcjkdefgpdelpbcmbmeomcjbeemfm", lpString2="$Recycle.bin") returned 1 [0120.981] lstrcmpiW (lpString1="pkedcjkdefgpdelpbcmbmeomcjbeemfm", lpString2="System Volume Information") returned -1 [0120.981] lstrcmpiW (lpString1="pkedcjkdefgpdelpbcmbmeomcjbeemfm", lpString2=".") returned 1 [0120.981] lstrcmpiW (lpString1="pkedcjkdefgpdelpbcmbmeomcjbeemfm", lpString2="..") returned 1 [0120.981] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm") returned 123 [0120.981] GetProcessHeap () returned 0x4c0000 [0120.981] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bd80e8 [0120.982] lstrcpyW (in: lpString1=0x3bd80e8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm" [0120.982] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\*" [0120.982] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\*", lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8399f510, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x839a6a40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x839a6a40, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0120.983] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.983] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.983] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.983] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.983] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.983] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.983] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8399f510, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x839a6a40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x839a6a40, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0120.983] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.983] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.983] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.983] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.983] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.983] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.984] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.984] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x833dcb50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x836e0310, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x836e0310, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="5817.313.0.5_0", cAlternateFileName="581731~1.5_0")) returned 1 [0120.984] lstrcmpiW (lpString1="5817.313.0.5_0", lpString2="Windows") returned -1 [0120.984] lstrcmpiW (lpString1="5817.313.0.5_0", lpString2="Program Files") returned -1 [0120.984] lstrcmpiW (lpString1="5817.313.0.5_0", lpString2="Program Files (x86)") returned -1 [0120.984] lstrcmpiW (lpString1="5817.313.0.5_0", lpString2="$Recycle.bin") returned 1 [0120.984] lstrcmpiW (lpString1="5817.313.0.5_0", lpString2="System Volume Information") returned -1 [0120.984] lstrcmpiW (lpString1="5817.313.0.5_0", lpString2=".") returned 1 [0120.984] lstrcmpiW (lpString1="5817.313.0.5_0", lpString2="..") returned 1 [0120.984] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0") returned 138 [0120.984] GetProcessHeap () returned 0x4c0000 [0120.984] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x502a88 [0120.985] lstrcpyW (in: lpString1=0x502a88, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0" [0120.985] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\*" [0120.985] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\*", lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x833dcb50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x836e0310, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x836e0310, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb71a0 [0120.988] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0120.988] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0120.988] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0120.988] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0120.988] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0120.988] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0120.988] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x833dcb50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x836e0310, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x836e0310, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0120.990] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0120.990] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0120.990] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0120.990] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0120.990] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0120.990] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0120.990] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0120.990] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x83637bc0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8363f0f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x1caf9500, ftLastWriteTime.dwHighDateTime=0x1d2c87a, nFileSizeHigh=0x0, nFileSizeLow=0x8c0bf, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="angular.js", cAlternateFileName="")) returned 1 [0120.990] lstrcmpiW (lpString1="angular.js", lpString2="Windows") returned -1 [0120.990] lstrcmpiW (lpString1="angular.js", lpString2="Program Files") returned -1 [0120.990] lstrcmpiW (lpString1="angular.js", lpString2="Program Files (x86)") returned -1 [0120.990] lstrcmpiW (lpString1="angular.js", lpString2="$Recycle.bin") returned 1 [0120.990] lstrcmpiW (lpString1="angular.js", lpString2="System Volume Information") returned -1 [0120.990] lstrcmpiW (lpString1="angular.js", lpString2=".") returned 1 [0120.990] lstrcmpiW (lpString1="angular.js", lpString2="..") returned 1 [0120.990] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\angular.js") returned 149 [0120.990] lstrcmpW (lpString1="angular.js", lpString2="PUSSY.TXT") returned -1 [0120.990] PathFindExtensionW (pszPath="angular.js") returned=".js" [0120.990] lstrlenW (lpString=".js") returned 3 [0120.990] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0120.990] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\angular.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\angular.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1c4 [0120.991] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=573631) returned 1 [0120.991] GetProcessHeap () returned 0x4c0000 [0120.992] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c20058 [0121.005] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="B4") returned 2 [0121.005] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="9B") returned 2 [0121.006] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="A5") returned 2 [0121.006] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="4F") returned 2 [0121.006] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="E5") returned 2 [0121.006] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="95") returned 2 [0121.006] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="E3") returned 2 [0121.006] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="AB") returned 2 [0121.006] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="24") returned 2 [0121.006] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="C4") returned 2 [0121.006] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="57") returned 2 [0121.006] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="7E") returned 2 [0121.006] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="B5") returned 2 [0121.006] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="74") returned 2 [0121.006] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="8C") returned 2 [0121.006] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="46") returned 2 [0121.006] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="BD") returned 2 [0121.006] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="51") returned 2 [0121.006] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="DE") returned 2 [0121.006] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="1A") returned 2 [0121.006] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="EF") returned 2 [0121.006] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="EE") returned 2 [0121.006] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="A4") returned 2 [0121.006] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="7E") returned 2 [0121.006] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="A0") returned 2 [0121.006] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="FD") returned 2 [0121.006] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="90") returned 2 [0121.006] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="A2") returned 2 [0121.007] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="F6") returned 2 [0121.007] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="E2") returned 2 [0121.007] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="A3") returned 2 [0121.007] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="63") returned 2 [0121.019] lstrcpyW (in: lpString1=0x3c3008c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\angular.js" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\angular.js") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\angular.js" [0121.019] lstrcpyW (in: lpString1=0x3c2008c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\angular.js" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\angular.js") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\angular.js" [0121.019] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\angular.js", lpString2=".B49BA54FE595E3AB24C4577EB5748C46BD51DE1AEFEEA47EA0FD90A2F6E2A363" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\angular.js.B49BA54FE595E3AB24C4577EB5748C46BD51DE1AEFEEA47EA0FD90A2F6E2A363") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\angular.js.B49BA54FE595E3AB24C4577EB5748C46BD51DE1AEFEEA47EA0FD90A2F6E2A363" [0121.019] CreateIoCompletionPort (FileHandle=0x1c4, ExistingCompletionPort=0x94, CompletionKey=0x3c20058, NumberOfConcurrentThreads=0x0) returned 0x94 [0121.019] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c20058, lpOverlapped=0x3c20058) returned 1 [0121.020] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x83641800, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83643f10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x1caf9500, ftLastWriteTime.dwHighDateTime=0x1d2c87a, nFileSizeHigh=0x0, nFileSizeLow=0xa89c, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="background_script.js", cAlternateFileName="BACKGR~1.JS")) returned 1 [0121.020] lstrcmpiW (lpString1="background_script.js", lpString2="Windows") returned -1 [0121.020] lstrcmpiW (lpString1="background_script.js", lpString2="Program Files") returned -1 [0121.020] lstrcmpiW (lpString1="background_script.js", lpString2="Program Files (x86)") returned -1 [0121.020] lstrcmpiW (lpString1="background_script.js", lpString2="$Recycle.bin") returned 1 [0121.020] lstrcmpiW (lpString1="background_script.js", lpString2="System Volume Information") returned -1 [0121.020] lstrcmpiW (lpString1="background_script.js", lpString2=".") returned 1 [0121.020] lstrcmpiW (lpString1="background_script.js", lpString2="..") returned 1 [0121.020] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\background_script.js") returned 159 [0121.020] lstrcmpW (lpString1="background_script.js", lpString2="PUSSY.TXT") returned -1 [0121.020] PathFindExtensionW (pszPath="background_script.js") returned=".js" [0121.020] lstrlenW (lpString=".js") returned 3 [0121.020] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0121.020] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\background_script.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\background_script.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1c0 [0121.022] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=43164) returned 1 [0121.022] GetProcessHeap () returned 0x4c0000 [0121.022] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c480a8 [0121.036] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="8B") returned 2 [0121.036] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="51") returned 2 [0121.036] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="95") returned 2 [0121.036] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="53") returned 2 [0121.036] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="BA") returned 2 [0121.036] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="D3") returned 2 [0121.036] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="F5") returned 2 [0121.036] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="AE") returned 2 [0121.036] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="F9") returned 2 [0121.036] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="5C") returned 2 [0121.036] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="5A") returned 2 [0121.036] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="89") returned 2 [0121.036] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="F5") returned 2 [0121.036] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="31") returned 2 [0121.036] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="7A") returned 2 [0121.036] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="22") returned 2 [0121.036] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="C1") returned 2 [0121.036] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="D1") returned 2 [0121.036] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="66") returned 2 [0121.036] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="49") returned 2 [0121.036] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="CE") returned 2 [0121.036] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="7B") returned 2 [0121.036] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="1A") returned 2 [0121.037] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="D3") returned 2 [0121.037] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="3C") returned 2 [0121.037] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="6F") returned 2 [0121.037] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="D8") returned 2 [0121.037] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="B0") returned 2 [0121.037] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="1B") returned 2 [0121.037] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="73") returned 2 [0121.037] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="6F") returned 2 [0121.037] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="08") returned 2 [0121.050] lstrcpyW (in: lpString1=0x3c580dc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\background_script.js" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\background_script.js") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\background_script.js" [0121.050] lstrcpyW (in: lpString1=0x3c480dc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\background_script.js" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\background_script.js") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\background_script.js" [0121.050] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\background_script.js", lpString2=".8B519553BAD3F5AEF95C5A89F5317A22C1D16649CE7B1AD33C6FD8B01B736F08" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\background_script.js.8B519553BAD3F5AEF95C5A89F5317A22C1D16649CE7B1AD33C6FD8B01B736F08") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\background_script.js.8B519553BAD3F5AEF95C5A89F5317A22C1D16649CE7B1AD33C6FD8B01B736F08" [0121.050] CreateIoCompletionPort (FileHandle=0x1c0, ExistingCompletionPort=0x94, CompletionKey=0x3c480a8, NumberOfConcurrentThreads=0x0) returned 0x94 [0121.050] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c480a8, lpOverlapped=0x3c480a8) returned 1 [0121.050] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x83646620, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83648d30, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x1caf9500, ftLastWriteTime.dwHighDateTime=0x1d2c87a, nFileSizeHigh=0x0, nFileSizeLow=0x181aa, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="cast_game_sender.js", cAlternateFileName="CAST_G~1.JS")) returned 1 [0121.050] lstrcmpiW (lpString1="cast_game_sender.js", lpString2="Windows") returned -1 [0121.050] lstrcmpiW (lpString1="cast_game_sender.js", lpString2="Program Files") returned -1 [0121.050] lstrcmpiW (lpString1="cast_game_sender.js", lpString2="Program Files (x86)") returned -1 [0121.050] lstrcmpiW (lpString1="cast_game_sender.js", lpString2="$Recycle.bin") returned 1 [0121.050] lstrcmpiW (lpString1="cast_game_sender.js", lpString2="System Volume Information") returned -1 [0121.050] lstrcmpiW (lpString1="cast_game_sender.js", lpString2=".") returned 1 [0121.050] lstrcmpiW (lpString1="cast_game_sender.js", lpString2="..") returned 1 [0121.050] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_game_sender.js") returned 158 [0121.050] lstrcmpW (lpString1="cast_game_sender.js", lpString2="PUSSY.TXT") returned -1 [0121.050] PathFindExtensionW (pszPath="cast_game_sender.js") returned=".js" [0121.050] lstrlenW (lpString=".js") returned 3 [0121.051] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0121.051] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_game_sender.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_game_sender.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0121.051] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=98730) returned 1 [0121.052] GetProcessHeap () returned 0x4c0000 [0121.052] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x53caf0 [0121.112] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="1C") returned 2 [0121.112] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="1B") returned 2 [0121.112] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="58") returned 2 [0121.112] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="FE") returned 2 [0121.112] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="9F") returned 2 [0121.112] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="5D") returned 2 [0121.112] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="B6") returned 2 [0121.112] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="DF") returned 2 [0121.112] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="08") returned 2 [0121.112] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="9C") returned 2 [0121.112] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="63") returned 2 [0121.112] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="28") returned 2 [0121.112] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="EB") returned 2 [0121.112] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="50") returned 2 [0121.112] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="9C") returned 2 [0121.112] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="E0") returned 2 [0121.112] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="40") returned 2 [0121.112] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="DB") returned 2 [0121.112] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="7E") returned 2 [0121.112] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="E6") returned 2 [0121.113] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="2A") returned 2 [0121.113] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="4E") returned 2 [0121.113] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="2A") returned 2 [0121.113] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="81") returned 2 [0121.113] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="1E") returned 2 [0121.113] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="BD") returned 2 [0121.113] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="F9") returned 2 [0121.113] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="06") returned 2 [0121.113] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="9B") returned 2 [0121.113] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="0E") returned 2 [0121.113] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="D2") returned 2 [0121.113] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="07") returned 2 [0121.125] lstrcpyW (in: lpString1=0x54cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_game_sender.js" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_game_sender.js") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_game_sender.js" [0121.125] lstrcpyW (in: lpString1=0x53cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_game_sender.js" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_game_sender.js") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_game_sender.js" [0121.125] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_game_sender.js", lpString2=".1C1B58FE9F5DB6DF089C6328EB509CE040DB7EE62A4E2A811EBDF9069B0ED207" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_game_sender.js.1C1B58FE9F5DB6DF089C6328EB509CE040DB7EE62A4E2A811EBDF9069B0ED207") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_game_sender.js.1C1B58FE9F5DB6DF089C6328EB509CE040DB7EE62A4E2A811EBDF9069B0ED207" [0121.125] CreateIoCompletionPort (FileHandle=0x16c, ExistingCompletionPort=0x94, CompletionKey=0x53caf0, NumberOfConcurrentThreads=0x0) returned 0x94 [0121.125] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x53caf0, lpOverlapped=0x53caf0) returned 1 [0121.126] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8364db50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8364db50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x1caf9500, ftLastWriteTime.dwHighDateTime=0x1d2c87a, nFileSizeHigh=0x0, nFileSizeLow=0x111e1, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="cast_route_details.html", cAlternateFileName="CAST_R~1.HTM")) returned 1 [0121.126] lstrcmpiW (lpString1="cast_route_details.html", lpString2="Windows") returned -1 [0121.126] lstrcmpiW (lpString1="cast_route_details.html", lpString2="Program Files") returned -1 [0121.126] lstrcmpiW (lpString1="cast_route_details.html", lpString2="Program Files (x86)") returned -1 [0121.126] lstrcmpiW (lpString1="cast_route_details.html", lpString2="$Recycle.bin") returned 1 [0121.126] lstrcmpiW (lpString1="cast_route_details.html", lpString2="System Volume Information") returned -1 [0121.126] lstrcmpiW (lpString1="cast_route_details.html", lpString2=".") returned 1 [0121.126] lstrcmpiW (lpString1="cast_route_details.html", lpString2="..") returned 1 [0121.126] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html") returned 162 [0121.126] lstrcmpW (lpString1="cast_route_details.html", lpString2="PUSSY.TXT") returned -1 [0121.126] PathFindExtensionW (pszPath="cast_route_details.html") returned=".html" [0121.126] lstrlenW (lpString=".html") returned 5 [0121.126] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0121.126] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b4 [0121.127] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=70113) returned 1 [0121.127] GetProcessHeap () returned 0x4c0000 [0121.127] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x564b40 [0121.141] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="76") returned 2 [0121.141] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="8D") returned 2 [0121.142] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="60") returned 2 [0121.142] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="F6") returned 2 [0121.142] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="22") returned 2 [0121.142] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="CF") returned 2 [0121.142] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="2E") returned 2 [0121.142] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="8C") returned 2 [0121.142] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="26") returned 2 [0121.142] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="B1") returned 2 [0121.142] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="FD") returned 2 [0121.142] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="09") returned 2 [0121.142] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="0A") returned 2 [0121.142] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="28") returned 2 [0121.142] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="63") returned 2 [0121.142] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="DE") returned 2 [0121.142] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="C3") returned 2 [0121.142] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="F5") returned 2 [0121.142] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="BB") returned 2 [0121.142] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="72") returned 2 [0121.142] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="8E") returned 2 [0121.142] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="E0") returned 2 [0121.142] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="0D") returned 2 [0121.142] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="F6") returned 2 [0121.142] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="4A") returned 2 [0121.142] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="E9") returned 2 [0121.142] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="E4") returned 2 [0121.142] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="53") returned 2 [0121.142] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="84") returned 2 [0121.143] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="5E") returned 2 [0121.143] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="6A") returned 2 [0121.143] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="33") returned 2 [0121.154] lstrcpyW (in: lpString1=0x574b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html" [0121.154] lstrcpyW (in: lpString1=0x564b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html" [0121.154] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html", lpString2=".768D60F622CF2E8C26B1FD090A2863DEC3F5BB728EE00DF64AE9E453845E6A33" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html.768D60F622CF2E8C26B1FD090A2863DEC3F5BB728EE00DF64AE9E453845E6A33") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html.768D60F622CF2E8C26B1FD090A2863DEC3F5BB728EE00DF64AE9E453845E6A33" [0121.154] CreateIoCompletionPort (FileHandle=0x1b4, ExistingCompletionPort=0x94, CompletionKey=0x564b40, NumberOfConcurrentThreads=0x0) returned 0x94 [0121.154] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x564b40, lpOverlapped=0x564b40) returned 1 [0121.156] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x83652970, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83657790, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x1caf9500, ftLastWriteTime.dwHighDateTime=0x1d2c87a, nFileSizeHigh=0x0, nFileSizeLow=0x3a258, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="cast_route_details.js", cAlternateFileName="CAST_R~1.JS")) returned 1 [0121.156] lstrcmpiW (lpString1="cast_route_details.js", lpString2="Windows") returned -1 [0121.156] lstrcmpiW (lpString1="cast_route_details.js", lpString2="Program Files") returned -1 [0121.156] lstrcmpiW (lpString1="cast_route_details.js", lpString2="Program Files (x86)") returned -1 [0121.156] lstrcmpiW (lpString1="cast_route_details.js", lpString2="$Recycle.bin") returned 1 [0121.156] lstrcmpiW (lpString1="cast_route_details.js", lpString2="System Volume Information") returned -1 [0121.156] lstrcmpiW (lpString1="cast_route_details.js", lpString2=".") returned 1 [0121.156] lstrcmpiW (lpString1="cast_route_details.js", lpString2="..") returned 1 [0121.156] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.js") returned 160 [0121.156] lstrcmpW (lpString1="cast_route_details.js", lpString2="PUSSY.TXT") returned -1 [0121.156] PathFindExtensionW (pszPath="cast_route_details.js") returned=".js" [0121.156] lstrlenW (lpString=".js") returned 3 [0121.156] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0121.156] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0121.157] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=238168) returned 1 [0121.157] GetProcessHeap () returned 0x4c0000 [0121.157] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3ce9008 [0121.172] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="69") returned 2 [0121.172] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="E0") returned 2 [0121.172] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="E0") returned 2 [0121.172] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="3D") returned 2 [0121.172] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="0D") returned 2 [0121.172] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="33") returned 2 [0121.172] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="83") returned 2 [0121.172] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="2B") returned 2 [0121.172] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="76") returned 2 [0121.172] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="FA") returned 2 [0121.172] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="63") returned 2 [0121.172] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="B7") returned 2 [0121.173] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="FB") returned 2 [0121.173] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="1A") returned 2 [0121.173] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="22") returned 2 [0121.173] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="A4") returned 2 [0121.173] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="EE") returned 2 [0121.173] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="C7") returned 2 [0121.173] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="EA") returned 2 [0121.173] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="FD") returned 2 [0121.173] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="A8") returned 2 [0121.173] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="98") returned 2 [0121.173] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="97") returned 2 [0121.173] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="32") returned 2 [0121.173] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="C0") returned 2 [0121.173] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="98") returned 2 [0121.173] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="12") returned 2 [0121.173] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="0D") returned 2 [0121.173] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="60") returned 2 [0121.173] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="12") returned 2 [0121.173] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="A8") returned 2 [0121.173] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="2D") returned 2 [0121.186] lstrcpyW (in: lpString1=0x3cf903c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.js" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.js") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.js" [0121.186] lstrcpyW (in: lpString1=0x3ce903c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.js" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.js") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.js" [0121.186] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.js", lpString2=".69E0E03D0D33832B76FA63B7FB1A22A4EEC7EAFDA8989732C098120D6012A82D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.js.69E0E03D0D33832B76FA63B7FB1A22A4EEC7EAFDA8989732C098120D6012A82D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.js.69E0E03D0D33832B76FA63B7FB1A22A4EEC7EAFDA8989732C098120D6012A82D" [0121.186] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x3ce9008, NumberOfConcurrentThreads=0x0) returned 0x94 [0121.186] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3ce9008, lpOverlapped=0x3ce9008) returned 1 [0121.186] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8365ecc0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x836613d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x1caf9500, ftLastWriteTime.dwHighDateTime=0x1d2c87a, nFileSizeHigh=0x0, nFileSizeLow=0xce17, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="cast_sender.js", cAlternateFileName="CAST_S~1.JS")) returned 1 [0121.186] lstrcmpiW (lpString1="cast_sender.js", lpString2="Windows") returned -1 [0121.186] lstrcmpiW (lpString1="cast_sender.js", lpString2="Program Files") returned -1 [0121.186] lstrcmpiW (lpString1="cast_sender.js", lpString2="Program Files (x86)") returned -1 [0121.186] lstrcmpiW (lpString1="cast_sender.js", lpString2="$Recycle.bin") returned 1 [0121.186] lstrcmpiW (lpString1="cast_sender.js", lpString2="System Volume Information") returned -1 [0121.187] lstrcmpiW (lpString1="cast_sender.js", lpString2=".") returned 1 [0121.187] lstrcmpiW (lpString1="cast_sender.js", lpString2="..") returned 1 [0121.187] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_sender.js") returned 153 [0121.187] lstrcmpW (lpString1="cast_sender.js", lpString2="PUSSY.TXT") returned -1 [0121.187] PathFindExtensionW (pszPath="cast_sender.js") returned=".js" [0121.187] lstrlenW (lpString=".js") returned 3 [0121.187] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0121.187] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_sender.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_sender.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x114 [0121.189] GetFileSizeEx (in: hFile=0x114, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=52759) returned 1 [0121.189] GetProcessHeap () returned 0x4c0000 [0121.189] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3d11058 [0121.206] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="73") returned 2 [0121.206] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="CC") returned 2 [0121.206] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="A0") returned 2 [0121.206] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="C8") returned 2 [0121.206] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="B0") returned 2 [0121.206] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="C8") returned 2 [0121.206] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="7E") returned 2 [0121.206] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="12") returned 2 [0121.206] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="59") returned 2 [0121.206] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="D9") returned 2 [0121.206] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="B5") returned 2 [0121.207] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="69") returned 2 [0121.207] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="A7") returned 2 [0121.207] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="7D") returned 2 [0121.207] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="F0") returned 2 [0121.207] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="98") returned 2 [0121.207] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="02") returned 2 [0121.207] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="F7") returned 2 [0121.207] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="F8") returned 2 [0121.207] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="95") returned 2 [0121.207] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="A9") returned 2 [0121.207] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="2D") returned 2 [0121.207] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="76") returned 2 [0121.207] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="95") returned 2 [0121.207] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="34") returned 2 [0121.207] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="52") returned 2 [0121.207] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="D7") returned 2 [0121.207] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="5A") returned 2 [0121.207] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="97") returned 2 [0121.207] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="FE") returned 2 [0121.208] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="D3") returned 2 [0121.208] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="74") returned 2 [0121.321] lstrcpyW (in: lpString1=0x3d2108c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_sender.js" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_sender.js") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_sender.js" [0121.321] lstrcpyW (in: lpString1=0x3d1108c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_sender.js" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_sender.js") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_sender.js" [0121.321] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_sender.js", lpString2=".73CCA0C8B0C87E1259D9B569A77DF09802F7F895A92D76953452D75A97FED374" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_sender.js.73CCA0C8B0C87E1259D9B569A77DF09802F7F895A92D76953452D75A97FED374") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_sender.js.73CCA0C8B0C87E1259D9B569A77DF09802F7F895A92D76953452D75A97FED374" [0121.321] CreateIoCompletionPort (FileHandle=0x114, ExistingCompletionPort=0x94, CompletionKey=0x3d11058, NumberOfConcurrentThreads=0x0) returned 0x94 [0121.321] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3d11058, lpOverlapped=0x3d11058) returned 1 [0121.323] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x83663ae0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x836884d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x836884d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="cast_setup", cAlternateFileName="CAST_S~1")) returned 1 [0121.323] lstrcmpiW (lpString1="cast_setup", lpString2="Windows") returned -1 [0121.323] lstrcmpiW (lpString1="cast_setup", lpString2="Program Files") returned -1 [0121.323] lstrcmpiW (lpString1="cast_setup", lpString2="Program Files (x86)") returned -1 [0121.323] lstrcmpiW (lpString1="cast_setup", lpString2="$Recycle.bin") returned 1 [0121.323] lstrcmpiW (lpString1="cast_setup", lpString2="System Volume Information") returned -1 [0121.323] lstrcmpiW (lpString1="cast_setup", lpString2=".") returned 1 [0121.323] lstrcmpiW (lpString1="cast_setup", lpString2="..") returned 1 [0121.323] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup") returned 149 [0121.368] GetProcessHeap () returned 0x4c0000 [0121.368] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0121.369] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup" [0121.369] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\*" [0121.369] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\*", lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x83663ae0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x836884d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x836884d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb71e0 [0121.459] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0121.459] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0121.459] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0121.459] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0121.459] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0121.459] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0121.459] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x83663ae0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x836884d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x836884d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0121.460] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0121.460] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0121.460] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0121.460] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0121.460] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0121.460] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0121.460] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0121.460] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x836661f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x836661f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x1caf9500, ftLastWriteTime.dwHighDateTime=0x1d2c87a, nFileSizeHigh=0x0, nFileSizeLow=0x1a1d, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="cast_app.css", cAlternateFileName="")) returned 1 [0121.460] lstrcmpiW (lpString1="cast_app.css", lpString2="Windows") returned -1 [0121.460] lstrcmpiW (lpString1="cast_app.css", lpString2="Program Files") returned -1 [0121.460] lstrcmpiW (lpString1="cast_app.css", lpString2="Program Files (x86)") returned -1 [0121.460] lstrcmpiW (lpString1="cast_app.css", lpString2="$Recycle.bin") returned 1 [0121.460] lstrcmpiW (lpString1="cast_app.css", lpString2="System Volume Information") returned -1 [0121.460] lstrcmpiW (lpString1="cast_app.css", lpString2=".") returned 1 [0121.460] lstrcmpiW (lpString1="cast_app.css", lpString2="..") returned 1 [0121.460] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.css") returned 162 [0121.460] lstrcmpW (lpString1="cast_app.css", lpString2="PUSSY.TXT") returned -1 [0121.460] PathFindExtensionW (pszPath="cast_app.css") returned=".css" [0121.460] lstrlenW (lpString=".css") returned 4 [0121.460] SystemFunction036 (in: RandomBuffer=0x289644, RandomBufferLength=0x20 | out: RandomBuffer=0x289644) returned 1 [0121.461] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.css" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x198 [0121.461] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x289638 | out: lpFileSize=0x289638*=6685) returned 1 [0121.462] GetProcessHeap () returned 0x4c0000 [0121.462] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b380a0 [0121.479] wsprintfW (in: param_1=0x289686, param_2="%02X" | out: param_1="49") returned 2 [0121.479] wsprintfW (in: param_1=0x28968a, param_2="%02X" | out: param_1="23") returned 2 [0121.479] wsprintfW (in: param_1=0x28968e, param_2="%02X" | out: param_1="3E") returned 2 [0121.479] wsprintfW (in: param_1=0x289692, param_2="%02X" | out: param_1="E1") returned 2 [0121.479] wsprintfW (in: param_1=0x289696, param_2="%02X" | out: param_1="5B") returned 2 [0121.479] wsprintfW (in: param_1=0x28969a, param_2="%02X" | out: param_1="30") returned 2 [0121.479] wsprintfW (in: param_1=0x28969e, param_2="%02X" | out: param_1="A8") returned 2 [0121.479] wsprintfW (in: param_1=0x2896a2, param_2="%02X" | out: param_1="3E") returned 2 [0121.479] wsprintfW (in: param_1=0x2896a6, param_2="%02X" | out: param_1="6C") returned 2 [0121.479] wsprintfW (in: param_1=0x2896aa, param_2="%02X" | out: param_1="33") returned 2 [0121.479] wsprintfW (in: param_1=0x2896ae, param_2="%02X" | out: param_1="BD") returned 2 [0121.479] wsprintfW (in: param_1=0x2896b2, param_2="%02X" | out: param_1="55") returned 2 [0121.479] wsprintfW (in: param_1=0x2896b6, param_2="%02X" | out: param_1="AB") returned 2 [0121.479] wsprintfW (in: param_1=0x2896ba, param_2="%02X" | out: param_1="18") returned 2 [0121.479] wsprintfW (in: param_1=0x2896be, param_2="%02X" | out: param_1="30") returned 2 [0121.479] wsprintfW (in: param_1=0x2896c2, param_2="%02X" | out: param_1="9B") returned 2 [0121.479] wsprintfW (in: param_1=0x2896c6, param_2="%02X" | out: param_1="A5") returned 2 [0121.479] wsprintfW (in: param_1=0x2896ca, param_2="%02X" | out: param_1="C8") returned 2 [0121.479] wsprintfW (in: param_1=0x2896ce, param_2="%02X" | out: param_1="B8") returned 2 [0121.479] wsprintfW (in: param_1=0x2896d2, param_2="%02X" | out: param_1="B3") returned 2 [0121.479] wsprintfW (in: param_1=0x2896d6, param_2="%02X" | out: param_1="B5") returned 2 [0121.479] wsprintfW (in: param_1=0x2896da, param_2="%02X" | out: param_1="59") returned 2 [0121.479] wsprintfW (in: param_1=0x2896de, param_2="%02X" | out: param_1="98") returned 2 [0121.480] wsprintfW (in: param_1=0x2896e2, param_2="%02X" | out: param_1="F6") returned 2 [0121.480] wsprintfW (in: param_1=0x2896e6, param_2="%02X" | out: param_1="71") returned 2 [0121.480] wsprintfW (in: param_1=0x2896ea, param_2="%02X" | out: param_1="D5") returned 2 [0121.480] wsprintfW (in: param_1=0x2896ee, param_2="%02X" | out: param_1="A4") returned 2 [0121.480] wsprintfW (in: param_1=0x2896f2, param_2="%02X" | out: param_1="1D") returned 2 [0121.480] wsprintfW (in: param_1=0x2896f6, param_2="%02X" | out: param_1="14") returned 2 [0121.480] wsprintfW (in: param_1=0x2896fa, param_2="%02X" | out: param_1="71") returned 2 [0121.480] wsprintfW (in: param_1=0x2896fe, param_2="%02X" | out: param_1="3E") returned 2 [0121.480] wsprintfW (in: param_1=0x289702, param_2="%02X" | out: param_1="0C") returned 2 [0121.563] lstrcpyW (in: lpString1=0x3b480d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.css" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.css") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.css" [0121.563] lstrcpyW (in: lpString1=0x3b380d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.css" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.css") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.css" [0121.563] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.css", lpString2=".49233EE15B30A83E6C33BD55AB18309BA5C8B8B3B55998F671D5A41D14713E0C" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.css.49233EE15B30A83E6C33BD55AB18309BA5C8B8B3B55998F671D5A41D14713E0C") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.css.49233EE15B30A83E6C33BD55AB18309BA5C8B8B3B55998F671D5A41D14713E0C" [0121.563] CreateIoCompletionPort (FileHandle=0x198, ExistingCompletionPort=0x94, CompletionKey=0x3b380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0121.563] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b380a0, lpOverlapped=0x3b380a0) returned 1 [0121.585] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8366b010, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8366d720, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x1caf9500, ftLastWriteTime.dwHighDateTime=0x1d2c87a, nFileSizeHigh=0x0, nFileSizeLow=0x221da, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="cast_app.js", cAlternateFileName="")) returned 1 [0121.585] lstrcmpiW (lpString1="cast_app.js", lpString2="Windows") returned -1 [0121.585] lstrcmpiW (lpString1="cast_app.js", lpString2="Program Files") returned -1 [0121.585] lstrcmpiW (lpString1="cast_app.js", lpString2="Program Files (x86)") returned -1 [0121.585] lstrcmpiW (lpString1="cast_app.js", lpString2="$Recycle.bin") returned 1 [0121.585] lstrcmpiW (lpString1="cast_app.js", lpString2="System Volume Information") returned -1 [0121.585] lstrcmpiW (lpString1="cast_app.js", lpString2=".") returned 1 [0121.585] lstrcmpiW (lpString1="cast_app.js", lpString2="..") returned 1 [0121.585] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.js") returned 161 [0121.585] lstrcmpW (lpString1="cast_app.js", lpString2="PUSSY.TXT") returned -1 [0121.585] PathFindExtensionW (pszPath="cast_app.js") returned=".js" [0121.586] lstrlenW (lpString=".js") returned 3 [0121.586] SystemFunction036 (in: RandomBuffer=0x289644, RandomBufferLength=0x20 | out: RandomBuffer=0x289644) returned 1 [0121.586] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0121.586] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x289638 | out: lpFileSize=0x289638*=139738) returned 1 [0121.586] GetProcessHeap () returned 0x4c0000 [0121.586] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b600f0 [0121.602] wsprintfW (in: param_1=0x289686, param_2="%02X" | out: param_1="E0") returned 2 [0121.602] wsprintfW (in: param_1=0x28968a, param_2="%02X" | out: param_1="34") returned 2 [0121.602] wsprintfW (in: param_1=0x28968e, param_2="%02X" | out: param_1="CF") returned 2 [0121.602] wsprintfW (in: param_1=0x289692, param_2="%02X" | out: param_1="3E") returned 2 [0121.602] wsprintfW (in: param_1=0x289696, param_2="%02X" | out: param_1="17") returned 2 [0121.602] wsprintfW (in: param_1=0x28969a, param_2="%02X" | out: param_1="1C") returned 2 [0121.603] wsprintfW (in: param_1=0x28969e, param_2="%02X" | out: param_1="12") returned 2 [0121.603] wsprintfW (in: param_1=0x2896a2, param_2="%02X" | out: param_1="24") returned 2 [0121.603] wsprintfW (in: param_1=0x2896a6, param_2="%02X" | out: param_1="27") returned 2 [0121.603] wsprintfW (in: param_1=0x2896aa, param_2="%02X" | out: param_1="EB") returned 2 [0121.603] wsprintfW (in: param_1=0x2896ae, param_2="%02X" | out: param_1="71") returned 2 [0121.603] wsprintfW (in: param_1=0x2896b2, param_2="%02X" | out: param_1="4B") returned 2 [0121.603] wsprintfW (in: param_1=0x2896b6, param_2="%02X" | out: param_1="68") returned 2 [0121.603] wsprintfW (in: param_1=0x2896ba, param_2="%02X" | out: param_1="ED") returned 2 [0121.603] wsprintfW (in: param_1=0x2896be, param_2="%02X" | out: param_1="B7") returned 2 [0121.603] wsprintfW (in: param_1=0x2896c2, param_2="%02X" | out: param_1="5E") returned 2 [0121.603] wsprintfW (in: param_1=0x2896c6, param_2="%02X" | out: param_1="EE") returned 2 [0121.603] wsprintfW (in: param_1=0x2896ca, param_2="%02X" | out: param_1="61") returned 2 [0121.603] wsprintfW (in: param_1=0x2896ce, param_2="%02X" | out: param_1="4C") returned 2 [0121.603] wsprintfW (in: param_1=0x2896d2, param_2="%02X" | out: param_1="37") returned 2 [0121.603] wsprintfW (in: param_1=0x2896d6, param_2="%02X" | out: param_1="65") returned 2 [0121.603] wsprintfW (in: param_1=0x2896da, param_2="%02X" | out: param_1="D8") returned 2 [0121.603] wsprintfW (in: param_1=0x2896de, param_2="%02X" | out: param_1="5C") returned 2 [0121.603] wsprintfW (in: param_1=0x2896e2, param_2="%02X" | out: param_1="4A") returned 2 [0121.603] wsprintfW (in: param_1=0x2896e6, param_2="%02X" | out: param_1="57") returned 2 [0121.603] wsprintfW (in: param_1=0x2896ea, param_2="%02X" | out: param_1="E6") returned 2 [0121.603] wsprintfW (in: param_1=0x2896ee, param_2="%02X" | out: param_1="D9") returned 2 [0121.603] wsprintfW (in: param_1=0x2896f2, param_2="%02X" | out: param_1="8A") returned 2 [0121.603] wsprintfW (in: param_1=0x2896f6, param_2="%02X" | out: param_1="F0") returned 2 [0121.603] wsprintfW (in: param_1=0x2896fa, param_2="%02X" | out: param_1="3A") returned 2 [0121.603] wsprintfW (in: param_1=0x2896fe, param_2="%02X" | out: param_1="05") returned 2 [0121.603] wsprintfW (in: param_1=0x289702, param_2="%02X" | out: param_1="32") returned 2 [0121.611] lstrcpyW (in: lpString1=0x3b70124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.js" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.js") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.js" [0121.611] lstrcpyW (in: lpString1=0x3b60124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.js" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.js") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.js" [0121.611] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.js", lpString2=".E034CF3E171C122427EB714B68EDB75EEE614C3765D85C4A57E6D98AF03A0532" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.js.E034CF3E171C122427EB714B68EDB75EEE614C3765D85C4A57E6D98AF03A0532") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.js.E034CF3E171C122427EB714B68EDB75EEE614C3765D85C4A57E6D98AF03A0532" [0121.611] CreateIoCompletionPort (FileHandle=0x1ac, ExistingCompletionPort=0x94, CompletionKey=0x3b600f0, NumberOfConcurrentThreads=0x0) returned 0x94 [0121.611] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b600f0, lpOverlapped=0x3b600f0) returned 1 [0121.612] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8366fe30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8366fe30, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x1caf9500, ftLastWriteTime.dwHighDateTime=0x1d2c87a, nFileSizeHigh=0x0, nFileSizeLow=0xf2, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="cast_app_redirect.js", cAlternateFileName="CAST_A~1.JS")) returned 1 [0121.612] lstrcmpiW (lpString1="cast_app_redirect.js", lpString2="Windows") returned -1 [0121.612] lstrcmpiW (lpString1="cast_app_redirect.js", lpString2="Program Files") returned -1 [0121.612] lstrcmpiW (lpString1="cast_app_redirect.js", lpString2="Program Files (x86)") returned -1 [0121.612] lstrcmpiW (lpString1="cast_app_redirect.js", lpString2="$Recycle.bin") returned 1 [0121.612] lstrcmpiW (lpString1="cast_app_redirect.js", lpString2="System Volume Information") returned -1 [0121.612] lstrcmpiW (lpString1="cast_app_redirect.js", lpString2=".") returned 1 [0121.612] lstrcmpiW (lpString1="cast_app_redirect.js", lpString2="..") returned 1 [0121.612] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app_redirect.js") returned 170 [0121.612] lstrcmpW (lpString1="cast_app_redirect.js", lpString2="PUSSY.TXT") returned -1 [0121.612] PathFindExtensionW (pszPath="cast_app_redirect.js") returned=".js" [0121.614] lstrlenW (lpString=".js") returned 3 [0121.615] SystemFunction036 (in: RandomBuffer=0x289644, RandomBufferLength=0x20 | out: RandomBuffer=0x289644) returned 1 [0121.615] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app_redirect.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app_redirect.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x198 [0121.616] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x289638 | out: lpFileSize=0x289638*=242) returned 1 [0121.616] CloseHandle (hObject=0x198) returned 1 [0121.616] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x83674c50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83674c50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x1caf9500, ftLastWriteTime.dwHighDateTime=0x1d2c87a, nFileSizeHigh=0x0, nFileSizeLow=0x1bef, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="chromecast_logo_grey.png", cAlternateFileName="CHROME~1.PNG")) returned 1 [0121.616] lstrcmpiW (lpString1="chromecast_logo_grey.png", lpString2="Windows") returned -1 [0121.616] lstrcmpiW (lpString1="chromecast_logo_grey.png", lpString2="Program Files") returned -1 [0121.616] lstrcmpiW (lpString1="chromecast_logo_grey.png", lpString2="Program Files (x86)") returned -1 [0121.616] lstrcmpiW (lpString1="chromecast_logo_grey.png", lpString2="$Recycle.bin") returned 1 [0121.616] lstrcmpiW (lpString1="chromecast_logo_grey.png", lpString2="System Volume Information") returned -1 [0121.616] lstrcmpiW (lpString1="chromecast_logo_grey.png", lpString2=".") returned 1 [0121.616] lstrcmpiW (lpString1="chromecast_logo_grey.png", lpString2="..") returned 1 [0121.616] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png") returned 174 [0121.616] lstrcmpW (lpString1="chromecast_logo_grey.png", lpString2="PUSSY.TXT") returned -1 [0121.616] PathFindExtensionW (pszPath="chromecast_logo_grey.png") returned=".png" [0121.617] lstrlenW (lpString=".png") returned 4 [0121.617] SystemFunction036 (in: RandomBuffer=0x289644, RandomBufferLength=0x20 | out: RandomBuffer=0x289644) returned 1 [0121.617] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x198 [0121.617] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x289638 | out: lpFileSize=0x289638*=7151) returned 1 [0121.617] GetProcessHeap () returned 0x4c0000 [0121.617] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b380a0 [0121.655] wsprintfW (in: param_1=0x289686, param_2="%02X" | out: param_1="8C") returned 2 [0121.655] wsprintfW (in: param_1=0x28968a, param_2="%02X" | out: param_1="5B") returned 2 [0121.655] wsprintfW (in: param_1=0x28968e, param_2="%02X" | out: param_1="24") returned 2 [0121.655] wsprintfW (in: param_1=0x289692, param_2="%02X" | out: param_1="EF") returned 2 [0121.655] wsprintfW (in: param_1=0x289696, param_2="%02X" | out: param_1="FA") returned 2 [0121.655] wsprintfW (in: param_1=0x28969a, param_2="%02X" | out: param_1="6B") returned 2 [0121.655] wsprintfW (in: param_1=0x28969e, param_2="%02X" | out: param_1="58") returned 2 [0121.655] wsprintfW (in: param_1=0x2896a2, param_2="%02X" | out: param_1="26") returned 2 [0121.655] wsprintfW (in: param_1=0x2896a6, param_2="%02X" | out: param_1="6F") returned 2 [0121.655] wsprintfW (in: param_1=0x2896aa, param_2="%02X" | out: param_1="3D") returned 2 [0121.655] wsprintfW (in: param_1=0x2896ae, param_2="%02X" | out: param_1="15") returned 2 [0121.655] wsprintfW (in: param_1=0x2896b2, param_2="%02X" | out: param_1="D3") returned 2 [0121.655] wsprintfW (in: param_1=0x2896b6, param_2="%02X" | out: param_1="66") returned 2 [0121.655] wsprintfW (in: param_1=0x2896ba, param_2="%02X" | out: param_1="FC") returned 2 [0121.655] wsprintfW (in: param_1=0x2896be, param_2="%02X" | out: param_1="2C") returned 2 [0121.655] wsprintfW (in: param_1=0x2896c2, param_2="%02X" | out: param_1="FC") returned 2 [0121.655] wsprintfW (in: param_1=0x2896c6, param_2="%02X" | out: param_1="73") returned 2 [0121.655] wsprintfW (in: param_1=0x2896ca, param_2="%02X" | out: param_1="E4") returned 2 [0121.655] wsprintfW (in: param_1=0x2896ce, param_2="%02X" | out: param_1="04") returned 2 [0121.655] wsprintfW (in: param_1=0x2896d2, param_2="%02X" | out: param_1="A6") returned 2 [0121.656] wsprintfW (in: param_1=0x2896d6, param_2="%02X" | out: param_1="25") returned 2 [0121.656] wsprintfW (in: param_1=0x2896da, param_2="%02X" | out: param_1="2A") returned 2 [0121.656] wsprintfW (in: param_1=0x2896de, param_2="%02X" | out: param_1="60") returned 2 [0121.656] wsprintfW (in: param_1=0x2896e2, param_2="%02X" | out: param_1="4B") returned 2 [0121.656] wsprintfW (in: param_1=0x2896e6, param_2="%02X" | out: param_1="AF") returned 2 [0121.656] wsprintfW (in: param_1=0x2896ea, param_2="%02X" | out: param_1="C4") returned 2 [0121.656] wsprintfW (in: param_1=0x2896ee, param_2="%02X" | out: param_1="22") returned 2 [0121.656] wsprintfW (in: param_1=0x2896f2, param_2="%02X" | out: param_1="85") returned 2 [0121.656] wsprintfW (in: param_1=0x2896f6, param_2="%02X" | out: param_1="D0") returned 2 [0121.656] wsprintfW (in: param_1=0x2896fa, param_2="%02X" | out: param_1="16") returned 2 [0121.656] wsprintfW (in: param_1=0x2896fe, param_2="%02X" | out: param_1="11") returned 2 [0121.656] wsprintfW (in: param_1=0x289702, param_2="%02X" | out: param_1="72") returned 2 [0121.665] lstrcpyW (in: lpString1=0x3b480d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png" [0121.665] lstrcpyW (in: lpString1=0x3b380d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png" [0121.665] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png", lpString2=".8C5B24EFFA6B58266F3D15D366FC2CFC73E404A6252A604BAFC42285D0161172" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png.8C5B24EFFA6B58266F3D15D366FC2CFC73E404A6252A604BAFC42285D0161172") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png.8C5B24EFFA6B58266F3D15D366FC2CFC73E404A6252A604BAFC42285D0161172" [0121.665] CreateIoCompletionPort (FileHandle=0x198, ExistingCompletionPort=0x94, CompletionKey=0x3b380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0121.665] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b380a0, lpOverlapped=0x3b380a0) returned 1 [0121.665] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x83679a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83679a70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x1caf9500, ftLastWriteTime.dwHighDateTime=0x1d2c87a, nFileSizeHigh=0x0, nFileSizeLow=0x3b, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="devices.html", cAlternateFileName="DEVICE~1.HTM")) returned 1 [0121.665] lstrcmpiW (lpString1="devices.html", lpString2="Windows") returned -1 [0121.665] lstrcmpiW (lpString1="devices.html", lpString2="Program Files") returned -1 [0121.665] lstrcmpiW (lpString1="devices.html", lpString2="Program Files (x86)") returned -1 [0121.665] lstrcmpiW (lpString1="devices.html", lpString2="$Recycle.bin") returned 1 [0121.665] lstrcmpiW (lpString1="devices.html", lpString2="System Volume Information") returned -1 [0121.665] lstrcmpiW (lpString1="devices.html", lpString2=".") returned 1 [0121.665] lstrcmpiW (lpString1="devices.html", lpString2="..") returned 1 [0121.665] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\devices.html") returned 162 [0121.666] lstrcmpW (lpString1="devices.html", lpString2="PUSSY.TXT") returned -1 [0121.666] PathFindExtensionW (pszPath="devices.html") returned=".html" [0121.666] lstrlenW (lpString=".html") returned 5 [0121.666] SystemFunction036 (in: RandomBuffer=0x289644, RandomBufferLength=0x20 | out: RandomBuffer=0x289644) returned 1 [0121.666] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\devices.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\devices.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0121.673] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x289638 | out: lpFileSize=0x289638*=59) returned 1 [0121.673] CloseHandle (hObject=0x1b8) returned 1 [0121.673] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8367c180, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8367c180, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x1caf9500, ftLastWriteTime.dwHighDateTime=0x1d2c87a, nFileSizeHigh=0x0, nFileSizeLow=0x828, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="index.html", cAlternateFileName="INDEX~1.HTM")) returned 1 [0121.673] lstrcmpiW (lpString1="index.html", lpString2="Windows") returned -1 [0121.673] lstrcmpiW (lpString1="index.html", lpString2="Program Files") returned -1 [0121.673] lstrcmpiW (lpString1="index.html", lpString2="Program Files (x86)") returned -1 [0121.673] lstrcmpiW (lpString1="index.html", lpString2="$Recycle.bin") returned 1 [0121.673] lstrcmpiW (lpString1="index.html", lpString2="System Volume Information") returned -1 [0121.673] lstrcmpiW (lpString1="index.html", lpString2=".") returned 1 [0121.673] lstrcmpiW (lpString1="index.html", lpString2="..") returned 1 [0121.673] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html") returned 160 [0121.673] lstrcmpW (lpString1="index.html", lpString2="PUSSY.TXT") returned -1 [0121.673] PathFindExtensionW (pszPath="index.html") returned=".html" [0121.673] lstrlenW (lpString=".html") returned 5 [0121.673] SystemFunction036 (in: RandomBuffer=0x289644, RandomBufferLength=0x20 | out: RandomBuffer=0x289644) returned 1 [0121.673] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0121.674] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x289638 | out: lpFileSize=0x289638*=2088) returned 1 [0121.674] GetProcessHeap () returned 0x4c0000 [0121.674] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b88140 [0121.690] wsprintfW (in: param_1=0x289686, param_2="%02X" | out: param_1="47") returned 2 [0121.690] wsprintfW (in: param_1=0x28968a, param_2="%02X" | out: param_1="FE") returned 2 [0121.690] wsprintfW (in: param_1=0x28968e, param_2="%02X" | out: param_1="3E") returned 2 [0121.691] wsprintfW (in: param_1=0x289692, param_2="%02X" | out: param_1="53") returned 2 [0121.691] wsprintfW (in: param_1=0x289696, param_2="%02X" | out: param_1="DD") returned 2 [0121.691] wsprintfW (in: param_1=0x28969a, param_2="%02X" | out: param_1="1C") returned 2 [0121.691] wsprintfW (in: param_1=0x28969e, param_2="%02X" | out: param_1="14") returned 2 [0121.691] wsprintfW (in: param_1=0x2896a2, param_2="%02X" | out: param_1="5E") returned 2 [0121.691] wsprintfW (in: param_1=0x2896a6, param_2="%02X" | out: param_1="F0") returned 2 [0121.691] wsprintfW (in: param_1=0x2896aa, param_2="%02X" | out: param_1="89") returned 2 [0121.691] wsprintfW (in: param_1=0x2896ae, param_2="%02X" | out: param_1="C7") returned 2 [0121.691] wsprintfW (in: param_1=0x2896b2, param_2="%02X" | out: param_1="14") returned 2 [0121.691] wsprintfW (in: param_1=0x2896b6, param_2="%02X" | out: param_1="7D") returned 2 [0121.691] wsprintfW (in: param_1=0x2896ba, param_2="%02X" | out: param_1="0E") returned 2 [0121.691] wsprintfW (in: param_1=0x2896be, param_2="%02X" | out: param_1="BD") returned 2 [0121.691] wsprintfW (in: param_1=0x2896c2, param_2="%02X" | out: param_1="8B") returned 2 [0121.691] wsprintfW (in: param_1=0x2896c6, param_2="%02X" | out: param_1="E6") returned 2 [0121.691] wsprintfW (in: param_1=0x2896ca, param_2="%02X" | out: param_1="3F") returned 2 [0121.691] wsprintfW (in: param_1=0x2896ce, param_2="%02X" | out: param_1="E2") returned 2 [0121.691] wsprintfW (in: param_1=0x2896d2, param_2="%02X" | out: param_1="38") returned 2 [0121.691] wsprintfW (in: param_1=0x2896d6, param_2="%02X" | out: param_1="C3") returned 2 [0121.691] wsprintfW (in: param_1=0x2896da, param_2="%02X" | out: param_1="96") returned 2 [0121.691] wsprintfW (in: param_1=0x2896de, param_2="%02X" | out: param_1="B7") returned 2 [0121.692] wsprintfW (in: param_1=0x2896e2, param_2="%02X" | out: param_1="39") returned 2 [0121.692] wsprintfW (in: param_1=0x2896e6, param_2="%02X" | out: param_1="76") returned 2 [0121.692] wsprintfW (in: param_1=0x2896ea, param_2="%02X" | out: param_1="BB") returned 2 [0121.692] wsprintfW (in: param_1=0x2896ee, param_2="%02X" | out: param_1="B6") returned 2 [0121.692] wsprintfW (in: param_1=0x2896f2, param_2="%02X" | out: param_1="51") returned 2 [0121.692] wsprintfW (in: param_1=0x2896f6, param_2="%02X" | out: param_1="C8") returned 2 [0121.692] wsprintfW (in: param_1=0x2896fa, param_2="%02X" | out: param_1="C1") returned 2 [0121.692] wsprintfW (in: param_1=0x2896fe, param_2="%02X" | out: param_1="4D") returned 2 [0121.692] wsprintfW (in: param_1=0x289702, param_2="%02X" | out: param_1="76") returned 2 [0121.701] lstrcpyW (in: lpString1=0x3b98174, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html" [0121.701] lstrcpyW (in: lpString1=0x3b88174, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html" [0121.701] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html", lpString2=".47FE3E53DD1C145EF089C7147D0EBD8BE63FE238C396B73976BBB651C8C14D76" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html.47FE3E53DD1C145EF089C7147D0EBD8BE63FE238C396B73976BBB651C8C14D76") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html.47FE3E53DD1C145EF089C7147D0EBD8BE63FE238C396B73976BBB651C8C14D76" [0121.701] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x3b88140, NumberOfConcurrentThreads=0x0) returned 0x94 [0121.701] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b88140, lpOverlapped=0x3b88140) returned 1 [0121.701] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x83685dc0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83685dc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x1caf9500, ftLastWriteTime.dwHighDateTime=0x1d2c87a, nFileSizeHigh=0x0, nFileSizeLow=0x3b, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="offers.html", cAlternateFileName="OFFERS~1.HTM")) returned 1 [0121.701] lstrcmpiW (lpString1="offers.html", lpString2="Windows") returned -1 [0121.701] lstrcmpiW (lpString1="offers.html", lpString2="Program Files") returned -1 [0121.701] lstrcmpiW (lpString1="offers.html", lpString2="Program Files (x86)") returned -1 [0121.701] lstrcmpiW (lpString1="offers.html", lpString2="$Recycle.bin") returned 1 [0121.702] lstrcmpiW (lpString1="offers.html", lpString2="System Volume Information") returned -1 [0121.702] lstrcmpiW (lpString1="offers.html", lpString2=".") returned 1 [0121.702] lstrcmpiW (lpString1="offers.html", lpString2="..") returned 1 [0121.702] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\offers.html") returned 161 [0121.702] lstrcmpW (lpString1="offers.html", lpString2="PUSSY.TXT") returned -1 [0121.702] PathFindExtensionW (pszPath="offers.html") returned=".html" [0121.702] lstrlenW (lpString=".html") returned 5 [0121.702] SystemFunction036 (in: RandomBuffer=0x289644, RandomBufferLength=0x20 | out: RandomBuffer=0x289644) returned 1 [0121.702] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\offers.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\offers.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0121.703] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x289638 | out: lpFileSize=0x289638*=59) returned 1 [0121.703] CloseHandle (hObject=0x17c) returned 1 [0121.703] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x836884d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8368abe0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x1caf9500, ftLastWriteTime.dwHighDateTime=0x1d2c87a, nFileSizeHigh=0x0, nFileSizeLow=0x3b, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="setup.html", cAlternateFileName="SETUP~1.HTM")) returned 1 [0121.703] lstrcmpiW (lpString1="setup.html", lpString2="Windows") returned -1 [0121.704] lstrcmpiW (lpString1="setup.html", lpString2="Program Files") returned 1 [0121.704] lstrcmpiW (lpString1="setup.html", lpString2="Program Files (x86)") returned 1 [0121.704] lstrcmpiW (lpString1="setup.html", lpString2="$Recycle.bin") returned 1 [0121.704] lstrcmpiW (lpString1="setup.html", lpString2="System Volume Information") returned -1 [0121.704] lstrcmpiW (lpString1="setup.html", lpString2=".") returned 1 [0121.704] lstrcmpiW (lpString1="setup.html", lpString2="..") returned 1 [0121.704] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\setup.html") returned 160 [0121.704] lstrcmpW (lpString1="setup.html", lpString2="PUSSY.TXT") returned 1 [0121.704] PathFindExtensionW (pszPath="setup.html") returned=".html" [0121.704] lstrlenW (lpString=".html") returned 5 [0121.704] SystemFunction036 (in: RandomBuffer=0x289644, RandomBufferLength=0x20 | out: RandomBuffer=0x289644) returned 1 [0121.704] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\setup.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\setup.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0121.704] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x289638 | out: lpFileSize=0x289638*=59) returned 1 [0121.705] CloseHandle (hObject=0x17c) returned 1 [0121.705] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x836884d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8368abe0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x1caf9500, ftLastWriteTime.dwHighDateTime=0x1d2c87a, nFileSizeHigh=0x0, nFileSizeLow=0x3b, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="setup.html", cAlternateFileName="SETUP~1.HTM")) returned 0 [0121.705] FindClose (in: hFindFile=0x3bb71e0 | out: hFindFile=0x3bb71e0) returned 1 [0121.708] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\PUSSY.TXT") returned 159 [0121.708] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0121.709] lstrlenA (lpString="abcd") returned 4 [0121.709] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2899ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x2899ac*=0x4, lpOverlapped=0x0) returned 1 [0121.710] CloseHandle (hObject=0x1b0) returned 1 [0121.710] GetProcessHeap () returned 0x4c0000 [0121.710] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0121.710] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8368d2f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83694820, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83694820, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="cloud_route_details", cAlternateFileName="CLOUD_~1")) returned 1 [0121.710] lstrcmpiW (lpString1="cloud_route_details", lpString2="Windows") returned -1 [0121.710] lstrcmpiW (lpString1="cloud_route_details", lpString2="Program Files") returned -1 [0121.710] lstrcmpiW (lpString1="cloud_route_details", lpString2="Program Files (x86)") returned -1 [0121.710] lstrcmpiW (lpString1="cloud_route_details", lpString2="$Recycle.bin") returned 1 [0121.710] lstrcmpiW (lpString1="cloud_route_details", lpString2="System Volume Information") returned -1 [0121.710] lstrcmpiW (lpString1="cloud_route_details", lpString2=".") returned 1 [0121.710] lstrcmpiW (lpString1="cloud_route_details", lpString2="..") returned 1 [0121.710] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details") returned 158 [0121.710] GetProcessHeap () returned 0x4c0000 [0121.710] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0121.710] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details" [0121.710] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\*" [0121.710] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\*", lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8368d2f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83694820, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83694820, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb71e0 [0121.710] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0121.710] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0121.710] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0121.711] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0121.711] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0121.711] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0121.711] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8368d2f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83694820, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83694820, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0121.711] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0121.711] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0121.711] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0121.711] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0121.711] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0121.711] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0121.711] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0121.711] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8368fa00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8368fa00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x1caf9500, ftLastWriteTime.dwHighDateTime=0x1d2c87a, nFileSizeHigh=0x0, nFileSizeLow=0x174c, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="view.html", cAlternateFileName="VIEW~1.HTM")) returned 1 [0121.711] lstrcmpiW (lpString1="view.html", lpString2="Windows") returned -1 [0121.711] lstrcmpiW (lpString1="view.html", lpString2="Program Files") returned 1 [0121.711] lstrcmpiW (lpString1="view.html", lpString2="Program Files (x86)") returned 1 [0121.711] lstrcmpiW (lpString1="view.html", lpString2="$Recycle.bin") returned 1 [0121.711] lstrcmpiW (lpString1="view.html", lpString2="System Volume Information") returned 1 [0121.711] lstrcmpiW (lpString1="view.html", lpString2=".") returned 1 [0121.711] lstrcmpiW (lpString1="view.html", lpString2="..") returned 1 [0121.711] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html") returned 168 [0121.711] lstrcmpW (lpString1="view.html", lpString2="PUSSY.TXT") returned 1 [0121.711] PathFindExtensionW (pszPath="view.html") returned=".html" [0121.711] lstrlenW (lpString=".html") returned 5 [0121.711] SystemFunction036 (in: RandomBuffer=0x289644, RandomBufferLength=0x20 | out: RandomBuffer=0x289644) returned 1 [0121.711] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0121.712] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x289638 | out: lpFileSize=0x289638*=5964) returned 1 [0121.712] GetProcessHeap () returned 0x4c0000 [0121.712] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c720f8 [0121.723] wsprintfW (in: param_1=0x289686, param_2="%02X" | out: param_1="9E") returned 2 [0121.723] wsprintfW (in: param_1=0x28968a, param_2="%02X" | out: param_1="3B") returned 2 [0121.723] wsprintfW (in: param_1=0x28968e, param_2="%02X" | out: param_1="71") returned 2 [0121.723] wsprintfW (in: param_1=0x289692, param_2="%02X" | out: param_1="FB") returned 2 [0121.723] wsprintfW (in: param_1=0x289696, param_2="%02X" | out: param_1="BA") returned 2 [0121.723] wsprintfW (in: param_1=0x28969a, param_2="%02X" | out: param_1="9B") returned 2 [0121.723] wsprintfW (in: param_1=0x28969e, param_2="%02X" | out: param_1="B3") returned 2 [0121.723] wsprintfW (in: param_1=0x2896a2, param_2="%02X" | out: param_1="82") returned 2 [0121.723] wsprintfW (in: param_1=0x2896a6, param_2="%02X" | out: param_1="F9") returned 2 [0121.723] wsprintfW (in: param_1=0x2896aa, param_2="%02X" | out: param_1="4A") returned 2 [0121.723] wsprintfW (in: param_1=0x2896ae, param_2="%02X" | out: param_1="34") returned 2 [0121.723] wsprintfW (in: param_1=0x2896b2, param_2="%02X" | out: param_1="EA") returned 2 [0121.723] wsprintfW (in: param_1=0x2896b6, param_2="%02X" | out: param_1="E4") returned 2 [0121.723] wsprintfW (in: param_1=0x2896ba, param_2="%02X" | out: param_1="FC") returned 2 [0121.723] wsprintfW (in: param_1=0x2896be, param_2="%02X" | out: param_1="CF") returned 2 [0121.723] wsprintfW (in: param_1=0x2896c2, param_2="%02X" | out: param_1="95") returned 2 [0121.723] wsprintfW (in: param_1=0x2896c6, param_2="%02X" | out: param_1="CE") returned 2 [0121.723] wsprintfW (in: param_1=0x2896ca, param_2="%02X" | out: param_1="EA") returned 2 [0121.723] wsprintfW (in: param_1=0x2896ce, param_2="%02X" | out: param_1="88") returned 2 [0121.723] wsprintfW (in: param_1=0x2896d2, param_2="%02X" | out: param_1="D7") returned 2 [0121.723] wsprintfW (in: param_1=0x2896d6, param_2="%02X" | out: param_1="D9") returned 2 [0121.723] wsprintfW (in: param_1=0x2896da, param_2="%02X" | out: param_1="90") returned 2 [0121.723] wsprintfW (in: param_1=0x2896de, param_2="%02X" | out: param_1="40") returned 2 [0121.723] wsprintfW (in: param_1=0x2896e2, param_2="%02X" | out: param_1="57") returned 2 [0121.723] wsprintfW (in: param_1=0x2896e6, param_2="%02X" | out: param_1="E0") returned 2 [0121.723] wsprintfW (in: param_1=0x2896ea, param_2="%02X" | out: param_1="C7") returned 2 [0121.724] wsprintfW (in: param_1=0x2896ee, param_2="%02X" | out: param_1="14") returned 2 [0121.724] wsprintfW (in: param_1=0x2896f2, param_2="%02X" | out: param_1="05") returned 2 [0121.724] wsprintfW (in: param_1=0x2896f6, param_2="%02X" | out: param_1="37") returned 2 [0121.724] wsprintfW (in: param_1=0x2896fa, param_2="%02X" | out: param_1="81") returned 2 [0121.724] wsprintfW (in: param_1=0x2896fe, param_2="%02X" | out: param_1="1C") returned 2 [0121.724] wsprintfW (in: param_1=0x289702, param_2="%02X" | out: param_1="45") returned 2 [0121.732] lstrcpyW (in: lpString1=0x3c8212c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html" [0121.732] lstrcpyW (in: lpString1=0x3c7212c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html" [0121.732] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html", lpString2=".9E3B71FBBA9BB382F94A34EAE4FCCF95CEEA88D7D9904057E0C7140537811C45" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html.9E3B71FBBA9BB382F94A34EAE4FCCF95CEEA88D7D9904057E0C7140537811C45") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html.9E3B71FBBA9BB382F94A34EAE4FCCF95CEEA88D7D9904057E0C7140537811C45" [0121.732] CreateIoCompletionPort (FileHandle=0x17c, ExistingCompletionPort=0x94, CompletionKey=0x3c720f8, NumberOfConcurrentThreads=0x0) returned 0x94 [0121.732] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c720f8, lpOverlapped=0x3c720f8) returned 1 [0121.732] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x83694820, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83694820, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x1caf9500, ftLastWriteTime.dwHighDateTime=0x1d2c87a, nFileSizeHigh=0x0, nFileSizeLow=0x945, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="view.js", cAlternateFileName="")) returned 1 [0121.732] lstrcmpiW (lpString1="view.js", lpString2="Windows") returned -1 [0121.732] lstrcmpiW (lpString1="view.js", lpString2="Program Files") returned 1 [0121.732] lstrcmpiW (lpString1="view.js", lpString2="Program Files (x86)") returned 1 [0121.732] lstrcmpiW (lpString1="view.js", lpString2="$Recycle.bin") returned 1 [0121.732] lstrcmpiW (lpString1="view.js", lpString2="System Volume Information") returned 1 [0121.732] lstrcmpiW (lpString1="view.js", lpString2=".") returned 1 [0121.732] lstrcmpiW (lpString1="view.js", lpString2="..") returned 1 [0121.732] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.js") returned 166 [0121.733] lstrcmpW (lpString1="view.js", lpString2="PUSSY.TXT") returned 1 [0121.733] PathFindExtensionW (pszPath="view.js") returned=".js" [0121.733] lstrlenW (lpString=".js") returned 3 [0121.733] SystemFunction036 (in: RandomBuffer=0x289644, RandomBufferLength=0x20 | out: RandomBuffer=0x289644) returned 1 [0121.733] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0121.746] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x289638 | out: lpFileSize=0x289638*=2373) returned 1 [0121.746] GetProcessHeap () returned 0x4c0000 [0121.746] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x53caf0 [0121.760] wsprintfW (in: param_1=0x289686, param_2="%02X" | out: param_1="67") returned 2 [0121.760] wsprintfW (in: param_1=0x28968a, param_2="%02X" | out: param_1="B6") returned 2 [0121.760] wsprintfW (in: param_1=0x28968e, param_2="%02X" | out: param_1="1A") returned 2 [0121.760] wsprintfW (in: param_1=0x289692, param_2="%02X" | out: param_1="D5") returned 2 [0121.760] wsprintfW (in: param_1=0x289696, param_2="%02X" | out: param_1="35") returned 2 [0121.760] wsprintfW (in: param_1=0x28969a, param_2="%02X" | out: param_1="BD") returned 2 [0121.760] wsprintfW (in: param_1=0x28969e, param_2="%02X" | out: param_1="D9") returned 2 [0121.760] wsprintfW (in: param_1=0x2896a2, param_2="%02X" | out: param_1="E3") returned 2 [0121.760] wsprintfW (in: param_1=0x2896a6, param_2="%02X" | out: param_1="87") returned 2 [0121.760] wsprintfW (in: param_1=0x2896aa, param_2="%02X" | out: param_1="E9") returned 2 [0121.760] wsprintfW (in: param_1=0x2896ae, param_2="%02X" | out: param_1="4B") returned 2 [0121.760] wsprintfW (in: param_1=0x2896b2, param_2="%02X" | out: param_1="DA") returned 2 [0121.760] wsprintfW (in: param_1=0x2896b6, param_2="%02X" | out: param_1="31") returned 2 [0121.760] wsprintfW (in: param_1=0x2896ba, param_2="%02X" | out: param_1="54") returned 2 [0121.760] wsprintfW (in: param_1=0x2896be, param_2="%02X" | out: param_1="A0") returned 2 [0121.760] wsprintfW (in: param_1=0x2896c2, param_2="%02X" | out: param_1="A7") returned 2 [0121.760] wsprintfW (in: param_1=0x2896c6, param_2="%02X" | out: param_1="5A") returned 2 [0121.760] wsprintfW (in: param_1=0x2896ca, param_2="%02X" | out: param_1="10") returned 2 [0121.760] wsprintfW (in: param_1=0x2896ce, param_2="%02X" | out: param_1="6F") returned 2 [0121.760] wsprintfW (in: param_1=0x2896d2, param_2="%02X" | out: param_1="08") returned 2 [0121.760] wsprintfW (in: param_1=0x2896d6, param_2="%02X" | out: param_1="8A") returned 2 [0121.760] wsprintfW (in: param_1=0x2896da, param_2="%02X" | out: param_1="38") returned 2 [0121.760] wsprintfW (in: param_1=0x2896de, param_2="%02X" | out: param_1="1D") returned 2 [0121.760] wsprintfW (in: param_1=0x2896e2, param_2="%02X" | out: param_1="FE") returned 2 [0121.760] wsprintfW (in: param_1=0x2896e6, param_2="%02X" | out: param_1="17") returned 2 [0121.761] wsprintfW (in: param_1=0x2896ea, param_2="%02X" | out: param_1="E2") returned 2 [0121.761] wsprintfW (in: param_1=0x2896ee, param_2="%02X" | out: param_1="A7") returned 2 [0121.761] wsprintfW (in: param_1=0x2896f2, param_2="%02X" | out: param_1="ED") returned 2 [0121.761] wsprintfW (in: param_1=0x2896f6, param_2="%02X" | out: param_1="42") returned 2 [0121.761] wsprintfW (in: param_1=0x2896fa, param_2="%02X" | out: param_1="EC") returned 2 [0121.761] wsprintfW (in: param_1=0x2896fe, param_2="%02X" | out: param_1="F9") returned 2 [0121.761] wsprintfW (in: param_1=0x289702, param_2="%02X" | out: param_1="1D") returned 2 [0121.769] lstrcpyW (in: lpString1=0x54cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.js" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.js") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.js" [0121.769] lstrcpyW (in: lpString1=0x53cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.js" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.js") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.js" [0121.769] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.js", lpString2=".67B61AD535BDD9E387E94BDA3154A0A75A106F088A381DFE17E2A7ED42ECF91D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.js.67B61AD535BDD9E387E94BDA3154A0A75A106F088A381DFE17E2A7ED42ECF91D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.js.67B61AD535BDD9E387E94BDA3154A0A75A106F088A381DFE17E2A7ED42ECF91D" [0121.769] CreateIoCompletionPort (FileHandle=0x16c, ExistingCompletionPort=0x94, CompletionKey=0x53caf0, NumberOfConcurrentThreads=0x0) returned 0x94 [0121.769] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x53caf0, lpOverlapped=0x53caf0) returned 1 [0121.769] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x83694820, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83694820, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x1caf9500, ftLastWriteTime.dwHighDateTime=0x1d2c87a, nFileSizeHigh=0x0, nFileSizeLow=0x945, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="view.js", cAlternateFileName="")) returned 0 [0121.769] FindClose (in: hFindFile=0x3bb71e0 | out: hFindFile=0x3bb71e0) returned 1 [0121.769] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\PUSSY.TXT") returned 168 [0121.770] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0121.770] lstrlenA (lpString="abcd") returned 4 [0121.770] WriteFile (in: hFile=0x1b0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2899ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x2899ac*=0x4, lpOverlapped=0x0) returned 1 [0121.771] CloseHandle (hObject=0x1b0) returned 1 [0121.771] GetProcessHeap () returned 0x4c0000 [0121.771] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0121.771] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x83696f30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83699640, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x1caf9500, ftLastWriteTime.dwHighDateTime=0x1d2c87a, nFileSizeHigh=0x0, nFileSizeLow=0xc878, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="common.js", cAlternateFileName="")) returned 1 [0121.771] lstrcmpiW (lpString1="common.js", lpString2="Windows") returned -1 [0121.771] lstrcmpiW (lpString1="common.js", lpString2="Program Files") returned -1 [0121.771] lstrcmpiW (lpString1="common.js", lpString2="Program Files (x86)") returned -1 [0121.772] lstrcmpiW (lpString1="common.js", lpString2="$Recycle.bin") returned 1 [0121.772] lstrcmpiW (lpString1="common.js", lpString2="System Volume Information") returned -1 [0121.772] lstrcmpiW (lpString1="common.js", lpString2=".") returned 1 [0121.772] lstrcmpiW (lpString1="common.js", lpString2="..") returned 1 [0121.772] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\common.js") returned 148 [0121.772] lstrcmpW (lpString1="common.js", lpString2="PUSSY.TXT") returned -1 [0121.772] PathFindExtensionW (pszPath="common.js") returned=".js" [0121.772] lstrlenW (lpString=".js") returned 3 [0121.772] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0121.772] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\common.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\common.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0121.772] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=51320) returned 1 [0121.772] GetProcessHeap () returned 0x4c0000 [0121.772] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c720f8 [0121.781] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="7E") returned 2 [0121.781] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="CE") returned 2 [0121.781] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="B4") returned 2 [0121.781] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="43") returned 2 [0121.781] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="4E") returned 2 [0121.781] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="0A") returned 2 [0121.781] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="19") returned 2 [0121.781] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="C8") returned 2 [0121.781] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="D4") returned 2 [0121.781] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="EE") returned 2 [0121.781] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="3F") returned 2 [0121.781] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="47") returned 2 [0121.781] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="B8") returned 2 [0121.781] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="CE") returned 2 [0121.781] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="83") returned 2 [0121.781] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="CB") returned 2 [0121.781] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="AD") returned 2 [0121.781] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="F7") returned 2 [0121.781] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="EE") returned 2 [0121.781] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="86") returned 2 [0121.782] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="DA") returned 2 [0121.782] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="63") returned 2 [0121.782] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="77") returned 2 [0121.782] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="84") returned 2 [0121.782] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="E5") returned 2 [0121.782] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="0B") returned 2 [0121.782] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="42") returned 2 [0121.782] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="0C") returned 2 [0121.782] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="2E") returned 2 [0121.782] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="91") returned 2 [0121.782] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="A3") returned 2 [0121.782] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="4F") returned 2 [0121.791] lstrcpyW (in: lpString1=0x3c8212c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\common.js" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\common.js") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\common.js" [0121.791] lstrcpyW (in: lpString1=0x3c7212c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\common.js" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\common.js") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\common.js" [0121.791] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\common.js", lpString2=".7ECEB4434E0A19C8D4EE3F47B8CE83CBADF7EE86DA637784E50B420C2E91A34F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\common.js.7ECEB4434E0A19C8D4EE3F47B8CE83CBADF7EE86DA637784E50B420C2E91A34F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\common.js.7ECEB4434E0A19C8D4EE3F47B8CE83CBADF7EE86DA637784E50B420C2E91A34F" [0121.791] CreateIoCompletionPort (FileHandle=0x1b0, ExistingCompletionPort=0x94, CompletionKey=0x3c720f8, NumberOfConcurrentThreads=0x0) returned 0x94 [0121.791] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c720f8, lpOverlapped=0x3c720f8) returned 1 [0121.791] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8369bd50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8369bd50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x1caf9500, ftLastWriteTime.dwHighDateTime=0x1d2c87a, nFileSizeHigh=0x0, nFileSizeLow=0xc26, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="feedback.css", cAlternateFileName="")) returned 1 [0121.791] lstrcmpiW (lpString1="feedback.css", lpString2="Windows") returned -1 [0121.791] lstrcmpiW (lpString1="feedback.css", lpString2="Program Files") returned -1 [0121.791] lstrcmpiW (lpString1="feedback.css", lpString2="Program Files (x86)") returned -1 [0121.791] lstrcmpiW (lpString1="feedback.css", lpString2="$Recycle.bin") returned 1 [0121.791] lstrcmpiW (lpString1="feedback.css", lpString2="System Volume Information") returned -1 [0121.791] lstrcmpiW (lpString1="feedback.css", lpString2=".") returned 1 [0121.791] lstrcmpiW (lpString1="feedback.css", lpString2="..") returned 1 [0121.791] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.css") returned 151 [0121.792] lstrcmpW (lpString1="feedback.css", lpString2="PUSSY.TXT") returned -1 [0121.792] PathFindExtensionW (pszPath="feedback.css") returned=".css" [0121.792] lstrlenW (lpString=".css") returned 4 [0121.792] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0121.792] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.css" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0121.792] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=3110) returned 1 [0121.793] GetProcessHeap () returned 0x4c0000 [0121.793] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c9a148 [0121.802] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="81") returned 2 [0121.802] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="A8") returned 2 [0121.802] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="DF") returned 2 [0121.813] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="C9") returned 2 [0121.813] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="87") returned 2 [0121.813] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="9D") returned 2 [0121.813] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="9B") returned 2 [0121.813] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="2D") returned 2 [0121.813] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="5B") returned 2 [0121.813] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="8F") returned 2 [0121.813] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="0C") returned 2 [0121.813] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="F0") returned 2 [0121.813] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="B0") returned 2 [0121.813] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="B1") returned 2 [0121.813] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="2C") returned 2 [0121.813] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="36") returned 2 [0121.813] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="E5") returned 2 [0121.813] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="82") returned 2 [0121.813] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="CB") returned 2 [0121.813] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="BA") returned 2 [0121.813] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="0E") returned 2 [0121.813] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="C1") returned 2 [0121.813] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="48") returned 2 [0121.813] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="9A") returned 2 [0121.813] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="E6") returned 2 [0121.813] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="5F") returned 2 [0121.813] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="88") returned 2 [0121.813] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="F4") returned 2 [0121.813] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="1F") returned 2 [0121.813] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="87") returned 2 [0121.813] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="41") returned 2 [0121.813] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="28") returned 2 [0121.822] lstrcpyW (in: lpString1=0x3caa17c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.css" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.css") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.css" [0121.822] lstrcpyW (in: lpString1=0x3c9a17c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.css" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.css") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.css" [0121.822] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.css", lpString2=".81A8DFC9879D9B2D5B8F0CF0B0B12C36E582CBBA0EC1489AE65F88F41F874128" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.css.81A8DFC9879D9B2D5B8F0CF0B0B12C36E582CBBA0EC1489AE65F88F41F874128") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.css.81A8DFC9879D9B2D5B8F0CF0B0B12C36E582CBBA0EC1489AE65F88F41F874128" [0121.822] CreateIoCompletionPort (FileHandle=0x17c, ExistingCompletionPort=0x94, CompletionKey=0x3c9a148, NumberOfConcurrentThreads=0x0) returned 0x94 [0121.822] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c9a148, lpOverlapped=0x3c9a148) returned 1 [0121.823] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x836a0b70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x836a0b70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x1caf9500, ftLastWriteTime.dwHighDateTime=0x1d2c87a, nFileSizeHigh=0x0, nFileSizeLow=0x38a8, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="feedback.html", cAlternateFileName="FEEDBA~1.HTM")) returned 1 [0121.823] lstrcmpiW (lpString1="feedback.html", lpString2="Windows") returned -1 [0121.823] lstrcmpiW (lpString1="feedback.html", lpString2="Program Files") returned -1 [0121.823] lstrcmpiW (lpString1="feedback.html", lpString2="Program Files (x86)") returned -1 [0121.823] lstrcmpiW (lpString1="feedback.html", lpString2="$Recycle.bin") returned 1 [0121.823] lstrcmpiW (lpString1="feedback.html", lpString2="System Volume Information") returned -1 [0121.823] lstrcmpiW (lpString1="feedback.html", lpString2=".") returned 1 [0121.823] lstrcmpiW (lpString1="feedback.html", lpString2="..") returned 1 [0121.823] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html") returned 152 [0121.823] lstrcmpW (lpString1="feedback.html", lpString2="PUSSY.TXT") returned -1 [0121.823] PathFindExtensionW (pszPath="feedback.html") returned=".html" [0121.823] lstrlenW (lpString=".html") returned 5 [0121.823] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0121.823] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a0 [0121.824] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=14504) returned 1 [0121.824] GetProcessHeap () returned 0x4c0000 [0121.824] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3d390a8 [0121.834] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="40") returned 2 [0121.834] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="0B") returned 2 [0121.834] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="41") returned 2 [0121.834] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="56") returned 2 [0121.834] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="FD") returned 2 [0121.834] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="FB") returned 2 [0121.834] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="EE") returned 2 [0121.834] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="F6") returned 2 [0121.834] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="89") returned 2 [0121.834] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="83") returned 2 [0121.834] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="49") returned 2 [0121.834] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="64") returned 2 [0121.834] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="46") returned 2 [0121.834] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="0A") returned 2 [0121.834] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="61") returned 2 [0121.834] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="BC") returned 2 [0121.834] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="2E") returned 2 [0121.834] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="17") returned 2 [0121.834] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="B9") returned 2 [0121.834] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="CD") returned 2 [0121.834] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="24") returned 2 [0121.834] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="38") returned 2 [0121.834] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="C5") returned 2 [0121.834] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="E6") returned 2 [0121.834] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="4F") returned 2 [0121.834] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="F6") returned 2 [0121.835] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="A2") returned 2 [0121.835] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="3B") returned 2 [0121.835] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="5B") returned 2 [0121.835] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="0D") returned 2 [0121.835] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="97") returned 2 [0121.835] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="51") returned 2 [0121.843] lstrcpyW (in: lpString1=0x3d490dc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html" [0121.843] lstrcpyW (in: lpString1=0x3d390dc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html" [0121.843] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html", lpString2=".400B4156FDFBEEF689834964460A61BC2E17B9CD2438C5E64FF6A23B5B0D9751" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html.400B4156FDFBEEF689834964460A61BC2E17B9CD2438C5E64FF6A23B5B0D9751") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html.400B4156FDFBEEF689834964460A61BC2E17B9CD2438C5E64FF6A23B5B0D9751" [0121.843] CreateIoCompletionPort (FileHandle=0x1a0, ExistingCompletionPort=0x94, CompletionKey=0x3d390a8, NumberOfConcurrentThreads=0x0) returned 0x94 [0121.843] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3d390a8, lpOverlapped=0x3d390a8) returned 1 [0121.843] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x836a5990, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x836a5990, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x1caf9500, ftLastWriteTime.dwHighDateTime=0x1d2c87a, nFileSizeHigh=0x0, nFileSizeLow=0x2b20, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="feedback_script.js", cAlternateFileName="FEEDBA~1.JS")) returned 1 [0121.843] lstrcmpiW (lpString1="feedback_script.js", lpString2="Windows") returned -1 [0121.843] lstrcmpiW (lpString1="feedback_script.js", lpString2="Program Files") returned -1 [0121.843] lstrcmpiW (lpString1="feedback_script.js", lpString2="Program Files (x86)") returned -1 [0121.843] lstrcmpiW (lpString1="feedback_script.js", lpString2="$Recycle.bin") returned 1 [0121.844] lstrcmpiW (lpString1="feedback_script.js", lpString2="System Volume Information") returned -1 [0121.844] lstrcmpiW (lpString1="feedback_script.js", lpString2=".") returned 1 [0121.844] lstrcmpiW (lpString1="feedback_script.js", lpString2="..") returned 1 [0121.844] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback_script.js") returned 157 [0121.844] lstrcmpW (lpString1="feedback_script.js", lpString2="PUSSY.TXT") returned -1 [0121.844] PathFindExtensionW (pszPath="feedback_script.js") returned=".js" [0121.844] lstrlenW (lpString=".js") returned 3 [0121.844] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0121.844] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback_script.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback_script.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1bc [0121.845] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=11040) returned 1 [0121.845] GetProcessHeap () returned 0x4c0000 [0121.846] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3d610f8 [0121.856] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="65") returned 2 [0121.856] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="A4") returned 2 [0121.856] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="F2") returned 2 [0121.856] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="AA") returned 2 [0121.856] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="16") returned 2 [0121.856] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="8A") returned 2 [0121.856] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="94") returned 2 [0121.856] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="D4") returned 2 [0121.856] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="AF") returned 2 [0121.856] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="57") returned 2 [0121.857] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="BA") returned 2 [0121.857] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="BF") returned 2 [0121.857] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="F0") returned 2 [0121.857] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="36") returned 2 [0121.857] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="27") returned 2 [0121.857] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="84") returned 2 [0121.857] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="34") returned 2 [0121.857] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="9A") returned 2 [0121.857] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="AF") returned 2 [0121.857] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="B4") returned 2 [0121.857] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="67") returned 2 [0121.857] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="68") returned 2 [0121.857] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="4D") returned 2 [0121.857] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="AB") returned 2 [0121.857] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="FC") returned 2 [0121.857] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="E7") returned 2 [0121.857] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="AC") returned 2 [0121.857] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="CC") returned 2 [0121.857] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="C9") returned 2 [0121.857] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="51") returned 2 [0121.857] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="69") returned 2 [0121.857] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="38") returned 2 [0121.866] lstrcpyW (in: lpString1=0x3d7112c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback_script.js" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback_script.js") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback_script.js" [0121.866] lstrcpyW (in: lpString1=0x3d6112c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback_script.js" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback_script.js") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback_script.js" [0121.866] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback_script.js", lpString2=".65A4F2AA168A94D4AF57BABFF0362784349AAFB467684DABFCE7ACCCC9516938" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback_script.js.65A4F2AA168A94D4AF57BABFF0362784349AAFB467684DABFCE7ACCCC9516938") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback_script.js.65A4F2AA168A94D4AF57BABFF0362784349AAFB467684DABFCE7ACCCC9516938" [0121.866] CreateIoCompletionPort (FileHandle=0x1bc, ExistingCompletionPort=0x94, CompletionKey=0x3d610f8, NumberOfConcurrentThreads=0x0) returned 0x94 [0121.866] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3d610f8, lpOverlapped=0x3d610f8) returned 1 [0121.866] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x833dcb50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x836af5d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8395fd70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x8f8, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="manifest.json", cAlternateFileName="MANIFE~1.JSO")) returned 1 [0121.867] lstrcmpiW (lpString1="manifest.json", lpString2="Windows") returned -1 [0121.867] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files") returned -1 [0121.867] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files (x86)") returned -1 [0121.867] lstrcmpiW (lpString1="manifest.json", lpString2="$Recycle.bin") returned 1 [0121.867] lstrcmpiW (lpString1="manifest.json", lpString2="System Volume Information") returned -1 [0121.867] lstrcmpiW (lpString1="manifest.json", lpString2=".") returned 1 [0121.867] lstrcmpiW (lpString1="manifest.json", lpString2="..") returned 1 [0121.867] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\manifest.json") returned 152 [0121.867] lstrcmpW (lpString1="manifest.json", lpString2="PUSSY.TXT") returned -1 [0121.867] PathFindExtensionW (pszPath="manifest.json") returned=".json" [0121.867] lstrlenW (lpString=".json") returned 5 [0121.867] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0121.867] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\manifest.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1c8 [0121.868] GetFileSizeEx (in: hFile=0x1c8, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=2296) returned 1 [0121.868] GetProcessHeap () returned 0x4c0000 [0121.868] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3d89148 [0121.890] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="17") returned 2 [0121.890] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="14") returned 2 [0121.890] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="AC") returned 2 [0121.890] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="DB") returned 2 [0121.890] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="02") returned 2 [0121.890] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="22") returned 2 [0121.890] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="2F") returned 2 [0121.890] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="46") returned 2 [0121.890] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="26") returned 2 [0121.891] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="1D") returned 2 [0121.891] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="22") returned 2 [0121.891] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="7A") returned 2 [0121.891] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="D6") returned 2 [0121.891] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="1F") returned 2 [0121.891] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="94") returned 2 [0121.891] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="48") returned 2 [0121.891] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="B6") returned 2 [0121.891] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="3B") returned 2 [0121.891] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="4D") returned 2 [0121.891] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="C1") returned 2 [0121.891] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="01") returned 2 [0121.891] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="FB") returned 2 [0121.891] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="51") returned 2 [0121.891] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="71") returned 2 [0121.891] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="D1") returned 2 [0121.891] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="78") returned 2 [0121.891] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="82") returned 2 [0121.891] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="DD") returned 2 [0121.891] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="5D") returned 2 [0121.891] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="C6") returned 2 [0121.891] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="98") returned 2 [0121.891] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="67") returned 2 [0121.899] lstrcpyW (in: lpString1=0x3d9917c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\manifest.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\manifest.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\manifest.json" [0121.899] lstrcpyW (in: lpString1=0x3d8917c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\manifest.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\manifest.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\manifest.json" [0121.899] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\manifest.json", lpString2=".1714ACDB02222F46261D227AD61F9448B63B4DC101FB5171D17882DD5DC69867" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\manifest.json.1714ACDB02222F46261D227AD61F9448B63B4DC101FB5171D17882DD5DC69867") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\manifest.json.1714ACDB02222F46261D227AD61F9448B63B4DC101FB5171D17882DD5DC69867" [0121.899] CreateIoCompletionPort (FileHandle=0x1c8, ExistingCompletionPort=0x94, CompletionKey=0x3d89148, NumberOfConcurrentThreads=0x0) returned 0x94 [0121.900] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3d89148, lpOverlapped=0x3d89148) returned 1 [0121.905] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x836b1ce0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x836b43f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x1caf9500, ftLastWriteTime.dwHighDateTime=0x1d2c87a, nFileSizeHigh=0x0, nFileSizeLow=0x46039, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="material_css_min.css", cAlternateFileName="MATERI~1.CSS")) returned 1 [0121.905] lstrcmpiW (lpString1="material_css_min.css", lpString2="Windows") returned -1 [0121.905] lstrcmpiW (lpString1="material_css_min.css", lpString2="Program Files") returned -1 [0121.905] lstrcmpiW (lpString1="material_css_min.css", lpString2="Program Files (x86)") returned -1 [0121.905] lstrcmpiW (lpString1="material_css_min.css", lpString2="$Recycle.bin") returned 1 [0121.905] lstrcmpiW (lpString1="material_css_min.css", lpString2="System Volume Information") returned -1 [0121.905] lstrcmpiW (lpString1="material_css_min.css", lpString2=".") returned 1 [0121.905] lstrcmpiW (lpString1="material_css_min.css", lpString2="..") returned 1 [0121.905] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\material_css_min.css") returned 159 [0121.905] lstrcmpW (lpString1="material_css_min.css", lpString2="PUSSY.TXT") returned -1 [0121.905] PathFindExtensionW (pszPath="material_css_min.css") returned=".css" [0121.905] lstrlenW (lpString=".css") returned 4 [0121.906] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0121.906] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\material_css_min.css" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\material_css_min.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1c8 [0121.906] GetFileSizeEx (in: hFile=0x1c8, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=286777) returned 1 [0121.906] GetProcessHeap () returned 0x4c0000 [0121.906] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3d610f8 [0121.916] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="9E") returned 2 [0121.916] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="BD") returned 2 [0121.916] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="02") returned 2 [0121.916] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="25") returned 2 [0121.916] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="D5") returned 2 [0121.916] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="E5") returned 2 [0121.916] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="A7") returned 2 [0121.916] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="A7") returned 2 [0121.916] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="5F") returned 2 [0121.916] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="54") returned 2 [0121.916] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="05") returned 2 [0121.916] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="BD") returned 2 [0121.916] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="BA") returned 2 [0121.916] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="6C") returned 2 [0121.916] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="A4") returned 2 [0121.916] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="D8") returned 2 [0121.916] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="5A") returned 2 [0121.916] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="D8") returned 2 [0121.916] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="17") returned 2 [0121.916] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="B2") returned 2 [0121.916] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="29") returned 2 [0121.916] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="63") returned 2 [0121.917] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="8A") returned 2 [0121.917] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="F8") returned 2 [0121.917] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="CD") returned 2 [0121.917] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="BD") returned 2 [0121.917] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="F4") returned 2 [0121.917] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="82") returned 2 [0121.917] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="8F") returned 2 [0121.917] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="58") returned 2 [0121.917] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="43") returned 2 [0121.917] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="50") returned 2 [0121.925] lstrcpyW (in: lpString1=0x3d7112c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\material_css_min.css" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\material_css_min.css") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\material_css_min.css" [0121.925] lstrcpyW (in: lpString1=0x3d6112c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\material_css_min.css" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\material_css_min.css") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\material_css_min.css" [0121.925] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\material_css_min.css", lpString2=".9EBD0225D5E5A7A75F5405BDBA6CA4D85AD817B229638AF8CDBDF4828F584350" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\material_css_min.css.9EBD0225D5E5A7A75F5405BDBA6CA4D85AD817B229638AF8CDBDF4828F584350") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\material_css_min.css.9EBD0225D5E5A7A75F5405BDBA6CA4D85AD817B229638AF8CDBDF4828F584350" [0121.925] CreateIoCompletionPort (FileHandle=0x1c8, ExistingCompletionPort=0x94, CompletionKey=0x3d610f8, NumberOfConcurrentThreads=0x0) returned 0x94 [0121.925] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3d610f8, lpOverlapped=0x3d610f8) returned 1 [0121.926] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x836b6b00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x836b9210, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x1caf9500, ftLastWriteTime.dwHighDateTime=0x1d2c87a, nFileSizeHigh=0x0, nFileSizeLow=0x7c33, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="mirroring_cast_streaming.js", cAlternateFileName="MIRROR~1.JS")) returned 1 [0121.926] lstrcmpiW (lpString1="mirroring_cast_streaming.js", lpString2="Windows") returned -1 [0121.926] lstrcmpiW (lpString1="mirroring_cast_streaming.js", lpString2="Program Files") returned -1 [0121.926] lstrcmpiW (lpString1="mirroring_cast_streaming.js", lpString2="Program Files (x86)") returned -1 [0121.926] lstrcmpiW (lpString1="mirroring_cast_streaming.js", lpString2="$Recycle.bin") returned 1 [0121.926] lstrcmpiW (lpString1="mirroring_cast_streaming.js", lpString2="System Volume Information") returned -1 [0121.926] lstrcmpiW (lpString1="mirroring_cast_streaming.js", lpString2=".") returned 1 [0121.926] lstrcmpiW (lpString1="mirroring_cast_streaming.js", lpString2="..") returned 1 [0121.926] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_cast_streaming.js") returned 166 [0121.926] lstrcmpW (lpString1="mirroring_cast_streaming.js", lpString2="PUSSY.TXT") returned -1 [0121.926] PathFindExtensionW (pszPath="mirroring_cast_streaming.js") returned=".js" [0121.926] lstrlenW (lpString=".js") returned 3 [0121.926] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0121.926] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_cast_streaming.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_cast_streaming.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1bc [0121.927] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=31795) returned 1 [0121.927] GetProcessHeap () returned 0x4c0000 [0121.927] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3d89148 [0121.967] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="A0") returned 2 [0121.967] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="CF") returned 2 [0121.967] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="A3") returned 2 [0121.967] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="EA") returned 2 [0121.967] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="F6") returned 2 [0121.967] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="5F") returned 2 [0121.967] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="8A") returned 2 [0121.967] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="D4") returned 2 [0121.967] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="DA") returned 2 [0121.967] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="0B") returned 2 [0121.967] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="B4") returned 2 [0121.967] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="6E") returned 2 [0121.967] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="2E") returned 2 [0121.968] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="BB") returned 2 [0121.968] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="ED") returned 2 [0121.968] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="85") returned 2 [0121.968] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="3A") returned 2 [0121.968] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="12") returned 2 [0121.968] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="59") returned 2 [0121.968] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="E5") returned 2 [0121.968] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="1A") returned 2 [0121.968] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="17") returned 2 [0121.968] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="73") returned 2 [0121.968] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="A9") returned 2 [0121.968] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="E6") returned 2 [0121.968] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="C1") returned 2 [0121.968] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="8A") returned 2 [0121.968] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="D9") returned 2 [0121.968] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="6D") returned 2 [0121.968] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="69") returned 2 [0121.968] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="68") returned 2 [0121.968] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="69") returned 2 [0121.978] lstrcpyW (in: lpString1=0x3d9917c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_cast_streaming.js" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_cast_streaming.js") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_cast_streaming.js" [0121.978] lstrcpyW (in: lpString1=0x3d8917c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_cast_streaming.js" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_cast_streaming.js") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_cast_streaming.js" [0121.978] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_cast_streaming.js", lpString2=".A0CFA3EAF65F8AD4DA0BB46E2EBBED853A1259E51A1773A9E6C18AD96D696869" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_cast_streaming.js.A0CFA3EAF65F8AD4DA0BB46E2EBBED853A1259E51A1773A9E6C18AD96D696869") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_cast_streaming.js.A0CFA3EAF65F8AD4DA0BB46E2EBBED853A1259E51A1773A9E6C18AD96D696869" [0121.978] CreateIoCompletionPort (FileHandle=0x1bc, ExistingCompletionPort=0x94, CompletionKey=0x3d89148, NumberOfConcurrentThreads=0x0) returned 0x94 [0121.979] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3d89148, lpOverlapped=0x3d89148) returned 1 [0121.979] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x836c2e50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x836c5560, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x1caf9500, ftLastWriteTime.dwHighDateTime=0x1d2c87a, nFileSizeHigh=0x0, nFileSizeLow=0x2adeb, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="mirroring_common.js", cAlternateFileName="MIRROR~2.JS")) returned 1 [0121.979] lstrcmpiW (lpString1="mirroring_common.js", lpString2="Windows") returned -1 [0121.979] lstrcmpiW (lpString1="mirroring_common.js", lpString2="Program Files") returned -1 [0121.979] lstrcmpiW (lpString1="mirroring_common.js", lpString2="Program Files (x86)") returned -1 [0121.979] lstrcmpiW (lpString1="mirroring_common.js", lpString2="$Recycle.bin") returned 1 [0121.979] lstrcmpiW (lpString1="mirroring_common.js", lpString2="System Volume Information") returned -1 [0121.979] lstrcmpiW (lpString1="mirroring_common.js", lpString2=".") returned 1 [0121.979] lstrcmpiW (lpString1="mirroring_common.js", lpString2="..") returned 1 [0121.979] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_common.js") returned 158 [0121.979] lstrcmpW (lpString1="mirroring_common.js", lpString2="PUSSY.TXT") returned -1 [0121.979] PathFindExtensionW (pszPath="mirroring_common.js") returned=".js" [0121.980] lstrlenW (lpString=".js") returned 3 [0121.980] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0121.980] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_common.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_common.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1c4 [0121.980] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=175595) returned 1 [0121.980] GetProcessHeap () returned 0x4c0000 [0121.980] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c20058 [0122.016] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="97") returned 2 [0122.016] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="B6") returned 2 [0122.016] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="5B") returned 2 [0122.016] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="77") returned 2 [0122.016] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="28") returned 2 [0122.016] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="1D") returned 2 [0122.016] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="29") returned 2 [0122.016] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="72") returned 2 [0122.016] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="04") returned 2 [0122.016] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="08") returned 2 [0122.016] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="51") returned 2 [0122.016] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="BD") returned 2 [0122.016] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="E3") returned 2 [0122.016] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="1D") returned 2 [0122.016] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="50") returned 2 [0122.016] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="CE") returned 2 [0122.016] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="69") returned 2 [0122.016] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="34") returned 2 [0122.017] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="5C") returned 2 [0122.017] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="14") returned 2 [0122.017] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="65") returned 2 [0122.017] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="5C") returned 2 [0122.017] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="5B") returned 2 [0122.017] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="A5") returned 2 [0122.017] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="80") returned 2 [0122.017] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="DA") returned 2 [0122.017] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="BE") returned 2 [0122.017] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="F3") returned 2 [0122.017] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="98") returned 2 [0122.017] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="C3") returned 2 [0122.017] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="C9") returned 2 [0122.017] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="53") returned 2 [0122.026] lstrcpyW (in: lpString1=0x3c3008c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_common.js" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_common.js") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_common.js" [0122.026] lstrcpyW (in: lpString1=0x3c2008c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_common.js" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_common.js") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_common.js" [0122.026] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_common.js", lpString2=".97B65B77281D2972040851BDE31D50CE69345C14655C5BA580DABEF398C3C953" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_common.js.97B65B77281D2972040851BDE31D50CE69345C14655C5BA580DABEF398C3C953") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_common.js.97B65B77281D2972040851BDE31D50CE69345C14655C5BA580DABEF398C3C953" [0122.026] CreateIoCompletionPort (FileHandle=0x1c4, ExistingCompletionPort=0x94, CompletionKey=0x3c20058, NumberOfConcurrentThreads=0x0) returned 0x94 [0122.026] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c20058, lpOverlapped=0x3c20058) returned 1 [0122.055] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x836ca380, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x836cf1a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x1caf9500, ftLastWriteTime.dwHighDateTime=0x1d2c87a, nFileSizeHigh=0x0, nFileSizeLow=0x794cf, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="mirroring_hangouts.js", cAlternateFileName="MIRROR~3.JS")) returned 1 [0122.055] lstrcmpiW (lpString1="mirroring_hangouts.js", lpString2="Windows") returned -1 [0122.055] lstrcmpiW (lpString1="mirroring_hangouts.js", lpString2="Program Files") returned -1 [0122.055] lstrcmpiW (lpString1="mirroring_hangouts.js", lpString2="Program Files (x86)") returned -1 [0122.056] lstrcmpiW (lpString1="mirroring_hangouts.js", lpString2="$Recycle.bin") returned 1 [0122.056] lstrcmpiW (lpString1="mirroring_hangouts.js", lpString2="System Volume Information") returned -1 [0122.056] lstrcmpiW (lpString1="mirroring_hangouts.js", lpString2=".") returned 1 [0122.056] lstrcmpiW (lpString1="mirroring_hangouts.js", lpString2="..") returned 1 [0122.056] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_hangouts.js") returned 160 [0122.056] lstrcmpW (lpString1="mirroring_hangouts.js", lpString2="PUSSY.TXT") returned -1 [0122.056] PathFindExtensionW (pszPath="mirroring_hangouts.js") returned=".js" [0122.056] lstrlenW (lpString=".js") returned 3 [0122.056] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0122.056] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_hangouts.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_hangouts.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1cc [0122.057] GetFileSizeEx (in: hFile=0x1cc, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=496847) returned 1 [0122.057] GetProcessHeap () returned 0x4c0000 [0122.057] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3db1198 [0122.067] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="7C") returned 2 [0122.067] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="FE") returned 2 [0122.067] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="ED") returned 2 [0122.067] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="FA") returned 2 [0122.067] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="93") returned 2 [0122.067] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="46") returned 2 [0122.067] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="F9") returned 2 [0122.067] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="82") returned 2 [0122.067] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="C7") returned 2 [0122.067] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="44") returned 2 [0122.076] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="F3") returned 2 [0122.076] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="69") returned 2 [0122.076] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="F5") returned 2 [0122.076] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="55") returned 2 [0122.076] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="A2") returned 2 [0122.076] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="A2") returned 2 [0122.076] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="1B") returned 2 [0122.076] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="2D") returned 2 [0122.076] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="3A") returned 2 [0122.076] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="4B") returned 2 [0122.076] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="10") returned 2 [0122.076] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="F4") returned 2 [0122.076] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="E4") returned 2 [0122.077] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="AD") returned 2 [0122.077] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="91") returned 2 [0122.077] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="29") returned 2 [0122.077] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="04") returned 2 [0122.077] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="58") returned 2 [0122.077] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="AB") returned 2 [0122.077] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="F9") returned 2 [0122.077] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="35") returned 2 [0122.077] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="2D") returned 2 [0122.096] lstrcpyW (in: lpString1=0x3dc11cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_hangouts.js" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_hangouts.js") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_hangouts.js" [0122.096] lstrcpyW (in: lpString1=0x3db11cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_hangouts.js" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_hangouts.js") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_hangouts.js" [0122.096] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_hangouts.js", lpString2=".7CFEEDFA9346F982C744F369F555A2A21B2D3A4B10F4E4AD91290458ABF9352D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_hangouts.js.7CFEEDFA9346F982C744F369F555A2A21B2D3A4B10F4E4AD91290458ABF9352D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_hangouts.js.7CFEEDFA9346F982C744F369F555A2A21B2D3A4B10F4E4AD91290458ABF9352D" [0122.096] CreateIoCompletionPort (FileHandle=0x1cc, ExistingCompletionPort=0x94, CompletionKey=0x3db1198, NumberOfConcurrentThreads=0x0) returned 0x94 [0122.096] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3db1198, lpOverlapped=0x3db1198) returned 1 [0122.096] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x836d3fc0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x836d66d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x1caf9500, ftLastWriteTime.dwHighDateTime=0x1d2c87a, nFileSizeHigh=0x0, nFileSizeLow=0x941, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="mirroring_webrtc.js", cAlternateFileName="MIRROR~4.JS")) returned 1 [0122.096] lstrcmpiW (lpString1="mirroring_webrtc.js", lpString2="Windows") returned -1 [0122.097] lstrcmpiW (lpString1="mirroring_webrtc.js", lpString2="Program Files") returned -1 [0122.097] lstrcmpiW (lpString1="mirroring_webrtc.js", lpString2="Program Files (x86)") returned -1 [0122.097] lstrcmpiW (lpString1="mirroring_webrtc.js", lpString2="$Recycle.bin") returned 1 [0122.097] lstrcmpiW (lpString1="mirroring_webrtc.js", lpString2="System Volume Information") returned -1 [0122.097] lstrcmpiW (lpString1="mirroring_webrtc.js", lpString2=".") returned 1 [0122.097] lstrcmpiW (lpString1="mirroring_webrtc.js", lpString2="..") returned 1 [0122.097] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_webrtc.js") returned 158 [0122.097] lstrcmpW (lpString1="mirroring_webrtc.js", lpString2="PUSSY.TXT") returned -1 [0122.097] PathFindExtensionW (pszPath="mirroring_webrtc.js") returned=".js" [0122.097] lstrlenW (lpString=".js") returned 3 [0122.097] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0122.097] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_webrtc.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_webrtc.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0122.141] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=2369) returned 1 [0122.141] GetProcessHeap () returned 0x4c0000 [0122.142] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3d89148 [0122.151] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="44") returned 2 [0122.151] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="08") returned 2 [0122.151] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="CF") returned 2 [0122.151] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="C2") returned 2 [0122.151] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="60") returned 2 [0122.151] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="37") returned 2 [0122.151] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="DB") returned 2 [0122.151] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="42") returned 2 [0122.151] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="CC") returned 2 [0122.151] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="EE") returned 2 [0122.151] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="C5") returned 2 [0122.151] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="68") returned 2 [0122.151] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="F2") returned 2 [0122.151] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="75") returned 2 [0122.151] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="FC") returned 2 [0122.151] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="BC") returned 2 [0122.151] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="28") returned 2 [0122.151] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="0F") returned 2 [0122.152] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="0F") returned 2 [0122.152] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="2E") returned 2 [0122.152] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="AC") returned 2 [0122.152] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="DC") returned 2 [0122.152] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="9D") returned 2 [0122.152] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="69") returned 2 [0122.152] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="C2") returned 2 [0122.152] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="69") returned 2 [0122.152] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="4C") returned 2 [0122.152] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="87") returned 2 [0122.152] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="B0") returned 2 [0122.152] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="E1") returned 2 [0122.152] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="B1") returned 2 [0122.152] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="49") returned 2 [0122.160] lstrcpyW (in: lpString1=0x3d9917c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_webrtc.js" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_webrtc.js") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_webrtc.js" [0122.160] lstrcpyW (in: lpString1=0x3d8917c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_webrtc.js" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_webrtc.js") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_webrtc.js" [0122.160] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_webrtc.js", lpString2=".4408CFC26037DB42CCEEC568F275FCBC280F0F2EACDC9D69C2694C87B0E1B149" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_webrtc.js.4408CFC26037DB42CCEEC568F275FCBC280F0F2EACDC9D69C2694C87B0E1B149") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_webrtc.js.4408CFC26037DB42CCEEC568F275FCBC280F0F2EACDC9D69C2694C87B0E1B149" [0122.160] CreateIoCompletionPort (FileHandle=0x1ac, ExistingCompletionPort=0x94, CompletionKey=0x3d89148, NumberOfConcurrentThreads=0x0) returned 0x94 [0122.160] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3d89148, lpOverlapped=0x3d89148) returned 1 [0122.161] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x833e6790, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83624340, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83624340, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="_locales", cAlternateFileName="")) returned 1 [0122.161] lstrcmpiW (lpString1="_locales", lpString2="Windows") returned -1 [0122.161] lstrcmpiW (lpString1="_locales", lpString2="Program Files") returned -1 [0122.161] lstrcmpiW (lpString1="_locales", lpString2="Program Files (x86)") returned -1 [0122.161] lstrcmpiW (lpString1="_locales", lpString2="$Recycle.bin") returned 1 [0122.161] lstrcmpiW (lpString1="_locales", lpString2="System Volume Information") returned -1 [0122.161] lstrcmpiW (lpString1="_locales", lpString2=".") returned 1 [0122.161] lstrcmpiW (lpString1="_locales", lpString2="..") returned 1 [0122.161] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales") returned 147 [0122.161] GetProcessHeap () returned 0x4c0000 [0122.161] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd91e8 [0122.162] lstrcpyW (in: lpString1=0x3dd91e8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales" [0122.162] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\*" [0122.162] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\*", lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x833e6790, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83624340, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83624340, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb71e0 [0122.164] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0122.164] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0122.164] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0122.164] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0122.164] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0122.164] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0122.164] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x833e6790, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83624340, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83624340, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0122.165] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0122.165] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0122.165] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0122.165] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0122.165] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0122.165] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0122.165] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0122.165] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x833e8ea0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x833eb5b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x833eb5b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="am", cAlternateFileName="")) returned 1 [0122.166] lstrcmpiW (lpString1="am", lpString2="Windows") returned -1 [0122.166] lstrcmpiW (lpString1="am", lpString2="Program Files") returned -1 [0122.166] lstrcmpiW (lpString1="am", lpString2="Program Files (x86)") returned -1 [0122.166] lstrcmpiW (lpString1="am", lpString2="$Recycle.bin") returned 1 [0122.166] lstrcmpiW (lpString1="am", lpString2="System Volume Information") returned -1 [0122.166] lstrcmpiW (lpString1="am", lpString2=".") returned 1 [0122.166] lstrcmpiW (lpString1="am", lpString2="..") returned 1 [0122.166] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am") returned 150 [0122.166] GetProcessHeap () returned 0x4c0000 [0122.166] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0122.167] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am" [0122.167] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\*" [0122.167] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x833e8ea0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x833eb5b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x833eb5b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0122.167] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0122.167] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0122.167] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0122.168] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0122.168] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0122.168] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0122.168] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x833e8ea0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x833eb5b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x833eb5b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0122.168] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0122.168] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0122.168] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0122.168] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0122.168] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0122.168] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0122.168] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0122.169] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x833eb5b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x833eb5b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8397d230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x4827, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0122.169] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0122.169] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0122.169] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0122.169] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0122.169] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0122.169] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0122.169] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0122.169] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\messages.json") returned 164 [0122.169] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0122.169] PathFindExtensionW (pszPath="messages.json") returned=".json" [0122.169] lstrlenW (lpString=".json") returned 5 [0122.169] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0122.169] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b4 [0122.171] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=18471) returned 1 [0122.171] GetProcessHeap () returned 0x4c0000 [0122.171] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c20058 [0122.181] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="36") returned 2 [0122.181] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="6B") returned 2 [0122.181] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="32") returned 2 [0122.181] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="2A") returned 2 [0122.181] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="7C") returned 2 [0122.181] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="F5") returned 2 [0122.181] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="4F") returned 2 [0122.181] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="F6") returned 2 [0122.181] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="4B") returned 2 [0122.181] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="DE") returned 2 [0122.181] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="16") returned 2 [0122.181] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="BB") returned 2 [0122.181] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="5D") returned 2 [0122.181] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="2E") returned 2 [0122.182] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="DC") returned 2 [0122.182] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="A8") returned 2 [0122.182] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="16") returned 2 [0122.182] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="E3") returned 2 [0122.182] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="69") returned 2 [0122.182] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="38") returned 2 [0122.182] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="98") returned 2 [0122.182] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="DD") returned 2 [0122.182] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="0F") returned 2 [0122.182] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="07") returned 2 [0122.182] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="6F") returned 2 [0122.182] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="69") returned 2 [0122.182] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="1D") returned 2 [0122.182] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="2C") returned 2 [0122.182] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="80") returned 2 [0122.182] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="2A") returned 2 [0122.182] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="7A") returned 2 [0122.182] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="58") returned 2 [0122.194] lstrcpyW (in: lpString1=0x3c3008c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\messages.json" [0122.194] lstrcpyW (in: lpString1=0x3c2008c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\messages.json" [0122.194] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\messages.json", lpString2=".366B322A7CF54FF64BDE16BB5D2EDCA816E3693898DD0F076F691D2C802A7A58" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\messages.json.366B322A7CF54FF64BDE16BB5D2EDCA816E3693898DD0F076F691D2C802A7A58") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\messages.json.366B322A7CF54FF64BDE16BB5D2EDCA816E3693898DD0F076F691D2C802A7A58" [0122.194] CreateIoCompletionPort (FileHandle=0x1b4, ExistingCompletionPort=0x94, CompletionKey=0x3c20058, NumberOfConcurrentThreads=0x0) returned 0x94 [0122.194] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c20058, lpOverlapped=0x3c20058) returned 1 [0122.216] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x833eb5b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x833eb5b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8397d230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x4827, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0122.216] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0122.216] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\PUSSY.TXT") returned 160 [0122.216] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0122.217] lstrlenA (lpString="abcd") returned 4 [0122.217] WriteFile (in: hFile=0x1bc, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0122.218] CloseHandle (hObject=0x1bc) returned 1 [0122.218] GetProcessHeap () returned 0x4c0000 [0122.218] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0122.221] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x833f7900, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x833fee30, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x833fee30, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ar", cAlternateFileName="")) returned 1 [0122.221] lstrcmpiW (lpString1="ar", lpString2="Windows") returned -1 [0122.221] lstrcmpiW (lpString1="ar", lpString2="Program Files") returned -1 [0122.221] lstrcmpiW (lpString1="ar", lpString2="Program Files (x86)") returned -1 [0122.221] lstrcmpiW (lpString1="ar", lpString2="$Recycle.bin") returned 1 [0122.221] lstrcmpiW (lpString1="ar", lpString2="System Volume Information") returned -1 [0122.221] lstrcmpiW (lpString1="ar", lpString2=".") returned 1 [0122.221] lstrcmpiW (lpString1="ar", lpString2="..") returned 1 [0122.221] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar") returned 150 [0122.221] GetProcessHeap () returned 0x4c0000 [0122.221] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0122.222] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar" [0122.222] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\*" [0122.222] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x833f7900, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x833fee30, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x833fee30, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0122.222] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0122.222] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0122.222] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0122.222] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0122.222] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0122.223] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0122.223] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x833f7900, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x833fee30, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x833fee30, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0122.223] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0122.223] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0122.223] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0122.223] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0122.223] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0122.223] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0122.223] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0122.223] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x833fee30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x833fee30, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8397f940, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x45bf, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0122.223] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0122.223] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0122.223] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0122.223] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0122.223] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0122.226] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0122.226] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0122.226] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\messages.json") returned 164 [0122.226] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0122.226] PathFindExtensionW (pszPath="messages.json") returned=".json" [0122.226] lstrlenW (lpString=".json") returned 5 [0122.226] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0122.226] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0122.227] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=17855) returned 1 [0122.227] GetProcessHeap () returned 0x4c0000 [0122.227] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3d89148 [0122.237] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="17") returned 2 [0122.237] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="72") returned 2 [0122.237] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="66") returned 2 [0122.237] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="77") returned 2 [0122.237] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="56") returned 2 [0122.237] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="46") returned 2 [0122.237] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="C9") returned 2 [0122.237] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="68") returned 2 [0122.237] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="94") returned 2 [0122.237] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="FB") returned 2 [0122.237] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="07") returned 2 [0122.237] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="5F") returned 2 [0122.237] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="2C") returned 2 [0122.237] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="3F") returned 2 [0122.237] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="2F") returned 2 [0122.237] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="DC") returned 2 [0122.237] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="39") returned 2 [0122.238] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="DB") returned 2 [0122.238] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="D4") returned 2 [0122.238] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="6B") returned 2 [0122.238] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="91") returned 2 [0122.238] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="1A") returned 2 [0122.238] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="4E") returned 2 [0122.238] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="25") returned 2 [0122.238] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="97") returned 2 [0122.238] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="C8") returned 2 [0122.238] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="F6") returned 2 [0122.238] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="61") returned 2 [0122.238] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="CE") returned 2 [0122.238] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="95") returned 2 [0122.238] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="D6") returned 2 [0122.238] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="31") returned 2 [0122.247] lstrcpyW (in: lpString1=0x3d9917c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\messages.json" [0122.247] lstrcpyW (in: lpString1=0x3d8917c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\messages.json" [0122.247] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\messages.json", lpString2=".177266775646C96894FB075F2C3F2FDC39DBD46B911A4E2597C8F661CE95D631" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\messages.json.177266775646C96894FB075F2C3F2FDC39DBD46B911A4E2597C8F661CE95D631") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\messages.json.177266775646C96894FB075F2C3F2FDC39DBD46B911A4E2597C8F661CE95D631" [0122.247] CreateIoCompletionPort (FileHandle=0x1ac, ExistingCompletionPort=0x94, CompletionKey=0x3d89148, NumberOfConcurrentThreads=0x0) returned 0x94 [0122.247] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3d89148, lpOverlapped=0x3d89148) returned 1 [0122.265] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x833fee30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x833fee30, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8397f940, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x45bf, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0122.265] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0122.265] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\PUSSY.TXT") returned 160 [0122.265] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0122.266] lstrlenA (lpString="abcd") returned 4 [0122.266] WriteFile (in: hFile=0x1bc, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0122.267] CloseHandle (hObject=0x1bc) returned 1 [0122.267] GetProcessHeap () returned 0x4c0000 [0122.267] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0122.267] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x83403c50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83406360, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83406360, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="bg", cAlternateFileName="")) returned 1 [0122.267] lstrcmpiW (lpString1="bg", lpString2="Windows") returned -1 [0122.267] lstrcmpiW (lpString1="bg", lpString2="Program Files") returned -1 [0122.267] lstrcmpiW (lpString1="bg", lpString2="Program Files (x86)") returned -1 [0122.267] lstrcmpiW (lpString1="bg", lpString2="$Recycle.bin") returned 1 [0122.267] lstrcmpiW (lpString1="bg", lpString2="System Volume Information") returned -1 [0122.267] lstrcmpiW (lpString1="bg", lpString2=".") returned 1 [0122.267] lstrcmpiW (lpString1="bg", lpString2="..") returned 1 [0122.267] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg") returned 150 [0122.267] GetProcessHeap () returned 0x4c0000 [0122.267] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0122.267] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg" [0122.267] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\*" [0122.267] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x83403c50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83406360, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83406360, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0122.268] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0122.268] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0122.268] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0122.268] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0122.268] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0122.268] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0122.268] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x83403c50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83406360, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83406360, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0122.268] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0122.268] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0122.268] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0122.268] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0122.268] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0122.268] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0122.268] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0122.268] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x83406360, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83408a70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8397f940, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x4b63, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0122.268] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0122.268] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0122.269] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0122.269] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0122.269] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0122.269] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0122.269] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0122.269] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\messages.json") returned 164 [0122.269] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0122.269] PathFindExtensionW (pszPath="messages.json") returned=".json" [0122.269] lstrlenW (lpString=".json") returned 5 [0122.269] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0122.269] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x198 [0122.271] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=19299) returned 1 [0122.271] GetProcessHeap () returned 0x4c0000 [0122.271] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x564b40 [0122.281] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="15") returned 2 [0122.281] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="78") returned 2 [0122.281] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="A7") returned 2 [0122.282] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="1D") returned 2 [0122.282] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="4D") returned 2 [0122.282] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="56") returned 2 [0122.282] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="C1") returned 2 [0122.282] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="22") returned 2 [0122.282] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="35") returned 2 [0122.282] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="7B") returned 2 [0122.282] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="FB") returned 2 [0122.282] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="C6") returned 2 [0122.282] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="A0") returned 2 [0122.282] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="9A") returned 2 [0122.282] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="CD") returned 2 [0122.282] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="41") returned 2 [0122.282] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="33") returned 2 [0122.282] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="96") returned 2 [0122.282] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="E5") returned 2 [0122.282] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="F9") returned 2 [0122.282] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="22") returned 2 [0122.282] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="AB") returned 2 [0122.282] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="7C") returned 2 [0122.282] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="13") returned 2 [0122.282] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="99") returned 2 [0122.282] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="F4") returned 2 [0122.282] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="08") returned 2 [0122.282] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="97") returned 2 [0122.283] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="45") returned 2 [0122.283] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="43") returned 2 [0122.283] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="36") returned 2 [0122.283] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="3B") returned 2 [0122.303] lstrcpyW (in: lpString1=0x574b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\messages.json" [0122.303] lstrcpyW (in: lpString1=0x564b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\messages.json" [0122.303] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\messages.json", lpString2=".1578A71D4D56C122357BFBC6A09ACD413396E5F922AB7C1399F408974543363B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\messages.json.1578A71D4D56C122357BFBC6A09ACD413396E5F922AB7C1399F408974543363B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\messages.json.1578A71D4D56C122357BFBC6A09ACD413396E5F922AB7C1399F408974543363B" [0122.303] CreateIoCompletionPort (FileHandle=0x198, ExistingCompletionPort=0x94, CompletionKey=0x564b40, NumberOfConcurrentThreads=0x0) returned 0x94 [0122.303] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x564b40, lpOverlapped=0x564b40) returned 1 [0122.329] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x83406360, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83408a70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8397f940, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x4b63, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0122.329] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0122.329] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\PUSSY.TXT") returned 160 [0122.329] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0122.415] lstrlenA (lpString="abcd") returned 4 [0122.415] WriteFile (in: hFile=0x198, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0122.416] CloseHandle (hObject=0x198) returned 1 [0122.416] GetProcessHeap () returned 0x4c0000 [0122.416] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0122.421] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8340b180, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8340b180, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8340b180, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="bn", cAlternateFileName="")) returned 1 [0122.421] lstrcmpiW (lpString1="bn", lpString2="Windows") returned -1 [0122.421] lstrcmpiW (lpString1="bn", lpString2="Program Files") returned -1 [0122.421] lstrcmpiW (lpString1="bn", lpString2="Program Files (x86)") returned -1 [0122.421] lstrcmpiW (lpString1="bn", lpString2="$Recycle.bin") returned 1 [0122.421] lstrcmpiW (lpString1="bn", lpString2="System Volume Information") returned -1 [0122.421] lstrcmpiW (lpString1="bn", lpString2=".") returned 1 [0122.421] lstrcmpiW (lpString1="bn", lpString2="..") returned 1 [0122.421] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn") returned 150 [0122.421] GetProcessHeap () returned 0x4c0000 [0122.421] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0122.422] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn" [0122.422] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\*" [0122.422] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8340b180, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8340b180, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8340b180, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0122.422] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0122.423] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0122.423] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0122.423] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0122.423] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0122.423] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0122.423] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8340b180, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8340b180, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8340b180, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0122.423] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0122.423] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0122.423] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0122.423] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0122.423] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0122.423] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0122.423] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0122.423] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8340b180, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8340b180, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8397f940, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x52cb, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0122.423] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0122.423] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0122.423] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0122.423] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0122.423] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0122.423] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0122.423] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0122.424] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\messages.json") returned 164 [0122.424] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0122.424] PathFindExtensionW (pszPath="messages.json") returned=".json" [0122.424] lstrlenW (lpString=".json") returned 5 [0122.424] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0122.424] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1c8 [0122.424] GetFileSizeEx (in: hFile=0x1c8, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=21195) returned 1 [0122.424] GetProcessHeap () returned 0x4c0000 [0122.424] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3ce9008 [0122.434] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="63") returned 2 [0122.434] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="D8") returned 2 [0122.434] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="1B") returned 2 [0122.434] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="BE") returned 2 [0122.434] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="E0") returned 2 [0122.434] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="AF") returned 2 [0122.434] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="82") returned 2 [0122.434] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="84") returned 2 [0122.434] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="7B") returned 2 [0122.435] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="2E") returned 2 [0122.435] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="D5") returned 2 [0122.435] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="48") returned 2 [0122.435] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="6A") returned 2 [0122.435] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="AB") returned 2 [0122.435] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="F2") returned 2 [0122.435] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="11") returned 2 [0122.435] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="04") returned 2 [0122.435] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="0A") returned 2 [0122.435] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="D7") returned 2 [0122.435] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="5B") returned 2 [0122.435] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="21") returned 2 [0122.435] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="90") returned 2 [0122.435] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="FE") returned 2 [0122.435] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="91") returned 2 [0122.435] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="A2") returned 2 [0122.435] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="A2") returned 2 [0122.435] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="DA") returned 2 [0122.435] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="B0") returned 2 [0122.435] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="1F") returned 2 [0122.435] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="4D") returned 2 [0122.435] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="62") returned 2 [0122.435] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="10") returned 2 [0122.444] lstrcpyW (in: lpString1=0x3cf903c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\messages.json" [0122.444] lstrcpyW (in: lpString1=0x3ce903c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\messages.json" [0122.444] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\messages.json", lpString2=".63D81BBEE0AF82847B2ED5486AABF211040AD75B2190FE91A2A2DAB01F4D6210" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\messages.json.63D81BBEE0AF82847B2ED5486AABF211040AD75B2190FE91A2A2DAB01F4D6210") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\messages.json.63D81BBEE0AF82847B2ED5486AABF211040AD75B2190FE91A2A2DAB01F4D6210" [0122.444] CreateIoCompletionPort (FileHandle=0x1c8, ExistingCompletionPort=0x94, CompletionKey=0x3ce9008, NumberOfConcurrentThreads=0x0) returned 0x94 [0122.444] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3ce9008, lpOverlapped=0x3ce9008) returned 1 [0122.444] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8340b180, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8340b180, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8397f940, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x52cb, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0122.444] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0122.444] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\PUSSY.TXT") returned 160 [0122.444] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0122.445] lstrlenA (lpString="abcd") returned 4 [0122.445] WriteFile (in: hFile=0x198, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0122.446] CloseHandle (hObject=0x198) returned 1 [0122.446] GetProcessHeap () returned 0x4c0000 [0122.446] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0122.446] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8340ffa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834126b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x834126b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ca", cAlternateFileName="")) returned 1 [0122.446] lstrcmpiW (lpString1="ca", lpString2="Windows") returned -1 [0122.446] lstrcmpiW (lpString1="ca", lpString2="Program Files") returned -1 [0122.446] lstrcmpiW (lpString1="ca", lpString2="Program Files (x86)") returned -1 [0122.446] lstrcmpiW (lpString1="ca", lpString2="$Recycle.bin") returned 1 [0122.446] lstrcmpiW (lpString1="ca", lpString2="System Volume Information") returned -1 [0122.446] lstrcmpiW (lpString1="ca", lpString2=".") returned 1 [0122.446] lstrcmpiW (lpString1="ca", lpString2="..") returned 1 [0122.446] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca") returned 150 [0122.446] GetProcessHeap () returned 0x4c0000 [0122.446] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0122.447] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca" [0122.447] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\*" [0122.447] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8340ffa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834126b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x834126b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0122.447] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0122.447] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0122.447] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0122.447] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0122.447] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0122.447] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0122.447] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8340ffa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834126b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x834126b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0122.447] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0122.447] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0122.447] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0122.448] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0122.448] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0122.448] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0122.448] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0122.448] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x834126b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83414dc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8397f940, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x405d, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0122.448] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0122.448] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0122.448] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0122.448] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0122.448] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0122.448] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0122.448] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0122.449] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\messages.json") returned 164 [0122.449] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0122.449] PathFindExtensionW (pszPath="messages.json") returned=".json" [0122.449] lstrlenW (lpString=".json") returned 5 [0122.449] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0122.449] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1cc [0122.450] GetFileSizeEx (in: hFile=0x1cc, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=16477) returned 1 [0122.450] GetProcessHeap () returned 0x4c0000 [0122.450] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3d11058 [0122.461] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="3A") returned 2 [0122.461] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="7F") returned 2 [0122.461] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="70") returned 2 [0122.461] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="23") returned 2 [0122.461] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="2E") returned 2 [0122.461] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="42") returned 2 [0122.461] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="0D") returned 2 [0122.461] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="B1") returned 2 [0122.461] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="8C") returned 2 [0122.461] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="15") returned 2 [0122.461] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="C9") returned 2 [0122.461] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="7F") returned 2 [0122.461] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="6B") returned 2 [0122.461] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="12") returned 2 [0122.461] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="1F") returned 2 [0122.461] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="98") returned 2 [0122.461] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="40") returned 2 [0122.462] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="0A") returned 2 [0122.462] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="9B") returned 2 [0122.462] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="6F") returned 2 [0122.462] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="B4") returned 2 [0122.462] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="A0") returned 2 [0122.462] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="AC") returned 2 [0122.462] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="78") returned 2 [0122.462] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="B2") returned 2 [0122.462] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="D6") returned 2 [0122.462] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="19") returned 2 [0122.462] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="9B") returned 2 [0122.462] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="49") returned 2 [0122.462] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="98") returned 2 [0122.462] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="0C") returned 2 [0122.462] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="11") returned 2 [0122.470] lstrcpyW (in: lpString1=0x3d2108c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\messages.json" [0122.470] lstrcpyW (in: lpString1=0x3d1108c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\messages.json" [0122.470] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\messages.json", lpString2=".3A7F70232E420DB18C15C97F6B121F98400A9B6FB4A0AC78B2D6199B49980C11" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\messages.json.3A7F70232E420DB18C15C97F6B121F98400A9B6FB4A0AC78B2D6199B49980C11") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\messages.json.3A7F70232E420DB18C15C97F6B121F98400A9B6FB4A0AC78B2D6199B49980C11" [0122.470] CreateIoCompletionPort (FileHandle=0x1cc, ExistingCompletionPort=0x94, CompletionKey=0x3d11058, NumberOfConcurrentThreads=0x0) returned 0x94 [0122.471] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3d11058, lpOverlapped=0x3d11058) returned 1 [0122.471] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x834126b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83414dc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8397f940, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x405d, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0122.471] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0122.471] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\PUSSY.TXT") returned 160 [0122.471] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0122.472] lstrlenA (lpString="abcd") returned 4 [0122.472] WriteFile (in: hFile=0x198, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0122.473] CloseHandle (hObject=0x198) returned 1 [0122.473] GetProcessHeap () returned 0x4c0000 [0122.473] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0122.473] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x83419be0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8341c2f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8341c2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="cs", cAlternateFileName="")) returned 1 [0122.473] lstrcmpiW (lpString1="cs", lpString2="Windows") returned -1 [0122.474] lstrcmpiW (lpString1="cs", lpString2="Program Files") returned -1 [0122.474] lstrcmpiW (lpString1="cs", lpString2="Program Files (x86)") returned -1 [0122.474] lstrcmpiW (lpString1="cs", lpString2="$Recycle.bin") returned 1 [0122.474] lstrcmpiW (lpString1="cs", lpString2="System Volume Information") returned -1 [0122.474] lstrcmpiW (lpString1="cs", lpString2=".") returned 1 [0122.474] lstrcmpiW (lpString1="cs", lpString2="..") returned 1 [0122.474] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs") returned 150 [0122.474] GetProcessHeap () returned 0x4c0000 [0122.474] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0122.474] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs" [0122.474] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\*" [0122.474] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x83419be0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8341c2f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8341c2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0122.474] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0122.475] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0122.475] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0122.475] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0122.475] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0122.475] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0122.475] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x83419be0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8341c2f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8341c2f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0122.475] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0122.475] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0122.475] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0122.475] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0122.475] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0122.475] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0122.475] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0122.475] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8341c2f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83421110, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83982050, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x4029, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0122.475] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0122.475] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0122.475] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0122.475] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0122.475] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0122.475] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0122.475] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0122.476] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\messages.json") returned 164 [0122.476] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0122.476] PathFindExtensionW (pszPath="messages.json") returned=".json" [0122.476] lstrlenW (lpString=".json") returned 5 [0122.476] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0122.476] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1bc [0122.476] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=16425) returned 1 [0122.477] GetProcessHeap () returned 0x4c0000 [0122.477] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c20058 [0122.486] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="D5") returned 2 [0122.486] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="59") returned 2 [0122.486] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="11") returned 2 [0122.487] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="4F") returned 2 [0122.487] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="F8") returned 2 [0122.487] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="FE") returned 2 [0122.487] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="DD") returned 2 [0122.487] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="5A") returned 2 [0122.487] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="6D") returned 2 [0122.487] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="B1") returned 2 [0122.487] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="E9") returned 2 [0122.487] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="B3") returned 2 [0122.487] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="07") returned 2 [0122.487] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="8C") returned 2 [0122.487] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="03") returned 2 [0122.487] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="7F") returned 2 [0122.487] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="64") returned 2 [0122.487] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="B8") returned 2 [0122.487] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="7F") returned 2 [0122.487] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="AA") returned 2 [0122.487] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="D3") returned 2 [0122.487] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="9D") returned 2 [0122.487] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="E3") returned 2 [0122.487] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="67") returned 2 [0122.487] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="39") returned 2 [0122.487] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="1B") returned 2 [0122.487] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="AE") returned 2 [0122.487] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="A2") returned 2 [0122.487] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="A1") returned 2 [0122.487] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="19") returned 2 [0122.488] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="D5") returned 2 [0122.488] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="0E") returned 2 [0122.497] lstrcpyW (in: lpString1=0x3c3008c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\messages.json" [0122.497] lstrcpyW (in: lpString1=0x3c2008c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\messages.json" [0122.497] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\messages.json", lpString2=".D559114FF8FEDD5A6DB1E9B3078C037F64B87FAAD39DE367391BAEA2A119D50E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\messages.json.D559114FF8FEDD5A6DB1E9B3078C037F64B87FAAD39DE367391BAEA2A119D50E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\messages.json.D559114FF8FEDD5A6DB1E9B3078C037F64B87FAAD39DE367391BAEA2A119D50E" [0122.497] CreateIoCompletionPort (FileHandle=0x1bc, ExistingCompletionPort=0x94, CompletionKey=0x3c20058, NumberOfConcurrentThreads=0x0) returned 0x94 [0122.497] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c20058, lpOverlapped=0x3c20058) returned 1 [0122.497] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8341c2f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83421110, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83982050, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x4029, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0122.497] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0122.497] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\PUSSY.TXT") returned 160 [0122.497] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0122.501] lstrlenA (lpString="abcd") returned 4 [0122.501] WriteFile (in: hFile=0x198, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0122.502] CloseHandle (hObject=0x198) returned 1 [0122.503] GetProcessHeap () returned 0x4c0000 [0122.503] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0122.503] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x83425f30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83428640, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83428640, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="da", cAlternateFileName="")) returned 1 [0122.503] lstrcmpiW (lpString1="da", lpString2="Windows") returned -1 [0122.503] lstrcmpiW (lpString1="da", lpString2="Program Files") returned -1 [0122.503] lstrcmpiW (lpString1="da", lpString2="Program Files (x86)") returned -1 [0122.503] lstrcmpiW (lpString1="da", lpString2="$Recycle.bin") returned 1 [0122.503] lstrcmpiW (lpString1="da", lpString2="System Volume Information") returned -1 [0122.503] lstrcmpiW (lpString1="da", lpString2=".") returned 1 [0122.503] lstrcmpiW (lpString1="da", lpString2="..") returned 1 [0122.503] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da") returned 150 [0122.503] GetProcessHeap () returned 0x4c0000 [0122.503] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0122.503] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da" [0122.503] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\*" [0122.503] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x83425f30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83428640, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83428640, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0122.504] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0122.504] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0122.504] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0122.504] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0122.504] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0122.504] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0122.504] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x83425f30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83428640, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83428640, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0122.504] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0122.504] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0122.504] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0122.504] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0122.504] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0122.504] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0122.504] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0122.504] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x83428640, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83428640, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83982050, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x3f79, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0122.504] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0122.504] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0122.504] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0122.504] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0122.505] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0122.505] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0122.505] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0122.505] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\messages.json") returned 164 [0122.505] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0122.505] PathFindExtensionW (pszPath="messages.json") returned=".json" [0122.505] lstrlenW (lpString=".json") returned 5 [0122.505] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0122.505] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0122.508] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=16249) returned 1 [0122.508] GetProcessHeap () returned 0x4c0000 [0122.508] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c480a8 [0122.517] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="4C") returned 2 [0122.517] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="B9") returned 2 [0122.517] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="C2") returned 2 [0122.517] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="2A") returned 2 [0122.517] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="2D") returned 2 [0122.517] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="A2") returned 2 [0122.517] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="0F") returned 2 [0122.517] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="DD") returned 2 [0122.517] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="79") returned 2 [0122.517] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="A1") returned 2 [0122.517] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="52") returned 2 [0122.517] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="6B") returned 2 [0122.517] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="56") returned 2 [0122.517] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="E5") returned 2 [0122.517] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="CF") returned 2 [0122.517] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="47") returned 2 [0122.517] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="3B") returned 2 [0122.517] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="93") returned 2 [0122.517] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="BE") returned 2 [0122.517] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="5B") returned 2 [0122.517] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="04") returned 2 [0122.517] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="41") returned 2 [0122.517] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="85") returned 2 [0122.518] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="39") returned 2 [0122.518] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="A3") returned 2 [0122.518] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="ED") returned 2 [0122.518] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="FC") returned 2 [0122.518] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="EB") returned 2 [0122.518] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="7E") returned 2 [0122.518] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="7E") returned 2 [0122.518] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="72") returned 2 [0122.518] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="2B") returned 2 [0122.531] lstrcpyW (in: lpString1=0x3c580dc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\messages.json" [0122.531] lstrcpyW (in: lpString1=0x3c480dc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\messages.json" [0122.531] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\messages.json", lpString2=".4CB9C22A2DA20FDD79A1526B56E5CF473B93BE5B04418539A3EDFCEB7E7E722B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\messages.json.4CB9C22A2DA20FDD79A1526B56E5CF473B93BE5B04418539A3EDFCEB7E7E722B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\messages.json.4CB9C22A2DA20FDD79A1526B56E5CF473B93BE5B04418539A3EDFCEB7E7E722B" [0122.531] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x3c480a8, NumberOfConcurrentThreads=0x0) returned 0x94 [0122.531] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c480a8, lpOverlapped=0x3c480a8) returned 1 [0122.531] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x83428640, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83428640, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83982050, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x3f79, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0122.531] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0122.531] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\PUSSY.TXT") returned 160 [0122.531] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0122.532] lstrlenA (lpString="abcd") returned 4 [0122.532] WriteFile (in: hFile=0x198, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0122.533] CloseHandle (hObject=0x198) returned 1 [0122.533] GetProcessHeap () returned 0x4c0000 [0122.533] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0122.533] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8342d460, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8342fb70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8342fb70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="de", cAlternateFileName="")) returned 1 [0122.533] lstrcmpiW (lpString1="de", lpString2="Windows") returned -1 [0122.534] lstrcmpiW (lpString1="de", lpString2="Program Files") returned -1 [0122.534] lstrcmpiW (lpString1="de", lpString2="Program Files (x86)") returned -1 [0122.534] lstrcmpiW (lpString1="de", lpString2="$Recycle.bin") returned 1 [0122.534] lstrcmpiW (lpString1="de", lpString2="System Volume Information") returned -1 [0122.534] lstrcmpiW (lpString1="de", lpString2=".") returned 1 [0122.534] lstrcmpiW (lpString1="de", lpString2="..") returned 1 [0122.534] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de") returned 150 [0122.534] GetProcessHeap () returned 0x4c0000 [0122.534] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0122.534] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de" [0122.534] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\*" [0122.534] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8342d460, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8342fb70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8342fb70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0122.534] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0122.534] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0122.534] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0122.534] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0122.535] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0122.535] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0122.535] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8342d460, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8342fb70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8342fb70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0122.535] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0122.535] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0122.535] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0122.535] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0122.535] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0122.535] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0122.535] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0122.535] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8342fb70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83432280, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83982050, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x406f, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0122.535] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0122.535] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0122.535] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0122.535] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0122.535] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0122.535] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0122.535] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0122.535] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\messages.json") returned 164 [0122.536] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0122.536] PathFindExtensionW (pszPath="messages.json") returned=".json" [0122.536] lstrlenW (lpString=".json") returned 5 [0122.536] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0122.536] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x114 [0122.536] GetFileSizeEx (in: hFile=0x114, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=16495) returned 1 [0122.536] GetProcessHeap () returned 0x4c0000 [0122.537] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x564b40 [0122.545] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="19") returned 2 [0122.545] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="4E") returned 2 [0122.545] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="C3") returned 2 [0122.545] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="72") returned 2 [0122.545] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="9D") returned 2 [0122.545] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="51") returned 2 [0122.545] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="AF") returned 2 [0122.545] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="EB") returned 2 [0122.545] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="57") returned 2 [0122.545] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="CC") returned 2 [0122.545] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="CD") returned 2 [0122.545] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="32") returned 2 [0122.545] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="ED") returned 2 [0122.545] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="AB") returned 2 [0122.545] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="5E") returned 2 [0122.545] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="1C") returned 2 [0122.545] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="51") returned 2 [0122.545] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="A1") returned 2 [0122.545] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="01") returned 2 [0122.545] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="45") returned 2 [0122.545] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="08") returned 2 [0122.545] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="93") returned 2 [0122.545] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="3E") returned 2 [0122.546] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="77") returned 2 [0122.546] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="7F") returned 2 [0122.546] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="0C") returned 2 [0122.546] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="5B") returned 2 [0122.546] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="16") returned 2 [0122.546] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="7D") returned 2 [0122.546] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="97") returned 2 [0122.546] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="AC") returned 2 [0122.546] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="6C") returned 2 [0122.556] lstrcpyW (in: lpString1=0x574b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\messages.json" [0122.556] lstrcpyW (in: lpString1=0x564b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\messages.json" [0122.556] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\messages.json", lpString2=".194EC3729D51AFEB57CCCD32EDAB5E1C51A1014508933E777F0C5B167D97AC6C" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\messages.json.194EC3729D51AFEB57CCCD32EDAB5E1C51A1014508933E777F0C5B167D97AC6C") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\messages.json.194EC3729D51AFEB57CCCD32EDAB5E1C51A1014508933E777F0C5B167D97AC6C" [0122.556] CreateIoCompletionPort (FileHandle=0x114, ExistingCompletionPort=0x94, CompletionKey=0x564b40, NumberOfConcurrentThreads=0x0) returned 0x94 [0122.557] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x564b40, lpOverlapped=0x564b40) returned 1 [0122.557] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8342fb70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83432280, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83982050, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x406f, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0122.557] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0122.557] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\PUSSY.TXT") returned 160 [0122.557] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0122.558] lstrlenA (lpString="abcd") returned 4 [0122.558] WriteFile (in: hFile=0x198, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0122.559] CloseHandle (hObject=0x198) returned 1 [0122.559] GetProcessHeap () returned 0x4c0000 [0122.559] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0122.559] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x83434990, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834370a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x834370a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="el", cAlternateFileName="")) returned 1 [0122.560] lstrcmpiW (lpString1="el", lpString2="Windows") returned -1 [0122.560] lstrcmpiW (lpString1="el", lpString2="Program Files") returned -1 [0122.560] lstrcmpiW (lpString1="el", lpString2="Program Files (x86)") returned -1 [0122.560] lstrcmpiW (lpString1="el", lpString2="$Recycle.bin") returned 1 [0122.560] lstrcmpiW (lpString1="el", lpString2="System Volume Information") returned -1 [0122.560] lstrcmpiW (lpString1="el", lpString2=".") returned 1 [0122.560] lstrcmpiW (lpString1="el", lpString2="..") returned 1 [0122.560] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el") returned 150 [0122.560] GetProcessHeap () returned 0x4c0000 [0122.560] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0122.560] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el" [0122.560] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\*" [0122.560] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x83434990, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834370a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x834370a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0122.560] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0122.560] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0122.561] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0122.561] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0122.561] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0122.561] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0122.561] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x83434990, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834370a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x834370a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0122.561] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0122.561] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0122.561] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0122.561] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0122.561] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0122.561] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0122.561] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0122.561] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x834370a0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834397b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83982050, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x4afe, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0122.561] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0122.561] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0122.561] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0122.561] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0122.561] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0122.561] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0122.561] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0122.561] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\messages.json") returned 164 [0122.562] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0122.562] PathFindExtensionW (pszPath="messages.json") returned=".json" [0122.562] lstrlenW (lpString=".json") returned 5 [0122.562] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0122.562] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1c0 [0122.563] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=19198) returned 1 [0122.563] GetProcessHeap () returned 0x4c0000 [0122.563] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3d610f8 [0122.574] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="03") returned 2 [0122.574] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="5E") returned 2 [0122.574] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="EB") returned 2 [0122.574] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="9B") returned 2 [0122.574] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="73") returned 2 [0122.574] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="01") returned 2 [0122.574] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="5B") returned 2 [0122.574] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="32") returned 2 [0122.574] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="19") returned 2 [0122.574] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="C4") returned 2 [0122.574] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="1E") returned 2 [0122.574] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="97") returned 2 [0122.574] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="2B") returned 2 [0122.574] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="57") returned 2 [0122.574] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="5D") returned 2 [0122.574] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="83") returned 2 [0122.574] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="62") returned 2 [0122.574] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="00") returned 2 [0122.574] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="4F") returned 2 [0122.574] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="16") returned 2 [0122.574] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="E4") returned 2 [0122.574] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="94") returned 2 [0122.575] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="4A") returned 2 [0122.575] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="66") returned 2 [0122.575] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="9C") returned 2 [0122.575] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="ED") returned 2 [0122.575] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="8C") returned 2 [0122.575] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="A5") returned 2 [0122.575] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="49") returned 2 [0122.575] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="F6") returned 2 [0122.575] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="5A") returned 2 [0122.575] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="65") returned 2 [0122.595] lstrcpyW (in: lpString1=0x3d7112c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\messages.json" [0122.595] lstrcpyW (in: lpString1=0x3d6112c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\messages.json" [0122.595] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\messages.json", lpString2=".035EEB9B73015B3219C41E972B575D8362004F16E4944A669CED8CA549F65A65" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\messages.json.035EEB9B73015B3219C41E972B575D8362004F16E4944A669CED8CA549F65A65") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\messages.json.035EEB9B73015B3219C41E972B575D8362004F16E4944A669CED8CA549F65A65" [0122.595] CreateIoCompletionPort (FileHandle=0x1c0, ExistingCompletionPort=0x94, CompletionKey=0x3d610f8, NumberOfConcurrentThreads=0x0) returned 0x94 [0122.595] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3d610f8, lpOverlapped=0x3d610f8) returned 1 [0122.595] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x834370a0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834397b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83982050, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x4afe, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0122.595] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0122.595] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\PUSSY.TXT") returned 160 [0122.595] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0122.596] lstrlenA (lpString="abcd") returned 4 [0122.596] WriteFile (in: hFile=0x198, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0122.597] CloseHandle (hObject=0x198) returned 1 [0122.597] GetProcessHeap () returned 0x4c0000 [0122.597] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0122.598] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8343bec0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83440ce0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83440ce0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="en", cAlternateFileName="")) returned 1 [0122.598] lstrcmpiW (lpString1="en", lpString2="Windows") returned -1 [0122.598] lstrcmpiW (lpString1="en", lpString2="Program Files") returned -1 [0122.598] lstrcmpiW (lpString1="en", lpString2="Program Files (x86)") returned -1 [0122.598] lstrcmpiW (lpString1="en", lpString2="$Recycle.bin") returned 1 [0122.598] lstrcmpiW (lpString1="en", lpString2="System Volume Information") returned -1 [0122.598] lstrcmpiW (lpString1="en", lpString2=".") returned 1 [0122.598] lstrcmpiW (lpString1="en", lpString2="..") returned 1 [0122.598] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en") returned 150 [0122.598] GetProcessHeap () returned 0x4c0000 [0122.599] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0122.599] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en" [0122.599] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\*" [0122.599] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8343bec0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83440ce0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83440ce0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0122.599] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0122.599] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0122.599] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0122.599] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0122.599] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0122.599] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0122.599] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8343bec0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83440ce0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83440ce0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0122.599] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0122.600] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0122.600] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0122.600] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0122.600] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0122.600] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0122.600] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0122.600] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8343e5d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83440ce0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83984760, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x3d7a, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0122.600] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0122.600] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0122.600] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0122.600] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0122.600] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0122.600] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0122.600] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0122.600] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\messages.json") returned 164 [0122.600] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0122.600] PathFindExtensionW (pszPath="messages.json") returned=".json" [0122.600] lstrlenW (lpString=".json") returned 5 [0122.600] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0122.600] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0122.601] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=15738) returned 1 [0122.601] GetProcessHeap () returned 0x4c0000 [0122.601] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3d89148 [0122.610] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="40") returned 2 [0122.610] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="A8") returned 2 [0122.610] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="EF") returned 2 [0122.610] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="18") returned 2 [0122.610] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="3F") returned 2 [0122.610] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="1D") returned 2 [0122.610] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="B0") returned 2 [0122.611] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="68") returned 2 [0122.611] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="A2") returned 2 [0122.611] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="A0") returned 2 [0122.611] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="81") returned 2 [0122.611] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="9C") returned 2 [0122.611] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="88") returned 2 [0122.611] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="42") returned 2 [0122.611] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="F4") returned 2 [0122.611] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="7D") returned 2 [0122.611] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="0F") returned 2 [0122.611] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="B6") returned 2 [0122.611] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="B7") returned 2 [0122.611] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="D7") returned 2 [0122.611] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="09") returned 2 [0122.611] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="AB") returned 2 [0122.611] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="9E") returned 2 [0122.611] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="50") returned 2 [0122.611] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="28") returned 2 [0122.611] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="C2") returned 2 [0122.611] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="17") returned 2 [0122.611] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="9E") returned 2 [0122.611] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="DE") returned 2 [0122.611] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="35") returned 2 [0122.612] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="FF") returned 2 [0122.612] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="4B") returned 2 [0122.620] lstrcpyW (in: lpString1=0x3d9917c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\messages.json" [0122.620] lstrcpyW (in: lpString1=0x3d8917c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\messages.json" [0122.620] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\messages.json", lpString2=".40A8EF183F1DB068A2A0819C8842F47D0FB6B7D709AB9E5028C2179EDE35FF4B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\messages.json.40A8EF183F1DB068A2A0819C8842F47D0FB6B7D709AB9E5028C2179EDE35FF4B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\messages.json.40A8EF183F1DB068A2A0819C8842F47D0FB6B7D709AB9E5028C2179EDE35FF4B" [0122.620] CreateIoCompletionPort (FileHandle=0x1ac, ExistingCompletionPort=0x94, CompletionKey=0x3d89148, NumberOfConcurrentThreads=0x0) returned 0x94 [0122.620] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3d89148, lpOverlapped=0x3d89148) returned 1 [0122.620] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8343e5d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83440ce0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83984760, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x3d7a, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0122.620] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0122.621] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\PUSSY.TXT") returned 160 [0122.621] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0122.622] lstrlenA (lpString="abcd") returned 4 [0122.622] WriteFile (in: hFile=0x198, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0122.623] CloseHandle (hObject=0x198) returned 1 [0122.623] GetProcessHeap () returned 0x4c0000 [0122.623] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0122.623] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8344a920, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8344d030, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8344d030, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="es", cAlternateFileName="")) returned 1 [0122.623] lstrcmpiW (lpString1="es", lpString2="Windows") returned -1 [0122.623] lstrcmpiW (lpString1="es", lpString2="Program Files") returned -1 [0122.623] lstrcmpiW (lpString1="es", lpString2="Program Files (x86)") returned -1 [0122.623] lstrcmpiW (lpString1="es", lpString2="$Recycle.bin") returned 1 [0122.623] lstrcmpiW (lpString1="es", lpString2="System Volume Information") returned -1 [0122.623] lstrcmpiW (lpString1="es", lpString2=".") returned 1 [0122.623] lstrcmpiW (lpString1="es", lpString2="..") returned 1 [0122.623] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es") returned 150 [0122.624] GetProcessHeap () returned 0x4c0000 [0122.624] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0122.624] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es" [0122.624] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\*" [0122.624] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8344a920, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8344d030, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8344d030, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0122.624] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0122.624] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0122.624] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0122.624] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0122.624] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0122.624] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0122.624] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8344a920, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8344d030, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8344d030, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0122.624] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0122.624] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0122.624] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0122.625] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0122.625] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0122.625] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0122.625] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0122.625] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8344d030, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8344d030, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83984760, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x404b, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0122.625] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0122.625] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0122.625] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0122.625] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0122.625] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0122.625] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0122.625] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0122.625] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\messages.json") returned 164 [0122.625] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0122.625] PathFindExtensionW (pszPath="messages.json") returned=".json" [0122.625] lstrlenW (lpString=".json") returned 5 [0122.625] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0122.625] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b4 [0122.627] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=16459) returned 1 [0122.627] GetProcessHeap () returned 0x4c0000 [0122.627] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3db1198 [0122.639] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="84") returned 2 [0122.639] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="07") returned 2 [0122.639] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="6E") returned 2 [0122.639] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="F3") returned 2 [0122.639] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="1E") returned 2 [0122.639] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="20") returned 2 [0122.639] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="B6") returned 2 [0122.639] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="C3") returned 2 [0122.639] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="AE") returned 2 [0122.639] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="9B") returned 2 [0122.639] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="22") returned 2 [0122.639] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="00") returned 2 [0122.639] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="74") returned 2 [0122.639] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="2E") returned 2 [0122.639] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="20") returned 2 [0122.639] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="10") returned 2 [0122.639] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="1E") returned 2 [0122.640] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="DB") returned 2 [0122.640] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="11") returned 2 [0122.640] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="8E") returned 2 [0122.640] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="54") returned 2 [0122.640] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="35") returned 2 [0122.640] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="94") returned 2 [0122.640] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="B4") returned 2 [0122.640] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="5E") returned 2 [0122.640] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="44") returned 2 [0122.640] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="8B") returned 2 [0122.640] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="E5") returned 2 [0122.640] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="C3") returned 2 [0122.640] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="B4") returned 2 [0122.640] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="BF") returned 2 [0122.640] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="58") returned 2 [0122.651] lstrcpyW (in: lpString1=0x3dc11cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\messages.json" [0122.651] lstrcpyW (in: lpString1=0x3db11cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\messages.json" [0122.651] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\messages.json", lpString2=".84076EF31E20B6C3AE9B2200742E20101EDB118E543594B45E448BE5C3B4BF58" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\messages.json.84076EF31E20B6C3AE9B2200742E20101EDB118E543594B45E448BE5C3B4BF58") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\messages.json.84076EF31E20B6C3AE9B2200742E20101EDB118E543594B45E448BE5C3B4BF58" [0122.651] CreateIoCompletionPort (FileHandle=0x1b4, ExistingCompletionPort=0x94, CompletionKey=0x3db1198, NumberOfConcurrentThreads=0x0) returned 0x94 [0122.651] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3db1198, lpOverlapped=0x3db1198) returned 1 [0122.652] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8344d030, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8344d030, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83984760, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x404b, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0122.652] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0122.652] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\PUSSY.TXT") returned 160 [0122.652] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0122.653] lstrlenA (lpString="abcd") returned 4 [0122.653] WriteFile (in: hFile=0x198, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0122.654] CloseHandle (hObject=0x198) returned 1 [0122.654] GetProcessHeap () returned 0x4c0000 [0122.654] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0122.654] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x83451e50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83454560, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83454560, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="et", cAlternateFileName="")) returned 1 [0122.655] lstrcmpiW (lpString1="et", lpString2="Windows") returned -1 [0122.655] lstrcmpiW (lpString1="et", lpString2="Program Files") returned -1 [0122.655] lstrcmpiW (lpString1="et", lpString2="Program Files (x86)") returned -1 [0122.655] lstrcmpiW (lpString1="et", lpString2="$Recycle.bin") returned 1 [0122.655] lstrcmpiW (lpString1="et", lpString2="System Volume Information") returned -1 [0122.655] lstrcmpiW (lpString1="et", lpString2=".") returned 1 [0122.655] lstrcmpiW (lpString1="et", lpString2="..") returned 1 [0122.655] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et") returned 150 [0122.655] GetProcessHeap () returned 0x4c0000 [0122.655] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0122.655] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et" [0122.655] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\*" [0122.655] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x83451e50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83454560, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83454560, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0122.656] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0122.656] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0122.656] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0122.656] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0122.656] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0122.656] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0122.656] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x83451e50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83454560, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83454560, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0122.656] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0122.656] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0122.656] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0122.656] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0122.656] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0122.656] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0122.656] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0122.656] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x83454560, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83454560, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83984760, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x3e85, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0122.656] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0122.656] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0122.656] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0122.656] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0122.657] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0122.657] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0122.657] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0122.657] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\messages.json") returned 164 [0122.657] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0122.657] PathFindExtensionW (pszPath="messages.json") returned=".json" [0122.657] lstrlenW (lpString=".json") returned 5 [0122.657] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0122.657] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1c4 [0122.658] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=16005) returned 1 [0122.658] GetProcessHeap () returned 0x4c0000 [0122.658] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b380a0 [0122.685] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="71") returned 2 [0122.685] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="C4") returned 2 [0122.685] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="80") returned 2 [0122.685] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="25") returned 2 [0122.686] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="48") returned 2 [0122.686] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="FE") returned 2 [0122.686] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="D7") returned 2 [0122.686] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="E9") returned 2 [0122.686] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="F4") returned 2 [0122.686] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="96") returned 2 [0122.686] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="39") returned 2 [0122.686] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="2C") returned 2 [0122.686] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="05") returned 2 [0122.686] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="1A") returned 2 [0122.686] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="3B") returned 2 [0122.686] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="37") returned 2 [0122.686] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="AC") returned 2 [0122.686] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="95") returned 2 [0122.686] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="2B") returned 2 [0122.686] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="8B") returned 2 [0122.686] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="9B") returned 2 [0122.686] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="56") returned 2 [0122.687] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="0A") returned 2 [0122.687] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="62") returned 2 [0122.687] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="18") returned 2 [0122.687] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="5D") returned 2 [0122.687] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="23") returned 2 [0122.687] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="D8") returned 2 [0122.687] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="59") returned 2 [0122.687] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="D1") returned 2 [0122.687] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="CD") returned 2 [0122.687] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="1A") returned 2 [0122.699] lstrcpyW (in: lpString1=0x3b480d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\messages.json" [0122.699] lstrcpyW (in: lpString1=0x3b380d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\messages.json" [0122.699] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\messages.json", lpString2=".71C4802548FED7E9F496392C051A3B37AC952B8B9B560A62185D23D859D1CD1A" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\messages.json.71C4802548FED7E9F496392C051A3B37AC952B8B9B560A62185D23D859D1CD1A") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\messages.json.71C4802548FED7E9F496392C051A3B37AC952B8B9B560A62185D23D859D1CD1A" [0122.699] CreateIoCompletionPort (FileHandle=0x1c4, ExistingCompletionPort=0x94, CompletionKey=0x3b380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0122.699] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b380a0, lpOverlapped=0x3b380a0) returned 1 [0122.700] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x83454560, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83454560, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83984760, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x3e85, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0122.700] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0122.700] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\PUSSY.TXT") returned 160 [0122.701] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0122.702] lstrlenA (lpString="abcd") returned 4 [0122.702] WriteFile (in: hFile=0x198, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0122.703] CloseHandle (hObject=0x198) returned 1 [0122.703] GetProcessHeap () returned 0x4c0000 [0122.703] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0122.703] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x83459380, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8345ba90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8345ba90, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="fa", cAlternateFileName="")) returned 1 [0122.703] lstrcmpiW (lpString1="fa", lpString2="Windows") returned -1 [0122.703] lstrcmpiW (lpString1="fa", lpString2="Program Files") returned -1 [0122.703] lstrcmpiW (lpString1="fa", lpString2="Program Files (x86)") returned -1 [0122.703] lstrcmpiW (lpString1="fa", lpString2="$Recycle.bin") returned 1 [0122.703] lstrcmpiW (lpString1="fa", lpString2="System Volume Information") returned -1 [0122.704] lstrcmpiW (lpString1="fa", lpString2=".") returned 1 [0122.704] lstrcmpiW (lpString1="fa", lpString2="..") returned 1 [0122.704] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa") returned 150 [0122.704] GetProcessHeap () returned 0x4c0000 [0122.704] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0122.704] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa" [0122.704] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\*" [0122.704] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x83459380, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8345ba90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8345ba90, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0122.704] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0122.705] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0122.705] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0122.705] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0122.705] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0122.705] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0122.705] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x83459380, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8345ba90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8345ba90, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0122.705] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0122.705] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0122.705] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0122.705] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0122.705] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0122.705] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0122.705] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0122.705] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8345ba90, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8345ba90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83984760, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x46f5, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0122.706] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0122.706] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0122.706] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0122.706] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0122.706] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0122.706] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0122.706] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0122.706] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\messages.json") returned 164 [0122.706] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0122.706] PathFindExtensionW (pszPath="messages.json") returned=".json" [0122.706] lstrlenW (lpString=".json") returned 5 [0122.706] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0122.706] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0122.709] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=18165) returned 1 [0122.709] GetProcessHeap () returned 0x4c0000 [0122.709] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c720f8 [0122.717] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="39") returned 2 [0122.717] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="04") returned 2 [0122.717] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="7C") returned 2 [0122.718] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="40") returned 2 [0122.718] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="01") returned 2 [0122.718] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="44") returned 2 [0122.718] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="D8") returned 2 [0122.718] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="DE") returned 2 [0122.718] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="D4") returned 2 [0122.718] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="A7") returned 2 [0122.718] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="BA") returned 2 [0122.718] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="30") returned 2 [0122.718] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="6C") returned 2 [0122.718] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="C3") returned 2 [0122.718] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="CE") returned 2 [0122.718] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="77") returned 2 [0122.718] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="43") returned 2 [0122.718] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="DA") returned 2 [0122.718] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="DE") returned 2 [0122.718] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="84") returned 2 [0122.718] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="EE") returned 2 [0122.718] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="B1") returned 2 [0122.719] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="2A") returned 2 [0122.719] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="A1") returned 2 [0122.719] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="E9") returned 2 [0122.719] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="B5") returned 2 [0122.719] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="A6") returned 2 [0122.719] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="36") returned 2 [0122.719] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="D2") returned 2 [0122.719] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="C2") returned 2 [0122.719] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="9E") returned 2 [0122.719] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="3F") returned 2 [0122.727] lstrcpyW (in: lpString1=0x3c8212c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\messages.json" [0122.728] lstrcpyW (in: lpString1=0x3c7212c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\messages.json" [0122.728] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\messages.json", lpString2=".39047C400144D8DED4A7BA306CC3CE7743DADE84EEB12AA1E9B5A636D2C29E3F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\messages.json.39047C400144D8DED4A7BA306CC3CE7743DADE84EEB12AA1E9B5A636D2C29E3F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\messages.json.39047C400144D8DED4A7BA306CC3CE7743DADE84EEB12AA1E9B5A636D2C29E3F" [0122.728] CreateIoCompletionPort (FileHandle=0x1b0, ExistingCompletionPort=0x94, CompletionKey=0x3c720f8, NumberOfConcurrentThreads=0x0) returned 0x94 [0122.728] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c720f8, lpOverlapped=0x3c720f8) returned 1 [0122.728] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8345ba90, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8345ba90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83984760, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x46f5, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0122.728] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0122.728] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\PUSSY.TXT") returned 160 [0122.728] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0122.729] lstrlenA (lpString="abcd") returned 4 [0122.729] WriteFile (in: hFile=0x198, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0122.730] CloseHandle (hObject=0x198) returned 1 [0122.730] GetProcessHeap () returned 0x4c0000 [0122.731] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0122.731] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x834608b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83462fc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83462fc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="fi", cAlternateFileName="")) returned 1 [0122.731] lstrcmpiW (lpString1="fi", lpString2="Windows") returned -1 [0122.731] lstrcmpiW (lpString1="fi", lpString2="Program Files") returned -1 [0122.731] lstrcmpiW (lpString1="fi", lpString2="Program Files (x86)") returned -1 [0122.731] lstrcmpiW (lpString1="fi", lpString2="$Recycle.bin") returned 1 [0122.731] lstrcmpiW (lpString1="fi", lpString2="System Volume Information") returned -1 [0122.731] lstrcmpiW (lpString1="fi", lpString2=".") returned 1 [0122.731] lstrcmpiW (lpString1="fi", lpString2="..") returned 1 [0122.731] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi") returned 150 [0122.731] GetProcessHeap () returned 0x4c0000 [0122.731] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0122.731] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi" [0122.731] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\*" [0122.731] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x834608b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83462fc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83462fc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0122.732] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0122.732] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0122.732] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0122.732] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0122.732] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0122.732] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0122.732] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x834608b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83462fc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83462fc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0122.732] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0122.732] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0122.732] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0122.732] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0122.732] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0122.732] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0122.732] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0122.732] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x83462fc0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83462fc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83986e70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x3f4c, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0122.732] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0122.732] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0122.733] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0122.733] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0122.733] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0122.733] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0122.733] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0122.733] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\messages.json") returned 164 [0122.733] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0122.733] PathFindExtensionW (pszPath="messages.json") returned=".json" [0122.733] lstrlenW (lpString=".json") returned 5 [0122.733] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0122.733] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0122.734] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=16204) returned 1 [0122.734] GetProcessHeap () returned 0x4c0000 [0122.734] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b600f0 [0122.743] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="85") returned 2 [0122.743] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="5C") returned 2 [0122.744] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="A5") returned 2 [0122.744] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="35") returned 2 [0122.744] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="42") returned 2 [0122.744] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="87") returned 2 [0122.744] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="73") returned 2 [0122.744] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="57") returned 2 [0122.744] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="3A") returned 2 [0122.744] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="87") returned 2 [0122.744] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="C7") returned 2 [0122.744] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="52") returned 2 [0122.744] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="2C") returned 2 [0122.744] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="E5") returned 2 [0122.744] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="43") returned 2 [0122.744] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="4E") returned 2 [0122.744] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="D0") returned 2 [0122.744] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="09") returned 2 [0122.744] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="1A") returned 2 [0122.744] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="FB") returned 2 [0122.744] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="16") returned 2 [0122.745] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="8A") returned 2 [0122.745] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="C4") returned 2 [0122.745] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="1E") returned 2 [0122.745] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="C1") returned 2 [0122.745] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="17") returned 2 [0122.745] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="44") returned 2 [0122.745] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="EA") returned 2 [0122.745] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="84") returned 2 [0122.745] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="CF") returned 2 [0122.745] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="47") returned 2 [0122.745] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="73") returned 2 [0122.755] lstrcpyW (in: lpString1=0x3b70124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\messages.json" [0122.755] lstrcpyW (in: lpString1=0x3b60124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\messages.json" [0122.755] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\messages.json", lpString2=".855CA535428773573A87C7522CE5434ED0091AFB168AC41EC11744EA84CF4773" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\messages.json.855CA535428773573A87C7522CE5434ED0091AFB168AC41EC11744EA84CF4773") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\messages.json.855CA535428773573A87C7522CE5434ED0091AFB168AC41EC11744EA84CF4773" [0122.755] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x94, CompletionKey=0x3b600f0, NumberOfConcurrentThreads=0x0) returned 0x94 [0122.755] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b600f0, lpOverlapped=0x3b600f0) returned 1 [0122.755] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x83462fc0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83462fc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83986e70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x3f4c, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0122.755] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0122.755] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\PUSSY.TXT") returned 160 [0122.755] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0122.773] lstrlenA (lpString="abcd") returned 4 [0122.773] WriteFile (in: hFile=0x198, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0122.776] CloseHandle (hObject=0x198) returned 1 [0122.776] GetProcessHeap () returned 0x4c0000 [0122.776] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0122.776] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x83467de0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8346cc00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8346cc00, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="fil", cAlternateFileName="")) returned 1 [0122.776] lstrcmpiW (lpString1="fil", lpString2="Windows") returned -1 [0122.776] lstrcmpiW (lpString1="fil", lpString2="Program Files") returned -1 [0122.776] lstrcmpiW (lpString1="fil", lpString2="Program Files (x86)") returned -1 [0122.776] lstrcmpiW (lpString1="fil", lpString2="$Recycle.bin") returned 1 [0122.776] lstrcmpiW (lpString1="fil", lpString2="System Volume Information") returned -1 [0122.776] lstrcmpiW (lpString1="fil", lpString2=".") returned 1 [0122.776] lstrcmpiW (lpString1="fil", lpString2="..") returned 1 [0122.776] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil") returned 151 [0122.776] GetProcessHeap () returned 0x4c0000 [0122.776] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0122.776] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil" [0122.776] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\*" [0122.777] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x83467de0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8346cc00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8346cc00, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0122.777] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0122.777] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0122.777] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0122.777] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0122.777] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0122.777] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0122.777] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x83467de0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8346cc00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8346cc00, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0122.777] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0122.777] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0122.777] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0122.777] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0122.777] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0122.777] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0122.777] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0122.778] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8346cc00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83471a20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83986e70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x4082, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0122.778] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0122.778] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0122.778] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0122.778] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0122.778] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0122.778] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0122.778] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0122.778] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\messages.json") returned 165 [0122.778] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0122.778] PathFindExtensionW (pszPath="messages.json") returned=".json" [0122.778] lstrlenW (lpString=".json") returned 5 [0122.778] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0122.778] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d4 [0122.780] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=16514) returned 1 [0122.780] GetProcessHeap () returned 0x4c0000 [0122.780] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b88140 [0122.789] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="4B") returned 2 [0122.789] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="09") returned 2 [0122.789] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="7F") returned 2 [0122.789] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="5D") returned 2 [0122.789] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="2E") returned 2 [0122.789] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="44") returned 2 [0122.790] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="11") returned 2 [0122.790] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="9D") returned 2 [0122.790] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="8B") returned 2 [0122.790] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="E5") returned 2 [0122.790] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="19") returned 2 [0122.790] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="DB") returned 2 [0122.790] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="70") returned 2 [0122.790] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="3C") returned 2 [0122.790] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="9A") returned 2 [0122.790] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="98") returned 2 [0122.790] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="B2") returned 2 [0122.790] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="94") returned 2 [0122.790] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="36") returned 2 [0122.790] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="0B") returned 2 [0122.790] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="86") returned 2 [0122.790] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="B0") returned 2 [0122.790] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="40") returned 2 [0122.790] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="E5") returned 2 [0122.790] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="CD") returned 2 [0122.790] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="5C") returned 2 [0122.791] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="1C") returned 2 [0122.791] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="6F") returned 2 [0122.791] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="9A") returned 2 [0122.791] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="51") returned 2 [0122.791] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="52") returned 2 [0122.791] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="09") returned 2 [0122.800] lstrcpyW (in: lpString1=0x3b98174, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\messages.json" [0122.800] lstrcpyW (in: lpString1=0x3b88174, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\messages.json" [0122.800] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\messages.json", lpString2=".4B097F5D2E44119D8BE519DB703C9A98B294360B86B040E5CD5C1C6F9A515209" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\messages.json.4B097F5D2E44119D8BE519DB703C9A98B294360B86B040E5CD5C1C6F9A515209") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\messages.json.4B097F5D2E44119D8BE519DB703C9A98B294360B86B040E5CD5C1C6F9A515209" [0122.800] CreateIoCompletionPort (FileHandle=0x1d4, ExistingCompletionPort=0x94, CompletionKey=0x3b88140, NumberOfConcurrentThreads=0x0) returned 0x94 [0122.800] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b88140, lpOverlapped=0x3b88140) returned 1 [0122.810] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8346cc00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83471a20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83986e70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x4082, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0122.810] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0122.810] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\PUSSY.TXT") returned 161 [0122.810] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0122.827] lstrlenA (lpString="abcd") returned 4 [0122.827] WriteFile (in: hFile=0x198, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0122.828] CloseHandle (hObject=0x198) returned 1 [0122.828] GetProcessHeap () returned 0x4c0000 [0122.828] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0122.828] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x83476840, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83478f50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83478f50, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="fr", cAlternateFileName="")) returned 1 [0122.828] lstrcmpiW (lpString1="fr", lpString2="Windows") returned -1 [0122.828] lstrcmpiW (lpString1="fr", lpString2="Program Files") returned -1 [0122.828] lstrcmpiW (lpString1="fr", lpString2="Program Files (x86)") returned -1 [0122.828] lstrcmpiW (lpString1="fr", lpString2="$Recycle.bin") returned 1 [0122.829] lstrcmpiW (lpString1="fr", lpString2="System Volume Information") returned -1 [0122.829] lstrcmpiW (lpString1="fr", lpString2=".") returned 1 [0122.829] lstrcmpiW (lpString1="fr", lpString2="..") returned 1 [0122.829] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr") returned 150 [0122.829] GetProcessHeap () returned 0x4c0000 [0122.829] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0122.829] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr" [0122.829] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\*" [0122.829] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x83476840, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83478f50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83478f50, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0122.829] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0122.829] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0122.829] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0122.830] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0122.830] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0122.830] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0122.830] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x83476840, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83478f50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83478f50, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0122.830] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0122.830] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0122.830] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0122.830] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0122.830] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0122.830] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0122.830] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0122.830] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x83478f50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83478f50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83986e70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x419f, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0122.830] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0122.830] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0122.830] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0122.830] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0122.830] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0122.830] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0122.831] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0122.831] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\messages.json") returned 164 [0122.831] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0122.831] PathFindExtensionW (pszPath="messages.json") returned=".json" [0122.831] lstrlenW (lpString=".json") returned 5 [0122.831] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0122.831] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0122.831] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=16799) returned 1 [0122.832] GetProcessHeap () returned 0x4c0000 [0122.832] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x4040048 [0122.842] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="6F") returned 2 [0122.842] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="D6") returned 2 [0122.842] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="E4") returned 2 [0122.842] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="B1") returned 2 [0122.842] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="38") returned 2 [0122.842] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="6D") returned 2 [0122.842] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="B6") returned 2 [0122.842] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="82") returned 2 [0122.842] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="E1") returned 2 [0122.842] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="FC") returned 2 [0122.842] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="C8") returned 2 [0122.842] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="A5") returned 2 [0122.842] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="F5") returned 2 [0122.842] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="4C") returned 2 [0122.842] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="71") returned 2 [0122.842] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="C2") returned 2 [0122.842] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="FF") returned 2 [0122.842] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="6F") returned 2 [0122.843] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="E8") returned 2 [0122.843] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="98") returned 2 [0122.843] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="36") returned 2 [0122.843] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="F7") returned 2 [0122.843] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="BA") returned 2 [0122.843] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="0C") returned 2 [0122.843] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="B9") returned 2 [0122.843] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="92") returned 2 [0122.843] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="8A") returned 2 [0122.843] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="D3") returned 2 [0122.843] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="DE") returned 2 [0122.843] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="94") returned 2 [0122.843] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="1D") returned 2 [0122.843] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="43") returned 2 [0122.852] lstrcpyW (in: lpString1=0x405007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\messages.json" [0122.852] lstrcpyW (in: lpString1=0x404007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\messages.json" [0122.852] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\messages.json", lpString2=".6FD6E4B1386DB682E1FCC8A5F54C71C2FF6FE89836F7BA0CB9928AD3DE941D43" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\messages.json.6FD6E4B1386DB682E1FCC8A5F54C71C2FF6FE89836F7BA0CB9928AD3DE941D43") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\messages.json.6FD6E4B1386DB682E1FCC8A5F54C71C2FF6FE89836F7BA0CB9928AD3DE941D43" [0122.852] CreateIoCompletionPort (FileHandle=0x1d8, ExistingCompletionPort=0x94, CompletionKey=0x4040048, NumberOfConcurrentThreads=0x0) returned 0x94 [0122.852] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x4040048, lpOverlapped=0x4040048) returned 1 [0122.852] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x83478f50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83478f50, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83986e70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x419f, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0122.852] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0122.852] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\PUSSY.TXT") returned 160 [0122.852] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0122.853] lstrlenA (lpString="abcd") returned 4 [0122.853] WriteFile (in: hFile=0x198, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0122.854] CloseHandle (hObject=0x198) returned 1 [0122.854] GetProcessHeap () returned 0x4c0000 [0122.855] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0122.855] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8347dd70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83480480, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83480480, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="gu", cAlternateFileName="")) returned 1 [0122.855] lstrcmpiW (lpString1="gu", lpString2="Windows") returned -1 [0122.855] lstrcmpiW (lpString1="gu", lpString2="Program Files") returned -1 [0122.855] lstrcmpiW (lpString1="gu", lpString2="Program Files (x86)") returned -1 [0122.855] lstrcmpiW (lpString1="gu", lpString2="$Recycle.bin") returned 1 [0122.855] lstrcmpiW (lpString1="gu", lpString2="System Volume Information") returned -1 [0122.855] lstrcmpiW (lpString1="gu", lpString2=".") returned 1 [0122.855] lstrcmpiW (lpString1="gu", lpString2="..") returned 1 [0122.855] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu") returned 150 [0122.855] GetProcessHeap () returned 0x4c0000 [0122.855] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0122.855] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu" [0122.855] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\*" [0122.855] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8347dd70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83480480, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83480480, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0122.856] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0122.856] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0122.856] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0122.856] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0122.856] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0122.856] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0122.856] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8347dd70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83480480, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83480480, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0122.856] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0122.856] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0122.856] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0122.856] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0122.856] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0122.856] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0122.856] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0122.857] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x83480480, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83480480, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83986e70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x5079, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0122.857] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0122.857] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0122.857] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0122.857] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0122.857] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0122.857] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0122.857] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0122.857] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\messages.json") returned 164 [0122.857] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0122.857] PathFindExtensionW (pszPath="messages.json") returned=".json" [0122.857] lstrlenW (lpString=".json") returned 5 [0122.857] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0122.857] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1dc [0122.859] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=20601) returned 1 [0122.859] GetProcessHeap () returned 0x4c0000 [0122.859] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x4068098 [0122.873] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="67") returned 2 [0122.873] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="99") returned 2 [0122.873] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="68") returned 2 [0122.873] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="2F") returned 2 [0122.873] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="5A") returned 2 [0122.873] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="68") returned 2 [0122.873] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="C1") returned 2 [0122.873] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="D0") returned 2 [0122.873] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="A5") returned 2 [0122.873] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="3E") returned 2 [0122.873] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="CD") returned 2 [0122.874] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="6C") returned 2 [0122.874] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="0C") returned 2 [0122.874] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="BE") returned 2 [0122.874] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="9E") returned 2 [0122.874] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="57") returned 2 [0122.874] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="84") returned 2 [0122.874] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="87") returned 2 [0122.874] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="6C") returned 2 [0122.874] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="F9") returned 2 [0122.874] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="B6") returned 2 [0122.874] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="32") returned 2 [0122.874] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="48") returned 2 [0122.874] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="35") returned 2 [0122.875] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="A1") returned 2 [0122.875] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="7A") returned 2 [0122.875] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="25") returned 2 [0122.875] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="2E") returned 2 [0122.875] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="01") returned 2 [0122.875] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="D5") returned 2 [0122.875] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="49") returned 2 [0122.875] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="78") returned 2 [0122.889] lstrcpyW (in: lpString1=0x40780cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\messages.json" [0122.889] lstrcpyW (in: lpString1=0x40680cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\messages.json" [0122.889] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\messages.json", lpString2=".6799682F5A68C1D0A53ECD6C0CBE9E5784876CF9B6324835A17A252E01D54978" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\messages.json.6799682F5A68C1D0A53ECD6C0CBE9E5784876CF9B6324835A17A252E01D54978") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\messages.json.6799682F5A68C1D0A53ECD6C0CBE9E5784876CF9B6324835A17A252E01D54978" [0122.889] CreateIoCompletionPort (FileHandle=0x1dc, ExistingCompletionPort=0x94, CompletionKey=0x4068098, NumberOfConcurrentThreads=0x0) returned 0x94 [0122.890] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x4068098, lpOverlapped=0x4068098) returned 1 [0122.890] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x83480480, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83480480, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83986e70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x5079, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0122.890] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0122.890] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\PUSSY.TXT") returned 160 [0122.890] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0122.891] lstrlenA (lpString="abcd") returned 4 [0122.891] WriteFile (in: hFile=0x198, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0122.893] CloseHandle (hObject=0x198) returned 1 [0122.893] GetProcessHeap () returned 0x4c0000 [0122.893] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0122.893] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x834852a0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834879b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x834879b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="hi", cAlternateFileName="")) returned 1 [0122.893] lstrcmpiW (lpString1="hi", lpString2="Windows") returned -1 [0122.893] lstrcmpiW (lpString1="hi", lpString2="Program Files") returned -1 [0122.893] lstrcmpiW (lpString1="hi", lpString2="Program Files (x86)") returned -1 [0122.893] lstrcmpiW (lpString1="hi", lpString2="$Recycle.bin") returned 1 [0122.893] lstrcmpiW (lpString1="hi", lpString2="System Volume Information") returned -1 [0122.893] lstrcmpiW (lpString1="hi", lpString2=".") returned 1 [0122.893] lstrcmpiW (lpString1="hi", lpString2="..") returned 1 [0122.894] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi") returned 150 [0122.894] GetProcessHeap () returned 0x4c0000 [0122.894] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0122.894] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi" [0122.894] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\*" [0122.894] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x834852a0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834879b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x834879b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0122.895] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0122.895] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0122.895] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0122.895] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0122.895] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0122.895] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0122.895] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x834852a0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834879b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x834879b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0122.895] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0122.895] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0122.895] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0122.895] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0122.895] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0122.895] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0122.896] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0122.896] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x834879b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834879b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83986e70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x50f7, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0122.896] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0122.896] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0122.896] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0122.896] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0122.896] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0122.896] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0122.896] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0122.896] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\messages.json") returned 164 [0122.896] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0122.896] PathFindExtensionW (pszPath="messages.json") returned=".json" [0122.897] lstrlenW (lpString=".json") returned 5 [0122.897] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0122.897] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1e0 [0122.898] GetFileSizeEx (in: hFile=0x1e0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=20727) returned 1 [0122.898] GetProcessHeap () returned 0x4c0000 [0122.898] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x40900e8 [0122.915] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="B9") returned 2 [0122.915] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="65") returned 2 [0122.915] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="5B") returned 2 [0122.915] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="17") returned 2 [0122.915] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="C0") returned 2 [0122.915] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="6B") returned 2 [0122.915] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="DC") returned 2 [0122.915] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="AD") returned 2 [0122.915] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="64") returned 2 [0122.915] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="FF") returned 2 [0122.915] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="CA") returned 2 [0122.916] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="DA") returned 2 [0122.916] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="CB") returned 2 [0122.916] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="A1") returned 2 [0122.916] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="8A") returned 2 [0122.916] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="5C") returned 2 [0122.916] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="36") returned 2 [0122.916] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="08") returned 2 [0122.916] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="A9") returned 2 [0122.916] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="A1") returned 2 [0122.916] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="4F") returned 2 [0122.916] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="CD") returned 2 [0122.916] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="A3") returned 2 [0122.916] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="D3") returned 2 [0122.917] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="80") returned 2 [0122.917] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="17") returned 2 [0122.917] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="BD") returned 2 [0122.917] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="8A") returned 2 [0122.917] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="6C") returned 2 [0122.917] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="43") returned 2 [0122.917] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="DB") returned 2 [0122.917] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="62") returned 2 [0123.034] lstrcpyW (in: lpString1=0x40a011c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\messages.json" [0123.034] lstrcpyW (in: lpString1=0x409011c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\messages.json" [0123.034] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\messages.json", lpString2=".B9655B17C06BDCAD64FFCADACBA18A5C3608A9A14FCDA3D38017BD8A6C43DB62" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\messages.json.B9655B17C06BDCAD64FFCADACBA18A5C3608A9A14FCDA3D38017BD8A6C43DB62") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\messages.json.B9655B17C06BDCAD64FFCADACBA18A5C3608A9A14FCDA3D38017BD8A6C43DB62" [0123.034] CreateIoCompletionPort (FileHandle=0x1e0, ExistingCompletionPort=0x94, CompletionKey=0x40900e8, NumberOfConcurrentThreads=0x0) returned 0x94 [0123.034] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x40900e8, lpOverlapped=0x40900e8) returned 1 [0123.039] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x834879b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834879b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83986e70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x50f7, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0123.039] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0123.039] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\PUSSY.TXT") returned 160 [0123.039] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0123.040] lstrlenA (lpString="abcd") returned 4 [0123.040] WriteFile (in: hFile=0x198, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0123.042] CloseHandle (hObject=0x198) returned 1 [0123.042] GetProcessHeap () returned 0x4c0000 [0123.042] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0123.042] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8348c7d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8348eee0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8348eee0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="hr", cAlternateFileName="")) returned 1 [0123.042] lstrcmpiW (lpString1="hr", lpString2="Windows") returned -1 [0123.042] lstrcmpiW (lpString1="hr", lpString2="Program Files") returned -1 [0123.042] lstrcmpiW (lpString1="hr", lpString2="Program Files (x86)") returned -1 [0123.042] lstrcmpiW (lpString1="hr", lpString2="$Recycle.bin") returned 1 [0123.042] lstrcmpiW (lpString1="hr", lpString2="System Volume Information") returned -1 [0123.042] lstrcmpiW (lpString1="hr", lpString2=".") returned 1 [0123.043] lstrcmpiW (lpString1="hr", lpString2="..") returned 1 [0123.043] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr") returned 150 [0123.043] GetProcessHeap () returned 0x4c0000 [0123.043] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0123.043] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr" [0123.043] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\*" [0123.043] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8348c7d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8348eee0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8348eee0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0123.043] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0123.044] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0123.044] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0123.044] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0123.044] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0123.044] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.044] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8348c7d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8348eee0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8348eee0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0123.044] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0123.044] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0123.044] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0123.044] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0123.044] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0123.044] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.045] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.045] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8348eee0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8348eee0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83986e70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x3ff2, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0123.045] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0123.045] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0123.045] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0123.045] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0123.045] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0123.045] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0123.045] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0123.045] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\messages.json") returned 164 [0123.045] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0123.045] PathFindExtensionW (pszPath="messages.json") returned=".json" [0123.046] lstrlenW (lpString=".json") returned 5 [0123.046] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0123.046] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0123.047] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=16370) returned 1 [0123.048] GetProcessHeap () returned 0x4c0000 [0123.048] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3d89148 [0123.062] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="7D") returned 2 [0123.062] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="55") returned 2 [0123.062] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="05") returned 2 [0123.062] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="91") returned 2 [0123.063] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="35") returned 2 [0123.063] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="32") returned 2 [0123.063] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="69") returned 2 [0123.063] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="24") returned 2 [0123.063] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="6A") returned 2 [0123.063] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="2F") returned 2 [0123.063] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="2C") returned 2 [0123.063] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="62") returned 2 [0123.063] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="D1") returned 2 [0123.063] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="B5") returned 2 [0123.063] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="C4") returned 2 [0123.063] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="13") returned 2 [0123.063] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="65") returned 2 [0123.063] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="00") returned 2 [0123.064] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="15") returned 2 [0123.064] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="E2") returned 2 [0123.064] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="CF") returned 2 [0123.064] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="87") returned 2 [0123.064] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="8B") returned 2 [0123.064] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="0B") returned 2 [0123.068] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="93") returned 2 [0123.068] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="1B") returned 2 [0123.068] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="7C") returned 2 [0123.068] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="A9") returned 2 [0123.068] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="B8") returned 2 [0123.068] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="4F") returned 2 [0123.068] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="40") returned 2 [0123.068] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="5F") returned 2 [0123.080] lstrcpyW (in: lpString1=0x3d9917c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\messages.json" [0123.081] lstrcpyW (in: lpString1=0x3d8917c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\messages.json" [0123.081] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\messages.json", lpString2=".7D550591353269246A2F2C62D1B5C413650015E2CF878B0B931B7CA9B84F405F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\messages.json.7D550591353269246A2F2C62D1B5C413650015E2CF878B0B931B7CA9B84F405F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\messages.json.7D550591353269246A2F2C62D1B5C413650015E2CF878B0B931B7CA9B84F405F" [0123.081] CreateIoCompletionPort (FileHandle=0x1ac, ExistingCompletionPort=0x94, CompletionKey=0x3d89148, NumberOfConcurrentThreads=0x0) returned 0x94 [0123.081] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3d89148, lpOverlapped=0x3d89148) returned 1 [0123.081] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8348eee0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8348eee0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83986e70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x3ff2, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0123.081] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0123.082] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\PUSSY.TXT") returned 160 [0123.082] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0123.083] lstrlenA (lpString="abcd") returned 4 [0123.083] WriteFile (in: hFile=0x198, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0123.084] CloseHandle (hObject=0x198) returned 1 [0123.084] GetProcessHeap () returned 0x4c0000 [0123.084] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0123.084] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x83496410, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83498b20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83498b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="hu", cAlternateFileName="")) returned 1 [0123.084] lstrcmpiW (lpString1="hu", lpString2="Windows") returned -1 [0123.084] lstrcmpiW (lpString1="hu", lpString2="Program Files") returned -1 [0123.084] lstrcmpiW (lpString1="hu", lpString2="Program Files (x86)") returned -1 [0123.084] lstrcmpiW (lpString1="hu", lpString2="$Recycle.bin") returned 1 [0123.084] lstrcmpiW (lpString1="hu", lpString2="System Volume Information") returned -1 [0123.084] lstrcmpiW (lpString1="hu", lpString2=".") returned 1 [0123.084] lstrcmpiW (lpString1="hu", lpString2="..") returned 1 [0123.084] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu") returned 150 [0123.085] GetProcessHeap () returned 0x4c0000 [0123.085] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0123.085] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu" [0123.085] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\*" [0123.085] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x83496410, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83498b20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83498b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0123.085] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0123.085] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0123.085] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0123.085] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0123.085] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0123.085] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.085] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x83496410, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83498b20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83498b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0123.086] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0123.086] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0123.086] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0123.086] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0123.086] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0123.086] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.086] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.086] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x83498b20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8349d940, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83986e70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x40d4, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0123.086] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0123.086] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0123.086] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0123.086] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0123.086] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0123.086] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0123.086] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0123.086] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\messages.json") returned 164 [0123.086] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0123.087] PathFindExtensionW (pszPath="messages.json") returned=".json" [0123.087] lstrlenW (lpString=".json") returned 5 [0123.087] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0123.087] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b4 [0123.087] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=16596) returned 1 [0123.087] GetProcessHeap () returned 0x4c0000 [0123.087] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3db1198 [0123.096] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="ED") returned 2 [0123.096] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="61") returned 2 [0123.096] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="01") returned 2 [0123.096] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="36") returned 2 [0123.096] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="BD") returned 2 [0123.096] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="7E") returned 2 [0123.096] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="58") returned 2 [0123.096] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="ED") returned 2 [0123.096] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="2D") returned 2 [0123.096] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="B5") returned 2 [0123.096] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="86") returned 2 [0123.096] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="E6") returned 2 [0123.096] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="72") returned 2 [0123.097] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="02") returned 2 [0123.097] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="58") returned 2 [0123.097] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="1E") returned 2 [0123.097] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="9B") returned 2 [0123.097] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="8F") returned 2 [0123.097] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="3C") returned 2 [0123.097] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="D0") returned 2 [0123.097] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="F6") returned 2 [0123.097] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="55") returned 2 [0123.097] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="3A") returned 2 [0123.097] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="DF") returned 2 [0123.097] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="ED") returned 2 [0123.098] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="B6") returned 2 [0123.098] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="64") returned 2 [0123.098] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="1B") returned 2 [0123.098] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="3D") returned 2 [0123.098] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="2D") returned 2 [0123.098] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="AD") returned 2 [0123.098] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="07") returned 2 [0123.106] lstrcpyW (in: lpString1=0x3dc11cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\messages.json" [0123.106] lstrcpyW (in: lpString1=0x3db11cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\messages.json" [0123.106] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\messages.json", lpString2=".ED610136BD7E58ED2DB586E67202581E9B8F3CD0F6553ADFEDB6641B3D2DAD07" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\messages.json.ED610136BD7E58ED2DB586E67202581E9B8F3CD0F6553ADFEDB6641B3D2DAD07") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\messages.json.ED610136BD7E58ED2DB586E67202581E9B8F3CD0F6553ADFEDB6641B3D2DAD07" [0123.106] CreateIoCompletionPort (FileHandle=0x1b4, ExistingCompletionPort=0x94, CompletionKey=0x3db1198, NumberOfConcurrentThreads=0x0) returned 0x94 [0123.106] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3db1198, lpOverlapped=0x3db1198) returned 1 [0123.106] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x83498b20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8349d940, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83986e70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x40d4, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0123.106] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0123.106] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\PUSSY.TXT") returned 160 [0123.107] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0123.107] lstrlenA (lpString="abcd") returned 4 [0123.108] WriteFile (in: hFile=0x198, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0123.108] CloseHandle (hObject=0x198) returned 1 [0123.109] GetProcessHeap () returned 0x4c0000 [0123.109] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0123.109] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x834a2760, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834a4e70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x834a4e70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="id", cAlternateFileName="")) returned 1 [0123.109] lstrcmpiW (lpString1="id", lpString2="Windows") returned -1 [0123.109] lstrcmpiW (lpString1="id", lpString2="Program Files") returned -1 [0123.109] lstrcmpiW (lpString1="id", lpString2="Program Files (x86)") returned -1 [0123.109] lstrcmpiW (lpString1="id", lpString2="$Recycle.bin") returned 1 [0123.109] lstrcmpiW (lpString1="id", lpString2="System Volume Information") returned -1 [0123.109] lstrcmpiW (lpString1="id", lpString2=".") returned 1 [0123.109] lstrcmpiW (lpString1="id", lpString2="..") returned 1 [0123.109] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id") returned 150 [0123.109] GetProcessHeap () returned 0x4c0000 [0123.109] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0123.109] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id" [0123.109] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\*" [0123.109] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x834a2760, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834a4e70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x834a4e70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0123.110] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0123.110] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0123.110] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0123.110] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0123.110] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0123.110] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.110] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x834a2760, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834a4e70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x834a4e70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0123.110] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0123.110] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0123.110] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0123.110] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0123.110] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0123.110] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.111] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.111] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x834a4e70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834a4e70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83986e70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x3e5d, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0123.111] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0123.111] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0123.111] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0123.111] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0123.111] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0123.111] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0123.111] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0123.111] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\messages.json") returned 164 [0123.111] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0123.111] PathFindExtensionW (pszPath="messages.json") returned=".json" [0123.111] lstrlenW (lpString=".json") returned 5 [0123.111] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0123.111] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0123.161] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=15965) returned 1 [0123.161] GetProcessHeap () returned 0x4c0000 [0123.161] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c720f8 [0123.169] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="46") returned 2 [0123.169] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="68") returned 2 [0123.169] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="AD") returned 2 [0123.169] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="4C") returned 2 [0123.170] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="37") returned 2 [0123.170] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="68") returned 2 [0123.170] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="74") returned 2 [0123.170] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="FD") returned 2 [0123.170] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="7F") returned 2 [0123.170] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="87") returned 2 [0123.170] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="B7") returned 2 [0123.170] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="35") returned 2 [0123.170] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="AC") returned 2 [0123.170] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="B6") returned 2 [0123.170] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="8A") returned 2 [0123.170] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="41") returned 2 [0123.170] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="2E") returned 2 [0123.170] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="B9") returned 2 [0123.170] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="07") returned 2 [0123.170] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="11") returned 2 [0123.170] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="D5") returned 2 [0123.170] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="33") returned 2 [0123.171] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="68") returned 2 [0123.171] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="10") returned 2 [0123.171] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="EA") returned 2 [0123.171] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="34") returned 2 [0123.171] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="65") returned 2 [0123.171] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="0A") returned 2 [0123.171] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="7B") returned 2 [0123.171] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="C2") returned 2 [0123.171] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="03") returned 2 [0123.171] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="07") returned 2 [0123.179] lstrcpyW (in: lpString1=0x3c8212c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\messages.json" [0123.179] lstrcpyW (in: lpString1=0x3c7212c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\messages.json" [0123.179] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\messages.json", lpString2=".4668AD4C376874FD7F87B735ACB68A412EB90711D5336810EA34650A7BC20307" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\messages.json.4668AD4C376874FD7F87B735ACB68A412EB90711D5336810EA34650A7BC20307") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\messages.json.4668AD4C376874FD7F87B735ACB68A412EB90711D5336810EA34650A7BC20307" [0123.179] CreateIoCompletionPort (FileHandle=0x1b0, ExistingCompletionPort=0x94, CompletionKey=0x3c720f8, NumberOfConcurrentThreads=0x0) returned 0x94 [0123.179] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c720f8, lpOverlapped=0x3c720f8) returned 1 [0123.180] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x834a4e70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834a4e70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83986e70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x3e5d, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0123.180] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0123.180] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\PUSSY.TXT") returned 160 [0123.180] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0123.181] lstrlenA (lpString="abcd") returned 4 [0123.181] WriteFile (in: hFile=0x198, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0123.184] CloseHandle (hObject=0x198) returned 1 [0123.184] GetProcessHeap () returned 0x4c0000 [0123.184] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0123.184] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x834a7580, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834a7580, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x834a7580, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="it", cAlternateFileName="")) returned 1 [0123.185] lstrcmpiW (lpString1="it", lpString2="Windows") returned -1 [0123.185] lstrcmpiW (lpString1="it", lpString2="Program Files") returned -1 [0123.185] lstrcmpiW (lpString1="it", lpString2="Program Files (x86)") returned -1 [0123.185] lstrcmpiW (lpString1="it", lpString2="$Recycle.bin") returned 1 [0123.185] lstrcmpiW (lpString1="it", lpString2="System Volume Information") returned -1 [0123.185] lstrcmpiW (lpString1="it", lpString2=".") returned 1 [0123.185] lstrcmpiW (lpString1="it", lpString2="..") returned 1 [0123.185] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it") returned 150 [0123.185] GetProcessHeap () returned 0x4c0000 [0123.185] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0123.185] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it" [0123.185] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\*" [0123.185] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x834a7580, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834a7580, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x834a7580, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0123.186] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0123.186] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0123.186] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0123.186] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0123.186] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0123.186] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.186] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x834a7580, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834a7580, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x834a7580, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0123.186] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0123.186] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0123.186] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0123.186] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0123.186] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0123.186] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.186] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.186] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x834a7580, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834a7580, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83986e70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x3f0c, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0123.187] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0123.187] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0123.187] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0123.187] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0123.187] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0123.187] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0123.187] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0123.187] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\messages.json") returned 164 [0123.187] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0123.187] PathFindExtensionW (pszPath="messages.json") returned=".json" [0123.187] lstrlenW (lpString=".json") returned 5 [0123.187] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0123.187] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1e4 [0123.188] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=16140) returned 1 [0123.188] GetProcessHeap () returned 0x4c0000 [0123.188] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x40b8138 [0123.199] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="FD") returned 2 [0123.199] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="A1") returned 2 [0123.199] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="FB") returned 2 [0123.199] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="72") returned 2 [0123.199] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="B5") returned 2 [0123.199] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="41") returned 2 [0123.199] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="5B") returned 2 [0123.199] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="65") returned 2 [0123.199] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="C3") returned 2 [0123.199] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="A6") returned 2 [0123.199] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="A2") returned 2 [0123.199] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="1B") returned 2 [0123.199] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="6F") returned 2 [0123.199] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="F8") returned 2 [0123.199] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="EF") returned 2 [0123.199] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="64") returned 2 [0123.200] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="A9") returned 2 [0123.200] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="E2") returned 2 [0123.200] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="2B") returned 2 [0123.200] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="2C") returned 2 [0123.200] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="B9") returned 2 [0123.200] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="47") returned 2 [0123.200] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="0C") returned 2 [0123.200] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="20") returned 2 [0123.200] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="FD") returned 2 [0123.200] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="56") returned 2 [0123.200] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="BF") returned 2 [0123.200] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="CA") returned 2 [0123.200] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="AD") returned 2 [0123.200] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="32") returned 2 [0123.200] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="24") returned 2 [0123.200] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="5D") returned 2 [0123.306] lstrcpyW (in: lpString1=0x40c816c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\messages.json" [0123.306] lstrcpyW (in: lpString1=0x40b816c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\messages.json" [0123.307] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\messages.json", lpString2=".FDA1FB72B5415B65C3A6A21B6FF8EF64A9E22B2CB9470C20FD56BFCAAD32245D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\messages.json.FDA1FB72B5415B65C3A6A21B6FF8EF64A9E22B2CB9470C20FD56BFCAAD32245D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\messages.json.FDA1FB72B5415B65C3A6A21B6FF8EF64A9E22B2CB9470C20FD56BFCAAD32245D" [0123.307] CreateIoCompletionPort (FileHandle=0x1e4, ExistingCompletionPort=0x94, CompletionKey=0x40b8138, NumberOfConcurrentThreads=0x0) returned 0x94 [0123.307] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x40b8138, lpOverlapped=0x40b8138) returned 1 [0123.307] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x834a7580, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834a7580, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83986e70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x3f0c, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0123.308] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0123.308] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\PUSSY.TXT") returned 160 [0123.308] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0123.716] lstrlenA (lpString="abcd") returned 4 [0123.717] WriteFile (in: hFile=0x16c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0123.718] CloseHandle (hObject=0x16c) returned 1 [0123.718] GetProcessHeap () returned 0x4c0000 [0123.718] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0123.718] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x834aeab0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834b11c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x834b11c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="iw", cAlternateFileName="")) returned 1 [0123.718] lstrcmpiW (lpString1="iw", lpString2="Windows") returned -1 [0123.718] lstrcmpiW (lpString1="iw", lpString2="Program Files") returned -1 [0123.719] lstrcmpiW (lpString1="iw", lpString2="Program Files (x86)") returned -1 [0123.719] lstrcmpiW (lpString1="iw", lpString2="$Recycle.bin") returned 1 [0123.719] lstrcmpiW (lpString1="iw", lpString2="System Volume Information") returned -1 [0123.719] lstrcmpiW (lpString1="iw", lpString2=".") returned 1 [0123.719] lstrcmpiW (lpString1="iw", lpString2="..") returned 1 [0123.719] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw") returned 150 [0123.719] GetProcessHeap () returned 0x4c0000 [0123.719] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0123.719] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw" [0123.719] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\*" [0123.719] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x834aeab0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834b11c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x834b11c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0123.720] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0123.720] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0123.720] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0123.720] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0123.720] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0123.720] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.720] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x834aeab0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834b11c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x834b11c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0123.720] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0123.720] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0123.720] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0123.720] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0123.720] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0123.720] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.720] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.720] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x834b11c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834b38d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x1caf9500, ftLastWriteTime.dwHighDateTime=0x1d2c87a, nFileSizeHigh=0x0, nFileSizeLow=0x5074, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0123.721] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0123.721] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0123.721] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0123.721] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0123.721] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0123.721] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0123.721] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0123.721] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\messages.json") returned 164 [0123.721] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0123.721] PathFindExtensionW (pszPath="messages.json") returned=".json" [0123.721] lstrlenW (lpString=".json") returned 5 [0123.721] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0123.721] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1dc [0123.725] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=20596) returned 1 [0123.725] GetProcessHeap () returned 0x4c0000 [0123.725] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x53caf0 [0123.741] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="54") returned 2 [0123.741] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="27") returned 2 [0123.741] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="BB") returned 2 [0123.741] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="10") returned 2 [0123.741] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="6E") returned 2 [0123.741] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="8D") returned 2 [0123.741] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="DF") returned 2 [0123.741] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="F9") returned 2 [0123.741] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="A0") returned 2 [0123.741] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="E5") returned 2 [0123.741] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="92") returned 2 [0123.741] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="45") returned 2 [0123.742] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="70") returned 2 [0123.742] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="4F") returned 2 [0123.742] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="4A") returned 2 [0123.742] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="5C") returned 2 [0123.742] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="0E") returned 2 [0123.742] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="54") returned 2 [0123.742] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="65") returned 2 [0123.742] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="EC") returned 2 [0123.742] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="3D") returned 2 [0123.742] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="28") returned 2 [0123.742] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="65") returned 2 [0123.742] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="A5") returned 2 [0123.742] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="0D") returned 2 [0123.742] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="B7") returned 2 [0123.742] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="6C") returned 2 [0123.742] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="4B") returned 2 [0123.742] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="58") returned 2 [0123.742] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="AF") returned 2 [0123.742] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="B6") returned 2 [0123.742] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="67") returned 2 [0123.755] lstrcpyW (in: lpString1=0x54cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\messages.json" [0123.755] lstrcpyW (in: lpString1=0x53cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\messages.json" [0123.755] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\messages.json", lpString2=".5427BB106E8DDFF9A0E59245704F4A5C0E5465EC3D2865A50DB76C4B58AFB667" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\messages.json.5427BB106E8DDFF9A0E59245704F4A5C0E5465EC3D2865A50DB76C4B58AFB667") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\messages.json.5427BB106E8DDFF9A0E59245704F4A5C0E5465EC3D2865A50DB76C4B58AFB667" [0123.755] CreateIoCompletionPort (FileHandle=0x1dc, ExistingCompletionPort=0x94, CompletionKey=0x53caf0, NumberOfConcurrentThreads=0x0) returned 0x94 [0123.755] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x53caf0, lpOverlapped=0x53caf0) returned 1 [0123.755] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x834b11c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834b38d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x1caf9500, ftLastWriteTime.dwHighDateTime=0x1d2c87a, nFileSizeHigh=0x0, nFileSizeLow=0x5074, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0123.755] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0123.755] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\PUSSY.TXT") returned 160 [0123.755] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0123.757] lstrlenA (lpString="abcd") returned 4 [0123.757] WriteFile (in: hFile=0x16c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0123.758] CloseHandle (hObject=0x16c) returned 1 [0123.758] GetProcessHeap () returned 0x4c0000 [0123.758] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0123.758] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x834b86f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834bae00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x834bae00, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ja", cAlternateFileName="")) returned 1 [0123.758] lstrcmpiW (lpString1="ja", lpString2="Windows") returned -1 [0123.758] lstrcmpiW (lpString1="ja", lpString2="Program Files") returned -1 [0123.758] lstrcmpiW (lpString1="ja", lpString2="Program Files (x86)") returned -1 [0123.758] lstrcmpiW (lpString1="ja", lpString2="$Recycle.bin") returned 1 [0123.758] lstrcmpiW (lpString1="ja", lpString2="System Volume Information") returned -1 [0123.758] lstrcmpiW (lpString1="ja", lpString2=".") returned 1 [0123.758] lstrcmpiW (lpString1="ja", lpString2="..") returned 1 [0123.758] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja") returned 150 [0123.759] GetProcessHeap () returned 0x4c0000 [0123.759] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0123.759] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja" [0123.759] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\*" [0123.759] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x834b86f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834bae00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x834bae00, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0123.759] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0123.759] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0123.759] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0123.759] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0123.759] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0123.759] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.759] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x834b86f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834bae00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x834bae00, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0123.760] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0123.760] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0123.760] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0123.760] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0123.760] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0123.760] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.760] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.760] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x834bae00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834bd510, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83989580, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x447a, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0123.760] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0123.760] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0123.760] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0123.760] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0123.760] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0123.760] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0123.760] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0123.760] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\messages.json") returned 164 [0123.760] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0123.760] PathFindExtensionW (pszPath="messages.json") returned=".json" [0123.760] lstrlenW (lpString=".json") returned 5 [0123.761] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0123.761] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d4 [0123.761] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=17530) returned 1 [0123.761] GetProcessHeap () returned 0x4c0000 [0123.762] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b88140 [0123.776] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="19") returned 2 [0123.776] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="CB") returned 2 [0123.776] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="C1") returned 2 [0123.776] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="FD") returned 2 [0123.776] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="62") returned 2 [0123.776] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="43") returned 2 [0123.776] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="49") returned 2 [0123.776] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="A0") returned 2 [0123.776] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="D2") returned 2 [0123.776] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="CC") returned 2 [0123.777] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="43") returned 2 [0123.777] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="79") returned 2 [0123.777] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="F2") returned 2 [0123.777] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="76") returned 2 [0123.777] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="EB") returned 2 [0123.777] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="D5") returned 2 [0123.777] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="8F") returned 2 [0123.777] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="A6") returned 2 [0123.777] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="17") returned 2 [0123.777] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="92") returned 2 [0123.777] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="D9") returned 2 [0123.777] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="A7") returned 2 [0123.777] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="9A") returned 2 [0123.777] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="B1") returned 2 [0123.777] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="6A") returned 2 [0123.777] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="96") returned 2 [0123.777] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="92") returned 2 [0123.777] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="B7") returned 2 [0123.777] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="E8") returned 2 [0123.777] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="F4") returned 2 [0123.777] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="4B") returned 2 [0123.778] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="1B") returned 2 [0123.790] lstrcpyW (in: lpString1=0x3b98174, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\messages.json" [0123.790] lstrcpyW (in: lpString1=0x3b88174, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\messages.json" [0123.790] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\messages.json", lpString2=".19CBC1FD624349A0D2CC4379F276EBD58FA61792D9A79AB16A9692B7E8F44B1B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\messages.json.19CBC1FD624349A0D2CC4379F276EBD58FA61792D9A79AB16A9692B7E8F44B1B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\messages.json.19CBC1FD624349A0D2CC4379F276EBD58FA61792D9A79AB16A9692B7E8F44B1B" [0123.790] CreateIoCompletionPort (FileHandle=0x1d4, ExistingCompletionPort=0x94, CompletionKey=0x3b88140, NumberOfConcurrentThreads=0x0) returned 0x94 [0123.790] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b88140, lpOverlapped=0x3b88140) returned 1 [0123.791] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x834bae00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834bd510, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83989580, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x447a, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0123.791] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0123.791] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\PUSSY.TXT") returned 160 [0123.791] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0123.792] lstrlenA (lpString="abcd") returned 4 [0123.792] WriteFile (in: hFile=0x16c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0123.793] CloseHandle (hObject=0x16c) returned 1 [0123.793] GetProcessHeap () returned 0x4c0000 [0123.793] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0123.793] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x834c4a40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834c7150, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x834c7150, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="kn", cAlternateFileName="")) returned 1 [0123.793] lstrcmpiW (lpString1="kn", lpString2="Windows") returned -1 [0123.793] lstrcmpiW (lpString1="kn", lpString2="Program Files") returned -1 [0123.793] lstrcmpiW (lpString1="kn", lpString2="Program Files (x86)") returned -1 [0123.794] lstrcmpiW (lpString1="kn", lpString2="$Recycle.bin") returned 1 [0123.794] lstrcmpiW (lpString1="kn", lpString2="System Volume Information") returned -1 [0123.794] lstrcmpiW (lpString1="kn", lpString2=".") returned 1 [0123.794] lstrcmpiW (lpString1="kn", lpString2="..") returned 1 [0123.794] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn") returned 150 [0123.794] GetProcessHeap () returned 0x4c0000 [0123.794] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0123.794] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn" [0123.794] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\*" [0123.794] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x834c4a40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834c7150, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x834c7150, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0123.795] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0123.795] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0123.795] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0123.795] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0123.795] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0123.795] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0123.795] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x834c4a40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834c7150, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x834c7150, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0123.795] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0123.795] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0123.795] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0123.795] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0123.795] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0123.795] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0123.795] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0123.795] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x834c7150, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834c9860, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83989580, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x55a3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0123.795] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0123.795] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0123.795] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0123.795] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0123.795] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0123.795] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0123.796] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0123.796] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\messages.json") returned 164 [0123.796] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0123.796] PathFindExtensionW (pszPath="messages.json") returned=".json" [0123.796] lstrlenW (lpString=".json") returned 5 [0123.796] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0123.796] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0123.842] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=21923) returned 1 [0123.843] GetProcessHeap () returned 0x4c0000 [0123.843] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b380a0 [0123.857] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="5E") returned 2 [0123.857] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="30") returned 2 [0123.857] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="42") returned 2 [0123.857] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="58") returned 2 [0123.857] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="DB") returned 2 [0123.857] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="0B") returned 2 [0123.857] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="3E") returned 2 [0123.857] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="72") returned 2 [0123.857] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="2A") returned 2 [0123.857] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="F6") returned 2 [0123.857] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="E7") returned 2 [0123.857] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="D7") returned 2 [0123.857] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="71") returned 2 [0123.857] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="8E") returned 2 [0123.857] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="FB") returned 2 [0123.857] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="1E") returned 2 [0123.857] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="50") returned 2 [0123.857] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="F1") returned 2 [0123.857] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="DE") returned 2 [0123.858] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="91") returned 2 [0123.858] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="AF") returned 2 [0123.858] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="7D") returned 2 [0123.858] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="C3") returned 2 [0123.858] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="B3") returned 2 [0123.858] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="F4") returned 2 [0123.858] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="D0") returned 2 [0123.858] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="DD") returned 2 [0123.858] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="EA") returned 2 [0123.858] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="3F") returned 2 [0123.858] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="43") returned 2 [0123.858] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="8A") returned 2 [0123.858] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="11") returned 2 [0123.881] lstrcpyW (in: lpString1=0x3b480d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\messages.json" [0123.881] lstrcpyW (in: lpString1=0x3b380d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\messages.json" [0123.881] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\messages.json", lpString2=".5E304258DB0B3E722AF6E7D7718EFB1E50F1DE91AF7DC3B3F4D0DDEA3F438A11" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\messages.json.5E304258DB0B3E722AF6E7D7718EFB1E50F1DE91AF7DC3B3F4D0DDEA3F438A11") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\messages.json.5E304258DB0B3E722AF6E7D7718EFB1E50F1DE91AF7DC3B3F4D0DDEA3F438A11" [0123.881] CreateIoCompletionPort (FileHandle=0x1ac, ExistingCompletionPort=0x94, CompletionKey=0x3b380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0123.881] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b380a0, lpOverlapped=0x3b380a0) returned 1 [0123.882] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x834c7150, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834c9860, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83989580, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x55a3, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0123.882] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0123.882] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\PUSSY.TXT") returned 160 [0123.882] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0124.760] lstrlenA (lpString="abcd") returned 4 [0124.760] WriteFile (in: hFile=0x1bc, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0124.761] CloseHandle (hObject=0x1bc) returned 1 [0124.762] GetProcessHeap () returned 0x4c0000 [0124.762] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0124.765] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x834cbf70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834ce680, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x834ce680, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ko", cAlternateFileName="")) returned 1 [0124.765] lstrcmpiW (lpString1="ko", lpString2="Windows") returned -1 [0124.765] lstrcmpiW (lpString1="ko", lpString2="Program Files") returned -1 [0124.765] lstrcmpiW (lpString1="ko", lpString2="Program Files (x86)") returned -1 [0124.765] lstrcmpiW (lpString1="ko", lpString2="$Recycle.bin") returned 1 [0124.765] lstrcmpiW (lpString1="ko", lpString2="System Volume Information") returned -1 [0124.765] lstrcmpiW (lpString1="ko", lpString2=".") returned 1 [0124.765] lstrcmpiW (lpString1="ko", lpString2="..") returned 1 [0124.765] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko") returned 150 [0124.765] GetProcessHeap () returned 0x4c0000 [0124.765] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0124.766] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko" [0124.766] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\*" [0124.766] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x834cbf70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834ce680, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x834ce680, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0124.767] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0124.767] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0124.767] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0124.767] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0124.767] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0124.767] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0124.767] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x834cbf70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834ce680, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x834ce680, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0124.767] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0124.767] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0124.767] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0124.767] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0124.767] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0124.767] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0124.767] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0124.767] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x834ce680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834d0d90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83989580, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x403a, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0124.767] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0124.767] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0124.767] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0124.767] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0124.767] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0124.767] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0124.767] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0124.768] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\messages.json") returned 164 [0124.768] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0124.768] PathFindExtensionW (pszPath="messages.json") returned=".json" [0124.768] lstrlenW (lpString=".json") returned 5 [0124.768] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0124.768] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1e4 [0124.769] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=16442) returned 1 [0124.769] GetProcessHeap () returned 0x4c0000 [0124.769] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b600f0 [0124.783] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="65") returned 2 [0124.783] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="DE") returned 2 [0124.783] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="78") returned 2 [0124.783] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="45") returned 2 [0124.783] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="68") returned 2 [0124.783] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="CC") returned 2 [0124.784] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="01") returned 2 [0124.784] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="61") returned 2 [0124.784] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="0C") returned 2 [0124.784] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="FC") returned 2 [0124.784] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="E3") returned 2 [0124.784] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="3E") returned 2 [0124.784] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="9C") returned 2 [0124.784] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="D8") returned 2 [0124.784] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="03") returned 2 [0124.784] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="B8") returned 2 [0124.784] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="EF") returned 2 [0124.784] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="CA") returned 2 [0124.784] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="68") returned 2 [0124.784] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="43") returned 2 [0124.784] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="E6") returned 2 [0124.784] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="1D") returned 2 [0124.784] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="62") returned 2 [0124.784] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="FA") returned 2 [0124.784] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="E6") returned 2 [0124.784] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="88") returned 2 [0124.784] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="F2") returned 2 [0124.784] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="F5") returned 2 [0124.784] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="E5") returned 2 [0124.784] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="B2") returned 2 [0124.784] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="DC") returned 2 [0124.785] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="69") returned 2 [0124.796] lstrcpyW (in: lpString1=0x3b70124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\messages.json" [0124.797] lstrcpyW (in: lpString1=0x3b60124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\messages.json" [0124.797] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\messages.json", lpString2=".65DE784568CC01610CFCE33E9CD803B8EFCA6843E61D62FAE688F2F5E5B2DC69" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\messages.json.65DE784568CC01610CFCE33E9CD803B8EFCA6843E61D62FAE688F2F5E5B2DC69") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\messages.json.65DE784568CC01610CFCE33E9CD803B8EFCA6843E61D62FAE688F2F5E5B2DC69" [0124.797] CreateIoCompletionPort (FileHandle=0x1e4, ExistingCompletionPort=0x94, CompletionKey=0x3b600f0, NumberOfConcurrentThreads=0x0) returned 0x94 [0124.797] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b600f0, lpOverlapped=0x3b600f0) returned 1 [0124.797] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x834ce680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834d0d90, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83989580, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x403a, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0124.797] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0124.797] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\PUSSY.TXT") returned 160 [0124.797] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0124.861] lstrlenA (lpString="abcd") returned 4 [0124.861] WriteFile (in: hFile=0x1bc, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0124.862] CloseHandle (hObject=0x1bc) returned 1 [0124.862] GetProcessHeap () returned 0x4c0000 [0124.862] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0124.865] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x834d34a0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834d5bb0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x834d5bb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="lt", cAlternateFileName="")) returned 1 [0124.865] lstrcmpiW (lpString1="lt", lpString2="Windows") returned -1 [0124.865] lstrcmpiW (lpString1="lt", lpString2="Program Files") returned -1 [0124.865] lstrcmpiW (lpString1="lt", lpString2="Program Files (x86)") returned -1 [0124.865] lstrcmpiW (lpString1="lt", lpString2="$Recycle.bin") returned 1 [0124.865] lstrcmpiW (lpString1="lt", lpString2="System Volume Information") returned -1 [0124.865] lstrcmpiW (lpString1="lt", lpString2=".") returned 1 [0124.865] lstrcmpiW (lpString1="lt", lpString2="..") returned 1 [0124.865] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt") returned 150 [0124.865] GetProcessHeap () returned 0x4c0000 [0124.865] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0124.866] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt" [0124.866] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\*" [0124.866] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x834d34a0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834d5bb0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x834d5bb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0124.867] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0124.867] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0124.867] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0124.867] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0124.867] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0124.867] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0124.867] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x834d34a0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834d5bb0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x834d5bb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0124.867] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0124.867] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0124.867] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0124.867] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0124.867] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0124.867] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0124.867] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0124.867] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x834d5bb0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834d82c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8398bc90, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x416b, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0124.867] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0124.867] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0124.868] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0124.868] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0124.868] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0124.868] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0124.868] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0124.868] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\messages.json") returned 164 [0124.868] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0124.868] PathFindExtensionW (pszPath="messages.json") returned=".json" [0124.868] lstrlenW (lpString=".json") returned 5 [0124.868] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0124.868] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1cc [0124.869] GetFileSizeEx (in: hFile=0x1cc, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=16747) returned 1 [0124.870] GetProcessHeap () returned 0x4c0000 [0124.870] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c20058 [0124.885] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="F2") returned 2 [0124.885] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="1A") returned 2 [0124.885] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="CA") returned 2 [0124.885] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="67") returned 2 [0124.885] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="8D") returned 2 [0124.885] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="2E") returned 2 [0124.885] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="73") returned 2 [0124.885] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="FD") returned 2 [0124.885] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="57") returned 2 [0124.885] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="C8") returned 2 [0124.885] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="81") returned 2 [0124.885] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="62") returned 2 [0124.885] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="E9") returned 2 [0124.885] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="E8") returned 2 [0124.885] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="63") returned 2 [0124.885] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="D5") returned 2 [0124.885] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="11") returned 2 [0124.885] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="99") returned 2 [0124.885] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="F5") returned 2 [0124.886] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="34") returned 2 [0124.886] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="52") returned 2 [0124.886] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="16") returned 2 [0124.886] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="26") returned 2 [0124.886] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="62") returned 2 [0124.886] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="63") returned 2 [0124.886] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="CD") returned 2 [0124.886] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="63") returned 2 [0124.886] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="C2") returned 2 [0124.886] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="05") returned 2 [0124.886] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="51") returned 2 [0124.886] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="BC") returned 2 [0124.886] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="0E") returned 2 [0124.899] lstrcpyW (in: lpString1=0x3c3008c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\messages.json" [0124.899] lstrcpyW (in: lpString1=0x3c2008c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\messages.json" [0124.899] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\messages.json", lpString2=".F21ACA678D2E73FD57C88162E9E863D51199F5345216266263CD63C20551BC0E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\messages.json.F21ACA678D2E73FD57C88162E9E863D51199F5345216266263CD63C20551BC0E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\messages.json.F21ACA678D2E73FD57C88162E9E863D51199F5345216266263CD63C20551BC0E" [0124.899] CreateIoCompletionPort (FileHandle=0x1cc, ExistingCompletionPort=0x94, CompletionKey=0x3c20058, NumberOfConcurrentThreads=0x0) returned 0x94 [0124.899] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c20058, lpOverlapped=0x3c20058) returned 1 [0124.900] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x834d5bb0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834d82c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8398bc90, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x416b, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0124.900] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0124.900] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\PUSSY.TXT") returned 160 [0124.900] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0124.901] lstrlenA (lpString="abcd") returned 4 [0124.901] WriteFile (in: hFile=0x1bc, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0124.902] CloseHandle (hObject=0x1bc) returned 1 [0124.902] GetProcessHeap () returned 0x4c0000 [0124.902] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0124.902] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x834da9d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834dd0e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x834dd0e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="lv", cAlternateFileName="")) returned 1 [0124.902] lstrcmpiW (lpString1="lv", lpString2="Windows") returned -1 [0124.902] lstrcmpiW (lpString1="lv", lpString2="Program Files") returned -1 [0124.903] lstrcmpiW (lpString1="lv", lpString2="Program Files (x86)") returned -1 [0124.903] lstrcmpiW (lpString1="lv", lpString2="$Recycle.bin") returned 1 [0124.903] lstrcmpiW (lpString1="lv", lpString2="System Volume Information") returned -1 [0124.903] lstrcmpiW (lpString1="lv", lpString2=".") returned 1 [0124.903] lstrcmpiW (lpString1="lv", lpString2="..") returned 1 [0124.903] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv") returned 150 [0124.903] GetProcessHeap () returned 0x4c0000 [0124.903] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0124.903] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv" [0124.903] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\*" [0124.903] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x834da9d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834dd0e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x834dd0e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0124.903] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0124.903] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0124.903] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0124.904] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0124.904] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0124.904] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0124.904] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x834da9d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834dd0e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x834dd0e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0124.904] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0124.904] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0124.904] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0124.904] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0124.904] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0124.904] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0124.904] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0124.904] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x834dd0e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834df7f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8398bc90, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x41bf, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0124.904] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0124.904] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0124.904] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0124.904] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0124.904] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0124.904] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0124.904] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0124.904] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\messages.json") returned 164 [0124.904] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0124.905] PathFindExtensionW (pszPath="messages.json") returned=".json" [0124.905] lstrlenW (lpString=".json") returned 5 [0124.905] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0124.905] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x114 [0124.905] GetFileSizeEx (in: hFile=0x114, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=16831) returned 1 [0124.906] GetProcessHeap () returned 0x4c0000 [0124.906] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c480a8 [0124.917] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="46") returned 2 [0124.917] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="0D") returned 2 [0124.917] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="A4") returned 2 [0124.917] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="3E") returned 2 [0124.917] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="C3") returned 2 [0124.917] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="2B") returned 2 [0124.917] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="B6") returned 2 [0124.917] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="4C") returned 2 [0124.917] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="61") returned 2 [0124.917] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="C1") returned 2 [0124.917] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="EC") returned 2 [0124.918] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="59") returned 2 [0124.918] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="65") returned 2 [0124.918] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="90") returned 2 [0124.918] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="3D") returned 2 [0124.918] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="44") returned 2 [0124.918] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="78") returned 2 [0124.918] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="CF") returned 2 [0124.918] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="66") returned 2 [0124.918] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="11") returned 2 [0124.918] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="B8") returned 2 [0124.918] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="F3") returned 2 [0124.918] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="80") returned 2 [0124.918] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="CC") returned 2 [0124.918] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="02") returned 2 [0124.918] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="57") returned 2 [0124.918] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="88") returned 2 [0124.918] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="DA") returned 2 [0124.918] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="E8") returned 2 [0124.918] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="2C") returned 2 [0124.918] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="21") returned 2 [0124.918] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="56") returned 2 [0125.004] lstrcpyW (in: lpString1=0x3c580dc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\messages.json" [0125.004] lstrcpyW (in: lpString1=0x3c480dc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\messages.json" [0125.004] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\messages.json", lpString2=".460DA43EC32BB64C61C1EC5965903D4478CF6611B8F380CC025788DAE82C2156" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\messages.json.460DA43EC32BB64C61C1EC5965903D4478CF6611B8F380CC025788DAE82C2156") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\messages.json.460DA43EC32BB64C61C1EC5965903D4478CF6611B8F380CC025788DAE82C2156" [0125.004] CreateIoCompletionPort (FileHandle=0x114, ExistingCompletionPort=0x94, CompletionKey=0x3c480a8, NumberOfConcurrentThreads=0x0) returned 0x94 [0125.004] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c480a8, lpOverlapped=0x3c480a8) returned 1 [0125.004] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x834dd0e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834df7f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8398bc90, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x41bf, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0125.004] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0125.029] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\PUSSY.TXT") returned 160 [0125.029] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0125.030] lstrlenA (lpString="abcd") returned 4 [0125.030] WriteFile (in: hFile=0x1bc, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0125.031] CloseHandle (hObject=0x1bc) returned 1 [0125.031] GetProcessHeap () returned 0x4c0000 [0125.031] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0125.035] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x834e9430, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834ebb40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x834ebb40, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ml", cAlternateFileName="")) returned 1 [0125.035] lstrcmpiW (lpString1="ml", lpString2="Windows") returned -1 [0125.035] lstrcmpiW (lpString1="ml", lpString2="Program Files") returned -1 [0125.035] lstrcmpiW (lpString1="ml", lpString2="Program Files (x86)") returned -1 [0125.035] lstrcmpiW (lpString1="ml", lpString2="$Recycle.bin") returned 1 [0125.036] lstrcmpiW (lpString1="ml", lpString2="System Volume Information") returned -1 [0125.038] lstrcmpiW (lpString1="ml", lpString2=".") returned 1 [0125.038] lstrcmpiW (lpString1="ml", lpString2="..") returned 1 [0125.038] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml") returned 150 [0125.038] GetProcessHeap () returned 0x4c0000 [0125.038] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0125.039] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml" [0125.039] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\*" [0125.039] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x834e9430, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834ebb40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x834ebb40, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0125.040] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0125.040] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0125.040] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0125.040] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0125.040] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0125.040] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0125.040] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x834e9430, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834ebb40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x834ebb40, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0125.040] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0125.040] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0125.040] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0125.040] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0125.040] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0125.040] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0125.040] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0125.040] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x834ebb40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834ebb40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8398bc90, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x583f, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0125.041] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0125.041] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0125.041] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0125.041] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0125.041] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0125.041] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0125.041] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0125.041] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\messages.json") returned 164 [0125.041] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0125.041] PathFindExtensionW (pszPath="messages.json") returned=".json" [0125.041] lstrlenW (lpString=".json") returned 5 [0125.041] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0125.041] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1bc [0125.043] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=22591) returned 1 [0125.043] GetProcessHeap () returned 0x4c0000 [0125.043] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c480a8 [0125.055] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="22") returned 2 [0125.055] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="A5") returned 2 [0125.055] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="48") returned 2 [0125.055] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="86") returned 2 [0125.055] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="B0") returned 2 [0125.055] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="76") returned 2 [0125.055] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="92") returned 2 [0125.056] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="5A") returned 2 [0125.056] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="DF") returned 2 [0125.056] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="21") returned 2 [0125.056] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="E1") returned 2 [0125.056] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="69") returned 2 [0125.056] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="05") returned 2 [0125.056] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="19") returned 2 [0125.056] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="FB") returned 2 [0125.056] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="C9") returned 2 [0125.056] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="62") returned 2 [0125.056] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="22") returned 2 [0125.056] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="BA") returned 2 [0125.056] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="35") returned 2 [0125.056] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="D5") returned 2 [0125.056] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="AF") returned 2 [0125.056] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="1D") returned 2 [0125.056] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="FC") returned 2 [0125.056] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="E5") returned 2 [0125.056] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="09") returned 2 [0125.056] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="31") returned 2 [0125.056] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="59") returned 2 [0125.056] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="54") returned 2 [0125.057] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="CD") returned 2 [0125.057] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="24") returned 2 [0125.057] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="29") returned 2 [0125.069] lstrcpyW (in: lpString1=0x3c580dc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\messages.json" [0125.070] lstrcpyW (in: lpString1=0x3c480dc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\messages.json" [0125.070] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\messages.json", lpString2=".22A54886B076925ADF21E1690519FBC96222BA35D5AF1DFCE509315954CD2429" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\messages.json.22A54886B076925ADF21E1690519FBC96222BA35D5AF1DFCE509315954CD2429") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\messages.json.22A54886B076925ADF21E1690519FBC96222BA35D5AF1DFCE509315954CD2429" [0125.070] CreateIoCompletionPort (FileHandle=0x1bc, ExistingCompletionPort=0x94, CompletionKey=0x3c480a8, NumberOfConcurrentThreads=0x0) returned 0x94 [0125.070] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c480a8, lpOverlapped=0x3c480a8) returned 1 [0125.070] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x834ebb40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834ebb40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8398bc90, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x583f, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0125.070] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0125.070] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\PUSSY.TXT") returned 160 [0125.070] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x114 [0125.071] lstrlenA (lpString="abcd") returned 4 [0125.071] WriteFile (in: hFile=0x114, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0125.072] CloseHandle (hObject=0x114) returned 1 [0125.072] GetProcessHeap () returned 0x4c0000 [0125.072] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0125.072] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x834f0960, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834f3070, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x834f3070, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="mr", cAlternateFileName="")) returned 1 [0125.072] lstrcmpiW (lpString1="mr", lpString2="Windows") returned -1 [0125.073] lstrcmpiW (lpString1="mr", lpString2="Program Files") returned -1 [0125.073] lstrcmpiW (lpString1="mr", lpString2="Program Files (x86)") returned -1 [0125.073] lstrcmpiW (lpString1="mr", lpString2="$Recycle.bin") returned 1 [0125.073] lstrcmpiW (lpString1="mr", lpString2="System Volume Information") returned -1 [0125.073] lstrcmpiW (lpString1="mr", lpString2=".") returned 1 [0125.073] lstrcmpiW (lpString1="mr", lpString2="..") returned 1 [0125.073] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr") returned 150 [0125.073] GetProcessHeap () returned 0x4c0000 [0125.073] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0125.073] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr" [0125.073] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\*" [0125.073] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x834f0960, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834f3070, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x834f3070, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0125.073] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0125.073] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0125.073] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0125.074] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0125.074] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0125.074] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0125.074] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x834f0960, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834f3070, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x834f3070, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0125.074] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0125.074] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0125.074] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0125.074] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0125.074] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0125.074] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0125.074] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0125.074] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x834f3070, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834f3070, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8398bc90, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x5224, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0125.074] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0125.074] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0125.074] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0125.074] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0125.074] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0125.074] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0125.074] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0125.074] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\messages.json") returned 164 [0125.074] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0125.074] PathFindExtensionW (pszPath="messages.json") returned=".json" [0125.074] lstrlenW (lpString=".json") returned 5 [0125.074] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0125.075] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1e4 [0125.075] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=21028) returned 1 [0125.075] GetProcessHeap () returned 0x4c0000 [0125.075] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c720f8 [0125.090] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="2B") returned 2 [0125.090] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="CB") returned 2 [0125.090] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="16") returned 2 [0125.090] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="79") returned 2 [0125.090] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="37") returned 2 [0125.090] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="0B") returned 2 [0125.090] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="24") returned 2 [0125.090] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="6C") returned 2 [0125.090] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="FC") returned 2 [0125.090] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="5B") returned 2 [0125.090] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="56") returned 2 [0125.090] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="7B") returned 2 [0125.090] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="ED") returned 2 [0125.090] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="2D") returned 2 [0125.090] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="F3") returned 2 [0125.090] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="B8") returned 2 [0125.090] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="A7") returned 2 [0125.090] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="9A") returned 2 [0125.090] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="DD") returned 2 [0125.090] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="B6") returned 2 [0125.090] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="17") returned 2 [0125.090] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="27") returned 2 [0125.091] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="6F") returned 2 [0125.091] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="83") returned 2 [0125.091] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="74") returned 2 [0125.091] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="55") returned 2 [0125.091] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="52") returned 2 [0125.091] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="FF") returned 2 [0125.091] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="40") returned 2 [0125.091] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="C3") returned 2 [0125.091] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="3A") returned 2 [0125.091] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="46") returned 2 [0125.103] lstrcpyW (in: lpString1=0x3c8212c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\messages.json" [0125.103] lstrcpyW (in: lpString1=0x3c7212c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\messages.json" [0125.103] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\messages.json", lpString2=".2BCB1679370B246CFC5B567BED2DF3B8A79ADDB617276F83745552FF40C33A46" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\messages.json.2BCB1679370B246CFC5B567BED2DF3B8A79ADDB617276F83745552FF40C33A46") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\messages.json.2BCB1679370B246CFC5B567BED2DF3B8A79ADDB617276F83745552FF40C33A46" [0125.103] CreateIoCompletionPort (FileHandle=0x1e4, ExistingCompletionPort=0x94, CompletionKey=0x3c720f8, NumberOfConcurrentThreads=0x0) returned 0x94 [0125.104] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c720f8, lpOverlapped=0x3c720f8) returned 1 [0125.104] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x834f3070, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834f3070, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8398bc90, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x5224, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0125.104] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0125.104] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\PUSSY.TXT") returned 160 [0125.104] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x114 [0125.105] lstrlenA (lpString="abcd") returned 4 [0125.105] WriteFile (in: hFile=0x114, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0125.106] CloseHandle (hObject=0x114) returned 1 [0125.106] GetProcessHeap () returned 0x4c0000 [0125.106] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0125.106] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x834fccb0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834ff3c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x834ff3c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ms", cAlternateFileName="")) returned 1 [0125.106] lstrcmpiW (lpString1="ms", lpString2="Windows") returned -1 [0125.106] lstrcmpiW (lpString1="ms", lpString2="Program Files") returned -1 [0125.107] lstrcmpiW (lpString1="ms", lpString2="Program Files (x86)") returned -1 [0125.107] lstrcmpiW (lpString1="ms", lpString2="$Recycle.bin") returned 1 [0125.107] lstrcmpiW (lpString1="ms", lpString2="System Volume Information") returned -1 [0125.107] lstrcmpiW (lpString1="ms", lpString2=".") returned 1 [0125.107] lstrcmpiW (lpString1="ms", lpString2="..") returned 1 [0125.107] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms") returned 150 [0125.107] GetProcessHeap () returned 0x4c0000 [0125.107] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0125.107] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms" [0125.107] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\*" [0125.107] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x834fccb0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834ff3c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x834ff3c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0125.107] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0125.107] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0125.107] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0125.107] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0125.107] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0125.108] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0125.108] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x834fccb0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834ff3c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x834ff3c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0125.108] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0125.108] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0125.108] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0125.108] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0125.108] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0125.108] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0125.108] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0125.108] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x834ff3c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834ff3c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8398e3a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x3f8b, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0125.108] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0125.108] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0125.108] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0125.108] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0125.108] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0125.108] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0125.108] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0125.108] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\messages.json") returned 164 [0125.108] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0125.108] PathFindExtensionW (pszPath="messages.json") returned=".json" [0125.108] lstrlenW (lpString=".json") returned 5 [0125.108] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0125.108] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0125.171] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=16267) returned 1 [0125.171] GetProcessHeap () returned 0x4c0000 [0125.172] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c9a148 [0125.185] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="7B") returned 2 [0125.185] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="AF") returned 2 [0125.185] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="6E") returned 2 [0125.185] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="4A") returned 2 [0125.185] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="91") returned 2 [0125.185] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="B0") returned 2 [0125.185] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="6D") returned 2 [0125.185] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="89") returned 2 [0125.185] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="5A") returned 2 [0125.185] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="E9") returned 2 [0125.185] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="A3") returned 2 [0125.186] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="F3") returned 2 [0125.186] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="07") returned 2 [0125.186] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="65") returned 2 [0125.186] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="91") returned 2 [0125.186] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="95") returned 2 [0125.186] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="66") returned 2 [0125.186] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="A6") returned 2 [0125.186] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="37") returned 2 [0125.186] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="B8") returned 2 [0125.186] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="3F") returned 2 [0125.186] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="8D") returned 2 [0125.186] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="57") returned 2 [0125.186] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="E0") returned 2 [0125.186] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="D8") returned 2 [0125.186] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="07") returned 2 [0125.186] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="F7") returned 2 [0125.186] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="7A") returned 2 [0125.186] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="1B") returned 2 [0125.186] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="6B") returned 2 [0125.186] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="7C") returned 2 [0125.186] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="5C") returned 2 [0125.213] lstrcpyW (in: lpString1=0x3caa17c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\messages.json" [0125.214] lstrcpyW (in: lpString1=0x3c9a17c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\messages.json" [0125.214] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\messages.json", lpString2=".7BAF6E4A91B06D895AE9A3F30765919566A637B83F8D57E0D807F77A1B6B7C5C" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\messages.json.7BAF6E4A91B06D895AE9A3F30765919566A637B83F8D57E0D807F77A1B6B7C5C") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\messages.json.7BAF6E4A91B06D895AE9A3F30765919566A637B83F8D57E0D807F77A1B6B7C5C" [0125.214] CreateIoCompletionPort (FileHandle=0x1ac, ExistingCompletionPort=0x94, CompletionKey=0x3c9a148, NumberOfConcurrentThreads=0x0) returned 0x94 [0125.214] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c9a148, lpOverlapped=0x3c9a148) returned 1 [0125.214] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x834ff3c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x834ff3c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8398e3a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x3f8b, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0125.214] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0125.215] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\PUSSY.TXT") returned 160 [0125.215] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x114 [0125.637] lstrlenA (lpString="abcd") returned 4 [0125.637] WriteFile (in: hFile=0x114, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0125.638] CloseHandle (hObject=0x114) returned 1 [0125.638] GetProcessHeap () returned 0x4c0000 [0125.638] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0125.638] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x835041e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835068f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x835068f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="nb", cAlternateFileName="")) returned 1 [0125.638] lstrcmpiW (lpString1="nb", lpString2="Windows") returned -1 [0125.638] lstrcmpiW (lpString1="nb", lpString2="Program Files") returned -1 [0125.638] lstrcmpiW (lpString1="nb", lpString2="Program Files (x86)") returned -1 [0125.638] lstrcmpiW (lpString1="nb", lpString2="$Recycle.bin") returned 1 [0125.638] lstrcmpiW (lpString1="nb", lpString2="System Volume Information") returned -1 [0125.638] lstrcmpiW (lpString1="nb", lpString2=".") returned 1 [0125.638] lstrcmpiW (lpString1="nb", lpString2="..") returned 1 [0125.638] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb") returned 150 [0125.638] GetProcessHeap () returned 0x4c0000 [0125.638] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0125.638] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb" [0125.638] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\*" [0125.638] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x835041e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835068f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x835068f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0125.639] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0125.639] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0125.639] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0125.639] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0125.639] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0125.639] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0125.639] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x835041e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835068f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x835068f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0125.639] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0125.639] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0125.639] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0125.639] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0125.639] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0125.639] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0125.639] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0125.639] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x835068f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835068f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8398e3a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x3ebc, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0125.639] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0125.639] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0125.639] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0125.639] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0125.639] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0125.639] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0125.639] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0125.640] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\messages.json") returned 164 [0125.640] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0125.640] PathFindExtensionW (pszPath="messages.json") returned=".json" [0125.640] lstrlenW (lpString=".json") returned 5 [0125.640] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0125.640] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1cc [0125.640] GetFileSizeEx (in: hFile=0x1cc, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=16060) returned 1 [0125.641] GetProcessHeap () returned 0x4c0000 [0125.641] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x53caf0 [0125.651] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="07") returned 2 [0125.651] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="20") returned 2 [0125.651] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="7A") returned 2 [0125.651] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="34") returned 2 [0125.651] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="2F") returned 2 [0125.651] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="67") returned 2 [0125.651] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="60") returned 2 [0125.651] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="0B") returned 2 [0125.651] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="64") returned 2 [0125.651] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="DE") returned 2 [0125.651] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="AC") returned 2 [0125.651] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="BB") returned 2 [0125.651] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="CD") returned 2 [0125.651] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="BA") returned 2 [0125.651] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="67") returned 2 [0125.651] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="CC") returned 2 [0125.651] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="83") returned 2 [0125.651] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="29") returned 2 [0125.652] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="39") returned 2 [0125.652] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="CF") returned 2 [0125.652] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="C7") returned 2 [0125.652] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="96") returned 2 [0125.652] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="1C") returned 2 [0125.652] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="71") returned 2 [0125.652] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="32") returned 2 [0125.652] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="C8") returned 2 [0125.652] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="E9") returned 2 [0125.652] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="AA") returned 2 [0125.652] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="D2") returned 2 [0125.652] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="A3") returned 2 [0125.652] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="4D") returned 2 [0125.652] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="6D") returned 2 [0125.660] lstrcpyW (in: lpString1=0x54cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\messages.json" [0125.660] lstrcpyW (in: lpString1=0x53cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\messages.json" [0125.661] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\messages.json", lpString2=".07207A342F67600B64DEACBBCDBA67CC832939CFC7961C7132C8E9AAD2A34D6D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\messages.json.07207A342F67600B64DEACBBCDBA67CC832939CFC7961C7132C8E9AAD2A34D6D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\messages.json.07207A342F67600B64DEACBBCDBA67CC832939CFC7961C7132C8E9AAD2A34D6D" [0125.661] CreateIoCompletionPort (FileHandle=0x1cc, ExistingCompletionPort=0x94, CompletionKey=0x53caf0, NumberOfConcurrentThreads=0x0) returned 0x94 [0125.661] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x53caf0, lpOverlapped=0x53caf0) returned 1 [0125.661] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x835068f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835068f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8398e3a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x3ebc, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0125.661] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0125.661] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\PUSSY.TXT") returned 160 [0125.661] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x114 [0125.662] lstrlenA (lpString="abcd") returned 4 [0125.662] WriteFile (in: hFile=0x114, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0125.663] CloseHandle (hObject=0x114) returned 1 [0125.663] GetProcessHeap () returned 0x4c0000 [0125.663] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0125.663] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x835794e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8357bbf0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8357bbf0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="nl", cAlternateFileName="")) returned 1 [0125.663] lstrcmpiW (lpString1="nl", lpString2="Windows") returned -1 [0125.663] lstrcmpiW (lpString1="nl", lpString2="Program Files") returned -1 [0125.663] lstrcmpiW (lpString1="nl", lpString2="Program Files (x86)") returned -1 [0125.663] lstrcmpiW (lpString1="nl", lpString2="$Recycle.bin") returned 1 [0125.663] lstrcmpiW (lpString1="nl", lpString2="System Volume Information") returned -1 [0125.663] lstrcmpiW (lpString1="nl", lpString2=".") returned 1 [0125.663] lstrcmpiW (lpString1="nl", lpString2="..") returned 1 [0125.663] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl") returned 150 [0125.663] GetProcessHeap () returned 0x4c0000 [0125.663] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0125.663] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl" [0125.663] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\*" [0125.663] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x835794e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8357bbf0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8357bbf0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0125.664] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0125.664] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0125.664] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0125.664] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0125.664] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0125.664] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0125.664] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x835794e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8357bbf0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8357bbf0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0125.664] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0125.664] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0125.664] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0125.664] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0125.664] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0125.664] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0125.664] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0125.664] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8357bbf0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8357bbf0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8398e3a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x3f45, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0125.664] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0125.664] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0125.665] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0125.665] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0125.665] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0125.665] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0125.665] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0125.665] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\messages.json") returned 164 [0125.665] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0125.665] PathFindExtensionW (pszPath="messages.json") returned=".json" [0125.665] lstrlenW (lpString=".json") returned 5 [0125.665] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0125.665] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a0 [0125.666] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=16197) returned 1 [0125.666] GetProcessHeap () returned 0x4c0000 [0125.666] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x564b40 [0125.675] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="37") returned 2 [0125.675] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="D1") returned 2 [0125.675] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="15") returned 2 [0125.675] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="5F") returned 2 [0125.675] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="9D") returned 2 [0125.675] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="D3") returned 2 [0125.676] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="5A") returned 2 [0125.676] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="08") returned 2 [0125.676] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="EB") returned 2 [0125.676] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="9F") returned 2 [0125.676] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="7A") returned 2 [0125.676] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="48") returned 2 [0125.676] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="68") returned 2 [0125.676] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="24") returned 2 [0125.676] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="74") returned 2 [0125.676] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="12") returned 2 [0125.676] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="F5") returned 2 [0125.676] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="86") returned 2 [0125.676] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="E4") returned 2 [0125.676] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="6C") returned 2 [0125.676] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="CD") returned 2 [0125.676] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="0A") returned 2 [0125.676] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="A5") returned 2 [0125.676] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="AD") returned 2 [0125.676] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="9B") returned 2 [0125.676] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="8C") returned 2 [0125.676] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="E9") returned 2 [0125.676] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="92") returned 2 [0125.676] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="E6") returned 2 [0125.677] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="55") returned 2 [0125.677] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="F9") returned 2 [0125.677] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="4A") returned 2 [0125.685] lstrcpyW (in: lpString1=0x574b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\messages.json" [0125.685] lstrcpyW (in: lpString1=0x564b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\messages.json" [0125.690] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\messages.json", lpString2=".37D1155F9DD35A08EB9F7A4868247412F586E46CCD0AA5AD9B8CE992E655F94A" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\messages.json.37D1155F9DD35A08EB9F7A4868247412F586E46CCD0AA5AD9B8CE992E655F94A") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\messages.json.37D1155F9DD35A08EB9F7A4868247412F586E46CCD0AA5AD9B8CE992E655F94A" [0125.690] CreateIoCompletionPort (FileHandle=0x1a0, ExistingCompletionPort=0x94, CompletionKey=0x564b40, NumberOfConcurrentThreads=0x0) returned 0x94 [0125.691] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x564b40, lpOverlapped=0x564b40) returned 1 [0125.691] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8357bbf0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8357bbf0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8398e3a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x3f45, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0125.691] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0125.692] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\PUSSY.TXT") returned 160 [0125.692] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x114 [0125.695] lstrlenA (lpString="abcd") returned 4 [0125.695] WriteFile (in: hFile=0x114, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0125.696] CloseHandle (hObject=0x114) returned 1 [0125.696] GetProcessHeap () returned 0x4c0000 [0125.696] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0125.696] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x83580a10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83583120, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83583120, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="pl", cAlternateFileName="")) returned 1 [0125.696] lstrcmpiW (lpString1="pl", lpString2="Windows") returned -1 [0125.697] lstrcmpiW (lpString1="pl", lpString2="Program Files") returned -1 [0125.697] lstrcmpiW (lpString1="pl", lpString2="Program Files (x86)") returned -1 [0125.697] lstrcmpiW (lpString1="pl", lpString2="$Recycle.bin") returned 1 [0125.697] lstrcmpiW (lpString1="pl", lpString2="System Volume Information") returned -1 [0125.697] lstrcmpiW (lpString1="pl", lpString2=".") returned 1 [0125.697] lstrcmpiW (lpString1="pl", lpString2="..") returned 1 [0125.697] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl") returned 150 [0125.697] GetProcessHeap () returned 0x4c0000 [0125.697] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0125.697] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl" [0125.697] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\*" [0125.697] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x83580a10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83583120, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83583120, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0125.698] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0125.698] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0125.698] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0125.698] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0125.698] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0125.698] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0125.698] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x83580a10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83583120, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83583120, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0125.698] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0125.698] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0125.698] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0125.698] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0125.698] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0125.698] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0125.698] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0125.698] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x83583120, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83583120, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8398e3a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x3fd7, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0125.698] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0125.698] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0125.698] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0125.698] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0125.698] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0125.698] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0125.698] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0125.698] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\messages.json") returned 164 [0125.698] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0125.698] PathFindExtensionW (pszPath="messages.json") returned=".json" [0125.698] lstrlenW (lpString=".json") returned 5 [0125.698] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0125.699] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d4 [0125.699] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=16343) returned 1 [0125.699] GetProcessHeap () returned 0x4c0000 [0125.699] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b380a0 [0125.710] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="17") returned 2 [0125.710] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="BA") returned 2 [0125.710] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="42") returned 2 [0125.710] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="60") returned 2 [0125.710] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="02") returned 2 [0125.710] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="65") returned 2 [0125.711] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="89") returned 2 [0125.711] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="80") returned 2 [0125.711] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="D4") returned 2 [0125.711] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="40") returned 2 [0125.711] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="BB") returned 2 [0125.711] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="76") returned 2 [0125.711] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="C5") returned 2 [0125.711] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="F9") returned 2 [0125.711] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="53") returned 2 [0125.711] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="BE") returned 2 [0125.711] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="EC") returned 2 [0125.711] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="72") returned 2 [0125.711] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="AF") returned 2 [0125.711] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="CE") returned 2 [0125.711] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="C5") returned 2 [0125.711] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="45") returned 2 [0125.711] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="FE") returned 2 [0125.711] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="AD") returned 2 [0125.711] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="47") returned 2 [0125.711] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="8B") returned 2 [0125.711] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="E1") returned 2 [0125.711] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="D9") returned 2 [0125.711] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="BD") returned 2 [0125.711] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="C6") returned 2 [0125.711] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="EF") returned 2 [0125.711] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="1C") returned 2 [0125.720] lstrcpyW (in: lpString1=0x3b480d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\messages.json" [0125.720] lstrcpyW (in: lpString1=0x3b380d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\messages.json" [0125.720] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\messages.json", lpString2=".17BA426002658980D440BB76C5F953BEEC72AFCEC545FEAD478BE1D9BDC6EF1C" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\messages.json.17BA426002658980D440BB76C5F953BEEC72AFCEC545FEAD478BE1D9BDC6EF1C") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\messages.json.17BA426002658980D440BB76C5F953BEEC72AFCEC545FEAD478BE1D9BDC6EF1C" [0125.720] CreateIoCompletionPort (FileHandle=0x1d4, ExistingCompletionPort=0x94, CompletionKey=0x3b380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0125.720] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b380a0, lpOverlapped=0x3b380a0) returned 1 [0125.720] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x83583120, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83583120, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8398e3a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x3fd7, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0125.720] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0125.720] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\PUSSY.TXT") returned 160 [0125.720] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x114 [0125.721] lstrlenA (lpString="abcd") returned 4 [0125.721] WriteFile (in: hFile=0x114, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0125.722] CloseHandle (hObject=0x114) returned 1 [0125.723] GetProcessHeap () returned 0x4c0000 [0125.723] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0125.723] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8358f470, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8359b7c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8359b7c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="pt", cAlternateFileName="")) returned 1 [0125.723] lstrcmpiW (lpString1="pt", lpString2="Windows") returned -1 [0125.723] lstrcmpiW (lpString1="pt", lpString2="Program Files") returned 1 [0125.723] lstrcmpiW (lpString1="pt", lpString2="Program Files (x86)") returned 1 [0125.723] lstrcmpiW (lpString1="pt", lpString2="$Recycle.bin") returned 1 [0125.723] lstrcmpiW (lpString1="pt", lpString2="System Volume Information") returned -1 [0125.723] lstrcmpiW (lpString1="pt", lpString2=".") returned 1 [0125.723] lstrcmpiW (lpString1="pt", lpString2="..") returned 1 [0125.723] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt") returned 150 [0125.723] GetProcessHeap () returned 0x4c0000 [0125.723] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0125.723] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt" [0125.723] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\*" [0125.723] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8358f470, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8359b7c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8359b7c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0125.724] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0125.724] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0125.724] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0125.724] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0125.724] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0125.724] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0125.724] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8358f470, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8359b7c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8359b7c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0125.724] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0125.724] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0125.724] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0125.724] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0125.724] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0125.724] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0125.724] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0125.724] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8359b7c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8359ded0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83990ab0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x3fdc, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0125.724] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0125.724] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0125.724] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0125.724] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0125.724] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0125.724] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0125.724] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0125.724] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\messages.json") returned 164 [0125.724] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0125.724] PathFindExtensionW (pszPath="messages.json") returned=".json" [0125.725] lstrlenW (lpString=".json") returned 5 [0125.725] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0125.725] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1dc [0125.727] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=16348) returned 1 [0125.727] GetProcessHeap () returned 0x4c0000 [0125.727] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b600f0 [0125.838] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="72") returned 2 [0125.838] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="13") returned 2 [0125.838] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="00") returned 2 [0125.838] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="B6") returned 2 [0125.838] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="E0") returned 2 [0125.838] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="77") returned 2 [0125.838] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="B9") returned 2 [0125.838] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="2A") returned 2 [0125.838] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="94") returned 2 [0125.838] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="4C") returned 2 [0125.838] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="39") returned 2 [0125.838] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="FA") returned 2 [0125.838] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="33") returned 2 [0125.838] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="3D") returned 2 [0125.838] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="27") returned 2 [0125.839] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="35") returned 2 [0125.839] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="EA") returned 2 [0125.839] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="3D") returned 2 [0125.839] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="C6") returned 2 [0125.839] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="A5") returned 2 [0125.839] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="43") returned 2 [0125.839] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="77") returned 2 [0125.839] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="78") returned 2 [0125.839] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="6B") returned 2 [0125.839] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="22") returned 2 [0125.839] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="4F") returned 2 [0125.839] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="B4") returned 2 [0125.839] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="8C") returned 2 [0125.839] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="68") returned 2 [0125.839] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="E3") returned 2 [0125.839] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="40") returned 2 [0125.839] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="02") returned 2 [0125.852] lstrcpyW (in: lpString1=0x3b70124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\messages.json" [0125.852] lstrcpyW (in: lpString1=0x3b60124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\messages.json" [0125.852] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\messages.json", lpString2=".721300B6E077B92A944C39FA333D2735EA3DC6A54377786B224FB48C68E34002" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\messages.json.721300B6E077B92A944C39FA333D2735EA3DC6A54377786B224FB48C68E34002") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\messages.json.721300B6E077B92A944C39FA333D2735EA3DC6A54377786B224FB48C68E34002" [0125.852] CreateIoCompletionPort (FileHandle=0x1dc, ExistingCompletionPort=0x94, CompletionKey=0x3b600f0, NumberOfConcurrentThreads=0x0) returned 0x94 [0125.852] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b600f0, lpOverlapped=0x3b600f0) returned 1 [0125.875] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8359b7c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8359ded0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83990ab0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x3fdc, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0125.875] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0125.875] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\PUSSY.TXT") returned 160 [0125.875] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x114 [0125.876] lstrlenA (lpString="abcd") returned 4 [0125.876] WriteFile (in: hFile=0x114, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0125.877] CloseHandle (hObject=0x114) returned 1 [0125.878] GetProcessHeap () returned 0x4c0000 [0125.878] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0125.878] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x835969a0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835a05e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x835a05e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="pt_BR", cAlternateFileName="")) returned 1 [0125.878] lstrcmpiW (lpString1="pt_BR", lpString2="Windows") returned -1 [0125.878] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files") returned 1 [0125.878] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files (x86)") returned 1 [0125.878] lstrcmpiW (lpString1="pt_BR", lpString2="$Recycle.bin") returned 1 [0125.878] lstrcmpiW (lpString1="pt_BR", lpString2="System Volume Information") returned -1 [0125.878] lstrcmpiW (lpString1="pt_BR", lpString2=".") returned 1 [0125.878] lstrcmpiW (lpString1="pt_BR", lpString2="..") returned 1 [0125.878] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR") returned 153 [0125.878] GetProcessHeap () returned 0x4c0000 [0125.878] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0125.878] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR" [0125.879] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\*" [0125.879] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x835969a0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835a05e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x835a05e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0125.879] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0125.879] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0125.879] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0125.879] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0125.879] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0125.879] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0125.879] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x835969a0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835a05e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x835a05e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0125.879] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0125.879] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0125.879] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0125.879] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0125.879] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0125.880] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0125.880] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0125.880] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x835a05e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835a05e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83990ab0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x3fdc, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0125.880] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0125.880] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0125.880] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0125.880] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0125.880] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0125.880] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0125.880] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0125.880] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\messages.json") returned 167 [0125.880] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0125.880] PathFindExtensionW (pszPath="messages.json") returned=".json" [0125.880] lstrlenW (lpString=".json") returned 5 [0125.880] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0125.880] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_br\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1e4 [0125.881] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=16348) returned 1 [0125.881] GetProcessHeap () returned 0x4c0000 [0125.881] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c720f8 [0125.917] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="0F") returned 2 [0125.917] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="BA") returned 2 [0125.917] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="B7") returned 2 [0125.917] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="1F") returned 2 [0125.918] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="3A") returned 2 [0125.918] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="09") returned 2 [0125.918] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="B7") returned 2 [0125.918] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="40") returned 2 [0125.918] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="E7") returned 2 [0125.918] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="FD") returned 2 [0125.918] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="EB") returned 2 [0125.918] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="B9") returned 2 [0125.918] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="65") returned 2 [0125.918] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="E5") returned 2 [0125.918] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="9F") returned 2 [0125.918] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="F2") returned 2 [0125.918] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="60") returned 2 [0125.918] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="B2") returned 2 [0125.918] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="0A") returned 2 [0125.918] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="66") returned 2 [0125.918] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="5A") returned 2 [0125.918] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="91") returned 2 [0125.918] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="C2") returned 2 [0125.918] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="40") returned 2 [0125.918] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="87") returned 2 [0125.918] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="54") returned 2 [0125.918] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="25") returned 2 [0125.918] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="9F") returned 2 [0125.919] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="76") returned 2 [0125.919] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="93") returned 2 [0125.919] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="32") returned 2 [0125.919] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="38") returned 2 [0125.931] lstrcpyW (in: lpString1=0x3c8212c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\messages.json" [0125.931] lstrcpyW (in: lpString1=0x3c7212c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\messages.json" [0125.931] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\messages.json", lpString2=".0FBAB71F3A09B740E7FDEBB965E59FF260B20A665A91C2408754259F76933238" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\messages.json.0FBAB71F3A09B740E7FDEBB965E59FF260B20A665A91C2408754259F76933238") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\messages.json.0FBAB71F3A09B740E7FDEBB965E59FF260B20A665A91C2408754259F76933238" [0125.931] CreateIoCompletionPort (FileHandle=0x1e4, ExistingCompletionPort=0x94, CompletionKey=0x3c720f8, NumberOfConcurrentThreads=0x0) returned 0x94 [0125.931] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c720f8, lpOverlapped=0x3c720f8) returned 1 [0125.953] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x835a05e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835a05e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83990ab0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x3fdc, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0125.953] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0125.953] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\PUSSY.TXT") returned 163 [0125.954] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_br\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x114 [0125.955] lstrlenA (lpString="abcd") returned 4 [0125.955] WriteFile (in: hFile=0x114, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0125.956] CloseHandle (hObject=0x114) returned 1 [0125.956] GetProcessHeap () returned 0x4c0000 [0125.956] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0125.956] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x835990b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835a5400, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x835a5400, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="pt_PT", cAlternateFileName="")) returned 1 [0125.956] lstrcmpiW (lpString1="pt_PT", lpString2="Windows") returned -1 [0125.956] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files") returned 1 [0125.956] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files (x86)") returned 1 [0125.956] lstrcmpiW (lpString1="pt_PT", lpString2="$Recycle.bin") returned 1 [0125.956] lstrcmpiW (lpString1="pt_PT", lpString2="System Volume Information") returned -1 [0125.956] lstrcmpiW (lpString1="pt_PT", lpString2=".") returned 1 [0125.956] lstrcmpiW (lpString1="pt_PT", lpString2="..") returned 1 [0125.956] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT") returned 153 [0125.956] GetProcessHeap () returned 0x4c0000 [0125.956] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0125.957] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT" [0125.957] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\*" [0125.957] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x835990b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835a5400, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x835a5400, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0125.957] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0125.957] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0125.957] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0125.957] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0125.957] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0125.957] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0125.957] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x835990b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835a5400, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x835a5400, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0125.957] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0125.957] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0125.957] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0125.957] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0125.958] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0125.958] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0125.958] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0125.958] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x835a5400, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835a5400, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83990ab0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x3fdc, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0125.958] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0125.958] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0125.958] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0125.958] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0125.958] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0125.958] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0125.958] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0125.958] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\messages.json") returned 167 [0125.958] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0125.958] PathFindExtensionW (pszPath="messages.json") returned=".json" [0125.958] lstrlenW (lpString=".json") returned 5 [0125.958] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0125.958] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_pt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1bc [0125.960] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=16348) returned 1 [0125.960] GetProcessHeap () returned 0x4c0000 [0125.960] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b88140 [0125.974] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="C1") returned 2 [0125.974] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="26") returned 2 [0125.974] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="B3") returned 2 [0125.974] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="8B") returned 2 [0125.974] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="56") returned 2 [0125.974] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="C8") returned 2 [0125.974] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="FD") returned 2 [0125.974] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="06") returned 2 [0125.974] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="CC") returned 2 [0125.974] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="8A") returned 2 [0125.974] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="23") returned 2 [0125.974] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="34") returned 2 [0125.975] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="88") returned 2 [0125.975] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="18") returned 2 [0125.975] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="86") returned 2 [0125.975] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="7C") returned 2 [0125.975] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="EA") returned 2 [0125.975] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="0E") returned 2 [0125.975] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="1F") returned 2 [0125.975] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="62") returned 2 [0125.975] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="53") returned 2 [0125.975] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="4F") returned 2 [0125.975] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="09") returned 2 [0125.975] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="59") returned 2 [0125.975] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="59") returned 2 [0125.975] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="1B") returned 2 [0125.975] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="41") returned 2 [0125.975] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="C5") returned 2 [0125.975] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="DC") returned 2 [0125.975] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="5A") returned 2 [0125.975] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="EB") returned 2 [0125.975] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="1D") returned 2 [0125.988] lstrcpyW (in: lpString1=0x3b98174, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\messages.json" [0125.988] lstrcpyW (in: lpString1=0x3b88174, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\messages.json" [0125.989] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\messages.json", lpString2=".C126B38B56C8FD06CC8A23348818867CEA0E1F62534F0959591B41C5DC5AEB1D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\messages.json.C126B38B56C8FD06CC8A23348818867CEA0E1F62534F0959591B41C5DC5AEB1D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\messages.json.C126B38B56C8FD06CC8A23348818867CEA0E1F62534F0959591B41C5DC5AEB1D" [0125.989] CreateIoCompletionPort (FileHandle=0x1bc, ExistingCompletionPort=0x94, CompletionKey=0x3b88140, NumberOfConcurrentThreads=0x0) returned 0x94 [0125.989] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b88140, lpOverlapped=0x3b88140) returned 1 [0125.989] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x835a5400, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835a5400, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83990ab0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x3fdc, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0125.989] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0125.989] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\PUSSY.TXT") returned 163 [0125.989] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_pt\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x114 [0125.990] lstrlenA (lpString="abcd") returned 4 [0125.990] WriteFile (in: hFile=0x114, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0125.992] CloseHandle (hObject=0x114) returned 1 [0125.992] GetProcessHeap () returned 0x4c0000 [0125.992] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0125.992] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x835aa220, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835b1750, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x835b1750, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ro", cAlternateFileName="")) returned 1 [0125.992] lstrcmpiW (lpString1="ro", lpString2="Windows") returned -1 [0125.992] lstrcmpiW (lpString1="ro", lpString2="Program Files") returned 1 [0125.992] lstrcmpiW (lpString1="ro", lpString2="Program Files (x86)") returned 1 [0125.992] lstrcmpiW (lpString1="ro", lpString2="$Recycle.bin") returned 1 [0125.992] lstrcmpiW (lpString1="ro", lpString2="System Volume Information") returned -1 [0125.992] lstrcmpiW (lpString1="ro", lpString2=".") returned 1 [0125.992] lstrcmpiW (lpString1="ro", lpString2="..") returned 1 [0125.992] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro") returned 150 [0125.992] GetProcessHeap () returned 0x4c0000 [0125.992] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0125.992] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro" [0125.992] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\*" [0125.993] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x835aa220, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835b1750, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x835b1750, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0125.993] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0125.993] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0125.993] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0125.993] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0125.993] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0125.993] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0125.993] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x835aa220, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835b1750, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x835b1750, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0125.993] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0125.993] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0125.993] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0125.993] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0125.993] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0125.993] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0125.993] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0125.993] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x835b1750, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835b3e60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83990ab0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x40db, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0125.994] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0125.994] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0125.994] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0125.994] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0125.994] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0125.994] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0125.994] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0125.994] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\messages.json") returned 164 [0125.994] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0125.994] PathFindExtensionW (pszPath="messages.json") returned=".json" [0125.994] lstrlenW (lpString=".json") returned 5 [0125.994] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0125.994] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b0 [0125.995] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=16603) returned 1 [0125.995] GetProcessHeap () returned 0x4c0000 [0125.995] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c20058 [0126.058] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="36") returned 2 [0126.058] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="EE") returned 2 [0126.058] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="B8") returned 2 [0126.058] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="55") returned 2 [0126.058] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="D8") returned 2 [0126.058] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="D0") returned 2 [0126.059] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="82") returned 2 [0126.059] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="FE") returned 2 [0126.059] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="12") returned 2 [0126.059] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="3C") returned 2 [0126.059] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="7B") returned 2 [0126.059] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="39") returned 2 [0126.059] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="71") returned 2 [0126.059] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="01") returned 2 [0126.059] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="C4") returned 2 [0126.059] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="57") returned 2 [0126.059] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="2D") returned 2 [0126.059] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="35") returned 2 [0126.059] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="CC") returned 2 [0126.059] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="C2") returned 2 [0126.059] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="89") returned 2 [0126.059] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="29") returned 2 [0126.059] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="B0") returned 2 [0126.059] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="1D") returned 2 [0126.059] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="60") returned 2 [0126.059] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="B4") returned 2 [0126.059] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="DB") returned 2 [0126.059] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="97") returned 2 [0126.059] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="D1") returned 2 [0126.059] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="6A") returned 2 [0126.060] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="CB") returned 2 [0126.060] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="7E") returned 2 [0126.071] lstrcpyW (in: lpString1=0x3c3008c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\messages.json" [0126.071] lstrcpyW (in: lpString1=0x3c2008c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\messages.json" [0126.072] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\messages.json", lpString2=".36EEB855D8D082FE123C7B397101C4572D35CCC28929B01D60B4DB97D16ACB7E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\messages.json.36EEB855D8D082FE123C7B397101C4572D35CCC28929B01D60B4DB97D16ACB7E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\messages.json.36EEB855D8D082FE123C7B397101C4572D35CCC28929B01D60B4DB97D16ACB7E" [0126.072] CreateIoCompletionPort (FileHandle=0x1b0, ExistingCompletionPort=0x94, CompletionKey=0x3c20058, NumberOfConcurrentThreads=0x0) returned 0x94 [0126.072] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c20058, lpOverlapped=0x3c20058) returned 1 [0126.072] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x835b1750, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835b3e60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83990ab0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x40db, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0126.072] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0126.075] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\PUSSY.TXT") returned 160 [0126.076] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x114 [0126.077] lstrlenA (lpString="abcd") returned 4 [0126.077] WriteFile (in: hFile=0x114, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0126.078] CloseHandle (hObject=0x114) returned 1 [0126.078] GetProcessHeap () returned 0x4c0000 [0126.078] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0126.078] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x835b6570, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835b8c80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x835b8c80, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ru", cAlternateFileName="")) returned 1 [0126.078] lstrcmpiW (lpString1="ru", lpString2="Windows") returned -1 [0126.078] lstrcmpiW (lpString1="ru", lpString2="Program Files") returned 1 [0126.079] lstrcmpiW (lpString1="ru", lpString2="Program Files (x86)") returned 1 [0126.079] lstrcmpiW (lpString1="ru", lpString2="$Recycle.bin") returned 1 [0126.079] lstrcmpiW (lpString1="ru", lpString2="System Volume Information") returned -1 [0126.079] lstrcmpiW (lpString1="ru", lpString2=".") returned 1 [0126.079] lstrcmpiW (lpString1="ru", lpString2="..") returned 1 [0126.079] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru") returned 150 [0126.079] GetProcessHeap () returned 0x4c0000 [0126.079] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0126.079] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru" [0126.079] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\*" [0126.079] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x835b6570, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835b8c80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x835b8c80, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0126.079] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0126.079] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0126.079] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0126.080] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0126.080] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0126.080] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0126.080] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x835b6570, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835b8c80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x835b8c80, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0126.080] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0126.080] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0126.080] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0126.080] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0126.080] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0126.080] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0126.080] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0126.080] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x835b8c80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835bb390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x839931c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x490e, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0126.080] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0126.080] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0126.080] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0126.080] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0126.080] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0126.080] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0126.080] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0126.080] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\messages.json") returned 164 [0126.080] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0126.081] PathFindExtensionW (pszPath="messages.json") returned=".json" [0126.081] lstrlenW (lpString=".json") returned 5 [0126.081] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0126.081] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1ac [0126.082] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=18702) returned 1 [0126.082] GetProcessHeap () returned 0x4c0000 [0126.082] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c480a8 [0126.096] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="1B") returned 2 [0126.096] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="F5") returned 2 [0126.096] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="EC") returned 2 [0126.096] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="B8") returned 2 [0126.096] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="A9") returned 2 [0126.096] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="BB") returned 2 [0126.097] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="E4") returned 2 [0126.097] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="A4") returned 2 [0126.097] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="E6") returned 2 [0126.097] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="74") returned 2 [0126.097] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="81") returned 2 [0126.097] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="C9") returned 2 [0126.097] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="29") returned 2 [0126.097] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="7C") returned 2 [0126.097] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="71") returned 2 [0126.097] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="24") returned 2 [0126.097] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="D6") returned 2 [0126.097] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="AB") returned 2 [0126.097] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="D6") returned 2 [0126.097] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="C7") returned 2 [0126.097] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="5F") returned 2 [0126.097] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="C2") returned 2 [0126.097] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="B2") returned 2 [0126.097] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="EB") returned 2 [0126.097] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="1C") returned 2 [0126.097] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="14") returned 2 [0126.097] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="50") returned 2 [0126.097] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="2C") returned 2 [0126.098] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="9C") returned 2 [0126.098] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="1F") returned 2 [0126.098] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="FE") returned 2 [0126.098] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="6F") returned 2 [0126.110] lstrcpyW (in: lpString1=0x3c580dc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\messages.json" [0126.110] lstrcpyW (in: lpString1=0x3c480dc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\messages.json" [0126.110] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\messages.json", lpString2=".1BF5ECB8A9BBE4A4E67481C9297C7124D6ABD6C75FC2B2EB1C14502C9C1FFE6F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\messages.json.1BF5ECB8A9BBE4A4E67481C9297C7124D6ABD6C75FC2B2EB1C14502C9C1FFE6F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\messages.json.1BF5ECB8A9BBE4A4E67481C9297C7124D6ABD6C75FC2B2EB1C14502C9C1FFE6F" [0126.110] CreateIoCompletionPort (FileHandle=0x1ac, ExistingCompletionPort=0x94, CompletionKey=0x3c480a8, NumberOfConcurrentThreads=0x0) returned 0x94 [0126.110] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c480a8, lpOverlapped=0x3c480a8) returned 1 [0126.110] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x835b8c80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835bb390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x839931c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x490e, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0126.110] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0126.110] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\PUSSY.TXT") returned 160 [0126.110] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x114 [0126.123] lstrlenA (lpString="abcd") returned 4 [0126.123] WriteFile (in: hFile=0x114, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0126.124] CloseHandle (hObject=0x114) returned 1 [0126.125] GetProcessHeap () returned 0x4c0000 [0126.125] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0126.125] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x835c01b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835c01b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x835c01b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="sk", cAlternateFileName="")) returned 1 [0126.125] lstrcmpiW (lpString1="sk", lpString2="Windows") returned -1 [0126.125] lstrcmpiW (lpString1="sk", lpString2="Program Files") returned 1 [0126.125] lstrcmpiW (lpString1="sk", lpString2="Program Files (x86)") returned 1 [0126.125] lstrcmpiW (lpString1="sk", lpString2="$Recycle.bin") returned 1 [0126.125] lstrcmpiW (lpString1="sk", lpString2="System Volume Information") returned -1 [0126.125] lstrcmpiW (lpString1="sk", lpString2=".") returned 1 [0126.125] lstrcmpiW (lpString1="sk", lpString2="..") returned 1 [0126.125] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk") returned 150 [0126.125] GetProcessHeap () returned 0x4c0000 [0126.125] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0126.125] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk" [0126.125] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\*" [0126.125] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x835c01b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835c01b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x835c01b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0126.126] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0126.126] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0126.126] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0126.126] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0126.126] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0126.126] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0126.126] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x835c01b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835c01b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x835c01b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0126.126] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0126.126] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0126.126] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0126.126] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0126.126] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0126.126] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0126.126] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0126.126] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x835c01b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835c28c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x839931c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x40fd, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0126.126] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0126.127] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0126.127] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0126.127] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0126.127] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0126.127] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0126.127] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0126.127] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\messages.json") returned 164 [0126.127] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0126.127] PathFindExtensionW (pszPath="messages.json") returned=".json" [0126.127] lstrlenW (lpString=".json") returned 5 [0126.127] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0126.127] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1dc [0126.128] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=16637) returned 1 [0126.128] GetProcessHeap () returned 0x4c0000 [0126.128] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c9a148 [0126.143] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="CA") returned 2 [0126.143] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="BF") returned 2 [0126.143] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="FD") returned 2 [0126.143] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="56") returned 2 [0126.143] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="1A") returned 2 [0126.143] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="08") returned 2 [0126.143] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="3D") returned 2 [0126.143] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="88") returned 2 [0126.143] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="9F") returned 2 [0126.143] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="80") returned 2 [0126.143] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="66") returned 2 [0126.143] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="E6") returned 2 [0126.143] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="53") returned 2 [0126.144] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="DD") returned 2 [0126.144] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="E4") returned 2 [0126.144] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="B6") returned 2 [0126.144] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="35") returned 2 [0126.144] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="EA") returned 2 [0126.144] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="E2") returned 2 [0126.144] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="64") returned 2 [0126.144] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="1C") returned 2 [0126.144] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="AC") returned 2 [0126.144] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="81") returned 2 [0126.144] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="9E") returned 2 [0126.144] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="06") returned 2 [0126.144] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="2C") returned 2 [0126.144] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="CE") returned 2 [0126.144] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="87") returned 2 [0126.144] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="C4") returned 2 [0126.144] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="9A") returned 2 [0126.144] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="C7") returned 2 [0126.144] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="68") returned 2 [0126.157] lstrcpyW (in: lpString1=0x3caa17c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\messages.json" [0126.157] lstrcpyW (in: lpString1=0x3c9a17c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\messages.json" [0126.157] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\messages.json", lpString2=".CABFFD561A083D889F8066E653DDE4B635EAE2641CAC819E062CCE87C49AC768" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\messages.json.CABFFD561A083D889F8066E653DDE4B635EAE2641CAC819E062CCE87C49AC768") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\messages.json.CABFFD561A083D889F8066E653DDE4B635EAE2641CAC819E062CCE87C49AC768" [0126.157] CreateIoCompletionPort (FileHandle=0x1dc, ExistingCompletionPort=0x94, CompletionKey=0x3c9a148, NumberOfConcurrentThreads=0x0) returned 0x94 [0126.157] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c9a148, lpOverlapped=0x3c9a148) returned 1 [0126.158] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x835c01b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835c28c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x839931c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x40fd, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0126.158] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0126.158] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\PUSSY.TXT") returned 160 [0126.158] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x114 [0126.159] lstrlenA (lpString="abcd") returned 4 [0126.159] WriteFile (in: hFile=0x114, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0126.160] CloseHandle (hObject=0x114) returned 1 [0126.160] GetProcessHeap () returned 0x4c0000 [0126.160] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0126.160] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x835c4fd0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835c9df0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x835c9df0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="sl", cAlternateFileName="")) returned 1 [0126.160] lstrcmpiW (lpString1="sl", lpString2="Windows") returned -1 [0126.160] lstrcmpiW (lpString1="sl", lpString2="Program Files") returned 1 [0126.160] lstrcmpiW (lpString1="sl", lpString2="Program Files (x86)") returned 1 [0126.160] lstrcmpiW (lpString1="sl", lpString2="$Recycle.bin") returned 1 [0126.160] lstrcmpiW (lpString1="sl", lpString2="System Volume Information") returned -1 [0126.160] lstrcmpiW (lpString1="sl", lpString2=".") returned 1 [0126.160] lstrcmpiW (lpString1="sl", lpString2="..") returned 1 [0126.161] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl") returned 150 [0126.161] GetProcessHeap () returned 0x4c0000 [0126.161] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0126.161] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl" [0126.161] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\*" [0126.161] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x835c4fd0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835c9df0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x835c9df0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0126.161] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0126.161] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0126.161] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0126.161] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0126.161] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0126.161] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0126.161] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x835c4fd0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835c9df0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x835c9df0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0126.161] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0126.161] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0126.161] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0126.161] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0126.162] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0126.162] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0126.162] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0126.162] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x835c9df0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835c9df0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x839931c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x407a, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0126.162] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0126.162] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0126.162] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0126.162] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0126.162] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0126.162] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0126.162] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0126.162] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\messages.json") returned 164 [0126.162] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0126.162] PathFindExtensionW (pszPath="messages.json") returned=".json" [0126.162] lstrlenW (lpString=".json") returned 5 [0126.162] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0126.162] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a0 [0126.163] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=16506) returned 1 [0126.163] GetProcessHeap () returned 0x4c0000 [0126.163] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b380a0 [0126.174] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="51") returned 2 [0126.174] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="16") returned 2 [0126.174] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="6F") returned 2 [0126.174] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="D6") returned 2 [0126.174] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="F9") returned 2 [0126.174] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="3F") returned 2 [0126.174] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="5C") returned 2 [0126.174] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="9A") returned 2 [0126.174] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="FD") returned 2 [0126.174] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="DD") returned 2 [0126.174] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="AE") returned 2 [0126.174] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="1E") returned 2 [0126.174] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="30") returned 2 [0126.174] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="78") returned 2 [0126.174] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="EA") returned 2 [0126.174] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="7E") returned 2 [0126.174] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="5E") returned 2 [0126.174] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="CB") returned 2 [0126.174] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="BF") returned 2 [0126.174] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="95") returned 2 [0126.174] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="5E") returned 2 [0126.174] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="C1") returned 2 [0126.174] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="D2") returned 2 [0126.174] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="F5") returned 2 [0126.174] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="DB") returned 2 [0126.175] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="05") returned 2 [0126.175] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="B3") returned 2 [0126.175] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="BD") returned 2 [0126.175] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="65") returned 2 [0126.175] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="E6") returned 2 [0126.175] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="04") returned 2 [0126.175] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="0F") returned 2 [0126.183] lstrcpyW (in: lpString1=0x3b480d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\messages.json" [0126.183] lstrcpyW (in: lpString1=0x3b380d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\messages.json" [0126.183] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\messages.json", lpString2=".51166FD6F93F5C9AFDDDAE1E3078EA7E5ECBBF955EC1D2F5DB05B3BD65E6040F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\messages.json.51166FD6F93F5C9AFDDDAE1E3078EA7E5ECBBF955EC1D2F5DB05B3BD65E6040F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\messages.json.51166FD6F93F5C9AFDDDAE1E3078EA7E5ECBBF955EC1D2F5DB05B3BD65E6040F" [0126.183] CreateIoCompletionPort (FileHandle=0x1a0, ExistingCompletionPort=0x94, CompletionKey=0x3b380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0126.183] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b380a0, lpOverlapped=0x3b380a0) returned 1 [0126.183] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x835c9df0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835c9df0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x839931c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x407a, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0126.183] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0126.183] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\PUSSY.TXT") returned 160 [0126.183] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x114 [0126.248] lstrlenA (lpString="abcd") returned 4 [0126.248] WriteFile (in: hFile=0x114, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0126.249] CloseHandle (hObject=0x114) returned 1 [0126.249] GetProcessHeap () returned 0x4c0000 [0126.249] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0126.249] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x835cec10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835cec10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x835cec10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="sr", cAlternateFileName="")) returned 1 [0126.249] lstrcmpiW (lpString1="sr", lpString2="Windows") returned -1 [0126.249] lstrcmpiW (lpString1="sr", lpString2="Program Files") returned 1 [0126.249] lstrcmpiW (lpString1="sr", lpString2="Program Files (x86)") returned 1 [0126.249] lstrcmpiW (lpString1="sr", lpString2="$Recycle.bin") returned 1 [0126.249] lstrcmpiW (lpString1="sr", lpString2="System Volume Information") returned -1 [0126.249] lstrcmpiW (lpString1="sr", lpString2=".") returned 1 [0126.249] lstrcmpiW (lpString1="sr", lpString2="..") returned 1 [0126.249] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr") returned 150 [0126.249] GetProcessHeap () returned 0x4c0000 [0126.249] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0126.249] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr" [0126.250] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\*" [0126.250] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x835cec10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835cec10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x835cec10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0126.250] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0126.250] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0126.250] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0126.250] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0126.250] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0126.250] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0126.250] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x835cec10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835cec10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x835cec10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0126.250] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0126.250] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0126.250] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0126.250] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0126.250] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0126.250] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0126.250] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0126.250] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x835cec10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835d1320, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x839931c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x49c1, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0126.250] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0126.250] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0126.251] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0126.251] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0126.251] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0126.251] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0126.251] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0126.251] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\messages.json") returned 164 [0126.251] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0126.251] PathFindExtensionW (pszPath="messages.json") returned=".json" [0126.251] lstrlenW (lpString=".json") returned 5 [0126.251] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0126.251] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1e4 [0126.252] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=18881) returned 1 [0126.252] GetProcessHeap () returned 0x4c0000 [0126.252] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c720f8 [0126.260] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="0B") returned 2 [0126.260] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="67") returned 2 [0126.260] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="93") returned 2 [0126.260] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="23") returned 2 [0126.260] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="A4") returned 2 [0126.260] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="F4") returned 2 [0126.260] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="32") returned 2 [0126.260] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="34") returned 2 [0126.260] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="17") returned 2 [0126.260] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="51") returned 2 [0126.260] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="97") returned 2 [0126.260] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="A2") returned 2 [0126.260] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="96") returned 2 [0126.260] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="56") returned 2 [0126.260] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="B1") returned 2 [0126.260] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="3D") returned 2 [0126.260] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="75") returned 2 [0126.260] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="4D") returned 2 [0126.260] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="53") returned 2 [0126.261] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="19") returned 2 [0126.261] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="2E") returned 2 [0126.261] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="FE") returned 2 [0126.261] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="00") returned 2 [0126.261] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="83") returned 2 [0126.261] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="94") returned 2 [0126.261] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="19") returned 2 [0126.261] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="46") returned 2 [0126.261] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="96") returned 2 [0126.261] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="D1") returned 2 [0126.261] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="E9") returned 2 [0126.261] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="6E") returned 2 [0126.261] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="1C") returned 2 [0126.269] lstrcpyW (in: lpString1=0x3c8212c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\messages.json" [0126.269] lstrcpyW (in: lpString1=0x3c7212c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\messages.json" [0126.269] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\messages.json", lpString2=".0B679323A4F43234175197A29656B13D754D53192EFE008394194696D1E96E1C" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\messages.json.0B679323A4F43234175197A29656B13D754D53192EFE008394194696D1E96E1C") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\messages.json.0B679323A4F43234175197A29656B13D754D53192EFE008394194696D1E96E1C" [0126.269] CreateIoCompletionPort (FileHandle=0x1e4, ExistingCompletionPort=0x94, CompletionKey=0x3c720f8, NumberOfConcurrentThreads=0x0) returned 0x94 [0126.269] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c720f8, lpOverlapped=0x3c720f8) returned 1 [0126.269] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x835cec10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835d1320, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x839931c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x49c1, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0126.269] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0126.270] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\PUSSY.TXT") returned 160 [0126.270] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x114 [0126.271] lstrlenA (lpString="abcd") returned 4 [0126.272] WriteFile (in: hFile=0x114, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0126.272] CloseHandle (hObject=0x114) returned 1 [0126.273] GetProcessHeap () returned 0x4c0000 [0126.273] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0126.273] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x835daf60, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835dd670, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x835dd670, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="sv", cAlternateFileName="")) returned 1 [0126.273] lstrcmpiW (lpString1="sv", lpString2="Windows") returned -1 [0126.273] lstrcmpiW (lpString1="sv", lpString2="Program Files") returned 1 [0126.273] lstrcmpiW (lpString1="sv", lpString2="Program Files (x86)") returned 1 [0126.273] lstrcmpiW (lpString1="sv", lpString2="$Recycle.bin") returned 1 [0126.273] lstrcmpiW (lpString1="sv", lpString2="System Volume Information") returned -1 [0126.273] lstrcmpiW (lpString1="sv", lpString2=".") returned 1 [0126.273] lstrcmpiW (lpString1="sv", lpString2="..") returned 1 [0126.273] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv") returned 150 [0126.273] GetProcessHeap () returned 0x4c0000 [0126.273] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0126.273] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv" [0126.273] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\*" [0126.273] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x835daf60, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835dd670, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x835dd670, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0126.273] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0126.273] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0126.273] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0126.274] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0126.274] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0126.274] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0126.274] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x835daf60, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835dd670, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x835dd670, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0126.274] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0126.274] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0126.274] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0126.274] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0126.274] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0126.274] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0126.274] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0126.274] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x835dd670, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835dd670, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x839958d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x3e96, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0126.274] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0126.274] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0126.274] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0126.274] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0126.274] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0126.274] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0126.274] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0126.274] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\messages.json") returned 164 [0126.274] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0126.274] PathFindExtensionW (pszPath="messages.json") returned=".json" [0126.274] lstrlenW (lpString=".json") returned 5 [0126.274] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0126.274] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1cc [0126.276] GetFileSizeEx (in: hFile=0x1cc, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=16022) returned 1 [0126.276] GetProcessHeap () returned 0x4c0000 [0126.276] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b600f0 [0126.316] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="77") returned 2 [0126.316] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="34") returned 2 [0126.317] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="9D") returned 2 [0126.317] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="37") returned 2 [0126.317] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="37") returned 2 [0126.317] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="F3") returned 2 [0126.317] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="5C") returned 2 [0126.317] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="2F") returned 2 [0126.317] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="FA") returned 2 [0126.317] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="50") returned 2 [0126.317] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="BC") returned 2 [0126.317] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="27") returned 2 [0126.317] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="06") returned 2 [0126.317] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="BD") returned 2 [0126.317] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="12") returned 2 [0126.317] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="FA") returned 2 [0126.317] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="FE") returned 2 [0126.317] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="7F") returned 2 [0126.317] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="7D") returned 2 [0126.317] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="EB") returned 2 [0126.317] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="E7") returned 2 [0126.317] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="34") returned 2 [0126.317] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="8C") returned 2 [0126.317] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="7F") returned 2 [0126.317] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="38") returned 2 [0126.317] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="B0") returned 2 [0126.317] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="13") returned 2 [0126.317] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="C8") returned 2 [0126.317] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="A8") returned 2 [0126.317] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="6E") returned 2 [0126.317] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="2E") returned 2 [0126.317] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="55") returned 2 [0126.325] lstrcpyW (in: lpString1=0x3b70124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\messages.json" [0126.325] lstrcpyW (in: lpString1=0x3b60124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\messages.json" [0126.326] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\messages.json", lpString2=".77349D3737F35C2FFA50BC2706BD12FAFE7F7DEBE7348C7F38B013C8A86E2E55" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\messages.json.77349D3737F35C2FFA50BC2706BD12FAFE7F7DEBE7348C7F38B013C8A86E2E55") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\messages.json.77349D3737F35C2FFA50BC2706BD12FAFE7F7DEBE7348C7F38B013C8A86E2E55" [0126.326] CreateIoCompletionPort (FileHandle=0x1cc, ExistingCompletionPort=0x94, CompletionKey=0x3b600f0, NumberOfConcurrentThreads=0x0) returned 0x94 [0126.326] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b600f0, lpOverlapped=0x3b600f0) returned 1 [0126.326] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x835dd670, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835dd670, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x839958d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x3e96, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0126.326] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0126.326] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\PUSSY.TXT") returned 160 [0126.326] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x114 [0126.327] lstrlenA (lpString="abcd") returned 4 [0126.327] WriteFile (in: hFile=0x114, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0126.328] CloseHandle (hObject=0x114) returned 1 [0126.328] GetProcessHeap () returned 0x4c0000 [0126.328] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0126.328] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x835dd670, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835dfd80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x835dfd80, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="sw", cAlternateFileName="")) returned 1 [0126.328] lstrcmpiW (lpString1="sw", lpString2="Windows") returned -1 [0126.328] lstrcmpiW (lpString1="sw", lpString2="Program Files") returned 1 [0126.328] lstrcmpiW (lpString1="sw", lpString2="Program Files (x86)") returned 1 [0126.328] lstrcmpiW (lpString1="sw", lpString2="$Recycle.bin") returned 1 [0126.328] lstrcmpiW (lpString1="sw", lpString2="System Volume Information") returned -1 [0126.328] lstrcmpiW (lpString1="sw", lpString2=".") returned 1 [0126.328] lstrcmpiW (lpString1="sw", lpString2="..") returned 1 [0126.329] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw") returned 150 [0126.329] GetProcessHeap () returned 0x4c0000 [0126.329] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0126.329] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw" [0126.329] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\*" [0126.329] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x835dd670, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835dfd80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x835dfd80, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0126.329] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0126.329] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0126.329] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0126.329] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0126.329] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0126.329] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0126.329] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x835dd670, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835dfd80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x835dfd80, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0126.329] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0126.329] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0126.329] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0126.329] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0126.329] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0126.329] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0126.329] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0126.329] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x835dfd80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835dfd80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x839958d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x3e8b, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0126.330] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0126.330] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0126.330] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0126.330] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0126.330] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0126.330] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0126.330] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0126.330] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\messages.json") returned 164 [0126.330] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0126.330] PathFindExtensionW (pszPath="messages.json") returned=".json" [0126.330] lstrlenW (lpString=".json") returned 5 [0126.330] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0126.330] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d4 [0126.330] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=16011) returned 1 [0126.331] GetProcessHeap () returned 0x4c0000 [0126.331] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x53caf0 [0126.342] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="9D") returned 2 [0126.342] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="23") returned 2 [0126.342] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="A1") returned 2 [0126.342] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="3E") returned 2 [0126.342] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="FC") returned 2 [0126.342] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="E8") returned 2 [0126.342] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="95") returned 2 [0126.342] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="8B") returned 2 [0126.342] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="27") returned 2 [0126.342] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="10") returned 2 [0126.342] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="7F") returned 2 [0126.342] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="15") returned 2 [0126.342] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="A5") returned 2 [0126.342] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="B8") returned 2 [0126.342] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="9D") returned 2 [0126.342] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="B1") returned 2 [0126.342] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="A4") returned 2 [0126.342] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="5C") returned 2 [0126.342] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="EA") returned 2 [0126.342] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="6B") returned 2 [0126.342] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="46") returned 2 [0126.343] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="37") returned 2 [0126.343] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="16") returned 2 [0126.343] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="B5") returned 2 [0126.343] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="BE") returned 2 [0126.343] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="03") returned 2 [0126.343] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="14") returned 2 [0126.343] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="68") returned 2 [0126.343] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="BE") returned 2 [0126.343] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="A3") returned 2 [0126.343] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="79") returned 2 [0126.343] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="69") returned 2 [0126.370] lstrcpyW (in: lpString1=0x54cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\messages.json" [0126.370] lstrcpyW (in: lpString1=0x53cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\messages.json" [0126.370] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\messages.json", lpString2=".9D23A13EFCE8958B27107F15A5B89DB1A45CEA6B463716B5BE031468BEA37969" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\messages.json.9D23A13EFCE8958B27107F15A5B89DB1A45CEA6B463716B5BE031468BEA37969") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\messages.json.9D23A13EFCE8958B27107F15A5B89DB1A45CEA6B463716B5BE031468BEA37969" [0126.370] CreateIoCompletionPort (FileHandle=0x1d4, ExistingCompletionPort=0x94, CompletionKey=0x53caf0, NumberOfConcurrentThreads=0x0) returned 0x94 [0126.370] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x53caf0, lpOverlapped=0x53caf0) returned 1 [0126.370] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x835dfd80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835dfd80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x839958d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x3e8b, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0126.370] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0126.370] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\PUSSY.TXT") returned 160 [0126.371] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x114 [0126.372] lstrlenA (lpString="abcd") returned 4 [0126.372] WriteFile (in: hFile=0x114, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0126.373] CloseHandle (hObject=0x114) returned 1 [0126.373] GetProcessHeap () returned 0x4c0000 [0126.373] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0126.373] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x835e4ba0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835e72b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x835e72b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="ta", cAlternateFileName="")) returned 1 [0126.373] lstrcmpiW (lpString1="ta", lpString2="Windows") returned -1 [0126.373] lstrcmpiW (lpString1="ta", lpString2="Program Files") returned 1 [0126.373] lstrcmpiW (lpString1="ta", lpString2="Program Files (x86)") returned 1 [0126.373] lstrcmpiW (lpString1="ta", lpString2="$Recycle.bin") returned 1 [0126.373] lstrcmpiW (lpString1="ta", lpString2="System Volume Information") returned 1 [0126.373] lstrcmpiW (lpString1="ta", lpString2=".") returned 1 [0126.373] lstrcmpiW (lpString1="ta", lpString2="..") returned 1 [0126.373] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta") returned 150 [0126.374] GetProcessHeap () returned 0x4c0000 [0126.374] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0126.374] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta" [0126.374] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\*" [0126.374] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x835e4ba0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835e72b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x835e72b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0126.374] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0126.374] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0126.374] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0126.374] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0126.374] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0126.374] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0126.374] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x835e4ba0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835e72b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x835e72b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0126.374] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0126.374] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0126.374] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0126.374] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0126.374] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0126.375] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0126.375] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0126.375] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x835e72b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835e99c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x839958d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x563d, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0126.375] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0126.375] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0126.375] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0126.375] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0126.375] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0126.375] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0126.375] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0126.375] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\messages.json") returned 164 [0126.375] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0126.375] PathFindExtensionW (pszPath="messages.json") returned=".json" [0126.375] lstrlenW (lpString=".json") returned 5 [0126.375] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0126.375] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1e4 [0126.377] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=22077) returned 1 [0126.377] GetProcessHeap () returned 0x4c0000 [0126.377] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c720f8 [0126.385] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="B6") returned 2 [0126.386] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="38") returned 2 [0126.386] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="60") returned 2 [0126.386] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="28") returned 2 [0126.386] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="C7") returned 2 [0126.386] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="EC") returned 2 [0126.386] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="82") returned 2 [0126.386] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="95") returned 2 [0126.386] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="43") returned 2 [0126.386] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="FB") returned 2 [0126.386] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="AE") returned 2 [0126.386] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="75") returned 2 [0126.386] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="A8") returned 2 [0126.386] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="7E") returned 2 [0126.386] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="A1") returned 2 [0126.386] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="19") returned 2 [0126.386] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="07") returned 2 [0126.386] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="18") returned 2 [0126.386] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="51") returned 2 [0126.386] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="C6") returned 2 [0126.386] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="A4") returned 2 [0126.386] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="25") returned 2 [0126.386] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="70") returned 2 [0126.386] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="B1") returned 2 [0126.386] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="E3") returned 2 [0126.386] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="42") returned 2 [0126.386] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="CB") returned 2 [0126.386] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="1F") returned 2 [0126.386] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="A1") returned 2 [0126.386] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="8B") returned 2 [0126.386] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="EF") returned 2 [0126.387] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="67") returned 2 [0126.394] lstrcpyW (in: lpString1=0x3c8212c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\messages.json" [0126.394] lstrcpyW (in: lpString1=0x3c7212c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\messages.json" [0126.395] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\messages.json", lpString2=".B6386028C7EC829543FBAE75A87EA119071851C6A42570B1E342CB1FA18BEF67" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\messages.json.B6386028C7EC829543FBAE75A87EA119071851C6A42570B1E342CB1FA18BEF67") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\messages.json.B6386028C7EC829543FBAE75A87EA119071851C6A42570B1E342CB1FA18BEF67" [0126.395] CreateIoCompletionPort (FileHandle=0x1e4, ExistingCompletionPort=0x94, CompletionKey=0x3c720f8, NumberOfConcurrentThreads=0x0) returned 0x94 [0126.395] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c720f8, lpOverlapped=0x3c720f8) returned 1 [0126.395] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x835e72b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835e99c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x839958d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x563d, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0126.395] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0126.395] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\PUSSY.TXT") returned 160 [0126.395] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x114 [0126.396] lstrlenA (lpString="abcd") returned 4 [0126.396] WriteFile (in: hFile=0x114, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0126.397] CloseHandle (hObject=0x114) returned 1 [0126.397] GetProcessHeap () returned 0x4c0000 [0126.397] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0126.397] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x835ec0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835f0ef0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x835f0ef0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="te", cAlternateFileName="")) returned 1 [0126.397] lstrcmpiW (lpString1="te", lpString2="Windows") returned -1 [0126.397] lstrcmpiW (lpString1="te", lpString2="Program Files") returned 1 [0126.397] lstrcmpiW (lpString1="te", lpString2="Program Files (x86)") returned 1 [0126.397] lstrcmpiW (lpString1="te", lpString2="$Recycle.bin") returned 1 [0126.397] lstrcmpiW (lpString1="te", lpString2="System Volume Information") returned 1 [0126.397] lstrcmpiW (lpString1="te", lpString2=".") returned 1 [0126.397] lstrcmpiW (lpString1="te", lpString2="..") returned 1 [0126.397] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te") returned 150 [0126.397] GetProcessHeap () returned 0x4c0000 [0126.397] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0126.397] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te" [0126.397] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\*" [0126.397] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x835ec0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835f0ef0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x835f0ef0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0126.398] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0126.398] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0126.398] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0126.398] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0126.398] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0126.398] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0126.398] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x835ec0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835f0ef0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x835f0ef0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0126.398] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0126.398] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0126.398] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0126.398] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0126.398] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0126.398] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0126.398] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0126.398] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x835f0ef0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835f0ef0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x839958d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x5593, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0126.398] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0126.398] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0126.398] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0126.398] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0126.398] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0126.398] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0126.398] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0126.398] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\messages.json") returned 164 [0126.398] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0126.398] PathFindExtensionW (pszPath="messages.json") returned=".json" [0126.398] lstrlenW (lpString=".json") returned 5 [0126.398] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0126.399] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x16c [0126.399] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=21907) returned 1 [0126.399] GetProcessHeap () returned 0x4c0000 [0126.399] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x564b40 [0126.409] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="70") returned 2 [0126.409] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="8F") returned 2 [0126.409] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="FA") returned 2 [0126.409] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="FE") returned 2 [0126.409] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="0B") returned 2 [0126.409] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="0E") returned 2 [0126.409] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="F3") returned 2 [0126.409] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="96") returned 2 [0126.409] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="A7") returned 2 [0126.409] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="68") returned 2 [0126.409] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="B7") returned 2 [0126.409] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="5C") returned 2 [0126.409] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="EA") returned 2 [0126.409] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="30") returned 2 [0126.409] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="4C") returned 2 [0126.409] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="D2") returned 2 [0126.409] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="5C") returned 2 [0126.409] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="22") returned 2 [0126.409] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="45") returned 2 [0126.409] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="3B") returned 2 [0126.409] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="C0") returned 2 [0126.409] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="30") returned 2 [0126.409] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="23") returned 2 [0126.409] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="E1") returned 2 [0126.409] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="15") returned 2 [0126.409] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="A2") returned 2 [0126.409] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="33") returned 2 [0126.409] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="36") returned 2 [0126.409] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="74") returned 2 [0126.409] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="34") returned 2 [0126.409] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="3A") returned 2 [0126.409] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="24") returned 2 [0126.418] lstrcpyW (in: lpString1=0x574b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\messages.json" [0126.418] lstrcpyW (in: lpString1=0x564b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\messages.json" [0126.418] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\messages.json", lpString2=".708FFAFE0B0EF396A768B75CEA304CD25C22453BC03023E115A2333674343A24" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\messages.json.708FFAFE0B0EF396A768B75CEA304CD25C22453BC03023E115A2333674343A24") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\messages.json.708FFAFE0B0EF396A768B75CEA304CD25C22453BC03023E115A2333674343A24" [0126.418] CreateIoCompletionPort (FileHandle=0x16c, ExistingCompletionPort=0x94, CompletionKey=0x564b40, NumberOfConcurrentThreads=0x0) returned 0x94 [0126.418] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x564b40, lpOverlapped=0x564b40) returned 1 [0126.418] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x835f0ef0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835f0ef0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x839958d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x5593, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0126.418] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0126.418] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\PUSSY.TXT") returned 160 [0126.418] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x114 [0126.419] lstrlenA (lpString="abcd") returned 4 [0126.419] WriteFile (in: hFile=0x114, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0126.420] CloseHandle (hObject=0x114) returned 1 [0126.420] GetProcessHeap () returned 0x4c0000 [0126.420] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0126.420] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x835f5d10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835f8420, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x835f8420, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="th", cAlternateFileName="")) returned 1 [0126.420] lstrcmpiW (lpString1="th", lpString2="Windows") returned -1 [0126.420] lstrcmpiW (lpString1="th", lpString2="Program Files") returned 1 [0126.420] lstrcmpiW (lpString1="th", lpString2="Program Files (x86)") returned 1 [0126.420] lstrcmpiW (lpString1="th", lpString2="$Recycle.bin") returned 1 [0126.420] lstrcmpiW (lpString1="th", lpString2="System Volume Information") returned 1 [0126.420] lstrcmpiW (lpString1="th", lpString2=".") returned 1 [0126.420] lstrcmpiW (lpString1="th", lpString2="..") returned 1 [0126.420] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th") returned 150 [0126.420] GetProcessHeap () returned 0x4c0000 [0126.420] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0126.421] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th" [0126.421] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\*" [0126.421] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x835f5d10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835f8420, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x835f8420, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0126.421] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0126.421] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0126.421] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0126.421] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0126.421] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0126.421] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0126.421] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x835f5d10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835f8420, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x835f8420, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0126.421] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0126.421] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0126.421] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0126.421] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0126.421] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0126.421] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0126.421] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0126.421] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x835f8420, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835fab30, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83997fe0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x4f64, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0126.421] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0126.421] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0126.421] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0126.421] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0126.422] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0126.422] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0126.422] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0126.422] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\messages.json") returned 164 [0126.422] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0126.422] PathFindExtensionW (pszPath="messages.json") returned=".json" [0126.422] lstrlenW (lpString=".json") returned 5 [0126.422] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0126.422] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0126.423] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=20324) returned 1 [0126.424] GetProcessHeap () returned 0x4c0000 [0126.424] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3cc2198 [0126.434] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="B3") returned 2 [0126.434] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="AA") returned 2 [0126.434] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="DD") returned 2 [0126.489] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="BD") returned 2 [0126.489] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="F0") returned 2 [0126.489] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="5A") returned 2 [0126.489] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="04") returned 2 [0126.489] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="EC") returned 2 [0126.490] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="32") returned 2 [0126.490] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="25") returned 2 [0126.490] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="E5") returned 2 [0126.490] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="2C") returned 2 [0126.490] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="3A") returned 2 [0126.490] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="18") returned 2 [0126.490] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="A4") returned 2 [0126.490] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="93") returned 2 [0126.490] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="4A") returned 2 [0126.490] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="A6") returned 2 [0126.490] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="B4") returned 2 [0126.490] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="AA") returned 2 [0126.490] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="95") returned 2 [0126.490] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="9B") returned 2 [0126.490] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="B7") returned 2 [0126.490] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="D9") returned 2 [0126.490] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="49") returned 2 [0126.490] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="FF") returned 2 [0126.490] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="B8") returned 2 [0126.490] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="79") returned 2 [0126.490] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="31") returned 2 [0126.490] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="BF") returned 2 [0126.490] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="52") returned 2 [0126.490] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="3A") returned 2 [0126.498] lstrcpyW (in: lpString1=0x3cd21cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\messages.json" [0126.498] lstrcpyW (in: lpString1=0x3cc21cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\messages.json" [0126.499] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\messages.json", lpString2=".B3AADDBDF05A04EC3225E52C3A18A4934AA6B4AA959BB7D949FFB87931BF523A" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\messages.json.B3AADDBDF05A04EC3225E52C3A18A4934AA6B4AA959BB7D949FFB87931BF523A") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\messages.json.B3AADDBDF05A04EC3225E52C3A18A4934AA6B4AA959BB7D949FFB87931BF523A" [0126.499] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x94, CompletionKey=0x3cc2198, NumberOfConcurrentThreads=0x0) returned 0x94 [0126.499] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3cc2198, lpOverlapped=0x3cc2198) returned 1 [0126.499] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x835f8420, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835fab30, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83997fe0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x4f64, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0126.499] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0126.499] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\PUSSY.TXT") returned 160 [0126.499] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x114 [0126.500] lstrlenA (lpString="abcd") returned 4 [0126.500] WriteFile (in: hFile=0x114, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0126.501] CloseHandle (hObject=0x114) returned 1 [0126.501] GetProcessHeap () returned 0x4c0000 [0126.501] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0126.501] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x835fd240, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835ff950, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x835ff950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="tr", cAlternateFileName="")) returned 1 [0126.501] lstrcmpiW (lpString1="tr", lpString2="Windows") returned -1 [0126.501] lstrcmpiW (lpString1="tr", lpString2="Program Files") returned 1 [0126.501] lstrcmpiW (lpString1="tr", lpString2="Program Files (x86)") returned 1 [0126.501] lstrcmpiW (lpString1="tr", lpString2="$Recycle.bin") returned 1 [0126.501] lstrcmpiW (lpString1="tr", lpString2="System Volume Information") returned 1 [0126.501] lstrcmpiW (lpString1="tr", lpString2=".") returned 1 [0126.501] lstrcmpiW (lpString1="tr", lpString2="..") returned 1 [0126.501] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr") returned 150 [0126.501] GetProcessHeap () returned 0x4c0000 [0126.501] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0126.502] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr" [0126.502] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\*" [0126.502] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x835fd240, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835ff950, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x835ff950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0126.502] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0126.502] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0126.502] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0126.502] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0126.502] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0126.502] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0126.502] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x835fd240, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x835ff950, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x835ff950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0126.502] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0126.502] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0126.502] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0126.502] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0126.502] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0126.502] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0126.502] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0126.502] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x835ff950, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83602060, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83997fe0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x404e, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0126.502] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0126.502] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0126.502] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0126.503] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0126.503] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0126.503] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0126.503] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0126.503] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\messages.json") returned 164 [0126.503] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0126.503] PathFindExtensionW (pszPath="messages.json") returned=".json" [0126.503] lstrlenW (lpString=".json") returned 5 [0126.503] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0126.503] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1c8 [0126.503] GetFileSizeEx (in: hFile=0x1c8, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=16462) returned 1 [0126.503] GetProcessHeap () returned 0x4c0000 [0126.503] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3cea1e8 [0126.532] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="04") returned 2 [0126.532] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="C7") returned 2 [0126.532] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="17") returned 2 [0126.532] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="35") returned 2 [0126.532] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="3E") returned 2 [0126.532] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="0A") returned 2 [0126.532] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="57") returned 2 [0126.532] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="D0") returned 2 [0126.532] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="26") returned 2 [0126.532] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="90") returned 2 [0126.532] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="0D") returned 2 [0126.532] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="B8") returned 2 [0126.532] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="1D") returned 2 [0126.532] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="E2") returned 2 [0126.532] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="C5") returned 2 [0126.532] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="10") returned 2 [0126.532] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="B4") returned 2 [0126.532] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="41") returned 2 [0126.532] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="17") returned 2 [0126.532] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="55") returned 2 [0126.532] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="85") returned 2 [0126.532] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="DF") returned 2 [0126.532] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="08") returned 2 [0126.532] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="F2") returned 2 [0126.533] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="D7") returned 2 [0126.533] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="29") returned 2 [0126.533] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="47") returned 2 [0126.533] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="6B") returned 2 [0126.533] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="86") returned 2 [0126.533] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="46") returned 2 [0126.533] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="9D") returned 2 [0126.533] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="07") returned 2 [0126.541] lstrcpyW (in: lpString1=0x3cfa21c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\messages.json" [0126.541] lstrcpyW (in: lpString1=0x3cea21c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\messages.json" [0126.541] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\messages.json", lpString2=".04C717353E0A57D026900DB81DE2C510B441175585DF08F2D729476B86469D07" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\messages.json.04C717353E0A57D026900DB81DE2C510B441175585DF08F2D729476B86469D07") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\messages.json.04C717353E0A57D026900DB81DE2C510B441175585DF08F2D729476B86469D07" [0126.541] CreateIoCompletionPort (FileHandle=0x1c8, ExistingCompletionPort=0x94, CompletionKey=0x3cea1e8, NumberOfConcurrentThreads=0x0) returned 0x94 [0126.541] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3cea1e8, lpOverlapped=0x3cea1e8) returned 1 [0126.557] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x835ff950, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83602060, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83997fe0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x404e, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0126.557] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0126.557] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\PUSSY.TXT") returned 160 [0126.557] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x114 [0126.558] lstrlenA (lpString="abcd") returned 4 [0126.558] WriteFile (in: hFile=0x114, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0126.559] CloseHandle (hObject=0x114) returned 1 [0126.559] GetProcessHeap () returned 0x4c0000 [0126.559] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0126.559] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8360bca0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8360e3b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8360e3b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="uk", cAlternateFileName="")) returned 1 [0126.559] lstrcmpiW (lpString1="uk", lpString2="Windows") returned -1 [0126.559] lstrcmpiW (lpString1="uk", lpString2="Program Files") returned 1 [0126.559] lstrcmpiW (lpString1="uk", lpString2="Program Files (x86)") returned 1 [0126.559] lstrcmpiW (lpString1="uk", lpString2="$Recycle.bin") returned 1 [0126.559] lstrcmpiW (lpString1="uk", lpString2="System Volume Information") returned 1 [0126.559] lstrcmpiW (lpString1="uk", lpString2=".") returned 1 [0126.559] lstrcmpiW (lpString1="uk", lpString2="..") returned 1 [0126.559] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk") returned 150 [0126.559] GetProcessHeap () returned 0x4c0000 [0126.559] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0126.559] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk" [0126.560] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\*" [0126.560] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8360bca0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8360e3b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8360e3b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0126.560] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0126.560] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0126.560] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0126.560] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0126.560] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0126.560] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0126.560] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8360bca0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8360e3b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8360e3b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0126.560] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0126.560] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0126.560] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0126.561] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0126.561] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0126.561] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0126.561] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0126.561] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8360e3b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83610ac0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83997fe0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x48f1, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0126.561] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0126.561] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0126.561] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0126.561] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0126.561] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0126.561] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0126.561] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0126.561] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\messages.json") returned 164 [0126.561] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0126.561] PathFindExtensionW (pszPath="messages.json") returned=".json" [0126.561] lstrlenW (lpString=".json") returned 5 [0126.561] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0126.561] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0126.562] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=18673) returned 1 [0126.562] GetProcessHeap () returned 0x4c0000 [0126.562] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3d12238 [0126.573] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="F4") returned 2 [0126.573] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="84") returned 2 [0126.573] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="3D") returned 2 [0126.573] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="13") returned 2 [0126.573] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="EF") returned 2 [0126.573] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="BA") returned 2 [0126.573] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="85") returned 2 [0126.573] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="8B") returned 2 [0126.573] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="A0") returned 2 [0126.573] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="F3") returned 2 [0126.573] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="38") returned 2 [0126.573] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="97") returned 2 [0126.573] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="D7") returned 2 [0126.573] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="CB") returned 2 [0126.573] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="C0") returned 2 [0126.573] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="AB") returned 2 [0126.573] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="9D") returned 2 [0126.573] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="67") returned 2 [0126.573] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="DF") returned 2 [0126.573] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="F0") returned 2 [0126.573] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="C6") returned 2 [0126.573] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="14") returned 2 [0126.573] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="60") returned 2 [0126.573] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="12") returned 2 [0126.573] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="47") returned 2 [0126.573] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="16") returned 2 [0126.574] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="2C") returned 2 [0126.574] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="D3") returned 2 [0126.574] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="A0") returned 2 [0126.574] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="60") returned 2 [0126.574] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="EF") returned 2 [0126.574] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="04") returned 2 [0126.582] lstrcpyW (in: lpString1=0x3d2226c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\messages.json" [0126.582] lstrcpyW (in: lpString1=0x3d1226c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\messages.json" [0126.582] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\messages.json", lpString2=".F4843D13EFBA858BA0F33897D7CBC0AB9D67DFF0C614601247162CD3A060EF04" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\messages.json.F4843D13EFBA858BA0F33897D7CBC0AB9D67DFF0C614601247162CD3A060EF04") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\messages.json.F4843D13EFBA858BA0F33897D7CBC0AB9D67DFF0C614601247162CD3A060EF04" [0126.582] CreateIoCompletionPort (FileHandle=0x1d8, ExistingCompletionPort=0x94, CompletionKey=0x3d12238, NumberOfConcurrentThreads=0x0) returned 0x94 [0126.582] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3d12238, lpOverlapped=0x3d12238) returned 1 [0126.582] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8360e3b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83610ac0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83997fe0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x48f1, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0126.582] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0126.582] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\PUSSY.TXT") returned 160 [0126.582] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x114 [0126.583] lstrlenA (lpString="abcd") returned 4 [0126.583] WriteFile (in: hFile=0x114, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0126.584] CloseHandle (hObject=0x114) returned 1 [0126.584] GetProcessHeap () returned 0x4c0000 [0126.584] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0126.584] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x836158e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83617ff0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83617ff0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="vi", cAlternateFileName="")) returned 1 [0126.584] lstrcmpiW (lpString1="vi", lpString2="Windows") returned -1 [0126.584] lstrcmpiW (lpString1="vi", lpString2="Program Files") returned 1 [0126.584] lstrcmpiW (lpString1="vi", lpString2="Program Files (x86)") returned 1 [0126.584] lstrcmpiW (lpString1="vi", lpString2="$Recycle.bin") returned 1 [0126.584] lstrcmpiW (lpString1="vi", lpString2="System Volume Information") returned 1 [0126.584] lstrcmpiW (lpString1="vi", lpString2=".") returned 1 [0126.584] lstrcmpiW (lpString1="vi", lpString2="..") returned 1 [0126.584] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi") returned 150 [0126.584] GetProcessHeap () returned 0x4c0000 [0126.584] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0126.584] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi" [0126.584] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\*" [0126.584] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x836158e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83617ff0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83617ff0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0126.585] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0126.585] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0126.585] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0126.585] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0126.585] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0126.585] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0126.585] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x836158e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83617ff0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83617ff0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0126.585] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0126.585] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0126.585] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0126.585] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0126.585] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0126.585] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0126.585] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0126.585] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x83617ff0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83617ff0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83997fe0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x426b, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0126.585] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0126.585] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0126.585] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0126.585] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0126.585] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0126.585] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0126.585] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0126.585] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\messages.json") returned 164 [0126.585] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0126.585] PathFindExtensionW (pszPath="messages.json") returned=".json" [0126.585] lstrlenW (lpString=".json") returned 5 [0126.585] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0126.586] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0126.586] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=17003) returned 1 [0126.586] GetProcessHeap () returned 0x4c0000 [0126.586] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3d3a288 [0126.596] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="0D") returned 2 [0126.596] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="F0") returned 2 [0126.596] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="3D") returned 2 [0126.596] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="3C") returned 2 [0126.596] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="63") returned 2 [0126.596] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="67") returned 2 [0126.596] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="73") returned 2 [0126.596] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="37") returned 2 [0126.596] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="E7") returned 2 [0126.596] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="0E") returned 2 [0126.596] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="EB") returned 2 [0126.596] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="44") returned 2 [0126.596] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="9F") returned 2 [0126.596] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="D3") returned 2 [0126.596] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="EB") returned 2 [0126.596] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="11") returned 2 [0126.596] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="2E") returned 2 [0126.596] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="6E") returned 2 [0126.596] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="F8") returned 2 [0126.596] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="7C") returned 2 [0126.596] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="3A") returned 2 [0126.596] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="EE") returned 2 [0126.596] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="48") returned 2 [0126.596] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="D4") returned 2 [0126.596] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="50") returned 2 [0126.596] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="E5") returned 2 [0126.596] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="0A") returned 2 [0126.596] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="00") returned 2 [0126.596] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="58") returned 2 [0126.597] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="90") returned 2 [0126.597] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="34") returned 2 [0126.597] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="05") returned 2 [0126.604] lstrcpyW (in: lpString1=0x3d4a2bc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\messages.json" [0126.604] lstrcpyW (in: lpString1=0x3d3a2bc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\messages.json" [0126.605] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\messages.json", lpString2=".0DF03D3C63677337E70EEB449FD3EB112E6EF87C3AEE48D450E50A0058903405" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\messages.json.0DF03D3C63677337E70EEB449FD3EB112E6EF87C3AEE48D450E50A0058903405") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\messages.json.0DF03D3C63677337E70EEB449FD3EB112E6EF87C3AEE48D450E50A0058903405" [0126.605] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x3d3a288, NumberOfConcurrentThreads=0x0) returned 0x94 [0126.605] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3d3a288, lpOverlapped=0x3d3a288) returned 1 [0126.605] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x83617ff0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x83617ff0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x83997fe0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x426b, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0126.605] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0126.605] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\PUSSY.TXT") returned 160 [0126.605] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x114 [0126.620] lstrlenA (lpString="abcd") returned 4 [0126.620] WriteFile (in: hFile=0x114, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0126.621] CloseHandle (hObject=0x114) returned 1 [0126.621] GetProcessHeap () returned 0x4c0000 [0126.621] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0126.621] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8361ce10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8361f520, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8361f520, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="zh", cAlternateFileName="")) returned 1 [0126.621] lstrcmpiW (lpString1="zh", lpString2="Windows") returned 1 [0126.621] lstrcmpiW (lpString1="zh", lpString2="Program Files") returned 1 [0126.621] lstrcmpiW (lpString1="zh", lpString2="Program Files (x86)") returned 1 [0126.621] lstrcmpiW (lpString1="zh", lpString2="$Recycle.bin") returned 1 [0126.621] lstrcmpiW (lpString1="zh", lpString2="System Volume Information") returned 1 [0126.621] lstrcmpiW (lpString1="zh", lpString2=".") returned 1 [0126.621] lstrcmpiW (lpString1="zh", lpString2="..") returned 1 [0126.621] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh") returned 150 [0126.621] GetProcessHeap () returned 0x4c0000 [0126.621] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0126.622] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh" [0126.622] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\*" [0126.622] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8361ce10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8361f520, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8361f520, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0126.622] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0126.622] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0126.622] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0126.622] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0126.622] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0126.622] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0126.622] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8361ce10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8361f520, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8361f520, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0126.622] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0126.622] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0126.622] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0126.622] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0126.622] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0126.622] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0126.622] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0126.622] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8361f520, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8361f520, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8399a6f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x3d11, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0126.622] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0126.622] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0126.623] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0126.623] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0126.623] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0126.623] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0126.623] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0126.623] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\messages.json") returned 164 [0126.623] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0126.623] PathFindExtensionW (pszPath="messages.json") returned=".json" [0126.623] lstrlenW (lpString=".json") returned 5 [0126.623] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0126.623] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1c0 [0126.624] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=15633) returned 1 [0126.624] GetProcessHeap () returned 0x4c0000 [0126.624] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3d622d8 [0126.633] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="D9") returned 2 [0126.633] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="08") returned 2 [0126.633] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="73") returned 2 [0126.633] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="D9") returned 2 [0126.633] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="32") returned 2 [0126.633] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="66") returned 2 [0126.634] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="31") returned 2 [0126.634] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="00") returned 2 [0126.634] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="34") returned 2 [0126.634] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="F4") returned 2 [0126.634] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="89") returned 2 [0126.634] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="1A") returned 2 [0126.634] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="2C") returned 2 [0126.634] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="A9") returned 2 [0126.634] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="92") returned 2 [0126.634] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="FA") returned 2 [0126.634] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="A0") returned 2 [0126.634] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="3A") returned 2 [0126.634] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="83") returned 2 [0126.634] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="09") returned 2 [0126.634] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="56") returned 2 [0126.634] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="5B") returned 2 [0126.634] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="1C") returned 2 [0126.634] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="F1") returned 2 [0126.634] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="0B") returned 2 [0126.634] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="D8") returned 2 [0126.634] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="2F") returned 2 [0126.634] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="3A") returned 2 [0126.634] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="F4") returned 2 [0126.634] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="C9") returned 2 [0126.634] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="41") returned 2 [0126.634] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="79") returned 2 [0126.642] lstrcpyW (in: lpString1=0x3d7230c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\messages.json" [0126.642] lstrcpyW (in: lpString1=0x3d6230c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\messages.json" [0126.642] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\messages.json", lpString2=".D90873D93266310034F4891A2CA992FAA03A8309565B1CF10BD82F3AF4C94179" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\messages.json.D90873D93266310034F4891A2CA992FAA03A8309565B1CF10BD82F3AF4C94179") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\messages.json.D90873D93266310034F4891A2CA992FAA03A8309565B1CF10BD82F3AF4C94179" [0126.643] CreateIoCompletionPort (FileHandle=0x1c0, ExistingCompletionPort=0x94, CompletionKey=0x3d622d8, NumberOfConcurrentThreads=0x0) returned 0x94 [0126.643] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3d622d8, lpOverlapped=0x3d622d8) returned 1 [0126.643] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8361f520, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8361f520, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8399a6f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x3d11, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0126.643] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0126.643] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\PUSSY.TXT") returned 160 [0126.643] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x114 [0126.644] lstrlenA (lpString="abcd") returned 4 [0126.644] WriteFile (in: hFile=0x114, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0126.645] CloseHandle (hObject=0x114) returned 1 [0126.645] GetProcessHeap () returned 0x4c0000 [0126.645] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0126.645] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x83624340, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8362b870, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8362b870, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="zh_TW", cAlternateFileName="")) returned 1 [0126.645] lstrcmpiW (lpString1="zh_TW", lpString2="Windows") returned 1 [0126.645] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files") returned 1 [0126.645] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files (x86)") returned 1 [0126.646] lstrcmpiW (lpString1="zh_TW", lpString2="$Recycle.bin") returned 1 [0126.646] lstrcmpiW (lpString1="zh_TW", lpString2="System Volume Information") returned 1 [0126.646] lstrcmpiW (lpString1="zh_TW", lpString2=".") returned 1 [0126.646] lstrcmpiW (lpString1="zh_TW", lpString2="..") returned 1 [0126.646] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW") returned 153 [0126.646] GetProcessHeap () returned 0x4c0000 [0126.646] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0126.646] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW" [0126.646] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\*" [0126.646] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\*", lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x83624340, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8362b870, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8362b870, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0126.646] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0126.646] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0126.646] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0126.646] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0126.646] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0126.646] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0126.646] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x83624340, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8362b870, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8362b870, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0126.646] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0126.646] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0126.646] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0126.647] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0126.647] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0126.647] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0126.647] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0126.647] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8362b870, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8362b870, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8399a6f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x3d72, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0126.647] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0126.647] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0126.647] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0126.647] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0126.647] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0126.647] lstrcmpiW (lpString1="messages.json", lpString2=".") returned 1 [0126.647] lstrcmpiW (lpString1="messages.json", lpString2="..") returned 1 [0126.647] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\messages.json") returned 167 [0126.647] lstrcmpW (lpString1="messages.json", lpString2="PUSSY.TXT") returned -1 [0126.647] PathFindExtensionW (pszPath="messages.json") returned=".json" [0126.647] lstrlenW (lpString=".json") returned 5 [0126.647] SystemFunction036 (in: RandomBuffer=0x288ea4, RandomBufferLength=0x20 | out: RandomBuffer=0x288ea4) returned 1 [0126.647] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_tw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0126.648] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x288e98 | out: lpFileSize=0x288e98*=15730) returned 1 [0126.648] GetProcessHeap () returned 0x4c0000 [0126.648] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3d8a328 [0126.709] wsprintfW (in: param_1=0x288ee6, param_2="%02X" | out: param_1="A4") returned 2 [0126.709] wsprintfW (in: param_1=0x288eea, param_2="%02X" | out: param_1="66") returned 2 [0126.710] wsprintfW (in: param_1=0x288eee, param_2="%02X" | out: param_1="AF") returned 2 [0126.710] wsprintfW (in: param_1=0x288ef2, param_2="%02X" | out: param_1="03") returned 2 [0126.710] wsprintfW (in: param_1=0x288ef6, param_2="%02X" | out: param_1="23") returned 2 [0126.710] wsprintfW (in: param_1=0x288efa, param_2="%02X" | out: param_1="5F") returned 2 [0126.710] wsprintfW (in: param_1=0x288efe, param_2="%02X" | out: param_1="3E") returned 2 [0126.710] wsprintfW (in: param_1=0x288f02, param_2="%02X" | out: param_1="11") returned 2 [0126.710] wsprintfW (in: param_1=0x288f06, param_2="%02X" | out: param_1="2F") returned 2 [0126.710] wsprintfW (in: param_1=0x288f0a, param_2="%02X" | out: param_1="24") returned 2 [0126.710] wsprintfW (in: param_1=0x288f0e, param_2="%02X" | out: param_1="F7") returned 2 [0126.710] wsprintfW (in: param_1=0x288f12, param_2="%02X" | out: param_1="14") returned 2 [0126.710] wsprintfW (in: param_1=0x288f16, param_2="%02X" | out: param_1="90") returned 2 [0126.710] wsprintfW (in: param_1=0x288f1a, param_2="%02X" | out: param_1="36") returned 2 [0126.710] wsprintfW (in: param_1=0x288f1e, param_2="%02X" | out: param_1="C3") returned 2 [0126.710] wsprintfW (in: param_1=0x288f22, param_2="%02X" | out: param_1="A3") returned 2 [0126.710] wsprintfW (in: param_1=0x288f26, param_2="%02X" | out: param_1="CE") returned 2 [0126.710] wsprintfW (in: param_1=0x288f2a, param_2="%02X" | out: param_1="AD") returned 2 [0126.710] wsprintfW (in: param_1=0x288f2e, param_2="%02X" | out: param_1="76") returned 2 [0126.710] wsprintfW (in: param_1=0x288f32, param_2="%02X" | out: param_1="4E") returned 2 [0126.710] wsprintfW (in: param_1=0x288f36, param_2="%02X" | out: param_1="4D") returned 2 [0126.710] wsprintfW (in: param_1=0x288f3a, param_2="%02X" | out: param_1="E2") returned 2 [0126.710] wsprintfW (in: param_1=0x288f3e, param_2="%02X" | out: param_1="D8") returned 2 [0126.710] wsprintfW (in: param_1=0x288f42, param_2="%02X" | out: param_1="D4") returned 2 [0126.710] wsprintfW (in: param_1=0x288f46, param_2="%02X" | out: param_1="A5") returned 2 [0126.710] wsprintfW (in: param_1=0x288f4a, param_2="%02X" | out: param_1="FE") returned 2 [0126.710] wsprintfW (in: param_1=0x288f4e, param_2="%02X" | out: param_1="33") returned 2 [0126.710] wsprintfW (in: param_1=0x288f52, param_2="%02X" | out: param_1="AB") returned 2 [0126.710] wsprintfW (in: param_1=0x288f56, param_2="%02X" | out: param_1="C0") returned 2 [0126.710] wsprintfW (in: param_1=0x288f5a, param_2="%02X" | out: param_1="D6") returned 2 [0126.711] wsprintfW (in: param_1=0x288f5e, param_2="%02X" | out: param_1="24") returned 2 [0126.711] wsprintfW (in: param_1=0x288f62, param_2="%02X" | out: param_1="10") returned 2 [0126.719] lstrcpyW (in: lpString1=0x3d9a35c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\messages.json" [0126.719] lstrcpyW (in: lpString1=0x3d8a35c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\messages.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\messages.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\messages.json" [0126.719] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\messages.json", lpString2=".A466AF03235F3E112F24F7149036C3A3CEAD764E4DE2D8D4A5FE33ABC0D62410" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\messages.json.A466AF03235F3E112F24F7149036C3A3CEAD764E4DE2D8D4A5FE33ABC0D62410") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\messages.json.A466AF03235F3E112F24F7149036C3A3CEAD764E4DE2D8D4A5FE33ABC0D62410" [0126.719] CreateIoCompletionPort (FileHandle=0x17c, ExistingCompletionPort=0x94, CompletionKey=0x3d8a328, NumberOfConcurrentThreads=0x0) returned 0x94 [0126.719] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3d8a328, lpOverlapped=0x3d8a328) returned 1 [0126.720] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x288fb8 | out: lpFindFileData=0x288fb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8362b870, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8362b870, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8399a6f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x3d72, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0126.720] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0126.720] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\PUSSY.TXT") returned 163 [0126.720] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_tw\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0126.816] lstrlenA (lpString="abcd") returned 4 [0126.816] WriteFile (in: hFile=0x1c0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28920c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28920c*=0x4, lpOverlapped=0x0) returned 1 [0126.817] CloseHandle (hObject=0x1c0) returned 1 [0126.817] GetProcessHeap () returned 0x4c0000 [0126.817] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0126.819] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x83624340, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8362b870, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8362b870, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="zh_TW", cAlternateFileName="")) returned 0 [0126.819] FindClose (in: hFindFile=0x3bb71e0 | out: hFindFile=0x3bb71e0) returned 1 [0126.819] wnsprintfW (in: pszDest=0x3dd91e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\PUSSY.TXT") returned 157 [0126.819] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0126.820] lstrlenA (lpString="abcd") returned 4 [0126.820] WriteFile (in: hFile=0x1b8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2899ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x2899ac*=0x4, lpOverlapped=0x0) returned 1 [0126.821] CloseHandle (hObject=0x1b8) returned 1 [0126.821] GetProcessHeap () returned 0x4c0000 [0126.821] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd91e8 | out: hHeap=0x4c0000) returned 1 [0126.821] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x836ddc00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x839fe880, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x839fe880, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="_metadata", cAlternateFileName="_METAD~1")) returned 1 [0126.821] lstrcmpiW (lpString1="_metadata", lpString2="Windows") returned -1 [0126.822] lstrcmpiW (lpString1="_metadata", lpString2="Program Files") returned -1 [0126.822] lstrcmpiW (lpString1="_metadata", lpString2="Program Files (x86)") returned -1 [0126.822] lstrcmpiW (lpString1="_metadata", lpString2="$Recycle.bin") returned 1 [0126.822] lstrcmpiW (lpString1="_metadata", lpString2="System Volume Information") returned -1 [0126.822] lstrcmpiW (lpString1="_metadata", lpString2=".") returned 1 [0126.822] lstrcmpiW (lpString1="_metadata", lpString2="..") returned 1 [0126.822] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata") returned 148 [0126.822] GetProcessHeap () returned 0x4c0000 [0126.822] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0126.822] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata" [0126.822] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\*" [0126.822] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\*", lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x836ddc00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x839fe880, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x839fe880, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb71e0 [0126.822] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0126.822] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0126.823] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0126.823] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0126.823] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0126.823] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0126.823] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x836ddc00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x839fe880, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x839fe880, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0126.823] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0126.823] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0126.823] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0126.823] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0126.823] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0126.823] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0126.823] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0126.823] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x839fe880, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x839fe880, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x839fe880, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x7299, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="computed_hashes.json", cAlternateFileName="COMPUT~1.JSO")) returned 1 [0126.823] lstrcmpiW (lpString1="computed_hashes.json", lpString2="Windows") returned -1 [0126.823] lstrcmpiW (lpString1="computed_hashes.json", lpString2="Program Files") returned -1 [0126.823] lstrcmpiW (lpString1="computed_hashes.json", lpString2="Program Files (x86)") returned -1 [0126.823] lstrcmpiW (lpString1="computed_hashes.json", lpString2="$Recycle.bin") returned 1 [0126.823] lstrcmpiW (lpString1="computed_hashes.json", lpString2="System Volume Information") returned -1 [0126.823] lstrcmpiW (lpString1="computed_hashes.json", lpString2=".") returned 1 [0126.823] lstrcmpiW (lpString1="computed_hashes.json", lpString2="..") returned 1 [0126.823] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\computed_hashes.json") returned 169 [0126.823] lstrcmpW (lpString1="computed_hashes.json", lpString2="PUSSY.TXT") returned -1 [0126.823] PathFindExtensionW (pszPath="computed_hashes.json") returned=".json" [0126.823] lstrlenW (lpString=".json") returned 5 [0126.823] SystemFunction036 (in: RandomBuffer=0x289644, RandomBufferLength=0x20 | out: RandomBuffer=0x289644) returned 1 [0126.823] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\computed_hashes.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\computed_hashes.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1c0 [0126.824] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x289638 | out: lpFileSize=0x289638*=29337) returned 1 [0126.824] GetProcessHeap () returned 0x4c0000 [0126.824] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3d622d8 [0126.834] wsprintfW (in: param_1=0x289686, param_2="%02X" | out: param_1="86") returned 2 [0126.834] wsprintfW (in: param_1=0x28968a, param_2="%02X" | out: param_1="3E") returned 2 [0126.834] wsprintfW (in: param_1=0x28968e, param_2="%02X" | out: param_1="77") returned 2 [0126.834] wsprintfW (in: param_1=0x289692, param_2="%02X" | out: param_1="3C") returned 2 [0126.834] wsprintfW (in: param_1=0x289696, param_2="%02X" | out: param_1="89") returned 2 [0126.834] wsprintfW (in: param_1=0x28969a, param_2="%02X" | out: param_1="E5") returned 2 [0126.834] wsprintfW (in: param_1=0x28969e, param_2="%02X" | out: param_1="DF") returned 2 [0126.834] wsprintfW (in: param_1=0x2896a2, param_2="%02X" | out: param_1="78") returned 2 [0126.834] wsprintfW (in: param_1=0x2896a6, param_2="%02X" | out: param_1="AC") returned 2 [0126.834] wsprintfW (in: param_1=0x2896aa, param_2="%02X" | out: param_1="80") returned 2 [0126.834] wsprintfW (in: param_1=0x2896ae, param_2="%02X" | out: param_1="E0") returned 2 [0126.834] wsprintfW (in: param_1=0x2896b2, param_2="%02X" | out: param_1="BB") returned 2 [0126.834] wsprintfW (in: param_1=0x2896b6, param_2="%02X" | out: param_1="05") returned 2 [0126.834] wsprintfW (in: param_1=0x2896ba, param_2="%02X" | out: param_1="D4") returned 2 [0126.834] wsprintfW (in: param_1=0x2896be, param_2="%02X" | out: param_1="7C") returned 2 [0126.834] wsprintfW (in: param_1=0x2896c2, param_2="%02X" | out: param_1="14") returned 2 [0126.834] wsprintfW (in: param_1=0x2896c6, param_2="%02X" | out: param_1="62") returned 2 [0126.834] wsprintfW (in: param_1=0x2896ca, param_2="%02X" | out: param_1="B9") returned 2 [0126.834] wsprintfW (in: param_1=0x2896ce, param_2="%02X" | out: param_1="44") returned 2 [0126.835] wsprintfW (in: param_1=0x2896d2, param_2="%02X" | out: param_1="B0") returned 2 [0126.835] wsprintfW (in: param_1=0x2896d6, param_2="%02X" | out: param_1="E5") returned 2 [0126.835] wsprintfW (in: param_1=0x2896da, param_2="%02X" | out: param_1="3C") returned 2 [0126.835] wsprintfW (in: param_1=0x2896de, param_2="%02X" | out: param_1="BD") returned 2 [0126.835] wsprintfW (in: param_1=0x2896e2, param_2="%02X" | out: param_1="3A") returned 2 [0126.835] wsprintfW (in: param_1=0x2896e6, param_2="%02X" | out: param_1="52") returned 2 [0126.835] wsprintfW (in: param_1=0x2896ea, param_2="%02X" | out: param_1="F3") returned 2 [0126.835] wsprintfW (in: param_1=0x2896ee, param_2="%02X" | out: param_1="EF") returned 2 [0126.835] wsprintfW (in: param_1=0x2896f2, param_2="%02X" | out: param_1="F9") returned 2 [0126.835] wsprintfW (in: param_1=0x2896f6, param_2="%02X" | out: param_1="23") returned 2 [0126.835] wsprintfW (in: param_1=0x2896fa, param_2="%02X" | out: param_1="45") returned 2 [0126.835] wsprintfW (in: param_1=0x2896fe, param_2="%02X" | out: param_1="1C") returned 2 [0126.835] wsprintfW (in: param_1=0x289702, param_2="%02X" | out: param_1="03") returned 2 [0126.844] lstrcpyW (in: lpString1=0x3d7230c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\computed_hashes.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\computed_hashes.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\computed_hashes.json" [0126.844] lstrcpyW (in: lpString1=0x3d6230c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\computed_hashes.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\computed_hashes.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\computed_hashes.json" [0126.844] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\computed_hashes.json", lpString2=".863E773C89E5DF78AC80E0BB05D47C1462B944B0E53CBD3A52F3EFF923451C03" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\computed_hashes.json.863E773C89E5DF78AC80E0BB05D47C1462B944B0E53CBD3A52F3EFF923451C03") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\computed_hashes.json.863E773C89E5DF78AC80E0BB05D47C1462B944B0E53CBD3A52F3EFF923451C03" [0126.844] CreateIoCompletionPort (FileHandle=0x1c0, ExistingCompletionPort=0x94, CompletionKey=0x3d622d8, NumberOfConcurrentThreads=0x0) returned 0x94 [0126.844] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3d622d8, lpOverlapped=0x3d622d8) returned 1 [0126.844] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x836e0310, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x836e0310, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x1caf9500, ftLastWriteTime.dwHighDateTime=0x1d2c87a, nFileSizeHigh=0x0, nFileSizeLow=0x3e39, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="verified_contents.json", cAlternateFileName="VERIFI~1.JSO")) returned 1 [0126.844] lstrcmpiW (lpString1="verified_contents.json", lpString2="Windows") returned -1 [0126.844] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files") returned 1 [0126.844] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files (x86)") returned 1 [0126.844] lstrcmpiW (lpString1="verified_contents.json", lpString2="$Recycle.bin") returned 1 [0126.844] lstrcmpiW (lpString1="verified_contents.json", lpString2="System Volume Information") returned 1 [0126.845] lstrcmpiW (lpString1="verified_contents.json", lpString2=".") returned 1 [0126.845] lstrcmpiW (lpString1="verified_contents.json", lpString2="..") returned 1 [0126.845] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\verified_contents.json") returned 171 [0126.845] lstrcmpW (lpString1="verified_contents.json", lpString2="PUSSY.TXT") returned 1 [0126.845] PathFindExtensionW (pszPath="verified_contents.json") returned=".json" [0126.845] lstrlenW (lpString=".json") returned 5 [0126.845] SystemFunction036 (in: RandomBuffer=0x289644, RandomBufferLength=0x20 | out: RandomBuffer=0x289644) returned 1 [0126.845] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\verified_contents.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0126.846] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x289638 | out: lpFileSize=0x289638*=15929) returned 1 [0126.846] GetProcessHeap () returned 0x4c0000 [0126.846] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x564b40 [0126.855] wsprintfW (in: param_1=0x289686, param_2="%02X" | out: param_1="5E") returned 2 [0126.855] wsprintfW (in: param_1=0x28968a, param_2="%02X" | out: param_1="94") returned 2 [0126.855] wsprintfW (in: param_1=0x28968e, param_2="%02X" | out: param_1="C3") returned 2 [0126.855] wsprintfW (in: param_1=0x289692, param_2="%02X" | out: param_1="C0") returned 2 [0126.855] wsprintfW (in: param_1=0x289696, param_2="%02X" | out: param_1="84") returned 2 [0126.855] wsprintfW (in: param_1=0x28969a, param_2="%02X" | out: param_1="EF") returned 2 [0126.855] wsprintfW (in: param_1=0x28969e, param_2="%02X" | out: param_1="63") returned 2 [0126.856] wsprintfW (in: param_1=0x2896a2, param_2="%02X" | out: param_1="2C") returned 2 [0126.856] wsprintfW (in: param_1=0x2896a6, param_2="%02X" | out: param_1="53") returned 2 [0126.856] wsprintfW (in: param_1=0x2896aa, param_2="%02X" | out: param_1="4E") returned 2 [0126.856] wsprintfW (in: param_1=0x2896ae, param_2="%02X" | out: param_1="6C") returned 2 [0126.856] wsprintfW (in: param_1=0x2896b2, param_2="%02X" | out: param_1="92") returned 2 [0126.856] wsprintfW (in: param_1=0x2896b6, param_2="%02X" | out: param_1="C5") returned 2 [0126.856] wsprintfW (in: param_1=0x2896ba, param_2="%02X" | out: param_1="78") returned 2 [0126.856] wsprintfW (in: param_1=0x2896be, param_2="%02X" | out: param_1="25") returned 2 [0126.856] wsprintfW (in: param_1=0x2896c2, param_2="%02X" | out: param_1="CF") returned 2 [0126.856] wsprintfW (in: param_1=0x2896c6, param_2="%02X" | out: param_1="A7") returned 2 [0126.856] wsprintfW (in: param_1=0x2896ca, param_2="%02X" | out: param_1="8F") returned 2 [0126.856] wsprintfW (in: param_1=0x2896ce, param_2="%02X" | out: param_1="FC") returned 2 [0126.856] wsprintfW (in: param_1=0x2896d2, param_2="%02X" | out: param_1="AA") returned 2 [0126.856] wsprintfW (in: param_1=0x2896d6, param_2="%02X" | out: param_1="16") returned 2 [0126.856] wsprintfW (in: param_1=0x2896da, param_2="%02X" | out: param_1="66") returned 2 [0126.856] wsprintfW (in: param_1=0x2896de, param_2="%02X" | out: param_1="C4") returned 2 [0126.856] wsprintfW (in: param_1=0x2896e2, param_2="%02X" | out: param_1="A1") returned 2 [0126.856] wsprintfW (in: param_1=0x2896e6, param_2="%02X" | out: param_1="B7") returned 2 [0126.856] wsprintfW (in: param_1=0x2896ea, param_2="%02X" | out: param_1="07") returned 2 [0126.856] wsprintfW (in: param_1=0x2896ee, param_2="%02X" | out: param_1="23") returned 2 [0126.856] wsprintfW (in: param_1=0x2896f2, param_2="%02X" | out: param_1="1F") returned 2 [0126.856] wsprintfW (in: param_1=0x2896f6, param_2="%02X" | out: param_1="66") returned 2 [0126.856] wsprintfW (in: param_1=0x2896fa, param_2="%02X" | out: param_1="F3") returned 2 [0126.856] wsprintfW (in: param_1=0x2896fe, param_2="%02X" | out: param_1="B3") returned 2 [0126.856] wsprintfW (in: param_1=0x289702, param_2="%02X" | out: param_1="30") returned 2 [0126.866] lstrcpyW (in: lpString1=0x574b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\verified_contents.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\verified_contents.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\verified_contents.json" [0126.866] lstrcpyW (in: lpString1=0x564b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\verified_contents.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\verified_contents.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\verified_contents.json" [0126.866] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\verified_contents.json", lpString2=".5E94C3C084EF632C534E6C92C57825CFA78FFCAA1666C4A1B707231F66F3B330" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\verified_contents.json.5E94C3C084EF632C534E6C92C57825CFA78FFCAA1666C4A1B707231F66F3B330") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\verified_contents.json.5E94C3C084EF632C534E6C92C57825CFA78FFCAA1666C4A1B707231F66F3B330" [0126.866] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x94, CompletionKey=0x564b40, NumberOfConcurrentThreads=0x0) returned 0x94 [0126.866] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x564b40, lpOverlapped=0x564b40) returned 1 [0126.866] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x836e0310, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x836e0310, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x1caf9500, ftLastWriteTime.dwHighDateTime=0x1d2c87a, nFileSizeHigh=0x0, nFileSizeLow=0x3e39, dwReserved0=0x289790, dwReserved1=0x77c61b06, cFileName="verified_contents.json", cAlternateFileName="VERIFI~1.JSO")) returned 0 [0126.866] FindClose (in: hFindFile=0x3bb71e0 | out: hFindFile=0x3bb71e0) returned 1 [0126.866] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\PUSSY.TXT") returned 158 [0126.866] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0127.015] lstrlenA (lpString="abcd") returned 4 [0127.015] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2899ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x2899ac*=0x4, lpOverlapped=0x0) returned 1 [0127.016] CloseHandle (hObject=0x17c) returned 1 [0127.016] GetProcessHeap () returned 0x4c0000 [0127.016] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0127.018] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x836ddc00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x839fe880, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x839fe880, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfe000000, cFileName="_metadata", cAlternateFileName="_METAD~1")) returned 0 [0127.018] FindClose (in: hFindFile=0x3bb71a0 | out: hFindFile=0x3bb71a0) returned 1 [0127.018] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\PUSSY.TXT") returned 148 [0127.019] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0127.019] lstrlenA (lpString="abcd") returned 4 [0127.019] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a14c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a14c*=0x4, lpOverlapped=0x0) returned 1 [0127.021] CloseHandle (hObject=0x18c) returned 1 [0127.021] GetProcessHeap () returned 0x4c0000 [0127.021] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0127.021] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x833dcb50, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x836e0310, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x836e0310, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="5817.313.0.5_0", cAlternateFileName="581731~1.5_0")) returned 0 [0127.021] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0127.021] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\PUSSY.TXT") returned 133 [0127.022] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0127.022] lstrlenA (lpString="abcd") returned 4 [0127.022] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a8ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a8ec*=0x4, lpOverlapped=0x0) returned 1 [0127.024] CloseHandle (hObject=0x184) returned 1 [0127.024] GetProcessHeap () returned 0x4c0000 [0127.024] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bd80e8 | out: hHeap=0x4c0000) returned 1 [0127.026] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8399f510, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x839a6a40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x839a6a40, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="pkedcjkdefgpdelpbcmbmeomcjbeemfm", cAlternateFileName="PKEDCJ~1")) returned 0 [0127.026] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0127.026] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\PUSSY.TXT") returned 100 [0127.026] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0127.027] lstrlenA (lpString="abcd") returned 4 [0127.027] WriteFile (in: hFile=0x194, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0127.028] CloseHandle (hObject=0x194) returned 1 [0127.028] GetProcessHeap () returned 0x4c0000 [0127.028] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0127.029] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80cce2c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x80cce2c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x80db2b00, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="Favicons", cAlternateFileName="")) returned 1 [0127.029] lstrcmpiW (lpString1="Favicons", lpString2="Windows") returned -1 [0127.029] lstrcmpiW (lpString1="Favicons", lpString2="Program Files") returned -1 [0127.029] lstrcmpiW (lpString1="Favicons", lpString2="Program Files (x86)") returned -1 [0127.029] lstrcmpiW (lpString1="Favicons", lpString2="$Recycle.bin") returned 1 [0127.029] lstrcmpiW (lpString1="Favicons", lpString2="System Volume Information") returned -1 [0127.029] lstrcmpiW (lpString1="Favicons", lpString2=".") returned 1 [0127.029] lstrcmpiW (lpString1="Favicons", lpString2="..") returned 1 [0127.029] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons") returned 88 [0127.029] lstrcmpW (lpString1="Favicons", lpString2="PUSSY.TXT") returned -1 [0127.029] PathFindExtensionW (pszPath="Favicons") returned="" [0127.029] lstrlenW (lpString="") returned 0 [0127.029] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0127.029] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\favicons"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0127.030] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=20480) returned 1 [0127.030] GetProcessHeap () returned 0x4c0000 [0127.030] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc80e0 [0127.043] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="2A") returned 2 [0127.043] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="59") returned 2 [0127.043] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="66") returned 2 [0127.043] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="C2") returned 2 [0127.044] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="C9") returned 2 [0127.044] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="CA") returned 2 [0127.044] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="E8") returned 2 [0127.044] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="95") returned 2 [0127.044] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="8E") returned 2 [0127.044] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="93") returned 2 [0127.044] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="35") returned 2 [0127.044] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="37") returned 2 [0127.044] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="DC") returned 2 [0127.044] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="E6") returned 2 [0127.044] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="1E") returned 2 [0127.044] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="02") returned 2 [0127.044] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="D3") returned 2 [0127.044] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="20") returned 2 [0127.044] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="48") returned 2 [0127.044] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="60") returned 2 [0127.044] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="FD") returned 2 [0127.044] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="DD") returned 2 [0127.044] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="94") returned 2 [0127.045] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="DD") returned 2 [0127.045] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="D9") returned 2 [0127.045] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="71") returned 2 [0127.045] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="A2") returned 2 [0127.045] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="2D") returned 2 [0127.045] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="EE") returned 2 [0127.045] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="C7") returned 2 [0127.045] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="3D") returned 2 [0127.045] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="37") returned 2 [0127.057] lstrcpyW (in: lpString1=0x3bd8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons" [0127.058] lstrcpyW (in: lpString1=0x3bc8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons" [0127.058] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons", lpString2=".2A5966C2C9CAE8958E933537DCE61E02D3204860FDDD94DDD971A22DEEC73D37" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons.2A5966C2C9CAE8958E933537DCE61E02D3204860FDDD94DDD971A22DEEC73D37") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons.2A5966C2C9CAE8958E933537DCE61E02D3204860FDDD94DDD971A22DEEC73D37" [0127.058] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0x94, CompletionKey=0x3bc80e0, NumberOfConcurrentThreads=0x0) returned 0x94 [0127.058] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc80e0, lpOverlapped=0x3bc80e0) returned 1 [0127.058] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80cce2c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x80cce2c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x80e97340, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="Favicons-journal", cAlternateFileName="FAVICO~1")) returned 1 [0127.058] lstrcmpiW (lpString1="Favicons-journal", lpString2="Windows") returned -1 [0127.058] lstrcmpiW (lpString1="Favicons-journal", lpString2="Program Files") returned -1 [0127.058] lstrcmpiW (lpString1="Favicons-journal", lpString2="Program Files (x86)") returned -1 [0127.058] lstrcmpiW (lpString1="Favicons-journal", lpString2="$Recycle.bin") returned 1 [0127.058] lstrcmpiW (lpString1="Favicons-journal", lpString2="System Volume Information") returned -1 [0127.058] lstrcmpiW (lpString1="Favicons-journal", lpString2=".") returned 1 [0127.058] lstrcmpiW (lpString1="Favicons-journal", lpString2="..") returned 1 [0127.058] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons-journal") returned 96 [0127.058] lstrcmpW (lpString1="Favicons-journal", lpString2="PUSSY.TXT") returned -1 [0127.058] PathFindExtensionW (pszPath="Favicons-journal") returned="" [0127.058] lstrlenW (lpString="") returned 0 [0127.058] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0127.059] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\favicons-journal"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0127.059] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=0) returned 1 [0127.060] CloseHandle (hObject=0x184) returned 1 [0127.060] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x81c321d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x81c321d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x81c58330, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x2b2e9, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="Google Profile.ico", cAlternateFileName="GOOGLE~1.ICO")) returned 1 [0127.060] lstrcmpiW (lpString1="Google Profile.ico", lpString2="Windows") returned -1 [0127.060] lstrcmpiW (lpString1="Google Profile.ico", lpString2="Program Files") returned -1 [0127.060] lstrcmpiW (lpString1="Google Profile.ico", lpString2="Program Files (x86)") returned -1 [0127.060] lstrcmpiW (lpString1="Google Profile.ico", lpString2="$Recycle.bin") returned 1 [0127.060] lstrcmpiW (lpString1="Google Profile.ico", lpString2="System Volume Information") returned -1 [0127.060] lstrcmpiW (lpString1="Google Profile.ico", lpString2=".") returned 1 [0127.060] lstrcmpiW (lpString1="Google Profile.ico", lpString2="..") returned 1 [0127.060] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Google Profile.ico") returned 98 [0127.061] lstrcmpW (lpString1="Google Profile.ico", lpString2="PUSSY.TXT") returned -1 [0127.062] PathFindExtensionW (pszPath="Google Profile.ico") returned=".ico" [0127.062] lstrlenW (lpString=".ico") returned 4 [0127.062] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0127.062] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Google Profile.ico" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\google profile.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0127.063] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=176873) returned 1 [0127.063] GetProcessHeap () returned 0x4c0000 [0127.063] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0127.077] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="8C") returned 2 [0127.077] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="88") returned 2 [0127.077] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="28") returned 2 [0127.077] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="D1") returned 2 [0127.077] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="01") returned 2 [0127.077] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="72") returned 2 [0127.077] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="3A") returned 2 [0127.078] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="F8") returned 2 [0127.078] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="C1") returned 2 [0127.078] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="CD") returned 2 [0127.078] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="BC") returned 2 [0127.078] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="05") returned 2 [0127.078] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="99") returned 2 [0127.078] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="26") returned 2 [0127.078] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="59") returned 2 [0127.078] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="F8") returned 2 [0127.078] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="F2") returned 2 [0127.078] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="47") returned 2 [0127.078] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="79") returned 2 [0127.078] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="17") returned 2 [0127.078] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="1A") returned 2 [0127.078] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="CF") returned 2 [0127.078] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="8F") returned 2 [0127.078] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="66") returned 2 [0127.078] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="BB") returned 2 [0127.078] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="9B") returned 2 [0127.078] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="1E") returned 2 [0127.079] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="AC") returned 2 [0127.079] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="99") returned 2 [0127.079] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="0D") returned 2 [0127.079] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="61") returned 2 [0127.079] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="73") returned 2 [0127.091] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Google Profile.ico" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Google Profile.ico") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Google Profile.ico" [0127.091] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Google Profile.ico" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Google Profile.ico") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Google Profile.ico" [0127.091] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Google Profile.ico", lpString2=".8C8828D101723AF8C1CDBC05992659F8F24779171ACF8F66BB9B1EAC990D6173" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Google Profile.ico.8C8828D101723AF8C1CDBC05992659F8F24779171ACF8F66BB9B1EAC990D6173") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Google Profile.ico.8C8828D101723AF8C1CDBC05992659F8F24779171ACF8F66BB9B1EAC990D6173" [0127.092] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0127.092] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0127.093] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x802fc800, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x802fc800, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x87f47590, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x19000, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="History", cAlternateFileName="")) returned 1 [0127.094] lstrcmpiW (lpString1="History", lpString2="Windows") returned -1 [0127.094] lstrcmpiW (lpString1="History", lpString2="Program Files") returned -1 [0127.094] lstrcmpiW (lpString1="History", lpString2="Program Files (x86)") returned -1 [0127.094] lstrcmpiW (lpString1="History", lpString2="$Recycle.bin") returned 1 [0127.094] lstrcmpiW (lpString1="History", lpString2="System Volume Information") returned -1 [0127.094] lstrcmpiW (lpString1="History", lpString2=".") returned 1 [0127.094] lstrcmpiW (lpString1="History", lpString2="..") returned 1 [0127.094] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History") returned 87 [0127.094] lstrcmpW (lpString1="History", lpString2="PUSSY.TXT") returned -1 [0127.094] PathFindExtensionW (pszPath="History") returned="" [0127.094] lstrlenW (lpString="") returned 0 [0127.094] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0127.094] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\history"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0127.096] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=102400) returned 1 [0127.096] GetProcessHeap () returned 0x4c0000 [0127.096] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3d8a328 [0127.110] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="3E") returned 2 [0127.110] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="82") returned 2 [0127.110] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="8F") returned 2 [0127.111] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="8A") returned 2 [0127.111] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="7C") returned 2 [0127.111] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="E1") returned 2 [0127.111] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="34") returned 2 [0127.111] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="06") returned 2 [0127.111] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="21") returned 2 [0127.111] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="02") returned 2 [0127.111] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="96") returned 2 [0127.111] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="CD") returned 2 [0127.111] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="5D") returned 2 [0127.111] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="23") returned 2 [0127.111] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="BB") returned 2 [0127.111] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="15") returned 2 [0127.111] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="0C") returned 2 [0127.111] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="9C") returned 2 [0127.111] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="BC") returned 2 [0127.111] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="DC") returned 2 [0127.111] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="91") returned 2 [0127.111] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="97") returned 2 [0127.111] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="A1") returned 2 [0127.112] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="99") returned 2 [0127.112] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="40") returned 2 [0127.112] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="3A") returned 2 [0127.112] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="17") returned 2 [0127.112] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="87") returned 2 [0127.112] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="C6") returned 2 [0127.112] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="1B") returned 2 [0127.112] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="DF") returned 2 [0127.112] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="7F") returned 2 [0127.125] lstrcpyW (in: lpString1=0x3d9a35c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History" [0127.125] lstrcpyW (in: lpString1=0x3d8a35c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History" [0127.125] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History", lpString2=".3E828F8A7CE13406210296CD5D23BB150C9CBCDC9197A199403A1787C61BDF7F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History.3E828F8A7CE13406210296CD5D23BB150C9CBCDC9197A199403A1787C61BDF7F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History.3E828F8A7CE13406210296CD5D23BB150C9CBCDC9197A199403A1787C61BDF7F" [0127.125] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x3d8a328, NumberOfConcurrentThreads=0x0) returned 0x94 [0127.125] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3d8a328, lpOverlapped=0x3d8a328) returned 1 [0127.125] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x824d3190, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x824d3190, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x9c3b6860, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x142f, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="History Provider Cache", cAlternateFileName="HISTOR~2")) returned 1 [0127.125] lstrcmpiW (lpString1="History Provider Cache", lpString2="Windows") returned -1 [0127.125] lstrcmpiW (lpString1="History Provider Cache", lpString2="Program Files") returned -1 [0127.125] lstrcmpiW (lpString1="History Provider Cache", lpString2="Program Files (x86)") returned -1 [0127.125] lstrcmpiW (lpString1="History Provider Cache", lpString2="$Recycle.bin") returned 1 [0127.125] lstrcmpiW (lpString1="History Provider Cache", lpString2="System Volume Information") returned -1 [0127.125] lstrcmpiW (lpString1="History Provider Cache", lpString2=".") returned 1 [0127.125] lstrcmpiW (lpString1="History Provider Cache", lpString2="..") returned 1 [0127.126] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History Provider Cache") returned 102 [0127.126] lstrcmpW (lpString1="History Provider Cache", lpString2="PUSSY.TXT") returned -1 [0127.126] PathFindExtensionW (pszPath="History Provider Cache") returned="" [0127.126] lstrlenW (lpString="") returned 0 [0127.126] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0127.126] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History Provider Cache" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\history provider cache"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0127.127] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=5167) returned 1 [0127.127] GetProcessHeap () returned 0x4c0000 [0127.127] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c20058 [0127.142] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="D7") returned 2 [0127.142] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="F4") returned 2 [0127.142] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="DB") returned 2 [0127.142] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="FE") returned 2 [0127.142] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="74") returned 2 [0127.142] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="A9") returned 2 [0127.142] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="1B") returned 2 [0127.142] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="4E") returned 2 [0127.142] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="9B") returned 2 [0127.142] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="AB") returned 2 [0127.142] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="74") returned 2 [0127.142] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="90") returned 2 [0127.142] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="F1") returned 2 [0127.142] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="7E") returned 2 [0127.142] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="36") returned 2 [0127.142] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="51") returned 2 [0127.142] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="4C") returned 2 [0127.142] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="61") returned 2 [0127.143] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="DB") returned 2 [0127.143] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="EA") returned 2 [0127.143] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="07") returned 2 [0127.143] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="30") returned 2 [0127.143] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="82") returned 2 [0127.143] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="F5") returned 2 [0127.143] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="9A") returned 2 [0127.143] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="D4") returned 2 [0127.143] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="6B") returned 2 [0127.143] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="CE") returned 2 [0127.143] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="97") returned 2 [0127.143] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="42") returned 2 [0127.143] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="1B") returned 2 [0127.143] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="65") returned 2 [0127.161] lstrcpyW (in: lpString1=0x3c3008c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History Provider Cache" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History Provider Cache") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History Provider Cache" [0127.161] lstrcpyW (in: lpString1=0x3c2008c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History Provider Cache" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History Provider Cache") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History Provider Cache" [0127.161] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History Provider Cache", lpString2=".D7F4DBFE74A91B4E9BAB7490F17E36514C61DBEA073082F59AD46BCE97421B65" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History Provider Cache.D7F4DBFE74A91B4E9BAB7490F17E36514C61DBEA073082F59AD46BCE97421B65") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History Provider Cache.D7F4DBFE74A91B4E9BAB7490F17E36514C61DBEA073082F59AD46BCE97421B65" [0127.161] CreateIoCompletionPort (FileHandle=0x17c, ExistingCompletionPort=0x94, CompletionKey=0x3c20058, NumberOfConcurrentThreads=0x0) returned 0x94 [0127.161] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c20058, lpOverlapped=0x3c20058) returned 1 [0127.163] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x802fc800, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x802fc800, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x87f6d6f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="History-journal", cAlternateFileName="HISTOR~1")) returned 1 [0127.163] lstrcmpiW (lpString1="History-journal", lpString2="Windows") returned -1 [0127.163] lstrcmpiW (lpString1="History-journal", lpString2="Program Files") returned -1 [0127.163] lstrcmpiW (lpString1="History-journal", lpString2="Program Files (x86)") returned -1 [0127.163] lstrcmpiW (lpString1="History-journal", lpString2="$Recycle.bin") returned 1 [0127.163] lstrcmpiW (lpString1="History-journal", lpString2="System Volume Information") returned -1 [0127.163] lstrcmpiW (lpString1="History-journal", lpString2=".") returned 1 [0127.163] lstrcmpiW (lpString1="History-journal", lpString2="..") returned 1 [0127.163] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History-journal") returned 95 [0127.163] lstrcmpW (lpString1="History-journal", lpString2="PUSSY.TXT") returned -1 [0127.163] PathFindExtensionW (pszPath="History-journal") returned="" [0127.163] lstrlenW (lpString="") returned 0 [0127.163] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0127.163] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\history-journal"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0127.164] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=0) returned 1 [0127.164] CloseHandle (hObject=0x1d0) returned 1 [0127.164] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x96ec4eb0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x96ec4eb0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x96ec4eb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="JumpListIcons", cAlternateFileName="JUMPLI~2")) returned 1 [0127.164] lstrcmpiW (lpString1="JumpListIcons", lpString2="Windows") returned -1 [0127.164] lstrcmpiW (lpString1="JumpListIcons", lpString2="Program Files") returned -1 [0127.164] lstrcmpiW (lpString1="JumpListIcons", lpString2="Program Files (x86)") returned -1 [0127.165] lstrcmpiW (lpString1="JumpListIcons", lpString2="$Recycle.bin") returned 1 [0127.165] lstrcmpiW (lpString1="JumpListIcons", lpString2="System Volume Information") returned -1 [0127.165] lstrcmpiW (lpString1="JumpListIcons", lpString2=".") returned 1 [0127.165] lstrcmpiW (lpString1="JumpListIcons", lpString2="..") returned 1 [0127.165] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons") returned 93 [0127.165] GetProcessHeap () returned 0x4c0000 [0127.165] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0127.166] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons" [0127.166] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons\\*" [0127.166] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x96ec4eb0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x96ec4eb0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x96ec4eb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0127.166] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0127.166] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0127.166] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0127.166] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0127.166] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0127.166] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0127.167] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x96ec4eb0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x96ec4eb0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x96ec4eb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0127.167] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0127.167] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0127.167] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0127.167] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0127.167] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0127.167] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0127.167] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0127.167] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x96ec4eb0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x96ec4eb0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x96ec4eb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="A058.tmp", cAlternateFileName="")) returned 1 [0127.167] lstrcmpiW (lpString1="A058.tmp", lpString2="Windows") returned -1 [0127.167] lstrcmpiW (lpString1="A058.tmp", lpString2="Program Files") returned -1 [0127.167] lstrcmpiW (lpString1="A058.tmp", lpString2="Program Files (x86)") returned -1 [0127.167] lstrcmpiW (lpString1="A058.tmp", lpString2="$Recycle.bin") returned 1 [0127.167] lstrcmpiW (lpString1="A058.tmp", lpString2="System Volume Information") returned -1 [0127.167] lstrcmpiW (lpString1="A058.tmp", lpString2=".") returned 1 [0127.167] lstrcmpiW (lpString1="A058.tmp", lpString2="..") returned 1 [0127.167] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons\\A058.tmp") returned 102 [0127.167] lstrcmpW (lpString1="A058.tmp", lpString2="PUSSY.TXT") returned -1 [0127.168] PathFindExtensionW (pszPath="A058.tmp") returned=".tmp" [0127.168] lstrlenW (lpString=".tmp") returned 4 [0127.168] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0127.168] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons\\A058.tmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\jumplisticons\\a058.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0127.168] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=0) returned 1 [0127.168] CloseHandle (hObject=0x1d8) returned 1 [0127.169] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x96ec4eb0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x96ec4eb0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x96ec4eb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="A059.tmp", cAlternateFileName="")) returned 1 [0127.174] lstrcmpiW (lpString1="A059.tmp", lpString2="Windows") returned -1 [0127.174] lstrcmpiW (lpString1="A059.tmp", lpString2="Program Files") returned -1 [0127.174] lstrcmpiW (lpString1="A059.tmp", lpString2="Program Files (x86)") returned -1 [0127.174] lstrcmpiW (lpString1="A059.tmp", lpString2="$Recycle.bin") returned 1 [0127.174] lstrcmpiW (lpString1="A059.tmp", lpString2="System Volume Information") returned -1 [0127.174] lstrcmpiW (lpString1="A059.tmp", lpString2=".") returned 1 [0127.174] lstrcmpiW (lpString1="A059.tmp", lpString2="..") returned 1 [0127.174] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons\\A059.tmp") returned 102 [0127.174] lstrcmpW (lpString1="A059.tmp", lpString2="PUSSY.TXT") returned -1 [0127.174] PathFindExtensionW (pszPath="A059.tmp") returned=".tmp" [0127.174] lstrlenW (lpString=".tmp") returned 4 [0127.174] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0127.174] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons\\A059.tmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\jumplisticons\\a059.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1c0 [0127.175] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=0) returned 1 [0127.175] CloseHandle (hObject=0x1c0) returned 1 [0127.175] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x96ec4eb0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x96ec4eb0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x96ec4eb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="A059.tmp", cAlternateFileName="")) returned 0 [0127.175] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0127.175] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons\\PUSSY.TXT") returned 103 [0127.175] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\jumplisticons\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0127.176] lstrlenA (lpString="abcd") returned 4 [0127.176] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0127.177] CloseHandle (hObject=0x1d0) returned 1 [0127.177] GetProcessHeap () returned 0x4c0000 [0127.178] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0127.182] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85096390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85096390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85096390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="JumpListIconsOld", cAlternateFileName="JUMPLI~1")) returned 1 [0127.182] lstrcmpiW (lpString1="JumpListIconsOld", lpString2="Windows") returned -1 [0127.183] lstrcmpiW (lpString1="JumpListIconsOld", lpString2="Program Files") returned -1 [0127.183] lstrcmpiW (lpString1="JumpListIconsOld", lpString2="Program Files (x86)") returned -1 [0127.183] lstrcmpiW (lpString1="JumpListIconsOld", lpString2="$Recycle.bin") returned 1 [0127.183] lstrcmpiW (lpString1="JumpListIconsOld", lpString2="System Volume Information") returned -1 [0127.183] lstrcmpiW (lpString1="JumpListIconsOld", lpString2=".") returned 1 [0127.183] lstrcmpiW (lpString1="JumpListIconsOld", lpString2="..") returned 1 [0127.183] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIconsOld") returned 96 [0127.183] GetProcessHeap () returned 0x4c0000 [0127.183] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0127.184] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIconsOld" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIconsOld") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIconsOld" [0127.184] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIconsOld", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIconsOld\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIconsOld\\*" [0127.184] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIconsOld\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85096390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85096390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85096390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0127.269] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0127.269] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0127.269] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0127.269] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0127.269] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0127.269] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0127.269] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85096390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85096390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85096390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0127.269] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0127.269] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0127.269] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0127.269] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0127.269] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0127.269] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0127.269] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0127.269] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85096390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85096390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85096390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="2B03.tmp", cAlternateFileName="")) returned 1 [0127.269] lstrcmpiW (lpString1="2B03.tmp", lpString2="Windows") returned -1 [0127.269] lstrcmpiW (lpString1="2B03.tmp", lpString2="Program Files") returned -1 [0127.269] lstrcmpiW (lpString1="2B03.tmp", lpString2="Program Files (x86)") returned -1 [0127.270] lstrcmpiW (lpString1="2B03.tmp", lpString2="$Recycle.bin") returned 1 [0127.270] lstrcmpiW (lpString1="2B03.tmp", lpString2="System Volume Information") returned -1 [0127.270] lstrcmpiW (lpString1="2B03.tmp", lpString2=".") returned 1 [0127.270] lstrcmpiW (lpString1="2B03.tmp", lpString2="..") returned 1 [0127.270] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIconsOld\\2B03.tmp") returned 105 [0127.270] lstrcmpW (lpString1="2B03.tmp", lpString2="PUSSY.TXT") returned -1 [0127.270] PathFindExtensionW (pszPath="2B03.tmp") returned=".tmp" [0127.270] lstrlenW (lpString=".tmp") returned 4 [0127.270] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0127.270] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIconsOld\\2B03.tmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\jumplisticonsold\\2b03.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1c0 [0127.272] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=0) returned 1 [0127.272] CloseHandle (hObject=0x1c0) returned 1 [0127.272] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85096390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85096390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85096390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="2B04.tmp", cAlternateFileName="")) returned 1 [0127.272] lstrcmpiW (lpString1="2B04.tmp", lpString2="Windows") returned -1 [0127.272] lstrcmpiW (lpString1="2B04.tmp", lpString2="Program Files") returned -1 [0127.272] lstrcmpiW (lpString1="2B04.tmp", lpString2="Program Files (x86)") returned -1 [0127.272] lstrcmpiW (lpString1="2B04.tmp", lpString2="$Recycle.bin") returned 1 [0127.272] lstrcmpiW (lpString1="2B04.tmp", lpString2="System Volume Information") returned -1 [0127.272] lstrcmpiW (lpString1="2B04.tmp", lpString2=".") returned 1 [0127.272] lstrcmpiW (lpString1="2B04.tmp", lpString2="..") returned 1 [0127.272] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIconsOld\\2B04.tmp") returned 105 [0127.272] lstrcmpW (lpString1="2B04.tmp", lpString2="PUSSY.TXT") returned -1 [0127.272] PathFindExtensionW (pszPath="2B04.tmp") returned=".tmp" [0127.272] lstrlenW (lpString=".tmp") returned 4 [0127.272] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0127.273] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIconsOld\\2B04.tmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\jumplisticonsold\\2b04.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1c0 [0127.273] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=0) returned 1 [0127.273] CloseHandle (hObject=0x1c0) returned 1 [0127.273] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85096390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85096390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85096390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="2B04.tmp", cAlternateFileName="")) returned 0 [0127.273] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0127.273] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIconsOld\\PUSSY.TXT") returned 106 [0127.273] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIconsOld\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\jumplisticonsold\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0127.274] lstrlenA (lpString="abcd") returned 4 [0127.274] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0127.275] CloseHandle (hObject=0x1d0) returned 1 [0127.275] GetProcessHeap () returned 0x4c0000 [0127.275] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0127.275] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8642cdf0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8642cdf0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8642cdf0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="Local Extension Settings", cAlternateFileName="LOCALE~1")) returned 1 [0127.275] lstrcmpiW (lpString1="Local Extension Settings", lpString2="Windows") returned -1 [0127.275] lstrcmpiW (lpString1="Local Extension Settings", lpString2="Program Files") returned -1 [0127.275] lstrcmpiW (lpString1="Local Extension Settings", lpString2="Program Files (x86)") returned -1 [0127.275] lstrcmpiW (lpString1="Local Extension Settings", lpString2="$Recycle.bin") returned 1 [0127.275] lstrcmpiW (lpString1="Local Extension Settings", lpString2="System Volume Information") returned -1 [0127.275] lstrcmpiW (lpString1="Local Extension Settings", lpString2=".") returned 1 [0127.275] lstrcmpiW (lpString1="Local Extension Settings", lpString2="..") returned 1 [0127.275] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings") returned 104 [0127.275] GetProcessHeap () returned 0x4c0000 [0127.275] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0127.275] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings" [0127.275] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\*" [0127.275] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8642cdf0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8642cdf0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8642cdf0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0127.276] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0127.276] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0127.276] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0127.276] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0127.276] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0127.276] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0127.276] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8642cdf0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8642cdf0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8642cdf0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0127.276] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0127.276] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0127.276] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0127.276] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0127.276] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0127.276] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0127.276] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0127.276] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8642cdf0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86513570, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86513570, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="ghbmnnjooekpmoecnnnilnnbdlolhkhi", cAlternateFileName="GHBMNN~1")) returned 1 [0127.276] lstrcmpiW (lpString1="ghbmnnjooekpmoecnnnilnnbdlolhkhi", lpString2="Windows") returned -1 [0127.276] lstrcmpiW (lpString1="ghbmnnjooekpmoecnnnilnnbdlolhkhi", lpString2="Program Files") returned -1 [0127.276] lstrcmpiW (lpString1="ghbmnnjooekpmoecnnnilnnbdlolhkhi", lpString2="Program Files (x86)") returned -1 [0127.276] lstrcmpiW (lpString1="ghbmnnjooekpmoecnnnilnnbdlolhkhi", lpString2="$Recycle.bin") returned 1 [0127.276] lstrcmpiW (lpString1="ghbmnnjooekpmoecnnnilnnbdlolhkhi", lpString2="System Volume Information") returned -1 [0127.277] lstrcmpiW (lpString1="ghbmnnjooekpmoecnnnilnnbdlolhkhi", lpString2=".") returned 1 [0127.277] lstrcmpiW (lpString1="ghbmnnjooekpmoecnnnilnnbdlolhkhi", lpString2="..") returned 1 [0127.277] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi") returned 137 [0127.277] GetProcessHeap () returned 0x4c0000 [0127.277] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c480a8 [0127.277] lstrcpyW (in: lpString1=0x3c480a8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi" [0127.278] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\*" [0127.278] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\*", lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8642cdf0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86513570, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86513570, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0127.279] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0127.279] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0127.279] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0127.279] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0127.279] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0127.279] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0127.279] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8642cdf0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86513570, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86513570, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0127.280] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0127.280] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0127.280] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0127.280] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0127.280] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0127.280] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0127.280] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0127.280] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86513570, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86513570, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86513570, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="000003.log", cAlternateFileName="")) returned 1 [0127.280] lstrcmpiW (lpString1="000003.log", lpString2="Windows") returned -1 [0127.280] lstrcmpiW (lpString1="000003.log", lpString2="Program Files") returned -1 [0127.280] lstrcmpiW (lpString1="000003.log", lpString2="Program Files (x86)") returned -1 [0127.280] lstrcmpiW (lpString1="000003.log", lpString2="$Recycle.bin") returned 1 [0127.280] lstrcmpiW (lpString1="000003.log", lpString2="System Volume Information") returned -1 [0127.280] lstrcmpiW (lpString1="000003.log", lpString2=".") returned 1 [0127.280] lstrcmpiW (lpString1="000003.log", lpString2="..") returned 1 [0127.280] wnsprintfW (in: pszDest=0x3c480a8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\000003.log") returned 148 [0127.280] lstrcmpW (lpString1="000003.log", lpString2="PUSSY.TXT") returned -1 [0127.280] PathFindExtensionW (pszPath="000003.log") returned=".log" [0127.280] lstrlenW (lpString=".log") returned 4 [0127.280] SystemFunction036 (in: RandomBuffer=0x28a584, RandomBufferLength=0x20 | out: RandomBuffer=0x28a584) returned 1 [0127.280] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\000003.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local extension settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\000003.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0127.281] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x28a578 | out: lpFileSize=0x28a578*=0) returned 1 [0127.281] CloseHandle (hObject=0x1d8) returned 1 [0127.281] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8642cdf0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8642cdf0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8642cdf0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x10, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="CURRENT", cAlternateFileName="")) returned 1 [0127.281] lstrcmpiW (lpString1="CURRENT", lpString2="Windows") returned -1 [0127.281] lstrcmpiW (lpString1="CURRENT", lpString2="Program Files") returned -1 [0127.281] lstrcmpiW (lpString1="CURRENT", lpString2="Program Files (x86)") returned -1 [0127.281] lstrcmpiW (lpString1="CURRENT", lpString2="$Recycle.bin") returned 1 [0127.281] lstrcmpiW (lpString1="CURRENT", lpString2="System Volume Information") returned -1 [0127.281] lstrcmpiW (lpString1="CURRENT", lpString2=".") returned 1 [0127.281] lstrcmpiW (lpString1="CURRENT", lpString2="..") returned 1 [0127.281] wnsprintfW (in: pszDest=0x3c480a8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\CURRENT") returned 145 [0127.281] lstrcmpW (lpString1="CURRENT", lpString2="PUSSY.TXT") returned -1 [0127.282] PathFindExtensionW (pszPath="CURRENT") returned="" [0127.282] lstrlenW (lpString="") returned 0 [0127.282] SystemFunction036 (in: RandomBuffer=0x28a584, RandomBufferLength=0x20 | out: RandomBuffer=0x28a584) returned 1 [0127.282] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\CURRENT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local extension settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\current"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0127.282] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x28a578 | out: lpFileSize=0x28a578*=16) returned 1 [0127.282] CloseHandle (hObject=0x1d8) returned 1 [0127.282] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8642cdf0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8642cdf0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8642cdf0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="LOCK", cAlternateFileName="")) returned 1 [0127.282] lstrcmpiW (lpString1="LOCK", lpString2="Windows") returned -1 [0127.282] lstrcmpiW (lpString1="LOCK", lpString2="Program Files") returned -1 [0127.282] lstrcmpiW (lpString1="LOCK", lpString2="Program Files (x86)") returned -1 [0127.282] lstrcmpiW (lpString1="LOCK", lpString2="$Recycle.bin") returned 1 [0127.282] lstrcmpiW (lpString1="LOCK", lpString2="System Volume Information") returned -1 [0127.283] lstrcmpiW (lpString1="LOCK", lpString2=".") returned 1 [0127.283] lstrcmpiW (lpString1="LOCK", lpString2="..") returned 1 [0127.283] wnsprintfW (in: pszDest=0x3c480a8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\LOCK") returned 142 [0127.283] lstrcmpW (lpString1="LOCK", lpString2="PUSSY.TXT") returned -1 [0127.283] PathFindExtensionW (pszPath="LOCK") returned="" [0127.283] lstrlenW (lpString="") returned 0 [0127.283] SystemFunction036 (in: RandomBuffer=0x28a584, RandomBufferLength=0x20 | out: RandomBuffer=0x28a584) returned 1 [0127.283] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\LOCK" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local extension settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0127.283] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x28a578 | out: lpFileSize=0x28a578*=0) returned 1 [0127.283] CloseHandle (hObject=0x1d8) returned 1 [0127.283] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8642cdf0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8642cdf0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x97256fb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xc4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="LOG", cAlternateFileName="")) returned 1 [0127.283] lstrcmpiW (lpString1="LOG", lpString2="Windows") returned -1 [0127.283] lstrcmpiW (lpString1="LOG", lpString2="Program Files") returned -1 [0127.283] lstrcmpiW (lpString1="LOG", lpString2="Program Files (x86)") returned -1 [0127.284] lstrcmpiW (lpString1="LOG", lpString2="$Recycle.bin") returned 1 [0127.284] lstrcmpiW (lpString1="LOG", lpString2="System Volume Information") returned -1 [0127.284] lstrcmpiW (lpString1="LOG", lpString2=".") returned 1 [0127.284] lstrcmpiW (lpString1="LOG", lpString2="..") returned 1 [0127.284] wnsprintfW (in: pszDest=0x3c480a8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\LOG") returned 141 [0127.284] lstrcmpW (lpString1="LOG", lpString2="PUSSY.TXT") returned -1 [0127.284] PathFindExtensionW (pszPath="LOG") returned="" [0127.284] lstrlenW (lpString="") returned 0 [0127.284] SystemFunction036 (in: RandomBuffer=0x28a584, RandomBufferLength=0x20 | out: RandomBuffer=0x28a584) returned 1 [0127.284] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\LOG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local extension settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0127.284] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x28a578 | out: lpFileSize=0x28a578*=196) returned 1 [0127.284] CloseHandle (hObject=0x1d8) returned 1 [0127.284] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8642cdf0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8642cdf0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8642cdf0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x29, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MANIFEST-000001", cAlternateFileName="MANIFE~1")) returned 1 [0127.285] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="Windows") returned -1 [0127.285] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="Program Files") returned -1 [0127.285] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="Program Files (x86)") returned -1 [0127.285] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="$Recycle.bin") returned 1 [0127.285] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="System Volume Information") returned -1 [0127.285] lstrcmpiW (lpString1="MANIFEST-000001", lpString2=".") returned 1 [0127.285] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="..") returned 1 [0127.285] wnsprintfW (in: pszDest=0x3c480a8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\MANIFEST-000001") returned 153 [0127.285] lstrcmpW (lpString1="MANIFEST-000001", lpString2="PUSSY.TXT") returned -1 [0127.285] PathFindExtensionW (pszPath="MANIFEST-000001") returned="" [0127.285] lstrlenW (lpString="") returned 0 [0127.285] SystemFunction036 (in: RandomBuffer=0x28a584, RandomBufferLength=0x20 | out: RandomBuffer=0x28a584) returned 1 [0127.285] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\MANIFEST-000001" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local extension settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\manifest-000001"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0127.285] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x28a578 | out: lpFileSize=0x28a578*=41) returned 1 [0127.285] CloseHandle (hObject=0x1d8) returned 1 [0127.286] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8642cdf0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8642cdf0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8642cdf0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x29, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MANIFEST-000001", cAlternateFileName="MANIFE~1")) returned 0 [0127.286] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0127.286] wnsprintfW (in: pszDest=0x3c480a8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\PUSSY.TXT") returned 147 [0127.286] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local extension settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0127.286] lstrlenA (lpString="abcd") returned 4 [0127.286] WriteFile (in: hFile=0x1c0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a8ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a8ec*=0x4, lpOverlapped=0x0) returned 1 [0127.287] CloseHandle (hObject=0x1c0) returned 1 [0127.287] GetProcessHeap () returned 0x4c0000 [0127.288] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c480a8 | out: hHeap=0x4c0000) returned 1 [0127.288] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8642cdf0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86513570, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86513570, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="ghbmnnjooekpmoecnnnilnnbdlolhkhi", cAlternateFileName="GHBMNN~1")) returned 0 [0127.288] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0127.288] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\PUSSY.TXT") returned 114 [0127.288] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local extension settings\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0127.288] lstrlenA (lpString="abcd") returned 4 [0127.288] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0127.289] CloseHandle (hObject=0x1d0) returned 1 [0127.289] GetProcessHeap () returned 0x4c0000 [0127.290] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0127.290] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x83ede170, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x90191d70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x90191d70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="Local Storage", cAlternateFileName="LOCALS~1")) returned 1 [0127.290] lstrcmpiW (lpString1="Local Storage", lpString2="Windows") returned -1 [0127.290] lstrcmpiW (lpString1="Local Storage", lpString2="Program Files") returned -1 [0127.290] lstrcmpiW (lpString1="Local Storage", lpString2="Program Files (x86)") returned -1 [0127.290] lstrcmpiW (lpString1="Local Storage", lpString2="$Recycle.bin") returned 1 [0127.290] lstrcmpiW (lpString1="Local Storage", lpString2="System Volume Information") returned -1 [0127.290] lstrcmpiW (lpString1="Local Storage", lpString2=".") returned 1 [0127.290] lstrcmpiW (lpString1="Local Storage", lpString2="..") returned 1 [0127.290] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage") returned 93 [0127.290] GetProcessHeap () returned 0x4c0000 [0127.290] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0127.290] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage" [0127.290] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\*" [0127.290] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x83ede170, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x90191d70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x90191d70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0127.355] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0127.355] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0127.355] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0127.355] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0127.355] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0127.355] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0127.355] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x83ede170, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x90191d70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x90191d70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0127.355] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0127.355] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0127.355] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0127.355] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0127.355] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0127.355] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0127.355] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0127.355] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x90191d70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x90191d70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x9048b8f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage", cAlternateFileName="CHROME~1.LOC")) returned 1 [0127.355] lstrcmpiW (lpString1="chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage", lpString2="Windows") returned -1 [0127.355] lstrcmpiW (lpString1="chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage", lpString2="Program Files") returned -1 [0127.355] lstrcmpiW (lpString1="chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage", lpString2="Program Files (x86)") returned -1 [0127.355] lstrcmpiW (lpString1="chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage", lpString2="$Recycle.bin") returned 1 [0127.355] lstrcmpiW (lpString1="chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage", lpString2="System Volume Information") returned -1 [0127.355] lstrcmpiW (lpString1="chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage", lpString2=".") returned 1 [0127.355] lstrcmpiW (lpString1="chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage", lpString2="..") returned 1 [0127.355] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage") returned 158 [0127.355] lstrcmpW (lpString1="chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage", lpString2="PUSSY.TXT") returned -1 [0127.355] PathFindExtensionW (pszPath="chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage") returned=".localstorage" [0127.356] lstrlenW (lpString=".localstorage") returned 13 [0127.356] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0127.356] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1c0 [0127.356] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=12288) returned 1 [0127.357] GetProcessHeap () returned 0x4c0000 [0127.357] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c480a8 [0127.365] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="F6") returned 2 [0127.365] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="B3") returned 2 [0127.365] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="DB") returned 2 [0127.365] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="19") returned 2 [0127.365] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="A4") returned 2 [0127.365] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="D2") returned 2 [0127.365] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="35") returned 2 [0127.365] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="5B") returned 2 [0127.365] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="21") returned 2 [0127.365] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="02") returned 2 [0127.365] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="A9") returned 2 [0127.365] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="77") returned 2 [0127.365] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="BB") returned 2 [0127.365] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="7B") returned 2 [0127.365] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="5D") returned 2 [0127.365] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="06") returned 2 [0127.365] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="A9") returned 2 [0127.365] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="ED") returned 2 [0127.365] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="9D") returned 2 [0127.366] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="82") returned 2 [0127.366] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="8A") returned 2 [0127.366] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="B7") returned 2 [0127.366] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="0E") returned 2 [0127.366] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="DD") returned 2 [0127.366] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="C7") returned 2 [0127.366] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="8C") returned 2 [0127.366] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="83") returned 2 [0127.366] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="C9") returned 2 [0127.366] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="38") returned 2 [0127.366] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="1A") returned 2 [0127.366] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="E9") returned 2 [0127.366] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="22") returned 2 [0127.374] lstrcpyW (in: lpString1=0x3c580dc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage" [0127.374] lstrcpyW (in: lpString1=0x3c480dc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage" [0127.374] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage", lpString2=".F6B3DB19A4D2355B2102A977BB7B5D06A9ED9D828AB70EDDC78C83C9381AE922" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage.F6B3DB19A4D2355B2102A977BB7B5D06A9ED9D828AB70EDDC78C83C9381AE922") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage.F6B3DB19A4D2355B2102A977BB7B5D06A9ED9D828AB70EDDC78C83C9381AE922" [0127.374] CreateIoCompletionPort (FileHandle=0x1c0, ExistingCompletionPort=0x94, CompletionKey=0x3c480a8, NumberOfConcurrentThreads=0x0) returned 0x94 [0127.374] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c480a8, lpOverlapped=0x3c480a8) returned 1 [0127.374] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x90191d70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x90191d70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x904b1a50, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal", cAlternateFileName="CHROME~2.LOC")) returned 1 [0127.374] lstrcmpiW (lpString1="chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal", lpString2="Windows") returned -1 [0127.374] lstrcmpiW (lpString1="chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal", lpString2="Program Files") returned -1 [0127.374] lstrcmpiW (lpString1="chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal", lpString2="Program Files (x86)") returned -1 [0127.374] lstrcmpiW (lpString1="chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal", lpString2="$Recycle.bin") returned 1 [0127.375] lstrcmpiW (lpString1="chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal", lpString2="System Volume Information") returned -1 [0127.375] lstrcmpiW (lpString1="chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal", lpString2=".") returned 1 [0127.375] lstrcmpiW (lpString1="chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal", lpString2="..") returned 1 [0127.375] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal") returned 166 [0127.375] lstrcmpW (lpString1="chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal", lpString2="PUSSY.TXT") returned -1 [0127.375] PathFindExtensionW (pszPath="chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal") returned=".localstorage-journal" [0127.375] lstrlenW (lpString=".localstorage-journal") returned 21 [0127.375] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0127.375] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0127.376] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=0) returned 1 [0127.376] CloseHandle (hObject=0x1d8) returned 1 [0127.376] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x90191d70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x90191d70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x904b1a50, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal", cAlternateFileName="CHROME~2.LOC")) returned 0 [0127.376] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0127.376] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\PUSSY.TXT") returned 103 [0127.376] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local storage\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0127.436] lstrlenA (lpString="abcd") returned 4 [0127.436] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0127.437] CloseHandle (hObject=0x1d0) returned 1 [0127.437] GetProcessHeap () returned 0x4c0000 [0127.437] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0127.437] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80fc7e40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x80fc7e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8124f5a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x4800, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="Login Data", cAlternateFileName="LOGIND~1")) returned 1 [0127.437] lstrcmpiW (lpString1="Login Data", lpString2="Windows") returned -1 [0127.437] lstrcmpiW (lpString1="Login Data", lpString2="Program Files") returned -1 [0127.437] lstrcmpiW (lpString1="Login Data", lpString2="Program Files (x86)") returned -1 [0127.437] lstrcmpiW (lpString1="Login Data", lpString2="$Recycle.bin") returned 1 [0127.437] lstrcmpiW (lpString1="Login Data", lpString2="System Volume Information") returned -1 [0127.437] lstrcmpiW (lpString1="Login Data", lpString2=".") returned 1 [0127.437] lstrcmpiW (lpString1="Login Data", lpString2="..") returned 1 [0127.437] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data") returned 90 [0127.437] lstrcmpW (lpString1="Login Data", lpString2="PUSSY.TXT") returned -1 [0127.437] PathFindExtensionW (pszPath="Login Data") returned="" [0127.437] lstrlenW (lpString="") returned 0 [0127.437] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0127.437] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\login data"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0127.440] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=18432) returned 1 [0127.440] GetProcessHeap () returned 0x4c0000 [0127.440] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x564b40 [0127.453] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="AC") returned 2 [0127.453] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="0D") returned 2 [0127.453] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="3F") returned 2 [0127.453] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="68") returned 2 [0127.453] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="29") returned 2 [0127.453] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="A0") returned 2 [0127.453] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="C4") returned 2 [0127.453] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="D8") returned 2 [0127.453] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="BD") returned 2 [0127.453] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="BF") returned 2 [0127.453] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="19") returned 2 [0127.453] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="48") returned 2 [0127.453] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="D9") returned 2 [0127.453] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="2B") returned 2 [0127.453] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="B0") returned 2 [0127.453] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="E6") returned 2 [0127.453] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="76") returned 2 [0127.453] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="D5") returned 2 [0127.454] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="B8") returned 2 [0127.454] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="A6") returned 2 [0127.454] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="D8") returned 2 [0127.454] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="D7") returned 2 [0127.454] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="10") returned 2 [0127.454] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="20") returned 2 [0127.454] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="BD") returned 2 [0127.454] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="8A") returned 2 [0127.454] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="F5") returned 2 [0127.454] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="71") returned 2 [0127.454] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="14") returned 2 [0127.454] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="B3") returned 2 [0127.454] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="6A") returned 2 [0127.454] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="41") returned 2 [0127.466] lstrcpyW (in: lpString1=0x574b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data" [0127.466] lstrcpyW (in: lpString1=0x564b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data" [0127.466] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data", lpString2=".AC0D3F6829A0C4D8BDBF1948D92BB0E676D5B8A6D8D71020BD8AF57114B36A41" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data.AC0D3F6829A0C4D8BDBF1948D92BB0E676D5B8A6D8D71020BD8AF57114B36A41") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data.AC0D3F6829A0C4D8BDBF1948D92BB0E676D5B8A6D8D71020BD8AF57114B36A41" [0127.466] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x94, CompletionKey=0x564b40, NumberOfConcurrentThreads=0x0) returned 0x94 [0127.466] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x564b40, lpOverlapped=0x564b40) returned 1 [0127.466] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80fc7e40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x80fc7e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8129b860, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="Login Data-journal", cAlternateFileName="LOGIND~2")) returned 1 [0127.466] lstrcmpiW (lpString1="Login Data-journal", lpString2="Windows") returned -1 [0127.466] lstrcmpiW (lpString1="Login Data-journal", lpString2="Program Files") returned -1 [0127.466] lstrcmpiW (lpString1="Login Data-journal", lpString2="Program Files (x86)") returned -1 [0127.466] lstrcmpiW (lpString1="Login Data-journal", lpString2="$Recycle.bin") returned 1 [0127.466] lstrcmpiW (lpString1="Login Data-journal", lpString2="System Volume Information") returned -1 [0127.466] lstrcmpiW (lpString1="Login Data-journal", lpString2=".") returned 1 [0127.466] lstrcmpiW (lpString1="Login Data-journal", lpString2="..") returned 1 [0127.466] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data-journal") returned 98 [0127.466] lstrcmpW (lpString1="Login Data-journal", lpString2="PUSSY.TXT") returned -1 [0127.466] PathFindExtensionW (pszPath="Login Data-journal") returned="" [0127.466] lstrlenW (lpString="") returned 0 [0127.466] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0127.466] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\login data-journal"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0127.467] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=0) returned 1 [0127.468] CloseHandle (hObject=0x1d8) returned 1 [0127.468] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82330270, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82330270, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x825f0410, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="Network Action Predictor", cAlternateFileName="NETWOR~1")) returned 1 [0127.468] lstrcmpiW (lpString1="Network Action Predictor", lpString2="Windows") returned -1 [0127.468] lstrcmpiW (lpString1="Network Action Predictor", lpString2="Program Files") returned -1 [0127.468] lstrcmpiW (lpString1="Network Action Predictor", lpString2="Program Files (x86)") returned -1 [0127.468] lstrcmpiW (lpString1="Network Action Predictor", lpString2="$Recycle.bin") returned 1 [0127.468] lstrcmpiW (lpString1="Network Action Predictor", lpString2="System Volume Information") returned -1 [0127.468] lstrcmpiW (lpString1="Network Action Predictor", lpString2=".") returned 1 [0127.468] lstrcmpiW (lpString1="Network Action Predictor", lpString2="..") returned 1 [0127.468] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Action Predictor") returned 104 [0127.468] lstrcmpW (lpString1="Network Action Predictor", lpString2="PUSSY.TXT") returned -1 [0127.468] PathFindExtensionW (pszPath="Network Action Predictor") returned="" [0127.468] lstrlenW (lpString="") returned 0 [0127.468] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0127.468] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Action Predictor" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\network action predictor"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0127.469] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=15360) returned 1 [0127.469] GetProcessHeap () returned 0x4c0000 [0127.469] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b380a0 [0127.481] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="1F") returned 2 [0127.486] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="C3") returned 2 [0127.486] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="68") returned 2 [0127.486] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="4A") returned 2 [0127.486] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="77") returned 2 [0127.486] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="BD") returned 2 [0127.486] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="C7") returned 2 [0127.486] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="AB") returned 2 [0127.486] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="9C") returned 2 [0127.486] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="38") returned 2 [0127.486] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="DB") returned 2 [0127.486] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="D4") returned 2 [0127.486] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="45") returned 2 [0127.487] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="F7") returned 2 [0127.487] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="AF") returned 2 [0127.487] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="02") returned 2 [0127.487] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="A4") returned 2 [0127.487] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="CC") returned 2 [0127.487] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="F5") returned 2 [0127.487] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="AD") returned 2 [0127.487] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="D2") returned 2 [0127.487] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="00") returned 2 [0127.487] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="2F") returned 2 [0127.487] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="3E") returned 2 [0127.487] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="6B") returned 2 [0127.487] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="08") returned 2 [0127.487] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="A1") returned 2 [0127.487] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="47") returned 2 [0127.487] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="7D") returned 2 [0127.487] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="7F") returned 2 [0127.487] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="DF") returned 2 [0127.487] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="2E") returned 2 [0127.496] lstrcpyW (in: lpString1=0x3b480d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Action Predictor" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Action Predictor") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Action Predictor" [0127.496] lstrcpyW (in: lpString1=0x3b380d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Action Predictor" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Action Predictor") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Action Predictor" [0127.496] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Action Predictor", lpString2=".1FC3684A77BDC7AB9C38DBD445F7AF02A4CCF5ADD2002F3E6B08A1477D7FDF2E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Action Predictor.1FC3684A77BDC7AB9C38DBD445F7AF02A4CCF5ADD2002F3E6B08A1477D7FDF2E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Action Predictor.1FC3684A77BDC7AB9C38DBD445F7AF02A4CCF5ADD2002F3E6B08A1477D7FDF2E" [0127.496] CreateIoCompletionPort (FileHandle=0x1d8, ExistingCompletionPort=0x94, CompletionKey=0x3b380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0127.496] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b380a0, lpOverlapped=0x3b380a0) returned 1 [0127.523] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82330270, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82330270, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8262ad90, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="Network Action Predictor-journal", cAlternateFileName="NETWOR~2")) returned 1 [0127.523] lstrcmpiW (lpString1="Network Action Predictor-journal", lpString2="Windows") returned -1 [0127.523] lstrcmpiW (lpString1="Network Action Predictor-journal", lpString2="Program Files") returned -1 [0127.523] lstrcmpiW (lpString1="Network Action Predictor-journal", lpString2="Program Files (x86)") returned -1 [0127.523] lstrcmpiW (lpString1="Network Action Predictor-journal", lpString2="$Recycle.bin") returned 1 [0127.523] lstrcmpiW (lpString1="Network Action Predictor-journal", lpString2="System Volume Information") returned -1 [0127.523] lstrcmpiW (lpString1="Network Action Predictor-journal", lpString2=".") returned 1 [0127.523] lstrcmpiW (lpString1="Network Action Predictor-journal", lpString2="..") returned 1 [0127.523] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Action Predictor-journal") returned 112 [0127.523] lstrcmpW (lpString1="Network Action Predictor-journal", lpString2="PUSSY.TXT") returned -1 [0127.523] PathFindExtensionW (pszPath="Network Action Predictor-journal") returned="" [0127.523] lstrlenW (lpString="") returned 0 [0127.523] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0127.523] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Action Predictor-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\network action predictor-journal"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0127.524] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=0) returned 1 [0127.524] CloseHandle (hObject=0x178) returned 1 [0127.524] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86263d70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86263d70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86263d70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x28, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="Network Persistent State", cAlternateFileName="NETWOR~3")) returned 1 [0127.524] lstrcmpiW (lpString1="Network Persistent State", lpString2="Windows") returned -1 [0127.524] lstrcmpiW (lpString1="Network Persistent State", lpString2="Program Files") returned -1 [0127.524] lstrcmpiW (lpString1="Network Persistent State", lpString2="Program Files (x86)") returned -1 [0127.524] lstrcmpiW (lpString1="Network Persistent State", lpString2="$Recycle.bin") returned 1 [0127.524] lstrcmpiW (lpString1="Network Persistent State", lpString2="System Volume Information") returned -1 [0127.524] lstrcmpiW (lpString1="Network Persistent State", lpString2=".") returned 1 [0127.524] lstrcmpiW (lpString1="Network Persistent State", lpString2="..") returned 1 [0127.524] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Persistent State") returned 104 [0127.524] lstrcmpW (lpString1="Network Persistent State", lpString2="PUSSY.TXT") returned -1 [0127.524] PathFindExtensionW (pszPath="Network Persistent State") returned="" [0127.524] lstrlenW (lpString="") returned 0 [0127.524] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0127.524] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Persistent State" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\network persistent state"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0127.525] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=40) returned 1 [0127.525] CloseHandle (hObject=0x178) returned 1 [0127.525] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x81d16a10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x81d16a10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x94034050, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x1400, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="Origin Bound Certs", cAlternateFileName="ORIGIN~1")) returned 1 [0127.525] lstrcmpiW (lpString1="Origin Bound Certs", lpString2="Windows") returned -1 [0127.525] lstrcmpiW (lpString1="Origin Bound Certs", lpString2="Program Files") returned -1 [0127.525] lstrcmpiW (lpString1="Origin Bound Certs", lpString2="Program Files (x86)") returned -1 [0127.525] lstrcmpiW (lpString1="Origin Bound Certs", lpString2="$Recycle.bin") returned 1 [0127.525] lstrcmpiW (lpString1="Origin Bound Certs", lpString2="System Volume Information") returned -1 [0127.525] lstrcmpiW (lpString1="Origin Bound Certs", lpString2=".") returned 1 [0127.525] lstrcmpiW (lpString1="Origin Bound Certs", lpString2="..") returned 1 [0127.525] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Origin Bound Certs") returned 98 [0127.525] lstrcmpW (lpString1="Origin Bound Certs", lpString2="PUSSY.TXT") returned -1 [0127.525] PathFindExtensionW (pszPath="Origin Bound Certs") returned="" [0127.525] lstrlenW (lpString="") returned 0 [0127.525] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0127.526] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Origin Bound Certs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\origin bound certs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0127.526] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=5120) returned 1 [0127.526] GetProcessHeap () returned 0x4c0000 [0127.526] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b600f0 [0127.535] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="EF") returned 2 [0127.535] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="35") returned 2 [0127.535] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="CE") returned 2 [0127.535] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="DD") returned 2 [0127.535] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="6F") returned 2 [0127.535] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="A0") returned 2 [0127.535] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="10") returned 2 [0127.535] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="0C") returned 2 [0127.535] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="27") returned 2 [0127.535] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="26") returned 2 [0127.535] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="AF") returned 2 [0127.535] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="FC") returned 2 [0127.535] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="41") returned 2 [0127.535] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="16") returned 2 [0127.535] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="F4") returned 2 [0127.535] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="69") returned 2 [0127.536] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="19") returned 2 [0127.536] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="8B") returned 2 [0127.536] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="19") returned 2 [0127.536] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="85") returned 2 [0127.536] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="C1") returned 2 [0127.536] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="87") returned 2 [0127.536] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="89") returned 2 [0127.536] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="B8") returned 2 [0127.536] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="E4") returned 2 [0127.536] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="7A") returned 2 [0127.536] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="7E") returned 2 [0127.536] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="3B") returned 2 [0127.536] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="05") returned 2 [0127.536] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="CF") returned 2 [0127.536] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="16") returned 2 [0127.536] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="31") returned 2 [0127.544] lstrcpyW (in: lpString1=0x3b70124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Origin Bound Certs" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Origin Bound Certs") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Origin Bound Certs" [0127.544] lstrcpyW (in: lpString1=0x3b60124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Origin Bound Certs" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Origin Bound Certs") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Origin Bound Certs" [0127.544] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Origin Bound Certs", lpString2=".EF35CEDD6FA0100C2726AFFC4116F469198B1985C18789B8E47A7E3B05CF1631" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Origin Bound Certs.EF35CEDD6FA0100C2726AFFC4116F469198B1985C18789B8E47A7E3B05CF1631") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Origin Bound Certs.EF35CEDD6FA0100C2726AFFC4116F469198B1985C18789B8E47A7E3B05CF1631" [0127.544] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x3b600f0, NumberOfConcurrentThreads=0x0) returned 0x94 [0127.544] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b600f0, lpOverlapped=0x3b600f0) returned 1 [0127.554] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x81d16a10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x81d16a10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x9405a1b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="Origin Bound Certs-journal", cAlternateFileName="ORIGIN~2")) returned 1 [0127.554] lstrcmpiW (lpString1="Origin Bound Certs-journal", lpString2="Windows") returned -1 [0127.555] lstrcmpiW (lpString1="Origin Bound Certs-journal", lpString2="Program Files") returned -1 [0127.555] lstrcmpiW (lpString1="Origin Bound Certs-journal", lpString2="Program Files (x86)") returned -1 [0127.555] lstrcmpiW (lpString1="Origin Bound Certs-journal", lpString2="$Recycle.bin") returned 1 [0127.555] lstrcmpiW (lpString1="Origin Bound Certs-journal", lpString2="System Volume Information") returned -1 [0127.555] lstrcmpiW (lpString1="Origin Bound Certs-journal", lpString2=".") returned 1 [0127.555] lstrcmpiW (lpString1="Origin Bound Certs-journal", lpString2="..") returned 1 [0127.555] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Origin Bound Certs-journal") returned 106 [0127.555] lstrcmpW (lpString1="Origin Bound Certs-journal", lpString2="PUSSY.TXT") returned -1 [0127.555] PathFindExtensionW (pszPath="Origin Bound Certs-journal") returned="" [0127.555] lstrlenW (lpString="") returned 0 [0127.555] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0127.555] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Origin Bound Certs-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\origin bound certs-journal"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0127.555] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=0) returned 1 [0127.555] CloseHandle (hObject=0x178) returned 1 [0127.556] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x859aa710, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x9c43f3e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x9c446910, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x1a9d, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="Preferences", cAlternateFileName="PREFER~1")) returned 1 [0127.572] lstrcmpiW (lpString1="Preferences", lpString2="Windows") returned -1 [0127.572] lstrcmpiW (lpString1="Preferences", lpString2="Program Files") returned -1 [0127.572] lstrcmpiW (lpString1="Preferences", lpString2="Program Files (x86)") returned -1 [0127.572] lstrcmpiW (lpString1="Preferences", lpString2="$Recycle.bin") returned 1 [0127.573] lstrcmpiW (lpString1="Preferences", lpString2="System Volume Information") returned -1 [0127.573] lstrcmpiW (lpString1="Preferences", lpString2=".") returned 1 [0127.573] lstrcmpiW (lpString1="Preferences", lpString2="..") returned 1 [0127.573] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Preferences") returned 91 [0127.573] lstrcmpW (lpString1="Preferences", lpString2="PUSSY.TXT") returned -1 [0127.573] PathFindExtensionW (pszPath="Preferences") returned="" [0127.573] lstrlenW (lpString="") returned 0 [0127.573] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0127.573] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Preferences" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\preferences"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0127.573] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=6813) returned 1 [0127.574] GetProcessHeap () returned 0x4c0000 [0127.574] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b600f0 [0127.582] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="00") returned 2 [0127.582] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="E4") returned 2 [0127.582] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="A8") returned 2 [0127.582] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="71") returned 2 [0127.582] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="7B") returned 2 [0127.582] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="F3") returned 2 [0127.582] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="48") returned 2 [0127.582] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="94") returned 2 [0127.582] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="EE") returned 2 [0127.582] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="9A") returned 2 [0127.582] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="27") returned 2 [0127.582] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="E9") returned 2 [0127.582] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="0C") returned 2 [0127.582] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="26") returned 2 [0127.582] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="65") returned 2 [0127.582] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="D2") returned 2 [0127.582] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="16") returned 2 [0127.582] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="47") returned 2 [0127.582] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="2C") returned 2 [0127.582] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="FB") returned 2 [0127.582] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="59") returned 2 [0127.582] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="A0") returned 2 [0127.582] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="5C") returned 2 [0127.582] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="FE") returned 2 [0127.583] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="00") returned 2 [0127.583] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="D5") returned 2 [0127.583] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="CE") returned 2 [0127.583] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="B0") returned 2 [0127.583] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="87") returned 2 [0127.583] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="52") returned 2 [0127.583] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="B4") returned 2 [0127.583] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="05") returned 2 [0127.591] lstrcpyW (in: lpString1=0x3b70124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Preferences" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Preferences") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Preferences" [0127.591] lstrcpyW (in: lpString1=0x3b60124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Preferences" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Preferences") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Preferences" [0127.591] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Preferences", lpString2=".00E4A8717BF34894EE9A27E90C2665D216472CFB59A05CFE00D5CEB08752B405" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Preferences.00E4A8717BF34894EE9A27E90C2665D216472CFB59A05CFE00D5CEB08752B405") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Preferences.00E4A8717BF34894EE9A27E90C2665D216472CFB59A05CFE00D5CEB08752B405" [0127.591] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x3b600f0, NumberOfConcurrentThreads=0x0) returned 0x94 [0127.591] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b600f0, lpOverlapped=0x3b600f0) returned 1 [0127.601] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7f8dea80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7f8dea80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8129b860, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="previews_opt_out.db", cAlternateFileName="PREVIE~1.DB")) returned 1 [0127.606] lstrcmpiW (lpString1="previews_opt_out.db", lpString2="Windows") returned -1 [0127.606] lstrcmpiW (lpString1="previews_opt_out.db", lpString2="Program Files") returned -1 [0127.606] lstrcmpiW (lpString1="previews_opt_out.db", lpString2="Program Files (x86)") returned -1 [0127.606] lstrcmpiW (lpString1="previews_opt_out.db", lpString2="$Recycle.bin") returned 1 [0127.606] lstrcmpiW (lpString1="previews_opt_out.db", lpString2="System Volume Information") returned -1 [0127.606] lstrcmpiW (lpString1="previews_opt_out.db", lpString2=".") returned 1 [0127.606] lstrcmpiW (lpString1="previews_opt_out.db", lpString2="..") returned 1 [0127.606] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\previews_opt_out.db") returned 99 [0127.606] lstrcmpW (lpString1="previews_opt_out.db", lpString2="PUSSY.TXT") returned -1 [0127.606] PathFindExtensionW (pszPath="previews_opt_out.db") returned=".db" [0127.606] lstrlenW (lpString=".db") returned 3 [0127.606] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0127.606] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\previews_opt_out.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\previews_opt_out.db"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0127.607] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=16384) returned 1 [0127.607] GetProcessHeap () returned 0x4c0000 [0127.607] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b600f0 [0127.615] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="79") returned 2 [0127.615] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="4F") returned 2 [0127.615] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="14") returned 2 [0127.615] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="E5") returned 2 [0127.615] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="60") returned 2 [0127.615] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="B7") returned 2 [0127.615] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="30") returned 2 [0127.615] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="CB") returned 2 [0127.615] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="D1") returned 2 [0127.615] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="ED") returned 2 [0127.615] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="19") returned 2 [0127.615] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="B0") returned 2 [0127.615] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="34") returned 2 [0127.615] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="B6") returned 2 [0127.615] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="4D") returned 2 [0127.616] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="18") returned 2 [0127.616] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="2E") returned 2 [0127.616] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="9F") returned 2 [0127.616] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="05") returned 2 [0127.616] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="31") returned 2 [0127.616] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="76") returned 2 [0127.616] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="CF") returned 2 [0127.616] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="D4") returned 2 [0127.616] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="73") returned 2 [0127.616] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="9C") returned 2 [0127.616] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="4F") returned 2 [0127.616] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="14") returned 2 [0127.616] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="97") returned 2 [0127.616] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="F9") returned 2 [0127.616] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="A6") returned 2 [0127.616] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="D0") returned 2 [0127.616] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="1F") returned 2 [0127.624] lstrcpyW (in: lpString1=0x3b70124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\previews_opt_out.db" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\previews_opt_out.db") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\previews_opt_out.db" [0127.625] lstrcpyW (in: lpString1=0x3b60124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\previews_opt_out.db" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\previews_opt_out.db") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\previews_opt_out.db" [0127.625] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\previews_opt_out.db", lpString2=".794F14E560B730CBD1ED19B034B64D182E9F053176CFD4739C4F1497F9A6D01F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\previews_opt_out.db.794F14E560B730CBD1ED19B034B64D182E9F053176CFD4739C4F1497F9A6D01F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\previews_opt_out.db.794F14E560B730CBD1ED19B034B64D182E9F053176CFD4739C4F1497F9A6D01F" [0127.625] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x3b600f0, NumberOfConcurrentThreads=0x0) returned 0x94 [0127.625] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b600f0, lpOverlapped=0x3b600f0) returned 1 [0127.636] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x804795c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x804795c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x812c19c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="previews_opt_out.db-journal", cAlternateFileName="PREVIE~1.DB-")) returned 1 [0127.636] lstrcmpiW (lpString1="previews_opt_out.db-journal", lpString2="Windows") returned -1 [0127.636] lstrcmpiW (lpString1="previews_opt_out.db-journal", lpString2="Program Files") returned -1 [0127.636] lstrcmpiW (lpString1="previews_opt_out.db-journal", lpString2="Program Files (x86)") returned -1 [0127.636] lstrcmpiW (lpString1="previews_opt_out.db-journal", lpString2="$Recycle.bin") returned 1 [0127.636] lstrcmpiW (lpString1="previews_opt_out.db-journal", lpString2="System Volume Information") returned -1 [0127.636] lstrcmpiW (lpString1="previews_opt_out.db-journal", lpString2=".") returned 1 [0127.636] lstrcmpiW (lpString1="previews_opt_out.db-journal", lpString2="..") returned 1 [0127.636] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\previews_opt_out.db-journal") returned 107 [0127.636] lstrcmpW (lpString1="previews_opt_out.db-journal", lpString2="PUSSY.TXT") returned -1 [0127.636] PathFindExtensionW (pszPath="previews_opt_out.db-journal") returned=".db-journal" [0127.636] lstrlenW (lpString=".db-journal") returned 11 [0127.636] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0127.636] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\previews_opt_out.db-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\previews_opt_out.db-journal"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0127.637] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=0) returned 1 [0127.637] CloseHandle (hObject=0x178) returned 1 [0127.637] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8687f510, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8687f510, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x869fc2d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="QuotaManager", cAlternateFileName="QUOTAM~1")) returned 1 [0127.637] lstrcmpiW (lpString1="QuotaManager", lpString2="Windows") returned -1 [0127.637] lstrcmpiW (lpString1="QuotaManager", lpString2="Program Files") returned 1 [0127.637] lstrcmpiW (lpString1="QuotaManager", lpString2="Program Files (x86)") returned 1 [0127.637] lstrcmpiW (lpString1="QuotaManager", lpString2="$Recycle.bin") returned 1 [0127.638] lstrcmpiW (lpString1="QuotaManager", lpString2="System Volume Information") returned -1 [0127.638] lstrcmpiW (lpString1="QuotaManager", lpString2=".") returned 1 [0127.638] lstrcmpiW (lpString1="QuotaManager", lpString2="..") returned 1 [0127.638] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\QuotaManager") returned 92 [0127.638] lstrcmpW (lpString1="QuotaManager", lpString2="PUSSY.TXT") returned 1 [0127.638] PathFindExtensionW (pszPath="QuotaManager") returned="" [0127.638] lstrlenW (lpString="") returned 0 [0127.638] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0127.638] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\QuotaManager" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\quotamanager"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0127.638] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=15360) returned 1 [0127.638] GetProcessHeap () returned 0x4c0000 [0127.638] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b88140 [0127.661] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="F1") returned 2 [0127.661] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="E1") returned 2 [0127.662] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="23") returned 2 [0127.662] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="52") returned 2 [0127.662] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="AC") returned 2 [0127.662] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="4A") returned 2 [0127.662] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="2B") returned 2 [0127.662] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="28") returned 2 [0127.662] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="E2") returned 2 [0127.662] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="39") returned 2 [0127.662] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="26") returned 2 [0127.662] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="03") returned 2 [0127.662] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="AE") returned 2 [0127.662] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="11") returned 2 [0127.662] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="4C") returned 2 [0127.662] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="DE") returned 2 [0127.662] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="8A") returned 2 [0127.662] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="65") returned 2 [0127.663] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="70") returned 2 [0127.663] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="C3") returned 2 [0127.663] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="B7") returned 2 [0127.663] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="2C") returned 2 [0127.663] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="16") returned 2 [0127.663] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="5F") returned 2 [0127.663] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="E8") returned 2 [0127.663] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="CF") returned 2 [0127.663] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="E2") returned 2 [0127.663] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="5E") returned 2 [0127.663] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="1B") returned 2 [0127.663] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="C7") returned 2 [0127.663] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="E8") returned 2 [0127.663] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="34") returned 2 [0127.737] lstrcpyW (in: lpString1=0x3b98174, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\QuotaManager" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\QuotaManager") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\QuotaManager" [0127.737] lstrcpyW (in: lpString1=0x3b88174, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\QuotaManager" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\QuotaManager") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\QuotaManager" [0127.737] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\QuotaManager", lpString2=".F1E12352AC4A2B28E2392603AE114CDE8A6570C3B72C165FE8CFE25E1BC7E834" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\QuotaManager.F1E12352AC4A2B28E2392603AE114CDE8A6570C3B72C165FE8CFE25E1BC7E834") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\QuotaManager.F1E12352AC4A2B28E2392603AE114CDE8A6570C3B72C165FE8CFE25E1BC7E834" [0127.737] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x3b88140, NumberOfConcurrentThreads=0x0) returned 0x94 [0127.737] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b88140, lpOverlapped=0x3b88140) returned 1 [0127.738] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8687f510, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8687f510, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86a48590, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="QuotaManager-journal", cAlternateFileName="QUOTAM~2")) returned 1 [0128.052] lstrcmpiW (lpString1="QuotaManager-journal", lpString2="Windows") returned -1 [0128.052] lstrcmpiW (lpString1="QuotaManager-journal", lpString2="Program Files") returned 1 [0128.052] lstrcmpiW (lpString1="QuotaManager-journal", lpString2="Program Files (x86)") returned 1 [0128.052] lstrcmpiW (lpString1="QuotaManager-journal", lpString2="$Recycle.bin") returned 1 [0128.052] lstrcmpiW (lpString1="QuotaManager-journal", lpString2="System Volume Information") returned -1 [0128.052] lstrcmpiW (lpString1="QuotaManager-journal", lpString2=".") returned 1 [0128.052] lstrcmpiW (lpString1="QuotaManager-journal", lpString2="..") returned 1 [0128.052] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\QuotaManager-journal") returned 100 [0128.052] lstrcmpW (lpString1="QuotaManager-journal", lpString2="PUSSY.TXT") returned 1 [0128.052] PathFindExtensionW (pszPath="QuotaManager-journal") returned="" [0128.052] lstrlenW (lpString="") returned 0 [0128.052] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0128.052] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\QuotaManager-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\quotamanager-journal"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0128.053] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=0) returned 1 [0128.053] CloseHandle (hObject=0x1d8) returned 1 [0128.054] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7f846500, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7f846500, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7f846500, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb4, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="README", cAlternateFileName="")) returned 1 [0128.054] lstrcmpiW (lpString1="README", lpString2="Windows") returned -1 [0128.054] lstrcmpiW (lpString1="README", lpString2="Program Files") returned 1 [0128.054] lstrcmpiW (lpString1="README", lpString2="Program Files (x86)") returned 1 [0128.054] lstrcmpiW (lpString1="README", lpString2="$Recycle.bin") returned 1 [0128.054] lstrcmpiW (lpString1="README", lpString2="System Volume Information") returned -1 [0128.054] lstrcmpiW (lpString1="README", lpString2=".") returned 1 [0128.054] lstrcmpiW (lpString1="README", lpString2="..") returned 1 [0128.054] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\README") returned 86 [0128.054] lstrcmpW (lpString1="README", lpString2="PUSSY.TXT") returned 1 [0128.054] PathFindExtensionW (pszPath="README") returned="" [0128.054] lstrlenW (lpString="") returned 0 [0128.054] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0128.054] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\README" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\readme"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0128.055] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=180) returned 1 [0128.055] CloseHandle (hObject=0x1d8) returned 1 [0128.055] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x857e1690, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x9c3f38f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x9c404a60, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x8b43, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="Secure Preferences", cAlternateFileName="SECURE~1")) returned 1 [0128.055] lstrcmpiW (lpString1="Secure Preferences", lpString2="Windows") returned -1 [0128.055] lstrcmpiW (lpString1="Secure Preferences", lpString2="Program Files") returned 1 [0128.055] lstrcmpiW (lpString1="Secure Preferences", lpString2="Program Files (x86)") returned 1 [0128.055] lstrcmpiW (lpString1="Secure Preferences", lpString2="$Recycle.bin") returned 1 [0128.055] lstrcmpiW (lpString1="Secure Preferences", lpString2="System Volume Information") returned -1 [0128.055] lstrcmpiW (lpString1="Secure Preferences", lpString2=".") returned 1 [0128.055] lstrcmpiW (lpString1="Secure Preferences", lpString2="..") returned 1 [0128.056] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Secure Preferences") returned 98 [0128.056] lstrcmpW (lpString1="Secure Preferences", lpString2="PUSSY.TXT") returned 1 [0128.056] PathFindExtensionW (pszPath="Secure Preferences") returned="" [0128.056] lstrlenW (lpString="") returned 0 [0128.056] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0128.056] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Secure Preferences" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\secure preferences"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0128.056] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=35651) returned 1 [0128.056] GetProcessHeap () returned 0x4c0000 [0128.056] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b380a0 [0128.071] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="25") returned 2 [0128.071] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="02") returned 2 [0128.071] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="3D") returned 2 [0128.071] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="C1") returned 2 [0128.071] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="90") returned 2 [0128.071] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="C4") returned 2 [0128.071] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="DD") returned 2 [0128.071] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="B5") returned 2 [0128.071] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="58") returned 2 [0128.072] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="24") returned 2 [0128.072] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="85") returned 2 [0128.072] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="88") returned 2 [0128.072] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="7A") returned 2 [0128.072] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="03") returned 2 [0128.072] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="23") returned 2 [0128.072] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="17") returned 2 [0128.072] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="AA") returned 2 [0128.072] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="F8") returned 2 [0128.072] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="1A") returned 2 [0128.072] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="8F") returned 2 [0128.072] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="75") returned 2 [0128.072] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="FD") returned 2 [0128.072] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="EA") returned 2 [0128.072] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="C7") returned 2 [0128.072] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="B6") returned 2 [0128.072] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="D0") returned 2 [0128.072] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="14") returned 2 [0128.072] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="8E") returned 2 [0128.072] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="B0") returned 2 [0128.072] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="DB") returned 2 [0128.072] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="13") returned 2 [0128.072] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="59") returned 2 [0128.087] lstrcpyW (in: lpString1=0x3b480d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Secure Preferences" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Secure Preferences") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Secure Preferences" [0128.087] lstrcpyW (in: lpString1=0x3b380d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Secure Preferences" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Secure Preferences") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Secure Preferences" [0128.087] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Secure Preferences", lpString2=".25023DC190C4DDB5582485887A032317AAF81A8F75FDEAC7B6D0148EB0DB1359" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Secure Preferences.25023DC190C4DDB5582485887A032317AAF81A8F75FDEAC7B6D0148EB0DB1359") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Secure Preferences.25023DC190C4DDB5582485887A032317AAF81A8F75FDEAC7B6D0148EB0DB1359" [0128.087] CreateIoCompletionPort (FileHandle=0x1d8, ExistingCompletionPort=0x94, CompletionKey=0x3b380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0128.087] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b380a0, lpOverlapped=0x3b380a0) returned 1 [0128.088] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8218d350, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8218d350, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82271b90, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="Shortcuts", cAlternateFileName="SHORTC~1")) returned 1 [0128.088] lstrcmpiW (lpString1="Shortcuts", lpString2="Windows") returned -1 [0128.088] lstrcmpiW (lpString1="Shortcuts", lpString2="Program Files") returned 1 [0128.088] lstrcmpiW (lpString1="Shortcuts", lpString2="Program Files (x86)") returned 1 [0128.088] lstrcmpiW (lpString1="Shortcuts", lpString2="$Recycle.bin") returned 1 [0128.088] lstrcmpiW (lpString1="Shortcuts", lpString2="System Volume Information") returned -1 [0128.088] lstrcmpiW (lpString1="Shortcuts", lpString2=".") returned 1 [0128.088] lstrcmpiW (lpString1="Shortcuts", lpString2="..") returned 1 [0128.088] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Shortcuts") returned 89 [0128.088] lstrcmpW (lpString1="Shortcuts", lpString2="PUSSY.TXT") returned 1 [0128.088] PathFindExtensionW (pszPath="Shortcuts") returned="" [0128.088] lstrlenW (lpString="") returned 0 [0128.088] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0128.088] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Shortcuts" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\shortcuts"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1c0 [0128.092] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=12288) returned 1 [0128.092] GetProcessHeap () returned 0x4c0000 [0128.093] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c480a8 [0128.108] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="16") returned 2 [0128.108] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="1C") returned 2 [0128.108] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="34") returned 2 [0128.108] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="F3") returned 2 [0128.108] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="8E") returned 2 [0128.108] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="D4") returned 2 [0128.108] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="42") returned 2 [0128.108] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="67") returned 2 [0128.108] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="36") returned 2 [0128.108] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="17") returned 2 [0128.108] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="CB") returned 2 [0128.108] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="55") returned 2 [0128.108] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="11") returned 2 [0128.108] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="B9") returned 2 [0128.108] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="76") returned 2 [0128.108] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="27") returned 2 [0128.108] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="7D") returned 2 [0128.108] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="11") returned 2 [0128.108] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="25") returned 2 [0128.109] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="94") returned 2 [0128.109] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="D7") returned 2 [0128.109] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="56") returned 2 [0128.109] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="F6") returned 2 [0128.109] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="2B") returned 2 [0128.109] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="B7") returned 2 [0128.109] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="26") returned 2 [0128.109] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="4E") returned 2 [0128.109] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="F4") returned 2 [0128.109] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="05") returned 2 [0128.109] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="44") returned 2 [0128.109] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="B8") returned 2 [0128.109] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="76") returned 2 [0128.123] lstrcpyW (in: lpString1=0x3c580dc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Shortcuts" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Shortcuts") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Shortcuts" [0128.123] lstrcpyW (in: lpString1=0x3c480dc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Shortcuts" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Shortcuts") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Shortcuts" [0128.123] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Shortcuts", lpString2=".161C34F38ED442673617CB5511B976277D112594D756F62BB7264EF40544B876" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Shortcuts.161C34F38ED442673617CB5511B976277D112594D756F62BB7264EF40544B876") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Shortcuts.161C34F38ED442673617CB5511B976277D112594D756F62BB7264EF40544B876" [0128.123] CreateIoCompletionPort (FileHandle=0x1c0, ExistingCompletionPort=0x94, CompletionKey=0x3c480a8, NumberOfConcurrentThreads=0x0) returned 0x94 [0128.123] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c480a8, lpOverlapped=0x3c480a8) returned 1 [0128.123] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8218d350, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8218d350, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x822e3fb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="Shortcuts-journal", cAlternateFileName="SHORTC~2")) returned 1 [0128.123] lstrcmpiW (lpString1="Shortcuts-journal", lpString2="Windows") returned -1 [0128.123] lstrcmpiW (lpString1="Shortcuts-journal", lpString2="Program Files") returned 1 [0128.123] lstrcmpiW (lpString1="Shortcuts-journal", lpString2="Program Files (x86)") returned 1 [0128.123] lstrcmpiW (lpString1="Shortcuts-journal", lpString2="$Recycle.bin") returned 1 [0128.123] lstrcmpiW (lpString1="Shortcuts-journal", lpString2="System Volume Information") returned -1 [0128.123] lstrcmpiW (lpString1="Shortcuts-journal", lpString2=".") returned 1 [0128.123] lstrcmpiW (lpString1="Shortcuts-journal", lpString2="..") returned 1 [0128.123] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Shortcuts-journal") returned 97 [0128.123] lstrcmpW (lpString1="Shortcuts-journal", lpString2="PUSSY.TXT") returned 1 [0128.123] PathFindExtensionW (pszPath="Shortcuts-journal") returned="" [0128.124] lstrlenW (lpString="") returned 0 [0128.124] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0128.124] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Shortcuts-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\shortcuts-journal"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0128.504] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=0) returned 1 [0128.504] CloseHandle (hObject=0x17c) returned 1 [0128.504] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84251e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84251e10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84251e10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="Sync Extension Settings", cAlternateFileName="SYNCEX~1")) returned 1 [0128.504] lstrcmpiW (lpString1="Sync Extension Settings", lpString2="Windows") returned -1 [0128.504] lstrcmpiW (lpString1="Sync Extension Settings", lpString2="Program Files") returned 1 [0128.504] lstrcmpiW (lpString1="Sync Extension Settings", lpString2="Program Files (x86)") returned 1 [0128.504] lstrcmpiW (lpString1="Sync Extension Settings", lpString2="$Recycle.bin") returned 1 [0128.504] lstrcmpiW (lpString1="Sync Extension Settings", lpString2="System Volume Information") returned -1 [0128.504] lstrcmpiW (lpString1="Sync Extension Settings", lpString2=".") returned 1 [0128.504] lstrcmpiW (lpString1="Sync Extension Settings", lpString2="..") returned 1 [0128.504] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings") returned 103 [0128.504] GetProcessHeap () returned 0x4c0000 [0128.504] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0128.505] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings" [0128.505] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\*" [0128.505] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84251e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84251e10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84251e10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0128.506] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0128.506] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0128.506] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0128.506] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0128.506] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0128.506] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0128.506] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84251e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84251e10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84251e10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0128.506] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0128.506] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0128.506] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0128.506] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0128.506] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0128.506] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0128.506] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0128.506] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84251e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8448d2b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8448d2b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="pkedcjkdefgpdelpbcmbmeomcjbeemfm", cAlternateFileName="PKEDCJ~1")) returned 1 [0128.506] lstrcmpiW (lpString1="pkedcjkdefgpdelpbcmbmeomcjbeemfm", lpString2="Windows") returned -1 [0128.506] lstrcmpiW (lpString1="pkedcjkdefgpdelpbcmbmeomcjbeemfm", lpString2="Program Files") returned -1 [0128.506] lstrcmpiW (lpString1="pkedcjkdefgpdelpbcmbmeomcjbeemfm", lpString2="Program Files (x86)") returned -1 [0128.506] lstrcmpiW (lpString1="pkedcjkdefgpdelpbcmbmeomcjbeemfm", lpString2="$Recycle.bin") returned 1 [0128.507] lstrcmpiW (lpString1="pkedcjkdefgpdelpbcmbmeomcjbeemfm", lpString2="System Volume Information") returned -1 [0128.507] lstrcmpiW (lpString1="pkedcjkdefgpdelpbcmbmeomcjbeemfm", lpString2=".") returned 1 [0128.507] lstrcmpiW (lpString1="pkedcjkdefgpdelpbcmbmeomcjbeemfm", lpString2="..") returned 1 [0128.507] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm") returned 136 [0128.507] GetProcessHeap () returned 0x4c0000 [0128.507] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c20058 [0128.508] lstrcpyW (in: lpString1=0x3c20058, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm" [0128.508] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\*" [0128.508] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\*", lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84251e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8448d2b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8448d2b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe46e6e5, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0128.510] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0128.510] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0128.510] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0128.510] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0128.510] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0128.510] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0128.510] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84251e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8448d2b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8448d2b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe46e6e5, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0128.510] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0128.510] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0128.510] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0128.511] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0128.511] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0128.511] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0128.511] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0128.511] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8448d2b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8448d2b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8448d2b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe46e6e5, dwReserved1=0xfe000000, cFileName="000003.log", cAlternateFileName="")) returned 1 [0128.511] lstrcmpiW (lpString1="000003.log", lpString2="Windows") returned -1 [0128.511] lstrcmpiW (lpString1="000003.log", lpString2="Program Files") returned -1 [0128.511] lstrcmpiW (lpString1="000003.log", lpString2="Program Files (x86)") returned -1 [0128.511] lstrcmpiW (lpString1="000003.log", lpString2="$Recycle.bin") returned 1 [0128.511] lstrcmpiW (lpString1="000003.log", lpString2="System Volume Information") returned -1 [0128.511] lstrcmpiW (lpString1="000003.log", lpString2=".") returned 1 [0128.511] lstrcmpiW (lpString1="000003.log", lpString2="..") returned 1 [0128.511] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\000003.log") returned 147 [0128.511] lstrcmpW (lpString1="000003.log", lpString2="PUSSY.TXT") returned -1 [0128.511] PathFindExtensionW (pszPath="000003.log") returned=".log" [0128.511] lstrlenW (lpString=".log") returned 4 [0128.511] SystemFunction036 (in: RandomBuffer=0x28a584, RandomBufferLength=0x20 | out: RandomBuffer=0x28a584) returned 1 [0128.511] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\000003.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\sync extension settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\000003.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0128.512] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28a578 | out: lpFileSize=0x28a578*=0) returned 1 [0128.512] CloseHandle (hObject=0x1d0) returned 1 [0128.512] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x84254520, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84254520, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84254520, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x10, dwReserved0=0xfe46e6e5, dwReserved1=0xfe000000, cFileName="CURRENT", cAlternateFileName="")) returned 1 [0128.512] lstrcmpiW (lpString1="CURRENT", lpString2="Windows") returned -1 [0128.512] lstrcmpiW (lpString1="CURRENT", lpString2="Program Files") returned -1 [0128.512] lstrcmpiW (lpString1="CURRENT", lpString2="Program Files (x86)") returned -1 [0128.512] lstrcmpiW (lpString1="CURRENT", lpString2="$Recycle.bin") returned 1 [0128.512] lstrcmpiW (lpString1="CURRENT", lpString2="System Volume Information") returned -1 [0128.512] lstrcmpiW (lpString1="CURRENT", lpString2=".") returned 1 [0128.512] lstrcmpiW (lpString1="CURRENT", lpString2="..") returned 1 [0128.513] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\CURRENT") returned 144 [0128.513] lstrcmpW (lpString1="CURRENT", lpString2="PUSSY.TXT") returned -1 [0128.513] PathFindExtensionW (pszPath="CURRENT") returned="" [0128.513] lstrlenW (lpString="") returned 0 [0128.513] SystemFunction036 (in: RandomBuffer=0x28a584, RandomBufferLength=0x20 | out: RandomBuffer=0x28a584) returned 1 [0128.513] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\CURRENT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\sync extension settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\current"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0128.513] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28a578 | out: lpFileSize=0x28a578*=16) returned 1 [0128.513] CloseHandle (hObject=0x1d0) returned 1 [0128.513] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x84254520, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84254520, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84254520, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe46e6e5, dwReserved1=0xfe000000, cFileName="LOCK", cAlternateFileName="")) returned 1 [0128.514] lstrcmpiW (lpString1="LOCK", lpString2="Windows") returned -1 [0128.514] lstrcmpiW (lpString1="LOCK", lpString2="Program Files") returned -1 [0128.514] lstrcmpiW (lpString1="LOCK", lpString2="Program Files (x86)") returned -1 [0128.514] lstrcmpiW (lpString1="LOCK", lpString2="$Recycle.bin") returned 1 [0128.514] lstrcmpiW (lpString1="LOCK", lpString2="System Volume Information") returned -1 [0128.514] lstrcmpiW (lpString1="LOCK", lpString2=".") returned 1 [0128.514] lstrcmpiW (lpString1="LOCK", lpString2="..") returned 1 [0128.514] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\LOCK") returned 141 [0128.514] lstrcmpW (lpString1="LOCK", lpString2="PUSSY.TXT") returned -1 [0128.514] PathFindExtensionW (pszPath="LOCK") returned="" [0128.514] lstrlenW (lpString="") returned 0 [0128.514] SystemFunction036 (in: RandomBuffer=0x28a584, RandomBufferLength=0x20 | out: RandomBuffer=0x28a584) returned 1 [0128.514] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\LOCK" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\sync extension settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0128.515] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28a578 | out: lpFileSize=0x28a578*=0) returned 1 [0128.515] CloseHandle (hObject=0x1d0) returned 1 [0128.515] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x84254520, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84254520, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x93935fb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xc3, dwReserved0=0xfe46e6e5, dwReserved1=0xfe000000, cFileName="LOG", cAlternateFileName="")) returned 1 [0128.515] lstrcmpiW (lpString1="LOG", lpString2="Windows") returned -1 [0128.515] lstrcmpiW (lpString1="LOG", lpString2="Program Files") returned -1 [0128.515] lstrcmpiW (lpString1="LOG", lpString2="Program Files (x86)") returned -1 [0128.515] lstrcmpiW (lpString1="LOG", lpString2="$Recycle.bin") returned 1 [0128.515] lstrcmpiW (lpString1="LOG", lpString2="System Volume Information") returned -1 [0128.515] lstrcmpiW (lpString1="LOG", lpString2=".") returned 1 [0128.515] lstrcmpiW (lpString1="LOG", lpString2="..") returned 1 [0128.515] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\LOG") returned 140 [0128.515] lstrcmpW (lpString1="LOG", lpString2="PUSSY.TXT") returned -1 [0128.515] PathFindExtensionW (pszPath="LOG") returned="" [0128.515] lstrlenW (lpString="") returned 0 [0128.515] SystemFunction036 (in: RandomBuffer=0x28a584, RandomBufferLength=0x20 | out: RandomBuffer=0x28a584) returned 1 [0128.515] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\LOG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\sync extension settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0128.516] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28a578 | out: lpFileSize=0x28a578*=195) returned 1 [0128.516] CloseHandle (hObject=0x1d0) returned 1 [0128.516] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x84254520, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84254520, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84254520, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x29, dwReserved0=0xfe46e6e5, dwReserved1=0xfe000000, cFileName="MANIFEST-000001", cAlternateFileName="MANIFE~1")) returned 1 [0128.516] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="Windows") returned -1 [0128.516] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="Program Files") returned -1 [0128.516] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="Program Files (x86)") returned -1 [0128.516] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="$Recycle.bin") returned 1 [0128.516] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="System Volume Information") returned -1 [0128.516] lstrcmpiW (lpString1="MANIFEST-000001", lpString2=".") returned 1 [0128.516] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="..") returned 1 [0128.516] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\MANIFEST-000001") returned 152 [0128.516] lstrcmpW (lpString1="MANIFEST-000001", lpString2="PUSSY.TXT") returned -1 [0128.516] PathFindExtensionW (pszPath="MANIFEST-000001") returned="" [0128.517] lstrlenW (lpString="") returned 0 [0128.517] SystemFunction036 (in: RandomBuffer=0x28a584, RandomBufferLength=0x20 | out: RandomBuffer=0x28a584) returned 1 [0128.517] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\MANIFEST-000001" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\sync extension settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\manifest-000001"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0128.517] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28a578 | out: lpFileSize=0x28a578*=41) returned 1 [0128.517] CloseHandle (hObject=0x1d0) returned 1 [0128.517] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x84254520, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x84254520, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x84254520, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x29, dwReserved0=0xfe46e6e5, dwReserved1=0xfe000000, cFileName="MANIFEST-000001", cAlternateFileName="MANIFE~1")) returned 0 [0128.517] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0128.517] wnsprintfW (in: pszDest=0x3c20058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\PUSSY.TXT") returned 146 [0128.517] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\sync extension settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0128.518] lstrlenA (lpString="abcd") returned 4 [0128.518] WriteFile (in: hFile=0x1d4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a8ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a8ec*=0x4, lpOverlapped=0x0) returned 1 [0128.519] CloseHandle (hObject=0x1d4) returned 1 [0128.519] GetProcessHeap () returned 0x4c0000 [0128.519] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0128.519] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84251e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8448d2b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8448d2b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="pkedcjkdefgpdelpbcmbmeomcjbeemfm", cAlternateFileName="PKEDCJ~1")) returned 0 [0128.519] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0128.520] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\PUSSY.TXT") returned 113 [0128.520] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\sync extension settings\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0128.520] lstrlenA (lpString="abcd") returned 4 [0128.520] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0128.521] CloseHandle (hObject=0x17c) returned 1 [0128.521] GetProcessHeap () returned 0x4c0000 [0128.521] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0128.523] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80d66840, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x80d66840, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8195e7b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="Top Sites", cAlternateFileName="TOPSIT~1")) returned 1 [0128.523] lstrcmpiW (lpString1="Top Sites", lpString2="Windows") returned -1 [0128.523] lstrcmpiW (lpString1="Top Sites", lpString2="Program Files") returned 1 [0128.523] lstrcmpiW (lpString1="Top Sites", lpString2="Program Files (x86)") returned 1 [0128.523] lstrcmpiW (lpString1="Top Sites", lpString2="$Recycle.bin") returned 1 [0128.523] lstrcmpiW (lpString1="Top Sites", lpString2="System Volume Information") returned 1 [0128.523] lstrcmpiW (lpString1="Top Sites", lpString2=".") returned 1 [0128.523] lstrcmpiW (lpString1="Top Sites", lpString2="..") returned 1 [0128.523] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Top Sites") returned 89 [0128.523] lstrcmpW (lpString1="Top Sites", lpString2="PUSSY.TXT") returned 1 [0128.523] PathFindExtensionW (pszPath="Top Sites") returned="" [0128.524] lstrlenW (lpString="") returned 0 [0128.524] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0128.524] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Top Sites" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\top sites"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0128.525] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=20480) returned 1 [0128.525] GetProcessHeap () returned 0x4c0000 [0128.525] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c20058 [0128.541] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="B0") returned 2 [0128.541] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="23") returned 2 [0128.541] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="79") returned 2 [0128.541] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="71") returned 2 [0128.541] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="DD") returned 2 [0128.541] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="F1") returned 2 [0128.541] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="C1") returned 2 [0128.541] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="86") returned 2 [0128.541] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="EB") returned 2 [0128.541] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="FC") returned 2 [0128.541] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="72") returned 2 [0128.541] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="61") returned 2 [0128.541] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="A1") returned 2 [0128.541] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="84") returned 2 [0128.541] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="C3") returned 2 [0128.541] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="5D") returned 2 [0128.541] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="EE") returned 2 [0128.541] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="BF") returned 2 [0128.541] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="82") returned 2 [0128.541] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="9A") returned 2 [0128.541] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="ED") returned 2 [0128.542] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="AC") returned 2 [0128.542] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="63") returned 2 [0128.542] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="49") returned 2 [0128.542] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="3A") returned 2 [0128.542] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="A4") returned 2 [0128.542] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="66") returned 2 [0128.542] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="B0") returned 2 [0128.542] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="ED") returned 2 [0128.542] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="C9") returned 2 [0128.542] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="E3") returned 2 [0128.542] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="7D") returned 2 [0128.554] lstrcpyW (in: lpString1=0x3c3008c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Top Sites" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Top Sites") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Top Sites" [0128.554] lstrcpyW (in: lpString1=0x3c2008c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Top Sites" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Top Sites") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Top Sites" [0128.554] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Top Sites", lpString2=".B0237971DDF1C186EBFC7261A184C35DEEBF829AEDAC63493AA466B0EDC9E37D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Top Sites.B0237971DDF1C186EBFC7261A184C35DEEBF829AEDAC63493AA466B0EDC9E37D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Top Sites.B0237971DDF1C186EBFC7261A184C35DEEBF829AEDAC63493AA466B0EDC9E37D" [0128.554] CreateIoCompletionPort (FileHandle=0x17c, ExistingCompletionPort=0x94, CompletionKey=0x3c20058, NumberOfConcurrentThreads=0x0) returned 0x94 [0128.554] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c20058, lpOverlapped=0x3c20058) returned 1 [0128.555] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80d8c9a0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x80d8c9a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x81984910, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="Top Sites-journal", cAlternateFileName="TOPSIT~2")) returned 1 [0128.555] lstrcmpiW (lpString1="Top Sites-journal", lpString2="Windows") returned -1 [0128.555] lstrcmpiW (lpString1="Top Sites-journal", lpString2="Program Files") returned 1 [0128.555] lstrcmpiW (lpString1="Top Sites-journal", lpString2="Program Files (x86)") returned 1 [0128.555] lstrcmpiW (lpString1="Top Sites-journal", lpString2="$Recycle.bin") returned 1 [0128.555] lstrcmpiW (lpString1="Top Sites-journal", lpString2="System Volume Information") returned 1 [0128.555] lstrcmpiW (lpString1="Top Sites-journal", lpString2=".") returned 1 [0128.555] lstrcmpiW (lpString1="Top Sites-journal", lpString2="..") returned 1 [0128.555] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Top Sites-journal") returned 97 [0128.555] lstrcmpW (lpString1="Top Sites-journal", lpString2="PUSSY.TXT") returned 1 [0128.555] PathFindExtensionW (pszPath="Top Sites-journal") returned="" [0128.555] lstrlenW (lpString="") returned 0 [0128.555] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0128.555] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Top Sites-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\top sites-journal"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d4 [0128.556] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=0) returned 1 [0128.556] CloseHandle (hObject=0x1d4) returned 1 [0128.556] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x88c2e920, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x88c2e920, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x88c2e920, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x278, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="TransportSecurity", cAlternateFileName="TRANSP~1")) returned 1 [0128.557] lstrcmpiW (lpString1="TransportSecurity", lpString2="Windows") returned -1 [0128.557] lstrcmpiW (lpString1="TransportSecurity", lpString2="Program Files") returned 1 [0128.557] lstrcmpiW (lpString1="TransportSecurity", lpString2="Program Files (x86)") returned 1 [0128.557] lstrcmpiW (lpString1="TransportSecurity", lpString2="$Recycle.bin") returned 1 [0128.557] lstrcmpiW (lpString1="TransportSecurity", lpString2="System Volume Information") returned 1 [0128.557] lstrcmpiW (lpString1="TransportSecurity", lpString2=".") returned 1 [0128.566] lstrcmpiW (lpString1="TransportSecurity", lpString2="..") returned 1 [0128.566] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\TransportSecurity") returned 97 [0128.566] lstrcmpW (lpString1="TransportSecurity", lpString2="PUSSY.TXT") returned 1 [0128.566] PathFindExtensionW (pszPath="TransportSecurity") returned="" [0128.566] lstrlenW (lpString="") returned 0 [0128.566] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0128.566] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\TransportSecurity" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\transportsecurity"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d4 [0128.567] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=632) returned 1 [0128.567] GetProcessHeap () returned 0x4c0000 [0128.567] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0128.581] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="53") returned 2 [0128.581] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="7B") returned 2 [0128.581] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="69") returned 2 [0128.581] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="20") returned 2 [0128.581] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="FA") returned 2 [0128.581] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="A9") returned 2 [0128.581] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="AB") returned 2 [0128.581] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="AB") returned 2 [0128.581] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="49") returned 2 [0128.581] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="FC") returned 2 [0128.581] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="00") returned 2 [0128.581] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="C3") returned 2 [0128.581] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="29") returned 2 [0128.581] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="8F") returned 2 [0128.581] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="7C") returned 2 [0128.581] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="D9") returned 2 [0128.581] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="71") returned 2 [0128.581] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="55") returned 2 [0128.581] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="E7") returned 2 [0128.581] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="81") returned 2 [0128.581] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="B8") returned 2 [0128.581] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="81") returned 2 [0128.581] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="BD") returned 2 [0128.582] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="69") returned 2 [0128.582] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="20") returned 2 [0128.582] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="23") returned 2 [0128.582] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="13") returned 2 [0128.582] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="34") returned 2 [0128.582] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="8A") returned 2 [0128.582] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="E9") returned 2 [0128.582] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="7B") returned 2 [0128.582] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="1B") returned 2 [0128.594] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\TransportSecurity" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\TransportSecurity") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\TransportSecurity" [0128.594] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\TransportSecurity" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\TransportSecurity") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\TransportSecurity" [0128.594] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\TransportSecurity", lpString2=".537B6920FAA9ABAB49FC00C3298F7CD97155E781B881BD69202313348AE97B1B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\TransportSecurity.537B6920FAA9ABAB49FC00C3298F7CD97155E781B881BD69202313348AE97B1B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\TransportSecurity.537B6920FAA9ABAB49FC00C3298F7CD97155E781B881BD69202313348AE97B1B" [0128.594] CreateIoCompletionPort (FileHandle=0x1d4, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0128.594] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0128.595] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80ee3600, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x80ee3600, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8c6cde50, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x20000, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="Visited Links", cAlternateFileName="VISITE~1")) returned 1 [0128.595] lstrcmpiW (lpString1="Visited Links", lpString2="Windows") returned -1 [0128.595] lstrcmpiW (lpString1="Visited Links", lpString2="Program Files") returned 1 [0128.595] lstrcmpiW (lpString1="Visited Links", lpString2="Program Files (x86)") returned 1 [0128.595] lstrcmpiW (lpString1="Visited Links", lpString2="$Recycle.bin") returned 1 [0128.595] lstrcmpiW (lpString1="Visited Links", lpString2="System Volume Information") returned 1 [0128.595] lstrcmpiW (lpString1="Visited Links", lpString2=".") returned 1 [0128.595] lstrcmpiW (lpString1="Visited Links", lpString2="..") returned 1 [0128.595] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Visited Links") returned 93 [0128.595] lstrcmpW (lpString1="Visited Links", lpString2="PUSSY.TXT") returned 1 [0128.595] PathFindExtensionW (pszPath="Visited Links") returned="" [0128.595] lstrlenW (lpString="") returned 0 [0128.596] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0128.596] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Visited Links" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\visited links"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0128.597] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=131072) returned 1 [0128.597] GetProcessHeap () returned 0x4c0000 [0128.597] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc80e0 [0128.611] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="AD") returned 2 [0128.611] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="15") returned 2 [0128.611] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="71") returned 2 [0128.611] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="E3") returned 2 [0128.611] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="AE") returned 2 [0128.611] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="0A") returned 2 [0128.611] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="63") returned 2 [0128.611] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="5A") returned 2 [0128.611] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="32") returned 2 [0128.611] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="40") returned 2 [0128.611] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="E9") returned 2 [0128.611] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="59") returned 2 [0128.611] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="47") returned 2 [0128.611] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="D6") returned 2 [0128.612] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="6D") returned 2 [0128.612] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="86") returned 2 [0128.612] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="50") returned 2 [0128.612] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="B0") returned 2 [0128.612] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="23") returned 2 [0128.612] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="15") returned 2 [0128.612] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="CE") returned 2 [0128.612] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="F1") returned 2 [0128.612] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="20") returned 2 [0128.612] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="75") returned 2 [0128.612] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="97") returned 2 [0128.612] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="9E") returned 2 [0128.612] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="32") returned 2 [0128.612] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="4A") returned 2 [0128.612] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="AF") returned 2 [0128.612] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="E0") returned 2 [0128.612] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="22") returned 2 [0128.612] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="2F") returned 2 [0128.625] lstrcpyW (in: lpString1=0x3bd8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Visited Links" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Visited Links") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Visited Links" [0128.625] lstrcpyW (in: lpString1=0x3bc8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Visited Links" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Visited Links") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Visited Links" [0128.625] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Visited Links", lpString2=".AD1571E3AE0A635A3240E95947D66D8650B02315CEF12075979E324AAFE0222F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Visited Links.AD1571E3AE0A635A3240E95947D66D8650B02315CEF12075979E324AAFE0222F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Visited Links.AD1571E3AE0A635A3240E95947D66D8650B02315CEF12075979E324AAFE0222F" [0128.625] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x94, CompletionKey=0x3bc80e0, NumberOfConcurrentThreads=0x0) returned 0x94 [0128.625] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc80e0, lpOverlapped=0x3bc80e0) returned 1 [0128.639] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x868593b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x868593b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x868593b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="Web Applications", cAlternateFileName="WEBAPP~1")) returned 1 [0128.639] lstrcmpiW (lpString1="Web Applications", lpString2="Windows") returned -1 [0128.639] lstrcmpiW (lpString1="Web Applications", lpString2="Program Files") returned 1 [0128.639] lstrcmpiW (lpString1="Web Applications", lpString2="Program Files (x86)") returned 1 [0128.639] lstrcmpiW (lpString1="Web Applications", lpString2="$Recycle.bin") returned 1 [0128.639] lstrcmpiW (lpString1="Web Applications", lpString2="System Volume Information") returned 1 [0128.639] lstrcmpiW (lpString1="Web Applications", lpString2=".") returned 1 [0128.639] lstrcmpiW (lpString1="Web Applications", lpString2="..") returned 1 [0128.639] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications") returned 96 [0128.639] GetProcessHeap () returned 0x4c0000 [0128.639] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0128.640] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications" [0128.640] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\*" [0128.640] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x868593b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x868593b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x868593b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ae70, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0128.640] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0128.641] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0128.641] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0128.641] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0128.641] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0128.641] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0128.641] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x868593b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x868593b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x868593b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ae70, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0128.641] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0128.641] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0128.641] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0128.641] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0128.641] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0128.641] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0128.641] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0128.641] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x868593b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86989eb0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86989eb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ae70, dwReserved1=0x77c61b06, cFileName="_crx_aohghmighlieiainnegkcijnfilokake", cAlternateFileName="_CRX_A~1")) returned 1 [0128.641] lstrcmpiW (lpString1="_crx_aohghmighlieiainnegkcijnfilokake", lpString2="Windows") returned -1 [0128.641] lstrcmpiW (lpString1="_crx_aohghmighlieiainnegkcijnfilokake", lpString2="Program Files") returned -1 [0128.641] lstrcmpiW (lpString1="_crx_aohghmighlieiainnegkcijnfilokake", lpString2="Program Files (x86)") returned -1 [0128.641] lstrcmpiW (lpString1="_crx_aohghmighlieiainnegkcijnfilokake", lpString2="$Recycle.bin") returned 1 [0128.641] lstrcmpiW (lpString1="_crx_aohghmighlieiainnegkcijnfilokake", lpString2="System Volume Information") returned -1 [0128.641] lstrcmpiW (lpString1="_crx_aohghmighlieiainnegkcijnfilokake", lpString2=".") returned 1 [0128.641] lstrcmpiW (lpString1="_crx_aohghmighlieiainnegkcijnfilokake", lpString2="..") returned 1 [0128.641] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake") returned 134 [0128.641] GetProcessHeap () returned 0x4c0000 [0128.642] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53caf0 [0128.643] lstrcpyW (in: lpString1=0x53caf0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake" [0128.643] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\*" [0128.643] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\*", lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x868593b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86989eb0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86989eb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0128.643] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0128.643] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0128.643] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0128.643] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0128.643] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0128.643] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0128.643] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x868593b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86989eb0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86989eb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0128.644] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0128.644] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0128.644] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0128.644] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0128.644] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0128.644] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0128.644] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0128.644] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8687f510, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8687f510, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8687f510, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x28df6, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="Google Docs.ico", cAlternateFileName="GOOGLE~1.ICO")) returned 1 [0128.644] lstrcmpiW (lpString1="Google Docs.ico", lpString2="Windows") returned -1 [0128.644] lstrcmpiW (lpString1="Google Docs.ico", lpString2="Program Files") returned -1 [0128.644] lstrcmpiW (lpString1="Google Docs.ico", lpString2="Program Files (x86)") returned -1 [0128.644] lstrcmpiW (lpString1="Google Docs.ico", lpString2="$Recycle.bin") returned 1 [0128.644] lstrcmpiW (lpString1="Google Docs.ico", lpString2="System Volume Information") returned -1 [0128.644] lstrcmpiW (lpString1="Google Docs.ico", lpString2=".") returned 1 [0128.644] lstrcmpiW (lpString1="Google Docs.ico", lpString2="..") returned 1 [0128.644] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\Google Docs.ico") returned 150 [0128.644] lstrcmpW (lpString1="Google Docs.ico", lpString2="PUSSY.TXT") returned -1 [0128.644] PathFindExtensionW (pszPath="Google Docs.ico") returned=".ico" [0128.645] lstrlenW (lpString=".ico") returned 4 [0128.645] SystemFunction036 (in: RandomBuffer=0x28a584, RandomBufferLength=0x20 | out: RandomBuffer=0x28a584) returned 1 [0128.645] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\Google Docs.ico" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\web applications\\_crx_aohghmighlieiainnegkcijnfilokake\\google docs.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0128.645] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28a578 | out: lpFileSize=0x28a578*=167414) returned 1 [0128.645] GetProcessHeap () returned 0x4c0000 [0128.645] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x54caf8 [0128.677] wsprintfW (in: param_1=0x28a5c6, param_2="%02X" | out: param_1="B1") returned 2 [0128.677] wsprintfW (in: param_1=0x28a5ca, param_2="%02X" | out: param_1="15") returned 2 [0128.677] wsprintfW (in: param_1=0x28a5ce, param_2="%02X" | out: param_1="45") returned 2 [0128.677] wsprintfW (in: param_1=0x28a5d2, param_2="%02X" | out: param_1="33") returned 2 [0128.677] wsprintfW (in: param_1=0x28a5d6, param_2="%02X" | out: param_1="E4") returned 2 [0128.677] wsprintfW (in: param_1=0x28a5da, param_2="%02X" | out: param_1="CE") returned 2 [0128.677] wsprintfW (in: param_1=0x28a5de, param_2="%02X" | out: param_1="89") returned 2 [0128.678] wsprintfW (in: param_1=0x28a5e2, param_2="%02X" | out: param_1="42") returned 2 [0128.678] wsprintfW (in: param_1=0x28a5e6, param_2="%02X" | out: param_1="A4") returned 2 [0128.678] wsprintfW (in: param_1=0x28a5ea, param_2="%02X" | out: param_1="B3") returned 2 [0128.678] wsprintfW (in: param_1=0x28a5ee, param_2="%02X" | out: param_1="5E") returned 2 [0128.678] wsprintfW (in: param_1=0x28a5f2, param_2="%02X" | out: param_1="EE") returned 2 [0128.678] wsprintfW (in: param_1=0x28a5f6, param_2="%02X" | out: param_1="9E") returned 2 [0128.678] wsprintfW (in: param_1=0x28a5fa, param_2="%02X" | out: param_1="D7") returned 2 [0128.678] wsprintfW (in: param_1=0x28a5fe, param_2="%02X" | out: param_1="F9") returned 2 [0128.678] wsprintfW (in: param_1=0x28a602, param_2="%02X" | out: param_1="CF") returned 2 [0128.678] wsprintfW (in: param_1=0x28a606, param_2="%02X" | out: param_1="FF") returned 2 [0128.678] wsprintfW (in: param_1=0x28a60a, param_2="%02X" | out: param_1="81") returned 2 [0128.678] wsprintfW (in: param_1=0x28a60e, param_2="%02X" | out: param_1="B6") returned 2 [0128.678] wsprintfW (in: param_1=0x28a612, param_2="%02X" | out: param_1="98") returned 2 [0128.678] wsprintfW (in: param_1=0x28a616, param_2="%02X" | out: param_1="E5") returned 2 [0128.678] wsprintfW (in: param_1=0x28a61a, param_2="%02X" | out: param_1="D8") returned 2 [0128.678] wsprintfW (in: param_1=0x28a61e, param_2="%02X" | out: param_1="50") returned 2 [0128.678] wsprintfW (in: param_1=0x28a622, param_2="%02X" | out: param_1="A8") returned 2 [0128.678] wsprintfW (in: param_1=0x28a626, param_2="%02X" | out: param_1="DA") returned 2 [0128.678] wsprintfW (in: param_1=0x28a62a, param_2="%02X" | out: param_1="61") returned 2 [0128.678] wsprintfW (in: param_1=0x28a62e, param_2="%02X" | out: param_1="17") returned 2 [0128.678] wsprintfW (in: param_1=0x28a632, param_2="%02X" | out: param_1="3B") returned 2 [0128.678] wsprintfW (in: param_1=0x28a636, param_2="%02X" | out: param_1="80") returned 2 [0128.678] wsprintfW (in: param_1=0x28a63a, param_2="%02X" | out: param_1="99") returned 2 [0128.678] wsprintfW (in: param_1=0x28a63e, param_2="%02X" | out: param_1="79") returned 2 [0128.678] wsprintfW (in: param_1=0x28a642, param_2="%02X" | out: param_1="18") returned 2 [0128.689] lstrcpyW (in: lpString1=0x55cb2c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\Google Docs.ico" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\Google Docs.ico") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\Google Docs.ico" [0128.689] lstrcpyW (in: lpString1=0x54cb2c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\Google Docs.ico" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\Google Docs.ico") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\Google Docs.ico" [0128.689] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\Google Docs.ico", lpString2=".B1154533E4CE8942A4B35EEE9ED7F9CFFF81B698E5D850A8DA61173B80997918" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\Google Docs.ico.B1154533E4CE8942A4B35EEE9ED7F9CFFF81B698E5D850A8DA61173B80997918") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\Google Docs.ico.B1154533E4CE8942A4B35EEE9ED7F9CFFF81B698E5D850A8DA61173B80997918" [0128.689] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x54caf8, NumberOfConcurrentThreads=0x0) returned 0x94 [0128.689] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x54caf8, lpOverlapped=0x54caf8) returned 1 [0128.690] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86989eb0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86989eb0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86989eb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x10, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="Google Docs.ico.md5", cAlternateFileName="GOOGLE~1.MD5")) returned 1 [0128.690] lstrcmpiW (lpString1="Google Docs.ico.md5", lpString2="Windows") returned -1 [0128.690] lstrcmpiW (lpString1="Google Docs.ico.md5", lpString2="Program Files") returned -1 [0128.690] lstrcmpiW (lpString1="Google Docs.ico.md5", lpString2="Program Files (x86)") returned -1 [0128.690] lstrcmpiW (lpString1="Google Docs.ico.md5", lpString2="$Recycle.bin") returned 1 [0128.690] lstrcmpiW (lpString1="Google Docs.ico.md5", lpString2="System Volume Information") returned -1 [0128.690] lstrcmpiW (lpString1="Google Docs.ico.md5", lpString2=".") returned 1 [0128.690] lstrcmpiW (lpString1="Google Docs.ico.md5", lpString2="..") returned 1 [0128.690] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\Google Docs.ico.md5") returned 154 [0128.690] lstrcmpW (lpString1="Google Docs.ico.md5", lpString2="PUSSY.TXT") returned -1 [0128.690] PathFindExtensionW (pszPath="Google Docs.ico.md5") returned=".md5" [0128.690] lstrlenW (lpString=".md5") returned 4 [0128.690] SystemFunction036 (in: RandomBuffer=0x28a584, RandomBufferLength=0x20 | out: RandomBuffer=0x28a584) returned 1 [0128.690] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\Google Docs.ico.md5" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\web applications\\_crx_aohghmighlieiainnegkcijnfilokake\\google docs.ico.md5"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1c0 [0128.719] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x28a578 | out: lpFileSize=0x28a578*=16) returned 1 [0128.719] CloseHandle (hObject=0x1c0) returned 1 [0128.719] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86989eb0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86989eb0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86989eb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x10, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="Google Docs.ico.md5", cAlternateFileName="GOOGLE~1.MD5")) returned 0 [0128.719] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0128.719] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\PUSSY.TXT") returned 144 [0128.719] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\web applications\\_crx_aohghmighlieiainnegkcijnfilokake\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0129.146] lstrlenA (lpString="abcd") returned 4 [0129.146] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a8ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a8ec*=0x4, lpOverlapped=0x0) returned 1 [0129.147] CloseHandle (hObject=0x18c) returned 1 [0129.147] GetProcessHeap () returned 0x4c0000 [0129.147] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0129.149] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x868593b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x86989eb0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x86989eb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ae70, dwReserved1=0x77c61b06, cFileName="_crx_aohghmighlieiainnegkcijnfilokake", cAlternateFileName="_CRX_A~1")) returned 0 [0129.149] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0129.149] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\PUSSY.TXT") returned 106 [0129.149] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\web applications\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0129.150] lstrlenA (lpString="abcd") returned 4 [0129.151] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0129.152] CloseHandle (hObject=0x184) returned 1 [0129.152] GetProcessHeap () returned 0x4c0000 [0129.152] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0129.152] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7f86c660, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7f86c660, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82d370c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="Web Data", cAlternateFileName="WEBDAT~1")) returned 1 [0129.152] lstrcmpiW (lpString1="Web Data", lpString2="Windows") returned -1 [0129.152] lstrcmpiW (lpString1="Web Data", lpString2="Program Files") returned 1 [0129.152] lstrcmpiW (lpString1="Web Data", lpString2="Program Files (x86)") returned 1 [0129.152] lstrcmpiW (lpString1="Web Data", lpString2="$Recycle.bin") returned 1 [0129.152] lstrcmpiW (lpString1="Web Data", lpString2="System Volume Information") returned 1 [0129.152] lstrcmpiW (lpString1="Web Data", lpString2=".") returned 1 [0129.152] lstrcmpiW (lpString1="Web Data", lpString2="..") returned 1 [0129.152] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data") returned 88 [0129.152] lstrcmpW (lpString1="Web Data", lpString2="PUSSY.TXT") returned 1 [0129.152] PathFindExtensionW (pszPath="Web Data") returned="" [0129.152] lstrlenW (lpString="") returned 0 [0129.153] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0129.153] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\web data"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0129.153] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=69632) returned 1 [0129.153] GetProcessHeap () returned 0x4c0000 [0129.153] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c480a8 [0129.192] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="A9") returned 2 [0129.192] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="CB") returned 2 [0129.192] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="D2") returned 2 [0129.192] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="B2") returned 2 [0129.193] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="AE") returned 2 [0129.193] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="C4") returned 2 [0129.193] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="CF") returned 2 [0129.193] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="F7") returned 2 [0129.193] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="50") returned 2 [0129.193] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="A2") returned 2 [0129.193] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="99") returned 2 [0129.193] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="17") returned 2 [0129.193] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="C6") returned 2 [0129.193] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="4B") returned 2 [0129.193] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="79") returned 2 [0129.193] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="56") returned 2 [0129.193] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="DD") returned 2 [0129.193] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="89") returned 2 [0129.193] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="89") returned 2 [0129.193] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="1B") returned 2 [0129.193] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="30") returned 2 [0129.193] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="80") returned 2 [0129.193] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="8B") returned 2 [0129.194] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="81") returned 2 [0129.194] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="A8") returned 2 [0129.194] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="A6") returned 2 [0129.194] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="E4") returned 2 [0129.194] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="97") returned 2 [0129.194] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="CB") returned 2 [0129.194] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="8E") returned 2 [0129.194] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="F8") returned 2 [0129.194] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="05") returned 2 [0129.215] lstrcpyW (in: lpString1=0x3c580dc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data" [0129.215] lstrcpyW (in: lpString1=0x3c480dc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data" [0129.215] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data", lpString2=".A9CBD2B2AEC4CFF750A29917C64B7956DD89891B30808B81A8A6E497CB8EF805" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data.A9CBD2B2AEC4CFF750A29917C64B7956DD89891B30808B81A8A6E497CB8EF805") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data.A9CBD2B2AEC4CFF750A29917C64B7956DD89891B30808B81A8A6E497CB8EF805" [0129.215] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x3c480a8, NumberOfConcurrentThreads=0x0) returned 0x94 [0129.216] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c480a8, lpOverlapped=0x3c480a8) returned 1 [0129.264] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7f86c660, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7f86c660, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82d608d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="Web Data-journal", cAlternateFileName="WEBDAT~2")) returned 1 [0129.264] lstrcmpiW (lpString1="Web Data-journal", lpString2="Windows") returned -1 [0129.264] lstrcmpiW (lpString1="Web Data-journal", lpString2="Program Files") returned 1 [0129.264] lstrcmpiW (lpString1="Web Data-journal", lpString2="Program Files (x86)") returned 1 [0129.264] lstrcmpiW (lpString1="Web Data-journal", lpString2="$Recycle.bin") returned 1 [0129.264] lstrcmpiW (lpString1="Web Data-journal", lpString2="System Volume Information") returned 1 [0129.264] lstrcmpiW (lpString1="Web Data-journal", lpString2=".") returned 1 [0129.264] lstrcmpiW (lpString1="Web Data-journal", lpString2="..") returned 1 [0129.264] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data-journal") returned 96 [0129.264] lstrcmpW (lpString1="Web Data-journal", lpString2="PUSSY.TXT") returned 1 [0129.264] PathFindExtensionW (pszPath="Web Data-journal") returned="" [0129.264] lstrlenW (lpString="") returned 0 [0129.264] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0129.264] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\web data-journal"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0129.266] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=0) returned 1 [0129.266] CloseHandle (hObject=0x1d0) returned 1 [0129.266] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7f86c660, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7f86c660, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82d608d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="Web Data-journal", cAlternateFileName="WEBDAT~2")) returned 0 [0129.266] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0129.266] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\PUSSY.TXT") returned 89 [0129.266] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0129.267] lstrlenA (lpString="abcd") returned 4 [0129.267] WriteFile (in: hFile=0x1a8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0129.269] CloseHandle (hObject=0x1a8) returned 1 [0129.269] GetProcessHeap () returned 0x4c0000 [0129.269] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0129.271] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81dfb250, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x81dfb250, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x81dfb250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c15f66e, cFileName="EVWhitelist", cAlternateFileName="EVWHIT~1")) returned 1 [0129.271] lstrcmpiW (lpString1="EVWhitelist", lpString2="Windows") returned -1 [0129.271] lstrcmpiW (lpString1="EVWhitelist", lpString2="Program Files") returned -1 [0129.272] lstrcmpiW (lpString1="EVWhitelist", lpString2="Program Files (x86)") returned -1 [0129.272] lstrcmpiW (lpString1="EVWhitelist", lpString2="$Recycle.bin") returned 1 [0129.272] lstrcmpiW (lpString1="EVWhitelist", lpString2="System Volume Information") returned -1 [0129.272] lstrcmpiW (lpString1="EVWhitelist", lpString2=".") returned 1 [0129.272] lstrcmpiW (lpString1="EVWhitelist", lpString2="..") returned 1 [0129.272] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\EVWhitelist") returned 83 [0129.272] GetProcessHeap () returned 0x4c0000 [0129.272] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0129.273] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\EVWhitelist" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\EVWhitelist") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\EVWhitelist" [0129.273] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\EVWhitelist", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\EVWhitelist\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\EVWhitelist\\*" [0129.273] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\EVWhitelist\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81dfb250, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x81dfb250, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x81dfb250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0129.274] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0129.275] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0129.275] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0129.275] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0129.275] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0129.275] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0129.275] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81dfb250, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x81dfb250, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x81dfb250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="..", cAlternateFileName="")) returned 1 [0129.275] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0129.275] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0129.275] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0129.275] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0129.275] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0129.275] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0129.275] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0129.276] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81dfb250, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x81dfb250, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x81dfb250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="..", cAlternateFileName="")) returned 0 [0129.276] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0129.276] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\EVWhitelist\\PUSSY.TXT") returned 93 [0129.276] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\EVWhitelist\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\evwhitelist\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0129.277] lstrlenA (lpString="abcd") returned 4 [0129.277] WriteFile (in: hFile=0x1a8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0129.278] CloseHandle (hObject=0x1a8) returned 1 [0129.278] GetProcessHeap () returned 0x4c0000 [0129.278] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0129.278] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81e213b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x81e213b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x81e213b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c15f66e, cFileName="FileTypePolicies", cAlternateFileName="FILETY~1")) returned 1 [0129.278] lstrcmpiW (lpString1="FileTypePolicies", lpString2="Windows") returned -1 [0129.278] lstrcmpiW (lpString1="FileTypePolicies", lpString2="Program Files") returned -1 [0129.278] lstrcmpiW (lpString1="FileTypePolicies", lpString2="Program Files (x86)") returned -1 [0129.278] lstrcmpiW (lpString1="FileTypePolicies", lpString2="$Recycle.bin") returned 1 [0129.278] lstrcmpiW (lpString1="FileTypePolicies", lpString2="System Volume Information") returned -1 [0129.278] lstrcmpiW (lpString1="FileTypePolicies", lpString2=".") returned 1 [0129.278] lstrcmpiW (lpString1="FileTypePolicies", lpString2="..") returned 1 [0129.278] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\FileTypePolicies") returned 88 [0129.278] GetProcessHeap () returned 0x4c0000 [0129.278] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0129.278] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\FileTypePolicies" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\FileTypePolicies") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\FileTypePolicies" [0129.278] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\FileTypePolicies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\FileTypePolicies\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\FileTypePolicies\\*" [0129.278] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\FileTypePolicies\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81e213b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x81e213b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x81e213b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0129.279] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0129.279] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0129.279] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0129.279] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0129.279] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0129.279] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0129.279] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81e213b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x81e213b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x81e213b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="..", cAlternateFileName="")) returned 1 [0129.279] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0129.279] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0129.279] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0129.279] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0129.279] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0129.279] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0129.279] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0129.279] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81e213b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x81e213b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x81e213b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x1a3b612, cFileName="..", cAlternateFileName="")) returned 0 [0129.279] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0129.280] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\FileTypePolicies\\PUSSY.TXT") returned 98 [0129.280] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\FileTypePolicies\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\filetypepolicies\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0129.280] lstrlenA (lpString="abcd") returned 4 [0129.280] WriteFile (in: hFile=0x1a8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0129.282] CloseHandle (hObject=0x1a8) returned 1 [0129.282] GetProcessHeap () returned 0x4c0000 [0129.282] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0129.282] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7f8b8920, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7f8b8920, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7f8b8920, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c15f66e, cFileName="First Run", cAlternateFileName="FIRSTR~1")) returned 1 [0129.282] lstrcmpiW (lpString1="First Run", lpString2="Windows") returned -1 [0129.282] lstrcmpiW (lpString1="First Run", lpString2="Program Files") returned -1 [0129.282] lstrcmpiW (lpString1="First Run", lpString2="Program Files (x86)") returned -1 [0129.282] lstrcmpiW (lpString1="First Run", lpString2="$Recycle.bin") returned 1 [0129.282] lstrcmpiW (lpString1="First Run", lpString2="System Volume Information") returned -1 [0129.282] lstrcmpiW (lpString1="First Run", lpString2=".") returned 1 [0129.282] lstrcmpiW (lpString1="First Run", lpString2="..") returned 1 [0129.282] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\First Run") returned 81 [0129.282] lstrcmpW (lpString1="First Run", lpString2="PUSSY.TXT") returned -1 [0129.282] PathFindExtensionW (pszPath="First Run") returned="" [0129.282] lstrlenW (lpString="") returned 0 [0129.282] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0129.282] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\First Run" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\first run"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a8 [0129.283] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=0) returned 1 [0129.283] CloseHandle (hObject=0x1a8) returned 1 [0129.283] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85749110, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x9c0bcce0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x9c0bf3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x1082a, dwReserved0=0x4ddd20, dwReserved1=0x2c15f66e, cFileName="Local State", cAlternateFileName="LOCALS~1")) returned 1 [0129.283] lstrcmpiW (lpString1="Local State", lpString2="Windows") returned -1 [0129.283] lstrcmpiW (lpString1="Local State", lpString2="Program Files") returned -1 [0129.283] lstrcmpiW (lpString1="Local State", lpString2="Program Files (x86)") returned -1 [0129.283] lstrcmpiW (lpString1="Local State", lpString2="$Recycle.bin") returned 1 [0129.283] lstrcmpiW (lpString1="Local State", lpString2="System Volume Information") returned -1 [0129.283] lstrcmpiW (lpString1="Local State", lpString2=".") returned 1 [0129.283] lstrcmpiW (lpString1="Local State", lpString2="..") returned 1 [0129.283] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Local State") returned 83 [0129.283] lstrcmpW (lpString1="Local State", lpString2="PUSSY.TXT") returned -1 [0129.283] PathFindExtensionW (pszPath="Local State") returned="" [0129.283] lstrlenW (lpString="") returned 0 [0129.283] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0129.284] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Local State" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\local state"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a8 [0129.284] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=67626) returned 1 [0129.284] GetProcessHeap () returned 0x4c0000 [0129.284] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc80e0 [0129.298] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="5B") returned 2 [0129.298] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="29") returned 2 [0129.298] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="9B") returned 2 [0129.299] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="AD") returned 2 [0129.299] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="4A") returned 2 [0129.299] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="76") returned 2 [0129.299] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="F6") returned 2 [0129.299] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="24") returned 2 [0129.299] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="BA") returned 2 [0129.299] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="86") returned 2 [0129.299] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="6A") returned 2 [0129.299] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="6F") returned 2 [0129.299] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="57") returned 2 [0129.299] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="2E") returned 2 [0129.299] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="2B") returned 2 [0129.299] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="CF") returned 2 [0129.299] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="A9") returned 2 [0129.299] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="CB") returned 2 [0129.299] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="07") returned 2 [0129.299] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="FB") returned 2 [0129.299] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="9E") returned 2 [0129.299] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="40") returned 2 [0129.299] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="6D") returned 2 [0129.299] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="84") returned 2 [0129.299] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="69") returned 2 [0129.299] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="DF") returned 2 [0129.299] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="98") returned 2 [0129.300] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="C5") returned 2 [0129.300] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="C9") returned 2 [0129.300] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="D5") returned 2 [0129.300] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="26") returned 2 [0129.300] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="42") returned 2 [0129.349] lstrcpyW (in: lpString1=0x3bd8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Local State" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Local State") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Local State" [0129.349] lstrcpyW (in: lpString1=0x3bc8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Local State" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Local State") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Local State" [0129.349] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Local State", lpString2=".5B299BAD4A76F624BA866A6F572E2BCFA9CB07FB9E406D8469DF98C5C9D52642" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Local State.5B299BAD4A76F624BA866A6F572E2BCFA9CB07FB9E406D8469DF98C5C9D52642") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Local State.5B299BAD4A76F624BA866A6F572E2BCFA9CB07FB9E406D8469DF98C5C9D52642" [0129.349] CreateIoCompletionPort (FileHandle=0x1a8, ExistingCompletionPort=0x94, CompletionKey=0x3bc80e0, NumberOfConcurrentThreads=0x0) returned 0x94 [0129.349] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc80e0, lpOverlapped=0x3bc80e0) returned 1 [0129.350] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81e213b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x81e213b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x81e213b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c15f66e, cFileName="OriginTrials", cAlternateFileName="ORIGIN~1")) returned 1 [0129.350] lstrcmpiW (lpString1="OriginTrials", lpString2="Windows") returned -1 [0129.350] lstrcmpiW (lpString1="OriginTrials", lpString2="Program Files") returned -1 [0129.350] lstrcmpiW (lpString1="OriginTrials", lpString2="Program Files (x86)") returned -1 [0129.350] lstrcmpiW (lpString1="OriginTrials", lpString2="$Recycle.bin") returned 1 [0129.350] lstrcmpiW (lpString1="OriginTrials", lpString2="System Volume Information") returned -1 [0129.350] lstrcmpiW (lpString1="OriginTrials", lpString2=".") returned 1 [0129.350] lstrcmpiW (lpString1="OriginTrials", lpString2="..") returned 1 [0129.350] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\OriginTrials") returned 84 [0129.350] GetProcessHeap () returned 0x4c0000 [0129.350] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0129.350] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\OriginTrials" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\OriginTrials") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\OriginTrials" [0129.351] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\OriginTrials", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\OriginTrials\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\OriginTrials\\*" [0129.351] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\OriginTrials\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81e213b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x81e213b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x81e213b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0129.351] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0129.351] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0129.351] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0129.351] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0129.351] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0129.351] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0129.351] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81e213b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x81e213b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x81e213b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0129.351] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0129.351] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0129.351] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0129.351] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0129.351] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0129.352] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0129.352] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0129.352] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81e213b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x81e213b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x81e213b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 0 [0129.352] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0129.352] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\OriginTrials\\PUSSY.TXT") returned 94 [0129.352] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\OriginTrials\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\origintrials\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0129.353] lstrlenA (lpString="abcd") returned 4 [0129.353] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0129.354] CloseHandle (hObject=0x1d0) returned 1 [0129.354] GetProcessHeap () returned 0x4c0000 [0129.354] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0129.354] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81dfb250, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x81dfb250, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x81dfb250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c15f66e, cFileName="PepperFlash", cAlternateFileName="PEPPER~1")) returned 1 [0129.354] lstrcmpiW (lpString1="PepperFlash", lpString2="Windows") returned -1 [0129.354] lstrcmpiW (lpString1="PepperFlash", lpString2="Program Files") returned -1 [0129.354] lstrcmpiW (lpString1="PepperFlash", lpString2="Program Files (x86)") returned -1 [0129.354] lstrcmpiW (lpString1="PepperFlash", lpString2="$Recycle.bin") returned 1 [0129.355] lstrcmpiW (lpString1="PepperFlash", lpString2="System Volume Information") returned -1 [0129.355] lstrcmpiW (lpString1="PepperFlash", lpString2=".") returned 1 [0129.355] lstrcmpiW (lpString1="PepperFlash", lpString2="..") returned 1 [0129.355] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\PepperFlash") returned 83 [0129.355] GetProcessHeap () returned 0x4c0000 [0129.355] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0129.355] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\PepperFlash" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\PepperFlash") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\PepperFlash" [0129.355] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\PepperFlash", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\PepperFlash\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\PepperFlash\\*" [0129.355] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\PepperFlash\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81dfb250, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x81dfb250, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x81dfb250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0129.355] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0129.355] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0129.355] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0129.355] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0129.355] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0129.355] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0129.355] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81dfb250, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x81dfb250, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x81dfb250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0129.356] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0129.356] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0129.356] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0129.356] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0129.356] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0129.356] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0129.356] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0129.356] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81dfb250, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x81dfb250, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x81dfb250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 0 [0129.356] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0129.356] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\PepperFlash\\PUSSY.TXT") returned 93 [0129.356] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\PepperFlash\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\pepperflash\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0129.357] lstrlenA (lpString="abcd") returned 4 [0129.357] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0129.358] CloseHandle (hObject=0x1d0) returned 1 [0129.358] GetProcessHeap () returned 0x4c0000 [0129.358] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0129.358] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81e47510, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x81e47510, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x81e47510, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c15f66e, cFileName="pnacl", cAlternateFileName="")) returned 1 [0129.358] lstrcmpiW (lpString1="pnacl", lpString2="Windows") returned -1 [0129.358] lstrcmpiW (lpString1="pnacl", lpString2="Program Files") returned -1 [0129.358] lstrcmpiW (lpString1="pnacl", lpString2="Program Files (x86)") returned -1 [0129.358] lstrcmpiW (lpString1="pnacl", lpString2="$Recycle.bin") returned 1 [0129.358] lstrcmpiW (lpString1="pnacl", lpString2="System Volume Information") returned -1 [0129.358] lstrcmpiW (lpString1="pnacl", lpString2=".") returned 1 [0129.358] lstrcmpiW (lpString1="pnacl", lpString2="..") returned 1 [0129.359] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\pnacl") returned 77 [0129.359] GetProcessHeap () returned 0x4c0000 [0129.359] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0129.359] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\pnacl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\pnacl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\pnacl" [0129.359] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\pnacl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\pnacl\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\pnacl\\*" [0129.359] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\pnacl\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81e47510, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x81e47510, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x81e47510, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0129.359] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0129.359] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0129.359] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0129.359] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0129.359] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0129.359] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0129.359] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81e47510, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x81e47510, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x81e47510, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0129.359] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0129.360] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0129.360] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0129.360] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0129.360] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0129.360] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0129.360] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0129.360] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81e47510, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x81e47510, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x81e47510, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 0 [0129.360] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0129.360] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\pnacl\\PUSSY.TXT") returned 87 [0129.360] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\pnacl\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\pnacl\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0129.362] lstrlenA (lpString="abcd") returned 4 [0129.362] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0129.364] CloseHandle (hObject=0x1d0) returned 1 [0129.364] GetProcessHeap () returned 0x4c0000 [0129.364] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0129.364] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85e6fa20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e6fa20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x97f6e8b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x1400, dwReserved0=0x4ddd20, dwReserved1=0x2c15f66e, cFileName="Safe Browsing Channel IDs", cAlternateFileName="SAFEBR~3")) returned 1 [0129.364] lstrcmpiW (lpString1="Safe Browsing Channel IDs", lpString2="Windows") returned -1 [0129.364] lstrcmpiW (lpString1="Safe Browsing Channel IDs", lpString2="Program Files") returned 1 [0129.364] lstrcmpiW (lpString1="Safe Browsing Channel IDs", lpString2="Program Files (x86)") returned 1 [0129.364] lstrcmpiW (lpString1="Safe Browsing Channel IDs", lpString2="$Recycle.bin") returned 1 [0129.364] lstrcmpiW (lpString1="Safe Browsing Channel IDs", lpString2="System Volume Information") returned -1 [0129.364] lstrcmpiW (lpString1="Safe Browsing Channel IDs", lpString2=".") returned 1 [0129.364] lstrcmpiW (lpString1="Safe Browsing Channel IDs", lpString2="..") returned 1 [0129.364] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Channel IDs") returned 97 [0129.364] lstrcmpW (lpString1="Safe Browsing Channel IDs", lpString2="PUSSY.TXT") returned 1 [0129.364] PathFindExtensionW (pszPath="Safe Browsing Channel IDs") returned="" [0129.364] lstrlenW (lpString="") returned 0 [0129.364] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0129.364] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Channel IDs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\safe browsing channel ids"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0129.365] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=5120) returned 1 [0129.365] GetProcessHeap () returned 0x4c0000 [0129.365] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c20058 [0129.379] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="2C") returned 2 [0129.379] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="1A") returned 2 [0129.379] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="9C") returned 2 [0129.380] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="9D") returned 2 [0129.380] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="B1") returned 2 [0129.380] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="03") returned 2 [0129.380] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="5A") returned 2 [0129.380] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="89") returned 2 [0129.380] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="7D") returned 2 [0129.380] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="B6") returned 2 [0129.380] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="E1") returned 2 [0129.380] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="AC") returned 2 [0129.380] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="67") returned 2 [0129.380] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="3D") returned 2 [0129.380] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="D4") returned 2 [0129.380] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="6F") returned 2 [0129.380] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="64") returned 2 [0129.380] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="F0") returned 2 [0129.380] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="C7") returned 2 [0129.380] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="70") returned 2 [0129.380] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="F0") returned 2 [0129.380] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="A3") returned 2 [0129.380] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="30") returned 2 [0129.380] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="B3") returned 2 [0129.380] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="0C") returned 2 [0129.380] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="05") returned 2 [0129.381] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="13") returned 2 [0129.381] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="25") returned 2 [0129.381] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="6F") returned 2 [0129.381] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="0D") returned 2 [0129.381] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="6F") returned 2 [0129.381] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="5A") returned 2 [0129.393] lstrcpyW (in: lpString1=0x3c3008c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Channel IDs" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Channel IDs") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Channel IDs" [0129.393] lstrcpyW (in: lpString1=0x3c2008c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Channel IDs" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Channel IDs") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Channel IDs" [0129.393] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Channel IDs", lpString2=".2C1A9C9DB1035A897DB6E1AC673DD46F64F0C770F0A330B30C0513256F0D6F5A" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Channel IDs.2C1A9C9DB1035A897DB6E1AC673DD46F64F0C770F0A330B30C0513256F0D6F5A") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Channel IDs.2C1A9C9DB1035A897DB6E1AC673DD46F64F0C770F0A330B30C0513256F0D6F5A" [0129.393] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x94, CompletionKey=0x3c20058, NumberOfConcurrentThreads=0x0) returned 0x94 [0129.393] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c20058, lpOverlapped=0x3c20058) returned 1 [0129.394] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85e6fa20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85e6fa20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x97f94a10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c15f66e, cFileName="Safe Browsing Channel IDs-journal", cAlternateFileName="SAFEBR~4")) returned 1 [0129.394] lstrcmpiW (lpString1="Safe Browsing Channel IDs-journal", lpString2="Windows") returned -1 [0129.394] lstrcmpiW (lpString1="Safe Browsing Channel IDs-journal", lpString2="Program Files") returned 1 [0129.394] lstrcmpiW (lpString1="Safe Browsing Channel IDs-journal", lpString2="Program Files (x86)") returned 1 [0129.394] lstrcmpiW (lpString1="Safe Browsing Channel IDs-journal", lpString2="$Recycle.bin") returned 1 [0129.394] lstrcmpiW (lpString1="Safe Browsing Channel IDs-journal", lpString2="System Volume Information") returned -1 [0129.394] lstrcmpiW (lpString1="Safe Browsing Channel IDs-journal", lpString2=".") returned 1 [0129.394] lstrcmpiW (lpString1="Safe Browsing Channel IDs-journal", lpString2="..") returned 1 [0129.394] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Channel IDs-journal") returned 105 [0129.394] lstrcmpW (lpString1="Safe Browsing Channel IDs-journal", lpString2="PUSSY.TXT") returned 1 [0129.394] PathFindExtensionW (pszPath="Safe Browsing Channel IDs-journal") returned="" [0129.395] lstrlenW (lpString="") returned 0 [0129.395] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0129.395] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Channel IDs-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\safe browsing channel ids-journal"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0129.396] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=0) returned 1 [0129.396] CloseHandle (hObject=0x17c) returned 1 [0129.396] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8582d950, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8582d950, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x1c00, dwReserved0=0x4ddd20, dwReserved1=0x2c15f66e, cFileName="Safe Browsing Cookies", cAlternateFileName="SAFEBR~1")) returned 1 [0129.396] lstrcmpiW (lpString1="Safe Browsing Cookies", lpString2="Windows") returned -1 [0129.396] lstrcmpiW (lpString1="Safe Browsing Cookies", lpString2="Program Files") returned 1 [0129.396] lstrcmpiW (lpString1="Safe Browsing Cookies", lpString2="Program Files (x86)") returned 1 [0129.396] lstrcmpiW (lpString1="Safe Browsing Cookies", lpString2="$Recycle.bin") returned 1 [0129.396] lstrcmpiW (lpString1="Safe Browsing Cookies", lpString2="System Volume Information") returned -1 [0129.396] lstrcmpiW (lpString1="Safe Browsing Cookies", lpString2=".") returned 1 [0129.396] lstrcmpiW (lpString1="Safe Browsing Cookies", lpString2="..") returned 1 [0129.396] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Cookies") returned 93 [0129.396] lstrcmpW (lpString1="Safe Browsing Cookies", lpString2="PUSSY.TXT") returned 1 [0129.396] PathFindExtensionW (pszPath="Safe Browsing Cookies") returned="" [0129.396] lstrlenW (lpString="") returned 0 [0129.396] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0129.396] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Cookies" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\safe browsing cookies"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0129.397] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=7168) returned 1 [0129.397] GetProcessHeap () returned 0x4c0000 [0129.397] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0129.454] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="5D") returned 2 [0129.454] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="4A") returned 2 [0129.454] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="59") returned 2 [0129.454] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="FA") returned 2 [0129.454] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="DC") returned 2 [0129.454] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="71") returned 2 [0129.454] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="07") returned 2 [0129.454] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="F1") returned 2 [0129.454] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="59") returned 2 [0129.454] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="F3") returned 2 [0129.454] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="26") returned 2 [0129.454] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="10") returned 2 [0129.454] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="76") returned 2 [0129.454] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="DD") returned 2 [0129.454] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="C8") returned 2 [0129.454] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="49") returned 2 [0129.454] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="50") returned 2 [0129.454] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="C0") returned 2 [0129.454] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="85") returned 2 [0129.454] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="80") returned 2 [0129.454] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="03") returned 2 [0129.454] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="CD") returned 2 [0129.454] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="DC") returned 2 [0129.454] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="78") returned 2 [0129.455] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="DC") returned 2 [0129.455] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="08") returned 2 [0129.455] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="68") returned 2 [0129.455] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="99") returned 2 [0129.455] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="C6") returned 2 [0129.455] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="AB") returned 2 [0129.455] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="AA") returned 2 [0129.455] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="06") returned 2 [0129.468] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Cookies" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Cookies") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Cookies" [0129.468] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Cookies" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Cookies") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Cookies" [0129.468] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Cookies", lpString2=".5D4A59FADC7107F159F3261076DDC84950C0858003CDDC78DC086899C6ABAA06" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Cookies.5D4A59FADC7107F159F3261076DDC84950C0858003CDDC78DC086899C6ABAA06") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Cookies.5D4A59FADC7107F159F3261076DDC84950C0858003CDDC78DC086899C6ABAA06" [0129.468] CreateIoCompletionPort (FileHandle=0x17c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0129.468] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0129.469] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8582d950, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8582d950, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85d166b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c15f66e, cFileName="Safe Browsing Cookies-journal", cAlternateFileName="SAFEBR~2")) returned 1 [0129.469] lstrcmpiW (lpString1="Safe Browsing Cookies-journal", lpString2="Windows") returned -1 [0129.469] lstrcmpiW (lpString1="Safe Browsing Cookies-journal", lpString2="Program Files") returned 1 [0129.469] lstrcmpiW (lpString1="Safe Browsing Cookies-journal", lpString2="Program Files (x86)") returned 1 [0129.469] lstrcmpiW (lpString1="Safe Browsing Cookies-journal", lpString2="$Recycle.bin") returned 1 [0129.469] lstrcmpiW (lpString1="Safe Browsing Cookies-journal", lpString2="System Volume Information") returned -1 [0129.469] lstrcmpiW (lpString1="Safe Browsing Cookies-journal", lpString2=".") returned 1 [0129.469] lstrcmpiW (lpString1="Safe Browsing Cookies-journal", lpString2="..") returned 1 [0129.469] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Cookies-journal") returned 101 [0129.469] lstrcmpW (lpString1="Safe Browsing Cookies-journal", lpString2="PUSSY.TXT") returned 1 [0129.469] PathFindExtensionW (pszPath="Safe Browsing Cookies-journal") returned="" [0129.470] lstrlenW (lpString="") returned 0 [0129.470] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0129.470] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Cookies-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\safe browsing cookies-journal"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d4 [0129.471] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=0) returned 1 [0129.471] CloseHandle (hObject=0x1d4) returned 1 [0129.471] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81e213b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x81e213b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x81e213b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c15f66e, cFileName="SSLErrorAssistant", cAlternateFileName="SSLERR~1")) returned 1 [0129.471] lstrcmpiW (lpString1="SSLErrorAssistant", lpString2="Windows") returned -1 [0129.471] lstrcmpiW (lpString1="SSLErrorAssistant", lpString2="Program Files") returned 1 [0129.471] lstrcmpiW (lpString1="SSLErrorAssistant", lpString2="Program Files (x86)") returned 1 [0129.471] lstrcmpiW (lpString1="SSLErrorAssistant", lpString2="$Recycle.bin") returned 1 [0129.471] lstrcmpiW (lpString1="SSLErrorAssistant", lpString2="System Volume Information") returned -1 [0129.471] lstrcmpiW (lpString1="SSLErrorAssistant", lpString2=".") returned 1 [0129.471] lstrcmpiW (lpString1="SSLErrorAssistant", lpString2="..") returned 1 [0129.471] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\SSLErrorAssistant") returned 89 [0129.471] GetProcessHeap () returned 0x4c0000 [0129.471] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0129.471] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\SSLErrorAssistant" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\SSLErrorAssistant") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\SSLErrorAssistant" [0129.471] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\SSLErrorAssistant", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\SSLErrorAssistant\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\SSLErrorAssistant\\*" [0129.471] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\SSLErrorAssistant\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81e213b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x81e213b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x81e213b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0129.472] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0129.472] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0129.472] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0129.472] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0129.472] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0129.472] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0129.472] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81e213b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x81e213b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x81e213b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0129.472] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0129.472] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0129.472] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0129.472] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0129.472] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0129.472] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0129.472] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0129.473] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81e213b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x81e213b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x81e213b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 0 [0129.473] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0129.473] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\SSLErrorAssistant\\PUSSY.TXT") returned 99 [0129.473] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\SSLErrorAssistant\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\sslerrorassistant\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0129.871] lstrlenA (lpString="abcd") returned 4 [0129.871] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0129.872] CloseHandle (hObject=0x1d0) returned 1 [0129.872] GetProcessHeap () returned 0x4c0000 [0129.872] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0129.875] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81e213b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x81e213b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x81e213b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c15f66e, cFileName="SwReporter", cAlternateFileName="SWREPO~1")) returned 1 [0129.875] lstrcmpiW (lpString1="SwReporter", lpString2="Windows") returned -1 [0129.875] lstrcmpiW (lpString1="SwReporter", lpString2="Program Files") returned 1 [0129.875] lstrcmpiW (lpString1="SwReporter", lpString2="Program Files (x86)") returned 1 [0129.875] lstrcmpiW (lpString1="SwReporter", lpString2="$Recycle.bin") returned 1 [0129.875] lstrcmpiW (lpString1="SwReporter", lpString2="System Volume Information") returned -1 [0129.875] lstrcmpiW (lpString1="SwReporter", lpString2=".") returned 1 [0129.875] lstrcmpiW (lpString1="SwReporter", lpString2="..") returned 1 [0129.875] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\SwReporter") returned 82 [0129.876] GetProcessHeap () returned 0x4c0000 [0129.876] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0129.876] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\SwReporter" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\SwReporter") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\SwReporter" [0129.876] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\SwReporter", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\SwReporter\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\SwReporter\\*" [0129.876] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\SwReporter\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81e213b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x81e213b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x81e213b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0129.877] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0129.877] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0129.877] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0129.877] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0129.877] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0129.877] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0129.877] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81e213b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x81e213b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x81e213b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0129.877] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0129.877] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0129.877] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0129.877] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0129.877] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0129.877] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0129.877] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0129.877] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81e213b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x81e213b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x81e213b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 0 [0129.878] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0129.878] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\SwReporter\\PUSSY.TXT") returned 92 [0129.878] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\SwReporter\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\swreporter\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0129.879] lstrlenA (lpString="abcd") returned 4 [0129.879] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0129.880] CloseHandle (hObject=0x1d0) returned 1 [0129.880] GetProcessHeap () returned 0x4c0000 [0129.880] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0129.880] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81dfb250, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x81dfb250, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x81dfb250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c15f66e, cFileName="WidevineCdm", cAlternateFileName="WIDEVI~1")) returned 1 [0129.880] lstrcmpiW (lpString1="WidevineCdm", lpString2="Windows") returned -1 [0129.880] lstrcmpiW (lpString1="WidevineCdm", lpString2="Program Files") returned 1 [0129.880] lstrcmpiW (lpString1="WidevineCdm", lpString2="Program Files (x86)") returned 1 [0129.880] lstrcmpiW (lpString1="WidevineCdm", lpString2="$Recycle.bin") returned 1 [0129.880] lstrcmpiW (lpString1="WidevineCdm", lpString2="System Volume Information") returned 1 [0129.880] lstrcmpiW (lpString1="WidevineCdm", lpString2=".") returned 1 [0129.880] lstrcmpiW (lpString1="WidevineCdm", lpString2="..") returned 1 [0129.880] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\WidevineCdm") returned 83 [0129.880] GetProcessHeap () returned 0x4c0000 [0129.880] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0129.881] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\WidevineCdm" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\WidevineCdm") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\WidevineCdm" [0129.881] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\WidevineCdm", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\WidevineCdm\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\WidevineCdm\\*" [0129.881] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\WidevineCdm\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81dfb250, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x81dfb250, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x81dfb250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0129.881] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0129.881] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0129.881] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0129.881] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0129.881] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0129.881] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0129.881] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81dfb250, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x81dfb250, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x81dfb250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0129.881] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0129.881] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0129.881] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0129.881] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0129.882] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0129.882] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0129.882] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0129.882] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81dfb250, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x81dfb250, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x81dfb250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 0 [0129.882] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0129.882] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\WidevineCdm\\PUSSY.TXT") returned 93 [0129.882] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\WidevineCdm\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\widevinecdm\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0129.883] lstrlenA (lpString="abcd") returned 4 [0129.883] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0129.884] CloseHandle (hObject=0x1d0) returned 1 [0129.884] GetProcessHeap () returned 0x4c0000 [0129.884] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0129.884] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81dfb250, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x81dfb250, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x81dfb250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c15f66e, cFileName="WidevineCdm", cAlternateFileName="WIDEVI~1")) returned 0 [0129.884] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0129.884] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\PUSSY.TXT") returned 81 [0129.885] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0129.885] lstrlenA (lpString="abcd") returned 4 [0129.885] WriteFile (in: hFile=0xec, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0129.887] CloseHandle (hObject=0xec) returned 1 [0129.887] GetProcessHeap () returned 0x4c0000 [0129.887] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0129.887] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7f572ae0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x9c593160, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x9c593160, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe45d5e1, dwReserved1=0xfe000000, cFileName="User Data", cAlternateFileName="USERDA~1")) returned 0 [0129.887] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0129.887] wnsprintfW (in: pszDest=0x3c10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\PUSSY.TXT") returned 71 [0129.887] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0129.888] lstrlenA (lpString="abcd") returned 4 [0129.888] WriteFile (in: hFile=0x180, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0129.889] CloseHandle (hObject=0x180) returned 1 [0129.889] GetProcessHeap () returned 0x4c0000 [0129.889] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c10050 | out: hHeap=0x4c0000) returned 1 [0129.890] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6b0b7d20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6b0b7d20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6b0b7d20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="CrashReports", cAlternateFileName="CRASHR~1")) returned 1 [0129.890] lstrcmpiW (lpString1="CrashReports", lpString2="Windows") returned -1 [0129.891] lstrcmpiW (lpString1="CrashReports", lpString2="Program Files") returned -1 [0129.891] lstrcmpiW (lpString1="CrashReports", lpString2="Program Files (x86)") returned -1 [0129.891] lstrcmpiW (lpString1="CrashReports", lpString2="$Recycle.bin") returned 1 [0129.891] lstrcmpiW (lpString1="CrashReports", lpString2="System Volume Information") returned -1 [0129.891] lstrcmpiW (lpString1="CrashReports", lpString2=".") returned 1 [0129.891] lstrcmpiW (lpString1="CrashReports", lpString2="..") returned 1 [0129.891] wnsprintfW (in: pszDest=0x3c00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\CrashReports") returned 67 [0129.891] GetProcessHeap () returned 0x4c0000 [0129.891] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0129.892] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\CrashReports" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\CrashReports") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\CrashReports" [0129.892] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\CrashReports", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\CrashReports\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\CrashReports\\*" [0129.892] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\CrashReports\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6b0b7d20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6b0b7d20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6b0b7d20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe45d5e1, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0129.892] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0129.892] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0129.892] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0129.892] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0129.892] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0129.892] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0129.892] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6b0b7d20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6b0b7d20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6b0b7d20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe45d5e1, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0129.893] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0129.893] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0129.893] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0129.893] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0129.893] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0129.893] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0129.893] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0129.893] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6b0b7d20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6b0b7d20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6b0b7d20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe45d5e1, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0129.893] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0129.893] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\CrashReports\\PUSSY.TXT") returned 77 [0129.893] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\CrashReports\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\crashreports\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0129.894] lstrlenA (lpString="abcd") returned 4 [0129.894] WriteFile (in: hFile=0x180, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0129.895] CloseHandle (hObject=0x180) returned 1 [0129.895] GetProcessHeap () returned 0x4c0000 [0129.895] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0129.899] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6b0b7d20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6b0b7d20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6b0b7d20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="CrashReports", cAlternateFileName="CRASHR~1")) returned 0 [0129.899] FindClose (in: hFindFile=0x3bb7020 | out: hFindFile=0x3bb7020) returned 1 [0129.900] wnsprintfW (in: pszDest=0x3c00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\PUSSY.TXT") returned 64 [0129.900] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0129.901] lstrlenA (lpString="abcd") returned 4 [0129.901] WriteFile (in: hFile=0x174, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0129.902] CloseHandle (hObject=0x174) returned 1 [0129.902] GetProcessHeap () returned 0x4c0000 [0129.902] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0129.904] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29175f80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29175f80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29175f80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="History", cAlternateFileName="")) returned 1 [0129.904] lstrcmpiW (lpString1="History", lpString2="Windows") returned -1 [0129.904] lstrcmpiW (lpString1="History", lpString2="Program Files") returned -1 [0129.904] lstrcmpiW (lpString1="History", lpString2="Program Files (x86)") returned -1 [0129.904] lstrcmpiW (lpString1="History", lpString2="$Recycle.bin") returned 1 [0129.904] lstrcmpiW (lpString1="History", lpString2="System Volume Information") returned -1 [0129.904] lstrcmpiW (lpString1="History", lpString2=".") returned 1 [0129.904] lstrcmpiW (lpString1="History", lpString2="..") returned 1 [0129.904] wnsprintfW (in: pszDest=0x52bae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\History") returned 55 [0129.904] GetProcessHeap () returned 0x4c0000 [0129.904] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0129.905] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\History" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\History") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\History" [0129.905] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\History", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\History\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\History\\*" [0129.905] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\History\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6b0b7d20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6b0b7d20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6b0b7d20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="CrashReports", cAlternateFileName="y")) returned 0xffffffff [0129.906] GetProcessHeap () returned 0x4c0000 [0129.906] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0129.909] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x28f14980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f14980, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x8de8eaa0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x126da7, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="IconCache.db", cAlternateFileName="ICONCA~1.DB")) returned 1 [0129.909] lstrcmpiW (lpString1="IconCache.db", lpString2="Windows") returned -1 [0129.909] lstrcmpiW (lpString1="IconCache.db", lpString2="Program Files") returned -1 [0129.909] lstrcmpiW (lpString1="IconCache.db", lpString2="Program Files (x86)") returned -1 [0129.909] lstrcmpiW (lpString1="IconCache.db", lpString2="$Recycle.bin") returned 1 [0129.909] lstrcmpiW (lpString1="IconCache.db", lpString2="System Volume Information") returned -1 [0129.909] lstrcmpiW (lpString1="IconCache.db", lpString2=".") returned 1 [0129.909] lstrcmpiW (lpString1="IconCache.db", lpString2="..") returned 1 [0129.909] wnsprintfW (in: pszDest=0x52bae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db") returned 60 [0129.909] lstrcmpW (lpString1="IconCache.db", lpString2="PUSSY.TXT") returned -1 [0129.909] PathFindExtensionW (pszPath="IconCache.db") returned=".db" [0129.909] lstrlenW (lpString=".db") returned 3 [0129.909] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0129.909] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\iconcache.db"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x174 [0129.912] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=1207719) returned 1 [0129.912] GetProcessHeap () returned 0x4c0000 [0129.912] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0129.926] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="FD") returned 2 [0129.926] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="7B") returned 2 [0129.926] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="F3") returned 2 [0129.926] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="52") returned 2 [0129.926] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="DC") returned 2 [0129.926] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="50") returned 2 [0129.926] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="0A") returned 2 [0129.927] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="A0") returned 2 [0129.927] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="22") returned 2 [0129.927] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="8F") returned 2 [0129.927] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="CE") returned 2 [0129.927] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="2E") returned 2 [0129.927] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="96") returned 2 [0129.927] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="0D") returned 2 [0129.927] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="CA") returned 2 [0129.927] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="B7") returned 2 [0129.927] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="34") returned 2 [0129.927] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="7B") returned 2 [0129.927] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="DB") returned 2 [0129.927] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="5F") returned 2 [0129.927] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="DA") returned 2 [0129.927] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="24") returned 2 [0129.927] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="F4") returned 2 [0129.927] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="A3") returned 2 [0129.927] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="13") returned 2 [0129.927] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="D7") returned 2 [0129.927] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="BE") returned 2 [0129.927] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="28") returned 2 [0129.927] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="8D") returned 2 [0129.928] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="6C") returned 2 [0129.928] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="BD") returned 2 [0129.928] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="7A") returned 2 [0129.940] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db" [0129.940] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db" [0129.940] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db", lpString2=".FD7BF352DC500AA0228FCE2E960DCAB7347BDB5FDA24F4A313D7BE288D6CBD7A" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db.FD7BF352DC500AA0228FCE2E960DCAB7347BDB5FDA24F4A313D7BE288D6CBD7A") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db.FD7BF352DC500AA0228FCE2E960DCAB7347BDB5FDA24F4A313D7BE288D6CBD7A" [0129.940] CreateIoCompletionPort (FileHandle=0x174, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0129.940] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0129.940] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x962f4540, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x962f4540, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0129.940] lstrcmpiW (lpString1="Microsoft", lpString2="Windows") returned -1 [0129.940] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files") returned -1 [0129.940] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files (x86)") returned -1 [0129.940] lstrcmpiW (lpString1="Microsoft", lpString2="$Recycle.bin") returned 1 [0129.940] lstrcmpiW (lpString1="Microsoft", lpString2="System Volume Information") returned -1 [0129.940] lstrcmpiW (lpString1="Microsoft", lpString2=".") returned 1 [0129.940] lstrcmpiW (lpString1="Microsoft", lpString2="..") returned 1 [0129.940] wnsprintfW (in: pszDest=0x52bae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft") returned 57 [0129.941] GetProcessHeap () returned 0x4c0000 [0129.941] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0129.942] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft" [0129.942] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*" [0129.942] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x962f4540, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x962f4540, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7020 [0129.942] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0129.942] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0129.942] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0129.942] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0129.942] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0129.942] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0129.942] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x962f4540, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x962f4540, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0129.943] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0129.943] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0129.943] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0129.943] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0129.943] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0129.943] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0129.943] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0129.943] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xea43994d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Credentials", cAlternateFileName="CREDEN~1")) returned 1 [0129.943] lstrcmpiW (lpString1="Credentials", lpString2="Windows") returned -1 [0129.943] lstrcmpiW (lpString1="Credentials", lpString2="Program Files") returned -1 [0129.943] lstrcmpiW (lpString1="Credentials", lpString2="Program Files (x86)") returned -1 [0129.943] lstrcmpiW (lpString1="Credentials", lpString2="$Recycle.bin") returned 1 [0129.943] lstrcmpiW (lpString1="Credentials", lpString2="System Volume Information") returned -1 [0129.943] lstrcmpiW (lpString1="Credentials", lpString2=".") returned 1 [0129.943] lstrcmpiW (lpString1="Credentials", lpString2="..") returned 1 [0129.943] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Credentials") returned 69 [0129.943] GetProcessHeap () returned 0x4c0000 [0129.943] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0129.945] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Credentials" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Credentials") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Credentials" [0129.945] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Credentials", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Credentials\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Credentials\\*" [0129.945] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Credentials\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xea43994d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0129.945] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0129.945] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0129.945] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0129.945] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0129.945] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0129.945] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0129.945] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xea43994d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0129.946] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0129.946] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0129.946] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0129.946] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0129.946] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0129.946] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0129.946] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0129.946] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xea43994d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0129.946] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0129.946] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Credentials\\PUSSY.TXT") returned 79 [0129.946] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Credentials\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\credentials\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0129.948] lstrlenA (lpString="abcd") returned 4 [0129.948] WriteFile (in: hFile=0xec, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0129.949] CloseHandle (hObject=0xec) returned 1 [0129.949] GetProcessHeap () returned 0x4c0000 [0129.949] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0129.949] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x32121370, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x32121370, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x32121370, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Event Viewer", cAlternateFileName="EVENTV~1")) returned 1 [0129.949] lstrcmpiW (lpString1="Event Viewer", lpString2="Windows") returned -1 [0129.949] lstrcmpiW (lpString1="Event Viewer", lpString2="Program Files") returned -1 [0129.949] lstrcmpiW (lpString1="Event Viewer", lpString2="Program Files (x86)") returned -1 [0129.949] lstrcmpiW (lpString1="Event Viewer", lpString2="$Recycle.bin") returned 1 [0129.949] lstrcmpiW (lpString1="Event Viewer", lpString2="System Volume Information") returned -1 [0129.950] lstrcmpiW (lpString1="Event Viewer", lpString2=".") returned 1 [0129.950] lstrcmpiW (lpString1="Event Viewer", lpString2="..") returned 1 [0129.950] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Event Viewer") returned 70 [0129.950] GetProcessHeap () returned 0x4c0000 [0129.950] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0129.950] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Event Viewer" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Event Viewer") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Event Viewer" [0129.950] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Event Viewer", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Event Viewer\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Event Viewer\\*" [0129.950] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Event Viewer\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x32121370, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x32121370, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x32121370, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0129.951] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0129.951] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0129.951] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0129.951] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0129.951] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0129.951] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0129.951] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x32121370, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x32121370, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x32121370, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0129.951] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0129.951] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0129.951] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0129.951] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0129.951] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0129.952] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0129.952] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0129.952] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x32121370, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x32121370, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x32121370, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0129.952] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0129.952] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Event Viewer\\PUSSY.TXT") returned 80 [0129.952] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Event Viewer\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\event viewer\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0129.955] lstrlenA (lpString="abcd") returned 4 [0129.955] WriteFile (in: hFile=0xec, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0129.956] CloseHandle (hObject=0xec) returned 1 [0129.956] GetProcessHeap () returned 0x4c0000 [0129.956] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0129.957] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f14980, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xff0498b1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Feeds", cAlternateFileName="")) returned 1 [0129.957] lstrcmpiW (lpString1="Feeds", lpString2="Windows") returned -1 [0129.957] lstrcmpiW (lpString1="Feeds", lpString2="Program Files") returned -1 [0129.957] lstrcmpiW (lpString1="Feeds", lpString2="Program Files (x86)") returned -1 [0129.957] lstrcmpiW (lpString1="Feeds", lpString2="$Recycle.bin") returned 1 [0129.957] lstrcmpiW (lpString1="Feeds", lpString2="System Volume Information") returned -1 [0129.957] lstrcmpiW (lpString1="Feeds", lpString2=".") returned 1 [0129.957] lstrcmpiW (lpString1="Feeds", lpString2="..") returned 1 [0129.957] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds") returned 63 [0129.957] GetProcessHeap () returned 0x4c0000 [0129.957] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0129.957] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds" [0129.957] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\*" [0129.957] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f14980, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xff0498b1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0130.001] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0130.001] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0130.001] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0130.001] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0130.001] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0130.001] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0130.001] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f14980, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xff0498b1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0130.002] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0130.002] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0130.002] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0130.002] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0130.002] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0130.002] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0130.002] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0130.002] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28f14980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f14980, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x6e0227e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x1a00, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="FeedsStore.feedsdb-ms", cAlternateFileName="FEEDSS~1.FEE")) returned 1 [0130.002] lstrcmpiW (lpString1="FeedsStore.feedsdb-ms", lpString2="Windows") returned -1 [0130.002] lstrcmpiW (lpString1="FeedsStore.feedsdb-ms", lpString2="Program Files") returned -1 [0130.002] lstrcmpiW (lpString1="FeedsStore.feedsdb-ms", lpString2="Program Files (x86)") returned -1 [0130.002] lstrcmpiW (lpString1="FeedsStore.feedsdb-ms", lpString2="$Recycle.bin") returned 1 [0130.002] lstrcmpiW (lpString1="FeedsStore.feedsdb-ms", lpString2="System Volume Information") returned -1 [0130.002] lstrcmpiW (lpString1="FeedsStore.feedsdb-ms", lpString2=".") returned 1 [0130.002] lstrcmpiW (lpString1="FeedsStore.feedsdb-ms", lpString2="..") returned 1 [0130.002] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms") returned 85 [0130.002] lstrcmpW (lpString1="FeedsStore.feedsdb-ms", lpString2="PUSSY.TXT") returned -1 [0130.002] PathFindExtensionW (pszPath="FeedsStore.feedsdb-ms") returned=".feedsdb-ms" [0130.002] lstrlenW (lpString=".feedsdb-ms") returned 11 [0130.002] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0130.002] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\feedsstore.feedsdb-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x174 [0130.003] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=6656) returned 1 [0130.004] GetProcessHeap () returned 0x4c0000 [0130.004] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0130.032] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="41") returned 2 [0130.032] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="19") returned 2 [0130.032] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="0D") returned 2 [0130.032] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="74") returned 2 [0130.032] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="5E") returned 2 [0130.032] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="98") returned 2 [0130.032] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="B5") returned 2 [0130.032] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="75") returned 2 [0130.032] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="69") returned 2 [0130.033] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="FD") returned 2 [0130.033] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="D9") returned 2 [0130.033] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="BB") returned 2 [0130.033] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="95") returned 2 [0130.033] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="31") returned 2 [0130.033] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="16") returned 2 [0130.033] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="23") returned 2 [0130.033] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="C9") returned 2 [0130.033] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="D1") returned 2 [0130.033] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="63") returned 2 [0130.033] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="D8") returned 2 [0130.033] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="5B") returned 2 [0130.033] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="82") returned 2 [0130.033] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="85") returned 2 [0130.033] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="09") returned 2 [0130.033] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="1B") returned 2 [0130.033] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="73") returned 2 [0130.033] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="A9") returned 2 [0130.033] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="B4") returned 2 [0130.033] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="D3") returned 2 [0130.033] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="9E") returned 2 [0130.033] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="A0") returned 2 [0130.033] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="2E") returned 2 [0130.045] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms" [0130.045] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms" [0130.045] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms", lpString2=".41190D745E98B57569FDD9BB95311623C9D163D85B8285091B73A9B4D39EA02E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms.41190D745E98B57569FDD9BB95311623C9D163D85B8285091B73A9B4D39EA02E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms.41190D745E98B57569FDD9BB95311623C9D163D85B8285091B73A9B4D39EA02E" [0130.045] CreateIoCompletionPort (FileHandle=0x174, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0130.046] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0130.046] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f14980, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfee3456d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="Microsoft Feeds~", cAlternateFileName="MICROS~1")) returned 1 [0130.046] lstrcmpiW (lpString1="Microsoft Feeds~", lpString2="Windows") returned -1 [0130.057] lstrcmpiW (lpString1="Microsoft Feeds~", lpString2="Program Files") returned -1 [0130.057] lstrcmpiW (lpString1="Microsoft Feeds~", lpString2="Program Files (x86)") returned -1 [0130.057] lstrcmpiW (lpString1="Microsoft Feeds~", lpString2="$Recycle.bin") returned 1 [0130.057] lstrcmpiW (lpString1="Microsoft Feeds~", lpString2="System Volume Information") returned -1 [0130.057] lstrcmpiW (lpString1="Microsoft Feeds~", lpString2=".") returned 1 [0130.057] lstrcmpiW (lpString1="Microsoft Feeds~", lpString2="..") returned 1 [0130.057] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~") returned 80 [0130.057] GetProcessHeap () returned 0x4c0000 [0130.059] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0130.060] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~" [0130.060] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\*" [0130.060] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f14980, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfee3456d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0130.100] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0130.101] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0130.101] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0130.101] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0130.101] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0130.101] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0130.101] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f14980, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfee3456d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0130.101] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0130.101] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0130.101] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0130.101] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0130.101] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0130.101] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0130.101] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0130.101] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28f14980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f14980, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfeaa2466, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x7000, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="Microsoft at Home~.feed-ms", cAlternateFileName="MICROS~2.FEE")) returned 1 [0130.101] lstrcmpiW (lpString1="Microsoft at Home~.feed-ms", lpString2="Windows") returned -1 [0130.101] lstrcmpiW (lpString1="Microsoft at Home~.feed-ms", lpString2="Program Files") returned -1 [0130.101] lstrcmpiW (lpString1="Microsoft at Home~.feed-ms", lpString2="Program Files (x86)") returned -1 [0130.101] lstrcmpiW (lpString1="Microsoft at Home~.feed-ms", lpString2="$Recycle.bin") returned 1 [0130.101] lstrcmpiW (lpString1="Microsoft at Home~.feed-ms", lpString2="System Volume Information") returned -1 [0130.101] lstrcmpiW (lpString1="Microsoft at Home~.feed-ms", lpString2=".") returned 1 [0130.101] lstrcmpiW (lpString1="Microsoft at Home~.feed-ms", lpString2="..") returned 1 [0130.101] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms") returned 107 [0130.102] lstrcmpW (lpString1="Microsoft at Home~.feed-ms", lpString2="PUSSY.TXT") returned -1 [0130.102] PathFindExtensionW (pszPath="Microsoft at Home~.feed-ms") returned=".feed-ms" [0130.102] lstrlenW (lpString=".feed-ms") returned 8 [0130.102] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0130.102] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\microsoft at home~.feed-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0130.103] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=28672) returned 1 [0130.103] GetProcessHeap () returned 0x4c0000 [0130.103] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0130.116] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="B4") returned 2 [0130.116] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="BD") returned 2 [0130.116] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="D5") returned 2 [0130.116] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="8E") returned 2 [0130.116] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="DE") returned 2 [0130.116] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="44") returned 2 [0130.116] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="A8") returned 2 [0130.117] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="8C") returned 2 [0130.117] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="90") returned 2 [0130.117] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="90") returned 2 [0130.117] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="64") returned 2 [0130.117] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="65") returned 2 [0130.117] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="75") returned 2 [0130.117] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="57") returned 2 [0130.117] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="CA") returned 2 [0130.117] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="59") returned 2 [0130.117] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="00") returned 2 [0130.117] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="53") returned 2 [0130.117] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="B5") returned 2 [0130.117] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="81") returned 2 [0130.117] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="98") returned 2 [0130.117] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="95") returned 2 [0130.117] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="5A") returned 2 [0130.117] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="64") returned 2 [0130.117] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="D9") returned 2 [0130.117] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="2E") returned 2 [0130.117] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="A8") returned 2 [0130.117] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="CA") returned 2 [0130.117] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="24") returned 2 [0130.117] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="B5") returned 2 [0130.117] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="65") returned 2 [0130.117] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="34") returned 2 [0130.130] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms" [0130.130] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms" [0130.130] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms", lpString2=".B4BDD58EDE44A88C909064657557CA590053B58198955A64D92EA8CA24B56534" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms.B4BDD58EDE44A88C909064657557CA590053B58198955A64D92EA8CA24B56534") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms.B4BDD58EDE44A88C909064657557CA590053B58198955A64D92EA8CA24B56534" [0130.130] CreateIoCompletionPort (FileHandle=0x1d8, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0130.130] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0130.130] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28f14980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f14980, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfedc214c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x7000, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="Microsoft at Work~.feed-ms", cAlternateFileName="MICROS~1.FEE")) returned 1 [0130.130] lstrcmpiW (lpString1="Microsoft at Work~.feed-ms", lpString2="Windows") returned -1 [0130.130] lstrcmpiW (lpString1="Microsoft at Work~.feed-ms", lpString2="Program Files") returned -1 [0130.130] lstrcmpiW (lpString1="Microsoft at Work~.feed-ms", lpString2="Program Files (x86)") returned -1 [0130.130] lstrcmpiW (lpString1="Microsoft at Work~.feed-ms", lpString2="$Recycle.bin") returned 1 [0130.130] lstrcmpiW (lpString1="Microsoft at Work~.feed-ms", lpString2="System Volume Information") returned -1 [0130.130] lstrcmpiW (lpString1="Microsoft at Work~.feed-ms", lpString2=".") returned 1 [0130.130] lstrcmpiW (lpString1="Microsoft at Work~.feed-ms", lpString2="..") returned 1 [0130.130] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms") returned 107 [0130.130] lstrcmpW (lpString1="Microsoft at Work~.feed-ms", lpString2="PUSSY.TXT") returned -1 [0130.131] PathFindExtensionW (pszPath="Microsoft at Work~.feed-ms") returned=".feed-ms" [0130.131] lstrlenW (lpString=".feed-ms") returned 8 [0130.131] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0130.131] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\microsoft at work~.feed-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a8 [0130.132] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=28672) returned 1 [0130.132] GetProcessHeap () returned 0x4c0000 [0130.132] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc80e0 [0130.144] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="CC") returned 2 [0130.145] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="71") returned 2 [0130.145] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="E9") returned 2 [0130.145] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="89") returned 2 [0130.145] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="11") returned 2 [0130.145] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="A4") returned 2 [0130.145] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="A0") returned 2 [0130.145] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="45") returned 2 [0130.145] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="FF") returned 2 [0130.145] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="A1") returned 2 [0130.145] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="E2") returned 2 [0130.145] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="C0") returned 2 [0130.145] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="88") returned 2 [0130.145] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="00") returned 2 [0130.145] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="01") returned 2 [0130.145] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="6F") returned 2 [0130.145] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="61") returned 2 [0130.145] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="DE") returned 2 [0130.145] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="38") returned 2 [0130.145] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="68") returned 2 [0130.145] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="F7") returned 2 [0130.145] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="38") returned 2 [0130.145] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="92") returned 2 [0130.145] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="DC") returned 2 [0130.146] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="C8") returned 2 [0130.146] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="36") returned 2 [0130.146] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="77") returned 2 [0130.146] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="41") returned 2 [0130.146] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="24") returned 2 [0130.146] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="04") returned 2 [0130.146] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="5D") returned 2 [0130.146] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="7B") returned 2 [0130.158] lstrcpyW (in: lpString1=0x3bd8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms" [0130.158] lstrcpyW (in: lpString1=0x3bc8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms" [0130.159] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms", lpString2=".CC71E98911A4A045FFA1E2C08800016F61DE3868F73892DCC836774124045D7B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms.CC71E98911A4A045FFA1E2C08800016F61DE3868F73892DCC836774124045D7B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms.CC71E98911A4A045FFA1E2C08800016F61DE3868F73892DCC836774124045D7B" [0130.159] CreateIoCompletionPort (FileHandle=0x1a8, ExistingCompletionPort=0x94, CompletionKey=0x3bc80e0, NumberOfConcurrentThreads=0x0) returned 0x94 [0130.159] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc80e0, lpOverlapped=0x3bc80e0) returned 1 [0130.159] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28f14980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f14980, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfee8082e, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x7000, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="MSNBC News~.feed-ms", cAlternateFileName="MSNBCN~1.FEE")) returned 1 [0130.159] lstrcmpiW (lpString1="MSNBC News~.feed-ms", lpString2="Windows") returned -1 [0130.159] lstrcmpiW (lpString1="MSNBC News~.feed-ms", lpString2="Program Files") returned -1 [0130.200] lstrcmpiW (lpString1="MSNBC News~.feed-ms", lpString2="Program Files (x86)") returned -1 [0130.200] lstrcmpiW (lpString1="MSNBC News~.feed-ms", lpString2="$Recycle.bin") returned 1 [0130.200] lstrcmpiW (lpString1="MSNBC News~.feed-ms", lpString2="System Volume Information") returned -1 [0130.200] lstrcmpiW (lpString1="MSNBC News~.feed-ms", lpString2=".") returned 1 [0130.200] lstrcmpiW (lpString1="MSNBC News~.feed-ms", lpString2="..") returned 1 [0130.200] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms") returned 100 [0130.200] lstrcmpW (lpString1="MSNBC News~.feed-ms", lpString2="PUSSY.TXT") returned -1 [0130.200] PathFindExtensionW (pszPath="MSNBC News~.feed-ms") returned=".feed-ms" [0130.200] lstrlenW (lpString=".feed-ms") returned 8 [0130.200] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0130.200] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\msnbc news~.feed-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0130.201] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=28672) returned 1 [0130.201] GetProcessHeap () returned 0x4c0000 [0130.201] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x53caf0 [0130.269] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="57") returned 2 [0130.269] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="83") returned 2 [0130.269] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="F7") returned 2 [0130.269] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="01") returned 2 [0130.269] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="52") returned 2 [0130.269] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="EA") returned 2 [0130.269] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="61") returned 2 [0130.269] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="84") returned 2 [0130.269] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="A7") returned 2 [0130.269] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="5D") returned 2 [0130.269] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="14") returned 2 [0130.269] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="E0") returned 2 [0130.269] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="06") returned 2 [0130.269] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="15") returned 2 [0130.269] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="DE") returned 2 [0130.269] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="D1") returned 2 [0130.269] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="D6") returned 2 [0130.269] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="27") returned 2 [0130.269] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="68") returned 2 [0130.269] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="B0") returned 2 [0130.269] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="90") returned 2 [0130.269] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="6A") returned 2 [0130.270] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="EE") returned 2 [0130.270] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="EF") returned 2 [0130.270] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="02") returned 2 [0130.270] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="7C") returned 2 [0130.270] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="7D") returned 2 [0130.270] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="B3") returned 2 [0130.270] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="6C") returned 2 [0130.270] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="35") returned 2 [0130.270] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="AC") returned 2 [0130.270] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="28") returned 2 [0130.283] lstrcpyW (in: lpString1=0x54cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms" [0130.283] lstrcpyW (in: lpString1=0x53cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms" [0130.283] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms", lpString2=".5783F70152EA6184A75D14E00615DED1D62768B0906AEEEF027C7DB36C35AC28" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms.5783F70152EA6184A75D14E00615DED1D62768B0906AEEEF027C7DB36C35AC28") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms.5783F70152EA6184A75D14E00615DED1D62768B0906AEEEF027C7DB36C35AC28" [0130.283] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x94, CompletionKey=0x53caf0, NumberOfConcurrentThreads=0x0) returned 0x94 [0130.283] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x53caf0, lpOverlapped=0x53caf0) returned 1 [0130.283] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28f14980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f14980, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfee8082e, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x7000, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="MSNBC News~.feed-ms", cAlternateFileName="MSNBCN~1.FEE")) returned 0 [0130.283] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0130.284] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\PUSSY.TXT") returned 90 [0130.284] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0130.285] lstrlenA (lpString="abcd") returned 4 [0130.285] WriteFile (in: hFile=0x174, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0130.286] CloseHandle (hObject=0x174) returned 1 [0130.286] GetProcessHeap () returned 0x4c0000 [0130.286] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0130.286] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xff0498b1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", cAlternateFileName="{5588A~1")) returned 1 [0130.286] lstrcmpiW (lpString1="{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpString2="Windows") returned -1 [0130.286] lstrcmpiW (lpString1="{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpString2="Program Files") returned -1 [0130.286] lstrcmpiW (lpString1="{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpString2="Program Files (x86)") returned -1 [0130.286] lstrcmpiW (lpString1="{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpString2="$Recycle.bin") returned 1 [0130.286] lstrcmpiW (lpString1="{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpString2="System Volume Information") returned -1 [0130.286] lstrcmpiW (lpString1="{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpString2=".") returned 1 [0130.286] lstrcmpiW (lpString1="{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpString2="..") returned 1 [0130.286] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~") returned 103 [0130.286] GetProcessHeap () returned 0x4c0000 [0130.287] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0130.287] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~" [0130.287] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\*" [0130.287] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xff0498b1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0130.287] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0130.287] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0130.287] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0130.287] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0130.287] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0130.287] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0130.287] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xff0498b1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0130.288] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0130.288] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0130.288] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0130.288] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0130.288] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0130.288] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0130.288] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0130.288] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x52d69eb0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x52d69eb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="WebSlices~", cAlternateFileName="WEBSLI~1")) returned 1 [0130.288] lstrcmpiW (lpString1="WebSlices~", lpString2="Windows") returned -1 [0130.288] lstrcmpiW (lpString1="WebSlices~", lpString2="Program Files") returned 1 [0130.288] lstrcmpiW (lpString1="WebSlices~", lpString2="Program Files (x86)") returned 1 [0130.328] lstrcmpiW (lpString1="WebSlices~", lpString2="$Recycle.bin") returned 1 [0130.328] lstrcmpiW (lpString1="WebSlices~", lpString2="System Volume Information") returned 1 [0130.328] lstrcmpiW (lpString1="WebSlices~", lpString2=".") returned 1 [0130.328] lstrcmpiW (lpString1="WebSlices~", lpString2="..") returned 1 [0130.328] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~") returned 114 [0130.328] GetProcessHeap () returned 0x4c0000 [0130.328] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0130.329] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~" [0130.329] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\*" [0130.329] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x52d69eb0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x52d69eb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0130.330] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0130.330] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0130.330] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0130.330] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0130.330] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0130.330] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0130.330] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x52d69eb0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x52d69eb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0130.331] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0130.331] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0130.331] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0130.331] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0130.331] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0130.331] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0130.331] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0130.331] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x52d69eb0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x52d69eb0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6e0227e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName="Suggested Sites~.feed-ms", cAlternateFileName="SUGGES~1.FEE")) returned 1 [0130.331] lstrcmpiW (lpString1="Suggested Sites~.feed-ms", lpString2="Windows") returned -1 [0130.331] lstrcmpiW (lpString1="Suggested Sites~.feed-ms", lpString2="Program Files") returned 1 [0130.331] lstrcmpiW (lpString1="Suggested Sites~.feed-ms", lpString2="Program Files (x86)") returned 1 [0130.331] lstrcmpiW (lpString1="Suggested Sites~.feed-ms", lpString2="$Recycle.bin") returned 1 [0130.331] lstrcmpiW (lpString1="Suggested Sites~.feed-ms", lpString2="System Volume Information") returned -1 [0130.331] lstrcmpiW (lpString1="Suggested Sites~.feed-ms", lpString2=".") returned 1 [0130.331] lstrcmpiW (lpString1="Suggested Sites~.feed-ms", lpString2="..") returned 1 [0130.331] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Suggested Sites~.feed-ms") returned 139 [0130.331] lstrcmpW (lpString1="Suggested Sites~.feed-ms", lpString2="PUSSY.TXT") returned 1 [0130.331] PathFindExtensionW (pszPath="Suggested Sites~.feed-ms") returned=".feed-ms" [0130.331] lstrlenW (lpString=".feed-ms") returned 8 [0130.332] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0130.332] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Suggested Sites~.feed-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\webslices~\\suggested sites~.feed-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0130.333] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=32768) returned 1 [0130.333] GetProcessHeap () returned 0x4c0000 [0130.333] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x564b40 [0130.348] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="79") returned 2 [0130.348] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="B5") returned 2 [0130.348] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="95") returned 2 [0130.348] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="D6") returned 2 [0130.348] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="F5") returned 2 [0130.348] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="0B") returned 2 [0130.348] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="77") returned 2 [0130.348] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="47") returned 2 [0130.348] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="EC") returned 2 [0130.348] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="30") returned 2 [0130.348] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="B4") returned 2 [0130.348] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="EB") returned 2 [0130.348] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="0D") returned 2 [0130.348] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="53") returned 2 [0130.348] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="A8") returned 2 [0130.348] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="ED") returned 2 [0130.348] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="BA") returned 2 [0130.348] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="4D") returned 2 [0130.348] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="3F") returned 2 [0130.348] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="FD") returned 2 [0130.349] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="27") returned 2 [0130.349] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="DD") returned 2 [0130.349] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="69") returned 2 [0130.349] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="A6") returned 2 [0130.349] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="B2") returned 2 [0130.349] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="9D") returned 2 [0130.349] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="A9") returned 2 [0130.349] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="9B") returned 2 [0130.349] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="2D") returned 2 [0130.349] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="4B") returned 2 [0130.349] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="32") returned 2 [0130.349] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="2B") returned 2 [0130.362] lstrcpyW (in: lpString1=0x574b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Suggested Sites~.feed-ms" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Suggested Sites~.feed-ms") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Suggested Sites~.feed-ms" [0130.362] lstrcpyW (in: lpString1=0x564b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Suggested Sites~.feed-ms" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Suggested Sites~.feed-ms") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Suggested Sites~.feed-ms" [0130.362] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Suggested Sites~.feed-ms", lpString2=".79B595D6F50B7747EC30B4EB0D53A8EDBA4D3FFD27DD69A6B29DA99B2D4B322B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Suggested Sites~.feed-ms.79B595D6F50B7747EC30B4EB0D53A8EDBA4D3FFD27DD69A6B29DA99B2D4B322B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Suggested Sites~.feed-ms.79B595D6F50B7747EC30B4EB0D53A8EDBA4D3FFD27DD69A6B29DA99B2D4B322B" [0130.362] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x564b40, NumberOfConcurrentThreads=0x0) returned 0x94 [0130.362] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x564b40, lpOverlapped=0x564b40) returned 1 [0130.362] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28f14980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f14980, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xff06fa11, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x7000, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName="Web Slice Gallery~.feed-ms", cAlternateFileName="WEBSLI~1.FEE")) returned 1 [0130.362] lstrcmpiW (lpString1="Web Slice Gallery~.feed-ms", lpString2="Windows") returned -1 [0130.362] lstrcmpiW (lpString1="Web Slice Gallery~.feed-ms", lpString2="Program Files") returned 1 [0130.362] lstrcmpiW (lpString1="Web Slice Gallery~.feed-ms", lpString2="Program Files (x86)") returned 1 [0130.362] lstrcmpiW (lpString1="Web Slice Gallery~.feed-ms", lpString2="$Recycle.bin") returned 1 [0130.362] lstrcmpiW (lpString1="Web Slice Gallery~.feed-ms", lpString2="System Volume Information") returned 1 [0130.362] lstrcmpiW (lpString1="Web Slice Gallery~.feed-ms", lpString2=".") returned 1 [0130.362] lstrcmpiW (lpString1="Web Slice Gallery~.feed-ms", lpString2="..") returned 1 [0130.362] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms") returned 141 [0130.362] lstrcmpW (lpString1="Web Slice Gallery~.feed-ms", lpString2="PUSSY.TXT") returned 1 [0130.363] PathFindExtensionW (pszPath="Web Slice Gallery~.feed-ms") returned=".feed-ms" [0130.363] lstrlenW (lpString=".feed-ms") returned 8 [0130.363] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0130.363] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\webslices~\\web slice gallery~.feed-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0130.411] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=28672) returned 1 [0130.411] GetProcessHeap () returned 0x4c0000 [0130.411] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0130.428] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="A6") returned 2 [0130.428] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="E9") returned 2 [0130.428] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="07") returned 2 [0130.428] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="4F") returned 2 [0130.428] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="64") returned 2 [0130.428] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="8F") returned 2 [0130.428] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="65") returned 2 [0130.428] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="93") returned 2 [0130.428] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="5F") returned 2 [0130.428] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="CD") returned 2 [0130.429] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="44") returned 2 [0130.429] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="E8") returned 2 [0130.429] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="0E") returned 2 [0130.429] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="5A") returned 2 [0130.429] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="07") returned 2 [0130.429] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="FE") returned 2 [0130.429] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="68") returned 2 [0130.429] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="C6") returned 2 [0130.429] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="37") returned 2 [0130.429] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="DA") returned 2 [0130.429] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="E3") returned 2 [0130.429] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="B3") returned 2 [0130.429] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="60") returned 2 [0130.429] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="EC") returned 2 [0130.429] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="77") returned 2 [0130.429] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="07") returned 2 [0130.429] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="58") returned 2 [0130.429] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="FC") returned 2 [0130.429] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="A5") returned 2 [0130.429] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="03") returned 2 [0130.429] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="4F") returned 2 [0130.429] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="5B") returned 2 [0130.442] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms" [0130.442] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms" [0130.442] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms", lpString2=".A6E9074F648F65935FCD44E80E5A07FE68C637DAE3B360EC770758FCA5034F5B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms.A6E9074F648F65935FCD44E80E5A07FE68C637DAE3B360EC770758FCA5034F5B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms.A6E9074F648F65935FCD44E80E5A07FE68C637DAE3B360EC770758FCA5034F5B" [0130.442] CreateIoCompletionPort (FileHandle=0x17c, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0130.442] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0130.443] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28f14980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f14980, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xff06fa11, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x7000, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName="Web Slice Gallery~.feed-ms", cAlternateFileName="WEBSLI~1.FEE")) returned 0 [0130.443] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0130.443] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\PUSSY.TXT") returned 124 [0130.443] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\webslices~\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0130.485] lstrlenA (lpString="abcd") returned 4 [0130.485] WriteFile (in: hFile=0x1a8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0130.486] CloseHandle (hObject=0x1a8) returned 1 [0130.486] GetProcessHeap () returned 0x4c0000 [0130.486] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0130.489] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x52d69eb0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x52d69eb0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="WebSlices~", cAlternateFileName="WEBSLI~1")) returned 0 [0130.489] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0130.489] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\PUSSY.TXT") returned 113 [0130.489] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0130.490] lstrlenA (lpString="abcd") returned 4 [0130.490] WriteFile (in: hFile=0x174, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0130.491] CloseHandle (hObject=0x174) returned 1 [0130.491] GetProcessHeap () returned 0x4c0000 [0130.491] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0130.491] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xff0498b1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", cAlternateFileName="{5588A~1")) returned 0 [0130.491] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0130.491] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\PUSSY.TXT") returned 73 [0130.491] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0130.501] lstrlenA (lpString="abcd") returned 4 [0130.501] WriteFile (in: hFile=0xec, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0130.510] CloseHandle (hObject=0xec) returned 1 [0130.511] GetProcessHeap () returned 0x4c0000 [0130.511] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0130.511] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f3aae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfea09ee5, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Feeds Cache", cAlternateFileName="FEEDSC~1")) returned 1 [0130.511] lstrcmpiW (lpString1="Feeds Cache", lpString2="Windows") returned -1 [0130.511] lstrcmpiW (lpString1="Feeds Cache", lpString2="Program Files") returned -1 [0130.511] lstrcmpiW (lpString1="Feeds Cache", lpString2="Program Files (x86)") returned -1 [0130.511] lstrcmpiW (lpString1="Feeds Cache", lpString2="$Recycle.bin") returned 1 [0130.511] lstrcmpiW (lpString1="Feeds Cache", lpString2="System Volume Information") returned -1 [0130.511] lstrcmpiW (lpString1="Feeds Cache", lpString2=".") returned 1 [0130.511] lstrcmpiW (lpString1="Feeds Cache", lpString2="..") returned 1 [0130.511] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache") returned 69 [0130.511] GetProcessHeap () returned 0x4c0000 [0130.511] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0130.511] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache" [0130.511] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\*" [0130.511] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f3aae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfea09ee5, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0130.514] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0130.514] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0130.514] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0130.514] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0130.514] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0130.514] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0130.515] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f3aae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfea09ee5, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0130.515] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0130.515] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0130.515] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0130.515] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0130.515] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0130.515] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0130.515] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0130.515] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f14980, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfedc214c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="1NBUR4HR", cAlternateFileName="")) returned 1 [0130.515] lstrcmpiW (lpString1="1NBUR4HR", lpString2="Windows") returned -1 [0130.515] lstrcmpiW (lpString1="1NBUR4HR", lpString2="Program Files") returned -1 [0130.515] lstrcmpiW (lpString1="1NBUR4HR", lpString2="Program Files (x86)") returned -1 [0130.515] lstrcmpiW (lpString1="1NBUR4HR", lpString2="$Recycle.bin") returned 1 [0130.515] lstrcmpiW (lpString1="1NBUR4HR", lpString2="System Volume Information") returned -1 [0130.515] lstrcmpiW (lpString1="1NBUR4HR", lpString2=".") returned 1 [0130.515] lstrcmpiW (lpString1="1NBUR4HR", lpString2="..") returned 1 [0130.515] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR") returned 78 [0130.515] GetProcessHeap () returned 0x4c0000 [0130.515] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0130.515] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR" [0130.515] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\*" [0130.515] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f14980, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfedc214c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0130.516] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0130.516] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0130.516] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0130.516] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0130.516] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0130.516] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0130.516] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f14980, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfedc214c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0130.516] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0130.516] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0130.516] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0130.516] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0130.516] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0130.516] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0130.516] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0130.516] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x28f14980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f14980, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfea09ee5, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x43, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0130.516] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0130.516] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0130.516] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0130.517] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0130.517] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0130.517] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0130.517] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0130.517] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\desktop.ini") returned 90 [0130.517] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0130.517] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0130.517] lstrlenW (lpString=".ini") returned 4 [0130.517] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0130.517] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\1nbur4hr\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0130.518] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=67) returned 1 [0130.518] CloseHandle (hObject=0x1d0) returned 1 [0130.518] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28f14980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f14980, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfedc214c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName="fwlink[1]", cAlternateFileName="FWLINK~1")) returned 1 [0130.518] lstrcmpiW (lpString1="fwlink[1]", lpString2="Windows") returned -1 [0130.518] lstrcmpiW (lpString1="fwlink[1]", lpString2="Program Files") returned -1 [0130.518] lstrcmpiW (lpString1="fwlink[1]", lpString2="Program Files (x86)") returned -1 [0130.518] lstrcmpiW (lpString1="fwlink[1]", lpString2="$Recycle.bin") returned 1 [0130.518] lstrcmpiW (lpString1="fwlink[1]", lpString2="System Volume Information") returned -1 [0130.518] lstrcmpiW (lpString1="fwlink[1]", lpString2=".") returned 1 [0130.518] lstrcmpiW (lpString1="fwlink[1]", lpString2="..") returned 1 [0130.518] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\fwlink[1]") returned 88 [0130.518] lstrcmpW (lpString1="fwlink[1]", lpString2="PUSSY.TXT") returned -1 [0130.518] PathFindExtensionW (pszPath="fwlink[1]") returned="" [0130.518] lstrlenW (lpString="") returned 0 [0130.518] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0130.518] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\fwlink[1]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\1nbur4hr\\fwlink[1]"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0130.519] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=0) returned 1 [0130.519] CloseHandle (hObject=0x1d0) returned 1 [0130.519] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28f14980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f14980, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfedc214c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName="fwlink[1]", cAlternateFileName="FWLINK~1")) returned 0 [0130.519] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0130.519] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\PUSSY.TXT") returned 88 [0130.519] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\1nbur4hr\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0130.520] lstrlenA (lpString="abcd") returned 4 [0130.520] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0130.521] CloseHandle (hObject=0x17c) returned 1 [0130.521] GetProcessHeap () returned 0x4c0000 [0130.521] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0130.527] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f14980, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfee8082e, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="6ASVN7J7", cAlternateFileName="")) returned 1 [0130.527] lstrcmpiW (lpString1="6ASVN7J7", lpString2="Windows") returned -1 [0130.527] lstrcmpiW (lpString1="6ASVN7J7", lpString2="Program Files") returned -1 [0130.527] lstrcmpiW (lpString1="6ASVN7J7", lpString2="Program Files (x86)") returned -1 [0130.527] lstrcmpiW (lpString1="6ASVN7J7", lpString2="$Recycle.bin") returned 1 [0130.527] lstrcmpiW (lpString1="6ASVN7J7", lpString2="System Volume Information") returned -1 [0130.527] lstrcmpiW (lpString1="6ASVN7J7", lpString2=".") returned 1 [0130.527] lstrcmpiW (lpString1="6ASVN7J7", lpString2="..") returned 1 [0130.527] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7") returned 78 [0130.527] GetProcessHeap () returned 0x4c0000 [0130.527] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0130.528] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7" [0130.528] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\*" [0130.528] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f14980, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfee8082e, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0130.528] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0130.528] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0130.528] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0130.528] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0130.528] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0130.528] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0130.528] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f14980, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfee8082e, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0130.528] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0130.528] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0130.528] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0130.528] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0130.528] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0130.528] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0130.529] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0130.529] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x28f14980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f14980, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfea09ee5, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x43, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0130.529] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0130.529] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0130.529] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0130.529] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0130.529] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0130.529] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0130.529] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0130.529] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\desktop.ini") returned 90 [0130.529] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0130.529] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0130.529] lstrlenW (lpString=".ini") returned 4 [0130.529] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0130.529] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\6asvn7j7\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0130.530] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=67) returned 1 [0130.530] CloseHandle (hObject=0x1d0) returned 1 [0130.530] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28f14980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f14980, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfee8082e, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName="fwlink[1]", cAlternateFileName="FWLINK~1")) returned 1 [0130.530] lstrcmpiW (lpString1="fwlink[1]", lpString2="Windows") returned -1 [0130.530] lstrcmpiW (lpString1="fwlink[1]", lpString2="Program Files") returned -1 [0130.530] lstrcmpiW (lpString1="fwlink[1]", lpString2="Program Files (x86)") returned -1 [0130.530] lstrcmpiW (lpString1="fwlink[1]", lpString2="$Recycle.bin") returned 1 [0130.530] lstrcmpiW (lpString1="fwlink[1]", lpString2="System Volume Information") returned -1 [0130.530] lstrcmpiW (lpString1="fwlink[1]", lpString2=".") returned 1 [0130.530] lstrcmpiW (lpString1="fwlink[1]", lpString2="..") returned 1 [0130.530] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\fwlink[1]") returned 88 [0130.530] lstrcmpW (lpString1="fwlink[1]", lpString2="PUSSY.TXT") returned -1 [0130.530] PathFindExtensionW (pszPath="fwlink[1]") returned="" [0130.530] lstrlenW (lpString="") returned 0 [0130.530] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0130.530] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\fwlink[1]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\6asvn7j7\\fwlink[1]"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0130.531] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=0) returned 1 [0130.531] CloseHandle (hObject=0x1d0) returned 1 [0130.531] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28f14980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f14980, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfee8082e, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName="fwlink[1]", cAlternateFileName="FWLINK~1")) returned 0 [0130.532] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0130.532] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\PUSSY.TXT") returned 88 [0130.532] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\6asvn7j7\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0130.532] lstrlenA (lpString="abcd") returned 4 [0130.532] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0130.533] CloseHandle (hObject=0x17c) returned 1 [0130.533] GetProcessHeap () returned 0x4c0000 [0130.533] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0130.533] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f14980, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xff06fa11, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="D68G7BIJ", cAlternateFileName="")) returned 1 [0130.533] lstrcmpiW (lpString1="D68G7BIJ", lpString2="Windows") returned -1 [0130.533] lstrcmpiW (lpString1="D68G7BIJ", lpString2="Program Files") returned -1 [0130.533] lstrcmpiW (lpString1="D68G7BIJ", lpString2="Program Files (x86)") returned -1 [0130.533] lstrcmpiW (lpString1="D68G7BIJ", lpString2="$Recycle.bin") returned 1 [0130.533] lstrcmpiW (lpString1="D68G7BIJ", lpString2="System Volume Information") returned -1 [0130.534] lstrcmpiW (lpString1="D68G7BIJ", lpString2=".") returned 1 [0130.534] lstrcmpiW (lpString1="D68G7BIJ", lpString2="..") returned 1 [0130.534] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ") returned 78 [0130.534] GetProcessHeap () returned 0x4c0000 [0130.534] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0130.534] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ" [0130.534] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\*" [0130.534] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f14980, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xff06fa11, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0130.534] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0130.534] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0130.534] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0130.534] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0130.534] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0130.534] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0130.534] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f14980, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xff06fa11, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0130.534] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0130.534] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0130.534] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0130.534] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0130.534] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0130.534] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0130.534] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0130.534] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x28f14980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f14980, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfea09ee5, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x43, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0130.534] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0130.534] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0130.534] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0130.535] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0130.535] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0130.535] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0130.535] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0130.535] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\desktop.ini") returned 90 [0130.535] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0130.535] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0130.535] lstrlenW (lpString=".ini") returned 4 [0130.535] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0130.535] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\d68g7bij\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0130.535] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=67) returned 1 [0130.535] CloseHandle (hObject=0x1d0) returned 1 [0130.535] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28f14980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f14980, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xff06fa11, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName="fwlink[1]", cAlternateFileName="FWLINK~1")) returned 1 [0130.535] lstrcmpiW (lpString1="fwlink[1]", lpString2="Windows") returned -1 [0130.535] lstrcmpiW (lpString1="fwlink[1]", lpString2="Program Files") returned -1 [0130.535] lstrcmpiW (lpString1="fwlink[1]", lpString2="Program Files (x86)") returned -1 [0130.535] lstrcmpiW (lpString1="fwlink[1]", lpString2="$Recycle.bin") returned 1 [0130.535] lstrcmpiW (lpString1="fwlink[1]", lpString2="System Volume Information") returned -1 [0130.535] lstrcmpiW (lpString1="fwlink[1]", lpString2=".") returned 1 [0130.535] lstrcmpiW (lpString1="fwlink[1]", lpString2="..") returned 1 [0130.535] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\fwlink[1]") returned 88 [0130.536] lstrcmpW (lpString1="fwlink[1]", lpString2="PUSSY.TXT") returned -1 [0130.536] PathFindExtensionW (pszPath="fwlink[1]") returned="" [0130.536] lstrlenW (lpString="") returned 0 [0130.536] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0130.536] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\fwlink[1]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\d68g7bij\\fwlink[1]"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0130.536] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=0) returned 1 [0130.536] CloseHandle (hObject=0x1d0) returned 1 [0130.536] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28f14980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f14980, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xff06fa11, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName="fwlink[1]", cAlternateFileName="FWLINK~1")) returned 0 [0130.536] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0130.536] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\PUSSY.TXT") returned 88 [0130.536] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\d68g7bij\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0130.537] lstrlenA (lpString="abcd") returned 4 [0130.537] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0130.538] CloseHandle (hObject=0x17c) returned 1 [0130.538] GetProcessHeap () returned 0x4c0000 [0130.538] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0130.538] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x28f14980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f14980, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe9e3d85, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x43, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0130.538] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0130.538] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0130.538] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0130.538] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0130.538] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0130.538] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0130.538] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0130.538] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\desktop.ini") returned 81 [0130.538] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0130.538] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0130.538] lstrlenW (lpString=".ini") returned 4 [0130.538] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0130.538] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0130.538] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=67) returned 1 [0130.539] CloseHandle (hObject=0x17c) returned 1 [0130.539] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x28f14980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f14980, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2bc126f0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="index.dat", cAlternateFileName="")) returned 1 [0130.539] lstrcmpiW (lpString1="index.dat", lpString2="Windows") returned -1 [0130.539] lstrcmpiW (lpString1="index.dat", lpString2="Program Files") returned -1 [0130.539] lstrcmpiW (lpString1="index.dat", lpString2="Program Files (x86)") returned -1 [0130.539] lstrcmpiW (lpString1="index.dat", lpString2="$Recycle.bin") returned 1 [0130.539] lstrcmpiW (lpString1="index.dat", lpString2="System Volume Information") returned -1 [0130.539] lstrcmpiW (lpString1="index.dat", lpString2=".") returned 1 [0130.539] lstrcmpiW (lpString1="index.dat", lpString2="..") returned 1 [0130.539] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat") returned 79 [0130.539] lstrcmpW (lpString1="index.dat", lpString2="PUSSY.TXT") returned -1 [0130.539] PathFindExtensionW (pszPath="index.dat") returned=".dat" [0130.539] lstrlenW (lpString=".dat") returned 4 [0130.539] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0130.539] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\index.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0130.540] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=32768) returned 1 [0130.540] GetProcessHeap () returned 0x4c0000 [0130.540] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0130.551] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="BE") returned 2 [0130.551] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="3D") returned 2 [0130.551] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="5A") returned 2 [0130.551] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="14") returned 2 [0130.551] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="92") returned 2 [0130.551] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="00") returned 2 [0130.551] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="DF") returned 2 [0130.551] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="2A") returned 2 [0130.551] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="41") returned 2 [0130.551] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="29") returned 2 [0130.551] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="EA") returned 2 [0130.551] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="33") returned 2 [0130.551] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="54") returned 2 [0130.551] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="66") returned 2 [0130.551] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="2E") returned 2 [0130.551] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="65") returned 2 [0130.551] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="DD") returned 2 [0130.551] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="0E") returned 2 [0130.551] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="F6") returned 2 [0130.552] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="D4") returned 2 [0130.552] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="08") returned 2 [0130.552] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="F4") returned 2 [0130.552] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="96") returned 2 [0130.552] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="92") returned 2 [0130.552] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="F6") returned 2 [0130.552] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="18") returned 2 [0130.552] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="92") returned 2 [0130.552] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="76") returned 2 [0130.552] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="9D") returned 2 [0130.552] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="0C") returned 2 [0130.552] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="B6") returned 2 [0130.552] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="55") returned 2 [0130.560] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat" [0130.560] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat" [0130.560] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat", lpString2=".BE3D5A149200DF2A4129EA3354662E65DD0EF6D408F49692F61892769D0CB655" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat.BE3D5A149200DF2A4129EA3354662E65DD0EF6D408F49692F61892769D0CB655") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat.BE3D5A149200DF2A4129EA3354662E65DD0EF6D408F49692F61892769D0CB655" [0130.560] CreateIoCompletionPort (FileHandle=0x17c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0130.561] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0130.561] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x52d90010, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x52d90010, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="KQMHSVKD", cAlternateFileName="")) returned 1 [0130.561] lstrcmpiW (lpString1="KQMHSVKD", lpString2="Windows") returned -1 [0130.561] lstrcmpiW (lpString1="KQMHSVKD", lpString2="Program Files") returned -1 [0130.561] lstrcmpiW (lpString1="KQMHSVKD", lpString2="Program Files (x86)") returned -1 [0130.561] lstrcmpiW (lpString1="KQMHSVKD", lpString2="$Recycle.bin") returned 1 [0130.561] lstrcmpiW (lpString1="KQMHSVKD", lpString2="System Volume Information") returned -1 [0130.561] lstrcmpiW (lpString1="KQMHSVKD", lpString2=".") returned 1 [0130.561] lstrcmpiW (lpString1="KQMHSVKD", lpString2="..") returned 1 [0130.561] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD") returned 78 [0130.561] GetProcessHeap () returned 0x4c0000 [0130.561] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0130.561] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD" [0130.561] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\*" [0130.561] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x52d90010, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x52d90010, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0130.561] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0130.562] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0130.562] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0130.562] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0130.562] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0130.562] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0130.562] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x52d90010, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x52d90010, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0130.562] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0130.562] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0130.562] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0130.562] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0130.562] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0130.562] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0130.562] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0130.562] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x28f14980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f14980, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe9e3d85, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x43, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0130.562] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0130.562] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0130.562] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0130.562] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0130.562] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0130.562] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0130.562] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0130.562] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\desktop.ini") returned 90 [0130.562] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0130.562] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0130.562] lstrlenW (lpString=".ini") returned 4 [0130.562] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0130.562] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\kqmhsvkd\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0130.563] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=67) returned 1 [0130.563] CloseHandle (hObject=0x1d8) returned 1 [0130.563] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28f14980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f14980, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfed03a6b, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="fwlink[1]", cAlternateFileName="FWLINK~1")) returned 1 [0130.563] lstrcmpiW (lpString1="fwlink[1]", lpString2="Windows") returned -1 [0130.564] lstrcmpiW (lpString1="fwlink[1]", lpString2="Program Files") returned -1 [0130.564] lstrcmpiW (lpString1="fwlink[1]", lpString2="Program Files (x86)") returned -1 [0130.564] lstrcmpiW (lpString1="fwlink[1]", lpString2="$Recycle.bin") returned 1 [0130.564] lstrcmpiW (lpString1="fwlink[1]", lpString2="System Volume Information") returned -1 [0130.564] lstrcmpiW (lpString1="fwlink[1]", lpString2=".") returned 1 [0130.564] lstrcmpiW (lpString1="fwlink[1]", lpString2="..") returned 1 [0130.564] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\fwlink[1]") returned 88 [0130.564] lstrcmpW (lpString1="fwlink[1]", lpString2="PUSSY.TXT") returned -1 [0130.564] PathFindExtensionW (pszPath="fwlink[1]") returned="" [0130.564] lstrlenW (lpString="") returned 0 [0130.564] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0130.564] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\fwlink[1]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\kqmhsvkd\\fwlink[1]"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0130.564] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=0) returned 1 [0130.565] CloseHandle (hObject=0x1d8) returned 1 [0130.565] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2000, ftCreationTime.dwLowDateTime=0x52d90010, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x52d90010, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x52d90010, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="ieonline.microsoft[1]", cAlternateFileName="IEONLI~1.MIC")) returned 1 [0130.565] lstrcmpiW (lpString1="ieonline.microsoft[1]", lpString2="Windows") returned -1 [0130.565] lstrcmpiW (lpString1="ieonline.microsoft[1]", lpString2="Program Files") returned -1 [0130.565] lstrcmpiW (lpString1="ieonline.microsoft[1]", lpString2="Program Files (x86)") returned -1 [0130.565] lstrcmpiW (lpString1="ieonline.microsoft[1]", lpString2="$Recycle.bin") returned 1 [0130.565] lstrcmpiW (lpString1="ieonline.microsoft[1]", lpString2="System Volume Information") returned -1 [0130.565] lstrcmpiW (lpString1="ieonline.microsoft[1]", lpString2=".") returned 1 [0130.565] lstrcmpiW (lpString1="ieonline.microsoft[1]", lpString2="..") returned 1 [0130.565] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\ieonline.microsoft[1]") returned 100 [0130.565] lstrcmpW (lpString1="ieonline.microsoft[1]", lpString2="PUSSY.TXT") returned -1 [0130.565] PathFindExtensionW (pszPath="ieonline.microsoft[1]") returned=".microsoft[1]" [0130.565] lstrlenW (lpString=".microsoft[1]") returned 13 [0130.565] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0130.565] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\ieonline.microsoft[1]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\kqmhsvkd\\ieonline.microsoft[1]"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0130.565] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=0) returned 1 [0130.566] CloseHandle (hObject=0x1d8) returned 1 [0130.566] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2000, ftCreationTime.dwLowDateTime=0x52d90010, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x52d90010, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x52d90010, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="ieonline.microsoft[1]", cAlternateFileName="IEONLI~1.MIC")) returned 0 [0130.566] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0130.566] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\PUSSY.TXT") returned 88 [0130.566] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\kqmhsvkd\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0130.566] lstrlenA (lpString="abcd") returned 4 [0130.566] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0130.567] CloseHandle (hObject=0x1d0) returned 1 [0130.567] GetProcessHeap () returned 0x4c0000 [0130.567] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0130.567] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x52d90010, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x52d90010, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="KQMHSVKD", cAlternateFileName="")) returned 0 [0130.567] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0130.567] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\PUSSY.TXT") returned 79 [0130.567] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0130.568] lstrlenA (lpString="abcd") returned 4 [0130.568] WriteFile (in: hFile=0xec, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0130.569] CloseHandle (hObject=0xec) returned 1 [0130.569] GetProcessHeap () returned 0x4c0000 [0130.569] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0130.569] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3d1d6940, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x3d1d6940, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x3d1d6940, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="FORMS", cAlternateFileName="")) returned 1 [0130.569] lstrcmpiW (lpString1="FORMS", lpString2="Windows") returned -1 [0130.569] lstrcmpiW (lpString1="FORMS", lpString2="Program Files") returned -1 [0130.569] lstrcmpiW (lpString1="FORMS", lpString2="Program Files (x86)") returned -1 [0130.569] lstrcmpiW (lpString1="FORMS", lpString2="$Recycle.bin") returned 1 [0130.569] lstrcmpiW (lpString1="FORMS", lpString2="System Volume Information") returned -1 [0130.569] lstrcmpiW (lpString1="FORMS", lpString2=".") returned 1 [0130.569] lstrcmpiW (lpString1="FORMS", lpString2="..") returned 1 [0130.569] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS") returned 63 [0130.569] GetProcessHeap () returned 0x4c0000 [0130.569] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0130.569] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS" [0130.569] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS\\*" [0130.569] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3d1d6940, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x3d1d6940, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x3d1d6940, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0130.570] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0130.570] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0130.570] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0130.570] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0130.570] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0130.570] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0130.570] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3d1d6940, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x3d1d6940, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x3d1d6940, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0130.570] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0130.570] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0130.570] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0130.570] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0130.570] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0130.570] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0130.570] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0130.570] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3d1d6940, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x3d1d6940, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x3d757c20, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x3c0dc, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="FRMCACHE.DAT", cAlternateFileName="")) returned 1 [0130.570] lstrcmpiW (lpString1="FRMCACHE.DAT", lpString2="Windows") returned -1 [0130.570] lstrcmpiW (lpString1="FRMCACHE.DAT", lpString2="Program Files") returned -1 [0130.570] lstrcmpiW (lpString1="FRMCACHE.DAT", lpString2="Program Files (x86)") returned -1 [0130.570] lstrcmpiW (lpString1="FRMCACHE.DAT", lpString2="$Recycle.bin") returned 1 [0130.570] lstrcmpiW (lpString1="FRMCACHE.DAT", lpString2="System Volume Information") returned -1 [0130.570] lstrcmpiW (lpString1="FRMCACHE.DAT", lpString2=".") returned 1 [0130.570] lstrcmpiW (lpString1="FRMCACHE.DAT", lpString2="..") returned 1 [0130.570] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS\\FRMCACHE.DAT") returned 76 [0130.570] lstrcmpW (lpString1="FRMCACHE.DAT", lpString2="PUSSY.TXT") returned -1 [0130.570] PathFindExtensionW (pszPath="FRMCACHE.DAT") returned=".DAT" [0130.570] lstrlenW (lpString=".DAT") returned 4 [0130.570] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0130.571] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS\\FRMCACHE.DAT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\forms\\frmcache.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0130.571] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=245980) returned 1 [0130.571] GetProcessHeap () returned 0x4c0000 [0130.571] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc80e0 [0130.582] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="92") returned 2 [0130.582] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="B8") returned 2 [0130.582] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="57") returned 2 [0130.582] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="93") returned 2 [0130.582] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="4F") returned 2 [0130.582] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="B1") returned 2 [0130.582] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="90") returned 2 [0130.582] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="5A") returned 2 [0130.582] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="40") returned 2 [0130.582] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="9B") returned 2 [0130.582] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="2C") returned 2 [0130.582] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="B1") returned 2 [0130.582] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="C9") returned 2 [0130.582] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="0E") returned 2 [0130.582] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="90") returned 2 [0130.582] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="E7") returned 2 [0130.582] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="66") returned 2 [0130.582] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="EA") returned 2 [0130.582] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="8A") returned 2 [0130.582] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="0F") returned 2 [0130.582] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="24") returned 2 [0130.582] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="BE") returned 2 [0130.582] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="3A") returned 2 [0130.582] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="FC") returned 2 [0130.582] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="A4") returned 2 [0130.582] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="58") returned 2 [0130.583] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="D9") returned 2 [0130.583] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="16") returned 2 [0130.583] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="E7") returned 2 [0130.583] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="79") returned 2 [0130.583] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="23") returned 2 [0130.583] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="46") returned 2 [0130.593] lstrcpyW (in: lpString1=0x3bd8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS\\FRMCACHE.DAT" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS\\FRMCACHE.DAT") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS\\FRMCACHE.DAT" [0130.593] lstrcpyW (in: lpString1=0x3bc8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS\\FRMCACHE.DAT" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS\\FRMCACHE.DAT") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS\\FRMCACHE.DAT" [0130.593] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS\\FRMCACHE.DAT", lpString2=".92B857934FB1905A409B2CB1C90E90E766EA8A0F24BE3AFCA458D916E7792346" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS\\FRMCACHE.DAT.92B857934FB1905A409B2CB1C90E90E766EA8A0F24BE3AFCA458D916E7792346") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS\\FRMCACHE.DAT.92B857934FB1905A409B2CB1C90E90E766EA8A0F24BE3AFCA458D916E7792346" [0130.593] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x94, CompletionKey=0x3bc80e0, NumberOfConcurrentThreads=0x0) returned 0x94 [0130.593] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc80e0, lpOverlapped=0x3bc80e0) returned 1 [0130.593] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3d1d6940, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x3d1d6940, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x3d757c20, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x3c0dc, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="FRMCACHE.DAT", cAlternateFileName="")) returned 0 [0130.593] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0130.593] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS\\PUSSY.TXT") returned 73 [0130.593] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\forms\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0130.594] lstrlenA (lpString="abcd") returned 4 [0130.594] WriteFile (in: hFile=0xec, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0130.595] CloseHandle (hObject=0xec) returned 1 [0130.595] GetProcessHeap () returned 0x4c0000 [0130.595] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0130.595] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd754c00, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd754c00, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd754c00, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="IME12", cAlternateFileName="")) returned 1 [0130.595] lstrcmpiW (lpString1="IME12", lpString2="Windows") returned -1 [0130.595] lstrcmpiW (lpString1="IME12", lpString2="Program Files") returned -1 [0130.595] lstrcmpiW (lpString1="IME12", lpString2="Program Files (x86)") returned -1 [0130.595] lstrcmpiW (lpString1="IME12", lpString2="$Recycle.bin") returned 1 [0130.595] lstrcmpiW (lpString1="IME12", lpString2="System Volume Information") returned -1 [0130.596] lstrcmpiW (lpString1="IME12", lpString2=".") returned 1 [0130.596] lstrcmpiW (lpString1="IME12", lpString2="..") returned 1 [0130.596] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IME12") returned 63 [0130.596] GetProcessHeap () returned 0x4c0000 [0130.596] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0130.596] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IME12" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IME12") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IME12" [0130.596] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IME12", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IME12\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IME12\\*" [0130.596] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IME12\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd754c00, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd754c00, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd754c00, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0130.596] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0130.596] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0130.596] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0130.597] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0130.597] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0130.597] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0130.597] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd754c00, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd754c00, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd754c00, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0130.597] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0130.597] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0130.597] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0130.597] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0130.597] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0130.597] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0130.597] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0130.597] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd754c00, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd754c00, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd754c00, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0130.597] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0130.597] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IME12\\PUSSY.TXT") returned 73 [0130.597] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IME12\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\ime12\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0130.598] lstrlenA (lpString="abcd") returned 4 [0130.598] WriteFile (in: hFile=0xec, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0130.599] CloseHandle (hObject=0xec) returned 1 [0130.599] GetProcessHeap () returned 0x4c0000 [0130.599] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0130.599] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="IMJP12", cAlternateFileName="")) returned 1 [0130.599] lstrcmpiW (lpString1="IMJP12", lpString2="Windows") returned -1 [0130.599] lstrcmpiW (lpString1="IMJP12", lpString2="Program Files") returned -1 [0130.599] lstrcmpiW (lpString1="IMJP12", lpString2="Program Files (x86)") returned -1 [0130.600] lstrcmpiW (lpString1="IMJP12", lpString2="$Recycle.bin") returned 1 [0130.600] lstrcmpiW (lpString1="IMJP12", lpString2="System Volume Information") returned -1 [0130.600] lstrcmpiW (lpString1="IMJP12", lpString2=".") returned 1 [0130.600] lstrcmpiW (lpString1="IMJP12", lpString2="..") returned 1 [0130.600] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP12") returned 64 [0130.600] GetProcessHeap () returned 0x4c0000 [0130.600] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0130.600] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP12" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP12") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP12" [0130.600] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP12", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP12\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP12\\*" [0130.600] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP12\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0130.714] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0130.715] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0130.715] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0130.715] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0130.715] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0130.715] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0130.715] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0130.715] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0130.715] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0130.715] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0130.715] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0130.715] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0130.715] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0130.715] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0130.715] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0130.715] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0130.715] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP12\\PUSSY.TXT") returned 74 [0130.716] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP12\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\imjp12\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0130.717] lstrlenA (lpString="abcd") returned 4 [0130.717] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0130.718] CloseHandle (hObject=0x1d0) returned 1 [0130.718] GetProcessHeap () returned 0x4c0000 [0130.718] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0130.718] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="IMJP8_1", cAlternateFileName="")) returned 1 [0130.718] lstrcmpiW (lpString1="IMJP8_1", lpString2="Windows") returned -1 [0130.718] lstrcmpiW (lpString1="IMJP8_1", lpString2="Program Files") returned -1 [0130.718] lstrcmpiW (lpString1="IMJP8_1", lpString2="Program Files (x86)") returned -1 [0130.718] lstrcmpiW (lpString1="IMJP8_1", lpString2="$Recycle.bin") returned 1 [0130.718] lstrcmpiW (lpString1="IMJP8_1", lpString2="System Volume Information") returned -1 [0130.718] lstrcmpiW (lpString1="IMJP8_1", lpString2=".") returned 1 [0130.718] lstrcmpiW (lpString1="IMJP8_1", lpString2="..") returned 1 [0130.718] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP8_1") returned 65 [0130.718] GetProcessHeap () returned 0x4c0000 [0130.718] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0130.718] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP8_1" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP8_1") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP8_1" [0130.718] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP8_1", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP8_1\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP8_1\\*" [0130.718] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP8_1\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0130.720] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0130.720] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0130.720] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0130.720] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0130.720] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0130.720] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0130.720] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0130.720] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0130.720] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0130.720] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0130.720] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0130.720] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0130.720] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0130.720] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0130.720] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0130.720] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0130.721] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP8_1\\PUSSY.TXT") returned 75 [0130.721] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP8_1\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\imjp8_1\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0130.722] lstrlenA (lpString="abcd") returned 4 [0130.722] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0130.723] CloseHandle (hObject=0x1d0) returned 1 [0130.723] GetProcessHeap () returned 0x4c0000 [0130.723] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0130.723] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="IMJP9_0", cAlternateFileName="")) returned 1 [0130.723] lstrcmpiW (lpString1="IMJP9_0", lpString2="Windows") returned -1 [0130.723] lstrcmpiW (lpString1="IMJP9_0", lpString2="Program Files") returned -1 [0130.723] lstrcmpiW (lpString1="IMJP9_0", lpString2="Program Files (x86)") returned -1 [0130.723] lstrcmpiW (lpString1="IMJP9_0", lpString2="$Recycle.bin") returned 1 [0130.723] lstrcmpiW (lpString1="IMJP9_0", lpString2="System Volume Information") returned -1 [0130.723] lstrcmpiW (lpString1="IMJP9_0", lpString2=".") returned 1 [0130.723] lstrcmpiW (lpString1="IMJP9_0", lpString2="..") returned 1 [0130.723] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP9_0") returned 65 [0130.723] GetProcessHeap () returned 0x4c0000 [0130.723] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0130.723] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP9_0" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP9_0") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP9_0" [0130.723] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP9_0", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP9_0\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP9_0\\*" [0130.723] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP9_0\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0130.724] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0130.724] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0130.724] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0130.724] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0130.724] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0130.724] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0130.724] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0130.724] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0130.724] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0130.724] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0130.724] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0130.724] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0130.724] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0130.724] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0130.724] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0130.724] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0130.724] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP9_0\\PUSSY.TXT") returned 75 [0130.724] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP9_0\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\imjp9_0\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0130.725] lstrlenA (lpString="abcd") returned 4 [0130.725] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0130.726] CloseHandle (hObject=0x1d0) returned 1 [0130.726] GetProcessHeap () returned 0x4c0000 [0130.726] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0130.726] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x1d705b70, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d705b70, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0130.726] lstrcmpiW (lpString1="Internet Explorer", lpString2="Windows") returned -1 [0130.726] lstrcmpiW (lpString1="Internet Explorer", lpString2="Program Files") returned -1 [0130.726] lstrcmpiW (lpString1="Internet Explorer", lpString2="Program Files (x86)") returned -1 [0130.727] lstrcmpiW (lpString1="Internet Explorer", lpString2="$Recycle.bin") returned 1 [0130.727] lstrcmpiW (lpString1="Internet Explorer", lpString2="System Volume Information") returned -1 [0130.727] lstrcmpiW (lpString1="Internet Explorer", lpString2=".") returned 1 [0130.727] lstrcmpiW (lpString1="Internet Explorer", lpString2="..") returned 1 [0130.727] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer") returned 75 [0130.727] GetProcessHeap () returned 0x4c0000 [0130.727] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0130.727] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer" [0130.727] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\*" [0130.727] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x1d705b70, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d705b70, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0130.733] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0130.733] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0130.734] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0130.734] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0130.734] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0130.734] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0130.734] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x1d705b70, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d705b70, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0130.734] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0130.734] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0130.734] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0130.734] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0130.734] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0130.734] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0130.734] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0130.734] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28f14980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f14980, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xb371c2, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x2fa9, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="brndlog.bak", cAlternateFileName="")) returned 1 [0130.734] lstrcmpiW (lpString1="brndlog.bak", lpString2="Windows") returned -1 [0130.734] lstrcmpiW (lpString1="brndlog.bak", lpString2="Program Files") returned -1 [0130.734] lstrcmpiW (lpString1="brndlog.bak", lpString2="Program Files (x86)") returned -1 [0130.734] lstrcmpiW (lpString1="brndlog.bak", lpString2="$Recycle.bin") returned 1 [0130.734] lstrcmpiW (lpString1="brndlog.bak", lpString2="System Volume Information") returned -1 [0130.734] lstrcmpiW (lpString1="brndlog.bak", lpString2=".") returned 1 [0130.734] lstrcmpiW (lpString1="brndlog.bak", lpString2="..") returned 1 [0130.734] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak") returned 87 [0130.734] lstrcmpW (lpString1="brndlog.bak", lpString2="PUSSY.TXT") returned -1 [0130.734] PathFindExtensionW (pszPath="brndlog.bak") returned=".bak" [0130.734] lstrlenW (lpString=".bak") returned 4 [0130.735] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0130.735] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\brndlog.bak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0130.736] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=12201) returned 1 [0130.736] GetProcessHeap () returned 0x4c0000 [0130.736] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc80e0 [0130.750] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="F1") returned 2 [0130.750] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="E9") returned 2 [0130.750] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="02") returned 2 [0130.750] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="41") returned 2 [0130.750] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="26") returned 2 [0130.750] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="4C") returned 2 [0130.750] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="CA") returned 2 [0130.751] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="18") returned 2 [0130.751] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="C3") returned 2 [0130.751] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="9B") returned 2 [0130.751] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="60") returned 2 [0130.751] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="C2") returned 2 [0130.751] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="8B") returned 2 [0130.751] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="97") returned 2 [0130.751] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="B2") returned 2 [0130.751] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="93") returned 2 [0130.751] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="7B") returned 2 [0130.751] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="A0") returned 2 [0130.751] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="58") returned 2 [0130.751] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="DA") returned 2 [0130.751] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="33") returned 2 [0130.751] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="3D") returned 2 [0130.751] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="45") returned 2 [0130.751] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="BF") returned 2 [0130.751] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="48") returned 2 [0130.751] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="76") returned 2 [0130.751] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="22") returned 2 [0130.751] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="01") returned 2 [0130.751] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="6F") returned 2 [0130.751] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="9F") returned 2 [0130.751] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="30") returned 2 [0130.751] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="46") returned 2 [0130.763] lstrcpyW (in: lpString1=0x3bd8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak" [0130.763] lstrcpyW (in: lpString1=0x3bc8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak" [0130.763] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak", lpString2=".F1E90241264CCA18C39B60C28B97B2937BA058DA333D45BF487622016F9F3046" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak.F1E90241264CCA18C39B60C28B97B2937BA058DA333D45BF487622016F9F3046") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak.F1E90241264CCA18C39B60C28B97B2937BA058DA333D45BF487622016F9F3046" [0130.763] CreateIoCompletionPort (FileHandle=0x17c, ExistingCompletionPort=0x94, CompletionKey=0x3bc80e0, NumberOfConcurrentThreads=0x0) returned 0x94 [0130.763] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc80e0, lpOverlapped=0x3bc80e0) returned 1 [0130.764] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28f14980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f14980, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d977900, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x2fb0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="brndlog.txt", cAlternateFileName="")) returned 1 [0130.764] lstrcmpiW (lpString1="brndlog.txt", lpString2="Windows") returned -1 [0130.764] lstrcmpiW (lpString1="brndlog.txt", lpString2="Program Files") returned -1 [0130.764] lstrcmpiW (lpString1="brndlog.txt", lpString2="Program Files (x86)") returned -1 [0130.764] lstrcmpiW (lpString1="brndlog.txt", lpString2="$Recycle.bin") returned 1 [0130.764] lstrcmpiW (lpString1="brndlog.txt", lpString2="System Volume Information") returned -1 [0130.764] lstrcmpiW (lpString1="brndlog.txt", lpString2=".") returned 1 [0130.764] lstrcmpiW (lpString1="brndlog.txt", lpString2="..") returned 1 [0130.764] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt") returned 87 [0130.764] lstrcmpW (lpString1="brndlog.txt", lpString2="PUSSY.TXT") returned -1 [0130.764] PathFindExtensionW (pszPath="brndlog.txt") returned=".txt" [0130.764] lstrlenW (lpString=".txt") returned 4 [0130.764] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0130.764] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\brndlog.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xec [0130.783] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=12208) returned 1 [0130.783] GetProcessHeap () returned 0x4c0000 [0130.783] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0130.795] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="46") returned 2 [0130.795] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="FE") returned 2 [0130.795] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="DB") returned 2 [0130.795] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="82") returned 2 [0130.795] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="8D") returned 2 [0130.795] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="13") returned 2 [0130.795] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="08") returned 2 [0130.795] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="FB") returned 2 [0130.796] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="41") returned 2 [0130.796] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="71") returned 2 [0130.796] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="16") returned 2 [0130.796] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="8A") returned 2 [0130.796] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="EC") returned 2 [0130.796] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="24") returned 2 [0130.796] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="F4") returned 2 [0130.796] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="17") returned 2 [0130.796] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="DF") returned 2 [0130.796] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="6C") returned 2 [0130.796] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="F9") returned 2 [0130.796] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="11") returned 2 [0130.796] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="6E") returned 2 [0130.796] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="10") returned 2 [0130.796] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="DC") returned 2 [0130.796] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="EF") returned 2 [0130.796] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="71") returned 2 [0130.796] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="13") returned 2 [0130.796] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="47") returned 2 [0130.796] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="A0") returned 2 [0130.796] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="40") returned 2 [0130.796] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="6D") returned 2 [0130.796] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="18") returned 2 [0130.796] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="2B") returned 2 [0130.809] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt" [0130.809] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt" [0130.809] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt", lpString2=".46FEDB828D1308FB4171168AEC24F417DF6CF9116E10DCEF711347A0406D182B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt.46FEDB828D1308FB4171168AEC24F417DF6CF9116E10DCEF711347A0406D182B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt.46FEDB828D1308FB4171168AEC24F417DF6CF9116E10DCEF711347A0406D182B" [0130.809] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0130.809] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0130.809] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1d705b70, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1d705b70, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d705b70, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="DOMStore", cAlternateFileName="")) returned 1 [0130.809] lstrcmpiW (lpString1="DOMStore", lpString2="Windows") returned -1 [0130.809] lstrcmpiW (lpString1="DOMStore", lpString2="Program Files") returned -1 [0130.809] lstrcmpiW (lpString1="DOMStore", lpString2="Program Files (x86)") returned -1 [0130.809] lstrcmpiW (lpString1="DOMStore", lpString2="$Recycle.bin") returned 1 [0130.810] lstrcmpiW (lpString1="DOMStore", lpString2="System Volume Information") returned -1 [0130.810] lstrcmpiW (lpString1="DOMStore", lpString2=".") returned 1 [0130.810] lstrcmpiW (lpString1="DOMStore", lpString2="..") returned 1 [0130.810] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore") returned 84 [0130.810] GetProcessHeap () returned 0x4c0000 [0130.810] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0130.810] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore" [0130.810] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\*" [0130.810] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1d705b70, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1d705b70, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d705b70, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0130.812] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0130.812] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0130.812] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0130.812] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0130.812] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0130.812] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0130.812] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1d705b70, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1d705b70, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d705b70, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0130.812] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0130.813] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0130.813] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0130.813] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0130.813] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0130.813] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0130.813] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0130.813] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1d705b70, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1d705b70, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d705b70, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="3LKBQZJ3", cAlternateFileName="")) returned 1 [0130.813] lstrcmpiW (lpString1="3LKBQZJ3", lpString2="Windows") returned -1 [0130.813] lstrcmpiW (lpString1="3LKBQZJ3", lpString2="Program Files") returned -1 [0130.813] lstrcmpiW (lpString1="3LKBQZJ3", lpString2="Program Files (x86)") returned -1 [0130.813] lstrcmpiW (lpString1="3LKBQZJ3", lpString2="$Recycle.bin") returned 1 [0130.813] lstrcmpiW (lpString1="3LKBQZJ3", lpString2="System Volume Information") returned -1 [0130.813] lstrcmpiW (lpString1="3LKBQZJ3", lpString2=".") returned 1 [0130.813] lstrcmpiW (lpString1="3LKBQZJ3", lpString2="..") returned 1 [0130.813] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\3LKBQZJ3") returned 93 [0130.813] GetProcessHeap () returned 0x4c0000 [0130.813] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53caf0 [0130.815] lstrcpyW (in: lpString1=0x53caf0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\3LKBQZJ3" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\3LKBQZJ3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\3LKBQZJ3" [0130.815] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\3LKBQZJ3", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\3LKBQZJ3\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\3LKBQZJ3\\*" [0130.815] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\3LKBQZJ3\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1d705b70, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1d705b70, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d705b70, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0130.816] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0130.816] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0130.816] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0130.816] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0130.816] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0130.816] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0130.816] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1d705b70, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1d705b70, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d705b70, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0130.816] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0130.816] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0130.817] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0130.817] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0130.817] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0130.817] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0130.817] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0130.817] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1d705b70, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1d705b70, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d705b70, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0130.817] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0130.817] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\3LKBQZJ3\\PUSSY.TXT") returned 103 [0130.817] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\3LKBQZJ3\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\3lkbqzj3\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0130.818] lstrlenA (lpString="abcd") returned 4 [0130.818] WriteFile (in: hFile=0x174, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0130.853] CloseHandle (hObject=0x174) returned 1 [0130.853] GetProcessHeap () returned 0x4c0000 [0130.853] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0130.853] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1d705b70, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1d705b70, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d705b70, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="8NES5H33", cAlternateFileName="")) returned 1 [0130.853] lstrcmpiW (lpString1="8NES5H33", lpString2="Windows") returned -1 [0130.853] lstrcmpiW (lpString1="8NES5H33", lpString2="Program Files") returned -1 [0130.853] lstrcmpiW (lpString1="8NES5H33", lpString2="Program Files (x86)") returned -1 [0130.853] lstrcmpiW (lpString1="8NES5H33", lpString2="$Recycle.bin") returned 1 [0130.853] lstrcmpiW (lpString1="8NES5H33", lpString2="System Volume Information") returned -1 [0130.853] lstrcmpiW (lpString1="8NES5H33", lpString2=".") returned 1 [0130.853] lstrcmpiW (lpString1="8NES5H33", lpString2="..") returned 1 [0130.853] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\8NES5H33") returned 93 [0130.853] GetProcessHeap () returned 0x4c0000 [0130.853] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53caf0 [0130.853] lstrcpyW (in: lpString1=0x53caf0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\8NES5H33" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\8NES5H33") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\8NES5H33" [0130.853] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\8NES5H33", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\8NES5H33\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\8NES5H33\\*" [0130.853] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\8NES5H33\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1d705b70, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1d705b70, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d705b70, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0130.854] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0130.854] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0130.854] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0130.854] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0130.854] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0130.854] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0130.854] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1d705b70, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1d705b70, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d705b70, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0130.854] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0130.854] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0130.854] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0130.854] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0130.854] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0130.854] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0130.854] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0130.854] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1d705b70, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1d705b70, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d941010, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0xd, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="get.adobe[1].xml", cAlternateFileName="GETADO~1.XML")) returned 1 [0130.854] lstrcmpiW (lpString1="get.adobe[1].xml", lpString2="Windows") returned -1 [0130.854] lstrcmpiW (lpString1="get.adobe[1].xml", lpString2="Program Files") returned -1 [0130.854] lstrcmpiW (lpString1="get.adobe[1].xml", lpString2="Program Files (x86)") returned -1 [0130.854] lstrcmpiW (lpString1="get.adobe[1].xml", lpString2="$Recycle.bin") returned 1 [0130.854] lstrcmpiW (lpString1="get.adobe[1].xml", lpString2="System Volume Information") returned -1 [0130.854] lstrcmpiW (lpString1="get.adobe[1].xml", lpString2=".") returned 1 [0130.854] lstrcmpiW (lpString1="get.adobe[1].xml", lpString2="..") returned 1 [0130.854] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\8NES5H33\\get.adobe[1].xml") returned 110 [0130.854] lstrcmpW (lpString1="get.adobe[1].xml", lpString2="PUSSY.TXT") returned -1 [0130.854] PathFindExtensionW (pszPath="get.adobe[1].xml") returned=".xml" [0130.855] lstrlenW (lpString=".xml") returned 4 [0130.855] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0130.855] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\8NES5H33\\get.adobe[1].xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\8nes5h33\\get.adobe[1].xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a8 [0130.855] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=13) returned 1 [0130.855] CloseHandle (hObject=0x1a8) returned 1 [0130.856] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1d705b70, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1d705b70, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d941010, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0xd, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="get.adobe[1].xml", cAlternateFileName="GETADO~1.XML")) returned 0 [0130.856] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0130.856] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\8NES5H33\\PUSSY.TXT") returned 103 [0130.856] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\8NES5H33\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\8nes5h33\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0130.857] lstrlenA (lpString="abcd") returned 4 [0130.857] WriteFile (in: hFile=0x174, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0130.858] CloseHandle (hObject=0x174) returned 1 [0130.858] GetProcessHeap () returned 0x4c0000 [0130.858] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0130.858] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1d705b70, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1d705b70, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d705b70, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="FKLUIDU0", cAlternateFileName="")) returned 1 [0130.858] lstrcmpiW (lpString1="FKLUIDU0", lpString2="Windows") returned -1 [0130.858] lstrcmpiW (lpString1="FKLUIDU0", lpString2="Program Files") returned -1 [0130.858] lstrcmpiW (lpString1="FKLUIDU0", lpString2="Program Files (x86)") returned -1 [0130.858] lstrcmpiW (lpString1="FKLUIDU0", lpString2="$Recycle.bin") returned 1 [0130.858] lstrcmpiW (lpString1="FKLUIDU0", lpString2="System Volume Information") returned -1 [0130.858] lstrcmpiW (lpString1="FKLUIDU0", lpString2=".") returned 1 [0130.858] lstrcmpiW (lpString1="FKLUIDU0", lpString2="..") returned 1 [0130.858] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\FKLUIDU0") returned 93 [0130.858] GetProcessHeap () returned 0x4c0000 [0130.858] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53caf0 [0130.858] lstrcpyW (in: lpString1=0x53caf0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\FKLUIDU0" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\FKLUIDU0") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\FKLUIDU0" [0130.858] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\FKLUIDU0", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\FKLUIDU0\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\FKLUIDU0\\*" [0130.858] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\FKLUIDU0\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1d705b70, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1d705b70, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d705b70, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0130.859] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0130.859] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0130.859] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0130.859] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0130.859] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0130.859] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0130.859] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1d705b70, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1d705b70, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d705b70, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0130.859] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0130.859] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0130.859] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0130.859] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0130.859] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0130.859] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0130.859] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0130.859] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1d705b70, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1d705b70, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d705b70, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0130.860] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0130.860] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\FKLUIDU0\\PUSSY.TXT") returned 103 [0130.860] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\FKLUIDU0\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\fkluidu0\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0130.860] lstrlenA (lpString="abcd") returned 4 [0130.860] WriteFile (in: hFile=0x174, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0130.862] CloseHandle (hObject=0x174) returned 1 [0130.862] GetProcessHeap () returned 0x4c0000 [0130.862] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0130.862] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x1d705b70, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1d705b70, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x125db390, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="index.dat", cAlternateFileName="")) returned 1 [0130.862] lstrcmpiW (lpString1="index.dat", lpString2="Windows") returned -1 [0130.862] lstrcmpiW (lpString1="index.dat", lpString2="Program Files") returned -1 [0130.862] lstrcmpiW (lpString1="index.dat", lpString2="Program Files (x86)") returned -1 [0130.862] lstrcmpiW (lpString1="index.dat", lpString2="$Recycle.bin") returned 1 [0130.862] lstrcmpiW (lpString1="index.dat", lpString2="System Volume Information") returned -1 [0130.862] lstrcmpiW (lpString1="index.dat", lpString2=".") returned 1 [0130.862] lstrcmpiW (lpString1="index.dat", lpString2="..") returned 1 [0130.862] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\index.dat") returned 94 [0130.862] lstrcmpW (lpString1="index.dat", lpString2="PUSSY.TXT") returned -1 [0130.862] PathFindExtensionW (pszPath="index.dat") returned=".dat" [0130.862] lstrlenW (lpString=".dat") returned 4 [0130.862] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0130.862] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\index.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x174 [0130.863] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=32768) returned 1 [0130.863] GetProcessHeap () returned 0x4c0000 [0130.863] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x53caf0 [0130.885] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="AF") returned 2 [0130.886] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="7A") returned 2 [0130.886] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="39") returned 2 [0130.886] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="FF") returned 2 [0130.886] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="55") returned 2 [0130.886] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="92") returned 2 [0130.886] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="27") returned 2 [0130.886] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="ED") returned 2 [0130.886] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="9F") returned 2 [0130.886] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="BB") returned 2 [0130.886] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="59") returned 2 [0130.886] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="72") returned 2 [0130.886] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="D3") returned 2 [0130.886] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="5C") returned 2 [0130.886] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="6B") returned 2 [0130.886] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="9A") returned 2 [0130.886] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="94") returned 2 [0130.886] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="3B") returned 2 [0130.886] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="30") returned 2 [0130.886] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="F0") returned 2 [0130.886] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="63") returned 2 [0130.886] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="24") returned 2 [0130.886] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="E0") returned 2 [0130.886] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="70") returned 2 [0130.886] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="E6") returned 2 [0130.887] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="AB") returned 2 [0130.887] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="7F") returned 2 [0130.887] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="CC") returned 2 [0130.887] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="45") returned 2 [0130.887] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="E8") returned 2 [0130.887] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="F7") returned 2 [0130.887] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="4D") returned 2 [0130.899] lstrcpyW (in: lpString1=0x54cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\index.dat" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\index.dat") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\index.dat" [0130.899] lstrcpyW (in: lpString1=0x53cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\index.dat" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\index.dat") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\index.dat" [0130.899] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\index.dat", lpString2=".AF7A39FF559227ED9FBB5972D35C6B9A943B30F06324E070E6AB7FCC45E8F74D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\index.dat.AF7A39FF559227ED9FBB5972D35C6B9A943B30F06324E070E6AB7FCC45E8F74D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\index.dat.AF7A39FF559227ED9FBB5972D35C6B9A943B30F06324E070E6AB7FCC45E8F74D" [0130.899] CreateIoCompletionPort (FileHandle=0x174, ExistingCompletionPort=0x94, CompletionKey=0x53caf0, NumberOfConcurrentThreads=0x0) returned 0x94 [0130.899] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x53caf0, lpOverlapped=0x53caf0) returned 1 [0130.944] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1d705b70, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1d705b70, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d705b70, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="OWLVMZRC", cAlternateFileName="")) returned 1 [0130.944] lstrcmpiW (lpString1="OWLVMZRC", lpString2="Windows") returned -1 [0130.944] lstrcmpiW (lpString1="OWLVMZRC", lpString2="Program Files") returned -1 [0130.944] lstrcmpiW (lpString1="OWLVMZRC", lpString2="Program Files (x86)") returned -1 [0130.944] lstrcmpiW (lpString1="OWLVMZRC", lpString2="$Recycle.bin") returned 1 [0130.944] lstrcmpiW (lpString1="OWLVMZRC", lpString2="System Volume Information") returned -1 [0130.944] lstrcmpiW (lpString1="OWLVMZRC", lpString2=".") returned 1 [0130.944] lstrcmpiW (lpString1="OWLVMZRC", lpString2="..") returned 1 [0130.947] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\OWLVMZRC") returned 93 [0130.947] GetProcessHeap () returned 0x4c0000 [0130.948] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0130.949] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\OWLVMZRC" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\OWLVMZRC") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\OWLVMZRC" [0130.949] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\OWLVMZRC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\OWLVMZRC\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\OWLVMZRC\\*" [0130.949] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\OWLVMZRC\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1d705b70, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1d705b70, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d705b70, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0130.949] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0130.949] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0130.949] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0130.949] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0130.949] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0130.949] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0130.949] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1d705b70, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1d705b70, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d705b70, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0130.950] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0130.950] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0130.950] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0130.950] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0130.950] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0130.950] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0130.950] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0130.950] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1d705b70, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1d705b70, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d705b70, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 0 [0130.950] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0130.950] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\OWLVMZRC\\PUSSY.TXT") returned 103 [0130.950] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\OWLVMZRC\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\owlvmzrc\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0130.951] lstrlenA (lpString="abcd") returned 4 [0130.951] WriteFile (in: hFile=0x174, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0130.952] CloseHandle (hObject=0x174) returned 1 [0130.952] GetProcessHeap () returned 0x4c0000 [0130.952] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0130.952] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1d705b70, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1d705b70, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d705b70, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="OWLVMZRC", cAlternateFileName="")) returned 0 [0130.952] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0130.953] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\PUSSY.TXT") returned 94 [0130.953] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0130.953] lstrlenA (lpString="abcd") returned 4 [0130.953] WriteFile (in: hFile=0x1d8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0130.954] CloseHandle (hObject=0x1d8) returned 1 [0130.955] GetProcessHeap () returned 0x4c0000 [0130.955] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0130.958] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x65d58120, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x65d58120, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x65d58120, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x23f4, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="frameiconcache.dat", cAlternateFileName="FRAMEI~1.DAT")) returned 1 [0130.958] lstrcmpiW (lpString1="frameiconcache.dat", lpString2="Windows") returned -1 [0130.958] lstrcmpiW (lpString1="frameiconcache.dat", lpString2="Program Files") returned -1 [0130.958] lstrcmpiW (lpString1="frameiconcache.dat", lpString2="Program Files (x86)") returned -1 [0130.958] lstrcmpiW (lpString1="frameiconcache.dat", lpString2="$Recycle.bin") returned 1 [0130.958] lstrcmpiW (lpString1="frameiconcache.dat", lpString2="System Volume Information") returned -1 [0130.958] lstrcmpiW (lpString1="frameiconcache.dat", lpString2=".") returned 1 [0130.958] lstrcmpiW (lpString1="frameiconcache.dat", lpString2="..") returned 1 [0130.958] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\frameiconcache.dat") returned 94 [0130.958] lstrcmpW (lpString1="frameiconcache.dat", lpString2="PUSSY.TXT") returned -1 [0130.958] PathFindExtensionW (pszPath="frameiconcache.dat") returned=".dat" [0130.958] lstrlenW (lpString=".dat") returned 4 [0130.958] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0130.958] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\frameiconcache.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\frameiconcache.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0130.960] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=9204) returned 1 [0130.960] GetProcessHeap () returned 0x4c0000 [0130.960] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc80e0 [0130.974] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="7C") returned 2 [0130.974] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="FF") returned 2 [0130.974] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="7F") returned 2 [0130.974] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="C7") returned 2 [0130.974] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="DE") returned 2 [0130.974] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="5F") returned 2 [0130.974] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="02") returned 2 [0130.974] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="13") returned 2 [0130.974] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="7D") returned 2 [0130.974] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="23") returned 2 [0130.974] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="64") returned 2 [0130.974] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="4E") returned 2 [0130.974] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="47") returned 2 [0130.974] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="41") returned 2 [0130.974] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="70") returned 2 [0130.974] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="65") returned 2 [0130.975] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="84") returned 2 [0130.975] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="21") returned 2 [0130.975] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="67") returned 2 [0130.975] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="47") returned 2 [0130.975] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="E8") returned 2 [0130.975] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="8B") returned 2 [0130.975] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="1B") returned 2 [0130.975] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="63") returned 2 [0130.975] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="B1") returned 2 [0130.975] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="24") returned 2 [0130.975] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="DB") returned 2 [0130.975] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="62") returned 2 [0130.975] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="64") returned 2 [0130.975] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="FB") returned 2 [0130.975] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="0B") returned 2 [0130.975] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="55") returned 2 [0130.986] lstrcpyW (in: lpString1=0x3bd8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\frameiconcache.dat" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\frameiconcache.dat") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\frameiconcache.dat" [0130.986] lstrcpyW (in: lpString1=0x3bc8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\frameiconcache.dat" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\frameiconcache.dat") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\frameiconcache.dat" [0130.986] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\frameiconcache.dat", lpString2=".7CFF7FC7DE5F02137D23644E4741706584216747E88B1B63B124DB6264FB0B55" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\frameiconcache.dat.7CFF7FC7DE5F02137D23644E4741706584216747E88B1B63B124DB6264FB0B55") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\frameiconcache.dat.7CFF7FC7DE5F02137D23644E4741706584216747E88B1B63B124DB6264FB0B55" [0130.986] CreateIoCompletionPort (FileHandle=0x1d8, ExistingCompletionPort=0x94, CompletionKey=0x3bc80e0, NumberOfConcurrentThreads=0x0) returned 0x94 [0130.986] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc80e0, lpOverlapped=0x3bc80e0) returned 1 [0130.987] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x95014270, ftCreationTime.dwHighDateTime=0x1d2fab5, ftLastAccessTime.dwLowDateTime=0x95014270, ftLastAccessTime.dwHighDateTime=0x1d2fab5, ftLastWriteTime.dwLowDateTime=0x95014270, ftLastWriteTime.dwHighDateTime=0x1d2fab5, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="MSIMGSIZ.DAT", cAlternateFileName="")) returned 1 [0130.987] lstrcmpiW (lpString1="MSIMGSIZ.DAT", lpString2="Windows") returned -1 [0130.987] lstrcmpiW (lpString1="MSIMGSIZ.DAT", lpString2="Program Files") returned -1 [0130.987] lstrcmpiW (lpString1="MSIMGSIZ.DAT", lpString2="Program Files (x86)") returned -1 [0130.987] lstrcmpiW (lpString1="MSIMGSIZ.DAT", lpString2="$Recycle.bin") returned 1 [0130.987] lstrcmpiW (lpString1="MSIMGSIZ.DAT", lpString2="System Volume Information") returned -1 [0130.987] lstrcmpiW (lpString1="MSIMGSIZ.DAT", lpString2=".") returned 1 [0130.987] lstrcmpiW (lpString1="MSIMGSIZ.DAT", lpString2="..") returned 1 [0130.987] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\MSIMGSIZ.DAT") returned 88 [0130.987] lstrcmpW (lpString1="MSIMGSIZ.DAT", lpString2="PUSSY.TXT") returned -1 [0130.987] PathFindExtensionW (pszPath="MSIMGSIZ.DAT") returned=".DAT" [0130.987] lstrlenW (lpString=".DAT") returned 4 [0130.987] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0130.987] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\MSIMGSIZ.DAT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\msimgsiz.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x174 [0131.015] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=16384) returned 1 [0131.015] GetProcessHeap () returned 0x4c0000 [0131.015] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc80e0 [0131.027] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="42") returned 2 [0131.027] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="A9") returned 2 [0131.027] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="9C") returned 2 [0131.027] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="21") returned 2 [0131.027] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="F4") returned 2 [0131.027] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="4F") returned 2 [0131.027] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="EB") returned 2 [0131.027] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="A8") returned 2 [0131.027] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="76") returned 2 [0131.027] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="80") returned 2 [0131.027] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="C6") returned 2 [0131.027] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="A0") returned 2 [0131.027] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="36") returned 2 [0131.027] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="4B") returned 2 [0131.027] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="59") returned 2 [0131.027] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="A8") returned 2 [0131.027] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="61") returned 2 [0131.027] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="48") returned 2 [0131.027] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="1A") returned 2 [0131.027] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="39") returned 2 [0131.027] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="71") returned 2 [0131.027] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="0D") returned 2 [0131.027] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="4C") returned 2 [0131.027] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="75") returned 2 [0131.027] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="A1") returned 2 [0131.028] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="8F") returned 2 [0131.028] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="31") returned 2 [0131.028] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="D7") returned 2 [0131.028] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="9B") returned 2 [0131.028] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="D7") returned 2 [0131.028] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="21") returned 2 [0131.028] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="53") returned 2 [0131.047] lstrcpyW (in: lpString1=0x3bd8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\MSIMGSIZ.DAT" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\MSIMGSIZ.DAT") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\MSIMGSIZ.DAT" [0131.047] lstrcpyW (in: lpString1=0x3bc8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\MSIMGSIZ.DAT" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\MSIMGSIZ.DAT") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\MSIMGSIZ.DAT" [0131.047] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\MSIMGSIZ.DAT", lpString2=".42A99C21F44FEBA87680C6A0364B59A861481A39710D4C75A18F31D79BD72153" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\MSIMGSIZ.DAT.42A99C21F44FEBA87680C6A0364B59A861481A39710D4C75A18F31D79BD72153") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\MSIMGSIZ.DAT.42A99C21F44FEBA87680C6A0364B59A861481A39710D4C75A18F31D79BD72153" [0131.047] CreateIoCompletionPort (FileHandle=0x174, ExistingCompletionPort=0x94, CompletionKey=0x3bc80e0, NumberOfConcurrentThreads=0x0) returned 0x94 [0131.047] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc80e0, lpOverlapped=0x3bc80e0) returned 1 [0131.074] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4ed4ae10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6db5fbe0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6db5fbe0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="Recovery", cAlternateFileName="")) returned 1 [0131.074] lstrcmpiW (lpString1="Recovery", lpString2="Windows") returned -1 [0131.074] lstrcmpiW (lpString1="Recovery", lpString2="Program Files") returned 1 [0131.074] lstrcmpiW (lpString1="Recovery", lpString2="Program Files (x86)") returned 1 [0131.074] lstrcmpiW (lpString1="Recovery", lpString2="$Recycle.bin") returned 1 [0131.074] lstrcmpiW (lpString1="Recovery", lpString2="System Volume Information") returned -1 [0131.074] lstrcmpiW (lpString1="Recovery", lpString2=".") returned 1 [0131.074] lstrcmpiW (lpString1="Recovery", lpString2="..") returned 1 [0131.074] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery") returned 84 [0131.074] GetProcessHeap () returned 0x4c0000 [0131.074] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0131.075] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery" [0131.075] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\*" [0131.075] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4ed4ae10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6db5fbe0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6db5fbe0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0131.076] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0131.076] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0131.076] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0131.076] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0131.076] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0131.076] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0131.076] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4ed4ae10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6db5fbe0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6db5fbe0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0131.076] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0131.076] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0131.076] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0131.076] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0131.076] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0131.076] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0131.076] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0131.077] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4ed70f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x2bc84b10, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x2bc84b10, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="Active", cAlternateFileName="")) returned 1 [0131.077] lstrcmpiW (lpString1="Active", lpString2="Windows") returned -1 [0131.077] lstrcmpiW (lpString1="Active", lpString2="Program Files") returned -1 [0131.077] lstrcmpiW (lpString1="Active", lpString2="Program Files (x86)") returned -1 [0131.077] lstrcmpiW (lpString1="Active", lpString2="$Recycle.bin") returned 1 [0131.077] lstrcmpiW (lpString1="Active", lpString2="System Volume Information") returned -1 [0131.077] lstrcmpiW (lpString1="Active", lpString2=".") returned 1 [0131.077] lstrcmpiW (lpString1="Active", lpString2="..") returned 1 [0131.077] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active") returned 91 [0131.077] GetProcessHeap () returned 0x4c0000 [0131.077] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0131.077] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active" [0131.077] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\*" [0131.077] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4ed70f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x2bc84b10, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x2bc84b10, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0131.077] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0131.078] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0131.078] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0131.078] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0131.078] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0131.078] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0131.078] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4ed70f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x2bc84b10, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x2bc84b10, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0131.078] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0131.078] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0131.078] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0131.078] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0131.078] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0131.078] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0131.078] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0131.078] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4ed70f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x2bc84b10, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x2bc84b10, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0131.078] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0131.079] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\PUSSY.TXT") returned 101 [0131.079] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\active\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0131.079] lstrlenA (lpString="abcd") returned 4 [0131.079] WriteFile (in: hFile=0xec, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0131.081] CloseHandle (hObject=0xec) returned 1 [0131.081] GetProcessHeap () returned 0x4c0000 [0131.081] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0131.081] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6db5fbe0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x30603250, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x30603250, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="Last Active", cAlternateFileName="LASTAC~1")) returned 1 [0131.081] lstrcmpiW (lpString1="Last Active", lpString2="Windows") returned -1 [0131.081] lstrcmpiW (lpString1="Last Active", lpString2="Program Files") returned -1 [0131.081] lstrcmpiW (lpString1="Last Active", lpString2="Program Files (x86)") returned -1 [0131.081] lstrcmpiW (lpString1="Last Active", lpString2="$Recycle.bin") returned 1 [0131.081] lstrcmpiW (lpString1="Last Active", lpString2="System Volume Information") returned -1 [0131.081] lstrcmpiW (lpString1="Last Active", lpString2=".") returned 1 [0131.081] lstrcmpiW (lpString1="Last Active", lpString2="..") returned 1 [0131.081] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active") returned 96 [0131.081] GetProcessHeap () returned 0x4c0000 [0131.081] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0131.081] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active" [0131.081] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\*" [0131.081] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6db5fbe0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x30603250, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x30603250, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0131.084] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0131.084] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0131.084] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0131.084] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0131.084] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0131.084] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0131.084] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6db5fbe0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x30603250, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x30603250, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0131.084] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0131.085] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0131.085] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0131.085] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0131.085] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0131.085] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0131.085] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0131.085] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe35acf0, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0xe35acf0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x306293b0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat", cAlternateFileName="RECOVE~2.DAT")) returned 1 [0131.085] lstrcmpiW (lpString1="RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpString2="Windows") returned -1 [0131.085] lstrcmpiW (lpString1="RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpString2="Program Files") returned 1 [0131.085] lstrcmpiW (lpString1="RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpString2="Program Files (x86)") returned 1 [0131.085] lstrcmpiW (lpString1="RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpString2="$Recycle.bin") returned 1 [0131.085] lstrcmpiW (lpString1="RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpString2="System Volume Information") returned -1 [0131.085] lstrcmpiW (lpString1="RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpString2=".") returned 1 [0131.085] lstrcmpiW (lpString1="RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpString2="..") returned 1 [0131.085] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat") returned 153 [0131.085] lstrcmpW (lpString1="RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpString2="PUSSY.TXT") returned 1 [0131.085] PathFindExtensionW (pszPath="RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat") returned=".dat" [0131.085] lstrlenW (lpString=".dat") returned 4 [0131.085] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0131.085] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\last active\\recoverystore.{4bd650f1-c8f9-11e7-b5bf-c43dc7584a00}.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0131.086] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=3584) returned 1 [0131.086] GetProcessHeap () returned 0x4c0000 [0131.086] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0131.098] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="FC") returned 2 [0131.098] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="66") returned 2 [0131.098] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="A3") returned 2 [0131.098] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="B2") returned 2 [0131.098] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="A2") returned 2 [0131.098] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="46") returned 2 [0131.098] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="1D") returned 2 [0131.098] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="B2") returned 2 [0131.098] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="D3") returned 2 [0131.098] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="4A") returned 2 [0131.098] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="56") returned 2 [0131.098] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="92") returned 2 [0131.099] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="CA") returned 2 [0131.099] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="6D") returned 2 [0131.099] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="9C") returned 2 [0131.099] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="8C") returned 2 [0131.099] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="A8") returned 2 [0131.099] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="F1") returned 2 [0131.099] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="FC") returned 2 [0131.099] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="15") returned 2 [0131.099] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="BB") returned 2 [0131.099] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="91") returned 2 [0131.099] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="9D") returned 2 [0131.099] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="1A") returned 2 [0131.099] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="11") returned 2 [0131.099] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="4A") returned 2 [0131.099] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="CE") returned 2 [0131.099] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="F6") returned 2 [0131.099] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="07") returned 2 [0131.099] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="9A") returned 2 [0131.099] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="4E") returned 2 [0131.099] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="0B") returned 2 [0131.112] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat" [0131.112] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat" [0131.112] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpString2=".FC66A3B2A2461DB2D34A5692CA6D9C8CA8F1FC15BB919D1A114ACEF6079A4E0B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat.FC66A3B2A2461DB2D34A5692CA6D9C8CA8F1FC15BB919D1A114ACEF6079A4E0B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat.FC66A3B2A2461DB2D34A5692CA6D9C8CA8F1FC15BB919D1A114ACEF6079A4E0B" [0131.112] CreateIoCompletionPort (FileHandle=0x1d8, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0131.112] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0131.112] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6dd28c60, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6dd28c60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xe35acf0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x1200, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat", cAlternateFileName="RECOVE~1.DAT")) returned 1 [0131.112] lstrcmpiW (lpString1="RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat", lpString2="Windows") returned -1 [0131.112] lstrcmpiW (lpString1="RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat", lpString2="Program Files") returned 1 [0131.112] lstrcmpiW (lpString1="RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat", lpString2="Program Files (x86)") returned 1 [0131.112] lstrcmpiW (lpString1="RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat", lpString2="$Recycle.bin") returned 1 [0131.112] lstrcmpiW (lpString1="RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat", lpString2="System Volume Information") returned -1 [0131.112] lstrcmpiW (lpString1="RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat", lpString2=".") returned 1 [0131.112] lstrcmpiW (lpString1="RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat", lpString2="..") returned 1 [0131.112] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat") returned 153 [0131.113] lstrcmpW (lpString1="RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat", lpString2="PUSSY.TXT") returned 1 [0131.113] PathFindExtensionW (pszPath="RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat") returned=".dat" [0131.113] lstrlenW (lpString=".dat") returned 4 [0131.113] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0131.113] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\last active\\recoverystore.{aae6bf5c-4991-11e7-8e2b-c43dc7584a00}.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0131.114] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=4608) returned 1 [0131.114] GetProcessHeap () returned 0x4c0000 [0131.114] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x53caf0 [0131.129] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="67") returned 2 [0131.129] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="1D") returned 2 [0131.129] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="14") returned 2 [0131.129] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="60") returned 2 [0131.129] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="DE") returned 2 [0131.129] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="98") returned 2 [0131.129] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="3D") returned 2 [0131.129] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="CA") returned 2 [0131.129] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="DB") returned 2 [0131.129] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="51") returned 2 [0131.129] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="B4") returned 2 [0131.129] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="F1") returned 2 [0131.129] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="5E") returned 2 [0131.129] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="F1") returned 2 [0131.130] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="9E") returned 2 [0131.130] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="73") returned 2 [0131.130] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="FB") returned 2 [0131.130] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="4E") returned 2 [0131.130] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="E0") returned 2 [0131.130] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="0F") returned 2 [0131.130] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="61") returned 2 [0131.130] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="C5") returned 2 [0131.130] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="71") returned 2 [0131.130] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="E7") returned 2 [0131.130] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="20") returned 2 [0131.130] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="96") returned 2 [0131.130] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="F0") returned 2 [0131.130] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="75") returned 2 [0131.130] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="98") returned 2 [0131.130] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="B0") returned 2 [0131.130] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="A5") returned 2 [0131.130] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="44") returned 2 [0131.143] lstrcpyW (in: lpString1=0x54cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat" [0131.143] lstrcpyW (in: lpString1=0x53cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat" [0131.143] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat", lpString2=".671D1460DE983DCADB51B4F15EF19E73FB4EE00F61C571E72096F07598B0A544" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat.671D1460DE983DCADB51B4F15EF19E73FB4EE00F61C571E72096F07598B0A544") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat.671D1460DE983DCADB51B4F15EF19E73FB4EE00F61C571E72096F07598B0A544" [0131.143] CreateIoCompletionPort (FileHandle=0x17c, ExistingCompletionPort=0x94, CompletionKey=0x53caf0, NumberOfConcurrentThreads=0x0) returned 0x94 [0131.143] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x53caf0, lpOverlapped=0x53caf0) returned 1 [0131.143] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe35acf0, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0xe35acf0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0xe35acf0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x1200, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat", cAlternateFileName="{4BD65~1.DAT")) returned 1 [0131.143] lstrcmpiW (lpString1="{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpString2="Windows") returned -1 [0131.143] lstrcmpiW (lpString1="{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpString2="Program Files") returned -1 [0131.143] lstrcmpiW (lpString1="{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpString2="Program Files (x86)") returned -1 [0131.143] lstrcmpiW (lpString1="{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpString2="$Recycle.bin") returned 1 [0131.143] lstrcmpiW (lpString1="{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpString2="System Volume Information") returned -1 [0131.143] lstrcmpiW (lpString1="{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpString2=".") returned 1 [0131.143] lstrcmpiW (lpString1="{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpString2="..") returned 1 [0131.143] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat") returned 139 [0131.144] lstrcmpW (lpString1="{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpString2="PUSSY.TXT") returned -1 [0131.144] PathFindExtensionW (pszPath="{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat") returned=".dat" [0131.144] lstrlenW (lpString=".dat") returned 4 [0131.144] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0131.144] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\last active\\{4bd650f0-c8f9-11e7-b5bf-c43dc7584a00}.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0131.164] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=4608) returned 1 [0131.164] GetProcessHeap () returned 0x4c0000 [0131.164] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0131.175] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="2B") returned 2 [0131.175] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="38") returned 2 [0131.175] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="06") returned 2 [0131.175] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="B3") returned 2 [0131.175] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="52") returned 2 [0131.175] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="E4") returned 2 [0131.175] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="70") returned 2 [0131.176] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="E4") returned 2 [0131.176] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="67") returned 2 [0131.176] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="AB") returned 2 [0131.176] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="B8") returned 2 [0131.176] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="ED") returned 2 [0131.176] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="58") returned 2 [0131.176] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="E2") returned 2 [0131.176] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="C2") returned 2 [0131.176] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="31") returned 2 [0131.176] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="30") returned 2 [0131.176] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="68") returned 2 [0131.176] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="4C") returned 2 [0131.176] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="31") returned 2 [0131.176] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="07") returned 2 [0131.176] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="34") returned 2 [0131.176] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="A1") returned 2 [0131.176] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="7A") returned 2 [0131.176] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="C2") returned 2 [0131.176] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="3A") returned 2 [0131.177] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="8F") returned 2 [0131.177] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="C4") returned 2 [0131.177] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="C1") returned 2 [0131.177] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="5C") returned 2 [0131.177] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="1F") returned 2 [0131.177] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="16") returned 2 [0131.188] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat" [0131.188] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat" [0131.188] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpString2=".2B3806B352E470E467ABB8ED58E2C23130684C310734A17AC23A8FC4C15C1F16" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat.2B3806B352E470E467ABB8ED58E2C23130684C310734A17AC23A8FC4C15C1F16") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat.2B3806B352E470E467ABB8ED58E2C23130684C310734A17AC23A8FC4C15C1F16" [0131.188] CreateIoCompletionPort (FileHandle=0x17c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0131.188] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0131.195] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30603250, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x30603250, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x306293b0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x1200, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat", cAlternateFileName="{69512~1.DAT")) returned 1 [0131.195] lstrcmpiW (lpString1="{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpString2="Windows") returned -1 [0131.195] lstrcmpiW (lpString1="{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpString2="Program Files") returned -1 [0131.195] lstrcmpiW (lpString1="{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpString2="Program Files (x86)") returned -1 [0131.195] lstrcmpiW (lpString1="{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpString2="$Recycle.bin") returned 1 [0131.195] lstrcmpiW (lpString1="{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpString2="System Volume Information") returned -1 [0131.196] lstrcmpiW (lpString1="{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpString2=".") returned 1 [0131.199] lstrcmpiW (lpString1="{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpString2="..") returned 1 [0131.199] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat") returned 139 [0131.200] lstrcmpW (lpString1="{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpString2="PUSSY.TXT") returned -1 [0131.200] PathFindExtensionW (pszPath="{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat") returned=".dat" [0131.200] lstrlenW (lpString=".dat") returned 4 [0131.200] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0131.200] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\last active\\{69512155-c8f9-11e7-b5bf-c43dc7584a00}.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0131.201] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=4608) returned 1 [0131.201] GetProcessHeap () returned 0x4c0000 [0131.201] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0131.211] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="DF") returned 2 [0131.211] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="A3") returned 2 [0131.211] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="4D") returned 2 [0131.211] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="E6") returned 2 [0131.211] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="1D") returned 2 [0131.211] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="96") returned 2 [0131.211] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="05") returned 2 [0131.211] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="92") returned 2 [0131.211] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="D5") returned 2 [0131.211] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="76") returned 2 [0131.211] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="B6") returned 2 [0131.211] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="9F") returned 2 [0131.211] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="61") returned 2 [0131.211] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="0A") returned 2 [0131.211] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="7B") returned 2 [0131.211] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="AA") returned 2 [0131.211] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="80") returned 2 [0131.211] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="82") returned 2 [0131.211] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="A4") returned 2 [0131.211] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="44") returned 2 [0131.211] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="4B") returned 2 [0131.211] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="0E") returned 2 [0131.211] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="77") returned 2 [0131.211] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="C2") returned 2 [0131.211] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="F9") returned 2 [0131.211] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="A3") returned 2 [0131.212] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="7A") returned 2 [0131.212] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="65") returned 2 [0131.212] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="63") returned 2 [0131.212] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="13") returned 2 [0131.212] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="9E") returned 2 [0131.212] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="15") returned 2 [0131.221] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat" [0131.221] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat" [0131.221] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpString2=".DFA34DE61D960592D576B69F610A7BAA8082A4444B0E77C2F9A37A6563139E15" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat.DFA34DE61D960592D576B69F610A7BAA8082A4444B0E77C2F9A37A6563139E15") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat.DFA34DE61D960592D576B69F610A7BAA8082A4444B0E77C2F9A37A6563139E15" [0131.221] CreateIoCompletionPort (FileHandle=0x17c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0131.221] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0131.222] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30603250, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x30603250, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x306293b0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x1200, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat", cAlternateFileName="{69512~1.DAT")) returned 0 [0131.222] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0131.228] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\PUSSY.TXT") returned 106 [0131.228] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\last active\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0131.230] lstrlenA (lpString="abcd") returned 4 [0131.230] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0131.231] CloseHandle (hObject=0x17c) returned 1 [0131.231] GetProcessHeap () returned 0x4c0000 [0131.231] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0131.231] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6db5fbe0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x30603250, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x30603250, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="Last Active", cAlternateFileName="LASTAC~1")) returned 0 [0131.232] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0131.232] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\PUSSY.TXT") returned 94 [0131.232] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0131.232] lstrlenA (lpString="abcd") returned 4 [0131.232] WriteFile (in: hFile=0x174, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0131.233] CloseHandle (hObject=0x174) returned 1 [0131.233] GetProcessHeap () returned 0x4c0000 [0131.233] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0131.237] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4ed4ae10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6db5fbe0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6db5fbe0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="Recovery", cAlternateFileName="")) returned 0 [0131.237] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0131.237] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\PUSSY.TXT") returned 85 [0131.237] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0131.238] lstrlenA (lpString="abcd") returned 4 [0131.238] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0131.239] CloseHandle (hObject=0x1d0) returned 1 [0131.239] GetProcessHeap () returned 0x4c0000 [0131.239] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0131.240] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xf7f22040, ftLastAccessTime.dwHighDateTime=0x1d3373f, ftLastWriteTime.dwLowDateTime=0xf7f22040, ftLastWriteTime.dwHighDateTime=0x1d3373f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Media Player", cAlternateFileName="MEDIAP~1")) returned 1 [0131.240] lstrcmpiW (lpString1="Media Player", lpString2="Windows") returned -1 [0131.240] lstrcmpiW (lpString1="Media Player", lpString2="Program Files") returned -1 [0131.240] lstrcmpiW (lpString1="Media Player", lpString2="Program Files (x86)") returned -1 [0131.240] lstrcmpiW (lpString1="Media Player", lpString2="$Recycle.bin") returned 1 [0131.240] lstrcmpiW (lpString1="Media Player", lpString2="System Volume Information") returned -1 [0131.240] lstrcmpiW (lpString1="Media Player", lpString2=".") returned 1 [0131.240] lstrcmpiW (lpString1="Media Player", lpString2="..") returned 1 [0131.240] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player") returned 70 [0131.240] GetProcessHeap () returned 0x4c0000 [0131.240] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0131.240] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player" [0131.240] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\*" [0131.240] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xf7f22040, ftLastAccessTime.dwHighDateTime=0x1d3373f, ftLastWriteTime.dwLowDateTime=0xf7f22040, ftLastWriteTime.dwHighDateTime=0x1d3373f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0131.242] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0131.243] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0131.243] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0131.243] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0131.243] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0131.243] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0131.243] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xf7f22040, ftLastAccessTime.dwHighDateTime=0x1d3373f, ftLastWriteTime.dwLowDateTime=0xf7f22040, ftLastWriteTime.dwHighDateTime=0x1d3373f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0131.243] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0131.243] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0131.243] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0131.243] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0131.243] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0131.243] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0131.243] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0131.243] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28eee820, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28eee820, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2cf59b80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x105000, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="CurrentDatabase_372.wmdb", cAlternateFileName="CURREN~1.WMD")) returned 1 [0131.244] lstrcmpiW (lpString1="CurrentDatabase_372.wmdb", lpString2="Windows") returned -1 [0131.244] lstrcmpiW (lpString1="CurrentDatabase_372.wmdb", lpString2="Program Files") returned -1 [0131.244] lstrcmpiW (lpString1="CurrentDatabase_372.wmdb", lpString2="Program Files (x86)") returned -1 [0131.244] lstrcmpiW (lpString1="CurrentDatabase_372.wmdb", lpString2="$Recycle.bin") returned 1 [0131.244] lstrcmpiW (lpString1="CurrentDatabase_372.wmdb", lpString2="System Volume Information") returned -1 [0131.244] lstrcmpiW (lpString1="CurrentDatabase_372.wmdb", lpString2=".") returned 1 [0131.244] lstrcmpiW (lpString1="CurrentDatabase_372.wmdb", lpString2="..") returned 1 [0131.244] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb") returned 95 [0131.244] lstrcmpW (lpString1="CurrentDatabase_372.wmdb", lpString2="PUSSY.TXT") returned -1 [0131.244] PathFindExtensionW (pszPath="CurrentDatabase_372.wmdb") returned=".wmdb" [0131.244] lstrlenW (lpString=".wmdb") returned 5 [0131.244] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0131.244] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\currentdatabase_372.wmdb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x174 [0131.245] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=1069056) returned 1 [0131.245] GetProcessHeap () returned 0x4c0000 [0131.245] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc80e0 [0131.255] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="8F") returned 2 [0131.255] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="62") returned 2 [0131.255] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="DF") returned 2 [0131.255] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="A2") returned 2 [0131.255] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="B1") returned 2 [0131.255] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="B7") returned 2 [0131.255] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="91") returned 2 [0131.255] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="60") returned 2 [0131.255] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="93") returned 2 [0131.255] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="0C") returned 2 [0131.255] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="BD") returned 2 [0131.255] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="0B") returned 2 [0131.255] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="66") returned 2 [0131.255] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="D2") returned 2 [0131.255] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="1D") returned 2 [0131.255] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="95") returned 2 [0131.255] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="FD") returned 2 [0131.255] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="0C") returned 2 [0131.255] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="CC") returned 2 [0131.256] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="37") returned 2 [0131.256] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="57") returned 2 [0131.256] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="6F") returned 2 [0131.256] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="B0") returned 2 [0131.256] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="A9") returned 2 [0131.256] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="C2") returned 2 [0131.256] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="2F") returned 2 [0131.256] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="5D") returned 2 [0131.256] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="BB") returned 2 [0131.256] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="6A") returned 2 [0131.256] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="E7") returned 2 [0131.256] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="E0") returned 2 [0131.256] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="3F") returned 2 [0131.265] lstrcpyW (in: lpString1=0x3bd8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb" [0131.265] lstrcpyW (in: lpString1=0x3bc8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb" [0131.265] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb", lpString2=".8F62DFA2B1B79160930CBD0B66D21D95FD0CCC37576FB0A9C22F5DBB6AE7E03F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb.8F62DFA2B1B79160930CBD0B66D21D95FD0CCC37576FB0A9C22F5DBB6AE7E03F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb.8F62DFA2B1B79160930CBD0B66D21D95FD0CCC37576FB0A9C22F5DBB6AE7E03F" [0131.265] CreateIoCompletionPort (FileHandle=0x174, ExistingCompletionPort=0x94, CompletionKey=0x3bc80e0, NumberOfConcurrentThreads=0x0) returned 0x94 [0131.265] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc80e0, lpOverlapped=0x3bc80e0) returned 1 [0131.265] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28eee820, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2cf33a20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2cf33a20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1106c, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="LocalMLS_3.wmdb", cAlternateFileName="LOCALM~1.WMD")) returned 1 [0131.265] lstrcmpiW (lpString1="LocalMLS_3.wmdb", lpString2="Windows") returned -1 [0131.265] lstrcmpiW (lpString1="LocalMLS_3.wmdb", lpString2="Program Files") returned -1 [0131.265] lstrcmpiW (lpString1="LocalMLS_3.wmdb", lpString2="Program Files (x86)") returned -1 [0131.265] lstrcmpiW (lpString1="LocalMLS_3.wmdb", lpString2="$Recycle.bin") returned 1 [0131.265] lstrcmpiW (lpString1="LocalMLS_3.wmdb", lpString2="System Volume Information") returned -1 [0131.265] lstrcmpiW (lpString1="LocalMLS_3.wmdb", lpString2=".") returned 1 [0131.265] lstrcmpiW (lpString1="LocalMLS_3.wmdb", lpString2="..") returned 1 [0131.265] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb") returned 86 [0131.265] lstrcmpW (lpString1="LocalMLS_3.wmdb", lpString2="PUSSY.TXT") returned -1 [0131.265] PathFindExtensionW (pszPath="LocalMLS_3.wmdb") returned=".wmdb" [0131.265] lstrlenW (lpString=".wmdb") returned 5 [0131.265] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0131.265] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\localmls_3.wmdb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0131.266] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=69740) returned 1 [0131.266] GetProcessHeap () returned 0x4c0000 [0131.266] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0131.277] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="4E") returned 2 [0131.277] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="A2") returned 2 [0131.277] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="E5") returned 2 [0131.278] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="B9") returned 2 [0131.278] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="1C") returned 2 [0131.278] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="0B") returned 2 [0131.278] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="21") returned 2 [0131.278] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="E6") returned 2 [0131.278] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="6E") returned 2 [0131.278] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="FA") returned 2 [0131.278] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="23") returned 2 [0131.278] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="3F") returned 2 [0131.278] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="0B") returned 2 [0131.278] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="CA") returned 2 [0131.278] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="56") returned 2 [0131.278] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="28") returned 2 [0131.278] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="EF") returned 2 [0131.278] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="AB") returned 2 [0131.278] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="77") returned 2 [0131.278] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="AA") returned 2 [0131.278] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="67") returned 2 [0131.278] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="34") returned 2 [0131.278] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="96") returned 2 [0131.278] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="43") returned 2 [0131.278] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="8F") returned 2 [0131.278] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="68") returned 2 [0131.278] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="34") returned 2 [0131.278] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="D9") returned 2 [0131.278] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="99") returned 2 [0131.278] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="AE") returned 2 [0131.279] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="E8") returned 2 [0131.279] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="30") returned 2 [0131.288] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb" [0131.288] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb" [0131.288] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb", lpString2=".4EA2E5B91C0B21E66EFA233F0BCA5628EFAB77AA673496438F6834D999AEE830" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb.4EA2E5B91C0B21E66EFA233F0BCA5628EFAB77AA673496438F6834D999AEE830") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb.4EA2E5B91C0B21E66EFA233F0BCA5628EFAB77AA673496438F6834D999AEE830" [0131.288] CreateIoCompletionPort (FileHandle=0x17c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0131.288] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0131.289] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf73e9a4c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="Sync Playlists", cAlternateFileName="SYNCPL~1")) returned 1 [0131.289] lstrcmpiW (lpString1="Sync Playlists", lpString2="Windows") returned -1 [0131.289] lstrcmpiW (lpString1="Sync Playlists", lpString2="Program Files") returned 1 [0131.289] lstrcmpiW (lpString1="Sync Playlists", lpString2="Program Files (x86)") returned 1 [0131.289] lstrcmpiW (lpString1="Sync Playlists", lpString2="$Recycle.bin") returned 1 [0131.289] lstrcmpiW (lpString1="Sync Playlists", lpString2="System Volume Information") returned -1 [0131.289] lstrcmpiW (lpString1="Sync Playlists", lpString2=".") returned 1 [0131.289] lstrcmpiW (lpString1="Sync Playlists", lpString2="..") returned 1 [0131.289] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists") returned 85 [0131.322] GetProcessHeap () returned 0x4c0000 [0131.322] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0131.325] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists" [0131.325] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\*" [0131.325] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf73e9a4c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0131.326] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0131.326] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0131.326] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0131.326] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0131.326] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0131.326] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0131.326] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf73e9a4c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0131.326] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0131.326] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0131.326] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0131.326] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0131.326] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0131.327] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0131.327] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0131.327] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2ca96f80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2ca96f80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="en-US", cAlternateFileName="")) returned 1 [0131.327] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0131.327] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0131.327] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0131.327] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0131.327] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0131.327] lstrcmpiW (lpString1="en-US", lpString2=".") returned 1 [0131.327] lstrcmpiW (lpString1="en-US", lpString2="..") returned 1 [0131.327] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US") returned 91 [0131.327] GetProcessHeap () returned 0x4c0000 [0131.327] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x502a88 [0131.327] lstrcpyW (in: lpString1=0x502a88, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US" [0131.327] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\*" [0131.327] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2ca96f80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2ca96f80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0131.328] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0131.328] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0131.328] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0131.328] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0131.328] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0131.328] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0131.328] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2ca96f80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2ca96f80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0131.328] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0131.328] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0131.328] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0131.328] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0131.328] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0131.328] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0131.328] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0131.328] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2ca96f80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2ca96f80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2ca96f80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="0000E713", cAlternateFileName="")) returned 1 [0131.328] lstrcmpiW (lpString1="0000E713", lpString2="Windows") returned -1 [0131.328] lstrcmpiW (lpString1="0000E713", lpString2="Program Files") returned -1 [0131.329] lstrcmpiW (lpString1="0000E713", lpString2="Program Files (x86)") returned -1 [0131.329] lstrcmpiW (lpString1="0000E713", lpString2="$Recycle.bin") returned 1 [0131.329] lstrcmpiW (lpString1="0000E713", lpString2="System Volume Information") returned -1 [0131.329] lstrcmpiW (lpString1="0000E713", lpString2=".") returned 1 [0131.329] lstrcmpiW (lpString1="0000E713", lpString2="..") returned 1 [0131.329] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713") returned 100 [0131.329] GetProcessHeap () returned 0x4c0000 [0131.329] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0131.329] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713" [0131.329] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\*" [0131.329] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2ca96f80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2ca96f80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2ca96f80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2ce4eda2, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0131.363] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0131.363] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0131.363] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0131.363] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0131.363] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0131.363] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0131.363] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2ca96f80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2ca96f80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2ca96f80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2ce4eda2, cFileName="..", cAlternateFileName="")) returned 1 [0131.363] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0131.363] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0131.363] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0131.363] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0131.363] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0131.363] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0131.363] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0131.363] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2ca96f80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2ca96f80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2ca96f80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x414, dwReserved0=0x4ddd20, dwReserved1=0x2ce4eda2, cFileName="01_Music_auto_rated_at_5_stars.wpl", cAlternateFileName="01_MUS~1.WPL")) returned 1 [0131.363] lstrcmpiW (lpString1="01_Music_auto_rated_at_5_stars.wpl", lpString2="Windows") returned -1 [0131.363] lstrcmpiW (lpString1="01_Music_auto_rated_at_5_stars.wpl", lpString2="Program Files") returned -1 [0131.363] lstrcmpiW (lpString1="01_Music_auto_rated_at_5_stars.wpl", lpString2="Program Files (x86)") returned -1 [0131.364] lstrcmpiW (lpString1="01_Music_auto_rated_at_5_stars.wpl", lpString2="$Recycle.bin") returned 1 [0131.364] lstrcmpiW (lpString1="01_Music_auto_rated_at_5_stars.wpl", lpString2="System Volume Information") returned -1 [0131.364] lstrcmpiW (lpString1="01_Music_auto_rated_at_5_stars.wpl", lpString2=".") returned 1 [0131.364] lstrcmpiW (lpString1="01_Music_auto_rated_at_5_stars.wpl", lpString2="..") returned 1 [0131.364] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\01_Music_auto_rated_at_5_stars.wpl") returned 135 [0131.364] lstrcmpW (lpString1="01_Music_auto_rated_at_5_stars.wpl", lpString2="PUSSY.TXT") returned -1 [0131.364] PathFindExtensionW (pszPath="01_Music_auto_rated_at_5_stars.wpl") returned=".wpl" [0131.364] lstrlenW (lpString=".wpl") returned 4 [0131.364] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0131.364] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\01_Music_auto_rated_at_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\01_music_auto_rated_at_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a8 [0131.365] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=1044) returned 1 [0131.365] GetProcessHeap () returned 0x4c0000 [0131.365] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x53caf0 [0131.376] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="13") returned 2 [0131.376] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="B1") returned 2 [0131.377] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="22") returned 2 [0131.377] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="16") returned 2 [0131.377] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="D7") returned 2 [0131.377] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="97") returned 2 [0131.377] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="79") returned 2 [0131.377] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="27") returned 2 [0131.377] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="2E") returned 2 [0131.377] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="95") returned 2 [0131.377] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="06") returned 2 [0131.377] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="8C") returned 2 [0131.377] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="C2") returned 2 [0131.377] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="93") returned 2 [0131.377] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="93") returned 2 [0131.377] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="58") returned 2 [0131.377] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="2A") returned 2 [0131.377] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="3D") returned 2 [0131.377] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="93") returned 2 [0131.377] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="9B") returned 2 [0131.377] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="78") returned 2 [0131.377] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="39") returned 2 [0131.377] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="41") returned 2 [0131.377] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="9F") returned 2 [0131.377] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="A6") returned 2 [0131.377] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="E3") returned 2 [0131.377] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="43") returned 2 [0131.377] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="95") returned 2 [0131.377] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="CE") returned 2 [0131.378] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="09") returned 2 [0131.378] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="36") returned 2 [0131.378] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="5F") returned 2 [0131.432] lstrcpyW (in: lpString1=0x54cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\01_Music_auto_rated_at_5_stars.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\01_Music_auto_rated_at_5_stars.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\01_Music_auto_rated_at_5_stars.wpl" [0131.432] lstrcpyW (in: lpString1=0x53cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\01_Music_auto_rated_at_5_stars.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\01_Music_auto_rated_at_5_stars.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\01_Music_auto_rated_at_5_stars.wpl" [0131.432] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\01_Music_auto_rated_at_5_stars.wpl", lpString2=".13B12216D79779272E95068CC29393582A3D939B7839419FA6E34395CE09365F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\01_Music_auto_rated_at_5_stars.wpl.13B12216D79779272E95068CC29393582A3D939B7839419FA6E34395CE09365F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\01_Music_auto_rated_at_5_stars.wpl.13B12216D79779272E95068CC29393582A3D939B7839419FA6E34395CE09365F" [0131.432] CreateIoCompletionPort (FileHandle=0x1a8, ExistingCompletionPort=0x94, CompletionKey=0x53caf0, NumberOfConcurrentThreads=0x0) returned 0x94 [0131.433] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x53caf0, lpOverlapped=0x53caf0) returned 1 [0131.433] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2ca96f80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2ca96f80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2ca96f80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x4ff, dwReserved0=0x4ddd20, dwReserved1=0x2ce4eda2, cFileName="02_Music_added_in_the_last_month.wpl", cAlternateFileName="02_MUS~1.WPL")) returned 1 [0131.433] lstrcmpiW (lpString1="02_Music_added_in_the_last_month.wpl", lpString2="Windows") returned -1 [0131.437] lstrcmpiW (lpString1="02_Music_added_in_the_last_month.wpl", lpString2="Program Files") returned -1 [0131.437] lstrcmpiW (lpString1="02_Music_added_in_the_last_month.wpl", lpString2="Program Files (x86)") returned -1 [0131.437] lstrcmpiW (lpString1="02_Music_added_in_the_last_month.wpl", lpString2="$Recycle.bin") returned 1 [0131.437] lstrcmpiW (lpString1="02_Music_added_in_the_last_month.wpl", lpString2="System Volume Information") returned -1 [0131.437] lstrcmpiW (lpString1="02_Music_added_in_the_last_month.wpl", lpString2=".") returned 1 [0131.437] lstrcmpiW (lpString1="02_Music_added_in_the_last_month.wpl", lpString2="..") returned 1 [0131.437] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\02_Music_added_in_the_last_month.wpl") returned 137 [0131.437] lstrcmpW (lpString1="02_Music_added_in_the_last_month.wpl", lpString2="PUSSY.TXT") returned -1 [0131.437] PathFindExtensionW (pszPath="02_Music_added_in_the_last_month.wpl") returned=".wpl" [0131.437] lstrlenW (lpString=".wpl") returned 4 [0131.437] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0131.437] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\02_Music_added_in_the_last_month.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\02_music_added_in_the_last_month.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x174 [0131.439] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=1279) returned 1 [0131.439] GetProcessHeap () returned 0x4c0000 [0131.439] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc80e0 [0131.452] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="0C") returned 2 [0131.452] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="89") returned 2 [0131.452] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="AA") returned 2 [0131.452] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="4A") returned 2 [0131.452] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="4F") returned 2 [0131.452] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="E4") returned 2 [0131.452] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="92") returned 2 [0131.452] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="2D") returned 2 [0131.452] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="20") returned 2 [0131.452] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="77") returned 2 [0131.452] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="45") returned 2 [0131.452] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="E9") returned 2 [0131.452] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="F2") returned 2 [0131.452] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="6E") returned 2 [0131.452] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="82") returned 2 [0131.452] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="8B") returned 2 [0131.453] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="4B") returned 2 [0131.453] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="46") returned 2 [0131.453] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="DE") returned 2 [0131.453] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="98") returned 2 [0131.453] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="53") returned 2 [0131.453] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="6B") returned 2 [0131.453] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="EB") returned 2 [0131.453] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="69") returned 2 [0131.453] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="81") returned 2 [0131.453] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="5A") returned 2 [0131.453] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="66") returned 2 [0131.453] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="1C") returned 2 [0131.453] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="35") returned 2 [0131.453] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="E7") returned 2 [0131.453] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="A4") returned 2 [0131.453] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="73") returned 2 [0131.467] lstrcpyW (in: lpString1=0x3bd8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\02_Music_added_in_the_last_month.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\02_Music_added_in_the_last_month.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\02_Music_added_in_the_last_month.wpl" [0131.467] lstrcpyW (in: lpString1=0x3bc8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\02_Music_added_in_the_last_month.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\02_Music_added_in_the_last_month.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\02_Music_added_in_the_last_month.wpl" [0131.467] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\02_Music_added_in_the_last_month.wpl", lpString2=".0C89AA4A4FE4922D207745E9F26E828B4B46DE98536BEB69815A661C35E7A473" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\02_Music_added_in_the_last_month.wpl.0C89AA4A4FE4922D207745E9F26E828B4B46DE98536BEB69815A661C35E7A473") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\02_Music_added_in_the_last_month.wpl.0C89AA4A4FE4922D207745E9F26E828B4B46DE98536BEB69815A661C35E7A473" [0131.467] CreateIoCompletionPort (FileHandle=0x174, ExistingCompletionPort=0x94, CompletionKey=0x3bc80e0, NumberOfConcurrentThreads=0x0) returned 0x94 [0131.467] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc80e0, lpOverlapped=0x3bc80e0) returned 1 [0131.467] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2ca96f80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2ca96f80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2ca96f80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x4f3, dwReserved0=0x4ddd20, dwReserved1=0x2ce4eda2, cFileName="03_Music_rated_at_4_or_5_stars.wpl", cAlternateFileName="03_MUS~1.WPL")) returned 1 [0131.467] lstrcmpiW (lpString1="03_Music_rated_at_4_or_5_stars.wpl", lpString2="Windows") returned -1 [0131.467] lstrcmpiW (lpString1="03_Music_rated_at_4_or_5_stars.wpl", lpString2="Program Files") returned -1 [0131.467] lstrcmpiW (lpString1="03_Music_rated_at_4_or_5_stars.wpl", lpString2="Program Files (x86)") returned -1 [0131.467] lstrcmpiW (lpString1="03_Music_rated_at_4_or_5_stars.wpl", lpString2="$Recycle.bin") returned 1 [0131.467] lstrcmpiW (lpString1="03_Music_rated_at_4_or_5_stars.wpl", lpString2="System Volume Information") returned -1 [0131.467] lstrcmpiW (lpString1="03_Music_rated_at_4_or_5_stars.wpl", lpString2=".") returned 1 [0131.467] lstrcmpiW (lpString1="03_Music_rated_at_4_or_5_stars.wpl", lpString2="..") returned 1 [0131.467] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\03_Music_rated_at_4_or_5_stars.wpl") returned 135 [0131.468] lstrcmpW (lpString1="03_Music_rated_at_4_or_5_stars.wpl", lpString2="PUSSY.TXT") returned -1 [0131.468] PathFindExtensionW (pszPath="03_Music_rated_at_4_or_5_stars.wpl") returned=".wpl" [0131.468] lstrlenW (lpString=".wpl") returned 4 [0131.468] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0131.468] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\03_Music_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\03_music_rated_at_4_or_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0131.469] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=1267) returned 1 [0131.469] GetProcessHeap () returned 0x4c0000 [0131.469] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x564b40 [0131.482] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="0B") returned 2 [0131.482] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="0C") returned 2 [0131.482] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="33") returned 2 [0131.482] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="08") returned 2 [0131.482] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="BC") returned 2 [0131.482] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="FF") returned 2 [0131.482] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="9D") returned 2 [0131.482] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="AB") returned 2 [0131.483] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="D4") returned 2 [0131.483] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="F4") returned 2 [0131.483] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="F5") returned 2 [0131.483] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="6F") returned 2 [0131.483] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="88") returned 2 [0131.483] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="48") returned 2 [0131.483] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="F6") returned 2 [0131.483] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="B0") returned 2 [0131.483] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="85") returned 2 [0131.483] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="B7") returned 2 [0131.483] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="22") returned 2 [0131.483] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="D4") returned 2 [0131.483] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="50") returned 2 [0131.483] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="C8") returned 2 [0131.483] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="03") returned 2 [0131.483] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="9E") returned 2 [0131.483] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="C5") returned 2 [0131.483] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="72") returned 2 [0131.483] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="90") returned 2 [0131.483] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="E5") returned 2 [0131.483] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="F3") returned 2 [0131.483] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="88") returned 2 [0131.483] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="66") returned 2 [0131.483] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="1B") returned 2 [0131.495] lstrcpyW (in: lpString1=0x574b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\03_Music_rated_at_4_or_5_stars.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\03_Music_rated_at_4_or_5_stars.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\03_Music_rated_at_4_or_5_stars.wpl" [0131.495] lstrcpyW (in: lpString1=0x564b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\03_Music_rated_at_4_or_5_stars.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\03_Music_rated_at_4_or_5_stars.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\03_Music_rated_at_4_or_5_stars.wpl" [0131.495] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\03_Music_rated_at_4_or_5_stars.wpl", lpString2=".0B0C3308BCFF9DABD4F4F56F8848F6B085B722D450C8039EC57290E5F388661B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\03_Music_rated_at_4_or_5_stars.wpl.0B0C3308BCFF9DABD4F4F56F8848F6B085B722D450C8039EC57290E5F388661B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\03_Music_rated_at_4_or_5_stars.wpl.0B0C3308BCFF9DABD4F4F56F8848F6B085B722D450C8039EC57290E5F388661B" [0131.495] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x564b40, NumberOfConcurrentThreads=0x0) returned 0x94 [0131.495] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x564b40, lpOverlapped=0x564b40) returned 1 [0131.495] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2ca96f80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2ca96f80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2ca96f80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x504, dwReserved0=0x4ddd20, dwReserved1=0x2ce4eda2, cFileName="04_Music_played_in_the_last_month.wpl", cAlternateFileName="04_MUS~1.WPL")) returned 1 [0131.496] lstrcmpiW (lpString1="04_Music_played_in_the_last_month.wpl", lpString2="Windows") returned -1 [0131.496] lstrcmpiW (lpString1="04_Music_played_in_the_last_month.wpl", lpString2="Program Files") returned -1 [0131.496] lstrcmpiW (lpString1="04_Music_played_in_the_last_month.wpl", lpString2="Program Files (x86)") returned -1 [0131.496] lstrcmpiW (lpString1="04_Music_played_in_the_last_month.wpl", lpString2="$Recycle.bin") returned 1 [0131.496] lstrcmpiW (lpString1="04_Music_played_in_the_last_month.wpl", lpString2="System Volume Information") returned -1 [0131.496] lstrcmpiW (lpString1="04_Music_played_in_the_last_month.wpl", lpString2=".") returned 1 [0131.496] lstrcmpiW (lpString1="04_Music_played_in_the_last_month.wpl", lpString2="..") returned 1 [0131.496] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\04_Music_played_in_the_last_month.wpl") returned 138 [0131.496] lstrcmpW (lpString1="04_Music_played_in_the_last_month.wpl", lpString2="PUSSY.TXT") returned -1 [0131.496] PathFindExtensionW (pszPath="04_Music_played_in_the_last_month.wpl") returned=".wpl" [0131.496] lstrlenW (lpString=".wpl") returned 4 [0131.496] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0131.496] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\04_Music_played_in_the_last_month.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\04_music_played_in_the_last_month.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0131.504] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=1284) returned 1 [0131.504] GetProcessHeap () returned 0x4c0000 [0131.504] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0131.518] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="A0") returned 2 [0131.518] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="D2") returned 2 [0131.518] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="67") returned 2 [0131.518] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="13") returned 2 [0131.518] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="50") returned 2 [0131.518] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="BD") returned 2 [0131.519] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="BB") returned 2 [0131.519] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="5D") returned 2 [0131.519] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="80") returned 2 [0131.519] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="29") returned 2 [0131.519] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="16") returned 2 [0131.519] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="6C") returned 2 [0131.519] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="D9") returned 2 [0131.519] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="42") returned 2 [0131.519] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="CF") returned 2 [0131.519] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="08") returned 2 [0131.519] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="F8") returned 2 [0131.519] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="07") returned 2 [0131.519] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="F5") returned 2 [0131.519] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="90") returned 2 [0131.519] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="CB") returned 2 [0131.519] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="20") returned 2 [0131.519] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="69") returned 2 [0131.519] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="D7") returned 2 [0131.519] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="2D") returned 2 [0131.519] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="6E") returned 2 [0131.520] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="7E") returned 2 [0131.520] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="C2") returned 2 [0131.520] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="32") returned 2 [0131.520] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="E9") returned 2 [0131.520] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="7F") returned 2 [0131.520] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="23") returned 2 [0131.531] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\04_Music_played_in_the_last_month.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\04_Music_played_in_the_last_month.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\04_Music_played_in_the_last_month.wpl" [0131.532] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\04_Music_played_in_the_last_month.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\04_Music_played_in_the_last_month.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\04_Music_played_in_the_last_month.wpl" [0131.532] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\04_Music_played_in_the_last_month.wpl", lpString2=".A0D2671350BDBB5D8029166CD942CF08F807F590CB2069D72D6E7EC232E97F23" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\04_Music_played_in_the_last_month.wpl.A0D2671350BDBB5D8029166CD942CF08F807F590CB2069D72D6E7EC232E97F23") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\04_Music_played_in_the_last_month.wpl.A0D2671350BDBB5D8029166CD942CF08F807F590CB2069D72D6E7EC232E97F23" [0131.532] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0131.532] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0131.532] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2ca96f80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2ca96f80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2ca96f80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x31d, dwReserved0=0x4ddd20, dwReserved1=0x2ce4eda2, cFileName="05_Pictures_taken_in_the_last_month.wpl", cAlternateFileName="05_PIC~1.WPL")) returned 1 [0131.532] lstrcmpiW (lpString1="05_Pictures_taken_in_the_last_month.wpl", lpString2="Windows") returned -1 [0131.532] lstrcmpiW (lpString1="05_Pictures_taken_in_the_last_month.wpl", lpString2="Program Files") returned -1 [0131.532] lstrcmpiW (lpString1="05_Pictures_taken_in_the_last_month.wpl", lpString2="Program Files (x86)") returned -1 [0131.532] lstrcmpiW (lpString1="05_Pictures_taken_in_the_last_month.wpl", lpString2="$Recycle.bin") returned 1 [0131.532] lstrcmpiW (lpString1="05_Pictures_taken_in_the_last_month.wpl", lpString2="System Volume Information") returned -1 [0131.532] lstrcmpiW (lpString1="05_Pictures_taken_in_the_last_month.wpl", lpString2=".") returned 1 [0131.532] lstrcmpiW (lpString1="05_Pictures_taken_in_the_last_month.wpl", lpString2="..") returned 1 [0131.532] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\05_Pictures_taken_in_the_last_month.wpl") returned 140 [0131.532] lstrcmpW (lpString1="05_Pictures_taken_in_the_last_month.wpl", lpString2="PUSSY.TXT") returned -1 [0131.533] PathFindExtensionW (pszPath="05_Pictures_taken_in_the_last_month.wpl") returned=".wpl" [0131.533] lstrlenW (lpString=".wpl") returned 4 [0131.533] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0131.533] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\05_Pictures_taken_in_the_last_month.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\05_pictures_taken_in_the_last_month.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d4 [0131.534] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=797) returned 1 [0131.534] GetProcessHeap () returned 0x4c0000 [0131.534] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c28098 [0131.561] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="E2") returned 2 [0131.562] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="6D") returned 2 [0131.562] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="19") returned 2 [0131.562] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="36") returned 2 [0131.562] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="FB") returned 2 [0131.562] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="E9") returned 2 [0131.562] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="5B") returned 2 [0131.562] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="60") returned 2 [0131.562] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="1E") returned 2 [0131.562] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="BF") returned 2 [0131.562] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="AC") returned 2 [0131.562] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="AD") returned 2 [0131.562] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="F0") returned 2 [0131.562] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="04") returned 2 [0131.562] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="B0") returned 2 [0131.562] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="21") returned 2 [0131.562] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="A9") returned 2 [0131.562] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="97") returned 2 [0131.562] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="28") returned 2 [0131.562] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="32") returned 2 [0131.562] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="0F") returned 2 [0131.562] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="C3") returned 2 [0131.562] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="FD") returned 2 [0131.562] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="85") returned 2 [0131.562] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="29") returned 2 [0131.563] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="C8") returned 2 [0131.563] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="BC") returned 2 [0131.563] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="3C") returned 2 [0131.563] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="2F") returned 2 [0131.563] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="F6") returned 2 [0131.563] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="1A") returned 2 [0131.563] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="39") returned 2 [0131.572] lstrcpyW (in: lpString1=0x3c380cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\05_Pictures_taken_in_the_last_month.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\05_Pictures_taken_in_the_last_month.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\05_Pictures_taken_in_the_last_month.wpl" [0131.572] lstrcpyW (in: lpString1=0x3c280cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\05_Pictures_taken_in_the_last_month.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\05_Pictures_taken_in_the_last_month.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\05_Pictures_taken_in_the_last_month.wpl" [0131.572] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\05_Pictures_taken_in_the_last_month.wpl", lpString2=".E26D1936FBE95B601EBFACADF004B021A99728320FC3FD8529C8BC3C2FF61A39" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\05_Pictures_taken_in_the_last_month.wpl.E26D1936FBE95B601EBFACADF004B021A99728320FC3FD8529C8BC3C2FF61A39") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\05_Pictures_taken_in_the_last_month.wpl.E26D1936FBE95B601EBFACADF004B021A99728320FC3FD8529C8BC3C2FF61A39" [0131.572] CreateIoCompletionPort (FileHandle=0x1d4, ExistingCompletionPort=0x94, CompletionKey=0x3c28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0131.572] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c28098, lpOverlapped=0x3c28098) returned 1 [0131.574] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2ca96f80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2ca96f80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2ca96f80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x311, dwReserved0=0x4ddd20, dwReserved1=0x2ce4eda2, cFileName="06_Pictures_rated_4_or_5_stars.wpl", cAlternateFileName="06_PIC~1.WPL")) returned 1 [0131.574] lstrcmpiW (lpString1="06_Pictures_rated_4_or_5_stars.wpl", lpString2="Windows") returned -1 [0131.574] lstrcmpiW (lpString1="06_Pictures_rated_4_or_5_stars.wpl", lpString2="Program Files") returned -1 [0131.574] lstrcmpiW (lpString1="06_Pictures_rated_4_or_5_stars.wpl", lpString2="Program Files (x86)") returned -1 [0131.574] lstrcmpiW (lpString1="06_Pictures_rated_4_or_5_stars.wpl", lpString2="$Recycle.bin") returned 1 [0131.574] lstrcmpiW (lpString1="06_Pictures_rated_4_or_5_stars.wpl", lpString2="System Volume Information") returned -1 [0131.575] lstrcmpiW (lpString1="06_Pictures_rated_4_or_5_stars.wpl", lpString2=".") returned 1 [0131.575] lstrcmpiW (lpString1="06_Pictures_rated_4_or_5_stars.wpl", lpString2="..") returned 1 [0131.575] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\06_Pictures_rated_4_or_5_stars.wpl") returned 135 [0131.575] lstrcmpW (lpString1="06_Pictures_rated_4_or_5_stars.wpl", lpString2="PUSSY.TXT") returned -1 [0131.575] PathFindExtensionW (pszPath="06_Pictures_rated_4_or_5_stars.wpl") returned=".wpl" [0131.575] lstrlenW (lpString=".wpl") returned 4 [0131.575] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0131.575] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\06_Pictures_rated_4_or_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\06_pictures_rated_4_or_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a8 [0131.577] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=785) returned 1 [0131.577] GetProcessHeap () returned 0x4c0000 [0131.577] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x53caf0 [0131.587] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="82") returned 2 [0131.587] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="91") returned 2 [0131.587] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="2E") returned 2 [0131.587] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="F8") returned 2 [0131.587] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="DF") returned 2 [0131.587] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="E9") returned 2 [0131.587] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="65") returned 2 [0131.587] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="40") returned 2 [0131.587] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="32") returned 2 [0131.587] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="A8") returned 2 [0131.587] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="E8") returned 2 [0131.587] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="E7") returned 2 [0131.587] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="76") returned 2 [0131.587] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="0D") returned 2 [0131.587] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="90") returned 2 [0131.587] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="37") returned 2 [0131.587] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="24") returned 2 [0131.587] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="0F") returned 2 [0131.588] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="1A") returned 2 [0131.588] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="6D") returned 2 [0131.588] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="36") returned 2 [0131.588] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="96") returned 2 [0131.588] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="77") returned 2 [0131.588] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="06") returned 2 [0131.588] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="33") returned 2 [0131.588] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="BD") returned 2 [0131.588] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="8A") returned 2 [0131.588] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="74") returned 2 [0131.588] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="FE") returned 2 [0131.588] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="F0") returned 2 [0131.588] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="C6") returned 2 [0131.588] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="00") returned 2 [0131.596] lstrcpyW (in: lpString1=0x54cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\06_Pictures_rated_4_or_5_stars.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\06_Pictures_rated_4_or_5_stars.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\06_Pictures_rated_4_or_5_stars.wpl" [0131.596] lstrcpyW (in: lpString1=0x53cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\06_Pictures_rated_4_or_5_stars.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\06_Pictures_rated_4_or_5_stars.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\06_Pictures_rated_4_or_5_stars.wpl" [0131.596] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\06_Pictures_rated_4_or_5_stars.wpl", lpString2=".82912EF8DFE9654032A8E8E7760D9037240F1A6D3696770633BD8A74FEF0C600" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\06_Pictures_rated_4_or_5_stars.wpl.82912EF8DFE9654032A8E8E7760D9037240F1A6D3696770633BD8A74FEF0C600") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\06_Pictures_rated_4_or_5_stars.wpl.82912EF8DFE9654032A8E8E7760D9037240F1A6D3696770633BD8A74FEF0C600" [0131.597] CreateIoCompletionPort (FileHandle=0x1a8, ExistingCompletionPort=0x94, CompletionKey=0x53caf0, NumberOfConcurrentThreads=0x0) returned 0x94 [0131.597] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x53caf0, lpOverlapped=0x53caf0) returned 1 [0131.597] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2ca96f80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2ca96f80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2ca96f80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x410, dwReserved0=0x4ddd20, dwReserved1=0x2ce4eda2, cFileName="07_TV_recorded_in_the_last_week.wpl", cAlternateFileName="07_TV_~1.WPL")) returned 1 [0131.597] lstrcmpiW (lpString1="07_TV_recorded_in_the_last_week.wpl", lpString2="Windows") returned -1 [0131.597] lstrcmpiW (lpString1="07_TV_recorded_in_the_last_week.wpl", lpString2="Program Files") returned -1 [0131.597] lstrcmpiW (lpString1="07_TV_recorded_in_the_last_week.wpl", lpString2="Program Files (x86)") returned -1 [0131.597] lstrcmpiW (lpString1="07_TV_recorded_in_the_last_week.wpl", lpString2="$Recycle.bin") returned 1 [0131.597] lstrcmpiW (lpString1="07_TV_recorded_in_the_last_week.wpl", lpString2="System Volume Information") returned -1 [0131.597] lstrcmpiW (lpString1="07_TV_recorded_in_the_last_week.wpl", lpString2=".") returned 1 [0131.597] lstrcmpiW (lpString1="07_TV_recorded_in_the_last_week.wpl", lpString2="..") returned 1 [0131.597] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\07_TV_recorded_in_the_last_week.wpl") returned 136 [0131.597] lstrcmpW (lpString1="07_TV_recorded_in_the_last_week.wpl", lpString2="PUSSY.TXT") returned -1 [0131.597] PathFindExtensionW (pszPath="07_TV_recorded_in_the_last_week.wpl") returned=".wpl" [0131.597] lstrlenW (lpString=".wpl") returned 4 [0131.597] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0131.597] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\07_TV_recorded_in_the_last_week.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\07_tv_recorded_in_the_last_week.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0131.598] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=1040) returned 1 [0131.598] GetProcessHeap () returned 0x4c0000 [0131.598] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b380a0 [0131.610] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="FD") returned 2 [0131.610] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="36") returned 2 [0131.610] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="DA") returned 2 [0131.610] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="41") returned 2 [0131.610] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="64") returned 2 [0131.610] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="64") returned 2 [0131.610] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="32") returned 2 [0131.610] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="78") returned 2 [0131.610] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="77") returned 2 [0131.611] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="23") returned 2 [0131.611] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="92") returned 2 [0131.611] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="EB") returned 2 [0131.611] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="F8") returned 2 [0131.611] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="CB") returned 2 [0131.611] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="38") returned 2 [0131.611] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="4B") returned 2 [0131.611] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="29") returned 2 [0131.611] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="FB") returned 2 [0131.611] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="62") returned 2 [0131.611] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="0B") returned 2 [0131.611] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="E8") returned 2 [0131.611] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="42") returned 2 [0131.611] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="24") returned 2 [0131.611] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="1C") returned 2 [0131.611] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="97") returned 2 [0131.611] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="E4") returned 2 [0131.611] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="E2") returned 2 [0131.612] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="AE") returned 2 [0131.612] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="4A") returned 2 [0131.612] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="F4") returned 2 [0131.612] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="DE") returned 2 [0131.612] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="13") returned 2 [0131.622] lstrcpyW (in: lpString1=0x3b480d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\07_TV_recorded_in_the_last_week.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\07_TV_recorded_in_the_last_week.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\07_TV_recorded_in_the_last_week.wpl" [0131.622] lstrcpyW (in: lpString1=0x3b380d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\07_TV_recorded_in_the_last_week.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\07_TV_recorded_in_the_last_week.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\07_TV_recorded_in_the_last_week.wpl" [0131.622] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\07_TV_recorded_in_the_last_week.wpl", lpString2=".FD36DA4164643278772392EBF8CB384B29FB620BE842241C97E4E2AE4AF4DE13" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\07_TV_recorded_in_the_last_week.wpl.FD36DA4164643278772392EBF8CB384B29FB620BE842241C97E4E2AE4AF4DE13") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\07_TV_recorded_in_the_last_week.wpl.FD36DA4164643278772392EBF8CB384B29FB620BE842241C97E4E2AE4AF4DE13" [0131.622] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x3b380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0131.622] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b380a0, lpOverlapped=0x3b380a0) returned 1 [0131.623] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2ca96f80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2ca96f80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2ca96f80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x3fc, dwReserved0=0x4ddd20, dwReserved1=0x2ce4eda2, cFileName="08_Video_rated_at_4_or_5_stars.wpl", cAlternateFileName="08_VID~1.WPL")) returned 1 [0131.623] lstrcmpiW (lpString1="08_Video_rated_at_4_or_5_stars.wpl", lpString2="Windows") returned -1 [0131.623] lstrcmpiW (lpString1="08_Video_rated_at_4_or_5_stars.wpl", lpString2="Program Files") returned -1 [0131.623] lstrcmpiW (lpString1="08_Video_rated_at_4_or_5_stars.wpl", lpString2="Program Files (x86)") returned -1 [0131.623] lstrcmpiW (lpString1="08_Video_rated_at_4_or_5_stars.wpl", lpString2="$Recycle.bin") returned 1 [0131.623] lstrcmpiW (lpString1="08_Video_rated_at_4_or_5_stars.wpl", lpString2="System Volume Information") returned -1 [0131.623] lstrcmpiW (lpString1="08_Video_rated_at_4_or_5_stars.wpl", lpString2=".") returned 1 [0131.623] lstrcmpiW (lpString1="08_Video_rated_at_4_or_5_stars.wpl", lpString2="..") returned 1 [0131.623] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\08_Video_rated_at_4_or_5_stars.wpl") returned 135 [0131.623] lstrcmpW (lpString1="08_Video_rated_at_4_or_5_stars.wpl", lpString2="PUSSY.TXT") returned -1 [0131.623] PathFindExtensionW (pszPath="08_Video_rated_at_4_or_5_stars.wpl") returned=".wpl" [0131.623] lstrlenW (lpString=".wpl") returned 4 [0131.623] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0131.623] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\08_Video_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\08_video_rated_at_4_or_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a8 [0131.642] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=1020) returned 1 [0131.642] GetProcessHeap () returned 0x4c0000 [0131.642] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x53caf0 [0131.661] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="72") returned 2 [0131.661] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="7A") returned 2 [0131.661] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="89") returned 2 [0131.661] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="AE") returned 2 [0131.661] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="B2") returned 2 [0131.661] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="93") returned 2 [0131.661] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="88") returned 2 [0131.661] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="1A") returned 2 [0131.661] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="C5") returned 2 [0131.662] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="4C") returned 2 [0131.662] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="2C") returned 2 [0131.662] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="0C") returned 2 [0131.662] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="31") returned 2 [0131.662] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="4D") returned 2 [0131.662] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="FF") returned 2 [0131.662] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="06") returned 2 [0131.662] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="24") returned 2 [0131.662] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="9E") returned 2 [0131.662] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="45") returned 2 [0131.662] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="52") returned 2 [0131.662] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="B3") returned 2 [0131.662] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="A2") returned 2 [0131.662] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="A7") returned 2 [0131.662] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="C9") returned 2 [0131.662] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="F2") returned 2 [0131.662] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="40") returned 2 [0131.662] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="54") returned 2 [0131.662] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="5E") returned 2 [0131.662] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="0D") returned 2 [0131.662] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="BA") returned 2 [0131.662] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="DE") returned 2 [0131.662] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="39") returned 2 [0131.670] lstrcpyW (in: lpString1=0x54cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\08_Video_rated_at_4_or_5_stars.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\08_Video_rated_at_4_or_5_stars.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\08_Video_rated_at_4_or_5_stars.wpl" [0131.671] lstrcpyW (in: lpString1=0x53cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\08_Video_rated_at_4_or_5_stars.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\08_Video_rated_at_4_or_5_stars.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\08_Video_rated_at_4_or_5_stars.wpl" [0131.671] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\08_Video_rated_at_4_or_5_stars.wpl", lpString2=".727A89AEB293881AC54C2C0C314DFF06249E4552B3A2A7C9F240545E0DBADE39" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\08_Video_rated_at_4_or_5_stars.wpl.727A89AEB293881AC54C2C0C314DFF06249E4552B3A2A7C9F240545E0DBADE39") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\08_Video_rated_at_4_or_5_stars.wpl.727A89AEB293881AC54C2C0C314DFF06249E4552B3A2A7C9F240545E0DBADE39" [0131.671] CreateIoCompletionPort (FileHandle=0x1a8, ExistingCompletionPort=0x94, CompletionKey=0x53caf0, NumberOfConcurrentThreads=0x0) returned 0x94 [0131.671] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x53caf0, lpOverlapped=0x53caf0) returned 1 [0131.671] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2ca96f80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2ca96f80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2ca96f80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x401, dwReserved0=0x4ddd20, dwReserved1=0x2ce4eda2, cFileName="09_Music_played_the_most.wpl", cAlternateFileName="09_MUS~1.WPL")) returned 1 [0131.671] lstrcmpiW (lpString1="09_Music_played_the_most.wpl", lpString2="Windows") returned -1 [0131.671] lstrcmpiW (lpString1="09_Music_played_the_most.wpl", lpString2="Program Files") returned -1 [0131.671] lstrcmpiW (lpString1="09_Music_played_the_most.wpl", lpString2="Program Files (x86)") returned -1 [0131.671] lstrcmpiW (lpString1="09_Music_played_the_most.wpl", lpString2="$Recycle.bin") returned 1 [0131.671] lstrcmpiW (lpString1="09_Music_played_the_most.wpl", lpString2="System Volume Information") returned -1 [0131.671] lstrcmpiW (lpString1="09_Music_played_the_most.wpl", lpString2=".") returned 1 [0131.671] lstrcmpiW (lpString1="09_Music_played_the_most.wpl", lpString2="..") returned 1 [0131.671] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\09_Music_played_the_most.wpl") returned 129 [0131.671] lstrcmpW (lpString1="09_Music_played_the_most.wpl", lpString2="PUSSY.TXT") returned -1 [0131.671] PathFindExtensionW (pszPath="09_Music_played_the_most.wpl") returned=".wpl" [0131.671] lstrlenW (lpString=".wpl") returned 4 [0131.671] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0131.672] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\09_Music_played_the_most.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\09_music_played_the_most.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0131.672] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=1025) returned 1 [0131.673] GetProcessHeap () returned 0x4c0000 [0131.673] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b380a0 [0131.681] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="DC") returned 2 [0131.681] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="5A") returned 2 [0131.681] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="C9") returned 2 [0131.681] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="3A") returned 2 [0131.681] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="AE") returned 2 [0131.681] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="13") returned 2 [0131.681] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="53") returned 2 [0131.682] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="94") returned 2 [0131.682] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="13") returned 2 [0131.682] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="10") returned 2 [0131.682] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="4D") returned 2 [0131.682] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="CA") returned 2 [0131.682] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="D7") returned 2 [0131.682] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="C7") returned 2 [0131.682] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="69") returned 2 [0131.682] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="E8") returned 2 [0131.682] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="70") returned 2 [0131.682] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="17") returned 2 [0131.682] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="DB") returned 2 [0131.682] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="36") returned 2 [0131.682] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="C0") returned 2 [0131.682] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="D4") returned 2 [0131.682] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="48") returned 2 [0131.682] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="61") returned 2 [0131.682] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="4E") returned 2 [0131.682] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="5D") returned 2 [0131.682] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="23") returned 2 [0131.682] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="03") returned 2 [0131.682] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="DA") returned 2 [0131.682] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="90") returned 2 [0131.682] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="55") returned 2 [0131.682] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="65") returned 2 [0131.690] lstrcpyW (in: lpString1=0x3b480d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\09_Music_played_the_most.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\09_Music_played_the_most.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\09_Music_played_the_most.wpl" [0131.690] lstrcpyW (in: lpString1=0x3b380d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\09_Music_played_the_most.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\09_Music_played_the_most.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\09_Music_played_the_most.wpl" [0131.690] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\09_Music_played_the_most.wpl", lpString2=".DC5AC93AAE13539413104DCAD7C769E87017DB36C0D448614E5D2303DA905565" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\09_Music_played_the_most.wpl.DC5AC93AAE13539413104DCAD7C769E87017DB36C0D448614E5D2303DA905565") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\09_Music_played_the_most.wpl.DC5AC93AAE13539413104DCAD7C769E87017DB36C0D448614E5D2303DA905565" [0131.690] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x3b380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0131.691] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b380a0, lpOverlapped=0x3b380a0) returned 1 [0131.693] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2ca96f80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2ca96f80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2ca96f80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x427, dwReserved0=0x4ddd20, dwReserved1=0x2ce4eda2, cFileName="10_All_Music.wpl", cAlternateFileName="10_ALL~1.WPL")) returned 1 [0131.696] lstrcmpiW (lpString1="10_All_Music.wpl", lpString2="Windows") returned -1 [0131.696] lstrcmpiW (lpString1="10_All_Music.wpl", lpString2="Program Files") returned -1 [0131.696] lstrcmpiW (lpString1="10_All_Music.wpl", lpString2="Program Files (x86)") returned -1 [0131.696] lstrcmpiW (lpString1="10_All_Music.wpl", lpString2="$Recycle.bin") returned 1 [0131.696] lstrcmpiW (lpString1="10_All_Music.wpl", lpString2="System Volume Information") returned -1 [0131.696] lstrcmpiW (lpString1="10_All_Music.wpl", lpString2=".") returned 1 [0131.696] lstrcmpiW (lpString1="10_All_Music.wpl", lpString2="..") returned 1 [0131.696] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\10_All_Music.wpl") returned 117 [0131.696] lstrcmpW (lpString1="10_All_Music.wpl", lpString2="PUSSY.TXT") returned -1 [0131.696] PathFindExtensionW (pszPath="10_All_Music.wpl") returned=".wpl" [0131.696] lstrlenW (lpString=".wpl") returned 4 [0131.696] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0131.696] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\10_All_Music.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\10_all_music.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0131.697] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=1063) returned 1 [0131.697] GetProcessHeap () returned 0x4c0000 [0131.697] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b600f0 [0131.707] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="9E") returned 2 [0131.707] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="D9") returned 2 [0131.707] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="F1") returned 2 [0131.707] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="DE") returned 2 [0131.707] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="5D") returned 2 [0131.707] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="41") returned 2 [0131.707] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="86") returned 2 [0131.707] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="58") returned 2 [0131.707] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="84") returned 2 [0131.708] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="64") returned 2 [0131.708] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="73") returned 2 [0131.708] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="2C") returned 2 [0131.708] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="9C") returned 2 [0131.708] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="A1") returned 2 [0131.708] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="F8") returned 2 [0131.708] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="82") returned 2 [0131.708] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="74") returned 2 [0131.708] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="9F") returned 2 [0131.708] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="19") returned 2 [0131.708] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="42") returned 2 [0131.708] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="00") returned 2 [0131.708] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="1B") returned 2 [0131.708] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="69") returned 2 [0131.708] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="B8") returned 2 [0131.708] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="C5") returned 2 [0131.708] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="E5") returned 2 [0131.708] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="1A") returned 2 [0131.708] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="68") returned 2 [0131.708] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="D1") returned 2 [0131.708] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="D0") returned 2 [0131.708] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="02") returned 2 [0131.708] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="1F") returned 2 [0131.717] lstrcpyW (in: lpString1=0x3b70124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\10_All_Music.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\10_All_Music.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\10_All_Music.wpl" [0131.717] lstrcpyW (in: lpString1=0x3b60124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\10_All_Music.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\10_All_Music.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\10_All_Music.wpl" [0131.717] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\10_All_Music.wpl", lpString2=".9ED9F1DE5D4186588464732C9CA1F882749F1942001B69B8C5E51A68D1D0021F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\10_All_Music.wpl.9ED9F1DE5D4186588464732C9CA1F882749F1942001B69B8C5E51A68D1D0021F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\10_All_Music.wpl.9ED9F1DE5D4186588464732C9CA1F882749F1942001B69B8C5E51A68D1D0021F" [0131.717] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x3b600f0, NumberOfConcurrentThreads=0x0) returned 0x94 [0131.717] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b600f0, lpOverlapped=0x3b600f0) returned 1 [0131.717] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2ca96f80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2ca96f80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2ca96f80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x249, dwReserved0=0x4ddd20, dwReserved1=0x2ce4eda2, cFileName="11_All_Pictures.wpl", cAlternateFileName="11_ALL~1.WPL")) returned 1 [0131.720] lstrcmpiW (lpString1="11_All_Pictures.wpl", lpString2="Windows") returned -1 [0131.720] lstrcmpiW (lpString1="11_All_Pictures.wpl", lpString2="Program Files") returned -1 [0131.720] lstrcmpiW (lpString1="11_All_Pictures.wpl", lpString2="Program Files (x86)") returned -1 [0131.720] lstrcmpiW (lpString1="11_All_Pictures.wpl", lpString2="$Recycle.bin") returned 1 [0131.720] lstrcmpiW (lpString1="11_All_Pictures.wpl", lpString2="System Volume Information") returned -1 [0131.720] lstrcmpiW (lpString1="11_All_Pictures.wpl", lpString2=".") returned 1 [0131.720] lstrcmpiW (lpString1="11_All_Pictures.wpl", lpString2="..") returned 1 [0131.720] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\11_All_Pictures.wpl") returned 120 [0131.720] lstrcmpW (lpString1="11_All_Pictures.wpl", lpString2="PUSSY.TXT") returned -1 [0131.720] PathFindExtensionW (pszPath="11_All_Pictures.wpl") returned=".wpl" [0131.722] lstrlenW (lpString=".wpl") returned 4 [0131.722] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0131.722] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\11_All_Pictures.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\11_all_pictures.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0131.724] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=585) returned 1 [0131.724] GetProcessHeap () returned 0x4c0000 [0131.724] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b600f0 [0131.732] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="95") returned 2 [0131.732] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="A0") returned 2 [0131.732] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="1E") returned 2 [0131.732] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="77") returned 2 [0131.732] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="9D") returned 2 [0131.732] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="38") returned 2 [0131.733] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="1A") returned 2 [0131.733] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="25") returned 2 [0131.733] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="47") returned 2 [0131.733] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="38") returned 2 [0131.733] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="31") returned 2 [0131.733] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="75") returned 2 [0131.733] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="BC") returned 2 [0131.733] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="47") returned 2 [0131.733] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="37") returned 2 [0131.733] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="B2") returned 2 [0131.733] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="35") returned 2 [0131.733] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="EE") returned 2 [0131.733] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="8C") returned 2 [0131.733] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="58") returned 2 [0131.733] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="0A") returned 2 [0131.733] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="F9") returned 2 [0131.733] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="12") returned 2 [0131.733] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="64") returned 2 [0131.733] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="1F") returned 2 [0131.733] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="E5") returned 2 [0131.733] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="77") returned 2 [0131.733] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="B0") returned 2 [0131.733] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="6F") returned 2 [0131.733] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="AC") returned 2 [0131.733] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="6D") returned 2 [0131.733] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="3F") returned 2 [0131.741] lstrcpyW (in: lpString1=0x3b70124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\11_All_Pictures.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\11_All_Pictures.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\11_All_Pictures.wpl" [0131.742] lstrcpyW (in: lpString1=0x3b60124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\11_All_Pictures.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\11_All_Pictures.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\11_All_Pictures.wpl" [0131.742] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\11_All_Pictures.wpl", lpString2=".95A01E779D381A2547383175BC4737B235EE8C580AF912641FE577B06FAC6D3F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\11_All_Pictures.wpl.95A01E779D381A2547383175BC4737B235EE8C580AF912641FE577B06FAC6D3F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\11_All_Pictures.wpl.95A01E779D381A2547383175BC4737B235EE8C580AF912641FE577B06FAC6D3F" [0131.742] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x3b600f0, NumberOfConcurrentThreads=0x0) returned 0x94 [0131.742] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b600f0, lpOverlapped=0x3b600f0) returned 1 [0131.742] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2ca96f80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2ca96f80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2ca96f80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x437, dwReserved0=0x4ddd20, dwReserved1=0x2ce4eda2, cFileName="12_All_Video.wpl", cAlternateFileName="12_ALL~1.WPL")) returned 1 [0131.742] lstrcmpiW (lpString1="12_All_Video.wpl", lpString2="Windows") returned -1 [0131.742] lstrcmpiW (lpString1="12_All_Video.wpl", lpString2="Program Files") returned -1 [0131.742] lstrcmpiW (lpString1="12_All_Video.wpl", lpString2="Program Files (x86)") returned -1 [0131.742] lstrcmpiW (lpString1="12_All_Video.wpl", lpString2="$Recycle.bin") returned 1 [0131.742] lstrcmpiW (lpString1="12_All_Video.wpl", lpString2="System Volume Information") returned -1 [0131.742] lstrcmpiW (lpString1="12_All_Video.wpl", lpString2=".") returned 1 [0131.742] lstrcmpiW (lpString1="12_All_Video.wpl", lpString2="..") returned 1 [0131.742] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\12_All_Video.wpl") returned 117 [0131.742] lstrcmpW (lpString1="12_All_Video.wpl", lpString2="PUSSY.TXT") returned -1 [0131.742] PathFindExtensionW (pszPath="12_All_Video.wpl") returned=".wpl" [0131.742] lstrlenW (lpString=".wpl") returned 4 [0131.742] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0131.742] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\12_All_Video.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\12_all_video.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0131.743] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=1079) returned 1 [0131.743] GetProcessHeap () returned 0x4c0000 [0131.743] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b88140 [0131.752] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="AE") returned 2 [0131.752] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="8F") returned 2 [0131.752] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="D9") returned 2 [0131.752] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="E3") returned 2 [0131.753] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="2D") returned 2 [0131.753] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="42") returned 2 [0131.753] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="22") returned 2 [0131.753] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="36") returned 2 [0131.753] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="86") returned 2 [0131.753] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="A7") returned 2 [0131.753] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="FD") returned 2 [0131.753] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="CF") returned 2 [0131.753] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="4B") returned 2 [0131.753] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="E1") returned 2 [0131.753] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="BD") returned 2 [0131.753] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="C3") returned 2 [0131.753] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="E5") returned 2 [0131.753] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="68") returned 2 [0131.753] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="CD") returned 2 [0131.753] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="AE") returned 2 [0131.753] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="95") returned 2 [0131.753] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="C3") returned 2 [0131.753] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="07") returned 2 [0131.753] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="87") returned 2 [0131.753] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="34") returned 2 [0131.753] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="E8") returned 2 [0131.753] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="4E") returned 2 [0131.753] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="06") returned 2 [0131.753] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="7C") returned 2 [0131.753] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="67") returned 2 [0131.753] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="4F") returned 2 [0131.753] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="3F") returned 2 [0131.762] lstrcpyW (in: lpString1=0x3b98174, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\12_All_Video.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\12_All_Video.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\12_All_Video.wpl" [0131.762] lstrcpyW (in: lpString1=0x3b88174, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\12_All_Video.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\12_All_Video.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\12_All_Video.wpl" [0131.762] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\12_All_Video.wpl", lpString2=".AE8FD9E32D42223686A7FDCF4BE1BDC3E568CDAE95C3078734E84E067C674F3F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\12_All_Video.wpl.AE8FD9E32D42223686A7FDCF4BE1BDC3E568CDAE95C3078734E84E067C674F3F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\12_All_Video.wpl.AE8FD9E32D42223686A7FDCF4BE1BDC3E568CDAE95C3078734E84E067C674F3F" [0131.762] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0x94, CompletionKey=0x3b88140, NumberOfConcurrentThreads=0x0) returned 0x94 [0131.762] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b88140, lpOverlapped=0x3b88140) returned 1 [0131.762] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2ca96f80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2ca96f80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2ca96f80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x437, dwReserved0=0x4ddd20, dwReserved1=0x2ce4eda2, cFileName="12_All_Video.wpl", cAlternateFileName="12_ALL~1.WPL")) returned 0 [0131.765] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0131.765] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\PUSSY.TXT") returned 110 [0131.765] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0131.769] lstrlenA (lpString="abcd") returned 4 [0131.769] WriteFile (in: hFile=0x194, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0131.770] CloseHandle (hObject=0x194) returned 1 [0131.770] GetProcessHeap () returned 0x4c0000 [0131.770] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0131.770] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f14980, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf740fbac, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="00010C6E", cAlternateFileName="")) returned 1 [0131.770] lstrcmpiW (lpString1="00010C6E", lpString2="Windows") returned -1 [0131.770] lstrcmpiW (lpString1="00010C6E", lpString2="Program Files") returned -1 [0131.770] lstrcmpiW (lpString1="00010C6E", lpString2="Program Files (x86)") returned -1 [0131.770] lstrcmpiW (lpString1="00010C6E", lpString2="$Recycle.bin") returned 1 [0131.770] lstrcmpiW (lpString1="00010C6E", lpString2="System Volume Information") returned -1 [0131.770] lstrcmpiW (lpString1="00010C6E", lpString2=".") returned 1 [0131.770] lstrcmpiW (lpString1="00010C6E", lpString2="..") returned 1 [0131.770] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E") returned 100 [0131.770] GetProcessHeap () returned 0x4c0000 [0131.770] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0131.770] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E" [0131.770] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\*" [0131.771] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f14980, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf740fbac, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2ce4eda2, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0131.776] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0131.776] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0131.776] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0131.776] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0131.776] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0131.776] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0131.776] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f14980, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf740fbac, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2ce4eda2, cFileName="..", cAlternateFileName="")) returned 1 [0131.776] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0131.776] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0131.776] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0131.776] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0131.776] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0131.776] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0131.777] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0131.777] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28eee820, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28eee820, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf73e9a4c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x414, dwReserved0=0x4ddd20, dwReserved1=0x2ce4eda2, cFileName="01_Music_auto_rated_at_5_stars.wpl", cAlternateFileName="01_MUS~1.WPL")) returned 1 [0131.777] lstrcmpiW (lpString1="01_Music_auto_rated_at_5_stars.wpl", lpString2="Windows") returned -1 [0131.777] lstrcmpiW (lpString1="01_Music_auto_rated_at_5_stars.wpl", lpString2="Program Files") returned -1 [0131.777] lstrcmpiW (lpString1="01_Music_auto_rated_at_5_stars.wpl", lpString2="Program Files (x86)") returned -1 [0131.777] lstrcmpiW (lpString1="01_Music_auto_rated_at_5_stars.wpl", lpString2="$Recycle.bin") returned 1 [0131.777] lstrcmpiW (lpString1="01_Music_auto_rated_at_5_stars.wpl", lpString2="System Volume Information") returned -1 [0131.777] lstrcmpiW (lpString1="01_Music_auto_rated_at_5_stars.wpl", lpString2=".") returned 1 [0131.777] lstrcmpiW (lpString1="01_Music_auto_rated_at_5_stars.wpl", lpString2="..") returned 1 [0131.777] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl") returned 135 [0131.777] lstrcmpW (lpString1="01_Music_auto_rated_at_5_stars.wpl", lpString2="PUSSY.TXT") returned -1 [0131.777] PathFindExtensionW (pszPath="01_Music_auto_rated_at_5_stars.wpl") returned=".wpl" [0131.777] lstrlenW (lpString=".wpl") returned 4 [0131.777] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0131.777] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\01_music_auto_rated_at_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0131.778] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=1044) returned 1 [0131.778] GetProcessHeap () returned 0x4c0000 [0131.778] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b88140 [0131.786] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="7E") returned 2 [0131.786] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="85") returned 2 [0131.786] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="3E") returned 2 [0131.786] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="5B") returned 2 [0131.786] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="CE") returned 2 [0131.786] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="E5") returned 2 [0131.786] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="1D") returned 2 [0131.786] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="3E") returned 2 [0131.786] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="54") returned 2 [0131.786] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="8D") returned 2 [0131.786] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="CD") returned 2 [0131.786] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="03") returned 2 [0131.786] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="8A") returned 2 [0131.786] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="CB") returned 2 [0131.786] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="93") returned 2 [0131.786] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="A9") returned 2 [0131.787] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="24") returned 2 [0131.787] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="6D") returned 2 [0131.787] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="78") returned 2 [0131.787] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="67") returned 2 [0131.787] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="6F") returned 2 [0131.787] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="83") returned 2 [0131.787] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="24") returned 2 [0131.787] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="24") returned 2 [0131.787] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="45") returned 2 [0131.787] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="02") returned 2 [0131.787] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="D8") returned 2 [0131.787] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="29") returned 2 [0131.787] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="35") returned 2 [0131.787] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="35") returned 2 [0131.787] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="EF") returned 2 [0131.787] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="49") returned 2 [0131.797] lstrcpyW (in: lpString1=0x3b98174, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl" [0131.797] lstrcpyW (in: lpString1=0x3b88174, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl" [0131.797] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl", lpString2=".7E853E5BCEE51D3E548DCD038ACB93A9246D78676F8324244502D8293535EF49" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl.7E853E5BCEE51D3E548DCD038ACB93A9246D78676F8324244502D8293535EF49") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl.7E853E5BCEE51D3E548DCD038ACB93A9246D78676F8324244502D8293535EF49" [0131.797] CreateIoCompletionPort (FileHandle=0x1d8, ExistingCompletionPort=0x94, CompletionKey=0x3b88140, NumberOfConcurrentThreads=0x0) returned 0x94 [0131.797] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b88140, lpOverlapped=0x3b88140) returned 1 [0131.797] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28eee820, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28eee820, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf73e9a4c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x4ff, dwReserved0=0x4ddd20, dwReserved1=0x2ce4eda2, cFileName="02_Music_added_in_the_last_month.wpl", cAlternateFileName="02_MUS~1.WPL")) returned 1 [0131.797] lstrcmpiW (lpString1="02_Music_added_in_the_last_month.wpl", lpString2="Windows") returned -1 [0131.797] lstrcmpiW (lpString1="02_Music_added_in_the_last_month.wpl", lpString2="Program Files") returned -1 [0131.797] lstrcmpiW (lpString1="02_Music_added_in_the_last_month.wpl", lpString2="Program Files (x86)") returned -1 [0131.797] lstrcmpiW (lpString1="02_Music_added_in_the_last_month.wpl", lpString2="$Recycle.bin") returned 1 [0131.797] lstrcmpiW (lpString1="02_Music_added_in_the_last_month.wpl", lpString2="System Volume Information") returned -1 [0131.797] lstrcmpiW (lpString1="02_Music_added_in_the_last_month.wpl", lpString2=".") returned 1 [0131.797] lstrcmpiW (lpString1="02_Music_added_in_the_last_month.wpl", lpString2="..") returned 1 [0131.797] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl") returned 137 [0131.797] lstrcmpW (lpString1="02_Music_added_in_the_last_month.wpl", lpString2="PUSSY.TXT") returned -1 [0131.797] PathFindExtensionW (pszPath="02_Music_added_in_the_last_month.wpl") returned=".wpl" [0131.797] lstrlenW (lpString=".wpl") returned 4 [0131.797] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0131.797] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\02_music_added_in_the_last_month.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0131.806] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=1279) returned 1 [0131.806] GetProcessHeap () returned 0x4c0000 [0131.806] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b88140 [0131.814] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="A7") returned 2 [0131.814] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="E8") returned 2 [0131.814] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="37") returned 2 [0131.815] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="7B") returned 2 [0131.815] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="A5") returned 2 [0131.815] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="2F") returned 2 [0131.815] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="62") returned 2 [0131.815] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="13") returned 2 [0131.815] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="5B") returned 2 [0131.815] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="A7") returned 2 [0131.815] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="BB") returned 2 [0131.815] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="41") returned 2 [0131.815] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="E1") returned 2 [0131.815] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="D2") returned 2 [0131.815] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="EB") returned 2 [0131.815] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="79") returned 2 [0131.815] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="97") returned 2 [0131.815] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="CC") returned 2 [0131.815] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="77") returned 2 [0131.815] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="91") returned 2 [0131.815] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="9D") returned 2 [0131.815] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="06") returned 2 [0131.815] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="A8") returned 2 [0131.815] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="8F") returned 2 [0131.815] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="7E") returned 2 [0131.815] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="CB") returned 2 [0131.815] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="DD") returned 2 [0131.815] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="3A") returned 2 [0131.815] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="78") returned 2 [0131.815] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="B8") returned 2 [0131.815] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="8A") returned 2 [0131.815] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="33") returned 2 [0131.872] lstrcpyW (in: lpString1=0x3b98174, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl" [0131.873] lstrcpyW (in: lpString1=0x3b88174, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl" [0131.873] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl", lpString2=".A7E8377BA52F62135BA7BB41E1D2EB7997CC77919D06A88F7ECBDD3A78B88A33" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl.A7E8377BA52F62135BA7BB41E1D2EB7997CC77919D06A88F7ECBDD3A78B88A33") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl.A7E8377BA52F62135BA7BB41E1D2EB7997CC77919D06A88F7ECBDD3A78B88A33" [0131.873] CreateIoCompletionPort (FileHandle=0x1d8, ExistingCompletionPort=0x94, CompletionKey=0x3b88140, NumberOfConcurrentThreads=0x0) returned 0x94 [0131.873] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b88140, lpOverlapped=0x3b88140) returned 1 [0131.873] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28eee820, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28eee820, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf73e9a4c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x4f3, dwReserved0=0x4ddd20, dwReserved1=0x2ce4eda2, cFileName="03_Music_rated_at_4_or_5_stars.wpl", cAlternateFileName="03_MUS~1.WPL")) returned 1 [0131.873] lstrcmpiW (lpString1="03_Music_rated_at_4_or_5_stars.wpl", lpString2="Windows") returned -1 [0131.873] lstrcmpiW (lpString1="03_Music_rated_at_4_or_5_stars.wpl", lpString2="Program Files") returned -1 [0131.873] lstrcmpiW (lpString1="03_Music_rated_at_4_or_5_stars.wpl", lpString2="Program Files (x86)") returned -1 [0131.873] lstrcmpiW (lpString1="03_Music_rated_at_4_or_5_stars.wpl", lpString2="$Recycle.bin") returned 1 [0131.874] lstrcmpiW (lpString1="03_Music_rated_at_4_or_5_stars.wpl", lpString2="System Volume Information") returned -1 [0131.874] lstrcmpiW (lpString1="03_Music_rated_at_4_or_5_stars.wpl", lpString2=".") returned 1 [0131.874] lstrcmpiW (lpString1="03_Music_rated_at_4_or_5_stars.wpl", lpString2="..") returned 1 [0131.874] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl") returned 135 [0131.874] lstrcmpW (lpString1="03_Music_rated_at_4_or_5_stars.wpl", lpString2="PUSSY.TXT") returned -1 [0131.874] PathFindExtensionW (pszPath="03_Music_rated_at_4_or_5_stars.wpl") returned=".wpl" [0131.874] lstrlenW (lpString=".wpl") returned 4 [0131.874] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0131.874] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\03_music_rated_at_4_or_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0131.875] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=1267) returned 1 [0131.875] GetProcessHeap () returned 0x4c0000 [0131.875] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b380a0 [0131.888] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="12") returned 2 [0131.888] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="D8") returned 2 [0131.888] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="70") returned 2 [0131.888] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="A4") returned 2 [0131.888] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="78") returned 2 [0131.888] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="4A") returned 2 [0131.888] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="46") returned 2 [0131.888] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="40") returned 2 [0131.888] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="5B") returned 2 [0131.888] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="E0") returned 2 [0131.888] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="DD") returned 2 [0131.888] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="D6") returned 2 [0131.888] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="81") returned 2 [0131.888] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="28") returned 2 [0131.888] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="D9") returned 2 [0131.888] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="FD") returned 2 [0131.888] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="8A") returned 2 [0131.888] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="09") returned 2 [0131.888] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="23") returned 2 [0131.888] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="C9") returned 2 [0131.888] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="95") returned 2 [0131.888] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="D8") returned 2 [0131.889] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="7C") returned 2 [0131.889] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="36") returned 2 [0131.889] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="D7") returned 2 [0131.889] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="25") returned 2 [0131.889] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="3C") returned 2 [0131.889] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="BF") returned 2 [0131.889] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="A9") returned 2 [0131.889] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="B5") returned 2 [0131.889] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="C7") returned 2 [0131.889] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="7E") returned 2 [0131.901] lstrcpyW (in: lpString1=0x3b480d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl" [0131.901] lstrcpyW (in: lpString1=0x3b380d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl" [0131.902] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl", lpString2=".12D870A4784A46405BE0DDD68128D9FD8A0923C995D87C36D7253CBFA9B5C77E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl.12D870A4784A46405BE0DDD68128D9FD8A0923C995D87C36D7253CBFA9B5C77E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl.12D870A4784A46405BE0DDD68128D9FD8A0923C995D87C36D7253CBFA9B5C77E" [0131.902] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x3b380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0131.902] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b380a0, lpOverlapped=0x3b380a0) returned 1 [0131.904] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28eee820, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28eee820, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf73e9a4c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x504, dwReserved0=0x4ddd20, dwReserved1=0x2ce4eda2, cFileName="04_Music_played_in_the_last_month.wpl", cAlternateFileName="04_MUS~1.WPL")) returned 1 [0131.904] lstrcmpiW (lpString1="04_Music_played_in_the_last_month.wpl", lpString2="Windows") returned -1 [0131.904] lstrcmpiW (lpString1="04_Music_played_in_the_last_month.wpl", lpString2="Program Files") returned -1 [0131.904] lstrcmpiW (lpString1="04_Music_played_in_the_last_month.wpl", lpString2="Program Files (x86)") returned -1 [0131.904] lstrcmpiW (lpString1="04_Music_played_in_the_last_month.wpl", lpString2="$Recycle.bin") returned 1 [0131.905] lstrcmpiW (lpString1="04_Music_played_in_the_last_month.wpl", lpString2="System Volume Information") returned -1 [0131.905] lstrcmpiW (lpString1="04_Music_played_in_the_last_month.wpl", lpString2=".") returned 1 [0131.905] lstrcmpiW (lpString1="04_Music_played_in_the_last_month.wpl", lpString2="..") returned 1 [0131.905] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl") returned 138 [0131.905] lstrcmpW (lpString1="04_Music_played_in_the_last_month.wpl", lpString2="PUSSY.TXT") returned -1 [0131.905] PathFindExtensionW (pszPath="04_Music_played_in_the_last_month.wpl") returned=".wpl" [0131.905] lstrlenW (lpString=".wpl") returned 4 [0131.905] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0131.905] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\04_music_played_in_the_last_month.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x174 [0131.907] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=1284) returned 1 [0131.907] GetProcessHeap () returned 0x4c0000 [0131.907] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc80e0 [0131.921] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="B5") returned 2 [0131.921] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="55") returned 2 [0131.921] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="3D") returned 2 [0131.921] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="2D") returned 2 [0131.921] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="C3") returned 2 [0131.921] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="79") returned 2 [0131.921] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="37") returned 2 [0131.921] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="6B") returned 2 [0131.921] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="2D") returned 2 [0131.921] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="EC") returned 2 [0131.921] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="23") returned 2 [0131.921] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="27") returned 2 [0131.921] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="69") returned 2 [0131.921] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="16") returned 2 [0131.922] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="5C") returned 2 [0131.922] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="04") returned 2 [0131.922] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="E6") returned 2 [0131.922] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="0F") returned 2 [0131.922] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="A5") returned 2 [0131.922] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="8D") returned 2 [0131.922] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="ED") returned 2 [0131.922] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="13") returned 2 [0131.922] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="D0") returned 2 [0131.922] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="56") returned 2 [0131.922] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="2D") returned 2 [0131.922] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="86") returned 2 [0131.922] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="0F") returned 2 [0131.922] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="6D") returned 2 [0131.922] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="EE") returned 2 [0131.922] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="AE") returned 2 [0131.922] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="AA") returned 2 [0131.922] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="66") returned 2 [0131.935] lstrcpyW (in: lpString1=0x3bd8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl" [0131.935] lstrcpyW (in: lpString1=0x3bc8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl" [0131.935] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl", lpString2=".B5553D2DC379376B2DEC232769165C04E60FA58DED13D0562D860F6DEEAEAA66" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl.B5553D2DC379376B2DEC232769165C04E60FA58DED13D0562D860F6DEEAEAA66") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl.B5553D2DC379376B2DEC232769165C04E60FA58DED13D0562D860F6DEEAEAA66" [0131.935] CreateIoCompletionPort (FileHandle=0x174, ExistingCompletionPort=0x94, CompletionKey=0x3bc80e0, NumberOfConcurrentThreads=0x0) returned 0x94 [0131.935] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc80e0, lpOverlapped=0x3bc80e0) returned 1 [0131.935] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28eee820, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28eee820, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf73e9a4c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x31d, dwReserved0=0x4ddd20, dwReserved1=0x2ce4eda2, cFileName="05_Pictures_taken_in_the_last_month.wpl", cAlternateFileName="05_PIC~1.WPL")) returned 1 [0131.935] lstrcmpiW (lpString1="05_Pictures_taken_in_the_last_month.wpl", lpString2="Windows") returned -1 [0131.935] lstrcmpiW (lpString1="05_Pictures_taken_in_the_last_month.wpl", lpString2="Program Files") returned -1 [0131.935] lstrcmpiW (lpString1="05_Pictures_taken_in_the_last_month.wpl", lpString2="Program Files (x86)") returned -1 [0131.935] lstrcmpiW (lpString1="05_Pictures_taken_in_the_last_month.wpl", lpString2="$Recycle.bin") returned 1 [0131.935] lstrcmpiW (lpString1="05_Pictures_taken_in_the_last_month.wpl", lpString2="System Volume Information") returned -1 [0131.935] lstrcmpiW (lpString1="05_Pictures_taken_in_the_last_month.wpl", lpString2=".") returned 1 [0131.936] lstrcmpiW (lpString1="05_Pictures_taken_in_the_last_month.wpl", lpString2="..") returned 1 [0131.936] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl") returned 140 [0131.936] lstrcmpW (lpString1="05_Pictures_taken_in_the_last_month.wpl", lpString2="PUSSY.TXT") returned -1 [0131.936] PathFindExtensionW (pszPath="05_Pictures_taken_in_the_last_month.wpl") returned=".wpl" [0131.936] lstrlenW (lpString=".wpl") returned 4 [0131.936] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0131.936] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\05_pictures_taken_in_the_last_month.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0131.937] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=797) returned 1 [0131.937] GetProcessHeap () returned 0x4c0000 [0131.937] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x564b40 [0131.967] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="8E") returned 2 [0131.968] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="25") returned 2 [0131.968] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="CC") returned 2 [0131.968] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="75") returned 2 [0131.968] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="8D") returned 2 [0131.968] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="0B") returned 2 [0131.968] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="D2") returned 2 [0131.968] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="45") returned 2 [0131.968] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="25") returned 2 [0131.968] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="8C") returned 2 [0131.968] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="63") returned 2 [0131.968] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="31") returned 2 [0131.968] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="58") returned 2 [0131.968] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="A6") returned 2 [0131.968] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="7B") returned 2 [0131.968] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="71") returned 2 [0131.968] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="02") returned 2 [0131.968] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="00") returned 2 [0131.968] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="30") returned 2 [0131.968] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="8A") returned 2 [0131.968] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="89") returned 2 [0131.968] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="59") returned 2 [0131.968] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="67") returned 2 [0131.968] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="DB") returned 2 [0131.968] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="DA") returned 2 [0131.968] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="80") returned 2 [0131.968] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="23") returned 2 [0131.968] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="39") returned 2 [0131.968] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="B0") returned 2 [0131.969] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="3A") returned 2 [0131.969] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="FB") returned 2 [0131.969] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="44") returned 2 [0131.984] lstrcpyW (in: lpString1=0x574b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl" [0131.984] lstrcpyW (in: lpString1=0x564b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl" [0131.985] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl", lpString2=".8E25CC758D0BD245258C633158A67B710200308A895967DBDA802339B03AFB44" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl.8E25CC758D0BD245258C633158A67B710200308A895967DBDA802339B03AFB44") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl.8E25CC758D0BD245258C633158A67B710200308A895967DBDA802339B03AFB44" [0131.985] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x564b40, NumberOfConcurrentThreads=0x0) returned 0x94 [0131.985] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x564b40, lpOverlapped=0x564b40) returned 1 [0131.996] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28eee820, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28eee820, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf73e9a4c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x311, dwReserved0=0x4ddd20, dwReserved1=0x2ce4eda2, cFileName="06_Pictures_rated_4_or_5_stars.wpl", cAlternateFileName="06_PIC~1.WPL")) returned 1 [0131.997] lstrcmpiW (lpString1="06_Pictures_rated_4_or_5_stars.wpl", lpString2="Windows") returned -1 [0131.997] lstrcmpiW (lpString1="06_Pictures_rated_4_or_5_stars.wpl", lpString2="Program Files") returned -1 [0131.997] lstrcmpiW (lpString1="06_Pictures_rated_4_or_5_stars.wpl", lpString2="Program Files (x86)") returned -1 [0131.997] lstrcmpiW (lpString1="06_Pictures_rated_4_or_5_stars.wpl", lpString2="$Recycle.bin") returned 1 [0131.997] lstrcmpiW (lpString1="06_Pictures_rated_4_or_5_stars.wpl", lpString2="System Volume Information") returned -1 [0131.997] lstrcmpiW (lpString1="06_Pictures_rated_4_or_5_stars.wpl", lpString2=".") returned 1 [0131.997] lstrcmpiW (lpString1="06_Pictures_rated_4_or_5_stars.wpl", lpString2="..") returned 1 [0131.997] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl") returned 135 [0131.997] lstrcmpW (lpString1="06_Pictures_rated_4_or_5_stars.wpl", lpString2="PUSSY.TXT") returned -1 [0131.997] PathFindExtensionW (pszPath="06_Pictures_rated_4_or_5_stars.wpl") returned=".wpl" [0131.997] lstrlenW (lpString=".wpl") returned 4 [0131.997] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0131.997] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\06_pictures_rated_4_or_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x174 [0132.009] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=785) returned 1 [0132.009] GetProcessHeap () returned 0x4c0000 [0132.009] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc80e0 [0132.024] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="75") returned 2 [0132.024] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="FC") returned 2 [0132.024] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="85") returned 2 [0132.024] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="0C") returned 2 [0132.024] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="00") returned 2 [0132.024] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="BC") returned 2 [0132.024] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="A6") returned 2 [0132.024] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="31") returned 2 [0132.024] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="F0") returned 2 [0132.024] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="AB") returned 2 [0132.024] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="31") returned 2 [0132.024] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="50") returned 2 [0132.025] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="6A") returned 2 [0132.025] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="96") returned 2 [0132.025] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="70") returned 2 [0132.025] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="E9") returned 2 [0132.025] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="3D") returned 2 [0132.025] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="CA") returned 2 [0132.025] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="B6") returned 2 [0132.025] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="7A") returned 2 [0132.025] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="5C") returned 2 [0132.025] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="C0") returned 2 [0132.025] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="2F") returned 2 [0132.025] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="BB") returned 2 [0132.025] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="E4") returned 2 [0132.025] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="7B") returned 2 [0132.025] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="F2") returned 2 [0132.025] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="16") returned 2 [0132.025] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="25") returned 2 [0132.025] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="2A") returned 2 [0132.025] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="72") returned 2 [0132.025] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="38") returned 2 [0132.048] lstrcpyW (in: lpString1=0x3bd8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl" [0132.048] lstrcpyW (in: lpString1=0x3bc8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl" [0132.048] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl", lpString2=".75FC850C00BCA631F0AB31506A9670E93DCAB67A5CC02FBBE47BF216252A7238" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl.75FC850C00BCA631F0AB31506A9670E93DCAB67A5CC02FBBE47BF216252A7238") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl.75FC850C00BCA631F0AB31506A9670E93DCAB67A5CC02FBBE47BF216252A7238" [0132.048] CreateIoCompletionPort (FileHandle=0x174, ExistingCompletionPort=0x94, CompletionKey=0x3bc80e0, NumberOfConcurrentThreads=0x0) returned 0x94 [0132.049] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc80e0, lpOverlapped=0x3bc80e0) returned 1 [0132.049] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28eee820, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28eee820, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf73e9a4c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x410, dwReserved0=0x4ddd20, dwReserved1=0x2ce4eda2, cFileName="07_TV_recorded_in_the_last_week.wpl", cAlternateFileName="07_TV_~1.WPL")) returned 1 [0132.049] lstrcmpiW (lpString1="07_TV_recorded_in_the_last_week.wpl", lpString2="Windows") returned -1 [0132.049] lstrcmpiW (lpString1="07_TV_recorded_in_the_last_week.wpl", lpString2="Program Files") returned -1 [0132.049] lstrcmpiW (lpString1="07_TV_recorded_in_the_last_week.wpl", lpString2="Program Files (x86)") returned -1 [0132.049] lstrcmpiW (lpString1="07_TV_recorded_in_the_last_week.wpl", lpString2="$Recycle.bin") returned 1 [0132.049] lstrcmpiW (lpString1="07_TV_recorded_in_the_last_week.wpl", lpString2="System Volume Information") returned -1 [0132.049] lstrcmpiW (lpString1="07_TV_recorded_in_the_last_week.wpl", lpString2=".") returned 1 [0132.049] lstrcmpiW (lpString1="07_TV_recorded_in_the_last_week.wpl", lpString2="..") returned 1 [0132.049] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl") returned 136 [0132.049] lstrcmpW (lpString1="07_TV_recorded_in_the_last_week.wpl", lpString2="PUSSY.TXT") returned -1 [0132.049] PathFindExtensionW (pszPath="07_TV_recorded_in_the_last_week.wpl") returned=".wpl" [0132.049] lstrlenW (lpString=".wpl") returned 4 [0132.049] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0132.049] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\07_tv_recorded_in_the_last_week.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0132.050] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=1040) returned 1 [0132.051] GetProcessHeap () returned 0x4c0000 [0132.051] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0132.070] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="37") returned 2 [0132.070] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="8D") returned 2 [0132.070] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="47") returned 2 [0132.070] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="6B") returned 2 [0132.070] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="83") returned 2 [0132.070] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="7D") returned 2 [0132.070] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="7B") returned 2 [0132.070] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="17") returned 2 [0132.070] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="B6") returned 2 [0132.070] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="B3") returned 2 [0132.070] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="CF") returned 2 [0132.070] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="1F") returned 2 [0132.070] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="9D") returned 2 [0132.070] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="0A") returned 2 [0132.070] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="3A") returned 2 [0132.070] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="2E") returned 2 [0132.070] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="E7") returned 2 [0132.070] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="1F") returned 2 [0132.070] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="D6") returned 2 [0132.070] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="30") returned 2 [0132.070] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="64") returned 2 [0132.070] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="82") returned 2 [0132.070] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="CC") returned 2 [0132.071] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="D8") returned 2 [0132.071] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="71") returned 2 [0132.071] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="B8") returned 2 [0132.071] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="B3") returned 2 [0132.071] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="F7") returned 2 [0132.071] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="0F") returned 2 [0132.071] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="D0") returned 2 [0132.071] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="92") returned 2 [0132.071] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="6A") returned 2 [0132.087] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl" [0132.087] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl" [0132.087] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl", lpString2=".378D476B837D7B17B6B3CF1F9D0A3A2EE71FD6306482CCD871B8B3F70FD0926A" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl.378D476B837D7B17B6B3CF1F9D0A3A2EE71FD6306482CCD871B8B3F70FD0926A") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl.378D476B837D7B17B6B3CF1F9D0A3A2EE71FD6306482CCD871B8B3F70FD0926A" [0132.087] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0132.087] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0132.087] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28eee820, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28eee820, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf740fbac, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x3fc, dwReserved0=0x4ddd20, dwReserved1=0x2ce4eda2, cFileName="08_Video_rated_at_4_or_5_stars.wpl", cAlternateFileName="08_VID~1.WPL")) returned 1 [0132.087] lstrcmpiW (lpString1="08_Video_rated_at_4_or_5_stars.wpl", lpString2="Windows") returned -1 [0132.087] lstrcmpiW (lpString1="08_Video_rated_at_4_or_5_stars.wpl", lpString2="Program Files") returned -1 [0132.087] lstrcmpiW (lpString1="08_Video_rated_at_4_or_5_stars.wpl", lpString2="Program Files (x86)") returned -1 [0132.088] lstrcmpiW (lpString1="08_Video_rated_at_4_or_5_stars.wpl", lpString2="$Recycle.bin") returned 1 [0132.088] lstrcmpiW (lpString1="08_Video_rated_at_4_or_5_stars.wpl", lpString2="System Volume Information") returned -1 [0132.088] lstrcmpiW (lpString1="08_Video_rated_at_4_or_5_stars.wpl", lpString2=".") returned 1 [0132.088] lstrcmpiW (lpString1="08_Video_rated_at_4_or_5_stars.wpl", lpString2="..") returned 1 [0132.088] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl") returned 135 [0132.088] lstrcmpW (lpString1="08_Video_rated_at_4_or_5_stars.wpl", lpString2="PUSSY.TXT") returned -1 [0132.088] PathFindExtensionW (pszPath="08_Video_rated_at_4_or_5_stars.wpl") returned=".wpl" [0132.088] lstrlenW (lpString=".wpl") returned 4 [0132.088] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0132.088] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\08_video_rated_at_4_or_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0132.089] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=1020) returned 1 [0132.089] GetProcessHeap () returned 0x4c0000 [0132.089] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c28098 [0132.106] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="FF") returned 2 [0132.106] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="5D") returned 2 [0132.106] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="8C") returned 2 [0132.106] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="0C") returned 2 [0132.106] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="94") returned 2 [0132.106] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="9E") returned 2 [0132.106] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="51") returned 2 [0132.106] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="A2") returned 2 [0132.106] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="F8") returned 2 [0132.106] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="F9") returned 2 [0132.106] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="8A") returned 2 [0132.106] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="56") returned 2 [0132.106] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="C7") returned 2 [0132.107] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="93") returned 2 [0132.107] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="1B") returned 2 [0132.107] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="7A") returned 2 [0132.107] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="93") returned 2 [0132.107] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="EB") returned 2 [0132.107] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="78") returned 2 [0132.107] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="2D") returned 2 [0132.107] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="BA") returned 2 [0132.107] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="0F") returned 2 [0132.107] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="4F") returned 2 [0132.107] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="99") returned 2 [0132.107] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="D3") returned 2 [0132.107] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="9A") returned 2 [0132.107] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="6B") returned 2 [0132.107] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="13") returned 2 [0132.107] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="A5") returned 2 [0132.107] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="E6") returned 2 [0132.107] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="48") returned 2 [0132.107] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="2C") returned 2 [0132.145] lstrcpyW (in: lpString1=0x3c380cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl" [0132.145] lstrcpyW (in: lpString1=0x3c280cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl" [0132.145] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl", lpString2=".FF5D8C0C949E51A2F8F98A56C7931B7A93EB782DBA0F4F99D39A6B13A5E6482C" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl.FF5D8C0C949E51A2F8F98A56C7931B7A93EB782DBA0F4F99D39A6B13A5E6482C") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl.FF5D8C0C949E51A2F8F98A56C7931B7A93EB782DBA0F4F99D39A6B13A5E6482C" [0132.145] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x3c28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0132.145] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c28098, lpOverlapped=0x3c28098) returned 1 [0132.156] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28eee820, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28eee820, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf740fbac, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x401, dwReserved0=0x4ddd20, dwReserved1=0x2ce4eda2, cFileName="09_Music_played_the_most.wpl", cAlternateFileName="09_MUS~1.WPL")) returned 1 [0132.156] lstrcmpiW (lpString1="09_Music_played_the_most.wpl", lpString2="Windows") returned -1 [0132.156] lstrcmpiW (lpString1="09_Music_played_the_most.wpl", lpString2="Program Files") returned -1 [0132.156] lstrcmpiW (lpString1="09_Music_played_the_most.wpl", lpString2="Program Files (x86)") returned -1 [0132.156] lstrcmpiW (lpString1="09_Music_played_the_most.wpl", lpString2="$Recycle.bin") returned 1 [0132.156] lstrcmpiW (lpString1="09_Music_played_the_most.wpl", lpString2="System Volume Information") returned -1 [0132.156] lstrcmpiW (lpString1="09_Music_played_the_most.wpl", lpString2=".") returned 1 [0132.156] lstrcmpiW (lpString1="09_Music_played_the_most.wpl", lpString2="..") returned 1 [0132.156] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl") returned 129 [0132.156] lstrcmpW (lpString1="09_Music_played_the_most.wpl", lpString2="PUSSY.TXT") returned -1 [0132.156] PathFindExtensionW (pszPath="09_Music_played_the_most.wpl") returned=".wpl" [0132.156] lstrlenW (lpString=".wpl") returned 4 [0132.156] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0132.156] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\09_music_played_the_most.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0132.158] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=1025) returned 1 [0132.158] GetProcessHeap () returned 0x4c0000 [0132.158] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x53caf0 [0132.177] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="4D") returned 2 [0132.177] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="8D") returned 2 [0132.177] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="CE") returned 2 [0132.177] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="5B") returned 2 [0132.177] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="2D") returned 2 [0132.177] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="E1") returned 2 [0132.177] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="61") returned 2 [0132.177] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="3C") returned 2 [0132.177] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="0A") returned 2 [0132.177] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="87") returned 2 [0132.177] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="BE") returned 2 [0132.177] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="1C") returned 2 [0132.177] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="F0") returned 2 [0132.177] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="83") returned 2 [0132.178] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="45") returned 2 [0132.178] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="AE") returned 2 [0132.178] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="A4") returned 2 [0132.178] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="0F") returned 2 [0132.178] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="5A") returned 2 [0132.178] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="28") returned 2 [0132.178] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="A0") returned 2 [0132.178] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="C3") returned 2 [0132.178] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="E3") returned 2 [0132.178] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="7C") returned 2 [0132.178] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="74") returned 2 [0132.178] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="3B") returned 2 [0132.178] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="6D") returned 2 [0132.178] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="20") returned 2 [0132.178] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="0C") returned 2 [0132.178] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="46") returned 2 [0132.178] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="3D") returned 2 [0132.178] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="6F") returned 2 [0132.187] lstrcpyW (in: lpString1=0x54cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl" [0132.187] lstrcpyW (in: lpString1=0x53cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl" [0132.187] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl", lpString2=".4D8DCE5B2DE1613C0A87BE1CF08345AEA40F5A28A0C3E37C743B6D200C463D6F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl.4D8DCE5B2DE1613C0A87BE1CF08345AEA40F5A28A0C3E37C743B6D200C463D6F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl.4D8DCE5B2DE1613C0A87BE1CF08345AEA40F5A28A0C3E37C743B6D200C463D6F" [0132.187] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x53caf0, NumberOfConcurrentThreads=0x0) returned 0x94 [0132.187] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x53caf0, lpOverlapped=0x53caf0) returned 1 [0132.187] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28ec86c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28ec86c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf740fbac, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x427, dwReserved0=0x4ddd20, dwReserved1=0x2ce4eda2, cFileName="10_All_Music.wpl", cAlternateFileName="10_ALL~1.WPL")) returned 1 [0132.187] lstrcmpiW (lpString1="10_All_Music.wpl", lpString2="Windows") returned -1 [0132.187] lstrcmpiW (lpString1="10_All_Music.wpl", lpString2="Program Files") returned -1 [0132.187] lstrcmpiW (lpString1="10_All_Music.wpl", lpString2="Program Files (x86)") returned -1 [0132.187] lstrcmpiW (lpString1="10_All_Music.wpl", lpString2="$Recycle.bin") returned 1 [0132.187] lstrcmpiW (lpString1="10_All_Music.wpl", lpString2="System Volume Information") returned -1 [0132.187] lstrcmpiW (lpString1="10_All_Music.wpl", lpString2=".") returned 1 [0132.187] lstrcmpiW (lpString1="10_All_Music.wpl", lpString2="..") returned 1 [0132.187] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl") returned 117 [0132.187] lstrcmpW (lpString1="10_All_Music.wpl", lpString2="PUSSY.TXT") returned -1 [0132.187] PathFindExtensionW (pszPath="10_All_Music.wpl") returned=".wpl" [0132.187] lstrlenW (lpString=".wpl") returned 4 [0132.187] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0132.188] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\10_all_music.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a8 [0132.193] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=1063) returned 1 [0132.193] GetProcessHeap () returned 0x4c0000 [0132.193] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0132.203] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="57") returned 2 [0132.203] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="09") returned 2 [0132.203] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="14") returned 2 [0132.203] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="58") returned 2 [0132.203] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="4E") returned 2 [0132.203] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="D6") returned 2 [0132.203] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="71") returned 2 [0132.203] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="18") returned 2 [0132.203] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="6F") returned 2 [0132.203] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="A9") returned 2 [0132.203] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="34") returned 2 [0132.203] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="77") returned 2 [0132.203] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="CB") returned 2 [0132.203] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="3A") returned 2 [0132.203] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="F8") returned 2 [0132.203] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="DA") returned 2 [0132.203] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="F6") returned 2 [0132.203] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="D8") returned 2 [0132.203] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="46") returned 2 [0132.203] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="E1") returned 2 [0132.203] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="0F") returned 2 [0132.203] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="80") returned 2 [0132.203] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="56") returned 2 [0132.203] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="4E") returned 2 [0132.203] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="96") returned 2 [0132.204] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="11") returned 2 [0132.204] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="EE") returned 2 [0132.204] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="A7") returned 2 [0132.204] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="E3") returned 2 [0132.204] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="18") returned 2 [0132.204] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="20") returned 2 [0132.204] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="5B") returned 2 [0132.214] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl" [0132.215] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl" [0132.215] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl", lpString2=".570914584ED671186FA93477CB3AF8DAF6D846E10F80564E9611EEA7E318205B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl.570914584ED671186FA93477CB3AF8DAF6D846E10F80564E9611EEA7E318205B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl.570914584ED671186FA93477CB3AF8DAF6D846E10F80564E9611EEA7E318205B" [0132.215] CreateIoCompletionPort (FileHandle=0x1a8, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0132.215] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0132.215] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28ec86c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28ec86c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf740fbac, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x249, dwReserved0=0x4ddd20, dwReserved1=0x2ce4eda2, cFileName="11_All_Pictures.wpl", cAlternateFileName="11_ALL~1.WPL")) returned 1 [0132.215] lstrcmpiW (lpString1="11_All_Pictures.wpl", lpString2="Windows") returned -1 [0132.215] lstrcmpiW (lpString1="11_All_Pictures.wpl", lpString2="Program Files") returned -1 [0132.215] lstrcmpiW (lpString1="11_All_Pictures.wpl", lpString2="Program Files (x86)") returned -1 [0132.215] lstrcmpiW (lpString1="11_All_Pictures.wpl", lpString2="$Recycle.bin") returned 1 [0132.215] lstrcmpiW (lpString1="11_All_Pictures.wpl", lpString2="System Volume Information") returned -1 [0132.215] lstrcmpiW (lpString1="11_All_Pictures.wpl", lpString2=".") returned 1 [0132.215] lstrcmpiW (lpString1="11_All_Pictures.wpl", lpString2="..") returned 1 [0132.215] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl") returned 120 [0132.215] lstrcmpW (lpString1="11_All_Pictures.wpl", lpString2="PUSSY.TXT") returned -1 [0132.215] PathFindExtensionW (pszPath="11_All_Pictures.wpl") returned=".wpl" [0132.215] lstrlenW (lpString=".wpl") returned 4 [0132.215] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0132.215] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\11_all_pictures.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0132.218] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=585) returned 1 [0132.218] GetProcessHeap () returned 0x4c0000 [0132.218] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c28098 [0132.233] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="47") returned 2 [0132.233] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="EF") returned 2 [0132.233] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="F0") returned 2 [0132.233] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="1F") returned 2 [0132.233] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="A6") returned 2 [0132.233] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="9E") returned 2 [0132.233] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="72") returned 2 [0132.233] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="7C") returned 2 [0132.233] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="00") returned 2 [0132.233] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="DF") returned 2 [0132.233] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="C7") returned 2 [0132.233] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="0C") returned 2 [0132.233] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="86") returned 2 [0132.233] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="D9") returned 2 [0132.233] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="9F") returned 2 [0132.233] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="39") returned 2 [0132.233] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="CD") returned 2 [0132.234] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="82") returned 2 [0132.234] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="C9") returned 2 [0132.234] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="15") returned 2 [0132.234] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="BB") returned 2 [0132.234] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="C8") returned 2 [0132.234] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="91") returned 2 [0132.234] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="B8") returned 2 [0132.234] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="9E") returned 2 [0132.234] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="D2") returned 2 [0132.234] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="3D") returned 2 [0132.234] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="9C") returned 2 [0132.234] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="55") returned 2 [0132.234] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="DB") returned 2 [0132.234] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="8C") returned 2 [0132.234] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="28") returned 2 [0132.249] lstrcpyW (in: lpString1=0x3c380cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl" [0132.249] lstrcpyW (in: lpString1=0x3c280cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl" [0132.249] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl", lpString2=".47EFF01FA69E727C00DFC70C86D99F39CD82C915BBC891B89ED23D9C55DB8C28" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl.47EFF01FA69E727C00DFC70C86D99F39CD82C915BBC891B89ED23D9C55DB8C28") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl.47EFF01FA69E727C00DFC70C86D99F39CD82C915BBC891B89ED23D9C55DB8C28" [0132.249] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x3c28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0132.250] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c28098, lpOverlapped=0x3c28098) returned 1 [0132.250] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28ec86c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28ec86c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf740fbac, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x437, dwReserved0=0x4ddd20, dwReserved1=0x2ce4eda2, cFileName="12_All_Video.wpl", cAlternateFileName="12_ALL~1.WPL")) returned 1 [0132.250] lstrcmpiW (lpString1="12_All_Video.wpl", lpString2="Windows") returned -1 [0132.250] lstrcmpiW (lpString1="12_All_Video.wpl", lpString2="Program Files") returned -1 [0132.250] lstrcmpiW (lpString1="12_All_Video.wpl", lpString2="Program Files (x86)") returned -1 [0132.250] lstrcmpiW (lpString1="12_All_Video.wpl", lpString2="$Recycle.bin") returned 1 [0132.250] lstrcmpiW (lpString1="12_All_Video.wpl", lpString2="System Volume Information") returned -1 [0132.250] lstrcmpiW (lpString1="12_All_Video.wpl", lpString2=".") returned 1 [0132.250] lstrcmpiW (lpString1="12_All_Video.wpl", lpString2="..") returned 1 [0132.250] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl") returned 117 [0132.250] lstrcmpW (lpString1="12_All_Video.wpl", lpString2="PUSSY.TXT") returned -1 [0132.250] PathFindExtensionW (pszPath="12_All_Video.wpl") returned=".wpl" [0132.250] lstrlenW (lpString=".wpl") returned 4 [0132.250] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0132.251] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\12_all_video.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0132.252] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=1079) returned 1 [0132.252] GetProcessHeap () returned 0x4c0000 [0132.252] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b380a0 [0132.290] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="74") returned 2 [0132.290] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="27") returned 2 [0132.290] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="93") returned 2 [0132.290] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="DE") returned 2 [0132.290] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="8F") returned 2 [0132.290] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="67") returned 2 [0132.290] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="E2") returned 2 [0132.290] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="EE") returned 2 [0132.290] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="AD") returned 2 [0132.290] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="5B") returned 2 [0132.290] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="7E") returned 2 [0132.291] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="D0") returned 2 [0132.291] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="65") returned 2 [0132.291] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="30") returned 2 [0132.291] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="57") returned 2 [0132.291] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="ED") returned 2 [0132.291] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="C6") returned 2 [0132.291] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="98") returned 2 [0132.291] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="B3") returned 2 [0132.291] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="56") returned 2 [0132.291] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="43") returned 2 [0132.291] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="41") returned 2 [0132.291] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="50") returned 2 [0132.291] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="60") returned 2 [0132.291] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="B8") returned 2 [0132.291] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="A5") returned 2 [0132.291] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="1B") returned 2 [0132.291] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="3C") returned 2 [0132.291] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="7C") returned 2 [0132.291] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="7B") returned 2 [0132.291] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="16") returned 2 [0132.291] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="73") returned 2 [0132.299] lstrcpyW (in: lpString1=0x3b480d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl" [0132.299] lstrcpyW (in: lpString1=0x3b380d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl" [0132.299] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl", lpString2=".742793DE8F67E2EEAD5B7ED0653057EDC698B35643415060B8A51B3C7C7B1673" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl.742793DE8F67E2EEAD5B7ED0653057EDC698B35643415060B8A51B3C7C7B1673") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl.742793DE8F67E2EEAD5B7ED0653057EDC698B35643415060B8A51B3C7C7B1673" [0132.299] CreateIoCompletionPort (FileHandle=0x1d8, ExistingCompletionPort=0x94, CompletionKey=0x3b380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0132.300] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b380a0, lpOverlapped=0x3b380a0) returned 1 [0132.306] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28ec86c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28ec86c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf740fbac, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x437, dwReserved0=0x4ddd20, dwReserved1=0x2ce4eda2, cFileName="12_All_Video.wpl", cAlternateFileName="12_ALL~1.WPL")) returned 0 [0132.306] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0132.306] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\PUSSY.TXT") returned 110 [0132.306] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0132.307] lstrlenA (lpString="abcd") returned 4 [0132.307] WriteFile (in: hFile=0x194, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0132.308] CloseHandle (hObject=0x194) returned 1 [0132.308] GetProcessHeap () returned 0x4c0000 [0132.308] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0132.312] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f14980, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf740fbac, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="00010C6E", cAlternateFileName="")) returned 0 [0132.312] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0132.313] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\PUSSY.TXT") returned 101 [0132.313] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0132.314] lstrlenA (lpString="abcd") returned 4 [0132.314] WriteFile (in: hFile=0xec, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0132.315] CloseHandle (hObject=0xec) returned 1 [0132.315] GetProcessHeap () returned 0x4c0000 [0132.315] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0132.315] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2ca96f80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2ca96f80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="en-US", cAlternateFileName="")) returned 0 [0132.315] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0132.315] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\PUSSY.TXT") returned 95 [0132.315] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0132.316] lstrlenA (lpString="abcd") returned 4 [0132.316] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0132.317] CloseHandle (hObject=0x17c) returned 1 [0132.317] GetProcessHeap () returned 0x4c0000 [0132.318] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0132.319] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf7f22040, ftCreationTime.dwHighDateTime=0x1d3373f, ftLastAccessTime.dwLowDateTime=0xf7f22040, ftLastAccessTime.dwHighDateTime=0x1d3373f, ftLastWriteTime.dwLowDateTime=0xf7f22040, ftLastWriteTime.dwHighDateTime=0x1d3373f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="Transcoded Files Cache", cAlternateFileName="TRANSC~1")) returned 1 [0132.319] lstrcmpiW (lpString1="Transcoded Files Cache", lpString2="Windows") returned -1 [0132.319] lstrcmpiW (lpString1="Transcoded Files Cache", lpString2="Program Files") returned 1 [0132.319] lstrcmpiW (lpString1="Transcoded Files Cache", lpString2="Program Files (x86)") returned 1 [0132.319] lstrcmpiW (lpString1="Transcoded Files Cache", lpString2="$Recycle.bin") returned 1 [0132.319] lstrcmpiW (lpString1="Transcoded Files Cache", lpString2="System Volume Information") returned 1 [0132.319] lstrcmpiW (lpString1="Transcoded Files Cache", lpString2=".") returned 1 [0132.319] lstrcmpiW (lpString1="Transcoded Files Cache", lpString2="..") returned 1 [0132.319] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Transcoded Files Cache") returned 93 [0132.319] GetProcessHeap () returned 0x4c0000 [0132.319] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0132.320] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Transcoded Files Cache" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Transcoded Files Cache") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Transcoded Files Cache" [0132.320] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Transcoded Files Cache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Transcoded Files Cache\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Transcoded Files Cache\\*" [0132.320] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Transcoded Files Cache\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf7f22040, ftCreationTime.dwHighDateTime=0x1d3373f, ftLastAccessTime.dwLowDateTime=0xf7f22040, ftLastAccessTime.dwHighDateTime=0x1d3373f, ftLastWriteTime.dwLowDateTime=0xf7f22040, ftLastWriteTime.dwHighDateTime=0x1d3373f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0132.321] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0132.321] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0132.321] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0132.321] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0132.322] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0132.322] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0132.322] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf7f22040, ftCreationTime.dwHighDateTime=0x1d3373f, ftLastAccessTime.dwLowDateTime=0xf7f22040, ftLastAccessTime.dwHighDateTime=0x1d3373f, ftLastWriteTime.dwLowDateTime=0xf7f22040, ftLastWriteTime.dwHighDateTime=0x1d3373f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0132.322] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0132.322] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0132.322] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0132.322] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0132.322] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0132.322] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0132.322] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0132.322] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf7f22040, ftCreationTime.dwHighDateTime=0x1d3373f, ftLastAccessTime.dwLowDateTime=0xf7f22040, ftLastAccessTime.dwHighDateTime=0x1d3373f, ftLastWriteTime.dwLowDateTime=0xf7f22040, ftLastWriteTime.dwHighDateTime=0x1d3373f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 0 [0132.322] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0132.322] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Transcoded Files Cache\\PUSSY.TXT") returned 103 [0132.322] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Transcoded Files Cache\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\transcoded files cache\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0132.323] lstrlenA (lpString="abcd") returned 4 [0132.323] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0132.324] CloseHandle (hObject=0x17c) returned 1 [0132.324] GetProcessHeap () returned 0x4c0000 [0132.324] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0132.324] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf7f22040, ftCreationTime.dwHighDateTime=0x1d3373f, ftLastAccessTime.dwLowDateTime=0xf7f22040, ftLastAccessTime.dwHighDateTime=0x1d3373f, ftLastWriteTime.dwLowDateTime=0xf7f22040, ftLastWriteTime.dwHighDateTime=0x1d3373f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="Transcoded Files Cache", cAlternateFileName="TRANSC~1")) returned 0 [0132.324] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0132.324] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\PUSSY.TXT") returned 80 [0132.324] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0132.325] lstrlenA (lpString="abcd") returned 4 [0132.325] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0132.326] CloseHandle (hObject=0x1d0) returned 1 [0132.326] GetProcessHeap () returned 0x4c0000 [0132.326] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0132.326] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f780d90, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0x4bb72310, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x4bb72310, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Office", cAlternateFileName="")) returned 1 [0132.326] lstrcmpiW (lpString1="Office", lpString2="Windows") returned -1 [0132.326] lstrcmpiW (lpString1="Office", lpString2="Program Files") returned -1 [0132.326] lstrcmpiW (lpString1="Office", lpString2="Program Files (x86)") returned -1 [0132.326] lstrcmpiW (lpString1="Office", lpString2="$Recycle.bin") returned 1 [0132.326] lstrcmpiW (lpString1="Office", lpString2="System Volume Information") returned -1 [0132.326] lstrcmpiW (lpString1="Office", lpString2=".") returned 1 [0132.326] lstrcmpiW (lpString1="Office", lpString2="..") returned 1 [0132.326] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office") returned 64 [0132.326] GetProcessHeap () returned 0x4c0000 [0132.326] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0132.326] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office" [0132.326] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\*" [0132.326] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f780d90, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0x4bb72310, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x4bb72310, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0132.327] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0132.327] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0132.327] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0132.327] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0132.327] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0132.327] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0132.327] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f780d90, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0x4bb72310, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x4bb72310, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0132.327] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0132.327] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0132.327] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0132.327] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0132.328] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0132.328] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0132.328] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0132.328] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x197ec0b0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xf7a855a0, ftLastAccessTime.dwHighDateTime=0x1d3373f, ftLastWriteTime.dwLowDateTime=0xf7a855a0, ftLastWriteTime.dwHighDateTime=0x1d3373f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="14.0", cAlternateFileName="")) returned 1 [0132.328] lstrcmpiW (lpString1="14.0", lpString2="Windows") returned -1 [0132.328] lstrcmpiW (lpString1="14.0", lpString2="Program Files") returned -1 [0132.328] lstrcmpiW (lpString1="14.0", lpString2="Program Files (x86)") returned -1 [0132.328] lstrcmpiW (lpString1="14.0", lpString2="$Recycle.bin") returned 1 [0132.328] lstrcmpiW (lpString1="14.0", lpString2="System Volume Information") returned -1 [0132.328] lstrcmpiW (lpString1="14.0", lpString2=".") returned 1 [0132.328] lstrcmpiW (lpString1="14.0", lpString2="..") returned 1 [0132.328] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0") returned 69 [0132.328] GetProcessHeap () returned 0x4c0000 [0132.328] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0132.328] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0" [0132.328] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\*" [0132.328] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x197ec0b0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xf7a855a0, ftLastAccessTime.dwHighDateTime=0x1d3373f, ftLastWriteTime.dwLowDateTime=0xf7a855a0, ftLastWriteTime.dwHighDateTime=0x1d3373f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0132.329] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0132.329] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0132.329] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0132.329] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0132.329] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0132.329] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0132.329] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x197ec0b0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xf7a855a0, ftLastAccessTime.dwHighDateTime=0x1d3373f, ftLastWriteTime.dwLowDateTime=0xf7a855a0, ftLastWriteTime.dwHighDateTime=0x1d3373f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0132.329] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0132.329] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0132.329] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0132.329] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0132.330] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0132.330] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0132.330] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0132.330] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf7a855a0, ftCreationTime.dwHighDateTime=0x1d3373f, ftLastAccessTime.dwLowDateTime=0xf7ad1860, ftLastAccessTime.dwHighDateTime=0x1d3373f, ftLastWriteTime.dwLowDateTime=0xf7ad1860, ftLastWriteTime.dwHighDateTime=0x1d3373f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName="OfficeFileCache", cAlternateFileName="OFFICE~1")) returned 1 [0132.330] lstrcmpiW (lpString1="OfficeFileCache", lpString2="Windows") returned -1 [0132.330] lstrcmpiW (lpString1="OfficeFileCache", lpString2="Program Files") returned -1 [0132.330] lstrcmpiW (lpString1="OfficeFileCache", lpString2="Program Files (x86)") returned -1 [0132.330] lstrcmpiW (lpString1="OfficeFileCache", lpString2="$Recycle.bin") returned 1 [0132.330] lstrcmpiW (lpString1="OfficeFileCache", lpString2="System Volume Information") returned -1 [0132.330] lstrcmpiW (lpString1="OfficeFileCache", lpString2=".") returned 1 [0132.330] lstrcmpiW (lpString1="OfficeFileCache", lpString2="..") returned 1 [0132.330] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache") returned 85 [0132.330] GetProcessHeap () returned 0x4c0000 [0132.330] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x502a88 [0132.331] lstrcpyW (in: lpString1=0x502a88, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache" [0132.331] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\*" [0132.331] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf7a855a0, ftCreationTime.dwHighDateTime=0x1d3373f, ftLastAccessTime.dwLowDateTime=0xf7ad1860, ftLastAccessTime.dwHighDateTime=0x1d3373f, ftLastWriteTime.dwLowDateTime=0xf7ad1860, ftLastWriteTime.dwHighDateTime=0x1d3373f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0132.332] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0132.332] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0132.332] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0132.333] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0132.333] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0132.333] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0132.333] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf7a855a0, ftCreationTime.dwHighDateTime=0x1d3373f, ftLastAccessTime.dwLowDateTime=0xf7ad1860, ftLastAccessTime.dwHighDateTime=0x1d3373f, ftLastWriteTime.dwLowDateTime=0xf7ad1860, ftLastWriteTime.dwHighDateTime=0x1d3373f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0132.333] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0132.333] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0132.333] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0132.333] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0132.333] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0132.333] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0132.333] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0132.333] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf7aab700, ftCreationTime.dwHighDateTime=0x1d3373f, ftLastAccessTime.dwLowDateTime=0xf7aab700, ftLastAccessTime.dwHighDateTime=0x1d3373f, ftLastWriteTime.dwLowDateTime=0xf7ad1860, ftLastWriteTime.dwHighDateTime=0x1d3373f, nFileSizeHigh=0x0, nFileSizeLow=0x20000, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="FSD-CNRY.FSD", cAlternateFileName="")) returned 1 [0132.333] lstrcmpiW (lpString1="FSD-CNRY.FSD", lpString2="Windows") returned -1 [0132.333] lstrcmpiW (lpString1="FSD-CNRY.FSD", lpString2="Program Files") returned -1 [0132.333] lstrcmpiW (lpString1="FSD-CNRY.FSD", lpString2="Program Files (x86)") returned -1 [0132.333] lstrcmpiW (lpString1="FSD-CNRY.FSD", lpString2="$Recycle.bin") returned 1 [0132.333] lstrcmpiW (lpString1="FSD-CNRY.FSD", lpString2="System Volume Information") returned -1 [0132.333] lstrcmpiW (lpString1="FSD-CNRY.FSD", lpString2=".") returned 1 [0132.334] lstrcmpiW (lpString1="FSD-CNRY.FSD", lpString2="..") returned 1 [0132.334] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-CNRY.FSD") returned 98 [0132.334] lstrcmpW (lpString1="FSD-CNRY.FSD", lpString2="PUSSY.TXT") returned -1 [0132.334] PathFindExtensionW (pszPath="FSD-CNRY.FSD") returned=".FSD" [0132.334] lstrlenW (lpString=".FSD") returned 4 [0132.334] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0132.334] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-CNRY.FSD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\14.0\\officefilecache\\fsd-cnry.fsd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0132.335] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=131072) returned 1 [0132.335] GetProcessHeap () returned 0x4c0000 [0132.335] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc80e0 [0132.345] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="B7") returned 2 [0132.345] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="E9") returned 2 [0132.345] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="7B") returned 2 [0132.345] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="4C") returned 2 [0132.345] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="D4") returned 2 [0132.345] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="F3") returned 2 [0132.345] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="D6") returned 2 [0132.345] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="9C") returned 2 [0132.345] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="A6") returned 2 [0132.345] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="22") returned 2 [0132.345] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="61") returned 2 [0132.345] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="8C") returned 2 [0132.345] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="D3") returned 2 [0132.346] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="E8") returned 2 [0132.346] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="62") returned 2 [0132.346] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="89") returned 2 [0132.346] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="E2") returned 2 [0132.346] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="C9") returned 2 [0132.346] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="B8") returned 2 [0132.346] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="0E") returned 2 [0132.346] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="6F") returned 2 [0132.346] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="9F") returned 2 [0132.346] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="28") returned 2 [0132.346] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="13") returned 2 [0132.346] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="1F") returned 2 [0132.346] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="8B") returned 2 [0132.346] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="2E") returned 2 [0132.346] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="EC") returned 2 [0132.346] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="10") returned 2 [0132.346] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="CA") returned 2 [0132.346] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="E1") returned 2 [0132.346] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="09") returned 2 [0132.354] lstrcpyW (in: lpString1=0x3bd8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-CNRY.FSD" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-CNRY.FSD") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-CNRY.FSD" [0132.354] lstrcpyW (in: lpString1=0x3bc8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-CNRY.FSD" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-CNRY.FSD") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-CNRY.FSD" [0132.354] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-CNRY.FSD", lpString2=".B7E97B4CD4F3D69CA622618CD3E86289E2C9B80E6F9F28131F8B2EEC10CAE109" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-CNRY.FSD.B7E97B4CD4F3D69CA622618CD3E86289E2C9B80E6F9F28131F8B2EEC10CAE109") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-CNRY.FSD.B7E97B4CD4F3D69CA622618CD3E86289E2C9B80E6F9F28131F8B2EEC10CAE109" [0132.354] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0x94, CompletionKey=0x3bc80e0, NumberOfConcurrentThreads=0x0) returned 0x94 [0132.354] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc80e0, lpOverlapped=0x3bc80e0) returned 1 [0132.355] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf7ad1860, ftCreationTime.dwHighDateTime=0x1d3373f, ftLastAccessTime.dwLowDateTime=0xf7ad1860, ftLastAccessTime.dwHighDateTime=0x1d3373f, ftLastWriteTime.dwLowDateTime=0xf7af79c0, ftLastWriteTime.dwHighDateTime=0x1d3373f, nFileSizeHigh=0x0, nFileSizeLow=0x20000, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD", cAlternateFileName="FSD-{4~1.FSD")) returned 1 [0132.355] lstrcmpiW (lpString1="FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD", lpString2="Windows") returned -1 [0132.355] lstrcmpiW (lpString1="FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD", lpString2="Program Files") returned -1 [0132.355] lstrcmpiW (lpString1="FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD", lpString2="Program Files (x86)") returned -1 [0132.355] lstrcmpiW (lpString1="FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD", lpString2="$Recycle.bin") returned 1 [0132.355] lstrcmpiW (lpString1="FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD", lpString2="System Volume Information") returned -1 [0132.355] lstrcmpiW (lpString1="FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD", lpString2=".") returned 1 [0132.355] lstrcmpiW (lpString1="FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD", lpString2="..") returned 1 [0132.355] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD") returned 132 [0132.355] lstrcmpW (lpString1="FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD", lpString2="PUSSY.TXT") returned -1 [0132.355] PathFindExtensionW (pszPath="FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD") returned=".FSD" [0132.355] lstrlenW (lpString=".FSD") returned 4 [0132.355] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0132.355] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\14.0\\officefilecache\\fsd-{48508c83-ec67-468f-aa1f-6f3caf625658}.fsd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0132.356] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=131072) returned 1 [0132.356] GetProcessHeap () returned 0x4c0000 [0132.356] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x564b40 [0132.367] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="B6") returned 2 [0132.367] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="62") returned 2 [0132.367] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="99") returned 2 [0132.367] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="84") returned 2 [0132.367] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="73") returned 2 [0132.367] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="07") returned 2 [0132.367] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="C9") returned 2 [0132.367] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="55") returned 2 [0132.367] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="0A") returned 2 [0132.367] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="4B") returned 2 [0132.367] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="45") returned 2 [0132.367] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="78") returned 2 [0132.367] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="83") returned 2 [0132.367] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="DC") returned 2 [0132.367] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="53") returned 2 [0132.367] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="0D") returned 2 [0132.367] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="2B") returned 2 [0132.367] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="AB") returned 2 [0132.367] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="8E") returned 2 [0132.367] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="7B") returned 2 [0132.367] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="96") returned 2 [0132.368] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="F9") returned 2 [0132.368] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="5B") returned 2 [0132.368] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="2F") returned 2 [0132.368] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="6A") returned 2 [0132.368] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="2C") returned 2 [0132.368] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="86") returned 2 [0132.368] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="D7") returned 2 [0132.368] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="60") returned 2 [0132.368] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="BF") returned 2 [0132.368] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="1F") returned 2 [0132.368] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="4A") returned 2 [0132.376] lstrcpyW (in: lpString1=0x574b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD" [0132.376] lstrcpyW (in: lpString1=0x564b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD" [0132.376] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD", lpString2=".B66299847307C9550A4B457883DC530D2BAB8E7B96F95B2F6A2C86D760BF1F4A" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD.B66299847307C9550A4B457883DC530D2BAB8E7B96F95B2F6A2C86D760BF1F4A") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD.B66299847307C9550A4B457883DC530D2BAB8E7B96F95B2F6A2C86D760BF1F4A" [0132.376] CreateIoCompletionPort (FileHandle=0x1d8, ExistingCompletionPort=0x94, CompletionKey=0x564b40, NumberOfConcurrentThreads=0x0) returned 0x94 [0132.376] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x564b40, lpOverlapped=0x564b40) returned 1 [0132.376] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf7ad1860, ftCreationTime.dwHighDateTime=0x1d3373f, ftLastAccessTime.dwLowDateTime=0xf7ad1860, ftLastAccessTime.dwHighDateTime=0x1d3373f, ftLastWriteTime.dwLowDateTime=0xf7af79c0, ftLastWriteTime.dwHighDateTime=0x1d3373f, nFileSizeHigh=0x0, nFileSizeLow=0x72, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="FSF-CTBL.FSF", cAlternateFileName="")) returned 1 [0132.376] lstrcmpiW (lpString1="FSF-CTBL.FSF", lpString2="Windows") returned -1 [0132.377] lstrcmpiW (lpString1="FSF-CTBL.FSF", lpString2="Program Files") returned -1 [0132.377] lstrcmpiW (lpString1="FSF-CTBL.FSF", lpString2="Program Files (x86)") returned -1 [0132.377] lstrcmpiW (lpString1="FSF-CTBL.FSF", lpString2="$Recycle.bin") returned 1 [0132.377] lstrcmpiW (lpString1="FSF-CTBL.FSF", lpString2="System Volume Information") returned -1 [0132.377] lstrcmpiW (lpString1="FSF-CTBL.FSF", lpString2=".") returned 1 [0132.377] lstrcmpiW (lpString1="FSF-CTBL.FSF", lpString2="..") returned 1 [0132.377] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSF-CTBL.FSF") returned 98 [0132.377] lstrcmpW (lpString1="FSF-CTBL.FSF", lpString2="PUSSY.TXT") returned -1 [0132.377] PathFindExtensionW (pszPath="FSF-CTBL.FSF") returned=".FSF" [0132.377] lstrlenW (lpString=".FSF") returned 4 [0132.377] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0132.377] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSF-CTBL.FSF" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\14.0\\officefilecache\\fsf-ctbl.fsf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0132.378] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=114) returned 1 [0132.378] CloseHandle (hObject=0x184) returned 1 [0132.378] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf7ad1860, ftCreationTime.dwHighDateTime=0x1d3373f, ftLastAccessTime.dwLowDateTime=0xf7ad1860, ftLastAccessTime.dwHighDateTime=0x1d3373f, ftLastWriteTime.dwLowDateTime=0xf7af79c0, ftLastWriteTime.dwHighDateTime=0x1d3373f, nFileSizeHigh=0x0, nFileSizeLow=0x72, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="FSF-CTBL.FSF", cAlternateFileName="")) returned 0 [0132.378] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0132.378] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\PUSSY.TXT") returned 95 [0132.378] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\14.0\\officefilecache\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0132.467] lstrlenA (lpString="abcd") returned 4 [0132.467] WriteFile (in: hFile=0x1d8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0132.468] CloseHandle (hObject=0x1d8) returned 1 [0132.468] GetProcessHeap () returned 0x4c0000 [0132.469] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0132.469] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf7a855a0, ftCreationTime.dwHighDateTime=0x1d3373f, ftLastAccessTime.dwLowDateTime=0xf7ad1860, ftLastAccessTime.dwHighDateTime=0x1d3373f, ftLastWriteTime.dwLowDateTime=0xf7ad1860, ftLastWriteTime.dwHighDateTime=0x1d3373f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName="OfficeFileCache", cAlternateFileName="OFFICE~1")) returned 0 [0132.469] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0132.469] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\PUSSY.TXT") returned 79 [0132.469] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\14.0\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0132.469] lstrlenA (lpString="abcd") returned 4 [0132.469] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0132.470] CloseHandle (hObject=0x17c) returned 1 [0132.471] GetProcessHeap () returned 0x4c0000 [0132.471] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0132.478] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f780d90, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0x4f780d90, ftLastAccessTime.dwHighDateTime=0x1d2dda2, ftLastWriteTime.dwLowDateTime=0x4f780d90, ftLastWriteTime.dwHighDateTime=0x1d2dda2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="Groove", cAlternateFileName="")) returned 1 [0132.478] lstrcmpiW (lpString1="Groove", lpString2="Windows") returned -1 [0132.478] lstrcmpiW (lpString1="Groove", lpString2="Program Files") returned -1 [0132.478] lstrcmpiW (lpString1="Groove", lpString2="Program Files (x86)") returned -1 [0132.478] lstrcmpiW (lpString1="Groove", lpString2="$Recycle.bin") returned 1 [0132.478] lstrcmpiW (lpString1="Groove", lpString2="System Volume Information") returned -1 [0132.478] lstrcmpiW (lpString1="Groove", lpString2=".") returned 1 [0132.478] lstrcmpiW (lpString1="Groove", lpString2="..") returned 1 [0132.478] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove") returned 71 [0132.479] GetProcessHeap () returned 0x4c0000 [0132.479] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0132.479] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove" [0132.480] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\*" [0132.480] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f780d90, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0x4f780d90, ftLastAccessTime.dwHighDateTime=0x1d2dda2, ftLastWriteTime.dwLowDateTime=0x4f780d90, ftLastWriteTime.dwHighDateTime=0x1d2dda2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0132.480] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0132.480] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0132.480] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0132.480] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0132.480] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0132.480] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0132.480] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f780d90, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0x4f780d90, ftLastAccessTime.dwHighDateTime=0x1d2dda2, ftLastWriteTime.dwLowDateTime=0x4f780d90, ftLastWriteTime.dwHighDateTime=0x1d2dda2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0132.480] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0132.480] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0132.480] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0132.480] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0132.480] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0132.480] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0132.481] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0132.481] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f780d90, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0x4f780d90, ftLastAccessTime.dwHighDateTime=0x1d2dda2, ftLastWriteTime.dwLowDateTime=0x4f780d90, ftLastWriteTime.dwHighDateTime=0x1d2dda2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName="System", cAlternateFileName="")) returned 1 [0132.481] lstrcmpiW (lpString1="System", lpString2="Windows") returned -1 [0132.481] lstrcmpiW (lpString1="System", lpString2="Program Files") returned 1 [0132.481] lstrcmpiW (lpString1="System", lpString2="Program Files (x86)") returned 1 [0132.481] lstrcmpiW (lpString1="System", lpString2="$Recycle.bin") returned 1 [0132.481] lstrcmpiW (lpString1="System", lpString2="System Volume Information") returned -1 [0132.481] lstrcmpiW (lpString1="System", lpString2=".") returned 1 [0132.481] lstrcmpiW (lpString1="System", lpString2="..") returned 1 [0132.481] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\System") returned 78 [0132.481] GetProcessHeap () returned 0x4c0000 [0132.481] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x502a88 [0132.482] lstrcpyW (in: lpString1=0x502a88, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\System" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\System") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\System" [0132.482] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\System", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\System\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\System\\*" [0132.482] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\System\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f780d90, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0x4f780d90, ftLastAccessTime.dwHighDateTime=0x1d2dda2, ftLastWriteTime.dwLowDateTime=0x4f780d90, ftLastWriteTime.dwHighDateTime=0x1d2dda2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0132.483] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0132.483] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0132.483] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0132.483] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0132.483] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0132.483] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0132.483] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f780d90, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0x4f780d90, ftLastAccessTime.dwHighDateTime=0x1d2dda2, ftLastWriteTime.dwLowDateTime=0x4f780d90, ftLastWriteTime.dwHighDateTime=0x1d2dda2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0132.483] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0132.483] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0132.483] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0132.483] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0132.483] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0132.483] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0132.483] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0132.484] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f780d90, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0x4f780d90, ftLastAccessTime.dwHighDateTime=0x1d2dda2, ftLastWriteTime.dwLowDateTime=0x4f780d90, ftLastWriteTime.dwHighDateTime=0x1d2dda2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0132.484] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0132.484] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\System\\PUSSY.TXT") returned 88 [0132.484] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\System\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\groove\\system\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0132.486] lstrlenA (lpString="abcd") returned 4 [0132.487] WriteFile (in: hFile=0x1d8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0132.488] CloseHandle (hObject=0x1d8) returned 1 [0132.488] GetProcessHeap () returned 0x4c0000 [0132.488] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0132.488] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f780d90, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0x4f780d90, ftLastAccessTime.dwHighDateTime=0x1d2dda2, ftLastWriteTime.dwLowDateTime=0x4f780d90, ftLastWriteTime.dwHighDateTime=0x1d2dda2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName="User", cAlternateFileName="")) returned 1 [0132.488] lstrcmpiW (lpString1="User", lpString2="Windows") returned -1 [0132.488] lstrcmpiW (lpString1="User", lpString2="Program Files") returned 1 [0132.488] lstrcmpiW (lpString1="User", lpString2="Program Files (x86)") returned 1 [0132.488] lstrcmpiW (lpString1="User", lpString2="$Recycle.bin") returned 1 [0132.488] lstrcmpiW (lpString1="User", lpString2="System Volume Information") returned 1 [0132.488] lstrcmpiW (lpString1="User", lpString2=".") returned 1 [0132.488] lstrcmpiW (lpString1="User", lpString2="..") returned 1 [0132.488] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\User") returned 76 [0132.488] GetProcessHeap () returned 0x4c0000 [0132.488] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x502a88 [0132.488] lstrcpyW (in: lpString1=0x502a88, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\User" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\User") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\User" [0132.488] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\User", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\User\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\User\\*" [0132.488] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\User\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f780d90, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0x4f780d90, ftLastAccessTime.dwHighDateTime=0x1d2dda2, ftLastWriteTime.dwLowDateTime=0x4f780d90, ftLastWriteTime.dwHighDateTime=0x1d2dda2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0132.489] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0132.489] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0132.489] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0132.489] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0132.489] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0132.489] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0132.489] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f780d90, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0x4f780d90, ftLastAccessTime.dwHighDateTime=0x1d2dda2, ftLastWriteTime.dwLowDateTime=0x4f780d90, ftLastWriteTime.dwHighDateTime=0x1d2dda2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0132.489] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0132.489] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0132.489] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0132.489] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0132.489] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0132.489] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0132.489] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0132.489] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f780d90, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0x4f780d90, ftLastAccessTime.dwHighDateTime=0x1d2dda2, ftLastWriteTime.dwLowDateTime=0x4f780d90, ftLastWriteTime.dwHighDateTime=0x1d2dda2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0132.489] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0132.489] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\User\\PUSSY.TXT") returned 86 [0132.490] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\User\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\groove\\user\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0132.490] lstrlenA (lpString="abcd") returned 4 [0132.490] WriteFile (in: hFile=0x1d8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0132.491] CloseHandle (hObject=0x1d8) returned 1 [0132.492] GetProcessHeap () returned 0x4c0000 [0132.492] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0132.492] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f780d90, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0x4f780d90, ftLastAccessTime.dwHighDateTime=0x1d2dda2, ftLastWriteTime.dwLowDateTime=0x4f780d90, ftLastWriteTime.dwHighDateTime=0x1d2dda2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName="User", cAlternateFileName="")) returned 0 [0132.492] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0132.492] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\PUSSY.TXT") returned 81 [0132.492] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\groove\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0132.492] lstrlenA (lpString="abcd") returned 4 [0132.492] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0132.494] CloseHandle (hObject=0x17c) returned 1 [0132.494] GetProcessHeap () returned 0x4c0000 [0132.494] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0132.495] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4bb72310, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x29ae1d20, ftLastAccessTime.dwHighDateTime=0x1d2e626, ftLastWriteTime.dwLowDateTime=0x29ae1d20, ftLastWriteTime.dwHighDateTime=0x1d2e626, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="ONetConfig", cAlternateFileName="ONETCO~1")) returned 1 [0132.495] lstrcmpiW (lpString1="ONetConfig", lpString2="Windows") returned -1 [0132.495] lstrcmpiW (lpString1="ONetConfig", lpString2="Program Files") returned -1 [0132.495] lstrcmpiW (lpString1="ONetConfig", lpString2="Program Files (x86)") returned -1 [0132.495] lstrcmpiW (lpString1="ONetConfig", lpString2="$Recycle.bin") returned 1 [0132.496] lstrcmpiW (lpString1="ONetConfig", lpString2="System Volume Information") returned -1 [0132.496] lstrcmpiW (lpString1="ONetConfig", lpString2=".") returned 1 [0132.496] lstrcmpiW (lpString1="ONetConfig", lpString2="..") returned 1 [0132.496] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig") returned 75 [0132.496] GetProcessHeap () returned 0x4c0000 [0132.496] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0132.497] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig" [0132.497] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\*" [0132.497] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4bb72310, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x29ae1d20, ftLastAccessTime.dwHighDateTime=0x1d2e626, ftLastWriteTime.dwLowDateTime=0x29ae1d20, ftLastWriteTime.dwHighDateTime=0x1d2e626, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0132.497] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0132.497] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0132.497] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0132.497] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0132.497] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0132.497] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0132.497] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4bb72310, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x29ae1d20, ftLastAccessTime.dwHighDateTime=0x1d2e626, ftLastWriteTime.dwLowDateTime=0x29ae1d20, ftLastWriteTime.dwHighDateTime=0x1d2e626, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0132.497] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0132.497] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0132.497] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0132.497] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0132.498] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0132.498] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0132.498] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0132.498] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4bd15230, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x29ae1d20, ftLastAccessTime.dwHighDateTime=0x1d2e626, ftLastWriteTime.dwLowDateTime=0x29ae1d20, ftLastWriteTime.dwHighDateTime=0x1d2e626, nFileSizeHigh=0x0, nFileSizeLow=0x80, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName="350db95df4cbd94b2a1c300510e12e11.sig", cAlternateFileName="350DB9~1.SIG")) returned 1 [0132.498] lstrcmpiW (lpString1="350db95df4cbd94b2a1c300510e12e11.sig", lpString2="Windows") returned -1 [0132.498] lstrcmpiW (lpString1="350db95df4cbd94b2a1c300510e12e11.sig", lpString2="Program Files") returned -1 [0132.498] lstrcmpiW (lpString1="350db95df4cbd94b2a1c300510e12e11.sig", lpString2="Program Files (x86)") returned -1 [0132.498] lstrcmpiW (lpString1="350db95df4cbd94b2a1c300510e12e11.sig", lpString2="$Recycle.bin") returned 1 [0132.498] lstrcmpiW (lpString1="350db95df4cbd94b2a1c300510e12e11.sig", lpString2="System Volume Information") returned -1 [0132.498] lstrcmpiW (lpString1="350db95df4cbd94b2a1c300510e12e11.sig", lpString2=".") returned 1 [0132.498] lstrcmpiW (lpString1="350db95df4cbd94b2a1c300510e12e11.sig", lpString2="..") returned 1 [0132.498] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\350db95df4cbd94b2a1c300510e12e11.sig") returned 112 [0132.498] lstrcmpW (lpString1="350db95df4cbd94b2a1c300510e12e11.sig", lpString2="PUSSY.TXT") returned -1 [0132.498] PathFindExtensionW (pszPath="350db95df4cbd94b2a1c300510e12e11.sig") returned=".sig" [0132.498] lstrlenW (lpString=".sig") returned 4 [0132.498] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0132.498] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\350db95df4cbd94b2a1c300510e12e11.sig" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\onetconfig\\350db95df4cbd94b2a1c300510e12e11.sig"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0132.501] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=128) returned 1 [0132.501] CloseHandle (hObject=0x1d8) returned 1 [0132.501] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4bd15230, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x29ae1d20, ftLastAccessTime.dwHighDateTime=0x1d2e626, ftLastWriteTime.dwLowDateTime=0x29ae1d20, ftLastWriteTime.dwHighDateTime=0x1d2e626, nFileSizeHigh=0x0, nFileSizeLow=0x7ef, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName="350db95df4cbd94b2a1c300510e12e11.xml", cAlternateFileName="350DB9~1.XML")) returned 1 [0132.501] lstrcmpiW (lpString1="350db95df4cbd94b2a1c300510e12e11.xml", lpString2="Windows") returned -1 [0132.501] lstrcmpiW (lpString1="350db95df4cbd94b2a1c300510e12e11.xml", lpString2="Program Files") returned -1 [0132.501] lstrcmpiW (lpString1="350db95df4cbd94b2a1c300510e12e11.xml", lpString2="Program Files (x86)") returned -1 [0132.501] lstrcmpiW (lpString1="350db95df4cbd94b2a1c300510e12e11.xml", lpString2="$Recycle.bin") returned 1 [0132.501] lstrcmpiW (lpString1="350db95df4cbd94b2a1c300510e12e11.xml", lpString2="System Volume Information") returned -1 [0132.501] lstrcmpiW (lpString1="350db95df4cbd94b2a1c300510e12e11.xml", lpString2=".") returned 1 [0132.501] lstrcmpiW (lpString1="350db95df4cbd94b2a1c300510e12e11.xml", lpString2="..") returned 1 [0132.501] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\350db95df4cbd94b2a1c300510e12e11.xml") returned 112 [0132.501] lstrcmpW (lpString1="350db95df4cbd94b2a1c300510e12e11.xml", lpString2="PUSSY.TXT") returned -1 [0132.501] PathFindExtensionW (pszPath="350db95df4cbd94b2a1c300510e12e11.xml") returned=".xml" [0132.501] lstrlenW (lpString=".xml") returned 4 [0132.501] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0132.501] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\350db95df4cbd94b2a1c300510e12e11.xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\onetconfig\\350db95df4cbd94b2a1c300510e12e11.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0132.502] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=2031) returned 1 [0132.502] GetProcessHeap () returned 0x4c0000 [0132.502] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0132.517] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="4E") returned 2 [0132.517] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="ED") returned 2 [0132.517] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="E3") returned 2 [0132.517] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="92") returned 2 [0132.517] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="EB") returned 2 [0132.517] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="ED") returned 2 [0132.517] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="A2") returned 2 [0132.518] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="FF") returned 2 [0132.518] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="DD") returned 2 [0132.518] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="EA") returned 2 [0132.518] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="74") returned 2 [0132.518] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="28") returned 2 [0132.518] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="8B") returned 2 [0132.518] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="4C") returned 2 [0132.518] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="BD") returned 2 [0132.518] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="25") returned 2 [0132.518] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="C9") returned 2 [0132.518] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="AB") returned 2 [0132.518] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="33") returned 2 [0132.518] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="5B") returned 2 [0132.518] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="D5") returned 2 [0132.518] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="43") returned 2 [0132.518] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="38") returned 2 [0132.518] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="8C") returned 2 [0132.518] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="99") returned 2 [0132.518] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="A0") returned 2 [0132.518] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="BB") returned 2 [0132.518] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="88") returned 2 [0132.518] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="F4") returned 2 [0132.518] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="06") returned 2 [0132.518] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="06") returned 2 [0132.518] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="0C") returned 2 [0132.529] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\350db95df4cbd94b2a1c300510e12e11.xml" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\350db95df4cbd94b2a1c300510e12e11.xml") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\350db95df4cbd94b2a1c300510e12e11.xml" [0132.529] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\350db95df4cbd94b2a1c300510e12e11.xml" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\350db95df4cbd94b2a1c300510e12e11.xml") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\350db95df4cbd94b2a1c300510e12e11.xml" [0132.529] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\350db95df4cbd94b2a1c300510e12e11.xml", lpString2=".4EEDE392EBEDA2FFDDEA74288B4CBD25C9AB335BD543388C99A0BB88F406060C" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\350db95df4cbd94b2a1c300510e12e11.xml.4EEDE392EBEDA2FFDDEA74288B4CBD25C9AB335BD543388C99A0BB88F406060C") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\350db95df4cbd94b2a1c300510e12e11.xml.4EEDE392EBEDA2FFDDEA74288B4CBD25C9AB335BD543388C99A0BB88F406060C" [0132.529] CreateIoCompletionPort (FileHandle=0x1d8, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0132.529] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0132.529] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4bd15230, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x29ae1d20, ftLastAccessTime.dwHighDateTime=0x1d2e626, ftLastWriteTime.dwLowDateTime=0x29ae1d20, ftLastWriteTime.dwHighDateTime=0x1d2e626, nFileSizeHigh=0x0, nFileSizeLow=0x7ef, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName="350db95df4cbd94b2a1c300510e12e11.xml", cAlternateFileName="350DB9~1.XML")) returned 0 [0132.529] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0132.529] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\PUSSY.TXT") returned 85 [0132.529] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\onetconfig\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0132.533] lstrlenA (lpString="abcd") returned 4 [0132.533] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0132.534] CloseHandle (hObject=0x17c) returned 1 [0132.534] GetProcessHeap () returned 0x4c0000 [0132.535] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0132.535] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4bb72310, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x29ae1d20, ftLastAccessTime.dwHighDateTime=0x1d2e626, ftLastWriteTime.dwLowDateTime=0x29ae1d20, ftLastWriteTime.dwHighDateTime=0x1d2e626, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="ONetConfig", cAlternateFileName="ONETCO~1")) returned 0 [0132.535] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0132.535] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\PUSSY.TXT") returned 74 [0132.535] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0132.535] lstrlenA (lpString="abcd") returned 4 [0132.536] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0132.537] CloseHandle (hObject=0x1d0) returned 1 [0132.537] GetProcessHeap () returned 0x4c0000 [0132.537] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0132.537] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3dc40980, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x8ae80e80, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x8ae80e80, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Outlook", cAlternateFileName="")) returned 1 [0132.537] lstrcmpiW (lpString1="Outlook", lpString2="Windows") returned -1 [0132.537] lstrcmpiW (lpString1="Outlook", lpString2="Program Files") returned -1 [0132.537] lstrcmpiW (lpString1="Outlook", lpString2="Program Files (x86)") returned -1 [0132.537] lstrcmpiW (lpString1="Outlook", lpString2="$Recycle.bin") returned 1 [0132.537] lstrcmpiW (lpString1="Outlook", lpString2="System Volume Information") returned -1 [0132.537] lstrcmpiW (lpString1="Outlook", lpString2=".") returned 1 [0132.537] lstrcmpiW (lpString1="Outlook", lpString2="..") returned 1 [0132.537] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook") returned 65 [0132.537] GetProcessHeap () returned 0x4c0000 [0132.537] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0132.537] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook" [0132.537] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\*" [0132.537] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3dc40980, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x8ae80e80, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x8ae80e80, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0132.540] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0132.540] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0132.540] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0132.540] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0132.540] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0132.540] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0132.540] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3dc40980, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x8ae80e80, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x8ae80e80, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0132.540] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0132.540] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0132.541] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0132.541] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0132.541] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0132.541] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0132.541] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0132.541] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3dc8cc40, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x3dc8cc40, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x3dc8cc40, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x462, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="mapisvc.inf", cAlternateFileName="")) returned 1 [0132.541] lstrcmpiW (lpString1="mapisvc.inf", lpString2="Windows") returned -1 [0132.541] lstrcmpiW (lpString1="mapisvc.inf", lpString2="Program Files") returned -1 [0132.541] lstrcmpiW (lpString1="mapisvc.inf", lpString2="Program Files (x86)") returned -1 [0132.541] lstrcmpiW (lpString1="mapisvc.inf", lpString2="$Recycle.bin") returned 1 [0132.541] lstrcmpiW (lpString1="mapisvc.inf", lpString2="System Volume Information") returned -1 [0132.541] lstrcmpiW (lpString1="mapisvc.inf", lpString2=".") returned 1 [0132.541] lstrcmpiW (lpString1="mapisvc.inf", lpString2="..") returned 1 [0132.541] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\mapisvc.inf") returned 77 [0132.541] lstrcmpW (lpString1="mapisvc.inf", lpString2="PUSSY.TXT") returned -1 [0132.541] PathFindExtensionW (pszPath="mapisvc.inf") returned=".inf" [0132.541] lstrlenW (lpString=".inf") returned 4 [0132.541] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0132.541] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\mapisvc.inf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\outlook\\mapisvc.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0132.542] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=1122) returned 1 [0132.542] GetProcessHeap () returned 0x4c0000 [0132.542] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc80e0 [0132.556] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="6C") returned 2 [0132.556] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="B5") returned 2 [0132.556] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="68") returned 2 [0132.556] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="9E") returned 2 [0132.556] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="B6") returned 2 [0132.556] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="71") returned 2 [0132.556] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="26") returned 2 [0132.556] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="52") returned 2 [0132.557] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="4E") returned 2 [0132.557] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="8E") returned 2 [0132.557] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="C5") returned 2 [0132.557] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="2E") returned 2 [0132.557] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="41") returned 2 [0132.557] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="92") returned 2 [0132.557] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="69") returned 2 [0132.557] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="65") returned 2 [0132.557] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="89") returned 2 [0132.557] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="C0") returned 2 [0132.557] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="1D") returned 2 [0132.557] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="FB") returned 2 [0132.557] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="37") returned 2 [0132.557] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="F5") returned 2 [0132.557] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="38") returned 2 [0132.557] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="9A") returned 2 [0132.557] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="3D") returned 2 [0132.557] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="AD") returned 2 [0132.557] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="DF") returned 2 [0132.557] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="49") returned 2 [0132.557] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="AB") returned 2 [0132.557] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="FE") returned 2 [0132.557] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="F0") returned 2 [0132.557] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="62") returned 2 [0132.569] lstrcpyW (in: lpString1=0x3bd8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\mapisvc.inf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\mapisvc.inf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\mapisvc.inf" [0132.569] lstrcpyW (in: lpString1=0x3bc8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\mapisvc.inf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\mapisvc.inf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\mapisvc.inf" [0132.570] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\mapisvc.inf", lpString2=".6CB5689EB67126524E8EC52E4192696589C01DFB37F5389A3DADDF49ABFEF062" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\mapisvc.inf.6CB5689EB67126524E8EC52E4192696589C01DFB37F5389A3DADDF49ABFEF062") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\mapisvc.inf.6CB5689EB67126524E8EC52E4192696589C01DFB37F5389A3DADDF49ABFEF062" [0132.570] CreateIoCompletionPort (FileHandle=0x17c, ExistingCompletionPort=0x94, CompletionKey=0x3bc80e0, NumberOfConcurrentThreads=0x0) returned 0x94 [0132.570] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc80e0, lpOverlapped=0x3bc80e0) returned 1 [0132.570] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5c4d2d00, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x8ae80e80, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x8ae80e80, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0xb9, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="Outlook.sharing.xml.obi", cAlternateFileName="OUTLOO~1.OBI")) returned 1 [0132.570] lstrcmpiW (lpString1="Outlook.sharing.xml.obi", lpString2="Windows") returned -1 [0132.570] lstrcmpiW (lpString1="Outlook.sharing.xml.obi", lpString2="Program Files") returned -1 [0132.570] lstrcmpiW (lpString1="Outlook.sharing.xml.obi", lpString2="Program Files (x86)") returned -1 [0132.570] lstrcmpiW (lpString1="Outlook.sharing.xml.obi", lpString2="$Recycle.bin") returned 1 [0132.570] lstrcmpiW (lpString1="Outlook.sharing.xml.obi", lpString2="System Volume Information") returned -1 [0132.570] lstrcmpiW (lpString1="Outlook.sharing.xml.obi", lpString2=".") returned 1 [0132.570] lstrcmpiW (lpString1="Outlook.sharing.xml.obi", lpString2="..") returned 1 [0132.570] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\Outlook.sharing.xml.obi") returned 89 [0132.570] lstrcmpW (lpString1="Outlook.sharing.xml.obi", lpString2="PUSSY.TXT") returned -1 [0132.570] PathFindExtensionW (pszPath="Outlook.sharing.xml.obi") returned=".obi" [0132.570] lstrlenW (lpString=".obi") returned 4 [0132.570] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0132.570] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\Outlook.sharing.xml.obi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\outlook\\outlook.sharing.xml.obi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0132.597] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=185) returned 1 [0132.597] CloseHandle (hObject=0x17c) returned 1 [0132.597] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x609dab00, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x609dab00, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x609dab00, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="RoamCache", cAlternateFileName="ROAMCA~1")) returned 1 [0132.597] lstrcmpiW (lpString1="RoamCache", lpString2="Windows") returned -1 [0132.597] lstrcmpiW (lpString1="RoamCache", lpString2="Program Files") returned 1 [0132.597] lstrcmpiW (lpString1="RoamCache", lpString2="Program Files (x86)") returned 1 [0132.597] lstrcmpiW (lpString1="RoamCache", lpString2="$Recycle.bin") returned 1 [0132.597] lstrcmpiW (lpString1="RoamCache", lpString2="System Volume Information") returned -1 [0132.597] lstrcmpiW (lpString1="RoamCache", lpString2=".") returned 1 [0132.597] lstrcmpiW (lpString1="RoamCache", lpString2="..") returned 1 [0132.597] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\RoamCache") returned 75 [0132.597] GetProcessHeap () returned 0x4c0000 [0132.597] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0132.597] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\RoamCache" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\RoamCache") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\RoamCache" [0132.597] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\RoamCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\*" [0132.597] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x609dab00, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x609dab00, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x609dab00, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0132.598] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0132.598] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0132.598] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0132.598] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0132.598] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0132.598] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0132.598] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x609dab00, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x609dab00, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x609dab00, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0132.598] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0132.598] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0132.598] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0132.598] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0132.598] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0132.598] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0132.598] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0132.598] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x609dab00, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x609dab00, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x60a26dc0, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x104, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Stream_ContactPrefs_2_F230E11936B7D740A008FFC660E83C71.dat", cAlternateFileName="STREAM~1.DAT")) returned 1 [0132.598] lstrcmpiW (lpString1="Stream_ContactPrefs_2_F230E11936B7D740A008FFC660E83C71.dat", lpString2="Windows") returned -1 [0132.598] lstrcmpiW (lpString1="Stream_ContactPrefs_2_F230E11936B7D740A008FFC660E83C71.dat", lpString2="Program Files") returned 1 [0132.598] lstrcmpiW (lpString1="Stream_ContactPrefs_2_F230E11936B7D740A008FFC660E83C71.dat", lpString2="Program Files (x86)") returned 1 [0132.599] lstrcmpiW (lpString1="Stream_ContactPrefs_2_F230E11936B7D740A008FFC660E83C71.dat", lpString2="$Recycle.bin") returned 1 [0132.599] lstrcmpiW (lpString1="Stream_ContactPrefs_2_F230E11936B7D740A008FFC660E83C71.dat", lpString2="System Volume Information") returned -1 [0132.599] lstrcmpiW (lpString1="Stream_ContactPrefs_2_F230E11936B7D740A008FFC660E83C71.dat", lpString2=".") returned 1 [0132.599] lstrcmpiW (lpString1="Stream_ContactPrefs_2_F230E11936B7D740A008FFC660E83C71.dat", lpString2="..") returned 1 [0132.599] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\Stream_ContactPrefs_2_F230E11936B7D740A008FFC660E83C71.dat") returned 134 [0132.599] lstrcmpW (lpString1="Stream_ContactPrefs_2_F230E11936B7D740A008FFC660E83C71.dat", lpString2="PUSSY.TXT") returned 1 [0132.599] PathFindExtensionW (pszPath="Stream_ContactPrefs_2_F230E11936B7D740A008FFC660E83C71.dat") returned=".dat" [0132.599] lstrlenW (lpString=".dat") returned 4 [0132.599] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0132.599] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\Stream_ContactPrefs_2_F230E11936B7D740A008FFC660E83C71.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\outlook\\roamcache\\stream_contactprefs_2_f230e11936b7d740a008ffc660e83c71.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0132.599] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=260) returned 1 [0132.600] CloseHandle (hObject=0x1d8) returned 1 [0132.600] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x609dab00, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x609dab00, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x60a26dc0, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x104, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Stream_ContactPrefs_2_F230E11936B7D740A008FFC660E83C71.dat", cAlternateFileName="STREAM~1.DAT")) returned 0 [0132.600] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0132.600] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\PUSSY.TXT") returned 85 [0132.600] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\outlook\\roamcache\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0132.600] lstrlenA (lpString="abcd") returned 4 [0132.600] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0132.602] CloseHandle (hObject=0x17c) returned 1 [0132.602] GetProcessHeap () returned 0x4c0000 [0132.602] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0132.606] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8ae80e80, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0x8ae80e80, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x5c4d2d00, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0xb9, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="~last~.sharing.xml.obi", cAlternateFileName="~LAST~~1.OBI")) returned 1 [0132.606] lstrcmpiW (lpString1="~last~.sharing.xml.obi", lpString2="Windows") returned -1 [0132.606] lstrcmpiW (lpString1="~last~.sharing.xml.obi", lpString2="Program Files") returned -1 [0132.606] lstrcmpiW (lpString1="~last~.sharing.xml.obi", lpString2="Program Files (x86)") returned -1 [0132.606] lstrcmpiW (lpString1="~last~.sharing.xml.obi", lpString2="$Recycle.bin") returned 1 [0132.606] lstrcmpiW (lpString1="~last~.sharing.xml.obi", lpString2="System Volume Information") returned -1 [0132.606] lstrcmpiW (lpString1="~last~.sharing.xml.obi", lpString2=".") returned 1 [0132.606] lstrcmpiW (lpString1="~last~.sharing.xml.obi", lpString2="..") returned 1 [0132.606] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\~last~.sharing.xml.obi") returned 88 [0132.607] lstrcmpW (lpString1="~last~.sharing.xml.obi", lpString2="PUSSY.TXT") returned -1 [0132.607] PathFindExtensionW (pszPath="~last~.sharing.xml.obi") returned=".obi" [0132.607] lstrlenW (lpString=".obi") returned 4 [0132.607] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0132.607] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\~last~.sharing.xml.obi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\outlook\\~last~.sharing.xml.obi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0132.608] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=185) returned 1 [0132.608] CloseHandle (hObject=0x17c) returned 1 [0132.608] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8ae80e80, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0x8ae80e80, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x5c4d2d00, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0xb9, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="~last~.sharing.xml.obi", cAlternateFileName="~LAST~~1.OBI")) returned 0 [0132.608] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0132.608] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\PUSSY.TXT") returned 75 [0132.608] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\outlook\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0132.609] lstrlenA (lpString="abcd") returned 4 [0132.609] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0132.610] CloseHandle (hObject=0x1d0) returned 1 [0132.610] GetProcessHeap () returned 0x4c0000 [0132.610] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0132.610] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4bb4c1b0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x4bb4c1b0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x4bb4c1b0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Publisher", cAlternateFileName="PUBLIS~1")) returned 1 [0132.610] lstrcmpiW (lpString1="Publisher", lpString2="Windows") returned -1 [0132.611] lstrcmpiW (lpString1="Publisher", lpString2="Program Files") returned 1 [0132.611] lstrcmpiW (lpString1="Publisher", lpString2="Program Files (x86)") returned 1 [0132.611] lstrcmpiW (lpString1="Publisher", lpString2="$Recycle.bin") returned 1 [0132.611] lstrcmpiW (lpString1="Publisher", lpString2="System Volume Information") returned -1 [0132.611] lstrcmpiW (lpString1="Publisher", lpString2=".") returned 1 [0132.611] lstrcmpiW (lpString1="Publisher", lpString2="..") returned 1 [0132.611] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Publisher") returned 67 [0132.611] GetProcessHeap () returned 0x4c0000 [0132.611] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0132.611] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Publisher" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Publisher") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Publisher" [0132.611] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Publisher", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Publisher\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Publisher\\*" [0132.611] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Publisher\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4bb4c1b0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x4bb4c1b0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x4bb4c1b0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0132.613] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0132.613] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0132.613] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0132.613] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0132.613] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0132.613] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0132.614] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4bb4c1b0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x4bb4c1b0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x4bb4c1b0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0132.614] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0132.614] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0132.614] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0132.614] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0132.614] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0132.614] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0132.614] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0132.614] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4bb4c1b0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x4bb4c1b0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x4bb4c1b0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0132.614] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0132.614] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Publisher\\PUSSY.TXT") returned 77 [0132.614] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Publisher\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\publisher\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0132.615] lstrlenA (lpString="abcd") returned 4 [0132.615] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0132.616] CloseHandle (hObject=0x1d0) returned 1 [0132.616] GetProcessHeap () returned 0x4c0000 [0132.616] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0132.616] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3abef650, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3abef650, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3abef650, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="TaskSchedulerConfig", cAlternateFileName="TASKSC~1")) returned 1 [0132.616] lstrcmpiW (lpString1="TaskSchedulerConfig", lpString2="Windows") returned -1 [0132.616] lstrcmpiW (lpString1="TaskSchedulerConfig", lpString2="Program Files") returned 1 [0132.616] lstrcmpiW (lpString1="TaskSchedulerConfig", lpString2="Program Files (x86)") returned 1 [0132.616] lstrcmpiW (lpString1="TaskSchedulerConfig", lpString2="$Recycle.bin") returned 1 [0132.616] lstrcmpiW (lpString1="TaskSchedulerConfig", lpString2="System Volume Information") returned 1 [0132.616] lstrcmpiW (lpString1="TaskSchedulerConfig", lpString2=".") returned 1 [0132.616] lstrcmpiW (lpString1="TaskSchedulerConfig", lpString2="..") returned 1 [0132.616] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\TaskSchedulerConfig") returned 77 [0132.616] GetProcessHeap () returned 0x4c0000 [0132.616] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0132.617] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\TaskSchedulerConfig" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\TaskSchedulerConfig") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\TaskSchedulerConfig" [0132.617] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\TaskSchedulerConfig", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\TaskSchedulerConfig\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\TaskSchedulerConfig\\*" [0132.617] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\TaskSchedulerConfig\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3abef650, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3abef650, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3abef650, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0132.617] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0132.617] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0132.617] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0132.617] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0132.618] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0132.618] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0132.618] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3abef650, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3abef650, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3abef650, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0132.618] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0132.618] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0132.618] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0132.618] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0132.618] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0132.618] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0132.618] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0132.618] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3abef650, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3abef650, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3abef650, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0132.618] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0132.618] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\TaskSchedulerConfig\\PUSSY.TXT") returned 87 [0132.618] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\TaskSchedulerConfig\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\taskschedulerconfig\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0132.630] lstrlenA (lpString="abcd") returned 4 [0132.630] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0132.631] CloseHandle (hObject=0x1d0) returned 1 [0132.631] GetProcessHeap () returned 0x4c0000 [0132.631] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0132.631] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x962f4540, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x5ef99320, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x5ef99320, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Visio", cAlternateFileName="")) returned 1 [0132.631] lstrcmpiW (lpString1="Visio", lpString2="Windows") returned -1 [0132.631] lstrcmpiW (lpString1="Visio", lpString2="Program Files") returned 1 [0132.631] lstrcmpiW (lpString1="Visio", lpString2="Program Files (x86)") returned 1 [0132.631] lstrcmpiW (lpString1="Visio", lpString2="$Recycle.bin") returned 1 [0132.631] lstrcmpiW (lpString1="Visio", lpString2="System Volume Information") returned 1 [0132.632] lstrcmpiW (lpString1="Visio", lpString2=".") returned 1 [0132.632] lstrcmpiW (lpString1="Visio", lpString2="..") returned 1 [0132.632] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio") returned 63 [0132.632] GetProcessHeap () returned 0x4c0000 [0132.632] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0132.632] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio" [0132.632] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\*" [0132.632] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x962f4540, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x5ef99320, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x5ef99320, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0132.632] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0132.633] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0132.633] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0132.633] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0132.633] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0132.633] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0132.633] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x962f4540, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x5ef99320, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x5ef99320, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0132.633] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0132.633] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0132.633] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0132.633] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0132.633] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0132.633] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0132.633] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0132.633] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5ef99320, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0x5ef99320, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x5efe55e0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x18ce0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="content14.dat", cAlternateFileName="CONTEN~1.DAT")) returned 1 [0132.633] lstrcmpiW (lpString1="content14.dat", lpString2="Windows") returned -1 [0132.633] lstrcmpiW (lpString1="content14.dat", lpString2="Program Files") returned -1 [0132.633] lstrcmpiW (lpString1="content14.dat", lpString2="Program Files (x86)") returned -1 [0132.633] lstrcmpiW (lpString1="content14.dat", lpString2="$Recycle.bin") returned 1 [0132.633] lstrcmpiW (lpString1="content14.dat", lpString2="System Volume Information") returned -1 [0132.633] lstrcmpiW (lpString1="content14.dat", lpString2=".") returned 1 [0132.633] lstrcmpiW (lpString1="content14.dat", lpString2="..") returned 1 [0132.633] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\content14.dat") returned 77 [0132.633] lstrcmpW (lpString1="content14.dat", lpString2="PUSSY.TXT") returned -1 [0132.633] PathFindExtensionW (pszPath="content14.dat") returned=".dat" [0132.633] lstrlenW (lpString=".dat") returned 4 [0132.633] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0132.634] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\content14.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\visio\\content14.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0132.634] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=101600) returned 1 [0132.634] GetProcessHeap () returned 0x4c0000 [0132.635] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc80e0 [0132.649] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="95") returned 2 [0132.649] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="88") returned 2 [0132.649] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="7E") returned 2 [0132.649] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="1C") returned 2 [0132.649] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="D4") returned 2 [0132.649] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="95") returned 2 [0132.649] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="49") returned 2 [0132.649] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="F0") returned 2 [0132.650] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="32") returned 2 [0132.650] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="48") returned 2 [0132.650] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="A8") returned 2 [0132.650] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="3D") returned 2 [0132.650] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="FF") returned 2 [0132.650] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="26") returned 2 [0132.650] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="FF") returned 2 [0132.650] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="58") returned 2 [0132.650] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="38") returned 2 [0132.650] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="C3") returned 2 [0132.650] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="CC") returned 2 [0132.650] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="AD") returned 2 [0132.650] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="09") returned 2 [0132.650] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="2C") returned 2 [0132.650] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="46") returned 2 [0132.650] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="9C") returned 2 [0132.650] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="EC") returned 2 [0132.650] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="0B") returned 2 [0132.650] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="60") returned 2 [0132.650] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="3E") returned 2 [0132.650] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="A6") returned 2 [0132.650] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="99") returned 2 [0132.650] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="FC") returned 2 [0132.650] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="0D") returned 2 [0132.662] lstrcpyW (in: lpString1=0x3bd8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\content14.dat" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\content14.dat") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\content14.dat" [0132.662] lstrcpyW (in: lpString1=0x3bc8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\content14.dat" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\content14.dat") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\content14.dat" [0132.662] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\content14.dat", lpString2=".95887E1CD49549F03248A83DFF26FF5838C3CCAD092C469CEC0B603EA699FC0D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\content14.dat.95887E1CD49549F03248A83DFF26FF5838C3CCAD092C469CEC0B603EA699FC0D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\content14.dat.95887E1CD49549F03248A83DFF26FF5838C3CCAD092C469CEC0B603EA699FC0D" [0132.662] CreateIoCompletionPort (FileHandle=0x17c, ExistingCompletionPort=0x94, CompletionKey=0x3bc80e0, NumberOfConcurrentThreads=0x0) returned 0x94 [0132.663] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc80e0, lpOverlapped=0x3bc80e0) returned 1 [0132.663] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x976e3d80, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x976e3d80, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x5f055ac0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x1f400, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="thumbs.dat", cAlternateFileName="")) returned 1 [0132.663] lstrcmpiW (lpString1="thumbs.dat", lpString2="Windows") returned -1 [0132.663] lstrcmpiW (lpString1="thumbs.dat", lpString2="Program Files") returned 1 [0132.663] lstrcmpiW (lpString1="thumbs.dat", lpString2="Program Files (x86)") returned 1 [0132.663] lstrcmpiW (lpString1="thumbs.dat", lpString2="$Recycle.bin") returned 1 [0132.663] lstrcmpiW (lpString1="thumbs.dat", lpString2="System Volume Information") returned 1 [0132.663] lstrcmpiW (lpString1="thumbs.dat", lpString2=".") returned 1 [0132.663] lstrcmpiW (lpString1="thumbs.dat", lpString2="..") returned 1 [0132.663] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\thumbs.dat") returned 74 [0132.663] lstrcmpW (lpString1="thumbs.dat", lpString2="PUSSY.TXT") returned 1 [0132.663] PathFindExtensionW (pszPath="thumbs.dat") returned=".dat" [0132.663] lstrlenW (lpString=".dat") returned 4 [0132.663] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0132.663] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\thumbs.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\visio\\thumbs.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0132.664] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=128000) returned 1 [0132.664] GetProcessHeap () returned 0x4c0000 [0132.664] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0132.674] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="FB") returned 2 [0132.674] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="FC") returned 2 [0132.674] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="D6") returned 2 [0132.674] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="FF") returned 2 [0132.674] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="EF") returned 2 [0132.674] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="8F") returned 2 [0132.674] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="C4") returned 2 [0132.674] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="10") returned 2 [0132.674] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="A9") returned 2 [0132.674] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="B2") returned 2 [0132.674] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="CE") returned 2 [0132.674] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="28") returned 2 [0132.674] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="8D") returned 2 [0132.674] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="F1") returned 2 [0132.674] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="DE") returned 2 [0132.674] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="9B") returned 2 [0132.674] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="E5") returned 2 [0132.674] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="1A") returned 2 [0132.674] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="F7") returned 2 [0132.674] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="5A") returned 2 [0132.674] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="15") returned 2 [0132.674] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="F4") returned 2 [0132.675] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="16") returned 2 [0132.675] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="52") returned 2 [0132.675] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="F4") returned 2 [0132.675] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="39") returned 2 [0132.675] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="7E") returned 2 [0132.675] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="58") returned 2 [0132.675] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="07") returned 2 [0132.675] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="F2") returned 2 [0132.675] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="BF") returned 2 [0132.675] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="67") returned 2 [0132.684] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\thumbs.dat" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\thumbs.dat") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\thumbs.dat" [0132.684] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\thumbs.dat" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\thumbs.dat") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\thumbs.dat" [0132.684] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\thumbs.dat", lpString2=".FBFCD6FFEF8FC410A9B2CE288DF1DE9BE51AF75A15F41652F4397E5807F2BF67" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\thumbs.dat.FBFCD6FFEF8FC410A9B2CE288DF1DE9BE51AF75A15F41652F4397E5807F2BF67") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\thumbs.dat.FBFCD6FFEF8FC410A9B2CE288DF1DE9BE51AF75A15F41652F4397E5807F2BF67" [0132.685] CreateIoCompletionPort (FileHandle=0x1d8, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0132.685] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0132.685] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x976e3d80, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x976e3d80, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x5f055ac0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x1f400, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="thumbs.dat", cAlternateFileName="")) returned 0 [0132.685] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0132.685] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\PUSSY.TXT") returned 73 [0132.685] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\visio\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0132.686] lstrlenA (lpString="abcd") returned 4 [0132.686] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0132.687] CloseHandle (hObject=0x1d0) returned 1 [0132.687] GetProcessHeap () returned 0x4c0000 [0132.687] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0132.687] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd8d1fc80, ftLastAccessTime.dwHighDateTime=0x1d3373f, ftLastWriteTime.dwLowDateTime=0xd8d1fc80, ftLastWriteTime.dwHighDateTime=0x1d3373f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Windows", cAlternateFileName="")) returned 1 [0132.687] lstrcmpiW (lpString1="Windows", lpString2="Windows") returned 0 [0132.687] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2c881c40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2c881c40, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Windows Mail", cAlternateFileName="WINDOW~3")) returned 1 [0132.687] lstrcmpiW (lpString1="Windows Mail", lpString2="Windows") returned 1 [0132.687] lstrcmpiW (lpString1="Windows Mail", lpString2="Program Files") returned 1 [0132.687] lstrcmpiW (lpString1="Windows Mail", lpString2="Program Files (x86)") returned 1 [0132.687] lstrcmpiW (lpString1="Windows Mail", lpString2="$Recycle.bin") returned 1 [0132.687] lstrcmpiW (lpString1="Windows Mail", lpString2="System Volume Information") returned 1 [0132.687] lstrcmpiW (lpString1="Windows Mail", lpString2=".") returned 1 [0132.687] lstrcmpiW (lpString1="Windows Mail", lpString2="..") returned 1 [0132.687] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail") returned 70 [0132.687] GetProcessHeap () returned 0x4c0000 [0132.687] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0132.687] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail" [0132.687] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\*" [0132.687] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2c881c40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2c881c40, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0132.770] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0132.770] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0132.770] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0132.770] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0132.770] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0132.770] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0132.770] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2c881c40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2c881c40, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0132.771] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0132.771] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0132.771] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0132.771] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0132.771] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0132.771] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0132.771] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0132.771] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28e7c400, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28e7c400, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf67dcad6, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x5e4, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount", cAlternateFileName="ACCOUN~3.OEA")) returned 1 [0132.771] lstrcmpiW (lpString1="account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount", lpString2="Windows") returned -1 [0132.771] lstrcmpiW (lpString1="account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount", lpString2="Program Files") returned -1 [0132.771] lstrcmpiW (lpString1="account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount", lpString2="Program Files (x86)") returned -1 [0132.771] lstrcmpiW (lpString1="account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount", lpString2="$Recycle.bin") returned 1 [0132.771] lstrcmpiW (lpString1="account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount", lpString2="System Volume Information") returned -1 [0132.771] lstrcmpiW (lpString1="account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount", lpString2=".") returned 1 [0132.771] lstrcmpiW (lpString1="account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount", lpString2="..") returned 1 [0132.771] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount") returned 126 [0132.771] lstrcmpW (lpString1="account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount", lpString2="PUSSY.TXT") returned -1 [0132.771] PathFindExtensionW (pszPath="account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount") returned=".oeaccount" [0132.771] lstrlenW (lpString=".oeaccount") returned 10 [0132.771] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0132.771] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\account{047ef9ce-9c1f-4250-9ca7-d206db8b643c}.oeaccount"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0132.772] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=1508) returned 1 [0132.772] GetProcessHeap () returned 0x4c0000 [0132.772] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0132.780] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="89") returned 2 [0132.780] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="C7") returned 2 [0132.780] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="5B") returned 2 [0132.780] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="96") returned 2 [0132.780] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="18") returned 2 [0132.780] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="B4") returned 2 [0132.780] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="58") returned 2 [0132.780] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="5A") returned 2 [0132.781] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="56") returned 2 [0132.781] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="78") returned 2 [0132.781] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="03") returned 2 [0132.781] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="14") returned 2 [0132.781] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="3C") returned 2 [0132.781] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="8D") returned 2 [0132.781] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="C9") returned 2 [0132.781] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="BD") returned 2 [0132.781] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="23") returned 2 [0132.781] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="8E") returned 2 [0132.781] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="20") returned 2 [0132.781] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="B5") returned 2 [0132.781] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="DB") returned 2 [0132.781] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="21") returned 2 [0132.781] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="7A") returned 2 [0132.781] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="5C") returned 2 [0132.781] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="F9") returned 2 [0132.781] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="1F") returned 2 [0132.781] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="E3") returned 2 [0132.781] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="E2") returned 2 [0132.781] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="9E") returned 2 [0132.781] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="FA") returned 2 [0132.781] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="96") returned 2 [0132.781] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="50") returned 2 [0132.789] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount" [0132.789] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount" [0132.789] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount", lpString2=".89C75B9618B4585A567803143C8DC9BD238E20B5DB217A5CF91FE3E29EFA9650" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount.89C75B9618B4585A567803143C8DC9BD238E20B5DB217A5CF91FE3E29EFA9650") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount.89C75B9618B4585A567803143C8DC9BD238E20B5DB217A5CF91FE3E29EFA9650" [0132.789] CreateIoCompletionPort (FileHandle=0x17c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0132.789] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0132.789] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28e7c400, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28e7c400, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf657b4d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x2a0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount", cAlternateFileName="ACCOUN~2.OEA")) returned 1 [0132.789] lstrcmpiW (lpString1="account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount", lpString2="Windows") returned -1 [0132.789] lstrcmpiW (lpString1="account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount", lpString2="Program Files") returned -1 [0132.789] lstrcmpiW (lpString1="account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount", lpString2="Program Files (x86)") returned -1 [0132.790] lstrcmpiW (lpString1="account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount", lpString2="$Recycle.bin") returned 1 [0132.790] lstrcmpiW (lpString1="account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount", lpString2="System Volume Information") returned -1 [0132.790] lstrcmpiW (lpString1="account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount", lpString2=".") returned 1 [0132.790] lstrcmpiW (lpString1="account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount", lpString2="..") returned 1 [0132.790] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount") returned 126 [0132.790] lstrcmpW (lpString1="account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount", lpString2="PUSSY.TXT") returned -1 [0132.790] PathFindExtensionW (pszPath="account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount") returned=".oeaccount" [0132.790] lstrlenW (lpString=".oeaccount") returned 10 [0132.790] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0132.790] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\account{1cd43f3b-668b-4ca8-b816-34f74122ec0f}.oeaccount"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0132.791] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=672) returned 1 [0132.791] GetProcessHeap () returned 0x4c0000 [0132.791] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc80e0 [0132.799] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="AE") returned 2 [0132.799] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="C7") returned 2 [0132.799] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="D4") returned 2 [0132.799] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="36") returned 2 [0132.799] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="48") returned 2 [0132.799] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="FB") returned 2 [0132.799] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="F6") returned 2 [0132.799] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="15") returned 2 [0132.799] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="98") returned 2 [0132.799] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="85") returned 2 [0132.799] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="3F") returned 2 [0132.799] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="C3") returned 2 [0132.799] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="F3") returned 2 [0132.799] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="C5") returned 2 [0132.799] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="5B") returned 2 [0132.799] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="0D") returned 2 [0132.799] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="AB") returned 2 [0132.799] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="98") returned 2 [0132.799] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="E5") returned 2 [0132.799] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="A4") returned 2 [0132.800] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="78") returned 2 [0132.800] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="FC") returned 2 [0132.800] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="B0") returned 2 [0132.800] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="D7") returned 2 [0132.800] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="34") returned 2 [0132.800] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="9D") returned 2 [0132.800] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="0D") returned 2 [0132.800] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="17") returned 2 [0132.800] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="8B") returned 2 [0132.800] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="2E") returned 2 [0132.800] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="19") returned 2 [0132.800] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="5E") returned 2 [0132.808] lstrcpyW (in: lpString1=0x3bd8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount" [0132.808] lstrcpyW (in: lpString1=0x3bc8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount" [0132.808] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount", lpString2=".AEC7D43648FBF61598853FC3F3C55B0DAB98E5A478FCB0D7349D0D178B2E195E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount.AEC7D43648FBF61598853FC3F3C55B0DAB98E5A478FCB0D7349D0D178B2E195E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount.AEC7D43648FBF61598853FC3F3C55B0DAB98E5A478FCB0D7349D0D178B2E195E" [0132.808] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x94, CompletionKey=0x3bc80e0, NumberOfConcurrentThreads=0x0) returned 0x94 [0132.808] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc80e0, lpOverlapped=0x3bc80e0) returned 1 [0132.808] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28e7c400, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28e7c400, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf67b6975, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x6c8, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount", cAlternateFileName="ACCOUN~1.OEA")) returned 1 [0132.808] lstrcmpiW (lpString1="account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount", lpString2="Windows") returned -1 [0132.808] lstrcmpiW (lpString1="account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount", lpString2="Program Files") returned -1 [0132.808] lstrcmpiW (lpString1="account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount", lpString2="Program Files (x86)") returned -1 [0132.808] lstrcmpiW (lpString1="account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount", lpString2="$Recycle.bin") returned 1 [0132.808] lstrcmpiW (lpString1="account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount", lpString2="System Volume Information") returned -1 [0132.808] lstrcmpiW (lpString1="account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount", lpString2=".") returned 1 [0132.808] lstrcmpiW (lpString1="account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount", lpString2="..") returned 1 [0132.808] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount") returned 126 [0132.808] lstrcmpW (lpString1="account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount", lpString2="PUSSY.TXT") returned -1 [0132.808] PathFindExtensionW (pszPath="account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount") returned=".oeaccount" [0132.809] lstrlenW (lpString=".oeaccount") returned 10 [0132.809] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0132.809] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\account{af0db737-2ef9-4633-bf5e-1a6761ed1577}.oeaccount"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0132.839] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=1736) returned 1 [0132.839] GetProcessHeap () returned 0x4c0000 [0132.839] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc80e0 [0132.847] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="61") returned 2 [0132.848] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="7A") returned 2 [0132.848] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="A7") returned 2 [0132.848] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="A2") returned 2 [0132.848] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="59") returned 2 [0132.848] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="58") returned 2 [0132.848] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="2D") returned 2 [0132.848] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="23") returned 2 [0132.848] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="37") returned 2 [0132.848] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="62") returned 2 [0132.848] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="CE") returned 2 [0132.848] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="70") returned 2 [0132.848] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="10") returned 2 [0132.848] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="06") returned 2 [0132.848] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="30") returned 2 [0132.848] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="9A") returned 2 [0132.848] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="15") returned 2 [0132.848] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="78") returned 2 [0132.848] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="D0") returned 2 [0132.848] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="4B") returned 2 [0132.848] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="61") returned 2 [0132.848] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="D9") returned 2 [0132.848] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="C0") returned 2 [0132.848] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="7C") returned 2 [0132.848] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="CC") returned 2 [0132.848] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="02") returned 2 [0132.848] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="36") returned 2 [0132.848] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="99") returned 2 [0132.848] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="5D") returned 2 [0132.848] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="30") returned 2 [0132.848] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="75") returned 2 [0132.848] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="3C") returned 2 [0132.856] lstrcpyW (in: lpString1=0x3bd8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount" [0132.856] lstrcpyW (in: lpString1=0x3bc8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount" [0132.856] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount", lpString2=".617AA7A259582D233762CE701006309A1578D04B61D9C07CCC0236995D30753C" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount.617AA7A259582D233762CE701006309A1578D04B61D9C07CCC0236995D30753C") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount.617AA7A259582D233762CE701006309A1578D04B61D9C07CCC0236995D30753C" [0132.857] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x94, CompletionKey=0x3bc80e0, NumberOfConcurrentThreads=0x0) returned 0x94 [0132.857] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc80e0, lpOverlapped=0x3bc80e0) returned 1 [0132.862] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2b9ed580, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2b9ed580, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="Backup", cAlternateFileName="")) returned 1 [0132.862] lstrcmpiW (lpString1="Backup", lpString2="Windows") returned -1 [0132.862] lstrcmpiW (lpString1="Backup", lpString2="Program Files") returned -1 [0132.862] lstrcmpiW (lpString1="Backup", lpString2="Program Files (x86)") returned -1 [0132.862] lstrcmpiW (lpString1="Backup", lpString2="$Recycle.bin") returned 1 [0132.862] lstrcmpiW (lpString1="Backup", lpString2="System Volume Information") returned -1 [0132.862] lstrcmpiW (lpString1="Backup", lpString2=".") returned 1 [0132.862] lstrcmpiW (lpString1="Backup", lpString2="..") returned 1 [0132.862] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup") returned 77 [0132.862] GetProcessHeap () returned 0x4c0000 [0132.862] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0132.863] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup" [0132.863] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\*" [0132.863] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2b9ed580, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2b9ed580, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0132.864] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0132.864] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0132.864] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0132.864] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0132.864] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0132.864] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0132.864] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2b9ed580, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2b9ed580, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0132.864] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0132.864] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0132.864] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0132.864] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0132.864] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0132.864] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0132.864] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0132.864] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f3aae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2f7a14e, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="old", cAlternateFileName="")) returned 1 [0132.864] lstrcmpiW (lpString1="old", lpString2="Windows") returned -1 [0132.864] lstrcmpiW (lpString1="old", lpString2="Program Files") returned -1 [0132.864] lstrcmpiW (lpString1="old", lpString2="Program Files (x86)") returned -1 [0132.864] lstrcmpiW (lpString1="old", lpString2="$Recycle.bin") returned 1 [0132.864] lstrcmpiW (lpString1="old", lpString2="System Volume Information") returned -1 [0132.864] lstrcmpiW (lpString1="old", lpString2=".") returned 1 [0132.864] lstrcmpiW (lpString1="old", lpString2="..") returned 1 [0132.864] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old") returned 81 [0132.864] GetProcessHeap () returned 0x4c0000 [0132.864] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0132.864] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old" [0132.864] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\*" [0132.864] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f3aae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2f7a14e, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe2858df, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0132.866] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0132.866] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0132.866] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0132.866] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0132.866] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0132.866] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0132.866] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f3aae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2f7a14e, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe2858df, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0132.867] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0132.867] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0132.867] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0132.867] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0132.867] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0132.867] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0132.867] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0132.867] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28e562a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28e562a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2f2de8d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x200000, dwReserved0=0xfe2858df, dwReserved1=0xfe000000, cFileName="edb00001.log", cAlternateFileName="")) returned 1 [0132.867] lstrcmpiW (lpString1="edb00001.log", lpString2="Windows") returned -1 [0132.867] lstrcmpiW (lpString1="edb00001.log", lpString2="Program Files") returned -1 [0132.867] lstrcmpiW (lpString1="edb00001.log", lpString2="Program Files (x86)") returned -1 [0132.867] lstrcmpiW (lpString1="edb00001.log", lpString2="$Recycle.bin") returned 1 [0132.867] lstrcmpiW (lpString1="edb00001.log", lpString2="System Volume Information") returned -1 [0132.867] lstrcmpiW (lpString1="edb00001.log", lpString2=".") returned 1 [0132.867] lstrcmpiW (lpString1="edb00001.log", lpString2="..") returned 1 [0132.867] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\edb00001.log") returned 94 [0132.867] lstrcmpW (lpString1="edb00001.log", lpString2="PUSSY.TXT") returned -1 [0132.867] PathFindExtensionW (pszPath="edb00001.log") returned=".log" [0132.867] lstrlenW (lpString=".log") returned 4 [0132.867] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0132.867] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\edb00001.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\backup\\old\\edb00001.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0132.868] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=2097152) returned 1 [0132.868] GetProcessHeap () returned 0x4c0000 [0132.868] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0132.877] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="01") returned 2 [0132.877] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="52") returned 2 [0132.877] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="A4") returned 2 [0132.877] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="DC") returned 2 [0132.877] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="53") returned 2 [0132.877] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="75") returned 2 [0132.877] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="EB") returned 2 [0132.877] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="5C") returned 2 [0132.877] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="A6") returned 2 [0132.877] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="83") returned 2 [0132.877] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="B1") returned 2 [0132.877] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="A8") returned 2 [0132.877] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="02") returned 2 [0132.877] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="EF") returned 2 [0132.877] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="71") returned 2 [0132.877] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="BA") returned 2 [0132.877] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="E7") returned 2 [0132.877] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="05") returned 2 [0132.877] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="33") returned 2 [0132.877] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="D3") returned 2 [0132.877] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="4F") returned 2 [0132.877] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="A9") returned 2 [0132.877] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="5A") returned 2 [0132.877] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="F5") returned 2 [0132.877] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="95") returned 2 [0132.877] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="56") returned 2 [0132.877] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="3E") returned 2 [0132.877] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="DC") returned 2 [0132.877] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="8D") returned 2 [0132.877] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="41") returned 2 [0132.877] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="E5") returned 2 [0132.877] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="4B") returned 2 [0132.887] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\edb00001.log" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\edb00001.log") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\edb00001.log" [0132.887] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\edb00001.log" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\edb00001.log") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\edb00001.log" [0132.887] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\edb00001.log", lpString2=".0152A4DC5375EB5CA683B1A802EF71BAE70533D34FA95AF595563EDC8D41E54B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\edb00001.log.0152A4DC5375EB5CA683B1A802EF71BAE70533D34FA95AF595563EDC8D41E54B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\edb00001.log.0152A4DC5375EB5CA683B1A802EF71BAE70533D34FA95AF595563EDC8D41E54B" [0132.887] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0132.887] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0132.887] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28e562a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28e562a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2ab7545, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x206000, dwReserved0=0xfe2858df, dwReserved1=0xfe000000, cFileName="WindowsMail.MSMessageStore", cAlternateFileName="WINDOW~1.MSM")) returned 1 [0132.887] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2="Windows") returned 1 [0132.887] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2="Program Files") returned 1 [0132.887] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2="Program Files (x86)") returned 1 [0132.887] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2="$Recycle.bin") returned 1 [0132.887] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2="System Volume Information") returned 1 [0132.887] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2=".") returned 1 [0132.887] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2="..") returned 1 [0132.887] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.MSMessageStore") returned 108 [0132.887] lstrcmpW (lpString1="WindowsMail.MSMessageStore", lpString2="PUSSY.TXT") returned 1 [0132.887] PathFindExtensionW (pszPath="WindowsMail.MSMessageStore") returned=".MSMessageStore" [0132.887] lstrlenW (lpString=".MSMessageStore") returned 15 [0132.887] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0132.887] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.MSMessageStore" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\backup\\old\\windowsmail.msmessagestore"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0132.888] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=2121728) returned 1 [0132.888] GetProcessHeap () returned 0x4c0000 [0132.888] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x53caf0 [0132.898] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="AC") returned 2 [0132.898] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="49") returned 2 [0132.898] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="C2") returned 2 [0132.898] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="4F") returned 2 [0132.898] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="D9") returned 2 [0132.899] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="DE") returned 2 [0132.899] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="5B") returned 2 [0132.899] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="E3") returned 2 [0132.899] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="9B") returned 2 [0132.899] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="E6") returned 2 [0132.899] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="34") returned 2 [0132.899] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="41") returned 2 [0132.899] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="D3") returned 2 [0132.899] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="51") returned 2 [0132.899] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="B5") returned 2 [0132.899] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="BA") returned 2 [0132.899] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="2E") returned 2 [0132.899] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="A6") returned 2 [0132.899] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="B5") returned 2 [0132.899] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="32") returned 2 [0132.899] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="F6") returned 2 [0132.899] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="FE") returned 2 [0132.899] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="3D") returned 2 [0132.899] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="8A") returned 2 [0132.899] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="06") returned 2 [0132.899] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="90") returned 2 [0132.899] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="88") returned 2 [0132.899] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="33") returned 2 [0132.899] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="99") returned 2 [0132.899] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="83") returned 2 [0132.899] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="F5") returned 2 [0132.899] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="4A") returned 2 [0132.907] lstrcpyW (in: lpString1=0x54cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.MSMessageStore" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.MSMessageStore") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.MSMessageStore" [0132.907] lstrcpyW (in: lpString1=0x53cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.MSMessageStore" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.MSMessageStore") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.MSMessageStore" [0132.907] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.MSMessageStore", lpString2=".AC49C24FD9DE5BE39BE63441D351B5BA2EA6B532F6FE3D8A069088339983F54A" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.MSMessageStore.AC49C24FD9DE5BE39BE63441D351B5BA2EA6B532F6FE3D8A069088339983F54A") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.MSMessageStore.AC49C24FD9DE5BE39BE63441D351B5BA2EA6B532F6FE3D8A069088339983F54A" [0132.907] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0x94, CompletionKey=0x53caf0, NumberOfConcurrentThreads=0x0) returned 0x94 [0132.908] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x53caf0, lpOverlapped=0x53caf0) returned 1 [0132.908] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28e562a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28e562a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2fec56f, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0xfe2858df, dwReserved1=0xfe000000, cFileName="WindowsMail.pat", cAlternateFileName="WINDOW~1.PAT")) returned 1 [0132.908] lstrcmpiW (lpString1="WindowsMail.pat", lpString2="Windows") returned 1 [0132.908] lstrcmpiW (lpString1="WindowsMail.pat", lpString2="Program Files") returned 1 [0132.908] lstrcmpiW (lpString1="WindowsMail.pat", lpString2="Program Files (x86)") returned 1 [0132.908] lstrcmpiW (lpString1="WindowsMail.pat", lpString2="$Recycle.bin") returned 1 [0132.908] lstrcmpiW (lpString1="WindowsMail.pat", lpString2="System Volume Information") returned 1 [0132.908] lstrcmpiW (lpString1="WindowsMail.pat", lpString2=".") returned 1 [0132.908] lstrcmpiW (lpString1="WindowsMail.pat", lpString2="..") returned 1 [0132.908] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.pat") returned 97 [0132.908] lstrcmpW (lpString1="WindowsMail.pat", lpString2="PUSSY.TXT") returned 1 [0132.908] PathFindExtensionW (pszPath="WindowsMail.pat") returned=".pat" [0132.908] lstrlenW (lpString=".pat") returned 4 [0132.908] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0132.908] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.pat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\backup\\old\\windowsmail.pat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xec [0132.909] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=16384) returned 1 [0132.909] GetProcessHeap () returned 0x4c0000 [0132.909] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x564b40 [0132.991] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="01") returned 2 [0132.991] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="28") returned 2 [0132.991] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="AD") returned 2 [0132.991] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="F5") returned 2 [0132.991] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="22") returned 2 [0132.991] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="BE") returned 2 [0132.991] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="69") returned 2 [0132.991] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="12") returned 2 [0132.991] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="0F") returned 2 [0132.991] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="95") returned 2 [0132.991] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="14") returned 2 [0132.991] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="4E") returned 2 [0132.992] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="D9") returned 2 [0132.992] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="F2") returned 2 [0132.992] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="BC") returned 2 [0132.992] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="7C") returned 2 [0132.992] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="29") returned 2 [0132.992] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="E6") returned 2 [0132.992] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="CB") returned 2 [0132.992] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="1B") returned 2 [0132.992] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="33") returned 2 [0132.992] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="00") returned 2 [0132.992] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="CC") returned 2 [0132.992] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="D0") returned 2 [0132.992] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="60") returned 2 [0132.992] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="19") returned 2 [0132.992] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="09") returned 2 [0132.992] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="D5") returned 2 [0132.992] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="39") returned 2 [0132.992] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="DB") returned 2 [0132.992] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="11") returned 2 [0132.992] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="78") returned 2 [0133.000] lstrcpyW (in: lpString1=0x574b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.pat" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.pat") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.pat" [0133.000] lstrcpyW (in: lpString1=0x564b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.pat" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.pat") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.pat" [0133.000] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.pat", lpString2=".0128ADF522BE69120F95144ED9F2BC7C29E6CB1B3300CCD0601909D539DB1178" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.pat.0128ADF522BE69120F95144ED9F2BC7C29E6CB1B3300CCD0601909D539DB1178") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.pat.0128ADF522BE69120F95144ED9F2BC7C29E6CB1B3300CCD0601909D539DB1178" [0133.000] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x94, CompletionKey=0x564b40, NumberOfConcurrentThreads=0x0) returned 0x94 [0133.000] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x564b40, lpOverlapped=0x564b40) returned 1 [0133.001] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28e562a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28e562a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2fec56f, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0xfe2858df, dwReserved1=0xfe000000, cFileName="WindowsMail.pat", cAlternateFileName="WINDOW~1.PAT")) returned 0 [0133.001] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0133.001] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\PUSSY.TXT") returned 91 [0133.015] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\backup\\old\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0133.016] lstrlenA (lpString="abcd") returned 4 [0133.016] WriteFile (in: hFile=0x17c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0133.017] CloseHandle (hObject=0x17c) returned 1 [0133.017] GetProcessHeap () returned 0x4c0000 [0133.017] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0133.018] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f3aae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2f7a14e, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="old", cAlternateFileName="")) returned 0 [0133.018] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0133.018] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\PUSSY.TXT") returned 87 [0133.018] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\backup\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0133.018] lstrlenA (lpString="abcd") returned 4 [0133.018] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0133.019] CloseHandle (hObject=0x1d0) returned 1 [0133.019] GetProcessHeap () returned 0x4c0000 [0133.019] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0133.021] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28e562a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28e562a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2c881c40, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="edb.chk", cAlternateFileName="")) returned 1 [0133.021] lstrcmpiW (lpString1="edb.chk", lpString2="Windows") returned -1 [0133.021] lstrcmpiW (lpString1="edb.chk", lpString2="Program Files") returned -1 [0133.021] lstrcmpiW (lpString1="edb.chk", lpString2="Program Files (x86)") returned -1 [0133.021] lstrcmpiW (lpString1="edb.chk", lpString2="$Recycle.bin") returned 1 [0133.021] lstrcmpiW (lpString1="edb.chk", lpString2="System Volume Information") returned -1 [0133.021] lstrcmpiW (lpString1="edb.chk", lpString2=".") returned 1 [0133.021] lstrcmpiW (lpString1="edb.chk", lpString2="..") returned 1 [0133.021] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk") returned 78 [0133.022] lstrcmpW (lpString1="edb.chk", lpString2="PUSSY.TXT") returned -1 [0133.022] PathFindExtensionW (pszPath="edb.chk") returned=".chk" [0133.022] lstrlenW (lpString=".chk") returned 4 [0133.022] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0133.022] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\edb.chk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0133.022] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=8192) returned 1 [0133.022] GetProcessHeap () returned 0x4c0000 [0133.022] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc80e0 [0133.032] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="40") returned 2 [0133.032] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="9A") returned 2 [0133.032] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="A9") returned 2 [0133.032] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="4E") returned 2 [0133.032] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="33") returned 2 [0133.032] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="40") returned 2 [0133.032] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="0B") returned 2 [0133.033] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="29") returned 2 [0133.033] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="6F") returned 2 [0133.033] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="77") returned 2 [0133.033] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="0B") returned 2 [0133.033] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="49") returned 2 [0133.033] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="72") returned 2 [0133.033] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="93") returned 2 [0133.033] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="19") returned 2 [0133.033] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="0F") returned 2 [0133.033] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="DB") returned 2 [0133.033] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="1F") returned 2 [0133.033] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="D7") returned 2 [0133.033] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="79") returned 2 [0133.033] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="9D") returned 2 [0133.033] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="A3") returned 2 [0133.033] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="05") returned 2 [0133.033] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="72") returned 2 [0133.033] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="53") returned 2 [0133.033] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="F8") returned 2 [0133.033] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="29") returned 2 [0133.033] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="79") returned 2 [0133.033] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="4A") returned 2 [0133.033] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="83") returned 2 [0133.033] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="A7") returned 2 [0133.033] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="66") returned 2 [0133.046] lstrcpyW (in: lpString1=0x3bd8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk" [0133.046] lstrcpyW (in: lpString1=0x3bc8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk" [0133.046] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk", lpString2=".409AA94E33400B296F770B497293190FDB1FD7799DA3057253F829794A83A766" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk.409AA94E33400B296F770B497293190FDB1FD7799DA3057253F829794A83A766") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk.409AA94E33400B296F770B497293190FDB1FD7799DA3057253F829794A83A766" [0133.046] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x94, CompletionKey=0x3bc80e0, NumberOfConcurrentThreads=0x0) returned 0x94 [0133.046] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc80e0, lpOverlapped=0x3bc80e0) returned 1 [0133.074] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28e30140, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28e30140, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2c881c40, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x200000, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="edb.log", cAlternateFileName="")) returned 1 [0133.075] lstrcmpiW (lpString1="edb.log", lpString2="Windows") returned -1 [0133.075] lstrcmpiW (lpString1="edb.log", lpString2="Program Files") returned -1 [0133.075] lstrcmpiW (lpString1="edb.log", lpString2="Program Files (x86)") returned -1 [0133.075] lstrcmpiW (lpString1="edb.log", lpString2="$Recycle.bin") returned 1 [0133.075] lstrcmpiW (lpString1="edb.log", lpString2="System Volume Information") returned -1 [0133.075] lstrcmpiW (lpString1="edb.log", lpString2=".") returned 1 [0133.075] lstrcmpiW (lpString1="edb.log", lpString2="..") returned 1 [0133.075] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log") returned 78 [0133.076] lstrcmpW (lpString1="edb.log", lpString2="PUSSY.TXT") returned -1 [0133.076] PathFindExtensionW (pszPath="edb.log") returned=".log" [0133.076] lstrlenW (lpString=".log") returned 4 [0133.076] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0133.076] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\edb.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0133.077] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=2097152) returned 1 [0133.077] GetProcessHeap () returned 0x4c0000 [0133.077] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc80e0 [0133.087] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="28") returned 2 [0133.087] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="F7") returned 2 [0133.087] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="A0") returned 2 [0133.087] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="C2") returned 2 [0133.087] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="7E") returned 2 [0133.087] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="95") returned 2 [0133.087] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="38") returned 2 [0133.087] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="65") returned 2 [0133.087] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="1E") returned 2 [0133.087] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="3F") returned 2 [0133.087] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="A7") returned 2 [0133.087] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="B8") returned 2 [0133.087] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="55") returned 2 [0133.087] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="F4") returned 2 [0133.087] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="A2") returned 2 [0133.087] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="EC") returned 2 [0133.087] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="19") returned 2 [0133.087] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="7D") returned 2 [0133.087] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="3F") returned 2 [0133.087] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="A7") returned 2 [0133.087] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="E2") returned 2 [0133.087] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="54") returned 2 [0133.087] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="77") returned 2 [0133.087] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="26") returned 2 [0133.087] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="31") returned 2 [0133.087] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="C3") returned 2 [0133.088] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="45") returned 2 [0133.088] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="3F") returned 2 [0133.088] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="01") returned 2 [0133.088] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="25") returned 2 [0133.088] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="DE") returned 2 [0133.088] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="4C") returned 2 [0133.099] lstrcpyW (in: lpString1=0x3bd8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log" [0133.099] lstrcpyW (in: lpString1=0x3bc8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log" [0133.099] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log", lpString2=".28F7A0C27E9538651E3FA7B855F4A2EC197D3FA7E254772631C3453F0125DE4C" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log.28F7A0C27E9538651E3FA7B855F4A2EC197D3FA7E254772631C3453F0125DE4C") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log.28F7A0C27E9538651E3FA7B855F4A2EC197D3FA7E254772631C3453F0125DE4C" [0133.099] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x94, CompletionKey=0x3bc80e0, NumberOfConcurrentThreads=0x0) returned 0x94 [0133.099] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc80e0, lpOverlapped=0x3bc80e0) returned 1 [0133.099] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28e30140, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28e30140, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2b29966, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x200000, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="edb00001.log", cAlternateFileName="")) returned 1 [0133.099] lstrcmpiW (lpString1="edb00001.log", lpString2="Windows") returned -1 [0133.099] lstrcmpiW (lpString1="edb00001.log", lpString2="Program Files") returned -1 [0133.100] lstrcmpiW (lpString1="edb00001.log", lpString2="Program Files (x86)") returned -1 [0133.150] lstrcmpiW (lpString1="edb00001.log", lpString2="$Recycle.bin") returned 1 [0133.150] lstrcmpiW (lpString1="edb00001.log", lpString2="System Volume Information") returned -1 [0133.150] lstrcmpiW (lpString1="edb00001.log", lpString2=".") returned 1 [0133.150] lstrcmpiW (lpString1="edb00001.log", lpString2="..") returned 1 [0133.150] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log") returned 83 [0133.150] lstrcmpW (lpString1="edb00001.log", lpString2="PUSSY.TXT") returned -1 [0133.150] PathFindExtensionW (pszPath="edb00001.log") returned=".log" [0133.150] lstrlenW (lpString=".log") returned 4 [0133.150] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0133.150] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\edb00001.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0133.151] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=2097152) returned 1 [0133.151] GetProcessHeap () returned 0x4c0000 [0133.151] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0133.163] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="97") returned 2 [0133.163] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="FA") returned 2 [0133.163] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="55") returned 2 [0133.163] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="8E") returned 2 [0133.163] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="E4") returned 2 [0133.163] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="4D") returned 2 [0133.163] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="9F") returned 2 [0133.163] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="16") returned 2 [0133.163] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="16") returned 2 [0133.163] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="97") returned 2 [0133.163] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="0F") returned 2 [0133.163] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="01") returned 2 [0133.164] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="EE") returned 2 [0133.164] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="83") returned 2 [0133.164] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="3F") returned 2 [0133.164] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="96") returned 2 [0133.164] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="A3") returned 2 [0133.164] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="93") returned 2 [0133.164] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="93") returned 2 [0133.164] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="C8") returned 2 [0133.164] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="24") returned 2 [0133.164] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="FD") returned 2 [0133.164] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="61") returned 2 [0133.164] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="1C") returned 2 [0133.164] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="9F") returned 2 [0133.164] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="99") returned 2 [0133.164] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="E1") returned 2 [0133.164] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="ED") returned 2 [0133.164] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="3F") returned 2 [0133.164] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="70") returned 2 [0133.164] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="E6") returned 2 [0133.164] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="43") returned 2 [0133.174] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log" [0133.174] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log" [0133.174] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log", lpString2=".97FA558EE44D9F1616970F01EE833F96A39393C824FD611C9F99E1ED3F70E643" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log.97FA558EE44D9F1616970F01EE833F96A39393C824FD611C9F99E1ED3F70E643") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log.97FA558EE44D9F1616970F01EE833F96A39393C824FD611C9F99E1ED3F70E643" [0133.174] CreateIoCompletionPort (FileHandle=0x17c, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0133.174] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0133.212] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28e30140, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28e30140, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2027392, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x200000, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="edbres00001.jrs", cAlternateFileName="EDBRES~2.JRS")) returned 1 [0133.212] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="Windows") returned -1 [0133.212] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="Program Files") returned -1 [0133.212] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="Program Files (x86)") returned -1 [0133.212] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="$Recycle.bin") returned 1 [0133.212] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="System Volume Information") returned -1 [0133.212] lstrcmpiW (lpString1="edbres00001.jrs", lpString2=".") returned 1 [0133.212] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="..") returned 1 [0133.212] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs") returned 86 [0133.212] lstrcmpW (lpString1="edbres00001.jrs", lpString2="PUSSY.TXT") returned -1 [0133.212] PathFindExtensionW (pszPath="edbres00001.jrs") returned=".jrs" [0133.212] lstrlenW (lpString=".jrs") returned 4 [0133.212] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0133.212] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\edbres00001.jrs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0133.213] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=2097152) returned 1 [0133.213] GetProcessHeap () returned 0x4c0000 [0133.213] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c28098 [0133.227] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="69") returned 2 [0133.227] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="26") returned 2 [0133.227] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="7C") returned 2 [0133.227] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="6D") returned 2 [0133.227] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="BC") returned 2 [0133.227] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="FE") returned 2 [0133.227] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="9E") returned 2 [0133.227] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="24") returned 2 [0133.227] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="B6") returned 2 [0133.227] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="51") returned 2 [0133.227] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="06") returned 2 [0133.228] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="50") returned 2 [0133.228] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="6C") returned 2 [0133.228] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="88") returned 2 [0133.228] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="CA") returned 2 [0133.228] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="C1") returned 2 [0133.228] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="B2") returned 2 [0133.228] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="5E") returned 2 [0133.228] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="A5") returned 2 [0133.228] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="46") returned 2 [0133.228] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="00") returned 2 [0133.228] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="B7") returned 2 [0133.228] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="7B") returned 2 [0133.228] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="12") returned 2 [0133.228] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="DF") returned 2 [0133.228] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="AB") returned 2 [0133.228] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="79") returned 2 [0133.228] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="13") returned 2 [0133.228] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="45") returned 2 [0133.228] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="85") returned 2 [0133.228] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="37") returned 2 [0133.228] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="52") returned 2 [0133.241] lstrcpyW (in: lpString1=0x3c380cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs" [0133.241] lstrcpyW (in: lpString1=0x3c280cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs" [0133.241] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs", lpString2=".69267C6DBCFE9E24B65106506C88CAC1B25EA54600B77B12DFAB791345853752" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs.69267C6DBCFE9E24B65106506C88CAC1B25EA54600B77B12DFAB791345853752") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs.69267C6DBCFE9E24B65106506C88CAC1B25EA54600B77B12DFAB791345853752" [0133.241] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x3c28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0133.241] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c28098, lpOverlapped=0x3c28098) returned 1 [0133.242] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28e09fe0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28e09fe0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2216575, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x200000, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="edbres00002.jrs", cAlternateFileName="EDBRES~1.JRS")) returned 1 [0133.242] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="Windows") returned -1 [0133.242] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="Program Files") returned -1 [0133.242] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="Program Files (x86)") returned -1 [0133.242] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="$Recycle.bin") returned 1 [0133.242] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="System Volume Information") returned -1 [0133.242] lstrcmpiW (lpString1="edbres00002.jrs", lpString2=".") returned 1 [0133.242] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="..") returned 1 [0133.242] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs") returned 86 [0133.242] lstrcmpW (lpString1="edbres00002.jrs", lpString2="PUSSY.TXT") returned -1 [0133.242] PathFindExtensionW (pszPath="edbres00002.jrs") returned=".jrs" [0133.288] lstrlenW (lpString=".jrs") returned 4 [0133.288] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0133.288] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\edbres00002.jrs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x174 [0133.289] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=2097152) returned 1 [0133.289] GetProcessHeap () returned 0x4c0000 [0133.290] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b380a0 [0133.306] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="96") returned 2 [0133.306] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="C7") returned 2 [0133.306] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="34") returned 2 [0133.306] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="6E") returned 2 [0133.306] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="A7") returned 2 [0133.306] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="19") returned 2 [0133.306] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="77") returned 2 [0133.306] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="8F") returned 2 [0133.306] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="EE") returned 2 [0133.306] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="15") returned 2 [0133.306] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="27") returned 2 [0133.306] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="F6") returned 2 [0133.307] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="7F") returned 2 [0133.307] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="2A") returned 2 [0133.307] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="DB") returned 2 [0133.307] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="7E") returned 2 [0133.307] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="AF") returned 2 [0133.307] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="E8") returned 2 [0133.307] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="9F") returned 2 [0133.307] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="0E") returned 2 [0133.307] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="00") returned 2 [0133.307] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="CF") returned 2 [0133.307] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="29") returned 2 [0133.307] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="B1") returned 2 [0133.307] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="10") returned 2 [0133.307] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="C9") returned 2 [0133.307] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="3B") returned 2 [0133.307] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="2C") returned 2 [0133.307] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="EA") returned 2 [0133.307] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="7A") returned 2 [0133.307] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="E5") returned 2 [0133.307] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="37") returned 2 [0133.320] lstrcpyW (in: lpString1=0x3b480d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs" [0133.320] lstrcpyW (in: lpString1=0x3b380d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs" [0133.320] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs", lpString2=".96C7346EA719778FEE1527F67F2ADB7EAFE89F0E00CF29B110C93B2CEA7AE537" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs.96C7346EA719778FEE1527F67F2ADB7EAFE89F0E00CF29B110C93B2CEA7AE537") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs.96C7346EA719778FEE1527F67F2ADB7EAFE89F0E00CF29B110C93B2CEA7AE537" [0133.320] CreateIoCompletionPort (FileHandle=0x174, ExistingCompletionPort=0x94, CompletionKey=0x3b380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0133.320] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b380a0, lpOverlapped=0x3b380a0) returned 1 [0133.320] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28e09fe0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28e09fe0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf67dcad6, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x104, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="oeold.xml", cAlternateFileName="")) returned 1 [0133.320] lstrcmpiW (lpString1="oeold.xml", lpString2="Windows") returned -1 [0133.320] lstrcmpiW (lpString1="oeold.xml", lpString2="Program Files") returned -1 [0133.320] lstrcmpiW (lpString1="oeold.xml", lpString2="Program Files (x86)") returned -1 [0133.320] lstrcmpiW (lpString1="oeold.xml", lpString2="$Recycle.bin") returned 1 [0133.320] lstrcmpiW (lpString1="oeold.xml", lpString2="System Volume Information") returned -1 [0133.320] lstrcmpiW (lpString1="oeold.xml", lpString2=".") returned 1 [0133.321] lstrcmpiW (lpString1="oeold.xml", lpString2="..") returned 1 [0133.321] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\oeold.xml") returned 80 [0133.321] lstrcmpW (lpString1="oeold.xml", lpString2="PUSSY.TXT") returned -1 [0133.321] PathFindExtensionW (pszPath="oeold.xml") returned=".xml" [0133.321] lstrlenW (lpString=".xml") returned 4 [0133.321] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0133.321] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\oeold.xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\oeold.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a8 [0133.322] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=260) returned 1 [0133.322] CloseHandle (hObject=0x1a8) returned 1 [0133.322] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f3aae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf690d5d8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="Stationery", cAlternateFileName="STATIO~1")) returned 1 [0133.322] lstrcmpiW (lpString1="Stationery", lpString2="Windows") returned -1 [0133.322] lstrcmpiW (lpString1="Stationery", lpString2="Program Files") returned 1 [0133.322] lstrcmpiW (lpString1="Stationery", lpString2="Program Files (x86)") returned 1 [0133.322] lstrcmpiW (lpString1="Stationery", lpString2="$Recycle.bin") returned 1 [0133.322] lstrcmpiW (lpString1="Stationery", lpString2="System Volume Information") returned -1 [0133.322] lstrcmpiW (lpString1="Stationery", lpString2=".") returned 1 [0133.322] lstrcmpiW (lpString1="Stationery", lpString2="..") returned 1 [0133.322] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery") returned 81 [0133.322] GetProcessHeap () returned 0x4c0000 [0133.323] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0133.323] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery" [0133.324] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\*" [0133.324] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f3aae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf690d5d8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0133.372] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0133.372] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0133.372] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0133.372] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0133.372] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0133.372] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0133.372] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f3aae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf690d5d8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0133.372] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0133.372] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0133.373] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0133.373] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0133.373] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0133.373] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0133.373] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0133.373] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28e09fe0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28e09fe0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xcdfff30e, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xff, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Bears.htm", cAlternateFileName="")) returned 1 [0133.373] lstrcmpiW (lpString1="Bears.htm", lpString2="Windows") returned -1 [0133.373] lstrcmpiW (lpString1="Bears.htm", lpString2="Program Files") returned -1 [0133.373] lstrcmpiW (lpString1="Bears.htm", lpString2="Program Files (x86)") returned -1 [0133.373] lstrcmpiW (lpString1="Bears.htm", lpString2="$Recycle.bin") returned 1 [0133.373] lstrcmpiW (lpString1="Bears.htm", lpString2="System Volume Information") returned -1 [0133.373] lstrcmpiW (lpString1="Bears.htm", lpString2=".") returned 1 [0133.373] lstrcmpiW (lpString1="Bears.htm", lpString2="..") returned 1 [0133.373] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.htm") returned 91 [0133.373] lstrcmpW (lpString1="Bears.htm", lpString2="PUSSY.TXT") returned -1 [0133.373] PathFindExtensionW (pszPath="Bears.htm") returned=".htm" [0133.373] lstrlenW (lpString=".htm") returned 4 [0133.373] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0133.373] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\bears.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0133.374] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=255) returned 1 [0133.375] CloseHandle (hObject=0x178) returned 1 [0133.375] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28e09fe0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28e09fe0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xaa352261, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x432, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Bears.jpg", cAlternateFileName="")) returned 1 [0133.375] lstrcmpiW (lpString1="Bears.jpg", lpString2="Windows") returned -1 [0133.375] lstrcmpiW (lpString1="Bears.jpg", lpString2="Program Files") returned -1 [0133.375] lstrcmpiW (lpString1="Bears.jpg", lpString2="Program Files (x86)") returned -1 [0133.375] lstrcmpiW (lpString1="Bears.jpg", lpString2="$Recycle.bin") returned 1 [0133.375] lstrcmpiW (lpString1="Bears.jpg", lpString2="System Volume Information") returned -1 [0133.375] lstrcmpiW (lpString1="Bears.jpg", lpString2=".") returned 1 [0133.375] lstrcmpiW (lpString1="Bears.jpg", lpString2="..") returned 1 [0133.375] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg") returned 91 [0133.375] lstrcmpW (lpString1="Bears.jpg", lpString2="PUSSY.TXT") returned -1 [0133.375] PathFindExtensionW (pszPath="Bears.jpg") returned=".jpg" [0133.375] lstrlenW (lpString=".jpg") returned 4 [0133.375] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0133.375] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\bears.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0133.377] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=1074) returned 1 [0133.377] GetProcessHeap () returned 0x4c0000 [0133.377] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b600f0 [0133.391] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="B7") returned 2 [0133.391] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="EA") returned 2 [0133.391] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="CA") returned 2 [0133.391] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="71") returned 2 [0133.391] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="C7") returned 2 [0133.391] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="86") returned 2 [0133.392] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="57") returned 2 [0133.392] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="49") returned 2 [0133.392] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="DA") returned 2 [0133.392] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="6E") returned 2 [0133.392] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="9A") returned 2 [0133.392] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="74") returned 2 [0133.392] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="42") returned 2 [0133.392] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="F0") returned 2 [0133.392] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="7A") returned 2 [0133.392] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="F6") returned 2 [0133.392] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="8B") returned 2 [0133.392] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="75") returned 2 [0133.392] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="86") returned 2 [0133.392] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="93") returned 2 [0133.392] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="D9") returned 2 [0133.392] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="D9") returned 2 [0133.392] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="D4") returned 2 [0133.392] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="8A") returned 2 [0133.392] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="4A") returned 2 [0133.392] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="CB") returned 2 [0133.392] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="80") returned 2 [0133.392] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="36") returned 2 [0133.392] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="7B") returned 2 [0133.392] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="D1") returned 2 [0133.392] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="43") returned 2 [0133.393] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="70") returned 2 [0133.405] lstrcpyW (in: lpString1=0x3b70124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg" [0133.405] lstrcpyW (in: lpString1=0x3b60124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg" [0133.405] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg", lpString2=".B7EACA71C7865749DA6E9A7442F07AF68B758693D9D9D48A4ACB80367BD14370" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg.B7EACA71C7865749DA6E9A7442F07AF68B758693D9D9D48A4ACB80367BD14370") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg.B7EACA71C7865749DA6E9A7442F07AF68B758693D9D9D48A4ACB80367BD14370" [0133.405] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x3b600f0, NumberOfConcurrentThreads=0x0) returned 0x94 [0133.405] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b600f0, lpOverlapped=0x3b600f0) returned 1 [0133.405] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x28e09fe0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28e09fe0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x7bf1d2d9, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x285, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Desktop.ini", cAlternateFileName="")) returned 1 [0133.405] lstrcmpiW (lpString1="Desktop.ini", lpString2="Windows") returned -1 [0133.405] lstrcmpiW (lpString1="Desktop.ini", lpString2="Program Files") returned -1 [0133.405] lstrcmpiW (lpString1="Desktop.ini", lpString2="Program Files (x86)") returned -1 [0133.405] lstrcmpiW (lpString1="Desktop.ini", lpString2="$Recycle.bin") returned 1 [0133.405] lstrcmpiW (lpString1="Desktop.ini", lpString2="System Volume Information") returned -1 [0133.405] lstrcmpiW (lpString1="Desktop.ini", lpString2=".") returned 1 [0133.405] lstrcmpiW (lpString1="Desktop.ini", lpString2="..") returned 1 [0133.405] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini") returned 93 [0133.405] lstrcmpW (lpString1="Desktop.ini", lpString2="PUSSY.TXT") returned -1 [0133.405] PathFindExtensionW (pszPath="Desktop.ini") returned=".ini" [0133.405] lstrlenW (lpString=".ini") returned 4 [0133.405] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0133.406] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d4 [0133.407] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=645) returned 1 [0133.407] GetProcessHeap () returned 0x4c0000 [0133.407] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b88140 [0133.491] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="50") returned 2 [0133.491] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="F0") returned 2 [0133.491] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="F2") returned 2 [0133.491] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="B3") returned 2 [0133.491] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="0D") returned 2 [0133.491] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="C6") returned 2 [0133.491] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="66") returned 2 [0133.491] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="D2") returned 2 [0133.491] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="86") returned 2 [0133.491] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="0E") returned 2 [0133.491] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="C7") returned 2 [0133.491] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="C1") returned 2 [0133.491] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="31") returned 2 [0133.491] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="4A") returned 2 [0133.491] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="24") returned 2 [0133.491] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="B8") returned 2 [0133.491] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="09") returned 2 [0133.491] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="03") returned 2 [0133.491] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="D0") returned 2 [0133.491] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="E4") returned 2 [0133.491] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="70") returned 2 [0133.491] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="46") returned 2 [0133.491] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="C0") returned 2 [0133.491] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="41") returned 2 [0133.491] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="12") returned 2 [0133.491] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="2F") returned 2 [0133.492] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="33") returned 2 [0133.492] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="43") returned 2 [0133.492] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="9F") returned 2 [0133.492] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="FB") returned 2 [0133.492] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="C9") returned 2 [0133.492] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="67") returned 2 [0133.500] lstrcpyW (in: lpString1=0x3b98174, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini" [0133.500] lstrcpyW (in: lpString1=0x3b88174, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini" [0133.500] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini", lpString2=".50F0F2B30DC666D2860EC7C1314A24B80903D0E47046C041122F33439FFBC967" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini.50F0F2B30DC666D2860EC7C1314A24B80903D0E47046C041122F33439FFBC967") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini.50F0F2B30DC666D2860EC7C1314A24B80903D0E47046C041122F33439FFBC967" [0133.501] CreateIoCompletionPort (FileHandle=0x1d4, ExistingCompletionPort=0x94, CompletionKey=0x3b88140, NumberOfConcurrentThreads=0x0) returned 0x94 [0133.501] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b88140, lpOverlapped=0x3b88140) returned 1 [0133.506] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28e09fe0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28e09fe0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xce04b5c8, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xe7, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Garden.htm", cAlternateFileName="")) returned 1 [0133.506] lstrcmpiW (lpString1="Garden.htm", lpString2="Windows") returned -1 [0133.506] lstrcmpiW (lpString1="Garden.htm", lpString2="Program Files") returned -1 [0133.506] lstrcmpiW (lpString1="Garden.htm", lpString2="Program Files (x86)") returned -1 [0133.509] lstrcmpiW (lpString1="Garden.htm", lpString2="$Recycle.bin") returned 1 [0133.509] lstrcmpiW (lpString1="Garden.htm", lpString2="System Volume Information") returned -1 [0133.509] lstrcmpiW (lpString1="Garden.htm", lpString2=".") returned 1 [0133.509] lstrcmpiW (lpString1="Garden.htm", lpString2="..") returned 1 [0133.509] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.htm") returned 92 [0133.509] lstrcmpW (lpString1="Garden.htm", lpString2="PUSSY.TXT") returned -1 [0133.509] PathFindExtensionW (pszPath="Garden.htm") returned=".htm" [0133.509] lstrlenW (lpString=".htm") returned 4 [0133.509] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0133.509] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\garden.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d4 [0133.510] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=231) returned 1 [0133.510] CloseHandle (hObject=0x1d4) returned 1 [0133.510] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28e09fe0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28e09fe0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xaa410937, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x5d3f, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Garden.jpg", cAlternateFileName="")) returned 1 [0133.510] lstrcmpiW (lpString1="Garden.jpg", lpString2="Windows") returned -1 [0133.510] lstrcmpiW (lpString1="Garden.jpg", lpString2="Program Files") returned -1 [0133.510] lstrcmpiW (lpString1="Garden.jpg", lpString2="Program Files (x86)") returned -1 [0133.510] lstrcmpiW (lpString1="Garden.jpg", lpString2="$Recycle.bin") returned 1 [0133.510] lstrcmpiW (lpString1="Garden.jpg", lpString2="System Volume Information") returned -1 [0133.510] lstrcmpiW (lpString1="Garden.jpg", lpString2=".") returned 1 [0133.510] lstrcmpiW (lpString1="Garden.jpg", lpString2="..") returned 1 [0133.511] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg") returned 92 [0133.511] lstrcmpW (lpString1="Garden.jpg", lpString2="PUSSY.TXT") returned -1 [0133.511] PathFindExtensionW (pszPath="Garden.jpg") returned=".jpg" [0133.511] lstrlenW (lpString=".jpg") returned 4 [0133.511] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0133.511] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\garden.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d4 [0133.511] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=23871) returned 1 [0133.511] GetProcessHeap () returned 0x4c0000 [0133.511] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc80e0 [0133.524] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="2F") returned 2 [0133.524] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="AA") returned 2 [0133.524] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="69") returned 2 [0133.524] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="4B") returned 2 [0133.524] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="BB") returned 2 [0133.524] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="A1") returned 2 [0133.524] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="85") returned 2 [0133.524] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="57") returned 2 [0133.524] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="E1") returned 2 [0133.524] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="08") returned 2 [0133.524] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="C6") returned 2 [0133.524] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="EB") returned 2 [0133.524] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="57") returned 2 [0133.524] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="AA") returned 2 [0133.524] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="22") returned 2 [0133.524] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="A8") returned 2 [0133.524] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="81") returned 2 [0133.524] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="87") returned 2 [0133.524] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="BC") returned 2 [0133.524] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="13") returned 2 [0133.524] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="7C") returned 2 [0133.524] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="27") returned 2 [0133.524] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="72") returned 2 [0133.524] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="D5") returned 2 [0133.524] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="24") returned 2 [0133.524] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="CE") returned 2 [0133.524] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="DA") returned 2 [0133.524] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="F8") returned 2 [0133.525] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="4C") returned 2 [0133.525] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="C8") returned 2 [0133.525] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="54") returned 2 [0133.525] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="4C") returned 2 [0133.534] lstrcpyW (in: lpString1=0x3bd8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg" [0133.534] lstrcpyW (in: lpString1=0x3bc8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg" [0133.534] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg", lpString2=".2FAA694BBBA18557E108C6EB57AA22A88187BC137C2772D524CEDAF84CC8544C" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg.2FAA694BBBA18557E108C6EB57AA22A88187BC137C2772D524CEDAF84CC8544C") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg.2FAA694BBBA18557E108C6EB57AA22A88187BC137C2772D524CEDAF84CC8544C" [0133.534] CreateIoCompletionPort (FileHandle=0x1d4, ExistingCompletionPort=0x94, CompletionKey=0x3bc80e0, NumberOfConcurrentThreads=0x0) returned 0x94 [0133.534] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc80e0, lpOverlapped=0x3bc80e0) returned 1 [0133.535] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28e09fe0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28e09fe0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xce071725, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xed, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Green Bubbles.htm", cAlternateFileName="GREENB~1.HTM")) returned 1 [0133.535] lstrcmpiW (lpString1="Green Bubbles.htm", lpString2="Windows") returned -1 [0133.535] lstrcmpiW (lpString1="Green Bubbles.htm", lpString2="Program Files") returned -1 [0133.535] lstrcmpiW (lpString1="Green Bubbles.htm", lpString2="Program Files (x86)") returned -1 [0133.535] lstrcmpiW (lpString1="Green Bubbles.htm", lpString2="$Recycle.bin") returned 1 [0133.535] lstrcmpiW (lpString1="Green Bubbles.htm", lpString2="System Volume Information") returned -1 [0133.535] lstrcmpiW (lpString1="Green Bubbles.htm", lpString2=".") returned 1 [0133.535] lstrcmpiW (lpString1="Green Bubbles.htm", lpString2="..") returned 1 [0133.535] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Green Bubbles.htm") returned 99 [0133.535] lstrcmpW (lpString1="Green Bubbles.htm", lpString2="PUSSY.TXT") returned -1 [0133.535] PathFindExtensionW (pszPath="Green Bubbles.htm") returned=".htm" [0133.535] lstrlenW (lpString=".htm") returned 4 [0133.536] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0133.536] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Green Bubbles.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\green bubbles.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0133.537] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=237) returned 1 [0133.537] CloseHandle (hObject=0x184) returned 1 [0133.537] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28e09fe0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28e09fe0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xaa436a95, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1906, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="GreenBubbles.jpg", cAlternateFileName="GREENB~1.JPG")) returned 1 [0133.537] lstrcmpiW (lpString1="GreenBubbles.jpg", lpString2="Windows") returned -1 [0133.537] lstrcmpiW (lpString1="GreenBubbles.jpg", lpString2="Program Files") returned -1 [0133.537] lstrcmpiW (lpString1="GreenBubbles.jpg", lpString2="Program Files (x86)") returned -1 [0133.537] lstrcmpiW (lpString1="GreenBubbles.jpg", lpString2="$Recycle.bin") returned 1 [0133.537] lstrcmpiW (lpString1="GreenBubbles.jpg", lpString2="System Volume Information") returned -1 [0133.537] lstrcmpiW (lpString1="GreenBubbles.jpg", lpString2=".") returned 1 [0133.537] lstrcmpiW (lpString1="GreenBubbles.jpg", lpString2="..") returned 1 [0133.537] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg") returned 98 [0133.537] lstrcmpW (lpString1="GreenBubbles.jpg", lpString2="PUSSY.TXT") returned -1 [0133.537] PathFindExtensionW (pszPath="GreenBubbles.jpg") returned=".jpg" [0133.537] lstrlenW (lpString=".jpg") returned 4 [0133.537] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0133.537] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\greenbubbles.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0133.538] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=6406) returned 1 [0133.538] GetProcessHeap () returned 0x4c0000 [0133.538] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0133.575] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="47") returned 2 [0133.575] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="33") returned 2 [0133.575] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="9D") returned 2 [0133.575] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="A2") returned 2 [0133.575] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="39") returned 2 [0133.575] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="62") returned 2 [0133.575] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="04") returned 2 [0133.575] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="4B") returned 2 [0133.575] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="75") returned 2 [0133.575] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="FE") returned 2 [0133.575] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="12") returned 2 [0133.575] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="95") returned 2 [0133.575] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="CA") returned 2 [0133.575] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="39") returned 2 [0133.575] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="53") returned 2 [0133.575] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="E0") returned 2 [0133.575] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="68") returned 2 [0133.575] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="40") returned 2 [0133.575] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="3D") returned 2 [0133.575] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="D7") returned 2 [0133.575] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="D4") returned 2 [0133.575] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="5C") returned 2 [0133.575] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="E1") returned 2 [0133.575] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="2F") returned 2 [0133.576] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="48") returned 2 [0133.576] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="56") returned 2 [0133.576] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="99") returned 2 [0133.576] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="60") returned 2 [0133.576] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="10") returned 2 [0133.576] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="59") returned 2 [0133.576] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="4B") returned 2 [0133.576] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="38") returned 2 [0133.585] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg" [0133.585] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg" [0133.585] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg", lpString2=".47339DA23962044B75FE1295CA3953E068403DD7D45CE12F4856996010594B38" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg.47339DA23962044B75FE1295CA3953E068403DD7D45CE12F4856996010594B38") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg.47339DA23962044B75FE1295CA3953E068403DD7D45CE12F4856996010594B38" [0133.585] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0133.585] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0133.586] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28e09fe0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28e09fe0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xce0bd9df, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xeb, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Hand Prints.htm", cAlternateFileName="HANDPR~1.HTM")) returned 1 [0133.586] lstrcmpiW (lpString1="Hand Prints.htm", lpString2="Windows") returned -1 [0133.586] lstrcmpiW (lpString1="Hand Prints.htm", lpString2="Program Files") returned -1 [0133.586] lstrcmpiW (lpString1="Hand Prints.htm", lpString2="Program Files (x86)") returned -1 [0133.586] lstrcmpiW (lpString1="Hand Prints.htm", lpString2="$Recycle.bin") returned 1 [0133.586] lstrcmpiW (lpString1="Hand Prints.htm", lpString2="System Volume Information") returned -1 [0133.586] lstrcmpiW (lpString1="Hand Prints.htm", lpString2=".") returned 1 [0133.586] lstrcmpiW (lpString1="Hand Prints.htm", lpString2="..") returned 1 [0133.586] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Hand Prints.htm") returned 97 [0133.586] lstrcmpW (lpString1="Hand Prints.htm", lpString2="PUSSY.TXT") returned -1 [0133.587] PathFindExtensionW (pszPath="Hand Prints.htm") returned=".htm" [0133.587] lstrlenW (lpString=".htm") returned 4 [0133.587] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0133.587] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Hand Prints.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\hand prints.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0133.595] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=235) returned 1 [0133.595] CloseHandle (hObject=0x1d0) returned 1 [0133.595] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28e09fe0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28e09fe0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xaa45cbf3, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x107e, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="HandPrints.jpg", cAlternateFileName="HANDPR~1.JPG")) returned 1 [0133.606] lstrcmpiW (lpString1="HandPrints.jpg", lpString2="Windows") returned -1 [0133.606] lstrcmpiW (lpString1="HandPrints.jpg", lpString2="Program Files") returned -1 [0133.606] lstrcmpiW (lpString1="HandPrints.jpg", lpString2="Program Files (x86)") returned -1 [0133.606] lstrcmpiW (lpString1="HandPrints.jpg", lpString2="$Recycle.bin") returned 1 [0133.606] lstrcmpiW (lpString1="HandPrints.jpg", lpString2="System Volume Information") returned -1 [0133.606] lstrcmpiW (lpString1="HandPrints.jpg", lpString2=".") returned 1 [0133.607] lstrcmpiW (lpString1="HandPrints.jpg", lpString2="..") returned 1 [0133.607] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg") returned 96 [0133.607] lstrcmpW (lpString1="HandPrints.jpg", lpString2="PUSSY.TXT") returned -1 [0133.607] PathFindExtensionW (pszPath="HandPrints.jpg") returned=".jpg" [0133.607] lstrlenW (lpString=".jpg") returned 4 [0133.607] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0133.607] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\handprints.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0133.608] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=4222) returned 1 [0133.608] GetProcessHeap () returned 0x4c0000 [0133.608] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0133.621] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="68") returned 2 [0133.621] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="6E") returned 2 [0133.621] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="52") returned 2 [0133.621] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="F6") returned 2 [0133.621] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="C6") returned 2 [0133.621] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="F7") returned 2 [0133.621] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="62") returned 2 [0133.621] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="40") returned 2 [0133.621] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="C8") returned 2 [0133.621] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="22") returned 2 [0133.621] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="53") returned 2 [0133.621] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="F8") returned 2 [0133.621] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="55") returned 2 [0133.621] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="A5") returned 2 [0133.621] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="0B") returned 2 [0133.622] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="CD") returned 2 [0133.622] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="D8") returned 2 [0133.622] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="D4") returned 2 [0133.622] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="81") returned 2 [0133.622] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="FD") returned 2 [0133.622] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="CC") returned 2 [0133.622] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="AB") returned 2 [0133.622] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="BB") returned 2 [0133.622] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="27") returned 2 [0133.622] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="E3") returned 2 [0133.622] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="74") returned 2 [0133.622] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="97") returned 2 [0133.622] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="D0") returned 2 [0133.622] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="F6") returned 2 [0133.622] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="10") returned 2 [0133.622] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="11") returned 2 [0133.622] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="7A") returned 2 [0133.635] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg" [0133.635] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg" [0133.635] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg", lpString2=".686E52F6C6F76240C82253F855A50BCDD8D481FDCCABBB27E37497D0F610117A" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg.686E52F6C6F76240C82253F855A50BCDD8D481FDCCABBB27E37497D0F610117A") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg.686E52F6C6F76240C82253F855A50BCDD8D481FDCCABBB27E37497D0F610117A" [0133.635] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0133.635] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0133.659] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28e09fe0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28e09fe0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xce0e3b3c, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xed, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Orange Circles.htm", cAlternateFileName="ORANGE~1.HTM")) returned 1 [0133.659] lstrcmpiW (lpString1="Orange Circles.htm", lpString2="Windows") returned -1 [0133.659] lstrcmpiW (lpString1="Orange Circles.htm", lpString2="Program Files") returned -1 [0133.659] lstrcmpiW (lpString1="Orange Circles.htm", lpString2="Program Files (x86)") returned -1 [0133.659] lstrcmpiW (lpString1="Orange Circles.htm", lpString2="$Recycle.bin") returned 1 [0133.659] lstrcmpiW (lpString1="Orange Circles.htm", lpString2="System Volume Information") returned -1 [0133.659] lstrcmpiW (lpString1="Orange Circles.htm", lpString2=".") returned 1 [0133.659] lstrcmpiW (lpString1="Orange Circles.htm", lpString2="..") returned 1 [0133.659] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Orange Circles.htm") returned 100 [0133.659] lstrcmpW (lpString1="Orange Circles.htm", lpString2="PUSSY.TXT") returned -1 [0133.659] PathFindExtensionW (pszPath="Orange Circles.htm") returned=".htm" [0133.659] lstrlenW (lpString=".htm") returned 4 [0133.659] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0133.659] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Orange Circles.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\orange circles.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x174 [0133.661] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=237) returned 1 [0133.661] CloseHandle (hObject=0x174) returned 1 [0133.661] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28e09fe0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28e09fe0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xaa4cf00d, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x18ed, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="OrangeCircles.jpg", cAlternateFileName="ORANGE~1.JPG")) returned 1 [0133.661] lstrcmpiW (lpString1="OrangeCircles.jpg", lpString2="Windows") returned -1 [0133.661] lstrcmpiW (lpString1="OrangeCircles.jpg", lpString2="Program Files") returned -1 [0133.661] lstrcmpiW (lpString1="OrangeCircles.jpg", lpString2="Program Files (x86)") returned -1 [0133.661] lstrcmpiW (lpString1="OrangeCircles.jpg", lpString2="$Recycle.bin") returned 1 [0133.661] lstrcmpiW (lpString1="OrangeCircles.jpg", lpString2="System Volume Information") returned -1 [0133.661] lstrcmpiW (lpString1="OrangeCircles.jpg", lpString2=".") returned 1 [0133.661] lstrcmpiW (lpString1="OrangeCircles.jpg", lpString2="..") returned 1 [0133.661] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg") returned 99 [0133.661] lstrcmpW (lpString1="OrangeCircles.jpg", lpString2="PUSSY.TXT") returned -1 [0133.662] PathFindExtensionW (pszPath="OrangeCircles.jpg") returned=".jpg" [0133.662] lstrlenW (lpString=".jpg") returned 4 [0133.662] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0133.662] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\orangecircles.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x174 [0133.665] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=6381) returned 1 [0133.665] GetProcessHeap () returned 0x4c0000 [0133.665] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0133.681] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="00") returned 2 [0133.681] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="DE") returned 2 [0133.681] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="54") returned 2 [0133.681] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="AD") returned 2 [0133.681] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="EF") returned 2 [0133.681] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="53") returned 2 [0133.681] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="23") returned 2 [0133.681] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="09") returned 2 [0133.681] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="03") returned 2 [0133.681] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="14") returned 2 [0133.681] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="B0") returned 2 [0133.681] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="8A") returned 2 [0133.681] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="30") returned 2 [0133.681] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="49") returned 2 [0133.681] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="36") returned 2 [0133.681] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="B3") returned 2 [0133.681] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="1C") returned 2 [0133.682] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="AE") returned 2 [0133.682] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="FE") returned 2 [0133.682] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="D5") returned 2 [0133.682] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="EE") returned 2 [0133.682] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="25") returned 2 [0133.682] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="3C") returned 2 [0133.682] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="E3") returned 2 [0133.682] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="66") returned 2 [0133.682] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="39") returned 2 [0133.682] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="29") returned 2 [0133.682] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="A1") returned 2 [0133.682] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="A6") returned 2 [0133.682] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="E9") returned 2 [0133.682] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="00") returned 2 [0133.682] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="35") returned 2 [0133.695] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg" [0133.695] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg" [0133.695] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg", lpString2=".00DE54ADEF5323090314B08A304936B31CAEFED5EE253CE3663929A1A6E90035" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg.00DE54ADEF5323090314B08A304936B31CAEFED5EE253CE3663929A1A6E90035") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg.00DE54ADEF5323090314B08A304936B31CAEFED5EE253CE3663929A1A6E90035" [0133.695] CreateIoCompletionPort (FileHandle=0x174, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0133.696] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0133.696] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28e09fe0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28e09fe0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xce109c99, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xe8, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Peacock.htm", cAlternateFileName="")) returned 1 [0133.696] lstrcmpiW (lpString1="Peacock.htm", lpString2="Windows") returned -1 [0133.696] lstrcmpiW (lpString1="Peacock.htm", lpString2="Program Files") returned -1 [0133.696] lstrcmpiW (lpString1="Peacock.htm", lpString2="Program Files (x86)") returned -1 [0133.696] lstrcmpiW (lpString1="Peacock.htm", lpString2="$Recycle.bin") returned 1 [0133.696] lstrcmpiW (lpString1="Peacock.htm", lpString2="System Volume Information") returned -1 [0133.696] lstrcmpiW (lpString1="Peacock.htm", lpString2=".") returned 1 [0133.696] lstrcmpiW (lpString1="Peacock.htm", lpString2="..") returned 1 [0133.696] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.htm") returned 93 [0133.696] lstrcmpW (lpString1="Peacock.htm", lpString2="PUSSY.TXT") returned -1 [0133.696] PathFindExtensionW (pszPath="Peacock.htm") returned=".htm" [0133.696] lstrlenW (lpString=".htm") returned 4 [0133.696] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0133.696] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\peacock.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0133.697] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=232) returned 1 [0133.697] CloseHandle (hObject=0x184) returned 1 [0133.697] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28e09fe0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28e09fe0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xaa51b2c9, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x13fb, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Peacock.jpg", cAlternateFileName="")) returned 1 [0133.697] lstrcmpiW (lpString1="Peacock.jpg", lpString2="Windows") returned -1 [0133.697] lstrcmpiW (lpString1="Peacock.jpg", lpString2="Program Files") returned -1 [0133.697] lstrcmpiW (lpString1="Peacock.jpg", lpString2="Program Files (x86)") returned -1 [0133.698] lstrcmpiW (lpString1="Peacock.jpg", lpString2="$Recycle.bin") returned 1 [0133.698] lstrcmpiW (lpString1="Peacock.jpg", lpString2="System Volume Information") returned -1 [0133.698] lstrcmpiW (lpString1="Peacock.jpg", lpString2=".") returned 1 [0133.698] lstrcmpiW (lpString1="Peacock.jpg", lpString2="..") returned 1 [0133.698] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg") returned 93 [0133.698] lstrcmpW (lpString1="Peacock.jpg", lpString2="PUSSY.TXT") returned -1 [0133.698] PathFindExtensionW (pszPath="Peacock.jpg") returned=".jpg" [0133.698] lstrlenW (lpString=".jpg") returned 4 [0133.698] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0133.698] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\peacock.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0133.699] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=5115) returned 1 [0133.699] GetProcessHeap () returned 0x4c0000 [0133.699] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x53caf0 [0133.732] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="9F") returned 2 [0133.732] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="D2") returned 2 [0133.732] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="94") returned 2 [0133.732] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="16") returned 2 [0133.732] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="8F") returned 2 [0133.732] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="94") returned 2 [0133.732] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="38") returned 2 [0133.732] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="D3") returned 2 [0133.732] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="DF") returned 2 [0133.732] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="77") returned 2 [0133.733] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="D3") returned 2 [0133.733] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="0E") returned 2 [0133.733] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="3E") returned 2 [0133.733] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="2F") returned 2 [0133.733] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="AE") returned 2 [0133.733] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="CC") returned 2 [0133.733] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="4C") returned 2 [0133.733] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="AF") returned 2 [0133.733] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="22") returned 2 [0133.733] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="9E") returned 2 [0133.733] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="D6") returned 2 [0133.733] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="4A") returned 2 [0133.733] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="6B") returned 2 [0133.733] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="7E") returned 2 [0133.733] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="3C") returned 2 [0133.733] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="D5") returned 2 [0133.733] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="04") returned 2 [0133.733] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="27") returned 2 [0133.733] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="7E") returned 2 [0133.733] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="2F") returned 2 [0133.733] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="C1") returned 2 [0133.733] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="64") returned 2 [0133.746] lstrcpyW (in: lpString1=0x54cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg" [0133.746] lstrcpyW (in: lpString1=0x53cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg" [0133.746] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg", lpString2=".9FD294168F9438D3DF77D30E3E2FAECC4CAF229ED64A6B7E3CD504277E2FC164" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg.9FD294168F9438D3DF77D30E3E2FAECC4CAF229ED64A6B7E3CD504277E2FC164") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg.9FD294168F9438D3DF77D30E3E2FAECC4CAF229ED64A6B7E3CD504277E2FC164" [0133.746] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x53caf0, NumberOfConcurrentThreads=0x0) returned 0x94 [0133.746] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x53caf0, lpOverlapped=0x53caf0) returned 1 [0133.746] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28f3aae0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f3aae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xce12fdf6, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xe9, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Roses.htm", cAlternateFileName="")) returned 1 [0133.746] lstrcmpiW (lpString1="Roses.htm", lpString2="Windows") returned -1 [0133.746] lstrcmpiW (lpString1="Roses.htm", lpString2="Program Files") returned 1 [0133.746] lstrcmpiW (lpString1="Roses.htm", lpString2="Program Files (x86)") returned 1 [0133.746] lstrcmpiW (lpString1="Roses.htm", lpString2="$Recycle.bin") returned 1 [0133.746] lstrcmpiW (lpString1="Roses.htm", lpString2="System Volume Information") returned -1 [0133.746] lstrcmpiW (lpString1="Roses.htm", lpString2=".") returned 1 [0133.746] lstrcmpiW (lpString1="Roses.htm", lpString2="..") returned 1 [0133.746] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.htm") returned 91 [0133.746] lstrcmpW (lpString1="Roses.htm", lpString2="PUSSY.TXT") returned 1 [0133.747] PathFindExtensionW (pszPath="Roses.htm") returned=".htm" [0133.747] lstrlenW (lpString=".htm") returned 4 [0133.747] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0133.747] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\roses.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0133.748] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=233) returned 1 [0133.748] CloseHandle (hObject=0x1d0) returned 1 [0133.748] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28f3aae0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f3aae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xaa567585, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x780, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Roses.jpg", cAlternateFileName="")) returned 1 [0133.748] lstrcmpiW (lpString1="Roses.jpg", lpString2="Windows") returned -1 [0133.748] lstrcmpiW (lpString1="Roses.jpg", lpString2="Program Files") returned 1 [0133.748] lstrcmpiW (lpString1="Roses.jpg", lpString2="Program Files (x86)") returned 1 [0133.748] lstrcmpiW (lpString1="Roses.jpg", lpString2="$Recycle.bin") returned 1 [0133.748] lstrcmpiW (lpString1="Roses.jpg", lpString2="System Volume Information") returned -1 [0133.748] lstrcmpiW (lpString1="Roses.jpg", lpString2=".") returned 1 [0133.748] lstrcmpiW (lpString1="Roses.jpg", lpString2="..") returned 1 [0133.748] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg") returned 91 [0133.748] lstrcmpW (lpString1="Roses.jpg", lpString2="PUSSY.TXT") returned 1 [0133.748] PathFindExtensionW (pszPath="Roses.jpg") returned=".jpg" [0133.748] lstrlenW (lpString=".jpg") returned 4 [0133.748] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0133.748] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\roses.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0133.749] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=1920) returned 1 [0133.749] GetProcessHeap () returned 0x4c0000 [0133.749] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x564b40 [0133.763] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="B0") returned 2 [0133.763] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="BB") returned 2 [0133.763] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="77") returned 2 [0133.763] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="1C") returned 2 [0133.763] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="EE") returned 2 [0133.763] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="14") returned 2 [0133.763] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="C5") returned 2 [0133.763] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="D4") returned 2 [0133.763] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="FC") returned 2 [0133.763] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="B5") returned 2 [0133.763] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="B5") returned 2 [0133.763] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="4E") returned 2 [0133.763] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="75") returned 2 [0133.763] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="A2") returned 2 [0133.763] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="F0") returned 2 [0133.763] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="D5") returned 2 [0133.763] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="58") returned 2 [0133.763] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="59") returned 2 [0133.763] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="AE") returned 2 [0133.763] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="33") returned 2 [0133.764] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="35") returned 2 [0133.764] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="C8") returned 2 [0133.764] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="73") returned 2 [0133.764] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="47") returned 2 [0133.764] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="69") returned 2 [0133.764] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="4F") returned 2 [0133.764] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="2B") returned 2 [0133.764] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="F7") returned 2 [0133.764] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="7F") returned 2 [0133.764] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="63") returned 2 [0133.764] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="19") returned 2 [0133.764] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="1E") returned 2 [0133.773] lstrcpyW (in: lpString1=0x574b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg" [0133.773] lstrcpyW (in: lpString1=0x564b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg" [0133.773] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg", lpString2=".B0BB771CEE14C5D4FCB5B54E75A2F0D55859AE3335C87347694F2BF77F63191E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg.B0BB771CEE14C5D4FCB5B54E75A2F0D55859AE3335C87347694F2BF77F63191E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg.B0BB771CEE14C5D4FCB5B54E75A2F0D55859AE3335C87347694F2BF77F63191E" [0133.773] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x94, CompletionKey=0x564b40, NumberOfConcurrentThreads=0x0) returned 0x94 [0133.773] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x564b40, lpOverlapped=0x564b40) returned 1 [0133.773] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28f3aae0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f3aae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xce17c0b0, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xed, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Shades of Blue.htm", cAlternateFileName="SHADES~1.HTM")) returned 1 [0133.773] lstrcmpiW (lpString1="Shades of Blue.htm", lpString2="Windows") returned -1 [0133.773] lstrcmpiW (lpString1="Shades of Blue.htm", lpString2="Program Files") returned 1 [0133.773] lstrcmpiW (lpString1="Shades of Blue.htm", lpString2="Program Files (x86)") returned 1 [0133.773] lstrcmpiW (lpString1="Shades of Blue.htm", lpString2="$Recycle.bin") returned 1 [0133.773] lstrcmpiW (lpString1="Shades of Blue.htm", lpString2="System Volume Information") returned -1 [0133.773] lstrcmpiW (lpString1="Shades of Blue.htm", lpString2=".") returned 1 [0133.773] lstrcmpiW (lpString1="Shades of Blue.htm", lpString2="..") returned 1 [0133.773] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Shades of Blue.htm") returned 100 [0133.773] lstrcmpW (lpString1="Shades of Blue.htm", lpString2="PUSSY.TXT") returned 1 [0133.773] PathFindExtensionW (pszPath="Shades of Blue.htm") returned=".htm" [0133.773] lstrlenW (lpString=".htm") returned 4 [0133.773] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0133.773] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Shades of Blue.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\shades of blue.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xec [0133.774] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=237) returned 1 [0133.774] CloseHandle (hObject=0xec) returned 1 [0133.774] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28f3aae0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f3aae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xaa58d6e3, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x127e, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="ShadesOfBlue.jpg", cAlternateFileName="SHADES~1.JPG")) returned 1 [0133.774] lstrcmpiW (lpString1="ShadesOfBlue.jpg", lpString2="Windows") returned -1 [0133.774] lstrcmpiW (lpString1="ShadesOfBlue.jpg", lpString2="Program Files") returned 1 [0133.774] lstrcmpiW (lpString1="ShadesOfBlue.jpg", lpString2="Program Files (x86)") returned 1 [0133.774] lstrcmpiW (lpString1="ShadesOfBlue.jpg", lpString2="$Recycle.bin") returned 1 [0133.774] lstrcmpiW (lpString1="ShadesOfBlue.jpg", lpString2="System Volume Information") returned -1 [0133.774] lstrcmpiW (lpString1="ShadesOfBlue.jpg", lpString2=".") returned 1 [0133.774] lstrcmpiW (lpString1="ShadesOfBlue.jpg", lpString2="..") returned 1 [0133.775] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg") returned 98 [0133.775] lstrcmpW (lpString1="ShadesOfBlue.jpg", lpString2="PUSSY.TXT") returned 1 [0133.775] PathFindExtensionW (pszPath="ShadesOfBlue.jpg") returned=".jpg" [0133.775] lstrlenW (lpString=".jpg") returned 4 [0133.775] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0133.775] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\shadesofblue.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xec [0133.775] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=4734) returned 1 [0133.775] GetProcessHeap () returned 0x4c0000 [0133.775] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0133.836] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="D4") returned 2 [0133.836] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="38") returned 2 [0133.836] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="5A") returned 2 [0133.837] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="B5") returned 2 [0133.837] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="A2") returned 2 [0133.837] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="50") returned 2 [0133.837] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="1A") returned 2 [0133.837] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="F5") returned 2 [0133.837] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="8A") returned 2 [0133.837] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="1D") returned 2 [0133.837] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="52") returned 2 [0133.837] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="35") returned 2 [0133.837] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="22") returned 2 [0133.837] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="F2") returned 2 [0133.837] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="8C") returned 2 [0133.837] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="6C") returned 2 [0133.837] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="39") returned 2 [0133.837] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="91") returned 2 [0133.837] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="28") returned 2 [0133.837] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="21") returned 2 [0133.837] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="CD") returned 2 [0133.837] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="53") returned 2 [0133.838] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="48") returned 2 [0133.838] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="69") returned 2 [0133.838] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="E8") returned 2 [0133.838] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="61") returned 2 [0133.838] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="A1") returned 2 [0133.838] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="B3") returned 2 [0133.838] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="A3") returned 2 [0133.838] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="47") returned 2 [0133.838] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="FA") returned 2 [0133.838] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="1E") returned 2 [0133.846] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg" [0133.847] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg" [0133.847] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg", lpString2=".D4385AB5A2501AF58A1D523522F28C6C39912821CD534869E861A1B3A347FA1E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg.D4385AB5A2501AF58A1D523522F28C6C39912821CD534869E861A1B3A347FA1E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg.D4385AB5A2501AF58A1D523522F28C6C39912821CD534869E861A1B3A347FA1E" [0133.847] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0133.847] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0133.852] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28de3e80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xce1a220d, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xe8, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Soft Blue.htm", cAlternateFileName="SOFTBL~1.HTM")) returned 1 [0133.852] lstrcmpiW (lpString1="Soft Blue.htm", lpString2="Windows") returned -1 [0133.852] lstrcmpiW (lpString1="Soft Blue.htm", lpString2="Program Files") returned 1 [0133.852] lstrcmpiW (lpString1="Soft Blue.htm", lpString2="Program Files (x86)") returned 1 [0133.852] lstrcmpiW (lpString1="Soft Blue.htm", lpString2="$Recycle.bin") returned 1 [0133.852] lstrcmpiW (lpString1="Soft Blue.htm", lpString2="System Volume Information") returned -1 [0133.852] lstrcmpiW (lpString1="Soft Blue.htm", lpString2=".") returned 1 [0133.852] lstrcmpiW (lpString1="Soft Blue.htm", lpString2="..") returned 1 [0133.852] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Soft Blue.htm") returned 95 [0133.852] lstrcmpW (lpString1="Soft Blue.htm", lpString2="PUSSY.TXT") returned 1 [0133.852] PathFindExtensionW (pszPath="Soft Blue.htm") returned=".htm" [0133.852] lstrlenW (lpString=".htm") returned 4 [0133.852] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0133.852] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Soft Blue.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\soft blue.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d4 [0133.853] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=232) returned 1 [0133.853] CloseHandle (hObject=0x1d4) returned 1 [0133.853] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28de3e80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xaa5b3841, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2949, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="SoftBlue.jpg", cAlternateFileName="")) returned 1 [0133.853] lstrcmpiW (lpString1="SoftBlue.jpg", lpString2="Windows") returned -1 [0133.853] lstrcmpiW (lpString1="SoftBlue.jpg", lpString2="Program Files") returned 1 [0133.853] lstrcmpiW (lpString1="SoftBlue.jpg", lpString2="Program Files (x86)") returned 1 [0133.853] lstrcmpiW (lpString1="SoftBlue.jpg", lpString2="$Recycle.bin") returned 1 [0133.853] lstrcmpiW (lpString1="SoftBlue.jpg", lpString2="System Volume Information") returned -1 [0133.853] lstrcmpiW (lpString1="SoftBlue.jpg", lpString2=".") returned 1 [0133.853] lstrcmpiW (lpString1="SoftBlue.jpg", lpString2="..") returned 1 [0133.853] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg") returned 94 [0133.853] lstrcmpW (lpString1="SoftBlue.jpg", lpString2="PUSSY.TXT") returned 1 [0133.853] PathFindExtensionW (pszPath="SoftBlue.jpg") returned=".jpg" [0133.853] lstrlenW (lpString=".jpg") returned 4 [0133.853] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0133.854] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\softblue.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d4 [0133.855] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=10569) returned 1 [0133.855] GetProcessHeap () returned 0x4c0000 [0133.855] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc80e0 [0133.864] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="69") returned 2 [0133.864] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="B1") returned 2 [0133.864] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="D9") returned 2 [0133.864] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="7A") returned 2 [0133.864] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="E1") returned 2 [0133.864] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="D9") returned 2 [0133.864] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="13") returned 2 [0133.864] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="08") returned 2 [0133.864] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="7E") returned 2 [0133.864] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="E6") returned 2 [0133.864] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="C9") returned 2 [0133.864] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="8F") returned 2 [0133.864] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="6B") returned 2 [0133.865] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="C6") returned 2 [0133.865] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="4F") returned 2 [0133.865] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="E1") returned 2 [0133.865] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="CB") returned 2 [0133.865] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="1D") returned 2 [0133.865] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="51") returned 2 [0133.865] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="06") returned 2 [0133.865] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="C5") returned 2 [0133.865] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="F6") returned 2 [0133.865] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="49") returned 2 [0133.865] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="16") returned 2 [0133.865] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="6B") returned 2 [0133.865] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="4E") returned 2 [0133.865] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="64") returned 2 [0133.865] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="24") returned 2 [0133.865] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="37") returned 2 [0133.865] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="56") returned 2 [0133.865] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="15") returned 2 [0133.865] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="41") returned 2 [0133.873] lstrcpyW (in: lpString1=0x3bd8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg" [0133.873] lstrcpyW (in: lpString1=0x3bc8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg" [0133.873] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg", lpString2=".69B1D97AE1D913087EE6C98F6BC64FE1CB1D5106C5F649166B4E642437561541" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg.69B1D97AE1D913087EE6C98F6BC64FE1CB1D5106C5F649166B4E642437561541") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg.69B1D97AE1D913087EE6C98F6BC64FE1CB1D5106C5F649166B4E642437561541" [0133.873] CreateIoCompletionPort (FileHandle=0x1d4, ExistingCompletionPort=0x94, CompletionKey=0x3bc80e0, NumberOfConcurrentThreads=0x0) returned 0x94 [0133.873] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc80e0, lpOverlapped=0x3bc80e0) returned 1 [0133.874] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28de3e80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xce1c836a, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xe6, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Stars.htm", cAlternateFileName="")) returned 1 [0133.874] lstrcmpiW (lpString1="Stars.htm", lpString2="Windows") returned -1 [0133.874] lstrcmpiW (lpString1="Stars.htm", lpString2="Program Files") returned 1 [0133.874] lstrcmpiW (lpString1="Stars.htm", lpString2="Program Files (x86)") returned 1 [0133.874] lstrcmpiW (lpString1="Stars.htm", lpString2="$Recycle.bin") returned 1 [0133.874] lstrcmpiW (lpString1="Stars.htm", lpString2="System Volume Information") returned -1 [0133.874] lstrcmpiW (lpString1="Stars.htm", lpString2=".") returned 1 [0133.874] lstrcmpiW (lpString1="Stars.htm", lpString2="..") returned 1 [0133.874] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.htm") returned 91 [0133.874] lstrcmpW (lpString1="Stars.htm", lpString2="PUSSY.TXT") returned 1 [0133.875] PathFindExtensionW (pszPath="Stars.htm") returned=".htm" [0133.875] lstrlenW (lpString=".htm") returned 4 [0133.875] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0133.875] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\stars.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0133.875] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=230) returned 1 [0133.876] CloseHandle (hObject=0x1d0) returned 1 [0133.876] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28de3e80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xaa5ffafd, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1d51, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Stars.jpg", cAlternateFileName="")) returned 1 [0133.876] lstrcmpiW (lpString1="Stars.jpg", lpString2="Windows") returned -1 [0133.876] lstrcmpiW (lpString1="Stars.jpg", lpString2="Program Files") returned 1 [0133.876] lstrcmpiW (lpString1="Stars.jpg", lpString2="Program Files (x86)") returned 1 [0133.876] lstrcmpiW (lpString1="Stars.jpg", lpString2="$Recycle.bin") returned 1 [0133.876] lstrcmpiW (lpString1="Stars.jpg", lpString2="System Volume Information") returned -1 [0133.876] lstrcmpiW (lpString1="Stars.jpg", lpString2=".") returned 1 [0133.876] lstrcmpiW (lpString1="Stars.jpg", lpString2="..") returned 1 [0133.876] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg") returned 91 [0133.876] lstrcmpW (lpString1="Stars.jpg", lpString2="PUSSY.TXT") returned 1 [0133.876] PathFindExtensionW (pszPath="Stars.jpg") returned=".jpg" [0133.876] lstrlenW (lpString=".jpg") returned 4 [0133.876] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0133.876] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\stars.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0133.877] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=7505) returned 1 [0133.877] GetProcessHeap () returned 0x4c0000 [0133.877] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0133.887] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="28") returned 2 [0133.887] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="AA") returned 2 [0133.887] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="98") returned 2 [0133.887] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="6F") returned 2 [0133.887] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="BC") returned 2 [0133.887] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="6F") returned 2 [0133.887] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="ED") returned 2 [0133.887] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="9E") returned 2 [0133.887] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="05") returned 2 [0133.887] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="B0") returned 2 [0133.887] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="2A") returned 2 [0133.887] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="4F") returned 2 [0133.887] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="6B") returned 2 [0133.887] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="14") returned 2 [0133.887] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="F7") returned 2 [0133.887] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="9A") returned 2 [0133.887] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="59") returned 2 [0133.887] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="32") returned 2 [0133.887] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="BC") returned 2 [0133.887] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="E1") returned 2 [0133.887] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="AD") returned 2 [0133.887] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="6B") returned 2 [0133.887] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="D4") returned 2 [0133.887] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="74") returned 2 [0133.887] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="6D") returned 2 [0133.888] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="04") returned 2 [0133.888] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="3D") returned 2 [0133.888] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="F9") returned 2 [0133.888] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="43") returned 2 [0133.888] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="DA") returned 2 [0133.888] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="65") returned 2 [0133.888] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="0F") returned 2 [0133.896] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg" [0133.896] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg" [0133.896] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg", lpString2=".28AA986FBC6FED9E05B02A4F6B14F79A5932BCE1AD6BD4746D043DF943DA650F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg.28AA986FBC6FED9E05B02A4F6B14F79A5932BCE1AD6BD4746D043DF943DA650F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg.28AA986FBC6FED9E05B02A4F6B14F79A5932BCE1AD6BD4746D043DF943DA650F" [0133.896] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0133.896] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0133.896] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28de3e80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xaa5ffafd, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1d51, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Stars.jpg", cAlternateFileName="")) returned 0 [0133.896] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0133.896] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\PUSSY.TXT") returned 91 [0133.897] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0133.915] lstrlenA (lpString="abcd") returned 4 [0133.915] WriteFile (in: hFile=0xec, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0133.916] CloseHandle (hObject=0xec) returned 1 [0133.916] GetProcessHeap () returned 0x4c0000 [0133.916] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0133.919] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28de3e80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2c881c40, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x204000, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="WindowsMail.MSMessageStore", cAlternateFileName="WINDOW~1.MSM")) returned 1 [0133.919] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2="Windows") returned 1 [0133.919] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2="Program Files") returned 1 [0133.919] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2="Program Files (x86)") returned 1 [0133.919] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2="$Recycle.bin") returned 1 [0133.919] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2="System Volume Information") returned 1 [0133.920] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2=".") returned 1 [0133.920] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2="..") returned 1 [0133.920] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore") returned 97 [0133.920] lstrcmpW (lpString1="WindowsMail.MSMessageStore", lpString2="PUSSY.TXT") returned 1 [0133.920] PathFindExtensionW (pszPath="WindowsMail.MSMessageStore") returned=".MSMessageStore" [0133.920] lstrlenW (lpString=".MSMessageStore") returned 15 [0133.920] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0133.920] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\windowsmail.msmessagestore"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xec [0133.920] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=2113536) returned 1 [0133.921] GetProcessHeap () returned 0x4c0000 [0133.921] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x53caf0 [0133.932] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="57") returned 2 [0133.932] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="2A") returned 2 [0133.932] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="EB") returned 2 [0133.932] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="DD") returned 2 [0133.932] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="A5") returned 2 [0133.932] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="FF") returned 2 [0133.932] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="B6") returned 2 [0133.932] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="8A") returned 2 [0133.932] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="A1") returned 2 [0133.932] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="F1") returned 2 [0133.932] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="D7") returned 2 [0133.932] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="27") returned 2 [0133.932] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="49") returned 2 [0133.932] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="92") returned 2 [0133.932] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="83") returned 2 [0133.932] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="5F") returned 2 [0133.932] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="07") returned 2 [0133.932] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="CC") returned 2 [0133.932] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="E6") returned 2 [0133.932] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="15") returned 2 [0133.932] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="AB") returned 2 [0133.932] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="43") returned 2 [0133.932] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="E3") returned 2 [0133.932] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="38") returned 2 [0133.932] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="46") returned 2 [0133.932] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="8C") returned 2 [0133.932] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="A1") returned 2 [0133.933] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="7B") returned 2 [0133.933] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="1C") returned 2 [0133.933] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="17") returned 2 [0133.933] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="63") returned 2 [0133.933] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="3B") returned 2 [0133.964] lstrcpyW (in: lpString1=0x54cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore" [0133.964] lstrcpyW (in: lpString1=0x53cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore" [0133.964] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore", lpString2=".572AEBDDA5FFB68AA1F1D7274992835F07CCE615AB43E338468CA17B1C17633B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore.572AEBDDA5FFB68AA1F1D7274992835F07CCE615AB43E338468CA17B1C17633B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore.572AEBDDA5FFB68AA1F1D7274992835F07CCE615AB43E338468CA17B1C17633B" [0133.964] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x94, CompletionKey=0x53caf0, NumberOfConcurrentThreads=0x0) returned 0x94 [0133.964] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x53caf0, lpOverlapped=0x53caf0) returned 1 [0133.964] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28de3e80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2b9a12c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="WindowsMail.pat", cAlternateFileName="WINDOW~1.PAT")) returned 1 [0133.964] lstrcmpiW (lpString1="WindowsMail.pat", lpString2="Windows") returned 1 [0133.964] lstrcmpiW (lpString1="WindowsMail.pat", lpString2="Program Files") returned 1 [0133.964] lstrcmpiW (lpString1="WindowsMail.pat", lpString2="Program Files (x86)") returned 1 [0133.964] lstrcmpiW (lpString1="WindowsMail.pat", lpString2="$Recycle.bin") returned 1 [0133.964] lstrcmpiW (lpString1="WindowsMail.pat", lpString2="System Volume Information") returned 1 [0133.964] lstrcmpiW (lpString1="WindowsMail.pat", lpString2=".") returned 1 [0133.964] lstrcmpiW (lpString1="WindowsMail.pat", lpString2="..") returned 1 [0133.965] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat") returned 86 [0133.965] lstrcmpW (lpString1="WindowsMail.pat", lpString2="PUSSY.TXT") returned 1 [0133.965] PathFindExtensionW (pszPath="WindowsMail.pat") returned=".pat" [0133.965] lstrlenW (lpString=".pat") returned 4 [0133.965] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0133.965] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\windowsmail.pat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0133.967] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=0) returned 1 [0133.967] CloseHandle (hObject=0x1d0) returned 1 [0133.967] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28de3e80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2b9a12c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="WindowsMail.pat", cAlternateFileName="WINDOW~1.PAT")) returned 0 [0133.967] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0133.967] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\PUSSY.TXT") returned 80 [0133.967] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0134.002] lstrlenA (lpString="abcd") returned 4 [0134.002] WriteFile (in: hFile=0x1d8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0134.003] CloseHandle (hObject=0x1d8) returned 1 [0134.003] GetProcessHeap () returned 0x4c0000 [0134.003] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0134.004] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf7de167e, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Windows Media", cAlternateFileName="WINDOW~2")) returned 1 [0134.004] lstrcmpiW (lpString1="Windows Media", lpString2="Windows") returned 1 [0134.004] lstrcmpiW (lpString1="Windows Media", lpString2="Program Files") returned 1 [0134.004] lstrcmpiW (lpString1="Windows Media", lpString2="Program Files (x86)") returned 1 [0134.004] lstrcmpiW (lpString1="Windows Media", lpString2="$Recycle.bin") returned 1 [0134.004] lstrcmpiW (lpString1="Windows Media", lpString2="System Volume Information") returned 1 [0134.004] lstrcmpiW (lpString1="Windows Media", lpString2=".") returned 1 [0134.004] lstrcmpiW (lpString1="Windows Media", lpString2="..") returned 1 [0134.004] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media") returned 71 [0134.004] GetProcessHeap () returned 0x4c0000 [0134.004] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0134.004] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media" [0134.004] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\*" [0134.004] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf7de167e, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0134.005] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0134.005] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0134.005] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0134.005] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0134.005] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0134.005] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0134.005] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf7de167e, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0134.005] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0134.005] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0134.005] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0134.005] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0134.005] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0134.006] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0134.006] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0134.006] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf928f5c4, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="12.0", cAlternateFileName="")) returned 1 [0134.006] lstrcmpiW (lpString1="12.0", lpString2="Windows") returned -1 [0134.006] lstrcmpiW (lpString1="12.0", lpString2="Program Files") returned -1 [0134.006] lstrcmpiW (lpString1="12.0", lpString2="Program Files (x86)") returned -1 [0134.006] lstrcmpiW (lpString1="12.0", lpString2="$Recycle.bin") returned 1 [0134.006] lstrcmpiW (lpString1="12.0", lpString2="System Volume Information") returned -1 [0134.006] lstrcmpiW (lpString1="12.0", lpString2=".") returned 1 [0134.006] lstrcmpiW (lpString1="12.0", lpString2="..") returned 1 [0134.006] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0") returned 76 [0134.006] GetProcessHeap () returned 0x4c0000 [0134.006] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0134.006] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0" [0134.006] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\*" [0134.007] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf928f5c4, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0134.007] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0134.007] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0134.007] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0134.007] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0134.007] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0134.007] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0134.007] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf928f5c4, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0134.007] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0134.007] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0134.007] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0134.007] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0134.007] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0134.007] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0134.007] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0134.007] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28de3e80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf7de167e, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x1f2, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="WMSDKNS.DTD", cAlternateFileName="")) returned 1 [0134.007] lstrcmpiW (lpString1="WMSDKNS.DTD", lpString2="Windows") returned 1 [0134.008] lstrcmpiW (lpString1="WMSDKNS.DTD", lpString2="Program Files") returned 1 [0134.008] lstrcmpiW (lpString1="WMSDKNS.DTD", lpString2="Program Files (x86)") returned 1 [0134.008] lstrcmpiW (lpString1="WMSDKNS.DTD", lpString2="$Recycle.bin") returned 1 [0134.008] lstrcmpiW (lpString1="WMSDKNS.DTD", lpString2="System Volume Information") returned 1 [0134.008] lstrcmpiW (lpString1="WMSDKNS.DTD", lpString2=".") returned 1 [0134.008] lstrcmpiW (lpString1="WMSDKNS.DTD", lpString2="..") returned 1 [0134.008] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.DTD") returned 88 [0134.008] lstrcmpW (lpString1="WMSDKNS.DTD", lpString2="PUSSY.TXT") returned 1 [0134.008] PathFindExtensionW (pszPath="WMSDKNS.DTD") returned=".DTD" [0134.008] lstrlenW (lpString=".DTD") returned 4 [0134.008] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0134.008] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.DTD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows media\\12.0\\wmsdkns.dtd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d4 [0134.009] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=498) returned 1 [0134.009] CloseHandle (hObject=0x1d4) returned 1 [0134.009] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28de3e80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf9269464, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x27cf, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="WMSDKNS.XML", cAlternateFileName="")) returned 1 [0134.009] lstrcmpiW (lpString1="WMSDKNS.XML", lpString2="Windows") returned 1 [0134.009] lstrcmpiW (lpString1="WMSDKNS.XML", lpString2="Program Files") returned 1 [0134.009] lstrcmpiW (lpString1="WMSDKNS.XML", lpString2="Program Files (x86)") returned 1 [0134.009] lstrcmpiW (lpString1="WMSDKNS.XML", lpString2="$Recycle.bin") returned 1 [0134.009] lstrcmpiW (lpString1="WMSDKNS.XML", lpString2="System Volume Information") returned 1 [0134.009] lstrcmpiW (lpString1="WMSDKNS.XML", lpString2=".") returned 1 [0134.009] lstrcmpiW (lpString1="WMSDKNS.XML", lpString2="..") returned 1 [0134.009] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML") returned 88 [0134.010] lstrcmpW (lpString1="WMSDKNS.XML", lpString2="PUSSY.TXT") returned 1 [0134.010] PathFindExtensionW (pszPath="WMSDKNS.XML") returned=".XML" [0134.010] lstrlenW (lpString=".XML") returned 4 [0134.010] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0134.010] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows media\\12.0\\wmsdkns.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d4 [0134.015] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=10191) returned 1 [0134.015] GetProcessHeap () returned 0x4c0000 [0134.015] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0134.028] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="FA") returned 2 [0134.028] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="E4") returned 2 [0134.028] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="D2") returned 2 [0134.028] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="9A") returned 2 [0134.028] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="3E") returned 2 [0134.029] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="4E") returned 2 [0134.029] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="FB") returned 2 [0134.029] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="7E") returned 2 [0134.029] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="F6") returned 2 [0134.029] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="AA") returned 2 [0134.029] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="C7") returned 2 [0134.029] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="67") returned 2 [0134.029] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="F2") returned 2 [0134.029] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="54") returned 2 [0134.029] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="7D") returned 2 [0134.029] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="40") returned 2 [0134.029] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="64") returned 2 [0134.029] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="FB") returned 2 [0134.029] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="98") returned 2 [0134.029] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="36") returned 2 [0134.029] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="48") returned 2 [0134.029] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="90") returned 2 [0134.029] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="26") returned 2 [0134.029] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="59") returned 2 [0134.029] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="CF") returned 2 [0134.030] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="48") returned 2 [0134.030] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="10") returned 2 [0134.030] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="23") returned 2 [0134.030] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="E0") returned 2 [0134.030] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="09") returned 2 [0134.030] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="E6") returned 2 [0134.030] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="18") returned 2 [0134.042] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML" [0134.043] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML" [0134.043] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML", lpString2=".FAE4D29A3E4EFB7EF6AAC767F2547D4064FB983648902659CF481023E009E618" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML.FAE4D29A3E4EFB7EF6AAC767F2547D4064FB983648902659CF481023E009E618") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML.FAE4D29A3E4EFB7EF6AAC767F2547D4064FB983648902659CF481023E009E618" [0134.043] CreateIoCompletionPort (FileHandle=0x1d4, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0134.043] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0134.043] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28de3e80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf9269464, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x27cf, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="WMSDKNS.XML", cAlternateFileName="")) returned 0 [0134.043] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0134.044] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\PUSSY.TXT") returned 86 [0134.044] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows media\\12.0\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0134.045] lstrlenA (lpString="abcd") returned 4 [0134.045] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0134.046] CloseHandle (hObject=0x1d0) returned 1 [0134.046] GetProcessHeap () returned 0x4c0000 [0134.046] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0134.049] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf928f5c4, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="12.0", cAlternateFileName="")) returned 0 [0134.049] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0134.049] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\PUSSY.TXT") returned 81 [0134.049] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows media\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0134.050] lstrlenA (lpString="abcd") returned 4 [0134.050] WriteFile (in: hFile=0x1d8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0134.052] CloseHandle (hObject=0x1d8) returned 1 [0134.054] GetProcessHeap () returned 0x4c0000 [0134.054] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0134.054] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x184eadb, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Windows Sidebar", cAlternateFileName="WINDOW~1")) returned 1 [0134.054] lstrcmpiW (lpString1="Windows Sidebar", lpString2="Windows") returned 1 [0134.054] lstrcmpiW (lpString1="Windows Sidebar", lpString2="Program Files") returned 1 [0134.054] lstrcmpiW (lpString1="Windows Sidebar", lpString2="Program Files (x86)") returned 1 [0134.054] lstrcmpiW (lpString1="Windows Sidebar", lpString2="$Recycle.bin") returned 1 [0134.054] lstrcmpiW (lpString1="Windows Sidebar", lpString2="System Volume Information") returned 1 [0134.054] lstrcmpiW (lpString1="Windows Sidebar", lpString2=".") returned 1 [0134.054] lstrcmpiW (lpString1="Windows Sidebar", lpString2="..") returned 1 [0134.054] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar") returned 73 [0134.055] GetProcessHeap () returned 0x4c0000 [0134.055] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0134.055] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar" [0134.055] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar\\*" [0134.055] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x184eadb, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0134.055] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0134.055] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0134.055] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0134.056] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0134.056] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0134.056] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0134.056] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x184eadb, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0134.056] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0134.056] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0134.056] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0134.056] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0134.056] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0134.056] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0134.056] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0134.056] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x184eadb, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="Gadgets", cAlternateFileName="")) returned 1 [0134.056] lstrcmpiW (lpString1="Gadgets", lpString2="Windows") returned -1 [0134.056] lstrcmpiW (lpString1="Gadgets", lpString2="Program Files") returned -1 [0134.056] lstrcmpiW (lpString1="Gadgets", lpString2="Program Files (x86)") returned -1 [0134.056] lstrcmpiW (lpString1="Gadgets", lpString2="$Recycle.bin") returned 1 [0134.056] lstrcmpiW (lpString1="Gadgets", lpString2="System Volume Information") returned -1 [0134.056] lstrcmpiW (lpString1="Gadgets", lpString2=".") returned 1 [0134.056] lstrcmpiW (lpString1="Gadgets", lpString2="..") returned 1 [0134.056] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets") returned 81 [0134.056] GetProcessHeap () returned 0x4c0000 [0134.057] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0134.057] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets" [0134.057] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\*" [0134.057] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x184eadb, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0134.057] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0134.057] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0134.057] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0134.058] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0134.058] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0134.058] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0134.058] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x184eadb, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0134.058] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0134.058] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0134.058] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0134.058] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0134.058] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0134.058] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0134.058] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0134.058] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x184eadb, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 0 [0134.058] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0134.058] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\PUSSY.TXT") returned 91 [0134.058] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows sidebar\\gadgets\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0134.059] lstrlenA (lpString="abcd") returned 4 [0134.059] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0134.060] CloseHandle (hObject=0x1d0) returned 1 [0134.061] GetProcessHeap () returned 0x4c0000 [0134.061] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0134.061] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28de3e80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x184eadb, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x54, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="Settings.ini", cAlternateFileName="")) returned 1 [0134.061] lstrcmpiW (lpString1="Settings.ini", lpString2="Windows") returned -1 [0134.061] lstrcmpiW (lpString1="Settings.ini", lpString2="Program Files") returned 1 [0134.061] lstrcmpiW (lpString1="Settings.ini", lpString2="Program Files (x86)") returned 1 [0134.061] lstrcmpiW (lpString1="Settings.ini", lpString2="$Recycle.bin") returned 1 [0134.061] lstrcmpiW (lpString1="Settings.ini", lpString2="System Volume Information") returned -1 [0134.061] lstrcmpiW (lpString1="Settings.ini", lpString2=".") returned 1 [0134.061] lstrcmpiW (lpString1="Settings.ini", lpString2="..") returned 1 [0134.061] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar\\Settings.ini") returned 86 [0134.061] lstrcmpW (lpString1="Settings.ini", lpString2="PUSSY.TXT") returned 1 [0134.061] PathFindExtensionW (pszPath="Settings.ini") returned=".ini" [0134.061] lstrlenW (lpString=".ini") returned 4 [0134.061] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0134.061] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar\\Settings.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows sidebar\\settings.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0134.063] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=84) returned 1 [0134.063] CloseHandle (hObject=0x1d0) returned 1 [0134.063] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28de3e80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x184eadb, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x54, dwReserved0=0xfe4af0cb, dwReserved1=0xfe000000, cFileName="Settings.ini", cAlternateFileName="")) returned 0 [0134.063] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0134.063] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar\\PUSSY.TXT") returned 83 [0134.063] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows sidebar\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0134.064] lstrlenA (lpString="abcd") returned 4 [0134.064] WriteFile (in: hFile=0x1d8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0134.065] CloseHandle (hObject=0x1d8) returned 1 [0134.065] GetProcessHeap () returned 0x4c0000 [0134.065] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0134.066] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x184eadb, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Windows Sidebar", cAlternateFileName="WINDOW~1")) returned 0 [0134.066] FindClose (in: hFindFile=0x3bb7020 | out: hFindFile=0x3bb7020) returned 1 [0134.066] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\PUSSY.TXT") returned 67 [0134.066] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0134.067] lstrlenA (lpString="abcd") returned 4 [0134.067] WriteFile (in: hFile=0x180, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0134.068] CloseHandle (hObject=0x180) returned 1 [0134.068] GetProcessHeap () returned 0x4c0000 [0134.068] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0134.070] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe80ff230, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xe80ff230, ftLastAccessTime.dwHighDateTime=0x1d2dda1, ftLastWriteTime.dwLowDateTime=0xe80ff230, ftLastWriteTime.dwHighDateTime=0x1d2dda1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="Microsoft Help", cAlternateFileName="MICROS~2")) returned 1 [0134.070] lstrcmpiW (lpString1="Microsoft Help", lpString2="Windows") returned -1 [0134.070] lstrcmpiW (lpString1="Microsoft Help", lpString2="Program Files") returned -1 [0134.070] lstrcmpiW (lpString1="Microsoft Help", lpString2="Program Files (x86)") returned -1 [0134.070] lstrcmpiW (lpString1="Microsoft Help", lpString2="$Recycle.bin") returned 1 [0134.070] lstrcmpiW (lpString1="Microsoft Help", lpString2="System Volume Information") returned -1 [0134.070] lstrcmpiW (lpString1="Microsoft Help", lpString2=".") returned 1 [0134.070] lstrcmpiW (lpString1="Microsoft Help", lpString2="..") returned 1 [0134.070] wnsprintfW (in: pszDest=0x52bae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft Help") returned 62 [0134.070] GetProcessHeap () returned 0x4c0000 [0134.071] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0134.071] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft Help" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft Help") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft Help" [0134.071] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft Help", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft Help\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft Help\\*" [0134.072] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft Help\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe80ff230, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xe80ff230, ftLastAccessTime.dwHighDateTime=0x1d2dda1, ftLastWriteTime.dwLowDateTime=0xe80ff230, ftLastWriteTime.dwHighDateTime=0x1d2dda1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7020 [0134.072] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0134.072] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0134.072] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0134.072] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0134.072] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0134.072] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0134.072] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe80ff230, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xe80ff230, ftLastAccessTime.dwHighDateTime=0x1d2dda1, ftLastWriteTime.dwLowDateTime=0xe80ff230, ftLastWriteTime.dwHighDateTime=0x1d2dda1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0134.073] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0134.073] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0134.073] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0134.073] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0134.073] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0134.073] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0134.073] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0134.073] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe80ff230, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xe80ff230, ftLastAccessTime.dwHighDateTime=0x1d2dda1, ftLastWriteTime.dwLowDateTime=0xe80ff230, ftLastWriteTime.dwHighDateTime=0x1d2dda1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 0 [0134.073] FindClose (in: hFindFile=0x3bb7020 | out: hFindFile=0x3bb7020) returned 1 [0134.073] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft Help\\PUSSY.TXT") returned 72 [0134.073] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft Help\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft help\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0134.074] lstrlenA (lpString="abcd") returned 4 [0134.074] WriteFile (in: hFile=0x180, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0134.075] CloseHandle (hObject=0x180) returned 1 [0134.075] GetProcessHeap () returned 0x4c0000 [0134.075] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0134.075] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb264df80, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7314c10, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7314c10, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="Mozilla", cAlternateFileName="")) returned 1 [0134.075] lstrcmpiW (lpString1="Mozilla", lpString2="Windows") returned -1 [0134.075] lstrcmpiW (lpString1="Mozilla", lpString2="Program Files") returned -1 [0134.075] lstrcmpiW (lpString1="Mozilla", lpString2="Program Files (x86)") returned -1 [0134.075] lstrcmpiW (lpString1="Mozilla", lpString2="$Recycle.bin") returned 1 [0134.075] lstrcmpiW (lpString1="Mozilla", lpString2="System Volume Information") returned -1 [0134.075] lstrcmpiW (lpString1="Mozilla", lpString2=".") returned 1 [0134.076] lstrcmpiW (lpString1="Mozilla", lpString2="..") returned 1 [0134.076] wnsprintfW (in: pszDest=0x52bae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla") returned 55 [0134.076] GetProcessHeap () returned 0x4c0000 [0134.076] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0134.076] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla" [0134.076] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\*" [0134.076] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb264df80, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7314c10, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7314c10, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7020 [0134.076] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0134.076] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0134.077] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0134.077] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0134.077] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0134.077] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0134.077] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb264df80, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7314c10, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7314c10, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0134.077] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0134.077] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0134.077] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0134.077] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0134.077] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0134.077] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0134.077] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0134.077] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb264df80, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb264df80, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb264df80, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Firefox", cAlternateFileName="")) returned 1 [0134.077] lstrcmpiW (lpString1="Firefox", lpString2="Windows") returned -1 [0134.077] lstrcmpiW (lpString1="Firefox", lpString2="Program Files") returned -1 [0134.077] lstrcmpiW (lpString1="Firefox", lpString2="Program Files (x86)") returned -1 [0134.077] lstrcmpiW (lpString1="Firefox", lpString2="$Recycle.bin") returned 1 [0134.077] lstrcmpiW (lpString1="Firefox", lpString2="System Volume Information") returned -1 [0134.077] lstrcmpiW (lpString1="Firefox", lpString2=".") returned 1 [0134.077] lstrcmpiW (lpString1="Firefox", lpString2="..") returned 1 [0134.077] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox") returned 63 [0134.078] GetProcessHeap () returned 0x4c0000 [0134.078] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0134.079] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox" [0134.079] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\*" [0134.079] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb264df80, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb264df80, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb264df80, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0134.080] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0134.080] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0134.080] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0134.080] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0134.080] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0134.080] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0134.080] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb264df80, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb264df80, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb264df80, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0134.081] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0134.081] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0134.081] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0134.081] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0134.081] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0134.081] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0134.081] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0134.081] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb264df80, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb264df80, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb264df80, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="Profiles", cAlternateFileName="")) returned 1 [0134.081] lstrcmpiW (lpString1="Profiles", lpString2="Windows") returned -1 [0134.081] lstrcmpiW (lpString1="Profiles", lpString2="Program Files") returned -1 [0134.081] lstrcmpiW (lpString1="Profiles", lpString2="Program Files (x86)") returned -1 [0134.081] lstrcmpiW (lpString1="Profiles", lpString2="$Recycle.bin") returned 1 [0134.081] lstrcmpiW (lpString1="Profiles", lpString2="System Volume Information") returned -1 [0134.081] lstrcmpiW (lpString1="Profiles", lpString2=".") returned 1 [0134.081] lstrcmpiW (lpString1="Profiles", lpString2="..") returned 1 [0134.081] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles") returned 72 [0134.081] GetProcessHeap () returned 0x4c0000 [0134.082] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0134.082] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles" [0134.082] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\*" [0134.082] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb264df80, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb264df80, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb264df80, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0134.083] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0134.083] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0134.083] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0134.083] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0134.083] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0134.083] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0134.083] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb264df80, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb264df80, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb264df80, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0134.083] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0134.083] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0134.083] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0134.083] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0134.083] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0134.083] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0134.083] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0134.083] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb264df80, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x826e2030, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x826e2030, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="silmbjec.default", cAlternateFileName="SILMBJ~1.DEF")) returned 1 [0134.083] lstrcmpiW (lpString1="silmbjec.default", lpString2="Windows") returned -1 [0134.083] lstrcmpiW (lpString1="silmbjec.default", lpString2="Program Files") returned 1 [0134.083] lstrcmpiW (lpString1="silmbjec.default", lpString2="Program Files (x86)") returned 1 [0134.083] lstrcmpiW (lpString1="silmbjec.default", lpString2="$Recycle.bin") returned 1 [0134.083] lstrcmpiW (lpString1="silmbjec.default", lpString2="System Volume Information") returned -1 [0134.084] lstrcmpiW (lpString1="silmbjec.default", lpString2=".") returned 1 [0134.084] lstrcmpiW (lpString1="silmbjec.default", lpString2="..") returned 1 [0134.084] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default") returned 89 [0134.084] GetProcessHeap () returned 0x4c0000 [0134.084] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0134.085] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default" [0134.085] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\*" [0134.085] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb264df80, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x826e2030, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x826e2030, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0134.090] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0134.090] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0134.090] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0134.090] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0134.090] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0134.090] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0134.090] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb264df80, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x826e2030, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x826e2030, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0134.090] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0134.090] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0134.091] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0134.091] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0134.091] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0134.091] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0134.091] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0134.091] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb64f2970, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb6518ad0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb6518ad0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName="Cache", cAlternateFileName="")) returned 1 [0134.091] lstrcmpiW (lpString1="Cache", lpString2="Windows") returned -1 [0134.091] lstrcmpiW (lpString1="Cache", lpString2="Program Files") returned -1 [0134.091] lstrcmpiW (lpString1="Cache", lpString2="Program Files (x86)") returned -1 [0134.091] lstrcmpiW (lpString1="Cache", lpString2="$Recycle.bin") returned 1 [0134.091] lstrcmpiW (lpString1="Cache", lpString2="System Volume Information") returned -1 [0134.091] lstrcmpiW (lpString1="Cache", lpString2=".") returned 1 [0134.091] lstrcmpiW (lpString1="Cache", lpString2="..") returned 1 [0134.091] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache") returned 95 [0134.091] GetProcessHeap () returned 0x4c0000 [0134.091] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bd80e8 [0134.092] lstrcpyW (in: lpString1=0x3bd80e8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache" [0134.092] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\*" [0134.092] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb64f2970, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb6518ad0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb6518ad0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0134.104] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0134.104] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0134.105] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0134.105] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0134.105] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0134.105] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0134.105] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb64f2970, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb6518ad0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb6518ad0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0134.105] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0134.105] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0134.105] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0134.105] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0134.105] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0134.105] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0134.105] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0134.105] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb64f2970, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x81eff750, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x81eff750, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="0", cAlternateFileName="")) returned 1 [0134.105] lstrcmpiW (lpString1="0", lpString2="Windows") returned -1 [0134.105] lstrcmpiW (lpString1="0", lpString2="Program Files") returned -1 [0134.105] lstrcmpiW (lpString1="0", lpString2="Program Files (x86)") returned -1 [0134.105] lstrcmpiW (lpString1="0", lpString2="$Recycle.bin") returned 1 [0134.105] lstrcmpiW (lpString1="0", lpString2="System Volume Information") returned -1 [0134.105] lstrcmpiW (lpString1="0", lpString2=".") returned 1 [0134.105] lstrcmpiW (lpString1="0", lpString2="..") returned 1 [0134.105] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0") returned 97 [0134.105] GetProcessHeap () returned 0x4c0000 [0134.106] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53caf0 [0134.106] lstrcpyW (in: lpString1=0x53caf0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0" [0134.106] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\*" [0134.106] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\*", lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb64f2970, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x81eff750, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x81eff750, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0134.107] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0134.107] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0134.107] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0134.107] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0134.107] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0134.107] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0134.107] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb64f2970, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x81eff750, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x81eff750, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="..", cAlternateFileName="")) returned 1 [0134.107] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0134.107] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0134.107] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0134.107] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0134.107] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0134.107] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0134.107] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0134.107] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb8c39470, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb8c39470, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb8c39470, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="98", cAlternateFileName="")) returned 1 [0134.107] lstrcmpiW (lpString1="98", lpString2="Windows") returned -1 [0134.107] lstrcmpiW (lpString1="98", lpString2="Program Files") returned -1 [0134.108] lstrcmpiW (lpString1="98", lpString2="Program Files (x86)") returned -1 [0134.108] lstrcmpiW (lpString1="98", lpString2="$Recycle.bin") returned 1 [0134.108] lstrcmpiW (lpString1="98", lpString2="System Volume Information") returned -1 [0134.108] lstrcmpiW (lpString1="98", lpString2=".") returned 1 [0134.108] lstrcmpiW (lpString1="98", lpString2="..") returned 1 [0134.108] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\98") returned 100 [0134.108] GetProcessHeap () returned 0x4c0000 [0134.108] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x54caf8 [0134.108] lstrcpyW (in: lpString1=0x54caf8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\98" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\98") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\98" [0134.108] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\98", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\98\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\98\\*" [0134.108] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\98\\*", lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb8c39470, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb8c39470, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb8c39470, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName=".", cAlternateFileName="")) returned 0x3bb71a0 [0134.109] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0134.109] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0134.109] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0134.109] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0134.109] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0134.109] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0134.109] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb8c39470, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb8c39470, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb8c39470, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName="..", cAlternateFileName="")) returned 1 [0134.110] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0134.110] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0134.110] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0134.110] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0134.110] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0134.110] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0134.110] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0134.110] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb8c39470, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb8c39470, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb8cd19f0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0xb67e, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName="B60F3d01", cAlternateFileName="")) returned 1 [0134.110] lstrcmpiW (lpString1="B60F3d01", lpString2="Windows") returned -1 [0134.110] lstrcmpiW (lpString1="B60F3d01", lpString2="Program Files") returned -1 [0134.110] lstrcmpiW (lpString1="B60F3d01", lpString2="Program Files (x86)") returned -1 [0134.110] lstrcmpiW (lpString1="B60F3d01", lpString2="$Recycle.bin") returned 1 [0134.110] lstrcmpiW (lpString1="B60F3d01", lpString2="System Volume Information") returned -1 [0134.110] lstrcmpiW (lpString1="B60F3d01", lpString2=".") returned 1 [0134.110] lstrcmpiW (lpString1="B60F3d01", lpString2="..") returned 1 [0134.110] wnsprintfW (in: pszDest=0x54caf8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\98\\B60F3d01") returned 109 [0134.110] lstrcmpW (lpString1="B60F3d01", lpString2="PUSSY.TXT") returned -1 [0134.110] PathFindExtensionW (pszPath="B60F3d01") returned="" [0134.110] lstrlenW (lpString="") returned 0 [0134.110] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0134.110] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\98\\B60F3d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\0\\98\\b60f3d01"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0134.126] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=46718) returned 1 [0134.126] GetProcessHeap () returned 0x4c0000 [0134.126] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x55cb00 [0134.139] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="8E") returned 2 [0134.141] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="EC") returned 2 [0134.141] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="66") returned 2 [0134.141] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="19") returned 2 [0134.141] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="54") returned 2 [0134.141] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="35") returned 2 [0134.141] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="3A") returned 2 [0134.141] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="C3") returned 2 [0134.141] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="2D") returned 2 [0134.141] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="6D") returned 2 [0134.141] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="60") returned 2 [0134.141] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="25") returned 2 [0134.141] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="83") returned 2 [0134.141] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="6F") returned 2 [0134.141] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="87") returned 2 [0134.141] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="2B") returned 2 [0134.141] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="9C") returned 2 [0134.141] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="63") returned 2 [0134.141] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="4B") returned 2 [0134.141] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="E6") returned 2 [0134.141] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="7F") returned 2 [0134.141] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="9D") returned 2 [0134.142] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="7E") returned 2 [0134.142] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="EB") returned 2 [0134.142] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="D7") returned 2 [0134.142] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="68") returned 2 [0134.142] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="79") returned 2 [0134.142] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="0C") returned 2 [0134.142] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="81") returned 2 [0134.142] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="00") returned 2 [0134.142] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="CB") returned 2 [0134.142] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="17") returned 2 [0134.154] lstrcpyW (in: lpString1=0x56cb34, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\98\\B60F3d01" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\98\\B60F3d01") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\98\\B60F3d01" [0134.154] lstrcpyW (in: lpString1=0x55cb34, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\98\\B60F3d01" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\98\\B60F3d01") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\98\\B60F3d01" [0134.154] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\98\\B60F3d01", lpString2=".8EEC661954353AC32D6D6025836F872B9C634BE67F9D7EEBD768790C8100CB17" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\98\\B60F3d01.8EEC661954353AC32D6D6025836F872B9C634BE67F9D7EEBD768790C8100CB17") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\98\\B60F3d01.8EEC661954353AC32D6D6025836F872B9C634BE67F9D7EEBD768790C8100CB17" [0134.154] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0x94, CompletionKey=0x55cb00, NumberOfConcurrentThreads=0x0) returned 0x94 [0134.154] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x55cb00, lpOverlapped=0x55cb00) returned 1 [0134.155] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb8c39470, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb8c39470, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb8cd19f0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0xb67e, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName="B60F3d01", cAlternateFileName="")) returned 0 [0134.155] FindClose (in: hFindFile=0x3bb71a0 | out: hFindFile=0x3bb71a0) returned 1 [0134.155] wnsprintfW (in: pszDest=0x54caf8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\98\\PUSSY.TXT") returned 110 [0134.156] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\98\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\0\\98\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0134.157] lstrlenA (lpString="abcd") returned 4 [0134.157] WriteFile (in: hFile=0x174, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a14c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a14c*=0x4, lpOverlapped=0x0) returned 1 [0134.158] CloseHandle (hObject=0x174) returned 1 [0134.158] GetProcessHeap () returned 0x4c0000 [0134.158] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x54caf8 | out: hHeap=0x4c0000) returned 1 [0134.158] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81eff750, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x81eff750, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x81eff750, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="A8", cAlternateFileName="")) returned 1 [0134.158] lstrcmpiW (lpString1="A8", lpString2="Windows") returned -1 [0134.158] lstrcmpiW (lpString1="A8", lpString2="Program Files") returned -1 [0134.158] lstrcmpiW (lpString1="A8", lpString2="Program Files (x86)") returned -1 [0134.158] lstrcmpiW (lpString1="A8", lpString2="$Recycle.bin") returned 1 [0134.158] lstrcmpiW (lpString1="A8", lpString2="System Volume Information") returned -1 [0134.158] lstrcmpiW (lpString1="A8", lpString2=".") returned 1 [0134.158] lstrcmpiW (lpString1="A8", lpString2="..") returned 1 [0134.158] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\A8") returned 100 [0134.158] GetProcessHeap () returned 0x4c0000 [0134.158] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x54caf8 [0134.158] lstrcpyW (in: lpString1=0x54caf8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\A8" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\A8") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\A8" [0134.159] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\A8", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\A8\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\A8\\*" [0134.159] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\A8\\*", lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81eff750, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x81eff750, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x81eff750, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName=".", cAlternateFileName="")) returned 0x3bb71a0 [0134.160] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0134.160] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0134.160] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0134.160] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0134.160] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0134.160] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0134.160] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81eff750, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x81eff750, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x81eff750, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName="..", cAlternateFileName="")) returned 1 [0134.160] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0134.160] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0134.160] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0134.160] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0134.160] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0134.160] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0134.160] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0134.160] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x81eff750, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x81eff750, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x81eff750, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x4898, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName="C3B7Bd01", cAlternateFileName="")) returned 1 [0134.160] lstrcmpiW (lpString1="C3B7Bd01", lpString2="Windows") returned -1 [0134.160] lstrcmpiW (lpString1="C3B7Bd01", lpString2="Program Files") returned -1 [0134.161] lstrcmpiW (lpString1="C3B7Bd01", lpString2="Program Files (x86)") returned -1 [0134.161] lstrcmpiW (lpString1="C3B7Bd01", lpString2="$Recycle.bin") returned 1 [0134.161] lstrcmpiW (lpString1="C3B7Bd01", lpString2="System Volume Information") returned -1 [0134.161] lstrcmpiW (lpString1="C3B7Bd01", lpString2=".") returned 1 [0134.161] lstrcmpiW (lpString1="C3B7Bd01", lpString2="..") returned 1 [0134.161] wnsprintfW (in: pszDest=0x54caf8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\A8\\C3B7Bd01") returned 109 [0134.161] lstrcmpW (lpString1="C3B7Bd01", lpString2="PUSSY.TXT") returned -1 [0134.161] PathFindExtensionW (pszPath="C3B7Bd01") returned="" [0134.161] lstrlenW (lpString="") returned 0 [0134.161] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0134.161] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\A8\\C3B7Bd01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\0\\a8\\c3b7bd01"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0134.208] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=18584) returned 1 [0134.208] GetProcessHeap () returned 0x4c0000 [0134.208] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x55cb00 [0134.221] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="F2") returned 2 [0134.221] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="41") returned 2 [0134.221] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="FE") returned 2 [0134.221] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="4C") returned 2 [0134.221] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="8F") returned 2 [0134.221] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="4A") returned 2 [0134.221] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="5D") returned 2 [0134.221] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="22") returned 2 [0134.221] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="D6") returned 2 [0134.221] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="B0") returned 2 [0134.221] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="9D") returned 2 [0134.222] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="4F") returned 2 [0134.222] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="20") returned 2 [0134.222] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="72") returned 2 [0134.222] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="23") returned 2 [0134.222] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="19") returned 2 [0134.222] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="42") returned 2 [0134.222] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="0A") returned 2 [0134.222] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="D0") returned 2 [0134.222] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="06") returned 2 [0134.222] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="47") returned 2 [0134.222] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="D3") returned 2 [0134.222] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="18") returned 2 [0134.222] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="33") returned 2 [0134.222] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="08") returned 2 [0134.222] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="92") returned 2 [0134.222] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="FF") returned 2 [0134.222] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="1B") returned 2 [0134.222] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="3B") returned 2 [0134.222] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="3D") returned 2 [0134.222] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="95") returned 2 [0134.222] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="50") returned 2 [0134.234] lstrcpyW (in: lpString1=0x56cb34, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\A8\\C3B7Bd01" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\A8\\C3B7Bd01") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\A8\\C3B7Bd01" [0134.234] lstrcpyW (in: lpString1=0x55cb34, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\A8\\C3B7Bd01" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\A8\\C3B7Bd01") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\A8\\C3B7Bd01" [0134.234] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\A8\\C3B7Bd01", lpString2=".F241FE4C8F4A5D22D6B09D4F20722319420AD00647D318330892FF1B3B3D9550" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\A8\\C3B7Bd01.F241FE4C8F4A5D22D6B09D4F20722319420AD00647D318330892FF1B3B3D9550") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\A8\\C3B7Bd01.F241FE4C8F4A5D22D6B09D4F20722319420AD00647D318330892FF1B3B3D9550" [0134.234] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0x94, CompletionKey=0x55cb00, NumberOfConcurrentThreads=0x0) returned 0x94 [0134.234] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x55cb00, lpOverlapped=0x55cb00) returned 1 [0134.235] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x81eff750, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x81eff750, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x81eff750, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x4898, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName="C3B7Bd01", cAlternateFileName="")) returned 0 [0134.235] FindClose (in: hFindFile=0x3bb71a0 | out: hFindFile=0x3bb71a0) returned 1 [0134.235] wnsprintfW (in: pszDest=0x54caf8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\A8\\PUSSY.TXT") returned 110 [0134.235] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\A8\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\0\\a8\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0134.236] lstrlenA (lpString="abcd") returned 4 [0134.236] WriteFile (in: hFile=0x174, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a14c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a14c*=0x4, lpOverlapped=0x0) returned 1 [0134.238] CloseHandle (hObject=0x174) returned 1 [0134.238] GetProcessHeap () returned 0x4c0000 [0134.238] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x54caf8 | out: hHeap=0x4c0000) returned 1 [0134.238] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81eff750, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x81eff750, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x81eff750, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="A8", cAlternateFileName="")) returned 0 [0134.238] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0134.238] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\PUSSY.TXT") returned 107 [0134.238] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\0\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0134.239] lstrlenA (lpString="abcd") returned 4 [0134.239] WriteFile (in: hFile=0xec, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a8ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a8ec*=0x4, lpOverlapped=0x0) returned 1 [0134.240] CloseHandle (hObject=0xec) returned 1 [0134.240] GetProcessHeap () returned 0x4c0000 [0134.240] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0134.267] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb64f2970, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x826bbed0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x826bbed0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="1", cAlternateFileName="")) returned 1 [0134.267] lstrcmpiW (lpString1="1", lpString2="Windows") returned -1 [0134.267] lstrcmpiW (lpString1="1", lpString2="Program Files") returned -1 [0134.268] lstrcmpiW (lpString1="1", lpString2="Program Files (x86)") returned -1 [0134.268] lstrcmpiW (lpString1="1", lpString2="$Recycle.bin") returned 1 [0134.268] lstrcmpiW (lpString1="1", lpString2="System Volume Information") returned -1 [0134.268] lstrcmpiW (lpString1="1", lpString2=".") returned 1 [0134.268] lstrcmpiW (lpString1="1", lpString2="..") returned 1 [0134.268] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1") returned 97 [0134.268] GetProcessHeap () returned 0x4c0000 [0134.268] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x584b50 [0134.269] lstrcpyW (in: lpString1=0x584b50, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1" [0134.269] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\*" [0134.269] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\*", lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb64f2970, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x826bbed0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x826bbed0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0134.269] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0134.269] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0134.269] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0134.269] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0134.270] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0134.270] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0134.270] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb64f2970, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x826bbed0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x826bbed0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="..", cAlternateFileName="")) returned 1 [0134.270] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0134.270] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0134.270] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0134.270] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0134.270] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0134.270] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0134.270] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0134.270] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7680bb0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7680bb0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7680bb0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="0B", cAlternateFileName="")) returned 1 [0134.270] lstrcmpiW (lpString1="0B", lpString2="Windows") returned -1 [0134.270] lstrcmpiW (lpString1="0B", lpString2="Program Files") returned -1 [0134.270] lstrcmpiW (lpString1="0B", lpString2="Program Files (x86)") returned -1 [0134.270] lstrcmpiW (lpString1="0B", lpString2="$Recycle.bin") returned 1 [0134.270] lstrcmpiW (lpString1="0B", lpString2="System Volume Information") returned -1 [0134.270] lstrcmpiW (lpString1="0B", lpString2=".") returned 1 [0134.270] lstrcmpiW (lpString1="0B", lpString2="..") returned 1 [0134.270] wnsprintfW (in: pszDest=0x584b50, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\0B") returned 100 [0134.270] GetProcessHeap () returned 0x4c0000 [0134.270] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53caf0 [0134.271] lstrcpyW (in: lpString1=0x53caf0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\0B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\0B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\0B" [0134.271] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\0B", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\0B\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\0B\\*" [0134.272] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\0B\\*", lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7680bb0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7680bb0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7680bb0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName=".", cAlternateFileName="")) returned 0x3bb71a0 [0134.272] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0134.272] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0134.272] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0134.272] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0134.272] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0134.272] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0134.272] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7680bb0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7680bb0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7680bb0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName="..", cAlternateFileName="")) returned 1 [0134.272] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0134.272] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0134.273] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0134.273] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0134.273] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0134.273] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0134.273] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0134.273] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb7680bb0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7680bb0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7680bb0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x204fd, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName="FCBF5d01", cAlternateFileName="")) returned 1 [0134.273] lstrcmpiW (lpString1="FCBF5d01", lpString2="Windows") returned -1 [0134.273] lstrcmpiW (lpString1="FCBF5d01", lpString2="Program Files") returned -1 [0134.273] lstrcmpiW (lpString1="FCBF5d01", lpString2="Program Files (x86)") returned -1 [0134.273] lstrcmpiW (lpString1="FCBF5d01", lpString2="$Recycle.bin") returned 1 [0134.273] lstrcmpiW (lpString1="FCBF5d01", lpString2="System Volume Information") returned -1 [0134.273] lstrcmpiW (lpString1="FCBF5d01", lpString2=".") returned 1 [0134.273] lstrcmpiW (lpString1="FCBF5d01", lpString2="..") returned 1 [0134.273] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\0B\\FCBF5d01") returned 109 [0134.273] lstrcmpW (lpString1="FCBF5d01", lpString2="PUSSY.TXT") returned -1 [0134.273] PathFindExtensionW (pszPath="FCBF5d01") returned="" [0134.273] lstrlenW (lpString="") returned 0 [0134.273] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0134.273] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\0B\\FCBF5d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\1\\0b\\fcbf5d01"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0134.275] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=132349) returned 1 [0134.275] GetProcessHeap () returned 0x4c0000 [0134.275] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0134.290] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="F4") returned 2 [0134.290] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="B7") returned 2 [0134.290] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="3D") returned 2 [0134.290] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="5F") returned 2 [0134.290] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="AF") returned 2 [0134.290] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="64") returned 2 [0134.290] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="1C") returned 2 [0134.290] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="C4") returned 2 [0134.290] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="A7") returned 2 [0134.290] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="E3") returned 2 [0134.290] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="02") returned 2 [0134.290] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="EE") returned 2 [0134.290] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="C8") returned 2 [0134.290] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="CC") returned 2 [0134.290] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="D2") returned 2 [0134.290] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="89") returned 2 [0134.290] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="3B") returned 2 [0134.290] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="76") returned 2 [0134.290] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="16") returned 2 [0134.290] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="11") returned 2 [0134.290] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="3E") returned 2 [0134.291] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="56") returned 2 [0134.291] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="88") returned 2 [0134.291] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="2C") returned 2 [0134.291] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="1E") returned 2 [0134.291] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="E9") returned 2 [0134.291] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="B6") returned 2 [0134.291] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="7C") returned 2 [0134.291] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="C0") returned 2 [0134.291] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="78") returned 2 [0134.291] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="F7") returned 2 [0134.291] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="51") returned 2 [0134.306] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\0B\\FCBF5d01" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\0B\\FCBF5d01") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\0B\\FCBF5d01" [0134.306] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\0B\\FCBF5d01" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\0B\\FCBF5d01") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\0B\\FCBF5d01" [0134.306] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\0B\\FCBF5d01", lpString2=".F4B73D5FAF641CC4A7E302EEC8CCD2893B7616113E56882C1EE9B67CC078F751" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\0B\\FCBF5d01.F4B73D5FAF641CC4A7E302EEC8CCD2893B7616113E56882C1EE9B67CC078F751") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\0B\\FCBF5d01.F4B73D5FAF641CC4A7E302EEC8CCD2893B7616113E56882C1EE9B67CC078F751" [0134.306] CreateIoCompletionPort (FileHandle=0x17c, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0134.306] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0134.307] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb7680bb0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7680bb0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7680bb0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x204fd, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName="FCBF5d01", cAlternateFileName="")) returned 0 [0134.307] FindClose (in: hFindFile=0x3bb71a0 | out: hFindFile=0x3bb71a0) returned 1 [0134.307] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\0B\\PUSSY.TXT") returned 110 [0134.307] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\0B\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\1\\0b\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0134.308] lstrlenA (lpString="abcd") returned 4 [0134.308] WriteFile (in: hFile=0x174, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a14c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a14c*=0x4, lpOverlapped=0x0) returned 1 [0134.353] CloseHandle (hObject=0x174) returned 1 [0134.353] GetProcessHeap () returned 0x4c0000 [0134.353] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0134.353] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x826bbed0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x826bbed0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x826bbed0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="C2", cAlternateFileName="")) returned 1 [0134.354] lstrcmpiW (lpString1="C2", lpString2="Windows") returned -1 [0134.354] lstrcmpiW (lpString1="C2", lpString2="Program Files") returned -1 [0134.354] lstrcmpiW (lpString1="C2", lpString2="Program Files (x86)") returned -1 [0134.354] lstrcmpiW (lpString1="C2", lpString2="$Recycle.bin") returned 1 [0134.354] lstrcmpiW (lpString1="C2", lpString2="System Volume Information") returned -1 [0134.354] lstrcmpiW (lpString1="C2", lpString2=".") returned 1 [0134.354] lstrcmpiW (lpString1="C2", lpString2="..") returned 1 [0134.354] wnsprintfW (in: pszDest=0x584b50, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\C2") returned 100 [0134.354] GetProcessHeap () returned 0x4c0000 [0134.354] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53caf0 [0134.354] lstrcpyW (in: lpString1=0x53caf0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\C2" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\C2") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\C2" [0134.354] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\C2", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\C2\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\C2\\*" [0134.354] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\C2\\*", lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x826bbed0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x826bbed0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x826bbed0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName=".", cAlternateFileName="")) returned 0x3bb71a0 [0134.355] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0134.355] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0134.355] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0134.355] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0134.355] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0134.355] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0134.355] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x826bbed0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x826bbed0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x826bbed0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName="..", cAlternateFileName="")) returned 1 [0134.355] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0134.355] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0134.356] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0134.356] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0134.356] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0134.356] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0134.356] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0134.356] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x826bbed0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x826bbed0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x8272e2f0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0xaa05, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName="0B619d01", cAlternateFileName="")) returned 1 [0134.356] lstrcmpiW (lpString1="0B619d01", lpString2="Windows") returned -1 [0134.356] lstrcmpiW (lpString1="0B619d01", lpString2="Program Files") returned -1 [0134.356] lstrcmpiW (lpString1="0B619d01", lpString2="Program Files (x86)") returned -1 [0134.356] lstrcmpiW (lpString1="0B619d01", lpString2="$Recycle.bin") returned 1 [0134.356] lstrcmpiW (lpString1="0B619d01", lpString2="System Volume Information") returned -1 [0134.356] lstrcmpiW (lpString1="0B619d01", lpString2=".") returned 1 [0134.356] lstrcmpiW (lpString1="0B619d01", lpString2="..") returned 1 [0134.356] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\C2\\0B619d01") returned 109 [0134.356] lstrcmpW (lpString1="0B619d01", lpString2="PUSSY.TXT") returned -1 [0134.356] PathFindExtensionW (pszPath="0B619d01") returned="" [0134.356] lstrlenW (lpString="") returned 0 [0134.356] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0134.356] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\C2\\0B619d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\1\\c2\\0b619d01"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0134.357] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=43525) returned 1 [0134.357] GetProcessHeap () returned 0x4c0000 [0134.357] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x54caf8 [0134.370] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="FA") returned 2 [0134.370] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="DF") returned 2 [0134.370] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="4D") returned 2 [0134.371] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="D5") returned 2 [0134.371] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="BE") returned 2 [0134.371] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="EA") returned 2 [0134.371] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="D0") returned 2 [0134.371] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="24") returned 2 [0134.371] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="2B") returned 2 [0134.371] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="92") returned 2 [0134.371] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="97") returned 2 [0134.371] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="35") returned 2 [0134.371] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="B8") returned 2 [0134.371] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="90") returned 2 [0134.371] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="42") returned 2 [0134.371] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="A9") returned 2 [0134.371] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="3B") returned 2 [0134.371] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="73") returned 2 [0134.371] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="ED") returned 2 [0134.371] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="99") returned 2 [0134.371] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="2C") returned 2 [0134.371] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="6E") returned 2 [0134.371] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="F2") returned 2 [0134.371] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="17") returned 2 [0134.371] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="AE") returned 2 [0134.371] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="D9") returned 2 [0134.371] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="D9") returned 2 [0134.371] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="C8") returned 2 [0134.372] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="79") returned 2 [0134.372] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="C4") returned 2 [0134.372] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="ED") returned 2 [0134.372] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="28") returned 2 [0134.384] lstrcpyW (in: lpString1=0x55cb2c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\C2\\0B619d01" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\C2\\0B619d01") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\C2\\0B619d01" [0134.384] lstrcpyW (in: lpString1=0x54cb2c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\C2\\0B619d01" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\C2\\0B619d01") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\C2\\0B619d01" [0134.384] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\C2\\0B619d01", lpString2=".FADF4DD5BEEAD0242B929735B89042A93B73ED992C6EF217AED9D9C879C4ED28" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\C2\\0B619d01.FADF4DD5BEEAD0242B929735B89042A93B73ED992C6EF217AED9D9C879C4ED28") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\C2\\0B619d01.FADF4DD5BEEAD0242B929735B89042A93B73ED992C6EF217AED9D9C879C4ED28" [0134.384] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0x94, CompletionKey=0x54caf8, NumberOfConcurrentThreads=0x0) returned 0x94 [0134.384] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x54caf8, lpOverlapped=0x54caf8) returned 1 [0134.385] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x826bbed0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x826bbed0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x8272e2f0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0xaa05, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName="0B619d01", cAlternateFileName="")) returned 0 [0134.385] FindClose (in: hFindFile=0x3bb71a0 | out: hFindFile=0x3bb71a0) returned 1 [0134.385] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\C2\\PUSSY.TXT") returned 110 [0134.385] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\C2\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\1\\c2\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0134.420] lstrlenA (lpString="abcd") returned 4 [0134.420] WriteFile (in: hFile=0x174, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a14c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a14c*=0x4, lpOverlapped=0x0) returned 1 [0134.421] CloseHandle (hObject=0x174) returned 1 [0134.421] GetProcessHeap () returned 0x4c0000 [0134.421] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0134.421] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7d7ec50, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7d7ec50, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7d7ec50, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="F6", cAlternateFileName="")) returned 1 [0134.421] lstrcmpiW (lpString1="F6", lpString2="Windows") returned -1 [0134.422] lstrcmpiW (lpString1="F6", lpString2="Program Files") returned -1 [0134.422] lstrcmpiW (lpString1="F6", lpString2="Program Files (x86)") returned -1 [0134.422] lstrcmpiW (lpString1="F6", lpString2="$Recycle.bin") returned 1 [0134.422] lstrcmpiW (lpString1="F6", lpString2="System Volume Information") returned -1 [0134.422] lstrcmpiW (lpString1="F6", lpString2=".") returned 1 [0134.422] lstrcmpiW (lpString1="F6", lpString2="..") returned 1 [0134.422] wnsprintfW (in: pszDest=0x584b50, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\F6") returned 100 [0134.422] GetProcessHeap () returned 0x4c0000 [0134.422] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53caf0 [0134.422] lstrcpyW (in: lpString1=0x53caf0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\F6" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\F6") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\F6" [0134.422] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\F6", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\F6\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\F6\\*" [0134.422] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\F6\\*", lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7d7ec50, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7d7ec50, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7d7ec50, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName=".", cAlternateFileName="")) returned 0x3bb71a0 [0134.422] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0134.422] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0134.422] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0134.422] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0134.422] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0134.422] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0134.422] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7d7ec50, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7d7ec50, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7d7ec50, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName="..", cAlternateFileName="")) returned 1 [0134.423] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0134.423] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0134.423] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0134.423] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0134.423] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0134.423] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0134.423] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0134.423] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb7d7ec50, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7d7ec50, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7eaf750, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0xa60b, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName="CBD4Dd01", cAlternateFileName="")) returned 1 [0134.423] lstrcmpiW (lpString1="CBD4Dd01", lpString2="Windows") returned -1 [0134.423] lstrcmpiW (lpString1="CBD4Dd01", lpString2="Program Files") returned -1 [0134.423] lstrcmpiW (lpString1="CBD4Dd01", lpString2="Program Files (x86)") returned -1 [0134.423] lstrcmpiW (lpString1="CBD4Dd01", lpString2="$Recycle.bin") returned 1 [0134.423] lstrcmpiW (lpString1="CBD4Dd01", lpString2="System Volume Information") returned -1 [0134.423] lstrcmpiW (lpString1="CBD4Dd01", lpString2=".") returned 1 [0134.423] lstrcmpiW (lpString1="CBD4Dd01", lpString2="..") returned 1 [0134.423] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\F6\\CBD4Dd01") returned 109 [0134.423] lstrcmpW (lpString1="CBD4Dd01", lpString2="PUSSY.TXT") returned -1 [0134.423] PathFindExtensionW (pszPath="CBD4Dd01") returned="" [0134.423] lstrlenW (lpString="") returned 0 [0134.423] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0134.423] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\F6\\CBD4Dd01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\1\\f6\\cbd4dd01"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0134.424] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=42507) returned 1 [0134.424] GetProcessHeap () returned 0x4c0000 [0134.424] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c28098 [0134.433] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="5D") returned 2 [0134.433] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="90") returned 2 [0134.433] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="7F") returned 2 [0134.433] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="50") returned 2 [0134.433] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="BE") returned 2 [0134.433] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="8B") returned 2 [0134.433] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="C5") returned 2 [0134.433] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="59") returned 2 [0134.433] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="2B") returned 2 [0134.434] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="6F") returned 2 [0134.434] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="54") returned 2 [0134.434] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="65") returned 2 [0134.434] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="3B") returned 2 [0134.434] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="2B") returned 2 [0134.434] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="01") returned 2 [0134.434] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="BC") returned 2 [0134.434] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="D7") returned 2 [0134.434] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="B9") returned 2 [0134.434] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="13") returned 2 [0134.434] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="ED") returned 2 [0134.434] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="55") returned 2 [0134.434] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="DD") returned 2 [0134.434] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="CC") returned 2 [0134.434] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="2D") returned 2 [0134.434] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="8D") returned 2 [0134.434] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="4B") returned 2 [0134.434] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="97") returned 2 [0134.434] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="DA") returned 2 [0134.434] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="1E") returned 2 [0134.434] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="7C") returned 2 [0134.434] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="0B") returned 2 [0134.434] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="4D") returned 2 [0134.442] lstrcpyW (in: lpString1=0x3c380cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\F6\\CBD4Dd01" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\F6\\CBD4Dd01") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\F6\\CBD4Dd01" [0134.443] lstrcpyW (in: lpString1=0x3c280cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\F6\\CBD4Dd01" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\F6\\CBD4Dd01") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\F6\\CBD4Dd01" [0134.443] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\F6\\CBD4Dd01", lpString2=".5D907F50BE8BC5592B6F54653B2B01BCD7B913ED55DDCC2D8D4B97DA1E7C0B4D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\F6\\CBD4Dd01.5D907F50BE8BC5592B6F54653B2B01BCD7B913ED55DDCC2D8D4B97DA1E7C0B4D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\F6\\CBD4Dd01.5D907F50BE8BC5592B6F54653B2B01BCD7B913ED55DDCC2D8D4B97DA1E7C0B4D" [0134.443] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x3c28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0134.443] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c28098, lpOverlapped=0x3c28098) returned 1 [0134.444] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb7d7ec50, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7d7ec50, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7eaf750, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0xa60b, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName="CBD4Dd01", cAlternateFileName="")) returned 0 [0134.444] FindClose (in: hFindFile=0x3bb71a0 | out: hFindFile=0x3bb71a0) returned 1 [0134.444] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\F6\\PUSSY.TXT") returned 110 [0134.444] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\F6\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\1\\f6\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0134.445] lstrlenA (lpString="abcd") returned 4 [0134.445] WriteFile (in: hFile=0x174, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a14c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a14c*=0x4, lpOverlapped=0x0) returned 1 [0134.478] CloseHandle (hObject=0x174) returned 1 [0134.478] GetProcessHeap () returned 0x4c0000 [0134.478] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0134.478] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7d7ec50, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7d7ec50, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7d7ec50, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="F6", cAlternateFileName="")) returned 0 [0134.478] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0134.478] wnsprintfW (in: pszDest=0x584b50, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\PUSSY.TXT") returned 107 [0134.478] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\1\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0134.479] lstrlenA (lpString="abcd") returned 4 [0134.479] WriteFile (in: hFile=0xec, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a8ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a8ec*=0x4, lpOverlapped=0x0) returned 1 [0134.480] CloseHandle (hObject=0xec) returned 1 [0134.480] GetProcessHeap () returned 0x4c0000 [0134.480] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x584b50 | out: hHeap=0x4c0000) returned 1 [0134.480] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb64f2970, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb64f2970, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb64f2970, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="2", cAlternateFileName="")) returned 1 [0134.480] lstrcmpiW (lpString1="2", lpString2="Windows") returned -1 [0134.480] lstrcmpiW (lpString1="2", lpString2="Program Files") returned -1 [0134.480] lstrcmpiW (lpString1="2", lpString2="Program Files (x86)") returned -1 [0134.480] lstrcmpiW (lpString1="2", lpString2="$Recycle.bin") returned 1 [0134.480] lstrcmpiW (lpString1="2", lpString2="System Volume Information") returned -1 [0134.480] lstrcmpiW (lpString1="2", lpString2=".") returned 1 [0134.480] lstrcmpiW (lpString1="2", lpString2="..") returned 1 [0134.480] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\2") returned 97 [0134.480] GetProcessHeap () returned 0x4c0000 [0134.480] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53caf0 [0134.480] lstrcpyW (in: lpString1=0x53caf0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\2" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\2") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\2" [0134.480] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\2", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\2\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\2\\*" [0134.480] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\2\\*", lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb64f2970, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb64f2970, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb64f2970, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0134.481] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0134.481] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0134.481] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0134.481] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0134.481] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0134.481] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0134.481] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb64f2970, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb64f2970, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb64f2970, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="..", cAlternateFileName="")) returned 1 [0134.482] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0134.482] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0134.482] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0134.482] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0134.482] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0134.482] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0134.482] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0134.482] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb64f2970, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb64f2970, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb64f2970, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="..", cAlternateFileName="")) returned 0 [0134.482] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0134.482] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\2\\PUSSY.TXT") returned 107 [0134.482] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\2\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\2\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0134.483] lstrlenA (lpString="abcd") returned 4 [0134.483] WriteFile (in: hFile=0xec, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a8ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a8ec*=0x4, lpOverlapped=0x0) returned 1 [0134.484] CloseHandle (hObject=0xec) returned 1 [0134.484] GetProcessHeap () returned 0x4c0000 [0134.484] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0134.484] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb64f2970, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb727c690, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb727c690, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="3", cAlternateFileName="")) returned 1 [0134.484] lstrcmpiW (lpString1="3", lpString2="Windows") returned -1 [0134.484] lstrcmpiW (lpString1="3", lpString2="Program Files") returned -1 [0134.484] lstrcmpiW (lpString1="3", lpString2="Program Files (x86)") returned -1 [0134.484] lstrcmpiW (lpString1="3", lpString2="$Recycle.bin") returned 1 [0134.484] lstrcmpiW (lpString1="3", lpString2="System Volume Information") returned -1 [0134.484] lstrcmpiW (lpString1="3", lpString2=".") returned 1 [0134.484] lstrcmpiW (lpString1="3", lpString2="..") returned 1 [0134.484] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3") returned 97 [0134.484] GetProcessHeap () returned 0x4c0000 [0134.484] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53caf0 [0134.484] lstrcpyW (in: lpString1=0x53caf0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3" [0134.484] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\*" [0134.484] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\*", lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb64f2970, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb727c690, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb727c690, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0134.485] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0134.485] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0134.485] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0134.485] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0134.485] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0134.485] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0134.485] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb64f2970, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb727c690, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb727c690, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="..", cAlternateFileName="")) returned 1 [0134.486] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0134.486] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0134.486] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0134.486] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0134.486] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0134.486] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0134.486] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0134.486] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb727c690, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb727c690, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb727c690, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="4B", cAlternateFileName="")) returned 1 [0134.486] lstrcmpiW (lpString1="4B", lpString2="Windows") returned -1 [0134.486] lstrcmpiW (lpString1="4B", lpString2="Program Files") returned -1 [0134.486] lstrcmpiW (lpString1="4B", lpString2="Program Files (x86)") returned -1 [0134.486] lstrcmpiW (lpString1="4B", lpString2="$Recycle.bin") returned 1 [0134.486] lstrcmpiW (lpString1="4B", lpString2="System Volume Information") returned -1 [0134.486] lstrcmpiW (lpString1="4B", lpString2=".") returned 1 [0134.486] lstrcmpiW (lpString1="4B", lpString2="..") returned 1 [0134.486] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\4B") returned 100 [0134.486] GetProcessHeap () returned 0x4c0000 [0134.486] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c500e8 [0134.486] lstrcpyW (in: lpString1=0x3c500e8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\4B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\4B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\4B" [0134.487] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\4B", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\4B\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\4B\\*" [0134.487] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\4B\\*", lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb727c690, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb727c690, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb727c690, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName=".", cAlternateFileName="")) returned 0x3bb71a0 [0134.487] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0134.487] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0134.487] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0134.487] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0134.488] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0134.488] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0134.488] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb727c690, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb727c690, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb727c690, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName="..", cAlternateFileName="")) returned 1 [0134.488] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0134.488] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0134.488] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0134.488] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0134.488] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0134.488] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0134.488] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0134.488] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb727c690, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb727c690, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb72eeab0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x20543, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName="1D8FDd01", cAlternateFileName="")) returned 1 [0134.488] lstrcmpiW (lpString1="1D8FDd01", lpString2="Windows") returned -1 [0134.488] lstrcmpiW (lpString1="1D8FDd01", lpString2="Program Files") returned -1 [0134.488] lstrcmpiW (lpString1="1D8FDd01", lpString2="Program Files (x86)") returned -1 [0134.488] lstrcmpiW (lpString1="1D8FDd01", lpString2="$Recycle.bin") returned 1 [0134.488] lstrcmpiW (lpString1="1D8FDd01", lpString2="System Volume Information") returned -1 [0134.488] lstrcmpiW (lpString1="1D8FDd01", lpString2=".") returned 1 [0134.488] lstrcmpiW (lpString1="1D8FDd01", lpString2="..") returned 1 [0134.488] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\4B\\1D8FDd01") returned 109 [0134.488] lstrcmpW (lpString1="1D8FDd01", lpString2="PUSSY.TXT") returned -1 [0134.488] PathFindExtensionW (pszPath="1D8FDd01") returned="" [0134.488] lstrlenW (lpString="") returned 0 [0134.488] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0134.488] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\4B\\1D8FDd01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\3\\4b\\1d8fdd01"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0134.490] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=132419) returned 1 [0134.490] GetProcessHeap () returned 0x4c0000 [0134.490] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b380a0 [0134.502] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="47") returned 2 [0134.502] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="C6") returned 2 [0134.502] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="A0") returned 2 [0134.502] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="BD") returned 2 [0134.502] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="5C") returned 2 [0134.502] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="92") returned 2 [0134.502] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="21") returned 2 [0134.502] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="7C") returned 2 [0134.503] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="24") returned 2 [0134.503] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="E3") returned 2 [0134.503] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="01") returned 2 [0134.503] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="E6") returned 2 [0134.503] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="EA") returned 2 [0134.503] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="3C") returned 2 [0134.503] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="98") returned 2 [0134.503] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="02") returned 2 [0134.503] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="59") returned 2 [0134.503] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="80") returned 2 [0134.503] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="0F") returned 2 [0134.503] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="B8") returned 2 [0134.503] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="47") returned 2 [0134.503] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="28") returned 2 [0134.503] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="61") returned 2 [0134.503] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="05") returned 2 [0134.503] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="29") returned 2 [0134.503] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="72") returned 2 [0134.503] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="04") returned 2 [0134.503] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="42") returned 2 [0134.503] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="BD") returned 2 [0134.503] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="B2") returned 2 [0134.503] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="15") returned 2 [0134.503] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="50") returned 2 [0134.518] lstrcpyW (in: lpString1=0x3b480d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\4B\\1D8FDd01" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\4B\\1D8FDd01") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\4B\\1D8FDd01" [0134.518] lstrcpyW (in: lpString1=0x3b380d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\4B\\1D8FDd01" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\4B\\1D8FDd01") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\4B\\1D8FDd01" [0134.518] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\4B\\1D8FDd01", lpString2=".47C6A0BD5C92217C24E301E6EA3C980259800FB84728610529720442BDB21550" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\4B\\1D8FDd01.47C6A0BD5C92217C24E301E6EA3C980259800FB84728610529720442BDB21550") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\4B\\1D8FDd01.47C6A0BD5C92217C24E301E6EA3C980259800FB84728610529720442BDB21550" [0134.519] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x3b380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0134.519] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b380a0, lpOverlapped=0x3b380a0) returned 1 [0134.519] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb727c690, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb727c690, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb72eeab0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x20543, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName="1D8FDd01", cAlternateFileName="")) returned 0 [0134.519] FindClose (in: hFindFile=0x3bb71a0 | out: hFindFile=0x3bb71a0) returned 1 [0134.519] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\4B\\PUSSY.TXT") returned 110 [0134.519] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\4B\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\3\\4b\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0134.520] lstrlenA (lpString="abcd") returned 4 [0134.520] WriteFile (in: hFile=0x174, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a14c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a14c*=0x4, lpOverlapped=0x0) returned 1 [0134.521] CloseHandle (hObject=0x174) returned 1 [0134.521] GetProcessHeap () returned 0x4c0000 [0134.521] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c500e8 | out: hHeap=0x4c0000) returned 1 [0134.521] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb727c690, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb727c690, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb727c690, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="4B", cAlternateFileName="")) returned 0 [0134.522] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0134.522] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\PUSSY.TXT") returned 107 [0134.522] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\3\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0134.523] lstrlenA (lpString="abcd") returned 4 [0134.523] WriteFile (in: hFile=0xec, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a8ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a8ec*=0x4, lpOverlapped=0x0) returned 1 [0134.524] CloseHandle (hObject=0xec) returned 1 [0134.524] GetProcessHeap () returned 0x4c0000 [0134.524] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0134.524] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb64f2970, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb64f2970, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb64f2970, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="4", cAlternateFileName="")) returned 1 [0134.524] lstrcmpiW (lpString1="4", lpString2="Windows") returned -1 [0134.524] lstrcmpiW (lpString1="4", lpString2="Program Files") returned -1 [0134.524] lstrcmpiW (lpString1="4", lpString2="Program Files (x86)") returned -1 [0134.524] lstrcmpiW (lpString1="4", lpString2="$Recycle.bin") returned 1 [0134.524] lstrcmpiW (lpString1="4", lpString2="System Volume Information") returned -1 [0134.524] lstrcmpiW (lpString1="4", lpString2=".") returned 1 [0134.524] lstrcmpiW (lpString1="4", lpString2="..") returned 1 [0134.524] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\4") returned 97 [0134.524] GetProcessHeap () returned 0x4c0000 [0134.524] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53caf0 [0134.524] lstrcpyW (in: lpString1=0x53caf0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\4" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\4" [0134.524] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\4", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\4\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\4\\*" [0134.524] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\4\\*", lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb64f2970, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb64f2970, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb64f2970, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0134.525] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0134.525] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0134.525] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0134.525] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0134.525] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0134.525] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0134.525] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb64f2970, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb64f2970, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb64f2970, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="..", cAlternateFileName="")) returned 1 [0134.525] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0134.525] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0134.525] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0134.525] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0134.525] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0134.525] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0134.525] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0134.525] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb64f2970, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb64f2970, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb64f2970, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="..", cAlternateFileName="")) returned 0 [0134.525] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0134.526] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\4\\PUSSY.TXT") returned 107 [0134.526] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\4\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\4\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0134.526] lstrlenA (lpString="abcd") returned 4 [0134.526] WriteFile (in: hFile=0xec, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a8ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a8ec*=0x4, lpOverlapped=0x0) returned 1 [0134.528] CloseHandle (hObject=0xec) returned 1 [0134.528] GetProcessHeap () returned 0x4c0000 [0134.528] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0134.528] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb64f2970, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb64f2970, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb64f2970, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="5", cAlternateFileName="")) returned 1 [0134.528] lstrcmpiW (lpString1="5", lpString2="Windows") returned -1 [0134.528] lstrcmpiW (lpString1="5", lpString2="Program Files") returned -1 [0134.528] lstrcmpiW (lpString1="5", lpString2="Program Files (x86)") returned -1 [0134.528] lstrcmpiW (lpString1="5", lpString2="$Recycle.bin") returned 1 [0134.528] lstrcmpiW (lpString1="5", lpString2="System Volume Information") returned -1 [0134.528] lstrcmpiW (lpString1="5", lpString2=".") returned 1 [0134.528] lstrcmpiW (lpString1="5", lpString2="..") returned 1 [0134.528] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\5") returned 97 [0134.528] GetProcessHeap () returned 0x4c0000 [0134.528] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53caf0 [0134.528] lstrcpyW (in: lpString1=0x53caf0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\5" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\5") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\5" [0134.528] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\5", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\5\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\5\\*" [0134.528] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\5\\*", lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb64f2970, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb64f2970, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb64f2970, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0134.591] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0134.592] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0134.592] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0134.592] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0134.592] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0134.592] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0134.592] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb64f2970, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb64f2970, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb64f2970, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="..", cAlternateFileName="")) returned 1 [0134.592] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0134.592] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0134.592] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0134.592] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0134.592] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0134.592] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0134.592] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0134.592] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb64f2970, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb64f2970, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb64f2970, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="..", cAlternateFileName="")) returned 0 [0134.592] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0134.592] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\5\\PUSSY.TXT") returned 107 [0134.592] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\5\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\5\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0134.942] lstrlenA (lpString="abcd") returned 4 [0134.942] WriteFile (in: hFile=0x1d4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a8ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a8ec*=0x4, lpOverlapped=0x0) returned 1 [0134.943] CloseHandle (hObject=0x1d4) returned 1 [0134.943] GetProcessHeap () returned 0x4c0000 [0134.943] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0134.943] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb6518ad0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb6518ad0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb6518ad0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="6", cAlternateFileName="")) returned 1 [0134.943] lstrcmpiW (lpString1="6", lpString2="Windows") returned -1 [0134.943] lstrcmpiW (lpString1="6", lpString2="Program Files") returned -1 [0134.943] lstrcmpiW (lpString1="6", lpString2="Program Files (x86)") returned -1 [0134.944] lstrcmpiW (lpString1="6", lpString2="$Recycle.bin") returned 1 [0134.944] lstrcmpiW (lpString1="6", lpString2="System Volume Information") returned -1 [0134.944] lstrcmpiW (lpString1="6", lpString2=".") returned 1 [0134.944] lstrcmpiW (lpString1="6", lpString2="..") returned 1 [0134.944] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\6") returned 97 [0134.944] GetProcessHeap () returned 0x4c0000 [0134.944] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c500e8 [0134.948] lstrcpyW (in: lpString1=0x3c500e8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\6" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\6") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\6" [0134.948] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\6", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\6\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\6\\*" [0134.948] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\6\\*", lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb6518ad0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb6518ad0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb6518ad0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0134.948] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0134.948] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0134.948] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0134.948] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0134.948] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0134.948] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0134.948] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb6518ad0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb6518ad0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb6518ad0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="..", cAlternateFileName="")) returned 1 [0134.948] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0134.948] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0134.948] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0134.948] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0134.948] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0134.949] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0134.949] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0134.949] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb6518ad0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb6518ad0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb6518ad0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="..", cAlternateFileName="")) returned 0 [0134.949] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0134.951] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\6\\PUSSY.TXT") returned 107 [0134.951] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\6\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\6\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0134.952] lstrlenA (lpString="abcd") returned 4 [0134.952] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a8ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a8ec*=0x4, lpOverlapped=0x0) returned 1 [0134.953] CloseHandle (hObject=0x18c) returned 1 [0134.953] GetProcessHeap () returned 0x4c0000 [0134.953] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c500e8 | out: hHeap=0x4c0000) returned 1 [0134.953] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb6518ad0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb6518ad0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb6518ad0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="7", cAlternateFileName="")) returned 1 [0134.953] lstrcmpiW (lpString1="7", lpString2="Windows") returned -1 [0134.953] lstrcmpiW (lpString1="7", lpString2="Program Files") returned -1 [0134.953] lstrcmpiW (lpString1="7", lpString2="Program Files (x86)") returned -1 [0134.953] lstrcmpiW (lpString1="7", lpString2="$Recycle.bin") returned 1 [0134.953] lstrcmpiW (lpString1="7", lpString2="System Volume Information") returned -1 [0134.953] lstrcmpiW (lpString1="7", lpString2=".") returned 1 [0134.953] lstrcmpiW (lpString1="7", lpString2="..") returned 1 [0134.953] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\7") returned 97 [0134.953] GetProcessHeap () returned 0x4c0000 [0134.954] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x502a88 [0134.954] lstrcpyW (in: lpString1=0x502a88, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\7" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\7") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\7" [0134.954] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\7", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\7\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\7\\*" [0134.954] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\7\\*", lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb6518ad0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb6518ad0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb6518ad0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0134.955] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0134.955] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0134.955] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0134.955] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0134.955] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0134.955] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0134.956] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb6518ad0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb6518ad0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb6518ad0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="..", cAlternateFileName="")) returned 1 [0134.956] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0134.956] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0134.956] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0134.956] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0134.956] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0134.956] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0134.956] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0134.956] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb6518ad0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb6518ad0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb6518ad0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="..", cAlternateFileName="")) returned 0 [0134.956] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0134.956] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\7\\PUSSY.TXT") returned 107 [0134.956] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\7\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\7\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0134.957] lstrlenA (lpString="abcd") returned 4 [0134.957] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a8ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a8ec*=0x4, lpOverlapped=0x0) returned 1 [0134.958] CloseHandle (hObject=0x18c) returned 1 [0134.958] GetProcessHeap () returned 0x4c0000 [0134.958] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0134.958] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb6518ad0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb6518ad0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb6518ad0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="8", cAlternateFileName="")) returned 1 [0134.958] lstrcmpiW (lpString1="8", lpString2="Windows") returned -1 [0134.958] lstrcmpiW (lpString1="8", lpString2="Program Files") returned -1 [0134.958] lstrcmpiW (lpString1="8", lpString2="Program Files (x86)") returned -1 [0134.958] lstrcmpiW (lpString1="8", lpString2="$Recycle.bin") returned 1 [0134.958] lstrcmpiW (lpString1="8", lpString2="System Volume Information") returned -1 [0134.958] lstrcmpiW (lpString1="8", lpString2=".") returned 1 [0134.958] lstrcmpiW (lpString1="8", lpString2="..") returned 1 [0134.958] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\8") returned 97 [0134.958] GetProcessHeap () returned 0x4c0000 [0134.958] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x502a88 [0134.958] lstrcpyW (in: lpString1=0x502a88, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\8" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\8") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\8" [0134.958] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\8", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\8\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\8\\*" [0134.958] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\8\\*", lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb6518ad0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb6518ad0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb6518ad0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0134.958] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0134.959] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0134.959] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0134.959] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0134.959] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0134.959] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0134.959] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb6518ad0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb6518ad0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb6518ad0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="..", cAlternateFileName="")) returned 1 [0134.959] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0134.959] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0134.959] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0134.959] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0134.959] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0134.959] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0134.959] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0134.959] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb6518ad0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb6518ad0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb6518ad0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="..", cAlternateFileName="")) returned 0 [0134.959] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0134.959] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\8\\PUSSY.TXT") returned 107 [0134.959] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\8\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\8\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0134.960] lstrlenA (lpString="abcd") returned 4 [0134.960] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a8ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a8ec*=0x4, lpOverlapped=0x0) returned 1 [0134.961] CloseHandle (hObject=0x18c) returned 1 [0134.961] GetProcessHeap () returned 0x4c0000 [0134.961] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0134.961] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb6518ad0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x81e8d330, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x81e8d330, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="9", cAlternateFileName="")) returned 1 [0134.961] lstrcmpiW (lpString1="9", lpString2="Windows") returned -1 [0134.961] lstrcmpiW (lpString1="9", lpString2="Program Files") returned -1 [0134.961] lstrcmpiW (lpString1="9", lpString2="Program Files (x86)") returned -1 [0134.961] lstrcmpiW (lpString1="9", lpString2="$Recycle.bin") returned 1 [0134.961] lstrcmpiW (lpString1="9", lpString2="System Volume Information") returned -1 [0134.961] lstrcmpiW (lpString1="9", lpString2=".") returned 1 [0134.961] lstrcmpiW (lpString1="9", lpString2="..") returned 1 [0134.961] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9") returned 97 [0134.961] GetProcessHeap () returned 0x4c0000 [0134.961] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x502a88 [0134.961] lstrcpyW (in: lpString1=0x502a88, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9" [0134.961] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\*" [0134.961] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\*", lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb6518ad0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x81e8d330, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x81e8d330, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0134.962] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0134.962] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0134.962] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0134.962] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0134.962] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0134.962] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0134.962] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb6518ad0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x81e8d330, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x81e8d330, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="..", cAlternateFileName="")) returned 1 [0134.962] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0134.962] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0134.962] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0134.962] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0134.962] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0134.962] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0134.962] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0134.963] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7f47cd0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7f47cd0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7f47cd0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="10", cAlternateFileName="")) returned 1 [0134.963] lstrcmpiW (lpString1="10", lpString2="Windows") returned -1 [0134.963] lstrcmpiW (lpString1="10", lpString2="Program Files") returned -1 [0134.963] lstrcmpiW (lpString1="10", lpString2="Program Files (x86)") returned -1 [0134.963] lstrcmpiW (lpString1="10", lpString2="$Recycle.bin") returned 1 [0134.963] lstrcmpiW (lpString1="10", lpString2="System Volume Information") returned -1 [0134.963] lstrcmpiW (lpString1="10", lpString2=".") returned 1 [0134.963] lstrcmpiW (lpString1="10", lpString2="..") returned 1 [0134.963] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\10") returned 100 [0134.963] GetProcessHeap () returned 0x4c0000 [0134.963] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0134.963] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\10" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\10") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\10" [0134.963] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\10", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\10\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\10\\*" [0134.963] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\10\\*", lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7f47cd0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7f47cd0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7f47cd0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName=".", cAlternateFileName="")) returned 0x3bb71a0 [0134.963] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0134.964] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0134.964] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0134.964] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0134.964] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0134.964] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0134.964] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7f47cd0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7f47cd0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7f47cd0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName="..", cAlternateFileName="")) returned 1 [0134.964] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0134.964] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0134.964] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0134.964] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0134.964] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0134.964] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0134.964] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0134.964] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb7f47cd0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7f47cd0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7f47cd0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x534f, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName="16A09d01", cAlternateFileName="")) returned 1 [0134.964] lstrcmpiW (lpString1="16A09d01", lpString2="Windows") returned -1 [0134.964] lstrcmpiW (lpString1="16A09d01", lpString2="Program Files") returned -1 [0134.964] lstrcmpiW (lpString1="16A09d01", lpString2="Program Files (x86)") returned -1 [0134.964] lstrcmpiW (lpString1="16A09d01", lpString2="$Recycle.bin") returned 1 [0134.965] lstrcmpiW (lpString1="16A09d01", lpString2="System Volume Information") returned -1 [0134.965] lstrcmpiW (lpString1="16A09d01", lpString2=".") returned 1 [0134.965] lstrcmpiW (lpString1="16A09d01", lpString2="..") returned 1 [0134.965] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\10\\16A09d01") returned 109 [0134.965] lstrcmpW (lpString1="16A09d01", lpString2="PUSSY.TXT") returned -1 [0134.965] PathFindExtensionW (pszPath="16A09d01") returned="" [0134.965] lstrlenW (lpString="") returned 0 [0134.965] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0134.965] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\10\\16A09d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\10\\16a09d01"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0134.966] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=21327) returned 1 [0134.966] GetProcessHeap () returned 0x4c0000 [0134.966] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x53caf0 [0134.974] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="46") returned 2 [0134.974] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="3D") returned 2 [0134.974] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="12") returned 2 [0134.974] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="A6") returned 2 [0134.974] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="DA") returned 2 [0134.974] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="E3") returned 2 [0134.974] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="1D") returned 2 [0134.974] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="D0") returned 2 [0134.974] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="4D") returned 2 [0134.974] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="75") returned 2 [0134.975] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="72") returned 2 [0134.975] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="27") returned 2 [0134.975] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="33") returned 2 [0134.975] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="74") returned 2 [0134.975] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="CF") returned 2 [0134.975] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="32") returned 2 [0134.975] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="10") returned 2 [0134.975] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="A6") returned 2 [0134.975] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="C8") returned 2 [0134.975] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="21") returned 2 [0134.975] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="E1") returned 2 [0134.975] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="F3") returned 2 [0134.975] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="27") returned 2 [0134.975] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="7C") returned 2 [0134.975] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="AF") returned 2 [0134.975] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="60") returned 2 [0134.975] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="F2") returned 2 [0134.975] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="E3") returned 2 [0134.975] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="E4") returned 2 [0134.975] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="E9") returned 2 [0134.975] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="4F") returned 2 [0134.975] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="5C") returned 2 [0134.983] lstrcpyW (in: lpString1=0x54cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\10\\16A09d01" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\10\\16A09d01") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\10\\16A09d01" [0134.983] lstrcpyW (in: lpString1=0x53cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\10\\16A09d01" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\10\\16A09d01") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\10\\16A09d01" [0134.983] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\10\\16A09d01", lpString2=".463D12A6DAE31DD04D7572273374CF3210A6C821E1F3277CAF60F2E3E4E94F5C" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\10\\16A09d01.463D12A6DAE31DD04D7572273374CF3210A6C821E1F3277CAF60F2E3E4E94F5C") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\10\\16A09d01.463D12A6DAE31DD04D7572273374CF3210A6C821E1F3277CAF60F2E3E4E94F5C" [0134.983] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0x94, CompletionKey=0x53caf0, NumberOfConcurrentThreads=0x0) returned 0x94 [0134.983] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x53caf0, lpOverlapped=0x53caf0) returned 1 [0134.983] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb7f47cd0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7f47cd0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7f47cd0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x534f, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName="16A09d01", cAlternateFileName="")) returned 0 [0134.983] FindClose (in: hFindFile=0x3bb71a0 | out: hFindFile=0x3bb71a0) returned 1 [0134.984] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\10\\PUSSY.TXT") returned 110 [0134.984] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\10\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\10\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0134.985] lstrlenA (lpString="abcd") returned 4 [0134.985] WriteFile (in: hFile=0x1d4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a14c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a14c*=0x4, lpOverlapped=0x0) returned 1 [0134.986] CloseHandle (hObject=0x1d4) returned 1 [0134.986] GetProcessHeap () returned 0x4c0000 [0134.986] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0134.990] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7d58af0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7d58af0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7d58af0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="2C", cAlternateFileName="")) returned 1 [0134.990] lstrcmpiW (lpString1="2C", lpString2="Windows") returned -1 [0134.990] lstrcmpiW (lpString1="2C", lpString2="Program Files") returned -1 [0134.990] lstrcmpiW (lpString1="2C", lpString2="Program Files (x86)") returned -1 [0134.990] lstrcmpiW (lpString1="2C", lpString2="$Recycle.bin") returned 1 [0134.990] lstrcmpiW (lpString1="2C", lpString2="System Volume Information") returned -1 [0134.990] lstrcmpiW (lpString1="2C", lpString2=".") returned 1 [0134.990] lstrcmpiW (lpString1="2C", lpString2="..") returned 1 [0134.990] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\2C") returned 100 [0134.990] GetProcessHeap () returned 0x4c0000 [0134.990] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0134.991] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\2C" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\2C") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\2C" [0134.991] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\2C", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\2C\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\2C\\*" [0134.991] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\2C\\*", lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7d58af0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7d58af0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7d58af0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName=".", cAlternateFileName="")) returned 0x3bb71a0 [0134.991] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0134.991] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0134.992] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0134.992] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0134.992] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0134.992] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0134.992] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7d58af0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7d58af0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7d58af0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName="..", cAlternateFileName="")) returned 1 [0134.992] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0134.992] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0134.992] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0134.992] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0134.992] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0134.992] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0134.992] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0134.992] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb7d58af0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7d58af0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7dcaf10, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x133d5, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName="24B53d01", cAlternateFileName="")) returned 1 [0134.992] lstrcmpiW (lpString1="24B53d01", lpString2="Windows") returned -1 [0134.992] lstrcmpiW (lpString1="24B53d01", lpString2="Program Files") returned -1 [0134.992] lstrcmpiW (lpString1="24B53d01", lpString2="Program Files (x86)") returned -1 [0134.992] lstrcmpiW (lpString1="24B53d01", lpString2="$Recycle.bin") returned 1 [0134.992] lstrcmpiW (lpString1="24B53d01", lpString2="System Volume Information") returned -1 [0134.992] lstrcmpiW (lpString1="24B53d01", lpString2=".") returned 1 [0134.992] lstrcmpiW (lpString1="24B53d01", lpString2="..") returned 1 [0134.992] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\2C\\24B53d01") returned 109 [0134.992] lstrcmpW (lpString1="24B53d01", lpString2="PUSSY.TXT") returned -1 [0134.992] PathFindExtensionW (pszPath="24B53d01") returned="" [0134.992] lstrlenW (lpString="") returned 0 [0134.992] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0134.992] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\2C\\24B53d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\2c\\24b53d01"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0135.014] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=78805) returned 1 [0135.015] GetProcessHeap () returned 0x4c0000 [0135.015] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x564b40 [0135.024] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="60") returned 2 [0135.024] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="FF") returned 2 [0135.024] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="04") returned 2 [0135.024] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="D4") returned 2 [0135.025] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="D7") returned 2 [0135.025] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="7A") returned 2 [0135.025] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="5A") returned 2 [0135.025] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="92") returned 2 [0135.025] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="92") returned 2 [0135.025] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="A9") returned 2 [0135.025] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="D0") returned 2 [0135.025] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="89") returned 2 [0135.025] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="F6") returned 2 [0135.025] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="88") returned 2 [0135.025] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="3E") returned 2 [0135.025] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="73") returned 2 [0135.025] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="41") returned 2 [0135.025] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="CD") returned 2 [0135.025] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="48") returned 2 [0135.025] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="09") returned 2 [0135.025] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="F4") returned 2 [0135.025] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="23") returned 2 [0135.025] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="A1") returned 2 [0135.025] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="0B") returned 2 [0135.025] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="49") returned 2 [0135.025] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="68") returned 2 [0135.025] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="E5") returned 2 [0135.025] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="B1") returned 2 [0135.025] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="C2") returned 2 [0135.025] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="49") returned 2 [0135.025] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="37") returned 2 [0135.025] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="7E") returned 2 [0135.034] lstrcpyW (in: lpString1=0x574b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\2C\\24B53d01" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\2C\\24B53d01") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\2C\\24B53d01" [0135.034] lstrcpyW (in: lpString1=0x564b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\2C\\24B53d01" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\2C\\24B53d01") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\2C\\24B53d01" [0135.034] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\2C\\24B53d01", lpString2=".60FF04D4D77A5A9292A9D089F6883E7341CD4809F423A10B4968E5B1C249377E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\2C\\24B53d01.60FF04D4D77A5A9292A9D089F6883E7341CD4809F423A10B4968E5B1C249377E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\2C\\24B53d01.60FF04D4D77A5A9292A9D089F6883E7341CD4809F423A10B4968E5B1C249377E" [0135.034] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x564b40, NumberOfConcurrentThreads=0x0) returned 0x94 [0135.034] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x564b40, lpOverlapped=0x564b40) returned 1 [0135.081] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb7d58af0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7d58af0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7dcaf10, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x133d5, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName="24B53d01", cAlternateFileName="")) returned 0 [0135.082] FindClose (in: hFindFile=0x3bb71a0 | out: hFindFile=0x3bb71a0) returned 1 [0135.082] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\2C\\PUSSY.TXT") returned 110 [0135.082] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\2C\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\2c\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0135.083] lstrlenA (lpString="abcd") returned 4 [0135.083] WriteFile (in: hFile=0x1d4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a14c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a14c*=0x4, lpOverlapped=0x0) returned 1 [0135.084] CloseHandle (hObject=0x1d4) returned 1 [0135.085] GetProcessHeap () returned 0x4c0000 [0135.085] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0135.085] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7f47cd0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7f47cd0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7f47cd0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="61", cAlternateFileName="")) returned 1 [0135.085] lstrcmpiW (lpString1="61", lpString2="Windows") returned -1 [0135.085] lstrcmpiW (lpString1="61", lpString2="Program Files") returned -1 [0135.085] lstrcmpiW (lpString1="61", lpString2="Program Files (x86)") returned -1 [0135.085] lstrcmpiW (lpString1="61", lpString2="$Recycle.bin") returned 1 [0135.085] lstrcmpiW (lpString1="61", lpString2="System Volume Information") returned -1 [0135.085] lstrcmpiW (lpString1="61", lpString2=".") returned 1 [0135.085] lstrcmpiW (lpString1="61", lpString2="..") returned 1 [0135.085] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\61") returned 100 [0135.085] GetProcessHeap () returned 0x4c0000 [0135.085] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0135.085] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\61" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\61") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\61" [0135.085] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\61", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\61\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\61\\*" [0135.085] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\61\\*", lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7f47cd0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7f47cd0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7f47cd0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName=".", cAlternateFileName="")) returned 0x3bb71a0 [0135.086] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0135.086] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0135.086] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0135.086] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0135.086] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0135.086] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0135.086] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7f47cd0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7f47cd0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7f47cd0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName="..", cAlternateFileName="")) returned 1 [0135.086] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0135.086] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0135.086] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0135.086] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0135.086] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0135.086] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0135.086] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0135.086] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb7f47cd0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7f47cd0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7fba0f0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0xa949, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName="28E95d01", cAlternateFileName="")) returned 1 [0135.086] lstrcmpiW (lpString1="28E95d01", lpString2="Windows") returned -1 [0135.086] lstrcmpiW (lpString1="28E95d01", lpString2="Program Files") returned -1 [0135.086] lstrcmpiW (lpString1="28E95d01", lpString2="Program Files (x86)") returned -1 [0135.087] lstrcmpiW (lpString1="28E95d01", lpString2="$Recycle.bin") returned 1 [0135.087] lstrcmpiW (lpString1="28E95d01", lpString2="System Volume Information") returned -1 [0135.087] lstrcmpiW (lpString1="28E95d01", lpString2=".") returned 1 [0135.087] lstrcmpiW (lpString1="28E95d01", lpString2="..") returned 1 [0135.087] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\61\\28E95d01") returned 109 [0135.087] lstrcmpW (lpString1="28E95d01", lpString2="PUSSY.TXT") returned -1 [0135.087] PathFindExtensionW (pszPath="28E95d01") returned="" [0135.087] lstrlenW (lpString="") returned 0 [0135.087] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0135.087] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\61\\28E95d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\61\\28e95d01"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0135.088] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=43337) returned 1 [0135.088] GetProcessHeap () returned 0x4c0000 [0135.088] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0135.104] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="56") returned 2 [0135.104] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="5D") returned 2 [0135.105] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="AF") returned 2 [0135.105] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="7F") returned 2 [0135.105] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="A4") returned 2 [0135.105] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="23") returned 2 [0135.105] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="BB") returned 2 [0135.105] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="2E") returned 2 [0135.105] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="86") returned 2 [0135.105] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="C0") returned 2 [0135.105] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="C0") returned 2 [0135.105] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="88") returned 2 [0135.105] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="C8") returned 2 [0135.105] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="47") returned 2 [0135.105] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="04") returned 2 [0135.105] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="A5") returned 2 [0135.105] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="76") returned 2 [0135.105] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="FC") returned 2 [0135.105] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="9C") returned 2 [0135.105] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="05") returned 2 [0135.105] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="C5") returned 2 [0135.105] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="54") returned 2 [0135.105] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="73") returned 2 [0135.105] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="93") returned 2 [0135.105] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="1E") returned 2 [0135.105] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="BF") returned 2 [0135.106] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="7B") returned 2 [0135.106] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="48") returned 2 [0135.106] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="7B") returned 2 [0135.106] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="65") returned 2 [0135.106] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="79") returned 2 [0135.106] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="16") returned 2 [0135.119] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\61\\28E95d01" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\61\\28E95d01") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\61\\28E95d01" [0135.119] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\61\\28E95d01" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\61\\28E95d01") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\61\\28E95d01" [0135.119] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\61\\28E95d01", lpString2=".565DAF7FA423BB2E86C0C088C84704A576FC9C05C55473931EBF7B487B657916" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\61\\28E95d01.565DAF7FA423BB2E86C0C088C84704A576FC9C05C55473931EBF7B487B657916") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\61\\28E95d01.565DAF7FA423BB2E86C0C088C84704A576FC9C05C55473931EBF7B487B657916" [0135.119] CreateIoCompletionPort (FileHandle=0x17c, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0135.119] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0135.119] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb7f47cd0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7f47cd0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7fba0f0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0xa949, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName="28E95d01", cAlternateFileName="")) returned 0 [0135.119] FindClose (in: hFindFile=0x3bb71a0 | out: hFindFile=0x3bb71a0) returned 1 [0135.119] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\61\\PUSSY.TXT") returned 110 [0135.119] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\61\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\61\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0135.120] lstrlenA (lpString="abcd") returned 4 [0135.121] WriteFile (in: hFile=0x1d4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a14c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a14c*=0x4, lpOverlapped=0x0) returned 1 [0135.122] CloseHandle (hObject=0x1d4) returned 1 [0135.122] GetProcessHeap () returned 0x4c0000 [0135.122] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0135.122] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81e8d330, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x81e8d330, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x81e8d330, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="E0", cAlternateFileName="")) returned 1 [0135.122] lstrcmpiW (lpString1="E0", lpString2="Windows") returned -1 [0135.122] lstrcmpiW (lpString1="E0", lpString2="Program Files") returned -1 [0135.122] lstrcmpiW (lpString1="E0", lpString2="Program Files (x86)") returned -1 [0135.122] lstrcmpiW (lpString1="E0", lpString2="$Recycle.bin") returned 1 [0135.122] lstrcmpiW (lpString1="E0", lpString2="System Volume Information") returned -1 [0135.122] lstrcmpiW (lpString1="E0", lpString2=".") returned 1 [0135.122] lstrcmpiW (lpString1="E0", lpString2="..") returned 1 [0135.122] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\E0") returned 100 [0135.122] GetProcessHeap () returned 0x4c0000 [0135.122] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0135.122] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\E0" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\E0") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\E0" [0135.123] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\E0", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\E0\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\E0\\*" [0135.123] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\E0\\*", lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81e8d330, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x81e8d330, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x81e8d330, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName=".", cAlternateFileName="")) returned 0x3bb71a0 [0135.184] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0135.184] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0135.184] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0135.184] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0135.184] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0135.184] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0135.184] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81e8d330, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x81e8d330, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x81e8d330, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName="..", cAlternateFileName="")) returned 1 [0135.185] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0135.185] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0135.185] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0135.185] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0135.185] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0135.185] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0135.185] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0135.185] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x81e8d330, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x81e8d330, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x81e8d330, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x404f, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName="F17B2d01", cAlternateFileName="")) returned 1 [0135.185] lstrcmpiW (lpString1="F17B2d01", lpString2="Windows") returned -1 [0135.185] lstrcmpiW (lpString1="F17B2d01", lpString2="Program Files") returned -1 [0135.185] lstrcmpiW (lpString1="F17B2d01", lpString2="Program Files (x86)") returned -1 [0135.185] lstrcmpiW (lpString1="F17B2d01", lpString2="$Recycle.bin") returned 1 [0135.185] lstrcmpiW (lpString1="F17B2d01", lpString2="System Volume Information") returned -1 [0135.185] lstrcmpiW (lpString1="F17B2d01", lpString2=".") returned 1 [0135.185] lstrcmpiW (lpString1="F17B2d01", lpString2="..") returned 1 [0135.185] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\E0\\F17B2d01") returned 109 [0135.185] lstrcmpW (lpString1="F17B2d01", lpString2="PUSSY.TXT") returned -1 [0135.185] PathFindExtensionW (pszPath="F17B2d01") returned="" [0135.185] lstrlenW (lpString="") returned 0 [0135.185] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0135.185] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\E0\\F17B2d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\e0\\f17b2d01"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0135.186] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=16463) returned 1 [0135.186] GetProcessHeap () returned 0x4c0000 [0135.186] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x53caf0 [0135.201] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="4D") returned 2 [0135.201] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="DA") returned 2 [0135.201] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="E4") returned 2 [0135.201] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="E0") returned 2 [0135.201] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="96") returned 2 [0135.201] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="E0") returned 2 [0135.201] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="A6") returned 2 [0135.202] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="98") returned 2 [0135.202] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="51") returned 2 [0135.202] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="43") returned 2 [0135.202] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="97") returned 2 [0135.202] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="2F") returned 2 [0135.202] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="8B") returned 2 [0135.202] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="FF") returned 2 [0135.202] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="18") returned 2 [0135.202] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="55") returned 2 [0135.202] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="6D") returned 2 [0135.202] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="1D") returned 2 [0135.202] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="0B") returned 2 [0135.202] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="25") returned 2 [0135.202] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="84") returned 2 [0135.202] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="E6") returned 2 [0135.202] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="71") returned 2 [0135.202] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="D8") returned 2 [0135.202] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="AC") returned 2 [0135.202] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="B2") returned 2 [0135.202] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="B3") returned 2 [0135.202] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="DC") returned 2 [0135.202] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="9F") returned 2 [0135.202] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="CF") returned 2 [0135.203] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="8B") returned 2 [0135.203] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="4F") returned 2 [0135.215] lstrcpyW (in: lpString1=0x54cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\E0\\F17B2d01" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\E0\\F17B2d01") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\E0\\F17B2d01" [0135.216] lstrcpyW (in: lpString1=0x53cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\E0\\F17B2d01" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\E0\\F17B2d01") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\E0\\F17B2d01" [0135.216] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\E0\\F17B2d01", lpString2=".4DDAE4E096E0A6985143972F8BFF18556D1D0B2584E671D8ACB2B3DC9FCF8B4F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\E0\\F17B2d01.4DDAE4E096E0A6985143972F8BFF18556D1D0B2584E671D8ACB2B3DC9FCF8B4F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\E0\\F17B2d01.4DDAE4E096E0A6985143972F8BFF18556D1D0B2584E671D8ACB2B3DC9FCF8B4F" [0135.216] CreateIoCompletionPort (FileHandle=0x17c, ExistingCompletionPort=0x94, CompletionKey=0x53caf0, NumberOfConcurrentThreads=0x0) returned 0x94 [0135.216] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x53caf0, lpOverlapped=0x53caf0) returned 1 [0135.217] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x81e8d330, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x81e8d330, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x81e8d330, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x404f, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName="F17B2d01", cAlternateFileName="")) returned 0 [0135.217] FindClose (in: hFindFile=0x3bb71a0 | out: hFindFile=0x3bb71a0) returned 1 [0135.217] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\E0\\PUSSY.TXT") returned 110 [0135.252] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\E0\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\e0\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0135.254] lstrlenA (lpString="abcd") returned 4 [0135.254] WriteFile (in: hFile=0x194, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a14c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a14c*=0x4, lpOverlapped=0x0) returned 1 [0135.255] CloseHandle (hObject=0x194) returned 1 [0135.255] GetProcessHeap () returned 0x4c0000 [0135.256] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0135.256] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81e8d330, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x81e8d330, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x81e8d330, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="E0", cAlternateFileName="")) returned 0 [0135.256] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0135.256] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\PUSSY.TXT") returned 107 [0135.256] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0135.257] lstrlenA (lpString="abcd") returned 4 [0135.257] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a8ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a8ec*=0x4, lpOverlapped=0x0) returned 1 [0135.258] CloseHandle (hObject=0x18c) returned 1 [0135.258] GetProcessHeap () returned 0x4c0000 [0135.258] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0135.258] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb6518ad0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb6518ad0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb6518ad0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="A", cAlternateFileName="")) returned 1 [0135.259] lstrcmpiW (lpString1="A", lpString2="Windows") returned -1 [0135.259] lstrcmpiW (lpString1="A", lpString2="Program Files") returned -1 [0135.259] lstrcmpiW (lpString1="A", lpString2="Program Files (x86)") returned -1 [0135.259] lstrcmpiW (lpString1="A", lpString2="$Recycle.bin") returned 1 [0135.259] lstrcmpiW (lpString1="A", lpString2="System Volume Information") returned -1 [0135.259] lstrcmpiW (lpString1="A", lpString2=".") returned 1 [0135.259] lstrcmpiW (lpString1="A", lpString2="..") returned 1 [0135.259] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\A") returned 97 [0135.259] GetProcessHeap () returned 0x4c0000 [0135.259] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x502a88 [0135.259] lstrcpyW (in: lpString1=0x502a88, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\A" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\A") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\A" [0135.259] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\A", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\A\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\A\\*" [0135.259] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\A\\*", lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb6518ad0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb6518ad0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb6518ad0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0135.259] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0135.260] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0135.260] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0135.260] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0135.260] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0135.260] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0135.260] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb6518ad0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb6518ad0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb6518ad0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="..", cAlternateFileName="")) returned 1 [0135.260] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0135.260] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0135.260] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0135.260] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0135.260] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0135.260] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0135.260] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0135.260] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb6518ad0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb6518ad0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb6518ad0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="..", cAlternateFileName="")) returned 0 [0135.260] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0135.260] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\A\\PUSSY.TXT") returned 107 [0135.260] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\A\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\a\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0135.261] lstrlenA (lpString="abcd") returned 4 [0135.261] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a8ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a8ec*=0x4, lpOverlapped=0x0) returned 1 [0135.262] CloseHandle (hObject=0x18c) returned 1 [0135.262] GetProcessHeap () returned 0x4c0000 [0135.262] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0135.262] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb6518ad0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb6518ad0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb6518ad0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="B", cAlternateFileName="")) returned 1 [0135.262] lstrcmpiW (lpString1="B", lpString2="Windows") returned -1 [0135.263] lstrcmpiW (lpString1="B", lpString2="Program Files") returned -1 [0135.263] lstrcmpiW (lpString1="B", lpString2="Program Files (x86)") returned -1 [0135.263] lstrcmpiW (lpString1="B", lpString2="$Recycle.bin") returned 1 [0135.263] lstrcmpiW (lpString1="B", lpString2="System Volume Information") returned -1 [0135.263] lstrcmpiW (lpString1="B", lpString2=".") returned 1 [0135.263] lstrcmpiW (lpString1="B", lpString2="..") returned 1 [0135.263] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\B") returned 97 [0135.263] GetProcessHeap () returned 0x4c0000 [0135.263] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x502a88 [0135.263] lstrcpyW (in: lpString1=0x502a88, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\B" [0135.263] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\B", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\B\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\B\\*" [0135.263] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\B\\*", lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb6518ad0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb6518ad0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb6518ad0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0135.264] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0135.264] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0135.264] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0135.264] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0135.264] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0135.264] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0135.264] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb6518ad0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb6518ad0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb6518ad0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="..", cAlternateFileName="")) returned 1 [0135.264] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0135.264] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0135.265] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0135.265] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0135.265] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0135.265] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0135.265] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0135.265] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb6518ad0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb6518ad0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb6518ad0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="..", cAlternateFileName="")) returned 0 [0135.265] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0135.265] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\B\\PUSSY.TXT") returned 107 [0135.265] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\B\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\b\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0135.266] lstrlenA (lpString="abcd") returned 4 [0135.266] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a8ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a8ec*=0x4, lpOverlapped=0x0) returned 1 [0135.267] CloseHandle (hObject=0x18c) returned 1 [0135.267] GetProcessHeap () returned 0x4c0000 [0135.267] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0135.267] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb6518ad0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7eaf750, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7eaf750, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="C", cAlternateFileName="")) returned 1 [0135.267] lstrcmpiW (lpString1="C", lpString2="Windows") returned -1 [0135.267] lstrcmpiW (lpString1="C", lpString2="Program Files") returned -1 [0135.267] lstrcmpiW (lpString1="C", lpString2="Program Files (x86)") returned -1 [0135.267] lstrcmpiW (lpString1="C", lpString2="$Recycle.bin") returned 1 [0135.267] lstrcmpiW (lpString1="C", lpString2="System Volume Information") returned -1 [0135.267] lstrcmpiW (lpString1="C", lpString2=".") returned 1 [0135.267] lstrcmpiW (lpString1="C", lpString2="..") returned 1 [0135.267] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C") returned 97 [0135.267] GetProcessHeap () returned 0x4c0000 [0135.268] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x502a88 [0135.268] lstrcpyW (in: lpString1=0x502a88, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C" [0135.268] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\*" [0135.268] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\*", lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb6518ad0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7eaf750, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7eaf750, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0135.268] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0135.268] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0135.268] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0135.268] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0135.268] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0135.268] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0135.268] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb6518ad0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7eaf750, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7eaf750, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="..", cAlternateFileName="")) returned 1 [0135.268] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0135.268] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0135.268] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0135.268] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0135.268] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0135.269] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0135.269] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0135.269] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7eaf750, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7eaf750, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7eaf750, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="E6", cAlternateFileName="")) returned 1 [0135.269] lstrcmpiW (lpString1="E6", lpString2="Windows") returned -1 [0135.269] lstrcmpiW (lpString1="E6", lpString2="Program Files") returned -1 [0135.269] lstrcmpiW (lpString1="E6", lpString2="Program Files (x86)") returned -1 [0135.269] lstrcmpiW (lpString1="E6", lpString2="$Recycle.bin") returned 1 [0135.269] lstrcmpiW (lpString1="E6", lpString2="System Volume Information") returned -1 [0135.269] lstrcmpiW (lpString1="E6", lpString2=".") returned 1 [0135.269] lstrcmpiW (lpString1="E6", lpString2="..") returned 1 [0135.269] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\E6") returned 100 [0135.269] GetProcessHeap () returned 0x4c0000 [0135.269] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0135.269] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\E6" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\E6") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\E6" [0135.269] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\E6", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\E6\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\E6\\*" [0135.269] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\E6\\*", lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7eaf750, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7eaf750, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7eaf750, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName=".", cAlternateFileName="")) returned 0x3bb71a0 [0135.269] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0135.270] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0135.270] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0135.270] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0135.270] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0135.270] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0135.270] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7eaf750, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7eaf750, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7eaf750, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName="..", cAlternateFileName="")) returned 1 [0135.270] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0135.270] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0135.270] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0135.270] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0135.270] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0135.270] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0135.270] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0135.270] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb7eaf750, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7eaf750, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7f21b70, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x21839, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName="9DCB7d01", cAlternateFileName="")) returned 1 [0135.270] lstrcmpiW (lpString1="9DCB7d01", lpString2="Windows") returned -1 [0135.270] lstrcmpiW (lpString1="9DCB7d01", lpString2="Program Files") returned -1 [0135.270] lstrcmpiW (lpString1="9DCB7d01", lpString2="Program Files (x86)") returned -1 [0135.270] lstrcmpiW (lpString1="9DCB7d01", lpString2="$Recycle.bin") returned 1 [0135.270] lstrcmpiW (lpString1="9DCB7d01", lpString2="System Volume Information") returned -1 [0135.270] lstrcmpiW (lpString1="9DCB7d01", lpString2=".") returned 1 [0135.270] lstrcmpiW (lpString1="9DCB7d01", lpString2="..") returned 1 [0135.270] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\E6\\9DCB7d01") returned 109 [0135.271] lstrcmpW (lpString1="9DCB7d01", lpString2="PUSSY.TXT") returned -1 [0135.271] PathFindExtensionW (pszPath="9DCB7d01") returned="" [0135.271] lstrlenW (lpString="") returned 0 [0135.271] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0135.271] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\E6\\9DCB7d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\c\\e6\\9dcb7d01"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d4 [0135.271] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=137273) returned 1 [0135.271] GetProcessHeap () returned 0x4c0000 [0135.271] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0135.288] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="A1") returned 2 [0135.288] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="ED") returned 2 [0135.288] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="A9") returned 2 [0135.288] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="59") returned 2 [0135.288] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="00") returned 2 [0135.288] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="CA") returned 2 [0135.288] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="BE") returned 2 [0135.288] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="50") returned 2 [0135.288] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="43") returned 2 [0135.288] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="AF") returned 2 [0135.288] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="A7") returned 2 [0135.288] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="46") returned 2 [0135.288] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="11") returned 2 [0135.288] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="4E") returned 2 [0135.288] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="42") returned 2 [0135.288] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="CD") returned 2 [0135.288] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="6D") returned 2 [0135.288] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="86") returned 2 [0135.288] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="BC") returned 2 [0135.288] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="F9") returned 2 [0135.289] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="1D") returned 2 [0135.289] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="A8") returned 2 [0135.289] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="BC") returned 2 [0135.289] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="22") returned 2 [0135.289] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="E8") returned 2 [0135.289] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="2B") returned 2 [0135.289] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="F5") returned 2 [0135.289] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="32") returned 2 [0135.289] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="D1") returned 2 [0135.289] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="8A") returned 2 [0135.289] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="B0") returned 2 [0135.289] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="70") returned 2 [0135.302] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\E6\\9DCB7d01" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\E6\\9DCB7d01") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\E6\\9DCB7d01" [0135.302] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\E6\\9DCB7d01" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\E6\\9DCB7d01") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\E6\\9DCB7d01" [0135.302] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\E6\\9DCB7d01", lpString2=".A1EDA95900CABE5043AFA746114E42CD6D86BCF91DA8BC22E82BF532D18AB070" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\E6\\9DCB7d01.A1EDA95900CABE5043AFA746114E42CD6D86BCF91DA8BC22E82BF532D18AB070") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\E6\\9DCB7d01.A1EDA95900CABE5043AFA746114E42CD6D86BCF91DA8BC22E82BF532D18AB070" [0135.302] CreateIoCompletionPort (FileHandle=0x1d4, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0135.302] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0135.302] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb7eaf750, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7eaf750, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7f21b70, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x21839, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName="9DCB7d01", cAlternateFileName="")) returned 0 [0135.302] FindClose (in: hFindFile=0x3bb71a0 | out: hFindFile=0x3bb71a0) returned 1 [0135.302] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\E6\\PUSSY.TXT") returned 110 [0135.302] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\E6\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\c\\e6\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0135.304] lstrlenA (lpString="abcd") returned 4 [0135.304] WriteFile (in: hFile=0x194, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a14c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a14c*=0x4, lpOverlapped=0x0) returned 1 [0135.305] CloseHandle (hObject=0x194) returned 1 [0135.305] GetProcessHeap () returned 0x4c0000 [0135.305] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0135.305] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7eaf750, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7eaf750, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7eaf750, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="E6", cAlternateFileName="")) returned 0 [0135.305] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0135.305] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\PUSSY.TXT") returned 107 [0135.305] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\c\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0135.306] lstrlenA (lpString="abcd") returned 4 [0135.306] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a8ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a8ec*=0x4, lpOverlapped=0x0) returned 1 [0135.307] CloseHandle (hObject=0x18c) returned 1 [0135.308] GetProcessHeap () returned 0x4c0000 [0135.308] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0135.308] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb6518ad0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x81e671d0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x81e671d0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="D", cAlternateFileName="")) returned 1 [0135.308] lstrcmpiW (lpString1="D", lpString2="Windows") returned -1 [0135.308] lstrcmpiW (lpString1="D", lpString2="Program Files") returned -1 [0135.308] lstrcmpiW (lpString1="D", lpString2="Program Files (x86)") returned -1 [0135.308] lstrcmpiW (lpString1="D", lpString2="$Recycle.bin") returned 1 [0135.308] lstrcmpiW (lpString1="D", lpString2="System Volume Information") returned -1 [0135.308] lstrcmpiW (lpString1="D", lpString2=".") returned 1 [0135.308] lstrcmpiW (lpString1="D", lpString2="..") returned 1 [0135.308] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D") returned 97 [0135.308] GetProcessHeap () returned 0x4c0000 [0135.308] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x502a88 [0135.308] lstrcpyW (in: lpString1=0x502a88, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D" [0135.308] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\*" [0135.308] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\*", lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb6518ad0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x81e671d0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x81e671d0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0135.310] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0135.310] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0135.310] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0135.310] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0135.310] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0135.310] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0135.310] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb6518ad0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x81e671d0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x81e671d0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="..", cAlternateFileName="")) returned 1 [0135.310] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0135.310] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0135.310] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0135.310] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0135.310] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0135.310] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0135.310] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0135.310] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81e671d0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x81e671d0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x81e671d0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="08", cAlternateFileName="")) returned 1 [0135.310] lstrcmpiW (lpString1="08", lpString2="Windows") returned -1 [0135.310] lstrcmpiW (lpString1="08", lpString2="Program Files") returned -1 [0135.310] lstrcmpiW (lpString1="08", lpString2="Program Files (x86)") returned -1 [0135.310] lstrcmpiW (lpString1="08", lpString2="$Recycle.bin") returned 1 [0135.311] lstrcmpiW (lpString1="08", lpString2="System Volume Information") returned -1 [0135.311] lstrcmpiW (lpString1="08", lpString2=".") returned 1 [0135.311] lstrcmpiW (lpString1="08", lpString2="..") returned 1 [0135.311] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\08") returned 100 [0135.311] GetProcessHeap () returned 0x4c0000 [0135.311] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0135.311] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\08" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\08") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\08" [0135.311] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\08", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\08\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\08\\*" [0135.311] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\08\\*", lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81e671d0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x81e671d0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x81e671d0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName=".", cAlternateFileName="")) returned 0x3bb71a0 [0135.312] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0135.312] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0135.312] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0135.312] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0135.312] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0135.312] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0135.312] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81e671d0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x81e671d0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x81e671d0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName="..", cAlternateFileName="")) returned 1 [0135.312] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0135.312] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0135.312] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0135.312] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0135.312] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0135.312] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0135.313] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0135.313] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x81e671d0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x81e671d0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x81e671d0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x8266, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName="71469d01", cAlternateFileName="")) returned 1 [0135.313] lstrcmpiW (lpString1="71469d01", lpString2="Windows") returned -1 [0135.313] lstrcmpiW (lpString1="71469d01", lpString2="Program Files") returned -1 [0135.313] lstrcmpiW (lpString1="71469d01", lpString2="Program Files (x86)") returned -1 [0135.313] lstrcmpiW (lpString1="71469d01", lpString2="$Recycle.bin") returned 1 [0135.313] lstrcmpiW (lpString1="71469d01", lpString2="System Volume Information") returned -1 [0135.313] lstrcmpiW (lpString1="71469d01", lpString2=".") returned 1 [0135.313] lstrcmpiW (lpString1="71469d01", lpString2="..") returned 1 [0135.313] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\08\\71469d01") returned 109 [0135.313] lstrcmpW (lpString1="71469d01", lpString2="PUSSY.TXT") returned -1 [0135.313] PathFindExtensionW (pszPath="71469d01") returned="" [0135.313] lstrlenW (lpString="") returned 0 [0135.313] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0135.313] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\08\\71469d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\d\\08\\71469d01"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xec [0135.314] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=33382) returned 1 [0135.314] GetProcessHeap () returned 0x4c0000 [0135.314] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c28098 [0135.327] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="D4") returned 2 [0135.418] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="4F") returned 2 [0135.418] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="F0") returned 2 [0135.418] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="7C") returned 2 [0135.418] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="70") returned 2 [0135.418] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="7D") returned 2 [0135.418] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="C3") returned 2 [0135.418] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="90") returned 2 [0135.418] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="5C") returned 2 [0135.418] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="48") returned 2 [0135.418] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="CF") returned 2 [0135.418] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="A3") returned 2 [0135.418] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="9F") returned 2 [0135.419] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="3C") returned 2 [0135.419] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="86") returned 2 [0135.419] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="EC") returned 2 [0135.419] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="0C") returned 2 [0135.419] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="23") returned 2 [0135.419] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="07") returned 2 [0135.419] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="2B") returned 2 [0135.419] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="A7") returned 2 [0135.419] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="3F") returned 2 [0135.419] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="B4") returned 2 [0135.419] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="BC") returned 2 [0135.419] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="2E") returned 2 [0135.419] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="7C") returned 2 [0135.419] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="42") returned 2 [0135.419] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="A8") returned 2 [0135.419] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="D9") returned 2 [0135.419] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="61") returned 2 [0135.419] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="A4") returned 2 [0135.419] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="28") returned 2 [0135.428] lstrcpyW (in: lpString1=0x3c380cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\08\\71469d01" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\08\\71469d01") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\08\\71469d01" [0135.428] lstrcpyW (in: lpString1=0x3c280cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\08\\71469d01" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\08\\71469d01") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\08\\71469d01" [0135.428] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\08\\71469d01", lpString2=".D44FF07C707DC3905C48CFA39F3C86EC0C23072BA73FB4BC2E7C42A8D961A428" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\08\\71469d01.D44FF07C707DC3905C48CFA39F3C86EC0C23072BA73FB4BC2E7C42A8D961A428") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\08\\71469d01.D44FF07C707DC3905C48CFA39F3C86EC0C23072BA73FB4BC2E7C42A8D961A428" [0135.428] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x94, CompletionKey=0x3c28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0135.429] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c28098, lpOverlapped=0x3c28098) returned 1 [0135.429] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x81e671d0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x81e671d0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x81e671d0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x8266, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName="71469d01", cAlternateFileName="")) returned 0 [0135.429] FindClose (in: hFindFile=0x3bb71a0 | out: hFindFile=0x3bb71a0) returned 1 [0135.430] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\08\\PUSSY.TXT") returned 110 [0135.430] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\08\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\d\\08\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0135.430] lstrlenA (lpString="abcd") returned 4 [0135.430] WriteFile (in: hFile=0x194, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a14c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a14c*=0x4, lpOverlapped=0x0) returned 1 [0135.431] CloseHandle (hObject=0x194) returned 1 [0135.431] GetProcessHeap () returned 0x4c0000 [0135.432] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0135.434] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81e671d0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x81e671d0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x81e671d0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="08", cAlternateFileName="")) returned 0 [0135.434] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0135.434] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\PUSSY.TXT") returned 107 [0135.434] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\d\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0135.435] lstrlenA (lpString="abcd") returned 4 [0135.435] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a8ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a8ec*=0x4, lpOverlapped=0x0) returned 1 [0135.435] CloseHandle (hObject=0x18c) returned 1 [0135.436] GetProcessHeap () returned 0x4c0000 [0135.436] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0135.436] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb6518ad0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7f6de30, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7f6de30, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="E", cAlternateFileName="")) returned 1 [0135.436] lstrcmpiW (lpString1="E", lpString2="Windows") returned -1 [0135.436] lstrcmpiW (lpString1="E", lpString2="Program Files") returned -1 [0135.436] lstrcmpiW (lpString1="E", lpString2="Program Files (x86)") returned -1 [0135.436] lstrcmpiW (lpString1="E", lpString2="$Recycle.bin") returned 1 [0135.436] lstrcmpiW (lpString1="E", lpString2="System Volume Information") returned -1 [0135.436] lstrcmpiW (lpString1="E", lpString2=".") returned 1 [0135.436] lstrcmpiW (lpString1="E", lpString2="..") returned 1 [0135.436] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E") returned 97 [0135.436] GetProcessHeap () returned 0x4c0000 [0135.436] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c500e8 [0135.437] lstrcpyW (in: lpString1=0x3c500e8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E" [0135.437] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\*" [0135.438] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\*", lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb6518ad0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7f6de30, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7f6de30, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0135.438] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0135.438] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0135.438] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0135.438] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0135.438] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0135.438] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0135.438] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb6518ad0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7f6de30, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7f6de30, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="..", cAlternateFileName="")) returned 1 [0135.438] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0135.438] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0135.438] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0135.438] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0135.438] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0135.438] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0135.438] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0135.438] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7f6de30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7f6de30, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7f6de30, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="69", cAlternateFileName="")) returned 1 [0135.438] lstrcmpiW (lpString1="69", lpString2="Windows") returned -1 [0135.438] lstrcmpiW (lpString1="69", lpString2="Program Files") returned -1 [0135.438] lstrcmpiW (lpString1="69", lpString2="Program Files (x86)") returned -1 [0135.438] lstrcmpiW (lpString1="69", lpString2="$Recycle.bin") returned 1 [0135.439] lstrcmpiW (lpString1="69", lpString2="System Volume Information") returned -1 [0135.439] lstrcmpiW (lpString1="69", lpString2=".") returned 1 [0135.439] lstrcmpiW (lpString1="69", lpString2="..") returned 1 [0135.439] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\69") returned 100 [0135.439] GetProcessHeap () returned 0x4c0000 [0135.439] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c600f0 [0135.439] lstrcpyW (in: lpString1=0x3c600f0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\69" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\69") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\69" [0135.439] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\69", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\69\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\69\\*" [0135.439] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\69\\*", lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7f6de30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7f6de30, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7f6de30, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName=".", cAlternateFileName="")) returned 0x3bb71a0 [0135.439] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0135.439] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0135.439] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0135.439] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0135.440] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0135.440] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0135.440] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7f6de30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7f6de30, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7f6de30, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName="..", cAlternateFileName="")) returned 1 [0135.440] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0135.440] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0135.440] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0135.440] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0135.440] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0135.440] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0135.440] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0135.440] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb7f6de30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7f6de30, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb80063b0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x10d22, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName="885EEd01", cAlternateFileName="")) returned 1 [0135.440] lstrcmpiW (lpString1="885EEd01", lpString2="Windows") returned -1 [0135.440] lstrcmpiW (lpString1="885EEd01", lpString2="Program Files") returned -1 [0135.440] lstrcmpiW (lpString1="885EEd01", lpString2="Program Files (x86)") returned -1 [0135.440] lstrcmpiW (lpString1="885EEd01", lpString2="$Recycle.bin") returned 1 [0135.440] lstrcmpiW (lpString1="885EEd01", lpString2="System Volume Information") returned -1 [0135.440] lstrcmpiW (lpString1="885EEd01", lpString2=".") returned 1 [0135.440] lstrcmpiW (lpString1="885EEd01", lpString2="..") returned 1 [0135.440] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\69\\885EEd01") returned 109 [0135.440] lstrcmpW (lpString1="885EEd01", lpString2="PUSSY.TXT") returned -1 [0135.440] PathFindExtensionW (pszPath="885EEd01") returned="" [0135.440] lstrlenW (lpString="") returned 0 [0135.440] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0135.440] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\69\\885EEd01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\e\\69\\885eed01"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0135.441] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=68898) returned 1 [0135.441] GetProcessHeap () returned 0x4c0000 [0135.441] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0135.450] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="57") returned 2 [0135.450] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="AE") returned 2 [0135.450] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="41") returned 2 [0135.450] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="B4") returned 2 [0135.450] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="F2") returned 2 [0135.450] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="0A") returned 2 [0135.450] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="55") returned 2 [0135.450] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="13") returned 2 [0135.450] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="9D") returned 2 [0135.450] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="BA") returned 2 [0135.450] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="D7") returned 2 [0135.450] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="56") returned 2 [0135.450] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="F4") returned 2 [0135.451] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="E6") returned 2 [0135.451] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="2D") returned 2 [0135.451] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="B6") returned 2 [0135.451] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="6F") returned 2 [0135.451] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="37") returned 2 [0135.451] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="67") returned 2 [0135.451] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="3F") returned 2 [0135.451] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="9D") returned 2 [0135.451] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="E9") returned 2 [0135.451] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="51") returned 2 [0135.451] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="A0") returned 2 [0135.451] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="D8") returned 2 [0135.451] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="9F") returned 2 [0135.451] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="B7") returned 2 [0135.451] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="8F") returned 2 [0135.451] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="45") returned 2 [0135.451] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="83") returned 2 [0135.451] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="43") returned 2 [0135.451] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="06") returned 2 [0135.461] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\69\\885EEd01" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\69\\885EEd01") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\69\\885EEd01" [0135.461] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\69\\885EEd01" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\69\\885EEd01") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\69\\885EEd01" [0135.461] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\69\\885EEd01", lpString2=".57AE41B4F20A55139DBAD756F4E62DB66F37673F9DE951A0D89FB78F45834306" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\69\\885EEd01.57AE41B4F20A55139DBAD756F4E62DB66F37673F9DE951A0D89FB78F45834306") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\69\\885EEd01.57AE41B4F20A55139DBAD756F4E62DB66F37673F9DE951A0D89FB78F45834306" [0135.461] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0135.461] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0135.462] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb7f6de30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7f6de30, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb80063b0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x10d22, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName="885EEd01", cAlternateFileName="")) returned 0 [0135.462] FindClose (in: hFindFile=0x3bb71a0 | out: hFindFile=0x3bb71a0) returned 1 [0135.462] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\69\\PUSSY.TXT") returned 110 [0135.462] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\69\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\e\\69\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0135.463] lstrlenA (lpString="abcd") returned 4 [0135.463] WriteFile (in: hFile=0x194, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a14c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a14c*=0x4, lpOverlapped=0x0) returned 1 [0135.464] CloseHandle (hObject=0x194) returned 1 [0135.464] GetProcessHeap () returned 0x4c0000 [0135.464] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c600f0 | out: hHeap=0x4c0000) returned 1 [0135.465] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7f6de30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7f6de30, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7f6de30, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="69", cAlternateFileName="")) returned 0 [0135.465] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0135.465] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\PUSSY.TXT") returned 107 [0135.465] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\e\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0135.465] lstrlenA (lpString="abcd") returned 4 [0135.465] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a8ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a8ec*=0x4, lpOverlapped=0x0) returned 1 [0135.466] CloseHandle (hObject=0x18c) returned 1 [0135.466] GetProcessHeap () returned 0x4c0000 [0135.466] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c500e8 | out: hHeap=0x4c0000) returned 1 [0135.466] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb6518ad0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x82329dd0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x82329dd0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="F", cAlternateFileName="")) returned 1 [0135.466] lstrcmpiW (lpString1="F", lpString2="Windows") returned -1 [0135.467] lstrcmpiW (lpString1="F", lpString2="Program Files") returned -1 [0135.467] lstrcmpiW (lpString1="F", lpString2="Program Files (x86)") returned -1 [0135.467] lstrcmpiW (lpString1="F", lpString2="$Recycle.bin") returned 1 [0135.467] lstrcmpiW (lpString1="F", lpString2="System Volume Information") returned -1 [0135.467] lstrcmpiW (lpString1="F", lpString2=".") returned 1 [0135.467] lstrcmpiW (lpString1="F", lpString2="..") returned 1 [0135.467] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F") returned 97 [0135.467] GetProcessHeap () returned 0x4c0000 [0135.467] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c500e8 [0135.467] lstrcpyW (in: lpString1=0x3c500e8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F" [0135.467] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\*" [0135.467] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\*", lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb6518ad0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x82329dd0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x82329dd0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0135.468] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0135.468] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0135.468] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0135.468] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0135.468] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0135.468] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0135.468] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb6518ad0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x82329dd0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x82329dd0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="..", cAlternateFileName="")) returned 1 [0135.468] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0135.468] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0135.468] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0135.469] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0135.469] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0135.469] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0135.469] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0135.469] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7f6de30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7f6de30, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7f6de30, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="23", cAlternateFileName="")) returned 1 [0135.469] lstrcmpiW (lpString1="23", lpString2="Windows") returned -1 [0135.469] lstrcmpiW (lpString1="23", lpString2="Program Files") returned -1 [0135.469] lstrcmpiW (lpString1="23", lpString2="Program Files (x86)") returned -1 [0135.469] lstrcmpiW (lpString1="23", lpString2="$Recycle.bin") returned 1 [0135.469] lstrcmpiW (lpString1="23", lpString2="System Volume Information") returned -1 [0135.469] lstrcmpiW (lpString1="23", lpString2=".") returned 1 [0135.469] lstrcmpiW (lpString1="23", lpString2="..") returned 1 [0135.469] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\23") returned 100 [0135.469] GetProcessHeap () returned 0x4c0000 [0135.469] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c600f0 [0135.469] lstrcpyW (in: lpString1=0x3c600f0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\23" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\23") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\23" [0135.469] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\23", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\23\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\23\\*" [0135.469] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\23\\*", lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7f6de30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7f6de30, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7f6de30, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName=".", cAlternateFileName="")) returned 0x3bb71a0 [0135.470] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0135.470] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0135.470] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0135.470] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0135.470] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0135.470] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0135.470] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7f6de30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7f6de30, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7f6de30, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName="..", cAlternateFileName="")) returned 1 [0135.470] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0135.470] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0135.470] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0135.470] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0135.470] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0135.470] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0135.470] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0135.470] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb7f6de30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7f6de30, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7fe0250, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0xf888, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName="7E0FEd01", cAlternateFileName="")) returned 1 [0135.470] lstrcmpiW (lpString1="7E0FEd01", lpString2="Windows") returned -1 [0135.470] lstrcmpiW (lpString1="7E0FEd01", lpString2="Program Files") returned -1 [0135.470] lstrcmpiW (lpString1="7E0FEd01", lpString2="Program Files (x86)") returned -1 [0135.470] lstrcmpiW (lpString1="7E0FEd01", lpString2="$Recycle.bin") returned 1 [0135.470] lstrcmpiW (lpString1="7E0FEd01", lpString2="System Volume Information") returned -1 [0135.470] lstrcmpiW (lpString1="7E0FEd01", lpString2=".") returned 1 [0135.470] lstrcmpiW (lpString1="7E0FEd01", lpString2="..") returned 1 [0135.470] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\23\\7E0FEd01") returned 109 [0135.470] lstrcmpW (lpString1="7E0FEd01", lpString2="PUSSY.TXT") returned -1 [0135.470] PathFindExtensionW (pszPath="7E0FEd01") returned="" [0135.470] lstrlenW (lpString="") returned 0 [0135.470] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0135.471] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\23\\7E0FEd01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\f\\23\\7e0fed01"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x174 [0135.471] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=63624) returned 1 [0135.471] GetProcessHeap () returned 0x4c0000 [0135.471] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x564b40 [0135.481] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="9C") returned 2 [0135.481] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="05") returned 2 [0135.481] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="53") returned 2 [0135.481] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="C8") returned 2 [0135.481] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="D1") returned 2 [0135.481] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="DA") returned 2 [0135.481] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="1E") returned 2 [0135.482] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="E2") returned 2 [0135.482] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="41") returned 2 [0135.482] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="5D") returned 2 [0135.482] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="E5") returned 2 [0135.482] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="83") returned 2 [0135.482] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="CB") returned 2 [0135.482] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="0E") returned 2 [0135.482] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="FE") returned 2 [0135.482] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="91") returned 2 [0135.482] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="2D") returned 2 [0135.482] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="77") returned 2 [0135.482] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="66") returned 2 [0135.482] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="9B") returned 2 [0135.482] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="00") returned 2 [0135.482] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="9A") returned 2 [0135.482] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="7F") returned 2 [0135.482] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="67") returned 2 [0135.482] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="5D") returned 2 [0135.482] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="49") returned 2 [0135.482] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="A0") returned 2 [0135.482] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="69") returned 2 [0135.482] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="39") returned 2 [0135.482] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="0E") returned 2 [0135.482] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="EE") returned 2 [0135.482] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="5F") returned 2 [0135.491] lstrcpyW (in: lpString1=0x574b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\23\\7E0FEd01" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\23\\7E0FEd01") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\23\\7E0FEd01" [0135.491] lstrcpyW (in: lpString1=0x564b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\23\\7E0FEd01" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\23\\7E0FEd01") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\23\\7E0FEd01" [0135.491] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\23\\7E0FEd01", lpString2=".9C0553C8D1DA1EE2415DE583CB0EFE912D77669B009A7F675D49A069390EEE5F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\23\\7E0FEd01.9C0553C8D1DA1EE2415DE583CB0EFE912D77669B009A7F675D49A069390EEE5F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\23\\7E0FEd01.9C0553C8D1DA1EE2415DE583CB0EFE912D77669B009A7F675D49A069390EEE5F" [0135.491] CreateIoCompletionPort (FileHandle=0x174, ExistingCompletionPort=0x94, CompletionKey=0x564b40, NumberOfConcurrentThreads=0x0) returned 0x94 [0135.491] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x564b40, lpOverlapped=0x564b40) returned 1 [0135.491] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb7f6de30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7f6de30, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7fe0250, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0xf888, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName="7E0FEd01", cAlternateFileName="")) returned 0 [0135.491] FindClose (in: hFindFile=0x3bb71a0 | out: hFindFile=0x3bb71a0) returned 1 [0135.492] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\23\\PUSSY.TXT") returned 110 [0135.492] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\23\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\f\\23\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0135.492] lstrlenA (lpString="abcd") returned 4 [0135.492] WriteFile (in: hFile=0x194, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a14c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a14c*=0x4, lpOverlapped=0x0) returned 1 [0135.493] CloseHandle (hObject=0x194) returned 1 [0135.493] GetProcessHeap () returned 0x4c0000 [0135.494] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c600f0 | out: hHeap=0x4c0000) returned 1 [0135.494] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82329dd0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x82329dd0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x82329dd0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="F0", cAlternateFileName="")) returned 1 [0135.494] lstrcmpiW (lpString1="F0", lpString2="Windows") returned -1 [0135.494] lstrcmpiW (lpString1="F0", lpString2="Program Files") returned -1 [0135.494] lstrcmpiW (lpString1="F0", lpString2="Program Files (x86)") returned -1 [0135.494] lstrcmpiW (lpString1="F0", lpString2="$Recycle.bin") returned 1 [0135.494] lstrcmpiW (lpString1="F0", lpString2="System Volume Information") returned -1 [0135.494] lstrcmpiW (lpString1="F0", lpString2=".") returned 1 [0135.494] lstrcmpiW (lpString1="F0", lpString2="..") returned 1 [0135.494] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\F0") returned 100 [0135.494] GetProcessHeap () returned 0x4c0000 [0135.494] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c600f0 [0135.494] lstrcpyW (in: lpString1=0x3c600f0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\F0" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\F0") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\F0" [0135.494] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\F0", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\F0\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\F0\\*" [0135.494] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\F0\\*", lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82329dd0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x82329dd0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x82329dd0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName=".", cAlternateFileName="")) returned 0x3bb71a0 [0135.526] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0135.526] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0135.526] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0135.526] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0135.526] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0135.526] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0135.526] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82329dd0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x82329dd0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x82329dd0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName="..", cAlternateFileName="")) returned 1 [0135.526] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0135.526] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0135.526] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0135.526] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0135.526] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0135.526] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0135.526] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0135.526] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82329dd0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x82329dd0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x823c2350, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0xa80f, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName="ECB2Dd01", cAlternateFileName="")) returned 1 [0135.526] lstrcmpiW (lpString1="ECB2Dd01", lpString2="Windows") returned -1 [0135.526] lstrcmpiW (lpString1="ECB2Dd01", lpString2="Program Files") returned -1 [0135.527] lstrcmpiW (lpString1="ECB2Dd01", lpString2="Program Files (x86)") returned -1 [0135.527] lstrcmpiW (lpString1="ECB2Dd01", lpString2="$Recycle.bin") returned 1 [0135.527] lstrcmpiW (lpString1="ECB2Dd01", lpString2="System Volume Information") returned -1 [0135.527] lstrcmpiW (lpString1="ECB2Dd01", lpString2=".") returned 1 [0135.527] lstrcmpiW (lpString1="ECB2Dd01", lpString2="..") returned 1 [0135.527] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\F0\\ECB2Dd01") returned 109 [0135.527] lstrcmpW (lpString1="ECB2Dd01", lpString2="PUSSY.TXT") returned -1 [0135.527] PathFindExtensionW (pszPath="ECB2Dd01") returned="" [0135.527] lstrlenW (lpString="") returned 0 [0135.527] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0135.527] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\F0\\ECB2Dd01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\f\\f0\\ecb2dd01"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0135.528] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=43023) returned 1 [0135.528] GetProcessHeap () returned 0x4c0000 [0135.528] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b380a0 [0135.540] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="FF") returned 2 [0135.540] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="0E") returned 2 [0135.540] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="18") returned 2 [0135.540] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="09") returned 2 [0135.540] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="D5") returned 2 [0135.540] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="83") returned 2 [0135.540] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="73") returned 2 [0135.540] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="15") returned 2 [0135.540] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="C4") returned 2 [0135.540] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="82") returned 2 [0135.540] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="E3") returned 2 [0135.540] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="CB") returned 2 [0135.540] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="BF") returned 2 [0135.540] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="B1") returned 2 [0135.540] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="AF") returned 2 [0135.540] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="AE") returned 2 [0135.541] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="A2") returned 2 [0135.541] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="37") returned 2 [0135.541] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="03") returned 2 [0135.541] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="C0") returned 2 [0135.541] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="01") returned 2 [0135.541] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="19") returned 2 [0135.541] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="D6") returned 2 [0135.541] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="86") returned 2 [0135.541] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="FD") returned 2 [0135.541] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="01") returned 2 [0135.541] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="22") returned 2 [0135.541] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="EF") returned 2 [0135.541] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="2F") returned 2 [0135.541] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="C6") returned 2 [0135.541] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="32") returned 2 [0135.541] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="66") returned 2 [0135.615] lstrcpyW (in: lpString1=0x3b480d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\F0\\ECB2Dd01" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\F0\\ECB2Dd01") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\F0\\ECB2Dd01" [0135.615] lstrcpyW (in: lpString1=0x3b380d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\F0\\ECB2Dd01" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\F0\\ECB2Dd01") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\F0\\ECB2Dd01" [0135.615] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\F0\\ECB2Dd01", lpString2=".FF0E1809D5837315C482E3CBBFB1AFAEA23703C00119D686FD0122EF2FC63266" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\F0\\ECB2Dd01.FF0E1809D5837315C482E3CBBFB1AFAEA23703C00119D686FD0122EF2FC63266") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\F0\\ECB2Dd01.FF0E1809D5837315C482E3CBBFB1AFAEA23703C00119D686FD0122EF2FC63266" [0135.615] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x3b380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0135.616] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b380a0, lpOverlapped=0x3b380a0) returned 1 [0135.618] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82329dd0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x82329dd0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x823c2350, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0xa80f, dwReserved0=0x4ddd20, dwReserved1=0xfd808e00, cFileName="ECB2Dd01", cAlternateFileName="")) returned 0 [0135.618] FindClose (in: hFindFile=0x3bb71a0 | out: hFindFile=0x3bb71a0) returned 1 [0135.618] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\F0\\PUSSY.TXT") returned 110 [0135.618] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\F0\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\f\\f0\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0135.620] lstrlenA (lpString="abcd") returned 4 [0135.620] WriteFile (in: hFile=0x194, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a14c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a14c*=0x4, lpOverlapped=0x0) returned 1 [0135.621] CloseHandle (hObject=0x194) returned 1 [0135.621] GetProcessHeap () returned 0x4c0000 [0135.621] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c600f0 | out: hHeap=0x4c0000) returned 1 [0135.621] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82329dd0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x82329dd0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x82329dd0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x2c053e73, cFileName="F0", cAlternateFileName="")) returned 0 [0135.621] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0135.621] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\PUSSY.TXT") returned 107 [0135.621] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\f\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0135.622] lstrlenA (lpString="abcd") returned 4 [0135.622] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a8ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a8ec*=0x4, lpOverlapped=0x0) returned 1 [0135.623] CloseHandle (hObject=0x18c) returned 1 [0135.623] GetProcessHeap () returned 0x4c0000 [0135.624] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c500e8 | out: hHeap=0x4c0000) returned 1 [0135.627] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb6518ad0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb6518ad0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x851226b0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x400000, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="_CACHE_001_", cAlternateFileName="_CACHE~2")) returned 1 [0135.627] lstrcmpiW (lpString1="_CACHE_001_", lpString2="Windows") returned -1 [0135.627] lstrcmpiW (lpString1="_CACHE_001_", lpString2="Program Files") returned -1 [0135.627] lstrcmpiW (lpString1="_CACHE_001_", lpString2="Program Files (x86)") returned -1 [0135.627] lstrcmpiW (lpString1="_CACHE_001_", lpString2="$Recycle.bin") returned 1 [0135.628] lstrcmpiW (lpString1="_CACHE_001_", lpString2="System Volume Information") returned -1 [0135.628] lstrcmpiW (lpString1="_CACHE_001_", lpString2=".") returned 1 [0135.628] lstrcmpiW (lpString1="_CACHE_001_", lpString2="..") returned 1 [0135.628] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_001_") returned 107 [0135.628] lstrcmpW (lpString1="_CACHE_001_", lpString2="PUSSY.TXT") returned -1 [0135.628] PathFindExtensionW (pszPath="_CACHE_001_") returned="" [0135.628] lstrlenW (lpString="") returned 0 [0135.628] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0135.628] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_001_" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\_cache_001_"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0135.629] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=4194304) returned 1 [0135.629] GetProcessHeap () returned 0x4c0000 [0135.629] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0135.648] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="E4") returned 2 [0135.648] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="20") returned 2 [0135.648] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="0B") returned 2 [0135.648] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="EC") returned 2 [0135.648] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="A4") returned 2 [0135.648] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="1A") returned 2 [0135.648] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="31") returned 2 [0135.648] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="31") returned 2 [0135.648] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="CF") returned 2 [0135.648] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="F4") returned 2 [0135.648] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="16") returned 2 [0135.648] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="6C") returned 2 [0135.648] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="16") returned 2 [0135.648] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="98") returned 2 [0135.648] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="A1") returned 2 [0135.648] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="1A") returned 2 [0135.648] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="BB") returned 2 [0135.648] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="70") returned 2 [0135.649] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="CD") returned 2 [0135.649] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="2B") returned 2 [0135.649] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="F2") returned 2 [0135.649] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="D2") returned 2 [0135.649] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="F9") returned 2 [0135.649] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="2F") returned 2 [0135.649] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="F7") returned 2 [0135.649] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="3E") returned 2 [0135.649] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="D3") returned 2 [0135.649] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="29") returned 2 [0135.649] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="3E") returned 2 [0135.649] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="3D") returned 2 [0135.649] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="CB") returned 2 [0135.649] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="3D") returned 2 [0135.730] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_001_" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_001_") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_001_" [0135.730] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_001_" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_001_") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_001_" [0135.730] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_001_", lpString2=".E4200BECA41A3131CFF4166C1698A11ABB70CD2BF2D2F92FF73ED3293E3DCB3D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_001_.E4200BECA41A3131CFF4166C1698A11ABB70CD2BF2D2F92FF73ED3293E3DCB3D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_001_.E4200BECA41A3131CFF4166C1698A11ABB70CD2BF2D2F92FF73ED3293E3DCB3D" [0135.730] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0135.730] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0135.730] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb6518ad0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb6518ad0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x851e0d90, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x400000, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="_CACHE_002_", cAlternateFileName="_CACHE~3")) returned 1 [0135.730] lstrcmpiW (lpString1="_CACHE_002_", lpString2="Windows") returned -1 [0135.730] lstrcmpiW (lpString1="_CACHE_002_", lpString2="Program Files") returned -1 [0135.731] lstrcmpiW (lpString1="_CACHE_002_", lpString2="Program Files (x86)") returned -1 [0135.731] lstrcmpiW (lpString1="_CACHE_002_", lpString2="$Recycle.bin") returned 1 [0135.731] lstrcmpiW (lpString1="_CACHE_002_", lpString2="System Volume Information") returned -1 [0135.731] lstrcmpiW (lpString1="_CACHE_002_", lpString2=".") returned 1 [0135.731] lstrcmpiW (lpString1="_CACHE_002_", lpString2="..") returned 1 [0135.731] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_002_") returned 107 [0135.731] lstrcmpW (lpString1="_CACHE_002_", lpString2="PUSSY.TXT") returned -1 [0135.731] PathFindExtensionW (pszPath="_CACHE_002_") returned="" [0135.731] lstrlenW (lpString="") returned 0 [0135.731] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0135.731] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_002_" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\_cache_002_"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d4 [0135.733] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=4194304) returned 1 [0135.733] GetProcessHeap () returned 0x4c0000 [0135.733] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0135.784] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="59") returned 2 [0135.784] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="78") returned 2 [0135.784] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="35") returned 2 [0135.784] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="4E") returned 2 [0135.784] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="26") returned 2 [0135.784] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="C3") returned 2 [0135.784] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="5C") returned 2 [0135.784] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="B1") returned 2 [0135.785] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="34") returned 2 [0135.785] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="4B") returned 2 [0135.785] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="4A") returned 2 [0135.785] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="2F") returned 2 [0135.785] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="1F") returned 2 [0135.785] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="A1") returned 2 [0135.785] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="4E") returned 2 [0135.785] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="97") returned 2 [0135.785] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="2B") returned 2 [0135.785] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="B3") returned 2 [0135.785] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="CD") returned 2 [0135.785] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="8A") returned 2 [0135.785] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="5C") returned 2 [0135.785] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="4B") returned 2 [0135.785] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="23") returned 2 [0135.785] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="1C") returned 2 [0135.785] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="26") returned 2 [0135.785] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="6A") returned 2 [0135.785] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="17") returned 2 [0135.785] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="B8") returned 2 [0135.785] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="27") returned 2 [0135.785] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="E7") returned 2 [0135.785] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="75") returned 2 [0135.785] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="18") returned 2 [0135.794] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_002_" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_002_") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_002_" [0135.794] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_002_" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_002_") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_002_" [0135.794] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_002_", lpString2=".5978354E26C35CB1344B4A2F1FA14E972BB3CD8A5C4B231C266A17B827E77518" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_002_.5978354E26C35CB1344B4A2F1FA14E972BB3CD8A5C4B231C266A17B827E77518") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_002_.5978354E26C35CB1344B4A2F1FA14E972BB3CD8A5C4B231C266A17B827E77518" [0135.794] CreateIoCompletionPort (FileHandle=0x1d4, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0135.794] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0135.794] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb6518ad0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb6518ad0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x8529f470, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x400000, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="_CACHE_003_", cAlternateFileName="_CACHE~4")) returned 1 [0135.794] lstrcmpiW (lpString1="_CACHE_003_", lpString2="Windows") returned -1 [0135.794] lstrcmpiW (lpString1="_CACHE_003_", lpString2="Program Files") returned -1 [0135.794] lstrcmpiW (lpString1="_CACHE_003_", lpString2="Program Files (x86)") returned -1 [0135.794] lstrcmpiW (lpString1="_CACHE_003_", lpString2="$Recycle.bin") returned 1 [0135.794] lstrcmpiW (lpString1="_CACHE_003_", lpString2="System Volume Information") returned -1 [0135.795] lstrcmpiW (lpString1="_CACHE_003_", lpString2=".") returned 1 [0135.836] lstrcmpiW (lpString1="_CACHE_003_", lpString2="..") returned 1 [0135.836] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_003_") returned 107 [0135.836] lstrcmpW (lpString1="_CACHE_003_", lpString2="PUSSY.TXT") returned -1 [0135.836] PathFindExtensionW (pszPath="_CACHE_003_") returned="" [0135.836] lstrlenW (lpString="") returned 0 [0135.836] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0135.836] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_003_" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\_cache_003_"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0135.838] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=4194304) returned 1 [0135.838] GetProcessHeap () returned 0x4c0000 [0135.838] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x53caf0 [0135.851] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="16") returned 2 [0135.851] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="31") returned 2 [0135.851] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="F9") returned 2 [0135.851] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="73") returned 2 [0135.852] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="B2") returned 2 [0135.852] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="45") returned 2 [0135.852] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="CC") returned 2 [0135.852] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="5F") returned 2 [0135.852] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="A1") returned 2 [0135.852] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="78") returned 2 [0135.852] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="37") returned 2 [0135.852] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="C8") returned 2 [0135.852] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="4A") returned 2 [0135.852] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="2C") returned 2 [0135.852] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="85") returned 2 [0135.852] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="11") returned 2 [0135.852] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="A4") returned 2 [0135.852] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="A9") returned 2 [0135.852] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="63") returned 2 [0135.852] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="4C") returned 2 [0135.852] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="DE") returned 2 [0135.852] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="7E") returned 2 [0135.852] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="87") returned 2 [0135.852] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="81") returned 2 [0135.852] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="97") returned 2 [0135.852] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="7C") returned 2 [0135.852] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="46") returned 2 [0135.852] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="E8") returned 2 [0135.852] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="09") returned 2 [0135.852] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="24") returned 2 [0135.852] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="3A") returned 2 [0135.852] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="4E") returned 2 [0135.861] lstrcpyW (in: lpString1=0x54cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_003_" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_003_") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_003_" [0135.861] lstrcpyW (in: lpString1=0x53cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_003_" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_003_") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_003_" [0135.861] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_003_", lpString2=".1631F973B245CC5FA17837C84A2C8511A4A9634CDE7E8781977C46E809243A4E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_003_.1631F973B245CC5FA17837C84A2C8511A4A9634CDE7E8781977C46E809243A4E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_003_.1631F973B245CC5FA17837C84A2C8511A4A9634CDE7E8781977C46E809243A4E" [0135.861] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x53caf0, NumberOfConcurrentThreads=0x0) returned 0x94 [0135.861] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x53caf0, lpOverlapped=0x53caf0) returned 1 [0135.862] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb64f2970, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb64f2970, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x8535db50, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x2114, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="_CACHE_MAP_", cAlternateFileName="_CACHE~1")) returned 1 [0135.862] lstrcmpiW (lpString1="_CACHE_MAP_", lpString2="Windows") returned -1 [0135.862] lstrcmpiW (lpString1="_CACHE_MAP_", lpString2="Program Files") returned -1 [0135.862] lstrcmpiW (lpString1="_CACHE_MAP_", lpString2="Program Files (x86)") returned -1 [0135.862] lstrcmpiW (lpString1="_CACHE_MAP_", lpString2="$Recycle.bin") returned 1 [0135.862] lstrcmpiW (lpString1="_CACHE_MAP_", lpString2="System Volume Information") returned -1 [0135.862] lstrcmpiW (lpString1="_CACHE_MAP_", lpString2=".") returned 1 [0135.862] lstrcmpiW (lpString1="_CACHE_MAP_", lpString2="..") returned 1 [0135.862] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_MAP_") returned 107 [0135.862] lstrcmpW (lpString1="_CACHE_MAP_", lpString2="PUSSY.TXT") returned -1 [0135.862] PathFindExtensionW (pszPath="_CACHE_MAP_") returned="" [0135.862] lstrlenW (lpString="") returned 0 [0135.862] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0135.862] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_MAP_" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\_cache_map_"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x17c [0135.894] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=8468) returned 1 [0135.894] GetProcessHeap () returned 0x4c0000 [0135.894] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b380a0 [0135.904] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="E8") returned 2 [0135.904] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="A5") returned 2 [0135.904] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="7A") returned 2 [0135.904] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="CE") returned 2 [0135.904] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="D7") returned 2 [0135.904] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="72") returned 2 [0135.904] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="46") returned 2 [0135.904] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="95") returned 2 [0135.904] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="91") returned 2 [0135.904] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="06") returned 2 [0135.904] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="CD") returned 2 [0135.904] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="81") returned 2 [0135.904] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="2E") returned 2 [0135.904] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="56") returned 2 [0135.904] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="99") returned 2 [0135.904] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="DF") returned 2 [0135.904] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="BA") returned 2 [0135.904] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="67") returned 2 [0135.904] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="0C") returned 2 [0135.904] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="7F") returned 2 [0135.904] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="63") returned 2 [0135.904] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="DA") returned 2 [0135.905] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="0E") returned 2 [0135.905] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="9A") returned 2 [0135.905] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="F4") returned 2 [0135.905] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="F7") returned 2 [0135.905] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="40") returned 2 [0135.905] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="9C") returned 2 [0135.905] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="F2") returned 2 [0135.905] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="B2") returned 2 [0135.905] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="D2") returned 2 [0135.905] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="15") returned 2 [0135.915] lstrcpyW (in: lpString1=0x3b480d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_MAP_" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_MAP_") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_MAP_" [0135.915] lstrcpyW (in: lpString1=0x3b380d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_MAP_" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_MAP_") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_MAP_" [0135.915] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_MAP_", lpString2=".E8A57ACED77246959106CD812E5699DFBA670C7F63DA0E9AF4F7409CF2B2D215" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_MAP_.E8A57ACED77246959106CD812E5699DFBA670C7F63DA0E9AF4F7409CF2B2D215") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_MAP_.E8A57ACED77246959106CD812E5699DFBA670C7F63DA0E9AF4F7409CF2B2D215" [0135.915] CreateIoCompletionPort (FileHandle=0x17c, ExistingCompletionPort=0x94, CompletionKey=0x3b380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0135.916] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b380a0, lpOverlapped=0x3b380a0) returned 1 [0135.916] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb64f2970, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb64f2970, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x8535db50, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x2114, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="_CACHE_MAP_", cAlternateFileName="_CACHE~1")) returned 0 [0135.916] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0135.916] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\PUSSY.TXT") returned 105 [0135.916] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0135.917] lstrlenA (lpString="abcd") returned 4 [0135.918] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0135.918] CloseHandle (hObject=0x184) returned 1 [0135.919] GetProcessHeap () returned 0x4c0000 [0135.919] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bd80e8 | out: hHeap=0x4c0000) returned 1 [0135.919] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbece2650, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xbecfd400, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xbecfd400, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName="OfflineCache", cAlternateFileName="OFFLIN~1")) returned 1 [0135.919] lstrcmpiW (lpString1="OfflineCache", lpString2="Windows") returned -1 [0135.928] lstrcmpiW (lpString1="OfflineCache", lpString2="Program Files") returned -1 [0135.928] lstrcmpiW (lpString1="OfflineCache", lpString2="Program Files (x86)") returned -1 [0135.928] lstrcmpiW (lpString1="OfflineCache", lpString2="$Recycle.bin") returned 1 [0135.928] lstrcmpiW (lpString1="OfflineCache", lpString2="System Volume Information") returned -1 [0135.928] lstrcmpiW (lpString1="OfflineCache", lpString2=".") returned 1 [0135.928] lstrcmpiW (lpString1="OfflineCache", lpString2="..") returned 1 [0135.928] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\OfflineCache") returned 102 [0135.928] GetProcessHeap () returned 0x4c0000 [0135.928] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bd80e8 [0135.928] lstrcpyW (in: lpString1=0x3bd80e8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\OfflineCache" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\OfflineCache") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\OfflineCache" [0135.928] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\OfflineCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\OfflineCache\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\OfflineCache\\*" [0135.928] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\OfflineCache\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbece2650, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xbecfd400, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xbecfd400, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0135.929] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0135.929] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0135.929] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0135.929] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0135.930] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0135.930] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0135.930] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbece2650, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xbecfd400, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xbecfd400, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0135.930] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0135.930] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0135.930] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0135.930] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0135.930] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0135.930] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0135.930] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0135.930] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbece4d60, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xbece4d60, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xc399b820, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x40000, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="index.sqlite", cAlternateFileName="INDEX~1.SQL")) returned 1 [0135.930] lstrcmpiW (lpString1="index.sqlite", lpString2="Windows") returned -1 [0135.930] lstrcmpiW (lpString1="index.sqlite", lpString2="Program Files") returned -1 [0135.930] lstrcmpiW (lpString1="index.sqlite", lpString2="Program Files (x86)") returned -1 [0135.930] lstrcmpiW (lpString1="index.sqlite", lpString2="$Recycle.bin") returned 1 [0135.930] lstrcmpiW (lpString1="index.sqlite", lpString2="System Volume Information") returned -1 [0135.930] lstrcmpiW (lpString1="index.sqlite", lpString2=".") returned 1 [0135.930] lstrcmpiW (lpString1="index.sqlite", lpString2="..") returned 1 [0135.930] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\OfflineCache\\index.sqlite") returned 115 [0135.930] lstrcmpW (lpString1="index.sqlite", lpString2="PUSSY.TXT") returned -1 [0135.930] PathFindExtensionW (pszPath="index.sqlite") returned=".sqlite" [0135.930] lstrlenW (lpString=".sqlite") returned 7 [0135.930] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0135.930] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\OfflineCache\\index.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\offlinecache\\index.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0135.931] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=262144) returned 1 [0135.931] GetProcessHeap () returned 0x4c0000 [0135.931] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b600f0 [0135.943] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="81") returned 2 [0135.943] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="36") returned 2 [0135.943] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="7C") returned 2 [0135.943] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="73") returned 2 [0135.943] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="56") returned 2 [0135.943] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="E4") returned 2 [0135.943] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="0A") returned 2 [0135.943] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="68") returned 2 [0135.943] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="DB") returned 2 [0135.943] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="1E") returned 2 [0135.943] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="4B") returned 2 [0135.943] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="25") returned 2 [0135.943] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="01") returned 2 [0135.943] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="76") returned 2 [0135.943] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="32") returned 2 [0135.943] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="12") returned 2 [0135.943] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="64") returned 2 [0135.943] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="4E") returned 2 [0135.943] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="B5") returned 2 [0135.943] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="1A") returned 2 [0135.943] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="58") returned 2 [0135.943] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="79") returned 2 [0135.943] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="C8") returned 2 [0135.943] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="E4") returned 2 [0135.943] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="75") returned 2 [0135.943] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="3B") returned 2 [0135.944] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="D9") returned 2 [0135.944] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="FF") returned 2 [0135.944] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="10") returned 2 [0135.944] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="02") returned 2 [0135.944] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="E7") returned 2 [0135.944] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="67") returned 2 [0135.952] lstrcpyW (in: lpString1=0x3b70124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\OfflineCache\\index.sqlite" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\OfflineCache\\index.sqlite") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\OfflineCache\\index.sqlite" [0135.952] lstrcpyW (in: lpString1=0x3b60124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\OfflineCache\\index.sqlite" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\OfflineCache\\index.sqlite") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\OfflineCache\\index.sqlite" [0135.952] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\OfflineCache\\index.sqlite", lpString2=".81367C7356E40A68DB1E4B2501763212644EB51A5879C8E4753BD9FF1002E767" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\OfflineCache\\index.sqlite.81367C7356E40A68DB1E4B2501763212644EB51A5879C8E4753BD9FF1002E767") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\OfflineCache\\index.sqlite.81367C7356E40A68DB1E4B2501763212644EB51A5879C8E4753BD9FF1002E767" [0135.952] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0x94, CompletionKey=0x3b600f0, NumberOfConcurrentThreads=0x0) returned 0x94 [0135.952] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b600f0, lpOverlapped=0x3b600f0) returned 1 [0135.952] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbece4d60, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xbece4d60, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xc399b820, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x40000, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="index.sqlite", cAlternateFileName="INDEX~1.SQL")) returned 0 [0135.953] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0135.953] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\OfflineCache\\PUSSY.TXT") returned 112 [0135.953] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\OfflineCache\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\offlinecache\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0135.954] lstrlenA (lpString="abcd") returned 4 [0135.954] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0135.954] CloseHandle (hObject=0x184) returned 1 [0135.955] GetProcessHeap () returned 0x4c0000 [0135.955] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bd80e8 | out: hHeap=0x4c0000) returned 1 [0135.955] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8234ff30, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x826bbed0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x826bbed0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName="safebrowsing", cAlternateFileName="SAFEBR~2")) returned 1 [0135.955] lstrcmpiW (lpString1="safebrowsing", lpString2="Windows") returned -1 [0135.955] lstrcmpiW (lpString1="safebrowsing", lpString2="Program Files") returned 1 [0135.955] lstrcmpiW (lpString1="safebrowsing", lpString2="Program Files (x86)") returned 1 [0135.955] lstrcmpiW (lpString1="safebrowsing", lpString2="$Recycle.bin") returned 1 [0135.955] lstrcmpiW (lpString1="safebrowsing", lpString2="System Volume Information") returned -1 [0135.955] lstrcmpiW (lpString1="safebrowsing", lpString2=".") returned 1 [0135.955] lstrcmpiW (lpString1="safebrowsing", lpString2="..") returned 1 [0135.955] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing") returned 102 [0135.955] GetProcessHeap () returned 0x4c0000 [0135.955] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bd80e8 [0135.955] lstrcpyW (in: lpString1=0x3bd80e8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing" [0135.955] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\*" [0135.955] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8234ff30, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x826bbed0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x826bbed0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0136.001] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0136.001] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0136.001] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0136.001] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0136.001] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0136.001] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.001] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8234ff30, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x826bbed0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x826bbed0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0136.001] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0136.001] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0136.001] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0136.001] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0136.001] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0136.001] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.001] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.005] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x825fd7f0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x825fd7f0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x825fd7f0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x2c, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="test-malware-simple.cache", cAlternateFileName="TEST-M~1.CAC")) returned 1 [0136.005] lstrcmpiW (lpString1="test-malware-simple.cache", lpString2="Windows") returned -1 [0136.005] lstrcmpiW (lpString1="test-malware-simple.cache", lpString2="Program Files") returned 1 [0136.005] lstrcmpiW (lpString1="test-malware-simple.cache", lpString2="Program Files (x86)") returned 1 [0136.005] lstrcmpiW (lpString1="test-malware-simple.cache", lpString2="$Recycle.bin") returned 1 [0136.005] lstrcmpiW (lpString1="test-malware-simple.cache", lpString2="System Volume Information") returned 1 [0136.005] lstrcmpiW (lpString1="test-malware-simple.cache", lpString2=".") returned 1 [0136.005] lstrcmpiW (lpString1="test-malware-simple.cache", lpString2="..") returned 1 [0136.005] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.cache") returned 128 [0136.005] lstrcmpW (lpString1="test-malware-simple.cache", lpString2="PUSSY.TXT") returned 1 [0136.005] PathFindExtensionW (pszPath="test-malware-simple.cache") returned=".cache" [0136.005] lstrlenW (lpString=".cache") returned 6 [0136.005] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0136.005] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.cache" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.cache"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0136.006] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=44) returned 1 [0136.006] CloseHandle (hObject=0x194) returned 1 [0136.006] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8234ff30, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x8234ff30, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x82649ab0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x10, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="test-malware-simple.pset", cAlternateFileName="TEST-M~1.PSE")) returned 1 [0136.006] lstrcmpiW (lpString1="test-malware-simple.pset", lpString2="Windows") returned -1 [0136.006] lstrcmpiW (lpString1="test-malware-simple.pset", lpString2="Program Files") returned 1 [0136.006] lstrcmpiW (lpString1="test-malware-simple.pset", lpString2="Program Files (x86)") returned 1 [0136.006] lstrcmpiW (lpString1="test-malware-simple.pset", lpString2="$Recycle.bin") returned 1 [0136.006] lstrcmpiW (lpString1="test-malware-simple.pset", lpString2="System Volume Information") returned 1 [0136.006] lstrcmpiW (lpString1="test-malware-simple.pset", lpString2=".") returned 1 [0136.006] lstrcmpiW (lpString1="test-malware-simple.pset", lpString2="..") returned 1 [0136.006] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.pset") returned 127 [0136.006] lstrcmpW (lpString1="test-malware-simple.pset", lpString2="PUSSY.TXT") returned 1 [0136.006] PathFindExtensionW (pszPath="test-malware-simple.pset") returned=".pset" [0136.006] lstrlenW (lpString=".pset") returned 5 [0136.006] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0136.006] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.pset" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.pset"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0136.007] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=16) returned 1 [0136.007] CloseHandle (hObject=0x194) returned 1 [0136.007] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82376090, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x82376090, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x82376090, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0xe8, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="test-malware-simple.sbstore", cAlternateFileName="TEST-M~1.SBS")) returned 1 [0136.007] lstrcmpiW (lpString1="test-malware-simple.sbstore", lpString2="Windows") returned -1 [0136.007] lstrcmpiW (lpString1="test-malware-simple.sbstore", lpString2="Program Files") returned 1 [0136.007] lstrcmpiW (lpString1="test-malware-simple.sbstore", lpString2="Program Files (x86)") returned 1 [0136.007] lstrcmpiW (lpString1="test-malware-simple.sbstore", lpString2="$Recycle.bin") returned 1 [0136.007] lstrcmpiW (lpString1="test-malware-simple.sbstore", lpString2="System Volume Information") returned 1 [0136.007] lstrcmpiW (lpString1="test-malware-simple.sbstore", lpString2=".") returned 1 [0136.007] lstrcmpiW (lpString1="test-malware-simple.sbstore", lpString2="..") returned 1 [0136.007] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.sbstore") returned 130 [0136.007] lstrcmpW (lpString1="test-malware-simple.sbstore", lpString2="PUSSY.TXT") returned 1 [0136.007] PathFindExtensionW (pszPath="test-malware-simple.sbstore") returned=".sbstore" [0136.007] lstrlenW (lpString=".sbstore") returned 8 [0136.007] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0136.007] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.sbstore" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.sbstore"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0136.008] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=232) returned 1 [0136.008] CloseHandle (hObject=0x194) returned 1 [0136.008] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82695d70, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x82695d70, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x82695d70, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x2c, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="test-phish-simple.cache", cAlternateFileName="TEST-P~1.CAC")) returned 1 [0136.008] lstrcmpiW (lpString1="test-phish-simple.cache", lpString2="Windows") returned -1 [0136.008] lstrcmpiW (lpString1="test-phish-simple.cache", lpString2="Program Files") returned 1 [0136.008] lstrcmpiW (lpString1="test-phish-simple.cache", lpString2="Program Files (x86)") returned 1 [0136.008] lstrcmpiW (lpString1="test-phish-simple.cache", lpString2="$Recycle.bin") returned 1 [0136.008] lstrcmpiW (lpString1="test-phish-simple.cache", lpString2="System Volume Information") returned 1 [0136.008] lstrcmpiW (lpString1="test-phish-simple.cache", lpString2=".") returned 1 [0136.008] lstrcmpiW (lpString1="test-phish-simple.cache", lpString2="..") returned 1 [0136.008] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.cache") returned 126 [0136.008] lstrcmpW (lpString1="test-phish-simple.cache", lpString2="PUSSY.TXT") returned 1 [0136.008] PathFindExtensionW (pszPath="test-phish-simple.cache") returned=".cache" [0136.008] lstrlenW (lpString=".cache") returned 6 [0136.008] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0136.008] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.cache" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.cache"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0136.009] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=44) returned 1 [0136.009] CloseHandle (hObject=0x194) returned 1 [0136.009] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82376090, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x82376090, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x826bbed0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x10, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="test-phish-simple.pset", cAlternateFileName="TEST-P~1.PSE")) returned 1 [0136.009] lstrcmpiW (lpString1="test-phish-simple.pset", lpString2="Windows") returned -1 [0136.009] lstrcmpiW (lpString1="test-phish-simple.pset", lpString2="Program Files") returned 1 [0136.009] lstrcmpiW (lpString1="test-phish-simple.pset", lpString2="Program Files (x86)") returned 1 [0136.009] lstrcmpiW (lpString1="test-phish-simple.pset", lpString2="$Recycle.bin") returned 1 [0136.009] lstrcmpiW (lpString1="test-phish-simple.pset", lpString2="System Volume Information") returned 1 [0136.009] lstrcmpiW (lpString1="test-phish-simple.pset", lpString2=".") returned 1 [0136.009] lstrcmpiW (lpString1="test-phish-simple.pset", lpString2="..") returned 1 [0136.009] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.pset") returned 125 [0136.010] lstrcmpW (lpString1="test-phish-simple.pset", lpString2="PUSSY.TXT") returned 1 [0136.010] PathFindExtensionW (pszPath="test-phish-simple.pset") returned=".pset" [0136.010] lstrlenW (lpString=".pset") returned 5 [0136.010] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0136.010] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.pset" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.pset"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0136.010] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=16) returned 1 [0136.010] CloseHandle (hObject=0x194) returned 1 [0136.010] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82649ab0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x82649ab0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x82649ab0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0xe8, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="test-phish-simple.sbstore", cAlternateFileName="TEST-P~1.SBS")) returned 1 [0136.010] lstrcmpiW (lpString1="test-phish-simple.sbstore", lpString2="Windows") returned -1 [0136.010] lstrcmpiW (lpString1="test-phish-simple.sbstore", lpString2="Program Files") returned 1 [0136.010] lstrcmpiW (lpString1="test-phish-simple.sbstore", lpString2="Program Files (x86)") returned 1 [0136.010] lstrcmpiW (lpString1="test-phish-simple.sbstore", lpString2="$Recycle.bin") returned 1 [0136.010] lstrcmpiW (lpString1="test-phish-simple.sbstore", lpString2="System Volume Information") returned 1 [0136.010] lstrcmpiW (lpString1="test-phish-simple.sbstore", lpString2=".") returned 1 [0136.010] lstrcmpiW (lpString1="test-phish-simple.sbstore", lpString2="..") returned 1 [0136.010] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.sbstore") returned 128 [0136.010] lstrcmpW (lpString1="test-phish-simple.sbstore", lpString2="PUSSY.TXT") returned 1 [0136.010] PathFindExtensionW (pszPath="test-phish-simple.sbstore") returned=".sbstore" [0136.011] lstrlenW (lpString=".sbstore") returned 8 [0136.011] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0136.011] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.sbstore" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.sbstore"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0136.011] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=232) returned 1 [0136.011] CloseHandle (hObject=0x194) returned 1 [0136.011] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82649ab0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x82649ab0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x82649ab0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0xe8, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="test-phish-simple.sbstore", cAlternateFileName="TEST-P~1.SBS")) returned 0 [0136.011] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0136.011] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\PUSSY.TXT") returned 112 [0136.011] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\safebrowsing\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0136.012] lstrlenA (lpString="abcd") returned 4 [0136.012] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0136.013] CloseHandle (hObject=0x184) returned 1 [0136.013] GetProcessHeap () returned 0x4c0000 [0136.013] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bd80e8 | out: hHeap=0x4c0000) returned 1 [0136.016] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x807f0230, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x854b47b0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x854b47b0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName="startupCache", cAlternateFileName="STARTU~1")) returned 1 [0136.016] lstrcmpiW (lpString1="startupCache", lpString2="Windows") returned -1 [0136.016] lstrcmpiW (lpString1="startupCache", lpString2="Program Files") returned 1 [0136.016] lstrcmpiW (lpString1="startupCache", lpString2="Program Files (x86)") returned 1 [0136.016] lstrcmpiW (lpString1="startupCache", lpString2="$Recycle.bin") returned 1 [0136.016] lstrcmpiW (lpString1="startupCache", lpString2="System Volume Information") returned -1 [0136.016] lstrcmpiW (lpString1="startupCache", lpString2=".") returned 1 [0136.016] lstrcmpiW (lpString1="startupCache", lpString2="..") returned 1 [0136.017] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\startupCache") returned 102 [0136.017] GetProcessHeap () returned 0x4c0000 [0136.017] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bd80e8 [0136.017] lstrcpyW (in: lpString1=0x3bd80e8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\startupCache" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\startupCache") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\startupCache" [0136.017] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\startupCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\startupCache\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\startupCache\\*" [0136.017] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\startupCache\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x807f0230, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x854b47b0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x854b47b0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0136.018] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0136.018] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0136.018] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0136.018] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0136.018] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0136.018] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.018] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x807f0230, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x854b47b0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x854b47b0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0136.019] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0136.019] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0136.019] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0136.019] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0136.019] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0136.019] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.019] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.019] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x854b47b0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x854b47b0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x85572e90, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0xe59f6, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="startupCache.4.little", cAlternateFileName="STARTU~1.LIT")) returned 1 [0136.019] lstrcmpiW (lpString1="startupCache.4.little", lpString2="Windows") returned -1 [0136.019] lstrcmpiW (lpString1="startupCache.4.little", lpString2="Program Files") returned 1 [0136.019] lstrcmpiW (lpString1="startupCache.4.little", lpString2="Program Files (x86)") returned 1 [0136.019] lstrcmpiW (lpString1="startupCache.4.little", lpString2="$Recycle.bin") returned 1 [0136.019] lstrcmpiW (lpString1="startupCache.4.little", lpString2="System Volume Information") returned -1 [0136.019] lstrcmpiW (lpString1="startupCache.4.little", lpString2=".") returned 1 [0136.019] lstrcmpiW (lpString1="startupCache.4.little", lpString2="..") returned 1 [0136.019] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\startupCache\\startupCache.4.little") returned 124 [0136.019] lstrcmpW (lpString1="startupCache.4.little", lpString2="PUSSY.TXT") returned 1 [0136.019] PathFindExtensionW (pszPath="startupCache.4.little") returned=".little" [0136.019] lstrlenW (lpString=".little") returned 7 [0136.019] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0136.019] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\startupCache\\startupCache.4.little" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\startupcache\\startupcache.4.little"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0136.020] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=940534) returned 1 [0136.020] GetProcessHeap () returned 0x4c0000 [0136.020] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0136.035] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="50") returned 2 [0136.035] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="A5") returned 2 [0136.035] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="E7") returned 2 [0136.035] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="2F") returned 2 [0136.035] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="29") returned 2 [0136.035] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="0E") returned 2 [0136.035] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="60") returned 2 [0136.035] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="80") returned 2 [0136.035] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="84") returned 2 [0136.035] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="5C") returned 2 [0136.035] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="C4") returned 2 [0136.035] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="75") returned 2 [0136.035] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="ED") returned 2 [0136.036] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="85") returned 2 [0136.036] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="86") returned 2 [0136.036] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="73") returned 2 [0136.036] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="B7") returned 2 [0136.036] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="E5") returned 2 [0136.036] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="25") returned 2 [0136.036] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="31") returned 2 [0136.036] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="BF") returned 2 [0136.036] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="15") returned 2 [0136.036] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="E3") returned 2 [0136.036] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="7E") returned 2 [0136.036] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="7C") returned 2 [0136.036] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="A1") returned 2 [0136.036] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="D9") returned 2 [0136.036] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="23") returned 2 [0136.036] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="73") returned 2 [0136.036] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="E4") returned 2 [0136.036] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="4A") returned 2 [0136.036] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="41") returned 2 [0136.048] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\startupCache\\startupCache.4.little" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\startupCache\\startupCache.4.little") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\startupCache\\startupCache.4.little" [0136.048] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\startupCache\\startupCache.4.little" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\startupCache\\startupCache.4.little") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\startupCache\\startupCache.4.little" [0136.048] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\startupCache\\startupCache.4.little", lpString2=".50A5E72F290E6080845CC475ED858673B7E52531BF15E37E7CA1D92373E44A41" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\startupCache\\startupCache.4.little.50A5E72F290E6080845CC475ED858673B7E52531BF15E37E7CA1D92373E44A41") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\startupCache\\startupCache.4.little.50A5E72F290E6080845CC475ED858673B7E52531BF15E37E7CA1D92373E44A41" [0136.048] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0136.048] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0136.048] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x854b47b0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x854b47b0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x85572e90, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0xe59f6, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="startupCache.4.little", cAlternateFileName="STARTU~1.LIT")) returned 0 [0136.048] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0136.048] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\startupCache\\PUSSY.TXT") returned 112 [0136.048] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\startupCache\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\startupcache\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0136.049] lstrlenA (lpString="abcd") returned 4 [0136.049] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0136.050] CloseHandle (hObject=0x184) returned 1 [0136.050] GetProcessHeap () returned 0x4c0000 [0136.050] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bd80e8 | out: hHeap=0x4c0000) returned 1 [0136.050] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb653ec30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x83ce6bb0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x83ce6bb0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName="thumbnails", cAlternateFileName="THUMBN~1")) returned 1 [0136.050] lstrcmpiW (lpString1="thumbnails", lpString2="Windows") returned -1 [0136.050] lstrcmpiW (lpString1="thumbnails", lpString2="Program Files") returned 1 [0136.051] lstrcmpiW (lpString1="thumbnails", lpString2="Program Files (x86)") returned 1 [0136.051] lstrcmpiW (lpString1="thumbnails", lpString2="$Recycle.bin") returned 1 [0136.051] lstrcmpiW (lpString1="thumbnails", lpString2="System Volume Information") returned 1 [0136.051] lstrcmpiW (lpString1="thumbnails", lpString2=".") returned 1 [0136.051] lstrcmpiW (lpString1="thumbnails", lpString2="..") returned 1 [0136.051] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails") returned 100 [0136.051] GetProcessHeap () returned 0x4c0000 [0136.051] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bd80e8 [0136.051] lstrcpyW (in: lpString1=0x3bd80e8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails" [0136.051] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\*" [0136.051] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb653ec30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x83ce6bb0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x83ce6bb0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0136.093] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0136.093] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0136.093] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0136.093] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0136.093] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0136.093] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.093] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb653ec30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x83ce6bb0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x83ce6bb0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0136.093] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0136.093] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0136.093] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0136.093] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0136.093] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0136.093] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.094] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.094] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x83cc0a50, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x83cc0a50, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x83ce6bb0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x40b0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="4cc87c1409819bf06f42b782d4902b2f.png", cAlternateFileName="4CC87C~1.PNG")) returned 1 [0136.094] lstrcmpiW (lpString1="4cc87c1409819bf06f42b782d4902b2f.png", lpString2="Windows") returned -1 [0136.094] lstrcmpiW (lpString1="4cc87c1409819bf06f42b782d4902b2f.png", lpString2="Program Files") returned -1 [0136.094] lstrcmpiW (lpString1="4cc87c1409819bf06f42b782d4902b2f.png", lpString2="Program Files (x86)") returned -1 [0136.094] lstrcmpiW (lpString1="4cc87c1409819bf06f42b782d4902b2f.png", lpString2="$Recycle.bin") returned 1 [0136.094] lstrcmpiW (lpString1="4cc87c1409819bf06f42b782d4902b2f.png", lpString2="System Volume Information") returned -1 [0136.094] lstrcmpiW (lpString1="4cc87c1409819bf06f42b782d4902b2f.png", lpString2=".") returned 1 [0136.094] lstrcmpiW (lpString1="4cc87c1409819bf06f42b782d4902b2f.png", lpString2="..") returned 1 [0136.094] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\4cc87c1409819bf06f42b782d4902b2f.png") returned 137 [0136.094] lstrcmpW (lpString1="4cc87c1409819bf06f42b782d4902b2f.png", lpString2="PUSSY.TXT") returned -1 [0136.094] PathFindExtensionW (pszPath="4cc87c1409819bf06f42b782d4902b2f.png") returned=".png" [0136.094] lstrlenW (lpString=".png") returned 4 [0136.094] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0136.094] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\4cc87c1409819bf06f42b782d4902b2f.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\thumbnails\\4cc87c1409819bf06f42b782d4902b2f.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0136.095] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=16560) returned 1 [0136.095] GetProcessHeap () returned 0x4c0000 [0136.095] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0136.105] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="D1") returned 2 [0136.105] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="07") returned 2 [0136.105] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="EA") returned 2 [0136.105] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="69") returned 2 [0136.105] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="1B") returned 2 [0136.105] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="3F") returned 2 [0136.105] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="44") returned 2 [0136.106] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="FB") returned 2 [0136.106] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="EC") returned 2 [0136.106] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="73") returned 2 [0136.106] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="32") returned 2 [0136.106] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="D0") returned 2 [0136.106] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="66") returned 2 [0136.106] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="8B") returned 2 [0136.106] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="20") returned 2 [0136.106] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="D8") returned 2 [0136.106] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="0B") returned 2 [0136.106] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="A9") returned 2 [0136.106] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="18") returned 2 [0136.106] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="8C") returned 2 [0136.106] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="B3") returned 2 [0136.106] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="EC") returned 2 [0136.106] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="4D") returned 2 [0136.106] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="75") returned 2 [0136.106] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="2E") returned 2 [0136.106] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="61") returned 2 [0136.106] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="0D") returned 2 [0136.106] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="D1") returned 2 [0136.106] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="D6") returned 2 [0136.106] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="82") returned 2 [0136.106] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="B9") returned 2 [0136.106] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="0A") returned 2 [0136.115] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\4cc87c1409819bf06f42b782d4902b2f.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\4cc87c1409819bf06f42b782d4902b2f.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\4cc87c1409819bf06f42b782d4902b2f.png" [0136.115] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\4cc87c1409819bf06f42b782d4902b2f.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\4cc87c1409819bf06f42b782d4902b2f.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\4cc87c1409819bf06f42b782d4902b2f.png" [0136.115] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\4cc87c1409819bf06f42b782d4902b2f.png", lpString2=".D107EA691B3F44FBEC7332D0668B20D80BA9188CB3EC4D752E610DD1D682B90A" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\4cc87c1409819bf06f42b782d4902b2f.png.D107EA691B3F44FBEC7332D0668B20D80BA9188CB3EC4D752E610DD1D682B90A") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\4cc87c1409819bf06f42b782d4902b2f.png.D107EA691B3F44FBEC7332D0668B20D80BA9188CB3EC4D752E610DD1D682B90A" [0136.115] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0136.115] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0136.115] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x83ce6bb0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x83ce6bb0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x83ce6bb0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x40b0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="ba182bcd131f1f3c6b6fbbb1ba078341.png", cAlternateFileName="BA182B~1.PNG")) returned 1 [0136.115] lstrcmpiW (lpString1="ba182bcd131f1f3c6b6fbbb1ba078341.png", lpString2="Windows") returned -1 [0136.115] lstrcmpiW (lpString1="ba182bcd131f1f3c6b6fbbb1ba078341.png", lpString2="Program Files") returned -1 [0136.115] lstrcmpiW (lpString1="ba182bcd131f1f3c6b6fbbb1ba078341.png", lpString2="Program Files (x86)") returned -1 [0136.115] lstrcmpiW (lpString1="ba182bcd131f1f3c6b6fbbb1ba078341.png", lpString2="$Recycle.bin") returned 1 [0136.115] lstrcmpiW (lpString1="ba182bcd131f1f3c6b6fbbb1ba078341.png", lpString2="System Volume Information") returned -1 [0136.115] lstrcmpiW (lpString1="ba182bcd131f1f3c6b6fbbb1ba078341.png", lpString2=".") returned 1 [0136.115] lstrcmpiW (lpString1="ba182bcd131f1f3c6b6fbbb1ba078341.png", lpString2="..") returned 1 [0136.115] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ba182bcd131f1f3c6b6fbbb1ba078341.png") returned 137 [0136.116] lstrcmpW (lpString1="ba182bcd131f1f3c6b6fbbb1ba078341.png", lpString2="PUSSY.TXT") returned -1 [0136.116] PathFindExtensionW (pszPath="ba182bcd131f1f3c6b6fbbb1ba078341.png") returned=".png" [0136.116] lstrlenW (lpString=".png") returned 4 [0136.116] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0136.116] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ba182bcd131f1f3c6b6fbbb1ba078341.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\thumbnails\\ba182bcd131f1f3c6b6fbbb1ba078341.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d4 [0136.116] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=16560) returned 1 [0136.117] GetProcessHeap () returned 0x4c0000 [0136.117] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0136.148] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="4A") returned 2 [0136.148] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="2B") returned 2 [0136.149] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="1D") returned 2 [0136.149] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="28") returned 2 [0136.149] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="30") returned 2 [0136.149] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="EB") returned 2 [0136.149] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="0B") returned 2 [0136.149] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="6A") returned 2 [0136.149] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="B0") returned 2 [0136.149] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="58") returned 2 [0136.149] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="C2") returned 2 [0136.149] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="59") returned 2 [0136.149] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="A5") returned 2 [0136.149] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="6E") returned 2 [0136.149] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="F4") returned 2 [0136.149] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="6E") returned 2 [0136.149] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="03") returned 2 [0136.149] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="09") returned 2 [0136.149] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="13") returned 2 [0136.149] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="90") returned 2 [0136.149] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="3D") returned 2 [0136.149] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="73") returned 2 [0136.149] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="82") returned 2 [0136.149] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="AD") returned 2 [0136.149] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="79") returned 2 [0136.149] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="7E") returned 2 [0136.149] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="CA") returned 2 [0136.149] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="CD") returned 2 [0136.149] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="E0") returned 2 [0136.149] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="A1") returned 2 [0136.149] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="08") returned 2 [0136.149] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="34") returned 2 [0136.158] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ba182bcd131f1f3c6b6fbbb1ba078341.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ba182bcd131f1f3c6b6fbbb1ba078341.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ba182bcd131f1f3c6b6fbbb1ba078341.png" [0136.158] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ba182bcd131f1f3c6b6fbbb1ba078341.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ba182bcd131f1f3c6b6fbbb1ba078341.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ba182bcd131f1f3c6b6fbbb1ba078341.png" [0136.158] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ba182bcd131f1f3c6b6fbbb1ba078341.png", lpString2=".4A2B1D2830EB0B6AB058C259A56EF46E030913903D7382AD797ECACDE0A10834" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ba182bcd131f1f3c6b6fbbb1ba078341.png.4A2B1D2830EB0B6AB058C259A56EF46E030913903D7382AD797ECACDE0A10834") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ba182bcd131f1f3c6b6fbbb1ba078341.png.4A2B1D2830EB0B6AB058C259A56EF46E030913903D7382AD797ECACDE0A10834" [0136.159] CreateIoCompletionPort (FileHandle=0x1d4, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0136.159] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0136.159] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb97ade50, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb97ade50, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb97ade50, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x1c362, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="ce8c0453589216a67cddb50284fbfe8d.png", cAlternateFileName="CE8C04~1.PNG")) returned 1 [0136.160] lstrcmpiW (lpString1="ce8c0453589216a67cddb50284fbfe8d.png", lpString2="Windows") returned -1 [0136.160] lstrcmpiW (lpString1="ce8c0453589216a67cddb50284fbfe8d.png", lpString2="Program Files") returned -1 [0136.160] lstrcmpiW (lpString1="ce8c0453589216a67cddb50284fbfe8d.png", lpString2="Program Files (x86)") returned -1 [0136.160] lstrcmpiW (lpString1="ce8c0453589216a67cddb50284fbfe8d.png", lpString2="$Recycle.bin") returned 1 [0136.160] lstrcmpiW (lpString1="ce8c0453589216a67cddb50284fbfe8d.png", lpString2="System Volume Information") returned -1 [0136.160] lstrcmpiW (lpString1="ce8c0453589216a67cddb50284fbfe8d.png", lpString2=".") returned 1 [0136.160] lstrcmpiW (lpString1="ce8c0453589216a67cddb50284fbfe8d.png", lpString2="..") returned 1 [0136.160] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ce8c0453589216a67cddb50284fbfe8d.png") returned 137 [0136.160] lstrcmpW (lpString1="ce8c0453589216a67cddb50284fbfe8d.png", lpString2="PUSSY.TXT") returned -1 [0136.160] PathFindExtensionW (pszPath="ce8c0453589216a67cddb50284fbfe8d.png") returned=".png" [0136.160] lstrlenW (lpString=".png") returned 4 [0136.160] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0136.160] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ce8c0453589216a67cddb50284fbfe8d.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\thumbnails\\ce8c0453589216a67cddb50284fbfe8d.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xec [0136.161] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=115554) returned 1 [0136.162] GetProcessHeap () returned 0x4c0000 [0136.162] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x564b40 [0136.188] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="C3") returned 2 [0136.188] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="99") returned 2 [0136.188] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="BC") returned 2 [0136.188] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="16") returned 2 [0136.188] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="93") returned 2 [0136.188] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="FB") returned 2 [0136.189] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="F4") returned 2 [0136.189] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="DB") returned 2 [0136.189] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="67") returned 2 [0136.189] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="2D") returned 2 [0136.189] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="1A") returned 2 [0136.189] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="68") returned 2 [0136.189] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="6B") returned 2 [0136.189] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="64") returned 2 [0136.189] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="8B") returned 2 [0136.189] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="21") returned 2 [0136.189] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="76") returned 2 [0136.189] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="86") returned 2 [0136.189] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="F3") returned 2 [0136.189] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="F7") returned 2 [0136.189] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="7D") returned 2 [0136.189] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="8C") returned 2 [0136.189] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="1F") returned 2 [0136.189] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="1E") returned 2 [0136.189] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="92") returned 2 [0136.189] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="1B") returned 2 [0136.189] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="2C") returned 2 [0136.189] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="0A") returned 2 [0136.189] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="CA") returned 2 [0136.189] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="F5") returned 2 [0136.189] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="00") returned 2 [0136.189] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="4A") returned 2 [0136.198] lstrcpyW (in: lpString1=0x574b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ce8c0453589216a67cddb50284fbfe8d.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ce8c0453589216a67cddb50284fbfe8d.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ce8c0453589216a67cddb50284fbfe8d.png" [0136.198] lstrcpyW (in: lpString1=0x564b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ce8c0453589216a67cddb50284fbfe8d.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ce8c0453589216a67cddb50284fbfe8d.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ce8c0453589216a67cddb50284fbfe8d.png" [0136.198] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ce8c0453589216a67cddb50284fbfe8d.png", lpString2=".C399BC1693FBF4DB672D1A686B648B217686F3F77D8C1F1E921B2C0ACAF5004A" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ce8c0453589216a67cddb50284fbfe8d.png.C399BC1693FBF4DB672D1A686B648B217686F3F77D8C1F1E921B2C0ACAF5004A") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ce8c0453589216a67cddb50284fbfe8d.png.C399BC1693FBF4DB672D1A686B648B217686F3F77D8C1F1E921B2C0ACAF5004A" [0136.198] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x94, CompletionKey=0x564b40, NumberOfConcurrentThreads=0x0) returned 0x94 [0136.198] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x564b40, lpOverlapped=0x564b40) returned 1 [0136.198] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb97ade50, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb97ade50, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb97ade50, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x1c362, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="ce8c0453589216a67cddb50284fbfe8d.png", cAlternateFileName="CE8C04~1.PNG")) returned 0 [0136.198] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0136.198] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\PUSSY.TXT") returned 110 [0136.198] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\thumbnails\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0136.201] lstrlenA (lpString="abcd") returned 4 [0136.201] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0136.202] CloseHandle (hObject=0x184) returned 1 [0136.202] GetProcessHeap () returned 0x4c0000 [0136.202] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bd80e8 | out: hHeap=0x4c0000) returned 1 [0136.202] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb64f2970, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb64f2970, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x853a9e10, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x1, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName="_CACHE_CLEAN_", cAlternateFileName="_CACHE~1")) returned 1 [0136.202] lstrcmpiW (lpString1="_CACHE_CLEAN_", lpString2="Windows") returned -1 [0136.202] lstrcmpiW (lpString1="_CACHE_CLEAN_", lpString2="Program Files") returned -1 [0136.202] lstrcmpiW (lpString1="_CACHE_CLEAN_", lpString2="Program Files (x86)") returned -1 [0136.202] lstrcmpiW (lpString1="_CACHE_CLEAN_", lpString2="$Recycle.bin") returned 1 [0136.202] lstrcmpiW (lpString1="_CACHE_CLEAN_", lpString2="System Volume Information") returned -1 [0136.203] lstrcmpiW (lpString1="_CACHE_CLEAN_", lpString2=".") returned 1 [0136.203] lstrcmpiW (lpString1="_CACHE_CLEAN_", lpString2="..") returned 1 [0136.203] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\_CACHE_CLEAN_") returned 103 [0136.203] lstrcmpW (lpString1="_CACHE_CLEAN_", lpString2="PUSSY.TXT") returned -1 [0136.203] PathFindExtensionW (pszPath="_CACHE_CLEAN_") returned="" [0136.203] lstrlenW (lpString="") returned 0 [0136.203] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0136.203] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\_CACHE_CLEAN_" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\_cache_clean_"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0136.204] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=1) returned 1 [0136.204] CloseHandle (hObject=0x184) returned 1 [0136.204] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb64f2970, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb64f2970, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x853a9e10, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x1, dwReserved0=0x4ddd20, dwReserved1=0x77c61b06, cFileName="_CACHE_CLEAN_", cAlternateFileName="_CACHE~1")) returned 0 [0136.204] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0136.204] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\PUSSY.TXT") returned 99 [0136.204] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0136.205] lstrlenA (lpString="abcd") returned 4 [0136.205] WriteFile (in: hFile=0x1a8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0136.205] CloseHandle (hObject=0x1a8) returned 1 [0136.206] GetProcessHeap () returned 0x4c0000 [0136.206] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0136.208] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb264df80, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x826e2030, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x826e2030, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="silmbjec.default", cAlternateFileName="SILMBJ~1.DEF")) returned 0 [0136.208] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0136.208] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\PUSSY.TXT") returned 82 [0136.208] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0136.209] lstrlenA (lpString="abcd") returned 4 [0136.209] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0136.210] CloseHandle (hObject=0x1d0) returned 1 [0136.210] GetProcessHeap () returned 0x4c0000 [0136.210] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0136.210] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb264df80, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb264df80, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb264df80, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="Profiles", cAlternateFileName="")) returned 0 [0136.210] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0136.210] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\PUSSY.TXT") returned 73 [0136.210] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0136.210] lstrlenA (lpString="abcd") returned 4 [0136.210] WriteFile (in: hFile=0x1d8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0136.211] CloseHandle (hObject=0x1d8) returned 1 [0136.211] GetProcessHeap () returned 0x4c0000 [0136.211] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0136.211] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7314c10, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7314c10, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7314c10, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="updates", cAlternateFileName="")) returned 1 [0136.211] lstrcmpiW (lpString1="updates", lpString2="Windows") returned -1 [0136.211] lstrcmpiW (lpString1="updates", lpString2="Program Files") returned 1 [0136.212] lstrcmpiW (lpString1="updates", lpString2="Program Files (x86)") returned 1 [0136.212] lstrcmpiW (lpString1="updates", lpString2="$Recycle.bin") returned 1 [0136.212] lstrcmpiW (lpString1="updates", lpString2="System Volume Information") returned 1 [0136.212] lstrcmpiW (lpString1="updates", lpString2=".") returned 1 [0136.212] lstrcmpiW (lpString1="updates", lpString2="..") returned 1 [0136.212] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates") returned 63 [0136.212] GetProcessHeap () returned 0x4c0000 [0136.212] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0136.212] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates" [0136.212] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\*" [0136.212] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7314c10, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7314c10, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7314c10, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0136.212] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0136.212] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0136.212] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0136.212] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0136.212] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0136.213] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.213] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7314c10, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7314c10, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7314c10, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0136.213] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0136.213] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0136.213] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0136.213] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0136.213] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0136.213] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.213] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.213] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7314c10, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x854b47b0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x854b47b0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="E7CF176E110C211B", cAlternateFileName="E7CF17~1")) returned 1 [0136.213] lstrcmpiW (lpString1="E7CF176E110C211B", lpString2="Windows") returned -1 [0136.213] lstrcmpiW (lpString1="E7CF176E110C211B", lpString2="Program Files") returned -1 [0136.213] lstrcmpiW (lpString1="E7CF176E110C211B", lpString2="Program Files (x86)") returned -1 [0136.213] lstrcmpiW (lpString1="E7CF176E110C211B", lpString2="$Recycle.bin") returned 1 [0136.213] lstrcmpiW (lpString1="E7CF176E110C211B", lpString2="System Volume Information") returned -1 [0136.213] lstrcmpiW (lpString1="E7CF176E110C211B", lpString2=".") returned 1 [0136.213] lstrcmpiW (lpString1="E7CF176E110C211B", lpString2="..") returned 1 [0136.213] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B") returned 80 [0136.213] GetProcessHeap () returned 0x4c0000 [0136.213] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0136.213] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B" [0136.213] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\*" [0136.213] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7314c10, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x854b47b0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x854b47b0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0136.217] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0136.217] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0136.217] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0136.217] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0136.217] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0136.217] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.217] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7314c10, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x854b47b0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x854b47b0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0136.217] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0136.217] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0136.217] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0136.217] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0136.218] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0136.218] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.218] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.218] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80a2b6d0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x85442390, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x85442390, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x464, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="active-update.xml", cAlternateFileName="ACTIVE~1.XML")) returned 1 [0136.218] lstrcmpiW (lpString1="active-update.xml", lpString2="Windows") returned -1 [0136.218] lstrcmpiW (lpString1="active-update.xml", lpString2="Program Files") returned -1 [0136.218] lstrcmpiW (lpString1="active-update.xml", lpString2="Program Files (x86)") returned -1 [0136.218] lstrcmpiW (lpString1="active-update.xml", lpString2="$Recycle.bin") returned 1 [0136.218] lstrcmpiW (lpString1="active-update.xml", lpString2="System Volume Information") returned -1 [0136.218] lstrcmpiW (lpString1="active-update.xml", lpString2=".") returned 1 [0136.218] lstrcmpiW (lpString1="active-update.xml", lpString2="..") returned 1 [0136.218] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\active-update.xml") returned 98 [0136.218] lstrcmpW (lpString1="active-update.xml", lpString2="PUSSY.TXT") returned -1 [0136.218] PathFindExtensionW (pszPath="active-update.xml") returned=".xml" [0136.218] lstrlenW (lpString=".xml") returned 4 [0136.218] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0136.218] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\active-update.xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\updates\\e7cf176e110c211b\\active-update.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a8 [0136.219] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=1124) returned 1 [0136.219] GetProcessHeap () returned 0x4c0000 [0136.219] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc80e0 [0136.230] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="84") returned 2 [0136.230] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="9F") returned 2 [0136.230] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="3F") returned 2 [0136.230] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="5D") returned 2 [0136.230] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="08") returned 2 [0136.230] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="94") returned 2 [0136.230] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="DC") returned 2 [0136.230] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="68") returned 2 [0136.230] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="93") returned 2 [0136.230] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="31") returned 2 [0136.230] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="98") returned 2 [0136.230] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="D8") returned 2 [0136.230] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="64") returned 2 [0136.230] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="C7") returned 2 [0136.230] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="7D") returned 2 [0136.230] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="66") returned 2 [0136.230] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="AB") returned 2 [0136.230] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="61") returned 2 [0136.230] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="81") returned 2 [0136.230] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="09") returned 2 [0136.230] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="19") returned 2 [0136.230] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="45") returned 2 [0136.231] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="C3") returned 2 [0136.231] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="B1") returned 2 [0136.231] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="D4") returned 2 [0136.231] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="05") returned 2 [0136.231] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="E9") returned 2 [0136.231] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="35") returned 2 [0136.231] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="86") returned 2 [0136.231] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="10") returned 2 [0136.231] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="A1") returned 2 [0136.231] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="6C") returned 2 [0136.285] lstrcpyW (in: lpString1=0x3bd8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\active-update.xml" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\active-update.xml") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\active-update.xml" [0136.285] lstrcpyW (in: lpString1=0x3bc8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\active-update.xml" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\active-update.xml") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\active-update.xml" [0136.285] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\active-update.xml", lpString2=".849F3F5D0894DC68933198D864C77D66AB6181091945C3B1D405E9358610A16C" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\active-update.xml.849F3F5D0894DC68933198D864C77D66AB6181091945C3B1D405E9358610A16C") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\active-update.xml.849F3F5D0894DC68933198D864C77D66AB6181091945C3B1D405E9358610A16C" [0136.285] CreateIoCompletionPort (FileHandle=0x1a8, ExistingCompletionPort=0x94, CompletionKey=0x3bc80e0, NumberOfConcurrentThreads=0x0) returned 0x94 [0136.285] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc80e0, lpOverlapped=0x3bc80e0) returned 1 [0136.286] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb74b7b30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb74b7b30, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb74b7b30, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="updates", cAlternateFileName="")) returned 1 [0136.286] lstrcmpiW (lpString1="updates", lpString2="Windows") returned -1 [0136.286] lstrcmpiW (lpString1="updates", lpString2="Program Files") returned 1 [0136.286] lstrcmpiW (lpString1="updates", lpString2="Program Files (x86)") returned 1 [0136.286] lstrcmpiW (lpString1="updates", lpString2="$Recycle.bin") returned 1 [0136.286] lstrcmpiW (lpString1="updates", lpString2="System Volume Information") returned 1 [0136.286] lstrcmpiW (lpString1="updates", lpString2=".") returned 1 [0136.286] lstrcmpiW (lpString1="updates", lpString2="..") returned 1 [0136.286] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates") returned 88 [0136.286] GetProcessHeap () returned 0x4c0000 [0136.286] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53caf0 [0136.286] lstrcpyW (in: lpString1=0x53caf0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates" [0136.286] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\*" [0136.286] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb74b7b30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb74b7b30, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb74b7b30, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0136.287] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0136.287] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0136.287] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0136.288] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0136.288] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0136.288] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.288] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb74b7b30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb74b7b30, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb74b7b30, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0136.288] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0136.288] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0136.288] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0136.288] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0136.288] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0136.288] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.288] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.288] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb74b7b30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x80a2b6d0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x80a2b6d0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName="0", cAlternateFileName="")) returned 1 [0136.288] lstrcmpiW (lpString1="0", lpString2="Windows") returned -1 [0136.288] lstrcmpiW (lpString1="0", lpString2="Program Files") returned -1 [0136.288] lstrcmpiW (lpString1="0", lpString2="Program Files (x86)") returned -1 [0136.288] lstrcmpiW (lpString1="0", lpString2="$Recycle.bin") returned 1 [0136.288] lstrcmpiW (lpString1="0", lpString2="System Volume Information") returned -1 [0136.288] lstrcmpiW (lpString1="0", lpString2=".") returned 1 [0136.288] lstrcmpiW (lpString1="0", lpString2="..") returned 1 [0136.289] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0") returned 90 [0136.289] GetProcessHeap () returned 0x4c0000 [0136.289] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x54caf8 [0136.289] lstrcpyW (in: lpString1=0x54caf8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0" [0136.289] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\*" [0136.289] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb74b7b30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x80a2b6d0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x80a2b6d0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0136.289] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0136.289] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0136.289] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0136.289] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0136.289] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0136.289] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.290] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb74b7b30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x80a2b6d0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x80a2b6d0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0136.290] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0136.290] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0136.290] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0136.290] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0136.290] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0136.290] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.290] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.290] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb7d7ec50, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7d7ec50, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x818016b0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x927c0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="update.mar", cAlternateFileName="")) returned 1 [0136.290] lstrcmpiW (lpString1="update.mar", lpString2="Windows") returned -1 [0136.290] lstrcmpiW (lpString1="update.mar", lpString2="Program Files") returned 1 [0136.290] lstrcmpiW (lpString1="update.mar", lpString2="Program Files (x86)") returned 1 [0136.290] lstrcmpiW (lpString1="update.mar", lpString2="$Recycle.bin") returned 1 [0136.290] lstrcmpiW (lpString1="update.mar", lpString2="System Volume Information") returned 1 [0136.290] lstrcmpiW (lpString1="update.mar", lpString2=".") returned 1 [0136.290] lstrcmpiW (lpString1="update.mar", lpString2="..") returned 1 [0136.290] wnsprintfW (in: pszDest=0x54caf8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\update.mar") returned 101 [0136.290] lstrcmpW (lpString1="update.mar", lpString2="PUSSY.TXT") returned 1 [0136.290] PathFindExtensionW (pszPath="update.mar") returned=".mar" [0136.291] lstrlenW (lpString=".mar") returned 4 [0136.291] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0136.291] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\update.mar" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\updates\\e7cf176e110c211b\\updates\\0\\update.mar"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0136.292] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=600000) returned 1 [0136.292] GetProcessHeap () returned 0x4c0000 [0136.292] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c28098 [0136.305] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="05") returned 2 [0136.305] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="0F") returned 2 [0136.305] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="10") returned 2 [0136.305] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="74") returned 2 [0136.305] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="D9") returned 2 [0136.305] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="A1") returned 2 [0136.305] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="01") returned 2 [0136.305] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="64") returned 2 [0136.305] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="E0") returned 2 [0136.305] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="00") returned 2 [0136.305] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="4F") returned 2 [0136.305] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="FD") returned 2 [0136.305] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="ED") returned 2 [0136.305] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="93") returned 2 [0136.305] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="98") returned 2 [0136.305] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="38") returned 2 [0136.305] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="1F") returned 2 [0136.305] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="18") returned 2 [0136.305] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="5C") returned 2 [0136.306] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="42") returned 2 [0136.306] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="01") returned 2 [0136.306] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="CA") returned 2 [0136.306] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="1A") returned 2 [0136.306] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="92") returned 2 [0136.306] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="2D") returned 2 [0136.306] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="30") returned 2 [0136.306] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="9C") returned 2 [0136.306] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="8C") returned 2 [0136.306] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="49") returned 2 [0136.306] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="80") returned 2 [0136.306] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="70") returned 2 [0136.306] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="1A") returned 2 [0136.315] lstrcpyW (in: lpString1=0x3c380cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\update.mar" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\update.mar") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\update.mar" [0136.315] lstrcpyW (in: lpString1=0x3c280cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\update.mar" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\update.mar") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\update.mar" [0136.315] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\update.mar", lpString2=".050F1074D9A10164E0004FFDED9398381F185C4201CA1A922D309C8C4980701A" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\update.mar.050F1074D9A10164E0004FFDED9398381F185C4201CA1A922D309C8C4980701A") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\update.mar.050F1074D9A10164E0004FFDED9398381F185C4201CA1A922D309C8C4980701A" [0136.315] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x3c28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0136.315] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c28098, lpOverlapped=0x3c28098) returned 1 [0136.315] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80993150, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x80993150, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x80993150, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0xc, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="update.status", cAlternateFileName="UPDATE~1.STA")) returned 1 [0136.315] lstrcmpiW (lpString1="update.status", lpString2="Windows") returned -1 [0136.315] lstrcmpiW (lpString1="update.status", lpString2="Program Files") returned 1 [0136.315] lstrcmpiW (lpString1="update.status", lpString2="Program Files (x86)") returned 1 [0136.315] lstrcmpiW (lpString1="update.status", lpString2="$Recycle.bin") returned 1 [0136.315] lstrcmpiW (lpString1="update.status", lpString2="System Volume Information") returned 1 [0136.315] lstrcmpiW (lpString1="update.status", lpString2=".") returned 1 [0136.315] lstrcmpiW (lpString1="update.status", lpString2="..") returned 1 [0136.315] wnsprintfW (in: pszDest=0x54caf8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\update.status") returned 104 [0136.315] lstrcmpW (lpString1="update.status", lpString2="PUSSY.TXT") returned 1 [0136.315] PathFindExtensionW (pszPath="update.status") returned=".status" [0136.315] lstrlenW (lpString=".status") returned 7 [0136.315] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0136.315] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\update.status" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\updates\\e7cf176e110c211b\\updates\\0\\update.status"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x154 [0136.324] GetFileSizeEx (in: hFile=0x154, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=12) returned 1 [0136.324] CloseHandle (hObject=0x154) returned 1 [0136.324] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80993150, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x80993150, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x80993150, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0xc, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="update.status", cAlternateFileName="UPDATE~1.STA")) returned 0 [0136.324] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0136.324] wnsprintfW (in: pszDest=0x54caf8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\PUSSY.TXT") returned 100 [0136.324] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\updates\\e7cf176e110c211b\\updates\\0\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0136.325] lstrlenA (lpString="abcd") returned 4 [0136.325] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0136.326] CloseHandle (hObject=0x184) returned 1 [0136.326] GetProcessHeap () returned 0x4c0000 [0136.326] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x54caf8 | out: hHeap=0x4c0000) returned 1 [0136.326] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb74b7b30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x80a2b6d0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x80a2b6d0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName="0", cAlternateFileName="")) returned 0 [0136.326] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0136.326] wnsprintfW (in: pszDest=0x53caf0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\PUSSY.TXT") returned 98 [0136.326] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\updates\\e7cf176e110c211b\\updates\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0136.327] lstrlenA (lpString="abcd") returned 4 [0136.327] WriteFile (in: hFile=0x1b8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0136.328] CloseHandle (hObject=0x1b8) returned 1 [0136.328] GetProcessHeap () returned 0x4c0000 [0136.328] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0136.328] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80a9daf0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x8548e650, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x8548e650, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x39, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="updates.xml", cAlternateFileName="")) returned 1 [0136.328] lstrcmpiW (lpString1="updates.xml", lpString2="Windows") returned -1 [0136.328] lstrcmpiW (lpString1="updates.xml", lpString2="Program Files") returned 1 [0136.328] lstrcmpiW (lpString1="updates.xml", lpString2="Program Files (x86)") returned 1 [0136.328] lstrcmpiW (lpString1="updates.xml", lpString2="$Recycle.bin") returned 1 [0136.328] lstrcmpiW (lpString1="updates.xml", lpString2="System Volume Information") returned 1 [0136.328] lstrcmpiW (lpString1="updates.xml", lpString2=".") returned 1 [0136.328] lstrcmpiW (lpString1="updates.xml", lpString2="..") returned 1 [0136.328] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates.xml") returned 92 [0136.328] lstrcmpW (lpString1="updates.xml", lpString2="PUSSY.TXT") returned 1 [0136.328] PathFindExtensionW (pszPath="updates.xml") returned=".xml" [0136.328] lstrlenW (lpString=".xml") returned 4 [0136.328] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0136.328] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates.xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\updates\\e7cf176e110c211b\\updates.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0136.329] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=57) returned 1 [0136.329] CloseHandle (hObject=0x1b8) returned 1 [0136.329] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80a9daf0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x8548e650, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x8548e650, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x39, dwReserved0=0x4ddd20, dwReserved1=0x77c5f9e2, cFileName="updates.xml", cAlternateFileName="")) returned 0 [0136.329] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0136.329] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\PUSSY.TXT") returned 90 [0136.329] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\updates\\e7cf176e110c211b\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0136.330] lstrlenA (lpString="abcd") returned 4 [0136.330] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0136.331] CloseHandle (hObject=0x1d0) returned 1 [0136.331] GetProcessHeap () returned 0x4c0000 [0136.331] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0136.333] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7314c10, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x854b47b0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x854b47b0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddd20, dwReserved1=0xfe000000, cFileName="E7CF176E110C211B", cAlternateFileName="E7CF17~1")) returned 0 [0136.333] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0136.333] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\PUSSY.TXT") returned 73 [0136.333] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\updates\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0136.333] lstrlenA (lpString="abcd") returned 4 [0136.333] WriteFile (in: hFile=0x1d8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0136.334] CloseHandle (hObject=0x1d8) returned 1 [0136.335] GetProcessHeap () returned 0x4c0000 [0136.335] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0136.335] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7314c10, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7314c10, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7314c10, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="updates", cAlternateFileName="")) returned 0 [0136.335] FindClose (in: hFindFile=0x3bb7020 | out: hFindFile=0x3bb7020) returned 1 [0136.335] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\PUSSY.TXT") returned 65 [0136.335] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0136.336] lstrlenA (lpString="abcd") returned 4 [0136.336] WriteFile (in: hFile=0x180, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0136.337] CloseHandle (hObject=0x180) returned 1 [0136.337] GetProcessHeap () returned 0x4c0000 [0136.337] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0136.337] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xaf62d220, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xaf62d220, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="Temp", cAlternateFileName="")) returned 1 [0136.337] lstrcmpiW (lpString1="Temp", lpString2="Windows") returned -1 [0136.337] lstrcmpiW (lpString1="Temp", lpString2="Program Files") returned 1 [0136.337] lstrcmpiW (lpString1="Temp", lpString2="Program Files (x86)") returned 1 [0136.337] lstrcmpiW (lpString1="Temp", lpString2="$Recycle.bin") returned 1 [0136.337] lstrcmpiW (lpString1="Temp", lpString2="System Volume Information") returned 1 [0136.337] lstrcmpiW (lpString1="Temp", lpString2=".") returned 1 [0136.337] lstrcmpiW (lpString1="Temp", lpString2="..") returned 1 [0136.337] wnsprintfW (in: pszDest=0x52bae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp") returned 52 [0136.337] GetProcessHeap () returned 0x4c0000 [0136.337] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0136.337] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp" [0136.338] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\*" [0136.338] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xaf62d220, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xaf62d220, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7020 [0136.338] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0136.338] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0136.338] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0136.338] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0136.338] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0136.338] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.338] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xaf62d220, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xaf62d220, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0136.338] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0136.338] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0136.338] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0136.338] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0136.338] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0136.338] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.338] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.338] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x25d187d0, ftCreationTime.dwHighDateTime=0x1d5e21f, ftLastAccessTime.dwLowDateTime=0xb3814ff0, ftLastAccessTime.dwHighDateTime=0x1d5e794, ftLastWriteTime.dwLowDateTime=0xb3814ff0, ftLastWriteTime.dwHighDateTime=0x1d5e794, nFileSizeHigh=0x0, nFileSizeLow=0x488c, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="4iTgJBluuOHPh.avi", cAlternateFileName="4ITGJB~1.AVI")) returned 1 [0136.338] lstrcmpiW (lpString1="4iTgJBluuOHPh.avi", lpString2="Windows") returned -1 [0136.339] lstrcmpiW (lpString1="4iTgJBluuOHPh.avi", lpString2="Program Files") returned -1 [0136.339] lstrcmpiW (lpString1="4iTgJBluuOHPh.avi", lpString2="Program Files (x86)") returned -1 [0136.339] lstrcmpiW (lpString1="4iTgJBluuOHPh.avi", lpString2="$Recycle.bin") returned 1 [0136.339] lstrcmpiW (lpString1="4iTgJBluuOHPh.avi", lpString2="System Volume Information") returned -1 [0136.339] lstrcmpiW (lpString1="4iTgJBluuOHPh.avi", lpString2=".") returned 1 [0136.339] lstrcmpiW (lpString1="4iTgJBluuOHPh.avi", lpString2="..") returned 1 [0136.339] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\4iTgJBluuOHPh.avi") returned 70 [0136.339] lstrcmpW (lpString1="4iTgJBluuOHPh.avi", lpString2="PUSSY.TXT") returned -1 [0136.339] PathFindExtensionW (pszPath="4iTgJBluuOHPh.avi") returned=".avi" [0136.339] lstrlenW (lpString=".avi") returned 4 [0136.339] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0136.339] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\4iTgJBluuOHPh.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\4itgjbluuohph.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0136.340] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=18572) returned 1 [0136.340] GetProcessHeap () returned 0x4c0000 [0136.340] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x53caf0 [0136.350] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="4E") returned 2 [0136.350] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="4B") returned 2 [0136.350] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="C6") returned 2 [0136.350] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="96") returned 2 [0136.350] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="CA") returned 2 [0136.351] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="24") returned 2 [0136.351] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="C5") returned 2 [0136.351] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="92") returned 2 [0136.351] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="70") returned 2 [0136.351] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="33") returned 2 [0136.351] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="33") returned 2 [0136.351] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="15") returned 2 [0136.351] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="5D") returned 2 [0136.351] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="A6") returned 2 [0136.351] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="10") returned 2 [0136.351] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="BE") returned 2 [0136.351] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="67") returned 2 [0136.351] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="77") returned 2 [0136.351] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="2E") returned 2 [0136.351] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="52") returned 2 [0136.351] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="D2") returned 2 [0136.351] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="BB") returned 2 [0136.352] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="25") returned 2 [0136.352] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="08") returned 2 [0136.352] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="BD") returned 2 [0136.352] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="9A") returned 2 [0136.352] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="44") returned 2 [0136.352] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="40") returned 2 [0136.352] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="40") returned 2 [0136.352] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="16") returned 2 [0136.352] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="EC") returned 2 [0136.352] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="5D") returned 2 [0136.369] lstrcpyW (in: lpString1=0x54cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\4iTgJBluuOHPh.avi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\4iTgJBluuOHPh.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\4iTgJBluuOHPh.avi" [0136.369] lstrcpyW (in: lpString1=0x53cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\4iTgJBluuOHPh.avi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\4iTgJBluuOHPh.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\4iTgJBluuOHPh.avi" [0136.369] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\4iTgJBluuOHPh.avi", lpString2=".4E4BC696CA24C592703333155DA610BE67772E52D2BB2508BD9A44404016EC5D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\4iTgJBluuOHPh.avi.4E4BC696CA24C592703333155DA610BE67772E52D2BB2508BD9A44404016EC5D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\4iTgJBluuOHPh.avi.4E4BC696CA24C592703333155DA610BE67772E52D2BB2508BD9A44404016EC5D" [0136.369] CreateIoCompletionPort (FileHandle=0x1d8, ExistingCompletionPort=0x94, CompletionKey=0x53caf0, NumberOfConcurrentThreads=0x0) returned 0x94 [0136.369] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x53caf0, lpOverlapped=0x53caf0) returned 1 [0136.369] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8ccacba0, ftCreationTime.dwHighDateTime=0x1d5d9e0, ftLastAccessTime.dwLowDateTime=0x7b5d5a00, ftLastAccessTime.dwHighDateTime=0x1d5ddcc, ftLastWriteTime.dwLowDateTime=0x7b5d5a00, ftLastWriteTime.dwHighDateTime=0x1d5ddcc, nFileSizeHigh=0x0, nFileSizeLow=0x16ec, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="5IrZISH2ND.flv", cAlternateFileName="5IRZIS~1.FLV")) returned 1 [0136.369] lstrcmpiW (lpString1="5IrZISH2ND.flv", lpString2="Windows") returned -1 [0136.369] lstrcmpiW (lpString1="5IrZISH2ND.flv", lpString2="Program Files") returned -1 [0136.370] lstrcmpiW (lpString1="5IrZISH2ND.flv", lpString2="Program Files (x86)") returned -1 [0136.370] lstrcmpiW (lpString1="5IrZISH2ND.flv", lpString2="$Recycle.bin") returned 1 [0136.370] lstrcmpiW (lpString1="5IrZISH2ND.flv", lpString2="System Volume Information") returned -1 [0136.370] lstrcmpiW (lpString1="5IrZISH2ND.flv", lpString2=".") returned 1 [0136.370] lstrcmpiW (lpString1="5IrZISH2ND.flv", lpString2="..") returned 1 [0136.370] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5IrZISH2ND.flv") returned 67 [0136.370] lstrcmpW (lpString1="5IrZISH2ND.flv", lpString2="PUSSY.TXT") returned -1 [0136.370] PathFindExtensionW (pszPath="5IrZISH2ND.flv") returned=".flv" [0136.370] lstrlenW (lpString=".flv") returned 4 [0136.370] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0136.370] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5IrZISH2ND.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\5irzish2nd.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0136.372] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=5868) returned 1 [0136.372] GetProcessHeap () returned 0x4c0000 [0136.372] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b380a0 [0136.387] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="2A") returned 2 [0136.387] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="AA") returned 2 [0136.387] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="D8") returned 2 [0136.387] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="87") returned 2 [0136.387] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="D9") returned 2 [0136.387] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="1C") returned 2 [0136.387] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="B7") returned 2 [0136.387] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="8E") returned 2 [0136.387] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="EE") returned 2 [0136.388] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="65") returned 2 [0136.388] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="C4") returned 2 [0136.388] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="07") returned 2 [0136.388] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="99") returned 2 [0136.388] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="61") returned 2 [0136.388] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="83") returned 2 [0136.388] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="D4") returned 2 [0136.388] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="31") returned 2 [0136.388] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="5B") returned 2 [0136.388] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="B3") returned 2 [0136.388] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="86") returned 2 [0136.388] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="C1") returned 2 [0136.388] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="CE") returned 2 [0136.448] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="1C") returned 2 [0136.448] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="55") returned 2 [0136.448] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="E7") returned 2 [0136.448] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="55") returned 2 [0136.448] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="84") returned 2 [0136.448] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="40") returned 2 [0136.448] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="C2") returned 2 [0136.448] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="0F") returned 2 [0136.448] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="15") returned 2 [0136.448] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="3D") returned 2 [0136.456] lstrcpyW (in: lpString1=0x3b480d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5IrZISH2ND.flv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5IrZISH2ND.flv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5IrZISH2ND.flv" [0136.456] lstrcpyW (in: lpString1=0x3b380d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5IrZISH2ND.flv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5IrZISH2ND.flv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5IrZISH2ND.flv" [0136.457] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5IrZISH2ND.flv", lpString2=".2AAAD887D91CB78EEE65C407996183D4315BB386C1CE1C55E7558440C20F153D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5IrZISH2ND.flv.2AAAD887D91CB78EEE65C407996183D4315BB386C1CE1C55E7558440C20F153D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5IrZISH2ND.flv.2AAAD887D91CB78EEE65C407996183D4315BB386C1CE1C55E7558440C20F153D" [0136.457] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x94, CompletionKey=0x3b380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0136.457] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b380a0, lpOverlapped=0x3b380a0) returned 1 [0136.467] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa46c1510, ftCreationTime.dwHighDateTime=0x1d5dcac, ftLastAccessTime.dwLowDateTime=0xa2c08e30, ftLastAccessTime.dwHighDateTime=0x1d5e58f, ftLastWriteTime.dwLowDateTime=0xa2c08e30, ftLastWriteTime.dwHighDateTime=0x1d5e58f, nFileSizeHigh=0x0, nFileSizeLow=0x1b8b, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="9 6J9QDKbOEzRSfwYh.mp3", cAlternateFileName="96J9QD~1.MP3")) returned 1 [0136.467] lstrcmpiW (lpString1="9 6J9QDKbOEzRSfwYh.mp3", lpString2="Windows") returned -1 [0136.467] lstrcmpiW (lpString1="9 6J9QDKbOEzRSfwYh.mp3", lpString2="Program Files") returned -1 [0136.467] lstrcmpiW (lpString1="9 6J9QDKbOEzRSfwYh.mp3", lpString2="Program Files (x86)") returned -1 [0136.467] lstrcmpiW (lpString1="9 6J9QDKbOEzRSfwYh.mp3", lpString2="$Recycle.bin") returned 1 [0136.468] lstrcmpiW (lpString1="9 6J9QDKbOEzRSfwYh.mp3", lpString2="System Volume Information") returned -1 [0136.468] lstrcmpiW (lpString1="9 6J9QDKbOEzRSfwYh.mp3", lpString2=".") returned 1 [0136.468] lstrcmpiW (lpString1="9 6J9QDKbOEzRSfwYh.mp3", lpString2="..") returned 1 [0136.468] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\9 6J9QDKbOEzRSfwYh.mp3") returned 75 [0136.468] lstrcmpW (lpString1="9 6J9QDKbOEzRSfwYh.mp3", lpString2="PUSSY.TXT") returned -1 [0136.468] PathFindExtensionW (pszPath="9 6J9QDKbOEzRSfwYh.mp3") returned=".mp3" [0136.468] lstrlenW (lpString=".mp3") returned 4 [0136.468] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0136.468] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\9 6J9QDKbOEzRSfwYh.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\9 6j9qdkboezrsfwyh.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0136.468] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=7051) returned 1 [0136.469] GetProcessHeap () returned 0x4c0000 [0136.469] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x53caf0 [0136.477] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="64") returned 2 [0136.477] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="0E") returned 2 [0136.477] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="1F") returned 2 [0136.477] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="B2") returned 2 [0136.477] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="65") returned 2 [0136.477] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="BD") returned 2 [0136.477] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="A7") returned 2 [0136.477] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="28") returned 2 [0136.477] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="A8") returned 2 [0136.477] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="B8") returned 2 [0136.477] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="72") returned 2 [0136.477] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="4D") returned 2 [0136.477] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="D7") returned 2 [0136.477] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="C6") returned 2 [0136.477] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="BD") returned 2 [0136.477] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="4C") returned 2 [0136.477] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="F8") returned 2 [0136.477] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="EF") returned 2 [0136.477] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="A4") returned 2 [0136.477] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="BA") returned 2 [0136.477] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="7A") returned 2 [0136.477] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="DC") returned 2 [0136.477] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="87") returned 2 [0136.477] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="14") returned 2 [0136.477] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="AB") returned 2 [0136.477] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="72") returned 2 [0136.477] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="77") returned 2 [0136.478] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="46") returned 2 [0136.478] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="60") returned 2 [0136.478] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="6B") returned 2 [0136.478] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="24") returned 2 [0136.478] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="64") returned 2 [0136.486] lstrcpyW (in: lpString1=0x54cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\9 6J9QDKbOEzRSfwYh.mp3" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\9 6J9QDKbOEzRSfwYh.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\9 6J9QDKbOEzRSfwYh.mp3" [0136.486] lstrcpyW (in: lpString1=0x53cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\9 6J9QDKbOEzRSfwYh.mp3" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\9 6J9QDKbOEzRSfwYh.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\9 6J9QDKbOEzRSfwYh.mp3" [0136.486] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\9 6J9QDKbOEzRSfwYh.mp3", lpString2=".640E1FB265BDA728A8B8724DD7C6BD4CF8EFA4BA7ADC8714AB727746606B2464" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\9 6J9QDKbOEzRSfwYh.mp3.640E1FB265BDA728A8B8724DD7C6BD4CF8EFA4BA7ADC8714AB727746606B2464") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\9 6J9QDKbOEzRSfwYh.mp3.640E1FB265BDA728A8B8724DD7C6BD4CF8EFA4BA7ADC8714AB727746606B2464" [0136.486] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x94, CompletionKey=0x53caf0, NumberOfConcurrentThreads=0x0) returned 0x94 [0136.486] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x53caf0, lpOverlapped=0x53caf0) returned 1 [0136.505] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc6199c30, ftCreationTime.dwHighDateTime=0x1d5dac4, ftLastAccessTime.dwLowDateTime=0x38b76000, ftLastAccessTime.dwHighDateTime=0x1d5e633, ftLastWriteTime.dwLowDateTime=0x38b76000, ftLastWriteTime.dwHighDateTime=0x1d5e633, nFileSizeHigh=0x0, nFileSizeLow=0x10c83, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="AD8NbrdA5R-dSu6Hiug.mkv", cAlternateFileName="AD8NBR~1.MKV")) returned 1 [0136.506] lstrcmpiW (lpString1="AD8NbrdA5R-dSu6Hiug.mkv", lpString2="Windows") returned -1 [0136.506] lstrcmpiW (lpString1="AD8NbrdA5R-dSu6Hiug.mkv", lpString2="Program Files") returned -1 [0136.506] lstrcmpiW (lpString1="AD8NbrdA5R-dSu6Hiug.mkv", lpString2="Program Files (x86)") returned -1 [0136.506] lstrcmpiW (lpString1="AD8NbrdA5R-dSu6Hiug.mkv", lpString2="$Recycle.bin") returned 1 [0136.506] lstrcmpiW (lpString1="AD8NbrdA5R-dSu6Hiug.mkv", lpString2="System Volume Information") returned -1 [0136.506] lstrcmpiW (lpString1="AD8NbrdA5R-dSu6Hiug.mkv", lpString2=".") returned 1 [0136.506] lstrcmpiW (lpString1="AD8NbrdA5R-dSu6Hiug.mkv", lpString2="..") returned 1 [0136.506] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\AD8NbrdA5R-dSu6Hiug.mkv") returned 76 [0136.506] lstrcmpW (lpString1="AD8NbrdA5R-dSu6Hiug.mkv", lpString2="PUSSY.TXT") returned -1 [0136.506] PathFindExtensionW (pszPath="AD8NbrdA5R-dSu6Hiug.mkv") returned=".mkv" [0136.506] lstrlenW (lpString=".mkv") returned 4 [0136.506] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0136.506] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\AD8NbrdA5R-dSu6Hiug.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\ad8nbrda5r-dsu6hiug.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0136.507] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=68739) returned 1 [0136.507] GetProcessHeap () returned 0x4c0000 [0136.507] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x53caf0 [0136.519] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="32") returned 2 [0136.519] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="BB") returned 2 [0136.519] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="B0") returned 2 [0136.519] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="04") returned 2 [0136.519] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="B2") returned 2 [0136.519] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="F6") returned 2 [0136.519] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="BE") returned 2 [0136.519] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="8E") returned 2 [0136.519] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="6B") returned 2 [0136.519] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="C5") returned 2 [0136.519] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="E5") returned 2 [0136.519] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="D1") returned 2 [0136.519] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="8C") returned 2 [0136.519] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="D2") returned 2 [0136.519] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="B9") returned 2 [0136.519] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="EF") returned 2 [0136.519] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="39") returned 2 [0136.519] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="39") returned 2 [0136.519] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="7F") returned 2 [0136.519] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="B3") returned 2 [0136.519] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="2A") returned 2 [0136.519] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="30") returned 2 [0136.519] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="53") returned 2 [0136.519] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="DD") returned 2 [0136.519] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="4F") returned 2 [0136.519] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="C8") returned 2 [0136.520] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="DF") returned 2 [0136.520] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="A5") returned 2 [0136.520] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="62") returned 2 [0136.520] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="D7") returned 2 [0136.520] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="C5") returned 2 [0136.520] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="0D") returned 2 [0136.528] lstrcpyW (in: lpString1=0x54cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\AD8NbrdA5R-dSu6Hiug.mkv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\AD8NbrdA5R-dSu6Hiug.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\AD8NbrdA5R-dSu6Hiug.mkv" [0136.528] lstrcpyW (in: lpString1=0x53cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\AD8NbrdA5R-dSu6Hiug.mkv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\AD8NbrdA5R-dSu6Hiug.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\AD8NbrdA5R-dSu6Hiug.mkv" [0136.528] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\AD8NbrdA5R-dSu6Hiug.mkv", lpString2=".32BBB004B2F6BE8E6BC5E5D18CD2B9EF39397FB32A3053DD4FC8DFA562D7C50D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\AD8NbrdA5R-dSu6Hiug.mkv.32BBB004B2F6BE8E6BC5E5D18CD2B9EF39397FB32A3053DD4FC8DFA562D7C50D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\AD8NbrdA5R-dSu6Hiug.mkv.32BBB004B2F6BE8E6BC5E5D18CD2B9EF39397FB32A3053DD4FC8DFA562D7C50D" [0136.528] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x94, CompletionKey=0x53caf0, NumberOfConcurrentThreads=0x0) returned 0x94 [0136.528] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x53caf0, lpOverlapped=0x53caf0) returned 1 [0136.556] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6a0318e0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0x6a0318e0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xb20126a0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x5fe, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="AdobeARM.log", cAlternateFileName="")) returned 1 [0136.557] lstrcmpiW (lpString1="AdobeARM.log", lpString2="Windows") returned -1 [0136.557] lstrcmpiW (lpString1="AdobeARM.log", lpString2="Program Files") returned -1 [0136.557] lstrcmpiW (lpString1="AdobeARM.log", lpString2="Program Files (x86)") returned -1 [0136.557] lstrcmpiW (lpString1="AdobeARM.log", lpString2="$Recycle.bin") returned 1 [0136.557] lstrcmpiW (lpString1="AdobeARM.log", lpString2="System Volume Information") returned -1 [0136.557] lstrcmpiW (lpString1="AdobeARM.log", lpString2=".") returned 1 [0136.557] lstrcmpiW (lpString1="AdobeARM.log", lpString2="..") returned 1 [0136.557] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\AdobeARM.log") returned 65 [0136.557] lstrcmpW (lpString1="AdobeARM.log", lpString2="PUSSY.TXT") returned -1 [0136.557] PathFindExtensionW (pszPath="AdobeARM.log") returned=".log" [0136.557] lstrlenW (lpString=".log") returned 4 [0136.557] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0136.557] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\AdobeARM.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\adobearm.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0136.565] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=1534) returned 1 [0136.565] GetProcessHeap () returned 0x4c0000 [0136.565] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x53caf0 [0136.573] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="69") returned 2 [0136.573] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="54") returned 2 [0136.573] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="A6") returned 2 [0136.573] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="56") returned 2 [0136.574] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="13") returned 2 [0136.574] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="AD") returned 2 [0136.574] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="1E") returned 2 [0136.574] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="26") returned 2 [0136.574] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="D4") returned 2 [0136.574] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="8A") returned 2 [0136.574] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="3A") returned 2 [0136.574] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="FB") returned 2 [0136.574] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="6C") returned 2 [0136.574] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="3F") returned 2 [0136.574] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="95") returned 2 [0136.574] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="C0") returned 2 [0136.574] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="F7") returned 2 [0136.574] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="B9") returned 2 [0136.574] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="90") returned 2 [0136.574] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="B8") returned 2 [0136.574] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="29") returned 2 [0136.574] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="F6") returned 2 [0136.574] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="71") returned 2 [0136.574] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="82") returned 2 [0136.574] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="81") returned 2 [0136.574] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="F8") returned 2 [0136.574] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="6E") returned 2 [0136.574] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="E3") returned 2 [0136.574] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="82") returned 2 [0136.574] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="18") returned 2 [0136.574] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="31") returned 2 [0136.574] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="3E") returned 2 [0136.583] lstrcpyW (in: lpString1=0x54cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\AdobeARM.log" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\AdobeARM.log") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\AdobeARM.log" [0136.583] lstrcpyW (in: lpString1=0x53cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\AdobeARM.log" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\AdobeARM.log") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\AdobeARM.log" [0136.583] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\AdobeARM.log", lpString2=".6954A65613AD1E26D48A3AFB6C3F95C0F7B990B829F6718281F86EE38218313E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\AdobeARM.log.6954A65613AD1E26D48A3AFB6C3F95C0F7B990B829F6718281F86EE38218313E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\AdobeARM.log.6954A65613AD1E26D48A3AFB6C3F95C0F7B990B829F6718281F86EE38218313E" [0136.583] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x94, CompletionKey=0x53caf0, NumberOfConcurrentThreads=0x0) returned 0x94 [0136.583] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x53caf0, lpOverlapped=0x53caf0) returned 1 [0136.588] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6be9bb00, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0x6be9bb00, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x6be9bb00, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="bst449D.tmp", cAlternateFileName="")) returned 1 [0136.588] lstrcmpiW (lpString1="bst449D.tmp", lpString2="Windows") returned -1 [0136.588] lstrcmpiW (lpString1="bst449D.tmp", lpString2="Program Files") returned -1 [0136.588] lstrcmpiW (lpString1="bst449D.tmp", lpString2="Program Files (x86)") returned -1 [0136.588] lstrcmpiW (lpString1="bst449D.tmp", lpString2="$Recycle.bin") returned 1 [0136.588] lstrcmpiW (lpString1="bst449D.tmp", lpString2="System Volume Information") returned -1 [0136.588] lstrcmpiW (lpString1="bst449D.tmp", lpString2=".") returned 1 [0136.588] lstrcmpiW (lpString1="bst449D.tmp", lpString2="..") returned 1 [0136.589] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\bst449D.tmp") returned 64 [0136.589] lstrcmpW (lpString1="bst449D.tmp", lpString2="PUSSY.TXT") returned -1 [0136.589] PathFindExtensionW (pszPath="bst449D.tmp") returned=".tmp" [0136.589] lstrlenW (lpString=".tmp") returned 4 [0136.589] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0136.589] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\bst449D.tmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\bst449d.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0136.590] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=0) returned 1 [0136.590] CloseHandle (hObject=0x1d0) returned 1 [0136.590] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x53656850, ftCreationTime.dwHighDateTime=0x1d5e16c, ftLastAccessTime.dwLowDateTime=0x47800020, ftLastAccessTime.dwHighDateTime=0x1d5dae3, ftLastWriteTime.dwLowDateTime=0x47800020, ftLastWriteTime.dwHighDateTime=0x1d5dae3, nFileSizeHigh=0x0, nFileSizeLow=0x51f6, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="CeO6ZVJkF_8.m4a", cAlternateFileName="CEO6ZV~1.M4A")) returned 1 [0136.590] lstrcmpiW (lpString1="CeO6ZVJkF_8.m4a", lpString2="Windows") returned -1 [0136.590] lstrcmpiW (lpString1="CeO6ZVJkF_8.m4a", lpString2="Program Files") returned -1 [0136.590] lstrcmpiW (lpString1="CeO6ZVJkF_8.m4a", lpString2="Program Files (x86)") returned -1 [0136.590] lstrcmpiW (lpString1="CeO6ZVJkF_8.m4a", lpString2="$Recycle.bin") returned 1 [0136.590] lstrcmpiW (lpString1="CeO6ZVJkF_8.m4a", lpString2="System Volume Information") returned -1 [0136.590] lstrcmpiW (lpString1="CeO6ZVJkF_8.m4a", lpString2=".") returned 1 [0136.590] lstrcmpiW (lpString1="CeO6ZVJkF_8.m4a", lpString2="..") returned 1 [0136.590] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\CeO6ZVJkF_8.m4a") returned 68 [0136.590] lstrcmpW (lpString1="CeO6ZVJkF_8.m4a", lpString2="PUSSY.TXT") returned -1 [0136.590] PathFindExtensionW (pszPath="CeO6ZVJkF_8.m4a") returned=".m4a" [0136.590] lstrlenW (lpString=".m4a") returned 4 [0136.590] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0136.590] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\CeO6ZVJkF_8.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\ceo6zvjkf_8.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0136.591] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=20982) returned 1 [0136.591] GetProcessHeap () returned 0x4c0000 [0136.591] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x53caf0 [0136.599] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="3D") returned 2 [0136.599] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="71") returned 2 [0136.599] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="9B") returned 2 [0136.599] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="B0") returned 2 [0136.599] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="0A") returned 2 [0136.599] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="33") returned 2 [0136.599] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="C7") returned 2 [0136.599] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="E5") returned 2 [0136.599] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="87") returned 2 [0136.599] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="B0") returned 2 [0136.599] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="96") returned 2 [0136.599] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="E8") returned 2 [0136.599] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="6D") returned 2 [0136.599] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="3A") returned 2 [0136.599] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="C4") returned 2 [0136.599] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="A4") returned 2 [0136.599] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="05") returned 2 [0136.599] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="C0") returned 2 [0136.600] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="5A") returned 2 [0136.600] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="E4") returned 2 [0136.600] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="FB") returned 2 [0136.600] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="99") returned 2 [0136.600] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="8D") returned 2 [0136.600] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="F7") returned 2 [0136.600] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="79") returned 2 [0136.600] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="07") returned 2 [0136.600] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="41") returned 2 [0136.600] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="E6") returned 2 [0136.600] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="C2") returned 2 [0136.600] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="BC") returned 2 [0136.600] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="93") returned 2 [0136.600] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="12") returned 2 [0136.611] lstrcpyW (in: lpString1=0x54cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\CeO6ZVJkF_8.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\CeO6ZVJkF_8.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\CeO6ZVJkF_8.m4a" [0136.611] lstrcpyW (in: lpString1=0x53cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\CeO6ZVJkF_8.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\CeO6ZVJkF_8.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\CeO6ZVJkF_8.m4a" [0136.611] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\CeO6ZVJkF_8.m4a", lpString2=".3D719BB00A33C7E587B096E86D3AC4A405C05AE4FB998DF7790741E6C2BC9312" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\CeO6ZVJkF_8.m4a.3D719BB00A33C7E587B096E86D3AC4A405C05AE4FB998DF7790741E6C2BC9312") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\CeO6ZVJkF_8.m4a.3D719BB00A33C7E587B096E86D3AC4A405C05AE4FB998DF7790741E6C2BC9312" [0136.611] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x94, CompletionKey=0x53caf0, NumberOfConcurrentThreads=0x0) returned 0x94 [0136.611] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x53caf0, lpOverlapped=0x53caf0) returned 1 [0136.643] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97d7f40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97d7f40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97d7f40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Cookies", cAlternateFileName="")) returned 1 [0136.643] lstrcmpiW (lpString1="Cookies", lpString2="Windows") returned -1 [0136.643] lstrcmpiW (lpString1="Cookies", lpString2="Program Files") returned -1 [0136.643] lstrcmpiW (lpString1="Cookies", lpString2="Program Files (x86)") returned -1 [0136.643] lstrcmpiW (lpString1="Cookies", lpString2="$Recycle.bin") returned 1 [0136.643] lstrcmpiW (lpString1="Cookies", lpString2="System Volume Information") returned -1 [0136.643] lstrcmpiW (lpString1="Cookies", lpString2=".") returned 1 [0136.644] lstrcmpiW (lpString1="Cookies", lpString2="..") returned 1 [0136.644] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies") returned 60 [0136.644] GetProcessHeap () returned 0x4c0000 [0136.644] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0136.644] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies" [0136.645] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies\\*" [0136.645] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97d7f40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97d7f40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97d7f40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28c550, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0136.646] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0136.647] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0136.647] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0136.647] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0136.647] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0136.647] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.647] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97d7f40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97d7f40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97d7f40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28c550, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0136.647] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0136.647] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0136.647] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0136.647] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0136.647] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0136.647] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.647] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.647] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xd97d7f40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97d7f40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xed0fc650, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x28c550, dwReserved1=0x77c61b06, cFileName="index.dat", cAlternateFileName="")) returned 1 [0136.647] lstrcmpiW (lpString1="index.dat", lpString2="Windows") returned -1 [0136.647] lstrcmpiW (lpString1="index.dat", lpString2="Program Files") returned -1 [0136.647] lstrcmpiW (lpString1="index.dat", lpString2="Program Files (x86)") returned -1 [0136.647] lstrcmpiW (lpString1="index.dat", lpString2="$Recycle.bin") returned 1 [0136.647] lstrcmpiW (lpString1="index.dat", lpString2="System Volume Information") returned -1 [0136.647] lstrcmpiW (lpString1="index.dat", lpString2=".") returned 1 [0136.647] lstrcmpiW (lpString1="index.dat", lpString2="..") returned 1 [0136.647] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies\\index.dat") returned 70 [0136.647] lstrcmpW (lpString1="index.dat", lpString2="PUSSY.TXT") returned -1 [0136.647] PathFindExtensionW (pszPath="index.dat") returned=".dat" [0136.647] lstrlenW (lpString=".dat") returned 4 [0136.647] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0136.648] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\cookies\\index.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a8 [0136.648] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=16384) returned 1 [0136.648] GetProcessHeap () returned 0x4c0000 [0136.649] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x53caf0 [0136.672] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="A4") returned 2 [0136.672] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="CD") returned 2 [0136.672] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="66") returned 2 [0136.672] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="83") returned 2 [0136.672] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="53") returned 2 [0136.672] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="E8") returned 2 [0136.672] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="20") returned 2 [0136.672] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="4E") returned 2 [0136.672] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="DE") returned 2 [0136.672] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="C0") returned 2 [0136.672] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="87") returned 2 [0136.672] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="7F") returned 2 [0136.672] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="41") returned 2 [0136.672] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="E1") returned 2 [0136.672] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="E1") returned 2 [0136.672] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="92") returned 2 [0136.672] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="0D") returned 2 [0136.672] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="13") returned 2 [0136.672] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="F7") returned 2 [0136.672] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="6F") returned 2 [0136.672] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="16") returned 2 [0136.672] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="14") returned 2 [0136.672] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="D8") returned 2 [0136.672] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="C6") returned 2 [0136.673] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="8F") returned 2 [0136.673] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="3E") returned 2 [0136.673] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="6A") returned 2 [0136.673] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="88") returned 2 [0136.673] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="15") returned 2 [0136.673] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="81") returned 2 [0136.673] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="EB") returned 2 [0136.673] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="03") returned 2 [0136.682] lstrcpyW (in: lpString1=0x54cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies\\index.dat" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies\\index.dat") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies\\index.dat" [0136.682] lstrcpyW (in: lpString1=0x53cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies\\index.dat" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies\\index.dat") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies\\index.dat" [0136.682] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies\\index.dat", lpString2=".A4CD668353E8204EDEC0877F41E1E1920D13F76F1614D8C68F3E6A881581EB03" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies\\index.dat.A4CD668353E8204EDEC0877F41E1E1920D13F76F1614D8C68F3E6A881581EB03") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies\\index.dat.A4CD668353E8204EDEC0877F41E1E1920D13F76F1614D8C68F3E6A881581EB03" [0136.682] CreateIoCompletionPort (FileHandle=0x1a8, ExistingCompletionPort=0x94, CompletionKey=0x53caf0, NumberOfConcurrentThreads=0x0) returned 0x94 [0136.682] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x53caf0, lpOverlapped=0x53caf0) returned 1 [0136.682] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xd97d7f40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97d7f40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xed0fc650, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x28c550, dwReserved1=0x77c61b06, cFileName="index.dat", cAlternateFileName="")) returned 0 [0136.682] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0136.683] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies\\PUSSY.TXT") returned 70 [0136.683] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\cookies\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0136.684] lstrlenA (lpString="abcd") returned 4 [0136.684] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0136.685] CloseHandle (hObject=0x1d0) returned 1 [0136.685] GetProcessHeap () returned 0x4c0000 [0136.685] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0136.688] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe0ce1bb0, ftCreationTime.dwHighDateTime=0x1d5e478, ftLastAccessTime.dwLowDateTime=0x510760a0, ftLastAccessTime.dwHighDateTime=0x1d5e3c8, ftLastWriteTime.dwLowDateTime=0x510760a0, ftLastWriteTime.dwHighDateTime=0x1d5e3c8, nFileSizeHigh=0x0, nFileSizeLow=0x313b, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="CVc6v1RP3r.bmp", cAlternateFileName="CVC6V1~1.BMP")) returned 1 [0136.688] lstrcmpiW (lpString1="CVc6v1RP3r.bmp", lpString2="Windows") returned -1 [0136.688] lstrcmpiW (lpString1="CVc6v1RP3r.bmp", lpString2="Program Files") returned -1 [0136.688] lstrcmpiW (lpString1="CVc6v1RP3r.bmp", lpString2="Program Files (x86)") returned -1 [0136.688] lstrcmpiW (lpString1="CVc6v1RP3r.bmp", lpString2="$Recycle.bin") returned 1 [0136.688] lstrcmpiW (lpString1="CVc6v1RP3r.bmp", lpString2="System Volume Information") returned -1 [0136.688] lstrcmpiW (lpString1="CVc6v1RP3r.bmp", lpString2=".") returned 1 [0136.688] lstrcmpiW (lpString1="CVc6v1RP3r.bmp", lpString2="..") returned 1 [0136.688] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\CVc6v1RP3r.bmp") returned 67 [0136.688] lstrcmpW (lpString1="CVc6v1RP3r.bmp", lpString2="PUSSY.TXT") returned -1 [0136.688] PathFindExtensionW (pszPath="CVc6v1RP3r.bmp") returned=".bmp" [0136.688] lstrlenW (lpString=".bmp") returned 4 [0136.689] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0136.689] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\CVc6v1RP3r.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\cvc6v1rp3r.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0136.690] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=12603) returned 1 [0136.690] GetProcessHeap () returned 0x4c0000 [0136.690] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc80e0 [0136.700] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="52") returned 2 [0136.700] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="22") returned 2 [0136.700] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="93") returned 2 [0136.700] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="84") returned 2 [0136.700] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="7F") returned 2 [0136.700] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="99") returned 2 [0136.700] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="58") returned 2 [0136.700] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="42") returned 2 [0136.700] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="7F") returned 2 [0136.700] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="F5") returned 2 [0136.700] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="91") returned 2 [0136.700] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="E0") returned 2 [0136.700] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="5C") returned 2 [0136.700] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="3B") returned 2 [0136.701] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="EA") returned 2 [0136.701] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="82") returned 2 [0136.701] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="BD") returned 2 [0136.701] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="F1") returned 2 [0136.701] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="C0") returned 2 [0136.701] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="22") returned 2 [0136.701] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="E1") returned 2 [0136.701] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="D5") returned 2 [0136.701] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="F8") returned 2 [0136.701] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="C8") returned 2 [0136.701] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="65") returned 2 [0136.701] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="93") returned 2 [0136.701] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="CE") returned 2 [0136.701] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="0B") returned 2 [0136.701] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="82") returned 2 [0136.701] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="43") returned 2 [0136.701] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="2F") returned 2 [0136.701] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="3D") returned 2 [0136.709] lstrcpyW (in: lpString1=0x3bd8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\CVc6v1RP3r.bmp" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\CVc6v1RP3r.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\CVc6v1RP3r.bmp" [0136.709] lstrcpyW (in: lpString1=0x3bc8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\CVc6v1RP3r.bmp" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\CVc6v1RP3r.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\CVc6v1RP3r.bmp" [0136.709] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\CVc6v1RP3r.bmp", lpString2=".522293847F9958427FF591E05C3BEA82BDF1C022E1D5F8C86593CE0B82432F3D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\CVc6v1RP3r.bmp.522293847F9958427FF591E05C3BEA82BDF1C022E1D5F8C86593CE0B82432F3D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\CVc6v1RP3r.bmp.522293847F9958427FF591E05C3BEA82BDF1C022E1D5F8C86593CE0B82432F3D" [0136.709] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x94, CompletionKey=0x3bc80e0, NumberOfConcurrentThreads=0x0) returned 0x94 [0136.709] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc80e0, lpOverlapped=0x3bc80e0) returned 1 [0136.735] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7cdad8e0, ftCreationTime.dwHighDateTime=0x1d5e488, ftLastAccessTime.dwLowDateTime=0xcbccd440, ftLastAccessTime.dwHighDateTime=0x1d5dd48, ftLastWriteTime.dwLowDateTime=0xcbccd440, ftLastWriteTime.dwHighDateTime=0x1d5dd48, nFileSizeHigh=0x0, nFileSizeLow=0x1d8e, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="DeEi61KghvciKoee4O.wav", cAlternateFileName="DEEI61~1.WAV")) returned 1 [0136.735] lstrcmpiW (lpString1="DeEi61KghvciKoee4O.wav", lpString2="Windows") returned -1 [0136.736] lstrcmpiW (lpString1="DeEi61KghvciKoee4O.wav", lpString2="Program Files") returned -1 [0136.736] lstrcmpiW (lpString1="DeEi61KghvciKoee4O.wav", lpString2="Program Files (x86)") returned -1 [0136.736] lstrcmpiW (lpString1="DeEi61KghvciKoee4O.wav", lpString2="$Recycle.bin") returned 1 [0136.736] lstrcmpiW (lpString1="DeEi61KghvciKoee4O.wav", lpString2="System Volume Information") returned -1 [0136.736] lstrcmpiW (lpString1="DeEi61KghvciKoee4O.wav", lpString2=".") returned 1 [0136.736] lstrcmpiW (lpString1="DeEi61KghvciKoee4O.wav", lpString2="..") returned 1 [0136.736] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\DeEi61KghvciKoee4O.wav") returned 75 [0136.736] lstrcmpW (lpString1="DeEi61KghvciKoee4O.wav", lpString2="PUSSY.TXT") returned -1 [0136.736] PathFindExtensionW (pszPath="DeEi61KghvciKoee4O.wav") returned=".wav" [0136.736] lstrlenW (lpString=".wav") returned 4 [0136.736] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0136.736] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\DeEi61KghvciKoee4O.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\deei61kghvcikoee4o.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0136.737] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=7566) returned 1 [0136.737] GetProcessHeap () returned 0x4c0000 [0136.737] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc80e0 [0136.745] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="BF") returned 2 [0136.745] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="58") returned 2 [0136.745] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="1C") returned 2 [0136.745] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="7F") returned 2 [0136.745] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="23") returned 2 [0136.745] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="E9") returned 2 [0136.745] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="27") returned 2 [0136.745] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="3F") returned 2 [0136.745] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="0C") returned 2 [0136.745] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="56") returned 2 [0136.745] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="C4") returned 2 [0136.745] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="29") returned 2 [0136.745] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="2D") returned 2 [0136.745] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="0C") returned 2 [0136.745] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="86") returned 2 [0136.745] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="6B") returned 2 [0136.745] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="2F") returned 2 [0136.745] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="EA") returned 2 [0136.745] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="1D") returned 2 [0136.746] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="72") returned 2 [0136.746] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="C3") returned 2 [0136.746] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="7D") returned 2 [0136.746] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="50") returned 2 [0136.746] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="51") returned 2 [0136.746] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="3C") returned 2 [0136.746] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="2D") returned 2 [0136.746] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="33") returned 2 [0136.746] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="02") returned 2 [0136.746] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="E8") returned 2 [0136.746] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="91") returned 2 [0136.746] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="F3") returned 2 [0136.746] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="52") returned 2 [0136.754] lstrcpyW (in: lpString1=0x3bd8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\DeEi61KghvciKoee4O.wav" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\DeEi61KghvciKoee4O.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\DeEi61KghvciKoee4O.wav" [0136.754] lstrcpyW (in: lpString1=0x3bc8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\DeEi61KghvciKoee4O.wav" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\DeEi61KghvciKoee4O.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\DeEi61KghvciKoee4O.wav" [0136.754] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\DeEi61KghvciKoee4O.wav", lpString2=".BF581C7F23E9273F0C56C4292D0C866B2FEA1D72C37D50513C2D3302E891F352" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\DeEi61KghvciKoee4O.wav.BF581C7F23E9273F0C56C4292D0C866B2FEA1D72C37D50513C2D3302E891F352") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\DeEi61KghvciKoee4O.wav.BF581C7F23E9273F0C56C4292D0C866B2FEA1D72C37D50513C2D3302E891F352" [0136.754] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x94, CompletionKey=0x3bc80e0, NumberOfConcurrentThreads=0x0) returned 0x94 [0136.754] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc80e0, lpOverlapped=0x3bc80e0) returned 1 [0136.764] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x28dbdd20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x33d9ad10, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x33d9ad10, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="FXSAPIDebugLogFile.txt", cAlternateFileName="FXSAPI~1.TXT")) returned 1 [0136.764] lstrcmpiW (lpString1="FXSAPIDebugLogFile.txt", lpString2="Windows") returned -1 [0136.764] lstrcmpiW (lpString1="FXSAPIDebugLogFile.txt", lpString2="Program Files") returned -1 [0136.764] lstrcmpiW (lpString1="FXSAPIDebugLogFile.txt", lpString2="Program Files (x86)") returned -1 [0136.765] lstrcmpiW (lpString1="FXSAPIDebugLogFile.txt", lpString2="$Recycle.bin") returned 1 [0136.765] lstrcmpiW (lpString1="FXSAPIDebugLogFile.txt", lpString2="System Volume Information") returned -1 [0136.765] lstrcmpiW (lpString1="FXSAPIDebugLogFile.txt", lpString2=".") returned 1 [0136.765] lstrcmpiW (lpString1="FXSAPIDebugLogFile.txt", lpString2="..") returned 1 [0136.765] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.txt") returned 75 [0136.765] lstrcmpW (lpString1="FXSAPIDebugLogFile.txt", lpString2="PUSSY.TXT") returned -1 [0136.765] PathFindExtensionW (pszPath="FXSAPIDebugLogFile.txt") returned=".txt" [0136.765] lstrlenW (lpString=".txt") returned 4 [0136.765] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0136.765] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\fxsapidebuglogfile.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0136.765] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf0595b60, ftCreationTime.dwHighDateTime=0x1d5dc50, ftLastAccessTime.dwLowDateTime=0x2353d030, ftLastAccessTime.dwHighDateTime=0x1d5de46, ftLastWriteTime.dwLowDateTime=0x2353d030, ftLastWriteTime.dwHighDateTime=0x1d5de46, nFileSizeHigh=0x0, nFileSizeLow=0x9f24, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="gz_kT.wav", cAlternateFileName="")) returned 1 [0136.765] lstrcmpiW (lpString1="gz_kT.wav", lpString2="Windows") returned -1 [0136.765] lstrcmpiW (lpString1="gz_kT.wav", lpString2="Program Files") returned -1 [0136.765] lstrcmpiW (lpString1="gz_kT.wav", lpString2="Program Files (x86)") returned -1 [0136.765] lstrcmpiW (lpString1="gz_kT.wav", lpString2="$Recycle.bin") returned 1 [0136.765] lstrcmpiW (lpString1="gz_kT.wav", lpString2="System Volume Information") returned -1 [0136.765] lstrcmpiW (lpString1="gz_kT.wav", lpString2=".") returned 1 [0136.765] lstrcmpiW (lpString1="gz_kT.wav", lpString2="..") returned 1 [0136.765] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\gz_kT.wav") returned 62 [0136.765] lstrcmpW (lpString1="gz_kT.wav", lpString2="PUSSY.TXT") returned -1 [0136.766] PathFindExtensionW (pszPath="gz_kT.wav") returned=".wav" [0136.766] lstrlenW (lpString=".wav") returned 4 [0136.766] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0136.766] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\gz_kT.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\gz_kt.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0136.766] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=40740) returned 1 [0136.766] GetProcessHeap () returned 0x4c0000 [0136.766] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc80e0 [0136.775] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="BB") returned 2 [0136.775] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="C8") returned 2 [0136.775] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="95") returned 2 [0136.775] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="C8") returned 2 [0136.775] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="56") returned 2 [0136.775] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="3A") returned 2 [0136.775] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="DD") returned 2 [0136.775] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="17") returned 2 [0136.775] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="F7") returned 2 [0136.775] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="BE") returned 2 [0136.775] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="26") returned 2 [0136.775] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="74") returned 2 [0136.775] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="99") returned 2 [0136.775] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="5E") returned 2 [0136.775] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="93") returned 2 [0136.775] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="17") returned 2 [0136.776] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="07") returned 2 [0136.776] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="0B") returned 2 [0136.776] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="43") returned 2 [0136.776] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="E3") returned 2 [0136.776] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="78") returned 2 [0136.776] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="AC") returned 2 [0136.776] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="FE") returned 2 [0136.776] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="79") returned 2 [0136.776] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="51") returned 2 [0136.776] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="AD") returned 2 [0136.776] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="F8") returned 2 [0136.776] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="BB") returned 2 [0136.776] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="3E") returned 2 [0136.776] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="74") returned 2 [0136.776] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="B4") returned 2 [0136.776] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="52") returned 2 [0136.784] lstrcpyW (in: lpString1=0x3bd8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\gz_kT.wav" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\gz_kT.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\gz_kT.wav" [0136.784] lstrcpyW (in: lpString1=0x3bc8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\gz_kT.wav" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\gz_kT.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\gz_kT.wav" [0136.784] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\gz_kT.wav", lpString2=".BBC895C8563ADD17F7BE2674995E9317070B43E378ACFE7951ADF8BB3E74B452" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\gz_kT.wav.BBC895C8563ADD17F7BE2674995E9317070B43E378ACFE7951ADF8BB3E74B452") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\gz_kT.wav.BBC895C8563ADD17F7BE2674995E9317070B43E378ACFE7951ADF8BB3E74B452" [0136.784] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x94, CompletionKey=0x3bc80e0, NumberOfConcurrentThreads=0x0) returned 0x94 [0136.784] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc80e0, lpOverlapped=0x3bc80e0) returned 1 [0136.840] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97fe0a0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97fe0a0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97fe0a0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="History", cAlternateFileName="")) returned 1 [0136.840] lstrcmpiW (lpString1="History", lpString2="Windows") returned -1 [0136.840] lstrcmpiW (lpString1="History", lpString2="Program Files") returned -1 [0136.840] lstrcmpiW (lpString1="History", lpString2="Program Files (x86)") returned -1 [0136.840] lstrcmpiW (lpString1="History", lpString2="$Recycle.bin") returned 1 [0136.841] lstrcmpiW (lpString1="History", lpString2="System Volume Information") returned -1 [0136.841] lstrcmpiW (lpString1="History", lpString2=".") returned 1 [0136.841] lstrcmpiW (lpString1="History", lpString2="..") returned 1 [0136.841] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History") returned 60 [0136.841] GetProcessHeap () returned 0x4c0000 [0136.841] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0136.842] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History" [0136.842] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\*" [0136.842] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97fe0a0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97fe0a0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97fe0a0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28c550, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0136.843] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0136.843] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0136.843] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0136.843] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0136.843] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0136.843] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.843] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97fe0a0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97fe0a0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97fe0a0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28c550, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0136.843] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0136.843] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0136.843] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0136.843] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0136.843] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0136.843] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.843] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.843] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97fe0a0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97fe0a0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97fe0a0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28c550, dwReserved1=0x77c61b06, cFileName="History.IE5", cAlternateFileName="")) returned 1 [0136.843] lstrcmpiW (lpString1="History.IE5", lpString2="Windows") returned -1 [0136.844] lstrcmpiW (lpString1="History.IE5", lpString2="Program Files") returned -1 [0136.844] lstrcmpiW (lpString1="History.IE5", lpString2="Program Files (x86)") returned -1 [0136.844] lstrcmpiW (lpString1="History.IE5", lpString2="$Recycle.bin") returned 1 [0136.844] lstrcmpiW (lpString1="History.IE5", lpString2="System Volume Information") returned -1 [0136.844] lstrcmpiW (lpString1="History.IE5", lpString2=".") returned 1 [0136.844] lstrcmpiW (lpString1="History.IE5", lpString2="..") returned 1 [0136.844] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5") returned 72 [0136.844] GetProcessHeap () returned 0x4c0000 [0136.844] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0136.844] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5" [0136.844] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\*" [0136.844] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97fe0a0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97fe0a0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97fe0a0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0136.845] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0136.845] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0136.845] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0136.845] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0136.845] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0136.845] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0136.845] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97fe0a0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97fe0a0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97fe0a0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0136.845] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0136.845] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0136.845] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0136.845] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0136.845] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0136.845] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0136.845] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0136.845] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0xd97fe0a0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97fe0a0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd9824200, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x91, dwReserved0=0x3bf1228, dwReserved1=0xfe000000, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0136.845] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0136.845] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0136.845] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0136.845] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0136.845] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0136.845] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0136.845] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0136.845] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\desktop.ini") returned 84 [0136.845] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0136.845] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0136.845] lstrlenW (lpString=".ini") returned 4 [0136.845] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0136.846] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\history\\history.ie5\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d4 [0136.846] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=145) returned 1 [0136.846] CloseHandle (hObject=0x1d4) returned 1 [0136.846] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xd97fe0a0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97fe0a0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xed0fc650, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x3bf1228, dwReserved1=0xfe000000, cFileName="index.dat", cAlternateFileName="")) returned 1 [0136.846] lstrcmpiW (lpString1="index.dat", lpString2="Windows") returned -1 [0136.846] lstrcmpiW (lpString1="index.dat", lpString2="Program Files") returned -1 [0136.846] lstrcmpiW (lpString1="index.dat", lpString2="Program Files (x86)") returned -1 [0136.847] lstrcmpiW (lpString1="index.dat", lpString2="$Recycle.bin") returned 1 [0136.847] lstrcmpiW (lpString1="index.dat", lpString2="System Volume Information") returned -1 [0136.847] lstrcmpiW (lpString1="index.dat", lpString2=".") returned 1 [0136.847] lstrcmpiW (lpString1="index.dat", lpString2="..") returned 1 [0136.847] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\index.dat") returned 82 [0136.847] lstrcmpW (lpString1="index.dat", lpString2="PUSSY.TXT") returned -1 [0136.847] PathFindExtensionW (pszPath="index.dat") returned=".dat" [0136.847] lstrlenW (lpString=".dat") returned 4 [0136.847] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0136.847] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\history\\history.ie5\\index.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d4 [0136.847] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=16384) returned 1 [0136.847] GetProcessHeap () returned 0x4c0000 [0136.847] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc80e0 [0136.858] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="9B") returned 2 [0136.858] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="9F") returned 2 [0136.858] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="CF") returned 2 [0136.858] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="B1") returned 2 [0136.858] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="EF") returned 2 [0136.858] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="44") returned 2 [0136.858] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="49") returned 2 [0136.858] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="AF") returned 2 [0136.858] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="22") returned 2 [0136.858] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="1B") returned 2 [0136.858] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="A9") returned 2 [0136.858] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="59") returned 2 [0136.858] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="50") returned 2 [0136.858] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="27") returned 2 [0136.858] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="3D") returned 2 [0136.859] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="50") returned 2 [0136.859] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="3F") returned 2 [0136.859] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="0D") returned 2 [0136.859] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="68") returned 2 [0136.859] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="3B") returned 2 [0136.859] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="AC") returned 2 [0136.859] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="8C") returned 2 [0136.859] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="C1") returned 2 [0136.859] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="01") returned 2 [0136.859] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="EC") returned 2 [0136.859] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="AD") returned 2 [0136.859] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="D6") returned 2 [0136.859] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="4A") returned 2 [0136.859] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="AE") returned 2 [0136.859] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="AE") returned 2 [0136.859] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="C0") returned 2 [0136.859] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="31") returned 2 [0136.868] lstrcpyW (in: lpString1=0x3bd8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\index.dat" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\index.dat") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\index.dat" [0136.868] lstrcpyW (in: lpString1=0x3bc8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\index.dat" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\index.dat") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\index.dat" [0136.868] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\index.dat", lpString2=".9B9FCFB1EF4449AF221BA95950273D503F0D683BAC8CC101ECADD64AAEAEC031" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\index.dat.9B9FCFB1EF4449AF221BA95950273D503F0D683BAC8CC101ECADD64AAEAEC031") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\index.dat.9B9FCFB1EF4449AF221BA95950273D503F0D683BAC8CC101ECADD64AAEAEC031" [0136.868] CreateIoCompletionPort (FileHandle=0x1d4, ExistingCompletionPort=0x94, CompletionKey=0x3bc80e0, NumberOfConcurrentThreads=0x0) returned 0x94 [0136.868] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc80e0, lpOverlapped=0x3bc80e0) returned 1 [0136.868] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xd97fe0a0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97fe0a0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xed0fc650, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x3bf1228, dwReserved1=0xfe000000, cFileName="index.dat", cAlternateFileName="")) returned 0 [0136.868] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0136.869] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\PUSSY.TXT") returned 82 [0136.869] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\history\\history.ie5\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0136.869] lstrlenA (lpString="abcd") returned 4 [0136.870] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0136.870] CloseHandle (hObject=0x18c) returned 1 [0136.870] GetProcessHeap () returned 0x4c0000 [0136.871] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0136.871] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97fe0a0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97fe0a0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97fe0a0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28c550, dwReserved1=0x77c61b06, cFileName="History.IE5", cAlternateFileName="")) returned 0 [0136.871] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0136.871] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\PUSSY.TXT") returned 70 [0136.871] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\history\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0136.871] lstrlenA (lpString="abcd") returned 4 [0136.871] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0136.872] CloseHandle (hObject=0x1d0) returned 1 [0136.872] GetProcessHeap () returned 0x4c0000 [0136.872] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0136.872] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf31cb340, ftCreationTime.dwHighDateTime=0x1d5e2b5, ftLastAccessTime.dwLowDateTime=0x22168e60, ftLastAccessTime.dwHighDateTime=0x1d5e6cf, ftLastWriteTime.dwLowDateTime=0x22168e60, ftLastWriteTime.dwHighDateTime=0x1d5e6cf, nFileSizeHigh=0x0, nFileSizeLow=0x53b9, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="hPnY-.flv", cAlternateFileName="")) returned 1 [0136.873] lstrcmpiW (lpString1="hPnY-.flv", lpString2="Windows") returned -1 [0136.873] lstrcmpiW (lpString1="hPnY-.flv", lpString2="Program Files") returned -1 [0136.873] lstrcmpiW (lpString1="hPnY-.flv", lpString2="Program Files (x86)") returned -1 [0136.873] lstrcmpiW (lpString1="hPnY-.flv", lpString2="$Recycle.bin") returned 1 [0136.873] lstrcmpiW (lpString1="hPnY-.flv", lpString2="System Volume Information") returned -1 [0136.873] lstrcmpiW (lpString1="hPnY-.flv", lpString2=".") returned 1 [0136.873] lstrcmpiW (lpString1="hPnY-.flv", lpString2="..") returned 1 [0136.873] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\hPnY-.flv") returned 62 [0136.873] lstrcmpW (lpString1="hPnY-.flv", lpString2="PUSSY.TXT") returned -1 [0136.873] PathFindExtensionW (pszPath="hPnY-.flv") returned=".flv" [0136.873] lstrlenW (lpString=".flv") returned 4 [0136.873] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0136.873] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\hPnY-.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\hpny-.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0136.874] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=21433) returned 1 [0136.874] GetProcessHeap () returned 0x4c0000 [0136.874] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0136.885] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="23") returned 2 [0136.885] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="16") returned 2 [0136.885] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="1E") returned 2 [0136.885] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="BD") returned 2 [0136.885] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="5B") returned 2 [0136.885] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="BB") returned 2 [0136.885] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="A6") returned 2 [0136.885] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="BC") returned 2 [0136.885] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="70") returned 2 [0136.885] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="44") returned 2 [0136.885] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="A1") returned 2 [0136.885] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="69") returned 2 [0136.885] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="A8") returned 2 [0136.885] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="8A") returned 2 [0136.885] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="BC") returned 2 [0136.885] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="61") returned 2 [0136.885] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="A3") returned 2 [0136.885] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="04") returned 2 [0136.885] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="06") returned 2 [0136.886] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="6E") returned 2 [0136.886] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="B9") returned 2 [0136.886] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="CC") returned 2 [0136.886] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="3A") returned 2 [0136.886] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="C5") returned 2 [0136.886] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="BF") returned 2 [0136.886] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="83") returned 2 [0136.886] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="39") returned 2 [0136.886] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="F6") returned 2 [0136.886] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="28") returned 2 [0136.886] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="F5") returned 2 [0136.886] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="35") returned 2 [0136.886] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="2E") returned 2 [0136.894] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\hPnY-.flv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\hPnY-.flv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\hPnY-.flv" [0136.894] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\hPnY-.flv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\hPnY-.flv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\hPnY-.flv" [0136.894] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\hPnY-.flv", lpString2=".23161EBD5BBBA6BC7044A169A88ABC61A304066EB9CC3AC5BF8339F628F5352E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\hPnY-.flv.23161EBD5BBBA6BC7044A169A88ABC61A304066EB9CC3AC5BF8339F628F5352E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\hPnY-.flv.23161EBD5BBBA6BC7044A169A88ABC61A304066EB9CC3AC5BF8339F628F5352E" [0136.894] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0136.894] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0136.916] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6d792d20, ftCreationTime.dwHighDateTime=0x1d5e2df, ftLastAccessTime.dwLowDateTime=0x2deba5c0, ftLastAccessTime.dwHighDateTime=0x1d5e019, ftLastWriteTime.dwLowDateTime=0x2deba5c0, ftLastWriteTime.dwHighDateTime=0x1d5e019, nFileSizeHigh=0x0, nFileSizeLow=0xe9d0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="j48UIqdP.xls", cAlternateFileName="")) returned 1 [0136.916] lstrcmpiW (lpString1="j48UIqdP.xls", lpString2="Windows") returned -1 [0136.916] lstrcmpiW (lpString1="j48UIqdP.xls", lpString2="Program Files") returned -1 [0136.916] lstrcmpiW (lpString1="j48UIqdP.xls", lpString2="Program Files (x86)") returned -1 [0136.916] lstrcmpiW (lpString1="j48UIqdP.xls", lpString2="$Recycle.bin") returned 1 [0136.916] lstrcmpiW (lpString1="j48UIqdP.xls", lpString2="System Volume Information") returned -1 [0136.916] lstrcmpiW (lpString1="j48UIqdP.xls", lpString2=".") returned 1 [0136.916] lstrcmpiW (lpString1="j48UIqdP.xls", lpString2="..") returned 1 [0136.916] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\j48UIqdP.xls") returned 65 [0136.916] lstrcmpW (lpString1="j48UIqdP.xls", lpString2="PUSSY.TXT") returned -1 [0136.916] PathFindExtensionW (pszPath="j48UIqdP.xls") returned=".xls" [0136.916] lstrlenW (lpString=".xls") returned 4 [0136.916] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0136.916] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\j48UIqdP.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\j48uiqdp.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0136.917] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=59856) returned 1 [0136.917] GetProcessHeap () returned 0x4c0000 [0136.917] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0136.928] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="35") returned 2 [0136.928] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="B9") returned 2 [0136.928] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="E9") returned 2 [0136.928] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="BE") returned 2 [0136.928] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="24") returned 2 [0136.928] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="69") returned 2 [0136.928] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="9D") returned 2 [0136.928] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="B5") returned 2 [0136.928] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="D8") returned 2 [0136.928] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="CF") returned 2 [0136.928] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="15") returned 2 [0136.928] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="C1") returned 2 [0136.928] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="50") returned 2 [0136.928] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="39") returned 2 [0136.928] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="ED") returned 2 [0136.928] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="3E") returned 2 [0136.928] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="0B") returned 2 [0136.928] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="BF") returned 2 [0136.928] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="65") returned 2 [0136.928] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="DD") returned 2 [0136.928] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="2E") returned 2 [0136.928] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="0F") returned 2 [0136.928] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="7B") returned 2 [0136.928] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="54") returned 2 [0136.929] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="0B") returned 2 [0136.929] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="36") returned 2 [0136.929] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="3D") returned 2 [0136.929] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="32") returned 2 [0136.929] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="FE") returned 2 [0136.929] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="EB") returned 2 [0136.929] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="61") returned 2 [0136.929] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="61") returned 2 [0136.937] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\j48UIqdP.xls" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\j48UIqdP.xls") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\j48UIqdP.xls" [0136.937] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\j48UIqdP.xls" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\j48UIqdP.xls") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\j48UIqdP.xls" [0136.937] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\j48UIqdP.xls", lpString2=".35B9E9BE24699DB5D8CF15C15039ED3E0BBF65DD2E0F7B540B363D32FEEB6161" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\j48UIqdP.xls.35B9E9BE24699DB5D8CF15C15039ED3E0BBF65DD2E0F7B540B363D32FEEB6161") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\j48UIqdP.xls.35B9E9BE24699DB5D8CF15C15039ED3E0BBF65DD2E0F7B540B363D32FEEB6161" [0136.937] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0136.937] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0136.965] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9da17300, ftCreationTime.dwHighDateTime=0x1d5e14e, ftLastAccessTime.dwLowDateTime=0xebb69f10, ftLastAccessTime.dwHighDateTime=0x1d5d8b2, ftLastWriteTime.dwLowDateTime=0xebb69f10, ftLastWriteTime.dwHighDateTime=0x1d5d8b2, nFileSizeHigh=0x0, nFileSizeLow=0x5e29, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="JBSxAwEacZEO- 7_.ods", cAlternateFileName="JBSXAW~1.ODS")) returned 1 [0136.965] lstrcmpiW (lpString1="JBSxAwEacZEO- 7_.ods", lpString2="Windows") returned -1 [0136.965] lstrcmpiW (lpString1="JBSxAwEacZEO- 7_.ods", lpString2="Program Files") returned -1 [0136.965] lstrcmpiW (lpString1="JBSxAwEacZEO- 7_.ods", lpString2="Program Files (x86)") returned -1 [0136.965] lstrcmpiW (lpString1="JBSxAwEacZEO- 7_.ods", lpString2="$Recycle.bin") returned 1 [0136.965] lstrcmpiW (lpString1="JBSxAwEacZEO- 7_.ods", lpString2="System Volume Information") returned -1 [0136.965] lstrcmpiW (lpString1="JBSxAwEacZEO- 7_.ods", lpString2=".") returned 1 [0136.965] lstrcmpiW (lpString1="JBSxAwEacZEO- 7_.ods", lpString2="..") returned 1 [0136.965] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\JBSxAwEacZEO- 7_.ods") returned 73 [0136.965] lstrcmpW (lpString1="JBSxAwEacZEO- 7_.ods", lpString2="PUSSY.TXT") returned -1 [0136.965] PathFindExtensionW (pszPath="JBSxAwEacZEO- 7_.ods") returned=".ods" [0136.965] lstrlenW (lpString=".ods") returned 4 [0136.965] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0136.965] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\JBSxAwEacZEO- 7_.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\jbsxaweaczeo- 7_.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0136.966] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=24105) returned 1 [0136.966] GetProcessHeap () returned 0x4c0000 [0136.966] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c28098 [0136.975] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="57") returned 2 [0136.975] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="18") returned 2 [0136.975] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="51") returned 2 [0136.975] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="FD") returned 2 [0136.976] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="2D") returned 2 [0136.976] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="60") returned 2 [0136.976] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="1E") returned 2 [0136.976] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="3E") returned 2 [0136.976] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="C9") returned 2 [0136.976] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="E5") returned 2 [0136.976] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="F5") returned 2 [0136.976] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="EC") returned 2 [0136.976] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="33") returned 2 [0136.976] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="9D") returned 2 [0136.976] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="9A") returned 2 [0136.976] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="64") returned 2 [0136.976] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="F5") returned 2 [0136.976] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="EA") returned 2 [0136.976] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="82") returned 2 [0136.976] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="83") returned 2 [0136.976] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="A2") returned 2 [0136.976] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="41") returned 2 [0136.976] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="61") returned 2 [0136.976] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="0C") returned 2 [0136.976] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="9E") returned 2 [0136.976] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="BE") returned 2 [0136.976] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="01") returned 2 [0136.976] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="EB") returned 2 [0136.976] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="84") returned 2 [0136.976] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="4C") returned 2 [0136.976] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="2D") returned 2 [0136.976] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="77") returned 2 [0136.985] lstrcpyW (in: lpString1=0x3c380cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\JBSxAwEacZEO- 7_.ods" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\JBSxAwEacZEO- 7_.ods") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\JBSxAwEacZEO- 7_.ods" [0136.985] lstrcpyW (in: lpString1=0x3c280cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\JBSxAwEacZEO- 7_.ods" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\JBSxAwEacZEO- 7_.ods") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\JBSxAwEacZEO- 7_.ods" [0136.985] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\JBSxAwEacZEO- 7_.ods", lpString2=".571851FD2D601E3EC9E5F5EC339D9A64F5EA8283A241610C9EBE01EB844C2D77" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\JBSxAwEacZEO- 7_.ods.571851FD2D601E3EC9E5F5EC339D9A64F5EA8283A241610C9EBE01EB844C2D77") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\JBSxAwEacZEO- 7_.ods.571851FD2D601E3EC9E5F5EC339D9A64F5EA8283A241610C9EBE01EB844C2D77" [0136.985] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0x94, CompletionKey=0x3c28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0136.985] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c28098, lpOverlapped=0x3c28098) returned 1 [0137.020] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc08f71f0, ftCreationTime.dwHighDateTime=0x1d5e6d0, ftLastAccessTime.dwLowDateTime=0x30cccf90, ftLastAccessTime.dwHighDateTime=0x1d5e3f1, ftLastWriteTime.dwLowDateTime=0x30cccf90, ftLastWriteTime.dwHighDateTime=0x1d5e3f1, nFileSizeHigh=0x0, nFileSizeLow=0xcdaa, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="KxRTMsLzTS0-9.gif", cAlternateFileName="KXRTMS~1.GIF")) returned 1 [0137.020] lstrcmpiW (lpString1="KxRTMsLzTS0-9.gif", lpString2="Windows") returned -1 [0137.020] lstrcmpiW (lpString1="KxRTMsLzTS0-9.gif", lpString2="Program Files") returned -1 [0137.020] lstrcmpiW (lpString1="KxRTMsLzTS0-9.gif", lpString2="Program Files (x86)") returned -1 [0137.020] lstrcmpiW (lpString1="KxRTMsLzTS0-9.gif", lpString2="$Recycle.bin") returned 1 [0137.020] lstrcmpiW (lpString1="KxRTMsLzTS0-9.gif", lpString2="System Volume Information") returned -1 [0137.020] lstrcmpiW (lpString1="KxRTMsLzTS0-9.gif", lpString2=".") returned 1 [0137.020] lstrcmpiW (lpString1="KxRTMsLzTS0-9.gif", lpString2="..") returned 1 [0137.020] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\KxRTMsLzTS0-9.gif") returned 70 [0137.020] lstrcmpW (lpString1="KxRTMsLzTS0-9.gif", lpString2="PUSSY.TXT") returned -1 [0137.020] PathFindExtensionW (pszPath="KxRTMsLzTS0-9.gif") returned=".gif" [0137.020] lstrlenW (lpString=".gif") returned 4 [0137.020] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0137.020] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\KxRTMsLzTS0-9.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\kxrtmslzts0-9.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a8 [0137.021] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=52650) returned 1 [0137.021] GetProcessHeap () returned 0x4c0000 [0137.021] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b380a0 [0137.032] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="43") returned 2 [0137.032] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="1C") returned 2 [0137.032] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="F8") returned 2 [0137.032] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="9B") returned 2 [0137.032] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="48") returned 2 [0137.032] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="E7") returned 2 [0137.032] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="D1") returned 2 [0137.032] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="34") returned 2 [0137.032] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="A1") returned 2 [0137.032] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="61") returned 2 [0137.032] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="71") returned 2 [0137.032] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="D2") returned 2 [0137.032] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="F2") returned 2 [0137.032] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="AD") returned 2 [0137.032] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="7C") returned 2 [0137.032] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="35") returned 2 [0137.032] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="B0") returned 2 [0137.032] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="CB") returned 2 [0137.033] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="2C") returned 2 [0137.033] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="11") returned 2 [0137.033] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="58") returned 2 [0137.033] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="E1") returned 2 [0137.033] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="13") returned 2 [0137.033] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="74") returned 2 [0137.033] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="E5") returned 2 [0137.033] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="F5") returned 2 [0137.033] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="75") returned 2 [0137.033] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="E9") returned 2 [0137.033] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="41") returned 2 [0137.033] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="51") returned 2 [0137.033] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="42") returned 2 [0137.033] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="2B") returned 2 [0137.042] lstrcpyW (in: lpString1=0x3b480d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\KxRTMsLzTS0-9.gif" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\KxRTMsLzTS0-9.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\KxRTMsLzTS0-9.gif" [0137.042] lstrcpyW (in: lpString1=0x3b380d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\KxRTMsLzTS0-9.gif" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\KxRTMsLzTS0-9.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\KxRTMsLzTS0-9.gif" [0137.042] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\KxRTMsLzTS0-9.gif", lpString2=".431CF89B48E7D134A16171D2F2AD7C35B0CB2C1158E11374E5F575E94151422B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\KxRTMsLzTS0-9.gif.431CF89B48E7D134A16171D2F2AD7C35B0CB2C1158E11374E5F575E94151422B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\KxRTMsLzTS0-9.gif.431CF89B48E7D134A16171D2F2AD7C35B0CB2C1158E11374E5F575E94151422B" [0137.042] CreateIoCompletionPort (FileHandle=0x1a8, ExistingCompletionPort=0x94, CompletionKey=0x3b380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0137.042] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b380a0, lpOverlapped=0x3b380a0) returned 1 [0137.082] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb2d9630, ftCreationTime.dwHighDateTime=0x1d5e4b8, ftLastAccessTime.dwLowDateTime=0xb914e650, ftLastAccessTime.dwHighDateTime=0x1d5e2aa, ftLastWriteTime.dwLowDateTime=0xb914e650, ftLastWriteTime.dwHighDateTime=0x1d5e2aa, nFileSizeHigh=0x0, nFileSizeLow=0x6656, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Mml91SMnftMo.jpg", cAlternateFileName="MML91S~1.JPG")) returned 1 [0137.082] lstrcmpiW (lpString1="Mml91SMnftMo.jpg", lpString2="Windows") returned -1 [0137.082] lstrcmpiW (lpString1="Mml91SMnftMo.jpg", lpString2="Program Files") returned -1 [0137.082] lstrcmpiW (lpString1="Mml91SMnftMo.jpg", lpString2="Program Files (x86)") returned -1 [0137.082] lstrcmpiW (lpString1="Mml91SMnftMo.jpg", lpString2="$Recycle.bin") returned 1 [0137.082] lstrcmpiW (lpString1="Mml91SMnftMo.jpg", lpString2="System Volume Information") returned -1 [0137.082] lstrcmpiW (lpString1="Mml91SMnftMo.jpg", lpString2=".") returned 1 [0137.082] lstrcmpiW (lpString1="Mml91SMnftMo.jpg", lpString2="..") returned 1 [0137.082] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Mml91SMnftMo.jpg") returned 69 [0137.082] lstrcmpW (lpString1="Mml91SMnftMo.jpg", lpString2="PUSSY.TXT") returned -1 [0137.082] PathFindExtensionW (pszPath="Mml91SMnftMo.jpg") returned=".jpg" [0137.082] lstrlenW (lpString=".jpg") returned 4 [0137.082] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0137.082] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Mml91SMnftMo.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\mml91smnftmo.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xec [0137.083] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=26198) returned 1 [0137.083] GetProcessHeap () returned 0x4c0000 [0137.083] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b600f0 [0137.094] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="8D") returned 2 [0137.094] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="31") returned 2 [0137.094] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="D5") returned 2 [0137.094] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="AA") returned 2 [0137.094] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="61") returned 2 [0137.094] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="43") returned 2 [0137.094] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="DC") returned 2 [0137.094] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="DB") returned 2 [0137.094] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="E2") returned 2 [0137.094] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="22") returned 2 [0137.094] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="42") returned 2 [0137.094] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="98") returned 2 [0137.094] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="32") returned 2 [0137.094] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="3D") returned 2 [0137.094] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="3B") returned 2 [0137.094] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="26") returned 2 [0137.094] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="17") returned 2 [0137.094] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="FF") returned 2 [0137.094] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="11") returned 2 [0137.094] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="2C") returned 2 [0137.094] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="48") returned 2 [0137.094] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="24") returned 2 [0137.094] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="8D") returned 2 [0137.094] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="38") returned 2 [0137.094] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="F9") returned 2 [0137.094] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="46") returned 2 [0137.094] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="49") returned 2 [0137.094] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="1B") returned 2 [0137.094] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="56") returned 2 [0137.094] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="BF") returned 2 [0137.094] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="75") returned 2 [0137.095] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="7C") returned 2 [0137.103] lstrcpyW (in: lpString1=0x3b70124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Mml91SMnftMo.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Mml91SMnftMo.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Mml91SMnftMo.jpg" [0137.103] lstrcpyW (in: lpString1=0x3b60124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Mml91SMnftMo.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Mml91SMnftMo.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Mml91SMnftMo.jpg" [0137.103] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Mml91SMnftMo.jpg", lpString2=".8D31D5AA6143DCDBE2224298323D3B2617FF112C48248D38F946491B56BF757C" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Mml91SMnftMo.jpg.8D31D5AA6143DCDBE2224298323D3B2617FF112C48248D38F946491B56BF757C") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Mml91SMnftMo.jpg.8D31D5AA6143DCDBE2224298323D3B2617FF112C48248D38F946491B56BF757C" [0137.103] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x94, CompletionKey=0x3b600f0, NumberOfConcurrentThreads=0x0) returned 0x94 [0137.103] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b600f0, lpOverlapped=0x3b600f0) returned 1 [0137.126] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xdd1d2c0, ftCreationTime.dwHighDateTime=0x1d5e319, ftLastAccessTime.dwLowDateTime=0x7f1aced0, ftLastAccessTime.dwHighDateTime=0x1d5e79e, ftLastWriteTime.dwLowDateTime=0x7f1aced0, ftLastWriteTime.dwHighDateTime=0x1d5e79e, nFileSizeHigh=0x0, nFileSizeLow=0x4390, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="ngaxkzeOsZtTQh5Tf.gif", cAlternateFileName="NGAXKZ~1.GIF")) returned 1 [0137.126] lstrcmpiW (lpString1="ngaxkzeOsZtTQh5Tf.gif", lpString2="Windows") returned -1 [0137.126] lstrcmpiW (lpString1="ngaxkzeOsZtTQh5Tf.gif", lpString2="Program Files") returned -1 [0137.126] lstrcmpiW (lpString1="ngaxkzeOsZtTQh5Tf.gif", lpString2="Program Files (x86)") returned -1 [0137.126] lstrcmpiW (lpString1="ngaxkzeOsZtTQh5Tf.gif", lpString2="$Recycle.bin") returned 1 [0137.126] lstrcmpiW (lpString1="ngaxkzeOsZtTQh5Tf.gif", lpString2="System Volume Information") returned -1 [0137.126] lstrcmpiW (lpString1="ngaxkzeOsZtTQh5Tf.gif", lpString2=".") returned 1 [0137.126] lstrcmpiW (lpString1="ngaxkzeOsZtTQh5Tf.gif", lpString2="..") returned 1 [0137.126] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\ngaxkzeOsZtTQh5Tf.gif") returned 74 [0137.126] lstrcmpW (lpString1="ngaxkzeOsZtTQh5Tf.gif", lpString2="PUSSY.TXT") returned -1 [0137.126] PathFindExtensionW (pszPath="ngaxkzeOsZtTQh5Tf.gif") returned=".gif" [0137.126] lstrlenW (lpString=".gif") returned 4 [0137.126] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0137.126] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\ngaxkzeOsZtTQh5Tf.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\ngaxkzeoszttqh5tf.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0137.127] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=17296) returned 1 [0137.127] GetProcessHeap () returned 0x4c0000 [0137.127] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b88140 [0137.136] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="D9") returned 2 [0137.137] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="40") returned 2 [0137.137] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="F8") returned 2 [0137.137] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="A6") returned 2 [0137.137] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="6F") returned 2 [0137.137] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="E6") returned 2 [0137.137] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="4A") returned 2 [0137.137] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="DB") returned 2 [0137.137] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="A1") returned 2 [0137.137] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="9C") returned 2 [0137.137] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="BB") returned 2 [0137.137] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="63") returned 2 [0137.137] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="33") returned 2 [0137.137] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="82") returned 2 [0137.137] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="65") returned 2 [0137.137] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="9A") returned 2 [0137.137] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="3B") returned 2 [0137.137] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="5E") returned 2 [0137.137] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="15") returned 2 [0137.137] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="5E") returned 2 [0137.138] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="CF") returned 2 [0137.138] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="81") returned 2 [0137.138] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="81") returned 2 [0137.138] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="94") returned 2 [0137.138] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="07") returned 2 [0137.138] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="5D") returned 2 [0137.138] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="12") returned 2 [0137.138] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="6B") returned 2 [0137.138] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="A0") returned 2 [0137.138] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="5C") returned 2 [0137.138] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="13") returned 2 [0137.138] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="41") returned 2 [0137.146] lstrcpyW (in: lpString1=0x3b98174, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\ngaxkzeOsZtTQh5Tf.gif" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\ngaxkzeOsZtTQh5Tf.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\ngaxkzeOsZtTQh5Tf.gif" [0137.146] lstrcpyW (in: lpString1=0x3b88174, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\ngaxkzeOsZtTQh5Tf.gif" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\ngaxkzeOsZtTQh5Tf.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\ngaxkzeOsZtTQh5Tf.gif" [0137.146] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\ngaxkzeOsZtTQh5Tf.gif", lpString2=".D940F8A66FE64ADBA19CBB633382659A3B5E155ECF818194075D126BA05C1341" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\ngaxkzeOsZtTQh5Tf.gif.D940F8A66FE64ADBA19CBB633382659A3B5E155ECF818194075D126BA05C1341") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\ngaxkzeOsZtTQh5Tf.gif.D940F8A66FE64ADBA19CBB633382659A3B5E155ECF818194075D126BA05C1341" [0137.146] CreateIoCompletionPort (FileHandle=0x1d8, ExistingCompletionPort=0x94, CompletionKey=0x3b88140, NumberOfConcurrentThreads=0x0) returned 0x94 [0137.146] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b88140, lpOverlapped=0x3b88140) returned 1 [0137.146] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa8bf7630, ftCreationTime.dwHighDateTime=0x1d5e3ea, ftLastAccessTime.dwLowDateTime=0xf2ee630, ftLastAccessTime.dwHighDateTime=0x1d5de41, ftLastWriteTime.dwLowDateTime=0xf2ee630, ftLastWriteTime.dwHighDateTime=0x1d5de41, nFileSizeHigh=0x0, nFileSizeLow=0x7f01, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="NqDfGqVA8vFzG5.flv", cAlternateFileName="NQDFGQ~1.FLV")) returned 1 [0137.146] lstrcmpiW (lpString1="NqDfGqVA8vFzG5.flv", lpString2="Windows") returned -1 [0137.146] lstrcmpiW (lpString1="NqDfGqVA8vFzG5.flv", lpString2="Program Files") returned -1 [0137.146] lstrcmpiW (lpString1="NqDfGqVA8vFzG5.flv", lpString2="Program Files (x86)") returned -1 [0137.146] lstrcmpiW (lpString1="NqDfGqVA8vFzG5.flv", lpString2="$Recycle.bin") returned 1 [0137.146] lstrcmpiW (lpString1="NqDfGqVA8vFzG5.flv", lpString2="System Volume Information") returned -1 [0137.146] lstrcmpiW (lpString1="NqDfGqVA8vFzG5.flv", lpString2=".") returned 1 [0137.146] lstrcmpiW (lpString1="NqDfGqVA8vFzG5.flv", lpString2="..") returned 1 [0137.147] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\NqDfGqVA8vFzG5.flv") returned 71 [0137.147] lstrcmpW (lpString1="NqDfGqVA8vFzG5.flv", lpString2="PUSSY.TXT") returned -1 [0137.147] PathFindExtensionW (pszPath="NqDfGqVA8vFzG5.flv") returned=".flv" [0137.147] lstrlenW (lpString=".flv") returned 4 [0137.147] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0137.147] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\NqDfGqVA8vFzG5.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\nqdfgqva8vfzg5.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0137.148] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=32513) returned 1 [0137.148] GetProcessHeap () returned 0x4c0000 [0137.148] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c720f8 [0137.158] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="93") returned 2 [0137.158] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="E1") returned 2 [0137.158] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="7F") returned 2 [0137.158] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="DE") returned 2 [0137.158] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="4B") returned 2 [0137.159] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="40") returned 2 [0137.159] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="99") returned 2 [0137.159] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="5E") returned 2 [0137.159] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="C9") returned 2 [0137.159] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="2B") returned 2 [0137.159] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="4F") returned 2 [0137.159] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="3C") returned 2 [0137.159] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="73") returned 2 [0137.159] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="CA") returned 2 [0137.159] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="8A") returned 2 [0137.159] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="07") returned 2 [0137.159] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="8E") returned 2 [0137.159] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="F8") returned 2 [0137.159] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="D6") returned 2 [0137.159] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="A4") returned 2 [0137.159] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="D4") returned 2 [0137.159] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="7F") returned 2 [0137.159] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="09") returned 2 [0137.159] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="86") returned 2 [0137.159] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="94") returned 2 [0137.159] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="A8") returned 2 [0137.159] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="5B") returned 2 [0137.159] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="61") returned 2 [0137.159] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="7F") returned 2 [0137.159] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="46") returned 2 [0137.159] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="5C") returned 2 [0137.159] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="04") returned 2 [0137.170] lstrcpyW (in: lpString1=0x3c8212c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\NqDfGqVA8vFzG5.flv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\NqDfGqVA8vFzG5.flv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\NqDfGqVA8vFzG5.flv" [0137.170] lstrcpyW (in: lpString1=0x3c7212c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\NqDfGqVA8vFzG5.flv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\NqDfGqVA8vFzG5.flv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\NqDfGqVA8vFzG5.flv" [0137.170] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\NqDfGqVA8vFzG5.flv", lpString2=".93E17FDE4B40995EC92B4F3C73CA8A078EF8D6A4D47F098694A85B617F465C04" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\NqDfGqVA8vFzG5.flv.93E17FDE4B40995EC92B4F3C73CA8A078EF8D6A4D47F098694A85B617F465C04") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\NqDfGqVA8vFzG5.flv.93E17FDE4B40995EC92B4F3C73CA8A078EF8D6A4D47F098694A85B617F465C04" [0137.170] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x3c720f8, NumberOfConcurrentThreads=0x0) returned 0x94 [0137.170] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c720f8, lpOverlapped=0x3c720f8) returned 1 [0137.170] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb3606a70, ftCreationTime.dwHighDateTime=0x1d5e473, ftLastAccessTime.dwLowDateTime=0xdfcb3f10, ftLastAccessTime.dwHighDateTime=0x1d5d95e, ftLastWriteTime.dwLowDateTime=0xdfcb3f10, ftLastWriteTime.dwHighDateTime=0x1d5d95e, nFileSizeHigh=0x0, nFileSizeLow=0x38ba, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="P-BGohlSAVantS.m4a", cAlternateFileName="P-BGOH~1.M4A")) returned 1 [0137.171] lstrcmpiW (lpString1="P-BGohlSAVantS.m4a", lpString2="Windows") returned -1 [0137.171] lstrcmpiW (lpString1="P-BGohlSAVantS.m4a", lpString2="Program Files") returned -1 [0137.171] lstrcmpiW (lpString1="P-BGohlSAVantS.m4a", lpString2="Program Files (x86)") returned -1 [0137.171] lstrcmpiW (lpString1="P-BGohlSAVantS.m4a", lpString2="$Recycle.bin") returned 1 [0137.171] lstrcmpiW (lpString1="P-BGohlSAVantS.m4a", lpString2="System Volume Information") returned -1 [0137.171] lstrcmpiW (lpString1="P-BGohlSAVantS.m4a", lpString2=".") returned 1 [0137.171] lstrcmpiW (lpString1="P-BGohlSAVantS.m4a", lpString2="..") returned 1 [0137.171] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-BGohlSAVantS.m4a") returned 71 [0137.171] lstrcmpW (lpString1="P-BGohlSAVantS.m4a", lpString2="PUSSY.TXT") returned -1 [0137.171] PathFindExtensionW (pszPath="P-BGohlSAVantS.m4a") returned=".m4a" [0137.171] lstrlenW (lpString=".m4a") returned 4 [0137.171] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0137.171] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-BGohlSAVantS.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\p-bgohlsavants.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0137.172] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=14522) returned 1 [0137.172] GetProcessHeap () returned 0x4c0000 [0137.172] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c9a148 [0137.182] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="23") returned 2 [0137.182] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="DB") returned 2 [0137.182] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="61") returned 2 [0137.182] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="30") returned 2 [0137.182] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="A4") returned 2 [0137.182] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="02") returned 2 [0137.182] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="A3") returned 2 [0137.182] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="A4") returned 2 [0137.182] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="1B") returned 2 [0137.182] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="87") returned 2 [0137.182] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="8B") returned 2 [0137.182] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="F6") returned 2 [0137.182] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="F6") returned 2 [0137.182] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="A6") returned 2 [0137.182] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="B2") returned 2 [0137.182] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="1D") returned 2 [0137.182] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="7D") returned 2 [0137.182] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="67") returned 2 [0137.182] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="09") returned 2 [0137.182] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="0D") returned 2 [0137.182] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="55") returned 2 [0137.182] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="39") returned 2 [0137.182] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="EB") returned 2 [0137.182] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="47") returned 2 [0137.182] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="5F") returned 2 [0137.182] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="6F") returned 2 [0137.183] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="19") returned 2 [0137.183] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="02") returned 2 [0137.183] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="61") returned 2 [0137.183] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="67") returned 2 [0137.183] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="6C") returned 2 [0137.183] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="00") returned 2 [0137.191] lstrcpyW (in: lpString1=0x3caa17c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-BGohlSAVantS.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-BGohlSAVantS.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-BGohlSAVantS.m4a" [0137.191] lstrcpyW (in: lpString1=0x3c9a17c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-BGohlSAVantS.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-BGohlSAVantS.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-BGohlSAVantS.m4a" [0137.191] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-BGohlSAVantS.m4a", lpString2=".23DB6130A402A3A41B878BF6F6A6B21D7D67090D5539EB475F6F190261676C00" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-BGohlSAVantS.m4a.23DB6130A402A3A41B878BF6F6A6B21D7D67090D5539EB475F6F190261676C00") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-BGohlSAVantS.m4a.23DB6130A402A3A41B878BF6F6A6B21D7D67090D5539EB475F6F190261676C00" [0137.191] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x3c9a148, NumberOfConcurrentThreads=0x0) returned 0x94 [0137.191] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c9a148, lpOverlapped=0x3c9a148) returned 1 [0137.191] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5266f120, ftCreationTime.dwHighDateTime=0x1d5db37, ftLastAccessTime.dwLowDateTime=0xb3266400, ftLastAccessTime.dwHighDateTime=0x1d5e118, ftLastWriteTime.dwLowDateTime=0xb3266400, ftLastWriteTime.dwHighDateTime=0x1d5e118, nFileSizeHigh=0x0, nFileSizeLow=0x18279, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="PBWL.bmp", cAlternateFileName="")) returned 1 [0137.191] lstrcmpiW (lpString1="PBWL.bmp", lpString2="Windows") returned -1 [0137.191] lstrcmpiW (lpString1="PBWL.bmp", lpString2="Program Files") returned -1 [0137.191] lstrcmpiW (lpString1="PBWL.bmp", lpString2="Program Files (x86)") returned -1 [0137.191] lstrcmpiW (lpString1="PBWL.bmp", lpString2="$Recycle.bin") returned 1 [0137.191] lstrcmpiW (lpString1="PBWL.bmp", lpString2="System Volume Information") returned -1 [0137.191] lstrcmpiW (lpString1="PBWL.bmp", lpString2=".") returned 1 [0137.191] lstrcmpiW (lpString1="PBWL.bmp", lpString2="..") returned 1 [0137.191] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\PBWL.bmp") returned 61 [0137.191] lstrcmpW (lpString1="PBWL.bmp", lpString2="PUSSY.TXT") returned -1 [0137.191] PathFindExtensionW (pszPath="PBWL.bmp") returned=".bmp" [0137.191] lstrlenW (lpString=".bmp") returned 4 [0137.192] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0137.192] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\PBWL.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\pbwl.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x154 [0137.193] GetFileSizeEx (in: hFile=0x154, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=98937) returned 1 [0137.193] GetProcessHeap () returned 0x4c0000 [0137.193] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3cc2198 [0137.203] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="22") returned 2 [0137.204] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="8B") returned 2 [0137.204] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="C4") returned 2 [0137.204] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="58") returned 2 [0137.204] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="05") returned 2 [0137.204] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="12") returned 2 [0137.204] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="24") returned 2 [0137.204] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="D8") returned 2 [0137.204] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="51") returned 2 [0137.204] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="7B") returned 2 [0137.204] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="15") returned 2 [0137.204] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="E9") returned 2 [0137.204] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="AC") returned 2 [0137.204] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="94") returned 2 [0137.204] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="71") returned 2 [0137.204] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="6E") returned 2 [0137.204] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="53") returned 2 [0137.204] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="00") returned 2 [0137.204] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="43") returned 2 [0137.204] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="52") returned 2 [0137.204] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="F1") returned 2 [0137.204] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="1F") returned 2 [0137.204] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="3B") returned 2 [0137.204] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="65") returned 2 [0137.204] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="F8") returned 2 [0137.204] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="A4") returned 2 [0137.204] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="7B") returned 2 [0137.204] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="C1") returned 2 [0137.204] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="0D") returned 2 [0137.204] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="8B") returned 2 [0137.204] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="89") returned 2 [0137.204] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="0B") returned 2 [0137.214] lstrcpyW (in: lpString1=0x3cd21cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\PBWL.bmp" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\PBWL.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\PBWL.bmp" [0137.214] lstrcpyW (in: lpString1=0x3cc21cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\PBWL.bmp" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\PBWL.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\PBWL.bmp" [0137.214] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\PBWL.bmp", lpString2=".228BC458051224D8517B15E9AC94716E53004352F11F3B65F8A47BC10D8B890B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\PBWL.bmp.228BC458051224D8517B15E9AC94716E53004352F11F3B65F8A47BC10D8B890B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\PBWL.bmp.228BC458051224D8517B15E9AC94716E53004352F11F3B65F8A47BC10D8B890B" [0137.214] CreateIoCompletionPort (FileHandle=0x154, ExistingCompletionPort=0x94, CompletionKey=0x3cc2198, NumberOfConcurrentThreads=0x0) returned 0x94 [0137.214] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3cc2198, lpOverlapped=0x3cc2198) returned 1 [0137.214] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1e3c0680, ftCreationTime.dwHighDateTime=0x1d5e783, ftLastAccessTime.dwLowDateTime=0x159e9cd0, ftLastAccessTime.dwHighDateTime=0x1d5dba9, ftLastWriteTime.dwLowDateTime=0x159e9cd0, ftLastWriteTime.dwHighDateTime=0x1d5dba9, nFileSizeHigh=0x0, nFileSizeLow=0x1898d, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="ry-Eoee1Dqk.m4a", cAlternateFileName="RY-EOE~1.M4A")) returned 1 [0137.214] lstrcmpiW (lpString1="ry-Eoee1Dqk.m4a", lpString2="Windows") returned -1 [0137.214] lstrcmpiW (lpString1="ry-Eoee1Dqk.m4a", lpString2="Program Files") returned 1 [0137.214] lstrcmpiW (lpString1="ry-Eoee1Dqk.m4a", lpString2="Program Files (x86)") returned 1 [0137.214] lstrcmpiW (lpString1="ry-Eoee1Dqk.m4a", lpString2="$Recycle.bin") returned 1 [0137.214] lstrcmpiW (lpString1="ry-Eoee1Dqk.m4a", lpString2="System Volume Information") returned -1 [0137.214] lstrcmpiW (lpString1="ry-Eoee1Dqk.m4a", lpString2=".") returned 1 [0137.214] lstrcmpiW (lpString1="ry-Eoee1Dqk.m4a", lpString2="..") returned 1 [0137.214] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\ry-Eoee1Dqk.m4a") returned 68 [0137.214] lstrcmpW (lpString1="ry-Eoee1Dqk.m4a", lpString2="PUSSY.TXT") returned 1 [0137.214] PathFindExtensionW (pszPath="ry-Eoee1Dqk.m4a") returned=".m4a" [0137.214] lstrlenW (lpString=".m4a") returned 4 [0137.214] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0137.214] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\ry-Eoee1Dqk.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\ry-eoee1dqk.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0137.223] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=100749) returned 1 [0137.223] GetProcessHeap () returned 0x4c0000 [0137.223] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3cea1e8 [0137.233] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="2A") returned 2 [0137.233] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="42") returned 2 [0137.233] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="07") returned 2 [0137.233] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="E8") returned 2 [0137.233] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="52") returned 2 [0137.233] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="3D") returned 2 [0137.233] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="0B") returned 2 [0137.233] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="F1") returned 2 [0137.233] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="8A") returned 2 [0137.233] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="F2") returned 2 [0137.233] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="56") returned 2 [0137.233] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="38") returned 2 [0137.233] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="4E") returned 2 [0137.233] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="BA") returned 2 [0137.233] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="B7") returned 2 [0137.233] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="4C") returned 2 [0137.233] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="3C") returned 2 [0137.233] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="5C") returned 2 [0137.233] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="3F") returned 2 [0137.233] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="77") returned 2 [0137.233] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="2E") returned 2 [0137.233] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="BA") returned 2 [0137.233] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="6D") returned 2 [0137.233] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="EF") returned 2 [0137.233] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="F6") returned 2 [0137.233] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="B9") returned 2 [0137.233] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="26") returned 2 [0137.233] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="96") returned 2 [0137.233] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="90") returned 2 [0137.233] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="AE") returned 2 [0137.233] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="F9") returned 2 [0137.233] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="1B") returned 2 [0137.242] lstrcpyW (in: lpString1=0x3cfa21c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\ry-Eoee1Dqk.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\ry-Eoee1Dqk.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\ry-Eoee1Dqk.m4a" [0137.242] lstrcpyW (in: lpString1=0x3cea21c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\ry-Eoee1Dqk.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\ry-Eoee1Dqk.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\ry-Eoee1Dqk.m4a" [0137.242] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\ry-Eoee1Dqk.m4a", lpString2=".2A4207E8523D0BF18AF256384EBAB74C3C5C3F772EBA6DEFF6B9269690AEF91B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\ry-Eoee1Dqk.m4a.2A4207E8523D0BF18AF256384EBAB74C3C5C3F772EBA6DEFF6B9269690AEF91B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\ry-Eoee1Dqk.m4a.2A4207E8523D0BF18AF256384EBAB74C3C5C3F772EBA6DEFF6B9269690AEF91B" [0137.242] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x3cea1e8, NumberOfConcurrentThreads=0x0) returned 0x94 [0137.242] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3cea1e8, lpOverlapped=0x3cea1e8) returned 1 [0137.242] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6cd40b30, ftCreationTime.dwHighDateTime=0x1d5d865, ftLastAccessTime.dwLowDateTime=0x4988b560, ftLastAccessTime.dwHighDateTime=0x1d5e15a, ftLastWriteTime.dwLowDateTime=0x4988b560, ftLastWriteTime.dwHighDateTime=0x1d5e15a, nFileSizeHigh=0x0, nFileSizeLow=0x152d2, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="SMb_dAM.swf", cAlternateFileName="")) returned 1 [0137.242] lstrcmpiW (lpString1="SMb_dAM.swf", lpString2="Windows") returned -1 [0137.242] lstrcmpiW (lpString1="SMb_dAM.swf", lpString2="Program Files") returned 1 [0137.242] lstrcmpiW (lpString1="SMb_dAM.swf", lpString2="Program Files (x86)") returned 1 [0137.242] lstrcmpiW (lpString1="SMb_dAM.swf", lpString2="$Recycle.bin") returned 1 [0137.242] lstrcmpiW (lpString1="SMb_dAM.swf", lpString2="System Volume Information") returned -1 [0137.242] lstrcmpiW (lpString1="SMb_dAM.swf", lpString2=".") returned 1 [0137.242] lstrcmpiW (lpString1="SMb_dAM.swf", lpString2="..") returned 1 [0137.242] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\SMb_dAM.swf") returned 64 [0137.242] lstrcmpW (lpString1="SMb_dAM.swf", lpString2="PUSSY.TXT") returned 1 [0137.242] PathFindExtensionW (pszPath="SMb_dAM.swf") returned=".swf" [0137.242] lstrlenW (lpString=".swf") returned 4 [0137.242] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0137.242] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\SMb_dAM.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\smb_dam.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x128 [0137.243] GetFileSizeEx (in: hFile=0x128, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=86738) returned 1 [0137.243] GetProcessHeap () returned 0x4c0000 [0137.243] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3d12238 [0137.257] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="C6") returned 2 [0137.257] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="5D") returned 2 [0137.257] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="4F") returned 2 [0137.257] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="97") returned 2 [0137.257] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="4F") returned 2 [0137.257] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="1B") returned 2 [0137.258] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="7F") returned 2 [0137.258] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="A6") returned 2 [0137.258] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="97") returned 2 [0137.258] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="E0") returned 2 [0137.258] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="3C") returned 2 [0137.258] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="F6") returned 2 [0137.258] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="0A") returned 2 [0137.258] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="93") returned 2 [0137.258] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="6B") returned 2 [0137.258] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="42") returned 2 [0137.258] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="50") returned 2 [0137.258] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="B4") returned 2 [0137.258] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="B6") returned 2 [0137.258] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="2B") returned 2 [0137.258] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="F4") returned 2 [0137.258] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="05") returned 2 [0137.258] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="06") returned 2 [0137.258] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="54") returned 2 [0137.258] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="7D") returned 2 [0137.258] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="B4") returned 2 [0137.258] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="66") returned 2 [0137.258] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="CB") returned 2 [0137.258] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="2B") returned 2 [0137.258] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="A0") returned 2 [0137.258] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="18") returned 2 [0137.258] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="05") returned 2 [0137.267] lstrcpyW (in: lpString1=0x3d2226c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\SMb_dAM.swf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\SMb_dAM.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\SMb_dAM.swf" [0137.267] lstrcpyW (in: lpString1=0x3d1226c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\SMb_dAM.swf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\SMb_dAM.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\SMb_dAM.swf" [0137.267] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\SMb_dAM.swf", lpString2=".C65D4F974F1B7FA697E03CF60A936B4250B4B62BF40506547DB466CB2BA01805" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\SMb_dAM.swf.C65D4F974F1B7FA697E03CF60A936B4250B4B62BF40506547DB466CB2BA01805") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\SMb_dAM.swf.C65D4F974F1B7FA697E03CF60A936B4250B4B62BF40506547DB466CB2BA01805" [0137.268] CreateIoCompletionPort (FileHandle=0x128, ExistingCompletionPort=0x94, CompletionKey=0x3d12238, NumberOfConcurrentThreads=0x0) returned 0x94 [0137.268] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3d12238, lpOverlapped=0x3d12238) returned 1 [0137.268] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd978bc80, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd978bc80, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd978bc80, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Temporary Internet Files", cAlternateFileName="TEMPOR~1")) returned 1 [0137.268] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="Windows") returned -1 [0137.268] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="Program Files") returned 1 [0137.268] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="Program Files (x86)") returned 1 [0137.268] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="$Recycle.bin") returned 1 [0137.268] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="System Volume Information") returned 1 [0137.268] lstrcmpiW (lpString1="Temporary Internet Files", lpString2=".") returned 1 [0137.268] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="..") returned 1 [0137.268] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files") returned 77 [0137.268] GetProcessHeap () returned 0x4c0000 [0137.268] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c500e8 [0137.268] lstrcpyW (in: lpString1=0x3c500e8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files" [0137.269] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\*" [0137.269] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd978bc80, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd978bc80, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd978bc80, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28c550, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0137.269] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0137.269] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0137.269] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0137.269] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0137.269] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0137.269] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0137.269] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd978bc80, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd978bc80, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd978bc80, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28c550, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0137.269] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0137.269] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0137.269] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0137.269] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0137.269] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0137.269] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0137.269] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0137.270] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd978bc80, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97d7f40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97d7f40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28c550, dwReserved1=0x77c61b06, cFileName="Content.IE5", cAlternateFileName="")) returned 1 [0137.270] lstrcmpiW (lpString1="Content.IE5", lpString2="Windows") returned -1 [0137.270] lstrcmpiW (lpString1="Content.IE5", lpString2="Program Files") returned -1 [0137.270] lstrcmpiW (lpString1="Content.IE5", lpString2="Program Files (x86)") returned -1 [0137.270] lstrcmpiW (lpString1="Content.IE5", lpString2="$Recycle.bin") returned 1 [0137.270] lstrcmpiW (lpString1="Content.IE5", lpString2="System Volume Information") returned -1 [0137.270] lstrcmpiW (lpString1="Content.IE5", lpString2=".") returned 1 [0137.270] lstrcmpiW (lpString1="Content.IE5", lpString2="..") returned 1 [0137.270] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5") returned 89 [0137.270] GetProcessHeap () returned 0x4c0000 [0137.270] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c600f0 [0137.270] lstrcpyW (in: lpString1=0x3c600f0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5" [0137.270] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\*" [0137.270] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd978bc80, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97d7f40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97d7f40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe854d53, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0137.271] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0137.271] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0137.271] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0137.271] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0137.271] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0137.271] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0137.271] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd978bc80, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97d7f40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97d7f40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe854d53, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0137.271] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0137.271] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0137.271] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0137.271] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0137.271] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0137.271] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0137.271] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0137.271] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97b1de0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97d7f40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97d7f40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe854d53, dwReserved1=0xfe000000, cFileName="03J4UQW0", cAlternateFileName="")) returned 1 [0137.271] lstrcmpiW (lpString1="03J4UQW0", lpString2="Windows") returned -1 [0137.271] lstrcmpiW (lpString1="03J4UQW0", lpString2="Program Files") returned -1 [0137.271] lstrcmpiW (lpString1="03J4UQW0", lpString2="Program Files (x86)") returned -1 [0137.271] lstrcmpiW (lpString1="03J4UQW0", lpString2="$Recycle.bin") returned 1 [0137.271] lstrcmpiW (lpString1="03J4UQW0", lpString2="System Volume Information") returned -1 [0137.271] lstrcmpiW (lpString1="03J4UQW0", lpString2=".") returned 1 [0137.271] lstrcmpiW (lpString1="03J4UQW0", lpString2="..") returned 1 [0137.271] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\03J4UQW0") returned 98 [0137.271] GetProcessHeap () returned 0x4c0000 [0137.271] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0137.271] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\03J4UQW0" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\03J4UQW0") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\03J4UQW0" [0137.271] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\03J4UQW0", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\03J4UQW0\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\03J4UQW0\\*" [0137.271] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\03J4UQW0\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97b1de0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97d7f40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97d7f40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0x2dbea5cb, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0137.272] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0137.272] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0137.272] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0137.272] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0137.272] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0137.272] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0137.272] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97b1de0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97d7f40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97d7f40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0x2dbea5cb, cFileName="..", cAlternateFileName="")) returned 1 [0137.273] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0137.273] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0137.273] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0137.273] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0137.273] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0137.273] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0137.273] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0137.273] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0xd97d7f40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97d7f40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97d7f40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x43, dwReserved0=0x3bf1228, dwReserved1=0x2dbea5cb, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0137.273] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0137.273] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0137.273] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0137.273] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0137.273] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0137.273] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0137.273] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0137.273] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\03J4UQW0\\desktop.ini") returned 110 [0137.273] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0137.273] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0137.273] lstrlenW (lpString=".ini") returned 4 [0137.273] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0137.273] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\03J4UQW0\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\03j4uqw0\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1e4 [0137.274] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=67) returned 1 [0137.274] CloseHandle (hObject=0x1e4) returned 1 [0137.274] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0xd97d7f40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97d7f40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97d7f40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x43, dwReserved0=0x3bf1228, dwReserved1=0x2dbea5cb, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0137.274] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0137.274] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\03J4UQW0\\PUSSY.TXT") returned 108 [0137.274] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\03J4UQW0\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\03j4uqw0\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0137.769] lstrlenA (lpString="abcd") returned 4 [0137.769] WriteFile (in: hFile=0x1b8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0137.770] CloseHandle (hObject=0x1b8) returned 1 [0137.770] GetProcessHeap () returned 0x4c0000 [0137.770] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0137.770] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0xd97b1de0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97b1de0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97b1de0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x43, dwReserved0=0xfe854d53, dwReserved1=0xfe000000, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0137.770] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0137.770] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0137.770] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0137.770] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0137.771] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0137.771] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0137.771] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0137.771] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\desktop.ini") returned 101 [0137.771] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0137.771] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0137.771] lstrlenW (lpString=".ini") returned 4 [0137.771] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0137.771] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0137.772] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=67) returned 1 [0137.772] CloseHandle (hObject=0x1b8) returned 1 [0137.772] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xd978bc80, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd978bc80, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xed0fc650, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0xfe854d53, dwReserved1=0xfe000000, cFileName="index.dat", cAlternateFileName="")) returned 1 [0137.772] lstrcmpiW (lpString1="index.dat", lpString2="Windows") returned -1 [0137.772] lstrcmpiW (lpString1="index.dat", lpString2="Program Files") returned -1 [0137.772] lstrcmpiW (lpString1="index.dat", lpString2="Program Files (x86)") returned -1 [0137.772] lstrcmpiW (lpString1="index.dat", lpString2="$Recycle.bin") returned 1 [0137.772] lstrcmpiW (lpString1="index.dat", lpString2="System Volume Information") returned -1 [0137.772] lstrcmpiW (lpString1="index.dat", lpString2=".") returned 1 [0137.772] lstrcmpiW (lpString1="index.dat", lpString2="..") returned 1 [0137.772] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\index.dat") returned 99 [0137.772] lstrcmpW (lpString1="index.dat", lpString2="PUSSY.TXT") returned -1 [0137.772] PathFindExtensionW (pszPath="index.dat") returned=".dat" [0137.773] lstrlenW (lpString=".dat") returned 4 [0137.773] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0137.773] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\index.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0137.773] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=32768) returned 1 [0137.773] GetProcessHeap () returned 0x4c0000 [0137.773] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0137.783] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="A4") returned 2 [0137.783] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="AC") returned 2 [0137.783] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="4C") returned 2 [0137.783] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="1B") returned 2 [0137.783] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="08") returned 2 [0137.783] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="E8") returned 2 [0137.783] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="A2") returned 2 [0137.783] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="49") returned 2 [0137.783] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="20") returned 2 [0137.783] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="18") returned 2 [0137.783] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="BB") returned 2 [0137.783] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="08") returned 2 [0137.784] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="60") returned 2 [0137.784] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="36") returned 2 [0137.784] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="B7") returned 2 [0137.784] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="82") returned 2 [0137.784] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="4D") returned 2 [0137.784] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="11") returned 2 [0137.784] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="FE") returned 2 [0137.784] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="35") returned 2 [0137.784] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="B1") returned 2 [0137.784] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="20") returned 2 [0137.784] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="8E") returned 2 [0137.784] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="3E") returned 2 [0137.784] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="CE") returned 2 [0137.784] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="D1") returned 2 [0137.784] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="D9") returned 2 [0137.784] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="67") returned 2 [0137.784] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="BB") returned 2 [0137.784] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="26") returned 2 [0137.784] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="0A") returned 2 [0137.784] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="36") returned 2 [0137.793] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\index.dat" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\index.dat") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\index.dat" [0137.793] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\index.dat" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\index.dat") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\index.dat" [0137.793] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\index.dat", lpString2=".A4AC4C1B08E8A2492018BB086036B7824D11FE35B1208E3ECED1D967BB260A36" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\index.dat.A4AC4C1B08E8A2492018BB086036B7824D11FE35B1208E3ECED1D967BB260A36") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\index.dat.A4AC4C1B08E8A2492018BB086036B7824D11FE35B1208E3ECED1D967BB260A36" [0137.793] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0137.793] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0137.793] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97b1de0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97b1de0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97b1de0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe854d53, dwReserved1=0xfe000000, cFileName="KETAJP6D", cAlternateFileName="")) returned 1 [0137.793] lstrcmpiW (lpString1="KETAJP6D", lpString2="Windows") returned -1 [0137.793] lstrcmpiW (lpString1="KETAJP6D", lpString2="Program Files") returned -1 [0137.793] lstrcmpiW (lpString1="KETAJP6D", lpString2="Program Files (x86)") returned -1 [0137.794] lstrcmpiW (lpString1="KETAJP6D", lpString2="$Recycle.bin") returned 1 [0137.794] lstrcmpiW (lpString1="KETAJP6D", lpString2="System Volume Information") returned -1 [0137.794] lstrcmpiW (lpString1="KETAJP6D", lpString2=".") returned 1 [0137.794] lstrcmpiW (lpString1="KETAJP6D", lpString2="..") returned 1 [0137.794] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\KETAJP6D") returned 98 [0137.794] GetProcessHeap () returned 0x4c0000 [0137.794] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0137.794] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\KETAJP6D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\KETAJP6D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\KETAJP6D" [0137.794] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\KETAJP6D", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\KETAJP6D\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\KETAJP6D\\*" [0137.794] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\KETAJP6D\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97b1de0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97b1de0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97b1de0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0137.794] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0137.794] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0137.794] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0137.794] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0137.794] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0137.794] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0137.794] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97b1de0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97b1de0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97b1de0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0137.795] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0137.795] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0137.795] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0137.795] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0137.795] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0137.795] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0137.795] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0137.795] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0xd97b1de0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97b1de0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97b1de0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x43, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0137.795] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0137.795] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0137.795] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0137.795] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0137.795] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0137.795] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0137.795] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0137.795] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\KETAJP6D\\desktop.ini") returned 110 [0137.795] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0137.795] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0137.795] lstrlenW (lpString=".ini") returned 4 [0137.795] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0137.795] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\KETAJP6D\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\ketajp6d\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0137.796] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=67) returned 1 [0137.796] CloseHandle (hObject=0x184) returned 1 [0137.796] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0xd97b1de0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97b1de0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97b1de0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x43, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0137.796] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0137.796] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\KETAJP6D\\PUSSY.TXT") returned 108 [0137.796] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\KETAJP6D\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\ketajp6d\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0137.797] lstrlenA (lpString="abcd") returned 4 [0137.797] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0137.798] CloseHandle (hObject=0x1d0) returned 1 [0137.798] GetProcessHeap () returned 0x4c0000 [0137.798] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0137.800] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97d7f40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97d7f40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97d7f40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe854d53, dwReserved1=0xfe000000, cFileName="VB18B0KB", cAlternateFileName="")) returned 1 [0137.800] lstrcmpiW (lpString1="VB18B0KB", lpString2="Windows") returned -1 [0137.800] lstrcmpiW (lpString1="VB18B0KB", lpString2="Program Files") returned 1 [0137.800] lstrcmpiW (lpString1="VB18B0KB", lpString2="Program Files (x86)") returned 1 [0137.800] lstrcmpiW (lpString1="VB18B0KB", lpString2="$Recycle.bin") returned 1 [0137.801] lstrcmpiW (lpString1="VB18B0KB", lpString2="System Volume Information") returned 1 [0137.801] lstrcmpiW (lpString1="VB18B0KB", lpString2=".") returned 1 [0137.801] lstrcmpiW (lpString1="VB18B0KB", lpString2="..") returned 1 [0137.801] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\VB18B0KB") returned 98 [0137.801] GetProcessHeap () returned 0x4c0000 [0137.801] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0137.802] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\VB18B0KB" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\VB18B0KB") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\VB18B0KB" [0137.802] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\VB18B0KB", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\VB18B0KB\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\VB18B0KB\\*" [0137.802] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\VB18B0KB\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97d7f40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97d7f40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97d7f40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0137.802] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0137.802] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0137.802] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0137.802] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0137.802] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0137.802] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0137.802] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97d7f40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97d7f40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97d7f40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0137.802] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0137.802] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0137.802] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0137.802] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0137.802] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0137.802] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0137.802] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0137.803] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0xd97d7f40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97d7f40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97d7f40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x43, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0137.803] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0137.803] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0137.803] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0137.803] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0137.803] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0137.803] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0137.803] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0137.803] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\VB18B0KB\\desktop.ini") returned 110 [0137.803] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0137.803] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0137.803] lstrlenW (lpString=".ini") returned 4 [0137.803] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0137.803] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\VB18B0KB\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\vb18b0kb\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0137.803] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=67) returned 1 [0137.804] CloseHandle (hObject=0x184) returned 1 [0137.804] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0xd97d7f40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97d7f40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97d7f40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x43, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0137.804] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0137.804] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\VB18B0KB\\PUSSY.TXT") returned 108 [0137.804] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\VB18B0KB\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\vb18b0kb\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0137.804] lstrlenA (lpString="abcd") returned 4 [0137.804] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0137.805] CloseHandle (hObject=0x1d0) returned 1 [0137.805] GetProcessHeap () returned 0x4c0000 [0137.805] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0137.805] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97b1de0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97b1de0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97b1de0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe854d53, dwReserved1=0xfe000000, cFileName="XT1RPYG9", cAlternateFileName="")) returned 1 [0137.805] lstrcmpiW (lpString1="XT1RPYG9", lpString2="Windows") returned 1 [0137.805] lstrcmpiW (lpString1="XT1RPYG9", lpString2="Program Files") returned 1 [0137.806] lstrcmpiW (lpString1="XT1RPYG9", lpString2="Program Files (x86)") returned 1 [0137.806] lstrcmpiW (lpString1="XT1RPYG9", lpString2="$Recycle.bin") returned 1 [0137.806] lstrcmpiW (lpString1="XT1RPYG9", lpString2="System Volume Information") returned 1 [0137.806] lstrcmpiW (lpString1="XT1RPYG9", lpString2=".") returned 1 [0137.806] lstrcmpiW (lpString1="XT1RPYG9", lpString2="..") returned 1 [0137.806] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\XT1RPYG9") returned 98 [0137.806] GetProcessHeap () returned 0x4c0000 [0137.806] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0137.806] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\XT1RPYG9" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\XT1RPYG9") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\XT1RPYG9" [0137.806] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\XT1RPYG9", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\XT1RPYG9\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\XT1RPYG9\\*" [0137.806] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\XT1RPYG9\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97b1de0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97b1de0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97b1de0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0137.806] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0137.806] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0137.806] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0137.806] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0137.806] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0137.806] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0137.806] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97b1de0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97b1de0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97b1de0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0137.806] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0137.806] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0137.806] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0137.806] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0137.806] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0137.806] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0137.806] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0137.807] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0xd97b1de0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97b1de0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97b1de0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x43, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0137.807] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0137.807] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0137.807] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0137.807] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0137.807] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0137.807] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0137.807] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0137.807] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\XT1RPYG9\\desktop.ini") returned 110 [0137.807] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0137.807] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0137.807] lstrlenW (lpString=".ini") returned 4 [0137.807] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0137.807] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\XT1RPYG9\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\xt1rpyg9\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0137.807] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=67) returned 1 [0137.807] CloseHandle (hObject=0x184) returned 1 [0137.807] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0xd97b1de0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97b1de0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97b1de0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x43, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0137.808] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0137.808] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\XT1RPYG9\\PUSSY.TXT") returned 108 [0137.808] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\XT1RPYG9\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\xt1rpyg9\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0137.808] lstrlenA (lpString="abcd") returned 4 [0137.808] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0137.810] CloseHandle (hObject=0x1d0) returned 1 [0137.810] GetProcessHeap () returned 0x4c0000 [0137.810] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0137.810] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97b1de0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97b1de0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97b1de0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe854d53, dwReserved1=0xfe000000, cFileName="XT1RPYG9", cAlternateFileName="")) returned 0 [0137.810] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0137.810] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\PUSSY.TXT") returned 99 [0137.810] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0137.854] lstrlenA (lpString="abcd") returned 4 [0137.854] WriteFile (in: hFile=0x178, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0137.855] CloseHandle (hObject=0x178) returned 1 [0137.856] GetProcessHeap () returned 0x4c0000 [0137.856] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c600f0 | out: hHeap=0x4c0000) returned 1 [0137.857] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd978bc80, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97d7f40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97d7f40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28c550, dwReserved1=0x77c61b06, cFileName="Content.IE5", cAlternateFileName="")) returned 0 [0137.857] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0137.857] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\PUSSY.TXT") returned 87 [0137.857] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x124 [0137.858] lstrlenA (lpString="abcd") returned 4 [0137.858] WriteFile (in: hFile=0x124, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0137.859] CloseHandle (hObject=0x124) returned 1 [0137.860] GetProcessHeap () returned 0x4c0000 [0137.860] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c500e8 | out: hHeap=0x4c0000) returned 1 [0137.861] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x69cb6010, ftCreationTime.dwHighDateTime=0x1d5e48f, ftLastAccessTime.dwLowDateTime=0xe6b5c950, ftLastAccessTime.dwHighDateTime=0x1d5dccc, ftLastWriteTime.dwLowDateTime=0xe6b5c950, ftLastWriteTime.dwHighDateTime=0x1d5dccc, nFileSizeHigh=0x0, nFileSizeLow=0x1451b, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="tZuuJ7ReAAzj5YmvVWiF.ods", cAlternateFileName="TZUUJ7~1.ODS")) returned 1 [0137.861] lstrcmpiW (lpString1="tZuuJ7ReAAzj5YmvVWiF.ods", lpString2="Windows") returned -1 [0137.861] lstrcmpiW (lpString1="tZuuJ7ReAAzj5YmvVWiF.ods", lpString2="Program Files") returned 1 [0137.861] lstrcmpiW (lpString1="tZuuJ7ReAAzj5YmvVWiF.ods", lpString2="Program Files (x86)") returned 1 [0137.861] lstrcmpiW (lpString1="tZuuJ7ReAAzj5YmvVWiF.ods", lpString2="$Recycle.bin") returned 1 [0137.861] lstrcmpiW (lpString1="tZuuJ7ReAAzj5YmvVWiF.ods", lpString2="System Volume Information") returned 1 [0137.861] lstrcmpiW (lpString1="tZuuJ7ReAAzj5YmvVWiF.ods", lpString2=".") returned 1 [0137.861] lstrcmpiW (lpString1="tZuuJ7ReAAzj5YmvVWiF.ods", lpString2="..") returned 1 [0137.861] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\tZuuJ7ReAAzj5YmvVWiF.ods") returned 77 [0137.861] lstrcmpW (lpString1="tZuuJ7ReAAzj5YmvVWiF.ods", lpString2="PUSSY.TXT") returned 1 [0137.861] PathFindExtensionW (pszPath="tZuuJ7ReAAzj5YmvVWiF.ods") returned=".ods" [0137.862] lstrlenW (lpString=".ods") returned 4 [0137.862] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0137.862] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\tZuuJ7ReAAzj5YmvVWiF.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\tzuuj7reaazj5ymvvwif.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x124 [0137.862] GetFileSizeEx (in: hFile=0x124, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=83227) returned 1 [0137.863] GetProcessHeap () returned 0x4c0000 [0137.863] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc80e0 [0137.881] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="0B") returned 2 [0137.881] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="EC") returned 2 [0137.881] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="FB") returned 2 [0137.881] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="1C") returned 2 [0137.881] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="DD") returned 2 [0137.881] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="FC") returned 2 [0137.881] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="7A") returned 2 [0137.882] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="2D") returned 2 [0137.882] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="09") returned 2 [0137.882] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="51") returned 2 [0137.882] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="97") returned 2 [0137.882] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="F8") returned 2 [0137.882] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="32") returned 2 [0137.882] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="5F") returned 2 [0137.882] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="E3") returned 2 [0137.882] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="C2") returned 2 [0137.882] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="1C") returned 2 [0137.882] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="7C") returned 2 [0137.882] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="A4") returned 2 [0137.882] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="B3") returned 2 [0137.882] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="C8") returned 2 [0137.882] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="F7") returned 2 [0137.882] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="69") returned 2 [0137.882] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="0D") returned 2 [0137.883] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="2F") returned 2 [0137.883] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="AB") returned 2 [0137.883] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="F2") returned 2 [0137.883] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="65") returned 2 [0137.883] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="F7") returned 2 [0137.883] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="79") returned 2 [0137.883] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="8A") returned 2 [0137.883] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="76") returned 2 [0137.895] lstrcpyW (in: lpString1=0x3bd8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\tZuuJ7ReAAzj5YmvVWiF.ods" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\tZuuJ7ReAAzj5YmvVWiF.ods") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\tZuuJ7ReAAzj5YmvVWiF.ods" [0137.895] lstrcpyW (in: lpString1=0x3bc8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\tZuuJ7ReAAzj5YmvVWiF.ods" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\tZuuJ7ReAAzj5YmvVWiF.ods") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\tZuuJ7ReAAzj5YmvVWiF.ods" [0137.895] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\tZuuJ7ReAAzj5YmvVWiF.ods", lpString2=".0BECFB1CDDFC7A2D095197F8325FE3C21C7CA4B3C8F7690D2FABF265F7798A76" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\tZuuJ7ReAAzj5YmvVWiF.ods.0BECFB1CDDFC7A2D095197F8325FE3C21C7CA4B3C8F7690D2FABF265F7798A76") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\tZuuJ7ReAAzj5YmvVWiF.ods.0BECFB1CDDFC7A2D095197F8325FE3C21C7CA4B3C8F7690D2FABF265F7798A76" [0137.895] CreateIoCompletionPort (FileHandle=0x124, ExistingCompletionPort=0x94, CompletionKey=0x3bc80e0, NumberOfConcurrentThreads=0x0) returned 0x94 [0137.895] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc80e0, lpOverlapped=0x3bc80e0) returned 1 [0137.932] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x24ccca40, ftCreationTime.dwHighDateTime=0x1d5e60a, ftLastAccessTime.dwLowDateTime=0x83e0b9b0, ftLastAccessTime.dwHighDateTime=0x1d5e31c, ftLastWriteTime.dwLowDateTime=0x83e0b9b0, ftLastWriteTime.dwHighDateTime=0x1d5e31c, nFileSizeHigh=0x0, nFileSizeLow=0x12080, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="uZ_4j.png", cAlternateFileName="")) returned 1 [0137.932] lstrcmpiW (lpString1="uZ_4j.png", lpString2="Windows") returned -1 [0137.932] lstrcmpiW (lpString1="uZ_4j.png", lpString2="Program Files") returned 1 [0137.932] lstrcmpiW (lpString1="uZ_4j.png", lpString2="Program Files (x86)") returned 1 [0137.932] lstrcmpiW (lpString1="uZ_4j.png", lpString2="$Recycle.bin") returned 1 [0137.932] lstrcmpiW (lpString1="uZ_4j.png", lpString2="System Volume Information") returned 1 [0137.932] lstrcmpiW (lpString1="uZ_4j.png", lpString2=".") returned 1 [0137.932] lstrcmpiW (lpString1="uZ_4j.png", lpString2="..") returned 1 [0137.932] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\uZ_4j.png") returned 62 [0137.932] lstrcmpW (lpString1="uZ_4j.png", lpString2="PUSSY.TXT") returned 1 [0137.932] PathFindExtensionW (pszPath="uZ_4j.png") returned=".png" [0137.932] lstrlenW (lpString=".png") returned 4 [0137.932] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0137.932] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\uZ_4j.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\uz_4j.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0137.933] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=73856) returned 1 [0137.933] GetProcessHeap () returned 0x4c0000 [0137.933] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0137.942] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="B6") returned 2 [0137.942] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="F1") returned 2 [0137.942] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="3D") returned 2 [0137.942] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="0B") returned 2 [0137.942] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="B5") returned 2 [0137.942] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="B0") returned 2 [0137.942] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="55") returned 2 [0137.942] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="B5") returned 2 [0137.942] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="7E") returned 2 [0137.942] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="F0") returned 2 [0137.942] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="C5") returned 2 [0137.942] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="F0") returned 2 [0137.942] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="27") returned 2 [0137.942] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="96") returned 2 [0137.942] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="F5") returned 2 [0137.942] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="09") returned 2 [0137.942] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="88") returned 2 [0137.942] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="BD") returned 2 [0137.942] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="70") returned 2 [0137.942] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="CD") returned 2 [0137.942] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="E2") returned 2 [0137.942] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="FB") returned 2 [0137.942] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="02") returned 2 [0137.942] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="60") returned 2 [0137.943] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="07") returned 2 [0137.943] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="59") returned 2 [0137.943] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="59") returned 2 [0137.943] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="66") returned 2 [0137.943] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="9B") returned 2 [0137.943] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="62") returned 2 [0137.943] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="AA") returned 2 [0137.943] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="59") returned 2 [0137.951] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\uZ_4j.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\uZ_4j.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\uZ_4j.png" [0137.951] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\uZ_4j.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\uZ_4j.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\uZ_4j.png" [0137.951] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\uZ_4j.png", lpString2=".B6F13D0BB5B055B57EF0C5F02796F50988BD70CDE2FB0260075959669B62AA59" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\uZ_4j.png.B6F13D0BB5B055B57EF0C5F02796F50988BD70CDE2FB0260075959669B62AA59") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\uZ_4j.png.B6F13D0BB5B055B57EF0C5F02796F50988BD70CDE2FB0260075959669B62AA59" [0137.951] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0137.951] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0137.951] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x57698070, ftCreationTime.dwHighDateTime=0x1d5e6c7, ftLastAccessTime.dwLowDateTime=0x23fe12a0, ftLastAccessTime.dwHighDateTime=0x1d5e749, ftLastWriteTime.dwLowDateTime=0x23fe12a0, ftLastWriteTime.dwHighDateTime=0x1d5e749, nFileSizeHigh=0x0, nFileSizeLow=0x18bc6, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="VvquaG3tma6oKBTooe59.jpg", cAlternateFileName="VVQUAG~1.JPG")) returned 1 [0137.951] lstrcmpiW (lpString1="VvquaG3tma6oKBTooe59.jpg", lpString2="Windows") returned -1 [0137.951] lstrcmpiW (lpString1="VvquaG3tma6oKBTooe59.jpg", lpString2="Program Files") returned 1 [0137.951] lstrcmpiW (lpString1="VvquaG3tma6oKBTooe59.jpg", lpString2="Program Files (x86)") returned 1 [0137.952] lstrcmpiW (lpString1="VvquaG3tma6oKBTooe59.jpg", lpString2="$Recycle.bin") returned 1 [0137.952] lstrcmpiW (lpString1="VvquaG3tma6oKBTooe59.jpg", lpString2="System Volume Information") returned 1 [0137.952] lstrcmpiW (lpString1="VvquaG3tma6oKBTooe59.jpg", lpString2=".") returned 1 [0137.952] lstrcmpiW (lpString1="VvquaG3tma6oKBTooe59.jpg", lpString2="..") returned 1 [0137.952] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\VvquaG3tma6oKBTooe59.jpg") returned 77 [0137.952] lstrcmpW (lpString1="VvquaG3tma6oKBTooe59.jpg", lpString2="PUSSY.TXT") returned 1 [0137.952] PathFindExtensionW (pszPath="VvquaG3tma6oKBTooe59.jpg") returned=".jpg" [0137.952] lstrlenW (lpString=".jpg") returned 4 [0137.952] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0137.952] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\VvquaG3tma6oKBTooe59.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\vvquag3tma6okbtooe59.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0137.953] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=101318) returned 1 [0137.953] GetProcessHeap () returned 0x4c0000 [0137.953] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x53caf0 [0137.967] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="C5") returned 2 [0137.967] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="50") returned 2 [0137.967] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="36") returned 2 [0137.967] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="52") returned 2 [0137.967] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="BB") returned 2 [0137.967] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="F6") returned 2 [0137.967] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="82") returned 2 [0137.967] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="91") returned 2 [0137.967] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="8F") returned 2 [0137.967] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="D6") returned 2 [0137.967] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="97") returned 2 [0137.967] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="E9") returned 2 [0137.968] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="9B") returned 2 [0137.968] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="A4") returned 2 [0137.968] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="8F") returned 2 [0137.968] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="E4") returned 2 [0137.968] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="E5") returned 2 [0137.968] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="EF") returned 2 [0137.968] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="96") returned 2 [0137.968] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="1D") returned 2 [0137.968] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="CD") returned 2 [0137.968] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="A3") returned 2 [0137.968] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="32") returned 2 [0137.968] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="7D") returned 2 [0137.968] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="82") returned 2 [0137.968] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="99") returned 2 [0137.968] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="3E") returned 2 [0137.968] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="8F") returned 2 [0137.968] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="AF") returned 2 [0137.968] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="84") returned 2 [0137.968] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="F3") returned 2 [0137.968] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="30") returned 2 [0137.976] lstrcpyW (in: lpString1=0x54cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\VvquaG3tma6oKBTooe59.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\VvquaG3tma6oKBTooe59.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\VvquaG3tma6oKBTooe59.jpg" [0137.976] lstrcpyW (in: lpString1=0x53cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\VvquaG3tma6oKBTooe59.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\VvquaG3tma6oKBTooe59.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\VvquaG3tma6oKBTooe59.jpg" [0137.976] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\VvquaG3tma6oKBTooe59.jpg", lpString2=".C5503652BBF682918FD697E99BA48FE4E5EF961DCDA3327D82993E8FAF84F330" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\VvquaG3tma6oKBTooe59.jpg.C5503652BBF682918FD697E99BA48FE4E5EF961DCDA3327D82993E8FAF84F330") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\VvquaG3tma6oKBTooe59.jpg.C5503652BBF682918FD697E99BA48FE4E5EF961DCDA3327D82993E8FAF84F330" [0137.976] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x53caf0, NumberOfConcurrentThreads=0x0) returned 0x94 [0137.977] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x53caf0, lpOverlapped=0x53caf0) returned 1 [0138.009] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb5350c10, ftCreationTime.dwHighDateTime=0x1d5e7e4, ftLastAccessTime.dwLowDateTime=0x41a7cbe0, ftLastAccessTime.dwHighDateTime=0x1d5dc39, ftLastWriteTime.dwLowDateTime=0x41a7cbe0, ftLastWriteTime.dwHighDateTime=0x1d5dc39, nFileSizeHigh=0x0, nFileSizeLow=0x17f48, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="VZEltb-s.swf", cAlternateFileName="")) returned 1 [0138.009] lstrcmpiW (lpString1="VZEltb-s.swf", lpString2="Windows") returned -1 [0138.009] lstrcmpiW (lpString1="VZEltb-s.swf", lpString2="Program Files") returned 1 [0138.009] lstrcmpiW (lpString1="VZEltb-s.swf", lpString2="Program Files (x86)") returned 1 [0138.009] lstrcmpiW (lpString1="VZEltb-s.swf", lpString2="$Recycle.bin") returned 1 [0138.009] lstrcmpiW (lpString1="VZEltb-s.swf", lpString2="System Volume Information") returned 1 [0138.009] lstrcmpiW (lpString1="VZEltb-s.swf", lpString2=".") returned 1 [0138.009] lstrcmpiW (lpString1="VZEltb-s.swf", lpString2="..") returned 1 [0138.009] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\VZEltb-s.swf") returned 65 [0138.009] lstrcmpW (lpString1="VZEltb-s.swf", lpString2="PUSSY.TXT") returned 1 [0138.009] PathFindExtensionW (pszPath="VZEltb-s.swf") returned=".swf" [0138.009] lstrlenW (lpString=".swf") returned 4 [0138.009] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0138.009] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\VZEltb-s.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\vzeltb-s.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0138.010] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=98120) returned 1 [0138.010] GetProcessHeap () returned 0x4c0000 [0138.010] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc80e0 [0138.022] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="C1") returned 2 [0138.022] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="BD") returned 2 [0138.022] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="07") returned 2 [0138.022] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="4E") returned 2 [0138.022] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="87") returned 2 [0138.022] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="5F") returned 2 [0138.022] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="8C") returned 2 [0138.022] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="59") returned 2 [0138.022] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="70") returned 2 [0138.023] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="22") returned 2 [0138.023] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="C5") returned 2 [0138.023] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="81") returned 2 [0138.023] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="EB") returned 2 [0138.023] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="5E") returned 2 [0138.023] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="57") returned 2 [0138.023] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="FB") returned 2 [0138.023] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="01") returned 2 [0138.023] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="E6") returned 2 [0138.023] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="02") returned 2 [0138.023] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="A8") returned 2 [0138.023] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="58") returned 2 [0138.023] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="7B") returned 2 [0138.023] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="8A") returned 2 [0138.023] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="DD") returned 2 [0138.023] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="20") returned 2 [0138.023] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="77") returned 2 [0138.023] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="F9") returned 2 [0138.023] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="ED") returned 2 [0138.023] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="95") returned 2 [0138.023] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="E9") returned 2 [0138.023] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="6C") returned 2 [0138.023] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="4C") returned 2 [0138.032] lstrcpyW (in: lpString1=0x3bd8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\VZEltb-s.swf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\VZEltb-s.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\VZEltb-s.swf" [0138.032] lstrcpyW (in: lpString1=0x3bc8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\VZEltb-s.swf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\VZEltb-s.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\VZEltb-s.swf" [0138.032] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\VZEltb-s.swf", lpString2=".C1BD074E875F8C597022C581EB5E57FB01E602A8587B8ADD2077F9ED95E96C4C" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\VZEltb-s.swf.C1BD074E875F8C597022C581EB5E57FB01E602A8587B8ADD2077F9ED95E96C4C") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\VZEltb-s.swf.C1BD074E875F8C597022C581EB5E57FB01E602A8587B8ADD2077F9ED95E96C4C" [0138.032] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x3bc80e0, NumberOfConcurrentThreads=0x0) returned 0x94 [0138.033] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc80e0, lpOverlapped=0x3bc80e0) returned 1 [0138.033] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb51728d0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xb51728d0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xb51728d0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="WPDNSE", cAlternateFileName="")) returned 1 [0138.033] lstrcmpiW (lpString1="WPDNSE", lpString2="Windows") returned 1 [0138.033] lstrcmpiW (lpString1="WPDNSE", lpString2="Program Files") returned 1 [0138.033] lstrcmpiW (lpString1="WPDNSE", lpString2="Program Files (x86)") returned 1 [0138.033] lstrcmpiW (lpString1="WPDNSE", lpString2="$Recycle.bin") returned 1 [0138.033] lstrcmpiW (lpString1="WPDNSE", lpString2="System Volume Information") returned 1 [0138.033] lstrcmpiW (lpString1="WPDNSE", lpString2=".") returned 1 [0138.033] lstrcmpiW (lpString1="WPDNSE", lpString2="..") returned 1 [0138.033] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\WPDNSE") returned 59 [0138.033] GetProcessHeap () returned 0x4c0000 [0138.033] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0138.034] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\WPDNSE" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\WPDNSE") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\WPDNSE" [0138.034] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\WPDNSE", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\WPDNSE\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\WPDNSE\\*" [0138.034] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\WPDNSE\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb51728d0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xb51728d0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xb51728d0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28c550, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0138.034] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0138.035] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0138.035] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0138.035] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0138.035] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0138.035] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0138.035] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb51728d0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xb51728d0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xb51728d0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28c550, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0138.035] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0138.035] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0138.035] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0138.035] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0138.035] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0138.035] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0138.035] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0138.035] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb51728d0, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0xb51728d0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xb51728d0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28c550, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 0 [0138.035] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0138.035] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\WPDNSE\\PUSSY.TXT") returned 69 [0138.035] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\WPDNSE\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\wpdnse\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x124 [0138.036] lstrlenA (lpString="abcd") returned 4 [0138.036] WriteFile (in: hFile=0x124, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0138.037] CloseHandle (hObject=0x124) returned 1 [0138.037] GetProcessHeap () returned 0x4c0000 [0138.037] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0138.040] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xec70f850, ftCreationTime.dwHighDateTime=0x1d5db79, ftLastAccessTime.dwLowDateTime=0x54a4b640, ftLastAccessTime.dwHighDateTime=0x1d5e7e7, ftLastWriteTime.dwLowDateTime=0x54a4b640, ftLastWriteTime.dwHighDateTime=0x1d5e7e7, nFileSizeHigh=0x0, nFileSizeLow=0x12d36, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="x-2HH2TCzLZoBz.xlsx", cAlternateFileName="X-2HH2~1.XLS")) returned 1 [0138.040] lstrcmpiW (lpString1="x-2HH2TCzLZoBz.xlsx", lpString2="Windows") returned 1 [0138.040] lstrcmpiW (lpString1="x-2HH2TCzLZoBz.xlsx", lpString2="Program Files") returned 1 [0138.040] lstrcmpiW (lpString1="x-2HH2TCzLZoBz.xlsx", lpString2="Program Files (x86)") returned 1 [0138.040] lstrcmpiW (lpString1="x-2HH2TCzLZoBz.xlsx", lpString2="$Recycle.bin") returned 1 [0138.040] lstrcmpiW (lpString1="x-2HH2TCzLZoBz.xlsx", lpString2="System Volume Information") returned 1 [0138.040] lstrcmpiW (lpString1="x-2HH2TCzLZoBz.xlsx", lpString2=".") returned 1 [0138.040] lstrcmpiW (lpString1="x-2HH2TCzLZoBz.xlsx", lpString2="..") returned 1 [0138.040] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\x-2HH2TCzLZoBz.xlsx") returned 72 [0138.041] lstrcmpW (lpString1="x-2HH2TCzLZoBz.xlsx", lpString2="PUSSY.TXT") returned 1 [0138.041] PathFindExtensionW (pszPath="x-2HH2TCzLZoBz.xlsx") returned=".xlsx" [0138.041] lstrlenW (lpString=".xlsx") returned 5 [0138.041] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0138.041] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\x-2HH2TCzLZoBz.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\x-2hh2tczlzobz.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0138.109] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=77110) returned 1 [0138.109] GetProcessHeap () returned 0x4c0000 [0138.109] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc80e0 [0138.118] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="CE") returned 2 [0138.118] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="F2") returned 2 [0138.118] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="54") returned 2 [0138.118] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="A3") returned 2 [0138.118] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="99") returned 2 [0138.118] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="B3") returned 2 [0138.118] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="9B") returned 2 [0138.118] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="9B") returned 2 [0138.118] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="43") returned 2 [0138.118] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="FB") returned 2 [0138.118] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="CE") returned 2 [0138.118] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="00") returned 2 [0138.118] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="B3") returned 2 [0138.118] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="87") returned 2 [0138.118] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="B8") returned 2 [0138.118] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="45") returned 2 [0138.118] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="CC") returned 2 [0138.118] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="4A") returned 2 [0138.118] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="0A") returned 2 [0138.118] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="E7") returned 2 [0138.118] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="D8") returned 2 [0138.118] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="DF") returned 2 [0138.118] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="8B") returned 2 [0138.119] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="47") returned 2 [0138.119] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="0D") returned 2 [0138.119] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="53") returned 2 [0138.119] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="97") returned 2 [0138.119] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="4A") returned 2 [0138.119] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="13") returned 2 [0138.119] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="CD") returned 2 [0138.119] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="C0") returned 2 [0138.119] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="09") returned 2 [0138.128] lstrcpyW (in: lpString1=0x3bd8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\x-2HH2TCzLZoBz.xlsx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\x-2HH2TCzLZoBz.xlsx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\x-2HH2TCzLZoBz.xlsx" [0138.128] lstrcpyW (in: lpString1=0x3bc8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\x-2HH2TCzLZoBz.xlsx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\x-2HH2TCzLZoBz.xlsx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\x-2HH2TCzLZoBz.xlsx" [0138.128] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\x-2HH2TCzLZoBz.xlsx", lpString2=".CEF254A399B39B9B43FBCE00B387B845CC4A0AE7D8DF8B470D53974A13CDC009" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\x-2HH2TCzLZoBz.xlsx.CEF254A399B39B9B43FBCE00B387B845CC4A0AE7D8DF8B470D53974A13CDC009") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\x-2HH2TCzLZoBz.xlsx.CEF254A399B39B9B43FBCE00B387B845CC4A0AE7D8DF8B470D53974A13CDC009" [0138.128] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x3bc80e0, NumberOfConcurrentThreads=0x0) returned 0x94 [0138.128] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc80e0, lpOverlapped=0x3bc80e0) returned 1 [0138.128] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf7057a80, ftCreationTime.dwHighDateTime=0x1d5e447, ftLastAccessTime.dwLowDateTime=0x25307810, ftLastAccessTime.dwHighDateTime=0x1d5e59c, ftLastWriteTime.dwLowDateTime=0x25307810, ftLastWriteTime.dwHighDateTime=0x1d5e59c, nFileSizeHigh=0x0, nFileSizeLow=0x13798, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Yj aZkP.swf", cAlternateFileName="YJAZKP~1.SWF")) returned 1 [0138.128] lstrcmpiW (lpString1="Yj aZkP.swf", lpString2="Windows") returned 1 [0138.128] lstrcmpiW (lpString1="Yj aZkP.swf", lpString2="Program Files") returned 1 [0138.128] lstrcmpiW (lpString1="Yj aZkP.swf", lpString2="Program Files (x86)") returned 1 [0138.128] lstrcmpiW (lpString1="Yj aZkP.swf", lpString2="$Recycle.bin") returned 1 [0138.128] lstrcmpiW (lpString1="Yj aZkP.swf", lpString2="System Volume Information") returned 1 [0138.128] lstrcmpiW (lpString1="Yj aZkP.swf", lpString2=".") returned 1 [0138.128] lstrcmpiW (lpString1="Yj aZkP.swf", lpString2="..") returned 1 [0138.128] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Yj aZkP.swf") returned 64 [0138.128] lstrcmpW (lpString1="Yj aZkP.swf", lpString2="PUSSY.TXT") returned 1 [0138.128] PathFindExtensionW (pszPath="Yj aZkP.swf") returned=".swf" [0138.128] lstrlenW (lpString=".swf") returned 4 [0138.128] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0138.128] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Yj aZkP.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\yj azkp.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0138.129] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=79768) returned 1 [0138.130] GetProcessHeap () returned 0x4c0000 [0138.130] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0138.139] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="35") returned 2 [0138.139] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="18") returned 2 [0138.139] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="BA") returned 2 [0138.139] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="0D") returned 2 [0138.139] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="18") returned 2 [0138.139] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="F1") returned 2 [0138.139] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="FD") returned 2 [0138.139] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="B0") returned 2 [0138.139] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="1A") returned 2 [0138.139] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="11") returned 2 [0138.139] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="80") returned 2 [0138.139] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="1B") returned 2 [0138.139] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="AC") returned 2 [0138.140] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="04") returned 2 [0138.140] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="32") returned 2 [0138.140] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="91") returned 2 [0138.140] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="A6") returned 2 [0138.140] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="6B") returned 2 [0138.140] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="36") returned 2 [0138.140] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="6C") returned 2 [0138.140] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="6A") returned 2 [0138.140] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="C0") returned 2 [0138.140] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="B0") returned 2 [0138.140] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="07") returned 2 [0138.140] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="A9") returned 2 [0138.140] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="81") returned 2 [0138.140] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="8B") returned 2 [0138.140] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="5F") returned 2 [0138.140] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="DC") returned 2 [0138.140] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="C3") returned 2 [0138.140] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="D3") returned 2 [0138.140] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="51") returned 2 [0138.149] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Yj aZkP.swf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Yj aZkP.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Yj aZkP.swf" [0138.149] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Yj aZkP.swf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Yj aZkP.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Yj aZkP.swf" [0138.149] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Yj aZkP.swf", lpString2=".3518BA0D18F1FDB01A11801BAC043291A66B366C6AC0B007A9818B5FDCC3D351" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Yj aZkP.swf.3518BA0D18F1FDB01A11801BAC043291A66B366C6AC0B007A9818B5FDCC3D351") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Yj aZkP.swf.3518BA0D18F1FDB01A11801BAC043291A66B366C6AC0B007A9818B5FDCC3D351" [0138.149] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0138.149] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0138.149] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe7c24a00, ftCreationTime.dwHighDateTime=0x1d5e611, ftLastAccessTime.dwLowDateTime=0xc802c680, ftLastAccessTime.dwHighDateTime=0x1d5e815, ftLastWriteTime.dwLowDateTime=0xc802c680, ftLastWriteTime.dwHighDateTime=0x1d5e815, nFileSizeHigh=0x0, nFileSizeLow=0x5c49, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="_22-5iIE.odt", cAlternateFileName="")) returned 1 [0138.149] lstrcmpiW (lpString1="_22-5iIE.odt", lpString2="Windows") returned -1 [0138.149] lstrcmpiW (lpString1="_22-5iIE.odt", lpString2="Program Files") returned -1 [0138.149] lstrcmpiW (lpString1="_22-5iIE.odt", lpString2="Program Files (x86)") returned -1 [0138.149] lstrcmpiW (lpString1="_22-5iIE.odt", lpString2="$Recycle.bin") returned 1 [0138.149] lstrcmpiW (lpString1="_22-5iIE.odt", lpString2="System Volume Information") returned -1 [0138.149] lstrcmpiW (lpString1="_22-5iIE.odt", lpString2=".") returned 1 [0138.149] lstrcmpiW (lpString1="_22-5iIE.odt", lpString2="..") returned 1 [0138.149] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_22-5iIE.odt") returned 65 [0138.149] lstrcmpW (lpString1="_22-5iIE.odt", lpString2="PUSSY.TXT") returned -1 [0138.149] PathFindExtensionW (pszPath="_22-5iIE.odt") returned=".odt" [0138.149] lstrlenW (lpString=".odt") returned 4 [0138.149] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0138.149] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_22-5iIE.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\_22-5iie.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x124 [0138.151] GetFileSizeEx (in: hFile=0x124, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=23625) returned 1 [0138.151] GetProcessHeap () returned 0x4c0000 [0138.151] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x53caf0 [0138.162] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="D2") returned 2 [0138.162] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="F0") returned 2 [0138.162] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="F1") returned 2 [0138.162] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="0A") returned 2 [0138.162] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="8C") returned 2 [0138.162] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="5E") returned 2 [0138.162] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="F6") returned 2 [0138.162] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="73") returned 2 [0138.162] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="5F") returned 2 [0138.162] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="EB") returned 2 [0138.162] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="CD") returned 2 [0138.162] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="A3") returned 2 [0138.162] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="6C") returned 2 [0138.162] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="B5") returned 2 [0138.162] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="9A") returned 2 [0138.162] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="9C") returned 2 [0138.163] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="3F") returned 2 [0138.163] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="05") returned 2 [0138.163] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="81") returned 2 [0138.163] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="8D") returned 2 [0138.163] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="80") returned 2 [0138.163] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="2A") returned 2 [0138.163] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="8F") returned 2 [0138.163] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="8F") returned 2 [0138.163] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="86") returned 2 [0138.163] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="F8") returned 2 [0138.163] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="9B") returned 2 [0138.163] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="3A") returned 2 [0138.163] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="D8") returned 2 [0138.163] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="52") returned 2 [0138.163] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="1D") returned 2 [0138.163] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="1E") returned 2 [0138.171] lstrcpyW (in: lpString1=0x54cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_22-5iIE.odt" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_22-5iIE.odt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_22-5iIE.odt" [0138.171] lstrcpyW (in: lpString1=0x53cb24, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_22-5iIE.odt" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_22-5iIE.odt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_22-5iIE.odt" [0138.171] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_22-5iIE.odt", lpString2=".D2F0F10A8C5EF6735FEBCDA36CB59A9C3F05818D802A8F8F86F89B3AD8521D1E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_22-5iIE.odt.D2F0F10A8C5EF6735FEBCDA36CB59A9C3F05818D802A8F8F86F89B3AD8521D1E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_22-5iIE.odt.D2F0F10A8C5EF6735FEBCDA36CB59A9C3F05818D802A8F8F86F89B3AD8521D1E" [0138.171] CreateIoCompletionPort (FileHandle=0x124, ExistingCompletionPort=0x94, CompletionKey=0x53caf0, NumberOfConcurrentThreads=0x0) returned 0x94 [0138.171] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x53caf0, lpOverlapped=0x53caf0) returned 1 [0138.172] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7396c650, ftCreationTime.dwHighDateTime=0x1d5e801, ftLastAccessTime.dwLowDateTime=0x50721f50, ftLastAccessTime.dwHighDateTime=0x1d5df03, ftLastWriteTime.dwLowDateTime=0x50721f50, ftLastWriteTime.dwHighDateTime=0x1d5df03, nFileSizeHigh=0x0, nFileSizeLow=0x4158, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="_ZUebtG4ZM1wHCYX.mp3", cAlternateFileName="_ZUEBT~1.MP3")) returned 1 [0138.172] lstrcmpiW (lpString1="_ZUebtG4ZM1wHCYX.mp3", lpString2="Windows") returned -1 [0138.172] lstrcmpiW (lpString1="_ZUebtG4ZM1wHCYX.mp3", lpString2="Program Files") returned -1 [0138.172] lstrcmpiW (lpString1="_ZUebtG4ZM1wHCYX.mp3", lpString2="Program Files (x86)") returned -1 [0138.172] lstrcmpiW (lpString1="_ZUebtG4ZM1wHCYX.mp3", lpString2="$Recycle.bin") returned 1 [0138.172] lstrcmpiW (lpString1="_ZUebtG4ZM1wHCYX.mp3", lpString2="System Volume Information") returned -1 [0138.172] lstrcmpiW (lpString1="_ZUebtG4ZM1wHCYX.mp3", lpString2=".") returned 1 [0138.172] lstrcmpiW (lpString1="_ZUebtG4ZM1wHCYX.mp3", lpString2="..") returned 1 [0138.172] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_ZUebtG4ZM1wHCYX.mp3") returned 73 [0138.172] lstrcmpW (lpString1="_ZUebtG4ZM1wHCYX.mp3", lpString2="PUSSY.TXT") returned -1 [0138.172] PathFindExtensionW (pszPath="_ZUebtG4ZM1wHCYX.mp3") returned=".mp3" [0138.172] lstrlenW (lpString=".mp3") returned 4 [0138.172] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0138.172] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_ZUebtG4ZM1wHCYX.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\_zuebtg4zm1whcyx.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0138.173] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=16728) returned 1 [0138.173] GetProcessHeap () returned 0x4c0000 [0138.173] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x564b40 [0138.183] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="41") returned 2 [0138.183] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="8E") returned 2 [0138.183] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="B3") returned 2 [0138.183] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="A3") returned 2 [0138.183] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="52") returned 2 [0138.184] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="AE") returned 2 [0138.184] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="51") returned 2 [0138.184] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="72") returned 2 [0138.184] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="C0") returned 2 [0138.184] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="B7") returned 2 [0138.184] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="1B") returned 2 [0138.184] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="D8") returned 2 [0138.184] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="95") returned 2 [0138.184] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="92") returned 2 [0138.184] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="6C") returned 2 [0138.184] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="23") returned 2 [0138.184] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="6F") returned 2 [0138.184] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="1E") returned 2 [0138.184] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="4D") returned 2 [0138.184] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="EA") returned 2 [0138.184] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="7B") returned 2 [0138.184] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="35") returned 2 [0138.184] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="25") returned 2 [0138.184] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="E8") returned 2 [0138.184] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="5D") returned 2 [0138.184] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="EB") returned 2 [0138.184] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="0C") returned 2 [0138.184] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="6C") returned 2 [0138.184] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="C3") returned 2 [0138.184] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="F1") returned 2 [0138.184] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="6D") returned 2 [0138.184] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="2D") returned 2 [0138.193] lstrcpyW (in: lpString1=0x574b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_ZUebtG4ZM1wHCYX.mp3" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_ZUebtG4ZM1wHCYX.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_ZUebtG4ZM1wHCYX.mp3" [0138.193] lstrcpyW (in: lpString1=0x564b74, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_ZUebtG4ZM1wHCYX.mp3" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_ZUebtG4ZM1wHCYX.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_ZUebtG4ZM1wHCYX.mp3" [0138.193] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_ZUebtG4ZM1wHCYX.mp3", lpString2=".418EB3A352AE5172C0B71BD895926C236F1E4DEA7B3525E85DEB0C6CC3F16D2D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_ZUebtG4ZM1wHCYX.mp3.418EB3A352AE5172C0B71BD895926C236F1E4DEA7B3525E85DEB0C6CC3F16D2D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_ZUebtG4ZM1wHCYX.mp3.418EB3A352AE5172C0B71BD895926C236F1E4DEA7B3525E85DEB0C6CC3F16D2D" [0138.193] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x94, CompletionKey=0x564b40, NumberOfConcurrentThreads=0x0) returned 0x94 [0138.193] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x564b40, lpOverlapped=0x564b40) returned 1 [0138.213] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7396c650, ftCreationTime.dwHighDateTime=0x1d5e801, ftLastAccessTime.dwLowDateTime=0x50721f50, ftLastAccessTime.dwHighDateTime=0x1d5df03, ftLastWriteTime.dwLowDateTime=0x50721f50, ftLastWriteTime.dwHighDateTime=0x1d5df03, nFileSizeHigh=0x0, nFileSizeLow=0x4158, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="_ZUebtG4ZM1wHCYX.mp3", cAlternateFileName="_ZUEBT~1.MP3")) returned 0 [0138.213] FindClose (in: hFindFile=0x3bb7020 | out: hFindFile=0x3bb7020) returned 1 [0138.213] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\PUSSY.TXT") returned 62 [0138.213] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0138.215] lstrlenA (lpString="abcd") returned 4 [0138.215] WriteFile (in: hFile=0x180, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0138.216] CloseHandle (hObject=0x180) returned 1 [0138.216] GetProcessHeap () returned 0x4c0000 [0138.216] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0138.217] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29175f80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29175f80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29175f80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="Temporary Internet Files", cAlternateFileName="TEMPOR~1")) returned 1 [0138.217] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="Windows") returned -1 [0138.217] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="Program Files") returned 1 [0138.217] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="Program Files (x86)") returned 1 [0138.217] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="$Recycle.bin") returned 1 [0138.217] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="System Volume Information") returned 1 [0138.218] lstrcmpiW (lpString1="Temporary Internet Files", lpString2=".") returned 1 [0138.218] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="..") returned 1 [0138.218] wnsprintfW (in: pszDest=0x52bae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temporary Internet Files") returned 72 [0138.218] GetProcessHeap () returned 0x4c0000 [0138.218] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0138.218] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temporary Internet Files" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temporary Internet Files") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temporary Internet Files" [0138.218] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temporary Internet Files", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temporary Internet Files\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temporary Internet Files\\*" [0138.218] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temporary Internet Files\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7396c650, ftCreationTime.dwHighDateTime=0x1d5e801, ftLastAccessTime.dwLowDateTime=0x50721f50, ftLastAccessTime.dwHighDateTime=0x1d5df03, ftLastWriteTime.dwLowDateTime=0x50721f50, ftLastWriteTime.dwHighDateTime=0x1d5df03, nFileSizeHigh=0x0, nFileSizeLow=0x4158, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="_ZUebtG4ZM1wHCYX.mp3", cAlternateFileName="s")) returned 0xffffffff [0138.219] GetProcessHeap () returned 0x4c0000 [0138.219] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0138.219] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2ab32d60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2ab32d60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2ab32d60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="VirtualStore", cAlternateFileName="VIRTUA~1")) returned 1 [0138.219] lstrcmpiW (lpString1="VirtualStore", lpString2="Windows") returned -1 [0138.219] lstrcmpiW (lpString1="VirtualStore", lpString2="Program Files") returned 1 [0138.219] lstrcmpiW (lpString1="VirtualStore", lpString2="Program Files (x86)") returned 1 [0138.219] lstrcmpiW (lpString1="VirtualStore", lpString2="$Recycle.bin") returned 1 [0138.219] lstrcmpiW (lpString1="VirtualStore", lpString2="System Volume Information") returned 1 [0138.219] lstrcmpiW (lpString1="VirtualStore", lpString2=".") returned 1 [0138.219] lstrcmpiW (lpString1="VirtualStore", lpString2="..") returned 1 [0138.219] wnsprintfW (in: pszDest=0x52bae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\VirtualStore") returned 60 [0138.219] GetProcessHeap () returned 0x4c0000 [0138.219] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0138.219] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\VirtualStore" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\VirtualStore") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\VirtualStore" [0138.219] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\VirtualStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\VirtualStore\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\VirtualStore\\*" [0138.219] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\VirtualStore\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2ab32d60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2ab32d60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2ab32d60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7020 [0138.219] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0138.219] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0138.219] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0138.220] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0138.220] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0138.220] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0138.220] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2ab32d60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2ab32d60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2ab32d60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0138.220] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0138.220] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0138.220] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0138.220] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0138.220] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0138.220] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0138.220] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0138.220] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2ab32d60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2ab32d60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2ab32d60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 0 [0138.220] FindClose (in: hFindFile=0x3bb7020 | out: hFindFile=0x3bb7020) returned 1 [0138.220] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\VirtualStore\\PUSSY.TXT") returned 70 [0138.220] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\VirtualStore\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\virtualstore\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0138.221] lstrlenA (lpString="abcd") returned 4 [0138.221] WriteFile (in: hFile=0x180, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0138.222] CloseHandle (hObject=0x180) returned 1 [0138.222] GetProcessHeap () returned 0x4c0000 [0138.222] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0138.222] FindNextFileW (in: hFindFile=0x4e2920, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2ab32d60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2ab32d60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2ab32d60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="VirtualStore", cAlternateFileName="VIRTUA~1")) returned 0 [0138.222] FindClose (in: hFindFile=0x4e2920 | out: hFindFile=0x4e2920) returned 1 [0138.222] wnsprintfW (in: pszDest=0x52bae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\PUSSY.TXT") returned 57 [0138.222] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0138.222] lstrlenA (lpString="abcd") returned 4 [0138.223] WriteFile (in: hFile=0x19c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0138.223] CloseHandle (hObject=0x19c) returned 1 [0138.223] GetProcessHeap () returned 0x4c0000 [0138.224] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0138.224] FindNextFileW (in: hFindFile=0x4ddc08, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x68cb4a40, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x68cb4a40, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="LocalLow", cAlternateFileName="")) returned 1 [0138.224] lstrcmpiW (lpString1="LocalLow", lpString2="Windows") returned -1 [0138.224] lstrcmpiW (lpString1="LocalLow", lpString2="Program Files") returned -1 [0138.224] lstrcmpiW (lpString1="LocalLow", lpString2="Program Files (x86)") returned -1 [0138.224] lstrcmpiW (lpString1="LocalLow", lpString2="$Recycle.bin") returned 1 [0138.224] lstrcmpiW (lpString1="LocalLow", lpString2="System Volume Information") returned -1 [0138.224] lstrcmpiW (lpString1="LocalLow", lpString2=".") returned 1 [0138.224] lstrcmpiW (lpString1="LocalLow", lpString2="..") returned 1 [0138.224] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned 50 [0138.224] GetProcessHeap () returned 0x4c0000 [0138.224] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0138.224] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow" [0138.224] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\*" [0138.224] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x68cb4a40, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x68cb4a40, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7020 [0138.224] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0138.224] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0138.224] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0138.224] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0138.224] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0138.224] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0138.224] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x68cb4a40, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x68cb4a40, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0138.224] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0138.224] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0138.224] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0138.224] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0138.225] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0138.225] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0138.225] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0138.225] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd6e27e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="Adobe", cAlternateFileName="")) returned 1 [0138.225] lstrcmpiW (lpString1="Adobe", lpString2="Windows") returned -1 [0138.225] lstrcmpiW (lpString1="Adobe", lpString2="Program Files") returned -1 [0138.225] lstrcmpiW (lpString1="Adobe", lpString2="Program Files (x86)") returned -1 [0138.225] lstrcmpiW (lpString1="Adobe", lpString2="$Recycle.bin") returned 1 [0138.225] lstrcmpiW (lpString1="Adobe", lpString2="System Volume Information") returned -1 [0138.225] lstrcmpiW (lpString1="Adobe", lpString2=".") returned 1 [0138.225] lstrcmpiW (lpString1="Adobe", lpString2="..") returned 1 [0138.225] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe") returned 56 [0138.225] GetProcessHeap () returned 0x4c0000 [0138.225] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x52bae0 [0138.225] lstrcpyW (in: lpString1=0x52bae0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe" [0138.225] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\*" [0138.225] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd6e27e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0138.318] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0138.318] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0138.318] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0138.318] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0138.318] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0138.318] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0138.318] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd6e27e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0138.318] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0138.318] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0138.319] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0138.319] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0138.319] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0138.319] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0138.319] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0138.319] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd6e27e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd6e27e0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd6e27e0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Acrobat", cAlternateFileName="")) returned 1 [0138.319] lstrcmpiW (lpString1="Acrobat", lpString2="Windows") returned -1 [0138.319] lstrcmpiW (lpString1="Acrobat", lpString2="Program Files") returned -1 [0138.319] lstrcmpiW (lpString1="Acrobat", lpString2="Program Files (x86)") returned -1 [0138.319] lstrcmpiW (lpString1="Acrobat", lpString2="$Recycle.bin") returned 1 [0138.319] lstrcmpiW (lpString1="Acrobat", lpString2="System Volume Information") returned -1 [0138.319] lstrcmpiW (lpString1="Acrobat", lpString2=".") returned 1 [0138.319] lstrcmpiW (lpString1="Acrobat", lpString2="..") returned 1 [0138.319] wnsprintfW (in: pszDest=0x52bae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat") returned 64 [0138.319] GetProcessHeap () returned 0x4c0000 [0138.319] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0138.320] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat" [0138.320] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\*" [0138.320] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd6e27e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd6e27e0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd6e27e0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0138.320] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0138.320] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0138.320] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0138.320] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0138.320] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0138.320] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0138.320] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd6e27e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd6e27e0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd6e27e0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0138.320] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0138.320] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0138.320] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0138.320] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0138.320] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0138.320] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0138.321] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0138.321] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd6e27e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe5b04330, ftLastAccessTime.dwHighDateTime=0x1d35d05, ftLastWriteTime.dwLowDateTime=0xe5b04330, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0x77c61b06, cFileName="10.0", cAlternateFileName="")) returned 1 [0138.321] lstrcmpiW (lpString1="10.0", lpString2="Windows") returned -1 [0138.321] lstrcmpiW (lpString1="10.0", lpString2="Program Files") returned -1 [0138.321] lstrcmpiW (lpString1="10.0", lpString2="Program Files (x86)") returned -1 [0138.321] lstrcmpiW (lpString1="10.0", lpString2="$Recycle.bin") returned 1 [0138.321] lstrcmpiW (lpString1="10.0", lpString2="System Volume Information") returned -1 [0138.321] lstrcmpiW (lpString1="10.0", lpString2=".") returned 1 [0138.321] lstrcmpiW (lpString1="10.0", lpString2="..") returned 1 [0138.321] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0") returned 69 [0138.321] GetProcessHeap () returned 0x4c0000 [0138.321] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0138.321] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0" [0138.321] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\*" [0138.321] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd6e27e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe5b04330, ftLastAccessTime.dwHighDateTime=0x1d35d05, ftLastWriteTime.dwLowDateTime=0xe5b04330, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0138.323] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0138.323] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0138.323] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0138.323] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0138.324] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0138.324] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0138.324] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd6e27e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe5b04330, ftLastAccessTime.dwHighDateTime=0x1d35d05, ftLastWriteTime.dwLowDateTime=0xe5b04330, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0138.324] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0138.324] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0138.324] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0138.324] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0138.324] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0138.324] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0138.324] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0138.324] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd9b6a040, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd9b6a040, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xde963ca0, ftLastWriteTime.dwHighDateTime=0x1d2e625, nFileSizeHigh=0x0, nFileSizeLow=0xa5ff, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="rdrmessage.zip", cAlternateFileName="RDRMES~1.ZIP")) returned 1 [0138.324] lstrcmpiW (lpString1="rdrmessage.zip", lpString2="Windows") returned -1 [0138.324] lstrcmpiW (lpString1="rdrmessage.zip", lpString2="Program Files") returned 1 [0138.324] lstrcmpiW (lpString1="rdrmessage.zip", lpString2="Program Files (x86)") returned 1 [0138.324] lstrcmpiW (lpString1="rdrmessage.zip", lpString2="$Recycle.bin") returned 1 [0138.324] lstrcmpiW (lpString1="rdrmessage.zip", lpString2="System Volume Information") returned -1 [0138.324] lstrcmpiW (lpString1="rdrmessage.zip", lpString2=".") returned 1 [0138.324] lstrcmpiW (lpString1="rdrmessage.zip", lpString2="..") returned 1 [0138.324] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\rdrmessage.zip") returned 84 [0138.324] lstrcmpW (lpString1="rdrmessage.zip", lpString2="PUSSY.TXT") returned 1 [0138.324] PathFindExtensionW (pszPath="rdrmessage.zip") returned=".zip" [0138.324] lstrlenW (lpString=".zip") returned 4 [0138.324] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0138.325] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\rdrmessage.zip" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\acrobat\\10.0\\rdrmessage.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x180 [0138.326] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=42495) returned 1 [0138.326] GetProcessHeap () returned 0x4c0000 [0138.326] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0138.334] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="7F") returned 2 [0138.334] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="B2") returned 2 [0138.334] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="3E") returned 2 [0138.334] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="0B") returned 2 [0138.334] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="08") returned 2 [0138.334] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="07") returned 2 [0138.334] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="57") returned 2 [0138.334] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="7E") returned 2 [0138.334] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="47") returned 2 [0138.334] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="38") returned 2 [0138.334] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="79") returned 2 [0138.334] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="D5") returned 2 [0138.334] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="8B") returned 2 [0138.334] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="45") returned 2 [0138.334] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="D3") returned 2 [0138.335] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="97") returned 2 [0138.335] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="4F") returned 2 [0138.335] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="15") returned 2 [0138.335] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="02") returned 2 [0138.335] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="5D") returned 2 [0138.335] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="9E") returned 2 [0138.335] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="5F") returned 2 [0138.335] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="63") returned 2 [0138.335] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="B3") returned 2 [0138.335] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="69") returned 2 [0138.335] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="83") returned 2 [0138.335] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="67") returned 2 [0138.335] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="76") returned 2 [0138.335] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="C8") returned 2 [0138.335] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="6D") returned 2 [0138.335] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="C6") returned 2 [0138.335] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="56") returned 2 [0138.344] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\rdrmessage.zip" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\rdrmessage.zip") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\rdrmessage.zip" [0138.344] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\rdrmessage.zip" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\rdrmessage.zip") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\rdrmessage.zip" [0138.345] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\rdrmessage.zip", lpString2=".7FB23E0B0807577E473879D58B45D3974F15025D9E5F63B369836776C86DC656" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\rdrmessage.zip.7FB23E0B0807577E473879D58B45D3974F15025D9E5F63B369836776C86DC656") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\rdrmessage.zip.7FB23E0B0807577E473879D58B45D3974F15025D9E5F63B369836776C86DC656" [0138.345] CreateIoCompletionPort (FileHandle=0x180, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0138.345] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0138.345] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xce824760, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xce824760, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe5ab8070, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="ReaderMessages", cAlternateFileName="READER~1")) returned 1 [0138.345] lstrcmpiW (lpString1="ReaderMessages", lpString2="Windows") returned -1 [0138.345] lstrcmpiW (lpString1="ReaderMessages", lpString2="Program Files") returned 1 [0138.345] lstrcmpiW (lpString1="ReaderMessages", lpString2="Program Files (x86)") returned 1 [0138.345] lstrcmpiW (lpString1="ReaderMessages", lpString2="$Recycle.bin") returned 1 [0138.345] lstrcmpiW (lpString1="ReaderMessages", lpString2="System Volume Information") returned -1 [0138.345] lstrcmpiW (lpString1="ReaderMessages", lpString2=".") returned 1 [0138.345] lstrcmpiW (lpString1="ReaderMessages", lpString2="..") returned 1 [0138.345] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\ReaderMessages") returned 84 [0138.345] lstrcmpW (lpString1="ReaderMessages", lpString2="PUSSY.TXT") returned 1 [0138.345] PathFindExtensionW (pszPath="ReaderMessages") returned="" [0138.345] lstrlenW (lpString="") returned 0 [0138.345] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0138.345] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\ReaderMessages" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\acrobat\\10.0\\readermessages"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0138.346] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=8192) returned 1 [0138.346] GetProcessHeap () returned 0x4c0000 [0138.346] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc80e0 [0138.356] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="09") returned 2 [0138.356] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="73") returned 2 [0138.356] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="F5") returned 2 [0138.357] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="09") returned 2 [0138.357] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="A7") returned 2 [0138.357] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="37") returned 2 [0138.357] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="8E") returned 2 [0138.357] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="9F") returned 2 [0138.357] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="8E") returned 2 [0138.357] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="DF") returned 2 [0138.357] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="E9") returned 2 [0138.357] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="41") returned 2 [0138.357] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="8E") returned 2 [0138.357] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="F7") returned 2 [0138.357] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="C2") returned 2 [0138.357] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="C6") returned 2 [0138.357] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="1D") returned 2 [0138.357] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="00") returned 2 [0138.357] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="BD") returned 2 [0138.357] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="88") returned 2 [0138.357] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="C1") returned 2 [0138.357] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="09") returned 2 [0138.357] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="26") returned 2 [0138.357] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="ED") returned 2 [0138.357] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="48") returned 2 [0138.357] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="CA") returned 2 [0138.357] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="4E") returned 2 [0138.357] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="C9") returned 2 [0138.357] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="6A") returned 2 [0138.357] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="1E") returned 2 [0138.357] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="5B") returned 2 [0138.357] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="2D") returned 2 [0138.365] lstrcpyW (in: lpString1=0x3bd8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\ReaderMessages" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\ReaderMessages") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\ReaderMessages" [0138.365] lstrcpyW (in: lpString1=0x3bc8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\ReaderMessages" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\ReaderMessages") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\ReaderMessages" [0138.365] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\ReaderMessages", lpString2=".0973F509A7378E9F8EDFE9418EF7C2C61D00BD88C10926ED48CA4EC96A1E5B2D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\ReaderMessages.0973F509A7378E9F8EDFE9418EF7C2C61D00BD88C10926ED48CA4EC96A1E5B2D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\ReaderMessages.0973F509A7378E9F8EDFE9418EF7C2C61D00BD88C10926ED48CA4EC96A1E5B2D" [0138.366] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x94, CompletionKey=0x3bc80e0, NumberOfConcurrentThreads=0x0) returned 0x94 [0138.366] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc80e0, lpOverlapped=0x3bc80e0) returned 1 [0138.366] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8287550, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe8287550, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe8287550, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="Search", cAlternateFileName="")) returned 1 [0138.366] lstrcmpiW (lpString1="Search", lpString2="Windows") returned -1 [0138.366] lstrcmpiW (lpString1="Search", lpString2="Program Files") returned 1 [0138.366] lstrcmpiW (lpString1="Search", lpString2="Program Files (x86)") returned 1 [0138.366] lstrcmpiW (lpString1="Search", lpString2="$Recycle.bin") returned 1 [0138.366] lstrcmpiW (lpString1="Search", lpString2="System Volume Information") returned -1 [0138.366] lstrcmpiW (lpString1="Search", lpString2=".") returned 1 [0138.366] lstrcmpiW (lpString1="Search", lpString2="..") returned 1 [0138.366] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\Search") returned 76 [0138.366] GetProcessHeap () returned 0x4c0000 [0138.366] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x53bae8 [0138.366] lstrcpyW (in: lpString1=0x53bae8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\Search" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\Search") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\Search" [0138.366] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\Search", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\Search\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\Search\\*" [0138.366] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\Search\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8287550, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe8287550, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe8287550, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0138.368] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0138.368] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0138.368] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0138.368] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0138.368] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0138.368] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0138.369] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8287550, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe8287550, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe8287550, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0138.369] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0138.369] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0138.369] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0138.369] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0138.369] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0138.369] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0138.369] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0138.369] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8287550, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe8287550, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe8287550, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 0 [0138.369] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0138.369] wnsprintfW (in: pszDest=0x53bae8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\Search\\PUSSY.TXT") returned 86 [0138.369] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\Search\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\acrobat\\10.0\\search\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0138.411] lstrlenA (lpString="abcd") returned 4 [0138.411] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0138.411] CloseHandle (hObject=0x1d0) returned 1 [0138.411] GetProcessHeap () returned 0x4c0000 [0138.412] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53bae8 | out: hHeap=0x4c0000) returned 1 [0138.412] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8287550, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe8287550, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe8287550, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="Search", cAlternateFileName="")) returned 0 [0138.412] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0138.412] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\PUSSY.TXT") returned 79 [0138.412] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\acrobat\\10.0\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0138.412] lstrlenA (lpString="abcd") returned 4 [0138.412] WriteFile (in: hFile=0x178, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0138.413] CloseHandle (hObject=0x178) returned 1 [0138.413] GetProcessHeap () returned 0x4c0000 [0138.413] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0138.419] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd6e27e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe5b04330, ftLastAccessTime.dwHighDateTime=0x1d35d05, ftLastWriteTime.dwLowDateTime=0xe5b04330, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0x77c61b06, cFileName="10.0", cAlternateFileName="")) returned 0 [0138.419] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0138.419] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\PUSSY.TXT") returned 74 [0138.419] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\acrobat\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0138.420] lstrlenA (lpString="abcd") returned 4 [0138.420] WriteFile (in: hFile=0x1b8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0138.421] CloseHandle (hObject=0x1b8) returned 1 [0138.421] GetProcessHeap () returned 0x4c0000 [0138.421] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0138.421] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Linguistics", cAlternateFileName="LINGUI~1")) returned 1 [0138.421] lstrcmpiW (lpString1="Linguistics", lpString2="Windows") returned -1 [0138.421] lstrcmpiW (lpString1="Linguistics", lpString2="Program Files") returned -1 [0138.421] lstrcmpiW (lpString1="Linguistics", lpString2="Program Files (x86)") returned -1 [0138.421] lstrcmpiW (lpString1="Linguistics", lpString2="$Recycle.bin") returned 1 [0138.421] lstrcmpiW (lpString1="Linguistics", lpString2="System Volume Information") returned -1 [0138.421] lstrcmpiW (lpString1="Linguistics", lpString2=".") returned 1 [0138.421] lstrcmpiW (lpString1="Linguistics", lpString2="..") returned 1 [0138.421] wnsprintfW (in: pszDest=0x52bae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics") returned 68 [0138.421] GetProcessHeap () returned 0x4c0000 [0138.421] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0138.421] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics" [0138.421] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\*" [0138.422] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0138.422] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0138.422] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0138.422] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0138.422] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0138.422] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0138.422] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0138.422] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0138.422] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0138.422] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0138.422] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0138.422] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0138.422] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0138.422] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0138.422] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0138.422] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe82613f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe82613f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0x77c61b06, cFileName="Dictionaries", cAlternateFileName="DICTIO~1")) returned 1 [0138.422] lstrcmpiW (lpString1="Dictionaries", lpString2="Windows") returned -1 [0138.422] lstrcmpiW (lpString1="Dictionaries", lpString2="Program Files") returned -1 [0138.422] lstrcmpiW (lpString1="Dictionaries", lpString2="Program Files (x86)") returned -1 [0138.422] lstrcmpiW (lpString1="Dictionaries", lpString2="$Recycle.bin") returned 1 [0138.422] lstrcmpiW (lpString1="Dictionaries", lpString2="System Volume Information") returned -1 [0138.422] lstrcmpiW (lpString1="Dictionaries", lpString2=".") returned 1 [0138.422] lstrcmpiW (lpString1="Dictionaries", lpString2="..") returned 1 [0138.423] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries") returned 81 [0138.423] GetProcessHeap () returned 0x4c0000 [0138.423] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0138.423] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries" [0138.423] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\*" [0138.423] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe82613f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe82613f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0138.424] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0138.424] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0138.424] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0138.424] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0138.424] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0138.424] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0138.424] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe82613f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe82613f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0138.425] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0138.425] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0138.425] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0138.425] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0138.425] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0138.425] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0138.425] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0138.425] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe82613f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec6bf330, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec6bf330, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="Adobe Custom Dictionary", cAlternateFileName="ADOBEC~1")) returned 1 [0138.425] lstrcmpiW (lpString1="Adobe Custom Dictionary", lpString2="Windows") returned -1 [0138.425] lstrcmpiW (lpString1="Adobe Custom Dictionary", lpString2="Program Files") returned -1 [0138.425] lstrcmpiW (lpString1="Adobe Custom Dictionary", lpString2="Program Files (x86)") returned -1 [0138.425] lstrcmpiW (lpString1="Adobe Custom Dictionary", lpString2="$Recycle.bin") returned 1 [0138.425] lstrcmpiW (lpString1="Adobe Custom Dictionary", lpString2="System Volume Information") returned -1 [0138.425] lstrcmpiW (lpString1="Adobe Custom Dictionary", lpString2=".") returned 1 [0138.425] lstrcmpiW (lpString1="Adobe Custom Dictionary", lpString2="..") returned 1 [0138.425] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary") returned 105 [0138.425] GetProcessHeap () returned 0x4c0000 [0138.425] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x502a88 [0138.425] lstrcpyW (in: lpString1=0x502a88, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary" [0138.425] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\*" [0138.425] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe82613f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec6bf330, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec6bf330, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0138.440] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0138.440] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0138.440] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0138.440] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0138.440] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0138.440] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0138.440] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe82613f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec6bf330, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec6bf330, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0138.440] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0138.440] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0138.440] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0138.440] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0138.440] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0138.440] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0138.440] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0138.440] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe82613f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe82613f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe82613f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="all", cAlternateFileName="")) returned 1 [0138.440] lstrcmpiW (lpString1="all", lpString2="Windows") returned -1 [0138.440] lstrcmpiW (lpString1="all", lpString2="Program Files") returned -1 [0138.440] lstrcmpiW (lpString1="all", lpString2="Program Files (x86)") returned -1 [0138.440] lstrcmpiW (lpString1="all", lpString2="$Recycle.bin") returned 1 [0138.440] lstrcmpiW (lpString1="all", lpString2="System Volume Information") returned -1 [0138.440] lstrcmpiW (lpString1="all", lpString2=".") returned 1 [0138.440] lstrcmpiW (lpString1="all", lpString2="..") returned 1 [0138.440] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\all") returned 109 [0138.440] GetProcessHeap () returned 0x4c0000 [0138.441] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0138.441] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\all" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\all") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\all" [0138.441] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\all", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\all\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\all\\*" [0138.441] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\all\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe82613f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe82613f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe82613f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff5c31fd, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0138.441] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0138.441] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0138.441] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0138.441] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0138.441] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0138.441] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0138.441] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe82613f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe82613f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe82613f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff5c31fd, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0138.441] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0138.441] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0138.441] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0138.441] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0138.441] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0138.441] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0138.441] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0138.441] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe82613f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe82613f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe82613f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff5c31fd, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0138.441] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0138.442] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\all\\PUSSY.TXT") returned 119 [0138.442] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\all\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\all\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0138.443] lstrlenA (lpString="abcd") returned 4 [0138.443] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0138.443] CloseHandle (hObject=0x1d0) returned 1 [0138.444] GetProcessHeap () returned 0x4c0000 [0138.444] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0138.444] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeab70f70, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeab70f70, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeab70f70, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="brt", cAlternateFileName="")) returned 1 [0138.444] lstrcmpiW (lpString1="brt", lpString2="Windows") returned -1 [0138.444] lstrcmpiW (lpString1="brt", lpString2="Program Files") returned -1 [0138.444] lstrcmpiW (lpString1="brt", lpString2="Program Files (x86)") returned -1 [0138.444] lstrcmpiW (lpString1="brt", lpString2="$Recycle.bin") returned 1 [0138.444] lstrcmpiW (lpString1="brt", lpString2="System Volume Information") returned -1 [0138.444] lstrcmpiW (lpString1="brt", lpString2=".") returned 1 [0138.444] lstrcmpiW (lpString1="brt", lpString2="..") returned 1 [0138.444] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\brt") returned 109 [0138.444] GetProcessHeap () returned 0x4c0000 [0138.444] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0138.444] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\brt" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\brt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\brt" [0138.444] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\brt", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\brt\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\brt\\*" [0138.444] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\brt\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeab70f70, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeab70f70, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeab70f70, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff5c31fd, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0138.445] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0138.445] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0138.445] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0138.445] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0138.445] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0138.445] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0138.445] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeab70f70, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeab70f70, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeab70f70, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff5c31fd, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0138.445] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0138.445] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0138.445] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0138.445] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0138.445] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0138.445] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0138.446] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0138.446] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeab70f70, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeab70f70, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeab70f70, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff5c31fd, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0138.446] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0138.446] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\brt\\PUSSY.TXT") returned 119 [0138.446] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\brt\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\brt\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0138.447] lstrlenA (lpString="abcd") returned 4 [0138.447] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0138.448] CloseHandle (hObject=0x1d0) returned 1 [0138.448] GetProcessHeap () returned 0x4c0000 [0138.448] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0138.448] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xec6bf330, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec6bf330, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec6bf330, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="brz", cAlternateFileName="")) returned 1 [0138.448] lstrcmpiW (lpString1="brz", lpString2="Windows") returned -1 [0138.448] lstrcmpiW (lpString1="brz", lpString2="Program Files") returned -1 [0138.448] lstrcmpiW (lpString1="brz", lpString2="Program Files (x86)") returned -1 [0138.448] lstrcmpiW (lpString1="brz", lpString2="$Recycle.bin") returned 1 [0138.448] lstrcmpiW (lpString1="brz", lpString2="System Volume Information") returned -1 [0138.448] lstrcmpiW (lpString1="brz", lpString2=".") returned 1 [0138.448] lstrcmpiW (lpString1="brz", lpString2="..") returned 1 [0138.448] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\brz") returned 109 [0138.449] GetProcessHeap () returned 0x4c0000 [0138.449] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0138.449] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\brz" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\brz") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\brz" [0138.449] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\brz", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\brz\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\brz\\*" [0138.449] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\brz\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xec6bf330, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec6bf330, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec6bf330, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff5c31fd, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0138.450] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0138.450] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0138.450] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0138.450] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0138.450] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0138.450] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0138.450] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xec6bf330, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec6bf330, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec6bf330, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff5c31fd, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0138.450] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0138.450] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0138.450] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0138.450] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0138.450] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0138.450] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0138.450] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0138.450] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xec6bf330, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec6bf330, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec6bf330, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff5c31fd, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0138.450] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0138.451] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\brz\\PUSSY.TXT") returned 119 [0138.451] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\brz\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\brz\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0138.452] lstrlenA (lpString="abcd") returned 4 [0138.452] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0138.453] CloseHandle (hObject=0x1d0) returned 1 [0138.453] GetProcessHeap () returned 0x4c0000 [0138.453] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0138.453] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb4758f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeb4758f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeb4758f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="dan", cAlternateFileName="")) returned 1 [0138.453] lstrcmpiW (lpString1="dan", lpString2="Windows") returned -1 [0138.453] lstrcmpiW (lpString1="dan", lpString2="Program Files") returned -1 [0138.453] lstrcmpiW (lpString1="dan", lpString2="Program Files (x86)") returned -1 [0138.453] lstrcmpiW (lpString1="dan", lpString2="$Recycle.bin") returned 1 [0138.453] lstrcmpiW (lpString1="dan", lpString2="System Volume Information") returned -1 [0138.453] lstrcmpiW (lpString1="dan", lpString2=".") returned 1 [0138.453] lstrcmpiW (lpString1="dan", lpString2="..") returned 1 [0138.453] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dan") returned 109 [0138.454] GetProcessHeap () returned 0x4c0000 [0138.454] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0138.454] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dan" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dan") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dan" [0138.454] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dan", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dan\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dan\\*" [0138.454] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dan\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb4758f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeb4758f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeb4758f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff5c31fd, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0138.454] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0138.454] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0138.454] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0138.454] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0138.454] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0138.454] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0138.454] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb4758f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeb4758f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeb4758f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff5c31fd, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0138.454] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0138.454] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0138.454] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0138.454] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0138.454] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0138.454] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0138.454] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0138.454] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb4758f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeb4758f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeb4758f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff5c31fd, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0138.454] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0138.455] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dan\\PUSSY.TXT") returned 119 [0138.455] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dan\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\dan\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0138.455] lstrlenA (lpString="abcd") returned 4 [0138.455] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0138.456] CloseHandle (hObject=0x1d0) returned 1 [0138.456] GetProcessHeap () returned 0x4c0000 [0138.456] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0138.456] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xebdabf50, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xebdabf50, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xebdabf50, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="dut", cAlternateFileName="")) returned 1 [0138.456] lstrcmpiW (lpString1="dut", lpString2="Windows") returned -1 [0138.456] lstrcmpiW (lpString1="dut", lpString2="Program Files") returned -1 [0138.456] lstrcmpiW (lpString1="dut", lpString2="Program Files (x86)") returned -1 [0138.456] lstrcmpiW (lpString1="dut", lpString2="$Recycle.bin") returned 1 [0138.456] lstrcmpiW (lpString1="dut", lpString2="System Volume Information") returned -1 [0138.456] lstrcmpiW (lpString1="dut", lpString2=".") returned 1 [0138.456] lstrcmpiW (lpString1="dut", lpString2="..") returned 1 [0138.457] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dut") returned 109 [0138.457] GetProcessHeap () returned 0x4c0000 [0138.457] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0138.457] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dut" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dut") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dut" [0138.457] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dut", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dut\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dut\\*" [0138.457] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dut\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xebdabf50, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xebdabf50, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xebdabf50, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff5c31fd, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0138.457] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0138.457] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0138.457] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0138.458] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0138.458] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0138.458] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0138.458] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xebdabf50, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xebdabf50, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xebdabf50, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff5c31fd, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0138.458] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0138.458] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0138.458] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0138.458] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0138.458] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0138.458] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0138.458] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0138.459] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xebdabf50, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xebdabf50, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xebdabf50, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff5c31fd, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0138.459] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0138.459] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dut\\PUSSY.TXT") returned 119 [0138.459] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dut\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\dut\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0138.459] lstrlenA (lpString="abcd") returned 4 [0138.459] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0138.460] CloseHandle (hObject=0x1d0) returned 1 [0138.460] GetProcessHeap () returned 0x4c0000 [0138.460] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0138.460] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9487bb0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9487bb0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9487bb0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="eng", cAlternateFileName="")) returned 1 [0138.461] lstrcmpiW (lpString1="eng", lpString2="Windows") returned -1 [0138.461] lstrcmpiW (lpString1="eng", lpString2="Program Files") returned -1 [0138.461] lstrcmpiW (lpString1="eng", lpString2="Program Files (x86)") returned -1 [0138.461] lstrcmpiW (lpString1="eng", lpString2="$Recycle.bin") returned 1 [0138.461] lstrcmpiW (lpString1="eng", lpString2="System Volume Information") returned -1 [0138.461] lstrcmpiW (lpString1="eng", lpString2=".") returned 1 [0138.461] lstrcmpiW (lpString1="eng", lpString2="..") returned 1 [0138.461] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\eng") returned 109 [0138.461] GetProcessHeap () returned 0x4c0000 [0138.461] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0138.461] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\eng" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\eng") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\eng" [0138.461] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\eng", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\eng\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\eng\\*" [0138.461] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\eng\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9487bb0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9487bb0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9487bb0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff5c31fd, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0138.461] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0138.461] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0138.461] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0138.461] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0138.461] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0138.461] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0138.461] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9487bb0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9487bb0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9487bb0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff5c31fd, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0138.462] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0138.462] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0138.462] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0138.462] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0138.462] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0138.462] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0138.462] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0138.462] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9487bb0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9487bb0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9487bb0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff5c31fd, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0138.462] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0138.462] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\eng\\PUSSY.TXT") returned 119 [0138.462] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\eng\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\eng\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0138.463] lstrlenA (lpString="abcd") returned 4 [0138.463] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0138.464] CloseHandle (hObject=0x1d0) returned 1 [0138.464] GetProcessHeap () returned 0x4c0000 [0138.464] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0138.464] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9d9af90, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9d9af90, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9d9af90, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="frn", cAlternateFileName="")) returned 1 [0138.464] lstrcmpiW (lpString1="frn", lpString2="Windows") returned -1 [0138.464] lstrcmpiW (lpString1="frn", lpString2="Program Files") returned -1 [0138.464] lstrcmpiW (lpString1="frn", lpString2="Program Files (x86)") returned -1 [0138.464] lstrcmpiW (lpString1="frn", lpString2="$Recycle.bin") returned 1 [0138.464] lstrcmpiW (lpString1="frn", lpString2="System Volume Information") returned -1 [0138.464] lstrcmpiW (lpString1="frn", lpString2=".") returned 1 [0138.464] lstrcmpiW (lpString1="frn", lpString2="..") returned 1 [0138.464] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\frn") returned 109 [0138.464] GetProcessHeap () returned 0x4c0000 [0138.464] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0138.464] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\frn" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\frn") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\frn" [0138.464] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\frn", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\frn\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\frn\\*" [0138.464] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\frn\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9d9af90, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9d9af90, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9d9af90, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff5c31fd, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0138.464] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0138.465] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0138.465] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0138.465] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0138.465] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0138.465] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0138.465] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9d9af90, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9d9af90, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9d9af90, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff5c31fd, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0138.465] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0138.465] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0138.465] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0138.465] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0138.465] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0138.465] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0138.465] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0138.465] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9d9af90, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9d9af90, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9d9af90, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff5c31fd, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0138.465] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0138.465] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\frn\\PUSSY.TXT") returned 119 [0138.465] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\frn\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\frn\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0138.466] lstrlenA (lpString="abcd") returned 4 [0138.466] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0138.467] CloseHandle (hObject=0x1d0) returned 1 [0138.467] GetProcessHeap () returned 0x4c0000 [0138.467] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0138.467] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9924650, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9924650, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9924650, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="grm", cAlternateFileName="")) returned 1 [0138.467] lstrcmpiW (lpString1="grm", lpString2="Windows") returned -1 [0138.467] lstrcmpiW (lpString1="grm", lpString2="Program Files") returned -1 [0138.467] lstrcmpiW (lpString1="grm", lpString2="Program Files (x86)") returned -1 [0138.467] lstrcmpiW (lpString1="grm", lpString2="$Recycle.bin") returned 1 [0138.467] lstrcmpiW (lpString1="grm", lpString2="System Volume Information") returned -1 [0138.467] lstrcmpiW (lpString1="grm", lpString2=".") returned 1 [0138.467] lstrcmpiW (lpString1="grm", lpString2="..") returned 1 [0138.467] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\grm") returned 109 [0138.467] GetProcessHeap () returned 0x4c0000 [0138.467] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0138.467] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\grm" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\grm") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\grm" [0138.467] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\grm", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\grm\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\grm\\*" [0138.467] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\grm\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9924650, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9924650, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9924650, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff5c31fd, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0138.468] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0138.468] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0138.468] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0138.468] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0138.468] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0138.468] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0138.468] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9924650, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9924650, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9924650, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff5c31fd, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0138.468] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0138.468] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0138.468] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0138.468] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0138.468] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0138.468] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0138.468] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0138.468] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9924650, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9924650, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9924650, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff5c31fd, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0138.468] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0138.468] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\grm\\PUSSY.TXT") returned 119 [0138.468] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\grm\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\grm\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0138.469] lstrlenA (lpString="abcd") returned 4 [0138.469] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0138.470] CloseHandle (hObject=0x1d0) returned 1 [0138.470] GetProcessHeap () returned 0x4c0000 [0138.470] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0138.470] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xea6d44d0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xea6d44d0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xea6d44d0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="itl", cAlternateFileName="")) returned 1 [0138.470] lstrcmpiW (lpString1="itl", lpString2="Windows") returned -1 [0138.470] lstrcmpiW (lpString1="itl", lpString2="Program Files") returned -1 [0138.470] lstrcmpiW (lpString1="itl", lpString2="Program Files (x86)") returned -1 [0138.470] lstrcmpiW (lpString1="itl", lpString2="$Recycle.bin") returned 1 [0138.470] lstrcmpiW (lpString1="itl", lpString2="System Volume Information") returned -1 [0138.470] lstrcmpiW (lpString1="itl", lpString2=".") returned 1 [0138.470] lstrcmpiW (lpString1="itl", lpString2="..") returned 1 [0138.470] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\itl") returned 109 [0138.470] GetProcessHeap () returned 0x4c0000 [0138.470] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0138.470] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\itl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\itl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\itl" [0138.470] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\itl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\itl\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\itl\\*" [0138.470] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\itl\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xea6d44d0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xea6d44d0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xea6d44d0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff5c31fd, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0138.470] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0138.470] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0138.470] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0138.470] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0138.470] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0138.470] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0138.470] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xea6d44d0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xea6d44d0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xea6d44d0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff5c31fd, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0138.471] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0138.471] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0138.471] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0138.471] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0138.471] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0138.471] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0138.471] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0138.471] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xea6d44d0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xea6d44d0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xea6d44d0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff5c31fd, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0138.471] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0138.471] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\itl\\PUSSY.TXT") returned 119 [0138.471] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\itl\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\itl\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0138.471] lstrlenA (lpString="abcd") returned 4 [0138.471] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0138.472] CloseHandle (hObject=0x1d0) returned 1 [0138.472] GetProcessHeap () returned 0x4c0000 [0138.472] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0138.472] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb90f4b0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeb90f4b0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeb90f4b0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="nrw", cAlternateFileName="")) returned 1 [0138.472] lstrcmpiW (lpString1="nrw", lpString2="Windows") returned -1 [0138.472] lstrcmpiW (lpString1="nrw", lpString2="Program Files") returned -1 [0138.472] lstrcmpiW (lpString1="nrw", lpString2="Program Files (x86)") returned -1 [0138.472] lstrcmpiW (lpString1="nrw", lpString2="$Recycle.bin") returned 1 [0138.472] lstrcmpiW (lpString1="nrw", lpString2="System Volume Information") returned -1 [0138.473] lstrcmpiW (lpString1="nrw", lpString2=".") returned 1 [0138.473] lstrcmpiW (lpString1="nrw", lpString2="..") returned 1 [0138.473] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\nrw") returned 109 [0138.473] GetProcessHeap () returned 0x4c0000 [0138.473] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0138.473] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\nrw" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\nrw") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\nrw" [0138.473] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\nrw", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\nrw\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\nrw\\*" [0138.473] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\nrw\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb90f4b0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeb90f4b0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeb90f4b0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff5c31fd, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0138.473] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0138.473] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0138.473] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0138.473] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0138.473] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0138.473] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0138.473] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb90f4b0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeb90f4b0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeb90f4b0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff5c31fd, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0138.473] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0138.473] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0138.473] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0138.473] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0138.473] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0138.473] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0138.473] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0138.474] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb90f4b0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeb90f4b0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeb90f4b0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff5c31fd, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0138.474] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0138.474] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\nrw\\PUSSY.TXT") returned 119 [0138.474] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\nrw\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\nrw\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0138.474] lstrlenA (lpString="abcd") returned 4 [0138.474] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0138.475] CloseHandle (hObject=0x1d0) returned 1 [0138.475] GetProcessHeap () returned 0x4c0000 [0138.475] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0138.475] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xec2489f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec2489f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec2489f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="prt", cAlternateFileName="")) returned 1 [0138.475] lstrcmpiW (lpString1="prt", lpString2="Windows") returned -1 [0138.475] lstrcmpiW (lpString1="prt", lpString2="Program Files") returned 1 [0138.475] lstrcmpiW (lpString1="prt", lpString2="Program Files (x86)") returned 1 [0138.475] lstrcmpiW (lpString1="prt", lpString2="$Recycle.bin") returned 1 [0138.475] lstrcmpiW (lpString1="prt", lpString2="System Volume Information") returned -1 [0138.475] lstrcmpiW (lpString1="prt", lpString2=".") returned 1 [0138.475] lstrcmpiW (lpString1="prt", lpString2="..") returned 1 [0138.475] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\prt") returned 109 [0138.475] GetProcessHeap () returned 0x4c0000 [0138.475] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0138.475] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\prt" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\prt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\prt" [0138.475] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\prt", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\prt\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\prt\\*" [0138.476] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\prt\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xec2489f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec2489f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec2489f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff5c31fd, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0138.476] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0138.476] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0138.476] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0138.476] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0138.476] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0138.476] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0138.476] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xec2489f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec2489f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec2489f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff5c31fd, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0138.476] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0138.476] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0138.476] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0138.476] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0138.476] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0138.476] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0138.476] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0138.476] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xec2489f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec2489f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec2489f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff5c31fd, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0138.476] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0138.476] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\prt\\PUSSY.TXT") returned 119 [0138.476] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\prt\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\prt\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0138.477] lstrlenA (lpString="abcd") returned 4 [0138.477] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0138.478] CloseHandle (hObject=0x1d0) returned 1 [0138.478] GetProcessHeap () returned 0x4c0000 [0138.478] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0138.478] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xea237a30, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xea237a30, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xea237a30, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="spn", cAlternateFileName="")) returned 1 [0138.478] lstrcmpiW (lpString1="spn", lpString2="Windows") returned -1 [0138.478] lstrcmpiW (lpString1="spn", lpString2="Program Files") returned 1 [0138.478] lstrcmpiW (lpString1="spn", lpString2="Program Files (x86)") returned 1 [0138.478] lstrcmpiW (lpString1="spn", lpString2="$Recycle.bin") returned 1 [0138.478] lstrcmpiW (lpString1="spn", lpString2="System Volume Information") returned -1 [0138.478] lstrcmpiW (lpString1="spn", lpString2=".") returned 1 [0138.478] lstrcmpiW (lpString1="spn", lpString2="..") returned 1 [0138.478] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\spn") returned 109 [0138.478] GetProcessHeap () returned 0x4c0000 [0138.478] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0138.478] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\spn" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\spn") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\spn" [0138.478] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\spn", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\spn\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\spn\\*" [0138.478] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\spn\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xea237a30, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xea237a30, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xea237a30, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff5c31fd, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0138.478] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0138.479] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0138.479] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0138.479] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0138.482] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0138.482] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0138.482] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xea237a30, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xea237a30, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xea237a30, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff5c31fd, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0138.482] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0138.482] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0138.482] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0138.482] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0138.482] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0138.482] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0138.482] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0138.482] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xea237a30, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xea237a30, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xea237a30, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff5c31fd, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0138.482] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0138.482] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\spn\\PUSSY.TXT") returned 119 [0138.482] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\spn\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\spn\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0138.483] lstrlenA (lpString="abcd") returned 4 [0138.483] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0138.484] CloseHandle (hObject=0x1d0) returned 1 [0138.484] GetProcessHeap () returned 0x4c0000 [0138.484] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0138.484] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeaffa190, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeaffa190, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeaffa190, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="swd", cAlternateFileName="")) returned 1 [0138.484] lstrcmpiW (lpString1="swd", lpString2="Windows") returned -1 [0138.484] lstrcmpiW (lpString1="swd", lpString2="Program Files") returned 1 [0138.484] lstrcmpiW (lpString1="swd", lpString2="Program Files (x86)") returned 1 [0138.484] lstrcmpiW (lpString1="swd", lpString2="$Recycle.bin") returned 1 [0138.484] lstrcmpiW (lpString1="swd", lpString2="System Volume Information") returned -1 [0138.484] lstrcmpiW (lpString1="swd", lpString2=".") returned 1 [0138.484] lstrcmpiW (lpString1="swd", lpString2="..") returned 1 [0138.484] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\swd") returned 109 [0138.484] GetProcessHeap () returned 0x4c0000 [0138.484] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0138.484] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\swd" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\swd") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\swd" [0138.484] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\swd", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\swd\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\swd\\*" [0138.484] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\swd\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeaffa190, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeaffa190, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeaffa190, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff5c31fd, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0138.485] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0138.485] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0138.485] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0138.485] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0138.485] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0138.485] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0138.485] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeaffa190, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeaffa190, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeaffa190, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff5c31fd, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0138.485] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0138.485] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0138.485] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0138.485] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0138.485] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0138.485] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0138.485] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0138.485] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeaffa190, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeaffa190, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeaffa190, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff5c31fd, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0138.485] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0138.485] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\swd\\PUSSY.TXT") returned 119 [0138.486] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\swd\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\swd\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0138.486] lstrlenA (lpString="abcd") returned 4 [0138.486] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0138.487] CloseHandle (hObject=0x1d0) returned 1 [0138.487] GetProcessHeap () returned 0x4c0000 [0138.487] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0138.487] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeaffa190, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeaffa190, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeaffa190, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="swd", cAlternateFileName="")) returned 0 [0138.487] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0138.487] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\PUSSY.TXT") returned 115 [0138.487] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0138.488] lstrlenA (lpString="abcd") returned 4 [0138.488] WriteFile (in: hFile=0x178, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0138.489] CloseHandle (hObject=0x178) returned 1 [0138.489] GetProcessHeap () returned 0x4c0000 [0138.489] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0138.489] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe82613f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec6bf330, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec6bf330, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="Adobe Custom Dictionary", cAlternateFileName="ADOBEC~1")) returned 0 [0138.489] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0138.489] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\PUSSY.TXT") returned 91 [0138.489] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0138.489] lstrlenA (lpString="abcd") returned 4 [0138.489] WriteFile (in: hFile=0x180, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0138.490] CloseHandle (hObject=0x180) returned 1 [0138.490] GetProcessHeap () returned 0x4c0000 [0138.490] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0138.492] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe82613f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe82613f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0x77c61b06, cFileName="Dictionaries", cAlternateFileName="DICTIO~1")) returned 0 [0138.492] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0138.492] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\PUSSY.TXT") returned 78 [0138.492] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0138.492] lstrlenA (lpString="abcd") returned 4 [0138.492] WriteFile (in: hFile=0x1b8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0138.493] CloseHandle (hObject=0x1b8) returned 1 [0138.493] GetProcessHeap () returned 0x4c0000 [0138.493] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0138.494] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Linguistics", cAlternateFileName="LINGUI~1")) returned 0 [0138.494] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0138.494] wnsprintfW (in: pszDest=0x52bae0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\PUSSY.TXT") returned 66 [0138.494] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x124 [0138.494] lstrlenA (lpString="abcd") returned 4 [0138.494] WriteFile (in: hFile=0x124, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0138.495] CloseHandle (hObject=0x124) returned 1 [0138.495] GetProcessHeap () returned 0x4c0000 [0138.495] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0138.496] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0138.496] lstrcmpiW (lpString1="Microsoft", lpString2="Windows") returned -1 [0138.497] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files") returned -1 [0138.497] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files (x86)") returned -1 [0138.497] lstrcmpiW (lpString1="Microsoft", lpString2="$Recycle.bin") returned 1 [0138.497] lstrcmpiW (lpString1="Microsoft", lpString2="System Volume Information") returned -1 [0138.497] lstrcmpiW (lpString1="Microsoft", lpString2=".") returned 1 [0138.497] lstrcmpiW (lpString1="Microsoft", lpString2="..") returned 1 [0138.497] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft") returned 60 [0138.497] GetProcessHeap () returned 0x4c0000 [0138.497] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0138.497] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft" [0138.497] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\*" [0138.497] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0138.497] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0138.497] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0138.497] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0138.497] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0138.497] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0138.497] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0138.497] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0138.497] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0138.497] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0138.497] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0138.497] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0138.497] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0138.497] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0138.498] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0138.498] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="CryptnetUrlCache", cAlternateFileName="CRYPTN~1")) returned 1 [0138.498] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="Windows") returned -1 [0138.498] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="Program Files") returned -1 [0138.498] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="Program Files (x86)") returned -1 [0138.498] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="$Recycle.bin") returned 1 [0138.498] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="System Volume Information") returned -1 [0138.498] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2=".") returned 1 [0138.498] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="..") returned 1 [0138.498] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache") returned 77 [0138.498] GetProcessHeap () returned 0x4c0000 [0138.498] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0138.498] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache" [0138.498] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*" [0138.498] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0138.498] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0138.498] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0138.498] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0138.498] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0138.498] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0138.498] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0138.499] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0138.499] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0138.499] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0138.499] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0138.499] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0138.499] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0138.499] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0138.499] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0138.499] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd0de60b0, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xd0de60b0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="Content", cAlternateFileName="")) returned 1 [0138.499] lstrcmpiW (lpString1="Content", lpString2="Windows") returned -1 [0138.499] lstrcmpiW (lpString1="Content", lpString2="Program Files") returned -1 [0138.499] lstrcmpiW (lpString1="Content", lpString2="Program Files (x86)") returned -1 [0138.499] lstrcmpiW (lpString1="Content", lpString2="$Recycle.bin") returned 1 [0138.499] lstrcmpiW (lpString1="Content", lpString2="System Volume Information") returned -1 [0138.499] lstrcmpiW (lpString1="Content", lpString2=".") returned 1 [0138.499] lstrcmpiW (lpString1="Content", lpString2="..") returned 1 [0138.499] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content") returned 85 [0138.499] GetProcessHeap () returned 0x4c0000 [0138.499] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x502a88 [0138.500] lstrcpyW (in: lpString1=0x502a88, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content" [0138.500] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*" [0138.500] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd0de60b0, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xd0de60b0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0138.500] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0138.500] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0138.500] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0138.501] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0138.501] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0138.501] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0138.501] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd0de60b0, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xd0de60b0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0138.501] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0138.501] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0138.501] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0138.501] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0138.501] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0138.501] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0138.501] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0138.501] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xbf9eaad0, ftCreationTime.dwHighDateTime=0x1d2faf2, ftLastAccessTime.dwLowDateTime=0xbf9eaad0, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xbf9eaad0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x1d7, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", cAlternateFileName="024823~1")) returned 1 [0138.501] lstrcmpiW (lpString1="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", lpString2="Windows") returned -1 [0138.501] lstrcmpiW (lpString1="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", lpString2="Program Files") returned -1 [0138.501] lstrcmpiW (lpString1="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", lpString2="Program Files (x86)") returned -1 [0138.501] lstrcmpiW (lpString1="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", lpString2="$Recycle.bin") returned 1 [0138.501] lstrcmpiW (lpString1="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", lpString2="System Volume Information") returned -1 [0138.501] lstrcmpiW (lpString1="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", lpString2=".") returned 1 [0138.501] lstrcmpiW (lpString1="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", lpString2="..") returned 1 [0138.501] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B") returned 151 [0138.501] lstrcmpW (lpString1="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", lpString2="PUSSY.TXT") returned -1 [0138.501] PathFindExtensionW (pszPath="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B") returned="" [0138.501] lstrlenW (lpString="") returned 0 [0138.501] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0138.501] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\024823b39fbeaccdb5c06426a8168e99_6d5cab161a1c65362a913d29be09d91b"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0138.502] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=471) returned 1 [0138.502] CloseHandle (hObject=0x178) returned 1 [0138.502] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x53bd8410, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x53bd8410, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbe98d390, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x561, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875", cAlternateFileName="0F1583~1")) returned 1 [0138.502] lstrcmpiW (lpString1="0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875", lpString2="Windows") returned -1 [0138.502] lstrcmpiW (lpString1="0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875", lpString2="Program Files") returned -1 [0138.502] lstrcmpiW (lpString1="0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875", lpString2="Program Files (x86)") returned -1 [0138.502] lstrcmpiW (lpString1="0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875", lpString2="$Recycle.bin") returned 1 [0138.502] lstrcmpiW (lpString1="0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875", lpString2="System Volume Information") returned -1 [0138.502] lstrcmpiW (lpString1="0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875", lpString2=".") returned 1 [0138.502] lstrcmpiW (lpString1="0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875", lpString2="..") returned 1 [0138.502] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875") returned 151 [0138.502] lstrcmpW (lpString1="0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875", lpString2="PUSSY.TXT") returned -1 [0138.502] PathFindExtensionW (pszPath="0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875") returned="" [0138.503] lstrlenW (lpString="") returned 0 [0138.503] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0138.503] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\0f1583fff42fff476a09801acb69213f_e3f4a8c96454d7d3441d2c1bce81f875"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0138.504] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=1377) returned 1 [0138.504] GetProcessHeap () returned 0x4c0000 [0138.504] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc80e0 [0138.516] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="54") returned 2 [0138.516] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="68") returned 2 [0138.516] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="B7") returned 2 [0138.516] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="61") returned 2 [0138.516] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="A9") returned 2 [0138.516] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="D5") returned 2 [0138.516] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="90") returned 2 [0138.517] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="EA") returned 2 [0138.517] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="79") returned 2 [0138.517] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="80") returned 2 [0138.517] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="E2") returned 2 [0138.517] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="01") returned 2 [0138.517] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="FE") returned 2 [0138.517] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="3F") returned 2 [0138.517] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="51") returned 2 [0138.517] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="45") returned 2 [0138.517] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="DD") returned 2 [0138.517] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="98") returned 2 [0138.517] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="3A") returned 2 [0138.517] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="94") returned 2 [0138.517] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="85") returned 2 [0138.517] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="71") returned 2 [0138.517] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="14") returned 2 [0138.517] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="77") returned 2 [0138.517] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="CC") returned 2 [0138.517] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="29") returned 2 [0138.517] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="1C") returned 2 [0138.517] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="B6") returned 2 [0138.517] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="A6") returned 2 [0138.517] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="5E") returned 2 [0138.517] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="26") returned 2 [0138.517] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="5A") returned 2 [0138.527] lstrcpyW (in: lpString1=0x3bd8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875" [0138.527] lstrcpyW (in: lpString1=0x3bc8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875" [0138.527] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875", lpString2=".5468B761A9D590EA7980E201FE3F5145DD983A9485711477CC291CB6A65E265A" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875.5468B761A9D590EA7980E201FE3F5145DD983A9485711477CC291CB6A65E265A") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875.5468B761A9D590EA7980E201FE3F5145DD983A9485711477CC291CB6A65E265A" [0138.527] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x3bc80e0, NumberOfConcurrentThreads=0x0) returned 0x94 [0138.527] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc80e0, lpOverlapped=0x3bc80e0) returned 1 [0138.527] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xbf952550, ftCreationTime.dwHighDateTime=0x1d2faf2, ftLastAccessTime.dwLowDateTime=0xbf952550, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xbf952550, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x1d8, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973", cAlternateFileName="1BB09B~1")) returned 1 [0138.527] lstrcmpiW (lpString1="1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973", lpString2="Windows") returned -1 [0138.527] lstrcmpiW (lpString1="1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973", lpString2="Program Files") returned -1 [0138.527] lstrcmpiW (lpString1="1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973", lpString2="Program Files (x86)") returned -1 [0138.527] lstrcmpiW (lpString1="1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973", lpString2="$Recycle.bin") returned 1 [0138.527] lstrcmpiW (lpString1="1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973", lpString2="System Volume Information") returned -1 [0138.527] lstrcmpiW (lpString1="1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973", lpString2=".") returned 1 [0138.527] lstrcmpiW (lpString1="1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973", lpString2="..") returned 1 [0138.527] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973") returned 151 [0138.528] lstrcmpW (lpString1="1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973", lpString2="PUSSY.TXT") returned -1 [0138.528] PathFindExtensionW (pszPath="1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973") returned="" [0138.528] lstrlenW (lpString="") returned 0 [0138.528] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0138.528] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\1bb09beec155258835c193a7aa85aa5b_a7b2b53af2a12e2cb0a41b96d21d7973"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0138.529] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=472) returned 1 [0138.530] CloseHandle (hObject=0x1d0) returned 1 [0138.530] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x4c00edb0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x4c00edb0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x4c00edb0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0xf1d, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="1DAF2884EC4DFA96BA4A58D4DBC9C406", cAlternateFileName="1DAF28~1")) returned 1 [0138.530] lstrcmpiW (lpString1="1DAF2884EC4DFA96BA4A58D4DBC9C406", lpString2="Windows") returned -1 [0138.530] lstrcmpiW (lpString1="1DAF2884EC4DFA96BA4A58D4DBC9C406", lpString2="Program Files") returned -1 [0138.530] lstrcmpiW (lpString1="1DAF2884EC4DFA96BA4A58D4DBC9C406", lpString2="Program Files (x86)") returned -1 [0138.530] lstrcmpiW (lpString1="1DAF2884EC4DFA96BA4A58D4DBC9C406", lpString2="$Recycle.bin") returned 1 [0138.530] lstrcmpiW (lpString1="1DAF2884EC4DFA96BA4A58D4DBC9C406", lpString2="System Volume Information") returned -1 [0138.530] lstrcmpiW (lpString1="1DAF2884EC4DFA96BA4A58D4DBC9C406", lpString2=".") returned 1 [0138.530] lstrcmpiW (lpString1="1DAF2884EC4DFA96BA4A58D4DBC9C406", lpString2="..") returned 1 [0138.530] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1DAF2884EC4DFA96BA4A58D4DBC9C406") returned 118 [0138.530] lstrcmpW (lpString1="1DAF2884EC4DFA96BA4A58D4DBC9C406", lpString2="PUSSY.TXT") returned -1 [0138.530] PathFindExtensionW (pszPath="1DAF2884EC4DFA96BA4A58D4DBC9C406") returned="" [0138.530] lstrlenW (lpString="") returned 0 [0138.530] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0138.530] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1DAF2884EC4DFA96BA4A58D4DBC9C406" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\1daf2884ec4dfa96ba4a58d4dbc9c406"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0138.559] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=3869) returned 1 [0138.559] GetProcessHeap () returned 0x4c0000 [0138.559] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc80e0 [0138.569] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="4A") returned 2 [0138.569] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="10") returned 2 [0138.569] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="25") returned 2 [0138.569] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="60") returned 2 [0138.569] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="2C") returned 2 [0138.569] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="D0") returned 2 [0138.569] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="C9") returned 2 [0138.569] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="04") returned 2 [0138.569] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="A3") returned 2 [0138.569] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="D2") returned 2 [0138.569] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="D0") returned 2 [0138.570] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="FF") returned 2 [0138.570] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="03") returned 2 [0138.570] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="B2") returned 2 [0138.570] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="87") returned 2 [0138.570] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="A9") returned 2 [0138.570] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="00") returned 2 [0138.570] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="CB") returned 2 [0138.570] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="B6") returned 2 [0138.570] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="50") returned 2 [0138.570] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="8F") returned 2 [0138.570] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="FF") returned 2 [0138.570] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="67") returned 2 [0138.570] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="26") returned 2 [0138.570] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="9C") returned 2 [0138.570] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="63") returned 2 [0138.570] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="8C") returned 2 [0138.570] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="C0") returned 2 [0138.570] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="B4") returned 2 [0138.570] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="5B") returned 2 [0138.570] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="0C") returned 2 [0138.570] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="3E") returned 2 [0138.579] lstrcpyW (in: lpString1=0x3bd8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1DAF2884EC4DFA96BA4A58D4DBC9C406" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1DAF2884EC4DFA96BA4A58D4DBC9C406") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1DAF2884EC4DFA96BA4A58D4DBC9C406" [0138.579] lstrcpyW (in: lpString1=0x3bc8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1DAF2884EC4DFA96BA4A58D4DBC9C406" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1DAF2884EC4DFA96BA4A58D4DBC9C406") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1DAF2884EC4DFA96BA4A58D4DBC9C406" [0138.579] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1DAF2884EC4DFA96BA4A58D4DBC9C406", lpString2=".4A1025602CD0C904A3D2D0FF03B287A900CBB6508FFF67269C638CC0B45B0C3E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1DAF2884EC4DFA96BA4A58D4DBC9C406.4A1025602CD0C904A3D2D0FF03B287A900CBB6508FFF67269C638CC0B45B0C3E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1DAF2884EC4DFA96BA4A58D4DBC9C406.4A1025602CD0C904A3D2D0FF03B287A900CBB6508FFF67269C638CC0B45B0C3E" [0138.579] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x94, CompletionKey=0x3bc80e0, NumberOfConcurrentThreads=0x0) returned 0x94 [0138.579] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc80e0, lpOverlapped=0x3bc80e0) returned 1 [0138.580] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x580eb5c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x580eb5c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xaedd4300, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x145, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="23B523C9E7746F715D33C6527C18EB9D", cAlternateFileName="23B523~1")) returned 1 [0138.580] lstrcmpiW (lpString1="23B523C9E7746F715D33C6527C18EB9D", lpString2="Windows") returned -1 [0138.585] lstrcmpiW (lpString1="23B523C9E7746F715D33C6527C18EB9D", lpString2="Program Files") returned -1 [0138.585] lstrcmpiW (lpString1="23B523C9E7746F715D33C6527C18EB9D", lpString2="Program Files (x86)") returned -1 [0138.585] lstrcmpiW (lpString1="23B523C9E7746F715D33C6527C18EB9D", lpString2="$Recycle.bin") returned 1 [0138.585] lstrcmpiW (lpString1="23B523C9E7746F715D33C6527C18EB9D", lpString2="System Volume Information") returned -1 [0138.585] lstrcmpiW (lpString1="23B523C9E7746F715D33C6527C18EB9D", lpString2=".") returned 1 [0138.585] lstrcmpiW (lpString1="23B523C9E7746F715D33C6527C18EB9D", lpString2="..") returned 1 [0138.585] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\23B523C9E7746F715D33C6527C18EB9D") returned 118 [0138.585] lstrcmpW (lpString1="23B523C9E7746F715D33C6527C18EB9D", lpString2="PUSSY.TXT") returned -1 [0138.585] PathFindExtensionW (pszPath="23B523C9E7746F715D33C6527C18EB9D") returned="" [0138.585] lstrlenW (lpString="") returned 0 [0138.585] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0138.585] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\23B523C9E7746F715D33C6527C18EB9D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\23b523c9e7746f715d33c6527c18eb9d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0138.587] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=325) returned 1 [0138.587] CloseHandle (hObject=0x178) returned 1 [0138.587] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xc3791460, ftCreationTime.dwHighDateTime=0x1d2e675, ftLastAccessTime.dwLowDateTime=0xc3791460, ftLastAccessTime.dwHighDateTime=0x1d2e675, ftLastWriteTime.dwLowDateTime=0xc3791460, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x209, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="3130B1871A126520A8C47861EFE3ED4D", cAlternateFileName="3130B1~1")) returned 1 [0138.587] lstrcmpiW (lpString1="3130B1871A126520A8C47861EFE3ED4D", lpString2="Windows") returned -1 [0138.587] lstrcmpiW (lpString1="3130B1871A126520A8C47861EFE3ED4D", lpString2="Program Files") returned -1 [0138.587] lstrcmpiW (lpString1="3130B1871A126520A8C47861EFE3ED4D", lpString2="Program Files (x86)") returned -1 [0138.587] lstrcmpiW (lpString1="3130B1871A126520A8C47861EFE3ED4D", lpString2="$Recycle.bin") returned 1 [0138.587] lstrcmpiW (lpString1="3130B1871A126520A8C47861EFE3ED4D", lpString2="System Volume Information") returned -1 [0138.587] lstrcmpiW (lpString1="3130B1871A126520A8C47861EFE3ED4D", lpString2=".") returned 1 [0138.587] lstrcmpiW (lpString1="3130B1871A126520A8C47861EFE3ED4D", lpString2="..") returned 1 [0138.587] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3130B1871A126520A8C47861EFE3ED4D") returned 118 [0138.587] lstrcmpW (lpString1="3130B1871A126520A8C47861EFE3ED4D", lpString2="PUSSY.TXT") returned -1 [0138.587] PathFindExtensionW (pszPath="3130B1871A126520A8C47861EFE3ED4D") returned="" [0138.587] lstrlenW (lpString="") returned 0 [0138.587] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0138.587] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3130B1871A126520A8C47861EFE3ED4D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\3130b1871a126520a8c47861efe3ed4d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0138.589] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=521) returned 1 [0138.589] GetProcessHeap () returned 0x4c0000 [0138.589] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0138.598] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="40") returned 2 [0138.598] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="BB") returned 2 [0138.598] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="0B") returned 2 [0138.598] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="3E") returned 2 [0138.598] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="67") returned 2 [0138.598] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="86") returned 2 [0138.598] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="11") returned 2 [0138.598] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="55") returned 2 [0138.598] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="33") returned 2 [0138.598] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="C3") returned 2 [0138.598] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="49") returned 2 [0138.598] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="26") returned 2 [0138.598] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="E7") returned 2 [0138.598] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="5D") returned 2 [0138.598] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="63") returned 2 [0138.598] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="00") returned 2 [0138.598] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="8E") returned 2 [0138.598] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="B9") returned 2 [0138.598] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="0C") returned 2 [0138.598] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="1A") returned 2 [0138.598] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="97") returned 2 [0138.598] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="3E") returned 2 [0138.598] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="E6") returned 2 [0138.598] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="7E") returned 2 [0138.598] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="80") returned 2 [0138.598] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="FF") returned 2 [0138.598] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="A8") returned 2 [0138.599] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="59") returned 2 [0138.599] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="91") returned 2 [0138.599] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="53") returned 2 [0138.599] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="11") returned 2 [0138.599] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="4E") returned 2 [0138.607] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3130B1871A126520A8C47861EFE3ED4D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3130B1871A126520A8C47861EFE3ED4D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3130B1871A126520A8C47861EFE3ED4D" [0138.607] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3130B1871A126520A8C47861EFE3ED4D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3130B1871A126520A8C47861EFE3ED4D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3130B1871A126520A8C47861EFE3ED4D" [0138.607] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3130B1871A126520A8C47861EFE3ED4D", lpString2=".40BB0B3E6786115533C34926E75D63008EB90C1A973EE67E80FFA8599153114E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3130B1871A126520A8C47861EFE3ED4D.40BB0B3E6786115533C34926E75D63008EB90C1A973EE67E80FFA8599153114E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3130B1871A126520A8C47861EFE3ED4D.40BB0B3E6786115533C34926E75D63008EB90C1A973EE67E80FFA8599153114E" [0138.607] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0138.607] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0138.607] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x53fdc930, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x53fdc930, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbf16fc70, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x58b, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D", cAlternateFileName="3388EC~1")) returned 1 [0138.608] lstrcmpiW (lpString1="3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D", lpString2="Windows") returned -1 [0138.608] lstrcmpiW (lpString1="3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D", lpString2="Program Files") returned -1 [0138.608] lstrcmpiW (lpString1="3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D", lpString2="Program Files (x86)") returned -1 [0138.608] lstrcmpiW (lpString1="3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D", lpString2="$Recycle.bin") returned 1 [0138.608] lstrcmpiW (lpString1="3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D", lpString2="System Volume Information") returned -1 [0138.608] lstrcmpiW (lpString1="3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D", lpString2=".") returned 1 [0138.608] lstrcmpiW (lpString1="3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D", lpString2="..") returned 1 [0138.608] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D") returned 151 [0138.608] lstrcmpW (lpString1="3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D", lpString2="PUSSY.TXT") returned -1 [0138.608] PathFindExtensionW (pszPath="3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D") returned="" [0138.608] lstrlenW (lpString="") returned 0 [0138.608] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0138.608] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\3388ecc3f7bc4a9271c10ed8621e5a65_f55c512047947b70f94de5dec6d6838d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0138.609] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=1419) returned 1 [0138.609] GetProcessHeap () returned 0x4c0000 [0138.609] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x553b30 [0138.618] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="E9") returned 2 [0138.618] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="9A") returned 2 [0138.619] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="76") returned 2 [0138.619] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="F6") returned 2 [0138.619] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="78") returned 2 [0138.619] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="8D") returned 2 [0138.619] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="B5") returned 2 [0138.619] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="35") returned 2 [0138.619] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="D1") returned 2 [0138.619] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="44") returned 2 [0138.619] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="F7") returned 2 [0138.619] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="44") returned 2 [0138.619] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="5F") returned 2 [0138.619] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="43") returned 2 [0138.619] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="D4") returned 2 [0138.619] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="15") returned 2 [0138.619] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="51") returned 2 [0138.627] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="FC") returned 2 [0138.627] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="BC") returned 2 [0138.627] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="46") returned 2 [0138.627] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="99") returned 2 [0138.627] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="A6") returned 2 [0138.627] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="E0") returned 2 [0138.627] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="00") returned 2 [0138.627] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="C1") returned 2 [0138.627] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="51") returned 2 [0138.627] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="F4") returned 2 [0138.627] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="1C") returned 2 [0138.627] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="E0") returned 2 [0138.627] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="5B") returned 2 [0138.627] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="51") returned 2 [0138.627] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="3F") returned 2 [0138.636] lstrcpyW (in: lpString1=0x563b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D" [0138.636] lstrcpyW (in: lpString1=0x553b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D" [0138.636] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D", lpString2=".E99A76F6788DB535D144F7445F43D41551FCBC4699A6E000C151F41CE05B513F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D.E99A76F6788DB535D144F7445F43D41551FCBC4699A6E000C151F41CE05B513F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D.E99A76F6788DB535D144F7445F43D41551FCBC4699A6E000C151F41CE05B513F" [0138.636] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x553b30, NumberOfConcurrentThreads=0x0) returned 0x94 [0138.636] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x553b30, lpOverlapped=0x553b30) returned 1 [0138.638] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x53b19d30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x53b19d30, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54583d70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb68, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", cAlternateFileName="40E450~1")) returned 1 [0138.638] lstrcmpiW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2="Windows") returned -1 [0138.638] lstrcmpiW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2="Program Files") returned -1 [0138.638] lstrcmpiW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2="Program Files (x86)") returned -1 [0138.638] lstrcmpiW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2="$Recycle.bin") returned 1 [0138.638] lstrcmpiW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2="System Volume Information") returned -1 [0138.638] lstrcmpiW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2=".") returned 1 [0138.638] lstrcmpiW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2="..") returned 1 [0138.638] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1") returned 151 [0138.638] lstrcmpW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2="PUSSY.TXT") returned -1 [0138.638] PathFindExtensionW (pszPath="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1") returned="" [0138.642] lstrlenW (lpString="") returned 0 [0138.642] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0138.642] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\40e450f7ce13419a2ccc2a5445035a0a_06f02b1f13ab4b11b8fc669bde565af1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0138.644] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=2920) returned 1 [0138.644] GetProcessHeap () returned 0x4c0000 [0138.644] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0138.654] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="9E") returned 2 [0138.654] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="79") returned 2 [0138.654] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="BC") returned 2 [0138.654] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="6D") returned 2 [0138.654] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="5A") returned 2 [0138.654] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="35") returned 2 [0138.654] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="16") returned 2 [0138.654] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="65") returned 2 [0138.654] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="4D") returned 2 [0138.654] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="AA") returned 2 [0138.654] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="67") returned 2 [0138.654] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="92") returned 2 [0138.654] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="E1") returned 2 [0138.654] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="19") returned 2 [0138.654] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="BF") returned 2 [0138.654] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="7A") returned 2 [0138.654] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="A5") returned 2 [0138.654] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="12") returned 2 [0138.654] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="0F") returned 2 [0138.654] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="03") returned 2 [0138.654] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="7E") returned 2 [0138.654] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="EC") returned 2 [0138.654] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="03") returned 2 [0138.654] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="C5") returned 2 [0138.654] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="C1") returned 2 [0138.654] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="AF") returned 2 [0138.654] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="88") returned 2 [0138.654] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="DE") returned 2 [0138.654] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="A9") returned 2 [0138.654] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="92") returned 2 [0138.654] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="D5") returned 2 [0138.655] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="0A") returned 2 [0138.663] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1" [0138.663] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1" [0138.663] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2=".9E79BC6D5A3516654DAA6792E119BF7AA5120F037EEC03C5C1AF88DEA992D50A" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1.9E79BC6D5A3516654DAA6792E119BF7AA5120F037EEC03C5C1AF88DEA992D50A") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1.9E79BC6D5A3516654DAA6792E119BF7AA5120F037EEC03C5C1AF88DEA992D50A" [0138.664] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0138.664] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0138.664] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x54537ab0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54537ab0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xae76e7e0, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x1d7, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398", cAlternateFileName="4C8F84~1")) returned 1 [0138.668] lstrcmpiW (lpString1="4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398", lpString2="Windows") returned -1 [0138.668] lstrcmpiW (lpString1="4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398", lpString2="Program Files") returned -1 [0138.668] lstrcmpiW (lpString1="4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398", lpString2="Program Files (x86)") returned -1 [0138.668] lstrcmpiW (lpString1="4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398", lpString2="$Recycle.bin") returned 1 [0138.668] lstrcmpiW (lpString1="4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398", lpString2="System Volume Information") returned -1 [0138.668] lstrcmpiW (lpString1="4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398", lpString2=".") returned 1 [0138.671] lstrcmpiW (lpString1="4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398", lpString2="..") returned 1 [0138.671] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398") returned 151 [0138.671] lstrcmpW (lpString1="4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398", lpString2="PUSSY.TXT") returned -1 [0138.671] PathFindExtensionW (pszPath="4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398") returned="" [0138.671] lstrlenW (lpString="") returned 0 [0138.671] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0138.671] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\4c8f841fb02dec8c10108028db86a08d_8dafffd2d43bdc7a1717f5b61c303398"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0138.672] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=471) returned 1 [0138.672] CloseHandle (hObject=0x184) returned 1 [0138.672] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x7295ee20, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7295ee20, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xadfb2060, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x680, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9", cAlternateFileName="4DD397~1")) returned 1 [0138.672] lstrcmpiW (lpString1="4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9", lpString2="Windows") returned -1 [0138.672] lstrcmpiW (lpString1="4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9", lpString2="Program Files") returned -1 [0138.672] lstrcmpiW (lpString1="4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9", lpString2="Program Files (x86)") returned -1 [0138.672] lstrcmpiW (lpString1="4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9", lpString2="$Recycle.bin") returned 1 [0138.672] lstrcmpiW (lpString1="4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9", lpString2="System Volume Information") returned -1 [0138.672] lstrcmpiW (lpString1="4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9", lpString2=".") returned 1 [0138.672] lstrcmpiW (lpString1="4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9", lpString2="..") returned 1 [0138.673] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9") returned 151 [0138.673] lstrcmpW (lpString1="4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9", lpString2="PUSSY.TXT") returned -1 [0138.673] PathFindExtensionW (pszPath="4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9") returned="" [0138.673] lstrlenW (lpString="") returned 0 [0138.673] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0138.673] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\4dd39726d4b55ac3b4119b35a893323c_46cccfb940a93f39a734f69efcdd76e9"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0138.673] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=1664) returned 1 [0138.673] GetProcessHeap () returned 0x4c0000 [0138.673] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0138.684] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="8C") returned 2 [0138.684] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="92") returned 2 [0138.684] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="2E") returned 2 [0138.684] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="14") returned 2 [0138.684] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="93") returned 2 [0138.684] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="0B") returned 2 [0138.684] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="01") returned 2 [0138.684] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="7F") returned 2 [0138.684] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="4F") returned 2 [0138.684] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="9A") returned 2 [0138.684] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="2F") returned 2 [0138.684] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="5F") returned 2 [0138.684] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="6A") returned 2 [0138.684] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="FD") returned 2 [0138.684] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="5B") returned 2 [0138.684] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="D9") returned 2 [0138.684] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="AB") returned 2 [0138.684] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="4A") returned 2 [0138.684] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="E7") returned 2 [0138.684] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="35") returned 2 [0138.684] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="C0") returned 2 [0138.684] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="D3") returned 2 [0138.684] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="F7") returned 2 [0138.684] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="3E") returned 2 [0138.684] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="9B") returned 2 [0138.685] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="84") returned 2 [0138.685] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="76") returned 2 [0138.685] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="64") returned 2 [0138.685] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="05") returned 2 [0138.685] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="B6") returned 2 [0138.685] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="23") returned 2 [0138.685] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="46") returned 2 [0138.693] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9" [0138.693] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9" [0138.693] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9", lpString2=".8C922E14930B017F4F9A2F5F6AFD5BD9AB4AE735C0D3F73E9B84766405B62346" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9.8C922E14930B017F4F9A2F5F6AFD5BD9AB4AE735C0D3F73E9B84766405B62346") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9.8C922E14930B017F4F9A2F5F6AFD5BD9AB4AE735C0D3F73E9B84766405B62346" [0138.693] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0138.693] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0138.699] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xbf8b9fd0, ftCreationTime.dwHighDateTime=0x1d2faf2, ftLastAccessTime.dwLowDateTime=0xbf8b9fd0, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xbf8b9fd0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x2d7, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77", cAlternateFileName="5080DC~2")) returned 1 [0138.699] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77", lpString2="Windows") returned -1 [0138.700] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77", lpString2="Program Files") returned -1 [0138.700] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77", lpString2="Program Files (x86)") returned -1 [0138.700] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77", lpString2="$Recycle.bin") returned 1 [0138.700] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77", lpString2="System Volume Information") returned -1 [0138.700] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77", lpString2=".") returned 1 [0138.700] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77", lpString2="..") returned 1 [0138.700] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77") returned 151 [0138.700] lstrcmpW (lpString1="5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77", lpString2="PUSSY.TXT") returned -1 [0138.700] PathFindExtensionW (pszPath="5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77") returned="" [0138.700] lstrlenW (lpString="") returned 0 [0138.700] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0138.700] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\5080dc7a65db6a5960ecd874088f3328_2908f682dfc81a793bd240cf29711c77"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0138.701] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=727) returned 1 [0138.701] GetProcessHeap () returned 0x4c0000 [0138.701] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x553b30 [0138.710] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="A7") returned 2 [0138.710] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="56") returned 2 [0138.710] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="49") returned 2 [0138.710] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="54") returned 2 [0138.710] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="24") returned 2 [0138.710] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="E1") returned 2 [0138.710] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="E6") returned 2 [0138.710] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="92") returned 2 [0138.710] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="C7") returned 2 [0138.710] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="98") returned 2 [0138.710] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="CE") returned 2 [0138.710] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="01") returned 2 [0138.710] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="F0") returned 2 [0138.710] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="4B") returned 2 [0138.711] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="19") returned 2 [0138.711] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="E0") returned 2 [0138.711] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="11") returned 2 [0138.711] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="83") returned 2 [0138.711] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="3A") returned 2 [0138.711] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="60") returned 2 [0138.711] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="CF") returned 2 [0138.711] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="AC") returned 2 [0138.711] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="0B") returned 2 [0138.711] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="37") returned 2 [0138.711] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="95") returned 2 [0138.711] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="20") returned 2 [0138.711] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="B2") returned 2 [0138.711] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="AA") returned 2 [0138.711] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="0C") returned 2 [0138.711] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="35") returned 2 [0138.711] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="1B") returned 2 [0138.711] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="0B") returned 2 [0138.720] lstrcpyW (in: lpString1=0x563b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77" [0138.720] lstrcpyW (in: lpString1=0x553b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77" [0138.720] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77", lpString2=".A756495424E1E692C798CE01F04B19E011833A60CFAC0B379520B2AA0C351B0B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77.A756495424E1E692C798CE01F04B19E011833A60CFAC0B379520B2AA0C351B0B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77.A756495424E1E692C798CE01F04B19E011833A60CFAC0B379520B2AA0C351B0B" [0138.720] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x553b30, NumberOfConcurrentThreads=0x0) returned 0x94 [0138.720] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x553b30, lpOverlapped=0x553b30) returned 1 [0138.733] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xbf86dd10, ftCreationTime.dwHighDateTime=0x1d2faf2, ftLastAccessTime.dwLowDateTime=0xbf86dd10, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xbf86dd10, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x2d7, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220", cAlternateFileName="5080DC~1")) returned 1 [0138.733] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220", lpString2="Windows") returned -1 [0138.733] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220", lpString2="Program Files") returned -1 [0138.733] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220", lpString2="Program Files (x86)") returned -1 [0138.733] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220", lpString2="$Recycle.bin") returned 1 [0138.733] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220", lpString2="System Volume Information") returned -1 [0138.733] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220", lpString2=".") returned 1 [0138.736] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220", lpString2="..") returned 1 [0138.736] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220") returned 151 [0138.736] lstrcmpW (lpString1="5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220", lpString2="PUSSY.TXT") returned -1 [0138.736] PathFindExtensionW (pszPath="5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220") returned="" [0138.736] lstrlenW (lpString="") returned 0 [0138.736] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0138.736] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\5080dc7a65db6a5960ecd874088f3328_6cba2c06d5985dd95ae59af8fc7c6220"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0138.736] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=727) returned 1 [0138.736] GetProcessHeap () returned 0x4c0000 [0138.736] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x553b30 [0138.745] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="BC") returned 2 [0138.745] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="19") returned 2 [0138.745] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="67") returned 2 [0138.745] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="CC") returned 2 [0138.745] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="FE") returned 2 [0138.745] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="11") returned 2 [0138.745] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="30") returned 2 [0138.745] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="3C") returned 2 [0138.745] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="65") returned 2 [0138.745] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="F0") returned 2 [0138.745] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="77") returned 2 [0138.745] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="6E") returned 2 [0138.745] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="F7") returned 2 [0138.746] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="F3") returned 2 [0138.746] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="43") returned 2 [0138.746] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="1E") returned 2 [0138.746] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="FA") returned 2 [0138.746] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="B8") returned 2 [0138.746] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="27") returned 2 [0138.746] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="8E") returned 2 [0138.746] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="7D") returned 2 [0138.746] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="DB") returned 2 [0138.746] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="9A") returned 2 [0138.746] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="F3") returned 2 [0138.746] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="C5") returned 2 [0138.746] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="A3") returned 2 [0138.746] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="05") returned 2 [0138.746] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="39") returned 2 [0138.746] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="3F") returned 2 [0138.746] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="45") returned 2 [0138.746] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="22") returned 2 [0138.746] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="7A") returned 2 [0138.754] lstrcpyW (in: lpString1=0x563b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220" [0138.754] lstrcpyW (in: lpString1=0x553b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220" [0138.754] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220", lpString2=".BC1967CCFE11303C65F0776EF7F3431EFAB8278E7DDB9AF3C5A305393F45227A" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220.BC1967CCFE11303C65F0776EF7F3431EFAB8278E7DDB9AF3C5A305393F45227A") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220.BC1967CCFE11303C65F0776EF7F3431EFAB8278E7DDB9AF3C5A305393F45227A" [0138.754] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x553b30, NumberOfConcurrentThreads=0x0) returned 0x94 [0138.754] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x553b30, lpOverlapped=0x553b30) returned 1 [0138.755] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xbf763370, ftCreationTime.dwHighDateTime=0x1d2faf2, ftLastAccessTime.dwLowDateTime=0xbf763370, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xbf7af630, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x1d7, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4", cAlternateFileName="5457A8~1")) returned 1 [0138.755] lstrcmpiW (lpString1="5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4", lpString2="Windows") returned -1 [0138.755] lstrcmpiW (lpString1="5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4", lpString2="Program Files") returned -1 [0138.757] lstrcmpiW (lpString1="5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4", lpString2="Program Files (x86)") returned -1 [0138.757] lstrcmpiW (lpString1="5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4", lpString2="$Recycle.bin") returned 1 [0138.757] lstrcmpiW (lpString1="5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4", lpString2="System Volume Information") returned -1 [0138.757] lstrcmpiW (lpString1="5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4", lpString2=".") returned 1 [0138.757] lstrcmpiW (lpString1="5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4", lpString2="..") returned 1 [0138.757] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4") returned 151 [0138.757] lstrcmpW (lpString1="5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4", lpString2="PUSSY.TXT") returned -1 [0138.757] PathFindExtensionW (pszPath="5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4") returned="" [0138.757] lstrlenW (lpString="") returned 0 [0138.757] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0138.757] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\5457a8ce4b2a7499f8299a013b6e1c7c_ce50f893881d43dc0c815e4d80faf2b4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0138.778] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=471) returned 1 [0138.778] CloseHandle (hObject=0x178) returned 1 [0138.778] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xed9b0820, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xed9b0820, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xed9b0820, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x32d, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="696F3DE637E6DE85B458996D49D759AD", cAlternateFileName="696F3D~1")) returned 1 [0138.778] lstrcmpiW (lpString1="696F3DE637E6DE85B458996D49D759AD", lpString2="Windows") returned -1 [0138.778] lstrcmpiW (lpString1="696F3DE637E6DE85B458996D49D759AD", lpString2="Program Files") returned -1 [0138.778] lstrcmpiW (lpString1="696F3DE637E6DE85B458996D49D759AD", lpString2="Program Files (x86)") returned -1 [0138.778] lstrcmpiW (lpString1="696F3DE637E6DE85B458996D49D759AD", lpString2="$Recycle.bin") returned 1 [0138.778] lstrcmpiW (lpString1="696F3DE637E6DE85B458996D49D759AD", lpString2="System Volume Information") returned -1 [0138.778] lstrcmpiW (lpString1="696F3DE637E6DE85B458996D49D759AD", lpString2=".") returned 1 [0138.779] lstrcmpiW (lpString1="696F3DE637E6DE85B458996D49D759AD", lpString2="..") returned 1 [0138.779] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\696F3DE637E6DE85B458996D49D759AD") returned 118 [0138.779] lstrcmpW (lpString1="696F3DE637E6DE85B458996D49D759AD", lpString2="PUSSY.TXT") returned -1 [0138.779] PathFindExtensionW (pszPath="696F3DE637E6DE85B458996D49D759AD") returned="" [0138.779] lstrlenW (lpString="") returned 0 [0138.779] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0138.779] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\696F3DE637E6DE85B458996D49D759AD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\696f3de637e6de85b458996d49d759ad"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0138.780] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=813) returned 1 [0138.780] GetProcessHeap () returned 0x4c0000 [0138.780] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x553b30 [0138.788] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="CE") returned 2 [0138.788] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="4B") returned 2 [0138.789] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="B4") returned 2 [0138.789] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="BC") returned 2 [0138.789] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="2E") returned 2 [0138.789] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="54") returned 2 [0138.789] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="24") returned 2 [0138.789] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="9D") returned 2 [0138.789] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="82") returned 2 [0138.789] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="4D") returned 2 [0138.789] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="3A") returned 2 [0138.789] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="7C") returned 2 [0138.789] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="AD") returned 2 [0138.789] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="89") returned 2 [0138.789] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="5B") returned 2 [0138.789] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="FE") returned 2 [0138.789] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="27") returned 2 [0138.789] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="9B") returned 2 [0138.789] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="4D") returned 2 [0138.789] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="7B") returned 2 [0138.789] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="5C") returned 2 [0138.789] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="5C") returned 2 [0138.789] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="16") returned 2 [0138.789] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="8F") returned 2 [0138.789] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="29") returned 2 [0138.789] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="AD") returned 2 [0138.789] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="40") returned 2 [0138.789] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="C4") returned 2 [0138.789] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="14") returned 2 [0138.789] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="6F") returned 2 [0138.789] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="70") returned 2 [0138.789] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="02") returned 2 [0138.798] lstrcpyW (in: lpString1=0x563b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\696F3DE637E6DE85B458996D49D759AD" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\696F3DE637E6DE85B458996D49D759AD") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\696F3DE637E6DE85B458996D49D759AD" [0138.798] lstrcpyW (in: lpString1=0x553b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\696F3DE637E6DE85B458996D49D759AD" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\696F3DE637E6DE85B458996D49D759AD") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\696F3DE637E6DE85B458996D49D759AD" [0138.798] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\696F3DE637E6DE85B458996D49D759AD", lpString2=".CE4BB4BC2E54249D824D3A7CAD895BFE279B4D7B5C5C168F29AD40C4146F7002" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\696F3DE637E6DE85B458996D49D759AD.CE4BB4BC2E54249D824D3A7CAD895BFE279B4D7B5C5C168F29AD40C4146F7002") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\696F3DE637E6DE85B458996D49D759AD.CE4BB4BC2E54249D824D3A7CAD895BFE279B4D7B5C5C168F29AD40C4146F7002" [0138.798] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x553b30, NumberOfConcurrentThreads=0x0) returned 0x94 [0138.798] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x553b30, lpOverlapped=0x553b30) returned 1 [0138.799] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xbf763370, ftCreationTime.dwHighDateTime=0x1d2faf2, ftLastAccessTime.dwLowDateTime=0xbf763370, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xbf763370, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x648, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21", cAlternateFileName="705A76~1")) returned 1 [0138.799] lstrcmpiW (lpString1="705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21", lpString2="Windows") returned -1 [0138.802] lstrcmpiW (lpString1="705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21", lpString2="Program Files") returned -1 [0138.802] lstrcmpiW (lpString1="705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21", lpString2="Program Files (x86)") returned -1 [0138.802] lstrcmpiW (lpString1="705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21", lpString2="$Recycle.bin") returned 1 [0138.802] lstrcmpiW (lpString1="705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21", lpString2="System Volume Information") returned -1 [0138.802] lstrcmpiW (lpString1="705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21", lpString2=".") returned 1 [0138.802] lstrcmpiW (lpString1="705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21", lpString2="..") returned 1 [0138.802] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21") returned 151 [0138.802] lstrcmpW (lpString1="705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21", lpString2="PUSSY.TXT") returned -1 [0138.802] PathFindExtensionW (pszPath="705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21") returned="" [0138.803] lstrlenW (lpString="") returned 0 [0138.803] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0138.803] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\705a76de71ea2caebb8f0907449ce086_9752c5b2d53ee7a19f7764b52968ec21"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d4 [0138.804] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=1608) returned 1 [0138.804] GetProcessHeap () returned 0x4c0000 [0138.804] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0138.816] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="D2") returned 2 [0138.816] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="25") returned 2 [0138.816] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="2D") returned 2 [0138.816] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="4B") returned 2 [0138.816] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="7F") returned 2 [0138.816] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="FE") returned 2 [0138.816] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="0F") returned 2 [0138.816] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="26") returned 2 [0138.816] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="B5") returned 2 [0138.816] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="E7") returned 2 [0138.816] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="CD") returned 2 [0138.816] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="5B") returned 2 [0138.816] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="5F") returned 2 [0138.816] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="74") returned 2 [0138.816] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="57") returned 2 [0138.816] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="C8") returned 2 [0138.816] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="B6") returned 2 [0138.816] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="67") returned 2 [0138.816] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="F2") returned 2 [0138.816] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="BA") returned 2 [0138.816] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="70") returned 2 [0138.816] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="F9") returned 2 [0138.817] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="BA") returned 2 [0138.817] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="90") returned 2 [0138.817] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="F5") returned 2 [0138.817] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="67") returned 2 [0138.817] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="8A") returned 2 [0138.817] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="43") returned 2 [0138.817] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="09") returned 2 [0138.817] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="8D") returned 2 [0138.817] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="A0") returned 2 [0138.817] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="4C") returned 2 [0138.847] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21" [0138.847] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21" [0138.847] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21", lpString2=".D2252D4B7FFE0F26B5E7CD5B5F7457C8B667F2BA70F9BA90F5678A43098DA04C" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21.D2252D4B7FFE0F26B5E7CD5B5F7457C8B667F2BA70F9BA90F5678A43098DA04C") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21.D2252D4B7FFE0F26B5E7CD5B5F7457C8B667F2BA70F9BA90F5678A43098DA04C" [0138.847] CreateIoCompletionPort (FileHandle=0x1d4, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0138.847] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0138.847] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xedb2d5e0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedb2d5e0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedb2d5e0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x22a, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="7396C420A8E1BC1DA97F1AF0D10BAD21", cAlternateFileName="7396C4~1")) returned 1 [0138.847] lstrcmpiW (lpString1="7396C420A8E1BC1DA97F1AF0D10BAD21", lpString2="Windows") returned -1 [0138.847] lstrcmpiW (lpString1="7396C420A8E1BC1DA97F1AF0D10BAD21", lpString2="Program Files") returned -1 [0138.847] lstrcmpiW (lpString1="7396C420A8E1BC1DA97F1AF0D10BAD21", lpString2="Program Files (x86)") returned -1 [0138.847] lstrcmpiW (lpString1="7396C420A8E1BC1DA97F1AF0D10BAD21", lpString2="$Recycle.bin") returned 1 [0138.847] lstrcmpiW (lpString1="7396C420A8E1BC1DA97F1AF0D10BAD21", lpString2="System Volume Information") returned -1 [0138.847] lstrcmpiW (lpString1="7396C420A8E1BC1DA97F1AF0D10BAD21", lpString2=".") returned 1 [0138.847] lstrcmpiW (lpString1="7396C420A8E1BC1DA97F1AF0D10BAD21", lpString2="..") returned 1 [0138.847] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7396C420A8E1BC1DA97F1AF0D10BAD21") returned 118 [0138.848] lstrcmpW (lpString1="7396C420A8E1BC1DA97F1AF0D10BAD21", lpString2="PUSSY.TXT") returned -1 [0138.848] PathFindExtensionW (pszPath="7396C420A8E1BC1DA97F1AF0D10BAD21") returned="" [0138.848] lstrlenW (lpString="") returned 0 [0138.848] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0138.848] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7396C420A8E1BC1DA97F1AF0D10BAD21" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7396c420a8e1bc1da97f1af0d10bad21"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x128 [0138.849] GetFileSizeEx (in: hFile=0x128, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=554) returned 1 [0138.849] GetProcessHeap () returned 0x4c0000 [0138.849] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c28098 [0138.865] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="CF") returned 2 [0138.865] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="C7") returned 2 [0138.865] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="37") returned 2 [0138.865] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="D9") returned 2 [0138.865] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="DE") returned 2 [0138.865] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="E2") returned 2 [0138.865] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="CE") returned 2 [0138.865] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="C6") returned 2 [0138.865] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="67") returned 2 [0138.865] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="3C") returned 2 [0138.865] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="F2") returned 2 [0138.866] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="EF") returned 2 [0138.866] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="2A") returned 2 [0138.866] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="5C") returned 2 [0138.866] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="D1") returned 2 [0138.866] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="8A") returned 2 [0138.866] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="93") returned 2 [0138.866] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="E4") returned 2 [0138.866] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="E8") returned 2 [0138.866] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="57") returned 2 [0138.866] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="4B") returned 2 [0138.866] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="BC") returned 2 [0138.866] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="5B") returned 2 [0138.866] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="5A") returned 2 [0138.866] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="74") returned 2 [0138.866] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="35") returned 2 [0138.866] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="CA") returned 2 [0138.866] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="0F") returned 2 [0138.866] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="CA") returned 2 [0138.866] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="D5") returned 2 [0138.866] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="A5") returned 2 [0138.866] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="75") returned 2 [0138.879] lstrcpyW (in: lpString1=0x3c380cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7396C420A8E1BC1DA97F1AF0D10BAD21" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7396C420A8E1BC1DA97F1AF0D10BAD21") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7396C420A8E1BC1DA97F1AF0D10BAD21" [0138.879] lstrcpyW (in: lpString1=0x3c280cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7396C420A8E1BC1DA97F1AF0D10BAD21" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7396C420A8E1BC1DA97F1AF0D10BAD21") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7396C420A8E1BC1DA97F1AF0D10BAD21" [0138.879] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7396C420A8E1BC1DA97F1AF0D10BAD21", lpString2=".CFC737D9DEE2CEC6673CF2EF2A5CD18A93E4E8574BBC5B5A7435CA0FCAD5A575" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7396C420A8E1BC1DA97F1AF0D10BAD21.CFC737D9DEE2CEC6673CF2EF2A5CD18A93E4E8574BBC5B5A7435CA0FCAD5A575") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7396C420A8E1BC1DA97F1AF0D10BAD21.CFC737D9DEE2CEC6673CF2EF2A5CD18A93E4E8574BBC5B5A7435CA0FCAD5A575" [0138.879] CreateIoCompletionPort (FileHandle=0x128, ExistingCompletionPort=0x94, CompletionKey=0x3c28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0138.879] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c28098, lpOverlapped=0x3c28098) returned 1 [0138.879] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x540c1170, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x540c1170, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x312640, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x1d7, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6", cAlternateFileName="7423F8~1")) returned 1 [0138.879] lstrcmpiW (lpString1="7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6", lpString2="Windows") returned -1 [0138.879] lstrcmpiW (lpString1="7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6", lpString2="Program Files") returned -1 [0138.880] lstrcmpiW (lpString1="7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6", lpString2="Program Files (x86)") returned -1 [0138.880] lstrcmpiW (lpString1="7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6", lpString2="$Recycle.bin") returned 1 [0138.880] lstrcmpiW (lpString1="7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6", lpString2="System Volume Information") returned -1 [0138.880] lstrcmpiW (lpString1="7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6", lpString2=".") returned 1 [0138.880] lstrcmpiW (lpString1="7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6", lpString2="..") returned 1 [0138.880] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6") returned 151 [0138.880] lstrcmpW (lpString1="7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6", lpString2="PUSSY.TXT") returned -1 [0138.880] PathFindExtensionW (pszPath="7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6") returned="" [0138.880] lstrlenW (lpString="") returned 0 [0138.880] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0138.880] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7423f88c7f265f0defc08ea88c3bde45_d975bba8033175c8d112023d8a7a8ad6"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x128 [0138.899] GetFileSizeEx (in: hFile=0x128, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=471) returned 1 [0138.899] CloseHandle (hObject=0x128) returned 1 [0138.899] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x28dbdd20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28dbdd20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd0e4c510, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x1fa, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="7B2238AACCEDC3F1FFE8E7EB5F575EC9", cAlternateFileName="7B2238~1")) returned 1 [0138.899] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="Windows") returned -1 [0138.899] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="Program Files") returned -1 [0138.899] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="Program Files (x86)") returned -1 [0138.899] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="$Recycle.bin") returned 1 [0138.899] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="System Volume Information") returned -1 [0138.899] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2=".") returned 1 [0138.899] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="..") returned 1 [0138.899] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9") returned 118 [0138.900] lstrcmpW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="PUSSY.TXT") returned -1 [0138.900] PathFindExtensionW (pszPath="7B2238AACCEDC3F1FFE8E7EB5F575EC9") returned="" [0138.900] lstrlenW (lpString="") returned 0 [0138.900] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0138.900] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7b2238aaccedc3f1ffe8e7eb5f575ec9"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x128 [0138.901] GetFileSizeEx (in: hFile=0x128, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=506) returned 1 [0138.901] CloseHandle (hObject=0x128) returned 1 [0138.901] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x6b2324c0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x6b2324c0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x6b2324c0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x67c, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D", cAlternateFileName="7B8944~1")) returned 1 [0138.901] lstrcmpiW (lpString1="7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D", lpString2="Windows") returned -1 [0138.901] lstrcmpiW (lpString1="7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D", lpString2="Program Files") returned -1 [0138.901] lstrcmpiW (lpString1="7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D", lpString2="Program Files (x86)") returned -1 [0138.901] lstrcmpiW (lpString1="7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D", lpString2="$Recycle.bin") returned 1 [0138.901] lstrcmpiW (lpString1="7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D", lpString2="System Volume Information") returned -1 [0138.901] lstrcmpiW (lpString1="7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D", lpString2=".") returned 1 [0138.901] lstrcmpiW (lpString1="7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D", lpString2="..") returned 1 [0138.901] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D") returned 151 [0138.902] lstrcmpW (lpString1="7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D", lpString2="PUSSY.TXT") returned -1 [0138.902] PathFindExtensionW (pszPath="7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D") returned="" [0138.902] lstrlenW (lpString="") returned 0 [0138.902] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0138.902] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7b8944ba8ad0efdf0e01a43ef62becd0_b2db1cc4b5f2d2a802d56aaed525802d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x128 [0138.902] GetFileSizeEx (in: hFile=0x128, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=1660) returned 1 [0138.902] GetProcessHeap () returned 0x4c0000 [0138.902] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0138.911] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="97") returned 2 [0138.911] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="CD") returned 2 [0138.911] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="63") returned 2 [0138.911] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="73") returned 2 [0138.911] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="4F") returned 2 [0138.911] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="06") returned 2 [0138.911] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="D0") returned 2 [0138.911] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="8D") returned 2 [0138.911] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="1E") returned 2 [0138.911] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="95") returned 2 [0138.911] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="69") returned 2 [0138.911] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="54") returned 2 [0138.911] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="E5") returned 2 [0138.911] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="7C") returned 2 [0138.912] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="AB") returned 2 [0138.912] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="08") returned 2 [0138.912] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="8A") returned 2 [0138.912] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="4D") returned 2 [0138.912] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="35") returned 2 [0138.912] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="8D") returned 2 [0138.912] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="CC") returned 2 [0138.912] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="32") returned 2 [0138.912] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="6B") returned 2 [0138.912] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="DF") returned 2 [0138.912] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="CB") returned 2 [0138.912] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="FD") returned 2 [0138.912] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="84") returned 2 [0138.912] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="B1") returned 2 [0138.912] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="C3") returned 2 [0138.912] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="CB") returned 2 [0138.912] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="1D") returned 2 [0138.912] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="7E") returned 2 [0138.954] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D" [0138.954] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D" [0138.955] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D", lpString2=".97CD63734F06D08D1E956954E57CAB088A4D358DCC326BDFCBFD84B1C3CB1D7E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D.97CD63734F06D08D1E956954E57CAB088A4D358DCC326BDFCBFD84B1C3CB1D7E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D.97CD63734F06D08D1E956954E57CAB088A4D358DCC326BDFCBFD84B1C3CB1D7E" [0138.955] CreateIoCompletionPort (FileHandle=0x128, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0138.955] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0138.959] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x6b199f40, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x6b199f40, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x6b199f40, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x6e3, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6", cAlternateFileName="7D266D~2")) returned 1 [0138.965] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6", lpString2="Windows") returned -1 [0138.965] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6", lpString2="Program Files") returned -1 [0138.965] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6", lpString2="Program Files (x86)") returned -1 [0138.965] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6", lpString2="$Recycle.bin") returned 1 [0138.965] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6", lpString2="System Volume Information") returned -1 [0138.965] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6", lpString2=".") returned 1 [0138.965] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6", lpString2="..") returned 1 [0138.965] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6") returned 151 [0138.965] lstrcmpW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6", lpString2="PUSSY.TXT") returned -1 [0138.965] PathFindExtensionW (pszPath="7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6") returned="" [0138.965] lstrlenW (lpString="") returned 0 [0138.965] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0138.965] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7d266d9e1e69fa1eefb9699b009b34c8_0a9bfdd75b598c2110cbf610c078e6e6"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x128 [0138.967] GetFileSizeEx (in: hFile=0x128, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=1763) returned 1 [0138.967] GetProcessHeap () returned 0x4c0000 [0138.967] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0138.980] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="0D") returned 2 [0138.980] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="EB") returned 2 [0138.980] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="C3") returned 2 [0138.980] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="AC") returned 2 [0138.980] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="AD") returned 2 [0138.980] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="FD") returned 2 [0138.980] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="8E") returned 2 [0138.980] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="4E") returned 2 [0138.980] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="CB") returned 2 [0138.980] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="5A") returned 2 [0138.980] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="CC") returned 2 [0138.980] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="6E") returned 2 [0138.980] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="78") returned 2 [0138.980] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="2E") returned 2 [0138.980] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="DC") returned 2 [0138.980] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="BB") returned 2 [0138.980] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="79") returned 2 [0138.980] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="C6") returned 2 [0138.980] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="10") returned 2 [0138.980] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="04") returned 2 [0138.980] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="06") returned 2 [0138.980] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="E6") returned 2 [0138.981] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="17") returned 2 [0138.981] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="07") returned 2 [0138.981] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="F2") returned 2 [0138.981] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="E8") returned 2 [0138.981] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="81") returned 2 [0138.981] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="13") returned 2 [0138.981] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="88") returned 2 [0138.981] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="55") returned 2 [0138.981] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="C9") returned 2 [0138.981] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="6D") returned 2 [0138.993] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6" [0138.993] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6" [0138.993] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6", lpString2=".0DEBC3ACADFD8E4ECB5ACC6E782EDCBB79C6100406E61707F2E881138855C96D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6.0DEBC3ACADFD8E4ECB5ACC6E782EDCBB79C6100406E61707F2E881138855C96D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6.0DEBC3ACADFD8E4ECB5ACC6E782EDCBB79C6100406E61707F2E881138855C96D" [0138.993] CreateIoCompletionPort (FileHandle=0x128, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0138.993] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0138.995] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xefaf7160, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xefaf7160, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xaec313e0, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x6e3, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD", cAlternateFileName="7D266D~1")) returned 1 [0138.995] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD", lpString2="Windows") returned -1 [0138.995] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD", lpString2="Program Files") returned -1 [0138.999] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD", lpString2="Program Files (x86)") returned -1 [0138.999] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD", lpString2="$Recycle.bin") returned 1 [0138.999] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD", lpString2="System Volume Information") returned -1 [0138.999] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD", lpString2=".") returned 1 [0138.999] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD", lpString2="..") returned 1 [0139.002] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD") returned 151 [0139.002] lstrcmpW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD", lpString2="PUSSY.TXT") returned -1 [0139.002] PathFindExtensionW (pszPath="7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD") returned="" [0139.002] lstrlenW (lpString="") returned 0 [0139.002] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0139.002] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7d266d9e1e69fa1eefb9699b009b34c8_1d5a876a9113ec07224c45e5a870e3bd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x128 [0139.003] GetFileSizeEx (in: hFile=0x128, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=1763) returned 1 [0139.003] GetProcessHeap () returned 0x4c0000 [0139.003] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0139.015] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="DC") returned 2 [0139.016] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="DE") returned 2 [0139.016] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="76") returned 2 [0139.016] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="DF") returned 2 [0139.016] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="7C") returned 2 [0139.016] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="8C") returned 2 [0139.016] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="86") returned 2 [0139.016] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="99") returned 2 [0139.016] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="9E") returned 2 [0139.016] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="E9") returned 2 [0139.016] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="A1") returned 2 [0139.016] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="99") returned 2 [0139.016] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="C8") returned 2 [0139.016] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="34") returned 2 [0139.016] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="22") returned 2 [0139.016] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="92") returned 2 [0139.016] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="90") returned 2 [0139.016] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="8E") returned 2 [0139.016] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="99") returned 2 [0139.016] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="59") returned 2 [0139.016] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="11") returned 2 [0139.016] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="33") returned 2 [0139.016] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="FE") returned 2 [0139.016] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="0D") returned 2 [0139.016] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="8C") returned 2 [0139.016] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="7C") returned 2 [0139.017] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="F4") returned 2 [0139.017] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="E1") returned 2 [0139.017] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="14") returned 2 [0139.017] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="1D") returned 2 [0139.017] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="01") returned 2 [0139.017] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="20") returned 2 [0139.029] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD" [0139.029] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD" [0139.029] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD", lpString2=".DCDE76DF7C8C86999EE9A199C8342292908E99591133FE0D8C7CF4E1141D0120" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD.DCDE76DF7C8C86999EE9A199C8342292908E99591133FE0D8C7CF4E1141D0120") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD.DCDE76DF7C8C86999EE9A199C8342292908E99591133FE0D8C7CF4E1141D0120" [0139.029] CreateIoCompletionPort (FileHandle=0x128, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0139.030] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0139.030] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x6056b480, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6056b480, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x1ef687a0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x1cf, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0", cAlternateFileName="8059E9~3")) returned 1 [0139.030] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0", lpString2="Windows") returned -1 [0139.030] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0", lpString2="Program Files") returned -1 [0139.030] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0", lpString2="Program Files (x86)") returned -1 [0139.030] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0", lpString2="$Recycle.bin") returned 1 [0139.030] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0", lpString2="System Volume Information") returned -1 [0139.030] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0", lpString2=".") returned 1 [0139.030] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0", lpString2="..") returned 1 [0139.030] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0") returned 151 [0139.030] lstrcmpW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0", lpString2="PUSSY.TXT") returned -1 [0139.030] PathFindExtensionW (pszPath="8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0") returned="" [0139.030] lstrlenW (lpString="") returned 0 [0139.030] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0139.030] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_234cb5d64705d4dbb4da839716359af0"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0139.037] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=463) returned 1 [0139.037] CloseHandle (hObject=0x184) returned 1 [0139.037] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x61210960, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x61210960, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xaecc9960, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x1cf, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E", cAlternateFileName="80273C~1")) returned 1 [0139.037] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E", lpString2="Windows") returned -1 [0139.037] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E", lpString2="Program Files") returned -1 [0139.037] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E", lpString2="Program Files (x86)") returned -1 [0139.037] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E", lpString2="$Recycle.bin") returned 1 [0139.037] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E", lpString2="System Volume Information") returned -1 [0139.037] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E", lpString2=".") returned 1 [0139.037] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E", lpString2="..") returned 1 [0139.037] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E") returned 151 [0139.037] lstrcmpW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E", lpString2="PUSSY.TXT") returned -1 [0139.038] PathFindExtensionW (pszPath="8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E") returned="" [0139.038] lstrlenW (lpString="") returned 0 [0139.038] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0139.038] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_294110d6990ee392327f8a606d55bc1e"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0139.039] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=463) returned 1 [0139.039] CloseHandle (hObject=0x184) returned 1 [0139.039] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x58e24200, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x58e24200, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xae9f5f40, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x1cf, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1", cAlternateFileName="8059E9~2")) returned 1 [0139.039] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1", lpString2="Windows") returned -1 [0139.040] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1", lpString2="Program Files") returned -1 [0139.040] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1", lpString2="Program Files (x86)") returned -1 [0139.040] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1", lpString2="$Recycle.bin") returned 1 [0139.040] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1", lpString2="System Volume Information") returned -1 [0139.040] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1", lpString2=".") returned 1 [0139.040] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1", lpString2="..") returned 1 [0139.040] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1") returned 151 [0139.040] lstrcmpW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1", lpString2="PUSSY.TXT") returned -1 [0139.040] PathFindExtensionW (pszPath="8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1") returned="" [0139.040] lstrlenW (lpString="") returned 0 [0139.040] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0139.040] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_50167909fcfe0c66153f1901439cbba1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0139.042] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=463) returned 1 [0139.042] CloseHandle (hObject=0x184) returned 1 [0139.042] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x61236ac0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x61236ac0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x3b0b01a0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x1cf, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E", cAlternateFileName="809279~1")) returned 1 [0139.042] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E", lpString2="Windows") returned -1 [0139.042] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E", lpString2="Program Files") returned -1 [0139.042] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E", lpString2="Program Files (x86)") returned -1 [0139.042] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E", lpString2="$Recycle.bin") returned 1 [0139.042] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E", lpString2="System Volume Information") returned -1 [0139.042] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E", lpString2=".") returned 1 [0139.042] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E", lpString2="..") returned 1 [0139.042] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E") returned 151 [0139.042] lstrcmpW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E", lpString2="PUSSY.TXT") returned -1 [0139.042] PathFindExtensionW (pszPath="8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E") returned="" [0139.042] lstrlenW (lpString="") returned 0 [0139.042] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0139.042] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_581c904db5924e46a6c1a8637614a40e"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0139.043] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=463) returned 1 [0139.043] CloseHandle (hObject=0x184) returned 1 [0139.043] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x58394060, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x58394060, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xb0f739c0, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x1cf, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4", cAlternateFileName="8059E9~1")) returned 1 [0139.043] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4", lpString2="Windows") returned -1 [0139.043] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4", lpString2="Program Files") returned -1 [0139.043] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4", lpString2="Program Files (x86)") returned -1 [0139.043] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4", lpString2="$Recycle.bin") returned 1 [0139.043] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4", lpString2="System Volume Information") returned -1 [0139.043] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4", lpString2=".") returned 1 [0139.043] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4", lpString2="..") returned 1 [0139.044] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4") returned 151 [0139.044] lstrcmpW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4", lpString2="PUSSY.TXT") returned -1 [0139.044] PathFindExtensionW (pszPath="8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4") returned="" [0139.044] lstrlenW (lpString="") returned 0 [0139.044] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0139.044] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_5ea65844b9ef5670a9c002cbd85b10a4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0139.045] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=463) returned 1 [0139.045] CloseHandle (hObject=0x184) returned 1 [0139.045] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x62378a40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x62378a40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xae9a9c80, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x1cf, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778", cAlternateFileName="80E4BE~1")) returned 1 [0139.045] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778", lpString2="Windows") returned -1 [0139.045] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778", lpString2="Program Files") returned -1 [0139.046] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778", lpString2="Program Files (x86)") returned -1 [0139.046] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778", lpString2="$Recycle.bin") returned 1 [0139.046] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778", lpString2="System Volume Information") returned -1 [0139.046] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778", lpString2=".") returned 1 [0139.046] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778", lpString2="..") returned 1 [0139.046] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778") returned 151 [0139.046] lstrcmpW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778", lpString2="PUSSY.TXT") returned -1 [0139.046] PathFindExtensionW (pszPath="8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778") returned="" [0139.046] lstrlenW (lpString="") returned 0 [0139.046] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0139.046] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_74e943f7dab6d19e37e4854057155778"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0139.047] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=463) returned 1 [0139.047] CloseHandle (hObject=0x184) returned 1 [0139.047] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x613675c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x613675c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x69bba4a0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x1cf, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED", cAlternateFileName="803B9E~1")) returned 1 [0139.047] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED", lpString2="Windows") returned -1 [0139.047] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED", lpString2="Program Files") returned -1 [0139.047] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED", lpString2="Program Files (x86)") returned -1 [0139.048] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED", lpString2="$Recycle.bin") returned 1 [0139.048] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED", lpString2="System Volume Information") returned -1 [0139.048] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED", lpString2=".") returned 1 [0139.048] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED", lpString2="..") returned 1 [0139.048] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED") returned 151 [0139.048] lstrcmpW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED", lpString2="PUSSY.TXT") returned -1 [0139.048] PathFindExtensionW (pszPath="8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED") returned="" [0139.048] lstrlenW (lpString="") returned 0 [0139.048] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0139.048] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_c080da2ae431c1a7f3b0c147eeb043ed"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0139.049] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=463) returned 1 [0139.049] CloseHandle (hObject=0x184) returned 1 [0139.049] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x63c50fe0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x63c50fe0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xb100bf40, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x1cf, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E", cAlternateFileName="803D37~1")) returned 1 [0139.049] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E", lpString2="Windows") returned -1 [0139.049] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E", lpString2="Program Files") returned -1 [0139.050] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E", lpString2="Program Files (x86)") returned -1 [0139.050] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E", lpString2="$Recycle.bin") returned 1 [0139.050] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E", lpString2="System Volume Information") returned -1 [0139.050] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E", lpString2=".") returned 1 [0139.050] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E", lpString2="..") returned 1 [0139.050] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E") returned 151 [0139.050] lstrcmpW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E", lpString2="PUSSY.TXT") returned -1 [0139.050] PathFindExtensionW (pszPath="8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E") returned="" [0139.050] lstrlenW (lpString="") returned 0 [0139.050] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0139.050] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_e907d7a04657714b5b06d18bc920971e"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0139.051] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=463) returned 1 [0139.051] CloseHandle (hObject=0x184) returned 1 [0139.051] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x61021780, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x61021780, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xb1058200, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x1cf, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30", cAlternateFileName="8059E9~4")) returned 1 [0139.051] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30", lpString2="Windows") returned -1 [0139.051] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30", lpString2="Program Files") returned -1 [0139.051] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30", lpString2="Program Files (x86)") returned -1 [0139.052] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30", lpString2="$Recycle.bin") returned 1 [0139.052] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30", lpString2="System Volume Information") returned -1 [0139.052] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30", lpString2=".") returned 1 [0139.052] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30", lpString2="..") returned 1 [0139.052] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30") returned 151 [0139.052] lstrcmpW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30", lpString2="PUSSY.TXT") returned -1 [0139.052] PathFindExtensionW (pszPath="8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30") returned="" [0139.052] lstrlenW (lpString="") returned 0 [0139.052] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0139.052] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_f2318f7ab33980a131a265454c39ca30"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0139.053] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=463) returned 1 [0139.053] CloseHandle (hObject=0x184) returned 1 [0139.053] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x636a9ba0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x636a9ba0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xb139e040, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x1cf, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB", cAlternateFileName="800D31~1")) returned 1 [0139.053] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB", lpString2="Windows") returned -1 [0139.053] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB", lpString2="Program Files") returned -1 [0139.053] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB", lpString2="Program Files (x86)") returned -1 [0139.053] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB", lpString2="$Recycle.bin") returned 1 [0139.054] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB", lpString2="System Volume Information") returned -1 [0139.054] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB", lpString2=".") returned 1 [0139.054] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB", lpString2="..") returned 1 [0139.054] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB") returned 151 [0139.054] lstrcmpW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB", lpString2="PUSSY.TXT") returned -1 [0139.054] PathFindExtensionW (pszPath="8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB") returned="" [0139.054] lstrlenW (lpString="") returned 0 [0139.054] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0139.054] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_f6e15778dc8e326895c606fbfa0392eb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0139.055] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=463) returned 1 [0139.055] CloseHandle (hObject=0x184) returned 1 [0139.055] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x581f7ea0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x581f7ea0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xb0f4d860, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x56e, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56", cAlternateFileName="828298~1")) returned 1 [0139.055] lstrcmpiW (lpString1="828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56", lpString2="Windows") returned -1 [0139.055] lstrcmpiW (lpString1="828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56", lpString2="Program Files") returned -1 [0139.055] lstrcmpiW (lpString1="828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56", lpString2="Program Files (x86)") returned -1 [0139.055] lstrcmpiW (lpString1="828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56", lpString2="$Recycle.bin") returned 1 [0139.056] lstrcmpiW (lpString1="828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56", lpString2="System Volume Information") returned -1 [0139.056] lstrcmpiW (lpString1="828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56", lpString2=".") returned 1 [0139.056] lstrcmpiW (lpString1="828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56", lpString2="..") returned 1 [0139.056] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56") returned 151 [0139.056] lstrcmpW (lpString1="828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56", lpString2="PUSSY.TXT") returned -1 [0139.056] PathFindExtensionW (pszPath="828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56") returned="" [0139.056] lstrlenW (lpString="") returned 0 [0139.057] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0139.057] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\828298824ea5549947c17ddabf6871f5_0206efbc540300c3bf0163cdbc3d7d56"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0139.057] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=1390) returned 1 [0139.057] GetProcessHeap () returned 0x4c0000 [0139.057] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc80e0 [0139.071] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="B9") returned 2 [0139.081] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="71") returned 2 [0139.081] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="3A") returned 2 [0139.081] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="62") returned 2 [0139.081] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="44") returned 2 [0139.081] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="DA") returned 2 [0139.081] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="B7") returned 2 [0139.081] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="DC") returned 2 [0139.081] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="00") returned 2 [0139.081] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="A9") returned 2 [0139.081] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="2A") returned 2 [0139.081] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="B8") returned 2 [0139.082] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="3F") returned 2 [0139.082] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="21") returned 2 [0139.082] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="E8") returned 2 [0139.082] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="1D") returned 2 [0139.082] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="A3") returned 2 [0139.082] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="08") returned 2 [0139.082] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="8E") returned 2 [0139.082] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="1C") returned 2 [0139.082] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="E1") returned 2 [0139.082] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="39") returned 2 [0139.082] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="2E") returned 2 [0139.082] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="09") returned 2 [0139.082] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="8A") returned 2 [0139.082] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="DB") returned 2 [0139.082] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="49") returned 2 [0139.082] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="0B") returned 2 [0139.082] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="8C") returned 2 [0139.082] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="19") returned 2 [0139.083] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="47") returned 2 [0139.083] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="1B") returned 2 [0139.095] lstrcpyW (in: lpString1=0x3bd8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56" [0139.095] lstrcpyW (in: lpString1=0x3bc8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56" [0139.095] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56", lpString2=".B9713A6244DAB7DC00A92AB83F21E81DA3088E1CE1392E098ADB490B8C19471B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56.B9713A6244DAB7DC00A92AB83F21E81DA3088E1CE1392E098ADB490B8C19471B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56.B9713A6244DAB7DC00A92AB83F21E81DA3088E1CE1392E098ADB490B8C19471B" [0139.095] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x3bc80e0, NumberOfConcurrentThreads=0x0) returned 0x94 [0139.095] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc80e0, lpOverlapped=0x3bc80e0) returned 1 [0139.096] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xec3c5340, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xec3c5340, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xb16257a0, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x6e3, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", cAlternateFileName="8828F3~1")) returned 1 [0139.100] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", lpString2="Windows") returned -1 [0139.100] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", lpString2="Program Files") returned -1 [0139.100] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", lpString2="Program Files (x86)") returned -1 [0139.101] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", lpString2="$Recycle.bin") returned 1 [0139.101] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", lpString2="System Volume Information") returned -1 [0139.101] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", lpString2=".") returned 1 [0139.101] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", lpString2="..") returned 1 [0139.101] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F") returned 151 [0139.101] lstrcmpW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", lpString2="PUSSY.TXT") returned -1 [0139.101] PathFindExtensionW (pszPath="8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F") returned="" [0139.101] lstrlenW (lpString="") returned 0 [0139.101] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0139.101] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8828f39c7c0ce9a14b25c7eb321181ba_3df94eb797096674f7793a562a778c5f"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0139.102] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=1763) returned 1 [0139.102] GetProcessHeap () returned 0x4c0000 [0139.102] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x553b30 [0139.115] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="98") returned 2 [0139.115] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="68") returned 2 [0139.115] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="77") returned 2 [0139.115] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="58") returned 2 [0139.115] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="7E") returned 2 [0139.115] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="77") returned 2 [0139.115] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="0A") returned 2 [0139.115] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="30") returned 2 [0139.115] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="D3") returned 2 [0139.115] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="FC") returned 2 [0139.115] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="35") returned 2 [0139.115] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="79") returned 2 [0139.115] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="9C") returned 2 [0139.115] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="3F") returned 2 [0139.115] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="C4") returned 2 [0139.115] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="EA") returned 2 [0139.116] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="21") returned 2 [0139.116] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="50") returned 2 [0139.116] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="23") returned 2 [0139.116] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="F5") returned 2 [0139.116] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="13") returned 2 [0139.116] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="5A") returned 2 [0139.116] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="58") returned 2 [0139.116] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="DA") returned 2 [0139.116] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="36") returned 2 [0139.116] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="B0") returned 2 [0139.116] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="1D") returned 2 [0139.116] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="FB") returned 2 [0139.116] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="BC") returned 2 [0139.116] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="EA") returned 2 [0139.116] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="14") returned 2 [0139.116] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="59") returned 2 [0139.129] lstrcpyW (in: lpString1=0x563b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F" [0139.129] lstrcpyW (in: lpString1=0x553b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F" [0139.129] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", lpString2=".986877587E770A30D3FC35799C3FC4EA215023F5135A58DA36B01DFBBCEA1459" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F.986877587E770A30D3FC35799C3FC4EA215023F5135A58DA36B01DFBBCEA1459") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F.986877587E770A30D3FC35799C3FC4EA215023F5135A58DA36B01DFBBCEA1459" [0139.129] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x553b30, NumberOfConcurrentThreads=0x0) returned 0x94 [0139.129] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x553b30, lpOverlapped=0x553b30) returned 1 [0139.133] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x8064ac00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x8064ac00, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x80670d60, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x6e3, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416", cAlternateFileName="8828F3~2")) returned 1 [0139.133] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416", lpString2="Windows") returned -1 [0139.133] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416", lpString2="Program Files") returned -1 [0139.133] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416", lpString2="Program Files (x86)") returned -1 [0139.133] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416", lpString2="$Recycle.bin") returned 1 [0139.133] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416", lpString2="System Volume Information") returned -1 [0139.133] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416", lpString2=".") returned 1 [0139.133] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416", lpString2="..") returned 1 [0139.133] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416") returned 151 [0139.134] lstrcmpW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416", lpString2="PUSSY.TXT") returned -1 [0139.134] PathFindExtensionW (pszPath="8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416") returned="" [0139.134] lstrlenW (lpString="") returned 0 [0139.134] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0139.134] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8828f39c7c0ce9a14b25c7eb321181ba_c6ef73e4482b2588b1252d1a64b99416"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0139.136] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=1763) returned 1 [0139.136] GetProcessHeap () returned 0x4c0000 [0139.136] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0139.148] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="A8") returned 2 [0139.148] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="64") returned 2 [0139.148] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="EE") returned 2 [0139.148] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="8C") returned 2 [0139.148] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="6B") returned 2 [0139.148] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="91") returned 2 [0139.148] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="53") returned 2 [0139.148] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="AB") returned 2 [0139.149] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="50") returned 2 [0139.149] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="50") returned 2 [0139.149] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="12") returned 2 [0139.149] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="7B") returned 2 [0139.149] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="8B") returned 2 [0139.149] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="3A") returned 2 [0139.149] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="88") returned 2 [0139.149] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="63") returned 2 [0139.149] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="D4") returned 2 [0139.149] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="AB") returned 2 [0139.149] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="B2") returned 2 [0139.149] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="70") returned 2 [0139.149] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="9C") returned 2 [0139.149] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="2D") returned 2 [0139.149] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="7F") returned 2 [0139.149] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="57") returned 2 [0139.149] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="76") returned 2 [0139.149] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="62") returned 2 [0139.149] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="B0") returned 2 [0139.149] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="02") returned 2 [0139.149] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="56") returned 2 [0139.149] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="D5") returned 2 [0139.149] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="94") returned 2 [0139.149] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="61") returned 2 [0139.162] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416" [0139.162] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416" [0139.162] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416", lpString2=".A864EE8C6B9153AB5050127B8B3A8863D4ABB2709C2D7F577662B00256D59461" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416.A864EE8C6B9153AB5050127B8B3A8863D4ABB2709C2D7F577662B00256D59461") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416.A864EE8C6B9153AB5050127B8B3A8863D4ABB2709C2D7F577662B00256D59461" [0139.162] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0139.162] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0139.162] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x6aa2c0a0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6aa2c0a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xadf19ae0, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x59d, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61", cAlternateFileName="8E4E51~1")) returned 1 [0139.162] lstrcmpiW (lpString1="8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61", lpString2="Windows") returned -1 [0139.162] lstrcmpiW (lpString1="8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61", lpString2="Program Files") returned -1 [0139.162] lstrcmpiW (lpString1="8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61", lpString2="Program Files (x86)") returned -1 [0139.162] lstrcmpiW (lpString1="8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61", lpString2="$Recycle.bin") returned 1 [0139.162] lstrcmpiW (lpString1="8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61", lpString2="System Volume Information") returned -1 [0139.162] lstrcmpiW (lpString1="8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61", lpString2=".") returned 1 [0139.162] lstrcmpiW (lpString1="8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61", lpString2="..") returned 1 [0139.162] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61") returned 151 [0139.162] lstrcmpW (lpString1="8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61", lpString2="PUSSY.TXT") returned -1 [0139.162] PathFindExtensionW (pszPath="8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61") returned="" [0139.162] lstrlenW (lpString="") returned 0 [0139.162] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0139.162] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8e4e510f44a56b8c8ecfec352907c373_411140098d71f028134e9b8a21255c61"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d4 [0139.163] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=1437) returned 1 [0139.163] GetProcessHeap () returned 0x4c0000 [0139.164] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c28098 [0139.177] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="B1") returned 2 [0139.177] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="C0") returned 2 [0139.177] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="12") returned 2 [0139.177] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="9D") returned 2 [0139.177] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="2B") returned 2 [0139.177] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="33") returned 2 [0139.177] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="3A") returned 2 [0139.177] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="68") returned 2 [0139.177] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="1E") returned 2 [0139.178] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="23") returned 2 [0139.178] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="2C") returned 2 [0139.178] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="76") returned 2 [0139.178] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="31") returned 2 [0139.178] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="6A") returned 2 [0139.178] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="F2") returned 2 [0139.178] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="D9") returned 2 [0139.178] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="EB") returned 2 [0139.178] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="B1") returned 2 [0139.178] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="30") returned 2 [0139.178] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="8A") returned 2 [0139.178] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="F6") returned 2 [0139.178] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="FE") returned 2 [0139.178] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="B9") returned 2 [0139.178] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="44") returned 2 [0139.178] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="B7") returned 2 [0139.178] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="2A") returned 2 [0139.178] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="70") returned 2 [0139.178] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="92") returned 2 [0139.178] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="C9") returned 2 [0139.178] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="36") returned 2 [0139.178] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="70") returned 2 [0139.178] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="2D") returned 2 [0139.190] lstrcpyW (in: lpString1=0x3c380cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61" [0139.190] lstrcpyW (in: lpString1=0x3c280cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61" [0139.191] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61", lpString2=".B1C0129D2B333A681E232C76316AF2D9EBB1308AF6FEB944B72A7092C936702D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61.B1C0129D2B333A681E232C76316AF2D9EBB1308AF6FEB944B72A7092C936702D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61.B1C0129D2B333A681E232C76316AF2D9EBB1308AF6FEB944B72A7092C936702D" [0139.191] CreateIoCompletionPort (FileHandle=0x1d4, ExistingCompletionPort=0x94, CompletionKey=0x3c28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0139.191] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c28098, lpOverlapped=0x3c28098) returned 1 [0139.191] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x28dbdd20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28dbdd20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xbddd270, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0xd2da, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="94308059B57B3142E455B38A6EB92015", cAlternateFileName="943080~1")) returned 1 [0139.191] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="Windows") returned -1 [0139.191] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="Program Files") returned -1 [0139.191] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="Program Files (x86)") returned -1 [0139.191] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="$Recycle.bin") returned 1 [0139.191] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="System Volume Information") returned -1 [0139.191] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2=".") returned 1 [0139.191] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="..") returned 1 [0139.191] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015") returned 118 [0139.191] lstrcmpW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="PUSSY.TXT") returned -1 [0139.191] PathFindExtensionW (pszPath="94308059B57B3142E455B38A6EB92015") returned="" [0139.191] lstrlenW (lpString="") returned 0 [0139.191] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0139.191] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\94308059b57b3142e455b38a6eb92015"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0139.192] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=53978) returned 1 [0139.193] GetProcessHeap () returned 0x4c0000 [0139.193] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b380a0 [0139.242] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="36") returned 2 [0139.242] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="13") returned 2 [0139.242] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="93") returned 2 [0139.242] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="9B") returned 2 [0139.242] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="C6") returned 2 [0139.242] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="13") returned 2 [0139.242] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="AD") returned 2 [0139.242] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="F6") returned 2 [0139.243] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="6D") returned 2 [0139.243] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="11") returned 2 [0139.243] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="81") returned 2 [0139.243] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="AA") returned 2 [0139.243] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="C5") returned 2 [0139.243] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="66") returned 2 [0139.243] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="C9") returned 2 [0139.243] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="D2") returned 2 [0139.243] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="FB") returned 2 [0139.243] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="13") returned 2 [0139.243] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="D4") returned 2 [0139.243] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="CE") returned 2 [0139.243] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="D8") returned 2 [0139.243] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="5B") returned 2 [0139.243] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="12") returned 2 [0139.243] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="E0") returned 2 [0139.243] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="FD") returned 2 [0139.243] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="41") returned 2 [0139.243] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="9C") returned 2 [0139.243] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="DC") returned 2 [0139.243] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="BD") returned 2 [0139.244] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="5E") returned 2 [0139.244] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="EC") returned 2 [0139.244] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="45") returned 2 [0139.255] lstrcpyW (in: lpString1=0x3b480d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015" [0139.256] lstrcpyW (in: lpString1=0x3b380d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015" [0139.256] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015", lpString2=".3613939BC613ADF66D1181AAC566C9D2FB13D4CED85B12E0FD419CDCBD5EEC45" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015.3613939BC613ADF66D1181AAC566C9D2FB13D4CED85B12E0FD419CDCBD5EEC45") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015.3613939BC613ADF66D1181AAC566C9D2FB13D4CED85B12E0FD419CDCBD5EEC45" [0139.256] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x3b380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0139.256] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b380a0, lpOverlapped=0x3b380a0) returned 1 [0139.305] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x6a83cec0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a83cec0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xaebe5120, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x5e0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9", cAlternateFileName="955CAB~1")) returned 1 [0139.305] lstrcmpiW (lpString1="955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9", lpString2="Windows") returned -1 [0139.305] lstrcmpiW (lpString1="955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9", lpString2="Program Files") returned -1 [0139.305] lstrcmpiW (lpString1="955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9", lpString2="Program Files (x86)") returned -1 [0139.305] lstrcmpiW (lpString1="955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9", lpString2="$Recycle.bin") returned 1 [0139.305] lstrcmpiW (lpString1="955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9", lpString2="System Volume Information") returned -1 [0139.305] lstrcmpiW (lpString1="955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9", lpString2=".") returned 1 [0139.305] lstrcmpiW (lpString1="955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9", lpString2="..") returned 1 [0139.305] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9") returned 151 [0139.305] lstrcmpW (lpString1="955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9", lpString2="PUSSY.TXT") returned -1 [0139.305] PathFindExtensionW (pszPath="955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9") returned="" [0139.305] lstrlenW (lpString="") returned 0 [0139.305] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0139.305] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\955cab6ff6a24d5820d50b5ba1cf79c7_ad9e7615297a3a83320aace5801a04f9"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0139.307] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=1504) returned 1 [0139.307] GetProcessHeap () returned 0x4c0000 [0139.307] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0139.320] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="1D") returned 2 [0139.320] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="37") returned 2 [0139.320] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="53") returned 2 [0139.321] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="0E") returned 2 [0139.321] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="E1") returned 2 [0139.321] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="25") returned 2 [0139.321] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="E5") returned 2 [0139.321] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="0D") returned 2 [0139.321] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="D1") returned 2 [0139.321] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="3C") returned 2 [0139.321] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="8A") returned 2 [0139.321] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="9C") returned 2 [0139.321] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="6B") returned 2 [0139.321] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="57") returned 2 [0139.321] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="A8") returned 2 [0139.321] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="4E") returned 2 [0139.321] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="76") returned 2 [0139.321] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="BC") returned 2 [0139.321] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="15") returned 2 [0139.321] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="07") returned 2 [0139.321] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="30") returned 2 [0139.321] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="31") returned 2 [0139.321] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="54") returned 2 [0139.321] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="67") returned 2 [0139.321] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="43") returned 2 [0139.322] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="11") returned 2 [0139.322] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="A7") returned 2 [0139.322] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="B7") returned 2 [0139.322] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="EE") returned 2 [0139.322] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="A7") returned 2 [0139.322] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="6C") returned 2 [0139.322] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="41") returned 2 [0139.334] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9" [0139.334] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9" [0139.334] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9", lpString2=".1D37530EE125E50DD13C8A9C6B57A84E76BC1507303154674311A7B7EEA76C41" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9.1D37530EE125E50DD13C8A9C6B57A84E76BC1507303154674311A7B7EEA76C41") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9.1D37530EE125E50DD13C8A9C6B57A84E76BC1507303154674311A7B7EEA76C41" [0139.334] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0139.334] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0139.334] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xbf3f73d0, ftCreationTime.dwHighDateTime=0x1d2faf2, ftLastAccessTime.dwLowDateTime=0xbf3f73d0, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xbf3f73d0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x5ab, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6", cAlternateFileName="9BC2FF~1")) returned 1 [0139.334] lstrcmpiW (lpString1="9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6", lpString2="Windows") returned -1 [0139.334] lstrcmpiW (lpString1="9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6", lpString2="Program Files") returned -1 [0139.334] lstrcmpiW (lpString1="9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6", lpString2="Program Files (x86)") returned -1 [0139.335] lstrcmpiW (lpString1="9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6", lpString2="$Recycle.bin") returned 1 [0139.335] lstrcmpiW (lpString1="9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6", lpString2="System Volume Information") returned -1 [0139.335] lstrcmpiW (lpString1="9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6", lpString2=".") returned 1 [0139.335] lstrcmpiW (lpString1="9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6", lpString2="..") returned 1 [0139.335] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6") returned 151 [0139.335] lstrcmpW (lpString1="9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6", lpString2="PUSSY.TXT") returned -1 [0139.335] PathFindExtensionW (pszPath="9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6") returned="" [0139.335] lstrlenW (lpString="") returned 0 [0139.335] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0139.335] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\9bc2ffc5d9591e1bd3545230e9b7cc36_cf30943571f9bee96c487b2d9f0436e6"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0139.353] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=1451) returned 1 [0139.353] GetProcessHeap () returned 0x4c0000 [0139.353] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x553b30 [0139.366] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="B9") returned 2 [0139.366] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="D2") returned 2 [0139.366] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="91") returned 2 [0139.366] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="71") returned 2 [0139.366] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="EB") returned 2 [0139.366] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="9B") returned 2 [0139.366] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="90") returned 2 [0139.366] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="0A") returned 2 [0139.366] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="5A") returned 2 [0139.366] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="AC") returned 2 [0139.366] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="92") returned 2 [0139.367] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="3B") returned 2 [0139.367] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="F6") returned 2 [0139.367] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="C5") returned 2 [0139.367] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="3D") returned 2 [0139.367] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="1C") returned 2 [0139.367] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="97") returned 2 [0139.367] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="39") returned 2 [0139.367] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="7E") returned 2 [0139.367] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="66") returned 2 [0139.367] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="46") returned 2 [0139.367] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="85") returned 2 [0139.367] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="DF") returned 2 [0139.367] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="28") returned 2 [0139.367] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="CC") returned 2 [0139.367] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="4D") returned 2 [0139.367] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="41") returned 2 [0139.367] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="87") returned 2 [0139.367] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="AA") returned 2 [0139.367] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="03") returned 2 [0139.367] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="84") returned 2 [0139.367] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="02") returned 2 [0139.380] lstrcpyW (in: lpString1=0x563b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6" [0139.380] lstrcpyW (in: lpString1=0x553b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6" [0139.380] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6", lpString2=".B9D29171EB9B900A5AAC923BF6C53D1C97397E664685DF28CC4D4187AA038402" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6.B9D29171EB9B900A5AAC923BF6C53D1C97397E664685DF28CC4D4187AA038402") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6.B9D29171EB9B900A5AAC923BF6C53D1C97397E664685DF28CC4D4187AA038402" [0139.380] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x553b30, NumberOfConcurrentThreads=0x0) returned 0x94 [0139.380] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x553b30, lpOverlapped=0x553b30) returned 1 [0139.381] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xe06277d0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe06277d0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xb15d94e0, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x652, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E", cAlternateFileName="9C888B~1")) returned 1 [0139.384] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E", lpString2="Windows") returned -1 [0139.384] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E", lpString2="Program Files") returned -1 [0139.388] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E", lpString2="Program Files (x86)") returned -1 [0139.388] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E", lpString2="$Recycle.bin") returned 1 [0139.388] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E", lpString2="System Volume Information") returned -1 [0139.388] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E", lpString2=".") returned 1 [0139.388] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E", lpString2="..") returned 1 [0139.388] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E") returned 151 [0139.388] lstrcmpW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E", lpString2="PUSSY.TXT") returned -1 [0139.388] PathFindExtensionW (pszPath="9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E") returned="" [0139.388] lstrlenW (lpString="") returned 0 [0139.388] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0139.388] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\9c888beabccbc2a97b0d6d9214c3ba37_1213dc6f71e4c3b05e7bceebc203a31e"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0139.390] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=1618) returned 1 [0139.390] GetProcessHeap () returned 0x4c0000 [0139.390] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x553b30 [0139.402] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="2D") returned 2 [0139.402] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="AF") returned 2 [0139.402] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="A6") returned 2 [0139.402] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="63") returned 2 [0139.402] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="0D") returned 2 [0139.402] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="55") returned 2 [0139.403] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="27") returned 2 [0139.403] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="42") returned 2 [0139.403] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="9C") returned 2 [0139.403] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="9E") returned 2 [0139.403] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="E0") returned 2 [0139.403] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="A1") returned 2 [0139.403] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="96") returned 2 [0139.403] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="38") returned 2 [0139.403] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="46") returned 2 [0139.403] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="0F") returned 2 [0139.403] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="95") returned 2 [0139.403] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="D5") returned 2 [0139.403] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="CC") returned 2 [0139.403] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="18") returned 2 [0139.403] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="08") returned 2 [0139.403] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="D8") returned 2 [0139.403] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="C3") returned 2 [0139.403] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="71") returned 2 [0139.403] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="AD") returned 2 [0139.403] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="64") returned 2 [0139.403] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="D3") returned 2 [0139.403] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="90") returned 2 [0139.403] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="60") returned 2 [0139.403] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="82") returned 2 [0139.404] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="0F") returned 2 [0139.404] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="19") returned 2 [0139.416] lstrcpyW (in: lpString1=0x563b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E" [0139.416] lstrcpyW (in: lpString1=0x553b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E" [0139.416] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E", lpString2=".2DAFA6630D5527429C9EE0A19638460F95D5CC1808D8C371AD64D39060820F19" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E.2DAFA6630D5527429C9EE0A19638460F95D5CC1808D8C371AD64D39060820F19") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E.2DAFA6630D5527429C9EE0A19638460F95D5CC1808D8C371AD64D39060820F19" [0139.416] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x553b30, NumberOfConcurrentThreads=0x0) returned 0x94 [0139.416] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x553b30, lpOverlapped=0x553b30) returned 1 [0139.416] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xe07ca6f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe07ca6f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0x965accc0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x652, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061", cAlternateFileName="9C888B~2")) returned 1 [0139.416] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061", lpString2="Windows") returned -1 [0139.416] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061", lpString2="Program Files") returned -1 [0139.417] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061", lpString2="Program Files (x86)") returned -1 [0139.417] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061", lpString2="$Recycle.bin") returned 1 [0139.417] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061", lpString2="System Volume Information") returned -1 [0139.417] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061", lpString2=".") returned 1 [0139.417] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061", lpString2="..") returned 1 [0139.417] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061") returned 151 [0139.417] lstrcmpW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061", lpString2="PUSSY.TXT") returned -1 [0139.417] PathFindExtensionW (pszPath="9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061") returned="" [0139.417] lstrlenW (lpString="") returned 0 [0139.417] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0139.417] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\9c888beabccbc2a97b0d6d9214c3ba37_ebc75728c6119a77e4da8559dd10f061"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x128 [0139.418] GetFileSizeEx (in: hFile=0x128, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=1618) returned 1 [0139.418] GetProcessHeap () returned 0x4c0000 [0139.418] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0139.434] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="8A") returned 2 [0139.434] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="FC") returned 2 [0139.434] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="4B") returned 2 [0139.434] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="0E") returned 2 [0139.434] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="8B") returned 2 [0139.434] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="90") returned 2 [0139.434] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="F7") returned 2 [0139.434] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="46") returned 2 [0139.434] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="86") returned 2 [0139.434] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="D0") returned 2 [0139.434] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="51") returned 2 [0139.434] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="C5") returned 2 [0139.434] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="75") returned 2 [0139.434] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="D0") returned 2 [0139.434] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="D2") returned 2 [0139.435] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="14") returned 2 [0139.435] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="99") returned 2 [0139.435] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="52") returned 2 [0139.435] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="F6") returned 2 [0139.435] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="A1") returned 2 [0139.435] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="EA") returned 2 [0139.435] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="F3") returned 2 [0139.435] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="DF") returned 2 [0139.435] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="12") returned 2 [0139.435] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="21") returned 2 [0139.435] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="44") returned 2 [0139.435] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="8C") returned 2 [0139.435] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="86") returned 2 [0139.435] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="FC") returned 2 [0139.435] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="66") returned 2 [0139.435] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="D7") returned 2 [0139.435] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="54") returned 2 [0139.448] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061" [0139.448] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061" [0139.448] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061", lpString2=".8AFC4B0E8B90F74686D051C575D0D2149952F6A1EAF3DF1221448C86FC66D754" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061.8AFC4B0E8B90F74686D051C575D0D2149952F6A1EAF3DF1221448C86FC66D754") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061.8AFC4B0E8B90F74686D051C575D0D2149952F6A1EAF3DF1221448C86FC66D754" [0139.448] CreateIoCompletionPort (FileHandle=0x128, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0139.448] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0139.448] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x54bc3730, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54bc3730, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xb11d4fc0, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x1d7, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450", cAlternateFileName="A9E4F7~1")) returned 1 [0139.448] lstrcmpiW (lpString1="A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450", lpString2="Windows") returned -1 [0139.448] lstrcmpiW (lpString1="A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450", lpString2="Program Files") returned -1 [0139.448] lstrcmpiW (lpString1="A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450", lpString2="Program Files (x86)") returned -1 [0139.448] lstrcmpiW (lpString1="A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450", lpString2="$Recycle.bin") returned 1 [0139.448] lstrcmpiW (lpString1="A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450", lpString2="System Volume Information") returned -1 [0139.448] lstrcmpiW (lpString1="A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450", lpString2=".") returned 1 [0139.448] lstrcmpiW (lpString1="A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450", lpString2="..") returned 1 [0139.448] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450") returned 151 [0139.448] lstrcmpW (lpString1="A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450", lpString2="PUSSY.TXT") returned -1 [0139.448] PathFindExtensionW (pszPath="A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450") returned="" [0139.448] lstrlenW (lpString="") returned 0 [0139.449] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0139.449] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\a9e4f776657345b52012ce8e279d314c_183a5be0b233cc1d513955fabecf9450"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d4 [0139.451] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=471) returned 1 [0139.451] CloseHandle (hObject=0x1d4) returned 1 [0139.451] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x53bfe570, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x53bfe570, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbe9b34f0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x5ee, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001", cAlternateFileName="ACF244~1")) returned 1 [0139.451] lstrcmpiW (lpString1="ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001", lpString2="Windows") returned -1 [0139.452] lstrcmpiW (lpString1="ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001", lpString2="Program Files") returned -1 [0139.452] lstrcmpiW (lpString1="ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001", lpString2="Program Files (x86)") returned -1 [0139.452] lstrcmpiW (lpString1="ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001", lpString2="$Recycle.bin") returned 1 [0139.452] lstrcmpiW (lpString1="ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001", lpString2="System Volume Information") returned -1 [0139.452] lstrcmpiW (lpString1="ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001", lpString2=".") returned 1 [0139.452] lstrcmpiW (lpString1="ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001", lpString2="..") returned 1 [0139.452] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001") returned 151 [0139.452] lstrcmpW (lpString1="ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001", lpString2="PUSSY.TXT") returned -1 [0139.452] PathFindExtensionW (pszPath="ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001") returned="" [0139.452] lstrlenW (lpString="") returned 0 [0139.452] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0139.452] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\acf244f1a10d4dbed0d88eba0c43a9b5_ba1ab6c2bdfdf57799e8116e4002d001"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d4 [0139.453] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=1518) returned 1 [0139.453] GetProcessHeap () returned 0x4c0000 [0139.453] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c28098 [0139.476] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="5D") returned 2 [0139.476] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="CA") returned 2 [0139.476] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="CB") returned 2 [0139.476] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="58") returned 2 [0139.476] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="C3") returned 2 [0139.476] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="11") returned 2 [0139.476] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="2C") returned 2 [0139.476] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="E6") returned 2 [0139.477] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="67") returned 2 [0139.477] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="2B") returned 2 [0139.477] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="38") returned 2 [0139.477] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="C9") returned 2 [0139.477] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="29") returned 2 [0139.477] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="77") returned 2 [0139.477] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="83") returned 2 [0139.477] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="85") returned 2 [0139.477] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="7A") returned 2 [0139.477] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="19") returned 2 [0139.477] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="CD") returned 2 [0139.477] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="19") returned 2 [0139.477] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="F4") returned 2 [0139.477] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="76") returned 2 [0139.477] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="D0") returned 2 [0139.478] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="0C") returned 2 [0139.478] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="B8") returned 2 [0139.478] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="6D") returned 2 [0139.478] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="3D") returned 2 [0139.478] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="BC") returned 2 [0139.478] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="EB") returned 2 [0139.478] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="29") returned 2 [0139.478] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="2E") returned 2 [0139.478] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="57") returned 2 [0139.490] lstrcpyW (in: lpString1=0x3c380cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001" [0139.490] lstrcpyW (in: lpString1=0x3c280cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001" [0139.490] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001", lpString2=".5DCACB58C3112CE6672B38C9297783857A19CD19F476D00CB86D3DBCEB292E57" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001.5DCACB58C3112CE6672B38C9297783857A19CD19F476D00CB86D3DBCEB292E57") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001.5DCACB58C3112CE6672B38C9297783857A19CD19F476D00CB86D3DBCEB292E57" [0139.490] CreateIoCompletionPort (FileHandle=0x1d4, ExistingCompletionPort=0x94, CompletionKey=0x3c28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0139.490] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c28098, lpOverlapped=0x3c28098) returned 1 [0139.497] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xe04aaa10, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe04aaa10, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xae4e7080, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x652, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852", cAlternateFileName="B3BB9C~2")) returned 1 [0139.497] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852", lpString2="Windows") returned -1 [0139.497] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852", lpString2="Program Files") returned -1 [0139.497] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852", lpString2="Program Files (x86)") returned -1 [0139.497] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852", lpString2="$Recycle.bin") returned 1 [0139.497] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852", lpString2="System Volume Information") returned -1 [0139.497] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852", lpString2=".") returned 1 [0139.497] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852", lpString2="..") returned 1 [0139.497] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852") returned 151 [0139.497] lstrcmpW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852", lpString2="PUSSY.TXT") returned -1 [0139.497] PathFindExtensionW (pszPath="B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852") returned="" [0139.497] lstrlenW (lpString="") returned 0 [0139.497] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0139.498] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\b3bb9c1ba2d19e090ae305b2683903a0_6f0a84ce2ba99bd19d42c92610275852"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d4 [0139.498] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=1618) returned 1 [0139.498] GetProcessHeap () returned 0x4c0000 [0139.499] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c28098 [0139.564] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="C1") returned 2 [0139.564] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="BE") returned 2 [0139.564] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="F7") returned 2 [0139.564] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="0C") returned 2 [0139.565] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="59") returned 2 [0139.565] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="A1") returned 2 [0139.565] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="F9") returned 2 [0139.565] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="59") returned 2 [0139.565] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="8C") returned 2 [0139.565] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="06") returned 2 [0139.565] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="2E") returned 2 [0139.565] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="14") returned 2 [0139.565] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="F9") returned 2 [0139.565] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="45") returned 2 [0139.565] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="43") returned 2 [0139.565] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="F9") returned 2 [0139.565] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="14") returned 2 [0139.565] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="98") returned 2 [0139.565] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="B5") returned 2 [0139.565] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="A4") returned 2 [0139.565] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="2C") returned 2 [0139.565] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="3D") returned 2 [0139.565] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="FF") returned 2 [0139.565] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="00") returned 2 [0139.565] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="4C") returned 2 [0139.565] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="C2") returned 2 [0139.565] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="24") returned 2 [0139.565] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="D6") returned 2 [0139.565] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="D0") returned 2 [0139.565] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="71") returned 2 [0139.565] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="BD") returned 2 [0139.566] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="64") returned 2 [0139.578] lstrcpyW (in: lpString1=0x3c380cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852" [0139.578] lstrcpyW (in: lpString1=0x3c280cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852" [0139.578] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852", lpString2=".C1BEF70C59A1F9598C062E14F94543F91498B5A42C3DFF004CC224D6D071BD64" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852.C1BEF70C59A1F9598C062E14F94543F91498B5A42C3DFF004CC224D6D071BD64") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852.C1BEF70C59A1F9598C062E14F94543F91498B5A42C3DFF004CC224D6D071BD64" [0139.578] CreateIoCompletionPort (FileHandle=0x1d4, ExistingCompletionPort=0x94, CompletionKey=0x3c28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0139.578] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c28098, lpOverlapped=0x3c28098) returned 1 [0139.589] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xefc01b00, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xefc01b00, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xaa4ee1e0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x652, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8", cAlternateFileName="B3BB9C~1")) returned 1 [0139.589] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8", lpString2="Windows") returned -1 [0139.589] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8", lpString2="Program Files") returned -1 [0139.589] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8", lpString2="Program Files (x86)") returned -1 [0139.589] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8", lpString2="$Recycle.bin") returned 1 [0139.589] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8", lpString2="System Volume Information") returned -1 [0139.589] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8", lpString2=".") returned 1 [0139.589] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8", lpString2="..") returned 1 [0139.589] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8") returned 151 [0139.589] lstrcmpW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8", lpString2="PUSSY.TXT") returned -1 [0139.589] PathFindExtensionW (pszPath="B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8") returned="" [0139.589] lstrlenW (lpString="") returned 0 [0139.589] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0139.589] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\b3bb9c1ba2d19e090ae305b2683903a0_b89a63ac6877bd1ed812438ce82c3eb8"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d4 [0139.591] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=1618) returned 1 [0139.591] GetProcessHeap () returned 0x4c0000 [0139.591] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc80e0 [0139.607] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="F5") returned 2 [0139.607] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="D6") returned 2 [0139.607] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="A9") returned 2 [0139.607] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="98") returned 2 [0139.608] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="FA") returned 2 [0139.608] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="8D") returned 2 [0139.608] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="02") returned 2 [0139.608] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="CB") returned 2 [0139.608] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="FA") returned 2 [0139.608] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="7E") returned 2 [0139.608] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="B0") returned 2 [0139.608] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="18") returned 2 [0139.608] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="00") returned 2 [0139.608] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="69") returned 2 [0139.608] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="A9") returned 2 [0139.608] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="0B") returned 2 [0139.608] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="BE") returned 2 [0139.608] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="69") returned 2 [0139.608] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="D9") returned 2 [0139.608] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="C3") returned 2 [0139.608] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="8A") returned 2 [0139.608] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="0C") returned 2 [0139.608] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="F1") returned 2 [0139.608] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="A2") returned 2 [0139.608] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="08") returned 2 [0139.608] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="66") returned 2 [0139.609] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="E6") returned 2 [0139.609] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="28") returned 2 [0139.609] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="E9") returned 2 [0139.609] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="92") returned 2 [0139.609] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="4B") returned 2 [0139.609] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="34") returned 2 [0139.621] lstrcpyW (in: lpString1=0x3bd8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8" [0139.621] lstrcpyW (in: lpString1=0x3bc8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8" [0139.622] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8", lpString2=".F5D6A998FA8D02CBFA7EB0180069A90BBE69D9C38A0CF1A20866E628E9924B34" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8.F5D6A998FA8D02CBFA7EB0180069A90BBE69D9C38A0CF1A20866E628E9924B34") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8.F5D6A998FA8D02CBFA7EB0180069A90BBE69D9C38A0CF1A20866E628E9924B34" [0139.622] CreateIoCompletionPort (FileHandle=0x1d4, ExistingCompletionPort=0x94, CompletionKey=0x3bc80e0, NumberOfConcurrentThreads=0x0) returned 0x94 [0139.622] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc80e0, lpOverlapped=0x3bc80e0) returned 1 [0139.622] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x54322770, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54322770, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbf019010, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x5ed, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150", cAlternateFileName="BC570E~2")) returned 1 [0139.622] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150", lpString2="Windows") returned -1 [0139.622] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150", lpString2="Program Files") returned -1 [0139.622] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150", lpString2="Program Files (x86)") returned -1 [0139.622] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150", lpString2="$Recycle.bin") returned 1 [0139.622] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150", lpString2="System Volume Information") returned -1 [0139.622] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150", lpString2=".") returned 1 [0139.622] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150", lpString2="..") returned 1 [0139.622] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150") returned 151 [0139.622] lstrcmpW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150", lpString2="PUSSY.TXT") returned -1 [0139.622] PathFindExtensionW (pszPath="BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150") returned="" [0139.622] lstrlenW (lpString="") returned 0 [0139.622] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0139.622] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\bc570ec0de58335afaf92fdc8e3aa330_6ce6e578b5c8485b4be3c4d58e12f150"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0139.623] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=1517) returned 1 [0139.624] GetProcessHeap () returned 0x4c0000 [0139.624] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c28098 [0139.636] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="FF") returned 2 [0139.636] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="F8") returned 2 [0139.636] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="3C") returned 2 [0139.636] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="5B") returned 2 [0139.636] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="32") returned 2 [0139.636] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="94") returned 2 [0139.636] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="61") returned 2 [0139.636] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="01") returned 2 [0139.636] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="4D") returned 2 [0139.637] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="C7") returned 2 [0139.637] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="04") returned 2 [0139.637] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="A7") returned 2 [0139.637] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="CF") returned 2 [0139.637] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="33") returned 2 [0139.637] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="59") returned 2 [0139.637] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="B8") returned 2 [0139.637] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="84") returned 2 [0139.637] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="96") returned 2 [0139.637] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="BC") returned 2 [0139.637] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="E3") returned 2 [0139.637] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="96") returned 2 [0139.637] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="72") returned 2 [0139.637] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="F7") returned 2 [0139.637] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="BD") returned 2 [0139.637] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="02") returned 2 [0139.637] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="22") returned 2 [0139.637] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="B3") returned 2 [0139.637] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="CC") returned 2 [0139.637] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="CB") returned 2 [0139.637] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="91") returned 2 [0139.637] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="8D") returned 2 [0139.637] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="61") returned 2 [0139.649] lstrcpyW (in: lpString1=0x3c380cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150" [0139.649] lstrcpyW (in: lpString1=0x3c280cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150" [0139.649] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150", lpString2=".FFF83C5B329461014DC704A7CF3359B88496BCE39672F7BD0222B3CCCB918D61" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150.FFF83C5B329461014DC704A7CF3359B88496BCE39672F7BD0222B3CCCB918D61") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150.FFF83C5B329461014DC704A7CF3359B88496BCE39672F7BD0222B3CCCB918D61" [0139.649] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x3c28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0139.650] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c28098, lpOverlapped=0x3c28098) returned 1 [0139.650] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x540c1170, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x540c1170, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbf019010, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x5ed, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC", cAlternateFileName="BC570E~1")) returned 1 [0139.650] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC", lpString2="Windows") returned -1 [0139.650] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC", lpString2="Program Files") returned -1 [0139.650] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC", lpString2="Program Files (x86)") returned -1 [0139.650] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC", lpString2="$Recycle.bin") returned 1 [0139.650] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC", lpString2="System Volume Information") returned -1 [0139.650] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC", lpString2=".") returned 1 [0139.650] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC", lpString2="..") returned 1 [0139.650] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC") returned 151 [0139.650] lstrcmpW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC", lpString2="PUSSY.TXT") returned -1 [0139.650] PathFindExtensionW (pszPath="BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC") returned="" [0139.650] lstrlenW (lpString="") returned 0 [0139.650] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0139.650] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\bc570ec0de58335afaf92fdc8e3aa330_f4d449ca9e0eaccfe15946f8fcd349fc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0139.651] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=1517) returned 1 [0139.651] GetProcessHeap () returned 0x4c0000 [0139.651] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b380a0 [0139.667] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="4C") returned 2 [0139.667] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="AF") returned 2 [0139.667] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="8F") returned 2 [0139.667] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="99") returned 2 [0139.667] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="37") returned 2 [0139.667] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="45") returned 2 [0139.667] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="4F") returned 2 [0139.667] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="F0") returned 2 [0139.667] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="27") returned 2 [0139.667] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="6C") returned 2 [0139.667] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="52") returned 2 [0139.667] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="12") returned 2 [0139.667] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="C2") returned 2 [0139.667] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="92") returned 2 [0139.667] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="3C") returned 2 [0139.667] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="44") returned 2 [0139.667] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="0D") returned 2 [0139.667] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="01") returned 2 [0139.667] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="B9") returned 2 [0139.667] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="3F") returned 2 [0139.668] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="2F") returned 2 [0139.668] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="05") returned 2 [0139.668] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="A2") returned 2 [0139.668] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="C4") returned 2 [0139.668] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="58") returned 2 [0139.668] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="05") returned 2 [0139.668] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="6F") returned 2 [0139.668] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="F1") returned 2 [0139.668] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="4E") returned 2 [0139.668] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="07") returned 2 [0139.668] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="B9") returned 2 [0139.668] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="62") returned 2 [0139.707] lstrcpyW (in: lpString1=0x3b480d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC" [0139.707] lstrcpyW (in: lpString1=0x3b380d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC" [0139.707] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC", lpString2=".4CAF8F9937454FF0276C5212C2923C440D01B93F2F05A2C458056FF14E07B962" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC.4CAF8F9937454FF0276C5212C2923C440D01B93F2F05A2C458056FF14E07B962") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC.4CAF8F9937454FF0276C5212C2923C440D01B93F2F05A2C458056FF14E07B962" [0139.707] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x94, CompletionKey=0x3b380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0139.707] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b380a0, lpOverlapped=0x3b380a0) returned 1 [0139.710] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x56bb3b80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x56bb3b80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xaeca3800, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x6e3, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873", cAlternateFileName="C46E7B~2")) returned 1 [0139.710] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873", lpString2="Windows") returned -1 [0139.710] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873", lpString2="Program Files") returned -1 [0139.710] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873", lpString2="Program Files (x86)") returned -1 [0139.710] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873", lpString2="$Recycle.bin") returned 1 [0139.710] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873", lpString2="System Volume Information") returned -1 [0139.710] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873", lpString2=".") returned 1 [0139.710] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873", lpString2="..") returned 1 [0139.710] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873") returned 151 [0139.715] lstrcmpW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873", lpString2="PUSSY.TXT") returned -1 [0139.715] PathFindExtensionW (pszPath="C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873") returned="" [0139.716] lstrlenW (lpString="") returned 0 [0139.716] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0139.716] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\c46e7b0f942663a1edc8d9d6d7869173_42820cdfea41dc84aab89a6b63561873"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0139.717] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=1763) returned 1 [0139.717] GetProcessHeap () returned 0x4c0000 [0139.717] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0139.732] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="1D") returned 2 [0139.732] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="E3") returned 2 [0139.732] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="86") returned 2 [0139.732] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="84") returned 2 [0139.732] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="43") returned 2 [0139.732] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="3F") returned 2 [0139.732] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="E0") returned 2 [0139.732] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="E7") returned 2 [0139.732] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="3D") returned 2 [0139.732] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="A8") returned 2 [0139.732] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="F5") returned 2 [0139.732] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="4B") returned 2 [0139.732] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="73") returned 2 [0139.732] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="90") returned 2 [0139.732] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="64") returned 2 [0139.732] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="2F") returned 2 [0139.732] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="0F") returned 2 [0139.732] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="DB") returned 2 [0139.732] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="35") returned 2 [0139.732] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="CC") returned 2 [0139.732] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="1B") returned 2 [0139.732] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="95") returned 2 [0139.732] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="05") returned 2 [0139.732] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="99") returned 2 [0139.732] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="27") returned 2 [0139.732] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="92") returned 2 [0139.732] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="AF") returned 2 [0139.733] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="7F") returned 2 [0139.733] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="9C") returned 2 [0139.733] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="AE") returned 2 [0139.733] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="6A") returned 2 [0139.733] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="64") returned 2 [0139.745] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873" [0139.745] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873" [0139.745] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873", lpString2=".1DE38684433FE0E73DA8F54B7390642F0FDB35CC1B9505992792AF7F9CAE6A64" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873.1DE38684433FE0E73DA8F54B7390642F0FDB35CC1B9505992792AF7F9CAE6A64") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873.1DE38684433FE0E73DA8F54B7390642F0FDB35CC1B9505992792AF7F9CAE6A64" [0139.745] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0139.745] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0139.745] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x682fbd00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x682fbd00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xae0bca00, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x6e3, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE", cAlternateFileName="C46E7B~3")) returned 1 [0139.745] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE", lpString2="Windows") returned -1 [0139.745] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE", lpString2="Program Files") returned -1 [0139.745] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE", lpString2="Program Files (x86)") returned -1 [0139.745] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE", lpString2="$Recycle.bin") returned 1 [0139.745] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE", lpString2="System Volume Information") returned -1 [0139.745] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE", lpString2=".") returned 1 [0139.745] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE", lpString2="..") returned 1 [0139.746] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE") returned 151 [0139.746] lstrcmpW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE", lpString2="PUSSY.TXT") returned -1 [0139.746] PathFindExtensionW (pszPath="C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE") returned="" [0139.746] lstrlenW (lpString="") returned 0 [0139.746] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0139.746] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\c46e7b0f942663a1edc8d9d6d7869173_6043fc604a395e1485af7ac16d16b7ce"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0139.747] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=1763) returned 1 [0139.747] GetProcessHeap () returned 0x4c0000 [0139.747] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc80e0 [0139.782] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="66") returned 2 [0139.782] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="5C") returned 2 [0139.782] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="27") returned 2 [0139.782] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="7F") returned 2 [0139.782] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="21") returned 2 [0139.782] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="84") returned 2 [0139.782] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="53") returned 2 [0139.782] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="71") returned 2 [0139.782] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="B2") returned 2 [0139.782] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="FC") returned 2 [0139.782] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="3E") returned 2 [0139.782] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="35") returned 2 [0139.782] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="72") returned 2 [0139.782] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="3D") returned 2 [0139.783] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="D9") returned 2 [0139.783] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="FC") returned 2 [0139.783] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="9D") returned 2 [0139.783] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="DE") returned 2 [0139.783] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="01") returned 2 [0139.783] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="0F") returned 2 [0139.783] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="F5") returned 2 [0139.783] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="4B") returned 2 [0139.783] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="A6") returned 2 [0139.783] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="7F") returned 2 [0139.783] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="BE") returned 2 [0139.783] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="58") returned 2 [0139.783] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="92") returned 2 [0139.783] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="E6") returned 2 [0139.783] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="2D") returned 2 [0139.783] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="D4") returned 2 [0139.783] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="AD") returned 2 [0139.783] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="45") returned 2 [0139.794] lstrcpyW (in: lpString1=0x3bd8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE" [0139.794] lstrcpyW (in: lpString1=0x3bc8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE" [0139.794] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE", lpString2=".665C277F21845371B2FC3E35723DD9FC9DDE010FF54BA67FBE5892E62DD4AD45" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE.665C277F21845371B2FC3E35723DD9FC9DDE010FF54BA67FBE5892E62DD4AD45") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE.665C277F21845371B2FC3E35723DD9FC9DDE010FF54BA67FBE5892E62DD4AD45" [0139.794] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x3bc80e0, NumberOfConcurrentThreads=0x0) returned 0x94 [0139.794] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc80e0, lpOverlapped=0x3bc80e0) returned 1 [0139.794] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x5461c2f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x5461c2f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbf67eb30, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x6e3, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", cAlternateFileName="C46E7B~1")) returned 1 [0139.795] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2="Windows") returned -1 [0139.795] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2="Program Files") returned -1 [0139.795] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2="Program Files (x86)") returned -1 [0139.795] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2="$Recycle.bin") returned 1 [0139.795] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2="System Volume Information") returned -1 [0139.795] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2=".") returned 1 [0139.795] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2="..") returned 1 [0139.795] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF") returned 151 [0139.795] lstrcmpW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2="PUSSY.TXT") returned -1 [0139.795] PathFindExtensionW (pszPath="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF") returned="" [0139.795] lstrlenW (lpString="") returned 0 [0139.795] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0139.795] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\c46e7b0f942663a1edc8d9d6d7869173_d9b9f37ece595b0b7b6aa12451d392cf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0139.796] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=1763) returned 1 [0139.796] GetProcessHeap () returned 0x4c0000 [0139.796] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c28098 [0139.812] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="EB") returned 2 [0139.812] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="6A") returned 2 [0139.812] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="85") returned 2 [0139.812] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="DB") returned 2 [0139.812] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="26") returned 2 [0139.812] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="FB") returned 2 [0139.812] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="E3") returned 2 [0139.812] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="1F") returned 2 [0139.812] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="9A") returned 2 [0139.812] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="8D") returned 2 [0139.812] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="A5") returned 2 [0139.812] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="5E") returned 2 [0139.812] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="1F") returned 2 [0139.813] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="8C") returned 2 [0139.813] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="39") returned 2 [0139.813] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="85") returned 2 [0139.813] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="C9") returned 2 [0139.813] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="CB") returned 2 [0139.813] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="1B") returned 2 [0139.813] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="83") returned 2 [0139.813] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="09") returned 2 [0139.813] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="55") returned 2 [0139.813] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="2F") returned 2 [0139.813] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="1E") returned 2 [0139.813] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="0F") returned 2 [0139.813] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="3B") returned 2 [0139.813] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="4D") returned 2 [0139.813] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="18") returned 2 [0139.813] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="07") returned 2 [0139.813] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="C5") returned 2 [0139.813] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="ED") returned 2 [0139.813] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="44") returned 2 [0139.842] lstrcpyW (in: lpString1=0x3c380cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF" [0139.842] lstrcpyW (in: lpString1=0x3c280cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF" [0139.842] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2=".EB6A85DB26FBE31F9A8DA55E1F8C3985C9CB1B8309552F1E0F3B4D1807C5ED44" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF.EB6A85DB26FBE31F9A8DA55E1F8C3985C9CB1B8309552F1E0F3B4D1807C5ED44") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF.EB6A85DB26FBE31F9A8DA55E1F8C3985C9CB1B8309552F1E0F3B4D1807C5ED44" [0139.842] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x3c28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0139.842] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c28098, lpOverlapped=0x3c28098) returned 1 [0139.842] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x728c68a0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x728c68a0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xae63dce0, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x5ae, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC", cAlternateFileName="D47DBD~2")) returned 1 [0139.843] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC", lpString2="Windows") returned -1 [0139.843] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC", lpString2="Program Files") returned -1 [0139.843] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC", lpString2="Program Files (x86)") returned -1 [0139.843] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC", lpString2="$Recycle.bin") returned 1 [0139.843] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC", lpString2="System Volume Information") returned -1 [0139.843] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC", lpString2=".") returned 1 [0139.843] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC", lpString2="..") returned 1 [0139.843] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC") returned 151 [0139.843] lstrcmpW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC", lpString2="PUSSY.TXT") returned -1 [0139.843] PathFindExtensionW (pszPath="D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC") returned="" [0139.843] lstrlenW (lpString="") returned 0 [0139.843] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0139.843] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\d47dbd2f9e3365fbbe008d71fb06716f_4dd1053bcc726da41115fff4c7d6e9cc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d4 [0139.844] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=1454) returned 1 [0139.844] GetProcessHeap () returned 0x4c0000 [0139.844] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b380a0 [0139.890] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="C1") returned 2 [0139.890] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="D1") returned 2 [0139.890] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="2D") returned 2 [0139.890] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="65") returned 2 [0139.890] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="02") returned 2 [0139.890] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="1B") returned 2 [0139.891] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="D2") returned 2 [0139.891] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="EB") returned 2 [0139.891] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="74") returned 2 [0139.891] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="AC") returned 2 [0139.891] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="40") returned 2 [0139.891] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="D2") returned 2 [0139.891] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="32") returned 2 [0139.891] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="5C") returned 2 [0139.891] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="90") returned 2 [0139.891] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="3B") returned 2 [0139.891] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="C7") returned 2 [0139.891] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="D3") returned 2 [0139.891] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="AB") returned 2 [0139.891] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="02") returned 2 [0139.891] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="3D") returned 2 [0139.891] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="EE") returned 2 [0139.891] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="77") returned 2 [0139.891] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="88") returned 2 [0139.891] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="54") returned 2 [0139.891] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="F2") returned 2 [0139.891] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="1E") returned 2 [0139.891] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="DA") returned 2 [0139.891] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="56") returned 2 [0139.891] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="05") returned 2 [0139.892] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="5A") returned 2 [0139.892] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="2F") returned 2 [0139.904] lstrcpyW (in: lpString1=0x3b480d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC" [0139.904] lstrcpyW (in: lpString1=0x3b380d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC" [0139.904] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC", lpString2=".C1D12D65021BD2EB74AC40D2325C903BC7D3AB023DEE778854F21EDA56055A2F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC.C1D12D65021BD2EB74AC40D2325C903BC7D3AB023DEE778854F21EDA56055A2F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC.C1D12D65021BD2EB74AC40D2325C903BC7D3AB023DEE778854F21EDA56055A2F" [0139.904] CreateIoCompletionPort (FileHandle=0x1d4, ExistingCompletionPort=0x94, CompletionKey=0x3b380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0139.904] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b380a0, lpOverlapped=0x3b380a0) returned 1 [0139.907] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x545f6190, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x545f6190, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x69b6e1e0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x5ae, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE", cAlternateFileName="D47DBD~1")) returned 1 [0139.911] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE", lpString2="Windows") returned -1 [0139.911] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE", lpString2="Program Files") returned -1 [0139.911] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE", lpString2="Program Files (x86)") returned -1 [0139.911] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE", lpString2="$Recycle.bin") returned 1 [0139.911] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE", lpString2="System Volume Information") returned -1 [0139.911] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE", lpString2=".") returned 1 [0139.911] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE", lpString2="..") returned 1 [0139.911] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE") returned 151 [0139.911] lstrcmpW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE", lpString2="PUSSY.TXT") returned -1 [0139.911] PathFindExtensionW (pszPath="D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE") returned="" [0139.911] lstrlenW (lpString="") returned 0 [0139.911] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0139.911] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\d47dbd2f9e3365fbbe008d71fb06716f_d33192d58aa9ca2b9097e848e9fe86de"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d4 [0139.912] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=1454) returned 1 [0139.912] GetProcessHeap () returned 0x4c0000 [0139.912] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x553b30 [0139.925] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="EC") returned 2 [0139.925] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="87") returned 2 [0139.925] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="B8") returned 2 [0139.925] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="9A") returned 2 [0139.925] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="D0") returned 2 [0139.925] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="69") returned 2 [0139.925] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="C5") returned 2 [0139.925] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="14") returned 2 [0139.925] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="B6") returned 2 [0139.925] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="A0") returned 2 [0139.925] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="F3") returned 2 [0139.925] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="DB") returned 2 [0139.925] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="24") returned 2 [0139.925] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="B4") returned 2 [0139.925] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="94") returned 2 [0139.925] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="2A") returned 2 [0139.925] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="1A") returned 2 [0139.925] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="78") returned 2 [0139.925] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="F1") returned 2 [0139.925] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="78") returned 2 [0139.925] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="E1") returned 2 [0139.925] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="0F") returned 2 [0139.925] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="55") returned 2 [0139.925] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="1F") returned 2 [0139.926] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="CA") returned 2 [0139.926] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="54") returned 2 [0139.926] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="E4") returned 2 [0139.926] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="5A") returned 2 [0139.926] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="ED") returned 2 [0139.926] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="A5") returned 2 [0139.926] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="16") returned 2 [0139.926] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="59") returned 2 [0139.938] lstrcpyW (in: lpString1=0x563b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE" [0139.939] lstrcpyW (in: lpString1=0x553b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE" [0139.939] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE", lpString2=".EC87B89AD069C514B6A0F3DB24B4942A1A78F178E10F551FCA54E45AEDA51659" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE.EC87B89AD069C514B6A0F3DB24B4942A1A78F178E10F551FCA54E45AEDA51659") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE.EC87B89AD069C514B6A0F3DB24B4942A1A78F178E10F551FCA54E45AEDA51659" [0139.939] CreateIoCompletionPort (FileHandle=0x1d4, ExistingCompletionPort=0x94, CompletionKey=0x553b30, NumberOfConcurrentThreads=0x0) returned 0x94 [0139.939] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x553b30, lpOverlapped=0x553b30) returned 1 [0139.939] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x808d4a70, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x808d4a70, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x808d4a70, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x663, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C", cAlternateFileName="D52C56~1")) returned 1 [0139.943] lstrcmpiW (lpString1="D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C", lpString2="Windows") returned -1 [0139.943] lstrcmpiW (lpString1="D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C", lpString2="Program Files") returned -1 [0139.943] lstrcmpiW (lpString1="D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C", lpString2="Program Files (x86)") returned -1 [0139.946] lstrcmpiW (lpString1="D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C", lpString2="$Recycle.bin") returned 1 [0139.946] lstrcmpiW (lpString1="D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C", lpString2="System Volume Information") returned -1 [0139.946] lstrcmpiW (lpString1="D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C", lpString2=".") returned 1 [0139.946] lstrcmpiW (lpString1="D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C", lpString2="..") returned 1 [0139.946] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C") returned 151 [0139.946] lstrcmpW (lpString1="D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C", lpString2="PUSSY.TXT") returned -1 [0139.946] PathFindExtensionW (pszPath="D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C") returned="" [0139.946] lstrlenW (lpString="") returned 0 [0139.946] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0139.946] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\d52c56d8f24bec96604372afbaf264e1_e76a2b627dd019eb51d9335f24b14c2c"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d4 [0139.947] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=1635) returned 1 [0139.947] GetProcessHeap () returned 0x4c0000 [0139.947] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x553b30 [0139.960] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="3E") returned 2 [0139.960] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="65") returned 2 [0139.960] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="B9") returned 2 [0139.960] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="B4") returned 2 [0139.960] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="D2") returned 2 [0139.960] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="F0") returned 2 [0139.960] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="70") returned 2 [0139.960] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="37") returned 2 [0139.960] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="FB") returned 2 [0139.960] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="1F") returned 2 [0139.960] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="B0") returned 2 [0139.960] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="4D") returned 2 [0139.960] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="CC") returned 2 [0139.960] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="29") returned 2 [0139.960] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="2A") returned 2 [0139.960] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="BD") returned 2 [0139.960] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="2F") returned 2 [0139.960] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="2A") returned 2 [0139.960] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="FF") returned 2 [0139.960] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="A9") returned 2 [0139.960] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="25") returned 2 [0139.960] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="93") returned 2 [0139.960] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="E4") returned 2 [0139.960] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="7A") returned 2 [0139.960] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="79") returned 2 [0139.960] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="F4") returned 2 [0139.961] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="64") returned 2 [0139.961] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="53") returned 2 [0139.961] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="48") returned 2 [0139.961] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="A7") returned 2 [0139.961] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="B9") returned 2 [0139.961] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="28") returned 2 [0139.973] lstrcpyW (in: lpString1=0x563b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C" [0139.973] lstrcpyW (in: lpString1=0x553b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C" [0139.973] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C", lpString2=".3E65B9B4D2F07037FB1FB04DCC292ABD2F2AFFA92593E47A79F4645348A7B928" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C.3E65B9B4D2F07037FB1FB04DCC292ABD2F2AFFA92593E47A79F4645348A7B928") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C.3E65B9B4D2F07037FB1FB04DCC292ABD2F2AFFA92593E47A79F4645348A7B928" [0139.973] CreateIoCompletionPort (FileHandle=0x1d4, ExistingCompletionPort=0x94, CompletionKey=0x553b30, NumberOfConcurrentThreads=0x0) returned 0x94 [0139.973] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x553b30, lpOverlapped=0x553b30) returned 1 [0139.974] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x683e0540, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x683e0540, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xb0f015a0, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x64b, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585", cAlternateFileName="EA6180~1")) returned 1 [0139.974] lstrcmpiW (lpString1="EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585", lpString2="Windows") returned -1 [0139.974] lstrcmpiW (lpString1="EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585", lpString2="Program Files") returned -1 [0139.974] lstrcmpiW (lpString1="EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585", lpString2="Program Files (x86)") returned -1 [0139.974] lstrcmpiW (lpString1="EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585", lpString2="$Recycle.bin") returned 1 [0139.974] lstrcmpiW (lpString1="EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585", lpString2="System Volume Information") returned -1 [0139.974] lstrcmpiW (lpString1="EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585", lpString2=".") returned 1 [0139.974] lstrcmpiW (lpString1="EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585", lpString2="..") returned 1 [0139.974] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585") returned 151 [0139.974] lstrcmpW (lpString1="EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585", lpString2="PUSSY.TXT") returned -1 [0139.974] PathFindExtensionW (pszPath="EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585") returned="" [0139.974] lstrlenW (lpString="") returned 0 [0139.974] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0139.974] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\ea618097e393409afa316f0f87e2c202_827c1b837652b048c4c84237d0838585"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0139.980] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=1611) returned 1 [0139.980] GetProcessHeap () returned 0x4c0000 [0139.980] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x553b30 [0139.998] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="33") returned 2 [0139.998] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="81") returned 2 [0139.999] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="05") returned 2 [0139.999] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="72") returned 2 [0139.999] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="6E") returned 2 [0139.999] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="26") returned 2 [0139.999] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="50") returned 2 [0139.999] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="33") returned 2 [0139.999] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="D7") returned 2 [0139.999] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="C5") returned 2 [0139.999] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="24") returned 2 [0139.999] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="F4") returned 2 [0139.999] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="E0") returned 2 [0139.999] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="EE") returned 2 [0139.999] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="EB") returned 2 [0139.999] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="83") returned 2 [0139.999] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="4F") returned 2 [0139.999] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="28") returned 2 [0139.999] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="32") returned 2 [0139.999] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="57") returned 2 [0139.999] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="72") returned 2 [0139.999] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="46") returned 2 [0139.999] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="74") returned 2 [0140.000] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="AD") returned 2 [0140.000] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="08") returned 2 [0140.000] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="0F") returned 2 [0140.000] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="89") returned 2 [0140.000] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="37") returned 2 [0140.000] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="0A") returned 2 [0140.000] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="FE") returned 2 [0140.000] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="EE") returned 2 [0140.000] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="75") returned 2 [0140.043] lstrcpyW (in: lpString1=0x563b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585" [0140.043] lstrcpyW (in: lpString1=0x553b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585" [0140.043] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585", lpString2=".338105726E265033D7C524F4E0EEEB834F283257724674AD080F89370AFEEE75" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585.338105726E265033D7C524F4E0EEEB834F283257724674AD080F89370AFEEE75") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585.338105726E265033D7C524F4E0EEEB834F283257724674AD080F89370AFEEE75" [0140.043] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x553b30, NumberOfConcurrentThreads=0x0) returned 0x94 [0140.043] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x553b30, lpOverlapped=0x553b30) returned 1 [0140.044] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xbf312b90, ftCreationTime.dwHighDateTime=0x1d2faf2, ftLastAccessTime.dwLowDateTime=0xbf312b90, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xbf312b90, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x64c, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1", cAlternateFileName="F293AE~1")) returned 1 [0140.046] lstrcmpiW (lpString1="F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1", lpString2="Windows") returned -1 [0140.046] lstrcmpiW (lpString1="F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1", lpString2="Program Files") returned -1 [0140.046] lstrcmpiW (lpString1="F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1", lpString2="Program Files (x86)") returned -1 [0140.046] lstrcmpiW (lpString1="F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1", lpString2="$Recycle.bin") returned 1 [0140.046] lstrcmpiW (lpString1="F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1", lpString2="System Volume Information") returned -1 [0140.046] lstrcmpiW (lpString1="F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1", lpString2=".") returned 1 [0140.047] lstrcmpiW (lpString1="F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1", lpString2="..") returned 1 [0140.047] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1") returned 151 [0140.047] lstrcmpW (lpString1="F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1", lpString2="PUSSY.TXT") returned -1 [0140.048] PathFindExtensionW (pszPath="F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1") returned="" [0140.048] lstrlenW (lpString="") returned 0 [0140.048] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.048] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\f293aead5e84facfb686c4a620718928_c8424a0b24a72939b13720d0c000c9c1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0140.050] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=1612) returned 1 [0140.050] GetProcessHeap () returned 0x4c0000 [0140.050] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0140.064] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="BA") returned 2 [0140.064] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="82") returned 2 [0140.064] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="61") returned 2 [0140.064] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="CA") returned 2 [0140.064] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="A2") returned 2 [0140.065] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="EC") returned 2 [0140.065] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="CE") returned 2 [0140.065] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="9E") returned 2 [0140.065] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="C0") returned 2 [0140.065] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="53") returned 2 [0140.065] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="D8") returned 2 [0140.065] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="14") returned 2 [0140.065] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="1B") returned 2 [0140.065] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="53") returned 2 [0140.065] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="A3") returned 2 [0140.065] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="6E") returned 2 [0140.065] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="DE") returned 2 [0140.065] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="50") returned 2 [0140.065] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="3F") returned 2 [0140.065] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="66") returned 2 [0140.065] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="05") returned 2 [0140.065] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="74") returned 2 [0140.065] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="B0") returned 2 [0140.065] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="A7") returned 2 [0140.065] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="DC") returned 2 [0140.066] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="20") returned 2 [0140.066] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="3B") returned 2 [0140.066] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="57") returned 2 [0140.066] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="1A") returned 2 [0140.066] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="D9") returned 2 [0140.066] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="B8") returned 2 [0140.066] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="27") returned 2 [0140.078] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1" [0140.078] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1" [0140.078] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1", lpString2=".BA8261CAA2ECCE9EC053D8141B53A36EDE503F660574B0A7DC203B571AD9B827" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1.BA8261CAA2ECCE9EC053D8141B53A36EDE503F660574B0A7DC203B571AD9B827") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1.BA8261CAA2ECCE9EC053D8141B53A36EDE503F660574B0A7DC203B571AD9B827" [0140.078] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0140.078] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0140.079] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x226, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="F90F18257CBB4D84216AC1E1F3BB2C76", cAlternateFileName="F90F18~1")) returned 1 [0140.079] lstrcmpiW (lpString1="F90F18257CBB4D84216AC1E1F3BB2C76", lpString2="Windows") returned -1 [0140.083] lstrcmpiW (lpString1="F90F18257CBB4D84216AC1E1F3BB2C76", lpString2="Program Files") returned -1 [0140.083] lstrcmpiW (lpString1="F90F18257CBB4D84216AC1E1F3BB2C76", lpString2="Program Files (x86)") returned -1 [0140.083] lstrcmpiW (lpString1="F90F18257CBB4D84216AC1E1F3BB2C76", lpString2="$Recycle.bin") returned 1 [0140.086] lstrcmpiW (lpString1="F90F18257CBB4D84216AC1E1F3BB2C76", lpString2="System Volume Information") returned -1 [0140.086] lstrcmpiW (lpString1="F90F18257CBB4D84216AC1E1F3BB2C76", lpString2=".") returned 1 [0140.086] lstrcmpiW (lpString1="F90F18257CBB4D84216AC1E1F3BB2C76", lpString2="..") returned 1 [0140.086] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F90F18257CBB4D84216AC1E1F3BB2C76") returned 118 [0140.086] lstrcmpW (lpString1="F90F18257CBB4D84216AC1E1F3BB2C76", lpString2="PUSSY.TXT") returned -1 [0140.086] PathFindExtensionW (pszPath="F90F18257CBB4D84216AC1E1F3BB2C76") returned="" [0140.086] lstrlenW (lpString="") returned 0 [0140.086] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.086] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F90F18257CBB4D84216AC1E1F3BB2C76" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\f90f18257cbb4d84216ac1e1f3bb2c76"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0140.087] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=550) returned 1 [0140.087] GetProcessHeap () returned 0x4c0000 [0140.087] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0140.099] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="84") returned 2 [0140.100] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="39") returned 2 [0140.100] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="3C") returned 2 [0140.100] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="02") returned 2 [0140.100] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="E0") returned 2 [0140.100] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="EB") returned 2 [0140.100] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="E9") returned 2 [0140.100] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="97") returned 2 [0140.100] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="1C") returned 2 [0140.100] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="D0") returned 2 [0140.100] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="22") returned 2 [0140.100] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="37") returned 2 [0140.100] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="A8") returned 2 [0140.100] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="0F") returned 2 [0140.100] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="21") returned 2 [0140.100] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="8D") returned 2 [0140.100] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="9F") returned 2 [0140.100] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="05") returned 2 [0140.100] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="90") returned 2 [0140.100] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="3E") returned 2 [0140.100] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="B8") returned 2 [0140.100] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="90") returned 2 [0140.100] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="74") returned 2 [0140.100] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="77") returned 2 [0140.100] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="D1") returned 2 [0140.100] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="CB") returned 2 [0140.100] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="0D") returned 2 [0140.100] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="EA") returned 2 [0140.101] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="38") returned 2 [0140.101] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="0A") returned 2 [0140.101] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="42") returned 2 [0140.101] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="2F") returned 2 [0140.113] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F90F18257CBB4D84216AC1E1F3BB2C76" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F90F18257CBB4D84216AC1E1F3BB2C76") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F90F18257CBB4D84216AC1E1F3BB2C76" [0140.113] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F90F18257CBB4D84216AC1E1F3BB2C76" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F90F18257CBB4D84216AC1E1F3BB2C76") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F90F18257CBB4D84216AC1E1F3BB2C76" [0140.113] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F90F18257CBB4D84216AC1E1F3BB2C76", lpString2=".84393C02E0EBE9971CD02237A80F218D9F05903EB8907477D1CB0DEA380A422F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F90F18257CBB4D84216AC1E1F3BB2C76.84393C02E0EBE9971CD02237A80F218D9F05903EB8907477D1CB0DEA380A422F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F90F18257CBB4D84216AC1E1F3BB2C76.84393C02E0EBE9971CD02237A80F218D9F05903EB8907477D1CB0DEA380A422F" [0140.113] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0140.113] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0140.119] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x226, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="F90F18257CBB4D84216AC1E1F3BB2C76", cAlternateFileName="F90F18~1")) returned 0 [0140.121] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0140.123] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\PUSSY.TXT") returned 95 [0140.123] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0140.124] lstrlenA (lpString="abcd") returned 4 [0140.124] WriteFile (in: hFile=0x180, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0140.125] CloseHandle (hObject=0x180) returned 1 [0140.125] GetProcessHeap () returned 0x4c0000 [0140.125] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0140.126] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd0de60b0, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xd0de60b0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="MetaData", cAlternateFileName="")) returned 1 [0140.126] lstrcmpiW (lpString1="MetaData", lpString2="Windows") returned -1 [0140.126] lstrcmpiW (lpString1="MetaData", lpString2="Program Files") returned -1 [0140.126] lstrcmpiW (lpString1="MetaData", lpString2="Program Files (x86)") returned -1 [0140.126] lstrcmpiW (lpString1="MetaData", lpString2="$Recycle.bin") returned 1 [0140.126] lstrcmpiW (lpString1="MetaData", lpString2="System Volume Information") returned -1 [0140.126] lstrcmpiW (lpString1="MetaData", lpString2=".") returned 1 [0140.126] lstrcmpiW (lpString1="MetaData", lpString2="..") returned 1 [0140.126] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData") returned 86 [0140.126] GetProcessHeap () returned 0x4c0000 [0140.126] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x57bb80 [0140.127] lstrcpyW (in: lpString1=0x57bb80, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData" [0140.127] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*" [0140.127] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd0de60b0, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xd0de60b0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0140.128] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0140.128] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0140.128] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0140.128] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0140.128] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0140.128] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0140.128] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd0de60b0, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xd0de60b0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0140.128] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0140.128] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0140.128] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0140.128] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0140.128] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0140.128] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0140.128] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0140.128] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xbf9eaad0, ftCreationTime.dwHighDateTime=0x1d2faf2, ftLastAccessTime.dwLowDateTime=0xbf9eaad0, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xbf9eaad0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x190, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", cAlternateFileName="024823~1")) returned 1 [0140.128] lstrcmpiW (lpString1="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", lpString2="Windows") returned -1 [0140.128] lstrcmpiW (lpString1="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", lpString2="Program Files") returned -1 [0140.129] lstrcmpiW (lpString1="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", lpString2="Program Files (x86)") returned -1 [0140.129] lstrcmpiW (lpString1="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", lpString2="$Recycle.bin") returned 1 [0140.129] lstrcmpiW (lpString1="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", lpString2="System Volume Information") returned -1 [0140.129] lstrcmpiW (lpString1="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", lpString2=".") returned 1 [0140.129] lstrcmpiW (lpString1="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", lpString2="..") returned 1 [0140.129] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B") returned 152 [0140.129] lstrcmpW (lpString1="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", lpString2="PUSSY.TXT") returned -1 [0140.129] PathFindExtensionW (pszPath="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B") returned="" [0140.129] lstrlenW (lpString="") returned 0 [0140.129] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.129] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\024823b39fbeaccdb5c06426a8168e99_6d5cab161a1c65362a913d29be09d91b"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0140.130] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=400) returned 1 [0140.130] CloseHandle (hObject=0x1d0) returned 1 [0140.130] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x53bd8410, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x53bd8410, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbe98d390, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x166, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875", cAlternateFileName="0F1583~1")) returned 1 [0140.130] lstrcmpiW (lpString1="0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875", lpString2="Windows") returned -1 [0140.130] lstrcmpiW (lpString1="0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875", lpString2="Program Files") returned -1 [0140.130] lstrcmpiW (lpString1="0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875", lpString2="Program Files (x86)") returned -1 [0140.130] lstrcmpiW (lpString1="0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875", lpString2="$Recycle.bin") returned 1 [0140.130] lstrcmpiW (lpString1="0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875", lpString2="System Volume Information") returned -1 [0140.130] lstrcmpiW (lpString1="0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875", lpString2=".") returned 1 [0140.130] lstrcmpiW (lpString1="0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875", lpString2="..") returned 1 [0140.130] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875") returned 152 [0140.130] lstrcmpW (lpString1="0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875", lpString2="PUSSY.TXT") returned -1 [0140.130] PathFindExtensionW (pszPath="0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875") returned="" [0140.130] lstrlenW (lpString="") returned 0 [0140.130] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.130] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\0f1583fff42fff476a09801acb69213f_e3f4a8c96454d7d3441d2c1bce81f875"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0140.132] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=358) returned 1 [0140.132] CloseHandle (hObject=0x1d0) returned 1 [0140.132] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xbf952550, ftCreationTime.dwHighDateTime=0x1d2faf2, ftLastAccessTime.dwLowDateTime=0xbf952550, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xbf952550, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x194, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973", cAlternateFileName="1BB09B~1")) returned 1 [0140.132] lstrcmpiW (lpString1="1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973", lpString2="Windows") returned -1 [0140.132] lstrcmpiW (lpString1="1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973", lpString2="Program Files") returned -1 [0140.132] lstrcmpiW (lpString1="1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973", lpString2="Program Files (x86)") returned -1 [0140.132] lstrcmpiW (lpString1="1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973", lpString2="$Recycle.bin") returned 1 [0140.132] lstrcmpiW (lpString1="1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973", lpString2="System Volume Information") returned -1 [0140.132] lstrcmpiW (lpString1="1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973", lpString2=".") returned 1 [0140.132] lstrcmpiW (lpString1="1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973", lpString2="..") returned 1 [0140.132] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973") returned 152 [0140.132] lstrcmpW (lpString1="1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973", lpString2="PUSSY.TXT") returned -1 [0140.132] PathFindExtensionW (pszPath="1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973") returned="" [0140.132] lstrlenW (lpString="") returned 0 [0140.132] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.132] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\1bb09beec155258835c193a7aa85aa5b_a7b2b53af2a12e2cb0a41b96d21d7973"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0140.134] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=404) returned 1 [0140.134] CloseHandle (hObject=0x1d0) returned 1 [0140.134] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x4c00edb0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x4c00edb0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x4c00edb0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x10c, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="1DAF2884EC4DFA96BA4A58D4DBC9C406", cAlternateFileName="1DAF28~1")) returned 1 [0140.134] lstrcmpiW (lpString1="1DAF2884EC4DFA96BA4A58D4DBC9C406", lpString2="Windows") returned -1 [0140.134] lstrcmpiW (lpString1="1DAF2884EC4DFA96BA4A58D4DBC9C406", lpString2="Program Files") returned -1 [0140.134] lstrcmpiW (lpString1="1DAF2884EC4DFA96BA4A58D4DBC9C406", lpString2="Program Files (x86)") returned -1 [0140.134] lstrcmpiW (lpString1="1DAF2884EC4DFA96BA4A58D4DBC9C406", lpString2="$Recycle.bin") returned 1 [0140.134] lstrcmpiW (lpString1="1DAF2884EC4DFA96BA4A58D4DBC9C406", lpString2="System Volume Information") returned -1 [0140.134] lstrcmpiW (lpString1="1DAF2884EC4DFA96BA4A58D4DBC9C406", lpString2=".") returned 1 [0140.134] lstrcmpiW (lpString1="1DAF2884EC4DFA96BA4A58D4DBC9C406", lpString2="..") returned 1 [0140.134] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\1DAF2884EC4DFA96BA4A58D4DBC9C406") returned 119 [0140.134] lstrcmpW (lpString1="1DAF2884EC4DFA96BA4A58D4DBC9C406", lpString2="PUSSY.TXT") returned -1 [0140.134] PathFindExtensionW (pszPath="1DAF2884EC4DFA96BA4A58D4DBC9C406") returned="" [0140.134] lstrlenW (lpString="") returned 0 [0140.134] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.134] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\1DAF2884EC4DFA96BA4A58D4DBC9C406" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\1daf2884ec4dfa96ba4a58d4dbc9c406"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0140.135] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=268) returned 1 [0140.135] CloseHandle (hObject=0x1d0) returned 1 [0140.135] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x580eb5c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x580eb5c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xaedd4300, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x124, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="23B523C9E7746F715D33C6527C18EB9D", cAlternateFileName="23B523~1")) returned 1 [0140.135] lstrcmpiW (lpString1="23B523C9E7746F715D33C6527C18EB9D", lpString2="Windows") returned -1 [0140.135] lstrcmpiW (lpString1="23B523C9E7746F715D33C6527C18EB9D", lpString2="Program Files") returned -1 [0140.135] lstrcmpiW (lpString1="23B523C9E7746F715D33C6527C18EB9D", lpString2="Program Files (x86)") returned -1 [0140.135] lstrcmpiW (lpString1="23B523C9E7746F715D33C6527C18EB9D", lpString2="$Recycle.bin") returned 1 [0140.135] lstrcmpiW (lpString1="23B523C9E7746F715D33C6527C18EB9D", lpString2="System Volume Information") returned -1 [0140.135] lstrcmpiW (lpString1="23B523C9E7746F715D33C6527C18EB9D", lpString2=".") returned 1 [0140.135] lstrcmpiW (lpString1="23B523C9E7746F715D33C6527C18EB9D", lpString2="..") returned 1 [0140.135] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\23B523C9E7746F715D33C6527C18EB9D") returned 119 [0140.135] lstrcmpW (lpString1="23B523C9E7746F715D33C6527C18EB9D", lpString2="PUSSY.TXT") returned -1 [0140.135] PathFindExtensionW (pszPath="23B523C9E7746F715D33C6527C18EB9D") returned="" [0140.135] lstrlenW (lpString="") returned 0 [0140.135] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.136] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\23B523C9E7746F715D33C6527C18EB9D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\23b523c9e7746f715d33c6527c18eb9d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0140.136] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=292) returned 1 [0140.136] CloseHandle (hObject=0x1d0) returned 1 [0140.136] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xc3791460, ftCreationTime.dwHighDateTime=0x1d2e675, ftLastAccessTime.dwLowDateTime=0xc3791460, ftLastAccessTime.dwHighDateTime=0x1d2e675, ftLastWriteTime.dwLowDateTime=0xc3791460, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0xdc, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="3130B1871A126520A8C47861EFE3ED4D", cAlternateFileName="3130B1~1")) returned 1 [0140.136] lstrcmpiW (lpString1="3130B1871A126520A8C47861EFE3ED4D", lpString2="Windows") returned -1 [0140.136] lstrcmpiW (lpString1="3130B1871A126520A8C47861EFE3ED4D", lpString2="Program Files") returned -1 [0140.136] lstrcmpiW (lpString1="3130B1871A126520A8C47861EFE3ED4D", lpString2="Program Files (x86)") returned -1 [0140.136] lstrcmpiW (lpString1="3130B1871A126520A8C47861EFE3ED4D", lpString2="$Recycle.bin") returned 1 [0140.136] lstrcmpiW (lpString1="3130B1871A126520A8C47861EFE3ED4D", lpString2="System Volume Information") returned -1 [0140.136] lstrcmpiW (lpString1="3130B1871A126520A8C47861EFE3ED4D", lpString2=".") returned 1 [0140.136] lstrcmpiW (lpString1="3130B1871A126520A8C47861EFE3ED4D", lpString2="..") returned 1 [0140.137] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\3130B1871A126520A8C47861EFE3ED4D") returned 119 [0140.137] lstrcmpW (lpString1="3130B1871A126520A8C47861EFE3ED4D", lpString2="PUSSY.TXT") returned -1 [0140.137] PathFindExtensionW (pszPath="3130B1871A126520A8C47861EFE3ED4D") returned="" [0140.137] lstrlenW (lpString="") returned 0 [0140.137] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.137] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\3130B1871A126520A8C47861EFE3ED4D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\3130b1871a126520a8c47861efe3ed4d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0140.137] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=220) returned 1 [0140.137] CloseHandle (hObject=0x1d0) returned 1 [0140.137] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x53fdc930, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x53fdc930, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbf16fc70, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x18a, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D", cAlternateFileName="3388EC~1")) returned 1 [0140.137] lstrcmpiW (lpString1="3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D", lpString2="Windows") returned -1 [0140.137] lstrcmpiW (lpString1="3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D", lpString2="Program Files") returned -1 [0140.137] lstrcmpiW (lpString1="3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D", lpString2="Program Files (x86)") returned -1 [0140.138] lstrcmpiW (lpString1="3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D", lpString2="$Recycle.bin") returned 1 [0140.138] lstrcmpiW (lpString1="3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D", lpString2="System Volume Information") returned -1 [0140.138] lstrcmpiW (lpString1="3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D", lpString2=".") returned 1 [0140.138] lstrcmpiW (lpString1="3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D", lpString2="..") returned 1 [0140.138] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D") returned 152 [0140.138] lstrcmpW (lpString1="3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D", lpString2="PUSSY.TXT") returned -1 [0140.138] PathFindExtensionW (pszPath="3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D") returned="" [0140.138] lstrlenW (lpString="") returned 0 [0140.138] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.138] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\3388ecc3f7bc4a9271c10ed8621e5a65_f55c512047947b70f94de5dec6d6838d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0140.138] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=394) returned 1 [0140.138] CloseHandle (hObject=0x1d0) returned 1 [0140.139] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x53b19d30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x53b19d30, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54583d70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x190, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", cAlternateFileName="40E450~1")) returned 1 [0140.139] lstrcmpiW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2="Windows") returned -1 [0140.139] lstrcmpiW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2="Program Files") returned -1 [0140.139] lstrcmpiW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2="Program Files (x86)") returned -1 [0140.139] lstrcmpiW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2="$Recycle.bin") returned 1 [0140.139] lstrcmpiW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2="System Volume Information") returned -1 [0140.139] lstrcmpiW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2=".") returned 1 [0140.139] lstrcmpiW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2="..") returned 1 [0140.139] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1") returned 152 [0140.139] lstrcmpW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2="PUSSY.TXT") returned -1 [0140.139] PathFindExtensionW (pszPath="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1") returned="" [0140.139] lstrlenW (lpString="") returned 0 [0140.139] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.139] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\40e450f7ce13419a2ccc2a5445035a0a_06f02b1f13ab4b11b8fc669bde565af1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0140.140] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=400) returned 1 [0140.140] CloseHandle (hObject=0x1d0) returned 1 [0140.140] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x54537ab0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54537ab0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xae76e7e0, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x1ae, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398", cAlternateFileName="4C8F84~1")) returned 1 [0140.140] lstrcmpiW (lpString1="4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398", lpString2="Windows") returned -1 [0140.140] lstrcmpiW (lpString1="4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398", lpString2="Program Files") returned -1 [0140.140] lstrcmpiW (lpString1="4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398", lpString2="Program Files (x86)") returned -1 [0140.140] lstrcmpiW (lpString1="4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398", lpString2="$Recycle.bin") returned 1 [0140.140] lstrcmpiW (lpString1="4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398", lpString2="System Volume Information") returned -1 [0140.140] lstrcmpiW (lpString1="4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398", lpString2=".") returned 1 [0140.140] lstrcmpiW (lpString1="4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398", lpString2="..") returned 1 [0140.140] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398") returned 152 [0140.140] lstrcmpW (lpString1="4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398", lpString2="PUSSY.TXT") returned -1 [0140.140] PathFindExtensionW (pszPath="4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398") returned="" [0140.140] lstrlenW (lpString="") returned 0 [0140.140] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.140] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\4c8f841fb02dec8c10108028db86a08d_8dafffd2d43bdc7a1717f5b61c303398"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0140.141] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=430) returned 1 [0140.141] CloseHandle (hObject=0x1d0) returned 1 [0140.141] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x7295ee20, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7295ee20, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xadfb2060, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x194, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9", cAlternateFileName="4DD397~1")) returned 1 [0140.141] lstrcmpiW (lpString1="4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9", lpString2="Windows") returned -1 [0140.141] lstrcmpiW (lpString1="4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9", lpString2="Program Files") returned -1 [0140.141] lstrcmpiW (lpString1="4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9", lpString2="Program Files (x86)") returned -1 [0140.141] lstrcmpiW (lpString1="4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9", lpString2="$Recycle.bin") returned 1 [0140.141] lstrcmpiW (lpString1="4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9", lpString2="System Volume Information") returned -1 [0140.141] lstrcmpiW (lpString1="4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9", lpString2=".") returned 1 [0140.141] lstrcmpiW (lpString1="4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9", lpString2="..") returned 1 [0140.141] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9") returned 152 [0140.141] lstrcmpW (lpString1="4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9", lpString2="PUSSY.TXT") returned -1 [0140.141] PathFindExtensionW (pszPath="4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9") returned="" [0140.141] lstrlenW (lpString="") returned 0 [0140.141] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.141] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\4dd39726d4b55ac3b4119b35a893323c_46cccfb940a93f39a734f69efcdd76e9"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0140.142] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=404) returned 1 [0140.142] CloseHandle (hObject=0x1d0) returned 1 [0140.142] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xbf8b9fd0, ftCreationTime.dwHighDateTime=0x1d2faf2, ftLastAccessTime.dwLowDateTime=0xbf8b9fd0, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xbf8b9fd0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x194, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77", cAlternateFileName="5080DC~2")) returned 1 [0140.142] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77", lpString2="Windows") returned -1 [0140.142] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77", lpString2="Program Files") returned -1 [0140.142] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77", lpString2="Program Files (x86)") returned -1 [0140.142] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77", lpString2="$Recycle.bin") returned 1 [0140.142] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77", lpString2="System Volume Information") returned -1 [0140.142] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77", lpString2=".") returned 1 [0140.142] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77", lpString2="..") returned 1 [0140.142] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77") returned 152 [0140.142] lstrcmpW (lpString1="5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77", lpString2="PUSSY.TXT") returned -1 [0140.142] PathFindExtensionW (pszPath="5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77") returned="" [0140.143] lstrlenW (lpString="") returned 0 [0140.143] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.143] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\5080dc7a65db6a5960ecd874088f3328_2908f682dfc81a793bd240cf29711c77"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0140.143] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=404) returned 1 [0140.143] CloseHandle (hObject=0x1d0) returned 1 [0140.143] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xbf86dd10, ftCreationTime.dwHighDateTime=0x1d2faf2, ftLastAccessTime.dwLowDateTime=0xbf86dd10, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xbf86dd10, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x190, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220", cAlternateFileName="5080DC~1")) returned 1 [0140.143] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220", lpString2="Windows") returned -1 [0140.143] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220", lpString2="Program Files") returned -1 [0140.143] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220", lpString2="Program Files (x86)") returned -1 [0140.143] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220", lpString2="$Recycle.bin") returned 1 [0140.143] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220", lpString2="System Volume Information") returned -1 [0140.144] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220", lpString2=".") returned 1 [0140.144] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220", lpString2="..") returned 1 [0140.144] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220") returned 152 [0140.144] lstrcmpW (lpString1="5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220", lpString2="PUSSY.TXT") returned -1 [0140.144] PathFindExtensionW (pszPath="5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220") returned="" [0140.144] lstrlenW (lpString="") returned 0 [0140.144] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.144] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\5080dc7a65db6a5960ecd874088f3328_6cba2c06d5985dd95ae59af8fc7c6220"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0140.145] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=400) returned 1 [0140.145] CloseHandle (hObject=0x1d0) returned 1 [0140.145] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xbf763370, ftCreationTime.dwHighDateTime=0x1d2faf2, ftLastAccessTime.dwLowDateTime=0xbf763370, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xbf7af630, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x18e, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4", cAlternateFileName="5457A8~1")) returned 1 [0140.145] lstrcmpiW (lpString1="5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4", lpString2="Windows") returned -1 [0140.145] lstrcmpiW (lpString1="5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4", lpString2="Program Files") returned -1 [0140.145] lstrcmpiW (lpString1="5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4", lpString2="Program Files (x86)") returned -1 [0140.145] lstrcmpiW (lpString1="5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4", lpString2="$Recycle.bin") returned 1 [0140.145] lstrcmpiW (lpString1="5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4", lpString2="System Volume Information") returned -1 [0140.145] lstrcmpiW (lpString1="5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4", lpString2=".") returned 1 [0140.145] lstrcmpiW (lpString1="5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4", lpString2="..") returned 1 [0140.146] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4") returned 152 [0140.146] lstrcmpW (lpString1="5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4", lpString2="PUSSY.TXT") returned -1 [0140.146] PathFindExtensionW (pszPath="5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4") returned="" [0140.146] lstrlenW (lpString="") returned 0 [0140.146] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.146] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\5457a8ce4b2a7499f8299a013b6e1c7c_ce50f893881d43dc0c815e4d80faf2b4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0140.147] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=398) returned 1 [0140.147] CloseHandle (hObject=0x1d0) returned 1 [0140.147] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xed9b0820, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xed9b0820, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xed9b0820, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0xf4, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="696F3DE637E6DE85B458996D49D759AD", cAlternateFileName="696F3D~1")) returned 1 [0140.147] lstrcmpiW (lpString1="696F3DE637E6DE85B458996D49D759AD", lpString2="Windows") returned -1 [0140.147] lstrcmpiW (lpString1="696F3DE637E6DE85B458996D49D759AD", lpString2="Program Files") returned -1 [0140.147] lstrcmpiW (lpString1="696F3DE637E6DE85B458996D49D759AD", lpString2="Program Files (x86)") returned -1 [0140.147] lstrcmpiW (lpString1="696F3DE637E6DE85B458996D49D759AD", lpString2="$Recycle.bin") returned 1 [0140.147] lstrcmpiW (lpString1="696F3DE637E6DE85B458996D49D759AD", lpString2="System Volume Information") returned -1 [0140.147] lstrcmpiW (lpString1="696F3DE637E6DE85B458996D49D759AD", lpString2=".") returned 1 [0140.147] lstrcmpiW (lpString1="696F3DE637E6DE85B458996D49D759AD", lpString2="..") returned 1 [0140.147] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\696F3DE637E6DE85B458996D49D759AD") returned 119 [0140.147] lstrcmpW (lpString1="696F3DE637E6DE85B458996D49D759AD", lpString2="PUSSY.TXT") returned -1 [0140.147] PathFindExtensionW (pszPath="696F3DE637E6DE85B458996D49D759AD") returned="" [0140.148] lstrlenW (lpString="") returned 0 [0140.148] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.148] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\696F3DE637E6DE85B458996D49D759AD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\696f3de637e6de85b458996d49d759ad"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0140.148] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=244) returned 1 [0140.148] CloseHandle (hObject=0x1d0) returned 1 [0140.148] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xbf763370, ftCreationTime.dwHighDateTime=0x1d2faf2, ftLastAccessTime.dwLowDateTime=0xbf763370, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xbf763370, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x18e, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21", cAlternateFileName="705A76~1")) returned 1 [0140.148] lstrcmpiW (lpString1="705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21", lpString2="Windows") returned -1 [0140.148] lstrcmpiW (lpString1="705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21", lpString2="Program Files") returned -1 [0140.149] lstrcmpiW (lpString1="705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21", lpString2="Program Files (x86)") returned -1 [0140.149] lstrcmpiW (lpString1="705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21", lpString2="$Recycle.bin") returned 1 [0140.149] lstrcmpiW (lpString1="705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21", lpString2="System Volume Information") returned -1 [0140.149] lstrcmpiW (lpString1="705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21", lpString2=".") returned 1 [0140.149] lstrcmpiW (lpString1="705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21", lpString2="..") returned 1 [0140.149] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21") returned 152 [0140.149] lstrcmpW (lpString1="705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21", lpString2="PUSSY.TXT") returned -1 [0140.149] PathFindExtensionW (pszPath="705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21") returned="" [0140.149] lstrlenW (lpString="") returned 0 [0140.149] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.149] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\705a76de71ea2caebb8f0907449ce086_9752c5b2d53ee7a19f7764b52968ec21"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0140.149] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=398) returned 1 [0140.150] CloseHandle (hObject=0x1d0) returned 1 [0140.150] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xedb2d5e0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedb2d5e0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedb2d5e0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x100, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="7396C420A8E1BC1DA97F1AF0D10BAD21", cAlternateFileName="7396C4~1")) returned 1 [0140.150] lstrcmpiW (lpString1="7396C420A8E1BC1DA97F1AF0D10BAD21", lpString2="Windows") returned -1 [0140.150] lstrcmpiW (lpString1="7396C420A8E1BC1DA97F1AF0D10BAD21", lpString2="Program Files") returned -1 [0140.150] lstrcmpiW (lpString1="7396C420A8E1BC1DA97F1AF0D10BAD21", lpString2="Program Files (x86)") returned -1 [0140.150] lstrcmpiW (lpString1="7396C420A8E1BC1DA97F1AF0D10BAD21", lpString2="$Recycle.bin") returned 1 [0140.150] lstrcmpiW (lpString1="7396C420A8E1BC1DA97F1AF0D10BAD21", lpString2="System Volume Information") returned -1 [0140.150] lstrcmpiW (lpString1="7396C420A8E1BC1DA97F1AF0D10BAD21", lpString2=".") returned 1 [0140.150] lstrcmpiW (lpString1="7396C420A8E1BC1DA97F1AF0D10BAD21", lpString2="..") returned 1 [0140.150] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7396C420A8E1BC1DA97F1AF0D10BAD21") returned 119 [0140.150] lstrcmpW (lpString1="7396C420A8E1BC1DA97F1AF0D10BAD21", lpString2="PUSSY.TXT") returned -1 [0140.150] PathFindExtensionW (pszPath="7396C420A8E1BC1DA97F1AF0D10BAD21") returned="" [0140.150] lstrlenW (lpString="") returned 0 [0140.150] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.150] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7396C420A8E1BC1DA97F1AF0D10BAD21" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7396c420a8e1bc1da97f1af0d10bad21"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0140.151] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=256) returned 1 [0140.151] CloseHandle (hObject=0x1d0) returned 1 [0140.152] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x540c1170, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x540c1170, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x312640, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x1b2, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6", cAlternateFileName="7423F8~1")) returned 1 [0140.152] lstrcmpiW (lpString1="7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6", lpString2="Windows") returned -1 [0140.152] lstrcmpiW (lpString1="7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6", lpString2="Program Files") returned -1 [0140.152] lstrcmpiW (lpString1="7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6", lpString2="Program Files (x86)") returned -1 [0140.152] lstrcmpiW (lpString1="7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6", lpString2="$Recycle.bin") returned 1 [0140.152] lstrcmpiW (lpString1="7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6", lpString2="System Volume Information") returned -1 [0140.152] lstrcmpiW (lpString1="7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6", lpString2=".") returned 1 [0140.152] lstrcmpiW (lpString1="7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6", lpString2="..") returned 1 [0140.152] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6") returned 152 [0140.152] lstrcmpW (lpString1="7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6", lpString2="PUSSY.TXT") returned -1 [0140.152] PathFindExtensionW (pszPath="7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6") returned="" [0140.152] lstrlenW (lpString="") returned 0 [0140.152] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.152] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7423f88c7f265f0defc08ea88c3bde45_d975bba8033175c8d112023d8a7a8ad6"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0140.153] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=434) returned 1 [0140.153] CloseHandle (hObject=0x1d0) returned 1 [0140.153] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x28dbdd20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28dbdd20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd48e2bf0, ftLastWriteTime.dwHighDateTime=0x1d2dda1, nFileSizeHigh=0x0, nFileSizeLow=0xdc, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="7B2238AACCEDC3F1FFE8E7EB5F575EC9", cAlternateFileName="7B2238~1")) returned 1 [0140.153] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="Windows") returned -1 [0140.153] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="Program Files") returned -1 [0140.153] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="Program Files (x86)") returned -1 [0140.153] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="$Recycle.bin") returned 1 [0140.153] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="System Volume Information") returned -1 [0140.153] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2=".") returned 1 [0140.153] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="..") returned 1 [0140.153] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B2238AACCEDC3F1FFE8E7EB5F575EC9") returned 119 [0140.153] lstrcmpW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="PUSSY.TXT") returned -1 [0140.153] PathFindExtensionW (pszPath="7B2238AACCEDC3F1FFE8E7EB5F575EC9") returned="" [0140.153] lstrlenW (lpString="") returned 0 [0140.153] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.153] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B2238AACCEDC3F1FFE8E7EB5F575EC9" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7b2238aaccedc3f1ffe8e7eb5f575ec9"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0140.154] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=220) returned 1 [0140.154] CloseHandle (hObject=0x1d0) returned 1 [0140.154] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x6b2324c0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x6b2324c0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x6b2324c0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x194, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D", cAlternateFileName="7B8944~1")) returned 1 [0140.154] lstrcmpiW (lpString1="7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D", lpString2="Windows") returned -1 [0140.154] lstrcmpiW (lpString1="7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D", lpString2="Program Files") returned -1 [0140.154] lstrcmpiW (lpString1="7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D", lpString2="Program Files (x86)") returned -1 [0140.154] lstrcmpiW (lpString1="7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D", lpString2="$Recycle.bin") returned 1 [0140.154] lstrcmpiW (lpString1="7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D", lpString2="System Volume Information") returned -1 [0140.154] lstrcmpiW (lpString1="7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D", lpString2=".") returned 1 [0140.154] lstrcmpiW (lpString1="7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D", lpString2="..") returned 1 [0140.154] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D") returned 152 [0140.154] lstrcmpW (lpString1="7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D", lpString2="PUSSY.TXT") returned -1 [0140.154] PathFindExtensionW (pszPath="7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D") returned="" [0140.154] lstrlenW (lpString="") returned 0 [0140.154] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.154] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7b8944ba8ad0efdf0e01a43ef62becd0_b2db1cc4b5f2d2a802d56aaed525802d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0140.170] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=404) returned 1 [0140.170] CloseHandle (hObject=0x178) returned 1 [0140.171] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x6b199f40, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x6b199f40, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x6b199f40, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x194, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6", cAlternateFileName="7D266D~2")) returned 1 [0140.171] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6", lpString2="Windows") returned -1 [0140.171] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6", lpString2="Program Files") returned -1 [0140.171] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6", lpString2="Program Files (x86)") returned -1 [0140.171] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6", lpString2="$Recycle.bin") returned 1 [0140.171] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6", lpString2="System Volume Information") returned -1 [0140.171] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6", lpString2=".") returned 1 [0140.171] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6", lpString2="..") returned 1 [0140.171] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6") returned 152 [0140.171] lstrcmpW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6", lpString2="PUSSY.TXT") returned -1 [0140.171] PathFindExtensionW (pszPath="7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6") returned="" [0140.171] lstrlenW (lpString="") returned 0 [0140.171] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.171] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7d266d9e1e69fa1eefb9699b009b34c8_0a9bfdd75b598c2110cbf610c078e6e6"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0140.172] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=404) returned 1 [0140.172] CloseHandle (hObject=0x178) returned 1 [0140.172] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xefaf7160, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xefaf7160, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xaec313e0, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x198, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD", cAlternateFileName="7D266D~1")) returned 1 [0140.172] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD", lpString2="Windows") returned -1 [0140.172] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD", lpString2="Program Files") returned -1 [0140.172] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD", lpString2="Program Files (x86)") returned -1 [0140.172] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD", lpString2="$Recycle.bin") returned 1 [0140.172] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD", lpString2="System Volume Information") returned -1 [0140.172] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD", lpString2=".") returned 1 [0140.172] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD", lpString2="..") returned 1 [0140.172] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD") returned 152 [0140.172] lstrcmpW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD", lpString2="PUSSY.TXT") returned -1 [0140.173] PathFindExtensionW (pszPath="7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD") returned="" [0140.173] lstrlenW (lpString="") returned 0 [0140.173] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.173] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7d266d9e1e69fa1eefb9699b009b34c8_1d5a876a9113ec07224c45e5a870e3bd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0140.173] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=408) returned 1 [0140.173] CloseHandle (hObject=0x178) returned 1 [0140.173] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x6056b480, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6056b480, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x1ef687a0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x182, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0", cAlternateFileName="8059E9~3")) returned 1 [0140.173] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0", lpString2="Windows") returned -1 [0140.173] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0", lpString2="Program Files") returned -1 [0140.173] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0", lpString2="Program Files (x86)") returned -1 [0140.174] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0", lpString2="$Recycle.bin") returned 1 [0140.174] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0", lpString2="System Volume Information") returned -1 [0140.174] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0", lpString2=".") returned 1 [0140.174] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0", lpString2="..") returned 1 [0140.174] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0") returned 152 [0140.174] lstrcmpW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0", lpString2="PUSSY.TXT") returned -1 [0140.174] PathFindExtensionW (pszPath="8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0") returned="" [0140.174] lstrlenW (lpString="") returned 0 [0140.174] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.174] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_234cb5d64705d4dbb4da839716359af0"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0140.175] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=386) returned 1 [0140.175] CloseHandle (hObject=0x178) returned 1 [0140.175] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x611ea800, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x611ea800, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xaecc9960, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x186, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E", cAlternateFileName="80273C~1")) returned 1 [0140.175] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E", lpString2="Windows") returned -1 [0140.175] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E", lpString2="Program Files") returned -1 [0140.175] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E", lpString2="Program Files (x86)") returned -1 [0140.175] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E", lpString2="$Recycle.bin") returned 1 [0140.176] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E", lpString2="System Volume Information") returned -1 [0140.176] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E", lpString2=".") returned 1 [0140.176] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E", lpString2="..") returned 1 [0140.176] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E") returned 152 [0140.176] lstrcmpW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E", lpString2="PUSSY.TXT") returned -1 [0140.176] PathFindExtensionW (pszPath="8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E") returned="" [0140.176] lstrlenW (lpString="") returned 0 [0140.176] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.176] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_294110d6990ee392327f8a606d55bc1e"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0140.176] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=390) returned 1 [0140.176] CloseHandle (hObject=0x178) returned 1 [0140.177] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x58e24200, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x58e24200, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xae9f5f40, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x186, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1", cAlternateFileName="8059E9~2")) returned 1 [0140.177] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1", lpString2="Windows") returned -1 [0140.177] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1", lpString2="Program Files") returned -1 [0140.177] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1", lpString2="Program Files (x86)") returned -1 [0140.177] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1", lpString2="$Recycle.bin") returned 1 [0140.177] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1", lpString2="System Volume Information") returned -1 [0140.177] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1", lpString2=".") returned 1 [0140.177] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1", lpString2="..") returned 1 [0140.177] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1") returned 152 [0140.177] lstrcmpW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1", lpString2="PUSSY.TXT") returned -1 [0140.177] PathFindExtensionW (pszPath="8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1") returned="" [0140.177] lstrlenW (lpString="") returned 0 [0140.177] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.177] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_50167909fcfe0c66153f1901439cbba1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0140.178] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=390) returned 1 [0140.178] CloseHandle (hObject=0x178) returned 1 [0140.178] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x61236ac0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x61236ac0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x3b0b01a0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x182, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E", cAlternateFileName="809279~1")) returned 1 [0140.178] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E", lpString2="Windows") returned -1 [0140.178] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E", lpString2="Program Files") returned -1 [0140.178] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E", lpString2="Program Files (x86)") returned -1 [0140.178] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E", lpString2="$Recycle.bin") returned 1 [0140.178] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E", lpString2="System Volume Information") returned -1 [0140.178] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E", lpString2=".") returned 1 [0140.178] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E", lpString2="..") returned 1 [0140.178] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E") returned 152 [0140.178] lstrcmpW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E", lpString2="PUSSY.TXT") returned -1 [0140.178] PathFindExtensionW (pszPath="8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E") returned="" [0140.178] lstrlenW (lpString="") returned 0 [0140.178] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.178] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_581c904db5924e46a6c1a8637614a40e"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0140.179] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=386) returned 1 [0140.179] CloseHandle (hObject=0x178) returned 1 [0140.179] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x5836df00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x5836df00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xb0f739c0, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x182, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4", cAlternateFileName="8059E9~1")) returned 1 [0140.179] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4", lpString2="Windows") returned -1 [0140.179] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4", lpString2="Program Files") returned -1 [0140.179] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4", lpString2="Program Files (x86)") returned -1 [0140.180] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4", lpString2="$Recycle.bin") returned 1 [0140.180] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4", lpString2="System Volume Information") returned -1 [0140.180] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4", lpString2=".") returned 1 [0140.180] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4", lpString2="..") returned 1 [0140.180] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4") returned 152 [0140.180] lstrcmpW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4", lpString2="PUSSY.TXT") returned -1 [0140.180] PathFindExtensionW (pszPath="8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4") returned="" [0140.180] lstrlenW (lpString="") returned 0 [0140.180] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.180] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_5ea65844b9ef5670a9c002cbd85b10a4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0140.180] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=386) returned 1 [0140.180] CloseHandle (hObject=0x178) returned 1 [0140.181] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x62378a40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x62378a40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xae9a9c80, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x182, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778", cAlternateFileName="80E4BE~1")) returned 1 [0140.181] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778", lpString2="Windows") returned -1 [0140.181] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778", lpString2="Program Files") returned -1 [0140.181] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778", lpString2="Program Files (x86)") returned -1 [0140.181] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778", lpString2="$Recycle.bin") returned 1 [0140.181] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778", lpString2="System Volume Information") returned -1 [0140.181] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778", lpString2=".") returned 1 [0140.181] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778", lpString2="..") returned 1 [0140.181] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778") returned 152 [0140.181] lstrcmpW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778", lpString2="PUSSY.TXT") returned -1 [0140.181] PathFindExtensionW (pszPath="8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778") returned="" [0140.181] lstrlenW (lpString="") returned 0 [0140.181] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.181] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_74e943f7dab6d19e37e4854057155778"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0140.182] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=386) returned 1 [0140.182] CloseHandle (hObject=0x178) returned 1 [0140.182] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x613675c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x613675c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x69bba4a0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x186, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED", cAlternateFileName="803B9E~1")) returned 1 [0140.182] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED", lpString2="Windows") returned -1 [0140.182] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED", lpString2="Program Files") returned -1 [0140.182] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED", lpString2="Program Files (x86)") returned -1 [0140.182] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED", lpString2="$Recycle.bin") returned 1 [0140.182] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED", lpString2="System Volume Information") returned -1 [0140.182] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED", lpString2=".") returned 1 [0140.182] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED", lpString2="..") returned 1 [0140.182] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED") returned 152 [0140.182] lstrcmpW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED", lpString2="PUSSY.TXT") returned -1 [0140.182] PathFindExtensionW (pszPath="8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED") returned="" [0140.182] lstrlenW (lpString="") returned 0 [0140.182] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.182] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_c080da2ae431c1a7f3b0c147eeb043ed"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0140.183] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=390) returned 1 [0140.183] CloseHandle (hObject=0x178) returned 1 [0140.183] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x63c50fe0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x63c50fe0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xb100bf40, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x186, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E", cAlternateFileName="803D37~1")) returned 1 [0140.183] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E", lpString2="Windows") returned -1 [0140.183] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E", lpString2="Program Files") returned -1 [0140.183] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E", lpString2="Program Files (x86)") returned -1 [0140.183] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E", lpString2="$Recycle.bin") returned 1 [0140.183] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E", lpString2="System Volume Information") returned -1 [0140.183] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E", lpString2=".") returned 1 [0140.183] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E", lpString2="..") returned 1 [0140.183] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E") returned 152 [0140.183] lstrcmpW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E", lpString2="PUSSY.TXT") returned -1 [0140.183] PathFindExtensionW (pszPath="8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E") returned="" [0140.183] lstrlenW (lpString="") returned 0 [0140.183] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.184] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_e907d7a04657714b5b06d18bc920971e"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0140.184] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=390) returned 1 [0140.184] CloseHandle (hObject=0x178) returned 1 [0140.184] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x61021780, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x61021780, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xb1058200, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x182, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30", cAlternateFileName="8059E9~4")) returned 1 [0140.184] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30", lpString2="Windows") returned -1 [0140.184] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30", lpString2="Program Files") returned -1 [0140.184] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30", lpString2="Program Files (x86)") returned -1 [0140.184] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30", lpString2="$Recycle.bin") returned 1 [0140.184] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30", lpString2="System Volume Information") returned -1 [0140.184] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30", lpString2=".") returned 1 [0140.184] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30", lpString2="..") returned 1 [0140.185] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30") returned 152 [0140.185] lstrcmpW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30", lpString2="PUSSY.TXT") returned -1 [0140.185] PathFindExtensionW (pszPath="8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30") returned="" [0140.185] lstrlenW (lpString="") returned 0 [0140.185] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.185] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_f2318f7ab33980a131a265454c39ca30"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0140.185] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=386) returned 1 [0140.185] CloseHandle (hObject=0x178) returned 1 [0140.185] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x636a9ba0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x636a9ba0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xb139e040, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x186, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB", cAlternateFileName="800D31~1")) returned 1 [0140.185] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB", lpString2="Windows") returned -1 [0140.185] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB", lpString2="Program Files") returned -1 [0140.185] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB", lpString2="Program Files (x86)") returned -1 [0140.186] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB", lpString2="$Recycle.bin") returned 1 [0140.186] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB", lpString2="System Volume Information") returned -1 [0140.186] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB", lpString2=".") returned 1 [0140.186] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB", lpString2="..") returned 1 [0140.186] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB") returned 152 [0140.186] lstrcmpW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB", lpString2="PUSSY.TXT") returned -1 [0140.186] PathFindExtensionW (pszPath="8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB") returned="" [0140.186] lstrlenW (lpString="") returned 0 [0140.186] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.186] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_f6e15778dc8e326895c606fbfa0392eb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0140.187] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=390) returned 1 [0140.187] CloseHandle (hObject=0x178) returned 1 [0140.187] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x581f7ea0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x581f7ea0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xb0f4d860, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x180, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56", cAlternateFileName="828298~1")) returned 1 [0140.187] lstrcmpiW (lpString1="828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56", lpString2="Windows") returned -1 [0140.187] lstrcmpiW (lpString1="828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56", lpString2="Program Files") returned -1 [0140.187] lstrcmpiW (lpString1="828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56", lpString2="Program Files (x86)") returned -1 [0140.187] lstrcmpiW (lpString1="828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56", lpString2="$Recycle.bin") returned 1 [0140.187] lstrcmpiW (lpString1="828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56", lpString2="System Volume Information") returned -1 [0140.187] lstrcmpiW (lpString1="828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56", lpString2=".") returned 1 [0140.187] lstrcmpiW (lpString1="828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56", lpString2="..") returned 1 [0140.187] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56") returned 152 [0140.188] lstrcmpW (lpString1="828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56", lpString2="PUSSY.TXT") returned -1 [0140.188] PathFindExtensionW (pszPath="828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56") returned="" [0140.188] lstrlenW (lpString="") returned 0 [0140.188] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.188] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\828298824ea5549947c17ddabf6871f5_0206efbc540300c3bf0163cdbc3d7d56"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0140.188] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=384) returned 1 [0140.188] CloseHandle (hObject=0x178) returned 1 [0140.188] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xec3c5340, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xec3c5340, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xb16257a0, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x188, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", cAlternateFileName="8828F3~1")) returned 1 [0140.188] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", lpString2="Windows") returned -1 [0140.188] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", lpString2="Program Files") returned -1 [0140.188] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", lpString2="Program Files (x86)") returned -1 [0140.188] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", lpString2="$Recycle.bin") returned 1 [0140.189] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", lpString2="System Volume Information") returned -1 [0140.189] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", lpString2=".") returned 1 [0140.189] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", lpString2="..") returned 1 [0140.189] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F") returned 152 [0140.189] lstrcmpW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", lpString2="PUSSY.TXT") returned -1 [0140.189] PathFindExtensionW (pszPath="8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F") returned="" [0140.189] lstrlenW (lpString="") returned 0 [0140.189] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.189] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8828f39c7c0ce9a14b25c7eb321181ba_3df94eb797096674f7793a562a778c5f"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0140.189] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=392) returned 1 [0140.189] CloseHandle (hObject=0x178) returned 1 [0140.189] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x8064ac00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x8064ac00, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x80670d60, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x188, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416", cAlternateFileName="8828F3~2")) returned 1 [0140.189] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416", lpString2="Windows") returned -1 [0140.190] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416", lpString2="Program Files") returned -1 [0140.190] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416", lpString2="Program Files (x86)") returned -1 [0140.190] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416", lpString2="$Recycle.bin") returned 1 [0140.190] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416", lpString2="System Volume Information") returned -1 [0140.190] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416", lpString2=".") returned 1 [0140.190] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416", lpString2="..") returned 1 [0140.190] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416") returned 152 [0140.190] lstrcmpW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416", lpString2="PUSSY.TXT") returned -1 [0140.190] PathFindExtensionW (pszPath="8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416") returned="" [0140.190] lstrlenW (lpString="") returned 0 [0140.190] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.190] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8828f39c7c0ce9a14b25c7eb321181ba_c6ef73e4482b2588b1252d1a64b99416"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0140.191] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=392) returned 1 [0140.191] CloseHandle (hObject=0x178) returned 1 [0140.191] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x6aa2c0a0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6aa2c0a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xadf19ae0, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x196, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61", cAlternateFileName="8E4E51~1")) returned 1 [0140.191] lstrcmpiW (lpString1="8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61", lpString2="Windows") returned -1 [0140.191] lstrcmpiW (lpString1="8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61", lpString2="Program Files") returned -1 [0140.191] lstrcmpiW (lpString1="8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61", lpString2="Program Files (x86)") returned -1 [0140.191] lstrcmpiW (lpString1="8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61", lpString2="$Recycle.bin") returned 1 [0140.191] lstrcmpiW (lpString1="8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61", lpString2="System Volume Information") returned -1 [0140.191] lstrcmpiW (lpString1="8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61", lpString2=".") returned 1 [0140.191] lstrcmpiW (lpString1="8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61", lpString2="..") returned 1 [0140.191] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61") returned 152 [0140.191] lstrcmpW (lpString1="8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61", lpString2="PUSSY.TXT") returned -1 [0140.191] PathFindExtensionW (pszPath="8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61") returned="" [0140.191] lstrlenW (lpString="") returned 0 [0140.191] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.191] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8e4e510f44a56b8c8ecfec352907c373_411140098d71f028134e9b8a21255c61"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0140.194] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=406) returned 1 [0140.194] CloseHandle (hObject=0x178) returned 1 [0140.194] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x28dbdd20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28dbdd20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xbf0dd70, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x156, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="94308059B57B3142E455B38A6EB92015", cAlternateFileName="943080~1")) returned 1 [0140.194] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="Windows") returned -1 [0140.194] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="Program Files") returned -1 [0140.194] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="Program Files (x86)") returned -1 [0140.194] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="$Recycle.bin") returned 1 [0140.194] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="System Volume Information") returned -1 [0140.194] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2=".") returned 1 [0140.194] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="..") returned 1 [0140.194] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015") returned 119 [0140.194] lstrcmpW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="PUSSY.TXT") returned -1 [0140.194] PathFindExtensionW (pszPath="94308059B57B3142E455B38A6EB92015") returned="" [0140.194] lstrlenW (lpString="") returned 0 [0140.194] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.194] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\94308059b57b3142e455b38a6eb92015"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0140.195] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=342) returned 1 [0140.195] CloseHandle (hObject=0x178) returned 1 [0140.195] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x6a83cec0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a83cec0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xaebe5120, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x194, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9", cAlternateFileName="955CAB~1")) returned 1 [0140.195] lstrcmpiW (lpString1="955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9", lpString2="Windows") returned -1 [0140.195] lstrcmpiW (lpString1="955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9", lpString2="Program Files") returned -1 [0140.195] lstrcmpiW (lpString1="955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9", lpString2="Program Files (x86)") returned -1 [0140.195] lstrcmpiW (lpString1="955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9", lpString2="$Recycle.bin") returned 1 [0140.195] lstrcmpiW (lpString1="955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9", lpString2="System Volume Information") returned -1 [0140.195] lstrcmpiW (lpString1="955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9", lpString2=".") returned 1 [0140.196] lstrcmpiW (lpString1="955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9", lpString2="..") returned 1 [0140.196] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9") returned 152 [0140.196] lstrcmpW (lpString1="955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9", lpString2="PUSSY.TXT") returned -1 [0140.196] PathFindExtensionW (pszPath="955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9") returned="" [0140.196] lstrlenW (lpString="") returned 0 [0140.196] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.196] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\955cab6ff6a24d5820d50b5ba1cf79c7_ad9e7615297a3a83320aace5801a04f9"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0140.196] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=404) returned 1 [0140.196] CloseHandle (hObject=0x178) returned 1 [0140.196] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xbf3f73d0, ftCreationTime.dwHighDateTime=0x1d2faf2, ftLastAccessTime.dwLowDateTime=0xbf3f73d0, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xbf3f73d0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x186, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6", cAlternateFileName="9BC2FF~1")) returned 1 [0140.197] lstrcmpiW (lpString1="9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6", lpString2="Windows") returned -1 [0140.197] lstrcmpiW (lpString1="9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6", lpString2="Program Files") returned -1 [0140.197] lstrcmpiW (lpString1="9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6", lpString2="Program Files (x86)") returned -1 [0140.197] lstrcmpiW (lpString1="9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6", lpString2="$Recycle.bin") returned 1 [0140.197] lstrcmpiW (lpString1="9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6", lpString2="System Volume Information") returned -1 [0140.197] lstrcmpiW (lpString1="9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6", lpString2=".") returned 1 [0140.197] lstrcmpiW (lpString1="9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6", lpString2="..") returned 1 [0140.197] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6") returned 152 [0140.197] lstrcmpW (lpString1="9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6", lpString2="PUSSY.TXT") returned -1 [0140.197] PathFindExtensionW (pszPath="9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6") returned="" [0140.197] lstrlenW (lpString="") returned 0 [0140.197] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.197] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\9bc2ffc5d9591e1bd3545230e9b7cc36_cf30943571f9bee96c487b2d9f0436e6"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0140.198] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=390) returned 1 [0140.198] CloseHandle (hObject=0x178) returned 1 [0140.199] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xe06277d0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe06277d0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xb15d94e0, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x182, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E", cAlternateFileName="9C888B~1")) returned 1 [0140.199] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E", lpString2="Windows") returned -1 [0140.199] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E", lpString2="Program Files") returned -1 [0140.199] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E", lpString2="Program Files (x86)") returned -1 [0140.199] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E", lpString2="$Recycle.bin") returned 1 [0140.199] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E", lpString2="System Volume Information") returned -1 [0140.199] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E", lpString2=".") returned 1 [0140.199] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E", lpString2="..") returned 1 [0140.199] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E") returned 152 [0140.199] lstrcmpW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E", lpString2="PUSSY.TXT") returned -1 [0140.199] PathFindExtensionW (pszPath="9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E") returned="" [0140.199] lstrlenW (lpString="") returned 0 [0140.199] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.200] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\9c888beabccbc2a97b0d6d9214c3ba37_1213dc6f71e4c3b05e7bceebc203a31e"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0140.200] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=386) returned 1 [0140.200] CloseHandle (hObject=0x178) returned 1 [0140.200] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xe07ca6f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe07ca6f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0x965accc0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x182, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061", cAlternateFileName="9C888B~2")) returned 1 [0140.200] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061", lpString2="Windows") returned -1 [0140.200] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061", lpString2="Program Files") returned -1 [0140.200] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061", lpString2="Program Files (x86)") returned -1 [0140.200] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061", lpString2="$Recycle.bin") returned 1 [0140.200] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061", lpString2="System Volume Information") returned -1 [0140.200] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061", lpString2=".") returned 1 [0140.201] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061", lpString2="..") returned 1 [0140.201] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061") returned 152 [0140.201] lstrcmpW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061", lpString2="PUSSY.TXT") returned -1 [0140.201] PathFindExtensionW (pszPath="9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061") returned="" [0140.201] lstrlenW (lpString="") returned 0 [0140.201] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.201] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\9c888beabccbc2a97b0d6d9214c3ba37_ebc75728c6119a77e4da8559dd10f061"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0140.201] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=386) returned 1 [0140.201] CloseHandle (hObject=0x178) returned 1 [0140.201] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x54bc3730, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54bc3730, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xb11d4fc0, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x1ae, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450", cAlternateFileName="A9E4F7~1")) returned 1 [0140.201] lstrcmpiW (lpString1="A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450", lpString2="Windows") returned -1 [0140.201] lstrcmpiW (lpString1="A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450", lpString2="Program Files") returned -1 [0140.202] lstrcmpiW (lpString1="A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450", lpString2="Program Files (x86)") returned -1 [0140.202] lstrcmpiW (lpString1="A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450", lpString2="$Recycle.bin") returned 1 [0140.202] lstrcmpiW (lpString1="A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450", lpString2="System Volume Information") returned -1 [0140.202] lstrcmpiW (lpString1="A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450", lpString2=".") returned 1 [0140.202] lstrcmpiW (lpString1="A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450", lpString2="..") returned 1 [0140.202] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450") returned 152 [0140.202] lstrcmpW (lpString1="A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450", lpString2="PUSSY.TXT") returned -1 [0140.202] PathFindExtensionW (pszPath="A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450") returned="" [0140.202] lstrlenW (lpString="") returned 0 [0140.202] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.202] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\a9e4f776657345b52012ce8e279d314c_183a5be0b233cc1d513955fabecf9450"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0140.203] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=430) returned 1 [0140.203] CloseHandle (hObject=0x178) returned 1 [0140.203] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x53bfe570, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x53bfe570, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbe9b34f0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x1ec, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001", cAlternateFileName="ACF244~1")) returned 1 [0140.203] lstrcmpiW (lpString1="ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001", lpString2="Windows") returned -1 [0140.203] lstrcmpiW (lpString1="ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001", lpString2="Program Files") returned -1 [0140.203] lstrcmpiW (lpString1="ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001", lpString2="Program Files (x86)") returned -1 [0140.203] lstrcmpiW (lpString1="ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001", lpString2="$Recycle.bin") returned 1 [0140.203] lstrcmpiW (lpString1="ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001", lpString2="System Volume Information") returned -1 [0140.203] lstrcmpiW (lpString1="ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001", lpString2=".") returned 1 [0140.204] lstrcmpiW (lpString1="ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001", lpString2="..") returned 1 [0140.204] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001") returned 152 [0140.204] lstrcmpW (lpString1="ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001", lpString2="PUSSY.TXT") returned -1 [0140.204] PathFindExtensionW (pszPath="ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001") returned="" [0140.204] lstrlenW (lpString="") returned 0 [0140.204] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.204] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\acf244f1a10d4dbed0d88eba0c43a9b5_ba1ab6c2bdfdf57799e8116e4002d001"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0140.204] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=492) returned 1 [0140.204] CloseHandle (hObject=0x178) returned 1 [0140.204] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xe04aaa10, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe04aaa10, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xae4e7080, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x1a0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852", cAlternateFileName="B3BB9C~2")) returned 1 [0140.204] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852", lpString2="Windows") returned -1 [0140.205] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852", lpString2="Program Files") returned -1 [0140.205] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852", lpString2="Program Files (x86)") returned -1 [0140.205] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852", lpString2="$Recycle.bin") returned 1 [0140.205] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852", lpString2="System Volume Information") returned -1 [0140.205] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852", lpString2=".") returned 1 [0140.205] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852", lpString2="..") returned 1 [0140.205] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852") returned 152 [0140.205] lstrcmpW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852", lpString2="PUSSY.TXT") returned -1 [0140.205] PathFindExtensionW (pszPath="B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852") returned="" [0140.205] lstrlenW (lpString="") returned 0 [0140.205] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.205] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\b3bb9c1ba2d19e090ae305b2683903a0_6f0a84ce2ba99bd19d42c92610275852"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0140.205] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=416) returned 1 [0140.205] CloseHandle (hObject=0x178) returned 1 [0140.206] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xefc01b00, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xefc01b00, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xaa4ee1e0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x1a0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8", cAlternateFileName="B3BB9C~1")) returned 1 [0140.206] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8", lpString2="Windows") returned -1 [0140.206] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8", lpString2="Program Files") returned -1 [0140.206] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8", lpString2="Program Files (x86)") returned -1 [0140.206] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8", lpString2="$Recycle.bin") returned 1 [0140.206] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8", lpString2="System Volume Information") returned -1 [0140.206] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8", lpString2=".") returned 1 [0140.206] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8", lpString2="..") returned 1 [0140.206] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8") returned 152 [0140.206] lstrcmpW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8", lpString2="PUSSY.TXT") returned -1 [0140.206] PathFindExtensionW (pszPath="B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8") returned="" [0140.206] lstrlenW (lpString="") returned 0 [0140.206] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.206] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\b3bb9c1ba2d19e090ae305b2683903a0_b89a63ac6877bd1ed812438ce82c3eb8"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0140.207] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=416) returned 1 [0140.207] CloseHandle (hObject=0x178) returned 1 [0140.207] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x54322770, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54322770, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbf019010, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x204, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150", cAlternateFileName="BC570E~2")) returned 1 [0140.207] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150", lpString2="Windows") returned -1 [0140.207] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150", lpString2="Program Files") returned -1 [0140.207] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150", lpString2="Program Files (x86)") returned -1 [0140.207] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150", lpString2="$Recycle.bin") returned 1 [0140.207] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150", lpString2="System Volume Information") returned -1 [0140.207] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150", lpString2=".") returned 1 [0140.207] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150", lpString2="..") returned 1 [0140.207] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150") returned 152 [0140.207] lstrcmpW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150", lpString2="PUSSY.TXT") returned -1 [0140.207] PathFindExtensionW (pszPath="BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150") returned="" [0140.207] lstrlenW (lpString="") returned 0 [0140.207] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.207] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\bc570ec0de58335afaf92fdc8e3aa330_6ce6e578b5c8485b4be3c4d58e12f150"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0140.208] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=516) returned 1 [0140.208] GetProcessHeap () returned 0x4c0000 [0140.208] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3bc80e0 [0140.233] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="51") returned 2 [0140.233] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="4A") returned 2 [0140.233] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="B8") returned 2 [0140.233] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="07") returned 2 [0140.233] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="4F") returned 2 [0140.233] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="53") returned 2 [0140.233] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="A4") returned 2 [0140.233] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="C5") returned 2 [0140.233] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="42") returned 2 [0140.233] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="48") returned 2 [0140.233] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="59") returned 2 [0140.233] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="88") returned 2 [0140.233] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="9E") returned 2 [0140.233] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="FD") returned 2 [0140.233] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="10") returned 2 [0140.233] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="F5") returned 2 [0140.233] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="23") returned 2 [0140.234] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="CC") returned 2 [0140.234] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="87") returned 2 [0140.234] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="73") returned 2 [0140.234] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="55") returned 2 [0140.234] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="EC") returned 2 [0140.234] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="D6") returned 2 [0140.234] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="E5") returned 2 [0140.234] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="67") returned 2 [0140.234] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="85") returned 2 [0140.234] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="CB") returned 2 [0140.234] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="CF") returned 2 [0140.234] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="F6") returned 2 [0140.234] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="57") returned 2 [0140.234] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="EA") returned 2 [0140.234] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="40") returned 2 [0140.247] lstrcpyW (in: lpString1=0x3bd8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150" [0140.248] lstrcpyW (in: lpString1=0x3bc8114, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150" [0140.248] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150", lpString2=".514AB8074F53A4C5424859889EFD10F523CC877355ECD6E56785CBCFF657EA40" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150.514AB8074F53A4C5424859889EFD10F523CC877355ECD6E56785CBCFF657EA40") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150.514AB8074F53A4C5424859889EFD10F523CC877355ECD6E56785CBCFF657EA40" [0140.248] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x3bc80e0, NumberOfConcurrentThreads=0x0) returned 0x94 [0140.248] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3bc80e0, lpOverlapped=0x3bc80e0) returned 1 [0140.248] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x540c1170, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x540c1170, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbf019010, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x204, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC", cAlternateFileName="BC570E~1")) returned 1 [0140.248] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC", lpString2="Windows") returned -1 [0140.248] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC", lpString2="Program Files") returned -1 [0140.248] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC", lpString2="Program Files (x86)") returned -1 [0140.248] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC", lpString2="$Recycle.bin") returned 1 [0140.248] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC", lpString2="System Volume Information") returned -1 [0140.249] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC", lpString2=".") returned 1 [0140.249] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC", lpString2="..") returned 1 [0140.249] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC") returned 152 [0140.249] lstrcmpW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC", lpString2="PUSSY.TXT") returned -1 [0140.249] PathFindExtensionW (pszPath="BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC") returned="" [0140.249] lstrlenW (lpString="") returned 0 [0140.249] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.249] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\bc570ec0de58335afaf92fdc8e3aa330_f4d449ca9e0eaccfe15946f8fcd349fc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0140.251] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=516) returned 1 [0140.251] GetProcessHeap () returned 0x4c0000 [0140.251] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0140.264] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="21") returned 2 [0140.264] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="1F") returned 2 [0140.264] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="26") returned 2 [0140.264] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="7B") returned 2 [0140.265] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="05") returned 2 [0140.265] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="5F") returned 2 [0140.265] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="AA") returned 2 [0140.265] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="7E") returned 2 [0140.265] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="D0") returned 2 [0140.265] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="01") returned 2 [0140.265] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="10") returned 2 [0140.265] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="18") returned 2 [0140.265] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="CD") returned 2 [0140.265] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="A5") returned 2 [0140.265] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="CC") returned 2 [0140.265] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="A0") returned 2 [0140.265] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="A0") returned 2 [0140.265] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="D5") returned 2 [0140.265] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="CD") returned 2 [0140.265] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="13") returned 2 [0140.265] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="15") returned 2 [0140.265] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="E7") returned 2 [0140.265] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="26") returned 2 [0140.265] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="94") returned 2 [0140.265] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="3F") returned 2 [0140.265] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="A9") returned 2 [0140.265] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="5A") returned 2 [0140.265] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="D8") returned 2 [0140.265] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="50") returned 2 [0140.265] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="4C") returned 2 [0140.265] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="11") returned 2 [0140.266] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="50") returned 2 [0140.277] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC" [0140.277] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC" [0140.278] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC", lpString2=".211F267B055FAA7ED0011018CDA5CCA0A0D5CD1315E726943FA95AD8504C1150" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC.211F267B055FAA7ED0011018CDA5CCA0A0D5CD1315E726943FA95AD8504C1150") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC.211F267B055FAA7ED0011018CDA5CCA0A0D5CD1315E726943FA95AD8504C1150" [0140.278] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0140.278] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0140.278] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x56bb3b80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x56bb3b80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xaeca3800, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873", cAlternateFileName="C46E7B~2")) returned 1 [0140.278] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873", lpString2="Windows") returned -1 [0140.278] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873", lpString2="Program Files") returned -1 [0140.278] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873", lpString2="Program Files (x86)") returned -1 [0140.278] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873", lpString2="$Recycle.bin") returned 1 [0140.278] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873", lpString2="System Volume Information") returned -1 [0140.278] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873", lpString2=".") returned 1 [0140.278] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873", lpString2="..") returned 1 [0140.279] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873") returned 152 [0140.279] lstrcmpW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873", lpString2="PUSSY.TXT") returned -1 [0140.279] PathFindExtensionW (pszPath="C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873") returned="" [0140.279] lstrlenW (lpString="") returned 0 [0140.279] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.279] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\c46e7b0f942663a1edc8d9d6d7869173_42820cdfea41dc84aab89a6b63561873"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0140.280] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=402) returned 1 [0140.280] CloseHandle (hObject=0x1d0) returned 1 [0140.280] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x682fbd00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x682fbd00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xae0bca00, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x18e, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE", cAlternateFileName="C46E7B~3")) returned 1 [0140.281] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE", lpString2="Windows") returned -1 [0140.281] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE", lpString2="Program Files") returned -1 [0140.281] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE", lpString2="Program Files (x86)") returned -1 [0140.281] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE", lpString2="$Recycle.bin") returned 1 [0140.281] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE", lpString2="System Volume Information") returned -1 [0140.281] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE", lpString2=".") returned 1 [0140.281] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE", lpString2="..") returned 1 [0140.281] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE") returned 152 [0140.281] lstrcmpW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE", lpString2="PUSSY.TXT") returned -1 [0140.281] PathFindExtensionW (pszPath="C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE") returned="" [0140.281] lstrlenW (lpString="") returned 0 [0140.281] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.281] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\c46e7b0f942663a1edc8d9d6d7869173_6043fc604a395e1485af7ac16d16b7ce"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0140.282] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=398) returned 1 [0140.282] CloseHandle (hObject=0x1d0) returned 1 [0140.282] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x5461c2f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x5461c2f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbf67eb30, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x18e, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", cAlternateFileName="C46E7B~1")) returned 1 [0140.282] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2="Windows") returned -1 [0140.282] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2="Program Files") returned -1 [0140.282] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2="Program Files (x86)") returned -1 [0140.282] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2="$Recycle.bin") returned 1 [0140.282] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2="System Volume Information") returned -1 [0140.282] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2=".") returned 1 [0140.282] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2="..") returned 1 [0140.282] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF") returned 152 [0140.282] lstrcmpW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2="PUSSY.TXT") returned -1 [0140.282] PathFindExtensionW (pszPath="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF") returned="" [0140.282] lstrlenW (lpString="") returned 0 [0140.283] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.283] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\c46e7b0f942663a1edc8d9d6d7869173_d9b9f37ece595b0b7b6aa12451d392cf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0140.283] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=398) returned 1 [0140.283] CloseHandle (hObject=0x1d0) returned 1 [0140.283] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x728c68a0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x728c68a0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xae63dce0, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x194, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC", cAlternateFileName="D47DBD~2")) returned 1 [0140.283] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC", lpString2="Windows") returned -1 [0140.284] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC", lpString2="Program Files") returned -1 [0140.284] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC", lpString2="Program Files (x86)") returned -1 [0140.284] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC", lpString2="$Recycle.bin") returned 1 [0140.284] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC", lpString2="System Volume Information") returned -1 [0140.284] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC", lpString2=".") returned 1 [0140.284] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC", lpString2="..") returned 1 [0140.284] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC") returned 152 [0140.284] lstrcmpW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC", lpString2="PUSSY.TXT") returned -1 [0140.284] PathFindExtensionW (pszPath="D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC") returned="" [0140.284] lstrlenW (lpString="") returned 0 [0140.284] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.284] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\d47dbd2f9e3365fbbe008d71fb06716f_4dd1053bcc726da41115fff4c7d6e9cc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0140.285] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=404) returned 1 [0140.285] CloseHandle (hObject=0x1d0) returned 1 [0140.285] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x545f6190, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x545f6190, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x69b6e1e0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x198, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE", cAlternateFileName="D47DBD~1")) returned 1 [0140.285] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE", lpString2="Windows") returned -1 [0140.285] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE", lpString2="Program Files") returned -1 [0140.285] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE", lpString2="Program Files (x86)") returned -1 [0140.285] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE", lpString2="$Recycle.bin") returned 1 [0140.285] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE", lpString2="System Volume Information") returned -1 [0140.285] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE", lpString2=".") returned 1 [0140.286] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE", lpString2="..") returned 1 [0140.286] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE") returned 152 [0140.286] lstrcmpW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE", lpString2="PUSSY.TXT") returned -1 [0140.286] PathFindExtensionW (pszPath="D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE") returned="" [0140.286] lstrlenW (lpString="") returned 0 [0140.286] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.286] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\d47dbd2f9e3365fbbe008d71fb06716f_d33192d58aa9ca2b9097e848e9fe86de"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0140.286] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=408) returned 1 [0140.286] CloseHandle (hObject=0x1d0) returned 1 [0140.287] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x808d4a70, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x808d4a70, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x808d4a70, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x1a4, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C", cAlternateFileName="D52C56~1")) returned 1 [0140.287] lstrcmpiW (lpString1="D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C", lpString2="Windows") returned -1 [0140.287] lstrcmpiW (lpString1="D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C", lpString2="Program Files") returned -1 [0140.287] lstrcmpiW (lpString1="D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C", lpString2="Program Files (x86)") returned -1 [0140.287] lstrcmpiW (lpString1="D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C", lpString2="$Recycle.bin") returned 1 [0140.287] lstrcmpiW (lpString1="D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C", lpString2="System Volume Information") returned -1 [0140.287] lstrcmpiW (lpString1="D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C", lpString2=".") returned 1 [0140.287] lstrcmpiW (lpString1="D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C", lpString2="..") returned 1 [0140.287] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C") returned 152 [0140.287] lstrcmpW (lpString1="D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C", lpString2="PUSSY.TXT") returned -1 [0140.287] PathFindExtensionW (pszPath="D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C") returned="" [0140.287] lstrlenW (lpString="") returned 0 [0140.287] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.287] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\d52c56d8f24bec96604372afbaf264e1_e76a2b627dd019eb51d9335f24b14c2c"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0140.305] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=420) returned 1 [0140.305] CloseHandle (hObject=0x178) returned 1 [0140.305] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x683e0540, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x683e0540, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xb0f015a0, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x18e, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585", cAlternateFileName="EA6180~1")) returned 1 [0140.305] lstrcmpiW (lpString1="EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585", lpString2="Windows") returned -1 [0140.305] lstrcmpiW (lpString1="EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585", lpString2="Program Files") returned -1 [0140.305] lstrcmpiW (lpString1="EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585", lpString2="Program Files (x86)") returned -1 [0140.306] lstrcmpiW (lpString1="EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585", lpString2="$Recycle.bin") returned 1 [0140.306] lstrcmpiW (lpString1="EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585", lpString2="System Volume Information") returned -1 [0140.306] lstrcmpiW (lpString1="EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585", lpString2=".") returned 1 [0140.306] lstrcmpiW (lpString1="EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585", lpString2="..") returned 1 [0140.306] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585") returned 152 [0140.306] lstrcmpW (lpString1="EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585", lpString2="PUSSY.TXT") returned -1 [0140.306] PathFindExtensionW (pszPath="EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585") returned="" [0140.306] lstrlenW (lpString="") returned 0 [0140.306] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.306] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\ea618097e393409afa316f0f87e2c202_827c1b837652b048c4c84237d0838585"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0140.306] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=398) returned 1 [0140.307] CloseHandle (hObject=0x178) returned 1 [0140.307] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xbf312b90, ftCreationTime.dwHighDateTime=0x1d2faf2, ftLastAccessTime.dwLowDateTime=0xbf312b90, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xbf312b90, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x1a0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1", cAlternateFileName="F293AE~1")) returned 1 [0140.307] lstrcmpiW (lpString1="F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1", lpString2="Windows") returned -1 [0140.307] lstrcmpiW (lpString1="F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1", lpString2="Program Files") returned -1 [0140.307] lstrcmpiW (lpString1="F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1", lpString2="Program Files (x86)") returned -1 [0140.307] lstrcmpiW (lpString1="F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1", lpString2="$Recycle.bin") returned 1 [0140.307] lstrcmpiW (lpString1="F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1", lpString2="System Volume Information") returned -1 [0140.307] lstrcmpiW (lpString1="F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1", lpString2=".") returned 1 [0140.307] lstrcmpiW (lpString1="F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1", lpString2="..") returned 1 [0140.307] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1") returned 152 [0140.307] lstrcmpW (lpString1="F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1", lpString2="PUSSY.TXT") returned -1 [0140.307] PathFindExtensionW (pszPath="F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1") returned="" [0140.307] lstrlenW (lpString="") returned 0 [0140.307] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.307] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\f293aead5e84facfb686c4a620718928_c8424a0b24a72939b13720d0c000c9c1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0140.308] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=416) returned 1 [0140.308] CloseHandle (hObject=0x178) returned 1 [0140.308] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0xfc, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="F90F18257CBB4D84216AC1E1F3BB2C76", cAlternateFileName="F90F18~1")) returned 1 [0140.308] lstrcmpiW (lpString1="F90F18257CBB4D84216AC1E1F3BB2C76", lpString2="Windows") returned -1 [0140.308] lstrcmpiW (lpString1="F90F18257CBB4D84216AC1E1F3BB2C76", lpString2="Program Files") returned -1 [0140.308] lstrcmpiW (lpString1="F90F18257CBB4D84216AC1E1F3BB2C76", lpString2="Program Files (x86)") returned -1 [0140.308] lstrcmpiW (lpString1="F90F18257CBB4D84216AC1E1F3BB2C76", lpString2="$Recycle.bin") returned 1 [0140.308] lstrcmpiW (lpString1="F90F18257CBB4D84216AC1E1F3BB2C76", lpString2="System Volume Information") returned -1 [0140.308] lstrcmpiW (lpString1="F90F18257CBB4D84216AC1E1F3BB2C76", lpString2=".") returned 1 [0140.308] lstrcmpiW (lpString1="F90F18257CBB4D84216AC1E1F3BB2C76", lpString2="..") returned 1 [0140.308] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\F90F18257CBB4D84216AC1E1F3BB2C76") returned 119 [0140.308] lstrcmpW (lpString1="F90F18257CBB4D84216AC1E1F3BB2C76", lpString2="PUSSY.TXT") returned -1 [0140.308] PathFindExtensionW (pszPath="F90F18257CBB4D84216AC1E1F3BB2C76") returned="" [0140.308] lstrlenW (lpString="") returned 0 [0140.308] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.308] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\F90F18257CBB4D84216AC1E1F3BB2C76" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\f90f18257cbb4d84216ac1e1f3bb2c76"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0140.310] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=252) returned 1 [0140.310] CloseHandle (hObject=0x178) returned 1 [0140.310] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0xfc, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="F90F18257CBB4D84216AC1E1F3BB2C76", cAlternateFileName="F90F18~1")) returned 0 [0140.310] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0140.314] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\PUSSY.TXT") returned 96 [0140.314] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0140.315] lstrlenA (lpString="abcd") returned 4 [0140.315] WriteFile (in: hFile=0x180, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0140.316] CloseHandle (hObject=0x180) returned 1 [0140.317] GetProcessHeap () returned 0x4c0000 [0140.317] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x57bb80 | out: hHeap=0x4c0000) returned 1 [0140.318] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd0de60b0, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xd0de60b0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="MetaData", cAlternateFileName="")) returned 0 [0140.318] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0140.318] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\PUSSY.TXT") returned 87 [0140.318] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0140.319] lstrlenA (lpString="abcd") returned 4 [0140.319] WriteFile (in: hFile=0x1b8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0140.320] CloseHandle (hObject=0x1b8) returned 1 [0140.323] GetProcessHeap () returned 0x4c0000 [0140.323] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0140.325] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="IME12", cAlternateFileName="")) returned 1 [0140.325] lstrcmpiW (lpString1="IME12", lpString2="Windows") returned -1 [0140.325] lstrcmpiW (lpString1="IME12", lpString2="Program Files") returned -1 [0140.325] lstrcmpiW (lpString1="IME12", lpString2="Program Files (x86)") returned -1 [0140.325] lstrcmpiW (lpString1="IME12", lpString2="$Recycle.bin") returned 1 [0140.325] lstrcmpiW (lpString1="IME12", lpString2="System Volume Information") returned -1 [0140.325] lstrcmpiW (lpString1="IME12", lpString2=".") returned 1 [0140.325] lstrcmpiW (lpString1="IME12", lpString2="..") returned 1 [0140.326] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IME12") returned 66 [0140.326] GetProcessHeap () returned 0x4c0000 [0140.326] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0140.327] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IME12" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IME12") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IME12" [0140.327] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IME12", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IME12\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IME12\\*" [0140.327] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IME12\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0140.328] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0140.328] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0140.328] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0140.328] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0140.328] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0140.328] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0140.329] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0140.329] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0140.329] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0140.329] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0140.329] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0140.329] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0140.329] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0140.329] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0140.329] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 0 [0140.329] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0140.329] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IME12\\PUSSY.TXT") returned 76 [0140.329] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IME12\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\ime12\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0140.330] lstrlenA (lpString="abcd") returned 4 [0140.330] WriteFile (in: hFile=0x1b8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0140.331] CloseHandle (hObject=0x1b8) returned 1 [0140.331] GetProcessHeap () returned 0x4c0000 [0140.331] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0140.331] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="IMJP12", cAlternateFileName="")) returned 1 [0140.331] lstrcmpiW (lpString1="IMJP12", lpString2="Windows") returned -1 [0140.331] lstrcmpiW (lpString1="IMJP12", lpString2="Program Files") returned -1 [0140.331] lstrcmpiW (lpString1="IMJP12", lpString2="Program Files (x86)") returned -1 [0140.331] lstrcmpiW (lpString1="IMJP12", lpString2="$Recycle.bin") returned 1 [0140.331] lstrcmpiW (lpString1="IMJP12", lpString2="System Volume Information") returned -1 [0140.332] lstrcmpiW (lpString1="IMJP12", lpString2=".") returned 1 [0140.332] lstrcmpiW (lpString1="IMJP12", lpString2="..") returned 1 [0140.332] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP12") returned 67 [0140.332] GetProcessHeap () returned 0x4c0000 [0140.332] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0140.332] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP12" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP12") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP12" [0140.332] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP12", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP12\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP12\\*" [0140.332] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP12\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0140.332] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0140.332] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0140.332] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0140.332] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0140.332] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0140.332] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0140.332] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0140.333] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0140.333] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0140.333] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0140.333] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0140.333] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0140.333] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0140.333] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0140.333] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 0 [0140.333] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0140.333] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP12\\PUSSY.TXT") returned 77 [0140.333] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP12\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\imjp12\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0140.334] lstrlenA (lpString="abcd") returned 4 [0140.334] WriteFile (in: hFile=0x1b8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0140.335] CloseHandle (hObject=0x1b8) returned 1 [0140.335] GetProcessHeap () returned 0x4c0000 [0140.335] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0140.336] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="IMJP8_1", cAlternateFileName="")) returned 1 [0140.336] lstrcmpiW (lpString1="IMJP8_1", lpString2="Windows") returned -1 [0140.336] lstrcmpiW (lpString1="IMJP8_1", lpString2="Program Files") returned -1 [0140.336] lstrcmpiW (lpString1="IMJP8_1", lpString2="Program Files (x86)") returned -1 [0140.337] lstrcmpiW (lpString1="IMJP8_1", lpString2="$Recycle.bin") returned 1 [0140.337] lstrcmpiW (lpString1="IMJP8_1", lpString2="System Volume Information") returned -1 [0140.337] lstrcmpiW (lpString1="IMJP8_1", lpString2=".") returned 1 [0140.337] lstrcmpiW (lpString1="IMJP8_1", lpString2="..") returned 1 [0140.337] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP8_1") returned 68 [0140.337] GetProcessHeap () returned 0x4c0000 [0140.337] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0140.337] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP8_1" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP8_1") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP8_1" [0140.337] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP8_1", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP8_1\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP8_1\\*" [0140.337] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP8_1\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0140.337] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0140.337] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0140.337] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0140.337] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0140.337] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0140.337] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0140.337] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0140.338] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0140.338] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0140.338] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0140.338] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0140.338] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0140.338] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0140.338] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0140.338] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 0 [0140.338] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0140.338] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP8_1\\PUSSY.TXT") returned 78 [0140.338] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP8_1\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\imjp8_1\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0140.339] lstrlenA (lpString="abcd") returned 4 [0140.339] WriteFile (in: hFile=0x1b8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0140.340] CloseHandle (hObject=0x1b8) returned 1 [0140.340] GetProcessHeap () returned 0x4c0000 [0140.340] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0140.340] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="IMJP9_0", cAlternateFileName="")) returned 1 [0140.340] lstrcmpiW (lpString1="IMJP9_0", lpString2="Windows") returned -1 [0140.340] lstrcmpiW (lpString1="IMJP9_0", lpString2="Program Files") returned -1 [0140.340] lstrcmpiW (lpString1="IMJP9_0", lpString2="Program Files (x86)") returned -1 [0140.340] lstrcmpiW (lpString1="IMJP9_0", lpString2="$Recycle.bin") returned 1 [0140.340] lstrcmpiW (lpString1="IMJP9_0", lpString2="System Volume Information") returned -1 [0140.340] lstrcmpiW (lpString1="IMJP9_0", lpString2=".") returned 1 [0140.340] lstrcmpiW (lpString1="IMJP9_0", lpString2="..") returned 1 [0140.340] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP9_0") returned 68 [0140.340] GetProcessHeap () returned 0x4c0000 [0140.340] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0140.340] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP9_0" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP9_0") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP9_0" [0140.340] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP9_0", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP9_0\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP9_0\\*" [0140.340] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP9_0\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0140.341] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0140.341] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0140.341] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0140.341] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0140.341] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0140.341] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0140.341] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0140.341] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0140.341] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0140.341] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0140.341] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0140.341] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0140.341] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0140.341] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0140.341] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 0 [0140.341] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0140.341] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP9_0\\PUSSY.TXT") returned 78 [0140.341] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP9_0\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\imjp9_0\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0140.342] lstrlenA (lpString="abcd") returned 4 [0140.342] WriteFile (in: hFile=0x1b8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0140.343] CloseHandle (hObject=0x1b8) returned 1 [0140.343] GetProcessHeap () returned 0x4c0000 [0140.343] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0140.343] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x510b3550, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x5616fca0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x5616fca0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0140.343] lstrcmpiW (lpString1="Internet Explorer", lpString2="Windows") returned -1 [0140.343] lstrcmpiW (lpString1="Internet Explorer", lpString2="Program Files") returned -1 [0140.343] lstrcmpiW (lpString1="Internet Explorer", lpString2="Program Files (x86)") returned -1 [0140.343] lstrcmpiW (lpString1="Internet Explorer", lpString2="$Recycle.bin") returned 1 [0140.343] lstrcmpiW (lpString1="Internet Explorer", lpString2="System Volume Information") returned -1 [0140.344] lstrcmpiW (lpString1="Internet Explorer", lpString2=".") returned 1 [0140.344] lstrcmpiW (lpString1="Internet Explorer", lpString2="..") returned 1 [0140.344] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer") returned 78 [0140.344] GetProcessHeap () returned 0x4c0000 [0140.344] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0140.344] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer" [0140.344] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\*" [0140.344] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x510b3550, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x5616fca0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x5616fca0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0140.345] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0140.345] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0140.345] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0140.345] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0140.345] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0140.345] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0140.345] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x510b3550, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x5616fca0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x5616fca0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0140.345] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0140.345] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0140.345] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0140.345] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0140.345] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0140.345] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0140.345] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0140.345] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x510b3550, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x510b3550, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x510b3550, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="DOMStore", cAlternateFileName="")) returned 1 [0140.345] lstrcmpiW (lpString1="DOMStore", lpString2="Windows") returned -1 [0140.345] lstrcmpiW (lpString1="DOMStore", lpString2="Program Files") returned -1 [0140.345] lstrcmpiW (lpString1="DOMStore", lpString2="Program Files (x86)") returned -1 [0140.346] lstrcmpiW (lpString1="DOMStore", lpString2="$Recycle.bin") returned 1 [0140.346] lstrcmpiW (lpString1="DOMStore", lpString2="System Volume Information") returned -1 [0140.346] lstrcmpiW (lpString1="DOMStore", lpString2=".") returned 1 [0140.346] lstrcmpiW (lpString1="DOMStore", lpString2="..") returned 1 [0140.346] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore") returned 87 [0140.346] GetProcessHeap () returned 0x4c0000 [0140.346] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0140.347] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore" [0140.347] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\*" [0140.347] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x510b3550, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x510b3550, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x510b3550, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0140.347] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0140.347] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0140.347] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0140.348] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0140.348] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0140.348] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0140.348] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x510b3550, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x510b3550, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x510b3550, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0140.348] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0140.348] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0140.348] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0140.348] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0140.348] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0140.348] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0140.348] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0140.348] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x510b3550, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b05050, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b05050, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="36USA68T", cAlternateFileName="")) returned 1 [0140.348] lstrcmpiW (lpString1="36USA68T", lpString2="Windows") returned -1 [0140.348] lstrcmpiW (lpString1="36USA68T", lpString2="Program Files") returned -1 [0140.348] lstrcmpiW (lpString1="36USA68T", lpString2="Program Files (x86)") returned -1 [0140.349] lstrcmpiW (lpString1="36USA68T", lpString2="$Recycle.bin") returned 1 [0140.349] lstrcmpiW (lpString1="36USA68T", lpString2="System Volume Information") returned -1 [0140.349] lstrcmpiW (lpString1="36USA68T", lpString2=".") returned 1 [0140.349] lstrcmpiW (lpString1="36USA68T", lpString2="..") returned 1 [0140.349] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T") returned 96 [0140.349] GetProcessHeap () returned 0x4c0000 [0140.349] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bd80e8 [0140.349] lstrcpyW (in: lpString1=0x3bd80e8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T" [0140.349] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\*" [0140.349] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x510b3550, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b05050, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b05050, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0140.350] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0140.350] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0140.350] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0140.350] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0140.350] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0140.350] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0140.350] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x510b3550, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b05050, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b05050, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0140.350] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0140.350] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0140.350] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0140.350] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0140.350] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0140.350] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0140.350] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0140.350] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x54b05050, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b05050, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b05050, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="imagesrv.adition[1].xml", cAlternateFileName="IMAGES~1.XML")) returned 1 [0140.350] lstrcmpiW (lpString1="imagesrv.adition[1].xml", lpString2="Windows") returned -1 [0140.350] lstrcmpiW (lpString1="imagesrv.adition[1].xml", lpString2="Program Files") returned -1 [0140.350] lstrcmpiW (lpString1="imagesrv.adition[1].xml", lpString2="Program Files (x86)") returned -1 [0140.350] lstrcmpiW (lpString1="imagesrv.adition[1].xml", lpString2="$Recycle.bin") returned 1 [0140.350] lstrcmpiW (lpString1="imagesrv.adition[1].xml", lpString2="System Volume Information") returned -1 [0140.350] lstrcmpiW (lpString1="imagesrv.adition[1].xml", lpString2=".") returned 1 [0140.351] lstrcmpiW (lpString1="imagesrv.adition[1].xml", lpString2="..") returned 1 [0140.351] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\imagesrv.adition[1].xml") returned 120 [0140.351] lstrcmpW (lpString1="imagesrv.adition[1].xml", lpString2="PUSSY.TXT") returned -1 [0140.351] PathFindExtensionW (pszPath="imagesrv.adition[1].xml") returned=".xml" [0140.351] lstrlenW (lpString=".xml") returned 4 [0140.351] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0140.351] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\imagesrv.adition[1].xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\36usa68t\\imagesrv.adition[1].xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0140.352] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=13) returned 1 [0140.353] CloseHandle (hObject=0x18c) returned 1 [0140.353] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x54b05050, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b05050, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b05050, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="imagesrv.adition[1].xml", cAlternateFileName="IMAGES~1.XML")) returned 0 [0140.353] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0140.353] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\PUSSY.TXT") returned 106 [0140.353] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\36usa68t\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0140.354] lstrlenA (lpString="abcd") returned 4 [0140.354] WriteFile (in: hFile=0x178, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0140.355] CloseHandle (hObject=0x178) returned 1 [0140.355] GetProcessHeap () returned 0x4c0000 [0140.355] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bd80e8 | out: hHeap=0x4c0000) returned 1 [0140.355] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x510b3550, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x605dd8a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x605dd8a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="3O75JDME", cAlternateFileName="")) returned 1 [0140.355] lstrcmpiW (lpString1="3O75JDME", lpString2="Windows") returned -1 [0140.355] lstrcmpiW (lpString1="3O75JDME", lpString2="Program Files") returned -1 [0140.355] lstrcmpiW (lpString1="3O75JDME", lpString2="Program Files (x86)") returned -1 [0140.355] lstrcmpiW (lpString1="3O75JDME", lpString2="$Recycle.bin") returned 1 [0140.355] lstrcmpiW (lpString1="3O75JDME", lpString2="System Volume Information") returned -1 [0140.355] lstrcmpiW (lpString1="3O75JDME", lpString2=".") returned 1 [0140.355] lstrcmpiW (lpString1="3O75JDME", lpString2="..") returned 1 [0140.355] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME") returned 96 [0140.355] GetProcessHeap () returned 0x4c0000 [0140.355] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bd80e8 [0140.355] lstrcpyW (in: lpString1=0x3bd80e8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME" [0140.355] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\*" [0140.355] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x510b3550, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x605dd8a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x605dd8a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0140.356] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0140.357] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0140.357] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0140.357] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0140.357] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0140.357] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0140.357] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x510b3550, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x605dd8a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x605dd8a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0140.357] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0140.357] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0140.357] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0140.357] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0140.357] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0140.357] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0140.357] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0140.357] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x605dd8a0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x605dd8a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x696aec80, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="www.google[1].xml", cAlternateFileName="WWWGOO~1.XML")) returned 1 [0140.357] lstrcmpiW (lpString1="www.google[1].xml", lpString2="Windows") returned 1 [0140.357] lstrcmpiW (lpString1="www.google[1].xml", lpString2="Program Files") returned 1 [0140.357] lstrcmpiW (lpString1="www.google[1].xml", lpString2="Program Files (x86)") returned 1 [0140.357] lstrcmpiW (lpString1="www.google[1].xml", lpString2="$Recycle.bin") returned 1 [0140.357] lstrcmpiW (lpString1="www.google[1].xml", lpString2="System Volume Information") returned 1 [0140.357] lstrcmpiW (lpString1="www.google[1].xml", lpString2=".") returned 1 [0140.357] lstrcmpiW (lpString1="www.google[1].xml", lpString2="..") returned 1 [0140.357] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\www.google[1].xml") returned 114 [0140.357] lstrcmpW (lpString1="www.google[1].xml", lpString2="PUSSY.TXT") returned 1 [0140.357] PathFindExtensionW (pszPath="www.google[1].xml") returned=".xml" [0140.357] lstrlenW (lpString=".xml") returned 4 [0140.358] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0140.358] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\www.google[1].xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\3o75jdme\\www.google[1].xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0140.359] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=13) returned 1 [0140.359] CloseHandle (hObject=0x18c) returned 1 [0140.359] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x605dd8a0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x605dd8a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x696aec80, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="www.google[1].xml", cAlternateFileName="WWWGOO~1.XML")) returned 0 [0140.359] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0140.359] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\PUSSY.TXT") returned 106 [0140.359] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\3o75jdme\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0140.360] lstrlenA (lpString="abcd") returned 4 [0140.360] WriteFile (in: hFile=0x178, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0140.361] CloseHandle (hObject=0x178) returned 1 [0140.361] GetProcessHeap () returned 0x4c0000 [0140.361] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bd80e8 | out: hHeap=0x4c0000) returned 1 [0140.361] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x510b3550, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x510b3550, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbaf619f0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="index.dat", cAlternateFileName="")) returned 1 [0140.361] lstrcmpiW (lpString1="index.dat", lpString2="Windows") returned -1 [0140.361] lstrcmpiW (lpString1="index.dat", lpString2="Program Files") returned -1 [0140.361] lstrcmpiW (lpString1="index.dat", lpString2="Program Files (x86)") returned -1 [0140.361] lstrcmpiW (lpString1="index.dat", lpString2="$Recycle.bin") returned 1 [0140.361] lstrcmpiW (lpString1="index.dat", lpString2="System Volume Information") returned -1 [0140.361] lstrcmpiW (lpString1="index.dat", lpString2=".") returned 1 [0140.361] lstrcmpiW (lpString1="index.dat", lpString2="..") returned 1 [0140.361] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\index.dat") returned 97 [0140.362] lstrcmpW (lpString1="index.dat", lpString2="PUSSY.TXT") returned -1 [0140.362] PathFindExtensionW (pszPath="index.dat") returned=".dat" [0140.362] lstrlenW (lpString=".dat") returned 4 [0140.362] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.362] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\index.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0140.362] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=32768) returned 1 [0140.362] GetProcessHeap () returned 0x4c0000 [0140.362] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0140.377] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="3F") returned 2 [0140.377] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="AF") returned 2 [0140.377] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="FD") returned 2 [0140.377] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="F1") returned 2 [0140.377] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="EB") returned 2 [0140.377] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="9F") returned 2 [0140.377] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="72") returned 2 [0140.377] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="37") returned 2 [0140.377] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="7A") returned 2 [0140.377] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="80") returned 2 [0140.377] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="49") returned 2 [0140.377] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="B0") returned 2 [0140.377] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="B9") returned 2 [0140.377] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="AF") returned 2 [0140.377] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="28") returned 2 [0140.377] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="94") returned 2 [0140.377] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="E7") returned 2 [0140.377] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="93") returned 2 [0140.377] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="2B") returned 2 [0140.377] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="B1") returned 2 [0140.378] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="CF") returned 2 [0140.378] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="EF") returned 2 [0140.378] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="54") returned 2 [0140.378] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="F8") returned 2 [0140.378] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="63") returned 2 [0140.378] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="40") returned 2 [0140.378] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="27") returned 2 [0140.378] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="84") returned 2 [0140.378] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="15") returned 2 [0140.378] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="6F") returned 2 [0140.378] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="A0") returned 2 [0140.378] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="7E") returned 2 [0140.390] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\index.dat" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\index.dat") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\index.dat" [0140.390] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\index.dat" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\index.dat") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\index.dat" [0140.390] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\index.dat", lpString2=".3FAFFDF1EB9F72377A8049B0B9AF2894E7932BB1CFEF54F863402784156FA07E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\index.dat.3FAFFDF1EB9F72377A8049B0B9AF2894E7932BB1CFEF54F863402784156FA07E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\index.dat.3FAFFDF1EB9F72377A8049B0B9AF2894E7932BB1CFEF54F863402784156FA07E" [0140.390] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0140.390] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0140.390] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x510b3550, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x510b3550, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x510b3550, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="UV0DUWVB", cAlternateFileName="")) returned 1 [0140.390] lstrcmpiW (lpString1="UV0DUWVB", lpString2="Windows") returned -1 [0140.390] lstrcmpiW (lpString1="UV0DUWVB", lpString2="Program Files") returned 1 [0140.390] lstrcmpiW (lpString1="UV0DUWVB", lpString2="Program Files (x86)") returned 1 [0140.390] lstrcmpiW (lpString1="UV0DUWVB", lpString2="$Recycle.bin") returned 1 [0140.391] lstrcmpiW (lpString1="UV0DUWVB", lpString2="System Volume Information") returned 1 [0140.391] lstrcmpiW (lpString1="UV0DUWVB", lpString2=".") returned 1 [0140.391] lstrcmpiW (lpString1="UV0DUWVB", lpString2="..") returned 1 [0140.391] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\UV0DUWVB") returned 96 [0140.391] GetProcessHeap () returned 0x4c0000 [0140.391] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bd80e8 [0140.391] lstrcpyW (in: lpString1=0x3bd80e8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\UV0DUWVB" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\UV0DUWVB") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\UV0DUWVB" [0140.391] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\UV0DUWVB", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\UV0DUWVB\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\UV0DUWVB\\*" [0140.391] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\UV0DUWVB\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x510b3550, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x510b3550, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x510b3550, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0140.391] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0140.391] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0140.391] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0140.391] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0140.391] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0140.392] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0140.392] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x510b3550, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x510b3550, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x510b3550, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0140.392] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0140.392] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0140.392] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0140.392] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0140.392] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0140.392] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0140.392] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0140.392] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x510b3550, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x510b3550, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x510b3550, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 0 [0140.392] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0140.392] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\UV0DUWVB\\PUSSY.TXT") returned 106 [0140.392] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\UV0DUWVB\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\uv0duwvb\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0140.393] lstrlenA (lpString="abcd") returned 4 [0140.393] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0140.394] CloseHandle (hObject=0x18c) returned 1 [0140.394] GetProcessHeap () returned 0x4c0000 [0140.394] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bd80e8 | out: hHeap=0x4c0000) returned 1 [0140.395] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x510b3550, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x510b3550, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x510b3550, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="VGMTOI09", cAlternateFileName="")) returned 1 [0140.395] lstrcmpiW (lpString1="VGMTOI09", lpString2="Windows") returned -1 [0140.395] lstrcmpiW (lpString1="VGMTOI09", lpString2="Program Files") returned 1 [0140.395] lstrcmpiW (lpString1="VGMTOI09", lpString2="Program Files (x86)") returned 1 [0140.395] lstrcmpiW (lpString1="VGMTOI09", lpString2="$Recycle.bin") returned 1 [0140.395] lstrcmpiW (lpString1="VGMTOI09", lpString2="System Volume Information") returned 1 [0140.395] lstrcmpiW (lpString1="VGMTOI09", lpString2=".") returned 1 [0140.395] lstrcmpiW (lpString1="VGMTOI09", lpString2="..") returned 1 [0140.395] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09") returned 96 [0140.395] GetProcessHeap () returned 0x4c0000 [0140.395] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bd80e8 [0140.395] lstrcpyW (in: lpString1=0x3bd80e8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09" [0140.395] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09\\*" [0140.395] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x510b3550, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x510b3550, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x510b3550, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0140.395] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0140.395] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0140.395] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0140.395] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0140.395] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0140.396] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0140.396] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x510b3550, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x510b3550, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x510b3550, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0140.396] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0140.396] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0140.396] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0140.396] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0140.396] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0140.396] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0140.396] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0140.396] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x510b3550, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x510b3550, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x52878dd0, ftLastWriteTime.dwHighDateTime=0x1d2faf3, nFileSizeHigh=0x0, nFileSizeLow=0x344, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName="www.msn[1].xml", cAlternateFileName="WWWMSN~1.XML")) returned 1 [0140.396] lstrcmpiW (lpString1="www.msn[1].xml", lpString2="Windows") returned 1 [0140.396] lstrcmpiW (lpString1="www.msn[1].xml", lpString2="Program Files") returned 1 [0140.396] lstrcmpiW (lpString1="www.msn[1].xml", lpString2="Program Files (x86)") returned 1 [0140.396] lstrcmpiW (lpString1="www.msn[1].xml", lpString2="$Recycle.bin") returned 1 [0140.396] lstrcmpiW (lpString1="www.msn[1].xml", lpString2="System Volume Information") returned 1 [0140.396] lstrcmpiW (lpString1="www.msn[1].xml", lpString2=".") returned 1 [0140.396] lstrcmpiW (lpString1="www.msn[1].xml", lpString2="..") returned 1 [0140.396] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09\\www.msn[1].xml") returned 111 [0140.396] lstrcmpW (lpString1="www.msn[1].xml", lpString2="PUSSY.TXT") returned 1 [0140.396] PathFindExtensionW (pszPath="www.msn[1].xml") returned=".xml" [0140.396] lstrlenW (lpString=".xml") returned 4 [0140.396] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0140.396] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09\\www.msn[1].xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\vgmtoi09\\www.msn[1].xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0140.430] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=836) returned 1 [0140.430] GetProcessHeap () returned 0x4c0000 [0140.430] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0140.441] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="F2") returned 2 [0140.441] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="94") returned 2 [0140.441] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="BA") returned 2 [0140.441] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="B0") returned 2 [0140.441] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="96") returned 2 [0140.441] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="A7") returned 2 [0140.441] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="C1") returned 2 [0140.441] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="23") returned 2 [0140.441] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="C1") returned 2 [0140.441] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="03") returned 2 [0140.441] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="8C") returned 2 [0140.441] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="B7") returned 2 [0140.441] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="B9") returned 2 [0140.441] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="DE") returned 2 [0140.441] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="0A") returned 2 [0140.441] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="47") returned 2 [0140.441] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="1E") returned 2 [0140.441] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="54") returned 2 [0140.441] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="92") returned 2 [0140.441] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="E0") returned 2 [0140.441] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="C1") returned 2 [0140.441] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="B2") returned 2 [0140.441] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="EB") returned 2 [0140.441] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="72") returned 2 [0140.441] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="3D") returned 2 [0140.441] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="B9") returned 2 [0140.441] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="50") returned 2 [0140.441] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="3D") returned 2 [0140.441] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="47") returned 2 [0140.441] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="0F") returned 2 [0140.441] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="1A") returned 2 [0140.441] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="20") returned 2 [0140.454] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09\\www.msn[1].xml" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09\\www.msn[1].xml") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09\\www.msn[1].xml" [0140.454] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09\\www.msn[1].xml" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09\\www.msn[1].xml") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09\\www.msn[1].xml" [0140.454] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09\\www.msn[1].xml", lpString2=".F294BAB096A7C123C1038CB7B9DE0A471E5492E0C1B2EB723DB9503D470F1A20" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09\\www.msn[1].xml.F294BAB096A7C123C1038CB7B9DE0A471E5492E0C1B2EB723DB9503D470F1A20") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09\\www.msn[1].xml.F294BAB096A7C123C1038CB7B9DE0A471E5492E0C1B2EB723DB9503D470F1A20" [0140.454] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0140.455] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0140.455] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x510b3550, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x510b3550, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x52878dd0, ftLastWriteTime.dwHighDateTime=0x1d2faf3, nFileSizeHigh=0x0, nFileSizeLow=0x344, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName="www.msn[1].xml", cAlternateFileName="WWWMSN~1.XML")) returned 0 [0140.458] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0140.458] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09\\PUSSY.TXT") returned 106 [0140.458] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\vgmtoi09\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0140.461] lstrlenA (lpString="abcd") returned 4 [0140.462] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0140.462] CloseHandle (hObject=0x1d0) returned 1 [0140.462] GetProcessHeap () returned 0x4c0000 [0140.463] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bd80e8 | out: hHeap=0x4c0000) returned 1 [0140.466] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x510b3550, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x510b3550, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x510b3550, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="VGMTOI09", cAlternateFileName="")) returned 0 [0140.466] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0140.466] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\PUSSY.TXT") returned 97 [0140.466] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0140.467] lstrlenA (lpString="abcd") returned 4 [0140.467] WriteFile (in: hFile=0x180, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0140.468] CloseHandle (hObject=0x180) returned 1 [0140.468] GetProcessHeap () returned 0x4c0000 [0140.468] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0140.468] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5616fca0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x2bf7e690, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x2bf7e690, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="Services", cAlternateFileName="")) returned 1 [0140.468] lstrcmpiW (lpString1="Services", lpString2="Windows") returned -1 [0140.469] lstrcmpiW (lpString1="Services", lpString2="Program Files") returned 1 [0140.469] lstrcmpiW (lpString1="Services", lpString2="Program Files (x86)") returned 1 [0140.469] lstrcmpiW (lpString1="Services", lpString2="$Recycle.bin") returned 1 [0140.469] lstrcmpiW (lpString1="Services", lpString2="System Volume Information") returned -1 [0140.469] lstrcmpiW (lpString1="Services", lpString2=".") returned 1 [0140.469] lstrcmpiW (lpString1="Services", lpString2="..") returned 1 [0140.469] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services") returned 87 [0140.469] GetProcessHeap () returned 0x4c0000 [0140.469] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0140.469] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services" [0140.469] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\*" [0140.469] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5616fca0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x2bf7e690, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x2bf7e690, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0140.469] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0140.469] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0140.469] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0140.469] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0140.469] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0140.469] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0140.469] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5616fca0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x2bf7e690, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x2bf7e690, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0140.470] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0140.470] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0140.470] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0140.470] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0140.470] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0140.470] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0140.470] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0140.470] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5616fca0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x2bf7e690, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x2bf7e690, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0140.470] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0140.470] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\PUSSY.TXT") returned 97 [0140.470] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\services\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0140.471] lstrlenA (lpString="abcd") returned 4 [0140.471] WriteFile (in: hFile=0x180, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0140.472] CloseHandle (hObject=0x180) returned 1 [0140.472] GetProcessHeap () returned 0x4c0000 [0140.472] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0140.472] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5616fca0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x2bf7e690, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x2bf7e690, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="Services", cAlternateFileName="")) returned 0 [0140.472] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0140.472] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\PUSSY.TXT") returned 88 [0140.472] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0140.473] lstrlenA (lpString="abcd") returned 4 [0140.473] WriteFile (in: hFile=0x1b8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0140.474] CloseHandle (hObject=0x1b8) returned 1 [0140.474] GetProcessHeap () returned 0x4c0000 [0140.474] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0140.475] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x510b3550, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x5616fca0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x5616fca0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 0 [0140.476] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0140.476] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\PUSSY.TXT") returned 70 [0140.476] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x124 [0140.476] lstrlenA (lpString="abcd") returned 4 [0140.476] WriteFile (in: hFile=0x124, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0140.477] CloseHandle (hObject=0x124) returned 1 [0140.477] GetProcessHeap () returned 0x4c0000 [0140.477] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0140.478] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x68cb4a40, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x68cb4a40, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x68cb4a40, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="Sun", cAlternateFileName="")) returned 1 [0140.478] lstrcmpiW (lpString1="Sun", lpString2="Windows") returned -1 [0140.478] lstrcmpiW (lpString1="Sun", lpString2="Program Files") returned 1 [0140.478] lstrcmpiW (lpString1="Sun", lpString2="Program Files (x86)") returned 1 [0140.478] lstrcmpiW (lpString1="Sun", lpString2="$Recycle.bin") returned 1 [0140.478] lstrcmpiW (lpString1="Sun", lpString2="System Volume Information") returned -1 [0140.478] lstrcmpiW (lpString1="Sun", lpString2=".") returned 1 [0140.478] lstrcmpiW (lpString1="Sun", lpString2="..") returned 1 [0140.478] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun") returned 54 [0140.478] GetProcessHeap () returned 0x4c0000 [0140.478] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0140.478] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun" [0140.478] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\*" [0140.478] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x68cb4a40, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x68cb4a40, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x68cb4a40, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0140.479] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0140.479] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0140.479] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0140.479] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0140.479] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0140.480] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0140.480] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x68cb4a40, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x68cb4a40, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x68cb4a40, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0140.480] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0140.480] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0140.480] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0140.480] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0140.480] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0140.480] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0140.480] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0140.480] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x68cb4a40, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0xa1dc2570, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0xa1dc2570, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Java", cAlternateFileName="")) returned 1 [0140.480] lstrcmpiW (lpString1="Java", lpString2="Windows") returned -1 [0140.480] lstrcmpiW (lpString1="Java", lpString2="Program Files") returned -1 [0140.480] lstrcmpiW (lpString1="Java", lpString2="Program Files (x86)") returned -1 [0140.480] lstrcmpiW (lpString1="Java", lpString2="$Recycle.bin") returned 1 [0140.480] lstrcmpiW (lpString1="Java", lpString2="System Volume Information") returned -1 [0140.480] lstrcmpiW (lpString1="Java", lpString2=".") returned 1 [0140.480] lstrcmpiW (lpString1="Java", lpString2="..") returned 1 [0140.480] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java") returned 59 [0140.480] GetProcessHeap () returned 0x4c0000 [0140.480] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0140.481] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java" [0140.481] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\*" [0140.481] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x68cb4a40, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0xa1dc2570, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0xa1dc2570, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0140.482] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0140.482] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0140.482] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0140.482] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0140.482] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0140.482] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0140.482] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x68cb4a40, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0xa1dc2570, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0xa1dc2570, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0140.482] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0140.482] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0140.482] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0140.482] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0140.482] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0140.482] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0140.482] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0140.482] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7eea3160, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7eec92c0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7eec92c0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="AU", cAlternateFileName="")) returned 1 [0140.482] lstrcmpiW (lpString1="AU", lpString2="Windows") returned -1 [0140.482] lstrcmpiW (lpString1="AU", lpString2="Program Files") returned -1 [0140.482] lstrcmpiW (lpString1="AU", lpString2="Program Files (x86)") returned -1 [0140.482] lstrcmpiW (lpString1="AU", lpString2="$Recycle.bin") returned 1 [0140.482] lstrcmpiW (lpString1="AU", lpString2="System Volume Information") returned -1 [0140.482] lstrcmpiW (lpString1="AU", lpString2=".") returned 1 [0140.482] lstrcmpiW (lpString1="AU", lpString2="..") returned 1 [0140.482] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU") returned 62 [0140.482] GetProcessHeap () returned 0x4c0000 [0140.482] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0140.483] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU" [0140.483] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\*" [0140.483] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7eea3160, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7eec92c0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7eec92c0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0140.484] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0140.484] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0140.484] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0140.484] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0140.484] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0140.485] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0140.485] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7eea3160, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7eec92c0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7eec92c0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0140.485] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0140.485] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0140.485] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0140.485] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0140.485] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0140.485] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0140.485] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0140.485] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7eec92c0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7eec92c0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7eec92c0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x8e062, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="au.cab", cAlternateFileName="")) returned 1 [0140.485] lstrcmpiW (lpString1="au.cab", lpString2="Windows") returned -1 [0140.485] lstrcmpiW (lpString1="au.cab", lpString2="Program Files") returned -1 [0140.485] lstrcmpiW (lpString1="au.cab", lpString2="Program Files (x86)") returned -1 [0140.485] lstrcmpiW (lpString1="au.cab", lpString2="$Recycle.bin") returned 1 [0140.485] lstrcmpiW (lpString1="au.cab", lpString2="System Volume Information") returned -1 [0140.485] lstrcmpiW (lpString1="au.cab", lpString2=".") returned 1 [0140.485] lstrcmpiW (lpString1="au.cab", lpString2="..") returned 1 [0140.486] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.cab") returned 69 [0140.486] lstrcmpW (lpString1="au.cab", lpString2="PUSSY.TXT") returned -1 [0140.486] PathFindExtensionW (pszPath="au.cab") returned=".cab" [0140.486] lstrlenW (lpString=".cab") returned 4 [0140.486] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.486] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.cab" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\au\\au.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0140.487] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=581730) returned 1 [0140.487] GetProcessHeap () returned 0x4c0000 [0140.487] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0140.497] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="54") returned 2 [0140.497] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="2A") returned 2 [0140.497] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="8A") returned 2 [0140.497] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="A5") returned 2 [0140.497] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="89") returned 2 [0140.497] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="D7") returned 2 [0140.497] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="76") returned 2 [0140.497] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="4F") returned 2 [0140.497] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="3C") returned 2 [0140.497] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="7D") returned 2 [0140.498] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="20") returned 2 [0140.498] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="9F") returned 2 [0140.498] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="55") returned 2 [0140.498] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="7F") returned 2 [0140.498] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="C5") returned 2 [0140.498] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="95") returned 2 [0140.498] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="9D") returned 2 [0140.498] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="CA") returned 2 [0140.498] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="B7") returned 2 [0140.498] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="57") returned 2 [0140.498] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="D9") returned 2 [0140.498] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="F1") returned 2 [0140.498] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="AE") returned 2 [0140.498] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="F9") returned 2 [0140.498] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="91") returned 2 [0140.498] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="49") returned 2 [0140.498] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="11") returned 2 [0140.498] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="22") returned 2 [0140.498] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="5A") returned 2 [0140.498] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="57") returned 2 [0140.498] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="1D") returned 2 [0140.498] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="5E") returned 2 [0140.507] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.cab" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.cab") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.cab" [0140.507] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.cab" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.cab") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.cab" [0140.507] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.cab", lpString2=".542A8AA589D7764F3C7D209F557FC5959DCAB757D9F1AEF9914911225A571D5E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.cab.542A8AA589D7764F3C7D209F557FC5959DCAB757D9F1AEF9914911225A571D5E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.cab.542A8AA589D7764F3C7D209F557FC5959DCAB757D9F1AEF9914911225A571D5E" [0140.507] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0140.507] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0140.507] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7eec92c0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7eec92c0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7eec92c0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x2d400, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="au.msi", cAlternateFileName="")) returned 1 [0140.507] lstrcmpiW (lpString1="au.msi", lpString2="Windows") returned -1 [0140.507] lstrcmpiW (lpString1="au.msi", lpString2="Program Files") returned -1 [0140.507] lstrcmpiW (lpString1="au.msi", lpString2="Program Files (x86)") returned -1 [0140.507] lstrcmpiW (lpString1="au.msi", lpString2="$Recycle.bin") returned 1 [0140.507] lstrcmpiW (lpString1="au.msi", lpString2="System Volume Information") returned -1 [0140.507] lstrcmpiW (lpString1="au.msi", lpString2=".") returned 1 [0140.507] lstrcmpiW (lpString1="au.msi", lpString2="..") returned 1 [0140.507] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.msi") returned 69 [0140.507] lstrcmpW (lpString1="au.msi", lpString2="PUSSY.TXT") returned -1 [0140.507] PathFindExtensionW (pszPath="au.msi") returned=".msi" [0140.508] lstrlenW (lpString=".msi") returned 4 [0140.508] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.508] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.msi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\au\\au.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0140.509] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=185344) returned 1 [0140.509] GetProcessHeap () returned 0x4c0000 [0140.509] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0140.519] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="CE") returned 2 [0140.519] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="59") returned 2 [0140.519] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="D0") returned 2 [0140.519] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="27") returned 2 [0140.519] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="05") returned 2 [0140.519] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="5D") returned 2 [0140.519] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="5D") returned 2 [0140.519] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="72") returned 2 [0140.520] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="D5") returned 2 [0140.520] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="2E") returned 2 [0140.520] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="0E") returned 2 [0140.520] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="7B") returned 2 [0140.520] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="CE") returned 2 [0140.520] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="94") returned 2 [0140.520] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="EF") returned 2 [0140.520] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="74") returned 2 [0140.520] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="E3") returned 2 [0140.520] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="31") returned 2 [0140.520] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="27") returned 2 [0140.520] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="C8") returned 2 [0140.520] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="0E") returned 2 [0140.520] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="31") returned 2 [0140.520] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="1F") returned 2 [0140.520] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="98") returned 2 [0140.520] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="6C") returned 2 [0140.520] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="ED") returned 2 [0140.520] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="72") returned 2 [0140.520] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="38") returned 2 [0140.520] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="CD") returned 2 [0140.520] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="D1") returned 2 [0140.520] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="D6") returned 2 [0140.520] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="3F") returned 2 [0140.528] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.msi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.msi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.msi" [0140.528] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.msi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.msi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.msi" [0140.528] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.msi", lpString2=".CE59D027055D5D72D52E0E7BCE94EF74E33127C80E311F986CED7238CDD1D63F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.msi.CE59D027055D5D72D52E0E7BCE94EF74E33127C80E311F986CED7238CDD1D63F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.msi.CE59D027055D5D72D52E0E7BCE94EF74E33127C80E311F986CED7238CDD1D63F" [0140.529] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0140.529] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0140.561] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7eec92c0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7eec92c0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7eec92c0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x2d400, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="au.msi", cAlternateFileName="")) returned 0 [0140.561] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0140.561] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\PUSSY.TXT") returned 72 [0140.561] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\au\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0140.562] lstrlenA (lpString="abcd") returned 4 [0140.562] WriteFile (in: hFile=0x180, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0140.563] CloseHandle (hObject=0x180) returned 1 [0140.563] GetProcessHeap () returned 0x4c0000 [0140.563] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0140.563] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa1dc2570, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0xa1ea6db0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0xa1ea6db0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="Deployment", cAlternateFileName="DEPLOY~1")) returned 1 [0140.563] lstrcmpiW (lpString1="Deployment", lpString2="Windows") returned -1 [0140.563] lstrcmpiW (lpString1="Deployment", lpString2="Program Files") returned -1 [0140.563] lstrcmpiW (lpString1="Deployment", lpString2="Program Files (x86)") returned -1 [0140.564] lstrcmpiW (lpString1="Deployment", lpString2="$Recycle.bin") returned 1 [0140.564] lstrcmpiW (lpString1="Deployment", lpString2="System Volume Information") returned -1 [0140.564] lstrcmpiW (lpString1="Deployment", lpString2=".") returned 1 [0140.564] lstrcmpiW (lpString1="Deployment", lpString2="..") returned 1 [0140.564] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment") returned 70 [0140.564] GetProcessHeap () returned 0x4c0000 [0140.564] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0140.564] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment" [0140.564] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\*" [0140.564] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa1dc2570, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0xa1ea6db0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0xa1ea6db0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0140.564] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0140.564] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0140.564] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0140.564] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0140.564] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0140.564] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0140.564] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa1dc2570, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0xa1ea6db0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0xa1ea6db0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0140.564] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0140.564] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0140.564] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0140.565] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0140.565] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0140.565] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0140.565] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0140.565] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa1ea6db0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0xa1ea6db0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0xfec5c570, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x2cf, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="deployment.properties", cAlternateFileName="DEPLOY~1.PRO")) returned 1 [0140.565] lstrcmpiW (lpString1="deployment.properties", lpString2="Windows") returned -1 [0140.565] lstrcmpiW (lpString1="deployment.properties", lpString2="Program Files") returned -1 [0140.565] lstrcmpiW (lpString1="deployment.properties", lpString2="Program Files (x86)") returned -1 [0140.565] lstrcmpiW (lpString1="deployment.properties", lpString2="$Recycle.bin") returned 1 [0140.565] lstrcmpiW (lpString1="deployment.properties", lpString2="System Volume Information") returned -1 [0140.565] lstrcmpiW (lpString1="deployment.properties", lpString2=".") returned 1 [0140.565] lstrcmpiW (lpString1="deployment.properties", lpString2="..") returned 1 [0140.565] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties") returned 92 [0140.565] lstrcmpW (lpString1="deployment.properties", lpString2="PUSSY.TXT") returned -1 [0140.565] PathFindExtensionW (pszPath="deployment.properties") returned=".properties" [0140.565] lstrlenW (lpString=".properties") returned 11 [0140.565] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.565] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\deployment\\deployment.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0140.566] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=719) returned 1 [0140.566] GetProcessHeap () returned 0x4c0000 [0140.566] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x553b30 [0140.575] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="97") returned 2 [0140.575] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="9A") returned 2 [0140.575] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="47") returned 2 [0140.575] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="A8") returned 2 [0140.575] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="DB") returned 2 [0140.575] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="44") returned 2 [0140.576] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="74") returned 2 [0140.576] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="0B") returned 2 [0140.576] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="73") returned 2 [0140.576] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="E2") returned 2 [0140.576] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="97") returned 2 [0140.576] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="C5") returned 2 [0140.576] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="CC") returned 2 [0140.576] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="B5") returned 2 [0140.576] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="CF") returned 2 [0140.576] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="7B") returned 2 [0140.576] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="62") returned 2 [0140.576] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="58") returned 2 [0140.576] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="3E") returned 2 [0140.576] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="72") returned 2 [0140.576] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="A9") returned 2 [0140.576] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="76") returned 2 [0140.576] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="6C") returned 2 [0140.576] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="A9") returned 2 [0140.576] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="0D") returned 2 [0140.576] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="F2") returned 2 [0140.576] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="9A") returned 2 [0140.576] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="33") returned 2 [0140.576] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="C4") returned 2 [0140.576] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="4C") returned 2 [0140.576] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="CA") returned 2 [0140.576] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="4B") returned 2 [0140.624] lstrcpyW (in: lpString1=0x563b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties" [0140.624] lstrcpyW (in: lpString1=0x553b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties" [0140.624] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties", lpString2=".979A47A8DB44740B73E297C5CCB5CF7B62583E72A9766CA90DF29A33C44CCA4B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties.979A47A8DB44740B73E297C5CCB5CF7B62583E72A9766CA90DF29A33C44CCA4B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties.979A47A8DB44740B73E297C5CCB5CF7B62583E72A9766CA90DF29A33C44CCA4B" [0140.624] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x553b30, NumberOfConcurrentThreads=0x0) returned 0x94 [0140.624] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x553b30, lpOverlapped=0x553b30) returned 1 [0140.624] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa1e5aaf0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0xa1e5aaf0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0xa1e5aaf0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="security", cAlternateFileName="")) returned 1 [0140.624] lstrcmpiW (lpString1="security", lpString2="Windows") returned -1 [0140.624] lstrcmpiW (lpString1="security", lpString2="Program Files") returned 1 [0140.624] lstrcmpiW (lpString1="security", lpString2="Program Files (x86)") returned 1 [0140.625] lstrcmpiW (lpString1="security", lpString2="$Recycle.bin") returned 1 [0140.625] lstrcmpiW (lpString1="security", lpString2="System Volume Information") returned -1 [0140.625] lstrcmpiW (lpString1="security", lpString2=".") returned 1 [0140.625] lstrcmpiW (lpString1="security", lpString2="..") returned 1 [0140.625] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\security") returned 79 [0140.625] GetProcessHeap () returned 0x4c0000 [0140.625] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x57bb80 [0140.625] lstrcpyW (in: lpString1=0x57bb80, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\security" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\security") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\security" [0140.625] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\security", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\security\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\security\\*" [0140.625] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\security\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa1e5aaf0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0xa1e5aaf0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0xa1e5aaf0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0140.626] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0140.626] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0140.626] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0140.626] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0140.626] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0140.626] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0140.626] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa1e5aaf0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0xa1e5aaf0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0xa1e5aaf0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0140.626] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0140.626] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0140.626] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0140.626] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0140.626] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0140.626] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0140.626] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0140.626] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa1e5aaf0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0xa1e5aaf0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0xa1e5aaf0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 0 [0140.626] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0140.626] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\security\\PUSSY.TXT") returned 89 [0140.626] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\security\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\deployment\\security\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0140.627] lstrlenA (lpString="abcd") returned 4 [0140.627] WriteFile (in: hFile=0x1d4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0140.631] CloseHandle (hObject=0x1d4) returned 1 [0140.631] GetProcessHeap () returned 0x4c0000 [0140.631] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x57bb80 | out: hHeap=0x4c0000) returned 1 [0140.633] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa1dc2570, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0xa1dc2570, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0xa1dc2570, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="tmp", cAlternateFileName="")) returned 1 [0140.633] lstrcmpiW (lpString1="tmp", lpString2="Windows") returned -1 [0140.633] lstrcmpiW (lpString1="tmp", lpString2="Program Files") returned 1 [0140.633] lstrcmpiW (lpString1="tmp", lpString2="Program Files (x86)") returned 1 [0140.633] lstrcmpiW (lpString1="tmp", lpString2="$Recycle.bin") returned 1 [0140.633] lstrcmpiW (lpString1="tmp", lpString2="System Volume Information") returned 1 [0140.633] lstrcmpiW (lpString1="tmp", lpString2=".") returned 1 [0140.633] lstrcmpiW (lpString1="tmp", lpString2="..") returned 1 [0140.633] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp") returned 74 [0140.633] GetProcessHeap () returned 0x4c0000 [0140.633] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bd80e8 [0140.634] lstrcpyW (in: lpString1=0x3bd80e8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp" [0140.634] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\*" [0140.634] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa1dc2570, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0xa1dc2570, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0xa1dc2570, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0140.634] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0140.634] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0140.634] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0140.634] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0140.634] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0140.634] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0140.634] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa1dc2570, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0xa1dc2570, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0xa1dc2570, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0140.634] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0140.635] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0140.635] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0140.635] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0140.635] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0140.635] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0140.635] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0140.635] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa1dc2570, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0xfaeead90, ftLastAccessTime.dwHighDateTime=0x1d35d05, ftLastWriteTime.dwLowDateTime=0xfaeead90, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName="si", cAlternateFileName="")) returned 1 [0140.635] lstrcmpiW (lpString1="si", lpString2="Windows") returned -1 [0140.635] lstrcmpiW (lpString1="si", lpString2="Program Files") returned 1 [0140.635] lstrcmpiW (lpString1="si", lpString2="Program Files (x86)") returned 1 [0140.635] lstrcmpiW (lpString1="si", lpString2="$Recycle.bin") returned 1 [0140.635] lstrcmpiW (lpString1="si", lpString2="System Volume Information") returned -1 [0140.635] lstrcmpiW (lpString1="si", lpString2=".") returned 1 [0140.635] lstrcmpiW (lpString1="si", lpString2="..") returned 1 [0140.635] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\si") returned 77 [0140.635] GetProcessHeap () returned 0x4c0000 [0140.635] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x553b30 [0140.635] lstrcpyW (in: lpString1=0x553b30, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\si" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\si") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\si" [0140.635] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\si", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\si\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\si\\*" [0140.635] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\si\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa1dc2570, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0xfaeead90, ftLastAccessTime.dwHighDateTime=0x1d35d05, ftLastWriteTime.dwLowDateTime=0xfeca8830, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0140.635] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0140.636] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0140.636] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0140.636] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0140.636] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0140.636] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0140.636] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa1dc2570, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0xfaeead90, ftLastAccessTime.dwHighDateTime=0x1d35d05, ftLastWriteTime.dwLowDateTime=0xfeca8830, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0140.636] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0140.636] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0140.636] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0140.636] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0140.636] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0140.636] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0140.636] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0140.636] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa1dc2570, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0xfaeead90, ftLastAccessTime.dwHighDateTime=0x1d35d05, ftLastWriteTime.dwLowDateTime=0xfeca8830, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0140.636] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0140.636] wnsprintfW (in: pszDest=0x553b30, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\si\\PUSSY.TXT") returned 87 [0140.636] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\si\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\deployment\\tmp\\si\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0140.637] lstrlenA (lpString="abcd") returned 4 [0140.637] WriteFile (in: hFile=0x1d4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0140.638] CloseHandle (hObject=0x1d4) returned 1 [0140.638] GetProcessHeap () returned 0x4c0000 [0140.638] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x553b30 | out: hHeap=0x4c0000) returned 1 [0140.638] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa1dc2570, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0xfaeead90, ftLastAccessTime.dwHighDateTime=0x1d35d05, ftLastWriteTime.dwLowDateTime=0xfaeead90, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName="si", cAlternateFileName="")) returned 0 [0140.638] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0140.638] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\PUSSY.TXT") returned 84 [0140.638] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\deployment\\tmp\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0140.639] lstrlenA (lpString="abcd") returned 4 [0140.639] WriteFile (in: hFile=0x178, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0140.640] CloseHandle (hObject=0x178) returned 1 [0140.640] GetProcessHeap () returned 0x4c0000 [0140.640] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bd80e8 | out: hHeap=0x4c0000) returned 1 [0140.642] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa1dc2570, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0xa1dc2570, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0xa1dc2570, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="tmp", cAlternateFileName="")) returned 0 [0140.642] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0140.642] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\PUSSY.TXT") returned 80 [0140.643] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\deployment\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0140.645] lstrlenA (lpString="abcd") returned 4 [0140.645] WriteFile (in: hFile=0x180, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0140.646] CloseHandle (hObject=0x180) returned 1 [0140.646] GetProcessHeap () returned 0x4c0000 [0140.646] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0140.649] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x68cb4a40, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x68d26e60, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x68d26e60, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="jre1.7.0_45", cAlternateFileName="JRE17~1.0_4")) returned 1 [0140.649] lstrcmpiW (lpString1="jre1.7.0_45", lpString2="Windows") returned -1 [0140.649] lstrcmpiW (lpString1="jre1.7.0_45", lpString2="Program Files") returned -1 [0140.649] lstrcmpiW (lpString1="jre1.7.0_45", lpString2="Program Files (x86)") returned -1 [0140.649] lstrcmpiW (lpString1="jre1.7.0_45", lpString2="$Recycle.bin") returned 1 [0140.649] lstrcmpiW (lpString1="jre1.7.0_45", lpString2="System Volume Information") returned -1 [0140.649] lstrcmpiW (lpString1="jre1.7.0_45", lpString2=".") returned 1 [0140.649] lstrcmpiW (lpString1="jre1.7.0_45", lpString2="..") returned 1 [0140.649] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45") returned 71 [0140.649] GetProcessHeap () returned 0x4c0000 [0140.649] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0140.649] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45" [0140.650] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\*" [0140.650] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x68cb4a40, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x68d26e60, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x68d26e60, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0140.650] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0140.650] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0140.650] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0140.650] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0140.650] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0140.650] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0140.650] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x68cb4a40, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x68d26e60, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x68d26e60, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0140.650] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0140.650] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0140.650] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0140.650] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0140.650] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0140.650] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0140.650] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0140.651] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x68cb4a40, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x68cb4a40, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x68d26e60, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x182ac2a, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="Data1.cab", cAlternateFileName="")) returned 1 [0140.651] lstrcmpiW (lpString1="Data1.cab", lpString2="Windows") returned -1 [0140.651] lstrcmpiW (lpString1="Data1.cab", lpString2="Program Files") returned -1 [0140.651] lstrcmpiW (lpString1="Data1.cab", lpString2="Program Files (x86)") returned -1 [0140.651] lstrcmpiW (lpString1="Data1.cab", lpString2="$Recycle.bin") returned 1 [0140.651] lstrcmpiW (lpString1="Data1.cab", lpString2="System Volume Information") returned -1 [0140.651] lstrcmpiW (lpString1="Data1.cab", lpString2=".") returned 1 [0140.651] lstrcmpiW (lpString1="Data1.cab", lpString2="..") returned 1 [0140.651] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\Data1.cab") returned 81 [0140.651] lstrcmpW (lpString1="Data1.cab", lpString2="PUSSY.TXT") returned -1 [0140.651] PathFindExtensionW (pszPath="Data1.cab") returned=".cab" [0140.651] lstrlenW (lpString=".cab") returned 4 [0140.651] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.651] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\Data1.cab" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\jre1.7.0_45\\data1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0140.654] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=25340970) returned 1 [0140.654] GetProcessHeap () returned 0x4c0000 [0140.654] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x553b30 [0140.668] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="EF") returned 2 [0140.668] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="B9") returned 2 [0140.668] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="CE") returned 2 [0140.668] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="CE") returned 2 [0140.668] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="15") returned 2 [0140.668] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="8C") returned 2 [0140.668] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="3A") returned 2 [0140.668] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="5C") returned 2 [0140.668] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="05") returned 2 [0140.668] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="56") returned 2 [0140.668] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="84") returned 2 [0140.669] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="8E") returned 2 [0140.669] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="B8") returned 2 [0140.669] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="0C") returned 2 [0140.669] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="19") returned 2 [0140.669] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="DC") returned 2 [0140.669] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="B4") returned 2 [0140.669] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="F5") returned 2 [0140.669] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="BB") returned 2 [0140.669] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="2D") returned 2 [0140.669] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="C9") returned 2 [0140.669] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="46") returned 2 [0140.669] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="28") returned 2 [0140.669] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="77") returned 2 [0140.669] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="19") returned 2 [0140.669] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="59") returned 2 [0140.669] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="E1") returned 2 [0140.669] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="9C") returned 2 [0140.669] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="E9") returned 2 [0140.669] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="54") returned 2 [0140.669] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="6E") returned 2 [0140.669] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="51") returned 2 [0140.681] lstrcpyW (in: lpString1=0x563b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\Data1.cab" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\Data1.cab") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\Data1.cab" [0140.681] lstrcpyW (in: lpString1=0x553b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\Data1.cab" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\Data1.cab") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\Data1.cab" [0140.681] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\Data1.cab", lpString2=".EFB9CECE158C3A5C0556848EB80C19DCB4F5BB2DC94628771959E19CE9546E51" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\Data1.cab.EFB9CECE158C3A5C0556848EB80C19DCB4F5BB2DC94628771959E19CE9546E51") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\Data1.cab.EFB9CECE158C3A5C0556848EB80C19DCB4F5BB2DC94628771959E19CE9546E51" [0140.681] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x553b30, NumberOfConcurrentThreads=0x0) returned 0x94 [0140.681] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x553b30, lpOverlapped=0x553b30) returned 1 [0140.681] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x68d26e60, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x68d26e60, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x68d26e60, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0xdd600, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="jre1.7.0_45.msi", cAlternateFileName="JRE170~1.MSI")) returned 1 [0140.681] lstrcmpiW (lpString1="jre1.7.0_45.msi", lpString2="Windows") returned -1 [0140.681] lstrcmpiW (lpString1="jre1.7.0_45.msi", lpString2="Program Files") returned -1 [0140.681] lstrcmpiW (lpString1="jre1.7.0_45.msi", lpString2="Program Files (x86)") returned -1 [0140.681] lstrcmpiW (lpString1="jre1.7.0_45.msi", lpString2="$Recycle.bin") returned 1 [0140.681] lstrcmpiW (lpString1="jre1.7.0_45.msi", lpString2="System Volume Information") returned -1 [0140.681] lstrcmpiW (lpString1="jre1.7.0_45.msi", lpString2=".") returned 1 [0140.681] lstrcmpiW (lpString1="jre1.7.0_45.msi", lpString2="..") returned 1 [0140.681] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\jre1.7.0_45.msi") returned 87 [0140.681] lstrcmpW (lpString1="jre1.7.0_45.msi", lpString2="PUSSY.TXT") returned -1 [0140.681] PathFindExtensionW (pszPath="jre1.7.0_45.msi") returned=".msi" [0140.682] lstrlenW (lpString=".msi") returned 4 [0140.682] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0140.682] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\jre1.7.0_45.msi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\jre1.7.0_45\\jre1.7.0_45.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d4 [0140.684] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=906752) returned 1 [0140.684] GetProcessHeap () returned 0x4c0000 [0140.684] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0140.699] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="2C") returned 2 [0140.699] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="36") returned 2 [0140.699] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="76") returned 2 [0140.699] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="E4") returned 2 [0140.699] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="BD") returned 2 [0140.734] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="27") returned 2 [0140.734] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="E2") returned 2 [0140.734] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="8C") returned 2 [0140.734] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="E6") returned 2 [0140.734] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="64") returned 2 [0140.734] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="8B") returned 2 [0140.734] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="51") returned 2 [0140.734] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="12") returned 2 [0140.734] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="4A") returned 2 [0140.734] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="55") returned 2 [0140.734] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="1F") returned 2 [0140.734] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="23") returned 2 [0140.734] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="BD") returned 2 [0140.734] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="24") returned 2 [0140.734] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="25") returned 2 [0140.734] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="7E") returned 2 [0140.734] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="67") returned 2 [0140.734] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="9A") returned 2 [0140.734] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="10") returned 2 [0140.734] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="E0") returned 2 [0140.734] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="07") returned 2 [0140.735] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="48") returned 2 [0140.735] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="53") returned 2 [0140.735] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="2E") returned 2 [0140.735] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="A6") returned 2 [0140.735] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="95") returned 2 [0140.735] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="76") returned 2 [0140.743] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\jre1.7.0_45.msi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\jre1.7.0_45.msi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\jre1.7.0_45.msi" [0140.743] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\jre1.7.0_45.msi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\jre1.7.0_45.msi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\jre1.7.0_45.msi" [0140.743] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\jre1.7.0_45.msi", lpString2=".2C3676E4BD27E28CE6648B51124A551F23BD24257E679A10E00748532EA69576" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\jre1.7.0_45.msi.2C3676E4BD27E28CE6648B51124A551F23BD24257E679A10E00748532EA69576") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\jre1.7.0_45.msi.2C3676E4BD27E28CE6648B51124A551F23BD24257E679A10E00748532EA69576" [0140.743] CreateIoCompletionPort (FileHandle=0x1d4, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0140.743] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0140.744] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x68d26e60, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x68d26e60, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x68d26e60, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0xdd600, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="jre1.7.0_45.msi", cAlternateFileName="JRE170~1.MSI")) returned 0 [0140.744] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0140.744] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\PUSSY.TXT") returned 81 [0140.789] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\jre1.7.0_45\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0140.790] lstrlenA (lpString="abcd") returned 4 [0140.790] WriteFile (in: hFile=0x180, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0140.791] CloseHandle (hObject=0x180) returned 1 [0140.791] GetProcessHeap () returned 0x4c0000 [0140.791] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0140.791] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x68cb4a40, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x68d26e60, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x68d26e60, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="jre1.7.0_45", cAlternateFileName="JRE17~1.0_4")) returned 0 [0140.791] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0140.791] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\PUSSY.TXT") returned 69 [0140.791] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0140.792] lstrlenA (lpString="abcd") returned 4 [0140.792] WriteFile (in: hFile=0x1b8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0140.793] CloseHandle (hObject=0x1b8) returned 1 [0140.793] GetProcessHeap () returned 0x4c0000 [0140.793] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0140.798] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x68cb4a40, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0xa1dc2570, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0xa1dc2570, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Java", cAlternateFileName="")) returned 0 [0140.798] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0140.798] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\PUSSY.TXT") returned 64 [0140.798] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0140.802] lstrlenA (lpString="abcd") returned 4 [0140.802] WriteFile (in: hFile=0x1d4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0140.803] CloseHandle (hObject=0x1d4) returned 1 [0140.803] GetProcessHeap () returned 0x4c0000 [0140.803] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0140.806] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x68cb4a40, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x68cb4a40, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x68cb4a40, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="Sun", cAlternateFileName="")) returned 0 [0140.806] FindClose (in: hFindFile=0x3bb7020 | out: hFindFile=0x3bb7020) returned 1 [0140.807] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\PUSSY.TXT") returned 60 [0140.807] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0140.808] lstrlenA (lpString="abcd") returned 4 [0140.808] WriteFile (in: hFile=0x19c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0140.809] CloseHandle (hObject=0x19c) returned 1 [0140.809] GetProcessHeap () returned 0x4c0000 [0140.809] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0140.809] FindNextFileW (in: hFindFile=0x4ddc08, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdbe53600, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdbe53600, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="Roaming", cAlternateFileName="")) returned 1 [0140.809] lstrcmpiW (lpString1="Roaming", lpString2="Windows") returned -1 [0140.809] lstrcmpiW (lpString1="Roaming", lpString2="Program Files") returned 1 [0140.809] lstrcmpiW (lpString1="Roaming", lpString2="Program Files (x86)") returned 1 [0140.809] lstrcmpiW (lpString1="Roaming", lpString2="$Recycle.bin") returned 1 [0140.809] lstrcmpiW (lpString1="Roaming", lpString2="System Volume Information") returned -1 [0140.809] lstrcmpiW (lpString1="Roaming", lpString2=".") returned 1 [0140.809] lstrcmpiW (lpString1="Roaming", lpString2="..") returned 1 [0140.809] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 49 [0140.809] GetProcessHeap () returned 0x4c0000 [0140.809] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x57bb80 [0140.810] lstrcpyW (in: lpString1=0x57bb80, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming" [0140.810] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*" [0140.810] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdbe53600, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdbe53600, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7020 [0140.811] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0140.811] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0140.811] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0140.811] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0140.811] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0140.811] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0140.811] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdbe53600, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdbe53600, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0140.811] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0140.811] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0140.811] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0140.811] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0140.811] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0140.811] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0140.811] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0140.811] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac099960, ftCreationTime.dwHighDateTime=0x1d5d97c, ftLastAccessTime.dwLowDateTime=0xb7051420, ftLastAccessTime.dwHighDateTime=0x1d5e552, ftLastWriteTime.dwLowDateTime=0xb7051420, ftLastWriteTime.dwHighDateTime=0x1d5e552, nFileSizeHigh=0x0, nFileSizeLow=0xb362, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="-7CYgLu.mkv", cAlternateFileName="")) returned 1 [0140.811] lstrcmpiW (lpString1="-7CYgLu.mkv", lpString2="Windows") returned -1 [0140.811] lstrcmpiW (lpString1="-7CYgLu.mkv", lpString2="Program Files") returned -1 [0140.811] lstrcmpiW (lpString1="-7CYgLu.mkv", lpString2="Program Files (x86)") returned -1 [0140.811] lstrcmpiW (lpString1="-7CYgLu.mkv", lpString2="$Recycle.bin") returned 1 [0140.811] lstrcmpiW (lpString1="-7CYgLu.mkv", lpString2="System Volume Information") returned -1 [0140.811] lstrcmpiW (lpString1="-7CYgLu.mkv", lpString2=".") returned 1 [0140.812] lstrcmpiW (lpString1="-7CYgLu.mkv", lpString2="..") returned 1 [0140.812] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-7CYgLu.mkv") returned 61 [0140.812] lstrcmpW (lpString1="-7CYgLu.mkv", lpString2="PUSSY.TXT") returned -1 [0140.812] PathFindExtensionW (pszPath="-7CYgLu.mkv") returned=".mkv" [0140.812] lstrlenW (lpString=".mkv") returned 4 [0140.812] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0140.812] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-7CYgLu.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\-7cyglu.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d4 [0140.813] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=45922) returned 1 [0140.813] GetProcessHeap () returned 0x4c0000 [0140.813] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0140.828] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="40") returned 2 [0140.828] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="89") returned 2 [0140.828] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="12") returned 2 [0140.828] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="06") returned 2 [0140.828] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="01") returned 2 [0140.828] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="70") returned 2 [0140.828] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="79") returned 2 [0140.828] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="CA") returned 2 [0140.828] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="A6") returned 2 [0140.828] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="C9") returned 2 [0140.828] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="E3") returned 2 [0140.828] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="7E") returned 2 [0140.828] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="F2") returned 2 [0140.828] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="34") returned 2 [0140.828] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="EF") returned 2 [0140.828] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="EE") returned 2 [0140.828] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="E9") returned 2 [0140.829] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="5A") returned 2 [0140.829] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="CF") returned 2 [0140.829] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="FC") returned 2 [0140.829] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="7F") returned 2 [0140.829] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="18") returned 2 [0140.829] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="A0") returned 2 [0140.829] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="BB") returned 2 [0140.829] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="66") returned 2 [0140.829] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="B1") returned 2 [0140.829] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="D4") returned 2 [0140.829] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="3D") returned 2 [0140.829] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="42") returned 2 [0140.829] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="17") returned 2 [0140.829] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="E9") returned 2 [0140.829] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="4C") returned 2 [0140.855] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-7CYgLu.mkv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-7CYgLu.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-7CYgLu.mkv" [0140.855] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-7CYgLu.mkv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-7CYgLu.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-7CYgLu.mkv" [0140.855] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-7CYgLu.mkv", lpString2=".40891206017079CAA6C9E37EF234EFEEE95ACFFC7F18A0BB66B1D43D4217E94C" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-7CYgLu.mkv.40891206017079CAA6C9E37EF234EFEEE95ACFFC7F18A0BB66B1D43D4217E94C") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-7CYgLu.mkv.40891206017079CAA6C9E37EF234EFEEE95ACFFC7F18A0BB66B1D43D4217E94C" [0140.855] CreateIoCompletionPort (FileHandle=0x1d4, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0140.855] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0140.855] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x20202e90, ftCreationTime.dwHighDateTime=0x1d5d987, ftLastAccessTime.dwLowDateTime=0x3a021930, ftLastAccessTime.dwHighDateTime=0x1d5e135, ftLastWriteTime.dwLowDateTime=0x3a021930, ftLastWriteTime.dwHighDateTime=0x1d5e135, nFileSizeHigh=0x0, nFileSizeLow=0x163d8, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="2 I3B1uwJE_rUPq.docx", cAlternateFileName="2I3B1U~1.DOC")) returned 1 [0140.855] lstrcmpiW (lpString1="2 I3B1uwJE_rUPq.docx", lpString2="Windows") returned -1 [0140.855] lstrcmpiW (lpString1="2 I3B1uwJE_rUPq.docx", lpString2="Program Files") returned -1 [0140.855] lstrcmpiW (lpString1="2 I3B1uwJE_rUPq.docx", lpString2="Program Files (x86)") returned -1 [0140.855] lstrcmpiW (lpString1="2 I3B1uwJE_rUPq.docx", lpString2="$Recycle.bin") returned 1 [0140.855] lstrcmpiW (lpString1="2 I3B1uwJE_rUPq.docx", lpString2="System Volume Information") returned -1 [0140.855] lstrcmpiW (lpString1="2 I3B1uwJE_rUPq.docx", lpString2=".") returned 1 [0140.855] lstrcmpiW (lpString1="2 I3B1uwJE_rUPq.docx", lpString2="..") returned 1 [0140.855] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\2 I3B1uwJE_rUPq.docx") returned 70 [0140.855] lstrcmpW (lpString1="2 I3B1uwJE_rUPq.docx", lpString2="PUSSY.TXT") returned -1 [0140.855] PathFindExtensionW (pszPath="2 I3B1uwJE_rUPq.docx") returned=".docx" [0140.855] lstrlenW (lpString=".docx") returned 5 [0140.856] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0140.856] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\2 I3B1uwJE_rUPq.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\2 i3b1uwje_rupq.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x124 [0140.857] GetFileSizeEx (in: hFile=0x124, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=91096) returned 1 [0140.857] GetProcessHeap () returned 0x4c0000 [0140.857] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c28098 [0140.870] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="BE") returned 2 [0140.870] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="24") returned 2 [0140.870] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="02") returned 2 [0140.870] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="FD") returned 2 [0140.870] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="57") returned 2 [0140.870] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="35") returned 2 [0140.870] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="EF") returned 2 [0140.870] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="E6") returned 2 [0140.870] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="3E") returned 2 [0140.870] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="38") returned 2 [0140.870] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="DB") returned 2 [0140.870] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="7A") returned 2 [0140.870] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="03") returned 2 [0140.870] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="E6") returned 2 [0140.870] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="6C") returned 2 [0140.870] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="3B") returned 2 [0140.870] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="77") returned 2 [0140.871] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="27") returned 2 [0140.871] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="07") returned 2 [0140.871] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="D9") returned 2 [0140.871] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="BC") returned 2 [0140.871] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="18") returned 2 [0140.871] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="4D") returned 2 [0140.871] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="D0") returned 2 [0140.871] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="86") returned 2 [0140.871] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="B3") returned 2 [0140.871] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="3B") returned 2 [0140.871] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="C4") returned 2 [0140.871] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="D2") returned 2 [0140.871] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="C7") returned 2 [0140.871] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="64") returned 2 [0140.871] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="4C") returned 2 [0140.884] lstrcpyW (in: lpString1=0x3c380cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\2 I3B1uwJE_rUPq.docx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\2 I3B1uwJE_rUPq.docx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\2 I3B1uwJE_rUPq.docx" [0140.884] lstrcpyW (in: lpString1=0x3c280cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\2 I3B1uwJE_rUPq.docx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\2 I3B1uwJE_rUPq.docx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\2 I3B1uwJE_rUPq.docx" [0140.884] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\2 I3B1uwJE_rUPq.docx", lpString2=".BE2402FD5735EFE63E38DB7A03E66C3B772707D9BC184DD086B33BC4D2C7644C" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\2 I3B1uwJE_rUPq.docx.BE2402FD5735EFE63E38DB7A03E66C3B772707D9BC184DD086B33BC4D2C7644C") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\2 I3B1uwJE_rUPq.docx.BE2402FD5735EFE63E38DB7A03E66C3B772707D9BC184DD086B33BC4D2C7644C" [0140.884] CreateIoCompletionPort (FileHandle=0x124, ExistingCompletionPort=0x94, CompletionKey=0x3c28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0140.884] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c28098, lpOverlapped=0x3c28098) returned 1 [0140.884] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe0b05690, ftCreationTime.dwHighDateTime=0x1d5defe, ftLastAccessTime.dwLowDateTime=0xaba87d40, ftLastAccessTime.dwHighDateTime=0x1d5d9e2, ftLastWriteTime.dwLowDateTime=0xaba87d40, ftLastWriteTime.dwHighDateTime=0x1d5d9e2, nFileSizeHigh=0x0, nFileSizeLow=0x3ec5, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="2JwjzcIn97nec8pS.flv", cAlternateFileName="2JWJZC~1.FLV")) returned 1 [0140.884] lstrcmpiW (lpString1="2JwjzcIn97nec8pS.flv", lpString2="Windows") returned -1 [0140.884] lstrcmpiW (lpString1="2JwjzcIn97nec8pS.flv", lpString2="Program Files") returned -1 [0140.884] lstrcmpiW (lpString1="2JwjzcIn97nec8pS.flv", lpString2="Program Files (x86)") returned -1 [0140.884] lstrcmpiW (lpString1="2JwjzcIn97nec8pS.flv", lpString2="$Recycle.bin") returned 1 [0140.884] lstrcmpiW (lpString1="2JwjzcIn97nec8pS.flv", lpString2="System Volume Information") returned -1 [0140.884] lstrcmpiW (lpString1="2JwjzcIn97nec8pS.flv", lpString2=".") returned 1 [0140.884] lstrcmpiW (lpString1="2JwjzcIn97nec8pS.flv", lpString2="..") returned 1 [0140.884] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\2JwjzcIn97nec8pS.flv") returned 70 [0140.884] lstrcmpW (lpString1="2JwjzcIn97nec8pS.flv", lpString2="PUSSY.TXT") returned -1 [0140.884] PathFindExtensionW (pszPath="2JwjzcIn97nec8pS.flv") returned=".flv" [0140.884] lstrlenW (lpString=".flv") returned 4 [0140.884] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0140.884] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\2JwjzcIn97nec8pS.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\2jwjzcin97nec8ps.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0140.886] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=16069) returned 1 [0140.886] GetProcessHeap () returned 0x4c0000 [0140.886] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b380a0 [0140.903] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="EB") returned 2 [0140.903] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="C5") returned 2 [0140.903] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="F8") returned 2 [0140.903] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="18") returned 2 [0140.903] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="19") returned 2 [0140.903] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="10") returned 2 [0140.903] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="20") returned 2 [0140.904] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="1E") returned 2 [0140.904] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="DF") returned 2 [0140.904] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="81") returned 2 [0140.904] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="84") returned 2 [0140.904] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="B0") returned 2 [0140.904] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="92") returned 2 [0140.904] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="54") returned 2 [0140.904] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="64") returned 2 [0140.904] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="64") returned 2 [0140.904] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="C6") returned 2 [0140.904] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="21") returned 2 [0140.904] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="65") returned 2 [0140.904] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="80") returned 2 [0140.904] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="09") returned 2 [0140.904] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="70") returned 2 [0140.904] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="78") returned 2 [0140.904] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="49") returned 2 [0140.904] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="A7") returned 2 [0140.904] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="A5") returned 2 [0140.904] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="9D") returned 2 [0140.904] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="61") returned 2 [0140.904] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="87") returned 2 [0140.904] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="CE") returned 2 [0140.904] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="61") returned 2 [0140.904] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="6D") returned 2 [0140.917] lstrcpyW (in: lpString1=0x3b480d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\2JwjzcIn97nec8pS.flv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\2JwjzcIn97nec8pS.flv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\2JwjzcIn97nec8pS.flv" [0140.917] lstrcpyW (in: lpString1=0x3b380d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\2JwjzcIn97nec8pS.flv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\2JwjzcIn97nec8pS.flv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\2JwjzcIn97nec8pS.flv" [0140.917] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\2JwjzcIn97nec8pS.flv", lpString2=".EBC5F8181910201EDF8184B092546464C621658009707849A7A59D6187CE616D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\2JwjzcIn97nec8pS.flv.EBC5F8181910201EDF8184B092546464C621658009707849A7A59D6187CE616D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\2JwjzcIn97nec8pS.flv.EBC5F8181910201EDF8184B092546464C621658009707849A7A59D6187CE616D" [0140.917] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x3b380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0140.917] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b380a0, lpOverlapped=0x3b380a0) returned 1 [0140.937] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6d37f400, ftCreationTime.dwHighDateTime=0x1d5dcc1, ftLastAccessTime.dwLowDateTime=0x882d0630, ftLastAccessTime.dwHighDateTime=0x1d5e0a7, ftLastWriteTime.dwLowDateTime=0x882d0630, ftLastWriteTime.dwHighDateTime=0x1d5e0a7, nFileSizeHigh=0x0, nFileSizeLow=0xa28b, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="4a JZfmG1mKVhGBJS7O.m4a", cAlternateFileName="4AJZFM~1.M4A")) returned 1 [0140.937] lstrcmpiW (lpString1="4a JZfmG1mKVhGBJS7O.m4a", lpString2="Windows") returned -1 [0140.937] lstrcmpiW (lpString1="4a JZfmG1mKVhGBJS7O.m4a", lpString2="Program Files") returned -1 [0140.937] lstrcmpiW (lpString1="4a JZfmG1mKVhGBJS7O.m4a", lpString2="Program Files (x86)") returned -1 [0140.937] lstrcmpiW (lpString1="4a JZfmG1mKVhGBJS7O.m4a", lpString2="$Recycle.bin") returned 1 [0140.937] lstrcmpiW (lpString1="4a JZfmG1mKVhGBJS7O.m4a", lpString2="System Volume Information") returned -1 [0140.937] lstrcmpiW (lpString1="4a JZfmG1mKVhGBJS7O.m4a", lpString2=".") returned 1 [0140.937] lstrcmpiW (lpString1="4a JZfmG1mKVhGBJS7O.m4a", lpString2="..") returned 1 [0140.937] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\4a JZfmG1mKVhGBJS7O.m4a") returned 73 [0140.937] lstrcmpW (lpString1="4a JZfmG1mKVhGBJS7O.m4a", lpString2="PUSSY.TXT") returned -1 [0140.937] PathFindExtensionW (pszPath="4a JZfmG1mKVhGBJS7O.m4a") returned=".m4a" [0140.937] lstrlenW (lpString=".m4a") returned 4 [0140.937] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0140.937] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\4a JZfmG1mKVhGBJS7O.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\4a jzfmg1mkvhgbjs7o.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0140.938] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=41611) returned 1 [0140.938] GetProcessHeap () returned 0x4c0000 [0140.938] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b380a0 [0141.044] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="9E") returned 2 [0141.044] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="CE") returned 2 [0141.044] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="CC") returned 2 [0141.044] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="BE") returned 2 [0141.044] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="67") returned 2 [0141.044] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="96") returned 2 [0141.044] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="FF") returned 2 [0141.045] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="48") returned 2 [0141.045] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="3B") returned 2 [0141.045] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="FD") returned 2 [0141.045] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="19") returned 2 [0141.045] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="04") returned 2 [0141.045] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="F6") returned 2 [0141.045] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="3E") returned 2 [0141.045] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="BB") returned 2 [0141.045] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="CE") returned 2 [0141.045] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="76") returned 2 [0141.045] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="D6") returned 2 [0141.045] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="48") returned 2 [0141.045] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="FB") returned 2 [0141.045] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="D1") returned 2 [0141.045] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="E2") returned 2 [0141.045] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="1F") returned 2 [0141.045] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="DA") returned 2 [0141.045] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="06") returned 2 [0141.045] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="BB") returned 2 [0141.045] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="11") returned 2 [0141.045] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="8A") returned 2 [0141.045] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="39") returned 2 [0141.045] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="C0") returned 2 [0141.045] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="B9") returned 2 [0141.045] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="1A") returned 2 [0141.053] lstrcpyW (in: lpString1=0x3b480d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\4a JZfmG1mKVhGBJS7O.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\4a JZfmG1mKVhGBJS7O.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\4a JZfmG1mKVhGBJS7O.m4a" [0141.054] lstrcpyW (in: lpString1=0x3b380d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\4a JZfmG1mKVhGBJS7O.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\4a JZfmG1mKVhGBJS7O.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\4a JZfmG1mKVhGBJS7O.m4a" [0141.054] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\4a JZfmG1mKVhGBJS7O.m4a", lpString2=".9ECECCBE6796FF483BFD1904F63EBBCE76D648FBD1E21FDA06BB118A39C0B91A" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\4a JZfmG1mKVhGBJS7O.m4a.9ECECCBE6796FF483BFD1904F63EBBCE76D648FBD1E21FDA06BB118A39C0B91A") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\4a JZfmG1mKVhGBJS7O.m4a.9ECECCBE6796FF483BFD1904F63EBBCE76D648FBD1E21FDA06BB118A39C0B91A" [0141.054] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x3b380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0141.054] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b380a0, lpOverlapped=0x3b380a0) returned 1 [0141.088] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x785adc80, ftCreationTime.dwHighDateTime=0x1d5ddd9, ftLastAccessTime.dwLowDateTime=0x40b512c0, ftLastAccessTime.dwHighDateTime=0x1d5dcce, ftLastWriteTime.dwLowDateTime=0x40b512c0, ftLastWriteTime.dwHighDateTime=0x1d5dcce, nFileSizeHigh=0x0, nFileSizeLow=0x33c0, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="6Tcu1PZ2f1_r.swf", cAlternateFileName="6TCU1P~1.SWF")) returned 1 [0141.088] lstrcmpiW (lpString1="6Tcu1PZ2f1_r.swf", lpString2="Windows") returned -1 [0141.088] lstrcmpiW (lpString1="6Tcu1PZ2f1_r.swf", lpString2="Program Files") returned -1 [0141.088] lstrcmpiW (lpString1="6Tcu1PZ2f1_r.swf", lpString2="Program Files (x86)") returned -1 [0141.088] lstrcmpiW (lpString1="6Tcu1PZ2f1_r.swf", lpString2="$Recycle.bin") returned 1 [0141.088] lstrcmpiW (lpString1="6Tcu1PZ2f1_r.swf", lpString2="System Volume Information") returned -1 [0141.088] lstrcmpiW (lpString1="6Tcu1PZ2f1_r.swf", lpString2=".") returned 1 [0141.088] lstrcmpiW (lpString1="6Tcu1PZ2f1_r.swf", lpString2="..") returned 1 [0141.088] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\6Tcu1PZ2f1_r.swf") returned 66 [0141.088] lstrcmpW (lpString1="6Tcu1PZ2f1_r.swf", lpString2="PUSSY.TXT") returned -1 [0141.088] PathFindExtensionW (pszPath="6Tcu1PZ2f1_r.swf") returned=".swf" [0141.088] lstrlenW (lpString=".swf") returned 4 [0141.088] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0141.089] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\6Tcu1PZ2f1_r.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\6tcu1pz2f1_r.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0141.089] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=13248) returned 1 [0141.089] GetProcessHeap () returned 0x4c0000 [0141.089] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0141.098] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="9F") returned 2 [0141.098] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="1E") returned 2 [0141.098] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="F0") returned 2 [0141.098] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="D5") returned 2 [0141.098] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="91") returned 2 [0141.098] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="22") returned 2 [0141.098] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="8F") returned 2 [0141.098] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="47") returned 2 [0141.098] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="F2") returned 2 [0141.098] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="D1") returned 2 [0141.098] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="31") returned 2 [0141.098] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="9D") returned 2 [0141.098] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="4E") returned 2 [0141.098] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="3B") returned 2 [0141.098] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="07") returned 2 [0141.098] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="28") returned 2 [0141.098] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="74") returned 2 [0141.098] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="C9") returned 2 [0141.098] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="4D") returned 2 [0141.098] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="0F") returned 2 [0141.098] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="C6") returned 2 [0141.098] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="BE") returned 2 [0141.098] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="98") returned 2 [0141.099] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="21") returned 2 [0141.099] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="96") returned 2 [0141.099] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="04") returned 2 [0141.099] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="52") returned 2 [0141.099] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="AC") returned 2 [0141.099] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="16") returned 2 [0141.099] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="C6") returned 2 [0141.099] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="CA") returned 2 [0141.099] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="3E") returned 2 [0141.108] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\6Tcu1PZ2f1_r.swf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\6Tcu1PZ2f1_r.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\6Tcu1PZ2f1_r.swf" [0141.108] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\6Tcu1PZ2f1_r.swf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\6Tcu1PZ2f1_r.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\6Tcu1PZ2f1_r.swf" [0141.108] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\6Tcu1PZ2f1_r.swf", lpString2=".9F1EF0D591228F47F2D1319D4E3B072874C94D0FC6BE9821960452AC16C6CA3E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\6Tcu1PZ2f1_r.swf.9F1EF0D591228F47F2D1319D4E3B072874C94D0FC6BE9821960452AC16C6CA3E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\6Tcu1PZ2f1_r.swf.9F1EF0D591228F47F2D1319D4E3B072874C94D0FC6BE9821960452AC16C6CA3E" [0141.108] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0141.108] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0141.124] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf7646c80, ftCreationTime.dwHighDateTime=0x1d5dfeb, ftLastAccessTime.dwLowDateTime=0x60b7f8e0, ftLastAccessTime.dwHighDateTime=0x1d5db6f, ftLastWriteTime.dwLowDateTime=0x60b7f8e0, ftLastWriteTime.dwHighDateTime=0x1d5db6f, nFileSizeHigh=0x0, nFileSizeLow=0xcb4d, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="7gJ9.m4a", cAlternateFileName="")) returned 1 [0141.124] lstrcmpiW (lpString1="7gJ9.m4a", lpString2="Windows") returned -1 [0141.124] lstrcmpiW (lpString1="7gJ9.m4a", lpString2="Program Files") returned -1 [0141.124] lstrcmpiW (lpString1="7gJ9.m4a", lpString2="Program Files (x86)") returned -1 [0141.124] lstrcmpiW (lpString1="7gJ9.m4a", lpString2="$Recycle.bin") returned 1 [0141.124] lstrcmpiW (lpString1="7gJ9.m4a", lpString2="System Volume Information") returned -1 [0141.124] lstrcmpiW (lpString1="7gJ9.m4a", lpString2=".") returned 1 [0141.124] lstrcmpiW (lpString1="7gJ9.m4a", lpString2="..") returned 1 [0141.124] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\7gJ9.m4a") returned 58 [0141.124] lstrcmpW (lpString1="7gJ9.m4a", lpString2="PUSSY.TXT") returned -1 [0141.124] PathFindExtensionW (pszPath="7gJ9.m4a") returned=".m4a" [0141.124] lstrlenW (lpString=".m4a") returned 4 [0141.124] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0141.124] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\7gJ9.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\7gj9.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0141.125] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=52045) returned 1 [0141.125] GetProcessHeap () returned 0x4c0000 [0141.125] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0141.133] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="CB") returned 2 [0141.133] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="6E") returned 2 [0141.133] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="49") returned 2 [0141.133] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="26") returned 2 [0141.133] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="DE") returned 2 [0141.133] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="88") returned 2 [0141.133] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="AF") returned 2 [0141.133] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="DC") returned 2 [0141.134] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="B6") returned 2 [0141.134] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="6B") returned 2 [0141.134] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="22") returned 2 [0141.134] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="24") returned 2 [0141.134] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="E5") returned 2 [0141.134] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="AB") returned 2 [0141.134] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="52") returned 2 [0141.134] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="88") returned 2 [0141.134] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="F7") returned 2 [0141.134] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="76") returned 2 [0141.134] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="F3") returned 2 [0141.134] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="45") returned 2 [0141.134] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="53") returned 2 [0141.134] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="39") returned 2 [0141.134] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="3D") returned 2 [0141.134] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="F8") returned 2 [0141.134] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="D4") returned 2 [0141.134] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="8A") returned 2 [0141.134] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="3A") returned 2 [0141.134] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="B3") returned 2 [0141.134] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="CF") returned 2 [0141.134] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="06") returned 2 [0141.134] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="C0") returned 2 [0141.134] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="2A") returned 2 [0141.143] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\7gJ9.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\7gJ9.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\7gJ9.m4a" [0141.143] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\7gJ9.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\7gJ9.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\7gJ9.m4a" [0141.143] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\7gJ9.m4a", lpString2=".CB6E4926DE88AFDCB66B2224E5AB5288F776F34553393DF8D48A3AB3CF06C02A" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\7gJ9.m4a.CB6E4926DE88AFDCB66B2224E5AB5288F776F34553393DF8D48A3AB3CF06C02A") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\7gJ9.m4a.CB6E4926DE88AFDCB66B2224E5AB5288F776F34553393DF8D48A3AB3CF06C02A" [0141.143] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0141.143] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0141.189] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xef3395e0, ftCreationTime.dwHighDateTime=0x1d5da28, ftLastAccessTime.dwLowDateTime=0x18b939f0, ftLastAccessTime.dwHighDateTime=0x1d5e0f1, ftLastWriteTime.dwLowDateTime=0x18b939f0, ftLastWriteTime.dwHighDateTime=0x1d5e0f1, nFileSizeHigh=0x0, nFileSizeLow=0x16e5a, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="9jYSyYhY-O.flv", cAlternateFileName="9JYSYY~1.FLV")) returned 1 [0141.189] lstrcmpiW (lpString1="9jYSyYhY-O.flv", lpString2="Windows") returned -1 [0141.189] lstrcmpiW (lpString1="9jYSyYhY-O.flv", lpString2="Program Files") returned -1 [0141.189] lstrcmpiW (lpString1="9jYSyYhY-O.flv", lpString2="Program Files (x86)") returned -1 [0141.189] lstrcmpiW (lpString1="9jYSyYhY-O.flv", lpString2="$Recycle.bin") returned 1 [0141.189] lstrcmpiW (lpString1="9jYSyYhY-O.flv", lpString2="System Volume Information") returned -1 [0141.189] lstrcmpiW (lpString1="9jYSyYhY-O.flv", lpString2=".") returned 1 [0141.189] lstrcmpiW (lpString1="9jYSyYhY-O.flv", lpString2="..") returned 1 [0141.189] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\9jYSyYhY-O.flv") returned 64 [0141.189] lstrcmpW (lpString1="9jYSyYhY-O.flv", lpString2="PUSSY.TXT") returned -1 [0141.190] PathFindExtensionW (pszPath="9jYSyYhY-O.flv") returned=".flv" [0141.190] lstrlenW (lpString=".flv") returned 4 [0141.190] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0141.190] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\9jYSyYhY-O.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\9jysyyhy-o.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0141.191] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=93786) returned 1 [0141.191] GetProcessHeap () returned 0x4c0000 [0141.191] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0141.203] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="0F") returned 2 [0141.203] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="C1") returned 2 [0141.203] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="0D") returned 2 [0141.203] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="5E") returned 2 [0141.203] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="43") returned 2 [0141.204] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="93") returned 2 [0141.204] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="EE") returned 2 [0141.204] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="70") returned 2 [0141.204] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="B6") returned 2 [0141.204] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="10") returned 2 [0141.204] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="4D") returned 2 [0141.204] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="30") returned 2 [0141.204] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="C2") returned 2 [0141.204] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="54") returned 2 [0141.204] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="06") returned 2 [0141.204] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="58") returned 2 [0141.204] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="C0") returned 2 [0141.204] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="73") returned 2 [0141.204] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="71") returned 2 [0141.204] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="81") returned 2 [0141.204] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="FA") returned 2 [0141.204] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="98") returned 2 [0141.204] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="6C") returned 2 [0141.204] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="62") returned 2 [0141.204] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="D9") returned 2 [0141.204] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="4D") returned 2 [0141.204] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="79") returned 2 [0141.204] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="60") returned 2 [0141.205] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="C3") returned 2 [0141.205] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="A6") returned 2 [0141.205] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="67") returned 2 [0141.205] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="20") returned 2 [0141.217] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\9jYSyYhY-O.flv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\9jYSyYhY-O.flv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\9jYSyYhY-O.flv" [0141.218] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\9jYSyYhY-O.flv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\9jYSyYhY-O.flv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\9jYSyYhY-O.flv" [0141.218] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\9jYSyYhY-O.flv", lpString2=".0FC10D5E4393EE70B6104D30C2540658C0737181FA986C62D94D7960C3A66720" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\9jYSyYhY-O.flv.0FC10D5E4393EE70B6104D30C2540658C0737181FA986C62D94D7960C3A66720") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\9jYSyYhY-O.flv.0FC10D5E4393EE70B6104D30C2540658C0737181FA986C62D94D7960C3A66720" [0141.218] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0141.218] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0141.266] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="Adobe", cAlternateFileName="")) returned 1 [0141.266] lstrcmpiW (lpString1="Adobe", lpString2="Windows") returned -1 [0141.266] lstrcmpiW (lpString1="Adobe", lpString2="Program Files") returned -1 [0141.266] lstrcmpiW (lpString1="Adobe", lpString2="Program Files (x86)") returned -1 [0141.266] lstrcmpiW (lpString1="Adobe", lpString2="$Recycle.bin") returned 1 [0141.266] lstrcmpiW (lpString1="Adobe", lpString2="System Volume Information") returned -1 [0141.266] lstrcmpiW (lpString1="Adobe", lpString2=".") returned 1 [0141.267] lstrcmpiW (lpString1="Adobe", lpString2="..") returned 1 [0141.267] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe") returned 55 [0141.267] GetProcessHeap () returned 0x4c0000 [0141.267] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0141.268] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe" [0141.268] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\*" [0141.268] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0141.270] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0141.270] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0141.270] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0141.270] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0141.270] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0141.270] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0141.270] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0141.270] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0141.270] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0141.270] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0141.271] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0141.271] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0141.271] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0141.271] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0141.271] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Acrobat", cAlternateFileName="")) returned 1 [0141.271] lstrcmpiW (lpString1="Acrobat", lpString2="Windows") returned -1 [0141.271] lstrcmpiW (lpString1="Acrobat", lpString2="Program Files") returned -1 [0141.271] lstrcmpiW (lpString1="Acrobat", lpString2="Program Files (x86)") returned -1 [0141.271] lstrcmpiW (lpString1="Acrobat", lpString2="$Recycle.bin") returned 1 [0141.271] lstrcmpiW (lpString1="Acrobat", lpString2="System Volume Information") returned -1 [0141.271] lstrcmpiW (lpString1="Acrobat", lpString2=".") returned 1 [0141.271] lstrcmpiW (lpString1="Acrobat", lpString2="..") returned 1 [0141.271] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat") returned 63 [0141.271] GetProcessHeap () returned 0x4c0000 [0141.271] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0141.272] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat" [0141.273] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\*" [0141.273] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe1215ab, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0141.273] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0141.273] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0141.273] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0141.273] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0141.273] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0141.273] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0141.273] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe1215ab, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0141.273] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0141.273] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0141.273] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0141.273] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0141.273] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0141.273] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0141.273] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0141.274] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xec7c9cd0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec7c9cd0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe1215ab, dwReserved1=0xfe000000, cFileName="10.0", cAlternateFileName="")) returned 1 [0141.274] lstrcmpiW (lpString1="10.0", lpString2="Windows") returned -1 [0141.274] lstrcmpiW (lpString1="10.0", lpString2="Program Files") returned -1 [0141.274] lstrcmpiW (lpString1="10.0", lpString2="Program Files (x86)") returned -1 [0141.274] lstrcmpiW (lpString1="10.0", lpString2="$Recycle.bin") returned 1 [0141.274] lstrcmpiW (lpString1="10.0", lpString2="System Volume Information") returned -1 [0141.274] lstrcmpiW (lpString1="10.0", lpString2=".") returned 1 [0141.274] lstrcmpiW (lpString1="10.0", lpString2="..") returned 1 [0141.274] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0") returned 68 [0141.274] GetProcessHeap () returned 0x4c0000 [0141.274] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0141.274] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0" [0141.274] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\*" [0141.274] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xec7c9cd0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec7c9cd0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2cab4ad1, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0141.275] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0141.275] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0141.275] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0141.275] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0141.275] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0141.275] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0141.275] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xec7c9cd0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec7c9cd0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2cab4ad1, cFileName="..", cAlternateFileName="")) returned 1 [0141.276] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0141.276] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0141.276] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0141.276] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0141.276] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0141.276] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0141.276] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0141.276] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd9f48400, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd9f48400, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd9f48400, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2cab4ad1, cFileName="Collab", cAlternateFileName="")) returned 1 [0141.276] lstrcmpiW (lpString1="Collab", lpString2="Windows") returned -1 [0141.276] lstrcmpiW (lpString1="Collab", lpString2="Program Files") returned -1 [0141.276] lstrcmpiW (lpString1="Collab", lpString2="Program Files (x86)") returned -1 [0141.276] lstrcmpiW (lpString1="Collab", lpString2="$Recycle.bin") returned 1 [0141.276] lstrcmpiW (lpString1="Collab", lpString2="System Volume Information") returned -1 [0141.276] lstrcmpiW (lpString1="Collab", lpString2=".") returned 1 [0141.276] lstrcmpiW (lpString1="Collab", lpString2="..") returned 1 [0141.276] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab") returned 75 [0141.276] GetProcessHeap () returned 0x4c0000 [0141.276] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0141.277] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab" [0141.277] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab\\*" [0141.277] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd9f48400, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd9f48400, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd9f48400, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfda25535, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0141.278] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0141.278] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0141.278] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0141.278] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0141.278] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0141.278] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0141.278] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd9f48400, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd9f48400, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd9f48400, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfda25535, cFileName="..", cAlternateFileName="")) returned 1 [0141.278] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0141.278] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0141.278] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0141.278] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0141.278] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0141.278] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0141.278] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0141.278] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd9f48400, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd9f48400, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd9f48400, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfda25535, cFileName="..", cAlternateFileName="")) returned 0 [0141.279] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0141.284] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab\\PUSSY.TXT") returned 85 [0141.285] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\collab\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x124 [0141.286] lstrlenA (lpString="abcd") returned 4 [0141.286] WriteFile (in: hFile=0x124, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0141.335] CloseHandle (hObject=0x124) returned 1 [0141.335] GetProcessHeap () returned 0x4c0000 [0141.335] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0141.336] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd9df17a0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd9df17a0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd9df17a0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2cab4ad1, cFileName="Forms", cAlternateFileName="")) returned 1 [0141.336] lstrcmpiW (lpString1="Forms", lpString2="Windows") returned -1 [0141.336] lstrcmpiW (lpString1="Forms", lpString2="Program Files") returned -1 [0141.336] lstrcmpiW (lpString1="Forms", lpString2="Program Files (x86)") returned -1 [0141.336] lstrcmpiW (lpString1="Forms", lpString2="$Recycle.bin") returned 1 [0141.336] lstrcmpiW (lpString1="Forms", lpString2="System Volume Information") returned -1 [0141.336] lstrcmpiW (lpString1="Forms", lpString2=".") returned 1 [0141.336] lstrcmpiW (lpString1="Forms", lpString2="..") returned 1 [0141.336] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms") returned 74 [0141.337] GetProcessHeap () returned 0x4c0000 [0141.337] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0141.337] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms" [0141.337] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms\\*" [0141.337] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd9df17a0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd9df17a0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd9df17a0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfda25535, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0141.337] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0141.337] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0141.337] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0141.337] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0141.337] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0141.337] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0141.337] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd9df17a0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd9df17a0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd9df17a0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfda25535, cFileName="..", cAlternateFileName="")) returned 1 [0141.338] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0141.338] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0141.338] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0141.338] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0141.338] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0141.338] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0141.338] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0141.338] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd9df17a0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd9df17a0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd9df17a0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfda25535, cFileName="..", cAlternateFileName="")) returned 0 [0141.338] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0141.340] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms\\PUSSY.TXT") returned 84 [0141.340] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\forms\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x124 [0141.341] lstrlenA (lpString="abcd") returned 4 [0141.342] WriteFile (in: hFile=0x124, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0141.343] CloseHandle (hObject=0x124) returned 1 [0141.343] GetProcessHeap () returned 0x4c0000 [0141.343] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0141.343] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xec7c9cd0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec7c9cd0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec7c9cd0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2cab4ad1, cFileName="JavaScripts", cAlternateFileName="JAVASC~1")) returned 1 [0141.343] lstrcmpiW (lpString1="JavaScripts", lpString2="Windows") returned -1 [0141.343] lstrcmpiW (lpString1="JavaScripts", lpString2="Program Files") returned -1 [0141.344] lstrcmpiW (lpString1="JavaScripts", lpString2="Program Files (x86)") returned -1 [0141.344] lstrcmpiW (lpString1="JavaScripts", lpString2="$Recycle.bin") returned 1 [0141.344] lstrcmpiW (lpString1="JavaScripts", lpString2="System Volume Information") returned -1 [0141.344] lstrcmpiW (lpString1="JavaScripts", lpString2=".") returned 1 [0141.344] lstrcmpiW (lpString1="JavaScripts", lpString2="..") returned 1 [0141.344] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts") returned 80 [0141.344] GetProcessHeap () returned 0x4c0000 [0141.344] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0141.344] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts" [0141.344] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\*" [0141.344] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xec7c9cd0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec7c9cd0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec7c9cd0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfda25535, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0141.344] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0141.344] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0141.344] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0141.344] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0141.344] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0141.344] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0141.345] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xec7c9cd0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec7c9cd0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec7c9cd0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfda25535, cFileName="..", cAlternateFileName="")) returned 1 [0141.345] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0141.345] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0141.345] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0141.345] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0141.345] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0141.345] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0141.345] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0141.345] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xec7c9cd0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec7c9cd0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xedc00b50, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfda25535, cFileName="glob.js", cAlternateFileName="")) returned 1 [0141.345] lstrcmpiW (lpString1="glob.js", lpString2="Windows") returned -1 [0141.345] lstrcmpiW (lpString1="glob.js", lpString2="Program Files") returned -1 [0141.345] lstrcmpiW (lpString1="glob.js", lpString2="Program Files (x86)") returned -1 [0141.345] lstrcmpiW (lpString1="glob.js", lpString2="$Recycle.bin") returned 1 [0141.345] lstrcmpiW (lpString1="glob.js", lpString2="System Volume Information") returned -1 [0141.345] lstrcmpiW (lpString1="glob.js", lpString2=".") returned 1 [0141.345] lstrcmpiW (lpString1="glob.js", lpString2="..") returned 1 [0141.345] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\glob.js") returned 88 [0141.346] lstrcmpW (lpString1="glob.js", lpString2="PUSSY.TXT") returned -1 [0141.346] PathFindExtensionW (pszPath="glob.js") returned=".js" [0141.346] lstrlenW (lpString=".js") returned 3 [0141.346] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0141.346] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\glob.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\javascripts\\glob.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0141.347] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=0) returned 1 [0141.347] CloseHandle (hObject=0x178) returned 1 [0141.347] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xec7c9cd0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec7c9cd0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xedc00b50, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0xa, dwReserved0=0x4e29d8, dwReserved1=0xfda25535, cFileName="glob.settings.js", cAlternateFileName="GLOBSE~1.JS")) returned 1 [0141.347] lstrcmpiW (lpString1="glob.settings.js", lpString2="Windows") returned -1 [0141.347] lstrcmpiW (lpString1="glob.settings.js", lpString2="Program Files") returned -1 [0141.347] lstrcmpiW (lpString1="glob.settings.js", lpString2="Program Files (x86)") returned -1 [0141.347] lstrcmpiW (lpString1="glob.settings.js", lpString2="$Recycle.bin") returned 1 [0141.347] lstrcmpiW (lpString1="glob.settings.js", lpString2="System Volume Information") returned -1 [0141.347] lstrcmpiW (lpString1="glob.settings.js", lpString2=".") returned 1 [0141.347] lstrcmpiW (lpString1="glob.settings.js", lpString2="..") returned 1 [0141.347] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\glob.settings.js") returned 97 [0141.347] lstrcmpW (lpString1="glob.settings.js", lpString2="PUSSY.TXT") returned -1 [0141.347] PathFindExtensionW (pszPath="glob.settings.js") returned=".js" [0141.347] lstrlenW (lpString=".js") returned 3 [0141.347] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0141.347] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\glob.settings.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\javascripts\\glob.settings.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0141.348] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=10) returned 1 [0141.348] CloseHandle (hObject=0x178) returned 1 [0141.348] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xec7c9cd0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec7c9cd0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xedc00b50, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0xa, dwReserved0=0x4e29d8, dwReserved1=0xfda25535, cFileName="glob.settings.js", cAlternateFileName="GLOBSE~1.JS")) returned 0 [0141.348] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0141.348] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\PUSSY.TXT") returned 90 [0141.348] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\javascripts\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x124 [0141.349] lstrlenA (lpString="abcd") returned 4 [0141.349] WriteFile (in: hFile=0x124, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0141.350] CloseHandle (hObject=0x124) returned 1 [0141.350] GetProcessHeap () returned 0x4c0000 [0141.350] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0141.350] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xda28e240, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xda8cdc00, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xda8cdc00, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2cab4ad1, cFileName="Security", cAlternateFileName="")) returned 1 [0141.350] lstrcmpiW (lpString1="Security", lpString2="Windows") returned -1 [0141.350] lstrcmpiW (lpString1="Security", lpString2="Program Files") returned 1 [0141.350] lstrcmpiW (lpString1="Security", lpString2="Program Files (x86)") returned 1 [0141.350] lstrcmpiW (lpString1="Security", lpString2="$Recycle.bin") returned 1 [0141.350] lstrcmpiW (lpString1="Security", lpString2="System Volume Information") returned -1 [0141.350] lstrcmpiW (lpString1="Security", lpString2=".") returned 1 [0141.350] lstrcmpiW (lpString1="Security", lpString2="..") returned 1 [0141.351] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security") returned 77 [0141.351] GetProcessHeap () returned 0x4c0000 [0141.351] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0141.351] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security" [0141.351] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\*" [0141.351] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xda28e240, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xda8cdc00, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xda8cdc00, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfda25535, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0141.351] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0141.351] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0141.351] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0141.351] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0141.351] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0141.351] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0141.351] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xda28e240, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xda8cdc00, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xda8cdc00, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfda25535, cFileName="..", cAlternateFileName="")) returned 1 [0141.351] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0141.351] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0141.351] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0141.351] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0141.351] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0141.352] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0141.352] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0141.352] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xda8cdc00, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xda8cdc00, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xda8f3d60, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x1517, dwReserved0=0x4e29d8, dwReserved1=0xfda25535, cFileName="addressbook.acrodata", cAlternateFileName="ADDRES~1.ACR")) returned 1 [0141.352] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="Windows") returned -1 [0141.352] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="Program Files") returned -1 [0141.352] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="Program Files (x86)") returned -1 [0141.352] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="$Recycle.bin") returned 1 [0141.352] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="System Volume Information") returned -1 [0141.352] lstrcmpiW (lpString1="addressbook.acrodata", lpString2=".") returned 1 [0141.352] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="..") returned 1 [0141.352] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\addressbook.acrodata") returned 98 [0141.352] lstrcmpW (lpString1="addressbook.acrodata", lpString2="PUSSY.TXT") returned -1 [0141.352] PathFindExtensionW (pszPath="addressbook.acrodata") returned=".acrodata" [0141.352] lstrlenW (lpString=".acrodata") returned 9 [0141.352] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0141.352] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\addressbook.acrodata" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\addressbook.acrodata"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0141.353] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=5399) returned 1 [0141.354] GetProcessHeap () returned 0x4c0000 [0141.354] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0141.368] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="F2") returned 2 [0141.368] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="58") returned 2 [0141.368] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="3D") returned 2 [0141.368] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="BD") returned 2 [0141.368] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="A0") returned 2 [0141.368] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="E6") returned 2 [0141.368] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="77") returned 2 [0141.368] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="49") returned 2 [0141.368] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="87") returned 2 [0141.368] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="A5") returned 2 [0141.368] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="8B") returned 2 [0141.368] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="DA") returned 2 [0141.368] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="68") returned 2 [0141.368] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="84") returned 2 [0141.368] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="84") returned 2 [0141.368] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="52") returned 2 [0141.369] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="CC") returned 2 [0141.369] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="61") returned 2 [0141.369] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="7B") returned 2 [0141.369] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="CD") returned 2 [0141.369] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="EF") returned 2 [0141.369] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="53") returned 2 [0141.369] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="E7") returned 2 [0141.369] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="D4") returned 2 [0141.369] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="5A") returned 2 [0141.369] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="B9") returned 2 [0141.369] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="0F") returned 2 [0141.369] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="E3") returned 2 [0141.369] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="27") returned 2 [0141.369] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="02") returned 2 [0141.369] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="38") returned 2 [0141.369] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="58") returned 2 [0141.382] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\addressbook.acrodata" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\addressbook.acrodata") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\addressbook.acrodata" [0141.382] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\addressbook.acrodata" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\addressbook.acrodata") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\addressbook.acrodata" [0141.382] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\addressbook.acrodata", lpString2=".F2583DBDA0E6774987A58BDA68848452CC617BCDEF53E7D45AB90FE327023858" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\addressbook.acrodata.F2583DBDA0E6774987A58BDA68848452CC617BCDEF53E7D45AB90FE327023858") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\addressbook.acrodata.F2583DBDA0E6774987A58BDA68848452CC617BCDEF53E7D45AB90FE327023858" [0141.382] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0141.382] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0141.382] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xda2b43a0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xda5adf20, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xda5adf20, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfda25535, cFileName="CRLCache", cAlternateFileName="")) returned 1 [0141.382] lstrcmpiW (lpString1="CRLCache", lpString2="Windows") returned -1 [0141.382] lstrcmpiW (lpString1="CRLCache", lpString2="Program Files") returned -1 [0141.382] lstrcmpiW (lpString1="CRLCache", lpString2="Program Files (x86)") returned -1 [0141.382] lstrcmpiW (lpString1="CRLCache", lpString2="$Recycle.bin") returned 1 [0141.382] lstrcmpiW (lpString1="CRLCache", lpString2="System Volume Information") returned -1 [0141.382] lstrcmpiW (lpString1="CRLCache", lpString2=".") returned 1 [0141.382] lstrcmpiW (lpString1="CRLCache", lpString2="..") returned 1 [0141.382] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache") returned 86 [0141.382] GetProcessHeap () returned 0x4c0000 [0141.382] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bd80e8 [0141.383] lstrcpyW (in: lpString1=0x3bd80e8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache" [0141.383] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\*" [0141.383] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xda2b43a0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xda5adf20, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xda5adf20, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ae70, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0141.384] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0141.384] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0141.384] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0141.384] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0141.384] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0141.384] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0141.384] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xda2b43a0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xda5adf20, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xda5adf20, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ae70, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0141.384] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0141.384] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0141.384] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0141.384] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0141.384] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0141.384] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0141.384] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0141.384] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xda5adf20, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xda5adf20, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xdefc97c0, ftLastWriteTime.dwHighDateTime=0x1d2e625, nFileSizeHigh=0x0, nFileSizeLow=0x3a5, dwReserved0=0x28ae70, dwReserved1=0x77c61b06, cFileName="48B76449F3D5FEFA1133AA805E420F0FCA643651.crl", cAlternateFileName="48B764~1.CRL")) returned 1 [0141.384] lstrcmpiW (lpString1="48B76449F3D5FEFA1133AA805E420F0FCA643651.crl", lpString2="Windows") returned -1 [0141.384] lstrcmpiW (lpString1="48B76449F3D5FEFA1133AA805E420F0FCA643651.crl", lpString2="Program Files") returned -1 [0141.384] lstrcmpiW (lpString1="48B76449F3D5FEFA1133AA805E420F0FCA643651.crl", lpString2="Program Files (x86)") returned -1 [0141.384] lstrcmpiW (lpString1="48B76449F3D5FEFA1133AA805E420F0FCA643651.crl", lpString2="$Recycle.bin") returned 1 [0141.384] lstrcmpiW (lpString1="48B76449F3D5FEFA1133AA805E420F0FCA643651.crl", lpString2="System Volume Information") returned -1 [0141.384] lstrcmpiW (lpString1="48B76449F3D5FEFA1133AA805E420F0FCA643651.crl", lpString2=".") returned 1 [0141.384] lstrcmpiW (lpString1="48B76449F3D5FEFA1133AA805E420F0FCA643651.crl", lpString2="..") returned 1 [0141.384] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl") returned 131 [0141.384] lstrcmpW (lpString1="48B76449F3D5FEFA1133AA805E420F0FCA643651.crl", lpString2="PUSSY.TXT") returned -1 [0141.385] PathFindExtensionW (pszPath="48B76449F3D5FEFA1133AA805E420F0FCA643651.crl") returned=".crl" [0141.385] lstrlenW (lpString=".crl") returned 4 [0141.385] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0141.385] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\crlcache\\48b76449f3d5fefa1133aa805e420f0fca643651.crl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x180 [0141.386] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=933) returned 1 [0141.386] GetProcessHeap () returned 0x4c0000 [0141.386] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0141.401] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="57") returned 2 [0141.401] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="9F") returned 2 [0141.401] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="C9") returned 2 [0141.401] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="8F") returned 2 [0141.401] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="4A") returned 2 [0141.401] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="EF") returned 2 [0141.401] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="D8") returned 2 [0141.401] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="F7") returned 2 [0141.401] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="E2") returned 2 [0141.401] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="2B") returned 2 [0141.401] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="0B") returned 2 [0141.401] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="EF") returned 2 [0141.401] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="D5") returned 2 [0141.401] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="4A") returned 2 [0141.401] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="6D") returned 2 [0141.401] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="2D") returned 2 [0141.401] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="48") returned 2 [0141.401] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="F6") returned 2 [0141.401] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="91") returned 2 [0141.401] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="00") returned 2 [0141.401] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="61") returned 2 [0141.401] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="C2") returned 2 [0141.401] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="35") returned 2 [0141.401] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="30") returned 2 [0141.401] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="F4") returned 2 [0141.402] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="F7") returned 2 [0141.402] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="9C") returned 2 [0141.402] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="C8") returned 2 [0141.402] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="49") returned 2 [0141.402] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="97") returned 2 [0141.402] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="5B") returned 2 [0141.402] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="3D") returned 2 [0141.415] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl" [0141.415] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl" [0141.415] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl", lpString2=".579FC98F4AEFD8F7E22B0BEFD54A6D2D48F6910061C23530F4F79CC849975B3D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl.579FC98F4AEFD8F7E22B0BEFD54A6D2D48F6910061C23530F4F79CC849975B3D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl.579FC98F4AEFD8F7E22B0BEFD54A6D2D48F6910061C23530F4F79CC849975B3D" [0141.415] CreateIoCompletionPort (FileHandle=0x180, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0141.415] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0141.415] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xda3e4ea0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xda3e4ea0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xdefa3660, ftLastWriteTime.dwHighDateTime=0x1d2e625, nFileSizeHigh=0x0, nFileSizeLow=0x9347, dwReserved0=0x28ae70, dwReserved1=0x77c61b06, cFileName="A9B8213768ADC68AF64FCC6409E8BE414726687F.crl", cAlternateFileName="A9B821~1.CRL")) returned 1 [0141.415] lstrcmpiW (lpString1="A9B8213768ADC68AF64FCC6409E8BE414726687F.crl", lpString2="Windows") returned -1 [0141.415] lstrcmpiW (lpString1="A9B8213768ADC68AF64FCC6409E8BE414726687F.crl", lpString2="Program Files") returned -1 [0141.415] lstrcmpiW (lpString1="A9B8213768ADC68AF64FCC6409E8BE414726687F.crl", lpString2="Program Files (x86)") returned -1 [0141.415] lstrcmpiW (lpString1="A9B8213768ADC68AF64FCC6409E8BE414726687F.crl", lpString2="$Recycle.bin") returned 1 [0141.415] lstrcmpiW (lpString1="A9B8213768ADC68AF64FCC6409E8BE414726687F.crl", lpString2="System Volume Information") returned -1 [0141.415] lstrcmpiW (lpString1="A9B8213768ADC68AF64FCC6409E8BE414726687F.crl", lpString2=".") returned 1 [0141.415] lstrcmpiW (lpString1="A9B8213768ADC68AF64FCC6409E8BE414726687F.crl", lpString2="..") returned 1 [0141.415] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl") returned 131 [0141.416] lstrcmpW (lpString1="A9B8213768ADC68AF64FCC6409E8BE414726687F.crl", lpString2="PUSSY.TXT") returned -1 [0141.416] PathFindExtensionW (pszPath="A9B8213768ADC68AF64FCC6409E8BE414726687F.crl") returned=".crl" [0141.416] lstrlenW (lpString=".crl") returned 4 [0141.416] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0141.416] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\crlcache\\a9b8213768adc68af64fcc6409e8be414726687f.crl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x128 [0141.417] GetFileSizeEx (in: hFile=0x128, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=37703) returned 1 [0141.417] GetProcessHeap () returned 0x4c0000 [0141.417] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x553b30 [0141.466] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="36") returned 2 [0141.466] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="3A") returned 2 [0141.466] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="64") returned 2 [0141.466] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="9E") returned 2 [0141.466] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="1E") returned 2 [0141.466] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="7B") returned 2 [0141.466] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="A0") returned 2 [0141.466] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="4C") returned 2 [0141.466] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="CB") returned 2 [0141.466] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="7C") returned 2 [0141.466] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="40") returned 2 [0141.467] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="A3") returned 2 [0141.467] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="1A") returned 2 [0141.467] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="8B") returned 2 [0141.467] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="86") returned 2 [0141.467] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="8D") returned 2 [0141.467] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="43") returned 2 [0141.467] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="BA") returned 2 [0141.467] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="EC") returned 2 [0141.467] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="2A") returned 2 [0141.467] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="DD") returned 2 [0141.467] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="8F") returned 2 [0141.467] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="15") returned 2 [0141.467] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="6F") returned 2 [0141.467] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="AD") returned 2 [0141.467] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="8E") returned 2 [0141.467] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="8D") returned 2 [0141.467] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="57") returned 2 [0141.467] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="99") returned 2 [0141.467] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="FE") returned 2 [0141.467] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="6D") returned 2 [0141.467] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="50") returned 2 [0141.479] lstrcpyW (in: lpString1=0x563b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl" [0141.479] lstrcpyW (in: lpString1=0x553b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl" [0141.480] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl", lpString2=".363A649E1E7BA04CCB7C40A31A8B868D43BAEC2ADD8F156FAD8E8D5799FE6D50" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl.363A649E1E7BA04CCB7C40A31A8B868D43BAEC2ADD8F156FAD8E8D5799FE6D50") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl.363A649E1E7BA04CCB7C40A31A8B868D43BAEC2ADD8F156FAD8E8D5799FE6D50" [0141.480] CreateIoCompletionPort (FileHandle=0x128, ExistingCompletionPort=0x94, CompletionKey=0x553b30, NumberOfConcurrentThreads=0x0) returned 0x94 [0141.480] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x553b30, lpOverlapped=0x553b30) returned 1 [0141.480] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xda3e4ea0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xda3e4ea0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xdefa3660, ftLastWriteTime.dwHighDateTime=0x1d2e625, nFileSizeHigh=0x0, nFileSizeLow=0x9347, dwReserved0=0x28ae70, dwReserved1=0x77c61b06, cFileName="A9B8213768ADC68AF64FCC6409E8BE414726687F.crl", cAlternateFileName="A9B821~1.CRL")) returned 0 [0141.480] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0141.480] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\PUSSY.TXT") returned 96 [0141.480] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\crlcache\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0141.482] lstrlenA (lpString="abcd") returned 4 [0141.482] WriteFile (in: hFile=0x1d4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0141.483] CloseHandle (hObject=0x1d4) returned 1 [0141.483] GetProcessHeap () returned 0x4c0000 [0141.483] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bd80e8 | out: hHeap=0x4c0000) returned 1 [0141.483] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xda2b43a0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xda5adf20, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xda5adf20, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfda25535, cFileName="CRLCache", cAlternateFileName="")) returned 0 [0141.483] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0141.483] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\PUSSY.TXT") returned 87 [0141.483] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x124 [0141.484] lstrlenA (lpString="abcd") returned 4 [0141.484] WriteFile (in: hFile=0x124, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0141.486] CloseHandle (hObject=0x124) returned 1 [0141.486] GetProcessHeap () returned 0x4c0000 [0141.486] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0141.486] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xda28e240, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xda8cdc00, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xda8cdc00, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2cab4ad1, cFileName="Security", cAlternateFileName="")) returned 0 [0141.486] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0141.486] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\PUSSY.TXT") returned 78 [0141.486] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0141.487] lstrlenA (lpString="abcd") returned 4 [0141.487] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0141.488] CloseHandle (hObject=0x18c) returned 1 [0141.488] GetProcessHeap () returned 0x4c0000 [0141.488] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0141.490] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xec7c9cd0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec7c9cd0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe1215ab, dwReserved1=0xfe000000, cFileName="10.0", cAlternateFileName="")) returned 0 [0141.490] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0141.490] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\PUSSY.TXT") returned 73 [0141.490] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0141.491] lstrlenA (lpString="abcd") returned 4 [0141.491] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0141.492] CloseHandle (hObject=0x1d0) returned 1 [0141.492] GetProcessHeap () returned 0x4c0000 [0141.492] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0141.492] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Flash Player", cAlternateFileName="FLASHP~1")) returned 1 [0141.492] lstrcmpiW (lpString1="Flash Player", lpString2="Windows") returned -1 [0141.492] lstrcmpiW (lpString1="Flash Player", lpString2="Program Files") returned -1 [0141.492] lstrcmpiW (lpString1="Flash Player", lpString2="Program Files (x86)") returned -1 [0141.492] lstrcmpiW (lpString1="Flash Player", lpString2="$Recycle.bin") returned 1 [0141.493] lstrcmpiW (lpString1="Flash Player", lpString2="System Volume Information") returned -1 [0141.493] lstrcmpiW (lpString1="Flash Player", lpString2=".") returned 1 [0141.493] lstrcmpiW (lpString1="Flash Player", lpString2="..") returned 1 [0141.493] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player") returned 68 [0141.493] GetProcessHeap () returned 0x4c0000 [0141.493] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0141.493] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player" [0141.493] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\*" [0141.493] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe1215ab, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0141.495] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0141.495] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0141.495] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0141.495] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0141.495] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0141.495] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0141.495] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe1215ab, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0141.495] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0141.495] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0141.496] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0141.496] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0141.496] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0141.496] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0141.496] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0141.496] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x1d40bff0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d40bff0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe1215ab, dwReserved1=0xfe000000, cFileName="AssetCache", cAlternateFileName="ASSETC~1")) returned 1 [0141.496] lstrcmpiW (lpString1="AssetCache", lpString2="Windows") returned -1 [0141.496] lstrcmpiW (lpString1="AssetCache", lpString2="Program Files") returned -1 [0141.496] lstrcmpiW (lpString1="AssetCache", lpString2="Program Files (x86)") returned -1 [0141.496] lstrcmpiW (lpString1="AssetCache", lpString2="$Recycle.bin") returned 1 [0141.496] lstrcmpiW (lpString1="AssetCache", lpString2="System Volume Information") returned -1 [0141.496] lstrcmpiW (lpString1="AssetCache", lpString2=".") returned 1 [0141.496] lstrcmpiW (lpString1="AssetCache", lpString2="..") returned 1 [0141.496] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache") returned 79 [0141.496] GetProcessHeap () returned 0x4c0000 [0141.496] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0141.497] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache" [0141.497] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\*" [0141.497] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x1d40bff0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d40bff0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2cab4ad1, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0141.497] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0141.497] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0141.497] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0141.497] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0141.497] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0141.497] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0141.497] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x1d40bff0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d40bff0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2cab4ad1, cFileName="..", cAlternateFileName="")) returned 1 [0141.498] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0141.498] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0141.498] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0141.498] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0141.498] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0141.498] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0141.498] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0141.498] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d40bff0, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1d40bff0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d40bff0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2cab4ad1, cFileName="D5NTRC6R", cAlternateFileName="")) returned 1 [0141.498] lstrcmpiW (lpString1="D5NTRC6R", lpString2="Windows") returned -1 [0141.498] lstrcmpiW (lpString1="D5NTRC6R", lpString2="Program Files") returned -1 [0141.498] lstrcmpiW (lpString1="D5NTRC6R", lpString2="Program Files (x86)") returned -1 [0141.498] lstrcmpiW (lpString1="D5NTRC6R", lpString2="$Recycle.bin") returned 1 [0141.498] lstrcmpiW (lpString1="D5NTRC6R", lpString2="System Volume Information") returned -1 [0141.498] lstrcmpiW (lpString1="D5NTRC6R", lpString2=".") returned 1 [0141.498] lstrcmpiW (lpString1="D5NTRC6R", lpString2="..") returned 1 [0141.498] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\D5NTRC6R") returned 88 [0141.498] GetProcessHeap () returned 0x4c0000 [0141.498] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0141.499] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\D5NTRC6R" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\D5NTRC6R") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\D5NTRC6R" [0141.499] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\D5NTRC6R", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\D5NTRC6R\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\D5NTRC6R\\*" [0141.499] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\D5NTRC6R\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d40bff0, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1d40bff0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d40bff0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfda25535, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0141.562] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0141.566] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0141.566] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0141.566] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0141.566] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0141.566] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0141.566] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d40bff0, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1d40bff0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d40bff0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfda25535, cFileName="..", cAlternateFileName="")) returned 1 [0141.566] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0141.566] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0141.566] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0141.566] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0141.566] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0141.566] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0141.566] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0141.567] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d40bff0, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1d40bff0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d40bff0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfda25535, cFileName="..", cAlternateFileName="")) returned 0 [0141.567] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0141.569] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\D5NTRC6R\\PUSSY.TXT") returned 98 [0141.569] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\D5NTRC6R\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\flash player\\assetcache\\d5ntrc6r\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x124 [0141.570] lstrlenA (lpString="abcd") returned 4 [0141.570] WriteFile (in: hFile=0x124, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0141.571] CloseHandle (hObject=0x124) returned 1 [0141.572] GetProcessHeap () returned 0x4c0000 [0141.572] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0141.572] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d40bff0, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1d40bff0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d40bff0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2cab4ad1, cFileName="D5NTRC6R", cAlternateFileName="")) returned 0 [0141.572] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0141.574] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\PUSSY.TXT") returned 89 [0141.574] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\flash player\\assetcache\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0141.575] lstrlenA (lpString="abcd") returned 4 [0141.575] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0141.576] CloseHandle (hObject=0x18c) returned 1 [0141.576] GetProcessHeap () returned 0x4c0000 [0141.576] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0141.576] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x1d40bff0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d40bff0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe1215ab, dwReserved1=0xfe000000, cFileName="AssetCache", cAlternateFileName="ASSETC~1")) returned 0 [0141.576] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0141.576] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\PUSSY.TXT") returned 78 [0141.576] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\flash player\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0141.577] lstrlenA (lpString="abcd") returned 4 [0141.577] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0141.578] CloseHandle (hObject=0x1d0) returned 1 [0141.578] GetProcessHeap () returned 0x4c0000 [0141.578] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0141.578] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Headlights", cAlternateFileName="HEADLI~1")) returned 1 [0141.578] lstrcmpiW (lpString1="Headlights", lpString2="Windows") returned -1 [0141.578] lstrcmpiW (lpString1="Headlights", lpString2="Program Files") returned -1 [0141.578] lstrcmpiW (lpString1="Headlights", lpString2="Program Files (x86)") returned -1 [0141.578] lstrcmpiW (lpString1="Headlights", lpString2="$Recycle.bin") returned 1 [0141.578] lstrcmpiW (lpString1="Headlights", lpString2="System Volume Information") returned -1 [0141.578] lstrcmpiW (lpString1="Headlights", lpString2=".") returned 1 [0141.579] lstrcmpiW (lpString1="Headlights", lpString2="..") returned 1 [0141.579] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Headlights") returned 66 [0141.579] GetProcessHeap () returned 0x4c0000 [0141.579] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0141.579] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Headlights" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Headlights") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Headlights" [0141.579] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Headlights", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Headlights\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Headlights\\*" [0141.579] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Headlights\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe1215ab, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0141.579] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0141.579] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0141.579] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0141.579] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0141.579] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0141.579] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0141.579] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe1215ab, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0141.579] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0141.579] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0141.579] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0141.579] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0141.580] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0141.580] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0141.580] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0141.580] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe1215ab, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0141.580] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0141.580] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Headlights\\PUSSY.TXT") returned 76 [0141.580] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Headlights\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\headlights\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0141.581] lstrlenA (lpString="abcd") returned 4 [0141.581] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0141.582] CloseHandle (hObject=0x1d0) returned 1 [0141.582] GetProcessHeap () returned 0x4c0000 [0141.582] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0141.582] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Linguistics", cAlternateFileName="LINGUI~1")) returned 1 [0141.582] lstrcmpiW (lpString1="Linguistics", lpString2="Windows") returned -1 [0141.582] lstrcmpiW (lpString1="Linguistics", lpString2="Program Files") returned -1 [0141.582] lstrcmpiW (lpString1="Linguistics", lpString2="Program Files (x86)") returned -1 [0141.582] lstrcmpiW (lpString1="Linguistics", lpString2="$Recycle.bin") returned 1 [0141.582] lstrcmpiW (lpString1="Linguistics", lpString2="System Volume Information") returned -1 [0141.582] lstrcmpiW (lpString1="Linguistics", lpString2=".") returned 1 [0141.582] lstrcmpiW (lpString1="Linguistics", lpString2="..") returned 1 [0141.582] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics") returned 67 [0141.582] GetProcessHeap () returned 0x4c0000 [0141.582] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0141.582] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics" [0141.582] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\*" [0141.582] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe1215ab, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0141.583] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0141.583] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0141.583] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0141.583] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0141.583] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0141.583] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0141.583] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe1215ab, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0141.583] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0141.583] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0141.583] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0141.583] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0141.583] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0141.583] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0141.583] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0141.584] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe1215ab, dwReserved1=0xfe000000, cFileName="Dictionaries", cAlternateFileName="DICTIO~1")) returned 1 [0141.584] lstrcmpiW (lpString1="Dictionaries", lpString2="Windows") returned -1 [0141.584] lstrcmpiW (lpString1="Dictionaries", lpString2="Program Files") returned -1 [0141.584] lstrcmpiW (lpString1="Dictionaries", lpString2="Program Files (x86)") returned -1 [0141.584] lstrcmpiW (lpString1="Dictionaries", lpString2="$Recycle.bin") returned 1 [0141.584] lstrcmpiW (lpString1="Dictionaries", lpString2="System Volume Information") returned -1 [0141.584] lstrcmpiW (lpString1="Dictionaries", lpString2=".") returned 1 [0141.584] lstrcmpiW (lpString1="Dictionaries", lpString2="..") returned 1 [0141.584] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries") returned 80 [0141.584] GetProcessHeap () returned 0x4c0000 [0141.584] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0141.584] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries" [0141.584] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries\\*" [0141.584] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2cab4ad1, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0141.584] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0141.584] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0141.585] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0141.585] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0141.585] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0141.585] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0141.585] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2cab4ad1, cFileName="..", cAlternateFileName="")) returned 1 [0141.585] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0141.585] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0141.585] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0141.585] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0141.585] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0141.585] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0141.585] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0141.585] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2cab4ad1, cFileName="..", cAlternateFileName="")) returned 0 [0141.585] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0141.586] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries\\PUSSY.TXT") returned 90 [0141.586] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\linguistics\\dictionaries\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0141.586] lstrlenA (lpString="abcd") returned 4 [0141.586] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0141.588] CloseHandle (hObject=0x18c) returned 1 [0141.588] GetProcessHeap () returned 0x4c0000 [0141.588] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0141.588] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe1215ab, dwReserved1=0xfe000000, cFileName="Dictionaries", cAlternateFileName="DICTIO~1")) returned 0 [0141.588] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0141.588] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\PUSSY.TXT") returned 77 [0141.588] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\linguistics\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0141.589] lstrlenA (lpString="abcd") returned 4 [0141.589] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0141.590] CloseHandle (hObject=0x1d0) returned 1 [0141.590] GetProcessHeap () returned 0x4c0000 [0141.590] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0141.590] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="LogTransport2", cAlternateFileName="LOGTRA~1")) returned 1 [0141.590] lstrcmpiW (lpString1="LogTransport2", lpString2="Windows") returned -1 [0141.590] lstrcmpiW (lpString1="LogTransport2", lpString2="Program Files") returned -1 [0141.590] lstrcmpiW (lpString1="LogTransport2", lpString2="Program Files (x86)") returned -1 [0141.590] lstrcmpiW (lpString1="LogTransport2", lpString2="$Recycle.bin") returned 1 [0141.590] lstrcmpiW (lpString1="LogTransport2", lpString2="System Volume Information") returned -1 [0141.590] lstrcmpiW (lpString1="LogTransport2", lpString2=".") returned 1 [0141.590] lstrcmpiW (lpString1="LogTransport2", lpString2="..") returned 1 [0141.590] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\LogTransport2") returned 69 [0141.590] GetProcessHeap () returned 0x4c0000 [0141.590] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0141.590] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\LogTransport2" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\LogTransport2") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\LogTransport2" [0141.590] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\LogTransport2", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\LogTransport2\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\LogTransport2\\*" [0141.590] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\LogTransport2\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe1215ab, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0141.591] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0141.591] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0141.591] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0141.591] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0141.591] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0141.591] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0141.591] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe1215ab, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0141.591] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0141.591] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0141.591] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0141.591] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0141.591] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0141.591] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0141.591] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0141.591] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe1215ab, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0141.591] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0141.592] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\LogTransport2\\PUSSY.TXT") returned 79 [0141.592] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\LogTransport2\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\logtransport2\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0141.592] lstrlenA (lpString="abcd") returned 4 [0141.592] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0141.593] CloseHandle (hObject=0x1d0) returned 1 [0141.596] GetProcessHeap () returned 0x4c0000 [0141.596] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0141.596] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="LogTransport2", cAlternateFileName="LOGTRA~1")) returned 0 [0141.596] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0141.596] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\PUSSY.TXT") returned 65 [0141.596] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0141.597] lstrlenA (lpString="abcd") returned 4 [0141.597] WriteFile (in: hFile=0x1b8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0141.598] CloseHandle (hObject=0x1b8) returned 1 [0141.598] GetProcessHeap () returned 0x4c0000 [0141.598] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0141.600] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd947f550, ftCreationTime.dwHighDateTime=0x1d5ddf7, ftLastAccessTime.dwLowDateTime=0x153107b0, ftLastAccessTime.dwHighDateTime=0x1d5e64e, ftLastWriteTime.dwLowDateTime=0x153107b0, ftLastWriteTime.dwHighDateTime=0x1d5e64e, nFileSizeHigh=0x0, nFileSizeLow=0xdd11, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="ATxH3uC6VdsCscrBd.mkv", cAlternateFileName="ATXH3U~1.MKV")) returned 1 [0141.600] lstrcmpiW (lpString1="ATxH3uC6VdsCscrBd.mkv", lpString2="Windows") returned -1 [0141.600] lstrcmpiW (lpString1="ATxH3uC6VdsCscrBd.mkv", lpString2="Program Files") returned -1 [0141.600] lstrcmpiW (lpString1="ATxH3uC6VdsCscrBd.mkv", lpString2="Program Files (x86)") returned -1 [0141.600] lstrcmpiW (lpString1="ATxH3uC6VdsCscrBd.mkv", lpString2="$Recycle.bin") returned 1 [0141.600] lstrcmpiW (lpString1="ATxH3uC6VdsCscrBd.mkv", lpString2="System Volume Information") returned -1 [0141.600] lstrcmpiW (lpString1="ATxH3uC6VdsCscrBd.mkv", lpString2=".") returned 1 [0141.600] lstrcmpiW (lpString1="ATxH3uC6VdsCscrBd.mkv", lpString2="..") returned 1 [0141.600] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ATxH3uC6VdsCscrBd.mkv") returned 71 [0141.601] lstrcmpW (lpString1="ATxH3uC6VdsCscrBd.mkv", lpString2="PUSSY.TXT") returned -1 [0141.601] PathFindExtensionW (pszPath="ATxH3uC6VdsCscrBd.mkv") returned=".mkv" [0141.601] lstrlenW (lpString=".mkv") returned 4 [0141.601] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0141.601] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ATxH3uC6VdsCscrBd.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\atxh3uc6vdscscrbd.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0141.601] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=56593) returned 1 [0141.602] GetProcessHeap () returned 0x4c0000 [0141.602] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0141.616] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="67") returned 2 [0141.616] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="DF") returned 2 [0141.616] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="D7") returned 2 [0141.616] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="AB") returned 2 [0141.616] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="1E") returned 2 [0141.616] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="16") returned 2 [0141.616] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="12") returned 2 [0141.616] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="DA") returned 2 [0141.616] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="04") returned 2 [0141.616] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="82") returned 2 [0141.616] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="7F") returned 2 [0141.616] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="3A") returned 2 [0141.616] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="D7") returned 2 [0141.616] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="DF") returned 2 [0141.616] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="8A") returned 2 [0141.616] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="91") returned 2 [0141.616] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="6B") returned 2 [0141.616] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="3B") returned 2 [0141.616] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="FC") returned 2 [0141.616] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="E3") returned 2 [0141.616] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="08") returned 2 [0141.616] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="32") returned 2 [0141.616] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="ED") returned 2 [0141.617] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="B8") returned 2 [0141.617] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="DE") returned 2 [0141.617] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="D1") returned 2 [0141.617] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="80") returned 2 [0141.617] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="8E") returned 2 [0141.617] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="2A") returned 2 [0141.617] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="E9") returned 2 [0141.617] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="7C") returned 2 [0141.617] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="5A") returned 2 [0141.630] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ATxH3uC6VdsCscrBd.mkv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ATxH3uC6VdsCscrBd.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ATxH3uC6VdsCscrBd.mkv" [0141.659] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ATxH3uC6VdsCscrBd.mkv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ATxH3uC6VdsCscrBd.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ATxH3uC6VdsCscrBd.mkv" [0141.659] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ATxH3uC6VdsCscrBd.mkv", lpString2=".67DFD7AB1E1612DA04827F3AD7DF8A916B3BFCE30832EDB8DED1808E2AE97C5A" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ATxH3uC6VdsCscrBd.mkv.67DFD7AB1E1612DA04827F3AD7DF8A916B3BFCE30832EDB8DED1808E2AE97C5A") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ATxH3uC6VdsCscrBd.mkv.67DFD7AB1E1612DA04827F3AD7DF8A916B3BFCE30832EDB8DED1808E2AE97C5A" [0141.659] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0141.659] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0141.703] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc377fd70, ftCreationTime.dwHighDateTime=0x1d5e1a2, ftLastAccessTime.dwLowDateTime=0xb8849490, ftLastAccessTime.dwHighDateTime=0x1d5e2a7, ftLastWriteTime.dwLowDateTime=0xb8849490, ftLastWriteTime.dwHighDateTime=0x1d5e2a7, nFileSizeHigh=0x0, nFileSizeLow=0x166db, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="bpobfvAL-zRZM_.mp3", cAlternateFileName="BPOBFV~1.MP3")) returned 1 [0141.703] lstrcmpiW (lpString1="bpobfvAL-zRZM_.mp3", lpString2="Windows") returned -1 [0141.703] lstrcmpiW (lpString1="bpobfvAL-zRZM_.mp3", lpString2="Program Files") returned -1 [0141.703] lstrcmpiW (lpString1="bpobfvAL-zRZM_.mp3", lpString2="Program Files (x86)") returned -1 [0141.703] lstrcmpiW (lpString1="bpobfvAL-zRZM_.mp3", lpString2="$Recycle.bin") returned 1 [0141.703] lstrcmpiW (lpString1="bpobfvAL-zRZM_.mp3", lpString2="System Volume Information") returned -1 [0141.703] lstrcmpiW (lpString1="bpobfvAL-zRZM_.mp3", lpString2=".") returned 1 [0141.703] lstrcmpiW (lpString1="bpobfvAL-zRZM_.mp3", lpString2="..") returned 1 [0141.703] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\bpobfvAL-zRZM_.mp3") returned 68 [0141.708] lstrcmpW (lpString1="bpobfvAL-zRZM_.mp3", lpString2="PUSSY.TXT") returned -1 [0141.708] PathFindExtensionW (pszPath="bpobfvAL-zRZM_.mp3") returned=".mp3" [0141.708] lstrlenW (lpString=".mp3") returned 4 [0141.708] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0141.708] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\bpobfvAL-zRZM_.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\bpobfval-zrzm_.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0141.709] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=91867) returned 1 [0141.709] GetProcessHeap () returned 0x4c0000 [0141.709] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0141.721] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="AA") returned 2 [0141.721] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="3A") returned 2 [0141.721] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="1C") returned 2 [0141.721] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="98") returned 2 [0141.722] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="7B") returned 2 [0141.722] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="E1") returned 2 [0141.722] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="34") returned 2 [0141.722] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="DB") returned 2 [0141.722] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="53") returned 2 [0141.722] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="67") returned 2 [0141.722] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="44") returned 2 [0141.722] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="26") returned 2 [0141.722] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="88") returned 2 [0141.722] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="99") returned 2 [0141.722] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="5E") returned 2 [0141.722] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="93") returned 2 [0141.722] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="FE") returned 2 [0141.722] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="48") returned 2 [0141.722] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="F3") returned 2 [0141.722] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="4A") returned 2 [0141.722] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="81") returned 2 [0141.722] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="23") returned 2 [0141.722] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="F1") returned 2 [0141.722] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="0A") returned 2 [0141.722] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="3E") returned 2 [0141.722] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="29") returned 2 [0141.722] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="9A") returned 2 [0141.722] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="FE") returned 2 [0141.722] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="93") returned 2 [0141.722] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="46") returned 2 [0141.723] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="54") returned 2 [0141.723] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="49") returned 2 [0141.735] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\bpobfvAL-zRZM_.mp3" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\bpobfvAL-zRZM_.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\bpobfvAL-zRZM_.mp3" [0141.735] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\bpobfvAL-zRZM_.mp3" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\bpobfvAL-zRZM_.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\bpobfvAL-zRZM_.mp3" [0141.735] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\bpobfvAL-zRZM_.mp3", lpString2=".AA3A1C987BE134DB5367442688995E93FE48F34A8123F10A3E299AFE93465449" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\bpobfvAL-zRZM_.mp3.AA3A1C987BE134DB5367442688995E93FE48F34A8123F10A3E299AFE93465449") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\bpobfvAL-zRZM_.mp3.AA3A1C987BE134DB5367442688995E93FE48F34A8123F10A3E299AFE93465449" [0141.735] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0141.735] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0141.803] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa7be6eb0, ftCreationTime.dwHighDateTime=0x1d5e06d, ftLastAccessTime.dwLowDateTime=0xfe658650, ftLastAccessTime.dwHighDateTime=0x1d5dae5, ftLastWriteTime.dwLowDateTime=0xfe658650, ftLastWriteTime.dwHighDateTime=0x1d5dae5, nFileSizeHigh=0x0, nFileSizeLow=0x1db7, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="e1Nd5MWqD 1Nl8rr1pgw.mp3", cAlternateFileName="E1ND5M~1.MP3")) returned 1 [0141.803] lstrcmpiW (lpString1="e1Nd5MWqD 1Nl8rr1pgw.mp3", lpString2="Windows") returned -1 [0141.803] lstrcmpiW (lpString1="e1Nd5MWqD 1Nl8rr1pgw.mp3", lpString2="Program Files") returned -1 [0141.803] lstrcmpiW (lpString1="e1Nd5MWqD 1Nl8rr1pgw.mp3", lpString2="Program Files (x86)") returned -1 [0141.803] lstrcmpiW (lpString1="e1Nd5MWqD 1Nl8rr1pgw.mp3", lpString2="$Recycle.bin") returned 1 [0141.803] lstrcmpiW (lpString1="e1Nd5MWqD 1Nl8rr1pgw.mp3", lpString2="System Volume Information") returned -1 [0141.803] lstrcmpiW (lpString1="e1Nd5MWqD 1Nl8rr1pgw.mp3", lpString2=".") returned 1 [0141.803] lstrcmpiW (lpString1="e1Nd5MWqD 1Nl8rr1pgw.mp3", lpString2="..") returned 1 [0141.803] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\e1Nd5MWqD 1Nl8rr1pgw.mp3") returned 74 [0141.803] lstrcmpW (lpString1="e1Nd5MWqD 1Nl8rr1pgw.mp3", lpString2="PUSSY.TXT") returned -1 [0141.803] PathFindExtensionW (pszPath="e1Nd5MWqD 1Nl8rr1pgw.mp3") returned=".mp3" [0141.803] lstrlenW (lpString=".mp3") returned 4 [0141.803] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0141.803] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\e1Nd5MWqD 1Nl8rr1pgw.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\e1nd5mwqd 1nl8rr1pgw.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0141.804] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=7607) returned 1 [0141.804] GetProcessHeap () returned 0x4c0000 [0141.804] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0141.816] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="7D") returned 2 [0141.816] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="0F") returned 2 [0141.816] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="78") returned 2 [0141.816] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="D1") returned 2 [0141.817] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="A7") returned 2 [0141.817] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="6A") returned 2 [0141.817] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="EA") returned 2 [0141.817] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="97") returned 2 [0141.817] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="CE") returned 2 [0141.817] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="77") returned 2 [0141.817] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="1B") returned 2 [0141.817] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="D4") returned 2 [0141.817] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="8E") returned 2 [0141.817] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="EC") returned 2 [0141.817] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="B6") returned 2 [0141.817] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="BA") returned 2 [0141.817] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="13") returned 2 [0141.817] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="B7") returned 2 [0141.817] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="8B") returned 2 [0141.817] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="33") returned 2 [0141.817] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="08") returned 2 [0141.817] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="AF") returned 2 [0141.817] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="DA") returned 2 [0141.817] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="40") returned 2 [0141.817] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="14") returned 2 [0141.817] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="4A") returned 2 [0141.817] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="B7") returned 2 [0141.817] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="CC") returned 2 [0141.817] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="E1") returned 2 [0141.817] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="BD") returned 2 [0141.817] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="E6") returned 2 [0141.817] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="52") returned 2 [0141.826] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\e1Nd5MWqD 1Nl8rr1pgw.mp3" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\e1Nd5MWqD 1Nl8rr1pgw.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\e1Nd5MWqD 1Nl8rr1pgw.mp3" [0141.826] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\e1Nd5MWqD 1Nl8rr1pgw.mp3" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\e1Nd5MWqD 1Nl8rr1pgw.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\e1Nd5MWqD 1Nl8rr1pgw.mp3" [0141.826] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\e1Nd5MWqD 1Nl8rr1pgw.mp3", lpString2=".7D0F78D1A76AEA97CE771BD48EECB6BA13B78B3308AFDA40144AB7CCE1BDE652" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\e1Nd5MWqD 1Nl8rr1pgw.mp3.7D0F78D1A76AEA97CE771BD48EECB6BA13B78B3308AFDA40144AB7CCE1BDE652") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\e1Nd5MWqD 1Nl8rr1pgw.mp3.7D0F78D1A76AEA97CE771BD48EECB6BA13B78B3308AFDA40144AB7CCE1BDE652" [0141.826] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0141.826] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0141.849] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x389f9650, ftCreationTime.dwHighDateTime=0x1d5db7f, ftLastAccessTime.dwLowDateTime=0xa5b8a680, ftLastAccessTime.dwHighDateTime=0x1d5e013, ftLastWriteTime.dwLowDateTime=0xa5b8a680, ftLastWriteTime.dwHighDateTime=0x1d5e013, nFileSizeHigh=0x0, nFileSizeLow=0xbe12, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="FM9lgZyGvaxn0VzUJDMT.gif", cAlternateFileName="FM9LGZ~1.GIF")) returned 1 [0141.849] lstrcmpiW (lpString1="FM9lgZyGvaxn0VzUJDMT.gif", lpString2="Windows") returned -1 [0141.849] lstrcmpiW (lpString1="FM9lgZyGvaxn0VzUJDMT.gif", lpString2="Program Files") returned -1 [0141.849] lstrcmpiW (lpString1="FM9lgZyGvaxn0VzUJDMT.gif", lpString2="Program Files (x86)") returned -1 [0141.849] lstrcmpiW (lpString1="FM9lgZyGvaxn0VzUJDMT.gif", lpString2="$Recycle.bin") returned 1 [0141.849] lstrcmpiW (lpString1="FM9lgZyGvaxn0VzUJDMT.gif", lpString2="System Volume Information") returned -1 [0141.849] lstrcmpiW (lpString1="FM9lgZyGvaxn0VzUJDMT.gif", lpString2=".") returned 1 [0141.849] lstrcmpiW (lpString1="FM9lgZyGvaxn0VzUJDMT.gif", lpString2="..") returned 1 [0141.850] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\FM9lgZyGvaxn0VzUJDMT.gif") returned 74 [0141.850] lstrcmpW (lpString1="FM9lgZyGvaxn0VzUJDMT.gif", lpString2="PUSSY.TXT") returned -1 [0141.850] PathFindExtensionW (pszPath="FM9lgZyGvaxn0VzUJDMT.gif") returned=".gif" [0141.850] lstrlenW (lpString=".gif") returned 4 [0141.850] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0141.850] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\FM9lgZyGvaxn0VzUJDMT.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\fm9lgzygvaxn0vzujdmt.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0141.850] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=48658) returned 1 [0141.850] GetProcessHeap () returned 0x4c0000 [0141.850] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0141.859] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="4D") returned 2 [0141.859] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="B5") returned 2 [0141.859] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="EB") returned 2 [0141.859] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="2F") returned 2 [0141.859] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="44") returned 2 [0141.859] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="50") returned 2 [0141.859] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="B6") returned 2 [0141.859] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="72") returned 2 [0141.859] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="BA") returned 2 [0141.859] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="2E") returned 2 [0141.859] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="C8") returned 2 [0141.859] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="99") returned 2 [0141.859] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="F3") returned 2 [0141.859] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="58") returned 2 [0141.859] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="74") returned 2 [0141.859] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="04") returned 2 [0141.859] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="86") returned 2 [0141.859] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="51") returned 2 [0141.859] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="E2") returned 2 [0141.859] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="A7") returned 2 [0141.859] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="FF") returned 2 [0141.859] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="DA") returned 2 [0141.860] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="C2") returned 2 [0141.860] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="4B") returned 2 [0141.860] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="A6") returned 2 [0141.860] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="2C") returned 2 [0141.860] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="BE") returned 2 [0141.860] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="BF") returned 2 [0141.860] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="0B") returned 2 [0141.860] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="04") returned 2 [0141.860] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="87") returned 2 [0141.860] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="27") returned 2 [0141.869] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\FM9lgZyGvaxn0VzUJDMT.gif" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\FM9lgZyGvaxn0VzUJDMT.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\FM9lgZyGvaxn0VzUJDMT.gif" [0141.869] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\FM9lgZyGvaxn0VzUJDMT.gif" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\FM9lgZyGvaxn0VzUJDMT.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\FM9lgZyGvaxn0VzUJDMT.gif" [0141.869] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\FM9lgZyGvaxn0VzUJDMT.gif", lpString2=".4DB5EB2F4450B672BA2EC899F35874048651E2A7FFDAC24BA62CBEBF0B048727" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\FM9lgZyGvaxn0VzUJDMT.gif.4DB5EB2F4450B672BA2EC899F35874048651E2A7FFDAC24BA62CBEBF0B048727") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\FM9lgZyGvaxn0VzUJDMT.gif.4DB5EB2F4450B672BA2EC899F35874048651E2A7FFDAC24BA62CBEBF0B048727" [0141.869] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0141.869] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0141.902] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8bd67720, ftCreationTime.dwHighDateTime=0x1d5d84c, ftLastAccessTime.dwLowDateTime=0x3c54e670, ftLastAccessTime.dwHighDateTime=0x1d5d96c, ftLastWriteTime.dwLowDateTime=0x3c54e670, ftLastWriteTime.dwHighDateTime=0x1d5d96c, nFileSizeHigh=0x0, nFileSizeLow=0x17fec, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="hKK1UUtbMRFhy.mp3", cAlternateFileName="HKK1UU~1.MP3")) returned 1 [0141.902] lstrcmpiW (lpString1="hKK1UUtbMRFhy.mp3", lpString2="Windows") returned -1 [0141.902] lstrcmpiW (lpString1="hKK1UUtbMRFhy.mp3", lpString2="Program Files") returned -1 [0141.902] lstrcmpiW (lpString1="hKK1UUtbMRFhy.mp3", lpString2="Program Files (x86)") returned -1 [0141.902] lstrcmpiW (lpString1="hKK1UUtbMRFhy.mp3", lpString2="$Recycle.bin") returned 1 [0141.902] lstrcmpiW (lpString1="hKK1UUtbMRFhy.mp3", lpString2="System Volume Information") returned -1 [0141.902] lstrcmpiW (lpString1="hKK1UUtbMRFhy.mp3", lpString2=".") returned 1 [0141.902] lstrcmpiW (lpString1="hKK1UUtbMRFhy.mp3", lpString2="..") returned 1 [0141.902] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\hKK1UUtbMRFhy.mp3") returned 67 [0141.902] lstrcmpW (lpString1="hKK1UUtbMRFhy.mp3", lpString2="PUSSY.TXT") returned -1 [0141.902] PathFindExtensionW (pszPath="hKK1UUtbMRFhy.mp3") returned=".mp3" [0141.902] lstrlenW (lpString=".mp3") returned 4 [0141.902] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0141.902] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\hKK1UUtbMRFhy.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\hkk1uutbmrfhy.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0141.903] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=98284) returned 1 [0141.903] GetProcessHeap () returned 0x4c0000 [0141.903] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0141.913] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="C8") returned 2 [0141.913] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="2E") returned 2 [0141.913] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="3E") returned 2 [0141.913] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="CB") returned 2 [0141.913] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="2E") returned 2 [0141.913] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="CF") returned 2 [0141.913] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="59") returned 2 [0141.913] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="BF") returned 2 [0141.913] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="7E") returned 2 [0141.913] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="9D") returned 2 [0141.913] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="CF") returned 2 [0141.913] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="07") returned 2 [0141.913] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="8A") returned 2 [0141.913] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="91") returned 2 [0141.913] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="36") returned 2 [0141.913] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="87") returned 2 [0141.913] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="01") returned 2 [0141.913] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="59") returned 2 [0141.913] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="18") returned 2 [0141.913] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="0F") returned 2 [0141.913] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="3D") returned 2 [0141.913] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="C2") returned 2 [0141.913] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="71") returned 2 [0141.913] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="1E") returned 2 [0141.913] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="FE") returned 2 [0141.913] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="9D") returned 2 [0141.913] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="A4") returned 2 [0141.914] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="F7") returned 2 [0141.914] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="03") returned 2 [0141.914] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="7C") returned 2 [0141.914] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="0A") returned 2 [0141.914] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="55") returned 2 [0141.923] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\hKK1UUtbMRFhy.mp3" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\hKK1UUtbMRFhy.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\hKK1UUtbMRFhy.mp3" [0141.923] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\hKK1UUtbMRFhy.mp3" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\hKK1UUtbMRFhy.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\hKK1UUtbMRFhy.mp3" [0141.923] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\hKK1UUtbMRFhy.mp3", lpString2=".C82E3ECB2ECF59BF7E9DCF078A9136870159180F3DC2711EFE9DA4F7037C0A55" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\hKK1UUtbMRFhy.mp3.C82E3ECB2ECF59BF7E9DCF078A9136870159180F3DC2711EFE9DA4F7037C0A55") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\hKK1UUtbMRFhy.mp3.C82E3ECB2ECF59BF7E9DCF078A9136870159180F3DC2711EFE9DA4F7037C0A55" [0141.923] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0141.923] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0141.959] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe14be270, ftCreationTime.dwHighDateTime=0x1d5e5d1, ftLastAccessTime.dwLowDateTime=0xacb4f080, ftLastAccessTime.dwHighDateTime=0x1d5dcdd, ftLastWriteTime.dwLowDateTime=0xacb4f080, ftLastWriteTime.dwHighDateTime=0x1d5dcdd, nFileSizeHigh=0x0, nFileSizeLow=0x202f, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="h_YDWgh6.xls", cAlternateFileName="")) returned 1 [0141.959] lstrcmpiW (lpString1="h_YDWgh6.xls", lpString2="Windows") returned -1 [0141.959] lstrcmpiW (lpString1="h_YDWgh6.xls", lpString2="Program Files") returned -1 [0141.959] lstrcmpiW (lpString1="h_YDWgh6.xls", lpString2="Program Files (x86)") returned -1 [0141.959] lstrcmpiW (lpString1="h_YDWgh6.xls", lpString2="$Recycle.bin") returned 1 [0141.959] lstrcmpiW (lpString1="h_YDWgh6.xls", lpString2="System Volume Information") returned -1 [0141.959] lstrcmpiW (lpString1="h_YDWgh6.xls", lpString2=".") returned 1 [0141.959] lstrcmpiW (lpString1="h_YDWgh6.xls", lpString2="..") returned 1 [0141.959] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\h_YDWgh6.xls") returned 62 [0141.959] lstrcmpW (lpString1="h_YDWgh6.xls", lpString2="PUSSY.TXT") returned -1 [0141.959] PathFindExtensionW (pszPath="h_YDWgh6.xls") returned=".xls" [0141.959] lstrlenW (lpString=".xls") returned 4 [0141.959] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0141.959] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\h_YDWgh6.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\h_ydwgh6.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0141.960] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=8239) returned 1 [0141.960] GetProcessHeap () returned 0x4c0000 [0141.960] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0141.969] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="AD") returned 2 [0141.969] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="42") returned 2 [0141.969] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="E9") returned 2 [0141.969] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="08") returned 2 [0141.970] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="77") returned 2 [0141.970] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="D2") returned 2 [0141.970] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="5A") returned 2 [0141.970] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="EC") returned 2 [0141.970] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="36") returned 2 [0141.970] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="FB") returned 2 [0141.970] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="F8") returned 2 [0141.970] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="00") returned 2 [0141.970] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="A0") returned 2 [0141.970] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="90") returned 2 [0141.970] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="10") returned 2 [0141.970] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="60") returned 2 [0141.970] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="91") returned 2 [0141.970] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="74") returned 2 [0141.970] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="7E") returned 2 [0141.970] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="AF") returned 2 [0141.970] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="FD") returned 2 [0141.970] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="1A") returned 2 [0141.970] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="D2") returned 2 [0141.970] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="FF") returned 2 [0141.970] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="31") returned 2 [0141.970] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="39") returned 2 [0141.970] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="BB") returned 2 [0141.970] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="2C") returned 2 [0141.970] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="A2") returned 2 [0141.970] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="FD") returned 2 [0141.970] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="0A") returned 2 [0141.970] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="11") returned 2 [0141.984] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\h_YDWgh6.xls" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\h_YDWgh6.xls") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\h_YDWgh6.xls" [0141.985] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\h_YDWgh6.xls" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\h_YDWgh6.xls") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\h_YDWgh6.xls" [0141.985] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\h_YDWgh6.xls", lpString2=".AD42E90877D25AEC36FBF800A090106091747EAFFD1AD2FF3139BB2CA2FD0A11" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\h_YDWgh6.xls.AD42E90877D25AEC36FBF800A090106091747EAFFD1AD2FF3139BB2CA2FD0A11") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\h_YDWgh6.xls.AD42E90877D25AEC36FBF800A090106091747EAFFD1AD2FF3139BB2CA2FD0A11" [0141.985] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0141.985] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0141.997] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="Identities", cAlternateFileName="IDENTI~1")) returned 1 [0141.997] lstrcmpiW (lpString1="Identities", lpString2="Windows") returned -1 [0141.997] lstrcmpiW (lpString1="Identities", lpString2="Program Files") returned -1 [0141.997] lstrcmpiW (lpString1="Identities", lpString2="Program Files (x86)") returned -1 [0141.997] lstrcmpiW (lpString1="Identities", lpString2="$Recycle.bin") returned 1 [0141.997] lstrcmpiW (lpString1="Identities", lpString2="System Volume Information") returned -1 [0141.997] lstrcmpiW (lpString1="Identities", lpString2=".") returned 1 [0141.997] lstrcmpiW (lpString1="Identities", lpString2="..") returned 1 [0141.997] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities") returned 60 [0141.997] GetProcessHeap () returned 0x4c0000 [0141.997] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0141.998] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities" [0141.998] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\*" [0141.998] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0141.999] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0141.999] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0141.999] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0141.999] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0141.999] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0141.999] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0141.999] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0141.999] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0141.999] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0141.999] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0141.999] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0141.999] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0141.999] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0141.999] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0141.999] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="{31810C36-5D23-4CCE-A3B4-316DED195C38}", cAlternateFileName="{31810~1")) returned 1 [0141.999] lstrcmpiW (lpString1="{31810C36-5D23-4CCE-A3B4-316DED195C38}", lpString2="Windows") returned -1 [0142.000] lstrcmpiW (lpString1="{31810C36-5D23-4CCE-A3B4-316DED195C38}", lpString2="Program Files") returned -1 [0142.000] lstrcmpiW (lpString1="{31810C36-5D23-4CCE-A3B4-316DED195C38}", lpString2="Program Files (x86)") returned -1 [0142.000] lstrcmpiW (lpString1="{31810C36-5D23-4CCE-A3B4-316DED195C38}", lpString2="$Recycle.bin") returned 1 [0142.000] lstrcmpiW (lpString1="{31810C36-5D23-4CCE-A3B4-316DED195C38}", lpString2="System Volume Information") returned -1 [0142.000] lstrcmpiW (lpString1="{31810C36-5D23-4CCE-A3B4-316DED195C38}", lpString2=".") returned 1 [0142.000] lstrcmpiW (lpString1="{31810C36-5D23-4CCE-A3B4-316DED195C38}", lpString2="..") returned 1 [0142.000] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}") returned 99 [0142.000] GetProcessHeap () returned 0x4c0000 [0142.000] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0142.001] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}" [0142.001] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\*" [0142.001] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0142.001] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0142.001] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0142.001] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0142.001] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0142.001] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0142.001] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0142.001] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0142.002] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0142.002] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0142.002] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0142.002] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0142.002] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0142.002] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0142.002] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0142.002] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0142.002] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0142.002] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\PUSSY.TXT") returned 109 [0142.002] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\identities\\{31810c36-5d23-4cce-a3b4-316ded195c38}\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0142.003] lstrlenA (lpString="abcd") returned 4 [0142.003] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0142.004] CloseHandle (hObject=0x1d0) returned 1 [0142.004] GetProcessHeap () returned 0x4c0000 [0142.004] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0142.004] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="{31810C36-5D23-4CCE-A3B4-316DED195C38}", cAlternateFileName="{31810~1")) returned 0 [0142.004] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0142.005] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\PUSSY.TXT") returned 70 [0142.005] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\identities\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0142.005] lstrlenA (lpString="abcd") returned 4 [0142.005] WriteFile (in: hFile=0x1b8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0142.006] CloseHandle (hObject=0x1b8) returned 1 [0142.006] GetProcessHeap () returned 0x4c0000 [0142.006] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0142.008] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcc2196c0, ftCreationTime.dwHighDateTime=0x1d5dec3, ftLastAccessTime.dwLowDateTime=0x29888220, ftLastAccessTime.dwHighDateTime=0x1d5dc89, ftLastWriteTime.dwLowDateTime=0x29888220, ftLastWriteTime.dwHighDateTime=0x1d5dc89, nFileSizeHigh=0x0, nFileSizeLow=0x1c24, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="J5L_SG5VSuJSQb.mp3", cAlternateFileName="J5L_SG~1.MP3")) returned 1 [0142.008] lstrcmpiW (lpString1="J5L_SG5VSuJSQb.mp3", lpString2="Windows") returned -1 [0142.008] lstrcmpiW (lpString1="J5L_SG5VSuJSQb.mp3", lpString2="Program Files") returned -1 [0142.008] lstrcmpiW (lpString1="J5L_SG5VSuJSQb.mp3", lpString2="Program Files (x86)") returned -1 [0142.009] lstrcmpiW (lpString1="J5L_SG5VSuJSQb.mp3", lpString2="$Recycle.bin") returned 1 [0142.009] lstrcmpiW (lpString1="J5L_SG5VSuJSQb.mp3", lpString2="System Volume Information") returned -1 [0142.009] lstrcmpiW (lpString1="J5L_SG5VSuJSQb.mp3", lpString2=".") returned 1 [0142.009] lstrcmpiW (lpString1="J5L_SG5VSuJSQb.mp3", lpString2="..") returned 1 [0142.009] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\J5L_SG5VSuJSQb.mp3") returned 68 [0142.009] lstrcmpW (lpString1="J5L_SG5VSuJSQb.mp3", lpString2="PUSSY.TXT") returned -1 [0142.009] PathFindExtensionW (pszPath="J5L_SG5VSuJSQb.mp3") returned=".mp3" [0142.009] lstrlenW (lpString=".mp3") returned 4 [0142.009] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0142.009] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\J5L_SG5VSuJSQb.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\j5l_sg5vsujsqb.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0142.010] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=7204) returned 1 [0142.010] GetProcessHeap () returned 0x4c0000 [0142.010] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0142.026] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="AE") returned 2 [0142.026] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="70") returned 2 [0142.027] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="ED") returned 2 [0142.027] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="8B") returned 2 [0142.027] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="45") returned 2 [0142.027] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="6A") returned 2 [0142.027] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="C4") returned 2 [0142.027] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="32") returned 2 [0142.027] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="9A") returned 2 [0142.027] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="F0") returned 2 [0142.027] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="F4") returned 2 [0142.027] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="46") returned 2 [0142.027] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="47") returned 2 [0142.027] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="BE") returned 2 [0142.027] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="CD") returned 2 [0142.027] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="D6") returned 2 [0142.027] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="B5") returned 2 [0142.027] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="D6") returned 2 [0142.027] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="C5") returned 2 [0142.027] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="DA") returned 2 [0142.027] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="7A") returned 2 [0142.027] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="5F") returned 2 [0142.027] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="6F") returned 2 [0142.027] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="A7") returned 2 [0142.027] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="6A") returned 2 [0142.027] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="1D") returned 2 [0142.027] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="24") returned 2 [0142.027] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="5A") returned 2 [0142.028] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="F0") returned 2 [0142.028] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="43") returned 2 [0142.028] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="60") returned 2 [0142.028] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="7E") returned 2 [0142.042] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\J5L_SG5VSuJSQb.mp3" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\J5L_SG5VSuJSQb.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\J5L_SG5VSuJSQb.mp3" [0142.042] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\J5L_SG5VSuJSQb.mp3" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\J5L_SG5VSuJSQb.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\J5L_SG5VSuJSQb.mp3" [0142.042] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\J5L_SG5VSuJSQb.mp3", lpString2=".AE70ED8B456AC4329AF0F44647BECDD6B5D6C5DA7A5F6FA76A1D245AF043607E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\J5L_SG5VSuJSQb.mp3.AE70ED8B456AC4329AF0F44647BECDD6B5D6C5DA7A5F6FA76A1D245AF043607E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\J5L_SG5VSuJSQb.mp3.AE70ED8B456AC4329AF0F44647BECDD6B5D6C5DA7A5F6FA76A1D245AF043607E" [0142.042] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0142.042] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0142.059] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3793d7a0, ftCreationTime.dwHighDateTime=0x1d5e4bf, ftLastAccessTime.dwLowDateTime=0x2e58bd10, ftLastAccessTime.dwHighDateTime=0x1d5e4c7, ftLastWriteTime.dwLowDateTime=0x2e58bd10, ftLastWriteTime.dwHighDateTime=0x1d5e4c7, nFileSizeHigh=0x0, nFileSizeLow=0x165a5, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="kBXqRBAEu.mp4", cAlternateFileName="KBXQRB~1.MP4")) returned 1 [0142.059] lstrcmpiW (lpString1="kBXqRBAEu.mp4", lpString2="Windows") returned -1 [0142.059] lstrcmpiW (lpString1="kBXqRBAEu.mp4", lpString2="Program Files") returned -1 [0142.059] lstrcmpiW (lpString1="kBXqRBAEu.mp4", lpString2="Program Files (x86)") returned -1 [0142.059] lstrcmpiW (lpString1="kBXqRBAEu.mp4", lpString2="$Recycle.bin") returned 1 [0142.059] lstrcmpiW (lpString1="kBXqRBAEu.mp4", lpString2="System Volume Information") returned -1 [0142.060] lstrcmpiW (lpString1="kBXqRBAEu.mp4", lpString2=".") returned 1 [0142.060] lstrcmpiW (lpString1="kBXqRBAEu.mp4", lpString2="..") returned 1 [0142.060] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kBXqRBAEu.mp4") returned 63 [0142.060] lstrcmpW (lpString1="kBXqRBAEu.mp4", lpString2="PUSSY.TXT") returned -1 [0142.060] PathFindExtensionW (pszPath="kBXqRBAEu.mp4") returned=".mp4" [0142.060] lstrlenW (lpString=".mp4") returned 4 [0142.060] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0142.060] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kBXqRBAEu.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\kbxqrbaeu.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0142.061] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=91557) returned 1 [0142.061] GetProcessHeap () returned 0x4c0000 [0142.061] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0142.075] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="10") returned 2 [0142.076] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="41") returned 2 [0142.076] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="E7") returned 2 [0142.076] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="93") returned 2 [0142.076] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="87") returned 2 [0142.076] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="5B") returned 2 [0142.076] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="52") returned 2 [0142.076] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="FF") returned 2 [0142.076] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="08") returned 2 [0142.076] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="18") returned 2 [0142.076] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="9B") returned 2 [0142.076] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="E1") returned 2 [0142.076] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="8A") returned 2 [0142.076] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="AC") returned 2 [0142.076] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="F8") returned 2 [0142.076] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="28") returned 2 [0142.076] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="FB") returned 2 [0142.076] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="DC") returned 2 [0142.076] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="39") returned 2 [0142.076] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="62") returned 2 [0142.076] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="AD") returned 2 [0142.077] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="10") returned 2 [0142.077] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="48") returned 2 [0142.077] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="1C") returned 2 [0142.077] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="8E") returned 2 [0142.077] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="20") returned 2 [0142.077] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="38") returned 2 [0142.077] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="F3") returned 2 [0142.077] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="C6") returned 2 [0142.077] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="5F") returned 2 [0142.077] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="0F") returned 2 [0142.077] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="32") returned 2 [0142.092] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kBXqRBAEu.mp4" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kBXqRBAEu.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kBXqRBAEu.mp4" [0142.092] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kBXqRBAEu.mp4" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kBXqRBAEu.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kBXqRBAEu.mp4" [0142.092] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kBXqRBAEu.mp4", lpString2=".1041E793875B52FF08189BE18AACF828FBDC3962AD10481C8E2038F3C65F0F32" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kBXqRBAEu.mp4.1041E793875B52FF08189BE18AACF828FBDC3962AD10481C8E2038F3C65F0F32") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kBXqRBAEu.mp4.1041E793875B52FF08189BE18AACF828FBDC3962AD10481C8E2038F3C65F0F32" [0142.092] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0142.092] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0142.140] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x148abd10, ftCreationTime.dwHighDateTime=0x1d5d88e, ftLastAccessTime.dwLowDateTime=0xb63a4430, ftLastAccessTime.dwHighDateTime=0x1d5da48, ftLastWriteTime.dwLowDateTime=0xb63a4430, ftLastWriteTime.dwHighDateTime=0x1d5da48, nFileSizeHigh=0x0, nFileSizeLow=0xaa9e, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="kVn3FL-ALv.wav", cAlternateFileName="KVN3FL~1.WAV")) returned 1 [0142.140] lstrcmpiW (lpString1="kVn3FL-ALv.wav", lpString2="Windows") returned -1 [0142.140] lstrcmpiW (lpString1="kVn3FL-ALv.wav", lpString2="Program Files") returned -1 [0142.140] lstrcmpiW (lpString1="kVn3FL-ALv.wav", lpString2="Program Files (x86)") returned -1 [0142.140] lstrcmpiW (lpString1="kVn3FL-ALv.wav", lpString2="$Recycle.bin") returned 1 [0142.140] lstrcmpiW (lpString1="kVn3FL-ALv.wav", lpString2="System Volume Information") returned -1 [0142.140] lstrcmpiW (lpString1="kVn3FL-ALv.wav", lpString2=".") returned 1 [0142.140] lstrcmpiW (lpString1="kVn3FL-ALv.wav", lpString2="..") returned 1 [0142.140] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kVn3FL-ALv.wav") returned 64 [0142.140] lstrcmpW (lpString1="kVn3FL-ALv.wav", lpString2="PUSSY.TXT") returned -1 [0142.140] PathFindExtensionW (pszPath="kVn3FL-ALv.wav") returned=".wav" [0142.140] lstrlenW (lpString=".wav") returned 4 [0142.140] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0142.140] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kVn3FL-ALv.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\kvn3fl-alv.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0142.141] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=43678) returned 1 [0142.141] GetProcessHeap () returned 0x4c0000 [0142.141] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0142.153] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="1B") returned 2 [0142.154] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="E0") returned 2 [0142.154] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="B9") returned 2 [0142.154] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="AD") returned 2 [0142.154] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="DB") returned 2 [0142.154] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="20") returned 2 [0142.154] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="25") returned 2 [0142.154] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="18") returned 2 [0142.154] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="03") returned 2 [0142.154] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="2D") returned 2 [0142.154] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="85") returned 2 [0142.154] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="A4") returned 2 [0142.154] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="8B") returned 2 [0142.154] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="60") returned 2 [0142.154] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="F5") returned 2 [0142.154] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="31") returned 2 [0142.154] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="51") returned 2 [0142.154] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="FF") returned 2 [0142.154] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="E8") returned 2 [0142.154] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="45") returned 2 [0142.154] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="03") returned 2 [0142.154] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="1C") returned 2 [0142.154] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="E9") returned 2 [0142.154] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="86") returned 2 [0142.154] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="41") returned 2 [0142.154] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="F4") returned 2 [0142.154] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="3A") returned 2 [0142.155] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="80") returned 2 [0142.155] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="7A") returned 2 [0142.155] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="70") returned 2 [0142.155] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="EE") returned 2 [0142.155] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="33") returned 2 [0142.170] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kVn3FL-ALv.wav" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kVn3FL-ALv.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kVn3FL-ALv.wav" [0142.170] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kVn3FL-ALv.wav" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kVn3FL-ALv.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kVn3FL-ALv.wav" [0142.170] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kVn3FL-ALv.wav", lpString2=".1BE0B9ADDB202518032D85A48B60F53151FFE845031CE98641F43A807A70EE33" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kVn3FL-ALv.wav.1BE0B9ADDB202518032D85A48B60F53151FFE845031CE98641F43A807A70EE33") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kVn3FL-ALv.wav.1BE0B9ADDB202518032D85A48B60F53151FFE845031CE98641F43A807A70EE33" [0142.170] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0142.170] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0142.201] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x117035c0, ftCreationTime.dwHighDateTime=0x1d5e828, ftLastAccessTime.dwLowDateTime=0x1d059260, ftLastAccessTime.dwHighDateTime=0x1d5dc4b, ftLastWriteTime.dwLowDateTime=0x1d059260, ftLastWriteTime.dwHighDateTime=0x1d5dc4b, nFileSizeHigh=0x0, nFileSizeLow=0xc5f2, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="LNRc00f10XCfd0x9.jpg", cAlternateFileName="LNRC00~1.JPG")) returned 1 [0142.201] lstrcmpiW (lpString1="LNRc00f10XCfd0x9.jpg", lpString2="Windows") returned -1 [0142.201] lstrcmpiW (lpString1="LNRc00f10XCfd0x9.jpg", lpString2="Program Files") returned -1 [0142.201] lstrcmpiW (lpString1="LNRc00f10XCfd0x9.jpg", lpString2="Program Files (x86)") returned -1 [0142.201] lstrcmpiW (lpString1="LNRc00f10XCfd0x9.jpg", lpString2="$Recycle.bin") returned 1 [0142.201] lstrcmpiW (lpString1="LNRc00f10XCfd0x9.jpg", lpString2="System Volume Information") returned -1 [0142.201] lstrcmpiW (lpString1="LNRc00f10XCfd0x9.jpg", lpString2=".") returned 1 [0142.201] lstrcmpiW (lpString1="LNRc00f10XCfd0x9.jpg", lpString2="..") returned 1 [0142.201] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\LNRc00f10XCfd0x9.jpg") returned 70 [0142.204] lstrcmpW (lpString1="LNRc00f10XCfd0x9.jpg", lpString2="PUSSY.TXT") returned -1 [0142.204] PathFindExtensionW (pszPath="LNRc00f10XCfd0x9.jpg") returned=".jpg" [0142.204] lstrlenW (lpString=".jpg") returned 4 [0142.204] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0142.204] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\LNRc00f10XCfd0x9.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\lnrc00f10xcfd0x9.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0142.205] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=50674) returned 1 [0142.205] GetProcessHeap () returned 0x4c0000 [0142.205] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0142.213] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="8F") returned 2 [0142.213] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="DA") returned 2 [0142.213] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="F4") returned 2 [0142.213] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="DB") returned 2 [0142.213] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="DD") returned 2 [0142.213] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="B6") returned 2 [0142.213] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="EB") returned 2 [0142.213] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="23") returned 2 [0142.214] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="05") returned 2 [0142.214] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="87") returned 2 [0142.214] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="D4") returned 2 [0142.214] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="6E") returned 2 [0142.214] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="0D") returned 2 [0142.214] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="C3") returned 2 [0142.214] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="A9") returned 2 [0142.214] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="BF") returned 2 [0142.214] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="66") returned 2 [0142.214] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="64") returned 2 [0142.214] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="C5") returned 2 [0142.214] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="D9") returned 2 [0142.214] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="C0") returned 2 [0142.214] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="78") returned 2 [0142.214] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="78") returned 2 [0142.214] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="02") returned 2 [0142.214] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="4F") returned 2 [0142.214] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="DD") returned 2 [0142.214] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="34") returned 2 [0142.214] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="2C") returned 2 [0142.214] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="4C") returned 2 [0142.214] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="8A") returned 2 [0142.214] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="A6") returned 2 [0142.214] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="51") returned 2 [0142.222] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\LNRc00f10XCfd0x9.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\LNRc00f10XCfd0x9.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\LNRc00f10XCfd0x9.jpg" [0142.222] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\LNRc00f10XCfd0x9.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\LNRc00f10XCfd0x9.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\LNRc00f10XCfd0x9.jpg" [0142.222] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\LNRc00f10XCfd0x9.jpg", lpString2=".8FDAF4DBDDB6EB230587D46E0DC3A9BF6664C5D9C07878024FDD342C4C8AA651" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\LNRc00f10XCfd0x9.jpg.8FDAF4DBDDB6EB230587D46E0DC3A9BF6664C5D9C07878024FDD342C4C8AA651") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\LNRc00f10XCfd0x9.jpg.8FDAF4DBDDB6EB230587D46E0DC3A9BF6664C5D9C07878024FDD342C4C8AA651" [0142.222] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0142.222] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0142.257] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9a6bb3e0, ftCreationTime.dwHighDateTime=0x1d5e3f5, ftLastAccessTime.dwLowDateTime=0xe0996470, ftLastAccessTime.dwHighDateTime=0x1d5da22, ftLastWriteTime.dwLowDateTime=0xe0996470, ftLastWriteTime.dwHighDateTime=0x1d5da22, nFileSizeHigh=0x0, nFileSizeLow=0xf21a, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="lSxsrJmkVT068pT.flv", cAlternateFileName="LSXSRJ~1.FLV")) returned 1 [0142.257] lstrcmpiW (lpString1="lSxsrJmkVT068pT.flv", lpString2="Windows") returned -1 [0142.257] lstrcmpiW (lpString1="lSxsrJmkVT068pT.flv", lpString2="Program Files") returned -1 [0142.257] lstrcmpiW (lpString1="lSxsrJmkVT068pT.flv", lpString2="Program Files (x86)") returned -1 [0142.257] lstrcmpiW (lpString1="lSxsrJmkVT068pT.flv", lpString2="$Recycle.bin") returned 1 [0142.257] lstrcmpiW (lpString1="lSxsrJmkVT068pT.flv", lpString2="System Volume Information") returned -1 [0142.257] lstrcmpiW (lpString1="lSxsrJmkVT068pT.flv", lpString2=".") returned 1 [0142.257] lstrcmpiW (lpString1="lSxsrJmkVT068pT.flv", lpString2="..") returned 1 [0142.257] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\lSxsrJmkVT068pT.flv") returned 69 [0142.257] lstrcmpW (lpString1="lSxsrJmkVT068pT.flv", lpString2="PUSSY.TXT") returned -1 [0142.257] PathFindExtensionW (pszPath="lSxsrJmkVT068pT.flv") returned=".flv" [0142.257] lstrlenW (lpString=".flv") returned 4 [0142.257] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0142.257] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\lSxsrJmkVT068pT.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\lsxsrjmkvt068pt.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0142.258] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=61978) returned 1 [0142.258] GetProcessHeap () returned 0x4c0000 [0142.258] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0142.266] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="2D") returned 2 [0142.266] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="A6") returned 2 [0142.266] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="A1") returned 2 [0142.266] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="A5") returned 2 [0142.266] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="F3") returned 2 [0142.266] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="16") returned 2 [0142.267] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="A1") returned 2 [0142.267] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="FE") returned 2 [0142.267] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="99") returned 2 [0142.267] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="CA") returned 2 [0142.267] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="A5") returned 2 [0142.267] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="48") returned 2 [0142.267] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="1C") returned 2 [0142.267] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="B8") returned 2 [0142.267] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="48") returned 2 [0142.267] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="B1") returned 2 [0142.267] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="DA") returned 2 [0142.267] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="9E") returned 2 [0142.267] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="D2") returned 2 [0142.267] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="05") returned 2 [0142.267] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="D9") returned 2 [0142.267] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="DC") returned 2 [0142.267] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="1A") returned 2 [0142.267] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="51") returned 2 [0142.267] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="AA") returned 2 [0142.267] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="C6") returned 2 [0142.267] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="4B") returned 2 [0142.267] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="34") returned 2 [0142.267] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="1E") returned 2 [0142.267] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="79") returned 2 [0142.267] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="A8") returned 2 [0142.267] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="5F") returned 2 [0142.275] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\lSxsrJmkVT068pT.flv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\lSxsrJmkVT068pT.flv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\lSxsrJmkVT068pT.flv" [0142.276] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\lSxsrJmkVT068pT.flv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\lSxsrJmkVT068pT.flv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\lSxsrJmkVT068pT.flv" [0142.276] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\lSxsrJmkVT068pT.flv", lpString2=".2DA6A1A5F316A1FE99CAA5481CB848B1DA9ED205D9DC1A51AAC64B341E79A85F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\lSxsrJmkVT068pT.flv.2DA6A1A5F316A1FE99CAA5481CB848B1DA9ED205D9DC1A51AAC64B341E79A85F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\lSxsrJmkVT068pT.flv.2DA6A1A5F316A1FE99CAA5481CB848B1DA9ED205D9DC1A51AAC64B341E79A85F" [0142.276] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0142.276] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0142.312] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6b695060, ftCreationTime.dwHighDateTime=0x1d2dda5, ftLastAccessTime.dwLowDateTime=0x6b695060, ftLastAccessTime.dwHighDateTime=0x1d2dda5, ftLastWriteTime.dwLowDateTime=0x6b695060, ftLastWriteTime.dwHighDateTime=0x1d2dda5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="Macromedia", cAlternateFileName="MACROM~1")) returned 1 [0142.312] lstrcmpiW (lpString1="Macromedia", lpString2="Windows") returned -1 [0142.312] lstrcmpiW (lpString1="Macromedia", lpString2="Program Files") returned -1 [0142.312] lstrcmpiW (lpString1="Macromedia", lpString2="Program Files (x86)") returned -1 [0142.312] lstrcmpiW (lpString1="Macromedia", lpString2="$Recycle.bin") returned 1 [0142.312] lstrcmpiW (lpString1="Macromedia", lpString2="System Volume Information") returned -1 [0142.312] lstrcmpiW (lpString1="Macromedia", lpString2=".") returned 1 [0142.312] lstrcmpiW (lpString1="Macromedia", lpString2="..") returned 1 [0142.312] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia") returned 60 [0142.312] GetProcessHeap () returned 0x4c0000 [0142.312] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0142.313] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia" [0142.313] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\*" [0142.313] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6b695060, ftCreationTime.dwHighDateTime=0x1d2dda5, ftLastAccessTime.dwLowDateTime=0x6b695060, ftLastAccessTime.dwHighDateTime=0x1d2dda5, ftLastWriteTime.dwLowDateTime=0x6b695060, ftLastWriteTime.dwHighDateTime=0x1d2dda5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0142.314] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0142.314] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0142.314] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0142.314] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0142.314] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0142.314] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0142.314] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6b695060, ftCreationTime.dwHighDateTime=0x1d2dda5, ftLastAccessTime.dwLowDateTime=0x6b695060, ftLastAccessTime.dwHighDateTime=0x1d2dda5, ftLastWriteTime.dwLowDateTime=0x6b695060, ftLastWriteTime.dwHighDateTime=0x1d2dda5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0142.314] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0142.314] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0142.314] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0142.314] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0142.314] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0142.314] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0142.314] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0142.314] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6b695060, ftCreationTime.dwHighDateTime=0x1d2dda5, ftLastAccessTime.dwLowDateTime=0x1d4582b0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d4582b0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Flash Player", cAlternateFileName="FLASHP~1")) returned 1 [0142.314] lstrcmpiW (lpString1="Flash Player", lpString2="Windows") returned -1 [0142.314] lstrcmpiW (lpString1="Flash Player", lpString2="Program Files") returned -1 [0142.314] lstrcmpiW (lpString1="Flash Player", lpString2="Program Files (x86)") returned -1 [0142.314] lstrcmpiW (lpString1="Flash Player", lpString2="$Recycle.bin") returned 1 [0142.314] lstrcmpiW (lpString1="Flash Player", lpString2="System Volume Information") returned -1 [0142.314] lstrcmpiW (lpString1="Flash Player", lpString2=".") returned 1 [0142.314] lstrcmpiW (lpString1="Flash Player", lpString2="..") returned 1 [0142.314] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player") returned 73 [0142.314] GetProcessHeap () returned 0x4c0000 [0142.315] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0142.315] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player" [0142.315] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\*" [0142.315] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6b695060, ftCreationTime.dwHighDateTime=0x1d2dda5, ftLastAccessTime.dwLowDateTime=0x1d4582b0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d4582b0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0142.316] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0142.316] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0142.316] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0142.316] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0142.316] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0142.316] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0142.316] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6b695060, ftCreationTime.dwHighDateTime=0x1d2dda5, ftLastAccessTime.dwLowDateTime=0x1d4582b0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d4582b0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0142.316] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0142.316] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0142.316] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0142.316] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0142.316] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0142.316] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0142.316] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0142.316] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d4582b0, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1d4582b0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d4582b0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="#SharedObjects", cAlternateFileName="#SHARE~1")) returned 1 [0142.316] lstrcmpiW (lpString1="#SharedObjects", lpString2="Windows") returned -1 [0142.316] lstrcmpiW (lpString1="#SharedObjects", lpString2="Program Files") returned -1 [0142.316] lstrcmpiW (lpString1="#SharedObjects", lpString2="Program Files (x86)") returned -1 [0142.316] lstrcmpiW (lpString1="#SharedObjects", lpString2="$Recycle.bin") returned -1 [0142.317] lstrcmpiW (lpString1="#SharedObjects", lpString2="System Volume Information") returned -1 [0142.317] lstrcmpiW (lpString1="#SharedObjects", lpString2=".") returned -1 [0142.317] lstrcmpiW (lpString1="#SharedObjects", lpString2="..") returned -1 [0142.317] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects") returned 88 [0142.317] GetProcessHeap () returned 0x4c0000 [0142.317] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0142.317] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects" [0142.317] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\*" [0142.317] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d4582b0, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1d4582b0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d4582b0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2c3b2ad8, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0142.318] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0142.318] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0142.318] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0142.318] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0142.318] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0142.318] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0142.318] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d4582b0, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1d4582b0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d4582b0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2c3b2ad8, cFileName="..", cAlternateFileName="")) returned 1 [0142.318] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0142.318] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0142.318] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0142.318] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0142.319] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0142.319] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0142.319] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0142.319] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d4582b0, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1d4582b0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d4582b0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2c3b2ad8, cFileName="P7Y3F7QB", cAlternateFileName="")) returned 1 [0142.319] lstrcmpiW (lpString1="P7Y3F7QB", lpString2="Windows") returned -1 [0142.319] lstrcmpiW (lpString1="P7Y3F7QB", lpString2="Program Files") returned -1 [0142.319] lstrcmpiW (lpString1="P7Y3F7QB", lpString2="Program Files (x86)") returned -1 [0142.319] lstrcmpiW (lpString1="P7Y3F7QB", lpString2="$Recycle.bin") returned 1 [0142.319] lstrcmpiW (lpString1="P7Y3F7QB", lpString2="System Volume Information") returned -1 [0142.319] lstrcmpiW (lpString1="P7Y3F7QB", lpString2=".") returned 1 [0142.319] lstrcmpiW (lpString1="P7Y3F7QB", lpString2="..") returned 1 [0142.319] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\P7Y3F7QB") returned 97 [0142.319] GetProcessHeap () returned 0x4c0000 [0142.319] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0142.320] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\P7Y3F7QB" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\P7Y3F7QB") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\P7Y3F7QB" [0142.320] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\P7Y3F7QB", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\P7Y3F7QB\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\P7Y3F7QB\\*" [0142.320] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\P7Y3F7QB\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d4582b0, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1d4582b0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d4582b0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfdbd9ade, dwReserved1=0xfd4f7418, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0142.321] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0142.321] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0142.321] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0142.321] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0142.321] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0142.321] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0142.321] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d4582b0, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1d4582b0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d4582b0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfdbd9ade, dwReserved1=0xfd4f7418, cFileName="..", cAlternateFileName="")) returned 1 [0142.321] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0142.321] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0142.321] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0142.321] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0142.321] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0142.321] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0142.321] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0142.321] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d4582b0, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1d4582b0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d4582b0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfdbd9ade, dwReserved1=0xfd4f7418, cFileName="..", cAlternateFileName="")) returned 0 [0142.321] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0142.321] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\P7Y3F7QB\\PUSSY.TXT") returned 107 [0142.321] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\P7Y3F7QB\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\macromedia\\flash player\\#sharedobjects\\p7y3f7qb\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x124 [0142.322] lstrlenA (lpString="abcd") returned 4 [0142.322] WriteFile (in: hFile=0x124, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0142.323] CloseHandle (hObject=0x124) returned 1 [0142.323] GetProcessHeap () returned 0x4c0000 [0142.323] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0142.323] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d4582b0, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0x1d4582b0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d4582b0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2c3b2ad8, cFileName="P7Y3F7QB", cAlternateFileName="")) returned 0 [0142.323] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0142.325] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\PUSSY.TXT") returned 98 [0142.325] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\macromedia\\flash player\\#sharedobjects\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0142.326] lstrlenA (lpString="abcd") returned 4 [0142.326] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0142.327] CloseHandle (hObject=0x18c) returned 1 [0142.327] GetProcessHeap () returned 0x4c0000 [0142.327] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0142.327] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6b695060, ftCreationTime.dwHighDateTime=0x1d2dda5, ftLastAccessTime.dwLowDateTime=0x6d241020, ftLastAccessTime.dwHighDateTime=0x1d2dda5, ftLastWriteTime.dwLowDateTime=0x6d241020, ftLastWriteTime.dwHighDateTime=0x1d2dda5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="macromedia.com", cAlternateFileName="MACROM~1.COM")) returned 1 [0142.327] lstrcmpiW (lpString1="macromedia.com", lpString2="Windows") returned -1 [0142.327] lstrcmpiW (lpString1="macromedia.com", lpString2="Program Files") returned -1 [0142.327] lstrcmpiW (lpString1="macromedia.com", lpString2="Program Files (x86)") returned -1 [0142.327] lstrcmpiW (lpString1="macromedia.com", lpString2="$Recycle.bin") returned 1 [0142.327] lstrcmpiW (lpString1="macromedia.com", lpString2="System Volume Information") returned -1 [0142.327] lstrcmpiW (lpString1="macromedia.com", lpString2=".") returned 1 [0142.327] lstrcmpiW (lpString1="macromedia.com", lpString2="..") returned 1 [0142.327] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com") returned 88 [0142.327] GetProcessHeap () returned 0x4c0000 [0142.327] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0142.327] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com" [0142.327] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\*" [0142.327] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6b695060, ftCreationTime.dwHighDateTime=0x1d2dda5, ftLastAccessTime.dwLowDateTime=0x6d241020, ftLastAccessTime.dwHighDateTime=0x1d2dda5, ftLastWriteTime.dwLowDateTime=0x6d241020, ftLastWriteTime.dwHighDateTime=0x1d2dda5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2c3b2ad8, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0142.327] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0142.327] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0142.327] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0142.327] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0142.327] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0142.328] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0142.328] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6b695060, ftCreationTime.dwHighDateTime=0x1d2dda5, ftLastAccessTime.dwLowDateTime=0x6d241020, ftLastAccessTime.dwHighDateTime=0x1d2dda5, ftLastWriteTime.dwLowDateTime=0x6d241020, ftLastWriteTime.dwHighDateTime=0x1d2dda5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2c3b2ad8, cFileName="..", cAlternateFileName="")) returned 1 [0142.328] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0142.328] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0142.328] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0142.328] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0142.328] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0142.328] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0142.328] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0142.328] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6d241020, ftCreationTime.dwHighDateTime=0x1d2dda5, ftLastAccessTime.dwLowDateTime=0x6d9d7640, ftLastAccessTime.dwHighDateTime=0x1d2dda5, ftLastWriteTime.dwLowDateTime=0x6d9d7640, ftLastWriteTime.dwHighDateTime=0x1d2dda5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2c3b2ad8, cFileName="support", cAlternateFileName="")) returned 1 [0142.328] lstrcmpiW (lpString1="support", lpString2="Windows") returned -1 [0142.328] lstrcmpiW (lpString1="support", lpString2="Program Files") returned 1 [0142.328] lstrcmpiW (lpString1="support", lpString2="Program Files (x86)") returned 1 [0142.328] lstrcmpiW (lpString1="support", lpString2="$Recycle.bin") returned 1 [0142.328] lstrcmpiW (lpString1="support", lpString2="System Volume Information") returned -1 [0142.328] lstrcmpiW (lpString1="support", lpString2=".") returned 1 [0142.328] lstrcmpiW (lpString1="support", lpString2="..") returned 1 [0142.328] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support") returned 96 [0142.328] GetProcessHeap () returned 0x4c0000 [0142.328] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0142.329] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support" [0142.329] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\*" [0142.329] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6d241020, ftCreationTime.dwHighDateTime=0x1d2dda5, ftLastAccessTime.dwLowDateTime=0x6d9d7640, ftLastAccessTime.dwHighDateTime=0x1d2dda5, ftLastWriteTime.dwLowDateTime=0x6d9d7640, ftLastWriteTime.dwHighDateTime=0x1d2dda5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfdbd9ade, dwReserved1=0xfd4f7418, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0142.330] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0142.330] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0142.330] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0142.330] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0142.330] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0142.330] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0142.330] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6d241020, ftCreationTime.dwHighDateTime=0x1d2dda5, ftLastAccessTime.dwLowDateTime=0x6d9d7640, ftLastAccessTime.dwHighDateTime=0x1d2dda5, ftLastWriteTime.dwLowDateTime=0x6d9d7640, ftLastWriteTime.dwHighDateTime=0x1d2dda5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfdbd9ade, dwReserved1=0xfd4f7418, cFileName="..", cAlternateFileName="")) returned 1 [0142.330] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0142.330] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0142.330] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0142.330] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0142.330] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0142.330] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0142.330] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0142.330] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6d9d7640, ftCreationTime.dwHighDateTime=0x1d2dda5, ftLastAccessTime.dwLowDateTime=0x6d9d7640, ftLastAccessTime.dwHighDateTime=0x1d2dda5, ftLastWriteTime.dwLowDateTime=0x6d9d7640, ftLastWriteTime.dwHighDateTime=0x1d2dda5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfdbd9ade, dwReserved1=0xfd4f7418, cFileName="flashplayer", cAlternateFileName="FLASHP~1")) returned 1 [0142.330] lstrcmpiW (lpString1="flashplayer", lpString2="Windows") returned -1 [0142.330] lstrcmpiW (lpString1="flashplayer", lpString2="Program Files") returned -1 [0142.330] lstrcmpiW (lpString1="flashplayer", lpString2="Program Files (x86)") returned -1 [0142.330] lstrcmpiW (lpString1="flashplayer", lpString2="$Recycle.bin") returned 1 [0142.330] lstrcmpiW (lpString1="flashplayer", lpString2="System Volume Information") returned -1 [0142.330] lstrcmpiW (lpString1="flashplayer", lpString2=".") returned 1 [0142.330] lstrcmpiW (lpString1="flashplayer", lpString2="..") returned 1 [0142.330] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer") returned 108 [0142.330] GetProcessHeap () returned 0x4c0000 [0142.330] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bd80e8 [0142.331] lstrcpyW (in: lpString1=0x3bd80e8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer" [0142.331] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\*" [0142.331] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6d9d7640, ftCreationTime.dwHighDateTime=0x1d2dda5, ftLastAccessTime.dwLowDateTime=0x6d9d7640, ftLastAccessTime.dwHighDateTime=0x1d2dda5, ftLastWriteTime.dwLowDateTime=0x6d9d7640, ftLastWriteTime.dwHighDateTime=0x1d2dda5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0142.332] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0142.332] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0142.332] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0142.332] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0142.332] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0142.332] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0142.332] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6d9d7640, ftCreationTime.dwHighDateTime=0x1d2dda5, ftLastAccessTime.dwLowDateTime=0x6d9d7640, ftLastAccessTime.dwHighDateTime=0x1d2dda5, ftLastWriteTime.dwLowDateTime=0x6d9d7640, ftLastWriteTime.dwHighDateTime=0x1d2dda5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0142.332] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0142.332] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0142.332] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0142.332] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0142.332] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0142.332] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0142.332] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0142.332] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6d9d7640, ftCreationTime.dwHighDateTime=0x1d2dda5, ftLastAccessTime.dwLowDateTime=0x1d4582b0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d4582b0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0x77c61b06, cFileName="sys", cAlternateFileName="")) returned 1 [0142.332] lstrcmpiW (lpString1="sys", lpString2="Windows") returned -1 [0142.332] lstrcmpiW (lpString1="sys", lpString2="Program Files") returned 1 [0142.332] lstrcmpiW (lpString1="sys", lpString2="Program Files (x86)") returned 1 [0142.332] lstrcmpiW (lpString1="sys", lpString2="$Recycle.bin") returned 1 [0142.332] lstrcmpiW (lpString1="sys", lpString2="System Volume Information") returned -1 [0142.332] lstrcmpiW (lpString1="sys", lpString2=".") returned 1 [0142.332] lstrcmpiW (lpString1="sys", lpString2="..") returned 1 [0142.332] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 112 [0142.332] GetProcessHeap () returned 0x4c0000 [0142.332] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x502a88 [0142.333] lstrcpyW (in: lpString1=0x502a88, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys" [0142.333] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\*" [0142.333] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\*", lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6d9d7640, ftCreationTime.dwHighDateTime=0x1d2dda5, ftLastAccessTime.dwLowDateTime=0x1d4582b0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d4582b0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28a6d0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb71a0 [0142.334] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0142.334] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0142.334] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0142.334] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0142.334] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0142.334] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0142.334] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6d9d7640, ftCreationTime.dwHighDateTime=0x1d2dda5, ftLastAccessTime.dwLowDateTime=0x1d4582b0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d4582b0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28a6d0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0142.334] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0142.334] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0142.334] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0142.334] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0142.334] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0142.334] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0142.334] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0142.334] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6d9d7640, ftCreationTime.dwHighDateTime=0x1d2dda5, ftLastAccessTime.dwLowDateTime=0x1d4582b0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d4582b0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x1d6, dwReserved0=0x28a6d0, dwReserved1=0x77c61b06, cFileName="settings.sol", cAlternateFileName="")) returned 1 [0142.334] lstrcmpiW (lpString1="settings.sol", lpString2="Windows") returned -1 [0142.334] lstrcmpiW (lpString1="settings.sol", lpString2="Program Files") returned 1 [0142.334] lstrcmpiW (lpString1="settings.sol", lpString2="Program Files (x86)") returned 1 [0142.334] lstrcmpiW (lpString1="settings.sol", lpString2="$Recycle.bin") returned 1 [0142.334] lstrcmpiW (lpString1="settings.sol", lpString2="System Volume Information") returned -1 [0142.334] lstrcmpiW (lpString1="settings.sol", lpString2=".") returned 1 [0142.334] lstrcmpiW (lpString1="settings.sol", lpString2="..") returned 1 [0142.334] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol") returned 125 [0142.334] lstrcmpW (lpString1="settings.sol", lpString2="PUSSY.TXT") returned 1 [0142.334] PathFindExtensionW (pszPath="settings.sol") returned=".sol" [0142.334] lstrlenW (lpString=".sol") returned 4 [0142.334] SystemFunction036 (in: RandomBuffer=0x28a584, RandomBufferLength=0x20 | out: RandomBuffer=0x28a584) returned 1 [0142.335] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0142.336] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28a578 | out: lpFileSize=0x28a578*=470) returned 1 [0142.336] CloseHandle (hObject=0x178) returned 1 [0142.336] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6d9d7640, ftCreationTime.dwHighDateTime=0x1d2dda5, ftLastAccessTime.dwLowDateTime=0x1d4582b0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d4582b0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x1d6, dwReserved0=0x28a6d0, dwReserved1=0x77c61b06, cFileName="settings.sol", cAlternateFileName="")) returned 0 [0142.336] FindClose (in: hFindFile=0x3bb71a0 | out: hFindFile=0x3bb71a0) returned 1 [0142.336] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\PUSSY.TXT") returned 122 [0142.336] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0142.337] lstrlenA (lpString="abcd") returned 4 [0142.337] WriteFile (in: hFile=0x1d4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a8ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a8ec*=0x4, lpOverlapped=0x0) returned 1 [0142.338] CloseHandle (hObject=0x1d4) returned 1 [0142.338] GetProcessHeap () returned 0x4c0000 [0142.338] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0142.338] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6d9d7640, ftCreationTime.dwHighDateTime=0x1d2dda5, ftLastAccessTime.dwLowDateTime=0x1d4582b0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d4582b0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0x77c61b06, cFileName="sys", cAlternateFileName="")) returned 0 [0142.338] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0142.338] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\PUSSY.TXT") returned 118 [0142.338] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x128 [0142.338] lstrlenA (lpString="abcd") returned 4 [0142.338] WriteFile (in: hFile=0x128, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0142.339] CloseHandle (hObject=0x128) returned 1 [0142.339] GetProcessHeap () returned 0x4c0000 [0142.339] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bd80e8 | out: hHeap=0x4c0000) returned 1 [0142.341] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6d9d7640, ftCreationTime.dwHighDateTime=0x1d2dda5, ftLastAccessTime.dwLowDateTime=0x6d9d7640, ftLastAccessTime.dwHighDateTime=0x1d2dda5, ftLastWriteTime.dwLowDateTime=0x6d9d7640, ftLastWriteTime.dwHighDateTime=0x1d2dda5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfdbd9ade, dwReserved1=0xfd4f7418, cFileName="flashplayer", cAlternateFileName="FLASHP~1")) returned 0 [0142.341] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0142.341] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\PUSSY.TXT") returned 106 [0142.341] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x124 [0142.341] lstrlenA (lpString="abcd") returned 4 [0142.341] WriteFile (in: hFile=0x124, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0142.342] CloseHandle (hObject=0x124) returned 1 [0142.342] GetProcessHeap () returned 0x4c0000 [0142.342] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0142.343] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6d241020, ftCreationTime.dwHighDateTime=0x1d2dda5, ftLastAccessTime.dwLowDateTime=0x6d9d7640, ftLastAccessTime.dwHighDateTime=0x1d2dda5, ftLastWriteTime.dwLowDateTime=0x6d9d7640, ftLastWriteTime.dwHighDateTime=0x1d2dda5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2c3b2ad8, cFileName="support", cAlternateFileName="")) returned 0 [0142.343] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0142.344] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\PUSSY.TXT") returned 98 [0142.344] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0142.345] lstrlenA (lpString="abcd") returned 4 [0142.345] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0142.346] CloseHandle (hObject=0x18c) returned 1 [0142.346] GetProcessHeap () returned 0x4c0000 [0142.346] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0142.346] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6b695060, ftCreationTime.dwHighDateTime=0x1d2dda5, ftLastAccessTime.dwLowDateTime=0x6d241020, ftLastAccessTime.dwHighDateTime=0x1d2dda5, ftLastWriteTime.dwLowDateTime=0x6d241020, ftLastWriteTime.dwHighDateTime=0x1d2dda5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="macromedia.com", cAlternateFileName="MACROM~1.COM")) returned 0 [0142.346] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0142.346] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\PUSSY.TXT") returned 83 [0142.346] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\macromedia\\flash player\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0142.346] lstrlenA (lpString="abcd") returned 4 [0142.346] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0142.347] CloseHandle (hObject=0x1d0) returned 1 [0142.347] GetProcessHeap () returned 0x4c0000 [0142.347] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0142.347] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6b695060, ftCreationTime.dwHighDateTime=0x1d2dda5, ftLastAccessTime.dwLowDateTime=0x1d4582b0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d4582b0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Flash Player", cAlternateFileName="FLASHP~1")) returned 0 [0142.347] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0142.347] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\PUSSY.TXT") returned 70 [0142.347] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\macromedia\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0142.348] lstrlenA (lpString="abcd") returned 4 [0142.348] WriteFile (in: hFile=0x1b8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0142.349] CloseHandle (hObject=0x1b8) returned 1 [0142.349] GetProcessHeap () returned 0x4c0000 [0142.349] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0142.350] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x8d940a0, ftLastAccessTime.dwHighDateTime=0x1d305fe, ftLastWriteTime.dwLowDateTime=0x8d940a0, ftLastWriteTime.dwHighDateTime=0x1d305fe, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0142.350] lstrcmpiW (lpString1="Microsoft", lpString2="Windows") returned -1 [0142.350] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files") returned -1 [0142.350] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files (x86)") returned -1 [0142.350] lstrcmpiW (lpString1="Microsoft", lpString2="$Recycle.bin") returned 1 [0142.350] lstrcmpiW (lpString1="Microsoft", lpString2="System Volume Information") returned -1 [0142.350] lstrcmpiW (lpString1="Microsoft", lpString2=".") returned 1 [0142.350] lstrcmpiW (lpString1="Microsoft", lpString2="..") returned 1 [0142.350] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned 59 [0142.350] GetProcessHeap () returned 0x4c0000 [0142.350] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0142.351] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft" [0142.351] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\*" [0142.351] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x8d940a0, ftLastAccessTime.dwHighDateTime=0x1d305fe, ftLastWriteTime.dwLowDateTime=0x8d940a0, ftLastWriteTime.dwHighDateTime=0x1d305fe, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0142.351] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0142.351] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0142.351] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0142.351] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0142.351] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0142.351] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0142.351] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x8d940a0, ftLastAccessTime.dwHighDateTime=0x1d305fe, ftLastWriteTime.dwLowDateTime=0x8d940a0, ftLastWriteTime.dwHighDateTime=0x1d305fe, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0142.351] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0142.351] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0142.351] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0142.351] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0142.351] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0142.351] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0142.351] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0142.351] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7c36290, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x7c36290, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x7c36290, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="AddIns", cAlternateFileName="")) returned 1 [0142.352] lstrcmpiW (lpString1="AddIns", lpString2="Windows") returned -1 [0142.352] lstrcmpiW (lpString1="AddIns", lpString2="Program Files") returned -1 [0142.352] lstrcmpiW (lpString1="AddIns", lpString2="Program Files (x86)") returned -1 [0142.352] lstrcmpiW (lpString1="AddIns", lpString2="$Recycle.bin") returned 1 [0142.352] lstrcmpiW (lpString1="AddIns", lpString2="System Volume Information") returned -1 [0142.352] lstrcmpiW (lpString1="AddIns", lpString2=".") returned 1 [0142.352] lstrcmpiW (lpString1="AddIns", lpString2="..") returned 1 [0142.352] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\AddIns") returned 66 [0142.352] GetProcessHeap () returned 0x4c0000 [0142.352] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0142.353] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\AddIns" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\AddIns") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\AddIns" [0142.353] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\AddIns", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\AddIns\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\AddIns\\*" [0142.353] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\AddIns\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7c36290, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x7c36290, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x7c36290, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0142.354] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0142.354] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0142.354] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0142.354] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0142.354] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0142.354] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0142.354] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7c36290, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x7c36290, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x7c36290, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0142.354] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0142.354] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0142.354] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0142.354] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0142.354] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0142.354] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0142.354] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0142.354] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7c36290, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x7c36290, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x7c36290, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0142.355] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0142.355] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\AddIns\\PUSSY.TXT") returned 76 [0142.355] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\AddIns\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\addins\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0142.355] lstrlenA (lpString="abcd") returned 4 [0142.355] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0142.356] CloseHandle (hObject=0x1d0) returned 1 [0142.356] GetProcessHeap () returned 0x4c0000 [0142.356] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0142.356] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xea43994d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Credentials", cAlternateFileName="CREDEN~1")) returned 1 [0142.356] lstrcmpiW (lpString1="Credentials", lpString2="Windows") returned -1 [0142.356] lstrcmpiW (lpString1="Credentials", lpString2="Program Files") returned -1 [0142.356] lstrcmpiW (lpString1="Credentials", lpString2="Program Files (x86)") returned -1 [0142.356] lstrcmpiW (lpString1="Credentials", lpString2="$Recycle.bin") returned 1 [0142.356] lstrcmpiW (lpString1="Credentials", lpString2="System Volume Information") returned -1 [0142.357] lstrcmpiW (lpString1="Credentials", lpString2=".") returned 1 [0142.357] lstrcmpiW (lpString1="Credentials", lpString2="..") returned 1 [0142.357] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Credentials") returned 71 [0142.357] GetProcessHeap () returned 0x4c0000 [0142.357] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0142.357] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Credentials" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Credentials") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Credentials" [0142.357] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Credentials", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Credentials\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Credentials\\*" [0142.357] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Credentials\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xea43994d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0142.357] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0142.357] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0142.357] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0142.357] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0142.357] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0142.357] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0142.357] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xea43994d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0142.357] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0142.357] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0142.357] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0142.357] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0142.357] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0142.357] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0142.357] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0142.357] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xea43994d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0142.357] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0142.357] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Credentials\\PUSSY.TXT") returned 81 [0142.358] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Credentials\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\credentials\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0142.358] lstrlenA (lpString="abcd") returned 4 [0142.358] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0142.359] CloseHandle (hObject=0x1d0) returned 1 [0142.360] GetProcessHeap () returned 0x4c0000 [0142.360] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0142.360] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x160a67d7, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Crypto", cAlternateFileName="")) returned 1 [0142.360] lstrcmpiW (lpString1="Crypto", lpString2="Windows") returned -1 [0142.360] lstrcmpiW (lpString1="Crypto", lpString2="Program Files") returned -1 [0142.360] lstrcmpiW (lpString1="Crypto", lpString2="Program Files (x86)") returned -1 [0142.360] lstrcmpiW (lpString1="Crypto", lpString2="$Recycle.bin") returned 1 [0142.360] lstrcmpiW (lpString1="Crypto", lpString2="System Volume Information") returned -1 [0142.360] lstrcmpiW (lpString1="Crypto", lpString2=".") returned 1 [0142.360] lstrcmpiW (lpString1="Crypto", lpString2="..") returned 1 [0142.360] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto") returned 66 [0142.360] GetProcessHeap () returned 0x4c0000 [0142.360] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0142.360] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto" [0142.360] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\*" [0142.360] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x160a67d7, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0142.360] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0142.360] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0142.361] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0142.361] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0142.361] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0142.361] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0142.361] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x160a67d7, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0142.361] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0142.361] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0142.361] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0142.361] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0142.361] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0142.361] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0142.361] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0142.361] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x681f1360, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x681f1360, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="RSA", cAlternateFileName="")) returned 1 [0142.361] lstrcmpiW (lpString1="RSA", lpString2="Windows") returned -1 [0142.361] lstrcmpiW (lpString1="RSA", lpString2="Program Files") returned 1 [0142.361] lstrcmpiW (lpString1="RSA", lpString2="Program Files (x86)") returned 1 [0142.361] lstrcmpiW (lpString1="RSA", lpString2="$Recycle.bin") returned 1 [0142.361] lstrcmpiW (lpString1="RSA", lpString2="System Volume Information") returned -1 [0142.361] lstrcmpiW (lpString1="RSA", lpString2=".") returned 1 [0142.361] lstrcmpiW (lpString1="RSA", lpString2="..") returned 1 [0142.361] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA") returned 70 [0142.361] GetProcessHeap () returned 0x4c0000 [0142.361] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0142.362] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA" [0142.362] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*" [0142.362] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x681f1360, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x681f1360, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2c3b2ad8, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0142.362] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0142.362] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0142.362] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0142.362] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0142.362] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0142.362] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0142.362] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x681f1360, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x681f1360, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2c3b2ad8, cFileName="..", cAlternateFileName="")) returned 1 [0142.362] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0142.362] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0142.362] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0142.362] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0142.362] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0142.363] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0142.363] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0142.363] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x681f1360, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0xa1e34990, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0xa1e34990, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2c3b2ad8, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0142.363] lstrcmpiW (lpString1="S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="Windows") returned -1 [0142.363] lstrcmpiW (lpString1="S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="Program Files") returned 1 [0142.363] lstrcmpiW (lpString1="S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="Program Files (x86)") returned 1 [0142.363] lstrcmpiW (lpString1="S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="$Recycle.bin") returned 1 [0142.363] lstrcmpiW (lpString1="S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="System Volume Information") returned -1 [0142.363] lstrcmpiW (lpString1="S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2=".") returned 1 [0142.363] lstrcmpiW (lpString1="S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="..") returned 1 [0142.363] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 117 [0142.363] GetProcessHeap () returned 0x4c0000 [0142.363] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0142.373] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000" [0142.373] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*" [0142.373] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x681f1360, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0xa1e34990, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0xa1e34990, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfd4f7418, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0142.382] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0142.382] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0142.382] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0142.382] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0142.382] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0142.382] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0142.382] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x681f1360, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0xa1e34990, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0xa1e34990, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfd4f7418, cFileName="..", cAlternateFileName="")) returned 1 [0142.382] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0142.382] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0142.382] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0142.382] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0142.382] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0142.383] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0142.383] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0142.383] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xa1e34990, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0xa1e34990, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0xa1e34990, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x2d, dwReserved0=0x4e29d8, dwReserved1=0xfd4f7418, cFileName="83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", cAlternateFileName="83AA4C~1")) returned 1 [0142.383] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Windows") returned -1 [0142.383] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Program Files") returned -1 [0142.383] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Program Files (x86)") returned -1 [0142.383] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="$Recycle.bin") returned 1 [0142.383] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="System Volume Information") returned -1 [0142.383] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2=".") returned 1 [0142.383] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="..") returned 1 [0142.383] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 187 [0142.383] lstrcmpW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="PUSSY.TXT") returned -1 [0142.383] PathFindExtensionW (pszPath="83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned="" [0142.383] lstrlenW (lpString="") returned 0 [0142.383] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0142.383] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-3388679973-3930757225-3770151564-1000\\83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x128 [0142.384] GetFileSizeEx (in: hFile=0x128, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=45) returned 1 [0142.384] CloseHandle (hObject=0x128) returned 1 [0142.384] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x681f1360, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x681f1360, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x681f1360, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x57, dwReserved0=0x4e29d8, dwReserved1=0xfd4f7418, cFileName="932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", cAlternateFileName="932A2D~1")) returned 1 [0142.384] lstrcmpiW (lpString1="932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Windows") returned -1 [0142.384] lstrcmpiW (lpString1="932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Program Files") returned -1 [0142.384] lstrcmpiW (lpString1="932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Program Files (x86)") returned -1 [0142.385] lstrcmpiW (lpString1="932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="$Recycle.bin") returned 1 [0142.385] lstrcmpiW (lpString1="932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="System Volume Information") returned -1 [0142.385] lstrcmpiW (lpString1="932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2=".") returned 1 [0142.385] lstrcmpiW (lpString1="932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="..") returned 1 [0142.385] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 187 [0142.385] lstrcmpW (lpString1="932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="PUSSY.TXT") returned -1 [0142.385] PathFindExtensionW (pszPath="932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned="" [0142.385] lstrlenW (lpString="") returned 0 [0142.385] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0142.385] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-3388679973-3930757225-3770151564-1000\\932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x128 [0142.386] GetFileSizeEx (in: hFile=0x128, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=87) returned 1 [0142.386] CloseHandle (hObject=0x128) returned 1 [0142.386] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xb0aa1fc0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb0aa1fc0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb0aa1fc0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x3d, dwReserved0=0x4e29d8, dwReserved1=0xfd4f7418, cFileName="fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", cAlternateFileName="FDA992~1")) returned 1 [0142.386] lstrcmpiW (lpString1="fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Windows") returned -1 [0142.386] lstrcmpiW (lpString1="fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Program Files") returned -1 [0142.386] lstrcmpiW (lpString1="fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Program Files (x86)") returned -1 [0142.386] lstrcmpiW (lpString1="fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="$Recycle.bin") returned 1 [0142.386] lstrcmpiW (lpString1="fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="System Volume Information") returned -1 [0142.386] lstrcmpiW (lpString1="fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2=".") returned 1 [0142.386] lstrcmpiW (lpString1="fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="..") returned 1 [0142.386] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 187 [0142.387] lstrcmpW (lpString1="fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="PUSSY.TXT") returned -1 [0142.387] PathFindExtensionW (pszPath="fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned="" [0142.387] lstrlenW (lpString="") returned 0 [0142.387] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0142.387] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-3388679973-3930757225-3770151564-1000\\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x128 [0142.387] GetFileSizeEx (in: hFile=0x128, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=61) returned 1 [0142.387] CloseHandle (hObject=0x128) returned 1 [0142.387] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xb0aa1fc0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb0aa1fc0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb0aa1fc0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x3d, dwReserved0=0x4e29d8, dwReserved1=0xfd4f7418, cFileName="fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", cAlternateFileName="FDA992~1")) returned 0 [0142.387] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0142.387] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\PUSSY.TXT") returned 127 [0142.387] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-3388679973-3930757225-3770151564-1000\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x124 [0142.388] lstrlenA (lpString="abcd") returned 4 [0142.388] WriteFile (in: hFile=0x124, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0142.389] CloseHandle (hObject=0x124) returned 1 [0142.389] GetProcessHeap () returned 0x4c0000 [0142.389] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0142.389] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x681f1360, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0xa1e34990, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0xa1e34990, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2c3b2ad8, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 0 [0142.389] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0142.389] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\PUSSY.TXT") returned 80 [0142.389] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\crypto\\rsa\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0142.390] lstrlenA (lpString="abcd") returned 4 [0142.390] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0142.391] CloseHandle (hObject=0x18c) returned 1 [0142.391] GetProcessHeap () returned 0x4c0000 [0142.391] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0142.392] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x681f1360, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x681f1360, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="RSA", cAlternateFileName="")) returned 0 [0142.392] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0142.392] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\PUSSY.TXT") returned 76 [0142.392] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\crypto\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0142.393] lstrlenA (lpString="abcd") returned 4 [0142.393] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0142.393] CloseHandle (hObject=0x1d0) returned 1 [0142.393] GetProcessHeap () returned 0x4c0000 [0142.394] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0142.394] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f766d30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x4f766d30, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x4f766d30, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Document Building Blocks", cAlternateFileName="DOCUME~1")) returned 1 [0142.394] lstrcmpiW (lpString1="Document Building Blocks", lpString2="Windows") returned -1 [0142.394] lstrcmpiW (lpString1="Document Building Blocks", lpString2="Program Files") returned -1 [0142.394] lstrcmpiW (lpString1="Document Building Blocks", lpString2="Program Files (x86)") returned -1 [0142.394] lstrcmpiW (lpString1="Document Building Blocks", lpString2="$Recycle.bin") returned 1 [0142.394] lstrcmpiW (lpString1="Document Building Blocks", lpString2="System Volume Information") returned -1 [0142.394] lstrcmpiW (lpString1="Document Building Blocks", lpString2=".") returned 1 [0142.394] lstrcmpiW (lpString1="Document Building Blocks", lpString2="..") returned 1 [0142.394] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks") returned 84 [0142.394] GetProcessHeap () returned 0x4c0000 [0142.394] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0142.394] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks" [0142.394] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\*" [0142.394] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f766d30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x4f766d30, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x4f766d30, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0142.395] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0142.395] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0142.395] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0142.395] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0142.395] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0142.395] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0142.395] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f766d30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x4f766d30, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x4f766d30, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0142.395] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0142.395] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0142.395] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0142.395] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0142.395] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0142.395] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0142.395] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0142.395] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f766d30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x4f766d30, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x4f766d30, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="1033", cAlternateFileName="")) returned 1 [0142.395] lstrcmpiW (lpString1="1033", lpString2="Windows") returned -1 [0142.395] lstrcmpiW (lpString1="1033", lpString2="Program Files") returned -1 [0142.395] lstrcmpiW (lpString1="1033", lpString2="Program Files (x86)") returned -1 [0142.395] lstrcmpiW (lpString1="1033", lpString2="$Recycle.bin") returned 1 [0142.395] lstrcmpiW (lpString1="1033", lpString2="System Volume Information") returned -1 [0142.395] lstrcmpiW (lpString1="1033", lpString2=".") returned 1 [0142.395] lstrcmpiW (lpString1="1033", lpString2="..") returned 1 [0142.396] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033") returned 89 [0142.396] GetProcessHeap () returned 0x4c0000 [0142.396] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0142.396] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033" [0142.396] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\*" [0142.396] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f766d30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x4f766d30, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x4f766d30, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2c3b2ad8, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0142.396] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0142.396] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0142.396] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0142.396] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0142.396] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0142.396] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0142.396] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f766d30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x4f766d30, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x4f766d30, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2c3b2ad8, cFileName="..", cAlternateFileName="")) returned 1 [0142.396] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0142.396] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0142.397] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0142.397] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0142.397] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0142.397] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0142.397] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0142.397] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f766d30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x4f766d30, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x4f766d30, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2c3b2ad8, cFileName="14", cAlternateFileName="")) returned 1 [0142.397] lstrcmpiW (lpString1="14", lpString2="Windows") returned -1 [0142.397] lstrcmpiW (lpString1="14", lpString2="Program Files") returned -1 [0142.397] lstrcmpiW (lpString1="14", lpString2="Program Files (x86)") returned -1 [0142.397] lstrcmpiW (lpString1="14", lpString2="$Recycle.bin") returned 1 [0142.397] lstrcmpiW (lpString1="14", lpString2="System Volume Information") returned -1 [0142.397] lstrcmpiW (lpString1="14", lpString2=".") returned 1 [0142.397] lstrcmpiW (lpString1="14", lpString2="..") returned 1 [0142.397] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14") returned 92 [0142.397] GetProcessHeap () returned 0x4c0000 [0142.397] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0142.398] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14" [0142.398] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\*" [0142.398] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f766d30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x4f766d30, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x4f766d30, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfd4f7418, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0142.398] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0142.398] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0142.398] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0142.398] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0142.398] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0142.398] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0142.398] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f766d30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x4f766d30, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x4f766d30, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfd4f7418, cFileName="..", cAlternateFileName="")) returned 1 [0142.398] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0142.398] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0142.399] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0142.399] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0142.399] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0142.399] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0142.399] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0142.399] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4f766d30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x4f766d30, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x4e2b7e00, ftLastWriteTime.dwHighDateTime=0x1ca911e, nFileSizeHigh=0x0, nFileSizeLow=0x3fe4ab, dwReserved0=0x4e29d8, dwReserved1=0xfd4f7418, cFileName="Built-In Building Blocks.dotx", cAlternateFileName="BUILT-~1.DOT")) returned 1 [0142.399] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="Windows") returned -1 [0142.399] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="Program Files") returned -1 [0142.399] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="Program Files (x86)") returned -1 [0142.399] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="$Recycle.bin") returned 1 [0142.399] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="System Volume Information") returned -1 [0142.399] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2=".") returned 1 [0142.399] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="..") returned 1 [0142.399] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\Built-In Building Blocks.dotx") returned 122 [0142.399] lstrcmpW (lpString1="Built-In Building Blocks.dotx", lpString2="PUSSY.TXT") returned -1 [0142.399] PathFindExtensionW (pszPath="Built-In Building Blocks.dotx") returned=".dotx" [0142.399] lstrlenW (lpString=".dotx") returned 5 [0142.399] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0142.399] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\Built-In Building Blocks.dotx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\document building blocks\\1033\\14\\built-in building blocks.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x128 [0142.400] GetFileSizeEx (in: hFile=0x128, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=4187307) returned 1 [0142.400] GetProcessHeap () returned 0x4c0000 [0142.400] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0142.410] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="18") returned 2 [0142.410] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="7E") returned 2 [0142.410] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="D9") returned 2 [0142.410] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="B6") returned 2 [0142.410] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="CD") returned 2 [0142.410] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="6E") returned 2 [0142.410] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="83") returned 2 [0142.410] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="98") returned 2 [0142.410] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="20") returned 2 [0142.410] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="1B") returned 2 [0142.410] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="7A") returned 2 [0142.410] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="A4") returned 2 [0142.410] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="00") returned 2 [0142.410] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="DD") returned 2 [0142.410] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="80") returned 2 [0142.410] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="5A") returned 2 [0142.410] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="B7") returned 2 [0142.410] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="12") returned 2 [0142.410] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="97") returned 2 [0142.410] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="CE") returned 2 [0142.410] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="D6") returned 2 [0142.410] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="A7") returned 2 [0142.410] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="CE") returned 2 [0142.410] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="86") returned 2 [0142.410] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="E2") returned 2 [0142.410] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="F4") returned 2 [0142.410] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="28") returned 2 [0142.410] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="42") returned 2 [0142.410] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="9E") returned 2 [0142.411] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="44") returned 2 [0142.411] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="14") returned 2 [0142.411] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="28") returned 2 [0142.419] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\Built-In Building Blocks.dotx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\Built-In Building Blocks.dotx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\Built-In Building Blocks.dotx" [0142.419] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\Built-In Building Blocks.dotx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\Built-In Building Blocks.dotx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\Built-In Building Blocks.dotx" [0142.419] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\Built-In Building Blocks.dotx", lpString2=".187ED9B6CD6E8398201B7AA400DD805AB71297CED6A7CE86E2F428429E441428" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\Built-In Building Blocks.dotx.187ED9B6CD6E8398201B7AA400DD805AB71297CED6A7CE86E2F428429E441428") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\Built-In Building Blocks.dotx.187ED9B6CD6E8398201B7AA400DD805AB71297CED6A7CE86E2F428429E441428" [0142.419] CreateIoCompletionPort (FileHandle=0x128, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0142.419] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0142.419] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4f766d30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x4f766d30, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x4e2b7e00, ftLastWriteTime.dwHighDateTime=0x1ca911e, nFileSizeHigh=0x0, nFileSizeLow=0x3fe4ab, dwReserved0=0x4e29d8, dwReserved1=0xfd4f7418, cFileName="Built-In Building Blocks.dotx", cAlternateFileName="BUILT-~1.DOT")) returned 0 [0142.419] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0142.419] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\PUSSY.TXT") returned 102 [0142.419] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\document building blocks\\1033\\14\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x124 [0142.420] lstrlenA (lpString="abcd") returned 4 [0142.420] WriteFile (in: hFile=0x124, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0142.421] CloseHandle (hObject=0x124) returned 1 [0142.421] GetProcessHeap () returned 0x4c0000 [0142.421] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0142.421] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f766d30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x4f766d30, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x4f766d30, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2c3b2ad8, cFileName="14", cAlternateFileName="")) returned 0 [0142.421] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0142.421] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\PUSSY.TXT") returned 99 [0142.421] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\document building blocks\\1033\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0142.422] lstrlenA (lpString="abcd") returned 4 [0142.422] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0142.423] CloseHandle (hObject=0x18c) returned 1 [0142.423] GetProcessHeap () returned 0x4c0000 [0142.423] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0142.425] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f766d30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x4f766d30, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x4f766d30, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="1033", cAlternateFileName="")) returned 0 [0142.425] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0142.425] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\PUSSY.TXT") returned 94 [0142.425] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\document building blocks\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0142.426] lstrlenA (lpString="abcd") returned 4 [0142.426] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0142.427] CloseHandle (hObject=0x1d0) returned 1 [0142.427] GetProcessHeap () returned 0x4c0000 [0142.427] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0142.427] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1c1e0470, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xd01394e0, ftLastAccessTime.dwHighDateTime=0x1d301bc, ftLastWriteTime.dwLowDateTime=0xd01394e0, ftLastWriteTime.dwHighDateTime=0x1d301bc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Excel", cAlternateFileName="")) returned 1 [0142.427] lstrcmpiW (lpString1="Excel", lpString2="Windows") returned -1 [0142.427] lstrcmpiW (lpString1="Excel", lpString2="Program Files") returned -1 [0142.427] lstrcmpiW (lpString1="Excel", lpString2="Program Files (x86)") returned -1 [0142.427] lstrcmpiW (lpString1="Excel", lpString2="$Recycle.bin") returned 1 [0142.427] lstrcmpiW (lpString1="Excel", lpString2="System Volume Information") returned -1 [0142.427] lstrcmpiW (lpString1="Excel", lpString2=".") returned 1 [0142.427] lstrcmpiW (lpString1="Excel", lpString2="..") returned 1 [0142.427] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel") returned 65 [0142.427] GetProcessHeap () returned 0x4c0000 [0142.427] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0142.428] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel" [0142.428] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel\\*" [0142.428] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1c1e0470, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xd01394e0, ftLastAccessTime.dwHighDateTime=0x1d301bc, ftLastWriteTime.dwLowDateTime=0xd01394e0, ftLastWriteTime.dwHighDateTime=0x1d301bc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0142.428] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0142.428] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0142.428] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0142.428] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0142.428] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0142.428] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0142.428] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1c1e0470, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xd01394e0, ftLastAccessTime.dwHighDateTime=0x1d301bc, ftLastWriteTime.dwLowDateTime=0xd01394e0, ftLastWriteTime.dwHighDateTime=0x1d301bc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0142.429] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0142.429] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0142.429] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0142.429] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0142.429] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0142.429] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0142.429] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0142.429] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd01394e0, ftCreationTime.dwHighDateTime=0x1d301bc, ftLastAccessTime.dwLowDateTime=0xd01394e0, ftLastAccessTime.dwHighDateTime=0x1d301bc, ftLastWriteTime.dwLowDateTime=0xd01394e0, ftLastWriteTime.dwHighDateTime=0x1d301bc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="XLSTART", cAlternateFileName="")) returned 1 [0142.429] lstrcmpiW (lpString1="XLSTART", lpString2="Windows") returned 1 [0142.429] lstrcmpiW (lpString1="XLSTART", lpString2="Program Files") returned 1 [0142.429] lstrcmpiW (lpString1="XLSTART", lpString2="Program Files (x86)") returned 1 [0142.429] lstrcmpiW (lpString1="XLSTART", lpString2="$Recycle.bin") returned 1 [0142.429] lstrcmpiW (lpString1="XLSTART", lpString2="System Volume Information") returned 1 [0142.429] lstrcmpiW (lpString1="XLSTART", lpString2=".") returned 1 [0142.429] lstrcmpiW (lpString1="XLSTART", lpString2="..") returned 1 [0142.429] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART") returned 73 [0142.429] GetProcessHeap () returned 0x4c0000 [0142.429] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0142.430] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART" [0142.430] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*" [0142.430] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd01394e0, ftCreationTime.dwHighDateTime=0x1d301bc, ftLastAccessTime.dwLowDateTime=0xd01394e0, ftLastAccessTime.dwHighDateTime=0x1d301bc, ftLastWriteTime.dwLowDateTime=0xd01394e0, ftLastWriteTime.dwHighDateTime=0x1d301bc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2c3b2ad8, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0142.430] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0142.430] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0142.430] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0142.430] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0142.430] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0142.430] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0142.430] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd01394e0, ftCreationTime.dwHighDateTime=0x1d301bc, ftLastAccessTime.dwLowDateTime=0xd01394e0, ftLastAccessTime.dwHighDateTime=0x1d301bc, ftLastWriteTime.dwLowDateTime=0xd01394e0, ftLastWriteTime.dwHighDateTime=0x1d301bc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2c3b2ad8, cFileName="..", cAlternateFileName="")) returned 1 [0142.430] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0142.430] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0142.430] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0142.431] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0142.431] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0142.431] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0142.431] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0142.431] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd01394e0, ftCreationTime.dwHighDateTime=0x1d301bc, ftLastAccessTime.dwLowDateTime=0xd01394e0, ftLastAccessTime.dwHighDateTime=0x1d301bc, ftLastWriteTime.dwLowDateTime=0xd01394e0, ftLastWriteTime.dwHighDateTime=0x1d301bc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2c3b2ad8, cFileName="..", cAlternateFileName="")) returned 0 [0142.431] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0142.431] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\PUSSY.TXT") returned 83 [0142.431] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\excel\\xlstart\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0142.432] lstrlenA (lpString="abcd") returned 4 [0142.432] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0142.433] CloseHandle (hObject=0x18c) returned 1 [0142.433] GetProcessHeap () returned 0x4c0000 [0142.433] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0142.433] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd01394e0, ftCreationTime.dwHighDateTime=0x1d301bc, ftLastAccessTime.dwLowDateTime=0xd01394e0, ftLastAccessTime.dwHighDateTime=0x1d301bc, ftLastWriteTime.dwLowDateTime=0xd01394e0, ftLastWriteTime.dwHighDateTime=0x1d301bc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="XLSTART", cAlternateFileName="")) returned 0 [0142.433] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0142.433] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel\\PUSSY.TXT") returned 75 [0142.433] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\excel\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0142.433] lstrlenA (lpString="abcd") returned 4 [0142.433] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0142.434] CloseHandle (hObject=0x1d0) returned 1 [0142.434] GetProcessHeap () returned 0x4c0000 [0142.434] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0142.434] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="IME12", cAlternateFileName="")) returned 1 [0142.434] lstrcmpiW (lpString1="IME12", lpString2="Windows") returned -1 [0142.434] lstrcmpiW (lpString1="IME12", lpString2="Program Files") returned -1 [0142.435] lstrcmpiW (lpString1="IME12", lpString2="Program Files (x86)") returned -1 [0142.435] lstrcmpiW (lpString1="IME12", lpString2="$Recycle.bin") returned 1 [0142.435] lstrcmpiW (lpString1="IME12", lpString2="System Volume Information") returned -1 [0142.435] lstrcmpiW (lpString1="IME12", lpString2=".") returned 1 [0142.435] lstrcmpiW (lpString1="IME12", lpString2="..") returned 1 [0142.435] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IME12") returned 65 [0142.435] GetProcessHeap () returned 0x4c0000 [0142.435] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0142.435] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IME12" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IME12") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IME12" [0142.435] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IME12", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IME12\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IME12\\*" [0142.435] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IME12\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0142.435] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0142.435] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0142.435] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0142.435] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0142.435] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0142.435] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0142.435] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0142.436] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0142.436] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0142.436] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0142.436] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0142.436] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0142.436] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0142.436] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0142.436] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0142.436] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0142.436] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IME12\\PUSSY.TXT") returned 75 [0142.436] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IME12\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ime12\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0142.436] lstrlenA (lpString="abcd") returned 4 [0142.436] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0142.437] CloseHandle (hObject=0x1d0) returned 1 [0142.438] GetProcessHeap () returned 0x4c0000 [0142.438] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0142.438] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="IMJP12", cAlternateFileName="")) returned 1 [0142.438] lstrcmpiW (lpString1="IMJP12", lpString2="Windows") returned -1 [0142.438] lstrcmpiW (lpString1="IMJP12", lpString2="Program Files") returned -1 [0142.438] lstrcmpiW (lpString1="IMJP12", lpString2="Program Files (x86)") returned -1 [0142.438] lstrcmpiW (lpString1="IMJP12", lpString2="$Recycle.bin") returned 1 [0142.438] lstrcmpiW (lpString1="IMJP12", lpString2="System Volume Information") returned -1 [0142.438] lstrcmpiW (lpString1="IMJP12", lpString2=".") returned 1 [0142.438] lstrcmpiW (lpString1="IMJP12", lpString2="..") returned 1 [0142.438] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP12") returned 66 [0142.438] GetProcessHeap () returned 0x4c0000 [0142.438] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0142.438] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP12" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP12") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP12" [0142.438] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP12", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP12\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP12\\*" [0142.438] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP12\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0142.439] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0142.439] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0142.439] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0142.439] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0142.439] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0142.439] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0142.439] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0142.439] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0142.439] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0142.439] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0142.439] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0142.439] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0142.439] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0142.439] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0142.439] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0142.439] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0142.439] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP12\\PUSSY.TXT") returned 76 [0142.439] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP12\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\imjp12\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0142.440] lstrlenA (lpString="abcd") returned 4 [0142.440] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0142.441] CloseHandle (hObject=0x1d0) returned 1 [0142.441] GetProcessHeap () returned 0x4c0000 [0142.441] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0142.441] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="IMJP8_1", cAlternateFileName="")) returned 1 [0142.441] lstrcmpiW (lpString1="IMJP8_1", lpString2="Windows") returned -1 [0142.441] lstrcmpiW (lpString1="IMJP8_1", lpString2="Program Files") returned -1 [0142.441] lstrcmpiW (lpString1="IMJP8_1", lpString2="Program Files (x86)") returned -1 [0142.441] lstrcmpiW (lpString1="IMJP8_1", lpString2="$Recycle.bin") returned 1 [0142.441] lstrcmpiW (lpString1="IMJP8_1", lpString2="System Volume Information") returned -1 [0142.441] lstrcmpiW (lpString1="IMJP8_1", lpString2=".") returned 1 [0142.441] lstrcmpiW (lpString1="IMJP8_1", lpString2="..") returned 1 [0142.441] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP8_1") returned 67 [0142.441] GetProcessHeap () returned 0x4c0000 [0142.441] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0142.441] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP8_1" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP8_1") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP8_1" [0142.441] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP8_1", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP8_1\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP8_1\\*" [0142.441] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP8_1\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0142.442] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0142.442] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0142.442] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0142.442] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0142.442] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0142.442] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0142.442] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0142.442] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0142.442] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0142.442] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0142.442] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0142.442] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0142.442] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0142.442] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0142.442] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0142.442] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0142.443] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP8_1\\PUSSY.TXT") returned 77 [0142.443] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP8_1\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\imjp8_1\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0142.444] lstrlenA (lpString="abcd") returned 4 [0142.444] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0142.445] CloseHandle (hObject=0x1d0) returned 1 [0142.445] GetProcessHeap () returned 0x4c0000 [0142.445] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0142.445] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="IMJP9_0", cAlternateFileName="")) returned 1 [0142.445] lstrcmpiW (lpString1="IMJP9_0", lpString2="Windows") returned -1 [0142.445] lstrcmpiW (lpString1="IMJP9_0", lpString2="Program Files") returned -1 [0142.445] lstrcmpiW (lpString1="IMJP9_0", lpString2="Program Files (x86)") returned -1 [0142.445] lstrcmpiW (lpString1="IMJP9_0", lpString2="$Recycle.bin") returned 1 [0142.445] lstrcmpiW (lpString1="IMJP9_0", lpString2="System Volume Information") returned -1 [0142.445] lstrcmpiW (lpString1="IMJP9_0", lpString2=".") returned 1 [0142.445] lstrcmpiW (lpString1="IMJP9_0", lpString2="..") returned 1 [0142.445] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP9_0") returned 67 [0142.445] GetProcessHeap () returned 0x4c0000 [0142.445] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0142.445] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP9_0" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP9_0") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP9_0" [0142.445] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP9_0", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP9_0\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP9_0\\*" [0142.445] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP9_0\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0142.446] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0142.446] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0142.446] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0142.446] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0142.446] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0142.446] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0142.446] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0142.446] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0142.446] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0142.446] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0142.446] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0142.446] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0142.446] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0142.446] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0142.446] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0142.446] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0142.446] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP9_0\\PUSSY.TXT") returned 77 [0142.446] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP9_0\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\imjp9_0\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0142.447] lstrlenA (lpString="abcd") returned 4 [0142.447] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0142.448] CloseHandle (hObject=0x1d0) returned 1 [0142.448] GetProcessHeap () returned 0x4c0000 [0142.448] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0142.448] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x54b77470, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b77470, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0142.448] lstrcmpiW (lpString1="Internet Explorer", lpString2="Windows") returned -1 [0142.448] lstrcmpiW (lpString1="Internet Explorer", lpString2="Program Files") returned -1 [0142.448] lstrcmpiW (lpString1="Internet Explorer", lpString2="Program Files (x86)") returned -1 [0142.448] lstrcmpiW (lpString1="Internet Explorer", lpString2="$Recycle.bin") returned 1 [0142.448] lstrcmpiW (lpString1="Internet Explorer", lpString2="System Volume Information") returned -1 [0142.448] lstrcmpiW (lpString1="Internet Explorer", lpString2=".") returned 1 [0142.448] lstrcmpiW (lpString1="Internet Explorer", lpString2="..") returned 1 [0142.448] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer") returned 77 [0142.448] GetProcessHeap () returned 0x4c0000 [0142.448] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0142.448] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer" [0142.448] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*" [0142.448] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x54b77470, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b77470, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0142.448] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0142.448] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0142.448] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0142.448] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0142.448] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0142.448] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0142.448] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x54b77470, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b77470, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0142.448] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0142.448] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0142.448] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0142.448] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0142.449] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0142.449] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0142.449] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0142.449] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xbda554a0, ftLastAccessTime.dwHighDateTime=0x1d301bd, ftLastWriteTime.dwLowDateTime=0xbda554a0, ftLastWriteTime.dwHighDateTime=0x1d301bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="Quick Launch", cAlternateFileName="QUICKL~1")) returned 1 [0142.449] lstrcmpiW (lpString1="Quick Launch", lpString2="Windows") returned -1 [0142.449] lstrcmpiW (lpString1="Quick Launch", lpString2="Program Files") returned 1 [0142.449] lstrcmpiW (lpString1="Quick Launch", lpString2="Program Files (x86)") returned 1 [0142.449] lstrcmpiW (lpString1="Quick Launch", lpString2="$Recycle.bin") returned 1 [0142.449] lstrcmpiW (lpString1="Quick Launch", lpString2="System Volume Information") returned -1 [0142.449] lstrcmpiW (lpString1="Quick Launch", lpString2=".") returned 1 [0142.449] lstrcmpiW (lpString1="Quick Launch", lpString2="..") returned 1 [0142.449] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch") returned 90 [0142.449] GetProcessHeap () returned 0x4c0000 [0142.449] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0142.449] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch" [0142.449] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*" [0142.449] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xbda554a0, ftLastAccessTime.dwHighDateTime=0x1d301bd, ftLastWriteTime.dwLowDateTime=0xbda554a0, ftLastWriteTime.dwHighDateTime=0x1d301bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2c3b2ad8, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0142.449] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0142.449] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0142.449] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0142.449] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0142.449] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0142.449] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0142.449] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xbda554a0, ftLastAccessTime.dwHighDateTime=0x1d301bd, ftLastWriteTime.dwLowDateTime=0xbda554a0, ftLastWriteTime.dwHighDateTime=0x1d301bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2c3b2ad8, cFileName="..", cAlternateFileName="")) returned 1 [0142.449] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0142.449] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0142.449] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0142.449] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0142.449] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0142.449] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0142.450] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0142.450] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x28dbdd20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28dbdd20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x4eb35ad0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xdd, dwReserved0=0x4e29d8, dwReserved1=0x2c3b2ad8, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0142.450] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0142.450] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0142.450] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0142.450] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0142.450] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0142.450] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0142.450] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0142.450] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini") returned 102 [0142.450] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0142.450] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0142.450] lstrlenW (lpString=".ini") returned 4 [0142.450] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0142.450] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x124 [0142.451] GetFileSizeEx (in: hFile=0x124, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=221) returned 1 [0142.451] CloseHandle (hObject=0x124) returned 1 [0142.451] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7df47e00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7df47e00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x3a683760, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x8e9, dwReserved0=0x4e29d8, dwReserved1=0x2c3b2ad8, cFileName="Google Chrome.lnk", cAlternateFileName="GOOGLE~1.LNK")) returned 1 [0142.451] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="Windows") returned -1 [0142.451] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="Program Files") returned -1 [0142.451] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="Program Files (x86)") returned -1 [0142.451] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="$Recycle.bin") returned 1 [0142.451] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="System Volume Information") returned -1 [0142.451] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2=".") returned 1 [0142.451] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="..") returned 1 [0142.451] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk") returned 108 [0142.451] lstrcmpW (lpString1="Google Chrome.lnk", lpString2="PUSSY.TXT") returned -1 [0142.451] PathFindExtensionW (pszPath="Google Chrome.lnk") returned=".lnk" [0142.451] lstrlenW (lpString=".lnk") returned 4 [0142.451] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0142.451] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\google chrome.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x124 [0142.452] GetFileSizeEx (in: hFile=0x124, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=2281) returned 1 [0142.452] GetProcessHeap () returned 0x4c0000 [0142.452] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0142.463] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="CF") returned 2 [0142.463] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="36") returned 2 [0142.463] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="4D") returned 2 [0142.463] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="7E") returned 2 [0142.463] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="32") returned 2 [0142.463] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="9E") returned 2 [0142.463] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="BE") returned 2 [0142.463] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="B7") returned 2 [0142.463] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="E7") returned 2 [0142.463] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="9E") returned 2 [0142.463] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="16") returned 2 [0142.463] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="7C") returned 2 [0142.463] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="0B") returned 2 [0142.463] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="17") returned 2 [0142.463] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="A3") returned 2 [0142.463] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="EF") returned 2 [0142.464] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="EE") returned 2 [0142.464] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="00") returned 2 [0142.464] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="C2") returned 2 [0142.464] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="AA") returned 2 [0142.464] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="0A") returned 2 [0142.464] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="76") returned 2 [0142.464] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="56") returned 2 [0142.464] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="B8") returned 2 [0142.464] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="21") returned 2 [0142.464] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="35") returned 2 [0142.464] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="93") returned 2 [0142.464] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="74") returned 2 [0142.464] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="F4") returned 2 [0142.464] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="F4") returned 2 [0142.464] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="1D") returned 2 [0142.464] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="70") returned 2 [0142.472] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk" [0142.472] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk" [0142.472] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk", lpString2=".CF364D7E329EBEB7E79E167C0B17A3EFEE00C2AA0A7656B821359374F4F41D70" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk.CF364D7E329EBEB7E79E167C0B17A3EFEE00C2AA0A7656B821359374F4F41D70") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk.CF364D7E329EBEB7E79E167C0B17A3EFEE00C2AA0A7656B821359374F4F41D70" [0142.472] CreateIoCompletionPort (FileHandle=0x124, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0142.472] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0142.472] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eb0f970, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x4eb0f970, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x4eb0f970, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x5a7, dwReserved0=0x4e29d8, dwReserved1=0x2c3b2ad8, cFileName="Launch Internet Explorer Browser.lnk", cAlternateFileName="LAUNCH~1.LNK")) returned 1 [0142.472] lstrcmpiW (lpString1="Launch Internet Explorer Browser.lnk", lpString2="Windows") returned -1 [0142.472] lstrcmpiW (lpString1="Launch Internet Explorer Browser.lnk", lpString2="Program Files") returned -1 [0142.473] lstrcmpiW (lpString1="Launch Internet Explorer Browser.lnk", lpString2="Program Files (x86)") returned -1 [0142.473] lstrcmpiW (lpString1="Launch Internet Explorer Browser.lnk", lpString2="$Recycle.bin") returned 1 [0142.473] lstrcmpiW (lpString1="Launch Internet Explorer Browser.lnk", lpString2="System Volume Information") returned -1 [0142.473] lstrcmpiW (lpString1="Launch Internet Explorer Browser.lnk", lpString2=".") returned 1 [0142.473] lstrcmpiW (lpString1="Launch Internet Explorer Browser.lnk", lpString2="..") returned 1 [0142.473] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Launch Internet Explorer Browser.lnk") returned 127 [0142.473] lstrcmpW (lpString1="Launch Internet Explorer Browser.lnk", lpString2="PUSSY.TXT") returned -1 [0142.473] PathFindExtensionW (pszPath="Launch Internet Explorer Browser.lnk") returned=".lnk" [0142.473] lstrlenW (lpString=".lnk") returned 4 [0142.473] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0142.473] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Launch Internet Explorer Browser.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\launch internet explorer browser.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d4 [0142.474] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=1447) returned 1 [0142.474] GetProcessHeap () returned 0x4c0000 [0142.474] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x553b30 [0142.483] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="3A") returned 2 [0142.483] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="3B") returned 2 [0142.484] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="3C") returned 2 [0142.484] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="88") returned 2 [0142.484] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="C8") returned 2 [0142.484] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="D0") returned 2 [0142.484] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="5D") returned 2 [0142.484] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="D3") returned 2 [0142.484] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="50") returned 2 [0142.484] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="7D") returned 2 [0142.484] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="10") returned 2 [0142.484] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="BB") returned 2 [0142.484] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="41") returned 2 [0142.484] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="35") returned 2 [0142.484] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="42") returned 2 [0142.484] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="65") returned 2 [0142.484] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="43") returned 2 [0142.484] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="6F") returned 2 [0142.484] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="44") returned 2 [0142.484] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="62") returned 2 [0142.484] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="71") returned 2 [0142.484] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="F1") returned 2 [0142.484] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="94") returned 2 [0142.484] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="1E") returned 2 [0142.484] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="4B") returned 2 [0142.484] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="0E") returned 2 [0142.484] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="43") returned 2 [0142.484] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="07") returned 2 [0142.484] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="F9") returned 2 [0142.484] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="50") returned 2 [0142.484] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="AB") returned 2 [0142.484] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="42") returned 2 [0142.540] lstrcpyW (in: lpString1=0x563b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Launch Internet Explorer Browser.lnk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Launch Internet Explorer Browser.lnk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Launch Internet Explorer Browser.lnk" [0142.540] lstrcpyW (in: lpString1=0x553b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Launch Internet Explorer Browser.lnk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Launch Internet Explorer Browser.lnk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Launch Internet Explorer Browser.lnk" [0142.540] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Launch Internet Explorer Browser.lnk", lpString2=".3A3B3C88C8D05DD3507D10BB41354265436F446271F1941E4B0E4307F950AB42" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Launch Internet Explorer Browser.lnk.3A3B3C88C8D05DD3507D10BB41354265436F446271F1941E4B0E4307F950AB42") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Launch Internet Explorer Browser.lnk.3A3B3C88C8D05DD3507D10BB41354265436F446271F1941E4B0E4307F950AB42" [0142.541] CreateIoCompletionPort (FileHandle=0x1d4, ExistingCompletionPort=0x94, CompletionKey=0x553b30, NumberOfConcurrentThreads=0x0) returned 0x94 [0142.541] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x553b30, lpOverlapped=0x553b30) returned 1 [0142.541] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28dbdd20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28dbdd20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x7e11d030, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x122, dwReserved0=0x4e29d8, dwReserved1=0x2c3b2ad8, cFileName="Shows Desktop.lnk", cAlternateFileName="SHOWSD~1.LNK")) returned 1 [0142.541] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="Windows") returned -1 [0142.541] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="Program Files") returned 1 [0142.541] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="Program Files (x86)") returned 1 [0142.541] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="$Recycle.bin") returned 1 [0142.541] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="System Volume Information") returned -1 [0142.541] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2=".") returned 1 [0142.541] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="..") returned 1 [0142.541] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk") returned 108 [0142.541] lstrcmpW (lpString1="Shows Desktop.lnk", lpString2="PUSSY.TXT") returned 1 [0142.541] PathFindExtensionW (pszPath="Shows Desktop.lnk") returned=".lnk" [0142.542] lstrlenW (lpString=".lnk") returned 4 [0142.542] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0142.542] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\shows desktop.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x124 [0142.543] GetFileSizeEx (in: hFile=0x124, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=290) returned 1 [0142.543] CloseHandle (hObject=0x124) returned 1 [0142.543] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x119ccee, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2c3b2ad8, cFileName="User Pinned", cAlternateFileName="USERPI~1")) returned 1 [0142.543] lstrcmpiW (lpString1="User Pinned", lpString2="Windows") returned -1 [0142.543] lstrcmpiW (lpString1="User Pinned", lpString2="Program Files") returned 1 [0142.543] lstrcmpiW (lpString1="User Pinned", lpString2="Program Files (x86)") returned 1 [0142.543] lstrcmpiW (lpString1="User Pinned", lpString2="$Recycle.bin") returned 1 [0142.543] lstrcmpiW (lpString1="User Pinned", lpString2="System Volume Information") returned 1 [0142.543] lstrcmpiW (lpString1="User Pinned", lpString2=".") returned 1 [0142.543] lstrcmpiW (lpString1="User Pinned", lpString2="..") returned 1 [0142.543] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned") returned 102 [0142.543] GetProcessHeap () returned 0x4c0000 [0142.543] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0142.544] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned" [0142.544] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*" [0142.545] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x119ccee, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0142.545] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0142.545] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0142.545] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0142.545] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0142.545] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0142.545] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0142.545] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x119ccee, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0142.545] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0142.545] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0142.545] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0142.545] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0142.545] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0142.545] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0142.545] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0142.545] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf98cef90, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="ImplicitAppShortcuts", cAlternateFileName="IMPLIC~1")) returned 1 [0142.545] lstrcmpiW (lpString1="ImplicitAppShortcuts", lpString2="Windows") returned -1 [0142.545] lstrcmpiW (lpString1="ImplicitAppShortcuts", lpString2="Program Files") returned -1 [0142.546] lstrcmpiW (lpString1="ImplicitAppShortcuts", lpString2="Program Files (x86)") returned -1 [0142.546] lstrcmpiW (lpString1="ImplicitAppShortcuts", lpString2="$Recycle.bin") returned 1 [0142.546] lstrcmpiW (lpString1="ImplicitAppShortcuts", lpString2="System Volume Information") returned -1 [0142.546] lstrcmpiW (lpString1="ImplicitAppShortcuts", lpString2=".") returned 1 [0142.546] lstrcmpiW (lpString1="ImplicitAppShortcuts", lpString2="..") returned 1 [0142.546] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts") returned 123 [0142.546] GetProcessHeap () returned 0x4c0000 [0142.546] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bd80e8 [0142.546] lstrcpyW (in: lpString1=0x3bd80e8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts" [0142.546] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*" [0142.546] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf98cef90, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff8dec9a, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0142.547] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0142.547] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0142.547] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0142.547] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0142.547] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0142.547] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0142.547] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf98cef90, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff8dec9a, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0142.547] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0142.547] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0142.547] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0142.547] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0142.547] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0142.547] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0142.547] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0142.548] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf98cef90, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff8dec9a, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0142.548] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0142.548] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\PUSSY.TXT") returned 133 [0142.548] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\implicitappshortcuts\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0142.550] lstrlenA (lpString="abcd") returned 4 [0142.550] WriteFile (in: hFile=0x178, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0142.551] CloseHandle (hObject=0x178) returned 1 [0142.551] GetProcessHeap () returned 0x4c0000 [0142.551] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bd80e8 | out: hHeap=0x4c0000) returned 1 [0142.551] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb65d71b0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb65d71b0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="TaskBar", cAlternateFileName="")) returned 1 [0142.552] lstrcmpiW (lpString1="TaskBar", lpString2="Windows") returned -1 [0142.552] lstrcmpiW (lpString1="TaskBar", lpString2="Program Files") returned 1 [0142.552] lstrcmpiW (lpString1="TaskBar", lpString2="Program Files (x86)") returned 1 [0142.552] lstrcmpiW (lpString1="TaskBar", lpString2="$Recycle.bin") returned 1 [0142.552] lstrcmpiW (lpString1="TaskBar", lpString2="System Volume Information") returned 1 [0142.552] lstrcmpiW (lpString1="TaskBar", lpString2=".") returned 1 [0142.552] lstrcmpiW (lpString1="TaskBar", lpString2="..") returned 1 [0142.552] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar") returned 110 [0142.552] GetProcessHeap () returned 0x4c0000 [0142.552] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bd80e8 [0142.552] lstrcpyW (in: lpString1=0x3bd80e8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar" [0142.552] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*" [0142.552] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb65d71b0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb65d71b0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff8dec9a, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0142.552] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0142.552] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0142.552] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0142.552] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0142.552] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0142.552] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0142.552] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb65d71b0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb65d71b0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff8dec9a, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0142.552] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0142.552] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0142.552] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0142.552] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0142.553] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0142.553] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0142.553] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0142.553] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x28dbdd20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28dbdd20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dc4b320, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0xff8dec9a, dwReserved1=0xfe000000, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0142.553] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0142.553] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0142.553] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0142.553] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0142.553] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0142.553] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0142.553] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0142.553] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini") returned 122 [0142.553] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0142.553] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0142.553] lstrlenW (lpString=".ini") returned 4 [0142.553] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0142.553] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x180 [0142.554] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=412) returned 1 [0142.554] CloseHandle (hObject=0x180) returned 1 [0142.554] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e02c640, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7e02c640, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7df47e00, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x8dd, dwReserved0=0xff8dec9a, dwReserved1=0xfe000000, cFileName="Google Chrome.lnk", cAlternateFileName="GOOGLE~1.LNK")) returned 1 [0142.554] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="Windows") returned -1 [0142.554] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="Program Files") returned -1 [0142.554] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="Program Files (x86)") returned -1 [0142.554] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="$Recycle.bin") returned 1 [0142.554] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="System Volume Information") returned -1 [0142.554] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2=".") returned 1 [0142.554] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="..") returned 1 [0142.554] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Google Chrome.lnk") returned 128 [0142.554] lstrcmpW (lpString1="Google Chrome.lnk", lpString2="PUSSY.TXT") returned -1 [0142.554] PathFindExtensionW (pszPath="Google Chrome.lnk") returned=".lnk" [0142.554] lstrlenW (lpString=".lnk") returned 4 [0142.554] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0142.554] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Google Chrome.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\google chrome.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x180 [0142.555] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=2269) returned 1 [0142.555] GetProcessHeap () returned 0x4c0000 [0142.555] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0142.566] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="20") returned 2 [0142.566] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="F9") returned 2 [0142.567] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="7A") returned 2 [0142.567] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="29") returned 2 [0142.567] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="CA") returned 2 [0142.567] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="19") returned 2 [0142.567] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="90") returned 2 [0142.567] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="06") returned 2 [0142.567] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="5A") returned 2 [0142.567] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="FF") returned 2 [0142.567] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="F0") returned 2 [0142.567] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="3C") returned 2 [0142.567] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="45") returned 2 [0142.567] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="2F") returned 2 [0142.567] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="9B") returned 2 [0142.567] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="CF") returned 2 [0142.567] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="10") returned 2 [0142.567] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="DF") returned 2 [0142.567] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="E6") returned 2 [0142.567] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="C0") returned 2 [0142.567] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="EF") returned 2 [0142.567] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="CD") returned 2 [0142.567] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="15") returned 2 [0142.567] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="7C") returned 2 [0142.567] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="A3") returned 2 [0142.568] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="F6") returned 2 [0142.568] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="BC") returned 2 [0142.568] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="00") returned 2 [0142.568] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="B2") returned 2 [0142.568] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="4C") returned 2 [0142.568] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="D1") returned 2 [0142.568] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="36") returned 2 [0142.578] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Google Chrome.lnk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Google Chrome.lnk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Google Chrome.lnk" [0142.578] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Google Chrome.lnk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Google Chrome.lnk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Google Chrome.lnk" [0142.578] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Google Chrome.lnk", lpString2=".20F97A29CA1990065AFFF03C452F9BCF10DFE6C0EFCD157CA3F6BC00B24CD136" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Google Chrome.lnk.20F97A29CA1990065AFFF03C452F9BCF10DFE6C0EFCD157CA3F6BC00B24CD136") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Google Chrome.lnk.20F97A29CA1990065AFFF03C452F9BCF10DFE6C0EFCD157CA3F6BC00B24CD136" [0142.578] CreateIoCompletionPort (FileHandle=0x180, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0142.578] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0142.579] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2dc251c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2dc251c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d7ae880, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x5ad, dwReserved0=0xff8dec9a, dwReserved1=0xfe000000, cFileName="Internet Explorer (2).lnk", cAlternateFileName="INTERN~2.LNK")) returned 1 [0142.579] lstrcmpiW (lpString1="Internet Explorer (2).lnk", lpString2="Windows") returned -1 [0142.582] lstrcmpiW (lpString1="Internet Explorer (2).lnk", lpString2="Program Files") returned -1 [0142.582] lstrcmpiW (lpString1="Internet Explorer (2).lnk", lpString2="Program Files (x86)") returned -1 [0142.582] lstrcmpiW (lpString1="Internet Explorer (2).lnk", lpString2="$Recycle.bin") returned 1 [0142.582] lstrcmpiW (lpString1="Internet Explorer (2).lnk", lpString2="System Volume Information") returned -1 [0142.582] lstrcmpiW (lpString1="Internet Explorer (2).lnk", lpString2=".") returned 1 [0142.582] lstrcmpiW (lpString1="Internet Explorer (2).lnk", lpString2="..") returned 1 [0142.582] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer (2).lnk") returned 136 [0142.582] lstrcmpW (lpString1="Internet Explorer (2).lnk", lpString2="PUSSY.TXT") returned -1 [0142.582] PathFindExtensionW (pszPath="Internet Explorer (2).lnk") returned=".lnk" [0142.582] lstrlenW (lpString=".lnk") returned 4 [0142.582] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0142.582] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer (2).lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\internet explorer (2).lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0142.583] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=1453) returned 1 [0142.583] GetProcessHeap () returned 0x4c0000 [0142.584] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0142.594] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="6E") returned 2 [0142.594] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="00") returned 2 [0142.594] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="02") returned 2 [0142.594] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="0A") returned 2 [0142.595] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="45") returned 2 [0142.595] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="9D") returned 2 [0142.595] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="99") returned 2 [0142.595] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="D4") returned 2 [0142.595] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="78") returned 2 [0142.595] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="EB") returned 2 [0142.595] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="7B") returned 2 [0142.595] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="F8") returned 2 [0142.595] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="3B") returned 2 [0142.595] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="D9") returned 2 [0142.595] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="A6") returned 2 [0142.595] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="26") returned 2 [0142.595] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="3F") returned 2 [0142.595] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="81") returned 2 [0142.595] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="96") returned 2 [0142.595] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="BC") returned 2 [0142.595] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="6B") returned 2 [0142.595] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="58") returned 2 [0142.595] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="BA") returned 2 [0142.595] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="2D") returned 2 [0142.595] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="5D") returned 2 [0142.595] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="9F") returned 2 [0142.595] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="E4") returned 2 [0142.595] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="80") returned 2 [0142.595] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="2C") returned 2 [0142.595] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="03") returned 2 [0142.596] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="94") returned 2 [0142.596] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="71") returned 2 [0142.604] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer (2).lnk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer (2).lnk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer (2).lnk" [0142.604] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer (2).lnk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer (2).lnk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer (2).lnk" [0142.604] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer (2).lnk", lpString2=".6E00020A459D99D478EB7BF83BD9A6263F8196BC6B58BA2D5D9FE4802C039471" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer (2).lnk.6E00020A459D99D478EB7BF83BD9A6263F8196BC6B58BA2D5D9FE4802C039471") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer (2).lnk.6E00020A459D99D478EB7BF83BD9A6263F8196BC6B58BA2D5D9FE4802C039471" [0142.604] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0142.604] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0142.605] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28dbdd20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28dbdd20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x921e7f, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x5a9, dwReserved0=0xff8dec9a, dwReserved1=0xfe000000, cFileName="Internet Explorer.lnk", cAlternateFileName="INTERN~1.LNK")) returned 1 [0142.608] lstrcmpiW (lpString1="Internet Explorer.lnk", lpString2="Windows") returned -1 [0142.608] lstrcmpiW (lpString1="Internet Explorer.lnk", lpString2="Program Files") returned -1 [0142.608] lstrcmpiW (lpString1="Internet Explorer.lnk", lpString2="Program Files (x86)") returned -1 [0142.608] lstrcmpiW (lpString1="Internet Explorer.lnk", lpString2="$Recycle.bin") returned 1 [0142.611] lstrcmpiW (lpString1="Internet Explorer.lnk", lpString2="System Volume Information") returned -1 [0142.611] lstrcmpiW (lpString1="Internet Explorer.lnk", lpString2=".") returned 1 [0142.611] lstrcmpiW (lpString1="Internet Explorer.lnk", lpString2="..") returned 1 [0142.611] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk") returned 132 [0142.611] lstrcmpW (lpString1="Internet Explorer.lnk", lpString2="PUSSY.TXT") returned -1 [0142.611] PathFindExtensionW (pszPath="Internet Explorer.lnk") returned=".lnk" [0142.612] lstrlenW (lpString=".lnk") returned 4 [0142.612] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0142.612] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\internet explorer.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0142.613] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=1449) returned 1 [0142.613] GetProcessHeap () returned 0x4c0000 [0142.613] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0142.622] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="A3") returned 2 [0142.622] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="1A") returned 2 [0142.622] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="98") returned 2 [0142.622] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="49") returned 2 [0142.622] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="94") returned 2 [0142.622] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="FA") returned 2 [0142.622] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="1E") returned 2 [0142.622] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="0F") returned 2 [0142.622] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="77") returned 2 [0142.622] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="48") returned 2 [0142.622] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="F7") returned 2 [0142.622] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="C0") returned 2 [0142.622] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="23") returned 2 [0142.622] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="2C") returned 2 [0142.622] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="3B") returned 2 [0142.622] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="5D") returned 2 [0142.623] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="5A") returned 2 [0142.623] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="88") returned 2 [0142.623] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="99") returned 2 [0142.623] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="FD") returned 2 [0142.623] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="83") returned 2 [0142.623] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="32") returned 2 [0142.623] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="45") returned 2 [0142.623] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="73") returned 2 [0142.623] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="F4") returned 2 [0142.623] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="9A") returned 2 [0142.623] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="50") returned 2 [0142.623] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="60") returned 2 [0142.623] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="33") returned 2 [0142.623] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="EE") returned 2 [0142.623] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="A5") returned 2 [0142.623] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="5D") returned 2 [0142.632] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk" [0142.632] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk" [0142.632] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk", lpString2=".A31A984994FA1E0F7748F7C0232C3B5D5A8899FD83324573F49A506033EEA55D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk.A31A984994FA1E0F7748F7C0232C3B5D5A8899FD83324573F49A506033EEA55D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk.A31A984994FA1E0F7748F7C0232C3B5D5A8899FD83324573F49A506033EEA55D" [0142.632] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0142.632] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0142.633] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0de7e00, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb65d71b0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb65d71b0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x491, dwReserved0=0xff8dec9a, dwReserved1=0xfe000000, cFileName="Mozilla Firefox.lnk", cAlternateFileName="MOZILL~1.LNK")) returned 1 [0142.633] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="Windows") returned -1 [0142.633] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="Program Files") returned -1 [0142.635] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="Program Files (x86)") returned -1 [0142.636] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="$Recycle.bin") returned 1 [0142.636] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="System Volume Information") returned -1 [0142.636] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2=".") returned 1 [0142.636] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="..") returned 1 [0142.639] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Mozilla Firefox.lnk") returned 130 [0142.639] lstrcmpW (lpString1="Mozilla Firefox.lnk", lpString2="PUSSY.TXT") returned -1 [0142.639] PathFindExtensionW (pszPath="Mozilla Firefox.lnk") returned=".lnk" [0142.639] lstrlenW (lpString=".lnk") returned 4 [0142.639] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0142.639] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Mozilla Firefox.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\mozilla firefox.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0142.640] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=1169) returned 1 [0142.640] GetProcessHeap () returned 0x4c0000 [0142.640] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0142.648] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="59") returned 2 [0142.648] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="B0") returned 2 [0142.648] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="B3") returned 2 [0142.648] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="BB") returned 2 [0142.648] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="06") returned 2 [0142.648] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="89") returned 2 [0142.648] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="06") returned 2 [0142.648] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="10") returned 2 [0142.648] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="01") returned 2 [0142.648] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="E4") returned 2 [0142.648] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="58") returned 2 [0142.648] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="16") returned 2 [0142.648] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="D4") returned 2 [0142.648] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="5C") returned 2 [0142.648] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="8E") returned 2 [0142.648] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="02") returned 2 [0142.648] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="CE") returned 2 [0142.649] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="D8") returned 2 [0142.649] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="4B") returned 2 [0142.649] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="20") returned 2 [0142.649] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="43") returned 2 [0142.649] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="F1") returned 2 [0142.649] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="28") returned 2 [0142.649] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="50") returned 2 [0142.649] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="48") returned 2 [0142.649] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="90") returned 2 [0142.649] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="9A") returned 2 [0142.649] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="7F") returned 2 [0142.649] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="25") returned 2 [0142.649] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="D7") returned 2 [0142.649] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="FD") returned 2 [0142.649] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="42") returned 2 [0142.658] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Mozilla Firefox.lnk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Mozilla Firefox.lnk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Mozilla Firefox.lnk" [0142.658] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Mozilla Firefox.lnk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Mozilla Firefox.lnk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Mozilla Firefox.lnk" [0142.658] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Mozilla Firefox.lnk", lpString2=".59B0B3BB0689061001E45816D45C8E02CED84B2043F1285048909A7F25D7FD42" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Mozilla Firefox.lnk.59B0B3BB0689061001E45816D45C8E02CED84B2043F1285048909A7F25D7FD42") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Mozilla Firefox.lnk.59B0B3BB0689061001E45816D45C8E02CED84B2043F1285048909A7F25D7FD42" [0142.658] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0142.658] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0142.684] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2dc4b320, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2dc4b320, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x7dfa026d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x4cc, dwReserved0=0xff8dec9a, dwReserved1=0xfe000000, cFileName="Windows Explorer (2).lnk", cAlternateFileName="WINDOW~3.LNK")) returned 1 [0142.684] lstrcmpiW (lpString1="Windows Explorer (2).lnk", lpString2="Windows") returned 1 [0142.684] lstrcmpiW (lpString1="Windows Explorer (2).lnk", lpString2="Program Files") returned 1 [0142.684] lstrcmpiW (lpString1="Windows Explorer (2).lnk", lpString2="Program Files (x86)") returned 1 [0142.684] lstrcmpiW (lpString1="Windows Explorer (2).lnk", lpString2="$Recycle.bin") returned 1 [0142.684] lstrcmpiW (lpString1="Windows Explorer (2).lnk", lpString2="System Volume Information") returned 1 [0142.684] lstrcmpiW (lpString1="Windows Explorer (2).lnk", lpString2=".") returned 1 [0142.684] lstrcmpiW (lpString1="Windows Explorer (2).lnk", lpString2="..") returned 1 [0142.685] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer (2).lnk") returned 135 [0142.685] lstrcmpW (lpString1="Windows Explorer (2).lnk", lpString2="PUSSY.TXT") returned 1 [0142.685] PathFindExtensionW (pszPath="Windows Explorer (2).lnk") returned=".lnk" [0142.685] lstrlenW (lpString=".lnk") returned 4 [0142.685] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0142.685] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer (2).lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows explorer (2).lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x180 [0142.686] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=1228) returned 1 [0142.686] GetProcessHeap () returned 0x4c0000 [0142.686] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0142.697] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="F4") returned 2 [0142.697] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="2B") returned 2 [0142.697] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="FB") returned 2 [0142.697] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="D1") returned 2 [0142.697] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="8F") returned 2 [0142.697] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="AE") returned 2 [0142.697] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="15") returned 2 [0142.697] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="A6") returned 2 [0142.697] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="06") returned 2 [0142.697] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="13") returned 2 [0142.697] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="9C") returned 2 [0142.697] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="5B") returned 2 [0142.697] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="33") returned 2 [0142.697] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="BA") returned 2 [0142.697] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="0C") returned 2 [0142.697] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="17") returned 2 [0142.697] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="05") returned 2 [0142.697] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="F9") returned 2 [0142.698] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="C1") returned 2 [0142.698] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="E8") returned 2 [0142.698] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="8B") returned 2 [0142.698] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="F6") returned 2 [0142.698] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="BF") returned 2 [0142.698] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="59") returned 2 [0142.698] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="CB") returned 2 [0142.698] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="93") returned 2 [0142.698] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="54") returned 2 [0142.698] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="44") returned 2 [0142.698] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="BF") returned 2 [0142.698] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="8D") returned 2 [0142.698] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="B2") returned 2 [0142.698] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="62") returned 2 [0142.706] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer (2).lnk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer (2).lnk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer (2).lnk" [0142.706] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer (2).lnk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer (2).lnk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer (2).lnk" [0142.706] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer (2).lnk", lpString2=".F42BFBD18FAE15A606139C5B33BA0C1705F9C1E88BF6BF59CB935444BF8DB262" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer (2).lnk.F42BFBD18FAE15A606139C5B33BA0C1705F9C1E88BF6BF59CB935444BF8DB262") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer (2).lnk.F42BFBD18FAE15A606139C5B33BA0C1705F9C1E88BF6BF59CB935444BF8DB262" [0142.706] CreateIoCompletionPort (FileHandle=0x180, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0142.706] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0142.707] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28dbdd20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28dbdd20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x7dfa026d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x4cc, dwReserved0=0xff8dec9a, dwReserved1=0xfe000000, cFileName="Windows Explorer.lnk", cAlternateFileName="WINDOW~2.LNK")) returned 1 [0142.711] lstrcmpiW (lpString1="Windows Explorer.lnk", lpString2="Windows") returned 1 [0142.711] lstrcmpiW (lpString1="Windows Explorer.lnk", lpString2="Program Files") returned 1 [0142.711] lstrcmpiW (lpString1="Windows Explorer.lnk", lpString2="Program Files (x86)") returned 1 [0142.711] lstrcmpiW (lpString1="Windows Explorer.lnk", lpString2="$Recycle.bin") returned 1 [0142.711] lstrcmpiW (lpString1="Windows Explorer.lnk", lpString2="System Volume Information") returned 1 [0142.711] lstrcmpiW (lpString1="Windows Explorer.lnk", lpString2=".") returned 1 [0142.711] lstrcmpiW (lpString1="Windows Explorer.lnk", lpString2="..") returned 1 [0142.717] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk") returned 131 [0142.717] lstrcmpW (lpString1="Windows Explorer.lnk", lpString2="PUSSY.TXT") returned 1 [0142.717] PathFindExtensionW (pszPath="Windows Explorer.lnk") returned=".lnk" [0142.717] lstrlenW (lpString=".lnk") returned 4 [0142.717] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0142.717] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows explorer.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x180 [0142.718] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=1228) returned 1 [0142.718] GetProcessHeap () returned 0x4c0000 [0142.718] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0142.729] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="6A") returned 2 [0142.729] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="9E") returned 2 [0142.729] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="11") returned 2 [0142.729] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="40") returned 2 [0142.729] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="E3") returned 2 [0142.729] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="01") returned 2 [0142.730] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="D3") returned 2 [0142.730] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="51") returned 2 [0142.730] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="3A") returned 2 [0142.730] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="8B") returned 2 [0142.730] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="AA") returned 2 [0142.730] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="03") returned 2 [0142.730] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="35") returned 2 [0142.730] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="A3") returned 2 [0142.730] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="33") returned 2 [0142.730] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="C0") returned 2 [0142.730] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="95") returned 2 [0142.730] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="8C") returned 2 [0142.730] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="BF") returned 2 [0142.730] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="BC") returned 2 [0142.730] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="EF") returned 2 [0142.730] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="48") returned 2 [0142.730] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="58") returned 2 [0142.730] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="29") returned 2 [0142.730] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="35") returned 2 [0142.730] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="AC") returned 2 [0142.730] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="3D") returned 2 [0142.730] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="83") returned 2 [0142.730] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="13") returned 2 [0142.730] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="07") returned 2 [0142.730] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="06") returned 2 [0142.730] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="5D") returned 2 [0142.739] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk" [0142.739] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk" [0142.739] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk", lpString2=".6A9E1140E301D3513A8BAA0335A333C0958CBFBCEF48582935AC3D831307065D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk.6A9E1140E301D3513A8BAA0335A333C0958CBFBCEF48582935AC3D831307065D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk.6A9E1140E301D3513A8BAA0335A333C0958CBFBCEF48582935AC3D831307065D" [0142.739] CreateIoCompletionPort (FileHandle=0x180, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0142.739] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0142.746] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2dc4b320, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2dc4b320, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd869fe87, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x60b, dwReserved0=0xff8dec9a, dwReserved1=0xfe000000, cFileName="Windows Media Player (2).lnk", cAlternateFileName="WINDOW~4.LNK")) returned 1 [0142.746] lstrcmpiW (lpString1="Windows Media Player (2).lnk", lpString2="Windows") returned 1 [0142.746] lstrcmpiW (lpString1="Windows Media Player (2).lnk", lpString2="Program Files") returned 1 [0142.746] lstrcmpiW (lpString1="Windows Media Player (2).lnk", lpString2="Program Files (x86)") returned 1 [0142.746] lstrcmpiW (lpString1="Windows Media Player (2).lnk", lpString2="$Recycle.bin") returned 1 [0142.746] lstrcmpiW (lpString1="Windows Media Player (2).lnk", lpString2="System Volume Information") returned 1 [0142.746] lstrcmpiW (lpString1="Windows Media Player (2).lnk", lpString2=".") returned 1 [0142.746] lstrcmpiW (lpString1="Windows Media Player (2).lnk", lpString2="..") returned 1 [0142.746] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player (2).lnk") returned 139 [0142.746] lstrcmpW (lpString1="Windows Media Player (2).lnk", lpString2="PUSSY.TXT") returned 1 [0142.746] PathFindExtensionW (pszPath="Windows Media Player (2).lnk") returned=".lnk" [0142.746] lstrlenW (lpString=".lnk") returned 4 [0142.746] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0142.746] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player (2).lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows media player (2).lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x180 [0142.747] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=1547) returned 1 [0142.747] GetProcessHeap () returned 0x4c0000 [0142.747] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0142.756] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="76") returned 2 [0142.756] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="F1") returned 2 [0142.756] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="25") returned 2 [0142.756] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="7D") returned 2 [0142.756] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="89") returned 2 [0142.756] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="19") returned 2 [0142.756] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="9D") returned 2 [0142.756] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="A0") returned 2 [0142.756] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="F2") returned 2 [0142.756] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="21") returned 2 [0142.756] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="0F") returned 2 [0142.756] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="08") returned 2 [0142.756] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="07") returned 2 [0142.756] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="BD") returned 2 [0142.756] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="B6") returned 2 [0142.756] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="7C") returned 2 [0142.756] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="78") returned 2 [0142.756] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="74") returned 2 [0142.756] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="C1") returned 2 [0142.756] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="8E") returned 2 [0142.756] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="F1") returned 2 [0142.756] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="77") returned 2 [0142.756] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="96") returned 2 [0142.756] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="3A") returned 2 [0142.756] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="68") returned 2 [0142.756] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="A2") returned 2 [0142.756] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="F6") returned 2 [0142.756] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="50") returned 2 [0142.756] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="5A") returned 2 [0142.756] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="A2") returned 2 [0142.756] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="9C") returned 2 [0142.756] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="15") returned 2 [0142.766] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player (2).lnk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player (2).lnk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player (2).lnk" [0142.766] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player (2).lnk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player (2).lnk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player (2).lnk" [0142.766] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player (2).lnk", lpString2=".76F1257D89199DA0F2210F0807BDB67C7874C18EF177963A68A2F6505AA29C15" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player (2).lnk.76F1257D89199DA0F2210F0807BDB67C7874C18EF177963A68A2F6505AA29C15") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player (2).lnk.76F1257D89199DA0F2210F0807BDB67C7874C18EF177963A68A2F6505AA29C15" [0142.766] CreateIoCompletionPort (FileHandle=0x180, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0142.766] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0142.766] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28dbdd20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28dbdd20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2e24b3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x60b, dwReserved0=0xff8dec9a, dwReserved1=0xfe000000, cFileName="Windows Media Player.lnk", cAlternateFileName="WINDOW~1.LNK")) returned 1 [0142.766] lstrcmpiW (lpString1="Windows Media Player.lnk", lpString2="Windows") returned 1 [0142.766] lstrcmpiW (lpString1="Windows Media Player.lnk", lpString2="Program Files") returned 1 [0142.766] lstrcmpiW (lpString1="Windows Media Player.lnk", lpString2="Program Files (x86)") returned 1 [0142.766] lstrcmpiW (lpString1="Windows Media Player.lnk", lpString2="$Recycle.bin") returned 1 [0142.767] lstrcmpiW (lpString1="Windows Media Player.lnk", lpString2="System Volume Information") returned 1 [0142.767] lstrcmpiW (lpString1="Windows Media Player.lnk", lpString2=".") returned 1 [0142.767] lstrcmpiW (lpString1="Windows Media Player.lnk", lpString2="..") returned 1 [0142.767] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk") returned 135 [0142.767] lstrcmpW (lpString1="Windows Media Player.lnk", lpString2="PUSSY.TXT") returned 1 [0142.767] PathFindExtensionW (pszPath="Windows Media Player.lnk") returned=".lnk" [0142.767] lstrlenW (lpString=".lnk") returned 4 [0142.767] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0142.767] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows media player.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d4 [0142.768] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=1547) returned 1 [0142.768] GetProcessHeap () returned 0x4c0000 [0142.768] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c28098 [0142.783] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="2F") returned 2 [0142.783] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="4E") returned 2 [0142.783] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="55") returned 2 [0142.783] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="1F") returned 2 [0142.783] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="AC") returned 2 [0142.783] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="7F") returned 2 [0142.783] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="C9") returned 2 [0142.783] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="2B") returned 2 [0142.783] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="C5") returned 2 [0142.783] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="0F") returned 2 [0142.783] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="67") returned 2 [0142.783] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="80") returned 2 [0142.783] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="C9") returned 2 [0142.783] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="FC") returned 2 [0142.783] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="2A") returned 2 [0142.783] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="79") returned 2 [0142.783] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="DE") returned 2 [0142.783] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="3B") returned 2 [0142.783] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="33") returned 2 [0142.783] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="44") returned 2 [0142.784] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="8D") returned 2 [0142.784] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="83") returned 2 [0142.784] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="15") returned 2 [0142.784] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="EB") returned 2 [0142.784] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="A3") returned 2 [0142.784] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="8A") returned 2 [0142.784] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="8F") returned 2 [0142.784] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="61") returned 2 [0142.784] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="8E") returned 2 [0142.784] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="09") returned 2 [0142.784] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="AD") returned 2 [0142.784] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="55") returned 2 [0142.793] lstrcpyW (in: lpString1=0x3c380cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk" [0142.793] lstrcpyW (in: lpString1=0x3c280cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk" [0142.793] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk", lpString2=".2F4E551FAC7FC92BC50F6780C9FC2A79DE3B33448D8315EBA38A8F618E09AD55" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk.2F4E551FAC7FC92BC50F6780C9FC2A79DE3B33448D8315EBA38A8F618E09AD55") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk.2F4E551FAC7FC92BC50F6780C9FC2A79DE3B33448D8315EBA38A8F618E09AD55" [0142.793] CreateIoCompletionPort (FileHandle=0x1d4, ExistingCompletionPort=0x94, CompletionKey=0x3c28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0142.793] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c28098, lpOverlapped=0x3c28098) returned 1 [0142.811] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28dbdd20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28dbdd20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2e24b3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x60b, dwReserved0=0xff8dec9a, dwReserved1=0xfe000000, cFileName="Windows Media Player.lnk", cAlternateFileName="WINDOW~1.LNK")) returned 0 [0142.811] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0142.811] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\PUSSY.TXT") returned 120 [0142.811] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0142.813] lstrlenA (lpString="abcd") returned 4 [0142.813] WriteFile (in: hFile=0x178, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0142.814] CloseHandle (hObject=0x178) returned 1 [0142.814] GetProcessHeap () returned 0x4c0000 [0142.814] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bd80e8 | out: hHeap=0x4c0000) returned 1 [0142.814] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb65d71b0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb65d71b0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="TaskBar", cAlternateFileName="")) returned 0 [0142.814] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0142.814] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\PUSSY.TXT") returned 112 [0142.814] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x124 [0142.819] lstrlenA (lpString="abcd") returned 4 [0142.819] WriteFile (in: hFile=0x124, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0142.820] CloseHandle (hObject=0x124) returned 1 [0142.820] GetProcessHeap () returned 0x4c0000 [0142.820] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0142.820] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28dbdd20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28dbdd20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x7e143190, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x110, dwReserved0=0x4e29d8, dwReserved1=0x2c3b2ad8, cFileName="Window Switcher.lnk", cAlternateFileName="WINDOW~1.LNK")) returned 1 [0142.820] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="Windows") returned -1 [0142.820] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="Program Files") returned 1 [0142.820] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="Program Files (x86)") returned 1 [0142.820] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="$Recycle.bin") returned 1 [0142.820] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="System Volume Information") returned 1 [0142.820] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2=".") returned 1 [0142.820] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="..") returned 1 [0142.820] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk") returned 110 [0142.821] lstrcmpW (lpString1="Window Switcher.lnk", lpString2="PUSSY.TXT") returned 1 [0142.821] PathFindExtensionW (pszPath="Window Switcher.lnk") returned=".lnk" [0142.821] lstrlenW (lpString=".lnk") returned 4 [0142.821] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0142.821] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\window switcher.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x124 [0142.822] GetFileSizeEx (in: hFile=0x124, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=272) returned 1 [0142.822] CloseHandle (hObject=0x124) returned 1 [0142.822] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28dbdd20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28dbdd20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x7e143190, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x110, dwReserved0=0x4e29d8, dwReserved1=0x2c3b2ad8, cFileName="Window Switcher.lnk", cAlternateFileName="WINDOW~1.LNK")) returned 0 [0142.822] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0142.822] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\PUSSY.TXT") returned 100 [0142.822] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0142.823] lstrlenA (lpString="abcd") returned 4 [0142.823] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0142.824] CloseHandle (hObject=0x18c) returned 1 [0142.824] GetProcessHeap () returned 0x4c0000 [0142.824] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0142.826] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54b77470, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b77470, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b77470, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="UserData", cAlternateFileName="")) returned 1 [0142.826] lstrcmpiW (lpString1="UserData", lpString2="Windows") returned -1 [0142.826] lstrcmpiW (lpString1="UserData", lpString2="Program Files") returned 1 [0142.826] lstrcmpiW (lpString1="UserData", lpString2="Program Files (x86)") returned 1 [0142.826] lstrcmpiW (lpString1="UserData", lpString2="$Recycle.bin") returned 1 [0142.826] lstrcmpiW (lpString1="UserData", lpString2="System Volume Information") returned 1 [0142.826] lstrcmpiW (lpString1="UserData", lpString2=".") returned 1 [0142.827] lstrcmpiW (lpString1="UserData", lpString2="..") returned 1 [0142.845] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData") returned 86 [0142.845] GetProcessHeap () returned 0x4c0000 [0142.845] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0142.846] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData" [0142.846] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\*" [0142.846] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54b77470, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b77470, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b77470, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2c3b2ad8, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0142.847] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0142.847] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0142.847] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0142.847] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0142.847] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0142.847] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0142.847] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54b77470, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b77470, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b77470, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2c3b2ad8, cFileName="..", cAlternateFileName="")) returned 1 [0142.847] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0142.847] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0142.847] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0142.847] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0142.847] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0142.847] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0142.847] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0142.847] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x54b77470, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b9d5d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b9d5d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2c3b2ad8, cFileName="Low", cAlternateFileName="")) returned 1 [0142.847] lstrcmpiW (lpString1="Low", lpString2="Windows") returned -1 [0142.847] lstrcmpiW (lpString1="Low", lpString2="Program Files") returned -1 [0142.847] lstrcmpiW (lpString1="Low", lpString2="Program Files (x86)") returned -1 [0142.847] lstrcmpiW (lpString1="Low", lpString2="$Recycle.bin") returned 1 [0142.848] lstrcmpiW (lpString1="Low", lpString2="System Volume Information") returned -1 [0142.848] lstrcmpiW (lpString1="Low", lpString2=".") returned 1 [0142.848] lstrcmpiW (lpString1="Low", lpString2="..") returned 1 [0142.848] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low") returned 90 [0142.848] GetProcessHeap () returned 0x4c0000 [0142.848] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c500e8 [0142.852] lstrcpyW (in: lpString1=0x3c500e8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low" [0142.852] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\*" [0142.852] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x54b77470, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b9d5d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b9d5d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0142.853] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0142.853] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0142.853] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0142.853] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0142.853] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0142.853] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0142.853] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x54b77470, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b9d5d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b9d5d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0142.853] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0142.853] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0142.853] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0142.853] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0142.853] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0142.853] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0142.853] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0142.853] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x54b9d5d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b9d5d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b9d5d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="65UX3YG0", cAlternateFileName="")) returned 1 [0142.853] lstrcmpiW (lpString1="65UX3YG0", lpString2="Windows") returned -1 [0142.853] lstrcmpiW (lpString1="65UX3YG0", lpString2="Program Files") returned -1 [0142.853] lstrcmpiW (lpString1="65UX3YG0", lpString2="Program Files (x86)") returned -1 [0142.853] lstrcmpiW (lpString1="65UX3YG0", lpString2="$Recycle.bin") returned 1 [0142.854] lstrcmpiW (lpString1="65UX3YG0", lpString2="System Volume Information") returned -1 [0142.854] lstrcmpiW (lpString1="65UX3YG0", lpString2=".") returned 1 [0142.854] lstrcmpiW (lpString1="65UX3YG0", lpString2="..") returned 1 [0142.854] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\65UX3YG0") returned 99 [0142.854] GetProcessHeap () returned 0x4c0000 [0142.854] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c600f0 [0142.854] lstrcpyW (in: lpString1=0x3c600f0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\65UX3YG0" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\65UX3YG0") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\65UX3YG0" [0142.854] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\65UX3YG0", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\65UX3YG0\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\65UX3YG0\\*" [0142.854] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\65UX3YG0\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x54b9d5d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b9d5d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b9d5d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0142.855] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0142.855] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0142.855] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0142.855] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0142.855] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0142.855] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0142.855] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x54b9d5d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b9d5d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b9d5d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0142.855] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0142.855] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0142.855] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0142.855] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0142.855] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0142.855] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0142.855] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0142.855] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x54b9d5d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b9d5d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b9d5d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0142.855] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0142.855] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\65UX3YG0\\PUSSY.TXT") returned 109 [0142.855] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\65UX3YG0\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\65ux3yg0\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0142.856] lstrlenA (lpString="abcd") returned 4 [0142.856] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0142.857] CloseHandle (hObject=0x18c) returned 1 [0142.857] GetProcessHeap () returned 0x4c0000 [0142.857] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c600f0 | out: hHeap=0x4c0000) returned 1 [0142.860] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x54b9d5d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b9d5d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b9d5d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="AY721QDR", cAlternateFileName="")) returned 1 [0142.860] lstrcmpiW (lpString1="AY721QDR", lpString2="Windows") returned -1 [0142.860] lstrcmpiW (lpString1="AY721QDR", lpString2="Program Files") returned -1 [0142.860] lstrcmpiW (lpString1="AY721QDR", lpString2="Program Files (x86)") returned -1 [0142.860] lstrcmpiW (lpString1="AY721QDR", lpString2="$Recycle.bin") returned 1 [0142.860] lstrcmpiW (lpString1="AY721QDR", lpString2="System Volume Information") returned -1 [0142.860] lstrcmpiW (lpString1="AY721QDR", lpString2=".") returned 1 [0142.860] lstrcmpiW (lpString1="AY721QDR", lpString2="..") returned 1 [0142.860] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\AY721QDR") returned 99 [0142.860] GetProcessHeap () returned 0x4c0000 [0142.860] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c600f0 [0142.861] lstrcpyW (in: lpString1=0x3c600f0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\AY721QDR" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\AY721QDR") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\AY721QDR" [0142.861] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\AY721QDR", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\AY721QDR\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\AY721QDR\\*" [0142.861] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\AY721QDR\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x54b9d5d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b9d5d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b9d5d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0142.862] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0142.862] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0142.862] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0142.862] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0142.862] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0142.862] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0142.862] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x54b9d5d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b9d5d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b9d5d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0142.862] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0142.862] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0142.862] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0142.862] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0142.862] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0142.862] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0142.862] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0142.862] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x54b9d5d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b9d5d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b9d5d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0142.862] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0142.862] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\AY721QDR\\PUSSY.TXT") returned 109 [0142.862] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\AY721QDR\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\ay721qdr\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0142.863] lstrlenA (lpString="abcd") returned 4 [0142.863] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0142.866] CloseHandle (hObject=0x18c) returned 1 [0142.866] GetProcessHeap () returned 0x4c0000 [0142.866] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c600f0 | out: hHeap=0x4c0000) returned 1 [0142.866] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x54b9d5d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b9d5d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b9d5d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="DZBKZBIC", cAlternateFileName="")) returned 1 [0142.866] lstrcmpiW (lpString1="DZBKZBIC", lpString2="Windows") returned -1 [0142.866] lstrcmpiW (lpString1="DZBKZBIC", lpString2="Program Files") returned -1 [0142.866] lstrcmpiW (lpString1="DZBKZBIC", lpString2="Program Files (x86)") returned -1 [0142.867] lstrcmpiW (lpString1="DZBKZBIC", lpString2="$Recycle.bin") returned 1 [0142.867] lstrcmpiW (lpString1="DZBKZBIC", lpString2="System Volume Information") returned -1 [0142.867] lstrcmpiW (lpString1="DZBKZBIC", lpString2=".") returned 1 [0142.867] lstrcmpiW (lpString1="DZBKZBIC", lpString2="..") returned 1 [0142.867] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\DZBKZBIC") returned 99 [0142.867] GetProcessHeap () returned 0x4c0000 [0142.867] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c600f0 [0142.867] lstrcpyW (in: lpString1=0x3c600f0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\DZBKZBIC" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\DZBKZBIC") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\DZBKZBIC" [0142.867] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\DZBKZBIC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\DZBKZBIC\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\DZBKZBIC\\*" [0142.867] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\DZBKZBIC\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x54b9d5d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b9d5d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b9d5d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0142.867] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0142.867] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0142.867] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0142.867] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0142.867] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0142.867] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0142.867] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x54b9d5d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b9d5d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b9d5d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0142.867] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0142.867] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0142.867] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0142.867] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0142.867] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0142.867] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0142.868] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0142.868] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x54b9d5d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b9d5d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b9d5d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0142.868] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0142.868] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\DZBKZBIC\\PUSSY.TXT") returned 109 [0142.868] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\DZBKZBIC\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\dzbkzbic\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0142.868] lstrlenA (lpString="abcd") returned 4 [0142.868] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0142.869] CloseHandle (hObject=0x18c) returned 1 [0142.869] GetProcessHeap () returned 0x4c0000 [0142.869] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c600f0 | out: hHeap=0x4c0000) returned 1 [0142.869] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x54b9d5d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b9d5d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbaf619f0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="index.dat", cAlternateFileName="")) returned 1 [0142.870] lstrcmpiW (lpString1="index.dat", lpString2="Windows") returned -1 [0142.870] lstrcmpiW (lpString1="index.dat", lpString2="Program Files") returned -1 [0142.870] lstrcmpiW (lpString1="index.dat", lpString2="Program Files (x86)") returned -1 [0142.870] lstrcmpiW (lpString1="index.dat", lpString2="$Recycle.bin") returned 1 [0142.870] lstrcmpiW (lpString1="index.dat", lpString2="System Volume Information") returned -1 [0142.870] lstrcmpiW (lpString1="index.dat", lpString2=".") returned 1 [0142.870] lstrcmpiW (lpString1="index.dat", lpString2="..") returned 1 [0142.870] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\index.dat") returned 100 [0142.870] lstrcmpW (lpString1="index.dat", lpString2="PUSSY.TXT") returned -1 [0142.870] PathFindExtensionW (pszPath="index.dat") returned=".dat" [0142.870] lstrlenW (lpString=".dat") returned 4 [0142.870] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0142.870] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\index.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0142.871] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=32768) returned 1 [0142.871] GetProcessHeap () returned 0x4c0000 [0142.871] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0142.882] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="36") returned 2 [0142.882] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="92") returned 2 [0142.882] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="0C") returned 2 [0142.882] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="E3") returned 2 [0142.882] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="F7") returned 2 [0142.882] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="FF") returned 2 [0142.882] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="57") returned 2 [0142.882] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="CE") returned 2 [0142.882] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="65") returned 2 [0142.882] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="42") returned 2 [0142.882] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="26") returned 2 [0142.882] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="09") returned 2 [0142.882] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="14") returned 2 [0142.882] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="8E") returned 2 [0142.882] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="EA") returned 2 [0142.882] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="10") returned 2 [0142.882] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="BE") returned 2 [0142.882] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="F2") returned 2 [0142.882] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="F0") returned 2 [0142.882] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="9C") returned 2 [0142.882] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="1A") returned 2 [0142.882] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="A5") returned 2 [0142.882] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="B2") returned 2 [0142.882] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="82") returned 2 [0142.882] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="80") returned 2 [0142.883] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="A7") returned 2 [0142.883] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="CF") returned 2 [0142.883] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="3A") returned 2 [0142.883] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="E7") returned 2 [0142.883] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="5B") returned 2 [0142.883] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="41") returned 2 [0142.883] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="3E") returned 2 [0142.892] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\index.dat" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\index.dat") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\index.dat" [0142.892] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\index.dat" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\index.dat") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\index.dat" [0142.892] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\index.dat", lpString2=".36920CE3F7FF57CE65422609148EEA10BEF2F09C1AA5B28280A7CF3AE75B413E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\index.dat.36920CE3F7FF57CE65422609148EEA10BEF2F09C1AA5B28280A7CF3AE75B413E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\index.dat.36920CE3F7FF57CE65422609148EEA10BEF2F09C1AA5B28280A7CF3AE75B413E" [0142.892] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0142.892] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0142.892] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x54b9d5d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b9d5d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b9d5d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="VRLZOZ0E", cAlternateFileName="")) returned 1 [0142.892] lstrcmpiW (lpString1="VRLZOZ0E", lpString2="Windows") returned -1 [0142.893] lstrcmpiW (lpString1="VRLZOZ0E", lpString2="Program Files") returned 1 [0142.893] lstrcmpiW (lpString1="VRLZOZ0E", lpString2="Program Files (x86)") returned 1 [0142.893] lstrcmpiW (lpString1="VRLZOZ0E", lpString2="$Recycle.bin") returned 1 [0142.893] lstrcmpiW (lpString1="VRLZOZ0E", lpString2="System Volume Information") returned 1 [0142.893] lstrcmpiW (lpString1="VRLZOZ0E", lpString2=".") returned 1 [0142.893] lstrcmpiW (lpString1="VRLZOZ0E", lpString2="..") returned 1 [0142.893] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\VRLZOZ0E") returned 99 [0142.893] GetProcessHeap () returned 0x4c0000 [0142.893] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c600f0 [0142.893] lstrcpyW (in: lpString1=0x3c600f0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\VRLZOZ0E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\VRLZOZ0E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\VRLZOZ0E" [0142.893] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\VRLZOZ0E", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\VRLZOZ0E\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\VRLZOZ0E\\*" [0142.893] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\VRLZOZ0E\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x54b9d5d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b9d5d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b9d5d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ae70, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0142.893] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0142.893] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0142.893] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0142.893] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0142.893] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0142.893] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0142.893] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x54b9d5d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b9d5d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b9d5d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ae70, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0142.894] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0142.894] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0142.894] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0142.894] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0142.894] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0142.894] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0142.894] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0142.894] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x54b9d5d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b9d5d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b9d5d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ae70, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 0 [0142.894] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0142.894] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\VRLZOZ0E\\PUSSY.TXT") returned 109 [0142.894] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\VRLZOZ0E\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\vrlzoz0e\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x124 [0142.895] lstrlenA (lpString="abcd") returned 4 [0142.895] WriteFile (in: hFile=0x124, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0142.896] CloseHandle (hObject=0x124) returned 1 [0142.896] GetProcessHeap () returned 0x4c0000 [0142.896] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c600f0 | out: hHeap=0x4c0000) returned 1 [0142.896] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x54b9d5d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b9d5d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b9d5d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="VRLZOZ0E", cAlternateFileName="")) returned 0 [0142.896] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0142.896] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\PUSSY.TXT") returned 100 [0142.896] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0142.897] lstrlenA (lpString="abcd") returned 4 [0142.897] WriteFile (in: hFile=0x1d4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0142.898] CloseHandle (hObject=0x1d4) returned 1 [0142.898] GetProcessHeap () returned 0x4c0000 [0142.898] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c500e8 | out: hHeap=0x4c0000) returned 1 [0142.898] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x54b77470, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b9d5d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b9d5d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2c3b2ad8, cFileName="Low", cAlternateFileName="")) returned 0 [0142.898] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0142.898] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\PUSSY.TXT") returned 96 [0142.898] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0142.899] lstrlenA (lpString="abcd") returned 4 [0142.899] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0142.899] CloseHandle (hObject=0x184) returned 1 [0142.899] GetProcessHeap () returned 0x4c0000 [0142.899] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0142.901] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54b77470, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b77470, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b77470, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="UserData", cAlternateFileName="")) returned 0 [0142.901] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0142.901] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\PUSSY.TXT") returned 87 [0142.901] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0142.902] lstrlenA (lpString="abcd") returned 4 [0142.902] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0142.903] CloseHandle (hObject=0x1d0) returned 1 [0142.903] GetProcessHeap () returned 0x4c0000 [0142.903] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0142.903] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2f5d6350, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x2f5d6350, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x2f5d6350, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="MMC", cAlternateFileName="")) returned 1 [0142.903] lstrcmpiW (lpString1="MMC", lpString2="Windows") returned -1 [0142.904] lstrcmpiW (lpString1="MMC", lpString2="Program Files") returned -1 [0142.904] lstrcmpiW (lpString1="MMC", lpString2="Program Files (x86)") returned -1 [0142.904] lstrcmpiW (lpString1="MMC", lpString2="$Recycle.bin") returned 1 [0142.904] lstrcmpiW (lpString1="MMC", lpString2="System Volume Information") returned -1 [0142.904] lstrcmpiW (lpString1="MMC", lpString2=".") returned 1 [0142.904] lstrcmpiW (lpString1="MMC", lpString2="..") returned 1 [0142.904] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MMC") returned 63 [0142.904] GetProcessHeap () returned 0x4c0000 [0142.904] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0142.904] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MMC" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MMC") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MMC" [0142.904] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MMC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MMC\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MMC\\*" [0142.904] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MMC\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2f5d6350, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x2f5d6350, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x2f5d6350, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0142.904] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0142.904] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0142.904] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0142.905] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0142.905] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0142.905] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0142.905] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2f5d6350, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x2f5d6350, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x2f5d6350, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0142.905] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0142.905] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0142.905] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0142.905] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0142.905] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0142.905] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0142.905] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0142.905] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2f5d6350, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x2f5d6350, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x2f5d6350, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0142.905] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0142.905] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MMC\\PUSSY.TXT") returned 73 [0142.905] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MMC\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\mmc\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0142.906] lstrlenA (lpString="abcd") returned 4 [0142.906] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0142.907] CloseHandle (hObject=0x1d0) returned 1 [0142.907] GetProcessHeap () returned 0x4c0000 [0142.907] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0142.907] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8d940a0, ftCreationTime.dwHighDateTime=0x1d305fe, ftLastAccessTime.dwLowDateTime=0x8d940a0, ftLastAccessTime.dwHighDateTime=0x1d305fe, ftLastWriteTime.dwLowDateTime=0x8d940a0, ftLastWriteTime.dwHighDateTime=0x1d305fe, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="MS Project", cAlternateFileName="MSPROJ~1")) returned 1 [0142.907] lstrcmpiW (lpString1="MS Project", lpString2="Windows") returned -1 [0142.907] lstrcmpiW (lpString1="MS Project", lpString2="Program Files") returned -1 [0142.907] lstrcmpiW (lpString1="MS Project", lpString2="Program Files (x86)") returned -1 [0142.907] lstrcmpiW (lpString1="MS Project", lpString2="$Recycle.bin") returned 1 [0142.907] lstrcmpiW (lpString1="MS Project", lpString2="System Volume Information") returned -1 [0142.907] lstrcmpiW (lpString1="MS Project", lpString2=".") returned 1 [0142.907] lstrcmpiW (lpString1="MS Project", lpString2="..") returned 1 [0142.907] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project") returned 70 [0142.907] GetProcessHeap () returned 0x4c0000 [0142.907] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0142.907] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project" [0142.907] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\*" [0142.907] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8d940a0, ftCreationTime.dwHighDateTime=0x1d305fe, ftLastAccessTime.dwLowDateTime=0x8d940a0, ftLastAccessTime.dwHighDateTime=0x1d305fe, ftLastWriteTime.dwLowDateTime=0x8d940a0, ftLastWriteTime.dwHighDateTime=0x1d305fe, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0142.908] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0142.908] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0142.908] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0142.908] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0142.908] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0142.908] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0142.909] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8d940a0, ftCreationTime.dwHighDateTime=0x1d305fe, ftLastAccessTime.dwLowDateTime=0x8d940a0, ftLastAccessTime.dwHighDateTime=0x1d305fe, ftLastWriteTime.dwLowDateTime=0x8d940a0, ftLastWriteTime.dwHighDateTime=0x1d305fe, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0142.909] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0142.909] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0142.909] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0142.909] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0142.909] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0142.909] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0142.909] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0142.909] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8d940a0, ftCreationTime.dwHighDateTime=0x1d305fe, ftLastAccessTime.dwLowDateTime=0x8d940a0, ftLastAccessTime.dwHighDateTime=0x1d305fe, ftLastWriteTime.dwLowDateTime=0x8d940a0, ftLastWriteTime.dwHighDateTime=0x1d305fe, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="14", cAlternateFileName="")) returned 1 [0142.909] lstrcmpiW (lpString1="14", lpString2="Windows") returned -1 [0142.909] lstrcmpiW (lpString1="14", lpString2="Program Files") returned -1 [0142.909] lstrcmpiW (lpString1="14", lpString2="Program Files (x86)") returned -1 [0142.909] lstrcmpiW (lpString1="14", lpString2="$Recycle.bin") returned 1 [0142.909] lstrcmpiW (lpString1="14", lpString2="System Volume Information") returned -1 [0142.909] lstrcmpiW (lpString1="14", lpString2=".") returned 1 [0142.909] lstrcmpiW (lpString1="14", lpString2="..") returned 1 [0142.909] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14") returned 73 [0142.909] GetProcessHeap () returned 0x4c0000 [0142.909] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0142.910] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14" [0142.910] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\*" [0142.910] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8d940a0, ftCreationTime.dwHighDateTime=0x1d305fe, ftLastAccessTime.dwLowDateTime=0x8d940a0, ftLastAccessTime.dwHighDateTime=0x1d305fe, ftLastWriteTime.dwLowDateTime=0x8d940a0, ftLastWriteTime.dwHighDateTime=0x1d305fe, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2c3b2ad8, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0142.911] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0142.911] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0142.911] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0142.911] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0142.911] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0142.911] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0142.911] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8d940a0, ftCreationTime.dwHighDateTime=0x1d305fe, ftLastAccessTime.dwLowDateTime=0x8d940a0, ftLastAccessTime.dwHighDateTime=0x1d305fe, ftLastWriteTime.dwLowDateTime=0x8d940a0, ftLastWriteTime.dwHighDateTime=0x1d305fe, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2c3b2ad8, cFileName="..", cAlternateFileName="")) returned 1 [0142.911] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0142.911] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0142.911] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0142.911] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0142.911] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0142.911] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0142.911] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0142.911] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8d940a0, ftCreationTime.dwHighDateTime=0x1d305fe, ftLastAccessTime.dwLowDateTime=0x8e064c0, ftLastAccessTime.dwHighDateTime=0x1d305fe, ftLastWriteTime.dwLowDateTime=0x8e064c0, ftLastWriteTime.dwHighDateTime=0x1d305fe, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2c3b2ad8, cFileName="1033", cAlternateFileName="")) returned 1 [0142.911] lstrcmpiW (lpString1="1033", lpString2="Windows") returned -1 [0142.911] lstrcmpiW (lpString1="1033", lpString2="Program Files") returned -1 [0142.911] lstrcmpiW (lpString1="1033", lpString2="Program Files (x86)") returned -1 [0142.911] lstrcmpiW (lpString1="1033", lpString2="$Recycle.bin") returned 1 [0142.911] lstrcmpiW (lpString1="1033", lpString2="System Volume Information") returned -1 [0142.911] lstrcmpiW (lpString1="1033", lpString2=".") returned 1 [0142.911] lstrcmpiW (lpString1="1033", lpString2="..") returned 1 [0142.911] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033") returned 78 [0142.911] GetProcessHeap () returned 0x4c0000 [0142.911] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0142.944] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033" [0142.944] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\*" [0142.944] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8d940a0, ftCreationTime.dwHighDateTime=0x1d305fe, ftLastAccessTime.dwLowDateTime=0x8e064c0, ftLastAccessTime.dwHighDateTime=0x1d305fe, ftLastWriteTime.dwLowDateTime=0x8e064c0, ftLastWriteTime.dwHighDateTime=0x1d305fe, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0142.945] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0142.945] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0142.945] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0142.945] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0142.946] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0142.946] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0142.946] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8d940a0, ftCreationTime.dwHighDateTime=0x1d305fe, ftLastAccessTime.dwLowDateTime=0x8e064c0, ftLastAccessTime.dwHighDateTime=0x1d305fe, ftLastWriteTime.dwLowDateTime=0x8e064c0, ftLastWriteTime.dwHighDateTime=0x1d305fe, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0142.946] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0142.946] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0142.946] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0142.946] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0142.946] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0142.946] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0142.946] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0142.946] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8e064c0, ftCreationTime.dwHighDateTime=0x1d305fe, ftLastAccessTime.dwLowDateTime=0x8e064c0, ftLastAccessTime.dwHighDateTime=0x1d305fe, ftLastWriteTime.dwLowDateTime=0xfee79d60, ftLastWriteTime.dwHighDateTime=0x1d3aab9, nFileSizeHigh=0x0, nFileSizeLow=0x5f600, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="Global.MPT", cAlternateFileName="")) returned 1 [0142.946] lstrcmpiW (lpString1="Global.MPT", lpString2="Windows") returned -1 [0142.946] lstrcmpiW (lpString1="Global.MPT", lpString2="Program Files") returned -1 [0142.946] lstrcmpiW (lpString1="Global.MPT", lpString2="Program Files (x86)") returned -1 [0142.946] lstrcmpiW (lpString1="Global.MPT", lpString2="$Recycle.bin") returned 1 [0142.946] lstrcmpiW (lpString1="Global.MPT", lpString2="System Volume Information") returned -1 [0142.947] lstrcmpiW (lpString1="Global.MPT", lpString2=".") returned 1 [0142.947] lstrcmpiW (lpString1="Global.MPT", lpString2="..") returned 1 [0142.947] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\Global.MPT") returned 89 [0142.947] lstrcmpW (lpString1="Global.MPT", lpString2="PUSSY.TXT") returned -1 [0142.947] PathFindExtensionW (pszPath="Global.MPT") returned=".MPT" [0142.947] lstrlenW (lpString=".MPT") returned 4 [0142.947] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0142.947] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\Global.MPT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ms project\\14\\1033\\global.mpt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x124 [0142.948] GetFileSizeEx (in: hFile=0x124, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=390656) returned 1 [0142.948] GetProcessHeap () returned 0x4c0000 [0142.948] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c28098 [0142.960] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="27") returned 2 [0142.960] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="A7") returned 2 [0142.960] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="3D") returned 2 [0142.960] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="5D") returned 2 [0142.960] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="1A") returned 2 [0142.960] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="38") returned 2 [0142.960] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="4F") returned 2 [0142.960] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="47") returned 2 [0142.960] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="CF") returned 2 [0142.960] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="97") returned 2 [0142.960] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="EE") returned 2 [0142.960] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="77") returned 2 [0142.961] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="F5") returned 2 [0142.961] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="3A") returned 2 [0142.961] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="90") returned 2 [0142.961] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="34") returned 2 [0142.961] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="58") returned 2 [0142.961] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="8F") returned 2 [0142.961] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="0B") returned 2 [0142.961] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="66") returned 2 [0142.961] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="46") returned 2 [0142.961] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="86") returned 2 [0142.961] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="D7") returned 2 [0142.961] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="AB") returned 2 [0142.961] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="DC") returned 2 [0142.961] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="06") returned 2 [0142.961] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="C2") returned 2 [0142.961] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="1A") returned 2 [0142.961] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="E4") returned 2 [0142.961] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="82") returned 2 [0142.961] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="D5") returned 2 [0142.961] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="4A") returned 2 [0142.970] lstrcpyW (in: lpString1=0x3c380cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\Global.MPT" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\Global.MPT") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\Global.MPT" [0142.970] lstrcpyW (in: lpString1=0x3c280cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\Global.MPT" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\Global.MPT") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\Global.MPT" [0142.970] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\Global.MPT", lpString2=".27A73D5D1A384F47CF97EE77F53A9034588F0B664686D7ABDC06C21AE482D54A" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\Global.MPT.27A73D5D1A384F47CF97EE77F53A9034588F0B664686D7ABDC06C21AE482D54A") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\Global.MPT.27A73D5D1A384F47CF97EE77F53A9034588F0B664686D7ABDC06C21AE482D54A" [0142.970] CreateIoCompletionPort (FileHandle=0x124, ExistingCompletionPort=0x94, CompletionKey=0x3c28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0142.970] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c28098, lpOverlapped=0x3c28098) returned 1 [0142.970] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8e064c0, ftCreationTime.dwHighDateTime=0x1d305fe, ftLastAccessTime.dwLowDateTime=0x8e064c0, ftLastAccessTime.dwHighDateTime=0x1d305fe, ftLastWriteTime.dwLowDateTime=0xfee79d60, ftLastWriteTime.dwHighDateTime=0x1d3aab9, nFileSizeHigh=0x0, nFileSizeLow=0x5f600, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="Global.MPT", cAlternateFileName="")) returned 0 [0142.970] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0142.971] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\PUSSY.TXT") returned 88 [0142.971] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ms project\\14\\1033\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0142.972] lstrlenA (lpString="abcd") returned 4 [0142.972] WriteFile (in: hFile=0x1d4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0142.973] CloseHandle (hObject=0x1d4) returned 1 [0142.973] GetProcessHeap () returned 0x4c0000 [0142.973] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0142.973] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8d940a0, ftCreationTime.dwHighDateTime=0x1d305fe, ftLastAccessTime.dwLowDateTime=0x8e064c0, ftLastAccessTime.dwHighDateTime=0x1d305fe, ftLastWriteTime.dwLowDateTime=0x8e064c0, ftLastWriteTime.dwHighDateTime=0x1d305fe, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2c3b2ad8, cFileName="1033", cAlternateFileName="")) returned 0 [0142.973] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0142.973] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\PUSSY.TXT") returned 83 [0142.973] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ms project\\14\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0142.974] lstrlenA (lpString="abcd") returned 4 [0142.974] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0142.975] CloseHandle (hObject=0x184) returned 1 [0142.975] GetProcessHeap () returned 0x4c0000 [0142.975] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0142.976] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8d940a0, ftCreationTime.dwHighDateTime=0x1d305fe, ftLastAccessTime.dwLowDateTime=0x8d940a0, ftLastAccessTime.dwHighDateTime=0x1d305fe, ftLastWriteTime.dwLowDateTime=0x8d940a0, ftLastWriteTime.dwHighDateTime=0x1d305fe, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="14", cAlternateFileName="")) returned 0 [0142.977] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0142.977] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\PUSSY.TXT") returned 80 [0142.977] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ms project\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0142.977] lstrlenA (lpString="abcd") returned 4 [0142.977] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0142.978] CloseHandle (hObject=0x1d0) returned 1 [0142.978] GetProcessHeap () returned 0x4c0000 [0142.978] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0142.979] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x31a325d0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x31a325d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x31a325d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Network", cAlternateFileName="")) returned 1 [0142.979] lstrcmpiW (lpString1="Network", lpString2="Windows") returned -1 [0142.979] lstrcmpiW (lpString1="Network", lpString2="Program Files") returned -1 [0142.979] lstrcmpiW (lpString1="Network", lpString2="Program Files (x86)") returned -1 [0142.979] lstrcmpiW (lpString1="Network", lpString2="$Recycle.bin") returned 1 [0142.979] lstrcmpiW (lpString1="Network", lpString2="System Volume Information") returned -1 [0142.979] lstrcmpiW (lpString1="Network", lpString2=".") returned 1 [0142.979] lstrcmpiW (lpString1="Network", lpString2="..") returned 1 [0142.979] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network") returned 67 [0142.979] GetProcessHeap () returned 0x4c0000 [0142.979] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0142.979] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network" [0142.979] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\*" [0142.979] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x31a325d0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x31a325d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x31a325d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0142.980] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0142.980] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0142.980] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0142.980] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0142.980] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0142.980] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0142.980] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x31a325d0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x31a325d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x31a325d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0142.980] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0142.980] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0142.980] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0142.980] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0142.980] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0142.980] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0142.980] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0142.980] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x31a325d0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x31a325d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x31a325d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="Connections", cAlternateFileName="CONNEC~1")) returned 1 [0142.980] lstrcmpiW (lpString1="Connections", lpString2="Windows") returned -1 [0142.980] lstrcmpiW (lpString1="Connections", lpString2="Program Files") returned -1 [0142.980] lstrcmpiW (lpString1="Connections", lpString2="Program Files (x86)") returned -1 [0142.980] lstrcmpiW (lpString1="Connections", lpString2="$Recycle.bin") returned 1 [0142.980] lstrcmpiW (lpString1="Connections", lpString2="System Volume Information") returned -1 [0142.980] lstrcmpiW (lpString1="Connections", lpString2=".") returned 1 [0142.980] lstrcmpiW (lpString1="Connections", lpString2="..") returned 1 [0142.980] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections") returned 79 [0142.980] GetProcessHeap () returned 0x4c0000 [0142.981] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0142.981] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections" [0142.981] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*" [0142.981] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x31a325d0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x31a325d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x31a325d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2c3b2ad8, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0142.981] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0142.981] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0142.981] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0142.981] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0142.981] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0142.981] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0142.981] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x31a325d0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x31a325d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x31a325d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2c3b2ad8, cFileName="..", cAlternateFileName="")) returned 1 [0142.982] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0142.982] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0142.982] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0142.982] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0142.982] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0142.982] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0142.982] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0142.982] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x31a325d0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x31a325d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x31a325d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2c3b2ad8, cFileName="Pbk", cAlternateFileName="")) returned 1 [0142.982] lstrcmpiW (lpString1="Pbk", lpString2="Windows") returned -1 [0142.982] lstrcmpiW (lpString1="Pbk", lpString2="Program Files") returned -1 [0142.982] lstrcmpiW (lpString1="Pbk", lpString2="Program Files (x86)") returned -1 [0142.982] lstrcmpiW (lpString1="Pbk", lpString2="$Recycle.bin") returned 1 [0142.982] lstrcmpiW (lpString1="Pbk", lpString2="System Volume Information") returned -1 [0142.982] lstrcmpiW (lpString1="Pbk", lpString2=".") returned 1 [0142.982] lstrcmpiW (lpString1="Pbk", lpString2="..") returned 1 [0142.982] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk") returned 83 [0142.982] GetProcessHeap () returned 0x4c0000 [0142.982] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c500e8 [0142.983] lstrcpyW (in: lpString1=0x3c500e8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk" [0142.983] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*" [0142.983] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x31a325d0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x31a325d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x31a325d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0142.983] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0142.983] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0142.983] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0142.983] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0142.984] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0142.984] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0142.984] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x31a325d0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x31a325d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x31a325d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0142.984] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0142.984] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0142.984] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0142.984] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0142.984] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0142.984] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0142.984] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0142.984] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x31a325d0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x31a325d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x31a325d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="_hiddenPbk", cAlternateFileName="_HIDDE~1")) returned 1 [0142.984] lstrcmpiW (lpString1="_hiddenPbk", lpString2="Windows") returned -1 [0142.984] lstrcmpiW (lpString1="_hiddenPbk", lpString2="Program Files") returned -1 [0142.984] lstrcmpiW (lpString1="_hiddenPbk", lpString2="Program Files (x86)") returned -1 [0142.984] lstrcmpiW (lpString1="_hiddenPbk", lpString2="$Recycle.bin") returned 1 [0142.984] lstrcmpiW (lpString1="_hiddenPbk", lpString2="System Volume Information") returned -1 [0142.984] lstrcmpiW (lpString1="_hiddenPbk", lpString2=".") returned 1 [0142.984] lstrcmpiW (lpString1="_hiddenPbk", lpString2="..") returned 1 [0142.984] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk") returned 94 [0142.984] GetProcessHeap () returned 0x4c0000 [0142.984] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c600f0 [0142.985] lstrcpyW (in: lpString1=0x3c600f0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk" [0142.985] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*" [0142.985] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x31a325d0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x31a325d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x31a325d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ae70, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0142.985] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0142.985] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0142.985] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0142.985] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0142.985] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0142.985] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0142.985] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x31a325d0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x31a325d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x31a325d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ae70, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0142.985] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0142.985] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0142.986] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0142.986] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0142.986] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0142.986] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0142.986] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0142.986] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x31a325d0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x31a325d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x31a325d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ae70, dwReserved1=0x77c61b06, cFileName="rasphone.pbk", cAlternateFileName="")) returned 1 [0142.986] lstrcmpiW (lpString1="rasphone.pbk", lpString2="Windows") returned -1 [0142.986] lstrcmpiW (lpString1="rasphone.pbk", lpString2="Program Files") returned 1 [0142.986] lstrcmpiW (lpString1="rasphone.pbk", lpString2="Program Files (x86)") returned 1 [0142.986] lstrcmpiW (lpString1="rasphone.pbk", lpString2="$Recycle.bin") returned 1 [0142.986] lstrcmpiW (lpString1="rasphone.pbk", lpString2="System Volume Information") returned -1 [0142.986] lstrcmpiW (lpString1="rasphone.pbk", lpString2=".") returned 1 [0142.986] lstrcmpiW (lpString1="rasphone.pbk", lpString2="..") returned 1 [0142.986] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\rasphone.pbk") returned 107 [0142.986] lstrcmpW (lpString1="rasphone.pbk", lpString2="PUSSY.TXT") returned 1 [0142.986] PathFindExtensionW (pszPath="rasphone.pbk") returned=".pbk" [0142.986] lstrlenW (lpString=".pbk") returned 4 [0142.986] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0142.986] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\rasphone.pbk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\_hiddenpbk\\rasphone.pbk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x128 [0142.987] GetFileSizeEx (in: hFile=0x128, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=0) returned 1 [0142.987] CloseHandle (hObject=0x128) returned 1 [0142.987] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x31a325d0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x31a325d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x31a325d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ae70, dwReserved1=0x77c61b06, cFileName="rasphone.pbk", cAlternateFileName="")) returned 0 [0142.987] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0142.987] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\PUSSY.TXT") returned 104 [0142.987] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\_hiddenpbk\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0142.988] lstrlenA (lpString="abcd") returned 4 [0142.988] WriteFile (in: hFile=0x178, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0142.989] CloseHandle (hObject=0x178) returned 1 [0142.989] GetProcessHeap () returned 0x4c0000 [0142.989] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c600f0 | out: hHeap=0x4c0000) returned 1 [0142.989] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x31a325d0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x31a325d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x31a325d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="_hiddenPbk", cAlternateFileName="_HIDDE~1")) returned 0 [0142.989] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0142.989] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\PUSSY.TXT") returned 93 [0142.989] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0142.990] lstrlenA (lpString="abcd") returned 4 [0142.990] WriteFile (in: hFile=0x1d4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0142.991] CloseHandle (hObject=0x1d4) returned 1 [0142.991] GetProcessHeap () returned 0x4c0000 [0142.991] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c500e8 | out: hHeap=0x4c0000) returned 1 [0142.991] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x31a325d0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x31a325d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x31a325d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2c3b2ad8, cFileName="Pbk", cAlternateFileName="")) returned 0 [0142.991] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0142.991] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\PUSSY.TXT") returned 89 [0142.991] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\network\\connections\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0142.992] lstrlenA (lpString="abcd") returned 4 [0142.992] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0142.993] CloseHandle (hObject=0x184) returned 1 [0142.993] GetProcessHeap () returned 0x4c0000 [0142.993] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0142.995] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x31a325d0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x31a325d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x31a325d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="Connections", cAlternateFileName="CONNEC~1")) returned 0 [0142.995] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0142.995] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\PUSSY.TXT") returned 77 [0142.995] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\network\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0142.995] lstrlenA (lpString="abcd") returned 4 [0142.995] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0142.996] CloseHandle (hObject=0x1d0) returned 1 [0142.997] GetProcessHeap () returned 0x4c0000 [0142.997] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0142.997] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x43c8ae30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x5dae0390, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x5dae0390, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Office", cAlternateFileName="")) returned 1 [0142.997] lstrcmpiW (lpString1="Office", lpString2="Windows") returned -1 [0142.997] lstrcmpiW (lpString1="Office", lpString2="Program Files") returned -1 [0142.997] lstrcmpiW (lpString1="Office", lpString2="Program Files (x86)") returned -1 [0142.997] lstrcmpiW (lpString1="Office", lpString2="$Recycle.bin") returned 1 [0142.997] lstrcmpiW (lpString1="Office", lpString2="System Volume Information") returned -1 [0142.997] lstrcmpiW (lpString1="Office", lpString2=".") returned 1 [0142.997] lstrcmpiW (lpString1="Office", lpString2="..") returned 1 [0142.997] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office") returned 66 [0142.997] GetProcessHeap () returned 0x4c0000 [0142.997] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0142.998] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office" [0142.998] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\*" [0142.998] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x43c8ae30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x5dae0390, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x5dae0390, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0143.048] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0143.048] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0143.048] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0143.048] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0143.048] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0143.048] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0143.048] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x43c8ae30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x5dae0390, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x5dae0390, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0143.049] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0143.049] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0143.049] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0143.049] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0143.049] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0143.049] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0143.049] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0143.049] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4f6ce7b0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x4f6ce7b0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x4f6ce7b0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x9382, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="MSO1033.acl", cAlternateFileName="")) returned 1 [0143.049] lstrcmpiW (lpString1="MSO1033.acl", lpString2="Windows") returned -1 [0143.049] lstrcmpiW (lpString1="MSO1033.acl", lpString2="Program Files") returned -1 [0143.049] lstrcmpiW (lpString1="MSO1033.acl", lpString2="Program Files (x86)") returned -1 [0143.049] lstrcmpiW (lpString1="MSO1033.acl", lpString2="$Recycle.bin") returned 1 [0143.049] lstrcmpiW (lpString1="MSO1033.acl", lpString2="System Volume Information") returned -1 [0143.049] lstrcmpiW (lpString1="MSO1033.acl", lpString2=".") returned 1 [0143.049] lstrcmpiW (lpString1="MSO1033.acl", lpString2="..") returned 1 [0143.049] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl") returned 78 [0143.049] lstrcmpW (lpString1="MSO1033.acl", lpString2="PUSSY.TXT") returned -1 [0143.049] PathFindExtensionW (pszPath="MSO1033.acl") returned=".acl" [0143.049] lstrlenW (lpString=".acl") returned 4 [0143.049] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0143.049] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\mso1033.acl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x124 [0143.053] GetFileSizeEx (in: hFile=0x124, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=37762) returned 1 [0143.053] GetProcessHeap () returned 0x4c0000 [0143.053] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0143.062] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="2D") returned 2 [0143.062] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="C5") returned 2 [0143.062] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="8A") returned 2 [0143.062] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="9D") returned 2 [0143.062] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="59") returned 2 [0143.062] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="8A") returned 2 [0143.062] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="50") returned 2 [0143.062] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="41") returned 2 [0143.062] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="08") returned 2 [0143.063] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="67") returned 2 [0143.063] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="5F") returned 2 [0143.063] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="E5") returned 2 [0143.063] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="75") returned 2 [0143.063] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="A3") returned 2 [0143.063] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="66") returned 2 [0143.063] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="8D") returned 2 [0143.063] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="35") returned 2 [0143.063] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="FF") returned 2 [0143.063] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="41") returned 2 [0143.063] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="93") returned 2 [0143.063] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="19") returned 2 [0143.063] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="66") returned 2 [0143.063] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="40") returned 2 [0143.063] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="53") returned 2 [0143.063] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="21") returned 2 [0143.063] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="98") returned 2 [0143.063] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="6C") returned 2 [0143.063] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="89") returned 2 [0143.063] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="DA") returned 2 [0143.063] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="96") returned 2 [0143.063] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="55") returned 2 [0143.063] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="44") returned 2 [0143.071] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl" [0143.071] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl" [0143.071] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl", lpString2=".2DC58A9D598A504108675FE575A3668D35FF41931966405321986C89DA965544" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl.2DC58A9D598A504108675FE575A3668D35FF41931966405321986C89DA965544") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl.2DC58A9D598A504108675FE575A3668D35FF41931966405321986C89DA965544" [0143.071] CreateIoCompletionPort (FileHandle=0x124, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0143.072] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0143.072] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5dae0390, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x90b3d80, ftLastAccessTime.dwHighDateTime=0x1d305fe, ftLastWriteTime.dwLowDateTime=0x90b3d80, ftLastWriteTime.dwHighDateTime=0x1d305fe, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="Recent", cAlternateFileName="")) returned 1 [0143.072] lstrcmpiW (lpString1="Recent", lpString2="Windows") returned -1 [0143.072] lstrcmpiW (lpString1="Recent", lpString2="Program Files") returned 1 [0143.072] lstrcmpiW (lpString1="Recent", lpString2="Program Files (x86)") returned 1 [0143.072] lstrcmpiW (lpString1="Recent", lpString2="$Recycle.bin") returned 1 [0143.072] lstrcmpiW (lpString1="Recent", lpString2="System Volume Information") returned -1 [0143.072] lstrcmpiW (lpString1="Recent", lpString2=".") returned 1 [0143.072] lstrcmpiW (lpString1="Recent", lpString2="..") returned 1 [0143.072] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent") returned 73 [0143.072] GetProcessHeap () returned 0x4c0000 [0143.072] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0143.072] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent" [0143.072] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*" [0143.072] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5dae0390, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x90b3d80, ftLastAccessTime.dwHighDateTime=0x1d305fe, ftLastWriteTime.dwLowDateTime=0x90b3d80, ftLastWriteTime.dwHighDateTime=0x1d305fe, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0143.074] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0143.074] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0143.074] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0143.074] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0143.074] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0143.074] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0143.074] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5dae0390, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x90b3d80, ftLastAccessTime.dwHighDateTime=0x1d305fe, ftLastWriteTime.dwLowDateTime=0x90b3d80, ftLastWriteTime.dwHighDateTime=0x1d305fe, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0143.115] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0143.115] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0143.115] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0143.115] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0143.115] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0143.115] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0143.115] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0143.115] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x90b3d80, ftCreationTime.dwHighDateTime=0x1d305fe, ftLastAccessTime.dwLowDateTime=0x90b3d80, ftLastAccessTime.dwHighDateTime=0x1d305fe, ftLastWriteTime.dwLowDateTime=0x90d9ee0, ftLastWriteTime.dwHighDateTime=0x1d305fe, nFileSizeHigh=0x0, nFileSizeLow=0x59a, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="Global.LNK", cAlternateFileName="")) returned 1 [0143.115] lstrcmpiW (lpString1="Global.LNK", lpString2="Windows") returned -1 [0143.115] lstrcmpiW (lpString1="Global.LNK", lpString2="Program Files") returned -1 [0143.117] lstrcmpiW (lpString1="Global.LNK", lpString2="Program Files (x86)") returned -1 [0143.117] lstrcmpiW (lpString1="Global.LNK", lpString2="$Recycle.bin") returned 1 [0143.117] lstrcmpiW (lpString1="Global.LNK", lpString2="System Volume Information") returned -1 [0143.117] lstrcmpiW (lpString1="Global.LNK", lpString2=".") returned 1 [0143.117] lstrcmpiW (lpString1="Global.LNK", lpString2="..") returned 1 [0143.117] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Global.LNK") returned 84 [0143.117] lstrcmpW (lpString1="Global.LNK", lpString2="PUSSY.TXT") returned -1 [0143.117] PathFindExtensionW (pszPath="Global.LNK") returned=".LNK" [0143.117] lstrlenW (lpString=".LNK") returned 4 [0143.117] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0143.117] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Global.LNK" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\recent\\global.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0143.118] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=1434) returned 1 [0143.119] GetProcessHeap () returned 0x4c0000 [0143.119] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0143.134] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="E1") returned 2 [0143.134] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="72") returned 2 [0143.134] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="69") returned 2 [0143.134] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="26") returned 2 [0143.134] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="7E") returned 2 [0143.134] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="04") returned 2 [0143.134] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="64") returned 2 [0143.134] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="20") returned 2 [0143.134] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="9C") returned 2 [0143.134] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="16") returned 2 [0143.134] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="2A") returned 2 [0143.134] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="68") returned 2 [0143.134] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="C2") returned 2 [0143.134] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="32") returned 2 [0143.134] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="C0") returned 2 [0143.134] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="B2") returned 2 [0143.134] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="38") returned 2 [0143.134] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="41") returned 2 [0143.134] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="33") returned 2 [0143.135] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="80") returned 2 [0143.135] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="BE") returned 2 [0143.135] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="6E") returned 2 [0143.135] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="12") returned 2 [0143.135] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="AC") returned 2 [0143.135] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="D4") returned 2 [0143.135] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="8E") returned 2 [0143.135] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="E8") returned 2 [0143.135] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="83") returned 2 [0143.135] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="58") returned 2 [0143.135] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="70") returned 2 [0143.135] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="DF") returned 2 [0143.135] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="63") returned 2 [0143.147] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Global.LNK" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Global.LNK") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Global.LNK" [0143.147] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Global.LNK" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Global.LNK") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Global.LNK" [0143.147] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Global.LNK", lpString2=".E17269267E0464209C162A68C232C0B238413380BE6E12ACD48EE8835870DF63" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Global.LNK.E17269267E0464209C162A68C232C0B238413380BE6E12ACD48EE8835870DF63") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Global.LNK.E17269267E0464209C162A68C232C0B238413380BE6E12ACD48EE8835870DF63" [0143.147] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0143.147] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0143.148] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x5dc5d150, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x5dc5d150, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x90d9ee0, ftLastWriteTime.dwHighDateTime=0x1d305fe, nFileSizeHigh=0x0, nFileSizeLow=0x34, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="index.dat", cAlternateFileName="")) returned 1 [0143.148] lstrcmpiW (lpString1="index.dat", lpString2="Windows") returned -1 [0143.148] lstrcmpiW (lpString1="index.dat", lpString2="Program Files") returned -1 [0143.148] lstrcmpiW (lpString1="index.dat", lpString2="Program Files (x86)") returned -1 [0143.148] lstrcmpiW (lpString1="index.dat", lpString2="$Recycle.bin") returned 1 [0143.148] lstrcmpiW (lpString1="index.dat", lpString2="System Volume Information") returned -1 [0143.148] lstrcmpiW (lpString1="index.dat", lpString2=".") returned 1 [0143.148] lstrcmpiW (lpString1="index.dat", lpString2="..") returned 1 [0143.148] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat") returned 83 [0143.148] lstrcmpW (lpString1="index.dat", lpString2="PUSSY.TXT") returned -1 [0143.148] PathFindExtensionW (pszPath="index.dat") returned=".dat" [0143.148] lstrlenW (lpString=".dat") returned 4 [0143.148] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0143.148] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\recent\\index.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0143.153] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=52) returned 1 [0143.153] CloseHandle (hObject=0x184) returned 1 [0143.154] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5dc5d150, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x5dc5d150, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x5dc5d150, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x472, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="Templates.LNK", cAlternateFileName="TEMPLA~1.LNK")) returned 1 [0143.154] lstrcmpiW (lpString1="Templates.LNK", lpString2="Windows") returned -1 [0143.154] lstrcmpiW (lpString1="Templates.LNK", lpString2="Program Files") returned 1 [0143.154] lstrcmpiW (lpString1="Templates.LNK", lpString2="Program Files (x86)") returned 1 [0143.154] lstrcmpiW (lpString1="Templates.LNK", lpString2="$Recycle.bin") returned 1 [0143.154] lstrcmpiW (lpString1="Templates.LNK", lpString2="System Volume Information") returned 1 [0143.154] lstrcmpiW (lpString1="Templates.LNK", lpString2=".") returned 1 [0143.154] lstrcmpiW (lpString1="Templates.LNK", lpString2="..") returned 1 [0143.154] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK") returned 87 [0143.154] lstrcmpW (lpString1="Templates.LNK", lpString2="PUSSY.TXT") returned 1 [0143.154] PathFindExtensionW (pszPath="Templates.LNK") returned=".LNK" [0143.154] lstrlenW (lpString=".LNK") returned 4 [0143.154] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0143.154] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\recent\\templates.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0143.155] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=1138) returned 1 [0143.155] GetProcessHeap () returned 0x4c0000 [0143.155] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x553b30 [0143.188] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="48") returned 2 [0143.188] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="89") returned 2 [0143.189] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="B6") returned 2 [0143.189] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="2B") returned 2 [0143.189] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="CF") returned 2 [0143.189] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="30") returned 2 [0143.189] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="17") returned 2 [0143.189] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="F2") returned 2 [0143.189] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="EE") returned 2 [0143.189] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="B8") returned 2 [0143.189] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="3C") returned 2 [0143.189] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="81") returned 2 [0143.189] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="E5") returned 2 [0143.189] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="EA") returned 2 [0143.189] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="95") returned 2 [0143.189] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="BD") returned 2 [0143.189] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="90") returned 2 [0143.189] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="CB") returned 2 [0143.189] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="E2") returned 2 [0143.189] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="6A") returned 2 [0143.189] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="C5") returned 2 [0143.189] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="A5") returned 2 [0143.189] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="35") returned 2 [0143.189] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="BC") returned 2 [0143.189] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="71") returned 2 [0143.190] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="95") returned 2 [0143.190] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="70") returned 2 [0143.190] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="90") returned 2 [0143.190] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="27") returned 2 [0143.190] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="2E") returned 2 [0143.190] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="22") returned 2 [0143.190] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="1E") returned 2 [0143.203] lstrcpyW (in: lpString1=0x563b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK" [0143.203] lstrcpyW (in: lpString1=0x553b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK" [0143.203] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK", lpString2=".4889B62BCF3017F2EEB83C81E5EA95BD90CBE26AC5A535BC71957090272E221E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK.4889B62BCF3017F2EEB83C81E5EA95BD90CBE26AC5A535BC71957090272E221E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK.4889B62BCF3017F2EEB83C81E5EA95BD90CBE26AC5A535BC71957090272E221E" [0143.203] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x553b30, NumberOfConcurrentThreads=0x0) returned 0x94 [0143.203] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x553b30, lpOverlapped=0x553b30) returned 1 [0143.203] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5dc5d150, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x5dc5d150, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x5dc5d150, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x472, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="Templates.LNK", cAlternateFileName="TEMPLA~1.LNK")) returned 0 [0143.203] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0143.204] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\PUSSY.TXT") returned 83 [0143.204] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\recent\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x124 [0143.242] lstrlenA (lpString="abcd") returned 4 [0143.242] WriteFile (in: hFile=0x124, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0143.243] CloseHandle (hObject=0x124) returned 1 [0143.243] GetProcessHeap () returned 0x4c0000 [0143.243] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0143.244] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5dae0390, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x90b3d80, ftLastAccessTime.dwHighDateTime=0x1d305fe, ftLastWriteTime.dwLowDateTime=0x90b3d80, ftLastWriteTime.dwHighDateTime=0x1d305fe, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="Recent", cAlternateFileName="")) returned 0 [0143.245] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0143.245] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\PUSSY.TXT") returned 76 [0143.245] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0143.245] lstrlenA (lpString="abcd") returned 4 [0143.245] WriteFile (in: hFile=0x180, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0143.246] CloseHandle (hObject=0x180) returned 1 [0143.246] GetProcessHeap () returned 0x4c0000 [0143.246] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0143.247] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5c734300, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x6215c440, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x6215c440, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Outlook", cAlternateFileName="")) returned 1 [0143.247] lstrcmpiW (lpString1="Outlook", lpString2="Windows") returned -1 [0143.247] lstrcmpiW (lpString1="Outlook", lpString2="Program Files") returned -1 [0143.247] lstrcmpiW (lpString1="Outlook", lpString2="Program Files (x86)") returned -1 [0143.247] lstrcmpiW (lpString1="Outlook", lpString2="$Recycle.bin") returned 1 [0143.247] lstrcmpiW (lpString1="Outlook", lpString2="System Volume Information") returned -1 [0143.247] lstrcmpiW (lpString1="Outlook", lpString2=".") returned 1 [0143.247] lstrcmpiW (lpString1="Outlook", lpString2="..") returned 1 [0143.247] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook") returned 67 [0143.247] GetProcessHeap () returned 0x4c0000 [0143.247] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0143.247] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook" [0143.247] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\*" [0143.247] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5c734300, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x6215c440, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x6215c440, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0143.248] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0143.248] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0143.249] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0143.249] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0143.249] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0143.249] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0143.249] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5c734300, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x6215c440, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x6215c440, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0143.249] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0143.249] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0143.249] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0143.249] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0143.249] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0143.249] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0143.249] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0143.249] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5de69980, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x5de69980, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x5e0c9040, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="Outlook.srs", cAlternateFileName="")) returned 1 [0143.249] lstrcmpiW (lpString1="Outlook.srs", lpString2="Windows") returned -1 [0143.249] lstrcmpiW (lpString1="Outlook.srs", lpString2="Program Files") returned -1 [0143.249] lstrcmpiW (lpString1="Outlook.srs", lpString2="Program Files (x86)") returned -1 [0143.249] lstrcmpiW (lpString1="Outlook.srs", lpString2="$Recycle.bin") returned 1 [0143.249] lstrcmpiW (lpString1="Outlook.srs", lpString2="System Volume Information") returned -1 [0143.249] lstrcmpiW (lpString1="Outlook.srs", lpString2=".") returned 1 [0143.249] lstrcmpiW (lpString1="Outlook.srs", lpString2="..") returned 1 [0143.249] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs") returned 79 [0143.249] lstrcmpW (lpString1="Outlook.srs", lpString2="PUSSY.TXT") returned -1 [0143.249] PathFindExtensionW (pszPath="Outlook.srs") returned=".srs" [0143.249] lstrlenW (lpString=".srs") returned 4 [0143.249] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0143.249] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\outlook\\outlook.srs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x124 [0143.251] GetFileSizeEx (in: hFile=0x124, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=2560) returned 1 [0143.251] GetProcessHeap () returned 0x4c0000 [0143.251] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0143.261] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="7F") returned 2 [0143.261] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="FA") returned 2 [0143.261] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="CE") returned 2 [0143.261] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="9A") returned 2 [0143.261] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="10") returned 2 [0143.261] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="AA") returned 2 [0143.261] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="C7") returned 2 [0143.261] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="9E") returned 2 [0143.261] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="C8") returned 2 [0143.261] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="AA") returned 2 [0143.261] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="52") returned 2 [0143.261] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="48") returned 2 [0143.261] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="ED") returned 2 [0143.261] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="46") returned 2 [0143.261] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="07") returned 2 [0143.261] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="A4") returned 2 [0143.261] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="3E") returned 2 [0143.261] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="32") returned 2 [0143.261] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="E1") returned 2 [0143.261] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="52") returned 2 [0143.261] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="4D") returned 2 [0143.261] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="43") returned 2 [0143.261] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="FA") returned 2 [0143.262] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="53") returned 2 [0143.262] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="F1") returned 2 [0143.262] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="2E") returned 2 [0143.262] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="E1") returned 2 [0143.262] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="FA") returned 2 [0143.262] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="A2") returned 2 [0143.262] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="EA") returned 2 [0143.262] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="F5") returned 2 [0143.262] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="4A") returned 2 [0143.270] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs" [0143.270] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs" [0143.270] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs", lpString2=".7FFACE9A10AAC79EC8AA5248ED4607A43E32E1524D43FA53F12EE1FAA2EAF54A" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs.7FFACE9A10AAC79EC8AA5248ED4607A43E32E1524D43FA53F12EE1FAA2EAF54A") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs.7FFACE9A10AAC79EC8AA5248ED4607A43E32E1524D43FA53F12EE1FAA2EAF54A" [0143.271] CreateIoCompletionPort (FileHandle=0x124, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0143.271] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0143.271] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6215c440, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x6215c440, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x6215c440, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x9a2, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="Outlook.xml", cAlternateFileName="")) returned 1 [0143.271] lstrcmpiW (lpString1="Outlook.xml", lpString2="Windows") returned -1 [0143.271] lstrcmpiW (lpString1="Outlook.xml", lpString2="Program Files") returned -1 [0143.271] lstrcmpiW (lpString1="Outlook.xml", lpString2="Program Files (x86)") returned -1 [0143.271] lstrcmpiW (lpString1="Outlook.xml", lpString2="$Recycle.bin") returned 1 [0143.271] lstrcmpiW (lpString1="Outlook.xml", lpString2="System Volume Information") returned -1 [0143.271] lstrcmpiW (lpString1="Outlook.xml", lpString2=".") returned 1 [0143.271] lstrcmpiW (lpString1="Outlook.xml", lpString2="..") returned 1 [0143.271] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml") returned 79 [0143.271] lstrcmpW (lpString1="Outlook.xml", lpString2="PUSSY.TXT") returned -1 [0143.271] PathFindExtensionW (pszPath="Outlook.xml") returned=".xml" [0143.271] lstrlenW (lpString=".xml") returned 4 [0143.271] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0143.271] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\outlook\\outlook.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0143.272] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=2466) returned 1 [0143.272] GetProcessHeap () returned 0x4c0000 [0143.272] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0143.282] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="4E") returned 2 [0143.282] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="CD") returned 2 [0143.282] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="34") returned 2 [0143.282] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="85") returned 2 [0143.282] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="35") returned 2 [0143.282] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="F7") returned 2 [0143.282] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="E6") returned 2 [0143.282] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="23") returned 2 [0143.282] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="48") returned 2 [0143.282] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="67") returned 2 [0143.282] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="B0") returned 2 [0143.282] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="99") returned 2 [0143.282] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="E2") returned 2 [0143.282] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="DC") returned 2 [0143.282] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="53") returned 2 [0143.282] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="0B") returned 2 [0143.282] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="3A") returned 2 [0143.282] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="B3") returned 2 [0143.282] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="07") returned 2 [0143.283] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="5A") returned 2 [0143.283] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="D7") returned 2 [0143.283] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="79") returned 2 [0143.283] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="7D") returned 2 [0143.283] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="09") returned 2 [0143.283] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="28") returned 2 [0143.283] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="FC") returned 2 [0143.283] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="62") returned 2 [0143.283] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="7C") returned 2 [0143.283] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="31") returned 2 [0143.283] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="E6") returned 2 [0143.283] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="53") returned 2 [0143.283] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="21") returned 2 [0143.292] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml" [0143.292] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml" [0143.292] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml", lpString2=".4ECD348535F7E6234867B099E2DC530B3AB3075AD7797D0928FC627C31E65321" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml.4ECD348535F7E6234867B099E2DC530B3AB3075AD7797D0928FC627C31E65321") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml.4ECD348535F7E6234867B099E2DC530B3AB3075AD7797D0928FC627C31E65321" [0143.292] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0143.292] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0143.292] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6215c440, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x6215c440, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x6215c440, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x9a2, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="Outlook.xml", cAlternateFileName="")) returned 0 [0143.292] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0143.292] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\PUSSY.TXT") returned 77 [0143.293] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\outlook\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0143.294] lstrlenA (lpString="abcd") returned 4 [0143.294] WriteFile (in: hFile=0x180, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0143.295] CloseHandle (hObject=0x180) returned 1 [0143.295] GetProcessHeap () returned 0x4c0000 [0143.295] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0143.295] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x33c0ebb0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x33c0ebb0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x33c0ebb0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="PowerPoint", cAlternateFileName="POWERP~1")) returned 1 [0143.295] lstrcmpiW (lpString1="PowerPoint", lpString2="Windows") returned -1 [0143.295] lstrcmpiW (lpString1="PowerPoint", lpString2="Program Files") returned -1 [0143.295] lstrcmpiW (lpString1="PowerPoint", lpString2="Program Files (x86)") returned -1 [0143.295] lstrcmpiW (lpString1="PowerPoint", lpString2="$Recycle.bin") returned 1 [0143.295] lstrcmpiW (lpString1="PowerPoint", lpString2="System Volume Information") returned -1 [0143.295] lstrcmpiW (lpString1="PowerPoint", lpString2=".") returned 1 [0143.295] lstrcmpiW (lpString1="PowerPoint", lpString2="..") returned 1 [0143.295] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\PowerPoint") returned 70 [0143.295] GetProcessHeap () returned 0x4c0000 [0143.295] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0143.295] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\PowerPoint" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\PowerPoint") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\PowerPoint" [0143.295] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\PowerPoint", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\PowerPoint\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\PowerPoint\\*" [0143.295] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\PowerPoint\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x33c0ebb0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x33c0ebb0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x33c0ebb0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0143.303] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0143.303] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0143.303] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0143.303] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0143.305] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0143.305] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0143.305] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x33c0ebb0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x33c0ebb0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x33c0ebb0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0143.305] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0143.305] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0143.305] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0143.305] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0143.305] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0143.305] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0143.305] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0143.305] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x33c0ebb0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x33c0ebb0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x33c0ebb0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0143.305] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0143.305] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\PowerPoint\\PUSSY.TXT") returned 80 [0143.305] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\PowerPoint\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\powerpoint\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x124 [0143.313] lstrlenA (lpString="abcd") returned 4 [0143.313] WriteFile (in: hFile=0x124, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0143.314] CloseHandle (hObject=0x124) returned 1 [0143.314] GetProcessHeap () returned 0x4c0000 [0143.314] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0143.316] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x510b16f0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x510b16f0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x510b16f0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Proof", cAlternateFileName="")) returned 1 [0143.316] lstrcmpiW (lpString1="Proof", lpString2="Windows") returned -1 [0143.316] lstrcmpiW (lpString1="Proof", lpString2="Program Files") returned 1 [0143.316] lstrcmpiW (lpString1="Proof", lpString2="Program Files (x86)") returned 1 [0143.316] lstrcmpiW (lpString1="Proof", lpString2="$Recycle.bin") returned 1 [0143.316] lstrcmpiW (lpString1="Proof", lpString2="System Volume Information") returned -1 [0143.316] lstrcmpiW (lpString1="Proof", lpString2=".") returned 1 [0143.316] lstrcmpiW (lpString1="Proof", lpString2="..") returned 1 [0143.316] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Proof") returned 65 [0143.317] GetProcessHeap () returned 0x4c0000 [0143.317] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0143.317] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Proof" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Proof") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Proof" [0143.317] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Proof", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Proof\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Proof\\*" [0143.317] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Proof\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x510b16f0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x510b16f0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x510b16f0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0143.323] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0143.323] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0143.323] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0143.323] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0143.323] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0143.323] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0143.323] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x510b16f0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x510b16f0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x510b16f0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0143.323] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0143.323] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0143.323] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0143.323] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0143.323] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0143.323] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0143.323] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0143.323] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x510b16f0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x510b16f0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x510b16f0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0143.323] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0143.323] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Proof\\PUSSY.TXT") returned 75 [0143.323] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Proof\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\proof\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x124 [0143.324] lstrlenA (lpString="abcd") returned 4 [0143.324] WriteFile (in: hFile=0x124, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0143.325] CloseHandle (hObject=0x124) returned 1 [0143.325] GetProcessHeap () returned 0x4c0000 [0143.325] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0143.325] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x541f1c70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x541f1c70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Protect", cAlternateFileName="")) returned 1 [0143.325] lstrcmpiW (lpString1="Protect", lpString2="Windows") returned -1 [0143.325] lstrcmpiW (lpString1="Protect", lpString2="Program Files") returned 1 [0143.325] lstrcmpiW (lpString1="Protect", lpString2="Program Files (x86)") returned 1 [0143.326] lstrcmpiW (lpString1="Protect", lpString2="$Recycle.bin") returned 1 [0143.326] lstrcmpiW (lpString1="Protect", lpString2="System Volume Information") returned -1 [0143.326] lstrcmpiW (lpString1="Protect", lpString2=".") returned 1 [0143.326] lstrcmpiW (lpString1="Protect", lpString2="..") returned 1 [0143.326] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect") returned 67 [0143.326] GetProcessHeap () returned 0x4c0000 [0143.326] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0143.326] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect" [0143.326] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\*" [0143.326] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x541f1c70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x541f1c70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0143.326] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0143.326] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0143.326] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0143.326] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0143.326] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0143.326] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0143.326] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x541f1c70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x541f1c70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0143.326] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0143.326] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0143.326] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0143.326] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0143.327] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0143.327] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0143.327] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0143.327] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x28dbdd20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28dbdd20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf29f8e64, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x138, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="CREDHIST", cAlternateFileName="")) returned 1 [0143.327] lstrcmpiW (lpString1="CREDHIST", lpString2="Windows") returned -1 [0143.327] lstrcmpiW (lpString1="CREDHIST", lpString2="Program Files") returned -1 [0143.327] lstrcmpiW (lpString1="CREDHIST", lpString2="Program Files (x86)") returned -1 [0143.327] lstrcmpiW (lpString1="CREDHIST", lpString2="$Recycle.bin") returned 1 [0143.327] lstrcmpiW (lpString1="CREDHIST", lpString2="System Volume Information") returned -1 [0143.327] lstrcmpiW (lpString1="CREDHIST", lpString2=".") returned 1 [0143.327] lstrcmpiW (lpString1="CREDHIST", lpString2="..") returned 1 [0143.327] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST") returned 76 [0143.327] lstrcmpW (lpString1="CREDHIST", lpString2="PUSSY.TXT") returned -1 [0143.327] PathFindExtensionW (pszPath="CREDHIST") returned="" [0143.327] lstrlenW (lpString="") returned 0 [0143.327] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0143.327] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\credhist"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x180 [0143.328] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=312) returned 1 [0143.328] CloseHandle (hObject=0x180) returned 1 [0143.328] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="S-1-5-21-3111613574-2524581245-2586426736-500", cAlternateFileName="S-1-5-~1")) returned 1 [0143.328] lstrcmpiW (lpString1="S-1-5-21-3111613574-2524581245-2586426736-500", lpString2="Windows") returned -1 [0143.328] lstrcmpiW (lpString1="S-1-5-21-3111613574-2524581245-2586426736-500", lpString2="Program Files") returned 1 [0143.328] lstrcmpiW (lpString1="S-1-5-21-3111613574-2524581245-2586426736-500", lpString2="Program Files (x86)") returned 1 [0143.328] lstrcmpiW (lpString1="S-1-5-21-3111613574-2524581245-2586426736-500", lpString2="$Recycle.bin") returned 1 [0143.329] lstrcmpiW (lpString1="S-1-5-21-3111613574-2524581245-2586426736-500", lpString2="System Volume Information") returned -1 [0143.329] lstrcmpiW (lpString1="S-1-5-21-3111613574-2524581245-2586426736-500", lpString2=".") returned 1 [0143.329] lstrcmpiW (lpString1="S-1-5-21-3111613574-2524581245-2586426736-500", lpString2="..") returned 1 [0143.329] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500") returned 113 [0143.329] GetProcessHeap () returned 0x4c0000 [0143.329] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0143.329] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500" [0143.329] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\*" [0143.329] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0143.360] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0143.360] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0143.360] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0143.360] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0143.360] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0143.360] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0143.360] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0143.360] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0143.360] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0143.360] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0143.361] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0143.361] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0143.361] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0143.361] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0143.361] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x28dbdd20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28dbdd20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2b9bd87, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x1d4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", cAlternateFileName="BE5B4F~1")) returned 1 [0143.361] lstrcmpiW (lpString1="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", lpString2="Windows") returned -1 [0143.361] lstrcmpiW (lpString1="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", lpString2="Program Files") returned -1 [0143.361] lstrcmpiW (lpString1="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", lpString2="Program Files (x86)") returned -1 [0143.361] lstrcmpiW (lpString1="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", lpString2="$Recycle.bin") returned 1 [0143.361] lstrcmpiW (lpString1="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", lpString2="System Volume Information") returned -1 [0143.361] lstrcmpiW (lpString1="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", lpString2=".") returned 1 [0143.361] lstrcmpiW (lpString1="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", lpString2="..") returned 1 [0143.361] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9") returned 150 [0143.361] lstrcmpW (lpString1="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", lpString2="PUSSY.TXT") returned -1 [0143.361] PathFindExtensionW (pszPath="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9") returned="" [0143.361] lstrlenW (lpString="") returned 0 [0143.361] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0143.361] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0143.362] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=468) returned 1 [0143.362] CloseHandle (hObject=0x18c) returned 1 [0143.363] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x28de3e80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x18, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Preferred", cAlternateFileName="PREFER~1")) returned 1 [0143.363] lstrcmpiW (lpString1="Preferred", lpString2="Windows") returned -1 [0143.363] lstrcmpiW (lpString1="Preferred", lpString2="Program Files") returned -1 [0143.363] lstrcmpiW (lpString1="Preferred", lpString2="Program Files (x86)") returned -1 [0143.363] lstrcmpiW (lpString1="Preferred", lpString2="$Recycle.bin") returned 1 [0143.363] lstrcmpiW (lpString1="Preferred", lpString2="System Volume Information") returned -1 [0143.363] lstrcmpiW (lpString1="Preferred", lpString2=".") returned 1 [0143.363] lstrcmpiW (lpString1="Preferred", lpString2="..") returned 1 [0143.363] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\Preferred") returned 123 [0143.363] lstrcmpW (lpString1="Preferred", lpString2="PUSSY.TXT") returned -1 [0143.363] PathFindExtensionW (pszPath="Preferred") returned="" [0143.363] lstrlenW (lpString="") returned 0 [0143.363] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0143.363] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\Preferred" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3111613574-2524581245-2586426736-500\\preferred"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0143.364] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=24) returned 1 [0143.364] CloseHandle (hObject=0x18c) returned 1 [0143.364] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x28de3e80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x18, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Preferred", cAlternateFileName="PREFER~1")) returned 0 [0143.364] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0143.364] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\PUSSY.TXT") returned 123 [0143.364] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3111613574-2524581245-2586426736-500\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0143.365] lstrlenA (lpString="abcd") returned 4 [0143.365] WriteFile (in: hFile=0x180, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0143.366] CloseHandle (hObject=0x180) returned 1 [0143.366] GetProcessHeap () returned 0x4c0000 [0143.366] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0143.368] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x541f1c70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0xb919f140, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xb919f140, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~2")) returned 1 [0143.368] lstrcmpiW (lpString1="S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="Windows") returned -1 [0143.368] lstrcmpiW (lpString1="S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="Program Files") returned 1 [0143.368] lstrcmpiW (lpString1="S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="Program Files (x86)") returned 1 [0143.368] lstrcmpiW (lpString1="S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="$Recycle.bin") returned 1 [0143.368] lstrcmpiW (lpString1="S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="System Volume Information") returned -1 [0143.368] lstrcmpiW (lpString1="S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2=".") returned 1 [0143.368] lstrcmpiW (lpString1="S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="..") returned 1 [0143.368] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 114 [0143.368] GetProcessHeap () returned 0x4c0000 [0143.368] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0143.369] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000" [0143.369] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*" [0143.369] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x541f1c70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0xb919f140, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xb919f140, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0143.369] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0143.369] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0143.369] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0143.369] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0143.369] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0143.369] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0143.369] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x541f1c70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0xb919f140, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xb919f140, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0143.369] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0143.369] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0143.369] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0143.369] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0143.369] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0143.369] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0143.369] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0143.369] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xf923e050, ftCreationTime.dwHighDateTime=0x1d3aab9, ftLastAccessTime.dwLowDateTime=0xf923e050, ftLastAccessTime.dwHighDateTime=0x1d3aab9, ftLastWriteTime.dwLowDateTime=0xf923e050, ftLastWriteTime.dwHighDateTime=0x1d3aab9, nFileSizeHigh=0x0, nFileSizeLow=0x1d4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="02540a10-7eb7-4b20-a8c7-470f8986389c", cAlternateFileName="02540A~1")) returned 1 [0143.369] lstrcmpiW (lpString1="02540a10-7eb7-4b20-a8c7-470f8986389c", lpString2="Windows") returned -1 [0143.369] lstrcmpiW (lpString1="02540a10-7eb7-4b20-a8c7-470f8986389c", lpString2="Program Files") returned -1 [0143.369] lstrcmpiW (lpString1="02540a10-7eb7-4b20-a8c7-470f8986389c", lpString2="Program Files (x86)") returned -1 [0143.369] lstrcmpiW (lpString1="02540a10-7eb7-4b20-a8c7-470f8986389c", lpString2="$Recycle.bin") returned 1 [0143.370] lstrcmpiW (lpString1="02540a10-7eb7-4b20-a8c7-470f8986389c", lpString2="System Volume Information") returned -1 [0143.370] lstrcmpiW (lpString1="02540a10-7eb7-4b20-a8c7-470f8986389c", lpString2=".") returned 1 [0143.370] lstrcmpiW (lpString1="02540a10-7eb7-4b20-a8c7-470f8986389c", lpString2="..") returned 1 [0143.370] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\02540a10-7eb7-4b20-a8c7-470f8986389c") returned 151 [0143.370] lstrcmpW (lpString1="02540a10-7eb7-4b20-a8c7-470f8986389c", lpString2="PUSSY.TXT") returned -1 [0143.370] PathFindExtensionW (pszPath="02540a10-7eb7-4b20-a8c7-470f8986389c") returned="" [0143.370] lstrlenW (lpString="") returned 0 [0143.370] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0143.370] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\02540a10-7eb7-4b20-a8c7-470f8986389c" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\02540a10-7eb7-4b20-a8c7-470f8986389c"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0143.371] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=468) returned 1 [0143.371] CloseHandle (hObject=0x18c) returned 1 [0143.371] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xdc5ea830, ftCreationTime.dwHighDateTime=0x1d41fce, ftLastAccessTime.dwLowDateTime=0xdc5ea830, ftLastAccessTime.dwHighDateTime=0x1d41fce, ftLastWriteTime.dwLowDateTime=0xdc5ea830, ftLastWriteTime.dwHighDateTime=0x1d41fce, nFileSizeHigh=0x0, nFileSizeLow=0x1d4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="0e15476d-d8fe-46ca-8099-ebdcf80f637c", cAlternateFileName="0E1547~1")) returned 1 [0143.371] lstrcmpiW (lpString1="0e15476d-d8fe-46ca-8099-ebdcf80f637c", lpString2="Windows") returned -1 [0143.371] lstrcmpiW (lpString1="0e15476d-d8fe-46ca-8099-ebdcf80f637c", lpString2="Program Files") returned -1 [0143.371] lstrcmpiW (lpString1="0e15476d-d8fe-46ca-8099-ebdcf80f637c", lpString2="Program Files (x86)") returned -1 [0143.371] lstrcmpiW (lpString1="0e15476d-d8fe-46ca-8099-ebdcf80f637c", lpString2="$Recycle.bin") returned 1 [0143.371] lstrcmpiW (lpString1="0e15476d-d8fe-46ca-8099-ebdcf80f637c", lpString2="System Volume Information") returned -1 [0143.371] lstrcmpiW (lpString1="0e15476d-d8fe-46ca-8099-ebdcf80f637c", lpString2=".") returned 1 [0143.371] lstrcmpiW (lpString1="0e15476d-d8fe-46ca-8099-ebdcf80f637c", lpString2="..") returned 1 [0143.371] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\0e15476d-d8fe-46ca-8099-ebdcf80f637c") returned 151 [0143.371] lstrcmpW (lpString1="0e15476d-d8fe-46ca-8099-ebdcf80f637c", lpString2="PUSSY.TXT") returned -1 [0143.371] PathFindExtensionW (pszPath="0e15476d-d8fe-46ca-8099-ebdcf80f637c") returned="" [0143.371] lstrlenW (lpString="") returned 0 [0143.371] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0143.371] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\0e15476d-d8fe-46ca-8099-ebdcf80f637c" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\0e15476d-d8fe-46ca-8099-ebdcf80f637c"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0143.372] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=468) returned 1 [0143.372] CloseHandle (hObject=0x18c) returned 1 [0143.372] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xf6409280, ftCreationTime.dwHighDateTime=0x1d4ae2c, ftLastAccessTime.dwLowDateTime=0xf6409280, ftLastAccessTime.dwHighDateTime=0x1d4ae2c, ftLastWriteTime.dwLowDateTime=0xf6409280, ftLastWriteTime.dwHighDateTime=0x1d4ae2c, nFileSizeHigh=0x0, nFileSizeLow=0x1d4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="102a7bc8-3f85-4bb4-840a-38257d2965d2", cAlternateFileName="102A7B~1")) returned 1 [0143.372] lstrcmpiW (lpString1="102a7bc8-3f85-4bb4-840a-38257d2965d2", lpString2="Windows") returned -1 [0143.372] lstrcmpiW (lpString1="102a7bc8-3f85-4bb4-840a-38257d2965d2", lpString2="Program Files") returned -1 [0143.372] lstrcmpiW (lpString1="102a7bc8-3f85-4bb4-840a-38257d2965d2", lpString2="Program Files (x86)") returned -1 [0143.372] lstrcmpiW (lpString1="102a7bc8-3f85-4bb4-840a-38257d2965d2", lpString2="$Recycle.bin") returned 1 [0143.372] lstrcmpiW (lpString1="102a7bc8-3f85-4bb4-840a-38257d2965d2", lpString2="System Volume Information") returned -1 [0143.372] lstrcmpiW (lpString1="102a7bc8-3f85-4bb4-840a-38257d2965d2", lpString2=".") returned 1 [0143.372] lstrcmpiW (lpString1="102a7bc8-3f85-4bb4-840a-38257d2965d2", lpString2="..") returned 1 [0143.372] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\102a7bc8-3f85-4bb4-840a-38257d2965d2") returned 151 [0143.372] lstrcmpW (lpString1="102a7bc8-3f85-4bb4-840a-38257d2965d2", lpString2="PUSSY.TXT") returned -1 [0143.372] PathFindExtensionW (pszPath="102a7bc8-3f85-4bb4-840a-38257d2965d2") returned="" [0143.372] lstrlenW (lpString="") returned 0 [0143.372] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0143.372] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\102a7bc8-3f85-4bb4-840a-38257d2965d2" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\102a7bc8-3f85-4bb4-840a-38257d2965d2"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0143.373] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=468) returned 1 [0143.373] CloseHandle (hObject=0x18c) returned 1 [0143.373] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x542b0350, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x542b0350, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x542b0350, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x1d4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="2be989a0-16a1-424b-9211-51aa3bb43e5d", cAlternateFileName="2BE989~1")) returned 1 [0143.373] lstrcmpiW (lpString1="2be989a0-16a1-424b-9211-51aa3bb43e5d", lpString2="Windows") returned -1 [0143.373] lstrcmpiW (lpString1="2be989a0-16a1-424b-9211-51aa3bb43e5d", lpString2="Program Files") returned -1 [0143.373] lstrcmpiW (lpString1="2be989a0-16a1-424b-9211-51aa3bb43e5d", lpString2="Program Files (x86)") returned -1 [0143.373] lstrcmpiW (lpString1="2be989a0-16a1-424b-9211-51aa3bb43e5d", lpString2="$Recycle.bin") returned 1 [0143.373] lstrcmpiW (lpString1="2be989a0-16a1-424b-9211-51aa3bb43e5d", lpString2="System Volume Information") returned -1 [0143.373] lstrcmpiW (lpString1="2be989a0-16a1-424b-9211-51aa3bb43e5d", lpString2=".") returned 1 [0143.373] lstrcmpiW (lpString1="2be989a0-16a1-424b-9211-51aa3bb43e5d", lpString2="..") returned 1 [0143.373] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\2be989a0-16a1-424b-9211-51aa3bb43e5d") returned 151 [0143.373] lstrcmpW (lpString1="2be989a0-16a1-424b-9211-51aa3bb43e5d", lpString2="PUSSY.TXT") returned -1 [0143.373] PathFindExtensionW (pszPath="2be989a0-16a1-424b-9211-51aa3bb43e5d") returned="" [0143.373] lstrlenW (lpString="") returned 0 [0143.373] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0143.373] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\2be989a0-16a1-424b-9211-51aa3bb43e5d" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\2be989a0-16a1-424b-9211-51aa3bb43e5d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0143.374] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=468) returned 1 [0143.374] CloseHandle (hObject=0x18c) returned 1 [0143.374] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xb919f140, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xb919f140, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xb919f140, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x1d4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="83d52e24-a470-446e-9536-a33de56df8a1", cAlternateFileName="83D52E~1")) returned 1 [0143.374] lstrcmpiW (lpString1="83d52e24-a470-446e-9536-a33de56df8a1", lpString2="Windows") returned -1 [0143.374] lstrcmpiW (lpString1="83d52e24-a470-446e-9536-a33de56df8a1", lpString2="Program Files") returned -1 [0143.374] lstrcmpiW (lpString1="83d52e24-a470-446e-9536-a33de56df8a1", lpString2="Program Files (x86)") returned -1 [0143.374] lstrcmpiW (lpString1="83d52e24-a470-446e-9536-a33de56df8a1", lpString2="$Recycle.bin") returned 1 [0143.374] lstrcmpiW (lpString1="83d52e24-a470-446e-9536-a33de56df8a1", lpString2="System Volume Information") returned -1 [0143.374] lstrcmpiW (lpString1="83d52e24-a470-446e-9536-a33de56df8a1", lpString2=".") returned 1 [0143.374] lstrcmpiW (lpString1="83d52e24-a470-446e-9536-a33de56df8a1", lpString2="..") returned 1 [0143.374] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\83d52e24-a470-446e-9536-a33de56df8a1") returned 151 [0143.374] lstrcmpW (lpString1="83d52e24-a470-446e-9536-a33de56df8a1", lpString2="PUSSY.TXT") returned -1 [0143.374] PathFindExtensionW (pszPath="83d52e24-a470-446e-9536-a33de56df8a1") returned="" [0143.374] lstrlenW (lpString="") returned 0 [0143.374] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0143.374] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\83d52e24-a470-446e-9536-a33de56df8a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\83d52e24-a470-446e-9536-a33de56df8a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0143.375] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=468) returned 1 [0143.375] CloseHandle (hObject=0x18c) returned 1 [0143.377] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x89f07f80, ftCreationTime.dwHighDateTime=0x1d5e82a, ftLastAccessTime.dwLowDateTime=0x89f07f80, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x89f07f80, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x1d4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="915f9e3b-485d-4f89-a291-82a5ad3b0ee7", cAlternateFileName="915F9E~1")) returned 1 [0143.377] lstrcmpiW (lpString1="915f9e3b-485d-4f89-a291-82a5ad3b0ee7", lpString2="Windows") returned -1 [0143.377] lstrcmpiW (lpString1="915f9e3b-485d-4f89-a291-82a5ad3b0ee7", lpString2="Program Files") returned -1 [0143.377] lstrcmpiW (lpString1="915f9e3b-485d-4f89-a291-82a5ad3b0ee7", lpString2="Program Files (x86)") returned -1 [0143.377] lstrcmpiW (lpString1="915f9e3b-485d-4f89-a291-82a5ad3b0ee7", lpString2="$Recycle.bin") returned 1 [0143.377] lstrcmpiW (lpString1="915f9e3b-485d-4f89-a291-82a5ad3b0ee7", lpString2="System Volume Information") returned -1 [0143.377] lstrcmpiW (lpString1="915f9e3b-485d-4f89-a291-82a5ad3b0ee7", lpString2=".") returned 1 [0143.377] lstrcmpiW (lpString1="915f9e3b-485d-4f89-a291-82a5ad3b0ee7", lpString2="..") returned 1 [0143.377] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\915f9e3b-485d-4f89-a291-82a5ad3b0ee7") returned 151 [0143.377] lstrcmpW (lpString1="915f9e3b-485d-4f89-a291-82a5ad3b0ee7", lpString2="PUSSY.TXT") returned -1 [0143.377] PathFindExtensionW (pszPath="915f9e3b-485d-4f89-a291-82a5ad3b0ee7") returned="" [0143.378] lstrlenW (lpString="") returned 0 [0143.378] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0143.378] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\915f9e3b-485d-4f89-a291-82a5ad3b0ee7" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\915f9e3b-485d-4f89-a291-82a5ad3b0ee7"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0143.379] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=468) returned 1 [0143.379] CloseHandle (hObject=0x18c) returned 1 [0143.379] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x17ffec90, ftCreationTime.dwHighDateTime=0x1d3373c, ftLastAccessTime.dwLowDateTime=0x17ffec90, ftLastAccessTime.dwHighDateTime=0x1d3373c, ftLastWriteTime.dwLowDateTime=0x18024df0, ftLastWriteTime.dwHighDateTime=0x1d3373c, nFileSizeHigh=0x0, nFileSizeLow=0x1d4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="fbbe72db-afd8-443b-88dd-64b20388700d", cAlternateFileName="FBBE72~1")) returned 1 [0143.379] lstrcmpiW (lpString1="fbbe72db-afd8-443b-88dd-64b20388700d", lpString2="Windows") returned -1 [0143.379] lstrcmpiW (lpString1="fbbe72db-afd8-443b-88dd-64b20388700d", lpString2="Program Files") returned -1 [0143.379] lstrcmpiW (lpString1="fbbe72db-afd8-443b-88dd-64b20388700d", lpString2="Program Files (x86)") returned -1 [0143.379] lstrcmpiW (lpString1="fbbe72db-afd8-443b-88dd-64b20388700d", lpString2="$Recycle.bin") returned 1 [0143.379] lstrcmpiW (lpString1="fbbe72db-afd8-443b-88dd-64b20388700d", lpString2="System Volume Information") returned -1 [0143.379] lstrcmpiW (lpString1="fbbe72db-afd8-443b-88dd-64b20388700d", lpString2=".") returned 1 [0143.379] lstrcmpiW (lpString1="fbbe72db-afd8-443b-88dd-64b20388700d", lpString2="..") returned 1 [0143.379] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\fbbe72db-afd8-443b-88dd-64b20388700d") returned 151 [0143.379] lstrcmpW (lpString1="fbbe72db-afd8-443b-88dd-64b20388700d", lpString2="PUSSY.TXT") returned -1 [0143.379] PathFindExtensionW (pszPath="fbbe72db-afd8-443b-88dd-64b20388700d") returned="" [0143.379] lstrlenW (lpString="") returned 0 [0143.379] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0143.379] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\fbbe72db-afd8-443b-88dd-64b20388700d" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\fbbe72db-afd8-443b-88dd-64b20388700d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0143.380] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=468) returned 1 [0143.380] CloseHandle (hObject=0x18c) returned 1 [0143.380] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x542fc610, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x542fc610, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xb92376c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x18, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Preferred", cAlternateFileName="PREFER~1")) returned 1 [0143.380] lstrcmpiW (lpString1="Preferred", lpString2="Windows") returned -1 [0143.380] lstrcmpiW (lpString1="Preferred", lpString2="Program Files") returned -1 [0143.380] lstrcmpiW (lpString1="Preferred", lpString2="Program Files (x86)") returned -1 [0143.380] lstrcmpiW (lpString1="Preferred", lpString2="$Recycle.bin") returned 1 [0143.380] lstrcmpiW (lpString1="Preferred", lpString2="System Volume Information") returned -1 [0143.380] lstrcmpiW (lpString1="Preferred", lpString2=".") returned 1 [0143.380] lstrcmpiW (lpString1="Preferred", lpString2="..") returned 1 [0143.380] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\Preferred") returned 124 [0143.380] lstrcmpW (lpString1="Preferred", lpString2="PUSSY.TXT") returned -1 [0143.380] PathFindExtensionW (pszPath="Preferred") returned="" [0143.380] lstrlenW (lpString="") returned 0 [0143.380] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0143.380] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\Preferred" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\preferred"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0143.381] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=24) returned 1 [0143.381] CloseHandle (hObject=0x18c) returned 1 [0143.381] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x542fc610, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x542fc610, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xb92376c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x18, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Preferred", cAlternateFileName="PREFER~1")) returned 0 [0143.381] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0143.381] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\PUSSY.TXT") returned 124 [0143.381] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0143.382] lstrlenA (lpString="abcd") returned 4 [0143.382] WriteFile (in: hFile=0x180, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0143.383] CloseHandle (hObject=0x180) returned 1 [0143.383] GetProcessHeap () returned 0x4c0000 [0143.383] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0143.383] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x2b1e4b40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2b1e4b40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x36031920, ftLastWriteTime.dwHighDateTime=0x1d4d57d, nFileSizeHigh=0x0, nFileSizeLow=0x4c, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="SYNCHIST", cAlternateFileName="")) returned 1 [0143.383] lstrcmpiW (lpString1="SYNCHIST", lpString2="Windows") returned -1 [0143.383] lstrcmpiW (lpString1="SYNCHIST", lpString2="Program Files") returned 1 [0143.383] lstrcmpiW (lpString1="SYNCHIST", lpString2="Program Files (x86)") returned 1 [0143.383] lstrcmpiW (lpString1="SYNCHIST", lpString2="$Recycle.bin") returned 1 [0143.383] lstrcmpiW (lpString1="SYNCHIST", lpString2="System Volume Information") returned -1 [0143.383] lstrcmpiW (lpString1="SYNCHIST", lpString2=".") returned 1 [0143.383] lstrcmpiW (lpString1="SYNCHIST", lpString2="..") returned 1 [0143.383] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST") returned 76 [0143.383] lstrcmpW (lpString1="SYNCHIST", lpString2="PUSSY.TXT") returned 1 [0143.383] PathFindExtensionW (pszPath="SYNCHIST") returned="" [0143.383] lstrlenW (lpString="") returned 0 [0143.383] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0143.383] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\synchist"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x180 [0143.384] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=76) returned 1 [0143.384] CloseHandle (hObject=0x180) returned 1 [0143.384] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x2b1e4b40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2b1e4b40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x36031920, ftLastWriteTime.dwHighDateTime=0x1d4d57d, nFileSizeHigh=0x0, nFileSizeLow=0x4c, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="SYNCHIST", cAlternateFileName="")) returned 0 [0143.384] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0143.384] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\PUSSY.TXT") returned 77 [0143.384] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x124 [0143.385] lstrlenA (lpString="abcd") returned 4 [0143.385] WriteFile (in: hFile=0x124, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0143.386] CloseHandle (hObject=0x124) returned 1 [0143.386] GetProcessHeap () returned 0x4c0000 [0143.386] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0143.386] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x43bcc750, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x43bcc750, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x43bcc750, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Publisher", cAlternateFileName="PUBLIS~1")) returned 1 [0143.386] lstrcmpiW (lpString1="Publisher", lpString2="Windows") returned -1 [0143.386] lstrcmpiW (lpString1="Publisher", lpString2="Program Files") returned 1 [0143.386] lstrcmpiW (lpString1="Publisher", lpString2="Program Files (x86)") returned 1 [0143.386] lstrcmpiW (lpString1="Publisher", lpString2="$Recycle.bin") returned 1 [0143.386] lstrcmpiW (lpString1="Publisher", lpString2="System Volume Information") returned -1 [0143.386] lstrcmpiW (lpString1="Publisher", lpString2=".") returned 1 [0143.386] lstrcmpiW (lpString1="Publisher", lpString2="..") returned 1 [0143.386] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher") returned 69 [0143.386] GetProcessHeap () returned 0x4c0000 [0143.386] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0143.386] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher" [0143.386] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher\\*" [0143.386] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x43bcc750, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x43bcc750, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x43bcc750, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0143.451] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0143.451] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0143.451] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0143.451] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0143.451] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0143.451] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0143.452] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x43bcc750, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x43bcc750, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x43bcc750, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0143.452] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0143.452] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0143.452] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0143.452] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0143.452] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0143.452] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0143.452] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0143.452] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x43bcc750, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x43bcc750, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x43bcc750, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0143.452] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0143.452] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher\\PUSSY.TXT") returned 79 [0143.452] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\publisher\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0143.453] lstrlenA (lpString="abcd") returned 4 [0143.453] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0143.454] CloseHandle (hObject=0x184) returned 1 [0143.454] GetProcessHeap () returned 0x4c0000 [0143.454] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0143.454] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4bb4c1b0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xbec39d0, ftLastAccessTime.dwHighDateTime=0x1d3aaba, ftLastWriteTime.dwLowDateTime=0xbec39d0, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Publisher Building Blocks", cAlternateFileName="PUBLIS~2")) returned 1 [0143.454] lstrcmpiW (lpString1="Publisher Building Blocks", lpString2="Windows") returned -1 [0143.454] lstrcmpiW (lpString1="Publisher Building Blocks", lpString2="Program Files") returned 1 [0143.454] lstrcmpiW (lpString1="Publisher Building Blocks", lpString2="Program Files (x86)") returned 1 [0143.454] lstrcmpiW (lpString1="Publisher Building Blocks", lpString2="$Recycle.bin") returned 1 [0143.454] lstrcmpiW (lpString1="Publisher Building Blocks", lpString2="System Volume Information") returned -1 [0143.454] lstrcmpiW (lpString1="Publisher Building Blocks", lpString2=".") returned 1 [0143.454] lstrcmpiW (lpString1="Publisher Building Blocks", lpString2="..") returned 1 [0143.454] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks") returned 85 [0143.454] GetProcessHeap () returned 0x4c0000 [0143.454] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0143.454] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks" [0143.455] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\*" [0143.455] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4bb4c1b0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xbec39d0, ftLastAccessTime.dwHighDateTime=0x1d3aaba, ftLastWriteTime.dwLowDateTime=0xbec39d0, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0143.460] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0143.460] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0143.460] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0143.460] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0143.460] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0143.460] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0143.460] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4bb4c1b0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xbec39d0, ftLastAccessTime.dwHighDateTime=0x1d3aaba, ftLastWriteTime.dwLowDateTime=0xbec39d0, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0143.460] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0143.460] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0143.460] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0143.460] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0143.460] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0143.460] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0143.460] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0143.460] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4bb4c1b0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x4bb4c1b0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xbec39d0, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0xa8, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="ContentStore.xml", cAlternateFileName="CONTEN~1.XML")) returned 1 [0143.460] lstrcmpiW (lpString1="ContentStore.xml", lpString2="Windows") returned -1 [0143.460] lstrcmpiW (lpString1="ContentStore.xml", lpString2="Program Files") returned -1 [0143.460] lstrcmpiW (lpString1="ContentStore.xml", lpString2="Program Files (x86)") returned -1 [0143.460] lstrcmpiW (lpString1="ContentStore.xml", lpString2="$Recycle.bin") returned 1 [0143.460] lstrcmpiW (lpString1="ContentStore.xml", lpString2="System Volume Information") returned -1 [0143.461] lstrcmpiW (lpString1="ContentStore.xml", lpString2=".") returned 1 [0143.461] lstrcmpiW (lpString1="ContentStore.xml", lpString2="..") returned 1 [0143.461] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml") returned 102 [0143.461] lstrcmpW (lpString1="ContentStore.xml", lpString2="PUSSY.TXT") returned -1 [0143.461] PathFindExtensionW (pszPath="ContentStore.xml") returned=".xml" [0143.461] lstrlenW (lpString=".xml") returned 4 [0143.461] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0143.461] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\publisher building blocks\\contentstore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x124 [0143.473] GetFileSizeEx (in: hFile=0x124, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=168) returned 1 [0143.473] CloseHandle (hObject=0x124) returned 1 [0143.473] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4bb4c1b0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x4bb4c1b0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xbec39d0, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0xa8, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="ContentStore.xml", cAlternateFileName="CONTEN~1.XML")) returned 0 [0143.473] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0143.473] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\PUSSY.TXT") returned 95 [0143.473] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\publisher building blocks\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0143.474] lstrlenA (lpString="abcd") returned 4 [0143.474] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0143.475] CloseHandle (hObject=0x184) returned 1 [0143.475] GetProcessHeap () returned 0x4c0000 [0143.475] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0143.475] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Speech", cAlternateFileName="")) returned 1 [0143.475] lstrcmpiW (lpString1="Speech", lpString2="Windows") returned -1 [0143.475] lstrcmpiW (lpString1="Speech", lpString2="Program Files") returned 1 [0143.475] lstrcmpiW (lpString1="Speech", lpString2="Program Files (x86)") returned 1 [0143.475] lstrcmpiW (lpString1="Speech", lpString2="$Recycle.bin") returned 1 [0143.475] lstrcmpiW (lpString1="Speech", lpString2="System Volume Information") returned -1 [0143.475] lstrcmpiW (lpString1="Speech", lpString2=".") returned 1 [0143.475] lstrcmpiW (lpString1="Speech", lpString2="..") returned 1 [0143.475] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Speech") returned 66 [0143.475] GetProcessHeap () returned 0x4c0000 [0143.475] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0143.475] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Speech" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Speech") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Speech" [0143.476] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Speech", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Speech\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Speech\\*" [0143.476] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Speech\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0143.476] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0143.476] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0143.476] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0143.476] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0143.476] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0143.476] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0143.476] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0143.476] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0143.476] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0143.476] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0143.476] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0143.477] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0143.477] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0143.477] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0143.477] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0143.477] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0143.477] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Speech\\PUSSY.TXT") returned 76 [0143.477] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Speech\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\speech\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0143.477] lstrlenA (lpString="abcd") returned 4 [0143.477] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0143.478] CloseHandle (hObject=0x184) returned 1 [0143.478] GetProcessHeap () returned 0x4c0000 [0143.478] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0143.478] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="SystemCertificates", cAlternateFileName="SYSTEM~1")) returned 1 [0143.479] lstrcmpiW (lpString1="SystemCertificates", lpString2="Windows") returned -1 [0143.479] lstrcmpiW (lpString1="SystemCertificates", lpString2="Program Files") returned 1 [0143.479] lstrcmpiW (lpString1="SystemCertificates", lpString2="Program Files (x86)") returned 1 [0143.479] lstrcmpiW (lpString1="SystemCertificates", lpString2="$Recycle.bin") returned 1 [0143.479] lstrcmpiW (lpString1="SystemCertificates", lpString2="System Volume Information") returned 1 [0143.479] lstrcmpiW (lpString1="SystemCertificates", lpString2=".") returned 1 [0143.479] lstrcmpiW (lpString1="SystemCertificates", lpString2="..") returned 1 [0143.479] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates") returned 78 [0143.479] GetProcessHeap () returned 0x4c0000 [0143.479] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0143.479] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates" [0143.479] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*" [0143.479] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0143.479] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0143.479] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0143.479] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0143.479] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0143.479] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0143.480] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0143.480] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0143.480] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0143.480] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0143.480] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0143.480] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0143.480] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0143.480] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0143.480] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0143.480] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="My", cAlternateFileName="")) returned 1 [0143.480] lstrcmpiW (lpString1="My", lpString2="Windows") returned -1 [0143.480] lstrcmpiW (lpString1="My", lpString2="Program Files") returned -1 [0143.480] lstrcmpiW (lpString1="My", lpString2="Program Files (x86)") returned -1 [0143.480] lstrcmpiW (lpString1="My", lpString2="$Recycle.bin") returned 1 [0143.480] lstrcmpiW (lpString1="My", lpString2="System Volume Information") returned -1 [0143.480] lstrcmpiW (lpString1="My", lpString2=".") returned 1 [0143.480] lstrcmpiW (lpString1="My", lpString2="..") returned 1 [0143.480] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My") returned 81 [0143.480] GetProcessHeap () returned 0x4c0000 [0143.480] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0143.480] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My" [0143.480] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*" [0143.480] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0143.480] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0143.480] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0143.480] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0143.480] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0143.481] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0143.481] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0143.481] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0143.481] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0143.481] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0143.481] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0143.481] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0143.481] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0143.481] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0143.481] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0143.481] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="Certificates", cAlternateFileName="CERTIF~1")) returned 1 [0143.481] lstrcmpiW (lpString1="Certificates", lpString2="Windows") returned -1 [0143.481] lstrcmpiW (lpString1="Certificates", lpString2="Program Files") returned -1 [0143.481] lstrcmpiW (lpString1="Certificates", lpString2="Program Files (x86)") returned -1 [0143.481] lstrcmpiW (lpString1="Certificates", lpString2="$Recycle.bin") returned 1 [0143.481] lstrcmpiW (lpString1="Certificates", lpString2="System Volume Information") returned -1 [0143.481] lstrcmpiW (lpString1="Certificates", lpString2=".") returned 1 [0143.481] lstrcmpiW (lpString1="Certificates", lpString2="..") returned 1 [0143.481] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates") returned 94 [0143.481] GetProcessHeap () returned 0x4c0000 [0143.481] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0143.482] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates" [0143.482] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*" [0143.482] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0143.482] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0143.482] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0143.482] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0143.482] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0143.482] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0143.482] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0143.483] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0143.483] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0143.483] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0143.483] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0143.483] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0143.483] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0143.483] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0143.483] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0143.483] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 0 [0143.483] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0143.483] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\PUSSY.TXT") returned 104 [0143.483] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\systemcertificates\\my\\certificates\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0143.484] lstrlenA (lpString="abcd") returned 4 [0143.484] WriteFile (in: hFile=0x180, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0143.485] CloseHandle (hObject=0x180) returned 1 [0143.485] GetProcessHeap () returned 0x4c0000 [0143.485] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0143.485] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="CRLs", cAlternateFileName="")) returned 1 [0143.485] lstrcmpiW (lpString1="CRLs", lpString2="Windows") returned -1 [0143.485] lstrcmpiW (lpString1="CRLs", lpString2="Program Files") returned -1 [0143.485] lstrcmpiW (lpString1="CRLs", lpString2="Program Files (x86)") returned -1 [0143.485] lstrcmpiW (lpString1="CRLs", lpString2="$Recycle.bin") returned 1 [0143.485] lstrcmpiW (lpString1="CRLs", lpString2="System Volume Information") returned -1 [0143.485] lstrcmpiW (lpString1="CRLs", lpString2=".") returned 1 [0143.485] lstrcmpiW (lpString1="CRLs", lpString2="..") returned 1 [0143.485] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs") returned 86 [0143.485] GetProcessHeap () returned 0x4c0000 [0143.485] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0143.485] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs" [0143.485] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*" [0143.485] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0143.486] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0143.486] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0143.486] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0143.486] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0143.486] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0143.486] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0143.486] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0143.486] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0143.486] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0143.486] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0143.486] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0143.486] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0143.486] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0143.486] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0143.486] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 0 [0143.486] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0143.486] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\PUSSY.TXT") returned 96 [0143.486] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\systemcertificates\\my\\crls\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0143.487] lstrlenA (lpString="abcd") returned 4 [0143.487] WriteFile (in: hFile=0x180, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0143.488] CloseHandle (hObject=0x180) returned 1 [0143.488] GetProcessHeap () returned 0x4c0000 [0143.488] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0143.488] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="CTLs", cAlternateFileName="")) returned 1 [0143.488] lstrcmpiW (lpString1="CTLs", lpString2="Windows") returned -1 [0143.488] lstrcmpiW (lpString1="CTLs", lpString2="Program Files") returned -1 [0143.488] lstrcmpiW (lpString1="CTLs", lpString2="Program Files (x86)") returned -1 [0143.488] lstrcmpiW (lpString1="CTLs", lpString2="$Recycle.bin") returned 1 [0143.488] lstrcmpiW (lpString1="CTLs", lpString2="System Volume Information") returned -1 [0143.488] lstrcmpiW (lpString1="CTLs", lpString2=".") returned 1 [0143.488] lstrcmpiW (lpString1="CTLs", lpString2="..") returned 1 [0143.488] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs") returned 86 [0143.488] GetProcessHeap () returned 0x4c0000 [0143.488] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0143.488] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs" [0143.488] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*" [0143.488] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0143.488] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0143.488] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0143.488] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0143.488] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0143.488] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0143.489] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0143.489] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0143.489] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0143.489] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0143.489] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0143.489] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0143.489] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0143.489] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0143.489] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0143.489] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 0 [0143.489] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0143.489] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\PUSSY.TXT") returned 96 [0143.489] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\systemcertificates\\my\\ctls\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0143.489] lstrlenA (lpString="abcd") returned 4 [0143.490] WriteFile (in: hFile=0x180, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0143.490] CloseHandle (hObject=0x180) returned 1 [0143.491] GetProcessHeap () returned 0x4c0000 [0143.491] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0143.491] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="CTLs", cAlternateFileName="")) returned 0 [0143.491] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0143.491] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\PUSSY.TXT") returned 91 [0143.491] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\systemcertificates\\my\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x124 [0143.491] lstrlenA (lpString="abcd") returned 4 [0143.491] WriteFile (in: hFile=0x124, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0143.493] CloseHandle (hObject=0x124) returned 1 [0143.493] GetProcessHeap () returned 0x4c0000 [0143.493] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0143.496] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="My", cAlternateFileName="")) returned 0 [0143.496] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0143.496] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\PUSSY.TXT") returned 88 [0143.496] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\systemcertificates\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0143.496] lstrlenA (lpString="abcd") returned 4 [0143.496] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0143.497] CloseHandle (hObject=0x184) returned 1 [0143.497] GetProcessHeap () returned 0x4c0000 [0143.497] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0143.498] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x31d42f10, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x2795d470, ftLastAccessTime.dwHighDateTime=0x1d3aaba, ftLastWriteTime.dwLowDateTime=0x2795d470, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0143.498] lstrcmpiW (lpString1="Templates", lpString2="Windows") returned -1 [0143.498] lstrcmpiW (lpString1="Templates", lpString2="Program Files") returned 1 [0143.498] lstrcmpiW (lpString1="Templates", lpString2="Program Files (x86)") returned 1 [0143.498] lstrcmpiW (lpString1="Templates", lpString2="$Recycle.bin") returned 1 [0143.498] lstrcmpiW (lpString1="Templates", lpString2="System Volume Information") returned 1 [0143.498] lstrcmpiW (lpString1="Templates", lpString2=".") returned 1 [0143.498] lstrcmpiW (lpString1="Templates", lpString2="..") returned 1 [0143.498] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates") returned 69 [0143.498] GetProcessHeap () returned 0x4c0000 [0143.498] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0143.498] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates" [0143.498] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\*" [0143.498] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x31d42f10, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x2795d470, ftLastAccessTime.dwHighDateTime=0x1d3aaba, ftLastWriteTime.dwLowDateTime=0x2795d470, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0143.499] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0143.499] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0143.499] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0143.499] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0143.499] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0143.499] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0143.500] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x31d42f10, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x2795d470, ftLastAccessTime.dwHighDateTime=0x1d3aaba, ftLastWriteTime.dwLowDateTime=0x2795d470, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0143.500] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0143.500] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0143.500] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0143.500] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0143.500] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0143.500] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0143.500] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0143.500] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5db2c650, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x5db2c650, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x5db78910, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x509b, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="Normal.dotm", cAlternateFileName="NORMAL~1.DOT")) returned 1 [0143.500] lstrcmpiW (lpString1="Normal.dotm", lpString2="Windows") returned -1 [0143.500] lstrcmpiW (lpString1="Normal.dotm", lpString2="Program Files") returned -1 [0143.500] lstrcmpiW (lpString1="Normal.dotm", lpString2="Program Files (x86)") returned -1 [0143.500] lstrcmpiW (lpString1="Normal.dotm", lpString2="$Recycle.bin") returned 1 [0143.500] lstrcmpiW (lpString1="Normal.dotm", lpString2="System Volume Information") returned -1 [0143.500] lstrcmpiW (lpString1="Normal.dotm", lpString2=".") returned 1 [0143.500] lstrcmpiW (lpString1="Normal.dotm", lpString2="..") returned 1 [0143.500] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm") returned 81 [0143.500] lstrcmpW (lpString1="Normal.dotm", lpString2="PUSSY.TXT") returned -1 [0143.500] PathFindExtensionW (pszPath="Normal.dotm") returned=".dotm" [0143.500] lstrlenW (lpString=".dotm") returned 5 [0143.500] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0143.500] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\templates\\normal.dotm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x124 [0143.501] GetFileSizeEx (in: hFile=0x124, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=20635) returned 1 [0143.501] GetProcessHeap () returned 0x4c0000 [0143.501] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0143.511] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="1C") returned 2 [0143.511] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="44") returned 2 [0143.511] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="1D") returned 2 [0143.511] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="62") returned 2 [0143.511] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="79") returned 2 [0143.511] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="1A") returned 2 [0143.511] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="A6") returned 2 [0143.511] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="84") returned 2 [0143.511] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="F9") returned 2 [0143.511] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="81") returned 2 [0143.511] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="B6") returned 2 [0143.511] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="9E") returned 2 [0143.511] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="33") returned 2 [0143.511] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="D0") returned 2 [0143.511] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="2C") returned 2 [0143.511] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="82") returned 2 [0143.511] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="73") returned 2 [0143.511] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="AF") returned 2 [0143.511] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="40") returned 2 [0143.511] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="88") returned 2 [0143.511] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="3B") returned 2 [0143.511] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="91") returned 2 [0143.511] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="58") returned 2 [0143.512] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="8B") returned 2 [0143.512] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="2B") returned 2 [0143.512] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="A9") returned 2 [0143.512] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="8A") returned 2 [0143.512] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="72") returned 2 [0143.512] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="36") returned 2 [0143.512] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="19") returned 2 [0143.512] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="DC") returned 2 [0143.512] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="2A") returned 2 [0143.520] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm" [0143.520] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm" [0143.520] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm", lpString2=".1C441D62791AA684F981B69E33D02C8273AF40883B91588B2BA98A723619DC2A" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm.1C441D62791AA684F981B69E33D02C8273AF40883B91588B2BA98A723619DC2A") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm.1C441D62791AA684F981B69E33D02C8273AF40883B91588B2BA98A723619DC2A" [0143.520] CreateIoCompletionPort (FileHandle=0x124, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0143.521] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0143.521] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5db2c650, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x5db2c650, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x5db78910, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x509b, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="Normal.dotm", cAlternateFileName="NORMAL~1.DOT")) returned 0 [0143.521] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0143.521] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\PUSSY.TXT") returned 79 [0143.521] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\templates\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0143.522] lstrlenA (lpString="abcd") returned 4 [0143.522] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0143.523] CloseHandle (hObject=0x184) returned 1 [0143.523] GetProcessHeap () returned 0x4c0000 [0143.523] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0143.523] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbab2410, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xbab2410, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xbab2410, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="UProof", cAlternateFileName="")) returned 1 [0143.523] lstrcmpiW (lpString1="UProof", lpString2="Windows") returned -1 [0143.523] lstrcmpiW (lpString1="UProof", lpString2="Program Files") returned 1 [0143.523] lstrcmpiW (lpString1="UProof", lpString2="Program Files (x86)") returned 1 [0143.523] lstrcmpiW (lpString1="UProof", lpString2="$Recycle.bin") returned 1 [0143.523] lstrcmpiW (lpString1="UProof", lpString2="System Volume Information") returned 1 [0143.523] lstrcmpiW (lpString1="UProof", lpString2=".") returned 1 [0143.523] lstrcmpiW (lpString1="UProof", lpString2="..") returned 1 [0143.523] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof") returned 66 [0143.523] GetProcessHeap () returned 0x4c0000 [0143.523] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0143.523] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof" [0143.523] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof\\*" [0143.523] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbab2410, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xbab2410, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xbab2410, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0143.525] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0143.525] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0143.525] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0143.525] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0143.525] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0143.525] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0143.525] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbab2410, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xbab2410, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xbab2410, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0143.525] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0143.525] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0143.525] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0143.525] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0143.525] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0143.525] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0143.525] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0143.525] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbab2410, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xbab2410, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xbab2410, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x2, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="CUSTOM.DIC", cAlternateFileName="")) returned 1 [0143.525] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="Windows") returned -1 [0143.525] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="Program Files") returned -1 [0143.525] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="Program Files (x86)") returned -1 [0143.525] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="$Recycle.bin") returned 1 [0143.525] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="System Volume Information") returned -1 [0143.525] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2=".") returned 1 [0143.525] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="..") returned 1 [0143.525] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC") returned 77 [0143.525] lstrcmpW (lpString1="CUSTOM.DIC", lpString2="PUSSY.TXT") returned -1 [0143.525] PathFindExtensionW (pszPath="CUSTOM.DIC") returned=".DIC" [0143.526] lstrlenW (lpString=".DIC") returned 4 [0143.526] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0143.526] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\uproof\\custom.dic"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x180 [0143.527] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=2) returned 1 [0143.527] CloseHandle (hObject=0x180) returned 1 [0143.527] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbab2410, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xbab2410, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xbab2410, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x2, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="CUSTOM.DIC", cAlternateFileName="")) returned 0 [0143.527] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0143.527] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof\\PUSSY.TXT") returned 76 [0143.527] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\uproof\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0143.528] lstrlenA (lpString="abcd") returned 4 [0143.528] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0143.529] CloseHandle (hObject=0x184) returned 1 [0143.529] GetProcessHeap () returned 0x4c0000 [0143.529] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0143.529] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf96b9c4c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Windows", cAlternateFileName="")) returned 1 [0143.529] lstrcmpiW (lpString1="Windows", lpString2="Windows") returned 0 [0143.529] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f71aa70, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x27c7d150, ftLastAccessTime.dwHighDateTime=0x1d3aaba, ftLastWriteTime.dwLowDateTime=0x27c7d150, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Word", cAlternateFileName="")) returned 1 [0143.529] lstrcmpiW (lpString1="Word", lpString2="Windows") returned 1 [0143.529] lstrcmpiW (lpString1="Word", lpString2="Program Files") returned 1 [0143.529] lstrcmpiW (lpString1="Word", lpString2="Program Files (x86)") returned 1 [0143.529] lstrcmpiW (lpString1="Word", lpString2="$Recycle.bin") returned 1 [0143.529] lstrcmpiW (lpString1="Word", lpString2="System Volume Information") returned 1 [0143.529] lstrcmpiW (lpString1="Word", lpString2=".") returned 1 [0143.529] lstrcmpiW (lpString1="Word", lpString2="..") returned 1 [0143.529] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word") returned 64 [0143.529] GetProcessHeap () returned 0x4c0000 [0143.529] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0143.529] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word" [0143.529] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word\\*" [0143.529] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f71aa70, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x27c7d150, ftLastAccessTime.dwHighDateTime=0x1d3aaba, ftLastWriteTime.dwLowDateTime=0x27c7d150, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0143.550] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0143.550] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0143.550] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0143.550] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0143.550] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0143.550] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0143.550] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f71aa70, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x27c7d150, ftLastAccessTime.dwHighDateTime=0x1d3aaba, ftLastWriteTime.dwLowDateTime=0x27c7d150, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0143.550] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0143.550] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0143.550] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0143.550] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0143.550] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0143.552] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0143.552] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0143.552] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27c7d150, ftCreationTime.dwHighDateTime=0x1d3aaba, ftLastAccessTime.dwLowDateTime=0x27c7d150, ftLastAccessTime.dwHighDateTime=0x1d3aaba, ftLastWriteTime.dwLowDateTime=0x27c7d150, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="STARTUP", cAlternateFileName="")) returned 1 [0143.553] lstrcmpiW (lpString1="STARTUP", lpString2="Windows") returned -1 [0143.553] lstrcmpiW (lpString1="STARTUP", lpString2="Program Files") returned 1 [0143.553] lstrcmpiW (lpString1="STARTUP", lpString2="Program Files (x86)") returned 1 [0143.553] lstrcmpiW (lpString1="STARTUP", lpString2="$Recycle.bin") returned 1 [0143.553] lstrcmpiW (lpString1="STARTUP", lpString2="System Volume Information") returned -1 [0143.553] lstrcmpiW (lpString1="STARTUP", lpString2=".") returned 1 [0143.553] lstrcmpiW (lpString1="STARTUP", lpString2="..") returned 1 [0143.553] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word\\STARTUP") returned 72 [0143.553] GetProcessHeap () returned 0x4c0000 [0143.553] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0143.553] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word\\STARTUP" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word\\STARTUP") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word\\STARTUP" [0143.553] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word\\STARTUP", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\*" [0143.553] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27c7d150, ftCreationTime.dwHighDateTime=0x1d3aaba, ftLastAccessTime.dwLowDateTime=0x27c7d150, ftLastAccessTime.dwHighDateTime=0x1d3aaba, ftLastWriteTime.dwLowDateTime=0x27c7d150, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0143.553] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0143.554] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0143.554] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0143.554] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0143.554] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0143.554] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0143.554] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27c7d150, ftCreationTime.dwHighDateTime=0x1d3aaba, ftLastAccessTime.dwLowDateTime=0x27c7d150, ftLastAccessTime.dwHighDateTime=0x1d3aaba, ftLastWriteTime.dwLowDateTime=0x27c7d150, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0143.554] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0143.554] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0143.554] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0143.554] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0143.554] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0143.554] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0143.554] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0143.554] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27c7d150, ftCreationTime.dwHighDateTime=0x1d3aaba, ftLastAccessTime.dwLowDateTime=0x27c7d150, ftLastAccessTime.dwHighDateTime=0x1d3aaba, ftLastWriteTime.dwLowDateTime=0x27c7d150, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 0 [0143.554] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0143.554] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\PUSSY.TXT") returned 82 [0143.554] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\word\\startup\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x124 [0143.555] lstrlenA (lpString="abcd") returned 4 [0143.555] WriteFile (in: hFile=0x124, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0143.556] CloseHandle (hObject=0x124) returned 1 [0143.556] GetProcessHeap () returned 0x4c0000 [0143.556] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0143.557] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27c7d150, ftCreationTime.dwHighDateTime=0x1d3aaba, ftLastAccessTime.dwLowDateTime=0x27c7d150, ftLastAccessTime.dwHighDateTime=0x1d3aaba, ftLastWriteTime.dwLowDateTime=0x27c7d150, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="STARTUP", cAlternateFileName="")) returned 0 [0143.557] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0143.557] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word\\PUSSY.TXT") returned 74 [0143.557] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\word\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0143.558] lstrlenA (lpString="abcd") returned 4 [0143.558] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0143.559] CloseHandle (hObject=0x184) returned 1 [0143.559] GetProcessHeap () returned 0x4c0000 [0143.559] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0143.560] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f71aa70, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x27c7d150, ftLastAccessTime.dwHighDateTime=0x1d3aaba, ftLastWriteTime.dwLowDateTime=0x27c7d150, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Word", cAlternateFileName="")) returned 0 [0143.560] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0143.560] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\PUSSY.TXT") returned 69 [0143.560] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0143.569] lstrlenA (lpString="abcd") returned 4 [0143.569] WriteFile (in: hFile=0x1b8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0143.570] CloseHandle (hObject=0x1b8) returned 1 [0143.570] GetProcessHeap () returned 0x4c0000 [0143.570] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0143.571] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb264df80, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb458e750, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb458e750, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="Mozilla", cAlternateFileName="")) returned 1 [0143.571] lstrcmpiW (lpString1="Mozilla", lpString2="Windows") returned -1 [0143.571] lstrcmpiW (lpString1="Mozilla", lpString2="Program Files") returned -1 [0143.572] lstrcmpiW (lpString1="Mozilla", lpString2="Program Files (x86)") returned -1 [0143.572] lstrcmpiW (lpString1="Mozilla", lpString2="$Recycle.bin") returned 1 [0143.572] lstrcmpiW (lpString1="Mozilla", lpString2="System Volume Information") returned -1 [0143.572] lstrcmpiW (lpString1="Mozilla", lpString2=".") returned 1 [0143.572] lstrcmpiW (lpString1="Mozilla", lpString2="..") returned 1 [0143.572] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla") returned 57 [0143.572] GetProcessHeap () returned 0x4c0000 [0143.572] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0143.572] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla" [0143.572] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\*" [0143.572] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb264df80, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb458e750, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb458e750, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0143.573] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0143.573] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0143.573] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0143.573] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0143.573] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0143.573] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0143.573] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb264df80, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb458e750, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb458e750, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0143.573] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0143.573] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0143.573] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0143.573] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0143.573] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0143.573] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0143.573] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0143.573] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb458e750, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb458e750, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb458e750, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Extensions", cAlternateFileName="EXTENS~1")) returned 1 [0143.573] lstrcmpiW (lpString1="Extensions", lpString2="Windows") returned -1 [0143.573] lstrcmpiW (lpString1="Extensions", lpString2="Program Files") returned -1 [0143.573] lstrcmpiW (lpString1="Extensions", lpString2="Program Files (x86)") returned -1 [0143.573] lstrcmpiW (lpString1="Extensions", lpString2="$Recycle.bin") returned 1 [0143.573] lstrcmpiW (lpString1="Extensions", lpString2="System Volume Information") returned -1 [0143.574] lstrcmpiW (lpString1="Extensions", lpString2=".") returned 1 [0143.574] lstrcmpiW (lpString1="Extensions", lpString2="..") returned 1 [0143.574] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Extensions") returned 68 [0143.574] GetProcessHeap () returned 0x4c0000 [0143.574] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0143.574] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Extensions" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Extensions") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Extensions" [0143.574] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Extensions", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Extensions\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Extensions\\*" [0143.575] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Extensions\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb458e750, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb458e750, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb458e750, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0143.585] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0143.585] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0143.585] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0143.585] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0143.585] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0143.585] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0143.585] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb458e750, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb458e750, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb458e750, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0143.585] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0143.585] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0143.585] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0143.585] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0143.585] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0143.585] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0143.586] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0143.586] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb458e750, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb458e750, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb458e750, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0143.586] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0143.586] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Extensions\\PUSSY.TXT") returned 78 [0143.586] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Extensions\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\extensions\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0143.587] lstrlenA (lpString="abcd") returned 4 [0143.587] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0143.587] CloseHandle (hObject=0x184) returned 1 [0143.588] GetProcessHeap () returned 0x4c0000 [0143.588] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0143.588] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb264df80, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb26740e0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb26740e0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Firefox", cAlternateFileName="")) returned 1 [0143.588] lstrcmpiW (lpString1="Firefox", lpString2="Windows") returned -1 [0143.588] lstrcmpiW (lpString1="Firefox", lpString2="Program Files") returned -1 [0143.588] lstrcmpiW (lpString1="Firefox", lpString2="Program Files (x86)") returned -1 [0143.588] lstrcmpiW (lpString1="Firefox", lpString2="$Recycle.bin") returned 1 [0143.588] lstrcmpiW (lpString1="Firefox", lpString2="System Volume Information") returned -1 [0143.588] lstrcmpiW (lpString1="Firefox", lpString2=".") returned 1 [0143.588] lstrcmpiW (lpString1="Firefox", lpString2="..") returned 1 [0143.588] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox") returned 65 [0143.588] GetProcessHeap () returned 0x4c0000 [0143.588] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0143.588] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox" [0143.588] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\*" [0143.588] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb264df80, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb26740e0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb26740e0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0143.589] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0143.589] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0143.589] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0143.589] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0143.589] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0143.589] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0143.589] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb264df80, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb26740e0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb26740e0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0143.589] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0143.589] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0143.589] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0143.589] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0143.589] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0143.589] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0143.589] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0143.589] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb264df80, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb264df80, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb264df80, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="Crash Reports", cAlternateFileName="CRASHR~1")) returned 1 [0143.589] lstrcmpiW (lpString1="Crash Reports", lpString2="Windows") returned -1 [0143.589] lstrcmpiW (lpString1="Crash Reports", lpString2="Program Files") returned -1 [0143.589] lstrcmpiW (lpString1="Crash Reports", lpString2="Program Files (x86)") returned -1 [0143.589] lstrcmpiW (lpString1="Crash Reports", lpString2="$Recycle.bin") returned 1 [0143.589] lstrcmpiW (lpString1="Crash Reports", lpString2="System Volume Information") returned -1 [0143.589] lstrcmpiW (lpString1="Crash Reports", lpString2=".") returned 1 [0143.589] lstrcmpiW (lpString1="Crash Reports", lpString2="..") returned 1 [0143.589] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports") returned 79 [0143.590] GetProcessHeap () returned 0x4c0000 [0143.590] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0143.590] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports" [0143.590] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\*" [0143.590] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb264df80, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb264df80, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb264df80, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0143.591] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0143.591] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0143.591] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0143.591] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0143.591] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0143.591] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0143.591] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb264df80, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb264df80, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb264df80, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0143.591] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0143.591] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0143.591] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0143.591] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0143.591] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0143.591] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0143.591] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0143.591] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb264df80, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb264df80, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb264df80, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0xa, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="InstallTime20131025151332", cAlternateFileName="INSTAL~1")) returned 1 [0143.591] lstrcmpiW (lpString1="InstallTime20131025151332", lpString2="Windows") returned -1 [0143.591] lstrcmpiW (lpString1="InstallTime20131025151332", lpString2="Program Files") returned -1 [0143.591] lstrcmpiW (lpString1="InstallTime20131025151332", lpString2="Program Files (x86)") returned -1 [0143.591] lstrcmpiW (lpString1="InstallTime20131025151332", lpString2="$Recycle.bin") returned 1 [0143.591] lstrcmpiW (lpString1="InstallTime20131025151332", lpString2="System Volume Information") returned -1 [0143.591] lstrcmpiW (lpString1="InstallTime20131025151332", lpString2=".") returned 1 [0143.591] lstrcmpiW (lpString1="InstallTime20131025151332", lpString2="..") returned 1 [0143.591] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20131025151332") returned 105 [0143.591] lstrcmpW (lpString1="InstallTime20131025151332", lpString2="PUSSY.TXT") returned -1 [0143.591] PathFindExtensionW (pszPath="InstallTime20131025151332") returned="" [0143.591] lstrlenW (lpString="") returned 0 [0143.591] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0143.592] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20131025151332" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\crash reports\\installtime20131025151332"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x180 [0143.593] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=10) returned 1 [0143.593] CloseHandle (hObject=0x180) returned 1 [0143.593] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb264df80, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb264df80, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb264df80, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0xa, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="InstallTime20131025151332", cAlternateFileName="INSTAL~1")) returned 0 [0143.593] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0143.593] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\PUSSY.TXT") returned 89 [0143.593] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\crash reports\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x124 [0143.594] lstrlenA (lpString="abcd") returned 4 [0143.594] WriteFile (in: hFile=0x124, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0143.595] CloseHandle (hObject=0x124) returned 1 [0143.595] GetProcessHeap () returned 0x4c0000 [0143.595] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0143.595] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb264df80, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb264df80, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb264df80, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="Profiles", cAlternateFileName="")) returned 1 [0143.595] lstrcmpiW (lpString1="Profiles", lpString2="Windows") returned -1 [0143.595] lstrcmpiW (lpString1="Profiles", lpString2="Program Files") returned -1 [0143.595] lstrcmpiW (lpString1="Profiles", lpString2="Program Files (x86)") returned -1 [0143.595] lstrcmpiW (lpString1="Profiles", lpString2="$Recycle.bin") returned 1 [0143.595] lstrcmpiW (lpString1="Profiles", lpString2="System Volume Information") returned -1 [0143.595] lstrcmpiW (lpString1="Profiles", lpString2=".") returned 1 [0143.595] lstrcmpiW (lpString1="Profiles", lpString2="..") returned 1 [0143.595] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles") returned 74 [0143.595] GetProcessHeap () returned 0x4c0000 [0143.595] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0143.595] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles" [0143.595] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*" [0143.595] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb264df80, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb264df80, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb264df80, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0143.643] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0143.643] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0143.643] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0143.643] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0143.643] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0143.643] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0143.643] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb264df80, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb264df80, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb264df80, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0143.643] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0143.643] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0143.643] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0143.643] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0143.643] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0143.643] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0143.643] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0143.643] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb264df80, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x85442390, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x85442390, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="silmbjec.default", cAlternateFileName="SILMBJ~1.DEF")) returned 1 [0143.643] lstrcmpiW (lpString1="silmbjec.default", lpString2="Windows") returned -1 [0143.643] lstrcmpiW (lpString1="silmbjec.default", lpString2="Program Files") returned 1 [0143.643] lstrcmpiW (lpString1="silmbjec.default", lpString2="Program Files (x86)") returned 1 [0143.644] lstrcmpiW (lpString1="silmbjec.default", lpString2="$Recycle.bin") returned 1 [0143.644] lstrcmpiW (lpString1="silmbjec.default", lpString2="System Volume Information") returned -1 [0143.644] lstrcmpiW (lpString1="silmbjec.default", lpString2=".") returned 1 [0143.644] lstrcmpiW (lpString1="silmbjec.default", lpString2="..") returned 1 [0143.644] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default") returned 91 [0143.644] GetProcessHeap () returned 0x4c0000 [0143.644] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0143.645] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default" [0143.645] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\*" [0143.645] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb264df80, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x85442390, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x85442390, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0143.647] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0143.647] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0143.647] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0143.647] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0143.647] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0143.647] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0143.647] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb264df80, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x85442390, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x85442390, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0143.648] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0143.648] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0143.648] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0143.648] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0143.648] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0143.648] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0143.649] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0143.649] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb76a6d10, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb76a6d10, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb76a6d10, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x18, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="addons.json", cAlternateFileName="ADDONS~1.JSO")) returned 1 [0143.649] lstrcmpiW (lpString1="addons.json", lpString2="Windows") returned -1 [0143.649] lstrcmpiW (lpString1="addons.json", lpString2="Program Files") returned -1 [0143.649] lstrcmpiW (lpString1="addons.json", lpString2="Program Files (x86)") returned -1 [0143.649] lstrcmpiW (lpString1="addons.json", lpString2="$Recycle.bin") returned 1 [0143.649] lstrcmpiW (lpString1="addons.json", lpString2="System Volume Information") returned -1 [0143.649] lstrcmpiW (lpString1="addons.json", lpString2=".") returned 1 [0143.649] lstrcmpiW (lpString1="addons.json", lpString2="..") returned 1 [0143.649] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\addons.json") returned 103 [0143.649] lstrcmpW (lpString1="addons.json", lpString2="PUSSY.TXT") returned -1 [0143.649] PathFindExtensionW (pszPath="addons.json") returned=".json" [0143.649] lstrlenW (lpString=".json") returned 5 [0143.649] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0143.649] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\addons.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\addons.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0143.650] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=24) returned 1 [0143.650] CloseHandle (hObject=0x18c) returned 1 [0143.650] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb5233c30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x8503de70, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x8503de70, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="bookmarkbackups", cAlternateFileName="BOOKMA~1")) returned 1 [0143.650] lstrcmpiW (lpString1="bookmarkbackups", lpString2="Windows") returned -1 [0143.650] lstrcmpiW (lpString1="bookmarkbackups", lpString2="Program Files") returned -1 [0143.650] lstrcmpiW (lpString1="bookmarkbackups", lpString2="Program Files (x86)") returned -1 [0143.650] lstrcmpiW (lpString1="bookmarkbackups", lpString2="$Recycle.bin") returned 1 [0143.650] lstrcmpiW (lpString1="bookmarkbackups", lpString2="System Volume Information") returned -1 [0143.650] lstrcmpiW (lpString1="bookmarkbackups", lpString2=".") returned 1 [0143.650] lstrcmpiW (lpString1="bookmarkbackups", lpString2="..") returned 1 [0143.650] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups") returned 107 [0143.650] GetProcessHeap () returned 0x4c0000 [0143.650] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bd80e8 [0143.651] lstrcpyW (in: lpString1=0x3bd80e8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups" [0143.651] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\*" [0143.651] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb5233c30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x8503de70, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x8503de70, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0143.654] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0143.654] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0143.654] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0143.654] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0143.654] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0143.654] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0143.654] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb5233c30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x8503de70, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x8503de70, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0143.654] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0143.654] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0143.654] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0143.654] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0143.654] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0143.654] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0143.654] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0143.654] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc37c9330, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xc37c9330, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xc37df2c0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0xbdb, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="bookmarks-2017-06-05_5.json", cAlternateFileName="BOOKMA~1.JSO")) returned 1 [0143.654] lstrcmpiW (lpString1="bookmarks-2017-06-05_5.json", lpString2="Windows") returned -1 [0143.654] lstrcmpiW (lpString1="bookmarks-2017-06-05_5.json", lpString2="Program Files") returned -1 [0143.654] lstrcmpiW (lpString1="bookmarks-2017-06-05_5.json", lpString2="Program Files (x86)") returned -1 [0143.654] lstrcmpiW (lpString1="bookmarks-2017-06-05_5.json", lpString2="$Recycle.bin") returned 1 [0143.654] lstrcmpiW (lpString1="bookmarks-2017-06-05_5.json", lpString2="System Volume Information") returned -1 [0143.654] lstrcmpiW (lpString1="bookmarks-2017-06-05_5.json", lpString2=".") returned 1 [0143.654] lstrcmpiW (lpString1="bookmarks-2017-06-05_5.json", lpString2="..") returned 1 [0143.654] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-05_5.json") returned 135 [0143.654] lstrcmpW (lpString1="bookmarks-2017-06-05_5.json", lpString2="PUSSY.TXT") returned -1 [0143.654] PathFindExtensionW (pszPath="bookmarks-2017-06-05_5.json") returned=".json" [0143.655] lstrlenW (lpString=".json") returned 5 [0143.655] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0143.655] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-05_5.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-05_5.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0143.656] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=3035) returned 1 [0143.656] GetProcessHeap () returned 0x4c0000 [0143.656] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0143.667] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="2E") returned 2 [0143.667] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="60") returned 2 [0143.667] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="21") returned 2 [0143.667] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="69") returned 2 [0143.667] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="D9") returned 2 [0143.667] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="F9") returned 2 [0143.667] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="C6") returned 2 [0143.667] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="DA") returned 2 [0143.667] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="CB") returned 2 [0143.667] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="C7") returned 2 [0143.667] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="4D") returned 2 [0143.667] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="8C") returned 2 [0143.667] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="B9") returned 2 [0143.667] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="2A") returned 2 [0143.667] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="A7") returned 2 [0143.667] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="27") returned 2 [0143.667] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="B6") returned 2 [0143.667] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="7B") returned 2 [0143.667] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="77") returned 2 [0143.667] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="E1") returned 2 [0143.667] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="DF") returned 2 [0143.667] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="E7") returned 2 [0143.668] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="2A") returned 2 [0143.668] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="90") returned 2 [0143.668] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="AB") returned 2 [0143.668] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="6E") returned 2 [0143.668] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="3E") returned 2 [0143.668] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="B8") returned 2 [0143.668] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="AF") returned 2 [0143.668] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="DB") returned 2 [0143.668] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="F2") returned 2 [0143.668] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="47") returned 2 [0143.676] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-05_5.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-05_5.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-05_5.json" [0143.676] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-05_5.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-05_5.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-05_5.json" [0143.676] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-05_5.json", lpString2=".2E602169D9F9C6DACBC74D8CB92AA727B67B77E1DFE72A90AB6E3EB8AFDBF247" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-05_5.json.2E602169D9F9C6DACBC74D8CB92AA727B67B77E1DFE72A90AB6E3EB8AFDBF247") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-05_5.json.2E602169D9F9C6DACBC74D8CB92AA727B67B77E1DFE72A90AB6E3EB8AFDBF247" [0143.676] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0143.676] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0143.676] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85017d10, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x85017d10, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x85017d10, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0xbdb, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="bookmarks-2017-06-16_5.json", cAlternateFileName="BOOKMA~2.JSO")) returned 1 [0143.676] lstrcmpiW (lpString1="bookmarks-2017-06-16_5.json", lpString2="Windows") returned -1 [0143.676] lstrcmpiW (lpString1="bookmarks-2017-06-16_5.json", lpString2="Program Files") returned -1 [0143.676] lstrcmpiW (lpString1="bookmarks-2017-06-16_5.json", lpString2="Program Files (x86)") returned -1 [0143.676] lstrcmpiW (lpString1="bookmarks-2017-06-16_5.json", lpString2="$Recycle.bin") returned 1 [0143.676] lstrcmpiW (lpString1="bookmarks-2017-06-16_5.json", lpString2="System Volume Information") returned -1 [0143.676] lstrcmpiW (lpString1="bookmarks-2017-06-16_5.json", lpString2=".") returned 1 [0143.676] lstrcmpiW (lpString1="bookmarks-2017-06-16_5.json", lpString2="..") returned 1 [0143.676] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-16_5.json") returned 135 [0143.676] lstrcmpW (lpString1="bookmarks-2017-06-16_5.json", lpString2="PUSSY.TXT") returned -1 [0143.676] PathFindExtensionW (pszPath="bookmarks-2017-06-16_5.json") returned=".json" [0143.676] lstrlenW (lpString=".json") returned 5 [0143.676] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0143.676] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-16_5.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-16_5.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d4 [0143.679] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=3035) returned 1 [0143.679] GetProcessHeap () returned 0x4c0000 [0143.679] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0143.689] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="25") returned 2 [0143.689] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="48") returned 2 [0143.690] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="47") returned 2 [0143.690] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="39") returned 2 [0143.690] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="08") returned 2 [0143.690] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="9A") returned 2 [0143.690] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="F3") returned 2 [0143.690] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="D8") returned 2 [0143.690] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="13") returned 2 [0143.690] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="48") returned 2 [0143.690] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="98") returned 2 [0143.690] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="57") returned 2 [0143.690] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="34") returned 2 [0143.690] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="E5") returned 2 [0143.690] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="17") returned 2 [0143.690] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="2E") returned 2 [0143.690] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="EB") returned 2 [0143.690] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="AC") returned 2 [0143.690] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="3B") returned 2 [0143.690] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="99") returned 2 [0143.690] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="3D") returned 2 [0143.690] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="3A") returned 2 [0143.690] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="3C") returned 2 [0143.690] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="D3") returned 2 [0143.690] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="6D") returned 2 [0143.690] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="AA") returned 2 [0143.690] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="16") returned 2 [0143.690] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="56") returned 2 [0143.690] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="E2") returned 2 [0143.690] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="DA") returned 2 [0143.690] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="01") returned 2 [0143.690] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="10") returned 2 [0143.704] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-16_5.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-16_5.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-16_5.json" [0143.704] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-16_5.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-16_5.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-16_5.json" [0143.704] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-16_5.json", lpString2=".25484739089AF3D81348985734E5172EEBAC3B993D3A3CD36DAA1656E2DA0110" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-16_5.json.25484739089AF3D81348985734E5172EEBAC3B993D3A3CD36DAA1656E2DA0110") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-16_5.json.25484739089AF3D81348985734E5172EEBAC3B993D3A3CD36DAA1656E2DA0110" [0143.705] CreateIoCompletionPort (FileHandle=0x1d4, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0143.705] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0143.705] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85017d10, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x85017d10, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x85017d10, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0xbdb, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="bookmarks-2017-06-16_5.json", cAlternateFileName="BOOKMA~2.JSO")) returned 0 [0143.712] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0143.712] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\PUSSY.TXT") returned 117 [0143.712] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\bookmarkbackups\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0143.715] lstrlenA (lpString="abcd") returned 4 [0143.715] WriteFile (in: hFile=0x1d4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0143.716] CloseHandle (hObject=0x1d4) returned 1 [0143.716] GetProcessHeap () returned 0x4c0000 [0143.716] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bd80e8 | out: hHeap=0x4c0000) returned 1 [0143.719] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb47c9bf0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb47c9bf0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x853f60d0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="cert8.db", cAlternateFileName="")) returned 1 [0143.719] lstrcmpiW (lpString1="cert8.db", lpString2="Windows") returned -1 [0143.719] lstrcmpiW (lpString1="cert8.db", lpString2="Program Files") returned -1 [0143.719] lstrcmpiW (lpString1="cert8.db", lpString2="Program Files (x86)") returned -1 [0143.719] lstrcmpiW (lpString1="cert8.db", lpString2="$Recycle.bin") returned 1 [0143.719] lstrcmpiW (lpString1="cert8.db", lpString2="System Volume Information") returned -1 [0143.719] lstrcmpiW (lpString1="cert8.db", lpString2=".") returned 1 [0143.719] lstrcmpiW (lpString1="cert8.db", lpString2="..") returned 1 [0143.719] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cert8.db") returned 100 [0143.719] lstrcmpW (lpString1="cert8.db", lpString2="PUSSY.TXT") returned -1 [0143.719] PathFindExtensionW (pszPath="cert8.db") returned=".db" [0143.719] lstrlenW (lpString=".db") returned 3 [0143.719] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0143.719] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cert8.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\cert8.db"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d4 [0143.720] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=65536) returned 1 [0143.721] GetProcessHeap () returned 0x4c0000 [0143.721] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0143.731] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="8D") returned 2 [0143.731] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="64") returned 2 [0143.731] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="AF") returned 2 [0143.731] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="9B") returned 2 [0143.731] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="7B") returned 2 [0143.732] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="24") returned 2 [0143.732] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="F3") returned 2 [0143.732] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="7F") returned 2 [0143.732] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="C8") returned 2 [0143.732] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="BC") returned 2 [0143.732] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="D3") returned 2 [0143.732] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="08") returned 2 [0143.732] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="0D") returned 2 [0143.732] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="99") returned 2 [0143.732] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="3F") returned 2 [0143.732] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="E2") returned 2 [0143.732] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="23") returned 2 [0143.732] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="2A") returned 2 [0143.732] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="FE") returned 2 [0143.732] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="79") returned 2 [0143.732] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="3A") returned 2 [0143.732] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="07") returned 2 [0143.732] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="F4") returned 2 [0143.732] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="53") returned 2 [0143.732] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="BD") returned 2 [0143.732] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="E0") returned 2 [0143.732] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="BE") returned 2 [0143.732] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="2C") returned 2 [0143.732] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="34") returned 2 [0143.732] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="8D") returned 2 [0143.732] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="73") returned 2 [0143.732] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="02") returned 2 [0143.741] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cert8.db" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cert8.db") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cert8.db" [0143.741] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cert8.db" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cert8.db") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cert8.db" [0143.741] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cert8.db", lpString2=".8D64AF9B7B24F37FC8BCD3080D993FE2232AFE793A07F453BDE0BE2C348D7302" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cert8.db.8D64AF9B7B24F37FC8BCD3080D993FE2232AFE793A07F453BDE0BE2C348D7302") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cert8.db.8D64AF9B7B24F37FC8BCD3080D993FE2232AFE793A07F453BDE0BE2C348D7302" [0143.741] CreateIoCompletionPort (FileHandle=0x1d4, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0143.741] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0143.741] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb26740e0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb26740e0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x80696ec0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0xce, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="compatibility.ini", cAlternateFileName="COMPAT~1.INI")) returned 1 [0143.741] lstrcmpiW (lpString1="compatibility.ini", lpString2="Windows") returned -1 [0143.741] lstrcmpiW (lpString1="compatibility.ini", lpString2="Program Files") returned -1 [0143.741] lstrcmpiW (lpString1="compatibility.ini", lpString2="Program Files (x86)") returned -1 [0143.741] lstrcmpiW (lpString1="compatibility.ini", lpString2="$Recycle.bin") returned 1 [0143.741] lstrcmpiW (lpString1="compatibility.ini", lpString2="System Volume Information") returned -1 [0143.741] lstrcmpiW (lpString1="compatibility.ini", lpString2=".") returned 1 [0143.741] lstrcmpiW (lpString1="compatibility.ini", lpString2="..") returned 1 [0143.741] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\compatibility.ini") returned 109 [0143.741] lstrcmpW (lpString1="compatibility.ini", lpString2="PUSSY.TXT") returned -1 [0143.741] PathFindExtensionW (pszPath="compatibility.ini") returned=".ini" [0143.741] lstrlenW (lpString=".ini") returned 4 [0143.741] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0143.742] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\compatibility.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\compatibility.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0143.743] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=206) returned 1 [0143.743] CloseHandle (hObject=0x18c) returned 1 [0143.743] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb5e8ce50, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb5e8ce50, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb639bd10, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x38000, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="content-prefs.sqlite", cAlternateFileName="CONTEN~1.SQL")) returned 1 [0143.743] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="Windows") returned -1 [0143.743] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="Program Files") returned -1 [0143.743] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="Program Files (x86)") returned -1 [0143.743] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="$Recycle.bin") returned 1 [0143.743] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="System Volume Information") returned -1 [0143.743] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2=".") returned 1 [0143.743] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="..") returned 1 [0143.743] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\content-prefs.sqlite") returned 112 [0143.743] lstrcmpW (lpString1="content-prefs.sqlite", lpString2="PUSSY.TXT") returned -1 [0143.743] PathFindExtensionW (pszPath="content-prefs.sqlite") returned=".sqlite" [0143.743] lstrlenW (lpString=".sqlite") returned 7 [0143.743] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0143.743] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\content-prefs.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\content-prefs.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0143.744] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=229376) returned 1 [0143.744] GetProcessHeap () returned 0x4c0000 [0143.744] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0143.754] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="97") returned 2 [0143.754] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="0F") returned 2 [0143.754] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="1E") returned 2 [0143.754] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="EE") returned 2 [0143.754] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="CF") returned 2 [0143.755] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="DB") returned 2 [0143.755] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="73") returned 2 [0143.755] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="FF") returned 2 [0143.755] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="42") returned 2 [0143.755] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="96") returned 2 [0143.755] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="55") returned 2 [0143.755] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="94") returned 2 [0143.755] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="DB") returned 2 [0143.755] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="D6") returned 2 [0143.755] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="25") returned 2 [0143.755] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="01") returned 2 [0143.755] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="B8") returned 2 [0143.755] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="28") returned 2 [0143.755] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="B8") returned 2 [0143.755] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="23") returned 2 [0143.755] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="19") returned 2 [0143.755] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="B9") returned 2 [0143.755] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="4A") returned 2 [0143.755] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="D1") returned 2 [0143.755] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="AA") returned 2 [0143.755] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="A5") returned 2 [0143.755] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="38") returned 2 [0143.755] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="51") returned 2 [0143.755] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="55") returned 2 [0143.755] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="F8") returned 2 [0143.755] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="2A") returned 2 [0143.755] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="24") returned 2 [0143.763] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\content-prefs.sqlite" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\content-prefs.sqlite") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\content-prefs.sqlite" [0143.763] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\content-prefs.sqlite" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\content-prefs.sqlite") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\content-prefs.sqlite" [0143.763] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\content-prefs.sqlite", lpString2=".970F1EEECFDB73FF42965594DBD62501B828B82319B94AD1AAA5385155F82A24" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\content-prefs.sqlite.970F1EEECFDB73FF42965594DBD62501B828B82319B94AD1AAA5385155F82A24") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\content-prefs.sqlite.970F1EEECFDB73FF42965594DBD62501B828B82319B94AD1AAA5385155F82A24" [0143.763] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0143.763] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0143.763] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb5ad4bf0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb5ad4bf0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x83256a10, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="cookies.sqlite", cAlternateFileName="COOKIE~1.SQL")) returned 1 [0143.764] lstrcmpiW (lpString1="cookies.sqlite", lpString2="Windows") returned -1 [0143.764] lstrcmpiW (lpString1="cookies.sqlite", lpString2="Program Files") returned -1 [0143.764] lstrcmpiW (lpString1="cookies.sqlite", lpString2="Program Files (x86)") returned -1 [0143.764] lstrcmpiW (lpString1="cookies.sqlite", lpString2="$Recycle.bin") returned 1 [0143.764] lstrcmpiW (lpString1="cookies.sqlite", lpString2="System Volume Information") returned -1 [0143.764] lstrcmpiW (lpString1="cookies.sqlite", lpString2=".") returned 1 [0143.764] lstrcmpiW (lpString1="cookies.sqlite", lpString2="..") returned 1 [0143.764] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cookies.sqlite") returned 106 [0143.764] lstrcmpW (lpString1="cookies.sqlite", lpString2="PUSSY.TXT") returned -1 [0143.764] PathFindExtensionW (pszPath="cookies.sqlite") returned=".sqlite" [0143.764] lstrlenW (lpString=".sqlite") returned 7 [0143.764] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0143.764] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cookies.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\cookies.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0143.765] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=524288) returned 1 [0143.765] GetProcessHeap () returned 0x4c0000 [0143.765] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x553b30 [0143.951] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="AA") returned 2 [0143.951] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="0C") returned 2 [0143.951] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="7E") returned 2 [0143.951] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="44") returned 2 [0143.952] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="DC") returned 2 [0143.952] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="67") returned 2 [0143.952] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="47") returned 2 [0143.952] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="66") returned 2 [0143.952] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="10") returned 2 [0143.952] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="BF") returned 2 [0143.952] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="45") returned 2 [0143.952] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="62") returned 2 [0143.952] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="7E") returned 2 [0143.952] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="69") returned 2 [0143.952] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="FB") returned 2 [0143.952] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="E5") returned 2 [0143.952] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="D4") returned 2 [0143.952] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="7F") returned 2 [0143.952] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="70") returned 2 [0143.952] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="02") returned 2 [0143.952] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="37") returned 2 [0143.952] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="3F") returned 2 [0143.952] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="55") returned 2 [0143.952] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="0A") returned 2 [0143.952] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="4B") returned 2 [0143.952] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="02") returned 2 [0143.952] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="B9") returned 2 [0143.952] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="6F") returned 2 [0143.952] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="51") returned 2 [0143.952] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="C2") returned 2 [0143.952] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="CC") returned 2 [0143.952] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="21") returned 2 [0143.960] lstrcpyW (in: lpString1=0x563b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cookies.sqlite" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cookies.sqlite") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cookies.sqlite" [0143.961] lstrcpyW (in: lpString1=0x553b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cookies.sqlite" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cookies.sqlite") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cookies.sqlite" [0143.961] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cookies.sqlite", lpString2=".AA0C7E44DC67476610BF45627E69FBE5D47F7002373F550A4B02B96F51C2CC21" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cookies.sqlite.AA0C7E44DC67476610BF45627E69FBE5D47F7002373F550A4B02B96F51C2CC21") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cookies.sqlite.AA0C7E44DC67476610BF45627E69FBE5D47F7002373F550A4B02B96F51C2CC21" [0143.961] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x94, CompletionKey=0x553b30, NumberOfConcurrentThreads=0x0) returned 0x94 [0143.961] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x553b30, lpOverlapped=0x553b30) returned 1 [0143.961] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbc374ed0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xbc374ed0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xbc555e20, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x18000, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="downloads.sqlite", cAlternateFileName="DOWNLO~1.SQL")) returned 1 [0143.961] lstrcmpiW (lpString1="downloads.sqlite", lpString2="Windows") returned -1 [0143.961] lstrcmpiW (lpString1="downloads.sqlite", lpString2="Program Files") returned -1 [0143.961] lstrcmpiW (lpString1="downloads.sqlite", lpString2="Program Files (x86)") returned -1 [0143.961] lstrcmpiW (lpString1="downloads.sqlite", lpString2="$Recycle.bin") returned 1 [0143.961] lstrcmpiW (lpString1="downloads.sqlite", lpString2="System Volume Information") returned -1 [0143.961] lstrcmpiW (lpString1="downloads.sqlite", lpString2=".") returned 1 [0143.961] lstrcmpiW (lpString1="downloads.sqlite", lpString2="..") returned 1 [0143.961] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\downloads.sqlite") returned 108 [0143.962] lstrcmpW (lpString1="downloads.sqlite", lpString2="PUSSY.TXT") returned -1 [0143.962] PathFindExtensionW (pszPath="downloads.sqlite") returned=".sqlite" [0143.962] lstrlenW (lpString=".sqlite") returned 7 [0143.962] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0143.962] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\downloads.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\downloads.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0143.963] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=98304) returned 1 [0143.964] GetProcessHeap () returned 0x4c0000 [0143.964] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0143.972] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="9D") returned 2 [0143.972] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="E6") returned 2 [0143.972] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="BD") returned 2 [0143.972] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="F6") returned 2 [0143.972] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="EE") returned 2 [0143.972] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="5F") returned 2 [0143.972] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="E3") returned 2 [0143.972] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="CD") returned 2 [0143.972] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="F8") returned 2 [0143.972] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="06") returned 2 [0143.972] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="D2") returned 2 [0143.972] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="65") returned 2 [0143.972] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="C6") returned 2 [0143.972] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="AD") returned 2 [0143.972] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="B8") returned 2 [0143.972] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="B8") returned 2 [0143.972] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="AD") returned 2 [0143.972] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="88") returned 2 [0143.972] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="8C") returned 2 [0143.972] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="3B") returned 2 [0143.973] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="AE") returned 2 [0143.973] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="AF") returned 2 [0143.973] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="0E") returned 2 [0143.973] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="F6") returned 2 [0143.973] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="C7") returned 2 [0143.973] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="05") returned 2 [0143.973] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="F4") returned 2 [0143.973] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="00") returned 2 [0143.973] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="2F") returned 2 [0143.973] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="93") returned 2 [0143.973] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="69") returned 2 [0143.973] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="2A") returned 2 [0143.981] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\downloads.sqlite" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\downloads.sqlite") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\downloads.sqlite" [0143.981] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\downloads.sqlite" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\downloads.sqlite") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\downloads.sqlite" [0143.981] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\downloads.sqlite", lpString2=".9DE6BDF6EE5FE3CDF806D265C6ADB8B8AD888C3BAEAF0EF6C705F4002F93692A" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\downloads.sqlite.9DE6BDF6EE5FE3CDF806D265C6ADB8B8AD888C3BAEAF0EF6C705F4002F93692A") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\downloads.sqlite.9DE6BDF6EE5FE3CDF806D265C6ADB8B8AD888C3BAEAF0EF6C705F4002F93692A" [0143.981] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0143.981] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0143.981] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb4b81e50, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb4b81e50, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb4b81e50, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x8d, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="extensions.ini", cAlternateFileName="EXTENS~1.INI")) returned 1 [0143.981] lstrcmpiW (lpString1="extensions.ini", lpString2="Windows") returned -1 [0143.981] lstrcmpiW (lpString1="extensions.ini", lpString2="Program Files") returned -1 [0143.981] lstrcmpiW (lpString1="extensions.ini", lpString2="Program Files (x86)") returned -1 [0143.981] lstrcmpiW (lpString1="extensions.ini", lpString2="$Recycle.bin") returned 1 [0143.981] lstrcmpiW (lpString1="extensions.ini", lpString2="System Volume Information") returned -1 [0143.982] lstrcmpiW (lpString1="extensions.ini", lpString2=".") returned 1 [0143.982] lstrcmpiW (lpString1="extensions.ini", lpString2="..") returned 1 [0143.982] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.ini") returned 106 [0143.982] lstrcmpW (lpString1="extensions.ini", lpString2="PUSSY.TXT") returned -1 [0143.982] PathFindExtensionW (pszPath="extensions.ini") returned=".ini" [0143.982] lstrlenW (lpString=".ini") returned 4 [0143.982] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0143.982] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\extensions.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0144.020] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=141) returned 1 [0144.020] CloseHandle (hObject=0x178) returned 1 [0144.020] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb45b48b0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb45b48b0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb4b0fa30, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x70000, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="extensions.sqlite", cAlternateFileName="EXTENS~1.SQL")) returned 1 [0144.020] lstrcmpiW (lpString1="extensions.sqlite", lpString2="Windows") returned -1 [0144.020] lstrcmpiW (lpString1="extensions.sqlite", lpString2="Program Files") returned -1 [0144.020] lstrcmpiW (lpString1="extensions.sqlite", lpString2="Program Files (x86)") returned -1 [0144.020] lstrcmpiW (lpString1="extensions.sqlite", lpString2="$Recycle.bin") returned 1 [0144.020] lstrcmpiW (lpString1="extensions.sqlite", lpString2="System Volume Information") returned -1 [0144.020] lstrcmpiW (lpString1="extensions.sqlite", lpString2=".") returned 1 [0144.020] lstrcmpiW (lpString1="extensions.sqlite", lpString2="..") returned 1 [0144.020] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.sqlite") returned 109 [0144.020] lstrcmpW (lpString1="extensions.sqlite", lpString2="PUSSY.TXT") returned -1 [0144.020] PathFindExtensionW (pszPath="extensions.sqlite") returned=".sqlite" [0144.020] lstrlenW (lpString=".sqlite") returned 7 [0144.021] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0144.021] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\extensions.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0144.021] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=458752) returned 1 [0144.021] GetProcessHeap () returned 0x4c0000 [0144.021] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0144.031] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="AE") returned 2 [0144.031] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="54") returned 2 [0144.031] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="59") returned 2 [0144.031] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="38") returned 2 [0144.031] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="17") returned 2 [0144.031] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="4A") returned 2 [0144.031] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="9D") returned 2 [0144.031] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="9E") returned 2 [0144.031] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="1A") returned 2 [0144.032] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="A0") returned 2 [0144.032] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="81") returned 2 [0144.032] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="3A") returned 2 [0144.032] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="08") returned 2 [0144.032] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="02") returned 2 [0144.032] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="BE") returned 2 [0144.032] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="36") returned 2 [0144.032] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="C0") returned 2 [0144.032] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="51") returned 2 [0144.032] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="F8") returned 2 [0144.032] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="A2") returned 2 [0144.032] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="5B") returned 2 [0144.032] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="29") returned 2 [0144.032] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="9B") returned 2 [0144.032] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="61") returned 2 [0144.032] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="C8") returned 2 [0144.032] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="25") returned 2 [0144.032] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="C8") returned 2 [0144.032] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="E0") returned 2 [0144.032] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="17") returned 2 [0144.032] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="FE") returned 2 [0144.032] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="7C") returned 2 [0144.032] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="21") returned 2 [0144.040] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.sqlite" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.sqlite") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.sqlite" [0144.040] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.sqlite" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.sqlite") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.sqlite" [0144.041] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.sqlite", lpString2=".AE545938174A9D9E1AA0813A0802BE36C051F8A25B299B61C825C8E017FE7C21" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.sqlite.AE545938174A9D9E1AA0813A0802BE36C051F8A25B299B61C825C8E017FE7C21") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.sqlite.AE545938174A9D9E1AA0813A0802BE36C051F8A25B299B61C825C8E017FE7C21" [0144.041] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0144.041] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0144.041] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb6ff4f30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb701b090, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb701b090, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="indexedDB", cAlternateFileName="INDEXE~1")) returned 1 [0144.041] lstrcmpiW (lpString1="indexedDB", lpString2="Windows") returned -1 [0144.041] lstrcmpiW (lpString1="indexedDB", lpString2="Program Files") returned -1 [0144.041] lstrcmpiW (lpString1="indexedDB", lpString2="Program Files (x86)") returned -1 [0144.041] lstrcmpiW (lpString1="indexedDB", lpString2="$Recycle.bin") returned 1 [0144.041] lstrcmpiW (lpString1="indexedDB", lpString2="System Volume Information") returned -1 [0144.041] lstrcmpiW (lpString1="indexedDB", lpString2=".") returned 1 [0144.041] lstrcmpiW (lpString1="indexedDB", lpString2="..") returned 1 [0144.041] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB") returned 101 [0144.041] GetProcessHeap () returned 0x4c0000 [0144.041] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bd80e8 [0144.042] lstrcpyW (in: lpString1=0x3bd80e8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB" [0144.042] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\*" [0144.042] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb6ff4f30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb701b090, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb701b090, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ae70, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0144.043] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0144.044] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0144.044] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0144.044] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0144.044] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0144.044] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0144.044] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb6ff4f30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb701b090, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb701b090, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ae70, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0144.044] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0144.044] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0144.044] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0144.044] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0144.044] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0144.044] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0144.044] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0144.044] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb701b090, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb701b090, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb701b090, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ae70, dwReserved1=0x77c61b06, cFileName="moz-safe-about+home", cAlternateFileName="MOZ-SA~1")) returned 1 [0144.044] lstrcmpiW (lpString1="moz-safe-about+home", lpString2="Windows") returned -1 [0144.044] lstrcmpiW (lpString1="moz-safe-about+home", lpString2="Program Files") returned -1 [0144.044] lstrcmpiW (lpString1="moz-safe-about+home", lpString2="Program Files (x86)") returned -1 [0144.044] lstrcmpiW (lpString1="moz-safe-about+home", lpString2="$Recycle.bin") returned 1 [0144.044] lstrcmpiW (lpString1="moz-safe-about+home", lpString2="System Volume Information") returned -1 [0144.044] lstrcmpiW (lpString1="moz-safe-about+home", lpString2=".") returned 1 [0144.044] lstrcmpiW (lpString1="moz-safe-about+home", lpString2="..") returned 1 [0144.044] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home") returned 121 [0144.044] GetProcessHeap () returned 0x4c0000 [0144.044] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c28098 [0144.045] lstrcpyW (in: lpString1=0x3c28098, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home" [0144.045] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\*" [0144.045] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\*", lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb701b090, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb701b090, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb701b090, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe6d75ee, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb71a0 [0144.045] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0144.045] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0144.045] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0144.045] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0144.045] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0144.045] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0144.045] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb701b090, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb701b090, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb701b090, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe6d75ee, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0144.045] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0144.045] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0144.045] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0144.046] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0144.046] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0144.046] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0144.046] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0144.046] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb701b090, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb701b090, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb701b090, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe6d75ee, dwReserved1=0xfe000000, cFileName=".metadata", cAlternateFileName="METADA~1")) returned 1 [0144.046] lstrcmpiW (lpString1=".metadata", lpString2="Windows") returned -1 [0144.046] lstrcmpiW (lpString1=".metadata", lpString2="Program Files") returned -1 [0144.046] lstrcmpiW (lpString1=".metadata", lpString2="Program Files (x86)") returned -1 [0144.046] lstrcmpiW (lpString1=".metadata", lpString2="$Recycle.bin") returned 1 [0144.046] lstrcmpiW (lpString1=".metadata", lpString2="System Volume Information") returned -1 [0144.046] lstrcmpiW (lpString1=".metadata", lpString2=".") returned 1 [0144.046] lstrcmpiW (lpString1=".metadata", lpString2="..") returned 1 [0144.046] wnsprintfW (in: pszDest=0x3c28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\.metadata") returned 131 [0144.046] lstrcmpW (lpString1=".metadata", lpString2="PUSSY.TXT") returned -1 [0144.046] PathFindExtensionW (pszPath=".metadata") returned=".metadata" [0144.046] lstrlenW (lpString=".metadata") returned 9 [0144.046] SystemFunction036 (in: RandomBuffer=0x28a584, RandomBufferLength=0x20 | out: RandomBuffer=0x28a584) returned 1 [0144.046] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\.metadata" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\indexeddb\\moz-safe-about+home\\.metadata"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d4 [0144.089] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x28a578 | out: lpFileSize=0x28a578*=0) returned 1 [0144.090] CloseHandle (hObject=0x1d4) returned 1 [0144.090] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb701b090, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb8110d50, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb8110d50, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe6d75ee, dwReserved1=0xfe000000, cFileName="idb", cAlternateFileName="")) returned 1 [0144.090] lstrcmpiW (lpString1="idb", lpString2="Windows") returned -1 [0144.090] lstrcmpiW (lpString1="idb", lpString2="Program Files") returned -1 [0144.090] lstrcmpiW (lpString1="idb", lpString2="Program Files (x86)") returned -1 [0144.090] lstrcmpiW (lpString1="idb", lpString2="$Recycle.bin") returned 1 [0144.090] lstrcmpiW (lpString1="idb", lpString2="System Volume Information") returned -1 [0144.090] lstrcmpiW (lpString1="idb", lpString2=".") returned 1 [0144.090] lstrcmpiW (lpString1="idb", lpString2="..") returned 1 [0144.090] wnsprintfW (in: pszDest=0x3c28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb") returned 125 [0144.090] GetProcessHeap () returned 0x4c0000 [0144.090] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x502a88 [0144.090] lstrcpyW (in: lpString1=0x502a88, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb" [0144.090] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\*" [0144.091] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\*", lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb701b090, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb8110d50, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb8110d50, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb71e0 [0144.092] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0144.092] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0144.092] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0144.092] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0144.093] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0144.093] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0144.093] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb701b090, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb8110d50, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb8110d50, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0144.093] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0144.093] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0144.093] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0144.093] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0144.093] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0144.093] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0144.093] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0144.093] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb70ff8d0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb70ff8d0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb70ff8d0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="818200132aebmoouht", cAlternateFileName="818200~1")) returned 1 [0144.093] lstrcmpiW (lpString1="818200132aebmoouht", lpString2="Windows") returned -1 [0144.093] lstrcmpiW (lpString1="818200132aebmoouht", lpString2="Program Files") returned -1 [0144.094] lstrcmpiW (lpString1="818200132aebmoouht", lpString2="Program Files (x86)") returned -1 [0144.094] lstrcmpiW (lpString1="818200132aebmoouht", lpString2="$Recycle.bin") returned 1 [0144.094] lstrcmpiW (lpString1="818200132aebmoouht", lpString2="System Volume Information") returned -1 [0144.094] lstrcmpiW (lpString1="818200132aebmoouht", lpString2=".") returned 1 [0144.094] lstrcmpiW (lpString1="818200132aebmoouht", lpString2="..") returned 1 [0144.094] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht") returned 144 [0144.094] GetProcessHeap () returned 0x4c0000 [0144.094] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x512a90 [0144.094] lstrcpyW (in: lpString1=0x512a90, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht" [0144.094] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht\\*" [0144.094] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht\\*", lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb70ff8d0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb70ff8d0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb70ff8d0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfdfded11, cFileName=".", cAlternateFileName="")) returned 0x3bb7220 [0144.095] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0144.095] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0144.095] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0144.095] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0144.095] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0144.095] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0144.095] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb70ff8d0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb70ff8d0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb70ff8d0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfdfded11, cFileName="..", cAlternateFileName="")) returned 1 [0144.095] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0144.095] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0144.095] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0144.095] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0144.095] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0144.096] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0144.096] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0144.096] FindNextFileW (in: hFindFile=0x3bb7220, lpFindFileData=0x289758 | out: lpFindFileData=0x289758*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb70ff8d0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb70ff8d0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb70ff8d0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e06f8, dwReserved1=0xfdfded11, cFileName="..", cAlternateFileName="")) returned 0 [0144.096] FindClose (in: hFindFile=0x3bb7220 | out: hFindFile=0x3bb7220) returned 1 [0144.096] wnsprintfW (in: pszDest=0x512a90, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht\\PUSSY.TXT") returned 154 [0144.096] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0144.097] lstrlenA (lpString="abcd") returned 4 [0144.097] WriteFile (in: hFile=0xec, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2899ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x2899ac*=0x4, lpOverlapped=0x0) returned 1 [0144.098] CloseHandle (hObject=0xec) returned 1 [0144.098] GetProcessHeap () returned 0x4c0000 [0144.098] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0144.098] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb701b090, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb701b090, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb81a92d0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0xa0000, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="818200132aebmoouht.sqlite", cAlternateFileName="818200~1.SQL")) returned 1 [0144.099] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="Windows") returned -1 [0144.099] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="Program Files") returned -1 [0144.099] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="Program Files (x86)") returned -1 [0144.099] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="$Recycle.bin") returned 1 [0144.099] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="System Volume Information") returned -1 [0144.099] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2=".") returned 1 [0144.099] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="..") returned 1 [0144.099] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite") returned 151 [0144.099] lstrcmpW (lpString1="818200132aebmoouht.sqlite", lpString2="PUSSY.TXT") returned -1 [0144.099] PathFindExtensionW (pszPath="818200132aebmoouht.sqlite") returned=".sqlite" [0144.099] lstrlenW (lpString=".sqlite") returned 7 [0144.099] SystemFunction036 (in: RandomBuffer=0x289de4, RandomBufferLength=0x20 | out: RandomBuffer=0x289de4) returned 1 [0144.099] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xec [0144.105] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x289dd8 | out: lpFileSize=0x289dd8*=655360) returned 1 [0144.105] GetProcessHeap () returned 0x4c0000 [0144.105] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c380a0 [0144.239] wsprintfW (in: param_1=0x289e26, param_2="%02X" | out: param_1="35") returned 2 [0144.239] wsprintfW (in: param_1=0x289e2a, param_2="%02X" | out: param_1="74") returned 2 [0144.239] wsprintfW (in: param_1=0x289e2e, param_2="%02X" | out: param_1="9F") returned 2 [0144.239] wsprintfW (in: param_1=0x289e32, param_2="%02X" | out: param_1="AC") returned 2 [0144.239] wsprintfW (in: param_1=0x289e36, param_2="%02X" | out: param_1="48") returned 2 [0144.239] wsprintfW (in: param_1=0x289e3a, param_2="%02X" | out: param_1="4E") returned 2 [0144.239] wsprintfW (in: param_1=0x289e3e, param_2="%02X" | out: param_1="E0") returned 2 [0144.239] wsprintfW (in: param_1=0x289e42, param_2="%02X" | out: param_1="F1") returned 2 [0144.239] wsprintfW (in: param_1=0x289e46, param_2="%02X" | out: param_1="34") returned 2 [0144.239] wsprintfW (in: param_1=0x289e4a, param_2="%02X" | out: param_1="7F") returned 2 [0144.239] wsprintfW (in: param_1=0x289e4e, param_2="%02X" | out: param_1="98") returned 2 [0144.239] wsprintfW (in: param_1=0x289e52, param_2="%02X" | out: param_1="ED") returned 2 [0144.239] wsprintfW (in: param_1=0x289e56, param_2="%02X" | out: param_1="EC") returned 2 [0144.239] wsprintfW (in: param_1=0x289e5a, param_2="%02X" | out: param_1="3A") returned 2 [0144.239] wsprintfW (in: param_1=0x289e5e, param_2="%02X" | out: param_1="9C") returned 2 [0144.239] wsprintfW (in: param_1=0x289e62, param_2="%02X" | out: param_1="32") returned 2 [0144.239] wsprintfW (in: param_1=0x289e66, param_2="%02X" | out: param_1="49") returned 2 [0144.239] wsprintfW (in: param_1=0x289e6a, param_2="%02X" | out: param_1="AF") returned 2 [0144.239] wsprintfW (in: param_1=0x289e6e, param_2="%02X" | out: param_1="2E") returned 2 [0144.239] wsprintfW (in: param_1=0x289e72, param_2="%02X" | out: param_1="B9") returned 2 [0144.239] wsprintfW (in: param_1=0x289e76, param_2="%02X" | out: param_1="A7") returned 2 [0144.240] wsprintfW (in: param_1=0x289e7a, param_2="%02X" | out: param_1="E4") returned 2 [0144.240] wsprintfW (in: param_1=0x289e7e, param_2="%02X" | out: param_1="A5") returned 2 [0144.240] wsprintfW (in: param_1=0x289e82, param_2="%02X" | out: param_1="E1") returned 2 [0144.240] wsprintfW (in: param_1=0x289e86, param_2="%02X" | out: param_1="83") returned 2 [0144.240] wsprintfW (in: param_1=0x289e8a, param_2="%02X" | out: param_1="CB") returned 2 [0144.240] wsprintfW (in: param_1=0x289e8e, param_2="%02X" | out: param_1="19") returned 2 [0144.240] wsprintfW (in: param_1=0x289e92, param_2="%02X" | out: param_1="92") returned 2 [0144.240] wsprintfW (in: param_1=0x289e96, param_2="%02X" | out: param_1="16") returned 2 [0144.240] wsprintfW (in: param_1=0x289e9a, param_2="%02X" | out: param_1="1E") returned 2 [0144.240] wsprintfW (in: param_1=0x289e9e, param_2="%02X" | out: param_1="62") returned 2 [0144.240] wsprintfW (in: param_1=0x289ea2, param_2="%02X" | out: param_1="51") returned 2 [0144.254] lstrcpyW (in: lpString1=0x3c480d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" [0144.254] lstrcpyW (in: lpString1=0x3c380d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" [0144.254] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite", lpString2=".35749FAC484EE0F1347F98EDEC3A9C3249AF2EB9A7E4A5E183CB1992161E6251" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite.35749FAC484EE0F1347F98EDEC3A9C3249AF2EB9A7E4A5E183CB1992161E6251") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite.35749FAC484EE0F1347F98EDEC3A9C3249AF2EB9A7E4A5E183CB1992161E6251" [0144.254] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x94, CompletionKey=0x3c380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0144.254] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c380a0, lpOverlapped=0x3c380a0) returned 1 [0144.255] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x289ef8 | out: lpFindFileData=0x289ef8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb701b090, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb701b090, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb81a92d0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0xa0000, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="818200132aebmoouht.sqlite", cAlternateFileName="818200~1.SQL")) returned 0 [0144.255] FindClose (in: hFindFile=0x3bb71e0 | out: hFindFile=0x3bb71e0) returned 1 [0144.255] wnsprintfW (in: pszDest=0x502a88, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\PUSSY.TXT") returned 135 [0144.255] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\indexeddb\\moz-safe-about+home\\idb\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0144.256] lstrlenA (lpString="abcd") returned 4 [0144.256] WriteFile (in: hFile=0x1d4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a14c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a14c*=0x4, lpOverlapped=0x0) returned 1 [0144.257] CloseHandle (hObject=0x1d4) returned 1 [0144.257] GetProcessHeap () returned 0x4c0000 [0144.257] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0144.257] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x28a698 | out: lpFindFileData=0x28a698*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb701b090, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb8110d50, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb8110d50, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe6d75ee, dwReserved1=0xfe000000, cFileName="idb", cAlternateFileName="")) returned 0 [0144.258] FindClose (in: hFindFile=0x3bb71a0 | out: hFindFile=0x3bb71a0) returned 1 [0144.258] wnsprintfW (in: pszDest=0x3c28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\PUSSY.TXT") returned 131 [0144.258] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\indexeddb\\moz-safe-about+home\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x120 [0144.258] lstrlenA (lpString="abcd") returned 4 [0144.258] WriteFile (in: hFile=0x120, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28a8ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28a8ec*=0x4, lpOverlapped=0x0) returned 1 [0144.259] CloseHandle (hObject=0x120) returned 1 [0144.259] GetProcessHeap () returned 0x4c0000 [0144.259] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0144.260] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb701b090, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb701b090, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb701b090, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ae70, dwReserved1=0x77c61b06, cFileName="moz-safe-about+home", cAlternateFileName="MOZ-SA~1")) returned 0 [0144.260] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0144.260] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\PUSSY.TXT") returned 111 [0144.260] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\indexeddb\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x128 [0144.261] lstrlenA (lpString="abcd") returned 4 [0144.261] WriteFile (in: hFile=0x128, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0144.262] CloseHandle (hObject=0x128) returned 1 [0144.262] GetProcessHeap () returned 0x4c0000 [0144.262] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bd80e8 | out: hHeap=0x4c0000) returned 1 [0144.296] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb4815eb0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb4815eb0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x853f60d0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="key3.db", cAlternateFileName="")) returned 1 [0144.296] lstrcmpiW (lpString1="key3.db", lpString2="Windows") returned -1 [0144.296] lstrcmpiW (lpString1="key3.db", lpString2="Program Files") returned -1 [0144.296] lstrcmpiW (lpString1="key3.db", lpString2="Program Files (x86)") returned -1 [0144.296] lstrcmpiW (lpString1="key3.db", lpString2="$Recycle.bin") returned 1 [0144.296] lstrcmpiW (lpString1="key3.db", lpString2="System Volume Information") returned -1 [0144.296] lstrcmpiW (lpString1="key3.db", lpString2=".") returned 1 [0144.296] lstrcmpiW (lpString1="key3.db", lpString2="..") returned 1 [0144.296] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\key3.db") returned 99 [0144.296] lstrcmpW (lpString1="key3.db", lpString2="PUSSY.TXT") returned -1 [0144.296] PathFindExtensionW (pszPath="key3.db") returned=".db" [0144.296] lstrlenW (lpString=".db") returned 3 [0144.296] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0144.296] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\key3.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\key3.db"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x128 [0144.298] GetFileSizeEx (in: hFile=0x128, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=16384) returned 1 [0144.299] GetProcessHeap () returned 0x4c0000 [0144.299] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0144.308] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="20") returned 2 [0144.308] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="81") returned 2 [0144.308] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="C7") returned 2 [0144.308] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="65") returned 2 [0144.308] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="CE") returned 2 [0144.308] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="E1") returned 2 [0144.308] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="DF") returned 2 [0144.308] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="36") returned 2 [0144.308] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="F9") returned 2 [0144.308] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="C0") returned 2 [0144.309] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="4A") returned 2 [0144.309] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="3A") returned 2 [0144.309] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="1C") returned 2 [0144.309] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="64") returned 2 [0144.309] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="0B") returned 2 [0144.309] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="11") returned 2 [0144.309] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="D6") returned 2 [0144.309] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="EE") returned 2 [0144.309] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="A8") returned 2 [0144.309] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="D7") returned 2 [0144.309] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="D1") returned 2 [0144.309] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="39") returned 2 [0144.309] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="EB") returned 2 [0144.309] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="3C") returned 2 [0144.309] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="7D") returned 2 [0144.309] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="08") returned 2 [0144.309] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="CF") returned 2 [0144.309] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="B7") returned 2 [0144.309] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="F6") returned 2 [0144.309] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="F7") returned 2 [0144.309] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="43") returned 2 [0144.309] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="15") returned 2 [0144.317] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\key3.db" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\key3.db") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\key3.db" [0144.317] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\key3.db" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\key3.db") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\key3.db" [0144.318] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\key3.db", lpString2=".2081C765CEE1DF36F9C04A3A1C640B11D6EEA8D7D139EB3C7D08CFB7F6F74315" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\key3.db.2081C765CEE1DF36F9C04A3A1C640B11D6EEA8D7D139EB3C7D08CFB7F6F74315") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\key3.db.2081C765CEE1DF36F9C04A3A1C640B11D6EEA8D7D139EB3C7D08CFB7F6F74315" [0144.318] CreateIoCompletionPort (FileHandle=0x128, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0144.318] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0144.336] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x850d63f0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x850d63f0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x850d63f0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x501, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="localstore.rdf", cAlternateFileName="LOCALS~1.RDF")) returned 1 [0144.336] lstrcmpiW (lpString1="localstore.rdf", lpString2="Windows") returned -1 [0144.336] lstrcmpiW (lpString1="localstore.rdf", lpString2="Program Files") returned -1 [0144.336] lstrcmpiW (lpString1="localstore.rdf", lpString2="Program Files (x86)") returned -1 [0144.336] lstrcmpiW (lpString1="localstore.rdf", lpString2="$Recycle.bin") returned 1 [0144.336] lstrcmpiW (lpString1="localstore.rdf", lpString2="System Volume Information") returned -1 [0144.336] lstrcmpiW (lpString1="localstore.rdf", lpString2=".") returned 1 [0144.336] lstrcmpiW (lpString1="localstore.rdf", lpString2="..") returned 1 [0144.336] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\localstore.rdf") returned 106 [0144.336] lstrcmpW (lpString1="localstore.rdf", lpString2="PUSSY.TXT") returned -1 [0144.336] PathFindExtensionW (pszPath="localstore.rdf") returned=".rdf" [0144.336] lstrlenW (lpString=".rdf") returned 4 [0144.336] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0144.336] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\localstore.rdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\localstore.rdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x128 [0144.337] GetFileSizeEx (in: hFile=0x128, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=1281) returned 1 [0144.338] GetProcessHeap () returned 0x4c0000 [0144.338] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0144.347] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="77") returned 2 [0144.347] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="FD") returned 2 [0144.347] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="D9") returned 2 [0144.347] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="6A") returned 2 [0144.347] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="DF") returned 2 [0144.347] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="5A") returned 2 [0144.347] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="E6") returned 2 [0144.347] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="FD") returned 2 [0144.347] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="D7") returned 2 [0144.347] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="6A") returned 2 [0144.347] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="F6") returned 2 [0144.347] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="45") returned 2 [0144.347] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="66") returned 2 [0144.347] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="35") returned 2 [0144.347] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="A4") returned 2 [0144.347] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="EA") returned 2 [0144.347] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="3F") returned 2 [0144.347] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="00") returned 2 [0144.347] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="97") returned 2 [0144.347] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="9D") returned 2 [0144.347] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="47") returned 2 [0144.347] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="31") returned 2 [0144.347] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="6F") returned 2 [0144.347] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="5F") returned 2 [0144.347] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="B4") returned 2 [0144.347] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="96") returned 2 [0144.347] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="D9") returned 2 [0144.347] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="63") returned 2 [0144.347] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="D1") returned 2 [0144.347] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="87") returned 2 [0144.347] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="BF") returned 2 [0144.348] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="63") returned 2 [0144.356] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\localstore.rdf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\localstore.rdf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\localstore.rdf" [0144.356] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\localstore.rdf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\localstore.rdf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\localstore.rdf" [0144.356] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\localstore.rdf", lpString2=".77FDD96ADF5AE6FDD76AF6456635A4EA3F00979D47316F5FB496D963D187BF63" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\localstore.rdf.77FDD96ADF5AE6FDD76AF6456635A4EA3F00979D47316F5FB496D963D187BF63") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\localstore.rdf.77FDD96ADF5AE6FDD76AF6456635A4EA3F00979D47316F5FB496D963D187BF63" [0144.356] CreateIoCompletionPort (FileHandle=0x128, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0144.356] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0144.356] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb6518ad0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb6518ad0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x85572e90, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x39, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="marionette.log", cAlternateFileName="MARION~1.LOG")) returned 1 [0144.356] lstrcmpiW (lpString1="marionette.log", lpString2="Windows") returned -1 [0144.356] lstrcmpiW (lpString1="marionette.log", lpString2="Program Files") returned -1 [0144.356] lstrcmpiW (lpString1="marionette.log", lpString2="Program Files (x86)") returned -1 [0144.356] lstrcmpiW (lpString1="marionette.log", lpString2="$Recycle.bin") returned 1 [0144.356] lstrcmpiW (lpString1="marionette.log", lpString2="System Volume Information") returned -1 [0144.356] lstrcmpiW (lpString1="marionette.log", lpString2=".") returned 1 [0144.357] lstrcmpiW (lpString1="marionette.log", lpString2="..") returned 1 [0144.357] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\marionette.log") returned 106 [0144.357] lstrcmpW (lpString1="marionette.log", lpString2="PUSSY.TXT") returned -1 [0144.357] PathFindExtensionW (pszPath="marionette.log") returned=".log" [0144.357] lstrlenW (lpString=".log") returned 4 [0144.357] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0144.357] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\marionette.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\marionette.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0144.358] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=57) returned 1 [0144.358] CloseHandle (hObject=0x120) returned 1 [0144.358] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb50b6e70, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb5175550, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb5175550, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0xef3, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="mimeTypes.rdf", cAlternateFileName="MIMETY~1.RDF")) returned 1 [0144.358] lstrcmpiW (lpString1="mimeTypes.rdf", lpString2="Windows") returned -1 [0144.358] lstrcmpiW (lpString1="mimeTypes.rdf", lpString2="Program Files") returned -1 [0144.358] lstrcmpiW (lpString1="mimeTypes.rdf", lpString2="Program Files (x86)") returned -1 [0144.358] lstrcmpiW (lpString1="mimeTypes.rdf", lpString2="$Recycle.bin") returned 1 [0144.358] lstrcmpiW (lpString1="mimeTypes.rdf", lpString2="System Volume Information") returned -1 [0144.358] lstrcmpiW (lpString1="mimeTypes.rdf", lpString2=".") returned 1 [0144.358] lstrcmpiW (lpString1="mimeTypes.rdf", lpString2="..") returned 1 [0144.358] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\mimeTypes.rdf") returned 105 [0144.358] lstrcmpW (lpString1="mimeTypes.rdf", lpString2="PUSSY.TXT") returned -1 [0144.358] PathFindExtensionW (pszPath="mimeTypes.rdf") returned=".rdf" [0144.358] lstrlenW (lpString=".rdf") returned 4 [0144.358] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0144.358] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\mimeTypes.rdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\mimetypes.rdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0144.362] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=3827) returned 1 [0144.362] GetProcessHeap () returned 0x4c0000 [0144.362] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0144.372] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="47") returned 2 [0144.372] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="81") returned 2 [0144.372] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="32") returned 2 [0144.372] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="10") returned 2 [0144.372] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="D5") returned 2 [0144.372] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="2A") returned 2 [0144.372] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="0B") returned 2 [0144.372] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="FC") returned 2 [0144.372] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="B7") returned 2 [0144.372] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="C1") returned 2 [0144.372] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="17") returned 2 [0144.372] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="5E") returned 2 [0144.372] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="24") returned 2 [0144.372] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="76") returned 2 [0144.372] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="8B") returned 2 [0144.372] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="F7") returned 2 [0144.372] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="86") returned 2 [0144.372] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="73") returned 2 [0144.373] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="DE") returned 2 [0144.373] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="97") returned 2 [0144.373] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="CB") returned 2 [0144.373] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="E2") returned 2 [0144.373] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="41") returned 2 [0144.373] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="30") returned 2 [0144.373] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="36") returned 2 [0144.373] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="33") returned 2 [0144.373] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="74") returned 2 [0144.373] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="03") returned 2 [0144.373] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="77") returned 2 [0144.373] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="14") returned 2 [0144.373] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="E4") returned 2 [0144.373] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="69") returned 2 [0144.381] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\mimeTypes.rdf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\mimeTypes.rdf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\mimeTypes.rdf" [0144.381] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\mimeTypes.rdf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\mimeTypes.rdf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\mimeTypes.rdf" [0144.381] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\mimeTypes.rdf", lpString2=".47813210D52A0BFCB7C1175E24768BF78673DE97CBE24130363374037714E469" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\mimeTypes.rdf.47813210D52A0BFCB7C1175E24768BF78673DE97CBE24130363374037714E469") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\mimeTypes.rdf.47813210D52A0BFCB7C1175E24768BF78673DE97CBE24130363374037714E469" [0144.381] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0144.381] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0144.381] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb26740e0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb26740e0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb26740e0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="minidumps", cAlternateFileName="MINIDU~1")) returned 1 [0144.381] lstrcmpiW (lpString1="minidumps", lpString2="Windows") returned -1 [0144.381] lstrcmpiW (lpString1="minidumps", lpString2="Program Files") returned -1 [0144.381] lstrcmpiW (lpString1="minidumps", lpString2="Program Files (x86)") returned -1 [0144.381] lstrcmpiW (lpString1="minidumps", lpString2="$Recycle.bin") returned 1 [0144.381] lstrcmpiW (lpString1="minidumps", lpString2="System Volume Information") returned -1 [0144.381] lstrcmpiW (lpString1="minidumps", lpString2=".") returned 1 [0144.381] lstrcmpiW (lpString1="minidumps", lpString2="..") returned 1 [0144.381] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\minidumps") returned 101 [0144.382] GetProcessHeap () returned 0x4c0000 [0144.382] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c600f0 [0144.382] lstrcpyW (in: lpString1=0x3c600f0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\minidumps" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\minidumps") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\minidumps" [0144.382] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\minidumps", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\minidumps\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\minidumps\\*" [0144.382] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\minidumps\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb26740e0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb26740e0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb26740e0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ae70, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0144.384] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0144.384] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0144.384] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0144.384] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0144.384] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0144.384] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0144.384] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb26740e0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb26740e0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb26740e0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ae70, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0144.384] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0144.384] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0144.384] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0144.384] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0144.384] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0144.384] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0144.384] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0144.384] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb26740e0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb26740e0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb26740e0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ae70, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 0 [0144.384] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0144.384] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\minidumps\\PUSSY.TXT") returned 111 [0144.384] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\minidumps\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\minidumps\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0144.390] lstrlenA (lpString="abcd") returned 4 [0144.390] WriteFile (in: hFile=0x1d4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0144.391] CloseHandle (hObject=0x1d4) returned 1 [0144.391] GetProcessHeap () returned 0x4c0000 [0144.391] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c600f0 | out: hHeap=0x4c0000) returned 1 [0144.391] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb26740e0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb26740e0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x80696ec0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="parent.lock", cAlternateFileName="PARENT~1.LOC")) returned 1 [0144.391] lstrcmpiW (lpString1="parent.lock", lpString2="Windows") returned -1 [0144.391] lstrcmpiW (lpString1="parent.lock", lpString2="Program Files") returned -1 [0144.391] lstrcmpiW (lpString1="parent.lock", lpString2="Program Files (x86)") returned -1 [0144.391] lstrcmpiW (lpString1="parent.lock", lpString2="$Recycle.bin") returned 1 [0144.391] lstrcmpiW (lpString1="parent.lock", lpString2="System Volume Information") returned -1 [0144.391] lstrcmpiW (lpString1="parent.lock", lpString2=".") returned 1 [0144.391] lstrcmpiW (lpString1="parent.lock", lpString2="..") returned 1 [0144.391] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\parent.lock") returned 103 [0144.391] lstrcmpW (lpString1="parent.lock", lpString2="PUSSY.TXT") returned -1 [0144.391] PathFindExtensionW (pszPath="parent.lock") returned=".lock" [0144.391] lstrlenW (lpString=".lock") returned 5 [0144.391] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0144.391] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\parent.lock" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\parent.lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0144.454] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=0) returned 1 [0144.454] CloseHandle (hObject=0x120) returned 1 [0144.456] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb43eb830, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb43eb830, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xc3b3f6e0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="permissions.sqlite", cAlternateFileName="PERMIS~1.SQL")) returned 1 [0144.456] lstrcmpiW (lpString1="permissions.sqlite", lpString2="Windows") returned -1 [0144.456] lstrcmpiW (lpString1="permissions.sqlite", lpString2="Program Files") returned -1 [0144.456] lstrcmpiW (lpString1="permissions.sqlite", lpString2="Program Files (x86)") returned -1 [0144.456] lstrcmpiW (lpString1="permissions.sqlite", lpString2="$Recycle.bin") returned 1 [0144.456] lstrcmpiW (lpString1="permissions.sqlite", lpString2="System Volume Information") returned -1 [0144.456] lstrcmpiW (lpString1="permissions.sqlite", lpString2=".") returned 1 [0144.456] lstrcmpiW (lpString1="permissions.sqlite", lpString2="..") returned 1 [0144.456] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\permissions.sqlite") returned 110 [0144.456] lstrcmpW (lpString1="permissions.sqlite", lpString2="PUSSY.TXT") returned -1 [0144.456] PathFindExtensionW (pszPath="permissions.sqlite") returned=".sqlite" [0144.456] lstrlenW (lpString=".sqlite") returned 7 [0144.456] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0144.456] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\permissions.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\permissions.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0144.457] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=65536) returned 1 [0144.457] GetProcessHeap () returned 0x4c0000 [0144.457] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0144.468] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="87") returned 2 [0144.468] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="40") returned 2 [0144.468] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="C1") returned 2 [0144.468] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="37") returned 2 [0144.468] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="26") returned 2 [0144.468] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="6B") returned 2 [0144.468] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="B0") returned 2 [0144.468] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="46") returned 2 [0144.468] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="E4") returned 2 [0144.468] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="23") returned 2 [0144.468] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="C9") returned 2 [0144.468] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="A6") returned 2 [0144.468] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="B2") returned 2 [0144.468] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="18") returned 2 [0144.468] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="A9") returned 2 [0144.468] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="81") returned 2 [0144.468] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="72") returned 2 [0144.468] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="76") returned 2 [0144.468] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="68") returned 2 [0144.468] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="5B") returned 2 [0144.468] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="BE") returned 2 [0144.468] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="1A") returned 2 [0144.468] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="08") returned 2 [0144.469] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="4C") returned 2 [0144.469] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="79") returned 2 [0144.469] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="DB") returned 2 [0144.469] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="51") returned 2 [0144.469] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="53") returned 2 [0144.469] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="0B") returned 2 [0144.469] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="2F") returned 2 [0144.469] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="45") returned 2 [0144.469] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="3F") returned 2 [0144.478] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\permissions.sqlite" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\permissions.sqlite") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\permissions.sqlite" [0144.478] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\permissions.sqlite" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\permissions.sqlite") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\permissions.sqlite" [0144.478] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\permissions.sqlite", lpString2=".8740C137266BB046E423C9A6B218A9817276685BBE1A084C79DB51530B2F453F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\permissions.sqlite.8740C137266BB046E423C9A6B218A9817276685BBE1A084C79DB51530B2F453F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\permissions.sqlite.8740C137266BB046E423C9A6B218A9817276685BBE1A084C79DB51530B2F453F" [0144.478] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0144.478] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0144.478] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb4c1a3d0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb4c1a3d0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x82b58970, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0xa00000, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="places.sqlite", cAlternateFileName="PLACES~1.SQL")) returned 1 [0144.478] lstrcmpiW (lpString1="places.sqlite", lpString2="Windows") returned -1 [0144.479] lstrcmpiW (lpString1="places.sqlite", lpString2="Program Files") returned -1 [0144.479] lstrcmpiW (lpString1="places.sqlite", lpString2="Program Files (x86)") returned -1 [0144.479] lstrcmpiW (lpString1="places.sqlite", lpString2="$Recycle.bin") returned 1 [0144.479] lstrcmpiW (lpString1="places.sqlite", lpString2="System Volume Information") returned -1 [0144.479] lstrcmpiW (lpString1="places.sqlite", lpString2=".") returned 1 [0144.479] lstrcmpiW (lpString1="places.sqlite", lpString2="..") returned 1 [0144.479] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\places.sqlite") returned 105 [0144.479] lstrcmpW (lpString1="places.sqlite", lpString2="PUSSY.TXT") returned -1 [0144.479] PathFindExtensionW (pszPath="places.sqlite") returned=".sqlite" [0144.479] lstrlenW (lpString=".sqlite") returned 7 [0144.479] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0144.479] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\places.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\places.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x128 [0144.510] GetFileSizeEx (in: hFile=0x128, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=10485760) returned 1 [0144.510] GetProcessHeap () returned 0x4c0000 [0144.510] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0144.522] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="DC") returned 2 [0144.522] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="E5") returned 2 [0144.522] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="E1") returned 2 [0144.522] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="5F") returned 2 [0144.522] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="71") returned 2 [0144.522] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="AF") returned 2 [0144.522] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="BE") returned 2 [0144.522] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="05") returned 2 [0144.522] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="E9") returned 2 [0144.522] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="EC") returned 2 [0144.522] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="5E") returned 2 [0144.522] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="92") returned 2 [0144.522] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="55") returned 2 [0144.522] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="EF") returned 2 [0144.522] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="5F") returned 2 [0144.523] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="5F") returned 2 [0144.523] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="FB") returned 2 [0144.523] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="2F") returned 2 [0144.523] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="A3") returned 2 [0144.523] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="1C") returned 2 [0144.523] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="47") returned 2 [0144.523] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="96") returned 2 [0144.523] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="FD") returned 2 [0144.523] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="25") returned 2 [0144.523] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="03") returned 2 [0144.523] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="56") returned 2 [0144.523] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="DC") returned 2 [0144.523] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="A1") returned 2 [0144.523] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="BB") returned 2 [0144.523] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="A3") returned 2 [0144.523] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="EF") returned 2 [0144.523] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="6B") returned 2 [0144.531] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\places.sqlite" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\places.sqlite") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\places.sqlite" [0144.531] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\places.sqlite" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\places.sqlite") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\places.sqlite" [0144.531] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\places.sqlite", lpString2=".DCE5E15F71AFBE05E9EC5E9255EF5F5FFB2FA31C4796FD250356DCA1BBA3EF6B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\places.sqlite.DCE5E15F71AFBE05E9EC5E9255EF5F5FFB2FA31C4796FD250356DCA1BBA3EF6B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\places.sqlite.DCE5E15F71AFBE05E9EC5E9255EF5F5FFB2FA31C4796FD250356DCA1BBA3EF6B" [0144.531] CreateIoCompletionPort (FileHandle=0x128, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0144.531] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0144.532] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x81fbde30, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x81fbde30, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x81fbde30, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0xe14, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="pluginreg.dat", cAlternateFileName="PLUGIN~1.DAT")) returned 1 [0144.532] lstrcmpiW (lpString1="pluginreg.dat", lpString2="Windows") returned -1 [0144.532] lstrcmpiW (lpString1="pluginreg.dat", lpString2="Program Files") returned -1 [0144.532] lstrcmpiW (lpString1="pluginreg.dat", lpString2="Program Files (x86)") returned -1 [0144.532] lstrcmpiW (lpString1="pluginreg.dat", lpString2="$Recycle.bin") returned 1 [0144.532] lstrcmpiW (lpString1="pluginreg.dat", lpString2="System Volume Information") returned -1 [0144.532] lstrcmpiW (lpString1="pluginreg.dat", lpString2=".") returned 1 [0144.532] lstrcmpiW (lpString1="pluginreg.dat", lpString2="..") returned 1 [0144.532] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\pluginreg.dat") returned 105 [0144.532] lstrcmpW (lpString1="pluginreg.dat", lpString2="PUSSY.TXT") returned -1 [0144.532] PathFindExtensionW (pszPath="pluginreg.dat") returned=".dat" [0144.532] lstrlenW (lpString=".dat") returned 4 [0144.532] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0144.532] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\pluginreg.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\pluginreg.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0144.533] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=3604) returned 1 [0144.533] GetProcessHeap () returned 0x4c0000 [0144.533] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0144.542] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="E9") returned 2 [0144.542] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="23") returned 2 [0144.542] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="A5") returned 2 [0144.542] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="DB") returned 2 [0144.542] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="9A") returned 2 [0144.542] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="52") returned 2 [0144.542] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="A7") returned 2 [0144.542] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="CB") returned 2 [0144.542] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="5B") returned 2 [0144.542] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="91") returned 2 [0144.542] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="B7") returned 2 [0144.543] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="0A") returned 2 [0144.543] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="0A") returned 2 [0144.543] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="16") returned 2 [0144.543] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="5E") returned 2 [0144.543] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="70") returned 2 [0144.543] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="03") returned 2 [0144.543] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="28") returned 2 [0144.543] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="D0") returned 2 [0144.543] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="C6") returned 2 [0144.543] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="F3") returned 2 [0144.543] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="86") returned 2 [0144.543] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="39") returned 2 [0144.543] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="1C") returned 2 [0144.543] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="A6") returned 2 [0144.543] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="E8") returned 2 [0144.543] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="36") returned 2 [0144.543] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="53") returned 2 [0144.543] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="AC") returned 2 [0144.543] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="9B") returned 2 [0144.543] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="D4") returned 2 [0144.543] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="3C") returned 2 [0144.551] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\pluginreg.dat" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\pluginreg.dat") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\pluginreg.dat" [0144.551] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\pluginreg.dat" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\pluginreg.dat") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\pluginreg.dat" [0144.551] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\pluginreg.dat", lpString2=".E923A5DB9A52A7CB5B91B70A0A165E700328D0C6F386391CA6E83653AC9BD43C" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\pluginreg.dat.E923A5DB9A52A7CB5B91B70A0A165E700328D0C6F386391CA6E83653AC9BD43C") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\pluginreg.dat.E923A5DB9A52A7CB5B91B70A0A165E700328D0C6F386391CA6E83653AC9BD43C" [0144.551] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0144.551] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0144.552] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x84c85c10, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x853f60d0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x12069be0, ftLastWriteTime.dwHighDateTime=0x1d4d597, nFileSizeHigh=0x0, nFileSizeLow=0xfde, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="prefs.js", cAlternateFileName="")) returned 1 [0144.552] lstrcmpiW (lpString1="prefs.js", lpString2="Windows") returned -1 [0144.552] lstrcmpiW (lpString1="prefs.js", lpString2="Program Files") returned -1 [0144.552] lstrcmpiW (lpString1="prefs.js", lpString2="Program Files (x86)") returned -1 [0144.552] lstrcmpiW (lpString1="prefs.js", lpString2="$Recycle.bin") returned 1 [0144.552] lstrcmpiW (lpString1="prefs.js", lpString2="System Volume Information") returned -1 [0144.552] lstrcmpiW (lpString1="prefs.js", lpString2=".") returned 1 [0144.552] lstrcmpiW (lpString1="prefs.js", lpString2="..") returned 1 [0144.552] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\prefs.js") returned 100 [0144.552] lstrcmpW (lpString1="prefs.js", lpString2="PUSSY.TXT") returned -1 [0144.552] PathFindExtensionW (pszPath="prefs.js") returned=".js" [0144.552] lstrlenW (lpString=".js") returned 3 [0144.552] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0144.552] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\prefs.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\prefs.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0144.591] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=4062) returned 1 [0144.592] GetProcessHeap () returned 0x4c0000 [0144.592] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0144.601] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="79") returned 2 [0144.601] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="B6") returned 2 [0144.601] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="78") returned 2 [0144.601] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="27") returned 2 [0144.601] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="2E") returned 2 [0144.601] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="D0") returned 2 [0144.601] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="D7") returned 2 [0144.601] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="B3") returned 2 [0144.601] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="BB") returned 2 [0144.601] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="DD") returned 2 [0144.601] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="63") returned 2 [0144.602] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="AE") returned 2 [0144.602] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="32") returned 2 [0144.602] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="FB") returned 2 [0144.602] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="38") returned 2 [0144.602] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="3C") returned 2 [0144.602] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="22") returned 2 [0144.602] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="CE") returned 2 [0144.602] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="34") returned 2 [0144.602] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="5A") returned 2 [0144.602] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="C0") returned 2 [0144.602] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="B9") returned 2 [0144.602] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="37") returned 2 [0144.602] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="98") returned 2 [0144.602] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="2F") returned 2 [0144.602] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="12") returned 2 [0144.602] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="EE") returned 2 [0144.602] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="49") returned 2 [0144.602] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="B2") returned 2 [0144.602] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="64") returned 2 [0144.602] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="B1") returned 2 [0144.602] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="69") returned 2 [0144.610] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\prefs.js" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\prefs.js") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\prefs.js" [0144.610] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\prefs.js" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\prefs.js") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\prefs.js" [0144.610] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\prefs.js", lpString2=".79B678272ED0D7B3BBDD63AE32FB383C22CE345AC0B937982F12EE49B264B169" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\prefs.js.79B678272ED0D7B3BBDD63AE32FB383C22CE345AC0B937982F12EE49B264B169") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\prefs.js.79B678272ED0D7B3BBDD63AE32FB383C22CE345AC0B937982F12EE49B264B169" [0144.610] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0144.610] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0144.611] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb6fa8c70, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb6fa8c70, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb6fa8c70, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x4183, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="search.json", cAlternateFileName="SEARCH~1.JSO")) returned 1 [0144.611] lstrcmpiW (lpString1="search.json", lpString2="Windows") returned -1 [0144.611] lstrcmpiW (lpString1="search.json", lpString2="Program Files") returned 1 [0144.611] lstrcmpiW (lpString1="search.json", lpString2="Program Files (x86)") returned 1 [0144.611] lstrcmpiW (lpString1="search.json", lpString2="$Recycle.bin") returned 1 [0144.611] lstrcmpiW (lpString1="search.json", lpString2="System Volume Information") returned -1 [0144.611] lstrcmpiW (lpString1="search.json", lpString2=".") returned 1 [0144.611] lstrcmpiW (lpString1="search.json", lpString2="..") returned 1 [0144.611] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\search.json") returned 103 [0144.611] lstrcmpW (lpString1="search.json", lpString2="PUSSY.TXT") returned 1 [0144.611] PathFindExtensionW (pszPath="search.json") returned=".json" [0144.611] lstrlenW (lpString=".json") returned 5 [0144.611] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0144.611] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\search.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\search.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0144.620] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=16771) returned 1 [0144.620] GetProcessHeap () returned 0x4c0000 [0144.620] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0144.629] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="69") returned 2 [0144.629] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="19") returned 2 [0144.629] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="FC") returned 2 [0144.629] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="57") returned 2 [0144.629] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="82") returned 2 [0144.629] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="E3") returned 2 [0144.629] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="0B") returned 2 [0144.629] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="92") returned 2 [0144.629] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="58") returned 2 [0144.629] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="3A") returned 2 [0144.629] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="12") returned 2 [0144.629] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="98") returned 2 [0144.629] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="A6") returned 2 [0144.629] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="E3") returned 2 [0144.629] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="4A") returned 2 [0144.629] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="E1") returned 2 [0144.629] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="D4") returned 2 [0144.629] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="67") returned 2 [0144.629] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="9D") returned 2 [0144.629] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="B2") returned 2 [0144.629] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="7F") returned 2 [0144.629] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="EB") returned 2 [0144.629] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="11") returned 2 [0144.629] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="7B") returned 2 [0144.630] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="20") returned 2 [0144.630] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="A6") returned 2 [0144.630] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="B3") returned 2 [0144.630] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="4E") returned 2 [0144.630] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="ED") returned 2 [0144.630] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="23") returned 2 [0144.630] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="D5") returned 2 [0144.630] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="0C") returned 2 [0144.638] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\search.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\search.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\search.json" [0144.639] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\search.json" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\search.json") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\search.json" [0144.639] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\search.json", lpString2=".6919FC5782E30B92583A1298A6E34AE1D4679DB27FEB117B20A6B34EED23D50C" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\search.json.6919FC5782E30B92583A1298A6E34AE1D4679DB27FEB117B20A6B34EED23D50C") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\search.json.6919FC5782E30B92583A1298A6E34AE1D4679DB27FEB117B20A6B34EED23D50C" [0144.639] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0144.639] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0144.655] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb477d930, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb477d930, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb47c9bf0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="secmod.db", cAlternateFileName="")) returned 1 [0144.655] lstrcmpiW (lpString1="secmod.db", lpString2="Windows") returned -1 [0144.655] lstrcmpiW (lpString1="secmod.db", lpString2="Program Files") returned 1 [0144.655] lstrcmpiW (lpString1="secmod.db", lpString2="Program Files (x86)") returned 1 [0144.655] lstrcmpiW (lpString1="secmod.db", lpString2="$Recycle.bin") returned 1 [0144.655] lstrcmpiW (lpString1="secmod.db", lpString2="System Volume Information") returned -1 [0144.655] lstrcmpiW (lpString1="secmod.db", lpString2=".") returned 1 [0144.655] lstrcmpiW (lpString1="secmod.db", lpString2="..") returned 1 [0144.655] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\secmod.db") returned 101 [0144.655] lstrcmpW (lpString1="secmod.db", lpString2="PUSSY.TXT") returned 1 [0144.655] PathFindExtensionW (pszPath="secmod.db") returned=".db" [0144.655] lstrlenW (lpString=".db") returned 3 [0144.655] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0144.655] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\secmod.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\secmod.db"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d4 [0144.657] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=16384) returned 1 [0144.657] GetProcessHeap () returned 0x4c0000 [0144.657] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x553b30 [0144.666] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="37") returned 2 [0144.666] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="03") returned 2 [0144.666] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="E2") returned 2 [0144.666] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="E5") returned 2 [0144.666] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="99") returned 2 [0144.666] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="9E") returned 2 [0144.666] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="70") returned 2 [0144.666] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="12") returned 2 [0144.666] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="DA") returned 2 [0144.666] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="2D") returned 2 [0144.666] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="D4") returned 2 [0144.666] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="46") returned 2 [0144.666] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="E3") returned 2 [0144.666] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="16") returned 2 [0144.666] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="BC") returned 2 [0144.666] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="4A") returned 2 [0144.666] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="1A") returned 2 [0144.666] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="07") returned 2 [0144.666] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="DF") returned 2 [0144.666] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="EA") returned 2 [0144.666] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="AE") returned 2 [0144.666] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="BA") returned 2 [0144.666] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="9A") returned 2 [0144.666] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="5E") returned 2 [0144.667] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="4D") returned 2 [0144.667] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="DF") returned 2 [0144.667] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="F6") returned 2 [0144.667] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="5A") returned 2 [0144.667] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="4D") returned 2 [0144.667] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="58") returned 2 [0144.667] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="57") returned 2 [0144.667] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="3E") returned 2 [0144.675] lstrcpyW (in: lpString1=0x563b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\secmod.db" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\secmod.db") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\secmod.db" [0144.675] lstrcpyW (in: lpString1=0x553b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\secmod.db" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\secmod.db") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\secmod.db" [0144.675] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\secmod.db", lpString2=".3703E2E5999E7012DA2DD446E316BC4A1A07DFEAAEBA9A5E4DDFF65A4D58573E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\secmod.db.3703E2E5999E7012DA2DD446E316BC4A1A07DFEAAEBA9A5E4DDFF65A4D58573E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\secmod.db.3703E2E5999E7012DA2DD446E316BC4A1A07DFEAAEBA9A5E4DDFF65A4D58573E" [0144.675] CreateIoCompletionPort (FileHandle=0x1d4, ExistingCompletionPort=0x94, CompletionKey=0x553b30, NumberOfConcurrentThreads=0x0) returned 0x94 [0144.675] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x553b30, lpOverlapped=0x553b30) returned 1 [0144.675] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb82fff30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xc3787480, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xc3787480, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x3d6, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="sessionstore.bak", cAlternateFileName="SESSIO~1.BAK")) returned 1 [0144.675] lstrcmpiW (lpString1="sessionstore.bak", lpString2="Windows") returned -1 [0144.675] lstrcmpiW (lpString1="sessionstore.bak", lpString2="Program Files") returned 1 [0144.675] lstrcmpiW (lpString1="sessionstore.bak", lpString2="Program Files (x86)") returned 1 [0144.675] lstrcmpiW (lpString1="sessionstore.bak", lpString2="$Recycle.bin") returned 1 [0144.675] lstrcmpiW (lpString1="sessionstore.bak", lpString2="System Volume Information") returned -1 [0144.675] lstrcmpiW (lpString1="sessionstore.bak", lpString2=".") returned 1 [0144.675] lstrcmpiW (lpString1="sessionstore.bak", lpString2="..") returned 1 [0144.675] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.bak") returned 108 [0144.675] lstrcmpW (lpString1="sessionstore.bak", lpString2="PUSSY.TXT") returned 1 [0144.675] PathFindExtensionW (pszPath="sessionstore.bak") returned=".bak" [0144.675] lstrlenW (lpString=".bak") returned 4 [0144.675] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0144.675] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.bak" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\sessionstore.bak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0144.676] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=982) returned 1 [0144.677] GetProcessHeap () returned 0x4c0000 [0144.677] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b380a0 [0144.687] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="76") returned 2 [0144.687] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="78") returned 2 [0144.687] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="CA") returned 2 [0144.687] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="3A") returned 2 [0144.687] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="27") returned 2 [0144.687] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="D7") returned 2 [0144.687] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="5C") returned 2 [0144.687] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="BE") returned 2 [0144.687] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="0F") returned 2 [0144.687] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="DB") returned 2 [0144.687] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="2B") returned 2 [0144.687] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="69") returned 2 [0144.687] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="E5") returned 2 [0144.687] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="8D") returned 2 [0144.687] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="D1") returned 2 [0144.687] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="E7") returned 2 [0144.688] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="F2") returned 2 [0144.688] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="AA") returned 2 [0144.688] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="7E") returned 2 [0144.688] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="32") returned 2 [0144.688] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="F4") returned 2 [0144.688] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="FD") returned 2 [0144.688] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="6B") returned 2 [0144.688] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="AB") returned 2 [0144.688] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="18") returned 2 [0144.688] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="3C") returned 2 [0144.688] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="B3") returned 2 [0144.688] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="B0") returned 2 [0144.688] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="8D") returned 2 [0144.688] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="0B") returned 2 [0144.688] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="26") returned 2 [0144.688] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="23") returned 2 [0144.697] lstrcpyW (in: lpString1=0x3b480d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.bak" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.bak") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.bak" [0144.697] lstrcpyW (in: lpString1=0x3b380d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.bak" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.bak") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.bak" [0144.697] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.bak", lpString2=".7678CA3A27D75CBE0FDB2B69E58DD1E7F2AA7E32F4FD6BAB183CB3B08D0B2623" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.bak.7678CA3A27D75CBE0FDB2B69E58DD1E7F2AA7E32F4FD6BAB183CB3B08D0B2623") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.bak.7678CA3A27D75CBE0FDB2B69E58DD1E7F2AA7E32F4FD6BAB183CB3B08D0B2623" [0144.697] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x3b380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0144.697] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b380a0, lpOverlapped=0x3b380a0) returned 1 [0144.697] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb82fff30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x84e029d0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x84e029d0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0xbc5, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="sessionstore.js", cAlternateFileName="SESSIO~1.JS")) returned 1 [0144.697] lstrcmpiW (lpString1="sessionstore.js", lpString2="Windows") returned -1 [0144.697] lstrcmpiW (lpString1="sessionstore.js", lpString2="Program Files") returned 1 [0144.697] lstrcmpiW (lpString1="sessionstore.js", lpString2="Program Files (x86)") returned 1 [0144.697] lstrcmpiW (lpString1="sessionstore.js", lpString2="$Recycle.bin") returned 1 [0144.697] lstrcmpiW (lpString1="sessionstore.js", lpString2="System Volume Information") returned -1 [0144.697] lstrcmpiW (lpString1="sessionstore.js", lpString2=".") returned 1 [0144.697] lstrcmpiW (lpString1="sessionstore.js", lpString2="..") returned 1 [0144.698] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.js") returned 107 [0144.698] lstrcmpW (lpString1="sessionstore.js", lpString2="PUSSY.TXT") returned 1 [0144.698] PathFindExtensionW (pszPath="sessionstore.js") returned=".js" [0144.698] lstrlenW (lpString=".js") returned 3 [0144.698] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0144.698] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\sessionstore.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0144.699] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=3013) returned 1 [0144.699] GetProcessHeap () returned 0x4c0000 [0144.700] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b600f0 [0144.726] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="32") returned 2 [0144.726] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="8A") returned 2 [0144.726] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="88") returned 2 [0144.726] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="B7") returned 2 [0144.726] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="DD") returned 2 [0144.726] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="E1") returned 2 [0144.726] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="B1") returned 2 [0144.726] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="7F") returned 2 [0144.726] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="9E") returned 2 [0144.726] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="47") returned 2 [0144.726] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="47") returned 2 [0144.726] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="90") returned 2 [0144.726] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="30") returned 2 [0144.726] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="AA") returned 2 [0144.726] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="6C") returned 2 [0144.726] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="8A") returned 2 [0144.726] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="E1") returned 2 [0144.726] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="04") returned 2 [0144.726] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="E9") returned 2 [0144.726] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="C1") returned 2 [0144.726] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="22") returned 2 [0144.726] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="BD") returned 2 [0144.726] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="9B") returned 2 [0144.726] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="22") returned 2 [0144.726] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="81") returned 2 [0144.726] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="DD") returned 2 [0144.727] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="24") returned 2 [0144.727] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="C0") returned 2 [0144.727] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="DC") returned 2 [0144.727] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="36") returned 2 [0144.727] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="68") returned 2 [0144.727] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="5A") returned 2 [0144.735] lstrcpyW (in: lpString1=0x3b70124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.js" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.js") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.js" [0144.735] lstrcpyW (in: lpString1=0x3b60124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.js" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.js") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.js" [0144.735] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.js", lpString2=".328A88B7DDE1B17F9E47479030AA6C8AE104E9C122BD9B2281DD24C0DC36685A" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.js.328A88B7DDE1B17F9E47479030AA6C8AE104E9C122BD9B2281DD24C0DC36685A") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.js.328A88B7DDE1B17F9E47479030AA6C8AE104E9C122BD9B2281DD24C0DC36685A" [0144.735] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x3b600f0, NumberOfConcurrentThreads=0x0) returned 0x94 [0144.735] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b600f0, lpOverlapped=0x3b600f0) returned 1 [0144.741] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb66495d0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb66495d0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb6f36850, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x50000, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="signons.sqlite", cAlternateFileName="SIGNON~1.SQL")) returned 1 [0144.741] lstrcmpiW (lpString1="signons.sqlite", lpString2="Windows") returned -1 [0144.741] lstrcmpiW (lpString1="signons.sqlite", lpString2="Program Files") returned 1 [0144.741] lstrcmpiW (lpString1="signons.sqlite", lpString2="Program Files (x86)") returned 1 [0144.741] lstrcmpiW (lpString1="signons.sqlite", lpString2="$Recycle.bin") returned 1 [0144.741] lstrcmpiW (lpString1="signons.sqlite", lpString2="System Volume Information") returned -1 [0144.741] lstrcmpiW (lpString1="signons.sqlite", lpString2=".") returned 1 [0144.741] lstrcmpiW (lpString1="signons.sqlite", lpString2="..") returned 1 [0144.741] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\signons.sqlite") returned 106 [0144.741] lstrcmpW (lpString1="signons.sqlite", lpString2="PUSSY.TXT") returned 1 [0144.741] PathFindExtensionW (pszPath="signons.sqlite") returned=".sqlite" [0144.741] lstrlenW (lpString=".sqlite") returned 7 [0144.741] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0144.742] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\signons.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\signons.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0144.742] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=327680) returned 1 [0144.742] GetProcessHeap () returned 0x4c0000 [0144.742] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b600f0 [0144.759] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="C6") returned 2 [0144.759] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="CD") returned 2 [0144.759] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="9C") returned 2 [0144.759] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="B8") returned 2 [0144.759] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="96") returned 2 [0144.759] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="00") returned 2 [0144.759] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="9C") returned 2 [0144.759] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="63") returned 2 [0144.759] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="C5") returned 2 [0144.759] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="A9") returned 2 [0144.759] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="EA") returned 2 [0144.759] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="D9") returned 2 [0144.759] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="FC") returned 2 [0144.759] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="F4") returned 2 [0144.759] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="18") returned 2 [0144.759] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="AC") returned 2 [0144.759] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="BD") returned 2 [0144.759] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="84") returned 2 [0144.759] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="22") returned 2 [0144.759] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="49") returned 2 [0144.759] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="36") returned 2 [0144.759] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="AD") returned 2 [0144.760] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="72") returned 2 [0144.760] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="55") returned 2 [0144.760] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="7F") returned 2 [0144.760] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="20") returned 2 [0144.760] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="20") returned 2 [0144.760] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="7F") returned 2 [0144.760] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="2C") returned 2 [0144.760] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="2C") returned 2 [0144.760] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="BE") returned 2 [0144.760] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="14") returned 2 [0144.769] lstrcpyW (in: lpString1=0x3b70124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\signons.sqlite" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\signons.sqlite") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\signons.sqlite" [0144.769] lstrcpyW (in: lpString1=0x3b60124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\signons.sqlite" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\signons.sqlite") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\signons.sqlite" [0144.769] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\signons.sqlite", lpString2=".C6CD9CB896009C63C5A9EAD9FCF418ACBD84224936AD72557F20207F2C2CBE14" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\signons.sqlite.C6CD9CB896009C63C5A9EAD9FCF418ACBD84224936AD72557F20207F2C2CBE14") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\signons.sqlite.C6CD9CB896009C63C5A9EAD9FCF418ACBD84224936AD72557F20207F2C2CBE14" [0144.769] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x3b600f0, NumberOfConcurrentThreads=0x0) returned 0x94 [0144.769] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b600f0, lpOverlapped=0x3b600f0) returned 1 [0144.769] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb26740e0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb26740e0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb26740e0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x1d, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="times.json", cAlternateFileName="TIMES~1.JSO")) returned 1 [0144.769] lstrcmpiW (lpString1="times.json", lpString2="Windows") returned -1 [0144.769] lstrcmpiW (lpString1="times.json", lpString2="Program Files") returned 1 [0144.770] lstrcmpiW (lpString1="times.json", lpString2="Program Files (x86)") returned 1 [0144.770] lstrcmpiW (lpString1="times.json", lpString2="$Recycle.bin") returned 1 [0144.770] lstrcmpiW (lpString1="times.json", lpString2="System Volume Information") returned 1 [0144.770] lstrcmpiW (lpString1="times.json", lpString2=".") returned 1 [0144.770] lstrcmpiW (lpString1="times.json", lpString2="..") returned 1 [0144.827] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\times.json") returned 102 [0144.827] lstrcmpW (lpString1="times.json", lpString2="PUSSY.TXT") returned 1 [0144.827] PathFindExtensionW (pszPath="times.json") returned=".json" [0144.827] lstrlenW (lpString=".json") returned 5 [0144.827] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0144.827] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\times.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\times.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0144.853] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=29) returned 1 [0144.853] CloseHandle (hObject=0x120) returned 1 [0144.853] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb4f60210, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x80d71510, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x80d71510, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="webapps", cAlternateFileName="")) returned 1 [0144.853] lstrcmpiW (lpString1="webapps", lpString2="Windows") returned -1 [0144.853] lstrcmpiW (lpString1="webapps", lpString2="Program Files") returned 1 [0144.853] lstrcmpiW (lpString1="webapps", lpString2="Program Files (x86)") returned 1 [0144.853] lstrcmpiW (lpString1="webapps", lpString2="$Recycle.bin") returned 1 [0144.853] lstrcmpiW (lpString1="webapps", lpString2="System Volume Information") returned 1 [0144.853] lstrcmpiW (lpString1="webapps", lpString2=".") returned 1 [0144.853] lstrcmpiW (lpString1="webapps", lpString2="..") returned 1 [0144.853] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webapps") returned 99 [0144.853] GetProcessHeap () returned 0x4c0000 [0144.853] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c600f0 [0144.854] lstrcpyW (in: lpString1=0x3c600f0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webapps" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webapps") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webapps" [0144.854] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webapps", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webapps\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webapps\\*" [0144.854] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webapps\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb4f60210, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x80d71510, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x80d71510, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0144.856] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0144.856] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0144.856] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0144.856] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0144.856] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0144.856] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0144.856] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb4f60210, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x80d71510, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x80d71510, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0144.856] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0144.856] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0144.856] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0144.856] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0144.856] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0144.856] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0144.856] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0144.856] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80cff0f0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x80cff0f0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x80cff0f0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x2, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="webapps.json", cAlternateFileName="WEBAPP~1.JSO")) returned 1 [0144.856] lstrcmpiW (lpString1="webapps.json", lpString2="Windows") returned -1 [0144.856] lstrcmpiW (lpString1="webapps.json", lpString2="Program Files") returned 1 [0144.856] lstrcmpiW (lpString1="webapps.json", lpString2="Program Files (x86)") returned 1 [0144.856] lstrcmpiW (lpString1="webapps.json", lpString2="$Recycle.bin") returned 1 [0144.856] lstrcmpiW (lpString1="webapps.json", lpString2="System Volume Information") returned 1 [0144.857] lstrcmpiW (lpString1="webapps.json", lpString2=".") returned 1 [0144.857] lstrcmpiW (lpString1="webapps.json", lpString2="..") returned 1 [0144.857] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webapps\\webapps.json") returned 112 [0144.857] lstrcmpW (lpString1="webapps.json", lpString2="PUSSY.TXT") returned 1 [0144.857] PathFindExtensionW (pszPath="webapps.json") returned=".json" [0144.857] lstrlenW (lpString=".json") returned 5 [0144.857] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0144.857] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webapps\\webapps.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\webapps\\webapps.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x128 [0144.858] GetFileSizeEx (in: hFile=0x128, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=2) returned 1 [0144.858] CloseHandle (hObject=0x128) returned 1 [0144.858] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80cff0f0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x80cff0f0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x80cff0f0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x2, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="webapps.json", cAlternateFileName="WEBAPP~1.JSO")) returned 0 [0144.858] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0144.858] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webapps\\PUSSY.TXT") returned 109 [0144.858] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webapps\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\webapps\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x120 [0144.859] lstrlenA (lpString="abcd") returned 4 [0144.859] WriteFile (in: hFile=0x120, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0144.860] CloseHandle (hObject=0x120) returned 1 [0144.860] GetProcessHeap () returned 0x4c0000 [0144.860] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c600f0 | out: hHeap=0x4c0000) returned 1 [0144.860] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb66495d0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb66495d0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xc3a63b40, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x18000, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="webappsstore.sqlite", cAlternateFileName="WEBAPP~1.SQL")) returned 1 [0144.860] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="Windows") returned -1 [0144.860] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="Program Files") returned 1 [0144.860] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="Program Files (x86)") returned 1 [0144.860] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="$Recycle.bin") returned 1 [0144.860] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="System Volume Information") returned 1 [0144.860] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2=".") returned 1 [0144.861] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="..") returned 1 [0144.861] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webappsstore.sqlite") returned 111 [0144.861] lstrcmpW (lpString1="webappsstore.sqlite", lpString2="PUSSY.TXT") returned 1 [0144.861] PathFindExtensionW (pszPath="webappsstore.sqlite") returned=".sqlite" [0144.861] lstrlenW (lpString=".sqlite") returned 7 [0144.861] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0144.861] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webappsstore.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\webappsstore.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0144.862] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=98304) returned 1 [0144.862] GetProcessHeap () returned 0x4c0000 [0144.862] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0144.951] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="8D") returned 2 [0144.951] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="1F") returned 2 [0144.951] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="C8") returned 2 [0144.951] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="BE") returned 2 [0144.951] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="77") returned 2 [0144.951] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="DB") returned 2 [0144.951] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="48") returned 2 [0144.951] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="EE") returned 2 [0144.951] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="BD") returned 2 [0144.951] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="A2") returned 2 [0144.951] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="38") returned 2 [0144.951] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="9C") returned 2 [0144.951] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="D0") returned 2 [0144.951] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="F7") returned 2 [0144.951] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="DA") returned 2 [0144.951] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="80") returned 2 [0144.951] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="9B") returned 2 [0144.951] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="8E") returned 2 [0144.951] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="D6") returned 2 [0144.951] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="F2") returned 2 [0144.951] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="72") returned 2 [0144.951] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="79") returned 2 [0144.952] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="3A") returned 2 [0144.952] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="9F") returned 2 [0144.952] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="C5") returned 2 [0144.952] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="D4") returned 2 [0144.952] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="0B") returned 2 [0144.952] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="0A") returned 2 [0144.952] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="08") returned 2 [0144.952] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="A1") returned 2 [0144.952] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="54") returned 2 [0144.952] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="66") returned 2 [0144.964] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webappsstore.sqlite" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webappsstore.sqlite") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webappsstore.sqlite" [0144.965] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webappsstore.sqlite" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webappsstore.sqlite") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webappsstore.sqlite" [0144.965] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webappsstore.sqlite", lpString2=".8D1FC8BE77DB48EEBDA2389CD0F7DA809B8ED6F272793A9FC5D40B0A08A15466" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webappsstore.sqlite.8D1FC8BE77DB48EEBDA2389CD0F7DA809B8ED6F272793A9FC5D40B0A08A15466") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webappsstore.sqlite.8D1FC8BE77DB48EEBDA2389CD0F7DA809B8ED6F272793A9FC5D40B0A08A15466" [0144.965] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0144.965] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0144.965] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb66495d0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb66495d0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xc3a63b40, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x18000, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="webappsstore.sqlite", cAlternateFileName="WEBAPP~1.SQL")) returned 0 [0144.965] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0144.966] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\PUSSY.TXT") returned 101 [0145.013] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0145.014] lstrlenA (lpString="abcd") returned 4 [0145.014] WriteFile (in: hFile=0x180, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0145.015] CloseHandle (hObject=0x180) returned 1 [0145.016] GetProcessHeap () returned 0x4c0000 [0145.016] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0145.023] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb264df80, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x85442390, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x85442390, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="silmbjec.default", cAlternateFileName="SILMBJ~1.DEF")) returned 0 [0145.023] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0145.023] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\PUSSY.TXT") returned 84 [0145.023] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x124 [0145.024] lstrlenA (lpString="abcd") returned 4 [0145.024] WriteFile (in: hFile=0x124, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0145.026] CloseHandle (hObject=0x124) returned 1 [0145.026] GetProcessHeap () returned 0x4c0000 [0145.026] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0145.026] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb26740e0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb26740e0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb26740e0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x6f, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="profiles.ini", cAlternateFileName="")) returned 1 [0145.026] lstrcmpiW (lpString1="profiles.ini", lpString2="Windows") returned -1 [0145.026] lstrcmpiW (lpString1="profiles.ini", lpString2="Program Files") returned -1 [0145.026] lstrcmpiW (lpString1="profiles.ini", lpString2="Program Files (x86)") returned -1 [0145.026] lstrcmpiW (lpString1="profiles.ini", lpString2="$Recycle.bin") returned 1 [0145.026] lstrcmpiW (lpString1="profiles.ini", lpString2="System Volume Information") returned -1 [0145.026] lstrcmpiW (lpString1="profiles.ini", lpString2=".") returned 1 [0145.026] lstrcmpiW (lpString1="profiles.ini", lpString2="..") returned 1 [0145.026] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini") returned 78 [0145.026] lstrcmpW (lpString1="profiles.ini", lpString2="PUSSY.TXT") returned -1 [0145.026] PathFindExtensionW (pszPath="profiles.ini") returned=".ini" [0145.026] lstrlenW (lpString=".ini") returned 4 [0145.026] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0145.027] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x124 [0145.028] GetFileSizeEx (in: hFile=0x124, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=111) returned 1 [0145.028] CloseHandle (hObject=0x124) returned 1 [0145.028] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb26740e0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb26740e0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb26740e0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x6f, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="profiles.ini", cAlternateFileName="")) returned 0 [0145.028] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0145.028] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\PUSSY.TXT") returned 75 [0145.028] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0145.029] lstrlenA (lpString="abcd") returned 4 [0145.029] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0145.030] CloseHandle (hObject=0x184) returned 1 [0145.030] GetProcessHeap () returned 0x4c0000 [0145.030] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0145.030] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb264df80, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb26740e0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb26740e0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Firefox", cAlternateFileName="")) returned 0 [0145.031] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0145.031] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\PUSSY.TXT") returned 67 [0145.031] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0145.031] lstrlenA (lpString="abcd") returned 4 [0145.032] WriteFile (in: hFile=0x1b8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0145.032] CloseHandle (hObject=0x1b8) returned 1 [0145.033] GetProcessHeap () returned 0x4c0000 [0145.033] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0145.034] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x822f980, ftCreationTime.dwHighDateTime=0x1d5debe, ftLastAccessTime.dwLowDateTime=0xb5d0caa0, ftLastAccessTime.dwHighDateTime=0x1d5df43, ftLastWriteTime.dwLowDateTime=0xb5d0caa0, ftLastWriteTime.dwHighDateTime=0x1d5df43, nFileSizeHigh=0x0, nFileSizeLow=0x1268b, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="Njvdz.mkv", cAlternateFileName="")) returned 1 [0145.034] lstrcmpiW (lpString1="Njvdz.mkv", lpString2="Windows") returned -1 [0145.034] lstrcmpiW (lpString1="Njvdz.mkv", lpString2="Program Files") returned -1 [0145.034] lstrcmpiW (lpString1="Njvdz.mkv", lpString2="Program Files (x86)") returned -1 [0145.034] lstrcmpiW (lpString1="Njvdz.mkv", lpString2="$Recycle.bin") returned 1 [0145.034] lstrcmpiW (lpString1="Njvdz.mkv", lpString2="System Volume Information") returned -1 [0145.034] lstrcmpiW (lpString1="Njvdz.mkv", lpString2=".") returned 1 [0145.034] lstrcmpiW (lpString1="Njvdz.mkv", lpString2="..") returned 1 [0145.034] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Njvdz.mkv") returned 59 [0145.034] lstrcmpW (lpString1="Njvdz.mkv", lpString2="PUSSY.TXT") returned -1 [0145.034] PathFindExtensionW (pszPath="Njvdz.mkv") returned=".mkv" [0145.034] lstrlenW (lpString=".mkv") returned 4 [0145.034] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0145.034] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Njvdz.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\njvdz.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0145.036] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=75403) returned 1 [0145.036] GetProcessHeap () returned 0x4c0000 [0145.036] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b600f0 [0145.051] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="DA") returned 2 [0145.051] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="FB") returned 2 [0145.051] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="15") returned 2 [0145.051] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="45") returned 2 [0145.051] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="CF") returned 2 [0145.051] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="9A") returned 2 [0145.052] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="08") returned 2 [0145.052] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="D7") returned 2 [0145.052] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="B1") returned 2 [0145.052] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="F6") returned 2 [0145.052] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="24") returned 2 [0145.052] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="C1") returned 2 [0145.052] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="E6") returned 2 [0145.052] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="D5") returned 2 [0145.052] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="B5") returned 2 [0145.052] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="C8") returned 2 [0145.052] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="72") returned 2 [0145.052] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="28") returned 2 [0145.052] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="83") returned 2 [0145.052] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="50") returned 2 [0145.052] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="B7") returned 2 [0145.052] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="CE") returned 2 [0145.052] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="4B") returned 2 [0145.052] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="8D") returned 2 [0145.052] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="A9") returned 2 [0145.052] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="C1") returned 2 [0145.052] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="B8") returned 2 [0145.052] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="DC") returned 2 [0145.052] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="CE") returned 2 [0145.053] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="98") returned 2 [0145.053] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="FC") returned 2 [0145.053] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="6C") returned 2 [0145.065] lstrcpyW (in: lpString1=0x3b70124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Njvdz.mkv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Njvdz.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Njvdz.mkv" [0145.065] lstrcpyW (in: lpString1=0x3b60124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Njvdz.mkv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Njvdz.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Njvdz.mkv" [0145.065] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Njvdz.mkv", lpString2=".DAFB1545CF9A08D7B1F624C1E6D5B5C872288350B7CE4B8DA9C1B8DCCE98FC6C" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Njvdz.mkv.DAFB1545CF9A08D7B1F624C1E6D5B5C872288350B7CE4B8DA9C1B8DCCE98FC6C") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Njvdz.mkv.DAFB1545CF9A08D7B1F624C1E6D5B5C872288350B7CE4B8DA9C1B8DCCE98FC6C" [0145.066] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x3b600f0, NumberOfConcurrentThreads=0x0) returned 0x94 [0145.066] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b600f0, lpOverlapped=0x3b600f0) returned 1 [0145.111] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x22c1f460, ftCreationTime.dwHighDateTime=0x1d5dc6d, ftLastAccessTime.dwLowDateTime=0x3c274870, ftLastAccessTime.dwHighDateTime=0x1d5e20c, ftLastWriteTime.dwLowDateTime=0x3c274870, ftLastWriteTime.dwHighDateTime=0x1d5e20c, nFileSizeHigh=0x0, nFileSizeLow=0xd4d2, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="nx8 nCvL3_8XSM.m4a", cAlternateFileName="NX8NCV~1.M4A")) returned 1 [0145.111] lstrcmpiW (lpString1="nx8 nCvL3_8XSM.m4a", lpString2="Windows") returned -1 [0145.111] lstrcmpiW (lpString1="nx8 nCvL3_8XSM.m4a", lpString2="Program Files") returned -1 [0145.111] lstrcmpiW (lpString1="nx8 nCvL3_8XSM.m4a", lpString2="Program Files (x86)") returned -1 [0145.111] lstrcmpiW (lpString1="nx8 nCvL3_8XSM.m4a", lpString2="$Recycle.bin") returned 1 [0145.111] lstrcmpiW (lpString1="nx8 nCvL3_8XSM.m4a", lpString2="System Volume Information") returned -1 [0145.112] lstrcmpiW (lpString1="nx8 nCvL3_8XSM.m4a", lpString2=".") returned 1 [0145.112] lstrcmpiW (lpString1="nx8 nCvL3_8XSM.m4a", lpString2="..") returned 1 [0145.112] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\nx8 nCvL3_8XSM.m4a") returned 68 [0145.112] lstrcmpW (lpString1="nx8 nCvL3_8XSM.m4a", lpString2="PUSSY.TXT") returned -1 [0145.112] PathFindExtensionW (pszPath="nx8 nCvL3_8XSM.m4a") returned=".m4a" [0145.112] lstrlenW (lpString=".m4a") returned 4 [0145.112] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0145.112] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\nx8 nCvL3_8XSM.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\nx8 ncvl3_8xsm.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0145.113] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=54482) returned 1 [0145.113] GetProcessHeap () returned 0x4c0000 [0145.113] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b600f0 [0145.126] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="E2") returned 2 [0145.126] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="81") returned 2 [0145.126] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="E5") returned 2 [0145.126] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="B0") returned 2 [0145.126] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="9F") returned 2 [0145.126] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="73") returned 2 [0145.126] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="45") returned 2 [0145.126] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="E8") returned 2 [0145.126] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="31") returned 2 [0145.126] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="8C") returned 2 [0145.126] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="5A") returned 2 [0145.127] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="90") returned 2 [0145.127] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="E3") returned 2 [0145.127] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="19") returned 2 [0145.127] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="48") returned 2 [0145.127] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="9F") returned 2 [0145.127] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="7E") returned 2 [0145.127] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="46") returned 2 [0145.127] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="24") returned 2 [0145.127] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="4F") returned 2 [0145.127] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="73") returned 2 [0145.127] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="28") returned 2 [0145.127] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="23") returned 2 [0145.127] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="EB") returned 2 [0145.127] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="DA") returned 2 [0145.127] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="C6") returned 2 [0145.127] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="BE") returned 2 [0145.127] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="E6") returned 2 [0145.127] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="66") returned 2 [0145.127] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="6B") returned 2 [0145.127] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="4E") returned 2 [0145.127] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="79") returned 2 [0145.140] lstrcpyW (in: lpString1=0x3b70124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\nx8 nCvL3_8XSM.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\nx8 nCvL3_8XSM.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\nx8 nCvL3_8XSM.m4a" [0145.140] lstrcpyW (in: lpString1=0x3b60124, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\nx8 nCvL3_8XSM.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\nx8 nCvL3_8XSM.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\nx8 nCvL3_8XSM.m4a" [0145.140] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\nx8 nCvL3_8XSM.m4a", lpString2=".E281E5B09F7345E8318C5A90E319489F7E46244F732823EBDAC6BEE6666B4E79" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\nx8 nCvL3_8XSM.m4a.E281E5B09F7345E8318C5A90E319489F7E46244F732823EBDAC6BEE6666B4E79") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\nx8 nCvL3_8XSM.m4a.E281E5B09F7345E8318C5A90E319489F7E46244F732823EBDAC6BEE6666B4E79" [0145.140] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x3b600f0, NumberOfConcurrentThreads=0x0) returned 0x94 [0145.140] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b600f0, lpOverlapped=0x3b600f0) returned 1 [0145.249] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x67bfa080, ftCreationTime.dwHighDateTime=0x1d5e60e, ftLastAccessTime.dwLowDateTime=0x8e12eb80, ftLastAccessTime.dwHighDateTime=0x1d5da6e, ftLastWriteTime.dwLowDateTime=0x8e12eb80, ftLastWriteTime.dwHighDateTime=0x1d5da6e, nFileSizeHigh=0x0, nFileSizeLow=0x106df, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="p4hvEdXOtYB-x oYdAN.m4a", cAlternateFileName="P4HVED~1.M4A")) returned 1 [0145.250] lstrcmpiW (lpString1="p4hvEdXOtYB-x oYdAN.m4a", lpString2="Windows") returned -1 [0145.250] lstrcmpiW (lpString1="p4hvEdXOtYB-x oYdAN.m4a", lpString2="Program Files") returned -1 [0145.250] lstrcmpiW (lpString1="p4hvEdXOtYB-x oYdAN.m4a", lpString2="Program Files (x86)") returned -1 [0145.250] lstrcmpiW (lpString1="p4hvEdXOtYB-x oYdAN.m4a", lpString2="$Recycle.bin") returned 1 [0145.250] lstrcmpiW (lpString1="p4hvEdXOtYB-x oYdAN.m4a", lpString2="System Volume Information") returned -1 [0145.250] lstrcmpiW (lpString1="p4hvEdXOtYB-x oYdAN.m4a", lpString2=".") returned 1 [0145.250] lstrcmpiW (lpString1="p4hvEdXOtYB-x oYdAN.m4a", lpString2="..") returned 1 [0145.250] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\p4hvEdXOtYB-x oYdAN.m4a") returned 73 [0145.250] lstrcmpW (lpString1="p4hvEdXOtYB-x oYdAN.m4a", lpString2="PUSSY.TXT") returned -1 [0145.250] PathFindExtensionW (pszPath="p4hvEdXOtYB-x oYdAN.m4a") returned=".m4a" [0145.250] lstrlenW (lpString=".m4a") returned 4 [0145.250] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0145.250] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\p4hvEdXOtYB-x oYdAN.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\p4hvedxotyb-x oydan.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0145.251] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=67295) returned 1 [0145.251] GetProcessHeap () returned 0x4c0000 [0145.251] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0145.267] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="42") returned 2 [0145.267] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="F8") returned 2 [0145.267] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="93") returned 2 [0145.267] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="A9") returned 2 [0145.267] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="88") returned 2 [0145.267] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="E1") returned 2 [0145.267] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="79") returned 2 [0145.267] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="CB") returned 2 [0145.267] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="55") returned 2 [0145.267] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="E2") returned 2 [0145.267] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="15") returned 2 [0145.267] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="FD") returned 2 [0145.267] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="F5") returned 2 [0145.267] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="25") returned 2 [0145.267] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="26") returned 2 [0145.267] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="1B") returned 2 [0145.267] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="DF") returned 2 [0145.267] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="74") returned 2 [0145.267] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="C2") returned 2 [0145.267] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="D6") returned 2 [0145.267] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="95") returned 2 [0145.267] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="67") returned 2 [0145.267] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="12") returned 2 [0145.268] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="39") returned 2 [0145.268] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="1E") returned 2 [0145.268] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="42") returned 2 [0145.268] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="A5") returned 2 [0145.268] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="24") returned 2 [0145.268] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="0E") returned 2 [0145.268] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="1A") returned 2 [0145.268] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="BB") returned 2 [0145.268] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="69") returned 2 [0145.281] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\p4hvEdXOtYB-x oYdAN.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\p4hvEdXOtYB-x oYdAN.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\p4hvEdXOtYB-x oYdAN.m4a" [0145.281] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\p4hvEdXOtYB-x oYdAN.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\p4hvEdXOtYB-x oYdAN.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\p4hvEdXOtYB-x oYdAN.m4a" [0145.281] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\p4hvEdXOtYB-x oYdAN.m4a", lpString2=".42F893A988E179CB55E215FDF525261BDF74C2D6956712391E42A5240E1ABB69" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\p4hvEdXOtYB-x oYdAN.m4a.42F893A988E179CB55E215FDF525261BDF74C2D6956712391E42A5240E1ABB69") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\p4hvEdXOtYB-x oYdAN.m4a.42F893A988E179CB55E215FDF525261BDF74C2D6956712391E42A5240E1ABB69" [0145.281] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0145.281] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0145.313] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa5369660, ftCreationTime.dwHighDateTime=0x1d5e683, ftLastAccessTime.dwLowDateTime=0x19126b60, ftLastAccessTime.dwHighDateTime=0x1d5e0ce, ftLastWriteTime.dwLowDateTime=0x19126b60, ftLastWriteTime.dwHighDateTime=0x1d5e0ce, nFileSizeHigh=0x0, nFileSizeLow=0x17652, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="pCtsa_FSOttrlc8t8s9.wav", cAlternateFileName="PCTSA_~1.WAV")) returned 1 [0145.313] lstrcmpiW (lpString1="pCtsa_FSOttrlc8t8s9.wav", lpString2="Windows") returned -1 [0145.313] lstrcmpiW (lpString1="pCtsa_FSOttrlc8t8s9.wav", lpString2="Program Files") returned -1 [0145.313] lstrcmpiW (lpString1="pCtsa_FSOttrlc8t8s9.wav", lpString2="Program Files (x86)") returned -1 [0145.313] lstrcmpiW (lpString1="pCtsa_FSOttrlc8t8s9.wav", lpString2="$Recycle.bin") returned 1 [0145.313] lstrcmpiW (lpString1="pCtsa_FSOttrlc8t8s9.wav", lpString2="System Volume Information") returned -1 [0145.313] lstrcmpiW (lpString1="pCtsa_FSOttrlc8t8s9.wav", lpString2=".") returned 1 [0145.313] lstrcmpiW (lpString1="pCtsa_FSOttrlc8t8s9.wav", lpString2="..") returned 1 [0145.313] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\pCtsa_FSOttrlc8t8s9.wav") returned 73 [0145.313] lstrcmpW (lpString1="pCtsa_FSOttrlc8t8s9.wav", lpString2="PUSSY.TXT") returned -1 [0145.313] PathFindExtensionW (pszPath="pCtsa_FSOttrlc8t8s9.wav") returned=".wav" [0145.313] lstrlenW (lpString=".wav") returned 4 [0145.313] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0145.313] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\pCtsa_FSOttrlc8t8s9.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\pctsa_fsottrlc8t8s9.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0145.315] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=95826) returned 1 [0145.315] GetProcessHeap () returned 0x4c0000 [0145.315] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x553b30 [0145.328] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="F3") returned 2 [0145.328] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="BE") returned 2 [0145.328] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="18") returned 2 [0145.328] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="B4") returned 2 [0145.328] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="5E") returned 2 [0145.328] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="F3") returned 2 [0145.328] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="6D") returned 2 [0145.328] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="7D") returned 2 [0145.328] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="FB") returned 2 [0145.328] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="25") returned 2 [0145.328] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="81") returned 2 [0145.328] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="B0") returned 2 [0145.328] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="81") returned 2 [0145.328] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="18") returned 2 [0145.328] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="C6") returned 2 [0145.328] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="57") returned 2 [0145.328] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="7A") returned 2 [0145.328] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="F5") returned 2 [0145.328] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="2A") returned 2 [0145.329] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="52") returned 2 [0145.329] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="DA") returned 2 [0145.329] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="D9") returned 2 [0145.329] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="43") returned 2 [0145.329] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="C0") returned 2 [0145.329] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="50") returned 2 [0145.329] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="92") returned 2 [0145.329] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="FD") returned 2 [0145.329] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="03") returned 2 [0145.329] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="45") returned 2 [0145.329] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="89") returned 2 [0145.329] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="F5") returned 2 [0145.329] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="45") returned 2 [0145.337] lstrcpyW (in: lpString1=0x563b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\pCtsa_FSOttrlc8t8s9.wav" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\pCtsa_FSOttrlc8t8s9.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\pCtsa_FSOttrlc8t8s9.wav" [0145.337] lstrcpyW (in: lpString1=0x553b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\pCtsa_FSOttrlc8t8s9.wav" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\pCtsa_FSOttrlc8t8s9.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\pCtsa_FSOttrlc8t8s9.wav" [0145.337] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\pCtsa_FSOttrlc8t8s9.wav", lpString2=".F3BE18B45EF36D7DFB2581B08118C6577AF52A52DAD943C05092FD034589F545" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\pCtsa_FSOttrlc8t8s9.wav.F3BE18B45EF36D7DFB2581B08118C6577AF52A52DAD943C05092FD034589F545") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\pCtsa_FSOttrlc8t8s9.wav.F3BE18B45EF36D7DFB2581B08118C6577AF52A52DAD943C05092FD034589F545" [0145.338] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x553b30, NumberOfConcurrentThreads=0x0) returned 0x94 [0145.338] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x553b30, lpOverlapped=0x553b30) returned 1 [0145.371] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb130b010, ftCreationTime.dwHighDateTime=0x1d5e65e, ftLastAccessTime.dwLowDateTime=0x9bf54820, ftLastAccessTime.dwHighDateTime=0x1d5e026, ftLastWriteTime.dwLowDateTime=0x9bf54820, ftLastWriteTime.dwHighDateTime=0x1d5e026, nFileSizeHigh=0x0, nFileSizeLow=0x13a31, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="PYGzua5OAZBGc.avi", cAlternateFileName="PYGZUA~1.AVI")) returned 1 [0145.371] lstrcmpiW (lpString1="PYGzua5OAZBGc.avi", lpString2="Windows") returned -1 [0145.371] lstrcmpiW (lpString1="PYGzua5OAZBGc.avi", lpString2="Program Files") returned 1 [0145.371] lstrcmpiW (lpString1="PYGzua5OAZBGc.avi", lpString2="Program Files (x86)") returned 1 [0145.371] lstrcmpiW (lpString1="PYGzua5OAZBGc.avi", lpString2="$Recycle.bin") returned 1 [0145.371] lstrcmpiW (lpString1="PYGzua5OAZBGc.avi", lpString2="System Volume Information") returned -1 [0145.371] lstrcmpiW (lpString1="PYGzua5OAZBGc.avi", lpString2=".") returned 1 [0145.371] lstrcmpiW (lpString1="PYGzua5OAZBGc.avi", lpString2="..") returned 1 [0145.371] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\PYGzua5OAZBGc.avi") returned 67 [0145.371] lstrcmpW (lpString1="PYGzua5OAZBGc.avi", lpString2="PUSSY.TXT") returned 1 [0145.371] PathFindExtensionW (pszPath="PYGzua5OAZBGc.avi") returned=".avi" [0145.371] lstrlenW (lpString=".avi") returned 4 [0145.371] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0145.371] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\PYGzua5OAZBGc.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\pygzua5oazbgc.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0145.372] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=80433) returned 1 [0145.372] GetProcessHeap () returned 0x4c0000 [0145.372] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0145.381] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="A2") returned 2 [0145.381] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="6A") returned 2 [0145.381] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="E8") returned 2 [0145.381] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="1A") returned 2 [0145.381] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="77") returned 2 [0145.381] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="CB") returned 2 [0145.381] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="CA") returned 2 [0145.381] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="9D") returned 2 [0145.381] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="EA") returned 2 [0145.381] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="E8") returned 2 [0145.381] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="7A") returned 2 [0145.381] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="3D") returned 2 [0145.381] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="55") returned 2 [0145.381] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="48") returned 2 [0145.381] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="13") returned 2 [0145.381] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="39") returned 2 [0145.381] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="83") returned 2 [0145.381] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="7B") returned 2 [0145.381] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="36") returned 2 [0145.381] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="0B") returned 2 [0145.381] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="7E") returned 2 [0145.381] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="16") returned 2 [0145.382] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="23") returned 2 [0145.382] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="D3") returned 2 [0145.382] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="D6") returned 2 [0145.382] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="CF") returned 2 [0145.382] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="DD") returned 2 [0145.382] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="5B") returned 2 [0145.382] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="2F") returned 2 [0145.382] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="A0") returned 2 [0145.382] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="3C") returned 2 [0145.382] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="0E") returned 2 [0145.390] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\PYGzua5OAZBGc.avi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\PYGzua5OAZBGc.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\PYGzua5OAZBGc.avi" [0145.390] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\PYGzua5OAZBGc.avi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\PYGzua5OAZBGc.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\PYGzua5OAZBGc.avi" [0145.390] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\PYGzua5OAZBGc.avi", lpString2=".A26AE81A77CBCA9DEAE87A3D55481339837B360B7E1623D3D6CFDD5B2FA03C0E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\PYGzua5OAZBGc.avi.A26AE81A77CBCA9DEAE87A3D55481339837B360B7E1623D3D6CFDD5B2FA03C0E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\PYGzua5OAZBGc.avi.A26AE81A77CBCA9DEAE87A3D55481339837B360B7E1623D3D6CFDD5B2FA03C0E" [0145.390] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0145.390] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0145.425] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6f0b5d90, ftCreationTime.dwHighDateTime=0x1d5dfb8, ftLastAccessTime.dwLowDateTime=0x20ca7ff0, ftLastAccessTime.dwHighDateTime=0x1d5d8e5, ftLastWriteTime.dwLowDateTime=0x20ca7ff0, ftLastWriteTime.dwHighDateTime=0x1d5d8e5, nFileSizeHigh=0x0, nFileSizeLow=0x11929, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="qKgvVzcp8_KFLXTSHIv.avi", cAlternateFileName="QKGVVZ~1.AVI")) returned 1 [0145.425] lstrcmpiW (lpString1="qKgvVzcp8_KFLXTSHIv.avi", lpString2="Windows") returned -1 [0145.425] lstrcmpiW (lpString1="qKgvVzcp8_KFLXTSHIv.avi", lpString2="Program Files") returned 1 [0145.425] lstrcmpiW (lpString1="qKgvVzcp8_KFLXTSHIv.avi", lpString2="Program Files (x86)") returned 1 [0145.425] lstrcmpiW (lpString1="qKgvVzcp8_KFLXTSHIv.avi", lpString2="$Recycle.bin") returned 1 [0145.425] lstrcmpiW (lpString1="qKgvVzcp8_KFLXTSHIv.avi", lpString2="System Volume Information") returned -1 [0145.425] lstrcmpiW (lpString1="qKgvVzcp8_KFLXTSHIv.avi", lpString2=".") returned 1 [0145.425] lstrcmpiW (lpString1="qKgvVzcp8_KFLXTSHIv.avi", lpString2="..") returned 1 [0145.425] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\qKgvVzcp8_KFLXTSHIv.avi") returned 73 [0145.426] lstrcmpW (lpString1="qKgvVzcp8_KFLXTSHIv.avi", lpString2="PUSSY.TXT") returned 1 [0145.426] PathFindExtensionW (pszPath="qKgvVzcp8_KFLXTSHIv.avi") returned=".avi" [0145.426] lstrlenW (lpString=".avi") returned 4 [0145.426] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0145.426] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\qKgvVzcp8_KFLXTSHIv.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\qkgvvzcp8_kflxtshiv.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0145.427] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=71977) returned 1 [0145.427] GetProcessHeap () returned 0x4c0000 [0145.427] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0145.437] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="A0") returned 2 [0145.437] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="FD") returned 2 [0145.437] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="12") returned 2 [0145.437] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="1B") returned 2 [0145.437] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="31") returned 2 [0145.437] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="3C") returned 2 [0145.437] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="0B") returned 2 [0145.437] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="A3") returned 2 [0145.437] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="35") returned 2 [0145.437] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="F3") returned 2 [0145.437] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="54") returned 2 [0145.437] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="DC") returned 2 [0145.437] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="BF") returned 2 [0145.437] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="78") returned 2 [0145.437] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="BF") returned 2 [0145.437] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="13") returned 2 [0145.437] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="D3") returned 2 [0145.437] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="D4") returned 2 [0145.438] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="5C") returned 2 [0145.438] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="55") returned 2 [0145.438] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="84") returned 2 [0145.438] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="F1") returned 2 [0145.438] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="B8") returned 2 [0145.438] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="4C") returned 2 [0145.438] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="5B") returned 2 [0145.438] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="AC") returned 2 [0145.438] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="75") returned 2 [0145.438] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="A3") returned 2 [0145.438] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="10") returned 2 [0145.438] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="A3") returned 2 [0145.438] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="B5") returned 2 [0145.438] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="2E") returned 2 [0145.446] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\qKgvVzcp8_KFLXTSHIv.avi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\qKgvVzcp8_KFLXTSHIv.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\qKgvVzcp8_KFLXTSHIv.avi" [0145.446] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\qKgvVzcp8_KFLXTSHIv.avi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\qKgvVzcp8_KFLXTSHIv.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\qKgvVzcp8_KFLXTSHIv.avi" [0145.446] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\qKgvVzcp8_KFLXTSHIv.avi", lpString2=".A0FD121B313C0BA335F354DCBF78BF13D3D45C5584F1B84C5BAC75A310A3B52E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\qKgvVzcp8_KFLXTSHIv.avi.A0FD121B313C0BA335F354DCBF78BF13D3D45C5584F1B84C5BAC75A310A3B52E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\qKgvVzcp8_KFLXTSHIv.avi.A0FD121B313C0BA335F354DCBF78BF13D3D45C5584F1B84C5BAC75A310A3B52E" [0145.446] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0145.446] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0145.479] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1e24db80, ftCreationTime.dwHighDateTime=0x1d5d9ce, ftLastAccessTime.dwLowDateTime=0x1eaa43b0, ftLastAccessTime.dwHighDateTime=0x1d5dea6, ftLastWriteTime.dwLowDateTime=0x1eaa43b0, ftLastWriteTime.dwHighDateTime=0x1d5dea6, nFileSizeHigh=0x0, nFileSizeLow=0x28d3, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="QVAM3q.bmp", cAlternateFileName="")) returned 1 [0145.479] lstrcmpiW (lpString1="QVAM3q.bmp", lpString2="Windows") returned -1 [0145.479] lstrcmpiW (lpString1="QVAM3q.bmp", lpString2="Program Files") returned 1 [0145.479] lstrcmpiW (lpString1="QVAM3q.bmp", lpString2="Program Files (x86)") returned 1 [0145.479] lstrcmpiW (lpString1="QVAM3q.bmp", lpString2="$Recycle.bin") returned 1 [0145.479] lstrcmpiW (lpString1="QVAM3q.bmp", lpString2="System Volume Information") returned -1 [0145.479] lstrcmpiW (lpString1="QVAM3q.bmp", lpString2=".") returned 1 [0145.479] lstrcmpiW (lpString1="QVAM3q.bmp", lpString2="..") returned 1 [0145.479] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\QVAM3q.bmp") returned 60 [0145.479] lstrcmpW (lpString1="QVAM3q.bmp", lpString2="PUSSY.TXT") returned 1 [0145.479] PathFindExtensionW (pszPath="QVAM3q.bmp") returned=".bmp" [0145.479] lstrlenW (lpString=".bmp") returned 4 [0145.479] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0145.479] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\QVAM3q.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\qvam3q.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0145.480] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=10451) returned 1 [0145.480] GetProcessHeap () returned 0x4c0000 [0145.480] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0145.588] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="1D") returned 2 [0145.588] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="18") returned 2 [0145.588] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="E0") returned 2 [0145.588] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="AD") returned 2 [0145.588] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="B2") returned 2 [0145.588] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="D2") returned 2 [0145.588] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="85") returned 2 [0145.588] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="D3") returned 2 [0145.588] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="4A") returned 2 [0145.588] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="D8") returned 2 [0145.588] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="EF") returned 2 [0145.588] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="54") returned 2 [0145.588] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="4D") returned 2 [0145.588] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="48") returned 2 [0145.588] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="20") returned 2 [0145.588] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="3D") returned 2 [0145.588] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="B3") returned 2 [0145.588] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="A6") returned 2 [0145.588] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="51") returned 2 [0145.588] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="FF") returned 2 [0145.588] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="8E") returned 2 [0145.589] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="E9") returned 2 [0145.589] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="43") returned 2 [0145.589] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="76") returned 2 [0145.589] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="B1") returned 2 [0145.589] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="04") returned 2 [0145.589] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="3A") returned 2 [0145.589] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="BB") returned 2 [0145.589] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="18") returned 2 [0145.589] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="C3") returned 2 [0145.589] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="03") returned 2 [0145.589] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="07") returned 2 [0145.598] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\QVAM3q.bmp" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\QVAM3q.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\QVAM3q.bmp" [0145.598] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\QVAM3q.bmp" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\QVAM3q.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\QVAM3q.bmp" [0145.598] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\QVAM3q.bmp", lpString2=".1D18E0ADB2D285D34AD8EF544D48203DB3A651FF8EE94376B1043ABB18C30307" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\QVAM3q.bmp.1D18E0ADB2D285D34AD8EF544D48203DB3A651FF8EE94376B1043ABB18C30307") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\QVAM3q.bmp.1D18E0ADB2D285D34AD8EF544D48203DB3A651FF8EE94376B1043ABB18C30307" [0145.598] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0145.598] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0145.611] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x27842660, ftCreationTime.dwHighDateTime=0x1d5e47b, ftLastAccessTime.dwLowDateTime=0xc0c8dc20, ftLastAccessTime.dwHighDateTime=0x1d5e2d8, ftLastWriteTime.dwLowDateTime=0xc0c8dc20, ftLastWriteTime.dwHighDateTime=0x1d5e2d8, nFileSizeHigh=0x0, nFileSizeLow=0xd19a, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="rfWLnqosBl.ppt", cAlternateFileName="RFWLNQ~1.PPT")) returned 1 [0145.611] lstrcmpiW (lpString1="rfWLnqosBl.ppt", lpString2="Windows") returned -1 [0145.611] lstrcmpiW (lpString1="rfWLnqosBl.ppt", lpString2="Program Files") returned 1 [0145.611] lstrcmpiW (lpString1="rfWLnqosBl.ppt", lpString2="Program Files (x86)") returned 1 [0145.611] lstrcmpiW (lpString1="rfWLnqosBl.ppt", lpString2="$Recycle.bin") returned 1 [0145.611] lstrcmpiW (lpString1="rfWLnqosBl.ppt", lpString2="System Volume Information") returned -1 [0145.611] lstrcmpiW (lpString1="rfWLnqosBl.ppt", lpString2=".") returned 1 [0145.611] lstrcmpiW (lpString1="rfWLnqosBl.ppt", lpString2="..") returned 1 [0145.611] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\rfWLnqosBl.ppt") returned 64 [0145.611] lstrcmpW (lpString1="rfWLnqosBl.ppt", lpString2="PUSSY.TXT") returned 1 [0145.611] PathFindExtensionW (pszPath="rfWLnqosBl.ppt") returned=".ppt" [0145.611] lstrlenW (lpString=".ppt") returned 4 [0145.611] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0145.611] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\rfWLnqosBl.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\rfwlnqosbl.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0145.612] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=53658) returned 1 [0145.612] GetProcessHeap () returned 0x4c0000 [0145.612] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0145.620] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="58") returned 2 [0145.620] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="00") returned 2 [0145.620] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="48") returned 2 [0145.620] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="35") returned 2 [0145.621] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="F1") returned 2 [0145.621] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="F1") returned 2 [0145.621] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="15") returned 2 [0145.621] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="7C") returned 2 [0145.621] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="66") returned 2 [0145.621] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="66") returned 2 [0145.621] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="25") returned 2 [0145.621] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="EC") returned 2 [0145.621] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="7D") returned 2 [0145.621] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="C2") returned 2 [0145.621] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="72") returned 2 [0145.621] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="CB") returned 2 [0145.621] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="5E") returned 2 [0145.621] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="5B") returned 2 [0145.621] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="AC") returned 2 [0145.621] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="93") returned 2 [0145.621] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="CC") returned 2 [0145.621] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="94") returned 2 [0145.621] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="7A") returned 2 [0145.621] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="CA") returned 2 [0145.621] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="5A") returned 2 [0145.621] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="38") returned 2 [0145.621] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="5B") returned 2 [0145.621] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="16") returned 2 [0145.621] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="6C") returned 2 [0145.621] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="D0") returned 2 [0145.621] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="59") returned 2 [0145.621] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="4F") returned 2 [0145.630] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\rfWLnqosBl.ppt" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\rfWLnqosBl.ppt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\rfWLnqosBl.ppt" [0145.630] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\rfWLnqosBl.ppt" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\rfWLnqosBl.ppt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\rfWLnqosBl.ppt" [0145.631] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\rfWLnqosBl.ppt", lpString2=".58004835F1F1157C666625EC7DC272CB5E5BAC93CC947ACA5A385B166CD0594F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\rfWLnqosBl.ppt.58004835F1F1157C666625EC7DC272CB5E5BAC93CC947ACA5A385B166CD0594F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\rfWLnqosBl.ppt.58004835F1F1157C666625EC7DC272CB5E5BAC93CC947ACA5A385B166CD0594F" [0145.631] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0145.631] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0145.665] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x608eff30, ftCreationTime.dwHighDateTime=0x1d5d921, ftLastAccessTime.dwLowDateTime=0xc67dc060, ftLastAccessTime.dwHighDateTime=0x1d5e1c3, ftLastWriteTime.dwLowDateTime=0xc67dc060, ftLastWriteTime.dwHighDateTime=0x1d5e1c3, nFileSizeHigh=0x0, nFileSizeLow=0x145df, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="rkQBZn Vs0dgR0u1hye6.gif", cAlternateFileName="RKQBZN~1.GIF")) returned 1 [0145.665] lstrcmpiW (lpString1="rkQBZn Vs0dgR0u1hye6.gif", lpString2="Windows") returned -1 [0145.665] lstrcmpiW (lpString1="rkQBZn Vs0dgR0u1hye6.gif", lpString2="Program Files") returned 1 [0145.665] lstrcmpiW (lpString1="rkQBZn Vs0dgR0u1hye6.gif", lpString2="Program Files (x86)") returned 1 [0145.665] lstrcmpiW (lpString1="rkQBZn Vs0dgR0u1hye6.gif", lpString2="$Recycle.bin") returned 1 [0145.665] lstrcmpiW (lpString1="rkQBZn Vs0dgR0u1hye6.gif", lpString2="System Volume Information") returned -1 [0145.665] lstrcmpiW (lpString1="rkQBZn Vs0dgR0u1hye6.gif", lpString2=".") returned 1 [0145.665] lstrcmpiW (lpString1="rkQBZn Vs0dgR0u1hye6.gif", lpString2="..") returned 1 [0145.665] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\rkQBZn Vs0dgR0u1hye6.gif") returned 74 [0145.665] lstrcmpW (lpString1="rkQBZn Vs0dgR0u1hye6.gif", lpString2="PUSSY.TXT") returned 1 [0145.665] PathFindExtensionW (pszPath="rkQBZn Vs0dgR0u1hye6.gif") returned=".gif" [0145.665] lstrlenW (lpString=".gif") returned 4 [0145.665] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0145.665] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\rkQBZn Vs0dgR0u1hye6.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\rkqbzn vs0dgr0u1hye6.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0145.666] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=83423) returned 1 [0145.666] GetProcessHeap () returned 0x4c0000 [0145.666] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0145.674] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="7B") returned 2 [0145.674] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="76") returned 2 [0145.674] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="64") returned 2 [0145.675] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="60") returned 2 [0145.675] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="87") returned 2 [0145.675] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="36") returned 2 [0145.675] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="0B") returned 2 [0145.675] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="D5") returned 2 [0145.675] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="11") returned 2 [0145.675] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="19") returned 2 [0145.675] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="4A") returned 2 [0145.675] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="F9") returned 2 [0145.675] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="14") returned 2 [0145.675] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="0A") returned 2 [0145.675] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="4D") returned 2 [0145.675] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="91") returned 2 [0145.675] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="83") returned 2 [0145.675] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="21") returned 2 [0145.675] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="25") returned 2 [0145.675] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="7E") returned 2 [0145.675] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="95") returned 2 [0145.675] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="D3") returned 2 [0145.675] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="86") returned 2 [0145.675] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="BC") returned 2 [0145.675] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="82") returned 2 [0145.675] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="47") returned 2 [0145.675] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="9E") returned 2 [0145.675] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="CE") returned 2 [0145.675] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="67") returned 2 [0145.675] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="52") returned 2 [0145.675] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="D7") returned 2 [0145.675] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="62") returned 2 [0145.683] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\rkQBZn Vs0dgR0u1hye6.gif" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\rkQBZn Vs0dgR0u1hye6.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\rkQBZn Vs0dgR0u1hye6.gif" [0145.683] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\rkQBZn Vs0dgR0u1hye6.gif" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\rkQBZn Vs0dgR0u1hye6.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\rkQBZn Vs0dgR0u1hye6.gif" [0145.683] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\rkQBZn Vs0dgR0u1hye6.gif", lpString2=".7B76646087360BD511194AF9140A4D918321257E95D386BC82479ECE6752D762" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\rkQBZn Vs0dgR0u1hye6.gif.7B76646087360BD511194AF9140A4D918321257E95D386BC82479ECE6752D762") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\rkQBZn Vs0dgR0u1hye6.gif.7B76646087360BD511194AF9140A4D918321257E95D386BC82479ECE6752D762" [0145.683] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0145.684] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0145.718] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3b06def0, ftCreationTime.dwHighDateTime=0x1d5e1f9, ftLastAccessTime.dwLowDateTime=0x6c258ca0, ftLastAccessTime.dwHighDateTime=0x1d5dadf, ftLastWriteTime.dwLowDateTime=0x6c258ca0, ftLastWriteTime.dwHighDateTime=0x1d5dadf, nFileSizeHigh=0x0, nFileSizeLow=0x1780a, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="t xJ7vhKbu92Ki7.swf", cAlternateFileName="TXJ7VH~1.SWF")) returned 1 [0145.718] lstrcmpiW (lpString1="t xJ7vhKbu92Ki7.swf", lpString2="Windows") returned -1 [0145.718] lstrcmpiW (lpString1="t xJ7vhKbu92Ki7.swf", lpString2="Program Files") returned 1 [0145.718] lstrcmpiW (lpString1="t xJ7vhKbu92Ki7.swf", lpString2="Program Files (x86)") returned 1 [0145.718] lstrcmpiW (lpString1="t xJ7vhKbu92Ki7.swf", lpString2="$Recycle.bin") returned 1 [0145.718] lstrcmpiW (lpString1="t xJ7vhKbu92Ki7.swf", lpString2="System Volume Information") returned 1 [0145.718] lstrcmpiW (lpString1="t xJ7vhKbu92Ki7.swf", lpString2=".") returned 1 [0145.718] lstrcmpiW (lpString1="t xJ7vhKbu92Ki7.swf", lpString2="..") returned 1 [0145.718] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\t xJ7vhKbu92Ki7.swf") returned 69 [0145.718] lstrcmpW (lpString1="t xJ7vhKbu92Ki7.swf", lpString2="PUSSY.TXT") returned 1 [0145.718] PathFindExtensionW (pszPath="t xJ7vhKbu92Ki7.swf") returned=".swf" [0145.718] lstrlenW (lpString=".swf") returned 4 [0145.718] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0145.718] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\t xJ7vhKbu92Ki7.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\t xj7vhkbu92ki7.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0145.719] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=96266) returned 1 [0145.719] GetProcessHeap () returned 0x4c0000 [0145.719] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0145.729] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="C9") returned 2 [0145.729] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="19") returned 2 [0145.729] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="B0") returned 2 [0145.729] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="40") returned 2 [0145.729] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="11") returned 2 [0145.729] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="15") returned 2 [0145.729] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="65") returned 2 [0145.729] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="66") returned 2 [0145.729] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="4C") returned 2 [0145.729] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="F6") returned 2 [0145.729] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="AE") returned 2 [0145.730] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="A5") returned 2 [0145.730] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="1B") returned 2 [0145.730] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="B3") returned 2 [0145.730] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="77") returned 2 [0145.730] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="DB") returned 2 [0145.730] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="78") returned 2 [0145.730] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="38") returned 2 [0145.730] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="E5") returned 2 [0145.730] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="88") returned 2 [0145.730] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="78") returned 2 [0145.730] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="48") returned 2 [0145.730] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="86") returned 2 [0145.730] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="1E") returned 2 [0145.730] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="6D") returned 2 [0145.730] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="45") returned 2 [0145.730] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="47") returned 2 [0145.730] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="4B") returned 2 [0145.730] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="75") returned 2 [0145.730] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="66") returned 2 [0145.730] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="A3") returned 2 [0145.730] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="00") returned 2 [0145.738] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\t xJ7vhKbu92Ki7.swf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\t xJ7vhKbu92Ki7.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\t xJ7vhKbu92Ki7.swf" [0145.738] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\t xJ7vhKbu92Ki7.swf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\t xJ7vhKbu92Ki7.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\t xJ7vhKbu92Ki7.swf" [0145.739] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\t xJ7vhKbu92Ki7.swf", lpString2=".C919B040111565664CF6AEA51BB377DB7838E5887848861E6D45474B7566A300" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\t xJ7vhKbu92Ki7.swf.C919B040111565664CF6AEA51BB377DB7838E5887848861E6D45474B7566A300") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\t xJ7vhKbu92Ki7.swf.C919B040111565664CF6AEA51BB377DB7838E5887848861E6D45474B7566A300" [0145.739] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0145.739] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0145.772] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x72b3c620, ftCreationTime.dwHighDateTime=0x1d5e26b, ftLastAccessTime.dwLowDateTime=0xff91f6f0, ftLastAccessTime.dwHighDateTime=0x1d5e52e, ftLastWriteTime.dwLowDateTime=0xff91f6f0, ftLastWriteTime.dwHighDateTime=0x1d5e52e, nFileSizeHigh=0x0, nFileSizeLow=0x8916, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="tICyJkN.gif", cAlternateFileName="")) returned 1 [0145.772] lstrcmpiW (lpString1="tICyJkN.gif", lpString2="Windows") returned -1 [0145.772] lstrcmpiW (lpString1="tICyJkN.gif", lpString2="Program Files") returned 1 [0145.772] lstrcmpiW (lpString1="tICyJkN.gif", lpString2="Program Files (x86)") returned 1 [0145.772] lstrcmpiW (lpString1="tICyJkN.gif", lpString2="$Recycle.bin") returned 1 [0145.772] lstrcmpiW (lpString1="tICyJkN.gif", lpString2="System Volume Information") returned 1 [0145.772] lstrcmpiW (lpString1="tICyJkN.gif", lpString2=".") returned 1 [0145.772] lstrcmpiW (lpString1="tICyJkN.gif", lpString2="..") returned 1 [0145.772] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\tICyJkN.gif") returned 61 [0145.772] lstrcmpW (lpString1="tICyJkN.gif", lpString2="PUSSY.TXT") returned 1 [0145.772] PathFindExtensionW (pszPath="tICyJkN.gif") returned=".gif" [0145.772] lstrlenW (lpString=".gif") returned 4 [0145.772] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0145.772] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\tICyJkN.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\ticyjkn.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0145.773] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=35094) returned 1 [0145.773] GetProcessHeap () returned 0x4c0000 [0145.773] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0145.782] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="76") returned 2 [0145.782] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="67") returned 2 [0145.782] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="7B") returned 2 [0145.782] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="F0") returned 2 [0145.782] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="64") returned 2 [0145.782] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="2F") returned 2 [0145.782] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="C3") returned 2 [0145.782] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="D1") returned 2 [0145.782] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="14") returned 2 [0145.782] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="FF") returned 2 [0145.782] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="7F") returned 2 [0145.783] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="DD") returned 2 [0145.783] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="90") returned 2 [0145.783] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="E9") returned 2 [0145.783] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="C9") returned 2 [0145.783] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="2D") returned 2 [0145.783] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="4C") returned 2 [0145.783] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="C8") returned 2 [0145.783] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="38") returned 2 [0145.783] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="6A") returned 2 [0145.783] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="4E") returned 2 [0145.783] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="33") returned 2 [0145.783] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="9E") returned 2 [0145.783] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="83") returned 2 [0145.783] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="4B") returned 2 [0145.783] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="6A") returned 2 [0145.783] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="1C") returned 2 [0145.783] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="50") returned 2 [0145.783] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="1E") returned 2 [0145.783] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="DD") returned 2 [0145.783] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="F9") returned 2 [0145.783] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="69") returned 2 [0145.791] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\tICyJkN.gif" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\tICyJkN.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\tICyJkN.gif" [0145.791] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\tICyJkN.gif" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\tICyJkN.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\tICyJkN.gif" [0145.791] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\tICyJkN.gif", lpString2=".76677BF0642FC3D114FF7FDD90E9C92D4CC8386A4E339E834B6A1C501EDDF969" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\tICyJkN.gif.76677BF0642FC3D114FF7FDD90E9C92D4CC8386A4E339E834B6A1C501EDDF969") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\tICyJkN.gif.76677BF0642FC3D114FF7FDD90E9C92D4CC8386A4E339E834B6A1C501EDDF969" [0145.792] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0145.792] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0145.929] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd5c661d0, ftCreationTime.dwHighDateTime=0x1d5dd09, ftLastAccessTime.dwLowDateTime=0x1db03420, ftLastAccessTime.dwHighDateTime=0x1d5daf4, ftLastWriteTime.dwLowDateTime=0x1db03420, ftLastWriteTime.dwHighDateTime=0x1d5daf4, nFileSizeHigh=0x0, nFileSizeLow=0x10954, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="udkFco0GjQIuPfreiC.bmp", cAlternateFileName="UDKFCO~1.BMP")) returned 1 [0145.929] lstrcmpiW (lpString1="udkFco0GjQIuPfreiC.bmp", lpString2="Windows") returned -1 [0145.929] lstrcmpiW (lpString1="udkFco0GjQIuPfreiC.bmp", lpString2="Program Files") returned 1 [0145.929] lstrcmpiW (lpString1="udkFco0GjQIuPfreiC.bmp", lpString2="Program Files (x86)") returned 1 [0145.929] lstrcmpiW (lpString1="udkFco0GjQIuPfreiC.bmp", lpString2="$Recycle.bin") returned 1 [0145.929] lstrcmpiW (lpString1="udkFco0GjQIuPfreiC.bmp", lpString2="System Volume Information") returned 1 [0145.929] lstrcmpiW (lpString1="udkFco0GjQIuPfreiC.bmp", lpString2=".") returned 1 [0145.929] lstrcmpiW (lpString1="udkFco0GjQIuPfreiC.bmp", lpString2="..") returned 1 [0145.929] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\udkFco0GjQIuPfreiC.bmp") returned 72 [0145.929] lstrcmpW (lpString1="udkFco0GjQIuPfreiC.bmp", lpString2="PUSSY.TXT") returned 1 [0145.929] PathFindExtensionW (pszPath="udkFco0GjQIuPfreiC.bmp") returned=".bmp" [0145.929] lstrlenW (lpString=".bmp") returned 4 [0145.929] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0145.929] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\udkFco0GjQIuPfreiC.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\udkfco0gjqiupfreic.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0145.930] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=67924) returned 1 [0145.930] GetProcessHeap () returned 0x4c0000 [0145.930] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0145.943] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="6F") returned 2 [0145.943] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="4A") returned 2 [0145.943] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="D3") returned 2 [0145.943] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="84") returned 2 [0145.943] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="0F") returned 2 [0145.943] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="6C") returned 2 [0145.943] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="79") returned 2 [0145.943] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="7F") returned 2 [0145.943] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="51") returned 2 [0145.943] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="B9") returned 2 [0145.943] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="AC") returned 2 [0145.943] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="AB") returned 2 [0145.943] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="F1") returned 2 [0145.943] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="A4") returned 2 [0145.943] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="2A") returned 2 [0145.943] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="47") returned 2 [0145.943] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="D7") returned 2 [0145.943] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="CA") returned 2 [0145.943] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="B8") returned 2 [0145.943] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="EA") returned 2 [0145.943] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="4D") returned 2 [0145.943] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="7E") returned 2 [0145.943] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="8B") returned 2 [0145.943] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="69") returned 2 [0145.943] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="2E") returned 2 [0145.943] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="DA") returned 2 [0145.944] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="BC") returned 2 [0145.944] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="3D") returned 2 [0145.944] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="20") returned 2 [0145.944] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="F2") returned 2 [0145.944] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="D2") returned 2 [0145.944] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="08") returned 2 [0145.956] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\udkFco0GjQIuPfreiC.bmp" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\udkFco0GjQIuPfreiC.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\udkFco0GjQIuPfreiC.bmp" [0145.956] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\udkFco0GjQIuPfreiC.bmp" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\udkFco0GjQIuPfreiC.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\udkFco0GjQIuPfreiC.bmp" [0145.956] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\udkFco0GjQIuPfreiC.bmp", lpString2=".6F4AD3840F6C797F51B9ACABF1A42A47D7CAB8EA4D7E8B692EDABC3D20F2D208" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\udkFco0GjQIuPfreiC.bmp.6F4AD3840F6C797F51B9ACABF1A42A47D7CAB8EA4D7E8B692EDABC3D20F2D208") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\udkFco0GjQIuPfreiC.bmp.6F4AD3840F6C797F51B9ACABF1A42A47D7CAB8EA4D7E8B692EDABC3D20F2D208" [0145.956] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0145.956] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0146.003] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x349507d0, ftCreationTime.dwHighDateTime=0x1d5e4c5, ftLastAccessTime.dwLowDateTime=0x4c6b11d0, ftLastAccessTime.dwHighDateTime=0x1d5da28, ftLastWriteTime.dwLowDateTime=0x4c6b11d0, ftLastWriteTime.dwHighDateTime=0x1d5da28, nFileSizeHigh=0x0, nFileSizeLow=0x6042, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="UI4qmN8ZH.mkv", cAlternateFileName="UI4QMN~1.MKV")) returned 1 [0146.003] lstrcmpiW (lpString1="UI4qmN8ZH.mkv", lpString2="Windows") returned -1 [0146.003] lstrcmpiW (lpString1="UI4qmN8ZH.mkv", lpString2="Program Files") returned 1 [0146.003] lstrcmpiW (lpString1="UI4qmN8ZH.mkv", lpString2="Program Files (x86)") returned 1 [0146.003] lstrcmpiW (lpString1="UI4qmN8ZH.mkv", lpString2="$Recycle.bin") returned 1 [0146.003] lstrcmpiW (lpString1="UI4qmN8ZH.mkv", lpString2="System Volume Information") returned 1 [0146.003] lstrcmpiW (lpString1="UI4qmN8ZH.mkv", lpString2=".") returned 1 [0146.003] lstrcmpiW (lpString1="UI4qmN8ZH.mkv", lpString2="..") returned 1 [0146.003] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\UI4qmN8ZH.mkv") returned 63 [0146.003] lstrcmpW (lpString1="UI4qmN8ZH.mkv", lpString2="PUSSY.TXT") returned 1 [0146.003] PathFindExtensionW (pszPath="UI4qmN8ZH.mkv") returned=".mkv" [0146.003] lstrlenW (lpString=".mkv") returned 4 [0146.003] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0146.003] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\UI4qmN8ZH.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\ui4qmn8zh.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0146.004] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=24642) returned 1 [0146.004] GetProcessHeap () returned 0x4c0000 [0146.004] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0146.017] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="27") returned 2 [0146.017] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="44") returned 2 [0146.017] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="33") returned 2 [0146.017] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="E6") returned 2 [0146.017] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="94") returned 2 [0146.017] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="18") returned 2 [0146.017] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="52") returned 2 [0146.017] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="A3") returned 2 [0146.017] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="97") returned 2 [0146.017] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="68") returned 2 [0146.017] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="D3") returned 2 [0146.017] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="6F") returned 2 [0146.017] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="AD") returned 2 [0146.018] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="31") returned 2 [0146.018] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="87") returned 2 [0146.018] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="2C") returned 2 [0146.018] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="93") returned 2 [0146.018] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="D0") returned 2 [0146.018] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="1A") returned 2 [0146.018] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="F1") returned 2 [0146.018] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="7D") returned 2 [0146.018] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="1A") returned 2 [0146.018] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="BD") returned 2 [0146.018] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="73") returned 2 [0146.018] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="A8") returned 2 [0146.018] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="9C") returned 2 [0146.018] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="49") returned 2 [0146.018] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="25") returned 2 [0146.018] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="25") returned 2 [0146.018] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="EA") returned 2 [0146.018] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="3F") returned 2 [0146.018] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="56") returned 2 [0146.030] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\UI4qmN8ZH.mkv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\UI4qmN8ZH.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\UI4qmN8ZH.mkv" [0146.030] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\UI4qmN8ZH.mkv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\UI4qmN8ZH.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\UI4qmN8ZH.mkv" [0146.030] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\UI4qmN8ZH.mkv", lpString2=".274433E6941852A39768D36FAD31872C93D01AF17D1ABD73A89C492525EA3F56" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\UI4qmN8ZH.mkv.274433E6941852A39768D36FAD31872C93D01AF17D1ABD73A89C492525EA3F56") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\UI4qmN8ZH.mkv.274433E6941852A39768D36FAD31872C93D01AF17D1ABD73A89C492525EA3F56" [0146.030] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0146.030] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0146.066] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x291d480, ftCreationTime.dwHighDateTime=0x1d5e3f2, ftLastAccessTime.dwLowDateTime=0x6361870, ftLastAccessTime.dwHighDateTime=0x1d5dc5f, ftLastWriteTime.dwLowDateTime=0x6361870, ftLastWriteTime.dwHighDateTime=0x1d5dc5f, nFileSizeHigh=0x0, nFileSizeLow=0x8674, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="WPh5.m4a", cAlternateFileName="")) returned 1 [0146.067] lstrcmpiW (lpString1="WPh5.m4a", lpString2="Windows") returned 1 [0146.067] lstrcmpiW (lpString1="WPh5.m4a", lpString2="Program Files") returned 1 [0146.067] lstrcmpiW (lpString1="WPh5.m4a", lpString2="Program Files (x86)") returned 1 [0146.067] lstrcmpiW (lpString1="WPh5.m4a", lpString2="$Recycle.bin") returned 1 [0146.067] lstrcmpiW (lpString1="WPh5.m4a", lpString2="System Volume Information") returned 1 [0146.067] lstrcmpiW (lpString1="WPh5.m4a", lpString2=".") returned 1 [0146.067] lstrcmpiW (lpString1="WPh5.m4a", lpString2="..") returned 1 [0146.067] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\WPh5.m4a") returned 58 [0146.067] lstrcmpW (lpString1="WPh5.m4a", lpString2="PUSSY.TXT") returned 1 [0146.067] PathFindExtensionW (pszPath="WPh5.m4a") returned=".m4a" [0146.067] lstrlenW (lpString=".m4a") returned 4 [0146.067] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0146.067] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\WPh5.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\wph5.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0146.068] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=34420) returned 1 [0146.068] GetProcessHeap () returned 0x4c0000 [0146.068] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0146.080] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="0B") returned 2 [0146.080] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="9A") returned 2 [0146.080] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="85") returned 2 [0146.081] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="46") returned 2 [0146.081] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="45") returned 2 [0146.081] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="23") returned 2 [0146.081] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="88") returned 2 [0146.081] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="FA") returned 2 [0146.081] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="3B") returned 2 [0146.081] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="44") returned 2 [0146.081] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="60") returned 2 [0146.081] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="59") returned 2 [0146.081] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="6B") returned 2 [0146.081] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="46") returned 2 [0146.081] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="CF") returned 2 [0146.081] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="2D") returned 2 [0146.081] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="A9") returned 2 [0146.081] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="F6") returned 2 [0146.081] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="4D") returned 2 [0146.081] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="A8") returned 2 [0146.081] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="E8") returned 2 [0146.081] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="61") returned 2 [0146.081] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="EC") returned 2 [0146.081] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="1A") returned 2 [0146.081] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="FC") returned 2 [0146.081] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="31") returned 2 [0146.081] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="D9") returned 2 [0146.081] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="29") returned 2 [0146.081] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="7B") returned 2 [0146.081] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="68") returned 2 [0146.081] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="8E") returned 2 [0146.081] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="32") returned 2 [0146.093] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\WPh5.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\WPh5.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\WPh5.m4a" [0146.093] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\WPh5.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\WPh5.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\WPh5.m4a" [0146.094] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\WPh5.m4a", lpString2=".0B9A8546452388FA3B4460596B46CF2DA9F64DA8E861EC1AFC31D9297B688E32" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\WPh5.m4a.0B9A8546452388FA3B4460596B46CF2DA9F64DA8E861EC1AFC31D9297B688E32") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\WPh5.m4a.0B9A8546452388FA3B4460596B46CF2DA9F64DA8E861EC1AFC31D9297B688E32" [0146.094] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0146.094] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0146.142] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf42d8f30, ftCreationTime.dwHighDateTime=0x1d5e011, ftLastAccessTime.dwLowDateTime=0x402c7070, ftLastAccessTime.dwHighDateTime=0x1d5dfb0, ftLastWriteTime.dwLowDateTime=0x402c7070, ftLastWriteTime.dwHighDateTime=0x1d5dfb0, nFileSizeHigh=0x0, nFileSizeLow=0xfffe, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="Xk3p1kbq.bmp", cAlternateFileName="")) returned 1 [0146.142] lstrcmpiW (lpString1="Xk3p1kbq.bmp", lpString2="Windows") returned 1 [0146.142] lstrcmpiW (lpString1="Xk3p1kbq.bmp", lpString2="Program Files") returned 1 [0146.142] lstrcmpiW (lpString1="Xk3p1kbq.bmp", lpString2="Program Files (x86)") returned 1 [0146.142] lstrcmpiW (lpString1="Xk3p1kbq.bmp", lpString2="$Recycle.bin") returned 1 [0146.142] lstrcmpiW (lpString1="Xk3p1kbq.bmp", lpString2="System Volume Information") returned 1 [0146.142] lstrcmpiW (lpString1="Xk3p1kbq.bmp", lpString2=".") returned 1 [0146.142] lstrcmpiW (lpString1="Xk3p1kbq.bmp", lpString2="..") returned 1 [0146.142] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Xk3p1kbq.bmp") returned 62 [0146.142] lstrcmpW (lpString1="Xk3p1kbq.bmp", lpString2="PUSSY.TXT") returned 1 [0146.142] PathFindExtensionW (pszPath="Xk3p1kbq.bmp") returned=".bmp" [0146.142] lstrlenW (lpString=".bmp") returned 4 [0146.142] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0146.142] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Xk3p1kbq.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\xk3p1kbq.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0146.143] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=65534) returned 1 [0146.143] GetProcessHeap () returned 0x4c0000 [0146.143] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0146.155] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="6E") returned 2 [0146.155] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="74") returned 2 [0146.155] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="02") returned 2 [0146.155] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="28") returned 2 [0146.155] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="6E") returned 2 [0146.155] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="B9") returned 2 [0146.155] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="B2") returned 2 [0146.155] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="A4") returned 2 [0146.155] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="81") returned 2 [0146.156] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="E2") returned 2 [0146.156] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="16") returned 2 [0146.156] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="67") returned 2 [0146.156] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="D1") returned 2 [0146.156] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="C5") returned 2 [0146.156] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="FE") returned 2 [0146.156] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="0D") returned 2 [0146.156] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="58") returned 2 [0146.156] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="12") returned 2 [0146.156] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="39") returned 2 [0146.156] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="31") returned 2 [0146.156] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="54") returned 2 [0146.156] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="0D") returned 2 [0146.156] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="B9") returned 2 [0146.156] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="42") returned 2 [0146.156] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="D7") returned 2 [0146.156] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="BE") returned 2 [0146.156] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="0B") returned 2 [0146.156] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="05") returned 2 [0146.156] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="95") returned 2 [0146.156] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="C0") returned 2 [0146.156] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="BD") returned 2 [0146.156] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="13") returned 2 [0146.168] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Xk3p1kbq.bmp" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Xk3p1kbq.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Xk3p1kbq.bmp" [0146.168] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Xk3p1kbq.bmp" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Xk3p1kbq.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Xk3p1kbq.bmp" [0146.168] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Xk3p1kbq.bmp", lpString2=".6E7402286EB9B2A481E21667D1C5FE0D58123931540DB942D7BE0B0595C0BD13" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Xk3p1kbq.bmp.6E7402286EB9B2A481E21667D1C5FE0D58123931540DB942D7BE0B0595C0BD13") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Xk3p1kbq.bmp.6E7402286EB9B2A481E21667D1C5FE0D58123931540DB942D7BE0B0595C0BD13" [0146.168] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0146.169] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0146.257] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf42d8f30, ftCreationTime.dwHighDateTime=0x1d5e011, ftLastAccessTime.dwLowDateTime=0x402c7070, ftLastAccessTime.dwHighDateTime=0x1d5dfb0, ftLastWriteTime.dwLowDateTime=0x402c7070, ftLastWriteTime.dwHighDateTime=0x1d5dfb0, nFileSizeHigh=0x0, nFileSizeLow=0xfffe, dwReserved0=0xa0000003, dwReserved1=0xfe000000, cFileName="Xk3p1kbq.bmp", cAlternateFileName="")) returned 0 [0146.257] FindClose (in: hFindFile=0x3bb7020 | out: hFindFile=0x3bb7020) returned 1 [0146.258] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\PUSSY.TXT") returned 59 [0146.258] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0146.262] lstrlenA (lpString="abcd") returned 4 [0146.262] WriteFile (in: hFile=0x19c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0146.263] CloseHandle (hObject=0x19c) returned 1 [0146.263] GetProcessHeap () returned 0x4c0000 [0146.263] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x57bb80 | out: hHeap=0x4c0000) returned 1 [0146.263] FindNextFileW (in: hFindFile=0x4ddc08, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdbe53600, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdbe53600, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="Roaming", cAlternateFileName="")) returned 0 [0146.263] FindClose (in: hFindFile=0x4ddc08 | out: hFindFile=0x4ddc08) returned 1 [0146.263] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\PUSSY.TXT") returned 51 [0146.263] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0146.264] lstrlenA (lpString="abcd") returned 4 [0146.264] WriteFile (in: hFile=0x190, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0146.265] CloseHandle (hObject=0x190) returned 1 [0146.265] GetProcessHeap () returned 0x4c0000 [0146.266] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0146.272] FindNextFileW (in: hFindFile=0x4ddbc8, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29103b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29103b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29103b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0146.272] lstrcmpiW (lpString1="Application Data", lpString2="Windows") returned -1 [0146.272] lstrcmpiW (lpString1="Application Data", lpString2="Program Files") returned -1 [0146.272] lstrcmpiW (lpString1="Application Data", lpString2="Program Files (x86)") returned -1 [0146.272] lstrcmpiW (lpString1="Application Data", lpString2="$Recycle.bin") returned 1 [0146.273] lstrcmpiW (lpString1="Application Data", lpString2="System Volume Information") returned -1 [0146.273] lstrcmpiW (lpString1="Application Data", lpString2=".") returned 1 [0146.273] lstrcmpiW (lpString1="Application Data", lpString2="..") returned 1 [0146.273] wnsprintfW (in: pszDest=0x3b28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Application Data") returned 50 [0146.273] GetProcessHeap () returned 0x4c0000 [0146.273] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0146.274] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Application Data" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Application Data") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Application Data" [0146.274] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Application Data", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Application Data\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Application Data\\*" [0146.274] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Application Data\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdbe53600, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdbe53600, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="Roaming", cAlternateFileName="a")) returned 0xffffffff [0146.274] GetProcessHeap () returned 0x4c0000 [0146.274] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0146.274] FindNextFileW (in: hFindFile=0x4ddbc8, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2eaf1340, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaf1340, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Contacts", cAlternateFileName="")) returned 1 [0146.274] lstrcmpiW (lpString1="Contacts", lpString2="Windows") returned -1 [0146.274] lstrcmpiW (lpString1="Contacts", lpString2="Program Files") returned -1 [0146.274] lstrcmpiW (lpString1="Contacts", lpString2="Program Files (x86)") returned -1 [0146.274] lstrcmpiW (lpString1="Contacts", lpString2="$Recycle.bin") returned 1 [0146.274] lstrcmpiW (lpString1="Contacts", lpString2="System Volume Information") returned -1 [0146.274] lstrcmpiW (lpString1="Contacts", lpString2=".") returned 1 [0146.274] lstrcmpiW (lpString1="Contacts", lpString2="..") returned 1 [0146.275] wnsprintfW (in: pszDest=0x3b28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts") returned 42 [0146.275] GetProcessHeap () returned 0x4c0000 [0146.275] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0146.275] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" [0146.275] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*" [0146.275] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2eaf1340, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaf1340, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7020 [0146.275] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0146.275] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0146.275] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0146.275] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0146.275] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0146.275] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0146.275] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2eaf1340, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaf1340, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0146.275] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0146.275] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0146.275] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0146.275] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0146.275] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0146.275] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0146.275] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0146.275] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ea7ef20, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2ea7ef20, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2ea7ef20, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x49a, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="Aclviho ASldjfl.contact", cAlternateFileName="ACLVIH~1.CON")) returned 1 [0146.275] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="Windows") returned -1 [0146.276] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="Program Files") returned -1 [0146.276] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="Program Files (x86)") returned -1 [0146.276] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="$Recycle.bin") returned 1 [0146.276] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="System Volume Information") returned -1 [0146.276] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2=".") returned 1 [0146.276] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="..") returned 1 [0146.276] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact") returned 66 [0146.276] lstrcmpW (lpString1="Aclviho ASldjfl.contact", lpString2="PUSSY.TXT") returned -1 [0146.276] PathFindExtensionW (pszPath="Aclviho ASldjfl.contact") returned=".contact" [0146.276] lstrlenW (lpString=".contact") returned 8 [0146.276] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0146.276] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\aclviho asldjfl.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0146.277] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=1178) returned 1 [0146.277] GetProcessHeap () returned 0x4c0000 [0146.277] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0146.291] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="77") returned 2 [0146.291] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="4C") returned 2 [0146.291] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="92") returned 2 [0146.291] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="A5") returned 2 [0146.291] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="D6") returned 2 [0146.291] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="A7") returned 2 [0146.291] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="F1") returned 2 [0146.292] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="94") returned 2 [0146.292] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="04") returned 2 [0146.292] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="E4") returned 2 [0146.292] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="7F") returned 2 [0146.292] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="F9") returned 2 [0146.292] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="44") returned 2 [0146.292] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="11") returned 2 [0146.292] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="5D") returned 2 [0146.292] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="35") returned 2 [0146.292] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="B0") returned 2 [0146.292] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="65") returned 2 [0146.292] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="A9") returned 2 [0146.292] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="28") returned 2 [0146.292] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="29") returned 2 [0146.292] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="42") returned 2 [0146.292] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="92") returned 2 [0146.292] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="47") returned 2 [0146.292] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="05") returned 2 [0146.292] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="8C") returned 2 [0146.292] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="FC") returned 2 [0146.292] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="40") returned 2 [0146.292] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="78") returned 2 [0146.292] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="0E") returned 2 [0146.292] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="21") returned 2 [0146.292] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="2B") returned 2 [0146.304] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact" [0146.304] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact" [0146.304] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact", lpString2=".774C92A5D6A7F19404E47FF944115D35B065A92829429247058CFC40780E212B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact.774C92A5D6A7F19404E47FF944115D35B065A92829429247058CFC40780E212B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact.774C92A5D6A7F19404E47FF944115D35B065A92829429247058CFC40780E212B" [0146.304] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0146.305] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0146.305] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf0fefd94, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x10b1e, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="Administrator.contact", cAlternateFileName="ADMINI~1.CON")) returned 1 [0146.305] lstrcmpiW (lpString1="Administrator.contact", lpString2="Windows") returned -1 [0146.305] lstrcmpiW (lpString1="Administrator.contact", lpString2="Program Files") returned -1 [0146.305] lstrcmpiW (lpString1="Administrator.contact", lpString2="Program Files (x86)") returned -1 [0146.305] lstrcmpiW (lpString1="Administrator.contact", lpString2="$Recycle.bin") returned 1 [0146.305] lstrcmpiW (lpString1="Administrator.contact", lpString2="System Volume Information") returned -1 [0146.305] lstrcmpiW (lpString1="Administrator.contact", lpString2=".") returned 1 [0146.305] lstrcmpiW (lpString1="Administrator.contact", lpString2="..") returned 1 [0146.305] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact") returned 64 [0146.305] lstrcmpW (lpString1="Administrator.contact", lpString2="PUSSY.TXT") returned -1 [0146.305] PathFindExtensionW (pszPath="Administrator.contact") returned=".contact" [0146.305] lstrlenW (lpString=".contact") returned 8 [0146.305] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0146.305] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\administrator.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0146.306] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=68382) returned 1 [0146.306] GetProcessHeap () returned 0x4c0000 [0146.306] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0146.321] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="ED") returned 2 [0146.321] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="B0") returned 2 [0146.321] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="56") returned 2 [0146.321] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="EF") returned 2 [0146.321] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="26") returned 2 [0146.321] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="E0") returned 2 [0146.321] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="E9") returned 2 [0146.321] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="D7") returned 2 [0146.321] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="68") returned 2 [0146.321] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="33") returned 2 [0146.321] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="0B") returned 2 [0146.321] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="C4") returned 2 [0146.321] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="7F") returned 2 [0146.321] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="F0") returned 2 [0146.321] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="EB") returned 2 [0146.322] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="CA") returned 2 [0146.322] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="8B") returned 2 [0146.322] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="D2") returned 2 [0146.322] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="B0") returned 2 [0146.322] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="13") returned 2 [0146.322] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="43") returned 2 [0146.322] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="38") returned 2 [0146.322] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="D8") returned 2 [0146.322] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="59") returned 2 [0146.322] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="EE") returned 2 [0146.322] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="77") returned 2 [0146.322] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="C4") returned 2 [0146.322] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="1B") returned 2 [0146.322] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="DF") returned 2 [0146.322] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="D2") returned 2 [0146.322] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="EC") returned 2 [0146.322] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="14") returned 2 [0146.334] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact" [0146.334] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact" [0146.334] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact", lpString2=".EDB056EF26E0E9D768330BC47FF0EBCA8BD2B0134338D859EE77C41BDFD2EC14" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact.EDB056EF26E0E9D768330BC47FF0EBCA8BD2B0134338D859EE77C41BDFD2EC14") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact.EDB056EF26E0E9D768330BC47FF0EBCA8BD2B0134338D859EE77C41BDFD2EC14" [0146.334] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0146.334] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0146.334] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2eaa5080, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2eaa5080, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaa5080, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x493, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="asdlfk poopvy.contact", cAlternateFileName="ASDLFK~1.CON")) returned 1 [0146.335] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="Windows") returned -1 [0146.335] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="Program Files") returned -1 [0146.335] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="Program Files (x86)") returned -1 [0146.335] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="$Recycle.bin") returned 1 [0146.335] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="System Volume Information") returned -1 [0146.335] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2=".") returned 1 [0146.335] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="..") returned 1 [0146.335] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact") returned 64 [0146.335] lstrcmpW (lpString1="asdlfk poopvy.contact", lpString2="PUSSY.TXT") returned -1 [0146.335] PathFindExtensionW (pszPath="asdlfk poopvy.contact") returned=".contact" [0146.335] lstrlenW (lpString=".contact") returned 8 [0146.335] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0146.335] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\asdlfk poopvy.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0146.336] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=1171) returned 1 [0146.336] GetProcessHeap () returned 0x4c0000 [0146.336] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x553b30 [0146.349] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="DF") returned 2 [0146.349] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="BA") returned 2 [0146.349] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="E0") returned 2 [0146.349] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="6B") returned 2 [0146.350] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="16") returned 2 [0146.350] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="4F") returned 2 [0146.350] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="0E") returned 2 [0146.350] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="89") returned 2 [0146.350] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="0C") returned 2 [0146.350] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="22") returned 2 [0146.350] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="0B") returned 2 [0146.350] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="A2") returned 2 [0146.350] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="AA") returned 2 [0146.350] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="91") returned 2 [0146.350] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="CE") returned 2 [0146.350] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="FF") returned 2 [0146.350] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="C6") returned 2 [0146.350] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="98") returned 2 [0146.350] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="8F") returned 2 [0146.350] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="9E") returned 2 [0146.350] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="25") returned 2 [0146.350] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="51") returned 2 [0146.350] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="69") returned 2 [0146.350] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="7E") returned 2 [0146.350] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="CF") returned 2 [0146.350] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="67") returned 2 [0146.351] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="3F") returned 2 [0146.351] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="35") returned 2 [0146.351] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="1C") returned 2 [0146.351] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="D5") returned 2 [0146.351] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="1D") returned 2 [0146.351] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="1B") returned 2 [0146.464] lstrcpyW (in: lpString1=0x563b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact" [0146.464] lstrcpyW (in: lpString1=0x553b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact" [0146.464] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact", lpString2=".DFBAE06B164F0E890C220BA2AA91CEFFC6988F9E2551697ECF673F351CD51D1B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact.DFBAE06B164F0E890C220BA2AA91CEFFC6988F9E2551697ECF673F351CD51D1B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact.DFBAE06B164F0E890C220BA2AA91CEFFC6988F9E2551697ECF673F351CD51D1B" [0146.465] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x553b30, NumberOfConcurrentThreads=0x0) returned 0x94 [0146.465] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x553b30, lpOverlapped=0x553b30) returned 1 [0146.465] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2eacb1e0, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2eacb1e0, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eacb1e0, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x499, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="chucu jadnvk.contact", cAlternateFileName="CHUCUJ~1.CON")) returned 1 [0146.465] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="Windows") returned -1 [0146.468] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="Program Files") returned -1 [0146.468] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="Program Files (x86)") returned -1 [0146.468] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="$Recycle.bin") returned 1 [0146.468] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="System Volume Information") returned -1 [0146.468] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2=".") returned 1 [0146.470] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="..") returned 1 [0146.470] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact") returned 63 [0146.470] lstrcmpW (lpString1="chucu jadnvk.contact", lpString2="PUSSY.TXT") returned -1 [0146.470] PathFindExtensionW (pszPath="chucu jadnvk.contact") returned=".contact" [0146.470] lstrlenW (lpString=".contact") returned 8 [0146.470] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0146.470] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\chucu jadnvk.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0146.471] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=1177) returned 1 [0146.471] GetProcessHeap () returned 0x4c0000 [0146.471] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0146.479] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="A5") returned 2 [0146.480] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="8D") returned 2 [0146.480] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="31") returned 2 [0146.480] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="FE") returned 2 [0146.480] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="60") returned 2 [0146.480] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="7A") returned 2 [0146.480] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="14") returned 2 [0146.480] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="20") returned 2 [0146.480] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="3A") returned 2 [0146.480] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="56") returned 2 [0146.480] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="70") returned 2 [0146.480] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="52") returned 2 [0146.480] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="DC") returned 2 [0146.480] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="16") returned 2 [0146.480] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="0D") returned 2 [0146.480] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="06") returned 2 [0146.480] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="E5") returned 2 [0146.480] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="A6") returned 2 [0146.480] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="4F") returned 2 [0146.480] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="7C") returned 2 [0146.480] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="1E") returned 2 [0146.480] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="82") returned 2 [0146.480] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="98") returned 2 [0146.480] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="B0") returned 2 [0146.480] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="F1") returned 2 [0146.480] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="88") returned 2 [0146.480] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="7D") returned 2 [0146.480] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="B2") returned 2 [0146.480] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="B3") returned 2 [0146.480] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="2C") returned 2 [0146.480] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="93") returned 2 [0146.480] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="43") returned 2 [0146.488] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact" [0146.488] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact" [0146.489] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact", lpString2=".A58D31FE607A14203A567052DC160D06E5A64F7C1E8298B0F1887DB2B32C9343" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact.A58D31FE607A14203A567052DC160D06E5A64F7C1E8298B0F1887DB2B32C9343") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact.A58D31FE607A14203A567052DC160D06E5A64F7C1E8298B0F1887DB2B32C9343" [0146.489] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0146.489] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0146.491] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0146.491] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0146.491] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0146.491] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0146.491] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0146.491] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0146.491] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0146.491] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0146.491] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini") returned 54 [0146.491] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0146.491] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0146.491] lstrlenW (lpString=".ini") returned 4 [0146.491] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0146.491] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0146.492] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=412) returned 1 [0146.492] CloseHandle (hObject=0x19c) returned 1 [0146.492] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2eaf1340, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2eaf1340, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaf1340, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x496, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="lulcit amkdfe.contact", cAlternateFileName="LULCIT~1.CON")) returned 1 [0146.493] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="Windows") returned -1 [0146.493] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="Program Files") returned -1 [0146.493] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="Program Files (x86)") returned -1 [0146.493] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="$Recycle.bin") returned 1 [0146.493] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="System Volume Information") returned -1 [0146.493] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2=".") returned 1 [0146.493] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="..") returned 1 [0146.493] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact") returned 64 [0146.493] lstrcmpW (lpString1="lulcit amkdfe.contact", lpString2="PUSSY.TXT") returned -1 [0146.493] PathFindExtensionW (pszPath="lulcit amkdfe.contact") returned=".contact" [0146.493] lstrlenW (lpString=".contact") returned 8 [0146.493] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0146.493] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\lulcit amkdfe.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0146.494] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=1174) returned 1 [0146.494] GetProcessHeap () returned 0x4c0000 [0146.494] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x553b30 [0146.506] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="07") returned 2 [0146.506] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="6F") returned 2 [0146.506] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="99") returned 2 [0146.506] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="8C") returned 2 [0146.506] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="70") returned 2 [0146.506] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="65") returned 2 [0146.506] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="85") returned 2 [0146.506] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="AA") returned 2 [0146.506] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="22") returned 2 [0146.506] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="F4") returned 2 [0146.506] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="2E") returned 2 [0146.506] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="B2") returned 2 [0146.506] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="1F") returned 2 [0146.506] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="BA") returned 2 [0146.506] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="01") returned 2 [0146.506] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="B5") returned 2 [0146.506] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="CB") returned 2 [0146.506] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="88") returned 2 [0146.506] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="96") returned 2 [0146.506] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="8C") returned 2 [0146.506] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="97") returned 2 [0146.506] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="7A") returned 2 [0146.506] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="A5") returned 2 [0146.506] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="77") returned 2 [0146.506] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="EF") returned 2 [0146.507] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="6A") returned 2 [0146.507] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="0B") returned 2 [0146.507] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="F3") returned 2 [0146.507] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="A3") returned 2 [0146.507] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="27") returned 2 [0146.507] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="8C") returned 2 [0146.507] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="55") returned 2 [0146.516] lstrcpyW (in: lpString1=0x563b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact" [0146.516] lstrcpyW (in: lpString1=0x553b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact" [0146.516] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact", lpString2=".076F998C706585AA22F42EB21FBA01B5CB88968C977AA577EF6A0BF3A3278C55" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact.076F998C706585AA22F42EB21FBA01B5CB88968C977AA577EF6A0BF3A3278C55") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact.076F998C706585AA22F42EB21FBA01B5CB88968C977AA577EF6A0BF3A3278C55" [0146.516] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x553b30, NumberOfConcurrentThreads=0x0) returned 0x94 [0146.516] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x553b30, lpOverlapped=0x553b30) returned 1 [0146.522] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2eaf1340, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2eaf1340, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaf1340, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x494, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="sikvnb huvuib.contact", cAlternateFileName="SIKVNB~1.CON")) returned 1 [0146.522] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="Windows") returned -1 [0146.522] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="Program Files") returned 1 [0146.522] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="Program Files (x86)") returned 1 [0146.522] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="$Recycle.bin") returned 1 [0146.522] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="System Volume Information") returned -1 [0146.522] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2=".") returned 1 [0146.522] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="..") returned 1 [0146.522] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact") returned 64 [0146.522] lstrcmpW (lpString1="sikvnb huvuib.contact", lpString2="PUSSY.TXT") returned 1 [0146.522] PathFindExtensionW (pszPath="sikvnb huvuib.contact") returned=".contact" [0146.522] lstrlenW (lpString=".contact") returned 8 [0146.523] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0146.523] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\sikvnb huvuib.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0146.523] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=1172) returned 1 [0146.523] GetProcessHeap () returned 0x4c0000 [0146.523] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0146.531] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="2B") returned 2 [0146.531] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="00") returned 2 [0146.531] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="05") returned 2 [0146.531] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="07") returned 2 [0146.532] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="D2") returned 2 [0146.532] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="ED") returned 2 [0146.532] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="B1") returned 2 [0146.532] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="FF") returned 2 [0146.532] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="6C") returned 2 [0146.532] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="FD") returned 2 [0146.532] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="C0") returned 2 [0146.532] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="32") returned 2 [0146.532] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="83") returned 2 [0146.532] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="C6") returned 2 [0146.532] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="8B") returned 2 [0146.532] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="76") returned 2 [0146.532] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="82") returned 2 [0146.532] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="D9") returned 2 [0146.532] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="1B") returned 2 [0146.532] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="D4") returned 2 [0146.532] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="1A") returned 2 [0146.532] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="1B") returned 2 [0146.532] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="B4") returned 2 [0146.532] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="50") returned 2 [0146.532] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="FD") returned 2 [0146.532] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="60") returned 2 [0146.532] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="75") returned 2 [0146.532] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="51") returned 2 [0146.532] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="71") returned 2 [0146.532] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="7C") returned 2 [0146.532] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="38") returned 2 [0146.532] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="54") returned 2 [0146.540] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact" [0146.540] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact" [0146.540] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact", lpString2=".2B000507D2EDB1FF6CFDC03283C68B7682D91BD41A1BB450FD607551717C3854" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact.2B000507D2EDB1FF6CFDC03283C68B7682D91BD41A1BB450FD607551717C3854") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact.2B000507D2EDB1FF6CFDC03283C68B7682D91BD41A1BB450FD607551717C3854" [0146.540] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0146.540] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0146.545] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2eaf1340, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2eaf1340, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaf1340, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x494, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="sikvnb huvuib.contact", cAlternateFileName="SIKVNB~1.CON")) returned 0 [0146.545] FindClose (in: hFindFile=0x3bb7020 | out: hFindFile=0x3bb7020) returned 1 [0146.545] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\PUSSY.TXT") returned 52 [0146.545] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0146.546] lstrlenA (lpString="abcd") returned 4 [0146.546] WriteFile (in: hFile=0x190, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0146.547] CloseHandle (hObject=0x190) returned 1 [0146.547] GetProcessHeap () returned 0x4c0000 [0146.547] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0146.550] FindNextFileW (in: hFindFile=0x4ddbc8, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29103b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29103b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29103b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Cookies", cAlternateFileName="")) returned 1 [0146.550] lstrcmpiW (lpString1="Cookies", lpString2="Windows") returned -1 [0146.550] lstrcmpiW (lpString1="Cookies", lpString2="Program Files") returned -1 [0146.550] lstrcmpiW (lpString1="Cookies", lpString2="Program Files (x86)") returned -1 [0146.550] lstrcmpiW (lpString1="Cookies", lpString2="$Recycle.bin") returned 1 [0146.550] lstrcmpiW (lpString1="Cookies", lpString2="System Volume Information") returned -1 [0146.550] lstrcmpiW (lpString1="Cookies", lpString2=".") returned 1 [0146.550] lstrcmpiW (lpString1="Cookies", lpString2="..") returned 1 [0146.550] wnsprintfW (in: pszDest=0x3b28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Cookies") returned 41 [0146.550] GetProcessHeap () returned 0x4c0000 [0146.550] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0146.551] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Cookies" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Cookies") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Cookies" [0146.551] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Cookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Cookies\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Cookies\\*" [0146.551] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Cookies\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2eaf1340, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2eaf1340, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaf1340, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x494, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="sikvnb huvuib.contact", cAlternateFileName="s")) returned 0xffffffff [0146.551] GetProcessHeap () returned 0x4c0000 [0146.551] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0146.551] FindNextFileW (in: hFindFile=0x4ddbc8, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xa4f1aa00, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xa4f1aa00, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Desktop", cAlternateFileName="")) returned 1 [0146.551] lstrcmpiW (lpString1="Desktop", lpString2="Windows") returned -1 [0146.551] lstrcmpiW (lpString1="Desktop", lpString2="Program Files") returned -1 [0146.551] lstrcmpiW (lpString1="Desktop", lpString2="Program Files (x86)") returned -1 [0146.551] lstrcmpiW (lpString1="Desktop", lpString2="$Recycle.bin") returned 1 [0146.551] lstrcmpiW (lpString1="Desktop", lpString2="System Volume Information") returned -1 [0146.551] lstrcmpiW (lpString1="Desktop", lpString2=".") returned 1 [0146.551] lstrcmpiW (lpString1="Desktop", lpString2="..") returned 1 [0146.551] wnsprintfW (in: pszDest=0x3b28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 41 [0146.551] GetProcessHeap () returned 0x4c0000 [0146.551] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0146.551] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0146.551] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*" [0146.551] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xa4f1aa00, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xa4f1aa00, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7020 [0146.551] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0146.552] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0146.552] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0146.552] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0146.552] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0146.552] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0146.552] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xa4f1aa00, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xa4f1aa00, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0146.552] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0146.552] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0146.552] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0146.552] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0146.552] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0146.552] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0146.552] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0146.552] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f14c420, ftCreationTime.dwHighDateTime=0x1d5d7fc, ftLastAccessTime.dwLowDateTime=0x6b9c21a0, ftLastAccessTime.dwHighDateTime=0x1d5ddae, ftLastWriteTime.dwLowDateTime=0x6b9c21a0, ftLastWriteTime.dwHighDateTime=0x1d5ddae, nFileSizeHigh=0x0, nFileSizeLow=0x147ca, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="-tf4134D3q69ThXdEm8.wav", cAlternateFileName="-TF413~1.WAV")) returned 1 [0146.552] lstrcmpiW (lpString1="-tf4134D3q69ThXdEm8.wav", lpString2="Windows") returned -1 [0146.552] lstrcmpiW (lpString1="-tf4134D3q69ThXdEm8.wav", lpString2="Program Files") returned 1 [0146.552] lstrcmpiW (lpString1="-tf4134D3q69ThXdEm8.wav", lpString2="Program Files (x86)") returned 1 [0146.552] lstrcmpiW (lpString1="-tf4134D3q69ThXdEm8.wav", lpString2="$Recycle.bin") returned 1 [0146.552] lstrcmpiW (lpString1="-tf4134D3q69ThXdEm8.wav", lpString2="System Volume Information") returned 1 [0146.552] lstrcmpiW (lpString1="-tf4134D3q69ThXdEm8.wav", lpString2=".") returned 1 [0146.552] lstrcmpiW (lpString1="-tf4134D3q69ThXdEm8.wav", lpString2="..") returned 1 [0146.552] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-tf4134D3q69ThXdEm8.wav") returned 65 [0146.552] lstrcmpW (lpString1="-tf4134D3q69ThXdEm8.wav", lpString2="PUSSY.TXT") returned 1 [0146.552] PathFindExtensionW (pszPath="-tf4134D3q69ThXdEm8.wav") returned=".wav" [0146.552] lstrlenW (lpString=".wav") returned 4 [0146.552] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0146.552] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-tf4134D3q69ThXdEm8.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\-tf4134d3q69thxdem8.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0146.553] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=83914) returned 1 [0146.553] GetProcessHeap () returned 0x4c0000 [0146.553] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0146.563] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="E5") returned 2 [0146.563] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="CF") returned 2 [0146.563] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="C6") returned 2 [0146.563] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="7E") returned 2 [0146.564] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="C4") returned 2 [0146.564] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="09") returned 2 [0146.564] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="3E") returned 2 [0146.564] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="DA") returned 2 [0146.564] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="DB") returned 2 [0146.564] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="00") returned 2 [0146.564] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="29") returned 2 [0146.564] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="71") returned 2 [0146.564] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="E8") returned 2 [0146.564] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="66") returned 2 [0146.564] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="9E") returned 2 [0146.564] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="5A") returned 2 [0146.564] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="4F") returned 2 [0146.564] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="9D") returned 2 [0146.564] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="1A") returned 2 [0146.564] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="05") returned 2 [0146.564] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="8E") returned 2 [0146.564] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="61") returned 2 [0146.564] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="2C") returned 2 [0146.564] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="2B") returned 2 [0146.564] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="8A") returned 2 [0146.565] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="F3") returned 2 [0146.565] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="77") returned 2 [0146.565] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="14") returned 2 [0146.565] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="64") returned 2 [0146.565] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="98") returned 2 [0146.565] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="B5") returned 2 [0146.565] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="50") returned 2 [0146.573] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-tf4134D3q69ThXdEm8.wav" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-tf4134D3q69ThXdEm8.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-tf4134D3q69ThXdEm8.wav" [0146.573] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-tf4134D3q69ThXdEm8.wav" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-tf4134D3q69ThXdEm8.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-tf4134D3q69ThXdEm8.wav" [0146.573] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-tf4134D3q69ThXdEm8.wav", lpString2=".E5CFC67EC4093EDADB002971E8669E5A4F9D1A058E612C2B8AF377146498B550" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-tf4134D3q69ThXdEm8.wav.E5CFC67EC4093EDADB002971E8669E5A4F9D1A058E612C2B8AF377146498B550") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-tf4134D3q69ThXdEm8.wav.E5CFC67EC4093EDADB002971E8669E5A4F9D1A058E612C2B8AF377146498B550" [0146.573] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0146.574] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0146.612] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeddcbc20, ftCreationTime.dwHighDateTime=0x1d5d8ee, ftLastAccessTime.dwLowDateTime=0xc68736f0, ftLastAccessTime.dwHighDateTime=0x1d5de39, ftLastWriteTime.dwLowDateTime=0xc68736f0, ftLastWriteTime.dwHighDateTime=0x1d5de39, nFileSizeHigh=0x0, nFileSizeLow=0x7356, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="0F8K7uAbDRg2oKlHOOp.swf", cAlternateFileName="0F8K7U~1.SWF")) returned 1 [0146.612] lstrcmpiW (lpString1="0F8K7uAbDRg2oKlHOOp.swf", lpString2="Windows") returned -1 [0146.612] lstrcmpiW (lpString1="0F8K7uAbDRg2oKlHOOp.swf", lpString2="Program Files") returned -1 [0146.612] lstrcmpiW (lpString1="0F8K7uAbDRg2oKlHOOp.swf", lpString2="Program Files (x86)") returned -1 [0146.612] lstrcmpiW (lpString1="0F8K7uAbDRg2oKlHOOp.swf", lpString2="$Recycle.bin") returned 1 [0146.612] lstrcmpiW (lpString1="0F8K7uAbDRg2oKlHOOp.swf", lpString2="System Volume Information") returned -1 [0146.612] lstrcmpiW (lpString1="0F8K7uAbDRg2oKlHOOp.swf", lpString2=".") returned 1 [0146.612] lstrcmpiW (lpString1="0F8K7uAbDRg2oKlHOOp.swf", lpString2="..") returned 1 [0146.612] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0F8K7uAbDRg2oKlHOOp.swf") returned 65 [0146.612] lstrcmpW (lpString1="0F8K7uAbDRg2oKlHOOp.swf", lpString2="PUSSY.TXT") returned -1 [0146.612] PathFindExtensionW (pszPath="0F8K7uAbDRg2oKlHOOp.swf") returned=".swf" [0146.612] lstrlenW (lpString=".swf") returned 4 [0146.612] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0146.612] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0F8K7uAbDRg2oKlHOOp.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\0f8k7uabdrg2oklhoop.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0146.659] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=29526) returned 1 [0146.659] GetProcessHeap () returned 0x4c0000 [0146.659] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0146.667] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="43") returned 2 [0146.667] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="13") returned 2 [0146.667] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="E8") returned 2 [0146.667] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="70") returned 2 [0146.667] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="A7") returned 2 [0146.667] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="21") returned 2 [0146.667] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="A3") returned 2 [0146.667] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="A8") returned 2 [0146.667] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="D9") returned 2 [0146.667] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="95") returned 2 [0146.667] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="52") returned 2 [0146.667] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="E6") returned 2 [0146.667] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="88") returned 2 [0146.667] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="35") returned 2 [0146.668] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="79") returned 2 [0146.668] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="37") returned 2 [0146.668] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="B2") returned 2 [0146.668] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="E9") returned 2 [0146.668] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="5F") returned 2 [0146.668] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="4F") returned 2 [0146.668] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="E2") returned 2 [0146.668] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="E1") returned 2 [0146.668] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="48") returned 2 [0146.668] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="B7") returned 2 [0146.668] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="E3") returned 2 [0146.668] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="98") returned 2 [0146.668] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="6C") returned 2 [0146.668] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="32") returned 2 [0146.668] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="A0") returned 2 [0146.668] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="E5") returned 2 [0146.668] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="07") returned 2 [0146.668] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="36") returned 2 [0146.676] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0F8K7uAbDRg2oKlHOOp.swf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0F8K7uAbDRg2oKlHOOp.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0F8K7uAbDRg2oKlHOOp.swf" [0146.676] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0F8K7uAbDRg2oKlHOOp.swf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0F8K7uAbDRg2oKlHOOp.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0F8K7uAbDRg2oKlHOOp.swf" [0146.676] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0F8K7uAbDRg2oKlHOOp.swf", lpString2=".4313E870A721A3A8D99552E688357937B2E95F4FE2E148B7E3986C32A0E50736" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0F8K7uAbDRg2oKlHOOp.swf.4313E870A721A3A8D99552E688357937B2E95F4FE2E148B7E3986C32A0E50736") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0F8K7uAbDRg2oKlHOOp.swf.4313E870A721A3A8D99552E688357937B2E95F4FE2E148B7E3986C32A0E50736" [0146.676] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0146.676] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0146.707] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7137d9a0, ftCreationTime.dwHighDateTime=0x1d5e58e, ftLastAccessTime.dwLowDateTime=0xf290a130, ftLastAccessTime.dwHighDateTime=0x1d5e147, ftLastWriteTime.dwLowDateTime=0xf290a130, ftLastWriteTime.dwHighDateTime=0x1d5e147, nFileSizeHigh=0x0, nFileSizeLow=0x132c2, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="0Pb8wZh1_u354fUc5Pg.png", cAlternateFileName="0PB8WZ~1.PNG")) returned 1 [0146.707] lstrcmpiW (lpString1="0Pb8wZh1_u354fUc5Pg.png", lpString2="Windows") returned -1 [0146.707] lstrcmpiW (lpString1="0Pb8wZh1_u354fUc5Pg.png", lpString2="Program Files") returned -1 [0146.707] lstrcmpiW (lpString1="0Pb8wZh1_u354fUc5Pg.png", lpString2="Program Files (x86)") returned -1 [0146.707] lstrcmpiW (lpString1="0Pb8wZh1_u354fUc5Pg.png", lpString2="$Recycle.bin") returned 1 [0146.707] lstrcmpiW (lpString1="0Pb8wZh1_u354fUc5Pg.png", lpString2="System Volume Information") returned -1 [0146.707] lstrcmpiW (lpString1="0Pb8wZh1_u354fUc5Pg.png", lpString2=".") returned 1 [0146.707] lstrcmpiW (lpString1="0Pb8wZh1_u354fUc5Pg.png", lpString2="..") returned 1 [0146.707] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0Pb8wZh1_u354fUc5Pg.png") returned 65 [0146.707] lstrcmpW (lpString1="0Pb8wZh1_u354fUc5Pg.png", lpString2="PUSSY.TXT") returned -1 [0146.707] PathFindExtensionW (pszPath="0Pb8wZh1_u354fUc5Pg.png") returned=".png" [0146.707] lstrlenW (lpString=".png") returned 4 [0146.707] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0146.707] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0Pb8wZh1_u354fUc5Pg.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\0pb8wzh1_u354fuc5pg.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0146.708] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=78530) returned 1 [0146.708] GetProcessHeap () returned 0x4c0000 [0146.708] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0146.717] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="B0") returned 2 [0146.717] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="CF") returned 2 [0146.717] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="55") returned 2 [0146.717] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="8A") returned 2 [0146.717] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="67") returned 2 [0146.717] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="F2") returned 2 [0146.717] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="25") returned 2 [0146.717] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="AE") returned 2 [0146.717] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="6B") returned 2 [0146.717] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="98") returned 2 [0146.717] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="5E") returned 2 [0146.717] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="C5") returned 2 [0146.717] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="A9") returned 2 [0146.717] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="25") returned 2 [0146.717] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="BA") returned 2 [0146.717] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="AF") returned 2 [0146.717] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="C4") returned 2 [0146.717] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="70") returned 2 [0146.717] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="82") returned 2 [0146.717] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="8C") returned 2 [0146.717] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="7E") returned 2 [0146.717] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="8B") returned 2 [0146.718] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="58") returned 2 [0146.718] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="E0") returned 2 [0146.718] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="A5") returned 2 [0146.718] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="7C") returned 2 [0146.718] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="E8") returned 2 [0146.718] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="1E") returned 2 [0146.718] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="B9") returned 2 [0146.718] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="77") returned 2 [0146.718] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="21") returned 2 [0146.718] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="5A") returned 2 [0146.726] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0Pb8wZh1_u354fUc5Pg.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0Pb8wZh1_u354fUc5Pg.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0Pb8wZh1_u354fUc5Pg.png" [0146.726] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0Pb8wZh1_u354fUc5Pg.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0Pb8wZh1_u354fUc5Pg.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0Pb8wZh1_u354fUc5Pg.png" [0146.726] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0Pb8wZh1_u354fUc5Pg.png", lpString2=".B0CF558A67F225AE6B985EC5A925BAAFC470828C7E8B58E0A57CE81EB977215A" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0Pb8wZh1_u354fUc5Pg.png.B0CF558A67F225AE6B985EC5A925BAAFC470828C7E8B58E0A57CE81EB977215A") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0Pb8wZh1_u354fUc5Pg.png.B0CF558A67F225AE6B985EC5A925BAAFC470828C7E8B58E0A57CE81EB977215A" [0146.726] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0146.726] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0146.764] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72d67c30, ftCreationTime.dwHighDateTime=0x1d5e804, ftLastAccessTime.dwLowDateTime=0xfff0ae80, ftLastAccessTime.dwHighDateTime=0x1d5da06, ftLastWriteTime.dwLowDateTime=0xfff0ae80, ftLastWriteTime.dwHighDateTime=0x1d5da06, nFileSizeHigh=0x0, nFileSizeLow=0x16806, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="0w2_HuzBVKK.swf", cAlternateFileName="0W2_HU~1.SWF")) returned 1 [0146.764] lstrcmpiW (lpString1="0w2_HuzBVKK.swf", lpString2="Windows") returned -1 [0146.764] lstrcmpiW (lpString1="0w2_HuzBVKK.swf", lpString2="Program Files") returned -1 [0146.764] lstrcmpiW (lpString1="0w2_HuzBVKK.swf", lpString2="Program Files (x86)") returned -1 [0146.764] lstrcmpiW (lpString1="0w2_HuzBVKK.swf", lpString2="$Recycle.bin") returned 1 [0146.764] lstrcmpiW (lpString1="0w2_HuzBVKK.swf", lpString2="System Volume Information") returned -1 [0146.764] lstrcmpiW (lpString1="0w2_HuzBVKK.swf", lpString2=".") returned 1 [0146.764] lstrcmpiW (lpString1="0w2_HuzBVKK.swf", lpString2="..") returned 1 [0146.764] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0w2_HuzBVKK.swf") returned 57 [0146.764] lstrcmpW (lpString1="0w2_HuzBVKK.swf", lpString2="PUSSY.TXT") returned -1 [0146.764] PathFindExtensionW (pszPath="0w2_HuzBVKK.swf") returned=".swf" [0146.764] lstrlenW (lpString=".swf") returned 4 [0146.764] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0146.764] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0w2_HuzBVKK.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\0w2_huzbvkk.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0146.765] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=92166) returned 1 [0146.765] GetProcessHeap () returned 0x4c0000 [0146.765] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0146.774] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="D6") returned 2 [0146.774] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="75") returned 2 [0146.774] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="57") returned 2 [0146.774] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="38") returned 2 [0146.774] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="F4") returned 2 [0146.774] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="81") returned 2 [0146.774] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="9D") returned 2 [0146.774] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="35") returned 2 [0146.774] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="CF") returned 2 [0146.774] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="D6") returned 2 [0146.774] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="71") returned 2 [0146.774] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="2C") returned 2 [0146.774] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="2A") returned 2 [0146.774] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="60") returned 2 [0146.774] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="1F") returned 2 [0146.774] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="9C") returned 2 [0146.774] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="A4") returned 2 [0146.774] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="48") returned 2 [0146.774] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="74") returned 2 [0146.774] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="15") returned 2 [0146.774] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="A0") returned 2 [0146.774] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="C7") returned 2 [0146.774] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="03") returned 2 [0146.774] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="6F") returned 2 [0146.774] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="45") returned 2 [0146.774] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="B3") returned 2 [0146.774] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="BD") returned 2 [0146.775] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="F9") returned 2 [0146.775] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="A4") returned 2 [0146.775] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="17") returned 2 [0146.775] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="60") returned 2 [0146.775] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="64") returned 2 [0146.783] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0w2_HuzBVKK.swf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0w2_HuzBVKK.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0w2_HuzBVKK.swf" [0146.783] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0w2_HuzBVKK.swf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0w2_HuzBVKK.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0w2_HuzBVKK.swf" [0146.783] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0w2_HuzBVKK.swf", lpString2=".D6755738F4819D35CFD6712C2A601F9CA4487415A0C7036F45B3BDF9A4176064" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0w2_HuzBVKK.swf.D6755738F4819D35CFD6712C2A601F9CA4487415A0C7036F45B3BDF9A4176064") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0w2_HuzBVKK.swf.D6755738F4819D35CFD6712C2A601F9CA4487415A0C7036F45B3BDF9A4176064" [0146.783] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0146.783] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0146.817] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57ce09d0, ftCreationTime.dwHighDateTime=0x1d5e723, ftLastAccessTime.dwLowDateTime=0x8680b790, ftLastAccessTime.dwHighDateTime=0x1d5e54e, ftLastWriteTime.dwLowDateTime=0x8680b790, ftLastWriteTime.dwHighDateTime=0x1d5e54e, nFileSizeHigh=0x0, nFileSizeLow=0x5df6, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="A_KbH9euCoWB16sjFP.wav", cAlternateFileName="A_KBH9~1.WAV")) returned 1 [0146.817] lstrcmpiW (lpString1="A_KbH9euCoWB16sjFP.wav", lpString2="Windows") returned -1 [0146.817] lstrcmpiW (lpString1="A_KbH9euCoWB16sjFP.wav", lpString2="Program Files") returned -1 [0146.817] lstrcmpiW (lpString1="A_KbH9euCoWB16sjFP.wav", lpString2="Program Files (x86)") returned -1 [0146.817] lstrcmpiW (lpString1="A_KbH9euCoWB16sjFP.wav", lpString2="$Recycle.bin") returned 1 [0146.817] lstrcmpiW (lpString1="A_KbH9euCoWB16sjFP.wav", lpString2="System Volume Information") returned -1 [0146.817] lstrcmpiW (lpString1="A_KbH9euCoWB16sjFP.wav", lpString2=".") returned 1 [0146.817] lstrcmpiW (lpString1="A_KbH9euCoWB16sjFP.wav", lpString2="..") returned 1 [0146.817] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\A_KbH9euCoWB16sjFP.wav") returned 64 [0146.817] lstrcmpW (lpString1="A_KbH9euCoWB16sjFP.wav", lpString2="PUSSY.TXT") returned -1 [0146.817] PathFindExtensionW (pszPath="A_KbH9euCoWB16sjFP.wav") returned=".wav" [0146.817] lstrlenW (lpString=".wav") returned 4 [0146.817] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0146.818] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\A_KbH9euCoWB16sjFP.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\a_kbh9eucowb16sjfp.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0146.820] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=24054) returned 1 [0146.820] GetProcessHeap () returned 0x4c0000 [0146.820] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0146.829] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="B5") returned 2 [0146.829] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="80") returned 2 [0146.829] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="89") returned 2 [0146.829] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="8F") returned 2 [0146.829] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="1E") returned 2 [0146.829] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="18") returned 2 [0146.829] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="0A") returned 2 [0146.829] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="A6") returned 2 [0146.829] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="B2") returned 2 [0146.829] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="97") returned 2 [0146.829] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="F3") returned 2 [0146.829] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="12") returned 2 [0146.829] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="9A") returned 2 [0146.829] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="6B") returned 2 [0146.829] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="DA") returned 2 [0146.829] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="43") returned 2 [0146.829] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="82") returned 2 [0146.829] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="FA") returned 2 [0146.829] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="9C") returned 2 [0146.829] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="06") returned 2 [0146.829] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="0B") returned 2 [0146.830] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="5E") returned 2 [0146.830] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="16") returned 2 [0146.830] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="3A") returned 2 [0146.830] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="E3") returned 2 [0146.830] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="FC") returned 2 [0146.830] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="C7") returned 2 [0146.830] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="AD") returned 2 [0146.830] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="CD") returned 2 [0146.830] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="ED") returned 2 [0146.830] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="4E") returned 2 [0146.830] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="26") returned 2 [0146.838] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\A_KbH9euCoWB16sjFP.wav" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\A_KbH9euCoWB16sjFP.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\A_KbH9euCoWB16sjFP.wav" [0146.838] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\A_KbH9euCoWB16sjFP.wav" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\A_KbH9euCoWB16sjFP.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\A_KbH9euCoWB16sjFP.wav" [0146.838] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\A_KbH9euCoWB16sjFP.wav", lpString2=".B580898F1E180AA6B297F3129A6BDA4382FA9C060B5E163AE3FCC7ADCDED4E26" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\A_KbH9euCoWB16sjFP.wav.B580898F1E180AA6B297F3129A6BDA4382FA9C060B5E163AE3FCC7ADCDED4E26") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\A_KbH9euCoWB16sjFP.wav.B580898F1E180AA6B297F3129A6BDA4382FA9C060B5E163AE3FCC7ADCDED4E26" [0146.838] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0146.838] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0146.885] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb99845e0, ftCreationTime.dwHighDateTime=0x1d5e5c5, ftLastAccessTime.dwLowDateTime=0x9f932210, ftLastAccessTime.dwHighDateTime=0x1d5e218, ftLastWriteTime.dwLowDateTime=0x9f932210, ftLastWriteTime.dwHighDateTime=0x1d5e218, nFileSizeHigh=0x0, nFileSizeLow=0xd00f, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="b9jHjBWD.docx", cAlternateFileName="B9JHJB~1.DOC")) returned 1 [0146.885] lstrcmpiW (lpString1="b9jHjBWD.docx", lpString2="Windows") returned -1 [0146.885] lstrcmpiW (lpString1="b9jHjBWD.docx", lpString2="Program Files") returned -1 [0146.885] lstrcmpiW (lpString1="b9jHjBWD.docx", lpString2="Program Files (x86)") returned -1 [0146.885] lstrcmpiW (lpString1="b9jHjBWD.docx", lpString2="$Recycle.bin") returned 1 [0146.885] lstrcmpiW (lpString1="b9jHjBWD.docx", lpString2="System Volume Information") returned -1 [0146.885] lstrcmpiW (lpString1="b9jHjBWD.docx", lpString2=".") returned 1 [0146.885] lstrcmpiW (lpString1="b9jHjBWD.docx", lpString2="..") returned 1 [0146.886] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\b9jHjBWD.docx") returned 55 [0146.886] lstrcmpW (lpString1="b9jHjBWD.docx", lpString2="PUSSY.TXT") returned -1 [0146.886] PathFindExtensionW (pszPath="b9jHjBWD.docx") returned=".docx" [0146.886] lstrlenW (lpString=".docx") returned 5 [0146.886] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0146.886] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\b9jHjBWD.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\b9jhjbwd.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0146.887] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=53263) returned 1 [0146.887] GetProcessHeap () returned 0x4c0000 [0146.887] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0146.898] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="29") returned 2 [0146.898] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="87") returned 2 [0146.898] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="3B") returned 2 [0146.898] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="8C") returned 2 [0146.898] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="60") returned 2 [0146.898] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="83") returned 2 [0146.898] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="AB") returned 2 [0146.898] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="46") returned 2 [0146.898] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="67") returned 2 [0146.898] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="90") returned 2 [0146.898] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="6F") returned 2 [0146.898] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="4F") returned 2 [0146.898] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="3F") returned 2 [0146.898] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="27") returned 2 [0146.898] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="D6") returned 2 [0146.898] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="BD") returned 2 [0146.898] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="60") returned 2 [0146.898] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="4E") returned 2 [0146.899] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="B9") returned 2 [0146.899] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="CC") returned 2 [0146.899] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="47") returned 2 [0146.899] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="EF") returned 2 [0146.899] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="C6") returned 2 [0146.899] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="27") returned 2 [0146.899] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="B8") returned 2 [0146.899] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="D9") returned 2 [0146.899] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="66") returned 2 [0146.899] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="B5") returned 2 [0146.899] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="48") returned 2 [0146.899] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="C9") returned 2 [0146.899] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="AD") returned 2 [0146.899] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="69") returned 2 [0146.907] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\b9jHjBWD.docx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\b9jHjBWD.docx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\b9jHjBWD.docx" [0146.907] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\b9jHjBWD.docx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\b9jHjBWD.docx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\b9jHjBWD.docx" [0146.907] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\b9jHjBWD.docx", lpString2=".29873B8C6083AB4667906F4F3F27D6BD604EB9CC47EFC627B8D966B548C9AD69" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\b9jHjBWD.docx.29873B8C6083AB4667906F4F3F27D6BD604EB9CC47EFC627B8D966B548C9AD69") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\b9jHjBWD.docx.29873B8C6083AB4667906F4F3F27D6BD604EB9CC47EFC627B8D966B548C9AD69" [0146.907] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0146.908] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0146.991] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f72fa80, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0x8f72fa80, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0x79fcd100, ftLastWriteTime.dwHighDateTime=0x1d6b804, nFileSizeHigh=0x0, nFileSizeLow=0x78600, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="build.exe", cAlternateFileName="")) returned 1 [0146.991] lstrcmpiW (lpString1="build.exe", lpString2="Windows") returned -1 [0146.991] lstrcmpiW (lpString1="build.exe", lpString2="Program Files") returned -1 [0146.991] lstrcmpiW (lpString1="build.exe", lpString2="Program Files (x86)") returned -1 [0146.991] lstrcmpiW (lpString1="build.exe", lpString2="$Recycle.bin") returned 1 [0146.991] lstrcmpiW (lpString1="build.exe", lpString2="System Volume Information") returned -1 [0146.992] lstrcmpiW (lpString1="build.exe", lpString2=".") returned 1 [0146.992] lstrcmpiW (lpString1="build.exe", lpString2="..") returned 1 [0146.992] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\build.exe") returned 51 [0146.992] lstrcmpW (lpString1="build.exe", lpString2="PUSSY.TXT") returned -1 [0146.992] PathFindExtensionW (pszPath="build.exe") returned=".exe" [0146.992] lstrlenW (lpString=".exe") returned 4 [0146.992] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0146.992] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\build.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\build.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0146.992] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62564cd0, ftCreationTime.dwHighDateTime=0x1d5da41, ftLastAccessTime.dwLowDateTime=0x147ce3c0, ftLastAccessTime.dwHighDateTime=0x1d5e4aa, ftLastWriteTime.dwLowDateTime=0x147ce3c0, ftLastWriteTime.dwHighDateTime=0x1d5e4aa, nFileSizeHigh=0x0, nFileSizeLow=0xdef2, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="CLpT2zEHp.m4a", cAlternateFileName="CLPT2Z~1.M4A")) returned 1 [0146.992] lstrcmpiW (lpString1="CLpT2zEHp.m4a", lpString2="Windows") returned -1 [0146.992] lstrcmpiW (lpString1="CLpT2zEHp.m4a", lpString2="Program Files") returned -1 [0146.992] lstrcmpiW (lpString1="CLpT2zEHp.m4a", lpString2="Program Files (x86)") returned -1 [0146.992] lstrcmpiW (lpString1="CLpT2zEHp.m4a", lpString2="$Recycle.bin") returned 1 [0146.992] lstrcmpiW (lpString1="CLpT2zEHp.m4a", lpString2="System Volume Information") returned -1 [0146.992] lstrcmpiW (lpString1="CLpT2zEHp.m4a", lpString2=".") returned 1 [0146.992] lstrcmpiW (lpString1="CLpT2zEHp.m4a", lpString2="..") returned 1 [0146.993] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CLpT2zEHp.m4a") returned 55 [0146.993] lstrcmpW (lpString1="CLpT2zEHp.m4a", lpString2="PUSSY.TXT") returned -1 [0146.993] PathFindExtensionW (pszPath="CLpT2zEHp.m4a") returned=".m4a" [0146.993] lstrlenW (lpString=".m4a") returned 4 [0146.993] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0146.993] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CLpT2zEHp.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\clpt2zehp.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0146.994] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=57074) returned 1 [0146.994] GetProcessHeap () returned 0x4c0000 [0146.994] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0147.002] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="0C") returned 2 [0147.002] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="9F") returned 2 [0147.002] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="6D") returned 2 [0147.002] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="98") returned 2 [0147.002] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="10") returned 2 [0147.002] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="7A") returned 2 [0147.002] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="F4") returned 2 [0147.002] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="E2") returned 2 [0147.002] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="23") returned 2 [0147.002] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="D3") returned 2 [0147.002] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="66") returned 2 [0147.002] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="BD") returned 2 [0147.002] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="3F") returned 2 [0147.002] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="F6") returned 2 [0147.002] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="72") returned 2 [0147.002] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="13") returned 2 [0147.002] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="6E") returned 2 [0147.003] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="7A") returned 2 [0147.003] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="E8") returned 2 [0147.003] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="80") returned 2 [0147.003] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="25") returned 2 [0147.003] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="37") returned 2 [0147.003] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="00") returned 2 [0147.003] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="63") returned 2 [0147.003] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="EC") returned 2 [0147.003] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="D4") returned 2 [0147.003] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="DF") returned 2 [0147.003] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="E8") returned 2 [0147.003] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="49") returned 2 [0147.003] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="31") returned 2 [0147.003] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="0B") returned 2 [0147.003] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="14") returned 2 [0147.011] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CLpT2zEHp.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CLpT2zEHp.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CLpT2zEHp.m4a" [0147.011] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CLpT2zEHp.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CLpT2zEHp.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CLpT2zEHp.m4a" [0147.011] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CLpT2zEHp.m4a", lpString2=".0C9F6D98107AF4E223D366BD3FF672136E7AE88025370063ECD4DFE849310B14" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CLpT2zEHp.m4a.0C9F6D98107AF4E223D366BD3FF672136E7AE88025370063ECD4DFE849310B14") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CLpT2zEHp.m4a.0C9F6D98107AF4E223D366BD3FF672136E7AE88025370063ECD4DFE849310B14" [0147.011] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0147.011] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0147.044] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x63f894e0, ftCreationTime.dwHighDateTime=0x1d5da72, ftLastAccessTime.dwLowDateTime=0xd98e6ca0, ftLastAccessTime.dwHighDateTime=0x1d5e799, ftLastWriteTime.dwLowDateTime=0xd98e6ca0, ftLastWriteTime.dwHighDateTime=0x1d5e799, nFileSizeHigh=0x0, nFileSizeLow=0xee11, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="Cn5147j.flv", cAlternateFileName="")) returned 1 [0147.044] lstrcmpiW (lpString1="Cn5147j.flv", lpString2="Windows") returned -1 [0147.044] lstrcmpiW (lpString1="Cn5147j.flv", lpString2="Program Files") returned -1 [0147.044] lstrcmpiW (lpString1="Cn5147j.flv", lpString2="Program Files (x86)") returned -1 [0147.044] lstrcmpiW (lpString1="Cn5147j.flv", lpString2="$Recycle.bin") returned 1 [0147.044] lstrcmpiW (lpString1="Cn5147j.flv", lpString2="System Volume Information") returned -1 [0147.044] lstrcmpiW (lpString1="Cn5147j.flv", lpString2=".") returned 1 [0147.044] lstrcmpiW (lpString1="Cn5147j.flv", lpString2="..") returned 1 [0147.044] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Cn5147j.flv") returned 53 [0147.044] lstrcmpW (lpString1="Cn5147j.flv", lpString2="PUSSY.TXT") returned -1 [0147.044] PathFindExtensionW (pszPath="Cn5147j.flv") returned=".flv" [0147.044] lstrlenW (lpString=".flv") returned 4 [0147.044] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0147.044] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Cn5147j.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cn5147j.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0147.045] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=60945) returned 1 [0147.045] GetProcessHeap () returned 0x4c0000 [0147.045] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0147.053] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="60") returned 2 [0147.053] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="B5") returned 2 [0147.054] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="30") returned 2 [0147.054] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="F0") returned 2 [0147.054] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="F1") returned 2 [0147.054] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="92") returned 2 [0147.054] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="3D") returned 2 [0147.054] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="73") returned 2 [0147.054] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="83") returned 2 [0147.054] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="84") returned 2 [0147.054] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="4F") returned 2 [0147.054] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="D5") returned 2 [0147.054] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="B4") returned 2 [0147.054] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="EA") returned 2 [0147.054] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="F0") returned 2 [0147.054] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="1A") returned 2 [0147.054] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="42") returned 2 [0147.054] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="34") returned 2 [0147.054] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="B4") returned 2 [0147.054] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="C1") returned 2 [0147.054] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="52") returned 2 [0147.054] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="3C") returned 2 [0147.054] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="D5") returned 2 [0147.054] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="F3") returned 2 [0147.054] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="D3") returned 2 [0147.054] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="D2") returned 2 [0147.054] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="91") returned 2 [0147.054] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="E0") returned 2 [0147.054] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="3B") returned 2 [0147.054] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="0E") returned 2 [0147.054] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="74") returned 2 [0147.054] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="6F") returned 2 [0147.062] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Cn5147j.flv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Cn5147j.flv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Cn5147j.flv" [0147.062] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Cn5147j.flv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Cn5147j.flv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Cn5147j.flv" [0147.062] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Cn5147j.flv", lpString2=".60B530F0F1923D7383844FD5B4EAF01A4234B4C1523CD5F3D3D291E03B0E746F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Cn5147j.flv.60B530F0F1923D7383844FD5B4EAF01A4234B4C1523CD5F3D3D291E03B0E746F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Cn5147j.flv.60B530F0F1923D7383844FD5B4EAF01A4234B4C1523CD5F3D3D291E03B0E746F" [0147.062] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0147.062] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0147.094] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0147.094] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0147.094] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0147.094] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0147.094] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0147.094] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0147.094] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0147.094] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0147.094] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini") returned 53 [0147.094] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0147.095] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0147.095] lstrlenW (lpString=".ini") returned 4 [0147.095] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0147.095] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0147.095] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=282) returned 1 [0147.095] CloseHandle (hObject=0x19c) returned 1 [0147.095] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x342a7210, ftCreationTime.dwHighDateTime=0x1d5e729, ftLastAccessTime.dwLowDateTime=0x44533e00, ftLastAccessTime.dwHighDateTime=0x1d5e3a6, ftLastWriteTime.dwLowDateTime=0x44533e00, ftLastWriteTime.dwHighDateTime=0x1d5e3a6, nFileSizeHigh=0x0, nFileSizeLow=0x12e52, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="eo-jl0VAL04zBAHvgF8.ots", cAlternateFileName="EO-JL0~1.OTS")) returned 1 [0147.095] lstrcmpiW (lpString1="eo-jl0VAL04zBAHvgF8.ots", lpString2="Windows") returned -1 [0147.096] lstrcmpiW (lpString1="eo-jl0VAL04zBAHvgF8.ots", lpString2="Program Files") returned -1 [0147.096] lstrcmpiW (lpString1="eo-jl0VAL04zBAHvgF8.ots", lpString2="Program Files (x86)") returned -1 [0147.096] lstrcmpiW (lpString1="eo-jl0VAL04zBAHvgF8.ots", lpString2="$Recycle.bin") returned 1 [0147.096] lstrcmpiW (lpString1="eo-jl0VAL04zBAHvgF8.ots", lpString2="System Volume Information") returned -1 [0147.096] lstrcmpiW (lpString1="eo-jl0VAL04zBAHvgF8.ots", lpString2=".") returned 1 [0147.096] lstrcmpiW (lpString1="eo-jl0VAL04zBAHvgF8.ots", lpString2="..") returned 1 [0147.096] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\eo-jl0VAL04zBAHvgF8.ots") returned 65 [0147.096] lstrcmpW (lpString1="eo-jl0VAL04zBAHvgF8.ots", lpString2="PUSSY.TXT") returned -1 [0147.096] PathFindExtensionW (pszPath="eo-jl0VAL04zBAHvgF8.ots") returned=".ots" [0147.096] lstrlenW (lpString=".ots") returned 4 [0147.096] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0147.096] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\eo-jl0VAL04zBAHvgF8.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\eo-jl0val04zbahvgf8.ots"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0147.096] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=77394) returned 1 [0147.096] GetProcessHeap () returned 0x4c0000 [0147.097] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0147.106] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="54") returned 2 [0147.106] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="1B") returned 2 [0147.106] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="7B") returned 2 [0147.106] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="3C") returned 2 [0147.106] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="9B") returned 2 [0147.106] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="DB") returned 2 [0147.106] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="6D") returned 2 [0147.106] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="44") returned 2 [0147.106] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="10") returned 2 [0147.106] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="4B") returned 2 [0147.106] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="F0") returned 2 [0147.106] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="D5") returned 2 [0147.106] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="26") returned 2 [0147.106] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="40") returned 2 [0147.106] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="38") returned 2 [0147.106] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="04") returned 2 [0147.106] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="08") returned 2 [0147.106] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="9B") returned 2 [0147.106] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="27") returned 2 [0147.106] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="1B") returned 2 [0147.106] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="11") returned 2 [0147.106] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="59") returned 2 [0147.106] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="78") returned 2 [0147.106] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="42") returned 2 [0147.106] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="F1") returned 2 [0147.106] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="DF") returned 2 [0147.107] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="70") returned 2 [0147.107] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="67") returned 2 [0147.107] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="CE") returned 2 [0147.107] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="8B") returned 2 [0147.107] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="5E") returned 2 [0147.107] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="7B") returned 2 [0147.115] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\eo-jl0VAL04zBAHvgF8.ots" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\eo-jl0VAL04zBAHvgF8.ots") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\eo-jl0VAL04zBAHvgF8.ots" [0147.115] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\eo-jl0VAL04zBAHvgF8.ots" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\eo-jl0VAL04zBAHvgF8.ots") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\eo-jl0VAL04zBAHvgF8.ots" [0147.115] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\eo-jl0VAL04zBAHvgF8.ots", lpString2=".541B7B3C9BDB6D44104BF0D526403804089B271B11597842F1DF7067CE8B5E7B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\eo-jl0VAL04zBAHvgF8.ots.541B7B3C9BDB6D44104BF0D526403804089B271B11597842F1DF7067CE8B5E7B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\eo-jl0VAL04zBAHvgF8.ots.541B7B3C9BDB6D44104BF0D526403804089B271B11597842F1DF7067CE8B5E7B" [0147.115] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0147.115] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0147.147] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8c111b0, ftCreationTime.dwHighDateTime=0x1d5e045, ftLastAccessTime.dwLowDateTime=0x562c8d10, ftLastAccessTime.dwHighDateTime=0x1d5e1b8, ftLastWriteTime.dwLowDateTime=0x562c8d10, ftLastWriteTime.dwHighDateTime=0x1d5e1b8, nFileSizeHigh=0x0, nFileSizeLow=0x90fb, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="fpO9vJe.swf", cAlternateFileName="")) returned 1 [0147.147] lstrcmpiW (lpString1="fpO9vJe.swf", lpString2="Windows") returned -1 [0147.147] lstrcmpiW (lpString1="fpO9vJe.swf", lpString2="Program Files") returned -1 [0147.147] lstrcmpiW (lpString1="fpO9vJe.swf", lpString2="Program Files (x86)") returned -1 [0147.147] lstrcmpiW (lpString1="fpO9vJe.swf", lpString2="$Recycle.bin") returned 1 [0147.147] lstrcmpiW (lpString1="fpO9vJe.swf", lpString2="System Volume Information") returned -1 [0147.147] lstrcmpiW (lpString1="fpO9vJe.swf", lpString2=".") returned 1 [0147.147] lstrcmpiW (lpString1="fpO9vJe.swf", lpString2="..") returned 1 [0147.147] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fpO9vJe.swf") returned 53 [0147.147] lstrcmpW (lpString1="fpO9vJe.swf", lpString2="PUSSY.TXT") returned -1 [0147.147] PathFindExtensionW (pszPath="fpO9vJe.swf") returned=".swf" [0147.147] lstrlenW (lpString=".swf") returned 4 [0147.147] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0147.147] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fpO9vJe.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\fpo9vje.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0147.148] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=37115) returned 1 [0147.148] GetProcessHeap () returned 0x4c0000 [0147.148] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0147.157] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="A2") returned 2 [0147.157] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="B9") returned 2 [0147.157] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="6D") returned 2 [0147.157] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="86") returned 2 [0147.157] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="EA") returned 2 [0147.157] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="34") returned 2 [0147.157] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="68") returned 2 [0147.157] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="01") returned 2 [0147.157] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="5E") returned 2 [0147.157] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="50") returned 2 [0147.157] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="2B") returned 2 [0147.157] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="5D") returned 2 [0147.157] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="A0") returned 2 [0147.157] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="70") returned 2 [0147.157] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="2F") returned 2 [0147.157] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="C8") returned 2 [0147.157] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="0E") returned 2 [0147.157] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="10") returned 2 [0147.157] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="B9") returned 2 [0147.157] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="3C") returned 2 [0147.157] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="4B") returned 2 [0147.157] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="23") returned 2 [0147.157] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="6C") returned 2 [0147.157] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="6E") returned 2 [0147.158] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="2D") returned 2 [0147.158] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="D7") returned 2 [0147.158] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="44") returned 2 [0147.158] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="FD") returned 2 [0147.158] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="BC") returned 2 [0147.158] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="8B") returned 2 [0147.158] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="DC") returned 2 [0147.158] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="7E") returned 2 [0147.167] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fpO9vJe.swf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fpO9vJe.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fpO9vJe.swf" [0147.167] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fpO9vJe.swf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fpO9vJe.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fpO9vJe.swf" [0147.167] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fpO9vJe.swf", lpString2=".A2B96D86EA3468015E502B5DA0702FC80E10B93C4B236C6E2DD744FDBC8BDC7E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fpO9vJe.swf.A2B96D86EA3468015E502B5DA0702FC80E10B93C4B236C6E2DD744FDBC8BDC7E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fpO9vJe.swf.A2B96D86EA3468015E502B5DA0702FC80E10B93C4B236C6E2DD744FDBC8BDC7E" [0147.167] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0147.167] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0147.202] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2d9fda0, ftCreationTime.dwHighDateTime=0x1d5dc76, ftLastAccessTime.dwLowDateTime=0xa2f7c510, ftLastAccessTime.dwHighDateTime=0x1d5e7a3, ftLastWriteTime.dwLowDateTime=0xa2f7c510, ftLastWriteTime.dwHighDateTime=0x1d5e7a3, nFileSizeHigh=0x0, nFileSizeLow=0x7380, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="GqCMA7FMS.avi", cAlternateFileName="GQCMA7~1.AVI")) returned 1 [0147.202] lstrcmpiW (lpString1="GqCMA7FMS.avi", lpString2="Windows") returned -1 [0147.202] lstrcmpiW (lpString1="GqCMA7FMS.avi", lpString2="Program Files") returned -1 [0147.202] lstrcmpiW (lpString1="GqCMA7FMS.avi", lpString2="Program Files (x86)") returned -1 [0147.202] lstrcmpiW (lpString1="GqCMA7FMS.avi", lpString2="$Recycle.bin") returned 1 [0147.203] lstrcmpiW (lpString1="GqCMA7FMS.avi", lpString2="System Volume Information") returned -1 [0147.203] lstrcmpiW (lpString1="GqCMA7FMS.avi", lpString2=".") returned 1 [0147.203] lstrcmpiW (lpString1="GqCMA7FMS.avi", lpString2="..") returned 1 [0147.203] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GqCMA7FMS.avi") returned 55 [0147.203] lstrcmpW (lpString1="GqCMA7FMS.avi", lpString2="PUSSY.TXT") returned -1 [0147.203] PathFindExtensionW (pszPath="GqCMA7FMS.avi") returned=".avi" [0147.203] lstrlenW (lpString=".avi") returned 4 [0147.203] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0147.203] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GqCMA7FMS.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\gqcma7fms.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0147.204] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=29568) returned 1 [0147.204] GetProcessHeap () returned 0x4c0000 [0147.204] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0147.212] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="9A") returned 2 [0147.212] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="89") returned 2 [0147.212] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="06") returned 2 [0147.212] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="06") returned 2 [0147.212] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="07") returned 2 [0147.212] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="DA") returned 2 [0147.212] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="2A") returned 2 [0147.212] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="8B") returned 2 [0147.212] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="23") returned 2 [0147.212] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="BB") returned 2 [0147.213] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="AC") returned 2 [0147.213] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="15") returned 2 [0147.213] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="3D") returned 2 [0147.213] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="27") returned 2 [0147.213] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="74") returned 2 [0147.213] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="F4") returned 2 [0147.213] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="09") returned 2 [0147.213] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="56") returned 2 [0147.213] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="84") returned 2 [0147.213] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="51") returned 2 [0147.213] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="15") returned 2 [0147.213] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="4C") returned 2 [0147.213] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="BF") returned 2 [0147.213] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="00") returned 2 [0147.213] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="5B") returned 2 [0147.213] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="F9") returned 2 [0147.213] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="74") returned 2 [0147.213] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="14") returned 2 [0147.213] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="74") returned 2 [0147.213] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="0E") returned 2 [0147.213] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="40") returned 2 [0147.213] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="00") returned 2 [0147.222] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GqCMA7FMS.avi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GqCMA7FMS.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GqCMA7FMS.avi" [0147.222] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GqCMA7FMS.avi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GqCMA7FMS.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GqCMA7FMS.avi" [0147.222] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GqCMA7FMS.avi", lpString2=".9A89060607DA2A8B23BBAC153D2774F409568451154CBF005BF97414740E4000" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GqCMA7FMS.avi.9A89060607DA2A8B23BBAC153D2774F409568451154CBF005BF97414740E4000") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GqCMA7FMS.avi.9A89060607DA2A8B23BBAC153D2774F409568451154CBF005BF97414740E4000" [0147.222] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0147.222] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0147.295] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x65efc630, ftCreationTime.dwHighDateTime=0x1d5e4d4, ftLastAccessTime.dwLowDateTime=0x95307c10, ftLastAccessTime.dwHighDateTime=0x1d5d7db, ftLastWriteTime.dwLowDateTime=0x95307c10, ftLastWriteTime.dwHighDateTime=0x1d5d7db, nFileSizeHigh=0x0, nFileSizeLow=0x110cf, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="hg9V R.xlsx", cAlternateFileName="HG9VR~1.XLS")) returned 1 [0147.295] lstrcmpiW (lpString1="hg9V R.xlsx", lpString2="Windows") returned -1 [0147.295] lstrcmpiW (lpString1="hg9V R.xlsx", lpString2="Program Files") returned -1 [0147.295] lstrcmpiW (lpString1="hg9V R.xlsx", lpString2="Program Files (x86)") returned -1 [0147.295] lstrcmpiW (lpString1="hg9V R.xlsx", lpString2="$Recycle.bin") returned 1 [0147.295] lstrcmpiW (lpString1="hg9V R.xlsx", lpString2="System Volume Information") returned -1 [0147.295] lstrcmpiW (lpString1="hg9V R.xlsx", lpString2=".") returned 1 [0147.295] lstrcmpiW (lpString1="hg9V R.xlsx", lpString2="..") returned 1 [0147.295] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hg9V R.xlsx") returned 53 [0147.295] lstrcmpW (lpString1="hg9V R.xlsx", lpString2="PUSSY.TXT") returned -1 [0147.295] PathFindExtensionW (pszPath="hg9V R.xlsx") returned=".xlsx" [0147.295] lstrlenW (lpString=".xlsx") returned 5 [0147.295] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0147.295] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hg9V R.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\hg9v r.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0147.296] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=69839) returned 1 [0147.296] GetProcessHeap () returned 0x4c0000 [0147.296] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0147.305] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="F9") returned 2 [0147.305] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="29") returned 2 [0147.305] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="BD") returned 2 [0147.305] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="FB") returned 2 [0147.305] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="85") returned 2 [0147.305] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="AA") returned 2 [0147.305] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="F7") returned 2 [0147.305] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="08") returned 2 [0147.305] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="17") returned 2 [0147.305] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="E5") returned 2 [0147.305] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="D5") returned 2 [0147.305] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="12") returned 2 [0147.305] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="27") returned 2 [0147.305] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="17") returned 2 [0147.305] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="E3") returned 2 [0147.305] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="EC") returned 2 [0147.305] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="E3") returned 2 [0147.305] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="A6") returned 2 [0147.305] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="9E") returned 2 [0147.305] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="2F") returned 2 [0147.305] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="9B") returned 2 [0147.305] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="AF") returned 2 [0147.306] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="C6") returned 2 [0147.306] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="F6") returned 2 [0147.306] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="7C") returned 2 [0147.306] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="9C") returned 2 [0147.306] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="7E") returned 2 [0147.306] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="BC") returned 2 [0147.306] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="FB") returned 2 [0147.306] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="27") returned 2 [0147.306] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="6C") returned 2 [0147.306] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="3E") returned 2 [0147.315] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hg9V R.xlsx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hg9V R.xlsx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hg9V R.xlsx" [0147.315] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hg9V R.xlsx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hg9V R.xlsx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hg9V R.xlsx" [0147.315] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hg9V R.xlsx", lpString2=".F929BDFB85AAF70817E5D5122717E3ECE3A69E2F9BAFC6F67C9C7EBCFB276C3E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hg9V R.xlsx.F929BDFB85AAF70817E5D5122717E3ECE3A69E2F9BAFC6F67C9C7EBCFB276C3E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hg9V R.xlsx.F929BDFB85AAF70817E5D5122717E3ECE3A69E2F9BAFC6F67C9C7EBCFB276C3E" [0147.315] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0147.315] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0147.348] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x783f5e40, ftCreationTime.dwHighDateTime=0x1d5de26, ftLastAccessTime.dwLowDateTime=0x10926e30, ftLastAccessTime.dwHighDateTime=0x1d5d9a9, ftLastWriteTime.dwLowDateTime=0x10926e30, ftLastWriteTime.dwHighDateTime=0x1d5d9a9, nFileSizeHigh=0x0, nFileSizeLow=0x143ae, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="JjSSrqnbwtn 7n.csv", cAlternateFileName="JJSSRQ~1.CSV")) returned 1 [0147.348] lstrcmpiW (lpString1="JjSSrqnbwtn 7n.csv", lpString2="Windows") returned -1 [0147.348] lstrcmpiW (lpString1="JjSSrqnbwtn 7n.csv", lpString2="Program Files") returned -1 [0147.348] lstrcmpiW (lpString1="JjSSrqnbwtn 7n.csv", lpString2="Program Files (x86)") returned -1 [0147.349] lstrcmpiW (lpString1="JjSSrqnbwtn 7n.csv", lpString2="$Recycle.bin") returned 1 [0147.349] lstrcmpiW (lpString1="JjSSrqnbwtn 7n.csv", lpString2="System Volume Information") returned -1 [0147.349] lstrcmpiW (lpString1="JjSSrqnbwtn 7n.csv", lpString2=".") returned 1 [0147.349] lstrcmpiW (lpString1="JjSSrqnbwtn 7n.csv", lpString2="..") returned 1 [0147.349] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\JjSSrqnbwtn 7n.csv") returned 60 [0147.349] lstrcmpW (lpString1="JjSSrqnbwtn 7n.csv", lpString2="PUSSY.TXT") returned -1 [0147.349] PathFindExtensionW (pszPath="JjSSrqnbwtn 7n.csv") returned=".csv" [0147.349] lstrlenW (lpString=".csv") returned 4 [0147.349] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0147.349] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\JjSSrqnbwtn 7n.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\jjssrqnbwtn 7n.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0147.350] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=82862) returned 1 [0147.350] GetProcessHeap () returned 0x4c0000 [0147.350] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0147.363] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="7F") returned 2 [0147.363] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="F4") returned 2 [0147.363] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="B6") returned 2 [0147.363] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="95") returned 2 [0147.363] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="D0") returned 2 [0147.363] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="3D") returned 2 [0147.363] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="00") returned 2 [0147.363] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="AF") returned 2 [0147.363] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="4E") returned 2 [0147.363] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="5A") returned 2 [0147.363] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="4C") returned 2 [0147.363] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="70") returned 2 [0147.363] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="F5") returned 2 [0147.363] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="20") returned 2 [0147.363] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="3F") returned 2 [0147.363] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="C7") returned 2 [0147.363] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="7B") returned 2 [0147.363] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="1B") returned 2 [0147.364] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="C9") returned 2 [0147.364] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="C9") returned 2 [0147.364] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="A6") returned 2 [0147.364] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="CF") returned 2 [0147.364] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="34") returned 2 [0147.364] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="A3") returned 2 [0147.364] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="72") returned 2 [0147.364] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="E4") returned 2 [0147.364] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="BE") returned 2 [0147.364] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="60") returned 2 [0147.364] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="4A") returned 2 [0147.364] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="B2") returned 2 [0147.364] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="77") returned 2 [0147.364] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="66") returned 2 [0147.375] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\JjSSrqnbwtn 7n.csv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\JjSSrqnbwtn 7n.csv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\JjSSrqnbwtn 7n.csv" [0147.375] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\JjSSrqnbwtn 7n.csv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\JjSSrqnbwtn 7n.csv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\JjSSrqnbwtn 7n.csv" [0147.375] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\JjSSrqnbwtn 7n.csv", lpString2=".7FF4B695D03D00AF4E5A4C70F5203FC77B1BC9C9A6CF34A372E4BE604AB27766" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\JjSSrqnbwtn 7n.csv.7FF4B695D03D00AF4E5A4C70F5203FC77B1BC9C9A6CF34A372E4BE604AB27766") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\JjSSrqnbwtn 7n.csv.7FF4B695D03D00AF4E5A4C70F5203FC77B1BC9C9A6CF34A372E4BE604AB27766" [0147.375] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0147.376] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0147.410] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabb836c0, ftCreationTime.dwHighDateTime=0x1d5e53d, ftLastAccessTime.dwLowDateTime=0x60b8fe10, ftLastAccessTime.dwHighDateTime=0x1d5da21, ftLastWriteTime.dwLowDateTime=0x60b8fe10, ftLastWriteTime.dwHighDateTime=0x1d5da21, nFileSizeHigh=0x0, nFileSizeLow=0x4df7, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="JQBip1QT0RH K9qcKPU.mkv", cAlternateFileName="JQBIP1~1.MKV")) returned 1 [0147.410] lstrcmpiW (lpString1="JQBip1QT0RH K9qcKPU.mkv", lpString2="Windows") returned -1 [0147.410] lstrcmpiW (lpString1="JQBip1QT0RH K9qcKPU.mkv", lpString2="Program Files") returned -1 [0147.410] lstrcmpiW (lpString1="JQBip1QT0RH K9qcKPU.mkv", lpString2="Program Files (x86)") returned -1 [0147.410] lstrcmpiW (lpString1="JQBip1QT0RH K9qcKPU.mkv", lpString2="$Recycle.bin") returned 1 [0147.410] lstrcmpiW (lpString1="JQBip1QT0RH K9qcKPU.mkv", lpString2="System Volume Information") returned -1 [0147.410] lstrcmpiW (lpString1="JQBip1QT0RH K9qcKPU.mkv", lpString2=".") returned 1 [0147.410] lstrcmpiW (lpString1="JQBip1QT0RH K9qcKPU.mkv", lpString2="..") returned 1 [0147.410] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\JQBip1QT0RH K9qcKPU.mkv") returned 65 [0147.410] lstrcmpW (lpString1="JQBip1QT0RH K9qcKPU.mkv", lpString2="PUSSY.TXT") returned -1 [0147.410] PathFindExtensionW (pszPath="JQBip1QT0RH K9qcKPU.mkv") returned=".mkv" [0147.410] lstrlenW (lpString=".mkv") returned 4 [0147.410] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0147.411] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\JQBip1QT0RH K9qcKPU.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\jqbip1qt0rh k9qckpu.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0147.412] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=19959) returned 1 [0147.412] GetProcessHeap () returned 0x4c0000 [0147.412] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0147.420] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="1D") returned 2 [0147.420] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="A3") returned 2 [0147.420] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="DE") returned 2 [0147.420] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="CF") returned 2 [0147.420] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="D2") returned 2 [0147.420] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="1A") returned 2 [0147.420] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="4A") returned 2 [0147.420] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="FC") returned 2 [0147.420] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="D2") returned 2 [0147.420] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="49") returned 2 [0147.420] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="2C") returned 2 [0147.420] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="43") returned 2 [0147.420] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="58") returned 2 [0147.420] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="02") returned 2 [0147.420] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="09") returned 2 [0147.420] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="9B") returned 2 [0147.420] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="C8") returned 2 [0147.420] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="1B") returned 2 [0147.420] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="EC") returned 2 [0147.420] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="9E") returned 2 [0147.420] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="D7") returned 2 [0147.420] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="0B") returned 2 [0147.421] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="45") returned 2 [0147.421] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="5A") returned 2 [0147.421] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="33") returned 2 [0147.421] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="F3") returned 2 [0147.421] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="78") returned 2 [0147.421] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="D3") returned 2 [0147.421] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="8E") returned 2 [0147.421] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="0F") returned 2 [0147.421] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="22") returned 2 [0147.421] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="33") returned 2 [0147.430] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\JQBip1QT0RH K9qcKPU.mkv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\JQBip1QT0RH K9qcKPU.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\JQBip1QT0RH K9qcKPU.mkv" [0147.431] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\JQBip1QT0RH K9qcKPU.mkv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\JQBip1QT0RH K9qcKPU.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\JQBip1QT0RH K9qcKPU.mkv" [0147.431] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\JQBip1QT0RH K9qcKPU.mkv", lpString2=".1DA3DECFD21A4AFCD2492C435802099BC81BEC9ED70B455A33F378D38E0F2233" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\JQBip1QT0RH K9qcKPU.mkv.1DA3DECFD21A4AFCD2492C435802099BC81BEC9ED70B455A33F378D38E0F2233") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\JQBip1QT0RH K9qcKPU.mkv.1DA3DECFD21A4AFCD2492C435802099BC81BEC9ED70B455A33F378D38E0F2233" [0147.431] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0147.431] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0147.456] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3ae0480, ftCreationTime.dwHighDateTime=0x1d5e4dd, ftLastAccessTime.dwLowDateTime=0xad224e40, ftLastAccessTime.dwHighDateTime=0x1d5e080, ftLastWriteTime.dwLowDateTime=0xad224e40, ftLastWriteTime.dwHighDateTime=0x1d5e080, nFileSizeHigh=0x0, nFileSizeLow=0xe1a2, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="jxhq0Xrk.avi", cAlternateFileName="")) returned 1 [0147.456] lstrcmpiW (lpString1="jxhq0Xrk.avi", lpString2="Windows") returned -1 [0147.456] lstrcmpiW (lpString1="jxhq0Xrk.avi", lpString2="Program Files") returned -1 [0147.456] lstrcmpiW (lpString1="jxhq0Xrk.avi", lpString2="Program Files (x86)") returned -1 [0147.456] lstrcmpiW (lpString1="jxhq0Xrk.avi", lpString2="$Recycle.bin") returned 1 [0147.456] lstrcmpiW (lpString1="jxhq0Xrk.avi", lpString2="System Volume Information") returned -1 [0147.456] lstrcmpiW (lpString1="jxhq0Xrk.avi", lpString2=".") returned 1 [0147.456] lstrcmpiW (lpString1="jxhq0Xrk.avi", lpString2="..") returned 1 [0147.456] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jxhq0Xrk.avi") returned 54 [0147.456] lstrcmpW (lpString1="jxhq0Xrk.avi", lpString2="PUSSY.TXT") returned -1 [0147.456] PathFindExtensionW (pszPath="jxhq0Xrk.avi") returned=".avi" [0147.456] lstrlenW (lpString=".avi") returned 4 [0147.456] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0147.456] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jxhq0Xrk.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\jxhq0xrk.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0147.457] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=57762) returned 1 [0147.457] GetProcessHeap () returned 0x4c0000 [0147.457] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0147.466] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="DD") returned 2 [0147.466] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="CC") returned 2 [0147.466] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="31") returned 2 [0147.466] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="D6") returned 2 [0147.466] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="5C") returned 2 [0147.466] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="56") returned 2 [0147.466] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="84") returned 2 [0147.466] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="38") returned 2 [0147.467] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="6C") returned 2 [0147.467] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="B4") returned 2 [0147.467] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="D7") returned 2 [0147.467] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="82") returned 2 [0147.467] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="BB") returned 2 [0147.467] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="20") returned 2 [0147.467] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="78") returned 2 [0147.467] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="8C") returned 2 [0147.467] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="EA") returned 2 [0147.467] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="21") returned 2 [0147.467] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="C9") returned 2 [0147.467] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="9D") returned 2 [0147.467] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="EE") returned 2 [0147.467] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="38") returned 2 [0147.467] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="5F") returned 2 [0147.467] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="79") returned 2 [0147.467] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="B4") returned 2 [0147.467] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="1E") returned 2 [0147.467] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="E1") returned 2 [0147.467] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="5A") returned 2 [0147.467] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="4D") returned 2 [0147.467] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="E3") returned 2 [0147.467] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="73") returned 2 [0147.467] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="29") returned 2 [0147.477] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jxhq0Xrk.avi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jxhq0Xrk.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jxhq0Xrk.avi" [0147.477] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jxhq0Xrk.avi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jxhq0Xrk.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jxhq0Xrk.avi" [0147.477] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jxhq0Xrk.avi", lpString2=".DDCC31D65C5684386CB4D782BB20788CEA21C99DEE385F79B41EE15A4DE37329" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jxhq0Xrk.avi.DDCC31D65C5684386CB4D782BB20788CEA21C99DEE385F79B41EE15A4DE37329") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jxhq0Xrk.avi.DDCC31D65C5684386CB4D782BB20788CEA21C99DEE385F79B41EE15A4DE37329" [0147.477] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0147.477] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0147.506] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61765760, ftCreationTime.dwHighDateTime=0x1d5dae1, ftLastAccessTime.dwLowDateTime=0x553ff5a0, ftLastAccessTime.dwHighDateTime=0x1d5d861, ftLastWriteTime.dwLowDateTime=0x553ff5a0, ftLastWriteTime.dwHighDateTime=0x1d5d861, nFileSizeHigh=0x0, nFileSizeLow=0xf418, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="Jz6ANkacGhqE6CkEu.png", cAlternateFileName="JZ6ANK~1.PNG")) returned 1 [0147.506] lstrcmpiW (lpString1="Jz6ANkacGhqE6CkEu.png", lpString2="Windows") returned -1 [0147.506] lstrcmpiW (lpString1="Jz6ANkacGhqE6CkEu.png", lpString2="Program Files") returned -1 [0147.506] lstrcmpiW (lpString1="Jz6ANkacGhqE6CkEu.png", lpString2="Program Files (x86)") returned -1 [0147.506] lstrcmpiW (lpString1="Jz6ANkacGhqE6CkEu.png", lpString2="$Recycle.bin") returned 1 [0147.506] lstrcmpiW (lpString1="Jz6ANkacGhqE6CkEu.png", lpString2="System Volume Information") returned -1 [0147.506] lstrcmpiW (lpString1="Jz6ANkacGhqE6CkEu.png", lpString2=".") returned 1 [0147.506] lstrcmpiW (lpString1="Jz6ANkacGhqE6CkEu.png", lpString2="..") returned 1 [0147.510] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Jz6ANkacGhqE6CkEu.png") returned 63 [0147.510] lstrcmpW (lpString1="Jz6ANkacGhqE6CkEu.png", lpString2="PUSSY.TXT") returned -1 [0147.510] PathFindExtensionW (pszPath="Jz6ANkacGhqE6CkEu.png") returned=".png" [0147.510] lstrlenW (lpString=".png") returned 4 [0147.510] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0147.510] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Jz6ANkacGhqE6CkEu.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\jz6ankacghqe6ckeu.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0147.511] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=62488) returned 1 [0147.511] GetProcessHeap () returned 0x4c0000 [0147.511] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0147.521] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="6B") returned 2 [0147.521] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="C3") returned 2 [0147.521] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="52") returned 2 [0147.521] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="C1") returned 2 [0147.521] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="7A") returned 2 [0147.521] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="D0") returned 2 [0147.521] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="BA") returned 2 [0147.521] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="49") returned 2 [0147.521] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="D5") returned 2 [0147.521] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="C6") returned 2 [0147.521] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="DF") returned 2 [0147.521] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="17") returned 2 [0147.521] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="5C") returned 2 [0147.521] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="F1") returned 2 [0147.521] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="F4") returned 2 [0147.521] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="48") returned 2 [0147.521] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="AB") returned 2 [0147.521] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="25") returned 2 [0147.521] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="04") returned 2 [0147.521] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="2D") returned 2 [0147.521] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="EF") returned 2 [0147.521] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="EE") returned 2 [0147.521] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="A8") returned 2 [0147.521] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="41") returned 2 [0147.521] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="B6") returned 2 [0147.522] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="B7") returned 2 [0147.522] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="35") returned 2 [0147.522] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="0B") returned 2 [0147.522] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="CE") returned 2 [0147.522] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="9E") returned 2 [0147.522] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="5B") returned 2 [0147.522] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="0F") returned 2 [0147.611] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Jz6ANkacGhqE6CkEu.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Jz6ANkacGhqE6CkEu.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Jz6ANkacGhqE6CkEu.png" [0147.611] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Jz6ANkacGhqE6CkEu.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Jz6ANkacGhqE6CkEu.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Jz6ANkacGhqE6CkEu.png" [0147.611] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Jz6ANkacGhqE6CkEu.png", lpString2=".6BC352C17AD0BA49D5C6DF175CF1F448AB25042DEFEEA841B6B7350BCE9E5B0F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Jz6ANkacGhqE6CkEu.png.6BC352C17AD0BA49D5C6DF175CF1F448AB25042DEFEEA841B6B7350BCE9E5B0F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Jz6ANkacGhqE6CkEu.png.6BC352C17AD0BA49D5C6DF175CF1F448AB25042DEFEEA841B6B7350BCE9E5B0F" [0147.611] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0147.612] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0147.652] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4a474580, ftCreationTime.dwHighDateTime=0x1d5e5af, ftLastAccessTime.dwLowDateTime=0xd9e56a60, ftLastAccessTime.dwHighDateTime=0x1d5d9b0, ftLastWriteTime.dwLowDateTime=0xd9e56a60, ftLastWriteTime.dwHighDateTime=0x1d5d9b0, nFileSizeHigh=0x0, nFileSizeLow=0x18c55, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="MYxG7te.csv", cAlternateFileName="")) returned 1 [0147.652] lstrcmpiW (lpString1="MYxG7te.csv", lpString2="Windows") returned -1 [0147.652] lstrcmpiW (lpString1="MYxG7te.csv", lpString2="Program Files") returned -1 [0147.652] lstrcmpiW (lpString1="MYxG7te.csv", lpString2="Program Files (x86)") returned -1 [0147.653] lstrcmpiW (lpString1="MYxG7te.csv", lpString2="$Recycle.bin") returned 1 [0147.653] lstrcmpiW (lpString1="MYxG7te.csv", lpString2="System Volume Information") returned -1 [0147.653] lstrcmpiW (lpString1="MYxG7te.csv", lpString2=".") returned 1 [0147.653] lstrcmpiW (lpString1="MYxG7te.csv", lpString2="..") returned 1 [0147.653] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MYxG7te.csv") returned 53 [0147.653] lstrcmpW (lpString1="MYxG7te.csv", lpString2="PUSSY.TXT") returned -1 [0147.653] PathFindExtensionW (pszPath="MYxG7te.csv") returned=".csv" [0147.653] lstrlenW (lpString=".csv") returned 4 [0147.653] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0147.653] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MYxG7te.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\myxg7te.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0147.654] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=101461) returned 1 [0147.654] GetProcessHeap () returned 0x4c0000 [0147.654] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0147.664] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="09") returned 2 [0147.664] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="EC") returned 2 [0147.664] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="DA") returned 2 [0147.664] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="D4") returned 2 [0147.664] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="97") returned 2 [0147.664] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="1D") returned 2 [0147.664] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="6B") returned 2 [0147.664] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="A6") returned 2 [0147.664] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="27") returned 2 [0147.664] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="CA") returned 2 [0147.664] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="EA") returned 2 [0147.664] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="64") returned 2 [0147.664] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="A7") returned 2 [0147.664] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="EF") returned 2 [0147.664] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="68") returned 2 [0147.664] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="FD") returned 2 [0147.665] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="0D") returned 2 [0147.665] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="E8") returned 2 [0147.665] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="E6") returned 2 [0147.665] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="56") returned 2 [0147.665] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="2E") returned 2 [0147.665] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="AA") returned 2 [0147.665] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="4B") returned 2 [0147.665] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="C3") returned 2 [0147.665] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="98") returned 2 [0147.665] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="12") returned 2 [0147.665] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="DC") returned 2 [0147.665] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="1C") returned 2 [0147.665] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="07") returned 2 [0147.665] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="15") returned 2 [0147.665] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="73") returned 2 [0147.665] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="59") returned 2 [0147.674] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MYxG7te.csv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MYxG7te.csv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MYxG7te.csv" [0147.674] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MYxG7te.csv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MYxG7te.csv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MYxG7te.csv" [0147.674] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MYxG7te.csv", lpString2=".09ECDAD4971D6BA627CAEA64A7EF68FD0DE8E6562EAA4BC39812DC1C07157359" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MYxG7te.csv.09ECDAD4971D6BA627CAEA64A7EF68FD0DE8E6562EAA4BC39812DC1C07157359") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MYxG7te.csv.09ECDAD4971D6BA627CAEA64A7EF68FD0DE8E6562EAA4BC39812DC1C07157359" [0147.674] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0147.674] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0147.708] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x890d0910, ftCreationTime.dwHighDateTime=0x1d5e16f, ftLastAccessTime.dwLowDateTime=0x780b7100, ftLastAccessTime.dwHighDateTime=0x1d5dc39, ftLastWriteTime.dwLowDateTime=0x780b7100, ftLastWriteTime.dwHighDateTime=0x1d5dc39, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="NxdzY2", cAlternateFileName="")) returned 1 [0147.708] lstrcmpiW (lpString1="NxdzY2", lpString2="Windows") returned -1 [0147.708] lstrcmpiW (lpString1="NxdzY2", lpString2="Program Files") returned -1 [0147.708] lstrcmpiW (lpString1="NxdzY2", lpString2="Program Files (x86)") returned -1 [0147.708] lstrcmpiW (lpString1="NxdzY2", lpString2="$Recycle.bin") returned 1 [0147.708] lstrcmpiW (lpString1="NxdzY2", lpString2="System Volume Information") returned -1 [0147.709] lstrcmpiW (lpString1="NxdzY2", lpString2=".") returned 1 [0147.709] lstrcmpiW (lpString1="NxdzY2", lpString2="..") returned 1 [0147.709] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2") returned 48 [0147.709] GetProcessHeap () returned 0x4c0000 [0147.709] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0147.709] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2" [0147.709] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\*" [0147.710] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x890d0910, ftCreationTime.dwHighDateTime=0x1d5e16f, ftLastAccessTime.dwLowDateTime=0x780b7100, ftLastAccessTime.dwHighDateTime=0x1d5dc39, ftLastWriteTime.dwLowDateTime=0x780b7100, ftLastWriteTime.dwHighDateTime=0x1d5dc39, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0147.710] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0147.710] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0147.710] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0147.710] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0147.710] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0147.710] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0147.710] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x890d0910, ftCreationTime.dwHighDateTime=0x1d5e16f, ftLastAccessTime.dwLowDateTime=0x780b7100, ftLastAccessTime.dwHighDateTime=0x1d5dc39, ftLastWriteTime.dwLowDateTime=0x780b7100, ftLastWriteTime.dwHighDateTime=0x1d5dc39, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0147.710] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0147.710] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0147.710] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0147.710] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0147.710] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0147.710] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0147.710] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0147.710] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34d0f060, ftCreationTime.dwHighDateTime=0x1d5e2f9, ftLastAccessTime.dwLowDateTime=0x15dc5740, ftLastAccessTime.dwHighDateTime=0x1d5e23a, ftLastWriteTime.dwLowDateTime=0x15dc5740, ftLastWriteTime.dwHighDateTime=0x1d5e23a, nFileSizeHigh=0x0, nFileSizeLow=0xd134, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="7AQSxvG8ewCZZCEY.mkv", cAlternateFileName="7AQSXV~1.MKV")) returned 1 [0147.710] lstrcmpiW (lpString1="7AQSxvG8ewCZZCEY.mkv", lpString2="Windows") returned -1 [0147.710] lstrcmpiW (lpString1="7AQSxvG8ewCZZCEY.mkv", lpString2="Program Files") returned -1 [0147.710] lstrcmpiW (lpString1="7AQSxvG8ewCZZCEY.mkv", lpString2="Program Files (x86)") returned -1 [0147.710] lstrcmpiW (lpString1="7AQSxvG8ewCZZCEY.mkv", lpString2="$Recycle.bin") returned 1 [0147.710] lstrcmpiW (lpString1="7AQSxvG8ewCZZCEY.mkv", lpString2="System Volume Information") returned -1 [0147.710] lstrcmpiW (lpString1="7AQSxvG8ewCZZCEY.mkv", lpString2=".") returned 1 [0147.710] lstrcmpiW (lpString1="7AQSxvG8ewCZZCEY.mkv", lpString2="..") returned 1 [0147.710] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\7AQSxvG8ewCZZCEY.mkv") returned 69 [0147.711] lstrcmpW (lpString1="7AQSxvG8ewCZZCEY.mkv", lpString2="PUSSY.TXT") returned -1 [0147.711] PathFindExtensionW (pszPath="7AQSxvG8ewCZZCEY.mkv") returned=".mkv" [0147.711] lstrlenW (lpString=".mkv") returned 4 [0147.711] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0147.711] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\7AQSxvG8ewCZZCEY.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\nxdzy2\\7aqsxvg8ewczzcey.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0147.712] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=53556) returned 1 [0147.712] GetProcessHeap () returned 0x4c0000 [0147.712] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0147.723] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="F8") returned 2 [0147.723] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="7C") returned 2 [0147.723] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="61") returned 2 [0147.723] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="5F") returned 2 [0147.723] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="B1") returned 2 [0147.723] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="2D") returned 2 [0147.723] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="41") returned 2 [0147.723] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="95") returned 2 [0147.723] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="E5") returned 2 [0147.723] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="DA") returned 2 [0147.723] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="C0") returned 2 [0147.723] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="5D") returned 2 [0147.723] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="27") returned 2 [0147.723] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="15") returned 2 [0147.723] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="07") returned 2 [0147.723] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="4F") returned 2 [0147.723] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="BC") returned 2 [0147.724] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="AA") returned 2 [0147.724] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="E7") returned 2 [0147.724] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="ED") returned 2 [0147.724] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="7A") returned 2 [0147.724] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="8E") returned 2 [0147.724] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="8C") returned 2 [0147.724] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="DA") returned 2 [0147.724] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="24") returned 2 [0147.724] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="42") returned 2 [0147.724] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="46") returned 2 [0147.724] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="A9") returned 2 [0147.724] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="D9") returned 2 [0147.724] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="F9") returned 2 [0147.724] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="4C") returned 2 [0147.724] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="4B") returned 2 [0147.733] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\7AQSxvG8ewCZZCEY.mkv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\7AQSxvG8ewCZZCEY.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\7AQSxvG8ewCZZCEY.mkv" [0147.733] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\7AQSxvG8ewCZZCEY.mkv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\7AQSxvG8ewCZZCEY.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\7AQSxvG8ewCZZCEY.mkv" [0147.733] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\7AQSxvG8ewCZZCEY.mkv", lpString2=".F87C615FB12D4195E5DAC05D2715074FBCAAE7ED7A8E8CDA244246A9D9F94C4B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\7AQSxvG8ewCZZCEY.mkv.F87C615FB12D4195E5DAC05D2715074FBCAAE7ED7A8E8CDA244246A9D9F94C4B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\7AQSxvG8ewCZZCEY.mkv.F87C615FB12D4195E5DAC05D2715074FBCAAE7ED7A8E8CDA244246A9D9F94C4B" [0147.733] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0147.733] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0147.767] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b4d6950, ftCreationTime.dwHighDateTime=0x1d5e090, ftLastAccessTime.dwLowDateTime=0x26c1a490, ftLastAccessTime.dwHighDateTime=0x1d5e0a8, ftLastWriteTime.dwLowDateTime=0x26c1a490, ftLastWriteTime.dwHighDateTime=0x1d5e0a8, nFileSizeHigh=0x0, nFileSizeLow=0x18e61, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="7bVVsB0zr v0.odp", cAlternateFileName="7BVVSB~1.ODP")) returned 1 [0147.767] lstrcmpiW (lpString1="7bVVsB0zr v0.odp", lpString2="Windows") returned -1 [0147.767] lstrcmpiW (lpString1="7bVVsB0zr v0.odp", lpString2="Program Files") returned -1 [0147.767] lstrcmpiW (lpString1="7bVVsB0zr v0.odp", lpString2="Program Files (x86)") returned -1 [0147.767] lstrcmpiW (lpString1="7bVVsB0zr v0.odp", lpString2="$Recycle.bin") returned 1 [0147.767] lstrcmpiW (lpString1="7bVVsB0zr v0.odp", lpString2="System Volume Information") returned -1 [0147.767] lstrcmpiW (lpString1="7bVVsB0zr v0.odp", lpString2=".") returned 1 [0147.767] lstrcmpiW (lpString1="7bVVsB0zr v0.odp", lpString2="..") returned 1 [0147.767] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\7bVVsB0zr v0.odp") returned 65 [0147.768] lstrcmpW (lpString1="7bVVsB0zr v0.odp", lpString2="PUSSY.TXT") returned -1 [0147.768] PathFindExtensionW (pszPath="7bVVsB0zr v0.odp") returned=".odp" [0147.768] lstrlenW (lpString=".odp") returned 4 [0147.768] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0147.768] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\7bVVsB0zr v0.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\nxdzy2\\7bvvsb0zr v0.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0147.768] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=101985) returned 1 [0147.769] GetProcessHeap () returned 0x4c0000 [0147.769] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0147.778] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="28") returned 2 [0147.778] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="71") returned 2 [0147.778] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="7A") returned 2 [0147.778] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="05") returned 2 [0147.778] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="99") returned 2 [0147.778] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="87") returned 2 [0147.778] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="44") returned 2 [0147.778] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="57") returned 2 [0147.778] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="BD") returned 2 [0147.778] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="80") returned 2 [0147.778] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="CC") returned 2 [0147.778] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="B7") returned 2 [0147.778] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="8C") returned 2 [0147.778] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="F0") returned 2 [0147.778] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="7E") returned 2 [0147.778] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="77") returned 2 [0147.778] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="E7") returned 2 [0147.778] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="01") returned 2 [0147.778] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="88") returned 2 [0147.778] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="EC") returned 2 [0147.778] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="EC") returned 2 [0147.778] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="06") returned 2 [0147.778] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="E1") returned 2 [0147.778] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="E3") returned 2 [0147.778] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="03") returned 2 [0147.778] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="C8") returned 2 [0147.778] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="18") returned 2 [0147.778] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="47") returned 2 [0147.778] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="CB") returned 2 [0147.778] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="CD") returned 2 [0147.778] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="4A") returned 2 [0147.778] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="26") returned 2 [0147.786] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\7bVVsB0zr v0.odp" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\7bVVsB0zr v0.odp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\7bVVsB0zr v0.odp" [0147.786] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\7bVVsB0zr v0.odp" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\7bVVsB0zr v0.odp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\7bVVsB0zr v0.odp" [0147.787] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\7bVVsB0zr v0.odp", lpString2=".28717A0599874457BD80CCB78CF07E77E70188ECEC06E1E303C81847CBCD4A26" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\7bVVsB0zr v0.odp.28717A0599874457BD80CCB78CF07E77E70188ECEC06E1E303C81847CBCD4A26") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\7bVVsB0zr v0.odp.28717A0599874457BD80CCB78CF07E77E70188ECEC06E1E303C81847CBCD4A26" [0147.787] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0147.787] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0147.833] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd6fa3f60, ftCreationTime.dwHighDateTime=0x1d5dac3, ftLastAccessTime.dwLowDateTime=0x54e73190, ftLastAccessTime.dwHighDateTime=0x1d5e2c5, ftLastWriteTime.dwLowDateTime=0x54e73190, ftLastWriteTime.dwHighDateTime=0x1d5e2c5, nFileSizeHigh=0x0, nFileSizeLow=0x16ff3, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="H19h.mkv", cAlternateFileName="")) returned 1 [0147.834] lstrcmpiW (lpString1="H19h.mkv", lpString2="Windows") returned -1 [0147.834] lstrcmpiW (lpString1="H19h.mkv", lpString2="Program Files") returned -1 [0147.834] lstrcmpiW (lpString1="H19h.mkv", lpString2="Program Files (x86)") returned -1 [0147.834] lstrcmpiW (lpString1="H19h.mkv", lpString2="$Recycle.bin") returned 1 [0147.834] lstrcmpiW (lpString1="H19h.mkv", lpString2="System Volume Information") returned -1 [0147.834] lstrcmpiW (lpString1="H19h.mkv", lpString2=".") returned 1 [0147.834] lstrcmpiW (lpString1="H19h.mkv", lpString2="..") returned 1 [0147.834] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\H19h.mkv") returned 57 [0147.834] lstrcmpW (lpString1="H19h.mkv", lpString2="PUSSY.TXT") returned -1 [0147.834] PathFindExtensionW (pszPath="H19h.mkv") returned=".mkv" [0147.834] lstrlenW (lpString=".mkv") returned 4 [0147.834] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0147.834] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\H19h.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\nxdzy2\\h19h.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0147.835] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=94195) returned 1 [0147.835] GetProcessHeap () returned 0x4c0000 [0147.835] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0147.858] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="CC") returned 2 [0147.858] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="62") returned 2 [0147.858] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="77") returned 2 [0147.858] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="9B") returned 2 [0147.858] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="C6") returned 2 [0147.858] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="B7") returned 2 [0147.858] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="BB") returned 2 [0147.858] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="3A") returned 2 [0147.858] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="BA") returned 2 [0147.858] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="DD") returned 2 [0147.858] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="9D") returned 2 [0147.858] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="59") returned 2 [0147.859] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="E3") returned 2 [0147.859] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="B8") returned 2 [0147.859] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="83") returned 2 [0147.859] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="8F") returned 2 [0147.859] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="1E") returned 2 [0147.859] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="27") returned 2 [0147.859] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="6F") returned 2 [0147.859] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="B1") returned 2 [0147.859] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="F2") returned 2 [0147.859] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="10") returned 2 [0147.859] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="ED") returned 2 [0147.859] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="12") returned 2 [0147.859] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="F6") returned 2 [0147.859] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="A0") returned 2 [0147.859] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="EB") returned 2 [0147.859] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="EA") returned 2 [0147.859] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="4B") returned 2 [0147.859] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="01") returned 2 [0147.859] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="5D") returned 2 [0147.859] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="6B") returned 2 [0147.871] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\H19h.mkv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\H19h.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\H19h.mkv" [0147.871] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\H19h.mkv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\H19h.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\H19h.mkv" [0147.871] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\H19h.mkv", lpString2=".CC62779BC6B7BB3ABADD9D59E3B8838F1E276FB1F210ED12F6A0EBEA4B015D6B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\H19h.mkv.CC62779BC6B7BB3ABADD9D59E3B8838F1E276FB1F210ED12F6A0EBEA4B015D6B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\H19h.mkv.CC62779BC6B7BB3ABADD9D59E3B8838F1E276FB1F210ED12F6A0EBEA4B015D6B" [0147.871] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0147.871] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0147.930] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86ae7bc0, ftCreationTime.dwHighDateTime=0x1d5e013, ftLastAccessTime.dwLowDateTime=0x8af66130, ftLastAccessTime.dwHighDateTime=0x1d5ddfb, ftLastWriteTime.dwLowDateTime=0x8af66130, ftLastWriteTime.dwHighDateTime=0x1d5ddfb, nFileSizeHigh=0x0, nFileSizeLow=0xe06, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="Hw0F.bmp", cAlternateFileName="")) returned 1 [0147.930] lstrcmpiW (lpString1="Hw0F.bmp", lpString2="Windows") returned -1 [0147.930] lstrcmpiW (lpString1="Hw0F.bmp", lpString2="Program Files") returned -1 [0147.930] lstrcmpiW (lpString1="Hw0F.bmp", lpString2="Program Files (x86)") returned -1 [0147.930] lstrcmpiW (lpString1="Hw0F.bmp", lpString2="$Recycle.bin") returned 1 [0147.930] lstrcmpiW (lpString1="Hw0F.bmp", lpString2="System Volume Information") returned -1 [0147.930] lstrcmpiW (lpString1="Hw0F.bmp", lpString2=".") returned 1 [0147.930] lstrcmpiW (lpString1="Hw0F.bmp", lpString2="..") returned 1 [0147.930] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\Hw0F.bmp") returned 57 [0147.930] lstrcmpW (lpString1="Hw0F.bmp", lpString2="PUSSY.TXT") returned -1 [0147.930] PathFindExtensionW (pszPath="Hw0F.bmp") returned=".bmp" [0147.931] lstrlenW (lpString=".bmp") returned 4 [0147.931] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0147.931] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\Hw0F.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\nxdzy2\\hw0f.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0147.965] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=3590) returned 1 [0147.965] GetProcessHeap () returned 0x4c0000 [0147.965] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0147.977] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="3F") returned 2 [0147.977] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="1C") returned 2 [0147.977] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="23") returned 2 [0147.977] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="2F") returned 2 [0147.977] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="93") returned 2 [0147.977] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="5B") returned 2 [0147.977] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="ED") returned 2 [0147.977] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="62") returned 2 [0147.977] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="3B") returned 2 [0147.978] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="2E") returned 2 [0147.978] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="34") returned 2 [0147.978] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="10") returned 2 [0147.978] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="04") returned 2 [0147.978] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="4B") returned 2 [0147.978] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="D3") returned 2 [0147.978] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="E9") returned 2 [0147.978] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="F5") returned 2 [0147.978] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="32") returned 2 [0147.978] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="D3") returned 2 [0147.978] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="41") returned 2 [0147.978] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="D4") returned 2 [0147.978] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="34") returned 2 [0147.978] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="70") returned 2 [0147.978] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="DC") returned 2 [0147.978] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="26") returned 2 [0147.978] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="C9") returned 2 [0147.978] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="69") returned 2 [0147.978] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="FE") returned 2 [0147.978] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="00") returned 2 [0147.978] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="57") returned 2 [0147.978] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="FD") returned 2 [0147.978] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="18") returned 2 [0147.989] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\Hw0F.bmp" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\Hw0F.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\Hw0F.bmp" [0147.989] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\Hw0F.bmp" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\Hw0F.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\Hw0F.bmp" [0147.990] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\Hw0F.bmp", lpString2=".3F1C232F935BED623B2E3410044BD3E9F532D341D43470DC26C969FE0057FD18" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\Hw0F.bmp.3F1C232F935BED623B2E3410044BD3E9F532D341D43470DC26C969FE0057FD18") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\Hw0F.bmp.3F1C232F935BED623B2E3410044BD3E9F532D341D43470DC26C969FE0057FD18" [0147.990] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0147.990] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0148.001] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa01c4cd0, ftCreationTime.dwHighDateTime=0x1d5e2a8, ftLastAccessTime.dwLowDateTime=0x868e5f0, ftLastAccessTime.dwHighDateTime=0x1d5e30d, ftLastWriteTime.dwLowDateTime=0x868e5f0, ftLastWriteTime.dwHighDateTime=0x1d5e30d, nFileSizeHigh=0x0, nFileSizeLow=0x16452, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="hw3bBwh.gif", cAlternateFileName="")) returned 1 [0148.001] lstrcmpiW (lpString1="hw3bBwh.gif", lpString2="Windows") returned -1 [0148.001] lstrcmpiW (lpString1="hw3bBwh.gif", lpString2="Program Files") returned -1 [0148.001] lstrcmpiW (lpString1="hw3bBwh.gif", lpString2="Program Files (x86)") returned -1 [0148.001] lstrcmpiW (lpString1="hw3bBwh.gif", lpString2="$Recycle.bin") returned 1 [0148.001] lstrcmpiW (lpString1="hw3bBwh.gif", lpString2="System Volume Information") returned -1 [0148.001] lstrcmpiW (lpString1="hw3bBwh.gif", lpString2=".") returned 1 [0148.001] lstrcmpiW (lpString1="hw3bBwh.gif", lpString2="..") returned 1 [0148.001] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\hw3bBwh.gif") returned 60 [0148.001] lstrcmpW (lpString1="hw3bBwh.gif", lpString2="PUSSY.TXT") returned -1 [0148.001] PathFindExtensionW (pszPath="hw3bBwh.gif") returned=".gif" [0148.001] lstrlenW (lpString=".gif") returned 4 [0148.001] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0148.001] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\hw3bBwh.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\nxdzy2\\hw3bbwh.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0148.002] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=91218) returned 1 [0148.003] GetProcessHeap () returned 0x4c0000 [0148.003] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0148.015] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="D5") returned 2 [0148.015] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="1A") returned 2 [0148.015] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="84") returned 2 [0148.015] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="D1") returned 2 [0148.015] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="E9") returned 2 [0148.015] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="4F") returned 2 [0148.015] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="F5") returned 2 [0148.015] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="9E") returned 2 [0148.015] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="BD") returned 2 [0148.015] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="02") returned 2 [0148.016] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="A0") returned 2 [0148.016] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="62") returned 2 [0148.016] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="65") returned 2 [0148.016] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="04") returned 2 [0148.016] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="40") returned 2 [0148.016] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="E0") returned 2 [0148.016] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="11") returned 2 [0148.016] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="DA") returned 2 [0148.016] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="FC") returned 2 [0148.016] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="0D") returned 2 [0148.016] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="5D") returned 2 [0148.016] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="1E") returned 2 [0148.016] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="FE") returned 2 [0148.016] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="25") returned 2 [0148.016] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="08") returned 2 [0148.016] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="38") returned 2 [0148.016] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="61") returned 2 [0148.016] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="82") returned 2 [0148.016] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="CF") returned 2 [0148.016] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="AF") returned 2 [0148.016] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="63") returned 2 [0148.016] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="70") returned 2 [0148.027] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\hw3bBwh.gif" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\hw3bBwh.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\hw3bBwh.gif" [0148.027] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\hw3bBwh.gif" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\hw3bBwh.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\hw3bBwh.gif" [0148.027] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\hw3bBwh.gif", lpString2=".D51A84D1E94FF59EBD02A062650440E011DAFC0D5D1EFE2508386182CFAF6370" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\hw3bBwh.gif.D51A84D1E94FF59EBD02A062650440E011DAFC0D5D1EFE2508386182CFAF6370") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\hw3bBwh.gif.D51A84D1E94FF59EBD02A062650440E011DAFC0D5D1EFE2508386182CFAF6370" [0148.027] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0148.027] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0148.061] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x22cbdcb0, ftCreationTime.dwHighDateTime=0x1d5e0d1, ftLastAccessTime.dwLowDateTime=0xdc58dfd0, ftLastAccessTime.dwHighDateTime=0x1d5e2ce, ftLastWriteTime.dwLowDateTime=0xdc58dfd0, ftLastWriteTime.dwHighDateTime=0x1d5e2ce, nFileSizeHigh=0x0, nFileSizeLow=0x66b2, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="lAMD.flv", cAlternateFileName="")) returned 1 [0148.061] lstrcmpiW (lpString1="lAMD.flv", lpString2="Windows") returned -1 [0148.061] lstrcmpiW (lpString1="lAMD.flv", lpString2="Program Files") returned -1 [0148.061] lstrcmpiW (lpString1="lAMD.flv", lpString2="Program Files (x86)") returned -1 [0148.061] lstrcmpiW (lpString1="lAMD.flv", lpString2="$Recycle.bin") returned 1 [0148.061] lstrcmpiW (lpString1="lAMD.flv", lpString2="System Volume Information") returned -1 [0148.061] lstrcmpiW (lpString1="lAMD.flv", lpString2=".") returned 1 [0148.061] lstrcmpiW (lpString1="lAMD.flv", lpString2="..") returned 1 [0148.061] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\lAMD.flv") returned 57 [0148.061] lstrcmpW (lpString1="lAMD.flv", lpString2="PUSSY.TXT") returned -1 [0148.061] PathFindExtensionW (pszPath="lAMD.flv") returned=".flv" [0148.061] lstrlenW (lpString=".flv") returned 4 [0148.061] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0148.062] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\lAMD.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\nxdzy2\\lamd.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0148.062] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=26290) returned 1 [0148.063] GetProcessHeap () returned 0x4c0000 [0148.063] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0148.071] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="C3") returned 2 [0148.071] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="3F") returned 2 [0148.071] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="90") returned 2 [0148.071] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="CA") returned 2 [0148.071] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="55") returned 2 [0148.071] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="CF") returned 2 [0148.071] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="4D") returned 2 [0148.071] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="1B") returned 2 [0148.071] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="0C") returned 2 [0148.071] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="5B") returned 2 [0148.071] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="41") returned 2 [0148.071] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="FE") returned 2 [0148.071] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="10") returned 2 [0148.071] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="FC") returned 2 [0148.071] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="41") returned 2 [0148.071] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="61") returned 2 [0148.071] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="E3") returned 2 [0148.072] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="F0") returned 2 [0148.072] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="F0") returned 2 [0148.072] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="0E") returned 2 [0148.072] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="6D") returned 2 [0148.072] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="BC") returned 2 [0148.072] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="43") returned 2 [0148.072] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="09") returned 2 [0148.072] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="CF") returned 2 [0148.072] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="06") returned 2 [0148.072] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="78") returned 2 [0148.072] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="C1") returned 2 [0148.072] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="F1") returned 2 [0148.072] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="E9") returned 2 [0148.072] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="34") returned 2 [0148.072] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="7F") returned 2 [0148.082] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\lAMD.flv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\lAMD.flv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\lAMD.flv" [0148.082] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\lAMD.flv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\lAMD.flv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\lAMD.flv" [0148.082] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\lAMD.flv", lpString2=".C33F90CA55CF4D1B0C5B41FE10FC4161E3F0F00E6DBC4309CF0678C1F1E9347F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\lAMD.flv.C33F90CA55CF4D1B0C5B41FE10FC4161E3F0F00E6DBC4309CF0678C1F1E9347F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\lAMD.flv.C33F90CA55CF4D1B0C5B41FE10FC4161E3F0F00E6DBC4309CF0678C1F1E9347F" [0148.083] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0148.083] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0148.125] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6021d8b0, ftCreationTime.dwHighDateTime=0x1d5e60a, ftLastAccessTime.dwLowDateTime=0xdd84a6b0, ftLastAccessTime.dwHighDateTime=0x1d5d8eb, ftLastWriteTime.dwLowDateTime=0xdd84a6b0, ftLastWriteTime.dwHighDateTime=0x1d5d8eb, nFileSizeHigh=0x0, nFileSizeLow=0x9c60, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="MpGXl_XVVu_5V.docx", cAlternateFileName="MPGXL_~1.DOC")) returned 1 [0148.125] lstrcmpiW (lpString1="MpGXl_XVVu_5V.docx", lpString2="Windows") returned -1 [0148.125] lstrcmpiW (lpString1="MpGXl_XVVu_5V.docx", lpString2="Program Files") returned -1 [0148.125] lstrcmpiW (lpString1="MpGXl_XVVu_5V.docx", lpString2="Program Files (x86)") returned -1 [0148.126] lstrcmpiW (lpString1="MpGXl_XVVu_5V.docx", lpString2="$Recycle.bin") returned 1 [0148.126] lstrcmpiW (lpString1="MpGXl_XVVu_5V.docx", lpString2="System Volume Information") returned -1 [0148.126] lstrcmpiW (lpString1="MpGXl_XVVu_5V.docx", lpString2=".") returned 1 [0148.126] lstrcmpiW (lpString1="MpGXl_XVVu_5V.docx", lpString2="..") returned 1 [0148.126] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\MpGXl_XVVu_5V.docx") returned 67 [0148.126] lstrcmpW (lpString1="MpGXl_XVVu_5V.docx", lpString2="PUSSY.TXT") returned -1 [0148.126] PathFindExtensionW (pszPath="MpGXl_XVVu_5V.docx") returned=".docx" [0148.126] lstrlenW (lpString=".docx") returned 5 [0148.126] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0148.126] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\MpGXl_XVVu_5V.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\nxdzy2\\mpgxl_xvvu_5v.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0148.127] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=40032) returned 1 [0148.127] GetProcessHeap () returned 0x4c0000 [0148.127] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0148.139] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="1E") returned 2 [0148.139] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="E4") returned 2 [0148.139] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="35") returned 2 [0148.139] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="25") returned 2 [0148.139] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="14") returned 2 [0148.139] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="19") returned 2 [0148.139] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="60") returned 2 [0148.139] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="78") returned 2 [0148.139] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="83") returned 2 [0148.139] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="1B") returned 2 [0148.139] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="47") returned 2 [0148.139] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="F2") returned 2 [0148.139] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="49") returned 2 [0148.139] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="5E") returned 2 [0148.139] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="8C") returned 2 [0148.139] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="BE") returned 2 [0148.139] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="42") returned 2 [0148.139] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="CC") returned 2 [0148.139] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="2A") returned 2 [0148.139] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="C1") returned 2 [0148.139] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="57") returned 2 [0148.139] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="A2") returned 2 [0148.139] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="E4") returned 2 [0148.140] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="0E") returned 2 [0148.140] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="20") returned 2 [0148.140] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="03") returned 2 [0148.140] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="FB") returned 2 [0148.140] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="73") returned 2 [0148.140] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="47") returned 2 [0148.140] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="29") returned 2 [0148.140] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="04") returned 2 [0148.140] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="74") returned 2 [0148.215] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\MpGXl_XVVu_5V.docx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\MpGXl_XVVu_5V.docx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\MpGXl_XVVu_5V.docx" [0148.215] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\MpGXl_XVVu_5V.docx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\MpGXl_XVVu_5V.docx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\MpGXl_XVVu_5V.docx" [0148.215] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\MpGXl_XVVu_5V.docx", lpString2=".1EE4352514196078831B47F2495E8CBE42CC2AC157A2E40E2003FB7347290474" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\MpGXl_XVVu_5V.docx.1EE4352514196078831B47F2495E8CBE42CC2AC157A2E40E2003FB7347290474") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\MpGXl_XVVu_5V.docx.1EE4352514196078831B47F2495E8CBE42CC2AC157A2E40E2003FB7347290474" [0148.215] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0148.215] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0148.246] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b8a10f0, ftCreationTime.dwHighDateTime=0x1d5da11, ftLastAccessTime.dwLowDateTime=0x166f93d0, ftLastAccessTime.dwHighDateTime=0x1d5dcda, ftLastWriteTime.dwLowDateTime=0x166f93d0, ftLastWriteTime.dwHighDateTime=0x1d5dcda, nFileSizeHigh=0x0, nFileSizeLow=0x10f0c, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="OeTVb4wUvvYAOmAI.png", cAlternateFileName="OETVB4~1.PNG")) returned 1 [0148.246] lstrcmpiW (lpString1="OeTVb4wUvvYAOmAI.png", lpString2="Windows") returned -1 [0148.246] lstrcmpiW (lpString1="OeTVb4wUvvYAOmAI.png", lpString2="Program Files") returned -1 [0148.246] lstrcmpiW (lpString1="OeTVb4wUvvYAOmAI.png", lpString2="Program Files (x86)") returned -1 [0148.246] lstrcmpiW (lpString1="OeTVb4wUvvYAOmAI.png", lpString2="$Recycle.bin") returned 1 [0148.246] lstrcmpiW (lpString1="OeTVb4wUvvYAOmAI.png", lpString2="System Volume Information") returned -1 [0148.246] lstrcmpiW (lpString1="OeTVb4wUvvYAOmAI.png", lpString2=".") returned 1 [0148.246] lstrcmpiW (lpString1="OeTVb4wUvvYAOmAI.png", lpString2="..") returned 1 [0148.248] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\OeTVb4wUvvYAOmAI.png") returned 69 [0148.249] lstrcmpW (lpString1="OeTVb4wUvvYAOmAI.png", lpString2="PUSSY.TXT") returned -1 [0148.249] PathFindExtensionW (pszPath="OeTVb4wUvvYAOmAI.png") returned=".png" [0148.249] lstrlenW (lpString=".png") returned 4 [0148.250] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0148.250] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\OeTVb4wUvvYAOmAI.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\nxdzy2\\oetvb4wuvvyaomai.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0148.250] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=69388) returned 1 [0148.250] GetProcessHeap () returned 0x4c0000 [0148.250] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0148.261] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="00") returned 2 [0148.261] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="CE") returned 2 [0148.261] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="C0") returned 2 [0148.261] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="7D") returned 2 [0148.261] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="7F") returned 2 [0148.261] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="25") returned 2 [0148.261] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="EF") returned 2 [0148.261] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="D7") returned 2 [0148.261] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="73") returned 2 [0148.261] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="9D") returned 2 [0148.261] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="4E") returned 2 [0148.261] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="36") returned 2 [0148.261] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="29") returned 2 [0148.261] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="FF") returned 2 [0148.261] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="EF") returned 2 [0148.261] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="C6") returned 2 [0148.261] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="D0") returned 2 [0148.261] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="08") returned 2 [0148.261] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="49") returned 2 [0148.261] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="A7") returned 2 [0148.262] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="5B") returned 2 [0148.262] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="B7") returned 2 [0148.262] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="C7") returned 2 [0148.262] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="86") returned 2 [0148.262] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="C0") returned 2 [0148.262] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="47") returned 2 [0148.262] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="23") returned 2 [0148.262] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="6A") returned 2 [0148.262] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="9B") returned 2 [0148.262] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="1E") returned 2 [0148.262] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="06") returned 2 [0148.262] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="08") returned 2 [0148.273] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\OeTVb4wUvvYAOmAI.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\OeTVb4wUvvYAOmAI.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\OeTVb4wUvvYAOmAI.png" [0148.273] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\OeTVb4wUvvYAOmAI.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\OeTVb4wUvvYAOmAI.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\OeTVb4wUvvYAOmAI.png" [0148.273] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\OeTVb4wUvvYAOmAI.png", lpString2=".00CEC07D7F25EFD7739D4E3629FFEFC6D00849A75BB7C786C047236A9B1E0608" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\OeTVb4wUvvYAOmAI.png.00CEC07D7F25EFD7739D4E3629FFEFC6D00849A75BB7C786C047236A9B1E0608") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\OeTVb4wUvvYAOmAI.png.00CEC07D7F25EFD7739D4E3629FFEFC6D00849A75BB7C786C047236A9B1E0608" [0148.273] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0148.273] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0148.306] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xded2afe0, ftCreationTime.dwHighDateTime=0x1d5e533, ftLastAccessTime.dwLowDateTime=0x1db0f5f0, ftLastAccessTime.dwHighDateTime=0x1d5d9cc, ftLastWriteTime.dwLowDateTime=0x1db0f5f0, ftLastWriteTime.dwHighDateTime=0x1d5d9cc, nFileSizeHigh=0x0, nFileSizeLow=0xa8b8, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="_5lrKHjlF2GNU.pdf", cAlternateFileName="_5LRKH~1.PDF")) returned 1 [0148.306] lstrcmpiW (lpString1="_5lrKHjlF2GNU.pdf", lpString2="Windows") returned -1 [0148.306] lstrcmpiW (lpString1="_5lrKHjlF2GNU.pdf", lpString2="Program Files") returned -1 [0148.306] lstrcmpiW (lpString1="_5lrKHjlF2GNU.pdf", lpString2="Program Files (x86)") returned -1 [0148.306] lstrcmpiW (lpString1="_5lrKHjlF2GNU.pdf", lpString2="$Recycle.bin") returned 1 [0148.306] lstrcmpiW (lpString1="_5lrKHjlF2GNU.pdf", lpString2="System Volume Information") returned -1 [0148.306] lstrcmpiW (lpString1="_5lrKHjlF2GNU.pdf", lpString2=".") returned 1 [0148.306] lstrcmpiW (lpString1="_5lrKHjlF2GNU.pdf", lpString2="..") returned 1 [0148.306] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\_5lrKHjlF2GNU.pdf") returned 66 [0148.306] lstrcmpW (lpString1="_5lrKHjlF2GNU.pdf", lpString2="PUSSY.TXT") returned -1 [0148.306] PathFindExtensionW (pszPath="_5lrKHjlF2GNU.pdf") returned=".pdf" [0148.306] lstrlenW (lpString=".pdf") returned 4 [0148.306] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0148.306] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\_5lrKHjlF2GNU.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\nxdzy2\\_5lrkhjlf2gnu.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0148.307] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=43192) returned 1 [0148.307] GetProcessHeap () returned 0x4c0000 [0148.307] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0148.316] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="72") returned 2 [0148.316] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="86") returned 2 [0148.316] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="9D") returned 2 [0148.316] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="B3") returned 2 [0148.316] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="57") returned 2 [0148.316] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="62") returned 2 [0148.316] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="9A") returned 2 [0148.316] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="25") returned 2 [0148.316] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="14") returned 2 [0148.316] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="0C") returned 2 [0148.316] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="A3") returned 2 [0148.316] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="53") returned 2 [0148.316] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="92") returned 2 [0148.316] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="50") returned 2 [0148.316] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="F7") returned 2 [0148.316] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="C8") returned 2 [0148.316] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="0F") returned 2 [0148.316] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="10") returned 2 [0148.316] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="96") returned 2 [0148.316] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="58") returned 2 [0148.316] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="54") returned 2 [0148.316] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="1F") returned 2 [0148.316] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="FB") returned 2 [0148.316] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="B9") returned 2 [0148.316] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="F0") returned 2 [0148.316] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="7F") returned 2 [0148.316] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="A7") returned 2 [0148.317] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="2A") returned 2 [0148.317] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="D3") returned 2 [0148.317] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="DF") returned 2 [0148.317] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="11") returned 2 [0148.317] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="0F") returned 2 [0148.325] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\_5lrKHjlF2GNU.pdf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\_5lrKHjlF2GNU.pdf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\_5lrKHjlF2GNU.pdf" [0148.325] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\_5lrKHjlF2GNU.pdf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\_5lrKHjlF2GNU.pdf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\_5lrKHjlF2GNU.pdf" [0148.325] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\_5lrKHjlF2GNU.pdf", lpString2=".72869DB357629A25140CA3539250F7C80F109658541FFBB9F07FA72AD3DF110F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\_5lrKHjlF2GNU.pdf.72869DB357629A25140CA3539250F7C80F109658541FFBB9F07FA72AD3DF110F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\_5lrKHjlF2GNU.pdf.72869DB357629A25140CA3539250F7C80F109658541FFBB9F07FA72AD3DF110F" [0148.325] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0148.326] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0148.361] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xded2afe0, ftCreationTime.dwHighDateTime=0x1d5e533, ftLastAccessTime.dwLowDateTime=0x1db0f5f0, ftLastAccessTime.dwHighDateTime=0x1d5d9cc, ftLastWriteTime.dwLowDateTime=0x1db0f5f0, ftLastWriteTime.dwHighDateTime=0x1d5d9cc, nFileSizeHigh=0x0, nFileSizeLow=0xa8b8, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="_5lrKHjlF2GNU.pdf", cAlternateFileName="_5LRKH~1.PDF")) returned 0 [0148.361] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0148.361] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\PUSSY.TXT") returned 58 [0148.361] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\nxdzy2\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0148.362] lstrlenA (lpString="abcd") returned 4 [0148.362] WriteFile (in: hFile=0x1b8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0148.363] CloseHandle (hObject=0x1b8) returned 1 [0148.363] GetProcessHeap () returned 0x4c0000 [0148.363] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0148.366] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67467f00, ftCreationTime.dwHighDateTime=0x1d5e444, ftLastAccessTime.dwLowDateTime=0xf6a04b60, ftLastAccessTime.dwHighDateTime=0x1d5e31b, ftLastWriteTime.dwLowDateTime=0xf6a04b60, ftLastWriteTime.dwHighDateTime=0x1d5e31b, nFileSizeHigh=0x0, nFileSizeLow=0x7191, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="oxSI_sgNB -Ju.avi", cAlternateFileName="OXSI_S~1.AVI")) returned 1 [0148.366] lstrcmpiW (lpString1="oxSI_sgNB -Ju.avi", lpString2="Windows") returned -1 [0148.366] lstrcmpiW (lpString1="oxSI_sgNB -Ju.avi", lpString2="Program Files") returned -1 [0148.366] lstrcmpiW (lpString1="oxSI_sgNB -Ju.avi", lpString2="Program Files (x86)") returned -1 [0148.366] lstrcmpiW (lpString1="oxSI_sgNB -Ju.avi", lpString2="$Recycle.bin") returned 1 [0148.366] lstrcmpiW (lpString1="oxSI_sgNB -Ju.avi", lpString2="System Volume Information") returned -1 [0148.366] lstrcmpiW (lpString1="oxSI_sgNB -Ju.avi", lpString2=".") returned 1 [0148.366] lstrcmpiW (lpString1="oxSI_sgNB -Ju.avi", lpString2="..") returned 1 [0148.366] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\oxSI_sgNB -Ju.avi") returned 59 [0148.366] lstrcmpW (lpString1="oxSI_sgNB -Ju.avi", lpString2="PUSSY.TXT") returned -1 [0148.366] PathFindExtensionW (pszPath="oxSI_sgNB -Ju.avi") returned=".avi" [0148.366] lstrlenW (lpString=".avi") returned 4 [0148.366] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0148.366] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\oxSI_sgNB -Ju.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\oxsi_sgnb -ju.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0148.367] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=29073) returned 1 [0148.367] GetProcessHeap () returned 0x4c0000 [0148.367] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0148.378] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="E1") returned 2 [0148.378] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="92") returned 2 [0148.378] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="E7") returned 2 [0148.378] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="47") returned 2 [0148.378] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="0B") returned 2 [0148.378] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="4E") returned 2 [0148.378] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="70") returned 2 [0148.378] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="7A") returned 2 [0148.378] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="B3") returned 2 [0148.378] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="92") returned 2 [0148.378] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="AF") returned 2 [0148.378] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="60") returned 2 [0148.378] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="D9") returned 2 [0148.378] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="CA") returned 2 [0148.378] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="49") returned 2 [0148.378] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="4F") returned 2 [0148.378] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="48") returned 2 [0148.378] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="5F") returned 2 [0148.378] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="86") returned 2 [0148.378] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="CC") returned 2 [0148.378] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="83") returned 2 [0148.378] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="AD") returned 2 [0148.378] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="8B") returned 2 [0148.378] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="03") returned 2 [0148.378] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="8C") returned 2 [0148.378] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="79") returned 2 [0148.378] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="D7") returned 2 [0148.379] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="E4") returned 2 [0148.379] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="B7") returned 2 [0148.379] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="E7") returned 2 [0148.379] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="FC") returned 2 [0148.379] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="10") returned 2 [0148.388] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\oxSI_sgNB -Ju.avi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\oxSI_sgNB -Ju.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\oxSI_sgNB -Ju.avi" [0148.388] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\oxSI_sgNB -Ju.avi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\oxSI_sgNB -Ju.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\oxSI_sgNB -Ju.avi" [0148.388] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\oxSI_sgNB -Ju.avi", lpString2=".E192E7470B4E707AB392AF60D9CA494F485F86CC83AD8B038C79D7E4B7E7FC10" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\oxSI_sgNB -Ju.avi.E192E7470B4E707AB392AF60D9CA494F485F86CC83AD8B038C79D7E4B7E7FC10") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\oxSI_sgNB -Ju.avi.E192E7470B4E707AB392AF60D9CA494F485F86CC83AD8B038C79D7E4B7E7FC10" [0148.388] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0148.388] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0148.417] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf5527fb0, ftCreationTime.dwHighDateTime=0x1d5e40d, ftLastAccessTime.dwLowDateTime=0x8ccaa4b0, ftLastAccessTime.dwHighDateTime=0x1d5e48d, ftLastWriteTime.dwLowDateTime=0x8ccaa4b0, ftLastWriteTime.dwHighDateTime=0x1d5e48d, nFileSizeHigh=0x0, nFileSizeLow=0x154c8, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="PyP_N wrZ-sc.m4a", cAlternateFileName="PYP_NW~1.M4A")) returned 1 [0148.417] lstrcmpiW (lpString1="PyP_N wrZ-sc.m4a", lpString2="Windows") returned -1 [0148.417] lstrcmpiW (lpString1="PyP_N wrZ-sc.m4a", lpString2="Program Files") returned 1 [0148.418] lstrcmpiW (lpString1="PyP_N wrZ-sc.m4a", lpString2="Program Files (x86)") returned 1 [0148.418] lstrcmpiW (lpString1="PyP_N wrZ-sc.m4a", lpString2="$Recycle.bin") returned 1 [0148.418] lstrcmpiW (lpString1="PyP_N wrZ-sc.m4a", lpString2="System Volume Information") returned -1 [0148.418] lstrcmpiW (lpString1="PyP_N wrZ-sc.m4a", lpString2=".") returned 1 [0148.418] lstrcmpiW (lpString1="PyP_N wrZ-sc.m4a", lpString2="..") returned 1 [0148.418] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\PyP_N wrZ-sc.m4a") returned 58 [0148.418] lstrcmpW (lpString1="PyP_N wrZ-sc.m4a", lpString2="PUSSY.TXT") returned 1 [0148.418] PathFindExtensionW (pszPath="PyP_N wrZ-sc.m4a") returned=".m4a" [0148.418] lstrlenW (lpString=".m4a") returned 4 [0148.418] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0148.418] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\PyP_N wrZ-sc.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\pyp_n wrz-sc.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0148.419] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=87240) returned 1 [0148.419] GetProcessHeap () returned 0x4c0000 [0148.419] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0148.427] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="75") returned 2 [0148.427] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="76") returned 2 [0148.427] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="F0") returned 2 [0148.427] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="BB") returned 2 [0148.428] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="E2") returned 2 [0148.428] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="80") returned 2 [0148.428] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="F0") returned 2 [0148.428] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="E1") returned 2 [0148.428] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="C6") returned 2 [0148.428] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="F9") returned 2 [0148.428] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="7A") returned 2 [0148.428] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="A2") returned 2 [0148.428] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="D1") returned 2 [0148.428] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="43") returned 2 [0148.428] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="F7") returned 2 [0148.428] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="A3") returned 2 [0148.428] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="89") returned 2 [0148.428] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="D9") returned 2 [0148.428] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="33") returned 2 [0148.428] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="52") returned 2 [0148.428] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="26") returned 2 [0148.428] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="A8") returned 2 [0148.428] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="8E") returned 2 [0148.428] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="10") returned 2 [0148.428] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="22") returned 2 [0148.428] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="C8") returned 2 [0148.428] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="34") returned 2 [0148.428] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="5B") returned 2 [0148.428] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="39") returned 2 [0148.428] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="05") returned 2 [0148.428] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="4C") returned 2 [0148.428] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="75") returned 2 [0148.437] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\PyP_N wrZ-sc.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\PyP_N wrZ-sc.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\PyP_N wrZ-sc.m4a" [0148.437] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\PyP_N wrZ-sc.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\PyP_N wrZ-sc.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\PyP_N wrZ-sc.m4a" [0148.437] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\PyP_N wrZ-sc.m4a", lpString2=".7576F0BBE280F0E1C6F97AA2D143F7A389D9335226A88E1022C8345B39054C75" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\PyP_N wrZ-sc.m4a.7576F0BBE280F0E1C6F97AA2D143F7A389D9335226A88E1022C8345B39054C75") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\PyP_N wrZ-sc.m4a.7576F0BBE280F0E1C6F97AA2D143F7A389D9335226A88E1022C8345B39054C75" [0148.437] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0148.437] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0148.469] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a708940, ftCreationTime.dwHighDateTime=0x1d5d899, ftLastAccessTime.dwLowDateTime=0x6a1e5310, ftLastAccessTime.dwHighDateTime=0x1d5e2c3, ftLastWriteTime.dwLowDateTime=0x6a1e5310, ftLastWriteTime.dwHighDateTime=0x1d5e2c3, nFileSizeHigh=0x0, nFileSizeLow=0x384a, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="qWedV4GiHAlkHS.png", cAlternateFileName="QWEDV4~1.PNG")) returned 1 [0148.469] lstrcmpiW (lpString1="qWedV4GiHAlkHS.png", lpString2="Windows") returned -1 [0148.469] lstrcmpiW (lpString1="qWedV4GiHAlkHS.png", lpString2="Program Files") returned 1 [0148.469] lstrcmpiW (lpString1="qWedV4GiHAlkHS.png", lpString2="Program Files (x86)") returned 1 [0148.469] lstrcmpiW (lpString1="qWedV4GiHAlkHS.png", lpString2="$Recycle.bin") returned 1 [0148.470] lstrcmpiW (lpString1="qWedV4GiHAlkHS.png", lpString2="System Volume Information") returned -1 [0148.470] lstrcmpiW (lpString1="qWedV4GiHAlkHS.png", lpString2=".") returned 1 [0148.470] lstrcmpiW (lpString1="qWedV4GiHAlkHS.png", lpString2="..") returned 1 [0148.470] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qWedV4GiHAlkHS.png") returned 60 [0148.470] lstrcmpW (lpString1="qWedV4GiHAlkHS.png", lpString2="PUSSY.TXT") returned 1 [0148.470] PathFindExtensionW (pszPath="qWedV4GiHAlkHS.png") returned=".png" [0148.470] lstrlenW (lpString=".png") returned 4 [0148.470] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0148.470] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qWedV4GiHAlkHS.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\qwedv4gihalkhs.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0148.471] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=14410) returned 1 [0148.471] GetProcessHeap () returned 0x4c0000 [0148.471] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0148.687] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="CD") returned 2 [0148.687] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="63") returned 2 [0148.688] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="B5") returned 2 [0148.688] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="D0") returned 2 [0148.688] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="65") returned 2 [0148.688] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="1F") returned 2 [0148.688] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="BE") returned 2 [0148.688] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="6A") returned 2 [0148.688] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="79") returned 2 [0148.688] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="06") returned 2 [0148.688] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="0D") returned 2 [0148.688] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="F3") returned 2 [0148.688] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="49") returned 2 [0148.688] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="99") returned 2 [0148.688] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="4D") returned 2 [0148.688] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="E4") returned 2 [0148.688] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="E3") returned 2 [0148.688] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="88") returned 2 [0148.688] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="8D") returned 2 [0148.689] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="28") returned 2 [0148.689] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="DE") returned 2 [0148.689] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="57") returned 2 [0148.689] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="22") returned 2 [0148.689] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="42") returned 2 [0148.689] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="22") returned 2 [0148.689] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="77") returned 2 [0148.689] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="04") returned 2 [0148.689] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="4E") returned 2 [0148.689] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="38") returned 2 [0148.689] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="47") returned 2 [0148.689] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="7A") returned 2 [0148.689] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="4F") returned 2 [0148.698] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qWedV4GiHAlkHS.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qWedV4GiHAlkHS.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qWedV4GiHAlkHS.png" [0148.698] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qWedV4GiHAlkHS.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qWedV4GiHAlkHS.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qWedV4GiHAlkHS.png" [0148.698] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qWedV4GiHAlkHS.png", lpString2=".CD63B5D0651FBE6A79060DF349994DE4E3888D28DE5722422277044E38477A4F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qWedV4GiHAlkHS.png.CD63B5D0651FBE6A79060DF349994DE4E3888D28DE5722422277044E38477A4F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qWedV4GiHAlkHS.png.CD63B5D0651FBE6A79060DF349994DE4E3888D28DE5722422277044E38477A4F" [0148.698] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0148.698] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0148.714] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f5f84d0, ftCreationTime.dwHighDateTime=0x1d5e0da, ftLastAccessTime.dwLowDateTime=0x87dfd010, ftLastAccessTime.dwHighDateTime=0x1d5e6c7, ftLastWriteTime.dwLowDateTime=0x87dfd010, ftLastWriteTime.dwHighDateTime=0x1d5e6c7, nFileSizeHigh=0x0, nFileSizeLow=0x1872d, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="t1jgxIqaPpFxf.mp3", cAlternateFileName="T1JGXI~1.MP3")) returned 1 [0148.714] lstrcmpiW (lpString1="t1jgxIqaPpFxf.mp3", lpString2="Windows") returned -1 [0148.714] lstrcmpiW (lpString1="t1jgxIqaPpFxf.mp3", lpString2="Program Files") returned 1 [0148.714] lstrcmpiW (lpString1="t1jgxIqaPpFxf.mp3", lpString2="Program Files (x86)") returned 1 [0148.714] lstrcmpiW (lpString1="t1jgxIqaPpFxf.mp3", lpString2="$Recycle.bin") returned 1 [0148.714] lstrcmpiW (lpString1="t1jgxIqaPpFxf.mp3", lpString2="System Volume Information") returned 1 [0148.714] lstrcmpiW (lpString1="t1jgxIqaPpFxf.mp3", lpString2=".") returned 1 [0148.714] lstrcmpiW (lpString1="t1jgxIqaPpFxf.mp3", lpString2="..") returned 1 [0148.714] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\t1jgxIqaPpFxf.mp3") returned 59 [0148.714] lstrcmpW (lpString1="t1jgxIqaPpFxf.mp3", lpString2="PUSSY.TXT") returned 1 [0148.714] PathFindExtensionW (pszPath="t1jgxIqaPpFxf.mp3") returned=".mp3" [0148.715] lstrlenW (lpString=".mp3") returned 4 [0148.715] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0148.715] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\t1jgxIqaPpFxf.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\t1jgxiqappfxf.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0148.716] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=100141) returned 1 [0148.716] GetProcessHeap () returned 0x4c0000 [0148.716] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0148.724] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="A9") returned 2 [0148.724] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="AE") returned 2 [0148.724] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="9B") returned 2 [0148.725] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="FB") returned 2 [0148.725] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="8E") returned 2 [0148.725] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="A6") returned 2 [0148.725] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="40") returned 2 [0148.725] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="37") returned 2 [0148.725] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="B7") returned 2 [0148.725] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="07") returned 2 [0148.725] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="C6") returned 2 [0148.725] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="90") returned 2 [0148.725] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="85") returned 2 [0148.725] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="E6") returned 2 [0148.725] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="68") returned 2 [0148.725] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="3A") returned 2 [0148.725] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="6E") returned 2 [0148.725] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="E3") returned 2 [0148.725] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="3A") returned 2 [0148.725] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="1E") returned 2 [0148.725] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="D5") returned 2 [0148.725] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="FF") returned 2 [0148.725] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="62") returned 2 [0148.725] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="FA") returned 2 [0148.725] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="5C") returned 2 [0148.725] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="99") returned 2 [0148.725] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="98") returned 2 [0148.725] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="5D") returned 2 [0148.725] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="33") returned 2 [0148.725] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="51") returned 2 [0148.725] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="CE") returned 2 [0148.725] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="32") returned 2 [0148.734] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\t1jgxIqaPpFxf.mp3" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\t1jgxIqaPpFxf.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\t1jgxIqaPpFxf.mp3" [0148.734] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\t1jgxIqaPpFxf.mp3" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\t1jgxIqaPpFxf.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\t1jgxIqaPpFxf.mp3" [0148.734] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\t1jgxIqaPpFxf.mp3", lpString2=".A9AE9BFB8EA64037B707C69085E6683A6EE33A1ED5FF62FA5C99985D3351CE32" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\t1jgxIqaPpFxf.mp3.A9AE9BFB8EA64037B707C69085E6683A6EE33A1ED5FF62FA5C99985D3351CE32") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\t1jgxIqaPpFxf.mp3.A9AE9BFB8EA64037B707C69085E6683A6EE33A1ED5FF62FA5C99985D3351CE32" [0148.734] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0148.734] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0148.768] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1edbe0, ftCreationTime.dwHighDateTime=0x1d5e2bb, ftLastAccessTime.dwLowDateTime=0xf097a1c0, ftLastAccessTime.dwHighDateTime=0x1d5e283, ftLastWriteTime.dwLowDateTime=0xf097a1c0, ftLastWriteTime.dwHighDateTime=0x1d5e283, nFileSizeHigh=0x0, nFileSizeLow=0xc230, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="tiZLL5aGz.wav", cAlternateFileName="TIZLL5~1.WAV")) returned 1 [0148.768] lstrcmpiW (lpString1="tiZLL5aGz.wav", lpString2="Windows") returned -1 [0148.768] lstrcmpiW (lpString1="tiZLL5aGz.wav", lpString2="Program Files") returned 1 [0148.768] lstrcmpiW (lpString1="tiZLL5aGz.wav", lpString2="Program Files (x86)") returned 1 [0148.768] lstrcmpiW (lpString1="tiZLL5aGz.wav", lpString2="$Recycle.bin") returned 1 [0148.768] lstrcmpiW (lpString1="tiZLL5aGz.wav", lpString2="System Volume Information") returned 1 [0148.768] lstrcmpiW (lpString1="tiZLL5aGz.wav", lpString2=".") returned 1 [0148.768] lstrcmpiW (lpString1="tiZLL5aGz.wav", lpString2="..") returned 1 [0148.768] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\tiZLL5aGz.wav") returned 55 [0148.768] lstrcmpW (lpString1="tiZLL5aGz.wav", lpString2="PUSSY.TXT") returned 1 [0148.768] PathFindExtensionW (pszPath="tiZLL5aGz.wav") returned=".wav" [0148.768] lstrlenW (lpString=".wav") returned 4 [0148.768] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0148.768] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\tiZLL5aGz.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\tizll5agz.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0148.769] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=49712) returned 1 [0148.769] GetProcessHeap () returned 0x4c0000 [0148.769] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0148.777] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="CB") returned 2 [0148.777] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="75") returned 2 [0148.777] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="67") returned 2 [0148.777] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="4F") returned 2 [0148.777] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="88") returned 2 [0148.777] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="E7") returned 2 [0148.777] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="F9") returned 2 [0148.777] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="BB") returned 2 [0148.778] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="A3") returned 2 [0148.778] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="43") returned 2 [0148.778] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="7F") returned 2 [0148.778] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="10") returned 2 [0148.778] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="60") returned 2 [0148.778] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="C7") returned 2 [0148.778] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="A5") returned 2 [0148.778] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="AF") returned 2 [0148.778] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="BF") returned 2 [0148.778] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="B9") returned 2 [0148.778] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="43") returned 2 [0148.778] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="D1") returned 2 [0148.778] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="BD") returned 2 [0148.778] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="14") returned 2 [0148.778] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="78") returned 2 [0148.778] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="44") returned 2 [0148.778] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="32") returned 2 [0148.778] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="7E") returned 2 [0148.778] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="FC") returned 2 [0148.778] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="AB") returned 2 [0148.778] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="65") returned 2 [0148.778] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="78") returned 2 [0148.778] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="F1") returned 2 [0148.779] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="32") returned 2 [0148.788] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\tiZLL5aGz.wav" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\tiZLL5aGz.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\tiZLL5aGz.wav" [0148.788] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\tiZLL5aGz.wav" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\tiZLL5aGz.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\tiZLL5aGz.wav" [0148.788] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\tiZLL5aGz.wav", lpString2=".CB75674F88E7F9BBA3437F1060C7A5AFBFB943D1BD147844327EFCAB6578F132" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\tiZLL5aGz.wav.CB75674F88E7F9BBA3437F1060C7A5AFBFB943D1BD147844327EFCAB6578F132") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\tiZLL5aGz.wav.CB75674F88E7F9BBA3437F1060C7A5AFBFB943D1BD147844327EFCAB6578F132" [0148.788] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0148.788] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0148.829] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3da538f0, ftCreationTime.dwHighDateTime=0x1d5deb6, ftLastAccessTime.dwLowDateTime=0x7c1aee50, ftLastAccessTime.dwHighDateTime=0x1d5dc03, ftLastWriteTime.dwLowDateTime=0x7c1aee50, ftLastWriteTime.dwHighDateTime=0x1d5dc03, nFileSizeHigh=0x0, nFileSizeLow=0x4b42, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="UDvlcVCbmLzsoln6-.flv", cAlternateFileName="UDVLCV~1.FLV")) returned 1 [0148.829] lstrcmpiW (lpString1="UDvlcVCbmLzsoln6-.flv", lpString2="Windows") returned -1 [0148.829] lstrcmpiW (lpString1="UDvlcVCbmLzsoln6-.flv", lpString2="Program Files") returned 1 [0148.829] lstrcmpiW (lpString1="UDvlcVCbmLzsoln6-.flv", lpString2="Program Files (x86)") returned 1 [0148.829] lstrcmpiW (lpString1="UDvlcVCbmLzsoln6-.flv", lpString2="$Recycle.bin") returned 1 [0148.829] lstrcmpiW (lpString1="UDvlcVCbmLzsoln6-.flv", lpString2="System Volume Information") returned 1 [0148.829] lstrcmpiW (lpString1="UDvlcVCbmLzsoln6-.flv", lpString2=".") returned 1 [0148.829] lstrcmpiW (lpString1="UDvlcVCbmLzsoln6-.flv", lpString2="..") returned 1 [0148.829] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\UDvlcVCbmLzsoln6-.flv") returned 63 [0148.829] lstrcmpW (lpString1="UDvlcVCbmLzsoln6-.flv", lpString2="PUSSY.TXT") returned 1 [0148.829] PathFindExtensionW (pszPath="UDvlcVCbmLzsoln6-.flv") returned=".flv" [0148.829] lstrlenW (lpString=".flv") returned 4 [0148.829] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0148.829] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\UDvlcVCbmLzsoln6-.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\udvlcvcbmlzsoln6-.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0148.830] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=19266) returned 1 [0148.830] GetProcessHeap () returned 0x4c0000 [0148.830] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0148.932] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="44") returned 2 [0148.932] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="EB") returned 2 [0148.932] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="43") returned 2 [0148.932] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="2C") returned 2 [0148.932] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="80") returned 2 [0148.932] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="17") returned 2 [0148.932] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="46") returned 2 [0148.932] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="98") returned 2 [0148.932] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="60") returned 2 [0148.932] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="4C") returned 2 [0148.932] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="05") returned 2 [0148.932] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="F3") returned 2 [0148.932] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="AF") returned 2 [0148.932] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="86") returned 2 [0148.932] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="8F") returned 2 [0148.932] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="48") returned 2 [0148.932] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="79") returned 2 [0148.932] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="EB") returned 2 [0148.932] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="8B") returned 2 [0148.932] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="80") returned 2 [0148.933] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="25") returned 2 [0148.933] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="F9") returned 2 [0148.933] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="27") returned 2 [0148.933] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="0C") returned 2 [0148.933] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="AF") returned 2 [0148.933] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="5B") returned 2 [0148.933] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="59") returned 2 [0148.933] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="F9") returned 2 [0148.933] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="41") returned 2 [0148.933] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="B7") returned 2 [0148.933] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="1B") returned 2 [0148.933] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="56") returned 2 [0148.947] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\UDvlcVCbmLzsoln6-.flv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\UDvlcVCbmLzsoln6-.flv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\UDvlcVCbmLzsoln6-.flv" [0148.948] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\UDvlcVCbmLzsoln6-.flv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\UDvlcVCbmLzsoln6-.flv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\UDvlcVCbmLzsoln6-.flv" [0148.948] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\UDvlcVCbmLzsoln6-.flv", lpString2=".44EB432C80174698604C05F3AF868F4879EB8B8025F9270CAF5B59F941B71B56" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\UDvlcVCbmLzsoln6-.flv.44EB432C80174698604C05F3AF868F4879EB8B8025F9270CAF5B59F941B71B56") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\UDvlcVCbmLzsoln6-.flv.44EB432C80174698604C05F3AF868F4879EB8B8025F9270CAF5B59F941B71B56" [0148.948] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0148.948] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0148.979] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x171c620, ftCreationTime.dwHighDateTime=0x1d5dbfd, ftLastAccessTime.dwLowDateTime=0x385747f0, ftLastAccessTime.dwHighDateTime=0x1d5e46d, ftLastWriteTime.dwLowDateTime=0x385747f0, ftLastWriteTime.dwHighDateTime=0x1d5e46d, nFileSizeHigh=0x0, nFileSizeLow=0x12138, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="ui2INzx5pef4SN35R5ox.png", cAlternateFileName="UI2INZ~1.PNG")) returned 1 [0148.979] lstrcmpiW (lpString1="ui2INzx5pef4SN35R5ox.png", lpString2="Windows") returned -1 [0148.979] lstrcmpiW (lpString1="ui2INzx5pef4SN35R5ox.png", lpString2="Program Files") returned 1 [0148.979] lstrcmpiW (lpString1="ui2INzx5pef4SN35R5ox.png", lpString2="Program Files (x86)") returned 1 [0148.979] lstrcmpiW (lpString1="ui2INzx5pef4SN35R5ox.png", lpString2="$Recycle.bin") returned 1 [0148.979] lstrcmpiW (lpString1="ui2INzx5pef4SN35R5ox.png", lpString2="System Volume Information") returned 1 [0148.980] lstrcmpiW (lpString1="ui2INzx5pef4SN35R5ox.png", lpString2=".") returned 1 [0148.980] lstrcmpiW (lpString1="ui2INzx5pef4SN35R5ox.png", lpString2="..") returned 1 [0148.980] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ui2INzx5pef4SN35R5ox.png") returned 66 [0148.980] lstrcmpW (lpString1="ui2INzx5pef4SN35R5ox.png", lpString2="PUSSY.TXT") returned 1 [0148.980] PathFindExtensionW (pszPath="ui2INzx5pef4SN35R5ox.png") returned=".png" [0148.980] lstrlenW (lpString=".png") returned 4 [0148.980] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0148.980] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ui2INzx5pef4SN35R5ox.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ui2inzx5pef4sn35r5ox.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0148.981] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=74040) returned 1 [0148.981] GetProcessHeap () returned 0x4c0000 [0148.981] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0149.247] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="96") returned 2 [0149.247] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="80") returned 2 [0149.247] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="05") returned 2 [0149.247] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="A1") returned 2 [0149.247] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="32") returned 2 [0149.247] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="A3") returned 2 [0149.247] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="9B") returned 2 [0149.247] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="9F") returned 2 [0149.247] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="BD") returned 2 [0149.247] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="83") returned 2 [0149.247] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="74") returned 2 [0149.247] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="B7") returned 2 [0149.247] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="51") returned 2 [0149.247] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="35") returned 2 [0149.247] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="15") returned 2 [0149.247] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="63") returned 2 [0149.247] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="24") returned 2 [0149.247] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="BF") returned 2 [0149.247] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="23") returned 2 [0149.247] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="12") returned 2 [0149.247] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="E6") returned 2 [0149.248] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="9E") returned 2 [0149.248] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="C2") returned 2 [0149.248] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="B2") returned 2 [0149.248] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="B6") returned 2 [0149.248] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="98") returned 2 [0149.248] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="64") returned 2 [0149.248] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="D3") returned 2 [0149.248] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="3F") returned 2 [0149.248] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="FD") returned 2 [0149.248] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="94") returned 2 [0149.248] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="2C") returned 2 [0149.262] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ui2INzx5pef4SN35R5ox.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ui2INzx5pef4SN35R5ox.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ui2INzx5pef4SN35R5ox.png" [0149.262] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ui2INzx5pef4SN35R5ox.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ui2INzx5pef4SN35R5ox.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ui2INzx5pef4SN35R5ox.png" [0149.262] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ui2INzx5pef4SN35R5ox.png", lpString2=".968005A132A39B9FBD8374B75135156324BF2312E69EC2B2B69864D33FFD942C" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ui2INzx5pef4SN35R5ox.png.968005A132A39B9FBD8374B75135156324BF2312E69EC2B2B69864D33FFD942C") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ui2INzx5pef4SN35R5ox.png.968005A132A39B9FBD8374B75135156324BF2312E69EC2B2B69864D33FFD942C" [0149.262] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0149.263] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0149.316] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa62be6b0, ftCreationTime.dwHighDateTime=0x1d5e200, ftLastAccessTime.dwLowDateTime=0xb0d5f540, ftLastAccessTime.dwHighDateTime=0x1d5e392, ftLastWriteTime.dwLowDateTime=0xb0d5f540, ftLastWriteTime.dwHighDateTime=0x1d5e392, nFileSizeHigh=0x0, nFileSizeLow=0x932c, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="utf36wt3njCMh.mp4", cAlternateFileName="UTF36W~1.MP4")) returned 1 [0149.316] lstrcmpiW (lpString1="utf36wt3njCMh.mp4", lpString2="Windows") returned -1 [0149.316] lstrcmpiW (lpString1="utf36wt3njCMh.mp4", lpString2="Program Files") returned 1 [0149.316] lstrcmpiW (lpString1="utf36wt3njCMh.mp4", lpString2="Program Files (x86)") returned 1 [0149.316] lstrcmpiW (lpString1="utf36wt3njCMh.mp4", lpString2="$Recycle.bin") returned 1 [0149.316] lstrcmpiW (lpString1="utf36wt3njCMh.mp4", lpString2="System Volume Information") returned 1 [0149.316] lstrcmpiW (lpString1="utf36wt3njCMh.mp4", lpString2=".") returned 1 [0149.316] lstrcmpiW (lpString1="utf36wt3njCMh.mp4", lpString2="..") returned 1 [0149.316] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\utf36wt3njCMh.mp4") returned 59 [0149.316] lstrcmpW (lpString1="utf36wt3njCMh.mp4", lpString2="PUSSY.TXT") returned 1 [0149.316] PathFindExtensionW (pszPath="utf36wt3njCMh.mp4") returned=".mp4" [0149.317] lstrlenW (lpString=".mp4") returned 4 [0149.317] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0149.317] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\utf36wt3njCMh.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\utf36wt3njcmh.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0149.318] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=37676) returned 1 [0149.318] GetProcessHeap () returned 0x4c0000 [0149.318] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0149.330] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="F5") returned 2 [0149.330] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="27") returned 2 [0149.330] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="DA") returned 2 [0149.330] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="FC") returned 2 [0149.330] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="41") returned 2 [0149.330] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="01") returned 2 [0149.330] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="2A") returned 2 [0149.330] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="B9") returned 2 [0149.330] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="E6") returned 2 [0149.330] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="94") returned 2 [0149.331] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="F6") returned 2 [0149.331] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="44") returned 2 [0149.331] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="D8") returned 2 [0149.331] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="08") returned 2 [0149.331] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="C6") returned 2 [0149.331] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="B0") returned 2 [0149.331] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="FF") returned 2 [0149.331] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="2A") returned 2 [0149.331] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="A2") returned 2 [0149.331] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="99") returned 2 [0149.331] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="24") returned 2 [0149.331] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="89") returned 2 [0149.331] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="72") returned 2 [0149.331] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="6F") returned 2 [0149.331] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="F6") returned 2 [0149.331] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="DD") returned 2 [0149.331] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="72") returned 2 [0149.331] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="68") returned 2 [0149.331] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="AC") returned 2 [0149.331] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="07") returned 2 [0149.331] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="9E") returned 2 [0149.331] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="7B") returned 2 [0149.344] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\utf36wt3njCMh.mp4" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\utf36wt3njCMh.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\utf36wt3njCMh.mp4" [0149.344] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\utf36wt3njCMh.mp4" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\utf36wt3njCMh.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\utf36wt3njCMh.mp4" [0149.345] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\utf36wt3njCMh.mp4", lpString2=".F527DAFC41012AB9E694F644D808C6B0FF2AA2992489726FF6DD7268AC079E7B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\utf36wt3njCMh.mp4.F527DAFC41012AB9E694F644D808C6B0FF2AA2992489726FF6DD7268AC079E7B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\utf36wt3njCMh.mp4.F527DAFC41012AB9E694F644D808C6B0FF2AA2992489726FF6DD7268AC079E7B" [0149.345] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0149.345] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0149.400] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ee8b380, ftCreationTime.dwHighDateTime=0x1d5e50d, ftLastAccessTime.dwLowDateTime=0x7e7caee0, ftLastAccessTime.dwHighDateTime=0x1d5e581, ftLastWriteTime.dwLowDateTime=0x7e7caee0, ftLastWriteTime.dwHighDateTime=0x1d5e581, nFileSizeHigh=0x0, nFileSizeLow=0x1313d, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="W1iY9C2qWbWd-YMp.avi", cAlternateFileName="W1IY9C~1.AVI")) returned 1 [0149.400] lstrcmpiW (lpString1="W1iY9C2qWbWd-YMp.avi", lpString2="Windows") returned -1 [0149.400] lstrcmpiW (lpString1="W1iY9C2qWbWd-YMp.avi", lpString2="Program Files") returned 1 [0149.400] lstrcmpiW (lpString1="W1iY9C2qWbWd-YMp.avi", lpString2="Program Files (x86)") returned 1 [0149.400] lstrcmpiW (lpString1="W1iY9C2qWbWd-YMp.avi", lpString2="$Recycle.bin") returned 1 [0149.400] lstrcmpiW (lpString1="W1iY9C2qWbWd-YMp.avi", lpString2="System Volume Information") returned 1 [0149.400] lstrcmpiW (lpString1="W1iY9C2qWbWd-YMp.avi", lpString2=".") returned 1 [0149.400] lstrcmpiW (lpString1="W1iY9C2qWbWd-YMp.avi", lpString2="..") returned 1 [0149.400] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\W1iY9C2qWbWd-YMp.avi") returned 62 [0149.400] lstrcmpW (lpString1="W1iY9C2qWbWd-YMp.avi", lpString2="PUSSY.TXT") returned 1 [0149.400] PathFindExtensionW (pszPath="W1iY9C2qWbWd-YMp.avi") returned=".avi" [0149.400] lstrlenW (lpString=".avi") returned 4 [0149.400] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0149.401] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\W1iY9C2qWbWd-YMp.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\w1iy9c2qwbwd-ymp.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0149.401] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=78141) returned 1 [0149.402] GetProcessHeap () returned 0x4c0000 [0149.402] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0149.415] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="4D") returned 2 [0149.415] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="B2") returned 2 [0149.415] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="14") returned 2 [0149.415] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="FD") returned 2 [0149.415] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="96") returned 2 [0149.415] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="BE") returned 2 [0149.415] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="00") returned 2 [0149.415] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="56") returned 2 [0149.415] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="AE") returned 2 [0149.415] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="EC") returned 2 [0149.415] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="5E") returned 2 [0149.415] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="56") returned 2 [0149.415] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="90") returned 2 [0149.415] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="08") returned 2 [0149.415] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="4C") returned 2 [0149.415] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="F5") returned 2 [0149.415] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="9F") returned 2 [0149.415] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="89") returned 2 [0149.415] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="40") returned 2 [0149.415] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="92") returned 2 [0149.415] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="09") returned 2 [0149.415] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="29") returned 2 [0149.416] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="1D") returned 2 [0149.416] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="FD") returned 2 [0149.416] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="F0") returned 2 [0149.416] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="65") returned 2 [0149.416] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="75") returned 2 [0149.416] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="B6") returned 2 [0149.416] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="36") returned 2 [0149.416] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="B3") returned 2 [0149.416] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="31") returned 2 [0149.416] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="64") returned 2 [0149.431] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\W1iY9C2qWbWd-YMp.avi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\W1iY9C2qWbWd-YMp.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\W1iY9C2qWbWd-YMp.avi" [0149.431] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\W1iY9C2qWbWd-YMp.avi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\W1iY9C2qWbWd-YMp.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\W1iY9C2qWbWd-YMp.avi" [0149.431] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\W1iY9C2qWbWd-YMp.avi", lpString2=".4DB214FD96BE0056AEEC5E5690084CF59F89409209291DFDF06575B636B33164" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\W1iY9C2qWbWd-YMp.avi.4DB214FD96BE0056AEEC5E5690084CF59F89409209291DFDF06575B636B33164") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\W1iY9C2qWbWd-YMp.avi.4DB214FD96BE0056AEEC5E5690084CF59F89409209291DFDF06575B636B33164" [0149.431] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0149.431] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0149.485] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c908960, ftCreationTime.dwHighDateTime=0x1d5db3a, ftLastAccessTime.dwLowDateTime=0x770b9540, ftLastAccessTime.dwHighDateTime=0x1d5dd8e, ftLastWriteTime.dwLowDateTime=0x770b9540, ftLastWriteTime.dwHighDateTime=0x1d5dd8e, nFileSizeHigh=0x0, nFileSizeLow=0x1984, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="w8uqhRtiR.ppt", cAlternateFileName="W8UQHR~1.PPT")) returned 1 [0149.486] lstrcmpiW (lpString1="w8uqhRtiR.ppt", lpString2="Windows") returned -1 [0149.486] lstrcmpiW (lpString1="w8uqhRtiR.ppt", lpString2="Program Files") returned 1 [0149.486] lstrcmpiW (lpString1="w8uqhRtiR.ppt", lpString2="Program Files (x86)") returned 1 [0149.486] lstrcmpiW (lpString1="w8uqhRtiR.ppt", lpString2="$Recycle.bin") returned 1 [0149.486] lstrcmpiW (lpString1="w8uqhRtiR.ppt", lpString2="System Volume Information") returned 1 [0149.486] lstrcmpiW (lpString1="w8uqhRtiR.ppt", lpString2=".") returned 1 [0149.486] lstrcmpiW (lpString1="w8uqhRtiR.ppt", lpString2="..") returned 1 [0149.486] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\w8uqhRtiR.ppt") returned 55 [0149.486] lstrcmpW (lpString1="w8uqhRtiR.ppt", lpString2="PUSSY.TXT") returned 1 [0149.486] PathFindExtensionW (pszPath="w8uqhRtiR.ppt") returned=".ppt" [0149.486] lstrlenW (lpString=".ppt") returned 4 [0149.486] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0149.486] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\w8uqhRtiR.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\w8uqhrtir.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0149.487] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=6532) returned 1 [0149.487] GetProcessHeap () returned 0x4c0000 [0149.487] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0149.501] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="90") returned 2 [0149.501] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="AF") returned 2 [0149.501] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="EB") returned 2 [0149.501] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="03") returned 2 [0149.501] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="37") returned 2 [0149.501] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="BB") returned 2 [0149.501] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="01") returned 2 [0149.501] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="58") returned 2 [0149.502] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="4B") returned 2 [0149.502] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="4D") returned 2 [0149.502] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="BA") returned 2 [0149.502] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="08") returned 2 [0149.502] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="4D") returned 2 [0149.502] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="15") returned 2 [0149.502] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="F9") returned 2 [0149.502] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="5A") returned 2 [0149.502] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="A5") returned 2 [0149.502] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="65") returned 2 [0149.502] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="E6") returned 2 [0149.502] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="74") returned 2 [0149.502] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="36") returned 2 [0149.502] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="D0") returned 2 [0149.502] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="6E") returned 2 [0149.502] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="35") returned 2 [0149.502] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="6E") returned 2 [0149.502] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="6A") returned 2 [0149.502] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="6A") returned 2 [0149.502] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="67") returned 2 [0149.502] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="20") returned 2 [0149.502] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="47") returned 2 [0149.502] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="F7") returned 2 [0149.502] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="4F") returned 2 [0149.609] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\w8uqhRtiR.ppt" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\w8uqhRtiR.ppt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\w8uqhRtiR.ppt" [0149.609] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\w8uqhRtiR.ppt" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\w8uqhRtiR.ppt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\w8uqhRtiR.ppt" [0149.609] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\w8uqhRtiR.ppt", lpString2=".90AFEB0337BB01584B4DBA084D15F95AA565E67436D06E356E6A6A672047F74F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\w8uqhRtiR.ppt.90AFEB0337BB01584B4DBA084D15F95AA565E67436D06E356E6A6A672047F74F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\w8uqhRtiR.ppt.90AFEB0337BB01584B4DBA084D15F95AA565E67436D06E356E6A6A672047F74F" [0149.609] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0149.609] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0149.622] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4efe3b40, ftCreationTime.dwHighDateTime=0x1d5d9e5, ftLastAccessTime.dwLowDateTime=0x67c96b0, ftLastAccessTime.dwHighDateTime=0x1d5e678, ftLastWriteTime.dwLowDateTime=0x67c96b0, ftLastWriteTime.dwHighDateTime=0x1d5e678, nFileSizeHigh=0x0, nFileSizeLow=0xf098, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="XAfEmSzW32uNo.mp4", cAlternateFileName="XAFEMS~1.MP4")) returned 1 [0149.622] lstrcmpiW (lpString1="XAfEmSzW32uNo.mp4", lpString2="Windows") returned 1 [0149.622] lstrcmpiW (lpString1="XAfEmSzW32uNo.mp4", lpString2="Program Files") returned 1 [0149.622] lstrcmpiW (lpString1="XAfEmSzW32uNo.mp4", lpString2="Program Files (x86)") returned 1 [0149.622] lstrcmpiW (lpString1="XAfEmSzW32uNo.mp4", lpString2="$Recycle.bin") returned 1 [0149.622] lstrcmpiW (lpString1="XAfEmSzW32uNo.mp4", lpString2="System Volume Information") returned 1 [0149.623] lstrcmpiW (lpString1="XAfEmSzW32uNo.mp4", lpString2=".") returned 1 [0149.623] lstrcmpiW (lpString1="XAfEmSzW32uNo.mp4", lpString2="..") returned 1 [0149.623] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\XAfEmSzW32uNo.mp4") returned 59 [0149.623] lstrcmpW (lpString1="XAfEmSzW32uNo.mp4", lpString2="PUSSY.TXT") returned 1 [0149.623] PathFindExtensionW (pszPath="XAfEmSzW32uNo.mp4") returned=".mp4" [0149.623] lstrlenW (lpString=".mp4") returned 4 [0149.623] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0149.623] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\XAfEmSzW32uNo.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\xafemszw32uno.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0149.624] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=61592) returned 1 [0149.624] GetProcessHeap () returned 0x4c0000 [0149.624] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0149.637] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="56") returned 2 [0149.637] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="12") returned 2 [0149.637] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="A4") returned 2 [0149.637] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="AB") returned 2 [0149.637] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="A1") returned 2 [0149.637] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="54") returned 2 [0149.637] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="32") returned 2 [0149.637] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="22") returned 2 [0149.637] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="7C") returned 2 [0149.637] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="23") returned 2 [0149.637] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="6A") returned 2 [0149.637] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="2B") returned 2 [0149.637] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="EA") returned 2 [0149.637] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="67") returned 2 [0149.637] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="CA") returned 2 [0149.638] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="F5") returned 2 [0149.638] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="6F") returned 2 [0149.638] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="04") returned 2 [0149.638] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="C8") returned 2 [0149.638] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="CC") returned 2 [0149.638] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="D8") returned 2 [0149.638] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="61") returned 2 [0149.638] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="E3") returned 2 [0149.638] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="29") returned 2 [0149.638] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="83") returned 2 [0149.638] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="C7") returned 2 [0149.638] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="0A") returned 2 [0149.638] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="B7") returned 2 [0149.638] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="C6") returned 2 [0149.638] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="D8") returned 2 [0149.638] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="6C") returned 2 [0149.638] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="09") returned 2 [0149.652] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\XAfEmSzW32uNo.mp4" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\XAfEmSzW32uNo.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\XAfEmSzW32uNo.mp4" [0149.652] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\XAfEmSzW32uNo.mp4" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\XAfEmSzW32uNo.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\XAfEmSzW32uNo.mp4" [0149.652] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\XAfEmSzW32uNo.mp4", lpString2=".5612A4ABA15432227C236A2BEA67CAF56F04C8CCD861E32983C70AB7C6D86C09" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\XAfEmSzW32uNo.mp4.5612A4ABA15432227C236A2BEA67CAF56F04C8CCD861E32983C70AB7C6D86C09") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\XAfEmSzW32uNo.mp4.5612A4ABA15432227C236A2BEA67CAF56F04C8CCD861E32983C70AB7C6D86C09" [0149.652] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0149.652] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0149.707] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x987876e0, ftCreationTime.dwHighDateTime=0x1d5dff9, ftLastAccessTime.dwLowDateTime=0xbb5c1870, ftLastAccessTime.dwHighDateTime=0x1d5e200, ftLastWriteTime.dwLowDateTime=0xbb5c1870, ftLastWriteTime.dwHighDateTime=0x1d5e200, nFileSizeHigh=0x0, nFileSizeLow=0x16a0d, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="yCsEXnLveL.ods", cAlternateFileName="YCSEXN~1.ODS")) returned 1 [0149.707] lstrcmpiW (lpString1="yCsEXnLveL.ods", lpString2="Windows") returned 1 [0149.707] lstrcmpiW (lpString1="yCsEXnLveL.ods", lpString2="Program Files") returned 1 [0149.707] lstrcmpiW (lpString1="yCsEXnLveL.ods", lpString2="Program Files (x86)") returned 1 [0149.707] lstrcmpiW (lpString1="yCsEXnLveL.ods", lpString2="$Recycle.bin") returned 1 [0149.707] lstrcmpiW (lpString1="yCsEXnLveL.ods", lpString2="System Volume Information") returned 1 [0149.707] lstrcmpiW (lpString1="yCsEXnLveL.ods", lpString2=".") returned 1 [0149.707] lstrcmpiW (lpString1="yCsEXnLveL.ods", lpString2="..") returned 1 [0149.707] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\yCsEXnLveL.ods") returned 56 [0149.707] lstrcmpW (lpString1="yCsEXnLveL.ods", lpString2="PUSSY.TXT") returned 1 [0149.707] PathFindExtensionW (pszPath="yCsEXnLveL.ods") returned=".ods" [0149.707] lstrlenW (lpString=".ods") returned 4 [0149.707] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0149.707] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\yCsEXnLveL.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ycsexnlvel.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0149.708] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=92685) returned 1 [0149.708] GetProcessHeap () returned 0x4c0000 [0149.708] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0149.723] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="07") returned 2 [0149.723] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="08") returned 2 [0149.723] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="BB") returned 2 [0149.723] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="4A") returned 2 [0149.723] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="C0") returned 2 [0149.723] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="B4") returned 2 [0149.723] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="FE") returned 2 [0149.724] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="5E") returned 2 [0149.724] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="55") returned 2 [0149.724] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="87") returned 2 [0149.724] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="DB") returned 2 [0149.724] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="63") returned 2 [0149.724] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="9D") returned 2 [0149.724] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="53") returned 2 [0149.724] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="B5") returned 2 [0149.724] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="C7") returned 2 [0149.724] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="27") returned 2 [0149.724] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="4B") returned 2 [0149.724] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="41") returned 2 [0149.724] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="88") returned 2 [0149.724] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="6E") returned 2 [0149.724] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="3D") returned 2 [0149.724] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="E8") returned 2 [0149.724] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="FA") returned 2 [0149.724] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="FD") returned 2 [0149.724] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="B1") returned 2 [0149.724] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="BD") returned 2 [0149.724] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="00") returned 2 [0149.724] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="2C") returned 2 [0149.724] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="57") returned 2 [0149.724] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="28") returned 2 [0149.724] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="34") returned 2 [0149.739] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\yCsEXnLveL.ods" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\yCsEXnLveL.ods") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\yCsEXnLveL.ods" [0149.739] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\yCsEXnLveL.ods" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\yCsEXnLveL.ods") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\yCsEXnLveL.ods" [0149.739] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\yCsEXnLveL.ods", lpString2=".0708BB4AC0B4FE5E5587DB639D53B5C7274B41886E3DE8FAFDB1BD002C572834" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\yCsEXnLveL.ods.0708BB4AC0B4FE5E5587DB639D53B5C7274B41886E3DE8FAFDB1BD002C572834") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\yCsEXnLveL.ods.0708BB4AC0B4FE5E5587DB639D53B5C7274B41886E3DE8FAFDB1BD002C572834" [0149.739] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0149.739] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0149.789] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc32a9bd0, ftCreationTime.dwHighDateTime=0x1d5dea4, ftLastAccessTime.dwLowDateTime=0x99a0b550, ftLastAccessTime.dwHighDateTime=0x1d5d8c9, ftLastWriteTime.dwLowDateTime=0x99a0b550, ftLastWriteTime.dwHighDateTime=0x1d5d8c9, nFileSizeHigh=0x0, nFileSizeLow=0xd28f, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="ZGmauB7tHN.odt", cAlternateFileName="ZGMAUB~1.ODT")) returned 1 [0149.789] lstrcmpiW (lpString1="ZGmauB7tHN.odt", lpString2="Windows") returned 1 [0149.789] lstrcmpiW (lpString1="ZGmauB7tHN.odt", lpString2="Program Files") returned 1 [0149.789] lstrcmpiW (lpString1="ZGmauB7tHN.odt", lpString2="Program Files (x86)") returned 1 [0149.789] lstrcmpiW (lpString1="ZGmauB7tHN.odt", lpString2="$Recycle.bin") returned 1 [0149.789] lstrcmpiW (lpString1="ZGmauB7tHN.odt", lpString2="System Volume Information") returned 1 [0149.789] lstrcmpiW (lpString1="ZGmauB7tHN.odt", lpString2=".") returned 1 [0149.789] lstrcmpiW (lpString1="ZGmauB7tHN.odt", lpString2="..") returned 1 [0149.789] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZGmauB7tHN.odt") returned 56 [0149.789] lstrcmpW (lpString1="ZGmauB7tHN.odt", lpString2="PUSSY.TXT") returned 1 [0149.789] PathFindExtensionW (pszPath="ZGmauB7tHN.odt") returned=".odt" [0149.789] lstrlenW (lpString=".odt") returned 4 [0149.789] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0149.789] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZGmauB7tHN.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zgmaub7thn.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0149.790] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=53903) returned 1 [0149.790] GetProcessHeap () returned 0x4c0000 [0149.790] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0149.803] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="26") returned 2 [0149.803] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="8B") returned 2 [0149.803] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="CF") returned 2 [0149.803] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="1B") returned 2 [0149.803] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="49") returned 2 [0149.803] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="D6") returned 2 [0149.803] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="35") returned 2 [0149.803] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="5A") returned 2 [0149.803] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="BE") returned 2 [0149.804] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="9A") returned 2 [0149.804] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="A4") returned 2 [0149.804] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="5A") returned 2 [0149.804] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="61") returned 2 [0149.804] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="67") returned 2 [0149.804] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="F1") returned 2 [0149.804] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="6D") returned 2 [0149.804] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="5C") returned 2 [0149.804] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="3F") returned 2 [0149.804] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="57") returned 2 [0149.804] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="54") returned 2 [0149.804] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="08") returned 2 [0149.804] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="FF") returned 2 [0149.804] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="0D") returned 2 [0149.804] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="C4") returned 2 [0149.804] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="5D") returned 2 [0149.804] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="70") returned 2 [0149.804] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="B9") returned 2 [0149.805] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="F4") returned 2 [0149.805] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="29") returned 2 [0149.805] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="5C") returned 2 [0149.805] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="D8") returned 2 [0149.805] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="77") returned 2 [0149.818] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZGmauB7tHN.odt" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZGmauB7tHN.odt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZGmauB7tHN.odt" [0149.818] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZGmauB7tHN.odt" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZGmauB7tHN.odt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZGmauB7tHN.odt" [0149.818] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZGmauB7tHN.odt", lpString2=".268BCF1B49D6355ABE9AA45A6167F16D5C3F575408FF0DC45D70B9F4295CD877" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZGmauB7tHN.odt.268BCF1B49D6355ABE9AA45A6167F16D5C3F575408FF0DC45D70B9F4295CD877") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZGmauB7tHN.odt.268BCF1B49D6355ABE9AA45A6167F16D5C3F575408FF0DC45D70B9F4295CD877" [0149.818] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0149.818] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0149.930] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x841036a0, ftCreationTime.dwHighDateTime=0x1d5d7c2, ftLastAccessTime.dwLowDateTime=0x40b5d000, ftLastAccessTime.dwHighDateTime=0x1d5e045, ftLastWriteTime.dwLowDateTime=0x40b5d000, ftLastWriteTime.dwHighDateTime=0x1d5e045, nFileSizeHigh=0x0, nFileSizeLow=0x1619f, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="ZO0F-QI2EeaUOsWG O.jpg", cAlternateFileName="ZO0F-Q~1.JPG")) returned 1 [0149.930] lstrcmpiW (lpString1="ZO0F-QI2EeaUOsWG O.jpg", lpString2="Windows") returned 1 [0149.930] lstrcmpiW (lpString1="ZO0F-QI2EeaUOsWG O.jpg", lpString2="Program Files") returned 1 [0149.930] lstrcmpiW (lpString1="ZO0F-QI2EeaUOsWG O.jpg", lpString2="Program Files (x86)") returned 1 [0149.930] lstrcmpiW (lpString1="ZO0F-QI2EeaUOsWG O.jpg", lpString2="$Recycle.bin") returned 1 [0149.930] lstrcmpiW (lpString1="ZO0F-QI2EeaUOsWG O.jpg", lpString2="System Volume Information") returned 1 [0149.930] lstrcmpiW (lpString1="ZO0F-QI2EeaUOsWG O.jpg", lpString2=".") returned 1 [0149.930] lstrcmpiW (lpString1="ZO0F-QI2EeaUOsWG O.jpg", lpString2="..") returned 1 [0149.930] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZO0F-QI2EeaUOsWG O.jpg") returned 64 [0149.931] lstrcmpW (lpString1="ZO0F-QI2EeaUOsWG O.jpg", lpString2="PUSSY.TXT") returned 1 [0149.931] PathFindExtensionW (pszPath="ZO0F-QI2EeaUOsWG O.jpg") returned=".jpg" [0149.931] lstrlenW (lpString=".jpg") returned 4 [0149.931] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0149.931] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZO0F-QI2EeaUOsWG O.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zo0f-qi2eeauoswg o.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0149.932] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=90527) returned 1 [0149.932] GetProcessHeap () returned 0x4c0000 [0149.932] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0149.946] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="67") returned 2 [0149.946] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="1E") returned 2 [0149.946] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="7D") returned 2 [0149.946] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="24") returned 2 [0149.946] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="1E") returned 2 [0149.946] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="84") returned 2 [0149.947] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="E7") returned 2 [0149.947] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="D3") returned 2 [0149.947] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="FF") returned 2 [0149.947] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="D7") returned 2 [0149.947] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="B2") returned 2 [0149.947] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="2B") returned 2 [0149.947] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="17") returned 2 [0149.947] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="20") returned 2 [0149.947] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="38") returned 2 [0149.947] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="B7") returned 2 [0149.947] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="92") returned 2 [0149.947] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="92") returned 2 [0149.947] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="20") returned 2 [0149.947] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="56") returned 2 [0149.947] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="42") returned 2 [0149.947] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="28") returned 2 [0149.947] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="1E") returned 2 [0149.947] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="9A") returned 2 [0149.947] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="79") returned 2 [0149.947] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="F1") returned 2 [0149.947] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="6F") returned 2 [0149.947] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="3C") returned 2 [0149.947] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="D2") returned 2 [0149.947] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="0F") returned 2 [0149.947] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="3F") returned 2 [0149.947] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="05") returned 2 [0149.961] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZO0F-QI2EeaUOsWG O.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZO0F-QI2EeaUOsWG O.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZO0F-QI2EeaUOsWG O.jpg" [0149.961] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZO0F-QI2EeaUOsWG O.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZO0F-QI2EeaUOsWG O.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZO0F-QI2EeaUOsWG O.jpg" [0149.961] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZO0F-QI2EeaUOsWG O.jpg", lpString2=".671E7D241E84E7D3FFD7B22B172038B79292205642281E9A79F16F3CD20F3F05" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZO0F-QI2EeaUOsWG O.jpg.671E7D241E84E7D3FFD7B22B172038B79292205642281E9A79F16F3CD20F3F05") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZO0F-QI2EeaUOsWG O.jpg.671E7D241E84E7D3FFD7B22B172038B79292205642281E9A79F16F3CD20F3F05" [0149.961] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0149.961] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0150.019] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d94b580, ftCreationTime.dwHighDateTime=0x1d5e271, ftLastAccessTime.dwLowDateTime=0x9416b070, ftLastAccessTime.dwHighDateTime=0x1d5e388, ftLastWriteTime.dwLowDateTime=0x9416b070, ftLastWriteTime.dwHighDateTime=0x1d5e388, nFileSizeHigh=0x0, nFileSizeLow=0x7fc, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="_QZQ0b_.csv", cAlternateFileName="")) returned 1 [0150.019] lstrcmpiW (lpString1="_QZQ0b_.csv", lpString2="Windows") returned -1 [0150.019] lstrcmpiW (lpString1="_QZQ0b_.csv", lpString2="Program Files") returned -1 [0150.019] lstrcmpiW (lpString1="_QZQ0b_.csv", lpString2="Program Files (x86)") returned -1 [0150.019] lstrcmpiW (lpString1="_QZQ0b_.csv", lpString2="$Recycle.bin") returned 1 [0150.019] lstrcmpiW (lpString1="_QZQ0b_.csv", lpString2="System Volume Information") returned -1 [0150.019] lstrcmpiW (lpString1="_QZQ0b_.csv", lpString2=".") returned 1 [0150.019] lstrcmpiW (lpString1="_QZQ0b_.csv", lpString2="..") returned 1 [0150.019] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_QZQ0b_.csv") returned 53 [0150.019] lstrcmpW (lpString1="_QZQ0b_.csv", lpString2="PUSSY.TXT") returned -1 [0150.019] PathFindExtensionW (pszPath="_QZQ0b_.csv") returned=".csv" [0150.019] lstrlenW (lpString=".csv") returned 4 [0150.019] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0150.020] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_QZQ0b_.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_qzq0b_.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0150.020] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=2044) returned 1 [0150.020] GetProcessHeap () returned 0x4c0000 [0150.021] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0150.034] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="B0") returned 2 [0150.034] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="1C") returned 2 [0150.034] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="3E") returned 2 [0150.034] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="18") returned 2 [0150.034] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="84") returned 2 [0150.034] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="98") returned 2 [0150.034] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="CF") returned 2 [0150.034] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="57") returned 2 [0150.034] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="7C") returned 2 [0150.034] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="25") returned 2 [0150.034] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="97") returned 2 [0150.034] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="CF") returned 2 [0150.034] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="5F") returned 2 [0150.034] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="BE") returned 2 [0150.034] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="1B") returned 2 [0150.034] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="72") returned 2 [0150.034] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="61") returned 2 [0150.034] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="0B") returned 2 [0150.034] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="B2") returned 2 [0150.035] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="92") returned 2 [0150.035] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="78") returned 2 [0150.035] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="B6") returned 2 [0150.035] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="2F") returned 2 [0150.035] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="65") returned 2 [0150.035] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="D6") returned 2 [0150.035] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="47") returned 2 [0150.035] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="04") returned 2 [0150.035] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="03") returned 2 [0150.035] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="7A") returned 2 [0150.035] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="85") returned 2 [0150.035] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="13") returned 2 [0150.035] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="29") returned 2 [0150.047] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_QZQ0b_.csv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_QZQ0b_.csv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_QZQ0b_.csv" [0150.047] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_QZQ0b_.csv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_QZQ0b_.csv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_QZQ0b_.csv" [0150.047] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_QZQ0b_.csv", lpString2=".B01C3E188498CF577C2597CF5FBE1B72610BB29278B62F65D64704037A851329" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_QZQ0b_.csv.B01C3E188498CF577C2597CF5FBE1B72610BB29278B62F65D64704037A851329") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_QZQ0b_.csv.B01C3E188498CF577C2597CF5FBE1B72610BB29278B62F65D64704037A851329" [0150.047] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0150.048] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0150.057] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdcb37b90, ftCreationTime.dwHighDateTime=0x1d5e060, ftLastAccessTime.dwLowDateTime=0xc127af10, ftLastAccessTime.dwHighDateTime=0x1d5d942, ftLastWriteTime.dwLowDateTime=0xc127af10, ftLastWriteTime.dwHighDateTime=0x1d5d942, nFileSizeHigh=0x0, nFileSizeLow=0x6f99, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="_Zan1QCfG445yVu.avi", cAlternateFileName="_ZAN1Q~1.AVI")) returned 1 [0150.057] lstrcmpiW (lpString1="_Zan1QCfG445yVu.avi", lpString2="Windows") returned -1 [0150.057] lstrcmpiW (lpString1="_Zan1QCfG445yVu.avi", lpString2="Program Files") returned -1 [0150.057] lstrcmpiW (lpString1="_Zan1QCfG445yVu.avi", lpString2="Program Files (x86)") returned -1 [0150.057] lstrcmpiW (lpString1="_Zan1QCfG445yVu.avi", lpString2="$Recycle.bin") returned 1 [0150.057] lstrcmpiW (lpString1="_Zan1QCfG445yVu.avi", lpString2="System Volume Information") returned -1 [0150.057] lstrcmpiW (lpString1="_Zan1QCfG445yVu.avi", lpString2=".") returned 1 [0150.057] lstrcmpiW (lpString1="_Zan1QCfG445yVu.avi", lpString2="..") returned 1 [0150.057] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_Zan1QCfG445yVu.avi") returned 61 [0150.057] lstrcmpW (lpString1="_Zan1QCfG445yVu.avi", lpString2="PUSSY.TXT") returned -1 [0150.057] PathFindExtensionW (pszPath="_Zan1QCfG445yVu.avi") returned=".avi" [0150.057] lstrlenW (lpString=".avi") returned 4 [0150.057] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0150.057] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_Zan1QCfG445yVu.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_zan1qcfg445yvu.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0150.058] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=28569) returned 1 [0150.058] GetProcessHeap () returned 0x4c0000 [0150.058] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0150.067] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="31") returned 2 [0150.067] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="5D") returned 2 [0150.067] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="6E") returned 2 [0150.067] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="0F") returned 2 [0150.067] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="F0") returned 2 [0150.067] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="EC") returned 2 [0150.067] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="C4") returned 2 [0150.067] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="F1") returned 2 [0150.067] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="83") returned 2 [0150.067] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="9B") returned 2 [0150.067] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="A7") returned 2 [0150.067] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="AC") returned 2 [0150.067] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="63") returned 2 [0150.067] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="03") returned 2 [0150.067] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="CD") returned 2 [0150.068] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="F4") returned 2 [0150.068] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="34") returned 2 [0150.068] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="57") returned 2 [0150.068] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="E9") returned 2 [0150.068] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="7F") returned 2 [0150.068] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="1E") returned 2 [0150.068] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="A6") returned 2 [0150.068] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="20") returned 2 [0150.068] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="4A") returned 2 [0150.068] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="46") returned 2 [0150.068] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="FD") returned 2 [0150.068] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="6F") returned 2 [0150.068] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="F8") returned 2 [0150.068] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="C8") returned 2 [0150.068] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="E9") returned 2 [0150.068] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="DC") returned 2 [0150.068] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="35") returned 2 [0150.076] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_Zan1QCfG445yVu.avi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_Zan1QCfG445yVu.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_Zan1QCfG445yVu.avi" [0150.077] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_Zan1QCfG445yVu.avi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_Zan1QCfG445yVu.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_Zan1QCfG445yVu.avi" [0150.077] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_Zan1QCfG445yVu.avi", lpString2=".315D6E0FF0ECC4F1839BA7AC6303CDF43457E97F1EA6204A46FD6FF8C8E9DC35" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_Zan1QCfG445yVu.avi.315D6E0FF0ECC4F1839BA7AC6303CDF43457E97F1EA6204A46FD6FF8C8E9DC35") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_Zan1QCfG445yVu.avi.315D6E0FF0ECC4F1839BA7AC6303CDF43457E97F1EA6204A46FD6FF8C8E9DC35" [0150.077] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0150.077] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0150.105] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdcb37b90, ftCreationTime.dwHighDateTime=0x1d5e060, ftLastAccessTime.dwLowDateTime=0xc127af10, ftLastAccessTime.dwHighDateTime=0x1d5d942, ftLastWriteTime.dwLowDateTime=0xc127af10, ftLastWriteTime.dwHighDateTime=0x1d5d942, nFileSizeHigh=0x0, nFileSizeLow=0x6f99, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="_Zan1QCfG445yVu.avi", cAlternateFileName="_ZAN1Q~1.AVI")) returned 0 [0150.105] FindClose (in: hFindFile=0x3bb7020 | out: hFindFile=0x3bb7020) returned 1 [0150.105] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\PUSSY.TXT") returned 51 [0150.105] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0150.106] lstrlenA (lpString="abcd") returned 4 [0150.106] WriteFile (in: hFile=0x190, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0150.107] CloseHandle (hObject=0x190) returned 1 [0150.107] GetProcessHeap () returned 0x4c0000 [0150.108] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0150.110] FindNextFileW (in: hFindFile=0x4ddbc8, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd9aeaec0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xd9aeaec0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0150.110] lstrcmpiW (lpString1="Documents", lpString2="Windows") returned -1 [0150.110] lstrcmpiW (lpString1="Documents", lpString2="Program Files") returned -1 [0150.110] lstrcmpiW (lpString1="Documents", lpString2="Program Files (x86)") returned -1 [0150.110] lstrcmpiW (lpString1="Documents", lpString2="$Recycle.bin") returned 1 [0150.110] lstrcmpiW (lpString1="Documents", lpString2="System Volume Information") returned -1 [0150.110] lstrcmpiW (lpString1="Documents", lpString2=".") returned 1 [0150.110] lstrcmpiW (lpString1="Documents", lpString2="..") returned 1 [0150.110] wnsprintfW (in: pszDest=0x3b28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 43 [0150.110] GetProcessHeap () returned 0x4c0000 [0150.110] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0150.111] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0150.111] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*" [0150.111] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd9aeaec0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xd9aeaec0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7020 [0150.111] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0150.111] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0150.111] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0150.111] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0150.111] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0150.111] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0150.111] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd9aeaec0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xd9aeaec0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0150.112] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0150.112] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0150.112] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0150.112] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0150.112] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0150.112] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0150.112] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0150.112] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4a6c26e0, ftCreationTime.dwHighDateTime=0x1d59503, ftLastAccessTime.dwLowDateTime=0xdf904d50, ftLastAccessTime.dwHighDateTime=0x1d5b0ab, ftLastWriteTime.dwLowDateTime=0xdf904d50, ftLastWriteTime.dwHighDateTime=0x1d5b0ab, nFileSizeHigh=0x0, nFileSizeLow=0xe607, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="-HQ50Y79h.pptx", cAlternateFileName="-HQ50Y~1.PPT")) returned 1 [0150.112] lstrcmpiW (lpString1="-HQ50Y79h.pptx", lpString2="Windows") returned -1 [0150.112] lstrcmpiW (lpString1="-HQ50Y79h.pptx", lpString2="Program Files") returned -1 [0150.112] lstrcmpiW (lpString1="-HQ50Y79h.pptx", lpString2="Program Files (x86)") returned -1 [0150.112] lstrcmpiW (lpString1="-HQ50Y79h.pptx", lpString2="$Recycle.bin") returned 1 [0150.112] lstrcmpiW (lpString1="-HQ50Y79h.pptx", lpString2="System Volume Information") returned -1 [0150.112] lstrcmpiW (lpString1="-HQ50Y79h.pptx", lpString2=".") returned 1 [0150.112] lstrcmpiW (lpString1="-HQ50Y79h.pptx", lpString2="..") returned 1 [0150.112] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-HQ50Y79h.pptx") returned 58 [0150.112] lstrcmpW (lpString1="-HQ50Y79h.pptx", lpString2="PUSSY.TXT") returned -1 [0150.112] PathFindExtensionW (pszPath="-HQ50Y79h.pptx") returned=".pptx" [0150.112] lstrlenW (lpString=".pptx") returned 5 [0150.112] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0150.112] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-HQ50Y79h.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-hq50y79h.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0150.113] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=58887) returned 1 [0150.113] GetProcessHeap () returned 0x4c0000 [0150.113] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0150.123] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="1C") returned 2 [0150.123] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="F2") returned 2 [0150.123] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="90") returned 2 [0150.123] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="FF") returned 2 [0150.123] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="63") returned 2 [0150.123] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="42") returned 2 [0150.123] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="99") returned 2 [0150.123] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="28") returned 2 [0150.123] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="7A") returned 2 [0150.123] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="AA") returned 2 [0150.123] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="8F") returned 2 [0150.123] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="21") returned 2 [0150.123] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="F1") returned 2 [0150.123] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="55") returned 2 [0150.123] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="22") returned 2 [0150.123] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="E1") returned 2 [0150.123] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="24") returned 2 [0150.123] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="0F") returned 2 [0150.123] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="EC") returned 2 [0150.123] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="49") returned 2 [0150.123] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="10") returned 2 [0150.123] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="19") returned 2 [0150.123] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="07") returned 2 [0150.123] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="26") returned 2 [0150.123] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="AE") returned 2 [0150.123] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="2A") returned 2 [0150.123] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="C1") returned 2 [0150.123] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="49") returned 2 [0150.123] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="4D") returned 2 [0150.124] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="CB") returned 2 [0150.124] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="BD") returned 2 [0150.124] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="4B") returned 2 [0150.180] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-HQ50Y79h.pptx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-HQ50Y79h.pptx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-HQ50Y79h.pptx" [0150.180] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-HQ50Y79h.pptx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-HQ50Y79h.pptx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-HQ50Y79h.pptx" [0150.180] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-HQ50Y79h.pptx", lpString2=".1CF290FF634299287AAA8F21F15522E1240FEC4910190726AE2AC1494DCBBD4B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-HQ50Y79h.pptx.1CF290FF634299287AAA8F21F15522E1240FEC4910190726AE2AC1494DCBBD4B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-HQ50Y79h.pptx.1CF290FF634299287AAA8F21F15522E1240FEC4910190726AE2AC1494DCBBD4B" [0150.180] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0150.180] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0150.218] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf9b9d70, ftCreationTime.dwHighDateTime=0x1d5b614, ftLastAccessTime.dwLowDateTime=0x70e00a20, ftLastAccessTime.dwHighDateTime=0x1d56962, ftLastWriteTime.dwLowDateTime=0x70e00a20, ftLastWriteTime.dwHighDateTime=0x1d56962, nFileSizeHigh=0x0, nFileSizeLow=0xb939, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="1e6jlo2AwZK5Na.xlsx", cAlternateFileName="1E6JLO~1.XLS")) returned 1 [0150.218] lstrcmpiW (lpString1="1e6jlo2AwZK5Na.xlsx", lpString2="Windows") returned -1 [0150.218] lstrcmpiW (lpString1="1e6jlo2AwZK5Na.xlsx", lpString2="Program Files") returned -1 [0150.218] lstrcmpiW (lpString1="1e6jlo2AwZK5Na.xlsx", lpString2="Program Files (x86)") returned -1 [0150.218] lstrcmpiW (lpString1="1e6jlo2AwZK5Na.xlsx", lpString2="$Recycle.bin") returned 1 [0150.218] lstrcmpiW (lpString1="1e6jlo2AwZK5Na.xlsx", lpString2="System Volume Information") returned -1 [0150.218] lstrcmpiW (lpString1="1e6jlo2AwZK5Na.xlsx", lpString2=".") returned 1 [0150.218] lstrcmpiW (lpString1="1e6jlo2AwZK5Na.xlsx", lpString2="..") returned 1 [0150.218] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\1e6jlo2AwZK5Na.xlsx") returned 63 [0150.218] lstrcmpW (lpString1="1e6jlo2AwZK5Na.xlsx", lpString2="PUSSY.TXT") returned -1 [0150.218] PathFindExtensionW (pszPath="1e6jlo2AwZK5Na.xlsx") returned=".xlsx" [0150.218] lstrlenW (lpString=".xlsx") returned 5 [0150.218] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0150.218] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\1e6jlo2AwZK5Na.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\1e6jlo2awzk5na.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0150.219] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=47417) returned 1 [0150.219] GetProcessHeap () returned 0x4c0000 [0150.219] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0150.227] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="5A") returned 2 [0150.227] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="30") returned 2 [0150.227] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="B1") returned 2 [0150.227] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="C9") returned 2 [0150.227] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="A4") returned 2 [0150.227] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="AB") returned 2 [0150.227] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="91") returned 2 [0150.228] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="1E") returned 2 [0150.228] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="84") returned 2 [0150.228] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="AD") returned 2 [0150.228] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="EA") returned 2 [0150.228] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="2A") returned 2 [0150.228] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="1A") returned 2 [0150.228] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="E6") returned 2 [0150.228] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="EB") returned 2 [0150.228] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="DE") returned 2 [0150.228] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="67") returned 2 [0150.228] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="59") returned 2 [0150.228] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="FA") returned 2 [0150.228] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="82") returned 2 [0150.228] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="5E") returned 2 [0150.228] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="03") returned 2 [0150.228] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="7A") returned 2 [0150.228] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="9A") returned 2 [0150.228] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="AD") returned 2 [0150.228] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="1A") returned 2 [0150.228] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="9C") returned 2 [0150.228] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="38") returned 2 [0150.228] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="3B") returned 2 [0150.228] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="18") returned 2 [0150.228] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="0A") returned 2 [0150.228] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="4E") returned 2 [0150.236] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\1e6jlo2AwZK5Na.xlsx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\1e6jlo2AwZK5Na.xlsx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\1e6jlo2AwZK5Na.xlsx" [0150.237] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\1e6jlo2AwZK5Na.xlsx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\1e6jlo2AwZK5Na.xlsx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\1e6jlo2AwZK5Na.xlsx" [0150.237] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\1e6jlo2AwZK5Na.xlsx", lpString2=".5A30B1C9A4AB911E84ADEA2A1AE6EBDE6759FA825E037A9AAD1A9C383B180A4E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\1e6jlo2AwZK5Na.xlsx.5A30B1C9A4AB911E84ADEA2A1AE6EBDE6759FA825E037A9AAD1A9C383B180A4E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\1e6jlo2AwZK5Na.xlsx.5A30B1C9A4AB911E84ADEA2A1AE6EBDE6759FA825E037A9AAD1A9C383B180A4E" [0150.237] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0150.237] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0150.270] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xacdc3be0, ftCreationTime.dwHighDateTime=0x1d582ba, ftLastAccessTime.dwLowDateTime=0xefda4790, ftLastAccessTime.dwHighDateTime=0x1d5be18, ftLastWriteTime.dwLowDateTime=0xefda4790, ftLastWriteTime.dwHighDateTime=0x1d5be18, nFileSizeHigh=0x0, nFileSizeLow=0x5a3e, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="6agQ.docx", cAlternateFileName="6AGQ~1.DOC")) returned 1 [0150.270] lstrcmpiW (lpString1="6agQ.docx", lpString2="Windows") returned -1 [0150.270] lstrcmpiW (lpString1="6agQ.docx", lpString2="Program Files") returned -1 [0150.270] lstrcmpiW (lpString1="6agQ.docx", lpString2="Program Files (x86)") returned -1 [0150.270] lstrcmpiW (lpString1="6agQ.docx", lpString2="$Recycle.bin") returned 1 [0150.270] lstrcmpiW (lpString1="6agQ.docx", lpString2="System Volume Information") returned -1 [0150.270] lstrcmpiW (lpString1="6agQ.docx", lpString2=".") returned 1 [0150.270] lstrcmpiW (lpString1="6agQ.docx", lpString2="..") returned 1 [0150.270] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\6agQ.docx") returned 53 [0150.270] lstrcmpW (lpString1="6agQ.docx", lpString2="PUSSY.TXT") returned -1 [0150.270] PathFindExtensionW (pszPath="6agQ.docx") returned=".docx" [0150.270] lstrlenW (lpString=".docx") returned 5 [0150.270] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0150.270] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\6agQ.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\6agq.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0150.271] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=23102) returned 1 [0150.271] GetProcessHeap () returned 0x4c0000 [0150.271] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0150.284] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="3B") returned 2 [0150.284] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="0B") returned 2 [0150.284] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="E4") returned 2 [0150.284] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="67") returned 2 [0150.284] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="65") returned 2 [0150.284] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="9B") returned 2 [0150.284] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="31") returned 2 [0150.284] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="CE") returned 2 [0150.284] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="11") returned 2 [0150.284] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="FB") returned 2 [0150.284] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="17") returned 2 [0150.284] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="60") returned 2 [0150.284] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="DC") returned 2 [0150.284] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="FD") returned 2 [0150.284] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="A6") returned 2 [0150.284] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="D2") returned 2 [0150.284] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="76") returned 2 [0150.284] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="8B") returned 2 [0150.284] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="DA") returned 2 [0150.284] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="F5") returned 2 [0150.284] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="DF") returned 2 [0150.285] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="80") returned 2 [0150.285] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="D9") returned 2 [0150.285] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="1A") returned 2 [0150.285] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="97") returned 2 [0150.285] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="26") returned 2 [0150.285] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="65") returned 2 [0150.285] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="56") returned 2 [0150.285] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="3C") returned 2 [0150.285] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="B9") returned 2 [0150.285] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="74") returned 2 [0150.285] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="02") returned 2 [0150.297] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\6agQ.docx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\6agQ.docx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\6agQ.docx" [0150.297] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\6agQ.docx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\6agQ.docx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\6agQ.docx" [0150.297] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\6agQ.docx", lpString2=".3B0BE467659B31CE11FB1760DCFDA6D2768BDAF5DF80D91A972665563CB97402" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\6agQ.docx.3B0BE467659B31CE11FB1760DCFDA6D2768BDAF5DF80D91A972665563CB97402") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\6agQ.docx.3B0BE467659B31CE11FB1760DCFDA6D2768BDAF5DF80D91A972665563CB97402" [0150.297] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0150.297] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0150.331] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d207440, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0150.331] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0150.331] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0150.331] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0150.331] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0150.331] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0150.331] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0150.331] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0150.332] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini") returned 55 [0150.332] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0150.332] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0150.332] lstrlenW (lpString=".ini") returned 4 [0150.332] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0150.332] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0150.333] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=402) returned 1 [0150.333] CloseHandle (hObject=0x120) returned 1 [0150.333] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf72f3f20, ftCreationTime.dwHighDateTime=0x1d5c3c5, ftLastAccessTime.dwLowDateTime=0xba978940, ftLastAccessTime.dwHighDateTime=0x1d5d997, ftLastWriteTime.dwLowDateTime=0xba978940, ftLastWriteTime.dwHighDateTime=0x1d5d997, nFileSizeHigh=0x0, nFileSizeLow=0x21fa, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="Ecc0L4E.xlsx", cAlternateFileName="ECC0L4~1.XLS")) returned 1 [0150.333] lstrcmpiW (lpString1="Ecc0L4E.xlsx", lpString2="Windows") returned -1 [0150.333] lstrcmpiW (lpString1="Ecc0L4E.xlsx", lpString2="Program Files") returned -1 [0150.333] lstrcmpiW (lpString1="Ecc0L4E.xlsx", lpString2="Program Files (x86)") returned -1 [0150.333] lstrcmpiW (lpString1="Ecc0L4E.xlsx", lpString2="$Recycle.bin") returned 1 [0150.333] lstrcmpiW (lpString1="Ecc0L4E.xlsx", lpString2="System Volume Information") returned -1 [0150.333] lstrcmpiW (lpString1="Ecc0L4E.xlsx", lpString2=".") returned 1 [0150.333] lstrcmpiW (lpString1="Ecc0L4E.xlsx", lpString2="..") returned 1 [0150.333] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Ecc0L4E.xlsx") returned 56 [0150.333] lstrcmpW (lpString1="Ecc0L4E.xlsx", lpString2="PUSSY.TXT") returned -1 [0150.333] PathFindExtensionW (pszPath="Ecc0L4E.xlsx") returned=".xlsx" [0150.333] lstrlenW (lpString=".xlsx") returned 5 [0150.333] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0150.333] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Ecc0L4E.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ecc0l4e.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0150.334] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=8698) returned 1 [0150.334] GetProcessHeap () returned 0x4c0000 [0150.334] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0150.346] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="4C") returned 2 [0150.346] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="11") returned 2 [0150.346] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="C2") returned 2 [0150.346] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="3A") returned 2 [0150.346] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="08") returned 2 [0150.346] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="A1") returned 2 [0150.346] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="0F") returned 2 [0150.346] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="10") returned 2 [0150.346] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="68") returned 2 [0150.346] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="19") returned 2 [0150.346] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="B3") returned 2 [0150.346] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="04") returned 2 [0150.347] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="CF") returned 2 [0150.347] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="0A") returned 2 [0150.347] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="EC") returned 2 [0150.347] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="98") returned 2 [0150.347] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="94") returned 2 [0150.347] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="0B") returned 2 [0150.347] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="93") returned 2 [0150.347] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="8D") returned 2 [0150.347] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="A4") returned 2 [0150.347] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="E9") returned 2 [0150.347] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="44") returned 2 [0150.347] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="F2") returned 2 [0150.347] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="E9") returned 2 [0150.347] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="30") returned 2 [0150.347] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="CD") returned 2 [0150.347] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="64") returned 2 [0150.347] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="3D") returned 2 [0150.347] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="8E") returned 2 [0150.347] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="9B") returned 2 [0150.347] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="61") returned 2 [0150.360] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Ecc0L4E.xlsx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Ecc0L4E.xlsx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Ecc0L4E.xlsx" [0150.360] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Ecc0L4E.xlsx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Ecc0L4E.xlsx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Ecc0L4E.xlsx" [0150.360] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Ecc0L4E.xlsx", lpString2=".4C11C23A08A10F106819B304CF0AEC98940B938DA4E944F2E930CD643D8E9B61" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Ecc0L4E.xlsx.4C11C23A08A10F106819B304CF0AEC98940B938DA4E944F2E930CD643D8E9B61") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Ecc0L4E.xlsx.4C11C23A08A10F106819B304CF0AEC98940B938DA4E944F2E930CD643D8E9B61" [0150.360] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0150.360] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0150.373] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2b41220, ftCreationTime.dwHighDateTime=0x1d5a049, ftLastAccessTime.dwLowDateTime=0xab3de9f0, ftLastAccessTime.dwHighDateTime=0x1d5a871, ftLastWriteTime.dwLowDateTime=0xab3de9f0, ftLastWriteTime.dwHighDateTime=0x1d5a871, nFileSizeHigh=0x0, nFileSizeLow=0x811, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="ed4Ncr.docx", cAlternateFileName="ED4NCR~1.DOC")) returned 1 [0150.373] lstrcmpiW (lpString1="ed4Ncr.docx", lpString2="Windows") returned -1 [0150.373] lstrcmpiW (lpString1="ed4Ncr.docx", lpString2="Program Files") returned -1 [0150.373] lstrcmpiW (lpString1="ed4Ncr.docx", lpString2="Program Files (x86)") returned -1 [0150.373] lstrcmpiW (lpString1="ed4Ncr.docx", lpString2="$Recycle.bin") returned 1 [0150.373] lstrcmpiW (lpString1="ed4Ncr.docx", lpString2="System Volume Information") returned -1 [0150.373] lstrcmpiW (lpString1="ed4Ncr.docx", lpString2=".") returned 1 [0150.373] lstrcmpiW (lpString1="ed4Ncr.docx", lpString2="..") returned 1 [0150.373] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ed4Ncr.docx") returned 55 [0150.375] lstrcmpW (lpString1="ed4Ncr.docx", lpString2="PUSSY.TXT") returned -1 [0150.378] PathFindExtensionW (pszPath="ed4Ncr.docx") returned=".docx" [0150.378] lstrlenW (lpString=".docx") returned 5 [0150.378] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0150.378] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ed4Ncr.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ed4ncr.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0150.379] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=2065) returned 1 [0150.379] GetProcessHeap () returned 0x4c0000 [0150.379] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0150.391] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="9C") returned 2 [0150.391] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="60") returned 2 [0150.391] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="C9") returned 2 [0150.391] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="11") returned 2 [0150.391] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="1D") returned 2 [0150.391] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="A3") returned 2 [0150.391] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="FE") returned 2 [0150.391] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="3D") returned 2 [0150.391] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="AD") returned 2 [0150.391] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="D7") returned 2 [0150.391] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="86") returned 2 [0150.391] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="EE") returned 2 [0150.391] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="B2") returned 2 [0150.391] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="31") returned 2 [0150.391] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="2F") returned 2 [0150.391] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="D7") returned 2 [0150.391] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="CB") returned 2 [0150.391] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="A4") returned 2 [0150.391] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="BF") returned 2 [0150.391] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="6A") returned 2 [0150.391] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="2A") returned 2 [0150.392] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="6E") returned 2 [0150.392] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="C2") returned 2 [0150.392] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="9F") returned 2 [0150.392] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="07") returned 2 [0150.392] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="20") returned 2 [0150.392] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="A0") returned 2 [0150.392] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="4D") returned 2 [0150.392] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="55") returned 2 [0150.392] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="A5") returned 2 [0150.392] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="C5") returned 2 [0150.392] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="0C") returned 2 [0150.466] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ed4Ncr.docx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ed4Ncr.docx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ed4Ncr.docx" [0150.466] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ed4Ncr.docx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ed4Ncr.docx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ed4Ncr.docx" [0150.466] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ed4Ncr.docx", lpString2=".9C60C9111DA3FE3DADD786EEB2312FD7CBA4BF6A2A6EC29F0720A04D55A5C50C" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ed4Ncr.docx.9C60C9111DA3FE3DADD786EEB2312FD7CBA4BF6A2A6EC29F0720A04D55A5C50C") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ed4Ncr.docx.9C60C9111DA3FE3DADD786EEB2312FD7CBA4BF6A2A6EC29F0720A04D55A5C50C" [0150.466] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0150.466] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0150.474] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb80188f0, ftCreationTime.dwHighDateTime=0x1d5e678, ftLastAccessTime.dwLowDateTime=0xbf2a7640, ftLastAccessTime.dwHighDateTime=0x1d5e408, ftLastWriteTime.dwLowDateTime=0xbf2a7640, ftLastWriteTime.dwHighDateTime=0x1d5e408, nFileSizeHigh=0x0, nFileSizeLow=0xd98e, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="F jHWaq.xlsx", cAlternateFileName="FJHWAQ~1.XLS")) returned 1 [0150.474] lstrcmpiW (lpString1="F jHWaq.xlsx", lpString2="Windows") returned -1 [0150.474] lstrcmpiW (lpString1="F jHWaq.xlsx", lpString2="Program Files") returned -1 [0150.474] lstrcmpiW (lpString1="F jHWaq.xlsx", lpString2="Program Files (x86)") returned -1 [0150.474] lstrcmpiW (lpString1="F jHWaq.xlsx", lpString2="$Recycle.bin") returned 1 [0150.474] lstrcmpiW (lpString1="F jHWaq.xlsx", lpString2="System Volume Information") returned -1 [0150.474] lstrcmpiW (lpString1="F jHWaq.xlsx", lpString2=".") returned 1 [0150.474] lstrcmpiW (lpString1="F jHWaq.xlsx", lpString2="..") returned 1 [0150.474] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\F jHWaq.xlsx") returned 56 [0150.474] lstrcmpW (lpString1="F jHWaq.xlsx", lpString2="PUSSY.TXT") returned -1 [0150.474] PathFindExtensionW (pszPath="F jHWaq.xlsx") returned=".xlsx" [0150.474] lstrlenW (lpString=".xlsx") returned 5 [0150.474] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0150.475] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\F jHWaq.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\f jhwaq.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0150.476] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=55694) returned 1 [0150.476] GetProcessHeap () returned 0x4c0000 [0150.476] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0150.486] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="8C") returned 2 [0150.486] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="BB") returned 2 [0150.486] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="83") returned 2 [0150.486] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="00") returned 2 [0150.486] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="24") returned 2 [0150.486] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="6B") returned 2 [0150.486] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="B4") returned 2 [0150.486] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="69") returned 2 [0150.486] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="A2") returned 2 [0150.486] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="B9") returned 2 [0150.486] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="EC") returned 2 [0150.486] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="CB") returned 2 [0150.486] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="4C") returned 2 [0150.486] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="C8") returned 2 [0150.486] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="87") returned 2 [0150.487] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="D7") returned 2 [0150.487] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="A5") returned 2 [0150.487] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="93") returned 2 [0150.487] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="9E") returned 2 [0150.487] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="7D") returned 2 [0150.487] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="6D") returned 2 [0150.487] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="96") returned 2 [0150.487] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="5F") returned 2 [0150.487] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="EF") returned 2 [0150.487] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="85") returned 2 [0150.487] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="0E") returned 2 [0150.487] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="DF") returned 2 [0150.487] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="09") returned 2 [0150.487] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="4D") returned 2 [0150.487] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="DD") returned 2 [0150.487] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="EA") returned 2 [0150.487] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="32") returned 2 [0150.498] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\F jHWaq.xlsx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\F jHWaq.xlsx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\F jHWaq.xlsx" [0150.498] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\F jHWaq.xlsx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\F jHWaq.xlsx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\F jHWaq.xlsx" [0150.498] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\F jHWaq.xlsx", lpString2=".8CBB8300246BB469A2B9ECCB4CC887D7A5939E7D6D965FEF850EDF094DDDEA32" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\F jHWaq.xlsx.8CBB8300246BB469A2B9ECCB4CC887D7A5939E7D6D965FEF850EDF094DDDEA32") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\F jHWaq.xlsx.8CBB8300246BB469A2B9ECCB4CC887D7A5939E7D6D965FEF850EDF094DDDEA32" [0150.498] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0150.498] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0150.530] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x962011e0, ftCreationTime.dwHighDateTime=0x1d574e3, ftLastAccessTime.dwLowDateTime=0x16192320, ftLastAccessTime.dwHighDateTime=0x1d57fd7, ftLastWriteTime.dwLowDateTime=0x16192320, ftLastWriteTime.dwHighDateTime=0x1d57fd7, nFileSizeHigh=0x0, nFileSizeLow=0x1357, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="iCizVMn37xQp.docx", cAlternateFileName="ICIZVM~1.DOC")) returned 1 [0150.530] lstrcmpiW (lpString1="iCizVMn37xQp.docx", lpString2="Windows") returned -1 [0150.530] lstrcmpiW (lpString1="iCizVMn37xQp.docx", lpString2="Program Files") returned -1 [0150.530] lstrcmpiW (lpString1="iCizVMn37xQp.docx", lpString2="Program Files (x86)") returned -1 [0150.530] lstrcmpiW (lpString1="iCizVMn37xQp.docx", lpString2="$Recycle.bin") returned 1 [0150.531] lstrcmpiW (lpString1="iCizVMn37xQp.docx", lpString2="System Volume Information") returned -1 [0150.531] lstrcmpiW (lpString1="iCizVMn37xQp.docx", lpString2=".") returned 1 [0150.531] lstrcmpiW (lpString1="iCizVMn37xQp.docx", lpString2="..") returned 1 [0150.531] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\iCizVMn37xQp.docx") returned 61 [0150.531] lstrcmpW (lpString1="iCizVMn37xQp.docx", lpString2="PUSSY.TXT") returned -1 [0150.531] PathFindExtensionW (pszPath="iCizVMn37xQp.docx") returned=".docx" [0150.531] lstrlenW (lpString=".docx") returned 5 [0150.531] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0150.531] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\iCizVMn37xQp.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\icizvmn37xqp.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0150.532] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=4951) returned 1 [0150.532] GetProcessHeap () returned 0x4c0000 [0150.532] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0150.540] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="7A") returned 2 [0150.540] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="FF") returned 2 [0150.540] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="BE") returned 2 [0150.540] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="10") returned 2 [0150.540] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="BC") returned 2 [0150.540] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="1D") returned 2 [0150.540] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="01") returned 2 [0150.540] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="8F") returned 2 [0150.540] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="F3") returned 2 [0150.540] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="19") returned 2 [0150.540] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="D6") returned 2 [0150.540] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="8C") returned 2 [0150.540] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="59") returned 2 [0150.540] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="AC") returned 2 [0150.540] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="57") returned 2 [0150.540] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="2D") returned 2 [0150.540] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="96") returned 2 [0150.540] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="A3") returned 2 [0150.540] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="C1") returned 2 [0150.541] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="46") returned 2 [0150.541] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="28") returned 2 [0150.541] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="B6") returned 2 [0150.541] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="74") returned 2 [0150.541] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="9C") returned 2 [0150.541] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="12") returned 2 [0150.541] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="5A") returned 2 [0150.541] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="A5") returned 2 [0150.541] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="C6") returned 2 [0150.541] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="53") returned 2 [0150.541] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="0F") returned 2 [0150.541] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="A3") returned 2 [0150.541] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="6A") returned 2 [0150.549] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\iCizVMn37xQp.docx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\iCizVMn37xQp.docx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\iCizVMn37xQp.docx" [0150.549] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\iCizVMn37xQp.docx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\iCizVMn37xQp.docx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\iCizVMn37xQp.docx" [0150.549] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\iCizVMn37xQp.docx", lpString2=".7AFFBE10BC1D018FF319D68C59AC572D96A3C14628B6749C125AA5C6530FA36A" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\iCizVMn37xQp.docx.7AFFBE10BC1D018FF319D68C59AC572D96A3C14628B6749C125AA5C6530FA36A") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\iCizVMn37xQp.docx.7AFFBE10BC1D018FF319D68C59AC572D96A3C14628B6749C125AA5C6530FA36A" [0150.549] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0150.549] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0150.557] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae0592f0, ftCreationTime.dwHighDateTime=0x1d5bd4d, ftLastAccessTime.dwLowDateTime=0x698174c0, ftLastAccessTime.dwHighDateTime=0x1d5ab76, ftLastWriteTime.dwLowDateTime=0x698174c0, ftLastWriteTime.dwHighDateTime=0x1d5ab76, nFileSizeHigh=0x0, nFileSizeLow=0x4272, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="KNANQ59bINsR fD2hz1x.docx", cAlternateFileName="KNANQ5~1.DOC")) returned 1 [0150.557] lstrcmpiW (lpString1="KNANQ59bINsR fD2hz1x.docx", lpString2="Windows") returned -1 [0150.557] lstrcmpiW (lpString1="KNANQ59bINsR fD2hz1x.docx", lpString2="Program Files") returned -1 [0150.557] lstrcmpiW (lpString1="KNANQ59bINsR fD2hz1x.docx", lpString2="Program Files (x86)") returned -1 [0150.557] lstrcmpiW (lpString1="KNANQ59bINsR fD2hz1x.docx", lpString2="$Recycle.bin") returned 1 [0150.557] lstrcmpiW (lpString1="KNANQ59bINsR fD2hz1x.docx", lpString2="System Volume Information") returned -1 [0150.557] lstrcmpiW (lpString1="KNANQ59bINsR fD2hz1x.docx", lpString2=".") returned 1 [0150.557] lstrcmpiW (lpString1="KNANQ59bINsR fD2hz1x.docx", lpString2="..") returned 1 [0150.557] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KNANQ59bINsR fD2hz1x.docx") returned 69 [0150.557] lstrcmpW (lpString1="KNANQ59bINsR fD2hz1x.docx", lpString2="PUSSY.TXT") returned -1 [0150.557] PathFindExtensionW (pszPath="KNANQ59bINsR fD2hz1x.docx") returned=".docx" [0150.557] lstrlenW (lpString=".docx") returned 5 [0150.558] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0150.558] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KNANQ59bINsR fD2hz1x.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\knanq59binsr fd2hz1x.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0150.558] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=17010) returned 1 [0150.558] GetProcessHeap () returned 0x4c0000 [0150.558] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0150.567] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="D9") returned 2 [0150.567] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="A2") returned 2 [0150.567] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="EE") returned 2 [0150.567] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="EF") returned 2 [0150.567] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="B3") returned 2 [0150.567] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="8C") returned 2 [0150.567] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="07") returned 2 [0150.567] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="9D") returned 2 [0150.567] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="B2") returned 2 [0150.567] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="04") returned 2 [0150.567] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="35") returned 2 [0150.567] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="D8") returned 2 [0150.567] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="11") returned 2 [0150.567] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="27") returned 2 [0150.567] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="3E") returned 2 [0150.567] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="A6") returned 2 [0150.567] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="F1") returned 2 [0150.567] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="11") returned 2 [0150.567] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="D2") returned 2 [0150.567] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="F4") returned 2 [0150.567] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="2F") returned 2 [0150.567] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="17") returned 2 [0150.567] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="24") returned 2 [0150.567] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="61") returned 2 [0150.567] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="38") returned 2 [0150.567] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="43") returned 2 [0150.567] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="02") returned 2 [0150.567] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="B1") returned 2 [0150.567] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="79") returned 2 [0150.567] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="AE") returned 2 [0150.567] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="FD") returned 2 [0150.567] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="5D") returned 2 [0150.575] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KNANQ59bINsR fD2hz1x.docx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KNANQ59bINsR fD2hz1x.docx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KNANQ59bINsR fD2hz1x.docx" [0150.575] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KNANQ59bINsR fD2hz1x.docx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KNANQ59bINsR fD2hz1x.docx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KNANQ59bINsR fD2hz1x.docx" [0150.576] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KNANQ59bINsR fD2hz1x.docx", lpString2=".D9A2EEEFB38C079DB20435D811273EA6F111D2F42F172461384302B179AEFD5D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KNANQ59bINsR fD2hz1x.docx.D9A2EEEFB38C079DB20435D811273EA6F111D2F42F172461384302B179AEFD5D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KNANQ59bINsR fD2hz1x.docx.D9A2EEEFB38C079DB20435D811273EA6F111D2F42F172461384302B179AEFD5D" [0150.576] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0150.576] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0150.594] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x228780b0, ftCreationTime.dwHighDateTime=0x1d58dcf, ftLastAccessTime.dwLowDateTime=0xbdf773d0, ftLastAccessTime.dwHighDateTime=0x1d574d3, ftLastWriteTime.dwLowDateTime=0xbdf773d0, ftLastWriteTime.dwHighDateTime=0x1d574d3, nFileSizeHigh=0x0, nFileSizeLow=0xa653, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="KOsd6Ahis5aG9Xb2Z.xlsx", cAlternateFileName="KOSD6A~1.XLS")) returned 1 [0150.594] lstrcmpiW (lpString1="KOsd6Ahis5aG9Xb2Z.xlsx", lpString2="Windows") returned -1 [0150.594] lstrcmpiW (lpString1="KOsd6Ahis5aG9Xb2Z.xlsx", lpString2="Program Files") returned -1 [0150.594] lstrcmpiW (lpString1="KOsd6Ahis5aG9Xb2Z.xlsx", lpString2="Program Files (x86)") returned -1 [0150.594] lstrcmpiW (lpString1="KOsd6Ahis5aG9Xb2Z.xlsx", lpString2="$Recycle.bin") returned 1 [0150.594] lstrcmpiW (lpString1="KOsd6Ahis5aG9Xb2Z.xlsx", lpString2="System Volume Information") returned -1 [0150.594] lstrcmpiW (lpString1="KOsd6Ahis5aG9Xb2Z.xlsx", lpString2=".") returned 1 [0150.594] lstrcmpiW (lpString1="KOsd6Ahis5aG9Xb2Z.xlsx", lpString2="..") returned 1 [0150.594] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KOsd6Ahis5aG9Xb2Z.xlsx") returned 66 [0150.594] lstrcmpW (lpString1="KOsd6Ahis5aG9Xb2Z.xlsx", lpString2="PUSSY.TXT") returned -1 [0150.594] PathFindExtensionW (pszPath="KOsd6Ahis5aG9Xb2Z.xlsx") returned=".xlsx" [0150.594] lstrlenW (lpString=".xlsx") returned 5 [0150.594] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0150.594] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KOsd6Ahis5aG9Xb2Z.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kosd6ahis5ag9xb2z.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0150.595] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=42579) returned 1 [0150.595] GetProcessHeap () returned 0x4c0000 [0150.595] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0150.603] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="25") returned 2 [0150.603] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="8E") returned 2 [0150.603] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="7B") returned 2 [0150.603] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="45") returned 2 [0150.604] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="5D") returned 2 [0150.604] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="F5") returned 2 [0150.604] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="6D") returned 2 [0150.604] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="9C") returned 2 [0150.604] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="D1") returned 2 [0150.604] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="39") returned 2 [0150.604] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="46") returned 2 [0150.604] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="A4") returned 2 [0150.604] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="01") returned 2 [0150.604] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="E4") returned 2 [0150.604] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="56") returned 2 [0150.604] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="33") returned 2 [0150.604] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="B2") returned 2 [0150.604] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="BA") returned 2 [0150.604] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="3A") returned 2 [0150.604] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="B3") returned 2 [0150.604] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="46") returned 2 [0150.604] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="D8") returned 2 [0150.604] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="C2") returned 2 [0150.604] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="C0") returned 2 [0150.604] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="ED") returned 2 [0150.604] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="8F") returned 2 [0150.604] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="B4") returned 2 [0150.604] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="35") returned 2 [0150.604] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="DA") returned 2 [0150.604] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="1B") returned 2 [0150.604] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="E7") returned 2 [0150.604] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="1F") returned 2 [0150.613] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KOsd6Ahis5aG9Xb2Z.xlsx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KOsd6Ahis5aG9Xb2Z.xlsx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KOsd6Ahis5aG9Xb2Z.xlsx" [0150.613] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KOsd6Ahis5aG9Xb2Z.xlsx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KOsd6Ahis5aG9Xb2Z.xlsx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KOsd6Ahis5aG9Xb2Z.xlsx" [0150.613] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KOsd6Ahis5aG9Xb2Z.xlsx", lpString2=".258E7B455DF56D9CD13946A401E45633B2BA3AB346D8C2C0ED8FB435DA1BE71F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KOsd6Ahis5aG9Xb2Z.xlsx.258E7B455DF56D9CD13946A401E45633B2BA3AB346D8C2C0ED8FB435DA1BE71F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KOsd6Ahis5aG9Xb2Z.xlsx.258E7B455DF56D9CD13946A401E45633B2BA3AB346D8C2C0ED8FB435DA1BE71F" [0150.613] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0150.613] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0150.648] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4fff7240, ftCreationTime.dwHighDateTime=0x1d5a1f8, ftLastAccessTime.dwLowDateTime=0x7aaff000, ftLastAccessTime.dwHighDateTime=0x1d57a84, ftLastWriteTime.dwLowDateTime=0x7aaff000, ftLastWriteTime.dwHighDateTime=0x1d57a84, nFileSizeHigh=0x0, nFileSizeLow=0x81bc, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="lEbTOgfk.docx", cAlternateFileName="LEBTOG~1.DOC")) returned 1 [0150.648] lstrcmpiW (lpString1="lEbTOgfk.docx", lpString2="Windows") returned -1 [0150.648] lstrcmpiW (lpString1="lEbTOgfk.docx", lpString2="Program Files") returned -1 [0150.648] lstrcmpiW (lpString1="lEbTOgfk.docx", lpString2="Program Files (x86)") returned -1 [0150.648] lstrcmpiW (lpString1="lEbTOgfk.docx", lpString2="$Recycle.bin") returned 1 [0150.648] lstrcmpiW (lpString1="lEbTOgfk.docx", lpString2="System Volume Information") returned -1 [0150.648] lstrcmpiW (lpString1="lEbTOgfk.docx", lpString2=".") returned 1 [0150.648] lstrcmpiW (lpString1="lEbTOgfk.docx", lpString2="..") returned 1 [0150.648] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\lEbTOgfk.docx") returned 57 [0150.648] lstrcmpW (lpString1="lEbTOgfk.docx", lpString2="PUSSY.TXT") returned -1 [0150.648] PathFindExtensionW (pszPath="lEbTOgfk.docx") returned=".docx" [0150.648] lstrlenW (lpString=".docx") returned 5 [0150.648] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0150.648] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\lEbTOgfk.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\lebtogfk.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0150.649] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=33212) returned 1 [0150.649] GetProcessHeap () returned 0x4c0000 [0150.649] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0150.658] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="8D") returned 2 [0150.658] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="8B") returned 2 [0150.658] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="A9") returned 2 [0150.658] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="23") returned 2 [0150.658] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="54") returned 2 [0150.658] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="1B") returned 2 [0150.658] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="75") returned 2 [0150.658] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="19") returned 2 [0150.658] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="04") returned 2 [0150.658] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="00") returned 2 [0150.658] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="E0") returned 2 [0150.658] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="CC") returned 2 [0150.658] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="B6") returned 2 [0150.658] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="B9") returned 2 [0150.658] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="66") returned 2 [0150.658] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="98") returned 2 [0150.658] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="EE") returned 2 [0150.658] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="B1") returned 2 [0150.658] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="2A") returned 2 [0150.658] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="77") returned 2 [0150.658] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="E3") returned 2 [0150.658] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="33") returned 2 [0150.658] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="50") returned 2 [0150.658] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="A9") returned 2 [0150.658] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="93") returned 2 [0150.658] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="FF") returned 2 [0150.658] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="4B") returned 2 [0150.658] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="8D") returned 2 [0150.658] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="28") returned 2 [0150.658] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="74") returned 2 [0150.658] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="15") returned 2 [0150.658] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="3A") returned 2 [0150.715] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\lEbTOgfk.docx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\lEbTOgfk.docx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\lEbTOgfk.docx" [0150.715] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\lEbTOgfk.docx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\lEbTOgfk.docx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\lEbTOgfk.docx" [0150.715] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\lEbTOgfk.docx", lpString2=".8D8BA923541B75190400E0CCB6B96698EEB12A77E33350A993FF4B8D2874153A" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\lEbTOgfk.docx.8D8BA923541B75190400E0CCB6B96698EEB12A77E33350A993FF4B8D2874153A") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\lEbTOgfk.docx.8D8BA923541B75190400E0CCB6B96698EEB12A77E33350A993FF4B8D2874153A" [0150.715] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0150.715] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0150.750] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x66a24110, ftCreationTime.dwHighDateTime=0x1d5bc76, ftLastAccessTime.dwLowDateTime=0xafbf6c30, ftLastAccessTime.dwHighDateTime=0x1d5ce49, ftLastWriteTime.dwLowDateTime=0xafbf6c30, ftLastWriteTime.dwHighDateTime=0x1d5ce49, nFileSizeHigh=0x0, nFileSizeLow=0x110f, dwReserved0=0x4ddc70, dwReserved1=0x77c61b06, cFileName="lKfueVx.pptx", cAlternateFileName="LKFUEV~1.PPT")) returned 1 [0150.750] lstrcmpiW (lpString1="lKfueVx.pptx", lpString2="Windows") returned -1 [0150.750] lstrcmpiW (lpString1="lKfueVx.pptx", lpString2="Program Files") returned -1 [0150.750] lstrcmpiW (lpString1="lKfueVx.pptx", lpString2="Program Files (x86)") returned -1 [0150.750] lstrcmpiW (lpString1="lKfueVx.pptx", lpString2="$Recycle.bin") returned 1 [0150.750] lstrcmpiW (lpString1="lKfueVx.pptx", lpString2="System Volume Information") returned -1 [0150.750] lstrcmpiW (lpString1="lKfueVx.pptx", lpString2=".") returned 1 [0150.750] lstrcmpiW (lpString1="lKfueVx.pptx", lpString2="..") returned 1 [0150.750] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\lKfueVx.pptx") returned 56 [0150.750] lstrcmpW (lpString1="lKfueVx.pptx", lpString2="PUSSY.TXT") returned -1 [0150.750] PathFindExtensionW (pszPath="lKfueVx.pptx") returned=".pptx" [0150.750] lstrlenW (lpString=".pptx") returned 5 [0150.750] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0150.750] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\lKfueVx.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\lkfuevx.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0150.751] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=4367) returned 1 [0150.751] GetProcessHeap () returned 0x4c0000 [0150.751] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0150.759] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="DD") returned 2 [0150.759] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="A3") returned 2 [0150.759] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="84") returned 2 [0150.759] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="EF") returned 2 [0150.759] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="EE") returned 2 [0150.759] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="EB") returned 2 [0150.759] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="94") returned 2 [0150.759] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="68") returned 2 [0150.759] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="F0") returned 2 [0150.760] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="44") returned 2 [0150.760] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="93") returned 2 [0150.760] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="F3") returned 2 [0150.760] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="E9") returned 2 [0150.760] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="CF") returned 2 [0150.760] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="96") returned 2 [0150.760] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="6A") returned 2 [0150.760] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="50") returned 2 [0150.760] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="DD") returned 2 [0150.760] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="6F") returned 2 [0150.760] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="95") returned 2 [0150.760] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="CF") returned 2 [0150.760] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="B6") returned 2 [0150.760] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="2E") returned 2 [0150.760] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="A8") returned 2 [0150.760] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="AE") returned 2 [0150.760] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="4D") returned 2 [0150.760] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="C6") returned 2 [0150.760] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="74") returned 2 [0150.760] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="C5") returned 2 [0150.760] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="17") returned 2 [0150.760] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="3E") returned 2 [0150.760] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="33") returned 2 [0150.768] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\lKfueVx.pptx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\lKfueVx.pptx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\lKfueVx.pptx" [0150.768] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\lKfueVx.pptx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\lKfueVx.pptx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\lKfueVx.pptx" [0150.768] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\lKfueVx.pptx", lpString2=".DDA384EFEEEB9468F04493F3E9CF966A50DD6F95CFB62EA8AE4DC674C5173E33" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\lKfueVx.pptx.DDA384EFEEEB9468F04493F3E9CF966A50DD6F95CFB62EA8AE4DC674C5173E33") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\lKfueVx.pptx.DDA384EFEEEB9468F04493F3E9CF966A50DD6F95CFB62EA8AE4DC674C5173E33" [0150.768] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0150.768] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0150.779] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x290dda00, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x290dda00, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x290dda00, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0150.779] lstrcmpiW (lpString1="My Music", lpString2="Windows") returned -1 [0150.779] lstrcmpiW (lpString1="My Music", lpString2="Program Files") returned -1 [0150.779] lstrcmpiW (lpString1="My Music", lpString2="Program Files (x86)") returned -1 [0150.779] lstrcmpiW (lpString1="My Music", lpString2="$Recycle.bin") returned 1 [0150.779] lstrcmpiW (lpString1="My Music", lpString2="System Volume Information") returned -1 [0150.779] lstrcmpiW (lpString1="My Music", lpString2=".") returned 1 [0150.779] lstrcmpiW (lpString1="My Music", lpString2="..") returned 1 [0150.779] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music") returned 52 [0150.779] GetProcessHeap () returned 0x4c0000 [0150.779] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0150.780] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music" [0150.780] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music\\*" [0150.780] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0xb8b8b8, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x2e2e2e, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x3171717, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x77c5fc3a, nFileSizeHigh=0x76c17575, nFileSizeLow=0x120, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="痊盁\x94", cAlternateFileName="c")) returned 0xffffffff [0150.780] GetProcessHeap () returned 0x4c0000 [0150.780] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0150.782] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x290dda00, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x290dda00, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x290dda00, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0150.782] lstrcmpiW (lpString1="My Pictures", lpString2="Windows") returned -1 [0150.782] lstrcmpiW (lpString1="My Pictures", lpString2="Program Files") returned -1 [0150.782] lstrcmpiW (lpString1="My Pictures", lpString2="Program Files (x86)") returned -1 [0150.782] lstrcmpiW (lpString1="My Pictures", lpString2="$Recycle.bin") returned 1 [0150.782] lstrcmpiW (lpString1="My Pictures", lpString2="System Volume Information") returned -1 [0150.782] lstrcmpiW (lpString1="My Pictures", lpString2=".") returned 1 [0150.782] lstrcmpiW (lpString1="My Pictures", lpString2="..") returned 1 [0150.782] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures") returned 55 [0150.783] GetProcessHeap () returned 0x4c0000 [0150.783] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0150.783] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures" [0150.783] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures\\*" [0150.783] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0xb8b8b8, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x2e2e2e, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x3171717, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x77c5fc3a, nFileSizeHigh=0x76c17575, nFileSizeLow=0x120, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="痊盁\x94", cAlternateFileName="s")) returned 0xffffffff [0150.784] GetProcessHeap () returned 0x4c0000 [0150.784] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0150.784] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x9e9e4460, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="My Shapes", cAlternateFileName="MYSHAP~1")) returned 1 [0150.784] lstrcmpiW (lpString1="My Shapes", lpString2="Windows") returned -1 [0150.784] lstrcmpiW (lpString1="My Shapes", lpString2="Program Files") returned -1 [0150.784] lstrcmpiW (lpString1="My Shapes", lpString2="Program Files (x86)") returned -1 [0150.784] lstrcmpiW (lpString1="My Shapes", lpString2="$Recycle.bin") returned 1 [0150.784] lstrcmpiW (lpString1="My Shapes", lpString2="System Volume Information") returned -1 [0150.784] lstrcmpiW (lpString1="My Shapes", lpString2=".") returned 1 [0150.784] lstrcmpiW (lpString1="My Shapes", lpString2="..") returned 1 [0150.784] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes") returned 53 [0150.784] GetProcessHeap () returned 0x4c0000 [0150.784] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0150.784] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes" [0150.784] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\*" [0150.784] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x9e9e4460, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0150.785] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0150.785] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0150.785] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0150.785] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0150.785] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0150.785] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0150.785] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x9e9e4460, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0150.785] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0150.785] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0150.785] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0150.785] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0150.785] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0150.785] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0150.785] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0150.785] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebf97a0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0xd8, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0150.785] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0150.785] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0150.785] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0150.785] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0150.785] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0150.785] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0150.785] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0150.786] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\desktop.ini") returned 65 [0150.786] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0150.786] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0150.786] lstrlenW (lpString=".ini") returned 4 [0150.786] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0150.786] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0150.787] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=216) returned 1 [0150.788] CloseHandle (hObject=0x1b8) returned 1 [0150.788] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9e9e4460, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9e9e4460, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9e9e4460, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="Favorites.vss", cAlternateFileName="FAVORI~1.VSS")) returned 1 [0150.788] lstrcmpiW (lpString1="Favorites.vss", lpString2="Windows") returned -1 [0150.788] lstrcmpiW (lpString1="Favorites.vss", lpString2="Program Files") returned -1 [0150.788] lstrcmpiW (lpString1="Favorites.vss", lpString2="Program Files (x86)") returned -1 [0150.788] lstrcmpiW (lpString1="Favorites.vss", lpString2="$Recycle.bin") returned 1 [0150.788] lstrcmpiW (lpString1="Favorites.vss", lpString2="System Volume Information") returned -1 [0150.788] lstrcmpiW (lpString1="Favorites.vss", lpString2=".") returned 1 [0150.788] lstrcmpiW (lpString1="Favorites.vss", lpString2="..") returned 1 [0150.788] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss") returned 67 [0150.788] lstrcmpW (lpString1="Favorites.vss", lpString2="PUSSY.TXT") returned -1 [0150.788] PathFindExtensionW (pszPath="Favorites.vss") returned=".vss" [0150.788] lstrlenW (lpString=".vss") returned 4 [0150.788] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0150.788] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\favorites.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0150.789] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=0) returned 1 [0150.789] CloseHandle (hObject=0x1b8) returned 1 [0150.789] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="_private", cAlternateFileName="")) returned 1 [0150.789] lstrcmpiW (lpString1="_private", lpString2="Windows") returned -1 [0150.789] lstrcmpiW (lpString1="_private", lpString2="Program Files") returned -1 [0150.789] lstrcmpiW (lpString1="_private", lpString2="Program Files (x86)") returned -1 [0150.789] lstrcmpiW (lpString1="_private", lpString2="$Recycle.bin") returned 1 [0150.789] lstrcmpiW (lpString1="_private", lpString2="System Volume Information") returned -1 [0150.789] lstrcmpiW (lpString1="_private", lpString2=".") returned 1 [0150.789] lstrcmpiW (lpString1="_private", lpString2="..") returned 1 [0150.789] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private") returned 62 [0150.789] GetProcessHeap () returned 0x4c0000 [0150.789] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0150.790] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private" [0150.790] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\*" [0150.790] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0150.791] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0150.791] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0150.791] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0150.791] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0150.791] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0150.791] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0150.792] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0150.792] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0150.792] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0150.792] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0150.792] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0150.792] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0150.792] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0150.792] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0150.792] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebf97a0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x74e6, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="folder.ico", cAlternateFileName="")) returned 1 [0150.792] lstrcmpiW (lpString1="folder.ico", lpString2="Windows") returned -1 [0150.792] lstrcmpiW (lpString1="folder.ico", lpString2="Program Files") returned -1 [0150.792] lstrcmpiW (lpString1="folder.ico", lpString2="Program Files (x86)") returned -1 [0150.792] lstrcmpiW (lpString1="folder.ico", lpString2="$Recycle.bin") returned 1 [0150.792] lstrcmpiW (lpString1="folder.ico", lpString2="System Volume Information") returned -1 [0150.792] lstrcmpiW (lpString1="folder.ico", lpString2=".") returned 1 [0150.792] lstrcmpiW (lpString1="folder.ico", lpString2="..") returned 1 [0150.792] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico") returned 73 [0150.792] lstrcmpW (lpString1="folder.ico", lpString2="PUSSY.TXT") returned -1 [0150.792] PathFindExtensionW (pszPath="folder.ico") returned=".ico" [0150.792] lstrlenW (lpString=".ico") returned 4 [0150.792] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0150.792] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\_private\\folder.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0150.794] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=29926) returned 1 [0150.794] GetProcessHeap () returned 0x4c0000 [0150.794] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0150.808] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="5C") returned 2 [0150.808] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="21") returned 2 [0150.808] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="CA") returned 2 [0150.808] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="83") returned 2 [0150.808] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="7D") returned 2 [0150.808] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="76") returned 2 [0150.808] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="05") returned 2 [0150.808] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="EF") returned 2 [0150.808] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="FE") returned 2 [0150.808] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="39") returned 2 [0150.808] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="B9") returned 2 [0150.808] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="E6") returned 2 [0150.808] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="73") returned 2 [0150.808] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="E8") returned 2 [0150.808] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="DB") returned 2 [0150.808] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="9B") returned 2 [0150.808] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="4D") returned 2 [0150.808] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="43") returned 2 [0150.808] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="5F") returned 2 [0150.809] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="52") returned 2 [0150.809] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="0B") returned 2 [0150.809] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="38") returned 2 [0150.809] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="FC") returned 2 [0150.809] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="99") returned 2 [0150.809] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="19") returned 2 [0150.809] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="ED") returned 2 [0150.809] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="B8") returned 2 [0150.809] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="45") returned 2 [0150.809] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="E2") returned 2 [0150.809] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="A2") returned 2 [0150.809] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="B1") returned 2 [0150.809] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="48") returned 2 [0150.821] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico" [0150.821] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico" [0150.821] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico", lpString2=".5C21CA837D7605EFFE39B9E673E8DB9B4D435F520B38FC9919EDB845E2A2B148" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico.5C21CA837D7605EFFE39B9E673E8DB9B4D435F520B38FC9919EDB845E2A2B148") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico.5C21CA837D7605EFFE39B9E673E8DB9B4D435F520B38FC9919EDB845E2A2B148" [0150.821] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0150.821] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0150.821] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebf97a0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x74e6, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="folder.ico", cAlternateFileName="")) returned 0 [0150.822] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0150.822] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\PUSSY.TXT") returned 72 [0150.822] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\_private\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0150.823] lstrlenA (lpString="abcd") returned 4 [0150.823] WriteFile (in: hFile=0x1b8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0150.826] CloseHandle (hObject=0x1b8) returned 1 [0150.826] GetProcessHeap () returned 0x4c0000 [0150.827] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0150.827] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="_private", cAlternateFileName="")) returned 0 [0150.827] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0150.827] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\PUSSY.TXT") returned 63 [0150.827] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x120 [0150.828] lstrlenA (lpString="abcd") returned 4 [0150.828] WriteFile (in: hFile=0x120, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0150.829] CloseHandle (hObject=0x120) returned 1 [0150.829] GetProcessHeap () returned 0x4c0000 [0150.829] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0150.830] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x290dda00, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x290dda00, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x290dda00, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0150.830] lstrcmpiW (lpString1="My Videos", lpString2="Windows") returned -1 [0150.830] lstrcmpiW (lpString1="My Videos", lpString2="Program Files") returned -1 [0150.830] lstrcmpiW (lpString1="My Videos", lpString2="Program Files (x86)") returned -1 [0150.830] lstrcmpiW (lpString1="My Videos", lpString2="$Recycle.bin") returned 1 [0150.830] lstrcmpiW (lpString1="My Videos", lpString2="System Volume Information") returned -1 [0150.831] lstrcmpiW (lpString1="My Videos", lpString2=".") returned 1 [0150.831] lstrcmpiW (lpString1="My Videos", lpString2="..") returned 1 [0150.832] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos") returned 53 [0150.832] GetProcessHeap () returned 0x4c0000 [0150.832] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0150.833] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos" [0150.833] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos\\*" [0150.833] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="_private", cAlternateFileName="s")) returned 0xffffffff [0150.833] GetProcessHeap () returned 0x4c0000 [0150.833] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0150.833] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b762d0, ftCreationTime.dwHighDateTime=0x1d5e564, ftLastAccessTime.dwLowDateTime=0xb4644aa0, ftLastAccessTime.dwHighDateTime=0x1d5dff9, ftLastWriteTime.dwLowDateTime=0xb4644aa0, ftLastWriteTime.dwHighDateTime=0x1d5dff9, nFileSizeHigh=0x0, nFileSizeLow=0x13082, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="Niz7GS.ppt", cAlternateFileName="")) returned 1 [0150.833] lstrcmpiW (lpString1="Niz7GS.ppt", lpString2="Windows") returned -1 [0150.833] lstrcmpiW (lpString1="Niz7GS.ppt", lpString2="Program Files") returned -1 [0150.833] lstrcmpiW (lpString1="Niz7GS.ppt", lpString2="Program Files (x86)") returned -1 [0150.833] lstrcmpiW (lpString1="Niz7GS.ppt", lpString2="$Recycle.bin") returned 1 [0150.833] lstrcmpiW (lpString1="Niz7GS.ppt", lpString2="System Volume Information") returned -1 [0150.833] lstrcmpiW (lpString1="Niz7GS.ppt", lpString2=".") returned 1 [0150.833] lstrcmpiW (lpString1="Niz7GS.ppt", lpString2="..") returned 1 [0150.833] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Niz7GS.ppt") returned 54 [0150.833] lstrcmpW (lpString1="Niz7GS.ppt", lpString2="PUSSY.TXT") returned -1 [0150.834] PathFindExtensionW (pszPath="Niz7GS.ppt") returned=".ppt" [0150.834] lstrlenW (lpString=".ppt") returned 4 [0150.834] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0150.834] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Niz7GS.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\niz7gs.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0150.835] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=77954) returned 1 [0150.835] GetProcessHeap () returned 0x4c0000 [0150.835] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0150.860] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="C6") returned 2 [0150.860] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="BA") returned 2 [0150.860] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="8A") returned 2 [0150.860] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="6D") returned 2 [0150.861] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="AD") returned 2 [0150.861] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="88") returned 2 [0150.861] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="41") returned 2 [0150.861] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="3E") returned 2 [0150.861] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="94") returned 2 [0150.861] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="80") returned 2 [0150.861] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="CA") returned 2 [0150.861] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="18") returned 2 [0150.861] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="24") returned 2 [0150.861] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="8A") returned 2 [0150.861] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="6E") returned 2 [0150.861] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="63") returned 2 [0150.861] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="49") returned 2 [0150.861] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="F6") returned 2 [0150.861] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="8A") returned 2 [0150.861] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="CE") returned 2 [0150.861] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="E7") returned 2 [0150.861] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="49") returned 2 [0150.861] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="E1") returned 2 [0150.861] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="7B") returned 2 [0150.861] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="5D") returned 2 [0150.861] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="F4") returned 2 [0150.861] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="D5") returned 2 [0150.861] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="A4") returned 2 [0150.861] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="64") returned 2 [0150.862] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="85") returned 2 [0150.862] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="F4") returned 2 [0150.862] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="53") returned 2 [0151.013] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Niz7GS.ppt" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Niz7GS.ppt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Niz7GS.ppt" [0151.013] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Niz7GS.ppt" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Niz7GS.ppt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Niz7GS.ppt" [0151.013] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Niz7GS.ppt", lpString2=".C6BA8A6DAD88413E9480CA18248A6E6349F68ACEE749E17B5DF4D5A46485F453" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Niz7GS.ppt.C6BA8A6DAD88413E9480CA18248A6E6349F68ACEE749E17B5DF4D5A46485F453") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Niz7GS.ppt.C6BA8A6DAD88413E9480CA18248A6E6349F68ACEE749E17B5DF4D5A46485F453" [0151.013] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0151.013] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0151.045] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x674c9300, ftCreationTime.dwHighDateTime=0x1d57576, ftLastAccessTime.dwLowDateTime=0x1b70f4b0, ftLastAccessTime.dwHighDateTime=0x1d5a54d, ftLastWriteTime.dwLowDateTime=0x1b70f4b0, ftLastWriteTime.dwHighDateTime=0x1d5a54d, nFileSizeHigh=0x0, nFileSizeLow=0x18f0e, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="OCJkdYLw-GFERurZ9O.xlsx", cAlternateFileName="OCJKDY~1.XLS")) returned 1 [0151.045] lstrcmpiW (lpString1="OCJkdYLw-GFERurZ9O.xlsx", lpString2="Windows") returned -1 [0151.045] lstrcmpiW (lpString1="OCJkdYLw-GFERurZ9O.xlsx", lpString2="Program Files") returned -1 [0151.045] lstrcmpiW (lpString1="OCJkdYLw-GFERurZ9O.xlsx", lpString2="Program Files (x86)") returned -1 [0151.045] lstrcmpiW (lpString1="OCJkdYLw-GFERurZ9O.xlsx", lpString2="$Recycle.bin") returned 1 [0151.045] lstrcmpiW (lpString1="OCJkdYLw-GFERurZ9O.xlsx", lpString2="System Volume Information") returned -1 [0151.045] lstrcmpiW (lpString1="OCJkdYLw-GFERurZ9O.xlsx", lpString2=".") returned 1 [0151.045] lstrcmpiW (lpString1="OCJkdYLw-GFERurZ9O.xlsx", lpString2="..") returned 1 [0151.045] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OCJkdYLw-GFERurZ9O.xlsx") returned 67 [0151.045] lstrcmpW (lpString1="OCJkdYLw-GFERurZ9O.xlsx", lpString2="PUSSY.TXT") returned -1 [0151.045] PathFindExtensionW (pszPath="OCJkdYLw-GFERurZ9O.xlsx") returned=".xlsx" [0151.045] lstrlenW (lpString=".xlsx") returned 5 [0151.045] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0151.046] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OCJkdYLw-GFERurZ9O.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ocjkdylw-gferurz9o.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0151.046] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=102158) returned 1 [0151.046] GetProcessHeap () returned 0x4c0000 [0151.046] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0151.056] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="27") returned 2 [0151.056] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="3A") returned 2 [0151.056] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="44") returned 2 [0151.056] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="CE") returned 2 [0151.056] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="AF") returned 2 [0151.056] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="B9") returned 2 [0151.056] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="23") returned 2 [0151.056] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="DE") returned 2 [0151.056] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="51") returned 2 [0151.056] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="F3") returned 2 [0151.056] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="C5") returned 2 [0151.056] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="DD") returned 2 [0151.056] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="37") returned 2 [0151.056] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="14") returned 2 [0151.056] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="8F") returned 2 [0151.056] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="28") returned 2 [0151.056] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="4C") returned 2 [0151.056] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="1D") returned 2 [0151.056] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="31") returned 2 [0151.056] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="DD") returned 2 [0151.056] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="CC") returned 2 [0151.056] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="30") returned 2 [0151.056] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="D3") returned 2 [0151.057] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="54") returned 2 [0151.057] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="D7") returned 2 [0151.057] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="36") returned 2 [0151.057] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="32") returned 2 [0151.057] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="2C") returned 2 [0151.057] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="65") returned 2 [0151.057] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="DB") returned 2 [0151.057] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="27") returned 2 [0151.057] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="0C") returned 2 [0151.066] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OCJkdYLw-GFERurZ9O.xlsx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OCJkdYLw-GFERurZ9O.xlsx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OCJkdYLw-GFERurZ9O.xlsx" [0151.066] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OCJkdYLw-GFERurZ9O.xlsx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OCJkdYLw-GFERurZ9O.xlsx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OCJkdYLw-GFERurZ9O.xlsx" [0151.066] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OCJkdYLw-GFERurZ9O.xlsx", lpString2=".273A44CEAFB923DE51F3C5DD37148F284C1D31DDCC30D354D736322C65DB270C" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OCJkdYLw-GFERurZ9O.xlsx.273A44CEAFB923DE51F3C5DD37148F284C1D31DDCC30D354D736322C65DB270C") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OCJkdYLw-GFERurZ9O.xlsx.273A44CEAFB923DE51F3C5DD37148F284C1D31DDCC30D354D736322C65DB270C" [0151.066] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0151.066] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0151.097] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9963fd20, ftCreationTime.dwHighDateTime=0x1d59a91, ftLastAccessTime.dwLowDateTime=0xeb1e8600, ftLastAccessTime.dwHighDateTime=0x1d5cdf7, ftLastWriteTime.dwLowDateTime=0xeb1e8600, ftLastWriteTime.dwHighDateTime=0x1d5cdf7, nFileSizeHigh=0x0, nFileSizeLow=0x14cfa, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="oDtfmtDtdiKSGL.pptx", cAlternateFileName="ODTFMT~1.PPT")) returned 1 [0151.097] lstrcmpiW (lpString1="oDtfmtDtdiKSGL.pptx", lpString2="Windows") returned -1 [0151.097] lstrcmpiW (lpString1="oDtfmtDtdiKSGL.pptx", lpString2="Program Files") returned -1 [0151.097] lstrcmpiW (lpString1="oDtfmtDtdiKSGL.pptx", lpString2="Program Files (x86)") returned -1 [0151.097] lstrcmpiW (lpString1="oDtfmtDtdiKSGL.pptx", lpString2="$Recycle.bin") returned 1 [0151.097] lstrcmpiW (lpString1="oDtfmtDtdiKSGL.pptx", lpString2="System Volume Information") returned -1 [0151.097] lstrcmpiW (lpString1="oDtfmtDtdiKSGL.pptx", lpString2=".") returned 1 [0151.097] lstrcmpiW (lpString1="oDtfmtDtdiKSGL.pptx", lpString2="..") returned 1 [0151.097] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oDtfmtDtdiKSGL.pptx") returned 63 [0151.098] lstrcmpW (lpString1="oDtfmtDtdiKSGL.pptx", lpString2="PUSSY.TXT") returned -1 [0151.098] PathFindExtensionW (pszPath="oDtfmtDtdiKSGL.pptx") returned=".pptx" [0151.098] lstrlenW (lpString=".pptx") returned 5 [0151.098] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0151.098] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oDtfmtDtdiKSGL.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\odtfmtdtdiksgl.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0151.098] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=85242) returned 1 [0151.098] GetProcessHeap () returned 0x4c0000 [0151.099] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0151.107] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="F1") returned 2 [0151.107] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="1E") returned 2 [0151.107] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="0A") returned 2 [0151.107] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="F4") returned 2 [0151.107] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="A4") returned 2 [0151.107] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="AC") returned 2 [0151.107] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="13") returned 2 [0151.107] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="0E") returned 2 [0151.107] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="9C") returned 2 [0151.107] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="C2") returned 2 [0151.107] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="55") returned 2 [0151.107] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="D7") returned 2 [0151.107] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="9B") returned 2 [0151.107] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="52") returned 2 [0151.107] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="05") returned 2 [0151.107] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="D2") returned 2 [0151.107] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="03") returned 2 [0151.107] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="05") returned 2 [0151.108] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="A8") returned 2 [0151.108] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="9C") returned 2 [0151.108] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="58") returned 2 [0151.108] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="5A") returned 2 [0151.108] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="5C") returned 2 [0151.108] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="B1") returned 2 [0151.108] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="4B") returned 2 [0151.108] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="47") returned 2 [0151.108] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="C1") returned 2 [0151.108] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="42") returned 2 [0151.108] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="0A") returned 2 [0151.108] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="85") returned 2 [0151.108] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="2B") returned 2 [0151.108] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="41") returned 2 [0151.117] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oDtfmtDtdiKSGL.pptx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oDtfmtDtdiKSGL.pptx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oDtfmtDtdiKSGL.pptx" [0151.117] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oDtfmtDtdiKSGL.pptx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oDtfmtDtdiKSGL.pptx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oDtfmtDtdiKSGL.pptx" [0151.117] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oDtfmtDtdiKSGL.pptx", lpString2=".F11E0AF4A4AC130E9CC255D79B5205D20305A89C585A5CB14B47C1420A852B41" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oDtfmtDtdiKSGL.pptx.F11E0AF4A4AC130E9CC255D79B5205D20305A89C585A5CB14B47C1420A852B41") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oDtfmtDtdiKSGL.pptx.F11E0AF4A4AC130E9CC255D79B5205D20305A89C585A5CB14B47C1420A852B41" [0151.117] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0151.117] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0151.155] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36bf9850, ftCreationTime.dwHighDateTime=0x1d5ac43, ftLastAccessTime.dwLowDateTime=0xf3c2760, ftLastAccessTime.dwHighDateTime=0x1d56505, ftLastWriteTime.dwLowDateTime=0xf3c2760, ftLastWriteTime.dwHighDateTime=0x1d56505, nFileSizeHigh=0x0, nFileSizeLow=0x6870, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="OQgUKVa7GGa4T8C.pptx", cAlternateFileName="OQGUKV~1.PPT")) returned 1 [0151.155] lstrcmpiW (lpString1="OQgUKVa7GGa4T8C.pptx", lpString2="Windows") returned -1 [0151.155] lstrcmpiW (lpString1="OQgUKVa7GGa4T8C.pptx", lpString2="Program Files") returned -1 [0151.155] lstrcmpiW (lpString1="OQgUKVa7GGa4T8C.pptx", lpString2="Program Files (x86)") returned -1 [0151.155] lstrcmpiW (lpString1="OQgUKVa7GGa4T8C.pptx", lpString2="$Recycle.bin") returned 1 [0151.155] lstrcmpiW (lpString1="OQgUKVa7GGa4T8C.pptx", lpString2="System Volume Information") returned -1 [0151.155] lstrcmpiW (lpString1="OQgUKVa7GGa4T8C.pptx", lpString2=".") returned 1 [0151.155] lstrcmpiW (lpString1="OQgUKVa7GGa4T8C.pptx", lpString2="..") returned 1 [0151.155] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OQgUKVa7GGa4T8C.pptx") returned 64 [0151.155] lstrcmpW (lpString1="OQgUKVa7GGa4T8C.pptx", lpString2="PUSSY.TXT") returned -1 [0151.155] PathFindExtensionW (pszPath="OQgUKVa7GGa4T8C.pptx") returned=".pptx" [0151.155] lstrlenW (lpString=".pptx") returned 5 [0151.155] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0151.155] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OQgUKVa7GGa4T8C.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\oqgukva7gga4t8c.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0151.156] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=26736) returned 1 [0151.156] GetProcessHeap () returned 0x4c0000 [0151.156] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0151.165] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="6A") returned 2 [0151.165] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="8C") returned 2 [0151.165] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="E6") returned 2 [0151.165] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="26") returned 2 [0151.165] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="8E") returned 2 [0151.165] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="42") returned 2 [0151.165] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="5C") returned 2 [0151.165] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="86") returned 2 [0151.165] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="36") returned 2 [0151.165] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="10") returned 2 [0151.165] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="F4") returned 2 [0151.165] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="59") returned 2 [0151.165] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="AE") returned 2 [0151.165] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="10") returned 2 [0151.165] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="D7") returned 2 [0151.165] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="8E") returned 2 [0151.165] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="AD") returned 2 [0151.165] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="95") returned 2 [0151.165] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="FB") returned 2 [0151.165] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="41") returned 2 [0151.165] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="BE") returned 2 [0151.165] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="12") returned 2 [0151.165] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="C3") returned 2 [0151.166] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="E5") returned 2 [0151.166] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="A7") returned 2 [0151.166] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="96") returned 2 [0151.166] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="23") returned 2 [0151.166] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="D2") returned 2 [0151.166] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="A4") returned 2 [0151.166] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="57") returned 2 [0151.166] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="03") returned 2 [0151.166] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="53") returned 2 [0151.174] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OQgUKVa7GGa4T8C.pptx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OQgUKVa7GGa4T8C.pptx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OQgUKVa7GGa4T8C.pptx" [0151.174] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OQgUKVa7GGa4T8C.pptx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OQgUKVa7GGa4T8C.pptx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OQgUKVa7GGa4T8C.pptx" [0151.174] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OQgUKVa7GGa4T8C.pptx", lpString2=".6A8CE6268E425C863610F459AE10D78EAD95FB41BE12C3E5A79623D2A4570353" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OQgUKVa7GGa4T8C.pptx.6A8CE6268E425C863610F459AE10D78EAD95FB41BE12C3E5A79623D2A4570353") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OQgUKVa7GGa4T8C.pptx.6A8CE6268E425C863610F459AE10D78EAD95FB41BE12C3E5A79623D2A4570353" [0151.174] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0151.174] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0151.205] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a7a9f80, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x8a4af3c0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x8a4af3c0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="Outlook Files", cAlternateFileName="OUTLOO~1")) returned 1 [0151.206] lstrcmpiW (lpString1="Outlook Files", lpString2="Windows") returned -1 [0151.206] lstrcmpiW (lpString1="Outlook Files", lpString2="Program Files") returned -1 [0151.206] lstrcmpiW (lpString1="Outlook Files", lpString2="Program Files (x86)") returned -1 [0151.206] lstrcmpiW (lpString1="Outlook Files", lpString2="$Recycle.bin") returned 1 [0151.206] lstrcmpiW (lpString1="Outlook Files", lpString2="System Volume Information") returned -1 [0151.206] lstrcmpiW (lpString1="Outlook Files", lpString2=".") returned 1 [0151.206] lstrcmpiW (lpString1="Outlook Files", lpString2="..") returned 1 [0151.206] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files") returned 57 [0151.206] GetProcessHeap () returned 0x4c0000 [0151.206] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0151.206] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files" [0151.206] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\*" [0151.206] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a7a9f80, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x8a4af3c0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x8a4af3c0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0151.206] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0151.206] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0151.206] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0151.207] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0151.207] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0151.207] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0151.207] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a7a9f80, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x8a4af3c0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x8a4af3c0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0151.207] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0151.207] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0151.207] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0151.207] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0151.207] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0151.207] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0151.207] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0151.207] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5a868660, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x5a868660, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x8a4fb680, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x42400, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="voeimd@djhreuu.uhd.pst", cAlternateFileName="VOEIMD~1.PST")) returned 1 [0151.207] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="Windows") returned -1 [0151.207] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="Program Files") returned 1 [0151.207] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="Program Files (x86)") returned 1 [0151.207] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="$Recycle.bin") returned 1 [0151.207] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="System Volume Information") returned 1 [0151.207] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2=".") returned 1 [0151.207] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="..") returned 1 [0151.207] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst") returned 80 [0151.207] lstrcmpW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="PUSSY.TXT") returned 1 [0151.207] PathFindExtensionW (pszPath="voeimd@djhreuu.uhd.pst") returned=".pst" [0151.207] lstrlenW (lpString=".pst") returned 4 [0151.207] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0151.207] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files\\voeimd@djhreuu.uhd.pst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0151.208] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=271360) returned 1 [0151.208] GetProcessHeap () returned 0x4c0000 [0151.208] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0151.217] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="FB") returned 2 [0151.217] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="D4") returned 2 [0151.217] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="A1") returned 2 [0151.217] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="FA") returned 2 [0151.217] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="20") returned 2 [0151.217] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="DC") returned 2 [0151.217] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="88") returned 2 [0151.217] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="5C") returned 2 [0151.217] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="12") returned 2 [0151.217] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="63") returned 2 [0151.217] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="F9") returned 2 [0151.217] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="5B") returned 2 [0151.217] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="91") returned 2 [0151.217] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="AD") returned 2 [0151.217] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="42") returned 2 [0151.217] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="F7") returned 2 [0151.217] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="18") returned 2 [0151.217] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="4B") returned 2 [0151.218] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="89") returned 2 [0151.218] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="79") returned 2 [0151.218] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="8B") returned 2 [0151.218] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="F5") returned 2 [0151.218] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="24") returned 2 [0151.218] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="AF") returned 2 [0151.218] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="94") returned 2 [0151.218] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="7C") returned 2 [0151.218] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="2B") returned 2 [0151.218] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="8D") returned 2 [0151.218] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="2E") returned 2 [0151.218] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="36") returned 2 [0151.218] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="8E") returned 2 [0151.218] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="46") returned 2 [0151.226] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst" [0151.226] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst" [0151.226] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst", lpString2=".FBD4A1FA20DC885C1263F95B91AD42F7184B89798BF524AF947C2B8D2E368E46" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst.FBD4A1FA20DC885C1263F95B91AD42F7184B89798BF524AF947C2B8D2E368E46") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst.FBD4A1FA20DC885C1263F95B91AD42F7184B89798BF524AF947C2B8D2E368E46" [0151.227] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0151.227] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0151.260] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5a868660, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x5a868660, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x8a4fb680, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x42400, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="voeimd@djhreuu.uhd.pst", cAlternateFileName="VOEIMD~1.PST")) returned 0 [0151.260] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0151.260] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\PUSSY.TXT") returned 67 [0151.260] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x120 [0151.261] lstrlenA (lpString="abcd") returned 4 [0151.261] WriteFile (in: hFile=0x120, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0151.262] CloseHandle (hObject=0x120) returned 1 [0151.262] GetProcessHeap () returned 0x4c0000 [0151.262] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0151.264] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfbb41910, ftCreationTime.dwHighDateTime=0x1d5d9c0, ftLastAccessTime.dwLowDateTime=0xf62f09b0, ftLastAccessTime.dwHighDateTime=0x1d5dfff, ftLastWriteTime.dwLowDateTime=0xf62f09b0, ftLastWriteTime.dwHighDateTime=0x1d5dfff, nFileSizeHigh=0x0, nFileSizeLow=0xa62c, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="pUUBN.pps", cAlternateFileName="")) returned 1 [0151.264] lstrcmpiW (lpString1="pUUBN.pps", lpString2="Windows") returned -1 [0151.264] lstrcmpiW (lpString1="pUUBN.pps", lpString2="Program Files") returned 1 [0151.264] lstrcmpiW (lpString1="pUUBN.pps", lpString2="Program Files (x86)") returned 1 [0151.264] lstrcmpiW (lpString1="pUUBN.pps", lpString2="$Recycle.bin") returned 1 [0151.264] lstrcmpiW (lpString1="pUUBN.pps", lpString2="System Volume Information") returned -1 [0151.264] lstrcmpiW (lpString1="pUUBN.pps", lpString2=".") returned 1 [0151.264] lstrcmpiW (lpString1="pUUBN.pps", lpString2="..") returned 1 [0151.264] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\pUUBN.pps") returned 53 [0151.264] lstrcmpW (lpString1="pUUBN.pps", lpString2="PUSSY.TXT") returned 1 [0151.264] PathFindExtensionW (pszPath="pUUBN.pps") returned=".pps" [0151.264] lstrlenW (lpString=".pps") returned 4 [0151.264] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0151.265] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\pUUBN.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\puubn.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0151.265] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=42540) returned 1 [0151.265] GetProcessHeap () returned 0x4c0000 [0151.265] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0151.346] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="CD") returned 2 [0151.346] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="98") returned 2 [0151.346] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="70") returned 2 [0151.346] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="EA") returned 2 [0151.346] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="B5") returned 2 [0151.347] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="0D") returned 2 [0151.347] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="9D") returned 2 [0151.347] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="2B") returned 2 [0151.347] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="2C") returned 2 [0151.347] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="3A") returned 2 [0151.347] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="2E") returned 2 [0151.347] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="79") returned 2 [0151.347] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="7C") returned 2 [0151.347] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="58") returned 2 [0151.347] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="31") returned 2 [0151.347] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="1C") returned 2 [0151.347] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="D8") returned 2 [0151.347] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="6D") returned 2 [0151.347] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="9B") returned 2 [0151.347] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="F5") returned 2 [0151.347] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="CF") returned 2 [0151.347] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="22") returned 2 [0151.347] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="7D") returned 2 [0151.347] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="C5") returned 2 [0151.347] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="2B") returned 2 [0151.347] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="FE") returned 2 [0151.347] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="16") returned 2 [0151.347] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="C8") returned 2 [0151.347] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="00") returned 2 [0151.347] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="B6") returned 2 [0151.347] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="D4") returned 2 [0151.347] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="1E") returned 2 [0151.356] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\pUUBN.pps" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\pUUBN.pps") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\pUUBN.pps" [0151.356] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\pUUBN.pps" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\pUUBN.pps") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\pUUBN.pps" [0151.356] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\pUUBN.pps", lpString2=".CD9870EAB50D9D2B2C3A2E797C58311CD86D9BF5CF227DC52BFE16C800B6D41E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\pUUBN.pps.CD9870EAB50D9D2B2C3A2E797C58311CD86D9BF5CF227DC52BFE16C800B6D41E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\pUUBN.pps.CD9870EAB50D9D2B2C3A2E797C58311CD86D9BF5CF227DC52BFE16C800B6D41E" [0151.356] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0151.356] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0151.573] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c4409c0, ftCreationTime.dwHighDateTime=0x1d5d8e6, ftLastAccessTime.dwLowDateTime=0x5758df80, ftLastAccessTime.dwHighDateTime=0x1d5e0f1, ftLastWriteTime.dwLowDateTime=0x5758df80, ftLastWriteTime.dwHighDateTime=0x1d5e0f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="qe9vNJ9FzXmj9B4", cAlternateFileName="QE9VNJ~1")) returned 1 [0151.573] lstrcmpiW (lpString1="qe9vNJ9FzXmj9B4", lpString2="Windows") returned -1 [0151.573] lstrcmpiW (lpString1="qe9vNJ9FzXmj9B4", lpString2="Program Files") returned 1 [0151.573] lstrcmpiW (lpString1="qe9vNJ9FzXmj9B4", lpString2="Program Files (x86)") returned 1 [0151.573] lstrcmpiW (lpString1="qe9vNJ9FzXmj9B4", lpString2="$Recycle.bin") returned 1 [0151.573] lstrcmpiW (lpString1="qe9vNJ9FzXmj9B4", lpString2="System Volume Information") returned -1 [0151.573] lstrcmpiW (lpString1="qe9vNJ9FzXmj9B4", lpString2=".") returned 1 [0151.573] lstrcmpiW (lpString1="qe9vNJ9FzXmj9B4", lpString2="..") returned 1 [0151.573] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4") returned 59 [0151.573] GetProcessHeap () returned 0x4c0000 [0151.573] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0151.574] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4" [0151.574] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\*" [0151.574] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c4409c0, ftCreationTime.dwHighDateTime=0x1d5d8e6, ftLastAccessTime.dwLowDateTime=0x5758df80, ftLastAccessTime.dwHighDateTime=0x1d5e0f1, ftLastWriteTime.dwLowDateTime=0x5758df80, ftLastWriteTime.dwHighDateTime=0x1d5e0f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0151.574] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0151.574] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0151.574] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0151.574] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0151.574] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0151.574] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0151.574] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c4409c0, ftCreationTime.dwHighDateTime=0x1d5d8e6, ftLastAccessTime.dwLowDateTime=0x5758df80, ftLastAccessTime.dwHighDateTime=0x1d5e0f1, ftLastWriteTime.dwLowDateTime=0x5758df80, ftLastWriteTime.dwHighDateTime=0x1d5e0f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0151.574] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0151.574] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0151.575] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0151.575] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0151.575] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0151.575] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0151.575] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0151.575] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a35c750, ftCreationTime.dwHighDateTime=0x1d5e340, ftLastAccessTime.dwLowDateTime=0x3fff9570, ftLastAccessTime.dwHighDateTime=0x1d5db0d, ftLastWriteTime.dwLowDateTime=0x3fff9570, ftLastWriteTime.dwHighDateTime=0x1d5db0d, nFileSizeHigh=0x0, nFileSizeLow=0x4c7b, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="DqH1D-RwAV.odt", cAlternateFileName="DQH1D-~1.ODT")) returned 1 [0151.575] lstrcmpiW (lpString1="DqH1D-RwAV.odt", lpString2="Windows") returned -1 [0151.575] lstrcmpiW (lpString1="DqH1D-RwAV.odt", lpString2="Program Files") returned -1 [0151.575] lstrcmpiW (lpString1="DqH1D-RwAV.odt", lpString2="Program Files (x86)") returned -1 [0151.575] lstrcmpiW (lpString1="DqH1D-RwAV.odt", lpString2="$Recycle.bin") returned 1 [0151.575] lstrcmpiW (lpString1="DqH1D-RwAV.odt", lpString2="System Volume Information") returned -1 [0151.575] lstrcmpiW (lpString1="DqH1D-RwAV.odt", lpString2=".") returned 1 [0151.575] lstrcmpiW (lpString1="DqH1D-RwAV.odt", lpString2="..") returned 1 [0151.575] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\DqH1D-RwAV.odt") returned 74 [0151.575] lstrcmpW (lpString1="DqH1D-RwAV.odt", lpString2="PUSSY.TXT") returned -1 [0151.575] PathFindExtensionW (pszPath="DqH1D-RwAV.odt") returned=".odt" [0151.575] lstrlenW (lpString=".odt") returned 4 [0151.575] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0151.575] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\DqH1D-RwAV.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qe9vnj9fzxmj9b4\\dqh1d-rwav.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0151.576] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=19579) returned 1 [0151.576] GetProcessHeap () returned 0x4c0000 [0151.576] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0151.585] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="41") returned 2 [0151.585] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="94") returned 2 [0151.585] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="28") returned 2 [0151.585] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="55") returned 2 [0151.585] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="CC") returned 2 [0151.585] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="40") returned 2 [0151.585] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="B8") returned 2 [0151.585] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="1C") returned 2 [0151.585] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="10") returned 2 [0151.585] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="DF") returned 2 [0151.585] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="6B") returned 2 [0151.585] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="96") returned 2 [0151.585] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="FF") returned 2 [0151.585] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="AB") returned 2 [0151.585] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="5D") returned 2 [0151.585] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="22") returned 2 [0151.585] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="D7") returned 2 [0151.585] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="7E") returned 2 [0151.585] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="84") returned 2 [0151.585] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="F4") returned 2 [0151.585] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="DF") returned 2 [0151.585] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="EB") returned 2 [0151.585] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="DC") returned 2 [0151.585] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="B9") returned 2 [0151.585] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="5E") returned 2 [0151.585] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="09") returned 2 [0151.585] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="48") returned 2 [0151.585] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="2C") returned 2 [0151.586] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="88") returned 2 [0151.586] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="37") returned 2 [0151.586] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="09") returned 2 [0151.586] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="03") returned 2 [0151.594] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\DqH1D-RwAV.odt" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\DqH1D-RwAV.odt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\DqH1D-RwAV.odt" [0151.594] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\DqH1D-RwAV.odt" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\DqH1D-RwAV.odt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\DqH1D-RwAV.odt" [0151.594] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\DqH1D-RwAV.odt", lpString2=".41942855CC40B81C10DF6B96FFAB5D22D77E84F4DFEBDCB95E09482C88370903" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\DqH1D-RwAV.odt.41942855CC40B81C10DF6B96FFAB5D22D77E84F4DFEBDCB95E09482C88370903") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\DqH1D-RwAV.odt.41942855CC40B81C10DF6B96FFAB5D22D77E84F4DFEBDCB95E09482C88370903" [0151.594] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0151.594] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0151.616] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc18729d0, ftCreationTime.dwHighDateTime=0x1d5e0b9, ftLastAccessTime.dwLowDateTime=0x51242480, ftLastAccessTime.dwHighDateTime=0x1d5def3, ftLastWriteTime.dwLowDateTime=0x51242480, ftLastWriteTime.dwHighDateTime=0x1d5def3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="K Arjl", cAlternateFileName="KARJL~1")) returned 1 [0151.616] lstrcmpiW (lpString1="K Arjl", lpString2="Windows") returned -1 [0151.616] lstrcmpiW (lpString1="K Arjl", lpString2="Program Files") returned -1 [0151.617] lstrcmpiW (lpString1="K Arjl", lpString2="Program Files (x86)") returned -1 [0151.617] lstrcmpiW (lpString1="K Arjl", lpString2="$Recycle.bin") returned 1 [0151.617] lstrcmpiW (lpString1="K Arjl", lpString2="System Volume Information") returned -1 [0151.617] lstrcmpiW (lpString1="K Arjl", lpString2=".") returned 1 [0151.617] lstrcmpiW (lpString1="K Arjl", lpString2="..") returned 1 [0151.617] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl") returned 66 [0151.617] GetProcessHeap () returned 0x4c0000 [0151.617] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0151.618] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl" [0151.618] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\*" [0151.618] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc18729d0, ftCreationTime.dwHighDateTime=0x1d5e0b9, ftLastAccessTime.dwLowDateTime=0x51242480, ftLastAccessTime.dwHighDateTime=0x1d5def3, ftLastWriteTime.dwLowDateTime=0x51242480, ftLastWriteTime.dwHighDateTime=0x1d5def3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0151.618] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0151.618] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0151.618] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0151.618] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0151.618] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0151.618] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0151.618] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc18729d0, ftCreationTime.dwHighDateTime=0x1d5e0b9, ftLastAccessTime.dwLowDateTime=0x51242480, ftLastAccessTime.dwHighDateTime=0x1d5def3, ftLastWriteTime.dwLowDateTime=0x51242480, ftLastWriteTime.dwHighDateTime=0x1d5def3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0151.618] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0151.618] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0151.618] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0151.618] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0151.618] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0151.618] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0151.618] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0151.618] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d4e8a0, ftCreationTime.dwHighDateTime=0x1d5dbc1, ftLastAccessTime.dwLowDateTime=0x163e2780, ftLastAccessTime.dwHighDateTime=0x1d5e254, ftLastWriteTime.dwLowDateTime=0x163e2780, ftLastWriteTime.dwHighDateTime=0x1d5e254, nFileSizeHigh=0x0, nFileSizeLow=0x1877e, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="FZkt.pps", cAlternateFileName="")) returned 1 [0151.618] lstrcmpiW (lpString1="FZkt.pps", lpString2="Windows") returned -1 [0151.618] lstrcmpiW (lpString1="FZkt.pps", lpString2="Program Files") returned -1 [0151.618] lstrcmpiW (lpString1="FZkt.pps", lpString2="Program Files (x86)") returned -1 [0151.618] lstrcmpiW (lpString1="FZkt.pps", lpString2="$Recycle.bin") returned 1 [0151.618] lstrcmpiW (lpString1="FZkt.pps", lpString2="System Volume Information") returned -1 [0151.618] lstrcmpiW (lpString1="FZkt.pps", lpString2=".") returned 1 [0151.618] lstrcmpiW (lpString1="FZkt.pps", lpString2="..") returned 1 [0151.619] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\FZkt.pps") returned 75 [0151.619] lstrcmpW (lpString1="FZkt.pps", lpString2="PUSSY.TXT") returned -1 [0151.619] PathFindExtensionW (pszPath="FZkt.pps") returned=".pps" [0151.619] lstrlenW (lpString=".pps") returned 4 [0151.619] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0151.619] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\FZkt.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qe9vnj9fzxmj9b4\\k arjl\\fzkt.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0151.620] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=100222) returned 1 [0151.620] GetProcessHeap () returned 0x4c0000 [0151.620] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0151.628] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="60") returned 2 [0151.628] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="46") returned 2 [0151.628] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="C9") returned 2 [0151.628] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="DA") returned 2 [0151.628] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="DD") returned 2 [0151.628] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="36") returned 2 [0151.628] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="89") returned 2 [0151.628] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="08") returned 2 [0151.628] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="1C") returned 2 [0151.628] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="F9") returned 2 [0151.628] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="47") returned 2 [0151.628] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="7B") returned 2 [0151.628] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="8D") returned 2 [0151.629] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="8D") returned 2 [0151.629] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="F6") returned 2 [0151.629] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="D4") returned 2 [0151.629] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="AC") returned 2 [0151.629] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="C0") returned 2 [0151.629] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="C6") returned 2 [0151.629] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="04") returned 2 [0151.629] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="D6") returned 2 [0151.629] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="41") returned 2 [0151.629] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="4F") returned 2 [0151.629] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="38") returned 2 [0151.629] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="69") returned 2 [0151.629] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="E1") returned 2 [0151.629] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="84") returned 2 [0151.629] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="30") returned 2 [0151.629] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="AA") returned 2 [0151.629] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="5F") returned 2 [0151.629] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="4E") returned 2 [0151.629] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="7C") returned 2 [0151.637] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\FZkt.pps" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\FZkt.pps") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\FZkt.pps" [0151.637] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\FZkt.pps" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\FZkt.pps") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\FZkt.pps" [0151.637] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\FZkt.pps", lpString2=".6046C9DADD3689081CF9477B8D8DF6D4ACC0C604D6414F3869E18430AA5F4E7C" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\FZkt.pps.6046C9DADD3689081CF9477B8D8DF6D4ACC0C604D6414F3869E18430AA5F4E7C") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\FZkt.pps.6046C9DADD3689081CF9477B8D8DF6D4ACC0C604D6414F3869E18430AA5F4E7C" [0151.637] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0151.638] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0151.670] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85a2fc20, ftCreationTime.dwHighDateTime=0x1d5e0f8, ftLastAccessTime.dwLowDateTime=0x394a9580, ftLastAccessTime.dwHighDateTime=0x1d5d820, ftLastWriteTime.dwLowDateTime=0x394a9580, ftLastWriteTime.dwHighDateTime=0x1d5d820, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Iw22pBXKxLvEur2Q", cAlternateFileName="IW22PB~1")) returned 1 [0151.670] lstrcmpiW (lpString1="Iw22pBXKxLvEur2Q", lpString2="Windows") returned -1 [0151.670] lstrcmpiW (lpString1="Iw22pBXKxLvEur2Q", lpString2="Program Files") returned -1 [0151.670] lstrcmpiW (lpString1="Iw22pBXKxLvEur2Q", lpString2="Program Files (x86)") returned -1 [0151.670] lstrcmpiW (lpString1="Iw22pBXKxLvEur2Q", lpString2="$Recycle.bin") returned 1 [0151.670] lstrcmpiW (lpString1="Iw22pBXKxLvEur2Q", lpString2="System Volume Information") returned -1 [0151.670] lstrcmpiW (lpString1="Iw22pBXKxLvEur2Q", lpString2=".") returned 1 [0151.670] lstrcmpiW (lpString1="Iw22pBXKxLvEur2Q", lpString2="..") returned 1 [0151.670] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q") returned 83 [0151.670] GetProcessHeap () returned 0x4c0000 [0151.670] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0151.671] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q" [0151.671] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\*" [0151.671] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85a2fc20, ftCreationTime.dwHighDateTime=0x1d5e0f8, ftLastAccessTime.dwLowDateTime=0x394a9580, ftLastAccessTime.dwHighDateTime=0x1d5d820, ftLastWriteTime.dwLowDateTime=0x394a9580, ftLastWriteTime.dwHighDateTime=0x1d5d820, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28c550, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0151.671] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0151.671] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0151.671] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0151.671] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0151.671] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0151.671] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0151.671] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85a2fc20, ftCreationTime.dwHighDateTime=0x1d5e0f8, ftLastAccessTime.dwLowDateTime=0x394a9580, ftLastAccessTime.dwHighDateTime=0x1d5d820, ftLastWriteTime.dwLowDateTime=0x394a9580, ftLastWriteTime.dwHighDateTime=0x1d5d820, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28c550, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0151.671] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0151.671] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0151.671] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0151.671] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0151.671] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0151.671] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0151.671] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0151.671] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a975920, ftCreationTime.dwHighDateTime=0x1d5da70, ftLastAccessTime.dwLowDateTime=0x7ab69750, ftLastAccessTime.dwHighDateTime=0x1d5e70f, ftLastWriteTime.dwLowDateTime=0x7ab69750, ftLastWriteTime.dwHighDateTime=0x1d5e70f, nFileSizeHigh=0x0, nFileSizeLow=0xd675, dwReserved0=0x28c550, dwReserved1=0x77c61b06, cFileName="7k4S9_o.pdf", cAlternateFileName="")) returned 1 [0151.671] lstrcmpiW (lpString1="7k4S9_o.pdf", lpString2="Windows") returned -1 [0151.671] lstrcmpiW (lpString1="7k4S9_o.pdf", lpString2="Program Files") returned -1 [0151.671] lstrcmpiW (lpString1="7k4S9_o.pdf", lpString2="Program Files (x86)") returned -1 [0151.671] lstrcmpiW (lpString1="7k4S9_o.pdf", lpString2="$Recycle.bin") returned 1 [0151.671] lstrcmpiW (lpString1="7k4S9_o.pdf", lpString2="System Volume Information") returned -1 [0151.672] lstrcmpiW (lpString1="7k4S9_o.pdf", lpString2=".") returned 1 [0151.672] lstrcmpiW (lpString1="7k4S9_o.pdf", lpString2="..") returned 1 [0151.672] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\7k4S9_o.pdf") returned 95 [0151.672] lstrcmpW (lpString1="7k4S9_o.pdf", lpString2="PUSSY.TXT") returned -1 [0151.672] PathFindExtensionW (pszPath="7k4S9_o.pdf") returned=".pdf" [0151.672] lstrlenW (lpString=".pdf") returned 4 [0151.672] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0151.672] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\7k4S9_o.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qe9vnj9fzxmj9b4\\k arjl\\iw22pbxkxlveur2q\\7k4s9_o.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0151.673] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=54901) returned 1 [0151.673] GetProcessHeap () returned 0x4c0000 [0151.673] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0151.681] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="38") returned 2 [0151.681] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="EB") returned 2 [0151.681] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="EA") returned 2 [0151.681] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="F0") returned 2 [0151.681] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="B0") returned 2 [0151.681] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="40") returned 2 [0151.681] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="2C") returned 2 [0151.681] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="B5") returned 2 [0151.681] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="85") returned 2 [0151.681] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="23") returned 2 [0151.682] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="BF") returned 2 [0151.682] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="AA") returned 2 [0151.682] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="95") returned 2 [0151.682] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="25") returned 2 [0151.682] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="11") returned 2 [0151.682] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="DD") returned 2 [0151.682] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="1A") returned 2 [0151.682] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="5E") returned 2 [0151.682] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="BD") returned 2 [0151.682] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="55") returned 2 [0151.682] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="3F") returned 2 [0151.682] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="C9") returned 2 [0151.682] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="F7") returned 2 [0151.682] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="07") returned 2 [0151.682] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="3C") returned 2 [0151.682] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="7F") returned 2 [0151.682] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="CB") returned 2 [0151.682] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="66") returned 2 [0151.682] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="6D") returned 2 [0151.682] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="21") returned 2 [0151.682] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="E9") returned 2 [0151.682] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="0B") returned 2 [0151.691] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\7k4S9_o.pdf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\7k4S9_o.pdf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\7k4S9_o.pdf" [0151.691] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\7k4S9_o.pdf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\7k4S9_o.pdf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\7k4S9_o.pdf" [0151.691] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\7k4S9_o.pdf", lpString2=".38EBEAF0B0402CB58523BFAA952511DD1A5EBD553FC9F7073C7FCB666D21E90B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\7k4S9_o.pdf.38EBEAF0B0402CB58523BFAA952511DD1A5EBD553FC9F7073C7FCB666D21E90B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\7k4S9_o.pdf.38EBEAF0B0402CB58523BFAA952511DD1A5EBD553FC9F7073C7FCB666D21E90B" [0151.691] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0151.691] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0151.719] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdaf49e40, ftCreationTime.dwHighDateTime=0x1d5ddd3, ftLastAccessTime.dwLowDateTime=0x58d08630, ftLastAccessTime.dwHighDateTime=0x1d5dc21, ftLastWriteTime.dwLowDateTime=0x58d08630, ftLastWriteTime.dwHighDateTime=0x1d5dc21, nFileSizeHigh=0x0, nFileSizeLow=0x24c5, dwReserved0=0x28c550, dwReserved1=0x77c61b06, cFileName="Q6xrv4uNCLEiIosbRekD.odt", cAlternateFileName="Q6XRV4~1.ODT")) returned 1 [0151.719] lstrcmpiW (lpString1="Q6xrv4uNCLEiIosbRekD.odt", lpString2="Windows") returned -1 [0151.719] lstrcmpiW (lpString1="Q6xrv4uNCLEiIosbRekD.odt", lpString2="Program Files") returned 1 [0151.719] lstrcmpiW (lpString1="Q6xrv4uNCLEiIosbRekD.odt", lpString2="Program Files (x86)") returned 1 [0151.719] lstrcmpiW (lpString1="Q6xrv4uNCLEiIosbRekD.odt", lpString2="$Recycle.bin") returned 1 [0151.719] lstrcmpiW (lpString1="Q6xrv4uNCLEiIosbRekD.odt", lpString2="System Volume Information") returned -1 [0151.719] lstrcmpiW (lpString1="Q6xrv4uNCLEiIosbRekD.odt", lpString2=".") returned 1 [0151.719] lstrcmpiW (lpString1="Q6xrv4uNCLEiIosbRekD.odt", lpString2="..") returned 1 [0151.719] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\Q6xrv4uNCLEiIosbRekD.odt") returned 108 [0151.719] lstrcmpW (lpString1="Q6xrv4uNCLEiIosbRekD.odt", lpString2="PUSSY.TXT") returned 1 [0151.719] PathFindExtensionW (pszPath="Q6xrv4uNCLEiIosbRekD.odt") returned=".odt" [0151.719] lstrlenW (lpString=".odt") returned 4 [0151.719] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0151.719] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\Q6xrv4uNCLEiIosbRekD.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qe9vnj9fzxmj9b4\\k arjl\\iw22pbxkxlveur2q\\q6xrv4uncleiiosbrekd.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x124 [0151.720] GetFileSizeEx (in: hFile=0x124, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=9413) returned 1 [0151.721] GetProcessHeap () returned 0x4c0000 [0151.721] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x553b30 [0151.734] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="4A") returned 2 [0151.734] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="B2") returned 2 [0151.734] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="A5") returned 2 [0151.734] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="C7") returned 2 [0151.734] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="24") returned 2 [0151.734] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="10") returned 2 [0151.734] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="96") returned 2 [0151.734] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="BC") returned 2 [0151.734] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="52") returned 2 [0151.734] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="9D") returned 2 [0151.734] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="60") returned 2 [0151.734] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="36") returned 2 [0151.734] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="7A") returned 2 [0151.734] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="D7") returned 2 [0151.734] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="E6") returned 2 [0151.734] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="BB") returned 2 [0151.734] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="B8") returned 2 [0151.734] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="73") returned 2 [0151.734] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="69") returned 2 [0151.734] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="C2") returned 2 [0151.734] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="E9") returned 2 [0151.735] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="11") returned 2 [0151.735] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="4A") returned 2 [0151.735] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="59") returned 2 [0151.735] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="D8") returned 2 [0151.735] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="44") returned 2 [0151.735] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="88") returned 2 [0151.735] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="AA") returned 2 [0151.735] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="93") returned 2 [0151.735] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="C5") returned 2 [0151.735] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="35") returned 2 [0151.735] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="26") returned 2 [0151.967] lstrcpyW (in: lpString1=0x563b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\Q6xrv4uNCLEiIosbRekD.odt" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\Q6xrv4uNCLEiIosbRekD.odt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\Q6xrv4uNCLEiIosbRekD.odt" [0151.967] lstrcpyW (in: lpString1=0x553b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\Q6xrv4uNCLEiIosbRekD.odt" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\Q6xrv4uNCLEiIosbRekD.odt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\Q6xrv4uNCLEiIosbRekD.odt" [0151.967] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\Q6xrv4uNCLEiIosbRekD.odt", lpString2=".4AB2A5C7241096BC529D60367AD7E6BBB87369C2E9114A59D84488AA93C53526" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\Q6xrv4uNCLEiIosbRekD.odt.4AB2A5C7241096BC529D60367AD7E6BBB87369C2E9114A59D84488AA93C53526") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\Q6xrv4uNCLEiIosbRekD.odt.4AB2A5C7241096BC529D60367AD7E6BBB87369C2E9114A59D84488AA93C53526" [0151.967] CreateIoCompletionPort (FileHandle=0x124, ExistingCompletionPort=0x94, CompletionKey=0x553b30, NumberOfConcurrentThreads=0x0) returned 0x94 [0151.967] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x553b30, lpOverlapped=0x553b30) returned 1 [0151.979] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xddf4e8e0, ftCreationTime.dwHighDateTime=0x1d5e5c9, ftLastAccessTime.dwLowDateTime=0x9a675440, ftLastAccessTime.dwHighDateTime=0x1d5d9c7, ftLastWriteTime.dwLowDateTime=0x9a675440, ftLastWriteTime.dwHighDateTime=0x1d5d9c7, nFileSizeHigh=0x0, nFileSizeLow=0x110ef, dwReserved0=0x28c550, dwReserved1=0x77c61b06, cFileName="sTsZNB.xlsx", cAlternateFileName="STSZNB~1.XLS")) returned 1 [0151.979] lstrcmpiW (lpString1="sTsZNB.xlsx", lpString2="Windows") returned -1 [0151.979] lstrcmpiW (lpString1="sTsZNB.xlsx", lpString2="Program Files") returned 1 [0151.979] lstrcmpiW (lpString1="sTsZNB.xlsx", lpString2="Program Files (x86)") returned 1 [0151.979] lstrcmpiW (lpString1="sTsZNB.xlsx", lpString2="$Recycle.bin") returned 1 [0151.979] lstrcmpiW (lpString1="sTsZNB.xlsx", lpString2="System Volume Information") returned -1 [0151.979] lstrcmpiW (lpString1="sTsZNB.xlsx", lpString2=".") returned 1 [0151.979] lstrcmpiW (lpString1="sTsZNB.xlsx", lpString2="..") returned 1 [0151.979] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\sTsZNB.xlsx") returned 95 [0151.979] lstrcmpW (lpString1="sTsZNB.xlsx", lpString2="PUSSY.TXT") returned 1 [0151.979] PathFindExtensionW (pszPath="sTsZNB.xlsx") returned=".xlsx" [0151.979] lstrlenW (lpString=".xlsx") returned 5 [0151.979] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0151.979] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\sTsZNB.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qe9vnj9fzxmj9b4\\k arjl\\iw22pbxkxlveur2q\\stsznb.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x124 [0151.980] GetFileSizeEx (in: hFile=0x124, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=69871) returned 1 [0151.980] GetProcessHeap () returned 0x4c0000 [0151.980] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0151.990] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="1A") returned 2 [0151.990] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="01") returned 2 [0151.990] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="9D") returned 2 [0151.990] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="37") returned 2 [0151.990] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="54") returned 2 [0151.990] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="D4") returned 2 [0151.990] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="D5") returned 2 [0151.990] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="70") returned 2 [0151.990] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="B9") returned 2 [0151.990] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="21") returned 2 [0151.990] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="08") returned 2 [0151.990] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="6F") returned 2 [0151.990] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="AD") returned 2 [0151.990] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="C2") returned 2 [0151.990] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="DE") returned 2 [0151.991] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="61") returned 2 [0151.991] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="5F") returned 2 [0151.991] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="50") returned 2 [0151.991] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="A1") returned 2 [0151.991] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="78") returned 2 [0151.991] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="C9") returned 2 [0151.991] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="36") returned 2 [0151.991] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="4D") returned 2 [0151.991] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="EA") returned 2 [0151.991] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="B3") returned 2 [0151.991] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="9C") returned 2 [0151.991] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="64") returned 2 [0151.991] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="76") returned 2 [0151.991] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="95") returned 2 [0151.991] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="70") returned 2 [0151.991] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="A4") returned 2 [0151.991] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="49") returned 2 [0151.999] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\sTsZNB.xlsx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\sTsZNB.xlsx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\sTsZNB.xlsx" [0151.999] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\sTsZNB.xlsx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\sTsZNB.xlsx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\sTsZNB.xlsx" [0152.000] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\sTsZNB.xlsx", lpString2=".1A019D3754D4D570B921086FADC2DE615F50A178C9364DEAB39C64769570A449" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\sTsZNB.xlsx.1A019D3754D4D570B921086FADC2DE615F50A178C9364DEAB39C64769570A449") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\sTsZNB.xlsx.1A019D3754D4D570B921086FADC2DE615F50A178C9364DEAB39C64769570A449" [0152.000] CreateIoCompletionPort (FileHandle=0x124, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0152.000] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0152.043] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1e7f90, ftCreationTime.dwHighDateTime=0x1d5ddfb, ftLastAccessTime.dwLowDateTime=0xc89ae9f0, ftLastAccessTime.dwHighDateTime=0x1d5e677, ftLastWriteTime.dwLowDateTime=0xc89ae9f0, ftLastWriteTime.dwHighDateTime=0x1d5e677, nFileSizeHigh=0x0, nFileSizeLow=0x11e92, dwReserved0=0x28c550, dwReserved1=0x77c61b06, cFileName="_6MFepDBFNfzWIf.pps", cAlternateFileName="_6MFEP~1.PPS")) returned 1 [0152.043] lstrcmpiW (lpString1="_6MFepDBFNfzWIf.pps", lpString2="Windows") returned -1 [0152.043] lstrcmpiW (lpString1="_6MFepDBFNfzWIf.pps", lpString2="Program Files") returned -1 [0152.043] lstrcmpiW (lpString1="_6MFepDBFNfzWIf.pps", lpString2="Program Files (x86)") returned -1 [0152.043] lstrcmpiW (lpString1="_6MFepDBFNfzWIf.pps", lpString2="$Recycle.bin") returned 1 [0152.043] lstrcmpiW (lpString1="_6MFepDBFNfzWIf.pps", lpString2="System Volume Information") returned -1 [0152.044] lstrcmpiW (lpString1="_6MFepDBFNfzWIf.pps", lpString2=".") returned 1 [0152.044] lstrcmpiW (lpString1="_6MFepDBFNfzWIf.pps", lpString2="..") returned 1 [0152.044] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\_6MFepDBFNfzWIf.pps") returned 103 [0152.044] lstrcmpW (lpString1="_6MFepDBFNfzWIf.pps", lpString2="PUSSY.TXT") returned -1 [0152.044] PathFindExtensionW (pszPath="_6MFepDBFNfzWIf.pps") returned=".pps" [0152.044] lstrlenW (lpString=".pps") returned 4 [0152.044] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0152.044] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\_6MFepDBFNfzWIf.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qe9vnj9fzxmj9b4\\k arjl\\iw22pbxkxlveur2q\\_6mfepdbfnfzwif.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x124 [0152.045] GetFileSizeEx (in: hFile=0x124, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=73362) returned 1 [0152.045] GetProcessHeap () returned 0x4c0000 [0152.045] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0152.054] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="0B") returned 2 [0152.054] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="4D") returned 2 [0152.054] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="6B") returned 2 [0152.054] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="8E") returned 2 [0152.054] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="63") returned 2 [0152.054] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="9B") returned 2 [0152.054] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="3F") returned 2 [0152.054] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="45") returned 2 [0152.054] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="E8") returned 2 [0152.054] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="32") returned 2 [0152.054] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="B5") returned 2 [0152.054] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="99") returned 2 [0152.054] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="B2") returned 2 [0152.054] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="04") returned 2 [0152.054] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="F0") returned 2 [0152.054] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="3D") returned 2 [0152.054] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="05") returned 2 [0152.054] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="75") returned 2 [0152.054] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="EE") returned 2 [0152.054] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="40") returned 2 [0152.054] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="AA") returned 2 [0152.054] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="49") returned 2 [0152.054] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="05") returned 2 [0152.054] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="7A") returned 2 [0152.054] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="C7") returned 2 [0152.054] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="47") returned 2 [0152.054] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="2A") returned 2 [0152.054] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="5F") returned 2 [0152.054] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="CE") returned 2 [0152.054] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="E6") returned 2 [0152.054] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="03") returned 2 [0152.054] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="6A") returned 2 [0152.064] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\_6MFepDBFNfzWIf.pps" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\_6MFepDBFNfzWIf.pps") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\_6MFepDBFNfzWIf.pps" [0152.064] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\_6MFepDBFNfzWIf.pps" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\_6MFepDBFNfzWIf.pps") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\_6MFepDBFNfzWIf.pps" [0152.064] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\_6MFepDBFNfzWIf.pps", lpString2=".0B4D6B8E639B3F45E832B599B204F03D0575EE40AA49057AC7472A5FCEE6036A" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\_6MFepDBFNfzWIf.pps.0B4D6B8E639B3F45E832B599B204F03D0575EE40AA49057AC7472A5FCEE6036A") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\_6MFepDBFNfzWIf.pps.0B4D6B8E639B3F45E832B599B204F03D0575EE40AA49057AC7472A5FCEE6036A" [0152.064] CreateIoCompletionPort (FileHandle=0x124, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0152.064] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0152.106] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1e7f90, ftCreationTime.dwHighDateTime=0x1d5ddfb, ftLastAccessTime.dwLowDateTime=0xc89ae9f0, ftLastAccessTime.dwHighDateTime=0x1d5e677, ftLastWriteTime.dwLowDateTime=0xc89ae9f0, ftLastWriteTime.dwHighDateTime=0x1d5e677, nFileSizeHigh=0x0, nFileSizeLow=0x11e92, dwReserved0=0x28c550, dwReserved1=0x77c61b06, cFileName="_6MFepDBFNfzWIf.pps", cAlternateFileName="_6MFEP~1.PPS")) returned 0 [0152.106] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0152.107] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\PUSSY.TXT") returned 93 [0152.107] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qe9vnj9fzxmj9b4\\k arjl\\iw22pbxkxlveur2q\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0152.108] lstrlenA (lpString="abcd") returned 4 [0152.108] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0152.109] CloseHandle (hObject=0x18c) returned 1 [0152.109] GetProcessHeap () returned 0x4c0000 [0152.109] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0152.113] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3fa6420, ftCreationTime.dwHighDateTime=0x1d5e18c, ftLastAccessTime.dwLowDateTime=0xac986090, ftLastAccessTime.dwHighDateTime=0x1d5e2ab, ftLastWriteTime.dwLowDateTime=0xac986090, ftLastWriteTime.dwHighDateTime=0x1d5e2ab, nFileSizeHigh=0x0, nFileSizeLow=0x6d43, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="KtHl.ots", cAlternateFileName="")) returned 1 [0152.113] lstrcmpiW (lpString1="KtHl.ots", lpString2="Windows") returned -1 [0152.113] lstrcmpiW (lpString1="KtHl.ots", lpString2="Program Files") returned -1 [0152.113] lstrcmpiW (lpString1="KtHl.ots", lpString2="Program Files (x86)") returned -1 [0152.113] lstrcmpiW (lpString1="KtHl.ots", lpString2="$Recycle.bin") returned 1 [0152.113] lstrcmpiW (lpString1="KtHl.ots", lpString2="System Volume Information") returned -1 [0152.113] lstrcmpiW (lpString1="KtHl.ots", lpString2=".") returned 1 [0152.113] lstrcmpiW (lpString1="KtHl.ots", lpString2="..") returned 1 [0152.113] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\KtHl.ots") returned 75 [0152.113] lstrcmpW (lpString1="KtHl.ots", lpString2="PUSSY.TXT") returned -1 [0152.114] PathFindExtensionW (pszPath="KtHl.ots") returned=".ots" [0152.114] lstrlenW (lpString=".ots") returned 4 [0152.114] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0152.114] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\KtHl.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qe9vnj9fzxmj9b4\\k arjl\\kthl.ots"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0152.115] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=27971) returned 1 [0152.115] GetProcessHeap () returned 0x4c0000 [0152.115] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0152.128] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="5E") returned 2 [0152.129] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="9B") returned 2 [0152.129] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="BC") returned 2 [0152.129] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="FE") returned 2 [0152.129] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="0D") returned 2 [0152.129] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="54") returned 2 [0152.129] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="AE") returned 2 [0152.129] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="A7") returned 2 [0152.129] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="46") returned 2 [0152.129] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="54") returned 2 [0152.129] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="EA") returned 2 [0152.129] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="DC") returned 2 [0152.129] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="27") returned 2 [0152.129] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="C2") returned 2 [0152.129] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="A7") returned 2 [0152.129] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="AA") returned 2 [0152.129] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="5A") returned 2 [0152.129] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="77") returned 2 [0152.129] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="7C") returned 2 [0152.129] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="2B") returned 2 [0152.129] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="EF") returned 2 [0152.129] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="14") returned 2 [0152.129] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="5E") returned 2 [0152.129] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="75") returned 2 [0152.129] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="BF") returned 2 [0152.129] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="CD") returned 2 [0152.129] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="5B") returned 2 [0152.130] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="87") returned 2 [0152.130] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="67") returned 2 [0152.130] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="7B") returned 2 [0152.130] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="EE") returned 2 [0152.130] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="77") returned 2 [0152.142] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\KtHl.ots" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\KtHl.ots") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\KtHl.ots" [0152.142] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\KtHl.ots" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\KtHl.ots") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\KtHl.ots" [0152.142] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\KtHl.ots", lpString2=".5E9BBCFE0D54AEA74654EADC27C2A7AA5A777C2BEF145E75BFCD5B87677BEE77" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\KtHl.ots.5E9BBCFE0D54AEA74654EADC27C2A7AA5A777C2BEF145E75BFCD5B87677BEE77") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\KtHl.ots.5E9BBCFE0D54AEA74654EADC27C2A7AA5A777C2BEF145E75BFCD5B87677BEE77" [0152.142] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0152.142] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0152.171] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0217040, ftCreationTime.dwHighDateTime=0x1d5e779, ftLastAccessTime.dwLowDateTime=0x8eca5f40, ftLastAccessTime.dwHighDateTime=0x1d5dc1c, ftLastWriteTime.dwLowDateTime=0x8eca5f40, ftLastWriteTime.dwHighDateTime=0x1d5dc1c, nFileSizeHigh=0x0, nFileSizeLow=0x6574, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="m2SJfU_P9eRX.pptx", cAlternateFileName="M2SJFU~1.PPT")) returned 1 [0152.171] lstrcmpiW (lpString1="m2SJfU_P9eRX.pptx", lpString2="Windows") returned -1 [0152.171] lstrcmpiW (lpString1="m2SJfU_P9eRX.pptx", lpString2="Program Files") returned -1 [0152.171] lstrcmpiW (lpString1="m2SJfU_P9eRX.pptx", lpString2="Program Files (x86)") returned -1 [0152.171] lstrcmpiW (lpString1="m2SJfU_P9eRX.pptx", lpString2="$Recycle.bin") returned 1 [0152.171] lstrcmpiW (lpString1="m2SJfU_P9eRX.pptx", lpString2="System Volume Information") returned -1 [0152.171] lstrcmpiW (lpString1="m2SJfU_P9eRX.pptx", lpString2=".") returned 1 [0152.171] lstrcmpiW (lpString1="m2SJfU_P9eRX.pptx", lpString2="..") returned 1 [0152.171] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\m2SJfU_P9eRX.pptx") returned 84 [0152.171] lstrcmpW (lpString1="m2SJfU_P9eRX.pptx", lpString2="PUSSY.TXT") returned -1 [0152.171] PathFindExtensionW (pszPath="m2SJfU_P9eRX.pptx") returned=".pptx" [0152.171] lstrlenW (lpString=".pptx") returned 5 [0152.171] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0152.171] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\m2SJfU_P9eRX.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qe9vnj9fzxmj9b4\\k arjl\\m2sjfu_p9erx.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0152.172] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=25972) returned 1 [0152.172] GetProcessHeap () returned 0x4c0000 [0152.172] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0152.184] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="68") returned 2 [0152.184] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="A2") returned 2 [0152.184] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="0F") returned 2 [0152.184] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="64") returned 2 [0152.184] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="9D") returned 2 [0152.184] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="F6") returned 2 [0152.184] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="D9") returned 2 [0152.184] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="8E") returned 2 [0152.184] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="33") returned 2 [0152.184] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="FF") returned 2 [0152.184] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="AD") returned 2 [0152.184] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="8B") returned 2 [0152.184] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="43") returned 2 [0152.184] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="FC") returned 2 [0152.184] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="B5") returned 2 [0152.184] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="3A") returned 2 [0152.184] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="7A") returned 2 [0152.184] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="E4") returned 2 [0152.184] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="2D") returned 2 [0152.184] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="AE") returned 2 [0152.184] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="2A") returned 2 [0152.184] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="24") returned 2 [0152.184] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="BA") returned 2 [0152.184] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="BC") returned 2 [0152.184] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="96") returned 2 [0152.184] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="30") returned 2 [0152.185] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="36") returned 2 [0152.185] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="EB") returned 2 [0152.185] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="5A") returned 2 [0152.185] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="1A") returned 2 [0152.185] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="5E") returned 2 [0152.185] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="1D") returned 2 [0152.235] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\m2SJfU_P9eRX.pptx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\m2SJfU_P9eRX.pptx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\m2SJfU_P9eRX.pptx" [0152.235] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\m2SJfU_P9eRX.pptx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\m2SJfU_P9eRX.pptx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\m2SJfU_P9eRX.pptx" [0152.235] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\m2SJfU_P9eRX.pptx", lpString2=".68A20F649DF6D98E33FFAD8B43FCB53A7AE42DAE2A24BABC963036EB5A1A5E1D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\m2SJfU_P9eRX.pptx.68A20F649DF6D98E33FFAD8B43FCB53A7AE42DAE2A24BABC963036EB5A1A5E1D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\m2SJfU_P9eRX.pptx.68A20F649DF6D98E33FFAD8B43FCB53A7AE42DAE2A24BABC963036EB5A1A5E1D" [0152.235] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0152.235] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0152.264] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x979766f0, ftCreationTime.dwHighDateTime=0x1d5e431, ftLastAccessTime.dwLowDateTime=0xf5a123b0, ftLastAccessTime.dwHighDateTime=0x1d5e825, ftLastWriteTime.dwLowDateTime=0xf5a123b0, ftLastWriteTime.dwHighDateTime=0x1d5e825, nFileSizeHigh=0x0, nFileSizeLow=0x10a18, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="q0ve.xlsx", cAlternateFileName="Q0VE~1.XLS")) returned 1 [0152.264] lstrcmpiW (lpString1="q0ve.xlsx", lpString2="Windows") returned -1 [0152.264] lstrcmpiW (lpString1="q0ve.xlsx", lpString2="Program Files") returned 1 [0152.264] lstrcmpiW (lpString1="q0ve.xlsx", lpString2="Program Files (x86)") returned 1 [0152.264] lstrcmpiW (lpString1="q0ve.xlsx", lpString2="$Recycle.bin") returned 1 [0152.264] lstrcmpiW (lpString1="q0ve.xlsx", lpString2="System Volume Information") returned -1 [0152.264] lstrcmpiW (lpString1="q0ve.xlsx", lpString2=".") returned 1 [0152.264] lstrcmpiW (lpString1="q0ve.xlsx", lpString2="..") returned 1 [0152.264] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\q0ve.xlsx") returned 76 [0152.264] lstrcmpW (lpString1="q0ve.xlsx", lpString2="PUSSY.TXT") returned 1 [0152.264] PathFindExtensionW (pszPath="q0ve.xlsx") returned=".xlsx" [0152.265] lstrlenW (lpString=".xlsx") returned 5 [0152.265] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0152.265] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\q0ve.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qe9vnj9fzxmj9b4\\k arjl\\q0ve.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0152.266] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=68120) returned 1 [0152.266] GetProcessHeap () returned 0x4c0000 [0152.266] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0152.278] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="0F") returned 2 [0152.278] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="CE") returned 2 [0152.279] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="41") returned 2 [0152.279] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="1C") returned 2 [0152.279] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="A2") returned 2 [0152.279] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="FA") returned 2 [0152.279] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="26") returned 2 [0152.279] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="46") returned 2 [0152.279] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="18") returned 2 [0152.279] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="A7") returned 2 [0152.279] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="2B") returned 2 [0152.279] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="11") returned 2 [0152.279] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="02") returned 2 [0152.279] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="70") returned 2 [0152.279] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="91") returned 2 [0152.279] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="29") returned 2 [0152.279] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="0F") returned 2 [0152.279] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="CB") returned 2 [0152.279] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="84") returned 2 [0152.279] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="88") returned 2 [0152.279] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="F3") returned 2 [0152.279] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="36") returned 2 [0152.279] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="48") returned 2 [0152.279] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="DC") returned 2 [0152.279] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="D4") returned 2 [0152.279] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="AF") returned 2 [0152.279] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="16") returned 2 [0152.279] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="B6") returned 2 [0152.280] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="F4") returned 2 [0152.280] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="17") returned 2 [0152.280] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="4E") returned 2 [0152.280] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="5C") returned 2 [0152.290] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\q0ve.xlsx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\q0ve.xlsx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\q0ve.xlsx" [0152.290] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\q0ve.xlsx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\q0ve.xlsx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\q0ve.xlsx" [0152.290] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\q0ve.xlsx", lpString2=".0FCE411CA2FA264618A72B11027091290FCB8488F33648DCD4AF16B6F4174E5C" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\q0ve.xlsx.0FCE411CA2FA264618A72B11027091290FCB8488F33648DCD4AF16B6F4174E5C") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\q0ve.xlsx.0FCE411CA2FA264618A72B11027091290FCB8488F33648DCD4AF16B6F4174E5C" [0152.290] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0152.290] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0152.325] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x979766f0, ftCreationTime.dwHighDateTime=0x1d5e431, ftLastAccessTime.dwLowDateTime=0xf5a123b0, ftLastAccessTime.dwHighDateTime=0x1d5e825, ftLastWriteTime.dwLowDateTime=0xf5a123b0, ftLastWriteTime.dwHighDateTime=0x1d5e825, nFileSizeHigh=0x0, nFileSizeLow=0x10a18, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="q0ve.xlsx", cAlternateFileName="Q0VE~1.XLS")) returned 0 [0152.325] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0152.325] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\PUSSY.TXT") returned 76 [0152.325] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qe9vnj9fzxmj9b4\\k arjl\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0152.326] lstrlenA (lpString="abcd") returned 4 [0152.326] WriteFile (in: hFile=0x1b8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0152.327] CloseHandle (hObject=0x1b8) returned 1 [0152.327] GetProcessHeap () returned 0x4c0000 [0152.327] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0152.327] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc18729d0, ftCreationTime.dwHighDateTime=0x1d5e0b9, ftLastAccessTime.dwLowDateTime=0x51242480, ftLastAccessTime.dwHighDateTime=0x1d5def3, ftLastWriteTime.dwLowDateTime=0x51242480, ftLastWriteTime.dwHighDateTime=0x1d5def3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="K Arjl", cAlternateFileName="KARJL~1")) returned 0 [0152.327] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0152.327] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\PUSSY.TXT") returned 69 [0152.327] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qe9vnj9fzxmj9b4\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x120 [0152.328] lstrlenA (lpString="abcd") returned 4 [0152.328] WriteFile (in: hFile=0x120, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0152.329] CloseHandle (hObject=0x120) returned 1 [0152.329] GetProcessHeap () returned 0x4c0000 [0152.329] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0152.331] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf90dec10, ftCreationTime.dwHighDateTime=0x1d5e4f4, ftLastAccessTime.dwLowDateTime=0x67d76150, ftLastAccessTime.dwHighDateTime=0x1d5de86, ftLastWriteTime.dwLowDateTime=0x67d76150, ftLastWriteTime.dwHighDateTime=0x1d5de86, nFileSizeHigh=0x0, nFileSizeLow=0x2524, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="SZkkvF.odt", cAlternateFileName="")) returned 1 [0152.331] lstrcmpiW (lpString1="SZkkvF.odt", lpString2="Windows") returned -1 [0152.331] lstrcmpiW (lpString1="SZkkvF.odt", lpString2="Program Files") returned 1 [0152.331] lstrcmpiW (lpString1="SZkkvF.odt", lpString2="Program Files (x86)") returned 1 [0152.331] lstrcmpiW (lpString1="SZkkvF.odt", lpString2="$Recycle.bin") returned 1 [0152.331] lstrcmpiW (lpString1="SZkkvF.odt", lpString2="System Volume Information") returned 1 [0152.331] lstrcmpiW (lpString1="SZkkvF.odt", lpString2=".") returned 1 [0152.331] lstrcmpiW (lpString1="SZkkvF.odt", lpString2="..") returned 1 [0152.331] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SZkkvF.odt") returned 54 [0152.331] lstrcmpW (lpString1="SZkkvF.odt", lpString2="PUSSY.TXT") returned 1 [0152.331] PathFindExtensionW (pszPath="SZkkvF.odt") returned=".odt" [0152.331] lstrlenW (lpString=".odt") returned 4 [0152.331] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0152.331] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SZkkvF.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\szkkvf.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0152.332] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=9508) returned 1 [0152.332] GetProcessHeap () returned 0x4c0000 [0152.332] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0152.341] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="13") returned 2 [0152.341] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="D6") returned 2 [0152.341] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="58") returned 2 [0152.341] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="F5") returned 2 [0152.341] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="E2") returned 2 [0152.341] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="88") returned 2 [0152.341] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="6D") returned 2 [0152.341] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="17") returned 2 [0152.341] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="CC") returned 2 [0152.341] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="15") returned 2 [0152.342] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="85") returned 2 [0152.342] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="0F") returned 2 [0152.342] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="B1") returned 2 [0152.342] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="60") returned 2 [0152.342] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="2E") returned 2 [0152.342] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="CE") returned 2 [0152.342] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="FF") returned 2 [0152.342] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="84") returned 2 [0152.342] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="C7") returned 2 [0152.342] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="C0") returned 2 [0152.342] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="C6") returned 2 [0152.342] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="16") returned 2 [0152.342] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="84") returned 2 [0152.342] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="C7") returned 2 [0152.342] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="E6") returned 2 [0152.342] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="2F") returned 2 [0152.342] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="BB") returned 2 [0152.342] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="AA") returned 2 [0152.342] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="A7") returned 2 [0152.342] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="DF") returned 2 [0152.342] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="26") returned 2 [0152.342] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="14") returned 2 [0152.350] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SZkkvF.odt" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SZkkvF.odt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SZkkvF.odt" [0152.350] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SZkkvF.odt" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SZkkvF.odt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SZkkvF.odt" [0152.350] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SZkkvF.odt", lpString2=".13D658F5E2886D17CC15850FB1602ECEFF84C7C0C61684C7E62FBBAAA7DF2614" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SZkkvF.odt.13D658F5E2886D17CC15850FB1602ECEFF84C7C0C61684C7E62FBBAAA7DF2614") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SZkkvF.odt.13D658F5E2886D17CC15850FB1602ECEFF84C7C0C61684C7E62FBBAAA7DF2614" [0152.350] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0152.350] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0152.359] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6d77f6a0, ftCreationTime.dwHighDateTime=0x1d5db76, ftLastAccessTime.dwLowDateTime=0xfc146220, ftLastAccessTime.dwHighDateTime=0x1d5d96b, ftLastWriteTime.dwLowDateTime=0xfc146220, ftLastWriteTime.dwHighDateTime=0x1d5d96b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="tDyPV_9YGFbgvlp", cAlternateFileName="TDYPV_~1")) returned 1 [0152.359] lstrcmpiW (lpString1="tDyPV_9YGFbgvlp", lpString2="Windows") returned -1 [0152.359] lstrcmpiW (lpString1="tDyPV_9YGFbgvlp", lpString2="Program Files") returned 1 [0152.359] lstrcmpiW (lpString1="tDyPV_9YGFbgvlp", lpString2="Program Files (x86)") returned 1 [0152.359] lstrcmpiW (lpString1="tDyPV_9YGFbgvlp", lpString2="$Recycle.bin") returned 1 [0152.359] lstrcmpiW (lpString1="tDyPV_9YGFbgvlp", lpString2="System Volume Information") returned 1 [0152.359] lstrcmpiW (lpString1="tDyPV_9YGFbgvlp", lpString2=".") returned 1 [0152.359] lstrcmpiW (lpString1="tDyPV_9YGFbgvlp", lpString2="..") returned 1 [0152.359] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp") returned 59 [0152.359] GetProcessHeap () returned 0x4c0000 [0152.359] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0152.364] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp" [0152.364] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\*" [0152.364] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6d77f6a0, ftCreationTime.dwHighDateTime=0x1d5db76, ftLastAccessTime.dwLowDateTime=0xfc146220, ftLastAccessTime.dwHighDateTime=0x1d5d96b, ftLastWriteTime.dwLowDateTime=0xfc146220, ftLastWriteTime.dwHighDateTime=0x1d5d96b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0152.364] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0152.364] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0152.364] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0152.364] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0152.364] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0152.364] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0152.364] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6d77f6a0, ftCreationTime.dwHighDateTime=0x1d5db76, ftLastAccessTime.dwLowDateTime=0xfc146220, ftLastAccessTime.dwHighDateTime=0x1d5d96b, ftLastWriteTime.dwLowDateTime=0xfc146220, ftLastWriteTime.dwHighDateTime=0x1d5d96b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0152.364] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0152.365] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0152.365] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0152.365] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0152.365] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0152.365] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0152.365] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0152.365] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2bc03ba0, ftCreationTime.dwHighDateTime=0x1d5db76, ftLastAccessTime.dwLowDateTime=0x81b748c0, ftLastAccessTime.dwHighDateTime=0x1d5dc73, ftLastWriteTime.dwLowDateTime=0x81b748c0, ftLastWriteTime.dwHighDateTime=0x1d5dc73, nFileSizeHigh=0x0, nFileSizeLow=0x3089, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="bg-uh7lC.xlsx", cAlternateFileName="BG-UH7~1.XLS")) returned 1 [0152.365] lstrcmpiW (lpString1="bg-uh7lC.xlsx", lpString2="Windows") returned -1 [0152.365] lstrcmpiW (lpString1="bg-uh7lC.xlsx", lpString2="Program Files") returned -1 [0152.365] lstrcmpiW (lpString1="bg-uh7lC.xlsx", lpString2="Program Files (x86)") returned -1 [0152.365] lstrcmpiW (lpString1="bg-uh7lC.xlsx", lpString2="$Recycle.bin") returned 1 [0152.365] lstrcmpiW (lpString1="bg-uh7lC.xlsx", lpString2="System Volume Information") returned -1 [0152.365] lstrcmpiW (lpString1="bg-uh7lC.xlsx", lpString2=".") returned 1 [0152.365] lstrcmpiW (lpString1="bg-uh7lC.xlsx", lpString2="..") returned 1 [0152.365] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\bg-uh7lC.xlsx") returned 73 [0152.365] lstrcmpW (lpString1="bg-uh7lC.xlsx", lpString2="PUSSY.TXT") returned -1 [0152.365] PathFindExtensionW (pszPath="bg-uh7lC.xlsx") returned=".xlsx" [0152.365] lstrlenW (lpString=".xlsx") returned 5 [0152.365] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0152.365] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\bg-uh7lC.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tdypv_9ygfbgvlp\\bg-uh7lc.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0152.366] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=12425) returned 1 [0152.366] GetProcessHeap () returned 0x4c0000 [0152.366] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0152.376] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="D2") returned 2 [0152.376] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="4B") returned 2 [0152.376] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="16") returned 2 [0152.376] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="78") returned 2 [0152.376] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="60") returned 2 [0152.376] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="33") returned 2 [0152.376] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="32") returned 2 [0152.376] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="59") returned 2 [0152.376] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="90") returned 2 [0152.376] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="01") returned 2 [0152.376] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="5C") returned 2 [0152.376] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="A6") returned 2 [0152.376] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="2E") returned 2 [0152.376] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="F0") returned 2 [0152.376] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="88") returned 2 [0152.376] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="D6") returned 2 [0152.376] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="F6") returned 2 [0152.376] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="8D") returned 2 [0152.376] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="9D") returned 2 [0152.376] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="5B") returned 2 [0152.376] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="62") returned 2 [0152.376] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="44") returned 2 [0152.376] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="07") returned 2 [0152.376] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="A3") returned 2 [0152.376] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="A7") returned 2 [0152.376] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="8D") returned 2 [0152.376] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="B7") returned 2 [0152.376] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="B5") returned 2 [0152.376] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="30") returned 2 [0152.376] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="53") returned 2 [0152.376] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="50") returned 2 [0152.376] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="39") returned 2 [0152.385] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\bg-uh7lC.xlsx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\bg-uh7lC.xlsx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\bg-uh7lC.xlsx" [0152.385] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\bg-uh7lC.xlsx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\bg-uh7lC.xlsx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\bg-uh7lC.xlsx" [0152.385] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\bg-uh7lC.xlsx", lpString2=".D24B16786033325990015CA62EF088D6F68D9D5B624407A3A78DB7B530535039" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\bg-uh7lC.xlsx.D24B16786033325990015CA62EF088D6F68D9D5B624407A3A78DB7B530535039") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\bg-uh7lC.xlsx.D24B16786033325990015CA62EF088D6F68D9D5B624407A3A78DB7B530535039" [0152.385] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0152.385] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0152.400] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc795e920, ftCreationTime.dwHighDateTime=0x1d5dccb, ftLastAccessTime.dwLowDateTime=0xca61d9b0, ftLastAccessTime.dwHighDateTime=0x1d5e7a8, ftLastWriteTime.dwLowDateTime=0xca61d9b0, ftLastWriteTime.dwHighDateTime=0x1d5e7a8, nFileSizeHigh=0x0, nFileSizeLow=0xa333, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="oDJIlf2_pTEHo0.odt", cAlternateFileName="ODJILF~1.ODT")) returned 1 [0152.400] lstrcmpiW (lpString1="oDJIlf2_pTEHo0.odt", lpString2="Windows") returned -1 [0152.400] lstrcmpiW (lpString1="oDJIlf2_pTEHo0.odt", lpString2="Program Files") returned -1 [0152.400] lstrcmpiW (lpString1="oDJIlf2_pTEHo0.odt", lpString2="Program Files (x86)") returned -1 [0152.400] lstrcmpiW (lpString1="oDJIlf2_pTEHo0.odt", lpString2="$Recycle.bin") returned 1 [0152.400] lstrcmpiW (lpString1="oDJIlf2_pTEHo0.odt", lpString2="System Volume Information") returned -1 [0152.400] lstrcmpiW (lpString1="oDJIlf2_pTEHo0.odt", lpString2=".") returned 1 [0152.400] lstrcmpiW (lpString1="oDJIlf2_pTEHo0.odt", lpString2="..") returned 1 [0152.400] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\oDJIlf2_pTEHo0.odt") returned 78 [0152.400] lstrcmpW (lpString1="oDJIlf2_pTEHo0.odt", lpString2="PUSSY.TXT") returned -1 [0152.400] PathFindExtensionW (pszPath="oDJIlf2_pTEHo0.odt") returned=".odt" [0152.400] lstrlenW (lpString=".odt") returned 4 [0152.400] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0152.400] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\oDJIlf2_pTEHo0.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tdypv_9ygfbgvlp\\odjilf2_pteho0.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0152.401] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=41779) returned 1 [0152.401] GetProcessHeap () returned 0x4c0000 [0152.401] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0152.409] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="B7") returned 2 [0152.409] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="3E") returned 2 [0152.409] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="1F") returned 2 [0152.409] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="B9") returned 2 [0152.409] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="BA") returned 2 [0152.409] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="C5") returned 2 [0152.409] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="E8") returned 2 [0152.409] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="46") returned 2 [0152.409] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="75") returned 2 [0152.409] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="87") returned 2 [0152.410] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="0B") returned 2 [0152.410] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="F2") returned 2 [0152.410] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="56") returned 2 [0152.410] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="DA") returned 2 [0152.410] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="F1") returned 2 [0152.410] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="6B") returned 2 [0152.410] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="35") returned 2 [0152.410] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="64") returned 2 [0152.410] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="E4") returned 2 [0152.410] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="ED") returned 2 [0152.410] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="0A") returned 2 [0152.410] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="CA") returned 2 [0152.410] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="4C") returned 2 [0152.410] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="41") returned 2 [0152.410] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="57") returned 2 [0152.410] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="B2") returned 2 [0152.410] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="EB") returned 2 [0152.410] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="34") returned 2 [0152.410] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="78") returned 2 [0152.410] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="30") returned 2 [0152.410] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="6A") returned 2 [0152.410] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="56") returned 2 [0152.418] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\oDJIlf2_pTEHo0.odt" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\oDJIlf2_pTEHo0.odt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\oDJIlf2_pTEHo0.odt" [0152.418] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\oDJIlf2_pTEHo0.odt" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\oDJIlf2_pTEHo0.odt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\oDJIlf2_pTEHo0.odt" [0152.418] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\oDJIlf2_pTEHo0.odt", lpString2=".B73E1FB9BAC5E84675870BF256DAF16B3564E4ED0ACA4C4157B2EB3478306A56" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\oDJIlf2_pTEHo0.odt.B73E1FB9BAC5E84675870BF256DAF16B3564E4ED0ACA4C4157B2EB3478306A56") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\oDJIlf2_pTEHo0.odt.B73E1FB9BAC5E84675870BF256DAF16B3564E4ED0ACA4C4157B2EB3478306A56" [0152.418] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0152.418] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0152.461] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41f90cf0, ftCreationTime.dwHighDateTime=0x1d5e76d, ftLastAccessTime.dwLowDateTime=0x4fcb9550, ftLastAccessTime.dwHighDateTime=0x1d5e4c5, ftLastWriteTime.dwLowDateTime=0x4fcb9550, ftLastWriteTime.dwHighDateTime=0x1d5e4c5, nFileSizeHigh=0x0, nFileSizeLow=0x16c98, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="PFovFcFkMoDv.rtf", cAlternateFileName="PFOVFC~1.RTF")) returned 1 [0152.461] lstrcmpiW (lpString1="PFovFcFkMoDv.rtf", lpString2="Windows") returned -1 [0152.461] lstrcmpiW (lpString1="PFovFcFkMoDv.rtf", lpString2="Program Files") returned -1 [0152.461] lstrcmpiW (lpString1="PFovFcFkMoDv.rtf", lpString2="Program Files (x86)") returned -1 [0152.461] lstrcmpiW (lpString1="PFovFcFkMoDv.rtf", lpString2="$Recycle.bin") returned 1 [0152.461] lstrcmpiW (lpString1="PFovFcFkMoDv.rtf", lpString2="System Volume Information") returned -1 [0152.461] lstrcmpiW (lpString1="PFovFcFkMoDv.rtf", lpString2=".") returned 1 [0152.461] lstrcmpiW (lpString1="PFovFcFkMoDv.rtf", lpString2="..") returned 1 [0152.461] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\PFovFcFkMoDv.rtf") returned 76 [0152.461] lstrcmpW (lpString1="PFovFcFkMoDv.rtf", lpString2="PUSSY.TXT") returned -1 [0152.461] PathFindExtensionW (pszPath="PFovFcFkMoDv.rtf") returned=".rtf" [0152.461] lstrlenW (lpString=".rtf") returned 4 [0152.461] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0152.461] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\PFovFcFkMoDv.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tdypv_9ygfbgvlp\\pfovfcfkmodv.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0152.463] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=93336) returned 1 [0152.463] GetProcessHeap () returned 0x4c0000 [0152.463] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0152.472] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="30") returned 2 [0152.472] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="BB") returned 2 [0152.472] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="39") returned 2 [0152.472] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="3A") returned 2 [0152.472] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="D6") returned 2 [0152.472] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="48") returned 2 [0152.472] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="EC") returned 2 [0152.472] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="9E") returned 2 [0152.472] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="66") returned 2 [0152.472] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="E3") returned 2 [0152.472] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="C4") returned 2 [0152.472] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="07") returned 2 [0152.472] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="9D") returned 2 [0152.472] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="4B") returned 2 [0152.472] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="BE") returned 2 [0152.472] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="84") returned 2 [0152.472] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="7B") returned 2 [0152.472] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="47") returned 2 [0152.473] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="FC") returned 2 [0152.473] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="EA") returned 2 [0152.473] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="57") returned 2 [0152.473] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="73") returned 2 [0152.473] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="98") returned 2 [0152.473] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="A4") returned 2 [0152.473] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="08") returned 2 [0152.473] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="4B") returned 2 [0152.473] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="8B") returned 2 [0152.473] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="2F") returned 2 [0152.473] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="A0") returned 2 [0152.473] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="B6") returned 2 [0152.473] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="2A") returned 2 [0152.473] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="0C") returned 2 [0152.482] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\PFovFcFkMoDv.rtf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\PFovFcFkMoDv.rtf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\PFovFcFkMoDv.rtf" [0152.482] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\PFovFcFkMoDv.rtf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\PFovFcFkMoDv.rtf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\PFovFcFkMoDv.rtf" [0152.482] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\PFovFcFkMoDv.rtf", lpString2=".30BB393AD648EC9E66E3C4079D4BBE847B47FCEA577398A4084B8B2FA0B62A0C" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\PFovFcFkMoDv.rtf.30BB393AD648EC9E66E3C4079D4BBE847B47FCEA577398A4084B8B2FA0B62A0C") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\PFovFcFkMoDv.rtf.30BB393AD648EC9E66E3C4079D4BBE847B47FCEA577398A4084B8B2FA0B62A0C" [0152.482] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0152.482] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0152.515] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc2365980, ftCreationTime.dwHighDateTime=0x1d5dee0, ftLastAccessTime.dwLowDateTime=0x5aeecfb0, ftLastAccessTime.dwHighDateTime=0x1d5e16e, ftLastWriteTime.dwLowDateTime=0x5aeecfb0, ftLastWriteTime.dwHighDateTime=0x1d5e16e, nFileSizeHigh=0x0, nFileSizeLow=0x152a2, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="qklcRi7Zjm61 ijnq.ots", cAlternateFileName="QKLCRI~1.OTS")) returned 1 [0152.516] lstrcmpiW (lpString1="qklcRi7Zjm61 ijnq.ots", lpString2="Windows") returned -1 [0152.516] lstrcmpiW (lpString1="qklcRi7Zjm61 ijnq.ots", lpString2="Program Files") returned 1 [0152.516] lstrcmpiW (lpString1="qklcRi7Zjm61 ijnq.ots", lpString2="Program Files (x86)") returned 1 [0152.516] lstrcmpiW (lpString1="qklcRi7Zjm61 ijnq.ots", lpString2="$Recycle.bin") returned 1 [0152.516] lstrcmpiW (lpString1="qklcRi7Zjm61 ijnq.ots", lpString2="System Volume Information") returned -1 [0152.516] lstrcmpiW (lpString1="qklcRi7Zjm61 ijnq.ots", lpString2=".") returned 1 [0152.516] lstrcmpiW (lpString1="qklcRi7Zjm61 ijnq.ots", lpString2="..") returned 1 [0152.516] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\qklcRi7Zjm61 ijnq.ots") returned 81 [0152.516] lstrcmpW (lpString1="qklcRi7Zjm61 ijnq.ots", lpString2="PUSSY.TXT") returned 1 [0152.516] PathFindExtensionW (pszPath="qklcRi7Zjm61 ijnq.ots") returned=".ots" [0152.516] lstrlenW (lpString=".ots") returned 4 [0152.516] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0152.516] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\qklcRi7Zjm61 ijnq.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tdypv_9ygfbgvlp\\qklcri7zjm61 ijnq.ots"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0152.517] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=86690) returned 1 [0152.517] GetProcessHeap () returned 0x4c0000 [0152.517] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0152.526] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="40") returned 2 [0152.526] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="5A") returned 2 [0152.526] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="90") returned 2 [0152.526] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="B5") returned 2 [0152.526] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="02") returned 2 [0152.526] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="C4") returned 2 [0152.526] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="CF") returned 2 [0152.526] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="F7") returned 2 [0152.526] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="01") returned 2 [0152.526] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="43") returned 2 [0152.526] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="5E") returned 2 [0152.526] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="62") returned 2 [0152.527] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="8E") returned 2 [0152.527] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="AE") returned 2 [0152.527] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="CB") returned 2 [0152.527] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="C1") returned 2 [0152.527] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="93") returned 2 [0152.527] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="58") returned 2 [0152.527] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="44") returned 2 [0152.527] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="20") returned 2 [0152.527] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="02") returned 2 [0152.527] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="55") returned 2 [0152.527] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="52") returned 2 [0152.527] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="98") returned 2 [0152.527] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="93") returned 2 [0152.527] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="61") returned 2 [0152.527] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="0C") returned 2 [0152.527] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="C9") returned 2 [0152.527] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="B8") returned 2 [0152.527] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="59") returned 2 [0152.527] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="DE") returned 2 [0152.527] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="23") returned 2 [0152.535] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\qklcRi7Zjm61 ijnq.ots" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\qklcRi7Zjm61 ijnq.ots") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\qklcRi7Zjm61 ijnq.ots" [0152.536] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\qklcRi7Zjm61 ijnq.ots" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\qklcRi7Zjm61 ijnq.ots") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\qklcRi7Zjm61 ijnq.ots" [0152.536] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\qklcRi7Zjm61 ijnq.ots", lpString2=".405A90B502C4CFF701435E628EAECBC1935844200255529893610CC9B859DE23" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\qklcRi7Zjm61 ijnq.ots.405A90B502C4CFF701435E628EAECBC1935844200255529893610CC9B859DE23") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\qklcRi7Zjm61 ijnq.ots.405A90B502C4CFF701435E628EAECBC1935844200255529893610CC9B859DE23" [0152.536] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0152.536] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0152.571] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80d9fef0, ftCreationTime.dwHighDateTime=0x1d5e404, ftLastAccessTime.dwLowDateTime=0x61a722f0, ftLastAccessTime.dwHighDateTime=0x1d5d942, ftLastWriteTime.dwLowDateTime=0x61a722f0, ftLastWriteTime.dwHighDateTime=0x1d5d942, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="r2rdS_PLw", cAlternateFileName="R2RDS_~1")) returned 1 [0152.571] lstrcmpiW (lpString1="r2rdS_PLw", lpString2="Windows") returned -1 [0152.571] lstrcmpiW (lpString1="r2rdS_PLw", lpString2="Program Files") returned 1 [0152.571] lstrcmpiW (lpString1="r2rdS_PLw", lpString2="Program Files (x86)") returned 1 [0152.571] lstrcmpiW (lpString1="r2rdS_PLw", lpString2="$Recycle.bin") returned 1 [0152.571] lstrcmpiW (lpString1="r2rdS_PLw", lpString2="System Volume Information") returned -1 [0152.571] lstrcmpiW (lpString1="r2rdS_PLw", lpString2=".") returned 1 [0152.571] lstrcmpiW (lpString1="r2rdS_PLw", lpString2="..") returned 1 [0152.571] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw") returned 69 [0152.571] GetProcessHeap () returned 0x4c0000 [0152.571] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0152.572] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw" [0152.572] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\*" [0152.572] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80d9fef0, ftCreationTime.dwHighDateTime=0x1d5e404, ftLastAccessTime.dwLowDateTime=0x61a722f0, ftLastAccessTime.dwHighDateTime=0x1d5d942, ftLastWriteTime.dwLowDateTime=0x61a722f0, ftLastWriteTime.dwHighDateTime=0x1d5d942, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0152.572] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0152.572] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0152.572] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0152.572] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0152.572] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0152.572] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0152.572] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80d9fef0, ftCreationTime.dwHighDateTime=0x1d5e404, ftLastAccessTime.dwLowDateTime=0x61a722f0, ftLastAccessTime.dwHighDateTime=0x1d5d942, ftLastWriteTime.dwLowDateTime=0x61a722f0, ftLastWriteTime.dwHighDateTime=0x1d5d942, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0152.572] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0152.572] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0152.572] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0152.573] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0152.573] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0152.573] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0152.573] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0152.573] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26989550, ftCreationTime.dwHighDateTime=0x1d5d9f0, ftLastAccessTime.dwLowDateTime=0xdfdd35c0, ftLastAccessTime.dwHighDateTime=0x1d5e238, ftLastWriteTime.dwLowDateTime=0xdfdd35c0, ftLastWriteTime.dwHighDateTime=0x1d5e238, nFileSizeHigh=0x0, nFileSizeLow=0x3424, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="15UhXOS.ods", cAlternateFileName="")) returned 1 [0152.573] lstrcmpiW (lpString1="15UhXOS.ods", lpString2="Windows") returned -1 [0152.573] lstrcmpiW (lpString1="15UhXOS.ods", lpString2="Program Files") returned -1 [0152.573] lstrcmpiW (lpString1="15UhXOS.ods", lpString2="Program Files (x86)") returned -1 [0152.573] lstrcmpiW (lpString1="15UhXOS.ods", lpString2="$Recycle.bin") returned 1 [0152.573] lstrcmpiW (lpString1="15UhXOS.ods", lpString2="System Volume Information") returned -1 [0152.573] lstrcmpiW (lpString1="15UhXOS.ods", lpString2=".") returned 1 [0152.573] lstrcmpiW (lpString1="15UhXOS.ods", lpString2="..") returned 1 [0152.573] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\15UhXOS.ods") returned 81 [0152.573] lstrcmpW (lpString1="15UhXOS.ods", lpString2="PUSSY.TXT") returned -1 [0152.573] PathFindExtensionW (pszPath="15UhXOS.ods") returned=".ods" [0152.573] lstrlenW (lpString=".ods") returned 4 [0152.573] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0152.573] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\15UhXOS.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tdypv_9ygfbgvlp\\r2rds_plw\\15uhxos.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0152.575] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=13348) returned 1 [0152.575] GetProcessHeap () returned 0x4c0000 [0152.575] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0152.583] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="4A") returned 2 [0152.583] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="06") returned 2 [0152.583] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="54") returned 2 [0152.583] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="71") returned 2 [0152.583] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="A0") returned 2 [0152.583] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="AC") returned 2 [0152.583] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="80") returned 2 [0152.583] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="24") returned 2 [0152.583] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="67") returned 2 [0152.583] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="7C") returned 2 [0152.583] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="EF") returned 2 [0152.583] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="9A") returned 2 [0152.583] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="DD") returned 2 [0152.584] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="BA") returned 2 [0152.584] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="BB") returned 2 [0152.584] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="FE") returned 2 [0152.584] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="08") returned 2 [0152.584] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="B8") returned 2 [0152.584] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="62") returned 2 [0152.584] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="FA") returned 2 [0152.584] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="49") returned 2 [0152.584] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="37") returned 2 [0152.584] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="89") returned 2 [0152.584] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="EC") returned 2 [0152.584] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="D0") returned 2 [0152.584] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="A6") returned 2 [0152.584] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="84") returned 2 [0152.584] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="02") returned 2 [0152.584] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="31") returned 2 [0152.584] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="E7") returned 2 [0152.584] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="6C") returned 2 [0152.584] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="37") returned 2 [0152.592] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\15UhXOS.ods" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\15UhXOS.ods") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\15UhXOS.ods" [0152.592] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\15UhXOS.ods" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\15UhXOS.ods") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\15UhXOS.ods" [0152.592] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\15UhXOS.ods", lpString2=".4A065471A0AC8024677CEF9ADDBABBFE08B862FA493789ECD0A6840231E76C37" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\15UhXOS.ods.4A065471A0AC8024677CEF9ADDBABBFE08B862FA493789ECD0A6840231E76C37") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\15UhXOS.ods.4A065471A0AC8024677CEF9ADDBABBFE08B862FA493789ECD0A6840231E76C37" [0152.592] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0152.592] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0152.607] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd5492890, ftCreationTime.dwHighDateTime=0x1d5dbb6, ftLastAccessTime.dwLowDateTime=0x4398be80, ftLastAccessTime.dwHighDateTime=0x1d5de3e, ftLastWriteTime.dwLowDateTime=0x4398be80, ftLastWriteTime.dwHighDateTime=0x1d5de3e, nFileSizeHigh=0x0, nFileSizeLow=0x9246, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="5Wsr.xls", cAlternateFileName="")) returned 1 [0152.607] lstrcmpiW (lpString1="5Wsr.xls", lpString2="Windows") returned -1 [0152.607] lstrcmpiW (lpString1="5Wsr.xls", lpString2="Program Files") returned -1 [0152.608] lstrcmpiW (lpString1="5Wsr.xls", lpString2="Program Files (x86)") returned -1 [0152.608] lstrcmpiW (lpString1="5Wsr.xls", lpString2="$Recycle.bin") returned 1 [0152.608] lstrcmpiW (lpString1="5Wsr.xls", lpString2="System Volume Information") returned -1 [0152.608] lstrcmpiW (lpString1="5Wsr.xls", lpString2=".") returned 1 [0152.608] lstrcmpiW (lpString1="5Wsr.xls", lpString2="..") returned 1 [0152.608] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\5Wsr.xls") returned 78 [0152.608] lstrcmpW (lpString1="5Wsr.xls", lpString2="PUSSY.TXT") returned -1 [0152.608] PathFindExtensionW (pszPath="5Wsr.xls") returned=".xls" [0152.608] lstrlenW (lpString=".xls") returned 4 [0152.608] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0152.608] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\5Wsr.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tdypv_9ygfbgvlp\\r2rds_plw\\5wsr.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0152.609] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=37446) returned 1 [0152.609] GetProcessHeap () returned 0x4c0000 [0152.609] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0152.617] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="5C") returned 2 [0152.618] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="1B") returned 2 [0152.618] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="BB") returned 2 [0152.618] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="86") returned 2 [0152.618] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="D8") returned 2 [0152.618] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="54") returned 2 [0152.618] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="86") returned 2 [0152.618] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="03") returned 2 [0152.618] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="DC") returned 2 [0152.618] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="D8") returned 2 [0152.618] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="D4") returned 2 [0152.618] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="BF") returned 2 [0152.618] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="1A") returned 2 [0152.618] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="0A") returned 2 [0152.618] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="BE") returned 2 [0152.618] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="40") returned 2 [0152.618] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="90") returned 2 [0152.618] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="CE") returned 2 [0152.618] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="79") returned 2 [0152.618] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="20") returned 2 [0152.618] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="12") returned 2 [0152.618] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="D8") returned 2 [0152.618] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="3A") returned 2 [0152.618] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="94") returned 2 [0152.618] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="8B") returned 2 [0152.618] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="F2") returned 2 [0152.618] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="CF") returned 2 [0152.618] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="C9") returned 2 [0152.618] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="75") returned 2 [0152.618] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="49") returned 2 [0152.618] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="52") returned 2 [0152.618] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="15") returned 2 [0152.627] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\5Wsr.xls" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\5Wsr.xls") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\5Wsr.xls" [0152.627] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\5Wsr.xls" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\5Wsr.xls") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\5Wsr.xls" [0152.627] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\5Wsr.xls", lpString2=".5C1BBB86D8548603DCD8D4BF1A0ABE4090CE792012D83A948BF2CFC975495215" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\5Wsr.xls.5C1BBB86D8548603DCD8D4BF1A0ABE4090CE792012D83A948BF2CFC975495215") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\5Wsr.xls.5C1BBB86D8548603DCD8D4BF1A0ABE4090CE792012D83A948BF2CFC975495215" [0152.627] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0152.627] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0152.659] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c7bc640, ftCreationTime.dwHighDateTime=0x1d5e73e, ftLastAccessTime.dwLowDateTime=0xab552dd0, ftLastAccessTime.dwHighDateTime=0x1d5ddab, ftLastWriteTime.dwLowDateTime=0xab552dd0, ftLastWriteTime.dwHighDateTime=0x1d5ddab, nFileSizeHigh=0x0, nFileSizeLow=0xadb6, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="8w_iQoUo6XxuX02SScr4.pps", cAlternateFileName="8W_IQO~1.PPS")) returned 1 [0152.659] lstrcmpiW (lpString1="8w_iQoUo6XxuX02SScr4.pps", lpString2="Windows") returned -1 [0152.659] lstrcmpiW (lpString1="8w_iQoUo6XxuX02SScr4.pps", lpString2="Program Files") returned -1 [0152.659] lstrcmpiW (lpString1="8w_iQoUo6XxuX02SScr4.pps", lpString2="Program Files (x86)") returned -1 [0152.659] lstrcmpiW (lpString1="8w_iQoUo6XxuX02SScr4.pps", lpString2="$Recycle.bin") returned 1 [0152.659] lstrcmpiW (lpString1="8w_iQoUo6XxuX02SScr4.pps", lpString2="System Volume Information") returned -1 [0152.659] lstrcmpiW (lpString1="8w_iQoUo6XxuX02SScr4.pps", lpString2=".") returned 1 [0152.659] lstrcmpiW (lpString1="8w_iQoUo6XxuX02SScr4.pps", lpString2="..") returned 1 [0152.659] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\8w_iQoUo6XxuX02SScr4.pps") returned 94 [0152.659] lstrcmpW (lpString1="8w_iQoUo6XxuX02SScr4.pps", lpString2="PUSSY.TXT") returned -1 [0152.659] PathFindExtensionW (pszPath="8w_iQoUo6XxuX02SScr4.pps") returned=".pps" [0152.659] lstrlenW (lpString=".pps") returned 4 [0152.659] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0152.659] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\8w_iQoUo6XxuX02SScr4.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tdypv_9ygfbgvlp\\r2rds_plw\\8w_iqouo6xxux02sscr4.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0152.660] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=44470) returned 1 [0152.660] GetProcessHeap () returned 0x4c0000 [0152.660] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0152.668] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="70") returned 2 [0152.668] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="A2") returned 2 [0152.668] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="3E") returned 2 [0152.669] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="75") returned 2 [0152.669] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="97") returned 2 [0152.669] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="20") returned 2 [0152.669] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="48") returned 2 [0152.669] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="A6") returned 2 [0152.669] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="B1") returned 2 [0152.669] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="B4") returned 2 [0152.669] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="A7") returned 2 [0152.669] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="06") returned 2 [0152.669] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="87") returned 2 [0152.669] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="D4") returned 2 [0152.669] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="6B") returned 2 [0152.669] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="52") returned 2 [0152.669] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="82") returned 2 [0152.669] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="28") returned 2 [0152.669] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="CF") returned 2 [0152.669] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="90") returned 2 [0152.669] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="9C") returned 2 [0152.669] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="4E") returned 2 [0152.669] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="3F") returned 2 [0152.669] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="C1") returned 2 [0152.669] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="93") returned 2 [0152.669] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="8F") returned 2 [0152.669] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="DB") returned 2 [0152.669] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="57") returned 2 [0152.669] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="C4") returned 2 [0152.669] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="08") returned 2 [0152.669] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="1A") returned 2 [0152.669] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="1B") returned 2 [0152.680] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\8w_iQoUo6XxuX02SScr4.pps" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\8w_iQoUo6XxuX02SScr4.pps") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\8w_iQoUo6XxuX02SScr4.pps" [0152.680] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\8w_iQoUo6XxuX02SScr4.pps" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\8w_iQoUo6XxuX02SScr4.pps") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\8w_iQoUo6XxuX02SScr4.pps" [0152.680] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\8w_iQoUo6XxuX02SScr4.pps", lpString2=".70A23E75972048A6B1B4A70687D46B528228CF909C4E3FC1938FDB57C4081A1B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\8w_iQoUo6XxuX02SScr4.pps.70A23E75972048A6B1B4A70687D46B528228CF909C4E3FC1938FDB57C4081A1B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\8w_iQoUo6XxuX02SScr4.pps.70A23E75972048A6B1B4A70687D46B528228CF909C4E3FC1938FDB57C4081A1B" [0152.680] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0152.681] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0152.713] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b493db0, ftCreationTime.dwHighDateTime=0x1d5d893, ftLastAccessTime.dwLowDateTime=0xb15ee310, ftLastAccessTime.dwHighDateTime=0x1d5d9c8, ftLastWriteTime.dwLowDateTime=0xb15ee310, ftLastWriteTime.dwHighDateTime=0x1d5d9c8, nFileSizeHigh=0x0, nFileSizeLow=0x11955, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="F73w.rtf", cAlternateFileName="")) returned 1 [0152.713] lstrcmpiW (lpString1="F73w.rtf", lpString2="Windows") returned -1 [0152.713] lstrcmpiW (lpString1="F73w.rtf", lpString2="Program Files") returned -1 [0152.713] lstrcmpiW (lpString1="F73w.rtf", lpString2="Program Files (x86)") returned -1 [0152.713] lstrcmpiW (lpString1="F73w.rtf", lpString2="$Recycle.bin") returned 1 [0152.713] lstrcmpiW (lpString1="F73w.rtf", lpString2="System Volume Information") returned -1 [0152.713] lstrcmpiW (lpString1="F73w.rtf", lpString2=".") returned 1 [0152.714] lstrcmpiW (lpString1="F73w.rtf", lpString2="..") returned 1 [0152.714] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\F73w.rtf") returned 78 [0152.714] lstrcmpW (lpString1="F73w.rtf", lpString2="PUSSY.TXT") returned -1 [0152.714] PathFindExtensionW (pszPath="F73w.rtf") returned=".rtf" [0152.714] lstrlenW (lpString=".rtf") returned 4 [0152.714] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0152.714] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\F73w.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tdypv_9ygfbgvlp\\r2rds_plw\\f73w.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0152.715] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=72021) returned 1 [0152.715] GetProcessHeap () returned 0x4c0000 [0152.715] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0152.724] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="D6") returned 2 [0152.724] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="A7") returned 2 [0152.724] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="D3") returned 2 [0152.724] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="75") returned 2 [0152.724] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="15") returned 2 [0152.725] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="D6") returned 2 [0152.725] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="D9") returned 2 [0152.725] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="F5") returned 2 [0152.725] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="67") returned 2 [0152.725] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="7C") returned 2 [0152.725] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="8F") returned 2 [0152.725] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="70") returned 2 [0152.725] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="98") returned 2 [0152.725] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="86") returned 2 [0152.725] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="4E") returned 2 [0152.725] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="61") returned 2 [0152.725] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="7B") returned 2 [0152.725] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="E1") returned 2 [0152.725] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="0D") returned 2 [0152.725] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="EE") returned 2 [0152.725] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="83") returned 2 [0152.725] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="FE") returned 2 [0152.725] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="89") returned 2 [0152.725] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="DB") returned 2 [0152.725] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="35") returned 2 [0152.725] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="5D") returned 2 [0152.725] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="17") returned 2 [0152.725] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="9F") returned 2 [0152.725] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="53") returned 2 [0152.725] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="A2") returned 2 [0152.725] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="DA") returned 2 [0152.725] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="4B") returned 2 [0152.733] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\F73w.rtf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\F73w.rtf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\F73w.rtf" [0152.733] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\F73w.rtf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\F73w.rtf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\F73w.rtf" [0152.733] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\F73w.rtf", lpString2=".D6A7D37515D6D9F5677C8F7098864E617BE10DEE83FE89DB355D179F53A2DA4B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\F73w.rtf.D6A7D37515D6D9F5677C8F7098864E617BE10DEE83FE89DB355D179F53A2DA4B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\F73w.rtf.D6A7D37515D6D9F5677C8F7098864E617BE10DEE83FE89DB355D179F53A2DA4B" [0152.733] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0152.734] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0152.766] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeac95110, ftCreationTime.dwHighDateTime=0x1d5e2f3, ftLastAccessTime.dwLowDateTime=0xe65db5b0, ftLastAccessTime.dwHighDateTime=0x1d5d7d3, ftLastWriteTime.dwLowDateTime=0xe65db5b0, ftLastWriteTime.dwHighDateTime=0x1d5d7d3, nFileSizeHigh=0x0, nFileSizeLow=0xd2bd, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="hx33cCEIveP89JAH.xls", cAlternateFileName="HX33CC~1.XLS")) returned 1 [0152.767] lstrcmpiW (lpString1="hx33cCEIveP89JAH.xls", lpString2="Windows") returned -1 [0152.767] lstrcmpiW (lpString1="hx33cCEIveP89JAH.xls", lpString2="Program Files") returned -1 [0152.767] lstrcmpiW (lpString1="hx33cCEIveP89JAH.xls", lpString2="Program Files (x86)") returned -1 [0152.767] lstrcmpiW (lpString1="hx33cCEIveP89JAH.xls", lpString2="$Recycle.bin") returned 1 [0152.767] lstrcmpiW (lpString1="hx33cCEIveP89JAH.xls", lpString2="System Volume Information") returned -1 [0152.767] lstrcmpiW (lpString1="hx33cCEIveP89JAH.xls", lpString2=".") returned 1 [0152.767] lstrcmpiW (lpString1="hx33cCEIveP89JAH.xls", lpString2="..") returned 1 [0152.767] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\hx33cCEIveP89JAH.xls") returned 90 [0152.767] lstrcmpW (lpString1="hx33cCEIveP89JAH.xls", lpString2="PUSSY.TXT") returned -1 [0152.767] PathFindExtensionW (pszPath="hx33cCEIveP89JAH.xls") returned=".xls" [0152.767] lstrlenW (lpString=".xls") returned 4 [0152.767] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0152.767] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\hx33cCEIveP89JAH.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tdypv_9ygfbgvlp\\r2rds_plw\\hx33cceivep89jah.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0152.768] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=53949) returned 1 [0152.768] GetProcessHeap () returned 0x4c0000 [0152.768] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0152.776] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="B0") returned 2 [0152.776] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="31") returned 2 [0152.776] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="E5") returned 2 [0152.776] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="D2") returned 2 [0152.776] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="99") returned 2 [0152.776] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="63") returned 2 [0152.776] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="9B") returned 2 [0152.776] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="C5") returned 2 [0152.776] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="FC") returned 2 [0152.776] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="0C") returned 2 [0152.776] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="D4") returned 2 [0152.776] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="49") returned 2 [0152.776] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="AB") returned 2 [0152.776] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="2A") returned 2 [0152.776] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="2E") returned 2 [0152.776] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="D4") returned 2 [0152.777] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="D2") returned 2 [0152.777] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="64") returned 2 [0152.777] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="D8") returned 2 [0152.777] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="F1") returned 2 [0152.777] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="0E") returned 2 [0152.777] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="49") returned 2 [0152.777] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="69") returned 2 [0152.777] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="92") returned 2 [0152.777] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="A6") returned 2 [0152.777] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="66") returned 2 [0152.777] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="FB") returned 2 [0152.777] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="51") returned 2 [0152.777] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="C4") returned 2 [0152.777] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="30") returned 2 [0152.777] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="55") returned 2 [0152.777] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="41") returned 2 [0152.785] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\hx33cCEIveP89JAH.xls" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\hx33cCEIveP89JAH.xls") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\hx33cCEIveP89JAH.xls" [0152.785] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\hx33cCEIveP89JAH.xls" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\hx33cCEIveP89JAH.xls") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\hx33cCEIveP89JAH.xls" [0152.785] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\hx33cCEIveP89JAH.xls", lpString2=".B031E5D299639BC5FC0CD449AB2A2ED4D264D8F10E496992A666FB51C4305541" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\hx33cCEIveP89JAH.xls.B031E5D299639BC5FC0CD449AB2A2ED4D264D8F10E496992A666FB51C4305541") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\hx33cCEIveP89JAH.xls.B031E5D299639BC5FC0CD449AB2A2ED4D264D8F10E496992A666FB51C4305541" [0152.785] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0152.785] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0152.823] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x75ce8e10, ftCreationTime.dwHighDateTime=0x1d5dbf1, ftLastAccessTime.dwLowDateTime=0x5f591e70, ftLastAccessTime.dwHighDateTime=0x1d5e79f, ftLastWriteTime.dwLowDateTime=0x5f591e70, ftLastWriteTime.dwHighDateTime=0x1d5e79f, nFileSizeHigh=0x0, nFileSizeLow=0x164aa, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="SkoU9rx_w-xtaay.xls", cAlternateFileName="SKOU9R~1.XLS")) returned 1 [0152.823] lstrcmpiW (lpString1="SkoU9rx_w-xtaay.xls", lpString2="Windows") returned -1 [0152.823] lstrcmpiW (lpString1="SkoU9rx_w-xtaay.xls", lpString2="Program Files") returned 1 [0152.823] lstrcmpiW (lpString1="SkoU9rx_w-xtaay.xls", lpString2="Program Files (x86)") returned 1 [0152.823] lstrcmpiW (lpString1="SkoU9rx_w-xtaay.xls", lpString2="$Recycle.bin") returned 1 [0152.824] lstrcmpiW (lpString1="SkoU9rx_w-xtaay.xls", lpString2="System Volume Information") returned -1 [0152.826] lstrcmpiW (lpString1="SkoU9rx_w-xtaay.xls", lpString2=".") returned 1 [0152.826] lstrcmpiW (lpString1="SkoU9rx_w-xtaay.xls", lpString2="..") returned 1 [0152.826] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\SkoU9rx_w-xtaay.xls") returned 89 [0152.826] lstrcmpW (lpString1="SkoU9rx_w-xtaay.xls", lpString2="PUSSY.TXT") returned 1 [0152.826] PathFindExtensionW (pszPath="SkoU9rx_w-xtaay.xls") returned=".xls" [0152.826] lstrlenW (lpString=".xls") returned 4 [0152.827] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0152.827] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\SkoU9rx_w-xtaay.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tdypv_9ygfbgvlp\\r2rds_plw\\skou9rx_w-xtaay.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0152.828] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=91306) returned 1 [0152.828] GetProcessHeap () returned 0x4c0000 [0152.828] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0152.841] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="F2") returned 2 [0152.841] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="CE") returned 2 [0152.841] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="88") returned 2 [0152.841] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="C6") returned 2 [0152.841] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="2A") returned 2 [0152.841] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="A5") returned 2 [0152.841] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="90") returned 2 [0152.841] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="F1") returned 2 [0152.841] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="28") returned 2 [0152.841] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="EC") returned 2 [0152.841] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="ED") returned 2 [0152.841] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="E7") returned 2 [0152.841] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="B7") returned 2 [0152.841] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="3D") returned 2 [0152.841] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="F8") returned 2 [0152.841] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="2B") returned 2 [0152.841] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="BA") returned 2 [0152.841] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="A8") returned 2 [0152.841] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="42") returned 2 [0152.842] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="0C") returned 2 [0152.842] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="06") returned 2 [0152.842] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="87") returned 2 [0152.842] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="60") returned 2 [0152.842] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="E7") returned 2 [0152.842] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="51") returned 2 [0152.842] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="07") returned 2 [0152.842] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="6B") returned 2 [0152.842] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="12") returned 2 [0152.842] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="FE") returned 2 [0152.842] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="99") returned 2 [0152.842] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="8A") returned 2 [0152.842] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="51") returned 2 [0152.866] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\SkoU9rx_w-xtaay.xls" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\SkoU9rx_w-xtaay.xls") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\SkoU9rx_w-xtaay.xls" [0152.866] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\SkoU9rx_w-xtaay.xls" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\SkoU9rx_w-xtaay.xls") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\SkoU9rx_w-xtaay.xls" [0152.866] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\SkoU9rx_w-xtaay.xls", lpString2=".F2CE88C62AA590F128ECEDE7B73DF82BBAA8420C068760E751076B12FE998A51" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\SkoU9rx_w-xtaay.xls.F2CE88C62AA590F128ECEDE7B73DF82BBAA8420C068760E751076B12FE998A51") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\SkoU9rx_w-xtaay.xls.F2CE88C62AA590F128ECEDE7B73DF82BBAA8420C068760E751076B12FE998A51" [0152.866] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0152.866] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0152.907] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x75ce8e10, ftCreationTime.dwHighDateTime=0x1d5dbf1, ftLastAccessTime.dwLowDateTime=0x5f591e70, ftLastAccessTime.dwHighDateTime=0x1d5e79f, ftLastWriteTime.dwLowDateTime=0x5f591e70, ftLastWriteTime.dwHighDateTime=0x1d5e79f, nFileSizeHigh=0x0, nFileSizeLow=0x164aa, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="SkoU9rx_w-xtaay.xls", cAlternateFileName="SKOU9R~1.XLS")) returned 0 [0152.907] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0152.907] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\PUSSY.TXT") returned 79 [0152.907] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tdypv_9ygfbgvlp\\r2rds_plw\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0152.908] lstrlenA (lpString="abcd") returned 4 [0152.908] WriteFile (in: hFile=0x1b8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0152.909] CloseHandle (hObject=0x1b8) returned 1 [0152.909] GetProcessHeap () returned 0x4c0000 [0152.909] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0152.909] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc6c23e20, ftCreationTime.dwHighDateTime=0x1d5d999, ftLastAccessTime.dwLowDateTime=0xa9d4a20, ftLastAccessTime.dwHighDateTime=0x1d5e5d6, ftLastWriteTime.dwLowDateTime=0xa9d4a20, ftLastWriteTime.dwHighDateTime=0x1d5e5d6, nFileSizeHigh=0x0, nFileSizeLow=0x8b02, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="u3Ly.odp", cAlternateFileName="")) returned 1 [0152.909] lstrcmpiW (lpString1="u3Ly.odp", lpString2="Windows") returned -1 [0152.909] lstrcmpiW (lpString1="u3Ly.odp", lpString2="Program Files") returned 1 [0152.909] lstrcmpiW (lpString1="u3Ly.odp", lpString2="Program Files (x86)") returned 1 [0152.909] lstrcmpiW (lpString1="u3Ly.odp", lpString2="$Recycle.bin") returned 1 [0152.910] lstrcmpiW (lpString1="u3Ly.odp", lpString2="System Volume Information") returned 1 [0152.910] lstrcmpiW (lpString1="u3Ly.odp", lpString2=".") returned 1 [0152.910] lstrcmpiW (lpString1="u3Ly.odp", lpString2="..") returned 1 [0152.910] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\u3Ly.odp") returned 68 [0152.910] lstrcmpW (lpString1="u3Ly.odp", lpString2="PUSSY.TXT") returned 1 [0152.910] PathFindExtensionW (pszPath="u3Ly.odp") returned=".odp" [0152.910] lstrlenW (lpString=".odp") returned 4 [0152.910] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0152.910] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\u3Ly.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tdypv_9ygfbgvlp\\u3ly.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0152.910] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=35586) returned 1 [0152.911] GetProcessHeap () returned 0x4c0000 [0152.911] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0152.919] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="62") returned 2 [0152.919] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="AF") returned 2 [0152.919] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="4B") returned 2 [0152.919] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="B4") returned 2 [0152.919] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="04") returned 2 [0152.919] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="88") returned 2 [0152.919] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="93") returned 2 [0152.919] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="4D") returned 2 [0152.919] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="E7") returned 2 [0152.919] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="2F") returned 2 [0152.919] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="67") returned 2 [0152.919] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="5E") returned 2 [0152.919] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="B4") returned 2 [0152.919] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="03") returned 2 [0152.919] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="E5") returned 2 [0152.919] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="B0") returned 2 [0152.919] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="3B") returned 2 [0152.919] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="02") returned 2 [0152.919] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="2A") returned 2 [0152.919] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="45") returned 2 [0152.919] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="41") returned 2 [0152.919] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="68") returned 2 [0152.919] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="3E") returned 2 [0152.919] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="E9") returned 2 [0152.920] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="33") returned 2 [0152.920] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="D0") returned 2 [0152.920] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="EE") returned 2 [0152.920] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="2E") returned 2 [0152.920] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="AB") returned 2 [0152.920] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="9F") returned 2 [0152.920] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="46") returned 2 [0152.920] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="3A") returned 2 [0152.928] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\u3Ly.odp" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\u3Ly.odp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\u3Ly.odp" [0152.928] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\u3Ly.odp" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\u3Ly.odp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\u3Ly.odp" [0152.928] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\u3Ly.odp", lpString2=".62AF4BB40488934DE72F675EB403E5B03B022A4541683EE933D0EE2EAB9F463A" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\u3Ly.odp.62AF4BB40488934DE72F675EB403E5B03B022A4541683EE933D0EE2EAB9F463A") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\u3Ly.odp.62AF4BB40488934DE72F675EB403E5B03B022A4541683EE933D0EE2EAB9F463A" [0152.928] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0152.929] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0152.980] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc65e8010, ftCreationTime.dwHighDateTime=0x1d5e51a, ftLastAccessTime.dwLowDateTime=0xf22a5cb0, ftLastAccessTime.dwHighDateTime=0x1d5dd12, ftLastWriteTime.dwLowDateTime=0xf22a5cb0, ftLastWriteTime.dwHighDateTime=0x1d5dd12, nFileSizeHigh=0x0, nFileSizeLow=0x17be8, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="xzM99eC6FmvYKnm.pdf", cAlternateFileName="XZM99E~1.PDF")) returned 1 [0152.980] lstrcmpiW (lpString1="xzM99eC6FmvYKnm.pdf", lpString2="Windows") returned 1 [0152.980] lstrcmpiW (lpString1="xzM99eC6FmvYKnm.pdf", lpString2="Program Files") returned 1 [0152.980] lstrcmpiW (lpString1="xzM99eC6FmvYKnm.pdf", lpString2="Program Files (x86)") returned 1 [0152.980] lstrcmpiW (lpString1="xzM99eC6FmvYKnm.pdf", lpString2="$Recycle.bin") returned 1 [0152.980] lstrcmpiW (lpString1="xzM99eC6FmvYKnm.pdf", lpString2="System Volume Information") returned 1 [0152.980] lstrcmpiW (lpString1="xzM99eC6FmvYKnm.pdf", lpString2=".") returned 1 [0152.980] lstrcmpiW (lpString1="xzM99eC6FmvYKnm.pdf", lpString2="..") returned 1 [0152.980] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\xzM99eC6FmvYKnm.pdf") returned 79 [0152.980] lstrcmpW (lpString1="xzM99eC6FmvYKnm.pdf", lpString2="PUSSY.TXT") returned 1 [0152.980] PathFindExtensionW (pszPath="xzM99eC6FmvYKnm.pdf") returned=".pdf" [0152.980] lstrlenW (lpString=".pdf") returned 4 [0152.980] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0152.980] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\xzM99eC6FmvYKnm.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tdypv_9ygfbgvlp\\xzm99ec6fmvyknm.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0152.981] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=97256) returned 1 [0152.981] GetProcessHeap () returned 0x4c0000 [0152.981] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0152.993] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="D3") returned 2 [0152.993] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="AE") returned 2 [0152.993] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="EE") returned 2 [0152.993] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="F3") returned 2 [0152.993] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="32") returned 2 [0152.993] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="DD") returned 2 [0152.993] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="4B") returned 2 [0152.993] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="05") returned 2 [0152.993] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="C9") returned 2 [0152.993] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="0D") returned 2 [0152.993] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="6C") returned 2 [0152.993] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="EA") returned 2 [0152.993] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="A5") returned 2 [0152.993] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="46") returned 2 [0152.993] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="2E") returned 2 [0152.993] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="A0") returned 2 [0152.993] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="BC") returned 2 [0152.993] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="E2") returned 2 [0152.993] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="C6") returned 2 [0152.993] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="19") returned 2 [0152.993] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="75") returned 2 [0152.993] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="CD") returned 2 [0152.994] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="59") returned 2 [0152.994] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="92") returned 2 [0152.994] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="49") returned 2 [0152.994] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="96") returned 2 [0152.994] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="FE") returned 2 [0152.994] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="EB") returned 2 [0152.994] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="C3") returned 2 [0152.994] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="0A") returned 2 [0152.994] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="70") returned 2 [0152.994] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="53") returned 2 [0153.002] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\xzM99eC6FmvYKnm.pdf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\xzM99eC6FmvYKnm.pdf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\xzM99eC6FmvYKnm.pdf" [0153.002] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\xzM99eC6FmvYKnm.pdf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\xzM99eC6FmvYKnm.pdf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\xzM99eC6FmvYKnm.pdf" [0153.002] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\xzM99eC6FmvYKnm.pdf", lpString2=".D3AEEEF332DD4B05C90D6CEAA5462EA0BCE2C61975CD59924996FEEBC30A7053" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\xzM99eC6FmvYKnm.pdf.D3AEEEF332DD4B05C90D6CEAA5462EA0BCE2C61975CD59924996FEEBC30A7053") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\xzM99eC6FmvYKnm.pdf.D3AEEEF332DD4B05C90D6CEAA5462EA0BCE2C61975CD59924996FEEBC30A7053" [0153.002] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0153.002] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0153.034] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d3e6890, ftCreationTime.dwHighDateTime=0x1d5dade, ftLastAccessTime.dwLowDateTime=0x846e6210, ftLastAccessTime.dwHighDateTime=0x1d5db79, ftLastWriteTime.dwLowDateTime=0x846e6210, ftLastWriteTime.dwHighDateTime=0x1d5db79, nFileSizeHigh=0x0, nFileSizeLow=0x4c09, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="YhBVoagfnEj_xYGMCjyl.odp", cAlternateFileName="YHBVOA~1.ODP")) returned 1 [0153.034] lstrcmpiW (lpString1="YhBVoagfnEj_xYGMCjyl.odp", lpString2="Windows") returned 1 [0153.034] lstrcmpiW (lpString1="YhBVoagfnEj_xYGMCjyl.odp", lpString2="Program Files") returned 1 [0153.034] lstrcmpiW (lpString1="YhBVoagfnEj_xYGMCjyl.odp", lpString2="Program Files (x86)") returned 1 [0153.034] lstrcmpiW (lpString1="YhBVoagfnEj_xYGMCjyl.odp", lpString2="$Recycle.bin") returned 1 [0153.034] lstrcmpiW (lpString1="YhBVoagfnEj_xYGMCjyl.odp", lpString2="System Volume Information") returned 1 [0153.034] lstrcmpiW (lpString1="YhBVoagfnEj_xYGMCjyl.odp", lpString2=".") returned 1 [0153.034] lstrcmpiW (lpString1="YhBVoagfnEj_xYGMCjyl.odp", lpString2="..") returned 1 [0153.035] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\YhBVoagfnEj_xYGMCjyl.odp") returned 84 [0153.035] lstrcmpW (lpString1="YhBVoagfnEj_xYGMCjyl.odp", lpString2="PUSSY.TXT") returned 1 [0153.035] PathFindExtensionW (pszPath="YhBVoagfnEj_xYGMCjyl.odp") returned=".odp" [0153.035] lstrlenW (lpString=".odp") returned 4 [0153.035] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0153.035] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\YhBVoagfnEj_xYGMCjyl.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tdypv_9ygfbgvlp\\yhbvoagfnej_xygmcjyl.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0153.036] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=19465) returned 1 [0153.036] GetProcessHeap () returned 0x4c0000 [0153.036] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0153.044] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="01") returned 2 [0153.044] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="9F") returned 2 [0153.044] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="C8") returned 2 [0153.044] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="29") returned 2 [0153.044] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="06") returned 2 [0153.044] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="3C") returned 2 [0153.044] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="CC") returned 2 [0153.044] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="00") returned 2 [0153.044] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="7F") returned 2 [0153.044] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="5F") returned 2 [0153.044] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="50") returned 2 [0153.044] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="36") returned 2 [0153.044] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="D1") returned 2 [0153.044] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="BF") returned 2 [0153.045] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="B6") returned 2 [0153.045] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="17") returned 2 [0153.045] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="C3") returned 2 [0153.045] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="77") returned 2 [0153.045] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="24") returned 2 [0153.045] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="8C") returned 2 [0153.045] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="5A") returned 2 [0153.045] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="71") returned 2 [0153.045] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="F7") returned 2 [0153.045] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="F6") returned 2 [0153.045] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="1D") returned 2 [0153.045] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="18") returned 2 [0153.045] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="D7") returned 2 [0153.045] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="6D") returned 2 [0153.045] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="A9") returned 2 [0153.045] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="C5") returned 2 [0153.045] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="B4") returned 2 [0153.045] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="2F") returned 2 [0153.054] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\YhBVoagfnEj_xYGMCjyl.odp" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\YhBVoagfnEj_xYGMCjyl.odp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\YhBVoagfnEj_xYGMCjyl.odp" [0153.054] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\YhBVoagfnEj_xYGMCjyl.odp" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\YhBVoagfnEj_xYGMCjyl.odp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\YhBVoagfnEj_xYGMCjyl.odp" [0153.054] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\YhBVoagfnEj_xYGMCjyl.odp", lpString2=".019FC829063CCC007F5F5036D1BFB617C377248C5A71F7F61D18D76DA9C5B42F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\YhBVoagfnEj_xYGMCjyl.odp.019FC829063CCC007F5F5036D1BFB617C377248C5A71F7F61D18D76DA9C5B42F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\YhBVoagfnEj_xYGMCjyl.odp.019FC829063CCC007F5F5036D1BFB617C377248C5A71F7F61D18D76DA9C5B42F" [0153.054] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0153.054] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0153.076] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d3e6890, ftCreationTime.dwHighDateTime=0x1d5dade, ftLastAccessTime.dwLowDateTime=0x846e6210, ftLastAccessTime.dwHighDateTime=0x1d5db79, ftLastWriteTime.dwLowDateTime=0x846e6210, ftLastWriteTime.dwHighDateTime=0x1d5db79, nFileSizeHigh=0x0, nFileSizeLow=0x4c09, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="YhBVoagfnEj_xYGMCjyl.odp", cAlternateFileName="YHBVOA~1.ODP")) returned 0 [0153.076] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0153.077] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\PUSSY.TXT") returned 69 [0153.077] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tdypv_9ygfbgvlp\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x120 [0153.077] lstrlenA (lpString="abcd") returned 4 [0153.078] WriteFile (in: hFile=0x120, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0153.078] CloseHandle (hObject=0x120) returned 1 [0153.078] GetProcessHeap () returned 0x4c0000 [0153.078] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0153.081] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5816c6f0, ftCreationTime.dwHighDateTime=0x1d58bef, ftLastAccessTime.dwLowDateTime=0xb32eea00, ftLastAccessTime.dwHighDateTime=0x1d5e28d, ftLastWriteTime.dwLowDateTime=0xb32eea00, ftLastWriteTime.dwHighDateTime=0x1d5e28d, nFileSizeHigh=0x0, nFileSizeLow=0x2dce, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="VW75nIg9v3wnArStE23.xlsx", cAlternateFileName="VW75NI~1.XLS")) returned 1 [0153.081] lstrcmpiW (lpString1="VW75nIg9v3wnArStE23.xlsx", lpString2="Windows") returned -1 [0153.081] lstrcmpiW (lpString1="VW75nIg9v3wnArStE23.xlsx", lpString2="Program Files") returned 1 [0153.081] lstrcmpiW (lpString1="VW75nIg9v3wnArStE23.xlsx", lpString2="Program Files (x86)") returned 1 [0153.081] lstrcmpiW (lpString1="VW75nIg9v3wnArStE23.xlsx", lpString2="$Recycle.bin") returned 1 [0153.081] lstrcmpiW (lpString1="VW75nIg9v3wnArStE23.xlsx", lpString2="System Volume Information") returned 1 [0153.081] lstrcmpiW (lpString1="VW75nIg9v3wnArStE23.xlsx", lpString2=".") returned 1 [0153.081] lstrcmpiW (lpString1="VW75nIg9v3wnArStE23.xlsx", lpString2="..") returned 1 [0153.081] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\VW75nIg9v3wnArStE23.xlsx") returned 68 [0153.081] lstrcmpW (lpString1="VW75nIg9v3wnArStE23.xlsx", lpString2="PUSSY.TXT") returned 1 [0153.081] PathFindExtensionW (pszPath="VW75nIg9v3wnArStE23.xlsx") returned=".xlsx" [0153.081] lstrlenW (lpString=".xlsx") returned 5 [0153.081] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0153.081] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\VW75nIg9v3wnArStE23.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vw75nig9v3wnarste23.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0153.082] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=11726) returned 1 [0153.082] GetProcessHeap () returned 0x4c0000 [0153.082] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0153.092] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="D6") returned 2 [0153.092] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="C5") returned 2 [0153.092] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="6F") returned 2 [0153.092] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="6D") returned 2 [0153.092] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="A0") returned 2 [0153.092] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="E2") returned 2 [0153.092] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="D1") returned 2 [0153.092] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="77") returned 2 [0153.092] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="92") returned 2 [0153.092] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="BB") returned 2 [0153.092] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="92") returned 2 [0153.092] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="2E") returned 2 [0153.093] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="20") returned 2 [0153.093] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="B5") returned 2 [0153.093] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="9D") returned 2 [0153.093] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="50") returned 2 [0153.093] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="EA") returned 2 [0153.093] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="1A") returned 2 [0153.093] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="89") returned 2 [0153.093] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="8A") returned 2 [0153.093] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="B9") returned 2 [0153.093] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="F2") returned 2 [0153.093] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="8D") returned 2 [0153.093] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="BC") returned 2 [0153.093] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="BD") returned 2 [0153.093] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="0A") returned 2 [0153.093] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="C0") returned 2 [0153.093] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="85") returned 2 [0153.093] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="77") returned 2 [0153.093] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="DE") returned 2 [0153.093] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="0E") returned 2 [0153.093] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="6B") returned 2 [0153.102] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\VW75nIg9v3wnArStE23.xlsx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\VW75nIg9v3wnArStE23.xlsx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\VW75nIg9v3wnArStE23.xlsx" [0153.102] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\VW75nIg9v3wnArStE23.xlsx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\VW75nIg9v3wnArStE23.xlsx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\VW75nIg9v3wnArStE23.xlsx" [0153.102] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\VW75nIg9v3wnArStE23.xlsx", lpString2=".D6C56F6DA0E2D17792BB922E20B59D50EA1A898AB9F28DBCBD0AC08577DE0E6B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\VW75nIg9v3wnArStE23.xlsx.D6C56F6DA0E2D17792BB922E20B59D50EA1A898AB9F28DBCBD0AC08577DE0E6B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\VW75nIg9v3wnArStE23.xlsx.D6C56F6DA0E2D17792BB922E20B59D50EA1A898AB9F28DBCBD0AC08577DE0E6B" [0153.102] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0153.102] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0153.117] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x75509150, ftCreationTime.dwHighDateTime=0x1d5a4c3, ftLastAccessTime.dwLowDateTime=0x64ce69a0, ftLastAccessTime.dwHighDateTime=0x1d5625c, ftLastWriteTime.dwLowDateTime=0x64ce69a0, ftLastWriteTime.dwHighDateTime=0x1d5625c, nFileSizeHigh=0x0, nFileSizeLow=0x14c4a, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="WyoL6z5i9f.pptx", cAlternateFileName="WYOL6Z~1.PPT")) returned 1 [0153.117] lstrcmpiW (lpString1="WyoL6z5i9f.pptx", lpString2="Windows") returned 1 [0153.117] lstrcmpiW (lpString1="WyoL6z5i9f.pptx", lpString2="Program Files") returned 1 [0153.117] lstrcmpiW (lpString1="WyoL6z5i9f.pptx", lpString2="Program Files (x86)") returned 1 [0153.117] lstrcmpiW (lpString1="WyoL6z5i9f.pptx", lpString2="$Recycle.bin") returned 1 [0153.117] lstrcmpiW (lpString1="WyoL6z5i9f.pptx", lpString2="System Volume Information") returned 1 [0153.117] lstrcmpiW (lpString1="WyoL6z5i9f.pptx", lpString2=".") returned 1 [0153.117] lstrcmpiW (lpString1="WyoL6z5i9f.pptx", lpString2="..") returned 1 [0153.117] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WyoL6z5i9f.pptx") returned 59 [0153.117] lstrcmpW (lpString1="WyoL6z5i9f.pptx", lpString2="PUSSY.TXT") returned 1 [0153.117] PathFindExtensionW (pszPath="WyoL6z5i9f.pptx") returned=".pptx" [0153.117] lstrlenW (lpString=".pptx") returned 5 [0153.117] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0153.117] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WyoL6z5i9f.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\wyol6z5i9f.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0153.118] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=85066) returned 1 [0153.118] GetProcessHeap () returned 0x4c0000 [0153.118] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0153.126] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="03") returned 2 [0153.126] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="B2") returned 2 [0153.126] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="95") returned 2 [0153.126] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="1E") returned 2 [0153.126] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="36") returned 2 [0153.126] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="CE") returned 2 [0153.126] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="9E") returned 2 [0153.126] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="DF") returned 2 [0153.126] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="72") returned 2 [0153.126] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="8F") returned 2 [0153.126] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="85") returned 2 [0153.126] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="7D") returned 2 [0153.126] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="B4") returned 2 [0153.126] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="C6") returned 2 [0153.126] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="DB") returned 2 [0153.126] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="97") returned 2 [0153.126] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="B2") returned 2 [0153.126] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="67") returned 2 [0153.126] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="C7") returned 2 [0153.127] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="DF") returned 2 [0153.127] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="5E") returned 2 [0153.127] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="4F") returned 2 [0153.127] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="C2") returned 2 [0153.127] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="07") returned 2 [0153.127] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="6A") returned 2 [0153.127] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="C1") returned 2 [0153.127] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="0D") returned 2 [0153.127] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="99") returned 2 [0153.127] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="66") returned 2 [0153.127] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="92") returned 2 [0153.127] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="F3") returned 2 [0153.127] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="15") returned 2 [0153.135] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WyoL6z5i9f.pptx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WyoL6z5i9f.pptx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WyoL6z5i9f.pptx" [0153.135] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WyoL6z5i9f.pptx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WyoL6z5i9f.pptx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WyoL6z5i9f.pptx" [0153.135] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WyoL6z5i9f.pptx", lpString2=".03B2951E36CE9EDF728F857DB4C6DB97B267C7DF5E4FC2076AC10D996692F315" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WyoL6z5i9f.pptx.03B2951E36CE9EDF728F857DB4C6DB97B267C7DF5E4FC2076AC10D996692F315") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WyoL6z5i9f.pptx.03B2951E36CE9EDF728F857DB4C6DB97B267C7DF5E4FC2076AC10D996692F315" [0153.135] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0153.135] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0153.167] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x75509150, ftCreationTime.dwHighDateTime=0x1d5a4c3, ftLastAccessTime.dwLowDateTime=0x64ce69a0, ftLastAccessTime.dwHighDateTime=0x1d5625c, ftLastWriteTime.dwLowDateTime=0x64ce69a0, ftLastWriteTime.dwHighDateTime=0x1d5625c, nFileSizeHigh=0x0, nFileSizeLow=0x14c4a, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="WyoL6z5i9f.pptx", cAlternateFileName="WYOL6Z~1.PPT")) returned 0 [0153.167] FindClose (in: hFindFile=0x3bb7020 | out: hFindFile=0x3bb7020) returned 1 [0153.167] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PUSSY.TXT") returned 53 [0153.167] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0153.168] lstrlenA (lpString="abcd") returned 4 [0153.168] WriteFile (in: hFile=0x190, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0153.169] CloseHandle (hObject=0x190) returned 1 [0153.169] GetProcessHeap () returned 0x4c0000 [0153.169] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0153.171] FindNextFileW (in: hFindFile=0x4ddbc8, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0153.171] lstrcmpiW (lpString1="Downloads", lpString2="Windows") returned -1 [0153.171] lstrcmpiW (lpString1="Downloads", lpString2="Program Files") returned -1 [0153.171] lstrcmpiW (lpString1="Downloads", lpString2="Program Files (x86)") returned -1 [0153.171] lstrcmpiW (lpString1="Downloads", lpString2="$Recycle.bin") returned 1 [0153.171] lstrcmpiW (lpString1="Downloads", lpString2="System Volume Information") returned -1 [0153.171] lstrcmpiW (lpString1="Downloads", lpString2=".") returned 1 [0153.171] lstrcmpiW (lpString1="Downloads", lpString2="..") returned 1 [0153.171] wnsprintfW (in: pszDest=0x3b28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads") returned 43 [0153.171] GetProcessHeap () returned 0x4c0000 [0153.171] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0153.172] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads" [0153.172] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\*" [0153.172] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7020 [0153.172] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0153.172] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0153.172] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0153.172] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0153.172] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0153.172] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0153.172] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0153.172] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0153.172] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0153.172] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0153.172] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0153.172] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0153.172] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0153.172] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0153.172] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0153.172] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0153.172] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0153.172] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0153.172] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0153.172] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0153.173] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0153.173] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0153.173] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini") returned 55 [0153.173] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0153.173] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0153.173] lstrlenW (lpString=".ini") returned 4 [0153.173] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0153.173] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\downloads\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0153.174] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=282) returned 1 [0153.174] CloseHandle (hObject=0x120) returned 1 [0153.174] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0153.174] FindClose (in: hFindFile=0x3bb7020 | out: hFindFile=0x3bb7020) returned 1 [0153.174] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\PUSSY.TXT") returned 53 [0153.174] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\downloads\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0153.183] lstrlenA (lpString="abcd") returned 4 [0153.183] WriteFile (in: hFile=0x190, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0153.184] CloseHandle (hObject=0x190) returned 1 [0153.184] GetProcessHeap () returned 0x4c0000 [0153.184] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0153.184] FindNextFileW (in: hFindFile=0x4ddbc8, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0153.184] lstrcmpiW (lpString1="Favorites", lpString2="Windows") returned -1 [0153.185] lstrcmpiW (lpString1="Favorites", lpString2="Program Files") returned -1 [0153.185] lstrcmpiW (lpString1="Favorites", lpString2="Program Files (x86)") returned -1 [0153.185] lstrcmpiW (lpString1="Favorites", lpString2="$Recycle.bin") returned 1 [0153.185] lstrcmpiW (lpString1="Favorites", lpString2="System Volume Information") returned -1 [0153.185] lstrcmpiW (lpString1="Favorites", lpString2=".") returned 1 [0153.185] lstrcmpiW (lpString1="Favorites", lpString2="..") returned 1 [0153.185] wnsprintfW (in: pszDest=0x3b28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites") returned 43 [0153.185] GetProcessHeap () returned 0x4c0000 [0153.185] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0153.185] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites" [0153.185] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*" [0153.185] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7020 [0153.185] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0153.185] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0153.185] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0153.185] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0153.185] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0153.185] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0153.185] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0153.185] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0153.185] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0153.185] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0153.185] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0153.185] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0153.185] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0153.185] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0153.185] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0153.185] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0153.186] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0153.186] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0153.186] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0153.186] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0153.186] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0153.186] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0153.186] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini") returned 55 [0153.186] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0153.186] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0153.186] lstrlenW (lpString=".ini") returned 4 [0153.186] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0153.186] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0153.190] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=402) returned 1 [0153.190] CloseHandle (hObject=0x120) returned 1 [0153.190] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x52cd1930, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbae0ad90, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="Links", cAlternateFileName="")) returned 1 [0153.190] lstrcmpiW (lpString1="Links", lpString2="Windows") returned -1 [0153.190] lstrcmpiW (lpString1="Links", lpString2="Program Files") returned -1 [0153.190] lstrcmpiW (lpString1="Links", lpString2="Program Files (x86)") returned -1 [0153.190] lstrcmpiW (lpString1="Links", lpString2="$Recycle.bin") returned 1 [0153.190] lstrcmpiW (lpString1="Links", lpString2="System Volume Information") returned -1 [0153.190] lstrcmpiW (lpString1="Links", lpString2=".") returned 1 [0153.190] lstrcmpiW (lpString1="Links", lpString2="..") returned 1 [0153.190] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links") returned 49 [0153.190] GetProcessHeap () returned 0x4c0000 [0153.190] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0153.191] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links" [0153.191] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\*" [0153.191] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x52cd1930, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbae0ad90, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0153.191] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0153.191] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0153.191] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0153.191] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0153.191] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0153.191] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0153.191] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x52cd1930, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbae0ad90, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0153.191] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0153.191] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0153.192] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0153.192] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0153.192] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0153.192] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0153.192] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0153.192] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xbae0ad90, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0153.192] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0153.192] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0153.192] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0153.192] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0153.192] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0153.192] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0153.192] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0153.192] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\desktop.ini") returned 61 [0153.192] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0153.192] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0153.192] lstrlenW (lpString=".ini") returned 4 [0153.192] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0153.192] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0153.193] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=80) returned 1 [0153.193] CloseHandle (hObject=0x1b8) returned 1 [0153.193] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52cd1930, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x52cd1930, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x52fcb4b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xec, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Suggested Sites.url", cAlternateFileName="SUGGES~1.URL")) returned 1 [0153.193] lstrcmpiW (lpString1="Suggested Sites.url", lpString2="Windows") returned -1 [0153.193] lstrcmpiW (lpString1="Suggested Sites.url", lpString2="Program Files") returned 1 [0153.193] lstrcmpiW (lpString1="Suggested Sites.url", lpString2="Program Files (x86)") returned 1 [0153.193] lstrcmpiW (lpString1="Suggested Sites.url", lpString2="$Recycle.bin") returned 1 [0153.193] lstrcmpiW (lpString1="Suggested Sites.url", lpString2="System Volume Information") returned -1 [0153.193] lstrcmpiW (lpString1="Suggested Sites.url", lpString2=".") returned 1 [0153.193] lstrcmpiW (lpString1="Suggested Sites.url", lpString2="..") returned 1 [0153.193] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url") returned 69 [0153.193] lstrcmpW (lpString1="Suggested Sites.url", lpString2="PUSSY.TXT") returned 1 [0153.193] PathFindExtensionW (pszPath="Suggested Sites.url") returned=".url" [0153.193] lstrlenW (lpString=".url") returned 4 [0153.193] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0153.193] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\suggested sites.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0153.194] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=236) returned 1 [0153.194] CloseHandle (hObject=0x1b8) returned 1 [0153.194] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d9517a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0xe2, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Web Slice Gallery.url", cAlternateFileName="WEBSLI~1.URL")) returned 1 [0153.194] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="Windows") returned -1 [0153.194] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="Program Files") returned 1 [0153.194] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="Program Files (x86)") returned 1 [0153.194] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="$Recycle.bin") returned 1 [0153.194] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="System Volume Information") returned 1 [0153.194] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2=".") returned 1 [0153.194] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="..") returned 1 [0153.194] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url") returned 71 [0153.194] lstrcmpW (lpString1="Web Slice Gallery.url", lpString2="PUSSY.TXT") returned 1 [0153.194] PathFindExtensionW (pszPath="Web Slice Gallery.url") returned=".url" [0153.194] lstrlenW (lpString=".url") returned 4 [0153.194] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0153.194] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\web slice gallery.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0153.195] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=226) returned 1 [0153.195] CloseHandle (hObject=0x1b8) returned 1 [0153.195] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d9517a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0xe2, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Web Slice Gallery.url", cAlternateFileName="WEBSLI~1.URL")) returned 0 [0153.195] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0153.195] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\PUSSY.TXT") returned 59 [0153.195] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x120 [0153.196] lstrlenA (lpString="abcd") returned 4 [0153.196] WriteFile (in: hFile=0x120, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0153.197] CloseHandle (hObject=0x120) returned 1 [0153.197] GetProcessHeap () returned 0x4c0000 [0153.197] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0153.197] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="Microsoft Websites", cAlternateFileName="MICROS~1")) returned 1 [0153.197] lstrcmpiW (lpString1="Microsoft Websites", lpString2="Windows") returned -1 [0153.197] lstrcmpiW (lpString1="Microsoft Websites", lpString2="Program Files") returned -1 [0153.197] lstrcmpiW (lpString1="Microsoft Websites", lpString2="Program Files (x86)") returned -1 [0153.197] lstrcmpiW (lpString1="Microsoft Websites", lpString2="$Recycle.bin") returned 1 [0153.197] lstrcmpiW (lpString1="Microsoft Websites", lpString2="System Volume Information") returned -1 [0153.197] lstrcmpiW (lpString1="Microsoft Websites", lpString2=".") returned 1 [0153.197] lstrcmpiW (lpString1="Microsoft Websites", lpString2="..") returned 1 [0153.197] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites") returned 62 [0153.197] GetProcessHeap () returned 0x4c0000 [0153.197] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0153.197] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites" [0153.197] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\*" [0153.197] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0153.200] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0153.200] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0153.200] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0153.200] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0153.200] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0153.200] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0153.200] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0153.200] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0153.200] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0153.200] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0153.200] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0153.200] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0153.200] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0153.200] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0153.200] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="IE Add-on site.url", cAlternateFileName="IEADD-~1.URL")) returned 1 [0153.200] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="Windows") returned -1 [0153.201] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="Program Files") returned -1 [0153.201] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="Program Files (x86)") returned -1 [0153.201] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="$Recycle.bin") returned 1 [0153.201] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="System Volume Information") returned -1 [0153.201] lstrcmpiW (lpString1="IE Add-on site.url", lpString2=".") returned 1 [0153.201] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="..") returned 1 [0153.201] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url") returned 81 [0153.201] lstrcmpW (lpString1="IE Add-on site.url", lpString2="PUSSY.TXT") returned -1 [0153.201] PathFindExtensionW (pszPath="IE Add-on site.url") returned=".url" [0153.201] lstrlenW (lpString=".url") returned 4 [0153.201] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0153.201] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie add-on site.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0153.201] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=133) returned 1 [0153.201] CloseHandle (hObject=0x1b8) returned 1 [0153.201] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="IE site on Microsoft.com.url", cAlternateFileName="IESITE~1.URL")) returned 1 [0153.202] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="Windows") returned -1 [0153.202] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="Program Files") returned -1 [0153.202] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="Program Files (x86)") returned -1 [0153.202] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="$Recycle.bin") returned 1 [0153.202] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="System Volume Information") returned -1 [0153.202] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2=".") returned 1 [0153.202] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="..") returned 1 [0153.202] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url") returned 91 [0153.202] lstrcmpW (lpString1="IE site on Microsoft.com.url", lpString2="PUSSY.TXT") returned -1 [0153.202] PathFindExtensionW (pszPath="IE site on Microsoft.com.url") returned=".url" [0153.202] lstrlenW (lpString=".url") returned 4 [0153.202] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0153.202] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie site on microsoft.com.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0153.202] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=133) returned 1 [0153.202] CloseHandle (hObject=0x1b8) returned 1 [0153.202] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Microsoft At Home.url", cAlternateFileName="MICROS~3.URL")) returned 1 [0153.202] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="Windows") returned -1 [0153.202] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="Program Files") returned -1 [0153.203] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="Program Files (x86)") returned -1 [0153.203] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="$Recycle.bin") returned 1 [0153.203] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="System Volume Information") returned -1 [0153.203] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2=".") returned 1 [0153.203] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="..") returned 1 [0153.203] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url") returned 84 [0153.203] lstrcmpW (lpString1="Microsoft At Home.url", lpString2="PUSSY.TXT") returned -1 [0153.203] PathFindExtensionW (pszPath="Microsoft At Home.url") returned=".url" [0153.203] lstrlenW (lpString=".url") returned 4 [0153.203] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0153.203] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at home.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0153.203] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=133) returned 1 [0153.203] CloseHandle (hObject=0x1b8) returned 1 [0153.203] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Microsoft At Work.url", cAlternateFileName="MICROS~2.URL")) returned 1 [0153.203] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="Windows") returned -1 [0153.203] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="Program Files") returned -1 [0153.203] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="Program Files (x86)") returned -1 [0153.203] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="$Recycle.bin") returned 1 [0153.203] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="System Volume Information") returned -1 [0153.203] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2=".") returned 1 [0153.203] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="..") returned 1 [0153.204] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url") returned 84 [0153.204] lstrcmpW (lpString1="Microsoft At Work.url", lpString2="PUSSY.TXT") returned -1 [0153.204] PathFindExtensionW (pszPath="Microsoft At Work.url") returned=".url" [0153.204] lstrlenW (lpString=".url") returned 4 [0153.204] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0153.204] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at work.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0153.204] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=133) returned 1 [0153.204] CloseHandle (hObject=0x1b8) returned 1 [0153.204] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d8930c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x86, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Microsoft Store.url", cAlternateFileName="MICROS~1.URL")) returned 1 [0153.204] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="Windows") returned -1 [0153.204] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="Program Files") returned -1 [0153.204] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="Program Files (x86)") returned -1 [0153.204] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="$Recycle.bin") returned 1 [0153.204] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="System Volume Information") returned -1 [0153.204] lstrcmpiW (lpString1="Microsoft Store.url", lpString2=".") returned 1 [0153.204] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="..") returned 1 [0153.204] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url") returned 82 [0153.204] lstrcmpW (lpString1="Microsoft Store.url", lpString2="PUSSY.TXT") returned -1 [0153.205] PathFindExtensionW (pszPath="Microsoft Store.url") returned=".url" [0153.205] lstrlenW (lpString=".url") returned 4 [0153.205] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0153.205] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft store.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0153.206] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=134) returned 1 [0153.206] CloseHandle (hObject=0x1b8) returned 1 [0153.206] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d8930c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x86, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Microsoft Store.url", cAlternateFileName="MICROS~1.URL")) returned 0 [0153.206] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0153.206] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\PUSSY.TXT") returned 72 [0153.206] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x120 [0153.206] lstrlenA (lpString="abcd") returned 4 [0153.206] WriteFile (in: hFile=0x120, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0153.207] CloseHandle (hObject=0x120) returned 1 [0153.207] GetProcessHeap () returned 0x4c0000 [0153.207] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0153.207] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe4d4ebc, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="MSN Websites", cAlternateFileName="MSNWEB~1")) returned 1 [0153.207] lstrcmpiW (lpString1="MSN Websites", lpString2="Windows") returned -1 [0153.208] lstrcmpiW (lpString1="MSN Websites", lpString2="Program Files") returned -1 [0153.208] lstrcmpiW (lpString1="MSN Websites", lpString2="Program Files (x86)") returned -1 [0153.208] lstrcmpiW (lpString1="MSN Websites", lpString2="$Recycle.bin") returned 1 [0153.208] lstrcmpiW (lpString1="MSN Websites", lpString2="System Volume Information") returned -1 [0153.208] lstrcmpiW (lpString1="MSN Websites", lpString2=".") returned 1 [0153.208] lstrcmpiW (lpString1="MSN Websites", lpString2="..") returned 1 [0153.208] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites") returned 56 [0153.208] GetProcessHeap () returned 0x4c0000 [0153.208] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0153.208] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" [0153.208] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\*" [0153.208] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe4d4ebc, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0153.209] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0153.209] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0153.209] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0153.209] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0153.209] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0153.209] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0153.209] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe4d4ebc, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0153.210] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0153.210] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0153.210] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0153.210] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0153.210] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0153.210] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0153.210] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0153.210] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d8930c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MSN Autos.url", cAlternateFileName="MSNAUT~1.URL")) returned 1 [0153.210] lstrcmpiW (lpString1="MSN Autos.url", lpString2="Windows") returned -1 [0153.210] lstrcmpiW (lpString1="MSN Autos.url", lpString2="Program Files") returned -1 [0153.210] lstrcmpiW (lpString1="MSN Autos.url", lpString2="Program Files (x86)") returned -1 [0153.210] lstrcmpiW (lpString1="MSN Autos.url", lpString2="$Recycle.bin") returned 1 [0153.210] lstrcmpiW (lpString1="MSN Autos.url", lpString2="System Volume Information") returned -1 [0153.210] lstrcmpiW (lpString1="MSN Autos.url", lpString2=".") returned 1 [0153.210] lstrcmpiW (lpString1="MSN Autos.url", lpString2="..") returned 1 [0153.210] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url") returned 70 [0153.210] lstrcmpW (lpString1="MSN Autos.url", lpString2="PUSSY.TXT") returned -1 [0153.210] PathFindExtensionW (pszPath="MSN Autos.url") returned=".url" [0153.210] lstrlenW (lpString=".url") returned 4 [0153.210] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0153.210] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn autos.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0153.211] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=133) returned 1 [0153.211] CloseHandle (hObject=0x1b8) returned 1 [0153.211] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MSN Entertainment.url", cAlternateFileName="MSNENT~1.URL")) returned 1 [0153.211] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="Windows") returned -1 [0153.211] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="Program Files") returned -1 [0153.211] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="Program Files (x86)") returned -1 [0153.211] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="$Recycle.bin") returned 1 [0153.211] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="System Volume Information") returned -1 [0153.211] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2=".") returned 1 [0153.211] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="..") returned 1 [0153.211] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url") returned 78 [0153.211] lstrcmpW (lpString1="MSN Entertainment.url", lpString2="PUSSY.TXT") returned -1 [0153.211] PathFindExtensionW (pszPath="MSN Entertainment.url") returned=".url" [0153.211] lstrlenW (lpString=".url") returned 4 [0153.211] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0153.211] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn entertainment.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0153.212] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=133) returned 1 [0153.212] CloseHandle (hObject=0x1b8) returned 1 [0153.212] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MSN Money.url", cAlternateFileName="MSNMON~1.URL")) returned 1 [0153.212] lstrcmpiW (lpString1="MSN Money.url", lpString2="Windows") returned -1 [0153.212] lstrcmpiW (lpString1="MSN Money.url", lpString2="Program Files") returned -1 [0153.212] lstrcmpiW (lpString1="MSN Money.url", lpString2="Program Files (x86)") returned -1 [0153.212] lstrcmpiW (lpString1="MSN Money.url", lpString2="$Recycle.bin") returned 1 [0153.212] lstrcmpiW (lpString1="MSN Money.url", lpString2="System Volume Information") returned -1 [0153.212] lstrcmpiW (lpString1="MSN Money.url", lpString2=".") returned 1 [0153.212] lstrcmpiW (lpString1="MSN Money.url", lpString2="..") returned 1 [0153.212] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url") returned 70 [0153.212] lstrcmpW (lpString1="MSN Money.url", lpString2="PUSSY.TXT") returned -1 [0153.213] PathFindExtensionW (pszPath="MSN Money.url") returned=".url" [0153.213] lstrlenW (lpString=".url") returned 4 [0153.213] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0153.213] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn money.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0153.214] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=133) returned 1 [0153.214] CloseHandle (hObject=0x1b8) returned 1 [0153.214] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MSN Sports.url", cAlternateFileName="MSNSPO~1.URL")) returned 1 [0153.214] lstrcmpiW (lpString1="MSN Sports.url", lpString2="Windows") returned -1 [0153.214] lstrcmpiW (lpString1="MSN Sports.url", lpString2="Program Files") returned -1 [0153.214] lstrcmpiW (lpString1="MSN Sports.url", lpString2="Program Files (x86)") returned -1 [0153.214] lstrcmpiW (lpString1="MSN Sports.url", lpString2="$Recycle.bin") returned 1 [0153.214] lstrcmpiW (lpString1="MSN Sports.url", lpString2="System Volume Information") returned -1 [0153.214] lstrcmpiW (lpString1="MSN Sports.url", lpString2=".") returned 1 [0153.214] lstrcmpiW (lpString1="MSN Sports.url", lpString2="..") returned 1 [0153.214] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url") returned 71 [0153.214] lstrcmpW (lpString1="MSN Sports.url", lpString2="PUSSY.TXT") returned -1 [0153.214] PathFindExtensionW (pszPath="MSN Sports.url") returned=".url" [0153.214] lstrlenW (lpString=".url") returned 4 [0153.214] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0153.214] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn sports.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0153.216] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=133) returned 1 [0153.216] CloseHandle (hObject=0x1b8) returned 1 [0153.216] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MSN.url", cAlternateFileName="")) returned 1 [0153.216] lstrcmpiW (lpString1="MSN.url", lpString2="Windows") returned -1 [0153.216] lstrcmpiW (lpString1="MSN.url", lpString2="Program Files") returned -1 [0153.216] lstrcmpiW (lpString1="MSN.url", lpString2="Program Files (x86)") returned -1 [0153.216] lstrcmpiW (lpString1="MSN.url", lpString2="$Recycle.bin") returned 1 [0153.216] lstrcmpiW (lpString1="MSN.url", lpString2="System Volume Information") returned -1 [0153.216] lstrcmpiW (lpString1="MSN.url", lpString2=".") returned 1 [0153.216] lstrcmpiW (lpString1="MSN.url", lpString2="..") returned 1 [0153.216] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url") returned 64 [0153.216] lstrcmpW (lpString1="MSN.url", lpString2="PUSSY.TXT") returned -1 [0153.216] PathFindExtensionW (pszPath="MSN.url") returned=".url" [0153.216] lstrlenW (lpString=".url") returned 4 [0153.216] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0153.216] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0153.216] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=133) returned 1 [0153.217] CloseHandle (hObject=0x1b8) returned 1 [0153.217] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MSNBC News.url", cAlternateFileName="MSNBCN~1.URL")) returned 1 [0153.217] lstrcmpiW (lpString1="MSNBC News.url", lpString2="Windows") returned -1 [0153.217] lstrcmpiW (lpString1="MSNBC News.url", lpString2="Program Files") returned -1 [0153.217] lstrcmpiW (lpString1="MSNBC News.url", lpString2="Program Files (x86)") returned -1 [0153.217] lstrcmpiW (lpString1="MSNBC News.url", lpString2="$Recycle.bin") returned 1 [0153.217] lstrcmpiW (lpString1="MSNBC News.url", lpString2="System Volume Information") returned -1 [0153.217] lstrcmpiW (lpString1="MSNBC News.url", lpString2=".") returned 1 [0153.217] lstrcmpiW (lpString1="MSNBC News.url", lpString2="..") returned 1 [0153.217] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url") returned 71 [0153.217] lstrcmpW (lpString1="MSNBC News.url", lpString2="PUSSY.TXT") returned -1 [0153.217] PathFindExtensionW (pszPath="MSNBC News.url") returned=".url" [0153.217] lstrlenW (lpString=".url") returned 4 [0153.217] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0153.217] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msnbc news.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0153.218] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=133) returned 1 [0153.218] CloseHandle (hObject=0x1b8) returned 1 [0153.218] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MSNBC News.url", cAlternateFileName="MSNBCN~1.URL")) returned 0 [0153.218] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0153.218] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\PUSSY.TXT") returned 66 [0153.218] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x120 [0153.219] lstrlenA (lpString="abcd") returned 4 [0153.219] WriteFile (in: hFile=0x120, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0153.220] CloseHandle (hObject=0x120) returned 1 [0153.220] GetProcessHeap () returned 0x4c0000 [0153.220] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0153.220] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="Windows Live", cAlternateFileName="WINDOW~1")) returned 1 [0153.220] lstrcmpiW (lpString1="Windows Live", lpString2="Windows") returned 1 [0153.220] lstrcmpiW (lpString1="Windows Live", lpString2="Program Files") returned 1 [0153.220] lstrcmpiW (lpString1="Windows Live", lpString2="Program Files (x86)") returned 1 [0153.220] lstrcmpiW (lpString1="Windows Live", lpString2="$Recycle.bin") returned 1 [0153.220] lstrcmpiW (lpString1="Windows Live", lpString2="System Volume Information") returned 1 [0153.220] lstrcmpiW (lpString1="Windows Live", lpString2=".") returned 1 [0153.220] lstrcmpiW (lpString1="Windows Live", lpString2="..") returned 1 [0153.220] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live") returned 56 [0153.220] GetProcessHeap () returned 0x4c0000 [0153.220] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0153.220] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live" [0153.220] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\*" [0153.220] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0153.222] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0153.222] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0153.222] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0153.222] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0153.222] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0153.222] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0153.222] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0153.222] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0153.222] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0153.223] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0153.223] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0153.223] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0153.223] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0153.223] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0153.223] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d8930c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Get Windows Live.url", cAlternateFileName="GETWIN~1.URL")) returned 1 [0153.223] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="Windows") returned -1 [0153.223] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="Program Files") returned -1 [0153.223] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="Program Files (x86)") returned -1 [0153.223] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="$Recycle.bin") returned 1 [0153.223] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="System Volume Information") returned -1 [0153.223] lstrcmpiW (lpString1="Get Windows Live.url", lpString2=".") returned 1 [0153.223] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="..") returned 1 [0153.223] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url") returned 77 [0153.223] lstrcmpW (lpString1="Get Windows Live.url", lpString2="PUSSY.TXT") returned -1 [0153.223] PathFindExtensionW (pszPath="Get Windows Live.url") returned=".url" [0153.223] lstrlenW (lpString=".url") returned 4 [0153.223] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0153.223] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\get windows live.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0153.224] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=133) returned 1 [0153.224] CloseHandle (hObject=0x1b8) returned 1 [0153.224] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d8930c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Windows Live Gallery.url", cAlternateFileName="WINDOW~2.URL")) returned 1 [0153.224] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="Windows") returned 1 [0153.224] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="Program Files") returned 1 [0153.224] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="Program Files (x86)") returned 1 [0153.225] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="$Recycle.bin") returned 1 [0153.225] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="System Volume Information") returned 1 [0153.225] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2=".") returned 1 [0153.225] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="..") returned 1 [0153.225] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url") returned 81 [0153.225] lstrcmpW (lpString1="Windows Live Gallery.url", lpString2="PUSSY.TXT") returned 1 [0153.225] PathFindExtensionW (pszPath="Windows Live Gallery.url") returned=".url" [0153.225] lstrlenW (lpString=".url") returned 4 [0153.225] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0153.225] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live gallery.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0153.226] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=133) returned 1 [0153.226] CloseHandle (hObject=0x1b8) returned 1 [0153.226] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d8930c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Windows Live Mail.url", cAlternateFileName="WINDOW~1.URL")) returned 1 [0153.226] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="Windows") returned 1 [0153.226] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="Program Files") returned 1 [0153.226] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="Program Files (x86)") returned 1 [0153.226] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="$Recycle.bin") returned 1 [0153.226] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="System Volume Information") returned 1 [0153.226] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2=".") returned 1 [0153.226] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="..") returned 1 [0153.226] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url") returned 78 [0153.226] lstrcmpW (lpString1="Windows Live Mail.url", lpString2="PUSSY.TXT") returned 1 [0153.226] PathFindExtensionW (pszPath="Windows Live Mail.url") returned=".url" [0153.226] lstrlenW (lpString=".url") returned 4 [0153.226] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0153.226] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live mail.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0153.227] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=133) returned 1 [0153.227] CloseHandle (hObject=0x1b8) returned 1 [0153.227] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d8930c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Windows Live Spaces.url", cAlternateFileName="WINDOW~3.URL")) returned 1 [0153.227] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="Windows") returned 1 [0153.227] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="Program Files") returned 1 [0153.227] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="Program Files (x86)") returned 1 [0153.227] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="$Recycle.bin") returned 1 [0153.227] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="System Volume Information") returned 1 [0153.227] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2=".") returned 1 [0153.227] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="..") returned 1 [0153.227] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url") returned 80 [0153.227] lstrcmpW (lpString1="Windows Live Spaces.url", lpString2="PUSSY.TXT") returned 1 [0153.227] PathFindExtensionW (pszPath="Windows Live Spaces.url") returned=".url" [0153.227] lstrlenW (lpString=".url") returned 4 [0153.227] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0153.227] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live spaces.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0153.228] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=133) returned 1 [0153.228] CloseHandle (hObject=0x1b8) returned 1 [0153.229] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d8930c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Windows Live Spaces.url", cAlternateFileName="WINDOW~3.URL")) returned 0 [0153.229] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0153.229] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\PUSSY.TXT") returned 66 [0153.229] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x120 [0153.240] lstrlenA (lpString="abcd") returned 4 [0153.240] WriteFile (in: hFile=0x120, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0153.240] CloseHandle (hObject=0x120) returned 1 [0153.240] GetProcessHeap () returned 0x4c0000 [0153.241] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0153.241] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="Windows Live", cAlternateFileName="WINDOW~1")) returned 0 [0153.241] FindClose (in: hFindFile=0x3bb7020 | out: hFindFile=0x3bb7020) returned 1 [0153.241] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\PUSSY.TXT") returned 53 [0153.241] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0153.241] lstrlenA (lpString="abcd") returned 4 [0153.241] WriteFile (in: hFile=0x190, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0153.242] CloseHandle (hObject=0x190) returned 1 [0153.242] GetProcessHeap () returned 0x4c0000 [0153.242] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0153.243] FindNextFileW (in: hFindFile=0x4ddbc8, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Links", cAlternateFileName="")) returned 1 [0153.243] lstrcmpiW (lpString1="Links", lpString2="Windows") returned -1 [0153.243] lstrcmpiW (lpString1="Links", lpString2="Program Files") returned -1 [0153.243] lstrcmpiW (lpString1="Links", lpString2="Program Files (x86)") returned -1 [0153.243] lstrcmpiW (lpString1="Links", lpString2="$Recycle.bin") returned 1 [0153.243] lstrcmpiW (lpString1="Links", lpString2="System Volume Information") returned -1 [0153.243] lstrcmpiW (lpString1="Links", lpString2=".") returned 1 [0153.243] lstrcmpiW (lpString1="Links", lpString2="..") returned 1 [0153.244] wnsprintfW (in: pszDest=0x3b28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links") returned 39 [0153.244] GetProcessHeap () returned 0x4c0000 [0153.244] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0153.244] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links" [0153.244] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*" [0153.244] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7020 [0153.244] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0153.244] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0153.245] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0153.245] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0153.245] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0153.245] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0153.245] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0153.245] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0153.245] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0153.245] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0153.245] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0153.245] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0153.245] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0153.245] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0153.245] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x244, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0153.245] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0153.245] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0153.245] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0153.245] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0153.245] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0153.245] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0153.245] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0153.245] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini") returned 51 [0153.245] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0153.245] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0153.245] lstrlenW (lpString=".ini") returned 4 [0153.245] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0153.245] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0153.246] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=580) returned 1 [0153.246] GetProcessHeap () returned 0x4c0000 [0153.246] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0153.256] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="EF") returned 2 [0153.256] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="1D") returned 2 [0153.256] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="B8") returned 2 [0153.256] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="4A") returned 2 [0153.256] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="AD") returned 2 [0153.256] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="B5") returned 2 [0153.256] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="43") returned 2 [0153.256] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="54") returned 2 [0153.256] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="51") returned 2 [0153.256] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="2C") returned 2 [0153.256] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="00") returned 2 [0153.257] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="34") returned 2 [0153.257] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="39") returned 2 [0153.257] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="D8") returned 2 [0153.257] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="B8") returned 2 [0153.257] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="59") returned 2 [0153.257] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="12") returned 2 [0153.257] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="BF") returned 2 [0153.257] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="4B") returned 2 [0153.257] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="AF") returned 2 [0153.257] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="01") returned 2 [0153.257] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="38") returned 2 [0153.257] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="E2") returned 2 [0153.257] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="E9") returned 2 [0153.257] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="FC") returned 2 [0153.257] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="04") returned 2 [0153.257] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="30") returned 2 [0153.257] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="BB") returned 2 [0153.257] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="25") returned 2 [0153.257] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="D9") returned 2 [0153.257] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="8A") returned 2 [0153.257] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="43") returned 2 [0153.266] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini" [0153.266] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini" [0153.266] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini", lpString2=".EF1DB84AADB54354512C003439D8B85912BF4BAF0138E2E9FC0430BB25D98A43" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini.EF1DB84AADB54354512C003439D8B85912BF4BAF0138E2E9FC0430BB25D98A43") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini.EF1DB84AADB54354512C003439D8B85912BF4BAF0138E2E9FC0430BB25D98A43" [0153.266] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0153.266] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0153.266] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1e6, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="Desktop.lnk", cAlternateFileName="")) returned 1 [0153.266] lstrcmpiW (lpString1="Desktop.lnk", lpString2="Windows") returned -1 [0153.266] lstrcmpiW (lpString1="Desktop.lnk", lpString2="Program Files") returned -1 [0153.266] lstrcmpiW (lpString1="Desktop.lnk", lpString2="Program Files (x86)") returned -1 [0153.266] lstrcmpiW (lpString1="Desktop.lnk", lpString2="$Recycle.bin") returned 1 [0153.266] lstrcmpiW (lpString1="Desktop.lnk", lpString2="System Volume Information") returned -1 [0153.266] lstrcmpiW (lpString1="Desktop.lnk", lpString2=".") returned 1 [0153.266] lstrcmpiW (lpString1="Desktop.lnk", lpString2="..") returned 1 [0153.266] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk") returned 51 [0153.267] lstrcmpW (lpString1="Desktop.lnk", lpString2="PUSSY.TXT") returned -1 [0153.267] PathFindExtensionW (pszPath="Desktop.lnk") returned=".lnk" [0153.267] lstrlenW (lpString=".lnk") returned 4 [0153.267] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0153.267] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\desktop.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0153.271] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=486) returned 1 [0153.271] CloseHandle (hObject=0x1b8) returned 1 [0153.271] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x3a1, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="Downloads.lnk", cAlternateFileName="DOWNLO~1.LNK")) returned 1 [0153.271] lstrcmpiW (lpString1="Downloads.lnk", lpString2="Windows") returned -1 [0153.272] lstrcmpiW (lpString1="Downloads.lnk", lpString2="Program Files") returned -1 [0153.272] lstrcmpiW (lpString1="Downloads.lnk", lpString2="Program Files (x86)") returned -1 [0153.272] lstrcmpiW (lpString1="Downloads.lnk", lpString2="$Recycle.bin") returned 1 [0153.272] lstrcmpiW (lpString1="Downloads.lnk", lpString2="System Volume Information") returned -1 [0153.272] lstrcmpiW (lpString1="Downloads.lnk", lpString2=".") returned 1 [0153.272] lstrcmpiW (lpString1="Downloads.lnk", lpString2="..") returned 1 [0153.272] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk") returned 53 [0153.272] lstrcmpW (lpString1="Downloads.lnk", lpString2="PUSSY.TXT") returned -1 [0153.272] PathFindExtensionW (pszPath="Downloads.lnk") returned=".lnk" [0153.272] lstrlenW (lpString=".lnk") returned 4 [0153.272] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0153.272] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\downloads.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0153.273] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=929) returned 1 [0153.273] GetProcessHeap () returned 0x4c0000 [0153.273] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0153.288] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="5A") returned 2 [0153.288] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="9C") returned 2 [0153.288] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="A9") returned 2 [0153.288] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="91") returned 2 [0153.288] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="68") returned 2 [0153.288] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="09") returned 2 [0153.288] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="C8") returned 2 [0153.288] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="60") returned 2 [0153.289] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="C9") returned 2 [0153.289] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="28") returned 2 [0153.289] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="3F") returned 2 [0153.289] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="1D") returned 2 [0153.289] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="D0") returned 2 [0153.289] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="E7") returned 2 [0153.289] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="56") returned 2 [0153.289] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="DB") returned 2 [0153.289] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="CD") returned 2 [0153.289] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="9C") returned 2 [0153.289] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="68") returned 2 [0153.289] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="76") returned 2 [0153.289] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="7C") returned 2 [0153.289] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="9D") returned 2 [0153.289] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="64") returned 2 [0153.289] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="DC") returned 2 [0153.289] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="A2") returned 2 [0153.289] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="46") returned 2 [0153.289] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="B5") returned 2 [0153.289] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="1A") returned 2 [0153.289] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="A6") returned 2 [0153.289] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="D4") returned 2 [0153.289] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="96") returned 2 [0153.289] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="50") returned 2 [0153.297] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk" [0153.297] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk" [0153.297] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk", lpString2=".5A9CA9916809C860C9283F1DD0E756DBCD9C68767C9D64DCA246B51AA6D49650" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk.5A9CA9916809C860C9283F1DD0E756DBCD9C68767C9D64DCA246B51AA6D49650") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk.5A9CA9916809C860C9283F1DD0E756DBCD9C68767C9D64DCA246B51AA6D49650" [0153.298] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0153.298] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0153.298] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x16b, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="RecentPlaces.lnk", cAlternateFileName="RECENT~1.LNK")) returned 1 [0153.298] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="Windows") returned -1 [0153.298] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="Program Files") returned 1 [0153.298] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="Program Files (x86)") returned 1 [0153.298] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="$Recycle.bin") returned 1 [0153.298] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="System Volume Information") returned -1 [0153.298] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2=".") returned 1 [0153.298] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="..") returned 1 [0153.298] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk") returned 56 [0153.298] lstrcmpW (lpString1="RecentPlaces.lnk", lpString2="PUSSY.TXT") returned 1 [0153.298] PathFindExtensionW (pszPath="RecentPlaces.lnk") returned=".lnk" [0153.298] lstrlenW (lpString=".lnk") returned 4 [0153.298] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0153.298] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\recentplaces.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0153.318] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=363) returned 1 [0153.318] CloseHandle (hObject=0x18c) returned 1 [0153.319] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x16b, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="RecentPlaces.lnk", cAlternateFileName="RECENT~1.LNK")) returned 0 [0153.319] FindClose (in: hFindFile=0x3bb7020 | out: hFindFile=0x3bb7020) returned 1 [0153.319] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\PUSSY.TXT") returned 49 [0153.319] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0153.320] lstrlenA (lpString="abcd") returned 4 [0153.320] WriteFile (in: hFile=0x190, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0153.320] CloseHandle (hObject=0x190) returned 1 [0153.320] GetProcessHeap () returned 0x4c0000 [0153.321] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0153.321] FindNextFileW (in: hFindFile=0x4ddbc8, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x2914fe20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0153.321] lstrcmpiW (lpString1="Local Settings", lpString2="Windows") returned -1 [0153.321] lstrcmpiW (lpString1="Local Settings", lpString2="Program Files") returned -1 [0153.321] lstrcmpiW (lpString1="Local Settings", lpString2="Program Files (x86)") returned -1 [0153.321] lstrcmpiW (lpString1="Local Settings", lpString2="$Recycle.bin") returned 1 [0153.321] lstrcmpiW (lpString1="Local Settings", lpString2="System Volume Information") returned -1 [0153.321] lstrcmpiW (lpString1="Local Settings", lpString2=".") returned 1 [0153.321] lstrcmpiW (lpString1="Local Settings", lpString2="..") returned 1 [0153.321] wnsprintfW (in: pszDest=0x3b28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Local Settings") returned 48 [0153.321] GetProcessHeap () returned 0x4c0000 [0153.321] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0153.321] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Local Settings" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Local Settings") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Local Settings" [0153.321] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Local Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Local Settings\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Local Settings\\*" [0153.321] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Local Settings\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x16b, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="RecentPlaces.lnk", cAlternateFileName="s")) returned 0xffffffff [0153.321] GetProcessHeap () returned 0x4c0000 [0153.321] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0153.321] FindNextFileW (in: hFindFile=0x4ddbc8, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdb0574c0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdb0574c0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Music", cAlternateFileName="")) returned 1 [0153.321] lstrcmpiW (lpString1="Music", lpString2="Windows") returned -1 [0153.321] lstrcmpiW (lpString1="Music", lpString2="Program Files") returned -1 [0153.321] lstrcmpiW (lpString1="Music", lpString2="Program Files (x86)") returned -1 [0153.321] lstrcmpiW (lpString1="Music", lpString2="$Recycle.bin") returned 1 [0153.321] lstrcmpiW (lpString1="Music", lpString2="System Volume Information") returned -1 [0153.322] lstrcmpiW (lpString1="Music", lpString2=".") returned 1 [0153.322] lstrcmpiW (lpString1="Music", lpString2="..") returned 1 [0153.322] wnsprintfW (in: pszDest=0x3b28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned 39 [0153.322] GetProcessHeap () returned 0x4c0000 [0153.322] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0153.322] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music" [0153.322] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*" [0153.322] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdb0574c0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdb0574c0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7020 [0153.322] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0153.322] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0153.322] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0153.322] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0153.322] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0153.322] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0153.322] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdb0574c0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdb0574c0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0153.322] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0153.322] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0153.322] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0153.322] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0153.322] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0153.322] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0153.322] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0153.322] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb1bbad90, ftCreationTime.dwHighDateTime=0x1d5dacf, ftLastAccessTime.dwLowDateTime=0x36fc3270, ftLastAccessTime.dwHighDateTime=0x1d5e536, ftLastWriteTime.dwLowDateTime=0x36fc3270, ftLastWriteTime.dwHighDateTime=0x1d5e536, nFileSizeHigh=0x0, nFileSizeLow=0x6bbb, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="-zBSgGuwMeGChxChQZPn.m4a", cAlternateFileName="-ZBSGG~1.M4A")) returned 1 [0153.322] lstrcmpiW (lpString1="-zBSgGuwMeGChxChQZPn.m4a", lpString2="Windows") returned 1 [0153.322] lstrcmpiW (lpString1="-zBSgGuwMeGChxChQZPn.m4a", lpString2="Program Files") returned 1 [0153.323] lstrcmpiW (lpString1="-zBSgGuwMeGChxChQZPn.m4a", lpString2="Program Files (x86)") returned 1 [0153.323] lstrcmpiW (lpString1="-zBSgGuwMeGChxChQZPn.m4a", lpString2="$Recycle.bin") returned 1 [0153.323] lstrcmpiW (lpString1="-zBSgGuwMeGChxChQZPn.m4a", lpString2="System Volume Information") returned 1 [0153.323] lstrcmpiW (lpString1="-zBSgGuwMeGChxChQZPn.m4a", lpString2=".") returned 1 [0153.323] lstrcmpiW (lpString1="-zBSgGuwMeGChxChQZPn.m4a", lpString2="..") returned 1 [0153.323] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\-zBSgGuwMeGChxChQZPn.m4a") returned 64 [0153.323] lstrcmpW (lpString1="-zBSgGuwMeGChxChQZPn.m4a", lpString2="PUSSY.TXT") returned 1 [0153.323] PathFindExtensionW (pszPath="-zBSgGuwMeGChxChQZPn.m4a") returned=".m4a" [0153.323] lstrlenW (lpString=".m4a") returned 4 [0153.323] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0153.323] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\-zBSgGuwMeGChxChQZPn.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\-zbsgguwmegchxchqzpn.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0153.324] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=27579) returned 1 [0153.324] GetProcessHeap () returned 0x4c0000 [0153.324] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x553b30 [0153.333] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="31") returned 2 [0153.333] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="40") returned 2 [0153.333] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="76") returned 2 [0153.333] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="CE") returned 2 [0153.333] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="97") returned 2 [0153.333] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="4E") returned 2 [0153.333] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="99") returned 2 [0153.333] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="A1") returned 2 [0153.333] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="E3") returned 2 [0153.333] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="3C") returned 2 [0153.333] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="FD") returned 2 [0153.333] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="17") returned 2 [0153.333] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="D2") returned 2 [0153.333] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="6F") returned 2 [0153.333] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="BF") returned 2 [0153.334] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="27") returned 2 [0153.334] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="E2") returned 2 [0153.334] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="2D") returned 2 [0153.334] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="33") returned 2 [0153.334] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="26") returned 2 [0153.334] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="D5") returned 2 [0153.334] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="06") returned 2 [0153.334] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="86") returned 2 [0153.334] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="81") returned 2 [0153.334] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="22") returned 2 [0153.334] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="94") returned 2 [0153.334] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="EF") returned 2 [0153.334] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="DC") returned 2 [0153.334] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="00") returned 2 [0153.334] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="0D") returned 2 [0153.334] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="7A") returned 2 [0153.334] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="7F") returned 2 [0153.342] lstrcpyW (in: lpString1=0x563b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\-zBSgGuwMeGChxChQZPn.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\-zBSgGuwMeGChxChQZPn.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\-zBSgGuwMeGChxChQZPn.m4a" [0153.342] lstrcpyW (in: lpString1=0x553b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\-zBSgGuwMeGChxChQZPn.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\-zBSgGuwMeGChxChQZPn.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\-zBSgGuwMeGChxChQZPn.m4a" [0153.342] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\-zBSgGuwMeGChxChQZPn.m4a", lpString2=".314076CE974E99A1E33CFD17D26FBF27E22D3326D50686812294EFDC000D7A7F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\-zBSgGuwMeGChxChQZPn.m4a.314076CE974E99A1E33CFD17D26FBF27E22D3326D50686812294EFDC000D7A7F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\-zBSgGuwMeGChxChQZPn.m4a.314076CE974E99A1E33CFD17D26FBF27E22D3326D50686812294EFDC000D7A7F" [0153.342] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x553b30, NumberOfConcurrentThreads=0x0) returned 0x94 [0153.342] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x553b30, lpOverlapped=0x553b30) returned 1 [0153.342] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6292db70, ftCreationTime.dwHighDateTime=0x1d5e417, ftLastAccessTime.dwLowDateTime=0xea3dc90, ftLastAccessTime.dwHighDateTime=0x1d5d854, ftLastWriteTime.dwLowDateTime=0xea3dc90, ftLastWriteTime.dwHighDateTime=0x1d5d854, nFileSizeHigh=0x0, nFileSizeLow=0x111f1, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="6j5sFZq4Osz.wav", cAlternateFileName="6J5SFZ~1.WAV")) returned 1 [0153.343] lstrcmpiW (lpString1="6j5sFZq4Osz.wav", lpString2="Windows") returned -1 [0153.343] lstrcmpiW (lpString1="6j5sFZq4Osz.wav", lpString2="Program Files") returned -1 [0153.343] lstrcmpiW (lpString1="6j5sFZq4Osz.wav", lpString2="Program Files (x86)") returned -1 [0153.343] lstrcmpiW (lpString1="6j5sFZq4Osz.wav", lpString2="$Recycle.bin") returned 1 [0153.343] lstrcmpiW (lpString1="6j5sFZq4Osz.wav", lpString2="System Volume Information") returned -1 [0153.343] lstrcmpiW (lpString1="6j5sFZq4Osz.wav", lpString2=".") returned 1 [0153.343] lstrcmpiW (lpString1="6j5sFZq4Osz.wav", lpString2="..") returned 1 [0153.343] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\6j5sFZq4Osz.wav") returned 55 [0153.343] lstrcmpW (lpString1="6j5sFZq4Osz.wav", lpString2="PUSSY.TXT") returned -1 [0153.343] PathFindExtensionW (pszPath="6j5sFZq4Osz.wav") returned=".wav" [0153.343] lstrlenW (lpString=".wav") returned 4 [0153.343] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0153.343] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\6j5sFZq4Osz.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\6j5sfzq4osz.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x124 [0153.344] GetFileSizeEx (in: hFile=0x124, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=70129) returned 1 [0153.344] GetProcessHeap () returned 0x4c0000 [0153.344] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0153.355] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="F2") returned 2 [0153.355] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="0D") returned 2 [0153.355] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="F0") returned 2 [0153.355] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="16") returned 2 [0153.355] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="C6") returned 2 [0153.355] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="9C") returned 2 [0153.355] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="6D") returned 2 [0153.355] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="74") returned 2 [0153.355] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="9C") returned 2 [0153.355] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="61") returned 2 [0153.355] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="63") returned 2 [0153.355] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="D3") returned 2 [0153.355] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="52") returned 2 [0153.355] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="71") returned 2 [0153.355] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="73") returned 2 [0153.355] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="DD") returned 2 [0153.355] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="D5") returned 2 [0153.355] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="B8") returned 2 [0153.355] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="8D") returned 2 [0153.355] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="9C") returned 2 [0153.355] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="C6") returned 2 [0153.355] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="0B") returned 2 [0153.355] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="7F") returned 2 [0153.356] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="68") returned 2 [0153.356] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="71") returned 2 [0153.356] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="7C") returned 2 [0153.356] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="6C") returned 2 [0153.356] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="36") returned 2 [0153.356] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="4F") returned 2 [0153.356] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="A1") returned 2 [0153.356] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="15") returned 2 [0153.356] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="60") returned 2 [0153.365] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\6j5sFZq4Osz.wav" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\6j5sFZq4Osz.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\6j5sFZq4Osz.wav" [0153.366] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\6j5sFZq4Osz.wav" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\6j5sFZq4Osz.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\6j5sFZq4Osz.wav" [0153.366] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\6j5sFZq4Osz.wav", lpString2=".F20DF016C69C6D749C6163D3527173DDD5B88D9CC60B7F68717C6C364FA11560" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\6j5sFZq4Osz.wav.F20DF016C69C6D749C6163D3527173DDD5B88D9CC60B7F68717C6C364FA11560") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\6j5sFZq4Osz.wav.F20DF016C69C6D749C6163D3527173DDD5B88D9CC60B7F68717C6C364FA11560" [0153.366] CreateIoCompletionPort (FileHandle=0x124, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0153.366] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0153.366] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1791d0d0, ftCreationTime.dwHighDateTime=0x1d5d8b5, ftLastAccessTime.dwLowDateTime=0x9ab8bdc0, ftLastAccessTime.dwHighDateTime=0x1d5dde7, ftLastWriteTime.dwLowDateTime=0x9ab8bdc0, ftLastWriteTime.dwHighDateTime=0x1d5dde7, nFileSizeHigh=0x0, nFileSizeLow=0x8477, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="agshLti0U31roviK.m4a", cAlternateFileName="AGSHLT~1.M4A")) returned 1 [0153.366] lstrcmpiW (lpString1="agshLti0U31roviK.m4a", lpString2="Windows") returned -1 [0153.366] lstrcmpiW (lpString1="agshLti0U31roviK.m4a", lpString2="Program Files") returned -1 [0153.366] lstrcmpiW (lpString1="agshLti0U31roviK.m4a", lpString2="Program Files (x86)") returned -1 [0153.366] lstrcmpiW (lpString1="agshLti0U31roviK.m4a", lpString2="$Recycle.bin") returned 1 [0153.366] lstrcmpiW (lpString1="agshLti0U31roviK.m4a", lpString2="System Volume Information") returned -1 [0153.366] lstrcmpiW (lpString1="agshLti0U31roviK.m4a", lpString2=".") returned 1 [0153.366] lstrcmpiW (lpString1="agshLti0U31roviK.m4a", lpString2="..") returned 1 [0153.366] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\agshLti0U31roviK.m4a") returned 60 [0153.366] lstrcmpW (lpString1="agshLti0U31roviK.m4a", lpString2="PUSSY.TXT") returned -1 [0153.366] PathFindExtensionW (pszPath="agshLti0U31roviK.m4a") returned=".m4a" [0153.366] lstrlenW (lpString=".m4a") returned 4 [0153.366] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0153.366] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\agshLti0U31roviK.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\agshlti0u31rovik.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0153.367] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=33911) returned 1 [0153.367] GetProcessHeap () returned 0x4c0000 [0153.367] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c28098 [0153.376] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="52") returned 2 [0153.376] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="45") returned 2 [0153.376] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="E5") returned 2 [0153.377] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="1A") returned 2 [0153.377] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="8C") returned 2 [0153.377] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="F3") returned 2 [0153.377] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="6C") returned 2 [0153.377] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="37") returned 2 [0153.377] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="10") returned 2 [0153.377] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="57") returned 2 [0153.377] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="CC") returned 2 [0153.377] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="9E") returned 2 [0153.377] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="ED") returned 2 [0153.377] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="27") returned 2 [0153.377] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="48") returned 2 [0153.377] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="06") returned 2 [0153.377] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="24") returned 2 [0153.377] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="8B") returned 2 [0153.377] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="D5") returned 2 [0153.377] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="94") returned 2 [0153.377] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="9C") returned 2 [0153.377] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="3F") returned 2 [0153.377] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="04") returned 2 [0153.377] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="B3") returned 2 [0153.377] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="C5") returned 2 [0153.377] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="57") returned 2 [0153.377] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="DE") returned 2 [0153.377] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="8E") returned 2 [0153.377] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="E3") returned 2 [0153.377] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="FD") returned 2 [0153.377] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="57") returned 2 [0153.377] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="24") returned 2 [0153.386] lstrcpyW (in: lpString1=0x3c380cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\agshLti0U31roviK.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\agshLti0U31roviK.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\agshLti0U31roviK.m4a" [0153.386] lstrcpyW (in: lpString1=0x3c280cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\agshLti0U31roviK.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\agshLti0U31roviK.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\agshLti0U31roviK.m4a" [0153.386] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\agshLti0U31roviK.m4a", lpString2=".5245E51A8CF36C371057CC9EED274806248BD5949C3F04B3C557DE8EE3FD5724" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\agshLti0U31roviK.m4a.5245E51A8CF36C371057CC9EED274806248BD5949C3F04B3C557DE8EE3FD5724") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\agshLti0U31roviK.m4a.5245E51A8CF36C371057CC9EED274806248BD5949C3F04B3C557DE8EE3FD5724" [0153.386] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x3c28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0153.386] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c28098, lpOverlapped=0x3c28098) returned 1 [0153.386] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a0f1720, ftCreationTime.dwHighDateTime=0x1d5e0f7, ftLastAccessTime.dwLowDateTime=0x4a81a4d0, ftLastAccessTime.dwHighDateTime=0x1d5da8a, ftLastWriteTime.dwLowDateTime=0x4a81a4d0, ftLastWriteTime.dwHighDateTime=0x1d5da8a, nFileSizeHigh=0x0, nFileSizeLow=0x156b5, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="bghxGGm.m4a", cAlternateFileName="")) returned 1 [0153.386] lstrcmpiW (lpString1="bghxGGm.m4a", lpString2="Windows") returned -1 [0153.386] lstrcmpiW (lpString1="bghxGGm.m4a", lpString2="Program Files") returned -1 [0153.386] lstrcmpiW (lpString1="bghxGGm.m4a", lpString2="Program Files (x86)") returned -1 [0153.386] lstrcmpiW (lpString1="bghxGGm.m4a", lpString2="$Recycle.bin") returned 1 [0153.386] lstrcmpiW (lpString1="bghxGGm.m4a", lpString2="System Volume Information") returned -1 [0153.386] lstrcmpiW (lpString1="bghxGGm.m4a", lpString2=".") returned 1 [0153.386] lstrcmpiW (lpString1="bghxGGm.m4a", lpString2="..") returned 1 [0153.386] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\bghxGGm.m4a") returned 51 [0153.386] lstrcmpW (lpString1="bghxGGm.m4a", lpString2="PUSSY.TXT") returned -1 [0153.387] PathFindExtensionW (pszPath="bghxGGm.m4a") returned=".m4a" [0153.387] lstrlenW (lpString=".m4a") returned 4 [0153.387] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0153.387] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\bghxGGm.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\bghxggm.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0153.388] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=87733) returned 1 [0153.388] GetProcessHeap () returned 0x4c0000 [0153.388] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b380a0 [0153.398] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="91") returned 2 [0153.398] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="AA") returned 2 [0153.398] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="DE") returned 2 [0153.399] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="2D") returned 2 [0153.399] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="04") returned 2 [0153.399] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="27") returned 2 [0153.399] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="0B") returned 2 [0153.399] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="9F") returned 2 [0153.399] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="5E") returned 2 [0153.399] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="40") returned 2 [0153.399] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="58") returned 2 [0153.399] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="8A") returned 2 [0153.399] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="28") returned 2 [0153.399] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="B9") returned 2 [0153.399] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="38") returned 2 [0153.399] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="52") returned 2 [0153.399] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="CB") returned 2 [0153.399] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="D9") returned 2 [0153.399] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="8D") returned 2 [0153.399] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="1A") returned 2 [0153.399] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="67") returned 2 [0153.399] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="70") returned 2 [0153.399] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="93") returned 2 [0153.399] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="99") returned 2 [0153.399] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="0A") returned 2 [0153.399] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="E5") returned 2 [0153.399] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="6E") returned 2 [0153.399] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="36") returned 2 [0153.399] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="5C") returned 2 [0153.399] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="46") returned 2 [0153.399] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="AA") returned 2 [0153.399] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="02") returned 2 [0153.407] lstrcpyW (in: lpString1=0x3b480d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\bghxGGm.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\bghxGGm.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\bghxGGm.m4a" [0153.407] lstrcpyW (in: lpString1=0x3b380d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\bghxGGm.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\bghxGGm.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\bghxGGm.m4a" [0153.407] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\bghxGGm.m4a", lpString2=".91AADE2D04270B9F5E40588A28B93852CBD98D1A677093990AE56E365C46AA02" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\bghxGGm.m4a.91AADE2D04270B9F5E40588A28B93852CBD98D1A677093990AE56E365C46AA02") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\bghxGGm.m4a.91AADE2D04270B9F5E40588A28B93852CBD98D1A677093990AE56E365C46AA02" [0153.408] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x3b380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0153.408] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b380a0, lpOverlapped=0x3b380a0) returned 1 [0153.441] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7fcaec00, ftCreationTime.dwHighDateTime=0x1d5df3a, ftLastAccessTime.dwLowDateTime=0xee1a2150, ftLastAccessTime.dwHighDateTime=0x1d5e3c5, ftLastWriteTime.dwLowDateTime=0xee1a2150, ftLastWriteTime.dwHighDateTime=0x1d5e3c5, nFileSizeHigh=0x0, nFileSizeLow=0x9a95, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="bJM8w O3fk fqat.m4a", cAlternateFileName="BJM8WO~1.M4A")) returned 1 [0153.441] lstrcmpiW (lpString1="bJM8w O3fk fqat.m4a", lpString2="Windows") returned -1 [0153.441] lstrcmpiW (lpString1="bJM8w O3fk fqat.m4a", lpString2="Program Files") returned -1 [0153.441] lstrcmpiW (lpString1="bJM8w O3fk fqat.m4a", lpString2="Program Files (x86)") returned -1 [0153.441] lstrcmpiW (lpString1="bJM8w O3fk fqat.m4a", lpString2="$Recycle.bin") returned 1 [0153.441] lstrcmpiW (lpString1="bJM8w O3fk fqat.m4a", lpString2="System Volume Information") returned -1 [0153.441] lstrcmpiW (lpString1="bJM8w O3fk fqat.m4a", lpString2=".") returned 1 [0153.441] lstrcmpiW (lpString1="bJM8w O3fk fqat.m4a", lpString2="..") returned 1 [0153.441] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\bJM8w O3fk fqat.m4a") returned 59 [0153.441] lstrcmpW (lpString1="bJM8w O3fk fqat.m4a", lpString2="PUSSY.TXT") returned -1 [0153.441] PathFindExtensionW (pszPath="bJM8w O3fk fqat.m4a") returned=".m4a" [0153.441] lstrlenW (lpString=".m4a") returned 4 [0153.441] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0153.441] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\bJM8w O3fk fqat.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\bjm8w o3fk fqat.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0153.442] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=39573) returned 1 [0153.442] GetProcessHeap () returned 0x4c0000 [0153.442] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b380a0 [0153.451] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="4C") returned 2 [0153.451] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="E6") returned 2 [0153.451] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="0E") returned 2 [0153.451] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="CD") returned 2 [0153.451] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="9E") returned 2 [0153.451] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="48") returned 2 [0153.451] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="4D") returned 2 [0153.451] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="CC") returned 2 [0153.451] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="DF") returned 2 [0153.451] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="CE") returned 2 [0153.451] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="CB") returned 2 [0153.451] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="62") returned 2 [0153.451] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="45") returned 2 [0153.451] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="40") returned 2 [0153.451] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="9D") returned 2 [0153.451] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="9D") returned 2 [0153.451] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="1E") returned 2 [0153.451] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="55") returned 2 [0153.452] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="10") returned 2 [0153.452] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="46") returned 2 [0153.452] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="B8") returned 2 [0153.452] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="BE") returned 2 [0153.452] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="72") returned 2 [0153.452] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="6B") returned 2 [0153.452] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="44") returned 2 [0153.452] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="37") returned 2 [0153.452] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="99") returned 2 [0153.452] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="3A") returned 2 [0153.452] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="B3") returned 2 [0153.452] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="DB") returned 2 [0153.452] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="61") returned 2 [0153.452] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="74") returned 2 [0153.593] lstrcpyW (in: lpString1=0x3b480d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\bJM8w O3fk fqat.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\bJM8w O3fk fqat.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\bJM8w O3fk fqat.m4a" [0153.593] lstrcpyW (in: lpString1=0x3b380d4, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\bJM8w O3fk fqat.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\bJM8w O3fk fqat.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\bJM8w O3fk fqat.m4a" [0153.593] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\bJM8w O3fk fqat.m4a", lpString2=".4CE60ECD9E484DCCDFCECB6245409D9D1E551046B8BE726B4437993AB3DB6174" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\bJM8w O3fk fqat.m4a.4CE60ECD9E484DCCDFCECB6245409D9D1E551046B8BE726B4437993AB3DB6174") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\bJM8w O3fk fqat.m4a.4CE60ECD9E484DCCDFCECB6245409D9D1E551046B8BE726B4437993AB3DB6174" [0153.593] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x3b380a0, NumberOfConcurrentThreads=0x0) returned 0x94 [0153.593] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b380a0, lpOverlapped=0x3b380a0) returned 1 [0153.645] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c3c48a0, ftCreationTime.dwHighDateTime=0x1d5e0fd, ftLastAccessTime.dwLowDateTime=0x3c5ae370, ftLastAccessTime.dwHighDateTime=0x1d5de5a, ftLastWriteTime.dwLowDateTime=0x3c5ae370, ftLastWriteTime.dwHighDateTime=0x1d5de5a, nFileSizeHigh=0x0, nFileSizeLow=0x6824, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="bojzw00wTqXzntf5.mp3", cAlternateFileName="BOJZW0~1.MP3")) returned 1 [0153.645] lstrcmpiW (lpString1="bojzw00wTqXzntf5.mp3", lpString2="Windows") returned -1 [0153.645] lstrcmpiW (lpString1="bojzw00wTqXzntf5.mp3", lpString2="Program Files") returned -1 [0153.645] lstrcmpiW (lpString1="bojzw00wTqXzntf5.mp3", lpString2="Program Files (x86)") returned -1 [0153.645] lstrcmpiW (lpString1="bojzw00wTqXzntf5.mp3", lpString2="$Recycle.bin") returned 1 [0153.645] lstrcmpiW (lpString1="bojzw00wTqXzntf5.mp3", lpString2="System Volume Information") returned -1 [0153.645] lstrcmpiW (lpString1="bojzw00wTqXzntf5.mp3", lpString2=".") returned 1 [0153.645] lstrcmpiW (lpString1="bojzw00wTqXzntf5.mp3", lpString2="..") returned 1 [0153.645] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\bojzw00wTqXzntf5.mp3") returned 60 [0153.646] lstrcmpW (lpString1="bojzw00wTqXzntf5.mp3", lpString2="PUSSY.TXT") returned -1 [0153.646] PathFindExtensionW (pszPath="bojzw00wTqXzntf5.mp3") returned=".mp3" [0153.646] lstrlenW (lpString=".mp3") returned 4 [0153.646] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0153.646] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\bojzw00wTqXzntf5.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\bojzw00wtqxzntf5.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0153.647] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=26660) returned 1 [0153.647] GetProcessHeap () returned 0x4c0000 [0153.647] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0153.660] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="58") returned 2 [0153.660] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="D5") returned 2 [0153.660] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="06") returned 2 [0153.660] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="8B") returned 2 [0153.660] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="0F") returned 2 [0153.660] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="F7") returned 2 [0153.660] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="6F") returned 2 [0153.660] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="99") returned 2 [0153.660] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="54") returned 2 [0153.660] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="6E") returned 2 [0153.660] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="B9") returned 2 [0153.660] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="C2") returned 2 [0153.660] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="3A") returned 2 [0153.660] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="5F") returned 2 [0153.660] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="E3") returned 2 [0153.660] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="0D") returned 2 [0153.660] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="BF") returned 2 [0153.660] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="81") returned 2 [0153.660] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="64") returned 2 [0153.660] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="DD") returned 2 [0153.660] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="59") returned 2 [0153.660] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="41") returned 2 [0153.661] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="41") returned 2 [0153.661] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="D6") returned 2 [0153.661] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="AA") returned 2 [0153.661] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="47") returned 2 [0153.661] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="8A") returned 2 [0153.661] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="58") returned 2 [0153.661] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="71") returned 2 [0153.661] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="51") returned 2 [0153.661] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="CC") returned 2 [0153.661] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="01") returned 2 [0153.672] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\bojzw00wTqXzntf5.mp3" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\bojzw00wTqXzntf5.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\bojzw00wTqXzntf5.mp3" [0153.673] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\bojzw00wTqXzntf5.mp3" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\bojzw00wTqXzntf5.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\bojzw00wTqXzntf5.mp3" [0153.673] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\bojzw00wTqXzntf5.mp3", lpString2=".58D5068B0FF76F99546EB9C23A5FE30DBF8164DD594141D6AA478A587151CC01" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\bojzw00wTqXzntf5.mp3.58D5068B0FF76F99546EB9C23A5FE30DBF8164DD594141D6AA478A587151CC01") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\bojzw00wTqXzntf5.mp3.58D5068B0FF76F99546EB9C23A5FE30DBF8164DD594141D6AA478A587151CC01" [0153.673] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0153.673] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0153.716] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9e03620, ftCreationTime.dwHighDateTime=0x1d5d969, ftLastAccessTime.dwLowDateTime=0xebd506c0, ftLastAccessTime.dwHighDateTime=0x1d5def8, ftLastWriteTime.dwLowDateTime=0xebd506c0, ftLastWriteTime.dwHighDateTime=0x1d5def8, nFileSizeHigh=0x0, nFileSizeLow=0x1367a, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="C-0uHHocNF3U8qyXLbB.m4a", cAlternateFileName="C-0UHH~1.M4A")) returned 1 [0153.716] lstrcmpiW (lpString1="C-0uHHocNF3U8qyXLbB.m4a", lpString2="Windows") returned -1 [0153.716] lstrcmpiW (lpString1="C-0uHHocNF3U8qyXLbB.m4a", lpString2="Program Files") returned -1 [0153.716] lstrcmpiW (lpString1="C-0uHHocNF3U8qyXLbB.m4a", lpString2="Program Files (x86)") returned -1 [0153.716] lstrcmpiW (lpString1="C-0uHHocNF3U8qyXLbB.m4a", lpString2="$Recycle.bin") returned 1 [0153.716] lstrcmpiW (lpString1="C-0uHHocNF3U8qyXLbB.m4a", lpString2="System Volume Information") returned -1 [0153.716] lstrcmpiW (lpString1="C-0uHHocNF3U8qyXLbB.m4a", lpString2=".") returned 1 [0153.717] lstrcmpiW (lpString1="C-0uHHocNF3U8qyXLbB.m4a", lpString2="..") returned 1 [0153.717] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\C-0uHHocNF3U8qyXLbB.m4a") returned 63 [0153.717] lstrcmpW (lpString1="C-0uHHocNF3U8qyXLbB.m4a", lpString2="PUSSY.TXT") returned -1 [0153.717] PathFindExtensionW (pszPath="C-0uHHocNF3U8qyXLbB.m4a") returned=".m4a" [0153.717] lstrlenW (lpString=".m4a") returned 4 [0153.717] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0153.717] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\C-0uHHocNF3U8qyXLbB.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\c-0uhhocnf3u8qyxlbb.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0153.718] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=79482) returned 1 [0153.718] GetProcessHeap () returned 0x4c0000 [0153.718] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0153.730] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="00") returned 2 [0153.731] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="A9") returned 2 [0153.731] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="89") returned 2 [0153.731] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="66") returned 2 [0153.731] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="DF") returned 2 [0153.731] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="08") returned 2 [0153.731] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="13") returned 2 [0153.731] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="83") returned 2 [0153.731] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="77") returned 2 [0153.731] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="63") returned 2 [0153.731] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="50") returned 2 [0153.731] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="2D") returned 2 [0153.731] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="CE") returned 2 [0153.731] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="8E") returned 2 [0153.731] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="3C") returned 2 [0153.731] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="71") returned 2 [0153.731] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="C1") returned 2 [0153.731] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="7E") returned 2 [0153.731] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="1E") returned 2 [0153.731] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="D5") returned 2 [0153.731] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="33") returned 2 [0153.731] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="49") returned 2 [0153.731] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="AB") returned 2 [0153.731] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="35") returned 2 [0153.731] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="9F") returned 2 [0153.731] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="CD") returned 2 [0153.731] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="43") returned 2 [0153.732] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="09") returned 2 [0153.732] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="CF") returned 2 [0153.732] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="9D") returned 2 [0153.732] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="FF") returned 2 [0153.732] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="75") returned 2 [0153.743] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\C-0uHHocNF3U8qyXLbB.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\C-0uHHocNF3U8qyXLbB.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\C-0uHHocNF3U8qyXLbB.m4a" [0153.743] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\C-0uHHocNF3U8qyXLbB.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\C-0uHHocNF3U8qyXLbB.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\C-0uHHocNF3U8qyXLbB.m4a" [0153.743] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\C-0uHHocNF3U8qyXLbB.m4a", lpString2=".00A98966DF0813837763502DCE8E3C71C17E1ED53349AB359FCD4309CF9DFF75" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\C-0uHHocNF3U8qyXLbB.m4a.00A98966DF0813837763502DCE8E3C71C17E1ED53349AB359FCD4309CF9DFF75") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\C-0uHHocNF3U8qyXLbB.m4a.00A98966DF0813837763502DCE8E3C71C17E1ED53349AB359FCD4309CF9DFF75" [0153.743] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0153.744] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0153.790] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9da24f30, ftCreationTime.dwHighDateTime=0x1d5e1c3, ftLastAccessTime.dwLowDateTime=0x5563df70, ftLastAccessTime.dwHighDateTime=0x1d5dd92, ftLastWriteTime.dwLowDateTime=0x5563df70, ftLastWriteTime.dwHighDateTime=0x1d5dd92, nFileSizeHigh=0x0, nFileSizeLow=0x15553, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="cDO7YnHJe.m4a", cAlternateFileName="CDO7YN~1.M4A")) returned 1 [0153.790] lstrcmpiW (lpString1="cDO7YnHJe.m4a", lpString2="Windows") returned -1 [0153.790] lstrcmpiW (lpString1="cDO7YnHJe.m4a", lpString2="Program Files") returned -1 [0153.790] lstrcmpiW (lpString1="cDO7YnHJe.m4a", lpString2="Program Files (x86)") returned -1 [0153.790] lstrcmpiW (lpString1="cDO7YnHJe.m4a", lpString2="$Recycle.bin") returned 1 [0153.790] lstrcmpiW (lpString1="cDO7YnHJe.m4a", lpString2="System Volume Information") returned -1 [0153.790] lstrcmpiW (lpString1="cDO7YnHJe.m4a", lpString2=".") returned 1 [0153.790] lstrcmpiW (lpString1="cDO7YnHJe.m4a", lpString2="..") returned 1 [0153.790] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\cDO7YnHJe.m4a") returned 53 [0153.790] lstrcmpW (lpString1="cDO7YnHJe.m4a", lpString2="PUSSY.TXT") returned -1 [0153.790] PathFindExtensionW (pszPath="cDO7YnHJe.m4a") returned=".m4a" [0153.790] lstrlenW (lpString=".m4a") returned 4 [0153.790] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0153.790] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\cDO7YnHJe.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\cdo7ynhje.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0153.791] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=87379) returned 1 [0153.791] GetProcessHeap () returned 0x4c0000 [0153.791] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0153.803] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="FF") returned 2 [0153.803] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="4A") returned 2 [0153.803] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="8A") returned 2 [0153.803] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="F6") returned 2 [0153.803] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="D0") returned 2 [0153.803] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="C5") returned 2 [0153.803] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="1F") returned 2 [0153.803] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="55") returned 2 [0153.803] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="DB") returned 2 [0153.804] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="10") returned 2 [0153.804] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="AE") returned 2 [0153.804] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="C1") returned 2 [0153.804] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="19") returned 2 [0153.804] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="AF") returned 2 [0153.804] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="EE") returned 2 [0153.804] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="E5") returned 2 [0153.804] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="F3") returned 2 [0153.804] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="66") returned 2 [0153.804] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="DE") returned 2 [0153.804] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="CE") returned 2 [0153.804] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="69") returned 2 [0153.804] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="DB") returned 2 [0153.804] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="0D") returned 2 [0153.804] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="E0") returned 2 [0153.804] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="97") returned 2 [0153.804] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="17") returned 2 [0153.804] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="4C") returned 2 [0153.804] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="2E") returned 2 [0153.804] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="77") returned 2 [0153.804] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="57") returned 2 [0153.804] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="C1") returned 2 [0153.804] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="68") returned 2 [0153.816] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\cDO7YnHJe.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\cDO7YnHJe.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\cDO7YnHJe.m4a" [0153.816] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\cDO7YnHJe.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\cDO7YnHJe.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\cDO7YnHJe.m4a" [0153.816] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\cDO7YnHJe.m4a", lpString2=".FF4A8AF6D0C51F55DB10AEC119AFEEE5F366DECE69DB0DE097174C2E7757C168" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\cDO7YnHJe.m4a.FF4A8AF6D0C51F55DB10AEC119AFEEE5F366DECE69DB0DE097174C2E7757C168") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\cDO7YnHJe.m4a.FF4A8AF6D0C51F55DB10AEC119AFEEE5F366DECE69DB0DE097174C2E7757C168" [0153.816] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0153.816] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0153.897] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0153.897] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0153.897] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0153.897] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0153.897] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0153.897] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0153.897] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0153.897] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0153.897] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini") returned 51 [0153.897] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0153.897] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0153.897] lstrlenW (lpString=".ini") returned 4 [0153.897] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0153.898] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0153.899] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=504) returned 1 [0153.899] CloseHandle (hObject=0x184) returned 1 [0153.899] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe9bc6d0, ftCreationTime.dwHighDateTime=0x1d5dd7d, ftLastAccessTime.dwLowDateTime=0xb46807a0, ftLastAccessTime.dwHighDateTime=0x1d5e05b, ftLastWriteTime.dwLowDateTime=0xb46807a0, ftLastWriteTime.dwHighDateTime=0x1d5e05b, nFileSizeHigh=0x0, nFileSizeLow=0xad6b, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="eCCI2YeA.m4a", cAlternateFileName="")) returned 1 [0153.899] lstrcmpiW (lpString1="eCCI2YeA.m4a", lpString2="Windows") returned -1 [0153.899] lstrcmpiW (lpString1="eCCI2YeA.m4a", lpString2="Program Files") returned -1 [0153.899] lstrcmpiW (lpString1="eCCI2YeA.m4a", lpString2="Program Files (x86)") returned -1 [0153.899] lstrcmpiW (lpString1="eCCI2YeA.m4a", lpString2="$Recycle.bin") returned 1 [0153.899] lstrcmpiW (lpString1="eCCI2YeA.m4a", lpString2="System Volume Information") returned -1 [0153.900] lstrcmpiW (lpString1="eCCI2YeA.m4a", lpString2=".") returned 1 [0153.900] lstrcmpiW (lpString1="eCCI2YeA.m4a", lpString2="..") returned 1 [0153.900] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\eCCI2YeA.m4a") returned 52 [0153.900] lstrcmpW (lpString1="eCCI2YeA.m4a", lpString2="PUSSY.TXT") returned -1 [0153.900] PathFindExtensionW (pszPath="eCCI2YeA.m4a") returned=".m4a" [0153.900] lstrlenW (lpString=".m4a") returned 4 [0153.900] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0153.900] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\eCCI2YeA.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ecci2yea.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0153.930] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=44395) returned 1 [0153.930] GetProcessHeap () returned 0x4c0000 [0153.930] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0153.962] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="4A") returned 2 [0153.962] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="18") returned 2 [0153.962] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="8C") returned 2 [0153.962] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="79") returned 2 [0153.962] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="E1") returned 2 [0153.963] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="3C") returned 2 [0153.963] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="95") returned 2 [0153.963] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="92") returned 2 [0153.963] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="B8") returned 2 [0153.963] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="66") returned 2 [0153.963] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="9D") returned 2 [0153.963] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="3C") returned 2 [0153.963] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="08") returned 2 [0153.963] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="45") returned 2 [0153.963] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="85") returned 2 [0153.963] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="7C") returned 2 [0153.963] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="78") returned 2 [0153.963] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="6F") returned 2 [0153.963] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="06") returned 2 [0153.963] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="F2") returned 2 [0153.963] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="9C") returned 2 [0153.963] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="0F") returned 2 [0153.963] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="51") returned 2 [0153.963] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="1A") returned 2 [0153.963] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="FD") returned 2 [0153.963] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="87") returned 2 [0153.963] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="05") returned 2 [0153.963] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="B4") returned 2 [0153.963] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="9C") returned 2 [0153.963] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="5C") returned 2 [0153.963] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="CA") returned 2 [0153.963] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="6A") returned 2 [0153.975] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\eCCI2YeA.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\eCCI2YeA.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\eCCI2YeA.m4a" [0153.976] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\eCCI2YeA.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\eCCI2YeA.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\eCCI2YeA.m4a" [0153.976] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\eCCI2YeA.m4a", lpString2=".4A188C79E13C9592B8669D3C0845857C786F06F29C0F511AFD8705B49C5CCA6A" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\eCCI2YeA.m4a.4A188C79E13C9592B8669D3C0845857C786F06F29C0F511AFD8705B49C5CCA6A") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\eCCI2YeA.m4a.4A188C79E13C9592B8669D3C0845857C786F06F29C0F511AFD8705B49C5CCA6A" [0153.976] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0153.976] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0154.021] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc101cd30, ftCreationTime.dwHighDateTime=0x1d5e0b9, ftLastAccessTime.dwLowDateTime=0xa091ae30, ftLastAccessTime.dwHighDateTime=0x1d5e348, ftLastWriteTime.dwLowDateTime=0xa091ae30, ftLastWriteTime.dwHighDateTime=0x1d5e348, nFileSizeHigh=0x0, nFileSizeLow=0xa012, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="I-Jc_nzs4Sp.wav", cAlternateFileName="I-JC_N~1.WAV")) returned 1 [0154.021] lstrcmpiW (lpString1="I-Jc_nzs4Sp.wav", lpString2="Windows") returned -1 [0154.021] lstrcmpiW (lpString1="I-Jc_nzs4Sp.wav", lpString2="Program Files") returned -1 [0154.021] lstrcmpiW (lpString1="I-Jc_nzs4Sp.wav", lpString2="Program Files (x86)") returned -1 [0154.021] lstrcmpiW (lpString1="I-Jc_nzs4Sp.wav", lpString2="$Recycle.bin") returned 1 [0154.021] lstrcmpiW (lpString1="I-Jc_nzs4Sp.wav", lpString2="System Volume Information") returned -1 [0154.021] lstrcmpiW (lpString1="I-Jc_nzs4Sp.wav", lpString2=".") returned 1 [0154.025] lstrcmpiW (lpString1="I-Jc_nzs4Sp.wav", lpString2="..") returned 1 [0154.025] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\I-Jc_nzs4Sp.wav") returned 55 [0154.025] lstrcmpW (lpString1="I-Jc_nzs4Sp.wav", lpString2="PUSSY.TXT") returned -1 [0154.025] PathFindExtensionW (pszPath="I-Jc_nzs4Sp.wav") returned=".wav" [0154.025] lstrlenW (lpString=".wav") returned 4 [0154.025] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0154.025] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\I-Jc_nzs4Sp.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\i-jc_nzs4sp.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0154.027] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=40978) returned 1 [0154.027] GetProcessHeap () returned 0x4c0000 [0154.027] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0154.039] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="75") returned 2 [0154.039] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="0D") returned 2 [0154.039] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="F7") returned 2 [0154.039] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="49") returned 2 [0154.039] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="1F") returned 2 [0154.039] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="4B") returned 2 [0154.039] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="9E") returned 2 [0154.039] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="63") returned 2 [0154.040] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="B1") returned 2 [0154.040] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="12") returned 2 [0154.040] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="E6") returned 2 [0154.040] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="51") returned 2 [0154.040] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="41") returned 2 [0154.040] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="45") returned 2 [0154.040] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="77") returned 2 [0154.040] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="E5") returned 2 [0154.040] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="D5") returned 2 [0154.040] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="19") returned 2 [0154.040] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="C9") returned 2 [0154.040] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="A6") returned 2 [0154.040] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="63") returned 2 [0154.040] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="39") returned 2 [0154.040] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="B1") returned 2 [0154.040] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="07") returned 2 [0154.040] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="D6") returned 2 [0154.040] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="6A") returned 2 [0154.040] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="88") returned 2 [0154.040] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="64") returned 2 [0154.040] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="01") returned 2 [0154.040] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="92") returned 2 [0154.040] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="91") returned 2 [0154.040] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="7F") returned 2 [0154.053] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\I-Jc_nzs4Sp.wav" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\I-Jc_nzs4Sp.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\I-Jc_nzs4Sp.wav" [0154.053] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\I-Jc_nzs4Sp.wav" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\I-Jc_nzs4Sp.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\I-Jc_nzs4Sp.wav" [0154.053] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\I-Jc_nzs4Sp.wav", lpString2=".750DF7491F4B9E63B112E651414577E5D519C9A66339B107D66A88640192917F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\I-Jc_nzs4Sp.wav.750DF7491F4B9E63B112E651414577E5D519C9A66339B107D66A88640192917F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\I-Jc_nzs4Sp.wav.750DF7491F4B9E63B112E651414577E5D519C9A66339B107D66A88640192917F" [0154.053] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0154.053] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0154.101] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4db444f0, ftCreationTime.dwHighDateTime=0x1d5d80a, ftLastAccessTime.dwLowDateTime=0xb0421970, ftLastAccessTime.dwHighDateTime=0x1d5da6d, ftLastWriteTime.dwLowDateTime=0xb0421970, ftLastWriteTime.dwHighDateTime=0x1d5da6d, nFileSizeHigh=0x0, nFileSizeLow=0x6fbe, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="imlf6Qkfuo21Ta7GuS2.mp3", cAlternateFileName="IMLF6Q~1.MP3")) returned 1 [0154.102] lstrcmpiW (lpString1="imlf6Qkfuo21Ta7GuS2.mp3", lpString2="Windows") returned -1 [0154.102] lstrcmpiW (lpString1="imlf6Qkfuo21Ta7GuS2.mp3", lpString2="Program Files") returned -1 [0154.102] lstrcmpiW (lpString1="imlf6Qkfuo21Ta7GuS2.mp3", lpString2="Program Files (x86)") returned -1 [0154.102] lstrcmpiW (lpString1="imlf6Qkfuo21Ta7GuS2.mp3", lpString2="$Recycle.bin") returned 1 [0154.102] lstrcmpiW (lpString1="imlf6Qkfuo21Ta7GuS2.mp3", lpString2="System Volume Information") returned -1 [0154.102] lstrcmpiW (lpString1="imlf6Qkfuo21Ta7GuS2.mp3", lpString2=".") returned 1 [0154.102] lstrcmpiW (lpString1="imlf6Qkfuo21Ta7GuS2.mp3", lpString2="..") returned 1 [0154.102] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\imlf6Qkfuo21Ta7GuS2.mp3") returned 63 [0154.102] lstrcmpW (lpString1="imlf6Qkfuo21Ta7GuS2.mp3", lpString2="PUSSY.TXT") returned -1 [0154.102] PathFindExtensionW (pszPath="imlf6Qkfuo21Ta7GuS2.mp3") returned=".mp3" [0154.102] lstrlenW (lpString=".mp3") returned 4 [0154.102] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0154.102] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\imlf6Qkfuo21Ta7GuS2.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\imlf6qkfuo21ta7gus2.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0154.103] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=28606) returned 1 [0154.103] GetProcessHeap () returned 0x4c0000 [0154.103] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0154.115] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="06") returned 2 [0154.116] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="8D") returned 2 [0154.116] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="17") returned 2 [0154.116] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="DD") returned 2 [0154.116] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="F9") returned 2 [0154.116] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="9F") returned 2 [0154.116] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="D4") returned 2 [0154.116] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="52") returned 2 [0154.116] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="05") returned 2 [0154.116] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="B8") returned 2 [0154.116] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="4D") returned 2 [0154.116] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="91") returned 2 [0154.116] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="3D") returned 2 [0154.116] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="31") returned 2 [0154.116] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="F8") returned 2 [0154.116] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="FB") returned 2 [0154.116] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="65") returned 2 [0154.116] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="13") returned 2 [0154.116] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="76") returned 2 [0154.116] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="AC") returned 2 [0154.116] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="CE") returned 2 [0154.116] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="AE") returned 2 [0154.116] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="3F") returned 2 [0154.116] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="6B") returned 2 [0154.116] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="7D") returned 2 [0154.116] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="89") returned 2 [0154.116] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="45") returned 2 [0154.116] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="8E") returned 2 [0154.117] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="FB") returned 2 [0154.117] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="7C") returned 2 [0154.117] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="97") returned 2 [0154.117] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="3B") returned 2 [0154.128] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\imlf6Qkfuo21Ta7GuS2.mp3" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\imlf6Qkfuo21Ta7GuS2.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\imlf6Qkfuo21Ta7GuS2.mp3" [0154.128] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\imlf6Qkfuo21Ta7GuS2.mp3" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\imlf6Qkfuo21Ta7GuS2.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\imlf6Qkfuo21Ta7GuS2.mp3" [0154.128] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\imlf6Qkfuo21Ta7GuS2.mp3", lpString2=".068D17DDF99FD45205B84D913D31F8FB651376ACCEAE3F6B7D89458EFB7C973B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\imlf6Qkfuo21Ta7GuS2.mp3.068D17DDF99FD45205B84D913D31F8FB651376ACCEAE3F6B7D89458EFB7C973B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\imlf6Qkfuo21Ta7GuS2.mp3.068D17DDF99FD45205B84D913D31F8FB651376ACCEAE3F6B7D89458EFB7C973B" [0154.128] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0154.128] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0154.168] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93e46a80, ftCreationTime.dwHighDateTime=0x1d5e404, ftLastAccessTime.dwLowDateTime=0x60fcc5f0, ftLastAccessTime.dwHighDateTime=0x1d5dd23, ftLastWriteTime.dwLowDateTime=0x60fcc5f0, ftLastWriteTime.dwHighDateTime=0x1d5dd23, nFileSizeHigh=0x0, nFileSizeLow=0x2501, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="itwD4RV5.wav", cAlternateFileName="")) returned 1 [0154.168] lstrcmpiW (lpString1="itwD4RV5.wav", lpString2="Windows") returned -1 [0154.168] lstrcmpiW (lpString1="itwD4RV5.wav", lpString2="Program Files") returned -1 [0154.168] lstrcmpiW (lpString1="itwD4RV5.wav", lpString2="Program Files (x86)") returned -1 [0154.168] lstrcmpiW (lpString1="itwD4RV5.wav", lpString2="$Recycle.bin") returned 1 [0154.168] lstrcmpiW (lpString1="itwD4RV5.wav", lpString2="System Volume Information") returned -1 [0154.168] lstrcmpiW (lpString1="itwD4RV5.wav", lpString2=".") returned 1 [0154.168] lstrcmpiW (lpString1="itwD4RV5.wav", lpString2="..") returned 1 [0154.168] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\itwD4RV5.wav") returned 52 [0154.168] lstrcmpW (lpString1="itwD4RV5.wav", lpString2="PUSSY.TXT") returned -1 [0154.168] PathFindExtensionW (pszPath="itwD4RV5.wav") returned=".wav" [0154.168] lstrlenW (lpString=".wav") returned 4 [0154.168] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0154.169] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\itwD4RV5.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\itwd4rv5.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0154.170] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=9473) returned 1 [0154.170] GetProcessHeap () returned 0x4c0000 [0154.170] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0154.182] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="32") returned 2 [0154.182] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="A6") returned 2 [0154.182] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="E9") returned 2 [0154.182] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="24") returned 2 [0154.182] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="8E") returned 2 [0154.182] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="4A") returned 2 [0154.182] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="76") returned 2 [0154.182] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="22") returned 2 [0154.182] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="8B") returned 2 [0154.182] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="69") returned 2 [0154.182] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="65") returned 2 [0154.182] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="49") returned 2 [0154.182] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="52") returned 2 [0154.183] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="83") returned 2 [0154.183] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="CD") returned 2 [0154.183] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="1D") returned 2 [0154.183] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="29") returned 2 [0154.183] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="AC") returned 2 [0154.183] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="68") returned 2 [0154.183] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="05") returned 2 [0154.183] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="A6") returned 2 [0154.183] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="F7") returned 2 [0154.183] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="AC") returned 2 [0154.183] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="73") returned 2 [0154.183] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="7A") returned 2 [0154.183] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="81") returned 2 [0154.183] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="4D") returned 2 [0154.183] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="33") returned 2 [0154.183] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="B3") returned 2 [0154.183] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="F1") returned 2 [0154.183] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="B7") returned 2 [0154.183] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="2E") returned 2 [0154.198] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\itwD4RV5.wav" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\itwD4RV5.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\itwD4RV5.wav" [0154.198] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\itwD4RV5.wav" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\itwD4RV5.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\itwD4RV5.wav" [0154.198] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\itwD4RV5.wav", lpString2=".32A6E9248E4A76228B6965495283CD1D29AC6805A6F7AC737A814D33B3F1B72E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\itwD4RV5.wav.32A6E9248E4A76228B6965495283CD1D29AC6805A6F7AC737A814D33B3F1B72E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\itwD4RV5.wav.32A6E9248E4A76228B6965495283CD1D29AC6805A6F7AC737A814D33B3F1B72E" [0154.198] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0154.198] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0154.212] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa51eaf0, ftCreationTime.dwHighDateTime=0x1d5dfa8, ftLastAccessTime.dwLowDateTime=0xf2b63e70, ftLastAccessTime.dwHighDateTime=0x1d5d82f, ftLastWriteTime.dwLowDateTime=0xf2b63e70, ftLastWriteTime.dwHighDateTime=0x1d5d82f, nFileSizeHigh=0x0, nFileSizeLow=0x13d76, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="iUZFVgJS1_7PJ.wav", cAlternateFileName="IUZFVG~1.WAV")) returned 1 [0154.212] lstrcmpiW (lpString1="iUZFVgJS1_7PJ.wav", lpString2="Windows") returned -1 [0154.212] lstrcmpiW (lpString1="iUZFVgJS1_7PJ.wav", lpString2="Program Files") returned -1 [0154.212] lstrcmpiW (lpString1="iUZFVgJS1_7PJ.wav", lpString2="Program Files (x86)") returned -1 [0154.212] lstrcmpiW (lpString1="iUZFVgJS1_7PJ.wav", lpString2="$Recycle.bin") returned 1 [0154.212] lstrcmpiW (lpString1="iUZFVgJS1_7PJ.wav", lpString2="System Volume Information") returned -1 [0154.212] lstrcmpiW (lpString1="iUZFVgJS1_7PJ.wav", lpString2=".") returned 1 [0154.212] lstrcmpiW (lpString1="iUZFVgJS1_7PJ.wav", lpString2="..") returned 1 [0154.212] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\iUZFVgJS1_7PJ.wav") returned 57 [0154.212] lstrcmpW (lpString1="iUZFVgJS1_7PJ.wav", lpString2="PUSSY.TXT") returned -1 [0154.212] PathFindExtensionW (pszPath="iUZFVgJS1_7PJ.wav") returned=".wav" [0154.212] lstrlenW (lpString=".wav") returned 4 [0154.212] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0154.212] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\iUZFVgJS1_7PJ.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\iuzfvgjs1_7pj.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0154.214] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=81270) returned 1 [0154.214] GetProcessHeap () returned 0x4c0000 [0154.214] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0154.224] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="2E") returned 2 [0154.224] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="CC") returned 2 [0154.224] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="87") returned 2 [0154.224] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="FE") returned 2 [0154.224] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="02") returned 2 [0154.224] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="43") returned 2 [0154.224] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="63") returned 2 [0154.224] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="8F") returned 2 [0154.224] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="8A") returned 2 [0154.224] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="27") returned 2 [0154.224] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="C3") returned 2 [0154.224] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="C3") returned 2 [0154.224] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="8D") returned 2 [0154.224] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="E5") returned 2 [0154.224] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="90") returned 2 [0154.224] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="B6") returned 2 [0154.224] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="8C") returned 2 [0154.224] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="0B") returned 2 [0154.224] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="E4") returned 2 [0154.224] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="FD") returned 2 [0154.224] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="EE") returned 2 [0154.224] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="D9") returned 2 [0154.224] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="EF") returned 2 [0154.224] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="3D") returned 2 [0154.224] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="6F") returned 2 [0154.224] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="FF") returned 2 [0154.224] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="4F") returned 2 [0154.224] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="BC") returned 2 [0154.224] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="2C") returned 2 [0154.224] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="0B") returned 2 [0154.224] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="F4") returned 2 [0154.225] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="0B") returned 2 [0154.233] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\iUZFVgJS1_7PJ.wav" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\iUZFVgJS1_7PJ.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\iUZFVgJS1_7PJ.wav" [0154.234] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\iUZFVgJS1_7PJ.wav" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\iUZFVgJS1_7PJ.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\iUZFVgJS1_7PJ.wav" [0154.234] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\iUZFVgJS1_7PJ.wav", lpString2=".2ECC87FE0243638F8A27C3C38DE590B68C0BE4FDEED9EF3D6FFF4FBC2C0BF40B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\iUZFVgJS1_7PJ.wav.2ECC87FE0243638F8A27C3C38DE590B68C0BE4FDEED9EF3D6FFF4FBC2C0BF40B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\iUZFVgJS1_7PJ.wav.2ECC87FE0243638F8A27C3C38DE590B68C0BE4FDEED9EF3D6FFF4FBC2C0BF40B" [0154.234] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0154.234] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0154.268] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59cefb0, ftCreationTime.dwHighDateTime=0x1d5dbf1, ftLastAccessTime.dwLowDateTime=0x10dd5ab0, ftLastAccessTime.dwHighDateTime=0x1d5e81f, ftLastWriteTime.dwLowDateTime=0x10dd5ab0, ftLastWriteTime.dwHighDateTime=0x1d5e81f, nFileSizeHigh=0x0, nFileSizeLow=0x136dc, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="I_74.m4a", cAlternateFileName="")) returned 1 [0154.268] lstrcmpiW (lpString1="I_74.m4a", lpString2="Windows") returned -1 [0154.268] lstrcmpiW (lpString1="I_74.m4a", lpString2="Program Files") returned -1 [0154.268] lstrcmpiW (lpString1="I_74.m4a", lpString2="Program Files (x86)") returned -1 [0154.268] lstrcmpiW (lpString1="I_74.m4a", lpString2="$Recycle.bin") returned 1 [0154.268] lstrcmpiW (lpString1="I_74.m4a", lpString2="System Volume Information") returned -1 [0154.269] lstrcmpiW (lpString1="I_74.m4a", lpString2=".") returned 1 [0154.269] lstrcmpiW (lpString1="I_74.m4a", lpString2="..") returned 1 [0154.269] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\I_74.m4a") returned 48 [0154.269] lstrcmpW (lpString1="I_74.m4a", lpString2="PUSSY.TXT") returned -1 [0154.269] PathFindExtensionW (pszPath="I_74.m4a") returned=".m4a" [0154.269] lstrlenW (lpString=".m4a") returned 4 [0154.269] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0154.269] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\I_74.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\i_74.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0154.271] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=79580) returned 1 [0154.271] GetProcessHeap () returned 0x4c0000 [0154.271] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0154.283] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="A7") returned 2 [0154.283] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="E8") returned 2 [0154.283] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="6F") returned 2 [0154.283] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="F3") returned 2 [0154.283] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="DC") returned 2 [0154.283] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="CE") returned 2 [0154.283] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="50") returned 2 [0154.283] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="28") returned 2 [0154.283] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="F6") returned 2 [0154.284] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="55") returned 2 [0154.284] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="3A") returned 2 [0154.284] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="90") returned 2 [0154.284] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="F5") returned 2 [0154.284] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="6A") returned 2 [0154.284] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="FB") returned 2 [0154.284] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="45") returned 2 [0154.284] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="19") returned 2 [0154.284] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="CC") returned 2 [0154.284] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="BE") returned 2 [0154.284] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="7D") returned 2 [0154.284] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="62") returned 2 [0154.284] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="7F") returned 2 [0154.284] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="B7") returned 2 [0154.284] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="85") returned 2 [0154.284] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="51") returned 2 [0154.284] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="67") returned 2 [0154.284] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="02") returned 2 [0154.284] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="A9") returned 2 [0154.284] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="B9") returned 2 [0154.284] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="A1") returned 2 [0154.284] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="98") returned 2 [0154.284] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="2D") returned 2 [0154.299] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\I_74.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\I_74.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\I_74.m4a" [0154.299] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\I_74.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\I_74.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\I_74.m4a" [0154.299] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\I_74.m4a", lpString2=".A7E86FF3DCCE5028F6553A90F56AFB4519CCBE7D627FB785516702A9B9A1982D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\I_74.m4a.A7E86FF3DCCE5028F6553A90F56AFB4519CCBE7D627FB785516702A9B9A1982D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\I_74.m4a.A7E86FF3DCCE5028F6553A90F56AFB4519CCBE7D627FB785516702A9B9A1982D" [0154.299] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0154.299] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0154.354] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4ad80ef0, ftCreationTime.dwHighDateTime=0x1d5dd0b, ftLastAccessTime.dwLowDateTime=0xf0fe42c0, ftLastAccessTime.dwHighDateTime=0x1d5e668, ftLastWriteTime.dwLowDateTime=0xf0fe42c0, ftLastWriteTime.dwHighDateTime=0x1d5e668, nFileSizeHigh=0x0, nFileSizeLow=0xaf46, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="J1YysQ1gIJGrFG7NF S.m4a", cAlternateFileName="J1YYSQ~1.M4A")) returned 1 [0154.354] lstrcmpiW (lpString1="J1YysQ1gIJGrFG7NF S.m4a", lpString2="Windows") returned -1 [0154.354] lstrcmpiW (lpString1="J1YysQ1gIJGrFG7NF S.m4a", lpString2="Program Files") returned -1 [0154.354] lstrcmpiW (lpString1="J1YysQ1gIJGrFG7NF S.m4a", lpString2="Program Files (x86)") returned -1 [0154.354] lstrcmpiW (lpString1="J1YysQ1gIJGrFG7NF S.m4a", lpString2="$Recycle.bin") returned 1 [0154.354] lstrcmpiW (lpString1="J1YysQ1gIJGrFG7NF S.m4a", lpString2="System Volume Information") returned -1 [0154.354] lstrcmpiW (lpString1="J1YysQ1gIJGrFG7NF S.m4a", lpString2=".") returned 1 [0154.354] lstrcmpiW (lpString1="J1YysQ1gIJGrFG7NF S.m4a", lpString2="..") returned 1 [0154.354] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J1YysQ1gIJGrFG7NF S.m4a") returned 63 [0154.354] lstrcmpW (lpString1="J1YysQ1gIJGrFG7NF S.m4a", lpString2="PUSSY.TXT") returned -1 [0154.354] PathFindExtensionW (pszPath="J1YysQ1gIJGrFG7NF S.m4a") returned=".m4a" [0154.354] lstrlenW (lpString=".m4a") returned 4 [0154.354] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0154.354] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J1YysQ1gIJGrFG7NF S.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\j1yysq1gijgrfg7nf s.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0154.355] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=44870) returned 1 [0154.355] GetProcessHeap () returned 0x4c0000 [0154.355] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0154.367] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="44") returned 2 [0154.367] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="94") returned 2 [0154.367] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="FD") returned 2 [0154.367] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="68") returned 2 [0154.367] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="FE") returned 2 [0154.367] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="DA") returned 2 [0154.367] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="6A") returned 2 [0154.367] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="88") returned 2 [0154.367] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="1C") returned 2 [0154.368] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="BD") returned 2 [0154.368] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="0C") returned 2 [0154.368] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="BF") returned 2 [0154.368] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="5F") returned 2 [0154.368] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="39") returned 2 [0154.368] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="06") returned 2 [0154.368] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="C2") returned 2 [0154.368] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="AF") returned 2 [0154.368] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="F5") returned 2 [0154.368] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="B9") returned 2 [0154.368] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="52") returned 2 [0154.368] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="06") returned 2 [0154.368] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="22") returned 2 [0154.368] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="F4") returned 2 [0154.368] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="48") returned 2 [0154.368] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="9A") returned 2 [0154.368] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="11") returned 2 [0154.368] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="9E") returned 2 [0154.368] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="77") returned 2 [0154.368] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="8A") returned 2 [0154.368] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="6E") returned 2 [0154.368] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="ED") returned 2 [0154.368] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="56") returned 2 [0154.376] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J1YysQ1gIJGrFG7NF S.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J1YysQ1gIJGrFG7NF S.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J1YysQ1gIJGrFG7NF S.m4a" [0154.376] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J1YysQ1gIJGrFG7NF S.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J1YysQ1gIJGrFG7NF S.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J1YysQ1gIJGrFG7NF S.m4a" [0154.376] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J1YysQ1gIJGrFG7NF S.m4a", lpString2=".4494FD68FEDA6A881CBD0CBF5F3906C2AFF5B9520622F4489A119E778A6EED56" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J1YysQ1gIJGrFG7NF S.m4a.4494FD68FEDA6A881CBD0CBF5F3906C2AFF5B9520622F4489A119E778A6EED56") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J1YysQ1gIJGrFG7NF S.m4a.4494FD68FEDA6A881CBD0CBF5F3906C2AFF5B9520622F4489A119E778A6EED56" [0154.376] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0154.376] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0154.416] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4cfcde0, ftCreationTime.dwHighDateTime=0x1d5de36, ftLastAccessTime.dwLowDateTime=0xe2c86c00, ftLastAccessTime.dwHighDateTime=0x1d5db2b, ftLastWriteTime.dwLowDateTime=0xe2c86c00, ftLastWriteTime.dwHighDateTime=0x1d5db2b, nFileSizeHigh=0x0, nFileSizeLow=0x7e2f, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="jXIlwQ2Ju.wav", cAlternateFileName="JXILWQ~1.WAV")) returned 1 [0154.416] lstrcmpiW (lpString1="jXIlwQ2Ju.wav", lpString2="Windows") returned -1 [0154.416] lstrcmpiW (lpString1="jXIlwQ2Ju.wav", lpString2="Program Files") returned -1 [0154.416] lstrcmpiW (lpString1="jXIlwQ2Ju.wav", lpString2="Program Files (x86)") returned -1 [0154.416] lstrcmpiW (lpString1="jXIlwQ2Ju.wav", lpString2="$Recycle.bin") returned 1 [0154.416] lstrcmpiW (lpString1="jXIlwQ2Ju.wav", lpString2="System Volume Information") returned -1 [0154.416] lstrcmpiW (lpString1="jXIlwQ2Ju.wav", lpString2=".") returned 1 [0154.416] lstrcmpiW (lpString1="jXIlwQ2Ju.wav", lpString2="..") returned 1 [0154.416] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\jXIlwQ2Ju.wav") returned 53 [0154.416] lstrcmpW (lpString1="jXIlwQ2Ju.wav", lpString2="PUSSY.TXT") returned -1 [0154.416] PathFindExtensionW (pszPath="jXIlwQ2Ju.wav") returned=".wav" [0154.416] lstrlenW (lpString=".wav") returned 4 [0154.416] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0154.417] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\jXIlwQ2Ju.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\jxilwq2ju.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0154.418] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=32303) returned 1 [0154.418] GetProcessHeap () returned 0x4c0000 [0154.418] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0154.430] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="AB") returned 2 [0154.430] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="82") returned 2 [0154.430] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="A8") returned 2 [0154.430] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="6A") returned 2 [0154.431] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="75") returned 2 [0154.431] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="A9") returned 2 [0154.431] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="89") returned 2 [0154.431] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="51") returned 2 [0154.431] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="2E") returned 2 [0154.431] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="3F") returned 2 [0154.431] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="1F") returned 2 [0154.431] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="6C") returned 2 [0154.431] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="E1") returned 2 [0154.431] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="81") returned 2 [0154.431] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="7F") returned 2 [0154.431] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="77") returned 2 [0154.431] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="7D") returned 2 [0154.431] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="4F") returned 2 [0154.431] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="3D") returned 2 [0154.431] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="D2") returned 2 [0154.431] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="CF") returned 2 [0154.431] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="98") returned 2 [0154.431] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="F4") returned 2 [0154.431] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="E1") returned 2 [0154.431] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="68") returned 2 [0154.431] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="21") returned 2 [0154.431] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="95") returned 2 [0154.431] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="D9") returned 2 [0154.431] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="83") returned 2 [0154.431] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="74") returned 2 [0154.431] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="C9") returned 2 [0154.431] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="6A") returned 2 [0154.449] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\jXIlwQ2Ju.wav" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\jXIlwQ2Ju.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\jXIlwQ2Ju.wav" [0154.449] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\jXIlwQ2Ju.wav" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\jXIlwQ2Ju.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\jXIlwQ2Ju.wav" [0154.449] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\jXIlwQ2Ju.wav", lpString2=".AB82A86A75A989512E3F1F6CE1817F777D4F3DD2CF98F4E1682195D98374C96A" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\jXIlwQ2Ju.wav.AB82A86A75A989512E3F1F6CE1817F777D4F3DD2CF98F4E1682195D98374C96A") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\jXIlwQ2Ju.wav.AB82A86A75A989512E3F1F6CE1817F777D4F3DD2CF98F4E1682195D98374C96A" [0154.449] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0154.449] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0154.489] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ba95010, ftCreationTime.dwHighDateTime=0x1d5e630, ftLastAccessTime.dwLowDateTime=0x337ceef0, ftLastAccessTime.dwHighDateTime=0x1d5e342, ftLastWriteTime.dwLowDateTime=0x337ceef0, ftLastWriteTime.dwHighDateTime=0x1d5e342, nFileSizeHigh=0x0, nFileSizeLow=0x9f9, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="KNdqRB_LKb9rLEGzw78p.m4a", cAlternateFileName="KNDQRB~1.M4A")) returned 1 [0154.489] lstrcmpiW (lpString1="KNdqRB_LKb9rLEGzw78p.m4a", lpString2="Windows") returned -1 [0154.489] lstrcmpiW (lpString1="KNdqRB_LKb9rLEGzw78p.m4a", lpString2="Program Files") returned -1 [0154.489] lstrcmpiW (lpString1="KNdqRB_LKb9rLEGzw78p.m4a", lpString2="Program Files (x86)") returned -1 [0154.489] lstrcmpiW (lpString1="KNdqRB_LKb9rLEGzw78p.m4a", lpString2="$Recycle.bin") returned 1 [0154.489] lstrcmpiW (lpString1="KNdqRB_LKb9rLEGzw78p.m4a", lpString2="System Volume Information") returned -1 [0154.489] lstrcmpiW (lpString1="KNdqRB_LKb9rLEGzw78p.m4a", lpString2=".") returned 1 [0154.489] lstrcmpiW (lpString1="KNdqRB_LKb9rLEGzw78p.m4a", lpString2="..") returned 1 [0154.489] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\KNdqRB_LKb9rLEGzw78p.m4a") returned 64 [0154.489] lstrcmpW (lpString1="KNdqRB_LKb9rLEGzw78p.m4a", lpString2="PUSSY.TXT") returned -1 [0154.489] PathFindExtensionW (pszPath="KNdqRB_LKb9rLEGzw78p.m4a") returned=".m4a" [0154.489] lstrlenW (lpString=".m4a") returned 4 [0154.489] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0154.489] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\KNdqRB_LKb9rLEGzw78p.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kndqrb_lkb9rlegzw78p.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0154.490] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=2553) returned 1 [0154.490] GetProcessHeap () returned 0x4c0000 [0154.490] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0154.503] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="D2") returned 2 [0154.503] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="13") returned 2 [0154.503] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="27") returned 2 [0154.503] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="D7") returned 2 [0154.503] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="72") returned 2 [0154.503] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="C1") returned 2 [0154.503] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="AA") returned 2 [0154.503] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="C6") returned 2 [0154.503] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="17") returned 2 [0154.503] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="FC") returned 2 [0154.503] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="9E") returned 2 [0154.503] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="AE") returned 2 [0154.503] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="00") returned 2 [0154.503] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="88") returned 2 [0154.503] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="72") returned 2 [0154.503] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="84") returned 2 [0154.503] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="17") returned 2 [0154.503] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="3F") returned 2 [0154.503] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="96") returned 2 [0154.503] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="5D") returned 2 [0154.503] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="BE") returned 2 [0154.503] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="8D") returned 2 [0154.503] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="4E") returned 2 [0154.503] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="EC") returned 2 [0154.503] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="C9") returned 2 [0154.504] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="4E") returned 2 [0154.504] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="4D") returned 2 [0154.504] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="BD") returned 2 [0154.504] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="B5") returned 2 [0154.504] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="1E") returned 2 [0154.504] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="AC") returned 2 [0154.504] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="5B") returned 2 [0154.516] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\KNdqRB_LKb9rLEGzw78p.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\KNdqRB_LKb9rLEGzw78p.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\KNdqRB_LKb9rLEGzw78p.m4a" [0154.516] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\KNdqRB_LKb9rLEGzw78p.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\KNdqRB_LKb9rLEGzw78p.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\KNdqRB_LKb9rLEGzw78p.m4a" [0154.516] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\KNdqRB_LKb9rLEGzw78p.m4a", lpString2=".D21327D772C1AAC617FC9EAE00887284173F965DBE8D4EECC94E4DBDB51EAC5B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\KNdqRB_LKb9rLEGzw78p.m4a.D21327D772C1AAC617FC9EAE00887284173F965DBE8D4EECC94E4DBDB51EAC5B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\KNdqRB_LKb9rLEGzw78p.m4a.D21327D772C1AAC617FC9EAE00887284173F965DBE8D4EECC94E4DBDB51EAC5B" [0154.516] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0154.516] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0154.524] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60c90c70, ftCreationTime.dwHighDateTime=0x1d5dc0a, ftLastAccessTime.dwLowDateTime=0x58da0d10, ftLastAccessTime.dwHighDateTime=0x1d5ddd7, ftLastWriteTime.dwLowDateTime=0x58da0d10, ftLastWriteTime.dwHighDateTime=0x1d5ddd7, nFileSizeHigh=0x0, nFileSizeLow=0x6550, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="lcx7.m4a", cAlternateFileName="")) returned 1 [0154.524] lstrcmpiW (lpString1="lcx7.m4a", lpString2="Windows") returned -1 [0154.524] lstrcmpiW (lpString1="lcx7.m4a", lpString2="Program Files") returned -1 [0154.524] lstrcmpiW (lpString1="lcx7.m4a", lpString2="Program Files (x86)") returned -1 [0154.524] lstrcmpiW (lpString1="lcx7.m4a", lpString2="$Recycle.bin") returned 1 [0154.524] lstrcmpiW (lpString1="lcx7.m4a", lpString2="System Volume Information") returned -1 [0154.524] lstrcmpiW (lpString1="lcx7.m4a", lpString2=".") returned 1 [0154.524] lstrcmpiW (lpString1="lcx7.m4a", lpString2="..") returned 1 [0154.524] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\lcx7.m4a") returned 48 [0154.524] lstrcmpW (lpString1="lcx7.m4a", lpString2="PUSSY.TXT") returned -1 [0154.524] PathFindExtensionW (pszPath="lcx7.m4a") returned=".m4a" [0154.524] lstrlenW (lpString=".m4a") returned 4 [0154.525] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0154.525] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\lcx7.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\lcx7.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0154.525] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=25936) returned 1 [0154.526] GetProcessHeap () returned 0x4c0000 [0154.526] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0154.538] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="DB") returned 2 [0154.538] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="E2") returned 2 [0154.538] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="BA") returned 2 [0154.538] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="4B") returned 2 [0154.538] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="1F") returned 2 [0154.538] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="02") returned 2 [0154.538] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="C8") returned 2 [0154.538] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="84") returned 2 [0154.538] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="BB") returned 2 [0154.538] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="40") returned 2 [0154.538] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="9E") returned 2 [0154.538] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="C9") returned 2 [0154.538] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="E1") returned 2 [0154.538] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="77") returned 2 [0154.538] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="2F") returned 2 [0154.538] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="FC") returned 2 [0154.538] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="21") returned 2 [0154.538] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="7C") returned 2 [0154.538] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="2E") returned 2 [0154.538] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="2C") returned 2 [0154.538] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="44") returned 2 [0154.538] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="3F") returned 2 [0154.538] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="40") returned 2 [0154.539] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="11") returned 2 [0154.539] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="CC") returned 2 [0154.539] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="21") returned 2 [0154.539] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="02") returned 2 [0154.539] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="F4") returned 2 [0154.539] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="48") returned 2 [0154.539] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="DD") returned 2 [0154.539] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="E8") returned 2 [0154.539] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="1A") returned 2 [0154.551] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\lcx7.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\lcx7.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\lcx7.m4a" [0154.551] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\lcx7.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\lcx7.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\lcx7.m4a" [0154.551] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\lcx7.m4a", lpString2=".DBE2BA4B1F02C884BB409EC9E1772FFC217C2E2C443F4011CC2102F448DDE81A" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\lcx7.m4a.DBE2BA4B1F02C884BB409EC9E1772FFC217C2E2C443F4011CC2102F448DDE81A") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\lcx7.m4a.DBE2BA4B1F02C884BB409EC9E1772FFC217C2E2C443F4011CC2102F448DDE81A" [0154.551] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0154.551] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0154.589] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3208b680, ftCreationTime.dwHighDateTime=0x1d5dc94, ftLastAccessTime.dwLowDateTime=0x3886aeb0, ftLastAccessTime.dwHighDateTime=0x1d5e3a4, ftLastWriteTime.dwLowDateTime=0x3886aeb0, ftLastWriteTime.dwHighDateTime=0x1d5e3a4, nFileSizeHigh=0x0, nFileSizeLow=0x16cdc, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="lk3_IftMtfnr7.wav", cAlternateFileName="LK3_IF~1.WAV")) returned 1 [0154.589] lstrcmpiW (lpString1="lk3_IftMtfnr7.wav", lpString2="Windows") returned -1 [0154.589] lstrcmpiW (lpString1="lk3_IftMtfnr7.wav", lpString2="Program Files") returned -1 [0154.589] lstrcmpiW (lpString1="lk3_IftMtfnr7.wav", lpString2="Program Files (x86)") returned -1 [0154.589] lstrcmpiW (lpString1="lk3_IftMtfnr7.wav", lpString2="$Recycle.bin") returned 1 [0154.589] lstrcmpiW (lpString1="lk3_IftMtfnr7.wav", lpString2="System Volume Information") returned -1 [0154.589] lstrcmpiW (lpString1="lk3_IftMtfnr7.wav", lpString2=".") returned 1 [0154.589] lstrcmpiW (lpString1="lk3_IftMtfnr7.wav", lpString2="..") returned 1 [0154.589] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\lk3_IftMtfnr7.wav") returned 57 [0154.589] lstrcmpW (lpString1="lk3_IftMtfnr7.wav", lpString2="PUSSY.TXT") returned -1 [0154.589] PathFindExtensionW (pszPath="lk3_IftMtfnr7.wav") returned=".wav" [0154.589] lstrlenW (lpString=".wav") returned 4 [0154.589] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0154.589] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\lk3_IftMtfnr7.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\lk3_iftmtfnr7.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0154.590] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=93404) returned 1 [0154.590] GetProcessHeap () returned 0x4c0000 [0154.590] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0154.603] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="38") returned 2 [0154.603] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="18") returned 2 [0154.603] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="AE") returned 2 [0154.603] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="4D") returned 2 [0154.603] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="31") returned 2 [0154.603] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="C8") returned 2 [0154.603] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="B3") returned 2 [0154.603] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="E6") returned 2 [0154.603] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="61") returned 2 [0154.603] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="DC") returned 2 [0154.603] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="35") returned 2 [0154.603] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="78") returned 2 [0154.603] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="DE") returned 2 [0154.603] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="10") returned 2 [0154.603] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="EF") returned 2 [0154.603] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="99") returned 2 [0154.603] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="03") returned 2 [0154.603] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="C7") returned 2 [0154.603] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="89") returned 2 [0154.603] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="5A") returned 2 [0154.603] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="23") returned 2 [0154.603] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="95") returned 2 [0154.603] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="5C") returned 2 [0154.603] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="A7") returned 2 [0154.603] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="10") returned 2 [0154.604] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="A5") returned 2 [0154.604] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="2F") returned 2 [0154.604] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="B1") returned 2 [0154.604] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="0F") returned 2 [0154.604] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="12") returned 2 [0154.604] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="27") returned 2 [0154.604] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="47") returned 2 [0154.616] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\lk3_IftMtfnr7.wav" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\lk3_IftMtfnr7.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\lk3_IftMtfnr7.wav" [0154.616] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\lk3_IftMtfnr7.wav" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\lk3_IftMtfnr7.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\lk3_IftMtfnr7.wav" [0154.616] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\lk3_IftMtfnr7.wav", lpString2=".3818AE4D31C8B3E661DC3578DE10EF9903C7895A23955CA710A52FB10F122747" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\lk3_IftMtfnr7.wav.3818AE4D31C8B3E661DC3578DE10EF9903C7895A23955CA710A52FB10F122747") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\lk3_IftMtfnr7.wav.3818AE4D31C8B3E661DC3578DE10EF9903C7895A23955CA710A52FB10F122747" [0154.616] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0154.616] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0154.659] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea9cf830, ftCreationTime.dwHighDateTime=0x1d5e0f6, ftLastAccessTime.dwLowDateTime=0x1a492cc0, ftLastAccessTime.dwHighDateTime=0x1d5e336, ftLastWriteTime.dwLowDateTime=0x1a492cc0, ftLastWriteTime.dwHighDateTime=0x1d5e336, nFileSizeHigh=0x0, nFileSizeLow=0x18cb5, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="M-nb0eXJMDzaZSML.mp3", cAlternateFileName="M-NB0E~1.MP3")) returned 1 [0154.659] lstrcmpiW (lpString1="M-nb0eXJMDzaZSML.mp3", lpString2="Windows") returned -1 [0154.659] lstrcmpiW (lpString1="M-nb0eXJMDzaZSML.mp3", lpString2="Program Files") returned -1 [0154.659] lstrcmpiW (lpString1="M-nb0eXJMDzaZSML.mp3", lpString2="Program Files (x86)") returned -1 [0154.659] lstrcmpiW (lpString1="M-nb0eXJMDzaZSML.mp3", lpString2="$Recycle.bin") returned 1 [0154.659] lstrcmpiW (lpString1="M-nb0eXJMDzaZSML.mp3", lpString2="System Volume Information") returned -1 [0154.664] lstrcmpiW (lpString1="M-nb0eXJMDzaZSML.mp3", lpString2=".") returned 1 [0154.664] lstrcmpiW (lpString1="M-nb0eXJMDzaZSML.mp3", lpString2="..") returned 1 [0154.664] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\M-nb0eXJMDzaZSML.mp3") returned 60 [0154.664] lstrcmpW (lpString1="M-nb0eXJMDzaZSML.mp3", lpString2="PUSSY.TXT") returned -1 [0154.664] PathFindExtensionW (pszPath="M-nb0eXJMDzaZSML.mp3") returned=".mp3" [0154.664] lstrlenW (lpString=".mp3") returned 4 [0154.664] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0154.664] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\M-nb0eXJMDzaZSML.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\m-nb0exjmdzazsml.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0154.665] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=101557) returned 1 [0154.665] GetProcessHeap () returned 0x4c0000 [0154.665] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0154.678] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="64") returned 2 [0154.678] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="20") returned 2 [0154.678] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="64") returned 2 [0154.678] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="8D") returned 2 [0154.678] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="66") returned 2 [0154.678] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="7A") returned 2 [0154.678] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="B4") returned 2 [0154.678] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="64") returned 2 [0154.678] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="C5") returned 2 [0154.678] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="5E") returned 2 [0154.678] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="B5") returned 2 [0154.678] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="48") returned 2 [0154.678] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="19") returned 2 [0154.678] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="7D") returned 2 [0154.678] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="7D") returned 2 [0154.678] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="B8") returned 2 [0154.678] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="A6") returned 2 [0154.679] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="89") returned 2 [0154.679] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="84") returned 2 [0154.679] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="C9") returned 2 [0154.679] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="24") returned 2 [0154.679] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="5C") returned 2 [0154.679] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="01") returned 2 [0154.679] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="64") returned 2 [0154.679] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="0F") returned 2 [0154.679] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="28") returned 2 [0154.679] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="B8") returned 2 [0154.679] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="E2") returned 2 [0154.679] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="9D") returned 2 [0154.679] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="D8") returned 2 [0154.679] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="CF") returned 2 [0154.679] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="47") returned 2 [0154.694] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\M-nb0eXJMDzaZSML.mp3" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\M-nb0eXJMDzaZSML.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\M-nb0eXJMDzaZSML.mp3" [0154.694] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\M-nb0eXJMDzaZSML.mp3" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\M-nb0eXJMDzaZSML.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\M-nb0eXJMDzaZSML.mp3" [0154.694] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\M-nb0eXJMDzaZSML.mp3", lpString2=".6420648D667AB464C55EB548197D7DB8A68984C9245C01640F28B8E29DD8CF47" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\M-nb0eXJMDzaZSML.mp3.6420648D667AB464C55EB548197D7DB8A68984C9245C01640F28B8E29DD8CF47") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\M-nb0eXJMDzaZSML.mp3.6420648D667AB464C55EB548197D7DB8A68984C9245C01640F28B8E29DD8CF47" [0154.694] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0154.694] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0154.740] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c46f730, ftCreationTime.dwHighDateTime=0x1d5e568, ftLastAccessTime.dwLowDateTime=0xc2164070, ftLastAccessTime.dwHighDateTime=0x1d5e398, ftLastWriteTime.dwLowDateTime=0xc2164070, ftLastWriteTime.dwHighDateTime=0x1d5e398, nFileSizeHigh=0x0, nFileSizeLow=0x155c8, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="MHSl6lBxqzlm.mp3", cAlternateFileName="MHSL6L~1.MP3")) returned 1 [0154.740] lstrcmpiW (lpString1="MHSl6lBxqzlm.mp3", lpString2="Windows") returned -1 [0154.740] lstrcmpiW (lpString1="MHSl6lBxqzlm.mp3", lpString2="Program Files") returned -1 [0154.740] lstrcmpiW (lpString1="MHSl6lBxqzlm.mp3", lpString2="Program Files (x86)") returned -1 [0154.740] lstrcmpiW (lpString1="MHSl6lBxqzlm.mp3", lpString2="$Recycle.bin") returned 1 [0154.740] lstrcmpiW (lpString1="MHSl6lBxqzlm.mp3", lpString2="System Volume Information") returned -1 [0154.741] lstrcmpiW (lpString1="MHSl6lBxqzlm.mp3", lpString2=".") returned 1 [0154.741] lstrcmpiW (lpString1="MHSl6lBxqzlm.mp3", lpString2="..") returned 1 [0154.741] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\MHSl6lBxqzlm.mp3") returned 56 [0154.741] lstrcmpW (lpString1="MHSl6lBxqzlm.mp3", lpString2="PUSSY.TXT") returned -1 [0154.741] PathFindExtensionW (pszPath="MHSl6lBxqzlm.mp3") returned=".mp3" [0154.741] lstrlenW (lpString=".mp3") returned 4 [0154.741] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0154.741] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\MHSl6lBxqzlm.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\mhsl6lbxqzlm.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0154.742] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=87496) returned 1 [0154.742] GetProcessHeap () returned 0x4c0000 [0154.742] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0154.751] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="5A") returned 2 [0154.751] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="5A") returned 2 [0154.751] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="6A") returned 2 [0154.751] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="9D") returned 2 [0154.751] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="C7") returned 2 [0154.751] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="F0") returned 2 [0154.751] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="1E") returned 2 [0154.751] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="4D") returned 2 [0154.751] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="B5") returned 2 [0154.751] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="DB") returned 2 [0154.751] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="39") returned 2 [0154.751] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="60") returned 2 [0154.751] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="F2") returned 2 [0154.751] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="3C") returned 2 [0154.751] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="3B") returned 2 [0154.751] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="82") returned 2 [0154.751] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="66") returned 2 [0154.751] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="BC") returned 2 [0154.751] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="63") returned 2 [0154.751] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="FA") returned 2 [0154.751] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="6A") returned 2 [0154.751] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="36") returned 2 [0154.751] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="7A") returned 2 [0154.751] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="65") returned 2 [0154.751] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="57") returned 2 [0154.751] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="3B") returned 2 [0154.751] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="67") returned 2 [0154.751] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="6A") returned 2 [0154.752] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="8E") returned 2 [0154.752] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="8F") returned 2 [0154.752] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="C0") returned 2 [0154.752] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="35") returned 2 [0154.760] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\MHSl6lBxqzlm.mp3" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\MHSl6lBxqzlm.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\MHSl6lBxqzlm.mp3" [0154.760] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\MHSl6lBxqzlm.mp3" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\MHSl6lBxqzlm.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\MHSl6lBxqzlm.mp3" [0154.760] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\MHSl6lBxqzlm.mp3", lpString2=".5A5A6A9DC7F01E4DB5DB3960F23C3B8266BC63FA6A367A65573B676A8E8FC035" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\MHSl6lBxqzlm.mp3.5A5A6A9DC7F01E4DB5DB3960F23C3B8266BC63FA6A367A65573B676A8E8FC035") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\MHSl6lBxqzlm.mp3.5A5A6A9DC7F01E4DB5DB3960F23C3B8266BC63FA6A367A65573B676A8E8FC035" [0154.760] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0154.760] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0154.795] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f5cdbf0, ftCreationTime.dwHighDateTime=0x1d5e404, ftLastAccessTime.dwLowDateTime=0x645e7bf0, ftLastAccessTime.dwHighDateTime=0x1d5de3e, ftLastWriteTime.dwLowDateTime=0x645e7bf0, ftLastWriteTime.dwHighDateTime=0x1d5de3e, nFileSizeHigh=0x0, nFileSizeLow=0x1701a, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="NHW dS3rWIEV8xMYC.wav", cAlternateFileName="NHWDS3~1.WAV")) returned 1 [0154.795] lstrcmpiW (lpString1="NHW dS3rWIEV8xMYC.wav", lpString2="Windows") returned -1 [0154.795] lstrcmpiW (lpString1="NHW dS3rWIEV8xMYC.wav", lpString2="Program Files") returned -1 [0154.795] lstrcmpiW (lpString1="NHW dS3rWIEV8xMYC.wav", lpString2="Program Files (x86)") returned -1 [0154.795] lstrcmpiW (lpString1="NHW dS3rWIEV8xMYC.wav", lpString2="$Recycle.bin") returned 1 [0154.795] lstrcmpiW (lpString1="NHW dS3rWIEV8xMYC.wav", lpString2="System Volume Information") returned -1 [0154.795] lstrcmpiW (lpString1="NHW dS3rWIEV8xMYC.wav", lpString2=".") returned 1 [0154.795] lstrcmpiW (lpString1="NHW dS3rWIEV8xMYC.wav", lpString2="..") returned 1 [0154.795] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\NHW dS3rWIEV8xMYC.wav") returned 61 [0154.795] lstrcmpW (lpString1="NHW dS3rWIEV8xMYC.wav", lpString2="PUSSY.TXT") returned -1 [0154.795] PathFindExtensionW (pszPath="NHW dS3rWIEV8xMYC.wav") returned=".wav" [0154.795] lstrlenW (lpString=".wav") returned 4 [0154.795] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0154.795] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\NHW dS3rWIEV8xMYC.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\nhw ds3rwiev8xmyc.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0154.797] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=94234) returned 1 [0154.797] GetProcessHeap () returned 0x4c0000 [0154.797] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0154.805] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="4F") returned 2 [0154.805] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="4A") returned 2 [0154.805] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="55") returned 2 [0154.805] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="F6") returned 2 [0154.805] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="9A") returned 2 [0154.805] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="76") returned 2 [0154.805] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="AF") returned 2 [0154.805] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="7E") returned 2 [0154.805] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="A0") returned 2 [0154.805] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="9D") returned 2 [0154.805] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="BD") returned 2 [0154.805] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="66") returned 2 [0154.805] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="07") returned 2 [0154.805] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="E5") returned 2 [0154.805] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="F5") returned 2 [0154.805] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="DD") returned 2 [0154.806] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="D2") returned 2 [0154.806] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="42") returned 2 [0154.806] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="CD") returned 2 [0154.806] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="0D") returned 2 [0154.806] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="67") returned 2 [0154.806] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="99") returned 2 [0154.806] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="5E") returned 2 [0154.806] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="F0") returned 2 [0154.806] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="C4") returned 2 [0154.806] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="11") returned 2 [0154.806] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="16") returned 2 [0154.806] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="D2") returned 2 [0154.806] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="A8") returned 2 [0154.806] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="1E") returned 2 [0154.806] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="40") returned 2 [0154.806] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="4D") returned 2 [0154.815] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\NHW dS3rWIEV8xMYC.wav" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\NHW dS3rWIEV8xMYC.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\NHW dS3rWIEV8xMYC.wav" [0154.815] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\NHW dS3rWIEV8xMYC.wav" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\NHW dS3rWIEV8xMYC.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\NHW dS3rWIEV8xMYC.wav" [0154.815] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\NHW dS3rWIEV8xMYC.wav", lpString2=".4F4A55F69A76AF7EA09DBD6607E5F5DDD242CD0D67995EF0C41116D2A81E404D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\NHW dS3rWIEV8xMYC.wav.4F4A55F69A76AF7EA09DBD6607E5F5DDD242CD0D67995EF0C41116D2A81E404D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\NHW dS3rWIEV8xMYC.wav.4F4A55F69A76AF7EA09DBD6607E5F5DDD242CD0D67995EF0C41116D2A81E404D" [0154.815] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0154.815] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0154.864] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85f438c0, ftCreationTime.dwHighDateTime=0x1d5d94a, ftLastAccessTime.dwLowDateTime=0xd8401c0, ftLastAccessTime.dwHighDateTime=0x1d5e225, ftLastWriteTime.dwLowDateTime=0xd8401c0, ftLastWriteTime.dwHighDateTime=0x1d5e225, nFileSizeHigh=0x0, nFileSizeLow=0xc04, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="njC4S9Pob8EXa9ymY_i.mp3", cAlternateFileName="NJC4S9~1.MP3")) returned 1 [0154.864] lstrcmpiW (lpString1="njC4S9Pob8EXa9ymY_i.mp3", lpString2="Windows") returned -1 [0154.864] lstrcmpiW (lpString1="njC4S9Pob8EXa9ymY_i.mp3", lpString2="Program Files") returned -1 [0154.864] lstrcmpiW (lpString1="njC4S9Pob8EXa9ymY_i.mp3", lpString2="Program Files (x86)") returned -1 [0154.864] lstrcmpiW (lpString1="njC4S9Pob8EXa9ymY_i.mp3", lpString2="$Recycle.bin") returned 1 [0154.864] lstrcmpiW (lpString1="njC4S9Pob8EXa9ymY_i.mp3", lpString2="System Volume Information") returned -1 [0154.864] lstrcmpiW (lpString1="njC4S9Pob8EXa9ymY_i.mp3", lpString2=".") returned 1 [0154.864] lstrcmpiW (lpString1="njC4S9Pob8EXa9ymY_i.mp3", lpString2="..") returned 1 [0154.864] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\njC4S9Pob8EXa9ymY_i.mp3") returned 63 [0154.864] lstrcmpW (lpString1="njC4S9Pob8EXa9ymY_i.mp3", lpString2="PUSSY.TXT") returned -1 [0154.864] PathFindExtensionW (pszPath="njC4S9Pob8EXa9ymY_i.mp3") returned=".mp3" [0154.864] lstrlenW (lpString=".mp3") returned 4 [0154.864] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0154.864] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\njC4S9Pob8EXa9ymY_i.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\njc4s9pob8exa9ymy_i.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0154.865] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=3076) returned 1 [0154.865] GetProcessHeap () returned 0x4c0000 [0154.865] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0154.873] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="72") returned 2 [0154.873] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="23") returned 2 [0154.873] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="0C") returned 2 [0154.873] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="9D") returned 2 [0154.874] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="69") returned 2 [0154.874] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="53") returned 2 [0154.874] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="C4") returned 2 [0154.874] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="57") returned 2 [0154.874] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="07") returned 2 [0154.874] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="5E") returned 2 [0154.874] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="7D") returned 2 [0154.874] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="08") returned 2 [0154.874] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="47") returned 2 [0154.874] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="7C") returned 2 [0154.874] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="F3") returned 2 [0154.874] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="6E") returned 2 [0154.874] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="91") returned 2 [0154.874] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="14") returned 2 [0154.874] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="E5") returned 2 [0154.874] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="86") returned 2 [0154.874] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="90") returned 2 [0154.874] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="02") returned 2 [0154.874] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="D4") returned 2 [0154.874] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="D9") returned 2 [0154.874] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="39") returned 2 [0154.874] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="F8") returned 2 [0154.874] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="DA") returned 2 [0154.874] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="D9") returned 2 [0154.874] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="70") returned 2 [0154.874] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="C2") returned 2 [0154.874] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="80") returned 2 [0154.874] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="71") returned 2 [0154.882] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\njC4S9Pob8EXa9ymY_i.mp3" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\njC4S9Pob8EXa9ymY_i.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\njC4S9Pob8EXa9ymY_i.mp3" [0154.882] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\njC4S9Pob8EXa9ymY_i.mp3" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\njC4S9Pob8EXa9ymY_i.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\njC4S9Pob8EXa9ymY_i.mp3" [0154.882] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\njC4S9Pob8EXa9ymY_i.mp3", lpString2=".72230C9D6953C457075E7D08477CF36E9114E5869002D4D939F8DAD970C28071" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\njC4S9Pob8EXa9ymY_i.mp3.72230C9D6953C457075E7D08477CF36E9114E5869002D4D939F8DAD970C28071") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\njC4S9Pob8EXa9ymY_i.mp3.72230C9D6953C457075E7D08477CF36E9114E5869002D4D939F8DAD970C28071" [0154.882] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0154.882] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0154.889] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x23501f50, ftCreationTime.dwHighDateTime=0x1d5e32b, ftLastAccessTime.dwLowDateTime=0xf97b52c0, ftLastAccessTime.dwHighDateTime=0x1d5d7e1, ftLastWriteTime.dwLowDateTime=0xf97b52c0, ftLastWriteTime.dwHighDateTime=0x1d5d7e1, nFileSizeHigh=0x0, nFileSizeLow=0x128b8, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="Q-oBtzb2PDPM-x0rj.mp3", cAlternateFileName="Q-OBTZ~1.MP3")) returned 1 [0154.889] lstrcmpiW (lpString1="Q-oBtzb2PDPM-x0rj.mp3", lpString2="Windows") returned -1 [0154.889] lstrcmpiW (lpString1="Q-oBtzb2PDPM-x0rj.mp3", lpString2="Program Files") returned 1 [0154.889] lstrcmpiW (lpString1="Q-oBtzb2PDPM-x0rj.mp3", lpString2="Program Files (x86)") returned 1 [0154.889] lstrcmpiW (lpString1="Q-oBtzb2PDPM-x0rj.mp3", lpString2="$Recycle.bin") returned 1 [0154.889] lstrcmpiW (lpString1="Q-oBtzb2PDPM-x0rj.mp3", lpString2="System Volume Information") returned -1 [0154.889] lstrcmpiW (lpString1="Q-oBtzb2PDPM-x0rj.mp3", lpString2=".") returned 1 [0154.889] lstrcmpiW (lpString1="Q-oBtzb2PDPM-x0rj.mp3", lpString2="..") returned 1 [0154.889] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Q-oBtzb2PDPM-x0rj.mp3") returned 61 [0154.889] lstrcmpW (lpString1="Q-oBtzb2PDPM-x0rj.mp3", lpString2="PUSSY.TXT") returned 1 [0154.890] PathFindExtensionW (pszPath="Q-oBtzb2PDPM-x0rj.mp3") returned=".mp3" [0154.890] lstrlenW (lpString=".mp3") returned 4 [0154.890] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0154.890] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Q-oBtzb2PDPM-x0rj.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\q-obtzb2pdpm-x0rj.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0154.891] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=75960) returned 1 [0154.891] GetProcessHeap () returned 0x4c0000 [0154.891] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0154.902] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="89") returned 2 [0154.902] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="52") returned 2 [0154.902] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="B2") returned 2 [0154.902] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="04") returned 2 [0154.902] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="5B") returned 2 [0154.902] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="49") returned 2 [0154.902] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="52") returned 2 [0154.902] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="9E") returned 2 [0154.902] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="CC") returned 2 [0154.902] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="8B") returned 2 [0154.902] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="B8") returned 2 [0154.902] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="69") returned 2 [0154.902] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="2A") returned 2 [0154.902] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="C1") returned 2 [0154.903] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="7A") returned 2 [0154.903] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="F5") returned 2 [0154.903] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="61") returned 2 [0154.903] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="12") returned 2 [0154.903] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="FC") returned 2 [0154.903] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="59") returned 2 [0154.903] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="B9") returned 2 [0154.903] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="2F") returned 2 [0154.903] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="CE") returned 2 [0154.903] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="11") returned 2 [0154.903] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="71") returned 2 [0154.903] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="34") returned 2 [0154.903] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="47") returned 2 [0154.903] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="6F") returned 2 [0154.903] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="36") returned 2 [0154.903] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="2F") returned 2 [0154.903] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="E8") returned 2 [0154.903] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="73") returned 2 [0154.912] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Q-oBtzb2PDPM-x0rj.mp3" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Q-oBtzb2PDPM-x0rj.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Q-oBtzb2PDPM-x0rj.mp3" [0154.912] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Q-oBtzb2PDPM-x0rj.mp3" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Q-oBtzb2PDPM-x0rj.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Q-oBtzb2PDPM-x0rj.mp3" [0154.912] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Q-oBtzb2PDPM-x0rj.mp3", lpString2=".8952B2045B49529ECC8BB8692AC17AF56112FC59B92FCE117134476F362FE873" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Q-oBtzb2PDPM-x0rj.mp3.8952B2045B49529ECC8BB8692AC17AF56112FC59B92FCE117134476F362FE873") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Q-oBtzb2PDPM-x0rj.mp3.8952B2045B49529ECC8BB8692AC17AF56112FC59B92FCE117134476F362FE873" [0154.912] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0154.912] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0154.960] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe06515d0, ftCreationTime.dwHighDateTime=0x1d5dc16, ftLastAccessTime.dwLowDateTime=0x50f72780, ftLastAccessTime.dwHighDateTime=0x1d5e58a, ftLastWriteTime.dwLowDateTime=0x50f72780, ftLastWriteTime.dwHighDateTime=0x1d5e58a, nFileSizeHigh=0x0, nFileSizeLow=0x371f, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="TS8M.mp3", cAlternateFileName="")) returned 1 [0154.960] lstrcmpiW (lpString1="TS8M.mp3", lpString2="Windows") returned -1 [0154.960] lstrcmpiW (lpString1="TS8M.mp3", lpString2="Program Files") returned 1 [0154.960] lstrcmpiW (lpString1="TS8M.mp3", lpString2="Program Files (x86)") returned 1 [0154.960] lstrcmpiW (lpString1="TS8M.mp3", lpString2="$Recycle.bin") returned 1 [0154.960] lstrcmpiW (lpString1="TS8M.mp3", lpString2="System Volume Information") returned 1 [0154.960] lstrcmpiW (lpString1="TS8M.mp3", lpString2=".") returned 1 [0154.960] lstrcmpiW (lpString1="TS8M.mp3", lpString2="..") returned 1 [0154.960] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\TS8M.mp3") returned 48 [0154.960] lstrcmpW (lpString1="TS8M.mp3", lpString2="PUSSY.TXT") returned 1 [0154.960] PathFindExtensionW (pszPath="TS8M.mp3") returned=".mp3" [0154.960] lstrlenW (lpString=".mp3") returned 4 [0154.961] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0154.961] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\TS8M.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ts8m.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0154.962] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=14111) returned 1 [0154.962] GetProcessHeap () returned 0x4c0000 [0154.962] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0154.970] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="CD") returned 2 [0154.971] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="F0") returned 2 [0154.971] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="2B") returned 2 [0154.971] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="09") returned 2 [0154.971] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="B1") returned 2 [0154.971] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="1A") returned 2 [0154.971] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="04") returned 2 [0154.971] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="95") returned 2 [0154.971] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="FC") returned 2 [0154.971] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="9D") returned 2 [0154.971] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="D6") returned 2 [0154.971] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="EE") returned 2 [0154.971] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="29") returned 2 [0154.971] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="EC") returned 2 [0154.971] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="6A") returned 2 [0154.971] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="8D") returned 2 [0154.971] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="A2") returned 2 [0154.971] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="77") returned 2 [0154.971] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="6B") returned 2 [0154.971] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="80") returned 2 [0154.971] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="9A") returned 2 [0154.971] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="9E") returned 2 [0154.971] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="07") returned 2 [0154.971] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="D5") returned 2 [0154.971] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="A6") returned 2 [0154.971] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="44") returned 2 [0154.972] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="C3") returned 2 [0154.972] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="9F") returned 2 [0154.972] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="E2") returned 2 [0154.972] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="C2") returned 2 [0154.972] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="A4") returned 2 [0154.972] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="44") returned 2 [0154.980] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\TS8M.mp3" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\TS8M.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\TS8M.mp3" [0154.980] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\TS8M.mp3" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\TS8M.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\TS8M.mp3" [0154.980] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\TS8M.mp3", lpString2=".CDF02B09B11A0495FC9DD6EE29EC6A8DA2776B809A9E07D5A644C39FE2C2A444" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\TS8M.mp3.CDF02B09B11A0495FC9DD6EE29EC6A8DA2776B809A9E07D5A644C39FE2C2A444") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\TS8M.mp3.CDF02B09B11A0495FC9DD6EE29EC6A8DA2776B809A9E07D5A644C39FE2C2A444" [0154.980] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0154.980] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0155.002] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cb6bad0, ftCreationTime.dwHighDateTime=0x1d5e232, ftLastAccessTime.dwLowDateTime=0x100f90e0, ftLastAccessTime.dwHighDateTime=0x1d5d7ac, ftLastWriteTime.dwLowDateTime=0x100f90e0, ftLastWriteTime.dwHighDateTime=0x1d5d7ac, nFileSizeHigh=0x0, nFileSizeLow=0xfa3a, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="UF4JePTVus_qiR.m4a", cAlternateFileName="UF4JEP~1.M4A")) returned 1 [0155.002] lstrcmpiW (lpString1="UF4JePTVus_qiR.m4a", lpString2="Windows") returned -1 [0155.002] lstrcmpiW (lpString1="UF4JePTVus_qiR.m4a", lpString2="Program Files") returned 1 [0155.002] lstrcmpiW (lpString1="UF4JePTVus_qiR.m4a", lpString2="Program Files (x86)") returned 1 [0155.002] lstrcmpiW (lpString1="UF4JePTVus_qiR.m4a", lpString2="$Recycle.bin") returned 1 [0155.002] lstrcmpiW (lpString1="UF4JePTVus_qiR.m4a", lpString2="System Volume Information") returned 1 [0155.002] lstrcmpiW (lpString1="UF4JePTVus_qiR.m4a", lpString2=".") returned 1 [0155.002] lstrcmpiW (lpString1="UF4JePTVus_qiR.m4a", lpString2="..") returned 1 [0155.002] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UF4JePTVus_qiR.m4a") returned 58 [0155.002] lstrcmpW (lpString1="UF4JePTVus_qiR.m4a", lpString2="PUSSY.TXT") returned 1 [0155.002] PathFindExtensionW (pszPath="UF4JePTVus_qiR.m4a") returned=".m4a" [0155.002] lstrlenW (lpString=".m4a") returned 4 [0155.002] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0155.002] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UF4JePTVus_qiR.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uf4jeptvus_qir.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0155.003] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=64058) returned 1 [0155.003] GetProcessHeap () returned 0x4c0000 [0155.004] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0155.016] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="0D") returned 2 [0155.016] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="12") returned 2 [0155.016] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="21") returned 2 [0155.016] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="90") returned 2 [0155.016] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="4F") returned 2 [0155.016] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="09") returned 2 [0155.016] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="E3") returned 2 [0155.016] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="3D") returned 2 [0155.016] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="D8") returned 2 [0155.017] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="A9") returned 2 [0155.017] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="21") returned 2 [0155.017] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="7B") returned 2 [0155.017] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="72") returned 2 [0155.017] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="44") returned 2 [0155.017] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="DC") returned 2 [0155.017] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="8C") returned 2 [0155.017] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="B1") returned 2 [0155.017] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="2D") returned 2 [0155.017] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="01") returned 2 [0155.017] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="70") returned 2 [0155.017] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="24") returned 2 [0155.017] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="2B") returned 2 [0155.017] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="F9") returned 2 [0155.017] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="D5") returned 2 [0155.017] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="18") returned 2 [0155.017] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="34") returned 2 [0155.017] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="77") returned 2 [0155.017] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="B0") returned 2 [0155.017] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="F2") returned 2 [0155.017] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="52") returned 2 [0155.017] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="63") returned 2 [0155.017] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="14") returned 2 [0155.030] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UF4JePTVus_qiR.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UF4JePTVus_qiR.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UF4JePTVus_qiR.m4a" [0155.030] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UF4JePTVus_qiR.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UF4JePTVus_qiR.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UF4JePTVus_qiR.m4a" [0155.030] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UF4JePTVus_qiR.m4a", lpString2=".0D1221904F09E33DD8A9217B7244DC8CB12D0170242BF9D5183477B0F2526314" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UF4JePTVus_qiR.m4a.0D1221904F09E33DD8A9217B7244DC8CB12D0170242BF9D5183477B0F2526314") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UF4JePTVus_qiR.m4a.0D1221904F09E33DD8A9217B7244DC8CB12D0170242BF9D5183477B0F2526314" [0155.031] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0155.031] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0155.084] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x915daa50, ftCreationTime.dwHighDateTime=0x1d5defb, ftLastAccessTime.dwLowDateTime=0xc3c2fc90, ftLastAccessTime.dwHighDateTime=0x1d5dde6, ftLastWriteTime.dwLowDateTime=0xc3c2fc90, ftLastWriteTime.dwHighDateTime=0x1d5dde6, nFileSizeHigh=0x0, nFileSizeLow=0x3a5f, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="UNnKJphG57hMozy.m4a", cAlternateFileName="UNNKJP~1.M4A")) returned 1 [0155.084] lstrcmpiW (lpString1="UNnKJphG57hMozy.m4a", lpString2="Windows") returned -1 [0155.084] lstrcmpiW (lpString1="UNnKJphG57hMozy.m4a", lpString2="Program Files") returned 1 [0155.084] lstrcmpiW (lpString1="UNnKJphG57hMozy.m4a", lpString2="Program Files (x86)") returned 1 [0155.084] lstrcmpiW (lpString1="UNnKJphG57hMozy.m4a", lpString2="$Recycle.bin") returned 1 [0155.084] lstrcmpiW (lpString1="UNnKJphG57hMozy.m4a", lpString2="System Volume Information") returned 1 [0155.084] lstrcmpiW (lpString1="UNnKJphG57hMozy.m4a", lpString2=".") returned 1 [0155.084] lstrcmpiW (lpString1="UNnKJphG57hMozy.m4a", lpString2="..") returned 1 [0155.084] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UNnKJphG57hMozy.m4a") returned 59 [0155.084] lstrcmpW (lpString1="UNnKJphG57hMozy.m4a", lpString2="PUSSY.TXT") returned 1 [0155.084] PathFindExtensionW (pszPath="UNnKJphG57hMozy.m4a") returned=".m4a" [0155.084] lstrlenW (lpString=".m4a") returned 4 [0155.084] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0155.084] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UNnKJphG57hMozy.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\unnkjphg57hmozy.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0155.085] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=14943) returned 1 [0155.085] GetProcessHeap () returned 0x4c0000 [0155.085] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0155.093] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="EE") returned 2 [0155.093] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="52") returned 2 [0155.094] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="E0") returned 2 [0155.094] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="67") returned 2 [0155.094] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="AE") returned 2 [0155.094] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="6B") returned 2 [0155.094] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="EC") returned 2 [0155.094] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="02") returned 2 [0155.094] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="DA") returned 2 [0155.094] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="E7") returned 2 [0155.094] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="1A") returned 2 [0155.094] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="A1") returned 2 [0155.094] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="2D") returned 2 [0155.094] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="27") returned 2 [0155.094] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="B9") returned 2 [0155.094] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="38") returned 2 [0155.094] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="FE") returned 2 [0155.094] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="C4") returned 2 [0155.094] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="2F") returned 2 [0155.094] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="DA") returned 2 [0155.094] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="24") returned 2 [0155.094] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="38") returned 2 [0155.094] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="1F") returned 2 [0155.094] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="30") returned 2 [0155.094] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="D4") returned 2 [0155.094] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="93") returned 2 [0155.094] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="9B") returned 2 [0155.094] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="3B") returned 2 [0155.094] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="17") returned 2 [0155.094] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="AD") returned 2 [0155.094] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="BC") returned 2 [0155.094] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="74") returned 2 [0155.103] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UNnKJphG57hMozy.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UNnKJphG57hMozy.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UNnKJphG57hMozy.m4a" [0155.103] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UNnKJphG57hMozy.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UNnKJphG57hMozy.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UNnKJphG57hMozy.m4a" [0155.103] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UNnKJphG57hMozy.m4a", lpString2=".EE52E067AE6BEC02DAE71AA12D27B938FEC42FDA24381F30D4939B3B17ADBC74" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UNnKJphG57hMozy.m4a.EE52E067AE6BEC02DAE71AA12D27B938FEC42FDA24381F30D4939B3B17ADBC74") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UNnKJphG57hMozy.m4a.EE52E067AE6BEC02DAE71AA12D27B938FEC42FDA24381F30D4939B3B17ADBC74" [0155.103] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0155.103] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0155.118] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x42fb9ba0, ftCreationTime.dwHighDateTime=0x1d5da42, ftLastAccessTime.dwLowDateTime=0xce745af0, ftLastAccessTime.dwHighDateTime=0x1d5e6c7, ftLastWriteTime.dwLowDateTime=0xce745af0, ftLastWriteTime.dwHighDateTime=0x1d5e6c7, nFileSizeHigh=0x0, nFileSizeLow=0x16ee5, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="vhalY1z4.m4a", cAlternateFileName="")) returned 1 [0155.118] lstrcmpiW (lpString1="vhalY1z4.m4a", lpString2="Windows") returned -1 [0155.118] lstrcmpiW (lpString1="vhalY1z4.m4a", lpString2="Program Files") returned 1 [0155.122] lstrcmpiW (lpString1="vhalY1z4.m4a", lpString2="Program Files (x86)") returned 1 [0155.122] lstrcmpiW (lpString1="vhalY1z4.m4a", lpString2="$Recycle.bin") returned 1 [0155.122] lstrcmpiW (lpString1="vhalY1z4.m4a", lpString2="System Volume Information") returned 1 [0155.122] lstrcmpiW (lpString1="vhalY1z4.m4a", lpString2=".") returned 1 [0155.122] lstrcmpiW (lpString1="vhalY1z4.m4a", lpString2="..") returned 1 [0155.122] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\vhalY1z4.m4a") returned 52 [0155.122] lstrcmpW (lpString1="vhalY1z4.m4a", lpString2="PUSSY.TXT") returned 1 [0155.122] PathFindExtensionW (pszPath="vhalY1z4.m4a") returned=".m4a" [0155.122] lstrlenW (lpString=".m4a") returned 4 [0155.122] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0155.122] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\vhalY1z4.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\vhaly1z4.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0155.123] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=93925) returned 1 [0155.123] GetProcessHeap () returned 0x4c0000 [0155.123] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0155.131] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="8F") returned 2 [0155.131] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="95") returned 2 [0155.131] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="EA") returned 2 [0155.131] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="60") returned 2 [0155.131] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="67") returned 2 [0155.131] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="91") returned 2 [0155.132] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="DE") returned 2 [0155.132] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="C4") returned 2 [0155.132] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="5D") returned 2 [0155.132] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="43") returned 2 [0155.132] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="57") returned 2 [0155.132] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="45") returned 2 [0155.132] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="C2") returned 2 [0155.132] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="37") returned 2 [0155.132] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="9B") returned 2 [0155.132] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="01") returned 2 [0155.132] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="4B") returned 2 [0155.132] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="4C") returned 2 [0155.132] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="83") returned 2 [0155.132] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="19") returned 2 [0155.132] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="D6") returned 2 [0155.132] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="28") returned 2 [0155.132] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="F3") returned 2 [0155.132] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="35") returned 2 [0155.132] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="38") returned 2 [0155.132] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="50") returned 2 [0155.132] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="19") returned 2 [0155.132] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="25") returned 2 [0155.132] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="0C") returned 2 [0155.132] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="D9") returned 2 [0155.132] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="1D") returned 2 [0155.132] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="48") returned 2 [0155.140] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\vhalY1z4.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\vhalY1z4.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\vhalY1z4.m4a" [0155.140] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\vhalY1z4.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\vhalY1z4.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\vhalY1z4.m4a" [0155.140] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\vhalY1z4.m4a", lpString2=".8F95EA606791DEC45D435745C2379B014B4C8319D628F335385019250CD91D48" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\vhalY1z4.m4a.8F95EA606791DEC45D435745C2379B014B4C8319D628F335385019250CD91D48") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\vhalY1z4.m4a.8F95EA606791DEC45D435745C2379B014B4C8319D628F335385019250CD91D48" [0155.140] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0155.140] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0155.178] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49fc5d50, ftCreationTime.dwHighDateTime=0x1d5da8c, ftLastAccessTime.dwLowDateTime=0x62363cf0, ftLastAccessTime.dwHighDateTime=0x1d5dc4a, ftLastWriteTime.dwLowDateTime=0x62363cf0, ftLastWriteTime.dwHighDateTime=0x1d5dc4a, nFileSizeHigh=0x0, nFileSizeLow=0x14132, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="vO1mUYE6ocXqRWxu.m4a", cAlternateFileName="VO1MUY~1.M4A")) returned 1 [0155.178] lstrcmpiW (lpString1="vO1mUYE6ocXqRWxu.m4a", lpString2="Windows") returned -1 [0155.178] lstrcmpiW (lpString1="vO1mUYE6ocXqRWxu.m4a", lpString2="Program Files") returned 1 [0155.178] lstrcmpiW (lpString1="vO1mUYE6ocXqRWxu.m4a", lpString2="Program Files (x86)") returned 1 [0155.178] lstrcmpiW (lpString1="vO1mUYE6ocXqRWxu.m4a", lpString2="$Recycle.bin") returned 1 [0155.178] lstrcmpiW (lpString1="vO1mUYE6ocXqRWxu.m4a", lpString2="System Volume Information") returned 1 [0155.178] lstrcmpiW (lpString1="vO1mUYE6ocXqRWxu.m4a", lpString2=".") returned 1 [0155.178] lstrcmpiW (lpString1="vO1mUYE6ocXqRWxu.m4a", lpString2="..") returned 1 [0155.178] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\vO1mUYE6ocXqRWxu.m4a") returned 60 [0155.179] lstrcmpW (lpString1="vO1mUYE6ocXqRWxu.m4a", lpString2="PUSSY.TXT") returned 1 [0155.179] PathFindExtensionW (pszPath="vO1mUYE6ocXqRWxu.m4a") returned=".m4a" [0155.179] lstrlenW (lpString=".m4a") returned 4 [0155.179] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0155.179] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\vO1mUYE6ocXqRWxu.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\vo1muye6ocxqrwxu.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0155.180] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=82226) returned 1 [0155.180] GetProcessHeap () returned 0x4c0000 [0155.180] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0155.192] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="A5") returned 2 [0155.192] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="B4") returned 2 [0155.192] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="19") returned 2 [0155.192] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="2C") returned 2 [0155.192] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="93") returned 2 [0155.192] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="B9") returned 2 [0155.192] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="14") returned 2 [0155.192] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="00") returned 2 [0155.192] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="2F") returned 2 [0155.192] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="AA") returned 2 [0155.192] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="C0") returned 2 [0155.192] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="8F") returned 2 [0155.192] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="BC") returned 2 [0155.192] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="42") returned 2 [0155.192] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="0C") returned 2 [0155.192] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="4D") returned 2 [0155.192] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="86") returned 2 [0155.192] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="30") returned 2 [0155.192] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="E6") returned 2 [0155.192] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="42") returned 2 [0155.192] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="3C") returned 2 [0155.192] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="9A") returned 2 [0155.192] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="4B") returned 2 [0155.192] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="DA") returned 2 [0155.192] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="DA") returned 2 [0155.193] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="F3") returned 2 [0155.193] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="4B") returned 2 [0155.193] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="FF") returned 2 [0155.193] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="F4") returned 2 [0155.193] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="CF") returned 2 [0155.193] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="83") returned 2 [0155.193] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="41") returned 2 [0155.204] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\vO1mUYE6ocXqRWxu.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\vO1mUYE6ocXqRWxu.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\vO1mUYE6ocXqRWxu.m4a" [0155.204] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\vO1mUYE6ocXqRWxu.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\vO1mUYE6ocXqRWxu.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\vO1mUYE6ocXqRWxu.m4a" [0155.204] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\vO1mUYE6ocXqRWxu.m4a", lpString2=".A5B4192C93B914002FAAC08FBC420C4D8630E6423C9A4BDADAF34BFFF4CF8341" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\vO1mUYE6ocXqRWxu.m4a.A5B4192C93B914002FAAC08FBC420C4D8630E6423C9A4BDADAF34BFFF4CF8341") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\vO1mUYE6ocXqRWxu.m4a.A5B4192C93B914002FAAC08FBC420C4D8630E6423C9A4BDADAF34BFFF4CF8341" [0155.204] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0155.205] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0155.268] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30031eb0, ftCreationTime.dwHighDateTime=0x1d5dce5, ftLastAccessTime.dwLowDateTime=0x77dfb3b0, ftLastAccessTime.dwHighDateTime=0x1d5e2a8, ftLastWriteTime.dwLowDateTime=0x77dfb3b0, ftLastWriteTime.dwHighDateTime=0x1d5e2a8, nFileSizeHigh=0x0, nFileSizeLow=0x11f10, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="YjrSuayk6nrk.m4a", cAlternateFileName="YJRSUA~1.M4A")) returned 1 [0155.268] lstrcmpiW (lpString1="YjrSuayk6nrk.m4a", lpString2="Windows") returned 1 [0155.268] lstrcmpiW (lpString1="YjrSuayk6nrk.m4a", lpString2="Program Files") returned 1 [0155.268] lstrcmpiW (lpString1="YjrSuayk6nrk.m4a", lpString2="Program Files (x86)") returned 1 [0155.268] lstrcmpiW (lpString1="YjrSuayk6nrk.m4a", lpString2="$Recycle.bin") returned 1 [0155.268] lstrcmpiW (lpString1="YjrSuayk6nrk.m4a", lpString2="System Volume Information") returned 1 [0155.269] lstrcmpiW (lpString1="YjrSuayk6nrk.m4a", lpString2=".") returned 1 [0155.269] lstrcmpiW (lpString1="YjrSuayk6nrk.m4a", lpString2="..") returned 1 [0155.269] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\YjrSuayk6nrk.m4a") returned 56 [0155.269] lstrcmpW (lpString1="YjrSuayk6nrk.m4a", lpString2="PUSSY.TXT") returned 1 [0155.269] PathFindExtensionW (pszPath="YjrSuayk6nrk.m4a") returned=".m4a" [0155.269] lstrlenW (lpString=".m4a") returned 4 [0155.269] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0155.269] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\YjrSuayk6nrk.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\yjrsuayk6nrk.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0155.309] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=73488) returned 1 [0155.309] GetProcessHeap () returned 0x4c0000 [0155.309] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0155.331] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="CE") returned 2 [0155.341] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="2D") returned 2 [0155.341] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="62") returned 2 [0155.341] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="EE") returned 2 [0155.342] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="00") returned 2 [0155.342] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="14") returned 2 [0155.342] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="90") returned 2 [0155.342] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="6D") returned 2 [0155.342] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="73") returned 2 [0155.342] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="95") returned 2 [0155.342] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="98") returned 2 [0155.342] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="D3") returned 2 [0155.342] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="D4") returned 2 [0155.342] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="97") returned 2 [0155.342] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="08") returned 2 [0155.342] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="D8") returned 2 [0155.342] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="CF") returned 2 [0155.342] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="60") returned 2 [0155.342] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="16") returned 2 [0155.342] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="B8") returned 2 [0155.343] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="D2") returned 2 [0155.343] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="8A") returned 2 [0155.343] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="C4") returned 2 [0155.343] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="D9") returned 2 [0155.343] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="48") returned 2 [0155.343] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="26") returned 2 [0155.343] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="8A") returned 2 [0155.343] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="0B") returned 2 [0155.343] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="60") returned 2 [0155.343] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="5A") returned 2 [0155.343] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="D8") returned 2 [0155.343] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="42") returned 2 [0155.355] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\YjrSuayk6nrk.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\YjrSuayk6nrk.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\YjrSuayk6nrk.m4a" [0155.355] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\YjrSuayk6nrk.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\YjrSuayk6nrk.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\YjrSuayk6nrk.m4a" [0155.355] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\YjrSuayk6nrk.m4a", lpString2=".CE2D62EE0014906D739598D3D49708D8CF6016B8D28AC4D948268A0B605AD842" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\YjrSuayk6nrk.m4a.CE2D62EE0014906D739598D3D49708D8CF6016B8D28AC4D948268A0B605AD842") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\YjrSuayk6nrk.m4a.CE2D62EE0014906D739598D3D49708D8CF6016B8D28AC4D948268A0B605AD842" [0155.355] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0155.355] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0155.400] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30031eb0, ftCreationTime.dwHighDateTime=0x1d5dce5, ftLastAccessTime.dwLowDateTime=0x77dfb3b0, ftLastAccessTime.dwHighDateTime=0x1d5e2a8, ftLastWriteTime.dwLowDateTime=0x77dfb3b0, ftLastWriteTime.dwHighDateTime=0x1d5e2a8, nFileSizeHigh=0x0, nFileSizeLow=0x11f10, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="YjrSuayk6nrk.m4a", cAlternateFileName="YJRSUA~1.M4A")) returned 0 [0155.400] FindClose (in: hFindFile=0x3bb7020 | out: hFindFile=0x3bb7020) returned 1 [0155.400] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\PUSSY.TXT") returned 49 [0155.400] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0155.401] lstrlenA (lpString="abcd") returned 4 [0155.401] WriteFile (in: hFile=0x190, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0155.402] CloseHandle (hObject=0x190) returned 1 [0155.402] GetProcessHeap () returned 0x4c0000 [0155.402] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0155.411] FindNextFileW (in: hFindFile=0x4ddbc8, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x290dda00, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x290dda00, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x290dda00, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0155.412] lstrcmpiW (lpString1="My Documents", lpString2="Windows") returned -1 [0155.412] lstrcmpiW (lpString1="My Documents", lpString2="Program Files") returned -1 [0155.412] lstrcmpiW (lpString1="My Documents", lpString2="Program Files (x86)") returned -1 [0155.412] lstrcmpiW (lpString1="My Documents", lpString2="$Recycle.bin") returned 1 [0155.412] lstrcmpiW (lpString1="My Documents", lpString2="System Volume Information") returned -1 [0155.412] lstrcmpiW (lpString1="My Documents", lpString2=".") returned 1 [0155.412] lstrcmpiW (lpString1="My Documents", lpString2="..") returned 1 [0155.412] wnsprintfW (in: pszDest=0x3b28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\My Documents") returned 46 [0155.412] GetProcessHeap () returned 0x4c0000 [0155.412] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0155.413] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\My Documents" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\My Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\My Documents" [0155.413] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\My Documents", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\My Documents\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\My Documents\\*" [0155.413] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\My Documents\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30031eb0, ftCreationTime.dwHighDateTime=0x1d5dce5, ftLastAccessTime.dwLowDateTime=0x77dfb3b0, ftLastAccessTime.dwHighDateTime=0x1d5e2a8, ftLastWriteTime.dwLowDateTime=0x77dfb3b0, ftLastWriteTime.dwHighDateTime=0x1d5e2a8, nFileSizeHigh=0x0, nFileSizeLow=0x11f10, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="YjrSuayk6nrk.m4a", cAlternateFileName="s")) returned 0xffffffff [0155.414] GetProcessHeap () returned 0x4c0000 [0155.414] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0155.414] FindNextFileW (in: hFindFile=0x4ddbc8, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29103b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29103b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29103b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="NetHood", cAlternateFileName="")) returned 1 [0155.414] lstrcmpiW (lpString1="NetHood", lpString2="Windows") returned -1 [0155.414] lstrcmpiW (lpString1="NetHood", lpString2="Program Files") returned -1 [0155.414] lstrcmpiW (lpString1="NetHood", lpString2="Program Files (x86)") returned -1 [0155.414] lstrcmpiW (lpString1="NetHood", lpString2="$Recycle.bin") returned 1 [0155.414] lstrcmpiW (lpString1="NetHood", lpString2="System Volume Information") returned -1 [0155.414] lstrcmpiW (lpString1="NetHood", lpString2=".") returned 1 [0155.414] lstrcmpiW (lpString1="NetHood", lpString2="..") returned 1 [0155.414] wnsprintfW (in: pszDest=0x3b28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NetHood") returned 41 [0155.414] GetProcessHeap () returned 0x4c0000 [0155.414] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0155.414] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NetHood" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NetHood") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NetHood" [0155.414] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NetHood", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NetHood\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NetHood\\*" [0155.414] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NetHood\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30031eb0, ftCreationTime.dwHighDateTime=0x1d5dce5, ftLastAccessTime.dwLowDateTime=0x77dfb3b0, ftLastAccessTime.dwHighDateTime=0x1d5e2a8, ftLastWriteTime.dwLowDateTime=0x77dfb3b0, ftLastWriteTime.dwHighDateTime=0x1d5e2a8, nFileSizeHigh=0x0, nFileSizeLow=0x11f10, dwReserved0=0xa0000003, dwReserved1=0x77c61b06, cFileName="YjrSuayk6nrk.m4a", cAlternateFileName="d")) returned 0xffffffff [0155.414] GetProcessHeap () returned 0x4c0000 [0155.414] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0155.414] FindNextFileW (in: hFindFile=0x4ddbc8, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x8f3afd80, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x8f3afd80, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x100000, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0155.414] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="Windows") returned -1 [0155.414] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="Program Files") returned -1 [0155.414] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="Program Files (x86)") returned -1 [0155.414] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="$Recycle.bin") returned 1 [0155.415] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="System Volume Information") returned -1 [0155.415] lstrcmpiW (lpString1="NTUSER.DAT", lpString2=".") returned 1 [0155.415] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="..") returned 1 [0155.415] wnsprintfW (in: pszDest=0x3b28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT") returned 44 [0155.415] lstrcmpW (lpString1="NTUSER.DAT", lpString2="PUSSY.TXT") returned -1 [0155.415] PathFindExtensionW (pszPath="NTUSER.DAT") returned=".DAT" [0155.415] lstrlenW (lpString=".DAT") returned 4 [0155.415] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0155.415] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0155.415] FindNextFileW (in: hFindFile=0x4ddbc8, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28f60c40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f60c40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x8f389c20, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x40000, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="ntuser.dat.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1 [0155.415] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="Windows") returned -1 [0155.415] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="Program Files") returned -1 [0155.415] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="Program Files (x86)") returned -1 [0155.415] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="$Recycle.bin") returned 1 [0155.415] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="System Volume Information") returned -1 [0155.415] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2=".") returned 1 [0155.415] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="..") returned 1 [0155.415] wnsprintfW (in: pszDest=0x3b28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1") returned 49 [0155.416] lstrcmpW (lpString1="ntuser.dat.LOG1", lpString2="PUSSY.TXT") returned -1 [0155.416] PathFindExtensionW (pszPath="ntuser.dat.LOG1") returned=".LOG1" [0155.416] lstrlenW (lpString=".LOG1") returned 5 [0155.416] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0155.416] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0155.416] FindNextFileW (in: hFindFile=0x4ddbc8, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28f60c40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f60c40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28f60c40, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="ntuser.dat.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1 [0155.416] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="Windows") returned -1 [0155.416] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="Program Files") returned -1 [0155.416] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="Program Files (x86)") returned -1 [0155.416] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="$Recycle.bin") returned 1 [0155.416] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="System Volume Information") returned -1 [0155.416] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2=".") returned 1 [0155.416] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="..") returned 1 [0155.416] wnsprintfW (in: pszDest=0x3b28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG2") returned 49 [0155.416] lstrcmpW (lpString1="ntuser.dat.LOG2", lpString2="PUSSY.TXT") returned -1 [0155.416] PathFindExtensionW (pszPath="ntuser.dat.LOG2") returned=".LOG2" [0155.416] lstrlenW (lpString=".LOG2") returned 5 [0155.416] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0155.416] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG2" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0155.416] FindNextFileW (in: hFindFile=0x4ddbc8, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28f60c40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f60c40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x40b0f7f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1 [0155.417] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="Windows") returned -1 [0155.417] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="Program Files") returned -1 [0155.417] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="Program Files (x86)") returned -1 [0155.417] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="$Recycle.bin") returned 1 [0155.417] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="System Volume Information") returned -1 [0155.417] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2=".") returned 1 [0155.417] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="..") returned 1 [0155.417] wnsprintfW (in: pszDest=0x3b28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 89 [0155.417] lstrcmpW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="PUSSY.TXT") returned -1 [0155.417] PathFindExtensionW (pszPath="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned=".blf" [0155.417] lstrlenW (lpString=".blf") returned 4 [0155.417] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0155.417] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0155.417] FindNextFileW (in: hFindFile=0x4ddbc8, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28f86da0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f86da0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x40b0f7f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1 [0155.417] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="Windows") returned -1 [0155.417] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="Program Files") returned -1 [0155.417] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="Program Files (x86)") returned -1 [0155.417] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="$Recycle.bin") returned 1 [0155.417] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="System Volume Information") returned -1 [0155.417] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2=".") returned 1 [0155.417] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="..") returned 1 [0155.418] wnsprintfW (in: pszDest=0x3b28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 126 [0155.418] lstrcmpW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="PUSSY.TXT") returned -1 [0155.418] PathFindExtensionW (pszPath="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned=".regtrans-ms" [0155.418] lstrlenW (lpString=".regtrans-ms") returned 12 [0155.418] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0155.418] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0155.418] FindNextFileW (in: hFindFile=0x4ddbc8, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28f86da0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f86da0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x40b0f7f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1 [0155.418] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="Windows") returned -1 [0155.418] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="Program Files") returned -1 [0155.418] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="Program Files (x86)") returned -1 [0155.418] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="$Recycle.bin") returned 1 [0155.418] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="System Volume Information") returned -1 [0155.418] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2=".") returned 1 [0155.418] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="..") returned 1 [0155.418] wnsprintfW (in: pszDest=0x3b28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 126 [0155.418] lstrcmpW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="PUSSY.TXT") returned -1 [0155.418] PathFindExtensionW (pszPath="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned=".regtrans-ms" [0155.418] lstrlenW (lpString=".regtrans-ms") returned 12 [0155.418] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0155.418] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0155.419] FindNextFileW (in: hFindFile=0x4ddbc8, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cd94e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xe9bbeade, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x14, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="ntuser.ini", cAlternateFileName="")) returned 1 [0155.419] lstrcmpiW (lpString1="ntuser.ini", lpString2="Windows") returned -1 [0155.419] lstrcmpiW (lpString1="ntuser.ini", lpString2="Program Files") returned -1 [0155.419] lstrcmpiW (lpString1="ntuser.ini", lpString2="Program Files (x86)") returned -1 [0155.419] lstrcmpiW (lpString1="ntuser.ini", lpString2="$Recycle.bin") returned 1 [0155.419] lstrcmpiW (lpString1="ntuser.ini", lpString2="System Volume Information") returned -1 [0155.419] lstrcmpiW (lpString1="ntuser.ini", lpString2=".") returned 1 [0155.419] lstrcmpiW (lpString1="ntuser.ini", lpString2="..") returned 1 [0155.419] wnsprintfW (in: pszDest=0x3b28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini") returned 44 [0155.419] lstrcmpW (lpString1="ntuser.ini", lpString2="PUSSY.TXT") returned -1 [0155.419] PathFindExtensionW (pszPath="ntuser.ini") returned=".ini" [0155.419] lstrlenW (lpString=".ini") returned 4 [0155.419] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0155.419] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x190 [0155.421] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x28e278 | out: lpFileSize=0x28e278*=20) returned 1 [0155.421] CloseHandle (hObject=0x190) returned 1 [0155.421] FindNextFileW (in: hFindFile=0x4ddbc8, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdb2dec20, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdb2dec20, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Pictures", cAlternateFileName="")) returned 1 [0155.421] lstrcmpiW (lpString1="Pictures", lpString2="Windows") returned -1 [0155.421] lstrcmpiW (lpString1="Pictures", lpString2="Program Files") returned -1 [0155.421] lstrcmpiW (lpString1="Pictures", lpString2="Program Files (x86)") returned -1 [0155.421] lstrcmpiW (lpString1="Pictures", lpString2="$Recycle.bin") returned 1 [0155.421] lstrcmpiW (lpString1="Pictures", lpString2="System Volume Information") returned -1 [0155.421] lstrcmpiW (lpString1="Pictures", lpString2=".") returned 1 [0155.421] lstrcmpiW (lpString1="Pictures", lpString2="..") returned 1 [0155.421] wnsprintfW (in: pszDest=0x3b28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned 42 [0155.421] GetProcessHeap () returned 0x4c0000 [0155.421] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0155.421] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures" [0155.421] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*" [0155.421] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdb2dec20, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdb2dec20, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7020 [0155.422] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0155.422] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0155.422] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0155.422] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0155.422] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0155.422] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0155.422] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdb2dec20, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdb2dec20, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0155.422] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0155.422] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0155.422] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0155.422] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0155.422] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0155.422] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0155.422] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0155.422] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91d5e240, ftCreationTime.dwHighDateTime=0x1d5e577, ftLastAccessTime.dwLowDateTime=0xeac05420, ftLastAccessTime.dwHighDateTime=0x1d5de84, ftLastWriteTime.dwLowDateTime=0xeac05420, ftLastWriteTime.dwHighDateTime=0x1d5de84, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="AA5E4XH FD", cAlternateFileName="AA5E4X~1")) returned 1 [0155.422] lstrcmpiW (lpString1="AA5E4XH FD", lpString2="Windows") returned -1 [0155.422] lstrcmpiW (lpString1="AA5E4XH FD", lpString2="Program Files") returned -1 [0155.422] lstrcmpiW (lpString1="AA5E4XH FD", lpString2="Program Files (x86)") returned -1 [0155.422] lstrcmpiW (lpString1="AA5E4XH FD", lpString2="$Recycle.bin") returned 1 [0155.422] lstrcmpiW (lpString1="AA5E4XH FD", lpString2="System Volume Information") returned -1 [0155.422] lstrcmpiW (lpString1="AA5E4XH FD", lpString2=".") returned 1 [0155.422] lstrcmpiW (lpString1="AA5E4XH FD", lpString2="..") returned 1 [0155.422] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AA5E4XH FD") returned 53 [0155.423] GetProcessHeap () returned 0x4c0000 [0155.423] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0155.424] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AA5E4XH FD" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AA5E4XH FD") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AA5E4XH FD" [0155.424] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AA5E4XH FD", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AA5E4XH FD\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AA5E4XH FD\\*" [0155.424] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AA5E4XH FD\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91d5e240, ftCreationTime.dwHighDateTime=0x1d5e577, ftLastAccessTime.dwLowDateTime=0xeac05420, ftLastAccessTime.dwHighDateTime=0x1d5de84, ftLastWriteTime.dwLowDateTime=0xeac05420, ftLastWriteTime.dwHighDateTime=0x1d5de84, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0155.424] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0155.424] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0155.424] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0155.424] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0155.424] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0155.424] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0155.424] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91d5e240, ftCreationTime.dwHighDateTime=0x1d5e577, ftLastAccessTime.dwLowDateTime=0xeac05420, ftLastAccessTime.dwHighDateTime=0x1d5de84, ftLastWriteTime.dwLowDateTime=0xeac05420, ftLastWriteTime.dwHighDateTime=0x1d5de84, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0155.424] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0155.424] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0155.424] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0155.424] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0155.424] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0155.424] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0155.424] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0155.424] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2af91d40, ftCreationTime.dwHighDateTime=0x1d5e7ba, ftLastAccessTime.dwLowDateTime=0x82279a10, ftLastAccessTime.dwHighDateTime=0x1d5e724, ftLastWriteTime.dwLowDateTime=0x82279a10, ftLastWriteTime.dwHighDateTime=0x1d5e724, nFileSizeHigh=0x0, nFileSizeLow=0x1560b, dwReserved0=0x4dbf68, dwReserved1=0x77c61b06, cFileName="0eZdlbhe1hMr.gif", cAlternateFileName="0EZDLB~1.GIF")) returned 1 [0155.424] lstrcmpiW (lpString1="0eZdlbhe1hMr.gif", lpString2="Windows") returned -1 [0155.424] lstrcmpiW (lpString1="0eZdlbhe1hMr.gif", lpString2="Program Files") returned -1 [0155.424] lstrcmpiW (lpString1="0eZdlbhe1hMr.gif", lpString2="Program Files (x86)") returned -1 [0155.425] lstrcmpiW (lpString1="0eZdlbhe1hMr.gif", lpString2="$Recycle.bin") returned 1 [0155.425] lstrcmpiW (lpString1="0eZdlbhe1hMr.gif", lpString2="System Volume Information") returned -1 [0155.425] lstrcmpiW (lpString1="0eZdlbhe1hMr.gif", lpString2=".") returned 1 [0155.425] lstrcmpiW (lpString1="0eZdlbhe1hMr.gif", lpString2="..") returned 1 [0155.425] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AA5E4XH FD\\0eZdlbhe1hMr.gif") returned 70 [0155.425] lstrcmpW (lpString1="0eZdlbhe1hMr.gif", lpString2="PUSSY.TXT") returned -1 [0155.425] PathFindExtensionW (pszPath="0eZdlbhe1hMr.gif") returned=".gif" [0155.425] lstrlenW (lpString=".gif") returned 4 [0155.425] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0155.425] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AA5E4XH FD\\0eZdlbhe1hMr.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aa5e4xh fd\\0ezdlbhe1hmr.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0155.426] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=87563) returned 1 [0155.426] GetProcessHeap () returned 0x4c0000 [0155.426] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0155.440] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="5B") returned 2 [0155.440] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="BE") returned 2 [0155.440] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="E7") returned 2 [0155.440] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="25") returned 2 [0155.440] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="C7") returned 2 [0155.440] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="51") returned 2 [0155.440] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="A8") returned 2 [0155.440] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="39") returned 2 [0155.440] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="0A") returned 2 [0155.440] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="13") returned 2 [0155.440] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="FA") returned 2 [0155.440] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="AB") returned 2 [0155.440] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="EB") returned 2 [0155.440] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="86") returned 2 [0155.440] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="02") returned 2 [0155.440] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="74") returned 2 [0155.440] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="BF") returned 2 [0155.440] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="1F") returned 2 [0155.440] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="01") returned 2 [0155.440] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="C1") returned 2 [0155.440] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="EC") returned 2 [0155.440] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="38") returned 2 [0155.440] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="03") returned 2 [0155.440] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="DE") returned 2 [0155.440] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="06") returned 2 [0155.441] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="C9") returned 2 [0155.441] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="0E") returned 2 [0155.441] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="82") returned 2 [0155.441] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="F1") returned 2 [0155.441] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="2F") returned 2 [0155.441] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="98") returned 2 [0155.441] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="5E") returned 2 [0155.452] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AA5E4XH FD\\0eZdlbhe1hMr.gif" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AA5E4XH FD\\0eZdlbhe1hMr.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AA5E4XH FD\\0eZdlbhe1hMr.gif" [0155.452] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AA5E4XH FD\\0eZdlbhe1hMr.gif" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AA5E4XH FD\\0eZdlbhe1hMr.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AA5E4XH FD\\0eZdlbhe1hMr.gif" [0155.452] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AA5E4XH FD\\0eZdlbhe1hMr.gif", lpString2=".5BBEE725C751A8390A13FAABEB860274BF1F01C1EC3803DE06C90E82F12F985E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AA5E4XH FD\\0eZdlbhe1hMr.gif.5BBEE725C751A8390A13FAABEB860274BF1F01C1EC3803DE06C90E82F12F985E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AA5E4XH FD\\0eZdlbhe1hMr.gif.5BBEE725C751A8390A13FAABEB860274BF1F01C1EC3803DE06C90E82F12F985E" [0155.452] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0155.452] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0155.502] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2af91d40, ftCreationTime.dwHighDateTime=0x1d5e7ba, ftLastAccessTime.dwLowDateTime=0x82279a10, ftLastAccessTime.dwHighDateTime=0x1d5e724, ftLastWriteTime.dwLowDateTime=0x82279a10, ftLastWriteTime.dwHighDateTime=0x1d5e724, nFileSizeHigh=0x0, nFileSizeLow=0x1560b, dwReserved0=0x4dbf68, dwReserved1=0x77c61b06, cFileName="0eZdlbhe1hMr.gif", cAlternateFileName="0EZDLB~1.GIF")) returned 0 [0155.502] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0155.502] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AA5E4XH FD\\PUSSY.TXT") returned 63 [0155.502] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AA5E4XH FD\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aa5e4xh fd\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0155.503] lstrlenA (lpString="abcd") returned 4 [0155.503] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0155.504] CloseHandle (hObject=0x184) returned 1 [0155.504] GetProcessHeap () returned 0x4c0000 [0155.504] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0155.506] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x775bcf10, ftCreationTime.dwHighDateTime=0x1d5deb5, ftLastAccessTime.dwLowDateTime=0xcf200aa0, ftLastAccessTime.dwHighDateTime=0x1d5e6cf, ftLastWriteTime.dwLowDateTime=0xcf200aa0, ftLastWriteTime.dwHighDateTime=0x1d5e6cf, nFileSizeHigh=0x0, nFileSizeLow=0x13ddf, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="bHFr.gif", cAlternateFileName="")) returned 1 [0155.506] lstrcmpiW (lpString1="bHFr.gif", lpString2="Windows") returned -1 [0155.506] lstrcmpiW (lpString1="bHFr.gif", lpString2="Program Files") returned -1 [0155.506] lstrcmpiW (lpString1="bHFr.gif", lpString2="Program Files (x86)") returned -1 [0155.506] lstrcmpiW (lpString1="bHFr.gif", lpString2="$Recycle.bin") returned 1 [0155.506] lstrcmpiW (lpString1="bHFr.gif", lpString2="System Volume Information") returned -1 [0155.506] lstrcmpiW (lpString1="bHFr.gif", lpString2=".") returned 1 [0155.506] lstrcmpiW (lpString1="bHFr.gif", lpString2="..") returned 1 [0155.507] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bHFr.gif") returned 51 [0155.507] lstrcmpW (lpString1="bHFr.gif", lpString2="PUSSY.TXT") returned -1 [0155.507] PathFindExtensionW (pszPath="bHFr.gif") returned=".gif" [0155.507] lstrlenW (lpString=".gif") returned 4 [0155.507] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0155.507] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bHFr.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\bhfr.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0155.508] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=81375) returned 1 [0155.508] GetProcessHeap () returned 0x4c0000 [0155.508] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0155.527] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="D4") returned 2 [0155.527] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="45") returned 2 [0155.527] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="30") returned 2 [0155.527] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="2E") returned 2 [0155.527] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="61") returned 2 [0155.527] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="10") returned 2 [0155.527] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="37") returned 2 [0155.527] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="2B") returned 2 [0155.527] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="87") returned 2 [0155.527] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="F4") returned 2 [0155.527] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="50") returned 2 [0155.527] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="0A") returned 2 [0155.527] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="03") returned 2 [0155.527] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="8B") returned 2 [0155.527] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="06") returned 2 [0155.527] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="B4") returned 2 [0155.528] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="95") returned 2 [0155.528] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="21") returned 2 [0155.528] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="19") returned 2 [0155.528] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="A4") returned 2 [0155.528] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="E6") returned 2 [0155.528] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="6B") returned 2 [0155.528] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="37") returned 2 [0155.528] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="25") returned 2 [0155.528] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="74") returned 2 [0155.528] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="03") returned 2 [0155.528] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="75") returned 2 [0155.528] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="5C") returned 2 [0155.528] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="F0") returned 2 [0155.528] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="1B") returned 2 [0155.528] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="13") returned 2 [0155.528] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="0D") returned 2 [0155.540] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bHFr.gif" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bHFr.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bHFr.gif" [0155.540] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bHFr.gif" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bHFr.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bHFr.gif" [0155.540] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bHFr.gif", lpString2=".D445302E6110372B87F4500A038B06B4952119A4E66B37257403755CF01B130D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bHFr.gif.D445302E6110372B87F4500A038B06B4952119A4E66B37257403755CF01B130D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bHFr.gif.D445302E6110372B87F4500A038B06B4952119A4E66B37257403755CF01B130D" [0155.540] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0155.540] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0155.587] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0155.587] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0155.587] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0155.587] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0155.587] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0155.587] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0155.587] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0155.587] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0155.587] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\desktop.ini") returned 54 [0155.587] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0155.587] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0155.587] lstrlenW (lpString=".ini") returned 4 [0155.587] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0155.587] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0155.588] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=504) returned 1 [0155.588] CloseHandle (hObject=0x184) returned 1 [0155.588] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3575f10, ftCreationTime.dwHighDateTime=0x1d5e5fa, ftLastAccessTime.dwLowDateTime=0x4ec14170, ftLastAccessTime.dwHighDateTime=0x1d5e329, ftLastWriteTime.dwLowDateTime=0x4ec14170, ftLastWriteTime.dwHighDateTime=0x1d5e329, nFileSizeHigh=0x0, nFileSizeLow=0xb7f6, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="IAzX.jpg", cAlternateFileName="")) returned 1 [0155.588] lstrcmpiW (lpString1="IAzX.jpg", lpString2="Windows") returned -1 [0155.588] lstrcmpiW (lpString1="IAzX.jpg", lpString2="Program Files") returned -1 [0155.588] lstrcmpiW (lpString1="IAzX.jpg", lpString2="Program Files (x86)") returned -1 [0155.588] lstrcmpiW (lpString1="IAzX.jpg", lpString2="$Recycle.bin") returned 1 [0155.588] lstrcmpiW (lpString1="IAzX.jpg", lpString2="System Volume Information") returned -1 [0155.588] lstrcmpiW (lpString1="IAzX.jpg", lpString2=".") returned 1 [0155.588] lstrcmpiW (lpString1="IAzX.jpg", lpString2="..") returned 1 [0155.589] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\IAzX.jpg") returned 51 [0155.589] lstrcmpW (lpString1="IAzX.jpg", lpString2="PUSSY.TXT") returned -1 [0155.589] PathFindExtensionW (pszPath="IAzX.jpg") returned=".jpg" [0155.589] lstrlenW (lpString=".jpg") returned 4 [0155.589] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0155.589] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\IAzX.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iazx.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0155.589] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=47094) returned 1 [0155.589] GetProcessHeap () returned 0x4c0000 [0155.589] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0155.602] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="05") returned 2 [0155.602] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="6B") returned 2 [0155.602] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="7D") returned 2 [0155.602] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="0F") returned 2 [0155.602] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="82") returned 2 [0155.602] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="EE") returned 2 [0155.602] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="5B") returned 2 [0155.602] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="A1") returned 2 [0155.602] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="CE") returned 2 [0155.602] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="DB") returned 2 [0155.602] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="4C") returned 2 [0155.602] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="A9") returned 2 [0155.602] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="E9") returned 2 [0155.602] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="D0") returned 2 [0155.602] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="91") returned 2 [0155.602] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="9A") returned 2 [0155.602] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="EC") returned 2 [0155.602] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="9F") returned 2 [0155.602] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="6A") returned 2 [0155.602] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="36") returned 2 [0155.602] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="17") returned 2 [0155.602] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="27") returned 2 [0155.602] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="13") returned 2 [0155.602] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="33") returned 2 [0155.602] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="11") returned 2 [0155.602] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="E3") returned 2 [0155.602] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="BF") returned 2 [0155.602] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="71") returned 2 [0155.603] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="36") returned 2 [0155.603] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="A5") returned 2 [0155.603] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="75") returned 2 [0155.603] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="33") returned 2 [0155.615] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\IAzX.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\IAzX.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\IAzX.jpg" [0155.615] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\IAzX.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\IAzX.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\IAzX.jpg" [0155.615] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\IAzX.jpg", lpString2=".056B7D0F82EE5BA1CEDB4CA9E9D0919AEC9F6A361727133311E3BF7136A57533" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\IAzX.jpg.056B7D0F82EE5BA1CEDB4CA9E9D0919AEC9F6A361727133311E3BF7136A57533") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\IAzX.jpg.056B7D0F82EE5BA1CEDB4CA9E9D0919AEC9F6A361727133311E3BF7136A57533" [0155.615] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0155.615] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0155.660] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3c73ce0, ftCreationTime.dwHighDateTime=0x1d5e611, ftLastAccessTime.dwLowDateTime=0x3f9c2440, ftLastAccessTime.dwHighDateTime=0x1d5db03, ftLastWriteTime.dwLowDateTime=0x3f9c2440, ftLastWriteTime.dwHighDateTime=0x1d5db03, nFileSizeHigh=0x0, nFileSizeLow=0xad2c, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Ucr_k.gif", cAlternateFileName="")) returned 1 [0155.660] lstrcmpiW (lpString1="Ucr_k.gif", lpString2="Windows") returned -1 [0155.660] lstrcmpiW (lpString1="Ucr_k.gif", lpString2="Program Files") returned 1 [0155.660] lstrcmpiW (lpString1="Ucr_k.gif", lpString2="Program Files (x86)") returned 1 [0155.661] lstrcmpiW (lpString1="Ucr_k.gif", lpString2="$Recycle.bin") returned 1 [0155.661] lstrcmpiW (lpString1="Ucr_k.gif", lpString2="System Volume Information") returned 1 [0155.661] lstrcmpiW (lpString1="Ucr_k.gif", lpString2=".") returned 1 [0155.661] lstrcmpiW (lpString1="Ucr_k.gif", lpString2="..") returned 1 [0155.661] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Ucr_k.gif") returned 52 [0155.661] lstrcmpW (lpString1="Ucr_k.gif", lpString2="PUSSY.TXT") returned 1 [0155.661] PathFindExtensionW (pszPath="Ucr_k.gif") returned=".gif" [0155.661] lstrlenW (lpString=".gif") returned 4 [0155.661] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0155.661] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Ucr_k.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\ucr_k.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0155.662] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=44332) returned 1 [0155.662] GetProcessHeap () returned 0x4c0000 [0155.662] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0155.674] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="43") returned 2 [0155.674] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="9C") returned 2 [0155.674] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="EA") returned 2 [0155.674] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="CB") returned 2 [0155.674] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="55") returned 2 [0155.674] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="A7") returned 2 [0155.674] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="B0") returned 2 [0155.674] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="01") returned 2 [0155.674] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="F0") returned 2 [0155.674] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="EF") returned 2 [0155.674] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="8B") returned 2 [0155.674] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="8B") returned 2 [0155.674] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="FE") returned 2 [0155.675] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="E7") returned 2 [0155.675] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="98") returned 2 [0155.675] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="4F") returned 2 [0155.675] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="0B") returned 2 [0155.675] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="37") returned 2 [0155.675] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="DB") returned 2 [0155.675] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="CA") returned 2 [0155.675] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="AB") returned 2 [0155.675] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="5C") returned 2 [0155.675] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="EE") returned 2 [0155.675] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="11") returned 2 [0155.675] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="EA") returned 2 [0155.675] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="2E") returned 2 [0155.675] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="D3") returned 2 [0155.675] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="40") returned 2 [0155.675] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="32") returned 2 [0155.675] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="7A") returned 2 [0155.675] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="CE") returned 2 [0155.675] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="79") returned 2 [0155.687] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Ucr_k.gif" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Ucr_k.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Ucr_k.gif" [0155.687] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Ucr_k.gif" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Ucr_k.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Ucr_k.gif" [0155.687] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Ucr_k.gif", lpString2=".439CEACB55A7B001F0EF8B8BFEE7984F0B37DBCAAB5CEE11EA2ED340327ACE79" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Ucr_k.gif.439CEACB55A7B001F0EF8B8BFEE7984F0B37DBCAAB5CEE11EA2ED340327ACE79") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Ucr_k.gif.439CEACB55A7B001F0EF8B8BFEE7984F0B37DBCAAB5CEE11EA2ED340327ACE79" [0155.687] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0155.687] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0155.732] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24966630, ftCreationTime.dwHighDateTime=0x1d5e213, ftLastAccessTime.dwLowDateTime=0x3263d020, ftLastAccessTime.dwHighDateTime=0x1d5e008, ftLastWriteTime.dwLowDateTime=0x3263d020, ftLastWriteTime.dwHighDateTime=0x1d5e008, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="_DGkrO4j3 3", cAlternateFileName="_DGKRO~1")) returned 1 [0155.732] lstrcmpiW (lpString1="_DGkrO4j3 3", lpString2="Windows") returned -1 [0155.732] lstrcmpiW (lpString1="_DGkrO4j3 3", lpString2="Program Files") returned -1 [0155.732] lstrcmpiW (lpString1="_DGkrO4j3 3", lpString2="Program Files (x86)") returned -1 [0155.733] lstrcmpiW (lpString1="_DGkrO4j3 3", lpString2="$Recycle.bin") returned 1 [0155.733] lstrcmpiW (lpString1="_DGkrO4j3 3", lpString2="System Volume Information") returned -1 [0155.733] lstrcmpiW (lpString1="_DGkrO4j3 3", lpString2=".") returned 1 [0155.733] lstrcmpiW (lpString1="_DGkrO4j3 3", lpString2="..") returned 1 [0155.733] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3") returned 54 [0155.733] GetProcessHeap () returned 0x4c0000 [0155.733] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0155.734] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3" [0155.734] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\*" [0155.734] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24966630, ftCreationTime.dwHighDateTime=0x1d5e213, ftLastAccessTime.dwLowDateTime=0x3263d020, ftLastAccessTime.dwHighDateTime=0x1d5e008, ftLastWriteTime.dwLowDateTime=0x3263d020, ftLastWriteTime.dwHighDateTime=0x1d5e008, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0155.734] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0155.734] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0155.734] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0155.734] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0155.734] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0155.734] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0155.734] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24966630, ftCreationTime.dwHighDateTime=0x1d5e213, ftLastAccessTime.dwLowDateTime=0x3263d020, ftLastAccessTime.dwHighDateTime=0x1d5e008, ftLastWriteTime.dwLowDateTime=0x3263d020, ftLastWriteTime.dwHighDateTime=0x1d5e008, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0155.734] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0155.734] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0155.734] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0155.734] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0155.734] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0155.734] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0155.734] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0155.734] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd71e8a00, ftCreationTime.dwHighDateTime=0x1d5e7d9, ftLastAccessTime.dwLowDateTime=0xb9aedf70, ftLastAccessTime.dwHighDateTime=0x1d5e436, ftLastWriteTime.dwLowDateTime=0xb9aedf70, ftLastWriteTime.dwHighDateTime=0x1d5e436, nFileSizeHigh=0x0, nFileSizeLow=0x10a9c, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="0bhJKihw0wLow.gif", cAlternateFileName="0BHJKI~1.GIF")) returned 1 [0155.734] lstrcmpiW (lpString1="0bhJKihw0wLow.gif", lpString2="Windows") returned -1 [0155.735] lstrcmpiW (lpString1="0bhJKihw0wLow.gif", lpString2="Program Files") returned -1 [0155.735] lstrcmpiW (lpString1="0bhJKihw0wLow.gif", lpString2="Program Files (x86)") returned -1 [0155.735] lstrcmpiW (lpString1="0bhJKihw0wLow.gif", lpString2="$Recycle.bin") returned 1 [0155.735] lstrcmpiW (lpString1="0bhJKihw0wLow.gif", lpString2="System Volume Information") returned -1 [0155.735] lstrcmpiW (lpString1="0bhJKihw0wLow.gif", lpString2=".") returned 1 [0155.735] lstrcmpiW (lpString1="0bhJKihw0wLow.gif", lpString2="..") returned 1 [0155.735] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\0bhJKihw0wLow.gif") returned 72 [0155.735] lstrcmpW (lpString1="0bhJKihw0wLow.gif", lpString2="PUSSY.TXT") returned -1 [0155.735] PathFindExtensionW (pszPath="0bhJKihw0wLow.gif") returned=".gif" [0155.735] lstrlenW (lpString=".gif") returned 4 [0155.735] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0155.735] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\0bhJKihw0wLow.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\0bhjkihw0wlow.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0155.736] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=68252) returned 1 [0155.736] GetProcessHeap () returned 0x4c0000 [0155.736] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0155.748] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="CF") returned 2 [0155.748] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="61") returned 2 [0155.748] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="68") returned 2 [0155.748] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="77") returned 2 [0155.748] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="BB") returned 2 [0155.748] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="BE") returned 2 [0155.748] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="36") returned 2 [0155.748] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="A4") returned 2 [0155.748] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="A8") returned 2 [0155.748] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="C6") returned 2 [0155.748] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="4E") returned 2 [0155.748] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="00") returned 2 [0155.748] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="C7") returned 2 [0155.748] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="6D") returned 2 [0155.748] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="CF") returned 2 [0155.749] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="79") returned 2 [0155.749] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="37") returned 2 [0155.749] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="C3") returned 2 [0155.749] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="F6") returned 2 [0155.749] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="EC") returned 2 [0155.749] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="8B") returned 2 [0155.749] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="71") returned 2 [0155.749] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="BE") returned 2 [0155.749] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="8B") returned 2 [0155.749] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="C8") returned 2 [0155.749] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="B9") returned 2 [0155.749] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="FD") returned 2 [0155.749] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="A0") returned 2 [0155.749] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="7B") returned 2 [0155.749] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="AE") returned 2 [0155.749] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="77") returned 2 [0155.749] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="28") returned 2 [0155.761] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\0bhJKihw0wLow.gif" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\0bhJKihw0wLow.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\0bhJKihw0wLow.gif" [0155.761] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\0bhJKihw0wLow.gif" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\0bhJKihw0wLow.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\0bhJKihw0wLow.gif" [0155.761] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\0bhJKihw0wLow.gif", lpString2=".CF616877BBBE36A4A8C64E00C76DCF7937C3F6EC8B71BE8BC8B9FDA07BAE7728" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\0bhJKihw0wLow.gif.CF616877BBBE36A4A8C64E00C76DCF7937C3F6EC8B71BE8BC8B9FDA07BAE7728") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\0bhJKihw0wLow.gif.CF616877BBBE36A4A8C64E00C76DCF7937C3F6EC8B71BE8BC8B9FDA07BAE7728" [0155.761] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0155.761] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0155.813] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa4960d30, ftCreationTime.dwHighDateTime=0x1d5e4ad, ftLastAccessTime.dwLowDateTime=0xbf9e42e0, ftLastAccessTime.dwHighDateTime=0x1d5e459, ftLastWriteTime.dwLowDateTime=0xbf9e42e0, ftLastWriteTime.dwHighDateTime=0x1d5e459, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="Gam6UBN", cAlternateFileName="")) returned 1 [0155.813] lstrcmpiW (lpString1="Gam6UBN", lpString2="Windows") returned -1 [0155.813] lstrcmpiW (lpString1="Gam6UBN", lpString2="Program Files") returned -1 [0155.813] lstrcmpiW (lpString1="Gam6UBN", lpString2="Program Files (x86)") returned -1 [0155.813] lstrcmpiW (lpString1="Gam6UBN", lpString2="$Recycle.bin") returned 1 [0155.813] lstrcmpiW (lpString1="Gam6UBN", lpString2="System Volume Information") returned -1 [0155.813] lstrcmpiW (lpString1="Gam6UBN", lpString2=".") returned 1 [0155.813] lstrcmpiW (lpString1="Gam6UBN", lpString2="..") returned 1 [0155.814] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN") returned 62 [0155.814] GetProcessHeap () returned 0x4c0000 [0155.814] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0155.815] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN" [0155.815] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\*" [0155.815] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa4960d30, ftCreationTime.dwHighDateTime=0x1d5e4ad, ftLastAccessTime.dwLowDateTime=0xbf9e42e0, ftLastAccessTime.dwHighDateTime=0x1d5e459, ftLastWriteTime.dwLowDateTime=0xbf9e42e0, ftLastWriteTime.dwHighDateTime=0x1d5e459, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0155.815] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0155.815] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0155.815] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0155.815] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0155.815] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0155.815] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0155.815] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa4960d30, ftCreationTime.dwHighDateTime=0x1d5e4ad, ftLastAccessTime.dwLowDateTime=0xbf9e42e0, ftLastAccessTime.dwHighDateTime=0x1d5e459, ftLastWriteTime.dwLowDateTime=0xbf9e42e0, ftLastWriteTime.dwHighDateTime=0x1d5e459, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0155.815] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0155.815] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0155.815] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0155.815] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0155.815] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0155.815] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0155.816] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0155.816] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89a4b50, ftCreationTime.dwHighDateTime=0x1d5e384, ftLastAccessTime.dwLowDateTime=0x8785ee30, ftLastAccessTime.dwHighDateTime=0x1d5e2bf, ftLastWriteTime.dwLowDateTime=0x8785ee30, ftLastWriteTime.dwHighDateTime=0x1d5e2bf, nFileSizeHigh=0x0, nFileSizeLow=0x4fd2, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="d8yr0xGA.png", cAlternateFileName="")) returned 1 [0155.816] lstrcmpiW (lpString1="d8yr0xGA.png", lpString2="Windows") returned -1 [0155.816] lstrcmpiW (lpString1="d8yr0xGA.png", lpString2="Program Files") returned -1 [0155.816] lstrcmpiW (lpString1="d8yr0xGA.png", lpString2="Program Files (x86)") returned -1 [0155.816] lstrcmpiW (lpString1="d8yr0xGA.png", lpString2="$Recycle.bin") returned 1 [0155.816] lstrcmpiW (lpString1="d8yr0xGA.png", lpString2="System Volume Information") returned -1 [0155.816] lstrcmpiW (lpString1="d8yr0xGA.png", lpString2=".") returned 1 [0155.816] lstrcmpiW (lpString1="d8yr0xGA.png", lpString2="..") returned 1 [0155.816] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\d8yr0xGA.png") returned 75 [0155.816] lstrcmpW (lpString1="d8yr0xGA.png", lpString2="PUSSY.TXT") returned -1 [0155.816] PathFindExtensionW (pszPath="d8yr0xGA.png") returned=".png" [0155.816] lstrlenW (lpString=".png") returned 4 [0155.816] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0155.816] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\d8yr0xGA.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\gam6ubn\\d8yr0xga.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0155.817] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=20434) returned 1 [0155.817] GetProcessHeap () returned 0x4c0000 [0155.817] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0155.829] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="A6") returned 2 [0155.829] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="C2") returned 2 [0155.829] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="65") returned 2 [0155.829] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="B3") returned 2 [0155.830] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="CF") returned 2 [0155.830] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="57") returned 2 [0155.830] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="32") returned 2 [0155.830] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="D7") returned 2 [0155.830] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="18") returned 2 [0155.830] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="75") returned 2 [0155.830] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="F7") returned 2 [0155.830] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="F3") returned 2 [0155.830] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="CB") returned 2 [0155.830] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="BA") returned 2 [0155.830] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="61") returned 2 [0155.830] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="C5") returned 2 [0155.830] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="51") returned 2 [0155.830] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="1C") returned 2 [0155.830] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="92") returned 2 [0155.830] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="E2") returned 2 [0155.830] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="4F") returned 2 [0155.830] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="84") returned 2 [0155.830] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="4C") returned 2 [0155.830] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="AB") returned 2 [0155.830] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="97") returned 2 [0155.830] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="64") returned 2 [0155.830] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="08") returned 2 [0155.830] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="34") returned 2 [0155.830] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="79") returned 2 [0155.830] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="46") returned 2 [0155.830] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="5B") returned 2 [0155.830] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="76") returned 2 [0155.856] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\d8yr0xGA.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\d8yr0xGA.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\d8yr0xGA.png" [0155.856] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\d8yr0xGA.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\d8yr0xGA.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\d8yr0xGA.png" [0155.856] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\d8yr0xGA.png", lpString2=".A6C265B3CF5732D71875F7F3CBBA61C5511C92E24F844CAB9764083479465B76" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\d8yr0xGA.png.A6C265B3CF5732D71875F7F3CBBA61C5511C92E24F844CAB9764083479465B76") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\d8yr0xGA.png.A6C265B3CF5732D71875F7F3CBBA61C5511C92E24F844CAB9764083479465B76" [0155.857] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0155.857] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0155.882] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd9dc20, ftCreationTime.dwHighDateTime=0x1d5d830, ftLastAccessTime.dwLowDateTime=0x1c23c10, ftLastAccessTime.dwHighDateTime=0x1d5e05b, ftLastWriteTime.dwLowDateTime=0x1c23c10, ftLastWriteTime.dwHighDateTime=0x1d5e05b, nFileSizeHigh=0x0, nFileSizeLow=0xedc3, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="D_TxNc6.gif", cAlternateFileName="")) returned 1 [0155.882] lstrcmpiW (lpString1="D_TxNc6.gif", lpString2="Windows") returned -1 [0155.882] lstrcmpiW (lpString1="D_TxNc6.gif", lpString2="Program Files") returned -1 [0155.882] lstrcmpiW (lpString1="D_TxNc6.gif", lpString2="Program Files (x86)") returned -1 [0155.882] lstrcmpiW (lpString1="D_TxNc6.gif", lpString2="$Recycle.bin") returned 1 [0155.882] lstrcmpiW (lpString1="D_TxNc6.gif", lpString2="System Volume Information") returned -1 [0155.882] lstrcmpiW (lpString1="D_TxNc6.gif", lpString2=".") returned 1 [0155.882] lstrcmpiW (lpString1="D_TxNc6.gif", lpString2="..") returned 1 [0155.882] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\D_TxNc6.gif") returned 74 [0155.882] lstrcmpW (lpString1="D_TxNc6.gif", lpString2="PUSSY.TXT") returned -1 [0155.882] PathFindExtensionW (pszPath="D_TxNc6.gif") returned=".gif" [0155.882] lstrlenW (lpString=".gif") returned 4 [0155.882] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0155.882] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\D_TxNc6.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\gam6ubn\\d_txnc6.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x124 [0155.884] GetFileSizeEx (in: hFile=0x124, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=60867) returned 1 [0155.884] GetProcessHeap () returned 0x4c0000 [0155.884] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0155.898] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="29") returned 2 [0155.898] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="CB") returned 2 [0155.898] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="80") returned 2 [0155.898] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="0F") returned 2 [0155.898] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="0C") returned 2 [0155.898] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="56") returned 2 [0155.898] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="BD") returned 2 [0155.898] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="59") returned 2 [0155.898] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="F2") returned 2 [0155.898] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="D6") returned 2 [0155.898] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="7D") returned 2 [0155.898] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="CD") returned 2 [0155.898] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="E4") returned 2 [0155.898] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="F8") returned 2 [0155.898] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="70") returned 2 [0155.899] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="02") returned 2 [0155.899] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="47") returned 2 [0155.899] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="D8") returned 2 [0155.899] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="07") returned 2 [0155.899] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="42") returned 2 [0155.899] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="C0") returned 2 [0155.899] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="45") returned 2 [0155.899] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="A5") returned 2 [0155.899] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="4F") returned 2 [0155.899] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="28") returned 2 [0155.899] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="27") returned 2 [0155.899] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="3E") returned 2 [0155.899] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="7E") returned 2 [0155.899] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="87") returned 2 [0155.899] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="BB") returned 2 [0155.899] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="3B") returned 2 [0155.899] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="21") returned 2 [0155.915] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\D_TxNc6.gif" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\D_TxNc6.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\D_TxNc6.gif" [0155.916] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\D_TxNc6.gif" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\D_TxNc6.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\D_TxNc6.gif" [0155.916] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\D_TxNc6.gif", lpString2=".29CB800F0C56BD59F2D67DCDE4F8700247D80742C045A54F28273E7E87BB3B21" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\D_TxNc6.gif.29CB800F0C56BD59F2D67DCDE4F8700247D80742C045A54F28273E7E87BB3B21") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\D_TxNc6.gif.29CB800F0C56BD59F2D67DCDE4F8700247D80742C045A54F28273E7E87BB3B21" [0155.916] CreateIoCompletionPort (FileHandle=0x124, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0155.916] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0155.970] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c498af0, ftCreationTime.dwHighDateTime=0x1d5e486, ftLastAccessTime.dwLowDateTime=0xf42658e0, ftLastAccessTime.dwHighDateTime=0x1d5e517, ftLastWriteTime.dwLowDateTime=0xf42658e0, ftLastWriteTime.dwHighDateTime=0x1d5e517, nFileSizeHigh=0x0, nFileSizeLow=0x8f4c, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="GU5APZ4Tw.png", cAlternateFileName="GU5APZ~1.PNG")) returned 1 [0155.970] lstrcmpiW (lpString1="GU5APZ4Tw.png", lpString2="Windows") returned -1 [0155.970] lstrcmpiW (lpString1="GU5APZ4Tw.png", lpString2="Program Files") returned -1 [0155.970] lstrcmpiW (lpString1="GU5APZ4Tw.png", lpString2="Program Files (x86)") returned -1 [0155.970] lstrcmpiW (lpString1="GU5APZ4Tw.png", lpString2="$Recycle.bin") returned 1 [0155.970] lstrcmpiW (lpString1="GU5APZ4Tw.png", lpString2="System Volume Information") returned -1 [0155.970] lstrcmpiW (lpString1="GU5APZ4Tw.png", lpString2=".") returned 1 [0155.970] lstrcmpiW (lpString1="GU5APZ4Tw.png", lpString2="..") returned 1 [0155.970] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\GU5APZ4Tw.png") returned 76 [0155.970] lstrcmpW (lpString1="GU5APZ4Tw.png", lpString2="PUSSY.TXT") returned -1 [0155.970] PathFindExtensionW (pszPath="GU5APZ4Tw.png") returned=".png" [0155.970] lstrlenW (lpString=".png") returned 4 [0155.970] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0155.970] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\GU5APZ4Tw.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\gam6ubn\\gu5apz4tw.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x124 [0155.973] GetFileSizeEx (in: hFile=0x124, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=36684) returned 1 [0155.973] GetProcessHeap () returned 0x4c0000 [0155.973] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0155.981] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="24") returned 2 [0155.981] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="39") returned 2 [0155.981] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="68") returned 2 [0155.981] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="80") returned 2 [0155.981] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="88") returned 2 [0155.982] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="88") returned 2 [0155.982] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="42") returned 2 [0155.982] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="5A") returned 2 [0155.982] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="4D") returned 2 [0155.982] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="BE") returned 2 [0155.982] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="E4") returned 2 [0155.982] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="03") returned 2 [0155.982] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="FB") returned 2 [0155.982] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="2A") returned 2 [0155.982] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="A6") returned 2 [0155.982] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="BC") returned 2 [0155.982] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="EF") returned 2 [0155.982] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="2C") returned 2 [0155.982] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="B4") returned 2 [0155.982] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="19") returned 2 [0155.982] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="9E") returned 2 [0155.982] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="4B") returned 2 [0155.982] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="D8") returned 2 [0155.982] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="52") returned 2 [0155.982] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="D5") returned 2 [0155.982] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="55") returned 2 [0155.982] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="1C") returned 2 [0155.982] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="56") returned 2 [0155.983] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="41") returned 2 [0155.983] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="E6") returned 2 [0155.983] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="CF") returned 2 [0155.983] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="23") returned 2 [0155.992] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\GU5APZ4Tw.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\GU5APZ4Tw.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\GU5APZ4Tw.png" [0155.992] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\GU5APZ4Tw.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\GU5APZ4Tw.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\GU5APZ4Tw.png" [0155.992] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\GU5APZ4Tw.png", lpString2=".243968808888425A4DBEE403FB2AA6BCEF2CB4199E4BD852D5551C5641E6CF23" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\GU5APZ4Tw.png.243968808888425A4DBEE403FB2AA6BCEF2CB4199E4BD852D5551C5641E6CF23") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\GU5APZ4Tw.png.243968808888425A4DBEE403FB2AA6BCEF2CB4199E4BD852D5551C5641E6CF23" [0155.992] CreateIoCompletionPort (FileHandle=0x124, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0155.992] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0156.024] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e1791e0, ftCreationTime.dwHighDateTime=0x1d5e144, ftLastAccessTime.dwLowDateTime=0xe46b41d0, ftLastAccessTime.dwHighDateTime=0x1d5e487, ftLastWriteTime.dwLowDateTime=0xe46b41d0, ftLastWriteTime.dwHighDateTime=0x1d5e487, nFileSizeHigh=0x0, nFileSizeLow=0xdd9c, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="I4FUnuiyLDNq8ecE3N33.bmp", cAlternateFileName="I4FUNU~1.BMP")) returned 1 [0156.024] lstrcmpiW (lpString1="I4FUnuiyLDNq8ecE3N33.bmp", lpString2="Windows") returned -1 [0156.024] lstrcmpiW (lpString1="I4FUnuiyLDNq8ecE3N33.bmp", lpString2="Program Files") returned -1 [0156.024] lstrcmpiW (lpString1="I4FUnuiyLDNq8ecE3N33.bmp", lpString2="Program Files (x86)") returned -1 [0156.024] lstrcmpiW (lpString1="I4FUnuiyLDNq8ecE3N33.bmp", lpString2="$Recycle.bin") returned 1 [0156.024] lstrcmpiW (lpString1="I4FUnuiyLDNq8ecE3N33.bmp", lpString2="System Volume Information") returned -1 [0156.024] lstrcmpiW (lpString1="I4FUnuiyLDNq8ecE3N33.bmp", lpString2=".") returned 1 [0156.024] lstrcmpiW (lpString1="I4FUnuiyLDNq8ecE3N33.bmp", lpString2="..") returned 1 [0156.024] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\I4FUnuiyLDNq8ecE3N33.bmp") returned 87 [0156.024] lstrcmpW (lpString1="I4FUnuiyLDNq8ecE3N33.bmp", lpString2="PUSSY.TXT") returned -1 [0156.024] PathFindExtensionW (pszPath="I4FUnuiyLDNq8ecE3N33.bmp") returned=".bmp" [0156.024] lstrlenW (lpString=".bmp") returned 4 [0156.024] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0156.024] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\I4FUnuiyLDNq8ecE3N33.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\gam6ubn\\i4funuiyldnq8ece3n33.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x124 [0156.025] GetFileSizeEx (in: hFile=0x124, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=56732) returned 1 [0156.025] GetProcessHeap () returned 0x4c0000 [0156.025] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0156.033] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="A4") returned 2 [0156.033] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="5C") returned 2 [0156.033] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="B5") returned 2 [0156.033] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="D6") returned 2 [0156.033] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="3C") returned 2 [0156.033] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="71") returned 2 [0156.034] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="29") returned 2 [0156.034] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="EB") returned 2 [0156.034] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="33") returned 2 [0156.034] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="31") returned 2 [0156.034] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="D0") returned 2 [0156.034] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="52") returned 2 [0156.034] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="70") returned 2 [0156.034] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="6A") returned 2 [0156.034] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="10") returned 2 [0156.034] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="98") returned 2 [0156.034] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="2B") returned 2 [0156.034] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="8F") returned 2 [0156.034] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="B5") returned 2 [0156.034] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="AA") returned 2 [0156.034] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="31") returned 2 [0156.034] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="EF") returned 2 [0156.034] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="16") returned 2 [0156.034] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="CC") returned 2 [0156.034] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="3A") returned 2 [0156.034] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="E0") returned 2 [0156.034] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="CA") returned 2 [0156.034] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="90") returned 2 [0156.034] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="9E") returned 2 [0156.034] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="CF") returned 2 [0156.034] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="40") returned 2 [0156.034] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="7A") returned 2 [0156.042] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\I4FUnuiyLDNq8ecE3N33.bmp" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\I4FUnuiyLDNq8ecE3N33.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\I4FUnuiyLDNq8ecE3N33.bmp" [0156.042] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\I4FUnuiyLDNq8ecE3N33.bmp" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\I4FUnuiyLDNq8ecE3N33.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\I4FUnuiyLDNq8ecE3N33.bmp" [0156.042] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\I4FUnuiyLDNq8ecE3N33.bmp", lpString2=".A45CB5D63C7129EB3331D052706A10982B8FB5AA31EF16CC3AE0CA909ECF407A" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\I4FUnuiyLDNq8ecE3N33.bmp.A45CB5D63C7129EB3331D052706A10982B8FB5AA31EF16CC3AE0CA909ECF407A") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\I4FUnuiyLDNq8ecE3N33.bmp.A45CB5D63C7129EB3331D052706A10982B8FB5AA31EF16CC3AE0CA909ECF407A" [0156.042] CreateIoCompletionPort (FileHandle=0x124, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0156.043] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0156.076] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x38c89300, ftCreationTime.dwHighDateTime=0x1d5e770, ftLastAccessTime.dwLowDateTime=0x7f7e7cb0, ftLastAccessTime.dwHighDateTime=0x1d5e18a, ftLastWriteTime.dwLowDateTime=0x7f7e7cb0, ftLastWriteTime.dwHighDateTime=0x1d5e18a, nFileSizeHigh=0x0, nFileSizeLow=0x28cc, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="lB4EANCI.png", cAlternateFileName="")) returned 1 [0156.076] lstrcmpiW (lpString1="lB4EANCI.png", lpString2="Windows") returned -1 [0156.076] lstrcmpiW (lpString1="lB4EANCI.png", lpString2="Program Files") returned -1 [0156.076] lstrcmpiW (lpString1="lB4EANCI.png", lpString2="Program Files (x86)") returned -1 [0156.076] lstrcmpiW (lpString1="lB4EANCI.png", lpString2="$Recycle.bin") returned 1 [0156.076] lstrcmpiW (lpString1="lB4EANCI.png", lpString2="System Volume Information") returned -1 [0156.076] lstrcmpiW (lpString1="lB4EANCI.png", lpString2=".") returned 1 [0156.076] lstrcmpiW (lpString1="lB4EANCI.png", lpString2="..") returned 1 [0156.076] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\lB4EANCI.png") returned 75 [0156.076] lstrcmpW (lpString1="lB4EANCI.png", lpString2="PUSSY.TXT") returned -1 [0156.076] PathFindExtensionW (pszPath="lB4EANCI.png") returned=".png" [0156.076] lstrlenW (lpString=".png") returned 4 [0156.076] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0156.076] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\lB4EANCI.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\gam6ubn\\lb4eanci.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x124 [0156.077] GetFileSizeEx (in: hFile=0x124, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=10444) returned 1 [0156.077] GetProcessHeap () returned 0x4c0000 [0156.077] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0156.086] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="DB") returned 2 [0156.086] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="8E") returned 2 [0156.086] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="B4") returned 2 [0156.086] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="41") returned 2 [0156.086] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="A8") returned 2 [0156.086] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="79") returned 2 [0156.086] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="76") returned 2 [0156.086] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="40") returned 2 [0156.086] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="BE") returned 2 [0156.086] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="6A") returned 2 [0156.086] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="C6") returned 2 [0156.086] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="77") returned 2 [0156.086] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="09") returned 2 [0156.086] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="04") returned 2 [0156.086] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="D3") returned 2 [0156.086] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="DF") returned 2 [0156.086] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="E3") returned 2 [0156.086] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="32") returned 2 [0156.086] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="41") returned 2 [0156.086] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="DA") returned 2 [0156.086] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="2A") returned 2 [0156.087] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="90") returned 2 [0156.087] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="C6") returned 2 [0156.087] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="57") returned 2 [0156.087] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="25") returned 2 [0156.087] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="80") returned 2 [0156.087] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="C1") returned 2 [0156.087] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="F2") returned 2 [0156.087] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="15") returned 2 [0156.087] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="9D") returned 2 [0156.087] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="97") returned 2 [0156.087] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="3E") returned 2 [0156.095] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\lB4EANCI.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\lB4EANCI.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\lB4EANCI.png" [0156.095] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\lB4EANCI.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\lB4EANCI.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\lB4EANCI.png" [0156.095] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\lB4EANCI.png", lpString2=".DB8EB441A8797640BE6AC6770904D3DFE33241DA2A90C6572580C1F2159D973E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\lB4EANCI.png.DB8EB441A8797640BE6AC6770904D3DFE33241DA2A90C6572580C1F2159D973E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\lB4EANCI.png.DB8EB441A8797640BE6AC6770904D3DFE33241DA2A90C6572580C1F2159D973E" [0156.095] CreateIoCompletionPort (FileHandle=0x124, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0156.095] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0156.113] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x38c89300, ftCreationTime.dwHighDateTime=0x1d5e770, ftLastAccessTime.dwLowDateTime=0x7f7e7cb0, ftLastAccessTime.dwHighDateTime=0x1d5e18a, ftLastWriteTime.dwLowDateTime=0x7f7e7cb0, ftLastWriteTime.dwHighDateTime=0x1d5e18a, nFileSizeHigh=0x0, nFileSizeLow=0x28cc, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="lB4EANCI.png", cAlternateFileName="")) returned 0 [0156.113] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0156.113] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\PUSSY.TXT") returned 72 [0156.114] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\gam6ubn\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x120 [0156.115] lstrlenA (lpString="abcd") returned 4 [0156.115] WriteFile (in: hFile=0x120, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0156.116] CloseHandle (hObject=0x120) returned 1 [0156.116] GetProcessHeap () returned 0x4c0000 [0156.116] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0156.116] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdbb16fc0, ftCreationTime.dwHighDateTime=0x1d5dfae, ftLastAccessTime.dwLowDateTime=0x91a238e0, ftLastAccessTime.dwHighDateTime=0x1d5e497, ftLastWriteTime.dwLowDateTime=0x91a238e0, ftLastWriteTime.dwHighDateTime=0x1d5e497, nFileSizeHigh=0x0, nFileSizeLow=0x1528c, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="hyJTA5O3eZ6IAF4Op.bmp", cAlternateFileName="HYJTA5~1.BMP")) returned 1 [0156.116] lstrcmpiW (lpString1="hyJTA5O3eZ6IAF4Op.bmp", lpString2="Windows") returned -1 [0156.116] lstrcmpiW (lpString1="hyJTA5O3eZ6IAF4Op.bmp", lpString2="Program Files") returned -1 [0156.116] lstrcmpiW (lpString1="hyJTA5O3eZ6IAF4Op.bmp", lpString2="Program Files (x86)") returned -1 [0156.116] lstrcmpiW (lpString1="hyJTA5O3eZ6IAF4Op.bmp", lpString2="$Recycle.bin") returned 1 [0156.116] lstrcmpiW (lpString1="hyJTA5O3eZ6IAF4Op.bmp", lpString2="System Volume Information") returned -1 [0156.116] lstrcmpiW (lpString1="hyJTA5O3eZ6IAF4Op.bmp", lpString2=".") returned 1 [0156.116] lstrcmpiW (lpString1="hyJTA5O3eZ6IAF4Op.bmp", lpString2="..") returned 1 [0156.116] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\hyJTA5O3eZ6IAF4Op.bmp") returned 76 [0156.116] lstrcmpW (lpString1="hyJTA5O3eZ6IAF4Op.bmp", lpString2="PUSSY.TXT") returned -1 [0156.116] PathFindExtensionW (pszPath="hyJTA5O3eZ6IAF4Op.bmp") returned=".bmp" [0156.116] lstrlenW (lpString=".bmp") returned 4 [0156.116] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0156.116] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\hyJTA5O3eZ6IAF4Op.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\hyjta5o3ez6iaf4op.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0156.117] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=86668) returned 1 [0156.117] GetProcessHeap () returned 0x4c0000 [0156.117] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0156.130] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="32") returned 2 [0156.130] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="62") returned 2 [0156.130] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="A1") returned 2 [0156.130] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="9E") returned 2 [0156.130] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="DF") returned 2 [0156.130] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="D7") returned 2 [0156.130] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="2D") returned 2 [0156.131] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="F8") returned 2 [0156.131] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="06") returned 2 [0156.131] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="A6") returned 2 [0156.131] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="F3") returned 2 [0156.131] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="67") returned 2 [0156.131] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="D9") returned 2 [0156.131] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="B2") returned 2 [0156.131] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="F2") returned 2 [0156.131] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="E2") returned 2 [0156.131] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="CD") returned 2 [0156.131] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="F5") returned 2 [0156.131] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="12") returned 2 [0156.131] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="7A") returned 2 [0156.131] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="6B") returned 2 [0156.131] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="89") returned 2 [0156.131] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="7F") returned 2 [0156.131] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="E7") returned 2 [0156.131] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="C4") returned 2 [0156.131] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="A6") returned 2 [0156.131] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="F7") returned 2 [0156.131] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="5B") returned 2 [0156.131] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="8B") returned 2 [0156.131] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="B4") returned 2 [0156.131] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="40") returned 2 [0156.131] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="7D") returned 2 [0156.144] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\hyJTA5O3eZ6IAF4Op.bmp" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\hyJTA5O3eZ6IAF4Op.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\hyJTA5O3eZ6IAF4Op.bmp" [0156.144] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\hyJTA5O3eZ6IAF4Op.bmp" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\hyJTA5O3eZ6IAF4Op.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\hyJTA5O3eZ6IAF4Op.bmp" [0156.144] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\hyJTA5O3eZ6IAF4Op.bmp", lpString2=".3262A19EDFD72DF806A6F367D9B2F2E2CDF5127A6B897FE7C4A6F75B8BB4407D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\hyJTA5O3eZ6IAF4Op.bmp.3262A19EDFD72DF806A6F367D9B2F2E2CDF5127A6B897FE7C4A6F75B8BB4407D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\hyJTA5O3eZ6IAF4Op.bmp.3262A19EDFD72DF806A6F367D9B2F2E2CDF5127A6B897FE7C4A6F75B8BB4407D" [0156.144] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0156.145] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0156.190] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4efa0fb0, ftCreationTime.dwHighDateTime=0x1d5e521, ftLastAccessTime.dwLowDateTime=0x34d000d0, ftLastAccessTime.dwHighDateTime=0x1d5e57c, ftLastWriteTime.dwLowDateTime=0x34d000d0, ftLastWriteTime.dwHighDateTime=0x1d5e57c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="juol4xTqVzS0BOezLm", cAlternateFileName="JUOL4X~1")) returned 1 [0156.191] lstrcmpiW (lpString1="juol4xTqVzS0BOezLm", lpString2="Windows") returned -1 [0156.191] lstrcmpiW (lpString1="juol4xTqVzS0BOezLm", lpString2="Program Files") returned -1 [0156.191] lstrcmpiW (lpString1="juol4xTqVzS0BOezLm", lpString2="Program Files (x86)") returned -1 [0156.191] lstrcmpiW (lpString1="juol4xTqVzS0BOezLm", lpString2="$Recycle.bin") returned 1 [0156.191] lstrcmpiW (lpString1="juol4xTqVzS0BOezLm", lpString2="System Volume Information") returned -1 [0156.191] lstrcmpiW (lpString1="juol4xTqVzS0BOezLm", lpString2=".") returned 1 [0156.191] lstrcmpiW (lpString1="juol4xTqVzS0BOezLm", lpString2="..") returned 1 [0156.191] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm") returned 73 [0156.191] GetProcessHeap () returned 0x4c0000 [0156.191] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0156.191] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm" [0156.191] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\*" [0156.191] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4efa0fb0, ftCreationTime.dwHighDateTime=0x1d5e521, ftLastAccessTime.dwLowDateTime=0x34d000d0, ftLastAccessTime.dwHighDateTime=0x1d5e57c, ftLastWriteTime.dwLowDateTime=0x34d000d0, ftLastWriteTime.dwHighDateTime=0x1d5e57c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0156.191] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0156.191] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0156.191] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0156.191] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0156.191] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0156.191] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0156.191] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4efa0fb0, ftCreationTime.dwHighDateTime=0x1d5e521, ftLastAccessTime.dwLowDateTime=0x34d000d0, ftLastAccessTime.dwHighDateTime=0x1d5e57c, ftLastWriteTime.dwLowDateTime=0x34d000d0, ftLastWriteTime.dwHighDateTime=0x1d5e57c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0156.191] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0156.191] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0156.191] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0156.191] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0156.191] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0156.192] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0156.192] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0156.192] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb85b4420, ftCreationTime.dwHighDateTime=0x1d5d9b3, ftLastAccessTime.dwLowDateTime=0x5d02c4d0, ftLastAccessTime.dwHighDateTime=0x1d5ddfb, ftLastWriteTime.dwLowDateTime=0x5d02c4d0, ftLastWriteTime.dwHighDateTime=0x1d5ddfb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="2n948L34tgvG", cAlternateFileName="2N948L~1")) returned 1 [0156.192] lstrcmpiW (lpString1="2n948L34tgvG", lpString2="Windows") returned -1 [0156.192] lstrcmpiW (lpString1="2n948L34tgvG", lpString2="Program Files") returned -1 [0156.192] lstrcmpiW (lpString1="2n948L34tgvG", lpString2="Program Files (x86)") returned -1 [0156.192] lstrcmpiW (lpString1="2n948L34tgvG", lpString2="$Recycle.bin") returned 1 [0156.192] lstrcmpiW (lpString1="2n948L34tgvG", lpString2="System Volume Information") returned -1 [0156.192] lstrcmpiW (lpString1="2n948L34tgvG", lpString2=".") returned 1 [0156.192] lstrcmpiW (lpString1="2n948L34tgvG", lpString2="..") returned 1 [0156.192] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG") returned 86 [0156.192] GetProcessHeap () returned 0x4c0000 [0156.192] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0156.192] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG" [0156.192] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG\\*" [0156.192] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb85b4420, ftCreationTime.dwHighDateTime=0x1d5d9b3, ftLastAccessTime.dwLowDateTime=0x5d02c4d0, ftLastAccessTime.dwHighDateTime=0x1d5ddfb, ftLastWriteTime.dwLowDateTime=0x5d02c4d0, ftLastWriteTime.dwHighDateTime=0x1d5ddfb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0156.192] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0156.192] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0156.193] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0156.193] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0156.193] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0156.193] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0156.193] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb85b4420, ftCreationTime.dwHighDateTime=0x1d5d9b3, ftLastAccessTime.dwLowDateTime=0x5d02c4d0, ftLastAccessTime.dwHighDateTime=0x1d5ddfb, ftLastWriteTime.dwLowDateTime=0x5d02c4d0, ftLastWriteTime.dwHighDateTime=0x1d5ddfb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0156.193] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0156.193] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0156.193] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0156.193] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0156.193] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0156.193] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0156.193] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0156.193] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57c3fbf0, ftCreationTime.dwHighDateTime=0x1d5df05, ftLastAccessTime.dwLowDateTime=0x6411aac0, ftLastAccessTime.dwHighDateTime=0x1d5d978, ftLastWriteTime.dwLowDateTime=0x6411aac0, ftLastWriteTime.dwHighDateTime=0x1d5d978, nFileSizeHigh=0x0, nFileSizeLow=0x13430, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="EapIZfAo_VRPUK0XM-cW.png", cAlternateFileName="EAPIZF~1.PNG")) returned 1 [0156.193] lstrcmpiW (lpString1="EapIZfAo_VRPUK0XM-cW.png", lpString2="Windows") returned -1 [0156.193] lstrcmpiW (lpString1="EapIZfAo_VRPUK0XM-cW.png", lpString2="Program Files") returned -1 [0156.193] lstrcmpiW (lpString1="EapIZfAo_VRPUK0XM-cW.png", lpString2="Program Files (x86)") returned -1 [0156.193] lstrcmpiW (lpString1="EapIZfAo_VRPUK0XM-cW.png", lpString2="$Recycle.bin") returned 1 [0156.193] lstrcmpiW (lpString1="EapIZfAo_VRPUK0XM-cW.png", lpString2="System Volume Information") returned -1 [0156.193] lstrcmpiW (lpString1="EapIZfAo_VRPUK0XM-cW.png", lpString2=".") returned 1 [0156.193] lstrcmpiW (lpString1="EapIZfAo_VRPUK0XM-cW.png", lpString2="..") returned 1 [0156.193] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG\\EapIZfAo_VRPUK0XM-cW.png") returned 111 [0156.193] lstrcmpW (lpString1="EapIZfAo_VRPUK0XM-cW.png", lpString2="PUSSY.TXT") returned -1 [0156.193] PathFindExtensionW (pszPath="EapIZfAo_VRPUK0XM-cW.png") returned=".png" [0156.193] lstrlenW (lpString=".png") returned 4 [0156.193] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0156.193] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG\\EapIZfAo_VRPUK0XM-cW.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\2n948l34tgvg\\eapizfao_vrpuk0xm-cw.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0156.194] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=78896) returned 1 [0156.194] GetProcessHeap () returned 0x4c0000 [0156.194] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0156.203] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="04") returned 2 [0156.203] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="C0") returned 2 [0156.203] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="FD") returned 2 [0156.203] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="56") returned 2 [0156.203] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="86") returned 2 [0156.203] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="79") returned 2 [0156.203] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="EE") returned 2 [0156.203] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="8D") returned 2 [0156.203] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="76") returned 2 [0156.203] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="DD") returned 2 [0156.203] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="33") returned 2 [0156.203] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="AB") returned 2 [0156.203] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="3C") returned 2 [0156.203] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="38") returned 2 [0156.203] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="C1") returned 2 [0156.203] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="8C") returned 2 [0156.203] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="65") returned 2 [0156.203] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="7B") returned 2 [0156.203] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="8F") returned 2 [0156.203] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="23") returned 2 [0156.203] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="F8") returned 2 [0156.203] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="81") returned 2 [0156.203] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="2B") returned 2 [0156.203] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="55") returned 2 [0156.203] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="E6") returned 2 [0156.203] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="FD") returned 2 [0156.203] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="D3") returned 2 [0156.203] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="7D") returned 2 [0156.203] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="82") returned 2 [0156.204] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="C0") returned 2 [0156.204] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="31") returned 2 [0156.204] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="04") returned 2 [0156.212] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG\\EapIZfAo_VRPUK0XM-cW.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG\\EapIZfAo_VRPUK0XM-cW.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG\\EapIZfAo_VRPUK0XM-cW.png" [0156.212] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG\\EapIZfAo_VRPUK0XM-cW.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG\\EapIZfAo_VRPUK0XM-cW.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG\\EapIZfAo_VRPUK0XM-cW.png" [0156.212] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG\\EapIZfAo_VRPUK0XM-cW.png", lpString2=".04C0FD568679EE8D76DD33AB3C38C18C657B8F23F8812B55E6FDD37D82C03104" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG\\EapIZfAo_VRPUK0XM-cW.png.04C0FD568679EE8D76DD33AB3C38C18C657B8F23F8812B55E6FDD37D82C03104") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG\\EapIZfAo_VRPUK0XM-cW.png.04C0FD568679EE8D76DD33AB3C38C18C657B8F23F8812B55E6FDD37D82C03104" [0156.212] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0156.212] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0156.248] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d17b1d0, ftCreationTime.dwHighDateTime=0x1d5da64, ftLastAccessTime.dwLowDateTime=0xb0c463e0, ftLastAccessTime.dwHighDateTime=0x1d5dec2, ftLastWriteTime.dwLowDateTime=0xb0c463e0, ftLastWriteTime.dwHighDateTime=0x1d5dec2, nFileSizeHigh=0x0, nFileSizeLow=0xc1c, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="Gm39.jpg", cAlternateFileName="")) returned 1 [0156.248] lstrcmpiW (lpString1="Gm39.jpg", lpString2="Windows") returned -1 [0156.248] lstrcmpiW (lpString1="Gm39.jpg", lpString2="Program Files") returned -1 [0156.248] lstrcmpiW (lpString1="Gm39.jpg", lpString2="Program Files (x86)") returned -1 [0156.248] lstrcmpiW (lpString1="Gm39.jpg", lpString2="$Recycle.bin") returned 1 [0156.248] lstrcmpiW (lpString1="Gm39.jpg", lpString2="System Volume Information") returned -1 [0156.248] lstrcmpiW (lpString1="Gm39.jpg", lpString2=".") returned 1 [0156.248] lstrcmpiW (lpString1="Gm39.jpg", lpString2="..") returned 1 [0156.248] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG\\Gm39.jpg") returned 95 [0156.248] lstrcmpW (lpString1="Gm39.jpg", lpString2="PUSSY.TXT") returned -1 [0156.248] PathFindExtensionW (pszPath="Gm39.jpg") returned=".jpg" [0156.248] lstrlenW (lpString=".jpg") returned 4 [0156.248] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0156.248] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG\\Gm39.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\2n948l34tgvg\\gm39.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0156.249] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=3100) returned 1 [0156.249] GetProcessHeap () returned 0x4c0000 [0156.249] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0156.257] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="93") returned 2 [0156.257] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="8E") returned 2 [0156.258] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="1B") returned 2 [0156.258] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="8C") returned 2 [0156.258] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="22") returned 2 [0156.258] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="1E") returned 2 [0156.258] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="89") returned 2 [0156.258] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="E5") returned 2 [0156.258] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="FA") returned 2 [0156.258] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="0D") returned 2 [0156.258] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="B6") returned 2 [0156.258] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="6A") returned 2 [0156.258] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="7F") returned 2 [0156.258] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="7D") returned 2 [0156.258] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="F6") returned 2 [0156.258] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="15") returned 2 [0156.258] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="C8") returned 2 [0156.258] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="3E") returned 2 [0156.258] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="D8") returned 2 [0156.258] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="00") returned 2 [0156.258] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="82") returned 2 [0156.258] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="71") returned 2 [0156.258] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="A9") returned 2 [0156.258] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="A0") returned 2 [0156.258] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="EB") returned 2 [0156.258] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="3F") returned 2 [0156.258] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="51") returned 2 [0156.258] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="3B") returned 2 [0156.258] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="B2") returned 2 [0156.258] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="DE") returned 2 [0156.261] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="53") returned 2 [0156.261] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="7D") returned 2 [0156.270] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG\\Gm39.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG\\Gm39.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG\\Gm39.jpg" [0156.270] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG\\Gm39.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG\\Gm39.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG\\Gm39.jpg" [0156.270] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG\\Gm39.jpg", lpString2=".938E1B8C221E89E5FA0DB66A7F7DF615C83ED8008271A9A0EB3F513BB2DE537D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG\\Gm39.jpg.938E1B8C221E89E5FA0DB66A7F7DF615C83ED8008271A9A0EB3F513BB2DE537D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG\\Gm39.jpg.938E1B8C221E89E5FA0DB66A7F7DF615C83ED8008271A9A0EB3F513BB2DE537D" [0156.270] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0156.270] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0156.278] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2988ad0, ftCreationTime.dwHighDateTime=0x1d5d837, ftLastAccessTime.dwLowDateTime=0xb65797b0, ftLastAccessTime.dwHighDateTime=0x1d5db2e, ftLastWriteTime.dwLowDateTime=0xb65797b0, ftLastWriteTime.dwHighDateTime=0x1d5db2e, nFileSizeHigh=0x0, nFileSizeLow=0xd470, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="kSo74.jpg", cAlternateFileName="")) returned 1 [0156.278] lstrcmpiW (lpString1="kSo74.jpg", lpString2="Windows") returned -1 [0156.278] lstrcmpiW (lpString1="kSo74.jpg", lpString2="Program Files") returned -1 [0156.278] lstrcmpiW (lpString1="kSo74.jpg", lpString2="Program Files (x86)") returned -1 [0156.278] lstrcmpiW (lpString1="kSo74.jpg", lpString2="$Recycle.bin") returned 1 [0156.278] lstrcmpiW (lpString1="kSo74.jpg", lpString2="System Volume Information") returned -1 [0156.278] lstrcmpiW (lpString1="kSo74.jpg", lpString2=".") returned 1 [0156.278] lstrcmpiW (lpString1="kSo74.jpg", lpString2="..") returned 1 [0156.278] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG\\kSo74.jpg") returned 96 [0156.278] lstrcmpW (lpString1="kSo74.jpg", lpString2="PUSSY.TXT") returned -1 [0156.279] PathFindExtensionW (pszPath="kSo74.jpg") returned=".jpg" [0156.279] lstrlenW (lpString=".jpg") returned 4 [0156.279] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0156.279] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG\\kSo74.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\2n948l34tgvg\\kso74.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0156.280] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=54384) returned 1 [0156.280] GetProcessHeap () returned 0x4c0000 [0156.280] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0156.288] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="E0") returned 2 [0156.288] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="CA") returned 2 [0156.288] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="65") returned 2 [0156.288] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="3C") returned 2 [0156.288] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="94") returned 2 [0156.288] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="E2") returned 2 [0156.288] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="D3") returned 2 [0156.288] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="A5") returned 2 [0156.288] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="3D") returned 2 [0156.288] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="E7") returned 2 [0156.288] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="69") returned 2 [0156.288] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="CC") returned 2 [0156.288] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="31") returned 2 [0156.288] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="DE") returned 2 [0156.288] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="F8") returned 2 [0156.288] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="29") returned 2 [0156.289] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="0B") returned 2 [0156.289] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="6B") returned 2 [0156.289] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="02") returned 2 [0156.289] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="5D") returned 2 [0156.289] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="D7") returned 2 [0156.289] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="1D") returned 2 [0156.289] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="49") returned 2 [0156.289] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="81") returned 2 [0156.289] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="B3") returned 2 [0156.289] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="3C") returned 2 [0156.289] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="0F") returned 2 [0156.289] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="50") returned 2 [0156.289] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="B7") returned 2 [0156.289] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="EB") returned 2 [0156.289] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="23") returned 2 [0156.289] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="37") returned 2 [0156.307] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG\\kSo74.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG\\kSo74.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG\\kSo74.jpg" [0156.307] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG\\kSo74.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG\\kSo74.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG\\kSo74.jpg" [0156.307] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG\\kSo74.jpg", lpString2=".E0CA653C94E2D3A53DE769CC31DEF8290B6B025DD71D4981B33C0F50B7EB2337" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG\\kSo74.jpg.E0CA653C94E2D3A53DE769CC31DEF8290B6B025DD71D4981B33C0F50B7EB2337") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG\\kSo74.jpg.E0CA653C94E2D3A53DE769CC31DEF8290B6B025DD71D4981B33C0F50B7EB2337" [0156.307] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0156.307] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0156.340] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2988ad0, ftCreationTime.dwHighDateTime=0x1d5d837, ftLastAccessTime.dwLowDateTime=0xb65797b0, ftLastAccessTime.dwHighDateTime=0x1d5db2e, ftLastWriteTime.dwLowDateTime=0xb65797b0, ftLastWriteTime.dwHighDateTime=0x1d5db2e, nFileSizeHigh=0x0, nFileSizeLow=0xd470, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="kSo74.jpg", cAlternateFileName="")) returned 0 [0156.340] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0156.340] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG\\PUSSY.TXT") returned 96 [0156.340] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\2n948l34tgvg\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x124 [0156.341] lstrlenA (lpString="abcd") returned 4 [0156.341] WriteFile (in: hFile=0x124, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0156.342] CloseHandle (hObject=0x124) returned 1 [0156.342] GetProcessHeap () returned 0x4c0000 [0156.342] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0156.345] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91e9b310, ftCreationTime.dwHighDateTime=0x1d5e711, ftLastAccessTime.dwLowDateTime=0x63955470, ftLastAccessTime.dwHighDateTime=0x1d5e792, ftLastWriteTime.dwLowDateTime=0x63955470, ftLastWriteTime.dwHighDateTime=0x1d5e792, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="P8vNB3ngVTYiwbuP", cAlternateFileName="P8VNB3~1")) returned 1 [0156.345] lstrcmpiW (lpString1="P8vNB3ngVTYiwbuP", lpString2="Windows") returned -1 [0156.345] lstrcmpiW (lpString1="P8vNB3ngVTYiwbuP", lpString2="Program Files") returned -1 [0156.345] lstrcmpiW (lpString1="P8vNB3ngVTYiwbuP", lpString2="Program Files (x86)") returned -1 [0156.345] lstrcmpiW (lpString1="P8vNB3ngVTYiwbuP", lpString2="$Recycle.bin") returned 1 [0156.345] lstrcmpiW (lpString1="P8vNB3ngVTYiwbuP", lpString2="System Volume Information") returned -1 [0156.345] lstrcmpiW (lpString1="P8vNB3ngVTYiwbuP", lpString2=".") returned 1 [0156.345] lstrcmpiW (lpString1="P8vNB3ngVTYiwbuP", lpString2="..") returned 1 [0156.345] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP") returned 90 [0156.345] GetProcessHeap () returned 0x4c0000 [0156.345] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0156.346] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP" [0156.346] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\*" [0156.346] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91e9b310, ftCreationTime.dwHighDateTime=0x1d5e711, ftLastAccessTime.dwLowDateTime=0x63955470, ftLastAccessTime.dwHighDateTime=0x1d5e792, ftLastWriteTime.dwLowDateTime=0x63955470, ftLastWriteTime.dwHighDateTime=0x1d5e792, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0156.346] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0156.346] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0156.346] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0156.346] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0156.346] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0156.346] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0156.346] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91e9b310, ftCreationTime.dwHighDateTime=0x1d5e711, ftLastAccessTime.dwLowDateTime=0x63955470, ftLastAccessTime.dwHighDateTime=0x1d5e792, ftLastWriteTime.dwLowDateTime=0x63955470, ftLastWriteTime.dwHighDateTime=0x1d5e792, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0156.346] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0156.346] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0156.346] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0156.346] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0156.346] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0156.347] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0156.347] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0156.347] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc26400, ftCreationTime.dwHighDateTime=0x1d5e558, ftLastAccessTime.dwLowDateTime=0x3bf39c60, ftLastAccessTime.dwHighDateTime=0x1d5e73d, ftLastWriteTime.dwLowDateTime=0x3bf39c60, ftLastWriteTime.dwHighDateTime=0x1d5e73d, nFileSizeHigh=0x0, nFileSizeLow=0xe06c, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="10Dg.gif", cAlternateFileName="")) returned 1 [0156.347] lstrcmpiW (lpString1="10Dg.gif", lpString2="Windows") returned -1 [0156.347] lstrcmpiW (lpString1="10Dg.gif", lpString2="Program Files") returned -1 [0156.347] lstrcmpiW (lpString1="10Dg.gif", lpString2="Program Files (x86)") returned -1 [0156.347] lstrcmpiW (lpString1="10Dg.gif", lpString2="$Recycle.bin") returned 1 [0156.347] lstrcmpiW (lpString1="10Dg.gif", lpString2="System Volume Information") returned -1 [0156.347] lstrcmpiW (lpString1="10Dg.gif", lpString2=".") returned 1 [0156.347] lstrcmpiW (lpString1="10Dg.gif", lpString2="..") returned 1 [0156.347] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\10Dg.gif") returned 99 [0156.347] lstrcmpW (lpString1="10Dg.gif", lpString2="PUSSY.TXT") returned -1 [0156.347] PathFindExtensionW (pszPath="10Dg.gif") returned=".gif" [0156.347] lstrlenW (lpString=".gif") returned 4 [0156.347] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0156.347] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\10Dg.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\p8vnb3ngvtyiwbup\\10dg.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0156.349] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=57452) returned 1 [0156.349] GetProcessHeap () returned 0x4c0000 [0156.349] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0156.360] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="C5") returned 2 [0156.360] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="48") returned 2 [0156.360] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="F3") returned 2 [0156.360] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="83") returned 2 [0156.360] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="3F") returned 2 [0156.360] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="8E") returned 2 [0156.360] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="96") returned 2 [0156.360] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="F8") returned 2 [0156.360] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="91") returned 2 [0156.360] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="82") returned 2 [0156.360] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="60") returned 2 [0156.360] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="BC") returned 2 [0156.360] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="9E") returned 2 [0156.360] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="A4") returned 2 [0156.360] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="C0") returned 2 [0156.360] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="7B") returned 2 [0156.360] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="51") returned 2 [0156.360] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="1E") returned 2 [0156.360] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="EE") returned 2 [0156.361] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="AC") returned 2 [0156.361] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="A5") returned 2 [0156.361] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="C6") returned 2 [0156.361] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="83") returned 2 [0156.361] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="57") returned 2 [0156.361] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="56") returned 2 [0156.361] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="B3") returned 2 [0156.361] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="C2") returned 2 [0156.361] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="45") returned 2 [0156.361] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="2E") returned 2 [0156.361] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="23") returned 2 [0156.361] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="C0") returned 2 [0156.361] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="4F") returned 2 [0156.370] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\10Dg.gif" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\10Dg.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\10Dg.gif" [0156.370] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\10Dg.gif" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\10Dg.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\10Dg.gif" [0156.370] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\10Dg.gif", lpString2=".C548F3833F8E96F8918260BC9EA4C07B511EEEACA5C6835756B3C2452E23C04F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\10Dg.gif.C548F3833F8E96F8918260BC9EA4C07B511EEEACA5C6835756B3C2452E23C04F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\10Dg.gif.C548F3833F8E96F8918260BC9EA4C07B511EEEACA5C6835756B3C2452E23C04F" [0156.370] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0156.370] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0156.403] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x495bb710, ftCreationTime.dwHighDateTime=0x1d5e20c, ftLastAccessTime.dwLowDateTime=0x5aab09b0, ftLastAccessTime.dwHighDateTime=0x1d5dd6d, ftLastWriteTime.dwLowDateTime=0x5aab09b0, ftLastWriteTime.dwHighDateTime=0x1d5dd6d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="dmZhPX3 2DF4PZBW", cAlternateFileName="DMZHPX~1")) returned 1 [0156.403] lstrcmpiW (lpString1="dmZhPX3 2DF4PZBW", lpString2="Windows") returned -1 [0156.403] lstrcmpiW (lpString1="dmZhPX3 2DF4PZBW", lpString2="Program Files") returned -1 [0156.403] lstrcmpiW (lpString1="dmZhPX3 2DF4PZBW", lpString2="Program Files (x86)") returned -1 [0156.403] lstrcmpiW (lpString1="dmZhPX3 2DF4PZBW", lpString2="$Recycle.bin") returned 1 [0156.403] lstrcmpiW (lpString1="dmZhPX3 2DF4PZBW", lpString2="System Volume Information") returned -1 [0156.403] lstrcmpiW (lpString1="dmZhPX3 2DF4PZBW", lpString2=".") returned 1 [0156.404] lstrcmpiW (lpString1="dmZhPX3 2DF4PZBW", lpString2="..") returned 1 [0156.404] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW") returned 107 [0156.404] GetProcessHeap () returned 0x4c0000 [0156.404] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0156.404] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW" [0156.405] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\*" [0156.405] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x495bb710, ftCreationTime.dwHighDateTime=0x1d5e20c, ftLastAccessTime.dwLowDateTime=0x5aab09b0, ftLastAccessTime.dwHighDateTime=0x1d5dd6d, ftLastWriteTime.dwLowDateTime=0x5aab09b0, ftLastWriteTime.dwHighDateTime=0x1d5dd6d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0156.405] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0156.405] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0156.405] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0156.405] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0156.405] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0156.405] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0156.405] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x495bb710, ftCreationTime.dwHighDateTime=0x1d5e20c, ftLastAccessTime.dwLowDateTime=0x5aab09b0, ftLastAccessTime.dwHighDateTime=0x1d5dd6d, ftLastWriteTime.dwLowDateTime=0x5aab09b0, ftLastWriteTime.dwHighDateTime=0x1d5dd6d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0156.405] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0156.405] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0156.405] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0156.405] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0156.405] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0156.405] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0156.405] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0156.405] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd9e2a710, ftCreationTime.dwHighDateTime=0x1d5e10a, ftLastAccessTime.dwLowDateTime=0x64783090, ftLastAccessTime.dwHighDateTime=0x1d5e0d2, ftLastWriteTime.dwLowDateTime=0x64783090, ftLastWriteTime.dwHighDateTime=0x1d5e0d2, nFileSizeHigh=0x0, nFileSizeLow=0xb2b2, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="9kasv8v8KYbh-7.jpg", cAlternateFileName="9KASV8~1.JPG")) returned 1 [0156.405] lstrcmpiW (lpString1="9kasv8v8KYbh-7.jpg", lpString2="Windows") returned -1 [0156.405] lstrcmpiW (lpString1="9kasv8v8KYbh-7.jpg", lpString2="Program Files") returned -1 [0156.405] lstrcmpiW (lpString1="9kasv8v8KYbh-7.jpg", lpString2="Program Files (x86)") returned -1 [0156.405] lstrcmpiW (lpString1="9kasv8v8KYbh-7.jpg", lpString2="$Recycle.bin") returned 1 [0156.405] lstrcmpiW (lpString1="9kasv8v8KYbh-7.jpg", lpString2="System Volume Information") returned -1 [0156.405] lstrcmpiW (lpString1="9kasv8v8KYbh-7.jpg", lpString2=".") returned 1 [0156.405] lstrcmpiW (lpString1="9kasv8v8KYbh-7.jpg", lpString2="..") returned 1 [0156.405] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\9kasv8v8KYbh-7.jpg") returned 126 [0156.405] lstrcmpW (lpString1="9kasv8v8KYbh-7.jpg", lpString2="PUSSY.TXT") returned -1 [0156.405] PathFindExtensionW (pszPath="9kasv8v8KYbh-7.jpg") returned=".jpg" [0156.405] lstrlenW (lpString=".jpg") returned 4 [0156.405] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0156.406] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\9kasv8v8KYbh-7.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\p8vnb3ngvtyiwbup\\dmzhpx3 2df4pzbw\\9kasv8v8kybh-7.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0156.406] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=45746) returned 1 [0156.407] GetProcessHeap () returned 0x4c0000 [0156.407] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0156.415] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="27") returned 2 [0156.415] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="86") returned 2 [0156.415] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="1D") returned 2 [0156.415] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="A6") returned 2 [0156.415] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="F5") returned 2 [0156.415] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="EC") returned 2 [0156.415] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="00") returned 2 [0156.415] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="3E") returned 2 [0156.415] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="5D") returned 2 [0156.415] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="6D") returned 2 [0156.415] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="D3") returned 2 [0156.415] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="D6") returned 2 [0156.415] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="19") returned 2 [0156.415] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="CB") returned 2 [0156.415] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="07") returned 2 [0156.415] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="A2") returned 2 [0156.415] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="19") returned 2 [0156.415] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="0A") returned 2 [0156.415] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="D5") returned 2 [0156.416] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="EA") returned 2 [0156.416] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="01") returned 2 [0156.416] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="B5") returned 2 [0156.416] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="E7") returned 2 [0156.416] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="2F") returned 2 [0156.416] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="72") returned 2 [0156.416] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="F7") returned 2 [0156.416] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="E1") returned 2 [0156.416] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="D6") returned 2 [0156.416] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="08") returned 2 [0156.416] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="78") returned 2 [0156.416] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="BC") returned 2 [0156.416] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="26") returned 2 [0156.424] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\9kasv8v8KYbh-7.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\9kasv8v8KYbh-7.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\9kasv8v8KYbh-7.jpg" [0156.424] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\9kasv8v8KYbh-7.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\9kasv8v8KYbh-7.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\9kasv8v8KYbh-7.jpg" [0156.424] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\9kasv8v8KYbh-7.jpg", lpString2=".27861DA6F5EC003E5D6DD3D619CB07A2190AD5EA01B5E72F72F7E1D60878BC26" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\9kasv8v8KYbh-7.jpg.27861DA6F5EC003E5D6DD3D619CB07A2190AD5EA01B5E72F72F7E1D60878BC26") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\9kasv8v8KYbh-7.jpg.27861DA6F5EC003E5D6DD3D619CB07A2190AD5EA01B5E72F72F7E1D60878BC26" [0156.424] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0156.424] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0156.458] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5a8e2e0, ftCreationTime.dwHighDateTime=0x1d5dc2c, ftLastAccessTime.dwLowDateTime=0x69bc7c30, ftLastAccessTime.dwHighDateTime=0x1d5e822, ftLastWriteTime.dwLowDateTime=0x69bc7c30, ftLastWriteTime.dwHighDateTime=0x1d5e822, nFileSizeHigh=0x0, nFileSizeLow=0xe7dc, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="fUGm5.jpg", cAlternateFileName="")) returned 1 [0156.459] lstrcmpiW (lpString1="fUGm5.jpg", lpString2="Windows") returned -1 [0156.459] lstrcmpiW (lpString1="fUGm5.jpg", lpString2="Program Files") returned -1 [0156.459] lstrcmpiW (lpString1="fUGm5.jpg", lpString2="Program Files (x86)") returned -1 [0156.459] lstrcmpiW (lpString1="fUGm5.jpg", lpString2="$Recycle.bin") returned 1 [0156.459] lstrcmpiW (lpString1="fUGm5.jpg", lpString2="System Volume Information") returned -1 [0156.459] lstrcmpiW (lpString1="fUGm5.jpg", lpString2=".") returned 1 [0156.459] lstrcmpiW (lpString1="fUGm5.jpg", lpString2="..") returned 1 [0156.459] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\fUGm5.jpg") returned 117 [0156.459] lstrcmpW (lpString1="fUGm5.jpg", lpString2="PUSSY.TXT") returned -1 [0156.459] PathFindExtensionW (pszPath="fUGm5.jpg") returned=".jpg" [0156.459] lstrlenW (lpString=".jpg") returned 4 [0156.459] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0156.459] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\fUGm5.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\p8vnb3ngvtyiwbup\\dmzhpx3 2df4pzbw\\fugm5.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0156.460] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=59356) returned 1 [0156.460] GetProcessHeap () returned 0x4c0000 [0156.460] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0156.470] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="BD") returned 2 [0156.470] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="0C") returned 2 [0156.470] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="50") returned 2 [0156.471] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="09") returned 2 [0156.471] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="97") returned 2 [0156.471] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="94") returned 2 [0156.471] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="FC") returned 2 [0156.471] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="C3") returned 2 [0156.471] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="19") returned 2 [0156.471] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="DC") returned 2 [0156.471] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="36") returned 2 [0156.471] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="45") returned 2 [0156.471] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="0F") returned 2 [0156.471] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="A9") returned 2 [0156.471] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="C8") returned 2 [0156.471] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="19") returned 2 [0156.471] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="A5") returned 2 [0156.471] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="99") returned 2 [0156.471] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="CB") returned 2 [0156.471] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="A2") returned 2 [0156.471] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="D5") returned 2 [0156.471] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="13") returned 2 [0156.471] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="C0") returned 2 [0156.471] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="86") returned 2 [0156.471] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="B6") returned 2 [0156.471] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="50") returned 2 [0156.471] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="6A") returned 2 [0156.471] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="A1") returned 2 [0156.471] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="A4") returned 2 [0156.471] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="26") returned 2 [0156.471] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="7A") returned 2 [0156.471] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="0B") returned 2 [0156.485] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\fUGm5.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\fUGm5.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\fUGm5.jpg" [0156.485] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\fUGm5.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\fUGm5.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\fUGm5.jpg" [0156.485] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\fUGm5.jpg", lpString2=".BD0C50099794FCC319DC36450FA9C819A599CBA2D513C086B6506AA1A4267A0B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\fUGm5.jpg.BD0C50099794FCC319DC36450FA9C819A599CBA2D513C086B6506AA1A4267A0B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\fUGm5.jpg.BD0C50099794FCC319DC36450FA9C819A599CBA2D513C086B6506AA1A4267A0B" [0156.485] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0156.485] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0156.540] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x66fbead0, ftCreationTime.dwHighDateTime=0x1d5e1ba, ftLastAccessTime.dwLowDateTime=0xbf7d2380, ftLastAccessTime.dwHighDateTime=0x1d5dd4c, ftLastWriteTime.dwLowDateTime=0xbf7d2380, ftLastWriteTime.dwHighDateTime=0x1d5dd4c, nFileSizeHigh=0x0, nFileSizeLow=0xa198, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="g_IG6dqa.jpg", cAlternateFileName="")) returned 1 [0156.540] lstrcmpiW (lpString1="g_IG6dqa.jpg", lpString2="Windows") returned -1 [0156.540] lstrcmpiW (lpString1="g_IG6dqa.jpg", lpString2="Program Files") returned -1 [0156.540] lstrcmpiW (lpString1="g_IG6dqa.jpg", lpString2="Program Files (x86)") returned -1 [0156.540] lstrcmpiW (lpString1="g_IG6dqa.jpg", lpString2="$Recycle.bin") returned 1 [0156.540] lstrcmpiW (lpString1="g_IG6dqa.jpg", lpString2="System Volume Information") returned -1 [0156.540] lstrcmpiW (lpString1="g_IG6dqa.jpg", lpString2=".") returned 1 [0156.540] lstrcmpiW (lpString1="g_IG6dqa.jpg", lpString2="..") returned 1 [0156.540] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\g_IG6dqa.jpg") returned 120 [0156.540] lstrcmpW (lpString1="g_IG6dqa.jpg", lpString2="PUSSY.TXT") returned -1 [0156.540] PathFindExtensionW (pszPath="g_IG6dqa.jpg") returned=".jpg" [0156.540] lstrlenW (lpString=".jpg") returned 4 [0156.540] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0156.540] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\g_IG6dqa.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\p8vnb3ngvtyiwbup\\dmzhpx3 2df4pzbw\\g_ig6dqa.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0156.541] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=41368) returned 1 [0156.541] GetProcessHeap () returned 0x4c0000 [0156.541] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0156.551] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="C8") returned 2 [0156.551] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="6D") returned 2 [0156.551] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="7D") returned 2 [0156.551] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="2A") returned 2 [0156.551] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="81") returned 2 [0156.551] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="89") returned 2 [0156.551] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="46") returned 2 [0156.552] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="AF") returned 2 [0156.552] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="7D") returned 2 [0156.552] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="24") returned 2 [0156.552] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="87") returned 2 [0156.552] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="58") returned 2 [0156.552] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="59") returned 2 [0156.552] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="AA") returned 2 [0156.552] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="F2") returned 2 [0156.552] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="E1") returned 2 [0156.552] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="EA") returned 2 [0156.552] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="85") returned 2 [0156.552] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="65") returned 2 [0156.552] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="A6") returned 2 [0156.552] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="4C") returned 2 [0156.552] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="FB") returned 2 [0156.552] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="59") returned 2 [0156.552] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="83") returned 2 [0156.552] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="5C") returned 2 [0156.552] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="7C") returned 2 [0156.552] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="C7") returned 2 [0156.552] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="27") returned 2 [0156.552] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="15") returned 2 [0156.552] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="01") returned 2 [0156.552] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="E5") returned 2 [0156.552] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="0D") returned 2 [0156.564] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\g_IG6dqa.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\g_IG6dqa.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\g_IG6dqa.jpg" [0156.564] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\g_IG6dqa.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\g_IG6dqa.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\g_IG6dqa.jpg" [0156.564] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\g_IG6dqa.jpg", lpString2=".C86D7D2A818946AF7D24875859AAF2E1EA8565A64CFB59835C7CC7271501E50D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\g_IG6dqa.jpg.C86D7D2A818946AF7D24875859AAF2E1EA8565A64CFB59835C7CC7271501E50D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\g_IG6dqa.jpg.C86D7D2A818946AF7D24875859AAF2E1EA8565A64CFB59835C7CC7271501E50D" [0156.564] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0156.564] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0156.597] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x770977b0, ftCreationTime.dwHighDateTime=0x1d5d983, ftLastAccessTime.dwLowDateTime=0xd09fe700, ftLastAccessTime.dwHighDateTime=0x1d5de83, ftLastWriteTime.dwLowDateTime=0xd09fe700, ftLastWriteTime.dwHighDateTime=0x1d5de83, nFileSizeHigh=0x0, nFileSizeLow=0x133a9, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="Hewj2Y1GQ6O.png", cAlternateFileName="HEWJ2Y~1.PNG")) returned 1 [0156.597] lstrcmpiW (lpString1="Hewj2Y1GQ6O.png", lpString2="Windows") returned -1 [0156.597] lstrcmpiW (lpString1="Hewj2Y1GQ6O.png", lpString2="Program Files") returned -1 [0156.597] lstrcmpiW (lpString1="Hewj2Y1GQ6O.png", lpString2="Program Files (x86)") returned -1 [0156.597] lstrcmpiW (lpString1="Hewj2Y1GQ6O.png", lpString2="$Recycle.bin") returned 1 [0156.597] lstrcmpiW (lpString1="Hewj2Y1GQ6O.png", lpString2="System Volume Information") returned -1 [0156.597] lstrcmpiW (lpString1="Hewj2Y1GQ6O.png", lpString2=".") returned 1 [0156.597] lstrcmpiW (lpString1="Hewj2Y1GQ6O.png", lpString2="..") returned 1 [0156.597] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\Hewj2Y1GQ6O.png") returned 123 [0156.597] lstrcmpW (lpString1="Hewj2Y1GQ6O.png", lpString2="PUSSY.TXT") returned -1 [0156.597] PathFindExtensionW (pszPath="Hewj2Y1GQ6O.png") returned=".png" [0156.597] lstrlenW (lpString=".png") returned 4 [0156.597] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0156.597] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\Hewj2Y1GQ6O.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\p8vnb3ngvtyiwbup\\dmzhpx3 2df4pzbw\\hewj2y1gq6o.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0156.598] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=78761) returned 1 [0156.598] GetProcessHeap () returned 0x4c0000 [0156.599] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0156.612] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="F1") returned 2 [0156.612] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="D3") returned 2 [0156.612] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="1A") returned 2 [0156.612] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="53") returned 2 [0156.612] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="15") returned 2 [0156.612] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="A7") returned 2 [0156.612] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="97") returned 2 [0156.612] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="03") returned 2 [0156.612] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="5D") returned 2 [0156.612] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="5C") returned 2 [0156.612] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="A8") returned 2 [0156.612] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="2E") returned 2 [0156.612] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="BD") returned 2 [0156.612] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="A3") returned 2 [0156.612] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="75") returned 2 [0156.612] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="C2") returned 2 [0156.612] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="76") returned 2 [0156.612] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="C4") returned 2 [0156.613] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="1B") returned 2 [0156.613] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="F5") returned 2 [0156.613] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="2D") returned 2 [0156.613] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="5C") returned 2 [0156.613] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="A4") returned 2 [0156.613] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="B7") returned 2 [0156.613] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="92") returned 2 [0156.613] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="14") returned 2 [0156.613] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="BC") returned 2 [0156.613] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="50") returned 2 [0156.613] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="DB") returned 2 [0156.613] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="12") returned 2 [0156.613] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="CE") returned 2 [0156.613] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="6A") returned 2 [0156.626] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\Hewj2Y1GQ6O.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\Hewj2Y1GQ6O.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\Hewj2Y1GQ6O.png" [0156.626] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\Hewj2Y1GQ6O.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\Hewj2Y1GQ6O.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\Hewj2Y1GQ6O.png" [0156.626] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\Hewj2Y1GQ6O.png", lpString2=".F1D31A5315A797035D5CA82EBDA375C276C41BF52D5CA4B79214BC50DB12CE6A" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\Hewj2Y1GQ6O.png.F1D31A5315A797035D5CA82EBDA375C276C41BF52D5CA4B79214BC50DB12CE6A") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\Hewj2Y1GQ6O.png.F1D31A5315A797035D5CA82EBDA375C276C41BF52D5CA4B79214BC50DB12CE6A" [0156.626] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0156.626] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0156.677] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d759a00, ftCreationTime.dwHighDateTime=0x1d5db59, ftLastAccessTime.dwLowDateTime=0xa3afa300, ftLastAccessTime.dwHighDateTime=0x1d5dd95, ftLastWriteTime.dwLowDateTime=0xa3afa300, ftLastWriteTime.dwHighDateTime=0x1d5dd95, nFileSizeHigh=0x0, nFileSizeLow=0x142e5, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="KPas9_W6unI.bmp", cAlternateFileName="KPAS9_~1.BMP")) returned 1 [0156.677] lstrcmpiW (lpString1="KPas9_W6unI.bmp", lpString2="Windows") returned -1 [0156.677] lstrcmpiW (lpString1="KPas9_W6unI.bmp", lpString2="Program Files") returned -1 [0156.677] lstrcmpiW (lpString1="KPas9_W6unI.bmp", lpString2="Program Files (x86)") returned -1 [0156.677] lstrcmpiW (lpString1="KPas9_W6unI.bmp", lpString2="$Recycle.bin") returned 1 [0156.677] lstrcmpiW (lpString1="KPas9_W6unI.bmp", lpString2="System Volume Information") returned -1 [0156.677] lstrcmpiW (lpString1="KPas9_W6unI.bmp", lpString2=".") returned 1 [0156.678] lstrcmpiW (lpString1="KPas9_W6unI.bmp", lpString2="..") returned 1 [0156.678] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\KPas9_W6unI.bmp") returned 123 [0156.678] lstrcmpW (lpString1="KPas9_W6unI.bmp", lpString2="PUSSY.TXT") returned -1 [0156.678] PathFindExtensionW (pszPath="KPas9_W6unI.bmp") returned=".bmp" [0156.678] lstrlenW (lpString=".bmp") returned 4 [0156.678] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0156.678] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\KPas9_W6unI.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\p8vnb3ngvtyiwbup\\dmzhpx3 2df4pzbw\\kpas9_w6uni.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0156.679] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=82661) returned 1 [0156.679] GetProcessHeap () returned 0x4c0000 [0156.679] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0156.687] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="5B") returned 2 [0156.687] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="C1") returned 2 [0156.687] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="CD") returned 2 [0156.687] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="6D") returned 2 [0156.687] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="8A") returned 2 [0156.687] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="C1") returned 2 [0156.687] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="4A") returned 2 [0156.687] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="CE") returned 2 [0156.687] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="37") returned 2 [0156.688] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="28") returned 2 [0156.688] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="4D") returned 2 [0156.688] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="A5") returned 2 [0156.688] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="05") returned 2 [0156.688] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="78") returned 2 [0156.688] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="8B") returned 2 [0156.688] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="94") returned 2 [0156.688] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="57") returned 2 [0156.688] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="F9") returned 2 [0156.688] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="5B") returned 2 [0156.688] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="E1") returned 2 [0156.688] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="5A") returned 2 [0156.688] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="31") returned 2 [0156.688] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="FE") returned 2 [0156.688] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="33") returned 2 [0156.688] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="44") returned 2 [0156.688] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="14") returned 2 [0156.688] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="33") returned 2 [0156.688] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="A8") returned 2 [0156.688] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="88") returned 2 [0156.688] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="7A") returned 2 [0156.688] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="F6") returned 2 [0156.688] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="2F") returned 2 [0156.696] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\KPas9_W6unI.bmp" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\KPas9_W6unI.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\KPas9_W6unI.bmp" [0156.696] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\KPas9_W6unI.bmp" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\KPas9_W6unI.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\KPas9_W6unI.bmp" [0156.696] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\KPas9_W6unI.bmp", lpString2=".5BC1CD6D8AC14ACE37284DA505788B9457F95BE15A31FE33441433A8887AF62F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\KPas9_W6unI.bmp.5BC1CD6D8AC14ACE37284DA505788B9457F95BE15A31FE33441433A8887AF62F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\KPas9_W6unI.bmp.5BC1CD6D8AC14ACE37284DA505788B9457F95BE15A31FE33441433A8887AF62F" [0156.696] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0156.697] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0156.729] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5ab80630, ftCreationTime.dwHighDateTime=0x1d5e4b9, ftLastAccessTime.dwLowDateTime=0x53ac6bf0, ftLastAccessTime.dwHighDateTime=0x1d5d9e3, ftLastWriteTime.dwLowDateTime=0x53ac6bf0, ftLastWriteTime.dwHighDateTime=0x1d5d9e3, nFileSizeHigh=0x0, nFileSizeLow=0xd05, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="STvL.gif", cAlternateFileName="")) returned 1 [0156.729] lstrcmpiW (lpString1="STvL.gif", lpString2="Windows") returned -1 [0156.729] lstrcmpiW (lpString1="STvL.gif", lpString2="Program Files") returned 1 [0156.730] lstrcmpiW (lpString1="STvL.gif", lpString2="Program Files (x86)") returned 1 [0156.730] lstrcmpiW (lpString1="STvL.gif", lpString2="$Recycle.bin") returned 1 [0156.730] lstrcmpiW (lpString1="STvL.gif", lpString2="System Volume Information") returned -1 [0156.730] lstrcmpiW (lpString1="STvL.gif", lpString2=".") returned 1 [0156.730] lstrcmpiW (lpString1="STvL.gif", lpString2="..") returned 1 [0156.730] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\STvL.gif") returned 116 [0156.730] lstrcmpW (lpString1="STvL.gif", lpString2="PUSSY.TXT") returned 1 [0156.730] PathFindExtensionW (pszPath="STvL.gif") returned=".gif" [0156.730] lstrlenW (lpString=".gif") returned 4 [0156.730] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0156.730] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\STvL.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\p8vnb3ngvtyiwbup\\dmzhpx3 2df4pzbw\\stvl.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0156.731] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=3333) returned 1 [0156.731] GetProcessHeap () returned 0x4c0000 [0156.731] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0156.742] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="34") returned 2 [0156.742] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="8F") returned 2 [0156.742] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="11") returned 2 [0156.742] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="81") returned 2 [0156.742] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="FE") returned 2 [0156.742] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="E7") returned 2 [0156.742] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="6E") returned 2 [0156.742] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="19") returned 2 [0156.742] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="7B") returned 2 [0156.742] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="32") returned 2 [0156.742] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="F0") returned 2 [0156.742] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="91") returned 2 [0156.743] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="7C") returned 2 [0156.743] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="EB") returned 2 [0156.743] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="63") returned 2 [0156.743] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="91") returned 2 [0156.743] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="CF") returned 2 [0156.743] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="81") returned 2 [0156.743] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="74") returned 2 [0156.743] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="4F") returned 2 [0156.743] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="45") returned 2 [0156.743] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="B6") returned 2 [0156.743] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="D9") returned 2 [0156.743] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="B8") returned 2 [0156.743] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="73") returned 2 [0156.743] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="B0") returned 2 [0156.743] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="5E") returned 2 [0156.743] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="21") returned 2 [0156.743] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="08") returned 2 [0156.743] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="64") returned 2 [0156.743] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="D2") returned 2 [0156.743] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="6F") returned 2 [0156.756] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\STvL.gif" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\STvL.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\STvL.gif" [0156.756] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\STvL.gif" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\STvL.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\STvL.gif" [0156.757] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\STvL.gif", lpString2=".348F1181FEE76E197B32F0917CEB6391CF81744F45B6D9B873B05E210864D26F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\STvL.gif.348F1181FEE76E197B32F0917CEB6391CF81744F45B6D9B873B05E210864D26F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\STvL.gif.348F1181FEE76E197B32F0917CEB6391CF81744F45B6D9B873B05E210864D26F" [0156.757] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0156.757] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0156.768] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5ab80630, ftCreationTime.dwHighDateTime=0x1d5e4b9, ftLastAccessTime.dwLowDateTime=0x53ac6bf0, ftLastAccessTime.dwHighDateTime=0x1d5d9e3, ftLastWriteTime.dwLowDateTime=0x53ac6bf0, ftLastWriteTime.dwHighDateTime=0x1d5d9e3, nFileSizeHigh=0x0, nFileSizeLow=0xd05, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="STvL.gif", cAlternateFileName="")) returned 0 [0156.768] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0156.768] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\PUSSY.TXT") returned 117 [0156.768] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\p8vnb3ngvtyiwbup\\dmzhpx3 2df4pzbw\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0156.769] lstrlenA (lpString="abcd") returned 4 [0156.769] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0156.770] CloseHandle (hObject=0x18c) returned 1 [0156.770] GetProcessHeap () returned 0x4c0000 [0156.770] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0156.770] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe1a598d0, ftCreationTime.dwHighDateTime=0x1d5e59d, ftLastAccessTime.dwLowDateTime=0x2c73a40, ftLastAccessTime.dwHighDateTime=0x1d5e801, ftLastWriteTime.dwLowDateTime=0x2c73a40, ftLastWriteTime.dwHighDateTime=0x1d5e801, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="Ih7C09LXjCNH0UwZ", cAlternateFileName="IH7C09~1")) returned 1 [0156.770] lstrcmpiW (lpString1="Ih7C09LXjCNH0UwZ", lpString2="Windows") returned -1 [0156.771] lstrcmpiW (lpString1="Ih7C09LXjCNH0UwZ", lpString2="Program Files") returned -1 [0156.771] lstrcmpiW (lpString1="Ih7C09LXjCNH0UwZ", lpString2="Program Files (x86)") returned -1 [0156.771] lstrcmpiW (lpString1="Ih7C09LXjCNH0UwZ", lpString2="$Recycle.bin") returned 1 [0156.771] lstrcmpiW (lpString1="Ih7C09LXjCNH0UwZ", lpString2="System Volume Information") returned -1 [0156.771] lstrcmpiW (lpString1="Ih7C09LXjCNH0UwZ", lpString2=".") returned 1 [0156.771] lstrcmpiW (lpString1="Ih7C09LXjCNH0UwZ", lpString2="..") returned 1 [0156.771] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ") returned 107 [0156.771] GetProcessHeap () returned 0x4c0000 [0156.771] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0156.771] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ" [0156.771] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\*" [0156.771] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe1a598d0, ftCreationTime.dwHighDateTime=0x1d5e59d, ftLastAccessTime.dwLowDateTime=0x2c73a40, ftLastAccessTime.dwHighDateTime=0x1d5e801, ftLastWriteTime.dwLowDateTime=0x2c73a40, ftLastWriteTime.dwHighDateTime=0x1d5e801, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0156.771] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0156.771] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0156.771] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0156.771] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0156.771] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0156.771] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0156.771] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe1a598d0, ftCreationTime.dwHighDateTime=0x1d5e59d, ftLastAccessTime.dwLowDateTime=0x2c73a40, ftLastAccessTime.dwHighDateTime=0x1d5e801, ftLastWriteTime.dwLowDateTime=0x2c73a40, ftLastWriteTime.dwHighDateTime=0x1d5e801, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0156.772] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0156.772] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0156.772] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0156.772] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0156.772] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0156.772] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0156.772] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0156.772] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd84b5b10, ftCreationTime.dwHighDateTime=0x1d5dc71, ftLastAccessTime.dwLowDateTime=0x2993aa40, ftLastAccessTime.dwHighDateTime=0x1d5df3d, ftLastWriteTime.dwLowDateTime=0x2993aa40, ftLastWriteTime.dwHighDateTime=0x1d5df3d, nFileSizeHigh=0x0, nFileSizeLow=0x18b10, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="4P t0oA5awG.gif", cAlternateFileName="4PT0OA~1.GIF")) returned 1 [0156.772] lstrcmpiW (lpString1="4P t0oA5awG.gif", lpString2="Windows") returned -1 [0156.772] lstrcmpiW (lpString1="4P t0oA5awG.gif", lpString2="Program Files") returned -1 [0156.772] lstrcmpiW (lpString1="4P t0oA5awG.gif", lpString2="Program Files (x86)") returned -1 [0156.772] lstrcmpiW (lpString1="4P t0oA5awG.gif", lpString2="$Recycle.bin") returned 1 [0156.772] lstrcmpiW (lpString1="4P t0oA5awG.gif", lpString2="System Volume Information") returned -1 [0156.772] lstrcmpiW (lpString1="4P t0oA5awG.gif", lpString2=".") returned 1 [0156.772] lstrcmpiW (lpString1="4P t0oA5awG.gif", lpString2="..") returned 1 [0156.772] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\4P t0oA5awG.gif") returned 123 [0156.772] lstrcmpW (lpString1="4P t0oA5awG.gif", lpString2="PUSSY.TXT") returned -1 [0156.772] PathFindExtensionW (pszPath="4P t0oA5awG.gif") returned=".gif" [0156.772] lstrlenW (lpString=".gif") returned 4 [0156.772] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0156.772] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\4P t0oA5awG.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\p8vnb3ngvtyiwbup\\ih7c09lxjcnh0uwz\\4p t0oa5awg.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0156.773] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=101136) returned 1 [0156.773] GetProcessHeap () returned 0x4c0000 [0156.773] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0156.787] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="56") returned 2 [0156.787] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="24") returned 2 [0156.787] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="B6") returned 2 [0156.787] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="45") returned 2 [0156.787] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="86") returned 2 [0156.787] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="9B") returned 2 [0156.787] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="31") returned 2 [0156.787] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="35") returned 2 [0156.787] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="D6") returned 2 [0156.787] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="97") returned 2 [0156.787] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="07") returned 2 [0156.787] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="15") returned 2 [0156.787] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="4B") returned 2 [0156.787] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="50") returned 2 [0156.787] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="D1") returned 2 [0156.788] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="1E") returned 2 [0156.788] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="E3") returned 2 [0156.788] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="42") returned 2 [0156.788] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="9E") returned 2 [0156.788] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="75") returned 2 [0156.788] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="9D") returned 2 [0156.788] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="73") returned 2 [0156.788] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="DF") returned 2 [0156.788] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="F8") returned 2 [0156.788] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="C3") returned 2 [0156.788] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="D8") returned 2 [0156.788] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="F3") returned 2 [0156.788] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="00") returned 2 [0156.788] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="D1") returned 2 [0156.788] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="87") returned 2 [0156.788] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="40") returned 2 [0156.788] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="4D") returned 2 [0156.799] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\4P t0oA5awG.gif" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\4P t0oA5awG.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\4P t0oA5awG.gif" [0156.799] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\4P t0oA5awG.gif" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\4P t0oA5awG.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\4P t0oA5awG.gif" [0156.799] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\4P t0oA5awG.gif", lpString2=".5624B645869B3135D69707154B50D11EE3429E759D73DFF8C3D8F300D187404D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\4P t0oA5awG.gif.5624B645869B3135D69707154B50D11EE3429E759D73DFF8C3D8F300D187404D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\4P t0oA5awG.gif.5624B645869B3135D69707154B50D11EE3429E759D73DFF8C3D8F300D187404D" [0156.799] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0156.799] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0156.840] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x15080850, ftCreationTime.dwHighDateTime=0x1d5db8c, ftLastAccessTime.dwLowDateTime=0xc5615470, ftLastAccessTime.dwHighDateTime=0x1d5e232, ftLastWriteTime.dwLowDateTime=0xc5615470, ftLastWriteTime.dwHighDateTime=0x1d5e232, nFileSizeHigh=0x0, nFileSizeLow=0x10fff, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="5WjE.gif", cAlternateFileName="")) returned 1 [0156.840] lstrcmpiW (lpString1="5WjE.gif", lpString2="Windows") returned -1 [0156.840] lstrcmpiW (lpString1="5WjE.gif", lpString2="Program Files") returned -1 [0156.840] lstrcmpiW (lpString1="5WjE.gif", lpString2="Program Files (x86)") returned -1 [0156.840] lstrcmpiW (lpString1="5WjE.gif", lpString2="$Recycle.bin") returned 1 [0156.840] lstrcmpiW (lpString1="5WjE.gif", lpString2="System Volume Information") returned -1 [0156.840] lstrcmpiW (lpString1="5WjE.gif", lpString2=".") returned 1 [0156.840] lstrcmpiW (lpString1="5WjE.gif", lpString2="..") returned 1 [0156.840] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\5WjE.gif") returned 116 [0156.840] lstrcmpW (lpString1="5WjE.gif", lpString2="PUSSY.TXT") returned -1 [0156.840] PathFindExtensionW (pszPath="5WjE.gif") returned=".gif" [0156.840] lstrlenW (lpString=".gif") returned 4 [0156.841] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0156.841] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\5WjE.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\p8vnb3ngvtyiwbup\\ih7c09lxjcnh0uwz\\5wje.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0156.841] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=69631) returned 1 [0156.841] GetProcessHeap () returned 0x4c0000 [0156.841] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0156.850] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="6E") returned 2 [0156.850] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="2E") returned 2 [0156.850] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="23") returned 2 [0156.850] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="AD") returned 2 [0156.850] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="41") returned 2 [0156.850] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="D1") returned 2 [0156.850] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="5A") returned 2 [0156.850] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="46") returned 2 [0156.850] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="53") returned 2 [0156.850] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="5E") returned 2 [0156.850] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="D1") returned 2 [0156.850] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="B6") returned 2 [0156.850] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="5E") returned 2 [0156.850] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="1B") returned 2 [0156.850] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="A0") returned 2 [0156.850] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="85") returned 2 [0156.850] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="0A") returned 2 [0156.850] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="AA") returned 2 [0156.850] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="8B") returned 2 [0156.850] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="29") returned 2 [0156.850] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="B5") returned 2 [0156.850] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="35") returned 2 [0156.850] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="41") returned 2 [0156.850] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="30") returned 2 [0156.850] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="90") returned 2 [0156.850] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="99") returned 2 [0156.850] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="1F") returned 2 [0156.851] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="A5") returned 2 [0156.851] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="9D") returned 2 [0156.851] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="46") returned 2 [0156.851] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="F3") returned 2 [0156.851] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="55") returned 2 [0156.875] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\5WjE.gif" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\5WjE.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\5WjE.gif" [0156.875] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\5WjE.gif" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\5WjE.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\5WjE.gif" [0156.875] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\5WjE.gif", lpString2=".6E2E23AD41D15A46535ED1B65E1BA0850AAA8B29B535413090991FA59D46F355" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\5WjE.gif.6E2E23AD41D15A46535ED1B65E1BA0850AAA8B29B535413090991FA59D46F355") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\5WjE.gif.6E2E23AD41D15A46535ED1B65E1BA0850AAA8B29B535413090991FA59D46F355" [0156.875] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0156.875] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0156.922] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7c052180, ftCreationTime.dwHighDateTime=0x1d5df26, ftLastAccessTime.dwLowDateTime=0xd68a4710, ftLastAccessTime.dwHighDateTime=0x1d5dfc7, ftLastWriteTime.dwLowDateTime=0xd68a4710, ftLastWriteTime.dwHighDateTime=0x1d5dfc7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="6wlUcPJLY3ZPAVew2", cAlternateFileName="6WLUCP~1")) returned 1 [0156.923] lstrcmpiW (lpString1="6wlUcPJLY3ZPAVew2", lpString2="Windows") returned -1 [0156.923] lstrcmpiW (lpString1="6wlUcPJLY3ZPAVew2", lpString2="Program Files") returned -1 [0156.923] lstrcmpiW (lpString1="6wlUcPJLY3ZPAVew2", lpString2="Program Files (x86)") returned -1 [0156.923] lstrcmpiW (lpString1="6wlUcPJLY3ZPAVew2", lpString2="$Recycle.bin") returned 1 [0156.923] lstrcmpiW (lpString1="6wlUcPJLY3ZPAVew2", lpString2="System Volume Information") returned -1 [0156.923] lstrcmpiW (lpString1="6wlUcPJLY3ZPAVew2", lpString2=".") returned 1 [0156.923] lstrcmpiW (lpString1="6wlUcPJLY3ZPAVew2", lpString2="..") returned 1 [0156.927] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2") returned 125 [0156.927] GetProcessHeap () returned 0x4c0000 [0156.927] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bd80e8 [0156.927] lstrcpyW (in: lpString1=0x3bd80e8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2" [0156.927] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\*" [0156.928] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7c052180, ftCreationTime.dwHighDateTime=0x1d5df26, ftLastAccessTime.dwLowDateTime=0xd68a4710, ftLastAccessTime.dwHighDateTime=0x1d5dfc7, ftLastWriteTime.dwLowDateTime=0xd68a4710, ftLastWriteTime.dwHighDateTime=0x1d5dfc7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0156.928] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0156.928] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0156.928] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0156.928] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0156.928] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0156.928] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0156.928] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7c052180, ftCreationTime.dwHighDateTime=0x1d5df26, ftLastAccessTime.dwLowDateTime=0xd68a4710, ftLastAccessTime.dwHighDateTime=0x1d5dfc7, ftLastWriteTime.dwLowDateTime=0xd68a4710, ftLastWriteTime.dwHighDateTime=0x1d5dfc7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0156.928] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0156.928] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0156.928] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0156.928] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0156.928] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0156.928] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0156.928] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0156.928] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9e160c0, ftCreationTime.dwHighDateTime=0x1d5e6d2, ftLastAccessTime.dwLowDateTime=0xb61a6bc0, ftLastAccessTime.dwHighDateTime=0x1d5e0cd, ftLastWriteTime.dwLowDateTime=0xb61a6bc0, ftLastWriteTime.dwHighDateTime=0x1d5e0cd, nFileSizeHigh=0x0, nFileSizeLow=0xec96, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName="5eRWhGnYlutAnVdIY.png", cAlternateFileName="5ERWHG~1.PNG")) returned 1 [0156.928] lstrcmpiW (lpString1="5eRWhGnYlutAnVdIY.png", lpString2="Windows") returned -1 [0156.928] lstrcmpiW (lpString1="5eRWhGnYlutAnVdIY.png", lpString2="Program Files") returned -1 [0156.928] lstrcmpiW (lpString1="5eRWhGnYlutAnVdIY.png", lpString2="Program Files (x86)") returned -1 [0156.928] lstrcmpiW (lpString1="5eRWhGnYlutAnVdIY.png", lpString2="$Recycle.bin") returned 1 [0156.928] lstrcmpiW (lpString1="5eRWhGnYlutAnVdIY.png", lpString2="System Volume Information") returned -1 [0156.928] lstrcmpiW (lpString1="5eRWhGnYlutAnVdIY.png", lpString2=".") returned 1 [0156.929] lstrcmpiW (lpString1="5eRWhGnYlutAnVdIY.png", lpString2="..") returned 1 [0156.929] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\5eRWhGnYlutAnVdIY.png") returned 147 [0156.929] lstrcmpW (lpString1="5eRWhGnYlutAnVdIY.png", lpString2="PUSSY.TXT") returned -1 [0156.929] PathFindExtensionW (pszPath="5eRWhGnYlutAnVdIY.png") returned=".png" [0156.929] lstrlenW (lpString=".png") returned 4 [0156.929] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0156.929] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\5eRWhGnYlutAnVdIY.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\p8vnb3ngvtyiwbup\\ih7c09lxjcnh0uwz\\6wlucpjly3zpavew2\\5erwhgnylutanvdiy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0156.930] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=60566) returned 1 [0156.930] GetProcessHeap () returned 0x4c0000 [0156.930] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0156.944] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="DC") returned 2 [0156.944] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="68") returned 2 [0156.945] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="74") returned 2 [0156.945] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="0B") returned 2 [0156.945] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="62") returned 2 [0156.945] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="2B") returned 2 [0156.945] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="24") returned 2 [0156.945] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="F7") returned 2 [0156.945] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="D2") returned 2 [0156.945] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="46") returned 2 [0156.945] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="EF") returned 2 [0156.945] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="73") returned 2 [0156.945] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="52") returned 2 [0156.945] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="CC") returned 2 [0156.945] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="2C") returned 2 [0156.945] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="F5") returned 2 [0156.945] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="98") returned 2 [0156.945] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="9C") returned 2 [0156.945] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="10") returned 2 [0156.945] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="00") returned 2 [0156.945] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="4A") returned 2 [0156.945] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="DC") returned 2 [0156.945] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="02") returned 2 [0156.945] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="07") returned 2 [0156.945] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="B3") returned 2 [0156.945] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="21") returned 2 [0156.945] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="C5") returned 2 [0156.945] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="1D") returned 2 [0156.945] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="2A") returned 2 [0156.945] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="26") returned 2 [0156.945] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="DA") returned 2 [0156.946] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="3B") returned 2 [0156.954] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\5eRWhGnYlutAnVdIY.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\5eRWhGnYlutAnVdIY.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\5eRWhGnYlutAnVdIY.png" [0156.954] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\5eRWhGnYlutAnVdIY.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\5eRWhGnYlutAnVdIY.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\5eRWhGnYlutAnVdIY.png" [0156.954] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\5eRWhGnYlutAnVdIY.png", lpString2=".DC68740B622B24F7D246EF7352CC2CF5989C10004ADC0207B321C51D2A26DA3B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\5eRWhGnYlutAnVdIY.png.DC68740B622B24F7D246EF7352CC2CF5989C10004ADC0207B321C51D2A26DA3B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\5eRWhGnYlutAnVdIY.png.DC68740B622B24F7D246EF7352CC2CF5989C10004ADC0207B321C51D2A26DA3B" [0156.954] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0156.954] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0157.001] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8f3c040, ftCreationTime.dwHighDateTime=0x1d5d83d, ftLastAccessTime.dwLowDateTime=0xd858c750, ftLastAccessTime.dwHighDateTime=0x1d5d839, ftLastWriteTime.dwLowDateTime=0xd858c750, ftLastWriteTime.dwHighDateTime=0x1d5d839, nFileSizeHigh=0x0, nFileSizeLow=0x86bc, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName="8GsYZRAkx.bmp", cAlternateFileName="8GSYZR~1.BMP")) returned 1 [0157.001] lstrcmpiW (lpString1="8GsYZRAkx.bmp", lpString2="Windows") returned -1 [0157.001] lstrcmpiW (lpString1="8GsYZRAkx.bmp", lpString2="Program Files") returned -1 [0157.001] lstrcmpiW (lpString1="8GsYZRAkx.bmp", lpString2="Program Files (x86)") returned -1 [0157.001] lstrcmpiW (lpString1="8GsYZRAkx.bmp", lpString2="$Recycle.bin") returned 1 [0157.001] lstrcmpiW (lpString1="8GsYZRAkx.bmp", lpString2="System Volume Information") returned -1 [0157.001] lstrcmpiW (lpString1="8GsYZRAkx.bmp", lpString2=".") returned 1 [0157.001] lstrcmpiW (lpString1="8GsYZRAkx.bmp", lpString2="..") returned 1 [0157.001] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\8GsYZRAkx.bmp") returned 139 [0157.001] lstrcmpW (lpString1="8GsYZRAkx.bmp", lpString2="PUSSY.TXT") returned -1 [0157.001] PathFindExtensionW (pszPath="8GsYZRAkx.bmp") returned=".bmp" [0157.001] lstrlenW (lpString=".bmp") returned 4 [0157.002] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0157.002] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\8GsYZRAkx.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\p8vnb3ngvtyiwbup\\ih7c09lxjcnh0uwz\\6wlucpjly3zpavew2\\8gsyzrakx.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0157.002] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=34492) returned 1 [0157.003] GetProcessHeap () returned 0x4c0000 [0157.003] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0157.012] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="D4") returned 2 [0157.012] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="0F") returned 2 [0157.012] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="BC") returned 2 [0157.012] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="0D") returned 2 [0157.012] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="A3") returned 2 [0157.012] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="E4") returned 2 [0157.012] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="19") returned 2 [0157.012] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="FA") returned 2 [0157.012] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="E0") returned 2 [0157.012] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="EE") returned 2 [0157.012] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="8E") returned 2 [0157.012] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="04") returned 2 [0157.012] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="C6") returned 2 [0157.012] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="FC") returned 2 [0157.012] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="2B") returned 2 [0157.012] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="E4") returned 2 [0157.012] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="14") returned 2 [0157.012] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="FC") returned 2 [0157.013] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="F3") returned 2 [0157.013] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="34") returned 2 [0157.013] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="93") returned 2 [0157.013] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="18") returned 2 [0157.013] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="32") returned 2 [0157.013] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="50") returned 2 [0157.013] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="75") returned 2 [0157.013] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="66") returned 2 [0157.013] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="53") returned 2 [0157.013] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="B6") returned 2 [0157.013] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="03") returned 2 [0157.013] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="56") returned 2 [0157.013] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="BB") returned 2 [0157.013] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="66") returned 2 [0157.021] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\8GsYZRAkx.bmp" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\8GsYZRAkx.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\8GsYZRAkx.bmp" [0157.021] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\8GsYZRAkx.bmp" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\8GsYZRAkx.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\8GsYZRAkx.bmp" [0157.021] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\8GsYZRAkx.bmp", lpString2=".D40FBC0DA3E419FAE0EE8E04C6FC2BE414FCF33493183250756653B60356BB66" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\8GsYZRAkx.bmp.D40FBC0DA3E419FAE0EE8E04C6FC2BE414FCF33493183250756653B60356BB66") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\8GsYZRAkx.bmp.D40FBC0DA3E419FAE0EE8E04C6FC2BE414FCF33493183250756653B60356BB66" [0157.021] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0157.021] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0157.055] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaccc4740, ftCreationTime.dwHighDateTime=0x1d5e46b, ftLastAccessTime.dwLowDateTime=0x5951b880, ftLastAccessTime.dwHighDateTime=0x1d5e442, ftLastWriteTime.dwLowDateTime=0x5951b880, ftLastWriteTime.dwHighDateTime=0x1d5e442, nFileSizeHigh=0x0, nFileSizeLow=0xc417, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName="a86HpvdZe.png", cAlternateFileName="A86HPV~1.PNG")) returned 1 [0157.055] lstrcmpiW (lpString1="a86HpvdZe.png", lpString2="Windows") returned -1 [0157.055] lstrcmpiW (lpString1="a86HpvdZe.png", lpString2="Program Files") returned -1 [0157.055] lstrcmpiW (lpString1="a86HpvdZe.png", lpString2="Program Files (x86)") returned -1 [0157.055] lstrcmpiW (lpString1="a86HpvdZe.png", lpString2="$Recycle.bin") returned 1 [0157.055] lstrcmpiW (lpString1="a86HpvdZe.png", lpString2="System Volume Information") returned -1 [0157.055] lstrcmpiW (lpString1="a86HpvdZe.png", lpString2=".") returned 1 [0157.055] lstrcmpiW (lpString1="a86HpvdZe.png", lpString2="..") returned 1 [0157.055] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\a86HpvdZe.png") returned 139 [0157.055] lstrcmpW (lpString1="a86HpvdZe.png", lpString2="PUSSY.TXT") returned -1 [0157.055] PathFindExtensionW (pszPath="a86HpvdZe.png") returned=".png" [0157.055] lstrlenW (lpString=".png") returned 4 [0157.055] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0157.055] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\a86HpvdZe.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\p8vnb3ngvtyiwbup\\ih7c09lxjcnh0uwz\\6wlucpjly3zpavew2\\a86hpvdze.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0157.056] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=50199) returned 1 [0157.056] GetProcessHeap () returned 0x4c0000 [0157.056] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0157.065] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="04") returned 2 [0157.065] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="5E") returned 2 [0157.065] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="E3") returned 2 [0157.065] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="0B") returned 2 [0157.065] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="CD") returned 2 [0157.065] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="57") returned 2 [0157.065] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="CE") returned 2 [0157.065] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="94") returned 2 [0157.065] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="CB") returned 2 [0157.065] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="24") returned 2 [0157.065] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="CF") returned 2 [0157.065] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="F9") returned 2 [0157.065] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="72") returned 2 [0157.065] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="EB") returned 2 [0157.066] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="9B") returned 2 [0157.066] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="21") returned 2 [0157.066] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="BD") returned 2 [0157.066] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="88") returned 2 [0157.066] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="57") returned 2 [0157.066] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="4C") returned 2 [0157.066] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="A2") returned 2 [0157.066] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="BB") returned 2 [0157.066] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="54") returned 2 [0157.066] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="38") returned 2 [0157.066] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="0A") returned 2 [0157.066] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="46") returned 2 [0157.066] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="BE") returned 2 [0157.066] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="8D") returned 2 [0157.066] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="7C") returned 2 [0157.066] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="7A") returned 2 [0157.066] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="73") returned 2 [0157.066] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="6F") returned 2 [0157.075] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\a86HpvdZe.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\a86HpvdZe.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\a86HpvdZe.png" [0157.075] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\a86HpvdZe.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\a86HpvdZe.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\a86HpvdZe.png" [0157.075] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\a86HpvdZe.png", lpString2=".045EE30BCD57CE94CB24CFF972EB9B21BD88574CA2BB54380A46BE8D7C7A736F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\a86HpvdZe.png.045EE30BCD57CE94CB24CFF972EB9B21BD88574CA2BB54380A46BE8D7C7A736F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\a86HpvdZe.png.045EE30BCD57CE94CB24CFF972EB9B21BD88574CA2BB54380A46BE8D7C7A736F" [0157.075] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0157.075] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0157.111] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62f672d0, ftCreationTime.dwHighDateTime=0x1d5e786, ftLastAccessTime.dwLowDateTime=0x5a3f2420, ftLastAccessTime.dwHighDateTime=0x1d5dd4f, ftLastWriteTime.dwLowDateTime=0x5a3f2420, ftLastWriteTime.dwHighDateTime=0x1d5dd4f, nFileSizeHigh=0x0, nFileSizeLow=0x969c, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName="RL_Ti8nB0.gif", cAlternateFileName="RL_TI8~1.GIF")) returned 1 [0157.111] lstrcmpiW (lpString1="RL_Ti8nB0.gif", lpString2="Windows") returned -1 [0157.111] lstrcmpiW (lpString1="RL_Ti8nB0.gif", lpString2="Program Files") returned 1 [0157.111] lstrcmpiW (lpString1="RL_Ti8nB0.gif", lpString2="Program Files (x86)") returned 1 [0157.112] lstrcmpiW (lpString1="RL_Ti8nB0.gif", lpString2="$Recycle.bin") returned 1 [0157.112] lstrcmpiW (lpString1="RL_Ti8nB0.gif", lpString2="System Volume Information") returned -1 [0157.112] lstrcmpiW (lpString1="RL_Ti8nB0.gif", lpString2=".") returned 1 [0157.112] lstrcmpiW (lpString1="RL_Ti8nB0.gif", lpString2="..") returned 1 [0157.112] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\RL_Ti8nB0.gif") returned 139 [0157.112] lstrcmpW (lpString1="RL_Ti8nB0.gif", lpString2="PUSSY.TXT") returned 1 [0157.112] PathFindExtensionW (pszPath="RL_Ti8nB0.gif") returned=".gif" [0157.112] lstrlenW (lpString=".gif") returned 4 [0157.112] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0157.112] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\RL_Ti8nB0.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\p8vnb3ngvtyiwbup\\ih7c09lxjcnh0uwz\\6wlucpjly3zpavew2\\rl_ti8nb0.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0157.113] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=38556) returned 1 [0157.113] GetProcessHeap () returned 0x4c0000 [0157.113] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0157.122] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="A0") returned 2 [0157.122] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="80") returned 2 [0157.122] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="E9") returned 2 [0157.122] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="7F") returned 2 [0157.122] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="AE") returned 2 [0157.122] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="3B") returned 2 [0157.122] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="6D") returned 2 [0157.122] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="03") returned 2 [0157.122] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="89") returned 2 [0157.123] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="97") returned 2 [0157.123] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="32") returned 2 [0157.123] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="BC") returned 2 [0157.123] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="68") returned 2 [0157.123] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="F4") returned 2 [0157.123] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="E4") returned 2 [0157.123] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="BC") returned 2 [0157.123] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="30") returned 2 [0157.123] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="5C") returned 2 [0157.123] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="CB") returned 2 [0157.123] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="CC") returned 2 [0157.123] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="B4") returned 2 [0157.123] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="EA") returned 2 [0157.123] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="A4") returned 2 [0157.123] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="C4") returned 2 [0157.123] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="EE") returned 2 [0157.123] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="43") returned 2 [0157.123] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="51") returned 2 [0157.123] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="0B") returned 2 [0157.123] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="7D") returned 2 [0157.123] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="EB") returned 2 [0157.123] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="32") returned 2 [0157.123] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="53") returned 2 [0157.132] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\RL_Ti8nB0.gif" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\RL_Ti8nB0.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\RL_Ti8nB0.gif" [0157.132] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\RL_Ti8nB0.gif" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\RL_Ti8nB0.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\RL_Ti8nB0.gif" [0157.132] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\RL_Ti8nB0.gif", lpString2=".A080E97FAE3B6D03899732BC68F4E4BC305CCBCCB4EAA4C4EE43510B7DEB3253" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\RL_Ti8nB0.gif.A080E97FAE3B6D03899732BC68F4E4BC305CCBCCB4EAA4C4EE43510B7DEB3253") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\RL_Ti8nB0.gif.A080E97FAE3B6D03899732BC68F4E4BC305CCBCCB4EAA4C4EE43510B7DEB3253" [0157.132] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0157.132] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0157.166] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62f672d0, ftCreationTime.dwHighDateTime=0x1d5e786, ftLastAccessTime.dwLowDateTime=0x5a3f2420, ftLastAccessTime.dwHighDateTime=0x1d5dd4f, ftLastWriteTime.dwLowDateTime=0x5a3f2420, ftLastWriteTime.dwHighDateTime=0x1d5dd4f, nFileSizeHigh=0x0, nFileSizeLow=0x969c, dwReserved0=0x28b610, dwReserved1=0x77c61b06, cFileName="RL_Ti8nB0.gif", cAlternateFileName="RL_TI8~1.GIF")) returned 0 [0157.166] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0157.166] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\PUSSY.TXT") returned 135 [0157.167] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\p8vnb3ngvtyiwbup\\ih7c09lxjcnh0uwz\\6wlucpjly3zpavew2\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0157.167] lstrlenA (lpString="abcd") returned 4 [0157.168] WriteFile (in: hFile=0x19c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0157.169] CloseHandle (hObject=0x19c) returned 1 [0157.169] GetProcessHeap () returned 0x4c0000 [0157.169] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bd80e8 | out: hHeap=0x4c0000) returned 1 [0157.170] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd81e05d0, ftCreationTime.dwHighDateTime=0x1d5e76f, ftLastAccessTime.dwLowDateTime=0xa078ade0, ftLastAccessTime.dwHighDateTime=0x1d5dc77, ftLastWriteTime.dwLowDateTime=0xa078ade0, ftLastWriteTime.dwHighDateTime=0x1d5dc77, nFileSizeHigh=0x0, nFileSizeLow=0xe3b2, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="X 22.gif", cAlternateFileName="X22~1.GIF")) returned 1 [0157.170] lstrcmpiW (lpString1="X 22.gif", lpString2="Windows") returned 1 [0157.170] lstrcmpiW (lpString1="X 22.gif", lpString2="Program Files") returned 1 [0157.171] lstrcmpiW (lpString1="X 22.gif", lpString2="Program Files (x86)") returned 1 [0157.171] lstrcmpiW (lpString1="X 22.gif", lpString2="$Recycle.bin") returned 1 [0157.171] lstrcmpiW (lpString1="X 22.gif", lpString2="System Volume Information") returned 1 [0157.171] lstrcmpiW (lpString1="X 22.gif", lpString2=".") returned 1 [0157.171] lstrcmpiW (lpString1="X 22.gif", lpString2="..") returned 1 [0157.171] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\X 22.gif") returned 116 [0157.171] lstrcmpW (lpString1="X 22.gif", lpString2="PUSSY.TXT") returned 1 [0157.171] PathFindExtensionW (pszPath="X 22.gif") returned=".gif" [0157.171] lstrlenW (lpString=".gif") returned 4 [0157.171] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0157.171] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\X 22.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\p8vnb3ngvtyiwbup\\ih7c09lxjcnh0uwz\\x 22.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0157.172] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=58290) returned 1 [0157.172] GetProcessHeap () returned 0x4c0000 [0157.172] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0157.182] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="A5") returned 2 [0157.182] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="6E") returned 2 [0157.182] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="2D") returned 2 [0157.182] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="7A") returned 2 [0157.182] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="42") returned 2 [0157.182] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="32") returned 2 [0157.183] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="81") returned 2 [0157.183] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="97") returned 2 [0157.183] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="5E") returned 2 [0157.183] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="68") returned 2 [0157.183] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="FF") returned 2 [0157.183] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="B4") returned 2 [0157.183] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="5E") returned 2 [0157.183] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="6B") returned 2 [0157.183] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="F3") returned 2 [0157.183] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="52") returned 2 [0157.183] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="2B") returned 2 [0157.183] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="E0") returned 2 [0157.183] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="F7") returned 2 [0157.183] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="0D") returned 2 [0157.183] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="38") returned 2 [0157.183] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="2B") returned 2 [0157.183] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="82") returned 2 [0157.183] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="71") returned 2 [0157.183] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="3E") returned 2 [0157.183] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="B8") returned 2 [0157.183] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="35") returned 2 [0157.183] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="FA") returned 2 [0157.183] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="C2") returned 2 [0157.183] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="5D") returned 2 [0157.183] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="DF") returned 2 [0157.183] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="49") returned 2 [0157.193] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\X 22.gif" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\X 22.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\X 22.gif" [0157.193] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\X 22.gif" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\X 22.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\X 22.gif" [0157.193] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\X 22.gif", lpString2=".A56E2D7A423281975E68FFB45E6BF3522BE0F70D382B82713EB835FAC25DDF49" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\X 22.gif.A56E2D7A423281975E68FFB45E6BF3522BE0F70D382B82713EB835FAC25DDF49") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\X 22.gif.A56E2D7A423281975E68FFB45E6BF3522BE0F70D382B82713EB835FAC25DDF49" [0157.193] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0157.193] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0157.229] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd81e05d0, ftCreationTime.dwHighDateTime=0x1d5e76f, ftLastAccessTime.dwLowDateTime=0xa078ade0, ftLastAccessTime.dwHighDateTime=0x1d5dc77, ftLastWriteTime.dwLowDateTime=0xa078ade0, ftLastWriteTime.dwHighDateTime=0x1d5dc77, nFileSizeHigh=0x0, nFileSizeLow=0xe3b2, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="X 22.gif", cAlternateFileName="X22~1.GIF")) returned 0 [0157.229] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0157.229] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\PUSSY.TXT") returned 117 [0157.229] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\p8vnb3ngvtyiwbup\\ih7c09lxjcnh0uwz\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0157.230] lstrlenA (lpString="abcd") returned 4 [0157.230] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0157.231] CloseHandle (hObject=0x18c) returned 1 [0157.231] GetProcessHeap () returned 0x4c0000 [0157.231] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0157.232] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe1a598d0, ftCreationTime.dwHighDateTime=0x1d5e59d, ftLastAccessTime.dwLowDateTime=0x2c73a40, ftLastAccessTime.dwHighDateTime=0x1d5e801, ftLastWriteTime.dwLowDateTime=0x2c73a40, ftLastWriteTime.dwHighDateTime=0x1d5e801, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="Ih7C09LXjCNH0UwZ", cAlternateFileName="IH7C09~1")) returned 0 [0157.232] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0157.232] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\PUSSY.TXT") returned 100 [0157.232] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\p8vnb3ngvtyiwbup\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x124 [0157.233] lstrlenA (lpString="abcd") returned 4 [0157.233] WriteFile (in: hFile=0x124, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0157.234] CloseHandle (hObject=0x124) returned 1 [0157.234] GetProcessHeap () returned 0x4c0000 [0157.234] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0157.236] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19f7ff60, ftCreationTime.dwHighDateTime=0x1d5dfdc, ftLastAccessTime.dwLowDateTime=0xd9da5f90, ftLastAccessTime.dwHighDateTime=0x1d5e571, ftLastWriteTime.dwLowDateTime=0xd9da5f90, ftLastWriteTime.dwHighDateTime=0x1d5e571, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="SyqP4isOx", cAlternateFileName="SYQP4I~1")) returned 1 [0157.236] lstrcmpiW (lpString1="SyqP4isOx", lpString2="Windows") returned -1 [0157.236] lstrcmpiW (lpString1="SyqP4isOx", lpString2="Program Files") returned 1 [0157.236] lstrcmpiW (lpString1="SyqP4isOx", lpString2="Program Files (x86)") returned 1 [0157.236] lstrcmpiW (lpString1="SyqP4isOx", lpString2="$Recycle.bin") returned 1 [0157.236] lstrcmpiW (lpString1="SyqP4isOx", lpString2="System Volume Information") returned -1 [0157.236] lstrcmpiW (lpString1="SyqP4isOx", lpString2=".") returned 1 [0157.236] lstrcmpiW (lpString1="SyqP4isOx", lpString2="..") returned 1 [0157.236] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx") returned 83 [0157.236] GetProcessHeap () returned 0x4c0000 [0157.236] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0157.237] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx" [0157.237] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx\\*" [0157.237] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19f7ff60, ftCreationTime.dwHighDateTime=0x1d5dfdc, ftLastAccessTime.dwLowDateTime=0xd9da5f90, ftLastAccessTime.dwHighDateTime=0x1d5e571, ftLastWriteTime.dwLowDateTime=0xd9da5f90, ftLastWriteTime.dwHighDateTime=0x1d5e571, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0157.237] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0157.237] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0157.237] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0157.237] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0157.237] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0157.237] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0157.237] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19f7ff60, ftCreationTime.dwHighDateTime=0x1d5dfdc, ftLastAccessTime.dwLowDateTime=0xd9da5f90, ftLastAccessTime.dwHighDateTime=0x1d5e571, ftLastWriteTime.dwLowDateTime=0xd9da5f90, ftLastWriteTime.dwHighDateTime=0x1d5e571, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0157.237] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0157.237] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0157.237] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0157.237] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0157.237] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0157.237] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0157.237] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0157.238] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb0feae0, ftCreationTime.dwHighDateTime=0x1d5e044, ftLastAccessTime.dwLowDateTime=0x80702000, ftLastAccessTime.dwHighDateTime=0x1d5e0d7, ftLastWriteTime.dwLowDateTime=0x80702000, ftLastWriteTime.dwHighDateTime=0x1d5e0d7, nFileSizeHigh=0x0, nFileSizeLow=0x94e6, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="8XYTGuVrYgHYJkrZbL.jpg", cAlternateFileName="8XYTGU~1.JPG")) returned 1 [0157.238] lstrcmpiW (lpString1="8XYTGuVrYgHYJkrZbL.jpg", lpString2="Windows") returned -1 [0157.238] lstrcmpiW (lpString1="8XYTGuVrYgHYJkrZbL.jpg", lpString2="Program Files") returned -1 [0157.238] lstrcmpiW (lpString1="8XYTGuVrYgHYJkrZbL.jpg", lpString2="Program Files (x86)") returned -1 [0157.238] lstrcmpiW (lpString1="8XYTGuVrYgHYJkrZbL.jpg", lpString2="$Recycle.bin") returned 1 [0157.238] lstrcmpiW (lpString1="8XYTGuVrYgHYJkrZbL.jpg", lpString2="System Volume Information") returned -1 [0157.238] lstrcmpiW (lpString1="8XYTGuVrYgHYJkrZbL.jpg", lpString2=".") returned 1 [0157.238] lstrcmpiW (lpString1="8XYTGuVrYgHYJkrZbL.jpg", lpString2="..") returned 1 [0157.238] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx\\8XYTGuVrYgHYJkrZbL.jpg") returned 106 [0157.238] lstrcmpW (lpString1="8XYTGuVrYgHYJkrZbL.jpg", lpString2="PUSSY.TXT") returned -1 [0157.238] PathFindExtensionW (pszPath="8XYTGuVrYgHYJkrZbL.jpg") returned=".jpg" [0157.238] lstrlenW (lpString=".jpg") returned 4 [0157.238] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0157.238] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx\\8XYTGuVrYgHYJkrZbL.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\syqp4isox\\8xytguvryghyjkrzbl.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0157.239] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=38118) returned 1 [0157.239] GetProcessHeap () returned 0x4c0000 [0157.239] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0157.255] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="34") returned 2 [0157.255] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="A2") returned 2 [0157.256] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="DE") returned 2 [0157.256] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="CD") returned 2 [0157.256] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="2B") returned 2 [0157.256] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="3D") returned 2 [0157.256] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="6F") returned 2 [0157.256] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="08") returned 2 [0157.256] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="00") returned 2 [0157.256] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="D4") returned 2 [0157.256] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="30") returned 2 [0157.256] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="CF") returned 2 [0157.256] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="1B") returned 2 [0157.256] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="0F") returned 2 [0157.256] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="C2") returned 2 [0157.256] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="4F") returned 2 [0157.256] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="19") returned 2 [0157.256] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="39") returned 2 [0157.256] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="6E") returned 2 [0157.256] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="2C") returned 2 [0157.256] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="E8") returned 2 [0157.256] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="6B") returned 2 [0157.256] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="A0") returned 2 [0157.256] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="67") returned 2 [0157.256] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="0E") returned 2 [0157.256] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="54") returned 2 [0157.256] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="A2") returned 2 [0157.256] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="91") returned 2 [0157.256] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="13") returned 2 [0157.256] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="5D") returned 2 [0157.257] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="E6") returned 2 [0157.257] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="0F") returned 2 [0157.266] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx\\8XYTGuVrYgHYJkrZbL.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx\\8XYTGuVrYgHYJkrZbL.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx\\8XYTGuVrYgHYJkrZbL.jpg" [0157.266] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx\\8XYTGuVrYgHYJkrZbL.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx\\8XYTGuVrYgHYJkrZbL.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx\\8XYTGuVrYgHYJkrZbL.jpg" [0157.266] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx\\8XYTGuVrYgHYJkrZbL.jpg", lpString2=".34A2DECD2B3D6F0800D430CF1B0FC24F19396E2CE86BA0670E54A291135DE60F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx\\8XYTGuVrYgHYJkrZbL.jpg.34A2DECD2B3D6F0800D430CF1B0FC24F19396E2CE86BA0670E54A291135DE60F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx\\8XYTGuVrYgHYJkrZbL.jpg.34A2DECD2B3D6F0800D430CF1B0FC24F19396E2CE86BA0670E54A291135DE60F" [0157.266] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0157.266] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0157.300] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d4a8f40, ftCreationTime.dwHighDateTime=0x1d5dc66, ftLastAccessTime.dwLowDateTime=0xfb7253c0, ftLastAccessTime.dwHighDateTime=0x1d5e5b6, ftLastWriteTime.dwLowDateTime=0xfb7253c0, ftLastWriteTime.dwHighDateTime=0x1d5e5b6, nFileSizeHigh=0x0, nFileSizeLow=0xa724, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="iGDtzKqrWpo3SYX7lF.jpg", cAlternateFileName="IGDTZK~1.JPG")) returned 1 [0157.300] lstrcmpiW (lpString1="iGDtzKqrWpo3SYX7lF.jpg", lpString2="Windows") returned -1 [0157.300] lstrcmpiW (lpString1="iGDtzKqrWpo3SYX7lF.jpg", lpString2="Program Files") returned -1 [0157.300] lstrcmpiW (lpString1="iGDtzKqrWpo3SYX7lF.jpg", lpString2="Program Files (x86)") returned -1 [0157.300] lstrcmpiW (lpString1="iGDtzKqrWpo3SYX7lF.jpg", lpString2="$Recycle.bin") returned 1 [0157.300] lstrcmpiW (lpString1="iGDtzKqrWpo3SYX7lF.jpg", lpString2="System Volume Information") returned -1 [0157.300] lstrcmpiW (lpString1="iGDtzKqrWpo3SYX7lF.jpg", lpString2=".") returned 1 [0157.300] lstrcmpiW (lpString1="iGDtzKqrWpo3SYX7lF.jpg", lpString2="..") returned 1 [0157.300] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx\\iGDtzKqrWpo3SYX7lF.jpg") returned 106 [0157.300] lstrcmpW (lpString1="iGDtzKqrWpo3SYX7lF.jpg", lpString2="PUSSY.TXT") returned -1 [0157.300] PathFindExtensionW (pszPath="iGDtzKqrWpo3SYX7lF.jpg") returned=".jpg" [0157.300] lstrlenW (lpString=".jpg") returned 4 [0157.300] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0157.301] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx\\iGDtzKqrWpo3SYX7lF.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\syqp4isox\\igdtzkqrwpo3syx7lf.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0157.301] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=42788) returned 1 [0157.301] GetProcessHeap () returned 0x4c0000 [0157.301] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0157.310] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="97") returned 2 [0157.310] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="C2") returned 2 [0157.310] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="BE") returned 2 [0157.310] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="34") returned 2 [0157.310] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="DE") returned 2 [0157.310] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="2F") returned 2 [0157.310] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="2D") returned 2 [0157.310] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="C4") returned 2 [0157.310] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="57") returned 2 [0157.310] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="0B") returned 2 [0157.310] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="72") returned 2 [0157.310] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="1E") returned 2 [0157.310] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="34") returned 2 [0157.310] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="09") returned 2 [0157.310] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="04") returned 2 [0157.310] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="54") returned 2 [0157.311] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="F8") returned 2 [0157.311] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="E3") returned 2 [0157.311] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="89") returned 2 [0157.311] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="95") returned 2 [0157.311] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="B6") returned 2 [0157.311] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="A1") returned 2 [0157.311] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="87") returned 2 [0157.311] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="5C") returned 2 [0157.311] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="4E") returned 2 [0157.311] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="39") returned 2 [0157.311] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="AB") returned 2 [0157.311] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="BD") returned 2 [0157.311] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="8D") returned 2 [0157.311] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="A1") returned 2 [0157.311] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="49") returned 2 [0157.311] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="67") returned 2 [0157.319] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx\\iGDtzKqrWpo3SYX7lF.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx\\iGDtzKqrWpo3SYX7lF.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx\\iGDtzKqrWpo3SYX7lF.jpg" [0157.319] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx\\iGDtzKqrWpo3SYX7lF.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx\\iGDtzKqrWpo3SYX7lF.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx\\iGDtzKqrWpo3SYX7lF.jpg" [0157.319] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx\\iGDtzKqrWpo3SYX7lF.jpg", lpString2=".97C2BE34DE2F2DC4570B721E34090454F8E38995B6A1875C4E39ABBD8DA14967" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx\\iGDtzKqrWpo3SYX7lF.jpg.97C2BE34DE2F2DC4570B721E34090454F8E38995B6A1875C4E39ABBD8DA14967") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx\\iGDtzKqrWpo3SYX7lF.jpg.97C2BE34DE2F2DC4570B721E34090454F8E38995B6A1875C4E39ABBD8DA14967" [0157.319] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0157.319] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0157.372] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x432111f0, ftCreationTime.dwHighDateTime=0x1d5e0b9, ftLastAccessTime.dwLowDateTime=0x51f438e0, ftLastAccessTime.dwHighDateTime=0x1d5db89, ftLastWriteTime.dwLowDateTime=0x51f438e0, ftLastWriteTime.dwHighDateTime=0x1d5db89, nFileSizeHigh=0x0, nFileSizeLow=0x15212, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="UZIDqKIt5.bmp", cAlternateFileName="UZIDQK~1.BMP")) returned 1 [0157.372] lstrcmpiW (lpString1="UZIDqKIt5.bmp", lpString2="Windows") returned -1 [0157.372] lstrcmpiW (lpString1="UZIDqKIt5.bmp", lpString2="Program Files") returned 1 [0157.373] lstrcmpiW (lpString1="UZIDqKIt5.bmp", lpString2="Program Files (x86)") returned 1 [0157.373] lstrcmpiW (lpString1="UZIDqKIt5.bmp", lpString2="$Recycle.bin") returned 1 [0157.373] lstrcmpiW (lpString1="UZIDqKIt5.bmp", lpString2="System Volume Information") returned 1 [0157.373] lstrcmpiW (lpString1="UZIDqKIt5.bmp", lpString2=".") returned 1 [0157.373] lstrcmpiW (lpString1="UZIDqKIt5.bmp", lpString2="..") returned 1 [0157.373] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx\\UZIDqKIt5.bmp") returned 97 [0157.373] lstrcmpW (lpString1="UZIDqKIt5.bmp", lpString2="PUSSY.TXT") returned 1 [0157.373] PathFindExtensionW (pszPath="UZIDqKIt5.bmp") returned=".bmp" [0157.373] lstrlenW (lpString=".bmp") returned 4 [0157.373] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0157.373] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx\\UZIDqKIt5.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\syqp4isox\\uzidqkit5.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0157.374] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=86546) returned 1 [0157.374] GetProcessHeap () returned 0x4c0000 [0157.374] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0157.386] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="E3") returned 2 [0157.386] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="73") returned 2 [0157.386] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="ED") returned 2 [0157.386] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="6D") returned 2 [0157.386] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="DF") returned 2 [0157.386] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="34") returned 2 [0157.386] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="AE") returned 2 [0157.386] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="BB") returned 2 [0157.386] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="66") returned 2 [0157.386] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="CE") returned 2 [0157.386] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="1C") returned 2 [0157.386] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="58") returned 2 [0157.386] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="42") returned 2 [0157.386] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="B8") returned 2 [0157.386] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="70") returned 2 [0157.386] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="DC") returned 2 [0157.386] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="FA") returned 2 [0157.386] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="07") returned 2 [0157.387] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="82") returned 2 [0157.387] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="18") returned 2 [0157.387] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="90") returned 2 [0157.387] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="DC") returned 2 [0157.387] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="CD") returned 2 [0157.387] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="B5") returned 2 [0157.387] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="7D") returned 2 [0157.387] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="BF") returned 2 [0157.387] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="4F") returned 2 [0157.387] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="0B") returned 2 [0157.387] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="7F") returned 2 [0157.387] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="78") returned 2 [0157.387] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="E6") returned 2 [0157.387] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="49") returned 2 [0157.399] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx\\UZIDqKIt5.bmp" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx\\UZIDqKIt5.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx\\UZIDqKIt5.bmp" [0157.399] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx\\UZIDqKIt5.bmp" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx\\UZIDqKIt5.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx\\UZIDqKIt5.bmp" [0157.400] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx\\UZIDqKIt5.bmp", lpString2=".E373ED6DDF34AEBB66CE1C5842B870DCFA07821890DCCDB57DBF4F0B7F78E649" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx\\UZIDqKIt5.bmp.E373ED6DDF34AEBB66CE1C5842B870DCFA07821890DCCDB57DBF4F0B7F78E649") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx\\UZIDqKIt5.bmp.E373ED6DDF34AEBB66CE1C5842B870DCFA07821890DCCDB57DBF4F0B7F78E649" [0157.400] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0157.400] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0157.448] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x432111f0, ftCreationTime.dwHighDateTime=0x1d5e0b9, ftLastAccessTime.dwLowDateTime=0x51f438e0, ftLastAccessTime.dwHighDateTime=0x1d5db89, ftLastWriteTime.dwLowDateTime=0x51f438e0, ftLastWriteTime.dwHighDateTime=0x1d5db89, nFileSizeHigh=0x0, nFileSizeLow=0x15212, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="UZIDqKIt5.bmp", cAlternateFileName="UZIDQK~1.BMP")) returned 0 [0157.448] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0157.448] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx\\PUSSY.TXT") returned 93 [0157.448] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\syqp4isox\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x124 [0157.473] lstrlenA (lpString="abcd") returned 4 [0157.473] WriteFile (in: hFile=0x124, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0157.474] CloseHandle (hObject=0x124) returned 1 [0157.474] GetProcessHeap () returned 0x4c0000 [0157.474] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0157.474] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19f7ff60, ftCreationTime.dwHighDateTime=0x1d5dfdc, ftLastAccessTime.dwLowDateTime=0xd9da5f90, ftLastAccessTime.dwHighDateTime=0x1d5e571, ftLastWriteTime.dwLowDateTime=0xd9da5f90, ftLastWriteTime.dwHighDateTime=0x1d5e571, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="SyqP4isOx", cAlternateFileName="SYQP4I~1")) returned 0 [0157.474] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0157.474] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\PUSSY.TXT") returned 83 [0157.474] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x120 [0157.475] lstrlenA (lpString="abcd") returned 4 [0157.475] WriteFile (in: hFile=0x120, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0157.476] CloseHandle (hObject=0x120) returned 1 [0157.477] GetProcessHeap () returned 0x4c0000 [0157.477] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0157.477] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3b4f260, ftCreationTime.dwHighDateTime=0x1d5e628, ftLastAccessTime.dwLowDateTime=0x44edeff0, ftLastAccessTime.dwHighDateTime=0x1d5df8b, ftLastWriteTime.dwLowDateTime=0x44edeff0, ftLastWriteTime.dwHighDateTime=0x1d5df8b, nFileSizeHigh=0x0, nFileSizeLow=0x13f0a, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="OcbYHyD3phaFfngD.jpg", cAlternateFileName="OCBYHY~1.JPG")) returned 1 [0157.477] lstrcmpiW (lpString1="OcbYHyD3phaFfngD.jpg", lpString2="Windows") returned -1 [0157.477] lstrcmpiW (lpString1="OcbYHyD3phaFfngD.jpg", lpString2="Program Files") returned -1 [0157.477] lstrcmpiW (lpString1="OcbYHyD3phaFfngD.jpg", lpString2="Program Files (x86)") returned -1 [0157.477] lstrcmpiW (lpString1="OcbYHyD3phaFfngD.jpg", lpString2="$Recycle.bin") returned 1 [0157.477] lstrcmpiW (lpString1="OcbYHyD3phaFfngD.jpg", lpString2="System Volume Information") returned -1 [0157.477] lstrcmpiW (lpString1="OcbYHyD3phaFfngD.jpg", lpString2=".") returned 1 [0157.477] lstrcmpiW (lpString1="OcbYHyD3phaFfngD.jpg", lpString2="..") returned 1 [0157.477] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\OcbYHyD3phaFfngD.jpg") returned 75 [0157.477] lstrcmpW (lpString1="OcbYHyD3phaFfngD.jpg", lpString2="PUSSY.TXT") returned -1 [0157.477] PathFindExtensionW (pszPath="OcbYHyD3phaFfngD.jpg") returned=".jpg" [0157.477] lstrlenW (lpString=".jpg") returned 4 [0157.477] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0157.477] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\OcbYHyD3phaFfngD.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\ocbyhyd3phaffngd.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0157.478] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=81674) returned 1 [0157.478] GetProcessHeap () returned 0x4c0000 [0157.478] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0157.495] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="E7") returned 2 [0157.495] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="F6") returned 2 [0157.495] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="ED") returned 2 [0157.495] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="A2") returned 2 [0157.495] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="91") returned 2 [0157.495] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="16") returned 2 [0157.495] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="4D") returned 2 [0157.495] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="EF") returned 2 [0157.495] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="30") returned 2 [0157.495] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="F9") returned 2 [0157.495] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="C3") returned 2 [0157.495] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="03") returned 2 [0157.496] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="57") returned 2 [0157.496] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="C0") returned 2 [0157.496] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="53") returned 2 [0157.496] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="51") returned 2 [0157.496] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="FC") returned 2 [0157.496] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="F9") returned 2 [0157.496] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="7B") returned 2 [0157.496] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="A4") returned 2 [0157.496] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="06") returned 2 [0157.496] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="EF") returned 2 [0157.496] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="21") returned 2 [0157.496] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="CC") returned 2 [0157.496] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="54") returned 2 [0157.496] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="94") returned 2 [0157.496] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="DF") returned 2 [0157.496] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="7B") returned 2 [0157.496] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="7C") returned 2 [0157.496] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="92") returned 2 [0157.496] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="D5") returned 2 [0157.496] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="6B") returned 2 [0157.510] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\OcbYHyD3phaFfngD.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\OcbYHyD3phaFfngD.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\OcbYHyD3phaFfngD.jpg" [0157.510] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\OcbYHyD3phaFfngD.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\OcbYHyD3phaFfngD.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\OcbYHyD3phaFfngD.jpg" [0157.510] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\OcbYHyD3phaFfngD.jpg", lpString2=".E7F6EDA291164DEF30F9C30357C05351FCF97BA406EF21CC5494DF7B7C92D56B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\OcbYHyD3phaFfngD.jpg.E7F6EDA291164DEF30F9C30357C05351FCF97BA406EF21CC5494DF7B7C92D56B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\OcbYHyD3phaFfngD.jpg.E7F6EDA291164DEF30F9C30357C05351FCF97BA406EF21CC5494DF7B7C92D56B" [0157.510] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0157.510] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0157.510] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3b4f260, ftCreationTime.dwHighDateTime=0x1d5e628, ftLastAccessTime.dwLowDateTime=0x44edeff0, ftLastAccessTime.dwHighDateTime=0x1d5df8b, ftLastWriteTime.dwLowDateTime=0x44edeff0, ftLastWriteTime.dwHighDateTime=0x1d5df8b, nFileSizeHigh=0x0, nFileSizeLow=0x13f0a, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="OcbYHyD3phaFfngD.jpg", cAlternateFileName="OCBYHY~1.JPG")) returned 0 [0157.510] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0157.510] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\PUSSY.TXT") returned 64 [0157.510] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0157.512] lstrlenA (lpString="abcd") returned 4 [0157.512] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0157.513] CloseHandle (hObject=0x184) returned 1 [0157.513] GetProcessHeap () returned 0x4c0000 [0157.513] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0157.513] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24966630, ftCreationTime.dwHighDateTime=0x1d5e213, ftLastAccessTime.dwLowDateTime=0x3263d020, ftLastAccessTime.dwHighDateTime=0x1d5e008, ftLastWriteTime.dwLowDateTime=0x3263d020, ftLastWriteTime.dwHighDateTime=0x1d5e008, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="_DGkrO4j3 3", cAlternateFileName="_DGKRO~1")) returned 0 [0157.513] FindClose (in: hFindFile=0x3bb7020 | out: hFindFile=0x3bb7020) returned 1 [0157.513] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\PUSSY.TXT") returned 52 [0157.513] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0157.514] lstrlenA (lpString="abcd") returned 4 [0157.514] WriteFile (in: hFile=0x190, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0157.515] CloseHandle (hObject=0x190) returned 1 [0157.515] GetProcessHeap () returned 0x4c0000 [0157.515] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0157.518] FindNextFileW (in: hFindFile=0x4ddbc8, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29103b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29103b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29103b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1 [0157.518] lstrcmpiW (lpString1="PrintHood", lpString2="Windows") returned -1 [0157.518] lstrcmpiW (lpString1="PrintHood", lpString2="Program Files") returned -1 [0157.518] lstrcmpiW (lpString1="PrintHood", lpString2="Program Files (x86)") returned -1 [0157.518] lstrcmpiW (lpString1="PrintHood", lpString2="$Recycle.bin") returned 1 [0157.519] lstrcmpiW (lpString1="PrintHood", lpString2="System Volume Information") returned -1 [0157.519] lstrcmpiW (lpString1="PrintHood", lpString2=".") returned 1 [0157.519] lstrcmpiW (lpString1="PrintHood", lpString2="..") returned 1 [0157.519] wnsprintfW (in: pszDest=0x3b28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\PrintHood") returned 43 [0157.519] GetProcessHeap () returned 0x4c0000 [0157.519] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0157.520] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\PrintHood" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\PrintHood") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\PrintHood" [0157.520] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\PrintHood", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\PrintHood\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\PrintHood\\*" [0157.520] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\PrintHood\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24966630, ftCreationTime.dwHighDateTime=0x1d5e213, ftLastAccessTime.dwLowDateTime=0x3263d020, ftLastAccessTime.dwHighDateTime=0x1d5e008, ftLastWriteTime.dwLowDateTime=0x3263d020, ftLastWriteTime.dwHighDateTime=0x1d5e008, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="_DGkrO4j3 3", cAlternateFileName="d")) returned 0xffffffff [0157.520] GetProcessHeap () returned 0x4c0000 [0157.520] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0157.520] FindNextFileW (in: hFindFile=0x4ddbc8, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29129cc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29129cc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29129cc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Recent", cAlternateFileName="")) returned 1 [0157.520] lstrcmpiW (lpString1="Recent", lpString2="Windows") returned -1 [0157.520] lstrcmpiW (lpString1="Recent", lpString2="Program Files") returned 1 [0157.520] lstrcmpiW (lpString1="Recent", lpString2="Program Files (x86)") returned 1 [0157.520] lstrcmpiW (lpString1="Recent", lpString2="$Recycle.bin") returned 1 [0157.520] lstrcmpiW (lpString1="Recent", lpString2="System Volume Information") returned -1 [0157.520] lstrcmpiW (lpString1="Recent", lpString2=".") returned 1 [0157.520] lstrcmpiW (lpString1="Recent", lpString2="..") returned 1 [0157.520] wnsprintfW (in: pszDest=0x3b28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Recent") returned 40 [0157.520] GetProcessHeap () returned 0x4c0000 [0157.520] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0157.520] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Recent" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Recent") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Recent" [0157.520] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Recent", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Recent\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Recent\\*" [0157.520] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Recent\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24966630, ftCreationTime.dwHighDateTime=0x1d5e213, ftLastAccessTime.dwLowDateTime=0x3263d020, ftLastAccessTime.dwHighDateTime=0x1d5e008, ftLastWriteTime.dwLowDateTime=0x3263d020, ftLastWriteTime.dwHighDateTime=0x1d5e008, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="_DGkrO4j3 3", cAlternateFileName="t")) returned 0xffffffff [0157.521] GetProcessHeap () returned 0x4c0000 [0157.521] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0157.521] FindNextFileW (in: hFindFile=0x4ddbc8, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d22d5a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0157.521] lstrcmpiW (lpString1="Saved Games", lpString2="Windows") returned -1 [0157.521] lstrcmpiW (lpString1="Saved Games", lpString2="Program Files") returned 1 [0157.521] lstrcmpiW (lpString1="Saved Games", lpString2="Program Files (x86)") returned 1 [0157.521] lstrcmpiW (lpString1="Saved Games", lpString2="$Recycle.bin") returned 1 [0157.521] lstrcmpiW (lpString1="Saved Games", lpString2="System Volume Information") returned -1 [0157.521] lstrcmpiW (lpString1="Saved Games", lpString2=".") returned 1 [0157.521] lstrcmpiW (lpString1="Saved Games", lpString2="..") returned 1 [0157.521] wnsprintfW (in: pszDest=0x3b28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games") returned 45 [0157.521] GetProcessHeap () returned 0x4c0000 [0157.521] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0157.521] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games" [0157.521] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\*" [0157.521] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d22d5a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7020 [0157.522] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0157.522] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0157.522] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0157.522] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0157.522] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0157.522] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0157.522] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d22d5a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0157.522] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0157.522] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0157.522] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0157.522] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0157.522] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0157.522] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0157.522] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0157.522] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d22d5a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0157.522] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0157.522] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0157.522] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0157.522] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0157.522] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0157.522] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0157.522] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0157.522] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini") returned 57 [0157.522] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0157.522] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0157.522] lstrlenW (lpString=".ini") returned 4 [0157.523] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0157.523] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\saved games\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0157.524] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=282) returned 1 [0157.524] CloseHandle (hObject=0x184) returned 1 [0157.524] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d22d5a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0157.524] FindClose (in: hFindFile=0x3bb7020 | out: hFindFile=0x3bb7020) returned 1 [0157.524] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\PUSSY.TXT") returned 55 [0157.524] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\saved games\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0157.525] lstrlenA (lpString="abcd") returned 4 [0157.525] WriteFile (in: hFile=0x190, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0157.526] CloseHandle (hObject=0x190) returned 1 [0157.526] GetProcessHeap () returned 0x4c0000 [0157.526] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0157.526] FindNextFileW (in: hFindFile=0x4ddbc8, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Searches", cAlternateFileName="")) returned 1 [0157.526] lstrcmpiW (lpString1="Searches", lpString2="Windows") returned -1 [0157.526] lstrcmpiW (lpString1="Searches", lpString2="Program Files") returned 1 [0157.526] lstrcmpiW (lpString1="Searches", lpString2="Program Files (x86)") returned 1 [0157.527] lstrcmpiW (lpString1="Searches", lpString2="$Recycle.bin") returned 1 [0157.527] lstrcmpiW (lpString1="Searches", lpString2="System Volume Information") returned -1 [0157.527] lstrcmpiW (lpString1="Searches", lpString2=".") returned 1 [0157.527] lstrcmpiW (lpString1="Searches", lpString2="..") returned 1 [0157.527] wnsprintfW (in: pszDest=0x3b28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches") returned 42 [0157.527] GetProcessHeap () returned 0x4c0000 [0157.527] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0157.527] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches" [0157.527] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\*" [0157.527] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7020 [0157.527] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0157.527] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0157.527] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0157.527] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0157.527] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0157.527] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0157.527] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0157.527] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0157.527] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0157.527] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0157.527] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0157.528] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0157.528] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0157.528] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0157.528] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x20c, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0157.528] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0157.528] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0157.528] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0157.528] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0157.528] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0157.528] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0157.528] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0157.528] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini") returned 54 [0157.528] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0157.528] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0157.528] lstrlenW (lpString=".ini") returned 4 [0157.528] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0157.528] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0157.529] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=524) returned 1 [0157.529] GetProcessHeap () returned 0x4c0000 [0157.529] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x553b30 [0157.542] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="3B") returned 2 [0157.543] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="4B") returned 2 [0157.543] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="0E") returned 2 [0157.543] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="EE") returned 2 [0157.543] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="1D") returned 2 [0157.543] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="7C") returned 2 [0157.543] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="63") returned 2 [0157.543] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="CA") returned 2 [0157.543] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="61") returned 2 [0157.543] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="61") returned 2 [0157.543] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="22") returned 2 [0157.543] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="0A") returned 2 [0157.543] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="FA") returned 2 [0157.543] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="6D") returned 2 [0157.543] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="8D") returned 2 [0157.543] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="75") returned 2 [0157.543] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="79") returned 2 [0157.543] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="28") returned 2 [0157.543] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="3F") returned 2 [0157.543] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="A6") returned 2 [0157.543] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="25") returned 2 [0157.543] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="91") returned 2 [0157.543] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="02") returned 2 [0157.543] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="30") returned 2 [0157.543] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="80") returned 2 [0157.543] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="41") returned 2 [0157.543] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="42") returned 2 [0157.543] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="71") returned 2 [0157.543] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="6C") returned 2 [0157.543] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="35") returned 2 [0157.543] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="6A") returned 2 [0157.543] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="6E") returned 2 [0157.551] lstrcpyW (in: lpString1=0x563b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini" [0157.551] lstrcpyW (in: lpString1=0x553b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini" [0157.551] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini", lpString2=".3B4B0EEE1D7C63CA6161220AFA6D8D7579283FA625910230804142716C356A6E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini.3B4B0EEE1D7C63CA6161220AFA6D8D7579283FA625910230804142716C356A6E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini.3B4B0EEE1D7C63CA6161220AFA6D8D7579283FA625910230804142716C356A6E" [0157.551] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x553b30, NumberOfConcurrentThreads=0x0) returned 0x94 [0157.552] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x553b30, lpOverlapped=0x553b30) returned 1 [0157.552] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99d9932, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Everywhere.search-ms", cAlternateFileName="EVERYW~1.SEA")) returned 1 [0157.552] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="Windows") returned -1 [0157.552] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="Program Files") returned -1 [0157.552] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="Program Files (x86)") returned -1 [0157.552] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="$Recycle.bin") returned 1 [0157.552] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="System Volume Information") returned -1 [0157.552] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2=".") returned 1 [0157.552] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="..") returned 1 [0157.552] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms") returned 63 [0157.552] lstrcmpW (lpString1="Everywhere.search-ms", lpString2="PUSSY.TXT") returned -1 [0157.552] PathFindExtensionW (pszPath="Everywhere.search-ms") returned=".search-ms" [0157.552] lstrlenW (lpString=".search-ms") returned 10 [0157.552] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0157.552] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\everywhere.search-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0157.552] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 1 [0157.552] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="Windows") returned -1 [0157.552] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="Program Files") returned -1 [0157.553] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="Program Files (x86)") returned -1 [0157.553] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="$Recycle.bin") returned 1 [0157.553] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="System Volume Information") returned -1 [0157.553] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2=".") returned 1 [0157.553] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="..") returned 1 [0157.553] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms") returned 70 [0157.553] lstrcmpW (lpString1="Indexed Locations.search-ms", lpString2="PUSSY.TXT") returned -1 [0157.553] PathFindExtensionW (pszPath="Indexed Locations.search-ms") returned=".search-ms" [0157.553] lstrlenW (lpString=".search-ms") returned 10 [0157.553] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0157.553] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\indexed locations.search-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0157.553] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 0 [0157.553] FindClose (in: hFindFile=0x3bb7020 | out: hFindFile=0x3bb7020) returned 1 [0157.553] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\PUSSY.TXT") returned 52 [0157.553] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0157.554] lstrlenA (lpString="abcd") returned 4 [0157.554] WriteFile (in: hFile=0x190, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0157.555] CloseHandle (hObject=0x190) returned 1 [0157.555] GetProcessHeap () returned 0x4c0000 [0157.555] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0157.555] FindNextFileW (in: hFindFile=0x4ddbc8, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29129cc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29129cc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29129cc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="SendTo", cAlternateFileName="")) returned 1 [0157.555] lstrcmpiW (lpString1="SendTo", lpString2="Windows") returned -1 [0157.556] lstrcmpiW (lpString1="SendTo", lpString2="Program Files") returned 1 [0157.556] lstrcmpiW (lpString1="SendTo", lpString2="Program Files (x86)") returned 1 [0157.556] lstrcmpiW (lpString1="SendTo", lpString2="$Recycle.bin") returned 1 [0157.556] lstrcmpiW (lpString1="SendTo", lpString2="System Volume Information") returned -1 [0157.556] lstrcmpiW (lpString1="SendTo", lpString2=".") returned 1 [0157.556] lstrcmpiW (lpString1="SendTo", lpString2="..") returned 1 [0157.556] wnsprintfW (in: pszDest=0x3b28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\SendTo") returned 40 [0157.556] GetProcessHeap () returned 0x4c0000 [0157.556] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x57bb80 [0157.556] lstrcpyW (in: lpString1=0x57bb80, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\SendTo" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\SendTo") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\SendTo" [0157.556] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\SendTo", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\SendTo\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\SendTo\\*" [0157.556] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\SendTo\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Indexed Locations.search-ms", cAlternateFileName="o")) returned 0xffffffff [0157.556] GetProcessHeap () returned 0x4c0000 [0157.556] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x57bb80 | out: hHeap=0x4c0000) returned 1 [0157.556] FindNextFileW (in: hFindFile=0x4ddbc8, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29129cc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29129cc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29129cc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0157.557] lstrcmpiW (lpString1="Start Menu", lpString2="Windows") returned -1 [0157.557] lstrcmpiW (lpString1="Start Menu", lpString2="Program Files") returned 1 [0157.557] lstrcmpiW (lpString1="Start Menu", lpString2="Program Files (x86)") returned 1 [0157.557] lstrcmpiW (lpString1="Start Menu", lpString2="$Recycle.bin") returned 1 [0157.557] lstrcmpiW (lpString1="Start Menu", lpString2="System Volume Information") returned -1 [0157.557] lstrcmpiW (lpString1="Start Menu", lpString2=".") returned 1 [0157.557] lstrcmpiW (lpString1="Start Menu", lpString2="..") returned 1 [0157.557] wnsprintfW (in: pszDest=0x3b28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Start Menu") returned 44 [0157.557] GetProcessHeap () returned 0x4c0000 [0157.557] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x57bb80 [0157.557] lstrcpyW (in: lpString1=0x57bb80, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Start Menu" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Start Menu") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Start Menu" [0157.557] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Start Menu", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Start Menu\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Start Menu\\*" [0157.557] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Start Menu\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Indexed Locations.search-ms", cAlternateFileName="u")) returned 0xffffffff [0157.557] GetProcessHeap () returned 0x4c0000 [0157.557] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x57bb80 | out: hHeap=0x4c0000) returned 1 [0157.557] FindNextFileW (in: hFindFile=0x4ddbc8, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x2914fe20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0157.557] lstrcmpiW (lpString1="Templates", lpString2="Windows") returned -1 [0157.557] lstrcmpiW (lpString1="Templates", lpString2="Program Files") returned 1 [0157.557] lstrcmpiW (lpString1="Templates", lpString2="Program Files (x86)") returned 1 [0157.557] lstrcmpiW (lpString1="Templates", lpString2="$Recycle.bin") returned 1 [0157.557] lstrcmpiW (lpString1="Templates", lpString2="System Volume Information") returned 1 [0157.557] lstrcmpiW (lpString1="Templates", lpString2=".") returned 1 [0157.557] lstrcmpiW (lpString1="Templates", lpString2="..") returned 1 [0157.557] wnsprintfW (in: pszDest=0x3b28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Templates") returned 43 [0157.557] GetProcessHeap () returned 0x4c0000 [0157.557] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x57bb80 [0157.557] lstrcpyW (in: lpString1=0x57bb80, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Templates" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Templates") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Templates" [0157.557] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Templates", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Templates\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Templates\\*" [0157.558] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Templates\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Indexed Locations.search-ms", cAlternateFileName="s")) returned 0xffffffff [0157.558] GetProcessHeap () returned 0x4c0000 [0157.558] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x57bb80 | out: hHeap=0x4c0000) returned 1 [0157.558] FindNextFileW (in: hFindFile=0x4ddbc8, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdb115ba0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdb115ba0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Videos", cAlternateFileName="")) returned 1 [0157.558] lstrcmpiW (lpString1="Videos", lpString2="Windows") returned -1 [0157.558] lstrcmpiW (lpString1="Videos", lpString2="Program Files") returned 1 [0157.558] lstrcmpiW (lpString1="Videos", lpString2="Program Files (x86)") returned 1 [0157.558] lstrcmpiW (lpString1="Videos", lpString2="$Recycle.bin") returned 1 [0157.558] lstrcmpiW (lpString1="Videos", lpString2="System Volume Information") returned 1 [0157.558] lstrcmpiW (lpString1="Videos", lpString2=".") returned 1 [0157.558] lstrcmpiW (lpString1="Videos", lpString2="..") returned 1 [0157.558] wnsprintfW (in: pszDest=0x3b28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned 40 [0157.558] GetProcessHeap () returned 0x4c0000 [0157.558] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x57bb80 [0157.558] lstrcpyW (in: lpString1=0x57bb80, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos" [0157.558] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*" [0157.558] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdb115ba0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdb115ba0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7020 [0157.558] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0157.558] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0157.558] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0157.558] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0157.558] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0157.558] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0157.558] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdb115ba0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdb115ba0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0157.558] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0157.558] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0157.558] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0157.559] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0157.559] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0157.559] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0157.559] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0157.559] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8d9a380, ftCreationTime.dwHighDateTime=0x1d5e7b7, ftLastAccessTime.dwLowDateTime=0xe3f91930, ftLastAccessTime.dwHighDateTime=0x1d5e0d0, ftLastWriteTime.dwLowDateTime=0xe3f91930, ftLastWriteTime.dwHighDateTime=0x1d5e0d0, nFileSizeHigh=0x0, nFileSizeLow=0x55bf, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="55I6lGhTT.mp4", cAlternateFileName="55I6LG~1.MP4")) returned 1 [0157.559] lstrcmpiW (lpString1="55I6lGhTT.mp4", lpString2="Windows") returned -1 [0157.559] lstrcmpiW (lpString1="55I6lGhTT.mp4", lpString2="Program Files") returned -1 [0157.559] lstrcmpiW (lpString1="55I6lGhTT.mp4", lpString2="Program Files (x86)") returned -1 [0157.559] lstrcmpiW (lpString1="55I6lGhTT.mp4", lpString2="$Recycle.bin") returned 1 [0157.559] lstrcmpiW (lpString1="55I6lGhTT.mp4", lpString2="System Volume Information") returned -1 [0157.559] lstrcmpiW (lpString1="55I6lGhTT.mp4", lpString2=".") returned 1 [0157.559] lstrcmpiW (lpString1="55I6lGhTT.mp4", lpString2="..") returned 1 [0157.559] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\55I6lGhTT.mp4") returned 54 [0157.559] lstrcmpW (lpString1="55I6lGhTT.mp4", lpString2="PUSSY.TXT") returned -1 [0157.559] PathFindExtensionW (pszPath="55I6lGhTT.mp4") returned=".mp4" [0157.559] lstrlenW (lpString=".mp4") returned 4 [0157.559] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0157.559] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\55I6lGhTT.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\55i6lghtt.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x124 [0157.560] GetFileSizeEx (in: hFile=0x124, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=21951) returned 1 [0157.560] GetProcessHeap () returned 0x4c0000 [0157.560] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0157.572] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="8A") returned 2 [0157.572] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="ED") returned 2 [0157.572] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="37") returned 2 [0157.572] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="AA") returned 2 [0157.572] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="52") returned 2 [0157.572] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="3A") returned 2 [0157.572] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="CB") returned 2 [0157.572] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="F0") returned 2 [0157.572] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="65") returned 2 [0157.572] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="00") returned 2 [0157.572] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="DF") returned 2 [0157.572] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="4B") returned 2 [0157.573] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="37") returned 2 [0157.573] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="85") returned 2 [0157.573] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="C2") returned 2 [0157.573] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="77") returned 2 [0157.573] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="53") returned 2 [0157.573] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="5F") returned 2 [0157.573] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="F6") returned 2 [0157.573] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="2F") returned 2 [0157.573] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="90") returned 2 [0157.573] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="44") returned 2 [0157.573] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="0A") returned 2 [0157.573] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="28") returned 2 [0157.653] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="22") returned 2 [0157.653] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="BA") returned 2 [0157.653] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="23") returned 2 [0157.653] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="19") returned 2 [0157.653] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="10") returned 2 [0157.653] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="C8") returned 2 [0157.653] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="08") returned 2 [0157.653] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="56") returned 2 [0157.665] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\55I6lGhTT.mp4" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\55I6lGhTT.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\55I6lGhTT.mp4" [0157.665] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\55I6lGhTT.mp4" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\55I6lGhTT.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\55I6lGhTT.mp4" [0157.665] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\55I6lGhTT.mp4", lpString2=".8AED37AA523ACBF06500DF4B3785C277535FF62F90440A2822BA231910C80856" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\55I6lGhTT.mp4.8AED37AA523ACBF06500DF4B3785C277535FF62F90440A2822BA231910C80856") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\55I6lGhTT.mp4.8AED37AA523ACBF06500DF4B3785C277535FF62F90440A2822BA231910C80856" [0157.665] CreateIoCompletionPort (FileHandle=0x124, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0157.665] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0157.698] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeee9d540, ftCreationTime.dwHighDateTime=0x1d5e4f5, ftLastAccessTime.dwLowDateTime=0x328d6cb0, ftLastAccessTime.dwHighDateTime=0x1d5d7fb, ftLastWriteTime.dwLowDateTime=0x328d6cb0, ftLastWriteTime.dwHighDateTime=0x1d5d7fb, nFileSizeHigh=0x0, nFileSizeLow=0x16188, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="56ZHFrjeUsCd-.swf", cAlternateFileName="56ZHFR~1.SWF")) returned 1 [0157.698] lstrcmpiW (lpString1="56ZHFrjeUsCd-.swf", lpString2="Windows") returned -1 [0157.698] lstrcmpiW (lpString1="56ZHFrjeUsCd-.swf", lpString2="Program Files") returned -1 [0157.698] lstrcmpiW (lpString1="56ZHFrjeUsCd-.swf", lpString2="Program Files (x86)") returned -1 [0157.698] lstrcmpiW (lpString1="56ZHFrjeUsCd-.swf", lpString2="$Recycle.bin") returned 1 [0157.698] lstrcmpiW (lpString1="56ZHFrjeUsCd-.swf", lpString2="System Volume Information") returned -1 [0157.698] lstrcmpiW (lpString1="56ZHFrjeUsCd-.swf", lpString2=".") returned 1 [0157.698] lstrcmpiW (lpString1="56ZHFrjeUsCd-.swf", lpString2="..") returned 1 [0157.698] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\56ZHFrjeUsCd-.swf") returned 58 [0157.698] lstrcmpW (lpString1="56ZHFrjeUsCd-.swf", lpString2="PUSSY.TXT") returned -1 [0157.698] PathFindExtensionW (pszPath="56ZHFrjeUsCd-.swf") returned=".swf" [0157.698] lstrlenW (lpString=".swf") returned 4 [0157.698] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0157.698] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\56ZHFrjeUsCd-.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\56zhfrjeuscd-.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x124 [0157.699] GetFileSizeEx (in: hFile=0x124, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=90504) returned 1 [0157.700] GetProcessHeap () returned 0x4c0000 [0157.700] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0157.712] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="2C") returned 2 [0157.712] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="14") returned 2 [0157.712] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="81") returned 2 [0157.712] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="0A") returned 2 [0157.712] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="3B") returned 2 [0157.712] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="7F") returned 2 [0157.712] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="21") returned 2 [0157.712] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="2A") returned 2 [0157.712] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="56") returned 2 [0157.712] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="37") returned 2 [0157.712] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="8D") returned 2 [0157.712] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="9E") returned 2 [0157.713] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="9A") returned 2 [0157.713] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="41") returned 2 [0157.713] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="E7") returned 2 [0157.713] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="45") returned 2 [0157.713] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="78") returned 2 [0157.713] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="89") returned 2 [0157.713] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="2C") returned 2 [0157.713] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="38") returned 2 [0157.713] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="E1") returned 2 [0157.713] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="6B") returned 2 [0157.713] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="27") returned 2 [0157.713] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="21") returned 2 [0157.713] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="52") returned 2 [0157.713] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="BF") returned 2 [0157.713] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="0E") returned 2 [0157.713] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="74") returned 2 [0157.713] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="8B") returned 2 [0157.713] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="70") returned 2 [0157.713] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="BF") returned 2 [0157.713] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="24") returned 2 [0157.728] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\56ZHFrjeUsCd-.swf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\56ZHFrjeUsCd-.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\56ZHFrjeUsCd-.swf" [0157.728] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\56ZHFrjeUsCd-.swf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\56ZHFrjeUsCd-.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\56ZHFrjeUsCd-.swf" [0157.728] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\56ZHFrjeUsCd-.swf", lpString2=".2C14810A3B7F212A56378D9E9A41E74578892C38E16B272152BF0E748B70BF24" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\56ZHFrjeUsCd-.swf.2C14810A3B7F212A56378D9E9A41E74578892C38E16B272152BF0E748B70BF24") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\56ZHFrjeUsCd-.swf.2C14810A3B7F212A56378D9E9A41E74578892C38E16B272152BF0E748B70BF24" [0157.728] CreateIoCompletionPort (FileHandle=0x124, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0157.728] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0157.781] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4189bb0, ftCreationTime.dwHighDateTime=0x1d5dfaa, ftLastAccessTime.dwLowDateTime=0xc22926b0, ftLastAccessTime.dwHighDateTime=0x1d5ddba, ftLastWriteTime.dwLowDateTime=0xc22926b0, ftLastWriteTime.dwHighDateTime=0x1d5ddba, nFileSizeHigh=0x0, nFileSizeLow=0xc7fb, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="9JRQNP8d3dIHn.flv", cAlternateFileName="9JRQNP~1.FLV")) returned 1 [0157.781] lstrcmpiW (lpString1="9JRQNP8d3dIHn.flv", lpString2="Windows") returned -1 [0157.781] lstrcmpiW (lpString1="9JRQNP8d3dIHn.flv", lpString2="Program Files") returned -1 [0157.781] lstrcmpiW (lpString1="9JRQNP8d3dIHn.flv", lpString2="Program Files (x86)") returned -1 [0157.781] lstrcmpiW (lpString1="9JRQNP8d3dIHn.flv", lpString2="$Recycle.bin") returned 1 [0157.781] lstrcmpiW (lpString1="9JRQNP8d3dIHn.flv", lpString2="System Volume Information") returned -1 [0157.781] lstrcmpiW (lpString1="9JRQNP8d3dIHn.flv", lpString2=".") returned 1 [0157.781] lstrcmpiW (lpString1="9JRQNP8d3dIHn.flv", lpString2="..") returned 1 [0157.781] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9JRQNP8d3dIHn.flv") returned 58 [0157.781] lstrcmpW (lpString1="9JRQNP8d3dIHn.flv", lpString2="PUSSY.TXT") returned -1 [0157.781] PathFindExtensionW (pszPath="9JRQNP8d3dIHn.flv") returned=".flv" [0157.781] lstrlenW (lpString=".flv") returned 4 [0157.781] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0157.781] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9JRQNP8d3dIHn.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9jrqnp8d3dihn.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x124 [0157.782] GetFileSizeEx (in: hFile=0x124, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=51195) returned 1 [0157.782] GetProcessHeap () returned 0x4c0000 [0157.783] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0157.795] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="B1") returned 2 [0157.795] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="0D") returned 2 [0157.795] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="3A") returned 2 [0157.795] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="7C") returned 2 [0157.795] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="B7") returned 2 [0157.795] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="C9") returned 2 [0157.795] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="26") returned 2 [0157.795] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="F3") returned 2 [0157.795] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="AB") returned 2 [0157.795] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="88") returned 2 [0157.795] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="93") returned 2 [0157.795] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="C1") returned 2 [0157.795] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="77") returned 2 [0157.795] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="68") returned 2 [0157.795] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="6A") returned 2 [0157.795] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="5D") returned 2 [0157.795] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="3C") returned 2 [0157.795] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="EF") returned 2 [0157.795] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="7C") returned 2 [0157.795] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="1F") returned 2 [0157.796] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="72") returned 2 [0157.796] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="06") returned 2 [0157.796] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="29") returned 2 [0157.796] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="9D") returned 2 [0157.796] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="E1") returned 2 [0157.796] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="EE") returned 2 [0157.796] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="A2") returned 2 [0157.796] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="6E") returned 2 [0157.796] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="3A") returned 2 [0157.796] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="49") returned 2 [0157.796] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="7F") returned 2 [0157.796] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="5D") returned 2 [0157.808] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9JRQNP8d3dIHn.flv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9JRQNP8d3dIHn.flv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9JRQNP8d3dIHn.flv" [0157.808] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9JRQNP8d3dIHn.flv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9JRQNP8d3dIHn.flv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9JRQNP8d3dIHn.flv" [0157.808] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9JRQNP8d3dIHn.flv", lpString2=".B10D3A7CB7C926F3AB8893C177686A5D3CEF7C1F7206299DE1EEA26E3A497F5D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9JRQNP8d3dIHn.flv.B10D3A7CB7C926F3AB8893C177686A5D3CEF7C1F7206299DE1EEA26E3A497F5D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9JRQNP8d3dIHn.flv.B10D3A7CB7C926F3AB8893C177686A5D3CEF7C1F7206299DE1EEA26E3A497F5D" [0157.808] CreateIoCompletionPort (FileHandle=0x124, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0157.808] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0157.853] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44c02ef0, ftCreationTime.dwHighDateTime=0x1d5dfe8, ftLastAccessTime.dwLowDateTime=0xe60837b0, ftLastAccessTime.dwHighDateTime=0x1d5dabd, ftLastWriteTime.dwLowDateTime=0xe60837b0, ftLastWriteTime.dwHighDateTime=0x1d5dabd, nFileSizeHigh=0x0, nFileSizeLow=0xacbb, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="a_mFLj.mkv", cAlternateFileName="")) returned 1 [0157.854] lstrcmpiW (lpString1="a_mFLj.mkv", lpString2="Windows") returned -1 [0157.854] lstrcmpiW (lpString1="a_mFLj.mkv", lpString2="Program Files") returned -1 [0157.854] lstrcmpiW (lpString1="a_mFLj.mkv", lpString2="Program Files (x86)") returned -1 [0157.854] lstrcmpiW (lpString1="a_mFLj.mkv", lpString2="$Recycle.bin") returned 1 [0157.854] lstrcmpiW (lpString1="a_mFLj.mkv", lpString2="System Volume Information") returned -1 [0157.854] lstrcmpiW (lpString1="a_mFLj.mkv", lpString2=".") returned 1 [0157.854] lstrcmpiW (lpString1="a_mFLj.mkv", lpString2="..") returned 1 [0157.866] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\a_mFLj.mkv") returned 51 [0157.866] lstrcmpW (lpString1="a_mFLj.mkv", lpString2="PUSSY.TXT") returned -1 [0157.866] PathFindExtensionW (pszPath="a_mFLj.mkv") returned=".mkv" [0157.866] lstrlenW (lpString=".mkv") returned 4 [0157.866] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0157.866] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\a_mFLj.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\a_mflj.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x124 [0157.867] GetFileSizeEx (in: hFile=0x124, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=44219) returned 1 [0157.867] GetProcessHeap () returned 0x4c0000 [0157.867] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0157.879] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="0D") returned 2 [0157.879] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="E0") returned 2 [0157.879] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="E5") returned 2 [0157.879] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="A0") returned 2 [0157.880] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="13") returned 2 [0157.880] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="57") returned 2 [0157.880] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="AB") returned 2 [0157.880] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="76") returned 2 [0157.880] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="A5") returned 2 [0157.880] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="57") returned 2 [0157.880] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="62") returned 2 [0157.880] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="D7") returned 2 [0157.880] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="0B") returned 2 [0157.880] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="49") returned 2 [0157.880] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="F9") returned 2 [0157.880] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="E8") returned 2 [0157.880] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="CD") returned 2 [0157.880] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="59") returned 2 [0157.880] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="54") returned 2 [0157.880] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="B9") returned 2 [0157.880] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="4A") returned 2 [0157.880] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="3A") returned 2 [0157.880] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="C3") returned 2 [0157.880] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="DB") returned 2 [0157.880] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="AE") returned 2 [0157.880] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="AE") returned 2 [0157.880] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="2D") returned 2 [0157.880] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="89") returned 2 [0157.880] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="40") returned 2 [0157.880] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="49") returned 2 [0157.880] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="61") returned 2 [0157.881] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="07") returned 2 [0157.892] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\a_mFLj.mkv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\a_mFLj.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\a_mFLj.mkv" [0157.892] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\a_mFLj.mkv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\a_mFLj.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\a_mFLj.mkv" [0157.892] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\a_mFLj.mkv", lpString2=".0DE0E5A01357AB76A55762D70B49F9E8CD5954B94A3AC3DBAEAE2D8940496107" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\a_mFLj.mkv.0DE0E5A01357AB76A55762D70B49F9E8CD5954B94A3AC3DBAEAE2D8940496107") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\a_mFLj.mkv.0DE0E5A01357AB76A55762D70B49F9E8CD5954B94A3AC3DBAEAE2D8940496107" [0157.892] CreateIoCompletionPort (FileHandle=0x124, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0157.892] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0157.978] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x951d5460, ftCreationTime.dwHighDateTime=0x1d5d9ab, ftLastAccessTime.dwLowDateTime=0x2cef2d90, ftLastAccessTime.dwHighDateTime=0x1d5deca, ftLastWriteTime.dwLowDateTime=0x2cef2d90, ftLastWriteTime.dwHighDateTime=0x1d5deca, nFileSizeHigh=0x0, nFileSizeLow=0xbd07, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="b8mBCsoWCFI.mkv", cAlternateFileName="B8MBCS~1.MKV")) returned 1 [0157.978] lstrcmpiW (lpString1="b8mBCsoWCFI.mkv", lpString2="Windows") returned -1 [0157.978] lstrcmpiW (lpString1="b8mBCsoWCFI.mkv", lpString2="Program Files") returned -1 [0157.978] lstrcmpiW (lpString1="b8mBCsoWCFI.mkv", lpString2="Program Files (x86)") returned -1 [0157.978] lstrcmpiW (lpString1="b8mBCsoWCFI.mkv", lpString2="$Recycle.bin") returned 1 [0157.978] lstrcmpiW (lpString1="b8mBCsoWCFI.mkv", lpString2="System Volume Information") returned -1 [0157.978] lstrcmpiW (lpString1="b8mBCsoWCFI.mkv", lpString2=".") returned 1 [0157.978] lstrcmpiW (lpString1="b8mBCsoWCFI.mkv", lpString2="..") returned 1 [0157.978] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\b8mBCsoWCFI.mkv") returned 56 [0157.978] lstrcmpW (lpString1="b8mBCsoWCFI.mkv", lpString2="PUSSY.TXT") returned -1 [0157.978] PathFindExtensionW (pszPath="b8mBCsoWCFI.mkv") returned=".mkv" [0157.978] lstrlenW (lpString=".mkv") returned 4 [0157.978] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0157.978] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\b8mBCsoWCFI.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\b8mbcsowcfi.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x124 [0157.979] GetFileSizeEx (in: hFile=0x124, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=48391) returned 1 [0157.979] GetProcessHeap () returned 0x4c0000 [0157.979] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0157.991] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="8F") returned 2 [0157.992] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="B0") returned 2 [0157.992] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="51") returned 2 [0157.992] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="A7") returned 2 [0157.992] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="CA") returned 2 [0157.992] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="67") returned 2 [0157.992] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="7D") returned 2 [0157.992] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="46") returned 2 [0157.992] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="01") returned 2 [0157.992] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="C1") returned 2 [0157.992] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="81") returned 2 [0157.992] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="C0") returned 2 [0157.992] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="16") returned 2 [0157.992] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="34") returned 2 [0157.992] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="54") returned 2 [0157.992] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="E3") returned 2 [0157.992] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="3B") returned 2 [0157.992] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="17") returned 2 [0157.992] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="CA") returned 2 [0157.992] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="3B") returned 2 [0157.992] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="13") returned 2 [0157.992] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="DD") returned 2 [0157.992] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="A5") returned 2 [0157.992] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="DA") returned 2 [0157.992] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="8B") returned 2 [0157.992] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="80") returned 2 [0157.992] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="EA") returned 2 [0157.992] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="A1") returned 2 [0157.992] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="BF") returned 2 [0157.993] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="A7") returned 2 [0157.993] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="31") returned 2 [0157.993] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="70") returned 2 [0158.006] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\b8mBCsoWCFI.mkv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\b8mBCsoWCFI.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\b8mBCsoWCFI.mkv" [0158.006] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\b8mBCsoWCFI.mkv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\b8mBCsoWCFI.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\b8mBCsoWCFI.mkv" [0158.006] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\b8mBCsoWCFI.mkv", lpString2=".8FB051A7CA677D4601C181C0163454E33B17CA3B13DDA5DA8B80EAA1BFA73170" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\b8mBCsoWCFI.mkv.8FB051A7CA677D4601C181C0163454E33B17CA3B13DDA5DA8B80EAA1BFA73170") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\b8mBCsoWCFI.mkv.8FB051A7CA677D4601C181C0163454E33B17CA3B13DDA5DA8B80EAA1BFA73170" [0158.006] CreateIoCompletionPort (FileHandle=0x124, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0158.006] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0158.052] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f21fef0, ftCreationTime.dwHighDateTime=0x1d5e722, ftLastAccessTime.dwLowDateTime=0xedfab100, ftLastAccessTime.dwHighDateTime=0x1d5e1d9, ftLastWriteTime.dwLowDateTime=0xedfab100, ftLastWriteTime.dwHighDateTime=0x1d5e1d9, nFileSizeHigh=0x0, nFileSizeLow=0xe92d, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="BIYLkslvs tyqIDlX0.avi", cAlternateFileName="BIYLKS~1.AVI")) returned 1 [0158.052] lstrcmpiW (lpString1="BIYLkslvs tyqIDlX0.avi", lpString2="Windows") returned -1 [0158.052] lstrcmpiW (lpString1="BIYLkslvs tyqIDlX0.avi", lpString2="Program Files") returned -1 [0158.052] lstrcmpiW (lpString1="BIYLkslvs tyqIDlX0.avi", lpString2="Program Files (x86)") returned -1 [0158.053] lstrcmpiW (lpString1="BIYLkslvs tyqIDlX0.avi", lpString2="$Recycle.bin") returned 1 [0158.053] lstrcmpiW (lpString1="BIYLkslvs tyqIDlX0.avi", lpString2="System Volume Information") returned -1 [0158.053] lstrcmpiW (lpString1="BIYLkslvs tyqIDlX0.avi", lpString2=".") returned 1 [0158.053] lstrcmpiW (lpString1="BIYLkslvs tyqIDlX0.avi", lpString2="..") returned 1 [0158.053] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\BIYLkslvs tyqIDlX0.avi") returned 63 [0158.053] lstrcmpW (lpString1="BIYLkslvs tyqIDlX0.avi", lpString2="PUSSY.TXT") returned -1 [0158.053] PathFindExtensionW (pszPath="BIYLkslvs tyqIDlX0.avi") returned=".avi" [0158.053] lstrlenW (lpString=".avi") returned 4 [0158.053] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0158.053] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\BIYLkslvs tyqIDlX0.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\biylkslvs tyqidlx0.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x124 [0158.054] GetFileSizeEx (in: hFile=0x124, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=59693) returned 1 [0158.054] GetProcessHeap () returned 0x4c0000 [0158.054] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0158.066] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="51") returned 2 [0158.066] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="58") returned 2 [0158.066] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="D9") returned 2 [0158.066] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="13") returned 2 [0158.066] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="66") returned 2 [0158.066] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="89") returned 2 [0158.066] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="81") returned 2 [0158.066] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="38") returned 2 [0158.066] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="11") returned 2 [0158.066] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="E3") returned 2 [0158.066] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="1C") returned 2 [0158.066] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="99") returned 2 [0158.066] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="26") returned 2 [0158.067] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="4C") returned 2 [0158.067] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="0F") returned 2 [0158.067] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="0C") returned 2 [0158.067] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="1D") returned 2 [0158.067] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="E9") returned 2 [0158.067] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="61") returned 2 [0158.067] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="C1") returned 2 [0158.067] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="1B") returned 2 [0158.067] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="EA") returned 2 [0158.067] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="A5") returned 2 [0158.067] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="52") returned 2 [0158.067] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="45") returned 2 [0158.067] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="52") returned 2 [0158.067] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="05") returned 2 [0158.067] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="54") returned 2 [0158.067] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="A6") returned 2 [0158.067] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="35") returned 2 [0158.067] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="AA") returned 2 [0158.067] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="1A") returned 2 [0158.081] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\BIYLkslvs tyqIDlX0.avi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\BIYLkslvs tyqIDlX0.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\BIYLkslvs tyqIDlX0.avi" [0158.081] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\BIYLkslvs tyqIDlX0.avi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\BIYLkslvs tyqIDlX0.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\BIYLkslvs tyqIDlX0.avi" [0158.081] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\BIYLkslvs tyqIDlX0.avi", lpString2=".5158D9136689813811E31C99264C0F0C1DE961C11BEAA55245520554A635AA1A" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\BIYLkslvs tyqIDlX0.avi.5158D9136689813811E31C99264C0F0C1DE961C11BEAA55245520554A635AA1A") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\BIYLkslvs tyqIDlX0.avi.5158D9136689813811E31C99264C0F0C1DE961C11BEAA55245520554A635AA1A" [0158.081] CreateIoCompletionPort (FileHandle=0x124, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0158.081] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0158.129] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0158.129] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0158.129] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0158.129] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0158.129] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0158.129] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0158.129] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0158.129] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0158.130] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini") returned 52 [0158.130] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0158.130] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0158.130] lstrlenW (lpString=".ini") returned 4 [0158.130] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0158.130] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x124 [0158.131] GetFileSizeEx (in: hFile=0x124, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=504) returned 1 [0158.131] CloseHandle (hObject=0x124) returned 1 [0158.131] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x66cb4910, ftCreationTime.dwHighDateTime=0x1d5e648, ftLastAccessTime.dwLowDateTime=0xafee0b70, ftLastAccessTime.dwHighDateTime=0x1d5e380, ftLastWriteTime.dwLowDateTime=0xafee0b70, ftLastWriteTime.dwHighDateTime=0x1d5e380, nFileSizeHigh=0x0, nFileSizeLow=0x1632, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="G215a0oz xFA.mp4", cAlternateFileName="G215A0~1.MP4")) returned 1 [0158.131] lstrcmpiW (lpString1="G215a0oz xFA.mp4", lpString2="Windows") returned -1 [0158.131] lstrcmpiW (lpString1="G215a0oz xFA.mp4", lpString2="Program Files") returned -1 [0158.131] lstrcmpiW (lpString1="G215a0oz xFA.mp4", lpString2="Program Files (x86)") returned -1 [0158.131] lstrcmpiW (lpString1="G215a0oz xFA.mp4", lpString2="$Recycle.bin") returned 1 [0158.131] lstrcmpiW (lpString1="G215a0oz xFA.mp4", lpString2="System Volume Information") returned -1 [0158.131] lstrcmpiW (lpString1="G215a0oz xFA.mp4", lpString2=".") returned 1 [0158.131] lstrcmpiW (lpString1="G215a0oz xFA.mp4", lpString2="..") returned 1 [0158.131] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\G215a0oz xFA.mp4") returned 57 [0158.131] lstrcmpW (lpString1="G215a0oz xFA.mp4", lpString2="PUSSY.TXT") returned -1 [0158.131] PathFindExtensionW (pszPath="G215a0oz xFA.mp4") returned=".mp4" [0158.131] lstrlenW (lpString=".mp4") returned 4 [0158.131] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0158.131] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\G215a0oz xFA.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\g215a0oz xfa.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x124 [0158.132] GetFileSizeEx (in: hFile=0x124, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=5682) returned 1 [0158.132] GetProcessHeap () returned 0x4c0000 [0158.132] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0158.144] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="6C") returned 2 [0158.144] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="98") returned 2 [0158.144] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="52") returned 2 [0158.144] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="06") returned 2 [0158.144] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="3A") returned 2 [0158.144] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="C1") returned 2 [0158.144] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="9E") returned 2 [0158.144] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="97") returned 2 [0158.144] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="12") returned 2 [0158.144] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="C7") returned 2 [0158.144] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="8B") returned 2 [0158.144] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="A6") returned 2 [0158.144] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="F1") returned 2 [0158.144] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="64") returned 2 [0158.144] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="61") returned 2 [0158.144] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="B7") returned 2 [0158.144] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="11") returned 2 [0158.144] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="C2") returned 2 [0158.144] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="F8") returned 2 [0158.144] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="98") returned 2 [0158.144] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="DE") returned 2 [0158.144] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="A5") returned 2 [0158.144] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="5F") returned 2 [0158.145] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="5F") returned 2 [0158.145] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="DA") returned 2 [0158.145] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="AA") returned 2 [0158.145] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="28") returned 2 [0158.145] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="E3") returned 2 [0158.145] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="3B") returned 2 [0158.145] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="0D") returned 2 [0158.145] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="10") returned 2 [0158.145] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="45") returned 2 [0158.157] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\G215a0oz xFA.mp4" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\G215a0oz xFA.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\G215a0oz xFA.mp4" [0158.157] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\G215a0oz xFA.mp4" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\G215a0oz xFA.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\G215a0oz xFA.mp4" [0158.158] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\G215a0oz xFA.mp4", lpString2=".6C9852063AC19E9712C78BA6F16461B711C2F898DEA55F5FDAAA28E33B0D1045" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\G215a0oz xFA.mp4.6C9852063AC19E9712C78BA6F16461B711C2F898DEA55F5FDAAA28E33B0D1045") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\G215a0oz xFA.mp4.6C9852063AC19E9712C78BA6F16461B711C2F898DEA55F5FDAAA28E33B0D1045" [0158.158] CreateIoCompletionPort (FileHandle=0x124, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0158.158] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0158.170] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc27182a0, ftCreationTime.dwHighDateTime=0x1d5e0e1, ftLastAccessTime.dwLowDateTime=0x2eb36930, ftLastAccessTime.dwHighDateTime=0x1d5e464, ftLastWriteTime.dwLowDateTime=0x2eb36930, ftLastWriteTime.dwHighDateTime=0x1d5e464, nFileSizeHigh=0x0, nFileSizeLow=0x1478a, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="GOVWhH0SJQ5f5.avi", cAlternateFileName="GOVWHH~1.AVI")) returned 1 [0158.170] lstrcmpiW (lpString1="GOVWhH0SJQ5f5.avi", lpString2="Windows") returned -1 [0158.170] lstrcmpiW (lpString1="GOVWhH0SJQ5f5.avi", lpString2="Program Files") returned -1 [0158.170] lstrcmpiW (lpString1="GOVWhH0SJQ5f5.avi", lpString2="Program Files (x86)") returned -1 [0158.171] lstrcmpiW (lpString1="GOVWhH0SJQ5f5.avi", lpString2="$Recycle.bin") returned 1 [0158.171] lstrcmpiW (lpString1="GOVWhH0SJQ5f5.avi", lpString2="System Volume Information") returned -1 [0158.171] lstrcmpiW (lpString1="GOVWhH0SJQ5f5.avi", lpString2=".") returned 1 [0158.171] lstrcmpiW (lpString1="GOVWhH0SJQ5f5.avi", lpString2="..") returned 1 [0158.171] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\GOVWhH0SJQ5f5.avi") returned 58 [0158.171] lstrcmpW (lpString1="GOVWhH0SJQ5f5.avi", lpString2="PUSSY.TXT") returned -1 [0158.171] PathFindExtensionW (pszPath="GOVWhH0SJQ5f5.avi") returned=".avi" [0158.171] lstrlenW (lpString=".avi") returned 4 [0158.171] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0158.171] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\GOVWhH0SJQ5f5.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\govwhh0sjq5f5.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x124 [0158.172] GetFileSizeEx (in: hFile=0x124, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=83850) returned 1 [0158.172] GetProcessHeap () returned 0x4c0000 [0158.172] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0158.189] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="FF") returned 2 [0158.189] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="A5") returned 2 [0158.189] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="CF") returned 2 [0158.189] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="19") returned 2 [0158.189] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="53") returned 2 [0158.189] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="61") returned 2 [0158.189] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="08") returned 2 [0158.189] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="D7") returned 2 [0158.189] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="D4") returned 2 [0158.189] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="4A") returned 2 [0158.189] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="EE") returned 2 [0158.189] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="C6") returned 2 [0158.189] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="8B") returned 2 [0158.189] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="95") returned 2 [0158.189] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="37") returned 2 [0158.189] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="0E") returned 2 [0158.189] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="10") returned 2 [0158.189] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="99") returned 2 [0158.189] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="D5") returned 2 [0158.190] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="44") returned 2 [0158.190] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="F7") returned 2 [0158.190] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="56") returned 2 [0158.190] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="0E") returned 2 [0158.190] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="1E") returned 2 [0158.190] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="B1") returned 2 [0158.190] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="5A") returned 2 [0158.190] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="D3") returned 2 [0158.190] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="5A") returned 2 [0158.190] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="C8") returned 2 [0158.190] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="0B") returned 2 [0158.190] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="14") returned 2 [0158.190] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="25") returned 2 [0158.202] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\GOVWhH0SJQ5f5.avi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\GOVWhH0SJQ5f5.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\GOVWhH0SJQ5f5.avi" [0158.202] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\GOVWhH0SJQ5f5.avi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\GOVWhH0SJQ5f5.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\GOVWhH0SJQ5f5.avi" [0158.202] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\GOVWhH0SJQ5f5.avi", lpString2=".FFA5CF19536108D7D44AEEC68B95370E1099D544F7560E1EB15AD35AC80B1425" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\GOVWhH0SJQ5f5.avi.FFA5CF19536108D7D44AEEC68B95370E1099D544F7560E1EB15AD35AC80B1425") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\GOVWhH0SJQ5f5.avi.FFA5CF19536108D7D44AEEC68B95370E1099D544F7560E1EB15AD35AC80B1425" [0158.202] CreateIoCompletionPort (FileHandle=0x124, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0158.202] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0158.247] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x443f2c50, ftCreationTime.dwHighDateTime=0x1d5e5c0, ftLastAccessTime.dwLowDateTime=0xf98c200, ftLastAccessTime.dwHighDateTime=0x1d5e588, ftLastWriteTime.dwLowDateTime=0xf98c200, ftLastWriteTime.dwHighDateTime=0x1d5e588, nFileSizeHigh=0x0, nFileSizeLow=0x16e8b, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="gPyfKQhW.mp4", cAlternateFileName="")) returned 1 [0158.247] lstrcmpiW (lpString1="gPyfKQhW.mp4", lpString2="Windows") returned -1 [0158.247] lstrcmpiW (lpString1="gPyfKQhW.mp4", lpString2="Program Files") returned -1 [0158.247] lstrcmpiW (lpString1="gPyfKQhW.mp4", lpString2="Program Files (x86)") returned -1 [0158.247] lstrcmpiW (lpString1="gPyfKQhW.mp4", lpString2="$Recycle.bin") returned 1 [0158.247] lstrcmpiW (lpString1="gPyfKQhW.mp4", lpString2="System Volume Information") returned -1 [0158.247] lstrcmpiW (lpString1="gPyfKQhW.mp4", lpString2=".") returned 1 [0158.247] lstrcmpiW (lpString1="gPyfKQhW.mp4", lpString2="..") returned 1 [0158.247] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\gPyfKQhW.mp4") returned 53 [0158.247] lstrcmpW (lpString1="gPyfKQhW.mp4", lpString2="PUSSY.TXT") returned -1 [0158.247] PathFindExtensionW (pszPath="gPyfKQhW.mp4") returned=".mp4" [0158.247] lstrlenW (lpString=".mp4") returned 4 [0158.247] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0158.247] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\gPyfKQhW.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\gpyfkqhw.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x124 [0158.248] GetFileSizeEx (in: hFile=0x124, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=93835) returned 1 [0158.248] GetProcessHeap () returned 0x4c0000 [0158.248] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0158.260] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="98") returned 2 [0158.260] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="41") returned 2 [0158.260] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="D8") returned 2 [0158.260] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="AA") returned 2 [0158.260] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="FC") returned 2 [0158.260] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="EC") returned 2 [0158.260] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="E8") returned 2 [0158.260] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="6A") returned 2 [0158.260] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="0D") returned 2 [0158.260] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="F5") returned 2 [0158.260] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="23") returned 2 [0158.260] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="13") returned 2 [0158.260] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="87") returned 2 [0158.261] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="E5") returned 2 [0158.261] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="45") returned 2 [0158.261] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="9C") returned 2 [0158.261] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="08") returned 2 [0158.261] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="FB") returned 2 [0158.261] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="49") returned 2 [0158.261] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="1B") returned 2 [0158.261] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="57") returned 2 [0158.261] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="BF") returned 2 [0158.261] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="2F") returned 2 [0158.261] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="8B") returned 2 [0158.261] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="01") returned 2 [0158.261] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="5E") returned 2 [0158.261] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="37") returned 2 [0158.261] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="F7") returned 2 [0158.261] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="CF") returned 2 [0158.261] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="3B") returned 2 [0158.261] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="2B") returned 2 [0158.261] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="26") returned 2 [0158.273] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\gPyfKQhW.mp4" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\gPyfKQhW.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\gPyfKQhW.mp4" [0158.273] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\gPyfKQhW.mp4" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\gPyfKQhW.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\gPyfKQhW.mp4" [0158.273] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\gPyfKQhW.mp4", lpString2=".9841D8AAFCECE86A0DF5231387E5459C08FB491B57BF2F8B015E37F7CF3B2B26" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\gPyfKQhW.mp4.9841D8AAFCECE86A0DF5231387E5459C08FB491B57BF2F8B015E37F7CF3B2B26") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\gPyfKQhW.mp4.9841D8AAFCECE86A0DF5231387E5459C08FB491B57BF2F8B015E37F7CF3B2B26" [0158.273] CreateIoCompletionPort (FileHandle=0x124, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0158.273] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0158.319] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ddd01d0, ftCreationTime.dwHighDateTime=0x1d5e692, ftLastAccessTime.dwLowDateTime=0x214e8940, ftLastAccessTime.dwHighDateTime=0x1d5e186, ftLastWriteTime.dwLowDateTime=0x214e8940, ftLastWriteTime.dwHighDateTime=0x1d5e186, nFileSizeHigh=0x0, nFileSizeLow=0x4183, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MVSVc7SIy.mp4", cAlternateFileName="MVSVC7~1.MP4")) returned 1 [0158.319] lstrcmpiW (lpString1="MVSVc7SIy.mp4", lpString2="Windows") returned -1 [0158.319] lstrcmpiW (lpString1="MVSVc7SIy.mp4", lpString2="Program Files") returned -1 [0158.319] lstrcmpiW (lpString1="MVSVc7SIy.mp4", lpString2="Program Files (x86)") returned -1 [0158.319] lstrcmpiW (lpString1="MVSVc7SIy.mp4", lpString2="$Recycle.bin") returned 1 [0158.319] lstrcmpiW (lpString1="MVSVc7SIy.mp4", lpString2="System Volume Information") returned -1 [0158.319] lstrcmpiW (lpString1="MVSVc7SIy.mp4", lpString2=".") returned 1 [0158.319] lstrcmpiW (lpString1="MVSVc7SIy.mp4", lpString2="..") returned 1 [0158.319] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\MVSVc7SIy.mp4") returned 54 [0158.319] lstrcmpW (lpString1="MVSVc7SIy.mp4", lpString2="PUSSY.TXT") returned -1 [0158.319] PathFindExtensionW (pszPath="MVSVc7SIy.mp4") returned=".mp4" [0158.319] lstrlenW (lpString=".mp4") returned 4 [0158.319] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0158.319] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\MVSVc7SIy.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\mvsvc7siy.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x124 [0158.320] GetFileSizeEx (in: hFile=0x124, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=16771) returned 1 [0158.320] GetProcessHeap () returned 0x4c0000 [0158.320] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0158.332] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="EA") returned 2 [0158.332] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="DC") returned 2 [0158.332] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="47") returned 2 [0158.332] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="01") returned 2 [0158.332] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="A8") returned 2 [0158.332] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="13") returned 2 [0158.332] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="E7") returned 2 [0158.332] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="98") returned 2 [0158.332] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="63") returned 2 [0158.332] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="D5") returned 2 [0158.332] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="2E") returned 2 [0158.333] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="93") returned 2 [0158.333] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="8A") returned 2 [0158.333] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="F5") returned 2 [0158.333] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="67") returned 2 [0158.333] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="49") returned 2 [0158.333] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="C4") returned 2 [0158.333] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="0F") returned 2 [0158.333] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="30") returned 2 [0158.333] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="00") returned 2 [0158.333] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="7E") returned 2 [0158.333] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="59") returned 2 [0158.333] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="73") returned 2 [0158.333] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="97") returned 2 [0158.333] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="56") returned 2 [0158.333] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="9A") returned 2 [0158.333] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="29") returned 2 [0158.333] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="8F") returned 2 [0158.333] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="4D") returned 2 [0158.333] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="76") returned 2 [0158.333] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="D6") returned 2 [0158.333] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="0D") returned 2 [0158.345] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\MVSVc7SIy.mp4" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\MVSVc7SIy.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\MVSVc7SIy.mp4" [0158.345] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\MVSVc7SIy.mp4" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\MVSVc7SIy.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\MVSVc7SIy.mp4" [0158.345] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\MVSVc7SIy.mp4", lpString2=".EADC4701A813E79863D52E938AF56749C40F30007E597397569A298F4D76D60D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\MVSVc7SIy.mp4.EADC4701A813E79863D52E938AF56749C40F30007E597397569A298F4D76D60D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\MVSVc7SIy.mp4.EADC4701A813E79863D52E938AF56749C40F30007E597397569A298F4D76D60D" [0158.345] CreateIoCompletionPort (FileHandle=0x124, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0158.345] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0158.371] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79f552f0, ftCreationTime.dwHighDateTime=0x1d5e63a, ftLastAccessTime.dwLowDateTime=0xacf28d10, ftLastAccessTime.dwHighDateTime=0x1d5e5a1, ftLastWriteTime.dwLowDateTime=0xacf28d10, ftLastWriteTime.dwHighDateTime=0x1d5e5a1, nFileSizeHigh=0x0, nFileSizeLow=0xa97, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="NVFJq19nmq29JD.mp4", cAlternateFileName="NVFJQ1~1.MP4")) returned 1 [0158.371] lstrcmpiW (lpString1="NVFJq19nmq29JD.mp4", lpString2="Windows") returned -1 [0158.371] lstrcmpiW (lpString1="NVFJq19nmq29JD.mp4", lpString2="Program Files") returned -1 [0158.371] lstrcmpiW (lpString1="NVFJq19nmq29JD.mp4", lpString2="Program Files (x86)") returned -1 [0158.371] lstrcmpiW (lpString1="NVFJq19nmq29JD.mp4", lpString2="$Recycle.bin") returned 1 [0158.371] lstrcmpiW (lpString1="NVFJq19nmq29JD.mp4", lpString2="System Volume Information") returned -1 [0158.371] lstrcmpiW (lpString1="NVFJq19nmq29JD.mp4", lpString2=".") returned 1 [0158.371] lstrcmpiW (lpString1="NVFJq19nmq29JD.mp4", lpString2="..") returned 1 [0158.371] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\NVFJq19nmq29JD.mp4") returned 59 [0158.371] lstrcmpW (lpString1="NVFJq19nmq29JD.mp4", lpString2="PUSSY.TXT") returned -1 [0158.371] PathFindExtensionW (pszPath="NVFJq19nmq29JD.mp4") returned=".mp4" [0158.372] lstrlenW (lpString=".mp4") returned 4 [0158.372] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0158.372] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\NVFJq19nmq29JD.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\nvfjq19nmq29jd.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x124 [0158.373] GetFileSizeEx (in: hFile=0x124, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=2711) returned 1 [0158.373] GetProcessHeap () returned 0x4c0000 [0158.373] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0158.385] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="32") returned 2 [0158.385] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="CF") returned 2 [0158.385] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="CD") returned 2 [0158.385] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="DE") returned 2 [0158.385] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="7A") returned 2 [0158.385] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="EE") returned 2 [0158.385] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="81") returned 2 [0158.385] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="63") returned 2 [0158.385] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="EF") returned 2 [0158.385] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="03") returned 2 [0158.385] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="16") returned 2 [0158.385] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="E1") returned 2 [0158.385] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="5F") returned 2 [0158.385] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="41") returned 2 [0158.385] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="35") returned 2 [0158.385] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="24") returned 2 [0158.385] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="21") returned 2 [0158.385] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="B8") returned 2 [0158.385] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="BD") returned 2 [0158.385] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="C9") returned 2 [0158.385] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="E6") returned 2 [0158.385] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="15") returned 2 [0158.385] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="36") returned 2 [0158.385] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="E1") returned 2 [0158.385] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="01") returned 2 [0158.385] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="32") returned 2 [0158.385] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="BD") returned 2 [0158.385] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="59") returned 2 [0158.386] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="63") returned 2 [0158.386] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="65") returned 2 [0158.386] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="0E") returned 2 [0158.386] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="10") returned 2 [0158.397] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\NVFJq19nmq29JD.mp4" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\NVFJq19nmq29JD.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\NVFJq19nmq29JD.mp4" [0158.397] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\NVFJq19nmq29JD.mp4" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\NVFJq19nmq29JD.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\NVFJq19nmq29JD.mp4" [0158.397] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\NVFJq19nmq29JD.mp4", lpString2=".32CFCDDE7AEE8163EF0316E15F41352421B8BDC9E61536E10132BD5963650E10" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\NVFJq19nmq29JD.mp4.32CFCDDE7AEE8163EF0316E15F41352421B8BDC9E61536E10132BD5963650E10") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\NVFJq19nmq29JD.mp4.32CFCDDE7AEE8163EF0316E15F41352421B8BDC9E61536E10132BD5963650E10" [0158.397] CreateIoCompletionPort (FileHandle=0x124, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0158.397] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0158.409] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca92bbe0, ftCreationTime.dwHighDateTime=0x1d5dfe0, ftLastAccessTime.dwLowDateTime=0x3d346f50, ftLastAccessTime.dwHighDateTime=0x1d5d81f, ftLastWriteTime.dwLowDateTime=0x3d346f50, ftLastWriteTime.dwHighDateTime=0x1d5d81f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PC2jgCOVtBpyatg1ezC", cAlternateFileName="PC2JGC~1")) returned 1 [0158.409] lstrcmpiW (lpString1="PC2jgCOVtBpyatg1ezC", lpString2="Windows") returned -1 [0158.409] lstrcmpiW (lpString1="PC2jgCOVtBpyatg1ezC", lpString2="Program Files") returned -1 [0158.409] lstrcmpiW (lpString1="PC2jgCOVtBpyatg1ezC", lpString2="Program Files (x86)") returned -1 [0158.409] lstrcmpiW (lpString1="PC2jgCOVtBpyatg1ezC", lpString2="$Recycle.bin") returned 1 [0158.409] lstrcmpiW (lpString1="PC2jgCOVtBpyatg1ezC", lpString2="System Volume Information") returned -1 [0158.409] lstrcmpiW (lpString1="PC2jgCOVtBpyatg1ezC", lpString2=".") returned 1 [0158.409] lstrcmpiW (lpString1="PC2jgCOVtBpyatg1ezC", lpString2="..") returned 1 [0158.409] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC") returned 60 [0158.409] GetProcessHeap () returned 0x4c0000 [0158.409] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0158.409] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC" [0158.409] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\*" [0158.409] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca92bbe0, ftCreationTime.dwHighDateTime=0x1d5dfe0, ftLastAccessTime.dwLowDateTime=0x3d346f50, ftLastAccessTime.dwHighDateTime=0x1d5d81f, ftLastWriteTime.dwLowDateTime=0x3d346f50, ftLastWriteTime.dwHighDateTime=0x1d5d81f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0158.409] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0158.409] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0158.409] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0158.410] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0158.410] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0158.410] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0158.410] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca92bbe0, ftCreationTime.dwHighDateTime=0x1d5dfe0, ftLastAccessTime.dwLowDateTime=0x3d346f50, ftLastAccessTime.dwHighDateTime=0x1d5d81f, ftLastWriteTime.dwLowDateTime=0x3d346f50, ftLastWriteTime.dwHighDateTime=0x1d5d81f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0158.410] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0158.410] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0158.410] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0158.410] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0158.410] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0158.410] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0158.410] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0158.410] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x76c61e20, ftCreationTime.dwHighDateTime=0x1d5e17b, ftLastAccessTime.dwLowDateTime=0xd522640, ftLastAccessTime.dwHighDateTime=0x1d5dd99, ftLastWriteTime.dwLowDateTime=0xd522640, ftLastWriteTime.dwHighDateTime=0x1d5dd99, nFileSizeHigh=0x0, nFileSizeLow=0x2ef4, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="-aDcN73SPkoNchDDC.mkv", cAlternateFileName="-ADCN7~1.MKV")) returned 1 [0158.410] lstrcmpiW (lpString1="-aDcN73SPkoNchDDC.mkv", lpString2="Windows") returned -1 [0158.410] lstrcmpiW (lpString1="-aDcN73SPkoNchDDC.mkv", lpString2="Program Files") returned -1 [0158.410] lstrcmpiW (lpString1="-aDcN73SPkoNchDDC.mkv", lpString2="Program Files (x86)") returned -1 [0158.410] lstrcmpiW (lpString1="-aDcN73SPkoNchDDC.mkv", lpString2="$Recycle.bin") returned 1 [0158.410] lstrcmpiW (lpString1="-aDcN73SPkoNchDDC.mkv", lpString2="System Volume Information") returned -1 [0158.410] lstrcmpiW (lpString1="-aDcN73SPkoNchDDC.mkv", lpString2=".") returned 1 [0158.410] lstrcmpiW (lpString1="-aDcN73SPkoNchDDC.mkv", lpString2="..") returned 1 [0158.410] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\-aDcN73SPkoNchDDC.mkv") returned 82 [0158.410] lstrcmpW (lpString1="-aDcN73SPkoNchDDC.mkv", lpString2="PUSSY.TXT") returned -1 [0158.410] PathFindExtensionW (pszPath="-aDcN73SPkoNchDDC.mkv") returned=".mkv" [0158.410] lstrlenW (lpString=".mkv") returned 4 [0158.410] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0158.410] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\-aDcN73SPkoNchDDC.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\-adcn73spkonchddc.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0158.412] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=12020) returned 1 [0158.412] GetProcessHeap () returned 0x4c0000 [0158.412] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0158.424] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="C5") returned 2 [0158.424] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="08") returned 2 [0158.424] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="D0") returned 2 [0158.424] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="2A") returned 2 [0158.424] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="53") returned 2 [0158.424] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="61") returned 2 [0158.424] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="F5") returned 2 [0158.424] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="54") returned 2 [0158.424] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="78") returned 2 [0158.424] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="6E") returned 2 [0158.424] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="2A") returned 2 [0158.424] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="24") returned 2 [0158.424] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="D4") returned 2 [0158.424] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="F8") returned 2 [0158.424] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="A0") returned 2 [0158.425] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="4F") returned 2 [0158.425] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="E4") returned 2 [0158.425] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="92") returned 2 [0158.425] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="BF") returned 2 [0158.425] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="7E") returned 2 [0158.425] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="D4") returned 2 [0158.425] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="FF") returned 2 [0158.425] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="6B") returned 2 [0158.425] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="34") returned 2 [0158.425] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="FD") returned 2 [0158.425] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="8C") returned 2 [0158.425] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="56") returned 2 [0158.425] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="9D") returned 2 [0158.425] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="E7") returned 2 [0158.425] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="F7") returned 2 [0158.425] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="CC") returned 2 [0158.425] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="7C") returned 2 [0158.436] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\-aDcN73SPkoNchDDC.mkv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\-aDcN73SPkoNchDDC.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\-aDcN73SPkoNchDDC.mkv" [0158.436] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\-aDcN73SPkoNchDDC.mkv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\-aDcN73SPkoNchDDC.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\-aDcN73SPkoNchDDC.mkv" [0158.436] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\-aDcN73SPkoNchDDC.mkv", lpString2=".C508D02A5361F554786E2A24D4F8A04FE492BF7ED4FF6B34FD8C569DE7F7CC7C" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\-aDcN73SPkoNchDDC.mkv.C508D02A5361F554786E2A24D4F8A04FE492BF7ED4FF6B34FD8C569DE7F7CC7C") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\-aDcN73SPkoNchDDC.mkv.C508D02A5361F554786E2A24D4F8A04FE492BF7ED4FF6B34FD8C569DE7F7CC7C" [0158.437] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0158.437] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0158.457] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34df4db0, ftCreationTime.dwHighDateTime=0x1d5daf5, ftLastAccessTime.dwLowDateTime=0x97cf1910, ftLastAccessTime.dwHighDateTime=0x1d5e53f, ftLastWriteTime.dwLowDateTime=0x97cf1910, ftLastWriteTime.dwHighDateTime=0x1d5e53f, nFileSizeHigh=0x0, nFileSizeLow=0x1e39, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="5g4AdtfyonV.mp4", cAlternateFileName="5G4ADT~1.MP4")) returned 1 [0158.457] lstrcmpiW (lpString1="5g4AdtfyonV.mp4", lpString2="Windows") returned -1 [0158.457] lstrcmpiW (lpString1="5g4AdtfyonV.mp4", lpString2="Program Files") returned -1 [0158.457] lstrcmpiW (lpString1="5g4AdtfyonV.mp4", lpString2="Program Files (x86)") returned -1 [0158.457] lstrcmpiW (lpString1="5g4AdtfyonV.mp4", lpString2="$Recycle.bin") returned 1 [0158.457] lstrcmpiW (lpString1="5g4AdtfyonV.mp4", lpString2="System Volume Information") returned -1 [0158.457] lstrcmpiW (lpString1="5g4AdtfyonV.mp4", lpString2=".") returned 1 [0158.457] lstrcmpiW (lpString1="5g4AdtfyonV.mp4", lpString2="..") returned 1 [0158.457] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\5g4AdtfyonV.mp4") returned 76 [0158.457] lstrcmpW (lpString1="5g4AdtfyonV.mp4", lpString2="PUSSY.TXT") returned -1 [0158.457] PathFindExtensionW (pszPath="5g4AdtfyonV.mp4") returned=".mp4" [0158.457] lstrlenW (lpString=".mp4") returned 4 [0158.458] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0158.458] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\5g4AdtfyonV.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\5g4adtfyonv.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0158.459] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=7737) returned 1 [0158.459] GetProcessHeap () returned 0x4c0000 [0158.459] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0158.471] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="5E") returned 2 [0158.471] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="1B") returned 2 [0158.471] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="1D") returned 2 [0158.471] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="E9") returned 2 [0158.471] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="4E") returned 2 [0158.471] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="A2") returned 2 [0158.471] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="20") returned 2 [0158.471] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="74") returned 2 [0158.471] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="C4") returned 2 [0158.471] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="0A") returned 2 [0158.471] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="ED") returned 2 [0158.471] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="A1") returned 2 [0158.472] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="91") returned 2 [0158.472] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="E1") returned 2 [0158.472] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="DC") returned 2 [0158.472] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="88") returned 2 [0158.472] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="A0") returned 2 [0158.472] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="C4") returned 2 [0158.472] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="D1") returned 2 [0158.472] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="33") returned 2 [0158.472] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="5E") returned 2 [0158.472] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="A2") returned 2 [0158.472] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="8C") returned 2 [0158.472] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="B7") returned 2 [0158.472] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="F5") returned 2 [0158.472] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="AC") returned 2 [0158.472] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="A0") returned 2 [0158.472] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="93") returned 2 [0158.472] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="2D") returned 2 [0158.472] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="EE") returned 2 [0158.472] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="AA") returned 2 [0158.472] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="25") returned 2 [0158.484] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\5g4AdtfyonV.mp4" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\5g4AdtfyonV.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\5g4AdtfyonV.mp4" [0158.484] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\5g4AdtfyonV.mp4" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\5g4AdtfyonV.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\5g4AdtfyonV.mp4" [0158.484] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\5g4AdtfyonV.mp4", lpString2=".5E1B1DE94EA22074C40AEDA191E1DC88A0C4D1335EA28CB7F5ACA0932DEEAA25" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\5g4AdtfyonV.mp4.5E1B1DE94EA22074C40AEDA191E1DC88A0C4D1335EA28CB7F5ACA0932DEEAA25") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\5g4AdtfyonV.mp4.5E1B1DE94EA22074C40AEDA191E1DC88A0C4D1335EA28CB7F5ACA0932DEEAA25" [0158.484] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0158.484] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0158.495] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3bc09fc0, ftCreationTime.dwHighDateTime=0x1d5e1fe, ftLastAccessTime.dwLowDateTime=0x2c455e80, ftLastAccessTime.dwHighDateTime=0x1d5dfc6, ftLastWriteTime.dwLowDateTime=0x2c455e80, ftLastWriteTime.dwHighDateTime=0x1d5dfc6, nFileSizeHigh=0x0, nFileSizeLow=0x18fe8, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="hdDgWR1YXQc.avi", cAlternateFileName="HDDGWR~1.AVI")) returned 1 [0158.495] lstrcmpiW (lpString1="hdDgWR1YXQc.avi", lpString2="Windows") returned -1 [0158.495] lstrcmpiW (lpString1="hdDgWR1YXQc.avi", lpString2="Program Files") returned -1 [0158.495] lstrcmpiW (lpString1="hdDgWR1YXQc.avi", lpString2="Program Files (x86)") returned -1 [0158.495] lstrcmpiW (lpString1="hdDgWR1YXQc.avi", lpString2="$Recycle.bin") returned 1 [0158.495] lstrcmpiW (lpString1="hdDgWR1YXQc.avi", lpString2="System Volume Information") returned -1 [0158.495] lstrcmpiW (lpString1="hdDgWR1YXQc.avi", lpString2=".") returned 1 [0158.495] lstrcmpiW (lpString1="hdDgWR1YXQc.avi", lpString2="..") returned 1 [0158.495] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\hdDgWR1YXQc.avi") returned 76 [0158.495] lstrcmpW (lpString1="hdDgWR1YXQc.avi", lpString2="PUSSY.TXT") returned -1 [0158.495] PathFindExtensionW (pszPath="hdDgWR1YXQc.avi") returned=".avi" [0158.495] lstrlenW (lpString=".avi") returned 4 [0158.495] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0158.495] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\hdDgWR1YXQc.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\hddgwr1yxqc.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0158.504] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=102376) returned 1 [0158.504] GetProcessHeap () returned 0x4c0000 [0158.504] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0158.516] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="49") returned 2 [0158.516] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="CE") returned 2 [0158.516] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="38") returned 2 [0158.516] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="64") returned 2 [0158.516] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="02") returned 2 [0158.516] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="0C") returned 2 [0158.516] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="00") returned 2 [0158.516] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="AB") returned 2 [0158.516] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="40") returned 2 [0158.516] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="AB") returned 2 [0158.516] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="14") returned 2 [0158.516] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="F7") returned 2 [0158.516] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="1A") returned 2 [0158.516] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="DD") returned 2 [0158.516] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="A7") returned 2 [0158.516] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="3E") returned 2 [0158.516] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="16") returned 2 [0158.516] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="E9") returned 2 [0158.516] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="74") returned 2 [0158.516] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="36") returned 2 [0158.516] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="EA") returned 2 [0158.516] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="B1") returned 2 [0158.516] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="6E") returned 2 [0158.516] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="4C") returned 2 [0158.516] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="D4") returned 2 [0158.516] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="13") returned 2 [0158.517] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="34") returned 2 [0158.517] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="A6") returned 2 [0158.517] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="5E") returned 2 [0158.517] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="5D") returned 2 [0158.517] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="A7") returned 2 [0158.517] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="14") returned 2 [0158.529] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\hdDgWR1YXQc.avi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\hdDgWR1YXQc.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\hdDgWR1YXQc.avi" [0158.530] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\hdDgWR1YXQc.avi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\hdDgWR1YXQc.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\hdDgWR1YXQc.avi" [0158.530] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\hdDgWR1YXQc.avi", lpString2=".49CE3864020C00AB40AB14F71ADDA73E16E97436EAB16E4CD41334A65E5DA714" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\hdDgWR1YXQc.avi.49CE3864020C00AB40AB14F71ADDA73E16E97436EAB16E4CD41334A65E5DA714") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\hdDgWR1YXQc.avi.49CE3864020C00AB40AB14F71ADDA73E16E97436EAB16E4CD41334A65E5DA714" [0158.530] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0158.530] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0158.578] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31f39410, ftCreationTime.dwHighDateTime=0x1d5d8b3, ftLastAccessTime.dwLowDateTime=0x9ee33530, ftLastAccessTime.dwHighDateTime=0x1d5dad4, ftLastWriteTime.dwLowDateTime=0x9ee33530, ftLastWriteTime.dwHighDateTime=0x1d5dad4, nFileSizeHigh=0x0, nFileSizeLow=0x10397, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="J2yK.mkv", cAlternateFileName="")) returned 1 [0158.578] lstrcmpiW (lpString1="J2yK.mkv", lpString2="Windows") returned -1 [0158.578] lstrcmpiW (lpString1="J2yK.mkv", lpString2="Program Files") returned -1 [0158.578] lstrcmpiW (lpString1="J2yK.mkv", lpString2="Program Files (x86)") returned -1 [0158.578] lstrcmpiW (lpString1="J2yK.mkv", lpString2="$Recycle.bin") returned 1 [0158.578] lstrcmpiW (lpString1="J2yK.mkv", lpString2="System Volume Information") returned -1 [0158.578] lstrcmpiW (lpString1="J2yK.mkv", lpString2=".") returned 1 [0158.579] lstrcmpiW (lpString1="J2yK.mkv", lpString2="..") returned 1 [0158.579] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\J2yK.mkv") returned 69 [0158.579] lstrcmpW (lpString1="J2yK.mkv", lpString2="PUSSY.TXT") returned -1 [0158.579] PathFindExtensionW (pszPath="J2yK.mkv") returned=".mkv" [0158.579] lstrlenW (lpString=".mkv") returned 4 [0158.579] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0158.579] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\J2yK.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\j2yk.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0158.580] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=66455) returned 1 [0158.580] GetProcessHeap () returned 0x4c0000 [0158.580] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0158.592] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="BC") returned 2 [0158.592] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="27") returned 2 [0158.592] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="98") returned 2 [0158.592] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="5B") returned 2 [0158.592] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="7E") returned 2 [0158.592] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="83") returned 2 [0158.592] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="19") returned 2 [0158.592] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="56") returned 2 [0158.592] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="18") returned 2 [0158.592] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="A8") returned 2 [0158.592] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="BC") returned 2 [0158.592] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="FD") returned 2 [0158.592] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="21") returned 2 [0158.592] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="BB") returned 2 [0158.592] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="94") returned 2 [0158.592] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="D2") returned 2 [0158.592] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="E0") returned 2 [0158.593] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="3D") returned 2 [0158.593] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="5A") returned 2 [0158.593] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="75") returned 2 [0158.593] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="0E") returned 2 [0158.593] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="46") returned 2 [0158.593] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="D2") returned 2 [0158.593] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="96") returned 2 [0158.593] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="D9") returned 2 [0158.593] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="09") returned 2 [0158.593] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="18") returned 2 [0158.593] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="3C") returned 2 [0158.593] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="63") returned 2 [0158.593] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="11") returned 2 [0158.593] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="35") returned 2 [0158.593] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="09") returned 2 [0158.607] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\J2yK.mkv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\J2yK.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\J2yK.mkv" [0158.607] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\J2yK.mkv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\J2yK.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\J2yK.mkv" [0158.607] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\J2yK.mkv", lpString2=".BC27985B7E83195618A8BCFD21BB94D2E03D5A750E46D296D909183C63113509" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\J2yK.mkv.BC27985B7E83195618A8BCFD21BB94D2E03D5A750E46D296D909183C63113509") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\J2yK.mkv.BC27985B7E83195618A8BCFD21BB94D2E03D5A750E46D296D909183C63113509" [0158.607] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0158.608] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0158.653] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a5702b0, ftCreationTime.dwHighDateTime=0x1d5da25, ftLastAccessTime.dwLowDateTime=0x86fd450, ftLastAccessTime.dwHighDateTime=0x1d5db79, ftLastWriteTime.dwLowDateTime=0x86fd450, ftLastWriteTime.dwHighDateTime=0x1d5db79, nFileSizeHigh=0x0, nFileSizeLow=0x5b43, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="JGKa1oEpsvS.swf", cAlternateFileName="JGKA1O~1.SWF")) returned 1 [0158.653] lstrcmpiW (lpString1="JGKa1oEpsvS.swf", lpString2="Windows") returned -1 [0158.654] lstrcmpiW (lpString1="JGKa1oEpsvS.swf", lpString2="Program Files") returned -1 [0158.654] lstrcmpiW (lpString1="JGKa1oEpsvS.swf", lpString2="Program Files (x86)") returned -1 [0158.654] lstrcmpiW (lpString1="JGKa1oEpsvS.swf", lpString2="$Recycle.bin") returned 1 [0158.654] lstrcmpiW (lpString1="JGKa1oEpsvS.swf", lpString2="System Volume Information") returned -1 [0158.654] lstrcmpiW (lpString1="JGKa1oEpsvS.swf", lpString2=".") returned 1 [0158.654] lstrcmpiW (lpString1="JGKa1oEpsvS.swf", lpString2="..") returned 1 [0158.654] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\JGKa1oEpsvS.swf") returned 76 [0158.654] lstrcmpW (lpString1="JGKa1oEpsvS.swf", lpString2="PUSSY.TXT") returned -1 [0158.654] PathFindExtensionW (pszPath="JGKa1oEpsvS.swf") returned=".swf" [0158.654] lstrlenW (lpString=".swf") returned 4 [0158.654] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0158.654] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\JGKa1oEpsvS.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\jgka1oepsvs.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0158.655] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=23363) returned 1 [0158.655] GetProcessHeap () returned 0x4c0000 [0158.655] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0158.668] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="01") returned 2 [0158.668] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="F8") returned 2 [0158.668] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="6C") returned 2 [0158.668] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="EB") returned 2 [0158.668] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="B2") returned 2 [0158.668] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="62") returned 2 [0158.668] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="61") returned 2 [0158.668] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="B3") returned 2 [0158.668] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="59") returned 2 [0158.668] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="BC") returned 2 [0158.668] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="90") returned 2 [0158.668] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="FE") returned 2 [0158.668] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="31") returned 2 [0158.668] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="58") returned 2 [0158.668] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="CC") returned 2 [0158.668] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="3C") returned 2 [0158.668] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="6F") returned 2 [0158.668] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="77") returned 2 [0158.668] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="9B") returned 2 [0158.668] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="89") returned 2 [0158.668] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="D3") returned 2 [0158.668] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="3C") returned 2 [0158.668] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="43") returned 2 [0158.668] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="B2") returned 2 [0158.668] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="82") returned 2 [0158.669] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="97") returned 2 [0158.669] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="08") returned 2 [0158.669] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="BB") returned 2 [0158.669] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="60") returned 2 [0158.669] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="FE") returned 2 [0158.669] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="F4") returned 2 [0158.669] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="0E") returned 2 [0158.682] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\JGKa1oEpsvS.swf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\JGKa1oEpsvS.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\JGKa1oEpsvS.swf" [0158.682] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\JGKa1oEpsvS.swf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\JGKa1oEpsvS.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\JGKa1oEpsvS.swf" [0158.682] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\JGKa1oEpsvS.swf", lpString2=".01F86CEBB26261B359BC90FE3158CC3C6F779B89D33C43B2829708BB60FEF40E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\JGKa1oEpsvS.swf.01F86CEBB26261B359BC90FE3158CC3C6F779B89D33C43B2829708BB60FEF40E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\JGKa1oEpsvS.swf.01F86CEBB26261B359BC90FE3158CC3C6F779B89D33C43B2829708BB60FEF40E" [0158.682] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0158.682] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0158.716] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29b28ac0, ftCreationTime.dwHighDateTime=0x1d5e02b, ftLastAccessTime.dwLowDateTime=0x3268acc0, ftLastAccessTime.dwHighDateTime=0x1d5d8a2, ftLastWriteTime.dwLowDateTime=0x3268acc0, ftLastWriteTime.dwHighDateTime=0x1d5d8a2, nFileSizeHigh=0x0, nFileSizeLow=0x6438, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="LQF0PGC57Cmaizj-b0q.mkv", cAlternateFileName="LQF0PG~1.MKV")) returned 1 [0158.717] lstrcmpiW (lpString1="LQF0PGC57Cmaizj-b0q.mkv", lpString2="Windows") returned -1 [0158.717] lstrcmpiW (lpString1="LQF0PGC57Cmaizj-b0q.mkv", lpString2="Program Files") returned -1 [0158.717] lstrcmpiW (lpString1="LQF0PGC57Cmaizj-b0q.mkv", lpString2="Program Files (x86)") returned -1 [0158.717] lstrcmpiW (lpString1="LQF0PGC57Cmaizj-b0q.mkv", lpString2="$Recycle.bin") returned 1 [0158.717] lstrcmpiW (lpString1="LQF0PGC57Cmaizj-b0q.mkv", lpString2="System Volume Information") returned -1 [0158.717] lstrcmpiW (lpString1="LQF0PGC57Cmaizj-b0q.mkv", lpString2=".") returned 1 [0158.717] lstrcmpiW (lpString1="LQF0PGC57Cmaizj-b0q.mkv", lpString2="..") returned 1 [0158.717] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\LQF0PGC57Cmaizj-b0q.mkv") returned 84 [0158.717] lstrcmpW (lpString1="LQF0PGC57Cmaizj-b0q.mkv", lpString2="PUSSY.TXT") returned -1 [0158.717] PathFindExtensionW (pszPath="LQF0PGC57Cmaizj-b0q.mkv") returned=".mkv" [0158.717] lstrlenW (lpString=".mkv") returned 4 [0158.717] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0158.717] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\LQF0PGC57Cmaizj-b0q.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\lqf0pgc57cmaizj-b0q.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0158.718] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=25656) returned 1 [0158.718] GetProcessHeap () returned 0x4c0000 [0158.718] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0158.730] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="68") returned 2 [0158.730] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="BD") returned 2 [0158.730] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="78") returned 2 [0158.730] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="CA") returned 2 [0158.730] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="E5") returned 2 [0158.730] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="BF") returned 2 [0158.730] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="EC") returned 2 [0158.730] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="3B") returned 2 [0158.730] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="01") returned 2 [0158.730] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="02") returned 2 [0158.730] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="D9") returned 2 [0158.730] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="7C") returned 2 [0158.730] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="28") returned 2 [0158.730] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="21") returned 2 [0158.730] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="CF") returned 2 [0158.730] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="87") returned 2 [0158.730] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="00") returned 2 [0158.730] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="78") returned 2 [0158.730] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="2C") returned 2 [0158.730] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="E7") returned 2 [0158.730] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="BF") returned 2 [0158.730] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="71") returned 2 [0158.730] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="B6") returned 2 [0158.730] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="B0") returned 2 [0158.730] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="2F") returned 2 [0158.730] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="52") returned 2 [0158.730] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="08") returned 2 [0158.730] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="F4") returned 2 [0158.731] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="E4") returned 2 [0158.731] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="CC") returned 2 [0158.731] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="44") returned 2 [0158.731] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="67") returned 2 [0158.742] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\LQF0PGC57Cmaizj-b0q.mkv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\LQF0PGC57Cmaizj-b0q.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\LQF0PGC57Cmaizj-b0q.mkv" [0158.742] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\LQF0PGC57Cmaizj-b0q.mkv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\LQF0PGC57Cmaizj-b0q.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\LQF0PGC57Cmaizj-b0q.mkv" [0158.742] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\LQF0PGC57Cmaizj-b0q.mkv", lpString2=".68BD78CAE5BFEC3B0102D97C2821CF8700782CE7BF71B6B02F5208F4E4CC4467" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\LQF0PGC57Cmaizj-b0q.mkv.68BD78CAE5BFEC3B0102D97C2821CF8700782CE7BF71B6B02F5208F4E4CC4467") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\LQF0PGC57Cmaizj-b0q.mkv.68BD78CAE5BFEC3B0102D97C2821CF8700782CE7BF71B6B02F5208F4E4CC4467" [0158.742] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0158.742] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0158.779] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe5bfef60, ftCreationTime.dwHighDateTime=0x1d5e034, ftLastAccessTime.dwLowDateTime=0x73f8e220, ftLastAccessTime.dwHighDateTime=0x1d5ddfe, ftLastWriteTime.dwLowDateTime=0x73f8e220, ftLastWriteTime.dwHighDateTime=0x1d5ddfe, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="N9YU-4QR67BlXD", cAlternateFileName="N9YU-4~1")) returned 1 [0158.779] lstrcmpiW (lpString1="N9YU-4QR67BlXD", lpString2="Windows") returned -1 [0158.779] lstrcmpiW (lpString1="N9YU-4QR67BlXD", lpString2="Program Files") returned -1 [0158.779] lstrcmpiW (lpString1="N9YU-4QR67BlXD", lpString2="Program Files (x86)") returned -1 [0158.779] lstrcmpiW (lpString1="N9YU-4QR67BlXD", lpString2="$Recycle.bin") returned 1 [0158.779] lstrcmpiW (lpString1="N9YU-4QR67BlXD", lpString2="System Volume Information") returned -1 [0158.779] lstrcmpiW (lpString1="N9YU-4QR67BlXD", lpString2=".") returned 1 [0158.779] lstrcmpiW (lpString1="N9YU-4QR67BlXD", lpString2="..") returned 1 [0158.779] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD") returned 75 [0158.779] GetProcessHeap () returned 0x4c0000 [0158.779] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0158.780] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD" [0158.780] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\*" [0158.780] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe5bfef60, ftCreationTime.dwHighDateTime=0x1d5e034, ftLastAccessTime.dwLowDateTime=0x73f8e220, ftLastAccessTime.dwHighDateTime=0x1d5ddfe, ftLastWriteTime.dwLowDateTime=0x73f8e220, ftLastWriteTime.dwHighDateTime=0x1d5ddfe, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0158.780] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0158.780] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0158.780] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0158.780] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0158.780] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0158.780] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0158.780] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe5bfef60, ftCreationTime.dwHighDateTime=0x1d5e034, ftLastAccessTime.dwLowDateTime=0x73f8e220, ftLastAccessTime.dwHighDateTime=0x1d5ddfe, ftLastWriteTime.dwLowDateTime=0x73f8e220, ftLastWriteTime.dwHighDateTime=0x1d5ddfe, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0158.780] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0158.780] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0158.781] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0158.781] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0158.781] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0158.781] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0158.781] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0158.781] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8dc592b0, ftCreationTime.dwHighDateTime=0x1d5de3b, ftLastAccessTime.dwLowDateTime=0xb4005120, ftLastAccessTime.dwHighDateTime=0x1d5d884, ftLastWriteTime.dwLowDateTime=0xb4005120, ftLastWriteTime.dwHighDateTime=0x1d5d884, nFileSizeHigh=0x0, nFileSizeLow=0xacf7, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="60OhQ--5HxS9d-.swf", cAlternateFileName="60OHQ-~1.SWF")) returned 1 [0158.781] lstrcmpiW (lpString1="60OhQ--5HxS9d-.swf", lpString2="Windows") returned -1 [0158.781] lstrcmpiW (lpString1="60OhQ--5HxS9d-.swf", lpString2="Program Files") returned -1 [0158.781] lstrcmpiW (lpString1="60OhQ--5HxS9d-.swf", lpString2="Program Files (x86)") returned -1 [0158.781] lstrcmpiW (lpString1="60OhQ--5HxS9d-.swf", lpString2="$Recycle.bin") returned 1 [0158.781] lstrcmpiW (lpString1="60OhQ--5HxS9d-.swf", lpString2="System Volume Information") returned -1 [0158.781] lstrcmpiW (lpString1="60OhQ--5HxS9d-.swf", lpString2=".") returned 1 [0158.781] lstrcmpiW (lpString1="60OhQ--5HxS9d-.swf", lpString2="..") returned 1 [0158.781] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\60OhQ--5HxS9d-.swf") returned 94 [0158.781] lstrcmpW (lpString1="60OhQ--5HxS9d-.swf", lpString2="PUSSY.TXT") returned -1 [0158.781] PathFindExtensionW (pszPath="60OhQ--5HxS9d-.swf") returned=".swf" [0158.781] lstrlenW (lpString=".swf") returned 4 [0158.781] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0158.781] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\60OhQ--5HxS9d-.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\60ohq--5hxs9d-.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0158.782] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=44279) returned 1 [0158.782] GetProcessHeap () returned 0x4c0000 [0158.782] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0158.794] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="F3") returned 2 [0158.794] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="A1") returned 2 [0158.794] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="BA") returned 2 [0158.794] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="38") returned 2 [0158.794] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="30") returned 2 [0158.794] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="0C") returned 2 [0158.795] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="E9") returned 2 [0158.795] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="FC") returned 2 [0158.795] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="19") returned 2 [0158.795] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="B3") returned 2 [0158.795] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="E6") returned 2 [0158.795] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="E6") returned 2 [0158.795] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="BC") returned 2 [0158.795] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="4F") returned 2 [0158.795] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="6D") returned 2 [0158.795] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="B6") returned 2 [0158.795] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="21") returned 2 [0158.795] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="75") returned 2 [0158.795] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="CA") returned 2 [0158.795] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="05") returned 2 [0158.795] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="3C") returned 2 [0158.795] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="EC") returned 2 [0158.795] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="16") returned 2 [0158.795] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="42") returned 2 [0158.795] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="DF") returned 2 [0158.795] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="D4") returned 2 [0158.795] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="CF") returned 2 [0158.795] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="20") returned 2 [0158.795] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="DA") returned 2 [0158.795] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="06") returned 2 [0158.795] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="BA") returned 2 [0158.795] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="4A") returned 2 [0158.808] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\60OhQ--5HxS9d-.swf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\60OhQ--5HxS9d-.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\60OhQ--5HxS9d-.swf" [0158.808] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\60OhQ--5HxS9d-.swf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\60OhQ--5HxS9d-.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\60OhQ--5HxS9d-.swf" [0158.808] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\60OhQ--5HxS9d-.swf", lpString2=".F3A1BA38300CE9FC19B3E6E6BC4F6DB62175CA053CEC1642DFD4CF20DA06BA4A" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\60OhQ--5HxS9d-.swf.F3A1BA38300CE9FC19B3E6E6BC4F6DB62175CA053CEC1642DFD4CF20DA06BA4A") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\60OhQ--5HxS9d-.swf.F3A1BA38300CE9FC19B3E6E6BC4F6DB62175CA053CEC1642DFD4CF20DA06BA4A" [0158.808] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0158.808] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0158.849] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8502700, ftCreationTime.dwHighDateTime=0x1d5e553, ftLastAccessTime.dwLowDateTime=0x3396c210, ftLastAccessTime.dwHighDateTime=0x1d5e5bf, ftLastWriteTime.dwLowDateTime=0x3396c210, ftLastWriteTime.dwHighDateTime=0x1d5e5bf, nFileSizeHigh=0x0, nFileSizeLow=0x15033, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="a3aBkOAho3fZRpFt.mkv", cAlternateFileName="A3ABKO~1.MKV")) returned 1 [0158.849] lstrcmpiW (lpString1="a3aBkOAho3fZRpFt.mkv", lpString2="Windows") returned -1 [0158.849] lstrcmpiW (lpString1="a3aBkOAho3fZRpFt.mkv", lpString2="Program Files") returned -1 [0158.849] lstrcmpiW (lpString1="a3aBkOAho3fZRpFt.mkv", lpString2="Program Files (x86)") returned -1 [0158.849] lstrcmpiW (lpString1="a3aBkOAho3fZRpFt.mkv", lpString2="$Recycle.bin") returned 1 [0158.849] lstrcmpiW (lpString1="a3aBkOAho3fZRpFt.mkv", lpString2="System Volume Information") returned -1 [0158.849] lstrcmpiW (lpString1="a3aBkOAho3fZRpFt.mkv", lpString2=".") returned 1 [0158.849] lstrcmpiW (lpString1="a3aBkOAho3fZRpFt.mkv", lpString2="..") returned 1 [0158.849] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\a3aBkOAho3fZRpFt.mkv") returned 96 [0158.849] lstrcmpW (lpString1="a3aBkOAho3fZRpFt.mkv", lpString2="PUSSY.TXT") returned -1 [0158.849] PathFindExtensionW (pszPath="a3aBkOAho3fZRpFt.mkv") returned=".mkv" [0158.849] lstrlenW (lpString=".mkv") returned 4 [0158.849] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0158.849] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\a3aBkOAho3fZRpFt.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\a3abkoaho3fzrpft.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0158.851] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=86067) returned 1 [0158.851] GetProcessHeap () returned 0x4c0000 [0158.851] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0158.876] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="99") returned 2 [0158.876] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="4F") returned 2 [0158.876] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="6A") returned 2 [0158.876] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="1F") returned 2 [0158.876] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="E5") returned 2 [0158.876] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="D9") returned 2 [0158.876] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="03") returned 2 [0158.876] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="9F") returned 2 [0158.876] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="3A") returned 2 [0158.876] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="54") returned 2 [0158.876] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="AD") returned 2 [0158.876] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="14") returned 2 [0158.876] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="E1") returned 2 [0158.876] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="D4") returned 2 [0158.876] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="33") returned 2 [0158.876] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="97") returned 2 [0158.876] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="39") returned 2 [0158.876] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="B2") returned 2 [0158.876] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="70") returned 2 [0158.876] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="77") returned 2 [0158.876] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="FA") returned 2 [0158.877] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="27") returned 2 [0158.877] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="B8") returned 2 [0158.877] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="9E") returned 2 [0158.877] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="95") returned 2 [0158.877] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="4C") returned 2 [0158.877] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="D4") returned 2 [0158.877] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="F3") returned 2 [0158.877] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="2F") returned 2 [0158.877] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="5D") returned 2 [0158.877] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="31") returned 2 [0158.877] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="0F") returned 2 [0158.891] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\a3aBkOAho3fZRpFt.mkv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\a3aBkOAho3fZRpFt.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\a3aBkOAho3fZRpFt.mkv" [0158.891] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\a3aBkOAho3fZRpFt.mkv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\a3aBkOAho3fZRpFt.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\a3aBkOAho3fZRpFt.mkv" [0158.891] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\a3aBkOAho3fZRpFt.mkv", lpString2=".994F6A1FE5D9039F3A54AD14E1D4339739B27077FA27B89E954CD4F32F5D310F" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\a3aBkOAho3fZRpFt.mkv.994F6A1FE5D9039F3A54AD14E1D4339739B27077FA27B89E954CD4F32F5D310F") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\a3aBkOAho3fZRpFt.mkv.994F6A1FE5D9039F3A54AD14E1D4339739B27077FA27B89E954CD4F32F5D310F" [0158.891] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0158.891] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0158.933] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x931192e0, ftCreationTime.dwHighDateTime=0x1d5e1cf, ftLastAccessTime.dwLowDateTime=0xb0cb3aa0, ftLastAccessTime.dwHighDateTime=0x1d5dfd3, ftLastWriteTime.dwLowDateTime=0xb0cb3aa0, ftLastWriteTime.dwHighDateTime=0x1d5dfd3, nFileSizeHigh=0x0, nFileSizeLow=0x723f, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="a_nlvHX1KkINBy.swf", cAlternateFileName="A_NLVH~1.SWF")) returned 1 [0158.933] lstrcmpiW (lpString1="a_nlvHX1KkINBy.swf", lpString2="Windows") returned -1 [0158.933] lstrcmpiW (lpString1="a_nlvHX1KkINBy.swf", lpString2="Program Files") returned -1 [0158.933] lstrcmpiW (lpString1="a_nlvHX1KkINBy.swf", lpString2="Program Files (x86)") returned -1 [0158.933] lstrcmpiW (lpString1="a_nlvHX1KkINBy.swf", lpString2="$Recycle.bin") returned 1 [0158.933] lstrcmpiW (lpString1="a_nlvHX1KkINBy.swf", lpString2="System Volume Information") returned -1 [0158.933] lstrcmpiW (lpString1="a_nlvHX1KkINBy.swf", lpString2=".") returned 1 [0158.933] lstrcmpiW (lpString1="a_nlvHX1KkINBy.swf", lpString2="..") returned 1 [0158.933] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\a_nlvHX1KkINBy.swf") returned 94 [0158.933] lstrcmpW (lpString1="a_nlvHX1KkINBy.swf", lpString2="PUSSY.TXT") returned -1 [0158.933] PathFindExtensionW (pszPath="a_nlvHX1KkINBy.swf") returned=".swf" [0158.933] lstrlenW (lpString=".swf") returned 4 [0158.933] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0158.933] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\a_nlvHX1KkINBy.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\a_nlvhx1kkinby.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0158.935] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=29247) returned 1 [0158.935] GetProcessHeap () returned 0x4c0000 [0158.935] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x553b30 [0158.948] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="88") returned 2 [0158.948] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="54") returned 2 [0158.948] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="AE") returned 2 [0158.948] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="02") returned 2 [0158.948] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="F3") returned 2 [0158.948] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="D6") returned 2 [0158.948] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="0C") returned 2 [0158.948] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="EC") returned 2 [0158.948] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="A7") returned 2 [0158.948] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="04") returned 2 [0158.948] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="53") returned 2 [0158.948] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="C0") returned 2 [0158.948] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="54") returned 2 [0158.948] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="83") returned 2 [0158.948] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="61") returned 2 [0158.948] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="86") returned 2 [0158.948] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="65") returned 2 [0158.948] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="AE") returned 2 [0158.948] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="32") returned 2 [0158.948] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="88") returned 2 [0158.948] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="92") returned 2 [0158.948] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="2E") returned 2 [0158.948] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="DB") returned 2 [0158.949] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="2C") returned 2 [0158.949] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="76") returned 2 [0158.949] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="6E") returned 2 [0158.949] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="07") returned 2 [0158.949] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="3D") returned 2 [0158.949] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="37") returned 2 [0158.949] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="A6") returned 2 [0158.949] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="E8") returned 2 [0158.949] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="6C") returned 2 [0158.961] lstrcpyW (in: lpString1=0x563b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\a_nlvHX1KkINBy.swf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\a_nlvHX1KkINBy.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\a_nlvHX1KkINBy.swf" [0158.961] lstrcpyW (in: lpString1=0x553b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\a_nlvHX1KkINBy.swf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\a_nlvHX1KkINBy.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\a_nlvHX1KkINBy.swf" [0158.961] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\a_nlvHX1KkINBy.swf", lpString2=".8854AE02F3D60CECA70453C05483618665AE3288922EDB2C766E073D37A6E86C" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\a_nlvHX1KkINBy.swf.8854AE02F3D60CECA70453C05483618665AE3288922EDB2C766E073D37A6E86C") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\a_nlvHX1KkINBy.swf.8854AE02F3D60CECA70453C05483618665AE3288922EDB2C766E073D37A6E86C" [0158.961] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x553b30, NumberOfConcurrentThreads=0x0) returned 0x94 [0158.961] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x553b30, lpOverlapped=0x553b30) returned 1 [0159.021] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xacf41750, ftCreationTime.dwHighDateTime=0x1d5e79c, ftLastAccessTime.dwLowDateTime=0xe8b79f0, ftLastAccessTime.dwHighDateTime=0x1d5dd33, ftLastWriteTime.dwLowDateTime=0xe8b79f0, ftLastWriteTime.dwHighDateTime=0x1d5dd33, nFileSizeHigh=0x0, nFileSizeLow=0xf2e1, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="BAkA.mp4", cAlternateFileName="")) returned 1 [0159.021] lstrcmpiW (lpString1="BAkA.mp4", lpString2="Windows") returned -1 [0159.021] lstrcmpiW (lpString1="BAkA.mp4", lpString2="Program Files") returned -1 [0159.021] lstrcmpiW (lpString1="BAkA.mp4", lpString2="Program Files (x86)") returned -1 [0159.021] lstrcmpiW (lpString1="BAkA.mp4", lpString2="$Recycle.bin") returned 1 [0159.021] lstrcmpiW (lpString1="BAkA.mp4", lpString2="System Volume Information") returned -1 [0159.021] lstrcmpiW (lpString1="BAkA.mp4", lpString2=".") returned 1 [0159.021] lstrcmpiW (lpString1="BAkA.mp4", lpString2="..") returned 1 [0159.021] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\BAkA.mp4") returned 84 [0159.021] lstrcmpW (lpString1="BAkA.mp4", lpString2="PUSSY.TXT") returned -1 [0159.021] PathFindExtensionW (pszPath="BAkA.mp4") returned=".mp4" [0159.021] lstrlenW (lpString=".mp4") returned 4 [0159.022] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0159.022] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\BAkA.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\baka.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0159.023] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=62177) returned 1 [0159.023] GetProcessHeap () returned 0x4c0000 [0159.023] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0159.035] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="97") returned 2 [0159.035] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="F3") returned 2 [0159.035] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="B5") returned 2 [0159.035] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="79") returned 2 [0159.035] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="29") returned 2 [0159.035] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="9C") returned 2 [0159.035] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="BC") returned 2 [0159.036] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="EA") returned 2 [0159.036] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="36") returned 2 [0159.036] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="9C") returned 2 [0159.036] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="30") returned 2 [0159.036] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="55") returned 2 [0159.036] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="DF") returned 2 [0159.036] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="BB") returned 2 [0159.036] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="37") returned 2 [0159.036] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="2C") returned 2 [0159.036] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="AE") returned 2 [0159.036] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="99") returned 2 [0159.036] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="6F") returned 2 [0159.036] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="99") returned 2 [0159.036] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="C0") returned 2 [0159.036] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="E7") returned 2 [0159.036] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="70") returned 2 [0159.036] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="6D") returned 2 [0159.036] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="EF") returned 2 [0159.036] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="51") returned 2 [0159.036] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="C6") returned 2 [0159.036] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="42") returned 2 [0159.036] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="FB") returned 2 [0159.036] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="0F") returned 2 [0159.036] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="3E") returned 2 [0159.036] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="2E") returned 2 [0159.048] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\BAkA.mp4" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\BAkA.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\BAkA.mp4" [0159.048] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\BAkA.mp4" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\BAkA.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\BAkA.mp4" [0159.048] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\BAkA.mp4", lpString2=".97F3B579299CBCEA369C3055DFBB372CAE996F99C0E7706DEF51C642FB0F3E2E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\BAkA.mp4.97F3B579299CBCEA369C3055DFBB372CAE996F99C0E7706DEF51C642FB0F3E2E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\BAkA.mp4.97F3B579299CBCEA369C3055DFBB372CAE996F99C0E7706DEF51C642FB0F3E2E" [0159.049] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0159.049] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0159.100] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6bcb1470, ftCreationTime.dwHighDateTime=0x1d5e11d, ftLastAccessTime.dwLowDateTime=0xad65a770, ftLastAccessTime.dwHighDateTime=0x1d5e473, ftLastWriteTime.dwLowDateTime=0xad65a770, ftLastWriteTime.dwHighDateTime=0x1d5e473, nFileSizeHigh=0x0, nFileSizeLow=0x4c89, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Dyakkb.swf", cAlternateFileName="")) returned 1 [0159.100] lstrcmpiW (lpString1="Dyakkb.swf", lpString2="Windows") returned -1 [0159.100] lstrcmpiW (lpString1="Dyakkb.swf", lpString2="Program Files") returned -1 [0159.100] lstrcmpiW (lpString1="Dyakkb.swf", lpString2="Program Files (x86)") returned -1 [0159.100] lstrcmpiW (lpString1="Dyakkb.swf", lpString2="$Recycle.bin") returned 1 [0159.100] lstrcmpiW (lpString1="Dyakkb.swf", lpString2="System Volume Information") returned -1 [0159.100] lstrcmpiW (lpString1="Dyakkb.swf", lpString2=".") returned 1 [0159.100] lstrcmpiW (lpString1="Dyakkb.swf", lpString2="..") returned 1 [0159.101] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\Dyakkb.swf") returned 86 [0159.101] lstrcmpW (lpString1="Dyakkb.swf", lpString2="PUSSY.TXT") returned -1 [0159.101] PathFindExtensionW (pszPath="Dyakkb.swf") returned=".swf" [0159.101] lstrlenW (lpString=".swf") returned 4 [0159.101] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0159.101] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\Dyakkb.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\dyakkb.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0159.102] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=19593) returned 1 [0159.102] GetProcessHeap () returned 0x4c0000 [0159.102] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c28098 [0159.116] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="1E") returned 2 [0159.116] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="15") returned 2 [0159.116] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="BF") returned 2 [0159.116] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="DE") returned 2 [0159.116] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="18") returned 2 [0159.116] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="AA") returned 2 [0159.116] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="13") returned 2 [0159.116] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="75") returned 2 [0159.116] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="CB") returned 2 [0159.116] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="D5") returned 2 [0159.116] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="74") returned 2 [0159.116] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="34") returned 2 [0159.116] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="02") returned 2 [0159.116] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="58") returned 2 [0159.116] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="39") returned 2 [0159.116] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="90") returned 2 [0159.116] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="18") returned 2 [0159.116] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="90") returned 2 [0159.116] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="46") returned 2 [0159.116] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="A8") returned 2 [0159.116] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="29") returned 2 [0159.116] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="2C") returned 2 [0159.116] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="23") returned 2 [0159.117] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="80") returned 2 [0159.117] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="84") returned 2 [0159.117] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="62") returned 2 [0159.117] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="23") returned 2 [0159.117] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="95") returned 2 [0159.117] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="EC") returned 2 [0159.117] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="DD") returned 2 [0159.117] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="2C") returned 2 [0159.117] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="79") returned 2 [0159.129] lstrcpyW (in: lpString1=0x3c380cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\Dyakkb.swf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\Dyakkb.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\Dyakkb.swf" [0159.129] lstrcpyW (in: lpString1=0x3c280cc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\Dyakkb.swf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\Dyakkb.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\Dyakkb.swf" [0159.129] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\Dyakkb.swf", lpString2=".1E15BFDE18AA1375CBD5743402583990189046A8292C238084622395ECDD2C79" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\Dyakkb.swf.1E15BFDE18AA1375CBD5743402583990189046A8292C238084622395ECDD2C79") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\Dyakkb.swf.1E15BFDE18AA1375CBD5743402583990189046A8292C238084622395ECDD2C79" [0159.129] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x3c28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0159.129] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c28098, lpOverlapped=0x3c28098) returned 1 [0159.181] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9fd7b890, ftCreationTime.dwHighDateTime=0x1d5dbeb, ftLastAccessTime.dwLowDateTime=0x230684d0, ftLastAccessTime.dwHighDateTime=0x1d5e10a, ftLastWriteTime.dwLowDateTime=0x230684d0, ftLastWriteTime.dwHighDateTime=0x1d5e10a, nFileSizeHigh=0x0, nFileSizeLow=0xc0ef, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="ExjYex.swf", cAlternateFileName="")) returned 1 [0159.181] lstrcmpiW (lpString1="ExjYex.swf", lpString2="Windows") returned -1 [0159.181] lstrcmpiW (lpString1="ExjYex.swf", lpString2="Program Files") returned -1 [0159.182] lstrcmpiW (lpString1="ExjYex.swf", lpString2="Program Files (x86)") returned -1 [0159.182] lstrcmpiW (lpString1="ExjYex.swf", lpString2="$Recycle.bin") returned 1 [0159.182] lstrcmpiW (lpString1="ExjYex.swf", lpString2="System Volume Information") returned -1 [0159.182] lstrcmpiW (lpString1="ExjYex.swf", lpString2=".") returned 1 [0159.182] lstrcmpiW (lpString1="ExjYex.swf", lpString2="..") returned 1 [0159.182] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\ExjYex.swf") returned 86 [0159.182] lstrcmpW (lpString1="ExjYex.swf", lpString2="PUSSY.TXT") returned -1 [0159.182] PathFindExtensionW (pszPath="ExjYex.swf") returned=".swf" [0159.182] lstrlenW (lpString=".swf") returned 4 [0159.182] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0159.182] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\ExjYex.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\exjyex.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0159.183] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=49391) returned 1 [0159.183] GetProcessHeap () returned 0x4c0000 [0159.183] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0159.195] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="F7") returned 2 [0159.195] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="3A") returned 2 [0159.195] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="BE") returned 2 [0159.195] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="9D") returned 2 [0159.195] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="76") returned 2 [0159.195] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="7D") returned 2 [0159.196] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="3F") returned 2 [0159.196] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="13") returned 2 [0159.196] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="DF") returned 2 [0159.196] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="23") returned 2 [0159.196] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="A6") returned 2 [0159.196] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="AA") returned 2 [0159.196] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="B3") returned 2 [0159.196] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="5B") returned 2 [0159.196] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="2C") returned 2 [0159.196] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="49") returned 2 [0159.196] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="74") returned 2 [0159.196] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="B9") returned 2 [0159.196] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="6C") returned 2 [0159.196] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="39") returned 2 [0159.196] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="85") returned 2 [0159.196] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="2E") returned 2 [0159.196] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="E4") returned 2 [0159.196] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="9A") returned 2 [0159.196] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="5B") returned 2 [0159.196] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="A4") returned 2 [0159.196] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="B9") returned 2 [0159.196] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="F3") returned 2 [0159.196] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="B5") returned 2 [0159.197] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="EB") returned 2 [0159.197] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="6E") returned 2 [0159.197] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="51") returned 2 [0159.208] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\ExjYex.swf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\ExjYex.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\ExjYex.swf" [0159.208] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\ExjYex.swf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\ExjYex.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\ExjYex.swf" [0159.208] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\ExjYex.swf", lpString2=".F73ABE9D767D3F13DF23A6AAB35B2C4974B96C39852EE49A5BA4B9F3B5EB6E51" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\ExjYex.swf.F73ABE9D767D3F13DF23A6AAB35B2C4974B96C39852EE49A5BA4B9F3B5EB6E51") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\ExjYex.swf.F73ABE9D767D3F13DF23A6AAB35B2C4974B96C39852EE49A5BA4B9F3B5EB6E51" [0159.208] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0159.209] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0160.788] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab257d0, ftCreationTime.dwHighDateTime=0x1d5e2ac, ftLastAccessTime.dwLowDateTime=0xbddbc2f0, ftLastAccessTime.dwHighDateTime=0x1d5dbb4, ftLastWriteTime.dwLowDateTime=0xbddbc2f0, ftLastWriteTime.dwHighDateTime=0x1d5dbb4, nFileSizeHigh=0x0, nFileSizeLow=0x16533, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="gqnhm2NPUuV.flv", cAlternateFileName="GQNHM2~1.FLV")) returned 1 [0160.788] lstrcmpiW (lpString1="gqnhm2NPUuV.flv", lpString2="Windows") returned -1 [0160.788] lstrcmpiW (lpString1="gqnhm2NPUuV.flv", lpString2="Program Files") returned -1 [0160.788] lstrcmpiW (lpString1="gqnhm2NPUuV.flv", lpString2="Program Files (x86)") returned -1 [0160.788] lstrcmpiW (lpString1="gqnhm2NPUuV.flv", lpString2="$Recycle.bin") returned 1 [0160.788] lstrcmpiW (lpString1="gqnhm2NPUuV.flv", lpString2="System Volume Information") returned -1 [0160.788] lstrcmpiW (lpString1="gqnhm2NPUuV.flv", lpString2=".") returned 1 [0160.788] lstrcmpiW (lpString1="gqnhm2NPUuV.flv", lpString2="..") returned 1 [0160.788] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\gqnhm2NPUuV.flv") returned 91 [0160.788] lstrcmpW (lpString1="gqnhm2NPUuV.flv", lpString2="PUSSY.TXT") returned -1 [0160.788] PathFindExtensionW (pszPath="gqnhm2NPUuV.flv") returned=".flv" [0160.788] lstrlenW (lpString=".flv") returned 4 [0160.788] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0160.788] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\gqnhm2NPUuV.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\gqnhm2npuuv.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0160.789] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=91443) returned 1 [0160.789] GetProcessHeap () returned 0x4c0000 [0160.789] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0160.801] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="8C") returned 2 [0160.801] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="12") returned 2 [0160.801] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="E2") returned 2 [0160.801] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="57") returned 2 [0160.802] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="33") returned 2 [0160.802] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="12") returned 2 [0160.802] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="BB") returned 2 [0160.802] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="E7") returned 2 [0160.802] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="08") returned 2 [0160.802] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="1D") returned 2 [0160.802] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="1B") returned 2 [0160.802] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="67") returned 2 [0160.802] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="39") returned 2 [0160.802] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="71") returned 2 [0160.802] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="73") returned 2 [0160.802] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="07") returned 2 [0160.802] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="DC") returned 2 [0160.802] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="43") returned 2 [0160.802] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="23") returned 2 [0160.802] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="29") returned 2 [0160.802] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="6C") returned 2 [0160.802] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="FF") returned 2 [0160.802] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="9B") returned 2 [0160.802] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="A3") returned 2 [0160.803] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="B8") returned 2 [0160.803] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="D4") returned 2 [0160.803] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="02") returned 2 [0160.803] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="09") returned 2 [0160.803] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="56") returned 2 [0160.803] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="C1") returned 2 [0160.803] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="A3") returned 2 [0160.803] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="75") returned 2 [0160.815] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\gqnhm2NPUuV.flv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\gqnhm2NPUuV.flv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\gqnhm2NPUuV.flv" [0160.815] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\gqnhm2NPUuV.flv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\gqnhm2NPUuV.flv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\gqnhm2NPUuV.flv" [0160.815] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\gqnhm2NPUuV.flv", lpString2=".8C12E2573312BBE7081D1B6739717307DC4323296CFF9BA3B8D4020956C1A375" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\gqnhm2NPUuV.flv.8C12E2573312BBE7081D1B6739717307DC4323296CFF9BA3B8D4020956C1A375") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\gqnhm2NPUuV.flv.8C12E2573312BBE7081D1B6739717307DC4323296CFF9BA3B8D4020956C1A375" [0160.815] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0160.815] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0160.861] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30959fc0, ftCreationTime.dwHighDateTime=0x1d5d979, ftLastAccessTime.dwLowDateTime=0x772732c0, ftLastAccessTime.dwHighDateTime=0x1d5db4d, ftLastWriteTime.dwLowDateTime=0x772732c0, ftLastWriteTime.dwHighDateTime=0x1d5db4d, nFileSizeHigh=0x0, nFileSizeLow=0x56b3, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="iDbeG07.flv", cAlternateFileName="")) returned 1 [0160.861] lstrcmpiW (lpString1="iDbeG07.flv", lpString2="Windows") returned -1 [0160.861] lstrcmpiW (lpString1="iDbeG07.flv", lpString2="Program Files") returned -1 [0160.861] lstrcmpiW (lpString1="iDbeG07.flv", lpString2="Program Files (x86)") returned -1 [0160.861] lstrcmpiW (lpString1="iDbeG07.flv", lpString2="$Recycle.bin") returned 1 [0160.861] lstrcmpiW (lpString1="iDbeG07.flv", lpString2="System Volume Information") returned -1 [0160.861] lstrcmpiW (lpString1="iDbeG07.flv", lpString2=".") returned 1 [0160.861] lstrcmpiW (lpString1="iDbeG07.flv", lpString2="..") returned 1 [0160.861] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\iDbeG07.flv") returned 87 [0160.861] lstrcmpW (lpString1="iDbeG07.flv", lpString2="PUSSY.TXT") returned -1 [0160.861] PathFindExtensionW (pszPath="iDbeG07.flv") returned=".flv" [0160.861] lstrlenW (lpString=".flv") returned 4 [0160.861] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0160.861] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\iDbeG07.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\idbeg07.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0160.862] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=22195) returned 1 [0160.862] GetProcessHeap () returned 0x4c0000 [0160.862] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0160.875] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="A5") returned 2 [0160.875] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="EC") returned 2 [0160.875] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="B7") returned 2 [0160.875] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="74") returned 2 [0160.875] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="E5") returned 2 [0160.875] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="E4") returned 2 [0160.875] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="CB") returned 2 [0160.875] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="03") returned 2 [0160.875] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="2E") returned 2 [0160.875] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="7E") returned 2 [0160.875] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="33") returned 2 [0160.875] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="40") returned 2 [0160.875] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="C8") returned 2 [0160.875] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="74") returned 2 [0160.875] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="D6") returned 2 [0160.875] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="E4") returned 2 [0160.875] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="77") returned 2 [0160.875] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="35") returned 2 [0160.875] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="9E") returned 2 [0160.875] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="92") returned 2 [0160.875] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="25") returned 2 [0160.875] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="DF") returned 2 [0160.875] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="A6") returned 2 [0160.876] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="17") returned 2 [0160.876] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="7E") returned 2 [0160.876] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="D0") returned 2 [0160.876] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="B2") returned 2 [0160.876] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="3E") returned 2 [0160.876] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="BB") returned 2 [0160.876] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="0C") returned 2 [0160.876] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="C0") returned 2 [0160.876] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="5C") returned 2 [0160.888] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\iDbeG07.flv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\iDbeG07.flv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\iDbeG07.flv" [0160.888] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\iDbeG07.flv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\iDbeG07.flv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\iDbeG07.flv" [0160.888] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\iDbeG07.flv", lpString2=".A5ECB774E5E4CB032E7E3340C874D6E477359E9225DFA6177ED0B23EBB0CC05C" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\iDbeG07.flv.A5ECB774E5E4CB032E7E3340C874D6E477359E9225DFA6177ED0B23EBB0CC05C") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\iDbeG07.flv.A5ECB774E5E4CB032E7E3340C874D6E477359E9225DFA6177ED0B23EBB0CC05C" [0160.888] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0160.888] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0160.920] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x630a1240, ftCreationTime.dwHighDateTime=0x1d5d9da, ftLastAccessTime.dwLowDateTime=0xe34eac60, ftLastAccessTime.dwHighDateTime=0x1d5e315, ftLastWriteTime.dwLowDateTime=0xe34eac60, ftLastWriteTime.dwHighDateTime=0x1d5e315, nFileSizeHigh=0x0, nFileSizeLow=0x6b45, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="IDMNP4en.mkv", cAlternateFileName="")) returned 1 [0160.921] lstrcmpiW (lpString1="IDMNP4en.mkv", lpString2="Windows") returned -1 [0160.921] lstrcmpiW (lpString1="IDMNP4en.mkv", lpString2="Program Files") returned -1 [0160.921] lstrcmpiW (lpString1="IDMNP4en.mkv", lpString2="Program Files (x86)") returned -1 [0160.921] lstrcmpiW (lpString1="IDMNP4en.mkv", lpString2="$Recycle.bin") returned 1 [0160.921] lstrcmpiW (lpString1="IDMNP4en.mkv", lpString2="System Volume Information") returned -1 [0160.921] lstrcmpiW (lpString1="IDMNP4en.mkv", lpString2=".") returned 1 [0160.921] lstrcmpiW (lpString1="IDMNP4en.mkv", lpString2="..") returned 1 [0160.921] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\IDMNP4en.mkv") returned 88 [0160.921] lstrcmpW (lpString1="IDMNP4en.mkv", lpString2="PUSSY.TXT") returned -1 [0160.921] PathFindExtensionW (pszPath="IDMNP4en.mkv") returned=".mkv" [0160.921] lstrlenW (lpString=".mkv") returned 4 [0160.921] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0160.921] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\IDMNP4en.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\idmnp4en.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0160.922] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=27461) returned 1 [0160.922] GetProcessHeap () returned 0x4c0000 [0160.922] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0160.939] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="66") returned 2 [0160.939] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="1B") returned 2 [0160.939] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="DC") returned 2 [0160.939] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="04") returned 2 [0160.939] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="52") returned 2 [0160.939] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="79") returned 2 [0160.939] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="17") returned 2 [0160.939] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="80") returned 2 [0160.939] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="0B") returned 2 [0160.940] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="3A") returned 2 [0160.940] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="89") returned 2 [0160.940] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="BF") returned 2 [0160.940] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="E0") returned 2 [0160.940] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="12") returned 2 [0160.940] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="C3") returned 2 [0160.940] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="09") returned 2 [0160.940] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="53") returned 2 [0160.940] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="3D") returned 2 [0160.940] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="3B") returned 2 [0160.940] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="D5") returned 2 [0160.940] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="FF") returned 2 [0160.940] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="45") returned 2 [0160.940] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="30") returned 2 [0160.940] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="66") returned 2 [0160.940] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="F2") returned 2 [0160.940] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="A5") returned 2 [0160.940] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="2D") returned 2 [0160.940] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="F4") returned 2 [0160.940] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="BA") returned 2 [0160.940] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="C0") returned 2 [0160.940] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="D4") returned 2 [0160.940] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="01") returned 2 [0160.975] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\IDMNP4en.mkv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\IDMNP4en.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\IDMNP4en.mkv" [0160.975] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\IDMNP4en.mkv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\IDMNP4en.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\IDMNP4en.mkv" [0160.975] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\IDMNP4en.mkv", lpString2=".661BDC04527917800B3A89BFE012C309533D3BD5FF453066F2A52DF4BAC0D401" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\IDMNP4en.mkv.661BDC04527917800B3A89BFE012C309533D3BD5FF453066F2A52DF4BAC0D401") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\IDMNP4en.mkv.661BDC04527917800B3A89BFE012C309533D3BD5FF453066F2A52DF4BAC0D401" [0160.975] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0160.975] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0161.013] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc2cb5600, ftCreationTime.dwHighDateTime=0x1d5e6c1, ftLastAccessTime.dwLowDateTime=0xde318fb0, ftLastAccessTime.dwHighDateTime=0x1d5db34, ftLastWriteTime.dwLowDateTime=0xde318fb0, ftLastWriteTime.dwHighDateTime=0x1d5db34, nFileSizeHigh=0x0, nFileSizeLow=0xb53e, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="KRaEwd7cS3S2.mkv", cAlternateFileName="KRAEWD~1.MKV")) returned 1 [0161.013] lstrcmpiW (lpString1="KRaEwd7cS3S2.mkv", lpString2="Windows") returned -1 [0161.013] lstrcmpiW (lpString1="KRaEwd7cS3S2.mkv", lpString2="Program Files") returned -1 [0161.013] lstrcmpiW (lpString1="KRaEwd7cS3S2.mkv", lpString2="Program Files (x86)") returned -1 [0161.013] lstrcmpiW (lpString1="KRaEwd7cS3S2.mkv", lpString2="$Recycle.bin") returned 1 [0161.013] lstrcmpiW (lpString1="KRaEwd7cS3S2.mkv", lpString2="System Volume Information") returned -1 [0161.013] lstrcmpiW (lpString1="KRaEwd7cS3S2.mkv", lpString2=".") returned 1 [0161.013] lstrcmpiW (lpString1="KRaEwd7cS3S2.mkv", lpString2="..") returned 1 [0161.013] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\KRaEwd7cS3S2.mkv") returned 92 [0161.013] lstrcmpW (lpString1="KRaEwd7cS3S2.mkv", lpString2="PUSSY.TXT") returned -1 [0161.013] PathFindExtensionW (pszPath="KRaEwd7cS3S2.mkv") returned=".mkv" [0161.013] lstrlenW (lpString=".mkv") returned 4 [0161.013] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0161.013] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\KRaEwd7cS3S2.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\kraewd7cs3s2.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0161.014] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=46398) returned 1 [0161.014] GetProcessHeap () returned 0x4c0000 [0161.014] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0161.027] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="CD") returned 2 [0161.027] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="B5") returned 2 [0161.027] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="7A") returned 2 [0161.027] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="E1") returned 2 [0161.027] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="68") returned 2 [0161.027] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="71") returned 2 [0161.027] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="58") returned 2 [0161.027] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="94") returned 2 [0161.027] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="A9") returned 2 [0161.027] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="5F") returned 2 [0161.027] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="1A") returned 2 [0161.027] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="32") returned 2 [0161.027] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="48") returned 2 [0161.027] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="00") returned 2 [0161.027] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="C4") returned 2 [0161.027] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="63") returned 2 [0161.028] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="31") returned 2 [0161.028] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="6E") returned 2 [0161.028] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="A5") returned 2 [0161.028] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="55") returned 2 [0161.028] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="EF") returned 2 [0161.028] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="48") returned 2 [0161.028] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="BD") returned 2 [0161.028] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="2B") returned 2 [0161.028] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="EE") returned 2 [0161.028] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="C5") returned 2 [0161.028] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="6A") returned 2 [0161.028] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="67") returned 2 [0161.028] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="84") returned 2 [0161.028] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="36") returned 2 [0161.028] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="A0") returned 2 [0161.028] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="19") returned 2 [0161.040] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\KRaEwd7cS3S2.mkv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\KRaEwd7cS3S2.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\KRaEwd7cS3S2.mkv" [0161.040] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\KRaEwd7cS3S2.mkv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\KRaEwd7cS3S2.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\KRaEwd7cS3S2.mkv" [0161.040] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\KRaEwd7cS3S2.mkv", lpString2=".CDB57AE168715894A95F1A324800C463316EA555EF48BD2BEEC56A678436A019" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\KRaEwd7cS3S2.mkv.CDB57AE168715894A95F1A324800C463316EA555EF48BD2BEEC56A678436A019") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\KRaEwd7cS3S2.mkv.CDB57AE168715894A95F1A324800C463316EA555EF48BD2BEEC56A678436A019" [0161.040] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0161.041] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0161.080] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x723b2ab0, ftCreationTime.dwHighDateTime=0x1d5e16e, ftLastAccessTime.dwLowDateTime=0xa0155800, ftLastAccessTime.dwHighDateTime=0x1d5e616, ftLastWriteTime.dwLowDateTime=0xa0155800, ftLastWriteTime.dwHighDateTime=0x1d5e616, nFileSizeHigh=0x0, nFileSizeLow=0xff9, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="lfTHoV.mp4", cAlternateFileName="")) returned 1 [0161.080] lstrcmpiW (lpString1="lfTHoV.mp4", lpString2="Windows") returned -1 [0161.080] lstrcmpiW (lpString1="lfTHoV.mp4", lpString2="Program Files") returned -1 [0161.080] lstrcmpiW (lpString1="lfTHoV.mp4", lpString2="Program Files (x86)") returned -1 [0161.080] lstrcmpiW (lpString1="lfTHoV.mp4", lpString2="$Recycle.bin") returned 1 [0161.080] lstrcmpiW (lpString1="lfTHoV.mp4", lpString2="System Volume Information") returned -1 [0161.080] lstrcmpiW (lpString1="lfTHoV.mp4", lpString2=".") returned 1 [0161.080] lstrcmpiW (lpString1="lfTHoV.mp4", lpString2="..") returned 1 [0161.080] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\lfTHoV.mp4") returned 86 [0161.080] lstrcmpW (lpString1="lfTHoV.mp4", lpString2="PUSSY.TXT") returned -1 [0161.080] PathFindExtensionW (pszPath="lfTHoV.mp4") returned=".mp4" [0161.080] lstrlenW (lpString=".mp4") returned 4 [0161.080] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0161.080] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\lfTHoV.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\lfthov.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0161.082] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=4089) returned 1 [0161.082] GetProcessHeap () returned 0x4c0000 [0161.082] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0161.098] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="11") returned 2 [0161.098] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="2A") returned 2 [0161.098] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="ED") returned 2 [0161.098] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="6C") returned 2 [0161.098] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="61") returned 2 [0161.098] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="33") returned 2 [0161.098] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="EA") returned 2 [0161.099] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="07") returned 2 [0161.099] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="2A") returned 2 [0161.099] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="52") returned 2 [0161.099] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="1A") returned 2 [0161.099] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="7A") returned 2 [0161.099] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="96") returned 2 [0161.099] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="7C") returned 2 [0161.099] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="2A") returned 2 [0161.099] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="6C") returned 2 [0161.099] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="6A") returned 2 [0161.099] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="68") returned 2 [0161.099] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="F4") returned 2 [0161.099] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="F0") returned 2 [0161.099] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="80") returned 2 [0161.099] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="5B") returned 2 [0161.099] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="5A") returned 2 [0161.099] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="EB") returned 2 [0161.099] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="87") returned 2 [0161.099] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="31") returned 2 [0161.099] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="8E") returned 2 [0161.099] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="4E") returned 2 [0161.099] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="07") returned 2 [0161.099] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="A6") returned 2 [0161.100] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="D6") returned 2 [0161.100] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="19") returned 2 [0161.113] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\lfTHoV.mp4" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\lfTHoV.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\lfTHoV.mp4" [0161.113] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\lfTHoV.mp4" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\lfTHoV.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\lfTHoV.mp4" [0161.113] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\lfTHoV.mp4", lpString2=".112AED6C6133EA072A521A7A967C2A6C6A68F4F0805B5AEB87318E4E07A6D619" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\lfTHoV.mp4.112AED6C6133EA072A521A7A967C2A6C6A68F4F0805B5AEB87318E4E07A6D619") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\lfTHoV.mp4.112AED6C6133EA072A521A7A967C2A6C6A68F4F0805B5AEB87318E4E07A6D619" [0161.113] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0161.113] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0161.124] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb386420, ftCreationTime.dwHighDateTime=0x1d5d9bf, ftLastAccessTime.dwLowDateTime=0x306bd150, ftLastAccessTime.dwHighDateTime=0x1d5dd42, ftLastWriteTime.dwLowDateTime=0x306bd150, ftLastWriteTime.dwHighDateTime=0x1d5dd42, nFileSizeHigh=0x0, nFileSizeLow=0x5884, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="pIWuCKdDpSLBo.mkv", cAlternateFileName="PIWUCK~1.MKV")) returned 1 [0161.124] lstrcmpiW (lpString1="pIWuCKdDpSLBo.mkv", lpString2="Windows") returned -1 [0161.124] lstrcmpiW (lpString1="pIWuCKdDpSLBo.mkv", lpString2="Program Files") returned -1 [0161.124] lstrcmpiW (lpString1="pIWuCKdDpSLBo.mkv", lpString2="Program Files (x86)") returned -1 [0161.124] lstrcmpiW (lpString1="pIWuCKdDpSLBo.mkv", lpString2="$Recycle.bin") returned 1 [0161.124] lstrcmpiW (lpString1="pIWuCKdDpSLBo.mkv", lpString2="System Volume Information") returned -1 [0161.124] lstrcmpiW (lpString1="pIWuCKdDpSLBo.mkv", lpString2=".") returned 1 [0161.124] lstrcmpiW (lpString1="pIWuCKdDpSLBo.mkv", lpString2="..") returned 1 [0161.124] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\pIWuCKdDpSLBo.mkv") returned 93 [0161.124] lstrcmpW (lpString1="pIWuCKdDpSLBo.mkv", lpString2="PUSSY.TXT") returned -1 [0161.124] PathFindExtensionW (pszPath="pIWuCKdDpSLBo.mkv") returned=".mkv" [0161.124] lstrlenW (lpString=".mkv") returned 4 [0161.124] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0161.124] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\pIWuCKdDpSLBo.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\piwuckddpslbo.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0161.125] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=22660) returned 1 [0161.125] GetProcessHeap () returned 0x4c0000 [0161.125] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0161.137] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="CB") returned 2 [0161.137] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="28") returned 2 [0161.137] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="D1") returned 2 [0161.137] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="AD") returned 2 [0161.137] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="44") returned 2 [0161.137] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="31") returned 2 [0161.137] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="F7") returned 2 [0161.137] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="A9") returned 2 [0161.137] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="82") returned 2 [0161.137] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="F5") returned 2 [0161.137] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="A0") returned 2 [0161.137] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="70") returned 2 [0161.138] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="A4") returned 2 [0161.138] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="5A") returned 2 [0161.138] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="41") returned 2 [0161.138] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="6B") returned 2 [0161.138] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="45") returned 2 [0161.138] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="91") returned 2 [0161.138] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="CB") returned 2 [0161.138] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="64") returned 2 [0161.138] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="9C") returned 2 [0161.138] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="8F") returned 2 [0161.138] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="67") returned 2 [0161.138] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="69") returned 2 [0161.138] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="AE") returned 2 [0161.138] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="DC") returned 2 [0161.138] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="D0") returned 2 [0161.138] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="7C") returned 2 [0161.138] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="2A") returned 2 [0161.138] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="14") returned 2 [0161.138] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="C8") returned 2 [0161.138] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="62") returned 2 [0161.150] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\pIWuCKdDpSLBo.mkv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\pIWuCKdDpSLBo.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\pIWuCKdDpSLBo.mkv" [0161.150] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\pIWuCKdDpSLBo.mkv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\pIWuCKdDpSLBo.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\pIWuCKdDpSLBo.mkv" [0161.150] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\pIWuCKdDpSLBo.mkv", lpString2=".CB28D1AD4431F7A982F5A070A45A416B4591CB649C8F6769AEDCD07C2A14C862" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\pIWuCKdDpSLBo.mkv.CB28D1AD4431F7A982F5A070A45A416B4591CB649C8F6769AEDCD07C2A14C862") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\pIWuCKdDpSLBo.mkv.CB28D1AD4431F7A982F5A070A45A416B4591CB649C8F6769AEDCD07C2A14C862" [0161.150] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0161.151] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0161.185] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ed2b10, ftCreationTime.dwHighDateTime=0x1d5e69a, ftLastAccessTime.dwLowDateTime=0x98495460, ftLastAccessTime.dwHighDateTime=0x1d5dd37, ftLastWriteTime.dwLowDateTime=0x98495460, ftLastWriteTime.dwHighDateTime=0x1d5dd37, nFileSizeHigh=0x0, nFileSizeLow=0x8068, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="wbfLFCHP i.avi", cAlternateFileName="WBFLFC~1.AVI")) returned 1 [0161.185] lstrcmpiW (lpString1="wbfLFCHP i.avi", lpString2="Windows") returned -1 [0161.185] lstrcmpiW (lpString1="wbfLFCHP i.avi", lpString2="Program Files") returned 1 [0161.185] lstrcmpiW (lpString1="wbfLFCHP i.avi", lpString2="Program Files (x86)") returned 1 [0161.185] lstrcmpiW (lpString1="wbfLFCHP i.avi", lpString2="$Recycle.bin") returned 1 [0161.185] lstrcmpiW (lpString1="wbfLFCHP i.avi", lpString2="System Volume Information") returned 1 [0161.185] lstrcmpiW (lpString1="wbfLFCHP i.avi", lpString2=".") returned 1 [0161.185] lstrcmpiW (lpString1="wbfLFCHP i.avi", lpString2="..") returned 1 [0161.185] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\wbfLFCHP i.avi") returned 90 [0161.185] lstrcmpW (lpString1="wbfLFCHP i.avi", lpString2="PUSSY.TXT") returned 1 [0161.185] PathFindExtensionW (pszPath="wbfLFCHP i.avi") returned=".avi" [0161.185] lstrlenW (lpString=".avi") returned 4 [0161.185] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0161.185] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\wbfLFCHP i.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\wbflfchp i.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0161.186] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=32872) returned 1 [0161.186] GetProcessHeap () returned 0x4c0000 [0161.186] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0161.202] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="47") returned 2 [0161.202] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="CD") returned 2 [0161.202] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="87") returned 2 [0161.202] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="A9") returned 2 [0161.202] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="71") returned 2 [0161.202] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="37") returned 2 [0161.202] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="9F") returned 2 [0161.202] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="B9") returned 2 [0161.202] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="FC") returned 2 [0161.202] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="F2") returned 2 [0161.202] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="05") returned 2 [0161.202] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="9D") returned 2 [0161.202] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="85") returned 2 [0161.202] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="25") returned 2 [0161.202] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="02") returned 2 [0161.202] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="E4") returned 2 [0161.202] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="3F") returned 2 [0161.202] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="B1") returned 2 [0161.203] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="8F") returned 2 [0161.203] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="0F") returned 2 [0161.203] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="7E") returned 2 [0161.203] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="B7") returned 2 [0161.203] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="99") returned 2 [0161.203] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="CB") returned 2 [0161.203] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="15") returned 2 [0161.203] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="3B") returned 2 [0161.203] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="CD") returned 2 [0161.203] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="12") returned 2 [0161.203] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="57") returned 2 [0161.203] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="80") returned 2 [0161.203] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="30") returned 2 [0161.203] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="54") returned 2 [0161.215] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\wbfLFCHP i.avi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\wbfLFCHP i.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\wbfLFCHP i.avi" [0161.215] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\wbfLFCHP i.avi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\wbfLFCHP i.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\wbfLFCHP i.avi" [0161.215] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\wbfLFCHP i.avi", lpString2=".47CD87A971379FB9FCF2059D852502E43FB18F0F7EB799CB153BCD1257803054" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\wbfLFCHP i.avi.47CD87A971379FB9FCF2059D852502E43FB18F0F7EB799CB153BCD1257803054") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\wbfLFCHP i.avi.47CD87A971379FB9FCF2059D852502E43FB18F0F7EB799CB153BCD1257803054" [0161.215] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0161.215] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0161.260] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe11ac6d0, ftCreationTime.dwHighDateTime=0x1d5df6f, ftLastAccessTime.dwLowDateTime=0x5c187d80, ftLastAccessTime.dwHighDateTime=0x1d5e80f, ftLastWriteTime.dwLowDateTime=0x5c187d80, ftLastWriteTime.dwHighDateTime=0x1d5e80f, nFileSizeHigh=0x0, nFileSizeLow=0xf389, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="WmvS.mp4", cAlternateFileName="")) returned 1 [0161.260] lstrcmpiW (lpString1="WmvS.mp4", lpString2="Windows") returned 1 [0161.260] lstrcmpiW (lpString1="WmvS.mp4", lpString2="Program Files") returned 1 [0161.260] lstrcmpiW (lpString1="WmvS.mp4", lpString2="Program Files (x86)") returned 1 [0161.260] lstrcmpiW (lpString1="WmvS.mp4", lpString2="$Recycle.bin") returned 1 [0161.260] lstrcmpiW (lpString1="WmvS.mp4", lpString2="System Volume Information") returned 1 [0161.260] lstrcmpiW (lpString1="WmvS.mp4", lpString2=".") returned 1 [0161.260] lstrcmpiW (lpString1="WmvS.mp4", lpString2="..") returned 1 [0161.260] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\WmvS.mp4") returned 84 [0161.260] lstrcmpW (lpString1="WmvS.mp4", lpString2="PUSSY.TXT") returned 1 [0161.260] PathFindExtensionW (pszPath="WmvS.mp4") returned=".mp4" [0161.260] lstrlenW (lpString=".mp4") returned 4 [0161.260] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0161.260] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\WmvS.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\wmvs.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0161.261] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=62345) returned 1 [0161.261] GetProcessHeap () returned 0x4c0000 [0161.261] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0161.273] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="2A") returned 2 [0161.273] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="37") returned 2 [0161.273] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="E6") returned 2 [0161.273] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="8D") returned 2 [0161.273] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="68") returned 2 [0161.273] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="55") returned 2 [0161.273] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="84") returned 2 [0161.273] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="B8") returned 2 [0161.274] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="86") returned 2 [0161.274] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="4E") returned 2 [0161.274] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="D7") returned 2 [0161.274] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="8D") returned 2 [0161.274] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="5C") returned 2 [0161.274] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="AB") returned 2 [0161.274] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="DD") returned 2 [0161.274] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="15") returned 2 [0161.274] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="B1") returned 2 [0161.274] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="8A") returned 2 [0161.274] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="AF") returned 2 [0161.274] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="37") returned 2 [0161.274] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="D3") returned 2 [0161.274] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="D9") returned 2 [0161.274] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="4F") returned 2 [0161.274] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="83") returned 2 [0161.274] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="B7") returned 2 [0161.274] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="F8") returned 2 [0161.274] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="BD") returned 2 [0161.274] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="DD") returned 2 [0161.274] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="22") returned 2 [0161.274] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="CD") returned 2 [0161.274] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="7C") returned 2 [0161.274] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="3C") returned 2 [0161.286] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\WmvS.mp4" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\WmvS.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\WmvS.mp4" [0161.286] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\WmvS.mp4" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\WmvS.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\WmvS.mp4" [0161.287] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\WmvS.mp4", lpString2=".2A37E68D685584B8864ED78D5CABDD15B18AAF37D3D94F83B7F8BDDD22CD7C3C" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\WmvS.mp4.2A37E68D685584B8864ED78D5CABDD15B18AAF37D3D94F83B7F8BDDD22CD7C3C") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\WmvS.mp4.2A37E68D685584B8864ED78D5CABDD15B18AAF37D3D94F83B7F8BDDD22CD7C3C" [0161.287] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0161.287] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0161.332] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb787c9b0, ftCreationTime.dwHighDateTime=0x1d5d9c2, ftLastAccessTime.dwLowDateTime=0xeb99abb0, ftLastAccessTime.dwHighDateTime=0x1d5e33b, ftLastWriteTime.dwLowDateTime=0xeb99abb0, ftLastWriteTime.dwHighDateTime=0x1d5e33b, nFileSizeHigh=0x0, nFileSizeLow=0x17412, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="XCeZ_Wt nUE.mp4", cAlternateFileName="XCEZ_W~1.MP4")) returned 1 [0161.332] lstrcmpiW (lpString1="XCeZ_Wt nUE.mp4", lpString2="Windows") returned 1 [0161.332] lstrcmpiW (lpString1="XCeZ_Wt nUE.mp4", lpString2="Program Files") returned 1 [0161.332] lstrcmpiW (lpString1="XCeZ_Wt nUE.mp4", lpString2="Program Files (x86)") returned 1 [0161.332] lstrcmpiW (lpString1="XCeZ_Wt nUE.mp4", lpString2="$Recycle.bin") returned 1 [0161.332] lstrcmpiW (lpString1="XCeZ_Wt nUE.mp4", lpString2="System Volume Information") returned 1 [0161.332] lstrcmpiW (lpString1="XCeZ_Wt nUE.mp4", lpString2=".") returned 1 [0161.332] lstrcmpiW (lpString1="XCeZ_Wt nUE.mp4", lpString2="..") returned 1 [0161.332] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\XCeZ_Wt nUE.mp4") returned 91 [0161.332] lstrcmpW (lpString1="XCeZ_Wt nUE.mp4", lpString2="PUSSY.TXT") returned 1 [0161.332] PathFindExtensionW (pszPath="XCeZ_Wt nUE.mp4") returned=".mp4" [0161.332] lstrlenW (lpString=".mp4") returned 4 [0161.332] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0161.332] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\XCeZ_Wt nUE.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\xcez_wt nue.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0161.333] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=95250) returned 1 [0161.333] GetProcessHeap () returned 0x4c0000 [0161.333] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0161.345] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="28") returned 2 [0161.346] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="AD") returned 2 [0161.346] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="86") returned 2 [0161.346] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="EB") returned 2 [0161.346] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="F2") returned 2 [0161.346] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="26") returned 2 [0161.346] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="EB") returned 2 [0161.346] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="AF") returned 2 [0161.346] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="D7") returned 2 [0161.346] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="DF") returned 2 [0161.346] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="C9") returned 2 [0161.346] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="87") returned 2 [0161.346] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="57") returned 2 [0161.346] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="58") returned 2 [0161.346] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="F4") returned 2 [0161.346] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="D0") returned 2 [0161.346] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="46") returned 2 [0161.346] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="2B") returned 2 [0161.346] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="60") returned 2 [0161.346] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="E6") returned 2 [0161.346] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="47") returned 2 [0161.346] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="38") returned 2 [0161.346] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="74") returned 2 [0161.346] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="A9") returned 2 [0161.346] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="12") returned 2 [0161.346] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="51") returned 2 [0161.346] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="23") returned 2 [0161.346] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="61") returned 2 [0161.347] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="18") returned 2 [0161.347] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="8B") returned 2 [0161.347] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="A3") returned 2 [0161.347] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="48") returned 2 [0161.369] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\XCeZ_Wt nUE.mp4" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\XCeZ_Wt nUE.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\XCeZ_Wt nUE.mp4" [0161.369] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\XCeZ_Wt nUE.mp4" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\XCeZ_Wt nUE.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\XCeZ_Wt nUE.mp4" [0161.369] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\XCeZ_Wt nUE.mp4", lpString2=".28AD86EBF226EBAFD7DFC9875758F4D0462B60E6473874A912512361188BA348" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\XCeZ_Wt nUE.mp4.28AD86EBF226EBAFD7DFC9875758F4D0462B60E6473874A912512361188BA348") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\XCeZ_Wt nUE.mp4.28AD86EBF226EBAFD7DFC9875758F4D0462B60E6473874A912512361188BA348" [0161.369] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0161.369] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0161.416] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x89fae1d0, ftCreationTime.dwHighDateTime=0x1d5de09, ftLastAccessTime.dwLowDateTime=0x48983ba0, ftLastAccessTime.dwHighDateTime=0x1d5dd0c, ftLastWriteTime.dwLowDateTime=0x48983ba0, ftLastWriteTime.dwHighDateTime=0x1d5dd0c, nFileSizeHigh=0x0, nFileSizeLow=0xc3fc, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Z81L4A.mp4", cAlternateFileName="")) returned 1 [0161.416] lstrcmpiW (lpString1="Z81L4A.mp4", lpString2="Windows") returned 1 [0161.416] lstrcmpiW (lpString1="Z81L4A.mp4", lpString2="Program Files") returned 1 [0161.416] lstrcmpiW (lpString1="Z81L4A.mp4", lpString2="Program Files (x86)") returned 1 [0161.416] lstrcmpiW (lpString1="Z81L4A.mp4", lpString2="$Recycle.bin") returned 1 [0161.416] lstrcmpiW (lpString1="Z81L4A.mp4", lpString2="System Volume Information") returned 1 [0161.416] lstrcmpiW (lpString1="Z81L4A.mp4", lpString2=".") returned 1 [0161.416] lstrcmpiW (lpString1="Z81L4A.mp4", lpString2="..") returned 1 [0161.416] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\Z81L4A.mp4") returned 86 [0161.416] lstrcmpW (lpString1="Z81L4A.mp4", lpString2="PUSSY.TXT") returned 1 [0161.416] PathFindExtensionW (pszPath="Z81L4A.mp4") returned=".mp4" [0161.416] lstrlenW (lpString=".mp4") returned 4 [0161.416] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0161.416] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\Z81L4A.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\z81l4a.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0161.417] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=50172) returned 1 [0161.417] GetProcessHeap () returned 0x4c0000 [0161.417] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0161.430] wsprintfW (in: param_1=0x28cbe6, param_2="%02X" | out: param_1="AC") returned 2 [0161.430] wsprintfW (in: param_1=0x28cbea, param_2="%02X" | out: param_1="7B") returned 2 [0161.430] wsprintfW (in: param_1=0x28cbee, param_2="%02X" | out: param_1="0B") returned 2 [0161.430] wsprintfW (in: param_1=0x28cbf2, param_2="%02X" | out: param_1="2F") returned 2 [0161.430] wsprintfW (in: param_1=0x28cbf6, param_2="%02X" | out: param_1="C9") returned 2 [0161.430] wsprintfW (in: param_1=0x28cbfa, param_2="%02X" | out: param_1="68") returned 2 [0161.430] wsprintfW (in: param_1=0x28cbfe, param_2="%02X" | out: param_1="CF") returned 2 [0161.430] wsprintfW (in: param_1=0x28cc02, param_2="%02X" | out: param_1="7C") returned 2 [0161.430] wsprintfW (in: param_1=0x28cc06, param_2="%02X" | out: param_1="C0") returned 2 [0161.430] wsprintfW (in: param_1=0x28cc0a, param_2="%02X" | out: param_1="A1") returned 2 [0161.430] wsprintfW (in: param_1=0x28cc0e, param_2="%02X" | out: param_1="4D") returned 2 [0161.430] wsprintfW (in: param_1=0x28cc12, param_2="%02X" | out: param_1="E3") returned 2 [0161.430] wsprintfW (in: param_1=0x28cc16, param_2="%02X" | out: param_1="D1") returned 2 [0161.430] wsprintfW (in: param_1=0x28cc1a, param_2="%02X" | out: param_1="A5") returned 2 [0161.430] wsprintfW (in: param_1=0x28cc1e, param_2="%02X" | out: param_1="BD") returned 2 [0161.430] wsprintfW (in: param_1=0x28cc22, param_2="%02X" | out: param_1="8C") returned 2 [0161.430] wsprintfW (in: param_1=0x28cc26, param_2="%02X" | out: param_1="0A") returned 2 [0161.430] wsprintfW (in: param_1=0x28cc2a, param_2="%02X" | out: param_1="3E") returned 2 [0161.431] wsprintfW (in: param_1=0x28cc2e, param_2="%02X" | out: param_1="AB") returned 2 [0161.431] wsprintfW (in: param_1=0x28cc32, param_2="%02X" | out: param_1="E0") returned 2 [0161.431] wsprintfW (in: param_1=0x28cc36, param_2="%02X" | out: param_1="55") returned 2 [0161.431] wsprintfW (in: param_1=0x28cc3a, param_2="%02X" | out: param_1="A9") returned 2 [0161.431] wsprintfW (in: param_1=0x28cc3e, param_2="%02X" | out: param_1="E1") returned 2 [0161.431] wsprintfW (in: param_1=0x28cc42, param_2="%02X" | out: param_1="17") returned 2 [0161.431] wsprintfW (in: param_1=0x28cc46, param_2="%02X" | out: param_1="56") returned 2 [0161.431] wsprintfW (in: param_1=0x28cc4a, param_2="%02X" | out: param_1="AF") returned 2 [0161.431] wsprintfW (in: param_1=0x28cc4e, param_2="%02X" | out: param_1="64") returned 2 [0161.431] wsprintfW (in: param_1=0x28cc52, param_2="%02X" | out: param_1="80") returned 2 [0161.431] wsprintfW (in: param_1=0x28cc56, param_2="%02X" | out: param_1="54") returned 2 [0161.431] wsprintfW (in: param_1=0x28cc5a, param_2="%02X" | out: param_1="DB") returned 2 [0161.431] wsprintfW (in: param_1=0x28cc5e, param_2="%02X" | out: param_1="E7") returned 2 [0161.431] wsprintfW (in: param_1=0x28cc62, param_2="%02X" | out: param_1="15") returned 2 [0161.475] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\Z81L4A.mp4" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\Z81L4A.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\Z81L4A.mp4" [0161.475] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\Z81L4A.mp4" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\Z81L4A.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\Z81L4A.mp4" [0161.476] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\Z81L4A.mp4", lpString2=".AC7B0B2FC968CF7CC0A14DE3D1A5BD8C0A3EABE055A9E11756AF648054DBE715" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\Z81L4A.mp4.AC7B0B2FC968CF7CC0A14DE3D1A5BD8C0A3EABE055A9E11756AF648054DBE715") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\Z81L4A.mp4.AC7B0B2FC968CF7CC0A14DE3D1A5BD8C0A3EABE055A9E11756AF648054DBE715" [0161.476] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0161.476] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0161.524] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x89fae1d0, ftCreationTime.dwHighDateTime=0x1d5de09, ftLastAccessTime.dwLowDateTime=0x48983ba0, ftLastAccessTime.dwHighDateTime=0x1d5dd0c, ftLastWriteTime.dwLowDateTime=0x48983ba0, ftLastWriteTime.dwHighDateTime=0x1d5dd0c, nFileSizeHigh=0x0, nFileSizeLow=0xc3fc, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Z81L4A.mp4", cAlternateFileName="")) returned 0 [0161.524] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0161.524] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\PUSSY.TXT") returned 85 [0161.524] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0161.526] lstrlenA (lpString="abcd") returned 4 [0161.526] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0161.527] CloseHandle (hObject=0x184) returned 1 [0161.527] GetProcessHeap () returned 0x4c0000 [0161.527] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0161.533] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a3bb3f0, ftCreationTime.dwHighDateTime=0x1d5e364, ftLastAccessTime.dwLowDateTime=0x575fb1c0, ftLastAccessTime.dwHighDateTime=0x1d5e5dd, ftLastWriteTime.dwLowDateTime=0x575fb1c0, ftLastWriteTime.dwHighDateTime=0x1d5e5dd, nFileSizeHigh=0x0, nFileSizeLow=0x139e0, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="nb_78VpPeFHfy-4w6J5.swf", cAlternateFileName="NB_78V~1.SWF")) returned 1 [0161.533] lstrcmpiW (lpString1="nb_78VpPeFHfy-4w6J5.swf", lpString2="Windows") returned -1 [0161.533] lstrcmpiW (lpString1="nb_78VpPeFHfy-4w6J5.swf", lpString2="Program Files") returned -1 [0161.533] lstrcmpiW (lpString1="nb_78VpPeFHfy-4w6J5.swf", lpString2="Program Files (x86)") returned -1 [0161.533] lstrcmpiW (lpString1="nb_78VpPeFHfy-4w6J5.swf", lpString2="$Recycle.bin") returned 1 [0161.533] lstrcmpiW (lpString1="nb_78VpPeFHfy-4w6J5.swf", lpString2="System Volume Information") returned -1 [0161.533] lstrcmpiW (lpString1="nb_78VpPeFHfy-4w6J5.swf", lpString2=".") returned 1 [0161.533] lstrcmpiW (lpString1="nb_78VpPeFHfy-4w6J5.swf", lpString2="..") returned 1 [0161.533] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\nb_78VpPeFHfy-4w6J5.swf") returned 84 [0161.533] lstrcmpW (lpString1="nb_78VpPeFHfy-4w6J5.swf", lpString2="PUSSY.TXT") returned -1 [0161.533] PathFindExtensionW (pszPath="nb_78VpPeFHfy-4w6J5.swf") returned=".swf" [0161.533] lstrlenW (lpString=".swf") returned 4 [0161.533] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0161.533] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\nb_78VpPeFHfy-4w6J5.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\nb_78vppefhfy-4w6j5.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0161.535] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=80352) returned 1 [0161.535] GetProcessHeap () returned 0x4c0000 [0161.535] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0161.549] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="61") returned 2 [0161.549] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="96") returned 2 [0161.549] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="FB") returned 2 [0161.549] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="D6") returned 2 [0161.549] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="35") returned 2 [0161.549] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="09") returned 2 [0161.549] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="E8") returned 2 [0161.549] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="B6") returned 2 [0161.549] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="5B") returned 2 [0161.549] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="7F") returned 2 [0161.549] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="E9") returned 2 [0161.549] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="DE") returned 2 [0161.549] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="E9") returned 2 [0161.549] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="62") returned 2 [0161.549] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="AD") returned 2 [0161.549] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="15") returned 2 [0161.549] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="47") returned 2 [0161.549] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="89") returned 2 [0161.549] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="E0") returned 2 [0161.549] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="46") returned 2 [0161.549] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="5A") returned 2 [0161.550] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="C0") returned 2 [0161.550] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="F1") returned 2 [0161.550] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="41") returned 2 [0161.550] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="2B") returned 2 [0161.550] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="94") returned 2 [0161.550] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="10") returned 2 [0161.550] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="F3") returned 2 [0161.550] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="E5") returned 2 [0161.550] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="7D") returned 2 [0161.550] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="0A") returned 2 [0161.550] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="62") returned 2 [0161.562] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\nb_78VpPeFHfy-4w6J5.swf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\nb_78VpPeFHfy-4w6J5.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\nb_78VpPeFHfy-4w6J5.swf" [0161.563] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\nb_78VpPeFHfy-4w6J5.swf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\nb_78VpPeFHfy-4w6J5.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\nb_78VpPeFHfy-4w6J5.swf" [0161.563] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\nb_78VpPeFHfy-4w6J5.swf", lpString2=".6196FBD63509E8B65B7FE9DEE962AD154789E0465AC0F1412B9410F3E57D0A62" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\nb_78VpPeFHfy-4w6J5.swf.6196FBD63509E8B65B7FE9DEE962AD154789E0465AC0F1412B9410F3E57D0A62") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\nb_78VpPeFHfy-4w6J5.swf.6196FBD63509E8B65B7FE9DEE962AD154789E0465AC0F1412B9410F3E57D0A62" [0161.563] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0161.563] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0161.612] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3bda2530, ftCreationTime.dwHighDateTime=0x1d5e401, ftLastAccessTime.dwLowDateTime=0x6773560, ftLastAccessTime.dwHighDateTime=0x1d5d9c8, ftLastWriteTime.dwLowDateTime=0x6773560, ftLastWriteTime.dwHighDateTime=0x1d5d9c8, nFileSizeHigh=0x0, nFileSizeLow=0x3411, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="NcloMJQBRZi2.mp4", cAlternateFileName="NCLOMJ~1.MP4")) returned 1 [0161.612] lstrcmpiW (lpString1="NcloMJQBRZi2.mp4", lpString2="Windows") returned -1 [0161.612] lstrcmpiW (lpString1="NcloMJQBRZi2.mp4", lpString2="Program Files") returned -1 [0161.612] lstrcmpiW (lpString1="NcloMJQBRZi2.mp4", lpString2="Program Files (x86)") returned -1 [0161.612] lstrcmpiW (lpString1="NcloMJQBRZi2.mp4", lpString2="$Recycle.bin") returned 1 [0161.612] lstrcmpiW (lpString1="NcloMJQBRZi2.mp4", lpString2="System Volume Information") returned -1 [0161.612] lstrcmpiW (lpString1="NcloMJQBRZi2.mp4", lpString2=".") returned 1 [0161.612] lstrcmpiW (lpString1="NcloMJQBRZi2.mp4", lpString2="..") returned 1 [0161.612] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\NcloMJQBRZi2.mp4") returned 77 [0161.612] lstrcmpW (lpString1="NcloMJQBRZi2.mp4", lpString2="PUSSY.TXT") returned -1 [0161.612] PathFindExtensionW (pszPath="NcloMJQBRZi2.mp4") returned=".mp4" [0161.612] lstrlenW (lpString=".mp4") returned 4 [0161.613] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0161.613] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\NcloMJQBRZi2.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\nclomjqbrzi2.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0161.614] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=13329) returned 1 [0161.614] GetProcessHeap () returned 0x4c0000 [0161.614] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0161.627] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="41") returned 2 [0161.627] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="CA") returned 2 [0161.627] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="3B") returned 2 [0161.627] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="D1") returned 2 [0161.627] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="5E") returned 2 [0161.627] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="86") returned 2 [0161.627] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="39") returned 2 [0161.627] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="98") returned 2 [0161.627] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="83") returned 2 [0161.627] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="B2") returned 2 [0161.627] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="B4") returned 2 [0161.627] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="41") returned 2 [0161.627] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="F9") returned 2 [0161.627] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="DA") returned 2 [0161.627] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="A7") returned 2 [0161.627] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="60") returned 2 [0161.627] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="D3") returned 2 [0161.627] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="54") returned 2 [0161.627] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="16") returned 2 [0161.627] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="76") returned 2 [0161.627] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="37") returned 2 [0161.627] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="C9") returned 2 [0161.628] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="2C") returned 2 [0161.628] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="39") returned 2 [0161.628] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="EF") returned 2 [0161.628] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="12") returned 2 [0161.628] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="57") returned 2 [0161.628] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="7F") returned 2 [0161.628] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="EC") returned 2 [0161.628] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="B5") returned 2 [0161.628] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="82") returned 2 [0161.628] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="6D") returned 2 [0161.640] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\NcloMJQBRZi2.mp4" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\NcloMJQBRZi2.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\NcloMJQBRZi2.mp4" [0161.640] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\NcloMJQBRZi2.mp4" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\NcloMJQBRZi2.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\NcloMJQBRZi2.mp4" [0161.640] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\NcloMJQBRZi2.mp4", lpString2=".41CA3BD15E86399883B2B441F9DAA760D354167637C92C39EF12577FECB5826D" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\NcloMJQBRZi2.mp4.41CA3BD15E86399883B2B441F9DAA760D354167637C92C39EF12577FECB5826D") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\NcloMJQBRZi2.mp4.41CA3BD15E86399883B2B441F9DAA760D354167637C92C39EF12577FECB5826D" [0161.640] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0161.640] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0161.663] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4fae4b00, ftCreationTime.dwHighDateTime=0x1d5debf, ftLastAccessTime.dwLowDateTime=0x1c25e740, ftLastAccessTime.dwHighDateTime=0x1d5e48f, ftLastWriteTime.dwLowDateTime=0x1c25e740, ftLastWriteTime.dwHighDateTime=0x1d5e48f, nFileSizeHigh=0x0, nFileSizeLow=0x106d9, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="qSJc NnAlOS.swf", cAlternateFileName="QSJCNN~1.SWF")) returned 1 [0161.663] lstrcmpiW (lpString1="qSJc NnAlOS.swf", lpString2="Windows") returned -1 [0161.663] lstrcmpiW (lpString1="qSJc NnAlOS.swf", lpString2="Program Files") returned 1 [0161.663] lstrcmpiW (lpString1="qSJc NnAlOS.swf", lpString2="Program Files (x86)") returned 1 [0161.663] lstrcmpiW (lpString1="qSJc NnAlOS.swf", lpString2="$Recycle.bin") returned 1 [0161.663] lstrcmpiW (lpString1="qSJc NnAlOS.swf", lpString2="System Volume Information") returned -1 [0161.663] lstrcmpiW (lpString1="qSJc NnAlOS.swf", lpString2=".") returned 1 [0161.663] lstrcmpiW (lpString1="qSJc NnAlOS.swf", lpString2="..") returned 1 [0161.663] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\qSJc NnAlOS.swf") returned 76 [0161.663] lstrcmpW (lpString1="qSJc NnAlOS.swf", lpString2="PUSSY.TXT") returned 1 [0161.664] PathFindExtensionW (pszPath="qSJc NnAlOS.swf") returned=".swf" [0161.664] lstrlenW (lpString=".swf") returned 4 [0161.664] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0161.664] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\qSJc NnAlOS.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\qsjc nnalos.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0161.665] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=67289) returned 1 [0161.665] GetProcessHeap () returned 0x4c0000 [0161.665] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0161.678] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="90") returned 2 [0161.678] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="90") returned 2 [0161.678] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="13") returned 2 [0161.678] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="B6") returned 2 [0161.678] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="9B") returned 2 [0161.678] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="83") returned 2 [0161.678] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="4C") returned 2 [0161.678] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="8A") returned 2 [0161.678] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="4A") returned 2 [0161.678] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="BE") returned 2 [0161.678] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="3B") returned 2 [0161.678] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="EA") returned 2 [0161.678] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="EC") returned 2 [0161.678] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="78") returned 2 [0161.678] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="2F") returned 2 [0161.678] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="EF") returned 2 [0161.678] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="01") returned 2 [0161.678] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="02") returned 2 [0161.678] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="EC") returned 2 [0161.678] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="A3") returned 2 [0161.678] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="85") returned 2 [0161.678] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="45") returned 2 [0161.679] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="81") returned 2 [0161.679] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="CA") returned 2 [0161.679] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="AB") returned 2 [0161.679] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="4A") returned 2 [0161.679] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="74") returned 2 [0161.679] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="42") returned 2 [0161.679] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="D2") returned 2 [0161.679] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="D4") returned 2 [0161.679] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="F1") returned 2 [0161.679] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="71") returned 2 [0161.691] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\qSJc NnAlOS.swf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\qSJc NnAlOS.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\qSJc NnAlOS.swf" [0161.691] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\qSJc NnAlOS.swf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\qSJc NnAlOS.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\qSJc NnAlOS.swf" [0161.691] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\qSJc NnAlOS.swf", lpString2=".909013B69B834C8A4ABE3BEAEC782FEF0102ECA3854581CAAB4A7442D2D4F171" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\qSJc NnAlOS.swf.909013B69B834C8A4ABE3BEAEC782FEF0102ECA3854581CAAB4A7442D2D4F171") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\qSJc NnAlOS.swf.909013B69B834C8A4ABE3BEAEC782FEF0102ECA3854581CAAB4A7442D2D4F171" [0161.691] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0161.715] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0161.778] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b62e30, ftCreationTime.dwHighDateTime=0x1d5e572, ftLastAccessTime.dwLowDateTime=0xe64add50, ftLastAccessTime.dwHighDateTime=0x1d5d9bd, ftLastWriteTime.dwLowDateTime=0xe64add50, ftLastWriteTime.dwHighDateTime=0x1d5d9bd, nFileSizeHigh=0x0, nFileSizeLow=0x10074, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="RfJ-z.flv", cAlternateFileName="")) returned 1 [0161.778] lstrcmpiW (lpString1="RfJ-z.flv", lpString2="Windows") returned -1 [0161.778] lstrcmpiW (lpString1="RfJ-z.flv", lpString2="Program Files") returned 1 [0161.778] lstrcmpiW (lpString1="RfJ-z.flv", lpString2="Program Files (x86)") returned 1 [0161.778] lstrcmpiW (lpString1="RfJ-z.flv", lpString2="$Recycle.bin") returned 1 [0161.778] lstrcmpiW (lpString1="RfJ-z.flv", lpString2="System Volume Information") returned -1 [0161.778] lstrcmpiW (lpString1="RfJ-z.flv", lpString2=".") returned 1 [0161.778] lstrcmpiW (lpString1="RfJ-z.flv", lpString2="..") returned 1 [0161.778] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\RfJ-z.flv") returned 70 [0161.778] lstrcmpW (lpString1="RfJ-z.flv", lpString2="PUSSY.TXT") returned 1 [0161.778] PathFindExtensionW (pszPath="RfJ-z.flv") returned=".flv" [0161.778] lstrlenW (lpString=".flv") returned 4 [0161.778] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0161.778] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\RfJ-z.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\rfj-z.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0161.780] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=65652) returned 1 [0161.780] GetProcessHeap () returned 0x4c0000 [0161.780] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0161.794] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="F7") returned 2 [0161.794] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="71") returned 2 [0161.794] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="85") returned 2 [0161.794] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="A9") returned 2 [0161.794] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="2B") returned 2 [0161.794] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="64") returned 2 [0161.794] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="21") returned 2 [0161.794] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="2A") returned 2 [0161.794] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="28") returned 2 [0161.794] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="7C") returned 2 [0161.794] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="5C") returned 2 [0161.794] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="A8") returned 2 [0161.794] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="5F") returned 2 [0161.794] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="C5") returned 2 [0161.794] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="8A") returned 2 [0161.794] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="F0") returned 2 [0161.794] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="00") returned 2 [0161.795] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="2C") returned 2 [0161.795] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="0A") returned 2 [0161.795] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="BB") returned 2 [0161.795] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="DD") returned 2 [0161.795] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="58") returned 2 [0161.795] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="12") returned 2 [0161.795] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="48") returned 2 [0161.795] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="BD") returned 2 [0161.795] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="C3") returned 2 [0161.795] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="4B") returned 2 [0161.795] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="5D") returned 2 [0161.795] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="B0") returned 2 [0161.795] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="97") returned 2 [0161.795] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="FC") returned 2 [0161.795] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="16") returned 2 [0161.807] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\RfJ-z.flv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\RfJ-z.flv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\RfJ-z.flv" [0161.807] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\RfJ-z.flv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\RfJ-z.flv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\RfJ-z.flv" [0161.807] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\RfJ-z.flv", lpString2=".F77185A92B64212A287C5CA85FC58AF0002C0ABBDD581248BDC34B5DB097FC16" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\RfJ-z.flv.F77185A92B64212A287C5CA85FC58AF0002C0ABBDD581248BDC34B5DB097FC16") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\RfJ-z.flv.F77185A92B64212A287C5CA85FC58AF0002C0ABBDD581248BDC34B5DB097FC16" [0161.807] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0161.807] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0161.856] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b62e30, ftCreationTime.dwHighDateTime=0x1d5e572, ftLastAccessTime.dwLowDateTime=0xe64add50, ftLastAccessTime.dwHighDateTime=0x1d5d9bd, ftLastWriteTime.dwLowDateTime=0xe64add50, ftLastWriteTime.dwHighDateTime=0x1d5d9bd, nFileSizeHigh=0x0, nFileSizeLow=0x10074, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="RfJ-z.flv", cAlternateFileName="")) returned 0 [0161.856] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0161.857] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\PUSSY.TXT") returned 70 [0161.857] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0162.641] lstrlenA (lpString="abcd") returned 4 [0162.641] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0162.642] CloseHandle (hObject=0x184) returned 1 [0162.642] GetProcessHeap () returned 0x4c0000 [0162.642] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0162.645] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb1786580, ftCreationTime.dwHighDateTime=0x1d5e0ce, ftLastAccessTime.dwLowDateTime=0x38f9efb0, ftLastAccessTime.dwHighDateTime=0x1d5de0e, ftLastWriteTime.dwLowDateTime=0x38f9efb0, ftLastWriteTime.dwHighDateTime=0x1d5de0e, nFileSizeHigh=0x0, nFileSizeLow=0x162da, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="T1l4Ssm.swf", cAlternateFileName="")) returned 1 [0162.645] lstrcmpiW (lpString1="T1l4Ssm.swf", lpString2="Windows") returned -1 [0162.645] lstrcmpiW (lpString1="T1l4Ssm.swf", lpString2="Program Files") returned 1 [0162.645] lstrcmpiW (lpString1="T1l4Ssm.swf", lpString2="Program Files (x86)") returned 1 [0162.645] lstrcmpiW (lpString1="T1l4Ssm.swf", lpString2="$Recycle.bin") returned 1 [0162.645] lstrcmpiW (lpString1="T1l4Ssm.swf", lpString2="System Volume Information") returned 1 [0162.645] lstrcmpiW (lpString1="T1l4Ssm.swf", lpString2=".") returned 1 [0162.645] lstrcmpiW (lpString1="T1l4Ssm.swf", lpString2="..") returned 1 [0162.645] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\T1l4Ssm.swf") returned 52 [0162.645] lstrcmpW (lpString1="T1l4Ssm.swf", lpString2="PUSSY.TXT") returned 1 [0162.645] PathFindExtensionW (pszPath="T1l4Ssm.swf") returned=".swf" [0162.645] lstrlenW (lpString=".swf") returned 4 [0162.645] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0162.645] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\T1l4Ssm.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\t1l4ssm.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0162.646] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=90842) returned 1 [0162.646] GetProcessHeap () returned 0x4c0000 [0162.646] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0162.660] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="6E") returned 2 [0162.660] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="E2") returned 2 [0162.660] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="D0") returned 2 [0162.660] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="F4") returned 2 [0162.661] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="3F") returned 2 [0162.661] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="9B") returned 2 [0162.661] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="67") returned 2 [0162.661] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="80") returned 2 [0162.661] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="9D") returned 2 [0162.661] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="6C") returned 2 [0162.661] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="A9") returned 2 [0162.661] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="31") returned 2 [0162.661] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="71") returned 2 [0162.661] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="E6") returned 2 [0162.661] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="C0") returned 2 [0162.661] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="78") returned 2 [0162.661] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="0E") returned 2 [0162.661] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="A1") returned 2 [0162.661] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="55") returned 2 [0162.661] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="77") returned 2 [0162.661] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="60") returned 2 [0162.661] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="AA") returned 2 [0162.661] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="F7") returned 2 [0162.661] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="04") returned 2 [0162.661] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="7A") returned 2 [0162.661] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="0F") returned 2 [0162.661] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="4F") returned 2 [0162.661] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="DB") returned 2 [0162.662] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="3B") returned 2 [0162.662] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="FC") returned 2 [0162.662] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="8B") returned 2 [0162.662] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="30") returned 2 [0162.675] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\T1l4Ssm.swf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\T1l4Ssm.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\T1l4Ssm.swf" [0162.675] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\T1l4Ssm.swf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\T1l4Ssm.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\T1l4Ssm.swf" [0162.675] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\T1l4Ssm.swf", lpString2=".6EE2D0F43F9B67809D6CA93171E6C0780EA1557760AAF7047A0F4FDB3BFC8B30" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\T1l4Ssm.swf.6EE2D0F43F9B67809D6CA93171E6C0780EA1557760AAF7047A0F4FDB3BFC8B30") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\T1l4Ssm.swf.6EE2D0F43F9B67809D6CA93171E6C0780EA1557760AAF7047A0F4FDB3BFC8B30" [0162.675] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0162.675] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0162.729] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1aacc1a0, ftCreationTime.dwHighDateTime=0x1d5d953, ftLastAccessTime.dwLowDateTime=0x136e6d30, ftLastAccessTime.dwHighDateTime=0x1d5dbe7, ftLastWriteTime.dwLowDateTime=0x136e6d30, ftLastWriteTime.dwHighDateTime=0x1d5dbe7, nFileSizeHigh=0x0, nFileSizeLow=0x8ba0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="tg4y4m2lVj2YBRLTa.mp4", cAlternateFileName="TG4Y4M~1.MP4")) returned 1 [0162.729] lstrcmpiW (lpString1="tg4y4m2lVj2YBRLTa.mp4", lpString2="Windows") returned -1 [0162.729] lstrcmpiW (lpString1="tg4y4m2lVj2YBRLTa.mp4", lpString2="Program Files") returned 1 [0162.729] lstrcmpiW (lpString1="tg4y4m2lVj2YBRLTa.mp4", lpString2="Program Files (x86)") returned 1 [0162.729] lstrcmpiW (lpString1="tg4y4m2lVj2YBRLTa.mp4", lpString2="$Recycle.bin") returned 1 [0162.729] lstrcmpiW (lpString1="tg4y4m2lVj2YBRLTa.mp4", lpString2="System Volume Information") returned 1 [0162.729] lstrcmpiW (lpString1="tg4y4m2lVj2YBRLTa.mp4", lpString2=".") returned 1 [0162.729] lstrcmpiW (lpString1="tg4y4m2lVj2YBRLTa.mp4", lpString2="..") returned 1 [0162.729] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\tg4y4m2lVj2YBRLTa.mp4") returned 62 [0162.729] lstrcmpW (lpString1="tg4y4m2lVj2YBRLTa.mp4", lpString2="PUSSY.TXT") returned 1 [0162.729] PathFindExtensionW (pszPath="tg4y4m2lVj2YBRLTa.mp4") returned=".mp4" [0162.729] lstrlenW (lpString=".mp4") returned 4 [0162.729] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0162.729] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\tg4y4m2lVj2YBRLTa.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\tg4y4m2lvj2ybrlta.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0162.730] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=35744) returned 1 [0162.730] GetProcessHeap () returned 0x4c0000 [0162.730] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0162.743] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="FE") returned 2 [0162.743] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="9C") returned 2 [0162.743] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="7F") returned 2 [0162.743] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="87") returned 2 [0162.743] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="4F") returned 2 [0162.743] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="04") returned 2 [0162.743] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="E0") returned 2 [0162.743] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="6D") returned 2 [0162.743] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="74") returned 2 [0162.743] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="00") returned 2 [0162.743] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="34") returned 2 [0162.743] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="D3") returned 2 [0162.743] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="CB") returned 2 [0162.743] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="1A") returned 2 [0162.743] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="D6") returned 2 [0162.743] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="58") returned 2 [0162.743] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="1C") returned 2 [0162.743] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="81") returned 2 [0162.743] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="EC") returned 2 [0162.743] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="5F") returned 2 [0162.744] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="11") returned 2 [0162.744] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="14") returned 2 [0162.744] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="24") returned 2 [0162.744] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="67") returned 2 [0162.744] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="E6") returned 2 [0162.744] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="9D") returned 2 [0162.745] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="D1") returned 2 [0162.745] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="69") returned 2 [0162.745] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="11") returned 2 [0162.745] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="11") returned 2 [0162.745] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="83") returned 2 [0162.745] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="51") returned 2 [0162.757] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\tg4y4m2lVj2YBRLTa.mp4" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\tg4y4m2lVj2YBRLTa.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\tg4y4m2lVj2YBRLTa.mp4" [0162.757] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\tg4y4m2lVj2YBRLTa.mp4" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\tg4y4m2lVj2YBRLTa.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\tg4y4m2lVj2YBRLTa.mp4" [0162.757] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\tg4y4m2lVj2YBRLTa.mp4", lpString2=".FE9C7F874F04E06D740034D3CB1AD6581C81EC5F11142467E69DD16911118351" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\tg4y4m2lVj2YBRLTa.mp4.FE9C7F874F04E06D740034D3CB1AD6581C81EC5F11142467E69DD16911118351") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\tg4y4m2lVj2YBRLTa.mp4.FE9C7F874F04E06D740034D3CB1AD6581C81EC5F11142467E69DD16911118351" [0162.758] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0162.758] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0162.758] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa834c420, ftCreationTime.dwHighDateTime=0x1d5e473, ftLastAccessTime.dwLowDateTime=0xeb196b50, ftLastAccessTime.dwHighDateTime=0x1d5db3c, ftLastWriteTime.dwLowDateTime=0xeb196b50, ftLastWriteTime.dwHighDateTime=0x1d5db3c, nFileSizeHigh=0x0, nFileSizeLow=0x1556d, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="uSXXvNIFbDtizULs74vR.swf", cAlternateFileName="USXXVN~1.SWF")) returned 1 [0162.758] lstrcmpiW (lpString1="uSXXvNIFbDtizULs74vR.swf", lpString2="Windows") returned -1 [0162.758] lstrcmpiW (lpString1="uSXXvNIFbDtizULs74vR.swf", lpString2="Program Files") returned 1 [0162.758] lstrcmpiW (lpString1="uSXXvNIFbDtizULs74vR.swf", lpString2="Program Files (x86)") returned 1 [0162.758] lstrcmpiW (lpString1="uSXXvNIFbDtizULs74vR.swf", lpString2="$Recycle.bin") returned 1 [0162.758] lstrcmpiW (lpString1="uSXXvNIFbDtizULs74vR.swf", lpString2="System Volume Information") returned 1 [0162.758] lstrcmpiW (lpString1="uSXXvNIFbDtizULs74vR.swf", lpString2=".") returned 1 [0162.758] lstrcmpiW (lpString1="uSXXvNIFbDtizULs74vR.swf", lpString2="..") returned 1 [0162.758] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uSXXvNIFbDtizULs74vR.swf") returned 65 [0162.758] lstrcmpW (lpString1="uSXXvNIFbDtizULs74vR.swf", lpString2="PUSSY.TXT") returned 1 [0162.758] PathFindExtensionW (pszPath="uSXXvNIFbDtizULs74vR.swf") returned=".swf" [0162.758] lstrlenW (lpString=".swf") returned 4 [0162.758] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0162.758] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uSXXvNIFbDtizULs74vR.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\usxxvnifbdtizuls74vr.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x124 [0162.759] GetFileSizeEx (in: hFile=0x124, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=87405) returned 1 [0162.760] GetProcessHeap () returned 0x4c0000 [0162.760] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x553b30 [0162.773] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="C0") returned 2 [0162.774] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="1F") returned 2 [0162.774] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="70") returned 2 [0162.774] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="C0") returned 2 [0162.774] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="24") returned 2 [0162.774] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="87") returned 2 [0162.774] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="FE") returned 2 [0162.774] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="D6") returned 2 [0162.774] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="C8") returned 2 [0162.774] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="C8") returned 2 [0162.774] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="F0") returned 2 [0162.774] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="43") returned 2 [0162.774] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="A0") returned 2 [0162.774] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="9F") returned 2 [0162.774] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="42") returned 2 [0162.774] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="51") returned 2 [0162.774] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="35") returned 2 [0162.774] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="4C") returned 2 [0162.774] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="3B") returned 2 [0162.774] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="C3") returned 2 [0162.774] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="8B") returned 2 [0162.774] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="C5") returned 2 [0162.774] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="4E") returned 2 [0162.774] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="C3") returned 2 [0162.774] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="50") returned 2 [0162.774] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="8A") returned 2 [0162.774] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="5C") returned 2 [0162.775] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="79") returned 2 [0162.775] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="6A") returned 2 [0162.775] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="A5") returned 2 [0162.775] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="E8") returned 2 [0162.775] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="0E") returned 2 [0162.787] lstrcpyW (in: lpString1=0x563b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uSXXvNIFbDtizULs74vR.swf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uSXXvNIFbDtizULs74vR.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uSXXvNIFbDtizULs74vR.swf" [0162.787] lstrcpyW (in: lpString1=0x553b64, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uSXXvNIFbDtizULs74vR.swf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uSXXvNIFbDtizULs74vR.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uSXXvNIFbDtizULs74vR.swf" [0162.788] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uSXXvNIFbDtizULs74vR.swf", lpString2=".C01F70C02487FED6C8C8F043A09F4251354C3BC38BC54EC3508A5C796AA5E80E" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uSXXvNIFbDtizULs74vR.swf.C01F70C02487FED6C8C8F043A09F4251354C3BC38BC54EC3508A5C796AA5E80E") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uSXXvNIFbDtizULs74vR.swf.C01F70C02487FED6C8C8F043A09F4251354C3BC38BC54EC3508A5C796AA5E80E" [0162.788] CreateIoCompletionPort (FileHandle=0x124, ExistingCompletionPort=0x94, CompletionKey=0x553b30, NumberOfConcurrentThreads=0x0) returned 0x94 [0162.788] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x553b30, lpOverlapped=0x553b30) returned 1 [0162.788] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa834c420, ftCreationTime.dwHighDateTime=0x1d5e473, ftLastAccessTime.dwLowDateTime=0xeb196b50, ftLastAccessTime.dwHighDateTime=0x1d5db3c, ftLastWriteTime.dwLowDateTime=0xeb196b50, ftLastWriteTime.dwHighDateTime=0x1d5db3c, nFileSizeHigh=0x0, nFileSizeLow=0x1556d, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="uSXXvNIFbDtizULs74vR.swf", cAlternateFileName="USXXVN~1.SWF")) returned 0 [0162.788] FindClose (in: hFindFile=0x3bb7020 | out: hFindFile=0x3bb7020) returned 1 [0162.788] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PUSSY.TXT") returned 50 [0162.788] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0162.789] lstrlenA (lpString="abcd") returned 4 [0162.789] WriteFile (in: hFile=0x190, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0162.790] CloseHandle (hObject=0x190) returned 1 [0162.791] GetProcessHeap () returned 0x4c0000 [0162.791] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x57bb80 | out: hHeap=0x4c0000) returned 1 [0162.791] FindNextFileW (in: hFindFile=0x4ddbc8, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdb115ba0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdb115ba0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Videos", cAlternateFileName="")) returned 0 [0162.791] FindClose (in: hFindFile=0x4ddbc8 | out: hFindFile=0x4ddbc8) returned 1 [0162.791] wnsprintfW (in: pszDest=0x3b28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\PUSSY.TXT") returned 43 [0162.791] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\PUSSY.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0162.792] lstrlenA (lpString="abcd") returned 4 [0162.792] WriteFile (in: hFile=0x1a4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28e5ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28e5ec*=0x4, lpOverlapped=0x0) returned 1 [0162.793] CloseHandle (hObject=0x1a4) returned 1 [0162.793] GetProcessHeap () returned 0x4c0000 [0162.793] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b28098 | out: hHeap=0x4c0000) returned 1 [0162.797] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0xc0100080, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0162.797] lstrcmpiW (lpString1="All Users", lpString2="Windows") returned -1 [0162.797] lstrcmpiW (lpString1="All Users", lpString2="Program Files") returned -1 [0162.798] lstrcmpiW (lpString1="All Users", lpString2="Program Files (x86)") returned -1 [0162.798] lstrcmpiW (lpString1="All Users", lpString2="$Recycle.bin") returned 1 [0162.798] lstrcmpiW (lpString1="All Users", lpString2="System Volume Information") returned -1 [0162.798] lstrcmpiW (lpString1="All Users", lpString2=".") returned 1 [0162.798] lstrcmpiW (lpString1="All Users", lpString2="..") returned 1 [0162.798] wnsprintfW (in: pszDest=0x3bb80d8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users") returned 22 [0162.798] GetProcessHeap () returned 0x4c0000 [0162.798] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x57bb80 [0162.798] lstrcpyW (in: lpString1=0x57bb80, lpString2="\\\\?\\C:\\Users\\All Users" | out: lpString1="\\\\?\\C:\\Users\\All Users") returned="\\\\?\\C:\\Users\\All Users" [0162.798] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\*") returned="\\\\?\\C:\\Users\\All Users\\*" [0162.798] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\*", lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc95ad4c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc95ad4c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb7020 [0162.798] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0162.798] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0162.798] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0162.798] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0162.798] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0162.798] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0162.798] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc95ad4c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc95ad4c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0162.799] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0162.799] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0162.799] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0162.799] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0162.799] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0162.799] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0162.799] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0162.799] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xc33a2aa0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc33a2aa0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Adobe", cAlternateFileName="")) returned 1 [0162.799] lstrcmpiW (lpString1="Adobe", lpString2="Windows") returned -1 [0162.799] lstrcmpiW (lpString1="Adobe", lpString2="Program Files") returned -1 [0162.799] lstrcmpiW (lpString1="Adobe", lpString2="Program Files (x86)") returned -1 [0162.799] lstrcmpiW (lpString1="Adobe", lpString2="$Recycle.bin") returned 1 [0162.799] lstrcmpiW (lpString1="Adobe", lpString2="System Volume Information") returned -1 [0162.925] lstrcmpiW (lpString1="Adobe", lpString2=".") returned 1 [0162.925] lstrcmpiW (lpString1="Adobe", lpString2="..") returned 1 [0162.925] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe") returned 28 [0162.925] GetProcessHeap () returned 0x4c0000 [0162.925] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0162.926] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\All Users\\Adobe" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe") returned="\\\\?\\C:\\Users\\All Users\\Adobe" [0162.926] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\*") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\*" [0162.926] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xc33a2aa0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc33a2aa0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0162.926] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0162.926] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0162.926] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0162.926] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0162.926] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0162.926] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0162.926] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xc33a2aa0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc33a2aa0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0162.926] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0162.926] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0162.927] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0162.927] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0162.927] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0162.927] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0162.927] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0162.927] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xc30cf080, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc30cf080, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Acrobat", cAlternateFileName="")) returned 1 [0162.927] lstrcmpiW (lpString1="Acrobat", lpString2="Windows") returned -1 [0162.927] lstrcmpiW (lpString1="Acrobat", lpString2="Program Files") returned -1 [0162.927] lstrcmpiW (lpString1="Acrobat", lpString2="Program Files (x86)") returned -1 [0162.927] lstrcmpiW (lpString1="Acrobat", lpString2="$Recycle.bin") returned 1 [0162.927] lstrcmpiW (lpString1="Acrobat", lpString2="System Volume Information") returned -1 [0162.927] lstrcmpiW (lpString1="Acrobat", lpString2=".") returned 1 [0162.927] lstrcmpiW (lpString1="Acrobat", lpString2="..") returned 1 [0162.927] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat") returned 36 [0162.927] GetProcessHeap () returned 0x4c0000 [0162.927] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0162.928] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat" [0162.928] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\*") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\*" [0162.928] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xc30cf080, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc30cf080, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0162.928] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0162.928] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0162.928] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0162.928] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0162.928] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0162.928] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0162.928] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xc30cf080, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc30cf080, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0162.929] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0162.929] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0162.929] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0162.929] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0162.929] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0162.929] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0162.929] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0162.929] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xc30cf080, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc30cf080, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="10.0", cAlternateFileName="")) returned 1 [0162.929] lstrcmpiW (lpString1="10.0", lpString2="Windows") returned -1 [0162.929] lstrcmpiW (lpString1="10.0", lpString2="Program Files") returned -1 [0162.929] lstrcmpiW (lpString1="10.0", lpString2="Program Files (x86)") returned -1 [0162.929] lstrcmpiW (lpString1="10.0", lpString2="$Recycle.bin") returned 1 [0162.929] lstrcmpiW (lpString1="10.0", lpString2="System Volume Information") returned -1 [0162.929] lstrcmpiW (lpString1="10.0", lpString2=".") returned 1 [0162.929] lstrcmpiW (lpString1="10.0", lpString2="..") returned 1 [0162.929] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0") returned 41 [0162.929] GetProcessHeap () returned 0x4c0000 [0162.929] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0162.930] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0" [0162.930] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\*") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\*" [0162.930] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xc30cf080, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc30cf080, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe65b380, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0162.931] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0162.931] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0162.931] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0162.931] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0162.931] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0162.931] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0162.931] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xc30cf080, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc30cf080, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe65b380, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0162.931] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0162.931] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0162.931] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0162.931] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0162.931] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0162.931] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0162.931] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0162.931] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc30cf080, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc30cf080, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc30cf080, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0xfe65b380, dwReserved1=0xfe000000, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0162.931] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0162.931] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0162.931] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0162.931] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0162.931] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0162.931] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0162.931] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0162.931] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\PUSSY.TXT") returned 51 [0162.931] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0162.931] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xc30cf080, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc30cf080, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe65b380, dwReserved1=0xfe000000, cFileName="Replicate", cAlternateFileName="REPLIC~1")) returned 1 [0162.932] lstrcmpiW (lpString1="Replicate", lpString2="Windows") returned -1 [0162.932] lstrcmpiW (lpString1="Replicate", lpString2="Program Files") returned 1 [0162.932] lstrcmpiW (lpString1="Replicate", lpString2="Program Files (x86)") returned 1 [0162.932] lstrcmpiW (lpString1="Replicate", lpString2="$Recycle.bin") returned 1 [0162.932] lstrcmpiW (lpString1="Replicate", lpString2="System Volume Information") returned -1 [0162.932] lstrcmpiW (lpString1="Replicate", lpString2=".") returned 1 [0162.932] lstrcmpiW (lpString1="Replicate", lpString2="..") returned 1 [0162.932] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate") returned 51 [0162.932] GetProcessHeap () returned 0x4c0000 [0162.932] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0162.932] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate" [0162.932] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\*") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\*" [0162.932] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xc30cf080, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc30cf080, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0162.933] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0162.933] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0162.933] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0162.933] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0162.933] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0162.933] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0162.933] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xc30cf080, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc30cf080, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="..", cAlternateFileName="")) returned 1 [0162.933] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0162.933] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0162.933] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0162.933] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0162.933] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0162.933] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0162.933] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0162.933] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc30cf080, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc30cf080, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc30cf080, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0162.933] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0162.933] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0162.933] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0162.933] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0162.933] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0162.933] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0162.933] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0162.933] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\PUSSY.TXT") returned 61 [0162.934] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0162.934] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xc30a8f20, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc30a8f20, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="Security", cAlternateFileName="")) returned 1 [0162.934] lstrcmpiW (lpString1="Security", lpString2="Windows") returned -1 [0162.934] lstrcmpiW (lpString1="Security", lpString2="Program Files") returned 1 [0162.934] lstrcmpiW (lpString1="Security", lpString2="Program Files (x86)") returned 1 [0162.934] lstrcmpiW (lpString1="Security", lpString2="$Recycle.bin") returned 1 [0162.934] lstrcmpiW (lpString1="Security", lpString2="System Volume Information") returned -1 [0162.934] lstrcmpiW (lpString1="Security", lpString2=".") returned 1 [0162.934] lstrcmpiW (lpString1="Security", lpString2="..") returned 1 [0162.934] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security") returned 60 [0162.934] GetProcessHeap () returned 0x4c0000 [0162.934] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0162.935] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security" [0162.935] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*" [0162.935] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xc30a8f20, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc30a8f20, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x30b987c, dwReserved1=0xb470d3, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0162.935] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0162.935] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0162.935] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0162.935] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0162.935] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0162.935] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0162.935] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xc30a8f20, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc30a8f20, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x30b987c, dwReserved1=0xb470d3, cFileName="..", cAlternateFileName="")) returned 1 [0162.935] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0162.936] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0162.936] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0162.936] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0162.936] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0162.936] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0162.936] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0162.936] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x93de7300, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x93de7300, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x1df, dwReserved0=0x30b987c, dwReserved1=0xb470d3, cFileName="directories.acrodata", cAlternateFileName="DIRECT~1.ACR")) returned 1 [0162.936] lstrcmpiW (lpString1="directories.acrodata", lpString2="Windows") returned -1 [0162.936] lstrcmpiW (lpString1="directories.acrodata", lpString2="Program Files") returned -1 [0162.936] lstrcmpiW (lpString1="directories.acrodata", lpString2="Program Files (x86)") returned -1 [0162.936] lstrcmpiW (lpString1="directories.acrodata", lpString2="$Recycle.bin") returned 1 [0162.936] lstrcmpiW (lpString1="directories.acrodata", lpString2="System Volume Information") returned -1 [0162.936] lstrcmpiW (lpString1="directories.acrodata", lpString2=".") returned 1 [0162.936] lstrcmpiW (lpString1="directories.acrodata", lpString2="..") returned 1 [0162.936] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata") returned 81 [0162.936] lstrcmpW (lpString1="directories.acrodata", lpString2="PUSSY.TXT") returned -1 [0162.936] PathFindExtensionW (pszPath="directories.acrodata") returned=".acrodata" [0162.936] lstrlenW (lpString=".acrodata") returned 9 [0162.936] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0162.936] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata" (normalized: "c:\\users\\all users\\adobe\\acrobat\\10.0\\replicate\\security\\directories.acrodata"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0162.937] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=479) returned 1 [0162.937] CloseHandle (hObject=0x1b8) returned 1 [0162.937] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc30a8f20, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc30a8f20, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc30a8f20, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x30b987c, dwReserved1=0xb470d3, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0162.937] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0162.937] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0162.937] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0162.937] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0162.938] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0162.938] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0162.938] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0162.938] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\PUSSY.TXT") returned 70 [0162.938] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0162.938] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc30a8f20, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc30a8f20, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc30a8f20, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x30b987c, dwReserved1=0xb470d3, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0162.938] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0162.938] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\PUSSY.TXT") returned 70 [0162.938] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\PUSSY.TXT" (normalized: "c:\\users\\all users\\adobe\\acrobat\\10.0\\replicate\\security\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.938] GetProcessHeap () returned 0x4c0000 [0162.938] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0162.938] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xc30a8f20, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc30a8f20, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="Security", cAlternateFileName="")) returned 0 [0162.938] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0162.938] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\PUSSY.TXT") returned 61 [0162.938] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\PUSSY.TXT" (normalized: "c:\\users\\all users\\adobe\\acrobat\\10.0\\replicate\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.938] GetProcessHeap () returned 0x4c0000 [0162.938] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0162.943] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xc30cf080, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc30cf080, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe65b380, dwReserved1=0xfe000000, cFileName="Replicate", cAlternateFileName="REPLIC~1")) returned 0 [0162.943] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0162.943] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\PUSSY.TXT") returned 51 [0162.943] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\PUSSY.TXT" (normalized: "c:\\users\\all users\\adobe\\acrobat\\10.0\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.943] GetProcessHeap () returned 0x4c0000 [0162.943] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0162.944] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc30cf080, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc30cf080, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc30cf080, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0162.944] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0162.944] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0162.944] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0162.944] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0162.944] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0162.944] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0162.944] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0162.944] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\PUSSY.TXT") returned 46 [0162.944] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0162.944] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc30cf080, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc30cf080, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc30cf080, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0162.944] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0162.944] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\PUSSY.TXT") returned 46 [0162.944] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\PUSSY.TXT" (normalized: "c:\\users\\all users\\adobe\\acrobat\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.945] GetProcessHeap () returned 0x4c0000 [0162.945] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0162.946] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xc33a2aa0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc33a2aa0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="ARM", cAlternateFileName="")) returned 1 [0162.946] lstrcmpiW (lpString1="ARM", lpString2="Windows") returned -1 [0162.946] lstrcmpiW (lpString1="ARM", lpString2="Program Files") returned -1 [0162.946] lstrcmpiW (lpString1="ARM", lpString2="Program Files (x86)") returned -1 [0162.946] lstrcmpiW (lpString1="ARM", lpString2="$Recycle.bin") returned 1 [0162.946] lstrcmpiW (lpString1="ARM", lpString2="System Volume Information") returned -1 [0162.946] lstrcmpiW (lpString1="ARM", lpString2=".") returned 1 [0162.946] lstrcmpiW (lpString1="ARM", lpString2="..") returned 1 [0162.946] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM") returned 32 [0162.946] GetProcessHeap () returned 0x4c0000 [0162.946] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0162.947] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM" [0162.947] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\*") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\*" [0162.947] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xc33a2aa0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc33a2aa0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0162.948] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0162.948] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0162.948] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0162.948] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0162.948] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0162.948] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0162.948] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xc33a2aa0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc33a2aa0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0162.948] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0162.948] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0162.948] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0162.948] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0162.948] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0162.948] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0162.948] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0162.948] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc33a2aa0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc33a2aa0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc33a2aa0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0162.948] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0162.948] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0162.948] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0162.948] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0162.948] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0162.948] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0162.948] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0162.948] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\PUSSY.TXT") returned 42 [0162.948] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0162.948] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xc369c620, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc369c620, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="Reader_10.0.0", cAlternateFileName="READER~1.0")) returned 1 [0162.948] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="Windows") returned -1 [0162.949] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="Program Files") returned 1 [0162.949] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="Program Files (x86)") returned 1 [0162.949] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="$Recycle.bin") returned 1 [0162.949] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="System Volume Information") returned -1 [0162.949] lstrcmpiW (lpString1="Reader_10.0.0", lpString2=".") returned 1 [0162.949] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="..") returned 1 [0162.949] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0") returned 46 [0162.949] GetProcessHeap () returned 0x4c0000 [0162.949] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0162.950] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0" [0162.950] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\*") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\*" [0162.950] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xc369c620, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc369c620, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe65b380, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0162.950] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0162.950] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0162.950] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0162.950] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0162.950] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0162.950] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0162.950] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xc369c620, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc369c620, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe65b380, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0162.950] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0162.950] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0162.951] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0162.951] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0162.951] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0162.951] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0162.951] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0162.951] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e186d00, ftCreationTime.dwHighDateTime=0x1cfb543, ftLastAccessTime.dwLowDateTime=0x7e186d00, ftLastAccessTime.dwHighDateTime=0x1cfb543, ftLastWriteTime.dwLowDateTime=0xc36764c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x3d800, dwReserved0=0xfe65b380, dwReserved1=0xfe000000, cFileName="AdbeRdrSecUpd10111.msp.6EFB53755298338D49BC31AD38D03298154F0E45C01421EB29FF3B6259B3E372", cAlternateFileName="ADBERD~1.6EF")) returned 1 [0162.951] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp.6EFB53755298338D49BC31AD38D03298154F0E45C01421EB29FF3B6259B3E372", lpString2="Windows") returned -1 [0162.951] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp.6EFB53755298338D49BC31AD38D03298154F0E45C01421EB29FF3B6259B3E372", lpString2="Program Files") returned -1 [0162.951] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp.6EFB53755298338D49BC31AD38D03298154F0E45C01421EB29FF3B6259B3E372", lpString2="Program Files (x86)") returned -1 [0162.951] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp.6EFB53755298338D49BC31AD38D03298154F0E45C01421EB29FF3B6259B3E372", lpString2="$Recycle.bin") returned 1 [0162.951] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp.6EFB53755298338D49BC31AD38D03298154F0E45C01421EB29FF3B6259B3E372", lpString2="System Volume Information") returned -1 [0162.951] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp.6EFB53755298338D49BC31AD38D03298154F0E45C01421EB29FF3B6259B3E372", lpString2=".") returned 1 [0162.951] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp.6EFB53755298338D49BC31AD38D03298154F0E45C01421EB29FF3B6259B3E372", lpString2="..") returned 1 [0162.951] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp.6EFB53755298338D49BC31AD38D03298154F0E45C01421EB29FF3B6259B3E372") returned 134 [0162.951] lstrcmpW (lpString1="AdbeRdrSecUpd10111.msp.6EFB53755298338D49BC31AD38D03298154F0E45C01421EB29FF3B6259B3E372", lpString2="PUSSY.TXT") returned -1 [0162.951] PathFindExtensionW (pszPath="AdbeRdrSecUpd10111.msp.6EFB53755298338D49BC31AD38D03298154F0E45C01421EB29FF3B6259B3E372") returned=".6EFB53755298338D49BC31AD38D03298154F0E45C01421EB29FF3B6259B3E372" [0162.951] lstrlenW (lpString=".6EFB53755298338D49BC31AD38D03298154F0E45C01421EB29FF3B6259B3E372") returned 65 [0162.951] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4450880, ftCreationTime.dwHighDateTime=0x1cf6c45, ftLastAccessTime.dwLowDateTime=0xb4450880, ftLastAccessTime.dwHighDateTime=0x1cf6c45, ftLastWriteTime.dwLowDateTime=0xc369c620, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x10e3000, dwReserved0=0xfe65b380, dwReserved1=0xfe000000, cFileName="AdbeRdrUpd10110_MUI.msp.9B94FAE1DE8A8D1F8B3B7E0A5140F0EC23B03C51C370B6268777A40E0278B159", cAlternateFileName="ADBERD~1.9B9")) returned 1 [0162.951] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp.9B94FAE1DE8A8D1F8B3B7E0A5140F0EC23B03C51C370B6268777A40E0278B159", lpString2="Windows") returned -1 [0162.951] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp.9B94FAE1DE8A8D1F8B3B7E0A5140F0EC23B03C51C370B6268777A40E0278B159", lpString2="Program Files") returned -1 [0162.951] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp.9B94FAE1DE8A8D1F8B3B7E0A5140F0EC23B03C51C370B6268777A40E0278B159", lpString2="Program Files (x86)") returned -1 [0162.951] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp.9B94FAE1DE8A8D1F8B3B7E0A5140F0EC23B03C51C370B6268777A40E0278B159", lpString2="$Recycle.bin") returned 1 [0162.951] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp.9B94FAE1DE8A8D1F8B3B7E0A5140F0EC23B03C51C370B6268777A40E0278B159", lpString2="System Volume Information") returned -1 [0162.951] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp.9B94FAE1DE8A8D1F8B3B7E0A5140F0EC23B03C51C370B6268777A40E0278B159", lpString2=".") returned 1 [0162.951] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp.9B94FAE1DE8A8D1F8B3B7E0A5140F0EC23B03C51C370B6268777A40E0278B159", lpString2="..") returned 1 [0162.951] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp.9B94FAE1DE8A8D1F8B3B7E0A5140F0EC23B03C51C370B6268777A40E0278B159") returned 135 [0162.951] lstrcmpW (lpString1="AdbeRdrUpd10110_MUI.msp.9B94FAE1DE8A8D1F8B3B7E0A5140F0EC23B03C51C370B6268777A40E0278B159", lpString2="PUSSY.TXT") returned -1 [0162.952] PathFindExtensionW (pszPath="AdbeRdrUpd10110_MUI.msp.9B94FAE1DE8A8D1F8B3B7E0A5140F0EC23B03C51C370B6268777A40E0278B159") returned=".9B94FAE1DE8A8D1F8B3B7E0A5140F0EC23B03C51C370B6268777A40E0278B159" [0162.952] lstrlenW (lpString=".9B94FAE1DE8A8D1F8B3B7E0A5140F0EC23B03C51C370B6268777A40E0278B159") returned 65 [0162.952] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2540cc00, ftCreationTime.dwHighDateTime=0x1d1056e, ftLastAccessTime.dwLowDateTime=0x2540cc00, ftLastAccessTime.dwHighDateTime=0x1d1056e, ftLastWriteTime.dwLowDateTime=0xc36764c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x109d000, dwReserved0=0xfe65b380, dwReserved1=0xfe000000, cFileName="AdbeRdrUpd10116_MUI.msp.D336B87C9E58C5E83AFBC1DB96D0321E8B688F7A76293F3AF3A708A9B1D9063E", cAlternateFileName="ADBERD~1.D33")) returned 1 [0162.952] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp.D336B87C9E58C5E83AFBC1DB96D0321E8B688F7A76293F3AF3A708A9B1D9063E", lpString2="Windows") returned -1 [0162.952] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp.D336B87C9E58C5E83AFBC1DB96D0321E8B688F7A76293F3AF3A708A9B1D9063E", lpString2="Program Files") returned -1 [0162.952] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp.D336B87C9E58C5E83AFBC1DB96D0321E8B688F7A76293F3AF3A708A9B1D9063E", lpString2="Program Files (x86)") returned -1 [0162.952] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp.D336B87C9E58C5E83AFBC1DB96D0321E8B688F7A76293F3AF3A708A9B1D9063E", lpString2="$Recycle.bin") returned 1 [0162.952] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp.D336B87C9E58C5E83AFBC1DB96D0321E8B688F7A76293F3AF3A708A9B1D9063E", lpString2="System Volume Information") returned -1 [0162.952] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp.D336B87C9E58C5E83AFBC1DB96D0321E8B688F7A76293F3AF3A708A9B1D9063E", lpString2=".") returned 1 [0162.952] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp.D336B87C9E58C5E83AFBC1DB96D0321E8B688F7A76293F3AF3A708A9B1D9063E", lpString2="..") returned 1 [0162.952] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp.D336B87C9E58C5E83AFBC1DB96D0321E8B688F7A76293F3AF3A708A9B1D9063E") returned 135 [0162.952] lstrcmpW (lpString1="AdbeRdrUpd10116_MUI.msp.D336B87C9E58C5E83AFBC1DB96D0321E8B688F7A76293F3AF3A708A9B1D9063E", lpString2="PUSSY.TXT") returned -1 [0162.952] PathFindExtensionW (pszPath="AdbeRdrUpd10116_MUI.msp.D336B87C9E58C5E83AFBC1DB96D0321E8B688F7A76293F3AF3A708A9B1D9063E") returned=".D336B87C9E58C5E83AFBC1DB96D0321E8B688F7A76293F3AF3A708A9B1D9063E" [0162.952] lstrlenW (lpString=".D336B87C9E58C5E83AFBC1DB96D0321E8B688F7A76293F3AF3A708A9B1D9063E") returned 65 [0162.952] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc337c940, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc337c940, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc337c940, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0xfe65b380, dwReserved1=0xfe000000, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0162.952] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0162.952] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0162.952] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0162.952] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0162.952] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0162.952] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0162.952] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0162.952] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\PUSSY.TXT") returned 56 [0162.952] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0162.952] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc337c940, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc337c940, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc337c940, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0xfe65b380, dwReserved1=0xfe000000, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0162.952] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0162.952] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\PUSSY.TXT") returned 56 [0162.952] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\PUSSY.TXT" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.953] GetProcessHeap () returned 0x4c0000 [0162.953] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0162.953] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xc369c620, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc369c620, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d490, dwReserved1=0x77c61b06, cFileName="Reader_10.0.0", cAlternateFileName="READER~1.0")) returned 0 [0162.953] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0162.953] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\PUSSY.TXT") returned 42 [0162.953] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\PUSSY.TXT" (normalized: "c:\\users\\all users\\adobe\\arm\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.953] GetProcessHeap () returned 0x4c0000 [0162.953] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0162.954] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc33a2aa0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc33a2aa0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc33a2aa0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0162.954] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0162.954] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0162.954] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0162.954] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0162.954] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0162.954] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0162.954] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0162.954] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\PUSSY.TXT") returned 38 [0162.954] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0162.954] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc33a2aa0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc33a2aa0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc33a2aa0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0162.954] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0162.954] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\PUSSY.TXT") returned 38 [0162.954] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\PUSSY.TXT" (normalized: "c:\\users\\all users\\adobe\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.955] GetProcessHeap () returned 0x4c0000 [0162.955] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0162.955] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3074f252, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3074f252, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3074f252, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0162.955] lstrcmpiW (lpString1="Application Data", lpString2="Windows") returned -1 [0162.955] lstrcmpiW (lpString1="Application Data", lpString2="Program Files") returned -1 [0162.955] lstrcmpiW (lpString1="Application Data", lpString2="Program Files (x86)") returned -1 [0162.955] lstrcmpiW (lpString1="Application Data", lpString2="$Recycle.bin") returned 1 [0162.955] lstrcmpiW (lpString1="Application Data", lpString2="System Volume Information") returned -1 [0162.955] lstrcmpiW (lpString1="Application Data", lpString2=".") returned 1 [0162.955] lstrcmpiW (lpString1="Application Data", lpString2="..") returned 1 [0162.955] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Application Data") returned 39 [0162.955] GetProcessHeap () returned 0x4c0000 [0162.955] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0162.955] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\All Users\\Application Data" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Application Data") returned="\\\\?\\C:\\Users\\All Users\\Application Data" [0162.955] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Application Data", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Application Data\\*") returned="\\\\?\\C:\\Users\\All Users\\Application Data\\*" [0162.955] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Application Data\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc33a2aa0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc33a2aa0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc33a2aa0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="a")) returned 0xffffffff [0162.955] GetProcessHeap () returned 0x4c0000 [0162.955] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0162.956] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Desktop", cAlternateFileName="")) returned 1 [0162.956] lstrcmpiW (lpString1="Desktop", lpString2="Windows") returned -1 [0162.956] lstrcmpiW (lpString1="Desktop", lpString2="Program Files") returned -1 [0162.956] lstrcmpiW (lpString1="Desktop", lpString2="Program Files (x86)") returned -1 [0162.956] lstrcmpiW (lpString1="Desktop", lpString2="$Recycle.bin") returned 1 [0162.956] lstrcmpiW (lpString1="Desktop", lpString2="System Volume Information") returned -1 [0162.956] lstrcmpiW (lpString1="Desktop", lpString2=".") returned 1 [0162.956] lstrcmpiW (lpString1="Desktop", lpString2="..") returned 1 [0162.956] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Desktop") returned 30 [0162.956] GetProcessHeap () returned 0x4c0000 [0162.956] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0162.956] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\All Users\\Desktop" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Desktop") returned="\\\\?\\C:\\Users\\All Users\\Desktop" [0162.956] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Desktop", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Desktop\\*") returned="\\\\?\\C:\\Users\\All Users\\Desktop\\*" [0162.956] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Desktop\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc33a2aa0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc33a2aa0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc33a2aa0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="p")) returned 0xffffffff [0162.956] GetProcessHeap () returned 0x4c0000 [0162.956] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0162.956] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3074f252, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3074f252, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3074f252, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0162.956] lstrcmpiW (lpString1="Documents", lpString2="Windows") returned -1 [0162.956] lstrcmpiW (lpString1="Documents", lpString2="Program Files") returned -1 [0162.956] lstrcmpiW (lpString1="Documents", lpString2="Program Files (x86)") returned -1 [0162.956] lstrcmpiW (lpString1="Documents", lpString2="$Recycle.bin") returned 1 [0162.956] lstrcmpiW (lpString1="Documents", lpString2="System Volume Information") returned -1 [0162.956] lstrcmpiW (lpString1="Documents", lpString2=".") returned 1 [0162.956] lstrcmpiW (lpString1="Documents", lpString2="..") returned 1 [0162.957] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Documents") returned 32 [0162.957] GetProcessHeap () returned 0x4c0000 [0162.957] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0162.957] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\All Users\\Documents" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Documents") returned="\\\\?\\C:\\Users\\All Users\\Documents" [0162.957] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Documents", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Documents\\*") returned="\\\\?\\C:\\Users\\All Users\\Documents\\*" [0162.957] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Documents\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc33a2aa0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc33a2aa0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc33a2aa0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="s")) returned 0xffffffff [0162.957] GetProcessHeap () returned 0x4c0000 [0162.957] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0162.957] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3074f252, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3074f252, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3074f252, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0162.957] lstrcmpiW (lpString1="Favorites", lpString2="Windows") returned -1 [0162.957] lstrcmpiW (lpString1="Favorites", lpString2="Program Files") returned -1 [0162.957] lstrcmpiW (lpString1="Favorites", lpString2="Program Files (x86)") returned -1 [0162.957] lstrcmpiW (lpString1="Favorites", lpString2="$Recycle.bin") returned 1 [0162.957] lstrcmpiW (lpString1="Favorites", lpString2="System Volume Information") returned -1 [0162.957] lstrcmpiW (lpString1="Favorites", lpString2=".") returned 1 [0162.957] lstrcmpiW (lpString1="Favorites", lpString2="..") returned 1 [0162.957] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Favorites") returned 32 [0162.957] GetProcessHeap () returned 0x4c0000 [0162.957] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0162.957] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\All Users\\Favorites" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Favorites") returned="\\\\?\\C:\\Users\\All Users\\Favorites" [0162.957] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Favorites", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Favorites\\*") returned="\\\\?\\C:\\Users\\All Users\\Favorites\\*" [0162.957] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Favorites\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc33a2aa0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc33a2aa0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc33a2aa0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="s")) returned 0xffffffff [0162.958] GetProcessHeap () returned 0x4c0000 [0162.958] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0162.958] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc734f720, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc734f720, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0162.958] lstrcmpiW (lpString1="Microsoft", lpString2="Windows") returned -1 [0162.958] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files") returned -1 [0162.958] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files (x86)") returned -1 [0162.958] lstrcmpiW (lpString1="Microsoft", lpString2="$Recycle.bin") returned 1 [0162.958] lstrcmpiW (lpString1="Microsoft", lpString2="System Volume Information") returned -1 [0162.958] lstrcmpiW (lpString1="Microsoft", lpString2=".") returned 1 [0162.958] lstrcmpiW (lpString1="Microsoft", lpString2="..") returned 1 [0162.958] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft") returned 32 [0162.958] GetProcessHeap () returned 0x4c0000 [0162.958] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0162.958] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft") returned="\\\\?\\C:\\Users\\All Users\\Microsoft" [0162.958] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*" [0162.958] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc734f720, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc734f720, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0162.958] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0162.958] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0162.958] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0162.958] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0162.958] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0162.958] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0162.959] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc734f720, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc734f720, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0162.959] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0162.959] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0162.959] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0162.959] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0162.959] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0162.959] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0162.959] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0162.959] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0xc3734ba0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3734ba0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Assistance", cAlternateFileName="ASSIST~1")) returned 1 [0162.959] lstrcmpiW (lpString1="Assistance", lpString2="Windows") returned -1 [0162.959] lstrcmpiW (lpString1="Assistance", lpString2="Program Files") returned -1 [0162.959] lstrcmpiW (lpString1="Assistance", lpString2="Program Files (x86)") returned -1 [0162.959] lstrcmpiW (lpString1="Assistance", lpString2="$Recycle.bin") returned 1 [0162.959] lstrcmpiW (lpString1="Assistance", lpString2="System Volume Information") returned -1 [0162.959] lstrcmpiW (lpString1="Assistance", lpString2=".") returned 1 [0162.959] lstrcmpiW (lpString1="Assistance", lpString2="..") returned 1 [0162.959] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance") returned 43 [0162.959] GetProcessHeap () returned 0x4c0000 [0162.959] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0162.960] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance" [0162.960] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\*" [0162.960] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0xc3734ba0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3734ba0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0162.960] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0162.960] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0162.960] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0162.960] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0162.960] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0162.961] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0162.961] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0xc3734ba0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3734ba0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0162.961] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0162.961] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0162.961] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0162.961] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0162.961] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0162.961] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0162.961] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0162.961] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0xc3734ba0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3734ba0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="Client", cAlternateFileName="")) returned 1 [0162.961] lstrcmpiW (lpString1="Client", lpString2="Windows") returned -1 [0162.961] lstrcmpiW (lpString1="Client", lpString2="Program Files") returned -1 [0162.961] lstrcmpiW (lpString1="Client", lpString2="Program Files (x86)") returned -1 [0162.961] lstrcmpiW (lpString1="Client", lpString2="$Recycle.bin") returned 1 [0162.961] lstrcmpiW (lpString1="Client", lpString2="System Volume Information") returned -1 [0162.961] lstrcmpiW (lpString1="Client", lpString2=".") returned 1 [0162.961] lstrcmpiW (lpString1="Client", lpString2="..") returned 1 [0162.961] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client") returned 50 [0162.961] GetProcessHeap () returned 0x4c0000 [0162.961] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0162.962] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client" [0162.962] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\*" [0162.962] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0xc3734ba0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3734ba0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe65b380, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0162.962] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0162.963] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0162.963] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0162.963] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0162.963] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0162.963] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0162.963] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0xc3734ba0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3734ba0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe65b380, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0162.963] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0162.963] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0162.963] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0162.963] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0162.963] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0162.963] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0162.963] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0162.963] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0xc3734ba0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3734ba0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe65b380, dwReserved1=0xfe000000, cFileName="1.0", cAlternateFileName="")) returned 1 [0162.963] lstrcmpiW (lpString1="1.0", lpString2="Windows") returned -1 [0162.963] lstrcmpiW (lpString1="1.0", lpString2="Program Files") returned -1 [0162.963] lstrcmpiW (lpString1="1.0", lpString2="Program Files (x86)") returned -1 [0162.963] lstrcmpiW (lpString1="1.0", lpString2="$Recycle.bin") returned 1 [0162.963] lstrcmpiW (lpString1="1.0", lpString2="System Volume Information") returned -1 [0162.963] lstrcmpiW (lpString1="1.0", lpString2=".") returned 1 [0162.963] lstrcmpiW (lpString1="1.0", lpString2="..") returned 1 [0162.963] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0") returned 54 [0162.963] GetProcessHeap () returned 0x4c0000 [0162.963] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0162.964] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0" [0162.964] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\*" [0162.964] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0xc3734ba0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3734ba0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0162.964] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0162.964] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0162.964] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0162.964] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0162.964] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0162.964] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0162.964] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0xc3734ba0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3734ba0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="..", cAlternateFileName="")) returned 1 [0162.964] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0162.964] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0162.964] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0162.964] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0162.964] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0162.965] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0162.965] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0162.965] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x243448f1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xc38193e0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38193e0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="en-US", cAlternateFileName="")) returned 1 [0162.965] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0162.965] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0162.965] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0162.965] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0162.965] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0162.965] lstrcmpiW (lpString1="en-US", lpString2=".") returned 1 [0162.965] lstrcmpiW (lpString1="en-US", lpString2="..") returned 1 [0162.965] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US") returned 60 [0162.965] GetProcessHeap () returned 0x4c0000 [0162.965] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0162.966] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US" [0162.966] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\*" [0162.966] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x243448f1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xc38193e0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38193e0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x30b987c, dwReserved1=0xb470d3, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0162.966] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0162.966] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0162.966] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0162.966] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0162.966] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0162.966] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0162.967] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x243448f1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xc38193e0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38193e0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x30b987c, dwReserved1=0xb470d3, cFileName="..", cAlternateFileName="")) returned 1 [0162.967] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0162.967] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0162.967] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0162.967] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0162.967] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0162.967] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0162.967] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0162.967] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x2436abaa, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xabde2c6f, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xc3461180, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x2f22, dwReserved0=0x30b987c, dwReserved1=0xb470d3, cFileName="Help_CValidator.H1D.39741C82291B3A55753F8D8108EB7681E18D937FEC1FC448F1308E4EE8EAEC68", cAlternateFileName="HELP_C~1.397")) returned 1 [0162.967] lstrcmpiW (lpString1="Help_CValidator.H1D.39741C82291B3A55753F8D8108EB7681E18D937FEC1FC448F1308E4EE8EAEC68", lpString2="Windows") returned -1 [0162.967] lstrcmpiW (lpString1="Help_CValidator.H1D.39741C82291B3A55753F8D8108EB7681E18D937FEC1FC448F1308E4EE8EAEC68", lpString2="Program Files") returned -1 [0162.967] lstrcmpiW (lpString1="Help_CValidator.H1D.39741C82291B3A55753F8D8108EB7681E18D937FEC1FC448F1308E4EE8EAEC68", lpString2="Program Files (x86)") returned -1 [0162.967] lstrcmpiW (lpString1="Help_CValidator.H1D.39741C82291B3A55753F8D8108EB7681E18D937FEC1FC448F1308E4EE8EAEC68", lpString2="$Recycle.bin") returned 1 [0162.967] lstrcmpiW (lpString1="Help_CValidator.H1D.39741C82291B3A55753F8D8108EB7681E18D937FEC1FC448F1308E4EE8EAEC68", lpString2="System Volume Information") returned -1 [0162.967] lstrcmpiW (lpString1="Help_CValidator.H1D.39741C82291B3A55753F8D8108EB7681E18D937FEC1FC448F1308E4EE8EAEC68", lpString2=".") returned 1 [0162.967] lstrcmpiW (lpString1="Help_CValidator.H1D.39741C82291B3A55753F8D8108EB7681E18D937FEC1FC448F1308E4EE8EAEC68", lpString2="..") returned 1 [0162.967] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D.39741C82291B3A55753F8D8108EB7681E18D937FEC1FC448F1308E4EE8EAEC68") returned 145 [0162.968] lstrcmpW (lpString1="Help_CValidator.H1D.39741C82291B3A55753F8D8108EB7681E18D937FEC1FC448F1308E4EE8EAEC68", lpString2="PUSSY.TXT") returned -1 [0162.968] PathFindExtensionW (pszPath="Help_CValidator.H1D.39741C82291B3A55753F8D8108EB7681E18D937FEC1FC448F1308E4EE8EAEC68") returned=".39741C82291B3A55753F8D8108EB7681E18D937FEC1FC448F1308E4EE8EAEC68" [0162.968] lstrlenW (lpString=".39741C82291B3A55753F8D8108EB7681E18D937FEC1FC448F1308E4EE8EAEC68") returned 65 [0162.968] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x24534c56, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae2660aa, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xc34ad440, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x365fc, dwReserved0=0x30b987c, dwReserved1=0xb470d3, cFileName="Help_MKWD_AssetId.H1W.DF161A83E97A2060FE006880C66BC5DF0EE7CEBDCED3C6C6FD2AD24B16422753", cAlternateFileName="HELP_M~1.DF1")) returned 1 [0162.968] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W.DF161A83E97A2060FE006880C66BC5DF0EE7CEBDCED3C6C6FD2AD24B16422753", lpString2="Windows") returned -1 [0162.968] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W.DF161A83E97A2060FE006880C66BC5DF0EE7CEBDCED3C6C6FD2AD24B16422753", lpString2="Program Files") returned -1 [0162.968] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W.DF161A83E97A2060FE006880C66BC5DF0EE7CEBDCED3C6C6FD2AD24B16422753", lpString2="Program Files (x86)") returned -1 [0162.968] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W.DF161A83E97A2060FE006880C66BC5DF0EE7CEBDCED3C6C6FD2AD24B16422753", lpString2="$Recycle.bin") returned 1 [0162.968] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W.DF161A83E97A2060FE006880C66BC5DF0EE7CEBDCED3C6C6FD2AD24B16422753", lpString2="System Volume Information") returned -1 [0162.968] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W.DF161A83E97A2060FE006880C66BC5DF0EE7CEBDCED3C6C6FD2AD24B16422753", lpString2=".") returned 1 [0162.968] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W.DF161A83E97A2060FE006880C66BC5DF0EE7CEBDCED3C6C6FD2AD24B16422753", lpString2="..") returned 1 [0162.968] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W.DF161A83E97A2060FE006880C66BC5DF0EE7CEBDCED3C6C6FD2AD24B16422753") returned 147 [0162.968] lstrcmpW (lpString1="Help_MKWD_AssetId.H1W.DF161A83E97A2060FE006880C66BC5DF0EE7CEBDCED3C6C6FD2AD24B16422753", lpString2="PUSSY.TXT") returned -1 [0162.968] PathFindExtensionW (pszPath="Help_MKWD_AssetId.H1W.DF161A83E97A2060FE006880C66BC5DF0EE7CEBDCED3C6C6FD2AD24B16422753") returned=".DF161A83E97A2060FE006880C66BC5DF0EE7CEBDCED3C6C6FD2AD24B16422753" [0162.968] lstrlenW (lpString=".DF161A83E97A2060FE006880C66BC5DF0EE7CEBDCED3C6C6FD2AD24B16422753") returned 65 [0162.968] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x24534c56, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae409b6f, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xc38193e0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x325ec, dwReserved0=0x30b987c, dwReserved1=0xb470d3, cFileName="Help_MKWD_BestBet.H1W.50F6A07C60D278C4612A964316DD245C601439A9DDA0BAE896A3800610FF332C", cAlternateFileName="HELP_M~1.50F")) returned 1 [0162.968] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W.50F6A07C60D278C4612A964316DD245C601439A9DDA0BAE896A3800610FF332C", lpString2="Windows") returned -1 [0162.968] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W.50F6A07C60D278C4612A964316DD245C601439A9DDA0BAE896A3800610FF332C", lpString2="Program Files") returned -1 [0162.968] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W.50F6A07C60D278C4612A964316DD245C601439A9DDA0BAE896A3800610FF332C", lpString2="Program Files (x86)") returned -1 [0162.968] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W.50F6A07C60D278C4612A964316DD245C601439A9DDA0BAE896A3800610FF332C", lpString2="$Recycle.bin") returned 1 [0162.968] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W.50F6A07C60D278C4612A964316DD245C601439A9DDA0BAE896A3800610FF332C", lpString2="System Volume Information") returned -1 [0162.968] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W.50F6A07C60D278C4612A964316DD245C601439A9DDA0BAE896A3800610FF332C", lpString2=".") returned 1 [0162.968] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W.50F6A07C60D278C4612A964316DD245C601439A9DDA0BAE896A3800610FF332C", lpString2="..") returned 1 [0162.968] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W.50F6A07C60D278C4612A964316DD245C601439A9DDA0BAE896A3800610FF332C") returned 147 [0162.968] lstrcmpW (lpString1="Help_MKWD_BestBet.H1W.50F6A07C60D278C4612A964316DD245C601439A9DDA0BAE896A3800610FF332C", lpString2="PUSSY.TXT") returned -1 [0162.969] PathFindExtensionW (pszPath="Help_MKWD_BestBet.H1W.50F6A07C60D278C4612A964316DD245C601439A9DDA0BAE896A3800610FF332C") returned=".50F6A07C60D278C4612A964316DD245C601439A9DDA0BAE896A3800610FF332C" [0162.969] lstrlenW (lpString=".50F6A07C60D278C4612A964316DD245C601439A9DDA0BAE896A3800610FF332C") returned 65 [0162.969] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x24534c56, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae45604d, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xc369c620, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x79f1a, dwReserved0=0x30b987c, dwReserved1=0xb470d3, cFileName="Help_MTOC_help.H1H.2F73440F24E136C69EA5A6F82EF3D88B31B8DED242F53CBDB49D0288E3C4DC44", cAlternateFileName="HELP_M~1.2F7")) returned 1 [0162.969] lstrcmpiW (lpString1="Help_MTOC_help.H1H.2F73440F24E136C69EA5A6F82EF3D88B31B8DED242F53CBDB49D0288E3C4DC44", lpString2="Windows") returned -1 [0162.969] lstrcmpiW (lpString1="Help_MTOC_help.H1H.2F73440F24E136C69EA5A6F82EF3D88B31B8DED242F53CBDB49D0288E3C4DC44", lpString2="Program Files") returned -1 [0162.969] lstrcmpiW (lpString1="Help_MTOC_help.H1H.2F73440F24E136C69EA5A6F82EF3D88B31B8DED242F53CBDB49D0288E3C4DC44", lpString2="Program Files (x86)") returned -1 [0162.969] lstrcmpiW (lpString1="Help_MTOC_help.H1H.2F73440F24E136C69EA5A6F82EF3D88B31B8DED242F53CBDB49D0288E3C4DC44", lpString2="$Recycle.bin") returned 1 [0162.969] lstrcmpiW (lpString1="Help_MTOC_help.H1H.2F73440F24E136C69EA5A6F82EF3D88B31B8DED242F53CBDB49D0288E3C4DC44", lpString2="System Volume Information") returned -1 [0162.969] lstrcmpiW (lpString1="Help_MTOC_help.H1H.2F73440F24E136C69EA5A6F82EF3D88B31B8DED242F53CBDB49D0288E3C4DC44", lpString2=".") returned 1 [0162.969] lstrcmpiW (lpString1="Help_MTOC_help.H1H.2F73440F24E136C69EA5A6F82EF3D88B31B8DED242F53CBDB49D0288E3C4DC44", lpString2="..") returned 1 [0162.969] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H.2F73440F24E136C69EA5A6F82EF3D88B31B8DED242F53CBDB49D0288E3C4DC44") returned 144 [0162.969] lstrcmpW (lpString1="Help_MTOC_help.H1H.2F73440F24E136C69EA5A6F82EF3D88B31B8DED242F53CBDB49D0288E3C4DC44", lpString2="PUSSY.TXT") returned -1 [0162.969] PathFindExtensionW (pszPath="Help_MTOC_help.H1H.2F73440F24E136C69EA5A6F82EF3D88B31B8DED242F53CBDB49D0288E3C4DC44") returned=".2F73440F24E136C69EA5A6F82EF3D88B31B8DED242F53CBDB49D0288E3C4DC44" [0162.969] lstrlenW (lpString=".2F73440F24E136C69EA5A6F82EF3D88B31B8DED242F53CBDB49D0288E3C4DC44") returned 65 [0162.969] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x26353250, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae45604d, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xc36764c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x3944, dwReserved0=0x30b987c, dwReserved1=0xb470d3, cFileName="Help_MValidator.H1D.FF57DD97C67F02A9E957129C801A427F26FC85434E43012AB304E3052F6A3E03", cAlternateFileName="HELP_M~1.FF5")) returned 1 [0162.969] lstrcmpiW (lpString1="Help_MValidator.H1D.FF57DD97C67F02A9E957129C801A427F26FC85434E43012AB304E3052F6A3E03", lpString2="Windows") returned -1 [0162.969] lstrcmpiW (lpString1="Help_MValidator.H1D.FF57DD97C67F02A9E957129C801A427F26FC85434E43012AB304E3052F6A3E03", lpString2="Program Files") returned -1 [0162.969] lstrcmpiW (lpString1="Help_MValidator.H1D.FF57DD97C67F02A9E957129C801A427F26FC85434E43012AB304E3052F6A3E03", lpString2="Program Files (x86)") returned -1 [0162.969] lstrcmpiW (lpString1="Help_MValidator.H1D.FF57DD97C67F02A9E957129C801A427F26FC85434E43012AB304E3052F6A3E03", lpString2="$Recycle.bin") returned 1 [0162.969] lstrcmpiW (lpString1="Help_MValidator.H1D.FF57DD97C67F02A9E957129C801A427F26FC85434E43012AB304E3052F6A3E03", lpString2="System Volume Information") returned -1 [0162.969] lstrcmpiW (lpString1="Help_MValidator.H1D.FF57DD97C67F02A9E957129C801A427F26FC85434E43012AB304E3052F6A3E03", lpString2=".") returned 1 [0162.969] lstrcmpiW (lpString1="Help_MValidator.H1D.FF57DD97C67F02A9E957129C801A427F26FC85434E43012AB304E3052F6A3E03", lpString2="..") returned 1 [0162.969] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D.FF57DD97C67F02A9E957129C801A427F26FC85434E43012AB304E3052F6A3E03") returned 145 [0162.969] lstrcmpW (lpString1="Help_MValidator.H1D.FF57DD97C67F02A9E957129C801A427F26FC85434E43012AB304E3052F6A3E03", lpString2="PUSSY.TXT") returned -1 [0162.969] PathFindExtensionW (pszPath="Help_MValidator.H1D.FF57DD97C67F02A9E957129C801A427F26FC85434E43012AB304E3052F6A3E03") returned=".FF57DD97C67F02A9E957129C801A427F26FC85434E43012AB304E3052F6A3E03" [0162.969] lstrlenW (lpString=".FF57DD97C67F02A9E957129C801A427F26FC85434E43012AB304E3052F6A3E03") returned 65 [0162.970] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x24534c56, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae45604d, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae45604d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x30b987c, dwReserved1=0xb470d3, cFileName="Help_MValidator.Lck", cAlternateFileName="HELP_M~1.LCK")) returned 1 [0162.970] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="Windows") returned -1 [0162.970] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="Program Files") returned -1 [0162.970] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="Program Files (x86)") returned -1 [0162.970] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="$Recycle.bin") returned 1 [0162.970] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="System Volume Information") returned -1 [0162.970] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2=".") returned 1 [0162.970] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="..") returned 1 [0162.970] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck") returned 80 [0162.970] lstrcmpW (lpString1="Help_MValidator.Lck", lpString2="PUSSY.TXT") returned -1 [0162.970] PathFindExtensionW (pszPath="Help_MValidator.Lck") returned=".Lck" [0162.970] lstrlenW (lpString=".Lck") returned 4 [0162.970] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0162.970] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.lck"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0162.971] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=4) returned 1 [0162.971] CloseHandle (hObject=0x1b8) returned 1 [0162.971] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x249fa376, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae0e8854, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xc38193e0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0xd5310, dwReserved0=0x30b987c, dwReserved1=0xb470d3, cFileName="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q.6843B124B43D72E3CA51BC778B138312ECA7D0C80408A0A07A89D3A3C276663F", cAlternateFileName="HELP{9~1.684")) returned 1 [0162.971] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q.6843B124B43D72E3CA51BC778B138312ECA7D0C80408A0A07A89D3A3C276663F", lpString2="Windows") returned -1 [0162.971] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q.6843B124B43D72E3CA51BC778B138312ECA7D0C80408A0A07A89D3A3C276663F", lpString2="Program Files") returned -1 [0162.971] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q.6843B124B43D72E3CA51BC778B138312ECA7D0C80408A0A07A89D3A3C276663F", lpString2="Program Files (x86)") returned -1 [0162.971] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q.6843B124B43D72E3CA51BC778B138312ECA7D0C80408A0A07A89D3A3C276663F", lpString2="$Recycle.bin") returned 1 [0162.971] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q.6843B124B43D72E3CA51BC778B138312ECA7D0C80408A0A07A89D3A3C276663F", lpString2="System Volume Information") returned -1 [0162.971] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q.6843B124B43D72E3CA51BC778B138312ECA7D0C80408A0A07A89D3A3C276663F", lpString2=".") returned 1 [0162.971] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q.6843B124B43D72E3CA51BC778B138312ECA7D0C80408A0A07A89D3A3C276663F", lpString2="..") returned 1 [0162.971] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q.6843B124B43D72E3CA51BC778B138312ECA7D0C80408A0A07A89D3A3C276663F") returned 172 [0162.971] lstrcmpW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q.6843B124B43D72E3CA51BC778B138312ECA7D0C80408A0A07A89D3A3C276663F", lpString2="PUSSY.TXT") returned -1 [0162.971] PathFindExtensionW (pszPath="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q.6843B124B43D72E3CA51BC778B138312ECA7D0C80408A0A07A89D3A3C276663F") returned=".6843B124B43D72E3CA51BC778B138312ECA7D0C80408A0A07A89D3A3C276663F" [0162.971] lstrlenW (lpString=".6843B124B43D72E3CA51BC778B138312ECA7D0C80408A0A07A89D3A3C276663F") returned 65 [0162.971] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc3734ba0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc3734ba0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3734ba0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x30b987c, dwReserved1=0xb470d3, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0162.972] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0162.972] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0162.972] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0162.972] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0162.972] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0162.972] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0162.972] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0162.972] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\PUSSY.TXT") returned 70 [0162.972] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0162.972] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc3734ba0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc3734ba0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3734ba0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x30b987c, dwReserved1=0xb470d3, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0162.972] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0162.972] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\PUSSY.TXT") returned 70 [0162.972] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.972] GetProcessHeap () returned 0x4c0000 [0162.972] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0162.972] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc3734ba0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc3734ba0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3734ba0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0162.972] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0162.972] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0162.972] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0162.972] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0162.972] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0162.972] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0162.973] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0162.973] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\PUSSY.TXT") returned 64 [0162.973] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0162.973] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc3734ba0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc3734ba0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3734ba0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0162.973] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0162.973] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\PUSSY.TXT") returned 64 [0162.973] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.973] GetProcessHeap () returned 0x4c0000 [0162.973] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0162.975] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc3734ba0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc3734ba0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3734ba0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0xfe65b380, dwReserved1=0xfe000000, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0162.975] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0162.975] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0162.975] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0162.975] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0162.975] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0162.975] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0162.975] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0162.975] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\PUSSY.TXT") returned 60 [0162.975] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0162.975] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc3734ba0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc3734ba0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3734ba0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0xfe65b380, dwReserved1=0xfe000000, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0162.975] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0162.975] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\PUSSY.TXT") returned 60 [0162.975] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.975] GetProcessHeap () returned 0x4c0000 [0162.975] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0162.976] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc3734ba0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc3734ba0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3734ba0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0162.976] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0162.976] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0162.976] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0162.976] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0162.976] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0162.976] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0162.976] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0162.976] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\PUSSY.TXT") returned 53 [0162.976] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0162.976] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc3734ba0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc3734ba0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3734ba0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0162.976] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0162.976] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\PUSSY.TXT") returned 53 [0162.976] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\assistance\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.976] GetProcessHeap () returned 0x4c0000 [0162.976] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0162.978] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc37f3280, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc37f3280, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Crypto", cAlternateFileName="")) returned 1 [0162.978] lstrcmpiW (lpString1="Crypto", lpString2="Windows") returned -1 [0162.978] lstrcmpiW (lpString1="Crypto", lpString2="Program Files") returned -1 [0162.978] lstrcmpiW (lpString1="Crypto", lpString2="Program Files (x86)") returned -1 [0162.978] lstrcmpiW (lpString1="Crypto", lpString2="$Recycle.bin") returned 1 [0162.978] lstrcmpiW (lpString1="Crypto", lpString2="System Volume Information") returned -1 [0162.978] lstrcmpiW (lpString1="Crypto", lpString2=".") returned 1 [0162.978] lstrcmpiW (lpString1="Crypto", lpString2="..") returned 1 [0162.978] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto") returned 39 [0162.978] GetProcessHeap () returned 0x4c0000 [0162.978] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0162.979] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto" [0162.979] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*" [0162.979] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc37f3280, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc37f3280, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0162.979] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0162.979] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0162.979] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0162.979] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0162.979] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0162.980] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0162.980] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc37f3280, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc37f3280, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0162.980] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0162.980] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0162.980] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0162.980] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0162.980] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0162.980] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0162.980] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0162.980] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc375ad00, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc375ad00, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="DSS", cAlternateFileName="")) returned 1 [0162.980] lstrcmpiW (lpString1="DSS", lpString2="Windows") returned -1 [0162.980] lstrcmpiW (lpString1="DSS", lpString2="Program Files") returned -1 [0162.980] lstrcmpiW (lpString1="DSS", lpString2="Program Files (x86)") returned -1 [0162.980] lstrcmpiW (lpString1="DSS", lpString2="$Recycle.bin") returned 1 [0162.980] lstrcmpiW (lpString1="DSS", lpString2="System Volume Information") returned -1 [0162.980] lstrcmpiW (lpString1="DSS", lpString2=".") returned 1 [0162.980] lstrcmpiW (lpString1="DSS", lpString2="..") returned 1 [0162.980] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS") returned 43 [0162.980] GetProcessHeap () returned 0x4c0000 [0162.980] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0162.981] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS" [0162.981] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\*" [0162.981] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc375ad00, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc375ad00, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0162.982] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0162.982] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0162.982] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0162.982] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0162.982] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0162.982] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0162.982] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc375ad00, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc375ad00, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0162.982] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0162.982] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0162.982] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0162.982] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0162.982] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0162.982] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0162.982] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0162.982] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc375ad00, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc375ad00, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="MachineKeys", cAlternateFileName="MACHIN~1")) returned 1 [0162.982] lstrcmpiW (lpString1="MachineKeys", lpString2="Windows") returned -1 [0162.982] lstrcmpiW (lpString1="MachineKeys", lpString2="Program Files") returned -1 [0162.982] lstrcmpiW (lpString1="MachineKeys", lpString2="Program Files (x86)") returned -1 [0162.982] lstrcmpiW (lpString1="MachineKeys", lpString2="$Recycle.bin") returned 1 [0162.982] lstrcmpiW (lpString1="MachineKeys", lpString2="System Volume Information") returned -1 [0162.982] lstrcmpiW (lpString1="MachineKeys", lpString2=".") returned 1 [0162.982] lstrcmpiW (lpString1="MachineKeys", lpString2="..") returned 1 [0162.982] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys") returned 55 [0162.982] GetProcessHeap () returned 0x4c0000 [0162.983] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0162.983] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys" [0162.983] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\*" [0162.983] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc375ad00, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc375ad00, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0162.983] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0162.983] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0162.983] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0162.983] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0162.983] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0162.983] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0162.983] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc375ad00, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc375ad00, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="..", cAlternateFileName="")) returned 1 [0162.984] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0162.984] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0162.984] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0162.984] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0162.984] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0162.984] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0162.984] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0162.984] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc375ad00, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc375ad00, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc375ad00, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0162.984] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0162.984] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0162.984] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0162.984] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0162.984] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0162.984] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0162.984] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0162.984] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\PUSSY.TXT") returned 65 [0162.984] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0162.984] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc375ad00, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc375ad00, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc375ad00, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0162.984] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0162.984] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\PUSSY.TXT") returned 65 [0162.984] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.985] GetProcessHeap () returned 0x4c0000 [0162.985] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0162.985] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc375ad00, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc375ad00, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc375ad00, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0162.985] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0162.985] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0162.985] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0162.985] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0162.985] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0162.985] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0162.985] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0162.985] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\PUSSY.TXT") returned 53 [0162.985] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0162.985] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc375ad00, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc375ad00, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc375ad00, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0162.985] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0162.985] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\PUSSY.TXT") returned 53 [0162.985] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\crypto\\dss\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.985] GetProcessHeap () returned 0x4c0000 [0162.985] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0162.985] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc375ad00, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc375ad00, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="Keys", cAlternateFileName="")) returned 1 [0162.985] lstrcmpiW (lpString1="Keys", lpString2="Windows") returned -1 [0162.986] lstrcmpiW (lpString1="Keys", lpString2="Program Files") returned -1 [0162.986] lstrcmpiW (lpString1="Keys", lpString2="Program Files (x86)") returned -1 [0162.986] lstrcmpiW (lpString1="Keys", lpString2="$Recycle.bin") returned 1 [0162.986] lstrcmpiW (lpString1="Keys", lpString2="System Volume Information") returned -1 [0162.986] lstrcmpiW (lpString1="Keys", lpString2=".") returned 1 [0162.986] lstrcmpiW (lpString1="Keys", lpString2="..") returned 1 [0162.986] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys") returned 44 [0162.986] GetProcessHeap () returned 0x4c0000 [0162.986] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0162.986] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys" [0162.986] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\*" [0162.986] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc375ad00, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc375ad00, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0162.986] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0162.986] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0162.986] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0162.987] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0162.987] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0162.987] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0162.987] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc375ad00, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc375ad00, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0162.987] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0162.987] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0162.987] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0162.987] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0162.987] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0162.987] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0162.987] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0162.987] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc375ad00, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc375ad00, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc375ad00, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0162.987] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0162.987] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0162.987] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0162.987] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0162.987] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0162.988] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0162.988] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0162.988] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\PUSSY.TXT") returned 54 [0162.988] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0162.988] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc375ad00, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc375ad00, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc375ad00, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0162.988] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0162.988] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\PUSSY.TXT") returned 54 [0162.988] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\crypto\\keys\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.988] GetProcessHeap () returned 0x4c0000 [0162.988] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0162.988] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc37f3280, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc37f3280, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc37f3280, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0162.988] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0162.988] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0162.988] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0162.988] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0162.988] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0162.988] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0162.988] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0162.988] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PUSSY.TXT") returned 49 [0162.988] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0162.988] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc37f3280, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc37f3280, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="RSA", cAlternateFileName="")) returned 1 [0162.988] lstrcmpiW (lpString1="RSA", lpString2="Windows") returned -1 [0162.989] lstrcmpiW (lpString1="RSA", lpString2="Program Files") returned 1 [0162.989] lstrcmpiW (lpString1="RSA", lpString2="Program Files (x86)") returned 1 [0162.989] lstrcmpiW (lpString1="RSA", lpString2="$Recycle.bin") returned 1 [0162.989] lstrcmpiW (lpString1="RSA", lpString2="System Volume Information") returned -1 [0162.989] lstrcmpiW (lpString1="RSA", lpString2=".") returned 1 [0162.989] lstrcmpiW (lpString1="RSA", lpString2="..") returned 1 [0162.989] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA") returned 43 [0162.989] GetProcessHeap () returned 0x4c0000 [0162.989] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0162.989] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA" [0162.989] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\*" [0162.989] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc37f3280, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc37f3280, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0162.989] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0162.989] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0162.989] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0162.989] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0162.989] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0162.989] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0162.989] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc37f3280, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc37f3280, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0162.989] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0162.989] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0162.990] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0162.990] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0162.990] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0162.990] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0162.990] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0162.990] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc3780e60, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3780e60, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="MachineKeys", cAlternateFileName="MACHIN~1")) returned 1 [0162.990] lstrcmpiW (lpString1="MachineKeys", lpString2="Windows") returned -1 [0162.990] lstrcmpiW (lpString1="MachineKeys", lpString2="Program Files") returned -1 [0162.990] lstrcmpiW (lpString1="MachineKeys", lpString2="Program Files (x86)") returned -1 [0162.990] lstrcmpiW (lpString1="MachineKeys", lpString2="$Recycle.bin") returned 1 [0162.990] lstrcmpiW (lpString1="MachineKeys", lpString2="System Volume Information") returned -1 [0162.990] lstrcmpiW (lpString1="MachineKeys", lpString2=".") returned 1 [0162.990] lstrcmpiW (lpString1="MachineKeys", lpString2="..") returned 1 [0162.990] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys") returned 55 [0162.990] GetProcessHeap () returned 0x4c0000 [0162.990] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0162.990] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys" [0162.990] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\*" [0162.990] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc3780e60, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3780e60, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0162.990] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0162.990] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0162.990] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0162.990] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0162.991] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0162.991] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0162.991] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc3780e60, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3780e60, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="..", cAlternateFileName="")) returned 1 [0162.991] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0162.991] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0162.991] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0162.991] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0162.991] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0162.991] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0162.991] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0162.991] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3780e60, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc3780e60, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3780e60, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0162.991] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0162.991] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0162.991] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0162.991] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0162.991] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0162.991] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0162.991] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0162.991] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\PUSSY.TXT") returned 65 [0162.991] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0162.991] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3780e60, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc3780e60, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3780e60, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0162.991] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0162.991] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\PUSSY.TXT") returned 65 [0162.991] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.992] GetProcessHeap () returned 0x4c0000 [0162.992] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0162.992] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc37f3280, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc37f3280, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc37f3280, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0162.992] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0162.992] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0162.992] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0162.992] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0162.992] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0162.992] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0162.992] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0162.992] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\PUSSY.TXT") returned 53 [0162.992] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0162.992] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfc65d150, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xc37cd120, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc37cd120, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="S-1-5-18", cAlternateFileName="")) returned 1 [0162.992] lstrcmpiW (lpString1="S-1-5-18", lpString2="Windows") returned -1 [0162.992] lstrcmpiW (lpString1="S-1-5-18", lpString2="Program Files") returned 1 [0162.992] lstrcmpiW (lpString1="S-1-5-18", lpString2="Program Files (x86)") returned 1 [0162.992] lstrcmpiW (lpString1="S-1-5-18", lpString2="$Recycle.bin") returned 1 [0162.992] lstrcmpiW (lpString1="S-1-5-18", lpString2="System Volume Information") returned -1 [0162.992] lstrcmpiW (lpString1="S-1-5-18", lpString2=".") returned 1 [0162.992] lstrcmpiW (lpString1="S-1-5-18", lpString2="..") returned 1 [0162.992] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18") returned 52 [0162.992] GetProcessHeap () returned 0x4c0000 [0162.992] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0162.992] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18" [0162.993] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*" [0162.993] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfc65d150, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xc37cd120, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc37cd120, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0162.993] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0162.993] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0162.993] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0162.993] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0162.993] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0162.993] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0162.993] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfc65d150, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xc37cd120, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc37cd120, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="..", cAlternateFileName="")) returned 1 [0162.993] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0162.993] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0162.993] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0162.993] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0162.993] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0162.993] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0162.993] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0162.993] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xfc767af0, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xfc767af0, ftLastAccessTime.dwHighDateTime=0x1d2dda1, ftLastWriteTime.dwLowDateTime=0xfc767af0, ftLastWriteTime.dwHighDateTime=0x1d2dda1, nFileSizeHigh=0x0, nFileSizeLow=0x2f, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", cAlternateFileName="6D14E4~1")) returned 1 [0162.993] lstrcmpiW (lpString1="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Windows") returned -1 [0162.993] lstrcmpiW (lpString1="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Program Files") returned -1 [0162.993] lstrcmpiW (lpString1="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Program Files (x86)") returned -1 [0162.993] lstrcmpiW (lpString1="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="$Recycle.bin") returned 1 [0162.993] lstrcmpiW (lpString1="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="System Volume Information") returned -1 [0162.994] lstrcmpiW (lpString1="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2=".") returned 1 [0162.994] lstrcmpiW (lpString1="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="..") returned 1 [0162.994] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 122 [0162.994] lstrcmpW (lpString1="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="PUSSY.TXT") returned -1 [0162.994] PathFindExtensionW (pszPath="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned="" [0162.994] lstrlenW (lpString="") returned 0 [0162.994] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0162.994] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0162.995] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=47) returned 1 [0162.995] CloseHandle (hObject=0x18c) returned 1 [0162.995] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xe5bc2f0, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0xe5bc2f0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0xc37cd120, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x41d, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.B561E2563A1A68E95F5715D7BAC0D4A7C50D247E8DD6231ACEB4569785CAE934", cAlternateFileName="D42CC0~1.B56")) returned 1 [0162.995] lstrcmpiW (lpString1="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.B561E2563A1A68E95F5715D7BAC0D4A7C50D247E8DD6231ACEB4569785CAE934", lpString2="Windows") returned -1 [0162.995] lstrcmpiW (lpString1="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.B561E2563A1A68E95F5715D7BAC0D4A7C50D247E8DD6231ACEB4569785CAE934", lpString2="Program Files") returned -1 [0162.995] lstrcmpiW (lpString1="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.B561E2563A1A68E95F5715D7BAC0D4A7C50D247E8DD6231ACEB4569785CAE934", lpString2="Program Files (x86)") returned -1 [0162.995] lstrcmpiW (lpString1="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.B561E2563A1A68E95F5715D7BAC0D4A7C50D247E8DD6231ACEB4569785CAE934", lpString2="$Recycle.bin") returned 1 [0162.995] lstrcmpiW (lpString1="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.B561E2563A1A68E95F5715D7BAC0D4A7C50D247E8DD6231ACEB4569785CAE934", lpString2="System Volume Information") returned -1 [0162.995] lstrcmpiW (lpString1="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.B561E2563A1A68E95F5715D7BAC0D4A7C50D247E8DD6231ACEB4569785CAE934", lpString2=".") returned 1 [0162.995] lstrcmpiW (lpString1="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.B561E2563A1A68E95F5715D7BAC0D4A7C50D247E8DD6231ACEB4569785CAE934", lpString2="..") returned 1 [0162.995] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.B561E2563A1A68E95F5715D7BAC0D4A7C50D247E8DD6231ACEB4569785CAE934") returned 187 [0162.995] lstrcmpW (lpString1="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.B561E2563A1A68E95F5715D7BAC0D4A7C50D247E8DD6231ACEB4569785CAE934", lpString2="PUSSY.TXT") returned -1 [0162.995] PathFindExtensionW (pszPath="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.B561E2563A1A68E95F5715D7BAC0D4A7C50D247E8DD6231ACEB4569785CAE934") returned=".B561E2563A1A68E95F5715D7BAC0D4A7C50D247E8DD6231ACEB4569785CAE934" [0162.995] lstrlenW (lpString=".B561E2563A1A68E95F5715D7BAC0D4A7C50D247E8DD6231ACEB4569785CAE934") returned 65 [0162.995] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc37cd120, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc37cd120, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc37f3280, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0162.995] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0162.995] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0162.995] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0162.995] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0162.995] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0162.995] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0162.996] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0162.996] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\PUSSY.TXT") returned 62 [0162.996] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0162.996] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc37cd120, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc37cd120, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc37f3280, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0162.996] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0162.996] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\PUSSY.TXT") returned 62 [0162.996] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.996] GetProcessHeap () returned 0x4c0000 [0162.996] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0162.996] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfc65d150, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xc37cd120, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc37cd120, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="S-1-5-18", cAlternateFileName="")) returned 0 [0162.996] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0162.996] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\PUSSY.TXT") returned 53 [0162.996] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.996] GetProcessHeap () returned 0x4c0000 [0162.996] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0162.996] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc37f3280, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc37f3280, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="RSA", cAlternateFileName="")) returned 0 [0162.996] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0162.997] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PUSSY.TXT") returned 49 [0162.997] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\crypto\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.997] GetProcessHeap () returned 0x4c0000 [0162.997] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0162.998] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc38b1960, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38b1960, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Device Stage", cAlternateFileName="DEVICE~1")) returned 1 [0162.998] lstrcmpiW (lpString1="Device Stage", lpString2="Windows") returned -1 [0162.998] lstrcmpiW (lpString1="Device Stage", lpString2="Program Files") returned -1 [0162.998] lstrcmpiW (lpString1="Device Stage", lpString2="Program Files (x86)") returned -1 [0162.999] lstrcmpiW (lpString1="Device Stage", lpString2="$Recycle.bin") returned 1 [0162.999] lstrcmpiW (lpString1="Device Stage", lpString2="System Volume Information") returned -1 [0162.999] lstrcmpiW (lpString1="Device Stage", lpString2=".") returned 1 [0162.999] lstrcmpiW (lpString1="Device Stage", lpString2="..") returned 1 [0162.999] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage") returned 45 [0162.999] GetProcessHeap () returned 0x4c0000 [0162.999] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0163.000] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage" [0163.000] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\*" [0163.000] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc38b1960, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38b1960, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0163.000] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.000] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.000] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.000] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.000] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.000] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.000] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc38b1960, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38b1960, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0163.000] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.000] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.000] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.000] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.000] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.000] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.000] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.000] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc383f540, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc383f540, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="Device", cAlternateFileName="")) returned 1 [0163.000] lstrcmpiW (lpString1="Device", lpString2="Windows") returned -1 [0163.000] lstrcmpiW (lpString1="Device", lpString2="Program Files") returned -1 [0163.000] lstrcmpiW (lpString1="Device", lpString2="Program Files (x86)") returned -1 [0163.001] lstrcmpiW (lpString1="Device", lpString2="$Recycle.bin") returned 1 [0163.001] lstrcmpiW (lpString1="Device", lpString2="System Volume Information") returned -1 [0163.001] lstrcmpiW (lpString1="Device", lpString2=".") returned 1 [0163.001] lstrcmpiW (lpString1="Device", lpString2="..") returned 1 [0163.001] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device") returned 52 [0163.001] GetProcessHeap () returned 0x4c0000 [0163.001] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0163.002] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device" [0163.002] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*" [0163.002] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc383f540, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc383f540, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0163.002] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.002] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.002] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.002] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.002] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.003] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.003] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc383f540, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc383f540, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0163.003] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.003] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.003] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.003] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.003] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.003] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.003] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.003] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc383f540, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc383f540, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc383f540, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.003] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.003] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.003] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.003] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.003] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.003] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.003] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.003] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\PUSSY.TXT") returned 62 [0163.003] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.003] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc383f540, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc383f540, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="{113527a4-45d4-4b6f-b567-97838f1b04b0}", cAlternateFileName="{11352~1")) returned 1 [0163.003] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="Windows") returned -1 [0163.003] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="Program Files") returned -1 [0163.003] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="Program Files (x86)") returned -1 [0163.003] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="$Recycle.bin") returned 1 [0163.003] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="System Volume Information") returned -1 [0163.003] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2=".") returned 1 [0163.003] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="..") returned 1 [0163.004] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}") returned 91 [0163.004] GetProcessHeap () returned 0x4c0000 [0163.004] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0163.004] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}" [0163.004] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*" [0163.004] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc383f540, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc383f540, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0163.004] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.004] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.004] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.005] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.005] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.005] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.005] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc383f540, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc383f540, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="..", cAlternateFileName="")) returned 1 [0163.005] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.005] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.005] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.005] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.005] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.005] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.005] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.005] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f07a66f, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f07a66f, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc76b3ce5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1fad1, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="background.png", cAlternateFileName="")) returned 1 [0163.005] lstrcmpiW (lpString1="background.png", lpString2="Windows") returned -1 [0163.005] lstrcmpiW (lpString1="background.png", lpString2="Program Files") returned -1 [0163.005] lstrcmpiW (lpString1="background.png", lpString2="Program Files (x86)") returned -1 [0163.005] lstrcmpiW (lpString1="background.png", lpString2="$Recycle.bin") returned 1 [0163.005] lstrcmpiW (lpString1="background.png", lpString2="System Volume Information") returned -1 [0163.005] lstrcmpiW (lpString1="background.png", lpString2=".") returned 1 [0163.005] lstrcmpiW (lpString1="background.png", lpString2="..") returned 1 [0163.005] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png") returned 106 [0163.005] lstrcmpW (lpString1="background.png", lpString2="PUSSY.TXT") returned -1 [0163.005] PathFindExtensionW (pszPath="background.png") returned=".png" [0163.005] lstrlenW (lpString=".png") returned 4 [0163.005] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0163.005] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.006] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7c5b0d9, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0xc7c5b0d9, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0xc7c5b0d9, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xb61, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="behavior.xml", cAlternateFileName="")) returned 1 [0163.006] lstrcmpiW (lpString1="behavior.xml", lpString2="Windows") returned -1 [0163.006] lstrcmpiW (lpString1="behavior.xml", lpString2="Program Files") returned -1 [0163.006] lstrcmpiW (lpString1="behavior.xml", lpString2="Program Files (x86)") returned -1 [0163.006] lstrcmpiW (lpString1="behavior.xml", lpString2="$Recycle.bin") returned 1 [0163.006] lstrcmpiW (lpString1="behavior.xml", lpString2="System Volume Information") returned -1 [0163.006] lstrcmpiW (lpString1="behavior.xml", lpString2=".") returned 1 [0163.006] lstrcmpiW (lpString1="behavior.xml", lpString2="..") returned 1 [0163.006] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml") returned 104 [0163.006] lstrcmpW (lpString1="behavior.xml", lpString2="PUSSY.TXT") returned -1 [0163.006] PathFindExtensionW (pszPath="behavior.xml") returned=".xml" [0163.006] lstrlenW (lpString=".xml") returned 4 [0163.006] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0163.006] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.006] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f07a66f, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f07a66f, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc76b3ce5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xadc8, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="device.png", cAlternateFileName="")) returned 1 [0163.006] lstrcmpiW (lpString1="device.png", lpString2="Windows") returned -1 [0163.006] lstrcmpiW (lpString1="device.png", lpString2="Program Files") returned -1 [0163.006] lstrcmpiW (lpString1="device.png", lpString2="Program Files (x86)") returned -1 [0163.006] lstrcmpiW (lpString1="device.png", lpString2="$Recycle.bin") returned 1 [0163.006] lstrcmpiW (lpString1="device.png", lpString2="System Volume Information") returned -1 [0163.007] lstrcmpiW (lpString1="device.png", lpString2=".") returned 1 [0163.007] lstrcmpiW (lpString1="device.png", lpString2="..") returned 1 [0163.007] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png") returned 102 [0163.007] lstrcmpW (lpString1="device.png", lpString2="PUSSY.TXT") returned -1 [0163.007] PathFindExtensionW (pszPath="device.png") returned=".png" [0163.007] lstrlenW (lpString=".png") returned 4 [0163.007] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0163.007] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.007] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f0a07cc, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f0a07cc, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc76d9e43, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x70c1, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="overlay.png", cAlternateFileName="")) returned 1 [0163.007] lstrcmpiW (lpString1="overlay.png", lpString2="Windows") returned -1 [0163.007] lstrcmpiW (lpString1="overlay.png", lpString2="Program Files") returned -1 [0163.007] lstrcmpiW (lpString1="overlay.png", lpString2="Program Files (x86)") returned -1 [0163.007] lstrcmpiW (lpString1="overlay.png", lpString2="$Recycle.bin") returned 1 [0163.007] lstrcmpiW (lpString1="overlay.png", lpString2="System Volume Information") returned -1 [0163.007] lstrcmpiW (lpString1="overlay.png", lpString2=".") returned 1 [0163.007] lstrcmpiW (lpString1="overlay.png", lpString2="..") returned 1 [0163.007] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png") returned 103 [0163.007] lstrcmpW (lpString1="overlay.png", lpString2="PUSSY.TXT") returned -1 [0163.007] PathFindExtensionW (pszPath="overlay.png") returned=".png" [0163.007] lstrlenW (lpString=".png") returned 4 [0163.007] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0163.007] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.008] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc383f540, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc383f540, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc383f540, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.008] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.008] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.008] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.008] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.008] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.008] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.008] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.008] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\PUSSY.TXT") returned 101 [0163.008] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.008] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f0c6929, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f0c6929, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc76d9e43, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x99d3, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="superbar.png", cAlternateFileName="")) returned 1 [0163.008] lstrcmpiW (lpString1="superbar.png", lpString2="Windows") returned -1 [0163.008] lstrcmpiW (lpString1="superbar.png", lpString2="Program Files") returned 1 [0163.008] lstrcmpiW (lpString1="superbar.png", lpString2="Program Files (x86)") returned 1 [0163.008] lstrcmpiW (lpString1="superbar.png", lpString2="$Recycle.bin") returned 1 [0163.008] lstrcmpiW (lpString1="superbar.png", lpString2="System Volume Information") returned -1 [0163.008] lstrcmpiW (lpString1="superbar.png", lpString2=".") returned 1 [0163.008] lstrcmpiW (lpString1="superbar.png", lpString2="..") returned 1 [0163.008] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png") returned 104 [0163.008] lstrcmpW (lpString1="superbar.png", lpString2="PUSSY.TXT") returned 1 [0163.008] PathFindExtensionW (pszPath="superbar.png") returned=".png" [0163.008] lstrlenW (lpString=".png") returned 4 [0163.008] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0163.008] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.009] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f0c6929, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f0c6929, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc76d9e43, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x99d3, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="superbar.png", cAlternateFileName="")) returned 0 [0163.009] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0163.009] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\PUSSY.TXT") returned 101 [0163.009] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.009] GetProcessHeap () returned 0x4c0000 [0163.009] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0163.009] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc383f540, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc383f540, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="{8702d817-5aad-4674-9ef3-4d3decd87120}", cAlternateFileName="{8702D~1")) returned 1 [0163.009] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="Windows") returned -1 [0163.009] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="Program Files") returned -1 [0163.009] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="Program Files (x86)") returned -1 [0163.009] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="$Recycle.bin") returned 1 [0163.009] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="System Volume Information") returned -1 [0163.009] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2=".") returned 1 [0163.009] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="..") returned 1 [0163.009] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}") returned 91 [0163.009] GetProcessHeap () returned 0x4c0000 [0163.009] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0163.009] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}" [0163.009] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*" [0163.009] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc383f540, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc383f540, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0163.010] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.010] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.010] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.010] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.010] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.010] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.010] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc383f540, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc383f540, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="..", cAlternateFileName="")) returned 1 [0163.010] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.010] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.010] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.010] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.010] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.010] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.010] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.010] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c0af2f7, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0x9c0af2f7, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0x9c0af2f7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1fad1, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="background.png", cAlternateFileName="")) returned 1 [0163.010] lstrcmpiW (lpString1="background.png", lpString2="Windows") returned -1 [0163.010] lstrcmpiW (lpString1="background.png", lpString2="Program Files") returned -1 [0163.010] lstrcmpiW (lpString1="background.png", lpString2="Program Files (x86)") returned -1 [0163.010] lstrcmpiW (lpString1="background.png", lpString2="$Recycle.bin") returned 1 [0163.010] lstrcmpiW (lpString1="background.png", lpString2="System Volume Information") returned -1 [0163.010] lstrcmpiW (lpString1="background.png", lpString2=".") returned 1 [0163.010] lstrcmpiW (lpString1="background.png", lpString2="..") returned 1 [0163.010] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png") returned 106 [0163.010] lstrcmpW (lpString1="background.png", lpString2="PUSSY.TXT") returned -1 [0163.010] PathFindExtensionW (pszPath="background.png") returned=".png" [0163.011] lstrlenW (lpString=".png") returned 4 [0163.011] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0163.011] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.011] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2feb941, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2feb941, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x9c0d5455, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x769, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="behavior.xml", cAlternateFileName="")) returned 1 [0163.011] lstrcmpiW (lpString1="behavior.xml", lpString2="Windows") returned -1 [0163.011] lstrcmpiW (lpString1="behavior.xml", lpString2="Program Files") returned -1 [0163.011] lstrcmpiW (lpString1="behavior.xml", lpString2="Program Files (x86)") returned -1 [0163.011] lstrcmpiW (lpString1="behavior.xml", lpString2="$Recycle.bin") returned 1 [0163.011] lstrcmpiW (lpString1="behavior.xml", lpString2="System Volume Information") returned -1 [0163.011] lstrcmpiW (lpString1="behavior.xml", lpString2=".") returned 1 [0163.011] lstrcmpiW (lpString1="behavior.xml", lpString2="..") returned 1 [0163.011] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml") returned 104 [0163.011] lstrcmpW (lpString1="behavior.xml", lpString2="PUSSY.TXT") returned -1 [0163.011] PathFindExtensionW (pszPath="behavior.xml") returned=".xml" [0163.011] lstrlenW (lpString=".xml") returned 4 [0163.011] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0163.011] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.011] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc383f540, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc383f540, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc383f540, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.011] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.011] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.012] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.012] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.012] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.012] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.012] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.012] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\PUSSY.TXT") returned 101 [0163.012] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.012] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3011a9e, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd3011a9e, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x9c0d5455, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x70c1, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="watermark.png", cAlternateFileName="")) returned 1 [0163.012] lstrcmpiW (lpString1="watermark.png", lpString2="Windows") returned -1 [0163.012] lstrcmpiW (lpString1="watermark.png", lpString2="Program Files") returned 1 [0163.012] lstrcmpiW (lpString1="watermark.png", lpString2="Program Files (x86)") returned 1 [0163.012] lstrcmpiW (lpString1="watermark.png", lpString2="$Recycle.bin") returned 1 [0163.012] lstrcmpiW (lpString1="watermark.png", lpString2="System Volume Information") returned 1 [0163.012] lstrcmpiW (lpString1="watermark.png", lpString2=".") returned 1 [0163.012] lstrcmpiW (lpString1="watermark.png", lpString2="..") returned 1 [0163.012] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png") returned 105 [0163.012] lstrcmpW (lpString1="watermark.png", lpString2="PUSSY.TXT") returned 1 [0163.012] PathFindExtensionW (pszPath="watermark.png") returned=".png" [0163.012] lstrlenW (lpString=".png") returned 4 [0163.012] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0163.012] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.012] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3011a9e, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd3011a9e, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x9c0d5455, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x70c1, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="watermark.png", cAlternateFileName="")) returned 0 [0163.013] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0163.013] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\PUSSY.TXT") returned 101 [0163.013] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.013] GetProcessHeap () returned 0x4c0000 [0163.013] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0163.013] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc383f540, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc383f540, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="{8702d817-5aad-4674-9ef3-4d3decd87120}", cAlternateFileName="{8702D~1")) returned 0 [0163.013] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0163.013] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\PUSSY.TXT") returned 62 [0163.013] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.013] GetProcessHeap () returned 0x4c0000 [0163.013] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0163.013] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc38b1960, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc38b1960, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38b1960, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.013] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.013] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.013] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.013] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.013] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.013] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.014] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.014] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\PUSSY.TXT") returned 55 [0163.014] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.014] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc38b1960, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38b1960, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="Task", cAlternateFileName="")) returned 1 [0163.014] lstrcmpiW (lpString1="Task", lpString2="Windows") returned -1 [0163.014] lstrcmpiW (lpString1="Task", lpString2="Program Files") returned 1 [0163.014] lstrcmpiW (lpString1="Task", lpString2="Program Files (x86)") returned 1 [0163.014] lstrcmpiW (lpString1="Task", lpString2="$Recycle.bin") returned 1 [0163.014] lstrcmpiW (lpString1="Task", lpString2="System Volume Information") returned 1 [0163.014] lstrcmpiW (lpString1="Task", lpString2=".") returned 1 [0163.014] lstrcmpiW (lpString1="Task", lpString2="..") returned 1 [0163.014] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task") returned 50 [0163.014] GetProcessHeap () returned 0x4c0000 [0163.014] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0163.014] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task" [0163.014] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*" [0163.014] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc38b1960, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38b1960, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0163.014] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.014] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.014] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.014] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.014] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.014] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.015] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc38b1960, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38b1960, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0163.015] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.015] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.015] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.015] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.015] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.015] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.015] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.015] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc38b1960, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc38b1960, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38b1960, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.015] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.015] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.015] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.015] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.015] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.015] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.015] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.015] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\PUSSY.TXT") returned 60 [0163.015] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.015] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc388b800, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc388b800, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", cAlternateFileName="{07DEB~1")) returned 1 [0163.015] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="Windows") returned -1 [0163.015] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="Program Files") returned -1 [0163.015] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="Program Files (x86)") returned -1 [0163.015] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="$Recycle.bin") returned 1 [0163.015] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="System Volume Information") returned -1 [0163.015] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2=".") returned 1 [0163.015] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="..") returned 1 [0163.016] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}") returned 89 [0163.016] GetProcessHeap () returned 0x4c0000 [0163.016] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0163.016] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}" [0163.016] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*" [0163.016] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc388b800, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc388b800, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0163.016] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.016] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.016] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.016] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.016] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.016] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.016] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc388b800, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc388b800, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="..", cAlternateFileName="")) returned 1 [0163.016] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.016] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.016] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.016] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.016] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.016] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.016] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.016] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xc38656a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38656a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="en-US", cAlternateFileName="")) returned 1 [0163.016] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0163.016] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0163.017] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0163.017] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0163.017] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0163.017] lstrcmpiW (lpString1="en-US", lpString2=".") returned 1 [0163.017] lstrcmpiW (lpString1="en-US", lpString2="..") returned 1 [0163.017] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US") returned 95 [0163.017] GetProcessHeap () returned 0x4c0000 [0163.017] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0163.018] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US" [0163.018] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*" [0163.018] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xc38656a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38656a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0163.018] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.018] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.018] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.018] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.018] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.018] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.018] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xc38656a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38656a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0163.018] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.018] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.018] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.018] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.018] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.018] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.019] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.019] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc38656a0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc38656a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38656a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.019] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.019] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.019] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.019] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.019] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.019] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.019] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.019] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\PUSSY.TXT") returned 105 [0163.019] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.019] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x932b6af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x95b44f8, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x932b6af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x536, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="resource.xml", cAlternateFileName="")) returned 1 [0163.019] lstrcmpiW (lpString1="resource.xml", lpString2="Windows") returned -1 [0163.019] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files") returned 1 [0163.019] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files (x86)") returned 1 [0163.019] lstrcmpiW (lpString1="resource.xml", lpString2="$Recycle.bin") returned 1 [0163.019] lstrcmpiW (lpString1="resource.xml", lpString2="System Volume Information") returned -1 [0163.019] lstrcmpiW (lpString1="resource.xml", lpString2=".") returned 1 [0163.019] lstrcmpiW (lpString1="resource.xml", lpString2="..") returned 1 [0163.019] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml") returned 108 [0163.019] lstrcmpW (lpString1="resource.xml", lpString2="PUSSY.TXT") returned 1 [0163.019] PathFindExtensionW (pszPath="resource.xml") returned=".xml" [0163.019] lstrlenW (lpString=".xml") returned 4 [0163.019] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0163.019] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.020] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x932b6af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x95b44f8, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x932b6af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x536, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="resource.xml", cAlternateFileName="")) returned 0 [0163.020] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0163.020] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\PUSSY.TXT") returned 105 [0163.020] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.020] GetProcessHeap () returned 0x4c0000 [0163.020] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0163.020] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2c7f9e6, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2c7f9e6, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c0e93d7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xd0a3, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="folder.ico", cAlternateFileName="")) returned 1 [0163.020] lstrcmpiW (lpString1="folder.ico", lpString2="Windows") returned -1 [0163.020] lstrcmpiW (lpString1="folder.ico", lpString2="Program Files") returned -1 [0163.020] lstrcmpiW (lpString1="folder.ico", lpString2="Program Files (x86)") returned -1 [0163.020] lstrcmpiW (lpString1="folder.ico", lpString2="$Recycle.bin") returned 1 [0163.020] lstrcmpiW (lpString1="folder.ico", lpString2="System Volume Information") returned -1 [0163.020] lstrcmpiW (lpString1="folder.ico", lpString2=".") returned 1 [0163.020] lstrcmpiW (lpString1="folder.ico", lpString2="..") returned 1 [0163.020] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico") returned 100 [0163.020] lstrcmpW (lpString1="folder.ico", lpString2="PUSSY.TXT") returned -1 [0163.020] PathFindExtensionW (pszPath="folder.ico") returned=".ico" [0163.020] lstrlenW (lpString=".ico") returned 4 [0163.020] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0163.020] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.021] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2db04ce, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2db04ce, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c0e93d7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x72ee, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="netfol.ico", cAlternateFileName="")) returned 1 [0163.021] lstrcmpiW (lpString1="netfol.ico", lpString2="Windows") returned -1 [0163.021] lstrcmpiW (lpString1="netfol.ico", lpString2="Program Files") returned -1 [0163.021] lstrcmpiW (lpString1="netfol.ico", lpString2="Program Files (x86)") returned -1 [0163.021] lstrcmpiW (lpString1="netfol.ico", lpString2="$Recycle.bin") returned 1 [0163.021] lstrcmpiW (lpString1="netfol.ico", lpString2="System Volume Information") returned -1 [0163.021] lstrcmpiW (lpString1="netfol.ico", lpString2=".") returned 1 [0163.021] lstrcmpiW (lpString1="netfol.ico", lpString2="..") returned 1 [0163.021] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico") returned 100 [0163.021] lstrcmpW (lpString1="netfol.ico", lpString2="PUSSY.TXT") returned -1 [0163.021] PathFindExtensionW (pszPath="netfol.ico") returned=".ico" [0163.021] lstrlenW (lpString=".ico") returned 4 [0163.021] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0163.021] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.021] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2ca5b43, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2ca5b43, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c10f535, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x14668, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="pictures.ico", cAlternateFileName="")) returned 1 [0163.021] lstrcmpiW (lpString1="pictures.ico", lpString2="Windows") returned -1 [0163.021] lstrcmpiW (lpString1="pictures.ico", lpString2="Program Files") returned -1 [0163.021] lstrcmpiW (lpString1="pictures.ico", lpString2="Program Files (x86)") returned -1 [0163.021] lstrcmpiW (lpString1="pictures.ico", lpString2="$Recycle.bin") returned 1 [0163.021] lstrcmpiW (lpString1="pictures.ico", lpString2="System Volume Information") returned -1 [0163.021] lstrcmpiW (lpString1="pictures.ico", lpString2=".") returned 1 [0163.021] lstrcmpiW (lpString1="pictures.ico", lpString2="..") returned 1 [0163.022] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico") returned 102 [0163.022] lstrcmpW (lpString1="pictures.ico", lpString2="PUSSY.TXT") returned -1 [0163.022] PathFindExtensionW (pszPath="pictures.ico") returned=".ico" [0163.022] lstrlenW (lpString=".ico") returned 4 [0163.022] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0163.022] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.022] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc388b800, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc388b800, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc388b800, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.022] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.022] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.022] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.022] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.022] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.022] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.022] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.022] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\PUSSY.TXT") returned 99 [0163.022] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.022] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2c59889, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2c59889, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c1cdc0b, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x536, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="resource.xml", cAlternateFileName="")) returned 1 [0163.022] lstrcmpiW (lpString1="resource.xml", lpString2="Windows") returned -1 [0163.022] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files") returned 1 [0163.022] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files (x86)") returned 1 [0163.022] lstrcmpiW (lpString1="resource.xml", lpString2="$Recycle.bin") returned 1 [0163.022] lstrcmpiW (lpString1="resource.xml", lpString2="System Volume Information") returned -1 [0163.022] lstrcmpiW (lpString1="resource.xml", lpString2=".") returned 1 [0163.023] lstrcmpiW (lpString1="resource.xml", lpString2="..") returned 1 [0163.023] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml") returned 102 [0163.023] lstrcmpW (lpString1="resource.xml", lpString2="PUSSY.TXT") returned 1 [0163.023] PathFindExtensionW (pszPath="resource.xml") returned=".xml" [0163.023] lstrlenW (lpString=".xml") returned 4 [0163.023] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0163.023] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.023] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2cf1dfd, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2cf1dfd, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c1f3d69, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xcaa9, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="ringtones.ico", cAlternateFileName="")) returned 1 [0163.023] lstrcmpiW (lpString1="ringtones.ico", lpString2="Windows") returned -1 [0163.023] lstrcmpiW (lpString1="ringtones.ico", lpString2="Program Files") returned 1 [0163.023] lstrcmpiW (lpString1="ringtones.ico", lpString2="Program Files (x86)") returned 1 [0163.023] lstrcmpiW (lpString1="ringtones.ico", lpString2="$Recycle.bin") returned 1 [0163.023] lstrcmpiW (lpString1="ringtones.ico", lpString2="System Volume Information") returned -1 [0163.023] lstrcmpiW (lpString1="ringtones.ico", lpString2=".") returned 1 [0163.023] lstrcmpiW (lpString1="ringtones.ico", lpString2="..") returned 1 [0163.023] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico") returned 103 [0163.023] lstrcmpW (lpString1="ringtones.ico", lpString2="PUSSY.TXT") returned 1 [0163.023] PathFindExtensionW (pszPath="ringtones.ico") returned=".ico" [0163.023] lstrlenW (lpString=".ico") returned 4 [0163.023] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0163.023] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.024] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2d17f5a, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2d17f5a, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c1f3d69, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x10850, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="settings.ico", cAlternateFileName="")) returned 1 [0163.024] lstrcmpiW (lpString1="settings.ico", lpString2="Windows") returned -1 [0163.024] lstrcmpiW (lpString1="settings.ico", lpString2="Program Files") returned 1 [0163.024] lstrcmpiW (lpString1="settings.ico", lpString2="Program Files (x86)") returned 1 [0163.024] lstrcmpiW (lpString1="settings.ico", lpString2="$Recycle.bin") returned 1 [0163.024] lstrcmpiW (lpString1="settings.ico", lpString2="System Volume Information") returned -1 [0163.024] lstrcmpiW (lpString1="settings.ico", lpString2=".") returned 1 [0163.024] lstrcmpiW (lpString1="settings.ico", lpString2="..") returned 1 [0163.024] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico") returned 102 [0163.024] lstrcmpW (lpString1="settings.ico", lpString2="PUSSY.TXT") returned 1 [0163.024] PathFindExtensionW (pszPath="settings.ico") returned=".ico" [0163.024] lstrlenW (lpString=".ico") returned 4 [0163.024] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0163.024] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.024] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2d3e0b7, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2d3e0b7, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c219ec7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xc04b, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="sync.ico", cAlternateFileName="")) returned 1 [0163.024] lstrcmpiW (lpString1="sync.ico", lpString2="Windows") returned -1 [0163.024] lstrcmpiW (lpString1="sync.ico", lpString2="Program Files") returned 1 [0163.024] lstrcmpiW (lpString1="sync.ico", lpString2="Program Files (x86)") returned 1 [0163.024] lstrcmpiW (lpString1="sync.ico", lpString2="$Recycle.bin") returned 1 [0163.024] lstrcmpiW (lpString1="sync.ico", lpString2="System Volume Information") returned -1 [0163.024] lstrcmpiW (lpString1="sync.ico", lpString2=".") returned 1 [0163.024] lstrcmpiW (lpString1="sync.ico", lpString2="..") returned 1 [0163.024] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico") returned 98 [0163.025] lstrcmpW (lpString1="sync.ico", lpString2="PUSSY.TXT") returned 1 [0163.025] PathFindExtensionW (pszPath="sync.ico") returned=".ico" [0163.025] lstrlenW (lpString=".ico") returned 4 [0163.025] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0163.025] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.025] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c219ec7, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0x7c219ec7, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0x7c219ec7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x3473, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="tasks.xml", cAlternateFileName="")) returned 1 [0163.025] lstrcmpiW (lpString1="tasks.xml", lpString2="Windows") returned -1 [0163.025] lstrcmpiW (lpString1="tasks.xml", lpString2="Program Files") returned 1 [0163.025] lstrcmpiW (lpString1="tasks.xml", lpString2="Program Files (x86)") returned 1 [0163.025] lstrcmpiW (lpString1="tasks.xml", lpString2="$Recycle.bin") returned 1 [0163.025] lstrcmpiW (lpString1="tasks.xml", lpString2="System Volume Information") returned 1 [0163.025] lstrcmpiW (lpString1="tasks.xml", lpString2=".") returned 1 [0163.025] lstrcmpiW (lpString1="tasks.xml", lpString2="..") returned 1 [0163.025] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml") returned 99 [0163.025] lstrcmpW (lpString1="tasks.xml", lpString2="PUSSY.TXT") returned 1 [0163.025] PathFindExtensionW (pszPath="tasks.xml") returned=".xml" [0163.025] lstrlenW (lpString=".xml") returned 4 [0163.025] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0163.025] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.025] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2d64214, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2d64214, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c219ec7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1b9f4, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="wmp.ico", cAlternateFileName="")) returned 1 [0163.026] lstrcmpiW (lpString1="wmp.ico", lpString2="Windows") returned 1 [0163.026] lstrcmpiW (lpString1="wmp.ico", lpString2="Program Files") returned 1 [0163.026] lstrcmpiW (lpString1="wmp.ico", lpString2="Program Files (x86)") returned 1 [0163.026] lstrcmpiW (lpString1="wmp.ico", lpString2="$Recycle.bin") returned 1 [0163.026] lstrcmpiW (lpString1="wmp.ico", lpString2="System Volume Information") returned 1 [0163.026] lstrcmpiW (lpString1="wmp.ico", lpString2=".") returned 1 [0163.026] lstrcmpiW (lpString1="wmp.ico", lpString2="..") returned 1 [0163.026] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico") returned 97 [0163.026] lstrcmpW (lpString1="wmp.ico", lpString2="PUSSY.TXT") returned 1 [0163.026] PathFindExtensionW (pszPath="wmp.ico") returned=".ico" [0163.026] lstrlenW (lpString=".ico") returned 4 [0163.026] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0163.026] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.026] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2d64214, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2d64214, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c219ec7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1b9f4, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="wmp.ico", cAlternateFileName="")) returned 0 [0163.026] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0163.026] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\PUSSY.TXT") returned 99 [0163.026] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.026] GetProcessHeap () returned 0x4c0000 [0163.027] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0163.028] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc38b1960, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38b1960, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", cAlternateFileName="{E35BE~1")) returned 1 [0163.028] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="Windows") returned -1 [0163.028] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="Program Files") returned -1 [0163.028] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="Program Files (x86)") returned -1 [0163.028] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="$Recycle.bin") returned 1 [0163.028] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="System Volume Information") returned -1 [0163.028] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2=".") returned 1 [0163.028] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="..") returned 1 [0163.028] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}") returned 89 [0163.028] GetProcessHeap () returned 0x4c0000 [0163.029] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0163.029] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}" [0163.029] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*" [0163.029] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc38b1960, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38b1960, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0163.030] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.030] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.030] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.030] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.030] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.030] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.030] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc38b1960, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38b1960, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="..", cAlternateFileName="")) returned 1 [0163.030] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.030] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.030] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.030] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.030] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.030] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.030] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.030] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xc388b800, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc388b800, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="en-US", cAlternateFileName="")) returned 1 [0163.030] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0163.030] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0163.030] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0163.030] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0163.030] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0163.030] lstrcmpiW (lpString1="en-US", lpString2=".") returned 1 [0163.030] lstrcmpiW (lpString1="en-US", lpString2="..") returned 1 [0163.030] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US") returned 95 [0163.031] GetProcessHeap () returned 0x4c0000 [0163.031] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0163.032] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US" [0163.032] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*" [0163.032] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xc388b800, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc388b800, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0163.032] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.032] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.032] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.032] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.032] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.032] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.032] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xc388b800, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc388b800, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0163.033] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.033] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.033] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.033] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.033] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.033] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.033] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.033] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc388b800, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc388b800, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc388b800, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.033] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.033] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.033] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.033] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.034] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.034] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.034] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.034] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\PUSSY.TXT") returned 105 [0163.034] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.034] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2a152a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xb5e9110, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xb2a152a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x5e8, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="resource.xml", cAlternateFileName="")) returned 1 [0163.034] lstrcmpiW (lpString1="resource.xml", lpString2="Windows") returned -1 [0163.034] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files") returned 1 [0163.034] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files (x86)") returned 1 [0163.034] lstrcmpiW (lpString1="resource.xml", lpString2="$Recycle.bin") returned 1 [0163.034] lstrcmpiW (lpString1="resource.xml", lpString2="System Volume Information") returned -1 [0163.034] lstrcmpiW (lpString1="resource.xml", lpString2=".") returned 1 [0163.034] lstrcmpiW (lpString1="resource.xml", lpString2="..") returned 1 [0163.034] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml") returned 108 [0163.034] lstrcmpW (lpString1="resource.xml", lpString2="PUSSY.TXT") returned 1 [0163.034] PathFindExtensionW (pszPath="resource.xml") returned=".xml" [0163.034] lstrlenW (lpString=".xml") returned 4 [0163.034] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0163.034] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.034] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2a152a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xb5e9110, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xb2a152a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x5e8, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="resource.xml", cAlternateFileName="")) returned 0 [0163.034] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0163.035] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\PUSSY.TXT") returned 105 [0163.035] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.035] GetProcessHeap () returned 0x4c0000 [0163.035] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0163.035] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f15ee9d, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f15ee9d, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc78a2eab, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xd0a3, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="folder.ico", cAlternateFileName="")) returned 1 [0163.035] lstrcmpiW (lpString1="folder.ico", lpString2="Windows") returned -1 [0163.035] lstrcmpiW (lpString1="folder.ico", lpString2="Program Files") returned -1 [0163.035] lstrcmpiW (lpString1="folder.ico", lpString2="Program Files (x86)") returned -1 [0163.035] lstrcmpiW (lpString1="folder.ico", lpString2="$Recycle.bin") returned 1 [0163.035] lstrcmpiW (lpString1="folder.ico", lpString2="System Volume Information") returned -1 [0163.035] lstrcmpiW (lpString1="folder.ico", lpString2=".") returned 1 [0163.035] lstrcmpiW (lpString1="folder.ico", lpString2="..") returned 1 [0163.035] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico") returned 100 [0163.035] lstrcmpW (lpString1="folder.ico", lpString2="PUSSY.TXT") returned -1 [0163.035] PathFindExtensionW (pszPath="folder.ico") returned=".ico" [0163.035] lstrlenW (lpString=".ico") returned 4 [0163.035] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0163.035] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.035] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f0eca86, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f0eca86, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc78c9009, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xe3c8, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="print_pref.ico", cAlternateFileName="")) returned 1 [0163.036] lstrcmpiW (lpString1="print_pref.ico", lpString2="Windows") returned -1 [0163.036] lstrcmpiW (lpString1="print_pref.ico", lpString2="Program Files") returned -1 [0163.036] lstrcmpiW (lpString1="print_pref.ico", lpString2="Program Files (x86)") returned -1 [0163.036] lstrcmpiW (lpString1="print_pref.ico", lpString2="$Recycle.bin") returned 1 [0163.036] lstrcmpiW (lpString1="print_pref.ico", lpString2="System Volume Information") returned -1 [0163.036] lstrcmpiW (lpString1="print_pref.ico", lpString2=".") returned 1 [0163.036] lstrcmpiW (lpString1="print_pref.ico", lpString2="..") returned 1 [0163.036] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico") returned 104 [0163.036] lstrcmpW (lpString1="print_pref.ico", lpString2="PUSSY.TXT") returned -1 [0163.036] PathFindExtensionW (pszPath="print_pref.ico") returned=".ico" [0163.036] lstrlenW (lpString=".ico") returned 4 [0163.036] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0163.036] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.036] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f0eca86, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f0eca86, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc78c9009, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xebb8, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="print_property.ico", cAlternateFileName="")) returned 1 [0163.036] lstrcmpiW (lpString1="print_property.ico", lpString2="Windows") returned -1 [0163.036] lstrcmpiW (lpString1="print_property.ico", lpString2="Program Files") returned -1 [0163.036] lstrcmpiW (lpString1="print_property.ico", lpString2="Program Files (x86)") returned -1 [0163.036] lstrcmpiW (lpString1="print_property.ico", lpString2="$Recycle.bin") returned 1 [0163.036] lstrcmpiW (lpString1="print_property.ico", lpString2="System Volume Information") returned -1 [0163.036] lstrcmpiW (lpString1="print_property.ico", lpString2=".") returned 1 [0163.036] lstrcmpiW (lpString1="print_property.ico", lpString2="..") returned 1 [0163.036] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico") returned 108 [0163.037] lstrcmpW (lpString1="print_property.ico", lpString2="PUSSY.TXT") returned -1 [0163.037] PathFindExtensionW (pszPath="print_property.ico") returned=".ico" [0163.037] lstrlenW (lpString=".ico") returned 4 [0163.037] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0163.037] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.037] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f112be3, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f112be3, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc7be8cbf, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xdff5, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="print_queue.ico", cAlternateFileName="")) returned 1 [0163.037] lstrcmpiW (lpString1="print_queue.ico", lpString2="Windows") returned -1 [0163.037] lstrcmpiW (lpString1="print_queue.ico", lpString2="Program Files") returned -1 [0163.037] lstrcmpiW (lpString1="print_queue.ico", lpString2="Program Files (x86)") returned -1 [0163.037] lstrcmpiW (lpString1="print_queue.ico", lpString2="$Recycle.bin") returned 1 [0163.037] lstrcmpiW (lpString1="print_queue.ico", lpString2="System Volume Information") returned -1 [0163.037] lstrcmpiW (lpString1="print_queue.ico", lpString2=".") returned 1 [0163.037] lstrcmpiW (lpString1="print_queue.ico", lpString2="..") returned 1 [0163.037] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico") returned 105 [0163.037] lstrcmpW (lpString1="print_queue.ico", lpString2="PUSSY.TXT") returned -1 [0163.037] PathFindExtensionW (pszPath="print_queue.ico") returned=".ico" [0163.037] lstrlenW (lpString=".ico") returned 4 [0163.037] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0163.037] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.038] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc38b1960, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc38b1960, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38b1960, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.038] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.038] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.038] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.038] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.038] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.038] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.038] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.038] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\PUSSY.TXT") returned 99 [0163.038] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.038] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f138d40, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f138d40, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc7c0ee1d, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xec75, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="scan_.ico", cAlternateFileName="")) returned 1 [0163.038] lstrcmpiW (lpString1="scan_.ico", lpString2="Windows") returned -1 [0163.038] lstrcmpiW (lpString1="scan_.ico", lpString2="Program Files") returned 1 [0163.038] lstrcmpiW (lpString1="scan_.ico", lpString2="Program Files (x86)") returned 1 [0163.038] lstrcmpiW (lpString1="scan_.ico", lpString2="$Recycle.bin") returned 1 [0163.038] lstrcmpiW (lpString1="scan_.ico", lpString2="System Volume Information") returned -1 [0163.038] lstrcmpiW (lpString1="scan_.ico", lpString2=".") returned 1 [0163.038] lstrcmpiW (lpString1="scan_.ico", lpString2="..") returned 1 [0163.038] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico") returned 99 [0163.038] lstrcmpW (lpString1="scan_.ico", lpString2="PUSSY.TXT") returned 1 [0163.038] PathFindExtensionW (pszPath="scan_.ico") returned=".ico" [0163.038] lstrlenW (lpString=".ico") returned 4 [0163.038] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0163.038] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.039] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f15ee9d, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f15ee9d, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc7c0ee1d, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x10654, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="scan_property.ico", cAlternateFileName="")) returned 1 [0163.039] lstrcmpiW (lpString1="scan_property.ico", lpString2="Windows") returned -1 [0163.039] lstrcmpiW (lpString1="scan_property.ico", lpString2="Program Files") returned 1 [0163.039] lstrcmpiW (lpString1="scan_property.ico", lpString2="Program Files (x86)") returned 1 [0163.039] lstrcmpiW (lpString1="scan_property.ico", lpString2="$Recycle.bin") returned 1 [0163.039] lstrcmpiW (lpString1="scan_property.ico", lpString2="System Volume Information") returned -1 [0163.039] lstrcmpiW (lpString1="scan_property.ico", lpString2=".") returned 1 [0163.039] lstrcmpiW (lpString1="scan_property.ico", lpString2="..") returned 1 [0163.039] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico") returned 107 [0163.039] lstrcmpW (lpString1="scan_property.ico", lpString2="PUSSY.TXT") returned 1 [0163.039] PathFindExtensionW (pszPath="scan_property.ico") returned=".ico" [0163.039] lstrlenW (lpString=".ico") returned 4 [0163.039] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0163.039] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.039] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f138d40, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f138d40, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc7c34f7b, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xf8c2, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="scan_settings.ico", cAlternateFileName="")) returned 1 [0163.039] lstrcmpiW (lpString1="scan_settings.ico", lpString2="Windows") returned -1 [0163.039] lstrcmpiW (lpString1="scan_settings.ico", lpString2="Program Files") returned 1 [0163.039] lstrcmpiW (lpString1="scan_settings.ico", lpString2="Program Files (x86)") returned 1 [0163.039] lstrcmpiW (lpString1="scan_settings.ico", lpString2="$Recycle.bin") returned 1 [0163.039] lstrcmpiW (lpString1="scan_settings.ico", lpString2="System Volume Information") returned -1 [0163.039] lstrcmpiW (lpString1="scan_settings.ico", lpString2=".") returned 1 [0163.039] lstrcmpiW (lpString1="scan_settings.ico", lpString2="..") returned 1 [0163.039] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico") returned 107 [0163.040] lstrcmpW (lpString1="scan_settings.ico", lpString2="PUSSY.TXT") returned 1 [0163.040] PathFindExtensionW (pszPath="scan_settings.ico") returned=".ico" [0163.040] lstrlenW (lpString=".ico") returned 4 [0163.040] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0163.040] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.040] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f054512, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f054512, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc7d3f90d, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x2c64, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="tasks.xml", cAlternateFileName="")) returned 1 [0163.040] lstrcmpiW (lpString1="tasks.xml", lpString2="Windows") returned -1 [0163.040] lstrcmpiW (lpString1="tasks.xml", lpString2="Program Files") returned 1 [0163.040] lstrcmpiW (lpString1="tasks.xml", lpString2="Program Files (x86)") returned 1 [0163.040] lstrcmpiW (lpString1="tasks.xml", lpString2="$Recycle.bin") returned 1 [0163.040] lstrcmpiW (lpString1="tasks.xml", lpString2="System Volume Information") returned 1 [0163.040] lstrcmpiW (lpString1="tasks.xml", lpString2=".") returned 1 [0163.040] lstrcmpiW (lpString1="tasks.xml", lpString2="..") returned 1 [0163.040] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml") returned 99 [0163.040] lstrcmpW (lpString1="tasks.xml", lpString2="PUSSY.TXT") returned 1 [0163.040] PathFindExtensionW (pszPath="tasks.xml") returned=".xml" [0163.040] lstrlenW (lpString=".xml") returned 4 [0163.040] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0163.040] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.040] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f054512, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f054512, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc7d3f90d, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x2c64, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="tasks.xml", cAlternateFileName="")) returned 0 [0163.041] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0163.041] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\PUSSY.TXT") returned 99 [0163.041] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.041] GetProcessHeap () returned 0x4c0000 [0163.041] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0163.042] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc38b1960, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38b1960, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", cAlternateFileName="{E35BE~1")) returned 0 [0163.042] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0163.043] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\PUSSY.TXT") returned 60 [0163.043] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.043] GetProcessHeap () returned 0x4c0000 [0163.043] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0163.043] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc38b1960, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38b1960, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="Task", cAlternateFileName="")) returned 0 [0163.043] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0163.043] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\PUSSY.TXT") returned 55 [0163.043] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\device stage\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.044] GetProcessHeap () returned 0x4c0000 [0163.044] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0163.045] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc38b1960, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38b1960, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="DeviceSync", cAlternateFileName="DEVICE~2")) returned 1 [0163.045] lstrcmpiW (lpString1="DeviceSync", lpString2="Windows") returned -1 [0163.045] lstrcmpiW (lpString1="DeviceSync", lpString2="Program Files") returned -1 [0163.045] lstrcmpiW (lpString1="DeviceSync", lpString2="Program Files (x86)") returned -1 [0163.045] lstrcmpiW (lpString1="DeviceSync", lpString2="$Recycle.bin") returned 1 [0163.045] lstrcmpiW (lpString1="DeviceSync", lpString2="System Volume Information") returned -1 [0163.045] lstrcmpiW (lpString1="DeviceSync", lpString2=".") returned 1 [0163.045] lstrcmpiW (lpString1="DeviceSync", lpString2="..") returned 1 [0163.045] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync") returned 43 [0163.045] GetProcessHeap () returned 0x4c0000 [0163.045] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0163.046] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync" [0163.046] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync\\*" [0163.046] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc38b1960, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38b1960, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0163.046] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.046] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.047] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.047] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.047] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.047] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.047] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc38b1960, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38b1960, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0163.047] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.047] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.047] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.047] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.047] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.047] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.047] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.047] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc38b1960, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc38b1960, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38b1960, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.047] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.047] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.047] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.047] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.047] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.047] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.047] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.047] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync\\PUSSY.TXT") returned 53 [0163.047] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.047] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc38b1960, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc38b1960, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38b1960, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.047] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0163.048] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync\\PUSSY.TXT") returned 53 [0163.048] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\devicesync\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.048] GetProcessHeap () returned 0x4c0000 [0163.048] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0163.048] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc38d7ac0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38d7ac0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="DRM", cAlternateFileName="")) returned 1 [0163.048] lstrcmpiW (lpString1="DRM", lpString2="Windows") returned -1 [0163.048] lstrcmpiW (lpString1="DRM", lpString2="Program Files") returned -1 [0163.048] lstrcmpiW (lpString1="DRM", lpString2="Program Files (x86)") returned -1 [0163.048] lstrcmpiW (lpString1="DRM", lpString2="$Recycle.bin") returned 1 [0163.048] lstrcmpiW (lpString1="DRM", lpString2="System Volume Information") returned -1 [0163.048] lstrcmpiW (lpString1="DRM", lpString2=".") returned 1 [0163.048] lstrcmpiW (lpString1="DRM", lpString2="..") returned 1 [0163.048] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM") returned 36 [0163.048] GetProcessHeap () returned 0x4c0000 [0163.048] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0163.048] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM" [0163.048] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\*" [0163.048] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc38d7ac0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38d7ac0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0163.048] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.048] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.049] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.049] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.049] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.049] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.049] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc38d7ac0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38d7ac0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0163.049] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.049] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.049] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.049] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.049] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.049] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.049] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.049] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc38d7ac0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc38d7ac0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38d7ac0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.049] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.049] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.049] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.049] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.049] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.049] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.050] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.050] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\PUSSY.TXT") returned 46 [0163.050] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.050] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc38d7ac0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38d7ac0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="Server", cAlternateFileName="")) returned 1 [0163.050] lstrcmpiW (lpString1="Server", lpString2="Windows") returned -1 [0163.050] lstrcmpiW (lpString1="Server", lpString2="Program Files") returned 1 [0163.050] lstrcmpiW (lpString1="Server", lpString2="Program Files (x86)") returned 1 [0163.050] lstrcmpiW (lpString1="Server", lpString2="$Recycle.bin") returned 1 [0163.050] lstrcmpiW (lpString1="Server", lpString2="System Volume Information") returned -1 [0163.050] lstrcmpiW (lpString1="Server", lpString2=".") returned 1 [0163.050] lstrcmpiW (lpString1="Server", lpString2="..") returned 1 [0163.050] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server") returned 43 [0163.050] GetProcessHeap () returned 0x4c0000 [0163.050] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0163.051] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server" [0163.051] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server\\*" [0163.051] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc38d7ac0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38d7ac0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0163.051] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.051] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.051] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.051] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.051] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.052] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.052] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc38d7ac0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38d7ac0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0163.052] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.052] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.052] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.052] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.052] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.052] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.052] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.052] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc38d7ac0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc38d7ac0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38d7ac0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.052] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.052] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.052] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.052] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.052] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.052] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.052] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.052] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server\\PUSSY.TXT") returned 53 [0163.052] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.052] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc38d7ac0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc38d7ac0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38d7ac0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.052] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0163.052] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server\\PUSSY.TXT") returned 53 [0163.052] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\drm\\server\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.053] GetProcessHeap () returned 0x4c0000 [0163.053] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0163.053] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc38d7ac0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38d7ac0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="Server", cAlternateFileName="")) returned 0 [0163.053] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0163.053] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\PUSSY.TXT") returned 46 [0163.053] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\drm\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.053] GetProcessHeap () returned 0x4c0000 [0163.053] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0163.054] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xc38d7ac0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38d7ac0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="eHome", cAlternateFileName="")) returned 1 [0163.054] lstrcmpiW (lpString1="eHome", lpString2="Windows") returned -1 [0163.054] lstrcmpiW (lpString1="eHome", lpString2="Program Files") returned -1 [0163.054] lstrcmpiW (lpString1="eHome", lpString2="Program Files (x86)") returned -1 [0163.054] lstrcmpiW (lpString1="eHome", lpString2="$Recycle.bin") returned 1 [0163.055] lstrcmpiW (lpString1="eHome", lpString2="System Volume Information") returned -1 [0163.055] lstrcmpiW (lpString1="eHome", lpString2=".") returned 1 [0163.055] lstrcmpiW (lpString1="eHome", lpString2="..") returned 1 [0163.055] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome") returned 38 [0163.055] GetProcessHeap () returned 0x4c0000 [0163.055] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0163.056] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome" [0163.056] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\*" [0163.056] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xc38d7ac0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38d7ac0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0163.056] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.056] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.056] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.056] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.056] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.056] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.056] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xc38d7ac0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38d7ac0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0163.056] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.056] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.056] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.056] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.056] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.056] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.056] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.056] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xc38d7ac0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38d7ac0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="logs", cAlternateFileName="")) returned 1 [0163.056] lstrcmpiW (lpString1="logs", lpString2="Windows") returned -1 [0163.056] lstrcmpiW (lpString1="logs", lpString2="Program Files") returned -1 [0163.056] lstrcmpiW (lpString1="logs", lpString2="Program Files (x86)") returned -1 [0163.057] lstrcmpiW (lpString1="logs", lpString2="$Recycle.bin") returned 1 [0163.057] lstrcmpiW (lpString1="logs", lpString2="System Volume Information") returned -1 [0163.057] lstrcmpiW (lpString1="logs", lpString2=".") returned 1 [0163.057] lstrcmpiW (lpString1="logs", lpString2="..") returned 1 [0163.057] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\logs") returned 43 [0163.057] GetProcessHeap () returned 0x4c0000 [0163.057] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0163.058] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\logs" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\logs") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\logs" [0163.058] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\logs", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\logs\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\logs\\*" [0163.058] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\logs\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xc38d7ac0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38d7ac0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0163.058] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.058] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.058] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.058] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.058] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.058] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.058] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xc38d7ac0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38d7ac0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0163.058] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.058] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.058] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.058] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.058] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.058] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.058] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.058] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc38d7ac0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc38d7ac0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38d7ac0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.059] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.059] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.059] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.059] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.059] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.059] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.059] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.059] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\logs\\PUSSY.TXT") returned 53 [0163.059] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.059] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc38d7ac0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc38d7ac0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38d7ac0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.059] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0163.059] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\logs\\PUSSY.TXT") returned 53 [0163.059] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\logs\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\ehome\\logs\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.059] GetProcessHeap () returned 0x4c0000 [0163.059] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0163.059] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc38d7ac0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc38d7ac0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38d7ac0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.059] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.059] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.059] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.059] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.059] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.059] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.060] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.060] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\PUSSY.TXT") returned 48 [0163.060] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.060] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc38d7ac0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc38d7ac0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38d7ac0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.060] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0163.060] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\PUSSY.TXT") returned 48 [0163.060] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\ehome\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.060] GetProcessHeap () returned 0x4c0000 [0163.060] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0163.061] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0xc3923d80, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3923d80, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Event Viewer", cAlternateFileName="EVENTV~1")) returned 1 [0163.061] lstrcmpiW (lpString1="Event Viewer", lpString2="Windows") returned -1 [0163.061] lstrcmpiW (lpString1="Event Viewer", lpString2="Program Files") returned -1 [0163.061] lstrcmpiW (lpString1="Event Viewer", lpString2="Program Files (x86)") returned -1 [0163.061] lstrcmpiW (lpString1="Event Viewer", lpString2="$Recycle.bin") returned 1 [0163.061] lstrcmpiW (lpString1="Event Viewer", lpString2="System Volume Information") returned -1 [0163.061] lstrcmpiW (lpString1="Event Viewer", lpString2=".") returned 1 [0163.061] lstrcmpiW (lpString1="Event Viewer", lpString2="..") returned 1 [0163.062] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer") returned 45 [0163.062] GetProcessHeap () returned 0x4c0000 [0163.062] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0163.062] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer" [0163.062] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\*" [0163.062] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0xc3923d80, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3923d80, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0163.063] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.063] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.063] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.063] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.063] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.063] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.063] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0xc3923d80, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3923d80, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0163.063] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.063] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.063] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.063] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.063] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.063] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.063] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.063] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc38fdc20, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc38fdc20, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3923d80, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.063] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.063] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.063] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.063] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.063] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.063] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.064] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.064] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\PUSSY.TXT") returned 55 [0163.064] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.064] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0xc38fdc20, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38fdc20, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="Views", cAlternateFileName="")) returned 1 [0163.064] lstrcmpiW (lpString1="Views", lpString2="Windows") returned -1 [0163.064] lstrcmpiW (lpString1="Views", lpString2="Program Files") returned 1 [0163.064] lstrcmpiW (lpString1="Views", lpString2="Program Files (x86)") returned 1 [0163.064] lstrcmpiW (lpString1="Views", lpString2="$Recycle.bin") returned 1 [0163.064] lstrcmpiW (lpString1="Views", lpString2="System Volume Information") returned 1 [0163.064] lstrcmpiW (lpString1="Views", lpString2=".") returned 1 [0163.064] lstrcmpiW (lpString1="Views", lpString2="..") returned 1 [0163.064] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views") returned 51 [0163.064] GetProcessHeap () returned 0x4c0000 [0163.064] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0163.065] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views" [0163.065] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\*" [0163.065] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0xc38fdc20, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38fdc20, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0163.065] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.065] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.065] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.065] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.066] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.066] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.066] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0xc38fdc20, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38fdc20, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0163.066] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.066] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.066] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.066] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.066] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.066] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.066] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.066] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0xc38fdc20, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38fdc20, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="ApplicationViewsRootNode", cAlternateFileName="APPLIC~1")) returned 1 [0163.066] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="Windows") returned -1 [0163.066] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="Program Files") returned -1 [0163.066] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="Program Files (x86)") returned -1 [0163.066] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="$Recycle.bin") returned 1 [0163.066] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="System Volume Information") returned -1 [0163.066] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2=".") returned 1 [0163.066] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="..") returned 1 [0163.066] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode") returned 76 [0163.066] GetProcessHeap () returned 0x4c0000 [0163.066] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0163.067] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode" [0163.067] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\*" [0163.067] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0xc38fdc20, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38fdc20, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0163.067] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.067] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.067] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.067] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.067] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.067] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.067] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0xc38fdc20, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38fdc20, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="..", cAlternateFileName="")) returned 1 [0163.067] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.067] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.067] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.067] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.067] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.067] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.067] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.068] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc38fdc20, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc38fdc20, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38fdc20, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.068] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.068] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.068] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.068] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.068] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.068] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.068] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.068] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\PUSSY.TXT") returned 86 [0163.068] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.068] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc38fdc20, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc38fdc20, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38fdc20, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4dbf68, dwReserved1=0x2c3e059c, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.068] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0163.068] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\PUSSY.TXT") returned 86 [0163.068] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\event viewer\\views\\applicationviewsrootnode\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.068] GetProcessHeap () returned 0x4c0000 [0163.068] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0163.068] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc38fdc20, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc38fdc20, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38fdc20, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.068] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.068] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.068] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.069] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.069] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.069] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.069] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.069] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\PUSSY.TXT") returned 61 [0163.069] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.069] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc38fdc20, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc38fdc20, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38fdc20, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.069] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0163.069] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\PUSSY.TXT") returned 61 [0163.069] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\event viewer\\views\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.069] GetProcessHeap () returned 0x4c0000 [0163.069] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0163.069] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0xc38fdc20, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc38fdc20, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="Views", cAlternateFileName="")) returned 0 [0163.069] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0163.069] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\PUSSY.TXT") returned 55 [0163.069] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\event viewer\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.069] GetProcessHeap () returned 0x4c0000 [0163.069] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0163.071] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc3e7ef00, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3e7ef00, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="IdentityCRL", cAlternateFileName="IDENTI~1")) returned 1 [0163.071] lstrcmpiW (lpString1="IdentityCRL", lpString2="Windows") returned -1 [0163.071] lstrcmpiW (lpString1="IdentityCRL", lpString2="Program Files") returned -1 [0163.071] lstrcmpiW (lpString1="IdentityCRL", lpString2="Program Files (x86)") returned -1 [0163.071] lstrcmpiW (lpString1="IdentityCRL", lpString2="$Recycle.bin") returned 1 [0163.071] lstrcmpiW (lpString1="IdentityCRL", lpString2="System Volume Information") returned -1 [0163.071] lstrcmpiW (lpString1="IdentityCRL", lpString2=".") returned 1 [0163.071] lstrcmpiW (lpString1="IdentityCRL", lpString2="..") returned 1 [0163.071] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL") returned 44 [0163.071] GetProcessHeap () returned 0x4c0000 [0163.071] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0163.072] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL" [0163.072] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*" [0163.072] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc3e7ef00, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3e7ef00, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0163.072] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.073] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.073] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.073] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.073] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.073] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.073] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc3e7ef00, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3e7ef00, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0163.073] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.073] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.073] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.073] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.073] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.073] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.073] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.073] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd591378b, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xd591378b, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xc3aece00, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x3d00, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="ppcrlconfig.dll.1134E4FFE99DF5C7D28C714A4A9C6257EF6E3877185F004F8B0079A148DFC60E", cAlternateFileName="PPCRLC~1.113")) returned 1 [0163.073] lstrcmpiW (lpString1="ppcrlconfig.dll.1134E4FFE99DF5C7D28C714A4A9C6257EF6E3877185F004F8B0079A148DFC60E", lpString2="Windows") returned -1 [0163.073] lstrcmpiW (lpString1="ppcrlconfig.dll.1134E4FFE99DF5C7D28C714A4A9C6257EF6E3877185F004F8B0079A148DFC60E", lpString2="Program Files") returned -1 [0163.073] lstrcmpiW (lpString1="ppcrlconfig.dll.1134E4FFE99DF5C7D28C714A4A9C6257EF6E3877185F004F8B0079A148DFC60E", lpString2="Program Files (x86)") returned -1 [0163.073] lstrcmpiW (lpString1="ppcrlconfig.dll.1134E4FFE99DF5C7D28C714A4A9C6257EF6E3877185F004F8B0079A148DFC60E", lpString2="$Recycle.bin") returned 1 [0163.073] lstrcmpiW (lpString1="ppcrlconfig.dll.1134E4FFE99DF5C7D28C714A4A9C6257EF6E3877185F004F8B0079A148DFC60E", lpString2="System Volume Information") returned -1 [0163.073] lstrcmpiW (lpString1="ppcrlconfig.dll.1134E4FFE99DF5C7D28C714A4A9C6257EF6E3877185F004F8B0079A148DFC60E", lpString2=".") returned 1 [0163.073] lstrcmpiW (lpString1="ppcrlconfig.dll.1134E4FFE99DF5C7D28C714A4A9C6257EF6E3877185F004F8B0079A148DFC60E", lpString2="..") returned 1 [0163.073] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\ppcrlconfig.dll.1134E4FFE99DF5C7D28C714A4A9C6257EF6E3877185F004F8B0079A148DFC60E") returned 125 [0163.073] lstrcmpW (lpString1="ppcrlconfig.dll.1134E4FFE99DF5C7D28C714A4A9C6257EF6E3877185F004F8B0079A148DFC60E", lpString2="PUSSY.TXT") returned -1 [0163.073] PathFindExtensionW (pszPath="ppcrlconfig.dll.1134E4FFE99DF5C7D28C714A4A9C6257EF6E3877185F004F8B0079A148DFC60E") returned=".1134E4FFE99DF5C7D28C714A4A9C6257EF6E3877185F004F8B0079A148DFC60E" [0163.073] lstrlenW (lpString=".1134E4FFE99DF5C7D28C714A4A9C6257EF6E3877185F004F8B0079A148DFC60E") returned 65 [0163.073] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd582ef5d, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xd582ef5d, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xc3e7ef00, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x3e108, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="ppcrlui.dll.1665776112408A00AC1187AFE46B6EBDC8FD7FDB3E222A98B0402A6EA76ACE51", cAlternateFileName="")) returned 1 [0163.074] lstrcmpiW (lpString1="ppcrlui.dll.1665776112408A00AC1187AFE46B6EBDC8FD7FDB3E222A98B0402A6EA76ACE51", lpString2="Windows") returned -1 [0163.074] lstrcmpiW (lpString1="ppcrlui.dll.1665776112408A00AC1187AFE46B6EBDC8FD7FDB3E222A98B0402A6EA76ACE51", lpString2="Program Files") returned -1 [0163.074] lstrcmpiW (lpString1="ppcrlui.dll.1665776112408A00AC1187AFE46B6EBDC8FD7FDB3E222A98B0402A6EA76ACE51", lpString2="Program Files (x86)") returned -1 [0163.074] lstrcmpiW (lpString1="ppcrlui.dll.1665776112408A00AC1187AFE46B6EBDC8FD7FDB3E222A98B0402A6EA76ACE51", lpString2="$Recycle.bin") returned 1 [0163.074] lstrcmpiW (lpString1="ppcrlui.dll.1665776112408A00AC1187AFE46B6EBDC8FD7FDB3E222A98B0402A6EA76ACE51", lpString2="System Volume Information") returned -1 [0163.074] lstrcmpiW (lpString1="ppcrlui.dll.1665776112408A00AC1187AFE46B6EBDC8FD7FDB3E222A98B0402A6EA76ACE51", lpString2=".") returned 1 [0163.074] lstrcmpiW (lpString1="ppcrlui.dll.1665776112408A00AC1187AFE46B6EBDC8FD7FDB3E222A98B0402A6EA76ACE51", lpString2="..") returned 1 [0163.074] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\ppcrlui.dll.1665776112408A00AC1187AFE46B6EBDC8FD7FDB3E222A98B0402A6EA76ACE51") returned 121 [0163.074] lstrcmpW (lpString1="ppcrlui.dll.1665776112408A00AC1187AFE46B6EBDC8FD7FDB3E222A98B0402A6EA76ACE51", lpString2="PUSSY.TXT") returned -1 [0163.074] PathFindExtensionW (pszPath="ppcrlui.dll.1665776112408A00AC1187AFE46B6EBDC8FD7FDB3E222A98B0402A6EA76ACE51") returned=".1665776112408A00AC1187AFE46B6EBDC8FD7FDB3E222A98B0402A6EA76ACE51" [0163.074] lstrlenW (lpString=".1665776112408A00AC1187AFE46B6EBDC8FD7FDB3E222A98B0402A6EA76ACE51") returned 65 [0163.074] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3a54880, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc3a54880, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3a54880, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.074] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.074] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.074] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.074] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.074] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.074] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.074] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.074] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\PUSSY.TXT") returned 54 [0163.074] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.074] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3a54880, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc3a54880, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3a54880, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.074] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0163.074] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\PUSSY.TXT") returned 54 [0163.075] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.075] GetProcessHeap () returned 0x4c0000 [0163.075] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0163.075] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ee349fc, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0xc3a54880, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3a54880, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Media Player", cAlternateFileName="MEDIAP~1")) returned 1 [0163.075] lstrcmpiW (lpString1="Media Player", lpString2="Windows") returned -1 [0163.075] lstrcmpiW (lpString1="Media Player", lpString2="Program Files") returned -1 [0163.075] lstrcmpiW (lpString1="Media Player", lpString2="Program Files (x86)") returned -1 [0163.075] lstrcmpiW (lpString1="Media Player", lpString2="$Recycle.bin") returned 1 [0163.075] lstrcmpiW (lpString1="Media Player", lpString2="System Volume Information") returned -1 [0163.075] lstrcmpiW (lpString1="Media Player", lpString2=".") returned 1 [0163.076] lstrcmpiW (lpString1="Media Player", lpString2="..") returned 1 [0163.076] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Media Player") returned 45 [0163.076] GetProcessHeap () returned 0x4c0000 [0163.076] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0163.076] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Media Player" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Media Player") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Media Player" [0163.076] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Media Player", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Media Player\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Media Player\\*" [0163.076] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Media Player\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ee349fc, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0xc3a54880, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3a54880, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0163.076] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.076] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.077] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.077] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.077] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.077] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.077] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ee349fc, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0xc3a54880, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3a54880, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0163.077] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.077] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.077] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.077] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.077] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.077] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.077] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.077] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc3a54880, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc3a54880, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3a54880, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.077] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.077] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.077] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.077] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.077] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.077] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.077] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.077] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Media Player\\PUSSY.TXT") returned 55 [0163.077] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.077] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc3a54880, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc3a54880, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3a54880, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.077] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0163.077] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Media Player\\PUSSY.TXT") returned 55 [0163.078] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Media Player\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\media player\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.078] GetProcessHeap () returned 0x4c0000 [0163.078] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0163.078] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc40e0500, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc40e0500, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MF", cAlternateFileName="")) returned 1 [0163.078] lstrcmpiW (lpString1="MF", lpString2="Windows") returned -1 [0163.078] lstrcmpiW (lpString1="MF", lpString2="Program Files") returned -1 [0163.078] lstrcmpiW (lpString1="MF", lpString2="Program Files (x86)") returned -1 [0163.078] lstrcmpiW (lpString1="MF", lpString2="$Recycle.bin") returned 1 [0163.078] lstrcmpiW (lpString1="MF", lpString2="System Volume Information") returned -1 [0163.078] lstrcmpiW (lpString1="MF", lpString2=".") returned 1 [0163.078] lstrcmpiW (lpString1="MF", lpString2="..") returned 1 [0163.078] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF") returned 35 [0163.078] GetProcessHeap () returned 0x4c0000 [0163.078] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0163.078] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF" [0163.078] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*" [0163.078] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc40e0500, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc40e0500, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0163.078] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.078] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.078] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.078] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.079] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.079] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.079] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc40e0500, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc40e0500, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0163.079] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.079] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.079] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.079] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.079] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.079] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.079] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.079] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7beaaeb8, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0xc40e0500, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="Active.GRL.8E53D31B5CB8FBA53E31A3EB7E91DD70C2FD37D9F678A4E44E3B44C8B7923873", cAlternateFileName="")) returned 1 [0163.079] lstrcmpiW (lpString1="Active.GRL.8E53D31B5CB8FBA53E31A3EB7E91DD70C2FD37D9F678A4E44E3B44C8B7923873", lpString2="Windows") returned -1 [0163.079] lstrcmpiW (lpString1="Active.GRL.8E53D31B5CB8FBA53E31A3EB7E91DD70C2FD37D9F678A4E44E3B44C8B7923873", lpString2="Program Files") returned -1 [0163.079] lstrcmpiW (lpString1="Active.GRL.8E53D31B5CB8FBA53E31A3EB7E91DD70C2FD37D9F678A4E44E3B44C8B7923873", lpString2="Program Files (x86)") returned -1 [0163.079] lstrcmpiW (lpString1="Active.GRL.8E53D31B5CB8FBA53E31A3EB7E91DD70C2FD37D9F678A4E44E3B44C8B7923873", lpString2="$Recycle.bin") returned 1 [0163.079] lstrcmpiW (lpString1="Active.GRL.8E53D31B5CB8FBA53E31A3EB7E91DD70C2FD37D9F678A4E44E3B44C8B7923873", lpString2="System Volume Information") returned -1 [0163.079] lstrcmpiW (lpString1="Active.GRL.8E53D31B5CB8FBA53E31A3EB7E91DD70C2FD37D9F678A4E44E3B44C8B7923873", lpString2=".") returned 1 [0163.079] lstrcmpiW (lpString1="Active.GRL.8E53D31B5CB8FBA53E31A3EB7E91DD70C2FD37D9F678A4E44E3B44C8B7923873", lpString2="..") returned 1 [0163.079] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\Active.GRL.8E53D31B5CB8FBA53E31A3EB7E91DD70C2FD37D9F678A4E44E3B44C8B7923873") returned 111 [0163.079] lstrcmpW (lpString1="Active.GRL.8E53D31B5CB8FBA53E31A3EB7E91DD70C2FD37D9F678A4E44E3B44C8B7923873", lpString2="PUSSY.TXT") returned -1 [0163.079] PathFindExtensionW (pszPath="Active.GRL.8E53D31B5CB8FBA53E31A3EB7E91DD70C2FD37D9F678A4E44E3B44C8B7923873") returned=".8E53D31B5CB8FBA53E31A3EB7E91DD70C2FD37D9F678A4E44E3B44C8B7923873" [0163.079] lstrlenW (lpString=".8E53D31B5CB8FBA53E31A3EB7E91DD70C2FD37D9F678A4E44E3B44C8B7923873") returned 65 [0163.079] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bed1018, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0xc3d9a6c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="Pending.GRL.F71BE3414F88B865378397818EA61300363202F81D6F4E589D92C244E6BE5C5E", cAlternateFileName="")) returned 1 [0163.079] lstrcmpiW (lpString1="Pending.GRL.F71BE3414F88B865378397818EA61300363202F81D6F4E589D92C244E6BE5C5E", lpString2="Windows") returned -1 [0163.079] lstrcmpiW (lpString1="Pending.GRL.F71BE3414F88B865378397818EA61300363202F81D6F4E589D92C244E6BE5C5E", lpString2="Program Files") returned -1 [0163.079] lstrcmpiW (lpString1="Pending.GRL.F71BE3414F88B865378397818EA61300363202F81D6F4E589D92C244E6BE5C5E", lpString2="Program Files (x86)") returned -1 [0163.079] lstrcmpiW (lpString1="Pending.GRL.F71BE3414F88B865378397818EA61300363202F81D6F4E589D92C244E6BE5C5E", lpString2="$Recycle.bin") returned 1 [0163.080] lstrcmpiW (lpString1="Pending.GRL.F71BE3414F88B865378397818EA61300363202F81D6F4E589D92C244E6BE5C5E", lpString2="System Volume Information") returned -1 [0163.080] lstrcmpiW (lpString1="Pending.GRL.F71BE3414F88B865378397818EA61300363202F81D6F4E589D92C244E6BE5C5E", lpString2=".") returned 1 [0163.080] lstrcmpiW (lpString1="Pending.GRL.F71BE3414F88B865378397818EA61300363202F81D6F4E589D92C244E6BE5C5E", lpString2="..") returned 1 [0163.080] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\Pending.GRL.F71BE3414F88B865378397818EA61300363202F81D6F4E589D92C244E6BE5C5E") returned 112 [0163.080] lstrcmpW (lpString1="Pending.GRL.F71BE3414F88B865378397818EA61300363202F81D6F4E589D92C244E6BE5C5E", lpString2="PUSSY.TXT") returned -1 [0163.080] PathFindExtensionW (pszPath="Pending.GRL.F71BE3414F88B865378397818EA61300363202F81D6F4E589D92C244E6BE5C5E") returned=".F71BE3414F88B865378397818EA61300363202F81D6F4E589D92C244E6BE5C5E" [0163.080] lstrlenW (lpString=".F71BE3414F88B865378397818EA61300363202F81D6F4E589D92C244E6BE5C5E") returned 65 [0163.080] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc3ac6ca0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc3ac6ca0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3ac6ca0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.080] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.080] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.080] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.080] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.080] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.080] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.080] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.080] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\PUSSY.TXT") returned 45 [0163.080] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.080] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc3ac6ca0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc3ac6ca0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3ac6ca0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.080] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0163.080] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\PUSSY.TXT") returned 45 [0163.080] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\mf\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.080] GetProcessHeap () returned 0x4c0000 [0163.081] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0163.081] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xc3aece00, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3aece00, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MSDN", cAlternateFileName="")) returned 1 [0163.081] lstrcmpiW (lpString1="MSDN", lpString2="Windows") returned -1 [0163.081] lstrcmpiW (lpString1="MSDN", lpString2="Program Files") returned -1 [0163.081] lstrcmpiW (lpString1="MSDN", lpString2="Program Files (x86)") returned -1 [0163.081] lstrcmpiW (lpString1="MSDN", lpString2="$Recycle.bin") returned 1 [0163.081] lstrcmpiW (lpString1="MSDN", lpString2="System Volume Information") returned -1 [0163.081] lstrcmpiW (lpString1="MSDN", lpString2=".") returned 1 [0163.081] lstrcmpiW (lpString1="MSDN", lpString2="..") returned 1 [0163.081] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN") returned 37 [0163.081] GetProcessHeap () returned 0x4c0000 [0163.081] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0163.081] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN" [0163.081] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\*" [0163.081] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xc3aece00, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3aece00, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0163.081] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.081] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.081] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.081] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.081] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.081] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.081] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xc3aece00, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3aece00, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0163.081] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.081] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.082] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.082] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.082] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.082] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.082] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.082] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xc3ac6ca0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3ac6ca0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="8.0", cAlternateFileName="")) returned 1 [0163.082] lstrcmpiW (lpString1="8.0", lpString2="Windows") returned -1 [0163.082] lstrcmpiW (lpString1="8.0", lpString2="Program Files") returned -1 [0163.082] lstrcmpiW (lpString1="8.0", lpString2="Program Files (x86)") returned -1 [0163.082] lstrcmpiW (lpString1="8.0", lpString2="$Recycle.bin") returned 1 [0163.082] lstrcmpiW (lpString1="8.0", lpString2="System Volume Information") returned -1 [0163.082] lstrcmpiW (lpString1="8.0", lpString2=".") returned 1 [0163.082] lstrcmpiW (lpString1="8.0", lpString2="..") returned 1 [0163.082] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\8.0") returned 41 [0163.082] GetProcessHeap () returned 0x4c0000 [0163.082] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0163.083] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\8.0" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\8.0") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\8.0" [0163.083] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\8.0", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\8.0\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\8.0\\*" [0163.083] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\8.0\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xc3ac6ca0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3ac6ca0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0163.083] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.083] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.083] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.083] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.083] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.083] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.084] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xc3ac6ca0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3ac6ca0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0163.084] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.084] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.084] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.084] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.084] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.084] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.084] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.084] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc3ac6ca0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc3ac6ca0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3aece00, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.084] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.084] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.084] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.084] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.084] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.084] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.084] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.084] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\8.0\\PUSSY.TXT") returned 51 [0163.084] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.084] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc3ac6ca0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc3ac6ca0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3aece00, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.084] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0163.084] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\8.0\\PUSSY.TXT") returned 51 [0163.084] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\8.0\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\msdn\\8.0\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.085] GetProcessHeap () returned 0x4c0000 [0163.085] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0163.085] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc3aece00, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc3aece00, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3aece00, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.085] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.085] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.085] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.085] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.085] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.085] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.085] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.085] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\PUSSY.TXT") returned 47 [0163.085] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.085] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc3aece00, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc3aece00, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3aece00, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.085] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0163.085] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\PUSSY.TXT") returned 47 [0163.085] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\msdn\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.085] GetProcessHeap () returned 0x4c0000 [0163.085] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0163.087] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0xc3b5f220, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3b5f220, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="NetFramework", cAlternateFileName="NETFRA~1")) returned 1 [0163.087] lstrcmpiW (lpString1="NetFramework", lpString2="Windows") returned -1 [0163.087] lstrcmpiW (lpString1="NetFramework", lpString2="Program Files") returned -1 [0163.087] lstrcmpiW (lpString1="NetFramework", lpString2="Program Files (x86)") returned -1 [0163.087] lstrcmpiW (lpString1="NetFramework", lpString2="$Recycle.bin") returned 1 [0163.087] lstrcmpiW (lpString1="NetFramework", lpString2="System Volume Information") returned -1 [0163.087] lstrcmpiW (lpString1="NetFramework", lpString2=".") returned 1 [0163.087] lstrcmpiW (lpString1="NetFramework", lpString2="..") returned 1 [0163.087] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework") returned 45 [0163.087] GetProcessHeap () returned 0x4c0000 [0163.087] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0163.088] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework" [0163.088] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\*" [0163.088] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0xc3b5f220, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3b5f220, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0163.088] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.088] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.088] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.088] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.088] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.088] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.088] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0xc3b5f220, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3b5f220, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0163.088] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.088] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.088] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.089] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.089] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.089] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.089] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.089] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0xc3b5f220, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3b5f220, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="BreadcrumbStore", cAlternateFileName="BREADC~1")) returned 1 [0163.089] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="Windows") returned -1 [0163.089] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="Program Files") returned -1 [0163.089] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="Program Files (x86)") returned -1 [0163.089] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="$Recycle.bin") returned 1 [0163.089] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="System Volume Information") returned -1 [0163.089] lstrcmpiW (lpString1="BreadcrumbStore", lpString2=".") returned 1 [0163.089] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="..") returned 1 [0163.089] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore") returned 61 [0163.089] GetProcessHeap () returned 0x4c0000 [0163.089] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0163.090] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore" [0163.090] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\*" [0163.090] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0xc3b5f220, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3b5f220, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0163.090] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.090] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.090] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.090] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.090] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.090] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.090] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0xc3b5f220, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3b5f220, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0163.091] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.091] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.091] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.091] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.091] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.091] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.091] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.091] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc3aece00, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc3aece00, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3b5f220, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.091] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.091] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.091] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.091] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.091] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.091] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.091] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.091] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\PUSSY.TXT") returned 71 [0163.091] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.091] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc3aece00, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc3aece00, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3b5f220, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.091] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0163.091] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\PUSSY.TXT") returned 71 [0163.091] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.091] GetProcessHeap () returned 0x4c0000 [0163.091] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0163.091] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc3b5f220, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc3b5f220, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3b5f220, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.092] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.092] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.092] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.092] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.092] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.092] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.092] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.092] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\PUSSY.TXT") returned 55 [0163.092] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.092] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc3b5f220, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc3b5f220, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3b5f220, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.092] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0163.092] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\PUSSY.TXT") returned 55 [0163.092] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\netframework\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.092] GetProcessHeap () returned 0x4c0000 [0163.092] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0163.094] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc3c1d900, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3c1d900, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Network", cAlternateFileName="")) returned 1 [0163.094] lstrcmpiW (lpString1="Network", lpString2="Windows") returned -1 [0163.094] lstrcmpiW (lpString1="Network", lpString2="Program Files") returned -1 [0163.094] lstrcmpiW (lpString1="Network", lpString2="Program Files (x86)") returned -1 [0163.094] lstrcmpiW (lpString1="Network", lpString2="$Recycle.bin") returned 1 [0163.094] lstrcmpiW (lpString1="Network", lpString2="System Volume Information") returned -1 [0163.094] lstrcmpiW (lpString1="Network", lpString2=".") returned 1 [0163.094] lstrcmpiW (lpString1="Network", lpString2="..") returned 1 [0163.094] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network") returned 40 [0163.094] GetProcessHeap () returned 0x4c0000 [0163.094] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0163.095] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network" [0163.095] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\*" [0163.095] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc3c1d900, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3c1d900, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0163.095] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.095] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.095] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.095] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.095] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.095] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.095] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc3c1d900, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3c1d900, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0163.095] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.095] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.095] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.095] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.096] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.096] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.096] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.096] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc3b5f220, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3b5f220, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="Connections", cAlternateFileName="CONNEC~1")) returned 1 [0163.096] lstrcmpiW (lpString1="Connections", lpString2="Windows") returned -1 [0163.096] lstrcmpiW (lpString1="Connections", lpString2="Program Files") returned -1 [0163.096] lstrcmpiW (lpString1="Connections", lpString2="Program Files (x86)") returned -1 [0163.096] lstrcmpiW (lpString1="Connections", lpString2="$Recycle.bin") returned 1 [0163.096] lstrcmpiW (lpString1="Connections", lpString2="System Volume Information") returned -1 [0163.096] lstrcmpiW (lpString1="Connections", lpString2=".") returned 1 [0163.096] lstrcmpiW (lpString1="Connections", lpString2="..") returned 1 [0163.096] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections") returned 52 [0163.096] GetProcessHeap () returned 0x4c0000 [0163.096] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0163.097] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections" [0163.097] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\*" [0163.097] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc3b5f220, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3b5f220, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0163.097] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.097] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.097] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.097] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.097] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.098] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.098] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc3b5f220, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3b5f220, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0163.098] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.098] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.098] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.098] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.098] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.098] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.098] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.098] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3b5f220, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc3b5f220, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3b5f220, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.098] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.098] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.098] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.098] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.098] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.098] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.098] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.098] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\PUSSY.TXT") returned 62 [0163.098] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.098] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3b5f220, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc3b5f220, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3b5f220, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.098] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0163.098] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\PUSSY.TXT") returned 62 [0163.098] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\network\\connections\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.099] GetProcessHeap () returned 0x4c0000 [0163.099] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0163.099] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc40e0500, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc40e0500, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="Downloader", cAlternateFileName="DOWNLO~1")) returned 1 [0163.099] lstrcmpiW (lpString1="Downloader", lpString2="Windows") returned -1 [0163.099] lstrcmpiW (lpString1="Downloader", lpString2="Program Files") returned -1 [0163.099] lstrcmpiW (lpString1="Downloader", lpString2="Program Files (x86)") returned -1 [0163.099] lstrcmpiW (lpString1="Downloader", lpString2="$Recycle.bin") returned 1 [0163.099] lstrcmpiW (lpString1="Downloader", lpString2="System Volume Information") returned -1 [0163.099] lstrcmpiW (lpString1="Downloader", lpString2=".") returned 1 [0163.099] lstrcmpiW (lpString1="Downloader", lpString2="..") returned 1 [0163.099] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader") returned 51 [0163.099] GetProcessHeap () returned 0x4c0000 [0163.099] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0163.099] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader" [0163.099] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*" [0163.099] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc40e0500, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc40e0500, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0163.099] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.099] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.099] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.100] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.100] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.100] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.100] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc40e0500, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc40e0500, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0163.100] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.100] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.100] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.100] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.100] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.100] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.100] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.100] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3bf77a0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc3bf77a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3bf77a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.100] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.100] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.100] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.100] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.100] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.100] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.100] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.100] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\PUSSY.TXT") returned 61 [0163.100] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.100] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x7606ea15, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x7606ea15, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0xc40e0500, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x400000, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="qmgr0.dat.C9EF2F43E01D8FB1915ED4C4DA46DDA9839DC9452BB7DF15010E9179B6956448", cAlternateFileName="")) returned 1 [0163.100] lstrcmpiW (lpString1="qmgr0.dat.C9EF2F43E01D8FB1915ED4C4DA46DDA9839DC9452BB7DF15010E9179B6956448", lpString2="Windows") returned -1 [0163.100] lstrcmpiW (lpString1="qmgr0.dat.C9EF2F43E01D8FB1915ED4C4DA46DDA9839DC9452BB7DF15010E9179B6956448", lpString2="Program Files") returned 1 [0163.100] lstrcmpiW (lpString1="qmgr0.dat.C9EF2F43E01D8FB1915ED4C4DA46DDA9839DC9452BB7DF15010E9179B6956448", lpString2="Program Files (x86)") returned 1 [0163.100] lstrcmpiW (lpString1="qmgr0.dat.C9EF2F43E01D8FB1915ED4C4DA46DDA9839DC9452BB7DF15010E9179B6956448", lpString2="$Recycle.bin") returned 1 [0163.101] lstrcmpiW (lpString1="qmgr0.dat.C9EF2F43E01D8FB1915ED4C4DA46DDA9839DC9452BB7DF15010E9179B6956448", lpString2="System Volume Information") returned -1 [0163.101] lstrcmpiW (lpString1="qmgr0.dat.C9EF2F43E01D8FB1915ED4C4DA46DDA9839DC9452BB7DF15010E9179B6956448", lpString2=".") returned 1 [0163.101] lstrcmpiW (lpString1="qmgr0.dat.C9EF2F43E01D8FB1915ED4C4DA46DDA9839DC9452BB7DF15010E9179B6956448", lpString2="..") returned 1 [0163.101] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr0.dat.C9EF2F43E01D8FB1915ED4C4DA46DDA9839DC9452BB7DF15010E9179B6956448") returned 126 [0163.101] lstrcmpW (lpString1="qmgr0.dat.C9EF2F43E01D8FB1915ED4C4DA46DDA9839DC9452BB7DF15010E9179B6956448", lpString2="PUSSY.TXT") returned 1 [0163.101] PathFindExtensionW (pszPath="qmgr0.dat.C9EF2F43E01D8FB1915ED4C4DA46DDA9839DC9452BB7DF15010E9179B6956448") returned=".C9EF2F43E01D8FB1915ED4C4DA46DDA9839DC9452BB7DF15010E9179B6956448" [0163.101] lstrlenW (lpString=".C9EF2F43E01D8FB1915ED4C4DA46DDA9839DC9452BB7DF15010E9179B6956448") returned 65 [0163.101] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x7606ea15, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x7606ea15, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0xc40e0500, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x400000, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="qmgr1.dat.E8CF226070660F8810FA215FD1D4F1685F15EA8D5649F3617864F3C368B06F71", cAlternateFileName="")) returned 1 [0163.101] lstrcmpiW (lpString1="qmgr1.dat.E8CF226070660F8810FA215FD1D4F1685F15EA8D5649F3617864F3C368B06F71", lpString2="Windows") returned -1 [0163.101] lstrcmpiW (lpString1="qmgr1.dat.E8CF226070660F8810FA215FD1D4F1685F15EA8D5649F3617864F3C368B06F71", lpString2="Program Files") returned 1 [0163.101] lstrcmpiW (lpString1="qmgr1.dat.E8CF226070660F8810FA215FD1D4F1685F15EA8D5649F3617864F3C368B06F71", lpString2="Program Files (x86)") returned 1 [0163.101] lstrcmpiW (lpString1="qmgr1.dat.E8CF226070660F8810FA215FD1D4F1685F15EA8D5649F3617864F3C368B06F71", lpString2="$Recycle.bin") returned 1 [0163.101] lstrcmpiW (lpString1="qmgr1.dat.E8CF226070660F8810FA215FD1D4F1685F15EA8D5649F3617864F3C368B06F71", lpString2="System Volume Information") returned -1 [0163.101] lstrcmpiW (lpString1="qmgr1.dat.E8CF226070660F8810FA215FD1D4F1685F15EA8D5649F3617864F3C368B06F71", lpString2=".") returned 1 [0163.101] lstrcmpiW (lpString1="qmgr1.dat.E8CF226070660F8810FA215FD1D4F1685F15EA8D5649F3617864F3C368B06F71", lpString2="..") returned 1 [0163.101] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr1.dat.E8CF226070660F8810FA215FD1D4F1685F15EA8D5649F3617864F3C368B06F71") returned 126 [0163.101] lstrcmpW (lpString1="qmgr1.dat.E8CF226070660F8810FA215FD1D4F1685F15EA8D5649F3617864F3C368B06F71", lpString2="PUSSY.TXT") returned 1 [0163.101] PathFindExtensionW (pszPath="qmgr1.dat.E8CF226070660F8810FA215FD1D4F1685F15EA8D5649F3617864F3C368B06F71") returned=".E8CF226070660F8810FA215FD1D4F1685F15EA8D5649F3617864F3C368B06F71" [0163.101] lstrlenW (lpString=".E8CF226070660F8810FA215FD1D4F1685F15EA8D5649F3617864F3C368B06F71") returned 65 [0163.101] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x7606ea15, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x7606ea15, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0xc40e0500, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x400000, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="qmgr1.dat.E8CF226070660F8810FA215FD1D4F1685F15EA8D5649F3617864F3C368B06F71", cAlternateFileName="")) returned 0 [0163.101] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0163.101] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\PUSSY.TXT") returned 61 [0163.101] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\network\\downloader\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.102] GetProcessHeap () returned 0x4c0000 [0163.102] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0163.102] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc3c1d900, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc3c1d900, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3c1d900, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.102] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.102] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.102] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.102] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.102] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.102] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.102] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.102] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\PUSSY.TXT") returned 50 [0163.102] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.102] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc3c1d900, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc3c1d900, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc3c1d900, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.102] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0163.102] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\PUSSY.TXT") returned 50 [0163.102] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\network\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.102] GetProcessHeap () returned 0x4c0000 [0163.102] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0163.104] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc68bf580, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc68bf580, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="OFFICE", cAlternateFileName="")) returned 1 [0163.104] lstrcmpiW (lpString1="OFFICE", lpString2="Windows") returned -1 [0163.104] lstrcmpiW (lpString1="OFFICE", lpString2="Program Files") returned -1 [0163.104] lstrcmpiW (lpString1="OFFICE", lpString2="Program Files (x86)") returned -1 [0163.104] lstrcmpiW (lpString1="OFFICE", lpString2="$Recycle.bin") returned 1 [0163.104] lstrcmpiW (lpString1="OFFICE", lpString2="System Volume Information") returned -1 [0163.104] lstrcmpiW (lpString1="OFFICE", lpString2=".") returned 1 [0163.104] lstrcmpiW (lpString1="OFFICE", lpString2="..") returned 1 [0163.104] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE") returned 39 [0163.104] GetProcessHeap () returned 0x4c0000 [0163.104] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0163.105] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE" [0163.105] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\*" [0163.105] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc68bf580, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc68bf580, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0163.105] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.105] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.105] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.105] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.105] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.105] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.105] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc68bf580, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc68bf580, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0163.105] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.106] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.106] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.106] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.106] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.106] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.106] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.106] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5011dd00, ftCreationTime.dwHighDateTime=0x1ca04ff, ftLastAccessTime.dwLowDateTime=0x5f409670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc3ef1320, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x1536, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="AssetLibrary.ico.97469B60AF3BA2EE7DABFBA880E7AFB38B3DE9BEBF8933289091624A77F0F54C", cAlternateFileName="ASSETL~1.974")) returned 1 [0163.106] lstrcmpiW (lpString1="AssetLibrary.ico.97469B60AF3BA2EE7DABFBA880E7AFB38B3DE9BEBF8933289091624A77F0F54C", lpString2="Windows") returned -1 [0163.106] lstrcmpiW (lpString1="AssetLibrary.ico.97469B60AF3BA2EE7DABFBA880E7AFB38B3DE9BEBF8933289091624A77F0F54C", lpString2="Program Files") returned -1 [0163.106] lstrcmpiW (lpString1="AssetLibrary.ico.97469B60AF3BA2EE7DABFBA880E7AFB38B3DE9BEBF8933289091624A77F0F54C", lpString2="Program Files (x86)") returned -1 [0163.106] lstrcmpiW (lpString1="AssetLibrary.ico.97469B60AF3BA2EE7DABFBA880E7AFB38B3DE9BEBF8933289091624A77F0F54C", lpString2="$Recycle.bin") returned 1 [0163.106] lstrcmpiW (lpString1="AssetLibrary.ico.97469B60AF3BA2EE7DABFBA880E7AFB38B3DE9BEBF8933289091624A77F0F54C", lpString2="System Volume Information") returned -1 [0163.106] lstrcmpiW (lpString1="AssetLibrary.ico.97469B60AF3BA2EE7DABFBA880E7AFB38B3DE9BEBF8933289091624A77F0F54C", lpString2=".") returned 1 [0163.106] lstrcmpiW (lpString1="AssetLibrary.ico.97469B60AF3BA2EE7DABFBA880E7AFB38B3DE9BEBF8933289091624A77F0F54C", lpString2="..") returned 1 [0163.106] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\AssetLibrary.ico.97469B60AF3BA2EE7DABFBA880E7AFB38B3DE9BEBF8933289091624A77F0F54C") returned 121 [0163.106] lstrcmpW (lpString1="AssetLibrary.ico.97469B60AF3BA2EE7DABFBA880E7AFB38B3DE9BEBF8933289091624A77F0F54C", lpString2="PUSSY.TXT") returned -1 [0163.106] PathFindExtensionW (pszPath="AssetLibrary.ico.97469B60AF3BA2EE7DABFBA880E7AFB38B3DE9BEBF8933289091624A77F0F54C") returned=".97469B60AF3BA2EE7DABFBA880E7AFB38B3DE9BEBF8933289091624A77F0F54C" [0163.106] lstrlenW (lpString=".97469B60AF3BA2EE7DABFBA880E7AFB38B3DE9BEBF8933289091624A77F0F54C") returned 65 [0163.106] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xabeeea00, ftCreationTime.dwHighDateTime=0x1c63848, ftLastAccessTime.dwLowDateTime=0x51e19d30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc3fd5b60, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x627e, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="DocumentRepository.ico.1C34CB7EE2A2CEE8A5AAA726DDF0C923798D540A454E2F62A5FF372E0475CC3A", cAlternateFileName="DOCUME~1.1C3")) returned 1 [0163.106] lstrcmpiW (lpString1="DocumentRepository.ico.1C34CB7EE2A2CEE8A5AAA726DDF0C923798D540A454E2F62A5FF372E0475CC3A", lpString2="Windows") returned -1 [0163.106] lstrcmpiW (lpString1="DocumentRepository.ico.1C34CB7EE2A2CEE8A5AAA726DDF0C923798D540A454E2F62A5FF372E0475CC3A", lpString2="Program Files") returned -1 [0163.106] lstrcmpiW (lpString1="DocumentRepository.ico.1C34CB7EE2A2CEE8A5AAA726DDF0C923798D540A454E2F62A5FF372E0475CC3A", lpString2="Program Files (x86)") returned -1 [0163.106] lstrcmpiW (lpString1="DocumentRepository.ico.1C34CB7EE2A2CEE8A5AAA726DDF0C923798D540A454E2F62A5FF372E0475CC3A", lpString2="$Recycle.bin") returned 1 [0163.106] lstrcmpiW (lpString1="DocumentRepository.ico.1C34CB7EE2A2CEE8A5AAA726DDF0C923798D540A454E2F62A5FF372E0475CC3A", lpString2="System Volume Information") returned -1 [0163.106] lstrcmpiW (lpString1="DocumentRepository.ico.1C34CB7EE2A2CEE8A5AAA726DDF0C923798D540A454E2F62A5FF372E0475CC3A", lpString2=".") returned 1 [0163.106] lstrcmpiW (lpString1="DocumentRepository.ico.1C34CB7EE2A2CEE8A5AAA726DDF0C923798D540A454E2F62A5FF372E0475CC3A", lpString2="..") returned 1 [0163.107] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\DocumentRepository.ico.1C34CB7EE2A2CEE8A5AAA726DDF0C923798D540A454E2F62A5FF372E0475CC3A") returned 127 [0163.107] lstrcmpW (lpString1="DocumentRepository.ico.1C34CB7EE2A2CEE8A5AAA726DDF0C923798D540A454E2F62A5FF372E0475CC3A", lpString2="PUSSY.TXT") returned -1 [0163.107] PathFindExtensionW (pszPath="DocumentRepository.ico.1C34CB7EE2A2CEE8A5AAA726DDF0C923798D540A454E2F62A5FF372E0475CC3A") returned=".1C34CB7EE2A2CEE8A5AAA726DDF0C923798D540A454E2F62A5FF372E0475CC3A" [0163.107] lstrlenW (lpString=".1C34CB7EE2A2CEE8A5AAA726DDF0C923798D540A454E2F62A5FF372E0475CC3A") returned 65 [0163.107] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2bfbd800, ftCreationTime.dwHighDateTime=0x1c9facb, ftLastAccessTime.dwLowDateTime=0x6a3248d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc41eaea0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x5532e, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="MySharePoints.ico.55939C724393956734DC13A58851ACE2457463AD225E6630856309F327005356", cAlternateFileName="MYSHAR~1.559")) returned 1 [0163.107] lstrcmpiW (lpString1="MySharePoints.ico.55939C724393956734DC13A58851ACE2457463AD225E6630856309F327005356", lpString2="Windows") returned -1 [0163.107] lstrcmpiW (lpString1="MySharePoints.ico.55939C724393956734DC13A58851ACE2457463AD225E6630856309F327005356", lpString2="Program Files") returned -1 [0163.107] lstrcmpiW (lpString1="MySharePoints.ico.55939C724393956734DC13A58851ACE2457463AD225E6630856309F327005356", lpString2="Program Files (x86)") returned -1 [0163.107] lstrcmpiW (lpString1="MySharePoints.ico.55939C724393956734DC13A58851ACE2457463AD225E6630856309F327005356", lpString2="$Recycle.bin") returned 1 [0163.107] lstrcmpiW (lpString1="MySharePoints.ico.55939C724393956734DC13A58851ACE2457463AD225E6630856309F327005356", lpString2="System Volume Information") returned -1 [0163.107] lstrcmpiW (lpString1="MySharePoints.ico.55939C724393956734DC13A58851ACE2457463AD225E6630856309F327005356", lpString2=".") returned 1 [0163.107] lstrcmpiW (lpString1="MySharePoints.ico.55939C724393956734DC13A58851ACE2457463AD225E6630856309F327005356", lpString2="..") returned 1 [0163.107] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\MySharePoints.ico.55939C724393956734DC13A58851ACE2457463AD225E6630856309F327005356") returned 122 [0163.107] lstrcmpW (lpString1="MySharePoints.ico.55939C724393956734DC13A58851ACE2457463AD225E6630856309F327005356", lpString2="PUSSY.TXT") returned -1 [0163.107] PathFindExtensionW (pszPath="MySharePoints.ico.55939C724393956734DC13A58851ACE2457463AD225E6630856309F327005356") returned=".55939C724393956734DC13A58851ACE2457463AD225E6630856309F327005356" [0163.107] lstrlenW (lpString=".55939C724393956734DC13A58851ACE2457463AD225E6630856309F327005356") returned 65 [0163.107] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc92d1d00, ftCreationTime.dwHighDateTime=0x1c627a2, ftLastAccessTime.dwLowDateTime=0x594ac510, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc40ba3a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x627e, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="MySite.ico.5ABCA1E2693903A11909E4DB1BA7D3A36F9B6AA279E167BEDDA6533B5310032C", cAlternateFileName="MYSITE~1.5AB")) returned 1 [0163.107] lstrcmpiW (lpString1="MySite.ico.5ABCA1E2693903A11909E4DB1BA7D3A36F9B6AA279E167BEDDA6533B5310032C", lpString2="Windows") returned -1 [0163.107] lstrcmpiW (lpString1="MySite.ico.5ABCA1E2693903A11909E4DB1BA7D3A36F9B6AA279E167BEDDA6533B5310032C", lpString2="Program Files") returned -1 [0163.107] lstrcmpiW (lpString1="MySite.ico.5ABCA1E2693903A11909E4DB1BA7D3A36F9B6AA279E167BEDDA6533B5310032C", lpString2="Program Files (x86)") returned -1 [0163.107] lstrcmpiW (lpString1="MySite.ico.5ABCA1E2693903A11909E4DB1BA7D3A36F9B6AA279E167BEDDA6533B5310032C", lpString2="$Recycle.bin") returned 1 [0163.107] lstrcmpiW (lpString1="MySite.ico.5ABCA1E2693903A11909E4DB1BA7D3A36F9B6AA279E167BEDDA6533B5310032C", lpString2="System Volume Information") returned -1 [0163.107] lstrcmpiW (lpString1="MySite.ico.5ABCA1E2693903A11909E4DB1BA7D3A36F9B6AA279E167BEDDA6533B5310032C", lpString2=".") returned 1 [0163.107] lstrcmpiW (lpString1="MySite.ico.5ABCA1E2693903A11909E4DB1BA7D3A36F9B6AA279E167BEDDA6533B5310032C", lpString2="..") returned 1 [0163.107] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\MySite.ico.5ABCA1E2693903A11909E4DB1BA7D3A36F9B6AA279E167BEDDA6533B5310032C") returned 115 [0163.107] lstrcmpW (lpString1="MySite.ico.5ABCA1E2693903A11909E4DB1BA7D3A36F9B6AA279E167BEDDA6533B5310032C", lpString2="PUSSY.TXT") returned -1 [0163.108] PathFindExtensionW (pszPath="MySite.ico.5ABCA1E2693903A11909E4DB1BA7D3A36F9B6AA279E167BEDDA6533B5310032C") returned=".5ABCA1E2693903A11909E4DB1BA7D3A36F9B6AA279E167BEDDA6533B5310032C" [0163.108] lstrlenW (lpString=".5ABCA1E2693903A11909E4DB1BA7D3A36F9B6AA279E167BEDDA6533B5310032C") returned 65 [0163.108] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc68bf580, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc68bf580, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc68bf580, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.108] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.108] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.108] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.108] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.108] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.108] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.108] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.108] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\PUSSY.TXT") returned 49 [0163.108] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.108] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf2444900, ftCreationTime.dwHighDateTime=0x1c63848, ftLastAccessTime.dwLowDateTime=0x5ab49610, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc42cf6e0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x627e, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="SharePointPortalSite.ico.F64D90735861F4D18A2B2FC40919870ACF584779C18161D1A4E503E86278DE49", cAlternateFileName="SHAREP~1.F64")) returned 1 [0163.108] lstrcmpiW (lpString1="SharePointPortalSite.ico.F64D90735861F4D18A2B2FC40919870ACF584779C18161D1A4E503E86278DE49", lpString2="Windows") returned -1 [0163.108] lstrcmpiW (lpString1="SharePointPortalSite.ico.F64D90735861F4D18A2B2FC40919870ACF584779C18161D1A4E503E86278DE49", lpString2="Program Files") returned 1 [0163.108] lstrcmpiW (lpString1="SharePointPortalSite.ico.F64D90735861F4D18A2B2FC40919870ACF584779C18161D1A4E503E86278DE49", lpString2="Program Files (x86)") returned 1 [0163.108] lstrcmpiW (lpString1="SharePointPortalSite.ico.F64D90735861F4D18A2B2FC40919870ACF584779C18161D1A4E503E86278DE49", lpString2="$Recycle.bin") returned 1 [0163.108] lstrcmpiW (lpString1="SharePointPortalSite.ico.F64D90735861F4D18A2B2FC40919870ACF584779C18161D1A4E503E86278DE49", lpString2="System Volume Information") returned -1 [0163.108] lstrcmpiW (lpString1="SharePointPortalSite.ico.F64D90735861F4D18A2B2FC40919870ACF584779C18161D1A4E503E86278DE49", lpString2=".") returned 1 [0163.108] lstrcmpiW (lpString1="SharePointPortalSite.ico.F64D90735861F4D18A2B2FC40919870ACF584779C18161D1A4E503E86278DE49", lpString2="..") returned 1 [0163.108] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\SharePointPortalSite.ico.F64D90735861F4D18A2B2FC40919870ACF584779C18161D1A4E503E86278DE49") returned 129 [0163.108] lstrcmpW (lpString1="SharePointPortalSite.ico.F64D90735861F4D18A2B2FC40919870ACF584779C18161D1A4E503E86278DE49", lpString2="PUSSY.TXT") returned 1 [0163.108] PathFindExtensionW (pszPath="SharePointPortalSite.ico.F64D90735861F4D18A2B2FC40919870ACF584779C18161D1A4E503E86278DE49") returned=".F64D90735861F4D18A2B2FC40919870ACF584779C18161D1A4E503E86278DE49" [0163.108] lstrlenW (lpString=".F64D90735861F4D18A2B2FC40919870ACF584779C18161D1A4E503E86278DE49") returned 65 [0163.108] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xad743900, ftCreationTime.dwHighDateTime=0x1c62706, ftLastAccessTime.dwLowDateTime=0x6d3a4910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc41eaea0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x627e, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="SharePointTeamSite.ico.3935B437226CAB5291349BCA8A886EDCBFC31CACD5611528BBF5822D1967594D", cAlternateFileName="SHAREP~1.393")) returned 1 [0163.108] lstrcmpiW (lpString1="SharePointTeamSite.ico.3935B437226CAB5291349BCA8A886EDCBFC31CACD5611528BBF5822D1967594D", lpString2="Windows") returned -1 [0163.109] lstrcmpiW (lpString1="SharePointTeamSite.ico.3935B437226CAB5291349BCA8A886EDCBFC31CACD5611528BBF5822D1967594D", lpString2="Program Files") returned 1 [0163.109] lstrcmpiW (lpString1="SharePointTeamSite.ico.3935B437226CAB5291349BCA8A886EDCBFC31CACD5611528BBF5822D1967594D", lpString2="Program Files (x86)") returned 1 [0163.109] lstrcmpiW (lpString1="SharePointTeamSite.ico.3935B437226CAB5291349BCA8A886EDCBFC31CACD5611528BBF5822D1967594D", lpString2="$Recycle.bin") returned 1 [0163.109] lstrcmpiW (lpString1="SharePointTeamSite.ico.3935B437226CAB5291349BCA8A886EDCBFC31CACD5611528BBF5822D1967594D", lpString2="System Volume Information") returned -1 [0163.109] lstrcmpiW (lpString1="SharePointTeamSite.ico.3935B437226CAB5291349BCA8A886EDCBFC31CACD5611528BBF5822D1967594D", lpString2=".") returned 1 [0163.109] lstrcmpiW (lpString1="SharePointTeamSite.ico.3935B437226CAB5291349BCA8A886EDCBFC31CACD5611528BBF5822D1967594D", lpString2="..") returned 1 [0163.109] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\SharePointTeamSite.ico.3935B437226CAB5291349BCA8A886EDCBFC31CACD5611528BBF5822D1967594D") returned 127 [0163.109] lstrcmpW (lpString1="SharePointTeamSite.ico.3935B437226CAB5291349BCA8A886EDCBFC31CACD5611528BBF5822D1967594D", lpString2="PUSSY.TXT") returned 1 [0163.109] PathFindExtensionW (pszPath="SharePointTeamSite.ico.3935B437226CAB5291349BCA8A886EDCBFC31CACD5611528BBF5822D1967594D") returned=".3935B437226CAB5291349BCA8A886EDCBFC31CACD5611528BBF5822D1967594D" [0163.109] lstrlenW (lpString=".3935B437226CAB5291349BCA8A886EDCBFC31CACD5611528BBF5822D1967594D") returned 65 [0163.109] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc68bf580, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc68bf580, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="UICaptions", cAlternateFileName="UICAPT~1")) returned 1 [0163.109] lstrcmpiW (lpString1="UICaptions", lpString2="Windows") returned -1 [0163.109] lstrcmpiW (lpString1="UICaptions", lpString2="Program Files") returned 1 [0163.109] lstrcmpiW (lpString1="UICaptions", lpString2="Program Files (x86)") returned 1 [0163.109] lstrcmpiW (lpString1="UICaptions", lpString2="$Recycle.bin") returned 1 [0163.109] lstrcmpiW (lpString1="UICaptions", lpString2="System Volume Information") returned 1 [0163.109] lstrcmpiW (lpString1="UICaptions", lpString2=".") returned 1 [0163.109] lstrcmpiW (lpString1="UICaptions", lpString2="..") returned 1 [0163.109] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions") returned 50 [0163.109] GetProcessHeap () returned 0x4c0000 [0163.109] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0163.110] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions" [0163.110] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\*" [0163.110] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc68bf580, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc68bf580, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0163.111] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.111] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.111] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.111] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.111] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.111] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.111] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc68bf580, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc68bf580, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0163.111] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.111] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.111] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.111] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.112] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.112] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.112] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.112] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc5946680, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc5946680, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="1036", cAlternateFileName="")) returned 1 [0163.112] lstrcmpiW (lpString1="1036", lpString2="Windows") returned -1 [0163.112] lstrcmpiW (lpString1="1036", lpString2="Program Files") returned -1 [0163.112] lstrcmpiW (lpString1="1036", lpString2="Program Files (x86)") returned -1 [0163.112] lstrcmpiW (lpString1="1036", lpString2="$Recycle.bin") returned 1 [0163.112] lstrcmpiW (lpString1="1036", lpString2="System Volume Information") returned -1 [0163.112] lstrcmpiW (lpString1="1036", lpString2=".") returned 1 [0163.112] lstrcmpiW (lpString1="1036", lpString2="..") returned 1 [0163.112] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036") returned 55 [0163.112] GetProcessHeap () returned 0x4c0000 [0163.112] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0163.113] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036" [0163.113] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\*" [0163.113] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc5946680, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc5946680, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0163.113] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.113] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.113] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.113] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.113] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.113] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.113] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc5946680, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc5946680, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="..", cAlternateFileName="")) returned 1 [0163.113] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.113] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.113] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.114] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.114] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.114] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.114] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.114] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1be9a700, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc42cf6e0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x3960, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="ENVELOPR.DLL.trx_dll.3875663549BEC1A8BC707F7DAF89F2EC5DD418574C7DFDE49D4FE0BB6DE84E79", cAlternateFileName="ENVELO~1.387")) returned 1 [0163.114] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll.3875663549BEC1A8BC707F7DAF89F2EC5DD418574C7DFDE49D4FE0BB6DE84E79", lpString2="Windows") returned -1 [0163.114] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll.3875663549BEC1A8BC707F7DAF89F2EC5DD418574C7DFDE49D4FE0BB6DE84E79", lpString2="Program Files") returned -1 [0163.114] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll.3875663549BEC1A8BC707F7DAF89F2EC5DD418574C7DFDE49D4FE0BB6DE84E79", lpString2="Program Files (x86)") returned -1 [0163.114] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll.3875663549BEC1A8BC707F7DAF89F2EC5DD418574C7DFDE49D4FE0BB6DE84E79", lpString2="$Recycle.bin") returned 1 [0163.114] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll.3875663549BEC1A8BC707F7DAF89F2EC5DD418574C7DFDE49D4FE0BB6DE84E79", lpString2="System Volume Information") returned -1 [0163.114] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll.3875663549BEC1A8BC707F7DAF89F2EC5DD418574C7DFDE49D4FE0BB6DE84E79", lpString2=".") returned 1 [0163.114] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll.3875663549BEC1A8BC707F7DAF89F2EC5DD418574C7DFDE49D4FE0BB6DE84E79", lpString2="..") returned 1 [0163.114] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll.3875663549BEC1A8BC707F7DAF89F2EC5DD418574C7DFDE49D4FE0BB6DE84E79") returned 141 [0163.114] lstrcmpW (lpString1="ENVELOPR.DLL.trx_dll.3875663549BEC1A8BC707F7DAF89F2EC5DD418574C7DFDE49D4FE0BB6DE84E79", lpString2="PUSSY.TXT") returned -1 [0163.114] PathFindExtensionW (pszPath="ENVELOPR.DLL.trx_dll.3875663549BEC1A8BC707F7DAF89F2EC5DD418574C7DFDE49D4FE0BB6DE84E79") returned=".3875663549BEC1A8BC707F7DAF89F2EC5DD418574C7DFDE49D4FE0BB6DE84E79" [0163.114] lstrlenW (lpString=".3875663549BEC1A8BC707F7DAF89F2EC5DD418574C7DFDE49D4FE0BB6DE84E79") returned 65 [0163.114] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd48e100, ftCreationTime.dwHighDateTime=0x1cac7f7, ftLastAccessTime.dwLowDateTime=0xeedf6c30, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc47de5a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0xbf60, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="GRINTL32.DLL.trx_dll.51195CD96A68E6F98A3621FFDEC82A4652FC04707FD74ACFAAD454C3F6852D17", cAlternateFileName="GRINTL~1.511")) returned 1 [0163.114] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll.51195CD96A68E6F98A3621FFDEC82A4652FC04707FD74ACFAAD454C3F6852D17", lpString2="Windows") returned -1 [0163.114] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll.51195CD96A68E6F98A3621FFDEC82A4652FC04707FD74ACFAAD454C3F6852D17", lpString2="Program Files") returned -1 [0163.114] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll.51195CD96A68E6F98A3621FFDEC82A4652FC04707FD74ACFAAD454C3F6852D17", lpString2="Program Files (x86)") returned -1 [0163.114] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll.51195CD96A68E6F98A3621FFDEC82A4652FC04707FD74ACFAAD454C3F6852D17", lpString2="$Recycle.bin") returned 1 [0163.114] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll.51195CD96A68E6F98A3621FFDEC82A4652FC04707FD74ACFAAD454C3F6852D17", lpString2="System Volume Information") returned -1 [0163.114] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll.51195CD96A68E6F98A3621FFDEC82A4652FC04707FD74ACFAAD454C3F6852D17", lpString2=".") returned 1 [0163.114] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll.51195CD96A68E6F98A3621FFDEC82A4652FC04707FD74ACFAAD454C3F6852D17", lpString2="..") returned 1 [0163.114] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll.51195CD96A68E6F98A3621FFDEC82A4652FC04707FD74ACFAAD454C3F6852D17") returned 141 [0163.115] lstrcmpW (lpString1="GRINTL32.DLL.trx_dll.51195CD96A68E6F98A3621FFDEC82A4652FC04707FD74ACFAAD454C3F6852D17", lpString2="PUSSY.TXT") returned -1 [0163.115] PathFindExtensionW (pszPath="GRINTL32.DLL.trx_dll.51195CD96A68E6F98A3621FFDEC82A4652FC04707FD74ACFAAD454C3F6852D17") returned=".51195CD96A68E6F98A3621FFDEC82A4652FC04707FD74ACFAAD454C3F6852D17" [0163.115] lstrlenW (lpString=".51195CD96A68E6F98A3621FFDEC82A4652FC04707FD74ACFAAD454C3F6852D17") returned 65 [0163.115] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd48e100, ftCreationTime.dwHighDateTime=0x1cac7f7, ftLastAccessTime.dwLowDateTime=0xeedf6c30, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc47de5a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x3d960, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="GRINTL32.REST.trx_dll.C3F18BAE5AD696C3D4480734B5A634F969BCE29FEFDEEE36A28E960FECA7115C", cAlternateFileName="GRINTL~1.C3F")) returned 1 [0163.115] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll.C3F18BAE5AD696C3D4480734B5A634F969BCE29FEFDEEE36A28E960FECA7115C", lpString2="Windows") returned -1 [0163.115] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll.C3F18BAE5AD696C3D4480734B5A634F969BCE29FEFDEEE36A28E960FECA7115C", lpString2="Program Files") returned -1 [0163.115] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll.C3F18BAE5AD696C3D4480734B5A634F969BCE29FEFDEEE36A28E960FECA7115C", lpString2="Program Files (x86)") returned -1 [0163.115] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll.C3F18BAE5AD696C3D4480734B5A634F969BCE29FEFDEEE36A28E960FECA7115C", lpString2="$Recycle.bin") returned 1 [0163.115] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll.C3F18BAE5AD696C3D4480734B5A634F969BCE29FEFDEEE36A28E960FECA7115C", lpString2="System Volume Information") returned -1 [0163.115] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll.C3F18BAE5AD696C3D4480734B5A634F969BCE29FEFDEEE36A28E960FECA7115C", lpString2=".") returned 1 [0163.115] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll.C3F18BAE5AD696C3D4480734B5A634F969BCE29FEFDEEE36A28E960FECA7115C", lpString2="..") returned 1 [0163.115] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll.C3F18BAE5AD696C3D4480734B5A634F969BCE29FEFDEEE36A28E960FECA7115C") returned 142 [0163.115] lstrcmpW (lpString1="GRINTL32.REST.trx_dll.C3F18BAE5AD696C3D4480734B5A634F969BCE29FEFDEEE36A28E960FECA7115C", lpString2="PUSSY.TXT") returned -1 [0163.115] PathFindExtensionW (pszPath="GRINTL32.REST.trx_dll.C3F18BAE5AD696C3D4480734B5A634F969BCE29FEFDEEE36A28E960FECA7115C") returned=".C3F18BAE5AD696C3D4480734B5A634F969BCE29FEFDEEE36A28E960FECA7115C" [0163.115] lstrlenW (lpString=".C3F18BAE5AD696C3D4480734B5A634F969BCE29FEFDEEE36A28E960FECA7115C") returned 65 [0163.115] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1be9a700, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeee1cd90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc4ab1fc0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x49f60, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="MAPIR.DLL.trx_dll.57EF540DF68E990F3F918A9B7149BD1FF63CDD7FCC3216DCA54C31FAE09C8A5E", cAlternateFileName="MAPIRD~1.57E")) returned 1 [0163.115] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll.57EF540DF68E990F3F918A9B7149BD1FF63CDD7FCC3216DCA54C31FAE09C8A5E", lpString2="Windows") returned -1 [0163.115] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll.57EF540DF68E990F3F918A9B7149BD1FF63CDD7FCC3216DCA54C31FAE09C8A5E", lpString2="Program Files") returned -1 [0163.115] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll.57EF540DF68E990F3F918A9B7149BD1FF63CDD7FCC3216DCA54C31FAE09C8A5E", lpString2="Program Files (x86)") returned -1 [0163.115] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll.57EF540DF68E990F3F918A9B7149BD1FF63CDD7FCC3216DCA54C31FAE09C8A5E", lpString2="$Recycle.bin") returned 1 [0163.115] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll.57EF540DF68E990F3F918A9B7149BD1FF63CDD7FCC3216DCA54C31FAE09C8A5E", lpString2="System Volume Information") returned -1 [0163.115] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll.57EF540DF68E990F3F918A9B7149BD1FF63CDD7FCC3216DCA54C31FAE09C8A5E", lpString2=".") returned 1 [0163.115] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll.57EF540DF68E990F3F918A9B7149BD1FF63CDD7FCC3216DCA54C31FAE09C8A5E", lpString2="..") returned 1 [0163.115] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll.57EF540DF68E990F3F918A9B7149BD1FF63CDD7FCC3216DCA54C31FAE09C8A5E") returned 138 [0163.115] lstrcmpW (lpString1="MAPIR.DLL.trx_dll.57EF540DF68E990F3F918A9B7149BD1FF63CDD7FCC3216DCA54C31FAE09C8A5E", lpString2="PUSSY.TXT") returned -1 [0163.115] PathFindExtensionW (pszPath="MAPIR.DLL.trx_dll.57EF540DF68E990F3F918A9B7149BD1FF63CDD7FCC3216DCA54C31FAE09C8A5E") returned=".57EF540DF68E990F3F918A9B7149BD1FF63CDD7FCC3216DCA54C31FAE09C8A5E" [0163.116] lstrlenW (lpString=".57EF540DF68E990F3F918A9B7149BD1FF63CDD7FCC3216DCA54C31FAE09C8A5E") returned 65 [0163.116] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa27f6800, ftCreationTime.dwHighDateTime=0x1cac809, ftLastAccessTime.dwLowDateTime=0xeee1cd90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc482a860, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0xc160, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="MOR6INT.REST.trx_dll.8DB5AB422F20B0A900AEFA738892B61D98E58F92DDD91D9DE1E27BA1B516ED40", cAlternateFileName="MOR6IN~1.8DB")) returned 1 [0163.116] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll.8DB5AB422F20B0A900AEFA738892B61D98E58F92DDD91D9DE1E27BA1B516ED40", lpString2="Windows") returned -1 [0163.116] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll.8DB5AB422F20B0A900AEFA738892B61D98E58F92DDD91D9DE1E27BA1B516ED40", lpString2="Program Files") returned -1 [0163.116] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll.8DB5AB422F20B0A900AEFA738892B61D98E58F92DDD91D9DE1E27BA1B516ED40", lpString2="Program Files (x86)") returned -1 [0163.116] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll.8DB5AB422F20B0A900AEFA738892B61D98E58F92DDD91D9DE1E27BA1B516ED40", lpString2="$Recycle.bin") returned 1 [0163.116] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll.8DB5AB422F20B0A900AEFA738892B61D98E58F92DDD91D9DE1E27BA1B516ED40", lpString2="System Volume Information") returned -1 [0163.116] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll.8DB5AB422F20B0A900AEFA738892B61D98E58F92DDD91D9DE1E27BA1B516ED40", lpString2=".") returned 1 [0163.116] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll.8DB5AB422F20B0A900AEFA738892B61D98E58F92DDD91D9DE1E27BA1B516ED40", lpString2="..") returned 1 [0163.116] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll.8DB5AB422F20B0A900AEFA738892B61D98E58F92DDD91D9DE1E27BA1B516ED40") returned 141 [0163.116] lstrcmpW (lpString1="MOR6INT.REST.trx_dll.8DB5AB422F20B0A900AEFA738892B61D98E58F92DDD91D9DE1E27BA1B516ED40", lpString2="PUSSY.TXT") returned -1 [0163.116] PathFindExtensionW (pszPath="MOR6INT.REST.trx_dll.8DB5AB422F20B0A900AEFA738892B61D98E58F92DDD91D9DE1E27BA1B516ED40") returned=".8DB5AB422F20B0A900AEFA738892B61D98E58F92DDD91D9DE1E27BA1B516ED40" [0163.116] lstrlenW (lpString=".8DB5AB422F20B0A900AEFA738892B61D98E58F92DDD91D9DE1E27BA1B516ED40") returned 65 [0163.116] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9f53ca00, ftCreationTime.dwHighDateTime=0x1caca0b, ftLastAccessTime.dwLowDateTime=0xeee42ef0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc4804700, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x17960, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="MSOINTL.DLL.trx_dll.62896D414C9A0C0FA5A8D174B7C9F4251B79AAB38096ADEC34101D9241A24123", cAlternateFileName="MSOINT~1.628")) returned 1 [0163.116] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll.62896D414C9A0C0FA5A8D174B7C9F4251B79AAB38096ADEC34101D9241A24123", lpString2="Windows") returned -1 [0163.116] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll.62896D414C9A0C0FA5A8D174B7C9F4251B79AAB38096ADEC34101D9241A24123", lpString2="Program Files") returned -1 [0163.116] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll.62896D414C9A0C0FA5A8D174B7C9F4251B79AAB38096ADEC34101D9241A24123", lpString2="Program Files (x86)") returned -1 [0163.116] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll.62896D414C9A0C0FA5A8D174B7C9F4251B79AAB38096ADEC34101D9241A24123", lpString2="$Recycle.bin") returned 1 [0163.116] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll.62896D414C9A0C0FA5A8D174B7C9F4251B79AAB38096ADEC34101D9241A24123", lpString2="System Volume Information") returned -1 [0163.116] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll.62896D414C9A0C0FA5A8D174B7C9F4251B79AAB38096ADEC34101D9241A24123", lpString2=".") returned 1 [0163.116] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll.62896D414C9A0C0FA5A8D174B7C9F4251B79AAB38096ADEC34101D9241A24123", lpString2="..") returned 1 [0163.116] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll.62896D414C9A0C0FA5A8D174B7C9F4251B79AAB38096ADEC34101D9241A24123") returned 140 [0163.116] lstrcmpW (lpString1="MSOINTL.DLL.trx_dll.62896D414C9A0C0FA5A8D174B7C9F4251B79AAB38096ADEC34101D9241A24123", lpString2="PUSSY.TXT") returned -1 [0163.116] PathFindExtensionW (pszPath="MSOINTL.DLL.trx_dll.62896D414C9A0C0FA5A8D174B7C9F4251B79AAB38096ADEC34101D9241A24123") returned=".62896D414C9A0C0FA5A8D174B7C9F4251B79AAB38096ADEC34101D9241A24123" [0163.116] lstrlenW (lpString=".62896D414C9A0C0FA5A8D174B7C9F4251B79AAB38096ADEC34101D9241A24123") returned 65 [0163.116] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9f53ca00, ftCreationTime.dwHighDateTime=0x1caca0b, ftLastAccessTime.dwLowDateTime=0xeeeb5310, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc4804700, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x2ced60, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="MSOINTL.REST.trx_dll.EE71B3EA2E70B3ED663D23F3AB7C94712A4ADB0B4F4FCDE7C4F185375E86AF35", cAlternateFileName="MSOINT~1.EE7")) returned 1 [0163.117] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll.EE71B3EA2E70B3ED663D23F3AB7C94712A4ADB0B4F4FCDE7C4F185375E86AF35", lpString2="Windows") returned -1 [0163.117] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll.EE71B3EA2E70B3ED663D23F3AB7C94712A4ADB0B4F4FCDE7C4F185375E86AF35", lpString2="Program Files") returned -1 [0163.117] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll.EE71B3EA2E70B3ED663D23F3AB7C94712A4ADB0B4F4FCDE7C4F185375E86AF35", lpString2="Program Files (x86)") returned -1 [0163.117] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll.EE71B3EA2E70B3ED663D23F3AB7C94712A4ADB0B4F4FCDE7C4F185375E86AF35", lpString2="$Recycle.bin") returned 1 [0163.117] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll.EE71B3EA2E70B3ED663D23F3AB7C94712A4ADB0B4F4FCDE7C4F185375E86AF35", lpString2="System Volume Information") returned -1 [0163.117] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll.EE71B3EA2E70B3ED663D23F3AB7C94712A4ADB0B4F4FCDE7C4F185375E86AF35", lpString2=".") returned 1 [0163.117] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll.EE71B3EA2E70B3ED663D23F3AB7C94712A4ADB0B4F4FCDE7C4F185375E86AF35", lpString2="..") returned 1 [0163.117] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll.EE71B3EA2E70B3ED663D23F3AB7C94712A4ADB0B4F4FCDE7C4F185375E86AF35") returned 141 [0163.117] lstrcmpW (lpString1="MSOINTL.REST.trx_dll.EE71B3EA2E70B3ED663D23F3AB7C94712A4ADB0B4F4FCDE7C4F185375E86AF35", lpString2="PUSSY.TXT") returned -1 [0163.117] PathFindExtensionW (pszPath="MSOINTL.REST.trx_dll.EE71B3EA2E70B3ED663D23F3AB7C94712A4ADB0B4F4FCDE7C4F185375E86AF35") returned=".EE71B3EA2E70B3ED663D23F3AB7C94712A4ADB0B4F4FCDE7C4F185375E86AF35" [0163.117] lstrlenW (lpString=".EE71B3EA2E70B3ED663D23F3AB7C94712A4ADB0B4F4FCDE7C4F185375E86AF35") returned 65 [0163.117] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaa381000, ftCreationTime.dwHighDateTime=0x1cac7fb, ftLastAccessTime.dwLowDateTime=0xeef27730, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc4804700, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0xb360, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="OMSINTL.DLL.trx_dll.F9C4BA0480AE7FC7E8AA44969299411D07EF63B1A8004B3E1A2B800383DB1F31", cAlternateFileName="OMSINT~1.F9C")) returned 1 [0163.117] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll.F9C4BA0480AE7FC7E8AA44969299411D07EF63B1A8004B3E1A2B800383DB1F31", lpString2="Windows") returned -1 [0163.117] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll.F9C4BA0480AE7FC7E8AA44969299411D07EF63B1A8004B3E1A2B800383DB1F31", lpString2="Program Files") returned -1 [0163.117] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll.F9C4BA0480AE7FC7E8AA44969299411D07EF63B1A8004B3E1A2B800383DB1F31", lpString2="Program Files (x86)") returned -1 [0163.117] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll.F9C4BA0480AE7FC7E8AA44969299411D07EF63B1A8004B3E1A2B800383DB1F31", lpString2="$Recycle.bin") returned 1 [0163.117] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll.F9C4BA0480AE7FC7E8AA44969299411D07EF63B1A8004B3E1A2B800383DB1F31", lpString2="System Volume Information") returned -1 [0163.117] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll.F9C4BA0480AE7FC7E8AA44969299411D07EF63B1A8004B3E1A2B800383DB1F31", lpString2=".") returned 1 [0163.117] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll.F9C4BA0480AE7FC7E8AA44969299411D07EF63B1A8004B3E1A2B800383DB1F31", lpString2="..") returned 1 [0163.117] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll.F9C4BA0480AE7FC7E8AA44969299411D07EF63B1A8004B3E1A2B800383DB1F31") returned 140 [0163.117] lstrcmpW (lpString1="OMSINTL.DLL.trx_dll.F9C4BA0480AE7FC7E8AA44969299411D07EF63B1A8004B3E1A2B800383DB1F31", lpString2="PUSSY.TXT") returned -1 [0163.117] PathFindExtensionW (pszPath="OMSINTL.DLL.trx_dll.F9C4BA0480AE7FC7E8AA44969299411D07EF63B1A8004B3E1A2B800383DB1F31") returned=".F9C4BA0480AE7FC7E8AA44969299411D07EF63B1A8004B3E1A2B800383DB1F31" [0163.117] lstrlenW (lpString=".F9C4BA0480AE7FC7E8AA44969299411D07EF63B1A8004B3E1A2B800383DB1F31") returned 65 [0163.117] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7337cc00, ftCreationTime.dwHighDateTime=0x1cacf6a, ftLastAccessTime.dwLowDateTime=0xeef27730, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc482a860, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x7b60, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="ONINTL.DLL.trx_dll.912A0D89B97A006E2AC31E1EE4E9799A3877983656355405CC665969EA428402", cAlternateFileName="ONINTL~1.912")) returned 1 [0163.117] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll.912A0D89B97A006E2AC31E1EE4E9799A3877983656355405CC665969EA428402", lpString2="Windows") returned -1 [0163.117] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll.912A0D89B97A006E2AC31E1EE4E9799A3877983656355405CC665969EA428402", lpString2="Program Files") returned -1 [0163.118] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll.912A0D89B97A006E2AC31E1EE4E9799A3877983656355405CC665969EA428402", lpString2="Program Files (x86)") returned -1 [0163.118] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll.912A0D89B97A006E2AC31E1EE4E9799A3877983656355405CC665969EA428402", lpString2="$Recycle.bin") returned 1 [0163.118] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll.912A0D89B97A006E2AC31E1EE4E9799A3877983656355405CC665969EA428402", lpString2="System Volume Information") returned -1 [0163.118] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll.912A0D89B97A006E2AC31E1EE4E9799A3877983656355405CC665969EA428402", lpString2=".") returned 1 [0163.118] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll.912A0D89B97A006E2AC31E1EE4E9799A3877983656355405CC665969EA428402", lpString2="..") returned 1 [0163.118] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll.912A0D89B97A006E2AC31E1EE4E9799A3877983656355405CC665969EA428402") returned 139 [0163.118] lstrcmpW (lpString1="ONINTL.DLL.trx_dll.912A0D89B97A006E2AC31E1EE4E9799A3877983656355405CC665969EA428402", lpString2="PUSSY.TXT") returned -1 [0163.118] PathFindExtensionW (pszPath="ONINTL.DLL.trx_dll.912A0D89B97A006E2AC31E1EE4E9799A3877983656355405CC665969EA428402") returned=".912A0D89B97A006E2AC31E1EE4E9799A3877983656355405CC665969EA428402" [0163.118] lstrlenW (lpString=".912A0D89B97A006E2AC31E1EE4E9799A3877983656355405CC665969EA428402") returned 65 [0163.118] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7337cc00, ftCreationTime.dwHighDateTime=0x1cacf6a, ftLastAccessTime.dwLowDateTime=0xeef4d890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc4ab1fc0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x3fb60, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="ONINTL.REST.trx_dll.1ACE6B1150E9B850B9E5F1DAF05847687934A4C6DEADDF2077C19E29EEC1B755", cAlternateFileName="ONINTL~1.1AC")) returned 1 [0163.118] lstrcmpiW (lpString1="ONINTL.REST.trx_dll.1ACE6B1150E9B850B9E5F1DAF05847687934A4C6DEADDF2077C19E29EEC1B755", lpString2="Windows") returned -1 [0163.118] lstrcmpiW (lpString1="ONINTL.REST.trx_dll.1ACE6B1150E9B850B9E5F1DAF05847687934A4C6DEADDF2077C19E29EEC1B755", lpString2="Program Files") returned -1 [0163.118] lstrcmpiW (lpString1="ONINTL.REST.trx_dll.1ACE6B1150E9B850B9E5F1DAF05847687934A4C6DEADDF2077C19E29EEC1B755", lpString2="Program Files (x86)") returned -1 [0163.118] lstrcmpiW (lpString1="ONINTL.REST.trx_dll.1ACE6B1150E9B850B9E5F1DAF05847687934A4C6DEADDF2077C19E29EEC1B755", lpString2="$Recycle.bin") returned 1 [0163.118] lstrcmpiW (lpString1="ONINTL.REST.trx_dll.1ACE6B1150E9B850B9E5F1DAF05847687934A4C6DEADDF2077C19E29EEC1B755", lpString2="System Volume Information") returned -1 [0163.118] lstrcmpiW (lpString1="ONINTL.REST.trx_dll.1ACE6B1150E9B850B9E5F1DAF05847687934A4C6DEADDF2077C19E29EEC1B755", lpString2=".") returned 1 [0163.118] lstrcmpiW (lpString1="ONINTL.REST.trx_dll.1ACE6B1150E9B850B9E5F1DAF05847687934A4C6DEADDF2077C19E29EEC1B755", lpString2="..") returned 1 [0163.118] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll.1ACE6B1150E9B850B9E5F1DAF05847687934A4C6DEADDF2077C19E29EEC1B755") returned 140 [0163.118] lstrcmpW (lpString1="ONINTL.REST.trx_dll.1ACE6B1150E9B850B9E5F1DAF05847687934A4C6DEADDF2077C19E29EEC1B755", lpString2="PUSSY.TXT") returned -1 [0163.118] PathFindExtensionW (pszPath="ONINTL.REST.trx_dll.1ACE6B1150E9B850B9E5F1DAF05847687934A4C6DEADDF2077C19E29EEC1B755") returned=".1ACE6B1150E9B850B9E5F1DAF05847687934A4C6DEADDF2077C19E29EEC1B755" [0163.118] lstrlenW (lpString=".1ACE6B1150E9B850B9E5F1DAF05847687934A4C6DEADDF2077C19E29EEC1B755") returned 65 [0163.118] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1ab87a00, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeef4d890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc4ab1fc0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x37560, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="OUTLLIBR.DLL.trx_dll.0D7CF7D5590FB0965E5E1263F9394004C7F2AA028FE9D26909CC7737CC0EF509", cAlternateFileName="OUTLLI~1.0D7")) returned 1 [0163.118] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll.0D7CF7D5590FB0965E5E1263F9394004C7F2AA028FE9D26909CC7737CC0EF509", lpString2="Windows") returned -1 [0163.118] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll.0D7CF7D5590FB0965E5E1263F9394004C7F2AA028FE9D26909CC7737CC0EF509", lpString2="Program Files") returned -1 [0163.118] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll.0D7CF7D5590FB0965E5E1263F9394004C7F2AA028FE9D26909CC7737CC0EF509", lpString2="Program Files (x86)") returned -1 [0163.119] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll.0D7CF7D5590FB0965E5E1263F9394004C7F2AA028FE9D26909CC7737CC0EF509", lpString2="$Recycle.bin") returned 1 [0163.119] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll.0D7CF7D5590FB0965E5E1263F9394004C7F2AA028FE9D26909CC7737CC0EF509", lpString2="System Volume Information") returned -1 [0163.119] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll.0D7CF7D5590FB0965E5E1263F9394004C7F2AA028FE9D26909CC7737CC0EF509", lpString2=".") returned 1 [0163.119] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll.0D7CF7D5590FB0965E5E1263F9394004C7F2AA028FE9D26909CC7737CC0EF509", lpString2="..") returned 1 [0163.119] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll.0D7CF7D5590FB0965E5E1263F9394004C7F2AA028FE9D26909CC7737CC0EF509") returned 141 [0163.119] lstrcmpW (lpString1="OUTLLIBR.DLL.trx_dll.0D7CF7D5590FB0965E5E1263F9394004C7F2AA028FE9D26909CC7737CC0EF509", lpString2="PUSSY.TXT") returned -1 [0163.119] PathFindExtensionW (pszPath="OUTLLIBR.DLL.trx_dll.0D7CF7D5590FB0965E5E1263F9394004C7F2AA028FE9D26909CC7737CC0EF509") returned=".0D7CF7D5590FB0965E5E1263F9394004C7F2AA028FE9D26909CC7737CC0EF509" [0163.119] lstrlenW (lpString=".0D7CF7D5590FB0965E5E1263F9394004C7F2AA028FE9D26909CC7737CC0EF509") returned 65 [0163.119] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1ab87a00, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeef739f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc4ab1fc0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0xa6560, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="OUTLLIBR.REST.trx_dll.45F48CB302ADE93101EA9ED39D4208027A1FD861973057B2943B35FFB01D664C", cAlternateFileName="OUTLLI~1.45F")) returned 1 [0163.119] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll.45F48CB302ADE93101EA9ED39D4208027A1FD861973057B2943B35FFB01D664C", lpString2="Windows") returned -1 [0163.119] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll.45F48CB302ADE93101EA9ED39D4208027A1FD861973057B2943B35FFB01D664C", lpString2="Program Files") returned -1 [0163.119] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll.45F48CB302ADE93101EA9ED39D4208027A1FD861973057B2943B35FFB01D664C", lpString2="Program Files (x86)") returned -1 [0163.119] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll.45F48CB302ADE93101EA9ED39D4208027A1FD861973057B2943B35FFB01D664C", lpString2="$Recycle.bin") returned 1 [0163.119] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll.45F48CB302ADE93101EA9ED39D4208027A1FD861973057B2943B35FFB01D664C", lpString2="System Volume Information") returned -1 [0163.119] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll.45F48CB302ADE93101EA9ED39D4208027A1FD861973057B2943B35FFB01D664C", lpString2=".") returned 1 [0163.119] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll.45F48CB302ADE93101EA9ED39D4208027A1FD861973057B2943B35FFB01D664C", lpString2="..") returned 1 [0163.119] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll.45F48CB302ADE93101EA9ED39D4208027A1FD861973057B2943B35FFB01D664C") returned 142 [0163.119] lstrcmpW (lpString1="OUTLLIBR.REST.trx_dll.45F48CB302ADE93101EA9ED39D4208027A1FD861973057B2943B35FFB01D664C", lpString2="PUSSY.TXT") returned -1 [0163.119] PathFindExtensionW (pszPath="OUTLLIBR.REST.trx_dll.45F48CB302ADE93101EA9ED39D4208027A1FD861973057B2943B35FFB01D664C") returned=".45F48CB302ADE93101EA9ED39D4208027A1FD861973057B2943B35FFB01D664C" [0163.119] lstrlenW (lpString=".45F48CB302ADE93101EA9ED39D4208027A1FD861973057B2943B35FFB01D664C") returned 65 [0163.119] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1be9a700, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeef739f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc4d39720, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x2b60, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="OUTLWVW.DLL.trx_dll.52FBCA4AABAD8F7B060DCEE474FE1E6895C21B543E803DC7677BA6C50497D44B", cAlternateFileName="OUTLWV~1.52F")) returned 1 [0163.119] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll.52FBCA4AABAD8F7B060DCEE474FE1E6895C21B543E803DC7677BA6C50497D44B", lpString2="Windows") returned -1 [0163.119] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll.52FBCA4AABAD8F7B060DCEE474FE1E6895C21B543E803DC7677BA6C50497D44B", lpString2="Program Files") returned -1 [0163.119] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll.52FBCA4AABAD8F7B060DCEE474FE1E6895C21B543E803DC7677BA6C50497D44B", lpString2="Program Files (x86)") returned -1 [0163.119] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll.52FBCA4AABAD8F7B060DCEE474FE1E6895C21B543E803DC7677BA6C50497D44B", lpString2="$Recycle.bin") returned 1 [0163.120] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll.52FBCA4AABAD8F7B060DCEE474FE1E6895C21B543E803DC7677BA6C50497D44B", lpString2="System Volume Information") returned -1 [0163.120] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll.52FBCA4AABAD8F7B060DCEE474FE1E6895C21B543E803DC7677BA6C50497D44B", lpString2=".") returned 1 [0163.120] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll.52FBCA4AABAD8F7B060DCEE474FE1E6895C21B543E803DC7677BA6C50497D44B", lpString2="..") returned 1 [0163.120] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll.52FBCA4AABAD8F7B060DCEE474FE1E6895C21B543E803DC7677BA6C50497D44B") returned 140 [0163.120] lstrcmpW (lpString1="OUTLWVW.DLL.trx_dll.52FBCA4AABAD8F7B060DCEE474FE1E6895C21B543E803DC7677BA6C50497D44B", lpString2="PUSSY.TXT") returned -1 [0163.120] PathFindExtensionW (pszPath="OUTLWVW.DLL.trx_dll.52FBCA4AABAD8F7B060DCEE474FE1E6895C21B543E803DC7677BA6C50497D44B") returned=".52FBCA4AABAD8F7B060DCEE474FE1E6895C21B543E803DC7677BA6C50497D44B" [0163.120] lstrlenW (lpString=".52FBCA4AABAD8F7B060DCEE474FE1E6895C21B543E803DC7677BA6C50497D44B") returned 65 [0163.120] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7cef6000, ftCreationTime.dwHighDateTime=0x1cac803, ftLastAccessTime.dwLowDateTime=0xef00bf70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc4d39720, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0xcd60, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="PPINTL.DLL.trx_dll.15536CAC8EDB5D3C1EFC119CDA247FDAEAC2C75AF7AEFC908D009A89645D956E", cAlternateFileName="PPINTL~1.155")) returned 1 [0163.120] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll.15536CAC8EDB5D3C1EFC119CDA247FDAEAC2C75AF7AEFC908D009A89645D956E", lpString2="Windows") returned -1 [0163.120] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll.15536CAC8EDB5D3C1EFC119CDA247FDAEAC2C75AF7AEFC908D009A89645D956E", lpString2="Program Files") returned -1 [0163.120] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll.15536CAC8EDB5D3C1EFC119CDA247FDAEAC2C75AF7AEFC908D009A89645D956E", lpString2="Program Files (x86)") returned -1 [0163.120] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll.15536CAC8EDB5D3C1EFC119CDA247FDAEAC2C75AF7AEFC908D009A89645D956E", lpString2="$Recycle.bin") returned 1 [0163.120] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll.15536CAC8EDB5D3C1EFC119CDA247FDAEAC2C75AF7AEFC908D009A89645D956E", lpString2="System Volume Information") returned -1 [0163.120] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll.15536CAC8EDB5D3C1EFC119CDA247FDAEAC2C75AF7AEFC908D009A89645D956E", lpString2=".") returned 1 [0163.120] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll.15536CAC8EDB5D3C1EFC119CDA247FDAEAC2C75AF7AEFC908D009A89645D956E", lpString2="..") returned 1 [0163.120] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll.15536CAC8EDB5D3C1EFC119CDA247FDAEAC2C75AF7AEFC908D009A89645D956E") returned 139 [0163.120] lstrcmpW (lpString1="PPINTL.DLL.trx_dll.15536CAC8EDB5D3C1EFC119CDA247FDAEAC2C75AF7AEFC908D009A89645D956E", lpString2="PUSSY.TXT") returned -1 [0163.120] PathFindExtensionW (pszPath="PPINTL.DLL.trx_dll.15536CAC8EDB5D3C1EFC119CDA247FDAEAC2C75AF7AEFC908D009A89645D956E") returned=".15536CAC8EDB5D3C1EFC119CDA247FDAEAC2C75AF7AEFC908D009A89645D956E" [0163.120] lstrlenW (lpString=".15536CAC8EDB5D3C1EFC119CDA247FDAEAC2C75AF7AEFC908D009A89645D956E") returned 65 [0163.120] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7cef6000, ftCreationTime.dwHighDateTime=0x1cac803, ftLastAccessTime.dwLowDateTime=0xef00bf70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc4d39720, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x45f60, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="PPINTL.REST.trx_dll.52FAB71D9D63584C01E1EB78F547E062A168BB9B3D9C0FE60DBC4B0DCCC9AC72", cAlternateFileName="PPINTL~1.52F")) returned 1 [0163.120] lstrcmpiW (lpString1="PPINTL.REST.trx_dll.52FAB71D9D63584C01E1EB78F547E062A168BB9B3D9C0FE60DBC4B0DCCC9AC72", lpString2="Windows") returned -1 [0163.120] lstrcmpiW (lpString1="PPINTL.REST.trx_dll.52FAB71D9D63584C01E1EB78F547E062A168BB9B3D9C0FE60DBC4B0DCCC9AC72", lpString2="Program Files") returned -1 [0163.120] lstrcmpiW (lpString1="PPINTL.REST.trx_dll.52FAB71D9D63584C01E1EB78F547E062A168BB9B3D9C0FE60DBC4B0DCCC9AC72", lpString2="Program Files (x86)") returned -1 [0163.120] lstrcmpiW (lpString1="PPINTL.REST.trx_dll.52FAB71D9D63584C01E1EB78F547E062A168BB9B3D9C0FE60DBC4B0DCCC9AC72", lpString2="$Recycle.bin") returned 1 [0163.120] lstrcmpiW (lpString1="PPINTL.REST.trx_dll.52FAB71D9D63584C01E1EB78F547E062A168BB9B3D9C0FE60DBC4B0DCCC9AC72", lpString2="System Volume Information") returned -1 [0163.121] lstrcmpiW (lpString1="PPINTL.REST.trx_dll.52FAB71D9D63584C01E1EB78F547E062A168BB9B3D9C0FE60DBC4B0DCCC9AC72", lpString2=".") returned 1 [0163.121] lstrcmpiW (lpString1="PPINTL.REST.trx_dll.52FAB71D9D63584C01E1EB78F547E062A168BB9B3D9C0FE60DBC4B0DCCC9AC72", lpString2="..") returned 1 [0163.121] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll.52FAB71D9D63584C01E1EB78F547E062A168BB9B3D9C0FE60DBC4B0DCCC9AC72") returned 140 [0163.121] lstrcmpW (lpString1="PPINTL.REST.trx_dll.52FAB71D9D63584C01E1EB78F547E062A168BB9B3D9C0FE60DBC4B0DCCC9AC72", lpString2="PUSSY.TXT") returned -1 [0163.121] PathFindExtensionW (pszPath="PPINTL.REST.trx_dll.52FAB71D9D63584C01E1EB78F547E062A168BB9B3D9C0FE60DBC4B0DCCC9AC72") returned=".52FAB71D9D63584C01E1EB78F547E062A168BB9B3D9C0FE60DBC4B0DCCC9AC72" [0163.121] lstrlenW (lpString=".52FAB71D9D63584C01E1EB78F547E062A168BB9B3D9C0FE60DBC4B0DCCC9AC72") returned 65 [0163.121] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa3b09500, ftCreationTime.dwHighDateTime=0x1cac809, ftLastAccessTime.dwLowDateTime=0xef00bf70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc4f74bc0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x1a360, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="PUB6INTL.DLL.trx_dll.4D3A267BDD8B33EB9FBFA0BC04F2C9A356571F235F660F25F408619259518973", cAlternateFileName="PUB6IN~1.4D3")) returned 1 [0163.121] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll.4D3A267BDD8B33EB9FBFA0BC04F2C9A356571F235F660F25F408619259518973", lpString2="Windows") returned -1 [0163.121] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll.4D3A267BDD8B33EB9FBFA0BC04F2C9A356571F235F660F25F408619259518973", lpString2="Program Files") returned 1 [0163.121] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll.4D3A267BDD8B33EB9FBFA0BC04F2C9A356571F235F660F25F408619259518973", lpString2="Program Files (x86)") returned 1 [0163.121] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll.4D3A267BDD8B33EB9FBFA0BC04F2C9A356571F235F660F25F408619259518973", lpString2="$Recycle.bin") returned 1 [0163.121] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll.4D3A267BDD8B33EB9FBFA0BC04F2C9A356571F235F660F25F408619259518973", lpString2="System Volume Information") returned -1 [0163.121] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll.4D3A267BDD8B33EB9FBFA0BC04F2C9A356571F235F660F25F408619259518973", lpString2=".") returned 1 [0163.121] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll.4D3A267BDD8B33EB9FBFA0BC04F2C9A356571F235F660F25F408619259518973", lpString2="..") returned 1 [0163.121] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll.4D3A267BDD8B33EB9FBFA0BC04F2C9A356571F235F660F25F408619259518973") returned 141 [0163.121] lstrcmpW (lpString1="PUB6INTL.DLL.trx_dll.4D3A267BDD8B33EB9FBFA0BC04F2C9A356571F235F660F25F408619259518973", lpString2="PUSSY.TXT") returned -1 [0163.121] PathFindExtensionW (pszPath="PUB6INTL.DLL.trx_dll.4D3A267BDD8B33EB9FBFA0BC04F2C9A356571F235F660F25F408619259518973") returned=".4D3A267BDD8B33EB9FBFA0BC04F2C9A356571F235F660F25F408619259518973" [0163.121] lstrlenW (lpString=".4D3A267BDD8B33EB9FBFA0BC04F2C9A356571F235F660F25F408619259518973") returned 65 [0163.121] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa27f6800, ftCreationTime.dwHighDateTime=0x1cac809, ftLastAccessTime.dwLowDateTime=0xef0320d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc5163da0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x8e160, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="PUB6INTL.REST.trx_dll.59FE512D45B19CC00B6B8A7C3DFFC7D1A2ED9AC228F0E99E3D7A57F248790316", cAlternateFileName="PUB6IN~1.59F")) returned 1 [0163.121] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll.59FE512D45B19CC00B6B8A7C3DFFC7D1A2ED9AC228F0E99E3D7A57F248790316", lpString2="Windows") returned -1 [0163.121] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll.59FE512D45B19CC00B6B8A7C3DFFC7D1A2ED9AC228F0E99E3D7A57F248790316", lpString2="Program Files") returned 1 [0163.121] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll.59FE512D45B19CC00B6B8A7C3DFFC7D1A2ED9AC228F0E99E3D7A57F248790316", lpString2="Program Files (x86)") returned 1 [0163.121] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll.59FE512D45B19CC00B6B8A7C3DFFC7D1A2ED9AC228F0E99E3D7A57F248790316", lpString2="$Recycle.bin") returned 1 [0163.121] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll.59FE512D45B19CC00B6B8A7C3DFFC7D1A2ED9AC228F0E99E3D7A57F248790316", lpString2="System Volume Information") returned -1 [0163.122] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll.59FE512D45B19CC00B6B8A7C3DFFC7D1A2ED9AC228F0E99E3D7A57F248790316", lpString2=".") returned 1 [0163.122] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll.59FE512D45B19CC00B6B8A7C3DFFC7D1A2ED9AC228F0E99E3D7A57F248790316", lpString2="..") returned 1 [0163.122] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll.59FE512D45B19CC00B6B8A7C3DFFC7D1A2ED9AC228F0E99E3D7A57F248790316") returned 142 [0163.122] lstrcmpW (lpString1="PUB6INTL.REST.trx_dll.59FE512D45B19CC00B6B8A7C3DFFC7D1A2ED9AC228F0E99E3D7A57F248790316", lpString2="PUSSY.TXT") returned -1 [0163.122] PathFindExtensionW (pszPath="PUB6INTL.REST.trx_dll.59FE512D45B19CC00B6B8A7C3DFFC7D1A2ED9AC228F0E99E3D7A57F248790316") returned=".59FE512D45B19CC00B6B8A7C3DFFC7D1A2ED9AC228F0E99E3D7A57F248790316" [0163.122] lstrlenW (lpString=".59FE512D45B19CC00B6B8A7C3DFFC7D1A2ED9AC228F0E99E3D7A57F248790316") returned 65 [0163.122] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x749d2200, ftCreationTime.dwHighDateTime=0x1cac80f, ftLastAccessTime.dwLowDateTime=0xef0320d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc5189f00, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x5ab60, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="PUBWZINT.REST.trx_dll.6C8755DEDCBA40062AF5F76C739950387F75E17CEC7AB42A0CFE8ECFA78FE911", cAlternateFileName="PUBWZI~1.6C8")) returned 1 [0163.122] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll.6C8755DEDCBA40062AF5F76C739950387F75E17CEC7AB42A0CFE8ECFA78FE911", lpString2="Windows") returned -1 [0163.122] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll.6C8755DEDCBA40062AF5F76C739950387F75E17CEC7AB42A0CFE8ECFA78FE911", lpString2="Program Files") returned 1 [0163.122] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll.6C8755DEDCBA40062AF5F76C739950387F75E17CEC7AB42A0CFE8ECFA78FE911", lpString2="Program Files (x86)") returned 1 [0163.122] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll.6C8755DEDCBA40062AF5F76C739950387F75E17CEC7AB42A0CFE8ECFA78FE911", lpString2="$Recycle.bin") returned 1 [0163.122] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll.6C8755DEDCBA40062AF5F76C739950387F75E17CEC7AB42A0CFE8ECFA78FE911", lpString2="System Volume Information") returned -1 [0163.122] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll.6C8755DEDCBA40062AF5F76C739950387F75E17CEC7AB42A0CFE8ECFA78FE911", lpString2=".") returned 1 [0163.122] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll.6C8755DEDCBA40062AF5F76C739950387F75E17CEC7AB42A0CFE8ECFA78FE911", lpString2="..") returned 1 [0163.122] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll.6C8755DEDCBA40062AF5F76C739950387F75E17CEC7AB42A0CFE8ECFA78FE911") returned 142 [0163.122] lstrcmpW (lpString1="PUBWZINT.REST.trx_dll.6C8755DEDCBA40062AF5F76C739950387F75E17CEC7AB42A0CFE8ECFA78FE911", lpString2="PUSSY.TXT") returned -1 [0163.122] PathFindExtensionW (pszPath="PUBWZINT.REST.trx_dll.6C8755DEDCBA40062AF5F76C739950387F75E17CEC7AB42A0CFE8ECFA78FE911") returned=".6C8755DEDCBA40062AF5F76C739950387F75E17CEC7AB42A0CFE8ECFA78FE911" [0163.122] lstrlenW (lpString=".6C8755DEDCBA40062AF5F76C739950387F75E17CEC7AB42A0CFE8ECFA78FE911") returned 65 [0163.122] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc558e420, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc558e420, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc558e420, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.122] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.122] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.122] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.122] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.122] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.122] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.122] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.123] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUSSY.TXT") returned 65 [0163.123] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.123] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6d7a1200, ftCreationTime.dwHighDateTime=0x1cac817, ftLastAccessTime.dwLowDateTime=0xef058230, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc5189f00, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x3360, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="SGRES.DLL.trx_dll.5BA3AD7005F912490FEE705975B3B5557B0A4627FEB4E30C5634F1F2674A4A1D", cAlternateFileName="SGRESD~1.5BA")) returned 1 [0163.123] lstrcmpiW (lpString1="SGRES.DLL.trx_dll.5BA3AD7005F912490FEE705975B3B5557B0A4627FEB4E30C5634F1F2674A4A1D", lpString2="Windows") returned -1 [0163.123] lstrcmpiW (lpString1="SGRES.DLL.trx_dll.5BA3AD7005F912490FEE705975B3B5557B0A4627FEB4E30C5634F1F2674A4A1D", lpString2="Program Files") returned 1 [0163.123] lstrcmpiW (lpString1="SGRES.DLL.trx_dll.5BA3AD7005F912490FEE705975B3B5557B0A4627FEB4E30C5634F1F2674A4A1D", lpString2="Program Files (x86)") returned 1 [0163.123] lstrcmpiW (lpString1="SGRES.DLL.trx_dll.5BA3AD7005F912490FEE705975B3B5557B0A4627FEB4E30C5634F1F2674A4A1D", lpString2="$Recycle.bin") returned 1 [0163.123] lstrcmpiW (lpString1="SGRES.DLL.trx_dll.5BA3AD7005F912490FEE705975B3B5557B0A4627FEB4E30C5634F1F2674A4A1D", lpString2="System Volume Information") returned -1 [0163.123] lstrcmpiW (lpString1="SGRES.DLL.trx_dll.5BA3AD7005F912490FEE705975B3B5557B0A4627FEB4E30C5634F1F2674A4A1D", lpString2=".") returned 1 [0163.123] lstrcmpiW (lpString1="SGRES.DLL.trx_dll.5BA3AD7005F912490FEE705975B3B5557B0A4627FEB4E30C5634F1F2674A4A1D", lpString2="..") returned 1 [0163.123] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll.5BA3AD7005F912490FEE705975B3B5557B0A4627FEB4E30C5634F1F2674A4A1D") returned 138 [0163.123] lstrcmpW (lpString1="SGRES.DLL.trx_dll.5BA3AD7005F912490FEE705975B3B5557B0A4627FEB4E30C5634F1F2674A4A1D", lpString2="PUSSY.TXT") returned 1 [0163.123] PathFindExtensionW (pszPath="SGRES.DLL.trx_dll.5BA3AD7005F912490FEE705975B3B5557B0A4627FEB4E30C5634F1F2674A4A1D") returned=".5BA3AD7005F912490FEE705975B3B5557B0A4627FEB4E30C5634F1F2674A4A1D" [0163.123] lstrlenW (lpString=".5BA3AD7005F912490FEE705975B3B5557B0A4627FEB4E30C5634F1F2674A4A1D") returned 65 [0163.123] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc8e7d800, ftCreationTime.dwHighDateTime=0x1cac7f6, ftLastAccessTime.dwLowDateTime=0xef058230, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc51d61c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4160, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="STINTL.DLL.trx_dll.7D1264631E14A1169A6F1FA8CF6F0B043E59742FFECE864F943CA2F6C85E692E", cAlternateFileName="STINTL~1.7D1")) returned 1 [0163.123] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll.7D1264631E14A1169A6F1FA8CF6F0B043E59742FFECE864F943CA2F6C85E692E") returned 139 [0163.124] lstrcmpW (lpString1="STINTL.DLL.trx_dll.7D1264631E14A1169A6F1FA8CF6F0B043E59742FFECE864F943CA2F6C85E692E", lpString2="PUSSY.TXT") returned 1 [0163.124] PathFindExtensionW (pszPath="STINTL.DLL.trx_dll.7D1264631E14A1169A6F1FA8CF6F0B043E59742FFECE864F943CA2F6C85E692E") returned=".7D1264631E14A1169A6F1FA8CF6F0B043E59742FFECE864F943CA2F6C85E692E" [0163.124] lstrlenW (lpString=".7D1264631E14A1169A6F1FA8CF6F0B043E59742FFECE864F943CA2F6C85E692E") returned 65 [0163.124] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbf706700, ftCreationTime.dwHighDateTime=0x1cac81a, ftLastAccessTime.dwLowDateTime=0xef0a44f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc51b0060, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x6960, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="VISBRRES.DLL.trx_dll.FC89A10265746106232DF85C10605477A344DB3EC9BEC9BCB0A352D6077EAD51", cAlternateFileName="VISBRR~1.FC8")) returned 1 [0163.124] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll.FC89A10265746106232DF85C10605477A344DB3EC9BEC9BCB0A352D6077EAD51") returned 141 [0163.124] lstrcmpW (lpString1="VISBRRES.DLL.trx_dll.FC89A10265746106232DF85C10605477A344DB3EC9BEC9BCB0A352D6077EAD51", lpString2="PUSSY.TXT") returned 1 [0163.124] PathFindExtensionW (pszPath="VISBRRES.DLL.trx_dll.FC89A10265746106232DF85C10605477A344DB3EC9BEC9BCB0A352D6077EAD51") returned=".FC89A10265746106232DF85C10605477A344DB3EC9BEC9BCB0A352D6077EAD51" [0163.124] lstrlenW (lpString=".FC89A10265746106232DF85C10605477A344DB3EC9BEC9BCB0A352D6077EAD51") returned 65 [0163.124] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6a315700, ftCreationTime.dwHighDateTime=0x1cac814, ftLastAccessTime.dwLowDateTime=0xef0a44f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc545d920, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x77560, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="VISINTL.DLL.trx_dll.789F4CD51AFF4729781E1549FCAB1EAD9C578589130F15EFC95727C4CBA29143", cAlternateFileName="VISINT~1.789")) returned 1 [0163.124] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll.789F4CD51AFF4729781E1549FCAB1EAD9C578589130F15EFC95727C4CBA29143") returned 140 [0163.124] lstrcmpW (lpString1="VISINTL.DLL.trx_dll.789F4CD51AFF4729781E1549FCAB1EAD9C578589130F15EFC95727C4CBA29143", lpString2="PUSSY.TXT") returned 1 [0163.124] PathFindExtensionW (pszPath="VISINTL.DLL.trx_dll.789F4CD51AFF4729781E1549FCAB1EAD9C578589130F15EFC95727C4CBA29143") returned=".789F4CD51AFF4729781E1549FCAB1EAD9C578589130F15EFC95727C4CBA29143" [0163.124] lstrlenW (lpString=".789F4CD51AFF4729781E1549FCAB1EAD9C578589130F15EFC95727C4CBA29143") returned 65 [0163.124] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcb31c100, ftCreationTime.dwHighDateTime=0x1cacd25, ftLastAccessTime.dwLowDateTime=0xef0ca650, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc58fa3c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x25b60, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="WWINTL.DLL.trx_dll.6014F040976C99B5533BF6FF844114B5BA1927CD709BEFBD1DDB59E31FFFE05C", cAlternateFileName="WWINTL~1.601")) returned 1 [0163.124] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll.6014F040976C99B5533BF6FF844114B5BA1927CD709BEFBD1DDB59E31FFFE05C") returned 139 [0163.124] lstrcmpW (lpString1="WWINTL.DLL.trx_dll.6014F040976C99B5533BF6FF844114B5BA1927CD709BEFBD1DDB59E31FFFE05C", lpString2="PUSSY.TXT") returned 1 [0163.124] PathFindExtensionW (pszPath="WWINTL.DLL.trx_dll.6014F040976C99B5533BF6FF844114B5BA1927CD709BEFBD1DDB59E31FFFE05C") returned=".6014F040976C99B5533BF6FF844114B5BA1927CD709BEFBD1DDB59E31FFFE05C" [0163.124] lstrlenW (lpString=".6014F040976C99B5533BF6FF844114B5BA1927CD709BEFBD1DDB59E31FFFE05C") returned 65 [0163.124] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcb31c100, ftCreationTime.dwHighDateTime=0x1cacd25, ftLastAccessTime.dwLowDateTime=0xef0f07b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc5920520, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x115b60, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="WWINTL.REST.trx_dll.377D793FC7DE28BDE10A25D7E84BFA2DA264EB5006FED223E1C2A296C75D2D04", cAlternateFileName="WWINTL~1.377")) returned 1 [0163.124] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll.377D793FC7DE28BDE10A25D7E84BFA2DA264EB5006FED223E1C2A296C75D2D04") returned 140 [0163.124] lstrcmpW (lpString1="WWINTL.REST.trx_dll.377D793FC7DE28BDE10A25D7E84BFA2DA264EB5006FED223E1C2A296C75D2D04", lpString2="PUSSY.TXT") returned 1 [0163.124] PathFindExtensionW (pszPath="WWINTL.REST.trx_dll.377D793FC7DE28BDE10A25D7E84BFA2DA264EB5006FED223E1C2A296C75D2D04") returned=".377D793FC7DE28BDE10A25D7E84BFA2DA264EB5006FED223E1C2A296C75D2D04" [0163.124] lstrlenW (lpString=".377D793FC7DE28BDE10A25D7E84BFA2DA264EB5006FED223E1C2A296C75D2D04") returned 65 [0163.125] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6b688100, ftCreationTime.dwHighDateTime=0x1cac820, ftLastAccessTime.dwLowDateTime=0xef0f07b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc5920520, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x25360, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="XLINTL32.DLL.trx_dll.63F47ACF67111D280A1DFC89EFA7504F90667687D54754CD80F76F45D66B5833", cAlternateFileName="XLINTL~1.63F")) returned 1 [0163.125] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll.63F47ACF67111D280A1DFC89EFA7504F90667687D54754CD80F76F45D66B5833") returned 141 [0163.125] lstrcmpW (lpString1="XLINTL32.DLL.trx_dll.63F47ACF67111D280A1DFC89EFA7504F90667687D54754CD80F76F45D66B5833", lpString2="PUSSY.TXT") returned 1 [0163.125] PathFindExtensionW (pszPath="XLINTL32.DLL.trx_dll.63F47ACF67111D280A1DFC89EFA7504F90667687D54754CD80F76F45D66B5833") returned=".63F47ACF67111D280A1DFC89EFA7504F90667687D54754CD80F76F45D66B5833" [0163.125] lstrlenW (lpString=".63F47ACF67111D280A1DFC89EFA7504F90667687D54754CD80F76F45D66B5833") returned 65 [0163.125] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6a375400, ftCreationTime.dwHighDateTime=0x1cac820, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc5920520, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x137960, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="XLINTL32.REST.trx_dll.35F1923C7D729FE9412F77BF79EFC5E7E8BADB9F517213186541B7D94FA4AC0E", cAlternateFileName="XLINTL~1.35F")) returned 1 [0163.125] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll.35F1923C7D729FE9412F77BF79EFC5E7E8BADB9F517213186541B7D94FA4AC0E") returned 142 [0163.125] lstrcmpW (lpString1="XLINTL32.REST.trx_dll.35F1923C7D729FE9412F77BF79EFC5E7E8BADB9F517213186541B7D94FA4AC0E", lpString2="PUSSY.TXT") returned 1 [0163.125] PathFindExtensionW (pszPath="XLINTL32.REST.trx_dll.35F1923C7D729FE9412F77BF79EFC5E7E8BADB9F517213186541B7D94FA4AC0E") returned=".35F1923C7D729FE9412F77BF79EFC5E7E8BADB9F517213186541B7D94FA4AC0E" [0163.125] lstrlenW (lpString=".35F1923C7D729FE9412F77BF79EFC5E7E8BADB9F517213186541B7D94FA4AC0E") returned 65 [0163.125] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xfe092000, ftCreationTime.dwHighDateTime=0x1cac820, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc5946680, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x3d60, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="XLSLICER.DLL.trx_dll.1162F7C175D9F22652FCF6C6E2FB80BF3D31D2813B182F0352AD204DDF8C473E", cAlternateFileName="XLSLIC~1.116")) returned 1 [0163.125] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll.1162F7C175D9F22652FCF6C6E2FB80BF3D31D2813B182F0352AD204DDF8C473E") returned 141 [0163.125] lstrcmpW (lpString1="XLSLICER.DLL.trx_dll.1162F7C175D9F22652FCF6C6E2FB80BF3D31D2813B182F0352AD204DDF8C473E", lpString2="PUSSY.TXT") returned 1 [0163.125] PathFindExtensionW (pszPath="XLSLICER.DLL.trx_dll.1162F7C175D9F22652FCF6C6E2FB80BF3D31D2813B182F0352AD204DDF8C473E") returned=".1162F7C175D9F22652FCF6C6E2FB80BF3D31D2813B182F0352AD204DDF8C473E" [0163.125] lstrlenW (lpString=".1162F7C175D9F22652FCF6C6E2FB80BF3D31D2813B182F0352AD204DDF8C473E") returned 65 [0163.125] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xfe092000, ftCreationTime.dwHighDateTime=0x1cac820, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc5946680, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x3d60, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="XLSLICER.DLL.trx_dll.1162F7C175D9F22652FCF6C6E2FB80BF3D31D2813B182F0352AD204DDF8C473E", cAlternateFileName="XLSLIC~1.116")) returned 0 [0163.125] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0163.125] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUSSY.TXT") returned 65 [0163.125] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.126] GetProcessHeap () returned 0x4c0000 [0163.126] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0163.126] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc6d82180, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6d82180, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="3082", cAlternateFileName="")) returned 1 [0163.126] lstrcmpiW (lpString1="3082", lpString2="Windows") returned -1 [0163.126] lstrcmpiW (lpString1="3082", lpString2="Program Files") returned -1 [0163.126] lstrcmpiW (lpString1="3082", lpString2="Program Files (x86)") returned -1 [0163.126] lstrcmpiW (lpString1="3082", lpString2="$Recycle.bin") returned 1 [0163.126] lstrcmpiW (lpString1="3082", lpString2="System Volume Information") returned -1 [0163.126] lstrcmpiW (lpString1="3082", lpString2=".") returned 1 [0163.126] lstrcmpiW (lpString1="3082", lpString2="..") returned 1 [0163.126] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082") returned 55 [0163.126] GetProcessHeap () returned 0x4c0000 [0163.126] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0163.126] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082" [0163.126] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\*" [0163.126] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc6d82180, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6d82180, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0163.126] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.126] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.126] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.127] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.127] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.127] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.127] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc6d82180, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6d82180, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="..", cAlternateFileName="")) returned 1 [0163.127] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.127] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.127] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.127] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.127] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.127] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.127] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.127] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x302da400, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc5946680, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x3760, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="ENVELOPR.DLL.trx_dll.76570790C19949C8F004F4853FFC9E782494298909316E003DD7995AC1149B64", cAlternateFileName="ENVELO~1.765")) returned 1 [0163.128] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll.76570790C19949C8F004F4853FFC9E782494298909316E003DD7995AC1149B64", lpString2="Windows") returned -1 [0163.128] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll.76570790C19949C8F004F4853FFC9E782494298909316E003DD7995AC1149B64", lpString2="Program Files") returned -1 [0163.128] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll.76570790C19949C8F004F4853FFC9E782494298909316E003DD7995AC1149B64", lpString2="Program Files (x86)") returned -1 [0163.128] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll.76570790C19949C8F004F4853FFC9E782494298909316E003DD7995AC1149B64", lpString2="$Recycle.bin") returned 1 [0163.128] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll.76570790C19949C8F004F4853FFC9E782494298909316E003DD7995AC1149B64", lpString2="System Volume Information") returned -1 [0163.128] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll.76570790C19949C8F004F4853FFC9E782494298909316E003DD7995AC1149B64", lpString2=".") returned 1 [0163.128] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll.76570790C19949C8F004F4853FFC9E782494298909316E003DD7995AC1149B64", lpString2="..") returned 1 [0163.128] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll.76570790C19949C8F004F4853FFC9E782494298909316E003DD7995AC1149B64") returned 141 [0163.128] lstrcmpW (lpString1="ENVELOPR.DLL.trx_dll.76570790C19949C8F004F4853FFC9E782494298909316E003DD7995AC1149B64", lpString2="PUSSY.TXT") returned -1 [0163.128] PathFindExtensionW (pszPath="ENVELOPR.DLL.trx_dll.76570790C19949C8F004F4853FFC9E782494298909316E003DD7995AC1149B64") returned=".76570790C19949C8F004F4853FFC9E782494298909316E003DD7995AC1149B64" [0163.128] lstrlenW (lpString=".76570790C19949C8F004F4853FFC9E782494298909316E003DD7995AC1149B64") returned 65 [0163.128] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x74912800, ftCreationTime.dwHighDateTime=0x1cac7f7, ftLastAccessTime.dwLowDateTime=0xeedf6c30, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc5946680, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0xb960, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="GRINTL32.DLL.trx_dll.F11D1198DAD6239B75EFD1C549F07C2EA102A8CBCF780792487982D8A5FFD93C", cAlternateFileName="GRINTL~1.F11")) returned 1 [0163.128] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll.F11D1198DAD6239B75EFD1C549F07C2EA102A8CBCF780792487982D8A5FFD93C", lpString2="Windows") returned -1 [0163.128] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll.F11D1198DAD6239B75EFD1C549F07C2EA102A8CBCF780792487982D8A5FFD93C", lpString2="Program Files") returned -1 [0163.128] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll.F11D1198DAD6239B75EFD1C549F07C2EA102A8CBCF780792487982D8A5FFD93C", lpString2="Program Files (x86)") returned -1 [0163.128] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll.F11D1198DAD6239B75EFD1C549F07C2EA102A8CBCF780792487982D8A5FFD93C", lpString2="$Recycle.bin") returned 1 [0163.128] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll.F11D1198DAD6239B75EFD1C549F07C2EA102A8CBCF780792487982D8A5FFD93C", lpString2="System Volume Information") returned -1 [0163.128] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll.F11D1198DAD6239B75EFD1C549F07C2EA102A8CBCF780792487982D8A5FFD93C", lpString2=".") returned 1 [0163.128] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll.F11D1198DAD6239B75EFD1C549F07C2EA102A8CBCF780792487982D8A5FFD93C", lpString2="..") returned 1 [0163.128] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll.F11D1198DAD6239B75EFD1C549F07C2EA102A8CBCF780792487982D8A5FFD93C") returned 141 [0163.128] lstrcmpW (lpString1="GRINTL32.DLL.trx_dll.F11D1198DAD6239B75EFD1C549F07C2EA102A8CBCF780792487982D8A5FFD93C", lpString2="PUSSY.TXT") returned -1 [0163.128] PathFindExtensionW (pszPath="GRINTL32.DLL.trx_dll.F11D1198DAD6239B75EFD1C549F07C2EA102A8CBCF780792487982D8A5FFD93C") returned=".F11D1198DAD6239B75EFD1C549F07C2EA102A8CBCF780792487982D8A5FFD93C" [0163.128] lstrlenW (lpString=".F11D1198DAD6239B75EFD1C549F07C2EA102A8CBCF780792487982D8A5FFD93C") returned 65 [0163.129] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x74912800, ftCreationTime.dwHighDateTime=0x1cac7f7, ftLastAccessTime.dwLowDateTime=0xeedf6c30, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc596c7e0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x39960, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="GRINTL32.REST.trx_dll.AB3433E1E01E12EBE9BCE3C028BE0D3454D8BC64728D8317313F7F11CCDFA957", cAlternateFileName="GRINTL~1.AB3")) returned 1 [0163.129] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll.AB3433E1E01E12EBE9BCE3C028BE0D3454D8BC64728D8317313F7F11CCDFA957", lpString2="Windows") returned -1 [0163.129] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll.AB3433E1E01E12EBE9BCE3C028BE0D3454D8BC64728D8317313F7F11CCDFA957", lpString2="Program Files") returned -1 [0163.129] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll.AB3433E1E01E12EBE9BCE3C028BE0D3454D8BC64728D8317313F7F11CCDFA957", lpString2="Program Files (x86)") returned -1 [0163.129] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll.AB3433E1E01E12EBE9BCE3C028BE0D3454D8BC64728D8317313F7F11CCDFA957", lpString2="$Recycle.bin") returned 1 [0163.129] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll.AB3433E1E01E12EBE9BCE3C028BE0D3454D8BC64728D8317313F7F11CCDFA957", lpString2="System Volume Information") returned -1 [0163.129] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll.AB3433E1E01E12EBE9BCE3C028BE0D3454D8BC64728D8317313F7F11CCDFA957", lpString2=".") returned 1 [0163.129] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll.AB3433E1E01E12EBE9BCE3C028BE0D3454D8BC64728D8317313F7F11CCDFA957", lpString2="..") returned 1 [0163.129] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll.AB3433E1E01E12EBE9BCE3C028BE0D3454D8BC64728D8317313F7F11CCDFA957") returned 142 [0163.129] lstrcmpW (lpString1="GRINTL32.REST.trx_dll.AB3433E1E01E12EBE9BCE3C028BE0D3454D8BC64728D8317313F7F11CCDFA957", lpString2="PUSSY.TXT") returned -1 [0163.129] PathFindExtensionW (pszPath="GRINTL32.REST.trx_dll.AB3433E1E01E12EBE9BCE3C028BE0D3454D8BC64728D8317313F7F11CCDFA957") returned=".AB3433E1E01E12EBE9BCE3C028BE0D3454D8BC64728D8317313F7F11CCDFA957" [0163.129] lstrlenW (lpString=".AB3433E1E01E12EBE9BCE3C028BE0D3454D8BC64728D8317313F7F11CCDFA957") returned 65 [0163.129] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x302da400, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeee1cd90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc596c7e0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x47d60, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="MAPIR.DLL.trx_dll.35C8F12F5DE6D0E750A26627A53BA0BAE713A711A7D2F8D687C5A2AB9109703F", cAlternateFileName="MAPIRD~1.35C")) returned 1 [0163.129] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll.35C8F12F5DE6D0E750A26627A53BA0BAE713A711A7D2F8D687C5A2AB9109703F", lpString2="Windows") returned -1 [0163.129] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll.35C8F12F5DE6D0E750A26627A53BA0BAE713A711A7D2F8D687C5A2AB9109703F", lpString2="Program Files") returned -1 [0163.129] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll.35C8F12F5DE6D0E750A26627A53BA0BAE713A711A7D2F8D687C5A2AB9109703F", lpString2="Program Files (x86)") returned -1 [0163.129] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll.35C8F12F5DE6D0E750A26627A53BA0BAE713A711A7D2F8D687C5A2AB9109703F", lpString2="$Recycle.bin") returned 1 [0163.129] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll.35C8F12F5DE6D0E750A26627A53BA0BAE713A711A7D2F8D687C5A2AB9109703F", lpString2="System Volume Information") returned -1 [0163.129] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll.35C8F12F5DE6D0E750A26627A53BA0BAE713A711A7D2F8D687C5A2AB9109703F", lpString2=".") returned 1 [0163.129] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll.35C8F12F5DE6D0E750A26627A53BA0BAE713A711A7D2F8D687C5A2AB9109703F", lpString2="..") returned 1 [0163.129] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll.35C8F12F5DE6D0E750A26627A53BA0BAE713A711A7D2F8D687C5A2AB9109703F") returned 138 [0163.129] lstrcmpW (lpString1="MAPIR.DLL.trx_dll.35C8F12F5DE6D0E750A26627A53BA0BAE713A711A7D2F8D687C5A2AB9109703F", lpString2="PUSSY.TXT") returned -1 [0163.129] PathFindExtensionW (pszPath="MAPIR.DLL.trx_dll.35C8F12F5DE6D0E750A26627A53BA0BAE713A711A7D2F8D687C5A2AB9109703F") returned=".35C8F12F5DE6D0E750A26627A53BA0BAE713A711A7D2F8D687C5A2AB9109703F" [0163.129] lstrlenW (lpString=".35C8F12F5DE6D0E750A26627A53BA0BAE713A711A7D2F8D687C5A2AB9109703F") returned 65 [0163.129] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x58968200, ftCreationTime.dwHighDateTime=0x1cac809, ftLastAccessTime.dwLowDateTime=0xeee1cd90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc5c66360, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0xc160, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="MOR6INT.REST.trx_dll.93356F5D6EDAAE7BD008CA76A7EEF06CF3580A678D08219886E5D293B7B3301A", cAlternateFileName="MOR6IN~1.933")) returned 1 [0163.129] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll.93356F5D6EDAAE7BD008CA76A7EEF06CF3580A678D08219886E5D293B7B3301A", lpString2="Windows") returned -1 [0163.130] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll.93356F5D6EDAAE7BD008CA76A7EEF06CF3580A678D08219886E5D293B7B3301A", lpString2="Program Files") returned -1 [0163.130] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll.93356F5D6EDAAE7BD008CA76A7EEF06CF3580A678D08219886E5D293B7B3301A", lpString2="Program Files (x86)") returned -1 [0163.130] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll.93356F5D6EDAAE7BD008CA76A7EEF06CF3580A678D08219886E5D293B7B3301A", lpString2="$Recycle.bin") returned 1 [0163.130] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll.93356F5D6EDAAE7BD008CA76A7EEF06CF3580A678D08219886E5D293B7B3301A", lpString2="System Volume Information") returned -1 [0163.130] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll.93356F5D6EDAAE7BD008CA76A7EEF06CF3580A678D08219886E5D293B7B3301A", lpString2=".") returned 1 [0163.130] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll.93356F5D6EDAAE7BD008CA76A7EEF06CF3580A678D08219886E5D293B7B3301A", lpString2="..") returned 1 [0163.130] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll.93356F5D6EDAAE7BD008CA76A7EEF06CF3580A678D08219886E5D293B7B3301A") returned 141 [0163.130] lstrcmpW (lpString1="MOR6INT.REST.trx_dll.93356F5D6EDAAE7BD008CA76A7EEF06CF3580A678D08219886E5D293B7B3301A", lpString2="PUSSY.TXT") returned -1 [0163.130] PathFindExtensionW (pszPath="MOR6INT.REST.trx_dll.93356F5D6EDAAE7BD008CA76A7EEF06CF3580A678D08219886E5D293B7B3301A") returned=".93356F5D6EDAAE7BD008CA76A7EEF06CF3580A678D08219886E5D293B7B3301A" [0163.130] lstrlenW (lpString=".93356F5D6EDAAE7BD008CA76A7EEF06CF3580A678D08219886E5D293B7B3301A") returned 65 [0163.130] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x248aaf00, ftCreationTime.dwHighDateTime=0x1caca0b, ftLastAccessTime.dwLowDateTime=0xeee42ef0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc5c66360, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x16f60, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="MSOINTL.DLL.trx_dll.FEB261CB776307ED6D045636E6578B30FDFAA5E931509B2FC9B02078B0216677", cAlternateFileName="MSOINT~1.FEB")) returned 1 [0163.130] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll.FEB261CB776307ED6D045636E6578B30FDFAA5E931509B2FC9B02078B0216677", lpString2="Windows") returned -1 [0163.130] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll.FEB261CB776307ED6D045636E6578B30FDFAA5E931509B2FC9B02078B0216677", lpString2="Program Files") returned -1 [0163.130] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll.FEB261CB776307ED6D045636E6578B30FDFAA5E931509B2FC9B02078B0216677", lpString2="Program Files (x86)") returned -1 [0163.130] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll.FEB261CB776307ED6D045636E6578B30FDFAA5E931509B2FC9B02078B0216677", lpString2="$Recycle.bin") returned 1 [0163.130] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll.FEB261CB776307ED6D045636E6578B30FDFAA5E931509B2FC9B02078B0216677", lpString2="System Volume Information") returned -1 [0163.130] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll.FEB261CB776307ED6D045636E6578B30FDFAA5E931509B2FC9B02078B0216677", lpString2=".") returned 1 [0163.130] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll.FEB261CB776307ED6D045636E6578B30FDFAA5E931509B2FC9B02078B0216677", lpString2="..") returned 1 [0163.130] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll.FEB261CB776307ED6D045636E6578B30FDFAA5E931509B2FC9B02078B0216677") returned 140 [0163.130] lstrcmpW (lpString1="MSOINTL.DLL.trx_dll.FEB261CB776307ED6D045636E6578B30FDFAA5E931509B2FC9B02078B0216677", lpString2="PUSSY.TXT") returned -1 [0163.130] PathFindExtensionW (pszPath="MSOINTL.DLL.trx_dll.FEB261CB776307ED6D045636E6578B30FDFAA5E931509B2FC9B02078B0216677") returned=".FEB261CB776307ED6D045636E6578B30FDFAA5E931509B2FC9B02078B0216677" [0163.130] lstrlenW (lpString=".FEB261CB776307ED6D045636E6578B30FDFAA5E931509B2FC9B02078B0216677") returned 65 [0163.130] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x25bbdc00, ftCreationTime.dwHighDateTime=0x1caca0b, ftLastAccessTime.dwLowDateTime=0xeeeb5310, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc5c8c4c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x2b2560, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="MSOINTL.REST.trx_dll.9F56573654604534048A1C7F8B6D39C73548BDBE638E32FFB751CAD914F9F307", cAlternateFileName="MSOINT~1.9F5")) returned 1 [0163.130] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll.9F56573654604534048A1C7F8B6D39C73548BDBE638E32FFB751CAD914F9F307", lpString2="Windows") returned -1 [0163.130] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll.9F56573654604534048A1C7F8B6D39C73548BDBE638E32FFB751CAD914F9F307", lpString2="Program Files") returned -1 [0163.131] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll.9F56573654604534048A1C7F8B6D39C73548BDBE638E32FFB751CAD914F9F307", lpString2="Program Files (x86)") returned -1 [0163.131] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll.9F56573654604534048A1C7F8B6D39C73548BDBE638E32FFB751CAD914F9F307", lpString2="$Recycle.bin") returned 1 [0163.131] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll.9F56573654604534048A1C7F8B6D39C73548BDBE638E32FFB751CAD914F9F307", lpString2="System Volume Information") returned -1 [0163.131] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll.9F56573654604534048A1C7F8B6D39C73548BDBE638E32FFB751CAD914F9F307", lpString2=".") returned 1 [0163.131] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll.9F56573654604534048A1C7F8B6D39C73548BDBE638E32FFB751CAD914F9F307", lpString2="..") returned 1 [0163.131] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll.9F56573654604534048A1C7F8B6D39C73548BDBE638E32FFB751CAD914F9F307") returned 141 [0163.131] lstrcmpW (lpString1="MSOINTL.REST.trx_dll.9F56573654604534048A1C7F8B6D39C73548BDBE638E32FFB751CAD914F9F307", lpString2="PUSSY.TXT") returned -1 [0163.131] PathFindExtensionW (pszPath="MSOINTL.REST.trx_dll.9F56573654604534048A1C7F8B6D39C73548BDBE638E32FFB751CAD914F9F307") returned=".9F56573654604534048A1C7F8B6D39C73548BDBE638E32FFB751CAD914F9F307" [0163.131] lstrlenW (lpString=".9F56573654604534048A1C7F8B6D39C73548BDBE638E32FFB751CAD914F9F307") returned 65 [0163.131] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3564d600, ftCreationTime.dwHighDateTime=0x1cac7fb, ftLastAccessTime.dwLowDateTime=0xeef27730, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc5eedac0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0xb360, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="OMSINTL.DLL.trx_dll.B24C88AA07F35212776B6668EADE6AEDBC281FFB46C9D4288342BDB804434113", cAlternateFileName="OMSINT~1.B24")) returned 1 [0163.131] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll.B24C88AA07F35212776B6668EADE6AEDBC281FFB46C9D4288342BDB804434113", lpString2="Windows") returned -1 [0163.131] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll.B24C88AA07F35212776B6668EADE6AEDBC281FFB46C9D4288342BDB804434113", lpString2="Program Files") returned -1 [0163.131] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll.B24C88AA07F35212776B6668EADE6AEDBC281FFB46C9D4288342BDB804434113", lpString2="Program Files (x86)") returned -1 [0163.131] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll.B24C88AA07F35212776B6668EADE6AEDBC281FFB46C9D4288342BDB804434113", lpString2="$Recycle.bin") returned 1 [0163.131] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll.B24C88AA07F35212776B6668EADE6AEDBC281FFB46C9D4288342BDB804434113", lpString2="System Volume Information") returned -1 [0163.131] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll.B24C88AA07F35212776B6668EADE6AEDBC281FFB46C9D4288342BDB804434113", lpString2=".") returned 1 [0163.131] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll.B24C88AA07F35212776B6668EADE6AEDBC281FFB46C9D4288342BDB804434113", lpString2="..") returned 1 [0163.131] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll.B24C88AA07F35212776B6668EADE6AEDBC281FFB46C9D4288342BDB804434113") returned 140 [0163.131] lstrcmpW (lpString1="OMSINTL.DLL.trx_dll.B24C88AA07F35212776B6668EADE6AEDBC281FFB46C9D4288342BDB804434113", lpString2="PUSSY.TXT") returned -1 [0163.131] PathFindExtensionW (pszPath="OMSINTL.DLL.trx_dll.B24C88AA07F35212776B6668EADE6AEDBC281FFB46C9D4288342BDB804434113") returned=".B24C88AA07F35212776B6668EADE6AEDBC281FFB46C9D4288342BDB804434113" [0163.131] lstrlenW (lpString=".B24C88AA07F35212776B6668EADE6AEDBC281FFB46C9D4288342BDB804434113") returned 65 [0163.131] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x63b88300, ftCreationTime.dwHighDateTime=0x1cacf6a, ftLastAccessTime.dwLowDateTime=0xeef27730, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc5eedac0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x7b60, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="ONINTL.DLL.trx_dll.FA5F95295C7A39EBFBA6715D24A72C14EDD0F0324DC42D50BEDCF77B53AA951D", cAlternateFileName="ONINTL~1.FA5")) returned 1 [0163.131] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll.FA5F95295C7A39EBFBA6715D24A72C14EDD0F0324DC42D50BEDCF77B53AA951D", lpString2="Windows") returned -1 [0163.131] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll.FA5F95295C7A39EBFBA6715D24A72C14EDD0F0324DC42D50BEDCF77B53AA951D", lpString2="Program Files") returned -1 [0163.131] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll.FA5F95295C7A39EBFBA6715D24A72C14EDD0F0324DC42D50BEDCF77B53AA951D", lpString2="Program Files (x86)") returned -1 [0163.131] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll.FA5F95295C7A39EBFBA6715D24A72C14EDD0F0324DC42D50BEDCF77B53AA951D", lpString2="$Recycle.bin") returned 1 [0163.132] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll.FA5F95295C7A39EBFBA6715D24A72C14EDD0F0324DC42D50BEDCF77B53AA951D", lpString2="System Volume Information") returned -1 [0163.132] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll.FA5F95295C7A39EBFBA6715D24A72C14EDD0F0324DC42D50BEDCF77B53AA951D", lpString2=".") returned 1 [0163.132] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll.FA5F95295C7A39EBFBA6715D24A72C14EDD0F0324DC42D50BEDCF77B53AA951D", lpString2="..") returned 1 [0163.132] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll.FA5F95295C7A39EBFBA6715D24A72C14EDD0F0324DC42D50BEDCF77B53AA951D") returned 139 [0163.132] lstrcmpW (lpString1="ONINTL.DLL.trx_dll.FA5F95295C7A39EBFBA6715D24A72C14EDD0F0324DC42D50BEDCF77B53AA951D", lpString2="PUSSY.TXT") returned -1 [0163.132] PathFindExtensionW (pszPath="ONINTL.DLL.trx_dll.FA5F95295C7A39EBFBA6715D24A72C14EDD0F0324DC42D50BEDCF77B53AA951D") returned=".FA5F95295C7A39EBFBA6715D24A72C14EDD0F0324DC42D50BEDCF77B53AA951D" [0163.132] lstrlenW (lpString=".FA5F95295C7A39EBFBA6715D24A72C14EDD0F0324DC42D50BEDCF77B53AA951D") returned 65 [0163.132] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x62875600, ftCreationTime.dwHighDateTime=0x1cacf6a, ftLastAccessTime.dwLowDateTime=0xeef4d890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc614f0c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x3d960, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="ONINTL.REST.trx_dll.141325BF7C6C99311F24AC18A68429E195B38C9C1D0880073E863351111A9009", cAlternateFileName="ONINTL~1.141")) returned 1 [0163.132] lstrcmpiW (lpString1="ONINTL.REST.trx_dll.141325BF7C6C99311F24AC18A68429E195B38C9C1D0880073E863351111A9009", lpString2="Windows") returned -1 [0163.132] lstrcmpiW (lpString1="ONINTL.REST.trx_dll.141325BF7C6C99311F24AC18A68429E195B38C9C1D0880073E863351111A9009", lpString2="Program Files") returned -1 [0163.132] lstrcmpiW (lpString1="ONINTL.REST.trx_dll.141325BF7C6C99311F24AC18A68429E195B38C9C1D0880073E863351111A9009", lpString2="Program Files (x86)") returned -1 [0163.132] lstrcmpiW (lpString1="ONINTL.REST.trx_dll.141325BF7C6C99311F24AC18A68429E195B38C9C1D0880073E863351111A9009", lpString2="$Recycle.bin") returned 1 [0163.132] lstrcmpiW (lpString1="ONINTL.REST.trx_dll.141325BF7C6C99311F24AC18A68429E195B38C9C1D0880073E863351111A9009", lpString2="System Volume Information") returned -1 [0163.132] lstrcmpiW (lpString1="ONINTL.REST.trx_dll.141325BF7C6C99311F24AC18A68429E195B38C9C1D0880073E863351111A9009", lpString2=".") returned 1 [0163.132] lstrcmpiW (lpString1="ONINTL.REST.trx_dll.141325BF7C6C99311F24AC18A68429E195B38C9C1D0880073E863351111A9009", lpString2="..") returned 1 [0163.132] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll.141325BF7C6C99311F24AC18A68429E195B38C9C1D0880073E863351111A9009") returned 140 [0163.132] lstrcmpW (lpString1="ONINTL.REST.trx_dll.141325BF7C6C99311F24AC18A68429E195B38C9C1D0880073E863351111A9009", lpString2="PUSSY.TXT") returned -1 [0163.132] PathFindExtensionW (pszPath="ONINTL.REST.trx_dll.141325BF7C6C99311F24AC18A68429E195B38C9C1D0880073E863351111A9009") returned=".141325BF7C6C99311F24AC18A68429E195B38C9C1D0880073E863351111A9009" [0163.132] lstrlenW (lpString=".141325BF7C6C99311F24AC18A68429E195B38C9C1D0880073E863351111A9009") returned 65 [0163.132] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x302da400, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeef4d890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc5eedac0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x35960, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="OUTLLIBR.DLL.trx_dll.909B4B652C4B2500FD1EF1D7B830D8C29CD7682934F1708304F0759F3885E037", cAlternateFileName="OUTLLI~1.909")) returned 1 [0163.132] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll.909B4B652C4B2500FD1EF1D7B830D8C29CD7682934F1708304F0759F3885E037", lpString2="Windows") returned -1 [0163.132] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll.909B4B652C4B2500FD1EF1D7B830D8C29CD7682934F1708304F0759F3885E037", lpString2="Program Files") returned -1 [0163.132] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll.909B4B652C4B2500FD1EF1D7B830D8C29CD7682934F1708304F0759F3885E037", lpString2="Program Files (x86)") returned -1 [0163.132] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll.909B4B652C4B2500FD1EF1D7B830D8C29CD7682934F1708304F0759F3885E037", lpString2="$Recycle.bin") returned 1 [0163.132] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll.909B4B652C4B2500FD1EF1D7B830D8C29CD7682934F1708304F0759F3885E037", lpString2="System Volume Information") returned -1 [0163.132] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll.909B4B652C4B2500FD1EF1D7B830D8C29CD7682934F1708304F0759F3885E037", lpString2=".") returned 1 [0163.133] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll.909B4B652C4B2500FD1EF1D7B830D8C29CD7682934F1708304F0759F3885E037", lpString2="..") returned 1 [0163.133] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll.909B4B652C4B2500FD1EF1D7B830D8C29CD7682934F1708304F0759F3885E037") returned 141 [0163.133] lstrcmpW (lpString1="OUTLLIBR.DLL.trx_dll.909B4B652C4B2500FD1EF1D7B830D8C29CD7682934F1708304F0759F3885E037", lpString2="PUSSY.TXT") returned -1 [0163.133] PathFindExtensionW (pszPath="OUTLLIBR.DLL.trx_dll.909B4B652C4B2500FD1EF1D7B830D8C29CD7682934F1708304F0759F3885E037") returned=".909B4B652C4B2500FD1EF1D7B830D8C29CD7682934F1708304F0759F3885E037" [0163.133] lstrlenW (lpString=".909B4B652C4B2500FD1EF1D7B830D8C29CD7682934F1708304F0759F3885E037") returned 65 [0163.133] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x302da400, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeef739f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc614f0c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x9f560, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="OUTLLIBR.REST.trx_dll.A7AFE54B9986789192FEA278291694A8D1458E8F79047A486E32ADAEC99B4C41", cAlternateFileName="OUTLLI~1.A7A")) returned 1 [0163.133] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll.A7AFE54B9986789192FEA278291694A8D1458E8F79047A486E32ADAEC99B4C41", lpString2="Windows") returned -1 [0163.133] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll.A7AFE54B9986789192FEA278291694A8D1458E8F79047A486E32ADAEC99B4C41", lpString2="Program Files") returned -1 [0163.133] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll.A7AFE54B9986789192FEA278291694A8D1458E8F79047A486E32ADAEC99B4C41", lpString2="Program Files (x86)") returned -1 [0163.133] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll.A7AFE54B9986789192FEA278291694A8D1458E8F79047A486E32ADAEC99B4C41", lpString2="$Recycle.bin") returned 1 [0163.133] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll.A7AFE54B9986789192FEA278291694A8D1458E8F79047A486E32ADAEC99B4C41", lpString2="System Volume Information") returned -1 [0163.133] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll.A7AFE54B9986789192FEA278291694A8D1458E8F79047A486E32ADAEC99B4C41", lpString2=".") returned 1 [0163.133] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll.A7AFE54B9986789192FEA278291694A8D1458E8F79047A486E32ADAEC99B4C41", lpString2="..") returned 1 [0163.133] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll.A7AFE54B9986789192FEA278291694A8D1458E8F79047A486E32ADAEC99B4C41") returned 142 [0163.133] lstrcmpW (lpString1="OUTLLIBR.REST.trx_dll.A7AFE54B9986789192FEA278291694A8D1458E8F79047A486E32ADAEC99B4C41", lpString2="PUSSY.TXT") returned -1 [0163.133] PathFindExtensionW (pszPath="OUTLLIBR.REST.trx_dll.A7AFE54B9986789192FEA278291694A8D1458E8F79047A486E32ADAEC99B4C41") returned=".A7AFE54B9986789192FEA278291694A8D1458E8F79047A486E32ADAEC99B4C41" [0163.133] lstrlenW (lpString=".A7AFE54B9986789192FEA278291694A8D1458E8F79047A486E32ADAEC99B4C41") returned 65 [0163.133] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x315ed100, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeef739f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc6448c40, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x2d60, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="OUTLWVW.DLL.trx_dll.63EBE590F86EE6E6780F7A2A533332D8FF71418ABDA9057B35A0D6FCC9546357", cAlternateFileName="OUTLWV~1.63E")) returned 1 [0163.133] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll.63EBE590F86EE6E6780F7A2A533332D8FF71418ABDA9057B35A0D6FCC9546357", lpString2="Windows") returned -1 [0163.133] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll.63EBE590F86EE6E6780F7A2A533332D8FF71418ABDA9057B35A0D6FCC9546357", lpString2="Program Files") returned -1 [0163.133] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll.63EBE590F86EE6E6780F7A2A533332D8FF71418ABDA9057B35A0D6FCC9546357", lpString2="Program Files (x86)") returned -1 [0163.133] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll.63EBE590F86EE6E6780F7A2A533332D8FF71418ABDA9057B35A0D6FCC9546357", lpString2="$Recycle.bin") returned 1 [0163.133] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll.63EBE590F86EE6E6780F7A2A533332D8FF71418ABDA9057B35A0D6FCC9546357", lpString2="System Volume Information") returned -1 [0163.133] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll.63EBE590F86EE6E6780F7A2A533332D8FF71418ABDA9057B35A0D6FCC9546357", lpString2=".") returned 1 [0163.133] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll.63EBE590F86EE6E6780F7A2A533332D8FF71418ABDA9057B35A0D6FCC9546357", lpString2="..") returned 1 [0163.134] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll.63EBE590F86EE6E6780F7A2A533332D8FF71418ABDA9057B35A0D6FCC9546357") returned 140 [0163.134] lstrcmpW (lpString1="OUTLWVW.DLL.trx_dll.63EBE590F86EE6E6780F7A2A533332D8FF71418ABDA9057B35A0D6FCC9546357", lpString2="PUSSY.TXT") returned -1 [0163.134] PathFindExtensionW (pszPath="OUTLWVW.DLL.trx_dll.63EBE590F86EE6E6780F7A2A533332D8FF71418ABDA9057B35A0D6FCC9546357") returned=".63EBE590F86EE6E6780F7A2A533332D8FF71418ABDA9057B35A0D6FCC9546357" [0163.134] lstrlenW (lpString=".63EBE590F86EE6E6780F7A2A533332D8FF71418ABDA9057B35A0D6FCC9546357") returned 65 [0163.134] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1a4a9400, ftCreationTime.dwHighDateTime=0x1cac804, ftLastAccessTime.dwLowDateTime=0xef00bf70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc6448c40, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0xd160, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="PPINTL.DLL.trx_dll.50DF6D9E501825B79A8BC02A67CAFB2FD2A2D4233CF5E03C07DF2A65ACDBD149", cAlternateFileName="PPINTL~1.50D")) returned 1 [0163.134] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll.50DF6D9E501825B79A8BC02A67CAFB2FD2A2D4233CF5E03C07DF2A65ACDBD149", lpString2="Windows") returned -1 [0163.134] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll.50DF6D9E501825B79A8BC02A67CAFB2FD2A2D4233CF5E03C07DF2A65ACDBD149", lpString2="Program Files") returned -1 [0163.134] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll.50DF6D9E501825B79A8BC02A67CAFB2FD2A2D4233CF5E03C07DF2A65ACDBD149", lpString2="Program Files (x86)") returned -1 [0163.134] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll.50DF6D9E501825B79A8BC02A67CAFB2FD2A2D4233CF5E03C07DF2A65ACDBD149", lpString2="$Recycle.bin") returned 1 [0163.134] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll.50DF6D9E501825B79A8BC02A67CAFB2FD2A2D4233CF5E03C07DF2A65ACDBD149", lpString2="System Volume Information") returned -1 [0163.134] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll.50DF6D9E501825B79A8BC02A67CAFB2FD2A2D4233CF5E03C07DF2A65ACDBD149", lpString2=".") returned 1 [0163.134] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll.50DF6D9E501825B79A8BC02A67CAFB2FD2A2D4233CF5E03C07DF2A65ACDBD149", lpString2="..") returned 1 [0163.134] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll.50DF6D9E501825B79A8BC02A67CAFB2FD2A2D4233CF5E03C07DF2A65ACDBD149") returned 139 [0163.134] lstrcmpW (lpString1="PPINTL.DLL.trx_dll.50DF6D9E501825B79A8BC02A67CAFB2FD2A2D4233CF5E03C07DF2A65ACDBD149", lpString2="PUSSY.TXT") returned -1 [0163.134] PathFindExtensionW (pszPath="PPINTL.DLL.trx_dll.50DF6D9E501825B79A8BC02A67CAFB2FD2A2D4233CF5E03C07DF2A65ACDBD149") returned=".50DF6D9E501825B79A8BC02A67CAFB2FD2A2D4233CF5E03C07DF2A65ACDBD149" [0163.134] lstrlenW (lpString=".50DF6D9E501825B79A8BC02A67CAFB2FD2A2D4233CF5E03C07DF2A65ACDBD149") returned 65 [0163.134] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x19196700, ftCreationTime.dwHighDateTime=0x1cac804, ftLastAccessTime.dwLowDateTime=0xef00bf70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc6128f60, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x43560, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="PPINTL.REST.trx_dll.D6913BCF4876F8FEC5EAC1F2F130CA2864D7D70424B67C6847AB66E75E31345B", cAlternateFileName="PPINTL~1.D69")) returned 1 [0163.134] lstrcmpiW (lpString1="PPINTL.REST.trx_dll.D6913BCF4876F8FEC5EAC1F2F130CA2864D7D70424B67C6847AB66E75E31345B", lpString2="Windows") returned -1 [0163.134] lstrcmpiW (lpString1="PPINTL.REST.trx_dll.D6913BCF4876F8FEC5EAC1F2F130CA2864D7D70424B67C6847AB66E75E31345B", lpString2="Program Files") returned -1 [0163.134] lstrcmpiW (lpString1="PPINTL.REST.trx_dll.D6913BCF4876F8FEC5EAC1F2F130CA2864D7D70424B67C6847AB66E75E31345B", lpString2="Program Files (x86)") returned -1 [0163.134] lstrcmpiW (lpString1="PPINTL.REST.trx_dll.D6913BCF4876F8FEC5EAC1F2F130CA2864D7D70424B67C6847AB66E75E31345B", lpString2="$Recycle.bin") returned 1 [0163.134] lstrcmpiW (lpString1="PPINTL.REST.trx_dll.D6913BCF4876F8FEC5EAC1F2F130CA2864D7D70424B67C6847AB66E75E31345B", lpString2="System Volume Information") returned -1 [0163.134] lstrcmpiW (lpString1="PPINTL.REST.trx_dll.D6913BCF4876F8FEC5EAC1F2F130CA2864D7D70424B67C6847AB66E75E31345B", lpString2=".") returned 1 [0163.134] lstrcmpiW (lpString1="PPINTL.REST.trx_dll.D6913BCF4876F8FEC5EAC1F2F130CA2864D7D70424B67C6847AB66E75E31345B", lpString2="..") returned 1 [0163.134] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll.D6913BCF4876F8FEC5EAC1F2F130CA2864D7D70424B67C6847AB66E75E31345B") returned 140 [0163.134] lstrcmpW (lpString1="PPINTL.REST.trx_dll.D6913BCF4876F8FEC5EAC1F2F130CA2864D7D70424B67C6847AB66E75E31345B", lpString2="PUSSY.TXT") returned -1 [0163.135] PathFindExtensionW (pszPath="PPINTL.REST.trx_dll.D6913BCF4876F8FEC5EAC1F2F130CA2864D7D70424B67C6847AB66E75E31345B") returned=".D6913BCF4876F8FEC5EAC1F2F130CA2864D7D70424B67C6847AB66E75E31345B" [0163.135] lstrlenW (lpString=".D6913BCF4876F8FEC5EAC1F2F130CA2864D7D70424B67C6847AB66E75E31345B") returned 65 [0163.135] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x58968200, ftCreationTime.dwHighDateTime=0x1cac809, ftLastAccessTime.dwLowDateTime=0xef00bf70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc6448c40, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x1a560, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="PUB6INTL.DLL.trx_dll.4C82347A81A76A2A78E5A1D7799275B4BC97097D4D64223CF4CE13100C423072", cAlternateFileName="PUB6IN~1.4C8")) returned 1 [0163.135] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll.4C82347A81A76A2A78E5A1D7799275B4BC97097D4D64223CF4CE13100C423072", lpString2="Windows") returned -1 [0163.135] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll.4C82347A81A76A2A78E5A1D7799275B4BC97097D4D64223CF4CE13100C423072", lpString2="Program Files") returned 1 [0163.135] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll.4C82347A81A76A2A78E5A1D7799275B4BC97097D4D64223CF4CE13100C423072", lpString2="Program Files (x86)") returned 1 [0163.135] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll.4C82347A81A76A2A78E5A1D7799275B4BC97097D4D64223CF4CE13100C423072", lpString2="$Recycle.bin") returned 1 [0163.135] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll.4C82347A81A76A2A78E5A1D7799275B4BC97097D4D64223CF4CE13100C423072", lpString2="System Volume Information") returned -1 [0163.135] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll.4C82347A81A76A2A78E5A1D7799275B4BC97097D4D64223CF4CE13100C423072", lpString2=".") returned 1 [0163.135] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll.4C82347A81A76A2A78E5A1D7799275B4BC97097D4D64223CF4CE13100C423072", lpString2="..") returned 1 [0163.135] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll.4C82347A81A76A2A78E5A1D7799275B4BC97097D4D64223CF4CE13100C423072") returned 141 [0163.135] lstrcmpW (lpString1="PUB6INTL.DLL.trx_dll.4C82347A81A76A2A78E5A1D7799275B4BC97097D4D64223CF4CE13100C423072", lpString2="PUSSY.TXT") returned -1 [0163.135] PathFindExtensionW (pszPath="PUB6INTL.DLL.trx_dll.4C82347A81A76A2A78E5A1D7799275B4BC97097D4D64223CF4CE13100C423072") returned=".4C82347A81A76A2A78E5A1D7799275B4BC97097D4D64223CF4CE13100C423072" [0163.135] lstrlenW (lpString=".4C82347A81A76A2A78E5A1D7799275B4BC97097D4D64223CF4CE13100C423072") returned 65 [0163.135] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x57655500, ftCreationTime.dwHighDateTime=0x1cac809, ftLastAccessTime.dwLowDateTime=0xef0320d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc646eda0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x87f60, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="PUB6INTL.REST.trx_dll.350F19F738999E06302D20320D48A051002D6A2643E19890600E8070B8D3B85E", cAlternateFileName="PUB6IN~1.350")) returned 1 [0163.135] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll.350F19F738999E06302D20320D48A051002D6A2643E19890600E8070B8D3B85E", lpString2="Windows") returned -1 [0163.135] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll.350F19F738999E06302D20320D48A051002D6A2643E19890600E8070B8D3B85E", lpString2="Program Files") returned 1 [0163.135] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll.350F19F738999E06302D20320D48A051002D6A2643E19890600E8070B8D3B85E", lpString2="Program Files (x86)") returned 1 [0163.135] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll.350F19F738999E06302D20320D48A051002D6A2643E19890600E8070B8D3B85E", lpString2="$Recycle.bin") returned 1 [0163.135] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll.350F19F738999E06302D20320D48A051002D6A2643E19890600E8070B8D3B85E", lpString2="System Volume Information") returned -1 [0163.135] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll.350F19F738999E06302D20320D48A051002D6A2643E19890600E8070B8D3B85E", lpString2=".") returned 1 [0163.135] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll.350F19F738999E06302D20320D48A051002D6A2643E19890600E8070B8D3B85E", lpString2="..") returned 1 [0163.135] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll.350F19F738999E06302D20320D48A051002D6A2643E19890600E8070B8D3B85E") returned 142 [0163.135] lstrcmpW (lpString1="PUB6INTL.REST.trx_dll.350F19F738999E06302D20320D48A051002D6A2643E19890600E8070B8D3B85E", lpString2="PUSSY.TXT") returned -1 [0163.136] PathFindExtensionW (pszPath="PUB6INTL.REST.trx_dll.350F19F738999E06302D20320D48A051002D6A2643E19890600E8070B8D3B85E") returned=".350F19F738999E06302D20320D48A051002D6A2643E19890600E8070B8D3B85E" [0163.136] lstrlenW (lpString=".350F19F738999E06302D20320D48A051002D6A2643E19890600E8070B8D3B85E") returned 65 [0163.136] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2720b500, ftCreationTime.dwHighDateTime=0x1cac80f, ftLastAccessTime.dwLowDateTime=0xef0320d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc66aa240, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x57f60, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="PUBWZINT.REST.trx_dll.7FF752BFE057AE695081F77D89C05B5F6D92698436BB856E1B26DB6CF636F371", cAlternateFileName="PUBWZI~1.7FF")) returned 1 [0163.136] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll.7FF752BFE057AE695081F77D89C05B5F6D92698436BB856E1B26DB6CF636F371", lpString2="Windows") returned -1 [0163.136] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll.7FF752BFE057AE695081F77D89C05B5F6D92698436BB856E1B26DB6CF636F371", lpString2="Program Files") returned 1 [0163.136] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll.7FF752BFE057AE695081F77D89C05B5F6D92698436BB856E1B26DB6CF636F371", lpString2="Program Files (x86)") returned 1 [0163.136] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll.7FF752BFE057AE695081F77D89C05B5F6D92698436BB856E1B26DB6CF636F371", lpString2="$Recycle.bin") returned 1 [0163.136] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll.7FF752BFE057AE695081F77D89C05B5F6D92698436BB856E1B26DB6CF636F371", lpString2="System Volume Information") returned -1 [0163.136] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll.7FF752BFE057AE695081F77D89C05B5F6D92698436BB856E1B26DB6CF636F371", lpString2=".") returned 1 [0163.136] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll.7FF752BFE057AE695081F77D89C05B5F6D92698436BB856E1B26DB6CF636F371", lpString2="..") returned 1 [0163.136] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll.7FF752BFE057AE695081F77D89C05B5F6D92698436BB856E1B26DB6CF636F371") returned 142 [0163.136] lstrcmpW (lpString1="PUBWZINT.REST.trx_dll.7FF752BFE057AE695081F77D89C05B5F6D92698436BB856E1B26DB6CF636F371", lpString2="PUSSY.TXT") returned -1 [0163.136] PathFindExtensionW (pszPath="PUBWZINT.REST.trx_dll.7FF752BFE057AE695081F77D89C05B5F6D92698436BB856E1B26DB6CF636F371") returned=".7FF752BFE057AE695081F77D89C05B5F6D92698436BB856E1B26DB6CF636F371" [0163.136] lstrlenW (lpString=".7FF752BFE057AE695081F77D89C05B5F6D92698436BB856E1B26DB6CF636F371") returned 65 [0163.136] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc68bf580, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc68bf580, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc68bf580, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.136] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.136] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.136] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.136] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.136] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.136] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.136] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.136] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUSSY.TXT") returned 65 [0163.136] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.136] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x94d0df00, ftCreationTime.dwHighDateTime=0x1cac817, ftLastAccessTime.dwLowDateTime=0xef058230, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc66aa240, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x3360, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="SGRES.DLL.trx_dll.0B7095B199C0CDBA0D06FB2EC3D8130270AC426B7FF7BFA93836ADA44FA2AF7C", cAlternateFileName="SGRESD~1.0B7")) returned 1 [0163.137] lstrcmpiW (lpString1="SGRES.DLL.trx_dll.0B7095B199C0CDBA0D06FB2EC3D8130270AC426B7FF7BFA93836ADA44FA2AF7C", lpString2="Windows") returned -1 [0163.137] lstrcmpiW (lpString1="SGRES.DLL.trx_dll.0B7095B199C0CDBA0D06FB2EC3D8130270AC426B7FF7BFA93836ADA44FA2AF7C", lpString2="Program Files") returned 1 [0163.137] lstrcmpiW (lpString1="SGRES.DLL.trx_dll.0B7095B199C0CDBA0D06FB2EC3D8130270AC426B7FF7BFA93836ADA44FA2AF7C", lpString2="Program Files (x86)") returned 1 [0163.137] lstrcmpiW (lpString1="SGRES.DLL.trx_dll.0B7095B199C0CDBA0D06FB2EC3D8130270AC426B7FF7BFA93836ADA44FA2AF7C", lpString2="$Recycle.bin") returned 1 [0163.137] lstrcmpiW (lpString1="SGRES.DLL.trx_dll.0B7095B199C0CDBA0D06FB2EC3D8130270AC426B7FF7BFA93836ADA44FA2AF7C", lpString2="System Volume Information") returned -1 [0163.137] lstrcmpiW (lpString1="SGRES.DLL.trx_dll.0B7095B199C0CDBA0D06FB2EC3D8130270AC426B7FF7BFA93836ADA44FA2AF7C", lpString2=".") returned 1 [0163.137] lstrcmpiW (lpString1="SGRES.DLL.trx_dll.0B7095B199C0CDBA0D06FB2EC3D8130270AC426B7FF7BFA93836ADA44FA2AF7C", lpString2="..") returned 1 [0163.137] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll.0B7095B199C0CDBA0D06FB2EC3D8130270AC426B7FF7BFA93836ADA44FA2AF7C") returned 138 [0163.137] lstrcmpW (lpString1="SGRES.DLL.trx_dll.0B7095B199C0CDBA0D06FB2EC3D8130270AC426B7FF7BFA93836ADA44FA2AF7C", lpString2="PUSSY.TXT") returned 1 [0163.137] PathFindExtensionW (pszPath="SGRES.DLL.trx_dll.0B7095B199C0CDBA0D06FB2EC3D8130270AC426B7FF7BFA93836ADA44FA2AF7C") returned=".0B7095B199C0CDBA0D06FB2EC3D8130270AC426B7FF7BFA93836ADA44FA2AF7C" [0163.137] lstrlenW (lpString=".0B7095B199C0CDBA0D06FB2EC3D8130270AC426B7FF7BFA93836ADA44FA2AF7C") returned 65 [0163.137] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xca190500, ftCreationTime.dwHighDateTime=0x1cac7f6, ftLastAccessTime.dwLowDateTime=0xef058230, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc652d480, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4360, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="STINTL.DLL.trx_dll.AEE5AB20C7DBF1749F77E812C06EB08AAFBD6BDC4EAF0E8DF33AB4F780D24263", cAlternateFileName="STINTL~1.AEE")) returned 1 [0163.137] lstrcmpiW (lpString1="STINTL.DLL.trx_dll.AEE5AB20C7DBF1749F77E812C06EB08AAFBD6BDC4EAF0E8DF33AB4F780D24263", lpString2="Windows") returned -1 [0163.137] lstrcmpiW (lpString1="STINTL.DLL.trx_dll.AEE5AB20C7DBF1749F77E812C06EB08AAFBD6BDC4EAF0E8DF33AB4F780D24263", lpString2="Program Files") returned 1 [0163.137] lstrcmpiW (lpString1="STINTL.DLL.trx_dll.AEE5AB20C7DBF1749F77E812C06EB08AAFBD6BDC4EAF0E8DF33AB4F780D24263", lpString2="Program Files (x86)") returned 1 [0163.137] lstrcmpiW (lpString1="STINTL.DLL.trx_dll.AEE5AB20C7DBF1749F77E812C06EB08AAFBD6BDC4EAF0E8DF33AB4F780D24263", lpString2="$Recycle.bin") returned 1 [0163.137] lstrcmpiW (lpString1="STINTL.DLL.trx_dll.AEE5AB20C7DBF1749F77E812C06EB08AAFBD6BDC4EAF0E8DF33AB4F780D24263", lpString2="System Volume Information") returned -1 [0163.137] lstrcmpiW (lpString1="STINTL.DLL.trx_dll.AEE5AB20C7DBF1749F77E812C06EB08AAFBD6BDC4EAF0E8DF33AB4F780D24263", lpString2=".") returned 1 [0163.137] lstrcmpiW (lpString1="STINTL.DLL.trx_dll.AEE5AB20C7DBF1749F77E812C06EB08AAFBD6BDC4EAF0E8DF33AB4F780D24263", lpString2="..") returned 1 [0163.137] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll.AEE5AB20C7DBF1749F77E812C06EB08AAFBD6BDC4EAF0E8DF33AB4F780D24263") returned 139 [0163.137] lstrcmpW (lpString1="STINTL.DLL.trx_dll.AEE5AB20C7DBF1749F77E812C06EB08AAFBD6BDC4EAF0E8DF33AB4F780D24263", lpString2="PUSSY.TXT") returned 1 [0163.137] PathFindExtensionW (pszPath="STINTL.DLL.trx_dll.AEE5AB20C7DBF1749F77E812C06EB08AAFBD6BDC4EAF0E8DF33AB4F780D24263") returned=".AEE5AB20C7DBF1749F77E812C06EB08AAFBD6BDC4EAF0E8DF33AB4F780D24263" [0163.137] lstrlenW (lpString=".AEE5AB20C7DBF1749F77E812C06EB08AAFBD6BDC4EAF0E8DF33AB4F780D24263") returned 65 [0163.137] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbf706700, ftCreationTime.dwHighDateTime=0x1cac81a, ftLastAccessTime.dwLowDateTime=0xef0a44f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc66aa240, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x6960, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="VISBRRES.DLL.trx_dll.2B2F78A18B2C34435D0D8B44C1228B4EE44C4E155BA06069A462F6999957D325", cAlternateFileName="VISBRR~1.2B2")) returned 1 [0163.137] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll.2B2F78A18B2C34435D0D8B44C1228B4EE44C4E155BA06069A462F6999957D325", lpString2="Windows") returned -1 [0163.137] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll.2B2F78A18B2C34435D0D8B44C1228B4EE44C4E155BA06069A462F6999957D325", lpString2="Program Files") returned 1 [0163.138] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll.2B2F78A18B2C34435D0D8B44C1228B4EE44C4E155BA06069A462F6999957D325", lpString2="Program Files (x86)") returned 1 [0163.138] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll.2B2F78A18B2C34435D0D8B44C1228B4EE44C4E155BA06069A462F6999957D325", lpString2="$Recycle.bin") returned 1 [0163.138] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll.2B2F78A18B2C34435D0D8B44C1228B4EE44C4E155BA06069A462F6999957D325", lpString2="System Volume Information") returned 1 [0163.138] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll.2B2F78A18B2C34435D0D8B44C1228B4EE44C4E155BA06069A462F6999957D325", lpString2=".") returned 1 [0163.138] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll.2B2F78A18B2C34435D0D8B44C1228B4EE44C4E155BA06069A462F6999957D325", lpString2="..") returned 1 [0163.138] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll.2B2F78A18B2C34435D0D8B44C1228B4EE44C4E155BA06069A462F6999957D325") returned 141 [0163.138] lstrcmpW (lpString1="VISBRRES.DLL.trx_dll.2B2F78A18B2C34435D0D8B44C1228B4EE44C4E155BA06069A462F6999957D325", lpString2="PUSSY.TXT") returned 1 [0163.138] PathFindExtensionW (pszPath="VISBRRES.DLL.trx_dll.2B2F78A18B2C34435D0D8B44C1228B4EE44C4E155BA06069A462F6999957D325") returned=".2B2F78A18B2C34435D0D8B44C1228B4EE44C4E155BA06069A462F6999957D325" [0163.138] lstrlenW (lpString=".2B2F78A18B2C34435D0D8B44C1228B4EE44C4E155BA06069A462F6999957D325") returned 65 [0163.138] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x70273800, ftCreationTime.dwHighDateTime=0x1cac814, ftLastAccessTime.dwLowDateTime=0xef0a44f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc6a3c340, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x73960, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="VISINTL.DLL.trx_dll.B7C5A2A203788A361D0955FAEDCEAB4FBD765A05E3A4D6380EE8C590DD368C4A", cAlternateFileName="VISINT~1.B7C")) returned 1 [0163.138] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll.B7C5A2A203788A361D0955FAEDCEAB4FBD765A05E3A4D6380EE8C590DD368C4A", lpString2="Windows") returned -1 [0163.138] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll.B7C5A2A203788A361D0955FAEDCEAB4FBD765A05E3A4D6380EE8C590DD368C4A", lpString2="Program Files") returned 1 [0163.138] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll.B7C5A2A203788A361D0955FAEDCEAB4FBD765A05E3A4D6380EE8C590DD368C4A", lpString2="Program Files (x86)") returned 1 [0163.138] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll.B7C5A2A203788A361D0955FAEDCEAB4FBD765A05E3A4D6380EE8C590DD368C4A", lpString2="$Recycle.bin") returned 1 [0163.138] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll.B7C5A2A203788A361D0955FAEDCEAB4FBD765A05E3A4D6380EE8C590DD368C4A", lpString2="System Volume Information") returned 1 [0163.138] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll.B7C5A2A203788A361D0955FAEDCEAB4FBD765A05E3A4D6380EE8C590DD368C4A", lpString2=".") returned 1 [0163.138] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll.B7C5A2A203788A361D0955FAEDCEAB4FBD765A05E3A4D6380EE8C590DD368C4A", lpString2="..") returned 1 [0163.138] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll.B7C5A2A203788A361D0955FAEDCEAB4FBD765A05E3A4D6380EE8C590DD368C4A") returned 140 [0163.138] lstrcmpW (lpString1="VISINTL.DLL.trx_dll.B7C5A2A203788A361D0955FAEDCEAB4FBD765A05E3A4D6380EE8C590DD368C4A", lpString2="PUSSY.TXT") returned 1 [0163.138] PathFindExtensionW (pszPath="VISINTL.DLL.trx_dll.B7C5A2A203788A361D0955FAEDCEAB4FBD765A05E3A4D6380EE8C590DD368C4A") returned=".B7C5A2A203788A361D0955FAEDCEAB4FBD765A05E3A4D6380EE8C590DD368C4A" [0163.138] lstrlenW (lpString=".B7C5A2A203788A361D0955FAEDCEAB4FBD765A05E3A4D6380EE8C590DD368C4A") returned 65 [0163.138] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa1789a00, ftCreationTime.dwHighDateTime=0x1cacd25, ftLastAccessTime.dwLowDateTime=0xef0ca650, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc69c9f20, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x24360, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="WWINTL.DLL.trx_dll.9EB9A56C2FF2F71F708D50A7B146596DB46BFFF8D0894BAC5A49F9212F2B6112", cAlternateFileName="WWINTL~1.9EB")) returned 1 [0163.138] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll.9EB9A56C2FF2F71F708D50A7B146596DB46BFFF8D0894BAC5A49F9212F2B6112", lpString2="Windows") returned 1 [0163.138] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll.9EB9A56C2FF2F71F708D50A7B146596DB46BFFF8D0894BAC5A49F9212F2B6112", lpString2="Program Files") returned 1 [0163.138] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll.9EB9A56C2FF2F71F708D50A7B146596DB46BFFF8D0894BAC5A49F9212F2B6112", lpString2="Program Files (x86)") returned 1 [0163.138] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll.9EB9A56C2FF2F71F708D50A7B146596DB46BFFF8D0894BAC5A49F9212F2B6112", lpString2="$Recycle.bin") returned 1 [0163.139] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll.9EB9A56C2FF2F71F708D50A7B146596DB46BFFF8D0894BAC5A49F9212F2B6112", lpString2="System Volume Information") returned 1 [0163.139] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll.9EB9A56C2FF2F71F708D50A7B146596DB46BFFF8D0894BAC5A49F9212F2B6112", lpString2=".") returned 1 [0163.139] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll.9EB9A56C2FF2F71F708D50A7B146596DB46BFFF8D0894BAC5A49F9212F2B6112", lpString2="..") returned 1 [0163.139] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll.9EB9A56C2FF2F71F708D50A7B146596DB46BFFF8D0894BAC5A49F9212F2B6112") returned 139 [0163.139] lstrcmpW (lpString1="WWINTL.DLL.trx_dll.9EB9A56C2FF2F71F708D50A7B146596DB46BFFF8D0894BAC5A49F9212F2B6112", lpString2="PUSSY.TXT") returned 1 [0163.139] PathFindExtensionW (pszPath="WWINTL.DLL.trx_dll.9EB9A56C2FF2F71F708D50A7B146596DB46BFFF8D0894BAC5A49F9212F2B6112") returned=".9EB9A56C2FF2F71F708D50A7B146596DB46BFFF8D0894BAC5A49F9212F2B6112" [0163.139] lstrlenW (lpString=".9EB9A56C2FF2F71F708D50A7B146596DB46BFFF8D0894BAC5A49F9212F2B6112") returned 65 [0163.139] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa2a9c700, ftCreationTime.dwHighDateTime=0x1cacd25, ftLastAccessTime.dwLowDateTime=0xef0f07b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc6bdf260, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x110b60, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="WWINTL.REST.trx_dll.D5163E369246A273AFFF41F268115C5A54F7CAD55EA1835DE56E38504C8B3303", cAlternateFileName="WWINTL~1.D51")) returned 1 [0163.139] lstrcmpiW (lpString1="WWINTL.REST.trx_dll.D5163E369246A273AFFF41F268115C5A54F7CAD55EA1835DE56E38504C8B3303", lpString2="Windows") returned 1 [0163.139] lstrcmpiW (lpString1="WWINTL.REST.trx_dll.D5163E369246A273AFFF41F268115C5A54F7CAD55EA1835DE56E38504C8B3303", lpString2="Program Files") returned 1 [0163.139] lstrcmpiW (lpString1="WWINTL.REST.trx_dll.D5163E369246A273AFFF41F268115C5A54F7CAD55EA1835DE56E38504C8B3303", lpString2="Program Files (x86)") returned 1 [0163.139] lstrcmpiW (lpString1="WWINTL.REST.trx_dll.D5163E369246A273AFFF41F268115C5A54F7CAD55EA1835DE56E38504C8B3303", lpString2="$Recycle.bin") returned 1 [0163.139] lstrcmpiW (lpString1="WWINTL.REST.trx_dll.D5163E369246A273AFFF41F268115C5A54F7CAD55EA1835DE56E38504C8B3303", lpString2="System Volume Information") returned 1 [0163.139] lstrcmpiW (lpString1="WWINTL.REST.trx_dll.D5163E369246A273AFFF41F268115C5A54F7CAD55EA1835DE56E38504C8B3303", lpString2=".") returned 1 [0163.139] lstrcmpiW (lpString1="WWINTL.REST.trx_dll.D5163E369246A273AFFF41F268115C5A54F7CAD55EA1835DE56E38504C8B3303", lpString2="..") returned 1 [0163.139] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll.D5163E369246A273AFFF41F268115C5A54F7CAD55EA1835DE56E38504C8B3303") returned 140 [0163.139] lstrcmpW (lpString1="WWINTL.REST.trx_dll.D5163E369246A273AFFF41F268115C5A54F7CAD55EA1835DE56E38504C8B3303", lpString2="PUSSY.TXT") returned 1 [0163.139] PathFindExtensionW (pszPath="WWINTL.REST.trx_dll.D5163E369246A273AFFF41F268115C5A54F7CAD55EA1835DE56E38504C8B3303") returned=".D5163E369246A273AFFF41F268115C5A54F7CAD55EA1835DE56E38504C8B3303" [0163.139] lstrlenW (lpString=".D5163E369246A273AFFF41F268115C5A54F7CAD55EA1835DE56E38504C8B3303") returned 65 [0163.139] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x61df1900, ftCreationTime.dwHighDateTime=0x1cac820, ftLastAccessTime.dwLowDateTime=0xef0f07b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc6ce9c00, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x23960, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="XLINTL32.DLL.trx_dll.7B427BF273288E96C84523C9A05CCE75A2FACC1AADC9DE342F70167E82998F23", cAlternateFileName="XLINTL~1.7B4")) returned 1 [0163.139] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll.7B427BF273288E96C84523C9A05CCE75A2FACC1AADC9DE342F70167E82998F23", lpString2="Windows") returned 1 [0163.139] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll.7B427BF273288E96C84523C9A05CCE75A2FACC1AADC9DE342F70167E82998F23", lpString2="Program Files") returned 1 [0163.139] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll.7B427BF273288E96C84523C9A05CCE75A2FACC1AADC9DE342F70167E82998F23", lpString2="Program Files (x86)") returned 1 [0163.139] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll.7B427BF273288E96C84523C9A05CCE75A2FACC1AADC9DE342F70167E82998F23", lpString2="$Recycle.bin") returned 1 [0163.139] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll.7B427BF273288E96C84523C9A05CCE75A2FACC1AADC9DE342F70167E82998F23", lpString2="System Volume Information") returned 1 [0163.139] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll.7B427BF273288E96C84523C9A05CCE75A2FACC1AADC9DE342F70167E82998F23", lpString2=".") returned 1 [0163.140] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll.7B427BF273288E96C84523C9A05CCE75A2FACC1AADC9DE342F70167E82998F23", lpString2="..") returned 1 [0163.140] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll.7B427BF273288E96C84523C9A05CCE75A2FACC1AADC9DE342F70167E82998F23") returned 141 [0163.140] lstrcmpW (lpString1="XLINTL32.DLL.trx_dll.7B427BF273288E96C84523C9A05CCE75A2FACC1AADC9DE342F70167E82998F23", lpString2="PUSSY.TXT") returned 1 [0163.140] PathFindExtensionW (pszPath="XLINTL32.DLL.trx_dll.7B427BF273288E96C84523C9A05CCE75A2FACC1AADC9DE342F70167E82998F23") returned=".7B427BF273288E96C84523C9A05CCE75A2FACC1AADC9DE342F70167E82998F23" [0163.140] lstrlenW (lpString=".7B427BF273288E96C84523C9A05CCE75A2FACC1AADC9DE342F70167E82998F23") returned 65 [0163.140] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x61df1900, ftCreationTime.dwHighDateTime=0x1cac820, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc6ce9c00, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x126760, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="XLINTL32.REST.trx_dll.A08EB1C5F9AEF82168DAA6533ABB921FFE72491543709BD08949FB026347AF0E", cAlternateFileName="XLINTL~1.A08")) returned 1 [0163.140] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll.A08EB1C5F9AEF82168DAA6533ABB921FFE72491543709BD08949FB026347AF0E", lpString2="Windows") returned 1 [0163.140] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll.A08EB1C5F9AEF82168DAA6533ABB921FFE72491543709BD08949FB026347AF0E", lpString2="Program Files") returned 1 [0163.140] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll.A08EB1C5F9AEF82168DAA6533ABB921FFE72491543709BD08949FB026347AF0E", lpString2="Program Files (x86)") returned 1 [0163.140] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll.A08EB1C5F9AEF82168DAA6533ABB921FFE72491543709BD08949FB026347AF0E", lpString2="$Recycle.bin") returned 1 [0163.140] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll.A08EB1C5F9AEF82168DAA6533ABB921FFE72491543709BD08949FB026347AF0E", lpString2="System Volume Information") returned 1 [0163.140] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll.A08EB1C5F9AEF82168DAA6533ABB921FFE72491543709BD08949FB026347AF0E", lpString2=".") returned 1 [0163.140] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll.A08EB1C5F9AEF82168DAA6533ABB921FFE72491543709BD08949FB026347AF0E", lpString2="..") returned 1 [0163.140] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll.A08EB1C5F9AEF82168DAA6533ABB921FFE72491543709BD08949FB026347AF0E") returned 142 [0163.140] lstrcmpW (lpString1="XLINTL32.REST.trx_dll.A08EB1C5F9AEF82168DAA6533ABB921FFE72491543709BD08949FB026347AF0E", lpString2="PUSSY.TXT") returned 1 [0163.140] PathFindExtensionW (pszPath="XLINTL32.REST.trx_dll.A08EB1C5F9AEF82168DAA6533ABB921FFE72491543709BD08949FB026347AF0E") returned=".A08EB1C5F9AEF82168DAA6533ABB921FFE72491543709BD08949FB026347AF0E" [0163.140] lstrlenW (lpString=".A08EB1C5F9AEF82168DAA6533ABB921FFE72491543709BD08949FB026347AF0E") returned 65 [0163.140] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd7e38000, ftCreationTime.dwHighDateTime=0x1cac820, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc6bdf260, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x3960, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="XLSLICER.DLL.trx_dll.48800B22AA0C455F06408C880834F41A38F68020E1C96E06D1D5CCFD6BE3F531", cAlternateFileName="XLSLIC~1.488")) returned 1 [0163.140] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll.48800B22AA0C455F06408C880834F41A38F68020E1C96E06D1D5CCFD6BE3F531", lpString2="Windows") returned 1 [0163.140] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll.48800B22AA0C455F06408C880834F41A38F68020E1C96E06D1D5CCFD6BE3F531", lpString2="Program Files") returned 1 [0163.140] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll.48800B22AA0C455F06408C880834F41A38F68020E1C96E06D1D5CCFD6BE3F531", lpString2="Program Files (x86)") returned 1 [0163.140] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll.48800B22AA0C455F06408C880834F41A38F68020E1C96E06D1D5CCFD6BE3F531", lpString2="$Recycle.bin") returned 1 [0163.140] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll.48800B22AA0C455F06408C880834F41A38F68020E1C96E06D1D5CCFD6BE3F531", lpString2="System Volume Information") returned 1 [0163.140] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll.48800B22AA0C455F06408C880834F41A38F68020E1C96E06D1D5CCFD6BE3F531", lpString2=".") returned 1 [0163.140] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll.48800B22AA0C455F06408C880834F41A38F68020E1C96E06D1D5CCFD6BE3F531", lpString2="..") returned 1 [0163.140] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll.48800B22AA0C455F06408C880834F41A38F68020E1C96E06D1D5CCFD6BE3F531") returned 141 [0163.141] lstrcmpW (lpString1="XLSLICER.DLL.trx_dll.48800B22AA0C455F06408C880834F41A38F68020E1C96E06D1D5CCFD6BE3F531", lpString2="PUSSY.TXT") returned 1 [0163.141] PathFindExtensionW (pszPath="XLSLICER.DLL.trx_dll.48800B22AA0C455F06408C880834F41A38F68020E1C96E06D1D5CCFD6BE3F531") returned=".48800B22AA0C455F06408C880834F41A38F68020E1C96E06D1D5CCFD6BE3F531" [0163.141] lstrlenW (lpString=".48800B22AA0C455F06408C880834F41A38F68020E1C96E06D1D5CCFD6BE3F531") returned 65 [0163.141] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd7e38000, ftCreationTime.dwHighDateTime=0x1cac820, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc6bdf260, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x3960, dwReserved0=0x4e29d8, dwReserved1=0x2c3e059c, cFileName="XLSLICER.DLL.trx_dll.48800B22AA0C455F06408C880834F41A38F68020E1C96E06D1D5CCFD6BE3F531", cAlternateFileName="XLSLIC~1.488")) returned 0 [0163.141] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0163.141] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUSSY.TXT") returned 65 [0163.141] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.141] GetProcessHeap () returned 0x4c0000 [0163.141] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0163.141] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc68bf580, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc68bf580, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc68bf580, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.141] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.141] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.141] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.141] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.141] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.141] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.141] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.141] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\PUSSY.TXT") returned 60 [0163.142] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.142] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc68bf580, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc68bf580, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc68bf580, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.142] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0163.142] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\PUSSY.TXT") returned 60 [0163.142] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.142] GetProcessHeap () returned 0x4c0000 [0163.142] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0163.142] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc68bf580, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc68bf580, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="UICaptions", cAlternateFileName="UICAPT~1")) returned 0 [0163.142] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0163.142] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\PUSSY.TXT") returned 49 [0163.142] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\office\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.143] GetProcessHeap () returned 0x4c0000 [0163.143] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0163.145] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xc6d82180, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6d82180, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="OfficeSoftwareProtectionPlatform", cAlternateFileName="OFFICE~1")) returned 1 [0163.145] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="Windows") returned -1 [0163.145] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="Program Files") returned -1 [0163.145] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="Program Files (x86)") returned -1 [0163.145] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="$Recycle.bin") returned 1 [0163.145] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="System Volume Information") returned -1 [0163.145] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2=".") returned 1 [0163.145] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="..") returned 1 [0163.145] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform") returned 65 [0163.145] GetProcessHeap () returned 0x4c0000 [0163.145] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0163.146] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform" [0163.146] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\*" [0163.146] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xc6d82180, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6d82180, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0163.146] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.146] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.146] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.146] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.146] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.146] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.146] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xc6d82180, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6d82180, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0163.146] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.146] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.146] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.147] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.147] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.147] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.147] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.147] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8ab1ae70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xc6aae760, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6aae760, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="Cache", cAlternateFileName="")) returned 1 [0163.147] lstrcmpiW (lpString1="Cache", lpString2="Windows") returned -1 [0163.147] lstrcmpiW (lpString1="Cache", lpString2="Program Files") returned -1 [0163.147] lstrcmpiW (lpString1="Cache", lpString2="Program Files (x86)") returned -1 [0163.147] lstrcmpiW (lpString1="Cache", lpString2="$Recycle.bin") returned 1 [0163.147] lstrcmpiW (lpString1="Cache", lpString2="System Volume Information") returned -1 [0163.147] lstrcmpiW (lpString1="Cache", lpString2=".") returned 1 [0163.147] lstrcmpiW (lpString1="Cache", lpString2="..") returned 1 [0163.147] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache") returned 71 [0163.147] GetProcessHeap () returned 0x4c0000 [0163.147] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0163.148] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache" [0163.148] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*" [0163.148] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8ab1ae70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xc6aae760, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6aae760, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0163.148] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.148] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.148] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.148] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.148] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.148] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.148] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8ab1ae70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xc6aae760, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6aae760, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0163.148] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.148] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.148] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.148] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.148] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.148] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.148] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.149] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9de525d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x9de525d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc6aae760, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x40270, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="cache.dat.27652585F2D357A672072533C20228AF1ADBE889FE29D6A7F274F8D88BB32D6A", cAlternateFileName="CACHED~1.276")) returned 1 [0163.149] lstrcmpiW (lpString1="cache.dat.27652585F2D357A672072533C20228AF1ADBE889FE29D6A7F274F8D88BB32D6A", lpString2="Windows") returned -1 [0163.149] lstrcmpiW (lpString1="cache.dat.27652585F2D357A672072533C20228AF1ADBE889FE29D6A7F274F8D88BB32D6A", lpString2="Program Files") returned -1 [0163.149] lstrcmpiW (lpString1="cache.dat.27652585F2D357A672072533C20228AF1ADBE889FE29D6A7F274F8D88BB32D6A", lpString2="Program Files (x86)") returned -1 [0163.149] lstrcmpiW (lpString1="cache.dat.27652585F2D357A672072533C20228AF1ADBE889FE29D6A7F274F8D88BB32D6A", lpString2="$Recycle.bin") returned 1 [0163.149] lstrcmpiW (lpString1="cache.dat.27652585F2D357A672072533C20228AF1ADBE889FE29D6A7F274F8D88BB32D6A", lpString2="System Volume Information") returned -1 [0163.149] lstrcmpiW (lpString1="cache.dat.27652585F2D357A672072533C20228AF1ADBE889FE29D6A7F274F8D88BB32D6A", lpString2=".") returned 1 [0163.149] lstrcmpiW (lpString1="cache.dat.27652585F2D357A672072533C20228AF1ADBE889FE29D6A7F274F8D88BB32D6A", lpString2="..") returned 1 [0163.149] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat.27652585F2D357A672072533C20228AF1ADBE889FE29D6A7F274F8D88BB32D6A") returned 146 [0163.149] lstrcmpW (lpString1="cache.dat.27652585F2D357A672072533C20228AF1ADBE889FE29D6A7F274F8D88BB32D6A", lpString2="PUSSY.TXT") returned -1 [0163.149] PathFindExtensionW (pszPath="cache.dat.27652585F2D357A672072533C20228AF1ADBE889FE29D6A7F274F8D88BB32D6A") returned=".27652585F2D357A672072533C20228AF1ADBE889FE29D6A7F274F8D88BB32D6A" [0163.149] lstrlenW (lpString=".27652585F2D357A672072533C20228AF1ADBE889FE29D6A7F274F8D88BB32D6A") returned 65 [0163.149] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc6a3c340, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc6a3c340, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6ad48c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.149] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.149] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.149] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.149] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.149] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.149] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.149] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.149] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\PUSSY.TXT") returned 81 [0163.149] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.149] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc6a3c340, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc6a3c340, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6ad48c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.149] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0163.151] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\PUSSY.TXT") returned 81 [0163.151] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\officesoftwareprotectionplatform\\cache\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.151] GetProcessHeap () returned 0x4c0000 [0163.151] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0163.151] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc6b20b80, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc6b20b80, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6b20b80, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.151] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.151] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.151] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.151] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.152] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.152] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.152] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.152] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\PUSSY.TXT") returned 75 [0163.152] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.152] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8c015050, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xfa44d4a0, ftLastAccessTime.dwHighDateTime=0x1d305fd, ftLastWriteTime.dwLowDateTime=0xc6ce9c00, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x469bd5, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="tokens.dat.7E81FBFF00D9189227FC99B2EC4C7669EAF46F2B0E859F778CD1E3E3DD5F2F2B", cAlternateFileName="TOKENS~1.7E8")) returned 1 [0163.152] lstrcmpiW (lpString1="tokens.dat.7E81FBFF00D9189227FC99B2EC4C7669EAF46F2B0E859F778CD1E3E3DD5F2F2B", lpString2="Windows") returned -1 [0163.152] lstrcmpiW (lpString1="tokens.dat.7E81FBFF00D9189227FC99B2EC4C7669EAF46F2B0E859F778CD1E3E3DD5F2F2B", lpString2="Program Files") returned 1 [0163.152] lstrcmpiW (lpString1="tokens.dat.7E81FBFF00D9189227FC99B2EC4C7669EAF46F2B0E859F778CD1E3E3DD5F2F2B", lpString2="Program Files (x86)") returned 1 [0163.152] lstrcmpiW (lpString1="tokens.dat.7E81FBFF00D9189227FC99B2EC4C7669EAF46F2B0E859F778CD1E3E3DD5F2F2B", lpString2="$Recycle.bin") returned 1 [0163.152] lstrcmpiW (lpString1="tokens.dat.7E81FBFF00D9189227FC99B2EC4C7669EAF46F2B0E859F778CD1E3E3DD5F2F2B", lpString2="System Volume Information") returned 1 [0163.152] lstrcmpiW (lpString1="tokens.dat.7E81FBFF00D9189227FC99B2EC4C7669EAF46F2B0E859F778CD1E3E3DD5F2F2B", lpString2=".") returned 1 [0163.152] lstrcmpiW (lpString1="tokens.dat.7E81FBFF00D9189227FC99B2EC4C7669EAF46F2B0E859F778CD1E3E3DD5F2F2B", lpString2="..") returned 1 [0163.152] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat.7E81FBFF00D9189227FC99B2EC4C7669EAF46F2B0E859F778CD1E3E3DD5F2F2B") returned 141 [0163.152] lstrcmpW (lpString1="tokens.dat.7E81FBFF00D9189227FC99B2EC4C7669EAF46F2B0E859F778CD1E3E3DD5F2F2B", lpString2="PUSSY.TXT") returned 1 [0163.152] PathFindExtensionW (pszPath="tokens.dat.7E81FBFF00D9189227FC99B2EC4C7669EAF46F2B0E859F778CD1E3E3DD5F2F2B") returned=".7E81FBFF00D9189227FC99B2EC4C7669EAF46F2B0E859F778CD1E3E3DD5F2F2B" [0163.152] lstrlenW (lpString=".7E81FBFF00D9189227FC99B2EC4C7669EAF46F2B0E859F778CD1E3E3DD5F2F2B") returned 65 [0163.152] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8c015050, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xfa44d4a0, ftLastAccessTime.dwHighDateTime=0x1d305fd, ftLastWriteTime.dwLowDateTime=0xc6ce9c00, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x469bd5, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="tokens.dat.7E81FBFF00D9189227FC99B2EC4C7669EAF46F2B0E859F778CD1E3E3DD5F2F2B", cAlternateFileName="TOKENS~1.7E8")) returned 0 [0163.152] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0163.152] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\PUSSY.TXT") returned 75 [0163.152] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\officesoftwareprotectionplatform\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.152] GetProcessHeap () returned 0x4c0000 [0163.153] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0163.154] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc734f720, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc734f720, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc734f720, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.154] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.154] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.154] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.154] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.154] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.154] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.154] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.154] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\PUSSY.TXT") returned 42 [0163.154] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.154] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc6c053c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6c053c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="RAC", cAlternateFileName="")) returned 1 [0163.154] lstrcmpiW (lpString1="RAC", lpString2="Windows") returned -1 [0163.154] lstrcmpiW (lpString1="RAC", lpString2="Program Files") returned 1 [0163.154] lstrcmpiW (lpString1="RAC", lpString2="Program Files (x86)") returned 1 [0163.154] lstrcmpiW (lpString1="RAC", lpString2="$Recycle.bin") returned 1 [0163.154] lstrcmpiW (lpString1="RAC", lpString2="System Volume Information") returned -1 [0163.154] lstrcmpiW (lpString1="RAC", lpString2=".") returned 1 [0163.154] lstrcmpiW (lpString1="RAC", lpString2="..") returned 1 [0163.154] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC") returned 36 [0163.155] GetProcessHeap () returned 0x4c0000 [0163.155] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0163.155] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC" [0163.155] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\*" [0163.155] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc6c053c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6c053c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0163.156] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.156] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.156] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.156] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.156] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.156] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.156] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc6c053c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6c053c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0163.156] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.156] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.156] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.156] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.156] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.156] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.156] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.156] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc6b20b80, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6b20b80, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="Outbound", cAlternateFileName="")) returned 1 [0163.156] lstrcmpiW (lpString1="Outbound", lpString2="Windows") returned -1 [0163.156] lstrcmpiW (lpString1="Outbound", lpString2="Program Files") returned -1 [0163.156] lstrcmpiW (lpString1="Outbound", lpString2="Program Files (x86)") returned -1 [0163.156] lstrcmpiW (lpString1="Outbound", lpString2="$Recycle.bin") returned 1 [0163.156] lstrcmpiW (lpString1="Outbound", lpString2="System Volume Information") returned -1 [0163.156] lstrcmpiW (lpString1="Outbound", lpString2=".") returned 1 [0163.157] lstrcmpiW (lpString1="Outbound", lpString2="..") returned 1 [0163.157] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Outbound") returned 45 [0163.157] GetProcessHeap () returned 0x4c0000 [0163.157] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0163.158] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Outbound" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Outbound") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Outbound" [0163.158] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Outbound", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Outbound\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Outbound\\*" [0163.158] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Outbound\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc6b20b80, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6b20b80, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0163.158] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.158] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.158] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.158] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.158] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.158] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.158] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc6b20b80, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6b20b80, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0163.158] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.158] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.158] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.158] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.158] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.158] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.158] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.158] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc6b20b80, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc6b20b80, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6b20b80, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.159] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.159] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.159] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.159] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.159] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.159] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.159] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.159] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Outbound\\PUSSY.TXT") returned 55 [0163.159] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.159] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc6b20b80, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc6b20b80, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6b20b80, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.159] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0163.159] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Outbound\\PUSSY.TXT") returned 55 [0163.159] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Outbound\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\rac\\outbound\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.159] GetProcessHeap () returned 0x4c0000 [0163.159] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0163.159] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc6b92fa0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6b92fa0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="PublishedData", cAlternateFileName="PUBLIS~1")) returned 1 [0163.159] lstrcmpiW (lpString1="PublishedData", lpString2="Windows") returned -1 [0163.159] lstrcmpiW (lpString1="PublishedData", lpString2="Program Files") returned 1 [0163.159] lstrcmpiW (lpString1="PublishedData", lpString2="Program Files (x86)") returned 1 [0163.159] lstrcmpiW (lpString1="PublishedData", lpString2="$Recycle.bin") returned 1 [0163.159] lstrcmpiW (lpString1="PublishedData", lpString2="System Volume Information") returned -1 [0163.160] lstrcmpiW (lpString1="PublishedData", lpString2=".") returned 1 [0163.160] lstrcmpiW (lpString1="PublishedData", lpString2="..") returned 1 [0163.160] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData") returned 50 [0163.160] GetProcessHeap () returned 0x4c0000 [0163.160] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0163.160] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData" [0163.160] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\*" [0163.160] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc6b92fa0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6b92fa0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0163.160] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.160] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.160] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.160] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.160] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.160] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.160] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc6b92fa0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6b92fa0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0163.160] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.160] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.160] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.160] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.160] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.161] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.161] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.161] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc6b92fa0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc6b92fa0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6bdf260, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.161] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.161] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.161] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.161] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.161] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.161] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.161] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.161] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\PUSSY.TXT") returned 60 [0163.161] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.161] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xece09220, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xa6414be0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xcc7f6580, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="RacWmiDatabase.sdf", cAlternateFileName="RACWMI~1.SDF")) returned 1 [0163.161] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="Windows") returned -1 [0163.161] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="Program Files") returned 1 [0163.161] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="Program Files (x86)") returned 1 [0163.161] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="$Recycle.bin") returned 1 [0163.161] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="System Volume Information") returned -1 [0163.161] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2=".") returned 1 [0163.161] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="..") returned 1 [0163.161] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf") returned 69 [0163.161] lstrcmpW (lpString1="RacWmiDatabase.sdf", lpString2="PUSSY.TXT") returned 1 [0163.161] PathFindExtensionW (pszPath="RacWmiDatabase.sdf") returned=".sdf" [0163.161] lstrlenW (lpString=".sdf") returned 4 [0163.161] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0163.161] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf" (normalized: "c:\\users\\all users\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.162] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xece09220, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xa6414be0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xcc7f6580, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="RacWmiDatabase.sdf", cAlternateFileName="RACWMI~1.SDF")) returned 0 [0163.162] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0163.162] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\PUSSY.TXT") returned 60 [0163.162] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\rac\\publisheddata\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.162] GetProcessHeap () returned 0x4c0000 [0163.162] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0163.162] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc6c053c0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc6c053c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6c053c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.162] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.162] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.162] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.162] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.162] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.162] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.162] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.162] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PUSSY.TXT") returned 46 [0163.162] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.163] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc6bdf260, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6bdf260, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="StateData", cAlternateFileName="STATED~1")) returned 1 [0163.163] lstrcmpiW (lpString1="StateData", lpString2="Windows") returned -1 [0163.163] lstrcmpiW (lpString1="StateData", lpString2="Program Files") returned 1 [0163.163] lstrcmpiW (lpString1="StateData", lpString2="Program Files (x86)") returned 1 [0163.163] lstrcmpiW (lpString1="StateData", lpString2="$Recycle.bin") returned 1 [0163.163] lstrcmpiW (lpString1="StateData", lpString2="System Volume Information") returned -1 [0163.163] lstrcmpiW (lpString1="StateData", lpString2=".") returned 1 [0163.163] lstrcmpiW (lpString1="StateData", lpString2="..") returned 1 [0163.163] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData") returned 46 [0163.163] GetProcessHeap () returned 0x4c0000 [0163.163] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0163.163] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData" [0163.163] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\*" [0163.163] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc6bdf260, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6bdf260, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0163.163] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.163] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.163] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.163] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.163] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.163] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.163] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc6bdf260, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6bdf260, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0163.164] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.164] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.164] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.164] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.164] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.164] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.164] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.164] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc6bdf260, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc6bdf260, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6bdf260, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.164] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.164] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.164] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.164] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.164] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.164] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.164] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.164] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\PUSSY.TXT") returned 56 [0163.164] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.164] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xecb35800, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xecb35800, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcbd40280, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x85000, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="RacDatabase.sdf", cAlternateFileName="RACDAT~1.SDF")) returned 1 [0163.164] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="Windows") returned -1 [0163.164] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="Program Files") returned 1 [0163.164] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="Program Files (x86)") returned 1 [0163.164] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="$Recycle.bin") returned 1 [0163.164] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="System Volume Information") returned -1 [0163.164] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2=".") returned 1 [0163.164] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="..") returned 1 [0163.164] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf") returned 62 [0163.164] lstrcmpW (lpString1="RacDatabase.sdf", lpString2="PUSSY.TXT") returned 1 [0163.165] PathFindExtensionW (pszPath="RacDatabase.sdf") returned=".sdf" [0163.165] lstrlenW (lpString=".sdf") returned 4 [0163.165] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0163.165] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf" (normalized: "c:\\users\\all users\\microsoft\\rac\\statedata\\racdatabase.sdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.165] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4e1e72ec, ftCreationTime.dwHighDateTime=0x1cb8927, ftLastAccessTime.dwLowDateTime=0x4e1e72ec, ftLastAccessTime.dwHighDateTime=0x1cb8927, ftLastWriteTime.dwLowDateTime=0xbddddec0, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x8, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="RacMetaData.dat", cAlternateFileName="RACMET~1.DAT")) returned 1 [0163.165] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="Windows") returned -1 [0163.165] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="Program Files") returned 1 [0163.165] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="Program Files (x86)") returned 1 [0163.165] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="$Recycle.bin") returned 1 [0163.165] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="System Volume Information") returned -1 [0163.165] lstrcmpiW (lpString1="RacMetaData.dat", lpString2=".") returned 1 [0163.165] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="..") returned 1 [0163.165] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacMetaData.dat") returned 62 [0163.165] lstrcmpW (lpString1="RacMetaData.dat", lpString2="PUSSY.TXT") returned 1 [0163.165] PathFindExtensionW (pszPath="RacMetaData.dat") returned=".dat" [0163.165] lstrlenW (lpString=".dat") returned 4 [0163.165] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0163.166] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacMetaData.dat" (normalized: "c:\\users\\all users\\microsoft\\rac\\statedata\\racmetadata.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.166] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4e1e72ec, ftCreationTime.dwHighDateTime=0x1cb8927, ftLastAccessTime.dwLowDateTime=0x4e1e72ec, ftLastAccessTime.dwHighDateTime=0x1cb8927, ftLastWriteTime.dwLowDateTime=0xbddddec0, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x8, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="RacMetaData.dat", cAlternateFileName="RACMET~1.DAT")) returned 0 [0163.166] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0163.166] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\PUSSY.TXT") returned 56 [0163.166] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\rac\\statedata\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.166] GetProcessHeap () returned 0x4c0000 [0163.166] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0163.166] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc6bdf260, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6bdf260, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="Temp", cAlternateFileName="")) returned 1 [0163.166] lstrcmpiW (lpString1="Temp", lpString2="Windows") returned -1 [0163.166] lstrcmpiW (lpString1="Temp", lpString2="Program Files") returned 1 [0163.166] lstrcmpiW (lpString1="Temp", lpString2="Program Files (x86)") returned 1 [0163.166] lstrcmpiW (lpString1="Temp", lpString2="$Recycle.bin") returned 1 [0163.166] lstrcmpiW (lpString1="Temp", lpString2="System Volume Information") returned 1 [0163.166] lstrcmpiW (lpString1="Temp", lpString2=".") returned 1 [0163.167] lstrcmpiW (lpString1="Temp", lpString2="..") returned 1 [0163.167] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp") returned 41 [0163.167] GetProcessHeap () returned 0x4c0000 [0163.167] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0163.167] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp" [0163.167] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\*" [0163.167] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc6bdf260, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6bdf260, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0163.167] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.167] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.167] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.167] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.167] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.167] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.167] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc6bdf260, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6bdf260, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0163.167] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.167] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.167] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.167] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.167] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.167] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.167] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.168] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc6bdf260, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc6bdf260, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6c053c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.168] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.168] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.168] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.168] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.168] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.168] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.168] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.168] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\PUSSY.TXT") returned 51 [0163.168] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.168] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa64f9420, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xa64f9420, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xa64f9420, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="sqlA553.tmp", cAlternateFileName="")) returned 1 [0163.168] lstrcmpiW (lpString1="sqlA553.tmp", lpString2="Windows") returned -1 [0163.168] lstrcmpiW (lpString1="sqlA553.tmp", lpString2="Program Files") returned 1 [0163.168] lstrcmpiW (lpString1="sqlA553.tmp", lpString2="Program Files (x86)") returned 1 [0163.168] lstrcmpiW (lpString1="sqlA553.tmp", lpString2="$Recycle.bin") returned 1 [0163.168] lstrcmpiW (lpString1="sqlA553.tmp", lpString2="System Volume Information") returned -1 [0163.168] lstrcmpiW (lpString1="sqlA553.tmp", lpString2=".") returned 1 [0163.168] lstrcmpiW (lpString1="sqlA553.tmp", lpString2="..") returned 1 [0163.168] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\sqlA553.tmp") returned 53 [0163.168] lstrcmpW (lpString1="sqlA553.tmp", lpString2="PUSSY.TXT") returned 1 [0163.168] PathFindExtensionW (pszPath="sqlA553.tmp") returned=".tmp" [0163.168] lstrlenW (lpString=".tmp") returned 4 [0163.168] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0163.168] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\sqlA553.tmp" (normalized: "c:\\users\\all users\\microsoft\\rac\\temp\\sqla553.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.169] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa651f580, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xa651f580, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xa65456e0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="sqlA563.tmp", cAlternateFileName="")) returned 1 [0163.169] lstrcmpiW (lpString1="sqlA563.tmp", lpString2="Windows") returned -1 [0163.169] lstrcmpiW (lpString1="sqlA563.tmp", lpString2="Program Files") returned 1 [0163.169] lstrcmpiW (lpString1="sqlA563.tmp", lpString2="Program Files (x86)") returned 1 [0163.169] lstrcmpiW (lpString1="sqlA563.tmp", lpString2="$Recycle.bin") returned 1 [0163.169] lstrcmpiW (lpString1="sqlA563.tmp", lpString2="System Volume Information") returned -1 [0163.169] lstrcmpiW (lpString1="sqlA563.tmp", lpString2=".") returned 1 [0163.169] lstrcmpiW (lpString1="sqlA563.tmp", lpString2="..") returned 1 [0163.169] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\sqlA563.tmp") returned 53 [0163.169] lstrcmpW (lpString1="sqlA563.tmp", lpString2="PUSSY.TXT") returned 1 [0163.169] PathFindExtensionW (pszPath="sqlA563.tmp") returned=".tmp" [0163.169] lstrlenW (lpString=".tmp") returned 4 [0163.169] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0163.169] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\sqlA563.tmp" (normalized: "c:\\users\\all users\\microsoft\\rac\\temp\\sqla563.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.169] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa651f580, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xa651f580, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xa65456e0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="sqlA563.tmp", cAlternateFileName="")) returned 0 [0163.169] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0163.170] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\PUSSY.TXT") returned 51 [0163.170] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\rac\\temp\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.170] GetProcessHeap () returned 0x4c0000 [0163.170] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0163.170] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc6bdf260, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6bdf260, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="Temp", cAlternateFileName="")) returned 0 [0163.170] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0163.170] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PUSSY.TXT") returned 46 [0163.170] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\rac\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.170] GetProcessHeap () returned 0x4c0000 [0163.170] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0163.172] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xc6c51680, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6c51680, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Search", cAlternateFileName="")) returned 1 [0163.172] lstrcmpiW (lpString1="Search", lpString2="Windows") returned -1 [0163.172] lstrcmpiW (lpString1="Search", lpString2="Program Files") returned 1 [0163.172] lstrcmpiW (lpString1="Search", lpString2="Program Files (x86)") returned 1 [0163.172] lstrcmpiW (lpString1="Search", lpString2="$Recycle.bin") returned 1 [0163.172] lstrcmpiW (lpString1="Search", lpString2="System Volume Information") returned -1 [0163.172] lstrcmpiW (lpString1="Search", lpString2=".") returned 1 [0163.172] lstrcmpiW (lpString1="Search", lpString2="..") returned 1 [0163.172] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search") returned 39 [0163.172] GetProcessHeap () returned 0x4c0000 [0163.172] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0163.173] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search" [0163.173] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\*" [0163.173] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xc6c51680, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6c51680, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0163.173] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.173] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.173] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.173] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.173] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.173] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.173] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xc6c51680, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6c51680, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0163.174] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.174] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.174] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.174] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.174] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.174] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.174] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.174] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xc6c51680, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6c51680, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="Data", cAlternateFileName="")) returned 1 [0163.174] lstrcmpiW (lpString1="Data", lpString2="Windows") returned -1 [0163.174] lstrcmpiW (lpString1="Data", lpString2="Program Files") returned -1 [0163.174] lstrcmpiW (lpString1="Data", lpString2="Program Files (x86)") returned -1 [0163.174] lstrcmpiW (lpString1="Data", lpString2="$Recycle.bin") returned 1 [0163.174] lstrcmpiW (lpString1="Data", lpString2="System Volume Information") returned -1 [0163.174] lstrcmpiW (lpString1="Data", lpString2=".") returned 1 [0163.174] lstrcmpiW (lpString1="Data", lpString2="..") returned 1 [0163.174] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data") returned 44 [0163.174] GetProcessHeap () returned 0x4c0000 [0163.174] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0163.175] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data" [0163.175] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\*" [0163.175] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xc6c51680, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6c51680, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0163.176] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.176] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.176] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.176] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.176] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.176] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.176] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xc6c51680, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6c51680, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0163.176] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.176] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.176] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.176] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.176] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.176] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.176] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.176] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xc6c2b520, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6c2b520, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="Applications", cAlternateFileName="APPLIC~1")) returned 1 [0163.176] lstrcmpiW (lpString1="Applications", lpString2="Windows") returned -1 [0163.176] lstrcmpiW (lpString1="Applications", lpString2="Program Files") returned -1 [0163.176] lstrcmpiW (lpString1="Applications", lpString2="Program Files (x86)") returned -1 [0163.176] lstrcmpiW (lpString1="Applications", lpString2="$Recycle.bin") returned 1 [0163.176] lstrcmpiW (lpString1="Applications", lpString2="System Volume Information") returned -1 [0163.176] lstrcmpiW (lpString1="Applications", lpString2=".") returned 1 [0163.176] lstrcmpiW (lpString1="Applications", lpString2="..") returned 1 [0163.176] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications") returned 57 [0163.176] GetProcessHeap () returned 0x4c0000 [0163.177] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0163.177] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications" [0163.177] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\*" [0163.177] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xc6c2b520, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6c2b520, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0163.177] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.177] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.177] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.177] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.177] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.177] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.177] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xc6c2b520, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6c2b520, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0163.178] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.178] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.178] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.178] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.178] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.178] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.178] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.178] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc6c2b520, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc6c2b520, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6c2b520, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.178] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.178] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.178] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.178] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.178] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.178] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.178] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.178] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\PUSSY.TXT") returned 67 [0163.178] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.178] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29612a20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29612a20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="Windows", cAlternateFileName="")) returned 1 [0163.178] lstrcmpiW (lpString1="Windows", lpString2="Windows") returned 0 [0163.178] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29612a20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29612a20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="Windows", cAlternateFileName="")) returned 0 [0163.178] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0163.178] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\PUSSY.TXT") returned 67 [0163.178] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\search\\data\\applications\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.179] GetProcessHeap () returned 0x4c0000 [0163.179] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0163.179] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc6c51680, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc6c51680, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6c51680, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.179] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.179] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.179] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.179] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.179] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.179] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.179] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.179] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\PUSSY.TXT") returned 54 [0163.179] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.179] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e1ecc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xc6c2b520, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6c2b520, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="Temp", cAlternateFileName="")) returned 1 [0163.179] lstrcmpiW (lpString1="Temp", lpString2="Windows") returned -1 [0163.179] lstrcmpiW (lpString1="Temp", lpString2="Program Files") returned 1 [0163.179] lstrcmpiW (lpString1="Temp", lpString2="Program Files (x86)") returned 1 [0163.179] lstrcmpiW (lpString1="Temp", lpString2="$Recycle.bin") returned 1 [0163.179] lstrcmpiW (lpString1="Temp", lpString2="System Volume Information") returned 1 [0163.179] lstrcmpiW (lpString1="Temp", lpString2=".") returned 1 [0163.179] lstrcmpiW (lpString1="Temp", lpString2="..") returned 1 [0163.179] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp") returned 49 [0163.179] GetProcessHeap () returned 0x4c0000 [0163.179] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0163.179] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp" [0163.179] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\*" [0163.180] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e1ecc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xc6c2b520, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6c2b520, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0163.180] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.180] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.180] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.180] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.180] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.180] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.180] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e1ecc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xc6c2b520, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6c2b520, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0163.180] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.180] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.180] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.180] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.180] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.180] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.180] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.180] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc6c2b520, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc6c2b520, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6c2b520, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.180] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.180] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.180] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.180] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.180] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.181] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.181] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.181] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\PUSSY.TXT") returned 59 [0163.181] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.181] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc6c2b520, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc6c2b520, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6c2b520, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.181] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0163.181] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\PUSSY.TXT") returned 59 [0163.181] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\search\\data\\temp\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.181] GetProcessHeap () returned 0x4c0000 [0163.181] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0163.181] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e1ecc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xc6c2b520, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6c2b520, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xfe000000, cFileName="Temp", cAlternateFileName="")) returned 0 [0163.181] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0163.181] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\PUSSY.TXT") returned 54 [0163.181] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\search\\data\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.181] GetProcessHeap () returned 0x4c0000 [0163.181] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0163.181] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc6c51680, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc6c51680, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6c51680, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.182] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.182] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.182] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.182] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.182] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.182] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.182] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.182] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\PUSSY.TXT") returned 49 [0163.182] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.182] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc6c51680, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc6c51680, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6c51680, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.182] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0163.182] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\PUSSY.TXT") returned 49 [0163.182] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\search\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.182] GetProcessHeap () returned 0x4c0000 [0163.182] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0163.184] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc7291040, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7291040, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="User Account Pictures", cAlternateFileName="USERAC~1")) returned 1 [0163.184] lstrcmpiW (lpString1="User Account Pictures", lpString2="Windows") returned -1 [0163.184] lstrcmpiW (lpString1="User Account Pictures", lpString2="Program Files") returned 1 [0163.184] lstrcmpiW (lpString1="User Account Pictures", lpString2="Program Files (x86)") returned 1 [0163.184] lstrcmpiW (lpString1="User Account Pictures", lpString2="$Recycle.bin") returned 1 [0163.184] lstrcmpiW (lpString1="User Account Pictures", lpString2="System Volume Information") returned 1 [0163.184] lstrcmpiW (lpString1="User Account Pictures", lpString2=".") returned 1 [0163.184] lstrcmpiW (lpString1="User Account Pictures", lpString2="..") returned 1 [0163.184] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures") returned 54 [0163.184] GetProcessHeap () returned 0x4c0000 [0163.184] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0163.185] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures" [0163.185] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*" [0163.185] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc7291040, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7291040, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0163.185] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.185] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.185] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.185] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.185] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.186] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.186] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc7291040, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7291040, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0163.186] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.186] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.186] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.186] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.186] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.186] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.186] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.186] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x29423840, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29423840, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29423840, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="5p5NrGJn0jS HALPmcxz.dat", cAlternateFileName="5P5NRG~1.DAT")) returned 1 [0163.186] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="Windows") returned -1 [0163.186] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="Program Files") returned -1 [0163.186] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="Program Files (x86)") returned -1 [0163.186] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="$Recycle.bin") returned 1 [0163.186] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="System Volume Information") returned -1 [0163.186] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2=".") returned 1 [0163.186] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="..") returned 1 [0163.186] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat") returned 79 [0163.186] lstrcmpW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="PUSSY.TXT") returned -1 [0163.186] PathFindExtensionW (pszPath="5p5NrGJn0jS HALPmcxz.dat") returned=".dat" [0163.186] lstrlenW (lpString=".dat") returned 4 [0163.186] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0163.186] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\5p5nrgjn0js halpmcxz.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0163.187] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=0) returned 1 [0163.187] CloseHandle (hObject=0x120) returned 1 [0163.187] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc6cc3aa0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6cc3aa0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="Default Pictures", cAlternateFileName="DEFAUL~1")) returned 1 [0163.187] lstrcmpiW (lpString1="Default Pictures", lpString2="Windows") returned -1 [0163.187] lstrcmpiW (lpString1="Default Pictures", lpString2="Program Files") returned -1 [0163.187] lstrcmpiW (lpString1="Default Pictures", lpString2="Program Files (x86)") returned -1 [0163.187] lstrcmpiW (lpString1="Default Pictures", lpString2="$Recycle.bin") returned 1 [0163.187] lstrcmpiW (lpString1="Default Pictures", lpString2="System Volume Information") returned -1 [0163.188] lstrcmpiW (lpString1="Default Pictures", lpString2=".") returned 1 [0163.188] lstrcmpiW (lpString1="Default Pictures", lpString2="..") returned 1 [0163.188] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures") returned 71 [0163.188] GetProcessHeap () returned 0x4c0000 [0163.188] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0163.189] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures" [0163.189] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*" [0163.189] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc6cc3aa0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6cc3aa0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0163.189] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.189] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.189] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.189] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.189] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.189] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.189] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc6cc3aa0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6cc3aa0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0163.189] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.189] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.189] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.189] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.190] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.190] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.190] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.190] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc6cc3aa0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc6cc3aa0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6cc3aa0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.190] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.190] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.190] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.190] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.190] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.190] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.190] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.190] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\PUSSY.TXT") returned 81 [0163.190] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.190] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae24f474, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae24f474, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xda0a8861, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile10.bmp", cAlternateFileName="")) returned 1 [0163.190] lstrcmpiW (lpString1="usertile10.bmp", lpString2="Windows") returned -1 [0163.190] lstrcmpiW (lpString1="usertile10.bmp", lpString2="Program Files") returned 1 [0163.190] lstrcmpiW (lpString1="usertile10.bmp", lpString2="Program Files (x86)") returned 1 [0163.190] lstrcmpiW (lpString1="usertile10.bmp", lpString2="$Recycle.bin") returned 1 [0163.190] lstrcmpiW (lpString1="usertile10.bmp", lpString2="System Volume Information") returned 1 [0163.190] lstrcmpiW (lpString1="usertile10.bmp", lpString2=".") returned 1 [0163.190] lstrcmpiW (lpString1="usertile10.bmp", lpString2="..") returned 1 [0163.190] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp") returned 86 [0163.190] lstrcmpW (lpString1="usertile10.bmp", lpString2="PUSSY.TXT") returned 1 [0163.190] PathFindExtensionW (pszPath="usertile10.bmp") returned=".bmp" [0163.190] lstrlenW (lpString=".bmp") returned 4 [0163.190] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0163.190] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile10.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.191] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae24f474, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae24f474, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdb5a2927, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile11.bmp", cAlternateFileName="")) returned 1 [0163.191] lstrcmpiW (lpString1="usertile11.bmp", lpString2="Windows") returned -1 [0163.191] lstrcmpiW (lpString1="usertile11.bmp", lpString2="Program Files") returned 1 [0163.191] lstrcmpiW (lpString1="usertile11.bmp", lpString2="Program Files (x86)") returned 1 [0163.191] lstrcmpiW (lpString1="usertile11.bmp", lpString2="$Recycle.bin") returned 1 [0163.191] lstrcmpiW (lpString1="usertile11.bmp", lpString2="System Volume Information") returned 1 [0163.191] lstrcmpiW (lpString1="usertile11.bmp", lpString2=".") returned 1 [0163.191] lstrcmpiW (lpString1="usertile11.bmp", lpString2="..") returned 1 [0163.191] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp") returned 86 [0163.191] lstrcmpW (lpString1="usertile11.bmp", lpString2="PUSSY.TXT") returned 1 [0163.191] PathFindExtensionW (pszPath="usertile11.bmp") returned=".bmp" [0163.191] lstrlenW (lpString=".bmp") returned 4 [0163.191] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0163.191] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile11.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.191] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae2755d1, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae2755d1, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdb6d3417, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile12.bmp", cAlternateFileName="")) returned 1 [0163.191] lstrcmpiW (lpString1="usertile12.bmp", lpString2="Windows") returned -1 [0163.191] lstrcmpiW (lpString1="usertile12.bmp", lpString2="Program Files") returned 1 [0163.191] lstrcmpiW (lpString1="usertile12.bmp", lpString2="Program Files (x86)") returned 1 [0163.191] lstrcmpiW (lpString1="usertile12.bmp", lpString2="$Recycle.bin") returned 1 [0163.192] lstrcmpiW (lpString1="usertile12.bmp", lpString2="System Volume Information") returned 1 [0163.192] lstrcmpiW (lpString1="usertile12.bmp", lpString2=".") returned 1 [0163.192] lstrcmpiW (lpString1="usertile12.bmp", lpString2="..") returned 1 [0163.192] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp") returned 86 [0163.192] lstrcmpW (lpString1="usertile12.bmp", lpString2="PUSSY.TXT") returned 1 [0163.192] PathFindExtensionW (pszPath="usertile12.bmp") returned=".bmp" [0163.192] lstrlenW (lpString=".bmp") returned 4 [0163.192] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0163.192] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile12.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.192] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae29b72e, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae29b72e, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdb76b98f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xbeb8, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile13.bmp", cAlternateFileName="")) returned 1 [0163.192] lstrcmpiW (lpString1="usertile13.bmp", lpString2="Windows") returned -1 [0163.192] lstrcmpiW (lpString1="usertile13.bmp", lpString2="Program Files") returned 1 [0163.192] lstrcmpiW (lpString1="usertile13.bmp", lpString2="Program Files (x86)") returned 1 [0163.192] lstrcmpiW (lpString1="usertile13.bmp", lpString2="$Recycle.bin") returned 1 [0163.192] lstrcmpiW (lpString1="usertile13.bmp", lpString2="System Volume Information") returned 1 [0163.192] lstrcmpiW (lpString1="usertile13.bmp", lpString2=".") returned 1 [0163.192] lstrcmpiW (lpString1="usertile13.bmp", lpString2="..") returned 1 [0163.192] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp") returned 86 [0163.192] lstrcmpW (lpString1="usertile13.bmp", lpString2="PUSSY.TXT") returned 1 [0163.192] PathFindExtensionW (pszPath="usertile13.bmp") returned=".bmp" [0163.192] lstrlenW (lpString=".bmp") returned 4 [0163.192] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0163.192] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile13.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.193] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae2e79e8, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae2e79e8, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdb82a065, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile14.bmp", cAlternateFileName="")) returned 1 [0163.193] lstrcmpiW (lpString1="usertile14.bmp", lpString2="Windows") returned -1 [0163.193] lstrcmpiW (lpString1="usertile14.bmp", lpString2="Program Files") returned 1 [0163.193] lstrcmpiW (lpString1="usertile14.bmp", lpString2="Program Files (x86)") returned 1 [0163.193] lstrcmpiW (lpString1="usertile14.bmp", lpString2="$Recycle.bin") returned 1 [0163.193] lstrcmpiW (lpString1="usertile14.bmp", lpString2="System Volume Information") returned 1 [0163.193] lstrcmpiW (lpString1="usertile14.bmp", lpString2=".") returned 1 [0163.193] lstrcmpiW (lpString1="usertile14.bmp", lpString2="..") returned 1 [0163.193] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp") returned 86 [0163.193] lstrcmpW (lpString1="usertile14.bmp", lpString2="PUSSY.TXT") returned 1 [0163.193] PathFindExtensionW (pszPath="usertile14.bmp") returned=".bmp" [0163.193] lstrlenW (lpString=".bmp") returned 4 [0163.193] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0163.193] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile14.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.193] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae2e79e8, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae2e79e8, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdbb95fd7, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile15.bmp", cAlternateFileName="")) returned 1 [0163.193] lstrcmpiW (lpString1="usertile15.bmp", lpString2="Windows") returned -1 [0163.193] lstrcmpiW (lpString1="usertile15.bmp", lpString2="Program Files") returned 1 [0163.193] lstrcmpiW (lpString1="usertile15.bmp", lpString2="Program Files (x86)") returned 1 [0163.193] lstrcmpiW (lpString1="usertile15.bmp", lpString2="$Recycle.bin") returned 1 [0163.193] lstrcmpiW (lpString1="usertile15.bmp", lpString2="System Volume Information") returned 1 [0163.194] lstrcmpiW (lpString1="usertile15.bmp", lpString2=".") returned 1 [0163.194] lstrcmpiW (lpString1="usertile15.bmp", lpString2="..") returned 1 [0163.194] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp") returned 86 [0163.194] lstrcmpW (lpString1="usertile15.bmp", lpString2="PUSSY.TXT") returned 1 [0163.194] PathFindExtensionW (pszPath="usertile15.bmp") returned=".bmp" [0163.194] lstrlenW (lpString=".bmp") returned 4 [0163.194] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0163.194] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile15.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.194] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae30db45, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae30db45, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdca9c9ed, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile16.bmp", cAlternateFileName="")) returned 1 [0163.194] lstrcmpiW (lpString1="usertile16.bmp", lpString2="Windows") returned -1 [0163.194] lstrcmpiW (lpString1="usertile16.bmp", lpString2="Program Files") returned 1 [0163.194] lstrcmpiW (lpString1="usertile16.bmp", lpString2="Program Files (x86)") returned 1 [0163.194] lstrcmpiW (lpString1="usertile16.bmp", lpString2="$Recycle.bin") returned 1 [0163.194] lstrcmpiW (lpString1="usertile16.bmp", lpString2="System Volume Information") returned 1 [0163.194] lstrcmpiW (lpString1="usertile16.bmp", lpString2=".") returned 1 [0163.194] lstrcmpiW (lpString1="usertile16.bmp", lpString2="..") returned 1 [0163.194] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp") returned 86 [0163.194] lstrcmpW (lpString1="usertile16.bmp", lpString2="PUSSY.TXT") returned 1 [0163.194] PathFindExtensionW (pszPath="usertile16.bmp") returned=".bmp" [0163.194] lstrlenW (lpString=".bmp") returned 4 [0163.194] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0163.194] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile16.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.195] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae333ca2, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae333ca2, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdcc3f8f7, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile17.bmp", cAlternateFileName="")) returned 1 [0163.195] lstrcmpiW (lpString1="usertile17.bmp", lpString2="Windows") returned -1 [0163.195] lstrcmpiW (lpString1="usertile17.bmp", lpString2="Program Files") returned 1 [0163.195] lstrcmpiW (lpString1="usertile17.bmp", lpString2="Program Files (x86)") returned 1 [0163.195] lstrcmpiW (lpString1="usertile17.bmp", lpString2="$Recycle.bin") returned 1 [0163.195] lstrcmpiW (lpString1="usertile17.bmp", lpString2="System Volume Information") returned 1 [0163.195] lstrcmpiW (lpString1="usertile17.bmp", lpString2=".") returned 1 [0163.195] lstrcmpiW (lpString1="usertile17.bmp", lpString2="..") returned 1 [0163.195] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp") returned 86 [0163.195] lstrcmpW (lpString1="usertile17.bmp", lpString2="PUSSY.TXT") returned 1 [0163.195] PathFindExtensionW (pszPath="usertile17.bmp") returned=".bmp" [0163.195] lstrlenW (lpString=".bmp") returned 4 [0163.195] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0163.195] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile17.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.195] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae333ca2, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae333ca2, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdcc65a55, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile18.bmp", cAlternateFileName="")) returned 1 [0163.195] lstrcmpiW (lpString1="usertile18.bmp", lpString2="Windows") returned -1 [0163.195] lstrcmpiW (lpString1="usertile18.bmp", lpString2="Program Files") returned 1 [0163.195] lstrcmpiW (lpString1="usertile18.bmp", lpString2="Program Files (x86)") returned 1 [0163.195] lstrcmpiW (lpString1="usertile18.bmp", lpString2="$Recycle.bin") returned 1 [0163.195] lstrcmpiW (lpString1="usertile18.bmp", lpString2="System Volume Information") returned 1 [0163.195] lstrcmpiW (lpString1="usertile18.bmp", lpString2=".") returned 1 [0163.195] lstrcmpiW (lpString1="usertile18.bmp", lpString2="..") returned 1 [0163.195] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp") returned 86 [0163.196] lstrcmpW (lpString1="usertile18.bmp", lpString2="PUSSY.TXT") returned 1 [0163.196] PathFindExtensionW (pszPath="usertile18.bmp") returned=".bmp" [0163.196] lstrlenW (lpString=".bmp") returned 4 [0163.196] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0163.196] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile18.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.196] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae359dff, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae359dff, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdcc8bbb3, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile19.bmp", cAlternateFileName="")) returned 1 [0163.196] lstrcmpiW (lpString1="usertile19.bmp", lpString2="Windows") returned -1 [0163.196] lstrcmpiW (lpString1="usertile19.bmp", lpString2="Program Files") returned 1 [0163.196] lstrcmpiW (lpString1="usertile19.bmp", lpString2="Program Files (x86)") returned 1 [0163.196] lstrcmpiW (lpString1="usertile19.bmp", lpString2="$Recycle.bin") returned 1 [0163.196] lstrcmpiW (lpString1="usertile19.bmp", lpString2="System Volume Information") returned 1 [0163.196] lstrcmpiW (lpString1="usertile19.bmp", lpString2=".") returned 1 [0163.196] lstrcmpiW (lpString1="usertile19.bmp", lpString2="..") returned 1 [0163.196] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp") returned 86 [0163.196] lstrcmpW (lpString1="usertile19.bmp", lpString2="PUSSY.TXT") returned 1 [0163.196] PathFindExtensionW (pszPath="usertile19.bmp") returned=".bmp" [0163.196] lstrlenW (lpString=".bmp") returned 4 [0163.196] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0163.196] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile19.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.197] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae37ff5c, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae37ff5c, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdccb1d11, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile20.bmp", cAlternateFileName="")) returned 1 [0163.197] lstrcmpiW (lpString1="usertile20.bmp", lpString2="Windows") returned -1 [0163.197] lstrcmpiW (lpString1="usertile20.bmp", lpString2="Program Files") returned 1 [0163.197] lstrcmpiW (lpString1="usertile20.bmp", lpString2="Program Files (x86)") returned 1 [0163.197] lstrcmpiW (lpString1="usertile20.bmp", lpString2="$Recycle.bin") returned 1 [0163.197] lstrcmpiW (lpString1="usertile20.bmp", lpString2="System Volume Information") returned 1 [0163.197] lstrcmpiW (lpString1="usertile20.bmp", lpString2=".") returned 1 [0163.197] lstrcmpiW (lpString1="usertile20.bmp", lpString2="..") returned 1 [0163.197] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp") returned 86 [0163.197] lstrcmpW (lpString1="usertile20.bmp", lpString2="PUSSY.TXT") returned 1 [0163.197] PathFindExtensionW (pszPath="usertile20.bmp") returned=".bmp" [0163.197] lstrlenW (lpString=".bmp") returned 4 [0163.197] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0163.197] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile20.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.197] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3a60b9, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3a60b9, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd069f3f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile21.bmp", cAlternateFileName="")) returned 1 [0163.197] lstrcmpiW (lpString1="usertile21.bmp", lpString2="Windows") returned -1 [0163.197] lstrcmpiW (lpString1="usertile21.bmp", lpString2="Program Files") returned 1 [0163.197] lstrcmpiW (lpString1="usertile21.bmp", lpString2="Program Files (x86)") returned 1 [0163.197] lstrcmpiW (lpString1="usertile21.bmp", lpString2="$Recycle.bin") returned 1 [0163.197] lstrcmpiW (lpString1="usertile21.bmp", lpString2="System Volume Information") returned 1 [0163.197] lstrcmpiW (lpString1="usertile21.bmp", lpString2=".") returned 1 [0163.197] lstrcmpiW (lpString1="usertile21.bmp", lpString2="..") returned 1 [0163.197] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp") returned 86 [0163.197] lstrcmpW (lpString1="usertile21.bmp", lpString2="PUSSY.TXT") returned 1 [0163.198] PathFindExtensionW (pszPath="usertile21.bmp") returned=".bmp" [0163.198] lstrlenW (lpString=".bmp") returned 4 [0163.198] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0163.198] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile21.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.198] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3a60b9, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3a60b9, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd09009d, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile22.bmp", cAlternateFileName="")) returned 1 [0163.198] lstrcmpiW (lpString1="usertile22.bmp", lpString2="Windows") returned -1 [0163.198] lstrcmpiW (lpString1="usertile22.bmp", lpString2="Program Files") returned 1 [0163.198] lstrcmpiW (lpString1="usertile22.bmp", lpString2="Program Files (x86)") returned 1 [0163.198] lstrcmpiW (lpString1="usertile22.bmp", lpString2="$Recycle.bin") returned 1 [0163.198] lstrcmpiW (lpString1="usertile22.bmp", lpString2="System Volume Information") returned 1 [0163.198] lstrcmpiW (lpString1="usertile22.bmp", lpString2=".") returned 1 [0163.198] lstrcmpiW (lpString1="usertile22.bmp", lpString2="..") returned 1 [0163.198] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp") returned 86 [0163.198] lstrcmpW (lpString1="usertile22.bmp", lpString2="PUSSY.TXT") returned 1 [0163.198] PathFindExtensionW (pszPath="usertile22.bmp") returned=".bmp" [0163.198] lstrlenW (lpString=".bmp") returned 4 [0163.198] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0163.198] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile22.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.198] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3cc216, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3cc216, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd0b61fb, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile23.bmp", cAlternateFileName="")) returned 1 [0163.199] lstrcmpiW (lpString1="usertile23.bmp", lpString2="Windows") returned -1 [0163.199] lstrcmpiW (lpString1="usertile23.bmp", lpString2="Program Files") returned 1 [0163.199] lstrcmpiW (lpString1="usertile23.bmp", lpString2="Program Files (x86)") returned 1 [0163.199] lstrcmpiW (lpString1="usertile23.bmp", lpString2="$Recycle.bin") returned 1 [0163.199] lstrcmpiW (lpString1="usertile23.bmp", lpString2="System Volume Information") returned 1 [0163.199] lstrcmpiW (lpString1="usertile23.bmp", lpString2=".") returned 1 [0163.199] lstrcmpiW (lpString1="usertile23.bmp", lpString2="..") returned 1 [0163.199] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp") returned 86 [0163.199] lstrcmpW (lpString1="usertile23.bmp", lpString2="PUSSY.TXT") returned 1 [0163.199] PathFindExtensionW (pszPath="usertile23.bmp") returned=".bmp" [0163.199] lstrlenW (lpString=".bmp") returned 4 [0163.199] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0163.199] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile23.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.199] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3f2373, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3f2373, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd232fa7, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile24.bmp", cAlternateFileName="")) returned 1 [0163.199] lstrcmpiW (lpString1="usertile24.bmp", lpString2="Windows") returned -1 [0163.199] lstrcmpiW (lpString1="usertile24.bmp", lpString2="Program Files") returned 1 [0163.199] lstrcmpiW (lpString1="usertile24.bmp", lpString2="Program Files (x86)") returned 1 [0163.199] lstrcmpiW (lpString1="usertile24.bmp", lpString2="$Recycle.bin") returned 1 [0163.199] lstrcmpiW (lpString1="usertile24.bmp", lpString2="System Volume Information") returned 1 [0163.199] lstrcmpiW (lpString1="usertile24.bmp", lpString2=".") returned 1 [0163.199] lstrcmpiW (lpString1="usertile24.bmp", lpString2="..") returned 1 [0163.199] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp") returned 86 [0163.199] lstrcmpW (lpString1="usertile24.bmp", lpString2="PUSSY.TXT") returned 1 [0163.199] PathFindExtensionW (pszPath="usertile24.bmp") returned=".bmp" [0163.200] lstrlenW (lpString=".bmp") returned 4 [0163.200] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0163.200] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile24.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.200] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3f2373, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3f2373, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd259105, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile25.bmp", cAlternateFileName="")) returned 1 [0163.200] lstrcmpiW (lpString1="usertile25.bmp", lpString2="Windows") returned -1 [0163.200] lstrcmpiW (lpString1="usertile25.bmp", lpString2="Program Files") returned 1 [0163.200] lstrcmpiW (lpString1="usertile25.bmp", lpString2="Program Files (x86)") returned 1 [0163.200] lstrcmpiW (lpString1="usertile25.bmp", lpString2="$Recycle.bin") returned 1 [0163.200] lstrcmpiW (lpString1="usertile25.bmp", lpString2="System Volume Information") returned 1 [0163.200] lstrcmpiW (lpString1="usertile25.bmp", lpString2=".") returned 1 [0163.200] lstrcmpiW (lpString1="usertile25.bmp", lpString2="..") returned 1 [0163.200] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp") returned 86 [0163.200] lstrcmpW (lpString1="usertile25.bmp", lpString2="PUSSY.TXT") returned 1 [0163.200] PathFindExtensionW (pszPath="usertile25.bmp") returned=".bmp" [0163.200] lstrlenW (lpString=".bmp") returned 4 [0163.200] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0163.200] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile25.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.200] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3f2373, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3f2373, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd27f263, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile26.bmp", cAlternateFileName="")) returned 1 [0163.200] lstrcmpiW (lpString1="usertile26.bmp", lpString2="Windows") returned -1 [0163.200] lstrcmpiW (lpString1="usertile26.bmp", lpString2="Program Files") returned 1 [0163.201] lstrcmpiW (lpString1="usertile26.bmp", lpString2="Program Files (x86)") returned 1 [0163.201] lstrcmpiW (lpString1="usertile26.bmp", lpString2="$Recycle.bin") returned 1 [0163.201] lstrcmpiW (lpString1="usertile26.bmp", lpString2="System Volume Information") returned 1 [0163.201] lstrcmpiW (lpString1="usertile26.bmp", lpString2=".") returned 1 [0163.201] lstrcmpiW (lpString1="usertile26.bmp", lpString2="..") returned 1 [0163.201] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp") returned 86 [0163.201] lstrcmpW (lpString1="usertile26.bmp", lpString2="PUSSY.TXT") returned 1 [0163.201] PathFindExtensionW (pszPath="usertile26.bmp") returned=".bmp" [0163.201] lstrlenW (lpString=".bmp") returned 4 [0163.201] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0163.201] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile26.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.201] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae4184d0, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae4184d0, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd2a53c1, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile27.bmp", cAlternateFileName="")) returned 1 [0163.201] lstrcmpiW (lpString1="usertile27.bmp", lpString2="Windows") returned -1 [0163.201] lstrcmpiW (lpString1="usertile27.bmp", lpString2="Program Files") returned 1 [0163.201] lstrcmpiW (lpString1="usertile27.bmp", lpString2="Program Files (x86)") returned 1 [0163.201] lstrcmpiW (lpString1="usertile27.bmp", lpString2="$Recycle.bin") returned 1 [0163.201] lstrcmpiW (lpString1="usertile27.bmp", lpString2="System Volume Information") returned 1 [0163.201] lstrcmpiW (lpString1="usertile27.bmp", lpString2=".") returned 1 [0163.201] lstrcmpiW (lpString1="usertile27.bmp", lpString2="..") returned 1 [0163.201] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp") returned 86 [0163.201] lstrcmpW (lpString1="usertile27.bmp", lpString2="PUSSY.TXT") returned 1 [0163.201] PathFindExtensionW (pszPath="usertile27.bmp") returned=".bmp" [0163.201] lstrlenW (lpString=".bmp") returned 4 [0163.201] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0163.202] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile27.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.202] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae43e62d, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae43e62d, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd3177db, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile28.bmp", cAlternateFileName="")) returned 1 [0163.202] lstrcmpiW (lpString1="usertile28.bmp", lpString2="Windows") returned -1 [0163.202] lstrcmpiW (lpString1="usertile28.bmp", lpString2="Program Files") returned 1 [0163.202] lstrcmpiW (lpString1="usertile28.bmp", lpString2="Program Files (x86)") returned 1 [0163.202] lstrcmpiW (lpString1="usertile28.bmp", lpString2="$Recycle.bin") returned 1 [0163.202] lstrcmpiW (lpString1="usertile28.bmp", lpString2="System Volume Information") returned 1 [0163.202] lstrcmpiW (lpString1="usertile28.bmp", lpString2=".") returned 1 [0163.202] lstrcmpiW (lpString1="usertile28.bmp", lpString2="..") returned 1 [0163.202] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp") returned 86 [0163.202] lstrcmpW (lpString1="usertile28.bmp", lpString2="PUSSY.TXT") returned 1 [0163.202] PathFindExtensionW (pszPath="usertile28.bmp") returned=".bmp" [0163.202] lstrlenW (lpString=".bmp") returned 4 [0163.202] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0163.202] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile28.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.202] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae43e62d, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae43e62d, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd33d939, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile29.bmp", cAlternateFileName="")) returned 1 [0163.202] lstrcmpiW (lpString1="usertile29.bmp", lpString2="Windows") returned -1 [0163.202] lstrcmpiW (lpString1="usertile29.bmp", lpString2="Program Files") returned 1 [0163.202] lstrcmpiW (lpString1="usertile29.bmp", lpString2="Program Files (x86)") returned 1 [0163.202] lstrcmpiW (lpString1="usertile29.bmp", lpString2="$Recycle.bin") returned 1 [0163.202] lstrcmpiW (lpString1="usertile29.bmp", lpString2="System Volume Information") returned 1 [0163.202] lstrcmpiW (lpString1="usertile29.bmp", lpString2=".") returned 1 [0163.203] lstrcmpiW (lpString1="usertile29.bmp", lpString2="..") returned 1 [0163.203] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp") returned 86 [0163.203] lstrcmpW (lpString1="usertile29.bmp", lpString2="PUSSY.TXT") returned 1 [0163.203] PathFindExtensionW (pszPath="usertile29.bmp") returned=".bmp" [0163.203] lstrlenW (lpString=".bmp") returned 4 [0163.203] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0163.203] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile29.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.203] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae46478a, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae46478a, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd3fc00f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile30.bmp", cAlternateFileName="")) returned 1 [0163.203] lstrcmpiW (lpString1="usertile30.bmp", lpString2="Windows") returned -1 [0163.203] lstrcmpiW (lpString1="usertile30.bmp", lpString2="Program Files") returned 1 [0163.203] lstrcmpiW (lpString1="usertile30.bmp", lpString2="Program Files (x86)") returned 1 [0163.203] lstrcmpiW (lpString1="usertile30.bmp", lpString2="$Recycle.bin") returned 1 [0163.203] lstrcmpiW (lpString1="usertile30.bmp", lpString2="System Volume Information") returned 1 [0163.203] lstrcmpiW (lpString1="usertile30.bmp", lpString2=".") returned 1 [0163.203] lstrcmpiW (lpString1="usertile30.bmp", lpString2="..") returned 1 [0163.203] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp") returned 86 [0163.203] lstrcmpW (lpString1="usertile30.bmp", lpString2="PUSSY.TXT") returned 1 [0163.203] PathFindExtensionW (pszPath="usertile30.bmp") returned=".bmp" [0163.203] lstrlenW (lpString=".bmp") returned 4 [0163.203] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0163.203] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile30.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.204] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae48a8e7, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae48a8e7, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd3fc00f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile31.bmp", cAlternateFileName="")) returned 1 [0163.204] lstrcmpiW (lpString1="usertile31.bmp", lpString2="Windows") returned -1 [0163.204] lstrcmpiW (lpString1="usertile31.bmp", lpString2="Program Files") returned 1 [0163.204] lstrcmpiW (lpString1="usertile31.bmp", lpString2="Program Files (x86)") returned 1 [0163.204] lstrcmpiW (lpString1="usertile31.bmp", lpString2="$Recycle.bin") returned 1 [0163.204] lstrcmpiW (lpString1="usertile31.bmp", lpString2="System Volume Information") returned 1 [0163.204] lstrcmpiW (lpString1="usertile31.bmp", lpString2=".") returned 1 [0163.204] lstrcmpiW (lpString1="usertile31.bmp", lpString2="..") returned 1 [0163.204] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp") returned 86 [0163.204] lstrcmpW (lpString1="usertile31.bmp", lpString2="PUSSY.TXT") returned 1 [0163.204] PathFindExtensionW (pszPath="usertile31.bmp") returned=".bmp" [0163.204] lstrlenW (lpString=".bmp") returned 4 [0163.204] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0163.204] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile31.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.204] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae48a8e7, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae48a8e7, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd42216d, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile32.bmp", cAlternateFileName="")) returned 1 [0163.204] lstrcmpiW (lpString1="usertile32.bmp", lpString2="Windows") returned -1 [0163.204] lstrcmpiW (lpString1="usertile32.bmp", lpString2="Program Files") returned 1 [0163.204] lstrcmpiW (lpString1="usertile32.bmp", lpString2="Program Files (x86)") returned 1 [0163.204] lstrcmpiW (lpString1="usertile32.bmp", lpString2="$Recycle.bin") returned 1 [0163.204] lstrcmpiW (lpString1="usertile32.bmp", lpString2="System Volume Information") returned 1 [0163.204] lstrcmpiW (lpString1="usertile32.bmp", lpString2=".") returned 1 [0163.204] lstrcmpiW (lpString1="usertile32.bmp", lpString2="..") returned 1 [0163.205] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp") returned 86 [0163.205] lstrcmpW (lpString1="usertile32.bmp", lpString2="PUSSY.TXT") returned 1 [0163.205] PathFindExtensionW (pszPath="usertile32.bmp") returned=".bmp" [0163.205] lstrlenW (lpString=".bmp") returned 4 [0163.205] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0163.205] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile32.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.205] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae4b0a44, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae4b0a44, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd4482cb, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile33.bmp", cAlternateFileName="")) returned 1 [0163.205] lstrcmpiW (lpString1="usertile33.bmp", lpString2="Windows") returned -1 [0163.205] lstrcmpiW (lpString1="usertile33.bmp", lpString2="Program Files") returned 1 [0163.205] lstrcmpiW (lpString1="usertile33.bmp", lpString2="Program Files (x86)") returned 1 [0163.205] lstrcmpiW (lpString1="usertile33.bmp", lpString2="$Recycle.bin") returned 1 [0163.205] lstrcmpiW (lpString1="usertile33.bmp", lpString2="System Volume Information") returned 1 [0163.205] lstrcmpiW (lpString1="usertile33.bmp", lpString2=".") returned 1 [0163.205] lstrcmpiW (lpString1="usertile33.bmp", lpString2="..") returned 1 [0163.205] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp") returned 86 [0163.205] lstrcmpW (lpString1="usertile33.bmp", lpString2="PUSSY.TXT") returned 1 [0163.205] PathFindExtensionW (pszPath="usertile33.bmp") returned=".bmp" [0163.205] lstrlenW (lpString=".bmp") returned 4 [0163.205] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0163.205] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile33.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.205] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae4fccfe, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae4fccfe, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd9c9561, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile34.bmp", cAlternateFileName="")) returned 1 [0163.206] lstrcmpiW (lpString1="usertile34.bmp", lpString2="Windows") returned -1 [0163.206] lstrcmpiW (lpString1="usertile34.bmp", lpString2="Program Files") returned 1 [0163.206] lstrcmpiW (lpString1="usertile34.bmp", lpString2="Program Files (x86)") returned 1 [0163.206] lstrcmpiW (lpString1="usertile34.bmp", lpString2="$Recycle.bin") returned 1 [0163.206] lstrcmpiW (lpString1="usertile34.bmp", lpString2="System Volume Information") returned 1 [0163.206] lstrcmpiW (lpString1="usertile34.bmp", lpString2=".") returned 1 [0163.206] lstrcmpiW (lpString1="usertile34.bmp", lpString2="..") returned 1 [0163.206] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp") returned 86 [0163.206] lstrcmpW (lpString1="usertile34.bmp", lpString2="PUSSY.TXT") returned 1 [0163.206] PathFindExtensionW (pszPath="usertile34.bmp") returned=".bmp" [0163.206] lstrlenW (lpString=".bmp") returned 4 [0163.206] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0163.206] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile34.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.206] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae4fccfe, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae4fccfe, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd9ef6bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile35.bmp", cAlternateFileName="")) returned 1 [0163.206] lstrcmpiW (lpString1="usertile35.bmp", lpString2="Windows") returned -1 [0163.206] lstrcmpiW (lpString1="usertile35.bmp", lpString2="Program Files") returned 1 [0163.206] lstrcmpiW (lpString1="usertile35.bmp", lpString2="Program Files (x86)") returned 1 [0163.206] lstrcmpiW (lpString1="usertile35.bmp", lpString2="$Recycle.bin") returned 1 [0163.206] lstrcmpiW (lpString1="usertile35.bmp", lpString2="System Volume Information") returned 1 [0163.206] lstrcmpiW (lpString1="usertile35.bmp", lpString2=".") returned 1 [0163.206] lstrcmpiW (lpString1="usertile35.bmp", lpString2="..") returned 1 [0163.206] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp") returned 86 [0163.206] lstrcmpW (lpString1="usertile35.bmp", lpString2="PUSSY.TXT") returned 1 [0163.207] PathFindExtensionW (pszPath="usertile35.bmp") returned=".bmp" [0163.207] lstrlenW (lpString=".bmp") returned 4 [0163.207] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0163.207] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile35.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.207] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae548fb8, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae548fb8, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd9ef6bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile36.bmp", cAlternateFileName="")) returned 1 [0163.207] lstrcmpiW (lpString1="usertile36.bmp", lpString2="Windows") returned -1 [0163.207] lstrcmpiW (lpString1="usertile36.bmp", lpString2="Program Files") returned 1 [0163.207] lstrcmpiW (lpString1="usertile36.bmp", lpString2="Program Files (x86)") returned 1 [0163.207] lstrcmpiW (lpString1="usertile36.bmp", lpString2="$Recycle.bin") returned 1 [0163.207] lstrcmpiW (lpString1="usertile36.bmp", lpString2="System Volume Information") returned 1 [0163.207] lstrcmpiW (lpString1="usertile36.bmp", lpString2=".") returned 1 [0163.207] lstrcmpiW (lpString1="usertile36.bmp", lpString2="..") returned 1 [0163.207] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp") returned 86 [0163.207] lstrcmpW (lpString1="usertile36.bmp", lpString2="PUSSY.TXT") returned 1 [0163.207] PathFindExtensionW (pszPath="usertile36.bmp") returned=".bmp" [0163.207] lstrlenW (lpString=".bmp") returned 4 [0163.207] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0163.207] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile36.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.207] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae595272, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae595272, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddb6c46b, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile37.bmp", cAlternateFileName="")) returned 1 [0163.207] lstrcmpiW (lpString1="usertile37.bmp", lpString2="Windows") returned -1 [0163.207] lstrcmpiW (lpString1="usertile37.bmp", lpString2="Program Files") returned 1 [0163.207] lstrcmpiW (lpString1="usertile37.bmp", lpString2="Program Files (x86)") returned 1 [0163.208] lstrcmpiW (lpString1="usertile37.bmp", lpString2="$Recycle.bin") returned 1 [0163.208] lstrcmpiW (lpString1="usertile37.bmp", lpString2="System Volume Information") returned 1 [0163.208] lstrcmpiW (lpString1="usertile37.bmp", lpString2=".") returned 1 [0163.208] lstrcmpiW (lpString1="usertile37.bmp", lpString2="..") returned 1 [0163.208] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp") returned 86 [0163.208] lstrcmpW (lpString1="usertile37.bmp", lpString2="PUSSY.TXT") returned 1 [0163.208] PathFindExtensionW (pszPath="usertile37.bmp") returned=".bmp" [0163.208] lstrlenW (lpString=".bmp") returned 4 [0163.208] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0163.208] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile37.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.208] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae5bb3cf, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae5bb3cf, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddb6c46b, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile38.bmp", cAlternateFileName="")) returned 1 [0163.208] lstrcmpiW (lpString1="usertile38.bmp", lpString2="Windows") returned -1 [0163.208] lstrcmpiW (lpString1="usertile38.bmp", lpString2="Program Files") returned 1 [0163.208] lstrcmpiW (lpString1="usertile38.bmp", lpString2="Program Files (x86)") returned 1 [0163.208] lstrcmpiW (lpString1="usertile38.bmp", lpString2="$Recycle.bin") returned 1 [0163.208] lstrcmpiW (lpString1="usertile38.bmp", lpString2="System Volume Information") returned 1 [0163.208] lstrcmpiW (lpString1="usertile38.bmp", lpString2=".") returned 1 [0163.208] lstrcmpiW (lpString1="usertile38.bmp", lpString2="..") returned 1 [0163.208] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp") returned 86 [0163.208] lstrcmpW (lpString1="usertile38.bmp", lpString2="PUSSY.TXT") returned 1 [0163.208] PathFindExtensionW (pszPath="usertile38.bmp") returned=".bmp" [0163.208] lstrlenW (lpString=".bmp") returned 4 [0163.208] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0163.208] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile38.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.209] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae5e152c, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae5e152c, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddc2ab41, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile39.bmp", cAlternateFileName="")) returned 1 [0163.209] lstrcmpiW (lpString1="usertile39.bmp", lpString2="Windows") returned -1 [0163.209] lstrcmpiW (lpString1="usertile39.bmp", lpString2="Program Files") returned 1 [0163.209] lstrcmpiW (lpString1="usertile39.bmp", lpString2="Program Files (x86)") returned 1 [0163.209] lstrcmpiW (lpString1="usertile39.bmp", lpString2="$Recycle.bin") returned 1 [0163.209] lstrcmpiW (lpString1="usertile39.bmp", lpString2="System Volume Information") returned 1 [0163.209] lstrcmpiW (lpString1="usertile39.bmp", lpString2=".") returned 1 [0163.209] lstrcmpiW (lpString1="usertile39.bmp", lpString2="..") returned 1 [0163.209] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp") returned 86 [0163.209] lstrcmpW (lpString1="usertile39.bmp", lpString2="PUSSY.TXT") returned 1 [0163.209] PathFindExtensionW (pszPath="usertile39.bmp") returned=".bmp" [0163.209] lstrlenW (lpString=".bmp") returned 4 [0163.209] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0163.209] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile39.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.209] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae607689, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae607689, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddc50c9f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile40.bmp", cAlternateFileName="")) returned 1 [0163.209] lstrcmpiW (lpString1="usertile40.bmp", lpString2="Windows") returned -1 [0163.209] lstrcmpiW (lpString1="usertile40.bmp", lpString2="Program Files") returned 1 [0163.209] lstrcmpiW (lpString1="usertile40.bmp", lpString2="Program Files (x86)") returned 1 [0163.209] lstrcmpiW (lpString1="usertile40.bmp", lpString2="$Recycle.bin") returned 1 [0163.209] lstrcmpiW (lpString1="usertile40.bmp", lpString2="System Volume Information") returned 1 [0163.209] lstrcmpiW (lpString1="usertile40.bmp", lpString2=".") returned 1 [0163.210] lstrcmpiW (lpString1="usertile40.bmp", lpString2="..") returned 1 [0163.210] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp") returned 86 [0163.210] lstrcmpW (lpString1="usertile40.bmp", lpString2="PUSSY.TXT") returned 1 [0163.210] PathFindExtensionW (pszPath="usertile40.bmp") returned=".bmp" [0163.210] lstrlenW (lpString=".bmp") returned 4 [0163.210] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0163.210] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile40.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.210] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae62d7e6, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae62d7e6, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddcc30b9, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile41.bmp", cAlternateFileName="")) returned 1 [0163.210] lstrcmpiW (lpString1="usertile41.bmp", lpString2="Windows") returned -1 [0163.210] lstrcmpiW (lpString1="usertile41.bmp", lpString2="Program Files") returned 1 [0163.210] lstrcmpiW (lpString1="usertile41.bmp", lpString2="Program Files (x86)") returned 1 [0163.210] lstrcmpiW (lpString1="usertile41.bmp", lpString2="$Recycle.bin") returned 1 [0163.210] lstrcmpiW (lpString1="usertile41.bmp", lpString2="System Volume Information") returned 1 [0163.210] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp") returned 86 [0163.210] lstrcmpW (lpString1="usertile41.bmp", lpString2="PUSSY.TXT") returned 1 [0163.210] PathFindExtensionW (pszPath="usertile41.bmp") returned=".bmp" [0163.211] lstrlenW (lpString=".bmp") returned 4 [0163.211] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0163.211] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile41.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.211] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae653943, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae653943, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddce9217, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile42.bmp", cAlternateFileName="")) returned 1 [0163.211] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp") returned 86 [0163.211] lstrcmpW (lpString1="usertile42.bmp", lpString2="PUSSY.TXT") returned 1 [0163.211] PathFindExtensionW (pszPath="usertile42.bmp") returned=".bmp" [0163.211] lstrlenW (lpString=".bmp") returned 4 [0163.211] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0163.211] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile42.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.211] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae653943, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae653943, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddd0f375, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile43.bmp", cAlternateFileName="")) returned 1 [0163.211] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp") returned 86 [0163.211] lstrcmpW (lpString1="usertile43.bmp", lpString2="PUSSY.TXT") returned 1 [0163.211] PathFindExtensionW (pszPath="usertile43.bmp") returned=".bmp" [0163.211] lstrlenW (lpString=".bmp") returned 4 [0163.211] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0163.211] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile43.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.212] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae679aa0, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae679aa0, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddd354d3, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile44.bmp", cAlternateFileName="")) returned 1 [0163.212] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp") returned 86 [0163.212] lstrcmpW (lpString1="usertile44.bmp", lpString2="PUSSY.TXT") returned 1 [0163.212] PathFindExtensionW (pszPath="usertile44.bmp") returned=".bmp" [0163.212] lstrlenW (lpString=".bmp") returned 4 [0163.212] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0163.212] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile44.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.212] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae679aa0, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae679aa0, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddd354d3, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="usertile44.bmp", cAlternateFileName="")) returned 0 [0163.212] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0163.212] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\PUSSY.TXT") returned 81 [0163.212] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.212] GetProcessHeap () returned 0x4c0000 [0163.212] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0163.212] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bed1018, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0xc726aee0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="guest.bmp.C4E3B02A63CE713B17C818A52BC2B4C1B405BFB734A01E7399F3DEBF823B995A", cAlternateFileName="")) returned 1 [0163.212] lstrcmpiW (lpString1="guest.bmp.C4E3B02A63CE713B17C818A52BC2B4C1B405BFB734A01E7399F3DEBF823B995A", lpString2="Windows") returned -1 [0163.212] lstrcmpiW (lpString1="guest.bmp.C4E3B02A63CE713B17C818A52BC2B4C1B405BFB734A01E7399F3DEBF823B995A", lpString2="Program Files") returned -1 [0163.212] lstrcmpiW (lpString1="guest.bmp.C4E3B02A63CE713B17C818A52BC2B4C1B405BFB734A01E7399F3DEBF823B995A", lpString2="Program Files (x86)") returned -1 [0163.212] lstrcmpiW (lpString1="guest.bmp.C4E3B02A63CE713B17C818A52BC2B4C1B405BFB734A01E7399F3DEBF823B995A", lpString2="$Recycle.bin") returned 1 [0163.212] lstrcmpiW (lpString1="guest.bmp.C4E3B02A63CE713B17C818A52BC2B4C1B405BFB734A01E7399F3DEBF823B995A", lpString2="System Volume Information") returned -1 [0163.212] lstrcmpiW (lpString1="guest.bmp.C4E3B02A63CE713B17C818A52BC2B4C1B405BFB734A01E7399F3DEBF823B995A", lpString2=".") returned 1 [0163.213] lstrcmpiW (lpString1="guest.bmp.C4E3B02A63CE713B17C818A52BC2B4C1B405BFB734A01E7399F3DEBF823B995A", lpString2="..") returned 1 [0163.213] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\guest.bmp.C4E3B02A63CE713B17C818A52BC2B4C1B405BFB734A01E7399F3DEBF823B995A") returned 129 [0163.213] lstrcmpW (lpString1="guest.bmp.C4E3B02A63CE713B17C818A52BC2B4C1B405BFB734A01E7399F3DEBF823B995A", lpString2="PUSSY.TXT") returned -1 [0163.213] PathFindExtensionW (pszPath="guest.bmp.C4E3B02A63CE713B17C818A52BC2B4C1B405BFB734A01E7399F3DEBF823B995A") returned=".C4E3B02A63CE713B17C818A52BC2B4C1B405BFB734A01E7399F3DEBF823B995A" [0163.213] lstrlenW (lpString=".C4E3B02A63CE713B17C818A52BC2B4C1B405BFB734A01E7399F3DEBF823B995A") returned 65 [0163.213] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc6fbd620, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc6fbd620, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6fbd620, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.213] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.213] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.213] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.213] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.213] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.213] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.213] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.213] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\PUSSY.TXT") returned 64 [0163.213] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.213] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bed1018, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0xc7291040, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="user.bmp.0DDD8DB049BDE0BA08D59328A05835DBB6735BA864939E531F6FF4C755294C13", cAlternateFileName="")) returned 1 [0163.213] lstrcmpiW (lpString1="user.bmp.0DDD8DB049BDE0BA08D59328A05835DBB6735BA864939E531F6FF4C755294C13", lpString2="Windows") returned -1 [0163.213] lstrcmpiW (lpString1="user.bmp.0DDD8DB049BDE0BA08D59328A05835DBB6735BA864939E531F6FF4C755294C13", lpString2="Program Files") returned 1 [0163.213] lstrcmpiW (lpString1="user.bmp.0DDD8DB049BDE0BA08D59328A05835DBB6735BA864939E531F6FF4C755294C13", lpString2="Program Files (x86)") returned 1 [0163.213] lstrcmpiW (lpString1="user.bmp.0DDD8DB049BDE0BA08D59328A05835DBB6735BA864939E531F6FF4C755294C13", lpString2="$Recycle.bin") returned 1 [0163.213] lstrcmpiW (lpString1="user.bmp.0DDD8DB049BDE0BA08D59328A05835DBB6735BA864939E531F6FF4C755294C13", lpString2="System Volume Information") returned 1 [0163.213] lstrcmpiW (lpString1="user.bmp.0DDD8DB049BDE0BA08D59328A05835DBB6735BA864939E531F6FF4C755294C13", lpString2=".") returned 1 [0163.213] lstrcmpiW (lpString1="user.bmp.0DDD8DB049BDE0BA08D59328A05835DBB6735BA864939E531F6FF4C755294C13", lpString2="..") returned 1 [0163.213] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user.bmp.0DDD8DB049BDE0BA08D59328A05835DBB6735BA864939E531F6FF4C755294C13") returned 128 [0163.213] lstrcmpW (lpString1="user.bmp.0DDD8DB049BDE0BA08D59328A05835DBB6735BA864939E531F6FF4C755294C13", lpString2="PUSSY.TXT") returned 1 [0163.213] PathFindExtensionW (pszPath="user.bmp.0DDD8DB049BDE0BA08D59328A05835DBB6735BA864939E531F6FF4C755294C13") returned=".0DDD8DB049BDE0BA08D59328A05835DBB6735BA864939E531F6FF4C755294C13" [0163.213] lstrlenW (lpString=".0DDD8DB049BDE0BA08D59328A05835DBB6735BA864939E531F6FF4C755294C13") returned 65 [0163.213] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bed1018, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0xc7291040, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="user.bmp.0DDD8DB049BDE0BA08D59328A05835DBB6735BA864939E531F6FF4C755294C13", cAlternateFileName="")) returned 0 [0163.213] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0163.213] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\PUSSY.TXT") returned 64 [0163.213] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.214] GetProcessHeap () returned 0x4c0000 [0163.214] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0163.215] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc6fbd620, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6fbd620, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Vault", cAlternateFileName="")) returned 1 [0163.215] lstrcmpiW (lpString1="Vault", lpString2="Windows") returned -1 [0163.215] lstrcmpiW (lpString1="Vault", lpString2="Program Files") returned 1 [0163.215] lstrcmpiW (lpString1="Vault", lpString2="Program Files (x86)") returned 1 [0163.215] lstrcmpiW (lpString1="Vault", lpString2="$Recycle.bin") returned 1 [0163.215] lstrcmpiW (lpString1="Vault", lpString2="System Volume Information") returned 1 [0163.215] lstrcmpiW (lpString1="Vault", lpString2=".") returned 1 [0163.215] lstrcmpiW (lpString1="Vault", lpString2="..") returned 1 [0163.215] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault") returned 38 [0163.215] GetProcessHeap () returned 0x4c0000 [0163.215] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0163.216] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault" [0163.216] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\*" [0163.216] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc6fbd620, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6fbd620, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0163.216] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.216] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.216] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.216] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.216] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.216] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.217] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xc6fbd620, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6fbd620, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0163.217] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.217] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.217] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.217] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.217] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.217] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.217] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.217] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc6fbd620, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc6fbd620, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6fbd620, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.217] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.217] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.217] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.217] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.217] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.217] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.217] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.217] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\PUSSY.TXT") returned 48 [0163.217] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.217] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc6fbd620, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc6fbd620, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6fbd620, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.217] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0163.217] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\PUSSY.TXT") returned 48 [0163.217] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\vault\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.218] GetProcessHeap () returned 0x4c0000 [0163.218] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0163.218] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x80ac5760, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc6fbd620, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6fbd620, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="VISIO", cAlternateFileName="")) returned 1 [0163.218] lstrcmpiW (lpString1="VISIO", lpString2="Windows") returned -1 [0163.218] lstrcmpiW (lpString1="VISIO", lpString2="Program Files") returned 1 [0163.218] lstrcmpiW (lpString1="VISIO", lpString2="Program Files (x86)") returned 1 [0163.218] lstrcmpiW (lpString1="VISIO", lpString2="$Recycle.bin") returned 1 [0163.218] lstrcmpiW (lpString1="VISIO", lpString2="System Volume Information") returned 1 [0163.218] lstrcmpiW (lpString1="VISIO", lpString2=".") returned 1 [0163.218] lstrcmpiW (lpString1="VISIO", lpString2="..") returned 1 [0163.218] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\VISIO") returned 38 [0163.218] GetProcessHeap () returned 0x4c0000 [0163.218] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0163.218] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\VISIO" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\VISIO") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\VISIO" [0163.218] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\VISIO", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\VISIO\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\VISIO\\*" [0163.218] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\VISIO\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x80ac5760, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc6fbd620, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6fbd620, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0163.218] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.218] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.218] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.218] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.218] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.219] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.219] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x80ac5760, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc6fbd620, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6fbd620, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0163.219] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.219] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.219] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.219] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.219] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.219] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.219] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.219] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc6fbd620, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc6fbd620, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6fbd620, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.219] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.219] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.219] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.219] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.219] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.219] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.219] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.219] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\VISIO\\PUSSY.TXT") returned 48 [0163.219] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.219] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc6fbd620, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc6fbd620, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6fbd620, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.219] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0163.219] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\VISIO\\PUSSY.TXT") returned 48 [0163.219] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\VISIO\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\visio\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.220] GetProcessHeap () returned 0x4c0000 [0163.220] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0163.220] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x60ae73a0, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0x60ae73a0, ftLastWriteTime.dwHighDateTime=0x1d2de2a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Windows", cAlternateFileName="")) returned 1 [0163.220] lstrcmpiW (lpString1="Windows", lpString2="Windows") returned 0 [0163.220] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc72b71a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc72b71a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Windows Defender", cAlternateFileName="WINDOW~1")) returned 1 [0163.220] lstrcmpiW (lpString1="Windows Defender", lpString2="Windows") returned 1 [0163.220] lstrcmpiW (lpString1="Windows Defender", lpString2="Program Files") returned 1 [0163.220] lstrcmpiW (lpString1="Windows Defender", lpString2="Program Files (x86)") returned 1 [0163.220] lstrcmpiW (lpString1="Windows Defender", lpString2="$Recycle.bin") returned 1 [0163.220] lstrcmpiW (lpString1="Windows Defender", lpString2="System Volume Information") returned 1 [0163.220] lstrcmpiW (lpString1="Windows Defender", lpString2=".") returned 1 [0163.220] lstrcmpiW (lpString1="Windows Defender", lpString2="..") returned 1 [0163.220] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender") returned 49 [0163.220] GetProcessHeap () returned 0x4c0000 [0163.220] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0163.220] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender" [0163.220] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*" [0163.220] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc72b71a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc72b71a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0163.221] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.221] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.221] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.221] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.221] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.221] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.221] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc72b71a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc72b71a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0163.221] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.221] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.221] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.221] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.221] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.221] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.221] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.221] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc71866a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc71866a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="Definition Updates", cAlternateFileName="DEFINI~1")) returned 1 [0163.221] lstrcmpiW (lpString1="Definition Updates", lpString2="Windows") returned -1 [0163.221] lstrcmpiW (lpString1="Definition Updates", lpString2="Program Files") returned -1 [0163.221] lstrcmpiW (lpString1="Definition Updates", lpString2="Program Files (x86)") returned -1 [0163.221] lstrcmpiW (lpString1="Definition Updates", lpString2="$Recycle.bin") returned 1 [0163.221] lstrcmpiW (lpString1="Definition Updates", lpString2="System Volume Information") returned -1 [0163.221] lstrcmpiW (lpString1="Definition Updates", lpString2=".") returned 1 [0163.221] lstrcmpiW (lpString1="Definition Updates", lpString2="..") returned 1 [0163.221] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates") returned 68 [0163.221] GetProcessHeap () returned 0x4c0000 [0163.221] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0163.223] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates" [0163.223] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\*" [0163.223] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc71866a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc71866a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0163.223] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.223] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.223] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.223] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.223] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.223] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.223] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc71866a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc71866a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0163.223] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.223] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.223] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.223] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.223] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.223] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.223] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.223] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc6fe3780, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6fe3780, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0x77c5f9e2, cFileName="Backup", cAlternateFileName="")) returned 1 [0163.223] lstrcmpiW (lpString1="Backup", lpString2="Windows") returned -1 [0163.223] lstrcmpiW (lpString1="Backup", lpString2="Program Files") returned -1 [0163.223] lstrcmpiW (lpString1="Backup", lpString2="Program Files (x86)") returned -1 [0163.224] lstrcmpiW (lpString1="Backup", lpString2="$Recycle.bin") returned 1 [0163.224] lstrcmpiW (lpString1="Backup", lpString2="System Volume Information") returned -1 [0163.224] lstrcmpiW (lpString1="Backup", lpString2=".") returned 1 [0163.224] lstrcmpiW (lpString1="Backup", lpString2="..") returned 1 [0163.224] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup") returned 75 [0163.224] GetProcessHeap () returned 0x4c0000 [0163.224] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0163.224] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup" [0163.224] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\*" [0163.224] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc6fe3780, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6fe3780, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0163.225] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.225] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.225] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.225] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.225] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.225] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.225] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc6fe3780, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6fe3780, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0163.225] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.225] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.225] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.225] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.225] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.225] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.225] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.225] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc6fe3780, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc6fe3780, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6fe3780, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.225] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.225] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.225] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.225] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.225] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.225] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.225] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.225] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\PUSSY.TXT") returned 85 [0163.225] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.225] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc6fe3780, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc6fe3780, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6fe3780, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.226] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0163.226] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\PUSSY.TXT") returned 85 [0163.226] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\backup\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.226] GetProcessHeap () returned 0x4c0000 [0163.226] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0163.226] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc71866a0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc71866a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc71866a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4dbf68, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.226] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.226] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.226] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.226] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.226] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.226] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.226] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.226] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\PUSSY.TXT") returned 78 [0163.226] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.226] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc6fe3780, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6fe3780, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0x77c5f9e2, cFileName="Updates", cAlternateFileName="")) returned 1 [0163.226] lstrcmpiW (lpString1="Updates", lpString2="Windows") returned -1 [0163.226] lstrcmpiW (lpString1="Updates", lpString2="Program Files") returned 1 [0163.226] lstrcmpiW (lpString1="Updates", lpString2="Program Files (x86)") returned 1 [0163.226] lstrcmpiW (lpString1="Updates", lpString2="$Recycle.bin") returned 1 [0163.226] lstrcmpiW (lpString1="Updates", lpString2="System Volume Information") returned 1 [0163.226] lstrcmpiW (lpString1="Updates", lpString2=".") returned 1 [0163.226] lstrcmpiW (lpString1="Updates", lpString2="..") returned 1 [0163.227] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates") returned 76 [0163.227] GetProcessHeap () returned 0x4c0000 [0163.227] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0163.227] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates" [0163.227] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\*" [0163.227] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc6fe3780, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6fe3780, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0163.227] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.227] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.227] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.227] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.227] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.227] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.227] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc6fe3780, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6fe3780, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0163.227] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.227] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.227] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.227] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.227] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.227] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.227] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.227] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc6fe3780, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc6fe3780, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6fe3780, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.227] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.228] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.228] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.228] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.228] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.228] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.228] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.228] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\PUSSY.TXT") returned 86 [0163.228] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.228] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc6fe3780, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc6fe3780, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc6fe3780, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.228] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0163.228] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\PUSSY.TXT") returned 86 [0163.228] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\updates\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.228] GetProcessHeap () returned 0x4c0000 [0163.228] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0163.228] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1fb3099, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0xc73e7ca0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc73e7ca0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0x77c5f9e2, cFileName="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", cAlternateFileName="{D2B0B~1")) returned 1 [0163.228] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="Windows") returned -1 [0163.228] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="Program Files") returned -1 [0163.228] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="Program Files (x86)") returned -1 [0163.228] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="$Recycle.bin") returned 1 [0163.228] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="System Volume Information") returned -1 [0163.228] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2=".") returned 1 [0163.229] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="..") returned 1 [0163.229] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}") returned 107 [0163.229] GetProcessHeap () returned 0x4c0000 [0163.229] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0163.229] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}" [0163.229] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\*" [0163.229] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1fb3099, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0xc73e7ca0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc73e7ca0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0163.229] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.229] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.229] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.229] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.229] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.229] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.229] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1fb3099, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0xc73e7ca0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc73e7ca0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0163.229] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.229] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.229] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.229] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.229] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.229] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.229] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.229] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1fd91f9, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x1fd91f9, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0xc72b71a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0xb17190, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="mpasbase.vdm.436BADEA47FAD445E69E01BD0CD79685291C1EFFE14EEBBC69E288DB1CEE3C29", cAlternateFileName="")) returned 1 [0163.230] lstrcmpiW (lpString1="mpasbase.vdm.436BADEA47FAD445E69E01BD0CD79685291C1EFFE14EEBBC69E288DB1CEE3C29", lpString2="Windows") returned -1 [0163.230] lstrcmpiW (lpString1="mpasbase.vdm.436BADEA47FAD445E69E01BD0CD79685291C1EFFE14EEBBC69E288DB1CEE3C29", lpString2="Program Files") returned -1 [0163.230] lstrcmpiW (lpString1="mpasbase.vdm.436BADEA47FAD445E69E01BD0CD79685291C1EFFE14EEBBC69E288DB1CEE3C29", lpString2="Program Files (x86)") returned -1 [0163.230] lstrcmpiW (lpString1="mpasbase.vdm.436BADEA47FAD445E69E01BD0CD79685291C1EFFE14EEBBC69E288DB1CEE3C29", lpString2="$Recycle.bin") returned 1 [0163.230] lstrcmpiW (lpString1="mpasbase.vdm.436BADEA47FAD445E69E01BD0CD79685291C1EFFE14EEBBC69E288DB1CEE3C29", lpString2="System Volume Information") returned -1 [0163.230] lstrcmpiW (lpString1="mpasbase.vdm.436BADEA47FAD445E69E01BD0CD79685291C1EFFE14EEBBC69E288DB1CEE3C29", lpString2=".") returned 1 [0163.230] lstrcmpiW (lpString1="mpasbase.vdm.436BADEA47FAD445E69E01BD0CD79685291C1EFFE14EEBBC69E288DB1CEE3C29", lpString2="..") returned 1 [0163.230] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm.436BADEA47FAD445E69E01BD0CD79685291C1EFFE14EEBBC69E288DB1CEE3C29") returned 185 [0163.230] lstrcmpW (lpString1="mpasbase.vdm.436BADEA47FAD445E69E01BD0CD79685291C1EFFE14EEBBC69E288DB1CEE3C29", lpString2="PUSSY.TXT") returned -1 [0163.230] PathFindExtensionW (pszPath="mpasbase.vdm.436BADEA47FAD445E69E01BD0CD79685291C1EFFE14EEBBC69E288DB1CEE3C29") returned=".436BADEA47FAD445E69E01BD0CD79685291C1EFFE14EEBBC69E288DB1CEE3C29" [0163.230] lstrlenW (lpString=".436BADEA47FAD445E69E01BD0CD79685291C1EFFE14EEBBC69E288DB1CEE3C29") returned 65 [0163.230] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1fff35a, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x1fff35a, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0xc72b71a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x52d90, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="mpasdlta.vdm.CA4B70616CC0EA5353E93436D9DCBAD0BB4DC77D5BF62354D86E54A5C3A8185C", cAlternateFileName="")) returned 1 [0163.230] lstrcmpiW (lpString1="mpasdlta.vdm.CA4B70616CC0EA5353E93436D9DCBAD0BB4DC77D5BF62354D86E54A5C3A8185C", lpString2="Windows") returned -1 [0163.230] lstrcmpiW (lpString1="mpasdlta.vdm.CA4B70616CC0EA5353E93436D9DCBAD0BB4DC77D5BF62354D86E54A5C3A8185C", lpString2="Program Files") returned -1 [0163.230] lstrcmpiW (lpString1="mpasdlta.vdm.CA4B70616CC0EA5353E93436D9DCBAD0BB4DC77D5BF62354D86E54A5C3A8185C", lpString2="Program Files (x86)") returned -1 [0163.230] lstrcmpiW (lpString1="mpasdlta.vdm.CA4B70616CC0EA5353E93436D9DCBAD0BB4DC77D5BF62354D86E54A5C3A8185C", lpString2="$Recycle.bin") returned 1 [0163.230] lstrcmpiW (lpString1="mpasdlta.vdm.CA4B70616CC0EA5353E93436D9DCBAD0BB4DC77D5BF62354D86E54A5C3A8185C", lpString2="System Volume Information") returned -1 [0163.230] lstrcmpiW (lpString1="mpasdlta.vdm.CA4B70616CC0EA5353E93436D9DCBAD0BB4DC77D5BF62354D86E54A5C3A8185C", lpString2=".") returned 1 [0163.230] lstrcmpiW (lpString1="mpasdlta.vdm.CA4B70616CC0EA5353E93436D9DCBAD0BB4DC77D5BF62354D86E54A5C3A8185C", lpString2="..") returned 1 [0163.230] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm.CA4B70616CC0EA5353E93436D9DCBAD0BB4DC77D5BF62354D86E54A5C3A8185C") returned 185 [0163.230] lstrcmpW (lpString1="mpasdlta.vdm.CA4B70616CC0EA5353E93436D9DCBAD0BB4DC77D5BF62354D86E54A5C3A8185C", lpString2="PUSSY.TXT") returned -1 [0163.230] PathFindExtensionW (pszPath="mpasdlta.vdm.CA4B70616CC0EA5353E93436D9DCBAD0BB4DC77D5BF62354D86E54A5C3A8185C") returned=".CA4B70616CC0EA5353E93436D9DCBAD0BB4DC77D5BF62354D86E54A5C3A8185C" [0163.230] lstrlenW (lpString=".CA4B70616CC0EA5353E93436D9DCBAD0BB4DC77D5BF62354D86E54A5C3A8185C") returned 65 [0163.230] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1fb3099, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x1fb3099, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x93b6800, ftLastWriteTime.dwHighDateTime=0x1cb85c9, nFileSizeHigh=0x0, nFileSizeLow=0x7d1d50, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="mpengine.dll", cAlternateFileName="")) returned 1 [0163.230] lstrcmpiW (lpString1="mpengine.dll", lpString2="Windows") returned -1 [0163.230] lstrcmpiW (lpString1="mpengine.dll", lpString2="Program Files") returned -1 [0163.230] lstrcmpiW (lpString1="mpengine.dll", lpString2="Program Files (x86)") returned -1 [0163.231] lstrcmpiW (lpString1="mpengine.dll", lpString2="$Recycle.bin") returned 1 [0163.231] lstrcmpiW (lpString1="mpengine.dll", lpString2="System Volume Information") returned -1 [0163.231] lstrcmpiW (lpString1="mpengine.dll", lpString2=".") returned 1 [0163.231] lstrcmpiW (lpString1="mpengine.dll", lpString2="..") returned 1 [0163.231] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpengine.dll") returned 120 [0163.231] lstrcmpW (lpString1="mpengine.dll", lpString2="PUSSY.TXT") returned -1 [0163.231] PathFindExtensionW (pszPath="mpengine.dll") returned=".dll" [0163.231] lstrlenW (lpString=".dll") returned 4 [0163.231] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0163.231] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpengine.dll" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpengine.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.232] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc7160540, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc7160540, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc71866a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.232] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.232] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.232] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.232] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.232] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.232] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.232] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.232] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\PUSSY.TXT") returned 117 [0163.232] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.232] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc7160540, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc7160540, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc71866a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.232] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0163.232] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\PUSSY.TXT") returned 117 [0163.232] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.233] GetProcessHeap () returned 0x4c0000 [0163.233] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0163.233] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1fb3099, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0xc73e7ca0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc73e7ca0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0x77c5f9e2, cFileName="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", cAlternateFileName="{D2B0B~1")) returned 0 [0163.233] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0163.233] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\PUSSY.TXT") returned 78 [0163.233] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.233] GetProcessHeap () returned 0x4c0000 [0163.233] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0163.233] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xb9b4aaa0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xb9b4aaa0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xb9b4aaa0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="IMpService925A3ACA-C353-458A-AC8D-A7E5EB378092.lock", cAlternateFileName="IMPSER~1.LOC")) returned 1 [0163.233] lstrcmpiW (lpString1="IMpService925A3ACA-C353-458A-AC8D-A7E5EB378092.lock", lpString2="Windows") returned -1 [0163.233] lstrcmpiW (lpString1="IMpService925A3ACA-C353-458A-AC8D-A7E5EB378092.lock", lpString2="Program Files") returned -1 [0163.233] lstrcmpiW (lpString1="IMpService925A3ACA-C353-458A-AC8D-A7E5EB378092.lock", lpString2="Program Files (x86)") returned -1 [0163.233] lstrcmpiW (lpString1="IMpService925A3ACA-C353-458A-AC8D-A7E5EB378092.lock", lpString2="$Recycle.bin") returned 1 [0163.233] lstrcmpiW (lpString1="IMpService925A3ACA-C353-458A-AC8D-A7E5EB378092.lock", lpString2="System Volume Information") returned -1 [0163.233] lstrcmpiW (lpString1="IMpService925A3ACA-C353-458A-AC8D-A7E5EB378092.lock", lpString2=".") returned 1 [0163.233] lstrcmpiW (lpString1="IMpService925A3ACA-C353-458A-AC8D-A7E5EB378092.lock", lpString2="..") returned 1 [0163.233] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\IMpService925A3ACA-C353-458A-AC8D-A7E5EB378092.lock") returned 101 [0163.233] lstrcmpW (lpString1="IMpService925A3ACA-C353-458A-AC8D-A7E5EB378092.lock", lpString2="PUSSY.TXT") returned -1 [0163.233] PathFindExtensionW (pszPath="IMpService925A3ACA-C353-458A-AC8D-A7E5EB378092.lock") returned=".lock" [0163.234] lstrlenW (lpString=".lock") returned 5 [0163.234] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0163.234] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\IMpService925A3ACA-C353-458A-AC8D-A7E5EB378092.lock" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\impservice925a3aca-c353-458a-ac8d-a7e5eb378092.lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.234] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc71866a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc71866a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="LocalCopy", cAlternateFileName="LOCALC~1")) returned 1 [0163.234] lstrcmpiW (lpString1="LocalCopy", lpString2="Windows") returned -1 [0163.234] lstrcmpiW (lpString1="LocalCopy", lpString2="Program Files") returned -1 [0163.234] lstrcmpiW (lpString1="LocalCopy", lpString2="Program Files (x86)") returned -1 [0163.234] lstrcmpiW (lpString1="LocalCopy", lpString2="$Recycle.bin") returned 1 [0163.234] lstrcmpiW (lpString1="LocalCopy", lpString2="System Volume Information") returned -1 [0163.234] lstrcmpiW (lpString1="LocalCopy", lpString2=".") returned 1 [0163.234] lstrcmpiW (lpString1="LocalCopy", lpString2="..") returned 1 [0163.234] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy") returned 59 [0163.234] GetProcessHeap () returned 0x4c0000 [0163.234] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0163.234] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy" [0163.234] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\*" [0163.234] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc71866a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc71866a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0163.235] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.235] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.235] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.235] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.235] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.235] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.235] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc71866a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc71866a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0163.235] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.235] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.235] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.235] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.235] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.235] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.235] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.235] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc71866a0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc71866a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc71866a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.235] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.235] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.235] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.235] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.235] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.235] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.235] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.235] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\PUSSY.TXT") returned 69 [0163.235] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.235] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc71866a0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc71866a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc71866a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.235] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0163.236] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\PUSSY.TXT") returned 69 [0163.236] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\localcopy\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.236] GetProcessHeap () returned 0x4c0000 [0163.236] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0163.236] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc72b71a0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc72b71a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc72b71a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.236] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.236] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.236] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.236] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.236] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.236] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.236] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.236] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\PUSSY.TXT") returned 59 [0163.236] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.236] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc71866a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc71866a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="Quarantine", cAlternateFileName="QUARAN~1")) returned 1 [0163.236] lstrcmpiW (lpString1="Quarantine", lpString2="Windows") returned -1 [0163.236] lstrcmpiW (lpString1="Quarantine", lpString2="Program Files") returned 1 [0163.237] lstrcmpiW (lpString1="Quarantine", lpString2="Program Files (x86)") returned 1 [0163.237] lstrcmpiW (lpString1="Quarantine", lpString2="$Recycle.bin") returned 1 [0163.237] lstrcmpiW (lpString1="Quarantine", lpString2="System Volume Information") returned -1 [0163.237] lstrcmpiW (lpString1="Quarantine", lpString2=".") returned 1 [0163.237] lstrcmpiW (lpString1="Quarantine", lpString2="..") returned 1 [0163.237] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine") returned 60 [0163.237] GetProcessHeap () returned 0x4c0000 [0163.237] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0163.237] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine" [0163.237] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\*" [0163.237] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc71866a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc71866a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0163.237] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.237] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.237] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.237] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.237] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.237] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.237] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc71866a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc71866a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0163.237] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.237] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.237] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.237] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.238] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.238] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.238] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.238] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc71866a0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc71866a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc71866a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.238] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.238] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.238] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.238] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.238] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.238] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.238] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.238] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\PUSSY.TXT") returned 70 [0163.238] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.238] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc71866a0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc71866a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc71866a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.238] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0163.238] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\PUSSY.TXT") returned 70 [0163.238] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\quarantine\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.238] GetProcessHeap () returned 0x4c0000 [0163.238] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0163.238] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc726aee0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc726aee0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="Scans", cAlternateFileName="")) returned 1 [0163.238] lstrcmpiW (lpString1="Scans", lpString2="Windows") returned -1 [0163.238] lstrcmpiW (lpString1="Scans", lpString2="Program Files") returned 1 [0163.238] lstrcmpiW (lpString1="Scans", lpString2="Program Files (x86)") returned 1 [0163.238] lstrcmpiW (lpString1="Scans", lpString2="$Recycle.bin") returned 1 [0163.239] lstrcmpiW (lpString1="Scans", lpString2="System Volume Information") returned -1 [0163.239] lstrcmpiW (lpString1="Scans", lpString2=".") returned 1 [0163.239] lstrcmpiW (lpString1="Scans", lpString2="..") returned 1 [0163.239] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans") returned 55 [0163.239] GetProcessHeap () returned 0x4c0000 [0163.239] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0163.239] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans" [0163.239] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\*" [0163.239] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc726aee0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc726aee0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0163.239] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.239] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.239] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.239] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.239] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.239] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.239] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc726aee0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc726aee0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0163.239] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.239] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.239] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.239] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.239] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.239] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.239] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.240] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7690f9e4, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0xc726aee0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc726aee0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="History", cAlternateFileName="")) returned 1 [0163.240] lstrcmpiW (lpString1="History", lpString2="Windows") returned -1 [0163.240] lstrcmpiW (lpString1="History", lpString2="Program Files") returned -1 [0163.240] lstrcmpiW (lpString1="History", lpString2="Program Files (x86)") returned -1 [0163.240] lstrcmpiW (lpString1="History", lpString2="$Recycle.bin") returned 1 [0163.240] lstrcmpiW (lpString1="History", lpString2="System Volume Information") returned -1 [0163.240] lstrcmpiW (lpString1="History", lpString2=".") returned 1 [0163.240] lstrcmpiW (lpString1="History", lpString2="..") returned 1 [0163.240] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History") returned 63 [0163.240] GetProcessHeap () returned 0x4c0000 [0163.240] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0163.240] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History" [0163.240] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\*" [0163.240] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7690f9e4, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0xc726aee0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc726aee0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0163.240] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.240] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.240] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.240] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.240] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.240] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.240] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7690f9e4, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0xc726aee0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc726aee0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0163.240] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.240] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.241] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.241] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.241] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.241] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.241] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.241] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x76b24d28, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0xc71ac800, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc71ac800, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="CacheManager", cAlternateFileName="CACHEM~1")) returned 1 [0163.241] lstrcmpiW (lpString1="CacheManager", lpString2="Windows") returned -1 [0163.241] lstrcmpiW (lpString1="CacheManager", lpString2="Program Files") returned -1 [0163.241] lstrcmpiW (lpString1="CacheManager", lpString2="Program Files (x86)") returned -1 [0163.241] lstrcmpiW (lpString1="CacheManager", lpString2="$Recycle.bin") returned 1 [0163.241] lstrcmpiW (lpString1="CacheManager", lpString2="System Volume Information") returned -1 [0163.241] lstrcmpiW (lpString1="CacheManager", lpString2=".") returned 1 [0163.241] lstrcmpiW (lpString1="CacheManager", lpString2="..") returned 1 [0163.241] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager") returned 76 [0163.241] GetProcessHeap () returned 0x4c0000 [0163.241] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0163.242] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager" [0163.242] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*" [0163.242] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x76b24d28, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0xc71ac800, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc71ac800, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0163.242] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.242] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.242] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.243] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.243] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.243] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.243] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x76b24d28, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0xc71ac800, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc71ac800, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0163.243] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.243] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.243] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.243] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.243] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.243] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.243] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.243] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcfc0a7e0, ftCreationTime.dwHighDateTime=0x1d2faf9, ftLastAccessTime.dwLowDateTime=0xcfc0a7e0, ftLastAccessTime.dwHighDateTime=0x1d2faf9, ftLastWriteTime.dwLowDateTime=0xcfc30940, ftLastWriteTime.dwHighDateTime=0x1d2faf9, nFileSizeHigh=0x0, nFileSizeLow=0x33b60, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="MpSfc.bin", cAlternateFileName="")) returned 1 [0163.243] lstrcmpiW (lpString1="MpSfc.bin", lpString2="Windows") returned -1 [0163.243] lstrcmpiW (lpString1="MpSfc.bin", lpString2="Program Files") returned -1 [0163.243] lstrcmpiW (lpString1="MpSfc.bin", lpString2="Program Files (x86)") returned -1 [0163.243] lstrcmpiW (lpString1="MpSfc.bin", lpString2="$Recycle.bin") returned 1 [0163.243] lstrcmpiW (lpString1="MpSfc.bin", lpString2="System Volume Information") returned -1 [0163.243] lstrcmpiW (lpString1="MpSfc.bin", lpString2=".") returned 1 [0163.244] lstrcmpiW (lpString1="MpSfc.bin", lpString2="..") returned 1 [0163.244] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin") returned 86 [0163.244] lstrcmpW (lpString1="MpSfc.bin", lpString2="PUSSY.TXT") returned -1 [0163.244] PathFindExtensionW (pszPath="MpSfc.bin") returned=".bin" [0163.244] lstrlenW (lpString=".bin") returned 4 [0163.244] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0163.244] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\cachemanager\\mpsfc.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.244] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc71ac800, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc71ac800, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc71ac800, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.244] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.244] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.244] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.244] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.244] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.244] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.244] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.244] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\PUSSY.TXT") returned 86 [0163.244] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.244] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc71ac800, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc71ac800, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc71ac800, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.244] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0163.245] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\PUSSY.TXT") returned 86 [0163.245] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\cachemanager\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.245] GetProcessHeap () returned 0x4c0000 [0163.245] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0163.245] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc726aee0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc726aee0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc726aee0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.245] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.245] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.245] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.245] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.245] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.245] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.245] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.245] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\PUSSY.TXT") returned 73 [0163.245] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.245] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0xc71f8ac0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc71f8ac0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="Results", cAlternateFileName="")) returned 1 [0163.245] lstrcmpiW (lpString1="Results", lpString2="Windows") returned -1 [0163.245] lstrcmpiW (lpString1="Results", lpString2="Program Files") returned 1 [0163.245] lstrcmpiW (lpString1="Results", lpString2="Program Files (x86)") returned 1 [0163.245] lstrcmpiW (lpString1="Results", lpString2="$Recycle.bin") returned 1 [0163.245] lstrcmpiW (lpString1="Results", lpString2="System Volume Information") returned -1 [0163.245] lstrcmpiW (lpString1="Results", lpString2=".") returned 1 [0163.245] lstrcmpiW (lpString1="Results", lpString2="..") returned 1 [0163.245] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results") returned 71 [0163.245] GetProcessHeap () returned 0x4c0000 [0163.246] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0163.246] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results" [0163.246] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\*" [0163.246] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0xc71f8ac0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc71f8ac0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0163.246] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.246] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.246] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.246] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.246] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.246] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.246] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0xc71f8ac0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc71f8ac0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0163.246] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.246] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.246] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.246] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.246] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.246] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.246] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.246] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc71f8ac0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc71f8ac0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc71f8ac0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.246] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.246] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.247] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.247] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.247] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.247] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.247] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.247] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\PUSSY.TXT") returned 81 [0163.247] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.247] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa13d69d0, ftCreationTime.dwHighDateTime=0x1d2dda3, ftLastAccessTime.dwLowDateTime=0xc721ec20, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc721ec20, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="Resource", cAlternateFileName="")) returned 1 [0163.247] lstrcmpiW (lpString1="Resource", lpString2="Windows") returned -1 [0163.247] lstrcmpiW (lpString1="Resource", lpString2="Program Files") returned 1 [0163.247] lstrcmpiW (lpString1="Resource", lpString2="Program Files (x86)") returned 1 [0163.247] lstrcmpiW (lpString1="Resource", lpString2="$Recycle.bin") returned 1 [0163.247] lstrcmpiW (lpString1="Resource", lpString2="System Volume Information") returned -1 [0163.247] lstrcmpiW (lpString1="Resource", lpString2=".") returned 1 [0163.247] lstrcmpiW (lpString1="Resource", lpString2="..") returned 1 [0163.247] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource") returned 80 [0163.247] GetProcessHeap () returned 0x4c0000 [0163.247] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bd80e8 [0163.248] lstrcpyW (in: lpString1=0x3bd80e8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource" [0163.248] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\*" [0163.248] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa13d69d0, ftCreationTime.dwHighDateTime=0x1d2dda3, ftLastAccessTime.dwLowDateTime=0xc721ec20, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc721ec20, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb71a0 [0163.248] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.248] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.248] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.248] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.248] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.248] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.248] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa13d69d0, ftCreationTime.dwHighDateTime=0x1d2dda3, ftLastAccessTime.dwLowDateTime=0xc721ec20, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc721ec20, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0163.248] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.248] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.248] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.248] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.248] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.248] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.248] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.248] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc71f8ac0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc71f8ac0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc71f8ac0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.248] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.249] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.249] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.249] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.249] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.249] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.249] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.249] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\PUSSY.TXT") returned 90 [0163.249] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.249] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80be8ad0, ftCreationTime.dwHighDateTime=0x1d33740, ftLastAccessTime.dwLowDateTime=0x80be8ad0, ftLastAccessTime.dwHighDateTime=0x1d33740, ftLastWriteTime.dwLowDateTime=0xc721ec20, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x1a60, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}.C75DA4B11ADC76525EE682328FEC058E1D8C54D77E6B02D6D7E7774A099C3047", cAlternateFileName="{1D1DB~1.C75")) returned 1 [0163.249] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}.C75DA4B11ADC76525EE682328FEC058E1D8C54D77E6B02D6D7E7774A099C3047", lpString2="Windows") returned -1 [0163.249] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}.C75DA4B11ADC76525EE682328FEC058E1D8C54D77E6B02D6D7E7774A099C3047", lpString2="Program Files") returned -1 [0163.249] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}.C75DA4B11ADC76525EE682328FEC058E1D8C54D77E6B02D6D7E7774A099C3047", lpString2="Program Files (x86)") returned -1 [0163.249] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}.C75DA4B11ADC76525EE682328FEC058E1D8C54D77E6B02D6D7E7774A099C3047", lpString2="$Recycle.bin") returned 1 [0163.249] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}.C75DA4B11ADC76525EE682328FEC058E1D8C54D77E6B02D6D7E7774A099C3047", lpString2="System Volume Information") returned -1 [0163.249] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}.C75DA4B11ADC76525EE682328FEC058E1D8C54D77E6B02D6D7E7774A099C3047", lpString2=".") returned 1 [0163.249] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}.C75DA4B11ADC76525EE682328FEC058E1D8C54D77E6B02D6D7E7774A099C3047", lpString2="..") returned 1 [0163.249] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}.C75DA4B11ADC76525EE682328FEC058E1D8C54D77E6B02D6D7E7774A099C3047") returned 184 [0163.249] lstrcmpW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}.C75DA4B11ADC76525EE682328FEC058E1D8C54D77E6B02D6D7E7774A099C3047", lpString2="PUSSY.TXT") returned -1 [0163.249] PathFindExtensionW (pszPath="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}.C75DA4B11ADC76525EE682328FEC058E1D8C54D77E6B02D6D7E7774A099C3047") returned=".C75DA4B11ADC76525EE682328FEC058E1D8C54D77E6B02D6D7E7774A099C3047" [0163.249] lstrlenW (lpString=".C75DA4B11ADC76525EE682328FEC058E1D8C54D77E6B02D6D7E7774A099C3047") returned 65 [0163.249] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80be8ad0, ftCreationTime.dwHighDateTime=0x1d33740, ftLastAccessTime.dwLowDateTime=0x80be8ad0, ftLastAccessTime.dwHighDateTime=0x1d33740, ftLastWriteTime.dwLowDateTime=0xc721ec20, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x1a60, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}.C75DA4B11ADC76525EE682328FEC058E1D8C54D77E6B02D6D7E7774A099C3047", cAlternateFileName="{1D1DB~1.C75")) returned 0 [0163.249] FindClose (in: hFindFile=0x3bb71a0 | out: hFindFile=0x3bb71a0) returned 1 [0163.249] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\PUSSY.TXT") returned 90 [0163.249] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\results\\resource\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.250] GetProcessHeap () returned 0x4c0000 [0163.250] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bd80e8 | out: hHeap=0x4c0000) returned 1 [0163.250] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa13d69d0, ftCreationTime.dwHighDateTime=0x1d2dda3, ftLastAccessTime.dwLowDateTime=0xc721ec20, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc721ec20, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="Resource", cAlternateFileName="")) returned 0 [0163.250] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0163.250] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\PUSSY.TXT") returned 81 [0163.250] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\results\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.250] GetProcessHeap () returned 0x4c0000 [0163.250] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0163.250] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x769ce0c6, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0xc726aee0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc726aee0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="Service", cAlternateFileName="")) returned 1 [0163.250] lstrcmpiW (lpString1="Service", lpString2="Windows") returned -1 [0163.250] lstrcmpiW (lpString1="Service", lpString2="Program Files") returned 1 [0163.250] lstrcmpiW (lpString1="Service", lpString2="Program Files (x86)") returned 1 [0163.250] lstrcmpiW (lpString1="Service", lpString2="$Recycle.bin") returned 1 [0163.250] lstrcmpiW (lpString1="Service", lpString2="System Volume Information") returned -1 [0163.250] lstrcmpiW (lpString1="Service", lpString2=".") returned 1 [0163.250] lstrcmpiW (lpString1="Service", lpString2="..") returned 1 [0163.250] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service") returned 71 [0163.250] GetProcessHeap () returned 0x4c0000 [0163.250] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0163.250] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service" [0163.250] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*" [0163.250] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x769ce0c6, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0xc726aee0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc726aee0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0163.251] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.251] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.251] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.251] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.251] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.251] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.251] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x769ce0c6, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0xc726aee0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc726aee0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0163.251] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.251] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.251] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.251] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.251] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.251] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.251] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.251] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb9820270, ftCreationTime.dwHighDateTime=0x1d2faf0, ftLastAccessTime.dwLowDateTime=0xb9820270, ftLastAccessTime.dwHighDateTime=0x1d2faf0, ftLastWriteTime.dwLowDateTime=0x7de6c9b0, ftLastWriteTime.dwHighDateTime=0x1d3373d, nFileSizeHigh=0x0, nFileSizeLow=0x2, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="History.Log", cAlternateFileName="")) returned 1 [0163.251] lstrcmpiW (lpString1="History.Log", lpString2="Windows") returned -1 [0163.251] lstrcmpiW (lpString1="History.Log", lpString2="Program Files") returned -1 [0163.251] lstrcmpiW (lpString1="History.Log", lpString2="Program Files (x86)") returned -1 [0163.251] lstrcmpiW (lpString1="History.Log", lpString2="$Recycle.bin") returned 1 [0163.252] lstrcmpiW (lpString1="History.Log", lpString2="System Volume Information") returned -1 [0163.252] lstrcmpiW (lpString1="History.Log", lpString2=".") returned 1 [0163.252] lstrcmpiW (lpString1="History.Log", lpString2="..") returned 1 [0163.252] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\History.Log") returned 83 [0163.252] lstrcmpW (lpString1="History.Log", lpString2="PUSSY.TXT") returned -1 [0163.252] PathFindExtensionW (pszPath="History.Log") returned=".Log" [0163.252] lstrlenW (lpString=".Log") returned 4 [0163.252] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0163.252] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\History.Log" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\service\\history.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0163.253] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=2) returned 1 [0163.253] CloseHandle (hObject=0x1b8) returned 1 [0163.253] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc7244d80, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc7244d80, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc726aee0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.253] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.253] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.253] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.253] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.253] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.253] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.253] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.253] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\PUSSY.TXT") returned 81 [0163.253] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.253] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xadeed740, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0xadeed740, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xc7244d80, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x1a86, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="Unknown.Log.B3AB65078A216843F5DF0D5BDBC0B83C546A61FFA09F77E9908DA62504B7B40B", cAlternateFileName="UNKNOW~1.B3A")) returned 1 [0163.253] lstrcmpiW (lpString1="Unknown.Log.B3AB65078A216843F5DF0D5BDBC0B83C546A61FFA09F77E9908DA62504B7B40B", lpString2="Windows") returned -1 [0163.253] lstrcmpiW (lpString1="Unknown.Log.B3AB65078A216843F5DF0D5BDBC0B83C546A61FFA09F77E9908DA62504B7B40B", lpString2="Program Files") returned 1 [0163.253] lstrcmpiW (lpString1="Unknown.Log.B3AB65078A216843F5DF0D5BDBC0B83C546A61FFA09F77E9908DA62504B7B40B", lpString2="Program Files (x86)") returned 1 [0163.253] lstrcmpiW (lpString1="Unknown.Log.B3AB65078A216843F5DF0D5BDBC0B83C546A61FFA09F77E9908DA62504B7B40B", lpString2="$Recycle.bin") returned 1 [0163.253] lstrcmpiW (lpString1="Unknown.Log.B3AB65078A216843F5DF0D5BDBC0B83C546A61FFA09F77E9908DA62504B7B40B", lpString2="System Volume Information") returned 1 [0163.253] lstrcmpiW (lpString1="Unknown.Log.B3AB65078A216843F5DF0D5BDBC0B83C546A61FFA09F77E9908DA62504B7B40B", lpString2=".") returned 1 [0163.253] lstrcmpiW (lpString1="Unknown.Log.B3AB65078A216843F5DF0D5BDBC0B83C546A61FFA09F77E9908DA62504B7B40B", lpString2="..") returned 1 [0163.253] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Unknown.Log.B3AB65078A216843F5DF0D5BDBC0B83C546A61FFA09F77E9908DA62504B7B40B") returned 148 [0163.254] lstrcmpW (lpString1="Unknown.Log.B3AB65078A216843F5DF0D5BDBC0B83C546A61FFA09F77E9908DA62504B7B40B", lpString2="PUSSY.TXT") returned 1 [0163.254] PathFindExtensionW (pszPath="Unknown.Log.B3AB65078A216843F5DF0D5BDBC0B83C546A61FFA09F77E9908DA62504B7B40B") returned=".B3AB65078A216843F5DF0D5BDBC0B83C546A61FFA09F77E9908DA62504B7B40B" [0163.254] lstrlenW (lpString=".B3AB65078A216843F5DF0D5BDBC0B83C546A61FFA09F77E9908DA62504B7B40B") returned 65 [0163.254] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xadeed740, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0xadeed740, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xc7244d80, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x1a86, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="Unknown.Log.B3AB65078A216843F5DF0D5BDBC0B83C546A61FFA09F77E9908DA62504B7B40B", cAlternateFileName="UNKNOW~1.B3A")) returned 0 [0163.254] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0163.254] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\PUSSY.TXT") returned 81 [0163.254] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\service\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.254] GetProcessHeap () returned 0x4c0000 [0163.254] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0163.254] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0xc726aee0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc726aee0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="Store", cAlternateFileName="")) returned 1 [0163.254] lstrcmpiW (lpString1="Store", lpString2="Windows") returned -1 [0163.254] lstrcmpiW (lpString1="Store", lpString2="Program Files") returned 1 [0163.254] lstrcmpiW (lpString1="Store", lpString2="Program Files (x86)") returned 1 [0163.254] lstrcmpiW (lpString1="Store", lpString2="$Recycle.bin") returned 1 [0163.254] lstrcmpiW (lpString1="Store", lpString2="System Volume Information") returned -1 [0163.254] lstrcmpiW (lpString1="Store", lpString2=".") returned 1 [0163.254] lstrcmpiW (lpString1="Store", lpString2="..") returned 1 [0163.254] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store") returned 69 [0163.254] GetProcessHeap () returned 0x4c0000 [0163.254] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0163.254] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store" [0163.255] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\*" [0163.255] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0xc726aee0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc726aee0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0163.255] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.255] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.255] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.255] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.255] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.255] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.255] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0xc726aee0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc726aee0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0163.255] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.255] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.255] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.255] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.255] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.255] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.255] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.255] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc726aee0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc726aee0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc726aee0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.255] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.255] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.255] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.255] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.255] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.255] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.256] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.256] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\PUSSY.TXT") returned 79 [0163.256] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.256] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc726aee0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc726aee0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc726aee0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.256] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0163.256] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\PUSSY.TXT") returned 79 [0163.256] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\store\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.256] GetProcessHeap () returned 0x4c0000 [0163.256] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0163.256] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0xc726aee0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc726aee0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="Store", cAlternateFileName="")) returned 0 [0163.256] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0163.256] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\PUSSY.TXT") returned 73 [0163.256] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.256] GetProcessHeap () returned 0x4c0000 [0163.256] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0163.258] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc726aee0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc726aee0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7291040, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.258] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.258] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.258] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.258] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.258] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.259] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.259] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.259] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\PUSSY.TXT") returned 65 [0163.259] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.259] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc726aee0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc726aee0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7291040, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.259] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0163.259] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\PUSSY.TXT") returned 65 [0163.259] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.259] GetProcessHeap () returned 0x4c0000 [0163.259] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0163.259] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc7291040, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7291040, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="Support", cAlternateFileName="")) returned 1 [0163.260] lstrcmpiW (lpString1="Support", lpString2="Windows") returned -1 [0163.260] lstrcmpiW (lpString1="Support", lpString2="Program Files") returned 1 [0163.260] lstrcmpiW (lpString1="Support", lpString2="Program Files (x86)") returned 1 [0163.260] lstrcmpiW (lpString1="Support", lpString2="$Recycle.bin") returned 1 [0163.260] lstrcmpiW (lpString1="Support", lpString2="System Volume Information") returned -1 [0163.260] lstrcmpiW (lpString1="Support", lpString2=".") returned 1 [0163.260] lstrcmpiW (lpString1="Support", lpString2="..") returned 1 [0163.260] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support") returned 57 [0163.260] GetProcessHeap () returned 0x4c0000 [0163.260] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0163.260] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support" [0163.260] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\*" [0163.260] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc7291040, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7291040, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0163.260] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.260] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.260] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.260] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.260] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.260] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.260] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc7291040, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7291040, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0163.260] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.261] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.261] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.261] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.261] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.261] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.261] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.261] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x76792c22, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x76792c22, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0xbaa9d840, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x31196, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="MPLog-07132009-221054.log", cAlternateFileName="MPLOG-~1.LOG")) returned 1 [0163.261] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="Windows") returned -1 [0163.261] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="Program Files") returned -1 [0163.261] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="Program Files (x86)") returned -1 [0163.261] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="$Recycle.bin") returned 1 [0163.261] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="System Volume Information") returned -1 [0163.261] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2=".") returned 1 [0163.261] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="..") returned 1 [0163.261] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-221054.log") returned 83 [0163.261] lstrcmpW (lpString1="MPLog-07132009-221054.log", lpString2="PUSSY.TXT") returned -1 [0163.261] PathFindExtensionW (pszPath="MPLog-07132009-221054.log") returned=".log" [0163.261] lstrlenW (lpString=".log") returned 4 [0163.261] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0163.261] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-221054.log" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\support\\mplog-07132009-221054.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.262] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc7291040, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc7291040, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7291040, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.262] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.262] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.262] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.262] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.262] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.262] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.262] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.262] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\PUSSY.TXT") returned 67 [0163.262] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.262] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc7291040, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc7291040, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7291040, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.262] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0163.262] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\PUSSY.TXT") returned 67 [0163.262] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\support\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.262] GetProcessHeap () returned 0x4c0000 [0163.262] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0163.262] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc7291040, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7291040, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="Support", cAlternateFileName="")) returned 0 [0163.262] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0163.263] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\PUSSY.TXT") returned 59 [0163.263] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.263] GetProcessHeap () returned 0x4c0000 [0163.263] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0163.264] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc73295c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc73295c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Windows NT", cAlternateFileName="WINDOW~2")) returned 1 [0163.264] lstrcmpiW (lpString1="Windows NT", lpString2="Windows") returned 1 [0163.264] lstrcmpiW (lpString1="Windows NT", lpString2="Program Files") returned 1 [0163.264] lstrcmpiW (lpString1="Windows NT", lpString2="Program Files (x86)") returned 1 [0163.264] lstrcmpiW (lpString1="Windows NT", lpString2="$Recycle.bin") returned 1 [0163.264] lstrcmpiW (lpString1="Windows NT", lpString2="System Volume Information") returned 1 [0163.264] lstrcmpiW (lpString1="Windows NT", lpString2=".") returned 1 [0163.264] lstrcmpiW (lpString1="Windows NT", lpString2="..") returned 1 [0163.264] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT") returned 43 [0163.264] GetProcessHeap () returned 0x4c0000 [0163.264] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0163.265] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT" [0163.265] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\*" [0163.265] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc73295c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc73295c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0163.266] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.266] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.266] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.266] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.266] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.266] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.266] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc73295c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc73295c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0163.266] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.266] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.266] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.266] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.266] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.266] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.266] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.266] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc73295c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc73295c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="MSFax", cAlternateFileName="")) returned 1 [0163.266] lstrcmpiW (lpString1="MSFax", lpString2="Windows") returned -1 [0163.266] lstrcmpiW (lpString1="MSFax", lpString2="Program Files") returned -1 [0163.266] lstrcmpiW (lpString1="MSFax", lpString2="Program Files (x86)") returned -1 [0163.266] lstrcmpiW (lpString1="MSFax", lpString2="$Recycle.bin") returned 1 [0163.266] lstrcmpiW (lpString1="MSFax", lpString2="System Volume Information") returned -1 [0163.266] lstrcmpiW (lpString1="MSFax", lpString2=".") returned 1 [0163.266] lstrcmpiW (lpString1="MSFax", lpString2="..") returned 1 [0163.266] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax") returned 49 [0163.267] GetProcessHeap () returned 0x4c0000 [0163.267] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0163.268] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax" [0163.268] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\*" [0163.268] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc73295c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc73295c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0163.268] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.268] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.268] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.268] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.268] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.268] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.268] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc73295c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc73295c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0163.268] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.268] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.268] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.268] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.268] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.268] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.268] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.268] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc72dd300, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc72dd300, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="ActivityLog", cAlternateFileName="ACTIVI~1")) returned 1 [0163.269] lstrcmpiW (lpString1="ActivityLog", lpString2="Windows") returned -1 [0163.269] lstrcmpiW (lpString1="ActivityLog", lpString2="Program Files") returned -1 [0163.269] lstrcmpiW (lpString1="ActivityLog", lpString2="Program Files (x86)") returned -1 [0163.269] lstrcmpiW (lpString1="ActivityLog", lpString2="$Recycle.bin") returned 1 [0163.269] lstrcmpiW (lpString1="ActivityLog", lpString2="System Volume Information") returned -1 [0163.269] lstrcmpiW (lpString1="ActivityLog", lpString2=".") returned 1 [0163.269] lstrcmpiW (lpString1="ActivityLog", lpString2="..") returned 1 [0163.269] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog") returned 61 [0163.269] GetProcessHeap () returned 0x4c0000 [0163.269] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0163.269] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog" [0163.269] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\*" [0163.269] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc72dd300, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc72dd300, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0163.270] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.270] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.270] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.270] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.270] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.270] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.270] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc72dd300, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc72dd300, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0163.270] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.270] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.270] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.270] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.270] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.270] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.270] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.270] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc72dd300, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc72dd300, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc72dd300, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.270] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.270] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.270] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.270] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.270] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.270] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.270] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.270] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\PUSSY.TXT") returned 71 [0163.271] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.271] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc72dd300, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc72dd300, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc72dd300, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.271] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0163.271] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\PUSSY.TXT") returned 71 [0163.271] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\activitylog\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.271] GetProcessHeap () returned 0x4c0000 [0163.271] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0163.271] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc7303460, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7303460, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="Common Coverpages", cAlternateFileName="COMMON~1")) returned 1 [0163.271] lstrcmpiW (lpString1="Common Coverpages", lpString2="Windows") returned -1 [0163.271] lstrcmpiW (lpString1="Common Coverpages", lpString2="Program Files") returned -1 [0163.271] lstrcmpiW (lpString1="Common Coverpages", lpString2="Program Files (x86)") returned -1 [0163.271] lstrcmpiW (lpString1="Common Coverpages", lpString2="$Recycle.bin") returned 1 [0163.271] lstrcmpiW (lpString1="Common Coverpages", lpString2="System Volume Information") returned -1 [0163.271] lstrcmpiW (lpString1="Common Coverpages", lpString2=".") returned 1 [0163.271] lstrcmpiW (lpString1="Common Coverpages", lpString2="..") returned 1 [0163.271] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages") returned 67 [0163.271] GetProcessHeap () returned 0x4c0000 [0163.271] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0163.271] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages" [0163.271] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*" [0163.271] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc7303460, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7303460, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0163.272] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.272] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.272] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.272] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.272] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.272] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.272] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc7303460, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7303460, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0163.272] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.272] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.272] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.272] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.272] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.272] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.272] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.272] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xc72dd300, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc72dd300, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="en-US", cAlternateFileName="")) returned 1 [0163.272] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0163.272] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0163.272] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0163.272] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0163.272] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0163.272] lstrcmpiW (lpString1="en-US", lpString2=".") returned 1 [0163.273] lstrcmpiW (lpString1="en-US", lpString2="..") returned 1 [0163.273] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US") returned 73 [0163.273] GetProcessHeap () returned 0x4c0000 [0163.273] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0163.274] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US" [0163.274] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\*" [0163.274] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xc72dd300, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc72dd300, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0163.274] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.274] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.274] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.274] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.274] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.274] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.274] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xc72dd300, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc72dd300, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0163.275] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.275] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.275] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.275] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.275] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.275] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.275] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.275] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe3998d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfe3998d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x28aa, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="confident.cov", cAlternateFileName="")) returned 1 [0163.275] lstrcmpiW (lpString1="confident.cov", lpString2="Windows") returned -1 [0163.275] lstrcmpiW (lpString1="confident.cov", lpString2="Program Files") returned -1 [0163.275] lstrcmpiW (lpString1="confident.cov", lpString2="Program Files (x86)") returned -1 [0163.275] lstrcmpiW (lpString1="confident.cov", lpString2="$Recycle.bin") returned 1 [0163.275] lstrcmpiW (lpString1="confident.cov", lpString2="System Volume Information") returned -1 [0163.275] lstrcmpiW (lpString1="confident.cov", lpString2=".") returned 1 [0163.275] lstrcmpiW (lpString1="confident.cov", lpString2="..") returned 1 [0163.275] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\confident.cov") returned 87 [0163.275] lstrcmpW (lpString1="confident.cov", lpString2="PUSSY.TXT") returned -1 [0163.275] PathFindExtensionW (pszPath="confident.cov") returned=".cov" [0163.275] lstrlenW (lpString=".cov") returned 4 [0163.275] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0163.275] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\confident.cov" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\confident.cov"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.276] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe3998d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfe3998d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2a09, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="fyi.cov", cAlternateFileName="")) returned 1 [0163.276] lstrcmpiW (lpString1="fyi.cov", lpString2="Windows") returned -1 [0163.276] lstrcmpiW (lpString1="fyi.cov", lpString2="Program Files") returned -1 [0163.276] lstrcmpiW (lpString1="fyi.cov", lpString2="Program Files (x86)") returned -1 [0163.276] lstrcmpiW (lpString1="fyi.cov", lpString2="$Recycle.bin") returned 1 [0163.276] lstrcmpiW (lpString1="fyi.cov", lpString2="System Volume Information") returned -1 [0163.276] lstrcmpiW (lpString1="fyi.cov", lpString2=".") returned 1 [0163.276] lstrcmpiW (lpString1="fyi.cov", lpString2="..") returned 1 [0163.276] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\fyi.cov") returned 81 [0163.276] lstrcmpW (lpString1="fyi.cov", lpString2="PUSSY.TXT") returned -1 [0163.276] PathFindExtensionW (pszPath="fyi.cov") returned=".cov" [0163.276] lstrlenW (lpString=".cov") returned 4 [0163.276] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0163.276] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\fyi.cov" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\fyi.cov"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.276] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe3998d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfe3998d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x3aa0, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="generic.cov", cAlternateFileName="")) returned 1 [0163.276] lstrcmpiW (lpString1="generic.cov", lpString2="Windows") returned -1 [0163.276] lstrcmpiW (lpString1="generic.cov", lpString2="Program Files") returned -1 [0163.276] lstrcmpiW (lpString1="generic.cov", lpString2="Program Files (x86)") returned -1 [0163.276] lstrcmpiW (lpString1="generic.cov", lpString2="$Recycle.bin") returned 1 [0163.276] lstrcmpiW (lpString1="generic.cov", lpString2="System Volume Information") returned -1 [0163.276] lstrcmpiW (lpString1="generic.cov", lpString2=".") returned 1 [0163.276] lstrcmpiW (lpString1="generic.cov", lpString2="..") returned 1 [0163.277] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\generic.cov") returned 85 [0163.277] lstrcmpW (lpString1="generic.cov", lpString2="PUSSY.TXT") returned -1 [0163.277] PathFindExtensionW (pszPath="generic.cov") returned=".cov" [0163.277] lstrlenW (lpString=".cov") returned 4 [0163.277] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0163.277] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\generic.cov" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\generic.cov"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.277] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc72dd300, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc72dd300, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc72dd300, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.277] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.277] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.277] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.277] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.277] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.277] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.277] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.277] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\PUSSY.TXT") returned 83 [0163.277] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.277] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe3998d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfe3998d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2886, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="urgent.cov", cAlternateFileName="")) returned 1 [0163.277] lstrcmpiW (lpString1="urgent.cov", lpString2="Windows") returned -1 [0163.277] lstrcmpiW (lpString1="urgent.cov", lpString2="Program Files") returned 1 [0163.277] lstrcmpiW (lpString1="urgent.cov", lpString2="Program Files (x86)") returned 1 [0163.277] lstrcmpiW (lpString1="urgent.cov", lpString2="$Recycle.bin") returned 1 [0163.277] lstrcmpiW (lpString1="urgent.cov", lpString2="System Volume Information") returned 1 [0163.277] lstrcmpiW (lpString1="urgent.cov", lpString2=".") returned 1 [0163.277] lstrcmpiW (lpString1="urgent.cov", lpString2="..") returned 1 [0163.278] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\urgent.cov") returned 84 [0163.278] lstrcmpW (lpString1="urgent.cov", lpString2="PUSSY.TXT") returned 1 [0163.278] PathFindExtensionW (pszPath="urgent.cov") returned=".cov" [0163.278] lstrlenW (lpString=".cov") returned 4 [0163.278] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0163.278] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\urgent.cov" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\urgent.cov"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.278] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe3998d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfe3998d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2886, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="urgent.cov", cAlternateFileName="")) returned 0 [0163.278] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0163.278] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\PUSSY.TXT") returned 83 [0163.278] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.278] GetProcessHeap () returned 0x4c0000 [0163.278] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0163.278] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc7303460, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc7303460, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7303460, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.278] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.278] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.278] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.278] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.278] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.278] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.278] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.279] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\PUSSY.TXT") returned 77 [0163.279] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.279] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc7303460, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc7303460, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7303460, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.279] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0163.279] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\PUSSY.TXT") returned 77 [0163.279] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\common coverpages\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.279] GetProcessHeap () returned 0x4c0000 [0163.279] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0163.281] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc7303460, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7303460, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="Inbox", cAlternateFileName="")) returned 1 [0163.281] lstrcmpiW (lpString1="Inbox", lpString2="Windows") returned -1 [0163.281] lstrcmpiW (lpString1="Inbox", lpString2="Program Files") returned -1 [0163.281] lstrcmpiW (lpString1="Inbox", lpString2="Program Files (x86)") returned -1 [0163.281] lstrcmpiW (lpString1="Inbox", lpString2="$Recycle.bin") returned 1 [0163.281] lstrcmpiW (lpString1="Inbox", lpString2="System Volume Information") returned -1 [0163.281] lstrcmpiW (lpString1="Inbox", lpString2=".") returned 1 [0163.281] lstrcmpiW (lpString1="Inbox", lpString2="..") returned 1 [0163.281] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox") returned 55 [0163.281] GetProcessHeap () returned 0x4c0000 [0163.281] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0163.282] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox" [0163.282] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\*" [0163.282] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc7303460, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7303460, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0163.282] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.282] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.282] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.282] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.282] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.282] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.282] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc7303460, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7303460, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0163.282] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.282] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.282] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.282] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.282] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.283] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.283] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.283] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc7303460, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc7303460, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7303460, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.283] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.283] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.283] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.283] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.283] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.283] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.283] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.283] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\PUSSY.TXT") returned 65 [0163.283] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.283] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc7303460, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc7303460, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7303460, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.283] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0163.283] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\PUSSY.TXT") returned 65 [0163.283] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\inbox\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.283] GetProcessHeap () returned 0x4c0000 [0163.283] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0163.283] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc73295c0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc73295c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc73295c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.283] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.284] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.284] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.284] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.284] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.284] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.284] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.284] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\PUSSY.TXT") returned 59 [0163.284] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.284] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc7303460, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7303460, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="Queue", cAlternateFileName="")) returned 1 [0163.284] lstrcmpiW (lpString1="Queue", lpString2="Windows") returned -1 [0163.284] lstrcmpiW (lpString1="Queue", lpString2="Program Files") returned 1 [0163.284] lstrcmpiW (lpString1="Queue", lpString2="Program Files (x86)") returned 1 [0163.284] lstrcmpiW (lpString1="Queue", lpString2="$Recycle.bin") returned 1 [0163.284] lstrcmpiW (lpString1="Queue", lpString2="System Volume Information") returned -1 [0163.284] lstrcmpiW (lpString1="Queue", lpString2=".") returned 1 [0163.284] lstrcmpiW (lpString1="Queue", lpString2="..") returned 1 [0163.284] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue") returned 55 [0163.284] GetProcessHeap () returned 0x4c0000 [0163.284] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0163.284] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue" [0163.284] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\*" [0163.284] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc7303460, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7303460, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0163.285] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.285] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.285] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.285] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.285] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.285] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.285] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc7303460, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7303460, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0163.285] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.285] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.285] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.285] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.285] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.285] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.285] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.285] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc7303460, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc7303460, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7303460, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.285] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.285] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.285] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.285] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.285] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.285] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.285] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.285] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\PUSSY.TXT") returned 65 [0163.285] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.285] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc7303460, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc7303460, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7303460, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.285] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0163.286] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\PUSSY.TXT") returned 65 [0163.286] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\queue\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.286] GetProcessHeap () returned 0x4c0000 [0163.286] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0163.286] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc7303460, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7303460, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="SentItems", cAlternateFileName="SENTIT~1")) returned 1 [0163.286] lstrcmpiW (lpString1="SentItems", lpString2="Windows") returned -1 [0163.286] lstrcmpiW (lpString1="SentItems", lpString2="Program Files") returned 1 [0163.286] lstrcmpiW (lpString1="SentItems", lpString2="Program Files (x86)") returned 1 [0163.286] lstrcmpiW (lpString1="SentItems", lpString2="$Recycle.bin") returned 1 [0163.286] lstrcmpiW (lpString1="SentItems", lpString2="System Volume Information") returned -1 [0163.286] lstrcmpiW (lpString1="SentItems", lpString2=".") returned 1 [0163.286] lstrcmpiW (lpString1="SentItems", lpString2="..") returned 1 [0163.286] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems") returned 59 [0163.286] GetProcessHeap () returned 0x4c0000 [0163.286] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0163.286] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems" [0163.286] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\*" [0163.286] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc7303460, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7303460, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0163.286] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.287] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.287] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.287] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.287] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.287] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.287] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc7303460, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7303460, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0163.287] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.287] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.287] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.287] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.287] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.287] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.287] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.287] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc7303460, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc7303460, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7303460, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.287] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.287] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.287] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.287] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.287] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.287] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.287] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.287] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\PUSSY.TXT") returned 69 [0163.287] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.287] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc7303460, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc7303460, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7303460, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.287] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0163.288] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\PUSSY.TXT") returned 69 [0163.288] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\sentitems\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.288] GetProcessHeap () returned 0x4c0000 [0163.288] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0163.288] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xc73295c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc73295c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="VirtualInbox", cAlternateFileName="VIRTUA~1")) returned 1 [0163.288] lstrcmpiW (lpString1="VirtualInbox", lpString2="Windows") returned -1 [0163.288] lstrcmpiW (lpString1="VirtualInbox", lpString2="Program Files") returned 1 [0163.288] lstrcmpiW (lpString1="VirtualInbox", lpString2="Program Files (x86)") returned 1 [0163.288] lstrcmpiW (lpString1="VirtualInbox", lpString2="$Recycle.bin") returned 1 [0163.288] lstrcmpiW (lpString1="VirtualInbox", lpString2="System Volume Information") returned 1 [0163.288] lstrcmpiW (lpString1="VirtualInbox", lpString2=".") returned 1 [0163.288] lstrcmpiW (lpString1="VirtualInbox", lpString2="..") returned 1 [0163.288] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox") returned 62 [0163.288] GetProcessHeap () returned 0x4c0000 [0163.288] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0163.288] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox" [0163.288] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\*" [0163.288] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xc73295c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc73295c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0163.288] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.288] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.288] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.289] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.289] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.289] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.289] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xc73295c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc73295c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0163.289] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.289] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.289] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.289] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.289] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.289] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.289] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.289] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xc73295c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc73295c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="en-US", cAlternateFileName="")) returned 1 [0163.289] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0163.289] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0163.289] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0163.289] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0163.289] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0163.289] lstrcmpiW (lpString1="en-US", lpString2=".") returned 1 [0163.289] lstrcmpiW (lpString1="en-US", lpString2="..") returned 1 [0163.289] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US") returned 68 [0163.289] GetProcessHeap () returned 0x4c0000 [0163.289] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0163.290] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US" [0163.290] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\*" [0163.290] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xc73295c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc73295c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0163.291] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.291] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.291] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.291] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.291] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.291] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.291] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xc73295c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc73295c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0163.291] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.291] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.291] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.291] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.291] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.291] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.292] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.292] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc73295c0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc73295c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc73295c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.292] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.292] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.292] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.292] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.292] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.292] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.292] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.292] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\PUSSY.TXT") returned 78 [0163.292] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.292] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe3998d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfe3998d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x15dbe, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="WelcomeFax.tif", cAlternateFileName="")) returned 1 [0163.292] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="Windows") returned -1 [0163.292] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="Program Files") returned 1 [0163.292] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="Program Files (x86)") returned 1 [0163.292] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="$Recycle.bin") returned 1 [0163.292] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="System Volume Information") returned 1 [0163.292] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2=".") returned 1 [0163.292] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="..") returned 1 [0163.292] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\WelcomeFax.tif") returned 83 [0163.292] lstrcmpW (lpString1="WelcomeFax.tif", lpString2="PUSSY.TXT") returned 1 [0163.292] PathFindExtensionW (pszPath="WelcomeFax.tif") returned=".tif" [0163.292] lstrlenW (lpString=".tif") returned 4 [0163.292] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0163.292] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\WelcomeFax.tif" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\virtualinbox\\en-us\\welcomefax.tif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.293] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe3998d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfe3998d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x15dbe, dwReserved0=0x4e29d8, dwReserved1=0xc0100080, cFileName="WelcomeFax.tif", cAlternateFileName="")) returned 0 [0163.293] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0163.293] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\PUSSY.TXT") returned 78 [0163.293] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\virtualinbox\\en-us\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.293] GetProcessHeap () returned 0x4c0000 [0163.293] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0163.293] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc73295c0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc73295c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc73295c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.293] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.293] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.293] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.293] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.293] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.293] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.293] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.293] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\PUSSY.TXT") returned 72 [0163.293] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.293] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc73295c0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc73295c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc73295c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.293] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0163.294] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\PUSSY.TXT") returned 72 [0163.294] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\virtualinbox\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.294] GetProcessHeap () returned 0x4c0000 [0163.294] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0163.295] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xc73295c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc73295c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="VirtualInbox", cAlternateFileName="VIRTUA~1")) returned 0 [0163.295] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0163.295] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\PUSSY.TXT") returned 59 [0163.296] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.296] GetProcessHeap () returned 0x4c0000 [0163.296] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0163.296] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc73295c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc73295c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="MSScan", cAlternateFileName="")) returned 1 [0163.296] lstrcmpiW (lpString1="MSScan", lpString2="Windows") returned -1 [0163.296] lstrcmpiW (lpString1="MSScan", lpString2="Program Files") returned -1 [0163.296] lstrcmpiW (lpString1="MSScan", lpString2="Program Files (x86)") returned -1 [0163.296] lstrcmpiW (lpString1="MSScan", lpString2="$Recycle.bin") returned 1 [0163.296] lstrcmpiW (lpString1="MSScan", lpString2="System Volume Information") returned -1 [0163.296] lstrcmpiW (lpString1="MSScan", lpString2=".") returned 1 [0163.296] lstrcmpiW (lpString1="MSScan", lpString2="..") returned 1 [0163.296] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan") returned 50 [0163.296] GetProcessHeap () returned 0x4c0000 [0163.296] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0163.296] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan" [0163.297] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\*" [0163.297] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc73295c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc73295c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0163.297] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.297] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.297] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.297] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.297] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.297] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.297] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc73295c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc73295c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0163.297] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.297] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.297] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.297] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.297] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.297] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.297] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.297] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc73295c0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc73295c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc73295c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.297] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.297] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.297] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.297] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.297] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.297] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.297] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.298] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\PUSSY.TXT") returned 60 [0163.298] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.298] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea12c467, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0xea12c467, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0xea1525c5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x7e148, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="WelcomeScan.jpg", cAlternateFileName="")) returned 1 [0163.298] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="Windows") returned -1 [0163.298] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="Program Files") returned 1 [0163.298] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="Program Files (x86)") returned 1 [0163.298] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="$Recycle.bin") returned 1 [0163.298] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="System Volume Information") returned 1 [0163.298] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2=".") returned 1 [0163.298] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="..") returned 1 [0163.298] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg") returned 66 [0163.298] lstrcmpW (lpString1="WelcomeScan.jpg", lpString2="PUSSY.TXT") returned 1 [0163.298] PathFindExtensionW (pszPath="WelcomeScan.jpg") returned=".jpg" [0163.298] lstrlenW (lpString=".jpg") returned 4 [0163.298] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0163.298] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msscan\\welcomescan.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0163.298] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea12c467, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0xea12c467, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0xea1525c5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x7e148, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="WelcomeScan.jpg", cAlternateFileName="")) returned 0 [0163.299] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0163.299] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\PUSSY.TXT") returned 60 [0163.299] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msscan\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.299] GetProcessHeap () returned 0x4c0000 [0163.299] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0163.299] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc73295c0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc73295c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc73295c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.299] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.299] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.299] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.299] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.299] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.299] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.299] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.299] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\PUSSY.TXT") returned 53 [0163.299] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.299] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc73295c0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc73295c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc73295c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.299] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0163.299] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\PUSSY.TXT") returned 53 [0163.299] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.299] GetProcessHeap () returned 0x4c0000 [0163.300] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0163.301] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc73295c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc73295c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="WwanSvc", cAlternateFileName="")) returned 1 [0163.301] lstrcmpiW (lpString1="WwanSvc", lpString2="Windows") returned 1 [0163.301] lstrcmpiW (lpString1="WwanSvc", lpString2="Program Files") returned 1 [0163.301] lstrcmpiW (lpString1="WwanSvc", lpString2="Program Files (x86)") returned 1 [0163.301] lstrcmpiW (lpString1="WwanSvc", lpString2="$Recycle.bin") returned 1 [0163.301] lstrcmpiW (lpString1="WwanSvc", lpString2="System Volume Information") returned 1 [0163.301] lstrcmpiW (lpString1="WwanSvc", lpString2=".") returned 1 [0163.301] lstrcmpiW (lpString1="WwanSvc", lpString2="..") returned 1 [0163.301] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc") returned 40 [0163.301] GetProcessHeap () returned 0x4c0000 [0163.301] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0163.302] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc" [0163.302] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\*" [0163.302] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc73295c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc73295c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0163.302] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.302] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.302] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.302] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.302] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.302] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.302] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc73295c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc73295c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0163.303] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.303] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.303] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.303] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.303] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.303] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.303] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.303] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="Profiles", cAlternateFileName="")) returned 1 [0163.303] lstrcmpiW (lpString1="Profiles", lpString2="Windows") returned -1 [0163.303] lstrcmpiW (lpString1="Profiles", lpString2="Program Files") returned -1 [0163.303] lstrcmpiW (lpString1="Profiles", lpString2="Program Files (x86)") returned -1 [0163.303] lstrcmpiW (lpString1="Profiles", lpString2="$Recycle.bin") returned 1 [0163.303] lstrcmpiW (lpString1="Profiles", lpString2="System Volume Information") returned -1 [0163.303] lstrcmpiW (lpString1="Profiles", lpString2=".") returned 1 [0163.303] lstrcmpiW (lpString1="Profiles", lpString2="..") returned 1 [0163.303] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles") returned 49 [0163.303] GetProcessHeap () returned 0x4c0000 [0163.303] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0163.304] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles" [0163.304] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\*" [0163.304] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0163.305] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.305] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.305] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.305] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.305] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.305] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.305] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0163.305] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.305] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.305] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.305] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.305] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.305] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.305] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.305] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dbf68, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 0 [0163.305] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0163.305] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\PUSSY.TXT") returned 59 [0163.305] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\wwansvc\\profiles\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.305] GetProcessHeap () returned 0x4c0000 [0163.305] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0163.306] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc73295c0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc73295c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc734f720, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.306] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.306] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.306] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.306] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.306] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.306] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.306] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.306] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\PUSSY.TXT") returned 50 [0163.306] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.306] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc73295c0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc73295c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc734f720, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x4ce3c8, dwReserved1=0x77c61b06, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.306] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0163.306] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\PUSSY.TXT") returned 50 [0163.306] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\wwansvc\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.306] GetProcessHeap () returned 0x4c0000 [0163.306] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0163.308] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xc73295c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc73295c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="WwanSvc", cAlternateFileName="")) returned 0 [0163.308] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0163.308] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\PUSSY.TXT") returned 42 [0163.308] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.308] GetProcessHeap () returned 0x4c0000 [0163.308] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0163.308] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe79db030, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xc740de00, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc740de00, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Microsoft Help", cAlternateFileName="MICROS~2")) returned 1 [0163.308] lstrcmpiW (lpString1="Microsoft Help", lpString2="Windows") returned -1 [0163.308] lstrcmpiW (lpString1="Microsoft Help", lpString2="Program Files") returned -1 [0163.308] lstrcmpiW (lpString1="Microsoft Help", lpString2="Program Files (x86)") returned -1 [0163.308] lstrcmpiW (lpString1="Microsoft Help", lpString2="$Recycle.bin") returned 1 [0163.308] lstrcmpiW (lpString1="Microsoft Help", lpString2="System Volume Information") returned -1 [0163.308] lstrcmpiW (lpString1="Microsoft Help", lpString2=".") returned 1 [0163.308] lstrcmpiW (lpString1="Microsoft Help", lpString2="..") returned 1 [0163.308] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help") returned 37 [0163.308] GetProcessHeap () returned 0x4c0000 [0163.308] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0163.308] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft Help" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help" [0163.308] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*" [0163.308] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe79db030, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xc740de00, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc740de00, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0163.309] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.309] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.309] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.309] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.309] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.309] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.309] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe79db030, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xc740de00, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc740de00, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0163.309] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.309] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.310] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.310] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.310] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.310] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.310] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.310] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x896b9210, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x896b9210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe8b8c220, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x186, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Hx.hxn", cAlternateFileName="")) returned 1 [0163.310] lstrcmpiW (lpString1="Hx.hxn", lpString2="Windows") returned -1 [0163.310] lstrcmpiW (lpString1="Hx.hxn", lpString2="Program Files") returned -1 [0163.310] lstrcmpiW (lpString1="Hx.hxn", lpString2="Program Files (x86)") returned -1 [0163.310] lstrcmpiW (lpString1="Hx.hxn", lpString2="$Recycle.bin") returned 1 [0163.310] lstrcmpiW (lpString1="Hx.hxn", lpString2="System Volume Information") returned -1 [0163.310] lstrcmpiW (lpString1="Hx.hxn", lpString2=".") returned 1 [0163.310] lstrcmpiW (lpString1="Hx.hxn", lpString2="..") returned 1 [0163.310] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\Hx.hxn") returned 44 [0163.310] lstrcmpW (lpString1="Hx.hxn", lpString2="PUSSY.TXT") returned -1 [0163.310] PathFindExtensionW (pszPath="Hx.hxn") returned=".hxn" [0163.310] lstrlenW (lpString=".hxn") returned 4 [0163.310] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0163.310] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\Hx.hxn" (normalized: "c:\\users\\all users\\microsoft help\\hx.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0163.311] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=390) returned 1 [0163.311] CloseHandle (hObject=0x184) returned 1 [0163.311] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xfa72fc10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa72fc10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa7a2030, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MS.EXCEL.14.1033.hxn", cAlternateFileName="MSEXCE~1.HXN")) returned 1 [0163.311] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="Windows") returned -1 [0163.311] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="Program Files") returned -1 [0163.311] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0163.311] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0163.311] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="System Volume Information") returned -1 [0163.311] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2=".") returned 1 [0163.311] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="..") returned 1 [0163.311] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn") returned 58 [0163.311] lstrcmpW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0163.311] PathFindExtensionW (pszPath="MS.EXCEL.14.1033.hxn") returned=".hxn" [0163.311] lstrlenW (lpString=".hxn") returned 4 [0163.312] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0163.312] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.excel.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0163.312] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=326) returned 1 [0163.312] CloseHandle (hObject=0x184) returned 1 [0163.312] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xfa755d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa755d70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa7a2030, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x15e, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MS.EXCEL.DEV.14.1033.hxn", cAlternateFileName="MSEXCE~2.HXN")) returned 1 [0163.312] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="Windows") returned -1 [0163.312] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="Program Files") returned -1 [0163.312] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0163.312] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0163.313] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="System Volume Information") returned -1 [0163.313] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2=".") returned 1 [0163.313] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="..") returned 1 [0163.313] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn") returned 62 [0163.313] lstrcmpW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0163.313] PathFindExtensionW (pszPath="MS.EXCEL.DEV.14.1033.hxn") returned=".hxn" [0163.313] lstrlenW (lpString=".hxn") returned 4 [0163.313] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0163.313] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.excel.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0163.313] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=350) returned 1 [0163.313] CloseHandle (hObject=0x184) returned 1 [0163.313] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xef377f10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef377f10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef3ea330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MS.GRAPH.14.1033.hxn", cAlternateFileName="MSGRAP~1.HXN")) returned 1 [0163.313] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="Windows") returned -1 [0163.314] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="Program Files") returned -1 [0163.314] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0163.314] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0163.314] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="System Volume Information") returned -1 [0163.314] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2=".") returned 1 [0163.314] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="..") returned 1 [0163.314] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn") returned 58 [0163.314] lstrcmpW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0163.314] PathFindExtensionW (pszPath="MS.GRAPH.14.1033.hxn") returned=".hxn" [0163.314] lstrlenW (lpString=".hxn") returned 4 [0163.314] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0163.314] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.graph.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0163.314] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=326) returned 1 [0163.314] CloseHandle (hObject=0x184) returned 1 [0163.315] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xfd789af0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfd789af0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfd822070, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x14c, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MS.GROOVE.14.1033.hxn", cAlternateFileName="MSGROO~1.HXN")) returned 1 [0163.315] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="Windows") returned -1 [0163.315] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="Program Files") returned -1 [0163.315] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0163.315] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0163.315] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="System Volume Information") returned -1 [0163.315] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2=".") returned 1 [0163.315] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="..") returned 1 [0163.315] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn") returned 59 [0163.315] lstrcmpW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0163.315] PathFindExtensionW (pszPath="MS.GROOVE.14.1033.hxn") returned=".hxn" [0163.315] lstrlenW (lpString=".hxn") returned 4 [0163.315] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0163.315] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.groove.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0163.315] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=332) returned 1 [0163.316] CloseHandle (hObject=0x184) returned 1 [0163.316] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x113ae4d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x113ae4d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x11446a50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x158, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MS.INFOPATH.14.1033.hxn", cAlternateFileName="MSINFO~1.HXN")) returned 1 [0163.316] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="Windows") returned -1 [0163.316] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="Program Files") returned -1 [0163.316] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0163.316] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0163.316] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="System Volume Information") returned -1 [0163.316] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2=".") returned 1 [0163.316] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="..") returned 1 [0163.316] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn") returned 61 [0163.316] lstrcmpW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0163.316] PathFindExtensionW (pszPath="MS.INFOPATH.14.1033.hxn") returned=".hxn" [0163.316] lstrlenW (lpString=".hxn") returned 4 [0163.316] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0163.316] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.infopath.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0163.316] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=344) returned 1 [0163.317] CloseHandle (hObject=0x184) returned 1 [0163.317] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x113ae4d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x113ae4d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1146cbb0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MS.INFOPATHEDITOR.14.1033.hxn", cAlternateFileName="MSINFO~2.HXN")) returned 1 [0163.317] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="Windows") returned -1 [0163.317] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="Program Files") returned -1 [0163.317] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0163.317] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0163.317] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="System Volume Information") returned -1 [0163.317] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2=".") returned 1 [0163.317] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="..") returned 1 [0163.317] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn") returned 67 [0163.317] lstrcmpW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0163.317] PathFindExtensionW (pszPath="MS.INFOPATHEDITOR.14.1033.hxn") returned=".hxn" [0163.317] lstrlenW (lpString=".hxn") returned 4 [0163.317] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0163.317] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.infopatheditor.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0163.317] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=380) returned 1 [0163.318] CloseHandle (hObject=0x184) returned 1 [0163.318] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x15f8e210, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x15f8e210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1604c8f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x158, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MS.MSACCESS.14.1033.hxn", cAlternateFileName="MSMSAC~1.HXN")) returned 1 [0163.318] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="Windows") returned -1 [0163.318] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="Program Files") returned -1 [0163.318] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0163.318] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0163.318] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="System Volume Information") returned -1 [0163.318] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2=".") returned 1 [0163.318] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="..") returned 1 [0163.318] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn") returned 61 [0163.318] lstrcmpW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0163.318] PathFindExtensionW (pszPath="MS.MSACCESS.14.1033.hxn") returned=".hxn" [0163.318] lstrlenW (lpString=".hxn") returned 4 [0163.318] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0163.318] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.msaccess.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0163.318] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=344) returned 1 [0163.319] CloseHandle (hObject=0x184) returned 1 [0163.319] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x15f8e210, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x15f8e210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1604c8f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x170, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MS.MSACCESS.DEV.14.1033.hxn", cAlternateFileName="MSMSAC~2.HXN")) returned 1 [0163.319] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="Windows") returned -1 [0163.319] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="Program Files") returned -1 [0163.319] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0163.319] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0163.319] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="System Volume Information") returned -1 [0163.319] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2=".") returned 1 [0163.319] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="..") returned 1 [0163.319] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn") returned 65 [0163.319] lstrcmpW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0163.319] PathFindExtensionW (pszPath="MS.MSACCESS.DEV.14.1033.hxn") returned=".hxn" [0163.319] lstrlenW (lpString=".hxn") returned 4 [0163.319] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0163.319] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.msaccess.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0163.319] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=368) returned 1 [0163.319] CloseHandle (hObject=0x184) returned 1 [0163.320] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xef377f10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef377f10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef3ea330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MS.MSOUC.14.1033.hxn", cAlternateFileName="MSMSOU~1.HXN")) returned 1 [0163.320] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="Windows") returned -1 [0163.320] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="Program Files") returned -1 [0163.320] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0163.320] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0163.320] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="System Volume Information") returned -1 [0163.320] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2=".") returned 1 [0163.320] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="..") returned 1 [0163.320] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn") returned 58 [0163.320] lstrcmpW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0163.320] PathFindExtensionW (pszPath="MS.MSOUC.14.1033.hxn") returned=".hxn" [0163.320] lstrlenW (lpString=".hxn") returned 4 [0163.320] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0163.320] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.msouc.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0163.320] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=326) returned 1 [0163.320] CloseHandle (hObject=0x184) returned 1 [0163.321] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x1beeb370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1beeb370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1bf5d790, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MS.MSPUB.14.1033.hxn", cAlternateFileName="MSMSPU~1.HXN")) returned 1 [0163.321] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="Windows") returned -1 [0163.321] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="Program Files") returned -1 [0163.321] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0163.321] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0163.321] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="System Volume Information") returned -1 [0163.321] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2=".") returned 1 [0163.321] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="..") returned 1 [0163.321] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn") returned 58 [0163.321] lstrcmpW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0163.321] PathFindExtensionW (pszPath="MS.MSPUB.14.1033.hxn") returned=".hxn" [0163.321] lstrlenW (lpString=".hxn") returned 4 [0163.321] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0163.321] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.mspub.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0163.321] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=326) returned 1 [0163.321] CloseHandle (hObject=0x184) returned 1 [0163.321] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x1beeb370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1beeb370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1bf5d790, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x15e, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MS.MSPUB.DEV.14.1033.hxn", cAlternateFileName="MSMSPU~2.HXN")) returned 1 [0163.322] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="Windows") returned -1 [0163.322] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="Program Files") returned -1 [0163.322] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0163.322] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0163.322] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="System Volume Information") returned -1 [0163.322] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2=".") returned 1 [0163.322] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="..") returned 1 [0163.322] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn") returned 62 [0163.322] lstrcmpW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0163.322] PathFindExtensionW (pszPath="MS.MSPUB.DEV.14.1033.hxn") returned=".hxn" [0163.322] lstrlenW (lpString=".hxn") returned 4 [0163.322] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0163.322] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.mspub.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0163.322] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=350) returned 1 [0163.322] CloseHandle (hObject=0x184) returned 1 [0163.322] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xef377f10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef377f10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef3ea330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x14c, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MS.MSTORE.14.1033.hxn", cAlternateFileName="MSMSTO~1.HXN")) returned 1 [0163.322] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="Windows") returned -1 [0163.322] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="Program Files") returned -1 [0163.323] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0163.323] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0163.323] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="System Volume Information") returned -1 [0163.323] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2=".") returned 1 [0163.323] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="..") returned 1 [0163.323] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn") returned 59 [0163.323] lstrcmpW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0163.323] PathFindExtensionW (pszPath="MS.MSTORE.14.1033.hxn") returned=".hxn" [0163.323] lstrlenW (lpString=".hxn") returned 4 [0163.323] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0163.323] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.mstore.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0163.323] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=332) returned 1 [0163.323] CloseHandle (hObject=0x184) returned 1 [0163.323] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xef377f10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef377f10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef3ea330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x13a, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MS.OIS.14.1033.hxn", cAlternateFileName="MSOIS1~1.HXN")) returned 1 [0163.323] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="Windows") returned -1 [0163.323] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="Program Files") returned -1 [0163.323] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0163.324] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0163.324] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="System Volume Information") returned -1 [0163.324] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2=".") returned 1 [0163.324] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="..") returned 1 [0163.324] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn") returned 56 [0163.324] lstrcmpW (lpString1="MS.OIS.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0163.324] PathFindExtensionW (pszPath="MS.OIS.14.1033.hxn") returned=".hxn" [0163.324] lstrlenW (lpString=".hxn") returned 4 [0163.324] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0163.324] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.ois.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0163.324] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=314) returned 1 [0163.324] CloseHandle (hObject=0x184) returned 1 [0163.324] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xc997810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xc997810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc9e3ad0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x152, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MS.ONENOTE.14.1033.hxn", cAlternateFileName="MSONEN~1.HXN")) returned 1 [0163.324] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="Windows") returned -1 [0163.324] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="Program Files") returned -1 [0163.324] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0163.325] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0163.325] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="System Volume Information") returned -1 [0163.325] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2=".") returned 1 [0163.325] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="..") returned 1 [0163.325] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn") returned 60 [0163.325] lstrcmpW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0163.325] PathFindExtensionW (pszPath="MS.ONENOTE.14.1033.hxn") returned=".hxn" [0163.325] lstrlenW (lpString=".hxn") returned 4 [0163.325] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0163.325] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.onenote.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0163.325] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=338) returned 1 [0163.325] CloseHandle (hObject=0x184) returned 1 [0163.325] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x25328b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x25328b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2689510, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x152, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MS.OUTLOOK.14.1033.hxn", cAlternateFileName="MSOUTL~1.HXN")) returned 1 [0163.325] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="Windows") returned -1 [0163.325] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="Program Files") returned -1 [0163.325] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0163.325] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0163.326] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="System Volume Information") returned -1 [0163.326] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2=".") returned 1 [0163.326] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="..") returned 1 [0163.326] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn") returned 60 [0163.326] lstrcmpW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0163.326] PathFindExtensionW (pszPath="MS.OUTLOOK.14.1033.hxn") returned=".hxn" [0163.326] lstrlenW (lpString=".hxn") returned 4 [0163.326] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0163.326] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.outlook.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0163.326] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=338) returned 1 [0163.326] CloseHandle (hObject=0x184) returned 1 [0163.326] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x25328b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x25328b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x26af670, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x16a, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MS.OUTLOOK.DEV.14.1033.hxn", cAlternateFileName="MSOUTL~2.HXN")) returned 1 [0163.326] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="Windows") returned -1 [0163.326] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="Program Files") returned -1 [0163.326] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0163.326] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0163.326] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="System Volume Information") returned -1 [0163.326] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2=".") returned 1 [0163.327] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="..") returned 1 [0163.327] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn") returned 64 [0163.327] lstrcmpW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0163.327] PathFindExtensionW (pszPath="MS.OUTLOOK.DEV.14.1033.hxn") returned=".hxn" [0163.327] lstrlenW (lpString=".hxn") returned 4 [0163.327] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0163.327] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.outlook.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0163.327] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=362) returned 1 [0163.327] CloseHandle (hObject=0x184) returned 1 [0163.327] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xf5fa06b0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf5fa06b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf5fec970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x158, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MS.POWERPNT.14.1033.hxn", cAlternateFileName="MSPOWE~1.HXN")) returned 1 [0163.327] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="Windows") returned -1 [0163.327] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="Program Files") returned -1 [0163.327] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0163.327] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0163.327] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="System Volume Information") returned -1 [0163.327] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2=".") returned 1 [0163.327] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="..") returned 1 [0163.327] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn") returned 61 [0163.328] lstrcmpW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0163.328] PathFindExtensionW (pszPath="MS.POWERPNT.14.1033.hxn") returned=".hxn" [0163.328] lstrlenW (lpString=".hxn") returned 4 [0163.328] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0163.328] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.powerpnt.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0163.328] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=344) returned 1 [0163.328] CloseHandle (hObject=0x184) returned 1 [0163.328] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xf5fa06b0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf5fa06b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf5fec970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x170, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MS.POWERPNT.DEV.14.1033.hxn", cAlternateFileName="MSPOWE~2.HXN")) returned 1 [0163.328] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="Windows") returned -1 [0163.328] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="Program Files") returned -1 [0163.328] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0163.328] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0163.328] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="System Volume Information") returned -1 [0163.328] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2=".") returned 1 [0163.328] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="..") returned 1 [0163.328] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn") returned 65 [0163.328] lstrcmpW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0163.329] PathFindExtensionW (pszPath="MS.POWERPNT.DEV.14.1033.hxn") returned=".hxn" [0163.329] lstrlenW (lpString=".hxn") returned 4 [0163.329] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0163.329] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.powerpnt.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0163.329] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=368) returned 1 [0163.329] CloseHandle (hObject=0x184) returned 1 [0163.330] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xef377f10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef377f10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef3ea330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x152, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MS.SETLANG.14.1033.hxn", cAlternateFileName="MSSETL~1.HXN")) returned 1 [0163.330] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="Windows") returned -1 [0163.331] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="Program Files") returned -1 [0163.331] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0163.331] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0163.331] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="System Volume Information") returned -1 [0163.331] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2=".") returned 1 [0163.331] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="..") returned 1 [0163.331] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn") returned 60 [0163.331] lstrcmpW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0163.331] PathFindExtensionW (pszPath="MS.SETLANG.14.1033.hxn") returned=".hxn" [0163.331] lstrlenW (lpString=".hxn") returned 4 [0163.331] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0163.331] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.setlang.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0163.331] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=338) returned 1 [0163.331] CloseHandle (hObject=0x184) returned 1 [0163.331] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x523a6340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x523a6340, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x5269fec0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MS.VISIO.14.1033.hxn", cAlternateFileName="MSVISI~1.HXN")) returned 1 [0163.331] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="Windows") returned -1 [0163.331] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="Program Files") returned -1 [0163.332] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0163.332] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0163.332] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="System Volume Information") returned -1 [0163.332] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2=".") returned 1 [0163.332] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="..") returned 1 [0163.332] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn") returned 58 [0163.332] lstrcmpW (lpString1="MS.VISIO.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0163.332] PathFindExtensionW (pszPath="MS.VISIO.14.1033.hxn") returned=".hxn" [0163.332] lstrlenW (lpString=".hxn") returned 4 [0163.332] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0163.332] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0163.332] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=326) returned 1 [0163.332] CloseHandle (hObject=0x184) returned 1 [0163.332] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x523a6340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x523a6340, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x527122e0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x15e, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MS.VISIO.DEV.14.1033.hxn", cAlternateFileName="MSVISI~3.HXN")) returned 1 [0163.333] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="Windows") returned -1 [0163.333] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="Program Files") returned -1 [0163.333] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0163.333] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0163.333] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="System Volume Information") returned -1 [0163.333] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2=".") returned 1 [0163.333] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="..") returned 1 [0163.333] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn") returned 62 [0163.333] lstrcmpW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0163.333] PathFindExtensionW (pszPath="MS.VISIO.DEV.14.1033.hxn") returned=".hxn" [0163.333] lstrlenW (lpString=".hxn") returned 4 [0163.333] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0163.333] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0163.333] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=350) returned 1 [0163.333] CloseHandle (hObject=0x184) returned 1 [0163.333] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x523a6340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x523a6340, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x52738440, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x188, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MS.VISIO.SHAPESHEET.14.1033.hxn", cAlternateFileName="MSVISI~4.HXN")) returned 1 [0163.334] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="Windows") returned -1 [0163.334] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="Program Files") returned -1 [0163.334] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0163.334] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0163.334] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="System Volume Information") returned -1 [0163.334] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2=".") returned 1 [0163.334] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="..") returned 1 [0163.334] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn") returned 69 [0163.334] lstrcmpW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0163.334] PathFindExtensionW (pszPath="MS.VISIO.SHAPESHEET.14.1033.hxn") returned=".hxn" [0163.334] lstrlenW (lpString=".hxn") returned 4 [0163.334] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0163.334] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio.shapesheet.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0163.334] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=392) returned 1 [0163.334] CloseHandle (hObject=0x184) returned 1 [0163.334] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x523a6340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x523a6340, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x52738440, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x15e, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MS.VISIO_PRM.14.1033.hxn", cAlternateFileName="MSE1C9~1.HXN")) returned 1 [0163.334] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="Windows") returned -1 [0163.334] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="Program Files") returned -1 [0163.335] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0163.335] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0163.335] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="System Volume Information") returned -1 [0163.335] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2=".") returned 1 [0163.335] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="..") returned 1 [0163.335] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn") returned 62 [0163.335] lstrcmpW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0163.335] PathFindExtensionW (pszPath="MS.VISIO_PRM.14.1033.hxn") returned=".hxn" [0163.335] lstrlenW (lpString=".hxn") returned 4 [0163.335] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0163.335] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio_prm.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0163.335] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=350) returned 1 [0163.335] CloseHandle (hObject=0x184) returned 1 [0163.335] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x523a6340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x523a6340, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x527122e0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x15e, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MS.VISIO_STD.14.1033.hxn", cAlternateFileName="MSVISI~2.HXN")) returned 1 [0163.335] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="Windows") returned -1 [0163.335] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="Program Files") returned -1 [0163.335] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0163.335] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0163.336] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="System Volume Information") returned -1 [0163.336] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2=".") returned 1 [0163.336] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="..") returned 1 [0163.336] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn") returned 62 [0163.336] lstrcmpW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0163.336] PathFindExtensionW (pszPath="MS.VISIO_STD.14.1033.hxn") returned=".hxn" [0163.336] lstrlenW (lpString=".hxn") returned 4 [0163.336] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0163.336] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio_std.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0163.336] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=350) returned 1 [0163.336] CloseHandle (hObject=0x184) returned 1 [0163.336] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xaf766ee0, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xaf766ee0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xaf7d9300, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x152, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MS.WINPROJ.14.1033.hxn", cAlternateFileName="MSWINP~1.HXN")) returned 1 [0163.336] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="Windows") returned -1 [0163.336] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="Program Files") returned -1 [0163.336] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0163.336] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0163.336] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="System Volume Information") returned -1 [0163.336] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2=".") returned 1 [0163.337] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="..") returned 1 [0163.337] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn") returned 60 [0163.337] lstrcmpW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0163.337] PathFindExtensionW (pszPath="MS.WINPROJ.14.1033.hxn") returned=".hxn" [0163.337] lstrlenW (lpString=".hxn") returned 4 [0163.337] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0163.337] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.winproj.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0163.337] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=338) returned 1 [0163.337] CloseHandle (hObject=0x184) returned 1 [0163.337] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xaf766ee0, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xaf766ee0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xaf7d9300, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x16a, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MS.WINPROJ.DEV.14.1033.hxn", cAlternateFileName="MSWINP~2.HXN")) returned 1 [0163.337] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="Windows") returned -1 [0163.337] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="Program Files") returned -1 [0163.337] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0163.337] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0163.337] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="System Volume Information") returned -1 [0163.337] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2=".") returned 1 [0163.337] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="..") returned 1 [0163.338] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn") returned 64 [0163.338] lstrcmpW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0163.338] PathFindExtensionW (pszPath="MS.WINPROJ.DEV.14.1033.hxn") returned=".hxn" [0163.338] lstrlenW (lpString=".hxn") returned 4 [0163.338] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0163.338] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.winproj.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0163.338] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=362) returned 1 [0163.338] CloseHandle (hObject=0x184) returned 1 [0163.338] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x1e67e130, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1e67e130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1e6f0550, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x152, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MS.WINWORD.14.1033.hxn", cAlternateFileName="MSWINW~1.HXN")) returned 1 [0163.338] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="Windows") returned -1 [0163.338] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="Program Files") returned -1 [0163.338] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0163.338] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0163.338] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="System Volume Information") returned -1 [0163.338] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2=".") returned 1 [0163.338] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="..") returned 1 [0163.338] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn") returned 60 [0163.339] lstrcmpW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0163.339] PathFindExtensionW (pszPath="MS.WINWORD.14.1033.hxn") returned=".hxn" [0163.339] lstrlenW (lpString=".hxn") returned 4 [0163.339] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0163.339] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.winword.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0163.339] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=338) returned 1 [0163.339] CloseHandle (hObject=0x184) returned 1 [0163.339] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x1e67e130, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1e67e130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1e6f0550, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x16a, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MS.WINWORD.DEV.14.1033.hxn", cAlternateFileName="MSWINW~2.HXN")) returned 1 [0163.339] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="Windows") returned -1 [0163.339] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="Program Files") returned -1 [0163.339] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0163.339] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0163.339] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="System Volume Information") returned -1 [0163.339] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2=".") returned 1 [0163.339] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="..") returned 1 [0163.340] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn") returned 64 [0163.340] lstrcmpW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="PUSSY.TXT") returned -1 [0163.340] PathFindExtensionW (pszPath="MS.WINWORD.DEV.14.1033.hxn") returned=".hxn" [0163.340] lstrlenW (lpString=".hxn") returned 4 [0163.340] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0163.340] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.winword.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0163.340] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=362) returned 1 [0163.340] CloseHandle (hObject=0x184) returned 1 [0163.340] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xe80ff230, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xe80ff230, ftLastAccessTime.dwHighDateTime=0x1d2dda1, ftLastWriteTime.dwLowDateTime=0xc740de00, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x21dc, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="nslist.hxl.CC666C16DFD091991D2970BC6DA053A58E4A5FBA55D10755050923D25235310E", cAlternateFileName="NSLIST~1.CC6")) returned 1 [0163.340] lstrcmpiW (lpString1="nslist.hxl.CC666C16DFD091991D2970BC6DA053A58E4A5FBA55D10755050923D25235310E", lpString2="Windows") returned -1 [0163.340] lstrcmpiW (lpString1="nslist.hxl.CC666C16DFD091991D2970BC6DA053A58E4A5FBA55D10755050923D25235310E", lpString2="Program Files") returned -1 [0163.340] lstrcmpiW (lpString1="nslist.hxl.CC666C16DFD091991D2970BC6DA053A58E4A5FBA55D10755050923D25235310E", lpString2="Program Files (x86)") returned -1 [0163.340] lstrcmpiW (lpString1="nslist.hxl.CC666C16DFD091991D2970BC6DA053A58E4A5FBA55D10755050923D25235310E", lpString2="$Recycle.bin") returned 1 [0163.340] lstrcmpiW (lpString1="nslist.hxl.CC666C16DFD091991D2970BC6DA053A58E4A5FBA55D10755050923D25235310E", lpString2="System Volume Information") returned -1 [0163.340] lstrcmpiW (lpString1="nslist.hxl.CC666C16DFD091991D2970BC6DA053A58E4A5FBA55D10755050923D25235310E", lpString2=".") returned 1 [0163.340] lstrcmpiW (lpString1="nslist.hxl.CC666C16DFD091991D2970BC6DA053A58E4A5FBA55D10755050923D25235310E", lpString2="..") returned 1 [0163.340] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\nslist.hxl.CC666C16DFD091991D2970BC6DA053A58E4A5FBA55D10755050923D25235310E") returned 113 [0163.341] lstrcmpW (lpString1="nslist.hxl.CC666C16DFD091991D2970BC6DA053A58E4A5FBA55D10755050923D25235310E", lpString2="PUSSY.TXT") returned -1 [0163.341] PathFindExtensionW (pszPath="nslist.hxl.CC666C16DFD091991D2970BC6DA053A58E4A5FBA55D10755050923D25235310E") returned=".CC666C16DFD091991D2970BC6DA053A58E4A5FBA55D10755050923D25235310E" [0163.341] lstrlenW (lpString=".CC666C16DFD091991D2970BC6DA053A58E4A5FBA55D10755050923D25235310E") returned 65 [0163.341] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc740de00, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc740de00, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7433f60, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.341] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.341] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.341] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.341] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.341] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.341] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.341] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.341] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\PUSSY.TXT") returned 47 [0163.341] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.341] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc740de00, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc740de00, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7433f60, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.341] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0163.341] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\PUSSY.TXT") returned 47 [0163.341] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\PUSSY.TXT" (normalized: "c:\\users\\all users\\microsoft help\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.341] GetProcessHeap () returned 0x4c0000 [0163.341] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0163.341] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xc7433f60, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7433f60, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Mozilla", cAlternateFileName="")) returned 1 [0163.341] lstrcmpiW (lpString1="Mozilla", lpString2="Windows") returned -1 [0163.341] lstrcmpiW (lpString1="Mozilla", lpString2="Program Files") returned -1 [0163.342] lstrcmpiW (lpString1="Mozilla", lpString2="Program Files (x86)") returned -1 [0163.342] lstrcmpiW (lpString1="Mozilla", lpString2="$Recycle.bin") returned 1 [0163.342] lstrcmpiW (lpString1="Mozilla", lpString2="System Volume Information") returned -1 [0163.342] lstrcmpiW (lpString1="Mozilla", lpString2=".") returned 1 [0163.342] lstrcmpiW (lpString1="Mozilla", lpString2="..") returned 1 [0163.342] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Mozilla") returned 30 [0163.342] GetProcessHeap () returned 0x4c0000 [0163.342] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0163.342] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\All Users\\Mozilla" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Mozilla") returned="\\\\?\\C:\\Users\\All Users\\Mozilla" [0163.342] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Mozilla", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Mozilla\\*") returned="\\\\?\\C:\\Users\\All Users\\Mozilla\\*" [0163.342] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Mozilla\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xc7433f60, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7433f60, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0163.342] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.342] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.342] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.342] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.342] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.342] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.342] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xc7433f60, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7433f60, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0163.342] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.342] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.342] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.342] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.343] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.343] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.343] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.343] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xc7433f60, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7433f60, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="logs", cAlternateFileName="")) returned 1 [0163.343] lstrcmpiW (lpString1="logs", lpString2="Windows") returned -1 [0163.343] lstrcmpiW (lpString1="logs", lpString2="Program Files") returned -1 [0163.343] lstrcmpiW (lpString1="logs", lpString2="Program Files (x86)") returned -1 [0163.343] lstrcmpiW (lpString1="logs", lpString2="$Recycle.bin") returned 1 [0163.343] lstrcmpiW (lpString1="logs", lpString2="System Volume Information") returned -1 [0163.343] lstrcmpiW (lpString1="logs", lpString2=".") returned 1 [0163.343] lstrcmpiW (lpString1="logs", lpString2="..") returned 1 [0163.343] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Mozilla\\logs") returned 35 [0163.343] GetProcessHeap () returned 0x4c0000 [0163.343] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0163.344] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Mozilla\\logs" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Mozilla\\logs") returned="\\\\?\\C:\\Users\\All Users\\Mozilla\\logs" [0163.344] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Mozilla\\logs", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Mozilla\\logs\\*") returned="\\\\?\\C:\\Users\\All Users\\Mozilla\\logs\\*" [0163.344] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Mozilla\\logs\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xc7433f60, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7433f60, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0163.344] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.344] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.344] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.344] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.344] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.344] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.344] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xc7433f60, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7433f60, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0163.344] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.344] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.344] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.344] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.344] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.344] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.344] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.344] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb07822e0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0xa4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="maintenanceservice-install.log", cAlternateFileName="MAINTE~1.LOG")) returned 1 [0163.344] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="Windows") returned -1 [0163.344] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="Program Files") returned -1 [0163.344] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="Program Files (x86)") returned -1 [0163.345] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="$Recycle.bin") returned 1 [0163.345] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="System Volume Information") returned -1 [0163.345] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2=".") returned 1 [0163.345] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="..") returned 1 [0163.345] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Mozilla\\logs\\maintenanceservice-install.log") returned 66 [0163.345] lstrcmpW (lpString1="maintenanceservice-install.log", lpString2="PUSSY.TXT") returned -1 [0163.345] PathFindExtensionW (pszPath="maintenanceservice-install.log") returned=".log" [0163.345] lstrlenW (lpString=".log") returned 4 [0163.345] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0163.345] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Mozilla\\logs\\maintenanceservice-install.log" (normalized: "c:\\users\\all users\\mozilla\\logs\\maintenanceservice-install.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0163.355] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=164) returned 1 [0163.355] CloseHandle (hObject=0x120) returned 1 [0163.355] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc7433f60, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc7433f60, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7433f60, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.355] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.355] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.355] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.356] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.356] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.356] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.356] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.356] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Mozilla\\logs\\PUSSY.TXT") returned 45 [0163.356] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.356] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc7433f60, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc7433f60, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7433f60, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.356] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0163.356] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Mozilla\\logs\\PUSSY.TXT") returned 45 [0163.356] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Mozilla\\logs\\PUSSY.TXT" (normalized: "c:\\users\\all users\\mozilla\\logs\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.356] GetProcessHeap () returned 0x4c0000 [0163.356] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0163.356] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc7433f60, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc7433f60, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7433f60, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.356] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.356] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.356] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.356] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.356] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.356] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.356] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.356] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Mozilla\\PUSSY.TXT") returned 40 [0163.356] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.356] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc7433f60, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc7433f60, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7433f60, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.357] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0163.357] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Mozilla\\PUSSY.TXT") returned 40 [0163.357] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Mozilla\\PUSSY.TXT" (normalized: "c:\\users\\all users\\mozilla\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.357] GetProcessHeap () returned 0x4c0000 [0163.357] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0163.358] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7e3c6d00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0xc7433f60, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7433f60, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Oracle", cAlternateFileName="")) returned 1 [0163.358] lstrcmpiW (lpString1="Oracle", lpString2="Windows") returned -1 [0163.358] lstrcmpiW (lpString1="Oracle", lpString2="Program Files") returned -1 [0163.358] lstrcmpiW (lpString1="Oracle", lpString2="Program Files (x86)") returned -1 [0163.358] lstrcmpiW (lpString1="Oracle", lpString2="$Recycle.bin") returned 1 [0163.358] lstrcmpiW (lpString1="Oracle", lpString2="System Volume Information") returned -1 [0163.358] lstrcmpiW (lpString1="Oracle", lpString2=".") returned 1 [0163.358] lstrcmpiW (lpString1="Oracle", lpString2="..") returned 1 [0163.358] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle") returned 29 [0163.358] GetProcessHeap () returned 0x4c0000 [0163.358] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0163.359] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\All Users\\Oracle" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Oracle") returned="\\\\?\\C:\\Users\\All Users\\Oracle" [0163.359] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Oracle", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Oracle\\*") returned="\\\\?\\C:\\Users\\All Users\\Oracle\\*" [0163.359] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Oracle\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7e3c6d00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0xc7433f60, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7433f60, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0163.359] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.359] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.359] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.360] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.360] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.360] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.360] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7e3c6d00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0xc7433f60, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7433f60, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0163.360] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.360] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.360] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.360] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.360] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.360] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.360] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.360] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc7433f60, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc7433f60, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7433f60, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.360] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.360] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.360] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.360] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.360] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.360] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.360] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.360] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\PUSSY.TXT") returned 39 [0163.360] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.360] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc7433f60, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc7433f60, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7433f60, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.360] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0163.360] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\PUSSY.TXT") returned 39 [0163.360] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Oracle\\PUSSY.TXT" (normalized: "c:\\users\\all users\\oracle\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.361] GetProcessHeap () returned 0x4c0000 [0163.361] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0163.361] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xecce51e0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc940a5a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc940a5a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Package Cache", cAlternateFileName="PACKAG~1")) returned 1 [0163.361] lstrcmpiW (lpString1="Package Cache", lpString2="Windows") returned -1 [0163.361] lstrcmpiW (lpString1="Package Cache", lpString2="Program Files") returned -1 [0163.361] lstrcmpiW (lpString1="Package Cache", lpString2="Program Files (x86)") returned -1 [0163.361] lstrcmpiW (lpString1="Package Cache", lpString2="$Recycle.bin") returned 1 [0163.361] lstrcmpiW (lpString1="Package Cache", lpString2="System Volume Information") returned -1 [0163.361] lstrcmpiW (lpString1="Package Cache", lpString2=".") returned 1 [0163.361] lstrcmpiW (lpString1="Package Cache", lpString2="..") returned 1 [0163.361] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache") returned 36 [0163.361] GetProcessHeap () returned 0x4c0000 [0163.361] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0163.361] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache") returned="\\\\?\\C:\\Users\\All Users\\Package Cache" [0163.361] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\*" [0163.361] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xecce51e0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc940a5a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc940a5a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0163.362] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.362] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.362] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.362] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.362] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.362] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.362] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xecce51e0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc940a5a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc940a5a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0163.362] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.362] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.362] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.362] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.362] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.362] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.362] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.362] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2924cac0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc74cc4e0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc74cc4e0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="42D5BEC7DDFBD49E76467529CBC2868987BF8460", cAlternateFileName="42D5BE~1")) returned 1 [0163.362] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="Windows") returned -1 [0163.362] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="Program Files") returned -1 [0163.362] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="Program Files (x86)") returned -1 [0163.362] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="$Recycle.bin") returned 1 [0163.362] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="System Volume Information") returned -1 [0163.362] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2=".") returned 1 [0163.362] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="..") returned 1 [0163.362] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460") returned 77 [0163.362] GetProcessHeap () returned 0x4c0000 [0163.363] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0163.363] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460" [0163.363] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\*" [0163.363] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2924cac0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc74cc4e0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc74cc4e0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0163.364] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.364] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.364] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.364] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.364] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.364] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.364] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2924cac0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc74cc4e0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc74cc4e0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0163.364] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.364] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.364] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.364] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.364] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.364] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.364] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.364] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc74cc4e0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc74cc4e0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="packages", cAlternateFileName="")) returned 1 [0163.364] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0163.364] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0163.364] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0163.364] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0163.364] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0163.364] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0163.364] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0163.364] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages") returned 86 [0163.365] GetProcessHeap () returned 0x4c0000 [0163.365] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0163.366] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages" [0163.366] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\*" [0163.366] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc74cc4e0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc74cc4e0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0163.366] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.366] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.366] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.366] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.366] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.366] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.366] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc74cc4e0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc74cc4e0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0163.366] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.366] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.366] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.366] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.366] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.366] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.366] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.366] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc74a6380, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc74a6380, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Patch", cAlternateFileName="")) returned 1 [0163.366] lstrcmpiW (lpString1="Patch", lpString2="Windows") returned -1 [0163.366] lstrcmpiW (lpString1="Patch", lpString2="Program Files") returned -1 [0163.366] lstrcmpiW (lpString1="Patch", lpString2="Program Files (x86)") returned -1 [0163.367] lstrcmpiW (lpString1="Patch", lpString2="$Recycle.bin") returned 1 [0163.367] lstrcmpiW (lpString1="Patch", lpString2="System Volume Information") returned -1 [0163.367] lstrcmpiW (lpString1="Patch", lpString2=".") returned 1 [0163.367] lstrcmpiW (lpString1="Patch", lpString2="..") returned 1 [0163.367] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch") returned 92 [0163.367] GetProcessHeap () returned 0x4c0000 [0163.367] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0163.367] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch" [0163.367] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\*" [0163.367] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc74a6380, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc74a6380, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0163.367] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.367] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.367] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.367] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.368] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.368] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.368] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc74a6380, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc74a6380, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0163.368] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.368] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.368] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.368] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.368] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.368] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.368] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.368] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc74a6380, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc74a6380, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc74a6380, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.368] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.368] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.368] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.368] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.368] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.368] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.368] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.368] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\PUSSY.TXT") returned 102 [0163.368] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.368] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc77c6060, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc77c6060, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="x64", cAlternateFileName="")) returned 1 [0163.368] lstrcmpiW (lpString1="x64", lpString2="Windows") returned 1 [0163.368] lstrcmpiW (lpString1="x64", lpString2="Program Files") returned 1 [0163.368] lstrcmpiW (lpString1="x64", lpString2="Program Files (x86)") returned 1 [0163.368] lstrcmpiW (lpString1="x64", lpString2="$Recycle.bin") returned 1 [0163.368] lstrcmpiW (lpString1="x64", lpString2="System Volume Information") returned 1 [0163.369] lstrcmpiW (lpString1="x64", lpString2=".") returned 1 [0163.369] lstrcmpiW (lpString1="x64", lpString2="..") returned 1 [0163.369] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64") returned 96 [0163.369] GetProcessHeap () returned 0x4c0000 [0163.369] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0163.370] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64" [0163.370] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\*" [0163.370] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc77c6060, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc77c6060, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0163.370] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.370] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.370] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.370] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.370] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.370] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.370] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc77c6060, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc77c6060, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0163.371] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.371] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.371] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.371] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.371] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.371] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.371] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.371] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc74a6380, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc74a6380, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc74a6380, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.371] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.371] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.371] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.371] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.371] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.371] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.371] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.371] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\PUSSY.TXT") returned 106 [0163.371] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.371] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59d2100, ftCreationTime.dwHighDateTime=0x1d0a100, ftLastAccessTime.dwLowDateTime=0x59d2100, ftLastAccessTime.dwHighDateTime=0x1d0a100, ftLastWriteTime.dwLowDateTime=0xc77c6060, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0xf7139, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="Windows6.1-KB2999226-x64.msu.BCF2BF9586BC1CE860416E73B9562270E7458999A8D76DB962B7B67014DED067", cAlternateFileName="WINDOW~1.BCF")) returned 1 [0163.371] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu.BCF2BF9586BC1CE860416E73B9562270E7458999A8D76DB962B7B67014DED067", lpString2="Windows") returned 1 [0163.371] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu.BCF2BF9586BC1CE860416E73B9562270E7458999A8D76DB962B7B67014DED067", lpString2="Program Files") returned 1 [0163.371] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu.BCF2BF9586BC1CE860416E73B9562270E7458999A8D76DB962B7B67014DED067", lpString2="Program Files (x86)") returned 1 [0163.371] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu.BCF2BF9586BC1CE860416E73B9562270E7458999A8D76DB962B7B67014DED067", lpString2="$Recycle.bin") returned 1 [0163.371] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu.BCF2BF9586BC1CE860416E73B9562270E7458999A8D76DB962B7B67014DED067", lpString2="System Volume Information") returned 1 [0163.371] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu.BCF2BF9586BC1CE860416E73B9562270E7458999A8D76DB962B7B67014DED067", lpString2=".") returned 1 [0163.371] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu.BCF2BF9586BC1CE860416E73B9562270E7458999A8D76DB962B7B67014DED067", lpString2="..") returned 1 [0163.372] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu.BCF2BF9586BC1CE860416E73B9562270E7458999A8D76DB962B7B67014DED067") returned 190 [0163.372] lstrcmpW (lpString1="Windows6.1-KB2999226-x64.msu.BCF2BF9586BC1CE860416E73B9562270E7458999A8D76DB962B7B67014DED067", lpString2="PUSSY.TXT") returned 1 [0163.372] PathFindExtensionW (pszPath="Windows6.1-KB2999226-x64.msu.BCF2BF9586BC1CE860416E73B9562270E7458999A8D76DB962B7B67014DED067") returned=".BCF2BF9586BC1CE860416E73B9562270E7458999A8D76DB962B7B67014DED067" [0163.372] lstrlenW (lpString=".BCF2BF9586BC1CE860416E73B9562270E7458999A8D76DB962B7B67014DED067") returned 65 [0163.372] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59d2100, ftCreationTime.dwHighDateTime=0x1d0a100, ftLastAccessTime.dwLowDateTime=0x59d2100, ftLastAccessTime.dwHighDateTime=0x1d0a100, ftLastWriteTime.dwLowDateTime=0xc77c6060, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0xf7139, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="Windows6.1-KB2999226-x64.msu.BCF2BF9586BC1CE860416E73B9562270E7458999A8D76DB962B7B67014DED067", cAlternateFileName="WINDOW~1.BCF")) returned 0 [0163.372] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0163.372] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\PUSSY.TXT") returned 106 [0163.372] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\patch\\x64\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.372] GetProcessHeap () returned 0x4c0000 [0163.372] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0163.372] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc77c6060, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc77c6060, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="x64", cAlternateFileName="")) returned 0 [0163.372] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0163.372] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\PUSSY.TXT") returned 102 [0163.372] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\patch\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.372] GetProcessHeap () returned 0x4c0000 [0163.372] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0163.374] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc74cc4e0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc74cc4e0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc74cc4e0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.374] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.374] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.374] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.374] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.374] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.374] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.374] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.374] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\PUSSY.TXT") returned 96 [0163.374] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.374] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc74cc4e0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc74cc4e0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc74cc4e0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.374] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0163.375] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\PUSSY.TXT") returned 96 [0163.375] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.375] GetProcessHeap () returned 0x4c0000 [0163.375] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0163.375] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc74cc4e0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc74cc4e0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc74cc4e0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.375] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.375] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.375] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.375] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.375] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.375] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.375] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.375] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\PUSSY.TXT") returned 87 [0163.375] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.376] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc74cc4e0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc74cc4e0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc74cc4e0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.376] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0163.376] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\PUSSY.TXT") returned 87 [0163.376] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.376] GetProcessHeap () returned 0x4c0000 [0163.376] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0163.377] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa938e870, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xc76492a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc76492a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", cAlternateFileName="54050A~1")) returned 1 [0163.377] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="Windows") returned -1 [0163.377] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="Program Files") returned -1 [0163.377] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="Program Files (x86)") returned -1 [0163.377] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="$Recycle.bin") returned 1 [0163.378] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="System Volume Information") returned -1 [0163.378] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2=".") returned 1 [0163.378] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="..") returned 1 [0163.378] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D") returned 77 [0163.378] GetProcessHeap () returned 0x4c0000 [0163.378] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0163.379] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D" [0163.379] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\*" [0163.379] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa938e870, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xc76492a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc76492a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0163.379] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.379] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.379] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.379] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.379] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.379] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.379] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa938e870, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xc76492a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc76492a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0163.379] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.379] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.379] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.379] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.379] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.379] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.379] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.379] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xc76492a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc76492a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="packages", cAlternateFileName="")) returned 1 [0163.379] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0163.379] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0163.380] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0163.380] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0163.380] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0163.380] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0163.380] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0163.380] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages") returned 86 [0163.380] GetProcessHeap () returned 0x4c0000 [0163.380] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0163.381] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages" [0163.381] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\*" [0163.381] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xc76492a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc76492a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0163.381] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.381] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.381] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.381] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.381] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.381] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.381] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xc76492a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc76492a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0163.381] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.381] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.381] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.381] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.381] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.381] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.381] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.382] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xc76492a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc76492a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Patch", cAlternateFileName="")) returned 1 [0163.382] lstrcmpiW (lpString1="Patch", lpString2="Windows") returned -1 [0163.382] lstrcmpiW (lpString1="Patch", lpString2="Program Files") returned -1 [0163.382] lstrcmpiW (lpString1="Patch", lpString2="Program Files (x86)") returned -1 [0163.382] lstrcmpiW (lpString1="Patch", lpString2="$Recycle.bin") returned 1 [0163.382] lstrcmpiW (lpString1="Patch", lpString2="System Volume Information") returned -1 [0163.382] lstrcmpiW (lpString1="Patch", lpString2=".") returned 1 [0163.382] lstrcmpiW (lpString1="Patch", lpString2="..") returned 1 [0163.382] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch") returned 92 [0163.382] GetProcessHeap () returned 0x4c0000 [0163.382] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0163.382] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch" [0163.382] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\*" [0163.382] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xc76492a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc76492a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0163.383] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.383] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.383] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.383] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.383] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.383] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.383] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xc76492a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc76492a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0163.383] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.383] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.383] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.383] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.383] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.383] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.383] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.383] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc76492a0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc76492a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc76492a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.383] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.383] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.383] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.383] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.383] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.383] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.383] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.383] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\PUSSY.TXT") returned 102 [0163.383] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.383] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xc7a4d7c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7a4d7c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="x64", cAlternateFileName="")) returned 1 [0163.384] lstrcmpiW (lpString1="x64", lpString2="Windows") returned 1 [0163.384] lstrcmpiW (lpString1="x64", lpString2="Program Files") returned 1 [0163.384] lstrcmpiW (lpString1="x64", lpString2="Program Files (x86)") returned 1 [0163.384] lstrcmpiW (lpString1="x64", lpString2="$Recycle.bin") returned 1 [0163.384] lstrcmpiW (lpString1="x64", lpString2="System Volume Information") returned 1 [0163.384] lstrcmpiW (lpString1="x64", lpString2=".") returned 1 [0163.384] lstrcmpiW (lpString1="x64", lpString2="..") returned 1 [0163.384] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64") returned 96 [0163.384] GetProcessHeap () returned 0x4c0000 [0163.384] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0163.385] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64" [0163.385] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\*" [0163.385] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xc7a4d7c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7a4d7c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0163.385] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.385] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.385] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.385] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.385] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.385] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.385] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xc7a4d7c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7a4d7c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0163.386] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.386] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.386] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.386] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.386] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.386] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.386] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.386] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc76492a0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc76492a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc76492a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.386] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.386] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.386] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.386] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.386] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.386] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.386] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.386] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\PUSSY.TXT") returned 106 [0163.386] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.386] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ab54b00, ftCreationTime.dwHighDateTime=0x1d1a02d, ftLastAccessTime.dwLowDateTime=0x9ab54b00, ftLastAccessTime.dwHighDateTime=0x1d1a02d, ftLastWriteTime.dwLowDateTime=0xc7a4d7c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0xfc93c, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="Windows6.1-KB2999226-x64.msu.2EF59AB4291BFB01F766E117A36470A8045E464F1AF6DFD7AB8A2523E4BA7F51", cAlternateFileName="WINDOW~1.2EF")) returned 1 [0163.386] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu.2EF59AB4291BFB01F766E117A36470A8045E464F1AF6DFD7AB8A2523E4BA7F51", lpString2="Windows") returned 1 [0163.386] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu.2EF59AB4291BFB01F766E117A36470A8045E464F1AF6DFD7AB8A2523E4BA7F51", lpString2="Program Files") returned 1 [0163.386] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu.2EF59AB4291BFB01F766E117A36470A8045E464F1AF6DFD7AB8A2523E4BA7F51", lpString2="Program Files (x86)") returned 1 [0163.386] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu.2EF59AB4291BFB01F766E117A36470A8045E464F1AF6DFD7AB8A2523E4BA7F51", lpString2="$Recycle.bin") returned 1 [0163.387] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu.2EF59AB4291BFB01F766E117A36470A8045E464F1AF6DFD7AB8A2523E4BA7F51", lpString2="System Volume Information") returned 1 [0163.387] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu.2EF59AB4291BFB01F766E117A36470A8045E464F1AF6DFD7AB8A2523E4BA7F51", lpString2=".") returned 1 [0163.387] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu.2EF59AB4291BFB01F766E117A36470A8045E464F1AF6DFD7AB8A2523E4BA7F51", lpString2="..") returned 1 [0163.387] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu.2EF59AB4291BFB01F766E117A36470A8045E464F1AF6DFD7AB8A2523E4BA7F51") returned 190 [0163.387] lstrcmpW (lpString1="Windows6.1-KB2999226-x64.msu.2EF59AB4291BFB01F766E117A36470A8045E464F1AF6DFD7AB8A2523E4BA7F51", lpString2="PUSSY.TXT") returned 1 [0163.387] PathFindExtensionW (pszPath="Windows6.1-KB2999226-x64.msu.2EF59AB4291BFB01F766E117A36470A8045E464F1AF6DFD7AB8A2523E4BA7F51") returned=".2EF59AB4291BFB01F766E117A36470A8045E464F1AF6DFD7AB8A2523E4BA7F51" [0163.387] lstrlenW (lpString=".2EF59AB4291BFB01F766E117A36470A8045E464F1AF6DFD7AB8A2523E4BA7F51") returned 65 [0163.387] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ab54b00, ftCreationTime.dwHighDateTime=0x1d1a02d, ftLastAccessTime.dwLowDateTime=0x9ab54b00, ftLastAccessTime.dwHighDateTime=0x1d1a02d, ftLastWriteTime.dwLowDateTime=0xc7a4d7c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0xfc93c, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="Windows6.1-KB2999226-x64.msu.2EF59AB4291BFB01F766E117A36470A8045E464F1AF6DFD7AB8A2523E4BA7F51", cAlternateFileName="WINDOW~1.2EF")) returned 0 [0163.387] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0163.387] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\PUSSY.TXT") returned 106 [0163.387] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\patch\\x64\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.387] GetProcessHeap () returned 0x4c0000 [0163.387] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0163.387] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xc7a4d7c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7a4d7c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2004a, dwReserved1=0xc0100080, cFileName="x64", cAlternateFileName="")) returned 0 [0163.387] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0163.387] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\PUSSY.TXT") returned 102 [0163.387] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\patch\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.387] GetProcessHeap () returned 0x4c0000 [0163.388] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0163.389] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc76492a0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc76492a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc76492a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.389] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.389] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.389] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.389] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.389] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.389] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.389] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.389] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\PUSSY.TXT") returned 96 [0163.389] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.389] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc76492a0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc76492a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc76492a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.390] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0163.390] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\PUSSY.TXT") returned 96 [0163.390] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.390] GetProcessHeap () returned 0x4c0000 [0163.390] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0163.390] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc76492a0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc76492a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc76492a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.390] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.390] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.390] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.390] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.390] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.390] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.390] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.390] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\PUSSY.TXT") returned 87 [0163.391] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.391] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc76492a0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc76492a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc76492a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.391] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0163.391] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\PUSSY.TXT") returned 87 [0163.391] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.391] GetProcessHeap () returned 0x4c0000 [0163.391] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0163.392] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc940a5a0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc940a5a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc940a5a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.392] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.392] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.392] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.392] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.392] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.392] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.392] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.393] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\PUSSY.TXT") returned 46 [0163.393] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.393] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb49460, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc7707980, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7707980, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", cAlternateFileName="{13A4E~1.210")) returned 1 [0163.393] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="Windows") returned -1 [0163.393] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="Program Files") returned -1 [0163.393] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="Program Files (x86)") returned -1 [0163.393] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="$Recycle.bin") returned 1 [0163.393] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="System Volume Information") returned -1 [0163.393] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2=".") returned 1 [0163.393] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="..") returned 1 [0163.393] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005") returned 86 [0163.393] GetProcessHeap () returned 0x4c0000 [0163.393] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0163.394] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005" [0163.394] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*" [0163.394] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb49460, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc7707980, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7707980, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0163.394] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.394] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.394] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.394] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.394] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.394] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.394] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb49460, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc7707980, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7707980, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0163.394] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.394] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.394] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.394] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.394] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.395] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.395] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.395] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc76e1820, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc76e1820, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="packages", cAlternateFileName="")) returned 1 [0163.395] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0163.395] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0163.395] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0163.395] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0163.395] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0163.395] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0163.395] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0163.395] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages") returned 95 [0163.395] GetProcessHeap () returned 0x4c0000 [0163.395] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0163.396] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages" [0163.396] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*" [0163.396] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc76e1820, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc76e1820, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0163.396] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.396] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.396] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.396] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.396] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.396] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.396] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc76e1820, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc76e1820, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0163.396] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.397] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.397] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.397] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.397] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.397] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.397] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.397] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc76e1820, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc76e1820, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7707980, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.397] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.397] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.397] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.397] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.397] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.397] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.397] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.397] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\PUSSY.TXT") returned 105 [0163.397] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.397] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc7c88c60, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7c88c60, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0163.397] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Windows") returned -1 [0163.397] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Program Files") returned 1 [0163.397] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Program Files (x86)") returned 1 [0163.397] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="$Recycle.bin") returned 1 [0163.397] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="System Volume Information") returned 1 [0163.397] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2=".") returned 1 [0163.397] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="..") returned 1 [0163.397] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86") returned 116 [0163.397] GetProcessHeap () returned 0x4c0000 [0163.397] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0163.398] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86" [0163.398] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*" [0163.398] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc7c88c60, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7c88c60, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0163.398] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.398] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.398] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.398] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.398] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.398] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.398] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc7c88c60, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7c88c60, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0163.398] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.398] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.398] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.399] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.399] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.399] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.399] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.399] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cc6500, ftCreationTime.dwHighDateTime=0x1cf3dd3, ftLastAccessTime.dwLowDateTime=0x50cc6500, ftLastAccessTime.dwHighDateTime=0x1cf3dd3, ftLastWriteTime.dwLowDateTime=0xc7968f80, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0xf36be, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="cab1.cab.991D78AF38B21CA967EACCE1BE715150A44709E8E32386E7C1514B8F5876BD51", cAlternateFileName="CAB1CA~1.991")) returned 1 [0163.399] lstrcmpiW (lpString1="cab1.cab.991D78AF38B21CA967EACCE1BE715150A44709E8E32386E7C1514B8F5876BD51", lpString2="Windows") returned -1 [0163.399] lstrcmpiW (lpString1="cab1.cab.991D78AF38B21CA967EACCE1BE715150A44709E8E32386E7C1514B8F5876BD51", lpString2="Program Files") returned -1 [0163.399] lstrcmpiW (lpString1="cab1.cab.991D78AF38B21CA967EACCE1BE715150A44709E8E32386E7C1514B8F5876BD51", lpString2="Program Files (x86)") returned -1 [0163.399] lstrcmpiW (lpString1="cab1.cab.991D78AF38B21CA967EACCE1BE715150A44709E8E32386E7C1514B8F5876BD51", lpString2="$Recycle.bin") returned 1 [0163.399] lstrcmpiW (lpString1="cab1.cab.991D78AF38B21CA967EACCE1BE715150A44709E8E32386E7C1514B8F5876BD51", lpString2="System Volume Information") returned -1 [0163.399] lstrcmpiW (lpString1="cab1.cab.991D78AF38B21CA967EACCE1BE715150A44709E8E32386E7C1514B8F5876BD51", lpString2=".") returned 1 [0163.399] lstrcmpiW (lpString1="cab1.cab.991D78AF38B21CA967EACCE1BE715150A44709E8E32386E7C1514B8F5876BD51", lpString2="..") returned 1 [0163.399] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab.991D78AF38B21CA967EACCE1BE715150A44709E8E32386E7C1514B8F5876BD51") returned 190 [0163.399] lstrcmpW (lpString1="cab1.cab.991D78AF38B21CA967EACCE1BE715150A44709E8E32386E7C1514B8F5876BD51", lpString2="PUSSY.TXT") returned -1 [0163.399] PathFindExtensionW (pszPath="cab1.cab.991D78AF38B21CA967EACCE1BE715150A44709E8E32386E7C1514B8F5876BD51") returned=".991D78AF38B21CA967EACCE1BE715150A44709E8E32386E7C1514B8F5876BD51" [0163.399] lstrlenW (lpString=".991D78AF38B21CA967EACCE1BE715150A44709E8E32386E7C1514B8F5876BD51") returned 65 [0163.399] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc76e1820, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc76e1820, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc76e1820, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.399] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.399] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.399] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.399] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.399] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.399] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.399] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.399] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\PUSSY.TXT") returned 126 [0163.399] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.399] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cc6500, ftCreationTime.dwHighDateTime=0x1cf3dd3, ftLastAccessTime.dwLowDateTime=0x50cc6500, ftLastAccessTime.dwHighDateTime=0x1cf3dd3, ftLastWriteTime.dwLowDateTime=0xc7c88c60, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="vc_runtimeMinimum_x86.msi.09C1AB1F6D8EEE2DC416AD671D789A7F98404736D168FC4693E8736079754917", cAlternateFileName="VC_RUN~1.09C")) returned 1 [0163.400] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi.09C1AB1F6D8EEE2DC416AD671D789A7F98404736D168FC4693E8736079754917", lpString2="Windows") returned -1 [0163.400] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi.09C1AB1F6D8EEE2DC416AD671D789A7F98404736D168FC4693E8736079754917", lpString2="Program Files") returned 1 [0163.400] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi.09C1AB1F6D8EEE2DC416AD671D789A7F98404736D168FC4693E8736079754917", lpString2="Program Files (x86)") returned 1 [0163.400] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi.09C1AB1F6D8EEE2DC416AD671D789A7F98404736D168FC4693E8736079754917", lpString2="$Recycle.bin") returned 1 [0163.400] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi.09C1AB1F6D8EEE2DC416AD671D789A7F98404736D168FC4693E8736079754917", lpString2="System Volume Information") returned 1 [0163.400] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi.09C1AB1F6D8EEE2DC416AD671D789A7F98404736D168FC4693E8736079754917", lpString2=".") returned 1 [0163.400] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi.09C1AB1F6D8EEE2DC416AD671D789A7F98404736D168FC4693E8736079754917", lpString2="..") returned 1 [0163.400] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi.09C1AB1F6D8EEE2DC416AD671D789A7F98404736D168FC4693E8736079754917") returned 207 [0163.400] lstrcmpW (lpString1="vc_runtimeMinimum_x86.msi.09C1AB1F6D8EEE2DC416AD671D789A7F98404736D168FC4693E8736079754917", lpString2="PUSSY.TXT") returned 1 [0163.400] PathFindExtensionW (pszPath="vc_runtimeMinimum_x86.msi.09C1AB1F6D8EEE2DC416AD671D789A7F98404736D168FC4693E8736079754917") returned=".09C1AB1F6D8EEE2DC416AD671D789A7F98404736D168FC4693E8736079754917" [0163.400] lstrlenW (lpString=".09C1AB1F6D8EEE2DC416AD671D789A7F98404736D168FC4693E8736079754917") returned 65 [0163.400] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cc6500, ftCreationTime.dwHighDateTime=0x1cf3dd3, ftLastAccessTime.dwLowDateTime=0x50cc6500, ftLastAccessTime.dwHighDateTime=0x1cf3dd3, ftLastWriteTime.dwLowDateTime=0xc7c88c60, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="vc_runtimeMinimum_x86.msi.09C1AB1F6D8EEE2DC416AD671D789A7F98404736D168FC4693E8736079754917", cAlternateFileName="VC_RUN~1.09C")) returned 0 [0163.400] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0163.400] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\PUSSY.TXT") returned 126 [0163.400] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.400] GetProcessHeap () returned 0x4c0000 [0163.400] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0163.400] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc7c88c60, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7c88c60, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0163.400] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0163.400] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\PUSSY.TXT") returned 105 [0163.401] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.401] GetProcessHeap () returned 0x4c0000 [0163.401] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0163.401] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7707980, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc7707980, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7707980, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.401] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.401] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.401] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.401] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.401] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.401] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.401] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.401] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\PUSSY.TXT") returned 96 [0163.401] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.401] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7707980, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc7707980, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7707980, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.401] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0163.401] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\PUSSY.TXT") returned 96 [0163.401] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.401] GetProcessHeap () returned 0x4c0000 [0163.401] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0163.403] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecd0b340, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc7caedc0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7caedc0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", cAlternateFileName="{33D1F~1")) returned 1 [0163.403] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="Windows") returned -1 [0163.403] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="Program Files") returned -1 [0163.403] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="Program Files (x86)") returned -1 [0163.403] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="$Recycle.bin") returned 1 [0163.403] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="System Volume Information") returned -1 [0163.403] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2=".") returned 1 [0163.403] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="..") returned 1 [0163.403] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}") returned 75 [0163.403] GetProcessHeap () returned 0x4c0000 [0163.403] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0163.404] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}" [0163.404] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*" [0163.404] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecd0b340, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc7caedc0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7caedc0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0163.404] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.404] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.404] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.404] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.404] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.405] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.405] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecd0b340, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc7caedc0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7caedc0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0163.405] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.405] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.405] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.405] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.405] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.405] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.405] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.405] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc779ff00, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc779ff00, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc779ff00, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.405] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.405] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.405] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.405] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.405] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.405] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.405] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.405] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\PUSSY.TXT") returned 85 [0163.405] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.405] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecd314a0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xecd314a0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xc78f6b60, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x28e, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="state.rsm.BAD3D950C968588C5F0579BAC4C41519FFD0DAD5B41AC35E1DA5D207554CBF31", cAlternateFileName="STATER~1.BAD")) returned 1 [0163.405] lstrcmpiW (lpString1="state.rsm.BAD3D950C968588C5F0579BAC4C41519FFD0DAD5B41AC35E1DA5D207554CBF31", lpString2="Windows") returned -1 [0163.405] lstrcmpiW (lpString1="state.rsm.BAD3D950C968588C5F0579BAC4C41519FFD0DAD5B41AC35E1DA5D207554CBF31", lpString2="Program Files") returned 1 [0163.405] lstrcmpiW (lpString1="state.rsm.BAD3D950C968588C5F0579BAC4C41519FFD0DAD5B41AC35E1DA5D207554CBF31", lpString2="Program Files (x86)") returned 1 [0163.405] lstrcmpiW (lpString1="state.rsm.BAD3D950C968588C5F0579BAC4C41519FFD0DAD5B41AC35E1DA5D207554CBF31", lpString2="$Recycle.bin") returned 1 [0163.405] lstrcmpiW (lpString1="state.rsm.BAD3D950C968588C5F0579BAC4C41519FFD0DAD5B41AC35E1DA5D207554CBF31", lpString2="System Volume Information") returned -1 [0163.405] lstrcmpiW (lpString1="state.rsm.BAD3D950C968588C5F0579BAC4C41519FFD0DAD5B41AC35E1DA5D207554CBF31", lpString2=".") returned 1 [0163.405] lstrcmpiW (lpString1="state.rsm.BAD3D950C968588C5F0579BAC4C41519FFD0DAD5B41AC35E1DA5D207554CBF31", lpString2="..") returned 1 [0163.406] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm.BAD3D950C968588C5F0579BAC4C41519FFD0DAD5B41AC35E1DA5D207554CBF31") returned 150 [0163.406] lstrcmpW (lpString1="state.rsm.BAD3D950C968588C5F0579BAC4C41519FFD0DAD5B41AC35E1DA5D207554CBF31", lpString2="PUSSY.TXT") returned 1 [0163.406] PathFindExtensionW (pszPath="state.rsm.BAD3D950C968588C5F0579BAC4C41519FFD0DAD5B41AC35E1DA5D207554CBF31") returned=".BAD3D950C968588C5F0579BAC4C41519FFD0DAD5B41AC35E1DA5D207554CBF31" [0163.406] lstrlenW (lpString=".BAD3D950C968588C5F0579BAC4C41519FFD0DAD5B41AC35E1DA5D207554CBF31") returned 65 [0163.406] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecd0b340, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xecd0b340, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xc7caedc0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x6f428, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="vcredist_x86.exe.FD87809AB3A40B9F62F0BBC1F489D64DFECFBA50D4A5BADEEACA4A19EFE34B55", cAlternateFileName="VCREDI~1.FD8")) returned 1 [0163.406] lstrcmpiW (lpString1="vcredist_x86.exe.FD87809AB3A40B9F62F0BBC1F489D64DFECFBA50D4A5BADEEACA4A19EFE34B55", lpString2="Windows") returned -1 [0163.406] lstrcmpiW (lpString1="vcredist_x86.exe.FD87809AB3A40B9F62F0BBC1F489D64DFECFBA50D4A5BADEEACA4A19EFE34B55", lpString2="Program Files") returned 1 [0163.406] lstrcmpiW (lpString1="vcredist_x86.exe.FD87809AB3A40B9F62F0BBC1F489D64DFECFBA50D4A5BADEEACA4A19EFE34B55", lpString2="Program Files (x86)") returned 1 [0163.406] lstrcmpiW (lpString1="vcredist_x86.exe.FD87809AB3A40B9F62F0BBC1F489D64DFECFBA50D4A5BADEEACA4A19EFE34B55", lpString2="$Recycle.bin") returned 1 [0163.406] lstrcmpiW (lpString1="vcredist_x86.exe.FD87809AB3A40B9F62F0BBC1F489D64DFECFBA50D4A5BADEEACA4A19EFE34B55", lpString2="System Volume Information") returned 1 [0163.406] lstrcmpiW (lpString1="vcredist_x86.exe.FD87809AB3A40B9F62F0BBC1F489D64DFECFBA50D4A5BADEEACA4A19EFE34B55", lpString2=".") returned 1 [0163.406] lstrcmpiW (lpString1="vcredist_x86.exe.FD87809AB3A40B9F62F0BBC1F489D64DFECFBA50D4A5BADEEACA4A19EFE34B55", lpString2="..") returned 1 [0163.406] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe.FD87809AB3A40B9F62F0BBC1F489D64DFECFBA50D4A5BADEEACA4A19EFE34B55") returned 157 [0163.406] lstrcmpW (lpString1="vcredist_x86.exe.FD87809AB3A40B9F62F0BBC1F489D64DFECFBA50D4A5BADEEACA4A19EFE34B55", lpString2="PUSSY.TXT") returned 1 [0163.406] PathFindExtensionW (pszPath="vcredist_x86.exe.FD87809AB3A40B9F62F0BBC1F489D64DFECFBA50D4A5BADEEACA4A19EFE34B55") returned=".FD87809AB3A40B9F62F0BBC1F489D64DFECFBA50D4A5BADEEACA4A19EFE34B55" [0163.406] lstrlenW (lpString=".FD87809AB3A40B9F62F0BBC1F489D64DFECFBA50D4A5BADEEACA4A19EFE34B55") returned 65 [0163.406] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecd0b340, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xecd0b340, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xc7caedc0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x6f428, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="vcredist_x86.exe.FD87809AB3A40B9F62F0BBC1F489D64DFECFBA50D4A5BADEEACA4A19EFE34B55", cAlternateFileName="VCREDI~1.FD8")) returned 0 [0163.406] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0163.406] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\PUSSY.TXT") returned 85 [0163.406] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.406] GetProcessHeap () returned 0x4c0000 [0163.406] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0163.407] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc7b32000, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7b32000, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", cAlternateFileName="{37B8F~1.610")) returned 1 [0163.407] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="Windows") returned -1 [0163.407] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="Program Files") returned -1 [0163.407] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="Program Files (x86)") returned -1 [0163.407] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="$Recycle.bin") returned 1 [0163.407] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="System Volume Information") returned -1 [0163.407] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2=".") returned 1 [0163.407] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="..") returned 1 [0163.407] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030") returned 86 [0163.407] GetProcessHeap () returned 0x4c0000 [0163.407] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0163.407] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030" [0163.407] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*" [0163.407] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc7b32000, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7b32000, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0163.407] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.407] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.407] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.407] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.407] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.407] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.407] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc7b32000, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7b32000, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0163.408] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.408] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.408] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.408] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.408] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.408] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.408] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.408] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc7b32000, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7b32000, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="packages", cAlternateFileName="")) returned 1 [0163.408] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0163.408] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0163.408] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0163.408] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0163.408] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0163.408] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0163.408] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0163.408] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages") returned 95 [0163.408] GetProcessHeap () returned 0x4c0000 [0163.408] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0163.409] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages" [0163.409] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*" [0163.409] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc7b32000, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7b32000, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0163.409] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.409] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.409] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.409] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.409] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.410] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.410] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc7b32000, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7b32000, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0163.410] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.410] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.410] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.410] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.410] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.410] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.410] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.410] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7b32000, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc7b32000, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7b32000, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.410] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.410] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.410] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.410] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.410] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.410] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.410] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.410] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\PUSSY.TXT") returned 105 [0163.410] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.410] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc7cfb080, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7cfb080, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0163.410] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Windows") returned -1 [0163.410] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Program Files") returned 1 [0163.410] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Program Files (x86)") returned 1 [0163.410] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="$Recycle.bin") returned 1 [0163.410] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="System Volume Information") returned 1 [0163.410] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2=".") returned 1 [0163.411] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="..") returned 1 [0163.411] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64") returned 121 [0163.411] GetProcessHeap () returned 0x4c0000 [0163.411] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0163.411] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64" [0163.411] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*" [0163.411] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc7cfb080, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7cfb080, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0163.411] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.411] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.411] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.411] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.411] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.412] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.412] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc7cfb080, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7cfb080, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0163.412] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.412] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.412] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.412] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.412] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.412] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.412] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.412] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa87bcb00, ftCreationTime.dwHighDateTime=0x1ced4d9, ftLastAccessTime.dwLowDateTime=0xa87bcb00, ftLastAccessTime.dwHighDateTime=0x1ced4d9, ftLastWriteTime.dwLowDateTime=0xc7caedc0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x588124, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="cab1.cab.A67710D9F824D2EE7C41410732DD483CC0E9985514F50A63A565026BE0E4C209", cAlternateFileName="CAB1CA~1.A67")) returned 1 [0163.412] lstrcmpiW (lpString1="cab1.cab.A67710D9F824D2EE7C41410732DD483CC0E9985514F50A63A565026BE0E4C209", lpString2="Windows") returned -1 [0163.412] lstrcmpiW (lpString1="cab1.cab.A67710D9F824D2EE7C41410732DD483CC0E9985514F50A63A565026BE0E4C209", lpString2="Program Files") returned -1 [0163.412] lstrcmpiW (lpString1="cab1.cab.A67710D9F824D2EE7C41410732DD483CC0E9985514F50A63A565026BE0E4C209", lpString2="Program Files (x86)") returned -1 [0163.412] lstrcmpiW (lpString1="cab1.cab.A67710D9F824D2EE7C41410732DD483CC0E9985514F50A63A565026BE0E4C209", lpString2="$Recycle.bin") returned 1 [0163.412] lstrcmpiW (lpString1="cab1.cab.A67710D9F824D2EE7C41410732DD483CC0E9985514F50A63A565026BE0E4C209", lpString2="System Volume Information") returned -1 [0163.412] lstrcmpiW (lpString1="cab1.cab.A67710D9F824D2EE7C41410732DD483CC0E9985514F50A63A565026BE0E4C209", lpString2=".") returned 1 [0163.412] lstrcmpiW (lpString1="cab1.cab.A67710D9F824D2EE7C41410732DD483CC0E9985514F50A63A565026BE0E4C209", lpString2="..") returned 1 [0163.412] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.A67710D9F824D2EE7C41410732DD483CC0E9985514F50A63A565026BE0E4C209") returned 195 [0163.412] lstrcmpW (lpString1="cab1.cab.A67710D9F824D2EE7C41410732DD483CC0E9985514F50A63A565026BE0E4C209", lpString2="PUSSY.TXT") returned -1 [0163.412] PathFindExtensionW (pszPath="cab1.cab.A67710D9F824D2EE7C41410732DD483CC0E9985514F50A63A565026BE0E4C209") returned=".A67710D9F824D2EE7C41410732DD483CC0E9985514F50A63A565026BE0E4C209" [0163.412] lstrlenW (lpString=".A67710D9F824D2EE7C41410732DD483CC0E9985514F50A63A565026BE0E4C209") returned 65 [0163.412] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7b0bea0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc7b0bea0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7b32000, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.412] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.412] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.412] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.412] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.412] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.413] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.413] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.413] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\PUSSY.TXT") returned 131 [0163.413] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.413] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4374a500, ftCreationTime.dwHighDateTime=0x1ced4da, ftLastAccessTime.dwLowDateTime=0x4374a500, ftLastAccessTime.dwHighDateTime=0x1ced4da, ftLastWriteTime.dwLowDateTime=0xc7cfb080, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="vc_runtimeAdditional_x64.msi.EDD9A80FA6422FFE70A9133A7D0D46A5D81585D76C3871219BF20A10A080D60C", cAlternateFileName="VC_RUN~1.EDD")) returned 1 [0163.413] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi.EDD9A80FA6422FFE70A9133A7D0D46A5D81585D76C3871219BF20A10A080D60C", lpString2="Windows") returned -1 [0163.413] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi.EDD9A80FA6422FFE70A9133A7D0D46A5D81585D76C3871219BF20A10A080D60C", lpString2="Program Files") returned 1 [0163.413] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi.EDD9A80FA6422FFE70A9133A7D0D46A5D81585D76C3871219BF20A10A080D60C", lpString2="Program Files (x86)") returned 1 [0163.413] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi.EDD9A80FA6422FFE70A9133A7D0D46A5D81585D76C3871219BF20A10A080D60C", lpString2="$Recycle.bin") returned 1 [0163.413] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi.EDD9A80FA6422FFE70A9133A7D0D46A5D81585D76C3871219BF20A10A080D60C", lpString2="System Volume Information") returned 1 [0163.413] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi.EDD9A80FA6422FFE70A9133A7D0D46A5D81585D76C3871219BF20A10A080D60C", lpString2=".") returned 1 [0163.413] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi.EDD9A80FA6422FFE70A9133A7D0D46A5D81585D76C3871219BF20A10A080D60C", lpString2="..") returned 1 [0163.413] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi.EDD9A80FA6422FFE70A9133A7D0D46A5D81585D76C3871219BF20A10A080D60C") returned 215 [0163.413] lstrcmpW (lpString1="vc_runtimeAdditional_x64.msi.EDD9A80FA6422FFE70A9133A7D0D46A5D81585D76C3871219BF20A10A080D60C", lpString2="PUSSY.TXT") returned 1 [0163.413] PathFindExtensionW (pszPath="vc_runtimeAdditional_x64.msi.EDD9A80FA6422FFE70A9133A7D0D46A5D81585D76C3871219BF20A10A080D60C") returned=".EDD9A80FA6422FFE70A9133A7D0D46A5D81585D76C3871219BF20A10A080D60C" [0163.413] lstrlenW (lpString=".EDD9A80FA6422FFE70A9133A7D0D46A5D81585D76C3871219BF20A10A080D60C") returned 65 [0163.413] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4374a500, ftCreationTime.dwHighDateTime=0x1ced4da, ftLastAccessTime.dwLowDateTime=0x4374a500, ftLastAccessTime.dwHighDateTime=0x1ced4da, ftLastWriteTime.dwLowDateTime=0xc7cfb080, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="vc_runtimeAdditional_x64.msi.EDD9A80FA6422FFE70A9133A7D0D46A5D81585D76C3871219BF20A10A080D60C", cAlternateFileName="VC_RUN~1.EDD")) returned 0 [0163.413] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0163.413] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\PUSSY.TXT") returned 131 [0163.413] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.413] GetProcessHeap () returned 0x4c0000 [0163.413] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0163.413] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc7cfb080, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7cfb080, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0163.414] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0163.414] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\PUSSY.TXT") returned 105 [0163.414] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.414] GetProcessHeap () returned 0x4c0000 [0163.414] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0163.414] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7b32000, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc7b32000, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7b32000, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.414] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.414] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.414] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.414] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.414] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.414] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.414] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.414] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\PUSSY.TXT") returned 96 [0163.414] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.414] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7b32000, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc7b32000, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7b32000, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.414] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0163.414] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\PUSSY.TXT") returned 96 [0163.414] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.414] GetProcessHeap () returned 0x4c0000 [0163.414] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0163.416] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a0db1a0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc7fceaa0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7fceaa0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="{3c3aafc8-d898-43ec-998f-965ffdae065a}", cAlternateFileName="{3C3AA~1")) returned 1 [0163.416] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="Windows") returned -1 [0163.416] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="Program Files") returned -1 [0163.416] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="Program Files (x86)") returned -1 [0163.416] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="$Recycle.bin") returned 1 [0163.416] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="System Volume Information") returned -1 [0163.416] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2=".") returned 1 [0163.416] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="..") returned 1 [0163.416] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}") returned 75 [0163.416] GetProcessHeap () returned 0x4c0000 [0163.416] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0163.417] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}" [0163.417] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*" [0163.417] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a0db1a0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc7fceaa0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7fceaa0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0163.418] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.418] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.418] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.418] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.418] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.418] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.418] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a0db1a0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc7fceaa0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7fceaa0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0163.418] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.418] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.418] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.418] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.418] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.418] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.418] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.418] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7c3c9a0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc7c3c9a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7c3c9a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.418] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.418] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.418] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.418] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.418] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.418] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.418] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.418] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\PUSSY.TXT") returned 85 [0163.419] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.419] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a127460, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a127460, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xc7c88c60, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x29a, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="state.rsm.A62E1B7F5248B4FEB21CFC39DDBFE4A700F1D112DE9E6E8CC33FDDC65904676E", cAlternateFileName="STATER~1.A62")) returned 1 [0163.419] lstrcmpiW (lpString1="state.rsm.A62E1B7F5248B4FEB21CFC39DDBFE4A700F1D112DE9E6E8CC33FDDC65904676E", lpString2="Windows") returned -1 [0163.419] lstrcmpiW (lpString1="state.rsm.A62E1B7F5248B4FEB21CFC39DDBFE4A700F1D112DE9E6E8CC33FDDC65904676E", lpString2="Program Files") returned 1 [0163.419] lstrcmpiW (lpString1="state.rsm.A62E1B7F5248B4FEB21CFC39DDBFE4A700F1D112DE9E6E8CC33FDDC65904676E", lpString2="Program Files (x86)") returned 1 [0163.419] lstrcmpiW (lpString1="state.rsm.A62E1B7F5248B4FEB21CFC39DDBFE4A700F1D112DE9E6E8CC33FDDC65904676E", lpString2="$Recycle.bin") returned 1 [0163.419] lstrcmpiW (lpString1="state.rsm.A62E1B7F5248B4FEB21CFC39DDBFE4A700F1D112DE9E6E8CC33FDDC65904676E", lpString2="System Volume Information") returned -1 [0163.419] lstrcmpiW (lpString1="state.rsm.A62E1B7F5248B4FEB21CFC39DDBFE4A700F1D112DE9E6E8CC33FDDC65904676E", lpString2=".") returned 1 [0163.419] lstrcmpiW (lpString1="state.rsm.A62E1B7F5248B4FEB21CFC39DDBFE4A700F1D112DE9E6E8CC33FDDC65904676E", lpString2="..") returned 1 [0163.419] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm.A62E1B7F5248B4FEB21CFC39DDBFE4A700F1D112DE9E6E8CC33FDDC65904676E") returned 150 [0163.419] lstrcmpW (lpString1="state.rsm.A62E1B7F5248B4FEB21CFC39DDBFE4A700F1D112DE9E6E8CC33FDDC65904676E", lpString2="PUSSY.TXT") returned 1 [0163.419] PathFindExtensionW (pszPath="state.rsm.A62E1B7F5248B4FEB21CFC39DDBFE4A700F1D112DE9E6E8CC33FDDC65904676E") returned=".A62E1B7F5248B4FEB21CFC39DDBFE4A700F1D112DE9E6E8CC33FDDC65904676E" [0163.419] lstrlenW (lpString=".A62E1B7F5248B4FEB21CFC39DDBFE4A700F1D112DE9E6E8CC33FDDC65904676E") returned 65 [0163.419] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a0db1a0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a0db1a0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xc7fceaa0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x710a8, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="vcredist_x64.exe.DD872ED8FCC4C56931D9BCA1DA4F9C0F2258E2B1BE49EA789829DEE688D15D76", cAlternateFileName="VCREDI~1.DD8")) returned 1 [0163.419] lstrcmpiW (lpString1="vcredist_x64.exe.DD872ED8FCC4C56931D9BCA1DA4F9C0F2258E2B1BE49EA789829DEE688D15D76", lpString2="Windows") returned -1 [0163.419] lstrcmpiW (lpString1="vcredist_x64.exe.DD872ED8FCC4C56931D9BCA1DA4F9C0F2258E2B1BE49EA789829DEE688D15D76", lpString2="Program Files") returned 1 [0163.419] lstrcmpiW (lpString1="vcredist_x64.exe.DD872ED8FCC4C56931D9BCA1DA4F9C0F2258E2B1BE49EA789829DEE688D15D76", lpString2="Program Files (x86)") returned 1 [0163.419] lstrcmpiW (lpString1="vcredist_x64.exe.DD872ED8FCC4C56931D9BCA1DA4F9C0F2258E2B1BE49EA789829DEE688D15D76", lpString2="$Recycle.bin") returned 1 [0163.419] lstrcmpiW (lpString1="vcredist_x64.exe.DD872ED8FCC4C56931D9BCA1DA4F9C0F2258E2B1BE49EA789829DEE688D15D76", lpString2="System Volume Information") returned 1 [0163.419] lstrcmpiW (lpString1="vcredist_x64.exe.DD872ED8FCC4C56931D9BCA1DA4F9C0F2258E2B1BE49EA789829DEE688D15D76", lpString2=".") returned 1 [0163.419] lstrcmpiW (lpString1="vcredist_x64.exe.DD872ED8FCC4C56931D9BCA1DA4F9C0F2258E2B1BE49EA789829DEE688D15D76", lpString2="..") returned 1 [0163.419] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe.DD872ED8FCC4C56931D9BCA1DA4F9C0F2258E2B1BE49EA789829DEE688D15D76") returned 157 [0163.419] lstrcmpW (lpString1="vcredist_x64.exe.DD872ED8FCC4C56931D9BCA1DA4F9C0F2258E2B1BE49EA789829DEE688D15D76", lpString2="PUSSY.TXT") returned 1 [0163.419] PathFindExtensionW (pszPath="vcredist_x64.exe.DD872ED8FCC4C56931D9BCA1DA4F9C0F2258E2B1BE49EA789829DEE688D15D76") returned=".DD872ED8FCC4C56931D9BCA1DA4F9C0F2258E2B1BE49EA789829DEE688D15D76" [0163.419] lstrlenW (lpString=".DD872ED8FCC4C56931D9BCA1DA4F9C0F2258E2B1BE49EA789829DEE688D15D76") returned 65 [0163.419] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a0db1a0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a0db1a0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xc7fceaa0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x710a8, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="vcredist_x64.exe.DD872ED8FCC4C56931D9BCA1DA4F9C0F2258E2B1BE49EA789829DEE688D15D76", cAlternateFileName="VCREDI~1.DD8")) returned 0 [0163.420] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0163.420] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\PUSSY.TXT") returned 85 [0163.420] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.420] GetProcessHeap () returned 0x4c0000 [0163.420] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0163.420] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xc7d6d4a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7d6d4a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", cAlternateFileName="{582EA~1.250")) returned 1 [0163.420] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="Windows") returned -1 [0163.420] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="Program Files") returned -1 [0163.420] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="Program Files (x86)") returned -1 [0163.420] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="$Recycle.bin") returned 1 [0163.420] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="System Volume Information") returned -1 [0163.420] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2=".") returned 1 [0163.420] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="..") returned 1 [0163.420] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017") returned 87 [0163.420] GetProcessHeap () returned 0x4c0000 [0163.420] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0163.420] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017" [0163.420] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\*" [0163.421] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xc7d6d4a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7d6d4a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0163.421] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.421] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.421] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.421] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.421] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.421] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.421] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xc7d6d4a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7d6d4a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0163.421] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.421] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.421] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.421] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.421] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.421] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.421] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.421] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xc7d6d4a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7d6d4a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="packages", cAlternateFileName="")) returned 1 [0163.421] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0163.421] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0163.421] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0163.421] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0163.422] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0163.422] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0163.422] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0163.422] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages") returned 96 [0163.422] GetProcessHeap () returned 0x4c0000 [0163.422] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0163.423] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages" [0163.423] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\*" [0163.423] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xc7d6d4a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7d6d4a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0163.437] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.437] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.437] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.437] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.437] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.437] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.437] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xc7d6d4a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7d6d4a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0163.437] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.437] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.437] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.437] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.437] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.437] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.438] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.438] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7d6d4a0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc7d6d4a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7d6d4a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.438] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.438] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.438] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.438] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.438] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.438] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.438] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.438] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\PUSSY.TXT") returned 106 [0163.438] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.438] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xc7fceaa0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7fceaa0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0163.438] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Windows") returned -1 [0163.438] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Program Files") returned 1 [0163.438] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Program Files (x86)") returned 1 [0163.438] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="$Recycle.bin") returned 1 [0163.438] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="System Volume Information") returned 1 [0163.438] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2=".") returned 1 [0163.438] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="..") returned 1 [0163.438] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86") returned 117 [0163.438] GetProcessHeap () returned 0x4c0000 [0163.438] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0163.439] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86" [0163.439] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*" [0163.439] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xc7fceaa0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7fceaa0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0163.439] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.439] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.439] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.439] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.439] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.439] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.440] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xc7fceaa0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7fceaa0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0163.440] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.440] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.440] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.440] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.440] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.440] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.440] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.440] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd15e8b00, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xd15e8b00, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xc7fceaa0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x13babb, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="cab1.cab.73FEA845425B415724D7DD5EF3BC1D23B312899B84B81AECF890547908FBA552", cAlternateFileName="CAB1CA~1.73F")) returned 1 [0163.440] lstrcmpiW (lpString1="cab1.cab.73FEA845425B415724D7DD5EF3BC1D23B312899B84B81AECF890547908FBA552", lpString2="Windows") returned -1 [0163.440] lstrcmpiW (lpString1="cab1.cab.73FEA845425B415724D7DD5EF3BC1D23B312899B84B81AECF890547908FBA552", lpString2="Program Files") returned -1 [0163.440] lstrcmpiW (lpString1="cab1.cab.73FEA845425B415724D7DD5EF3BC1D23B312899B84B81AECF890547908FBA552", lpString2="Program Files (x86)") returned -1 [0163.440] lstrcmpiW (lpString1="cab1.cab.73FEA845425B415724D7DD5EF3BC1D23B312899B84B81AECF890547908FBA552", lpString2="$Recycle.bin") returned 1 [0163.440] lstrcmpiW (lpString1="cab1.cab.73FEA845425B415724D7DD5EF3BC1D23B312899B84B81AECF890547908FBA552", lpString2="System Volume Information") returned -1 [0163.440] lstrcmpiW (lpString1="cab1.cab.73FEA845425B415724D7DD5EF3BC1D23B312899B84B81AECF890547908FBA552", lpString2=".") returned 1 [0163.440] lstrcmpiW (lpString1="cab1.cab.73FEA845425B415724D7DD5EF3BC1D23B312899B84B81AECF890547908FBA552", lpString2="..") returned 1 [0163.440] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab.73FEA845425B415724D7DD5EF3BC1D23B312899B84B81AECF890547908FBA552") returned 191 [0163.440] lstrcmpW (lpString1="cab1.cab.73FEA845425B415724D7DD5EF3BC1D23B312899B84B81AECF890547908FBA552", lpString2="PUSSY.TXT") returned -1 [0163.440] PathFindExtensionW (pszPath="cab1.cab.73FEA845425B415724D7DD5EF3BC1D23B312899B84B81AECF890547908FBA552") returned=".73FEA845425B415724D7DD5EF3BC1D23B312899B84B81AECF890547908FBA552" [0163.440] lstrlenW (lpString=".73FEA845425B415724D7DD5EF3BC1D23B312899B84B81AECF890547908FBA552") returned 65 [0163.440] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7d6d4a0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc7d6d4a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7d6d4a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.440] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.440] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.440] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.440] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.441] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.441] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.441] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.441] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\PUSSY.TXT") returned 127 [0163.441] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.441] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb17b200, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xfb17b200, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xc7fceaa0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x24000, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="vc_runtimeMinimum_x86.msi.B1FD35E1F10B95B5743E2C2A05F8965A3888AC73D5AF78B74977FF52B6777866", cAlternateFileName="VC_RUN~1.B1F")) returned 1 [0163.441] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi.B1FD35E1F10B95B5743E2C2A05F8965A3888AC73D5AF78B74977FF52B6777866", lpString2="Windows") returned -1 [0163.441] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi.B1FD35E1F10B95B5743E2C2A05F8965A3888AC73D5AF78B74977FF52B6777866", lpString2="Program Files") returned 1 [0163.441] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi.B1FD35E1F10B95B5743E2C2A05F8965A3888AC73D5AF78B74977FF52B6777866", lpString2="Program Files (x86)") returned 1 [0163.441] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi.B1FD35E1F10B95B5743E2C2A05F8965A3888AC73D5AF78B74977FF52B6777866", lpString2="$Recycle.bin") returned 1 [0163.441] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi.B1FD35E1F10B95B5743E2C2A05F8965A3888AC73D5AF78B74977FF52B6777866", lpString2="System Volume Information") returned 1 [0163.441] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi.B1FD35E1F10B95B5743E2C2A05F8965A3888AC73D5AF78B74977FF52B6777866", lpString2=".") returned 1 [0163.441] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi.B1FD35E1F10B95B5743E2C2A05F8965A3888AC73D5AF78B74977FF52B6777866", lpString2="..") returned 1 [0163.441] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi.B1FD35E1F10B95B5743E2C2A05F8965A3888AC73D5AF78B74977FF52B6777866") returned 208 [0163.441] lstrcmpW (lpString1="vc_runtimeMinimum_x86.msi.B1FD35E1F10B95B5743E2C2A05F8965A3888AC73D5AF78B74977FF52B6777866", lpString2="PUSSY.TXT") returned 1 [0163.441] PathFindExtensionW (pszPath="vc_runtimeMinimum_x86.msi.B1FD35E1F10B95B5743E2C2A05F8965A3888AC73D5AF78B74977FF52B6777866") returned=".B1FD35E1F10B95B5743E2C2A05F8965A3888AC73D5AF78B74977FF52B6777866" [0163.441] lstrlenW (lpString=".B1FD35E1F10B95B5743E2C2A05F8965A3888AC73D5AF78B74977FF52B6777866") returned 65 [0163.441] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb17b200, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xfb17b200, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xc7fceaa0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x24000, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="vc_runtimeMinimum_x86.msi.B1FD35E1F10B95B5743E2C2A05F8965A3888AC73D5AF78B74977FF52B6777866", cAlternateFileName="VC_RUN~1.B1F")) returned 0 [0163.441] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0163.441] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\PUSSY.TXT") returned 127 [0163.441] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.442] GetProcessHeap () returned 0x4c0000 [0163.442] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0163.442] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xc7fceaa0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7fceaa0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0163.442] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0163.442] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\PUSSY.TXT") returned 106 [0163.442] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.442] GetProcessHeap () returned 0x4c0000 [0163.442] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0163.443] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7d6d4a0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc7d6d4a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7d6d4a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.443] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.443] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.443] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.443] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.443] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.443] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.443] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.443] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\PUSSY.TXT") returned 97 [0163.443] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.443] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7d6d4a0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc7d6d4a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7d6d4a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.443] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0163.443] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\PUSSY.TXT") returned 97 [0163.443] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.443] GetProcessHeap () returned 0x4c0000 [0163.443] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0163.445] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xc7eea260, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7eea260, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", cAlternateFileName="{68306~1.250")) returned 1 [0163.445] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="Windows") returned -1 [0163.445] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="Program Files") returned -1 [0163.445] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="Program Files (x86)") returned -1 [0163.445] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="$Recycle.bin") returned 1 [0163.445] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="System Volume Information") returned -1 [0163.445] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2=".") returned 1 [0163.445] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="..") returned 1 [0163.445] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017") returned 87 [0163.445] GetProcessHeap () returned 0x4c0000 [0163.445] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0163.446] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017" [0163.446] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\*" [0163.446] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xc7eea260, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7eea260, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0163.446] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.447] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.447] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.447] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.447] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.447] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.447] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xc7eea260, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7eea260, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0163.447] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.447] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.447] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.447] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.447] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.447] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.447] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.447] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xc7eea260, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7eea260, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="packages", cAlternateFileName="")) returned 1 [0163.447] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0163.447] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0163.447] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0163.447] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0163.447] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0163.447] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0163.447] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0163.447] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages") returned 96 [0163.447] GetProcessHeap () returned 0x4c0000 [0163.447] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0163.448] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages" [0163.448] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\*" [0163.449] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xc7eea260, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7eea260, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0163.449] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.449] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.449] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.449] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.449] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.449] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.449] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xc7eea260, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7eea260, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0163.449] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.449] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.449] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.449] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.449] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.449] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.449] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.449] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7eea260, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc7eea260, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7eea260, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.449] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.449] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.449] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.449] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.449] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.450] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.450] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.450] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\PUSSY.TXT") returned 106 [0163.450] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.450] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xc83ace60, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc83ace60, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0163.450] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Windows") returned -1 [0163.450] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Program Files") returned 1 [0163.450] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Program Files (x86)") returned 1 [0163.450] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="$Recycle.bin") returned 1 [0163.450] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="System Volume Information") returned 1 [0163.450] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2=".") returned 1 [0163.450] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="..") returned 1 [0163.450] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86") returned 120 [0163.450] GetProcessHeap () returned 0x4c0000 [0163.450] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0163.451] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86" [0163.451] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*" [0163.451] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xc83ace60, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc83ace60, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0163.451] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.451] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.451] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.451] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.451] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.451] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.451] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xc83ace60, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc83ace60, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0163.451] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.451] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.451] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.451] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.451] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.451] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.451] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.451] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3c0e500, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xd3c0e500, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xc8386d00, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4f699e, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="cab1.cab.B59DAAF1823184A9047D193D843285B270E3949DD58B0B9B1916D2FD58074D2E", cAlternateFileName="CAB1CA~1.B59")) returned 1 [0163.451] lstrcmpiW (lpString1="cab1.cab.B59DAAF1823184A9047D193D843285B270E3949DD58B0B9B1916D2FD58074D2E", lpString2="Windows") returned -1 [0163.451] lstrcmpiW (lpString1="cab1.cab.B59DAAF1823184A9047D193D843285B270E3949DD58B0B9B1916D2FD58074D2E", lpString2="Program Files") returned -1 [0163.452] lstrcmpiW (lpString1="cab1.cab.B59DAAF1823184A9047D193D843285B270E3949DD58B0B9B1916D2FD58074D2E", lpString2="Program Files (x86)") returned -1 [0163.452] lstrcmpiW (lpString1="cab1.cab.B59DAAF1823184A9047D193D843285B270E3949DD58B0B9B1916D2FD58074D2E", lpString2="$Recycle.bin") returned 1 [0163.452] lstrcmpiW (lpString1="cab1.cab.B59DAAF1823184A9047D193D843285B270E3949DD58B0B9B1916D2FD58074D2E", lpString2="System Volume Information") returned -1 [0163.452] lstrcmpiW (lpString1="cab1.cab.B59DAAF1823184A9047D193D843285B270E3949DD58B0B9B1916D2FD58074D2E", lpString2=".") returned 1 [0163.452] lstrcmpiW (lpString1="cab1.cab.B59DAAF1823184A9047D193D843285B270E3949DD58B0B9B1916D2FD58074D2E", lpString2="..") returned 1 [0163.452] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab.B59DAAF1823184A9047D193D843285B270E3949DD58B0B9B1916D2FD58074D2E") returned 194 [0163.452] lstrcmpW (lpString1="cab1.cab.B59DAAF1823184A9047D193D843285B270E3949DD58B0B9B1916D2FD58074D2E", lpString2="PUSSY.TXT") returned -1 [0163.452] PathFindExtensionW (pszPath="cab1.cab.B59DAAF1823184A9047D193D843285B270E3949DD58B0B9B1916D2FD58074D2E") returned=".B59DAAF1823184A9047D193D843285B270E3949DD58B0B9B1916D2FD58074D2E" [0163.452] lstrlenW (lpString=".B59DAAF1823184A9047D193D843285B270E3949DD58B0B9B1916D2FD58074D2E") returned 65 [0163.452] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7eea260, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc7eea260, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7eea260, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.452] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.452] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.452] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.452] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.452] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.452] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.452] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.452] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\PUSSY.TXT") returned 130 [0163.452] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.452] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfeab3900, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xfeab3900, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xc83ace60, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="vc_runtimeAdditional_x86.msi.705B70E5341428944FB480D00DD8D81061F5709CF4D1C5AC2D02F444C6D33D25", cAlternateFileName="VC_RUN~1.705")) returned 1 [0163.452] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi.705B70E5341428944FB480D00DD8D81061F5709CF4D1C5AC2D02F444C6D33D25", lpString2="Windows") returned -1 [0163.452] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi.705B70E5341428944FB480D00DD8D81061F5709CF4D1C5AC2D02F444C6D33D25", lpString2="Program Files") returned 1 [0163.452] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi.705B70E5341428944FB480D00DD8D81061F5709CF4D1C5AC2D02F444C6D33D25", lpString2="Program Files (x86)") returned 1 [0163.452] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi.705B70E5341428944FB480D00DD8D81061F5709CF4D1C5AC2D02F444C6D33D25", lpString2="$Recycle.bin") returned 1 [0163.452] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi.705B70E5341428944FB480D00DD8D81061F5709CF4D1C5AC2D02F444C6D33D25", lpString2="System Volume Information") returned 1 [0163.452] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi.705B70E5341428944FB480D00DD8D81061F5709CF4D1C5AC2D02F444C6D33D25", lpString2=".") returned 1 [0163.453] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi.705B70E5341428944FB480D00DD8D81061F5709CF4D1C5AC2D02F444C6D33D25", lpString2="..") returned 1 [0163.453] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi.705B70E5341428944FB480D00DD8D81061F5709CF4D1C5AC2D02F444C6D33D25") returned 214 [0163.453] lstrcmpW (lpString1="vc_runtimeAdditional_x86.msi.705B70E5341428944FB480D00DD8D81061F5709CF4D1C5AC2D02F444C6D33D25", lpString2="PUSSY.TXT") returned 1 [0163.453] PathFindExtensionW (pszPath="vc_runtimeAdditional_x86.msi.705B70E5341428944FB480D00DD8D81061F5709CF4D1C5AC2D02F444C6D33D25") returned=".705B70E5341428944FB480D00DD8D81061F5709CF4D1C5AC2D02F444C6D33D25" [0163.453] lstrlenW (lpString=".705B70E5341428944FB480D00DD8D81061F5709CF4D1C5AC2D02F444C6D33D25") returned 65 [0163.453] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfeab3900, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xfeab3900, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xc83ace60, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="vc_runtimeAdditional_x86.msi.705B70E5341428944FB480D00DD8D81061F5709CF4D1C5AC2D02F444C6D33D25", cAlternateFileName="VC_RUN~1.705")) returned 0 [0163.453] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0163.453] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\PUSSY.TXT") returned 130 [0163.453] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.453] GetProcessHeap () returned 0x4c0000 [0163.453] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0163.453] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xc83ace60, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc83ace60, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0163.453] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0163.453] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\PUSSY.TXT") returned 106 [0163.453] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.453] GetProcessHeap () returned 0x4c0000 [0163.453] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0163.454] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7eea260, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc7eea260, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7eea260, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.454] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.454] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.454] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.454] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.454] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.454] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.454] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.454] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\PUSSY.TXT") returned 97 [0163.454] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.454] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7eea260, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc7eea260, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc7eea260, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.454] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0163.454] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\PUSSY.TXT") returned 97 [0163.454] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.454] GetProcessHeap () returned 0x4c0000 [0163.454] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0163.456] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xc8040ec0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8040ec0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", cAlternateFileName="{8D4F7~1.250")) returned 1 [0163.456] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="Windows") returned -1 [0163.456] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="Program Files") returned -1 [0163.456] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="Program Files (x86)") returned -1 [0163.456] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="$Recycle.bin") returned 1 [0163.456] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="System Volume Information") returned -1 [0163.456] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2=".") returned 1 [0163.456] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="..") returned 1 [0163.456] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017") returned 87 [0163.456] GetProcessHeap () returned 0x4c0000 [0163.456] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0163.458] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017" [0163.458] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*" [0163.458] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xc8040ec0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8040ec0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0163.459] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.459] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.459] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.459] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.459] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.459] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.459] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xc8040ec0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8040ec0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0163.459] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.459] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.459] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.459] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.459] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.459] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.459] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.459] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xc8040ec0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8040ec0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="packages", cAlternateFileName="")) returned 1 [0163.459] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0163.459] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0163.459] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0163.459] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0163.459] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0163.459] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0163.459] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0163.459] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages") returned 96 [0163.460] GetProcessHeap () returned 0x4c0000 [0163.460] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0163.461] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages" [0163.461] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\*" [0163.461] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xc8040ec0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8040ec0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0163.461] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.461] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.461] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.461] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.461] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.461] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.461] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xc8040ec0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8040ec0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0163.461] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.461] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.461] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.461] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.461] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.461] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.461] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.461] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8040ec0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc8040ec0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8040ec0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.462] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.462] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.462] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.462] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.462] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.462] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.462] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.462] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\PUSSY.TXT") returned 106 [0163.462] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.462] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xc83d2fc0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc83d2fc0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0163.462] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Windows") returned -1 [0163.462] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Program Files") returned 1 [0163.462] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Program Files (x86)") returned 1 [0163.462] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="$Recycle.bin") returned 1 [0163.462] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="System Volume Information") returned 1 [0163.462] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2=".") returned 1 [0163.462] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="..") returned 1 [0163.462] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64") returned 119 [0163.462] GetProcessHeap () returned 0x4c0000 [0163.462] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0163.463] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64" [0163.463] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*" [0163.463] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xc83d2fc0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc83d2fc0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0163.463] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.463] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.463] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.463] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.463] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.463] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.463] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xc83d2fc0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc83d2fc0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0163.463] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.463] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.463] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.463] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.463] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.464] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.464] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.464] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3c0e500, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xd3c0e500, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xc83d2fc0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x165257, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="cab1.cab.E1A04C6DE8B3F1355E4CB678C2A7AABEE943138F63C17EA6DE07C5E4DBE2FE16", cAlternateFileName="CAB1CA~1.E1A")) returned 1 [0163.464] lstrcmpiW (lpString1="cab1.cab.E1A04C6DE8B3F1355E4CB678C2A7AABEE943138F63C17EA6DE07C5E4DBE2FE16", lpString2="Windows") returned -1 [0163.464] lstrcmpiW (lpString1="cab1.cab.E1A04C6DE8B3F1355E4CB678C2A7AABEE943138F63C17EA6DE07C5E4DBE2FE16", lpString2="Program Files") returned -1 [0163.464] lstrcmpiW (lpString1="cab1.cab.E1A04C6DE8B3F1355E4CB678C2A7AABEE943138F63C17EA6DE07C5E4DBE2FE16", lpString2="Program Files (x86)") returned -1 [0163.464] lstrcmpiW (lpString1="cab1.cab.E1A04C6DE8B3F1355E4CB678C2A7AABEE943138F63C17EA6DE07C5E4DBE2FE16", lpString2="$Recycle.bin") returned 1 [0163.464] lstrcmpiW (lpString1="cab1.cab.E1A04C6DE8B3F1355E4CB678C2A7AABEE943138F63C17EA6DE07C5E4DBE2FE16", lpString2="System Volume Information") returned -1 [0163.464] lstrcmpiW (lpString1="cab1.cab.E1A04C6DE8B3F1355E4CB678C2A7AABEE943138F63C17EA6DE07C5E4DBE2FE16", lpString2=".") returned 1 [0163.464] lstrcmpiW (lpString1="cab1.cab.E1A04C6DE8B3F1355E4CB678C2A7AABEE943138F63C17EA6DE07C5E4DBE2FE16", lpString2="..") returned 1 [0163.464] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.E1A04C6DE8B3F1355E4CB678C2A7AABEE943138F63C17EA6DE07C5E4DBE2FE16") returned 193 [0163.464] lstrcmpW (lpString1="cab1.cab.E1A04C6DE8B3F1355E4CB678C2A7AABEE943138F63C17EA6DE07C5E4DBE2FE16", lpString2="PUSSY.TXT") returned -1 [0163.464] PathFindExtensionW (pszPath="cab1.cab.E1A04C6DE8B3F1355E4CB678C2A7AABEE943138F63C17EA6DE07C5E4DBE2FE16") returned=".E1A04C6DE8B3F1355E4CB678C2A7AABEE943138F63C17EA6DE07C5E4DBE2FE16" [0163.464] lstrlenW (lpString=".E1A04C6DE8B3F1355E4CB678C2A7AABEE943138F63C17EA6DE07C5E4DBE2FE16") returned 65 [0163.464] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc801ad60, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc801ad60, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8040ec0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.464] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.464] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.464] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.464] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.464] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.464] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.464] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.464] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\PUSSY.TXT") returned 129 [0163.464] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.464] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd7a0c00, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xfd7a0c00, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xc83ace60, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x24000, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="vc_runtimeMinimum_x64.msi.B0C847315011CBFB47CA754F5EC4BB7B3CB7D8572DA5612C5520EEDFA154715F", cAlternateFileName="VC_RUN~1.B0C")) returned 1 [0163.465] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi.B0C847315011CBFB47CA754F5EC4BB7B3CB7D8572DA5612C5520EEDFA154715F", lpString2="Windows") returned -1 [0163.465] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi.B0C847315011CBFB47CA754F5EC4BB7B3CB7D8572DA5612C5520EEDFA154715F", lpString2="Program Files") returned 1 [0163.465] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi.B0C847315011CBFB47CA754F5EC4BB7B3CB7D8572DA5612C5520EEDFA154715F", lpString2="Program Files (x86)") returned 1 [0163.465] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi.B0C847315011CBFB47CA754F5EC4BB7B3CB7D8572DA5612C5520EEDFA154715F", lpString2="$Recycle.bin") returned 1 [0163.465] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi.B0C847315011CBFB47CA754F5EC4BB7B3CB7D8572DA5612C5520EEDFA154715F", lpString2="System Volume Information") returned 1 [0163.465] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi.B0C847315011CBFB47CA754F5EC4BB7B3CB7D8572DA5612C5520EEDFA154715F", lpString2=".") returned 1 [0163.465] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi.B0C847315011CBFB47CA754F5EC4BB7B3CB7D8572DA5612C5520EEDFA154715F", lpString2="..") returned 1 [0163.465] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi.B0C847315011CBFB47CA754F5EC4BB7B3CB7D8572DA5612C5520EEDFA154715F") returned 210 [0163.465] lstrcmpW (lpString1="vc_runtimeMinimum_x64.msi.B0C847315011CBFB47CA754F5EC4BB7B3CB7D8572DA5612C5520EEDFA154715F", lpString2="PUSSY.TXT") returned 1 [0163.465] PathFindExtensionW (pszPath="vc_runtimeMinimum_x64.msi.B0C847315011CBFB47CA754F5EC4BB7B3CB7D8572DA5612C5520EEDFA154715F") returned=".B0C847315011CBFB47CA754F5EC4BB7B3CB7D8572DA5612C5520EEDFA154715F" [0163.465] lstrlenW (lpString=".B0C847315011CBFB47CA754F5EC4BB7B3CB7D8572DA5612C5520EEDFA154715F") returned 65 [0163.465] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd7a0c00, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xfd7a0c00, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xc83ace60, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x24000, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="vc_runtimeMinimum_x64.msi.B0C847315011CBFB47CA754F5EC4BB7B3CB7D8572DA5612C5520EEDFA154715F", cAlternateFileName="VC_RUN~1.B0C")) returned 0 [0163.465] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0163.465] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\PUSSY.TXT") returned 129 [0163.465] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.465] GetProcessHeap () returned 0x4c0000 [0163.465] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0163.465] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xc83d2fc0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc83d2fc0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0163.465] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0163.466] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\PUSSY.TXT") returned 106 [0163.466] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.466] GetProcessHeap () returned 0x4c0000 [0163.466] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0163.466] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8040ec0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc8040ec0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8040ec0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.466] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.466] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.466] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.466] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.466] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.466] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.466] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.466] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\PUSSY.TXT") returned 97 [0163.466] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.466] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8040ec0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc8040ec0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8040ec0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.466] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0163.466] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\PUSSY.TXT") returned 97 [0163.466] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.466] GetProcessHeap () returned 0x4c0000 [0163.466] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0163.468] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc8209f40, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8209f40, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", cAlternateFileName="{929FB~1.210")) returned 1 [0163.468] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="Windows") returned -1 [0163.468] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="Program Files") returned -1 [0163.468] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="Program Files (x86)") returned -1 [0163.468] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="$Recycle.bin") returned 1 [0163.468] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="System Volume Information") returned -1 [0163.468] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2=".") returned 1 [0163.468] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="..") returned 1 [0163.468] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005") returned 86 [0163.468] GetProcessHeap () returned 0x4c0000 [0163.468] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0163.469] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005" [0163.469] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*" [0163.469] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc8209f40, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8209f40, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0163.470] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.470] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.470] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.470] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.470] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.470] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.471] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc8209f40, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8209f40, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0163.471] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.471] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.471] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.471] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.471] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.471] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.471] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.471] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc81e3de0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc81e3de0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="packages", cAlternateFileName="")) returned 1 [0163.471] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0163.471] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0163.471] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0163.471] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0163.471] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0163.471] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0163.471] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0163.471] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages") returned 95 [0163.471] GetProcessHeap () returned 0x4c0000 [0163.471] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0163.472] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages" [0163.472] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*" [0163.472] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc81e3de0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc81e3de0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0163.473] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.473] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.473] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.473] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.473] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.473] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.473] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc81e3de0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc81e3de0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0163.473] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.473] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.473] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.473] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.473] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.473] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.473] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.473] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc81e3de0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc81e3de0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8209f40, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.473] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.473] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.473] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.473] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.473] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.473] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.474] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.474] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\PUSSY.TXT") returned 105 [0163.474] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.474] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc86f2ca0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc86f2ca0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0163.474] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Windows") returned -1 [0163.474] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Program Files") returned 1 [0163.474] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Program Files (x86)") returned 1 [0163.474] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="$Recycle.bin") returned 1 [0163.474] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="System Volume Information") returned 1 [0163.474] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2=".") returned 1 [0163.474] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="..") returned 1 [0163.474] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64") returned 121 [0163.474] GetProcessHeap () returned 0x4c0000 [0163.474] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0163.474] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64" [0163.475] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*" [0163.475] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc86f2ca0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc86f2ca0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0163.475] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.475] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.475] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.475] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.475] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.475] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.475] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc86f2ca0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc86f2ca0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0163.475] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.475] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.475] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.475] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.475] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.475] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.475] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.475] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c9b1b00, ftCreationTime.dwHighDateTime=0x1cf3dd2, ftLastAccessTime.dwLowDateTime=0x7c9b1b00, ftLastAccessTime.dwHighDateTime=0x1cf3dd2, ftLastWriteTime.dwLowDateTime=0xc83d2fc0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x554520, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="cab1.cab.4C9858CB7B01A65CB90A674B961FB4D8543970DEFF0B184716136B6A796F9D4D", cAlternateFileName="CAB1CA~1.4C9")) returned 1 [0163.475] lstrcmpiW (lpString1="cab1.cab.4C9858CB7B01A65CB90A674B961FB4D8543970DEFF0B184716136B6A796F9D4D", lpString2="Windows") returned -1 [0163.475] lstrcmpiW (lpString1="cab1.cab.4C9858CB7B01A65CB90A674B961FB4D8543970DEFF0B184716136B6A796F9D4D", lpString2="Program Files") returned -1 [0163.475] lstrcmpiW (lpString1="cab1.cab.4C9858CB7B01A65CB90A674B961FB4D8543970DEFF0B184716136B6A796F9D4D", lpString2="Program Files (x86)") returned -1 [0163.475] lstrcmpiW (lpString1="cab1.cab.4C9858CB7B01A65CB90A674B961FB4D8543970DEFF0B184716136B6A796F9D4D", lpString2="$Recycle.bin") returned 1 [0163.476] lstrcmpiW (lpString1="cab1.cab.4C9858CB7B01A65CB90A674B961FB4D8543970DEFF0B184716136B6A796F9D4D", lpString2="System Volume Information") returned -1 [0163.476] lstrcmpiW (lpString1="cab1.cab.4C9858CB7B01A65CB90A674B961FB4D8543970DEFF0B184716136B6A796F9D4D", lpString2=".") returned 1 [0163.476] lstrcmpiW (lpString1="cab1.cab.4C9858CB7B01A65CB90A674B961FB4D8543970DEFF0B184716136B6A796F9D4D", lpString2="..") returned 1 [0163.476] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.4C9858CB7B01A65CB90A674B961FB4D8543970DEFF0B184716136B6A796F9D4D") returned 195 [0163.476] lstrcmpW (lpString1="cab1.cab.4C9858CB7B01A65CB90A674B961FB4D8543970DEFF0B184716136B6A796F9D4D", lpString2="PUSSY.TXT") returned -1 [0163.476] PathFindExtensionW (pszPath="cab1.cab.4C9858CB7B01A65CB90A674B961FB4D8543970DEFF0B184716136B6A796F9D4D") returned=".4C9858CB7B01A65CB90A674B961FB4D8543970DEFF0B184716136B6A796F9D4D" [0163.476] lstrlenW (lpString=".4C9858CB7B01A65CB90A674B961FB4D8543970DEFF0B184716136B6A796F9D4D") returned 65 [0163.476] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc81e3de0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc81e3de0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc81e3de0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.476] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.476] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.476] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.476] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.476] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.476] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.476] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.476] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\PUSSY.TXT") returned 131 [0163.476] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.476] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7a38c100, ftCreationTime.dwHighDateTime=0x1cf3dd2, ftLastAccessTime.dwLowDateTime=0x7a38c100, ftLastAccessTime.dwHighDateTime=0x1cf3dd2, ftLastWriteTime.dwLowDateTime=0xc8680880, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="vc_runtimeAdditional_x64.msi.2218F531B535A42FE16E5FFBB881FCF7FA33DFACC8FC5CDB5398F2FFA1E97E24", cAlternateFileName="VC_RUN~1.221")) returned 1 [0163.476] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi.2218F531B535A42FE16E5FFBB881FCF7FA33DFACC8FC5CDB5398F2FFA1E97E24", lpString2="Windows") returned -1 [0163.476] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi.2218F531B535A42FE16E5FFBB881FCF7FA33DFACC8FC5CDB5398F2FFA1E97E24", lpString2="Program Files") returned 1 [0163.476] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi.2218F531B535A42FE16E5FFBB881FCF7FA33DFACC8FC5CDB5398F2FFA1E97E24", lpString2="Program Files (x86)") returned 1 [0163.476] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi.2218F531B535A42FE16E5FFBB881FCF7FA33DFACC8FC5CDB5398F2FFA1E97E24", lpString2="$Recycle.bin") returned 1 [0163.476] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi.2218F531B535A42FE16E5FFBB881FCF7FA33DFACC8FC5CDB5398F2FFA1E97E24", lpString2="System Volume Information") returned 1 [0163.476] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi.2218F531B535A42FE16E5FFBB881FCF7FA33DFACC8FC5CDB5398F2FFA1E97E24", lpString2=".") returned 1 [0163.476] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi.2218F531B535A42FE16E5FFBB881FCF7FA33DFACC8FC5CDB5398F2FFA1E97E24", lpString2="..") returned 1 [0163.476] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi.2218F531B535A42FE16E5FFBB881FCF7FA33DFACC8FC5CDB5398F2FFA1E97E24") returned 215 [0163.477] lstrcmpW (lpString1="vc_runtimeAdditional_x64.msi.2218F531B535A42FE16E5FFBB881FCF7FA33DFACC8FC5CDB5398F2FFA1E97E24", lpString2="PUSSY.TXT") returned 1 [0163.477] PathFindExtensionW (pszPath="vc_runtimeAdditional_x64.msi.2218F531B535A42FE16E5FFBB881FCF7FA33DFACC8FC5CDB5398F2FFA1E97E24") returned=".2218F531B535A42FE16E5FFBB881FCF7FA33DFACC8FC5CDB5398F2FFA1E97E24" [0163.477] lstrlenW (lpString=".2218F531B535A42FE16E5FFBB881FCF7FA33DFACC8FC5CDB5398F2FFA1E97E24") returned 65 [0163.477] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7a38c100, ftCreationTime.dwHighDateTime=0x1cf3dd2, ftLastAccessTime.dwLowDateTime=0x7a38c100, ftLastAccessTime.dwHighDateTime=0x1cf3dd2, ftLastWriteTime.dwLowDateTime=0xc8680880, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="vc_runtimeAdditional_x64.msi.2218F531B535A42FE16E5FFBB881FCF7FA33DFACC8FC5CDB5398F2FFA1E97E24", cAlternateFileName="VC_RUN~1.221")) returned 0 [0163.477] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0163.477] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\PUSSY.TXT") returned 131 [0163.477] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.477] GetProcessHeap () returned 0x4c0000 [0163.477] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0163.477] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc86f2ca0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc86f2ca0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0163.477] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0163.477] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\PUSSY.TXT") returned 105 [0163.477] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.477] GetProcessHeap () returned 0x4c0000 [0163.477] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0163.477] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8209f40, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc8209f40, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8209f40, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.478] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.478] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.478] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.478] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.478] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.478] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.478] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.478] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\PUSSY.TXT") returned 96 [0163.478] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.478] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8209f40, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc8209f40, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8209f40, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.478] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0163.478] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\PUSSY.TXT") returned 96 [0163.478] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.478] GetProcessHeap () returned 0x4c0000 [0163.478] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0163.480] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a199880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc84916a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc84916a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", cAlternateFileName="{A749D~1.210")) returned 1 [0163.480] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="Windows") returned -1 [0163.480] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="Program Files") returned -1 [0163.480] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="Program Files (x86)") returned -1 [0163.480] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="$Recycle.bin") returned 1 [0163.480] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="System Volume Information") returned -1 [0163.480] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2=".") returned 1 [0163.480] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="..") returned 1 [0163.480] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005") returned 86 [0163.480] GetProcessHeap () returned 0x4c0000 [0163.480] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0163.481] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005" [0163.481] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*" [0163.481] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a199880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc84916a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc84916a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0163.481] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.481] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.481] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.481] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.482] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.482] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.482] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a199880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc84916a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc84916a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0163.482] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.482] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.482] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.482] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.482] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.482] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.482] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.482] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc84916a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc84916a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="packages", cAlternateFileName="")) returned 1 [0163.482] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0163.482] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0163.482] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0163.482] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0163.482] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0163.482] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0163.482] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0163.482] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages") returned 95 [0163.482] GetProcessHeap () returned 0x4c0000 [0163.482] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0163.483] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages" [0163.483] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*" [0163.483] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc84916a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc84916a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0163.484] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.484] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.484] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.484] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.484] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.484] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.484] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc84916a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc84916a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0163.484] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.484] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.484] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.484] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.484] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.484] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.484] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.484] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc84916a0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc84916a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc84916a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.484] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.484] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.484] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.484] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.484] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.484] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.484] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.484] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\PUSSY.TXT") returned 105 [0163.484] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.484] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc86f2ca0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc86f2ca0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0163.485] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Windows") returned -1 [0163.485] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Program Files") returned 1 [0163.485] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Program Files (x86)") returned 1 [0163.485] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="$Recycle.bin") returned 1 [0163.485] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="System Volume Information") returned 1 [0163.485] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2=".") returned 1 [0163.485] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="..") returned 1 [0163.485] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64") returned 118 [0163.485] GetProcessHeap () returned 0x4c0000 [0163.485] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0163.485] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64" [0163.485] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*" [0163.485] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc86f2ca0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc86f2ca0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0163.488] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.488] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.488] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.488] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.488] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.488] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.488] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc86f2ca0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc86f2ca0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0163.488] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.488] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.488] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.488] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.488] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.488] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.488] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.488] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b69ee00, ftCreationTime.dwHighDateTime=0x1cf3dd2, ftLastAccessTime.dwLowDateTime=0x7b69ee00, ftLastAccessTime.dwHighDateTime=0x1cf3dd2, ftLastWriteTime.dwLowDateTime=0xc83f9120, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0xfc90a, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="cab1.cab.3D629413C6FEF4F8741172D5CD860DC081A87F6FEB73780837BD99CACCCF0148", cAlternateFileName="CAB1CA~1.3D6")) returned 1 [0163.489] lstrcmpiW (lpString1="cab1.cab.3D629413C6FEF4F8741172D5CD860DC081A87F6FEB73780837BD99CACCCF0148", lpString2="Windows") returned -1 [0163.489] lstrcmpiW (lpString1="cab1.cab.3D629413C6FEF4F8741172D5CD860DC081A87F6FEB73780837BD99CACCCF0148", lpString2="Program Files") returned -1 [0163.489] lstrcmpiW (lpString1="cab1.cab.3D629413C6FEF4F8741172D5CD860DC081A87F6FEB73780837BD99CACCCF0148", lpString2="Program Files (x86)") returned -1 [0163.489] lstrcmpiW (lpString1="cab1.cab.3D629413C6FEF4F8741172D5CD860DC081A87F6FEB73780837BD99CACCCF0148", lpString2="$Recycle.bin") returned 1 [0163.489] lstrcmpiW (lpString1="cab1.cab.3D629413C6FEF4F8741172D5CD860DC081A87F6FEB73780837BD99CACCCF0148", lpString2="System Volume Information") returned -1 [0163.489] lstrcmpiW (lpString1="cab1.cab.3D629413C6FEF4F8741172D5CD860DC081A87F6FEB73780837BD99CACCCF0148", lpString2=".") returned 1 [0163.489] lstrcmpiW (lpString1="cab1.cab.3D629413C6FEF4F8741172D5CD860DC081A87F6FEB73780837BD99CACCCF0148", lpString2="..") returned 1 [0163.489] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.3D629413C6FEF4F8741172D5CD860DC081A87F6FEB73780837BD99CACCCF0148") returned 192 [0163.489] lstrcmpW (lpString1="cab1.cab.3D629413C6FEF4F8741172D5CD860DC081A87F6FEB73780837BD99CACCCF0148", lpString2="PUSSY.TXT") returned -1 [0163.489] PathFindExtensionW (pszPath="cab1.cab.3D629413C6FEF4F8741172D5CD860DC081A87F6FEB73780837BD99CACCCF0148") returned=".3D629413C6FEF4F8741172D5CD860DC081A87F6FEB73780837BD99CACCCF0148" [0163.489] lstrlenW (lpString=".3D629413C6FEF4F8741172D5CD860DC081A87F6FEB73780837BD99CACCCF0148") returned 65 [0163.489] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc846b540, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc846b540, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc846b540, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.489] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.489] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.489] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.489] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.489] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.489] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.489] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.489] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\PUSSY.TXT") returned 128 [0163.489] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.489] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7a38c100, ftCreationTime.dwHighDateTime=0x1cf3dd2, ftLastAccessTime.dwLowDateTime=0x7a38c100, ftLastAccessTime.dwHighDateTime=0x1cf3dd2, ftLastWriteTime.dwLowDateTime=0xc8575ee0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="vc_runtimeMinimum_x64.msi.37AA7B2CB6CB762C5489A6E19C863866789067A087A34463C9370D73F56F6A60", cAlternateFileName="VC_RUN~1.37A")) returned 1 [0163.489] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi.37AA7B2CB6CB762C5489A6E19C863866789067A087A34463C9370D73F56F6A60", lpString2="Windows") returned -1 [0163.489] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi.37AA7B2CB6CB762C5489A6E19C863866789067A087A34463C9370D73F56F6A60", lpString2="Program Files") returned 1 [0163.489] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi.37AA7B2CB6CB762C5489A6E19C863866789067A087A34463C9370D73F56F6A60", lpString2="Program Files (x86)") returned 1 [0163.489] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi.37AA7B2CB6CB762C5489A6E19C863866789067A087A34463C9370D73F56F6A60", lpString2="$Recycle.bin") returned 1 [0163.489] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi.37AA7B2CB6CB762C5489A6E19C863866789067A087A34463C9370D73F56F6A60", lpString2="System Volume Information") returned 1 [0163.489] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi.37AA7B2CB6CB762C5489A6E19C863866789067A087A34463C9370D73F56F6A60", lpString2=".") returned 1 [0163.490] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi.37AA7B2CB6CB762C5489A6E19C863866789067A087A34463C9370D73F56F6A60", lpString2="..") returned 1 [0163.490] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi.37AA7B2CB6CB762C5489A6E19C863866789067A087A34463C9370D73F56F6A60") returned 209 [0163.490] lstrcmpW (lpString1="vc_runtimeMinimum_x64.msi.37AA7B2CB6CB762C5489A6E19C863866789067A087A34463C9370D73F56F6A60", lpString2="PUSSY.TXT") returned 1 [0163.490] PathFindExtensionW (pszPath="vc_runtimeMinimum_x64.msi.37AA7B2CB6CB762C5489A6E19C863866789067A087A34463C9370D73F56F6A60") returned=".37AA7B2CB6CB762C5489A6E19C863866789067A087A34463C9370D73F56F6A60" [0163.490] lstrlenW (lpString=".37AA7B2CB6CB762C5489A6E19C863866789067A087A34463C9370D73F56F6A60") returned 65 [0163.490] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7a38c100, ftCreationTime.dwHighDateTime=0x1cf3dd2, ftLastAccessTime.dwLowDateTime=0x7a38c100, ftLastAccessTime.dwHighDateTime=0x1cf3dd2, ftLastWriteTime.dwLowDateTime=0xc8575ee0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="vc_runtimeMinimum_x64.msi.37AA7B2CB6CB762C5489A6E19C863866789067A087A34463C9370D73F56F6A60", cAlternateFileName="VC_RUN~1.37A")) returned 0 [0163.490] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0163.490] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\PUSSY.TXT") returned 128 [0163.490] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.490] GetProcessHeap () returned 0x4c0000 [0163.490] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0163.490] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc86f2ca0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc86f2ca0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0163.490] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0163.490] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\PUSSY.TXT") returned 105 [0163.490] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.490] GetProcessHeap () returned 0x4c0000 [0163.490] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0163.491] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc84916a0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc84916a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc84916a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.491] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.491] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.491] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.491] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.491] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.491] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.491] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.491] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\PUSSY.TXT") returned 96 [0163.491] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.491] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc84916a0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc84916a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc84916a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.491] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0163.491] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\PUSSY.TXT") returned 96 [0163.491] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.491] GetProcessHeap () returned 0x4c0000 [0163.491] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0163.493] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc854fd80, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc854fd80, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", cAlternateFileName="{B1755~1.610")) returned 1 [0163.493] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="Windows") returned -1 [0163.493] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="Program Files") returned -1 [0163.493] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="Program Files (x86)") returned -1 [0163.493] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="$Recycle.bin") returned 1 [0163.493] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="System Volume Information") returned -1 [0163.493] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2=".") returned 1 [0163.493] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="..") returned 1 [0163.493] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030") returned 86 [0163.493] GetProcessHeap () returned 0x4c0000 [0163.493] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0163.494] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030" [0163.494] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*" [0163.494] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc854fd80, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc854fd80, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0163.494] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.494] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.495] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.495] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.495] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.495] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.495] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc854fd80, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc854fd80, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0163.495] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.495] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.495] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.495] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.495] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.495] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.495] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.495] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc854fd80, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc854fd80, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="packages", cAlternateFileName="")) returned 1 [0163.495] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0163.495] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0163.495] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0163.495] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0163.495] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0163.495] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0163.495] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0163.495] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages") returned 95 [0163.495] GetProcessHeap () returned 0x4c0000 [0163.495] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0163.496] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages" [0163.496] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*" [0163.496] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc854fd80, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc854fd80, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0163.497] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.497] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.497] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.497] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.497] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.497] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.497] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc854fd80, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc854fd80, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0163.497] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.497] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.497] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.497] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.497] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.497] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.497] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.497] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc854fd80, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc854fd80, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc854fd80, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.497] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.497] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.497] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.497] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.497] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.498] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.498] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.498] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\PUSSY.TXT") returned 105 [0163.498] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.498] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc8a5ec40, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8a5ec40, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0163.498] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Windows") returned -1 [0163.498] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Program Files") returned 1 [0163.498] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Program Files (x86)") returned 1 [0163.498] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="$Recycle.bin") returned 1 [0163.498] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="System Volume Information") returned 1 [0163.498] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2=".") returned 1 [0163.498] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="..") returned 1 [0163.498] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86") returned 119 [0163.498] GetProcessHeap () returned 0x4c0000 [0163.498] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0163.498] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86" [0163.499] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*" [0163.499] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc8a5ec40, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8a5ec40, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0163.499] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.499] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.499] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.499] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.499] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.499] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.499] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc8a5ec40, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8a5ec40, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0163.499] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.499] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.499] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.499] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.499] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.499] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.499] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.499] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8aae6600, ftCreationTime.dwHighDateTime=0x1ced4d9, ftLastAccessTime.dwLowDateTime=0x8aae6600, ftLastAccessTime.dwHighDateTime=0x1ced4d9, ftLastWriteTime.dwLowDateTime=0xc8a38ae0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4ea418, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="cab1.cab.EE171E528FC871145D4C1B3D85953D2864F45E854C7C0E63F4818CA20F631F7A", cAlternateFileName="CAB1CA~1.EE1")) returned 1 [0163.499] lstrcmpiW (lpString1="cab1.cab.EE171E528FC871145D4C1B3D85953D2864F45E854C7C0E63F4818CA20F631F7A", lpString2="Windows") returned -1 [0163.499] lstrcmpiW (lpString1="cab1.cab.EE171E528FC871145D4C1B3D85953D2864F45E854C7C0E63F4818CA20F631F7A", lpString2="Program Files") returned -1 [0163.499] lstrcmpiW (lpString1="cab1.cab.EE171E528FC871145D4C1B3D85953D2864F45E854C7C0E63F4818CA20F631F7A", lpString2="Program Files (x86)") returned -1 [0163.499] lstrcmpiW (lpString1="cab1.cab.EE171E528FC871145D4C1B3D85953D2864F45E854C7C0E63F4818CA20F631F7A", lpString2="$Recycle.bin") returned 1 [0163.499] lstrcmpiW (lpString1="cab1.cab.EE171E528FC871145D4C1B3D85953D2864F45E854C7C0E63F4818CA20F631F7A", lpString2="System Volume Information") returned -1 [0163.499] lstrcmpiW (lpString1="cab1.cab.EE171E528FC871145D4C1B3D85953D2864F45E854C7C0E63F4818CA20F631F7A", lpString2=".") returned 1 [0163.500] lstrcmpiW (lpString1="cab1.cab.EE171E528FC871145D4C1B3D85953D2864F45E854C7C0E63F4818CA20F631F7A", lpString2="..") returned 1 [0163.500] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab.EE171E528FC871145D4C1B3D85953D2864F45E854C7C0E63F4818CA20F631F7A") returned 193 [0163.500] lstrcmpW (lpString1="cab1.cab.EE171E528FC871145D4C1B3D85953D2864F45E854C7C0E63F4818CA20F631F7A", lpString2="PUSSY.TXT") returned -1 [0163.500] PathFindExtensionW (pszPath="cab1.cab.EE171E528FC871145D4C1B3D85953D2864F45E854C7C0E63F4818CA20F631F7A") returned=".EE171E528FC871145D4C1B3D85953D2864F45E854C7C0E63F4818CA20F631F7A" [0163.500] lstrlenW (lpString=".EE171E528FC871145D4C1B3D85953D2864F45E854C7C0E63F4818CA20F631F7A") returned 65 [0163.500] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc854fd80, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc854fd80, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc854fd80, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.500] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.500] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.500] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.500] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.500] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.500] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.500] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.500] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\PUSSY.TXT") returned 129 [0163.500] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.500] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x48395900, ftCreationTime.dwHighDateTime=0x1ced4da, ftLastAccessTime.dwLowDateTime=0x48395900, ftLastAccessTime.dwHighDateTime=0x1ced4da, ftLastWriteTime.dwLowDateTime=0xc89ec820, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="vc_runtimeAdditional_x86.msi.89433CE538C20F46AA7929B1D25C6E373C48B622AF80BF50B2F1CCC4FB616E0F", cAlternateFileName="VC_RUN~1.894")) returned 1 [0163.500] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi.89433CE538C20F46AA7929B1D25C6E373C48B622AF80BF50B2F1CCC4FB616E0F", lpString2="Windows") returned -1 [0163.500] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi.89433CE538C20F46AA7929B1D25C6E373C48B622AF80BF50B2F1CCC4FB616E0F", lpString2="Program Files") returned 1 [0163.500] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi.89433CE538C20F46AA7929B1D25C6E373C48B622AF80BF50B2F1CCC4FB616E0F", lpString2="Program Files (x86)") returned 1 [0163.500] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi.89433CE538C20F46AA7929B1D25C6E373C48B622AF80BF50B2F1CCC4FB616E0F", lpString2="$Recycle.bin") returned 1 [0163.500] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi.89433CE538C20F46AA7929B1D25C6E373C48B622AF80BF50B2F1CCC4FB616E0F", lpString2="System Volume Information") returned 1 [0163.500] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi.89433CE538C20F46AA7929B1D25C6E373C48B622AF80BF50B2F1CCC4FB616E0F", lpString2=".") returned 1 [0163.500] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi.89433CE538C20F46AA7929B1D25C6E373C48B622AF80BF50B2F1CCC4FB616E0F", lpString2="..") returned 1 [0163.500] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi.89433CE538C20F46AA7929B1D25C6E373C48B622AF80BF50B2F1CCC4FB616E0F") returned 213 [0163.500] lstrcmpW (lpString1="vc_runtimeAdditional_x86.msi.89433CE538C20F46AA7929B1D25C6E373C48B622AF80BF50B2F1CCC4FB616E0F", lpString2="PUSSY.TXT") returned 1 [0163.500] PathFindExtensionW (pszPath="vc_runtimeAdditional_x86.msi.89433CE538C20F46AA7929B1D25C6E373C48B622AF80BF50B2F1CCC4FB616E0F") returned=".89433CE538C20F46AA7929B1D25C6E373C48B622AF80BF50B2F1CCC4FB616E0F" [0163.500] lstrlenW (lpString=".89433CE538C20F46AA7929B1D25C6E373C48B622AF80BF50B2F1CCC4FB616E0F") returned 65 [0163.501] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x48395900, ftCreationTime.dwHighDateTime=0x1ced4da, ftLastAccessTime.dwLowDateTime=0x48395900, ftLastAccessTime.dwHighDateTime=0x1ced4da, ftLastWriteTime.dwLowDateTime=0xc89ec820, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="vc_runtimeAdditional_x86.msi.89433CE538C20F46AA7929B1D25C6E373C48B622AF80BF50B2F1CCC4FB616E0F", cAlternateFileName="VC_RUN~1.894")) returned 0 [0163.501] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0163.501] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\PUSSY.TXT") returned 129 [0163.501] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.501] GetProcessHeap () returned 0x4c0000 [0163.501] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0163.501] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc8a5ec40, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8a5ec40, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0163.501] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0163.501] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\PUSSY.TXT") returned 105 [0163.501] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.501] GetProcessHeap () returned 0x4c0000 [0163.501] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0163.501] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc854fd80, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc854fd80, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc854fd80, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.501] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.501] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.501] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.501] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.502] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.502] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.502] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.502] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\PUSSY.TXT") returned 96 [0163.502] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.502] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc854fd80, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc854fd80, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc854fd80, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.502] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0163.502] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\PUSSY.TXT") returned 96 [0163.502] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.502] GetProcessHeap () returned 0x4c0000 [0163.502] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0163.504] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecd7d760, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc87b1380, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc87b1380, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", cAlternateFileName="{BD95A~1.610")) returned 1 [0163.504] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="Windows") returned -1 [0163.504] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="Program Files") returned -1 [0163.504] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="Program Files (x86)") returned -1 [0163.504] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="$Recycle.bin") returned 1 [0163.504] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="System Volume Information") returned -1 [0163.504] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2=".") returned 1 [0163.504] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="..") returned 1 [0163.504] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030") returned 86 [0163.504] GetProcessHeap () returned 0x4c0000 [0163.504] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0163.505] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030" [0163.505] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*" [0163.505] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecd7d760, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc87b1380, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc87b1380, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0163.505] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.505] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.505] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.505] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.505] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.505] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.505] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecd7d760, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc87b1380, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc87b1380, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0163.505] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.505] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.505] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.505] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.505] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.505] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.505] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.505] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc87b1380, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc87b1380, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="packages", cAlternateFileName="")) returned 1 [0163.506] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0163.506] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0163.506] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0163.506] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0163.506] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0163.506] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0163.506] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0163.506] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages") returned 95 [0163.506] GetProcessHeap () returned 0x4c0000 [0163.506] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0163.507] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages" [0163.507] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*" [0163.507] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc87b1380, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc87b1380, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0163.507] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.507] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.507] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.507] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.507] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.507] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.507] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc87b1380, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc87b1380, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0163.507] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.507] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.507] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.508] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.508] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.508] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.508] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.508] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc87b1380, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc87b1380, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc87b1380, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.508] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.508] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.508] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.508] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.508] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.508] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.508] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.508] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\PUSSY.TXT") returned 105 [0163.508] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.508] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc8ad1060, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8ad1060, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0163.508] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Windows") returned -1 [0163.508] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Program Files") returned 1 [0163.508] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Program Files (x86)") returned 1 [0163.508] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="$Recycle.bin") returned 1 [0163.508] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="System Volume Information") returned 1 [0163.508] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2=".") returned 1 [0163.508] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="..") returned 1 [0163.508] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86") returned 116 [0163.508] GetProcessHeap () returned 0x4c0000 [0163.508] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0163.509] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86" [0163.509] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*" [0163.509] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc8ad1060, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8ad1060, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0163.509] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.509] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.509] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.509] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.509] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.509] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.509] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc8ad1060, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8ad1060, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0163.509] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.509] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.510] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.510] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.510] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.510] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.510] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.510] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x884c0c00, ftCreationTime.dwHighDateTime=0x1ced4d9, ftLastAccessTime.dwLowDateTime=0x884c0c00, ftLastAccessTime.dwHighDateTime=0x1ced4d9, ftLastWriteTime.dwLowDateTime=0xc8a38ae0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0xc89b1, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="cab1.cab.CEF1BE81943400317CB36F7D1B2EB1E43B34D260BAA9CF8E2DA3EB9F477A5B29", cAlternateFileName="CAB1CA~1.CEF")) returned 1 [0163.510] lstrcmpiW (lpString1="cab1.cab.CEF1BE81943400317CB36F7D1B2EB1E43B34D260BAA9CF8E2DA3EB9F477A5B29", lpString2="Windows") returned -1 [0163.510] lstrcmpiW (lpString1="cab1.cab.CEF1BE81943400317CB36F7D1B2EB1E43B34D260BAA9CF8E2DA3EB9F477A5B29", lpString2="Program Files") returned -1 [0163.510] lstrcmpiW (lpString1="cab1.cab.CEF1BE81943400317CB36F7D1B2EB1E43B34D260BAA9CF8E2DA3EB9F477A5B29", lpString2="Program Files (x86)") returned -1 [0163.510] lstrcmpiW (lpString1="cab1.cab.CEF1BE81943400317CB36F7D1B2EB1E43B34D260BAA9CF8E2DA3EB9F477A5B29", lpString2="$Recycle.bin") returned 1 [0163.510] lstrcmpiW (lpString1="cab1.cab.CEF1BE81943400317CB36F7D1B2EB1E43B34D260BAA9CF8E2DA3EB9F477A5B29", lpString2="System Volume Information") returned -1 [0163.510] lstrcmpiW (lpString1="cab1.cab.CEF1BE81943400317CB36F7D1B2EB1E43B34D260BAA9CF8E2DA3EB9F477A5B29", lpString2=".") returned 1 [0163.510] lstrcmpiW (lpString1="cab1.cab.CEF1BE81943400317CB36F7D1B2EB1E43B34D260BAA9CF8E2DA3EB9F477A5B29", lpString2="..") returned 1 [0163.510] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab.CEF1BE81943400317CB36F7D1B2EB1E43B34D260BAA9CF8E2DA3EB9F477A5B29") returned 190 [0163.510] lstrcmpW (lpString1="cab1.cab.CEF1BE81943400317CB36F7D1B2EB1E43B34D260BAA9CF8E2DA3EB9F477A5B29", lpString2="PUSSY.TXT") returned -1 [0163.510] PathFindExtensionW (pszPath="cab1.cab.CEF1BE81943400317CB36F7D1B2EB1E43B34D260BAA9CF8E2DA3EB9F477A5B29") returned=".CEF1BE81943400317CB36F7D1B2EB1E43B34D260BAA9CF8E2DA3EB9F477A5B29" [0163.510] lstrlenW (lpString=".CEF1BE81943400317CB36F7D1B2EB1E43B34D260BAA9CF8E2DA3EB9F477A5B29") returned 65 [0163.510] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc878b220, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc878b220, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc878b220, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.510] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.510] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.510] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.510] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.510] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.510] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.510] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.511] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\PUSSY.TXT") returned 126 [0163.511] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.511] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x48395900, ftCreationTime.dwHighDateTime=0x1ced4da, ftLastAccessTime.dwLowDateTime=0x48395900, ftLastAccessTime.dwHighDateTime=0x1ced4da, ftLastWriteTime.dwLowDateTime=0xc8a38ae0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="vc_runtimeMinimum_x86.msi.F6EE45B2D84E7B031FE76E36FA80FAA3FC1F90209CB9D10E3AE8600512662A52", cAlternateFileName="VC_RUN~1.F6E")) returned 1 [0163.511] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi.F6EE45B2D84E7B031FE76E36FA80FAA3FC1F90209CB9D10E3AE8600512662A52", lpString2="Windows") returned -1 [0163.511] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi.F6EE45B2D84E7B031FE76E36FA80FAA3FC1F90209CB9D10E3AE8600512662A52", lpString2="Program Files") returned 1 [0163.511] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi.F6EE45B2D84E7B031FE76E36FA80FAA3FC1F90209CB9D10E3AE8600512662A52", lpString2="Program Files (x86)") returned 1 [0163.511] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi.F6EE45B2D84E7B031FE76E36FA80FAA3FC1F90209CB9D10E3AE8600512662A52", lpString2="$Recycle.bin") returned 1 [0163.511] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi.F6EE45B2D84E7B031FE76E36FA80FAA3FC1F90209CB9D10E3AE8600512662A52", lpString2="System Volume Information") returned 1 [0163.511] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi.F6EE45B2D84E7B031FE76E36FA80FAA3FC1F90209CB9D10E3AE8600512662A52", lpString2=".") returned 1 [0163.511] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi.F6EE45B2D84E7B031FE76E36FA80FAA3FC1F90209CB9D10E3AE8600512662A52", lpString2="..") returned 1 [0163.511] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi.F6EE45B2D84E7B031FE76E36FA80FAA3FC1F90209CB9D10E3AE8600512662A52") returned 207 [0163.511] lstrcmpW (lpString1="vc_runtimeMinimum_x86.msi.F6EE45B2D84E7B031FE76E36FA80FAA3FC1F90209CB9D10E3AE8600512662A52", lpString2="PUSSY.TXT") returned 1 [0163.511] PathFindExtensionW (pszPath="vc_runtimeMinimum_x86.msi.F6EE45B2D84E7B031FE76E36FA80FAA3FC1F90209CB9D10E3AE8600512662A52") returned=".F6EE45B2D84E7B031FE76E36FA80FAA3FC1F90209CB9D10E3AE8600512662A52" [0163.511] lstrlenW (lpString=".F6EE45B2D84E7B031FE76E36FA80FAA3FC1F90209CB9D10E3AE8600512662A52") returned 65 [0163.511] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x48395900, ftCreationTime.dwHighDateTime=0x1ced4da, ftLastAccessTime.dwLowDateTime=0x48395900, ftLastAccessTime.dwHighDateTime=0x1ced4da, ftLastWriteTime.dwLowDateTime=0xc8a38ae0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="vc_runtimeMinimum_x86.msi.F6EE45B2D84E7B031FE76E36FA80FAA3FC1F90209CB9D10E3AE8600512662A52", cAlternateFileName="VC_RUN~1.F6E")) returned 0 [0163.511] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0163.511] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\PUSSY.TXT") returned 126 [0163.511] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.511] GetProcessHeap () returned 0x4c0000 [0163.511] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0163.511] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc8ad1060, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8ad1060, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0163.511] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0163.512] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\PUSSY.TXT") returned 105 [0163.512] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.512] GetProcessHeap () returned 0x4c0000 [0163.512] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0163.512] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc87b1380, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc87b1380, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc87b1380, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.512] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.512] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.512] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.512] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.512] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.512] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.512] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.512] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\PUSSY.TXT") returned 96 [0163.512] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.512] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc87b1380, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc87b1380, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc87b1380, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.512] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0163.512] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\PUSSY.TXT") returned 96 [0163.512] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.512] GetProcessHeap () returned 0x4c0000 [0163.513] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0163.514] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfaaff840, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc8c27cc0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8c27cc0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", cAlternateFileName="{CA675~1")) returned 1 [0163.514] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="Windows") returned -1 [0163.514] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="Program Files") returned -1 [0163.514] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="Program Files (x86)") returned -1 [0163.514] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="$Recycle.bin") returned 1 [0163.514] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="System Volume Information") returned -1 [0163.514] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2=".") returned 1 [0163.514] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="..") returned 1 [0163.514] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}") returned 75 [0163.514] GetProcessHeap () returned 0x4c0000 [0163.514] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0163.515] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" [0163.515] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*" [0163.515] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfaaff840, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc8c27cc0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8c27cc0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0163.515] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.516] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.516] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.516] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.516] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.516] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.516] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfaaff840, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc8c27cc0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8c27cc0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0163.516] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.516] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.516] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.516] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.516] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.516] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.516] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.516] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc897a400, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc897a400, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8a12980, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.516] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.516] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.516] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.516] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.516] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.516] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.516] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.516] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\PUSSY.TXT") returned 85 [0163.516] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.516] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfaaff840, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfaaff840, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xc8af71c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x28e, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="state.rsm.B6D41D63620B0FC59E1DD3B3CA8586AA65D1639D2264114DB2ABF6CC49A7532C", cAlternateFileName="STATER~1.B6D")) returned 1 [0163.516] lstrcmpiW (lpString1="state.rsm.B6D41D63620B0FC59E1DD3B3CA8586AA65D1639D2264114DB2ABF6CC49A7532C", lpString2="Windows") returned -1 [0163.517] lstrcmpiW (lpString1="state.rsm.B6D41D63620B0FC59E1DD3B3CA8586AA65D1639D2264114DB2ABF6CC49A7532C", lpString2="Program Files") returned 1 [0163.517] lstrcmpiW (lpString1="state.rsm.B6D41D63620B0FC59E1DD3B3CA8586AA65D1639D2264114DB2ABF6CC49A7532C", lpString2="Program Files (x86)") returned 1 [0163.517] lstrcmpiW (lpString1="state.rsm.B6D41D63620B0FC59E1DD3B3CA8586AA65D1639D2264114DB2ABF6CC49A7532C", lpString2="$Recycle.bin") returned 1 [0163.517] lstrcmpiW (lpString1="state.rsm.B6D41D63620B0FC59E1DD3B3CA8586AA65D1639D2264114DB2ABF6CC49A7532C", lpString2="System Volume Information") returned -1 [0163.517] lstrcmpiW (lpString1="state.rsm.B6D41D63620B0FC59E1DD3B3CA8586AA65D1639D2264114DB2ABF6CC49A7532C", lpString2=".") returned 1 [0163.517] lstrcmpiW (lpString1="state.rsm.B6D41D63620B0FC59E1DD3B3CA8586AA65D1639D2264114DB2ABF6CC49A7532C", lpString2="..") returned 1 [0163.517] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm.B6D41D63620B0FC59E1DD3B3CA8586AA65D1639D2264114DB2ABF6CC49A7532C") returned 150 [0163.517] lstrcmpW (lpString1="state.rsm.B6D41D63620B0FC59E1DD3B3CA8586AA65D1639D2264114DB2ABF6CC49A7532C", lpString2="PUSSY.TXT") returned 1 [0163.517] PathFindExtensionW (pszPath="state.rsm.B6D41D63620B0FC59E1DD3B3CA8586AA65D1639D2264114DB2ABF6CC49A7532C") returned=".B6D41D63620B0FC59E1DD3B3CA8586AA65D1639D2264114DB2ABF6CC49A7532C" [0163.517] lstrlenW (lpString=".B6D41D63620B0FC59E1DD3B3CA8586AA65D1639D2264114DB2ABF6CC49A7532C") returned 65 [0163.517] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfaaff840, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfaaff840, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xc8b1d320, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x6f398, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="vcredist_x64.exe.6F9CC363BD6314B4A7CF501A0DC98D9D6AE78EAB8CEBBB6CF1CB6F93495E374C", cAlternateFileName="VCREDI~1.6F9")) returned 1 [0163.517] lstrcmpiW (lpString1="vcredist_x64.exe.6F9CC363BD6314B4A7CF501A0DC98D9D6AE78EAB8CEBBB6CF1CB6F93495E374C", lpString2="Windows") returned -1 [0163.517] lstrcmpiW (lpString1="vcredist_x64.exe.6F9CC363BD6314B4A7CF501A0DC98D9D6AE78EAB8CEBBB6CF1CB6F93495E374C", lpString2="Program Files") returned 1 [0163.517] lstrcmpiW (lpString1="vcredist_x64.exe.6F9CC363BD6314B4A7CF501A0DC98D9D6AE78EAB8CEBBB6CF1CB6F93495E374C", lpString2="Program Files (x86)") returned 1 [0163.517] lstrcmpiW (lpString1="vcredist_x64.exe.6F9CC363BD6314B4A7CF501A0DC98D9D6AE78EAB8CEBBB6CF1CB6F93495E374C", lpString2="$Recycle.bin") returned 1 [0163.517] lstrcmpiW (lpString1="vcredist_x64.exe.6F9CC363BD6314B4A7CF501A0DC98D9D6AE78EAB8CEBBB6CF1CB6F93495E374C", lpString2="System Volume Information") returned 1 [0163.517] lstrcmpiW (lpString1="vcredist_x64.exe.6F9CC363BD6314B4A7CF501A0DC98D9D6AE78EAB8CEBBB6CF1CB6F93495E374C", lpString2=".") returned 1 [0163.517] lstrcmpiW (lpString1="vcredist_x64.exe.6F9CC363BD6314B4A7CF501A0DC98D9D6AE78EAB8CEBBB6CF1CB6F93495E374C", lpString2="..") returned 1 [0163.518] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe.6F9CC363BD6314B4A7CF501A0DC98D9D6AE78EAB8CEBBB6CF1CB6F93495E374C") returned 157 [0163.518] lstrcmpW (lpString1="vcredist_x64.exe.6F9CC363BD6314B4A7CF501A0DC98D9D6AE78EAB8CEBBB6CF1CB6F93495E374C", lpString2="PUSSY.TXT") returned 1 [0163.518] PathFindExtensionW (pszPath="vcredist_x64.exe.6F9CC363BD6314B4A7CF501A0DC98D9D6AE78EAB8CEBBB6CF1CB6F93495E374C") returned=".6F9CC363BD6314B4A7CF501A0DC98D9D6AE78EAB8CEBBB6CF1CB6F93495E374C" [0163.518] lstrlenW (lpString=".6F9CC363BD6314B4A7CF501A0DC98D9D6AE78EAB8CEBBB6CF1CB6F93495E374C") returned 65 [0163.518] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfaaff840, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfaaff840, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xc8b1d320, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x6f398, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="vcredist_x64.exe.6F9CC363BD6314B4A7CF501A0DC98D9D6AE78EAB8CEBBB6CF1CB6F93495E374C", cAlternateFileName="VCREDI~1.6F9")) returned 0 [0163.518] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0163.518] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\PUSSY.TXT") returned 85 [0163.518] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.518] GetProcessHeap () returned 0x4c0000 [0163.518] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0163.518] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfab71c60, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc8c4de20, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8c4de20, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", cAlternateFileName="{CF2BE~1.610")) returned 1 [0163.518] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="Windows") returned -1 [0163.518] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="Program Files") returned -1 [0163.518] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="Program Files (x86)") returned -1 [0163.518] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="$Recycle.bin") returned 1 [0163.518] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="System Volume Information") returned -1 [0163.518] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2=".") returned 1 [0163.518] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="..") returned 1 [0163.518] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030") returned 86 [0163.518] GetProcessHeap () returned 0x4c0000 [0163.518] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0163.519] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030" [0163.519] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*" [0163.519] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfab71c60, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc8c4de20, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8c4de20, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0163.519] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.519] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.519] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.519] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.519] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.519] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.519] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfab71c60, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc8c4de20, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8c4de20, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0163.519] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.519] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.519] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.519] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.519] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.519] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.519] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.519] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc8c27cc0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8c27cc0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="packages", cAlternateFileName="")) returned 1 [0163.519] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0163.520] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0163.520] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0163.520] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0163.520] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0163.520] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0163.520] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0163.520] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages") returned 95 [0163.520] GetProcessHeap () returned 0x4c0000 [0163.520] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0163.521] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages" [0163.521] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*" [0163.521] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc8c27cc0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8c27cc0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0163.521] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.521] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.521] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.521] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.521] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.521] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.521] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc8c27cc0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8c27cc0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0163.521] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.521] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.521] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.521] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.521] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.522] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.522] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.522] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8c27cc0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc8c27cc0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8c4de20, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.522] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.522] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.522] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.522] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.522] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.522] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.522] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.522] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\PUSSY.TXT") returned 105 [0163.522] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.522] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc8e16ea0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8e16ea0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0163.522] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Windows") returned -1 [0163.522] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Program Files") returned 1 [0163.522] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Program Files (x86)") returned 1 [0163.522] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="$Recycle.bin") returned 1 [0163.522] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="System Volume Information") returned 1 [0163.522] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2=".") returned 1 [0163.522] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="..") returned 1 [0163.522] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64") returned 118 [0163.522] GetProcessHeap () returned 0x4c0000 [0163.522] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0163.523] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64" [0163.523] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*" [0163.523] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc8e16ea0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8e16ea0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0163.523] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.523] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.523] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.523] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.523] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.523] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.523] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc8e16ea0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8e16ea0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0163.523] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.523] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.523] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.524] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.524] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.524] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.524] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.524] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x969a2800, ftCreationTime.dwHighDateTime=0x1ced4d9, ftLastAccessTime.dwLowDateTime=0x969a2800, ftLastAccessTime.dwHighDateTime=0x1ced4d9, ftLastWriteTime.dwLowDateTime=0xc8e16ea0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0xc5b25, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="cab1.cab.859CA46D254D29424B1E751BF25F1ABA5CCEE9A2E3A580AB0C065465B33E842D", cAlternateFileName="CAB1CA~1.859")) returned 1 [0163.524] lstrcmpiW (lpString1="cab1.cab.859CA46D254D29424B1E751BF25F1ABA5CCEE9A2E3A580AB0C065465B33E842D", lpString2="Windows") returned -1 [0163.524] lstrcmpiW (lpString1="cab1.cab.859CA46D254D29424B1E751BF25F1ABA5CCEE9A2E3A580AB0C065465B33E842D", lpString2="Program Files") returned -1 [0163.524] lstrcmpiW (lpString1="cab1.cab.859CA46D254D29424B1E751BF25F1ABA5CCEE9A2E3A580AB0C065465B33E842D", lpString2="Program Files (x86)") returned -1 [0163.524] lstrcmpiW (lpString1="cab1.cab.859CA46D254D29424B1E751BF25F1ABA5CCEE9A2E3A580AB0C065465B33E842D", lpString2="$Recycle.bin") returned 1 [0163.524] lstrcmpiW (lpString1="cab1.cab.859CA46D254D29424B1E751BF25F1ABA5CCEE9A2E3A580AB0C065465B33E842D", lpString2="System Volume Information") returned -1 [0163.524] lstrcmpiW (lpString1="cab1.cab.859CA46D254D29424B1E751BF25F1ABA5CCEE9A2E3A580AB0C065465B33E842D", lpString2=".") returned 1 [0163.524] lstrcmpiW (lpString1="cab1.cab.859CA46D254D29424B1E751BF25F1ABA5CCEE9A2E3A580AB0C065465B33E842D", lpString2="..") returned 1 [0163.524] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.859CA46D254D29424B1E751BF25F1ABA5CCEE9A2E3A580AB0C065465B33E842D") returned 192 [0163.524] lstrcmpW (lpString1="cab1.cab.859CA46D254D29424B1E751BF25F1ABA5CCEE9A2E3A580AB0C065465B33E842D", lpString2="PUSSY.TXT") returned -1 [0163.524] PathFindExtensionW (pszPath="cab1.cab.859CA46D254D29424B1E751BF25F1ABA5CCEE9A2E3A580AB0C065465B33E842D") returned=".859CA46D254D29424B1E751BF25F1ABA5CCEE9A2E3A580AB0C065465B33E842D" [0163.524] lstrlenW (lpString=".859CA46D254D29424B1E751BF25F1ABA5CCEE9A2E3A580AB0C065465B33E842D") returned 65 [0163.524] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8b1d320, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc8b1d320, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8c27cc0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.524] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.524] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.524] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.524] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.524] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.524] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.524] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.524] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\PUSSY.TXT") returned 128 [0163.524] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.524] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a1afc00, ftCreationTime.dwHighDateTime=0x1ced4da, ftLastAccessTime.dwLowDateTime=0x5a1afc00, ftLastAccessTime.dwHighDateTime=0x1ced4da, ftLastWriteTime.dwLowDateTime=0xc8e16ea0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="vc_runtimeMinimum_x64.msi.B3B7180E6ECFA0C79395A4FE36B44D4C722DF06B6434A8A0485A36C9D4F27131", cAlternateFileName="VC_RUN~1.B3B")) returned 1 [0163.524] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi.B3B7180E6ECFA0C79395A4FE36B44D4C722DF06B6434A8A0485A36C9D4F27131", lpString2="Windows") returned -1 [0163.525] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi.B3B7180E6ECFA0C79395A4FE36B44D4C722DF06B6434A8A0485A36C9D4F27131", lpString2="Program Files") returned 1 [0163.525] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi.B3B7180E6ECFA0C79395A4FE36B44D4C722DF06B6434A8A0485A36C9D4F27131", lpString2="Program Files (x86)") returned 1 [0163.525] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi.B3B7180E6ECFA0C79395A4FE36B44D4C722DF06B6434A8A0485A36C9D4F27131", lpString2="$Recycle.bin") returned 1 [0163.525] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi.B3B7180E6ECFA0C79395A4FE36B44D4C722DF06B6434A8A0485A36C9D4F27131", lpString2="System Volume Information") returned 1 [0163.525] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi.B3B7180E6ECFA0C79395A4FE36B44D4C722DF06B6434A8A0485A36C9D4F27131", lpString2=".") returned 1 [0163.525] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi.B3B7180E6ECFA0C79395A4FE36B44D4C722DF06B6434A8A0485A36C9D4F27131", lpString2="..") returned 1 [0163.525] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi.B3B7180E6ECFA0C79395A4FE36B44D4C722DF06B6434A8A0485A36C9D4F27131") returned 209 [0163.525] lstrcmpW (lpString1="vc_runtimeMinimum_x64.msi.B3B7180E6ECFA0C79395A4FE36B44D4C722DF06B6434A8A0485A36C9D4F27131", lpString2="PUSSY.TXT") returned 1 [0163.525] PathFindExtensionW (pszPath="vc_runtimeMinimum_x64.msi.B3B7180E6ECFA0C79395A4FE36B44D4C722DF06B6434A8A0485A36C9D4F27131") returned=".B3B7180E6ECFA0C79395A4FE36B44D4C722DF06B6434A8A0485A36C9D4F27131" [0163.525] lstrlenW (lpString=".B3B7180E6ECFA0C79395A4FE36B44D4C722DF06B6434A8A0485A36C9D4F27131") returned 65 [0163.525] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a1afc00, ftCreationTime.dwHighDateTime=0x1ced4da, ftLastAccessTime.dwLowDateTime=0x5a1afc00, ftLastAccessTime.dwHighDateTime=0x1ced4da, ftLastWriteTime.dwLowDateTime=0xc8e16ea0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="vc_runtimeMinimum_x64.msi.B3B7180E6ECFA0C79395A4FE36B44D4C722DF06B6434A8A0485A36C9D4F27131", cAlternateFileName="VC_RUN~1.B3B")) returned 0 [0163.525] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0163.525] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\PUSSY.TXT") returned 128 [0163.525] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.525] GetProcessHeap () returned 0x4c0000 [0163.525] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0163.525] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xc8e16ea0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8e16ea0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0163.525] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0163.525] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\PUSSY.TXT") returned 105 [0163.526] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.526] GetProcessHeap () returned 0x4c0000 [0163.526] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0163.526] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8c4de20, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc8c4de20, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8c4de20, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.526] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.526] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.526] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.526] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.526] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.526] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.526] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.526] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\PUSSY.TXT") returned 96 [0163.526] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.526] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8c4de20, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc8c4de20, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8c4de20, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.526] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0163.526] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\PUSSY.TXT") returned 96 [0163.526] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.526] GetProcessHeap () returned 0x4c0000 [0163.526] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0163.528] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa93425b0, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xc8d7e920, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8d7e920, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", cAlternateFileName="{E5127~1.250")) returned 1 [0163.528] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="Windows") returned -1 [0163.528] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="Program Files") returned -1 [0163.528] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="Program Files (x86)") returned -1 [0163.528] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="$Recycle.bin") returned 1 [0163.528] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="System Volume Information") returned -1 [0163.528] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2=".") returned 1 [0163.528] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="..") returned 1 [0163.528] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017") returned 87 [0163.528] GetProcessHeap () returned 0x4c0000 [0163.528] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0163.529] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017" [0163.529] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*" [0163.529] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa93425b0, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xc8d7e920, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8d7e920, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0163.530] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.530] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.530] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.530] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.530] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.530] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.530] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa93425b0, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xc8d7e920, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8d7e920, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0163.530] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.530] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.530] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.530] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.530] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.530] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.530] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.530] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xc8d7e920, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8d7e920, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="packages", cAlternateFileName="")) returned 1 [0163.530] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0163.530] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0163.530] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0163.530] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0163.530] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0163.530] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0163.530] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0163.530] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages") returned 96 [0163.530] GetProcessHeap () returned 0x4c0000 [0163.530] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0163.531] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages" [0163.532] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\*" [0163.532] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xc8d7e920, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8d7e920, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0163.532] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.532] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.532] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.532] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.532] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.532] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.532] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xc8d7e920, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8d7e920, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0163.532] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.532] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.532] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.532] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.532] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.532] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.532] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.532] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8d7e920, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc8d7e920, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8d7e920, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.532] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.532] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.533] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.533] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.533] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.533] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.533] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.533] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\PUSSY.TXT") returned 106 [0163.533] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.533] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xc90784a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc90784a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0163.533] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Windows") returned -1 [0163.533] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Program Files") returned 1 [0163.533] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Program Files (x86)") returned 1 [0163.533] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="$Recycle.bin") returned 1 [0163.533] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="System Volume Information") returned 1 [0163.533] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2=".") returned 1 [0163.533] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="..") returned 1 [0163.533] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64") returned 122 [0163.533] GetProcessHeap () returned 0x4c0000 [0163.533] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0163.534] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64" [0163.534] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*" [0163.534] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xc90784a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc90784a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0163.534] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.534] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.534] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.534] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.534] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.534] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.534] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xc90784a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc90784a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0163.534] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.534] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.534] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.534] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.534] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.534] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.534] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.534] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdae7f300, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xdae7f300, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xc90784a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x59bde5, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="cab1.cab.45037AFFE66501EE302988A84029E1D91FC10BDD1EC0200FF2CAF5A3C44EC01C", cAlternateFileName="CAB1CA~1.450")) returned 1 [0163.534] lstrcmpiW (lpString1="cab1.cab.45037AFFE66501EE302988A84029E1D91FC10BDD1EC0200FF2CAF5A3C44EC01C", lpString2="Windows") returned -1 [0163.535] lstrcmpiW (lpString1="cab1.cab.45037AFFE66501EE302988A84029E1D91FC10BDD1EC0200FF2CAF5A3C44EC01C", lpString2="Program Files") returned -1 [0163.535] lstrcmpiW (lpString1="cab1.cab.45037AFFE66501EE302988A84029E1D91FC10BDD1EC0200FF2CAF5A3C44EC01C", lpString2="Program Files (x86)") returned -1 [0163.535] lstrcmpiW (lpString1="cab1.cab.45037AFFE66501EE302988A84029E1D91FC10BDD1EC0200FF2CAF5A3C44EC01C", lpString2="$Recycle.bin") returned 1 [0163.535] lstrcmpiW (lpString1="cab1.cab.45037AFFE66501EE302988A84029E1D91FC10BDD1EC0200FF2CAF5A3C44EC01C", lpString2="System Volume Information") returned -1 [0163.535] lstrcmpiW (lpString1="cab1.cab.45037AFFE66501EE302988A84029E1D91FC10BDD1EC0200FF2CAF5A3C44EC01C", lpString2=".") returned 1 [0163.535] lstrcmpiW (lpString1="cab1.cab.45037AFFE66501EE302988A84029E1D91FC10BDD1EC0200FF2CAF5A3C44EC01C", lpString2="..") returned 1 [0163.535] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.45037AFFE66501EE302988A84029E1D91FC10BDD1EC0200FF2CAF5A3C44EC01C") returned 196 [0163.535] lstrcmpW (lpString1="cab1.cab.45037AFFE66501EE302988A84029E1D91FC10BDD1EC0200FF2CAF5A3C44EC01C", lpString2="PUSSY.TXT") returned -1 [0163.535] PathFindExtensionW (pszPath="cab1.cab.45037AFFE66501EE302988A84029E1D91FC10BDD1EC0200FF2CAF5A3C44EC01C") returned=".45037AFFE66501EE302988A84029E1D91FC10BDD1EC0200FF2CAF5A3C44EC01C" [0163.535] lstrlenW (lpString=".45037AFFE66501EE302988A84029E1D91FC10BDD1EC0200FF2CAF5A3C44EC01C") returned 65 [0163.535] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8d7e920, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc8d7e920, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8d7e920, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.535] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.535] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.535] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.535] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.535] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.535] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.535] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.535] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\PUSSY.TXT") returned 132 [0163.535] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.535] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36fed00, ftCreationTime.dwHighDateTime=0x1d28825, ftLastAccessTime.dwLowDateTime=0x36fed00, ftLastAccessTime.dwHighDateTime=0x1d28825, ftLastWriteTime.dwLowDateTime=0xc8e16ea0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="vc_runtimeAdditional_x64.msi.27E06E12456562547C5FCF08DA69BE3E84ABF794C7DDB979F247D6AFA9DA2315", cAlternateFileName="VC_RUN~1.27E")) returned 1 [0163.535] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi.27E06E12456562547C5FCF08DA69BE3E84ABF794C7DDB979F247D6AFA9DA2315", lpString2="Windows") returned -1 [0163.535] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi.27E06E12456562547C5FCF08DA69BE3E84ABF794C7DDB979F247D6AFA9DA2315", lpString2="Program Files") returned 1 [0163.535] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi.27E06E12456562547C5FCF08DA69BE3E84ABF794C7DDB979F247D6AFA9DA2315", lpString2="Program Files (x86)") returned 1 [0163.535] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi.27E06E12456562547C5FCF08DA69BE3E84ABF794C7DDB979F247D6AFA9DA2315", lpString2="$Recycle.bin") returned 1 [0163.536] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi.27E06E12456562547C5FCF08DA69BE3E84ABF794C7DDB979F247D6AFA9DA2315", lpString2="System Volume Information") returned 1 [0163.536] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi.27E06E12456562547C5FCF08DA69BE3E84ABF794C7DDB979F247D6AFA9DA2315", lpString2=".") returned 1 [0163.536] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi.27E06E12456562547C5FCF08DA69BE3E84ABF794C7DDB979F247D6AFA9DA2315", lpString2="..") returned 1 [0163.536] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi.27E06E12456562547C5FCF08DA69BE3E84ABF794C7DDB979F247D6AFA9DA2315") returned 216 [0163.536] lstrcmpW (lpString1="vc_runtimeAdditional_x64.msi.27E06E12456562547C5FCF08DA69BE3E84ABF794C7DDB979F247D6AFA9DA2315", lpString2="PUSSY.TXT") returned 1 [0163.536] PathFindExtensionW (pszPath="vc_runtimeAdditional_x64.msi.27E06E12456562547C5FCF08DA69BE3E84ABF794C7DDB979F247D6AFA9DA2315") returned=".27E06E12456562547C5FCF08DA69BE3E84ABF794C7DDB979F247D6AFA9DA2315" [0163.536] lstrlenW (lpString=".27E06E12456562547C5FCF08DA69BE3E84ABF794C7DDB979F247D6AFA9DA2315") returned 65 [0163.536] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36fed00, ftCreationTime.dwHighDateTime=0x1d28825, ftLastAccessTime.dwLowDateTime=0x36fed00, ftLastAccessTime.dwHighDateTime=0x1d28825, ftLastWriteTime.dwLowDateTime=0xc8e16ea0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="vc_runtimeAdditional_x64.msi.27E06E12456562547C5FCF08DA69BE3E84ABF794C7DDB979F247D6AFA9DA2315", cAlternateFileName="VC_RUN~1.27E")) returned 0 [0163.536] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0163.536] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\PUSSY.TXT") returned 132 [0163.536] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.536] GetProcessHeap () returned 0x4c0000 [0163.536] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0163.536] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xc90784a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc90784a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0163.536] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0163.536] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\PUSSY.TXT") returned 106 [0163.536] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.537] GetProcessHeap () returned 0x4c0000 [0163.537] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0163.537] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8d7e920, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc8d7e920, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8d7e920, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.537] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.537] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.537] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.537] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.537] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.537] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.537] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.537] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\PUSSY.TXT") returned 97 [0163.537] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.537] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8d7e920, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc8d7e920, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8d7e920, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.537] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0163.537] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\PUSSY.TXT") returned 97 [0163.537] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.537] GetProcessHeap () returned 0x4c0000 [0163.537] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0163.539] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa912d270, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xc92d9aa0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc92d9aa0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="{e52a6842-b0ac-476e-b48f-378a97a67346}", cAlternateFileName="{E52A6~1")) returned 1 [0163.539] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="Windows") returned -1 [0163.539] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="Program Files") returned -1 [0163.539] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="Program Files (x86)") returned -1 [0163.539] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="$Recycle.bin") returned 1 [0163.539] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="System Volume Information") returned -1 [0163.539] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2=".") returned 1 [0163.539] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="..") returned 1 [0163.539] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}") returned 75 [0163.539] GetProcessHeap () returned 0x4c0000 [0163.539] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0163.540] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}" [0163.540] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*" [0163.540] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa912d270, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xc92d9aa0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc92d9aa0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0163.540] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.540] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.540] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.540] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.540] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.540] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.540] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa912d270, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xc92d9aa0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc92d9aa0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0163.540] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.540] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.540] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.540] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.540] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.540] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.540] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.541] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8f479a0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc8f479a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8f479a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.541] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.541] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.541] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.541] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.541] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.541] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.541] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.541] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\PUSSY.TXT") returned 85 [0163.541] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.541] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa912d270, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa912d270, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xc8e892c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x2fe, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="state.rsm.787C5C76DF4D3B65FAA98F219122A2E1445429BF3DBCFA38BB9FFB5D0DA0C870", cAlternateFileName="STATER~1.787")) returned 1 [0163.541] lstrcmpiW (lpString1="state.rsm.787C5C76DF4D3B65FAA98F219122A2E1445429BF3DBCFA38BB9FFB5D0DA0C870", lpString2="Windows") returned -1 [0163.541] lstrcmpiW (lpString1="state.rsm.787C5C76DF4D3B65FAA98F219122A2E1445429BF3DBCFA38BB9FFB5D0DA0C870", lpString2="Program Files") returned 1 [0163.541] lstrcmpiW (lpString1="state.rsm.787C5C76DF4D3B65FAA98F219122A2E1445429BF3DBCFA38BB9FFB5D0DA0C870", lpString2="Program Files (x86)") returned 1 [0163.541] lstrcmpiW (lpString1="state.rsm.787C5C76DF4D3B65FAA98F219122A2E1445429BF3DBCFA38BB9FFB5D0DA0C870", lpString2="$Recycle.bin") returned 1 [0163.541] lstrcmpiW (lpString1="state.rsm.787C5C76DF4D3B65FAA98F219122A2E1445429BF3DBCFA38BB9FFB5D0DA0C870", lpString2="System Volume Information") returned -1 [0163.541] lstrcmpiW (lpString1="state.rsm.787C5C76DF4D3B65FAA98F219122A2E1445429BF3DBCFA38BB9FFB5D0DA0C870", lpString2=".") returned 1 [0163.541] lstrcmpiW (lpString1="state.rsm.787C5C76DF4D3B65FAA98F219122A2E1445429BF3DBCFA38BB9FFB5D0DA0C870", lpString2="..") returned 1 [0163.541] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm.787C5C76DF4D3B65FAA98F219122A2E1445429BF3DBCFA38BB9FFB5D0DA0C870") returned 150 [0163.541] lstrcmpW (lpString1="state.rsm.787C5C76DF4D3B65FAA98F219122A2E1445429BF3DBCFA38BB9FFB5D0DA0C870", lpString2="PUSSY.TXT") returned 1 [0163.541] PathFindExtensionW (pszPath="state.rsm.787C5C76DF4D3B65FAA98F219122A2E1445429BF3DBCFA38BB9FFB5D0DA0C870") returned=".787C5C76DF4D3B65FAA98F219122A2E1445429BF3DBCFA38BB9FFB5D0DA0C870" [0163.541] lstrlenW (lpString=".787C5C76DF4D3B65FAA98F219122A2E1445429BF3DBCFA38BB9FFB5D0DA0C870") returned 65 [0163.541] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa912d270, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa912d270, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xc90c4760, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0xbee38, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="VC_redist.x64.exe.861F8538A4DD71E9B1525F48DABCEAE378034B937729526BE38A8028ED28A77C", cAlternateFileName="VC_RED~1.861")) returned 1 [0163.541] lstrcmpiW (lpString1="VC_redist.x64.exe.861F8538A4DD71E9B1525F48DABCEAE378034B937729526BE38A8028ED28A77C", lpString2="Windows") returned -1 [0163.541] lstrcmpiW (lpString1="VC_redist.x64.exe.861F8538A4DD71E9B1525F48DABCEAE378034B937729526BE38A8028ED28A77C", lpString2="Program Files") returned 1 [0163.541] lstrcmpiW (lpString1="VC_redist.x64.exe.861F8538A4DD71E9B1525F48DABCEAE378034B937729526BE38A8028ED28A77C", lpString2="Program Files (x86)") returned 1 [0163.542] lstrcmpiW (lpString1="VC_redist.x64.exe.861F8538A4DD71E9B1525F48DABCEAE378034B937729526BE38A8028ED28A77C", lpString2="$Recycle.bin") returned 1 [0163.542] lstrcmpiW (lpString1="VC_redist.x64.exe.861F8538A4DD71E9B1525F48DABCEAE378034B937729526BE38A8028ED28A77C", lpString2="System Volume Information") returned 1 [0163.542] lstrcmpiW (lpString1="VC_redist.x64.exe.861F8538A4DD71E9B1525F48DABCEAE378034B937729526BE38A8028ED28A77C", lpString2=".") returned 1 [0163.542] lstrcmpiW (lpString1="VC_redist.x64.exe.861F8538A4DD71E9B1525F48DABCEAE378034B937729526BE38A8028ED28A77C", lpString2="..") returned 1 [0163.542] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe.861F8538A4DD71E9B1525F48DABCEAE378034B937729526BE38A8028ED28A77C") returned 158 [0163.542] lstrcmpW (lpString1="VC_redist.x64.exe.861F8538A4DD71E9B1525F48DABCEAE378034B937729526BE38A8028ED28A77C", lpString2="PUSSY.TXT") returned 1 [0163.542] PathFindExtensionW (pszPath="VC_redist.x64.exe.861F8538A4DD71E9B1525F48DABCEAE378034B937729526BE38A8028ED28A77C") returned=".861F8538A4DD71E9B1525F48DABCEAE378034B937729526BE38A8028ED28A77C" [0163.542] lstrlenW (lpString=".861F8538A4DD71E9B1525F48DABCEAE378034B937729526BE38A8028ED28A77C") returned 65 [0163.542] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa912d270, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa912d270, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xc90c4760, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0xbee38, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="VC_redist.x64.exe.861F8538A4DD71E9B1525F48DABCEAE378034B937729526BE38A8028ED28A77C", cAlternateFileName="VC_RED~1.861")) returned 0 [0163.542] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0163.542] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\PUSSY.TXT") returned 85 [0163.542] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.542] GetProcessHeap () returned 0x4c0000 [0163.542] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0163.542] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca64c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc90784a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc90784a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", cAlternateFileName="{E6E75~1")) returned 1 [0163.542] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="Windows") returned -1 [0163.542] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="Program Files") returned -1 [0163.542] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="Program Files (x86)") returned -1 [0163.542] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="$Recycle.bin") returned 1 [0163.542] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="System Volume Information") returned -1 [0163.542] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2=".") returned 1 [0163.542] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="..") returned 1 [0163.543] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}") returned 75 [0163.543] GetProcessHeap () returned 0x4c0000 [0163.543] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0163.543] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}" [0163.543] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*" [0163.543] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca64c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc90784a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc90784a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0163.543] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.543] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.543] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.543] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.543] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.543] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.543] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca64c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc90784a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc90784a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0163.543] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.543] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.543] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.543] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.543] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.543] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.543] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.544] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8fdff20, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc8fdff20, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc8fdff20, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.544] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.544] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.544] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.544] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.544] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.544] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.544] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.544] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\PUSSY.TXT") returned 85 [0163.544] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.544] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcad7040, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcad7040, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xc8f93c60, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x29a, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="state.rsm.26F3EA2F51392E2F2C32A49776F84448CF8B133C88FD97EF7742E108D475B00E", cAlternateFileName="STATER~1.26F")) returned 1 [0163.544] lstrcmpiW (lpString1="state.rsm.26F3EA2F51392E2F2C32A49776F84448CF8B133C88FD97EF7742E108D475B00E", lpString2="Windows") returned -1 [0163.544] lstrcmpiW (lpString1="state.rsm.26F3EA2F51392E2F2C32A49776F84448CF8B133C88FD97EF7742E108D475B00E", lpString2="Program Files") returned 1 [0163.544] lstrcmpiW (lpString1="state.rsm.26F3EA2F51392E2F2C32A49776F84448CF8B133C88FD97EF7742E108D475B00E", lpString2="Program Files (x86)") returned 1 [0163.544] lstrcmpiW (lpString1="state.rsm.26F3EA2F51392E2F2C32A49776F84448CF8B133C88FD97EF7742E108D475B00E", lpString2="$Recycle.bin") returned 1 [0163.544] lstrcmpiW (lpString1="state.rsm.26F3EA2F51392E2F2C32A49776F84448CF8B133C88FD97EF7742E108D475B00E", lpString2="System Volume Information") returned -1 [0163.544] lstrcmpiW (lpString1="state.rsm.26F3EA2F51392E2F2C32A49776F84448CF8B133C88FD97EF7742E108D475B00E", lpString2=".") returned 1 [0163.544] lstrcmpiW (lpString1="state.rsm.26F3EA2F51392E2F2C32A49776F84448CF8B133C88FD97EF7742E108D475B00E", lpString2="..") returned 1 [0163.544] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm.26F3EA2F51392E2F2C32A49776F84448CF8B133C88FD97EF7742E108D475B00E") returned 150 [0163.544] lstrcmpW (lpString1="state.rsm.26F3EA2F51392E2F2C32A49776F84448CF8B133C88FD97EF7742E108D475B00E", lpString2="PUSSY.TXT") returned 1 [0163.544] PathFindExtensionW (pszPath="state.rsm.26F3EA2F51392E2F2C32A49776F84448CF8B133C88FD97EF7742E108D475B00E") returned=".26F3EA2F51392E2F2C32A49776F84448CF8B133C88FD97EF7742E108D475B00E" [0163.544] lstrlenW (lpString=".26F3EA2F51392E2F2C32A49776F84448CF8B133C88FD97EF7742E108D475B00E") returned 65 [0163.544] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca64c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xca64c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xc90784a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x71080, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="vcredist_x86.exe.07A169B8421BD17822A27E08E9268077DC7F61193A8AE5A7D46AF264A90B1605", cAlternateFileName="VCREDI~1.07A")) returned 1 [0163.544] lstrcmpiW (lpString1="vcredist_x86.exe.07A169B8421BD17822A27E08E9268077DC7F61193A8AE5A7D46AF264A90B1605", lpString2="Windows") returned -1 [0163.545] lstrcmpiW (lpString1="vcredist_x86.exe.07A169B8421BD17822A27E08E9268077DC7F61193A8AE5A7D46AF264A90B1605", lpString2="Program Files") returned 1 [0163.545] lstrcmpiW (lpString1="vcredist_x86.exe.07A169B8421BD17822A27E08E9268077DC7F61193A8AE5A7D46AF264A90B1605", lpString2="Program Files (x86)") returned 1 [0163.545] lstrcmpiW (lpString1="vcredist_x86.exe.07A169B8421BD17822A27E08E9268077DC7F61193A8AE5A7D46AF264A90B1605", lpString2="$Recycle.bin") returned 1 [0163.545] lstrcmpiW (lpString1="vcredist_x86.exe.07A169B8421BD17822A27E08E9268077DC7F61193A8AE5A7D46AF264A90B1605", lpString2="System Volume Information") returned 1 [0163.545] lstrcmpiW (lpString1="vcredist_x86.exe.07A169B8421BD17822A27E08E9268077DC7F61193A8AE5A7D46AF264A90B1605", lpString2=".") returned 1 [0163.545] lstrcmpiW (lpString1="vcredist_x86.exe.07A169B8421BD17822A27E08E9268077DC7F61193A8AE5A7D46AF264A90B1605", lpString2="..") returned 1 [0163.545] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe.07A169B8421BD17822A27E08E9268077DC7F61193A8AE5A7D46AF264A90B1605") returned 157 [0163.545] lstrcmpW (lpString1="vcredist_x86.exe.07A169B8421BD17822A27E08E9268077DC7F61193A8AE5A7D46AF264A90B1605", lpString2="PUSSY.TXT") returned 1 [0163.545] PathFindExtensionW (pszPath="vcredist_x86.exe.07A169B8421BD17822A27E08E9268077DC7F61193A8AE5A7D46AF264A90B1605") returned=".07A169B8421BD17822A27E08E9268077DC7F61193A8AE5A7D46AF264A90B1605" [0163.545] lstrlenW (lpString=".07A169B8421BD17822A27E08E9268077DC7F61193A8AE5A7D46AF264A90B1605") returned 65 [0163.545] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca64c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xca64c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xc90784a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x71080, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="vcredist_x86.exe.07A169B8421BD17822A27E08E9268077DC7F61193A8AE5A7D46AF264A90B1605", cAlternateFileName="VCREDI~1.07A")) returned 0 [0163.545] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0163.545] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\PUSSY.TXT") returned 85 [0163.545] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.545] GetProcessHeap () returned 0x4c0000 [0163.545] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0163.545] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf93c9960, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xc9691d00, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc9691d00, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="{f325f05b-f963-4640-a43b-c8a494cdda0f}", cAlternateFileName="{F325F~1")) returned 1 [0163.545] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="Windows") returned -1 [0163.545] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="Program Files") returned -1 [0163.545] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="Program Files (x86)") returned -1 [0163.545] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="$Recycle.bin") returned 1 [0163.545] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="System Volume Information") returned -1 [0163.545] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2=".") returned 1 [0163.546] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="..") returned 1 [0163.546] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}") returned 75 [0163.546] GetProcessHeap () returned 0x4c0000 [0163.546] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0163.546] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}" [0163.546] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*" [0163.546] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf93c9960, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xc9691d00, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc9691d00, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0163.546] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.546] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.546] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.546] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.546] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.546] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.546] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf93c9960, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xc9691d00, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc9691d00, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0163.546] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.546] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.546] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.546] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.546] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.546] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.547] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.547] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc915cce0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc915cce0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc934bec0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.547] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.547] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.547] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.547] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.547] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.547] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.547] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.547] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\PUSSY.TXT") returned 85 [0163.547] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.547] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf93efac0, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf93efac0, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xc92d9aa0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x2fe, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="state.rsm.A0C15149EDF323A786F4295FB405142E4FB45E0C103368D416630710831CEB30", cAlternateFileName="STATER~1.A0C")) returned 1 [0163.547] lstrcmpiW (lpString1="state.rsm.A0C15149EDF323A786F4295FB405142E4FB45E0C103368D416630710831CEB30", lpString2="Windows") returned -1 [0163.547] lstrcmpiW (lpString1="state.rsm.A0C15149EDF323A786F4295FB405142E4FB45E0C103368D416630710831CEB30", lpString2="Program Files") returned 1 [0163.547] lstrcmpiW (lpString1="state.rsm.A0C15149EDF323A786F4295FB405142E4FB45E0C103368D416630710831CEB30", lpString2="Program Files (x86)") returned 1 [0163.547] lstrcmpiW (lpString1="state.rsm.A0C15149EDF323A786F4295FB405142E4FB45E0C103368D416630710831CEB30", lpString2="$Recycle.bin") returned 1 [0163.547] lstrcmpiW (lpString1="state.rsm.A0C15149EDF323A786F4295FB405142E4FB45E0C103368D416630710831CEB30", lpString2="System Volume Information") returned -1 [0163.547] lstrcmpiW (lpString1="state.rsm.A0C15149EDF323A786F4295FB405142E4FB45E0C103368D416630710831CEB30", lpString2=".") returned 1 [0163.547] lstrcmpiW (lpString1="state.rsm.A0C15149EDF323A786F4295FB405142E4FB45E0C103368D416630710831CEB30", lpString2="..") returned 1 [0163.547] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm.A0C15149EDF323A786F4295FB405142E4FB45E0C103368D416630710831CEB30") returned 150 [0163.547] lstrcmpW (lpString1="state.rsm.A0C15149EDF323A786F4295FB405142E4FB45E0C103368D416630710831CEB30", lpString2="PUSSY.TXT") returned 1 [0163.547] PathFindExtensionW (pszPath="state.rsm.A0C15149EDF323A786F4295FB405142E4FB45E0C103368D416630710831CEB30") returned=".A0C15149EDF323A786F4295FB405142E4FB45E0C103368D416630710831CEB30" [0163.547] lstrlenW (lpString=".A0C15149EDF323A786F4295FB405142E4FB45E0C103368D416630710831CEB30") returned 65 [0163.547] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf93c9960, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf93c9960, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xc9514f40, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0xbee30, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="VC_redist.x86.exe.DC5F36B76264E280D2A4B71570B84BA1B61B523A6CFB3A77248568A21DF21521", cAlternateFileName="VC_RED~1.DC5")) returned 1 [0163.547] lstrcmpiW (lpString1="VC_redist.x86.exe.DC5F36B76264E280D2A4B71570B84BA1B61B523A6CFB3A77248568A21DF21521", lpString2="Windows") returned -1 [0163.547] lstrcmpiW (lpString1="VC_redist.x86.exe.DC5F36B76264E280D2A4B71570B84BA1B61B523A6CFB3A77248568A21DF21521", lpString2="Program Files") returned 1 [0163.548] lstrcmpiW (lpString1="VC_redist.x86.exe.DC5F36B76264E280D2A4B71570B84BA1B61B523A6CFB3A77248568A21DF21521", lpString2="Program Files (x86)") returned 1 [0163.548] lstrcmpiW (lpString1="VC_redist.x86.exe.DC5F36B76264E280D2A4B71570B84BA1B61B523A6CFB3A77248568A21DF21521", lpString2="$Recycle.bin") returned 1 [0163.548] lstrcmpiW (lpString1="VC_redist.x86.exe.DC5F36B76264E280D2A4B71570B84BA1B61B523A6CFB3A77248568A21DF21521", lpString2="System Volume Information") returned 1 [0163.548] lstrcmpiW (lpString1="VC_redist.x86.exe.DC5F36B76264E280D2A4B71570B84BA1B61B523A6CFB3A77248568A21DF21521", lpString2=".") returned 1 [0163.548] lstrcmpiW (lpString1="VC_redist.x86.exe.DC5F36B76264E280D2A4B71570B84BA1B61B523A6CFB3A77248568A21DF21521", lpString2="..") returned 1 [0163.548] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe.DC5F36B76264E280D2A4B71570B84BA1B61B523A6CFB3A77248568A21DF21521") returned 158 [0163.548] lstrcmpW (lpString1="VC_redist.x86.exe.DC5F36B76264E280D2A4B71570B84BA1B61B523A6CFB3A77248568A21DF21521", lpString2="PUSSY.TXT") returned 1 [0163.548] PathFindExtensionW (pszPath="VC_redist.x86.exe.DC5F36B76264E280D2A4B71570B84BA1B61B523A6CFB3A77248568A21DF21521") returned=".DC5F36B76264E280D2A4B71570B84BA1B61B523A6CFB3A77248568A21DF21521" [0163.563] lstrlenW (lpString=".DC5F36B76264E280D2A4B71570B84BA1B61B523A6CFB3A77248568A21DF21521") returned 65 [0163.595] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf93c9960, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf93c9960, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xc9514f40, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0xbee30, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="VC_redist.x86.exe.DC5F36B76264E280D2A4B71570B84BA1B61B523A6CFB3A77248568A21DF21521", cAlternateFileName="VC_RED~1.DC5")) returned 0 [0163.595] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0163.595] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\PUSSY.TXT") returned 85 [0163.595] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.595] GetProcessHeap () returned 0x4c0000 [0163.595] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0163.595] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc940a5a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc940a5a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", cAlternateFileName="{F8CFE~1.210")) returned 1 [0163.595] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="Windows") returned -1 [0163.595] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="Program Files") returned -1 [0163.595] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="Program Files (x86)") returned -1 [0163.595] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="$Recycle.bin") returned 1 [0163.595] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="System Volume Information") returned -1 [0163.595] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2=".") returned 1 [0163.596] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="..") returned 1 [0163.596] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005") returned 86 [0163.596] GetProcessHeap () returned 0x4c0000 [0163.596] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0163.596] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005" [0163.596] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*" [0163.596] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc940a5a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc940a5a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0163.596] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.596] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.596] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.596] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.596] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.596] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.596] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc940a5a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc940a5a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0163.596] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.596] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.596] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.596] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.596] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.596] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.596] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.596] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc93e4440, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc93e4440, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="packages", cAlternateFileName="")) returned 1 [0163.596] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0163.596] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0163.596] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0163.597] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0163.597] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0163.597] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0163.597] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0163.597] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages") returned 95 [0163.597] GetProcessHeap () returned 0x4c0000 [0163.597] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0163.598] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages" [0163.598] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*" [0163.598] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc93e4440, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc93e4440, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0163.598] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.598] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.598] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.598] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.598] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.598] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.598] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc93e4440, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc93e4440, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0163.598] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.598] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.598] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.598] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.598] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.598] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.598] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.598] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc93e4440, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc93e4440, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc940a5a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.598] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.598] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.598] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.598] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.598] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.599] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.599] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.599] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\PUSSY.TXT") returned 105 [0163.599] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.599] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xca1ba420, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xca1ba420, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0163.599] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Windows") returned -1 [0163.599] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Program Files") returned 1 [0163.599] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Program Files (x86)") returned 1 [0163.599] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="$Recycle.bin") returned 1 [0163.599] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="System Volume Information") returned 1 [0163.599] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2=".") returned 1 [0163.599] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="..") returned 1 [0163.599] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86") returned 119 [0163.599] GetProcessHeap () returned 0x4c0000 [0163.599] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0163.599] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86" [0163.599] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*" [0163.599] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xca1ba420, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xca1ba420, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0163.600] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.600] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.600] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.600] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.600] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.600] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.600] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xca1ba420, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xca1ba420, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0163.600] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.600] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.600] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.600] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.600] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.600] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.600] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.600] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x532ebf00, ftCreationTime.dwHighDateTime=0x1cf3dd3, ftLastAccessTime.dwLowDateTime=0x532ebf00, ftLastAccessTime.dwHighDateTime=0x1cf3dd3, ftLastWriteTime.dwLowDateTime=0xc9e745e0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4b4520, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="cab1.cab.9F830D6405817EAF69B6806CBC75A57170C4461AB14FA2F42ABEAE7EB86F391C", cAlternateFileName="CAB1CA~1.9F8")) returned 1 [0163.600] lstrcmpiW (lpString1="cab1.cab.9F830D6405817EAF69B6806CBC75A57170C4461AB14FA2F42ABEAE7EB86F391C", lpString2="Windows") returned -1 [0163.600] lstrcmpiW (lpString1="cab1.cab.9F830D6405817EAF69B6806CBC75A57170C4461AB14FA2F42ABEAE7EB86F391C", lpString2="Program Files") returned -1 [0163.600] lstrcmpiW (lpString1="cab1.cab.9F830D6405817EAF69B6806CBC75A57170C4461AB14FA2F42ABEAE7EB86F391C", lpString2="Program Files (x86)") returned -1 [0163.600] lstrcmpiW (lpString1="cab1.cab.9F830D6405817EAF69B6806CBC75A57170C4461AB14FA2F42ABEAE7EB86F391C", lpString2="$Recycle.bin") returned 1 [0163.600] lstrcmpiW (lpString1="cab1.cab.9F830D6405817EAF69B6806CBC75A57170C4461AB14FA2F42ABEAE7EB86F391C", lpString2="System Volume Information") returned -1 [0163.600] lstrcmpiW (lpString1="cab1.cab.9F830D6405817EAF69B6806CBC75A57170C4461AB14FA2F42ABEAE7EB86F391C", lpString2=".") returned 1 [0163.600] lstrcmpiW (lpString1="cab1.cab.9F830D6405817EAF69B6806CBC75A57170C4461AB14FA2F42ABEAE7EB86F391C", lpString2="..") returned 1 [0163.600] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab.9F830D6405817EAF69B6806CBC75A57170C4461AB14FA2F42ABEAE7EB86F391C") returned 193 [0163.600] lstrcmpW (lpString1="cab1.cab.9F830D6405817EAF69B6806CBC75A57170C4461AB14FA2F42ABEAE7EB86F391C", lpString2="PUSSY.TXT") returned -1 [0163.600] PathFindExtensionW (pszPath="cab1.cab.9F830D6405817EAF69B6806CBC75A57170C4461AB14FA2F42ABEAE7EB86F391C") returned=".9F830D6405817EAF69B6806CBC75A57170C4461AB14FA2F42ABEAE7EB86F391C" [0163.600] lstrlenW (lpString=".9F830D6405817EAF69B6806CBC75A57170C4461AB14FA2F42ABEAE7EB86F391C") returned 65 [0163.600] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc93e4440, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc93e4440, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc93e4440, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.601] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.601] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.601] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.601] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.601] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.601] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.601] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.601] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\PUSSY.TXT") returned 129 [0163.601] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.601] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f9b3800, ftCreationTime.dwHighDateTime=0x1cf3dd3, ftLastAccessTime.dwLowDateTime=0x4f9b3800, ftLastAccessTime.dwHighDateTime=0x1cf3dd3, ftLastWriteTime.dwLowDateTime=0xc9e745e0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="vc_runtimeAdditional_x86.msi.4091D324F9DD4B2BA690ACD58ED3C1794D7D118C22CCDA443EA7182D8DE5D634", cAlternateFileName="VC_RUN~1.409")) returned 1 [0163.601] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi.4091D324F9DD4B2BA690ACD58ED3C1794D7D118C22CCDA443EA7182D8DE5D634", lpString2="Windows") returned -1 [0163.601] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi.4091D324F9DD4B2BA690ACD58ED3C1794D7D118C22CCDA443EA7182D8DE5D634", lpString2="Program Files") returned 1 [0163.601] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi.4091D324F9DD4B2BA690ACD58ED3C1794D7D118C22CCDA443EA7182D8DE5D634", lpString2="Program Files (x86)") returned 1 [0163.601] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi.4091D324F9DD4B2BA690ACD58ED3C1794D7D118C22CCDA443EA7182D8DE5D634", lpString2="$Recycle.bin") returned 1 [0163.601] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi.4091D324F9DD4B2BA690ACD58ED3C1794D7D118C22CCDA443EA7182D8DE5D634", lpString2="System Volume Information") returned 1 [0163.601] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi.4091D324F9DD4B2BA690ACD58ED3C1794D7D118C22CCDA443EA7182D8DE5D634", lpString2=".") returned 1 [0163.601] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi.4091D324F9DD4B2BA690ACD58ED3C1794D7D118C22CCDA443EA7182D8DE5D634", lpString2="..") returned 1 [0163.601] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi.4091D324F9DD4B2BA690ACD58ED3C1794D7D118C22CCDA443EA7182D8DE5D634") returned 213 [0163.601] lstrcmpW (lpString1="vc_runtimeAdditional_x86.msi.4091D324F9DD4B2BA690ACD58ED3C1794D7D118C22CCDA443EA7182D8DE5D634", lpString2="PUSSY.TXT") returned 1 [0163.601] PathFindExtensionW (pszPath="vc_runtimeAdditional_x86.msi.4091D324F9DD4B2BA690ACD58ED3C1794D7D118C22CCDA443EA7182D8DE5D634") returned=".4091D324F9DD4B2BA690ACD58ED3C1794D7D118C22CCDA443EA7182D8DE5D634" [0163.601] lstrlenW (lpString=".4091D324F9DD4B2BA690ACD58ED3C1794D7D118C22CCDA443EA7182D8DE5D634") returned 65 [0163.601] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f9b3800, ftCreationTime.dwHighDateTime=0x1cf3dd3, ftLastAccessTime.dwLowDateTime=0x4f9b3800, ftLastAccessTime.dwHighDateTime=0x1cf3dd3, ftLastWriteTime.dwLowDateTime=0xc9e745e0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x3bf1228, dwReserved1=0xc0100080, cFileName="vc_runtimeAdditional_x86.msi.4091D324F9DD4B2BA690ACD58ED3C1794D7D118C22CCDA443EA7182D8DE5D634", cAlternateFileName="VC_RUN~1.409")) returned 0 [0163.601] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0163.601] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\PUSSY.TXT") returned 129 [0163.601] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.602] GetProcessHeap () returned 0x4c0000 [0163.602] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0163.602] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xca1ba420, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xca1ba420, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0163.602] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0163.602] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\PUSSY.TXT") returned 105 [0163.602] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.602] GetProcessHeap () returned 0x4c0000 [0163.602] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0163.602] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc940a5a0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc940a5a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc940a5a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.602] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.602] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.602] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.602] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.602] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.602] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.602] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.602] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\PUSSY.TXT") returned 96 [0163.602] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.602] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc940a5a0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc940a5a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc940a5a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.602] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0163.602] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\PUSSY.TXT") returned 96 [0163.602] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.602] GetProcessHeap () returned 0x4c0000 [0163.602] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0163.604] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc940a5a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc940a5a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", cAlternateFileName="{F8CFE~1.210")) returned 0 [0163.604] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0163.604] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\PUSSY.TXT") returned 46 [0163.604] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\PUSSY.TXT" (normalized: "c:\\users\\all users\\package cache\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.604] GetProcessHeap () returned 0x4c0000 [0163.604] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0163.604] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc95ad4c0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc95ad4c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc95ad4c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.604] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.604] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.604] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.604] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.604] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.604] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.604] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.604] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\PUSSY.TXT") returned 32 [0163.604] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.604] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307753b3, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307753b3, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307753b3, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0163.604] lstrcmpiW (lpString1="Start Menu", lpString2="Windows") returned -1 [0163.605] lstrcmpiW (lpString1="Start Menu", lpString2="Program Files") returned 1 [0163.605] lstrcmpiW (lpString1="Start Menu", lpString2="Program Files (x86)") returned 1 [0163.605] lstrcmpiW (lpString1="Start Menu", lpString2="$Recycle.bin") returned 1 [0163.605] lstrcmpiW (lpString1="Start Menu", lpString2="System Volume Information") returned -1 [0163.605] lstrcmpiW (lpString1="Start Menu", lpString2=".") returned 1 [0163.605] lstrcmpiW (lpString1="Start Menu", lpString2="..") returned 1 [0163.605] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Start Menu") returned 33 [0163.605] GetProcessHeap () returned 0x4c0000 [0163.605] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0163.605] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\All Users\\Start Menu" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Start Menu") returned="\\\\?\\C:\\Users\\All Users\\Start Menu" [0163.605] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Start Menu", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Start Menu\\*") returned="\\\\?\\C:\\Users\\All Users\\Start Menu\\*" [0163.605] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Start Menu\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xc940a5a0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc940a5a0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", cAlternateFileName="u")) returned 0xffffffff [0163.605] GetProcessHeap () returned 0x4c0000 [0163.605] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0163.605] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0xc95ad4c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc95ad4c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Sun", cAlternateFileName="")) returned 1 [0163.605] lstrcmpiW (lpString1="Sun", lpString2="Windows") returned -1 [0163.605] lstrcmpiW (lpString1="Sun", lpString2="Program Files") returned 1 [0163.605] lstrcmpiW (lpString1="Sun", lpString2="Program Files (x86)") returned 1 [0163.605] lstrcmpiW (lpString1="Sun", lpString2="$Recycle.bin") returned 1 [0163.605] lstrcmpiW (lpString1="Sun", lpString2="System Volume Information") returned -1 [0163.605] lstrcmpiW (lpString1="Sun", lpString2=".") returned 1 [0163.605] lstrcmpiW (lpString1="Sun", lpString2="..") returned 1 [0163.605] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Sun") returned 26 [0163.605] GetProcessHeap () returned 0x4c0000 [0163.605] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0163.605] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\All Users\\Sun" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Sun") returned="\\\\?\\C:\\Users\\All Users\\Sun" [0163.605] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Sun", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Sun\\*") returned="\\\\?\\C:\\Users\\All Users\\Sun\\*" [0163.605] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Sun\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0xc95ad4c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc95ad4c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0163.606] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.606] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.606] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.606] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.606] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.606] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.606] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0xc95ad4c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc95ad4c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0163.606] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.606] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.606] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.606] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.606] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.606] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.606] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.606] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0xc95ad4c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc95ad4c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Java", cAlternateFileName="")) returned 1 [0163.606] lstrcmpiW (lpString1="Java", lpString2="Windows") returned -1 [0163.606] lstrcmpiW (lpString1="Java", lpString2="Program Files") returned -1 [0163.606] lstrcmpiW (lpString1="Java", lpString2="Program Files (x86)") returned -1 [0163.606] lstrcmpiW (lpString1="Java", lpString2="$Recycle.bin") returned 1 [0163.606] lstrcmpiW (lpString1="Java", lpString2="System Volume Information") returned -1 [0163.606] lstrcmpiW (lpString1="Java", lpString2=".") returned 1 [0163.606] lstrcmpiW (lpString1="Java", lpString2="..") returned 1 [0163.606] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Sun\\Java") returned 31 [0163.606] GetProcessHeap () returned 0x4c0000 [0163.606] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0163.607] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\All Users\\Sun\\Java" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Sun\\Java") returned="\\\\?\\C:\\Users\\All Users\\Sun\\Java" [0163.607] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Sun\\Java", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\*") returned="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\*" [0163.607] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0xc95ad4c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc95ad4c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0163.607] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.607] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.607] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.607] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.607] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.608] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.608] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0xc95ad4c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc95ad4c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0163.608] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.608] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.608] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.608] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.608] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.608] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.608] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.608] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0xc9561200, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc9561200, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Java Update", cAlternateFileName="JAVAUP~1")) returned 1 [0163.608] lstrcmpiW (lpString1="Java Update", lpString2="Windows") returned -1 [0163.608] lstrcmpiW (lpString1="Java Update", lpString2="Program Files") returned -1 [0163.608] lstrcmpiW (lpString1="Java Update", lpString2="Program Files (x86)") returned -1 [0163.608] lstrcmpiW (lpString1="Java Update", lpString2="$Recycle.bin") returned 1 [0163.608] lstrcmpiW (lpString1="Java Update", lpString2="System Volume Information") returned -1 [0163.608] lstrcmpiW (lpString1="Java Update", lpString2=".") returned 1 [0163.608] lstrcmpiW (lpString1="Java Update", lpString2="..") returned 1 [0163.608] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\Java Update") returned 43 [0163.608] GetProcessHeap () returned 0x4c0000 [0163.608] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0163.609] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\Java Update" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\Java Update") returned="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\Java Update" [0163.609] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\Java Update", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\Java Update\\*") returned="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\Java Update\\*" [0163.609] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\Java Update\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0xc9561200, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc9561200, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0163.609] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.609] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.609] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.609] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.609] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.609] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.609] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0xc9561200, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc9561200, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0163.609] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.609] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.609] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.610] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.610] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.610] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.610] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.610] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x77, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="jaureglist.xml", cAlternateFileName="JAUREG~1.XML")) returned 1 [0163.610] lstrcmpiW (lpString1="jaureglist.xml", lpString2="Windows") returned -1 [0163.610] lstrcmpiW (lpString1="jaureglist.xml", lpString2="Program Files") returned -1 [0163.610] lstrcmpiW (lpString1="jaureglist.xml", lpString2="Program Files (x86)") returned -1 [0163.610] lstrcmpiW (lpString1="jaureglist.xml", lpString2="$Recycle.bin") returned 1 [0163.610] lstrcmpiW (lpString1="jaureglist.xml", lpString2="System Volume Information") returned -1 [0163.610] lstrcmpiW (lpString1="jaureglist.xml", lpString2=".") returned 1 [0163.610] lstrcmpiW (lpString1="jaureglist.xml", lpString2="..") returned 1 [0163.610] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\Java Update\\jaureglist.xml") returned 58 [0163.610] lstrcmpW (lpString1="jaureglist.xml", lpString2="PUSSY.TXT") returned -1 [0163.610] PathFindExtensionW (pszPath="jaureglist.xml") returned=".xml" [0163.610] lstrlenW (lpString=".xml") returned 4 [0163.610] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0163.610] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\Java Update\\jaureglist.xml" (normalized: "c:\\users\\all users\\sun\\java\\java update\\jaureglist.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x190 [0163.611] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=119) returned 1 [0163.611] CloseHandle (hObject=0x190) returned 1 [0163.611] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc9561200, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc9561200, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc95ad4c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.611] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.611] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.611] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.611] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.611] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.611] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.611] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.611] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\Java Update\\PUSSY.TXT") returned 53 [0163.611] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.611] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc9561200, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc9561200, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc95ad4c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.611] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0163.611] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\Java Update\\PUSSY.TXT") returned 53 [0163.611] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\Java Update\\PUSSY.TXT" (normalized: "c:\\users\\all users\\sun\\java\\java update\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.612] GetProcessHeap () returned 0x4c0000 [0163.612] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0163.612] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc95ad4c0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc95ad4c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc95ad4c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.612] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.612] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.612] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.612] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.612] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.612] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.612] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.612] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\PUSSY.TXT") returned 41 [0163.612] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.612] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc95ad4c0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc95ad4c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc95ad4c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.612] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0163.612] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\PUSSY.TXT") returned 41 [0163.612] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\PUSSY.TXT" (normalized: "c:\\users\\all users\\sun\\java\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.612] GetProcessHeap () returned 0x4c0000 [0163.612] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0163.613] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc95ad4c0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc95ad4c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc95ad4c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 1 [0163.613] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Windows") returned -1 [0163.613] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files") returned 1 [0163.613] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="Program Files (x86)") returned 1 [0163.613] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="$Recycle.bin") returned 1 [0163.613] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="System Volume Information") returned -1 [0163.613] lstrcmpiW (lpString1="PUSSY.TXT", lpString2=".") returned 1 [0163.613] lstrcmpiW (lpString1="PUSSY.TXT", lpString2="..") returned 1 [0163.613] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Sun\\PUSSY.TXT") returned 36 [0163.614] lstrcmpW (lpString1="PUSSY.TXT", lpString2="PUSSY.TXT") returned 0 [0163.614] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc95ad4c0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc95ad4c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc95ad4c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="")) returned 0 [0163.614] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0163.614] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Sun\\PUSSY.TXT") returned 36 [0163.614] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Sun\\PUSSY.TXT" (normalized: "c:\\users\\all users\\sun\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.614] GetProcessHeap () returned 0x4c0000 [0163.614] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0163.614] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307753b3, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307753b3, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307753b3, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0163.614] lstrcmpiW (lpString1="Templates", lpString2="Windows") returned -1 [0163.614] lstrcmpiW (lpString1="Templates", lpString2="Program Files") returned 1 [0163.614] lstrcmpiW (lpString1="Templates", lpString2="Program Files (x86)") returned 1 [0163.614] lstrcmpiW (lpString1="Templates", lpString2="$Recycle.bin") returned 1 [0163.614] lstrcmpiW (lpString1="Templates", lpString2="System Volume Information") returned 1 [0163.614] lstrcmpiW (lpString1="Templates", lpString2=".") returned 1 [0163.614] lstrcmpiW (lpString1="Templates", lpString2="..") returned 1 [0163.614] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Templates") returned 32 [0163.614] GetProcessHeap () returned 0x4c0000 [0163.614] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0163.614] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\All Users\\Templates" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Templates") returned="\\\\?\\C:\\Users\\All Users\\Templates" [0163.614] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Templates", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Templates\\*") returned="\\\\?\\C:\\Users\\All Users\\Templates\\*" [0163.614] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Templates\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc95ad4c0, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc95ad4c0, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc95ad4c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="s")) returned 0xffffffff [0163.614] GetProcessHeap () returned 0x4c0000 [0163.614] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0163.614] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307753b3, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307753b3, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307753b3, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 0 [0163.615] FindClose (in: hFindFile=0x3bb7020 | out: hFindFile=0x3bb7020) returned 1 [0163.616] wnsprintfW (in: pszDest=0x57bb80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\PUSSY.TXT") returned 32 [0163.616] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\PUSSY.TXT" (normalized: "c:\\users\\all users\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.616] GetProcessHeap () returned 0x4c0000 [0163.616] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x57bb80 | out: hHeap=0x4c0000) returned 1 [0163.618] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x62fa4a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0xc0100080, cFileName="Default", cAlternateFileName="")) returned 1 [0163.618] lstrcmpiW (lpString1="Default", lpString2="Windows") returned -1 [0163.618] lstrcmpiW (lpString1="Default", lpString2="Program Files") returned -1 [0163.618] lstrcmpiW (lpString1="Default", lpString2="Program Files (x86)") returned -1 [0163.618] lstrcmpiW (lpString1="Default", lpString2="$Recycle.bin") returned 1 [0163.618] lstrcmpiW (lpString1="Default", lpString2="System Volume Information") returned -1 [0163.618] lstrcmpiW (lpString1="Default", lpString2=".") returned 1 [0163.618] lstrcmpiW (lpString1="Default", lpString2="..") returned 1 [0163.618] wnsprintfW (in: pszDest=0x3bb80d8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default") returned 20 [0163.618] GetProcessHeap () returned 0x4c0000 [0163.618] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0163.618] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\Default" | out: lpString1="\\\\?\\C:\\Users\\Default") returned="\\\\?\\C:\\Users\\Default" [0163.618] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\*") returned="\\\\?\\C:\\Users\\Default\\*" [0163.618] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\*", lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x62fa4a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName=".", cAlternateFileName="")) returned 0x3bb7020 [0163.618] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.618] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.618] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.618] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.618] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.618] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.618] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x62fa4a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="..", cAlternateFileName="")) returned 1 [0163.618] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.618] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.618] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.619] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.619] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.619] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.619] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.619] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xe9bbeade, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="AppData", cAlternateFileName="")) returned 1 [0163.619] lstrcmpiW (lpString1="AppData", lpString2="Windows") returned -1 [0163.619] lstrcmpiW (lpString1="AppData", lpString2="Program Files") returned -1 [0163.619] lstrcmpiW (lpString1="AppData", lpString2="Program Files (x86)") returned -1 [0163.619] lstrcmpiW (lpString1="AppData", lpString2="$Recycle.bin") returned 1 [0163.619] lstrcmpiW (lpString1="AppData", lpString2="System Volume Information") returned -1 [0163.619] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0163.619] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0163.619] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData") returned 28 [0163.619] GetProcessHeap () returned 0x4c0000 [0163.619] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0163.620] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\Default\\AppData" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData") returned="\\\\?\\C:\\Users\\Default\\AppData" [0163.620] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\*" [0163.620] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xe9bbeade, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dda10, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0163.620] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.620] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.620] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.620] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.620] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.620] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.620] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xe9bbeade, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dda10, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0163.620] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.620] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.620] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.620] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.620] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.620] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.620] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.620] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x66fe9c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x93e4774a, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dda10, dwReserved1=0x77c5f9e2, cFileName="Local", cAlternateFileName="")) returned 1 [0163.620] lstrcmpiW (lpString1="Local", lpString2="Windows") returned -1 [0163.620] lstrcmpiW (lpString1="Local", lpString2="Program Files") returned -1 [0163.620] lstrcmpiW (lpString1="Local", lpString2="Program Files (x86)") returned -1 [0163.621] lstrcmpiW (lpString1="Local", lpString2="$Recycle.bin") returned 1 [0163.621] lstrcmpiW (lpString1="Local", lpString2="System Volume Information") returned -1 [0163.621] lstrcmpiW (lpString1="Local", lpString2=".") returned 1 [0163.621] lstrcmpiW (lpString1="Local", lpString2="..") returned 1 [0163.621] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local") returned 34 [0163.621] GetProcessHeap () returned 0x4c0000 [0163.621] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0163.621] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local" [0163.622] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*" [0163.622] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x66fe9c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x93e4774a, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0163.622] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.622] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.622] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.623] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.623] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.623] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.623] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x66fe9c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x93e4774a, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0163.623] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.623] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.623] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.623] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.623] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.623] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.623] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.623] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0163.623] lstrcmpiW (lpString1="Application Data", lpString2="Windows") returned -1 [0163.623] lstrcmpiW (lpString1="Application Data", lpString2="Program Files") returned -1 [0163.623] lstrcmpiW (lpString1="Application Data", lpString2="Program Files (x86)") returned -1 [0163.623] lstrcmpiW (lpString1="Application Data", lpString2="$Recycle.bin") returned 1 [0163.623] lstrcmpiW (lpString1="Application Data", lpString2="System Volume Information") returned -1 [0163.623] lstrcmpiW (lpString1="Application Data", lpString2=".") returned 1 [0163.623] lstrcmpiW (lpString1="Application Data", lpString2="..") returned 1 [0163.623] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Application Data") returned 51 [0163.623] GetProcessHeap () returned 0x4c0000 [0163.623] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0163.624] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Application Data" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Application Data") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Application Data" [0163.624] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Application Data", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Application Data\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Application Data\\*" [0163.624] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Application Data\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc9561200, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc9561200, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc95ad4c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="a")) returned 0xffffffff [0163.624] GetProcessHeap () returned 0x4c0000 [0163.624] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0163.624] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="History", cAlternateFileName="")) returned 1 [0163.624] lstrcmpiW (lpString1="History", lpString2="Windows") returned -1 [0163.624] lstrcmpiW (lpString1="History", lpString2="Program Files") returned -1 [0163.624] lstrcmpiW (lpString1="History", lpString2="Program Files (x86)") returned -1 [0163.624] lstrcmpiW (lpString1="History", lpString2="$Recycle.bin") returned 1 [0163.624] lstrcmpiW (lpString1="History", lpString2="System Volume Information") returned -1 [0163.624] lstrcmpiW (lpString1="History", lpString2=".") returned 1 [0163.624] lstrcmpiW (lpString1="History", lpString2="..") returned 1 [0163.624] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\History") returned 42 [0163.625] GetProcessHeap () returned 0x4c0000 [0163.625] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0163.625] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\History" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\History") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\History" [0163.625] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\History", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\History\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\History\\*" [0163.625] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\History\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc9561200, ftCreationTime.dwHighDateTime=0x1d6b806, ftLastAccessTime.dwLowDateTime=0xc9561200, ftLastAccessTime.dwHighDateTime=0x1d6b806, ftLastWriteTime.dwLowDateTime=0xc95ad4c0, ftLastWriteTime.dwHighDateTime=0x1d6b806, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="PUSSY.TXT", cAlternateFileName="y")) returned 0xffffffff [0163.625] GetProcessHeap () returned 0x4c0000 [0163.625] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0163.625] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x66b2700, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x66b2700, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xddd35f67, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0xbd7f0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="IconCache.db", cAlternateFileName="ICONCA~1.DB")) returned 1 [0163.625] lstrcmpiW (lpString1="IconCache.db", lpString2="Windows") returned -1 [0163.625] lstrcmpiW (lpString1="IconCache.db", lpString2="Program Files") returned -1 [0163.625] lstrcmpiW (lpString1="IconCache.db", lpString2="Program Files (x86)") returned -1 [0163.626] lstrcmpiW (lpString1="IconCache.db", lpString2="$Recycle.bin") returned 1 [0163.626] lstrcmpiW (lpString1="IconCache.db", lpString2="System Volume Information") returned -1 [0163.626] lstrcmpiW (lpString1="IconCache.db", lpString2=".") returned 1 [0163.626] lstrcmpiW (lpString1="IconCache.db", lpString2="..") returned 1 [0163.626] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\IconCache.db") returned 47 [0163.626] lstrcmpW (lpString1="IconCache.db", lpString2="PUSSY.TXT") returned -1 [0163.626] PathFindExtensionW (pszPath="IconCache.db") returned=".db" [0163.626] lstrlenW (lpString=".db") returned 3 [0163.626] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0163.626] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\IconCache.db" (normalized: "c:\\users\\default\\appdata\\local\\iconcache.db"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0163.664] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=776176) returned 1 [0163.664] GetProcessHeap () returned 0x4c0000 [0163.664] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0163.675] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="74") returned 2 [0163.675] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="17") returned 2 [0163.675] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="8E") returned 2 [0163.675] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="44") returned 2 [0163.675] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="FB") returned 2 [0163.675] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="9C") returned 2 [0163.675] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="10") returned 2 [0163.675] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="E8") returned 2 [0163.675] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="DB") returned 2 [0163.675] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="DB") returned 2 [0163.675] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="9B") returned 2 [0163.675] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="A8") returned 2 [0163.675] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="38") returned 2 [0163.675] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="D2") returned 2 [0163.675] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="21") returned 2 [0163.675] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="08") returned 2 [0163.675] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="71") returned 2 [0163.675] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="D6") returned 2 [0163.675] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="BA") returned 2 [0163.675] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="C5") returned 2 [0163.675] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="99") returned 2 [0163.675] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="F2") returned 2 [0163.675] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="61") returned 2 [0163.675] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="23") returned 2 [0163.675] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="DF") returned 2 [0163.675] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="F6") returned 2 [0163.675] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="F1") returned 2 [0163.675] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="FC") returned 2 [0163.676] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="97") returned 2 [0163.676] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="2B") returned 2 [0163.676] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="4B") returned 2 [0163.676] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="4F") returned 2 [0163.684] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\IconCache.db" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\IconCache.db") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\IconCache.db" [0163.684] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\IconCache.db" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\IconCache.db") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\IconCache.db" [0163.684] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\IconCache.db", lpString2=".74178E44FB9C10E8DBDB9BA838D2210871D6BAC599F26123DFF6F1FC972B4B4F" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\IconCache.db.74178E44FB9C10E8DBDB9BA838D2210871D6BAC599F26123DFF6F1FC972B4B4F") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\IconCache.db.74178E44FB9C10E8DBDB9BA838D2210871D6BAC599F26123DFF6F1FC972B4B4F" [0163.684] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0163.684] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0163.684] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x184eadb, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0163.684] lstrcmpiW (lpString1="Microsoft", lpString2="Windows") returned -1 [0163.684] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files") returned -1 [0163.684] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files (x86)") returned -1 [0163.684] lstrcmpiW (lpString1="Microsoft", lpString2="$Recycle.bin") returned 1 [0163.684] lstrcmpiW (lpString1="Microsoft", lpString2="System Volume Information") returned -1 [0163.685] lstrcmpiW (lpString1="Microsoft", lpString2=".") returned 1 [0163.685] lstrcmpiW (lpString1="Microsoft", lpString2="..") returned 1 [0163.685] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft") returned 44 [0163.685] GetProcessHeap () returned 0x4c0000 [0163.685] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0163.685] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft" [0163.685] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\*" [0163.685] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x184eadb, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0163.738] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.738] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.738] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.738] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.738] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.738] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.738] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x184eadb, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0163.738] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.738] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.739] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.739] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.739] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.739] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.739] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.739] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xea43994d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Credentials", cAlternateFileName="CREDEN~1")) returned 1 [0163.739] lstrcmpiW (lpString1="Credentials", lpString2="Windows") returned -1 [0163.739] lstrcmpiW (lpString1="Credentials", lpString2="Program Files") returned -1 [0163.739] lstrcmpiW (lpString1="Credentials", lpString2="Program Files (x86)") returned -1 [0163.739] lstrcmpiW (lpString1="Credentials", lpString2="$Recycle.bin") returned 1 [0163.739] lstrcmpiW (lpString1="Credentials", lpString2="System Volume Information") returned -1 [0163.739] lstrcmpiW (lpString1="Credentials", lpString2=".") returned 1 [0163.739] lstrcmpiW (lpString1="Credentials", lpString2="..") returned 1 [0163.739] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Credentials") returned 56 [0163.739] GetProcessHeap () returned 0x4c0000 [0163.739] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0163.740] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Credentials" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Credentials") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Credentials" [0163.740] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Credentials", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Credentials\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Credentials\\*" [0163.740] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Credentials\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xea43994d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0163.741] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.741] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.741] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.741] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.741] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.741] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.741] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xea43994d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0163.741] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.741] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.741] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.741] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.741] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.742] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.742] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.742] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xea43994d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0163.742] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0163.742] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Credentials\\PUSSY.TXT") returned 66 [0163.742] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Credentials\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\credentials\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0163.743] lstrlenA (lpString="abcd") returned 4 [0163.743] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0163.744] CloseHandle (hObject=0x18c) returned 1 [0163.744] GetProcessHeap () returned 0x4c0000 [0163.744] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0163.744] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x66b2700, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xff0498b1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Feeds", cAlternateFileName="")) returned 1 [0163.744] lstrcmpiW (lpString1="Feeds", lpString2="Windows") returned -1 [0163.745] lstrcmpiW (lpString1="Feeds", lpString2="Program Files") returned -1 [0163.745] lstrcmpiW (lpString1="Feeds", lpString2="Program Files (x86)") returned -1 [0163.745] lstrcmpiW (lpString1="Feeds", lpString2="$Recycle.bin") returned 1 [0163.745] lstrcmpiW (lpString1="Feeds", lpString2="System Volume Information") returned -1 [0163.745] lstrcmpiW (lpString1="Feeds", lpString2=".") returned 1 [0163.745] lstrcmpiW (lpString1="Feeds", lpString2="..") returned 1 [0163.745] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds") returned 50 [0163.745] GetProcessHeap () returned 0x4c0000 [0163.745] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0163.745] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds" [0163.745] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\*" [0163.745] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x66b2700, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xff0498b1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0163.832] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.832] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.832] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.832] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.832] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.832] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.832] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x66b2700, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xff0498b1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0163.832] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.832] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.832] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.832] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.832] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.832] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.832] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.832] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x668c5a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x668c5a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xff107f92, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x1a00, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName="FeedsStore.feedsdb-ms", cAlternateFileName="FEEDSS~1.FEE")) returned 1 [0163.832] lstrcmpiW (lpString1="FeedsStore.feedsdb-ms", lpString2="Windows") returned -1 [0163.832] lstrcmpiW (lpString1="FeedsStore.feedsdb-ms", lpString2="Program Files") returned -1 [0163.832] lstrcmpiW (lpString1="FeedsStore.feedsdb-ms", lpString2="Program Files (x86)") returned -1 [0163.833] lstrcmpiW (lpString1="FeedsStore.feedsdb-ms", lpString2="$Recycle.bin") returned 1 [0163.833] lstrcmpiW (lpString1="FeedsStore.feedsdb-ms", lpString2="System Volume Information") returned -1 [0163.833] lstrcmpiW (lpString1="FeedsStore.feedsdb-ms", lpString2=".") returned 1 [0163.833] lstrcmpiW (lpString1="FeedsStore.feedsdb-ms", lpString2="..") returned 1 [0163.833] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms") returned 72 [0163.833] lstrcmpW (lpString1="FeedsStore.feedsdb-ms", lpString2="PUSSY.TXT") returned -1 [0163.833] PathFindExtensionW (pszPath="FeedsStore.feedsdb-ms") returned=".feedsdb-ms" [0163.833] lstrlenW (lpString=".feedsdb-ms") returned 11 [0163.833] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0163.833] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\feedsstore.feedsdb-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0163.834] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=6656) returned 1 [0163.834] GetProcessHeap () returned 0x4c0000 [0163.834] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c28098 [0163.843] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="D4") returned 2 [0163.843] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="F0") returned 2 [0163.843] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="00") returned 2 [0163.843] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="72") returned 2 [0163.843] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="95") returned 2 [0163.843] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="16") returned 2 [0163.843] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="D6") returned 2 [0163.843] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="5D") returned 2 [0163.843] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="1F") returned 2 [0163.843] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="88") returned 2 [0163.843] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="5C") returned 2 [0163.843] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="17") returned 2 [0163.843] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="26") returned 2 [0163.843] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="94") returned 2 [0163.843] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="1E") returned 2 [0163.843] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="1F") returned 2 [0163.843] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="44") returned 2 [0163.843] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="09") returned 2 [0163.843] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="56") returned 2 [0163.843] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="26") returned 2 [0163.843] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="DA") returned 2 [0163.843] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="22") returned 2 [0163.843] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="36") returned 2 [0163.843] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="FD") returned 2 [0163.844] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="06") returned 2 [0163.844] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="32") returned 2 [0163.844] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="76") returned 2 [0163.844] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="C5") returned 2 [0163.844] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="14") returned 2 [0163.844] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="19") returned 2 [0163.844] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="90") returned 2 [0163.844] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="48") returned 2 [0163.852] lstrcpyW (in: lpString1=0x3c380cc, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms" [0163.853] lstrcpyW (in: lpString1=0x3c280cc, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms" [0163.853] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms", lpString2=".D4F000729516D65D1F885C1726941E1F44095626DA2236FD063276C514199048" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms.D4F000729516D65D1F885C1726941E1F44095626DA2236FD063276C514199048") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms.D4F000729516D65D1F885C1726941E1F44095626DA2236FD063276C514199048" [0163.853] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x3c28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0163.853] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c28098, lpOverlapped=0x3c28098) returned 1 [0163.853] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x66b2700, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfee3456d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName="Microsoft Feeds~", cAlternateFileName="MICROS~1")) returned 1 [0163.853] lstrcmpiW (lpString1="Microsoft Feeds~", lpString2="Windows") returned -1 [0163.853] lstrcmpiW (lpString1="Microsoft Feeds~", lpString2="Program Files") returned -1 [0163.853] lstrcmpiW (lpString1="Microsoft Feeds~", lpString2="Program Files (x86)") returned -1 [0163.853] lstrcmpiW (lpString1="Microsoft Feeds~", lpString2="$Recycle.bin") returned 1 [0163.853] lstrcmpiW (lpString1="Microsoft Feeds~", lpString2="System Volume Information") returned -1 [0163.853] lstrcmpiW (lpString1="Microsoft Feeds~", lpString2=".") returned 1 [0163.853] lstrcmpiW (lpString1="Microsoft Feeds~", lpString2="..") returned 1 [0163.853] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~") returned 67 [0163.853] GetProcessHeap () returned 0x4c0000 [0163.853] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bd80e8 [0163.854] lstrcpyW (in: lpString1=0x3bd80e8, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~" [0163.854] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\*" [0163.854] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x66b2700, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfee3456d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0163.885] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.885] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.885] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.885] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.885] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.885] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.885] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x66b2700, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfee3456d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0163.885] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.885] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.885] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.885] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.885] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.885] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.885] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.885] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x668c5a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x668c5a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfeaa2466, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x7000, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="Microsoft at Home~.feed-ms", cAlternateFileName="MICROS~2.FEE")) returned 1 [0163.885] lstrcmpiW (lpString1="Microsoft at Home~.feed-ms", lpString2="Windows") returned -1 [0163.885] lstrcmpiW (lpString1="Microsoft at Home~.feed-ms", lpString2="Program Files") returned -1 [0163.886] lstrcmpiW (lpString1="Microsoft at Home~.feed-ms", lpString2="Program Files (x86)") returned -1 [0163.886] lstrcmpiW (lpString1="Microsoft at Home~.feed-ms", lpString2="$Recycle.bin") returned 1 [0163.886] lstrcmpiW (lpString1="Microsoft at Home~.feed-ms", lpString2="System Volume Information") returned -1 [0163.886] lstrcmpiW (lpString1="Microsoft at Home~.feed-ms", lpString2=".") returned 1 [0163.886] lstrcmpiW (lpString1="Microsoft at Home~.feed-ms", lpString2="..") returned 1 [0163.886] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms") returned 94 [0163.886] lstrcmpW (lpString1="Microsoft at Home~.feed-ms", lpString2="PUSSY.TXT") returned -1 [0163.886] PathFindExtensionW (pszPath="Microsoft at Home~.feed-ms") returned=".feed-ms" [0163.886] lstrlenW (lpString=".feed-ms") returned 8 [0163.886] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0163.886] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\microsoft at home~.feed-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x180 [0163.887] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=28672) returned 1 [0163.887] GetProcessHeap () returned 0x4c0000 [0163.887] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b28068 [0163.897] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="B7") returned 2 [0163.897] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="61") returned 2 [0163.897] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="16") returned 2 [0163.897] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="1D") returned 2 [0163.897] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="A9") returned 2 [0163.897] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="3F") returned 2 [0163.898] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="71") returned 2 [0163.898] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="61") returned 2 [0163.898] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="AF") returned 2 [0163.898] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="14") returned 2 [0163.898] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="2B") returned 2 [0163.898] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="E6") returned 2 [0163.898] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="77") returned 2 [0163.898] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="41") returned 2 [0163.898] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="CB") returned 2 [0163.898] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="36") returned 2 [0163.898] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="80") returned 2 [0163.898] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="54") returned 2 [0163.898] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="9E") returned 2 [0163.898] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="64") returned 2 [0163.898] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="0C") returned 2 [0163.898] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="9D") returned 2 [0163.898] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="09") returned 2 [0163.898] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="34") returned 2 [0163.898] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="69") returned 2 [0163.898] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="96") returned 2 [0163.898] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="06") returned 2 [0163.898] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="F3") returned 2 [0163.898] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="EF") returned 2 [0163.898] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="66") returned 2 [0163.898] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="4C") returned 2 [0163.898] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="3D") returned 2 [0163.906] lstrcpyW (in: lpString1=0x3b3809c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms" [0163.906] lstrcpyW (in: lpString1=0x3b2809c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms" [0163.906] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms", lpString2=".B761161DA93F7161AF142BE67741CB3680549E640C9D0934699606F3EF664C3D" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms.B761161DA93F7161AF142BE67741CB3680549E640C9D0934699606F3EF664C3D") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms.B761161DA93F7161AF142BE67741CB3680549E640C9D0934699606F3EF664C3D" [0163.907] CreateIoCompletionPort (FileHandle=0x180, ExistingCompletionPort=0x94, CompletionKey=0x3b28068, NumberOfConcurrentThreads=0x0) returned 0x94 [0163.907] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b28068, lpOverlapped=0x3b28068) returned 1 [0163.907] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x668c5a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x668c5a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfedc214c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x7000, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="Microsoft at Work~.feed-ms", cAlternateFileName="MICROS~1.FEE")) returned 1 [0163.907] lstrcmpiW (lpString1="Microsoft at Work~.feed-ms", lpString2="Windows") returned -1 [0163.907] lstrcmpiW (lpString1="Microsoft at Work~.feed-ms", lpString2="Program Files") returned -1 [0163.907] lstrcmpiW (lpString1="Microsoft at Work~.feed-ms", lpString2="Program Files (x86)") returned -1 [0163.907] lstrcmpiW (lpString1="Microsoft at Work~.feed-ms", lpString2="$Recycle.bin") returned 1 [0163.907] lstrcmpiW (lpString1="Microsoft at Work~.feed-ms", lpString2="System Volume Information") returned -1 [0163.907] lstrcmpiW (lpString1="Microsoft at Work~.feed-ms", lpString2=".") returned 1 [0163.907] lstrcmpiW (lpString1="Microsoft at Work~.feed-ms", lpString2="..") returned 1 [0163.907] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms") returned 94 [0163.907] lstrcmpW (lpString1="Microsoft at Work~.feed-ms", lpString2="PUSSY.TXT") returned -1 [0163.907] PathFindExtensionW (pszPath="Microsoft at Work~.feed-ms") returned=".feed-ms" [0163.907] lstrlenW (lpString=".feed-ms") returned 8 [0163.907] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0163.907] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\microsoft at work~.feed-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0163.908] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=28672) returned 1 [0163.908] GetProcessHeap () returned 0x4c0000 [0163.908] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b500b8 [0163.918] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="BE") returned 2 [0163.918] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="DA") returned 2 [0163.918] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="93") returned 2 [0163.918] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="D4") returned 2 [0163.918] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="F8") returned 2 [0163.918] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="2E") returned 2 [0163.918] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="6B") returned 2 [0163.918] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="15") returned 2 [0163.918] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="EF") returned 2 [0163.918] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="EE") returned 2 [0163.918] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="57") returned 2 [0163.918] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="E2") returned 2 [0163.918] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="5D") returned 2 [0163.919] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="82") returned 2 [0163.919] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="EF") returned 2 [0163.919] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="92") returned 2 [0163.919] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="60") returned 2 [0163.919] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="57") returned 2 [0163.919] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="7C") returned 2 [0163.919] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="A7") returned 2 [0163.919] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="14") returned 2 [0163.919] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="4B") returned 2 [0163.919] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="DA") returned 2 [0163.919] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="34") returned 2 [0163.919] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="60") returned 2 [0163.919] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="22") returned 2 [0163.919] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="F2") returned 2 [0163.919] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="41") returned 2 [0163.919] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="FC") returned 2 [0163.919] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="E0") returned 2 [0163.919] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="32") returned 2 [0163.919] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="7A") returned 2 [0163.930] lstrcpyW (in: lpString1=0x3b600ec, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms" [0163.931] lstrcpyW (in: lpString1=0x3b500ec, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms" [0163.931] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms", lpString2=".BEDA93D4F82E6B15EFEE57E25D82EF9260577CA7144BDA346022F241FCE0327A" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms.BEDA93D4F82E6B15EFEE57E25D82EF9260577CA7144BDA346022F241FCE0327A") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms.BEDA93D4F82E6B15EFEE57E25D82EF9260577CA7144BDA346022F241FCE0327A" [0163.931] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x3b500b8, NumberOfConcurrentThreads=0x0) returned 0x94 [0163.931] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b500b8, lpOverlapped=0x3b500b8) returned 1 [0163.931] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x668c5a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x668c5a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfee8082e, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x7000, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="MSNBC News~.feed-ms", cAlternateFileName="MSNBCN~1.FEE")) returned 1 [0163.931] lstrcmpiW (lpString1="MSNBC News~.feed-ms", lpString2="Windows") returned -1 [0163.931] lstrcmpiW (lpString1="MSNBC News~.feed-ms", lpString2="Program Files") returned -1 [0163.931] lstrcmpiW (lpString1="MSNBC News~.feed-ms", lpString2="Program Files (x86)") returned -1 [0163.931] lstrcmpiW (lpString1="MSNBC News~.feed-ms", lpString2="$Recycle.bin") returned 1 [0163.931] lstrcmpiW (lpString1="MSNBC News~.feed-ms", lpString2="System Volume Information") returned -1 [0163.931] lstrcmpiW (lpString1="MSNBC News~.feed-ms", lpString2=".") returned 1 [0163.931] lstrcmpiW (lpString1="MSNBC News~.feed-ms", lpString2="..") returned 1 [0163.931] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms") returned 87 [0163.931] lstrcmpW (lpString1="MSNBC News~.feed-ms", lpString2="PUSSY.TXT") returned -1 [0163.931] PathFindExtensionW (pszPath="MSNBC News~.feed-ms") returned=".feed-ms" [0163.931] lstrlenW (lpString=".feed-ms") returned 8 [0163.931] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0163.931] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\msnbc news~.feed-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0163.941] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=28672) returned 1 [0163.941] GetProcessHeap () returned 0x4c0000 [0163.941] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b78108 [0163.951] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="22") returned 2 [0163.951] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="B2") returned 2 [0163.951] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="19") returned 2 [0163.951] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="B6") returned 2 [0163.951] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="27") returned 2 [0163.951] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="13") returned 2 [0163.951] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="28") returned 2 [0163.951] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="00") returned 2 [0163.951] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="35") returned 2 [0163.951] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="F6") returned 2 [0163.951] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="15") returned 2 [0163.951] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="70") returned 2 [0163.951] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="8B") returned 2 [0163.952] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="5E") returned 2 [0163.952] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="0B") returned 2 [0163.952] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="4C") returned 2 [0163.952] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="5E") returned 2 [0163.952] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="DA") returned 2 [0163.952] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="E0") returned 2 [0163.952] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="C9") returned 2 [0163.952] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="87") returned 2 [0163.952] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="7B") returned 2 [0163.952] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="80") returned 2 [0163.952] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="33") returned 2 [0163.952] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="8E") returned 2 [0163.952] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="BB") returned 2 [0163.952] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="C5") returned 2 [0163.952] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="23") returned 2 [0163.952] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="13") returned 2 [0163.952] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="5C") returned 2 [0163.952] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="9D") returned 2 [0163.952] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="1E") returned 2 [0163.960] lstrcpyW (in: lpString1=0x3b8813c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms" [0163.960] lstrcpyW (in: lpString1=0x3b7813c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms" [0163.960] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms", lpString2=".22B219B62713280035F615708B5E0B4C5EDAE0C9877B80338EBBC523135C9D1E" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms.22B219B62713280035F615708B5E0B4C5EDAE0C9877B80338EBBC523135C9D1E") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms.22B219B62713280035F615708B5E0B4C5EDAE0C9877B80338EBBC523135C9D1E" [0163.960] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x94, CompletionKey=0x3b78108, NumberOfConcurrentThreads=0x0) returned 0x94 [0163.960] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b78108, lpOverlapped=0x3b78108) returned 1 [0163.960] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x668c5a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x668c5a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfee8082e, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x7000, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="MSNBC News~.feed-ms", cAlternateFileName="MSNBCN~1.FEE")) returned 0 [0163.961] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0163.961] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\PUSSY.TXT") returned 77 [0163.961] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0163.962] lstrlenA (lpString="abcd") returned 4 [0163.962] WriteFile (in: hFile=0x19c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0163.962] CloseHandle (hObject=0x19c) returned 1 [0163.963] GetProcessHeap () returned 0x4c0000 [0163.963] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bd80e8 | out: hHeap=0x4c0000) returned 1 [0163.963] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xff0498b1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName="{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", cAlternateFileName="{5588A~1")) returned 1 [0163.963] lstrcmpiW (lpString1="{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpString2="Windows") returned -1 [0163.963] lstrcmpiW (lpString1="{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpString2="Program Files") returned -1 [0163.963] lstrcmpiW (lpString1="{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpString2="Program Files (x86)") returned -1 [0163.963] lstrcmpiW (lpString1="{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpString2="$Recycle.bin") returned 1 [0163.963] lstrcmpiW (lpString1="{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpString2="System Volume Information") returned -1 [0163.963] lstrcmpiW (lpString1="{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpString2=".") returned 1 [0163.963] lstrcmpiW (lpString1="{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpString2="..") returned 1 [0163.963] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~") returned 90 [0163.963] GetProcessHeap () returned 0x4c0000 [0163.963] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bd80e8 [0163.963] lstrcpyW (in: lpString1=0x3bd80e8, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~" [0163.963] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\*" [0163.963] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xff0498b1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0163.963] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.963] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.963] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.964] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.964] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.964] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.964] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xff0498b1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0163.964] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.964] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.964] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.964] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.964] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.964] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.964] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.964] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x668c5a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xff0498b1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="WebSlices~", cAlternateFileName="WEBSLI~1")) returned 1 [0163.964] lstrcmpiW (lpString1="WebSlices~", lpString2="Windows") returned -1 [0163.964] lstrcmpiW (lpString1="WebSlices~", lpString2="Program Files") returned 1 [0163.964] lstrcmpiW (lpString1="WebSlices~", lpString2="Program Files (x86)") returned 1 [0163.964] lstrcmpiW (lpString1="WebSlices~", lpString2="$Recycle.bin") returned 1 [0163.964] lstrcmpiW (lpString1="WebSlices~", lpString2="System Volume Information") returned 1 [0163.964] lstrcmpiW (lpString1="WebSlices~", lpString2=".") returned 1 [0163.964] lstrcmpiW (lpString1="WebSlices~", lpString2="..") returned 1 [0163.964] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~") returned 101 [0163.964] GetProcessHeap () returned 0x4c0000 [0163.964] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c500e8 [0163.965] lstrcpyW (in: lpString1=0x3c500e8, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~" [0163.965] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\*" [0163.965] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x668c5a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xff0498b1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb71a0 [0163.965] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0163.965] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0163.965] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0163.965] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0163.965] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0163.965] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0163.965] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x668c5a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xff0498b1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3bf1228, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0163.965] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0163.965] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0163.966] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0163.966] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0163.966] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0163.966] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0163.966] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0163.966] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x668c5a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x668c5a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xff06fa11, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x7000, dwReserved0=0x3bf1228, dwReserved1=0x77c61b06, cFileName="Web Slice Gallery~.feed-ms", cAlternateFileName="WEBSLI~1.FEE")) returned 1 [0163.966] lstrcmpiW (lpString1="Web Slice Gallery~.feed-ms", lpString2="Windows") returned -1 [0163.966] lstrcmpiW (lpString1="Web Slice Gallery~.feed-ms", lpString2="Program Files") returned 1 [0163.966] lstrcmpiW (lpString1="Web Slice Gallery~.feed-ms", lpString2="Program Files (x86)") returned 1 [0163.966] lstrcmpiW (lpString1="Web Slice Gallery~.feed-ms", lpString2="$Recycle.bin") returned 1 [0163.966] lstrcmpiW (lpString1="Web Slice Gallery~.feed-ms", lpString2="System Volume Information") returned 1 [0163.966] lstrcmpiW (lpString1="Web Slice Gallery~.feed-ms", lpString2=".") returned 1 [0163.966] lstrcmpiW (lpString1="Web Slice Gallery~.feed-ms", lpString2="..") returned 1 [0163.966] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms") returned 128 [0163.966] lstrcmpW (lpString1="Web Slice Gallery~.feed-ms", lpString2="PUSSY.TXT") returned 1 [0163.966] PathFindExtensionW (pszPath="Web Slice Gallery~.feed-ms") returned=".feed-ms" [0163.966] lstrlenW (lpString=".feed-ms") returned 8 [0163.966] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0163.966] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\webslices~\\web slice gallery~.feed-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x128 [0163.967] GetFileSizeEx (in: hFile=0x128, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=28672) returned 1 [0163.967] GetProcessHeap () returned 0x4c0000 [0163.967] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0163.977] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="E5") returned 2 [0163.977] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="B0") returned 2 [0163.978] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="1A") returned 2 [0163.978] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="DF") returned 2 [0163.978] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="7D") returned 2 [0163.978] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="24") returned 2 [0163.978] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="55") returned 2 [0163.978] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="74") returned 2 [0163.978] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="60") returned 2 [0163.978] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="9B") returned 2 [0163.978] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="3A") returned 2 [0163.978] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="F4") returned 2 [0163.978] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="74") returned 2 [0163.978] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="4A") returned 2 [0163.978] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="74") returned 2 [0163.978] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="5D") returned 2 [0163.978] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="09") returned 2 [0163.978] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="BF") returned 2 [0163.978] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="84") returned 2 [0163.978] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="76") returned 2 [0163.978] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="5B") returned 2 [0163.978] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="F0") returned 2 [0163.979] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="1B") returned 2 [0163.979] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="20") returned 2 [0163.979] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="8B") returned 2 [0163.979] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="F5") returned 2 [0163.979] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="90") returned 2 [0163.979] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="24") returned 2 [0163.979] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="7A") returned 2 [0163.979] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="9E") returned 2 [0163.979] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="1D") returned 2 [0163.979] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="4C") returned 2 [0163.990] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms" [0163.991] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms" [0163.991] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms", lpString2=".E5B01ADF7D245574609B3AF4744A745D09BF84765BF01B208BF590247A9E1D4C" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms.E5B01ADF7D245574609B3AF4744A745D09BF84765BF01B208BF590247A9E1D4C") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms.E5B01ADF7D245574609B3AF4744A745D09BF84765BF01B208BF590247A9E1D4C" [0163.991] CreateIoCompletionPort (FileHandle=0x128, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0163.991] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0163.991] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x668c5a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x668c5a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xff06fa11, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x7000, dwReserved0=0x3bf1228, dwReserved1=0x77c61b06, cFileName="Web Slice Gallery~.feed-ms", cAlternateFileName="WEBSLI~1.FEE")) returned 0 [0163.991] FindClose (in: hFindFile=0x3bb71a0 | out: hFindFile=0x3bb71a0) returned 1 [0163.991] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\PUSSY.TXT") returned 111 [0163.991] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\webslices~\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0163.992] lstrlenA (lpString="abcd") returned 4 [0163.992] WriteFile (in: hFile=0xec, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0163.993] CloseHandle (hObject=0xec) returned 1 [0163.993] GetProcessHeap () returned 0x4c0000 [0163.994] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c500e8 | out: hHeap=0x4c0000) returned 1 [0163.994] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x668c5a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xff0498b1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="WebSlices~", cAlternateFileName="WEBSLI~1")) returned 0 [0163.994] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0163.996] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\PUSSY.TXT") returned 100 [0163.996] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0163.996] lstrlenA (lpString="abcd") returned 4 [0163.997] WriteFile (in: hFile=0x19c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0163.998] CloseHandle (hObject=0x19c) returned 1 [0163.998] GetProcessHeap () returned 0x4c0000 [0163.998] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bd80e8 | out: hHeap=0x4c0000) returned 1 [0163.998] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xff0498b1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName="{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", cAlternateFileName="{5588A~1")) returned 0 [0163.998] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0163.998] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\PUSSY.TXT") returned 60 [0163.998] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0163.998] lstrlenA (lpString="abcd") returned 4 [0163.999] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0163.999] CloseHandle (hObject=0x18c) returned 1 [0163.999] GetProcessHeap () returned 0x4c0000 [0164.000] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0164.002] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x668c5a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfea09ee5, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Feeds Cache", cAlternateFileName="FEEDSC~1")) returned 1 [0164.002] lstrcmpiW (lpString1="Feeds Cache", lpString2="Windows") returned -1 [0164.002] lstrcmpiW (lpString1="Feeds Cache", lpString2="Program Files") returned -1 [0164.002] lstrcmpiW (lpString1="Feeds Cache", lpString2="Program Files (x86)") returned -1 [0164.002] lstrcmpiW (lpString1="Feeds Cache", lpString2="$Recycle.bin") returned 1 [0164.002] lstrcmpiW (lpString1="Feeds Cache", lpString2="System Volume Information") returned -1 [0164.002] lstrcmpiW (lpString1="Feeds Cache", lpString2=".") returned 1 [0164.002] lstrcmpiW (lpString1="Feeds Cache", lpString2="..") returned 1 [0164.002] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache") returned 56 [0164.002] GetProcessHeap () returned 0x4c0000 [0164.003] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c500e8 [0164.004] lstrcpyW (in: lpString1=0x3c500e8, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache" [0164.004] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\*" [0164.004] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x668c5a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfea09ee5, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0164.247] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0164.247] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0164.247] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0164.247] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0164.247] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0164.247] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0164.247] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x668c5a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfea09ee5, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0164.247] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0164.247] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0164.247] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0164.247] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0164.247] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0164.247] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0164.247] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0164.247] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x668c5a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfedc214c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName="1NBUR4HR", cAlternateFileName="")) returned 1 [0164.247] lstrcmpiW (lpString1="1NBUR4HR", lpString2="Windows") returned -1 [0164.247] lstrcmpiW (lpString1="1NBUR4HR", lpString2="Program Files") returned -1 [0164.247] lstrcmpiW (lpString1="1NBUR4HR", lpString2="Program Files (x86)") returned -1 [0164.247] lstrcmpiW (lpString1="1NBUR4HR", lpString2="$Recycle.bin") returned 1 [0164.248] lstrcmpiW (lpString1="1NBUR4HR", lpString2="System Volume Information") returned -1 [0164.248] lstrcmpiW (lpString1="1NBUR4HR", lpString2=".") returned 1 [0164.248] lstrcmpiW (lpString1="1NBUR4HR", lpString2="..") returned 1 [0164.248] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR") returned 65 [0164.248] GetProcessHeap () returned 0x4c0000 [0164.248] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c600f0 [0164.248] lstrcpyW (in: lpString1=0x3c600f0, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR" [0164.248] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\*" [0164.248] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x668c5a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfedc214c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0164.248] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0164.248] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0164.248] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0164.248] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0164.249] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0164.249] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0164.249] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x668c5a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfedc214c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0164.249] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0164.249] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0164.249] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0164.249] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0164.249] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0164.249] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0164.249] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0164.249] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x668c5a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x668c5a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfea09ee5, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x43, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0164.249] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0164.249] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0164.249] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0164.249] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0164.249] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0164.249] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0164.249] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0164.249] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\desktop.ini") returned 77 [0164.249] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0164.249] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0164.249] lstrlenW (lpString=".ini") returned 4 [0164.249] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0164.249] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\desktop.ini" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\1nbur4hr\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0164.250] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=67) returned 1 [0164.250] CloseHandle (hObject=0x19c) returned 1 [0164.250] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x668c5a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x668c5a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfedc214c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="fwlink[1]", cAlternateFileName="FWLINK~1")) returned 1 [0164.250] lstrcmpiW (lpString1="fwlink[1]", lpString2="Windows") returned -1 [0164.250] lstrcmpiW (lpString1="fwlink[1]", lpString2="Program Files") returned -1 [0164.250] lstrcmpiW (lpString1="fwlink[1]", lpString2="Program Files (x86)") returned -1 [0164.251] lstrcmpiW (lpString1="fwlink[1]", lpString2="$Recycle.bin") returned 1 [0164.251] lstrcmpiW (lpString1="fwlink[1]", lpString2="System Volume Information") returned -1 [0164.251] lstrcmpiW (lpString1="fwlink[1]", lpString2=".") returned 1 [0164.251] lstrcmpiW (lpString1="fwlink[1]", lpString2="..") returned 1 [0164.251] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\fwlink[1]") returned 75 [0164.251] lstrcmpW (lpString1="fwlink[1]", lpString2="PUSSY.TXT") returned -1 [0164.251] PathFindExtensionW (pszPath="fwlink[1]") returned="" [0164.251] lstrlenW (lpString="") returned 0 [0164.251] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0164.251] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\fwlink[1]" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\1nbur4hr\\fwlink[1]"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0164.252] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=0) returned 1 [0164.252] CloseHandle (hObject=0x19c) returned 1 [0164.252] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x668c5a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x668c5a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfedc214c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="fwlink[1]", cAlternateFileName="FWLINK~1")) returned 0 [0164.252] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0164.252] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\PUSSY.TXT") returned 75 [0164.252] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\1nbur4hr\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0164.348] lstrlenA (lpString="abcd") returned 4 [0164.348] WriteFile (in: hFile=0x1b8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0164.349] CloseHandle (hObject=0x1b8) returned 1 [0164.349] GetProcessHeap () returned 0x4c0000 [0164.349] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c600f0 | out: hHeap=0x4c0000) returned 1 [0164.351] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x668c5a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfee8082e, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName="6ASVN7J7", cAlternateFileName="")) returned 1 [0164.351] lstrcmpiW (lpString1="6ASVN7J7", lpString2="Windows") returned -1 [0164.351] lstrcmpiW (lpString1="6ASVN7J7", lpString2="Program Files") returned -1 [0164.351] lstrcmpiW (lpString1="6ASVN7J7", lpString2="Program Files (x86)") returned -1 [0164.351] lstrcmpiW (lpString1="6ASVN7J7", lpString2="$Recycle.bin") returned 1 [0164.351] lstrcmpiW (lpString1="6ASVN7J7", lpString2="System Volume Information") returned -1 [0164.351] lstrcmpiW (lpString1="6ASVN7J7", lpString2=".") returned 1 [0164.352] lstrcmpiW (lpString1="6ASVN7J7", lpString2="..") returned 1 [0164.352] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7") returned 65 [0164.352] GetProcessHeap () returned 0x4c0000 [0164.352] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c600f0 [0164.353] lstrcpyW (in: lpString1=0x3c600f0, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7" [0164.353] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\*" [0164.353] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x668c5a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfee8082e, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0164.353] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0164.353] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0164.353] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0164.353] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0164.353] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0164.353] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0164.353] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x668c5a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfee8082e, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0164.354] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0164.354] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0164.354] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0164.354] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0164.354] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0164.354] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0164.354] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0164.354] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x668c5a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x668c5a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfea09ee5, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x43, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0164.354] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0164.354] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0164.354] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0164.354] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0164.354] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0164.354] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0164.354] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0164.354] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\desktop.ini") returned 77 [0164.355] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0164.355] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0164.355] lstrlenW (lpString=".ini") returned 4 [0164.355] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0164.355] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\desktop.ini" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\6asvn7j7\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0164.355] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=67) returned 1 [0164.355] CloseHandle (hObject=0x19c) returned 1 [0164.356] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x668c5a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x668c5a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfee8082e, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="fwlink[1]", cAlternateFileName="FWLINK~1")) returned 1 [0164.356] lstrcmpiW (lpString1="fwlink[1]", lpString2="Windows") returned -1 [0164.356] lstrcmpiW (lpString1="fwlink[1]", lpString2="Program Files") returned -1 [0164.356] lstrcmpiW (lpString1="fwlink[1]", lpString2="Program Files (x86)") returned -1 [0164.356] lstrcmpiW (lpString1="fwlink[1]", lpString2="$Recycle.bin") returned 1 [0164.356] lstrcmpiW (lpString1="fwlink[1]", lpString2="System Volume Information") returned -1 [0164.356] lstrcmpiW (lpString1="fwlink[1]", lpString2=".") returned 1 [0164.356] lstrcmpiW (lpString1="fwlink[1]", lpString2="..") returned 1 [0164.356] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\fwlink[1]") returned 75 [0164.356] lstrcmpW (lpString1="fwlink[1]", lpString2="PUSSY.TXT") returned -1 [0164.356] PathFindExtensionW (pszPath="fwlink[1]") returned="" [0164.356] lstrlenW (lpString="") returned 0 [0164.356] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0164.356] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\fwlink[1]" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\6asvn7j7\\fwlink[1]"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0164.357] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=0) returned 1 [0164.357] CloseHandle (hObject=0x19c) returned 1 [0164.357] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x668c5a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x668c5a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfee8082e, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="fwlink[1]", cAlternateFileName="FWLINK~1")) returned 0 [0164.357] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0164.357] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\PUSSY.TXT") returned 75 [0164.357] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\6asvn7j7\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0164.358] lstrlenA (lpString="abcd") returned 4 [0164.358] WriteFile (in: hFile=0x1b8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0164.359] CloseHandle (hObject=0x1b8) returned 1 [0164.359] GetProcessHeap () returned 0x4c0000 [0164.359] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c600f0 | out: hHeap=0x4c0000) returned 1 [0164.359] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x668c5a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xff06fa11, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName="D68G7BIJ", cAlternateFileName="")) returned 1 [0164.359] lstrcmpiW (lpString1="D68G7BIJ", lpString2="Windows") returned -1 [0164.378] lstrcmpiW (lpString1="D68G7BIJ", lpString2="Program Files") returned -1 [0164.378] lstrcmpiW (lpString1="D68G7BIJ", lpString2="Program Files (x86)") returned -1 [0164.378] lstrcmpiW (lpString1="D68G7BIJ", lpString2="$Recycle.bin") returned 1 [0164.378] lstrcmpiW (lpString1="D68G7BIJ", lpString2="System Volume Information") returned -1 [0164.378] lstrcmpiW (lpString1="D68G7BIJ", lpString2=".") returned 1 [0164.378] lstrcmpiW (lpString1="D68G7BIJ", lpString2="..") returned 1 [0164.378] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ") returned 65 [0164.378] GetProcessHeap () returned 0x4c0000 [0164.378] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c600f0 [0164.378] lstrcpyW (in: lpString1=0x3c600f0, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ" [0164.378] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\*" [0164.378] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x668c5a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xff06fa11, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0164.379] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0164.379] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0164.379] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0164.379] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0164.379] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0164.379] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0164.379] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x668c5a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xff06fa11, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0164.379] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0164.379] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0164.379] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0164.379] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0164.379] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0164.379] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0164.379] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0164.379] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x668c5a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x668c5a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfea09ee5, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x43, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0164.380] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0164.380] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0164.380] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0164.380] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0164.380] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0164.380] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0164.380] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0164.380] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\desktop.ini") returned 77 [0164.380] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0164.380] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0164.380] lstrlenW (lpString=".ini") returned 4 [0164.380] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0164.380] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\desktop.ini" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\d68g7bij\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0164.382] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=67) returned 1 [0164.382] CloseHandle (hObject=0x19c) returned 1 [0164.382] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x668c5a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x668c5a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xff06fa11, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="fwlink[1]", cAlternateFileName="FWLINK~1")) returned 1 [0164.382] lstrcmpiW (lpString1="fwlink[1]", lpString2="Windows") returned -1 [0164.382] lstrcmpiW (lpString1="fwlink[1]", lpString2="Program Files") returned -1 [0164.382] lstrcmpiW (lpString1="fwlink[1]", lpString2="Program Files (x86)") returned -1 [0164.382] lstrcmpiW (lpString1="fwlink[1]", lpString2="$Recycle.bin") returned 1 [0164.382] lstrcmpiW (lpString1="fwlink[1]", lpString2="System Volume Information") returned -1 [0164.382] lstrcmpiW (lpString1="fwlink[1]", lpString2=".") returned 1 [0164.382] lstrcmpiW (lpString1="fwlink[1]", lpString2="..") returned 1 [0164.382] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\fwlink[1]") returned 75 [0164.382] lstrcmpW (lpString1="fwlink[1]", lpString2="PUSSY.TXT") returned -1 [0164.382] PathFindExtensionW (pszPath="fwlink[1]") returned="" [0164.383] lstrlenW (lpString="") returned 0 [0164.383] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0164.383] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\fwlink[1]" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\d68g7bij\\fwlink[1]"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0164.383] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=0) returned 1 [0164.383] CloseHandle (hObject=0x19c) returned 1 [0164.384] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x668c5a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x668c5a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xff06fa11, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="fwlink[1]", cAlternateFileName="FWLINK~1")) returned 0 [0164.384] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0164.384] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\PUSSY.TXT") returned 75 [0164.384] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\d68g7bij\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0164.384] lstrlenA (lpString="abcd") returned 4 [0164.384] WriteFile (in: hFile=0x1b8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0164.385] CloseHandle (hObject=0x1b8) returned 1 [0164.386] GetProcessHeap () returned 0x4c0000 [0164.386] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c600f0 | out: hHeap=0x4c0000) returned 1 [0164.386] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x668c5a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x668c5a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe9e3d85, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x43, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0164.386] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0164.386] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0164.386] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0164.386] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0164.386] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0164.386] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0164.386] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0164.386] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\desktop.ini") returned 68 [0164.386] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0164.386] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0164.386] lstrlenW (lpString=".ini") returned 4 [0164.386] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0164.386] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\desktop.ini" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0164.387] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=67) returned 1 [0164.387] CloseHandle (hObject=0x1b8) returned 1 [0164.387] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x668c5a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x668c5a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa9d0d0, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName="index.dat", cAlternateFileName="")) returned 1 [0164.387] lstrcmpiW (lpString1="index.dat", lpString2="Windows") returned -1 [0164.387] lstrcmpiW (lpString1="index.dat", lpString2="Program Files") returned -1 [0164.387] lstrcmpiW (lpString1="index.dat", lpString2="Program Files (x86)") returned -1 [0164.387] lstrcmpiW (lpString1="index.dat", lpString2="$Recycle.bin") returned 1 [0164.387] lstrcmpiW (lpString1="index.dat", lpString2="System Volume Information") returned -1 [0164.387] lstrcmpiW (lpString1="index.dat", lpString2=".") returned 1 [0164.388] lstrcmpiW (lpString1="index.dat", lpString2="..") returned 1 [0164.388] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat") returned 66 [0164.388] lstrcmpW (lpString1="index.dat", lpString2="PUSSY.TXT") returned -1 [0164.388] PathFindExtensionW (pszPath="index.dat") returned=".dat" [0164.388] lstrlenW (lpString=".dat") returned 4 [0164.388] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0164.388] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\index.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0164.389] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=32768) returned 1 [0164.389] GetProcessHeap () returned 0x4c0000 [0164.389] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c28098 [0164.403] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="4D") returned 2 [0164.403] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="40") returned 2 [0164.403] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="44") returned 2 [0164.403] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="39") returned 2 [0164.403] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="9C") returned 2 [0164.403] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="55") returned 2 [0164.403] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="8D") returned 2 [0164.403] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="37") returned 2 [0164.403] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="88") returned 2 [0164.404] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="29") returned 2 [0164.404] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="61") returned 2 [0164.404] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="B5") returned 2 [0164.404] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="00") returned 2 [0164.404] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="2E") returned 2 [0164.404] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="6B") returned 2 [0164.404] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="9A") returned 2 [0164.404] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="CA") returned 2 [0164.404] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="CA") returned 2 [0164.404] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="A5") returned 2 [0164.404] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="AD") returned 2 [0164.404] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="6B") returned 2 [0164.404] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="70") returned 2 [0164.404] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="14") returned 2 [0164.404] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="76") returned 2 [0164.404] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="30") returned 2 [0164.404] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="DE") returned 2 [0164.404] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="73") returned 2 [0164.404] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="16") returned 2 [0164.405] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="98") returned 2 [0164.405] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="77") returned 2 [0164.405] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="01") returned 2 [0164.405] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="3C") returned 2 [0164.444] lstrcpyW (in: lpString1=0x3c380cc, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat" [0164.444] lstrcpyW (in: lpString1=0x3c280cc, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat" [0164.444] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat", lpString2=".4D4044399C558D37882961B5002E6B9ACACAA5AD6B70147630DE73169877013C" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat.4D4044399C558D37882961B5002E6B9ACACAA5AD6B70147630DE73169877013C") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat.4D4044399C558D37882961B5002E6B9ACACAA5AD6B70147630DE73169877013C" [0164.444] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x3c28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0164.445] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c28098, lpOverlapped=0x3c28098) returned 1 [0164.488] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x668c5a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfed03a6b, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName="KQMHSVKD", cAlternateFileName="")) returned 1 [0164.489] lstrcmpiW (lpString1="KQMHSVKD", lpString2="Windows") returned -1 [0164.489] lstrcmpiW (lpString1="KQMHSVKD", lpString2="Program Files") returned -1 [0164.489] lstrcmpiW (lpString1="KQMHSVKD", lpString2="Program Files (x86)") returned -1 [0164.489] lstrcmpiW (lpString1="KQMHSVKD", lpString2="$Recycle.bin") returned 1 [0164.489] lstrcmpiW (lpString1="KQMHSVKD", lpString2="System Volume Information") returned -1 [0164.489] lstrcmpiW (lpString1="KQMHSVKD", lpString2=".") returned 1 [0164.489] lstrcmpiW (lpString1="KQMHSVKD", lpString2="..") returned 1 [0164.489] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD") returned 65 [0164.489] GetProcessHeap () returned 0x4c0000 [0164.489] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c600f0 [0164.490] lstrcpyW (in: lpString1=0x3c600f0, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD" [0164.490] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\*" [0164.490] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x668c5a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfed03a6b, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0164.490] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0164.490] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0164.490] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0164.490] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0164.491] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0164.491] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0164.491] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x668c5a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfed03a6b, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0164.491] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0164.491] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0164.491] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0164.491] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0164.491] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0164.491] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0164.491] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0164.491] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x668c5a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x668c5a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe9e3d85, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x43, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0164.491] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0164.491] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0164.491] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0164.491] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0164.492] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0164.492] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0164.492] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0164.492] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\desktop.ini") returned 77 [0164.492] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0164.492] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0164.492] lstrlenW (lpString=".ini") returned 4 [0164.492] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0164.492] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\desktop.ini" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\kqmhsvkd\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x128 [0164.493] GetFileSizeEx (in: hFile=0x128, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=67) returned 1 [0164.493] CloseHandle (hObject=0x128) returned 1 [0164.498] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6666440, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6666440, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfed03a6b, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="fwlink[1]", cAlternateFileName="FWLINK~1")) returned 1 [0164.498] lstrcmpiW (lpString1="fwlink[1]", lpString2="Windows") returned -1 [0164.498] lstrcmpiW (lpString1="fwlink[1]", lpString2="Program Files") returned -1 [0164.499] lstrcmpiW (lpString1="fwlink[1]", lpString2="Program Files (x86)") returned -1 [0164.499] lstrcmpiW (lpString1="fwlink[1]", lpString2="$Recycle.bin") returned 1 [0164.499] lstrcmpiW (lpString1="fwlink[1]", lpString2="System Volume Information") returned -1 [0164.499] lstrcmpiW (lpString1="fwlink[1]", lpString2=".") returned 1 [0164.499] lstrcmpiW (lpString1="fwlink[1]", lpString2="..") returned 1 [0164.499] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\fwlink[1]") returned 75 [0164.499] lstrcmpW (lpString1="fwlink[1]", lpString2="PUSSY.TXT") returned -1 [0164.499] PathFindExtensionW (pszPath="fwlink[1]") returned="" [0164.499] lstrlenW (lpString="") returned 0 [0164.499] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0164.499] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\fwlink[1]" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\kqmhsvkd\\fwlink[1]"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0164.500] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=0) returned 1 [0164.500] CloseHandle (hObject=0x120) returned 1 [0164.500] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6666440, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6666440, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfed03a6b, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="fwlink[1]", cAlternateFileName="FWLINK~1")) returned 0 [0164.500] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0164.500] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\PUSSY.TXT") returned 75 [0164.500] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\kqmhsvkd\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0164.501] lstrlenA (lpString="abcd") returned 4 [0164.501] WriteFile (in: hFile=0x1d0, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0164.502] CloseHandle (hObject=0x1d0) returned 1 [0164.502] GetProcessHeap () returned 0x4c0000 [0164.502] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c600f0 | out: hHeap=0x4c0000) returned 1 [0164.502] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x668c5a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfed03a6b, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName="KQMHSVKD", cAlternateFileName="")) returned 0 [0164.502] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0164.503] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\PUSSY.TXT") returned 66 [0164.503] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0164.504] lstrlenA (lpString="abcd") returned 4 [0164.504] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0164.505] CloseHandle (hObject=0x18c) returned 1 [0164.505] GetProcessHeap () returned 0x4c0000 [0164.505] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c500e8 | out: hHeap=0x4c0000) returned 1 [0164.507] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x668c5a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96e13f, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0164.507] lstrcmpiW (lpString1="Internet Explorer", lpString2="Windows") returned -1 [0164.507] lstrcmpiW (lpString1="Internet Explorer", lpString2="Program Files") returned -1 [0164.507] lstrcmpiW (lpString1="Internet Explorer", lpString2="Program Files (x86)") returned -1 [0164.507] lstrcmpiW (lpString1="Internet Explorer", lpString2="$Recycle.bin") returned 1 [0164.507] lstrcmpiW (lpString1="Internet Explorer", lpString2="System Volume Information") returned -1 [0164.507] lstrcmpiW (lpString1="Internet Explorer", lpString2=".") returned 1 [0164.507] lstrcmpiW (lpString1="Internet Explorer", lpString2="..") returned 1 [0164.507] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer") returned 62 [0164.507] GetProcessHeap () returned 0x4c0000 [0164.507] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c500e8 [0164.508] lstrcpyW (in: lpString1=0x3c500e8, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer" [0164.508] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\*" [0164.508] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x668c5a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96e13f, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0164.509] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0164.509] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0164.509] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0164.509] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0164.509] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0164.509] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0164.509] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x668c5a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96e13f, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0164.509] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0164.509] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0164.510] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0164.510] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0164.510] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0164.510] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0164.510] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0164.510] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6666440, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6666440, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xff12e0f2, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x2fa9, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName="brndlog.bak", cAlternateFileName="")) returned 1 [0164.510] lstrcmpiW (lpString1="brndlog.bak", lpString2="Windows") returned -1 [0164.510] lstrcmpiW (lpString1="brndlog.bak", lpString2="Program Files") returned -1 [0164.510] lstrcmpiW (lpString1="brndlog.bak", lpString2="Program Files (x86)") returned -1 [0164.510] lstrcmpiW (lpString1="brndlog.bak", lpString2="$Recycle.bin") returned 1 [0164.510] lstrcmpiW (lpString1="brndlog.bak", lpString2="System Volume Information") returned -1 [0164.510] lstrcmpiW (lpString1="brndlog.bak", lpString2=".") returned 1 [0164.510] lstrcmpiW (lpString1="brndlog.bak", lpString2="..") returned 1 [0164.510] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak") returned 74 [0164.510] lstrcmpW (lpString1="brndlog.bak", lpString2="PUSSY.TXT") returned -1 [0164.510] PathFindExtensionW (pszPath="brndlog.bak") returned=".bak" [0164.510] lstrlenW (lpString=".bak") returned 4 [0164.510] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0164.510] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\internet explorer\\brndlog.bak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d0 [0164.512] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=12201) returned 1 [0164.512] GetProcessHeap () returned 0x4c0000 [0164.512] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0164.525] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="B4") returned 2 [0164.525] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="29") returned 2 [0164.525] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="B0") returned 2 [0164.525] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="A6") returned 2 [0164.525] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="29") returned 2 [0164.525] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="33") returned 2 [0164.525] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="CD") returned 2 [0164.525] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="39") returned 2 [0164.525] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="D0") returned 2 [0164.525] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="62") returned 2 [0164.525] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="CB") returned 2 [0164.525] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="19") returned 2 [0164.525] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="F9") returned 2 [0164.525] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="43") returned 2 [0164.525] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="B0") returned 2 [0164.525] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="35") returned 2 [0164.525] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="CC") returned 2 [0164.525] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="CE") returned 2 [0164.526] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="0E") returned 2 [0164.526] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="13") returned 2 [0164.526] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="9A") returned 2 [0164.526] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="BC") returned 2 [0164.526] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="3F") returned 2 [0164.526] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="9F") returned 2 [0164.526] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="54") returned 2 [0164.526] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="8A") returned 2 [0164.526] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="A7") returned 2 [0164.526] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="9E") returned 2 [0164.526] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="90") returned 2 [0164.526] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="D3") returned 2 [0164.526] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="C3") returned 2 [0164.526] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="4B") returned 2 [0164.539] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak" [0164.539] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak" [0164.539] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak", lpString2=".B429B0A62933CD39D062CB19F943B035CCCE0E139ABC3F9F548AA79E90D3C34B" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak.B429B0A62933CD39D062CB19F943B035CCCE0E139ABC3F9F548AA79E90D3C34B") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak.B429B0A62933CD39D062CB19F943B035CCCE0E139ABC3F9F548AA79E90D3C34B" [0164.539] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0164.539] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0164.539] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6666440, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6666440, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xb371c2, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x2fa9, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName="brndlog.txt", cAlternateFileName="")) returned 1 [0164.539] lstrcmpiW (lpString1="brndlog.txt", lpString2="Windows") returned -1 [0164.539] lstrcmpiW (lpString1="brndlog.txt", lpString2="Program Files") returned -1 [0164.539] lstrcmpiW (lpString1="brndlog.txt", lpString2="Program Files (x86)") returned -1 [0164.539] lstrcmpiW (lpString1="brndlog.txt", lpString2="$Recycle.bin") returned 1 [0164.539] lstrcmpiW (lpString1="brndlog.txt", lpString2="System Volume Information") returned -1 [0164.539] lstrcmpiW (lpString1="brndlog.txt", lpString2=".") returned 1 [0164.539] lstrcmpiW (lpString1="brndlog.txt", lpString2="..") returned 1 [0164.539] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt") returned 74 [0164.539] lstrcmpW (lpString1="brndlog.txt", lpString2="PUSSY.TXT") returned -1 [0164.539] PathFindExtensionW (pszPath="brndlog.txt") returned=".txt" [0164.539] lstrlenW (lpString=".txt") returned 4 [0164.539] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0164.540] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\internet explorer\\brndlog.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x120 [0164.540] GetFileSizeEx (in: hFile=0x120, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=12201) returned 1 [0164.540] GetProcessHeap () returned 0x4c0000 [0164.541] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0164.555] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="3F") returned 2 [0164.555] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="CC") returned 2 [0164.555] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="8E") returned 2 [0164.555] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="5E") returned 2 [0164.555] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="D2") returned 2 [0164.555] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="00") returned 2 [0164.555] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="55") returned 2 [0164.555] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="58") returned 2 [0164.555] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="17") returned 2 [0164.555] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="44") returned 2 [0164.555] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="FB") returned 2 [0164.555] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="E5") returned 2 [0164.555] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="98") returned 2 [0164.555] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="19") returned 2 [0164.556] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="4B") returned 2 [0164.556] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="79") returned 2 [0164.556] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="2B") returned 2 [0164.556] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="07") returned 2 [0164.556] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="25") returned 2 [0164.556] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="CC") returned 2 [0164.556] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="36") returned 2 [0164.556] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="68") returned 2 [0164.556] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="8A") returned 2 [0164.556] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="74") returned 2 [0164.556] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="95") returned 2 [0164.556] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="6B") returned 2 [0164.556] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="C8") returned 2 [0164.556] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="5D") returned 2 [0164.556] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="0B") returned 2 [0164.556] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="70") returned 2 [0164.556] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="03") returned 2 [0164.556] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="2F") returned 2 [0164.568] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt" [0164.568] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt" [0164.568] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt", lpString2=".3FCC8E5ED20055581744FBE598194B792B0725CC36688A74956BC85D0B70032F" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt.3FCC8E5ED20055581744FBE598194B792B0725CC36688A74956BC85D0B70032F") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt.3FCC8E5ED20055581744FBE598194B792B0725CC36688A74956BC85D0B70032F" [0164.568] CreateIoCompletionPort (FileHandle=0x120, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0164.569] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0164.569] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6666440, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6666440, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xb371c2, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x2fa9, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName="brndlog.txt", cAlternateFileName="")) returned 0 [0164.569] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0164.569] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\PUSSY.TXT") returned 72 [0164.569] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\internet explorer\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0164.570] lstrlenA (lpString="abcd") returned 4 [0164.570] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0164.571] CloseHandle (hObject=0x18c) returned 1 [0164.571] GetProcessHeap () returned 0x4c0000 [0164.571] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c500e8 | out: hHeap=0x4c0000) returned 1 [0164.571] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x66b2700, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd856f385, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Media Player", cAlternateFileName="MEDIAP~1")) returned 1 [0164.571] lstrcmpiW (lpString1="Media Player", lpString2="Windows") returned -1 [0164.571] lstrcmpiW (lpString1="Media Player", lpString2="Program Files") returned -1 [0164.571] lstrcmpiW (lpString1="Media Player", lpString2="Program Files (x86)") returned -1 [0164.571] lstrcmpiW (lpString1="Media Player", lpString2="$Recycle.bin") returned 1 [0164.572] lstrcmpiW (lpString1="Media Player", lpString2="System Volume Information") returned -1 [0164.572] lstrcmpiW (lpString1="Media Player", lpString2=".") returned 1 [0164.572] lstrcmpiW (lpString1="Media Player", lpString2="..") returned 1 [0164.572] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player") returned 57 [0164.572] GetProcessHeap () returned 0x4c0000 [0164.572] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c500e8 [0164.572] lstrcpyW (in: lpString1=0x3c500e8, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player" [0164.572] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\*" [0164.572] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x66b2700, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd856f385, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0164.704] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0164.704] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0164.704] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0164.704] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0164.704] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0164.704] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0164.704] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x66b2700, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd856f385, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0164.704] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0164.704] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0164.704] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0164.704] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0164.704] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0164.704] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0164.704] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0164.704] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6666440, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6666440, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8679d27, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x105000, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName="CurrentDatabase_372.wmdb", cAlternateFileName="CURREN~1.WMD")) returned 1 [0164.704] lstrcmpiW (lpString1="CurrentDatabase_372.wmdb", lpString2="Windows") returned -1 [0164.704] lstrcmpiW (lpString1="CurrentDatabase_372.wmdb", lpString2="Program Files") returned -1 [0164.704] lstrcmpiW (lpString1="CurrentDatabase_372.wmdb", lpString2="Program Files (x86)") returned -1 [0164.705] lstrcmpiW (lpString1="CurrentDatabase_372.wmdb", lpString2="$Recycle.bin") returned 1 [0164.705] lstrcmpiW (lpString1="CurrentDatabase_372.wmdb", lpString2="System Volume Information") returned -1 [0164.705] lstrcmpiW (lpString1="CurrentDatabase_372.wmdb", lpString2=".") returned 1 [0164.705] lstrcmpiW (lpString1="CurrentDatabase_372.wmdb", lpString2="..") returned 1 [0164.705] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb") returned 82 [0164.705] lstrcmpW (lpString1="CurrentDatabase_372.wmdb", lpString2="PUSSY.TXT") returned -1 [0164.705] PathFindExtensionW (pszPath="CurrentDatabase_372.wmdb") returned=".wmdb" [0164.705] lstrlenW (lpString=".wmdb") returned 5 [0164.705] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0164.705] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\currentdatabase_372.wmdb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x180 [0164.706] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=1069056) returned 1 [0164.706] GetProcessHeap () returned 0x4c0000 [0164.706] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b500b8 [0164.730] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="7B") returned 2 [0164.730] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="8E") returned 2 [0164.730] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="6C") returned 2 [0164.730] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="F5") returned 2 [0164.730] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="A0") returned 2 [0164.731] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="A1") returned 2 [0164.731] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="84") returned 2 [0164.731] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="AB") returned 2 [0164.731] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="D2") returned 2 [0164.731] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="81") returned 2 [0164.731] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="3C") returned 2 [0164.731] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="97") returned 2 [0164.731] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="64") returned 2 [0164.731] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="CD") returned 2 [0164.731] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="3D") returned 2 [0164.731] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="E0") returned 2 [0164.731] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="CA") returned 2 [0164.731] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="B6") returned 2 [0164.731] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="86") returned 2 [0164.731] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="26") returned 2 [0164.731] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="E1") returned 2 [0164.731] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="19") returned 2 [0164.731] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="69") returned 2 [0164.731] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="CD") returned 2 [0164.731] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="52") returned 2 [0164.731] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="C4") returned 2 [0164.731] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="76") returned 2 [0164.731] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="D2") returned 2 [0164.732] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="CF") returned 2 [0164.732] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="0F") returned 2 [0164.732] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="07") returned 2 [0164.732] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="54") returned 2 [0164.744] lstrcpyW (in: lpString1=0x3b600ec, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb" [0164.744] lstrcpyW (in: lpString1=0x3b500ec, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb" [0164.744] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb", lpString2=".7B8E6CF5A0A184ABD2813C9764CD3DE0CAB68626E11969CD52C476D2CF0F0754" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb.7B8E6CF5A0A184ABD2813C9764CD3DE0CAB68626E11969CD52C476D2CF0F0754") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb.7B8E6CF5A0A184ABD2813C9764CD3DE0CAB68626E11969CD52C476D2CF0F0754" [0164.744] CreateIoCompletionPort (FileHandle=0x180, ExistingCompletionPort=0x94, CompletionKey=0x3b500b8, NumberOfConcurrentThreads=0x0) returned 0x94 [0164.744] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b500b8, lpOverlapped=0x3b500b8) returned 1 [0164.744] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6666440, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6666440, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd856f385, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1106c, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName="LocalMLS_3.wmdb", cAlternateFileName="LOCALM~1.WMD")) returned 1 [0164.744] lstrcmpiW (lpString1="LocalMLS_3.wmdb", lpString2="Windows") returned -1 [0164.744] lstrcmpiW (lpString1="LocalMLS_3.wmdb", lpString2="Program Files") returned -1 [0164.790] lstrcmpiW (lpString1="LocalMLS_3.wmdb", lpString2="Program Files (x86)") returned -1 [0164.790] lstrcmpiW (lpString1="LocalMLS_3.wmdb", lpString2="$Recycle.bin") returned 1 [0164.790] lstrcmpiW (lpString1="LocalMLS_3.wmdb", lpString2="System Volume Information") returned -1 [0164.790] lstrcmpiW (lpString1="LocalMLS_3.wmdb", lpString2=".") returned 1 [0164.790] lstrcmpiW (lpString1="LocalMLS_3.wmdb", lpString2="..") returned 1 [0164.790] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb") returned 73 [0164.790] lstrcmpW (lpString1="LocalMLS_3.wmdb", lpString2="PUSSY.TXT") returned -1 [0164.790] PathFindExtensionW (pszPath="LocalMLS_3.wmdb") returned=".wmdb" [0164.790] lstrlenW (lpString=".wmdb") returned 5 [0164.790] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0164.790] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\localmls_3.wmdb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0164.792] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=69740) returned 1 [0164.792] GetProcessHeap () returned 0x4c0000 [0164.792] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c28098 [0164.806] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="4A") returned 2 [0164.806] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="C4") returned 2 [0164.806] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="D6") returned 2 [0164.806] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="8B") returned 2 [0164.806] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="02") returned 2 [0164.806] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="A9") returned 2 [0164.806] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="30") returned 2 [0164.806] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="D5") returned 2 [0164.806] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="9D") returned 2 [0164.806] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="51") returned 2 [0164.806] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="47") returned 2 [0164.806] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="DE") returned 2 [0164.806] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="AB") returned 2 [0164.806] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="39") returned 2 [0164.806] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="31") returned 2 [0164.806] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="3E") returned 2 [0164.806] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="8B") returned 2 [0164.807] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="13") returned 2 [0164.807] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="D2") returned 2 [0164.807] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="7E") returned 2 [0164.807] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="FF") returned 2 [0164.807] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="1C") returned 2 [0164.807] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="40") returned 2 [0164.807] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="70") returned 2 [0164.807] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="12") returned 2 [0164.807] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="CD") returned 2 [0164.807] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="1D") returned 2 [0164.807] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="F9") returned 2 [0164.807] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="4D") returned 2 [0164.807] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="E6") returned 2 [0164.807] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="5A") returned 2 [0164.807] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="06") returned 2 [0164.817] lstrcpyW (in: lpString1=0x3c380cc, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb" [0164.817] lstrcpyW (in: lpString1=0x3c280cc, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb" [0164.817] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb", lpString2=".4AC4D68B02A930D59D5147DEAB39313E8B13D27EFF1C407012CD1DF94DE65A06" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb.4AC4D68B02A930D59D5147DEAB39313E8B13D27EFF1C407012CD1DF94DE65A06") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb.4AC4D68B02A930D59D5147DEAB39313E8B13D27EFF1C407012CD1DF94DE65A06" [0164.817] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x3c28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0164.817] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c28098, lpOverlapped=0x3c28098) returned 1 [0164.817] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf73e9a4c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName="Sync Playlists", cAlternateFileName="SYNCPL~1")) returned 1 [0164.817] lstrcmpiW (lpString1="Sync Playlists", lpString2="Windows") returned -1 [0164.817] lstrcmpiW (lpString1="Sync Playlists", lpString2="Program Files") returned 1 [0164.817] lstrcmpiW (lpString1="Sync Playlists", lpString2="Program Files (x86)") returned 1 [0164.817] lstrcmpiW (lpString1="Sync Playlists", lpString2="$Recycle.bin") returned 1 [0164.817] lstrcmpiW (lpString1="Sync Playlists", lpString2="System Volume Information") returned -1 [0164.817] lstrcmpiW (lpString1="Sync Playlists", lpString2=".") returned 1 [0164.817] lstrcmpiW (lpString1="Sync Playlists", lpString2="..") returned 1 [0164.817] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists") returned 72 [0164.817] GetProcessHeap () returned 0x4c0000 [0164.817] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c600f0 [0164.818] lstrcpyW (in: lpString1=0x3c600f0, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists" [0164.818] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\*" [0164.818] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf73e9a4c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0164.819] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0164.819] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0164.819] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0164.819] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0164.819] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0164.819] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0164.819] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf73e9a4c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0164.819] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0164.819] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0164.819] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0164.819] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0164.819] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0164.819] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0164.820] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0164.820] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf73e9a4c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="en-US", cAlternateFileName="")) returned 1 [0164.820] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0164.820] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0164.820] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0164.820] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0164.820] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0164.820] lstrcmpiW (lpString1="en-US", lpString2=".") returned 1 [0164.820] lstrcmpiW (lpString1="en-US", lpString2="..") returned 1 [0164.820] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US") returned 78 [0164.820] GetProcessHeap () returned 0x4c0000 [0164.820] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0164.821] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US" [0164.821] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\*" [0164.821] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf73e9a4c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb71a0 [0164.821] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0164.821] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0164.821] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0164.821] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0164.821] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0164.821] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0164.821] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf73e9a4c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0164.821] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0164.821] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0164.822] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0164.822] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0164.822] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0164.822] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0164.822] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0164.822] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6666440, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf740fbac, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="00010C6E", cAlternateFileName="")) returned 1 [0164.822] lstrcmpiW (lpString1="00010C6E", lpString2="Windows") returned -1 [0164.822] lstrcmpiW (lpString1="00010C6E", lpString2="Program Files") returned -1 [0164.822] lstrcmpiW (lpString1="00010C6E", lpString2="Program Files (x86)") returned -1 [0164.822] lstrcmpiW (lpString1="00010C6E", lpString2="$Recycle.bin") returned 1 [0164.822] lstrcmpiW (lpString1="00010C6E", lpString2="System Volume Information") returned -1 [0164.822] lstrcmpiW (lpString1="00010C6E", lpString2=".") returned 1 [0164.822] lstrcmpiW (lpString1="00010C6E", lpString2="..") returned 1 [0164.822] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E") returned 87 [0164.822] GetProcessHeap () returned 0x4c0000 [0164.822] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bd80e8 [0164.822] lstrcpyW (in: lpString1=0x3bd80e8, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E" [0164.823] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\*" [0164.823] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6666440, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf740fbac, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2d6a1199, cFileName=".", cAlternateFileName="")) returned 0x3bb71e0 [0164.849] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0164.879] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0164.880] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0164.880] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0164.880] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0164.880] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0164.880] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6666440, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf740fbac, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x2d6a1199, cFileName="..", cAlternateFileName="")) returned 1 [0164.880] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0164.880] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0164.880] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0164.880] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0164.880] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0164.880] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0164.880] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0164.880] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6666440, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6666440, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf73e9a4c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x414, dwReserved0=0x4e29d8, dwReserved1=0x2d6a1199, cFileName="01_Music_auto_rated_at_5_stars.wpl", cAlternateFileName="01_MUS~1.WPL")) returned 1 [0164.880] lstrcmpiW (lpString1="01_Music_auto_rated_at_5_stars.wpl", lpString2="Windows") returned -1 [0164.880] lstrcmpiW (lpString1="01_Music_auto_rated_at_5_stars.wpl", lpString2="Program Files") returned -1 [0164.880] lstrcmpiW (lpString1="01_Music_auto_rated_at_5_stars.wpl", lpString2="Program Files (x86)") returned -1 [0164.880] lstrcmpiW (lpString1="01_Music_auto_rated_at_5_stars.wpl", lpString2="$Recycle.bin") returned 1 [0164.880] lstrcmpiW (lpString1="01_Music_auto_rated_at_5_stars.wpl", lpString2="System Volume Information") returned -1 [0164.880] lstrcmpiW (lpString1="01_Music_auto_rated_at_5_stars.wpl", lpString2=".") returned 1 [0164.880] lstrcmpiW (lpString1="01_Music_auto_rated_at_5_stars.wpl", lpString2="..") returned 1 [0164.880] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl") returned 122 [0164.881] lstrcmpW (lpString1="01_Music_auto_rated_at_5_stars.wpl", lpString2="PUSSY.TXT") returned -1 [0164.881] PathFindExtensionW (pszPath="01_Music_auto_rated_at_5_stars.wpl") returned=".wpl" [0164.881] lstrlenW (lpString=".wpl") returned 4 [0164.881] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0164.881] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\01_music_auto_rated_at_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xec [0164.882] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=1044) returned 1 [0164.882] GetProcessHeap () returned 0x4c0000 [0164.882] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b28068 [0164.892] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="59") returned 2 [0164.892] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="EA") returned 2 [0164.892] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="8C") returned 2 [0164.892] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="A6") returned 2 [0164.892] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="75") returned 2 [0164.893] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="59") returned 2 [0164.893] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="99") returned 2 [0164.893] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="EF") returned 2 [0164.893] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="4C") returned 2 [0164.893] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="E5") returned 2 [0164.893] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="2D") returned 2 [0164.893] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="C2") returned 2 [0164.893] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="84") returned 2 [0164.893] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="AB") returned 2 [0164.893] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="94") returned 2 [0164.893] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="77") returned 2 [0164.893] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="E3") returned 2 [0164.893] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="06") returned 2 [0164.893] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="09") returned 2 [0164.893] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="E5") returned 2 [0164.893] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="5E") returned 2 [0164.893] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="B3") returned 2 [0164.893] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="06") returned 2 [0164.893] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="E4") returned 2 [0164.893] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="4C") returned 2 [0164.893] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="93") returned 2 [0164.893] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="88") returned 2 [0164.893] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="0F") returned 2 [0164.894] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="6D") returned 2 [0164.894] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="17") returned 2 [0164.894] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="01") returned 2 [0164.894] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="7F") returned 2 [0164.902] lstrcpyW (in: lpString1=0x3b3809c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl" [0164.902] lstrcpyW (in: lpString1=0x3b2809c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl" [0164.902] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl", lpString2=".59EA8CA6755999EF4CE52DC284AB9477E30609E55EB306E44C93880F6D17017F" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl.59EA8CA6755999EF4CE52DC284AB9477E30609E55EB306E44C93880F6D17017F") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl.59EA8CA6755999EF4CE52DC284AB9477E30609E55EB306E44C93880F6D17017F" [0164.902] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x94, CompletionKey=0x3b28068, NumberOfConcurrentThreads=0x0) returned 0x94 [0164.902] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b28068, lpOverlapped=0x3b28068) returned 1 [0164.903] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6666440, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6666440, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf73e9a4c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x4ff, dwReserved0=0x4e29d8, dwReserved1=0x2d6a1199, cFileName="02_Music_added_in_the_last_month.wpl", cAlternateFileName="02_MUS~1.WPL")) returned 1 [0164.903] lstrcmpiW (lpString1="02_Music_added_in_the_last_month.wpl", lpString2="Windows") returned -1 [0164.905] lstrcmpiW (lpString1="02_Music_added_in_the_last_month.wpl", lpString2="Program Files") returned -1 [0164.905] lstrcmpiW (lpString1="02_Music_added_in_the_last_month.wpl", lpString2="Program Files (x86)") returned -1 [0164.905] lstrcmpiW (lpString1="02_Music_added_in_the_last_month.wpl", lpString2="$Recycle.bin") returned 1 [0164.905] lstrcmpiW (lpString1="02_Music_added_in_the_last_month.wpl", lpString2="System Volume Information") returned -1 [0164.905] lstrcmpiW (lpString1="02_Music_added_in_the_last_month.wpl", lpString2=".") returned 1 [0164.905] lstrcmpiW (lpString1="02_Music_added_in_the_last_month.wpl", lpString2="..") returned 1 [0164.905] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl") returned 124 [0164.905] lstrcmpW (lpString1="02_Music_added_in_the_last_month.wpl", lpString2="PUSSY.TXT") returned -1 [0164.905] PathFindExtensionW (pszPath="02_Music_added_in_the_last_month.wpl") returned=".wpl" [0164.905] lstrlenW (lpString=".wpl") returned 4 [0164.905] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0164.905] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\02_music_added_in_the_last_month.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d4 [0164.906] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=1279) returned 1 [0164.906] GetProcessHeap () returned 0x4c0000 [0164.906] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b78108 [0164.917] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="BD") returned 2 [0164.917] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="E3") returned 2 [0164.917] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="24") returned 2 [0164.917] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="26") returned 2 [0164.917] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="CD") returned 2 [0164.917] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="64") returned 2 [0164.917] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="7D") returned 2 [0164.917] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="69") returned 2 [0164.917] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="8C") returned 2 [0164.917] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="8B") returned 2 [0164.918] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="97") returned 2 [0164.918] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="A2") returned 2 [0164.918] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="EB") returned 2 [0164.918] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="A9") returned 2 [0164.918] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="89") returned 2 [0164.918] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="84") returned 2 [0164.918] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="8D") returned 2 [0164.918] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="01") returned 2 [0164.918] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="40") returned 2 [0164.918] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="46") returned 2 [0164.918] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="D7") returned 2 [0164.918] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="7D") returned 2 [0164.918] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="CD") returned 2 [0164.918] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="5C") returned 2 [0164.918] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="C1") returned 2 [0164.918] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="1D") returned 2 [0164.918] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="77") returned 2 [0164.918] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="06") returned 2 [0164.918] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="8C") returned 2 [0164.918] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="65") returned 2 [0164.918] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="4D") returned 2 [0164.918] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="38") returned 2 [0164.927] lstrcpyW (in: lpString1=0x3b8813c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl" [0164.927] lstrcpyW (in: lpString1=0x3b7813c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl" [0164.927] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl", lpString2=".BDE32426CD647D698C8B97A2EBA989848D014046D77DCD5CC11D77068C654D38" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl.BDE32426CD647D698C8B97A2EBA989848D014046D77DCD5CC11D77068C654D38") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl.BDE32426CD647D698C8B97A2EBA989848D014046D77DCD5CC11D77068C654D38" [0164.927] CreateIoCompletionPort (FileHandle=0x1d4, ExistingCompletionPort=0x94, CompletionKey=0x3b78108, NumberOfConcurrentThreads=0x0) returned 0x94 [0164.927] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b78108, lpOverlapped=0x3b78108) returned 1 [0164.927] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6666440, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6666440, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf73e9a4c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x4f3, dwReserved0=0x4e29d8, dwReserved1=0x2d6a1199, cFileName="03_Music_rated_at_4_or_5_stars.wpl", cAlternateFileName="03_MUS~1.WPL")) returned 1 [0164.927] lstrcmpiW (lpString1="03_Music_rated_at_4_or_5_stars.wpl", lpString2="Windows") returned -1 [0164.927] lstrcmpiW (lpString1="03_Music_rated_at_4_or_5_stars.wpl", lpString2="Program Files") returned -1 [0164.927] lstrcmpiW (lpString1="03_Music_rated_at_4_or_5_stars.wpl", lpString2="Program Files (x86)") returned -1 [0164.927] lstrcmpiW (lpString1="03_Music_rated_at_4_or_5_stars.wpl", lpString2="$Recycle.bin") returned 1 [0164.927] lstrcmpiW (lpString1="03_Music_rated_at_4_or_5_stars.wpl", lpString2="System Volume Information") returned -1 [0164.927] lstrcmpiW (lpString1="03_Music_rated_at_4_or_5_stars.wpl", lpString2=".") returned 1 [0164.927] lstrcmpiW (lpString1="03_Music_rated_at_4_or_5_stars.wpl", lpString2="..") returned 1 [0164.927] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl") returned 122 [0164.927] lstrcmpW (lpString1="03_Music_rated_at_4_or_5_stars.wpl", lpString2="PUSSY.TXT") returned -1 [0164.927] PathFindExtensionW (pszPath="03_Music_rated_at_4_or_5_stars.wpl") returned=".wpl" [0164.927] lstrlenW (lpString=".wpl") returned 4 [0164.927] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0164.928] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\03_music_rated_at_4_or_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x154 [0164.928] GetFileSizeEx (in: hFile=0x154, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=1267) returned 1 [0164.928] GetProcessHeap () returned 0x4c0000 [0164.928] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52bae0 [0164.939] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="0D") returned 2 [0164.939] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="B5") returned 2 [0164.939] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="70") returned 2 [0164.939] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="98") returned 2 [0164.939] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="47") returned 2 [0164.939] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="CD") returned 2 [0164.939] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="8F") returned 2 [0164.939] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="B3") returned 2 [0164.939] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="3E") returned 2 [0164.939] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="7F") returned 2 [0164.939] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="BA") returned 2 [0164.939] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="A9") returned 2 [0164.939] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="D6") returned 2 [0164.939] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="12") returned 2 [0164.939] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="DA") returned 2 [0164.939] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="16") returned 2 [0164.939] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="B4") returned 2 [0164.939] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="00") returned 2 [0164.939] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="4C") returned 2 [0164.940] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="5F") returned 2 [0164.940] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="6C") returned 2 [0164.940] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="D2") returned 2 [0164.940] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="76") returned 2 [0164.940] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="D0") returned 2 [0164.940] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="B9") returned 2 [0164.940] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="A7") returned 2 [0164.940] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="8C") returned 2 [0164.940] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="2D") returned 2 [0164.940] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="04") returned 2 [0164.940] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="E4") returned 2 [0164.940] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="20") returned 2 [0164.940] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="0C") returned 2 [0164.948] lstrcpyW (in: lpString1=0x53bb14, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl" [0164.948] lstrcpyW (in: lpString1=0x52bb14, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl" [0164.948] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl", lpString2=".0DB5709847CD8FB33E7FBAA9D612DA16B4004C5F6CD276D0B9A78C2D04E4200C" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl.0DB5709847CD8FB33E7FBAA9D612DA16B4004C5F6CD276D0B9A78C2D04E4200C") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl.0DB5709847CD8FB33E7FBAA9D612DA16B4004C5F6CD276D0B9A78C2D04E4200C" [0164.948] CreateIoCompletionPort (FileHandle=0x154, ExistingCompletionPort=0x94, CompletionKey=0x52bae0, NumberOfConcurrentThreads=0x0) returned 0x94 [0164.948] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52bae0, lpOverlapped=0x52bae0) returned 1 [0164.949] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6666440, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6666440, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf73e9a4c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x504, dwReserved0=0x4e29d8, dwReserved1=0x2d6a1199, cFileName="04_Music_played_in_the_last_month.wpl", cAlternateFileName="04_MUS~1.WPL")) returned 1 [0164.949] lstrcmpiW (lpString1="04_Music_played_in_the_last_month.wpl", lpString2="Windows") returned -1 [0164.949] lstrcmpiW (lpString1="04_Music_played_in_the_last_month.wpl", lpString2="Program Files") returned -1 [0164.949] lstrcmpiW (lpString1="04_Music_played_in_the_last_month.wpl", lpString2="Program Files (x86)") returned -1 [0164.949] lstrcmpiW (lpString1="04_Music_played_in_the_last_month.wpl", lpString2="$Recycle.bin") returned 1 [0164.949] lstrcmpiW (lpString1="04_Music_played_in_the_last_month.wpl", lpString2="System Volume Information") returned -1 [0164.949] lstrcmpiW (lpString1="04_Music_played_in_the_last_month.wpl", lpString2=".") returned 1 [0164.949] lstrcmpiW (lpString1="04_Music_played_in_the_last_month.wpl", lpString2="..") returned 1 [0164.949] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl") returned 125 [0164.949] lstrcmpW (lpString1="04_Music_played_in_the_last_month.wpl", lpString2="PUSSY.TXT") returned -1 [0164.949] PathFindExtensionW (pszPath="04_Music_played_in_the_last_month.wpl") returned=".wpl" [0164.949] lstrlenW (lpString=".wpl") returned 4 [0164.949] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0164.949] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\04_music_played_in_the_last_month.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0164.951] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=1284) returned 1 [0164.951] GetProcessHeap () returned 0x4c0000 [0164.951] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x553b30 [0164.965] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="2C") returned 2 [0164.965] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="C2") returned 2 [0164.965] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="48") returned 2 [0164.965] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="C5") returned 2 [0164.965] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="3A") returned 2 [0164.966] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="E3") returned 2 [0164.966] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="D7") returned 2 [0164.966] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="61") returned 2 [0164.966] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="FA") returned 2 [0164.966] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="7E") returned 2 [0164.966] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="6C") returned 2 [0164.966] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="0D") returned 2 [0164.966] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="12") returned 2 [0164.966] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="9C") returned 2 [0164.966] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="31") returned 2 [0164.966] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="E4") returned 2 [0164.966] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="3D") returned 2 [0164.966] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="50") returned 2 [0164.966] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="58") returned 2 [0164.966] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="77") returned 2 [0164.966] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="5E") returned 2 [0164.966] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="16") returned 2 [0164.966] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="9D") returned 2 [0164.966] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="30") returned 2 [0164.966] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="E3") returned 2 [0164.966] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="A5") returned 2 [0164.966] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="E3") returned 2 [0164.966] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="5C") returned 2 [0164.966] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="9A") returned 2 [0164.966] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="33") returned 2 [0164.966] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="27") returned 2 [0164.966] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="54") returned 2 [0164.975] lstrcpyW (in: lpString1=0x563b64, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl" [0164.975] lstrcpyW (in: lpString1=0x553b64, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl" [0164.975] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl", lpString2=".2CC248C53AE3D761FA7E6C0D129C31E43D5058775E169D30E3A5E35C9A332754" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl.2CC248C53AE3D761FA7E6C0D129C31E43D5058775E169D30E3A5E35C9A332754") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl.2CC248C53AE3D761FA7E6C0D129C31E43D5058775E169D30E3A5E35C9A332754" [0164.975] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0x94, CompletionKey=0x553b30, NumberOfConcurrentThreads=0x0) returned 0x94 [0164.975] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x553b30, lpOverlapped=0x553b30) returned 1 [0164.975] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6666440, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6666440, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf73e9a4c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x31d, dwReserved0=0x4e29d8, dwReserved1=0x2d6a1199, cFileName="05_Pictures_taken_in_the_last_month.wpl", cAlternateFileName="05_PIC~1.WPL")) returned 1 [0164.975] lstrcmpiW (lpString1="05_Pictures_taken_in_the_last_month.wpl", lpString2="Windows") returned -1 [0164.977] lstrcmpiW (lpString1="05_Pictures_taken_in_the_last_month.wpl", lpString2="Program Files") returned -1 [0164.977] lstrcmpiW (lpString1="05_Pictures_taken_in_the_last_month.wpl", lpString2="Program Files (x86)") returned -1 [0164.977] lstrcmpiW (lpString1="05_Pictures_taken_in_the_last_month.wpl", lpString2="$Recycle.bin") returned 1 [0164.977] lstrcmpiW (lpString1="05_Pictures_taken_in_the_last_month.wpl", lpString2="System Volume Information") returned -1 [0164.977] lstrcmpiW (lpString1="05_Pictures_taken_in_the_last_month.wpl", lpString2=".") returned 1 [0164.977] lstrcmpiW (lpString1="05_Pictures_taken_in_the_last_month.wpl", lpString2="..") returned 1 [0164.977] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl") returned 127 [0164.978] lstrcmpW (lpString1="05_Pictures_taken_in_the_last_month.wpl", lpString2="PUSSY.TXT") returned -1 [0164.978] PathFindExtensionW (pszPath="05_Pictures_taken_in_the_last_month.wpl") returned=".wpl" [0164.978] lstrlenW (lpString=".wpl") returned 4 [0164.978] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0164.978] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\05_pictures_taken_in_the_last_month.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0164.978] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=797) returned 1 [0164.978] GetProcessHeap () returned 0x4c0000 [0164.979] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c720f8 [0164.989] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="D4") returned 2 [0164.989] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="A2") returned 2 [0164.989] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="6A") returned 2 [0164.989] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="2E") returned 2 [0164.989] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="7F") returned 2 [0164.989] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="8E") returned 2 [0164.989] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="2E") returned 2 [0164.989] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="70") returned 2 [0164.989] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="87") returned 2 [0164.990] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="7E") returned 2 [0164.990] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="2A") returned 2 [0164.990] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="77") returned 2 [0164.990] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="B8") returned 2 [0164.990] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="99") returned 2 [0164.990] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="3A") returned 2 [0164.990] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="4D") returned 2 [0164.990] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="9F") returned 2 [0164.990] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="17") returned 2 [0164.990] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="34") returned 2 [0164.990] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="5D") returned 2 [0164.990] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="E4") returned 2 [0164.990] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="48") returned 2 [0164.990] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="26") returned 2 [0164.990] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="6D") returned 2 [0164.990] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="0C") returned 2 [0164.990] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="46") returned 2 [0164.990] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="EE") returned 2 [0164.990] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="73") returned 2 [0164.990] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="1D") returned 2 [0164.990] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="76") returned 2 [0164.990] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="44") returned 2 [0164.990] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="62") returned 2 [0164.998] lstrcpyW (in: lpString1=0x3c8212c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl" [0164.998] lstrcpyW (in: lpString1=0x3c7212c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl" [0164.999] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl", lpString2=".D4A26A2E7F8E2E70877E2A77B8993A4D9F17345DE448266D0C46EE731D764462" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl.D4A26A2E7F8E2E70877E2A77B8993A4D9F17345DE448266D0C46EE731D764462") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl.D4A26A2E7F8E2E70877E2A77B8993A4D9F17345DE448266D0C46EE731D764462" [0164.999] CreateIoCompletionPort (FileHandle=0x1d8, ExistingCompletionPort=0x94, CompletionKey=0x3c720f8, NumberOfConcurrentThreads=0x0) returned 0x94 [0164.999] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c720f8, lpOverlapped=0x3c720f8) returned 1 [0164.999] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6666440, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6666440, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf73e9a4c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x311, dwReserved0=0x4e29d8, dwReserved1=0x2d6a1199, cFileName="06_Pictures_rated_4_or_5_stars.wpl", cAlternateFileName="06_PIC~1.WPL")) returned 1 [0164.999] lstrcmpiW (lpString1="06_Pictures_rated_4_or_5_stars.wpl", lpString2="Windows") returned -1 [0164.999] lstrcmpiW (lpString1="06_Pictures_rated_4_or_5_stars.wpl", lpString2="Program Files") returned -1 [0164.999] lstrcmpiW (lpString1="06_Pictures_rated_4_or_5_stars.wpl", lpString2="Program Files (x86)") returned -1 [0164.999] lstrcmpiW (lpString1="06_Pictures_rated_4_or_5_stars.wpl", lpString2="$Recycle.bin") returned 1 [0164.999] lstrcmpiW (lpString1="06_Pictures_rated_4_or_5_stars.wpl", lpString2="System Volume Information") returned -1 [0164.999] lstrcmpiW (lpString1="06_Pictures_rated_4_or_5_stars.wpl", lpString2=".") returned 1 [0164.999] lstrcmpiW (lpString1="06_Pictures_rated_4_or_5_stars.wpl", lpString2="..") returned 1 [0164.999] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl") returned 122 [0164.999] lstrcmpW (lpString1="06_Pictures_rated_4_or_5_stars.wpl", lpString2="PUSSY.TXT") returned -1 [0164.999] PathFindExtensionW (pszPath="06_Pictures_rated_4_or_5_stars.wpl") returned=".wpl" [0164.999] lstrlenW (lpString=".wpl") returned 4 [0164.999] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0164.999] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\06_pictures_rated_4_or_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1c0 [0165.000] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=785) returned 1 [0165.000] GetProcessHeap () returned 0x4c0000 [0165.000] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c9a148 [0165.010] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="1F") returned 2 [0165.010] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="A0") returned 2 [0165.010] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="07") returned 2 [0165.010] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="C0") returned 2 [0165.010] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="B3") returned 2 [0165.010] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="3A") returned 2 [0165.010] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="FA") returned 2 [0165.010] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="3F") returned 2 [0165.010] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="E6") returned 2 [0165.010] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="87") returned 2 [0165.010] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="83") returned 2 [0165.010] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="FA") returned 2 [0165.010] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="4A") returned 2 [0165.011] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="28") returned 2 [0165.011] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="EC") returned 2 [0165.011] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="14") returned 2 [0165.011] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="C7") returned 2 [0165.011] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="22") returned 2 [0165.011] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="C2") returned 2 [0165.011] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="D1") returned 2 [0165.011] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="69") returned 2 [0165.011] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="79") returned 2 [0165.011] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="35") returned 2 [0165.011] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="B3") returned 2 [0165.011] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="79") returned 2 [0165.011] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="C6") returned 2 [0165.011] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="87") returned 2 [0165.011] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="51") returned 2 [0165.011] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="08") returned 2 [0165.011] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="9E") returned 2 [0165.011] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="84") returned 2 [0165.011] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="2D") returned 2 [0165.069] lstrcpyW (in: lpString1=0x3caa17c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl" [0165.069] lstrcpyW (in: lpString1=0x3c9a17c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl" [0165.069] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl", lpString2=".1FA007C0B33AFA3FE68783FA4A28EC14C722C2D1697935B379C68751089E842D" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl.1FA007C0B33AFA3FE68783FA4A28EC14C722C2D1697935B379C68751089E842D") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl.1FA007C0B33AFA3FE68783FA4A28EC14C722C2D1697935B379C68751089E842D" [0165.069] CreateIoCompletionPort (FileHandle=0x1c0, ExistingCompletionPort=0x94, CompletionKey=0x3c9a148, NumberOfConcurrentThreads=0x0) returned 0x94 [0165.069] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c9a148, lpOverlapped=0x3c9a148) returned 1 [0165.073] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x66402e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x66402e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf73e9a4c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x410, dwReserved0=0x4e29d8, dwReserved1=0x2d6a1199, cFileName="07_TV_recorded_in_the_last_week.wpl", cAlternateFileName="07_TV_~1.WPL")) returned 1 [0165.073] lstrcmpiW (lpString1="07_TV_recorded_in_the_last_week.wpl", lpString2="Windows") returned -1 [0165.073] lstrcmpiW (lpString1="07_TV_recorded_in_the_last_week.wpl", lpString2="Program Files") returned -1 [0165.073] lstrcmpiW (lpString1="07_TV_recorded_in_the_last_week.wpl", lpString2="Program Files (x86)") returned -1 [0165.073] lstrcmpiW (lpString1="07_TV_recorded_in_the_last_week.wpl", lpString2="$Recycle.bin") returned 1 [0165.073] lstrcmpiW (lpString1="07_TV_recorded_in_the_last_week.wpl", lpString2="System Volume Information") returned -1 [0165.073] lstrcmpiW (lpString1="07_TV_recorded_in_the_last_week.wpl", lpString2=".") returned 1 [0165.073] lstrcmpiW (lpString1="07_TV_recorded_in_the_last_week.wpl", lpString2="..") returned 1 [0165.073] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl") returned 123 [0165.073] lstrcmpW (lpString1="07_TV_recorded_in_the_last_week.wpl", lpString2="PUSSY.TXT") returned -1 [0165.073] PathFindExtensionW (pszPath="07_TV_recorded_in_the_last_week.wpl") returned=".wpl" [0165.073] lstrlenW (lpString=".wpl") returned 4 [0165.073] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0165.073] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\07_tv_recorded_in_the_last_week.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0165.074] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=1040) returned 1 [0165.074] GetProcessHeap () returned 0x4c0000 [0165.074] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b500b8 [0165.088] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="F3") returned 2 [0165.088] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="52") returned 2 [0165.088] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="90") returned 2 [0165.088] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="EE") returned 2 [0165.088] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="EA") returned 2 [0165.088] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="54") returned 2 [0165.088] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="2D") returned 2 [0165.088] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="4D") returned 2 [0165.088] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="75") returned 2 [0165.088] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="58") returned 2 [0165.088] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="FF") returned 2 [0165.088] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="54") returned 2 [0165.088] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="9D") returned 2 [0165.088] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="82") returned 2 [0165.089] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="7D") returned 2 [0165.089] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="02") returned 2 [0165.089] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="F5") returned 2 [0165.089] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="19") returned 2 [0165.089] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="F3") returned 2 [0165.089] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="4B") returned 2 [0165.089] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="3F") returned 2 [0165.089] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="A6") returned 2 [0165.089] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="9D") returned 2 [0165.089] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="F5") returned 2 [0165.089] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="DF") returned 2 [0165.089] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="5B") returned 2 [0165.089] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="10") returned 2 [0165.089] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="76") returned 2 [0165.089] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="C2") returned 2 [0165.089] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="54") returned 2 [0165.089] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="2D") returned 2 [0165.090] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="2D") returned 2 [0165.103] lstrcpyW (in: lpString1=0x3b600ec, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl" [0165.103] lstrcpyW (in: lpString1=0x3b500ec, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl" [0165.103] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl", lpString2=".F35290EEEA542D4D7558FF549D827D02F519F34B3FA69DF5DF5B1076C2542D2D" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl.F35290EEEA542D4D7558FF549D827D02F519F34B3FA69DF5DF5B1076C2542D2D") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl.F35290EEEA542D4D7558FF549D827D02F519F34B3FA69DF5DF5B1076C2542D2D" [0165.103] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x3b500b8, NumberOfConcurrentThreads=0x0) returned 0x94 [0165.103] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b500b8, lpOverlapped=0x3b500b8) returned 1 [0165.106] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6666440, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6666440, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf740fbac, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x3fc, dwReserved0=0x4e29d8, dwReserved1=0x2d6a1199, cFileName="08_Video_rated_at_4_or_5_stars.wpl", cAlternateFileName="08_VID~1.WPL")) returned 1 [0165.107] lstrcmpiW (lpString1="08_Video_rated_at_4_or_5_stars.wpl", lpString2="Windows") returned -1 [0165.107] lstrcmpiW (lpString1="08_Video_rated_at_4_or_5_stars.wpl", lpString2="Program Files") returned -1 [0165.107] lstrcmpiW (lpString1="08_Video_rated_at_4_or_5_stars.wpl", lpString2="Program Files (x86)") returned -1 [0165.107] lstrcmpiW (lpString1="08_Video_rated_at_4_or_5_stars.wpl", lpString2="$Recycle.bin") returned 1 [0165.107] lstrcmpiW (lpString1="08_Video_rated_at_4_or_5_stars.wpl", lpString2="System Volume Information") returned -1 [0165.107] lstrcmpiW (lpString1="08_Video_rated_at_4_or_5_stars.wpl", lpString2=".") returned 1 [0165.107] lstrcmpiW (lpString1="08_Video_rated_at_4_or_5_stars.wpl", lpString2="..") returned 1 [0165.107] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl") returned 122 [0165.107] lstrcmpW (lpString1="08_Video_rated_at_4_or_5_stars.wpl", lpString2="PUSSY.TXT") returned -1 [0165.107] PathFindExtensionW (pszPath="08_Video_rated_at_4_or_5_stars.wpl") returned=".wpl" [0165.107] lstrlenW (lpString=".wpl") returned 4 [0165.107] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0165.107] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\08_video_rated_at_4_or_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x180 [0165.108] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=1020) returned 1 [0165.108] GetProcessHeap () returned 0x4c0000 [0165.108] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0165.123] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="53") returned 2 [0165.123] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="3B") returned 2 [0165.123] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="AD") returned 2 [0165.123] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="D0") returned 2 [0165.123] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="08") returned 2 [0165.123] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="54") returned 2 [0165.123] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="86") returned 2 [0165.123] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="2A") returned 2 [0165.123] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="B5") returned 2 [0165.123] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="A8") returned 2 [0165.123] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="81") returned 2 [0165.123] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="E7") returned 2 [0165.123] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="67") returned 2 [0165.123] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="49") returned 2 [0165.123] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="F4") returned 2 [0165.123] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="AF") returned 2 [0165.123] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="B4") returned 2 [0165.123] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="FA") returned 2 [0165.124] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="54") returned 2 [0165.124] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="46") returned 2 [0165.124] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="2D") returned 2 [0165.124] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="AF") returned 2 [0165.124] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="B1") returned 2 [0165.124] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="A3") returned 2 [0165.124] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="98") returned 2 [0165.124] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="0A") returned 2 [0165.124] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="C3") returned 2 [0165.124] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="00") returned 2 [0165.124] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="A0") returned 2 [0165.124] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="03") returned 2 [0165.124] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="B6") returned 2 [0165.124] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="59") returned 2 [0165.136] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl" [0165.136] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl" [0165.136] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl", lpString2=".533BADD00854862AB5A881E76749F4AFB4FA54462DAFB1A3980AC300A003B659" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl.533BADD00854862AB5A881E76749F4AFB4FA54462DAFB1A3980AC300A003B659") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl.533BADD00854862AB5A881E76749F4AFB4FA54462DAFB1A3980AC300A003B659" [0165.136] CreateIoCompletionPort (FileHandle=0x180, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0165.136] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0165.143] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x66402e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x66402e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf740fbac, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x401, dwReserved0=0x4e29d8, dwReserved1=0x2d6a1199, cFileName="09_Music_played_the_most.wpl", cAlternateFileName="09_MUS~1.WPL")) returned 1 [0165.143] lstrcmpiW (lpString1="09_Music_played_the_most.wpl", lpString2="Windows") returned -1 [0165.143] lstrcmpiW (lpString1="09_Music_played_the_most.wpl", lpString2="Program Files") returned -1 [0165.143] lstrcmpiW (lpString1="09_Music_played_the_most.wpl", lpString2="Program Files (x86)") returned -1 [0165.143] lstrcmpiW (lpString1="09_Music_played_the_most.wpl", lpString2="$Recycle.bin") returned 1 [0165.143] lstrcmpiW (lpString1="09_Music_played_the_most.wpl", lpString2="System Volume Information") returned -1 [0165.143] lstrcmpiW (lpString1="09_Music_played_the_most.wpl", lpString2=".") returned 1 [0165.143] lstrcmpiW (lpString1="09_Music_played_the_most.wpl", lpString2="..") returned 1 [0165.143] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl") returned 116 [0165.143] lstrcmpW (lpString1="09_Music_played_the_most.wpl", lpString2="PUSSY.TXT") returned -1 [0165.143] PathFindExtensionW (pszPath="09_Music_played_the_most.wpl") returned=".wpl" [0165.143] lstrlenW (lpString=".wpl") returned 4 [0165.143] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0165.143] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\09_music_played_the_most.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x180 [0165.145] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=1025) returned 1 [0165.145] GetProcessHeap () returned 0x4c0000 [0165.145] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0165.158] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="1E") returned 2 [0165.158] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="D9") returned 2 [0165.158] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="40") returned 2 [0165.158] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="28") returned 2 [0165.158] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="11") returned 2 [0165.158] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="24") returned 2 [0165.158] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="A6") returned 2 [0165.158] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="0E") returned 2 [0165.158] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="54") returned 2 [0165.158] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="87") returned 2 [0165.158] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="E9") returned 2 [0165.158] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="9A") returned 2 [0165.158] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="8C") returned 2 [0165.158] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="63") returned 2 [0165.158] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="7D") returned 2 [0165.158] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="57") returned 2 [0165.158] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="B1") returned 2 [0165.158] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="AF") returned 2 [0165.158] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="41") returned 2 [0165.158] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="7A") returned 2 [0165.158] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="B9") returned 2 [0165.158] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="C3") returned 2 [0165.158] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="8B") returned 2 [0165.158] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="F8") returned 2 [0165.158] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="AC") returned 2 [0165.158] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="E5") returned 2 [0165.159] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="F5") returned 2 [0165.159] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="E2") returned 2 [0165.159] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="FC") returned 2 [0165.159] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="FF") returned 2 [0165.159] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="E9") returned 2 [0165.159] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="6D") returned 2 [0165.194] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl" [0165.194] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl" [0165.194] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl", lpString2=".1ED940281124A60E5487E99A8C637D57B1AF417AB9C38BF8ACE5F5E2FCFFE96D" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl.1ED940281124A60E5487E99A8C637D57B1AF417AB9C38BF8ACE5F5E2FCFFE96D") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl.1ED940281124A60E5487E99A8C637D57B1AF417AB9C38BF8ACE5F5E2FCFFE96D" [0165.194] CreateIoCompletionPort (FileHandle=0x180, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0165.194] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0165.197] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x66402e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x66402e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf740fbac, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x427, dwReserved0=0x4e29d8, dwReserved1=0x2d6a1199, cFileName="10_All_Music.wpl", cAlternateFileName="10_ALL~1.WPL")) returned 1 [0165.197] lstrcmpiW (lpString1="10_All_Music.wpl", lpString2="Windows") returned -1 [0165.197] lstrcmpiW (lpString1="10_All_Music.wpl", lpString2="Program Files") returned -1 [0165.197] lstrcmpiW (lpString1="10_All_Music.wpl", lpString2="Program Files (x86)") returned -1 [0165.197] lstrcmpiW (lpString1="10_All_Music.wpl", lpString2="$Recycle.bin") returned 1 [0165.197] lstrcmpiW (lpString1="10_All_Music.wpl", lpString2="System Volume Information") returned -1 [0165.197] lstrcmpiW (lpString1="10_All_Music.wpl", lpString2=".") returned 1 [0165.197] lstrcmpiW (lpString1="10_All_Music.wpl", lpString2="..") returned 1 [0165.198] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl") returned 104 [0165.198] lstrcmpW (lpString1="10_All_Music.wpl", lpString2="PUSSY.TXT") returned -1 [0165.198] PathFindExtensionW (pszPath="10_All_Music.wpl") returned=".wpl" [0165.198] lstrlenW (lpString=".wpl") returned 4 [0165.198] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0165.198] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\10_all_music.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d4 [0165.245] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=1063) returned 1 [0165.245] GetProcessHeap () returned 0x4c0000 [0165.245] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0165.260] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="F7") returned 2 [0165.260] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="55") returned 2 [0165.260] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="8C") returned 2 [0165.260] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="D4") returned 2 [0165.260] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="0F") returned 2 [0165.260] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="DC") returned 2 [0165.260] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="D8") returned 2 [0165.260] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="1A") returned 2 [0165.260] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="48") returned 2 [0165.260] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="E8") returned 2 [0165.260] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="4E") returned 2 [0165.260] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="13") returned 2 [0165.260] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="DB") returned 2 [0165.260] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="4C") returned 2 [0165.260] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="C5") returned 2 [0165.260] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="75") returned 2 [0165.260] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="90") returned 2 [0165.260] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="1B") returned 2 [0165.260] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="05") returned 2 [0165.260] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="97") returned 2 [0165.260] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="04") returned 2 [0165.260] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="3E") returned 2 [0165.260] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="0C") returned 2 [0165.260] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="B2") returned 2 [0165.261] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="53") returned 2 [0165.261] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="7A") returned 2 [0165.261] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="0D") returned 2 [0165.261] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="CA") returned 2 [0165.261] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="A5") returned 2 [0165.261] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="28") returned 2 [0165.261] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="8D") returned 2 [0165.261] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="17") returned 2 [0165.272] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl" [0165.272] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl" [0165.272] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl", lpString2=".F7558CD40FDCD81A48E84E13DB4CC575901B0597043E0CB2537A0DCAA5288D17" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl.F7558CD40FDCD81A48E84E13DB4CC575901B0597043E0CB2537A0DCAA5288D17") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl.F7558CD40FDCD81A48E84E13DB4CC575901B0597043E0CB2537A0DCAA5288D17" [0165.272] CreateIoCompletionPort (FileHandle=0x1d4, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0165.272] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0165.272] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x66402e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x66402e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf740fbac, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x249, dwReserved0=0x4e29d8, dwReserved1=0x2d6a1199, cFileName="11_All_Pictures.wpl", cAlternateFileName="11_ALL~1.WPL")) returned 1 [0165.272] lstrcmpiW (lpString1="11_All_Pictures.wpl", lpString2="Windows") returned -1 [0165.272] lstrcmpiW (lpString1="11_All_Pictures.wpl", lpString2="Program Files") returned -1 [0165.272] lstrcmpiW (lpString1="11_All_Pictures.wpl", lpString2="Program Files (x86)") returned -1 [0165.272] lstrcmpiW (lpString1="11_All_Pictures.wpl", lpString2="$Recycle.bin") returned 1 [0165.273] lstrcmpiW (lpString1="11_All_Pictures.wpl", lpString2="System Volume Information") returned -1 [0165.273] lstrcmpiW (lpString1="11_All_Pictures.wpl", lpString2=".") returned 1 [0165.273] lstrcmpiW (lpString1="11_All_Pictures.wpl", lpString2="..") returned 1 [0165.273] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl") returned 107 [0165.273] lstrcmpW (lpString1="11_All_Pictures.wpl", lpString2="PUSSY.TXT") returned -1 [0165.273] PathFindExtensionW (pszPath="11_All_Pictures.wpl") returned=".wpl" [0165.273] lstrlenW (lpString=".wpl") returned 4 [0165.273] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0165.273] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\11_all_pictures.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0165.274] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=585) returned 1 [0165.274] GetProcessHeap () returned 0x4c0000 [0165.274] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0165.311] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="22") returned 2 [0165.311] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="25") returned 2 [0165.311] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="91") returned 2 [0165.311] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="E9") returned 2 [0165.311] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="FC") returned 2 [0165.311] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="B5") returned 2 [0165.311] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="F4") returned 2 [0165.311] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="C3") returned 2 [0165.311] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="85") returned 2 [0165.311] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="F6") returned 2 [0165.311] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="2F") returned 2 [0165.311] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="85") returned 2 [0165.311] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="30") returned 2 [0165.311] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="6A") returned 2 [0165.311] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="72") returned 2 [0165.311] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="37") returned 2 [0165.311] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="13") returned 2 [0165.311] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="28") returned 2 [0165.311] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="40") returned 2 [0165.311] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="62") returned 2 [0165.311] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="58") returned 2 [0165.311] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="CB") returned 2 [0165.311] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="7B") returned 2 [0165.311] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="D1") returned 2 [0165.312] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="47") returned 2 [0165.312] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="11") returned 2 [0165.312] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="05") returned 2 [0165.312] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="22") returned 2 [0165.312] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="AA") returned 2 [0165.312] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="1F") returned 2 [0165.312] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="F5") returned 2 [0165.312] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="0E") returned 2 [0165.325] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl" [0165.325] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl" [0165.326] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl", lpString2=".222591E9FCB5F4C385F62F85306A72371328406258CB7BD147110522AA1FF50E" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl.222591E9FCB5F4C385F62F85306A72371328406258CB7BD147110522AA1FF50E") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl.222591E9FCB5F4C385F62F85306A72371328406258CB7BD147110522AA1FF50E" [0165.326] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0165.326] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0165.326] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x66402e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x66402e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf740fbac, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x437, dwReserved0=0x4e29d8, dwReserved1=0x2d6a1199, cFileName="12_All_Video.wpl", cAlternateFileName="12_ALL~1.WPL")) returned 1 [0165.326] lstrcmpiW (lpString1="12_All_Video.wpl", lpString2="Windows") returned -1 [0165.327] lstrcmpiW (lpString1="12_All_Video.wpl", lpString2="Program Files") returned -1 [0165.327] lstrcmpiW (lpString1="12_All_Video.wpl", lpString2="Program Files (x86)") returned -1 [0165.327] lstrcmpiW (lpString1="12_All_Video.wpl", lpString2="$Recycle.bin") returned 1 [0165.327] lstrcmpiW (lpString1="12_All_Video.wpl", lpString2="System Volume Information") returned -1 [0165.327] lstrcmpiW (lpString1="12_All_Video.wpl", lpString2=".") returned 1 [0165.327] lstrcmpiW (lpString1="12_All_Video.wpl", lpString2="..") returned 1 [0165.327] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl") returned 104 [0165.327] lstrcmpW (lpString1="12_All_Video.wpl", lpString2="PUSSY.TXT") returned -1 [0165.327] PathFindExtensionW (pszPath="12_All_Video.wpl") returned=".wpl" [0165.327] lstrlenW (lpString=".wpl") returned 4 [0165.327] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0165.327] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\12_all_video.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0165.333] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=1079) returned 1 [0165.333] GetProcessHeap () returned 0x4c0000 [0165.333] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c28098 [0165.346] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="55") returned 2 [0165.346] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="07") returned 2 [0165.346] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="66") returned 2 [0165.346] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="85") returned 2 [0165.346] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="D3") returned 2 [0165.347] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="06") returned 2 [0165.347] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="77") returned 2 [0165.347] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="7A") returned 2 [0165.347] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="F0") returned 2 [0165.347] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="C1") returned 2 [0165.347] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="F3") returned 2 [0165.347] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="AC") returned 2 [0165.347] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="7A") returned 2 [0165.347] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="70") returned 2 [0165.347] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="BC") returned 2 [0165.347] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="37") returned 2 [0165.347] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="9B") returned 2 [0165.347] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="29") returned 2 [0165.347] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="5B") returned 2 [0165.347] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="59") returned 2 [0165.347] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="5A") returned 2 [0165.347] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="B8") returned 2 [0165.347] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="8F") returned 2 [0165.347] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="21") returned 2 [0165.347] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="65") returned 2 [0165.347] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="8E") returned 2 [0165.347] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="64") returned 2 [0165.347] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="DC") returned 2 [0165.347] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="05") returned 2 [0165.347] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="B7") returned 2 [0165.347] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="41") returned 2 [0165.347] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="49") returned 2 [0165.360] lstrcpyW (in: lpString1=0x3c380cc, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl" [0165.360] lstrcpyW (in: lpString1=0x3c280cc, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl" [0165.360] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl", lpString2=".55076685D306777AF0C1F3AC7A70BC379B295B595AB88F21658E64DC05B74149" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl.55076685D306777AF0C1F3AC7A70BC379B295B595AB88F21658E64DC05B74149") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl.55076685D306777AF0C1F3AC7A70BC379B295B595AB88F21658E64DC05B74149" [0165.360] CreateIoCompletionPort (FileHandle=0x1d8, ExistingCompletionPort=0x94, CompletionKey=0x3c28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0165.360] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c28098, lpOverlapped=0x3c28098) returned 1 [0165.362] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x66402e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x66402e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf740fbac, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x437, dwReserved0=0x4e29d8, dwReserved1=0x2d6a1199, cFileName="12_All_Video.wpl", cAlternateFileName="12_ALL~1.WPL")) returned 0 [0165.365] FindClose (in: hFindFile=0x3bb71e0 | out: hFindFile=0x3bb71e0) returned 1 [0165.365] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\PUSSY.TXT") returned 97 [0165.365] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0165.366] lstrlenA (lpString="abcd") returned 4 [0165.366] WriteFile (in: hFile=0x19c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0165.368] CloseHandle (hObject=0x19c) returned 1 [0165.368] GetProcessHeap () returned 0x4c0000 [0165.368] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bd80e8 | out: hHeap=0x4c0000) returned 1 [0165.368] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6666440, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf740fbac, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="00010C6E", cAlternateFileName="")) returned 0 [0165.368] FindClose (in: hFindFile=0x3bb71a0 | out: hFindFile=0x3bb71a0) returned 1 [0165.369] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\PUSSY.TXT") returned 88 [0165.369] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0165.369] lstrlenA (lpString="abcd") returned 4 [0165.370] WriteFile (in: hFile=0x178, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0165.371] CloseHandle (hObject=0x178) returned 1 [0165.371] GetProcessHeap () returned 0x4c0000 [0165.371] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0165.371] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf73e9a4c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="en-US", cAlternateFileName="")) returned 0 [0165.371] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0165.371] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\PUSSY.TXT") returned 82 [0165.371] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x128 [0165.372] lstrlenA (lpString="abcd") returned 4 [0165.372] WriteFile (in: hFile=0x128, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0165.396] CloseHandle (hObject=0x128) returned 1 [0165.396] GetProcessHeap () returned 0x4c0000 [0165.397] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c600f0 | out: hHeap=0x4c0000) returned 1 [0165.400] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf73e9a4c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName="Sync Playlists", cAlternateFileName="SYNCPL~1")) returned 0 [0165.400] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0165.401] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\PUSSY.TXT") returned 67 [0165.401] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0165.402] lstrlenA (lpString="abcd") returned 4 [0165.402] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0165.404] CloseHandle (hObject=0x18c) returned 1 [0165.404] GetProcessHeap () returned 0x4c0000 [0165.404] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c500e8 | out: hHeap=0x4c0000) returned 1 [0165.406] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x66d8860, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x4d1d5e4e, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Windows", cAlternateFileName="")) returned 1 [0165.406] lstrcmpiW (lpString1="Windows", lpString2="Windows") returned 0 [0165.406] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x66b2700, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd774d0cb, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Windows Mail", cAlternateFileName="WINDOW~3")) returned 1 [0165.406] lstrcmpiW (lpString1="Windows Mail", lpString2="Windows") returned 1 [0165.406] lstrcmpiW (lpString1="Windows Mail", lpString2="Program Files") returned 1 [0165.406] lstrcmpiW (lpString1="Windows Mail", lpString2="Program Files (x86)") returned 1 [0165.406] lstrcmpiW (lpString1="Windows Mail", lpString2="$Recycle.bin") returned 1 [0165.406] lstrcmpiW (lpString1="Windows Mail", lpString2="System Volume Information") returned 1 [0165.407] lstrcmpiW (lpString1="Windows Mail", lpString2=".") returned 1 [0165.407] lstrcmpiW (lpString1="Windows Mail", lpString2="..") returned 1 [0165.407] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail") returned 57 [0165.407] GetProcessHeap () returned 0x4c0000 [0165.407] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c500e8 [0165.408] lstrcpyW (in: lpString1=0x3c500e8, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail" [0165.408] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\*" [0165.408] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x66b2700, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd774d0cb, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0165.451] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0165.451] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0165.451] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0165.452] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0165.452] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0165.452] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0165.452] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x66b2700, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd774d0cb, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0165.452] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0165.452] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0165.452] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0165.452] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0165.452] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0165.452] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0165.452] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0165.452] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6535940, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6535940, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf67dcad6, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x5e4, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName="account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount", cAlternateFileName="ACCOUN~3.OEA")) returned 1 [0165.452] lstrcmpiW (lpString1="account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount", lpString2="Windows") returned -1 [0165.452] lstrcmpiW (lpString1="account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount", lpString2="Program Files") returned -1 [0165.453] lstrcmpiW (lpString1="account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount", lpString2="Program Files (x86)") returned -1 [0165.453] lstrcmpiW (lpString1="account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount", lpString2="$Recycle.bin") returned 1 [0165.453] lstrcmpiW (lpString1="account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount", lpString2="System Volume Information") returned -1 [0165.453] lstrcmpiW (lpString1="account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount", lpString2=".") returned 1 [0165.453] lstrcmpiW (lpString1="account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount", lpString2="..") returned 1 [0165.453] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount") returned 113 [0165.453] lstrcmpW (lpString1="account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount", lpString2="PUSSY.TXT") returned -1 [0165.453] PathFindExtensionW (pszPath="account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount") returned=".oeaccount" [0165.453] lstrlenW (lpString=".oeaccount") returned 10 [0165.453] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0165.453] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\account{047ef9ce-9c1f-4250-9ca7-d206db8b643c}.oeaccount"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0165.454] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=1508) returned 1 [0165.454] GetProcessHeap () returned 0x4c0000 [0165.454] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0165.468] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="77") returned 2 [0165.468] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="AD") returned 2 [0165.468] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="B0") returned 2 [0165.468] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="CC") returned 2 [0165.468] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="0D") returned 2 [0165.468] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="08") returned 2 [0165.468] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="E2") returned 2 [0165.468] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="85") returned 2 [0165.468] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="4D") returned 2 [0165.468] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="D1") returned 2 [0165.468] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="AB") returned 2 [0165.468] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="6F") returned 2 [0165.468] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="1F") returned 2 [0165.468] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="3C") returned 2 [0165.468] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="4E") returned 2 [0165.468] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="43") returned 2 [0165.468] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="6D") returned 2 [0165.468] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="3E") returned 2 [0165.468] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="B0") returned 2 [0165.468] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="76") returned 2 [0165.468] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="82") returned 2 [0165.468] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="23") returned 2 [0165.468] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="D2") returned 2 [0165.469] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="EC") returned 2 [0165.469] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="C5") returned 2 [0165.469] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="23") returned 2 [0165.469] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="CF") returned 2 [0165.469] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="F8") returned 2 [0165.469] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="3E") returned 2 [0165.469] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="E3") returned 2 [0165.469] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="C3") returned 2 [0165.469] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="1D") returned 2 [0165.481] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount" [0165.481] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount" [0165.481] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount", lpString2=".77ADB0CC0D08E2854DD1AB6F1F3C4E436D3EB0768223D2ECC523CFF83EE3C31D" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount.77ADB0CC0D08E2854DD1AB6F1F3C4E436D3EB0768223D2ECC523CFF83EE3C31D") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount.77ADB0CC0D08E2854DD1AB6F1F3C4E436D3EB0768223D2ECC523CFF83EE3C31D" [0165.481] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0165.482] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0165.482] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6535940, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6535940, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf657b4d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x2a0, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName="account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount", cAlternateFileName="ACCOUN~2.OEA")) returned 1 [0165.482] lstrcmpiW (lpString1="account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount", lpString2="Windows") returned -1 [0165.482] lstrcmpiW (lpString1="account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount", lpString2="Program Files") returned -1 [0165.482] lstrcmpiW (lpString1="account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount", lpString2="Program Files (x86)") returned -1 [0165.482] lstrcmpiW (lpString1="account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount", lpString2="$Recycle.bin") returned 1 [0165.482] lstrcmpiW (lpString1="account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount", lpString2="System Volume Information") returned -1 [0165.482] lstrcmpiW (lpString1="account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount", lpString2=".") returned 1 [0165.482] lstrcmpiW (lpString1="account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount", lpString2="..") returned 1 [0165.482] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount") returned 113 [0165.482] lstrcmpW (lpString1="account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount", lpString2="PUSSY.TXT") returned -1 [0165.482] PathFindExtensionW (pszPath="account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount") returned=".oeaccount" [0165.482] lstrlenW (lpString=".oeaccount") returned 10 [0165.482] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0165.482] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\account{1cd43f3b-668b-4ca8-b816-34f74122ec0f}.oeaccount"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d4 [0165.483] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=672) returned 1 [0165.483] GetProcessHeap () returned 0x4c0000 [0165.483] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c28098 [0165.496] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="4A") returned 2 [0165.496] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="88") returned 2 [0165.496] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="AA") returned 2 [0165.496] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="12") returned 2 [0165.496] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="B4") returned 2 [0165.496] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="57") returned 2 [0165.496] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="FB") returned 2 [0165.496] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="7D") returned 2 [0165.496] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="41") returned 2 [0165.496] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="80") returned 2 [0165.496] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="2F") returned 2 [0165.496] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="32") returned 2 [0165.496] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="BE") returned 2 [0165.496] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="78") returned 2 [0165.496] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="3D") returned 2 [0165.496] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="FC") returned 2 [0165.496] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="55") returned 2 [0165.496] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="B3") returned 2 [0165.496] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="DE") returned 2 [0165.496] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="5A") returned 2 [0165.496] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="28") returned 2 [0165.496] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="94") returned 2 [0165.496] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="D6") returned 2 [0165.497] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="63") returned 2 [0165.497] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="0B") returned 2 [0165.497] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="78") returned 2 [0165.497] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="C6") returned 2 [0165.497] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="D4") returned 2 [0165.497] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="DC") returned 2 [0165.497] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="52") returned 2 [0165.497] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="56") returned 2 [0165.497] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="39") returned 2 [0165.509] lstrcpyW (in: lpString1=0x3c380cc, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount" [0165.509] lstrcpyW (in: lpString1=0x3c280cc, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount" [0165.509] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount", lpString2=".4A88AA12B457FB7D41802F32BE783DFC55B3DE5A2894D6630B78C6D4DC525639" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount.4A88AA12B457FB7D41802F32BE783DFC55B3DE5A2894D6630B78C6D4DC525639") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount.4A88AA12B457FB7D41802F32BE783DFC55B3DE5A2894D6630B78C6D4DC525639" [0165.509] CreateIoCompletionPort (FileHandle=0x1d4, ExistingCompletionPort=0x94, CompletionKey=0x3c28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0165.510] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c28098, lpOverlapped=0x3c28098) returned 1 [0165.510] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6535940, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6535940, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf67b6975, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x6c8, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName="account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount", cAlternateFileName="ACCOUN~1.OEA")) returned 1 [0165.510] lstrcmpiW (lpString1="account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount", lpString2="Windows") returned -1 [0165.510] lstrcmpiW (lpString1="account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount", lpString2="Program Files") returned -1 [0165.510] lstrcmpiW (lpString1="account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount", lpString2="Program Files (x86)") returned -1 [0165.510] lstrcmpiW (lpString1="account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount", lpString2="$Recycle.bin") returned 1 [0165.510] lstrcmpiW (lpString1="account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount", lpString2="System Volume Information") returned -1 [0165.510] lstrcmpiW (lpString1="account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount", lpString2=".") returned 1 [0165.510] lstrcmpiW (lpString1="account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount", lpString2="..") returned 1 [0165.510] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount") returned 113 [0165.510] lstrcmpW (lpString1="account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount", lpString2="PUSSY.TXT") returned -1 [0165.510] PathFindExtensionW (pszPath="account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount") returned=".oeaccount" [0165.510] lstrlenW (lpString=".oeaccount") returned 10 [0165.510] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0165.510] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\account{af0db737-2ef9-4633-bf5e-1a6761ed1577}.oeaccount"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0165.511] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=1736) returned 1 [0165.511] GetProcessHeap () returned 0x4c0000 [0165.511] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c720f8 [0165.526] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="08") returned 2 [0165.526] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="C3") returned 2 [0165.526] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="45") returned 2 [0165.527] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="A9") returned 2 [0165.527] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="53") returned 2 [0165.527] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="3C") returned 2 [0165.527] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="BC") returned 2 [0165.527] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="B8") returned 2 [0165.527] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="9F") returned 2 [0165.527] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="D0") returned 2 [0165.527] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="CB") returned 2 [0165.527] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="B4") returned 2 [0165.527] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="6E") returned 2 [0165.527] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="1B") returned 2 [0165.527] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="5D") returned 2 [0165.527] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="DA") returned 2 [0165.527] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="D1") returned 2 [0165.527] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="0E") returned 2 [0165.527] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="30") returned 2 [0165.527] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="DF") returned 2 [0165.527] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="13") returned 2 [0165.527] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="B4") returned 2 [0165.527] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="EB") returned 2 [0165.527] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="E9") returned 2 [0165.527] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="D9") returned 2 [0165.527] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="6F") returned 2 [0165.527] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="45") returned 2 [0165.527] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="F1") returned 2 [0165.528] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="FF") returned 2 [0165.528] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="79") returned 2 [0165.528] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="D4") returned 2 [0165.528] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="51") returned 2 [0165.540] lstrcpyW (in: lpString1=0x3c8212c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount" [0165.540] lstrcpyW (in: lpString1=0x3c7212c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount" [0165.540] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount", lpString2=".08C345A9533CBCB89FD0CBB46E1B5DDAD10E30DF13B4EBE9D96F45F1FF79D451" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount.08C345A9533CBCB89FD0CBB46E1B5DDAD10E30DF13B4EBE9D96F45F1FF79D451") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount.08C345A9533CBCB89FD0CBB46E1B5DDAD10E30DF13B4EBE9D96F45F1FF79D451" [0165.540] CreateIoCompletionPort (FileHandle=0x1d8, ExistingCompletionPort=0x94, CompletionKey=0x3c720f8, NumberOfConcurrentThreads=0x0) returned 0x94 [0165.540] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c720f8, lpOverlapped=0x3c720f8) returned 1 [0165.540] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf303882f, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName="Backup", cAlternateFileName="")) returned 1 [0165.540] lstrcmpiW (lpString1="Backup", lpString2="Windows") returned -1 [0165.540] lstrcmpiW (lpString1="Backup", lpString2="Program Files") returned -1 [0165.540] lstrcmpiW (lpString1="Backup", lpString2="Program Files (x86)") returned -1 [0165.540] lstrcmpiW (lpString1="Backup", lpString2="$Recycle.bin") returned 1 [0165.540] lstrcmpiW (lpString1="Backup", lpString2="System Volume Information") returned -1 [0165.540] lstrcmpiW (lpString1="Backup", lpString2=".") returned 1 [0165.540] lstrcmpiW (lpString1="Backup", lpString2="..") returned 1 [0165.540] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup") returned 64 [0165.540] GetProcessHeap () returned 0x4c0000 [0165.540] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c600f0 [0165.541] lstrcpyW (in: lpString1=0x3c600f0, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup" [0165.541] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\*" [0165.541] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf303882f, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0165.541] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0165.541] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0165.541] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0165.541] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0165.542] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0165.542] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0165.542] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf303882f, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0165.542] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0165.542] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0165.542] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0165.542] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0165.542] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0165.542] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0165.542] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0165.542] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x66b2700, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2f7a14e, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="new", cAlternateFileName="")) returned 1 [0165.542] lstrcmpiW (lpString1="new", lpString2="Windows") returned -1 [0165.542] lstrcmpiW (lpString1="new", lpString2="Program Files") returned -1 [0165.542] lstrcmpiW (lpString1="new", lpString2="Program Files (x86)") returned -1 [0165.542] lstrcmpiW (lpString1="new", lpString2="$Recycle.bin") returned 1 [0165.542] lstrcmpiW (lpString1="new", lpString2="System Volume Information") returned -1 [0165.542] lstrcmpiW (lpString1="new", lpString2=".") returned 1 [0165.542] lstrcmpiW (lpString1="new", lpString2="..") returned 1 [0165.542] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new") returned 68 [0165.542] GetProcessHeap () returned 0x4c0000 [0165.542] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0165.543] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new" [0165.543] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\*" [0165.543] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x66b2700, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2f7a14e, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb71a0 [0165.556] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0165.556] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0165.556] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0165.556] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0165.556] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0165.556] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0165.556] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x66b2700, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2f7a14e, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0165.557] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0165.557] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0165.557] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0165.557] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0165.557] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0165.557] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0165.557] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0165.557] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x650f7e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x650f7e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2f2de8d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x200000, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="edb00001.log", cAlternateFileName="")) returned 1 [0165.557] lstrcmpiW (lpString1="edb00001.log", lpString2="Windows") returned -1 [0165.557] lstrcmpiW (lpString1="edb00001.log", lpString2="Program Files") returned -1 [0165.557] lstrcmpiW (lpString1="edb00001.log", lpString2="Program Files (x86)") returned -1 [0165.557] lstrcmpiW (lpString1="edb00001.log", lpString2="$Recycle.bin") returned 1 [0165.557] lstrcmpiW (lpString1="edb00001.log", lpString2="System Volume Information") returned -1 [0165.557] lstrcmpiW (lpString1="edb00001.log", lpString2=".") returned 1 [0165.557] lstrcmpiW (lpString1="edb00001.log", lpString2="..") returned 1 [0165.557] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\edb00001.log") returned 81 [0165.557] lstrcmpW (lpString1="edb00001.log", lpString2="PUSSY.TXT") returned -1 [0165.557] PathFindExtensionW (pszPath="edb00001.log") returned=".log" [0165.557] lstrlenW (lpString=".log") returned 4 [0165.557] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0165.557] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\edb00001.log" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\backup\\new\\edb00001.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0165.558] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=2097152) returned 1 [0165.558] GetProcessHeap () returned 0x4c0000 [0165.558] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c9a148 [0165.573] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="FD") returned 2 [0165.573] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="9F") returned 2 [0165.573] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="DE") returned 2 [0165.573] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="1A") returned 2 [0165.574] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="94") returned 2 [0165.574] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="C2") returned 2 [0165.574] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="A6") returned 2 [0165.574] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="FC") returned 2 [0165.574] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="50") returned 2 [0165.574] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="39") returned 2 [0165.574] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="C6") returned 2 [0165.574] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="69") returned 2 [0165.574] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="C6") returned 2 [0165.574] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="1E") returned 2 [0165.574] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="36") returned 2 [0165.574] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="A7") returned 2 [0165.574] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="4E") returned 2 [0165.574] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="82") returned 2 [0165.574] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="77") returned 2 [0165.574] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="D8") returned 2 [0165.574] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="0A") returned 2 [0165.574] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="88") returned 2 [0165.574] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="DF") returned 2 [0165.574] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="92") returned 2 [0165.574] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="E3") returned 2 [0165.574] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="96") returned 2 [0165.574] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="92") returned 2 [0165.574] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="8E") returned 2 [0165.574] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="8E") returned 2 [0165.574] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="0E") returned 2 [0165.574] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="44") returned 2 [0165.575] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="3E") returned 2 [0165.588] lstrcpyW (in: lpString1=0x3caa17c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\edb00001.log" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\edb00001.log") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\edb00001.log" [0165.588] lstrcpyW (in: lpString1=0x3c9a17c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\edb00001.log" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\edb00001.log") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\edb00001.log" [0165.588] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\edb00001.log", lpString2=".FD9FDE1A94C2A6FC5039C669C61E36A74E8277D80A88DF92E396928E8E0E443E" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\edb00001.log.FD9FDE1A94C2A6FC5039C669C61E36A74E8277D80A88DF92E396928E8E0E443E") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\edb00001.log.FD9FDE1A94C2A6FC5039C669C61E36A74E8277D80A88DF92E396928E8E0E443E" [0165.588] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x3c9a148, NumberOfConcurrentThreads=0x0) returned 0x94 [0165.588] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c9a148, lpOverlapped=0x3c9a148) returned 1 [0165.589] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x64e9680, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x64e9680, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2ab7545, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x206000, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="WindowsMail.MSMessageStore", cAlternateFileName="WINDOW~1.MSM")) returned 1 [0165.589] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2="Windows") returned 1 [0165.589] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2="Program Files") returned 1 [0165.589] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2="Program Files (x86)") returned 1 [0165.589] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2="$Recycle.bin") returned 1 [0165.589] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2="System Volume Information") returned 1 [0165.589] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2=".") returned 1 [0165.589] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2="..") returned 1 [0165.589] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.MSMessageStore") returned 95 [0165.589] lstrcmpW (lpString1="WindowsMail.MSMessageStore", lpString2="PUSSY.TXT") returned 1 [0165.589] PathFindExtensionW (pszPath="WindowsMail.MSMessageStore") returned=".MSMessageStore" [0165.635] lstrlenW (lpString=".MSMessageStore") returned 15 [0165.635] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0165.635] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.MSMessageStore" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\backup\\new\\windowsmail.msmessagestore"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xec [0165.636] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=2121728) returned 1 [0165.636] GetProcessHeap () returned 0x4c0000 [0165.636] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0165.648] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="33") returned 2 [0165.648] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="21") returned 2 [0165.648] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="F4") returned 2 [0165.648] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="3F") returned 2 [0165.648] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="DD") returned 2 [0165.648] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="A5") returned 2 [0165.648] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="48") returned 2 [0165.648] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="AF") returned 2 [0165.648] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="0E") returned 2 [0165.648] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="71") returned 2 [0165.648] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="A9") returned 2 [0165.648] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="5B") returned 2 [0165.648] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="5B") returned 2 [0165.648] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="B8") returned 2 [0165.648] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="CB") returned 2 [0165.648] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="EA") returned 2 [0165.648] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="22") returned 2 [0165.648] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="6B") returned 2 [0165.648] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="DE") returned 2 [0165.648] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="1B") returned 2 [0165.648] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="2A") returned 2 [0165.648] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="A1") returned 2 [0165.648] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="63") returned 2 [0165.648] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="A9") returned 2 [0165.649] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="D5") returned 2 [0165.649] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="F6") returned 2 [0165.649] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="A8") returned 2 [0165.649] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="21") returned 2 [0165.649] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="F4") returned 2 [0165.649] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="E9") returned 2 [0165.649] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="35") returned 2 [0165.649] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="35") returned 2 [0165.661] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.MSMessageStore" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.MSMessageStore") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.MSMessageStore" [0165.661] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.MSMessageStore" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.MSMessageStore") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.MSMessageStore" [0165.661] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.MSMessageStore", lpString2=".3321F43FDDA548AF0E71A95B5BB8CBEA226BDE1B2AA163A9D5F6A821F4E93535" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.MSMessageStore.3321F43FDDA548AF0E71A95B5BB8CBEA226BDE1B2AA163A9D5F6A821F4E93535") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.MSMessageStore.3321F43FDDA548AF0E71A95B5BB8CBEA226BDE1B2AA163A9D5F6A821F4E93535" [0165.661] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0165.661] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0165.662] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x64e9680, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x64e9680, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2fec56f, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="WindowsMail.pat", cAlternateFileName="WINDOW~1.PAT")) returned 1 [0165.662] lstrcmpiW (lpString1="WindowsMail.pat", lpString2="Windows") returned 1 [0165.662] lstrcmpiW (lpString1="WindowsMail.pat", lpString2="Program Files") returned 1 [0165.662] lstrcmpiW (lpString1="WindowsMail.pat", lpString2="Program Files (x86)") returned 1 [0165.706] lstrcmpiW (lpString1="WindowsMail.pat", lpString2="$Recycle.bin") returned 1 [0165.706] lstrcmpiW (lpString1="WindowsMail.pat", lpString2="System Volume Information") returned 1 [0165.706] lstrcmpiW (lpString1="WindowsMail.pat", lpString2=".") returned 1 [0165.706] lstrcmpiW (lpString1="WindowsMail.pat", lpString2="..") returned 1 [0165.706] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.pat") returned 84 [0165.706] lstrcmpW (lpString1="WindowsMail.pat", lpString2="PUSSY.TXT") returned 1 [0165.706] PathFindExtensionW (pszPath="WindowsMail.pat") returned=".pat" [0165.706] lstrlenW (lpString=".pat") returned 4 [0165.706] SystemFunction036 (in: RandomBuffer=0x28b4c4, RandomBufferLength=0x20 | out: RandomBuffer=0x28b4c4) returned 1 [0165.706] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.pat" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\backup\\new\\windowsmail.pat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1c0 [0165.707] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x28b4b8 | out: lpFileSize=0x28b4b8*=16384) returned 1 [0165.707] GetProcessHeap () returned 0x4c0000 [0165.707] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52aad8 [0165.721] wsprintfW (in: param_1=0x28b506, param_2="%02X" | out: param_1="DA") returned 2 [0165.721] wsprintfW (in: param_1=0x28b50a, param_2="%02X" | out: param_1="F3") returned 2 [0165.721] wsprintfW (in: param_1=0x28b50e, param_2="%02X" | out: param_1="80") returned 2 [0165.721] wsprintfW (in: param_1=0x28b512, param_2="%02X" | out: param_1="44") returned 2 [0165.721] wsprintfW (in: param_1=0x28b516, param_2="%02X" | out: param_1="2D") returned 2 [0165.721] wsprintfW (in: param_1=0x28b51a, param_2="%02X" | out: param_1="4D") returned 2 [0165.721] wsprintfW (in: param_1=0x28b51e, param_2="%02X" | out: param_1="DA") returned 2 [0165.721] wsprintfW (in: param_1=0x28b522, param_2="%02X" | out: param_1="55") returned 2 [0165.722] wsprintfW (in: param_1=0x28b526, param_2="%02X" | out: param_1="25") returned 2 [0165.722] wsprintfW (in: param_1=0x28b52a, param_2="%02X" | out: param_1="D0") returned 2 [0165.722] wsprintfW (in: param_1=0x28b52e, param_2="%02X" | out: param_1="D5") returned 2 [0165.722] wsprintfW (in: param_1=0x28b532, param_2="%02X" | out: param_1="47") returned 2 [0165.722] wsprintfW (in: param_1=0x28b536, param_2="%02X" | out: param_1="C7") returned 2 [0165.722] wsprintfW (in: param_1=0x28b53a, param_2="%02X" | out: param_1="2D") returned 2 [0165.722] wsprintfW (in: param_1=0x28b53e, param_2="%02X" | out: param_1="06") returned 2 [0165.722] wsprintfW (in: param_1=0x28b542, param_2="%02X" | out: param_1="66") returned 2 [0165.722] wsprintfW (in: param_1=0x28b546, param_2="%02X" | out: param_1="A3") returned 2 [0165.722] wsprintfW (in: param_1=0x28b54a, param_2="%02X" | out: param_1="4F") returned 2 [0165.722] wsprintfW (in: param_1=0x28b54e, param_2="%02X" | out: param_1="B3") returned 2 [0165.722] wsprintfW (in: param_1=0x28b552, param_2="%02X" | out: param_1="5C") returned 2 [0165.722] wsprintfW (in: param_1=0x28b556, param_2="%02X" | out: param_1="08") returned 2 [0165.722] wsprintfW (in: param_1=0x28b55a, param_2="%02X" | out: param_1="02") returned 2 [0165.722] wsprintfW (in: param_1=0x28b55e, param_2="%02X" | out: param_1="1C") returned 2 [0165.722] wsprintfW (in: param_1=0x28b562, param_2="%02X" | out: param_1="F3") returned 2 [0165.722] wsprintfW (in: param_1=0x28b566, param_2="%02X" | out: param_1="0C") returned 2 [0165.722] wsprintfW (in: param_1=0x28b56a, param_2="%02X" | out: param_1="6A") returned 2 [0165.722] wsprintfW (in: param_1=0x28b56e, param_2="%02X" | out: param_1="5E") returned 2 [0165.722] wsprintfW (in: param_1=0x28b572, param_2="%02X" | out: param_1="DD") returned 2 [0165.722] wsprintfW (in: param_1=0x28b576, param_2="%02X" | out: param_1="9A") returned 2 [0165.722] wsprintfW (in: param_1=0x28b57a, param_2="%02X" | out: param_1="0B") returned 2 [0165.722] wsprintfW (in: param_1=0x28b57e, param_2="%02X" | out: param_1="DA") returned 2 [0165.722] wsprintfW (in: param_1=0x28b582, param_2="%02X" | out: param_1="76") returned 2 [0165.735] lstrcpyW (in: lpString1=0x53ab0c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.pat" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.pat") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.pat" [0165.735] lstrcpyW (in: lpString1=0x52ab0c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.pat" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.pat") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.pat" [0165.735] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.pat", lpString2=".DAF380442D4DDA5525D0D547C72D0666A34FB35C08021CF30C6A5EDD9A0BDA76" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.pat.DAF380442D4DDA5525D0D547C72D0666A34FB35C08021CF30C6A5EDD9A0BDA76") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.pat.DAF380442D4DDA5525D0D547C72D0666A34FB35C08021CF30C6A5EDD9A0BDA76" [0165.735] CreateIoCompletionPort (FileHandle=0x1c0, ExistingCompletionPort=0x94, CompletionKey=0x52aad8, NumberOfConcurrentThreads=0x0) returned 0x94 [0165.735] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52aad8, lpOverlapped=0x52aad8) returned 1 [0165.736] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x64e9680, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x64e9680, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2fec56f, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x4e29d8, dwReserved1=0xfe000000, cFileName="WindowsMail.pat", cAlternateFileName="WINDOW~1.PAT")) returned 0 [0165.759] FindClose (in: hFindFile=0x3bb71a0 | out: hFindFile=0x3bb71a0) returned 1 [0165.759] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\PUSSY.TXT") returned 78 [0165.759] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\backup\\new\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0165.760] lstrlenA (lpString="abcd") returned 4 [0165.760] WriteFile (in: hFile=0x178, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0165.761] CloseHandle (hObject=0x178) returned 1 [0165.762] GetProcessHeap () returned 0x4c0000 [0165.762] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0165.762] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x66b2700, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2f7a14e, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28bdb0, dwReserved1=0x77c61b06, cFileName="new", cAlternateFileName="")) returned 0 [0165.762] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0165.762] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\PUSSY.TXT") returned 74 [0165.762] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\backup\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x128 [0165.763] lstrlenA (lpString="abcd") returned 4 [0165.763] WriteFile (in: hFile=0x128, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0165.764] CloseHandle (hObject=0x128) returned 1 [0165.764] GetProcessHeap () returned 0x4c0000 [0165.764] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c600f0 | out: hHeap=0x4c0000) returned 1 [0165.764] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x64c3520, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x64c3520, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd7bc3a13, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName="edb.chk", cAlternateFileName="")) returned 1 [0165.764] lstrcmpiW (lpString1="edb.chk", lpString2="Windows") returned -1 [0165.765] lstrcmpiW (lpString1="edb.chk", lpString2="Program Files") returned -1 [0165.765] lstrcmpiW (lpString1="edb.chk", lpString2="Program Files (x86)") returned -1 [0165.765] lstrcmpiW (lpString1="edb.chk", lpString2="$Recycle.bin") returned 1 [0165.765] lstrcmpiW (lpString1="edb.chk", lpString2="System Volume Information") returned -1 [0165.765] lstrcmpiW (lpString1="edb.chk", lpString2=".") returned 1 [0165.765] lstrcmpiW (lpString1="edb.chk", lpString2="..") returned 1 [0165.765] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk") returned 65 [0165.765] lstrcmpW (lpString1="edb.chk", lpString2="PUSSY.TXT") returned -1 [0165.765] PathFindExtensionW (pszPath="edb.chk") returned=".chk" [0165.765] lstrlenW (lpString=".chk") returned 4 [0165.765] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0165.765] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edb.chk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x128 [0165.766] GetFileSizeEx (in: hFile=0x128, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=8192) returned 1 [0165.766] GetProcessHeap () returned 0x4c0000 [0165.766] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x552b28 [0165.779] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="29") returned 2 [0165.813] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="D3") returned 2 [0165.813] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="54") returned 2 [0165.813] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="01") returned 2 [0165.813] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="25") returned 2 [0165.813] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="32") returned 2 [0165.813] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="D1") returned 2 [0165.814] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="32") returned 2 [0165.814] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="8E") returned 2 [0165.814] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="93") returned 2 [0165.814] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="8D") returned 2 [0165.814] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="90") returned 2 [0165.814] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="14") returned 2 [0165.814] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="6B") returned 2 [0165.814] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="E3") returned 2 [0165.814] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="AD") returned 2 [0165.814] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="9A") returned 2 [0165.814] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="DF") returned 2 [0165.814] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="4C") returned 2 [0165.814] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="9D") returned 2 [0165.814] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="16") returned 2 [0165.814] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="65") returned 2 [0165.814] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="06") returned 2 [0165.814] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="7C") returned 2 [0165.814] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="38") returned 2 [0165.814] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="2C") returned 2 [0165.815] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="CF") returned 2 [0165.815] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="79") returned 2 [0165.815] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="9E") returned 2 [0165.815] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="FD") returned 2 [0165.815] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="A1") returned 2 [0165.815] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="7E") returned 2 [0165.828] lstrcpyW (in: lpString1=0x562b5c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk" [0165.828] lstrcpyW (in: lpString1=0x552b5c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk" [0165.828] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk", lpString2=".29D354012532D1328E938D90146BE3AD9ADF4C9D1665067C382CCF799EFDA17E" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk.29D354012532D1328E938D90146BE3AD9ADF4C9D1665067C382CCF799EFDA17E") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk.29D354012532D1328E938D90146BE3AD9ADF4C9D1665067C382CCF799EFDA17E" [0165.828] CreateIoCompletionPort (FileHandle=0x128, ExistingCompletionPort=0x94, CompletionKey=0x552b28, NumberOfConcurrentThreads=0x0) returned 0x94 [0165.828] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x552b28, lpOverlapped=0x552b28) returned 1 [0165.856] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x64c3520, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x64c3520, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd7bc3a13, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x200000, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName="edb.log", cAlternateFileName="")) returned 1 [0165.856] lstrcmpiW (lpString1="edb.log", lpString2="Windows") returned -1 [0165.856] lstrcmpiW (lpString1="edb.log", lpString2="Program Files") returned -1 [0165.856] lstrcmpiW (lpString1="edb.log", lpString2="Program Files (x86)") returned -1 [0165.856] lstrcmpiW (lpString1="edb.log", lpString2="$Recycle.bin") returned 1 [0165.856] lstrcmpiW (lpString1="edb.log", lpString2="System Volume Information") returned -1 [0165.856] lstrcmpiW (lpString1="edb.log", lpString2=".") returned 1 [0165.856] lstrcmpiW (lpString1="edb.log", lpString2="..") returned 1 [0165.856] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log") returned 65 [0165.856] lstrcmpW (lpString1="edb.log", lpString2="PUSSY.TXT") returned -1 [0165.856] PathFindExtensionW (pszPath="edb.log") returned=".log" [0165.856] lstrlenW (lpString=".log") returned 4 [0165.856] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0165.856] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edb.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xec [0165.857] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=2097152) returned 1 [0165.857] GetProcessHeap () returned 0x4c0000 [0165.858] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0165.871] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="9E") returned 2 [0165.871] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="B5") returned 2 [0165.871] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="95") returned 2 [0165.871] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="D6") returned 2 [0165.872] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="AA") returned 2 [0165.872] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="25") returned 2 [0165.872] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="96") returned 2 [0165.872] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="15") returned 2 [0165.872] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="CA") returned 2 [0165.872] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="E5") returned 2 [0165.872] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="97") returned 2 [0165.872] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="FC") returned 2 [0165.872] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="08") returned 2 [0165.872] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="AB") returned 2 [0165.872] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="4F") returned 2 [0165.872] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="EB") returned 2 [0165.872] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="A5") returned 2 [0165.872] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="49") returned 2 [0165.872] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="A0") returned 2 [0165.872] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="87") returned 2 [0165.872] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="9D") returned 2 [0165.872] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="19") returned 2 [0165.872] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="37") returned 2 [0165.872] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="D0") returned 2 [0165.872] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="F9") returned 2 [0165.873] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="23") returned 2 [0165.873] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="88") returned 2 [0165.873] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="6B") returned 2 [0165.873] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="77") returned 2 [0165.873] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="C9") returned 2 [0165.873] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="37") returned 2 [0165.873] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="21") returned 2 [0165.885] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log" [0165.885] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log" [0165.885] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log", lpString2=".9EB595D6AA259615CAE597FC08AB4FEBA549A0879D1937D0F923886B77C93721" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log.9EB595D6AA259615CAE597FC08AB4FEBA549A0879D1937D0F923886B77C93721") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log.9EB595D6AA259615CAE597FC08AB4FEBA549A0879D1937D0F923886B77C93721" [0165.885] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0165.885] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0165.886] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x64c3520, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x64c3520, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2b29966, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x200000, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName="edb00001.log", cAlternateFileName="")) returned 1 [0165.886] lstrcmpiW (lpString1="edb00001.log", lpString2="Windows") returned -1 [0165.886] lstrcmpiW (lpString1="edb00001.log", lpString2="Program Files") returned -1 [0165.931] lstrcmpiW (lpString1="edb00001.log", lpString2="Program Files (x86)") returned -1 [0165.931] lstrcmpiW (lpString1="edb00001.log", lpString2="$Recycle.bin") returned 1 [0165.931] lstrcmpiW (lpString1="edb00001.log", lpString2="System Volume Information") returned -1 [0165.931] lstrcmpiW (lpString1="edb00001.log", lpString2=".") returned 1 [0165.931] lstrcmpiW (lpString1="edb00001.log", lpString2="..") returned 1 [0165.931] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log") returned 70 [0165.931] lstrcmpW (lpString1="edb00001.log", lpString2="PUSSY.TXT") returned -1 [0165.931] PathFindExtensionW (pszPath="edb00001.log") returned=".log" [0165.931] lstrlenW (lpString=".log") returned 4 [0165.931] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0165.931] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edb00001.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0165.932] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=2097152) returned 1 [0165.932] GetProcessHeap () returned 0x4c0000 [0165.932] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0165.946] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="C6") returned 2 [0165.946] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="8C") returned 2 [0165.946] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="05") returned 2 [0165.946] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="29") returned 2 [0165.946] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="4F") returned 2 [0165.947] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="CA") returned 2 [0165.947] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="02") returned 2 [0165.947] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="31") returned 2 [0165.947] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="94") returned 2 [0165.947] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="3C") returned 2 [0165.947] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="7B") returned 2 [0165.947] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="A0") returned 2 [0165.947] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="5D") returned 2 [0165.947] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="95") returned 2 [0165.947] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="95") returned 2 [0165.947] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="97") returned 2 [0165.947] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="AB") returned 2 [0165.947] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="2F") returned 2 [0165.947] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="65") returned 2 [0165.947] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="17") returned 2 [0165.947] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="F4") returned 2 [0165.947] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="DF") returned 2 [0165.947] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="37") returned 2 [0165.947] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="AC") returned 2 [0165.947] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="44") returned 2 [0165.947] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="3E") returned 2 [0165.947] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="5A") returned 2 [0165.947] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="67") returned 2 [0165.947] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="14") returned 2 [0165.948] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="65") returned 2 [0165.948] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="1A") returned 2 [0165.948] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="01") returned 2 [0165.960] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log" [0165.960] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log" [0165.960] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log", lpString2=".C68C05294FCA0231943C7BA05D959597AB2F6517F4DF37AC443E5A6714651A01" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log.C68C05294FCA0231943C7BA05D959597AB2F6517F4DF37AC443E5A6714651A01") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log.C68C05294FCA0231943C7BA05D959597AB2F6517F4DF37AC443E5A6714651A01" [0165.960] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0165.961] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0166.004] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x64c3520, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x64c3520, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2027392, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x200000, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName="edbres00001.jrs", cAlternateFileName="EDBRES~2.JRS")) returned 1 [0166.004] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="Windows") returned -1 [0166.004] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="Program Files") returned -1 [0166.004] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="Program Files (x86)") returned -1 [0166.005] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="$Recycle.bin") returned 1 [0166.005] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="System Volume Information") returned -1 [0166.005] lstrcmpiW (lpString1="edbres00001.jrs", lpString2=".") returned 1 [0166.005] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="..") returned 1 [0166.005] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs") returned 73 [0166.005] lstrcmpW (lpString1="edbres00001.jrs", lpString2="PUSSY.TXT") returned -1 [0166.005] PathFindExtensionW (pszPath="edbres00001.jrs") returned=".jrs" [0166.005] lstrlenW (lpString=".jrs") returned 4 [0166.005] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0166.005] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edbres00001.jrs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d4 [0166.006] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=2097152) returned 1 [0166.006] GetProcessHeap () returned 0x4c0000 [0166.006] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c28098 [0166.019] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="B1") returned 2 [0166.019] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="6B") returned 2 [0166.019] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="2A") returned 2 [0166.019] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="32") returned 2 [0166.020] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="D5") returned 2 [0166.020] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="1F") returned 2 [0166.020] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="23") returned 2 [0166.020] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="10") returned 2 [0166.020] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="27") returned 2 [0166.020] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="D4") returned 2 [0166.020] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="AE") returned 2 [0166.020] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="D0") returned 2 [0166.020] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="A8") returned 2 [0166.020] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="A3") returned 2 [0166.020] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="F8") returned 2 [0166.020] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="FB") returned 2 [0166.020] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="E7") returned 2 [0166.020] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="03") returned 2 [0166.020] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="D7") returned 2 [0166.020] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="22") returned 2 [0166.020] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="E1") returned 2 [0166.020] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="5A") returned 2 [0166.020] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="0E") returned 2 [0166.020] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="E8") returned 2 [0166.020] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="84") returned 2 [0166.020] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="66") returned 2 [0166.020] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="07") returned 2 [0166.021] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="82") returned 2 [0166.021] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="D8") returned 2 [0166.021] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="A5") returned 2 [0166.021] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="E5") returned 2 [0166.021] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="6A") returned 2 [0166.046] lstrcpyW (in: lpString1=0x3c380cc, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs" [0166.046] lstrcpyW (in: lpString1=0x3c280cc, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs" [0166.046] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs", lpString2=".B16B2A32D51F231027D4AED0A8A3F8FBE703D722E15A0EE884660782D8A5E56A" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs.B16B2A32D51F231027D4AED0A8A3F8FBE703D722E15A0EE884660782D8A5E56A") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs.B16B2A32D51F231027D4AED0A8A3F8FBE703D722E15A0EE884660782D8A5E56A" [0166.046] CreateIoCompletionPort (FileHandle=0x1d4, ExistingCompletionPort=0x94, CompletionKey=0x3c28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0166.046] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c28098, lpOverlapped=0x3c28098) returned 1 [0166.047] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x64c3520, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x64c3520, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2216575, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x200000, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName="edbres00002.jrs", cAlternateFileName="EDBRES~1.JRS")) returned 1 [0166.047] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="Windows") returned -1 [0166.047] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="Program Files") returned -1 [0166.047] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="Program Files (x86)") returned -1 [0166.091] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="$Recycle.bin") returned 1 [0166.091] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="System Volume Information") returned -1 [0166.091] lstrcmpiW (lpString1="edbres00002.jrs", lpString2=".") returned 1 [0166.091] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="..") returned 1 [0166.091] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs") returned 73 [0166.091] lstrcmpW (lpString1="edbres00002.jrs", lpString2="PUSSY.TXT") returned -1 [0166.092] PathFindExtensionW (pszPath="edbres00002.jrs") returned=".jrs" [0166.092] lstrlenW (lpString=".jrs") returned 4 [0166.092] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0166.092] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edbres00002.jrs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xec [0166.093] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=2097152) returned 1 [0166.093] GetProcessHeap () returned 0x4c0000 [0166.093] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c720f8 [0166.109] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="15") returned 2 [0166.109] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="7E") returned 2 [0166.109] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="88") returned 2 [0166.109] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="DE") returned 2 [0166.109] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="48") returned 2 [0166.109] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="6C") returned 2 [0166.109] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="7C") returned 2 [0166.109] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="5A") returned 2 [0166.109] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="24") returned 2 [0166.109] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="A6") returned 2 [0166.109] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="D6") returned 2 [0166.109] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="65") returned 2 [0166.109] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="81") returned 2 [0166.109] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="11") returned 2 [0166.109] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="EF") returned 2 [0166.109] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="96") returned 2 [0166.109] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="C3") returned 2 [0166.110] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="6B") returned 2 [0166.110] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="0C") returned 2 [0166.110] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="AB") returned 2 [0166.110] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="50") returned 2 [0166.110] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="57") returned 2 [0166.110] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="98") returned 2 [0166.110] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="2E") returned 2 [0166.110] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="3B") returned 2 [0166.110] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="54") returned 2 [0166.110] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="F2") returned 2 [0166.110] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="30") returned 2 [0166.110] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="6C") returned 2 [0166.110] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="9C") returned 2 [0166.110] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="45") returned 2 [0166.110] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="2D") returned 2 [0166.123] lstrcpyW (in: lpString1=0x3c8212c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs" [0166.123] lstrcpyW (in: lpString1=0x3c7212c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs" [0166.123] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs", lpString2=".157E88DE486C7C5A24A6D6658111EF96C36B0CAB5057982E3B54F2306C9C452D" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs.157E88DE486C7C5A24A6D6658111EF96C36B0CAB5057982E3B54F2306C9C452D") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs.157E88DE486C7C5A24A6D6658111EF96C36B0CAB5057982E3B54F2306C9C452D" [0166.123] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x94, CompletionKey=0x3c720f8, NumberOfConcurrentThreads=0x0) returned 0x94 [0166.123] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c720f8, lpOverlapped=0x3c720f8) returned 1 [0166.125] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x64c3520, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x64c3520, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf67dcad6, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x104, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName="oeold.xml", cAlternateFileName="")) returned 1 [0166.125] lstrcmpiW (lpString1="oeold.xml", lpString2="Windows") returned -1 [0166.125] lstrcmpiW (lpString1="oeold.xml", lpString2="Program Files") returned -1 [0166.125] lstrcmpiW (lpString1="oeold.xml", lpString2="Program Files (x86)") returned -1 [0166.125] lstrcmpiW (lpString1="oeold.xml", lpString2="$Recycle.bin") returned 1 [0166.125] lstrcmpiW (lpString1="oeold.xml", lpString2="System Volume Information") returned -1 [0166.125] lstrcmpiW (lpString1="oeold.xml", lpString2=".") returned 1 [0166.125] lstrcmpiW (lpString1="oeold.xml", lpString2="..") returned 1 [0166.125] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\oeold.xml") returned 67 [0166.125] lstrcmpW (lpString1="oeold.xml", lpString2="PUSSY.TXT") returned -1 [0166.125] PathFindExtensionW (pszPath="oeold.xml") returned=".xml" [0166.126] lstrlenW (lpString=".xml") returned 4 [0166.126] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0166.126] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\oeold.xml" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\oeold.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x128 [0166.127] GetFileSizeEx (in: hFile=0x128, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=260) returned 1 [0166.127] CloseHandle (hObject=0x128) returned 1 [0166.127] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x650f7e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf690d5d8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName="Stationery", cAlternateFileName="STATIO~1")) returned 1 [0166.127] lstrcmpiW (lpString1="Stationery", lpString2="Windows") returned -1 [0166.127] lstrcmpiW (lpString1="Stationery", lpString2="Program Files") returned 1 [0166.127] lstrcmpiW (lpString1="Stationery", lpString2="Program Files (x86)") returned 1 [0166.127] lstrcmpiW (lpString1="Stationery", lpString2="$Recycle.bin") returned 1 [0166.127] lstrcmpiW (lpString1="Stationery", lpString2="System Volume Information") returned -1 [0166.127] lstrcmpiW (lpString1="Stationery", lpString2=".") returned 1 [0166.127] lstrcmpiW (lpString1="Stationery", lpString2="..") returned 1 [0166.127] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery") returned 68 [0166.127] GetProcessHeap () returned 0x4c0000 [0166.127] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c600f0 [0166.128] lstrcpyW (in: lpString1=0x3c600f0, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery" [0166.128] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\*" [0166.128] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x650f7e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf690d5d8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0166.187] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0166.187] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0166.187] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0166.187] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0166.187] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0166.187] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0166.187] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x650f7e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf690d5d8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0166.187] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0166.187] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0166.187] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0166.188] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0166.188] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0166.188] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0166.188] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0166.188] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x64c3520, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x64c3520, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xcdfff30e, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xff, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Bears.htm", cAlternateFileName="")) returned 1 [0166.188] lstrcmpiW (lpString1="Bears.htm", lpString2="Windows") returned -1 [0166.188] lstrcmpiW (lpString1="Bears.htm", lpString2="Program Files") returned -1 [0166.188] lstrcmpiW (lpString1="Bears.htm", lpString2="Program Files (x86)") returned -1 [0166.188] lstrcmpiW (lpString1="Bears.htm", lpString2="$Recycle.bin") returned 1 [0166.188] lstrcmpiW (lpString1="Bears.htm", lpString2="System Volume Information") returned -1 [0166.188] lstrcmpiW (lpString1="Bears.htm", lpString2=".") returned 1 [0166.188] lstrcmpiW (lpString1="Bears.htm", lpString2="..") returned 1 [0166.188] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.htm") returned 78 [0166.188] lstrcmpW (lpString1="Bears.htm", lpString2="PUSSY.TXT") returned -1 [0166.188] PathFindExtensionW (pszPath="Bears.htm") returned=".htm" [0166.188] lstrlenW (lpString=".htm") returned 4 [0166.188] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0166.188] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\bears.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0166.189] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=255) returned 1 [0166.189] CloseHandle (hObject=0x19c) returned 1 [0166.189] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x64c3520, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x64c3520, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xaa352261, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x432, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Bears.jpg", cAlternateFileName="")) returned 1 [0166.189] lstrcmpiW (lpString1="Bears.jpg", lpString2="Windows") returned -1 [0166.190] lstrcmpiW (lpString1="Bears.jpg", lpString2="Program Files") returned -1 [0166.190] lstrcmpiW (lpString1="Bears.jpg", lpString2="Program Files (x86)") returned -1 [0166.190] lstrcmpiW (lpString1="Bears.jpg", lpString2="$Recycle.bin") returned 1 [0166.190] lstrcmpiW (lpString1="Bears.jpg", lpString2="System Volume Information") returned -1 [0166.190] lstrcmpiW (lpString1="Bears.jpg", lpString2=".") returned 1 [0166.190] lstrcmpiW (lpString1="Bears.jpg", lpString2="..") returned 1 [0166.190] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg") returned 78 [0166.190] lstrcmpW (lpString1="Bears.jpg", lpString2="PUSSY.TXT") returned -1 [0166.190] PathFindExtensionW (pszPath="Bears.jpg") returned=".jpg" [0166.190] lstrlenW (lpString=".jpg") returned 4 [0166.190] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0166.190] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\bears.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0166.191] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=1074) returned 1 [0166.191] GetProcessHeap () returned 0x4c0000 [0166.191] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0166.207] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="86") returned 2 [0166.207] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="DF") returned 2 [0166.207] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="CF") returned 2 [0166.207] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="04") returned 2 [0166.207] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="FA") returned 2 [0166.207] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="A8") returned 2 [0166.207] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="34") returned 2 [0166.207] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="B3") returned 2 [0166.207] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="52") returned 2 [0166.208] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="56") returned 2 [0166.208] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="19") returned 2 [0166.208] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="B5") returned 2 [0166.208] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="7B") returned 2 [0166.208] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="AC") returned 2 [0166.208] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="D1") returned 2 [0166.208] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="8D") returned 2 [0166.208] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="D2") returned 2 [0166.208] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="8D") returned 2 [0166.208] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="4D") returned 2 [0166.208] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="A6") returned 2 [0166.208] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="8A") returned 2 [0166.208] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="BA") returned 2 [0166.208] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="15") returned 2 [0166.208] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="57") returned 2 [0166.208] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="77") returned 2 [0166.208] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="96") returned 2 [0166.208] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="B4") returned 2 [0166.208] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="ED") returned 2 [0166.208] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="F0") returned 2 [0166.208] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="E0") returned 2 [0166.208] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="8A") returned 2 [0166.208] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="78") returned 2 [0166.222] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg" [0166.222] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg" [0166.222] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg", lpString2=".86DFCF04FAA834B3525619B57BACD18DD28D4DA68ABA15577796B4EDF0E08A78" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg.86DFCF04FAA834B3525619B57BACD18DD28D4DA68ABA15577796B4EDF0E08A78") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg.86DFCF04FAA834B3525619B57BACD18DD28D4DA68ABA15577796B4EDF0E08A78" [0166.222] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0166.222] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0166.222] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x64c3520, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x64c3520, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x7bf1d2d9, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x285, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Desktop.ini", cAlternateFileName="")) returned 1 [0166.223] lstrcmpiW (lpString1="Desktop.ini", lpString2="Windows") returned -1 [0166.223] lstrcmpiW (lpString1="Desktop.ini", lpString2="Program Files") returned -1 [0166.223] lstrcmpiW (lpString1="Desktop.ini", lpString2="Program Files (x86)") returned -1 [0166.223] lstrcmpiW (lpString1="Desktop.ini", lpString2="$Recycle.bin") returned 1 [0166.223] lstrcmpiW (lpString1="Desktop.ini", lpString2="System Volume Information") returned -1 [0166.223] lstrcmpiW (lpString1="Desktop.ini", lpString2=".") returned 1 [0166.223] lstrcmpiW (lpString1="Desktop.ini", lpString2="..") returned 1 [0166.223] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini") returned 80 [0166.223] lstrcmpW (lpString1="Desktop.ini", lpString2="PUSSY.TXT") returned -1 [0166.223] PathFindExtensionW (pszPath="Desktop.ini") returned=".ini" [0166.223] lstrlenW (lpString=".ini") returned 4 [0166.223] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0166.223] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1c0 [0166.225] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=645) returned 1 [0166.225] GetProcessHeap () returned 0x4c0000 [0166.225] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c9a148 [0166.237] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="D4") returned 2 [0166.237] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="62") returned 2 [0166.237] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="21") returned 2 [0166.237] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="21") returned 2 [0166.237] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="42") returned 2 [0166.237] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="71") returned 2 [0166.237] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="A5") returned 2 [0166.237] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="4A") returned 2 [0166.237] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="1D") returned 2 [0166.237] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="09") returned 2 [0166.238] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="95") returned 2 [0166.238] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="04") returned 2 [0166.238] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="F2") returned 2 [0166.238] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="92") returned 2 [0166.238] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="95") returned 2 [0166.238] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="3F") returned 2 [0166.238] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="6A") returned 2 [0166.238] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="31") returned 2 [0166.238] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="AD") returned 2 [0166.238] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="73") returned 2 [0166.238] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="11") returned 2 [0166.238] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="0E") returned 2 [0166.238] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="4E") returned 2 [0166.238] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="A5") returned 2 [0166.238] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="40") returned 2 [0166.238] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="24") returned 2 [0166.238] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="5C") returned 2 [0166.238] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="6D") returned 2 [0166.238] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="9C") returned 2 [0166.238] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="6D") returned 2 [0166.238] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="D3") returned 2 [0166.238] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="4F") returned 2 [0166.246] lstrcpyW (in: lpString1=0x3caa17c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini" [0166.246] lstrcpyW (in: lpString1=0x3c9a17c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini" [0166.246] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini", lpString2=".D46221214271A54A1D099504F292953F6A31AD73110E4EA540245C6D9C6DD34F" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini.D46221214271A54A1D099504F292953F6A31AD73110E4EA540245C6D9C6DD34F") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini.D46221214271A54A1D099504F292953F6A31AD73110E4EA540245C6D9C6DD34F" [0166.246] CreateIoCompletionPort (FileHandle=0x1c0, ExistingCompletionPort=0x94, CompletionKey=0x3c9a148, NumberOfConcurrentThreads=0x0) returned 0x94 [0166.247] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c9a148, lpOverlapped=0x3c9a148) returned 1 [0166.261] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x650f7e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x650f7e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xce04b5c8, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xe7, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Garden.htm", cAlternateFileName="")) returned 1 [0166.261] lstrcmpiW (lpString1="Garden.htm", lpString2="Windows") returned -1 [0166.261] lstrcmpiW (lpString1="Garden.htm", lpString2="Program Files") returned -1 [0166.261] lstrcmpiW (lpString1="Garden.htm", lpString2="Program Files (x86)") returned -1 [0166.261] lstrcmpiW (lpString1="Garden.htm", lpString2="$Recycle.bin") returned 1 [0166.261] lstrcmpiW (lpString1="Garden.htm", lpString2="System Volume Information") returned -1 [0166.261] lstrcmpiW (lpString1="Garden.htm", lpString2=".") returned 1 [0166.261] lstrcmpiW (lpString1="Garden.htm", lpString2="..") returned 1 [0166.261] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.htm") returned 79 [0166.261] lstrcmpW (lpString1="Garden.htm", lpString2="PUSSY.TXT") returned -1 [0166.261] PathFindExtensionW (pszPath="Garden.htm") returned=".htm" [0166.261] lstrlenW (lpString=".htm") returned 4 [0166.261] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0166.261] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\garden.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0166.262] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=231) returned 1 [0166.262] CloseHandle (hObject=0x19c) returned 1 [0166.262] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x64c3520, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x64c3520, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xaa410937, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x5d3f, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Garden.jpg", cAlternateFileName="")) returned 1 [0166.262] lstrcmpiW (lpString1="Garden.jpg", lpString2="Windows") returned -1 [0166.262] lstrcmpiW (lpString1="Garden.jpg", lpString2="Program Files") returned -1 [0166.262] lstrcmpiW (lpString1="Garden.jpg", lpString2="Program Files (x86)") returned -1 [0166.262] lstrcmpiW (lpString1="Garden.jpg", lpString2="$Recycle.bin") returned 1 [0166.262] lstrcmpiW (lpString1="Garden.jpg", lpString2="System Volume Information") returned -1 [0166.263] lstrcmpiW (lpString1="Garden.jpg", lpString2=".") returned 1 [0166.263] lstrcmpiW (lpString1="Garden.jpg", lpString2="..") returned 1 [0166.263] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg") returned 79 [0166.263] lstrcmpW (lpString1="Garden.jpg", lpString2="PUSSY.TXT") returned -1 [0166.263] PathFindExtensionW (pszPath="Garden.jpg") returned=".jpg" [0166.263] lstrlenW (lpString=".jpg") returned 4 [0166.263] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0166.263] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\garden.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0166.263] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=23871) returned 1 [0166.263] GetProcessHeap () returned 0x4c0000 [0166.264] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0166.273] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="DA") returned 2 [0166.273] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="DB") returned 2 [0166.273] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="F5") returned 2 [0166.273] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="0D") returned 2 [0166.273] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="16") returned 2 [0166.273] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="81") returned 2 [0166.273] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="C9") returned 2 [0166.273] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="40") returned 2 [0166.273] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="1C") returned 2 [0166.273] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="52") returned 2 [0166.273] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="8F") returned 2 [0166.273] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="50") returned 2 [0166.273] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="FD") returned 2 [0166.273] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="19") returned 2 [0166.273] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="0D") returned 2 [0166.273] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="52") returned 2 [0166.273] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="75") returned 2 [0166.273] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="EF") returned 2 [0166.273] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="5D") returned 2 [0166.273] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="5B") returned 2 [0166.273] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="A9") returned 2 [0166.273] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="45") returned 2 [0166.273] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="6C") returned 2 [0166.274] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="82") returned 2 [0166.274] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="C5") returned 2 [0166.274] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="72") returned 2 [0166.274] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="21") returned 2 [0166.274] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="36") returned 2 [0166.274] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="BA") returned 2 [0166.274] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="78") returned 2 [0166.274] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="F5") returned 2 [0166.274] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="74") returned 2 [0166.283] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg" [0166.283] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg" [0166.283] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg", lpString2=".DADBF50D1681C9401C528F50FD190D5275EF5D5BA9456C82C5722136BA78F574" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg.DADBF50D1681C9401C528F50FD190D5275EF5D5BA9456C82C5722136BA78F574") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg.DADBF50D1681C9401C528F50FD190D5275EF5D5BA9456C82C5722136BA78F574" [0166.283] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0166.283] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0166.283] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x64c3520, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x64c3520, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xce071725, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xed, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Green Bubbles.htm", cAlternateFileName="GREENB~1.HTM")) returned 1 [0166.284] lstrcmpiW (lpString1="Green Bubbles.htm", lpString2="Windows") returned -1 [0166.284] lstrcmpiW (lpString1="Green Bubbles.htm", lpString2="Program Files") returned -1 [0166.284] lstrcmpiW (lpString1="Green Bubbles.htm", lpString2="Program Files (x86)") returned -1 [0166.284] lstrcmpiW (lpString1="Green Bubbles.htm", lpString2="$Recycle.bin") returned 1 [0166.311] lstrcmpiW (lpString1="Green Bubbles.htm", lpString2="System Volume Information") returned -1 [0166.311] lstrcmpiW (lpString1="Green Bubbles.htm", lpString2=".") returned 1 [0166.311] lstrcmpiW (lpString1="Green Bubbles.htm", lpString2="..") returned 1 [0166.311] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Green Bubbles.htm") returned 86 [0166.311] lstrcmpW (lpString1="Green Bubbles.htm", lpString2="PUSSY.TXT") returned -1 [0166.311] PathFindExtensionW (pszPath="Green Bubbles.htm") returned=".htm" [0166.311] lstrlenW (lpString=".htm") returned 4 [0166.311] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0166.311] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Green Bubbles.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\green bubbles.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0166.312] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=237) returned 1 [0166.312] CloseHandle (hObject=0x1d8) returned 1 [0166.312] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x64c3520, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x64c3520, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xaa436a95, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1906, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="GreenBubbles.jpg", cAlternateFileName="GREENB~1.JPG")) returned 1 [0166.312] lstrcmpiW (lpString1="GreenBubbles.jpg", lpString2="Windows") returned -1 [0166.312] lstrcmpiW (lpString1="GreenBubbles.jpg", lpString2="Program Files") returned -1 [0166.313] lstrcmpiW (lpString1="GreenBubbles.jpg", lpString2="Program Files (x86)") returned -1 [0166.313] lstrcmpiW (lpString1="GreenBubbles.jpg", lpString2="$Recycle.bin") returned 1 [0166.313] lstrcmpiW (lpString1="GreenBubbles.jpg", lpString2="System Volume Information") returned -1 [0166.313] lstrcmpiW (lpString1="GreenBubbles.jpg", lpString2=".") returned 1 [0166.313] lstrcmpiW (lpString1="GreenBubbles.jpg", lpString2="..") returned 1 [0166.313] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg") returned 85 [0166.313] lstrcmpW (lpString1="GreenBubbles.jpg", lpString2="PUSSY.TXT") returned -1 [0166.313] PathFindExtensionW (pszPath="GreenBubbles.jpg") returned=".jpg" [0166.313] lstrlenW (lpString=".jpg") returned 4 [0166.313] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0166.313] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\greenbubbles.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0166.314] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=6406) returned 1 [0166.314] GetProcessHeap () returned 0x4c0000 [0166.314] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0166.330] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="4B") returned 2 [0166.330] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="9B") returned 2 [0166.330] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="8C") returned 2 [0166.330] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="E5") returned 2 [0166.330] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="D2") returned 2 [0166.330] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="A5") returned 2 [0166.330] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="64") returned 2 [0166.330] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="1B") returned 2 [0166.330] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="10") returned 2 [0166.330] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="1C") returned 2 [0166.330] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="98") returned 2 [0166.330] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="8E") returned 2 [0166.330] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="EB") returned 2 [0166.330] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="39") returned 2 [0166.330] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="59") returned 2 [0166.330] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="E3") returned 2 [0166.330] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="08") returned 2 [0166.330] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="BE") returned 2 [0166.330] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="6C") returned 2 [0166.330] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="E3") returned 2 [0166.330] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="C8") returned 2 [0166.330] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="5B") returned 2 [0166.330] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="F7") returned 2 [0166.330] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="A8") returned 2 [0166.330] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="45") returned 2 [0166.330] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="B3") returned 2 [0166.331] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="07") returned 2 [0166.331] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="3B") returned 2 [0166.331] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="E9") returned 2 [0166.331] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="68") returned 2 [0166.331] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="F8") returned 2 [0166.331] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="55") returned 2 [0166.342] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg" [0166.342] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg" [0166.342] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg", lpString2=".4B9B8CE5D2A5641B101C988EEB3959E308BE6CE3C85BF7A845B3073BE968F855" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg.4B9B8CE5D2A5641B101C988EEB3959E308BE6CE3C85BF7A845B3073BE968F855") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg.4B9B8CE5D2A5641B101C988EEB3959E308BE6CE3C85BF7A845B3073BE968F855" [0166.343] CreateIoCompletionPort (FileHandle=0x1d8, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0166.343] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0166.343] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x64c3520, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x64c3520, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xce0bd9df, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xeb, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Hand Prints.htm", cAlternateFileName="HANDPR~1.HTM")) returned 1 [0166.343] lstrcmpiW (lpString1="Hand Prints.htm", lpString2="Windows") returned -1 [0166.343] lstrcmpiW (lpString1="Hand Prints.htm", lpString2="Program Files") returned -1 [0166.343] lstrcmpiW (lpString1="Hand Prints.htm", lpString2="Program Files (x86)") returned -1 [0166.343] lstrcmpiW (lpString1="Hand Prints.htm", lpString2="$Recycle.bin") returned 1 [0166.343] lstrcmpiW (lpString1="Hand Prints.htm", lpString2="System Volume Information") returned -1 [0166.344] lstrcmpiW (lpString1="Hand Prints.htm", lpString2=".") returned 1 [0166.344] lstrcmpiW (lpString1="Hand Prints.htm", lpString2="..") returned 1 [0166.344] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Hand Prints.htm") returned 84 [0166.344] lstrcmpW (lpString1="Hand Prints.htm", lpString2="PUSSY.TXT") returned -1 [0166.344] PathFindExtensionW (pszPath="Hand Prints.htm") returned=".htm" [0166.344] lstrlenW (lpString=".htm") returned 4 [0166.344] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0166.344] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Hand Prints.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\hand prints.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0166.345] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=235) returned 1 [0166.345] CloseHandle (hObject=0x194) returned 1 [0166.345] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x64c3520, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x64c3520, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xaa45cbf3, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x107e, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="HandPrints.jpg", cAlternateFileName="HANDPR~1.JPG")) returned 1 [0166.345] lstrcmpiW (lpString1="HandPrints.jpg", lpString2="Windows") returned -1 [0166.345] lstrcmpiW (lpString1="HandPrints.jpg", lpString2="Program Files") returned -1 [0166.345] lstrcmpiW (lpString1="HandPrints.jpg", lpString2="Program Files (x86)") returned -1 [0166.345] lstrcmpiW (lpString1="HandPrints.jpg", lpString2="$Recycle.bin") returned 1 [0166.345] lstrcmpiW (lpString1="HandPrints.jpg", lpString2="System Volume Information") returned -1 [0166.345] lstrcmpiW (lpString1="HandPrints.jpg", lpString2=".") returned 1 [0166.345] lstrcmpiW (lpString1="HandPrints.jpg", lpString2="..") returned 1 [0166.345] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg") returned 83 [0166.345] lstrcmpW (lpString1="HandPrints.jpg", lpString2="PUSSY.TXT") returned -1 [0166.345] PathFindExtensionW (pszPath="HandPrints.jpg") returned=".jpg" [0166.345] lstrlenW (lpString=".jpg") returned 4 [0166.345] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0166.346] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\handprints.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x194 [0166.346] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=4222) returned 1 [0166.346] GetProcessHeap () returned 0x4c0000 [0166.346] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52aad8 [0166.358] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="5E") returned 2 [0166.359] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="C2") returned 2 [0166.359] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="76") returned 2 [0166.359] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="64") returned 2 [0166.359] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="72") returned 2 [0166.359] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="81") returned 2 [0166.359] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="10") returned 2 [0166.359] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="91") returned 2 [0166.359] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="9B") returned 2 [0166.359] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="02") returned 2 [0166.359] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="04") returned 2 [0166.359] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="A6") returned 2 [0166.359] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="B8") returned 2 [0166.359] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="58") returned 2 [0166.359] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="C4") returned 2 [0166.359] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="7D") returned 2 [0166.359] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="BA") returned 2 [0166.359] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="A0") returned 2 [0166.359] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="5E") returned 2 [0166.359] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="47") returned 2 [0166.359] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="4C") returned 2 [0166.359] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="FF") returned 2 [0166.359] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="61") returned 2 [0166.359] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="E2") returned 2 [0166.359] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="CF") returned 2 [0166.359] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="6C") returned 2 [0166.359] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="1D") returned 2 [0166.360] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="AB") returned 2 [0166.360] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="4B") returned 2 [0166.360] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="1F") returned 2 [0166.360] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="9D") returned 2 [0166.360] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="37") returned 2 [0166.368] lstrcpyW (in: lpString1=0x53ab0c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg" [0166.368] lstrcpyW (in: lpString1=0x52ab0c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg" [0166.368] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg", lpString2=".5EC27664728110919B0204A6B858C47DBAA05E474CFF61E2CF6C1DAB4B1F9D37" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg.5EC27664728110919B0204A6B858C47DBAA05E474CFF61E2CF6C1DAB4B1F9D37") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg.5EC27664728110919B0204A6B858C47DBAA05E474CFF61E2CF6C1DAB4B1F9D37" [0166.368] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0x94, CompletionKey=0x52aad8, NumberOfConcurrentThreads=0x0) returned 0x94 [0166.368] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52aad8, lpOverlapped=0x52aad8) returned 1 [0166.369] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x64c3520, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x64c3520, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xce0e3b3c, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xed, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Orange Circles.htm", cAlternateFileName="ORANGE~1.HTM")) returned 1 [0166.369] lstrcmpiW (lpString1="Orange Circles.htm", lpString2="Windows") returned -1 [0166.369] lstrcmpiW (lpString1="Orange Circles.htm", lpString2="Program Files") returned -1 [0166.369] lstrcmpiW (lpString1="Orange Circles.htm", lpString2="Program Files (x86)") returned -1 [0166.369] lstrcmpiW (lpString1="Orange Circles.htm", lpString2="$Recycle.bin") returned 1 [0166.369] lstrcmpiW (lpString1="Orange Circles.htm", lpString2="System Volume Information") returned -1 [0166.369] lstrcmpiW (lpString1="Orange Circles.htm", lpString2=".") returned 1 [0166.369] lstrcmpiW (lpString1="Orange Circles.htm", lpString2="..") returned 1 [0166.369] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Orange Circles.htm") returned 87 [0166.369] lstrcmpW (lpString1="Orange Circles.htm", lpString2="PUSSY.TXT") returned -1 [0166.369] PathFindExtensionW (pszPath="Orange Circles.htm") returned=".htm" [0166.369] lstrlenW (lpString=".htm") returned 4 [0166.370] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0166.370] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Orange Circles.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\orange circles.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0166.370] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=237) returned 1 [0166.370] CloseHandle (hObject=0x178) returned 1 [0166.371] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x649d3c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x649d3c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xaa4cf00d, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x18ed, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="OrangeCircles.jpg", cAlternateFileName="ORANGE~1.JPG")) returned 1 [0166.371] lstrcmpiW (lpString1="OrangeCircles.jpg", lpString2="Windows") returned -1 [0166.371] lstrcmpiW (lpString1="OrangeCircles.jpg", lpString2="Program Files") returned -1 [0166.371] lstrcmpiW (lpString1="OrangeCircles.jpg", lpString2="Program Files (x86)") returned -1 [0166.371] lstrcmpiW (lpString1="OrangeCircles.jpg", lpString2="$Recycle.bin") returned 1 [0166.371] lstrcmpiW (lpString1="OrangeCircles.jpg", lpString2="System Volume Information") returned -1 [0166.371] lstrcmpiW (lpString1="OrangeCircles.jpg", lpString2=".") returned 1 [0166.371] lstrcmpiW (lpString1="OrangeCircles.jpg", lpString2="..") returned 1 [0166.371] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg") returned 86 [0166.371] lstrcmpW (lpString1="OrangeCircles.jpg", lpString2="PUSSY.TXT") returned -1 [0166.371] PathFindExtensionW (pszPath="OrangeCircles.jpg") returned=".jpg" [0166.371] lstrlenW (lpString=".jpg") returned 4 [0166.371] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0166.371] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\orangecircles.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0166.390] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=6381) returned 1 [0166.390] GetProcessHeap () returned 0x4c0000 [0166.390] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x552b28 [0166.400] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="D9") returned 2 [0166.400] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="84") returned 2 [0166.400] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="C8") returned 2 [0166.400] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="9F") returned 2 [0166.400] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="19") returned 2 [0166.400] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="ED") returned 2 [0166.400] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="F9") returned 2 [0166.400] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="9C") returned 2 [0166.400] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="EF") returned 2 [0166.400] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="3E") returned 2 [0166.400] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="19") returned 2 [0166.400] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="A6") returned 2 [0166.400] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="C2") returned 2 [0166.400] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="72") returned 2 [0166.400] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="56") returned 2 [0166.400] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="02") returned 2 [0166.400] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="50") returned 2 [0166.400] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="BD") returned 2 [0166.400] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="45") returned 2 [0166.400] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="C7") returned 2 [0166.400] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="55") returned 2 [0166.400] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="3D") returned 2 [0166.400] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="84") returned 2 [0166.400] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="55") returned 2 [0166.400] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="BC") returned 2 [0166.400] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="37") returned 2 [0166.401] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="3B") returned 2 [0166.401] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="12") returned 2 [0166.401] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="F5") returned 2 [0166.401] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="BF") returned 2 [0166.401] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="33") returned 2 [0166.401] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="4A") returned 2 [0166.421] lstrcpyW (in: lpString1=0x562b5c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg" [0166.421] lstrcpyW (in: lpString1=0x552b5c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg" [0166.421] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg", lpString2=".D984C89F19EDF99CEF3E19A6C272560250BD45C7553D8455BC373B12F5BF334A" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg.D984C89F19EDF99CEF3E19A6C272560250BD45C7553D8455BC373B12F5BF334A") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg.D984C89F19EDF99CEF3E19A6C272560250BD45C7553D8455BC373B12F5BF334A" [0166.421] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x552b28, NumberOfConcurrentThreads=0x0) returned 0x94 [0166.421] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x552b28, lpOverlapped=0x552b28) returned 1 [0166.422] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x649d3c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x649d3c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xce109c99, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xe8, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Peacock.htm", cAlternateFileName="")) returned 1 [0166.422] lstrcmpiW (lpString1="Peacock.htm", lpString2="Windows") returned -1 [0166.422] lstrcmpiW (lpString1="Peacock.htm", lpString2="Program Files") returned -1 [0166.422] lstrcmpiW (lpString1="Peacock.htm", lpString2="Program Files (x86)") returned -1 [0166.422] lstrcmpiW (lpString1="Peacock.htm", lpString2="$Recycle.bin") returned 1 [0166.422] lstrcmpiW (lpString1="Peacock.htm", lpString2="System Volume Information") returned -1 [0166.422] lstrcmpiW (lpString1="Peacock.htm", lpString2=".") returned 1 [0166.422] lstrcmpiW (lpString1="Peacock.htm", lpString2="..") returned 1 [0166.422] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.htm") returned 80 [0166.422] lstrcmpW (lpString1="Peacock.htm", lpString2="PUSSY.TXT") returned -1 [0166.422] PathFindExtensionW (pszPath="Peacock.htm") returned=".htm" [0166.422] lstrlenW (lpString=".htm") returned 4 [0166.422] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0166.422] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\peacock.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d4 [0166.423] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=232) returned 1 [0166.423] CloseHandle (hObject=0x1d4) returned 1 [0166.423] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x649d3c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x649d3c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xaa51b2c9, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x13fb, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Peacock.jpg", cAlternateFileName="")) returned 1 [0166.423] lstrcmpiW (lpString1="Peacock.jpg", lpString2="Windows") returned -1 [0166.423] lstrcmpiW (lpString1="Peacock.jpg", lpString2="Program Files") returned -1 [0166.423] lstrcmpiW (lpString1="Peacock.jpg", lpString2="Program Files (x86)") returned -1 [0166.423] lstrcmpiW (lpString1="Peacock.jpg", lpString2="$Recycle.bin") returned 1 [0166.423] lstrcmpiW (lpString1="Peacock.jpg", lpString2="System Volume Information") returned -1 [0166.424] lstrcmpiW (lpString1="Peacock.jpg", lpString2=".") returned 1 [0166.424] lstrcmpiW (lpString1="Peacock.jpg", lpString2="..") returned 1 [0166.424] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg") returned 80 [0166.424] lstrcmpW (lpString1="Peacock.jpg", lpString2="PUSSY.TXT") returned -1 [0166.424] PathFindExtensionW (pszPath="Peacock.jpg") returned=".jpg" [0166.424] lstrlenW (lpString=".jpg") returned 4 [0166.424] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0166.424] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\peacock.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d4 [0166.424] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=5115) returned 1 [0166.425] GetProcessHeap () returned 0x4c0000 [0166.425] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c28098 [0166.435] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="59") returned 2 [0166.435] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="18") returned 2 [0166.435] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="CE") returned 2 [0166.435] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="3F") returned 2 [0166.435] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="C2") returned 2 [0166.435] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="AF") returned 2 [0166.435] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="3C") returned 2 [0166.435] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="AD") returned 2 [0166.435] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="FC") returned 2 [0166.435] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="85") returned 2 [0166.435] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="21") returned 2 [0166.435] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="A5") returned 2 [0166.435] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="8C") returned 2 [0166.435] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="69") returned 2 [0166.435] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="18") returned 2 [0166.435] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="27") returned 2 [0166.435] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="A2") returned 2 [0166.435] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="22") returned 2 [0166.435] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="00") returned 2 [0166.435] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="23") returned 2 [0166.435] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="52") returned 2 [0166.435] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="38") returned 2 [0166.435] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="0A") returned 2 [0166.435] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="DC") returned 2 [0166.436] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="F2") returned 2 [0166.436] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="EF") returned 2 [0166.436] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="E6") returned 2 [0166.436] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="1A") returned 2 [0166.436] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="37") returned 2 [0166.436] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="B9") returned 2 [0166.436] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="5D") returned 2 [0166.436] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="41") returned 2 [0166.444] lstrcpyW (in: lpString1=0x3c380cc, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg" [0166.444] lstrcpyW (in: lpString1=0x3c280cc, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg" [0166.444] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg", lpString2=".5918CE3FC2AF3CADFC8521A58C691827A222002352380ADCF2EFE61A37B95D41" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg.5918CE3FC2AF3CADFC8521A58C691827A222002352380ADCF2EFE61A37B95D41") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg.5918CE3FC2AF3CADFC8521A58C691827A222002352380ADCF2EFE61A37B95D41" [0166.444] CreateIoCompletionPort (FileHandle=0x1d4, ExistingCompletionPort=0x94, CompletionKey=0x3c28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0166.444] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c28098, lpOverlapped=0x3c28098) returned 1 [0166.445] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x649d3c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x649d3c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xce12fdf6, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xe9, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Roses.htm", cAlternateFileName="")) returned 1 [0166.445] lstrcmpiW (lpString1="Roses.htm", lpString2="Windows") returned -1 [0166.445] lstrcmpiW (lpString1="Roses.htm", lpString2="Program Files") returned 1 [0166.445] lstrcmpiW (lpString1="Roses.htm", lpString2="Program Files (x86)") returned 1 [0166.445] lstrcmpiW (lpString1="Roses.htm", lpString2="$Recycle.bin") returned 1 [0166.445] lstrcmpiW (lpString1="Roses.htm", lpString2="System Volume Information") returned -1 [0166.445] lstrcmpiW (lpString1="Roses.htm", lpString2=".") returned 1 [0166.445] lstrcmpiW (lpString1="Roses.htm", lpString2="..") returned 1 [0166.445] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.htm") returned 78 [0166.445] lstrcmpW (lpString1="Roses.htm", lpString2="PUSSY.TXT") returned 1 [0166.445] PathFindExtensionW (pszPath="Roses.htm") returned=".htm" [0166.445] lstrlenW (lpString=".htm") returned 4 [0166.445] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0166.445] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\roses.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1c0 [0166.446] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=233) returned 1 [0166.446] CloseHandle (hObject=0x1c0) returned 1 [0166.446] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x649d3c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x649d3c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xaa567585, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x780, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Roses.jpg", cAlternateFileName="")) returned 1 [0166.446] lstrcmpiW (lpString1="Roses.jpg", lpString2="Windows") returned -1 [0166.446] lstrcmpiW (lpString1="Roses.jpg", lpString2="Program Files") returned 1 [0166.446] lstrcmpiW (lpString1="Roses.jpg", lpString2="Program Files (x86)") returned 1 [0166.446] lstrcmpiW (lpString1="Roses.jpg", lpString2="$Recycle.bin") returned 1 [0166.447] lstrcmpiW (lpString1="Roses.jpg", lpString2="System Volume Information") returned -1 [0166.447] lstrcmpiW (lpString1="Roses.jpg", lpString2=".") returned 1 [0166.447] lstrcmpiW (lpString1="Roses.jpg", lpString2="..") returned 1 [0166.447] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg") returned 78 [0166.447] lstrcmpW (lpString1="Roses.jpg", lpString2="PUSSY.TXT") returned 1 [0166.447] PathFindExtensionW (pszPath="Roses.jpg") returned=".jpg" [0166.447] lstrlenW (lpString=".jpg") returned 4 [0166.447] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0166.447] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\roses.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1c0 [0166.447] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=1920) returned 1 [0166.448] GetProcessHeap () returned 0x4c0000 [0166.448] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c9a148 [0166.459] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="B1") returned 2 [0166.459] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="33") returned 2 [0166.459] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="D5") returned 2 [0166.459] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="4F") returned 2 [0166.459] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="9F") returned 2 [0166.459] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="14") returned 2 [0166.459] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="E5") returned 2 [0166.459] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="5D") returned 2 [0166.459] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="54") returned 2 [0166.459] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="6A") returned 2 [0166.459] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="22") returned 2 [0166.459] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="6C") returned 2 [0166.459] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="E0") returned 2 [0166.459] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="4F") returned 2 [0166.460] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="22") returned 2 [0166.460] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="5B") returned 2 [0166.460] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="88") returned 2 [0166.460] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="86") returned 2 [0166.460] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="EC") returned 2 [0166.460] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="63") returned 2 [0166.460] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="99") returned 2 [0166.460] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="33") returned 2 [0166.460] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="DB") returned 2 [0166.460] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="9D") returned 2 [0166.460] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="54") returned 2 [0166.460] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="C6") returned 2 [0166.460] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="78") returned 2 [0166.460] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="C6") returned 2 [0166.460] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="EA") returned 2 [0166.460] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="25") returned 2 [0166.460] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="67") returned 2 [0166.460] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="1F") returned 2 [0166.483] lstrcpyW (in: lpString1=0x3caa17c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg" [0166.483] lstrcpyW (in: lpString1=0x3c9a17c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg" [0166.483] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg", lpString2=".B133D54F9F14E55D546A226CE04F225B8886EC639933DB9D54C678C6EA25671F" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg.B133D54F9F14E55D546A226CE04F225B8886EC639933DB9D54C678C6EA25671F") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg.B133D54F9F14E55D546A226CE04F225B8886EC639933DB9D54C678C6EA25671F" [0166.483] CreateIoCompletionPort (FileHandle=0x1c0, ExistingCompletionPort=0x94, CompletionKey=0x3c9a148, NumberOfConcurrentThreads=0x0) returned 0x94 [0166.483] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c9a148, lpOverlapped=0x3c9a148) returned 1 [0166.484] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x64c3520, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x64c3520, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xce17c0b0, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xed, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Shades of Blue.htm", cAlternateFileName="SHADES~1.HTM")) returned 1 [0166.484] lstrcmpiW (lpString1="Shades of Blue.htm", lpString2="Windows") returned -1 [0166.484] lstrcmpiW (lpString1="Shades of Blue.htm", lpString2="Program Files") returned 1 [0166.484] lstrcmpiW (lpString1="Shades of Blue.htm", lpString2="Program Files (x86)") returned 1 [0166.484] lstrcmpiW (lpString1="Shades of Blue.htm", lpString2="$Recycle.bin") returned 1 [0166.484] lstrcmpiW (lpString1="Shades of Blue.htm", lpString2="System Volume Information") returned -1 [0166.484] lstrcmpiW (lpString1="Shades of Blue.htm", lpString2=".") returned 1 [0166.484] lstrcmpiW (lpString1="Shades of Blue.htm", lpString2="..") returned 1 [0166.484] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Shades of Blue.htm") returned 87 [0166.484] lstrcmpW (lpString1="Shades of Blue.htm", lpString2="PUSSY.TXT") returned 1 [0166.484] PathFindExtensionW (pszPath="Shades of Blue.htm") returned=".htm" [0166.484] lstrlenW (lpString=".htm") returned 4 [0166.484] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0166.484] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Shades of Blue.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\shades of blue.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xec [0166.485] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=237) returned 1 [0166.485] CloseHandle (hObject=0xec) returned 1 [0166.485] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x649d3c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x649d3c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xaa58d6e3, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x127e, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="ShadesOfBlue.jpg", cAlternateFileName="SHADES~1.JPG")) returned 1 [0166.485] lstrcmpiW (lpString1="ShadesOfBlue.jpg", lpString2="Windows") returned -1 [0166.485] lstrcmpiW (lpString1="ShadesOfBlue.jpg", lpString2="Program Files") returned 1 [0166.485] lstrcmpiW (lpString1="ShadesOfBlue.jpg", lpString2="Program Files (x86)") returned 1 [0166.485] lstrcmpiW (lpString1="ShadesOfBlue.jpg", lpString2="$Recycle.bin") returned 1 [0166.485] lstrcmpiW (lpString1="ShadesOfBlue.jpg", lpString2="System Volume Information") returned -1 [0166.485] lstrcmpiW (lpString1="ShadesOfBlue.jpg", lpString2=".") returned 1 [0166.485] lstrcmpiW (lpString1="ShadesOfBlue.jpg", lpString2="..") returned 1 [0166.486] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg") returned 85 [0166.486] lstrcmpW (lpString1="ShadesOfBlue.jpg", lpString2="PUSSY.TXT") returned 1 [0166.486] PathFindExtensionW (pszPath="ShadesOfBlue.jpg") returned=".jpg" [0166.486] lstrlenW (lpString=".jpg") returned 4 [0166.486] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0166.486] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\shadesofblue.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xec [0166.486] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=4734) returned 1 [0166.486] GetProcessHeap () returned 0x4c0000 [0166.486] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c720f8 [0166.498] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="4E") returned 2 [0166.498] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="5E") returned 2 [0166.498] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="81") returned 2 [0166.498] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="86") returned 2 [0166.498] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="BB") returned 2 [0166.498] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="87") returned 2 [0166.498] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="38") returned 2 [0166.498] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="07") returned 2 [0166.498] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="10") returned 2 [0166.498] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="2F") returned 2 [0166.498] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="F8") returned 2 [0166.498] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="EE") returned 2 [0166.498] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="0E") returned 2 [0166.498] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="83") returned 2 [0166.498] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="C4") returned 2 [0166.498] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="B7") returned 2 [0166.498] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="1C") returned 2 [0166.498] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="5D") returned 2 [0166.498] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="A0") returned 2 [0166.498] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="BA") returned 2 [0166.498] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="26") returned 2 [0166.498] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="CD") returned 2 [0166.499] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="1C") returned 2 [0166.499] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="F6") returned 2 [0166.499] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="01") returned 2 [0166.499] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="B2") returned 2 [0166.499] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="1F") returned 2 [0166.499] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="A7") returned 2 [0166.499] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="6B") returned 2 [0166.499] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="DB") returned 2 [0166.499] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="94") returned 2 [0166.499] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="79") returned 2 [0166.507] lstrcpyW (in: lpString1=0x3c8212c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg" [0166.507] lstrcpyW (in: lpString1=0x3c7212c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg" [0166.507] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg", lpString2=".4E5E8186BB873807102FF8EE0E83C4B71C5DA0BA26CD1CF601B21FA76BDB9479" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg.4E5E8186BB873807102FF8EE0E83C4B71C5DA0BA26CD1CF601B21FA76BDB9479") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg.4E5E8186BB873807102FF8EE0E83C4B71C5DA0BA26CD1CF601B21FA76BDB9479" [0166.507] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x94, CompletionKey=0x3c720f8, NumberOfConcurrentThreads=0x0) returned 0x94 [0166.507] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c720f8, lpOverlapped=0x3c720f8) returned 1 [0166.508] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6477260, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6477260, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xce1a220d, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xe8, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Soft Blue.htm", cAlternateFileName="SOFTBL~1.HTM")) returned 1 [0166.508] lstrcmpiW (lpString1="Soft Blue.htm", lpString2="Windows") returned -1 [0166.516] lstrcmpiW (lpString1="Soft Blue.htm", lpString2="Program Files") returned 1 [0166.516] lstrcmpiW (lpString1="Soft Blue.htm", lpString2="Program Files (x86)") returned 1 [0166.516] lstrcmpiW (lpString1="Soft Blue.htm", lpString2="$Recycle.bin") returned 1 [0166.516] lstrcmpiW (lpString1="Soft Blue.htm", lpString2="System Volume Information") returned -1 [0166.516] lstrcmpiW (lpString1="Soft Blue.htm", lpString2=".") returned 1 [0166.516] lstrcmpiW (lpString1="Soft Blue.htm", lpString2="..") returned 1 [0166.517] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Soft Blue.htm") returned 82 [0166.517] lstrcmpW (lpString1="Soft Blue.htm", lpString2="PUSSY.TXT") returned 1 [0166.517] PathFindExtensionW (pszPath="Soft Blue.htm") returned=".htm" [0166.517] lstrlenW (lpString=".htm") returned 4 [0166.517] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0166.517] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Soft Blue.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\soft blue.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0166.518] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=232) returned 1 [0166.518] CloseHandle (hObject=0x1b8) returned 1 [0166.518] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x64e9680, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x64e9680, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xaa5b3841, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2949, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="SoftBlue.jpg", cAlternateFileName="")) returned 1 [0166.518] lstrcmpiW (lpString1="SoftBlue.jpg", lpString2="Windows") returned -1 [0166.518] lstrcmpiW (lpString1="SoftBlue.jpg", lpString2="Program Files") returned 1 [0166.518] lstrcmpiW (lpString1="SoftBlue.jpg", lpString2="Program Files (x86)") returned 1 [0166.518] lstrcmpiW (lpString1="SoftBlue.jpg", lpString2="$Recycle.bin") returned 1 [0166.518] lstrcmpiW (lpString1="SoftBlue.jpg", lpString2="System Volume Information") returned -1 [0166.518] lstrcmpiW (lpString1="SoftBlue.jpg", lpString2=".") returned 1 [0166.518] lstrcmpiW (lpString1="SoftBlue.jpg", lpString2="..") returned 1 [0166.518] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg") returned 81 [0166.518] lstrcmpW (lpString1="SoftBlue.jpg", lpString2="PUSSY.TXT") returned 1 [0166.518] PathFindExtensionW (pszPath="SoftBlue.jpg") returned=".jpg" [0166.518] lstrlenW (lpString=".jpg") returned 4 [0166.518] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0166.518] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\softblue.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0166.519] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=10569) returned 1 [0166.519] GetProcessHeap () returned 0x4c0000 [0166.519] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b28068 [0166.530] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="F9") returned 2 [0166.530] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="4C") returned 2 [0166.530] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="B1") returned 2 [0166.530] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="2F") returned 2 [0166.530] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="21") returned 2 [0166.530] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="8A") returned 2 [0166.530] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="E6") returned 2 [0166.530] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="29") returned 2 [0166.530] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="51") returned 2 [0166.530] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="5E") returned 2 [0166.530] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="91") returned 2 [0166.530] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="57") returned 2 [0166.530] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="E8") returned 2 [0166.530] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="DD") returned 2 [0166.530] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="73") returned 2 [0166.530] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="A8") returned 2 [0166.530] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="69") returned 2 [0166.530] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="64") returned 2 [0166.530] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="24") returned 2 [0166.530] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="7C") returned 2 [0166.530] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="F4") returned 2 [0166.530] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="34") returned 2 [0166.530] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="DA") returned 2 [0166.531] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="E7") returned 2 [0166.531] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="6F") returned 2 [0166.531] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="3F") returned 2 [0166.531] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="F3") returned 2 [0166.531] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="CF") returned 2 [0166.531] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="D3") returned 2 [0166.531] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="A6") returned 2 [0166.531] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="84") returned 2 [0166.531] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="16") returned 2 [0166.539] lstrcpyW (in: lpString1=0x3b3809c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg" [0166.539] lstrcpyW (in: lpString1=0x3b2809c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg" [0166.539] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg", lpString2=".F94CB12F218AE629515E9157E8DD73A86964247CF434DAE76F3FF3CFD3A68416" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg.F94CB12F218AE629515E9157E8DD73A86964247CF434DAE76F3FF3CFD3A68416") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg.F94CB12F218AE629515E9157E8DD73A86964247CF434DAE76F3FF3CFD3A68416" [0166.539] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x3b28068, NumberOfConcurrentThreads=0x0) returned 0x94 [0166.539] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b28068, lpOverlapped=0x3b28068) returned 1 [0166.561] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x649d3c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x649d3c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xce1c836a, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xe6, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Stars.htm", cAlternateFileName="")) returned 1 [0166.561] lstrcmpiW (lpString1="Stars.htm", lpString2="Windows") returned -1 [0166.561] lstrcmpiW (lpString1="Stars.htm", lpString2="Program Files") returned 1 [0166.561] lstrcmpiW (lpString1="Stars.htm", lpString2="Program Files (x86)") returned 1 [0166.561] lstrcmpiW (lpString1="Stars.htm", lpString2="$Recycle.bin") returned 1 [0166.561] lstrcmpiW (lpString1="Stars.htm", lpString2="System Volume Information") returned -1 [0166.561] lstrcmpiW (lpString1="Stars.htm", lpString2=".") returned 1 [0166.561] lstrcmpiW (lpString1="Stars.htm", lpString2="..") returned 1 [0166.561] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.htm") returned 78 [0166.561] lstrcmpW (lpString1="Stars.htm", lpString2="PUSSY.TXT") returned 1 [0166.561] PathFindExtensionW (pszPath="Stars.htm") returned=".htm" [0166.561] lstrlenW (lpString=".htm") returned 4 [0166.561] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0166.561] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\stars.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xec [0166.595] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=230) returned 1 [0166.595] CloseHandle (hObject=0xec) returned 1 [0166.595] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6477260, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6477260, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xaa5ffafd, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1d51, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Stars.jpg", cAlternateFileName="")) returned 1 [0166.595] lstrcmpiW (lpString1="Stars.jpg", lpString2="Windows") returned -1 [0166.595] lstrcmpiW (lpString1="Stars.jpg", lpString2="Program Files") returned 1 [0166.595] lstrcmpiW (lpString1="Stars.jpg", lpString2="Program Files (x86)") returned 1 [0166.595] lstrcmpiW (lpString1="Stars.jpg", lpString2="$Recycle.bin") returned 1 [0166.595] lstrcmpiW (lpString1="Stars.jpg", lpString2="System Volume Information") returned -1 [0166.595] lstrcmpiW (lpString1="Stars.jpg", lpString2=".") returned 1 [0166.595] lstrcmpiW (lpString1="Stars.jpg", lpString2="..") returned 1 [0166.596] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg") returned 78 [0166.596] lstrcmpW (lpString1="Stars.jpg", lpString2="PUSSY.TXT") returned 1 [0166.596] PathFindExtensionW (pszPath="Stars.jpg") returned=".jpg" [0166.596] lstrlenW (lpString=".jpg") returned 4 [0166.596] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0166.596] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\stars.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xec [0166.596] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=7505) returned 1 [0166.596] GetProcessHeap () returned 0x4c0000 [0166.596] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0166.609] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="85") returned 2 [0166.609] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="72") returned 2 [0166.609] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="66") returned 2 [0166.609] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="0F") returned 2 [0166.609] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="40") returned 2 [0166.609] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="3D") returned 2 [0166.609] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="13") returned 2 [0166.609] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="D9") returned 2 [0166.609] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="56") returned 2 [0166.609] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="98") returned 2 [0166.609] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="82") returned 2 [0166.610] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="50") returned 2 [0166.610] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="CE") returned 2 [0166.610] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="83") returned 2 [0166.610] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="A5") returned 2 [0166.610] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="C1") returned 2 [0166.610] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="8D") returned 2 [0166.610] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="4D") returned 2 [0166.610] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="20") returned 2 [0166.610] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="81") returned 2 [0166.610] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="70") returned 2 [0166.610] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="55") returned 2 [0166.610] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="F5") returned 2 [0166.610] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="9F") returned 2 [0166.610] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="E9") returned 2 [0166.610] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="F4") returned 2 [0166.610] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="CA") returned 2 [0166.610] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="19") returned 2 [0166.610] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="5E") returned 2 [0166.610] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="3D") returned 2 [0166.610] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="B2") returned 2 [0166.610] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="5F") returned 2 [0166.623] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg" [0166.623] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg" [0166.623] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg", lpString2=".8572660F403D13D956988250CE83A5C18D4D20817055F59FE9F4CA195E3DB25F" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg.8572660F403D13D956988250CE83A5C18D4D20817055F59FE9F4CA195E3DB25F") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg.8572660F403D13D956988250CE83A5C18D4D20817055F59FE9F4CA195E3DB25F" [0166.623] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0166.623] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0166.623] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6477260, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6477260, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xaa5ffafd, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1d51, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Stars.jpg", cAlternateFileName="")) returned 0 [0166.623] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0166.631] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\PUSSY.TXT") returned 78 [0166.631] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x128 [0166.632] lstrlenA (lpString="abcd") returned 4 [0166.632] WriteFile (in: hFile=0x128, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0166.634] CloseHandle (hObject=0x128) returned 1 [0166.634] GetProcessHeap () returned 0x4c0000 [0166.634] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c600f0 | out: hHeap=0x4c0000) returned 1 [0166.634] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6451100, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd7b05332, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x204000, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName="WindowsMail.MSMessageStore", cAlternateFileName="WINDOW~1.MSM")) returned 1 [0166.634] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2="Windows") returned 1 [0166.634] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2="Program Files") returned 1 [0166.634] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2="Program Files (x86)") returned 1 [0166.634] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2="$Recycle.bin") returned 1 [0166.634] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2="System Volume Information") returned 1 [0166.634] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2=".") returned 1 [0166.634] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2="..") returned 1 [0166.634] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore") returned 84 [0166.634] lstrcmpW (lpString1="WindowsMail.MSMessageStore", lpString2="PUSSY.TXT") returned 1 [0166.634] PathFindExtensionW (pszPath="WindowsMail.MSMessageStore") returned=".MSMessageStore" [0166.634] lstrlenW (lpString=".MSMessageStore") returned 15 [0166.634] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0166.634] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\windowsmail.msmessagestore"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x128 [0166.635] GetFileSizeEx (in: hFile=0x128, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=2113536) returned 1 [0166.635] GetProcessHeap () returned 0x4c0000 [0166.635] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c28098 [0166.650] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="06") returned 2 [0166.650] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="F1") returned 2 [0166.650] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="0B") returned 2 [0166.650] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="DA") returned 2 [0166.650] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="AC") returned 2 [0166.650] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="9D") returned 2 [0166.650] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="C1") returned 2 [0166.650] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="CF") returned 2 [0166.650] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="9C") returned 2 [0166.650] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="A3") returned 2 [0166.650] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="2E") returned 2 [0166.650] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="03") returned 2 [0166.651] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="AD") returned 2 [0166.651] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="D5") returned 2 [0166.651] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="68") returned 2 [0166.651] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="BC") returned 2 [0166.651] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="DB") returned 2 [0166.651] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="03") returned 2 [0166.651] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="FE") returned 2 [0166.651] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="E4") returned 2 [0166.651] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="9F") returned 2 [0166.651] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="BA") returned 2 [0166.651] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="38") returned 2 [0166.651] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="21") returned 2 [0166.651] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="60") returned 2 [0166.651] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="D0") returned 2 [0166.651] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="79") returned 2 [0166.651] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="64") returned 2 [0166.651] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="46") returned 2 [0166.651] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="A0") returned 2 [0166.651] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="F2") returned 2 [0166.651] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="0C") returned 2 [0166.664] lstrcpyW (in: lpString1=0x3c380cc, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore" [0166.664] lstrcpyW (in: lpString1=0x3c280cc, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore" [0166.664] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore", lpString2=".06F10BDAAC9DC1CF9CA32E03ADD568BCDB03FEE49FBA382160D0796446A0F20C" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore.06F10BDAAC9DC1CF9CA32E03ADD568BCDB03FEE49FBA382160D0796446A0F20C") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore.06F10BDAAC9DC1CF9CA32E03ADD568BCDB03FEE49FBA382160D0796446A0F20C" [0166.664] CreateIoCompletionPort (FileHandle=0x128, ExistingCompletionPort=0x94, CompletionKey=0x3c28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0166.664] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c28098, lpOverlapped=0x3c28098) returned 1 [0166.664] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6451100, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2e234eb, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName="WindowsMail.pat", cAlternateFileName="WINDOW~1.PAT")) returned 1 [0166.664] lstrcmpiW (lpString1="WindowsMail.pat", lpString2="Windows") returned 1 [0166.664] lstrcmpiW (lpString1="WindowsMail.pat", lpString2="Program Files") returned 1 [0166.664] lstrcmpiW (lpString1="WindowsMail.pat", lpString2="Program Files (x86)") returned 1 [0166.664] lstrcmpiW (lpString1="WindowsMail.pat", lpString2="$Recycle.bin") returned 1 [0166.664] lstrcmpiW (lpString1="WindowsMail.pat", lpString2="System Volume Information") returned 1 [0166.664] lstrcmpiW (lpString1="WindowsMail.pat", lpString2=".") returned 1 [0166.664] lstrcmpiW (lpString1="WindowsMail.pat", lpString2="..") returned 1 [0166.664] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat") returned 73 [0166.664] lstrcmpW (lpString1="WindowsMail.pat", lpString2="PUSSY.TXT") returned 1 [0166.664] PathFindExtensionW (pszPath="WindowsMail.pat") returned=".pat" [0166.664] lstrlenW (lpString=".pat") returned 4 [0166.664] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0166.665] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\windowsmail.pat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0166.665] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=16384) returned 1 [0166.666] GetProcessHeap () returned 0x4c0000 [0166.666] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c720f8 [0166.680] wsprintfW (in: param_1=0x28c446, param_2="%02X" | out: param_1="C3") returned 2 [0166.680] wsprintfW (in: param_1=0x28c44a, param_2="%02X" | out: param_1="FD") returned 2 [0166.680] wsprintfW (in: param_1=0x28c44e, param_2="%02X" | out: param_1="89") returned 2 [0166.680] wsprintfW (in: param_1=0x28c452, param_2="%02X" | out: param_1="E7") returned 2 [0166.680] wsprintfW (in: param_1=0x28c456, param_2="%02X" | out: param_1="A2") returned 2 [0166.680] wsprintfW (in: param_1=0x28c45a, param_2="%02X" | out: param_1="99") returned 2 [0166.680] wsprintfW (in: param_1=0x28c45e, param_2="%02X" | out: param_1="F2") returned 2 [0166.680] wsprintfW (in: param_1=0x28c462, param_2="%02X" | out: param_1="BD") returned 2 [0166.680] wsprintfW (in: param_1=0x28c466, param_2="%02X" | out: param_1="E4") returned 2 [0166.680] wsprintfW (in: param_1=0x28c46a, param_2="%02X" | out: param_1="C2") returned 2 [0166.680] wsprintfW (in: param_1=0x28c46e, param_2="%02X" | out: param_1="6A") returned 2 [0166.681] wsprintfW (in: param_1=0x28c472, param_2="%02X" | out: param_1="D6") returned 2 [0166.681] wsprintfW (in: param_1=0x28c476, param_2="%02X" | out: param_1="B1") returned 2 [0166.681] wsprintfW (in: param_1=0x28c47a, param_2="%02X" | out: param_1="D2") returned 2 [0166.681] wsprintfW (in: param_1=0x28c47e, param_2="%02X" | out: param_1="C1") returned 2 [0166.681] wsprintfW (in: param_1=0x28c482, param_2="%02X" | out: param_1="0B") returned 2 [0166.681] wsprintfW (in: param_1=0x28c486, param_2="%02X" | out: param_1="42") returned 2 [0166.681] wsprintfW (in: param_1=0x28c48a, param_2="%02X" | out: param_1="67") returned 2 [0166.681] wsprintfW (in: param_1=0x28c48e, param_2="%02X" | out: param_1="90") returned 2 [0166.681] wsprintfW (in: param_1=0x28c492, param_2="%02X" | out: param_1="43") returned 2 [0166.681] wsprintfW (in: param_1=0x28c496, param_2="%02X" | out: param_1="07") returned 2 [0166.681] wsprintfW (in: param_1=0x28c49a, param_2="%02X" | out: param_1="4D") returned 2 [0166.681] wsprintfW (in: param_1=0x28c49e, param_2="%02X" | out: param_1="D4") returned 2 [0166.681] wsprintfW (in: param_1=0x28c4a2, param_2="%02X" | out: param_1="A2") returned 2 [0166.681] wsprintfW (in: param_1=0x28c4a6, param_2="%02X" | out: param_1="99") returned 2 [0166.681] wsprintfW (in: param_1=0x28c4aa, param_2="%02X" | out: param_1="1D") returned 2 [0166.681] wsprintfW (in: param_1=0x28c4ae, param_2="%02X" | out: param_1="3E") returned 2 [0166.681] wsprintfW (in: param_1=0x28c4b2, param_2="%02X" | out: param_1="E1") returned 2 [0166.681] wsprintfW (in: param_1=0x28c4b6, param_2="%02X" | out: param_1="C0") returned 2 [0166.681] wsprintfW (in: param_1=0x28c4ba, param_2="%02X" | out: param_1="C7") returned 2 [0166.681] wsprintfW (in: param_1=0x28c4be, param_2="%02X" | out: param_1="68") returned 2 [0166.681] wsprintfW (in: param_1=0x28c4c2, param_2="%02X" | out: param_1="2D") returned 2 [0166.693] lstrcpyW (in: lpString1=0x3c8212c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat" [0166.694] lstrcpyW (in: lpString1=0x3c7212c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat" [0166.694] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat", lpString2=".C3FD89E7A299F2BDE4C26AD6B1D2C10B42679043074DD4A2991D3EE1C0C7682D" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat.C3FD89E7A299F2BDE4C26AD6B1D2C10B42679043074DD4A2991D3EE1C0C7682D") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat.C3FD89E7A299F2BDE4C26AD6B1D2C10B42679043074DD4A2991D3EE1C0C7682D" [0166.694] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x94, CompletionKey=0x3c720f8, NumberOfConcurrentThreads=0x0) returned 0x94 [0166.694] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c720f8, lpOverlapped=0x3c720f8) returned 1 [0166.740] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6451100, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2e234eb, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName="WindowsMail.pat", cAlternateFileName="WINDOW~1.PAT")) returned 0 [0166.740] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0166.797] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\PUSSY.TXT") returned 67 [0166.797] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0166.807] lstrlenA (lpString="abcd") returned 4 [0166.807] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0166.809] CloseHandle (hObject=0x18c) returned 1 [0166.809] GetProcessHeap () returned 0x4c0000 [0166.809] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c500e8 | out: hHeap=0x4c0000) returned 1 [0166.809] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf7de167e, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Windows Media", cAlternateFileName="WINDOW~2")) returned 1 [0166.809] lstrcmpiW (lpString1="Windows Media", lpString2="Windows") returned 1 [0166.809] lstrcmpiW (lpString1="Windows Media", lpString2="Program Files") returned 1 [0166.809] lstrcmpiW (lpString1="Windows Media", lpString2="Program Files (x86)") returned 1 [0166.810] lstrcmpiW (lpString1="Windows Media", lpString2="$Recycle.bin") returned 1 [0166.810] lstrcmpiW (lpString1="Windows Media", lpString2="System Volume Information") returned 1 [0166.810] lstrcmpiW (lpString1="Windows Media", lpString2=".") returned 1 [0166.810] lstrcmpiW (lpString1="Windows Media", lpString2="..") returned 1 [0166.810] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media") returned 58 [0166.810] GetProcessHeap () returned 0x4c0000 [0166.810] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c500e8 [0166.810] lstrcpyW (in: lpString1=0x3c500e8, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media" [0166.810] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\*" [0166.810] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf7de167e, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0166.810] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0166.810] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0166.810] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0166.810] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0166.810] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0166.810] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0166.811] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf7de167e, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0166.811] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0166.811] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0166.811] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0166.811] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0166.811] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0166.811] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0166.811] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0166.811] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf928f5c4, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName="12.0", cAlternateFileName="")) returned 1 [0166.811] lstrcmpiW (lpString1="12.0", lpString2="Windows") returned -1 [0166.811] lstrcmpiW (lpString1="12.0", lpString2="Program Files") returned -1 [0166.811] lstrcmpiW (lpString1="12.0", lpString2="Program Files (x86)") returned -1 [0166.811] lstrcmpiW (lpString1="12.0", lpString2="$Recycle.bin") returned 1 [0166.811] lstrcmpiW (lpString1="12.0", lpString2="System Volume Information") returned -1 [0166.812] lstrcmpiW (lpString1="12.0", lpString2=".") returned 1 [0166.812] lstrcmpiW (lpString1="12.0", lpString2="..") returned 1 [0166.812] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0") returned 63 [0166.812] GetProcessHeap () returned 0x4c0000 [0166.812] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c600f0 [0166.812] lstrcpyW (in: lpString1=0x3c600f0, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0" [0166.812] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\*" [0166.812] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf928f5c4, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0166.812] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0166.812] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0166.812] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0166.813] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0166.813] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0166.813] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0166.813] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf928f5c4, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0166.813] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0166.813] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0166.813] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0166.813] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0166.813] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0166.813] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0166.813] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0166.813] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6451100, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf7de167e, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x1f2, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="WMSDKNS.DTD", cAlternateFileName="")) returned 1 [0166.813] lstrcmpiW (lpString1="WMSDKNS.DTD", lpString2="Windows") returned 1 [0166.813] lstrcmpiW (lpString1="WMSDKNS.DTD", lpString2="Program Files") returned 1 [0166.813] lstrcmpiW (lpString1="WMSDKNS.DTD", lpString2="Program Files (x86)") returned 1 [0166.813] lstrcmpiW (lpString1="WMSDKNS.DTD", lpString2="$Recycle.bin") returned 1 [0166.813] lstrcmpiW (lpString1="WMSDKNS.DTD", lpString2="System Volume Information") returned 1 [0166.813] lstrcmpiW (lpString1="WMSDKNS.DTD", lpString2=".") returned 1 [0166.813] lstrcmpiW (lpString1="WMSDKNS.DTD", lpString2="..") returned 1 [0166.813] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.DTD") returned 75 [0166.813] lstrcmpW (lpString1="WMSDKNS.DTD", lpString2="PUSSY.TXT") returned 1 [0166.813] PathFindExtensionW (pszPath="WMSDKNS.DTD") returned=".DTD" [0166.813] lstrlenW (lpString=".DTD") returned 4 [0166.813] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0166.814] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.DTD" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows media\\12.0\\wmsdkns.dtd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0166.814] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=498) returned 1 [0166.814] CloseHandle (hObject=0x1d8) returned 1 [0166.815] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6451100, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf9269464, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x27cf, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="WMSDKNS.XML", cAlternateFileName="")) returned 1 [0166.815] lstrcmpiW (lpString1="WMSDKNS.XML", lpString2="Windows") returned 1 [0166.815] lstrcmpiW (lpString1="WMSDKNS.XML", lpString2="Program Files") returned 1 [0166.815] lstrcmpiW (lpString1="WMSDKNS.XML", lpString2="Program Files (x86)") returned 1 [0166.815] lstrcmpiW (lpString1="WMSDKNS.XML", lpString2="$Recycle.bin") returned 1 [0166.815] lstrcmpiW (lpString1="WMSDKNS.XML", lpString2="System Volume Information") returned 1 [0166.815] lstrcmpiW (lpString1="WMSDKNS.XML", lpString2=".") returned 1 [0166.815] lstrcmpiW (lpString1="WMSDKNS.XML", lpString2="..") returned 1 [0166.815] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML") returned 75 [0166.815] lstrcmpW (lpString1="WMSDKNS.XML", lpString2="PUSSY.TXT") returned 1 [0166.815] PathFindExtensionW (pszPath="WMSDKNS.XML") returned=".XML" [0166.815] lstrlenW (lpString=".XML") returned 4 [0166.815] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0166.815] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows media\\12.0\\wmsdkns.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0166.816] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=10191) returned 1 [0166.816] GetProcessHeap () returned 0x4c0000 [0166.816] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0166.830] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="1F") returned 2 [0166.830] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="B8") returned 2 [0166.830] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="13") returned 2 [0166.830] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="59") returned 2 [0166.830] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="5B") returned 2 [0166.830] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="71") returned 2 [0166.830] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="95") returned 2 [0166.830] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="FB") returned 2 [0166.830] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="E2") returned 2 [0166.830] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="F3") returned 2 [0166.830] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="37") returned 2 [0166.830] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="2C") returned 2 [0166.830] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="D7") returned 2 [0166.830] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="D0") returned 2 [0166.830] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="1B") returned 2 [0166.830] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="6C") returned 2 [0166.830] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="6D") returned 2 [0166.831] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="69") returned 2 [0166.831] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="A1") returned 2 [0166.831] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="D9") returned 2 [0166.831] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="C4") returned 2 [0166.831] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="87") returned 2 [0166.831] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="EA") returned 2 [0166.831] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="C6") returned 2 [0166.831] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="F9") returned 2 [0166.831] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="A4") returned 2 [0166.831] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="37") returned 2 [0166.831] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="24") returned 2 [0166.831] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="C3") returned 2 [0166.831] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="4B") returned 2 [0166.831] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="ED") returned 2 [0166.831] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="16") returned 2 [0166.859] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML" [0166.859] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML" [0166.859] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML", lpString2=".1FB813595B7195FBE2F3372CD7D01B6C6D69A1D9C487EAC6F9A43724C34BED16" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML.1FB813595B7195FBE2F3372CD7D01B6C6D69A1D9C487EAC6F9A43724C34BED16") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML.1FB813595B7195FBE2F3372CD7D01B6C6D69A1D9C487EAC6F9A43724C34BED16" [0166.859] CreateIoCompletionPort (FileHandle=0x1d8, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0166.860] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0166.860] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6451100, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf9269464, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x27cf, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="WMSDKNS.XML", cAlternateFileName="")) returned 0 [0166.860] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0166.860] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\PUSSY.TXT") returned 73 [0166.860] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows media\\12.0\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0166.861] lstrlenA (lpString="abcd") returned 4 [0166.861] WriteFile (in: hFile=0xec, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0166.862] CloseHandle (hObject=0xec) returned 1 [0166.862] GetProcessHeap () returned 0x4c0000 [0166.862] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c600f0 | out: hHeap=0x4c0000) returned 1 [0166.862] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf928f5c4, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName="12.0", cAlternateFileName="")) returned 0 [0166.862] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0166.862] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\PUSSY.TXT") returned 68 [0166.862] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows media\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0166.863] lstrlenA (lpString="abcd") returned 4 [0166.863] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0166.864] CloseHandle (hObject=0x18c) returned 1 [0166.864] GetProcessHeap () returned 0x4c0000 [0166.865] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c500e8 | out: hHeap=0x4c0000) returned 1 [0166.865] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x184eadb, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Windows Sidebar", cAlternateFileName="WINDOW~1")) returned 1 [0166.865] lstrcmpiW (lpString1="Windows Sidebar", lpString2="Windows") returned 1 [0166.865] lstrcmpiW (lpString1="Windows Sidebar", lpString2="Program Files") returned 1 [0166.865] lstrcmpiW (lpString1="Windows Sidebar", lpString2="Program Files (x86)") returned 1 [0166.865] lstrcmpiW (lpString1="Windows Sidebar", lpString2="$Recycle.bin") returned 1 [0166.865] lstrcmpiW (lpString1="Windows Sidebar", lpString2="System Volume Information") returned 1 [0166.865] lstrcmpiW (lpString1="Windows Sidebar", lpString2=".") returned 1 [0166.865] lstrcmpiW (lpString1="Windows Sidebar", lpString2="..") returned 1 [0166.865] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar") returned 60 [0166.865] GetProcessHeap () returned 0x4c0000 [0166.865] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c500e8 [0166.865] lstrcpyW (in: lpString1=0x3c500e8, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar" [0166.865] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\*" [0166.865] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x184eadb, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0166.865] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0166.865] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0166.865] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0166.866] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0166.866] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0166.866] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0166.866] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x184eadb, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0166.866] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0166.866] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0166.866] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0166.866] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0166.866] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0166.866] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0166.866] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0166.866] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x184eadb, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName="Gadgets", cAlternateFileName="")) returned 1 [0166.866] lstrcmpiW (lpString1="Gadgets", lpString2="Windows") returned -1 [0166.866] lstrcmpiW (lpString1="Gadgets", lpString2="Program Files") returned -1 [0166.866] lstrcmpiW (lpString1="Gadgets", lpString2="Program Files (x86)") returned -1 [0166.866] lstrcmpiW (lpString1="Gadgets", lpString2="$Recycle.bin") returned 1 [0166.866] lstrcmpiW (lpString1="Gadgets", lpString2="System Volume Information") returned -1 [0166.866] lstrcmpiW (lpString1="Gadgets", lpString2=".") returned 1 [0166.866] lstrcmpiW (lpString1="Gadgets", lpString2="..") returned 1 [0166.866] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets") returned 68 [0166.866] GetProcessHeap () returned 0x4c0000 [0166.866] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c600f0 [0166.866] lstrcpyW (in: lpString1=0x3c600f0, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets" [0166.866] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\*" [0166.867] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x184eadb, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0166.867] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0166.867] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0166.867] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0166.867] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0166.867] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0166.867] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0166.867] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x184eadb, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0166.867] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0166.867] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0166.867] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0166.867] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0166.867] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0166.867] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0166.867] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0166.867] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x184eadb, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 0 [0166.867] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0166.868] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\PUSSY.TXT") returned 78 [0166.868] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows sidebar\\gadgets\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0166.868] lstrlenA (lpString="abcd") returned 4 [0166.868] WriteFile (in: hFile=0xec, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0166.869] CloseHandle (hObject=0xec) returned 1 [0166.870] GetProcessHeap () returned 0x4c0000 [0166.870] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c600f0 | out: hHeap=0x4c0000) returned 1 [0166.870] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6451100, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x184eadb, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x54, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName="Settings.ini", cAlternateFileName="")) returned 1 [0166.870] lstrcmpiW (lpString1="Settings.ini", lpString2="Windows") returned -1 [0166.870] lstrcmpiW (lpString1="Settings.ini", lpString2="Program Files") returned 1 [0166.870] lstrcmpiW (lpString1="Settings.ini", lpString2="Program Files (x86)") returned 1 [0166.870] lstrcmpiW (lpString1="Settings.ini", lpString2="$Recycle.bin") returned 1 [0166.870] lstrcmpiW (lpString1="Settings.ini", lpString2="System Volume Information") returned -1 [0166.870] lstrcmpiW (lpString1="Settings.ini", lpString2=".") returned 1 [0166.870] lstrcmpiW (lpString1="Settings.ini", lpString2="..") returned 1 [0166.870] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Settings.ini") returned 73 [0166.870] lstrcmpW (lpString1="Settings.ini", lpString2="PUSSY.TXT") returned 1 [0166.870] PathFindExtensionW (pszPath="Settings.ini") returned=".ini" [0166.870] lstrlenW (lpString=".ini") returned 4 [0166.870] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0166.870] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Settings.ini" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows sidebar\\settings.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xec [0166.871] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=84) returned 1 [0166.871] CloseHandle (hObject=0xec) returned 1 [0166.871] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6451100, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x184eadb, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x54, dwReserved0=0xfe96ce1c, dwReserved1=0xfe000000, cFileName="Settings.ini", cAlternateFileName="")) returned 0 [0166.871] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0166.871] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\PUSSY.TXT") returned 70 [0166.871] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows sidebar\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0166.872] lstrlenA (lpString="abcd") returned 4 [0166.872] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0166.873] CloseHandle (hObject=0x18c) returned 1 [0166.873] GetProcessHeap () returned 0x4c0000 [0166.873] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c500e8 | out: hHeap=0x4c0000) returned 1 [0166.873] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x184eadb, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Windows Sidebar", cAlternateFileName="WINDOW~1")) returned 0 [0166.873] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0166.873] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\PUSSY.TXT") returned 54 [0166.873] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0166.874] lstrlenA (lpString="abcd") returned 4 [0166.874] WriteFile (in: hFile=0x190, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0166.875] CloseHandle (hObject=0x190) returned 1 [0166.875] GetProcessHeap () returned 0x4c0000 [0166.875] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0166.877] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x3b34dcb8, ftLastWriteTime.dwHighDateTime=0x1cb8930, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="Temp", cAlternateFileName="")) returned 1 [0166.877] lstrcmpiW (lpString1="Temp", lpString2="Windows") returned -1 [0166.877] lstrcmpiW (lpString1="Temp", lpString2="Program Files") returned 1 [0166.877] lstrcmpiW (lpString1="Temp", lpString2="Program Files (x86)") returned 1 [0166.877] lstrcmpiW (lpString1="Temp", lpString2="$Recycle.bin") returned 1 [0166.877] lstrcmpiW (lpString1="Temp", lpString2="System Volume Information") returned 1 [0166.877] lstrcmpiW (lpString1="Temp", lpString2=".") returned 1 [0166.877] lstrcmpiW (lpString1="Temp", lpString2="..") returned 1 [0166.877] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp") returned 39 [0166.877] GetProcessHeap () returned 0x4c0000 [0166.877] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0166.878] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp" [0166.878] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\*" [0166.878] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x3b34dcb8, ftLastWriteTime.dwHighDateTime=0x1cb8930, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0166.898] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0166.898] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0166.899] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0166.899] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0166.899] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0166.899] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0166.899] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x3b34dcb8, ftLastWriteTime.dwHighDateTime=0x1cb8930, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0166.899] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0166.899] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0166.899] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0166.899] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0166.899] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0166.899] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0166.899] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0166.899] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6451100, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x77398c9, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="FXSAPIDebugLogFile.txt", cAlternateFileName="FXSAPI~1.TXT")) returned 1 [0166.899] lstrcmpiW (lpString1="FXSAPIDebugLogFile.txt", lpString2="Windows") returned -1 [0166.899] lstrcmpiW (lpString1="FXSAPIDebugLogFile.txt", lpString2="Program Files") returned -1 [0166.899] lstrcmpiW (lpString1="FXSAPIDebugLogFile.txt", lpString2="Program Files (x86)") returned -1 [0166.899] lstrcmpiW (lpString1="FXSAPIDebugLogFile.txt", lpString2="$Recycle.bin") returned 1 [0166.899] lstrcmpiW (lpString1="FXSAPIDebugLogFile.txt", lpString2="System Volume Information") returned -1 [0166.899] lstrcmpiW (lpString1="FXSAPIDebugLogFile.txt", lpString2=".") returned 1 [0166.899] lstrcmpiW (lpString1="FXSAPIDebugLogFile.txt", lpString2="..") returned 1 [0166.899] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.txt") returned 62 [0166.899] lstrcmpW (lpString1="FXSAPIDebugLogFile.txt", lpString2="PUSSY.TXT") returned -1 [0166.899] PathFindExtensionW (pszPath="FXSAPIDebugLogFile.txt") returned=".txt" [0166.899] lstrlenW (lpString=".txt") returned 4 [0166.899] SystemFunction036 (in: RandomBuffer=0x28cba4, RandomBufferLength=0x20 | out: RandomBuffer=0x28cba4) returned 1 [0166.900] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.txt" (normalized: "c:\\users\\default\\appdata\\local\\temp\\fxsapidebuglogfile.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x190 [0166.900] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x28cb98 | out: lpFileSize=0x28cb98*=0) returned 1 [0166.900] CloseHandle (hObject=0x190) returned 1 [0166.900] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6451100, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x77398c9, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="FXSAPIDebugLogFile.txt", cAlternateFileName="FXSAPI~1.TXT")) returned 0 [0166.900] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0166.901] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\PUSSY.TXT") returned 49 [0166.901] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\local\\temp\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0166.901] lstrlenA (lpString="abcd") returned 4 [0166.901] WriteFile (in: hFile=0x1d8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0166.902] CloseHandle (hObject=0x1d8) returned 1 [0166.902] GetProcessHeap () returned 0x4c0000 [0166.903] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0166.904] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="Temporary Internet Files", cAlternateFileName="TEMPOR~1")) returned 1 [0166.904] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="Windows") returned -1 [0166.904] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="Program Files") returned 1 [0166.904] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="Program Files (x86)") returned 1 [0166.904] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="$Recycle.bin") returned 1 [0166.905] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="System Volume Information") returned 1 [0166.905] lstrcmpiW (lpString1="Temporary Internet Files", lpString2=".") returned 1 [0166.905] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="..") returned 1 [0166.905] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files") returned 59 [0166.905] GetProcessHeap () returned 0x4c0000 [0166.905] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0166.906] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files" [0166.906] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\*" [0166.906] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6451100, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x77398c9, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="FXSAPIDebugLogFile.txt", cAlternateFileName="s")) returned 0xffffffff [0166.906] GetProcessHeap () returned 0x4c0000 [0166.906] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0166.906] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="Temporary Internet Files", cAlternateFileName="TEMPOR~1")) returned 0 [0166.906] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0166.906] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\PUSSY.TXT") returned 44 [0166.906] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\local\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0166.907] lstrlenA (lpString="abcd") returned 4 [0166.907] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0166.908] CloseHandle (hObject=0x184) returned 1 [0166.908] GetProcessHeap () returned 0x4c0000 [0166.908] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0166.909] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a1d229, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dda10, dwReserved1=0x77c5f9e2, cFileName="LocalLow", cAlternateFileName="")) returned 1 [0166.909] lstrcmpiW (lpString1="LocalLow", lpString2="Windows") returned -1 [0166.909] lstrcmpiW (lpString1="LocalLow", lpString2="Program Files") returned -1 [0166.909] lstrcmpiW (lpString1="LocalLow", lpString2="Program Files (x86)") returned -1 [0166.909] lstrcmpiW (lpString1="LocalLow", lpString2="$Recycle.bin") returned 1 [0166.909] lstrcmpiW (lpString1="LocalLow", lpString2="System Volume Information") returned -1 [0166.909] lstrcmpiW (lpString1="LocalLow", lpString2=".") returned 1 [0166.909] lstrcmpiW (lpString1="LocalLow", lpString2="..") returned 1 [0166.909] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow") returned 37 [0166.910] GetProcessHeap () returned 0x4c0000 [0166.910] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0166.910] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow") returned="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow" [0166.911] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\*" [0166.911] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a1d229, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0166.911] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0166.911] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0166.911] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0166.911] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0166.911] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0166.911] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0166.911] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a1d229, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0166.911] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0166.911] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0166.911] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0166.911] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0166.911] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0166.911] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0166.911] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0166.911] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a1d229, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0166.911] lstrcmpiW (lpString1="Microsoft", lpString2="Windows") returned -1 [0166.912] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files") returned -1 [0166.912] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files (x86)") returned -1 [0166.912] lstrcmpiW (lpString1="Microsoft", lpString2="$Recycle.bin") returned 1 [0166.912] lstrcmpiW (lpString1="Microsoft", lpString2="System Volume Information") returned -1 [0166.912] lstrcmpiW (lpString1="Microsoft", lpString2=".") returned 1 [0166.912] lstrcmpiW (lpString1="Microsoft", lpString2="..") returned 1 [0166.912] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft") returned 47 [0166.912] GetProcessHeap () returned 0x4c0000 [0166.912] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0166.912] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft") returned="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft" [0166.912] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\*" [0166.912] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a1d229, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0166.912] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0166.912] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0166.912] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0166.912] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0166.913] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0166.913] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0166.913] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a1d229, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0166.913] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0166.913] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0166.913] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0166.913] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0166.913] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0166.913] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0166.913] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0166.913] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="CryptnetUrlCache", cAlternateFileName="CRYPTN~1")) returned 1 [0166.913] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="Windows") returned -1 [0166.913] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="Program Files") returned -1 [0166.913] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="Program Files (x86)") returned -1 [0166.913] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="$Recycle.bin") returned 1 [0166.913] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="System Volume Information") returned -1 [0166.913] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2=".") returned 1 [0166.913] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="..") returned 1 [0166.913] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache") returned 64 [0166.913] GetProcessHeap () returned 0x4c0000 [0166.913] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c500e8 [0166.914] lstrcpyW (in: lpString1=0x3c500e8, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache") returned="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache" [0166.914] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*" [0166.914] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0166.915] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0166.915] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0166.915] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0166.915] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0166.915] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0166.915] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0166.915] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0166.915] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0166.916] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0166.916] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0166.916] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0166.916] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0166.916] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0166.916] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0166.916] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="Content", cAlternateFileName="")) returned 1 [0166.916] lstrcmpiW (lpString1="Content", lpString2="Windows") returned -1 [0166.916] lstrcmpiW (lpString1="Content", lpString2="Program Files") returned -1 [0166.916] lstrcmpiW (lpString1="Content", lpString2="Program Files (x86)") returned -1 [0166.916] lstrcmpiW (lpString1="Content", lpString2="$Recycle.bin") returned 1 [0166.916] lstrcmpiW (lpString1="Content", lpString2="System Volume Information") returned -1 [0166.916] lstrcmpiW (lpString1="Content", lpString2=".") returned 1 [0166.916] lstrcmpiW (lpString1="Content", lpString2="..") returned 1 [0166.916] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content") returned 72 [0166.916] GetProcessHeap () returned 0x4c0000 [0166.916] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c600f0 [0166.917] lstrcpyW (in: lpString1=0x3c600f0, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content") returned="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content" [0166.917] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*" [0166.917] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0166.917] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0166.917] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0166.917] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0166.917] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0166.917] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0166.917] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0166.917] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0166.917] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0166.917] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0166.917] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0166.917] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0166.918] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0166.918] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0166.918] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0166.918] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x6451100, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x228, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="7B2238AACCEDC3F1FFE8E7EB5F575EC9", cAlternateFileName="7B2238~1")) returned 1 [0166.918] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="Windows") returned -1 [0166.918] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="Program Files") returned -1 [0166.918] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="Program Files (x86)") returned -1 [0166.918] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="$Recycle.bin") returned 1 [0166.918] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="System Volume Information") returned -1 [0166.918] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2=".") returned 1 [0166.918] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="..") returned 1 [0166.918] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9") returned 105 [0166.918] lstrcmpW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="PUSSY.TXT") returned -1 [0166.918] PathFindExtensionW (pszPath="7B2238AACCEDC3F1FFE8E7EB5F575EC9") returned="" [0166.918] lstrlenW (lpString="") returned 0 [0166.918] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0166.918] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7b2238aaccedc3f1ffe8e7eb5f575ec9"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xec [0166.919] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=552) returned 1 [0166.919] GetProcessHeap () returned 0x4c0000 [0166.919] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0166.933] wsprintfW (in: param_1=0x28bca6, param_2="%02X" | out: param_1="F1") returned 2 [0166.933] wsprintfW (in: param_1=0x28bcaa, param_2="%02X" | out: param_1="CB") returned 2 [0166.933] wsprintfW (in: param_1=0x28bcae, param_2="%02X" | out: param_1="AD") returned 2 [0166.933] wsprintfW (in: param_1=0x28bcb2, param_2="%02X" | out: param_1="1B") returned 2 [0166.933] wsprintfW (in: param_1=0x28bcb6, param_2="%02X" | out: param_1="F0") returned 2 [0166.933] wsprintfW (in: param_1=0x28bcba, param_2="%02X" | out: param_1="64") returned 2 [0166.933] wsprintfW (in: param_1=0x28bcbe, param_2="%02X" | out: param_1="38") returned 2 [0166.933] wsprintfW (in: param_1=0x28bcc2, param_2="%02X" | out: param_1="B3") returned 2 [0166.957] wsprintfW (in: param_1=0x28bcc6, param_2="%02X" | out: param_1="59") returned 2 [0166.957] wsprintfW (in: param_1=0x28bcca, param_2="%02X" | out: param_1="CD") returned 2 [0166.957] wsprintfW (in: param_1=0x28bcce, param_2="%02X" | out: param_1="2B") returned 2 [0166.957] wsprintfW (in: param_1=0x28bcd2, param_2="%02X" | out: param_1="2B") returned 2 [0166.957] wsprintfW (in: param_1=0x28bcd6, param_2="%02X" | out: param_1="09") returned 2 [0166.957] wsprintfW (in: param_1=0x28bcda, param_2="%02X" | out: param_1="AB") returned 2 [0166.957] wsprintfW (in: param_1=0x28bcde, param_2="%02X" | out: param_1="17") returned 2 [0166.957] wsprintfW (in: param_1=0x28bce2, param_2="%02X" | out: param_1="18") returned 2 [0166.957] wsprintfW (in: param_1=0x28bce6, param_2="%02X" | out: param_1="3D") returned 2 [0166.957] wsprintfW (in: param_1=0x28bcea, param_2="%02X" | out: param_1="6B") returned 2 [0166.958] wsprintfW (in: param_1=0x28bcee, param_2="%02X" | out: param_1="58") returned 2 [0166.958] wsprintfW (in: param_1=0x28bcf2, param_2="%02X" | out: param_1="A4") returned 2 [0166.958] wsprintfW (in: param_1=0x28bcf6, param_2="%02X" | out: param_1="94") returned 2 [0166.958] wsprintfW (in: param_1=0x28bcfa, param_2="%02X" | out: param_1="DA") returned 2 [0166.958] wsprintfW (in: param_1=0x28bcfe, param_2="%02X" | out: param_1="CC") returned 2 [0166.958] wsprintfW (in: param_1=0x28bd02, param_2="%02X" | out: param_1="09") returned 2 [0166.958] wsprintfW (in: param_1=0x28bd06, param_2="%02X" | out: param_1="53") returned 2 [0166.958] wsprintfW (in: param_1=0x28bd0a, param_2="%02X" | out: param_1="56") returned 2 [0166.958] wsprintfW (in: param_1=0x28bd0e, param_2="%02X" | out: param_1="78") returned 2 [0166.958] wsprintfW (in: param_1=0x28bd12, param_2="%02X" | out: param_1="A3") returned 2 [0166.958] wsprintfW (in: param_1=0x28bd16, param_2="%02X" | out: param_1="3C") returned 2 [0166.958] wsprintfW (in: param_1=0x28bd1a, param_2="%02X" | out: param_1="4D") returned 2 [0166.958] wsprintfW (in: param_1=0x28bd1e, param_2="%02X" | out: param_1="64") returned 2 [0166.958] wsprintfW (in: param_1=0x28bd22, param_2="%02X" | out: param_1="43") returned 2 [0166.970] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9") returned="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9" [0166.970] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9") returned="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9" [0166.970] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2=".F1CBAD1BF06438B359CD2B2B09AB17183D6B58A494DACC09535678A33C4D6443" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9.F1CBAD1BF06438B359CD2B2B09AB17183D6B58A494DACC09535678A33C4D6443") returned="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9.F1CBAD1BF06438B359CD2B2B09AB17183D6B58A494DACC09535678A33C4D6443" [0166.970] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0166.970] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0166.972] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x6451100, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="94308059B57B3142E455B38A6EB92015", cAlternateFileName="943080~1")) returned 1 [0166.972] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="Windows") returned -1 [0166.972] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="Program Files") returned -1 [0166.972] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="Program Files (x86)") returned -1 [0166.972] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="$Recycle.bin") returned 1 [0166.972] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="System Volume Information") returned -1 [0166.972] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2=".") returned 1 [0166.972] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="..") returned 1 [0166.972] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015") returned 105 [0166.972] lstrcmpW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="PUSSY.TXT") returned -1 [0166.972] PathFindExtensionW (pszPath="94308059B57B3142E455B38A6EB92015") returned="" [0166.972] lstrlenW (lpString="") returned 0 [0166.972] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0166.972] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\94308059b57b3142e455b38a6eb92015"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1b8 [0166.973] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=0) returned 1 [0166.973] CloseHandle (hObject=0x1b8) returned 1 [0166.973] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x6451100, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="94308059B57B3142E455B38A6EB92015", cAlternateFileName="943080~1")) returned 0 [0166.973] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0166.973] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\PUSSY.TXT") returned 82 [0166.973] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x128 [0167.042] lstrlenA (lpString="abcd") returned 4 [0167.042] WriteFile (in: hFile=0x128, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0167.043] CloseHandle (hObject=0x128) returned 1 [0167.044] GetProcessHeap () returned 0x4c0000 [0167.044] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c600f0 | out: hHeap=0x4c0000) returned 1 [0167.048] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="MetaData", cAlternateFileName="")) returned 1 [0167.048] lstrcmpiW (lpString1="MetaData", lpString2="Windows") returned -1 [0167.048] lstrcmpiW (lpString1="MetaData", lpString2="Program Files") returned -1 [0167.048] lstrcmpiW (lpString1="MetaData", lpString2="Program Files (x86)") returned -1 [0167.048] lstrcmpiW (lpString1="MetaData", lpString2="$Recycle.bin") returned 1 [0167.048] lstrcmpiW (lpString1="MetaData", lpString2="System Volume Information") returned -1 [0167.048] lstrcmpiW (lpString1="MetaData", lpString2=".") returned 1 [0167.048] lstrcmpiW (lpString1="MetaData", lpString2="..") returned 1 [0167.048] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData") returned 73 [0167.048] GetProcessHeap () returned 0x4c0000 [0167.048] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c600f0 [0167.049] lstrcpyW (in: lpString1=0x3c600f0, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData") returned="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData" [0167.049] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*" [0167.049] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0167.049] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0167.049] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0167.049] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0167.049] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0167.049] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0167.049] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0167.049] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0167.050] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0167.050] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0167.050] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0167.050] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0167.050] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0167.050] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0167.050] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0167.050] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x6451100, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x104, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="7B2238AACCEDC3F1FFE8E7EB5F575EC9", cAlternateFileName="7B2238~1")) returned 1 [0167.050] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="Windows") returned -1 [0167.050] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="Program Files") returned -1 [0167.050] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="Program Files (x86)") returned -1 [0167.050] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="$Recycle.bin") returned 1 [0167.050] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="System Volume Information") returned -1 [0167.050] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2=".") returned 1 [0167.050] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="..") returned 1 [0167.050] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B2238AACCEDC3F1FFE8E7EB5F575EC9") returned 106 [0167.050] lstrcmpW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="PUSSY.TXT") returned -1 [0167.050] PathFindExtensionW (pszPath="7B2238AACCEDC3F1FFE8E7EB5F575EC9") returned="" [0167.050] lstrlenW (lpString="") returned 0 [0167.050] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0167.050] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B2238AACCEDC3F1FFE8E7EB5F575EC9" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7b2238aaccedc3f1ffe8e7eb5f575ec9"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0167.051] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=260) returned 1 [0167.051] CloseHandle (hObject=0x18c) returned 1 [0167.051] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x642afa0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x130, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="94308059B57B3142E455B38A6EB92015", cAlternateFileName="943080~1")) returned 1 [0167.051] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="Windows") returned -1 [0167.051] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="Program Files") returned -1 [0167.051] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="Program Files (x86)") returned -1 [0167.052] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="$Recycle.bin") returned 1 [0167.052] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="System Volume Information") returned -1 [0167.052] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2=".") returned 1 [0167.052] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="..") returned 1 [0167.052] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015") returned 106 [0167.052] lstrcmpW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="PUSSY.TXT") returned -1 [0167.052] PathFindExtensionW (pszPath="94308059B57B3142E455B38A6EB92015") returned="" [0167.052] lstrlenW (lpString="") returned 0 [0167.052] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0167.052] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\94308059b57b3142e455b38a6eb92015"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0167.053] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=304) returned 1 [0167.053] CloseHandle (hObject=0x18c) returned 1 [0167.053] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x642afa0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x130, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="94308059B57B3142E455B38A6EB92015", cAlternateFileName="943080~1")) returned 0 [0167.053] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0167.053] wnsprintfW (in: pszDest=0x3c600f0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\PUSSY.TXT") returned 83 [0167.053] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x128 [0167.053] lstrlenA (lpString="abcd") returned 4 [0167.053] WriteFile (in: hFile=0x128, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0167.055] CloseHandle (hObject=0x128) returned 1 [0167.055] GetProcessHeap () returned 0x4c0000 [0167.055] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c600f0 | out: hHeap=0x4c0000) returned 1 [0167.055] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="MetaData", cAlternateFileName="")) returned 0 [0167.055] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0167.055] wnsprintfW (in: pszDest=0x3c500e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\PUSSY.TXT") returned 74 [0167.055] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0167.055] lstrlenA (lpString="abcd") returned 4 [0167.055] WriteFile (in: hFile=0x190, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0167.057] CloseHandle (hObject=0x190) returned 1 [0167.057] GetProcessHeap () returned 0x4c0000 [0167.057] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c500e8 | out: hHeap=0x4c0000) returned 1 [0167.057] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="CryptnetUrlCache", cAlternateFileName="CRYPTN~1")) returned 0 [0167.057] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0167.057] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\PUSSY.TXT") returned 57 [0167.058] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0167.058] lstrlenA (lpString="abcd") returned 4 [0167.058] WriteFile (in: hFile=0x1d8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0167.059] CloseHandle (hObject=0x1d8) returned 1 [0167.059] GetProcessHeap () returned 0x4c0000 [0167.059] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0167.062] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a1d229, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 0 [0167.062] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0167.062] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\PUSSY.TXT") returned 47 [0167.062] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\locallow\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0167.062] lstrlenA (lpString="abcd") returned 4 [0167.062] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0167.063] CloseHandle (hObject=0x184) returned 1 [0167.064] GetProcessHeap () returned 0x4c0000 [0167.064] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0167.064] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dda10, dwReserved1=0x77c5f9e2, cFileName="Roaming", cAlternateFileName="")) returned 1 [0167.064] lstrcmpiW (lpString1="Roaming", lpString2="Windows") returned -1 [0167.064] lstrcmpiW (lpString1="Roaming", lpString2="Program Files") returned 1 [0167.064] lstrcmpiW (lpString1="Roaming", lpString2="Program Files (x86)") returned 1 [0167.064] lstrcmpiW (lpString1="Roaming", lpString2="$Recycle.bin") returned 1 [0167.064] lstrcmpiW (lpString1="Roaming", lpString2="System Volume Information") returned -1 [0167.064] lstrcmpiW (lpString1="Roaming", lpString2=".") returned 1 [0167.064] lstrcmpiW (lpString1="Roaming", lpString2="..") returned 1 [0167.064] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming") returned 36 [0167.064] GetProcessHeap () returned 0x4c0000 [0167.064] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0167.064] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming" [0167.065] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\*" [0167.065] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0167.065] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0167.065] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0167.065] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0167.065] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0167.065] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0167.065] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0167.065] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0167.065] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0167.065] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0167.065] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0167.065] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0167.065] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0167.065] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0167.065] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0167.065] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="Identities", cAlternateFileName="IDENTI~1")) returned 1 [0167.066] lstrcmpiW (lpString1="Identities", lpString2="Windows") returned -1 [0167.066] lstrcmpiW (lpString1="Identities", lpString2="Program Files") returned -1 [0167.066] lstrcmpiW (lpString1="Identities", lpString2="Program Files (x86)") returned -1 [0167.066] lstrcmpiW (lpString1="Identities", lpString2="$Recycle.bin") returned 1 [0167.066] lstrcmpiW (lpString1="Identities", lpString2="System Volume Information") returned -1 [0167.066] lstrcmpiW (lpString1="Identities", lpString2=".") returned 1 [0167.066] lstrcmpiW (lpString1="Identities", lpString2="..") returned 1 [0167.066] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities") returned 47 [0167.066] GetProcessHeap () returned 0x4c0000 [0167.066] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0167.066] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities" [0167.066] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\*" [0167.066] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0167.066] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0167.066] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0167.066] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0167.067] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0167.067] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0167.067] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0167.067] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0167.067] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0167.067] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0167.067] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0167.067] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0167.067] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0167.067] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0167.067] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0167.067] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="{31810C36-5D23-4CCE-A3B4-316DED195C38}", cAlternateFileName="{31810~1")) returned 1 [0167.067] lstrcmpiW (lpString1="{31810C36-5D23-4CCE-A3B4-316DED195C38}", lpString2="Windows") returned -1 [0167.067] lstrcmpiW (lpString1="{31810C36-5D23-4CCE-A3B4-316DED195C38}", lpString2="Program Files") returned -1 [0167.067] lstrcmpiW (lpString1="{31810C36-5D23-4CCE-A3B4-316DED195C38}", lpString2="Program Files (x86)") returned -1 [0167.067] lstrcmpiW (lpString1="{31810C36-5D23-4CCE-A3B4-316DED195C38}", lpString2="$Recycle.bin") returned 1 [0167.067] lstrcmpiW (lpString1="{31810C36-5D23-4CCE-A3B4-316DED195C38}", lpString2="System Volume Information") returned -1 [0167.067] lstrcmpiW (lpString1="{31810C36-5D23-4CCE-A3B4-316DED195C38}", lpString2=".") returned 1 [0167.067] lstrcmpiW (lpString1="{31810C36-5D23-4CCE-A3B4-316DED195C38}", lpString2="..") returned 1 [0167.067] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}") returned 86 [0167.067] GetProcessHeap () returned 0x4c0000 [0167.067] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0167.068] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}" [0167.068] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\*" [0167.068] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0167.069] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0167.069] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0167.069] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0167.069] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0167.069] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0167.069] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0167.069] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0167.069] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0167.069] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0167.069] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0167.069] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0167.069] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0167.069] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0167.069] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0167.069] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 0 [0167.069] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0167.070] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\PUSSY.TXT") returned 96 [0167.070] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\roaming\\identities\\{31810c36-5d23-4cce-a3b4-316ded195c38}\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0167.070] lstrlenA (lpString="abcd") returned 4 [0167.070] WriteFile (in: hFile=0x190, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0167.072] CloseHandle (hObject=0x190) returned 1 [0167.072] GetProcessHeap () returned 0x4c0000 [0167.072] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0167.072] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="{31810C36-5D23-4CCE-A3B4-316DED195C38}", cAlternateFileName="{31810~1")) returned 0 [0167.072] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0167.072] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\PUSSY.TXT") returned 57 [0167.072] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\roaming\\identities\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0167.073] lstrlenA (lpString="abcd") returned 4 [0167.073] WriteFile (in: hFile=0x1d8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0167.074] CloseHandle (hObject=0x1d8) returned 1 [0167.074] GetProcessHeap () returned 0x4c0000 [0167.074] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0167.076] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x160a67d7, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0167.076] lstrcmpiW (lpString1="Microsoft", lpString2="Windows") returned -1 [0167.076] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files") returned -1 [0167.076] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files (x86)") returned -1 [0167.076] lstrcmpiW (lpString1="Microsoft", lpString2="$Recycle.bin") returned 1 [0167.076] lstrcmpiW (lpString1="Microsoft", lpString2="System Volume Information") returned -1 [0167.076] lstrcmpiW (lpString1="Microsoft", lpString2=".") returned 1 [0167.076] lstrcmpiW (lpString1="Microsoft", lpString2="..") returned 1 [0167.076] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft") returned 46 [0167.076] GetProcessHeap () returned 0x4c0000 [0167.076] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b10050 [0167.077] lstrcpyW (in: lpString1=0x3b10050, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft" [0167.077] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*" [0167.077] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*", lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x160a67d7, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName=".", cAlternateFileName="")) returned 0x3bb70e0 [0167.079] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0167.079] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0167.079] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0167.079] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0167.079] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0167.079] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0167.079] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x160a67d7, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="..", cAlternateFileName="")) returned 1 [0167.080] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0167.080] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0167.080] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0167.080] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0167.080] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0167.080] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0167.080] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0167.080] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xea43994d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Credentials", cAlternateFileName="CREDEN~1")) returned 1 [0167.080] lstrcmpiW (lpString1="Credentials", lpString2="Windows") returned -1 [0167.080] lstrcmpiW (lpString1="Credentials", lpString2="Program Files") returned -1 [0167.080] lstrcmpiW (lpString1="Credentials", lpString2="Program Files (x86)") returned -1 [0167.080] lstrcmpiW (lpString1="Credentials", lpString2="$Recycle.bin") returned 1 [0167.080] lstrcmpiW (lpString1="Credentials", lpString2="System Volume Information") returned -1 [0167.080] lstrcmpiW (lpString1="Credentials", lpString2=".") returned 1 [0167.080] lstrcmpiW (lpString1="Credentials", lpString2="..") returned 1 [0167.080] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Credentials") returned 58 [0167.080] GetProcessHeap () returned 0x4c0000 [0167.080] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0167.081] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Credentials" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Credentials") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Credentials" [0167.081] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Credentials", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Credentials\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Credentials\\*" [0167.081] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Credentials\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xea43994d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0167.081] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0167.081] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0167.082] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0167.082] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0167.082] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0167.082] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0167.082] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xea43994d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0167.082] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0167.082] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0167.082] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0167.082] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0167.082] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0167.082] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0167.082] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0167.082] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xea43994d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 0 [0167.082] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0167.083] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Credentials\\PUSSY.TXT") returned 68 [0167.083] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Credentials\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\credentials\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0167.083] lstrlenA (lpString="abcd") returned 4 [0167.084] WriteFile (in: hFile=0x190, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0167.085] CloseHandle (hObject=0x190) returned 1 [0167.085] GetProcessHeap () returned 0x4c0000 [0167.085] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0167.085] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x160a67d7, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Crypto", cAlternateFileName="")) returned 1 [0167.085] lstrcmpiW (lpString1="Crypto", lpString2="Windows") returned -1 [0167.085] lstrcmpiW (lpString1="Crypto", lpString2="Program Files") returned -1 [0167.085] lstrcmpiW (lpString1="Crypto", lpString2="Program Files (x86)") returned -1 [0167.085] lstrcmpiW (lpString1="Crypto", lpString2="$Recycle.bin") returned 1 [0167.085] lstrcmpiW (lpString1="Crypto", lpString2="System Volume Information") returned -1 [0167.085] lstrcmpiW (lpString1="Crypto", lpString2=".") returned 1 [0167.085] lstrcmpiW (lpString1="Crypto", lpString2="..") returned 1 [0167.085] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto") returned 53 [0167.085] GetProcessHeap () returned 0x4c0000 [0167.085] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0167.085] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto" [0167.085] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\*" [0167.085] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x160a67d7, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0167.086] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0167.086] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0167.086] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0167.086] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0167.086] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0167.086] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0167.086] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x160a67d7, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0167.086] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0167.086] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0167.086] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0167.086] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0167.086] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0167.086] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0167.086] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0167.086] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x5af83960, ftLastWriteTime.dwHighDateTime=0x1cb8930, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="RSA", cAlternateFileName="")) returned 1 [0167.086] lstrcmpiW (lpString1="RSA", lpString2="Windows") returned -1 [0167.086] lstrcmpiW (lpString1="RSA", lpString2="Program Files") returned 1 [0167.086] lstrcmpiW (lpString1="RSA", lpString2="Program Files (x86)") returned 1 [0167.086] lstrcmpiW (lpString1="RSA", lpString2="$Recycle.bin") returned 1 [0167.086] lstrcmpiW (lpString1="RSA", lpString2="System Volume Information") returned -1 [0167.086] lstrcmpiW (lpString1="RSA", lpString2=".") returned 1 [0167.086] lstrcmpiW (lpString1="RSA", lpString2="..") returned 1 [0167.087] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\RSA") returned 57 [0167.087] GetProcessHeap () returned 0x4c0000 [0167.087] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bd80e8 [0167.087] lstrcpyW (in: lpString1=0x3bd80e8, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\RSA" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\RSA") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\RSA" [0167.087] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\RSA", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*" [0167.087] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x5af83960, ftLastWriteTime.dwHighDateTime=0x1cb8930, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0167.087] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0167.087] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0167.087] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0167.087] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0167.087] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0167.087] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0167.087] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x5af83960, ftLastWriteTime.dwHighDateTime=0x1cb8930, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0167.088] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0167.088] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0167.088] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0167.088] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0167.088] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0167.088] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0167.088] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0167.088] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x5af83960, ftLastWriteTime.dwHighDateTime=0x1cb8930, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 0 [0167.088] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0167.088] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\PUSSY.TXT") returned 67 [0167.088] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\crypto\\rsa\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x128 [0167.089] lstrlenA (lpString="abcd") returned 4 [0167.089] WriteFile (in: hFile=0x128, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0167.090] CloseHandle (hObject=0x128) returned 1 [0167.090] GetProcessHeap () returned 0x4c0000 [0167.090] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bd80e8 | out: hHeap=0x4c0000) returned 1 [0167.091] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x5af83960, ftLastWriteTime.dwHighDateTime=0x1cb8930, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="RSA", cAlternateFileName="")) returned 0 [0167.091] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0167.091] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\PUSSY.TXT") returned 63 [0167.091] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\crypto\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0167.091] lstrlenA (lpString="abcd") returned 4 [0167.091] WriteFile (in: hFile=0x190, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0167.093] CloseHandle (hObject=0x190) returned 1 [0167.093] GetProcessHeap () returned 0x4c0000 [0167.093] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0167.093] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfda27f60, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfda27f60, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0167.093] lstrcmpiW (lpString1="Internet Explorer", lpString2="Windows") returned -1 [0167.093] lstrcmpiW (lpString1="Internet Explorer", lpString2="Program Files") returned -1 [0167.093] lstrcmpiW (lpString1="Internet Explorer", lpString2="Program Files (x86)") returned -1 [0167.093] lstrcmpiW (lpString1="Internet Explorer", lpString2="$Recycle.bin") returned 1 [0167.093] lstrcmpiW (lpString1="Internet Explorer", lpString2="System Volume Information") returned -1 [0167.093] lstrcmpiW (lpString1="Internet Explorer", lpString2=".") returned 1 [0167.093] lstrcmpiW (lpString1="Internet Explorer", lpString2="..") returned 1 [0167.093] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer") returned 64 [0167.093] GetProcessHeap () returned 0x4c0000 [0167.093] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0167.093] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer" [0167.093] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*" [0167.094] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfda27f60, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfda27f60, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0167.094] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0167.094] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0167.094] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0167.094] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0167.094] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0167.094] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0167.094] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfda27f60, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfda27f60, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0167.094] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0167.094] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0167.095] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0167.095] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0167.095] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0167.095] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0167.095] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0167.095] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf96dfdac, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="Quick Launch", cAlternateFileName="QUICKL~1")) returned 1 [0167.095] lstrcmpiW (lpString1="Quick Launch", lpString2="Windows") returned -1 [0167.095] lstrcmpiW (lpString1="Quick Launch", lpString2="Program Files") returned 1 [0167.095] lstrcmpiW (lpString1="Quick Launch", lpString2="Program Files (x86)") returned 1 [0167.095] lstrcmpiW (lpString1="Quick Launch", lpString2="$Recycle.bin") returned 1 [0167.095] lstrcmpiW (lpString1="Quick Launch", lpString2="System Volume Information") returned -1 [0167.095] lstrcmpiW (lpString1="Quick Launch", lpString2=".") returned 1 [0167.095] lstrcmpiW (lpString1="Quick Launch", lpString2="..") returned 1 [0167.095] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch") returned 77 [0167.095] GetProcessHeap () returned 0x4c0000 [0167.095] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bd80e8 [0167.095] lstrcpyW (in: lpString1=0x3bd80e8, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch" [0167.096] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*" [0167.096] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf96dfdac, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0167.097] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0167.097] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0167.098] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0167.098] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0167.098] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0167.098] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0167.098] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf96dfdac, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0167.098] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0167.098] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0167.098] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0167.098] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0167.098] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0167.098] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0167.098] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0167.098] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x7de4960a, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x7e1692f0, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x92, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0167.098] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0167.098] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0167.098] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0167.098] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0167.098] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0167.098] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0167.098] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0167.098] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini") returned 89 [0167.098] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0167.098] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0167.098] lstrlenW (lpString=".ini") returned 4 [0167.099] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0167.099] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0167.099] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=146) returned 1 [0167.099] CloseHandle (hObject=0x18c) returned 1 [0167.100] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7de234aa, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x7e11d030, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x122, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="Shows Desktop.lnk", cAlternateFileName="SHOWSD~1.LNK")) returned 1 [0167.100] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="Windows") returned -1 [0167.100] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="Program Files") returned 1 [0167.100] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="Program Files (x86)") returned 1 [0167.100] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="$Recycle.bin") returned 1 [0167.100] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="System Volume Information") returned -1 [0167.100] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2=".") returned 1 [0167.100] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="..") returned 1 [0167.100] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk") returned 95 [0167.100] lstrcmpW (lpString1="Shows Desktop.lnk", lpString2="PUSSY.TXT") returned 1 [0167.100] PathFindExtensionW (pszPath="Shows Desktop.lnk") returned=".lnk" [0167.100] lstrlenW (lpString=".lnk") returned 4 [0167.100] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0167.100] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\shows desktop.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0167.101] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=290) returned 1 [0167.101] CloseHandle (hObject=0x18c) returned 1 [0167.101] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x119ccee, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="User Pinned", cAlternateFileName="USERPI~1")) returned 1 [0167.101] lstrcmpiW (lpString1="User Pinned", lpString2="Windows") returned -1 [0167.101] lstrcmpiW (lpString1="User Pinned", lpString2="Program Files") returned 1 [0167.101] lstrcmpiW (lpString1="User Pinned", lpString2="Program Files (x86)") returned 1 [0167.101] lstrcmpiW (lpString1="User Pinned", lpString2="$Recycle.bin") returned 1 [0167.101] lstrcmpiW (lpString1="User Pinned", lpString2="System Volume Information") returned 1 [0167.101] lstrcmpiW (lpString1="User Pinned", lpString2=".") returned 1 [0167.101] lstrcmpiW (lpString1="User Pinned", lpString2="..") returned 1 [0167.101] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned") returned 89 [0167.101] GetProcessHeap () returned 0x4c0000 [0167.101] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c28098 [0167.103] lstrcpyW (in: lpString1=0x3c28098, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned" [0167.103] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*" [0167.103] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x119ccee, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb71a0 [0167.103] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0167.103] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0167.103] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0167.103] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0167.103] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0167.103] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0167.104] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x119ccee, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0167.104] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0167.104] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0167.104] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0167.104] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0167.104] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0167.104] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0167.104] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0167.104] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf98cef90, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="ImplicitAppShortcuts", cAlternateFileName="IMPLIC~1")) returned 1 [0167.104] lstrcmpiW (lpString1="ImplicitAppShortcuts", lpString2="Windows") returned -1 [0167.104] lstrcmpiW (lpString1="ImplicitAppShortcuts", lpString2="Program Files") returned -1 [0167.104] lstrcmpiW (lpString1="ImplicitAppShortcuts", lpString2="Program Files (x86)") returned -1 [0167.104] lstrcmpiW (lpString1="ImplicitAppShortcuts", lpString2="$Recycle.bin") returned 1 [0167.104] lstrcmpiW (lpString1="ImplicitAppShortcuts", lpString2="System Volume Information") returned -1 [0167.104] lstrcmpiW (lpString1="ImplicitAppShortcuts", lpString2=".") returned 1 [0167.104] lstrcmpiW (lpString1="ImplicitAppShortcuts", lpString2="..") returned 1 [0167.104] wnsprintfW (in: pszDest=0x3c28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts") returned 110 [0167.104] GetProcessHeap () returned 0x4c0000 [0167.104] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c380a0 [0167.105] lstrcpyW (in: lpString1=0x3c380a0, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts" [0167.105] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*" [0167.105] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf98cef90, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe7dfa89, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb71e0 [0167.105] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0167.105] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0167.105] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0167.105] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0167.105] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0167.105] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0167.105] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf98cef90, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe7dfa89, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0167.105] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0167.106] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0167.106] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0167.106] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0167.106] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0167.106] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0167.106] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0167.106] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf98cef90, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe7dfa89, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 0 [0167.106] FindClose (in: hFindFile=0x3bb71e0 | out: hFindFile=0x3bb71e0) returned 1 [0167.106] wnsprintfW (in: pszDest=0x3c380a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\PUSSY.TXT") returned 120 [0167.106] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\implicitappshortcuts\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0167.107] lstrlenA (lpString="abcd") returned 4 [0167.107] WriteFile (in: hFile=0x1b8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0167.108] CloseHandle (hObject=0x1b8) returned 1 [0167.108] GetProcessHeap () returned 0x4c0000 [0167.108] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c380a0 | out: hHeap=0x4c0000) returned 1 [0167.108] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6477260, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x123526f, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="TaskBar", cAlternateFileName="")) returned 1 [0167.108] lstrcmpiW (lpString1="TaskBar", lpString2="Windows") returned -1 [0167.108] lstrcmpiW (lpString1="TaskBar", lpString2="Program Files") returned 1 [0167.108] lstrcmpiW (lpString1="TaskBar", lpString2="Program Files (x86)") returned 1 [0167.108] lstrcmpiW (lpString1="TaskBar", lpString2="$Recycle.bin") returned 1 [0167.108] lstrcmpiW (lpString1="TaskBar", lpString2="System Volume Information") returned 1 [0167.109] lstrcmpiW (lpString1="TaskBar", lpString2=".") returned 1 [0167.109] lstrcmpiW (lpString1="TaskBar", lpString2="..") returned 1 [0167.109] wnsprintfW (in: pszDest=0x3c28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar") returned 97 [0167.109] GetProcessHeap () returned 0x4c0000 [0167.109] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c380a0 [0167.109] lstrcpyW (in: lpString1=0x3c380a0, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar" [0167.109] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*" [0167.109] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*", lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6477260, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x123526f, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe7dfa89, dwReserved1=0xfe000000, cFileName=".", cAlternateFileName="")) returned 0x3bb71e0 [0167.112] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0167.112] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0167.112] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0167.112] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0167.112] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0167.112] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0167.112] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6477260, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x123526f, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe7dfa89, dwReserved1=0xfe000000, cFileName="..", cAlternateFileName="")) returned 1 [0167.112] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0167.112] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0167.112] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0167.112] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0167.112] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0167.112] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0167.112] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0167.112] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x642afa0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x123526f, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0xd3, dwReserved0=0xfe7dfa89, dwReserved1=0xfe000000, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0167.113] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0167.113] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0167.113] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0167.113] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0167.113] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0167.113] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0167.113] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0167.113] wnsprintfW (in: pszDest=0x3c380a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini") returned 109 [0167.113] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0167.113] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0167.113] lstrlenW (lpString=".ini") returned 4 [0167.113] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0167.113] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0167.114] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=211) returned 1 [0167.114] CloseHandle (hObject=0x19c) returned 1 [0167.114] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x642afa0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x921e7f, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x5a9, dwReserved0=0xfe7dfa89, dwReserved1=0xfe000000, cFileName="Internet Explorer.lnk", cAlternateFileName="INTERN~1.LNK")) returned 1 [0167.114] lstrcmpiW (lpString1="Internet Explorer.lnk", lpString2="Windows") returned -1 [0167.114] lstrcmpiW (lpString1="Internet Explorer.lnk", lpString2="Program Files") returned -1 [0167.114] lstrcmpiW (lpString1="Internet Explorer.lnk", lpString2="Program Files (x86)") returned -1 [0167.114] lstrcmpiW (lpString1="Internet Explorer.lnk", lpString2="$Recycle.bin") returned 1 [0167.114] lstrcmpiW (lpString1="Internet Explorer.lnk", lpString2="System Volume Information") returned -1 [0167.114] lstrcmpiW (lpString1="Internet Explorer.lnk", lpString2=".") returned 1 [0167.114] lstrcmpiW (lpString1="Internet Explorer.lnk", lpString2="..") returned 1 [0167.114] wnsprintfW (in: pszDest=0x3c380a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk") returned 119 [0167.114] lstrcmpW (lpString1="Internet Explorer.lnk", lpString2="PUSSY.TXT") returned -1 [0167.114] PathFindExtensionW (pszPath="Internet Explorer.lnk") returned=".lnk" [0167.114] lstrlenW (lpString=".lnk") returned 4 [0167.114] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0167.114] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\internet explorer.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0167.115] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=1449) returned 1 [0167.115] GetProcessHeap () returned 0x4c0000 [0167.115] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c480a8 [0167.129] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="72") returned 2 [0167.129] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="BC") returned 2 [0167.129] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="70") returned 2 [0167.129] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="54") returned 2 [0167.129] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="84") returned 2 [0167.129] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="A9") returned 2 [0167.129] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="EA") returned 2 [0167.129] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="36") returned 2 [0167.129] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="A5") returned 2 [0167.129] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="27") returned 2 [0167.129] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="31") returned 2 [0167.129] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="E0") returned 2 [0167.129] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="98") returned 2 [0167.129] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="C0") returned 2 [0167.129] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="82") returned 2 [0167.129] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="3E") returned 2 [0167.130] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="16") returned 2 [0167.130] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="9B") returned 2 [0167.130] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="1A") returned 2 [0167.130] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="27") returned 2 [0167.130] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="A5") returned 2 [0167.130] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="94") returned 2 [0167.130] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="FA") returned 2 [0167.130] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="AF") returned 2 [0167.130] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="13") returned 2 [0167.130] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="4D") returned 2 [0167.130] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="04") returned 2 [0167.130] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="9E") returned 2 [0167.130] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="24") returned 2 [0167.130] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="98") returned 2 [0167.130] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="38") returned 2 [0167.130] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="4A") returned 2 [0167.143] lstrcpyW (in: lpString1=0x3c580dc, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk" [0167.143] lstrcpyW (in: lpString1=0x3c480dc, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk" [0167.143] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk", lpString2=".72BC705484A9EA36A52731E098C0823E169B1A27A594FAAF134D049E2498384A" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk.72BC705484A9EA36A52731E098C0823E169B1A27A594FAAF134D049E2498384A") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk.72BC705484A9EA36A52731E098C0823E169B1A27A594FAAF134D049E2498384A" [0167.143] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x3c480a8, NumberOfConcurrentThreads=0x0) returned 0x94 [0167.144] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c480a8, lpOverlapped=0x3c480a8) returned 1 [0167.144] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x642afa0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x7dfa026d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x4cc, dwReserved0=0xfe7dfa89, dwReserved1=0xfe000000, cFileName="Windows Explorer.lnk", cAlternateFileName="WINDOW~2.LNK")) returned 1 [0167.144] lstrcmpiW (lpString1="Windows Explorer.lnk", lpString2="Windows") returned 1 [0167.144] lstrcmpiW (lpString1="Windows Explorer.lnk", lpString2="Program Files") returned 1 [0167.144] lstrcmpiW (lpString1="Windows Explorer.lnk", lpString2="Program Files (x86)") returned 1 [0167.144] lstrcmpiW (lpString1="Windows Explorer.lnk", lpString2="$Recycle.bin") returned 1 [0167.144] lstrcmpiW (lpString1="Windows Explorer.lnk", lpString2="System Volume Information") returned 1 [0167.144] lstrcmpiW (lpString1="Windows Explorer.lnk", lpString2=".") returned 1 [0167.144] lstrcmpiW (lpString1="Windows Explorer.lnk", lpString2="..") returned 1 [0167.144] wnsprintfW (in: pszDest=0x3c380a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk") returned 118 [0167.144] lstrcmpW (lpString1="Windows Explorer.lnk", lpString2="PUSSY.TXT") returned 1 [0167.144] PathFindExtensionW (pszPath="Windows Explorer.lnk") returned=".lnk" [0167.144] lstrlenW (lpString=".lnk") returned 4 [0167.144] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0167.144] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows explorer.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0167.145] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=1228) returned 1 [0167.145] GetProcessHeap () returned 0x4c0000 [0167.145] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c720f8 [0167.159] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="F2") returned 2 [0167.159] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="56") returned 2 [0167.159] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="36") returned 2 [0167.159] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="33") returned 2 [0167.159] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="56") returned 2 [0167.159] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="9C") returned 2 [0167.159] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="1C") returned 2 [0167.159] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="A8") returned 2 [0167.159] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="69") returned 2 [0167.159] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="35") returned 2 [0167.159] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="0A") returned 2 [0167.159] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="E2") returned 2 [0167.159] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="D1") returned 2 [0167.159] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="71") returned 2 [0167.159] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="BE") returned 2 [0167.159] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="F0") returned 2 [0167.160] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="AD") returned 2 [0167.160] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="20") returned 2 [0167.160] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="2D") returned 2 [0167.160] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="EA") returned 2 [0167.160] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="7A") returned 2 [0167.160] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="E8") returned 2 [0167.160] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="38") returned 2 [0167.160] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="90") returned 2 [0167.160] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="1D") returned 2 [0167.160] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="D7") returned 2 [0167.160] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="46") returned 2 [0167.160] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="4E") returned 2 [0167.160] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="86") returned 2 [0167.160] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="62") returned 2 [0167.160] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="65") returned 2 [0167.160] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="0F") returned 2 [0167.170] lstrcpyW (in: lpString1=0x3c8212c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk" [0167.170] lstrcpyW (in: lpString1=0x3c7212c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk" [0167.170] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk", lpString2=".F2563633569C1CA869350AE2D171BEF0AD202DEA7AE838901DD7464E8662650F" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk.F2563633569C1CA869350AE2D171BEF0AD202DEA7AE838901DD7464E8662650F") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk.F2563633569C1CA869350AE2D171BEF0AD202DEA7AE838901DD7464E8662650F" [0167.170] CreateIoCompletionPort (FileHandle=0x178, ExistingCompletionPort=0x94, CompletionKey=0x3c720f8, NumberOfConcurrentThreads=0x0) returned 0x94 [0167.170] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c720f8, lpOverlapped=0x3c720f8) returned 1 [0167.172] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x642afa0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2e24b3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x60b, dwReserved0=0xfe7dfa89, dwReserved1=0xfe000000, cFileName="Windows Media Player.lnk", cAlternateFileName="WINDOW~1.LNK")) returned 1 [0167.172] lstrcmpiW (lpString1="Windows Media Player.lnk", lpString2="Windows") returned 1 [0167.172] lstrcmpiW (lpString1="Windows Media Player.lnk", lpString2="Program Files") returned 1 [0167.172] lstrcmpiW (lpString1="Windows Media Player.lnk", lpString2="Program Files (x86)") returned 1 [0167.172] lstrcmpiW (lpString1="Windows Media Player.lnk", lpString2="$Recycle.bin") returned 1 [0167.172] lstrcmpiW (lpString1="Windows Media Player.lnk", lpString2="System Volume Information") returned 1 [0167.172] lstrcmpiW (lpString1="Windows Media Player.lnk", lpString2=".") returned 1 [0167.172] lstrcmpiW (lpString1="Windows Media Player.lnk", lpString2="..") returned 1 [0167.172] wnsprintfW (in: pszDest=0x3c380a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk") returned 122 [0167.172] lstrcmpW (lpString1="Windows Media Player.lnk", lpString2="PUSSY.TXT") returned 1 [0167.172] PathFindExtensionW (pszPath="Windows Media Player.lnk") returned=".lnk" [0167.172] lstrlenW (lpString=".lnk") returned 4 [0167.172] SystemFunction036 (in: RandomBuffer=0x28ad24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ad24) returned 1 [0167.172] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows media player.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xec [0167.173] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x28ad18 | out: lpFileSize=0x28ad18*=1547) returned 1 [0167.173] GetProcessHeap () returned 0x4c0000 [0167.173] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0167.181] wsprintfW (in: param_1=0x28ad66, param_2="%02X" | out: param_1="62") returned 2 [0167.181] wsprintfW (in: param_1=0x28ad6a, param_2="%02X" | out: param_1="DA") returned 2 [0167.181] wsprintfW (in: param_1=0x28ad6e, param_2="%02X" | out: param_1="DB") returned 2 [0167.181] wsprintfW (in: param_1=0x28ad72, param_2="%02X" | out: param_1="35") returned 2 [0167.181] wsprintfW (in: param_1=0x28ad76, param_2="%02X" | out: param_1="0E") returned 2 [0167.182] wsprintfW (in: param_1=0x28ad7a, param_2="%02X" | out: param_1="3A") returned 2 [0167.182] wsprintfW (in: param_1=0x28ad7e, param_2="%02X" | out: param_1="1F") returned 2 [0167.182] wsprintfW (in: param_1=0x28ad82, param_2="%02X" | out: param_1="48") returned 2 [0167.182] wsprintfW (in: param_1=0x28ad86, param_2="%02X" | out: param_1="F3") returned 2 [0167.182] wsprintfW (in: param_1=0x28ad8a, param_2="%02X" | out: param_1="50") returned 2 [0167.182] wsprintfW (in: param_1=0x28ad8e, param_2="%02X" | out: param_1="A8") returned 2 [0167.182] wsprintfW (in: param_1=0x28ad92, param_2="%02X" | out: param_1="27") returned 2 [0167.182] wsprintfW (in: param_1=0x28ad96, param_2="%02X" | out: param_1="10") returned 2 [0167.182] wsprintfW (in: param_1=0x28ad9a, param_2="%02X" | out: param_1="40") returned 2 [0167.182] wsprintfW (in: param_1=0x28ad9e, param_2="%02X" | out: param_1="71") returned 2 [0167.182] wsprintfW (in: param_1=0x28ada2, param_2="%02X" | out: param_1="4F") returned 2 [0167.182] wsprintfW (in: param_1=0x28ada6, param_2="%02X" | out: param_1="31") returned 2 [0167.182] wsprintfW (in: param_1=0x28adaa, param_2="%02X" | out: param_1="47") returned 2 [0167.182] wsprintfW (in: param_1=0x28adae, param_2="%02X" | out: param_1="13") returned 2 [0167.182] wsprintfW (in: param_1=0x28adb2, param_2="%02X" | out: param_1="38") returned 2 [0167.182] wsprintfW (in: param_1=0x28adb6, param_2="%02X" | out: param_1="6E") returned 2 [0167.182] wsprintfW (in: param_1=0x28adba, param_2="%02X" | out: param_1="5B") returned 2 [0167.182] wsprintfW (in: param_1=0x28adbe, param_2="%02X" | out: param_1="1B") returned 2 [0167.182] wsprintfW (in: param_1=0x28adc2, param_2="%02X" | out: param_1="E2") returned 2 [0167.182] wsprintfW (in: param_1=0x28adc6, param_2="%02X" | out: param_1="B9") returned 2 [0167.182] wsprintfW (in: param_1=0x28adca, param_2="%02X" | out: param_1="26") returned 2 [0167.182] wsprintfW (in: param_1=0x28adce, param_2="%02X" | out: param_1="72") returned 2 [0167.182] wsprintfW (in: param_1=0x28add2, param_2="%02X" | out: param_1="A5") returned 2 [0167.182] wsprintfW (in: param_1=0x28add6, param_2="%02X" | out: param_1="3E") returned 2 [0167.182] wsprintfW (in: param_1=0x28adda, param_2="%02X" | out: param_1="4A") returned 2 [0167.182] wsprintfW (in: param_1=0x28adde, param_2="%02X" | out: param_1="38") returned 2 [0167.182] wsprintfW (in: param_1=0x28ade2, param_2="%02X" | out: param_1="2C") returned 2 [0167.191] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk" [0167.191] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk" [0167.191] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk", lpString2=".62DADB350E3A1F48F350A8271040714F314713386E5B1BE2B92672A53E4A382C" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk.62DADB350E3A1F48F350A8271040714F314713386E5B1BE2B92672A53E4A382C") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk.62DADB350E3A1F48F350A8271040714F314713386E5B1BE2B92672A53E4A382C" [0167.191] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0167.191] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0167.192] FindNextFileW (in: hFindFile=0x3bb71e0, lpFindFileData=0x28ae38 | out: lpFindFileData=0x28ae38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x642afa0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2e24b3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x60b, dwReserved0=0xfe7dfa89, dwReserved1=0xfe000000, cFileName="Windows Media Player.lnk", cAlternateFileName="WINDOW~1.LNK")) returned 0 [0167.193] FindClose (in: hFindFile=0x3bb71e0 | out: hFindFile=0x3bb71e0) returned 1 [0167.194] wnsprintfW (in: pszDest=0x3c380a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\PUSSY.TXT") returned 107 [0167.194] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0167.195] lstrlenA (lpString="abcd") returned 4 [0167.196] WriteFile (in: hFile=0x1b8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b08c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b08c*=0x4, lpOverlapped=0x0) returned 1 [0167.197] CloseHandle (hObject=0x1b8) returned 1 [0167.197] GetProcessHeap () returned 0x4c0000 [0167.197] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c380a0 | out: hHeap=0x4c0000) returned 1 [0167.197] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6477260, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x123526f, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="TaskBar", cAlternateFileName="")) returned 0 [0167.197] FindClose (in: hFindFile=0x3bb71a0 | out: hFindFile=0x3bb71a0) returned 1 [0167.197] wnsprintfW (in: pszDest=0x3c28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\PUSSY.TXT") returned 99 [0167.197] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0167.200] lstrlenA (lpString="abcd") returned 4 [0167.200] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0167.201] CloseHandle (hObject=0x18c) returned 1 [0167.201] GetProcessHeap () returned 0x4c0000 [0167.201] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0167.201] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7de6f76b, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x7e143190, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x110, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="Window Switcher.lnk", cAlternateFileName="WINDOW~1.LNK")) returned 1 [0167.201] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="Windows") returned -1 [0167.201] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="Program Files") returned 1 [0167.202] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="Program Files (x86)") returned 1 [0167.202] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="$Recycle.bin") returned 1 [0167.202] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="System Volume Information") returned 1 [0167.202] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2=".") returned 1 [0167.202] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="..") returned 1 [0167.202] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk") returned 97 [0167.202] lstrcmpW (lpString1="Window Switcher.lnk", lpString2="PUSSY.TXT") returned 1 [0167.202] PathFindExtensionW (pszPath="Window Switcher.lnk") returned=".lnk" [0167.202] lstrlenW (lpString=".lnk") returned 4 [0167.202] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0167.202] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\window switcher.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0167.203] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=272) returned 1 [0167.203] CloseHandle (hObject=0x18c) returned 1 [0167.203] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7de6f76b, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x7e143190, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x110, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="Window Switcher.lnk", cAlternateFileName="WINDOW~1.LNK")) returned 0 [0167.204] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0167.204] wnsprintfW (in: pszDest=0x3bd80e8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\PUSSY.TXT") returned 87 [0167.204] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x128 [0167.205] lstrlenA (lpString="abcd") returned 4 [0167.205] WriteFile (in: hFile=0x128, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0167.206] CloseHandle (hObject=0x128) returned 1 [0167.206] GetProcessHeap () returned 0x4c0000 [0167.206] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bd80e8 | out: hHeap=0x4c0000) returned 1 [0167.210] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf96dfdac, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="Quick Launch", cAlternateFileName="QUICKL~1")) returned 0 [0167.210] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0167.211] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\PUSSY.TXT") returned 74 [0167.211] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0167.212] lstrlenA (lpString="abcd") returned 4 [0167.212] WriteFile (in: hFile=0x190, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0167.213] CloseHandle (hObject=0x190) returned 1 [0167.213] GetProcessHeap () returned 0x4c0000 [0167.213] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0167.214] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf29f8e64, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Protect", cAlternateFileName="")) returned 1 [0167.214] lstrcmpiW (lpString1="Protect", lpString2="Windows") returned -1 [0167.214] lstrcmpiW (lpString1="Protect", lpString2="Program Files") returned 1 [0167.214] lstrcmpiW (lpString1="Protect", lpString2="Program Files (x86)") returned 1 [0167.214] lstrcmpiW (lpString1="Protect", lpString2="$Recycle.bin") returned 1 [0167.214] lstrcmpiW (lpString1="Protect", lpString2="System Volume Information") returned -1 [0167.214] lstrcmpiW (lpString1="Protect", lpString2=".") returned 1 [0167.214] lstrcmpiW (lpString1="Protect", lpString2="..") returned 1 [0167.214] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect") returned 54 [0167.215] GetProcessHeap () returned 0x4c0000 [0167.215] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c28098 [0167.216] lstrcpyW (in: lpString1=0x3c28098, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect" [0167.216] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\*" [0167.216] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf29f8e64, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0167.216] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0167.217] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0167.217] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0167.217] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0167.217] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0167.217] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0167.217] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf29f8e64, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0167.217] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0167.217] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0167.217] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0167.217] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0167.217] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0167.217] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0167.217] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0167.217] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x642afa0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf29f8e64, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x18, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="CREDHIST", cAlternateFileName="")) returned 1 [0167.218] lstrcmpiW (lpString1="CREDHIST", lpString2="Windows") returned -1 [0167.218] lstrcmpiW (lpString1="CREDHIST", lpString2="Program Files") returned -1 [0167.218] lstrcmpiW (lpString1="CREDHIST", lpString2="Program Files (x86)") returned -1 [0167.218] lstrcmpiW (lpString1="CREDHIST", lpString2="$Recycle.bin") returned 1 [0167.218] lstrcmpiW (lpString1="CREDHIST", lpString2="System Volume Information") returned -1 [0167.218] lstrcmpiW (lpString1="CREDHIST", lpString2=".") returned 1 [0167.218] lstrcmpiW (lpString1="CREDHIST", lpString2="..") returned 1 [0167.218] wnsprintfW (in: pszDest=0x3c28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST") returned 63 [0167.218] lstrcmpW (lpString1="CREDHIST", lpString2="PUSSY.TXT") returned -1 [0167.218] PathFindExtensionW (pszPath="CREDHIST") returned="" [0167.218] lstrlenW (lpString="") returned 0 [0167.218] SystemFunction036 (in: RandomBuffer=0x28c404, RandomBufferLength=0x20 | out: RandomBuffer=0x28c404) returned 1 [0167.218] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\protect\\credhist"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x128 [0167.219] GetFileSizeEx (in: hFile=0x128, lpFileSize=0x28c3f8 | out: lpFileSize=0x28c3f8*=24) returned 1 [0167.219] CloseHandle (hObject=0x128) returned 1 [0167.219] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="S-1-5-21-3111613574-2524581245-2586426736-500", cAlternateFileName="S-1-5-~1")) returned 1 [0167.219] lstrcmpiW (lpString1="S-1-5-21-3111613574-2524581245-2586426736-500", lpString2="Windows") returned -1 [0167.219] lstrcmpiW (lpString1="S-1-5-21-3111613574-2524581245-2586426736-500", lpString2="Program Files") returned 1 [0167.219] lstrcmpiW (lpString1="S-1-5-21-3111613574-2524581245-2586426736-500", lpString2="Program Files (x86)") returned 1 [0167.219] lstrcmpiW (lpString1="S-1-5-21-3111613574-2524581245-2586426736-500", lpString2="$Recycle.bin") returned 1 [0167.219] lstrcmpiW (lpString1="S-1-5-21-3111613574-2524581245-2586426736-500", lpString2="System Volume Information") returned -1 [0167.219] lstrcmpiW (lpString1="S-1-5-21-3111613574-2524581245-2586426736-500", lpString2=".") returned 1 [0167.219] lstrcmpiW (lpString1="S-1-5-21-3111613574-2524581245-2586426736-500", lpString2="..") returned 1 [0167.219] wnsprintfW (in: pszDest=0x3c28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500") returned 100 [0167.220] GetProcessHeap () returned 0x4c0000 [0167.220] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c380a0 [0167.220] lstrcpyW (in: lpString1=0x3c380a0, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500" [0167.220] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\*" [0167.220] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0167.223] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0167.223] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0167.223] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0167.223] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0167.223] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0167.224] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0167.224] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0167.224] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0167.224] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0167.224] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0167.224] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0167.224] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0167.224] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0167.224] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0167.224] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x642afa0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2b9bd87, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x1d4, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", cAlternateFileName="BE5B4F~1")) returned 1 [0167.224] lstrcmpiW (lpString1="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", lpString2="Windows") returned -1 [0167.225] lstrcmpiW (lpString1="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", lpString2="Program Files") returned -1 [0167.225] lstrcmpiW (lpString1="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", lpString2="Program Files (x86)") returned -1 [0167.225] lstrcmpiW (lpString1="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", lpString2="$Recycle.bin") returned 1 [0167.225] lstrcmpiW (lpString1="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", lpString2="System Volume Information") returned -1 [0167.225] lstrcmpiW (lpString1="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", lpString2=".") returned 1 [0167.225] lstrcmpiW (lpString1="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", lpString2="..") returned 1 [0167.225] wnsprintfW (in: pszDest=0x3c380a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9") returned 137 [0167.225] lstrcmpW (lpString1="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", lpString2="PUSSY.TXT") returned -1 [0167.225] PathFindExtensionW (pszPath="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9") returned="" [0167.225] lstrlenW (lpString="") returned 0 [0167.225] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0167.225] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0167.226] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=468) returned 1 [0167.226] CloseHandle (hObject=0x18c) returned 1 [0167.226] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x6404e40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6404e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x18, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Preferred", cAlternateFileName="PREFER~1")) returned 1 [0167.226] lstrcmpiW (lpString1="Preferred", lpString2="Windows") returned -1 [0167.226] lstrcmpiW (lpString1="Preferred", lpString2="Program Files") returned -1 [0167.227] lstrcmpiW (lpString1="Preferred", lpString2="Program Files (x86)") returned -1 [0167.227] lstrcmpiW (lpString1="Preferred", lpString2="$Recycle.bin") returned 1 [0167.227] lstrcmpiW (lpString1="Preferred", lpString2="System Volume Information") returned -1 [0167.227] lstrcmpiW (lpString1="Preferred", lpString2=".") returned 1 [0167.227] lstrcmpiW (lpString1="Preferred", lpString2="..") returned 1 [0167.227] wnsprintfW (in: pszDest=0x3c380a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\Preferred") returned 110 [0167.227] lstrcmpW (lpString1="Preferred", lpString2="PUSSY.TXT") returned -1 [0167.227] PathFindExtensionW (pszPath="Preferred") returned="" [0167.227] lstrlenW (lpString="") returned 0 [0167.227] SystemFunction036 (in: RandomBuffer=0x28bc64, RandomBufferLength=0x20 | out: RandomBuffer=0x28bc64) returned 1 [0167.227] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\Preferred" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3111613574-2524581245-2586426736-500\\preferred"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0167.228] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28bc58 | out: lpFileSize=0x28bc58*=24) returned 1 [0167.228] CloseHandle (hObject=0x18c) returned 1 [0167.228] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x6404e40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6404e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x18, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Preferred", cAlternateFileName="PREFER~1")) returned 0 [0167.228] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0167.228] wnsprintfW (in: pszDest=0x3c380a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\PUSSY.TXT") returned 110 [0167.229] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3111613574-2524581245-2586426736-500\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x128 [0167.229] lstrlenA (lpString="abcd") returned 4 [0167.229] WriteFile (in: hFile=0x128, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0167.230] CloseHandle (hObject=0x128) returned 1 [0167.231] GetProcessHeap () returned 0x4c0000 [0167.231] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c380a0 | out: hHeap=0x4c0000) returned 1 [0167.231] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="S-1-5-21-3111613574-2524581245-2586426736-500", cAlternateFileName="S-1-5-~1")) returned 0 [0167.231] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0167.231] wnsprintfW (in: pszDest=0x3c28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\PUSSY.TXT") returned 64 [0167.231] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\protect\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0167.231] lstrlenA (lpString="abcd") returned 4 [0167.232] WriteFile (in: hFile=0x190, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0167.233] CloseHandle (hObject=0x190) returned 1 [0167.233] GetProcessHeap () returned 0x4c0000 [0167.233] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0167.233] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="SystemCertificates", cAlternateFileName="SYSTEM~1")) returned 1 [0167.233] lstrcmpiW (lpString1="SystemCertificates", lpString2="Windows") returned -1 [0167.233] lstrcmpiW (lpString1="SystemCertificates", lpString2="Program Files") returned 1 [0167.233] lstrcmpiW (lpString1="SystemCertificates", lpString2="Program Files (x86)") returned 1 [0167.233] lstrcmpiW (lpString1="SystemCertificates", lpString2="$Recycle.bin") returned 1 [0167.233] lstrcmpiW (lpString1="SystemCertificates", lpString2="System Volume Information") returned 1 [0167.233] lstrcmpiW (lpString1="SystemCertificates", lpString2=".") returned 1 [0167.233] lstrcmpiW (lpString1="SystemCertificates", lpString2="..") returned 1 [0167.234] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates") returned 65 [0167.234] GetProcessHeap () returned 0x4c0000 [0167.234] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c28098 [0167.234] lstrcpyW (in: lpString1=0x3c28098, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates" [0167.234] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*" [0167.234] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*", lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7120 [0167.234] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0167.234] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0167.234] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0167.234] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0167.234] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0167.234] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0167.234] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0167.235] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0167.235] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0167.235] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0167.235] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0167.235] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0167.235] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0167.235] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0167.235] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="My", cAlternateFileName="")) returned 1 [0167.235] lstrcmpiW (lpString1="My", lpString2="Windows") returned -1 [0167.235] lstrcmpiW (lpString1="My", lpString2="Program Files") returned -1 [0167.235] lstrcmpiW (lpString1="My", lpString2="Program Files (x86)") returned -1 [0167.235] lstrcmpiW (lpString1="My", lpString2="$Recycle.bin") returned 1 [0167.235] lstrcmpiW (lpString1="My", lpString2="System Volume Information") returned -1 [0167.235] lstrcmpiW (lpString1="My", lpString2=".") returned 1 [0167.235] lstrcmpiW (lpString1="My", lpString2="..") returned 1 [0167.235] wnsprintfW (in: pszDest=0x3c28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My") returned 68 [0167.235] GetProcessHeap () returned 0x4c0000 [0167.235] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3c380a0 [0167.235] lstrcpyW (in: lpString1=0x3c380a0, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My" [0167.235] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*" [0167.235] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*", lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7160 [0167.235] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0167.235] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0167.236] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0167.236] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0167.236] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0167.236] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0167.236] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0167.236] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0167.236] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0167.236] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0167.236] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0167.236] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0167.236] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0167.236] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0167.236] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="Certificates", cAlternateFileName="CERTIF~1")) returned 1 [0167.236] lstrcmpiW (lpString1="Certificates", lpString2="Windows") returned -1 [0167.236] lstrcmpiW (lpString1="Certificates", lpString2="Program Files") returned -1 [0167.236] lstrcmpiW (lpString1="Certificates", lpString2="Program Files (x86)") returned -1 [0167.237] lstrcmpiW (lpString1="Certificates", lpString2="$Recycle.bin") returned 1 [0167.237] lstrcmpiW (lpString1="Certificates", lpString2="System Volume Information") returned -1 [0167.237] lstrcmpiW (lpString1="Certificates", lpString2=".") returned 1 [0167.237] lstrcmpiW (lpString1="Certificates", lpString2="..") returned 1 [0167.237] wnsprintfW (in: pszDest=0x3c380a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates") returned 81 [0167.237] GetProcessHeap () returned 0x4c0000 [0167.237] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0167.238] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates" [0167.238] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*" [0167.238] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb71a0 [0167.238] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0167.238] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0167.239] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0167.239] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0167.239] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0167.239] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0167.239] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0167.239] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0167.239] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0167.239] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0167.239] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0167.239] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0167.239] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0167.239] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0167.239] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 0 [0167.239] FindClose (in: hFindFile=0x3bb71a0 | out: hFindFile=0x3bb71a0) returned 1 [0167.240] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\PUSSY.TXT") returned 91 [0167.240] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates\\my\\certificates\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0167.240] lstrlenA (lpString="abcd") returned 4 [0167.240] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0167.241] CloseHandle (hObject=0x18c) returned 1 [0167.241] GetProcessHeap () returned 0x4c0000 [0167.241] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0167.241] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="CRLs", cAlternateFileName="")) returned 1 [0167.241] lstrcmpiW (lpString1="CRLs", lpString2="Windows") returned -1 [0167.241] lstrcmpiW (lpString1="CRLs", lpString2="Program Files") returned -1 [0167.241] lstrcmpiW (lpString1="CRLs", lpString2="Program Files (x86)") returned -1 [0167.241] lstrcmpiW (lpString1="CRLs", lpString2="$Recycle.bin") returned 1 [0167.241] lstrcmpiW (lpString1="CRLs", lpString2="System Volume Information") returned -1 [0167.241] lstrcmpiW (lpString1="CRLs", lpString2=".") returned 1 [0167.241] lstrcmpiW (lpString1="CRLs", lpString2="..") returned 1 [0167.241] wnsprintfW (in: pszDest=0x3c380a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs") returned 73 [0167.242] GetProcessHeap () returned 0x4c0000 [0167.242] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0167.242] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs" [0167.242] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*" [0167.242] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb71a0 [0167.242] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0167.242] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0167.242] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0167.242] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0167.242] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0167.242] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0167.242] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0167.242] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0167.242] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0167.242] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0167.242] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0167.242] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0167.242] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0167.242] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0167.242] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 0 [0167.242] FindClose (in: hFindFile=0x3bb71a0 | out: hFindFile=0x3bb71a0) returned 1 [0167.242] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\PUSSY.TXT") returned 83 [0167.243] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates\\my\\crls\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0167.243] lstrlenA (lpString="abcd") returned 4 [0167.243] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0167.244] CloseHandle (hObject=0x18c) returned 1 [0167.244] GetProcessHeap () returned 0x4c0000 [0167.244] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0167.244] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="CTLs", cAlternateFileName="")) returned 1 [0167.244] lstrcmpiW (lpString1="CTLs", lpString2="Windows") returned -1 [0167.244] lstrcmpiW (lpString1="CTLs", lpString2="Program Files") returned -1 [0167.244] lstrcmpiW (lpString1="CTLs", lpString2="Program Files (x86)") returned -1 [0167.244] lstrcmpiW (lpString1="CTLs", lpString2="$Recycle.bin") returned 1 [0167.244] lstrcmpiW (lpString1="CTLs", lpString2="System Volume Information") returned -1 [0167.244] lstrcmpiW (lpString1="CTLs", lpString2=".") returned 1 [0167.244] lstrcmpiW (lpString1="CTLs", lpString2="..") returned 1 [0167.244] wnsprintfW (in: pszDest=0x3c380a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs") returned 73 [0167.244] GetProcessHeap () returned 0x4c0000 [0167.244] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3bc80e0 [0167.244] lstrcpyW (in: lpString1=0x3bc80e0, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs" [0167.244] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*" [0167.244] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*", lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb71a0 [0167.245] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0167.245] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0167.245] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0167.245] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0167.245] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0167.245] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0167.245] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0167.245] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0167.245] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0167.245] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0167.245] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0167.245] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0167.245] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0167.245] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0167.245] FindNextFileW (in: hFindFile=0x3bb71a0, lpFindFileData=0x28b5d8 | out: lpFindFileData=0x28b5d8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 0 [0167.245] FindClose (in: hFindFile=0x3bb71a0 | out: hFindFile=0x3bb71a0) returned 1 [0167.246] wnsprintfW (in: pszDest=0x3bc80e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\PUSSY.TXT") returned 83 [0167.246] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates\\my\\ctls\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0167.246] lstrlenA (lpString="abcd") returned 4 [0167.246] WriteFile (in: hFile=0x18c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28b82c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28b82c*=0x4, lpOverlapped=0x0) returned 1 [0167.247] CloseHandle (hObject=0x18c) returned 1 [0167.247] GetProcessHeap () returned 0x4c0000 [0167.247] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0167.247] FindNextFileW (in: hFindFile=0x3bb7160, lpFindFileData=0x28bd78 | out: lpFindFileData=0x28bd78*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="CTLs", cAlternateFileName="")) returned 0 [0167.247] FindClose (in: hFindFile=0x3bb7160 | out: hFindFile=0x3bb7160) returned 1 [0167.247] wnsprintfW (in: pszDest=0x3c380a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\PUSSY.TXT") returned 78 [0167.247] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates\\my\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x128 [0167.248] lstrlenA (lpString="abcd") returned 4 [0167.248] WriteFile (in: hFile=0x128, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28bfcc, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28bfcc*=0x4, lpOverlapped=0x0) returned 1 [0167.249] CloseHandle (hObject=0x128) returned 1 [0167.249] GetProcessHeap () returned 0x4c0000 [0167.249] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c380a0 | out: hHeap=0x4c0000) returned 1 [0167.250] FindNextFileW (in: hFindFile=0x3bb7120, lpFindFileData=0x28c518 | out: lpFindFileData=0x28c518*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e29d8, dwReserved1=0x77c5f9e2, cFileName="My", cAlternateFileName="")) returned 0 [0167.251] FindClose (in: hFindFile=0x3bb7120 | out: hFindFile=0x3bb7120) returned 1 [0167.251] wnsprintfW (in: pszDest=0x3c28098, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\PUSSY.TXT") returned 75 [0167.251] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0167.251] lstrlenA (lpString="abcd") returned 4 [0167.251] WriteFile (in: hFile=0x190, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28c76c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28c76c*=0x4, lpOverlapped=0x0) returned 1 [0167.252] CloseHandle (hObject=0x190) returned 1 [0167.252] GetProcessHeap () returned 0x4c0000 [0167.253] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0167.253] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf96b9c4c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Windows", cAlternateFileName="")) returned 1 [0167.253] lstrcmpiW (lpString1="Windows", lpString2="Windows") returned 0 [0167.253] FindNextFileW (in: hFindFile=0x3bb70e0, lpFindFileData=0x28ccb8 | out: lpFindFileData=0x28ccb8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf96b9c4c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ccf0, dwReserved1=0x77c61b06, cFileName="Windows", cAlternateFileName="")) returned 0 [0167.253] FindClose (in: hFindFile=0x3bb70e0 | out: hFindFile=0x3bb70e0) returned 1 [0167.253] wnsprintfW (in: pszDest=0x3b10050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\PUSSY.TXT") returned 56 [0167.253] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0167.254] lstrlenA (lpString="abcd") returned 4 [0167.254] WriteFile (in: hFile=0x1d8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28cf0c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28cf0c*=0x4, lpOverlapped=0x0) returned 1 [0167.255] CloseHandle (hObject=0x1d8) returned 1 [0167.255] GetProcessHeap () returned 0x4c0000 [0167.255] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b10050 | out: hHeap=0x4c0000) returned 1 [0167.256] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x160a67d7, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 0 [0167.256] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0167.256] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\PUSSY.TXT") returned 46 [0167.256] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\roaming\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0167.257] lstrlenA (lpString="abcd") returned 4 [0167.257] WriteFile (in: hFile=0x184, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0167.258] CloseHandle (hObject=0x184) returned 1 [0167.258] GetProcessHeap () returned 0x4c0000 [0167.258] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0167.258] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dda10, dwReserved1=0x77c5f9e2, cFileName="Roaming", cAlternateFileName="")) returned 0 [0167.258] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0167.258] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\PUSSY.TXT") returned 38 [0167.258] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\PUSSY.TXT" (normalized: "c:\\users\\default\\appdata\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x124 [0167.259] lstrlenA (lpString="abcd") returned 4 [0167.259] WriteFile (in: hFile=0x124, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0167.260] CloseHandle (hObject=0x124) returned 1 [0167.260] GetProcessHeap () returned 0x4c0000 [0167.260] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0167.264] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306dce32, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306dce32, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306dce32, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0167.264] lstrcmpiW (lpString1="Application Data", lpString2="Windows") returned -1 [0167.264] lstrcmpiW (lpString1="Application Data", lpString2="Program Files") returned -1 [0167.264] lstrcmpiW (lpString1="Application Data", lpString2="Program Files (x86)") returned -1 [0167.264] lstrcmpiW (lpString1="Application Data", lpString2="$Recycle.bin") returned 1 [0167.264] lstrcmpiW (lpString1="Application Data", lpString2="System Volume Information") returned -1 [0167.264] lstrcmpiW (lpString1="Application Data", lpString2=".") returned 1 [0167.265] lstrcmpiW (lpString1="Application Data", lpString2="..") returned 1 [0167.265] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Application Data") returned 37 [0167.265] GetProcessHeap () returned 0x4c0000 [0167.265] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0167.265] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\Default\\Application Data" | out: lpString1="\\\\?\\C:\\Users\\Default\\Application Data") returned="\\\\?\\C:\\Users\\Default\\Application Data" [0167.265] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Application Data", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Application Data\\*") returned="\\\\?\\C:\\Users\\Default\\Application Data\\*" [0167.265] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Application Data\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dda10, dwReserved1=0x77c5f9e2, cFileName="Roaming", cAlternateFileName="a")) returned 0xffffffff [0167.266] GetProcessHeap () returned 0x4c0000 [0167.266] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0167.266] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6392a20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Contacts", cAlternateFileName="")) returned 1 [0167.266] lstrcmpiW (lpString1="Contacts", lpString2="Windows") returned -1 [0167.266] lstrcmpiW (lpString1="Contacts", lpString2="Program Files") returned -1 [0167.266] lstrcmpiW (lpString1="Contacts", lpString2="Program Files (x86)") returned -1 [0167.266] lstrcmpiW (lpString1="Contacts", lpString2="$Recycle.bin") returned 1 [0167.266] lstrcmpiW (lpString1="Contacts", lpString2="System Volume Information") returned -1 [0167.266] lstrcmpiW (lpString1="Contacts", lpString2=".") returned 1 [0167.266] lstrcmpiW (lpString1="Contacts", lpString2="..") returned 1 [0167.266] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Contacts") returned 29 [0167.266] GetProcessHeap () returned 0x4c0000 [0167.266] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0167.266] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\Default\\Contacts" | out: lpString1="\\\\?\\C:\\Users\\Default\\Contacts") returned="\\\\?\\C:\\Users\\Default\\Contacts" [0167.266] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Contacts", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Contacts\\*") returned="\\\\?\\C:\\Users\\Default\\Contacts\\*" [0167.266] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Contacts\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6392a20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dda10, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0167.267] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0167.267] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0167.267] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0167.267] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0167.267] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0167.267] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0167.267] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6392a20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dda10, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0167.267] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0167.267] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0167.267] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0167.267] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0167.267] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0167.267] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0167.267] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0167.267] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf0fefd94, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x10b1e, dwReserved0=0x4dda10, dwReserved1=0x77c5f9e2, cFileName="Administrator.contact", cAlternateFileName="ADMINI~1.CON")) returned 1 [0167.267] lstrcmpiW (lpString1="Administrator.contact", lpString2="Windows") returned -1 [0167.267] lstrcmpiW (lpString1="Administrator.contact", lpString2="Program Files") returned -1 [0167.267] lstrcmpiW (lpString1="Administrator.contact", lpString2="Program Files (x86)") returned -1 [0167.267] lstrcmpiW (lpString1="Administrator.contact", lpString2="$Recycle.bin") returned 1 [0167.267] lstrcmpiW (lpString1="Administrator.contact", lpString2="System Volume Information") returned -1 [0167.267] lstrcmpiW (lpString1="Administrator.contact", lpString2=".") returned 1 [0167.267] lstrcmpiW (lpString1="Administrator.contact", lpString2="..") returned 1 [0167.267] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact") returned 51 [0167.267] lstrcmpW (lpString1="Administrator.contact", lpString2="PUSSY.TXT") returned -1 [0167.267] PathFindExtensionW (pszPath="Administrator.contact") returned=".contact" [0167.267] lstrlenW (lpString=".contact") returned 8 [0167.267] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0167.268] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact" (normalized: "c:\\users\\default\\contacts\\administrator.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0167.268] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=68382) returned 1 [0167.268] GetProcessHeap () returned 0x4c0000 [0167.268] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c9a148 [0167.279] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="95") returned 2 [0167.279] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="9F") returned 2 [0167.279] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="5A") returned 2 [0167.279] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="35") returned 2 [0167.279] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="4B") returned 2 [0167.279] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="BE") returned 2 [0167.279] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="51") returned 2 [0167.279] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="30") returned 2 [0167.279] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="CA") returned 2 [0167.279] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="EF") returned 2 [0167.279] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="18") returned 2 [0167.279] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="F3") returned 2 [0167.279] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="1A") returned 2 [0167.279] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="3E") returned 2 [0167.279] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="D8") returned 2 [0167.279] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="5E") returned 2 [0167.279] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="92") returned 2 [0167.279] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="2B") returned 2 [0167.280] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="BB") returned 2 [0167.280] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="06") returned 2 [0167.280] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="F9") returned 2 [0167.280] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="56") returned 2 [0167.280] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="8F") returned 2 [0167.280] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="E8") returned 2 [0167.280] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="DE") returned 2 [0167.280] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="2A") returned 2 [0167.280] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="EA") returned 2 [0167.280] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="53") returned 2 [0167.280] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="95") returned 2 [0167.280] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="BC") returned 2 [0167.280] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="B5") returned 2 [0167.280] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="1E") returned 2 [0167.288] lstrcpyW (in: lpString1=0x3caa17c, lpString2="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact" | out: lpString1="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact") returned="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact" [0167.288] lstrcpyW (in: lpString1=0x3c9a17c, lpString2="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact" | out: lpString1="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact") returned="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact" [0167.288] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact", lpString2=".959F5A354BBE5130CAEF18F31A3ED85E922BBB06F9568FE8DE2AEA5395BCB51E" | out: lpString1="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact.959F5A354BBE5130CAEF18F31A3ED85E922BBB06F9568FE8DE2AEA5395BCB51E") returned="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact.959F5A354BBE5130CAEF18F31A3ED85E922BBB06F9568FE8DE2AEA5395BCB51E" [0167.288] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x3c9a148, NumberOfConcurrentThreads=0x0) returned 0x94 [0167.288] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c9a148, lpOverlapped=0x3c9a148) returned 1 [0167.289] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x4dda10, dwReserved1=0x77c5f9e2, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0167.289] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0167.289] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0167.289] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0167.289] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0167.289] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0167.289] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0167.289] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0167.289] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Contacts\\desktop.ini") returned 41 [0167.289] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0167.318] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0167.318] lstrlenW (lpString=".ini") returned 4 [0167.318] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0167.318] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Contacts\\desktop.ini" (normalized: "c:\\users\\default\\contacts\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0167.319] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=412) returned 1 [0167.319] CloseHandle (hObject=0x1d8) returned 1 [0167.319] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x4dda10, dwReserved1=0x77c5f9e2, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0167.319] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0167.319] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Contacts\\PUSSY.TXT") returned 39 [0167.319] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Contacts\\PUSSY.TXT" (normalized: "c:\\users\\default\\contacts\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x124 [0167.320] lstrlenA (lpString="abcd") returned 4 [0167.320] WriteFile (in: hFile=0x124, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0167.320] CloseHandle (hObject=0x124) returned 1 [0167.321] GetProcessHeap () returned 0x4c0000 [0167.321] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0167.321] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306dce32, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306dce32, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306dce32, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Cookies", cAlternateFileName="")) returned 1 [0167.321] lstrcmpiW (lpString1="Cookies", lpString2="Windows") returned -1 [0167.321] lstrcmpiW (lpString1="Cookies", lpString2="Program Files") returned -1 [0167.321] lstrcmpiW (lpString1="Cookies", lpString2="Program Files (x86)") returned -1 [0167.321] lstrcmpiW (lpString1="Cookies", lpString2="$Recycle.bin") returned 1 [0167.321] lstrcmpiW (lpString1="Cookies", lpString2="System Volume Information") returned -1 [0167.321] lstrcmpiW (lpString1="Cookies", lpString2=".") returned 1 [0167.321] lstrcmpiW (lpString1="Cookies", lpString2="..") returned 1 [0167.321] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Cookies") returned 28 [0167.321] GetProcessHeap () returned 0x4c0000 [0167.321] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0167.321] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\Default\\Cookies" | out: lpString1="\\\\?\\C:\\Users\\Default\\Cookies") returned="\\\\?\\C:\\Users\\Default\\Cookies" [0167.321] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Cookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Cookies\\*") returned="\\\\?\\C:\\Users\\Default\\Cookies\\*" [0167.321] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Cookies\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x4dda10, dwReserved1=0x77c5f9e2, cFileName="desktop.ini", cAlternateFileName="s")) returned 0xffffffff [0167.321] GetProcessHeap () returned 0x4c0000 [0167.321] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0167.321] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda4e0ba, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Desktop", cAlternateFileName="")) returned 1 [0167.321] lstrcmpiW (lpString1="Desktop", lpString2="Windows") returned -1 [0167.321] lstrcmpiW (lpString1="Desktop", lpString2="Program Files") returned -1 [0167.321] lstrcmpiW (lpString1="Desktop", lpString2="Program Files (x86)") returned -1 [0167.321] lstrcmpiW (lpString1="Desktop", lpString2="$Recycle.bin") returned 1 [0167.321] lstrcmpiW (lpString1="Desktop", lpString2="System Volume Information") returned -1 [0167.322] lstrcmpiW (lpString1="Desktop", lpString2=".") returned 1 [0167.322] lstrcmpiW (lpString1="Desktop", lpString2="..") returned 1 [0167.322] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Desktop") returned 28 [0167.322] GetProcessHeap () returned 0x4c0000 [0167.322] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0167.322] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\Default\\Desktop" | out: lpString1="\\\\?\\C:\\Users\\Default\\Desktop") returned="\\\\?\\C:\\Users\\Default\\Desktop" [0167.322] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Desktop", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Desktop\\*") returned="\\\\?\\C:\\Users\\Default\\Desktop\\*" [0167.322] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Desktop\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda4e0ba, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dda10, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0167.322] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0167.322] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0167.322] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0167.322] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0167.322] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0167.322] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0167.322] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda4e0ba, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dda10, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0167.322] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0167.322] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0167.322] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0167.322] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0167.322] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0167.322] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0167.322] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0167.323] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x4dda10, dwReserved1=0x77c5f9e2, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0167.323] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0167.323] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0167.323] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0167.323] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0167.323] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0167.323] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0167.323] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0167.323] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Desktop\\desktop.ini") returned 40 [0167.323] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0167.323] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0167.323] lstrlenW (lpString=".ini") returned 4 [0167.323] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0167.323] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Desktop\\desktop.ini" (normalized: "c:\\users\\default\\desktop\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0167.323] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=282) returned 1 [0167.324] CloseHandle (hObject=0x1d8) returned 1 [0167.324] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x4dda10, dwReserved1=0x77c5f9e2, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0167.324] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0167.324] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Desktop\\PUSSY.TXT") returned 38 [0167.324] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Desktop\\PUSSY.TXT" (normalized: "c:\\users\\default\\desktop\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x124 [0167.324] lstrlenA (lpString="abcd") returned 4 [0167.324] WriteFile (in: hFile=0x124, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0167.325] CloseHandle (hObject=0x124) returned 1 [0167.325] GetProcessHeap () returned 0x4c0000 [0167.325] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0167.325] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd890148c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0167.325] lstrcmpiW (lpString1="Documents", lpString2="Windows") returned -1 [0167.325] lstrcmpiW (lpString1="Documents", lpString2="Program Files") returned -1 [0167.325] lstrcmpiW (lpString1="Documents", lpString2="Program Files (x86)") returned -1 [0167.325] lstrcmpiW (lpString1="Documents", lpString2="$Recycle.bin") returned 1 [0167.325] lstrcmpiW (lpString1="Documents", lpString2="System Volume Information") returned -1 [0167.325] lstrcmpiW (lpString1="Documents", lpString2=".") returned 1 [0167.325] lstrcmpiW (lpString1="Documents", lpString2="..") returned 1 [0167.325] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Documents") returned 30 [0167.326] GetProcessHeap () returned 0x4c0000 [0167.326] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0167.326] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\Default\\Documents" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents") returned="\\\\?\\C:\\Users\\Default\\Documents" [0167.326] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Documents", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\*") returned="\\\\?\\C:\\Users\\Default\\Documents\\*" [0167.326] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd890148c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dda10, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0167.327] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0167.327] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0167.327] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0167.327] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0167.327] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0167.327] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0167.327] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd890148c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dda10, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0167.327] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0167.327] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0167.327] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0167.327] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0167.327] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0167.327] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0167.327] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0167.327] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd890148c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x4dda10, dwReserved1=0x77c5f9e2, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0167.327] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0167.327] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0167.327] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0167.327] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0167.327] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0167.327] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0167.327] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0167.327] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Documents\\desktop.ini") returned 42 [0167.327] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0167.327] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0167.327] lstrlenW (lpString=".ini") returned 4 [0167.327] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0167.327] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\desktop.ini" (normalized: "c:\\users\\default\\documents\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0167.328] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=402) returned 1 [0167.328] CloseHandle (hObject=0x1d8) returned 1 [0167.328] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306b6cd1, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306b6cd1, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306b6cd1, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0167.328] lstrcmpiW (lpString1="My Music", lpString2="Windows") returned -1 [0167.328] lstrcmpiW (lpString1="My Music", lpString2="Program Files") returned -1 [0167.328] lstrcmpiW (lpString1="My Music", lpString2="Program Files (x86)") returned -1 [0167.328] lstrcmpiW (lpString1="My Music", lpString2="$Recycle.bin") returned 1 [0167.328] lstrcmpiW (lpString1="My Music", lpString2="System Volume Information") returned -1 [0167.328] lstrcmpiW (lpString1="My Music", lpString2=".") returned 1 [0167.328] lstrcmpiW (lpString1="My Music", lpString2="..") returned 1 [0167.328] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Documents\\My Music") returned 39 [0167.328] GetProcessHeap () returned 0x4c0000 [0167.328] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0167.329] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\Default\\Documents\\My Music" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Music") returned="\\\\?\\C:\\Users\\Default\\Documents\\My Music" [0167.329] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Music", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Music\\*") returned="\\\\?\\C:\\Users\\Default\\Documents\\My Music\\*" [0167.329] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\My Music\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x1, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x77c5fa12, ftLastAccessTime.dwHighDateTime=0x76c1c16b, ftLastWriteTime.dwLowDateTime=0x1d8, ftLastWriteTime.dwHighDateTime=0x28d498, nFileSizeHigh=0x28d480, nFileSizeLow=0x18, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="띝盁ǘ", cAlternateFileName="c")) returned 0xffffffff [0167.330] GetProcessHeap () returned 0x4c0000 [0167.330] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0167.330] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306b6cd1, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306b6cd1, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306b6cd1, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0167.330] lstrcmpiW (lpString1="My Pictures", lpString2="Windows") returned -1 [0167.330] lstrcmpiW (lpString1="My Pictures", lpString2="Program Files") returned -1 [0167.330] lstrcmpiW (lpString1="My Pictures", lpString2="Program Files (x86)") returned -1 [0167.330] lstrcmpiW (lpString1="My Pictures", lpString2="$Recycle.bin") returned 1 [0167.330] lstrcmpiW (lpString1="My Pictures", lpString2="System Volume Information") returned -1 [0167.330] lstrcmpiW (lpString1="My Pictures", lpString2=".") returned 1 [0167.330] lstrcmpiW (lpString1="My Pictures", lpString2="..") returned 1 [0167.330] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Documents\\My Pictures") returned 42 [0167.330] GetProcessHeap () returned 0x4c0000 [0167.330] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0167.330] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\Default\\Documents\\My Pictures" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Pictures") returned="\\\\?\\C:\\Users\\Default\\Documents\\My Pictures" [0167.330] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Pictures", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Pictures\\*") returned="\\\\?\\C:\\Users\\Default\\Documents\\My Pictures\\*" [0167.330] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\My Pictures\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x1, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x77c5fa12, ftLastAccessTime.dwHighDateTime=0x76c1c16b, ftLastWriteTime.dwLowDateTime=0x1d8, ftLastWriteTime.dwHighDateTime=0x28d498, nFileSizeHigh=0x28d480, nFileSizeLow=0x18, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="띝盁ǘ", cAlternateFileName="s")) returned 0xffffffff [0167.330] GetProcessHeap () returned 0x4c0000 [0167.330] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0167.330] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306b6cd1, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306b6cd1, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306b6cd1, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0167.330] lstrcmpiW (lpString1="My Videos", lpString2="Windows") returned -1 [0167.330] lstrcmpiW (lpString1="My Videos", lpString2="Program Files") returned -1 [0167.330] lstrcmpiW (lpString1="My Videos", lpString2="Program Files (x86)") returned -1 [0167.330] lstrcmpiW (lpString1="My Videos", lpString2="$Recycle.bin") returned 1 [0167.330] lstrcmpiW (lpString1="My Videos", lpString2="System Volume Information") returned -1 [0167.330] lstrcmpiW (lpString1="My Videos", lpString2=".") returned 1 [0167.330] lstrcmpiW (lpString1="My Videos", lpString2="..") returned 1 [0167.330] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Documents\\My Videos") returned 40 [0167.331] GetProcessHeap () returned 0x4c0000 [0167.331] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0167.331] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\Default\\Documents\\My Videos" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Videos") returned="\\\\?\\C:\\Users\\Default\\Documents\\My Videos" [0167.331] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Videos", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Videos\\*") returned="\\\\?\\C:\\Users\\Default\\Documents\\My Videos\\*" [0167.331] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\My Videos\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x1, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x77c5fa12, ftLastAccessTime.dwHighDateTime=0x76c1c16b, ftLastWriteTime.dwLowDateTime=0x1d8, ftLastWriteTime.dwHighDateTime=0x28d498, nFileSizeHigh=0x28d480, nFileSizeLow=0x18, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="띝盁ǘ", cAlternateFileName="s")) returned 0xffffffff [0167.331] GetProcessHeap () returned 0x4c0000 [0167.331] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0167.331] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306b6cd1, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306b6cd1, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306b6cd1, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 0 [0167.331] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0167.331] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Documents\\PUSSY.TXT") returned 40 [0167.331] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\PUSSY.TXT" (normalized: "c:\\users\\default\\documents\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x124 [0167.332] lstrlenA (lpString="abcd") returned 4 [0167.332] WriteFile (in: hFile=0x124, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0167.333] CloseHandle (hObject=0x124) returned 1 [0167.333] GetProcessHeap () returned 0x4c0000 [0167.333] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0167.334] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88db32b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0167.334] lstrcmpiW (lpString1="Downloads", lpString2="Windows") returned -1 [0167.334] lstrcmpiW (lpString1="Downloads", lpString2="Program Files") returned -1 [0167.334] lstrcmpiW (lpString1="Downloads", lpString2="Program Files (x86)") returned -1 [0167.334] lstrcmpiW (lpString1="Downloads", lpString2="$Recycle.bin") returned 1 [0167.334] lstrcmpiW (lpString1="Downloads", lpString2="System Volume Information") returned -1 [0167.334] lstrcmpiW (lpString1="Downloads", lpString2=".") returned 1 [0167.334] lstrcmpiW (lpString1="Downloads", lpString2="..") returned 1 [0167.334] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Downloads") returned 30 [0167.334] GetProcessHeap () returned 0x4c0000 [0167.334] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0167.335] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\Default\\Downloads" | out: lpString1="\\\\?\\C:\\Users\\Default\\Downloads") returned="\\\\?\\C:\\Users\\Default\\Downloads" [0167.335] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Downloads", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Downloads\\*") returned="\\\\?\\C:\\Users\\Default\\Downloads\\*" [0167.335] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Downloads\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88db32b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0167.335] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0167.335] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0167.335] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0167.335] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0167.335] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0167.335] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0167.335] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88db32b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0167.335] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0167.336] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0167.336] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0167.336] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0167.336] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0167.336] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0167.336] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0167.336] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88db32b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0167.336] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0167.336] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0167.336] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0167.336] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0167.336] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0167.336] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0167.336] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0167.336] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Downloads\\desktop.ini") returned 42 [0167.336] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0167.336] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0167.336] lstrlenW (lpString=".ini") returned 4 [0167.336] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0167.336] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Downloads\\desktop.ini" (normalized: "c:\\users\\default\\downloads\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0167.337] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=282) returned 1 [0167.337] CloseHandle (hObject=0x1d8) returned 1 [0167.337] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88db32b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0167.337] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0167.337] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Downloads\\PUSSY.TXT") returned 40 [0167.337] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Downloads\\PUSSY.TXT" (normalized: "c:\\users\\default\\downloads\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x124 [0167.337] lstrlenA (lpString="abcd") returned 4 [0167.338] WriteFile (in: hFile=0x124, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0167.339] CloseHandle (hObject=0x124) returned 1 [0167.340] GetProcessHeap () returned 0x4c0000 [0167.340] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0167.340] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0167.340] lstrcmpiW (lpString1="Favorites", lpString2="Windows") returned -1 [0167.340] lstrcmpiW (lpString1="Favorites", lpString2="Program Files") returned -1 [0167.340] lstrcmpiW (lpString1="Favorites", lpString2="Program Files (x86)") returned -1 [0167.340] lstrcmpiW (lpString1="Favorites", lpString2="$Recycle.bin") returned 1 [0167.340] lstrcmpiW (lpString1="Favorites", lpString2="System Volume Information") returned -1 [0167.340] lstrcmpiW (lpString1="Favorites", lpString2=".") returned 1 [0167.340] lstrcmpiW (lpString1="Favorites", lpString2="..") returned 1 [0167.340] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites") returned 30 [0167.340] GetProcessHeap () returned 0x4c0000 [0167.340] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0167.340] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\Default\\Favorites" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites") returned="\\\\?\\C:\\Users\\Default\\Favorites" [0167.340] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Favorites", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\*") returned="\\\\?\\C:\\Users\\Default\\Favorites\\*" [0167.340] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0167.343] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0167.344] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0167.344] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0167.344] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0167.344] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0167.344] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0167.344] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0167.344] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0167.344] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0167.344] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0167.344] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0167.344] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0167.344] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0167.344] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0167.344] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0167.344] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0167.344] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0167.344] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0167.344] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0167.344] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0167.344] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0167.344] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0167.344] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\desktop.ini") returned 42 [0167.344] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0167.344] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0167.345] lstrlenW (lpString=".ini") returned 4 [0167.345] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0167.345] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\desktop.ini" (normalized: "c:\\users\\default\\favorites\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0167.345] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=402) returned 1 [0167.345] CloseHandle (hObject=0x1d8) returned 1 [0167.345] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfeffd5f0, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="Links", cAlternateFileName="")) returned 1 [0167.345] lstrcmpiW (lpString1="Links", lpString2="Windows") returned -1 [0167.345] lstrcmpiW (lpString1="Links", lpString2="Program Files") returned -1 [0167.345] lstrcmpiW (lpString1="Links", lpString2="Program Files (x86)") returned -1 [0167.345] lstrcmpiW (lpString1="Links", lpString2="$Recycle.bin") returned 1 [0167.345] lstrcmpiW (lpString1="Links", lpString2="System Volume Information") returned -1 [0167.345] lstrcmpiW (lpString1="Links", lpString2=".") returned 1 [0167.346] lstrcmpiW (lpString1="Links", lpString2="..") returned 1 [0167.346] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Links") returned 36 [0167.346] GetProcessHeap () returned 0x4c0000 [0167.346] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0167.347] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\Default\\Favorites\\Links" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Links") returned="\\\\?\\C:\\Users\\Default\\Favorites\\Links" [0167.347] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Links", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\*") returned="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\*" [0167.347] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfeffd5f0, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0167.347] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0167.347] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0167.347] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0167.347] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0167.347] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0167.348] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0167.348] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfeffd5f0, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0167.348] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0167.348] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0167.348] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0167.348] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0167.348] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0167.348] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0167.348] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0167.348] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfefb1330, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0167.348] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0167.348] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0167.348] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0167.348] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0167.348] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0167.348] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0167.348] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0167.348] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\desktop.ini") returned 48 [0167.348] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0167.348] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0167.348] lstrlenW (lpString=".ini") returned 4 [0167.348] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0167.348] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\desktop.ini" (normalized: "c:\\users\\default\\favorites\\links\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x190 [0167.349] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=80) returned 1 [0167.349] CloseHandle (hObject=0x190) returned 1 [0167.349] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xb11062, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0xe2, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Web Slice Gallery.url", cAlternateFileName="WEBSLI~1.URL")) returned 1 [0167.349] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="Windows") returned -1 [0167.349] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="Program Files") returned 1 [0167.349] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="Program Files (x86)") returned 1 [0167.349] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="$Recycle.bin") returned 1 [0167.349] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="System Volume Information") returned 1 [0167.349] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2=".") returned 1 [0167.350] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="..") returned 1 [0167.350] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\Web Slice Gallery.url") returned 58 [0167.350] lstrcmpW (lpString1="Web Slice Gallery.url", lpString2="PUSSY.TXT") returned 1 [0167.350] PathFindExtensionW (pszPath="Web Slice Gallery.url") returned=".url" [0167.350] lstrlenW (lpString=".url") returned 4 [0167.350] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0167.350] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\Web Slice Gallery.url" (normalized: "c:\\users\\default\\favorites\\links\\web slice gallery.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x190 [0167.351] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=226) returned 1 [0167.351] CloseHandle (hObject=0x190) returned 1 [0167.351] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xb11062, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0xe2, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Web Slice Gallery.url", cAlternateFileName="WEBSLI~1.URL")) returned 0 [0167.351] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0167.351] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\PUSSY.TXT") returned 46 [0167.351] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\PUSSY.TXT" (normalized: "c:\\users\\default\\favorites\\links\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0167.351] lstrlenA (lpString="abcd") returned 4 [0167.351] WriteFile (in: hFile=0x1d8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0167.352] CloseHandle (hObject=0x1d8) returned 1 [0167.352] GetProcessHeap () returned 0x4c0000 [0167.352] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0167.352] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="Microsoft Websites", cAlternateFileName="MICROS~1")) returned 1 [0167.352] lstrcmpiW (lpString1="Microsoft Websites", lpString2="Windows") returned -1 [0167.353] lstrcmpiW (lpString1="Microsoft Websites", lpString2="Program Files") returned -1 [0167.353] lstrcmpiW (lpString1="Microsoft Websites", lpString2="Program Files (x86)") returned -1 [0167.353] lstrcmpiW (lpString1="Microsoft Websites", lpString2="$Recycle.bin") returned 1 [0167.353] lstrcmpiW (lpString1="Microsoft Websites", lpString2="System Volume Information") returned -1 [0167.353] lstrcmpiW (lpString1="Microsoft Websites", lpString2=".") returned 1 [0167.353] lstrcmpiW (lpString1="Microsoft Websites", lpString2="..") returned 1 [0167.353] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites") returned 49 [0167.353] GetProcessHeap () returned 0x4c0000 [0167.353] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0167.353] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites") returned="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites" [0167.353] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\*") returned="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\*" [0167.353] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0167.356] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0167.356] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0167.356] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0167.356] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0167.356] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0167.356] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0167.356] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0167.356] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0167.356] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0167.356] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0167.356] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0167.356] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0167.356] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0167.356] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0167.356] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa066c0, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="IE Add-on site.url", cAlternateFileName="IEADD-~1.URL")) returned 1 [0167.356] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="Windows") returned -1 [0167.356] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="Program Files") returned -1 [0167.357] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="Program Files (x86)") returned -1 [0167.357] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="$Recycle.bin") returned 1 [0167.357] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="System Volume Information") returned -1 [0167.357] lstrcmpiW (lpString1="IE Add-on site.url", lpString2=".") returned 1 [0167.357] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="..") returned 1 [0167.357] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url") returned 68 [0167.357] lstrcmpW (lpString1="IE Add-on site.url", lpString2="PUSSY.TXT") returned -1 [0167.357] PathFindExtensionW (pszPath="IE Add-on site.url") returned=".url" [0167.357] lstrlenW (lpString=".url") returned 4 [0167.357] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0167.357] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie add-on site.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x190 [0167.357] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=133) returned 1 [0167.357] CloseHandle (hObject=0x190) returned 1 [0167.357] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa066c0, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="IE site on Microsoft.com.url", cAlternateFileName="IESITE~1.URL")) returned 1 [0167.357] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="Windows") returned -1 [0167.357] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="Program Files") returned -1 [0167.357] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="Program Files (x86)") returned -1 [0167.358] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="$Recycle.bin") returned 1 [0167.358] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="System Volume Information") returned -1 [0167.358] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2=".") returned 1 [0167.358] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="..") returned 1 [0167.358] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url") returned 78 [0167.358] lstrcmpW (lpString1="IE site on Microsoft.com.url", lpString2="PUSSY.TXT") returned -1 [0167.358] PathFindExtensionW (pszPath="IE site on Microsoft.com.url") returned=".url" [0167.358] lstrlenW (lpString=".url") returned 4 [0167.358] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0167.358] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie site on microsoft.com.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x190 [0167.358] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=133) returned 1 [0167.358] CloseHandle (hObject=0x190) returned 1 [0167.358] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa2c821, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Microsoft At Home.url", cAlternateFileName="MICROS~3.URL")) returned 1 [0167.358] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="Windows") returned -1 [0167.358] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="Program Files") returned -1 [0167.358] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="Program Files (x86)") returned -1 [0167.358] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="$Recycle.bin") returned 1 [0167.358] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="System Volume Information") returned -1 [0167.359] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2=".") returned 1 [0167.359] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="..") returned 1 [0167.359] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Home.url") returned 71 [0167.359] lstrcmpW (lpString1="Microsoft At Home.url", lpString2="PUSSY.TXT") returned -1 [0167.359] PathFindExtensionW (pszPath="Microsoft At Home.url") returned=".url" [0167.359] lstrlenW (lpString=".url") returned 4 [0167.359] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0167.359] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Home.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft at home.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x190 [0167.359] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=133) returned 1 [0167.359] CloseHandle (hObject=0x190) returned 1 [0167.359] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa2c821, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Microsoft At Work.url", cAlternateFileName="MICROS~2.URL")) returned 1 [0167.359] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="Windows") returned -1 [0167.359] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="Program Files") returned -1 [0167.359] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="Program Files (x86)") returned -1 [0167.359] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="$Recycle.bin") returned 1 [0167.359] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="System Volume Information") returned -1 [0167.359] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2=".") returned 1 [0167.359] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="..") returned 1 [0167.359] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Work.url") returned 71 [0167.359] lstrcmpW (lpString1="Microsoft At Work.url", lpString2="PUSSY.TXT") returned -1 [0167.359] PathFindExtensionW (pszPath="Microsoft At Work.url") returned=".url" [0167.360] lstrlenW (lpString=".url") returned 4 [0167.360] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0167.360] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Work.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft at work.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x190 [0167.360] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=133) returned 1 [0167.360] CloseHandle (hObject=0x190) returned 1 [0167.360] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa52981, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x86, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Microsoft Store.url", cAlternateFileName="MICROS~1.URL")) returned 1 [0167.360] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="Windows") returned -1 [0167.360] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="Program Files") returned -1 [0167.360] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="Program Files (x86)") returned -1 [0167.360] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="$Recycle.bin") returned 1 [0167.360] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="System Volume Information") returned -1 [0167.360] lstrcmpiW (lpString1="Microsoft Store.url", lpString2=".") returned 1 [0167.360] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="..") returned 1 [0167.360] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft Store.url") returned 69 [0167.360] lstrcmpW (lpString1="Microsoft Store.url", lpString2="PUSSY.TXT") returned -1 [0167.360] PathFindExtensionW (pszPath="Microsoft Store.url") returned=".url" [0167.360] lstrlenW (lpString=".url") returned 4 [0167.360] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0167.360] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft Store.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft store.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x190 [0167.361] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=134) returned 1 [0167.361] CloseHandle (hObject=0x190) returned 1 [0167.361] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa52981, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x86, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Microsoft Store.url", cAlternateFileName="MICROS~1.URL")) returned 0 [0167.361] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0167.361] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\PUSSY.TXT") returned 59 [0167.361] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\PUSSY.TXT" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0167.361] lstrlenA (lpString="abcd") returned 4 [0167.361] WriteFile (in: hFile=0x1d8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0167.362] CloseHandle (hObject=0x1d8) returned 1 [0167.362] GetProcessHeap () returned 0x4c0000 [0167.362] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0167.362] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe4d4ebc, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="MSN Websites", cAlternateFileName="MSNWEB~1")) returned 1 [0167.363] lstrcmpiW (lpString1="MSN Websites", lpString2="Windows") returned -1 [0167.363] lstrcmpiW (lpString1="MSN Websites", lpString2="Program Files") returned -1 [0167.363] lstrcmpiW (lpString1="MSN Websites", lpString2="Program Files (x86)") returned -1 [0167.363] lstrcmpiW (lpString1="MSN Websites", lpString2="$Recycle.bin") returned 1 [0167.363] lstrcmpiW (lpString1="MSN Websites", lpString2="System Volume Information") returned -1 [0167.363] lstrcmpiW (lpString1="MSN Websites", lpString2=".") returned 1 [0167.363] lstrcmpiW (lpString1="MSN Websites", lpString2="..") returned 1 [0167.363] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites") returned 43 [0167.363] GetProcessHeap () returned 0x4c0000 [0167.363] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0167.363] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites") returned="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites" [0167.363] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\*") returned="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\*" [0167.363] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe4d4ebc, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0167.388] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0167.388] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0167.388] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0167.388] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0167.388] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0167.388] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0167.388] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe4d4ebc, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0167.388] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0167.388] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0167.388] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0167.388] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0167.388] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0167.388] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0167.388] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0167.388] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa2c821, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MSN Autos.url", cAlternateFileName="MSNAUT~1.URL")) returned 1 [0167.388] lstrcmpiW (lpString1="MSN Autos.url", lpString2="Windows") returned -1 [0167.388] lstrcmpiW (lpString1="MSN Autos.url", lpString2="Program Files") returned -1 [0167.388] lstrcmpiW (lpString1="MSN Autos.url", lpString2="Program Files (x86)") returned -1 [0167.388] lstrcmpiW (lpString1="MSN Autos.url", lpString2="$Recycle.bin") returned 1 [0167.388] lstrcmpiW (lpString1="MSN Autos.url", lpString2="System Volume Information") returned -1 [0167.388] lstrcmpiW (lpString1="MSN Autos.url", lpString2=".") returned 1 [0167.388] lstrcmpiW (lpString1="MSN Autos.url", lpString2="..") returned 1 [0167.388] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url") returned 57 [0167.388] lstrcmpW (lpString1="MSN Autos.url", lpString2="PUSSY.TXT") returned -1 [0167.388] PathFindExtensionW (pszPath="MSN Autos.url") returned=".url" [0167.388] lstrlenW (lpString=".url") returned 4 [0167.389] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0167.389] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn autos.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0167.389] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=133) returned 1 [0167.389] CloseHandle (hObject=0x19c) returned 1 [0167.389] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa2c821, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MSN Entertainment.url", cAlternateFileName="MSNENT~1.URL")) returned 1 [0167.389] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="Windows") returned -1 [0167.389] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="Program Files") returned -1 [0167.389] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="Program Files (x86)") returned -1 [0167.389] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="$Recycle.bin") returned 1 [0167.389] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="System Volume Information") returned -1 [0167.389] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2=".") returned 1 [0167.389] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="..") returned 1 [0167.389] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Entertainment.url") returned 65 [0167.389] lstrcmpW (lpString1="MSN Entertainment.url", lpString2="PUSSY.TXT") returned -1 [0167.389] PathFindExtensionW (pszPath="MSN Entertainment.url") returned=".url" [0167.390] lstrlenW (lpString=".url") returned 4 [0167.390] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0167.390] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Entertainment.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn entertainment.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0167.390] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=133) returned 1 [0167.390] CloseHandle (hObject=0x19c) returned 1 [0167.390] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa2c821, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MSN Money.url", cAlternateFileName="MSNMON~1.URL")) returned 1 [0167.390] lstrcmpiW (lpString1="MSN Money.url", lpString2="Windows") returned -1 [0167.390] lstrcmpiW (lpString1="MSN Money.url", lpString2="Program Files") returned -1 [0167.390] lstrcmpiW (lpString1="MSN Money.url", lpString2="Program Files (x86)") returned -1 [0167.390] lstrcmpiW (lpString1="MSN Money.url", lpString2="$Recycle.bin") returned 1 [0167.390] lstrcmpiW (lpString1="MSN Money.url", lpString2="System Volume Information") returned -1 [0167.390] lstrcmpiW (lpString1="MSN Money.url", lpString2=".") returned 1 [0167.390] lstrcmpiW (lpString1="MSN Money.url", lpString2="..") returned 1 [0167.390] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Money.url") returned 57 [0167.390] lstrcmpW (lpString1="MSN Money.url", lpString2="PUSSY.TXT") returned -1 [0167.390] PathFindExtensionW (pszPath="MSN Money.url") returned=".url" [0167.390] lstrlenW (lpString=".url") returned 4 [0167.390] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0167.391] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Money.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn money.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0167.391] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=133) returned 1 [0167.391] CloseHandle (hObject=0x19c) returned 1 [0167.391] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa2c821, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MSN Sports.url", cAlternateFileName="MSNSPO~1.URL")) returned 1 [0167.391] lstrcmpiW (lpString1="MSN Sports.url", lpString2="Windows") returned -1 [0167.391] lstrcmpiW (lpString1="MSN Sports.url", lpString2="Program Files") returned -1 [0167.391] lstrcmpiW (lpString1="MSN Sports.url", lpString2="Program Files (x86)") returned -1 [0167.391] lstrcmpiW (lpString1="MSN Sports.url", lpString2="$Recycle.bin") returned 1 [0167.391] lstrcmpiW (lpString1="MSN Sports.url", lpString2="System Volume Information") returned -1 [0167.391] lstrcmpiW (lpString1="MSN Sports.url", lpString2=".") returned 1 [0167.391] lstrcmpiW (lpString1="MSN Sports.url", lpString2="..") returned 1 [0167.391] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Sports.url") returned 58 [0167.391] lstrcmpW (lpString1="MSN Sports.url", lpString2="PUSSY.TXT") returned -1 [0167.391] PathFindExtensionW (pszPath="MSN Sports.url") returned=".url" [0167.391] lstrlenW (lpString=".url") returned 4 [0167.391] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0167.392] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Sports.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn sports.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0167.392] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=133) returned 1 [0167.392] CloseHandle (hObject=0x19c) returned 1 [0167.392] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa2c821, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MSN.url", cAlternateFileName="")) returned 1 [0167.392] lstrcmpiW (lpString1="MSN.url", lpString2="Windows") returned -1 [0167.392] lstrcmpiW (lpString1="MSN.url", lpString2="Program Files") returned -1 [0167.392] lstrcmpiW (lpString1="MSN.url", lpString2="Program Files (x86)") returned -1 [0167.392] lstrcmpiW (lpString1="MSN.url", lpString2="$Recycle.bin") returned 1 [0167.392] lstrcmpiW (lpString1="MSN.url", lpString2="System Volume Information") returned -1 [0167.392] lstrcmpiW (lpString1="MSN.url", lpString2=".") returned 1 [0167.392] lstrcmpiW (lpString1="MSN.url", lpString2="..") returned 1 [0167.392] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN.url") returned 51 [0167.392] lstrcmpW (lpString1="MSN.url", lpString2="PUSSY.TXT") returned -1 [0167.392] PathFindExtensionW (pszPath="MSN.url") returned=".url" [0167.392] lstrlenW (lpString=".url") returned 4 [0167.393] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0167.393] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0167.393] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=133) returned 1 [0167.393] CloseHandle (hObject=0x19c) returned 1 [0167.393] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa2c821, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MSNBC News.url", cAlternateFileName="MSNBCN~1.URL")) returned 1 [0167.393] lstrcmpiW (lpString1="MSNBC News.url", lpString2="Windows") returned -1 [0167.393] lstrcmpiW (lpString1="MSNBC News.url", lpString2="Program Files") returned -1 [0167.393] lstrcmpiW (lpString1="MSNBC News.url", lpString2="Program Files (x86)") returned -1 [0167.393] lstrcmpiW (lpString1="MSNBC News.url", lpString2="$Recycle.bin") returned 1 [0167.393] lstrcmpiW (lpString1="MSNBC News.url", lpString2="System Volume Information") returned -1 [0167.393] lstrcmpiW (lpString1="MSNBC News.url", lpString2=".") returned 1 [0167.393] lstrcmpiW (lpString1="MSNBC News.url", lpString2="..") returned 1 [0167.393] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSNBC News.url") returned 58 [0167.393] lstrcmpW (lpString1="MSNBC News.url", lpString2="PUSSY.TXT") returned -1 [0167.394] PathFindExtensionW (pszPath="MSNBC News.url") returned=".url" [0167.394] lstrlenW (lpString=".url") returned 4 [0167.394] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0167.394] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSNBC News.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msnbc news.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0167.394] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=133) returned 1 [0167.394] CloseHandle (hObject=0x19c) returned 1 [0167.394] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa2c821, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="MSNBC News.url", cAlternateFileName="MSNBCN~1.URL")) returned 0 [0167.394] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0167.394] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\PUSSY.TXT") returned 53 [0167.394] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\PUSSY.TXT" (normalized: "c:\\users\\default\\favorites\\msn websites\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0167.395] lstrlenA (lpString="abcd") returned 4 [0167.395] WriteFile (in: hFile=0x1d8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0167.396] CloseHandle (hObject=0x1d8) returned 1 [0167.396] GetProcessHeap () returned 0x4c0000 [0167.396] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0167.396] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="Windows Live", cAlternateFileName="WINDOW~1")) returned 1 [0167.396] lstrcmpiW (lpString1="Windows Live", lpString2="Windows") returned 1 [0167.396] lstrcmpiW (lpString1="Windows Live", lpString2="Program Files") returned 1 [0167.396] lstrcmpiW (lpString1="Windows Live", lpString2="Program Files (x86)") returned 1 [0167.396] lstrcmpiW (lpString1="Windows Live", lpString2="$Recycle.bin") returned 1 [0167.396] lstrcmpiW (lpString1="Windows Live", lpString2="System Volume Information") returned 1 [0167.396] lstrcmpiW (lpString1="Windows Live", lpString2=".") returned 1 [0167.396] lstrcmpiW (lpString1="Windows Live", lpString2="..") returned 1 [0167.396] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live") returned 43 [0167.396] GetProcessHeap () returned 0x4c0000 [0167.396] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0167.396] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live") returned="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live" [0167.396] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\*") returned="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\*" [0167.396] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0167.398] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0167.398] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0167.398] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0167.398] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0167.398] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0167.398] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0167.398] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0167.398] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0167.398] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0167.398] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0167.398] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0167.399] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0167.399] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0167.399] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0167.399] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa52981, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Get Windows Live.url", cAlternateFileName="GETWIN~1.URL")) returned 1 [0167.399] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="Windows") returned -1 [0167.399] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="Program Files") returned -1 [0167.399] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="Program Files (x86)") returned -1 [0167.399] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="$Recycle.bin") returned 1 [0167.399] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="System Volume Information") returned -1 [0167.399] lstrcmpiW (lpString1="Get Windows Live.url", lpString2=".") returned 1 [0167.399] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="..") returned 1 [0167.399] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Get Windows Live.url") returned 64 [0167.399] lstrcmpW (lpString1="Get Windows Live.url", lpString2="PUSSY.TXT") returned -1 [0167.399] PathFindExtensionW (pszPath="Get Windows Live.url") returned=".url" [0167.399] lstrlenW (lpString=".url") returned 4 [0167.399] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0167.399] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Get Windows Live.url" (normalized: "c:\\users\\default\\favorites\\windows live\\get windows live.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0167.400] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=133) returned 1 [0167.400] CloseHandle (hObject=0x19c) returned 1 [0167.400] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa52981, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Windows Live Gallery.url", cAlternateFileName="WINDOW~2.URL")) returned 1 [0167.400] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="Windows") returned 1 [0167.400] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="Program Files") returned 1 [0167.400] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="Program Files (x86)") returned 1 [0167.400] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="$Recycle.bin") returned 1 [0167.400] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="System Volume Information") returned 1 [0167.400] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2=".") returned 1 [0167.400] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="..") returned 1 [0167.400] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Gallery.url") returned 68 [0167.400] lstrcmpW (lpString1="Windows Live Gallery.url", lpString2="PUSSY.TXT") returned 1 [0167.400] PathFindExtensionW (pszPath="Windows Live Gallery.url") returned=".url" [0167.400] lstrlenW (lpString=".url") returned 4 [0167.400] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0167.400] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Gallery.url" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live gallery.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0167.401] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=133) returned 1 [0167.401] CloseHandle (hObject=0x19c) returned 1 [0167.401] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa52981, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Windows Live Mail.url", cAlternateFileName="WINDOW~1.URL")) returned 1 [0167.401] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="Windows") returned 1 [0167.401] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="Program Files") returned 1 [0167.401] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="Program Files (x86)") returned 1 [0167.401] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="$Recycle.bin") returned 1 [0167.401] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="System Volume Information") returned 1 [0167.402] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2=".") returned 1 [0167.402] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="..") returned 1 [0167.402] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Mail.url") returned 65 [0167.402] lstrcmpW (lpString1="Windows Live Mail.url", lpString2="PUSSY.TXT") returned 1 [0167.402] PathFindExtensionW (pszPath="Windows Live Mail.url") returned=".url" [0167.402] lstrlenW (lpString=".url") returned 4 [0167.402] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0167.402] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Mail.url" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live mail.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0167.402] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=133) returned 1 [0167.402] CloseHandle (hObject=0x19c) returned 1 [0167.403] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa52981, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Windows Live Spaces.url", cAlternateFileName="WINDOW~3.URL")) returned 1 [0167.403] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="Windows") returned 1 [0167.403] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="Program Files") returned 1 [0167.403] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="Program Files (x86)") returned 1 [0167.403] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="$Recycle.bin") returned 1 [0167.403] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="System Volume Information") returned 1 [0167.403] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2=".") returned 1 [0167.403] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="..") returned 1 [0167.403] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Spaces.url") returned 67 [0167.403] lstrcmpW (lpString1="Windows Live Spaces.url", lpString2="PUSSY.TXT") returned 1 [0167.403] PathFindExtensionW (pszPath="Windows Live Spaces.url") returned=".url" [0167.403] lstrlenW (lpString=".url") returned 4 [0167.403] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0167.403] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Spaces.url" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live spaces.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0167.404] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=133) returned 1 [0167.404] CloseHandle (hObject=0x19c) returned 1 [0167.404] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa52981, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Windows Live Spaces.url", cAlternateFileName="WINDOW~3.URL")) returned 0 [0167.404] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0167.404] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\PUSSY.TXT") returned 53 [0167.404] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\PUSSY.TXT" (normalized: "c:\\users\\default\\favorites\\windows live\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0167.404] lstrlenA (lpString="abcd") returned 4 [0167.404] WriteFile (in: hFile=0x1d8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0167.405] CloseHandle (hObject=0x1d8) returned 1 [0167.406] GetProcessHeap () returned 0x4c0000 [0167.406] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0167.406] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="Windows Live", cAlternateFileName="WINDOW~1")) returned 0 [0167.406] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0167.406] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\PUSSY.TXT") returned 40 [0167.406] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\PUSSY.TXT" (normalized: "c:\\users\\default\\favorites\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x124 [0167.406] lstrlenA (lpString="abcd") returned 4 [0167.406] WriteFile (in: hFile=0x124, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0167.407] CloseHandle (hObject=0x124) returned 1 [0167.408] GetProcessHeap () returned 0x4c0000 [0167.408] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0167.413] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Links", cAlternateFileName="")) returned 1 [0167.413] lstrcmpiW (lpString1="Links", lpString2="Windows") returned -1 [0167.413] lstrcmpiW (lpString1="Links", lpString2="Program Files") returned -1 [0167.413] lstrcmpiW (lpString1="Links", lpString2="Program Files (x86)") returned -1 [0167.413] lstrcmpiW (lpString1="Links", lpString2="$Recycle.bin") returned 1 [0167.413] lstrcmpiW (lpString1="Links", lpString2="System Volume Information") returned -1 [0167.413] lstrcmpiW (lpString1="Links", lpString2=".") returned 1 [0167.413] lstrcmpiW (lpString1="Links", lpString2="..") returned 1 [0167.413] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Links") returned 26 [0167.413] GetProcessHeap () returned 0x4c0000 [0167.413] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0167.414] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\Default\\Links" | out: lpString1="\\\\?\\C:\\Users\\Default\\Links") returned="\\\\?\\C:\\Users\\Default\\Links" [0167.414] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Links", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Links\\*") returned="\\\\?\\C:\\Users\\Default\\Links\\*" [0167.414] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Links\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0167.419] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0167.422] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0167.422] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0167.422] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0167.422] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0167.422] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0167.422] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0167.422] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0167.422] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0167.422] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0167.423] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0167.423] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0167.423] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0167.423] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0167.423] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x244, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0167.423] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0167.423] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0167.423] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0167.423] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0167.423] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0167.423] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0167.423] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0167.423] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Links\\desktop.ini") returned 38 [0167.423] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0167.423] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0167.423] lstrlenW (lpString=".ini") returned 4 [0167.423] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0167.423] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Links\\desktop.ini" (normalized: "c:\\users\\default\\links\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0167.424] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=580) returned 1 [0167.424] GetProcessHeap () returned 0x4c0000 [0167.424] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c720f8 [0167.433] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="D2") returned 2 [0167.434] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="0D") returned 2 [0167.434] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="21") returned 2 [0167.434] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="49") returned 2 [0167.434] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="24") returned 2 [0167.434] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="82") returned 2 [0167.434] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="BB") returned 2 [0167.434] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="90") returned 2 [0167.434] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="02") returned 2 [0167.434] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="E1") returned 2 [0167.434] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="62") returned 2 [0167.434] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="4C") returned 2 [0167.434] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="97") returned 2 [0167.434] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="EF") returned 2 [0167.434] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="7A") returned 2 [0167.435] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="79") returned 2 [0167.435] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="1B") returned 2 [0167.435] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="62") returned 2 [0167.435] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="F0") returned 2 [0167.435] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="C7") returned 2 [0167.435] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="68") returned 2 [0167.435] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="DB") returned 2 [0167.435] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="BA") returned 2 [0167.435] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="F4") returned 2 [0167.435] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="BA") returned 2 [0167.435] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="4B") returned 2 [0167.435] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="AD") returned 2 [0167.435] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="CA") returned 2 [0167.435] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="BF") returned 2 [0167.435] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="70") returned 2 [0167.436] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="A4") returned 2 [0167.436] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="4E") returned 2 [0167.444] lstrcpyW (in: lpString1=0x3c8212c, lpString2="\\\\?\\C:\\Users\\Default\\Links\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Default\\Links\\desktop.ini") returned="\\\\?\\C:\\Users\\Default\\Links\\desktop.ini" [0167.444] lstrcpyW (in: lpString1=0x3c7212c, lpString2="\\\\?\\C:\\Users\\Default\\Links\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Default\\Links\\desktop.ini") returned="\\\\?\\C:\\Users\\Default\\Links\\desktop.ini" [0167.444] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Links\\desktop.ini", lpString2=".D20D21492482BB9002E1624C97EF7A791B62F0C768DBBAF4BA4BADCABF70A44E" | out: lpString1="\\\\?\\C:\\Users\\Default\\Links\\desktop.ini.D20D21492482BB9002E1624C97EF7A791B62F0C768DBBAF4BA4BADCABF70A44E") returned="\\\\?\\C:\\Users\\Default\\Links\\desktop.ini.D20D21492482BB9002E1624C97EF7A791B62F0C768DBBAF4BA4BADCABF70A44E" [0167.444] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x3c720f8, NumberOfConcurrentThreads=0x0) returned 0x94 [0167.444] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c720f8, lpOverlapped=0x3c720f8) returned 1 [0167.448] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1d3, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="Desktop.lnk", cAlternateFileName="")) returned 1 [0167.449] lstrcmpiW (lpString1="Desktop.lnk", lpString2="Windows") returned -1 [0167.450] lstrcmpiW (lpString1="Desktop.lnk", lpString2="Program Files") returned -1 [0167.450] lstrcmpiW (lpString1="Desktop.lnk", lpString2="Program Files (x86)") returned -1 [0167.450] lstrcmpiW (lpString1="Desktop.lnk", lpString2="$Recycle.bin") returned 1 [0167.450] lstrcmpiW (lpString1="Desktop.lnk", lpString2="System Volume Information") returned -1 [0167.450] lstrcmpiW (lpString1="Desktop.lnk", lpString2=".") returned 1 [0167.450] lstrcmpiW (lpString1="Desktop.lnk", lpString2="..") returned 1 [0167.450] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Links\\Desktop.lnk") returned 38 [0167.450] lstrcmpW (lpString1="Desktop.lnk", lpString2="PUSSY.TXT") returned -1 [0167.450] PathFindExtensionW (pszPath="Desktop.lnk") returned=".lnk" [0167.450] lstrlenW (lpString=".lnk") returned 4 [0167.450] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0167.450] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Links\\Desktop.lnk" (normalized: "c:\\users\\default\\links\\desktop.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0167.451] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=467) returned 1 [0167.451] CloseHandle (hObject=0x184) returned 1 [0167.451] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="Downloads.lnk", cAlternateFileName="DOWNLO~1.LNK")) returned 1 [0167.451] lstrcmpiW (lpString1="Downloads.lnk", lpString2="Windows") returned -1 [0167.451] lstrcmpiW (lpString1="Downloads.lnk", lpString2="Program Files") returned -1 [0167.451] lstrcmpiW (lpString1="Downloads.lnk", lpString2="Program Files (x86)") returned -1 [0167.451] lstrcmpiW (lpString1="Downloads.lnk", lpString2="$Recycle.bin") returned 1 [0167.451] lstrcmpiW (lpString1="Downloads.lnk", lpString2="System Volume Information") returned -1 [0167.451] lstrcmpiW (lpString1="Downloads.lnk", lpString2=".") returned 1 [0167.451] lstrcmpiW (lpString1="Downloads.lnk", lpString2="..") returned 1 [0167.451] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Links\\Downloads.lnk") returned 40 [0167.451] lstrcmpW (lpString1="Downloads.lnk", lpString2="PUSSY.TXT") returned -1 [0167.451] PathFindExtensionW (pszPath="Downloads.lnk") returned=".lnk" [0167.451] lstrlenW (lpString=".lnk") returned 4 [0167.451] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0167.451] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Links\\Downloads.lnk" (normalized: "c:\\users\\default\\links\\downloads.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0167.452] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=894) returned 1 [0167.452] GetProcessHeap () returned 0x4c0000 [0167.452] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c720f8 [0167.462] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="0E") returned 2 [0167.462] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="C9") returned 2 [0167.462] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="8B") returned 2 [0167.463] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="DF") returned 2 [0167.463] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="85") returned 2 [0167.463] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="7A") returned 2 [0167.463] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="8D") returned 2 [0167.463] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="C2") returned 2 [0167.463] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="0F") returned 2 [0167.463] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="53") returned 2 [0167.463] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="80") returned 2 [0167.463] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="1E") returned 2 [0167.463] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="DD") returned 2 [0167.463] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="22") returned 2 [0167.463] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="00") returned 2 [0167.463] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="2E") returned 2 [0167.463] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="75") returned 2 [0167.464] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="BF") returned 2 [0167.464] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="61") returned 2 [0167.464] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="DE") returned 2 [0167.464] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="BB") returned 2 [0167.464] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="61") returned 2 [0167.464] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="B9") returned 2 [0167.464] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="F5") returned 2 [0167.464] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="1C") returned 2 [0167.464] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="73") returned 2 [0167.464] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="7E") returned 2 [0167.464] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="67") returned 2 [0167.464] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="D4") returned 2 [0167.464] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="F9") returned 2 [0167.465] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="A0") returned 2 [0167.465] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="0F") returned 2 [0167.473] lstrcpyW (in: lpString1=0x3c8212c, lpString2="\\\\?\\C:\\Users\\Default\\Links\\Downloads.lnk" | out: lpString1="\\\\?\\C:\\Users\\Default\\Links\\Downloads.lnk") returned="\\\\?\\C:\\Users\\Default\\Links\\Downloads.lnk" [0167.473] lstrcpyW (in: lpString1=0x3c7212c, lpString2="\\\\?\\C:\\Users\\Default\\Links\\Downloads.lnk" | out: lpString1="\\\\?\\C:\\Users\\Default\\Links\\Downloads.lnk") returned="\\\\?\\C:\\Users\\Default\\Links\\Downloads.lnk" [0167.473] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Links\\Downloads.lnk", lpString2=".0EC98BDF857A8DC20F53801EDD22002E75BF61DEBB61B9F51C737E67D4F9A00F" | out: lpString1="\\\\?\\C:\\Users\\Default\\Links\\Downloads.lnk.0EC98BDF857A8DC20F53801EDD22002E75BF61DEBB61B9F51C737E67D4F9A00F") returned="\\\\?\\C:\\Users\\Default\\Links\\Downloads.lnk.0EC98BDF857A8DC20F53801EDD22002E75BF61DEBB61B9F51C737E67D4F9A00F" [0167.473] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x3c720f8, NumberOfConcurrentThreads=0x0) returned 0x94 [0167.473] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c720f8, lpOverlapped=0x3c720f8) returned 1 [0167.473] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x16b, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="RecentPlaces.lnk", cAlternateFileName="RECENT~1.LNK")) returned 1 [0167.473] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="Windows") returned -1 [0167.473] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="Program Files") returned 1 [0167.474] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="Program Files (x86)") returned 1 [0167.474] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="$Recycle.bin") returned 1 [0167.474] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="System Volume Information") returned -1 [0167.474] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2=".") returned 1 [0167.476] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="..") returned 1 [0167.476] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Links\\RecentPlaces.lnk") returned 43 [0167.476] lstrcmpW (lpString1="RecentPlaces.lnk", lpString2="PUSSY.TXT") returned 1 [0167.476] PathFindExtensionW (pszPath="RecentPlaces.lnk") returned=".lnk" [0167.476] lstrlenW (lpString=".lnk") returned 4 [0167.476] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0167.476] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Links\\RecentPlaces.lnk" (normalized: "c:\\users\\default\\links\\recentplaces.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0167.480] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=363) returned 1 [0167.480] CloseHandle (hObject=0x184) returned 1 [0167.481] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x16b, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="RecentPlaces.lnk", cAlternateFileName="RECENT~1.LNK")) returned 0 [0167.481] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0167.481] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Links\\PUSSY.TXT") returned 36 [0167.481] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Links\\PUSSY.TXT" (normalized: "c:\\users\\default\\links\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x124 [0167.481] lstrlenA (lpString="abcd") returned 4 [0167.481] WriteFile (in: hFile=0x124, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0167.482] CloseHandle (hObject=0x124) returned 1 [0167.482] GetProcessHeap () returned 0x4c0000 [0167.482] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0167.484] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x30702f92, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x30702f92, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x30702f92, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0167.484] lstrcmpiW (lpString1="Local Settings", lpString2="Windows") returned -1 [0167.484] lstrcmpiW (lpString1="Local Settings", lpString2="Program Files") returned -1 [0167.484] lstrcmpiW (lpString1="Local Settings", lpString2="Program Files (x86)") returned -1 [0167.485] lstrcmpiW (lpString1="Local Settings", lpString2="$Recycle.bin") returned 1 [0167.485] lstrcmpiW (lpString1="Local Settings", lpString2="System Volume Information") returned -1 [0167.485] lstrcmpiW (lpString1="Local Settings", lpString2=".") returned 1 [0167.485] lstrcmpiW (lpString1="Local Settings", lpString2="..") returned 1 [0167.485] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Local Settings") returned 35 [0167.485] GetProcessHeap () returned 0x4c0000 [0167.485] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0167.485] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\Default\\Local Settings" | out: lpString1="\\\\?\\C:\\Users\\Default\\Local Settings") returned="\\\\?\\C:\\Users\\Default\\Local Settings" [0167.485] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Local Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Local Settings\\*") returned="\\\\?\\C:\\Users\\Default\\Local Settings\\*" [0167.485] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Local Settings\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x16b, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="RecentPlaces.lnk", cAlternateFileName="s")) returned 0xffffffff [0167.486] GetProcessHeap () returned 0x4c0000 [0167.486] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0167.486] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Music", cAlternateFileName="")) returned 1 [0167.486] lstrcmpiW (lpString1="Music", lpString2="Windows") returned -1 [0167.486] lstrcmpiW (lpString1="Music", lpString2="Program Files") returned -1 [0167.486] lstrcmpiW (lpString1="Music", lpString2="Program Files (x86)") returned -1 [0167.486] lstrcmpiW (lpString1="Music", lpString2="$Recycle.bin") returned 1 [0167.486] lstrcmpiW (lpString1="Music", lpString2="System Volume Information") returned -1 [0167.486] lstrcmpiW (lpString1="Music", lpString2=".") returned 1 [0167.486] lstrcmpiW (lpString1="Music", lpString2="..") returned 1 [0167.486] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Music") returned 26 [0167.486] GetProcessHeap () returned 0x4c0000 [0167.486] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0167.486] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\Default\\Music" | out: lpString1="\\\\?\\C:\\Users\\Default\\Music") returned="\\\\?\\C:\\Users\\Default\\Music" [0167.486] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Music", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Music\\*") returned="\\\\?\\C:\\Users\\Default\\Music\\*" [0167.486] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Music\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0167.486] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0167.486] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0167.486] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0167.487] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0167.487] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0167.487] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0167.487] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0167.487] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0167.487] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0167.487] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0167.487] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0167.487] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0167.487] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0167.487] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0167.487] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0167.487] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0167.487] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0167.487] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0167.487] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0167.487] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0167.487] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0167.487] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0167.487] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Music\\desktop.ini") returned 38 [0167.487] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0167.487] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0167.487] lstrlenW (lpString=".ini") returned 4 [0167.487] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0167.487] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Music\\desktop.ini" (normalized: "c:\\users\\default\\music\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0167.488] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=504) returned 1 [0167.488] CloseHandle (hObject=0x184) returned 1 [0167.488] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0167.488] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0167.488] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Music\\PUSSY.TXT") returned 36 [0167.488] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Music\\PUSSY.TXT" (normalized: "c:\\users\\default\\music\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x124 [0167.488] lstrlenA (lpString="abcd") returned 4 [0167.488] WriteFile (in: hFile=0x124, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0167.489] CloseHandle (hObject=0x124) returned 1 [0167.489] GetProcessHeap () returned 0x4c0000 [0167.489] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0167.489] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306b6cd1, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306b6cd1, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306b6cd1, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0167.489] lstrcmpiW (lpString1="My Documents", lpString2="Windows") returned -1 [0167.490] lstrcmpiW (lpString1="My Documents", lpString2="Program Files") returned -1 [0167.490] lstrcmpiW (lpString1="My Documents", lpString2="Program Files (x86)") returned -1 [0167.490] lstrcmpiW (lpString1="My Documents", lpString2="$Recycle.bin") returned 1 [0167.490] lstrcmpiW (lpString1="My Documents", lpString2="System Volume Information") returned -1 [0167.490] lstrcmpiW (lpString1="My Documents", lpString2=".") returned 1 [0167.490] lstrcmpiW (lpString1="My Documents", lpString2="..") returned 1 [0167.490] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\My Documents") returned 33 [0167.490] GetProcessHeap () returned 0x4c0000 [0167.490] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0167.490] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\Default\\My Documents" | out: lpString1="\\\\?\\C:\\Users\\Default\\My Documents") returned="\\\\?\\C:\\Users\\Default\\My Documents" [0167.490] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\My Documents", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\My Documents\\*") returned="\\\\?\\C:\\Users\\Default\\My Documents\\*" [0167.490] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\My Documents\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="desktop.ini", cAlternateFileName="s")) returned 0xffffffff [0167.490] GetProcessHeap () returned 0x4c0000 [0167.490] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0167.490] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306dce32, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306dce32, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306dce32, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="NetHood", cAlternateFileName="")) returned 1 [0167.490] lstrcmpiW (lpString1="NetHood", lpString2="Windows") returned -1 [0167.490] lstrcmpiW (lpString1="NetHood", lpString2="Program Files") returned -1 [0167.490] lstrcmpiW (lpString1="NetHood", lpString2="Program Files (x86)") returned -1 [0167.490] lstrcmpiW (lpString1="NetHood", lpString2="$Recycle.bin") returned 1 [0167.490] lstrcmpiW (lpString1="NetHood", lpString2="System Volume Information") returned -1 [0167.490] lstrcmpiW (lpString1="NetHood", lpString2=".") returned 1 [0167.490] lstrcmpiW (lpString1="NetHood", lpString2="..") returned 1 [0167.490] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\NetHood") returned 28 [0167.490] GetProcessHeap () returned 0x4c0000 [0167.490] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0167.491] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\Default\\NetHood" | out: lpString1="\\\\?\\C:\\Users\\Default\\NetHood") returned="\\\\?\\C:\\Users\\Default\\NetHood" [0167.491] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\NetHood", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\NetHood\\*") returned="\\\\?\\C:\\Users\\Default\\NetHood\\*" [0167.491] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\NetHood\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="desktop.ini", cAlternateFileName="d")) returned 0xffffffff [0167.491] GetProcessHeap () returned 0x4c0000 [0167.491] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0167.491] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x9012aa61, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x6770de0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x6770de0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0xc0000, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0167.491] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="Windows") returned -1 [0167.491] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="Program Files") returned -1 [0167.491] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="Program Files (x86)") returned -1 [0167.491] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="$Recycle.bin") returned 1 [0167.491] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="System Volume Information") returned -1 [0167.491] lstrcmpiW (lpString1="NTUSER.DAT", lpString2=".") returned 1 [0167.491] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="..") returned 1 [0167.491] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT") returned 31 [0167.491] lstrcmpW (lpString1="NTUSER.DAT", lpString2="PUSSY.TXT") returned -1 [0167.491] PathFindExtensionW (pszPath="NTUSER.DAT") returned=".DAT" [0167.491] lstrlenW (lpString=".DAT") returned 4 [0167.491] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0167.491] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT" (normalized: "c:\\users\\default\\ntuser.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x124 [0167.492] GetFileSizeEx (in: hFile=0x124, lpFileSize=0x28e278 | out: lpFileSize=0x28e278*=786432) returned 1 [0167.492] GetProcessHeap () returned 0x4c0000 [0167.492] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c720f8 [0167.503] wsprintfW (in: param_1=0x28e2c6, param_2="%02X" | out: param_1="3E") returned 2 [0167.503] wsprintfW (in: param_1=0x28e2ca, param_2="%02X" | out: param_1="CB") returned 2 [0167.503] wsprintfW (in: param_1=0x28e2ce, param_2="%02X" | out: param_1="57") returned 2 [0167.503] wsprintfW (in: param_1=0x28e2d2, param_2="%02X" | out: param_1="8C") returned 2 [0167.503] wsprintfW (in: param_1=0x28e2d6, param_2="%02X" | out: param_1="54") returned 2 [0167.503] wsprintfW (in: param_1=0x28e2da, param_2="%02X" | out: param_1="53") returned 2 [0167.503] wsprintfW (in: param_1=0x28e2de, param_2="%02X" | out: param_1="01") returned 2 [0167.503] wsprintfW (in: param_1=0x28e2e2, param_2="%02X" | out: param_1="B6") returned 2 [0167.503] wsprintfW (in: param_1=0x28e2e6, param_2="%02X" | out: param_1="73") returned 2 [0167.503] wsprintfW (in: param_1=0x28e2ea, param_2="%02X" | out: param_1="47") returned 2 [0167.503] wsprintfW (in: param_1=0x28e2ee, param_2="%02X" | out: param_1="B5") returned 2 [0167.503] wsprintfW (in: param_1=0x28e2f2, param_2="%02X" | out: param_1="21") returned 2 [0167.503] wsprintfW (in: param_1=0x28e2f6, param_2="%02X" | out: param_1="2A") returned 2 [0167.503] wsprintfW (in: param_1=0x28e2fa, param_2="%02X" | out: param_1="86") returned 2 [0167.503] wsprintfW (in: param_1=0x28e2fe, param_2="%02X" | out: param_1="E3") returned 2 [0167.503] wsprintfW (in: param_1=0x28e302, param_2="%02X" | out: param_1="98") returned 2 [0167.503] wsprintfW (in: param_1=0x28e306, param_2="%02X" | out: param_1="C0") returned 2 [0167.503] wsprintfW (in: param_1=0x28e30a, param_2="%02X" | out: param_1="02") returned 2 [0167.503] wsprintfW (in: param_1=0x28e30e, param_2="%02X" | out: param_1="58") returned 2 [0167.503] wsprintfW (in: param_1=0x28e312, param_2="%02X" | out: param_1="3A") returned 2 [0167.503] wsprintfW (in: param_1=0x28e316, param_2="%02X" | out: param_1="58") returned 2 [0167.503] wsprintfW (in: param_1=0x28e31a, param_2="%02X" | out: param_1="97") returned 2 [0167.503] wsprintfW (in: param_1=0x28e31e, param_2="%02X" | out: param_1="A9") returned 2 [0167.503] wsprintfW (in: param_1=0x28e322, param_2="%02X" | out: param_1="E5") returned 2 [0167.504] wsprintfW (in: param_1=0x28e326, param_2="%02X" | out: param_1="6B") returned 2 [0167.504] wsprintfW (in: param_1=0x28e32a, param_2="%02X" | out: param_1="AF") returned 2 [0167.504] wsprintfW (in: param_1=0x28e32e, param_2="%02X" | out: param_1="48") returned 2 [0167.504] wsprintfW (in: param_1=0x28e332, param_2="%02X" | out: param_1="46") returned 2 [0167.504] wsprintfW (in: param_1=0x28e336, param_2="%02X" | out: param_1="24") returned 2 [0167.504] wsprintfW (in: param_1=0x28e33a, param_2="%02X" | out: param_1="C9") returned 2 [0167.504] wsprintfW (in: param_1=0x28e33e, param_2="%02X" | out: param_1="25") returned 2 [0167.504] wsprintfW (in: param_1=0x28e342, param_2="%02X" | out: param_1="7F") returned 2 [0167.513] lstrcpyW (in: lpString1=0x3c8212c, lpString2="\\\\?\\C:\\Users\\Default\\NTUSER.DAT" | out: lpString1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT") returned="\\\\?\\C:\\Users\\Default\\NTUSER.DAT" [0167.513] lstrcpyW (in: lpString1=0x3c7212c, lpString2="\\\\?\\C:\\Users\\Default\\NTUSER.DAT" | out: lpString1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT") returned="\\\\?\\C:\\Users\\Default\\NTUSER.DAT" [0167.513] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT", lpString2=".3ECB578C545301B67347B5212A86E398C002583A5897A9E56BAF484624C9257F" | out: lpString1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.3ECB578C545301B67347B5212A86E398C002583A5897A9E56BAF484624C9257F") returned="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.3ECB578C545301B67347B5212A86E398C002583A5897A9E56BAF484624C9257F" [0167.513] CreateIoCompletionPort (FileHandle=0x124, ExistingCompletionPort=0x94, CompletionKey=0x3c720f8, NumberOfConcurrentThreads=0x0) returned 0x94 [0167.513] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c720f8, lpOverlapped=0x3c720f8) returned 1 [0167.514] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0xc103692e, ftCreationTime.dwHighDateTime=0x1ca0451, ftLastAccessTime.dwLowDateTime=0x1dd1880d, ftLastAccessTime.dwHighDateTime=0x1cbf8ec, ftLastWriteTime.dwLowDateTime=0x1dd1880d, ftLastWriteTime.dwHighDateTime=0x1cbf8ec, nFileSizeHigh=0x0, nFileSizeLow=0x400, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="NTUSER.DAT.LOG", cAlternateFileName="NTUSER~3.LOG")) returned 1 [0167.514] lstrcmpiW (lpString1="NTUSER.DAT.LOG", lpString2="Windows") returned -1 [0167.514] lstrcmpiW (lpString1="NTUSER.DAT.LOG", lpString2="Program Files") returned -1 [0167.514] lstrcmpiW (lpString1="NTUSER.DAT.LOG", lpString2="Program Files (x86)") returned -1 [0167.514] lstrcmpiW (lpString1="NTUSER.DAT.LOG", lpString2="$Recycle.bin") returned 1 [0167.514] lstrcmpiW (lpString1="NTUSER.DAT.LOG", lpString2="System Volume Information") returned -1 [0167.542] lstrcmpiW (lpString1="NTUSER.DAT.LOG", lpString2=".") returned 1 [0167.542] lstrcmpiW (lpString1="NTUSER.DAT.LOG", lpString2="..") returned 1 [0167.542] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG") returned 35 [0167.542] lstrcmpW (lpString1="NTUSER.DAT.LOG", lpString2="PUSSY.TXT") returned -1 [0167.542] PathFindExtensionW (pszPath="NTUSER.DAT.LOG") returned=".LOG" [0167.542] lstrlenW (lpString=".LOG") returned 4 [0167.542] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0167.542] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG" (normalized: "c:\\users\\default\\ntuser.dat.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0167.544] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28e278 | out: lpFileSize=0x28e278*=1024) returned 1 [0167.544] GetProcessHeap () returned 0x4c0000 [0167.544] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c9a148 [0167.553] wsprintfW (in: param_1=0x28e2c6, param_2="%02X" | out: param_1="B3") returned 2 [0167.554] wsprintfW (in: param_1=0x28e2ca, param_2="%02X" | out: param_1="4F") returned 2 [0167.554] wsprintfW (in: param_1=0x28e2ce, param_2="%02X" | out: param_1="3A") returned 2 [0167.554] wsprintfW (in: param_1=0x28e2d2, param_2="%02X" | out: param_1="3C") returned 2 [0167.554] wsprintfW (in: param_1=0x28e2d6, param_2="%02X" | out: param_1="E2") returned 2 [0167.554] wsprintfW (in: param_1=0x28e2da, param_2="%02X" | out: param_1="1E") returned 2 [0167.554] wsprintfW (in: param_1=0x28e2de, param_2="%02X" | out: param_1="66") returned 2 [0167.554] wsprintfW (in: param_1=0x28e2e2, param_2="%02X" | out: param_1="AB") returned 2 [0167.554] wsprintfW (in: param_1=0x28e2e6, param_2="%02X" | out: param_1="A9") returned 2 [0167.554] wsprintfW (in: param_1=0x28e2ea, param_2="%02X" | out: param_1="60") returned 2 [0167.554] wsprintfW (in: param_1=0x28e2ee, param_2="%02X" | out: param_1="BD") returned 2 [0167.554] wsprintfW (in: param_1=0x28e2f2, param_2="%02X" | out: param_1="0C") returned 2 [0167.554] wsprintfW (in: param_1=0x28e2f6, param_2="%02X" | out: param_1="B0") returned 2 [0167.554] wsprintfW (in: param_1=0x28e2fa, param_2="%02X" | out: param_1="64") returned 2 [0167.554] wsprintfW (in: param_1=0x28e2fe, param_2="%02X" | out: param_1="91") returned 2 [0167.554] wsprintfW (in: param_1=0x28e302, param_2="%02X" | out: param_1="0D") returned 2 [0167.554] wsprintfW (in: param_1=0x28e306, param_2="%02X" | out: param_1="6F") returned 2 [0167.554] wsprintfW (in: param_1=0x28e30a, param_2="%02X" | out: param_1="BA") returned 2 [0167.554] wsprintfW (in: param_1=0x28e30e, param_2="%02X" | out: param_1="A5") returned 2 [0167.554] wsprintfW (in: param_1=0x28e312, param_2="%02X" | out: param_1="C5") returned 2 [0167.554] wsprintfW (in: param_1=0x28e316, param_2="%02X" | out: param_1="60") returned 2 [0167.554] wsprintfW (in: param_1=0x28e31a, param_2="%02X" | out: param_1="86") returned 2 [0167.554] wsprintfW (in: param_1=0x28e31e, param_2="%02X" | out: param_1="7A") returned 2 [0167.554] wsprintfW (in: param_1=0x28e322, param_2="%02X" | out: param_1="27") returned 2 [0167.554] wsprintfW (in: param_1=0x28e326, param_2="%02X" | out: param_1="E2") returned 2 [0167.554] wsprintfW (in: param_1=0x28e32a, param_2="%02X" | out: param_1="84") returned 2 [0167.554] wsprintfW (in: param_1=0x28e32e, param_2="%02X" | out: param_1="60") returned 2 [0167.555] wsprintfW (in: param_1=0x28e332, param_2="%02X" | out: param_1="0C") returned 2 [0167.555] wsprintfW (in: param_1=0x28e336, param_2="%02X" | out: param_1="92") returned 2 [0167.555] wsprintfW (in: param_1=0x28e33a, param_2="%02X" | out: param_1="F3") returned 2 [0167.555] wsprintfW (in: param_1=0x28e33e, param_2="%02X" | out: param_1="72") returned 2 [0167.555] wsprintfW (in: param_1=0x28e342, param_2="%02X" | out: param_1="5C") returned 2 [0167.565] lstrcpyW (in: lpString1=0x3caa17c, lpString2="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG" | out: lpString1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG") returned="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG" [0167.565] lstrcpyW (in: lpString1=0x3c9a17c, lpString2="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG" | out: lpString1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG") returned="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG" [0167.565] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG", lpString2=".B34F3A3CE21E66ABA960BD0CB064910D6FBAA5C560867A27E284600C92F3725C" | out: lpString1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG.B34F3A3CE21E66ABA960BD0CB064910D6FBAA5C560867A27E284600C92F3725C") returned="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG.B34F3A3CE21E66ABA960BD0CB064910D6FBAA5C560867A27E284600C92F3725C" [0167.565] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x3c9a148, NumberOfConcurrentThreads=0x0) returned 0x94 [0167.565] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c9a148, lpOverlapped=0x3c9a148) returned 1 [0167.573] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x9012aa61, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x9012aa61, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x674ac80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x2e400, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="NTUSER.DAT.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1 [0167.573] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="Windows") returned -1 [0167.573] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="Program Files") returned -1 [0167.573] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="Program Files (x86)") returned -1 [0167.573] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="$Recycle.bin") returned 1 [0167.573] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="System Volume Information") returned -1 [0167.573] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2=".") returned 1 [0167.573] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="..") returned 1 [0167.573] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1") returned 36 [0167.573] lstrcmpW (lpString1="NTUSER.DAT.LOG1", lpString2="PUSSY.TXT") returned -1 [0167.573] PathFindExtensionW (pszPath="NTUSER.DAT.LOG1") returned=".LOG1" [0167.573] lstrlenW (lpString=".LOG1") returned 5 [0167.573] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0167.573] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1" (normalized: "c:\\users\\default\\ntuser.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0167.574] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28e278 | out: lpFileSize=0x28e278*=189440) returned 1 [0167.574] GetProcessHeap () returned 0x4c0000 [0167.574] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c9a148 [0167.583] wsprintfW (in: param_1=0x28e2c6, param_2="%02X" | out: param_1="86") returned 2 [0167.583] wsprintfW (in: param_1=0x28e2ca, param_2="%02X" | out: param_1="03") returned 2 [0167.583] wsprintfW (in: param_1=0x28e2ce, param_2="%02X" | out: param_1="69") returned 2 [0167.583] wsprintfW (in: param_1=0x28e2d2, param_2="%02X" | out: param_1="F4") returned 2 [0167.583] wsprintfW (in: param_1=0x28e2d6, param_2="%02X" | out: param_1="C2") returned 2 [0167.583] wsprintfW (in: param_1=0x28e2da, param_2="%02X" | out: param_1="7F") returned 2 [0167.583] wsprintfW (in: param_1=0x28e2de, param_2="%02X" | out: param_1="5B") returned 2 [0167.583] wsprintfW (in: param_1=0x28e2e2, param_2="%02X" | out: param_1="08") returned 2 [0167.583] wsprintfW (in: param_1=0x28e2e6, param_2="%02X" | out: param_1="85") returned 2 [0167.583] wsprintfW (in: param_1=0x28e2ea, param_2="%02X" | out: param_1="1F") returned 2 [0167.583] wsprintfW (in: param_1=0x28e2ee, param_2="%02X" | out: param_1="FC") returned 2 [0167.583] wsprintfW (in: param_1=0x28e2f2, param_2="%02X" | out: param_1="F4") returned 2 [0167.583] wsprintfW (in: param_1=0x28e2f6, param_2="%02X" | out: param_1="79") returned 2 [0167.583] wsprintfW (in: param_1=0x28e2fa, param_2="%02X" | out: param_1="A9") returned 2 [0167.583] wsprintfW (in: param_1=0x28e2fe, param_2="%02X" | out: param_1="46") returned 2 [0167.583] wsprintfW (in: param_1=0x28e302, param_2="%02X" | out: param_1="60") returned 2 [0167.583] wsprintfW (in: param_1=0x28e306, param_2="%02X" | out: param_1="50") returned 2 [0167.583] wsprintfW (in: param_1=0x28e30a, param_2="%02X" | out: param_1="15") returned 2 [0167.583] wsprintfW (in: param_1=0x28e30e, param_2="%02X" | out: param_1="10") returned 2 [0167.583] wsprintfW (in: param_1=0x28e312, param_2="%02X" | out: param_1="78") returned 2 [0167.583] wsprintfW (in: param_1=0x28e316, param_2="%02X" | out: param_1="FC") returned 2 [0167.583] wsprintfW (in: param_1=0x28e31a, param_2="%02X" | out: param_1="56") returned 2 [0167.583] wsprintfW (in: param_1=0x28e31e, param_2="%02X" | out: param_1="F2") returned 2 [0167.583] wsprintfW (in: param_1=0x28e322, param_2="%02X" | out: param_1="6E") returned 2 [0167.583] wsprintfW (in: param_1=0x28e326, param_2="%02X" | out: param_1="D8") returned 2 [0167.583] wsprintfW (in: param_1=0x28e32a, param_2="%02X" | out: param_1="2F") returned 2 [0167.583] wsprintfW (in: param_1=0x28e32e, param_2="%02X" | out: param_1="4D") returned 2 [0167.583] wsprintfW (in: param_1=0x28e332, param_2="%02X" | out: param_1="38") returned 2 [0167.583] wsprintfW (in: param_1=0x28e336, param_2="%02X" | out: param_1="F9") returned 2 [0167.583] wsprintfW (in: param_1=0x28e33a, param_2="%02X" | out: param_1="3B") returned 2 [0167.583] wsprintfW (in: param_1=0x28e33e, param_2="%02X" | out: param_1="12") returned 2 [0167.583] wsprintfW (in: param_1=0x28e342, param_2="%02X" | out: param_1="36") returned 2 [0167.592] lstrcpyW (in: lpString1=0x3caa17c, lpString2="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1" | out: lpString1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1") returned="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1" [0167.592] lstrcpyW (in: lpString1=0x3c9a17c, lpString2="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1" | out: lpString1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1") returned="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1" [0167.592] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1", lpString2=".860369F4C27F5B08851FFCF479A9466050151078FC56F26ED82F4D38F93B1236" | out: lpString1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1.860369F4C27F5B08851FFCF479A9466050151078FC56F26ED82F4D38F93B1236") returned="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1.860369F4C27F5B08851FFCF479A9466050151078FC56F26ED82F4D38F93B1236" [0167.592] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x3c9a148, NumberOfConcurrentThreads=0x0) returned 0x94 [0167.592] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c9a148, lpOverlapped=0x3c9a148) returned 1 [0167.592] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x9012aa61, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x9012aa61, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x9012aa61, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="NTUSER.DAT.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1 [0167.593] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="Windows") returned -1 [0167.593] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="Program Files") returned -1 [0167.593] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="Program Files (x86)") returned -1 [0167.625] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="$Recycle.bin") returned 1 [0167.625] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="System Volume Information") returned -1 [0167.625] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2=".") returned 1 [0167.625] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="..") returned 1 [0167.625] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG2") returned 36 [0167.625] lstrcmpW (lpString1="NTUSER.DAT.LOG2", lpString2="PUSSY.TXT") returned -1 [0167.625] PathFindExtensionW (pszPath="NTUSER.DAT.LOG2") returned=".LOG2" [0167.625] lstrlenW (lpString=".LOG2") returned 5 [0167.625] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0167.626] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG2" (normalized: "c:\\users\\default\\ntuser.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0167.626] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x28e278 | out: lpFileSize=0x28e278*=0) returned 1 [0167.626] CloseHandle (hObject=0x1d8) returned 1 [0167.627] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf8d30919, ftCreationTime.dwHighDateTime=0x1ca043d, ftLastAccessTime.dwLowDateTime=0xf8d30919, ftLastAccessTime.dwHighDateTime=0x1ca043d, ftLastWriteTime.dwLowDateTime=0xf8ead6dc, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1 [0167.627] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="Windows") returned -1 [0167.627] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="Program Files") returned -1 [0167.627] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="Program Files (x86)") returned -1 [0167.627] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="$Recycle.bin") returned 1 [0167.627] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="System Volume Information") returned -1 [0167.627] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2=".") returned 1 [0167.627] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="..") returned 1 [0167.627] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 76 [0167.627] lstrcmpW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="PUSSY.TXT") returned -1 [0167.627] PathFindExtensionW (pszPath="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned=".blf" [0167.627] lstrlenW (lpString=".blf") returned 4 [0167.627] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0167.627] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0167.628] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x28e278 | out: lpFileSize=0x28e278*=65536) returned 1 [0167.628] GetProcessHeap () returned 0x4c0000 [0167.628] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0167.640] wsprintfW (in: param_1=0x28e2c6, param_2="%02X" | out: param_1="97") returned 2 [0167.640] wsprintfW (in: param_1=0x28e2ca, param_2="%02X" | out: param_1="1D") returned 2 [0167.640] wsprintfW (in: param_1=0x28e2ce, param_2="%02X" | out: param_1="C4") returned 2 [0167.640] wsprintfW (in: param_1=0x28e2d2, param_2="%02X" | out: param_1="17") returned 2 [0167.640] wsprintfW (in: param_1=0x28e2d6, param_2="%02X" | out: param_1="0E") returned 2 [0167.640] wsprintfW (in: param_1=0x28e2da, param_2="%02X" | out: param_1="D0") returned 2 [0167.640] wsprintfW (in: param_1=0x28e2de, param_2="%02X" | out: param_1="20") returned 2 [0167.640] wsprintfW (in: param_1=0x28e2e2, param_2="%02X" | out: param_1="0E") returned 2 [0167.640] wsprintfW (in: param_1=0x28e2e6, param_2="%02X" | out: param_1="91") returned 2 [0167.640] wsprintfW (in: param_1=0x28e2ea, param_2="%02X" | out: param_1="25") returned 2 [0167.640] wsprintfW (in: param_1=0x28e2ee, param_2="%02X" | out: param_1="30") returned 2 [0167.640] wsprintfW (in: param_1=0x28e2f2, param_2="%02X" | out: param_1="D6") returned 2 [0167.640] wsprintfW (in: param_1=0x28e2f6, param_2="%02X" | out: param_1="54") returned 2 [0167.640] wsprintfW (in: param_1=0x28e2fa, param_2="%02X" | out: param_1="D4") returned 2 [0167.640] wsprintfW (in: param_1=0x28e2fe, param_2="%02X" | out: param_1="AB") returned 2 [0167.640] wsprintfW (in: param_1=0x28e302, param_2="%02X" | out: param_1="14") returned 2 [0167.640] wsprintfW (in: param_1=0x28e306, param_2="%02X" | out: param_1="D8") returned 2 [0167.640] wsprintfW (in: param_1=0x28e30a, param_2="%02X" | out: param_1="7A") returned 2 [0167.640] wsprintfW (in: param_1=0x28e30e, param_2="%02X" | out: param_1="47") returned 2 [0167.640] wsprintfW (in: param_1=0x28e312, param_2="%02X" | out: param_1="F0") returned 2 [0167.640] wsprintfW (in: param_1=0x28e316, param_2="%02X" | out: param_1="D0") returned 2 [0167.640] wsprintfW (in: param_1=0x28e31a, param_2="%02X" | out: param_1="9D") returned 2 [0167.640] wsprintfW (in: param_1=0x28e31e, param_2="%02X" | out: param_1="D0") returned 2 [0167.640] wsprintfW (in: param_1=0x28e322, param_2="%02X" | out: param_1="57") returned 2 [0167.640] wsprintfW (in: param_1=0x28e326, param_2="%02X" | out: param_1="4B") returned 2 [0167.641] wsprintfW (in: param_1=0x28e32a, param_2="%02X" | out: param_1="7A") returned 2 [0167.641] wsprintfW (in: param_1=0x28e32e, param_2="%02X" | out: param_1="CF") returned 2 [0167.641] wsprintfW (in: param_1=0x28e332, param_2="%02X" | out: param_1="0B") returned 2 [0167.641] wsprintfW (in: param_1=0x28e336, param_2="%02X" | out: param_1="07") returned 2 [0167.641] wsprintfW (in: param_1=0x28e33a, param_2="%02X" | out: param_1="79") returned 2 [0167.641] wsprintfW (in: param_1=0x28e33e, param_2="%02X" | out: param_1="7A") returned 2 [0167.641] wsprintfW (in: param_1=0x28e342, param_2="%02X" | out: param_1="0F") returned 2 [0167.649] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" | out: lpString1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" [0167.649] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" | out: lpString1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" [0167.649] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2=".971DC4170ED0200E912530D654D4AB14D87A47F0D09DD0574B7ACF0B07797A0F" | out: lpString1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.971DC4170ED0200E912530D654D4AB14D87A47F0D09DD0574B7ACF0B07797A0F") returned="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.971DC4170ED0200E912530D654D4AB14D87A47F0D09DD0574B7ACF0B07797A0F" [0167.649] CreateIoCompletionPort (FileHandle=0x1d8, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0167.650] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0167.650] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf8da2d3a, ftCreationTime.dwHighDateTime=0x1ca043d, ftLastAccessTime.dwLowDateTime=0xf8da2d3a, ftLastAccessTime.dwHighDateTime=0x1ca043d, ftLastWriteTime.dwLowDateTime=0xf8e8757c, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1 [0167.650] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="Windows") returned -1 [0167.650] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="Program Files") returned -1 [0167.650] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="Program Files (x86)") returned -1 [0167.650] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="$Recycle.bin") returned 1 [0167.650] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="System Volume Information") returned -1 [0167.680] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2=".") returned 1 [0167.680] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="..") returned 1 [0167.680] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 113 [0167.680] lstrcmpW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="PUSSY.TXT") returned -1 [0167.680] PathFindExtensionW (pszPath="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned=".regtrans-ms" [0167.680] lstrlenW (lpString=".regtrans-ms") returned 12 [0167.680] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0167.680] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0167.681] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28e278 | out: lpFileSize=0x28e278*=524288) returned 1 [0167.681] GetProcessHeap () returned 0x4c0000 [0167.681] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c28098 [0167.691] wsprintfW (in: param_1=0x28e2c6, param_2="%02X" | out: param_1="72") returned 2 [0167.691] wsprintfW (in: param_1=0x28e2ca, param_2="%02X" | out: param_1="FF") returned 2 [0167.691] wsprintfW (in: param_1=0x28e2ce, param_2="%02X" | out: param_1="7F") returned 2 [0167.691] wsprintfW (in: param_1=0x28e2d2, param_2="%02X" | out: param_1="BA") returned 2 [0167.692] wsprintfW (in: param_1=0x28e2d6, param_2="%02X" | out: param_1="0B") returned 2 [0167.692] wsprintfW (in: param_1=0x28e2da, param_2="%02X" | out: param_1="78") returned 2 [0167.692] wsprintfW (in: param_1=0x28e2de, param_2="%02X" | out: param_1="47") returned 2 [0167.692] wsprintfW (in: param_1=0x28e2e2, param_2="%02X" | out: param_1="DB") returned 2 [0167.692] wsprintfW (in: param_1=0x28e2e6, param_2="%02X" | out: param_1="E6") returned 2 [0167.692] wsprintfW (in: param_1=0x28e2ea, param_2="%02X" | out: param_1="CC") returned 2 [0167.692] wsprintfW (in: param_1=0x28e2ee, param_2="%02X" | out: param_1="E6") returned 2 [0167.692] wsprintfW (in: param_1=0x28e2f2, param_2="%02X" | out: param_1="F5") returned 2 [0167.692] wsprintfW (in: param_1=0x28e2f6, param_2="%02X" | out: param_1="19") returned 2 [0167.692] wsprintfW (in: param_1=0x28e2fa, param_2="%02X" | out: param_1="21") returned 2 [0167.692] wsprintfW (in: param_1=0x28e2fe, param_2="%02X" | out: param_1="42") returned 2 [0167.692] wsprintfW (in: param_1=0x28e302, param_2="%02X" | out: param_1="EE") returned 2 [0167.692] wsprintfW (in: param_1=0x28e306, param_2="%02X" | out: param_1="B0") returned 2 [0167.692] wsprintfW (in: param_1=0x28e30a, param_2="%02X" | out: param_1="A2") returned 2 [0167.692] wsprintfW (in: param_1=0x28e30e, param_2="%02X" | out: param_1="49") returned 2 [0167.692] wsprintfW (in: param_1=0x28e312, param_2="%02X" | out: param_1="FC") returned 2 [0167.692] wsprintfW (in: param_1=0x28e316, param_2="%02X" | out: param_1="F9") returned 2 [0167.692] wsprintfW (in: param_1=0x28e31a, param_2="%02X" | out: param_1="2E") returned 2 [0167.692] wsprintfW (in: param_1=0x28e31e, param_2="%02X" | out: param_1="8A") returned 2 [0167.692] wsprintfW (in: param_1=0x28e322, param_2="%02X" | out: param_1="BF") returned 2 [0167.692] wsprintfW (in: param_1=0x28e326, param_2="%02X" | out: param_1="8A") returned 2 [0167.692] wsprintfW (in: param_1=0x28e32a, param_2="%02X" | out: param_1="D2") returned 2 [0167.692] wsprintfW (in: param_1=0x28e32e, param_2="%02X" | out: param_1="9D") returned 2 [0167.692] wsprintfW (in: param_1=0x28e332, param_2="%02X" | out: param_1="A8") returned 2 [0167.692] wsprintfW (in: param_1=0x28e336, param_2="%02X" | out: param_1="87") returned 2 [0167.692] wsprintfW (in: param_1=0x28e33a, param_2="%02X" | out: param_1="7F") returned 2 [0167.692] wsprintfW (in: param_1=0x28e33e, param_2="%02X" | out: param_1="17") returned 2 [0167.692] wsprintfW (in: param_1=0x28e342, param_2="%02X" | out: param_1="56") returned 2 [0167.701] lstrcpyW (in: lpString1=0x3c380cc, lpString2="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" | out: lpString1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" [0167.701] lstrcpyW (in: lpString1=0x3c280cc, lpString2="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" | out: lpString1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" [0167.701] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2=".72FF7FBA0B7847DBE6CCE6F5192142EEB0A249FCF92E8ABF8AD29DA8877F1756" | out: lpString1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.72FF7FBA0B7847DBE6CCE6F5192142EEB0A249FCF92E8ABF8AD29DA8877F1756") returned="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.72FF7FBA0B7847DBE6CCE6F5192142EEB0A249FCF92E8ABF8AD29DA8877F1756" [0167.701] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x3c28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0167.701] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c28098, lpOverlapped=0x3c28098) returned 1 [0167.702] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf8deeffb, ftCreationTime.dwHighDateTime=0x1ca043d, ftLastAccessTime.dwLowDateTime=0xf8deeffb, ftLastAccessTime.dwHighDateTime=0x1ca043d, ftLastWriteTime.dwLowDateTime=0xf8ead6dc, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1 [0167.702] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="Windows") returned -1 [0167.702] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="Program Files") returned -1 [0167.702] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="Program Files (x86)") returned -1 [0167.702] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="$Recycle.bin") returned 1 [0167.702] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="System Volume Information") returned -1 [0167.702] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2=".") returned 1 [0167.702] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="..") returned 1 [0167.702] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 113 [0167.702] lstrcmpW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="PUSSY.TXT") returned -1 [0167.702] PathFindExtensionW (pszPath="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned=".regtrans-ms" [0167.702] lstrlenW (lpString=".regtrans-ms") returned 12 [0167.702] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0167.702] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xec [0167.703] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x28e278 | out: lpFileSize=0x28e278*=524288) returned 1 [0167.703] GetProcessHeap () returned 0x4c0000 [0167.703] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0167.747] wsprintfW (in: param_1=0x28e2c6, param_2="%02X" | out: param_1="4E") returned 2 [0167.747] wsprintfW (in: param_1=0x28e2ca, param_2="%02X" | out: param_1="EA") returned 2 [0167.747] wsprintfW (in: param_1=0x28e2ce, param_2="%02X" | out: param_1="3C") returned 2 [0167.747] wsprintfW (in: param_1=0x28e2d2, param_2="%02X" | out: param_1="6A") returned 2 [0167.747] wsprintfW (in: param_1=0x28e2d6, param_2="%02X" | out: param_1="CF") returned 2 [0167.747] wsprintfW (in: param_1=0x28e2da, param_2="%02X" | out: param_1="0F") returned 2 [0167.747] wsprintfW (in: param_1=0x28e2de, param_2="%02X" | out: param_1="54") returned 2 [0167.747] wsprintfW (in: param_1=0x28e2e2, param_2="%02X" | out: param_1="73") returned 2 [0167.747] wsprintfW (in: param_1=0x28e2e6, param_2="%02X" | out: param_1="57") returned 2 [0167.747] wsprintfW (in: param_1=0x28e2ea, param_2="%02X" | out: param_1="38") returned 2 [0167.747] wsprintfW (in: param_1=0x28e2ee, param_2="%02X" | out: param_1="24") returned 2 [0167.747] wsprintfW (in: param_1=0x28e2f2, param_2="%02X" | out: param_1="85") returned 2 [0167.747] wsprintfW (in: param_1=0x28e2f6, param_2="%02X" | out: param_1="2F") returned 2 [0167.747] wsprintfW (in: param_1=0x28e2fa, param_2="%02X" | out: param_1="2F") returned 2 [0167.747] wsprintfW (in: param_1=0x28e2fe, param_2="%02X" | out: param_1="60") returned 2 [0167.747] wsprintfW (in: param_1=0x28e302, param_2="%02X" | out: param_1="28") returned 2 [0167.747] wsprintfW (in: param_1=0x28e306, param_2="%02X" | out: param_1="73") returned 2 [0167.748] wsprintfW (in: param_1=0x28e30a, param_2="%02X" | out: param_1="F7") returned 2 [0167.748] wsprintfW (in: param_1=0x28e30e, param_2="%02X" | out: param_1="F9") returned 2 [0167.748] wsprintfW (in: param_1=0x28e312, param_2="%02X" | out: param_1="92") returned 2 [0167.748] wsprintfW (in: param_1=0x28e316, param_2="%02X" | out: param_1="80") returned 2 [0167.748] wsprintfW (in: param_1=0x28e31a, param_2="%02X" | out: param_1="4E") returned 2 [0167.748] wsprintfW (in: param_1=0x28e31e, param_2="%02X" | out: param_1="13") returned 2 [0167.748] wsprintfW (in: param_1=0x28e322, param_2="%02X" | out: param_1="4E") returned 2 [0167.748] wsprintfW (in: param_1=0x28e326, param_2="%02X" | out: param_1="6F") returned 2 [0167.748] wsprintfW (in: param_1=0x28e32a, param_2="%02X" | out: param_1="E5") returned 2 [0167.748] wsprintfW (in: param_1=0x28e32e, param_2="%02X" | out: param_1="69") returned 2 [0167.748] wsprintfW (in: param_1=0x28e332, param_2="%02X" | out: param_1="D8") returned 2 [0167.748] wsprintfW (in: param_1=0x28e336, param_2="%02X" | out: param_1="55") returned 2 [0167.748] wsprintfW (in: param_1=0x28e33a, param_2="%02X" | out: param_1="9A") returned 2 [0167.748] wsprintfW (in: param_1=0x28e33e, param_2="%02X" | out: param_1="6B") returned 2 [0167.748] wsprintfW (in: param_1=0x28e342, param_2="%02X" | out: param_1="69") returned 2 [0167.757] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" | out: lpString1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" [0167.758] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" | out: lpString1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" [0167.758] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2=".4EEA3C6ACF0F5473573824852F2F602873F7F992804E134E6FE569D8559A6B69" | out: lpString1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.4EEA3C6ACF0F5473573824852F2F602873F7F992804E134E6FE569D8559A6B69") returned="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.4EEA3C6ACF0F5473573824852F2F602873F7F992804E134E6FE569D8559A6B69" [0167.758] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0167.758] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0167.759] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xe9bbeade, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x14, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="ntuser.ini", cAlternateFileName="")) returned 1 [0167.759] lstrcmpiW (lpString1="ntuser.ini", lpString2="Windows") returned -1 [0167.759] lstrcmpiW (lpString1="ntuser.ini", lpString2="Program Files") returned -1 [0167.759] lstrcmpiW (lpString1="ntuser.ini", lpString2="Program Files (x86)") returned -1 [0167.792] lstrcmpiW (lpString1="ntuser.ini", lpString2="$Recycle.bin") returned 1 [0167.792] lstrcmpiW (lpString1="ntuser.ini", lpString2="System Volume Information") returned -1 [0167.792] lstrcmpiW (lpString1="ntuser.ini", lpString2=".") returned 1 [0167.792] lstrcmpiW (lpString1="ntuser.ini", lpString2="..") returned 1 [0167.792] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\ntuser.ini") returned 31 [0167.792] lstrcmpW (lpString1="ntuser.ini", lpString2="PUSSY.TXT") returned -1 [0167.792] PathFindExtensionW (pszPath="ntuser.ini") returned=".ini" [0167.792] lstrlenW (lpString=".ini") returned 4 [0167.792] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0167.792] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\ntuser.ini" (normalized: "c:\\users\\default\\ntuser.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0167.793] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28e278 | out: lpFileSize=0x28e278*=20) returned 1 [0167.793] CloseHandle (hObject=0x178) returned 1 [0167.793] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Pictures", cAlternateFileName="")) returned 1 [0167.793] lstrcmpiW (lpString1="Pictures", lpString2="Windows") returned -1 [0167.793] lstrcmpiW (lpString1="Pictures", lpString2="Program Files") returned -1 [0167.793] lstrcmpiW (lpString1="Pictures", lpString2="Program Files (x86)") returned -1 [0167.794] lstrcmpiW (lpString1="Pictures", lpString2="$Recycle.bin") returned 1 [0167.794] lstrcmpiW (lpString1="Pictures", lpString2="System Volume Information") returned -1 [0167.794] lstrcmpiW (lpString1="Pictures", lpString2=".") returned 1 [0167.794] lstrcmpiW (lpString1="Pictures", lpString2="..") returned 1 [0167.794] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Pictures") returned 29 [0167.794] GetProcessHeap () returned 0x4c0000 [0167.794] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0167.794] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\Default\\Pictures" | out: lpString1="\\\\?\\C:\\Users\\Default\\Pictures") returned="\\\\?\\C:\\Users\\Default\\Pictures" [0167.794] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Pictures", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Pictures\\*") returned="\\\\?\\C:\\Users\\Default\\Pictures\\*" [0167.794] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Pictures\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0167.794] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0167.794] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0167.794] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0167.794] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0167.794] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0167.794] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0167.794] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0167.794] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0167.795] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0167.795] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0167.795] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0167.795] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0167.795] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0167.795] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0167.795] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0167.795] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0167.795] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0167.795] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0167.795] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0167.795] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0167.795] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0167.795] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0167.795] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Pictures\\desktop.ini") returned 41 [0167.795] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0167.795] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0167.795] lstrlenW (lpString=".ini") returned 4 [0167.795] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0167.795] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Pictures\\desktop.ini" (normalized: "c:\\users\\default\\pictures\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x190 [0167.796] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=504) returned 1 [0167.796] CloseHandle (hObject=0x190) returned 1 [0167.796] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0167.796] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0167.796] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Pictures\\PUSSY.TXT") returned 39 [0167.796] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Pictures\\PUSSY.TXT" (normalized: "c:\\users\\default\\pictures\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0167.797] lstrlenA (lpString="abcd") returned 4 [0167.797] WriteFile (in: hFile=0x178, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0167.797] CloseHandle (hObject=0x178) returned 1 [0167.798] GetProcessHeap () returned 0x4c0000 [0167.798] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0167.798] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x30702f92, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x30702f92, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x30702f92, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1 [0167.798] lstrcmpiW (lpString1="PrintHood", lpString2="Windows") returned -1 [0167.798] lstrcmpiW (lpString1="PrintHood", lpString2="Program Files") returned -1 [0167.798] lstrcmpiW (lpString1="PrintHood", lpString2="Program Files (x86)") returned -1 [0167.798] lstrcmpiW (lpString1="PrintHood", lpString2="$Recycle.bin") returned 1 [0167.798] lstrcmpiW (lpString1="PrintHood", lpString2="System Volume Information") returned -1 [0167.798] lstrcmpiW (lpString1="PrintHood", lpString2=".") returned 1 [0167.798] lstrcmpiW (lpString1="PrintHood", lpString2="..") returned 1 [0167.798] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\PrintHood") returned 30 [0167.798] GetProcessHeap () returned 0x4c0000 [0167.798] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0167.798] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\Default\\PrintHood" | out: lpString1="\\\\?\\C:\\Users\\Default\\PrintHood") returned="\\\\?\\C:\\Users\\Default\\PrintHood" [0167.798] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\PrintHood", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\PrintHood\\*") returned="\\\\?\\C:\\Users\\Default\\PrintHood\\*" [0167.798] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\PrintHood\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="desktop.ini", cAlternateFileName="d")) returned 0xffffffff [0167.798] GetProcessHeap () returned 0x4c0000 [0167.798] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0167.798] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x30702f92, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x30702f92, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x30702f92, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Recent", cAlternateFileName="")) returned 1 [0167.798] lstrcmpiW (lpString1="Recent", lpString2="Windows") returned -1 [0167.798] lstrcmpiW (lpString1="Recent", lpString2="Program Files") returned 1 [0167.798] lstrcmpiW (lpString1="Recent", lpString2="Program Files (x86)") returned 1 [0167.798] lstrcmpiW (lpString1="Recent", lpString2="$Recycle.bin") returned 1 [0167.798] lstrcmpiW (lpString1="Recent", lpString2="System Volume Information") returned -1 [0167.799] lstrcmpiW (lpString1="Recent", lpString2=".") returned 1 [0167.799] lstrcmpiW (lpString1="Recent", lpString2="..") returned 1 [0167.799] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Recent") returned 27 [0167.799] GetProcessHeap () returned 0x4c0000 [0167.799] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0167.799] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\Default\\Recent" | out: lpString1="\\\\?\\C:\\Users\\Default\\Recent") returned="\\\\?\\C:\\Users\\Default\\Recent" [0167.799] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Recent", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Recent\\*") returned="\\\\?\\C:\\Users\\Default\\Recent\\*" [0167.799] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Recent\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="desktop.ini", cAlternateFileName="t")) returned 0xffffffff [0167.799] GetProcessHeap () returned 0x4c0000 [0167.799] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0167.799] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd894d74c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0167.799] lstrcmpiW (lpString1="Saved Games", lpString2="Windows") returned -1 [0167.799] lstrcmpiW (lpString1="Saved Games", lpString2="Program Files") returned 1 [0167.799] lstrcmpiW (lpString1="Saved Games", lpString2="Program Files (x86)") returned 1 [0167.799] lstrcmpiW (lpString1="Saved Games", lpString2="$Recycle.bin") returned 1 [0167.799] lstrcmpiW (lpString1="Saved Games", lpString2="System Volume Information") returned -1 [0167.799] lstrcmpiW (lpString1="Saved Games", lpString2=".") returned 1 [0167.799] lstrcmpiW (lpString1="Saved Games", lpString2="..") returned 1 [0167.799] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Saved Games") returned 32 [0167.799] GetProcessHeap () returned 0x4c0000 [0167.799] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0167.799] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\Default\\Saved Games" | out: lpString1="\\\\?\\C:\\Users\\Default\\Saved Games") returned="\\\\?\\C:\\Users\\Default\\Saved Games" [0167.799] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Saved Games", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Saved Games\\*") returned="\\\\?\\C:\\Users\\Default\\Saved Games\\*" [0167.799] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Saved Games\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd894d74c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0167.800] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0167.800] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0167.800] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0167.800] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0167.800] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0167.800] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0167.800] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd894d74c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0167.800] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0167.800] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0167.800] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0167.800] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0167.800] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0167.800] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0167.800] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0167.800] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd894d74c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0167.800] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0167.800] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0167.800] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0167.800] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0167.800] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0167.800] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0167.801] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0167.801] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Saved Games\\desktop.ini") returned 44 [0167.801] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0167.801] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0167.801] lstrlenW (lpString=".ini") returned 4 [0167.801] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0167.801] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Saved Games\\desktop.ini" (normalized: "c:\\users\\default\\saved games\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x190 [0167.801] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=282) returned 1 [0167.801] CloseHandle (hObject=0x190) returned 1 [0167.801] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd894d74c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0167.801] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0167.809] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Saved Games\\PUSSY.TXT") returned 42 [0167.809] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Saved Games\\PUSSY.TXT" (normalized: "c:\\users\\default\\saved games\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0167.810] lstrlenA (lpString="abcd") returned 4 [0167.810] WriteFile (in: hFile=0x178, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0167.811] CloseHandle (hObject=0x178) returned 1 [0167.811] GetProcessHeap () returned 0x4c0000 [0167.811] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0167.811] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88b51cb, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Searches", cAlternateFileName="")) returned 1 [0167.811] lstrcmpiW (lpString1="Searches", lpString2="Windows") returned -1 [0167.811] lstrcmpiW (lpString1="Searches", lpString2="Program Files") returned 1 [0167.811] lstrcmpiW (lpString1="Searches", lpString2="Program Files (x86)") returned 1 [0167.811] lstrcmpiW (lpString1="Searches", lpString2="$Recycle.bin") returned 1 [0167.811] lstrcmpiW (lpString1="Searches", lpString2="System Volume Information") returned -1 [0167.811] lstrcmpiW (lpString1="Searches", lpString2=".") returned 1 [0167.811] lstrcmpiW (lpString1="Searches", lpString2="..") returned 1 [0167.811] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Searches") returned 29 [0167.811] GetProcessHeap () returned 0x4c0000 [0167.811] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0167.811] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\Default\\Searches" | out: lpString1="\\\\?\\C:\\Users\\Default\\Searches") returned="\\\\?\\C:\\Users\\Default\\Searches" [0167.811] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Searches", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Searches\\*") returned="\\\\?\\C:\\Users\\Default\\Searches\\*" [0167.811] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Searches\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88b51cb, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0167.859] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0167.859] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0167.859] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0167.859] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0167.859] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0167.859] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0167.859] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88b51cb, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0167.859] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0167.859] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0167.859] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0167.859] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0167.859] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0167.859] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0167.859] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0167.859] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88b51cb, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x20c, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0167.859] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0167.859] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0167.859] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0167.859] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0167.859] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0167.859] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0167.860] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0167.860] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Searches\\desktop.ini") returned 41 [0167.860] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0167.860] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0167.860] lstrlenW (lpString=".ini") returned 4 [0167.860] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0167.860] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Searches\\desktop.ini" (normalized: "c:\\users\\default\\searches\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x124 [0167.861] GetFileSizeEx (in: hFile=0x124, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=524) returned 1 [0167.861] GetProcessHeap () returned 0x4c0000 [0167.861] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c720f8 [0167.870] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="F8") returned 2 [0167.870] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="C4") returned 2 [0167.870] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="CB") returned 2 [0167.870] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="8E") returned 2 [0167.870] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="0B") returned 2 [0167.870] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="46") returned 2 [0167.870] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="C2") returned 2 [0167.870] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="F2") returned 2 [0167.870] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="5C") returned 2 [0167.871] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="B1") returned 2 [0167.871] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="AA") returned 2 [0167.871] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="D6") returned 2 [0167.871] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="05") returned 2 [0167.871] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="FB") returned 2 [0167.871] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="D9") returned 2 [0167.871] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="1E") returned 2 [0167.871] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="62") returned 2 [0167.871] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="6E") returned 2 [0167.871] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="5C") returned 2 [0167.871] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="05") returned 2 [0167.871] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="87") returned 2 [0167.871] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="76") returned 2 [0167.871] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="4A") returned 2 [0167.871] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="31") returned 2 [0167.871] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="FE") returned 2 [0167.871] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="7A") returned 2 [0167.871] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="BA") returned 2 [0167.871] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="BA") returned 2 [0167.871] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="13") returned 2 [0167.871] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="B4") returned 2 [0167.871] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="15") returned 2 [0167.871] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="3E") returned 2 [0167.881] lstrcpyW (in: lpString1=0x3c8212c, lpString2="\\\\?\\C:\\Users\\Default\\Searches\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Default\\Searches\\desktop.ini") returned="\\\\?\\C:\\Users\\Default\\Searches\\desktop.ini" [0167.881] lstrcpyW (in: lpString1=0x3c7212c, lpString2="\\\\?\\C:\\Users\\Default\\Searches\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Default\\Searches\\desktop.ini") returned="\\\\?\\C:\\Users\\Default\\Searches\\desktop.ini" [0167.881] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Searches\\desktop.ini", lpString2=".F8C4CB8E0B46C2F25CB1AAD605FBD91E626E5C0587764A31FE7ABABA13B4153E" | out: lpString1="\\\\?\\C:\\Users\\Default\\Searches\\desktop.ini.F8C4CB8E0B46C2F25CB1AAD605FBD91E626E5C0587764A31FE7ABABA13B4153E") returned="\\\\?\\C:\\Users\\Default\\Searches\\desktop.ini.F8C4CB8E0B46C2F25CB1AAD605FBD91E626E5C0587764A31FE7ABABA13B4153E" [0167.881] CreateIoCompletionPort (FileHandle=0x124, ExistingCompletionPort=0x94, CompletionKey=0x3c720f8, NumberOfConcurrentThreads=0x0) returned 0x94 [0167.881] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c720f8, lpOverlapped=0x3c720f8) returned 1 [0167.881] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99d9932, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Everywhere.search-ms", cAlternateFileName="EVERYW~1.SEA")) returned 1 [0167.881] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="Windows") returned -1 [0167.881] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="Program Files") returned -1 [0167.881] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="Program Files (x86)") returned -1 [0167.881] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="$Recycle.bin") returned 1 [0167.881] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="System Volume Information") returned -1 [0167.881] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2=".") returned 1 [0167.882] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="..") returned 1 [0167.882] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Searches\\Everywhere.search-ms") returned 50 [0167.882] lstrcmpW (lpString1="Everywhere.search-ms", lpString2="PUSSY.TXT") returned -1 [0167.882] PathFindExtensionW (pszPath="Everywhere.search-ms") returned=".search-ms" [0167.882] lstrlenW (lpString=".search-ms") returned 10 [0167.882] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0167.882] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Searches\\Everywhere.search-ms" (normalized: "c:\\users\\default\\searches\\everywhere.search-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0167.882] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 1 [0167.882] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="Windows") returned -1 [0167.882] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="Program Files") returned -1 [0167.882] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="Program Files (x86)") returned -1 [0167.882] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="$Recycle.bin") returned 1 [0167.882] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="System Volume Information") returned -1 [0167.882] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2=".") returned 1 [0167.882] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="..") returned 1 [0167.882] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Searches\\Indexed Locations.search-ms") returned 57 [0167.882] lstrcmpW (lpString1="Indexed Locations.search-ms", lpString2="PUSSY.TXT") returned -1 [0167.882] PathFindExtensionW (pszPath="Indexed Locations.search-ms") returned=".search-ms" [0167.882] lstrlenW (lpString=".search-ms") returned 10 [0167.882] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0167.882] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Searches\\Indexed Locations.search-ms" (normalized: "c:\\users\\default\\searches\\indexed locations.search-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0167.883] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 0 [0167.883] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0167.883] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Searches\\PUSSY.TXT") returned 39 [0167.883] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Searches\\PUSSY.TXT" (normalized: "c:\\users\\default\\searches\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0167.883] lstrlenA (lpString="abcd") returned 4 [0167.884] WriteFile (in: hFile=0x178, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0167.884] CloseHandle (hObject=0x178) returned 1 [0167.884] GetProcessHeap () returned 0x4c0000 [0167.885] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0167.885] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x30702f92, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x30702f92, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x30702f92, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="SendTo", cAlternateFileName="")) returned 1 [0167.885] lstrcmpiW (lpString1="SendTo", lpString2="Windows") returned -1 [0167.885] lstrcmpiW (lpString1="SendTo", lpString2="Program Files") returned 1 [0167.885] lstrcmpiW (lpString1="SendTo", lpString2="Program Files (x86)") returned 1 [0167.885] lstrcmpiW (lpString1="SendTo", lpString2="$Recycle.bin") returned 1 [0167.885] lstrcmpiW (lpString1="SendTo", lpString2="System Volume Information") returned -1 [0167.885] lstrcmpiW (lpString1="SendTo", lpString2=".") returned 1 [0167.885] lstrcmpiW (lpString1="SendTo", lpString2="..") returned 1 [0167.885] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\SendTo") returned 27 [0167.885] GetProcessHeap () returned 0x4c0000 [0167.885] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0167.885] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\Default\\SendTo" | out: lpString1="\\\\?\\C:\\Users\\Default\\SendTo") returned="\\\\?\\C:\\Users\\Default\\SendTo" [0167.885] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\SendTo", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\SendTo\\*") returned="\\\\?\\C:\\Users\\Default\\SendTo\\*" [0167.885] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\SendTo\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Indexed Locations.search-ms", cAlternateFileName="o")) returned 0xffffffff [0167.885] GetProcessHeap () returned 0x4c0000 [0167.885] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0167.885] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x30702f92, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x30702f92, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x30702f92, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0167.885] lstrcmpiW (lpString1="Start Menu", lpString2="Windows") returned -1 [0167.885] lstrcmpiW (lpString1="Start Menu", lpString2="Program Files") returned 1 [0167.885] lstrcmpiW (lpString1="Start Menu", lpString2="Program Files (x86)") returned 1 [0167.885] lstrcmpiW (lpString1="Start Menu", lpString2="$Recycle.bin") returned 1 [0167.885] lstrcmpiW (lpString1="Start Menu", lpString2="System Volume Information") returned -1 [0167.885] lstrcmpiW (lpString1="Start Menu", lpString2=".") returned 1 [0167.886] lstrcmpiW (lpString1="Start Menu", lpString2="..") returned 1 [0167.886] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Start Menu") returned 31 [0167.886] GetProcessHeap () returned 0x4c0000 [0167.886] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0167.886] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\Default\\Start Menu" | out: lpString1="\\\\?\\C:\\Users\\Default\\Start Menu") returned="\\\\?\\C:\\Users\\Default\\Start Menu" [0167.886] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Start Menu", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Start Menu\\*") returned="\\\\?\\C:\\Users\\Default\\Start Menu\\*" [0167.886] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Start Menu\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Indexed Locations.search-ms", cAlternateFileName="u")) returned 0xffffffff [0167.886] GetProcessHeap () returned 0x4c0000 [0167.886] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0167.886] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x30702f92, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x30702f92, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x30702f92, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0167.886] lstrcmpiW (lpString1="Templates", lpString2="Windows") returned -1 [0167.886] lstrcmpiW (lpString1="Templates", lpString2="Program Files") returned 1 [0167.886] lstrcmpiW (lpString1="Templates", lpString2="Program Files (x86)") returned 1 [0167.886] lstrcmpiW (lpString1="Templates", lpString2="$Recycle.bin") returned 1 [0167.886] lstrcmpiW (lpString1="Templates", lpString2="System Volume Information") returned 1 [0167.886] lstrcmpiW (lpString1="Templates", lpString2=".") returned 1 [0167.886] lstrcmpiW (lpString1="Templates", lpString2="..") returned 1 [0167.886] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Templates") returned 30 [0167.886] GetProcessHeap () returned 0x4c0000 [0167.886] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0167.886] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\Default\\Templates" | out: lpString1="\\\\?\\C:\\Users\\Default\\Templates") returned="\\\\?\\C:\\Users\\Default\\Templates" [0167.886] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Templates", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Templates\\*") returned="\\\\?\\C:\\Users\\Default\\Templates\\*" [0167.886] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Templates\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Indexed Locations.search-ms", cAlternateFileName="s")) returned 0xffffffff [0167.886] GetProcessHeap () returned 0x4c0000 [0167.886] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0167.886] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Videos", cAlternateFileName="")) returned 1 [0167.886] lstrcmpiW (lpString1="Videos", lpString2="Windows") returned -1 [0167.886] lstrcmpiW (lpString1="Videos", lpString2="Program Files") returned 1 [0167.887] lstrcmpiW (lpString1="Videos", lpString2="Program Files (x86)") returned 1 [0167.887] lstrcmpiW (lpString1="Videos", lpString2="$Recycle.bin") returned 1 [0167.887] lstrcmpiW (lpString1="Videos", lpString2="System Volume Information") returned 1 [0167.887] lstrcmpiW (lpString1="Videos", lpString2=".") returned 1 [0167.887] lstrcmpiW (lpString1="Videos", lpString2="..") returned 1 [0167.887] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Videos") returned 27 [0167.887] GetProcessHeap () returned 0x4c0000 [0167.887] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0167.887] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\Default\\Videos" | out: lpString1="\\\\?\\C:\\Users\\Default\\Videos") returned="\\\\?\\C:\\Users\\Default\\Videos" [0167.887] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Videos", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Videos\\*") returned="\\\\?\\C:\\Users\\Default\\Videos\\*" [0167.887] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Videos\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0167.887] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0167.887] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0167.887] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0167.887] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0167.887] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0167.887] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0167.887] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0167.887] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0167.887] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0167.887] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0167.887] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0167.887] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0167.887] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0167.888] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0167.888] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0167.888] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0167.888] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0167.888] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0167.888] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0167.888] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0167.888] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0167.888] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0167.888] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Videos\\desktop.ini") returned 39 [0167.888] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0167.888] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0167.888] lstrlenW (lpString=".ini") returned 4 [0167.888] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0167.888] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Videos\\desktop.ini" (normalized: "c:\\users\\default\\videos\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x190 [0167.889] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=504) returned 1 [0167.889] CloseHandle (hObject=0x190) returned 1 [0167.889] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0167.889] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0167.889] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Videos\\PUSSY.TXT") returned 37 [0167.889] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Videos\\PUSSY.TXT" (normalized: "c:\\users\\default\\videos\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0167.889] lstrlenA (lpString="abcd") returned 4 [0167.889] WriteFile (in: hFile=0x178, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0167.890] CloseHandle (hObject=0x178) returned 1 [0167.890] GetProcessHeap () returned 0x4c0000 [0167.890] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0167.890] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Videos", cAlternateFileName="")) returned 0 [0167.890] FindClose (in: hFindFile=0x3bb7020 | out: hFindFile=0x3bb7020) returned 1 [0167.891] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\PUSSY.TXT") returned 30 [0167.891] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\PUSSY.TXT" (normalized: "c:\\users\\default\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0167.891] lstrlenA (lpString="abcd") returned 4 [0167.891] WriteFile (in: hFile=0x1a4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28e5ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28e5ec*=0x4, lpOverlapped=0x0) returned 1 [0167.892] CloseHandle (hObject=0x1a4) returned 1 [0167.892] GetProcessHeap () returned 0x4c0000 [0167.892] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0167.892] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Default User", cAlternateFileName="DEFAUL~1")) returned 1 [0167.892] lstrcmpiW (lpString1="Default User", lpString2="Windows") returned -1 [0167.892] lstrcmpiW (lpString1="Default User", lpString2="Program Files") returned -1 [0167.892] lstrcmpiW (lpString1="Default User", lpString2="Program Files (x86)") returned -1 [0167.892] lstrcmpiW (lpString1="Default User", lpString2="$Recycle.bin") returned 1 [0167.892] lstrcmpiW (lpString1="Default User", lpString2="System Volume Information") returned -1 [0167.892] lstrcmpiW (lpString1="Default User", lpString2=".") returned 1 [0167.892] lstrcmpiW (lpString1="Default User", lpString2="..") returned 1 [0167.892] wnsprintfW (in: pszDest=0x3bb80d8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default User") returned 25 [0167.892] GetProcessHeap () returned 0x4c0000 [0167.892] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0167.893] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\Default User" | out: lpString1="\\\\?\\C:\\Users\\Default User") returned="\\\\?\\C:\\Users\\Default User" [0167.893] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default User", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default User\\*") returned="\\\\?\\C:\\Users\\Default User\\*" [0167.893] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default User\\*", lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Videos", cAlternateFileName="r")) returned 0xffffffff [0167.893] GetProcessHeap () returned 0x4c0000 [0167.893] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0167.893] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x286e4016, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x286e4016, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0167.893] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0167.893] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0167.893] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0167.893] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0167.893] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0167.893] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0167.893] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0167.893] wnsprintfW (in: pszDest=0x3bb80d8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\desktop.ini") returned 24 [0167.893] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0167.893] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0167.893] lstrlenW (lpString=".ini") returned 4 [0167.893] SystemFunction036 (in: RandomBuffer=0x28ea24, RandomBufferLength=0x20 | out: RandomBuffer=0x28ea24) returned 1 [0167.893] CreateFileW (lpFileName="\\\\?\\C:\\Users\\desktop.ini" (normalized: "c:\\users\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1a4 [0167.894] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x28ea18 | out: lpFileSize=0x28ea18*=174) returned 1 [0167.894] CloseHandle (hObject=0x1a4) returned 1 [0167.894] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x917fa2ee, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Public", cAlternateFileName="")) returned 1 [0167.894] lstrcmpiW (lpString1="Public", lpString2="Windows") returned -1 [0167.894] lstrcmpiW (lpString1="Public", lpString2="Program Files") returned 1 [0167.894] lstrcmpiW (lpString1="Public", lpString2="Program Files (x86)") returned 1 [0167.894] lstrcmpiW (lpString1="Public", lpString2="$Recycle.bin") returned 1 [0167.894] lstrcmpiW (lpString1="Public", lpString2="System Volume Information") returned -1 [0167.894] lstrcmpiW (lpString1="Public", lpString2=".") returned 1 [0167.894] lstrcmpiW (lpString1="Public", lpString2="..") returned 1 [0167.894] wnsprintfW (in: pszDest=0x3bb80d8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public") returned 19 [0167.894] GetProcessHeap () returned 0x4c0000 [0167.895] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3dd9008 [0167.895] lstrcpyW (in: lpString1=0x3dd9008, lpString2="\\\\?\\C:\\Users\\Public" | out: lpString1="\\\\?\\C:\\Users\\Public") returned="\\\\?\\C:\\Users\\Public" [0167.895] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Public\\*") returned="\\\\?\\C:\\Users\\Public\\*" [0167.895] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\*", lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x917fa2ee, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7020 [0167.895] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0167.895] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0167.895] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0167.895] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0167.895] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0167.895] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0167.895] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x917fa2ee, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0167.895] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0167.895] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0167.895] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0167.895] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0167.895] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0167.895] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0167.895] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0167.895] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xb0a09a40, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb0a09a40, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Desktop", cAlternateFileName="")) returned 1 [0167.895] lstrcmpiW (lpString1="Desktop", lpString2="Windows") returned -1 [0167.895] lstrcmpiW (lpString1="Desktop", lpString2="Program Files") returned -1 [0167.895] lstrcmpiW (lpString1="Desktop", lpString2="Program Files (x86)") returned -1 [0167.895] lstrcmpiW (lpString1="Desktop", lpString2="$Recycle.bin") returned 1 [0167.895] lstrcmpiW (lpString1="Desktop", lpString2="System Volume Information") returned -1 [0167.895] lstrcmpiW (lpString1="Desktop", lpString2=".") returned 1 [0167.895] lstrcmpiW (lpString1="Desktop", lpString2="..") returned 1 [0167.895] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Desktop") returned 27 [0167.895] GetProcessHeap () returned 0x4c0000 [0167.896] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0167.896] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\Public\\Desktop" | out: lpString1="\\\\?\\C:\\Users\\Public\\Desktop") returned="\\\\?\\C:\\Users\\Public\\Desktop" [0167.896] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Desktop", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Desktop\\*") returned="\\\\?\\C:\\Users\\Public\\Desktop\\*" [0167.896] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Desktop\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xb0a09a40, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb0a09a40, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dda10, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0167.896] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0167.896] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0167.896] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0167.896] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0167.896] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0167.896] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0167.896] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xb0a09a40, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb0a09a40, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4dda10, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0167.896] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0167.896] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0167.896] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0167.896] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0167.896] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0167.896] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0167.896] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0167.896] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83c279c0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x83c279c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x83c4db20, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x7e9, dwReserved0=0x4dda10, dwReserved1=0x77c5f9e2, cFileName="Adobe Reader X.lnk", cAlternateFileName="ADOBER~1.LNK")) returned 1 [0167.896] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2="Windows") returned -1 [0167.896] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2="Program Files") returned -1 [0167.896] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2="Program Files (x86)") returned -1 [0167.896] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2="$Recycle.bin") returned 1 [0167.896] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2="System Volume Information") returned -1 [0167.896] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2=".") returned 1 [0167.896] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2="..") returned 1 [0167.897] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Desktop\\Adobe Reader X.lnk") returned 46 [0167.897] lstrcmpW (lpString1="Adobe Reader X.lnk", lpString2="PUSSY.TXT") returned -1 [0167.897] PathFindExtensionW (pszPath="Adobe Reader X.lnk") returned=".lnk" [0167.897] lstrlenW (lpString=".lnk") returned 4 [0167.897] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0167.897] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Desktop\\Adobe Reader X.lnk" (normalized: "c:\\users\\public\\desktop\\adobe reader x.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x190 [0167.897] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=2025) returned 1 [0167.897] GetProcessHeap () returned 0x4c0000 [0167.897] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52aad8 [0167.908] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="B5") returned 2 [0167.908] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="F1") returned 2 [0167.908] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="94") returned 2 [0167.908] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="27") returned 2 [0167.908] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="FC") returned 2 [0167.908] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="5D") returned 2 [0167.908] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="FA") returned 2 [0167.908] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="BB") returned 2 [0167.908] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="0B") returned 2 [0167.908] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="7C") returned 2 [0167.908] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="8A") returned 2 [0167.908] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="AC") returned 2 [0167.908] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="DD") returned 2 [0167.909] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="2F") returned 2 [0167.909] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="30") returned 2 [0167.909] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="BC") returned 2 [0167.909] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="2F") returned 2 [0167.909] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="CA") returned 2 [0167.909] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="1E") returned 2 [0167.909] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="0C") returned 2 [0167.909] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="77") returned 2 [0167.909] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="1A") returned 2 [0167.909] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="31") returned 2 [0167.909] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="2D") returned 2 [0167.909] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="C1") returned 2 [0167.909] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="87") returned 2 [0167.909] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="9F") returned 2 [0167.909] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="EE") returned 2 [0167.909] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="DC") returned 2 [0167.909] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="E5") returned 2 [0167.909] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="22") returned 2 [0167.909] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="63") returned 2 [0167.918] lstrcpyW (in: lpString1=0x53ab0c, lpString2="\\\\?\\C:\\Users\\Public\\Desktop\\Adobe Reader X.lnk" | out: lpString1="\\\\?\\C:\\Users\\Public\\Desktop\\Adobe Reader X.lnk") returned="\\\\?\\C:\\Users\\Public\\Desktop\\Adobe Reader X.lnk" [0167.918] lstrcpyW (in: lpString1=0x52ab0c, lpString2="\\\\?\\C:\\Users\\Public\\Desktop\\Adobe Reader X.lnk" | out: lpString1="\\\\?\\C:\\Users\\Public\\Desktop\\Adobe Reader X.lnk") returned="\\\\?\\C:\\Users\\Public\\Desktop\\Adobe Reader X.lnk" [0167.918] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Desktop\\Adobe Reader X.lnk", lpString2=".B5F19427FC5DFABB0B7C8AACDD2F30BC2FCA1E0C771A312DC1879FEEDCE52263" | out: lpString1="\\\\?\\C:\\Users\\Public\\Desktop\\Adobe Reader X.lnk.B5F19427FC5DFABB0B7C8AACDD2F30BC2FCA1E0C771A312DC1879FEEDCE52263") returned="\\\\?\\C:\\Users\\Public\\Desktop\\Adobe Reader X.lnk.B5F19427FC5DFABB0B7C8AACDD2F30BC2FCA1E0C771A312DC1879FEEDCE52263" [0167.918] CreateIoCompletionPort (FileHandle=0x190, ExistingCompletionPort=0x94, CompletionKey=0x52aad8, NumberOfConcurrentThreads=0x0) returned 0x94 [0167.918] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52aad8, lpOverlapped=0x52aad8) returned 1 [0167.918] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2826d6cd, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x2826d6cd, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28860dd8, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x4dda10, dwReserved1=0x77c5f9e2, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0167.918] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0167.918] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0167.918] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0167.919] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0167.919] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0167.919] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0167.919] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0167.919] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Desktop\\desktop.ini") returned 39 [0167.919] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0167.919] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0167.919] lstrlenW (lpString=".ini") returned 4 [0167.919] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0167.919] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Desktop\\desktop.ini" (normalized: "c:\\users\\public\\desktop\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x128 [0167.920] GetFileSizeEx (in: hFile=0x128, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=174) returned 1 [0167.920] CloseHandle (hObject=0x128) returned 1 [0167.920] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7df21ca0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7df21ca0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7df21ca0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x8d1, dwReserved0=0x4dda10, dwReserved1=0x77c5f9e2, cFileName="Google Chrome.lnk", cAlternateFileName="GOOGLE~1.LNK")) returned 1 [0167.920] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="Windows") returned -1 [0167.920] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="Program Files") returned -1 [0167.920] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="Program Files (x86)") returned -1 [0167.920] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="$Recycle.bin") returned 1 [0167.920] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="System Volume Information") returned -1 [0167.920] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2=".") returned 1 [0167.920] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="..") returned 1 [0167.920] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Desktop\\Google Chrome.lnk") returned 45 [0167.920] lstrcmpW (lpString1="Google Chrome.lnk", lpString2="PUSSY.TXT") returned -1 [0167.920] PathFindExtensionW (pszPath="Google Chrome.lnk") returned=".lnk" [0167.920] lstrlenW (lpString=".lnk") returned 4 [0167.920] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0167.920] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Desktop\\Google Chrome.lnk" (normalized: "c:\\users\\public\\desktop\\google chrome.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x128 [0167.921] GetFileSizeEx (in: hFile=0x128, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=2257) returned 1 [0167.921] GetProcessHeap () returned 0x4c0000 [0167.921] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x552b28 [0167.931] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="C1") returned 2 [0167.931] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="F3") returned 2 [0167.931] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="AF") returned 2 [0167.931] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="5D") returned 2 [0167.931] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="BA") returned 2 [0167.931] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="98") returned 2 [0167.931] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="FC") returned 2 [0167.931] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="AE") returned 2 [0167.931] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="0F") returned 2 [0167.931] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="40") returned 2 [0167.931] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="15") returned 2 [0167.931] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="80") returned 2 [0167.931] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="79") returned 2 [0167.931] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="C7") returned 2 [0167.931] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="1D") returned 2 [0167.931] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="21") returned 2 [0167.931] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="0E") returned 2 [0167.931] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="FF") returned 2 [0167.931] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="44") returned 2 [0167.931] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="5F") returned 2 [0167.931] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="BC") returned 2 [0167.931] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="F0") returned 2 [0167.931] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="96") returned 2 [0167.931] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="55") returned 2 [0167.931] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="DF") returned 2 [0167.932] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="9C") returned 2 [0167.932] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="F7") returned 2 [0167.932] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="B1") returned 2 [0167.932] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="3C") returned 2 [0167.932] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="46") returned 2 [0167.932] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="3D") returned 2 [0167.932] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="49") returned 2 [0167.940] lstrcpyW (in: lpString1=0x562b5c, lpString2="\\\\?\\C:\\Users\\Public\\Desktop\\Google Chrome.lnk" | out: lpString1="\\\\?\\C:\\Users\\Public\\Desktop\\Google Chrome.lnk") returned="\\\\?\\C:\\Users\\Public\\Desktop\\Google Chrome.lnk" [0167.940] lstrcpyW (in: lpString1=0x552b5c, lpString2="\\\\?\\C:\\Users\\Public\\Desktop\\Google Chrome.lnk" | out: lpString1="\\\\?\\C:\\Users\\Public\\Desktop\\Google Chrome.lnk") returned="\\\\?\\C:\\Users\\Public\\Desktop\\Google Chrome.lnk" [0167.940] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Desktop\\Google Chrome.lnk", lpString2=".C1F3AF5DBA98FCAE0F40158079C71D210EFF445FBCF09655DF9CF7B13C463D49" | out: lpString1="\\\\?\\C:\\Users\\Public\\Desktop\\Google Chrome.lnk.C1F3AF5DBA98FCAE0F40158079C71D210EFF445FBCF09655DF9CF7B13C463D49") returned="\\\\?\\C:\\Users\\Public\\Desktop\\Google Chrome.lnk.C1F3AF5DBA98FCAE0F40158079C71D210EFF445FBCF09655DF9CF7B13C463D49" [0167.940] CreateIoCompletionPort (FileHandle=0x128, ExistingCompletionPort=0x94, CompletionKey=0x552b28, NumberOfConcurrentThreads=0x0) returned 0x94 [0167.940] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x552b28, lpOverlapped=0x552b28) returned 1 [0167.940] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0a09a40, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb0a09a40, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb0a09a40, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x485, dwReserved0=0x4dda10, dwReserved1=0x77c5f9e2, cFileName="Mozilla Firefox.lnk", cAlternateFileName="MOZILL~1.LNK")) returned 1 [0167.940] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="Windows") returned -1 [0167.940] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="Program Files") returned -1 [0167.940] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="Program Files (x86)") returned -1 [0167.940] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="$Recycle.bin") returned 1 [0167.941] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="System Volume Information") returned -1 [0167.941] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2=".") returned 1 [0167.941] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="..") returned 1 [0167.941] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk") returned 47 [0167.941] lstrcmpW (lpString1="Mozilla Firefox.lnk", lpString2="PUSSY.TXT") returned -1 [0167.941] PathFindExtensionW (pszPath="Mozilla Firefox.lnk") returned=".lnk" [0167.941] lstrlenW (lpString=".lnk") returned 4 [0167.941] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0167.941] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk" (normalized: "c:\\users\\public\\desktop\\mozilla firefox.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0167.942] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=1157) returned 1 [0167.942] GetProcessHeap () returned 0x4c0000 [0167.942] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b28068 [0167.958] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="19") returned 2 [0167.958] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="B2") returned 2 [0167.958] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="C5") returned 2 [0167.958] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="CA") returned 2 [0167.958] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="23") returned 2 [0167.958] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="70") returned 2 [0167.958] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="1E") returned 2 [0167.958] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="C6") returned 2 [0167.958] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="46") returned 2 [0167.958] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="80") returned 2 [0167.958] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="B6") returned 2 [0167.958] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="DC") returned 2 [0167.958] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="66") returned 2 [0167.958] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="1D") returned 2 [0167.958] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="65") returned 2 [0167.958] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="EE") returned 2 [0167.958] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="9C") returned 2 [0167.958] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="CA") returned 2 [0167.958] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="1B") returned 2 [0167.958] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="48") returned 2 [0167.958] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="33") returned 2 [0167.958] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="0F") returned 2 [0167.958] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="B1") returned 2 [0167.958] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="DB") returned 2 [0167.958] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="07") returned 2 [0167.959] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="6D") returned 2 [0167.959] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="B4") returned 2 [0167.959] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="0A") returned 2 [0167.959] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="4E") returned 2 [0167.959] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="84") returned 2 [0167.959] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="CD") returned 2 [0167.959] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="78") returned 2 [0168.006] lstrcpyW (in: lpString1=0x3b3809c, lpString2="\\\\?\\C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk" | out: lpString1="\\\\?\\C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk") returned="\\\\?\\C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk" [0168.006] lstrcpyW (in: lpString1=0x3b2809c, lpString2="\\\\?\\C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk" | out: lpString1="\\\\?\\C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk") returned="\\\\?\\C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk" [0168.006] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk", lpString2=".19B2C5CA23701EC64680B6DC661D65EE9CCA1B48330FB1DB076DB40A4E84CD78" | out: lpString1="\\\\?\\C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk.19B2C5CA23701EC64680B6DC661D65EE9CCA1B48330FB1DB076DB40A4E84CD78") returned="\\\\?\\C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk.19B2C5CA23701EC64680B6DC661D65EE9CCA1B48330FB1DB076DB40A4E84CD78" [0168.006] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x3b28068, NumberOfConcurrentThreads=0x0) returned 0x94 [0168.006] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b28068, lpOverlapped=0x3b28068) returned 1 [0168.007] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0a09a40, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb0a09a40, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb0a09a40, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x485, dwReserved0=0x4dda10, dwReserved1=0x77c5f9e2, cFileName="Mozilla Firefox.lnk", cAlternateFileName="MOZILL~1.LNK")) returned 0 [0168.011] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0168.011] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Desktop\\PUSSY.TXT") returned 37 [0168.011] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Desktop\\PUSSY.TXT" (normalized: "c:\\users\\public\\desktop\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0168.012] lstrlenA (lpString="abcd") returned 4 [0168.012] WriteFile (in: hFile=0x178, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0168.014] CloseHandle (hObject=0x178) returned 1 [0168.014] GetProcessHeap () returned 0x4c0000 [0168.014] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0168.019] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x286e4016, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x286e4016, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0168.019] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0168.019] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0168.019] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0168.020] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0168.020] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0168.020] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0168.020] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0168.020] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\desktop.ini") returned 31 [0168.020] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0168.020] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0168.020] lstrlenW (lpString=".ini") returned 4 [0168.020] SystemFunction036 (in: RandomBuffer=0x28e284, RandomBufferLength=0x20 | out: RandomBuffer=0x28e284) returned 1 [0168.020] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\desktop.ini" (normalized: "c:\\users\\public\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0168.021] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28e278 | out: lpFileSize=0x28e278*=174) returned 1 [0168.021] CloseHandle (hObject=0x178) returned 1 [0168.021] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x3079b513, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3079b513, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0168.021] lstrcmpiW (lpString1="Documents", lpString2="Windows") returned -1 [0168.021] lstrcmpiW (lpString1="Documents", lpString2="Program Files") returned -1 [0168.021] lstrcmpiW (lpString1="Documents", lpString2="Program Files (x86)") returned -1 [0168.021] lstrcmpiW (lpString1="Documents", lpString2="$Recycle.bin") returned 1 [0168.021] lstrcmpiW (lpString1="Documents", lpString2="System Volume Information") returned -1 [0168.021] lstrcmpiW (lpString1="Documents", lpString2=".") returned 1 [0168.021] lstrcmpiW (lpString1="Documents", lpString2="..") returned 1 [0168.021] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Documents") returned 29 [0168.021] GetProcessHeap () returned 0x4c0000 [0168.021] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0168.022] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\Public\\Documents" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents") returned="\\\\?\\C:\\Users\\Public\\Documents" [0168.022] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Documents", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\*") returned="\\\\?\\C:\\Users\\Public\\Documents\\*" [0168.022] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x3079b513, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3079b513, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0168.022] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0168.022] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0168.023] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0168.023] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0168.023] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0168.023] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0168.023] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x3079b513, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3079b513, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0168.023] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0168.023] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0168.023] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0168.023] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0168.023] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0168.023] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0168.023] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0168.023] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28697d55, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x28697d55, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x116, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0168.023] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0168.023] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0168.023] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0168.023] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0168.023] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0168.023] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0168.023] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0168.023] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Documents\\desktop.ini") returned 41 [0168.023] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0168.023] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0168.023] lstrlenW (lpString=".ini") returned 4 [0168.024] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0168.024] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\desktop.ini" (normalized: "c:\\users\\public\\documents\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0168.024] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=278) returned 1 [0168.024] CloseHandle (hObject=0x1d8) returned 1 [0168.024] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3079b513, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3079b513, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3079b513, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0168.024] lstrcmpiW (lpString1="My Music", lpString2="Windows") returned -1 [0168.024] lstrcmpiW (lpString1="My Music", lpString2="Program Files") returned -1 [0168.025] lstrcmpiW (lpString1="My Music", lpString2="Program Files (x86)") returned -1 [0168.025] lstrcmpiW (lpString1="My Music", lpString2="$Recycle.bin") returned 1 [0168.025] lstrcmpiW (lpString1="My Music", lpString2="System Volume Information") returned -1 [0168.025] lstrcmpiW (lpString1="My Music", lpString2=".") returned 1 [0168.025] lstrcmpiW (lpString1="My Music", lpString2="..") returned 1 [0168.025] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Documents\\My Music") returned 38 [0168.025] GetProcessHeap () returned 0x4c0000 [0168.025] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0168.026] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\Public\\Documents\\My Music" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\My Music") returned="\\\\?\\C:\\Users\\Public\\Documents\\My Music" [0168.026] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\My Music", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\My Music\\*") returned="\\\\?\\C:\\Users\\Public\\Documents\\My Music\\*" [0168.026] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\My Music\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x1, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x77c5fa12, ftLastAccessTime.dwHighDateTime=0x76c1c16b, ftLastWriteTime.dwLowDateTime=0x1d8, ftLastWriteTime.dwHighDateTime=0x28d498, nFileSizeHigh=0x28d480, nFileSizeLow=0x18, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="띝盁ǘ", cAlternateFileName="c")) returned 0xffffffff [0168.026] GetProcessHeap () returned 0x4c0000 [0168.026] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0168.026] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3079b513, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3079b513, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3079b513, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0168.027] lstrcmpiW (lpString1="My Pictures", lpString2="Windows") returned -1 [0168.027] lstrcmpiW (lpString1="My Pictures", lpString2="Program Files") returned -1 [0168.027] lstrcmpiW (lpString1="My Pictures", lpString2="Program Files (x86)") returned -1 [0168.027] lstrcmpiW (lpString1="My Pictures", lpString2="$Recycle.bin") returned 1 [0168.027] lstrcmpiW (lpString1="My Pictures", lpString2="System Volume Information") returned -1 [0168.027] lstrcmpiW (lpString1="My Pictures", lpString2=".") returned 1 [0168.027] lstrcmpiW (lpString1="My Pictures", lpString2="..") returned 1 [0168.027] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Documents\\My Pictures") returned 41 [0168.027] GetProcessHeap () returned 0x4c0000 [0168.027] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0168.027] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\Public\\Documents\\My Pictures" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\My Pictures") returned="\\\\?\\C:\\Users\\Public\\Documents\\My Pictures" [0168.027] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\My Pictures", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\My Pictures\\*") returned="\\\\?\\C:\\Users\\Public\\Documents\\My Pictures\\*" [0168.027] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\My Pictures\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x1, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x77c5fa12, ftLastAccessTime.dwHighDateTime=0x76c1c16b, ftLastWriteTime.dwLowDateTime=0x1d8, ftLastWriteTime.dwHighDateTime=0x28d498, nFileSizeHigh=0x28d480, nFileSizeLow=0x18, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="띝盁ǘ", cAlternateFileName="s")) returned 0xffffffff [0168.027] GetProcessHeap () returned 0x4c0000 [0168.027] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0168.027] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3079b513, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3079b513, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3079b513, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0168.027] lstrcmpiW (lpString1="My Videos", lpString2="Windows") returned -1 [0168.027] lstrcmpiW (lpString1="My Videos", lpString2="Program Files") returned -1 [0168.027] lstrcmpiW (lpString1="My Videos", lpString2="Program Files (x86)") returned -1 [0168.027] lstrcmpiW (lpString1="My Videos", lpString2="$Recycle.bin") returned 1 [0168.028] lstrcmpiW (lpString1="My Videos", lpString2="System Volume Information") returned -1 [0168.028] lstrcmpiW (lpString1="My Videos", lpString2=".") returned 1 [0168.028] lstrcmpiW (lpString1="My Videos", lpString2="..") returned 1 [0168.028] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Documents\\My Videos") returned 39 [0168.028] GetProcessHeap () returned 0x4c0000 [0168.028] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0168.028] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\Public\\Documents\\My Videos" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\My Videos") returned="\\\\?\\C:\\Users\\Public\\Documents\\My Videos" [0168.028] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\My Videos", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\My Videos\\*") returned="\\\\?\\C:\\Users\\Public\\Documents\\My Videos\\*" [0168.028] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\My Videos\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x1, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x77c5fa12, ftLastAccessTime.dwHighDateTime=0x76c1c16b, ftLastWriteTime.dwLowDateTime=0x1d8, ftLastWriteTime.dwHighDateTime=0x28d498, nFileSizeHigh=0x28d480, nFileSizeLow=0x18, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="띝盁ǘ", cAlternateFileName="s")) returned 0xffffffff [0168.028] GetProcessHeap () returned 0x4c0000 [0168.028] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0168.028] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3079b513, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3079b513, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3079b513, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 0 [0168.028] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0168.029] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Documents\\PUSSY.TXT") returned 39 [0168.029] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\PUSSY.TXT" (normalized: "c:\\users\\public\\documents\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0168.030] lstrlenA (lpString="abcd") returned 4 [0168.030] WriteFile (in: hFile=0x178, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0168.031] CloseHandle (hObject=0x178) returned 1 [0168.031] GetProcessHeap () returned 0x4c0000 [0168.031] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0168.033] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28351f0f, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0168.033] lstrcmpiW (lpString1="Downloads", lpString2="Windows") returned -1 [0168.033] lstrcmpiW (lpString1="Downloads", lpString2="Program Files") returned -1 [0168.033] lstrcmpiW (lpString1="Downloads", lpString2="Program Files (x86)") returned -1 [0168.033] lstrcmpiW (lpString1="Downloads", lpString2="$Recycle.bin") returned 1 [0168.033] lstrcmpiW (lpString1="Downloads", lpString2="System Volume Information") returned -1 [0168.033] lstrcmpiW (lpString1="Downloads", lpString2=".") returned 1 [0168.033] lstrcmpiW (lpString1="Downloads", lpString2="..") returned 1 [0168.033] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Downloads") returned 29 [0168.033] GetProcessHeap () returned 0x4c0000 [0168.033] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0168.034] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\Public\\Downloads" | out: lpString1="\\\\?\\C:\\Users\\Public\\Downloads") returned="\\\\?\\C:\\Users\\Public\\Downloads" [0168.034] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Downloads", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Downloads\\*") returned="\\\\?\\C:\\Users\\Public\\Downloads\\*" [0168.034] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Downloads\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28351f0f, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0168.034] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0168.034] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0168.035] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0168.035] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0168.035] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0168.035] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0168.035] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28351f0f, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0168.035] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0168.035] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0168.035] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0168.035] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0168.035] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0168.035] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0168.035] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0168.035] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28351f0f, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x28351f0f, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0168.035] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0168.035] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0168.035] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0168.035] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0168.035] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0168.035] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0168.035] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0168.035] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Downloads\\desktop.ini") returned 41 [0168.035] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0168.035] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0168.035] lstrlenW (lpString=".ini") returned 4 [0168.035] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0168.036] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Downloads\\desktop.ini" (normalized: "c:\\users\\public\\downloads\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0168.036] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=174) returned 1 [0168.036] CloseHandle (hObject=0x1d8) returned 1 [0168.036] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28351f0f, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x28351f0f, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0168.036] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0168.036] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Downloads\\PUSSY.TXT") returned 39 [0168.037] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Downloads\\PUSSY.TXT" (normalized: "c:\\users\\public\\downloads\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0168.037] lstrlenA (lpString="abcd") returned 4 [0168.037] WriteFile (in: hFile=0x178, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0168.038] CloseHandle (hObject=0x178) returned 1 [0168.039] GetProcessHeap () returned 0x4c0000 [0168.039] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0168.039] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfdae6622, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xaee7d305, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0168.039] lstrcmpiW (lpString1="Favorites", lpString2="Windows") returned -1 [0168.039] lstrcmpiW (lpString1="Favorites", lpString2="Program Files") returned -1 [0168.039] lstrcmpiW (lpString1="Favorites", lpString2="Program Files (x86)") returned -1 [0168.039] lstrcmpiW (lpString1="Favorites", lpString2="$Recycle.bin") returned 1 [0168.039] lstrcmpiW (lpString1="Favorites", lpString2="System Volume Information") returned -1 [0168.039] lstrcmpiW (lpString1="Favorites", lpString2=".") returned 1 [0168.039] lstrcmpiW (lpString1="Favorites", lpString2="..") returned 1 [0168.039] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Favorites") returned 29 [0168.039] GetProcessHeap () returned 0x4c0000 [0168.039] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0168.039] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\Public\\Favorites" | out: lpString1="\\\\?\\C:\\Users\\Public\\Favorites") returned="\\\\?\\C:\\Users\\Public\\Favorites" [0168.039] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Favorites", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Favorites\\*") returned="\\\\?\\C:\\Users\\Public\\Favorites\\*" [0168.039] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Favorites\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfdae6622, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xaee7d305, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0168.040] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0168.040] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0168.040] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0168.040] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0168.040] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0168.040] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0168.040] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfdae6622, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xaee7d305, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0168.040] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0168.040] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0168.040] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0168.040] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0168.040] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0168.040] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0168.040] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0168.040] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfdae6622, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xaee7d305, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 0 [0168.040] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0168.040] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Favorites\\PUSSY.TXT") returned 39 [0168.040] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Favorites\\PUSSY.TXT" (normalized: "c:\\users\\public\\favorites\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0168.041] lstrlenA (lpString="abcd") returned 4 [0168.041] WriteFile (in: hFile=0x178, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0168.042] CloseHandle (hObject=0x178) returned 1 [0168.042] GetProcessHeap () returned 0x4c0000 [0168.042] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0168.042] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28a29e5c, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a29e5c, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Libraries", cAlternateFileName="LIBRAR~1")) returned 1 [0168.042] lstrcmpiW (lpString1="Libraries", lpString2="Windows") returned -1 [0168.042] lstrcmpiW (lpString1="Libraries", lpString2="Program Files") returned -1 [0168.042] lstrcmpiW (lpString1="Libraries", lpString2="Program Files (x86)") returned -1 [0168.042] lstrcmpiW (lpString1="Libraries", lpString2="$Recycle.bin") returned 1 [0168.042] lstrcmpiW (lpString1="Libraries", lpString2="System Volume Information") returned -1 [0168.042] lstrcmpiW (lpString1="Libraries", lpString2=".") returned 1 [0168.043] lstrcmpiW (lpString1="Libraries", lpString2="..") returned 1 [0168.043] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Libraries") returned 29 [0168.043] GetProcessHeap () returned 0x4c0000 [0168.043] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0168.043] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\Public\\Libraries" | out: lpString1="\\\\?\\C:\\Users\\Public\\Libraries") returned="\\\\?\\C:\\Users\\Public\\Libraries" [0168.043] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Libraries", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Libraries\\*") returned="\\\\?\\C:\\Users\\Public\\Libraries\\*" [0168.043] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Libraries\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28a29e5c, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a29e5c, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0168.043] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0168.043] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0168.043] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0168.043] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0168.043] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0168.043] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0168.043] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28a29e5c, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a29e5c, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0168.043] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0168.043] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0168.044] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0168.044] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0168.044] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0168.044] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0168.044] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0168.044] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2839e1d0, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x2839e1d0, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288f9359, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x58, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0168.044] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0168.044] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0168.044] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0168.044] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0168.044] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0168.044] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0168.044] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0168.044] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Libraries\\desktop.ini") returned 41 [0168.044] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0168.044] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0168.044] lstrlenW (lpString=".ini") returned 4 [0168.044] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0168.044] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Libraries\\desktop.ini" (normalized: "c:\\users\\public\\libraries\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0168.045] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=88) returned 1 [0168.045] CloseHandle (hObject=0x1d8) returned 1 [0168.045] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2837806f, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x289b7a3b, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a29e5c, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x36c, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="RecordedTV.library-ms", cAlternateFileName="RECORD~1.LIB")) returned 1 [0168.045] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="Windows") returned -1 [0168.045] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="Program Files") returned 1 [0168.045] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="Program Files (x86)") returned 1 [0168.045] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="$Recycle.bin") returned 1 [0168.045] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="System Volume Information") returned -1 [0168.045] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2=".") returned 1 [0168.045] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="..") returned 1 [0168.045] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms") returned 51 [0168.045] lstrcmpW (lpString1="RecordedTV.library-ms", lpString2="PUSSY.TXT") returned 1 [0168.046] PathFindExtensionW (pszPath="RecordedTV.library-ms") returned=".library-ms" [0168.046] lstrlenW (lpString=".library-ms") returned 11 [0168.046] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0168.046] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x1d8 [0168.046] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=876) returned 1 [0168.046] GetProcessHeap () returned 0x4c0000 [0168.046] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c720f8 [0168.065] wsprintfW (in: param_1=0x28db26, param_2="%02X" | out: param_1="69") returned 2 [0168.065] wsprintfW (in: param_1=0x28db2a, param_2="%02X" | out: param_1="E5") returned 2 [0168.065] wsprintfW (in: param_1=0x28db2e, param_2="%02X" | out: param_1="FD") returned 2 [0168.065] wsprintfW (in: param_1=0x28db32, param_2="%02X" | out: param_1="BC") returned 2 [0168.065] wsprintfW (in: param_1=0x28db36, param_2="%02X" | out: param_1="E5") returned 2 [0168.065] wsprintfW (in: param_1=0x28db3a, param_2="%02X" | out: param_1="EE") returned 2 [0168.065] wsprintfW (in: param_1=0x28db3e, param_2="%02X" | out: param_1="B6") returned 2 [0168.065] wsprintfW (in: param_1=0x28db42, param_2="%02X" | out: param_1="B2") returned 2 [0168.065] wsprintfW (in: param_1=0x28db46, param_2="%02X" | out: param_1="F3") returned 2 [0168.065] wsprintfW (in: param_1=0x28db4a, param_2="%02X" | out: param_1="C3") returned 2 [0168.065] wsprintfW (in: param_1=0x28db4e, param_2="%02X" | out: param_1="92") returned 2 [0168.065] wsprintfW (in: param_1=0x28db52, param_2="%02X" | out: param_1="E8") returned 2 [0168.065] wsprintfW (in: param_1=0x28db56, param_2="%02X" | out: param_1="EA") returned 2 [0168.065] wsprintfW (in: param_1=0x28db5a, param_2="%02X" | out: param_1="C9") returned 2 [0168.065] wsprintfW (in: param_1=0x28db5e, param_2="%02X" | out: param_1="77") returned 2 [0168.066] wsprintfW (in: param_1=0x28db62, param_2="%02X" | out: param_1="44") returned 2 [0168.066] wsprintfW (in: param_1=0x28db66, param_2="%02X" | out: param_1="3F") returned 2 [0168.066] wsprintfW (in: param_1=0x28db6a, param_2="%02X" | out: param_1="64") returned 2 [0168.066] wsprintfW (in: param_1=0x28db6e, param_2="%02X" | out: param_1="10") returned 2 [0168.066] wsprintfW (in: param_1=0x28db72, param_2="%02X" | out: param_1="C6") returned 2 [0168.066] wsprintfW (in: param_1=0x28db76, param_2="%02X" | out: param_1="6F") returned 2 [0168.066] wsprintfW (in: param_1=0x28db7a, param_2="%02X" | out: param_1="9B") returned 2 [0168.066] wsprintfW (in: param_1=0x28db7e, param_2="%02X" | out: param_1="46") returned 2 [0168.066] wsprintfW (in: param_1=0x28db82, param_2="%02X" | out: param_1="A0") returned 2 [0168.066] wsprintfW (in: param_1=0x28db86, param_2="%02X" | out: param_1="1A") returned 2 [0168.066] wsprintfW (in: param_1=0x28db8a, param_2="%02X" | out: param_1="67") returned 2 [0168.066] wsprintfW (in: param_1=0x28db8e, param_2="%02X" | out: param_1="0A") returned 2 [0168.066] wsprintfW (in: param_1=0x28db92, param_2="%02X" | out: param_1="F0") returned 2 [0168.066] wsprintfW (in: param_1=0x28db96, param_2="%02X" | out: param_1="0B") returned 2 [0168.067] wsprintfW (in: param_1=0x28db9a, param_2="%02X" | out: param_1="34") returned 2 [0168.067] wsprintfW (in: param_1=0x28db9e, param_2="%02X" | out: param_1="07") returned 2 [0168.067] wsprintfW (in: param_1=0x28dba2, param_2="%02X" | out: param_1="6C") returned 2 [0168.080] lstrcpyW (in: lpString1=0x3c8212c, lpString2="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" | out: lpString1="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms") returned="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" [0168.080] lstrcpyW (in: lpString1=0x3c7212c, lpString2="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" | out: lpString1="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms") returned="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" [0168.080] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms", lpString2=".69E5FDBCE5EEB6B2F3C392E8EAC977443F6410C66F9B46A01A670AF00B34076C" | out: lpString1="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms.69E5FDBCE5EEB6B2F3C392E8EAC977443F6410C66F9B46A01A670AF00B34076C") returned="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms.69E5FDBCE5EEB6B2F3C392E8EAC977443F6410C66F9B46A01A670AF00B34076C" [0168.080] CreateIoCompletionPort (FileHandle=0x1d8, ExistingCompletionPort=0x94, CompletionKey=0x3c720f8, NumberOfConcurrentThreads=0x0) returned 0x94 [0168.081] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c720f8, lpOverlapped=0x3c720f8) returned 1 [0168.081] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2837806f, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x289b7a3b, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a29e5c, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x36c, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="RecordedTV.library-ms", cAlternateFileName="RECORD~1.LIB")) returned 0 [0168.084] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0168.084] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Libraries\\PUSSY.TXT") returned 39 [0168.086] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Libraries\\PUSSY.TXT" (normalized: "c:\\users\\public\\libraries\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0168.089] lstrlenA (lpString="abcd") returned 4 [0168.089] WriteFile (in: hFile=0x1d8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0168.090] CloseHandle (hObject=0x1d8) returned 1 [0168.090] GetProcessHeap () returned 0x4c0000 [0168.090] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0168.093] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28305c4e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Music", cAlternateFileName="")) returned 1 [0168.093] lstrcmpiW (lpString1="Music", lpString2="Windows") returned -1 [0168.093] lstrcmpiW (lpString1="Music", lpString2="Program Files") returned -1 [0168.093] lstrcmpiW (lpString1="Music", lpString2="Program Files (x86)") returned -1 [0168.093] lstrcmpiW (lpString1="Music", lpString2="$Recycle.bin") returned 1 [0168.093] lstrcmpiW (lpString1="Music", lpString2="System Volume Information") returned -1 [0168.093] lstrcmpiW (lpString1="Music", lpString2=".") returned 1 [0168.093] lstrcmpiW (lpString1="Music", lpString2="..") returned 1 [0168.093] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Music") returned 25 [0168.094] GetProcessHeap () returned 0x4c0000 [0168.094] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0168.095] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\Public\\Music" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music") returned="\\\\?\\C:\\Users\\Public\\Music" [0168.095] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Music", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music\\*") returned="\\\\?\\C:\\Users\\Public\\Music\\*" [0168.095] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Music\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28305c4e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0168.095] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0168.095] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0168.095] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0168.095] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0168.095] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0168.095] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0168.095] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28305c4e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0168.095] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0168.095] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0168.095] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0168.095] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0168.095] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0168.095] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0168.096] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0168.096] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28305c4e, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x28305c4e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0168.096] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0168.096] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0168.096] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0168.096] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0168.096] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0168.096] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0168.096] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0168.096] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Music\\desktop.ini") returned 37 [0168.096] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0168.096] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0168.096] lstrlenW (lpString=".ini") returned 4 [0168.096] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0168.096] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\desktop.ini" (normalized: "c:\\users\\public\\music\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0168.097] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=380) returned 1 [0168.097] CloseHandle (hObject=0x178) returned 1 [0168.097] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8031a7b6, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="Sample Music", cAlternateFileName="SAMPLE~1")) returned 1 [0168.098] lstrcmpiW (lpString1="Sample Music", lpString2="Windows") returned -1 [0168.098] lstrcmpiW (lpString1="Sample Music", lpString2="Program Files") returned 1 [0168.098] lstrcmpiW (lpString1="Sample Music", lpString2="Program Files (x86)") returned 1 [0168.098] lstrcmpiW (lpString1="Sample Music", lpString2="$Recycle.bin") returned 1 [0168.098] lstrcmpiW (lpString1="Sample Music", lpString2="System Volume Information") returned -1 [0168.098] lstrcmpiW (lpString1="Sample Music", lpString2=".") returned 1 [0168.098] lstrcmpiW (lpString1="Sample Music", lpString2="..") returned 1 [0168.098] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Music\\Sample Music") returned 38 [0168.098] GetProcessHeap () returned 0x4c0000 [0168.098] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0168.099] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\Public\\Music\\Sample Music" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music\\Sample Music") returned="\\\\?\\C:\\Users\\Public\\Music\\Sample Music" [0168.099] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Music\\Sample Music", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\*") returned="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\*" [0168.099] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8031a7b6, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0168.101] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0168.101] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0168.101] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0168.101] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0168.101] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0168.102] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0168.102] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8031a7b6, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0168.102] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0168.102] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0168.102] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0168.102] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0168.102] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0168.102] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0168.102] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0168.102] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8031a7b6, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7be84d57, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x24a, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0168.102] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0168.102] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0168.102] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0168.102] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0168.102] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0168.102] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0168.102] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0168.102] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\desktop.ini") returned 50 [0168.102] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0168.102] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0168.103] lstrlenW (lpString=".ini") returned 4 [0168.103] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0168.103] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\desktop.ini" (normalized: "c:\\users\\public\\music\\sample music\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0168.104] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=586) returned 1 [0168.104] GetProcessHeap () returned 0x4c0000 [0168.104] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c720f8 [0168.118] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="06") returned 2 [0168.118] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="AA") returned 2 [0168.118] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="A6") returned 2 [0168.118] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="8E") returned 2 [0168.118] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="CA") returned 2 [0168.118] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="B0") returned 2 [0168.118] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="FA") returned 2 [0168.118] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="A6") returned 2 [0168.118] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="FF") returned 2 [0168.119] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="FD") returned 2 [0168.126] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="E6") returned 2 [0168.126] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="8E") returned 2 [0168.126] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="FC") returned 2 [0168.126] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="A5") returned 2 [0168.126] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="0D") returned 2 [0168.126] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="86") returned 2 [0168.126] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="D4") returned 2 [0168.126] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="24") returned 2 [0168.126] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="1C") returned 2 [0168.126] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="98") returned 2 [0168.126] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="0C") returned 2 [0168.126] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="DB") returned 2 [0168.126] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="22") returned 2 [0168.126] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="47") returned 2 [0168.126] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="54") returned 2 [0168.126] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="41") returned 2 [0168.126] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="D5") returned 2 [0168.126] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="19") returned 2 [0168.126] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="77") returned 2 [0168.126] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="4D") returned 2 [0168.126] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="7F") returned 2 [0168.126] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="60") returned 2 [0168.139] lstrcpyW (in: lpString1=0x3c8212c, lpString2="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\desktop.ini") returned="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\desktop.ini" [0168.139] lstrcpyW (in: lpString1=0x3c7212c, lpString2="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\desktop.ini") returned="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\desktop.ini" [0168.139] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\desktop.ini", lpString2=".06AAA68ECAB0FAA6FFFDE68EFCA50D86D4241C980CDB22475441D519774D7F60" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\desktop.ini.06AAA68ECAB0FAA6FFFDE68EFCA50D86D4241C980CDB22475441D519774D7F60") returned="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\desktop.ini.06AAA68ECAB0FAA6FFFDE68EFCA50D86D4241C980CDB22475441D519774D7F60" [0168.139] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x3c720f8, NumberOfConcurrentThreads=0x0) returned 0x94 [0168.139] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c720f8, lpOverlapped=0x3c720f8) returned 1 [0168.142] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8031a7b6, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7be5ebf7, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7be84d57, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x8064f1, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Kalimba.mp3", cAlternateFileName="")) returned 1 [0168.142] lstrcmpiW (lpString1="Kalimba.mp3", lpString2="Windows") returned -1 [0168.142] lstrcmpiW (lpString1="Kalimba.mp3", lpString2="Program Files") returned -1 [0168.142] lstrcmpiW (lpString1="Kalimba.mp3", lpString2="Program Files (x86)") returned -1 [0168.143] lstrcmpiW (lpString1="Kalimba.mp3", lpString2="$Recycle.bin") returned 1 [0168.143] lstrcmpiW (lpString1="Kalimba.mp3", lpString2="System Volume Information") returned -1 [0168.143] lstrcmpiW (lpString1="Kalimba.mp3", lpString2=".") returned 1 [0168.143] lstrcmpiW (lpString1="Kalimba.mp3", lpString2="..") returned 1 [0168.143] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3") returned 50 [0168.143] lstrcmpW (lpString1="Kalimba.mp3", lpString2="PUSSY.TXT") returned -1 [0168.143] PathFindExtensionW (pszPath="Kalimba.mp3") returned=".mp3" [0168.143] lstrlenW (lpString=".mp3") returned 4 [0168.143] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0168.143] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xec [0168.144] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=8414449) returned 1 [0168.144] GetProcessHeap () returned 0x4c0000 [0168.144] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c9a148 [0168.158] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="06") returned 2 [0168.158] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="5D") returned 2 [0168.158] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="AE") returned 2 [0168.158] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="97") returned 2 [0168.158] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="4C") returned 2 [0168.158] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="36") returned 2 [0168.158] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="64") returned 2 [0168.158] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="02") returned 2 [0168.158] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="4A") returned 2 [0168.158] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="EA") returned 2 [0168.158] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="45") returned 2 [0168.158] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="71") returned 2 [0168.158] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="21") returned 2 [0168.159] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="AC") returned 2 [0168.159] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="8B") returned 2 [0168.159] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="A3") returned 2 [0168.159] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="E3") returned 2 [0168.159] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="FB") returned 2 [0168.159] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="B7") returned 2 [0168.159] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="1C") returned 2 [0168.159] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="99") returned 2 [0168.159] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="3A") returned 2 [0168.159] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="8B") returned 2 [0168.159] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="85") returned 2 [0168.159] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="01") returned 2 [0168.159] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="A7") returned 2 [0168.159] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="A2") returned 2 [0168.159] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="8A") returned 2 [0168.159] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="E7") returned 2 [0168.159] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="D4") returned 2 [0168.159] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="58") returned 2 [0168.159] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="6A") returned 2 [0168.173] lstrcpyW (in: lpString1=0x3caa17c, lpString2="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3") returned="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3" [0168.173] lstrcpyW (in: lpString1=0x3c9a17c, lpString2="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3") returned="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3" [0168.173] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3", lpString2=".065DAE974C3664024AEA457121AC8BA3E3FBB71C993A8B8501A7A28AE7D4586A" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3.065DAE974C3664024AEA457121AC8BA3E3FBB71C993A8B8501A7A28AE7D4586A") returned="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3.065DAE974C3664024AEA457121AC8BA3E3FBB71C993A8B8501A7A28AE7D4586A" [0168.173] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x94, CompletionKey=0x3c9a148, NumberOfConcurrentThreads=0x0) returned 0x94 [0168.173] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c9a148, lpOverlapped=0x3c9a148) returned 1 [0168.174] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8031a7b6, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7be38a97, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7be5ebf7, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x3ec5d2, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Maid with the Flaxen Hair.mp3", cAlternateFileName="MAIDWI~1.MP3")) returned 1 [0168.174] lstrcmpiW (lpString1="Maid with the Flaxen Hair.mp3", lpString2="Windows") returned -1 [0168.174] lstrcmpiW (lpString1="Maid with the Flaxen Hair.mp3", lpString2="Program Files") returned -1 [0168.174] lstrcmpiW (lpString1="Maid with the Flaxen Hair.mp3", lpString2="Program Files (x86)") returned -1 [0168.174] lstrcmpiW (lpString1="Maid with the Flaxen Hair.mp3", lpString2="$Recycle.bin") returned 1 [0168.224] lstrcmpiW (lpString1="Maid with the Flaxen Hair.mp3", lpString2="System Volume Information") returned -1 [0168.224] lstrcmpiW (lpString1="Maid with the Flaxen Hair.mp3", lpString2=".") returned 1 [0168.224] lstrcmpiW (lpString1="Maid with the Flaxen Hair.mp3", lpString2="..") returned 1 [0168.224] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3") returned 68 [0168.224] lstrcmpW (lpString1="Maid with the Flaxen Hair.mp3", lpString2="PUSSY.TXT") returned -1 [0168.224] PathFindExtensionW (pszPath="Maid with the Flaxen Hair.mp3") returned=".mp3" [0168.224] lstrlenW (lpString=".mp3") returned 4 [0168.224] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0168.224] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3" (normalized: "c:\\users\\public\\music\\sample music\\maid with the flaxen hair.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0168.225] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=4113874) returned 1 [0168.225] GetProcessHeap () returned 0x4c0000 [0168.225] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b500b8 [0168.242] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="3E") returned 2 [0168.242] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="1D") returned 2 [0168.242] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="55") returned 2 [0168.242] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="ED") returned 2 [0168.242] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="B7") returned 2 [0168.242] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="FA") returned 2 [0168.242] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="C8") returned 2 [0168.242] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="46") returned 2 [0168.242] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="D2") returned 2 [0168.242] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="FB") returned 2 [0168.242] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="66") returned 2 [0168.242] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="90") returned 2 [0168.242] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="1C") returned 2 [0168.242] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="47") returned 2 [0168.242] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="A2") returned 2 [0168.242] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="C4") returned 2 [0168.242] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="7A") returned 2 [0168.242] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="64") returned 2 [0168.242] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="09") returned 2 [0168.243] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="80") returned 2 [0168.243] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="81") returned 2 [0168.243] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="84") returned 2 [0168.243] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="08") returned 2 [0168.243] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="57") returned 2 [0168.243] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="7E") returned 2 [0168.243] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="2A") returned 2 [0168.243] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="48") returned 2 [0168.243] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="46") returned 2 [0168.243] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="9F") returned 2 [0168.243] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="EF") returned 2 [0168.243] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="E8") returned 2 [0168.243] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="60") returned 2 [0168.258] lstrcpyW (in: lpString1=0x3b600ec, lpString2="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3") returned="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3" [0168.258] lstrcpyW (in: lpString1=0x3b500ec, lpString2="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3") returned="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3" [0168.258] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3", lpString2=".3E1D55EDB7FAC846D2FB66901C47A2C47A640980818408577E2A48469FEFE860" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3.3E1D55EDB7FAC846D2FB66901C47A2C47A640980818408577E2A48469FEFE860") returned="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3.3E1D55EDB7FAC846D2FB66901C47A2C47A640980818408577E2A48469FEFE860" [0168.258] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x3b500b8, NumberOfConcurrentThreads=0x0) returned 0x94 [0168.258] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b500b8, lpOverlapped=0x3b500b8) returned 1 [0168.259] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x802f4656, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7be38a97, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7be38a97, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x49e459, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Sleep Away.mp3", cAlternateFileName="SLEEPA~1.MP3")) returned 1 [0168.259] lstrcmpiW (lpString1="Sleep Away.mp3", lpString2="Windows") returned -1 [0168.259] lstrcmpiW (lpString1="Sleep Away.mp3", lpString2="Program Files") returned 1 [0168.259] lstrcmpiW (lpString1="Sleep Away.mp3", lpString2="Program Files (x86)") returned 1 [0168.259] lstrcmpiW (lpString1="Sleep Away.mp3", lpString2="$Recycle.bin") returned 1 [0168.259] lstrcmpiW (lpString1="Sleep Away.mp3", lpString2="System Volume Information") returned -1 [0168.259] lstrcmpiW (lpString1="Sleep Away.mp3", lpString2=".") returned 1 [0168.259] lstrcmpiW (lpString1="Sleep Away.mp3", lpString2="..") returned 1 [0168.259] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3") returned 53 [0168.260] lstrcmpW (lpString1="Sleep Away.mp3", lpString2="PUSSY.TXT") returned 1 [0168.260] PathFindExtensionW (pszPath="Sleep Away.mp3") returned=".mp3" [0168.260] lstrlenW (lpString=".mp3") returned 4 [0168.260] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0168.260] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3" (normalized: "c:\\users\\public\\music\\sample music\\sleep away.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x190 [0168.261] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=4842585) returned 1 [0168.261] GetProcessHeap () returned 0x4c0000 [0168.261] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b78108 [0168.318] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="F1") returned 2 [0168.318] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="04") returned 2 [0168.318] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="DC") returned 2 [0168.318] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="F4") returned 2 [0168.318] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="E2") returned 2 [0168.318] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="59") returned 2 [0168.318] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="13") returned 2 [0168.318] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="12") returned 2 [0168.318] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="48") returned 2 [0168.318] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="C3") returned 2 [0168.318] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="AD") returned 2 [0168.318] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="20") returned 2 [0168.318] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="FC") returned 2 [0168.318] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="D7") returned 2 [0168.319] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="C9") returned 2 [0168.319] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="C9") returned 2 [0168.319] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="E4") returned 2 [0168.319] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="44") returned 2 [0168.319] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="10") returned 2 [0168.319] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="AF") returned 2 [0168.319] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="0E") returned 2 [0168.319] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="88") returned 2 [0168.319] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="32") returned 2 [0168.319] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="87") returned 2 [0168.319] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="E2") returned 2 [0168.319] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="F8") returned 2 [0168.319] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="3F") returned 2 [0168.319] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="B9") returned 2 [0168.319] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="8D") returned 2 [0168.319] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="4D") returned 2 [0168.319] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="F6") returned 2 [0168.319] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="77") returned 2 [0168.355] lstrcpyW (in: lpString1=0x3b8813c, lpString2="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3") returned="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3" [0168.355] lstrcpyW (in: lpString1=0x3b7813c, lpString2="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3") returned="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3" [0168.355] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3", lpString2=".F104DCF4E259131248C3AD20FCD7C9C9E44410AF0E883287E2F83FB98D4DF677" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3.F104DCF4E259131248C3AD20FCD7C9C9E44410AF0E883287E2F83FB98D4DF677") returned="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3.F104DCF4E259131248C3AD20FCD7C9C9E44410AF0E883287E2F83FB98D4DF677" [0168.355] CreateIoCompletionPort (FileHandle=0x190, ExistingCompletionPort=0x94, CompletionKey=0x3b78108, NumberOfConcurrentThreads=0x0) returned 0x94 [0168.355] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b78108, lpOverlapped=0x3b78108) returned 1 [0168.356] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x802f4656, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7be38a97, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7be38a97, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x49e459, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Sleep Away.mp3", cAlternateFileName="SLEEPA~1.MP3")) returned 0 [0168.356] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0168.356] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\PUSSY.TXT") returned 48 [0168.412] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\PUSSY.TXT" (normalized: "c:\\users\\public\\music\\sample music\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0168.413] lstrlenA (lpString="abcd") returned 4 [0168.413] WriteFile (in: hFile=0x178, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0168.414] CloseHandle (hObject=0x178) returned 1 [0168.414] GetProcessHeap () returned 0x4c0000 [0168.414] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0168.417] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8031a7b6, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="Sample Music", cAlternateFileName="SAMPLE~1")) returned 0 [0168.417] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0168.417] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Music\\PUSSY.TXT") returned 35 [0168.418] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\PUSSY.TXT" (normalized: "c:\\users\\public\\music\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0168.418] lstrlenA (lpString="abcd") returned 4 [0168.418] WriteFile (in: hFile=0x1d8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0168.420] CloseHandle (hObject=0x1d8) returned 1 [0168.420] GetProcessHeap () returned 0x4c0000 [0168.420] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0168.420] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Pictures", cAlternateFileName="")) returned 1 [0168.420] lstrcmpiW (lpString1="Pictures", lpString2="Windows") returned -1 [0168.420] lstrcmpiW (lpString1="Pictures", lpString2="Program Files") returned -1 [0168.420] lstrcmpiW (lpString1="Pictures", lpString2="Program Files (x86)") returned -1 [0168.420] lstrcmpiW (lpString1="Pictures", lpString2="$Recycle.bin") returned 1 [0168.420] lstrcmpiW (lpString1="Pictures", lpString2="System Volume Information") returned -1 [0168.420] lstrcmpiW (lpString1="Pictures", lpString2=".") returned 1 [0168.420] lstrcmpiW (lpString1="Pictures", lpString2="..") returned 1 [0168.420] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures") returned 28 [0168.420] GetProcessHeap () returned 0x4c0000 [0168.420] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0168.420] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\Public\\Pictures" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures") returned="\\\\?\\C:\\Users\\Public\\Pictures" [0168.420] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Pictures", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\*") returned="\\\\?\\C:\\Users\\Public\\Pictures\\*" [0168.420] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0168.420] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0168.421] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0168.421] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0168.421] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0168.421] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0168.421] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0168.421] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0168.421] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0168.421] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0168.421] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0168.421] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0168.421] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0168.421] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0168.421] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0168.421] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x282dfaee, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0168.421] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0168.421] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0168.421] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0168.421] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0168.421] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0168.421] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0168.421] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0168.421] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\desktop.ini") returned 40 [0168.422] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0168.422] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0168.422] lstrlenW (lpString=".ini") returned 4 [0168.422] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0168.422] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\desktop.ini" (normalized: "c:\\users\\public\\pictures\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0168.422] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=380) returned 1 [0168.423] CloseHandle (hObject=0x178) returned 1 [0168.423] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="Sample Pictures", cAlternateFileName="SAMPLE~1")) returned 1 [0168.423] lstrcmpiW (lpString1="Sample Pictures", lpString2="Windows") returned -1 [0168.423] lstrcmpiW (lpString1="Sample Pictures", lpString2="Program Files") returned 1 [0168.423] lstrcmpiW (lpString1="Sample Pictures", lpString2="Program Files (x86)") returned 1 [0168.423] lstrcmpiW (lpString1="Sample Pictures", lpString2="$Recycle.bin") returned 1 [0168.423] lstrcmpiW (lpString1="Sample Pictures", lpString2="System Volume Information") returned -1 [0168.423] lstrcmpiW (lpString1="Sample Pictures", lpString2=".") returned 1 [0168.423] lstrcmpiW (lpString1="Sample Pictures", lpString2="..") returned 1 [0168.423] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures") returned 44 [0168.423] GetProcessHeap () returned 0x4c0000 [0168.423] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0168.424] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures") returned="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures" [0168.424] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\*") returned="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\*" [0168.424] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0168.427] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0168.427] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0168.427] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0168.427] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0168.427] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0168.427] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0168.427] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0168.427] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0168.427] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0168.427] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0168.428] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0168.428] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0168.428] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0168.428] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0168.428] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7beaaeb8, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7beaaeb8, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0xd6b22, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Chrysanthemum.jpg", cAlternateFileName="CHRYSA~1.JPG")) returned 1 [0168.428] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2="Windows") returned -1 [0168.428] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2="Program Files") returned -1 [0168.428] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2="Program Files (x86)") returned -1 [0168.428] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2="$Recycle.bin") returned 1 [0168.428] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2="System Volume Information") returned -1 [0168.428] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2=".") returned 1 [0168.428] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2="..") returned 1 [0168.428] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg") returned 62 [0168.428] lstrcmpW (lpString1="Chrysanthemum.jpg", lpString2="PUSSY.TXT") returned -1 [0168.428] PathFindExtensionW (pszPath="Chrysanthemum.jpg") returned=".jpg" [0168.428] lstrlenW (lpString=".jpg") returned 4 [0168.428] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0168.428] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\chrysanthemum.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xec [0168.430] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=879394) returned 1 [0168.430] GetProcessHeap () returned 0x4c0000 [0168.430] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3b28068 [0168.446] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="03") returned 2 [0168.446] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="80") returned 2 [0168.446] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="3B") returned 2 [0168.446] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="A1") returned 2 [0168.446] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="78") returned 2 [0168.446] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="51") returned 2 [0168.446] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="DE") returned 2 [0168.446] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="8C") returned 2 [0168.447] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="40") returned 2 [0168.447] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="B3") returned 2 [0168.447] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="3E") returned 2 [0168.447] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="9B") returned 2 [0168.447] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="F9") returned 2 [0168.447] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="F6") returned 2 [0168.447] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="5C") returned 2 [0168.447] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="46") returned 2 [0168.447] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="2D") returned 2 [0168.447] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="76") returned 2 [0168.447] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="3D") returned 2 [0168.447] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="F6") returned 2 [0168.447] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="0D") returned 2 [0168.447] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="88") returned 2 [0168.447] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="1D") returned 2 [0168.447] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="D1") returned 2 [0168.447] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="2C") returned 2 [0168.447] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="56") returned 2 [0168.447] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="69") returned 2 [0168.447] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="37") returned 2 [0168.447] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="6B") returned 2 [0168.447] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="FF") returned 2 [0168.447] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="8C") returned 2 [0168.447] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="4E") returned 2 [0168.462] lstrcpyW (in: lpString1=0x3b3809c, lpString2="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg") returned="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg" [0168.462] lstrcpyW (in: lpString1=0x3b2809c, lpString2="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg") returned="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg" [0168.462] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg", lpString2=".03803BA17851DE8C40B33E9BF9F65C462D763DF60D881DD12C5669376BFF8C4E" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg.03803BA17851DE8C40B33E9BF9F65C462D763DF60D881DD12C5669376BFF8C4E") returned="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg.03803BA17851DE8C40B33E9BF9F65C462D763DF60D881DD12C5669376BFF8C4E" [0168.462] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x94, CompletionKey=0x3b28068, NumberOfConcurrentThreads=0x0) returned 0x94 [0168.462] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3b28068, lpOverlapped=0x3b28068) returned 1 [0168.463] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8031a7b6, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7be84d57, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7be84d57, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0xce875, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Desert.jpg", cAlternateFileName="")) returned 1 [0168.463] lstrcmpiW (lpString1="Desert.jpg", lpString2="Windows") returned -1 [0168.463] lstrcmpiW (lpString1="Desert.jpg", lpString2="Program Files") returned -1 [0168.463] lstrcmpiW (lpString1="Desert.jpg", lpString2="Program Files (x86)") returned -1 [0168.463] lstrcmpiW (lpString1="Desert.jpg", lpString2="$Recycle.bin") returned 1 [0168.463] lstrcmpiW (lpString1="Desert.jpg", lpString2="System Volume Information") returned -1 [0168.463] lstrcmpiW (lpString1="Desert.jpg", lpString2=".") returned 1 [0168.463] lstrcmpiW (lpString1="Desert.jpg", lpString2="..") returned 1 [0168.463] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg") returned 55 [0168.463] lstrcmpW (lpString1="Desert.jpg", lpString2="PUSSY.TXT") returned -1 [0168.463] PathFindExtensionW (pszPath="Desert.jpg") returned=".jpg" [0168.463] lstrlenW (lpString=".jpg") returned 4 [0168.463] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0168.463] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\desert.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0168.464] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=845941) returned 1 [0168.464] GetProcessHeap () returned 0x4c0000 [0168.464] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c720f8 [0168.479] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="69") returned 2 [0168.479] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="2A") returned 2 [0168.479] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="55") returned 2 [0168.479] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="DE") returned 2 [0168.479] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="63") returned 2 [0168.479] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="91") returned 2 [0168.479] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="2B") returned 2 [0168.479] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="8D") returned 2 [0168.479] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="8F") returned 2 [0168.479] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="C8") returned 2 [0168.479] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="25") returned 2 [0168.479] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="F0") returned 2 [0168.479] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="77") returned 2 [0168.479] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="AE") returned 2 [0168.479] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="B4") returned 2 [0168.479] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="89") returned 2 [0168.479] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="3F") returned 2 [0168.479] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="27") returned 2 [0168.479] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="4F") returned 2 [0168.479] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="02") returned 2 [0168.480] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="C2") returned 2 [0168.480] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="BF") returned 2 [0168.480] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="01") returned 2 [0168.480] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="54") returned 2 [0168.480] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="B2") returned 2 [0168.480] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="9A") returned 2 [0168.480] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="FB") returned 2 [0168.480] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="EC") returned 2 [0168.480] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="FD") returned 2 [0168.480] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="21") returned 2 [0168.480] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="6C") returned 2 [0168.480] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="19") returned 2 [0168.492] lstrcpyW (in: lpString1=0x3c8212c, lpString2="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg") returned="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg" [0168.492] lstrcpyW (in: lpString1=0x3c7212c, lpString2="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg") returned="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg" [0168.492] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg", lpString2=".692A55DE63912B8D8FC825F077AEB4893F274F02C2BF0154B29AFBECFD216C19" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg.692A55DE63912B8D8FC825F077AEB4893F274F02C2BF0154B29AFBECFD216C19") returned="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg.692A55DE63912B8D8FC825F077AEB4893F274F02C2BF0154B29AFBECFD216C19" [0168.492] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x3c720f8, NumberOfConcurrentThreads=0x0) returned 0x94 [0168.492] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c720f8, lpOverlapped=0x3c720f8) returned 1 [0168.492] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7beaaeb8, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x460, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0168.492] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0168.492] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0168.492] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0168.492] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0168.492] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0168.492] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0168.492] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0168.492] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\desktop.ini") returned 56 [0168.493] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0168.493] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0168.493] lstrlenW (lpString=".ini") returned 4 [0168.493] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0168.493] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\desktop.ini" (normalized: "c:\\users\\public\\pictures\\sample pictures\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x18c [0168.495] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=1120) returned 1 [0168.495] GetProcessHeap () returned 0x4c0000 [0168.495] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c9a148 [0168.610] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="01") returned 2 [0168.610] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="A3") returned 2 [0168.610] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="29") returned 2 [0168.610] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="40") returned 2 [0168.610] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="72") returned 2 [0168.610] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="7E") returned 2 [0168.610] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="76") returned 2 [0168.610] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="68") returned 2 [0168.610] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="04") returned 2 [0168.610] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="04") returned 2 [0168.610] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="1C") returned 2 [0168.610] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="9B") returned 2 [0168.611] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="63") returned 2 [0168.611] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="B2") returned 2 [0168.611] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="EA") returned 2 [0168.611] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="42") returned 2 [0168.611] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="AE") returned 2 [0168.611] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="04") returned 2 [0168.611] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="05") returned 2 [0168.611] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="AB") returned 2 [0168.611] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="87") returned 2 [0168.611] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="C8") returned 2 [0168.611] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="61") returned 2 [0168.611] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="08") returned 2 [0168.611] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="49") returned 2 [0168.611] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="05") returned 2 [0168.611] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="29") returned 2 [0168.611] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="EE") returned 2 [0168.611] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="61") returned 2 [0168.611] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="D9") returned 2 [0168.611] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="AF") returned 2 [0168.611] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="28") returned 2 [0168.620] lstrcpyW (in: lpString1=0x3caa17c, lpString2="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\desktop.ini") returned="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\desktop.ini" [0168.620] lstrcpyW (in: lpString1=0x3c9a17c, lpString2="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\desktop.ini") returned="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\desktop.ini" [0168.620] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\desktop.ini", lpString2=".01A32940727E766804041C9B63B2EA42AE0405AB87C86108490529EE61D9AF28" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\desktop.ini.01A32940727E766804041C9B63B2EA42AE0405AB87C86108490529EE61D9AF28") returned="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\desktop.ini.01A32940727E766804041C9B63B2EA42AE0405AB87C86108490529EE61D9AF28" [0168.620] CreateIoCompletionPort (FileHandle=0x18c, ExistingCompletionPort=0x94, CompletionKey=0x3c9a148, NumberOfConcurrentThreads=0x0) returned 0x94 [0168.620] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c9a148, lpOverlapped=0x3c9a148) returned 1 [0168.624] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8031a7b6, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7be84d57, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7be84d57, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x91554, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Hydrangeas.jpg", cAlternateFileName="HYDRAN~1.JPG")) returned 1 [0168.624] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2="Windows") returned -1 [0168.624] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2="Program Files") returned -1 [0168.624] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2="Program Files (x86)") returned -1 [0168.624] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2="$Recycle.bin") returned 1 [0168.624] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2="System Volume Information") returned -1 [0168.624] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2=".") returned 1 [0168.624] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2="..") returned 1 [0168.624] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg") returned 59 [0168.624] lstrcmpW (lpString1="Hydrangeas.jpg", lpString2="PUSSY.TXT") returned -1 [0168.624] PathFindExtensionW (pszPath="Hydrangeas.jpg") returned=".jpg" [0168.624] lstrlenW (lpString=".jpg") returned 4 [0168.624] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0168.624] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\hydrangeas.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0168.625] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=595284) returned 1 [0168.625] GetProcessHeap () returned 0x4c0000 [0168.625] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c720f8 [0168.633] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="00") returned 2 [0168.633] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="48") returned 2 [0168.633] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="41") returned 2 [0168.633] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="F2") returned 2 [0168.633] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="9E") returned 2 [0168.633] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="71") returned 2 [0168.633] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="97") returned 2 [0168.634] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="71") returned 2 [0168.634] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="3E") returned 2 [0168.634] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="0A") returned 2 [0168.634] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="76") returned 2 [0168.634] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="1D") returned 2 [0168.634] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="F0") returned 2 [0168.634] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="67") returned 2 [0168.634] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="C1") returned 2 [0168.634] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="CA") returned 2 [0168.634] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="41") returned 2 [0168.634] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="7D") returned 2 [0168.634] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="F1") returned 2 [0168.634] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="A5") returned 2 [0168.634] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="E1") returned 2 [0168.634] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="57") returned 2 [0168.634] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="CE") returned 2 [0168.634] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="12") returned 2 [0168.634] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="7B") returned 2 [0168.634] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="A1") returned 2 [0168.634] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="F3") returned 2 [0168.634] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="27") returned 2 [0168.634] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="F7") returned 2 [0168.634] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="41") returned 2 [0168.634] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="1E") returned 2 [0168.634] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="7A") returned 2 [0168.643] lstrcpyW (in: lpString1=0x3c8212c, lpString2="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg") returned="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg" [0168.643] lstrcpyW (in: lpString1=0x3c7212c, lpString2="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg") returned="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg" [0168.643] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg", lpString2=".004841F29E7197713E0A761DF067C1CA417DF1A5E157CE127BA1F327F7411E7A" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.004841F29E7197713E0A761DF067C1CA417DF1A5E157CE127BA1F327F7411E7A") returned="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.004841F29E7197713E0A761DF067C1CA417DF1A5E157CE127BA1F327F7411E7A" [0168.644] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x3c720f8, NumberOfConcurrentThreads=0x0) returned 0x94 [0168.644] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c720f8, lpOverlapped=0x3c720f8) returned 1 [0168.675] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8031a7b6, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7beaaeb8, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7beaaeb8, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0xbd616, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Jellyfish.jpg", cAlternateFileName="JELLYF~1.JPG")) returned 1 [0168.675] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2="Windows") returned -1 [0168.676] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2="Program Files") returned -1 [0168.676] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2="Program Files (x86)") returned -1 [0168.676] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2="$Recycle.bin") returned 1 [0168.676] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2="System Volume Information") returned -1 [0168.676] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2=".") returned 1 [0168.676] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2="..") returned 1 [0168.676] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg") returned 58 [0168.676] lstrcmpW (lpString1="Jellyfish.jpg", lpString2="PUSSY.TXT") returned -1 [0168.676] PathFindExtensionW (pszPath="Jellyfish.jpg") returned=".jpg" [0168.676] lstrlenW (lpString=".jpg") returned 4 [0168.676] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0168.676] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\jellyfish.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xec [0168.677] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=775702) returned 1 [0168.677] GetProcessHeap () returned 0x4c0000 [0168.677] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c00048 [0168.688] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="74") returned 2 [0168.688] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="33") returned 2 [0168.688] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="B8") returned 2 [0168.688] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="A1") returned 2 [0168.688] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="63") returned 2 [0168.688] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="EA") returned 2 [0168.688] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="0D") returned 2 [0168.688] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="77") returned 2 [0168.688] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="45") returned 2 [0168.688] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="1E") returned 2 [0168.688] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="FE") returned 2 [0168.688] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="04") returned 2 [0168.688] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="06") returned 2 [0168.688] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="3D") returned 2 [0168.688] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="93") returned 2 [0168.688] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="10") returned 2 [0168.688] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="2E") returned 2 [0168.688] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="F4") returned 2 [0168.688] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="C6") returned 2 [0168.688] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="04") returned 2 [0168.688] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="E1") returned 2 [0168.688] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="03") returned 2 [0168.688] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="CE") returned 2 [0168.689] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="FC") returned 2 [0168.689] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="4B") returned 2 [0168.689] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="EF") returned 2 [0168.689] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="9D") returned 2 [0168.689] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="62") returned 2 [0168.689] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="28") returned 2 [0168.689] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="D0") returned 2 [0168.689] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="59") returned 2 [0168.689] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="60") returned 2 [0168.697] lstrcpyW (in: lpString1=0x3c1007c, lpString2="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg") returned="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg" [0168.697] lstrcpyW (in: lpString1=0x3c0007c, lpString2="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg") returned="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg" [0168.697] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg", lpString2=".7433B8A163EA0D77451EFE04063D93102EF4C604E103CEFC4BEF9D6228D05960" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.7433B8A163EA0D77451EFE04063D93102EF4C604E103CEFC4BEF9D6228D05960") returned="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.7433B8A163EA0D77451EFE04063D93102EF4C604E103CEFC4BEF9D6228D05960" [0168.697] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x94, CompletionKey=0x3c00048, NumberOfConcurrentThreads=0x0) returned 0x94 [0168.697] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c00048, lpOverlapped=0x3c00048) returned 1 [0168.697] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8031a7b6, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7be84d57, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7be84d57, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0xbea1f, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Koala.jpg", cAlternateFileName="")) returned 1 [0168.697] lstrcmpiW (lpString1="Koala.jpg", lpString2="Windows") returned -1 [0168.697] lstrcmpiW (lpString1="Koala.jpg", lpString2="Program Files") returned -1 [0168.697] lstrcmpiW (lpString1="Koala.jpg", lpString2="Program Files (x86)") returned -1 [0168.697] lstrcmpiW (lpString1="Koala.jpg", lpString2="$Recycle.bin") returned 1 [0168.697] lstrcmpiW (lpString1="Koala.jpg", lpString2="System Volume Information") returned -1 [0168.697] lstrcmpiW (lpString1="Koala.jpg", lpString2=".") returned 1 [0168.697] lstrcmpiW (lpString1="Koala.jpg", lpString2="..") returned 1 [0168.697] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg") returned 54 [0168.698] lstrcmpW (lpString1="Koala.jpg", lpString2="PUSSY.TXT") returned -1 [0168.698] PathFindExtensionW (pszPath="Koala.jpg") returned=".jpg" [0168.698] lstrlenW (lpString=".jpg") returned 4 [0168.698] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0168.698] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\koala.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x190 [0168.698] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=780831) returned 1 [0168.698] GetProcessHeap () returned 0x4c0000 [0168.699] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c28098 [0168.709] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="E2") returned 2 [0168.709] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="0B") returned 2 [0168.709] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="95") returned 2 [0168.709] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="3B") returned 2 [0168.709] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="A9") returned 2 [0168.709] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="42") returned 2 [0168.709] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="83") returned 2 [0168.709] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="3D") returned 2 [0168.709] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="9C") returned 2 [0168.709] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="35") returned 2 [0168.709] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="FF") returned 2 [0168.709] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="7A") returned 2 [0168.709] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="14") returned 2 [0168.709] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="56") returned 2 [0168.709] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="9A") returned 2 [0168.709] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="6F") returned 2 [0168.709] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="B2") returned 2 [0168.710] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="5A") returned 2 [0168.710] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="03") returned 2 [0168.710] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="B4") returned 2 [0168.710] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="DA") returned 2 [0168.710] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="6B") returned 2 [0168.710] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="B2") returned 2 [0168.710] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="63") returned 2 [0168.710] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="B8") returned 2 [0168.710] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="E4") returned 2 [0168.710] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="3D") returned 2 [0168.710] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="A7") returned 2 [0168.710] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="0F") returned 2 [0168.710] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="7D") returned 2 [0168.710] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="87") returned 2 [0168.710] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="5C") returned 2 [0168.719] lstrcpyW (in: lpString1=0x3c380cc, lpString2="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg") returned="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg" [0168.719] lstrcpyW (in: lpString1=0x3c280cc, lpString2="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg") returned="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg" [0168.719] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg", lpString2=".E20B953BA942833D9C35FF7A14569A6FB25A03B4DA6BB263B8E43DA70F7D875C" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg.E20B953BA942833D9C35FF7A14569A6FB25A03B4DA6BB263B8E43DA70F7D875C") returned="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg.E20B953BA942833D9C35FF7A14569A6FB25A03B4DA6BB263B8E43DA70F7D875C" [0168.719] CreateIoCompletionPort (FileHandle=0x190, ExistingCompletionPort=0x94, CompletionKey=0x3c28098, NumberOfConcurrentThreads=0x0) returned 0x94 [0168.719] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c28098, lpOverlapped=0x3c28098) returned 1 [0168.719] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7beaaeb8, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7beaaeb8, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x8907c, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Lighthouse.jpg", cAlternateFileName="LIGHTH~1.JPG")) returned 1 [0168.719] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2="Windows") returned -1 [0168.719] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2="Program Files") returned -1 [0168.719] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2="Program Files (x86)") returned -1 [0168.719] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2="$Recycle.bin") returned 1 [0168.719] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2="System Volume Information") returned -1 [0168.719] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2=".") returned 1 [0168.719] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2="..") returned 1 [0168.719] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg") returned 59 [0168.719] lstrcmpW (lpString1="Lighthouse.jpg", lpString2="PUSSY.TXT") returned -1 [0168.719] PathFindExtensionW (pszPath="Lighthouse.jpg") returned=".jpg" [0168.719] lstrlenW (lpString=".jpg") returned 4 [0168.719] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0168.719] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\lighthouse.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x184 [0168.721] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=561276) returned 1 [0168.722] GetProcessHeap () returned 0x4c0000 [0168.722] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x502a88 [0168.732] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="12") returned 2 [0168.732] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="B7") returned 2 [0168.732] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="25") returned 2 [0168.732] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="DA") returned 2 [0168.733] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="DE") returned 2 [0168.733] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="79") returned 2 [0168.733] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="02") returned 2 [0168.733] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="31") returned 2 [0168.733] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="1C") returned 2 [0168.733] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="2E") returned 2 [0168.733] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="5F") returned 2 [0168.733] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="55") returned 2 [0168.733] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="56") returned 2 [0168.733] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="DE") returned 2 [0168.733] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="B7") returned 2 [0168.733] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="AA") returned 2 [0168.733] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="B5") returned 2 [0168.733] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="0B") returned 2 [0168.733] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="A1") returned 2 [0168.733] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="1A") returned 2 [0168.733] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="A6") returned 2 [0168.733] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="A6") returned 2 [0168.733] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="C6") returned 2 [0168.733] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="D8") returned 2 [0168.733] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="4E") returned 2 [0168.733] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="3A") returned 2 [0168.733] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="07") returned 2 [0168.733] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="27") returned 2 [0168.734] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="F9") returned 2 [0168.734] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="DC") returned 2 [0168.734] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="39") returned 2 [0168.734] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="4F") returned 2 [0168.869] lstrcpyW (in: lpString1=0x512abc, lpString2="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg") returned="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg" [0168.869] lstrcpyW (in: lpString1=0x502abc, lpString2="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg") returned="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg" [0168.869] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg", lpString2=".12B725DADE7902311C2E5F5556DEB7AAB50BA11AA6A6C6D84E3A0727F9DC394F" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg.12B725DADE7902311C2E5F5556DEB7AAB50BA11AA6A6C6D84E3A0727F9DC394F") returned="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg.12B725DADE7902311C2E5F5556DEB7AAB50BA11AA6A6C6D84E3A0727F9DC394F" [0168.869] CreateIoCompletionPort (FileHandle=0x184, ExistingCompletionPort=0x94, CompletionKey=0x502a88, NumberOfConcurrentThreads=0x0) returned 0x94 [0168.869] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x502a88, lpOverlapped=0x502a88) returned 1 [0168.869] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8031a7b6, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7be84d57, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7beaaeb8, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0xbde6b, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Penguins.jpg", cAlternateFileName="")) returned 1 [0168.869] lstrcmpiW (lpString1="Penguins.jpg", lpString2="Windows") returned -1 [0168.869] lstrcmpiW (lpString1="Penguins.jpg", lpString2="Program Files") returned -1 [0168.869] lstrcmpiW (lpString1="Penguins.jpg", lpString2="Program Files (x86)") returned -1 [0168.869] lstrcmpiW (lpString1="Penguins.jpg", lpString2="$Recycle.bin") returned 1 [0168.906] lstrcmpiW (lpString1="Penguins.jpg", lpString2="System Volume Information") returned -1 [0168.906] lstrcmpiW (lpString1="Penguins.jpg", lpString2=".") returned 1 [0168.906] lstrcmpiW (lpString1="Penguins.jpg", lpString2="..") returned 1 [0168.906] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg") returned 57 [0168.906] lstrcmpW (lpString1="Penguins.jpg", lpString2="PUSSY.TXT") returned -1 [0168.906] PathFindExtensionW (pszPath="Penguins.jpg") returned=".jpg" [0168.906] lstrlenW (lpString=".jpg") returned 4 [0168.906] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0168.906] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\penguins.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x190 [0168.907] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=777835) returned 1 [0168.907] GetProcessHeap () returned 0x4c0000 [0168.907] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c720f8 [0168.918] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="67") returned 2 [0168.918] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="55") returned 2 [0168.918] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="46") returned 2 [0168.918] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="6A") returned 2 [0168.918] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="CF") returned 2 [0168.918] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="CD") returned 2 [0168.918] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="E7") returned 2 [0168.918] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="4A") returned 2 [0168.918] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="82") returned 2 [0168.918] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="4A") returned 2 [0168.918] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="34") returned 2 [0168.918] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="68") returned 2 [0168.918] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="08") returned 2 [0168.918] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="42") returned 2 [0168.918] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="0A") returned 2 [0168.918] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="21") returned 2 [0168.918] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="E8") returned 2 [0168.918] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="5B") returned 2 [0168.918] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="EE") returned 2 [0168.918] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="7C") returned 2 [0168.918] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="D1") returned 2 [0168.918] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="7A") returned 2 [0168.918] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="A5") returned 2 [0168.918] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="28") returned 2 [0168.918] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="24") returned 2 [0168.918] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="57") returned 2 [0168.918] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="40") returned 2 [0168.918] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="CC") returned 2 [0168.918] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="1F") returned 2 [0168.918] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="80") returned 2 [0168.919] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="34") returned 2 [0168.919] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="12") returned 2 [0168.933] lstrcpyW (in: lpString1=0x3c8212c, lpString2="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg") returned="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg" [0168.933] lstrcpyW (in: lpString1=0x3c7212c, lpString2="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg") returned="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg" [0168.933] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg", lpString2=".6755466ACFCDE74A824A346808420A21E85BEE7CD17AA528245740CC1F803412" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg.6755466ACFCDE74A824A346808420A21E85BEE7CD17AA528245740CC1F803412") returned="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg.6755466ACFCDE74A824A346808420A21E85BEE7CD17AA528245740CC1F803412" [0168.933] CreateIoCompletionPort (FileHandle=0x190, ExistingCompletionPort=0x94, CompletionKey=0x3c720f8, NumberOfConcurrentThreads=0x0) returned 0x94 [0168.934] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c720f8, lpOverlapped=0x3c720f8) returned 1 [0168.934] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7beaaeb8, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7beaaeb8, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x97958, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Tulips.jpg", cAlternateFileName="")) returned 1 [0168.934] lstrcmpiW (lpString1="Tulips.jpg", lpString2="Windows") returned -1 [0168.934] lstrcmpiW (lpString1="Tulips.jpg", lpString2="Program Files") returned 1 [0168.934] lstrcmpiW (lpString1="Tulips.jpg", lpString2="Program Files (x86)") returned 1 [0168.934] lstrcmpiW (lpString1="Tulips.jpg", lpString2="$Recycle.bin") returned 1 [0168.934] lstrcmpiW (lpString1="Tulips.jpg", lpString2="System Volume Information") returned 1 [0168.934] lstrcmpiW (lpString1="Tulips.jpg", lpString2=".") returned 1 [0168.934] lstrcmpiW (lpString1="Tulips.jpg", lpString2="..") returned 1 [0168.934] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg") returned 55 [0168.935] lstrcmpW (lpString1="Tulips.jpg", lpString2="PUSSY.TXT") returned 1 [0168.935] PathFindExtensionW (pszPath="Tulips.jpg") returned=".jpg" [0168.935] lstrlenW (lpString=".jpg") returned 4 [0168.935] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0168.935] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\tulips.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xec [0168.936] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=620888) returned 1 [0168.936] GetProcessHeap () returned 0x4c0000 [0168.936] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c9a148 [0168.947] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="A6") returned 2 [0168.947] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="E0") returned 2 [0168.947] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="80") returned 2 [0168.947] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="6D") returned 2 [0168.947] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="D9") returned 2 [0168.947] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="D7") returned 2 [0168.947] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="9C") returned 2 [0168.947] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="C1") returned 2 [0168.947] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="6D") returned 2 [0168.947] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="F6") returned 2 [0168.947] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="F3") returned 2 [0168.947] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="E5") returned 2 [0168.947] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="67") returned 2 [0168.947] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="F9") returned 2 [0168.947] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="20") returned 2 [0168.947] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="F4") returned 2 [0168.947] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="94") returned 2 [0168.947] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="3F") returned 2 [0168.948] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="9F") returned 2 [0168.948] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="79") returned 2 [0168.948] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="7C") returned 2 [0168.948] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="87") returned 2 [0168.948] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="BD") returned 2 [0168.948] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="89") returned 2 [0168.948] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="08") returned 2 [0168.948] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="CD") returned 2 [0168.948] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="F8") returned 2 [0168.948] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="DE") returned 2 [0168.948] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="01") returned 2 [0168.948] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="DD") returned 2 [0168.948] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="BC") returned 2 [0168.948] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="36") returned 2 [0169.001] lstrcpyW (in: lpString1=0x3caa17c, lpString2="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg") returned="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg" [0169.001] lstrcpyW (in: lpString1=0x3c9a17c, lpString2="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg") returned="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg" [0169.001] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg", lpString2=".A6E0806DD9D79CC16DF6F3E567F920F4943F9F797C87BD8908CDF8DE01DDBC36" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg.A6E0806DD9D79CC16DF6F3E567F920F4943F9F797C87BD8908CDF8DE01DDBC36") returned="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg.A6E0806DD9D79CC16DF6F3E567F920F4943F9F797C87BD8908CDF8DE01DDBC36" [0169.001] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x94, CompletionKey=0x3c9a148, NumberOfConcurrentThreads=0x0) returned 0x94 [0169.001] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c9a148, lpOverlapped=0x3c9a148) returned 1 [0169.002] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7beaaeb8, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7beaaeb8, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x97958, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Tulips.jpg", cAlternateFileName="")) returned 0 [0169.002] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0169.038] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\PUSSY.TXT") returned 54 [0169.039] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\PUSSY.TXT" (normalized: "c:\\users\\public\\pictures\\sample pictures\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0169.039] lstrlenA (lpString="abcd") returned 4 [0169.040] WriteFile (in: hFile=0x178, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0169.040] CloseHandle (hObject=0x178) returned 1 [0169.041] GetProcessHeap () returned 0x4c0000 [0169.041] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0169.047] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="Sample Pictures", cAlternateFileName="SAMPLE~1")) returned 0 [0169.047] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0169.047] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\PUSSY.TXT") returned 38 [0169.047] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\PUSSY.TXT" (normalized: "c:\\users\\public\\pictures\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0169.048] lstrlenA (lpString="abcd") returned 4 [0169.048] WriteFile (in: hFile=0x1d8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0169.049] CloseHandle (hObject=0x1d8) returned 1 [0169.049] GetProcessHeap () returned 0x4c0000 [0169.049] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0169.049] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Recorded TV", cAlternateFileName="RECORD~1")) returned 1 [0169.049] lstrcmpiW (lpString1="Recorded TV", lpString2="Windows") returned -1 [0169.049] lstrcmpiW (lpString1="Recorded TV", lpString2="Program Files") returned 1 [0169.049] lstrcmpiW (lpString1="Recorded TV", lpString2="Program Files (x86)") returned 1 [0169.049] lstrcmpiW (lpString1="Recorded TV", lpString2="$Recycle.bin") returned 1 [0169.049] lstrcmpiW (lpString1="Recorded TV", lpString2="System Volume Information") returned -1 [0169.049] lstrcmpiW (lpString1="Recorded TV", lpString2=".") returned 1 [0169.049] lstrcmpiW (lpString1="Recorded TV", lpString2="..") returned 1 [0169.049] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Recorded TV") returned 31 [0169.049] GetProcessHeap () returned 0x4c0000 [0169.049] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0169.049] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\Public\\Recorded TV" | out: lpString1="\\\\?\\C:\\Users\\Public\\Recorded TV") returned="\\\\?\\C:\\Users\\Public\\Recorded TV" [0169.049] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Recorded TV", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Recorded TV\\*") returned="\\\\?\\C:\\Users\\Public\\Recorded TV\\*" [0169.049] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0169.050] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0169.050] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0169.050] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0169.050] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0169.050] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0169.050] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0169.050] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0169.050] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0169.050] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0169.050] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0169.050] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0169.050] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0169.050] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0169.050] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0169.050] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0x89e5e11e, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x89e5e11e, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0169.050] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0169.050] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0169.050] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0169.050] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0169.051] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0169.051] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0169.051] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0169.051] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Recorded TV\\desktop.ini") returned 43 [0169.051] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0169.051] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0169.051] lstrlenW (lpString=".ini") returned 4 [0169.051] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0169.051] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\desktop.ini" (normalized: "c:\\users\\public\\recorded tv\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x178 [0169.052] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=80) returned 1 [0169.052] CloseHandle (hObject=0x178) returned 1 [0169.052] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="Sample Media", cAlternateFileName="SAMPLE~1")) returned 1 [0169.052] lstrcmpiW (lpString1="Sample Media", lpString2="Windows") returned -1 [0169.052] lstrcmpiW (lpString1="Sample Media", lpString2="Program Files") returned 1 [0169.052] lstrcmpiW (lpString1="Sample Media", lpString2="Program Files (x86)") returned 1 [0169.052] lstrcmpiW (lpString1="Sample Media", lpString2="$Recycle.bin") returned 1 [0169.052] lstrcmpiW (lpString1="Sample Media", lpString2="System Volume Information") returned -1 [0169.052] lstrcmpiW (lpString1="Sample Media", lpString2=".") returned 1 [0169.053] lstrcmpiW (lpString1="Sample Media", lpString2="..") returned 1 [0169.053] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media") returned 44 [0169.053] GetProcessHeap () returned 0x4c0000 [0169.053] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0169.054] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media" | out: lpString1="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media") returned="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media" [0169.054] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\*") returned="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\*" [0169.054] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0169.054] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0169.054] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0169.054] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0169.054] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0169.054] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0169.054] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0169.054] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0169.054] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0169.054] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0169.055] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0169.055] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0169.055] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0169.055] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0169.055] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0169.055] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0x8a1f1b86, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x8a1f1b86, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0xab, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0169.055] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0169.055] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0169.055] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0169.055] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0169.055] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0169.055] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0169.055] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0169.055] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\desktop.ini") returned 56 [0169.055] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0169.055] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0169.055] lstrlenW (lpString=".ini") returned 4 [0169.055] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0169.055] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\desktop.ini" (normalized: "c:\\users\\public\\recorded tv\\sample media\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0169.056] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=171) returned 1 [0169.056] CloseHandle (hObject=0x19c) returned 1 [0169.056] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0x8a1f1b86, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x8a1f1b86, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x940000, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="win7_scenic-demoshort_raw.wtv", cAlternateFileName="WIN7_S~1.WTV")) returned 1 [0169.056] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="Windows") returned -1 [0169.056] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="Program Files") returned 1 [0169.056] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="Program Files (x86)") returned 1 [0169.056] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="$Recycle.bin") returned 1 [0169.056] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="System Volume Information") returned 1 [0169.056] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2=".") returned 1 [0169.056] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="..") returned 1 [0169.056] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv") returned 74 [0169.056] lstrcmpW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="PUSSY.TXT") returned 1 [0169.056] PathFindExtensionW (pszPath="win7_scenic-demoshort_raw.wtv") returned=".wtv" [0169.056] lstrlenW (lpString=".wtv") returned 4 [0169.056] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0169.057] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv" (normalized: "c:\\users\\public\\recorded tv\\sample media\\win7_scenic-demoshort_raw.wtv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0169.057] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=9699328) returned 1 [0169.057] GetProcessHeap () returned 0x4c0000 [0169.057] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x52aad8 [0169.067] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="26") returned 2 [0169.067] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="62") returned 2 [0169.067] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="19") returned 2 [0169.067] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="63") returned 2 [0169.067] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="F0") returned 2 [0169.067] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="04") returned 2 [0169.067] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="7F") returned 2 [0169.068] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="A2") returned 2 [0169.068] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="92") returned 2 [0169.068] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="11") returned 2 [0169.068] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="72") returned 2 [0169.068] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="D0") returned 2 [0169.068] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="F5") returned 2 [0169.068] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="1D") returned 2 [0169.068] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="EE") returned 2 [0169.068] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="1B") returned 2 [0169.068] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="32") returned 2 [0169.068] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="CB") returned 2 [0169.068] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="04") returned 2 [0169.068] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="EB") returned 2 [0169.068] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="AD") returned 2 [0169.068] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="9C") returned 2 [0169.068] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="04") returned 2 [0169.068] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="EF") returned 2 [0169.068] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="28") returned 2 [0169.068] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="AA") returned 2 [0169.068] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="08") returned 2 [0169.068] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="DE") returned 2 [0169.068] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="92") returned 2 [0169.068] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="D3") returned 2 [0169.068] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="89") returned 2 [0169.068] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="0D") returned 2 [0169.077] lstrcpyW (in: lpString1=0x53ab0c, lpString2="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv" | out: lpString1="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv") returned="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv" [0169.077] lstrcpyW (in: lpString1=0x52ab0c, lpString2="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv" | out: lpString1="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv") returned="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv" [0169.077] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv", lpString2=".26621963F0047FA2921172D0F51DEE1B32CB04EBAD9C04EF28AA08DE92D3890D" | out: lpString1="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv.26621963F0047FA2921172D0F51DEE1B32CB04EBAD9C04EF28AA08DE92D3890D") returned="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv.26621963F0047FA2921172D0F51DEE1B32CB04EBAD9C04EF28AA08DE92D3890D" [0169.077] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x94, CompletionKey=0x52aad8, NumberOfConcurrentThreads=0x0) returned 0x94 [0169.077] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x52aad8, lpOverlapped=0x52aad8) returned 1 [0169.077] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0x8a1f1b86, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x8a1f1b86, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x940000, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="win7_scenic-demoshort_raw.wtv", cAlternateFileName="WIN7_S~1.WTV")) returned 0 [0169.078] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0169.078] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\PUSSY.TXT") returned 54 [0169.078] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\PUSSY.TXT" (normalized: "c:\\users\\public\\recorded tv\\sample media\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0169.079] lstrlenA (lpString="abcd") returned 4 [0169.079] WriteFile (in: hFile=0x178, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0169.080] CloseHandle (hObject=0x178) returned 1 [0169.080] GetProcessHeap () returned 0x4c0000 [0169.080] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0169.080] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="Sample Media", cAlternateFileName="SAMPLE~1")) returned 0 [0169.080] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0169.080] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Recorded TV\\PUSSY.TXT") returned 41 [0169.080] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\PUSSY.TXT" (normalized: "c:\\users\\public\\recorded tv\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0169.081] lstrlenA (lpString="abcd") returned 4 [0169.081] WriteFile (in: hFile=0x1d8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0169.082] CloseHandle (hObject=0x1d8) returned 1 [0169.082] GetProcessHeap () returned 0x4c0000 [0169.082] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0169.084] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28886f39, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Videos", cAlternateFileName="")) returned 1 [0169.084] lstrcmpiW (lpString1="Videos", lpString2="Windows") returned -1 [0169.084] lstrcmpiW (lpString1="Videos", lpString2="Program Files") returned 1 [0169.084] lstrcmpiW (lpString1="Videos", lpString2="Program Files (x86)") returned 1 [0169.084] lstrcmpiW (lpString1="Videos", lpString2="$Recycle.bin") returned 1 [0169.084] lstrcmpiW (lpString1="Videos", lpString2="System Volume Information") returned 1 [0169.084] lstrcmpiW (lpString1="Videos", lpString2=".") returned 1 [0169.084] lstrcmpiW (lpString1="Videos", lpString2="..") returned 1 [0169.084] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Videos") returned 26 [0169.084] GetProcessHeap () returned 0x4c0000 [0169.084] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x5a6bd8 [0169.085] lstrcpyW (in: lpString1=0x5a6bd8, lpString2="\\\\?\\C:\\Users\\Public\\Videos" | out: lpString1="\\\\?\\C:\\Users\\Public\\Videos") returned="\\\\?\\C:\\Users\\Public\\Videos" [0169.085] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Videos", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\*") returned="\\\\?\\C:\\Users\\Public\\Videos\\*" [0169.085] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\*", lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28886f39, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb7060 [0169.085] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0169.085] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0169.085] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0169.085] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0169.085] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0169.085] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0169.085] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28886f39, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0169.085] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0169.085] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0169.085] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0169.085] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0169.086] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0169.086] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0169.086] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0169.086] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x282dfaee, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28886f39, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0169.086] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0169.086] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0169.086] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0169.086] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0169.166] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0169.166] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0169.166] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0169.166] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Videos\\desktop.ini") returned 38 [0169.166] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0169.166] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0169.166] lstrlenW (lpString=".ini") returned 4 [0169.166] SystemFunction036 (in: RandomBuffer=0x28dae4, RandomBufferLength=0x20 | out: RandomBuffer=0x28dae4) returned 1 [0169.166] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\desktop.ini" (normalized: "c:\\users\\public\\videos\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x19c [0169.167] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x28dad8 | out: lpFileSize=0x28dad8*=380) returned 1 [0169.167] CloseHandle (hObject=0x19c) returned 1 [0169.167] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x802f4656, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="Sample Videos", cAlternateFileName="SAMPLE~1")) returned 1 [0169.167] lstrcmpiW (lpString1="Sample Videos", lpString2="Windows") returned -1 [0169.167] lstrcmpiW (lpString1="Sample Videos", lpString2="Program Files") returned 1 [0169.167] lstrcmpiW (lpString1="Sample Videos", lpString2="Program Files (x86)") returned 1 [0169.167] lstrcmpiW (lpString1="Sample Videos", lpString2="$Recycle.bin") returned 1 [0169.167] lstrcmpiW (lpString1="Sample Videos", lpString2="System Volume Information") returned -1 [0169.167] lstrcmpiW (lpString1="Sample Videos", lpString2=".") returned 1 [0169.167] lstrcmpiW (lpString1="Sample Videos", lpString2="..") returned 1 [0169.167] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos") returned 40 [0169.167] GetProcessHeap () returned 0x4c0000 [0169.167] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x10000) returned 0x3b00048 [0169.168] lstrcpyW (in: lpString1=0x3b00048, lpString2="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos" | out: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos") returned="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos" [0169.168] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\*") returned="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\*" [0169.168] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\*", lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x802f4656, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName=".", cAlternateFileName="")) returned 0x3bb70a0 [0169.169] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0169.169] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0169.169] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0169.169] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0169.169] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0169.169] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0169.169] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x802f4656, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="..", cAlternateFileName="")) returned 1 [0169.169] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0169.169] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0169.169] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0169.169] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0169.169] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0169.169] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0169.169] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0169.169] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x802f4656, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7be12937, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0169.169] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0169.169] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0169.169] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0169.169] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0169.169] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0169.169] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0169.169] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0169.169] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\desktop.ini") returned 52 [0169.169] lstrcmpW (lpString1="desktop.ini", lpString2="PUSSY.TXT") returned -1 [0169.169] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0169.169] lstrlenW (lpString=".ini") returned 4 [0169.169] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0169.170] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\desktop.ini" (normalized: "c:\\users\\public\\videos\\sample videos\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xec [0169.170] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=326) returned 1 [0169.170] CloseHandle (hObject=0xec) returned 1 [0169.170] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80282235, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bda0516, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7be12937, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x1907b8a, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Wildlife.wmv", cAlternateFileName="")) returned 1 [0169.170] lstrcmpiW (lpString1="Wildlife.wmv", lpString2="Windows") returned -1 [0169.170] lstrcmpiW (lpString1="Wildlife.wmv", lpString2="Program Files") returned 1 [0169.170] lstrcmpiW (lpString1="Wildlife.wmv", lpString2="Program Files (x86)") returned 1 [0169.170] lstrcmpiW (lpString1="Wildlife.wmv", lpString2="$Recycle.bin") returned 1 [0169.171] lstrcmpiW (lpString1="Wildlife.wmv", lpString2="System Volume Information") returned 1 [0169.171] lstrcmpiW (lpString1="Wildlife.wmv", lpString2=".") returned 1 [0169.171] lstrcmpiW (lpString1="Wildlife.wmv", lpString2="..") returned 1 [0169.171] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv") returned 53 [0169.171] lstrcmpW (lpString1="Wildlife.wmv", lpString2="PUSSY.TXT") returned 1 [0169.171] PathFindExtensionW (pszPath="Wildlife.wmv") returned=".wmv" [0169.171] lstrlenW (lpString=".wmv") returned 4 [0169.171] SystemFunction036 (in: RandomBuffer=0x28d344, RandomBufferLength=0x20 | out: RandomBuffer=0x28d344) returned 1 [0169.171] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv" (normalized: "c:\\users\\public\\videos\\sample videos\\wildlife.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xec [0169.171] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x28d338 | out: lpFileSize=0x28d338*=26246026) returned 1 [0169.171] GetProcessHeap () returned 0x4c0000 [0169.171] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28048) returned 0x3c720f8 [0169.181] wsprintfW (in: param_1=0x28d386, param_2="%02X" | out: param_1="4C") returned 2 [0169.181] wsprintfW (in: param_1=0x28d38a, param_2="%02X" | out: param_1="F0") returned 2 [0169.181] wsprintfW (in: param_1=0x28d38e, param_2="%02X" | out: param_1="1F") returned 2 [0169.181] wsprintfW (in: param_1=0x28d392, param_2="%02X" | out: param_1="7C") returned 2 [0169.181] wsprintfW (in: param_1=0x28d396, param_2="%02X" | out: param_1="03") returned 2 [0169.181] wsprintfW (in: param_1=0x28d39a, param_2="%02X" | out: param_1="02") returned 2 [0169.181] wsprintfW (in: param_1=0x28d39e, param_2="%02X" | out: param_1="74") returned 2 [0169.181] wsprintfW (in: param_1=0x28d3a2, param_2="%02X" | out: param_1="2D") returned 2 [0169.181] wsprintfW (in: param_1=0x28d3a6, param_2="%02X" | out: param_1="F0") returned 2 [0169.181] wsprintfW (in: param_1=0x28d3aa, param_2="%02X" | out: param_1="0B") returned 2 [0169.181] wsprintfW (in: param_1=0x28d3ae, param_2="%02X" | out: param_1="48") returned 2 [0169.181] wsprintfW (in: param_1=0x28d3b2, param_2="%02X" | out: param_1="48") returned 2 [0169.181] wsprintfW (in: param_1=0x28d3b6, param_2="%02X" | out: param_1="8C") returned 2 [0169.181] wsprintfW (in: param_1=0x28d3ba, param_2="%02X" | out: param_1="85") returned 2 [0169.181] wsprintfW (in: param_1=0x28d3be, param_2="%02X" | out: param_1="F9") returned 2 [0169.181] wsprintfW (in: param_1=0x28d3c2, param_2="%02X" | out: param_1="BC") returned 2 [0169.181] wsprintfW (in: param_1=0x28d3c6, param_2="%02X" | out: param_1="BC") returned 2 [0169.181] wsprintfW (in: param_1=0x28d3ca, param_2="%02X" | out: param_1="CD") returned 2 [0169.182] wsprintfW (in: param_1=0x28d3ce, param_2="%02X" | out: param_1="E2") returned 2 [0169.182] wsprintfW (in: param_1=0x28d3d2, param_2="%02X" | out: param_1="F0") returned 2 [0169.182] wsprintfW (in: param_1=0x28d3d6, param_2="%02X" | out: param_1="82") returned 2 [0169.182] wsprintfW (in: param_1=0x28d3da, param_2="%02X" | out: param_1="79") returned 2 [0169.182] wsprintfW (in: param_1=0x28d3de, param_2="%02X" | out: param_1="39") returned 2 [0169.182] wsprintfW (in: param_1=0x28d3e2, param_2="%02X" | out: param_1="CE") returned 2 [0169.182] wsprintfW (in: param_1=0x28d3e6, param_2="%02X" | out: param_1="6E") returned 2 [0169.182] wsprintfW (in: param_1=0x28d3ea, param_2="%02X" | out: param_1="8C") returned 2 [0169.182] wsprintfW (in: param_1=0x28d3ee, param_2="%02X" | out: param_1="08") returned 2 [0169.182] wsprintfW (in: param_1=0x28d3f2, param_2="%02X" | out: param_1="26") returned 2 [0169.182] wsprintfW (in: param_1=0x28d3f6, param_2="%02X" | out: param_1="80") returned 2 [0169.182] wsprintfW (in: param_1=0x28d3fa, param_2="%02X" | out: param_1="89") returned 2 [0169.182] wsprintfW (in: param_1=0x28d3fe, param_2="%02X" | out: param_1="17") returned 2 [0169.182] wsprintfW (in: param_1=0x28d402, param_2="%02X" | out: param_1="1A") returned 2 [0169.191] lstrcpyW (in: lpString1=0x3c8212c, lpString2="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv" | out: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv") returned="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv" [0169.191] lstrcpyW (in: lpString1=0x3c7212c, lpString2="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv" | out: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv") returned="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv" [0169.191] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv", lpString2=".4CF01F7C0302742DF00B48488C85F9BCBCCDE2F0827939CE6E8C08268089171A" | out: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv.4CF01F7C0302742DF00B48488C85F9BCBCCDE2F0827939CE6E8C08268089171A") returned="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv.4CF01F7C0302742DF00B48488C85F9BCBCCDE2F0827939CE6E8C08268089171A" [0169.191] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x94, CompletionKey=0x3c720f8, NumberOfConcurrentThreads=0x0) returned 0x94 [0169.191] PostQueuedCompletionStatus (CompletionPort=0x94, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3c720f8, lpOverlapped=0x3c720f8) returned 1 [0169.191] FindNextFileW (in: hFindFile=0x3bb70a0, lpFindFileData=0x28d458 | out: lpFindFileData=0x28d458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80282235, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bda0516, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7be12937, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x1907b8a, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Wildlife.wmv", cAlternateFileName="")) returned 0 [0169.191] FindClose (in: hFindFile=0x3bb70a0 | out: hFindFile=0x3bb70a0) returned 1 [0169.192] wnsprintfW (in: pszDest=0x3b00048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\PUSSY.TXT") returned 50 [0169.192] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\PUSSY.TXT" (normalized: "c:\\users\\public\\videos\\sample videos\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0169.227] lstrlenA (lpString="abcd") returned 4 [0169.227] WriteFile (in: hFile=0x19c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28d6ac, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28d6ac*=0x4, lpOverlapped=0x0) returned 1 [0169.228] CloseHandle (hObject=0x19c) returned 1 [0169.228] GetProcessHeap () returned 0x4c0000 [0169.228] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0169.228] FindNextFileW (in: hFindFile=0x3bb7060, lpFindFileData=0x28dbf8 | out: lpFindFileData=0x28dbf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x802f4656, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x77c5f9e2, cFileName="Sample Videos", cAlternateFileName="SAMPLE~1")) returned 0 [0169.229] FindClose (in: hFindFile=0x3bb7060 | out: hFindFile=0x3bb7060) returned 1 [0169.229] wnsprintfW (in: pszDest=0x5a6bd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Videos\\PUSSY.TXT") returned 36 [0169.229] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\PUSSY.TXT" (normalized: "c:\\users\\public\\videos\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0169.229] lstrlenA (lpString="abcd") returned 4 [0169.229] WriteFile (in: hFile=0x1d8, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28de4c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28de4c*=0x4, lpOverlapped=0x0) returned 1 [0169.230] CloseHandle (hObject=0x1d8) returned 1 [0169.230] GetProcessHeap () returned 0x4c0000 [0169.230] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x5a6bd8 | out: hHeap=0x4c0000) returned 1 [0169.234] FindNextFileW (in: hFindFile=0x3bb7020, lpFindFileData=0x28e398 | out: lpFindFileData=0x28e398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28886f39, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5, dwReserved1=0x77c5f9e2, cFileName="Videos", cAlternateFileName="")) returned 0 [0169.234] FindClose (in: hFindFile=0x3bb7020 | out: hFindFile=0x3bb7020) returned 1 [0169.234] wnsprintfW (in: pszDest=0x3dd9008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\PUSSY.TXT") returned 29 [0169.234] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\PUSSY.TXT" (normalized: "c:\\users\\public\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0169.235] lstrlenA (lpString="abcd") returned 4 [0169.235] WriteFile (in: hFile=0x1a4, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28e5ec, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28e5ec*=0x4, lpOverlapped=0x0) returned 1 [0169.236] CloseHandle (hObject=0x1a4) returned 1 [0169.236] GetProcessHeap () returned 0x4c0000 [0169.236] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3dd9008 | out: hHeap=0x4c0000) returned 1 [0169.236] FindNextFileW (in: hFindFile=0x4e22d0, lpFindFileData=0x28eb38 | out: lpFindFileData=0x28eb38*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x917fa2ee, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xc0100080, cFileName="Public", cAlternateFileName="")) returned 0 [0169.236] FindClose (in: hFindFile=0x4e22d0 | out: hFindFile=0x4e22d0) returned 1 [0169.236] wnsprintfW (in: pszDest=0x3bb80d8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\PUSSY.TXT") returned 22 [0169.236] CreateFileW (lpFileName="\\\\?\\C:\\Users\\PUSSY.TXT" (normalized: "c:\\users\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0169.237] lstrlenA (lpString="abcd") returned 4 [0169.237] WriteFile (in: hFile=0x160, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28ed8c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28ed8c*=0x4, lpOverlapped=0x0) returned 1 [0169.238] CloseHandle (hObject=0x160) returned 1 [0169.239] GetProcessHeap () returned 0x4c0000 [0169.239] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bb80d8 | out: hHeap=0x4c0000) returned 1 [0169.240] FindNextFileW (in: hFindFile=0x4d5718, lpFindFileData=0x28f2d8 | out: lpFindFileData=0x28f2d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2fb4a840, ftLastAccessTime.dwHighDateTime=0x1d4d57d, ftLastWriteTime.dwLowDateTime=0x2fb4a840, ftLastWriteTime.dwHighDateTime=0x1d4d57d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0169.240] lstrcmpiW (lpString1="Windows", lpString2="Windows") returned 0 [0169.240] FindNextFileW (in: hFindFile=0x4d5718, lpFindFileData=0x28f2d8 | out: lpFindFileData=0x28f2d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2fb4a840, ftLastAccessTime.dwHighDateTime=0x1d4d57d, ftLastWriteTime.dwLowDateTime=0x2fb4a840, ftLastWriteTime.dwHighDateTime=0x1d4d57d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0 [0169.240] FindClose (in: hFindFile=0x4d5718 | out: hFindFile=0x4d5718) returned 1 [0169.240] wnsprintfW (in: pszDest=0x4f2a80, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\PUSSY.TXT") returned 16 [0169.240] CreateFileW (lpFileName="\\\\?\\C:\\PUSSY.TXT" (normalized: "c:\\pussy.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x15c [0169.241] lstrlenA (lpString="abcd") returned 4 [0169.241] WriteFile (in: hFile=0x15c, lpBuffer=0x4760f6*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x28f52c, lpOverlapped=0x0 | out: lpBuffer=0x4760f6*, lpNumberOfBytesWritten=0x28f52c*=0x4, lpOverlapped=0x0) returned 1 [0169.241] CloseHandle (hObject=0x15c) returned 1 [0169.242] GetProcessHeap () returned 0x4c0000 [0169.242] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x4f2a80 | out: hHeap=0x4c0000) returned 1 [0169.245] GetProcessHeap () returned 0x4c0000 [0169.245] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x4e2a78 | out: hHeap=0x4c0000) returned 1 [0169.245] CoCreateInstance (in: rclsid=0x4765f0*(Data1=0x674b6698, Data2=0xee92, Data3=0x11d0, Data4=([0]=0xad, [1]=0x71, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xd8, [6]=0xfd, [7]=0xff)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x476940*(Data1=0x44aca674, Data2=0xe8fc, Data3=0x11d0, Data4=([0]=0xa0, [1]=0x7c, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0x88, [7]=0x20)), ppv=0x28f614 | out: ppv=0x28f614*=0x0) returned 0x800401f0 [0169.246] Sleep (dwMilliseconds=0xffffffff) Thread: id = 2 os_tid = 0x23c [0061.326] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0081.991] CloseHandle (hObject=0x170) returned 1 [0085.700] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.E75FD0809E4A259A98EEE004CA75987035CF6EAED53121BDCC91CCAB3020BE69" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab.e75fd0809e4a259a98eee004ca75987035cf6eaed53121bdcc91ccab3020be69")) returned 1 [0085.702] GetProcessHeap () returned 0x4c0000 [0085.702] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b28098 | out: hHeap=0x4c0000) returned 1 [0085.702] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0096.404] WriteFile (in: hFile=0x190, lpBuffer=0x3be820c, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc81d8 | out: lpBuffer=0x3be820c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc81d8) returned 0x0 [0096.405] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0096.451] CloseHandle (hObject=0x190) returned 1 [0096.453] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.E961908DDB4CC79756367E715D6EA9A6AEEDC1EF2325845939FB189808C24D5C" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml.e961908ddb4cc79756367e715d6ea9a6aeedc1ef2325845939fb189808c24d5c")) returned 1 [0096.453] GetProcessHeap () returned 0x4c0000 [0096.453] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc81d8 | out: hHeap=0x4c0000) returned 1 [0096.454] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0096.568] CloseHandle (hObject=0x174) returned 1 [0096.570] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.41B903B505E262C8C14FAF292A5A514CF1A207C5A9F99A502B8ED4D357F6B360" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab.41b903b505e262c8c14faf292a5a514cf1a207c5a9f99a502b8ed4d357f6b360")) returned 1 [0096.571] GetProcessHeap () returned 0x4c0000 [0096.571] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0096.571] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0096.747] WriteFile (in: hFile=0x194, lpBuffer=0x3c7011c*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c500e8 | out: lpBuffer=0x3c7011c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c500e8) returned 1 [0096.749] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0096.890] ReadFile (in: hFile=0x174, lpBuffer=0x3cc01bc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ca0188 | out: lpBuffer=0x3cc01bc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ca0188) returned 1 [0096.891] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0097.363] ReadFile (in: hFile=0x198, lpBuffer=0x3b2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b00048 | out: lpBuffer=0x3b2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b00048) returned 1 [0097.363] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0097.440] WriteFile (in: hFile=0x198, lpBuffer=0x3b2007c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b00048 | out: lpBuffer=0x3b2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b00048) returned 0x0 [0097.441] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0097.459] CloseHandle (hObject=0x1a0) returned 1 [0097.460] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.B56BBFC70D387203B6CE73F10E54ABA12DCE519CE086856FE7B444797AAA3C46" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.b56bbfc70d387203b6ce73f10e54aba12dce519ce086856fe7b444797aaa3c46")) returned 1 [0097.461] GetProcessHeap () returned 0x4c0000 [0097.461] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x54aae8 | out: hHeap=0x4c0000) returned 1 [0097.461] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0097.464] CloseHandle (hObject=0x174) returned 1 [0097.466] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE.6513B0881F03DC949076684E8632B0E87F5CE2A81BFA5284BA786D1A97550C12" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe.6513b0881f03dc949076684e8632b0e87f5ce2a81bfa5284ba786d1a97550c12")) returned 1 [0097.466] GetProcessHeap () returned 0x4c0000 [0097.466] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0097.466] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0097.468] CloseHandle (hObject=0x170) returned 1 [0097.469] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll.51E394BBDB67E837C562602CCE412B8C2185C849F5B5A473740EA3DFF39F6422" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll.51e394bbdb67e837c562602cce412b8c2185c849f5b5a473740ea3dff39f6422")) returned 1 [0097.470] GetProcessHeap () returned 0x4c0000 [0097.470] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x572b38 | out: hHeap=0x4c0000) returned 1 [0097.470] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0097.472] ReadFile (in: hFile=0x194, lpBuffer=0x3b7011c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b500e8 | out: lpBuffer=0x3b7011c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b500e8) returned 1 [0097.472] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0097.508] WriteFile (in: hFile=0x194, lpBuffer=0x3b7011c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b500e8 | out: lpBuffer=0x3b7011c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b500e8) returned 0x0 [0097.509] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0097.529] ReadFile (in: hFile=0x170, lpBuffer=0x3b480cc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b28098 | out: lpBuffer=0x3b480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b28098) returned 1 [0097.530] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0097.566] WriteFile (in: hFile=0x170, lpBuffer=0x3b480cc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b28098 | out: lpBuffer=0x3b480cc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b28098) returned 0x0 [0097.568] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0097.593] ReadFile (in: hFile=0x174, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0097.593] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0097.624] WriteFile (in: hFile=0x174, lpBuffer=0x3c2007c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 0x0 [0097.625] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0097.658] ReadFile (in: hFile=0x1a0, lpBuffer=0x56ab1c, nNumberOfBytesToRead=0x1400, lpNumberOfBytesRead=0x0, lpOverlapped=0x54aae8 | out: lpBuffer=0x56ab1c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x54aae8) returned 1 [0097.658] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0097.687] WriteFile (in: hFile=0x1a0, lpBuffer=0x56ab1c, nNumberOfBytesToWrite=0x1400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54aae8 | out: lpBuffer=0x56ab1c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54aae8) returned 0x0 [0097.688] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0097.698] CloseHandle (hObject=0x1a0) returned 1 [0097.699] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.4960AE314AAF508A3FD0058AA0786ADF71713A34ECF8AC93318C451B02EE1534" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml.4960ae314aaf508a3fd0058aa0786adf71713a34ecf8ac93318c451b02ee1534")) returned 1 [0097.701] GetProcessHeap () returned 0x4c0000 [0097.702] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x54aae8 | out: hHeap=0x4c0000) returned 1 [0097.702] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0098.544] CloseHandle (hObject=0x19c) returned 1 [0098.545] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.9567D9A3DB1C6DA310BA9887DB6C0D09156892E7E45BA41750826088C6E82C66" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml.9567d9a3db1c6da310ba9887db6c0d09156892e7e45ba41750826088c6e82c66")) returned 1 [0098.546] GetProcessHeap () returned 0x4c0000 [0098.546] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b500e8 | out: hHeap=0x4c0000) returned 1 [0098.548] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0098.642] WriteFile (in: hFile=0x188, lpBuffer=0x3bc01bc, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ba0188 | out: lpBuffer=0x3bc01bc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ba0188) returned 0x0 [0098.643] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0098.663] ReadFile (in: hFile=0x180, lpBuffer=0x3c480cc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098) returned 1 [0098.664] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0098.692] WriteFile (in: hFile=0x180, lpBuffer=0x3c480cc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098) returned 0x0 [0098.694] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0098.732] ReadFile (in: hFile=0x188, lpBuffer=0x3c7011c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c500e8 | out: lpBuffer=0x3c7011c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c500e8) returned 1 [0098.732] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0098.760] WriteFile (in: hFile=0x188, lpBuffer=0x3c7011c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c500e8 | out: lpBuffer=0x3c7011c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c500e8) returned 0x0 [0098.763] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0098.767] CloseHandle (hObject=0x194) returned 1 [0098.769] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.B51CB106334115D1009D11DAEF8C54B1BF4AB42E2C7A45F47518970D5DABCD68" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi.b51cb106334115d1009d11daef8c54b1bf4ab42e2c7a45f47518970d5dabcd68")) returned 1 [0098.769] GetProcessHeap () returned 0x4c0000 [0098.769] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0098.771] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0098.773] CloseHandle (hObject=0x170) returned 1 [0098.774] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.A8D71D1EC79EC4FFDF1E640628E7C1B848D1FA9B5C010C957C7B3CE78B173B3F" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml.a8d71d1ec79ec4ffdf1e640628e7c1b848d1fa9b5c010c957c7b3ce78b173b3f")) returned 1 [0098.775] GetProcessHeap () returned 0x4c0000 [0098.775] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x54aae8 | out: hHeap=0x4c0000) returned 1 [0098.775] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0098.776] CloseHandle (hObject=0x184) returned 1 [0098.778] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.E49DCA29A8EA35B506AF649F1DC96F44375B3DCDA5270E1BADD27ED752C5B320" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab.e49dca29a8ea35b506af649f1dc96f44375b3dcda5270e1badd27ed752c5b320")) returned 1 [0098.778] GetProcessHeap () returned 0x4c0000 [0098.778] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x572b38 | out: hHeap=0x4c0000) returned 1 [0098.779] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0098.782] CloseHandle (hObject=0x1a4) returned 1 [0098.783] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.1C076FF3C8AB9BF077376F08D2FF6BDC7283B32822C3DBECC5B66E3CFBC5DF58" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.1c076ff3c8ab9bf077376f08d2ff6bdc7283b32822c3dbecc5b66e3cfbc5df58")) returned 1 [0098.787] GetProcessHeap () returned 0x4c0000 [0098.787] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0098.791] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0098.809] CloseHandle (hObject=0x198) returned 1 [0098.812] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.44063DDEA511DBAFA1804B13BD4A40BAD4EA2C08DA2C42F59DCD2133D92EE600" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi.44063ddea511dbafa1804b13bd4a40bad4ea2c08da2c42f59dcd2133d92ee600")) returned 1 [0098.813] GetProcessHeap () returned 0x4c0000 [0098.813] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b28098 | out: hHeap=0x4c0000) returned 1 [0098.813] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0098.815] CloseHandle (hObject=0x1a0) returned 1 [0098.825] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.6BFFB85D401CBC72F020FEA170FD8C9FB87C47183B1D04EE8964353918BC4648" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml.6bffb85d401cbc72f020fea170fd8c9fb87c47183b1d04ee8964353918bc4648")) returned 1 [0098.825] GetProcessHeap () returned 0x4c0000 [0098.825] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b78138 | out: hHeap=0x4c0000) returned 1 [0098.831] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0098.853] ReadFile (in: hFile=0x18c, lpBuffer=0x3c9816c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c78138 | out: lpBuffer=0x3c9816c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c78138) returned 1 [0098.853] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0098.895] WriteFile (in: hFile=0x18c, lpBuffer=0x3c9816c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c78138 | out: lpBuffer=0x3c9816c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c78138) returned 0x0 [0098.897] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0098.926] ReadFile (in: hFile=0x180, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0098.926] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0098.975] WriteFile (in: hFile=0x180, lpBuffer=0x3c2007c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 0x0 [0098.976] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0098.998] ReadFile (in: hFile=0x19c, lpBuffer=0x3c480cc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098) returned 1 [0098.999] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0099.040] WriteFile (in: hFile=0x19c, lpBuffer=0x3c480cc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098) returned 0x0 [0099.041] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0099.089] CloseHandle (hObject=0x188) returned 1 [0099.091] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.DF4734819A99C65945949A680413A4EC13CE67F11ECA78756C3737B8853A474D" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll.df4734819a99c65945949a680413a4ec13ce67f11eca78756c3737b8853a474d")) returned 1 [0099.093] GetProcessHeap () returned 0x4c0000 [0099.093] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c500e8 | out: hHeap=0x4c0000) returned 1 [0099.093] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0099.096] CloseHandle (hObject=0x18c) returned 1 [0099.098] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.1F069302F1124CFD86814AA0A0648117E6D716ED4878BE1946699751BD274E6C" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab.1f069302f1124cfd86814aa0a0648117e6d716ed4878be1946699751bd274e6c")) returned 1 [0099.099] GetProcessHeap () returned 0x4c0000 [0099.099] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c78138 | out: hHeap=0x4c0000) returned 1 [0099.099] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0099.101] CloseHandle (hObject=0x180) returned 1 [0099.103] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll.1C6FE3CD1A394FAC3401D260C9CFF971CE6F2166F4856435D4AC144A53C13E47" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll.1c6fe3cd1a394fac3401d260c9cff971ce6f2166f4856435d4ac144a53c13e47")) returned 1 [0099.104] GetProcessHeap () returned 0x4c0000 [0099.104] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0099.104] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0099.112] ReadFile (in: hFile=0x1a0, lpBuffer=0x56ab1c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x54aae8 | out: lpBuffer=0x56ab1c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x54aae8) returned 1 [0099.112] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0099.156] WriteFile (in: hFile=0x1a0, lpBuffer=0x56ab1c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54aae8 | out: lpBuffer=0x56ab1c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54aae8) returned 0x0 [0099.158] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0099.188] ReadFile (in: hFile=0x180, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0099.189] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0099.210] WriteFile (in: hFile=0x180, lpBuffer=0x3c2007c, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 0x0 [0099.211] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0099.241] ReadFile (in: hFile=0x18c, lpBuffer=0x592b6c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x572b38 | out: lpBuffer=0x592b6c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x572b38) returned 1 [0099.242] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0099.284] WriteFile (in: hFile=0x18c, lpBuffer=0x592b6c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x572b38 | out: lpBuffer=0x592b6c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x572b38) returned 0x0 [0099.286] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0099.323] ReadFile (in: hFile=0x188, lpBuffer=0x3c7011c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c500e8 | out: lpBuffer=0x3c7011c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c500e8) returned 1 [0099.323] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0099.364] WriteFile (in: hFile=0x188, lpBuffer=0x3c7011c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c500e8 | out: lpBuffer=0x3c7011c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c500e8) returned 0x0 [0099.365] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0099.367] CloseHandle (hObject=0x19c) returned 1 [0099.369] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.AD0C5FF420ACAA7F05BE0ACC44C97B7F5A904B3F6BDAEE64F93BA37CD069D750" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.ad0c5ff420acaa7f05be0acc44c97b7f5a904b3f6bdaee64f93ba37cd069d750")) returned 1 [0099.370] GetProcessHeap () returned 0x4c0000 [0099.370] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0099.372] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0099.385] CloseHandle (hObject=0x1a0) returned 1 [0099.387] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.1A061BB06769C76298769D4D9E9A5DB06DC094BA38C224364254EBD14F8D9072" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi.1a061bb06769c76298769d4d9e9a5db06dc094ba38c224364254ebd14f8d9072")) returned 1 [0099.389] GetProcessHeap () returned 0x4c0000 [0099.389] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x54aae8 | out: hHeap=0x4c0000) returned 1 [0099.389] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0099.417] ReadFile (in: hFile=0x198, lpBuffer=0x3c9816c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c78138 | out: lpBuffer=0x3c9816c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c78138) returned 1 [0099.418] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0099.461] WriteFile (in: hFile=0x198, lpBuffer=0x3c9816c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c78138 | out: lpBuffer=0x3c9816c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c78138) returned 0x0 [0099.462] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0099.490] ReadFile (in: hFile=0x1a0, lpBuffer=0x56ab1c, nNumberOfBytesToRead=0x7800, lpNumberOfBytesRead=0x0, lpOverlapped=0x54aae8 | out: lpBuffer=0x56ab1c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x54aae8) returned 1 [0099.491] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0099.530] WriteFile (in: hFile=0x1a0, lpBuffer=0x56ab1c*, nNumberOfBytesToWrite=0x7800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54aae8 | out: lpBuffer=0x56ab1c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54aae8) returned 1 [0099.531] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0099.532] CloseHandle (hObject=0x1a0) returned 1 [0099.533] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.3E4E45FFDD04F41D3BFE2BD1C01B46F1FC43ED69F621A8E6B391EB5DA0D2395B" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml.3e4e45ffdd04f41d3bfe2bd1c01b46f1fc43ed69f621a8e6b391eb5da0d2395b")) returned 1 [0099.534] GetProcessHeap () returned 0x4c0000 [0099.534] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x54aae8 | out: hHeap=0x4c0000) returned 1 [0099.534] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0099.588] ReadFile (in: hFile=0x174, lpBuffer=0x56ab1c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x54aae8 | out: lpBuffer=0x56ab1c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x54aae8) returned 1 [0099.589] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0099.632] WriteFile (in: hFile=0x174, lpBuffer=0x56ab1c*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54aae8 | out: lpBuffer=0x56ab1c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54aae8) returned 1 [0099.636] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0099.638] CloseHandle (hObject=0x174) returned 1 [0099.640] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.ABB3169276CFE3BC4CA3BF74976A86528EB16C0DB3FA6199E8C3E2A4B70FBD0C" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi.abb3169276cfe3bc4ca3bf74976a86528eb16c0db3fa6199e8c3e2a4b70fbd0c")) returned 1 [0099.641] GetProcessHeap () returned 0x4c0000 [0099.641] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x54aae8 | out: hHeap=0x4c0000) returned 1 [0099.641] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0099.927] WriteFile (in: hFile=0x19c, lpBuffer=0x3c2007c*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 1 [0099.929] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0099.932] CloseHandle (hObject=0x19c) returned 1 [0099.935] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll.B6FC1B4919B79F448659164E2540306E39C274730733DDF9EDA73AF93487D33E" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll.b6fc1b4919b79f448659164e2540306e39c274730733ddf9eda73af93487d33e")) returned 1 [0099.936] GetProcessHeap () returned 0x4c0000 [0099.936] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0099.940] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0099.955] ReadFile (in: hFile=0x18c, lpBuffer=0x56ab1c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x54aae8 | out: lpBuffer=0x56ab1c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x54aae8) returned 1 [0099.956] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0099.997] WriteFile (in: hFile=0x18c, lpBuffer=0x56ab1c*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54aae8 | out: lpBuffer=0x56ab1c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54aae8) returned 1 [0100.015] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0100.017] CloseHandle (hObject=0x18c) returned 1 [0100.018] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll.72CE08B09381C9C2ACA6AF838686B5B265E9CA640ACFB2BF629505315AB1703A" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll.72ce08b09381c9c2aca6af838686b5b265e9ca640acfb2bf629505315ab1703a")) returned 1 [0100.019] GetProcessHeap () returned 0x4c0000 [0100.019] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x54aae8 | out: hHeap=0x4c0000) returned 1 [0100.019] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0100.048] ReadFile (in: hFile=0x18c, lpBuffer=0x56ab1c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x54aae8 | out: lpBuffer=0x56ab1c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x54aae8) returned 1 [0100.048] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0100.091] WriteFile (in: hFile=0x18c, lpBuffer=0x56ab1c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54aae8 | out: lpBuffer=0x56ab1c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54aae8) returned 0x0 [0100.092] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0100.094] CloseHandle (hObject=0x18c) returned 1 [0100.095] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.0B6CDD2808DA5412C550A1C4B8757C0BA6D42C68C4F6E9C41C2C0C898D372F27" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.0b6cdd2808da5412c550a1c4b8757c0ba6d42c68c4f6e9c41c2c0c898d372f27")) returned 1 [0100.096] GetProcessHeap () returned 0x4c0000 [0100.096] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x54aae8 | out: hHeap=0x4c0000) returned 1 [0100.096] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0100.124] ReadFile (in: hFile=0x19c, lpBuffer=0x592b6c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x572b38 | out: lpBuffer=0x592b6c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x572b38) returned 1 [0100.124] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0100.167] WriteFile (in: hFile=0x19c, lpBuffer=0x592b6c*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x572b38 | out: lpBuffer=0x592b6c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x572b38) returned 1 [0100.169] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0100.170] CloseHandle (hObject=0x19c) returned 1 [0100.171] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi.34B27FA8C129BCCA6E2FB6FF9B7405CC296F3B3ECCA4F0C695C3F79DAE639B3F" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi.34b27fa8c129bcca6e2fb6ff9b7405cc296f3b3ecca4f0c695c3f79dae639b3f")) returned 1 [0100.172] GetProcessHeap () returned 0x4c0000 [0100.172] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x572b38 | out: hHeap=0x4c0000) returned 1 [0100.172] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0100.199] ReadFile (in: hFile=0x18c, lpBuffer=0x56ab1c, nNumberOfBytesToRead=0x1800, lpNumberOfBytesRead=0x0, lpOverlapped=0x54aae8 | out: lpBuffer=0x56ab1c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x54aae8) returned 1 [0100.200] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0100.208] WriteFile (in: hFile=0x18c, lpBuffer=0x56ab1c, nNumberOfBytesToWrite=0x1800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54aae8 | out: lpBuffer=0x56ab1c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54aae8) returned 0x0 [0100.209] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0100.228] CloseHandle (hObject=0x18c) returned 1 [0100.229] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.072E88E29F589C714F0B7E624122753A0C71F684B3AD286A84784882708F0451" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml.072e88e29f589c714f0b7e624122753a0c71f684b3ad286a84784882708f0451")) returned 1 [0100.230] GetProcessHeap () returned 0x4c0000 [0100.230] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x54aae8 | out: hHeap=0x4c0000) returned 1 [0100.230] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0100.239] ReadFile (in: hFile=0x19c, lpBuffer=0x592b6c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x572b38 | out: lpBuffer=0x592b6c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x572b38) returned 1 [0100.239] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0100.269] WriteFile (in: hFile=0x19c, lpBuffer=0x592b6c*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x572b38 | out: lpBuffer=0x592b6c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x572b38) returned 1 [0100.271] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0100.273] CloseHandle (hObject=0x19c) returned 1 [0100.274] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab.868DA7DF91B8CBF98F5148579A06D3CA5BE19DAD7527C653033CF2176D13DC28" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab.868da7df91b8cbf98f5148579a06d3ca5be19dad7527c653033cf2176d13dc28")) returned 1 [0100.274] GetProcessHeap () returned 0x4c0000 [0100.274] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x572b38 | out: hHeap=0x4c0000) returned 1 [0100.274] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0100.293] ReadFile (in: hFile=0x18c, lpBuffer=0x56ab1c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x54aae8 | out: lpBuffer=0x56ab1c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x54aae8) returned 1 [0100.293] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0100.322] WriteFile (in: hFile=0x18c, lpBuffer=0x56ab1c*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54aae8 | out: lpBuffer=0x56ab1c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54aae8) returned 1 [0100.326] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0100.326] CloseHandle (hObject=0x18c) returned 1 [0100.328] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe.EB27D31FD085AD7C3BC8D638BF8E4FDF266E8A4B7152CD2C703093302A068533" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe.eb27d31fd085ad7c3bc8d638bf8e4fdf266e8a4b7152cd2c703093302a068533")) returned 1 [0100.329] GetProcessHeap () returned 0x4c0000 [0100.329] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x54aae8 | out: hHeap=0x4c0000) returned 1 [0100.329] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0100.360] ReadFile (in: hFile=0x18c, lpBuffer=0x56ab1c, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x54aae8 | out: lpBuffer=0x56ab1c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x54aae8) returned 1 [0100.360] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0100.385] WriteFile (in: hFile=0x18c, lpBuffer=0x56ab1c*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54aae8 | out: lpBuffer=0x56ab1c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54aae8) returned 1 [0100.408] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0100.409] CloseHandle (hObject=0x18c) returned 1 [0100.409] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.2182B9CFB4638F7051E79AEC311D46D3AF296DBFEB5BDC6C1F55CC7090EE1B1B" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml.2182b9cfb4638f7051e79aec311d46d3af296dbfeb5bdc6c1f55cc7090ee1b1b")) returned 1 [0100.411] GetProcessHeap () returned 0x4c0000 [0100.411] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x54aae8 | out: hHeap=0x4c0000) returned 1 [0100.411] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0100.484] ReadFile (in: hFile=0x18c, lpBuffer=0x56ab1c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x54aae8 | out: lpBuffer=0x56ab1c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x54aae8) returned 1 [0100.485] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0100.542] WriteFile (in: hFile=0x19c, lpBuffer=0x592b6c*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x572b38 | out: lpBuffer=0x592b6c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x572b38) returned 1 [0100.543] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0100.543] CloseHandle (hObject=0x19c) returned 1 [0100.544] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.CE6E44C337BC1098316D4B753B77B0E376F01C1C489C304C8B74223223B7CB6A" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml.ce6e44c337bc1098316d4b753b77b0e376f01c1c489c304c8b74223223b7cb6a")) returned 1 [0100.545] GetProcessHeap () returned 0x4c0000 [0100.545] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x572b38 | out: hHeap=0x4c0000) returned 1 [0100.545] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0100.579] ReadFile (in: hFile=0x19c, lpBuffer=0x592b6c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x572b38 | out: lpBuffer=0x592b6c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x572b38) returned 1 [0100.580] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0100.628] WriteFile (in: hFile=0x19c, lpBuffer=0x592b6c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x572b38 | out: lpBuffer=0x592b6c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x572b38) returned 0x0 [0100.646] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0100.653] ReadFile (in: hFile=0x198, lpBuffer=0x3b2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b00048 | out: lpBuffer=0x3b2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b00048) returned 1 [0100.653] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0100.683] WriteFile (in: hFile=0x198, lpBuffer=0x3b2007c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b00048 | out: lpBuffer=0x3b2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b00048) returned 0x0 [0100.684] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0100.705] ReadFile (in: hFile=0x188, lpBuffer=0x3b480cc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b28098 | out: lpBuffer=0x3b480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b28098) returned 1 [0100.705] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0100.731] ReadFile (in: hFile=0x180, lpBuffer=0x3b7011c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b500e8 | out: lpBuffer=0x3b7011c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b500e8) returned 1 [0100.731] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0100.773] WriteFile (in: hFile=0x180, lpBuffer=0x3b7011c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b500e8 | out: lpBuffer=0x3b7011c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b500e8) returned 0x0 [0100.774] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0100.854] CloseHandle (hObject=0x18c) returned 1 [0100.855] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi.505A3CD615C99F02EC7AD68E8E760790C09C97A1BF0AD7E7530D55DE1BE6F831" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi.505a3cd615c99f02ec7ad68e8e760790c09c97a1bf0ad7e7530d55de1be6f831")) returned 1 [0100.856] GetProcessHeap () returned 0x4c0000 [0100.856] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x54aae8 | out: hHeap=0x4c0000) returned 1 [0100.857] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0100.861] CloseHandle (hObject=0x19c) returned 1 [0100.862] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe.89F57B62A6228860B70955F73A36690348D9773380B138560EF35EED61B88A34" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe.89f57b62a6228860b70955f73a36690348d9773380b138560ef35eed61b88a34")) returned 1 [0100.863] GetProcessHeap () returned 0x4c0000 [0100.863] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x572b38 | out: hHeap=0x4c0000) returned 1 [0100.863] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0100.866] CloseHandle (hObject=0x198) returned 1 [0100.870] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll.1C38EBB324E0B9DA6350698BC9CEB7E3185C6659137042BFD7E5FA0904D28A2B" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll.1c38ebb324e0b9da6350698bc9ceb7e3185c6659137042bfd7e5fa0904d28a2b")) returned 1 [0100.871] GetProcessHeap () returned 0x4c0000 [0100.871] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0100.871] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0100.873] CloseHandle (hObject=0x188) returned 1 [0100.875] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.A4B2511870670D26D457921D3235853A0184920E443BCC0721BC362F9B6D6933" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab.a4b2511870670d26d457921d3235853a0184920e443bcc0721bc362f9b6d6933")) returned 1 [0100.875] GetProcessHeap () returned 0x4c0000 [0100.875] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b28098 | out: hHeap=0x4c0000) returned 1 [0100.875] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0101.016] ReadFile (in: hFile=0x188, lpBuffer=0x56ab1c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x54aae8 | out: lpBuffer=0x56ab1c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x54aae8) returned 1 [0101.016] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0101.061] WriteFile (in: hFile=0x188, lpBuffer=0x56ab1c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54aae8 | out: lpBuffer=0x56ab1c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54aae8) returned 0x0 [0101.063] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0102.702] CloseHandle (hObject=0x16c) returned 1 [0102.703] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll" (normalized: "c:\\programdata\\microsoft\\identitycrl\\ppcrlui.dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll.1665776112408A00AC1187AFE46B6EBDC8FD7FDB3E222A98B0402A6EA76ACE51" (normalized: "c:\\programdata\\microsoft\\identitycrl\\ppcrlui.dll.1665776112408a00ac1187afe46b6ebdc8fd7fdb3e222a98b0402a6ea76ace51")) returned 1 [0102.704] GetProcessHeap () returned 0x4c0000 [0102.704] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0102.704] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0102.742] ReadFile (in: hFile=0x16c, lpBuffer=0x3b580d4, nNumberOfBytesToRead=0x1400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0) returned 1 [0102.742] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0102.751] WriteFile (in: hFile=0x16c, lpBuffer=0x3b580d4*, nNumberOfBytesToWrite=0x1400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0) returned 1 [0102.753] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0102.754] CloseHandle (hObject=0x16c) returned 1 [0102.756] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico" (normalized: "c:\\programdata\\microsoft\\office\\assetlibrary.ico"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico.97469B60AF3BA2EE7DABFBA880E7AFB38B3DE9BEBF8933289091624A77F0F54C" (normalized: "c:\\programdata\\microsoft\\office\\assetlibrary.ico.97469b60af3ba2ee7dabfba880e7afb38b3de9bebf8933289091624a77f0f54c")) returned 1 [0102.757] GetProcessHeap () returned 0x4c0000 [0102.757] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0102.757] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0102.808] ReadFile (in: hFile=0x16c, lpBuffer=0x3b580d4, nNumberOfBytesToRead=0x6200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0) returned 1 [0102.808] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0102.831] WriteFile (in: hFile=0x16c, lpBuffer=0x3b580d4*, nNumberOfBytesToWrite=0x6200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0) returned 1 [0102.833] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0102.834] CloseHandle (hObject=0x16c) returned 1 [0102.835] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico" (normalized: "c:\\programdata\\microsoft\\office\\documentrepository.ico"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico.1C34CB7EE2A2CEE8A5AAA726DDF0C923798D540A454E2F62A5FF372E0475CC3A" (normalized: "c:\\programdata\\microsoft\\office\\documentrepository.ico.1c34cb7ee2a2cee8a5aaa726ddf0c923798d540a454e2f62a5ff372e0475cc3a")) returned 1 [0102.835] GetProcessHeap () returned 0x4c0000 [0102.835] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0102.835] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0102.855] ReadFile (in: hFile=0x18c, lpBuffer=0x3ba8174, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140) returned 1 [0102.855] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0102.887] WriteFile (in: hFile=0x18c, lpBuffer=0x3ba8174, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140) returned 0x0 [0102.888] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0102.913] ReadFile (in: hFile=0x16c, lpBuffer=0x3b580d4, nNumberOfBytesToRead=0x6200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0) returned 1 [0102.913] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0102.936] WriteFile (in: hFile=0x16c, lpBuffer=0x3b580d4*, nNumberOfBytesToWrite=0x6200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0) returned 1 [0102.937] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0102.939] CloseHandle (hObject=0x16c) returned 1 [0102.939] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySite.ico" (normalized: "c:\\programdata\\microsoft\\office\\mysite.ico"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySite.ico.5ABCA1E2693903A11909E4DB1BA7D3A36F9B6AA279E167BEDDA6533B5310032C" (normalized: "c:\\programdata\\microsoft\\office\\mysite.ico.5abca1e2693903a11909e4db1ba7d3a36f9b6aa279e167bedda6533b5310032c")) returned 1 [0102.940] GetProcessHeap () returned 0x4c0000 [0102.940] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0102.940] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0102.944] CloseHandle (hObject=0x194) returned 1 [0102.945] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL" (normalized: "c:\\programdata\\microsoft\\mf\\active.grl"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL.8E53D31B5CB8FBA53E31A3EB7E91DD70C2FD37D9F678A4E44E3B44C8B7923873" (normalized: "c:\\programdata\\microsoft\\mf\\active.grl.8e53d31b5cb8fba53e31a3eb7e91dd70c2fd37d9f678a4e44e3b44c8b7923873")) returned 1 [0102.946] GetProcessHeap () returned 0x4c0000 [0102.946] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0102.946] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0102.948] CloseHandle (hObject=0x174) returned 1 [0102.949] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr0.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat.C9EF2F43E01D8FB1915ED4C4DA46DDA9839DC9452BB7DF15010E9179B6956448" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr0.dat.c9ef2f43e01d8fb1915ed4c4da46dda9839dc9452bb7df15010e9179b6956448")) returned 1 [0102.950] GetProcessHeap () returned 0x4c0000 [0102.950] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc8160 | out: hHeap=0x4c0000) returned 1 [0102.950] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0102.953] CloseHandle (hObject=0x184) returned 1 [0102.955] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr1.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat.E8CF226070660F8810FA215FD1D4F1685F15EA8D5649F3617864F3C368B06F71" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr1.dat.e8cf226070660f8810fa215fd1d4f1685f15ea8d5649f3617864f3c368b06f71")) returned 1 [0102.957] GetProcessHeap () returned 0x4c0000 [0102.957] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0102.957] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0102.977] ReadFile (in: hFile=0x1a4, lpBuffer=0x54ab0c, nNumberOfBytesToRead=0x6200, lpNumberOfBytesRead=0x0, lpOverlapped=0x52aad8 | out: lpBuffer=0x54ab0c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52aad8) returned 1 [0102.977] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0103.029] ReadFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToRead=0x6200, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0103.029] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0103.053] WriteFile (in: hFile=0x184, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x6200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0103.054] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0103.056] CloseHandle (hObject=0x184) returned 1 [0103.057] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointTeamSite.ico" (normalized: "c:\\programdata\\microsoft\\office\\sharepointteamsite.ico"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointTeamSite.ico.3935B437226CAB5291349BCA8A886EDCBFC31CACD5611528BBF5822D1967594D" (normalized: "c:\\programdata\\microsoft\\office\\sharepointteamsite.ico.3935b437226cab5291349bca8a886edcbfc31cacd5611528bbf5822d1967594d")) returned 1 [0103.057] GetProcessHeap () returned 0x4c0000 [0103.057] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0103.057] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0103.063] CloseHandle (hObject=0x18c) returned 1 [0103.065] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico" (normalized: "c:\\programdata\\microsoft\\office\\mysharepoints.ico"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico.55939C724393956734DC13A58851ACE2457463AD225E6630856309F327005356" (normalized: "c:\\programdata\\microsoft\\office\\mysharepoints.ico.55939c724393956734dc13a58851ace2457463ad225e6630856309f327005356")) returned 1 [0103.065] GetProcessHeap () returned 0x4c0000 [0103.065] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b88140 | out: hHeap=0x4c0000) returned 1 [0103.069] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0103.101] ReadFile (in: hFile=0x18c, lpBuffer=0x3be8194, nNumberOfBytesToRead=0x3800, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc8160 | out: lpBuffer=0x3be8194*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc8160) returned 1 [0103.101] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0103.121] WriteFile (in: hFile=0x18c, lpBuffer=0x3be8194*, nNumberOfBytesToWrite=0x3800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc8160 | out: lpBuffer=0x3be8194*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc8160) returned 1 [0103.122] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0103.147] CloseHandle (hObject=0x1a4) returned 1 [0103.149] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointPortalSite.ico" (normalized: "c:\\programdata\\microsoft\\office\\sharepointportalsite.ico"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointPortalSite.ico.F64D90735861F4D18A2B2FC40919870ACF584779C18161D1A4E503E86278DE49" (normalized: "c:\\programdata\\microsoft\\office\\sharepointportalsite.ico.f64d90735861f4d18a2b2fc40919870acf584779c18161d1a4e503e86278de49")) returned 1 [0103.149] GetProcessHeap () returned 0x4c0000 [0103.149] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52aad8 | out: hHeap=0x4c0000) returned 1 [0103.149] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0103.151] CloseHandle (hObject=0x18c) returned 1 [0103.152] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\envelopr.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll.3875663549BEC1A8BC707F7DAF89F2EC5DD418574C7DFDE49D4FE0BB6DE84E79" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\envelopr.dll.trx_dll.3875663549bec1a8bc707f7daf89f2ec5dd418574c7dfde49d4fe0bb6de84e79")) returned 1 [0103.153] GetProcessHeap () returned 0x4c0000 [0103.153] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc8160 | out: hHeap=0x4c0000) returned 1 [0103.153] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0103.161] ReadFile (in: hFile=0x194, lpBuffer=0x574b6c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x554b38 | out: lpBuffer=0x574b6c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x554b38) returned 1 [0103.162] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0103.204] WriteFile (in: hFile=0x194, lpBuffer=0x574b6c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x554b38 | out: lpBuffer=0x574b6c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x554b38) returned 0x0 [0103.207] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0103.233] ReadFile (in: hFile=0x18c, lpBuffer=0x3be8194, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc8160 | out: lpBuffer=0x3be8194*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc8160) returned 1 [0103.233] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0103.276] WriteFile (in: hFile=0x18c, lpBuffer=0x3be8194, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc8160 | out: lpBuffer=0x3be8194, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc8160) returned 0x0 [0103.277] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0103.310] ReadFile (in: hFile=0x1a4, lpBuffer=0x532ac4, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x512a90 | out: lpBuffer=0x532ac4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x512a90) returned 1 [0103.310] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0103.348] ReadFile (in: hFile=0x16c, lpBuffer=0x59cbbc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x57cb88 | out: lpBuffer=0x59cbbc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x57cb88) returned 1 [0103.348] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0103.370] ReadFile (in: hFile=0x1a0, lpBuffer=0x3b580d4, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0) returned 1 [0103.370] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0103.393] ReadFile (in: hFile=0x188, lpBuffer=0x3b80124, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0) returned 1 [0103.393] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0103.429] ReadFile (in: hFile=0x198, lpBuffer=0x3ba8174, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140) returned 1 [0103.429] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0103.663] WriteFile (in: hFile=0x1a4, lpBuffer=0x532ac4, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x512a90 | out: lpBuffer=0x532ac4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x512a90) returned 0x0 [0103.664] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0103.679] CloseHandle (hObject=0x194) returned 1 [0103.682] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\grintl32.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll.51195CD96A68E6F98A3621FFDEC82A4652FC04707FD74ACFAAD454C3F6852D17" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\grintl32.dll.trx_dll.51195cd96a68e6f98a3621ffdec82a4652fc04707fd74acfaad454c3f6852d17")) returned 1 [0103.683] GetProcessHeap () returned 0x4c0000 [0103.683] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x554b38 | out: hHeap=0x4c0000) returned 1 [0103.683] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0103.686] CloseHandle (hObject=0x18c) returned 1 [0103.690] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\grintl32.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll.C3F18BAE5AD696C3D4480734B5A634F969BCE29FEFDEEE36A28E960FECA7115C" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\grintl32.rest.trx_dll.c3f18bae5ad696c3d4480734b5a634f969bce29fefdeee36a28e960feca7115c")) returned 1 [0103.691] GetProcessHeap () returned 0x4c0000 [0103.691] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc8160 | out: hHeap=0x4c0000) returned 1 [0103.695] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0103.695] CloseHandle (hObject=0x1a0) returned 1 [0103.697] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\msointl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll.62896D414C9A0C0FA5A8D174B7C9F4251B79AAB38096ADEC34101D9241A24123" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\msointl.dll.trx_dll.62896d414c9a0c0fa5a8d174b7c9f4251b79aab38096adec34101d9241a24123")) returned 1 [0103.698] GetProcessHeap () returned 0x4c0000 [0103.698] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0103.698] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0103.699] CloseHandle (hObject=0x188) returned 1 [0103.701] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\msointl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll.EE71B3EA2E70B3ED663D23F3AB7C94712A4ADB0B4F4FCDE7C4F185375E86AF35" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\msointl.rest.trx_dll.ee71b3ea2e70b3ed663d23f3ab7c94712a4adb0b4f4fcde7c4f185375e86af35")) returned 1 [0103.702] GetProcessHeap () returned 0x4c0000 [0103.702] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0103.702] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0103.986] CloseHandle (hObject=0x170) returned 1 [0103.988] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\outllibr.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll.45F48CB302ADE93101EA9ED39D4208027A1FD861973057B2943B35FFB01D664C" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\outllibr.rest.trx_dll.45f48cb302ade93101ea9ed39d4208027a1fd861973057b2943b35ffb01d664c")) returned 1 [0103.988] GetProcessHeap () returned 0x4c0000 [0103.988] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc8160 | out: hHeap=0x4c0000) returned 1 [0103.988] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0103.990] ReadFile (in: hFile=0x198, lpBuffer=0x574b6c, nNumberOfBytesToRead=0x2a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x554b38 | out: lpBuffer=0x574b6c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x554b38) returned 1 [0103.991] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0104.004] WriteFile (in: hFile=0x198, lpBuffer=0x574b6c, nNumberOfBytesToWrite=0x2a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x554b38 | out: lpBuffer=0x574b6c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x554b38) returned 0x0 [0104.006] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0104.038] ReadFile (in: hFile=0x170, lpBuffer=0x3be8194, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc8160 | out: lpBuffer=0x3be8194*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc8160) returned 1 [0104.038] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0104.080] WriteFile (in: hFile=0x170, lpBuffer=0x3be8194, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc8160 | out: lpBuffer=0x3be8194, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc8160) returned 0x0 [0104.080] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0104.109] ReadFile (in: hFile=0x16c, lpBuffer=0x59cbbc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x57cb88 | out: lpBuffer=0x59cbbc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x57cb88) returned 1 [0104.109] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0104.151] WriteFile (in: hFile=0x16c, lpBuffer=0x59cbbc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x57cb88 | out: lpBuffer=0x59cbbc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x57cb88) returned 0x0 [0104.152] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0104.192] ReadFile (in: hFile=0x190, lpBuffer=0x532ac4, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x512a90 | out: lpBuffer=0x532ac4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x512a90) returned 1 [0104.192] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0104.233] WriteFile (in: hFile=0x190, lpBuffer=0x532ac4, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x512a90 | out: lpBuffer=0x532ac4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x512a90) returned 0x0 [0104.235] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0104.239] CloseHandle (hObject=0x198) returned 1 [0104.240] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\outlwvw.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll.52FBCA4AABAD8F7B060DCEE474FE1E6895C21B543E803DC7677BA6C50497D44B" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\outlwvw.dll.trx_dll.52fbca4aabad8f7b060dcee474fe1e6895c21b543e803dc7677ba6c50497d44b")) returned 1 [0104.241] GetProcessHeap () returned 0x4c0000 [0104.241] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x554b38 | out: hHeap=0x4c0000) returned 1 [0104.244] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0104.245] CloseHandle (hObject=0x170) returned 1 [0104.247] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\ppintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll.15536CAC8EDB5D3C1EFC119CDA247FDAEAC2C75AF7AEFC908D009A89645D956E" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\ppintl.dll.trx_dll.15536cac8edb5d3c1efc119cda247fdaeac2c75af7aefc908d009a89645d956e")) returned 1 [0104.248] GetProcessHeap () returned 0x4c0000 [0104.248] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc8160 | out: hHeap=0x4c0000) returned 1 [0104.248] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0104.250] CloseHandle (hObject=0x16c) returned 1 [0104.252] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\ppintl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll.52FAB71D9D63584C01E1EB78F547E062A168BB9B3D9C0FE60DBC4B0DCCC9AC72" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\ppintl.rest.trx_dll.52fab71d9d63584c01e1eb78f547e062a168bb9b3d9c0fe60dbc4b0dccc9ac72")) returned 1 [0104.252] GetProcessHeap () returned 0x4c0000 [0104.252] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x57cb88 | out: hHeap=0x4c0000) returned 1 [0104.253] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0104.270] ReadFile (in: hFile=0x1a4, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0104.270] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0104.313] WriteFile (in: hFile=0x1a4, lpBuffer=0x3c2007c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 0x0 [0104.315] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0104.343] ReadFile (in: hFile=0x16c, lpBuffer=0x3be8194, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc8160 | out: lpBuffer=0x3be8194*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc8160) returned 1 [0104.343] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0104.387] WriteFile (in: hFile=0x16c, lpBuffer=0x3be8194, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc8160 | out: lpBuffer=0x3be8194, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc8160) returned 0x0 [0104.389] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0104.437] ReadFile (in: hFile=0x170, lpBuffer=0x3c480cc, nNumberOfBytesToRead=0x3200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098) returned 1 [0104.437] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0104.480] WriteFile (in: hFile=0x170, lpBuffer=0x3c480cc, nNumberOfBytesToWrite=0x3200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098) returned 0x0 [0104.481] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0104.596] ReadFile (in: hFile=0x188, lpBuffer=0x532ac4, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x512a90 | out: lpBuffer=0x532ac4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x512a90) returned 1 [0104.597] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0104.634] WriteFile (in: hFile=0x190, lpBuffer=0x59cbbc, nNumberOfBytesToWrite=0x6800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x57cb88 | out: lpBuffer=0x59cbbc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x57cb88) returned 0x0 [0104.636] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0104.707] CloseHandle (hObject=0x190) returned 1 [0104.710] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\visbrres.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll.FC89A10265746106232DF85C10605477A344DB3EC9BEC9BCB0A352D6077EAD51" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\visbrres.dll.trx_dll.fc89a10265746106232df85c10605477a344db3ec9bec9bcb0a352d6077ead51")) returned 1 [0104.711] GetProcessHeap () returned 0x4c0000 [0104.711] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x57cb88 | out: hHeap=0x4c0000) returned 1 [0104.711] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0104.720] CloseHandle (hObject=0x198) returned 1 [0104.721] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\stintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll.7D1264631E14A1169A6F1FA8CF6F0B043E59742FFECE864F943CA2F6C85E692E" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\stintl.dll.trx_dll.7d1264631e14a1169a6f1fa8cf6f0b043e59742ffece864f943ca2f6c85e692e")) returned 1 [0104.722] GetProcessHeap () returned 0x4c0000 [0104.722] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x554b38 | out: hHeap=0x4c0000) returned 1 [0104.722] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0104.738] ReadFile (in: hFile=0x1a0, lpBuffer=0x3b580d4, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0) returned 1 [0104.738] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0104.796] WriteFile (in: hFile=0x1a0, lpBuffer=0x3b580d4, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0) returned 0x0 [0104.798] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0104.833] ReadFile (in: hFile=0x198, lpBuffer=0x3be8194, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc8160 | out: lpBuffer=0x3be8194*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc8160) returned 1 [0104.833] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0104.878] WriteFile (in: hFile=0x198, lpBuffer=0x3be8194, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc8160 | out: lpBuffer=0x3be8194, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc8160) returned 0x0 [0104.879] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0104.939] ReadFile (in: hFile=0x190, lpBuffer=0x574b6c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x554b38 | out: lpBuffer=0x574b6c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x554b38) returned 1 [0104.939] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0104.988] WriteFile (in: hFile=0x190, lpBuffer=0x574b6c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x554b38 | out: lpBuffer=0x574b6c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x554b38) returned 0x0 [0104.989] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0105.299] WriteFile (in: hFile=0x1a4, lpBuffer=0x3c480cc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098) returned 0x0 [0105.299] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0105.304] ReadFile (in: hFile=0x18c, lpBuffer=0x3b80124, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0) returned 1 [0105.305] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0105.333] ReadFile (in: hFile=0x194, lpBuffer=0x3ba8174, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140) returned 1 [0105.334] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0105.383] WriteFile (in: hFile=0x18c, lpBuffer=0x3b80124, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0) returned 0x0 [0105.384] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0105.497] CloseHandle (hObject=0x170) returned 1 [0105.498] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\xlintl32.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll.35F1923C7D729FE9412F77BF79EFC5E7E8BADB9F517213186541B7D94FA4AC0E" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\xlintl32.rest.trx_dll.35f1923c7d729fe9412f77bf79efc5e7e8badb9f517213186541b7d94fa4ac0e")) returned 1 [0105.499] GetProcessHeap () returned 0x4c0000 [0105.499] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x57cb88 | out: hHeap=0x4c0000) returned 1 [0105.499] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0105.500] CloseHandle (hObject=0x188) returned 1 [0105.502] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\xlslicer.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll.1162F7C175D9F22652FCF6C6E2FB80BF3D31D2813B182F0352AD204DDF8C473E" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\xlslicer.dll.trx_dll.1162f7c175d9f22652fcf6c6e2fb80bf3d31d2813b182f0352ad204ddf8c473e")) returned 1 [0105.502] GetProcessHeap () returned 0x4c0000 [0105.502] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0105.503] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0105.504] CloseHandle (hObject=0x16c) returned 1 [0105.506] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\envelopr.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll.76570790C19949C8F004F4853FFC9E782494298909316E003DD7995AC1149B64" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\envelopr.dll.trx_dll.76570790c19949c8f004f4853ffc9e782494298909316e003dd7995ac1149b64")) returned 1 [0105.507] GetProcessHeap () returned 0x4c0000 [0105.507] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0105.512] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0105.514] CloseHandle (hObject=0x1a4) returned 1 [0105.516] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\grintl32.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll.F11D1198DAD6239B75EFD1C549F07C2EA102A8CBCF780792487982D8A5FFD93C" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\grintl32.dll.trx_dll.f11d1198dad6239b75efd1c549f07c2ea102a8cbcf780792487982d8a5ffd93c")) returned 1 [0105.517] GetProcessHeap () returned 0x4c0000 [0105.517] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0105.518] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0106.016] WriteFile (in: hFile=0x194, lpBuffer=0x3c7011c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c500e8 | out: lpBuffer=0x3c7011c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c500e8) returned 0x0 [0106.017] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0106.092] CloseHandle (hObject=0x1a4) returned 1 [0106.095] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\omsintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll.B24C88AA07F35212776B6668EADE6AEDBC281FFB46C9D4288342BDB804434113" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\omsintl.dll.trx_dll.b24c88aa07f35212776b6668eade6aedbc281ffb46c9d4288342bdb804434113")) returned 1 [0106.097] GetProcessHeap () returned 0x4c0000 [0106.097] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0106.097] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0107.244] CloseHandle (hObject=0x16c) returned 1 [0107.253] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\wwintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll.9EB9A56C2FF2F71F708D50A7B146596DB46BFFF8D0894BAC5A49F9212F2B6112" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\wwintl.dll.trx_dll.9eb9a56c2ff2f71f708d50a7b146596db46bfff8d0894bac5a49f9212f2b6112")) returned 1 [0107.253] GetProcessHeap () returned 0x4c0000 [0107.253] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c500e8 | out: hHeap=0x4c0000) returned 1 [0107.254] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0107.468] CloseHandle (hObject=0x194) returned 1 [0107.527] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\xlslicer.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll.48800B22AA0C455F06408C880834F41A38F68020E1C96E06D1D5CCFD6BE3F531" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\xlslicer.dll.trx_dll.48800b22aa0c455f06408c880834f41a38f68020e1c96e06d1d5ccfd6be3f531")) returned 1 [0107.576] GetProcessHeap () returned 0x4c0000 [0107.576] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x554b38 | out: hHeap=0x4c0000) returned 1 [0107.576] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0107.603] ReadFile (in: hFile=0x1a4, lpBuffer=0x59cbbc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x57cb88 | out: lpBuffer=0x59cbbc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x57cb88) returned 1 [0107.603] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0107.636] ReadFile (in: hFile=0x184, lpBuffer=0x55ab14, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x53aae0 | out: lpBuffer=0x55ab14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x53aae0) returned 1 [0107.636] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0108.805] WriteFile (in: hFile=0xec, lpBuffer=0x3b580d4, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0) returned 0x0 [0108.807] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0108.840] WriteFile (in: hFile=0x178, lpBuffer=0x3c7011c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c500e8 | out: lpBuffer=0x3c7011c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c500e8) returned 1 [0108.842] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0108.857] ReadFile (in: hFile=0x16c, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0108.857] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0108.887] CloseHandle (hObject=0x18c) returned 1 [0108.889] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab.991D78AF38B21CA967EACCE1BE715150A44709E8E32386E7C1514B8F5876BD51" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\cab1.cab.991d78af38b21ca967eacce1be715150a44709e8e32386e7c1514b8f5876bd51")) returned 1 [0108.891] GetProcessHeap () returned 0x4c0000 [0108.891] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bb80d8 | out: hHeap=0x4c0000) returned 1 [0108.891] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0108.984] WriteFile (in: hFile=0x184, lpBuffer=0x3b80124, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0) returned 0x0 [0108.986] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0109.560] CloseHandle (hObject=0x114) returned 1 [0109.566] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab.73FEA845425B415724D7DD5EF3BC1D23B312899B84B81AECF890547908FBA552" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\cab1.cab.73fea845425b415724d7dd5ef3bc1d23b312899b84b81aecf890547908fba552")) returned 1 [0109.567] GetProcessHeap () returned 0x4c0000 [0109.567] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b88140 | out: hHeap=0x4c0000) returned 1 [0109.567] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0109.579] ReadFile (in: hFile=0xec, lpBuffer=0x3b580d4, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0) returned 1 [0109.579] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0109.602] ReadFile (in: hFile=0x178, lpBuffer=0x3bd810c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bb80d8 | out: lpBuffer=0x3bd810c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bb80d8) returned 1 [0109.602] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0109.705] WriteFile (in: hFile=0xec, lpBuffer=0x3b580d4, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0) returned 0x0 [0109.706] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0109.708] ReadFile (in: hFile=0x114, lpBuffer=0x3c7011c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c500e8 | out: lpBuffer=0x3c7011c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c500e8) returned 1 [0109.708] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0109.751] WriteFile (in: hFile=0x114, lpBuffer=0x3c7011c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c500e8 | out: lpBuffer=0x3c7011c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c500e8) returned 0x0 [0109.752] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0109.916] ReadFile (in: hFile=0x19c, lpBuffer=0x3b80124, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0) returned 1 [0109.916] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0109.957] WriteFile (in: hFile=0x19c, lpBuffer=0x3b80124, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0) returned 0x0 [0109.958] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0109.960] CloseHandle (hObject=0x16c) returned 1 [0109.962] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab.B59DAAF1823184A9047D193D843285B270E3949DD58B0B9B1916D2FD58074D2E" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\cab1.cab.b59daaf1823184a9047d193d843285b270e3949dd58b0b9b1916d2fd58074d2e")) returned 1 [0109.966] GetProcessHeap () returned 0x4c0000 [0109.966] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0109.966] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0109.968] CloseHandle (hObject=0x184) returned 1 [0109.970] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi.705B70E5341428944FB480D00DD8D81061F5709CF4D1C5AC2D02F444C6D33D25" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi.705b70e5341428944fb480d00dd8d81061f5709cf4d1c5ac2d02f444c6d33d25")) returned 1 [0109.971] GetProcessHeap () returned 0x4c0000 [0109.971] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0109.971] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0109.972] CloseHandle (hObject=0x178) returned 1 [0109.974] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi.B0C847315011CBFB47CA754F5EC4BB7B3CB7D8572DA5612C5520EEDFA154715F" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi.b0c847315011cbfb47ca754f5ec4bb7b3cb7d8572da5612c5520eedfa154715f")) returned 1 [0109.976] GetProcessHeap () returned 0x4c0000 [0109.976] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bb80d8 | out: hHeap=0x4c0000) returned 1 [0109.982] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0109.983] CloseHandle (hObject=0xec) returned 1 [0109.984] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.E1A04C6DE8B3F1355E4CB678C2A7AABEE943138F63C17EA6DE07C5E4DBE2FE16" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\cab1.cab.e1a04c6de8b3f1355e4cb678c2a7aabee943138f63c17ea6de07c5e4dbe2fe16")) returned 1 [0109.985] GetProcessHeap () returned 0x4c0000 [0109.985] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0109.985] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0109.986] CloseHandle (hObject=0x114) returned 1 [0109.988] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.4C9858CB7B01A65CB90A674B961FB4D8543970DEFF0B184716136B6A796F9D4D" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\cab1.cab.4c9858cb7b01a65cb90a674b961fb4d8543970deff0b184716136b6a796f9d4d")) returned 1 [0109.991] GetProcessHeap () returned 0x4c0000 [0109.991] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c500e8 | out: hHeap=0x4c0000) returned 1 [0109.992] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0109.995] CloseHandle (hObject=0x174) returned 1 [0109.996] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.3D629413C6FEF4F8741172D5CD860DC081A87F6FEB73780837BD99CACCCF0148" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\cab1.cab.3d629413c6fef4f8741172d5cd860dc081a87f6feb73780837bd99cacccf0148")) returned 1 [0109.999] GetProcessHeap () returned 0x4c0000 [0109.999] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b88140 | out: hHeap=0x4c0000) returned 1 [0110.000] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0110.004] ReadFile (in: hFile=0x190, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0110.004] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0110.046] WriteFile (in: hFile=0x190, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0110.048] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0110.106] ReadFile (in: hFile=0x174, lpBuffer=0x3ba8174, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140) returned 1 [0110.106] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0110.150] ReadFile (in: hFile=0x114, lpBuffer=0x3bd810c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bb80d8 | out: lpBuffer=0x3bd810c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bb80d8) returned 1 [0110.150] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0110.157] CloseHandle (hObject=0x190) returned 1 [0110.319] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi.37AA7B2CB6CB762C5489A6E19C863866789067A087A34463C9370D73F56F6A60" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi.37aa7b2cb6cb762c5489a6e19c863866789067a087a34463c9370d73f56f6a60")) returned 1 [0110.320] GetProcessHeap () returned 0x4c0000 [0110.320] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0110.320] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0110.397] ReadFile (in: hFile=0x1a4, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0110.398] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0110.494] WriteFile (in: hFile=0x1a4, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0110.524] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0110.547] ReadFile (in: hFile=0x19c, lpBuffer=0x3b80124, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0) returned 1 [0110.547] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0110.582] ReadFile (in: hFile=0x190, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0110.582] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0110.631] CloseHandle (hObject=0x114) returned 1 [0110.632] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi.89433CE538C20F46AA7929B1D25C6E373C48B622AF80BF50B2F1CCC4FB616E0F" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi.89433ce538c20f46aa7929b1d25c6e373c48b622af80bf50b2f1ccc4fb616e0f")) returned 1 [0110.635] GetProcessHeap () returned 0x4c0000 [0110.635] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bb80d8 | out: hHeap=0x4c0000) returned 1 [0110.636] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0110.663] CloseHandle (hObject=0x18c) returned 1 [0110.715] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi.F6EE45B2D84E7B031FE76E36FA80FAA3FC1F90209CB9D10E3AE8600512662A52" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi.f6ee45b2d84e7b031fe76e36fa80faa3fc1f90209cb9d10e3ae8600512662a52")) returned 1 [0110.716] GetProcessHeap () returned 0x4c0000 [0110.716] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0110.716] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0110.728] CloseHandle (hObject=0x19c) returned 1 [0110.795] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm.B6D41D63620B0FC59E1DD3B3CA8586AA65D1639D2264114DB2ABF6CC49A7532C" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm.b6d41d63620b0fc59e1dd3b3ca8586aa65d1639d2264114db2abf6cc49a7532c")) returned 1 [0110.879] GetProcessHeap () returned 0x4c0000 [0110.879] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0110.880] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0110.918] ReadFile (in: hFile=0x180, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0110.918] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0111.050] WriteFile (in: hFile=0x180, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0111.052] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0111.059] CloseHandle (hObject=0x114) returned 1 [0111.061] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.859CA46D254D29424B1E751BF25F1ABA5CCEE9A2E3A580AB0C065465B33E842D" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\cab1.cab.859ca46d254d29424b1e751bf25f1aba5ccee9a2e3a580ab0c065465b33e842d")) returned 1 [0111.064] GetProcessHeap () returned 0x4c0000 [0111.064] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bb80d8 | out: hHeap=0x4c0000) returned 1 [0111.064] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0111.221] WriteFile (in: hFile=0x19c, lpBuffer=0x3c2007c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 1 [0111.223] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0111.373] WriteFile (in: hFile=0x180, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0111.567] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0111.701] ReadFile (in: hFile=0x18c, lpBuffer=0x3c480cc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098) returned 1 [0111.702] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0111.946] ReadFile (in: hFile=0x194, lpBuffer=0x3b2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b00048 | out: lpBuffer=0x3b2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b00048) returned 1 [0111.946] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0112.284] WriteFile (in: hFile=0x198, lpBuffer=0x3c2007c, nNumberOfBytesToWrite=0x1400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 0x0 [0112.286] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0112.937] CloseHandle (hObject=0x16c) returned 1 [0112.938] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeSysFnt10.lst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\adobesysfnt10.lst"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeSysFnt10.lst.DD789A8C3E0F924C61AE0A09C5934475A4C30935BC64D33DC3AD2269DECE2967" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\adobesysfnt10.lst.dd789a8c3e0f924c61ae0a09c5934475a4c30935bc64d33dc3ad2269dece2967")) returned 1 [0112.939] GetProcessHeap () returned 0x4c0000 [0112.939] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0112.939] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0113.116] ReadFile (in: hFile=0x16c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x4200, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0113.117] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0113.228] WriteFile (in: hFile=0x1ac, lpBuffer=0x3c9816c, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c78138 | out: lpBuffer=0x3c9816c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c78138) returned 0x0 [0113.229] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0113.241] CloseHandle (hObject=0x1ac) returned 1 [0113.242] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.37F9BBF366E0D997CC5809E107718699756B8642C65C5FC804E5372781506A3F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.37f9bbf366e0d997cc5809e107718699756b8642c65c5fc804e5372781506a3f")) returned 1 [0113.243] GetProcessHeap () returned 0x4c0000 [0113.243] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c78138 | out: hHeap=0x4c0000) returned 1 [0113.243] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0118.236] WriteFile (in: hFile=0x184, lpBuffer=0x3cc003c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ca0008 | out: lpBuffer=0x3cc003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ca0008) returned 0x0 [0118.237] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0118.271] ReadFile (in: hFile=0x16c, lpBuffer=0x3b80124, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0) returned 1 [0118.271] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0118.273] WriteFile (in: hFile=0x16c, lpBuffer=0x3b80124*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0) returned 1 [0118.275] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0118.276] CloseHandle (hObject=0x16c) returned 1 [0118.276] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\manifest.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\manifest.json.BE0AADCD425E62D7B55C9997CD547BDE0E7D8D99CC0143E117DBDB812CA64F7F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\manifest.json.be0aadcd425e62d7b55c9997cd547bde0e7d8d99cc0143e117dbdb812ca64f7f")) returned 1 [0118.278] GetProcessHeap () returned 0x4c0000 [0118.278] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0118.278] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0118.280] CloseHandle (hObject=0x1b0) returned 1 [0118.282] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png.ABC0D2966CA3643865D45DB0CB9ED4DB40151DB22B3612D8FA0EC2244BA2C00D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png.abc0d2966ca3643865d45db0cb9ed4db40151db22b3612d8fa0ec2244ba2c00d")) returned 1 [0118.284] GetProcessHeap () returned 0x4c0000 [0118.284] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0118.288] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0118.421] CloseHandle (hObject=0x184) returned 1 [0118.423] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\flapper.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\flapper.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\flapper.gif.5C3EA6E9D657442DA0E9FD10E86DC4FD0F5571822324803B105E0A8FA4DD6273" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\flapper.gif.5c3ea6e9d657442da0e9fd10e86dc4fd0f5571822324803b105e0a8fa4dd6273")) returned 1 [0118.424] GetProcessHeap () returned 0x4c0000 [0118.424] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0118.427] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0118.464] ReadFile (in: hFile=0x1a0, lpBuffer=0x3c4008c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c20058 | out: lpBuffer=0x3c4008c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c20058) returned 1 [0118.464] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0118.497] WriteFile (in: hFile=0x1a0, lpBuffer=0x3c4008c, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c20058 | out: lpBuffer=0x3c4008c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c20058) returned 0x0 [0118.499] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0118.650] ReadFile (in: hFile=0x16c, lpBuffer=0x3ba8174, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140) returned 1 [0118.662] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0118.690] ReadFile (in: hFile=0x16c, lpBuffer=0x3b80124, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0) returned 1 [0118.690] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0118.724] WriteFile (in: hFile=0x16c, lpBuffer=0x3b80124, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0) returned 0x0 [0118.726] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0118.737] ReadFile (in: hFile=0x184, lpBuffer=0x3cc003c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ca0008 | out: lpBuffer=0x3cc003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ca0008) returned 1 [0118.737] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0118.819] ReadFile (in: hFile=0x1a0, lpBuffer=0x3c4008c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c20058 | out: lpBuffer=0x3c4008c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c20058) returned 1 [0118.820] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0118.827] ReadFile (in: hFile=0x17c, lpBuffer=0x3b580d4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0) returned 1 [0118.828] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0118.903] ReadFile (in: hFile=0x1b0, lpBuffer=0x55cb24, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0) returned 1 [0118.903] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0118.904] WriteFile (in: hFile=0x184, lpBuffer=0x3cc003c, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ca0008 | out: lpBuffer=0x3cc003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ca0008) returned 0x0 [0119.035] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0119.047] WriteFile (in: hFile=0x1bc, lpBuffer=0x3ce808c, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3cc8058 | out: lpBuffer=0x3ce808c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3cc8058) returned 0x0 [0119.048] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0119.208] WriteFile (in: hFile=0x1b8, lpBuffer=0x3c91134, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c71100 | out: lpBuffer=0x3c91134, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c71100) returned 0x0 [0119.210] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0119.551] WriteFile (in: hFile=0x198, lpBuffer=0x3b80124, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0) returned 0x0 [0119.552] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0119.613] CloseHandle (hObject=0x1b8) returned 1 [0119.642] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\messages.json.051AB15F8B18C747C8CA5F363F057A2B01E4C7D718B224C3C2F24BCAAA376055" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\messages.json.051ab15f8b18c747c8ca5f363f057a2b01e4c7d718b224c3c2f24bcaaa376055")) returned 1 [0119.644] GetProcessHeap () returned 0x4c0000 [0119.644] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c71100 | out: hHeap=0x4c0000) returned 1 [0119.644] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0119.848] CloseHandle (hObject=0x1c4) returned 1 [0120.055] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_pt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\messages.json.5BB94FB99468FADB905F56CA65B5D923F196C0F9FDE546293630BCD445803757" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_pt\\messages.json.5bb94fb99468fadb905f56ca65b5d923f196c0f9fde546293630bcd445803757")) returned 1 [0120.059] GetProcessHeap () returned 0x4c0000 [0120.059] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3d11240 | out: hHeap=0x4c0000) returned 1 [0120.063] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0120.262] ReadFile (in: hFile=0x1c0, lpBuffer=0x3b80124, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0) returned 1 [0120.262] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0120.273] WriteFile (in: hFile=0x1c4, lpBuffer=0x3d3108c, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d11058 | out: lpBuffer=0x3d3108c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d11058) returned 0x0 [0120.287] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0122.406] CloseHandle (hObject=0x1c8) returned 1 [0122.412] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\material_css_min.css" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\material_css_min.css"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\material_css_min.css.9EBD0225D5E5A7A75F5405BDBA6CA4D85AD817B229638AF8CDBDF4828F584350" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\material_css_min.css.9ebd0225d5e5a7a75f5405bdba6ca4d85ad817b229638af8cdbdf4828f584350")) returned 1 [0122.413] GetProcessHeap () returned 0x4c0000 [0122.413] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3d610f8 | out: hHeap=0x4c0000) returned 1 [0122.413] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0122.523] ReadFile (in: hFile=0x1cc, lpBuffer=0x3d3108c, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d11058 | out: lpBuffer=0x3d3108c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d11058) returned 1 [0122.523] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0122.626] ReadFile (in: hFile=0x1ac, lpBuffer=0x3da917c, nNumberOfBytesToRead=0x3c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d89148 | out: lpBuffer=0x3da917c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d89148) returned 1 [0122.626] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0122.652] ReadFile (in: hFile=0x1b4, lpBuffer=0x3dd11cc, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db1198 | out: lpBuffer=0x3dd11cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db1198) returned 1 [0122.652] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0122.672] WriteFile (in: hFile=0x1b4, lpBuffer=0x3dd11cc, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db1198 | out: lpBuffer=0x3dd11cc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db1198) returned 0x0 [0122.675] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0122.691] CloseHandle (hObject=0x1b0) returned 1 [0122.692] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\common.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\common.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\common.js.7ECEB4434E0A19C8D4EE3F47B8CE83CBADF7EE86DA637784E50B420C2E91A34F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\common.js.7eceb4434e0a19c8d4ee3f47b8ce83cbadf7ee86da637784e50b420c2e91a34f")) returned 1 [0122.693] GetProcessHeap () returned 0x4c0000 [0122.693] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c720f8 | out: hHeap=0x4c0000) returned 1 [0122.693] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0122.700] ReadFile (in: hFile=0x1c4, lpBuffer=0x3b580d4, nNumberOfBytesToRead=0x3e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0) returned 1 [0122.700] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0122.773] ReadFile (in: hFile=0x1b0, lpBuffer=0x3c9212c, nNumberOfBytesToRead=0x4600, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8) returned 1 [0122.774] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0122.952] WriteFile (in: hFile=0x1b0, lpBuffer=0x3c9212c, nNumberOfBytesToWrite=0x4600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8) returned 0x0 [0122.954] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0123.431] WriteFile (in: hFile=0x1c8, lpBuffer=0x3d0903c, nNumberOfBytesToWrite=0x5200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ce9008 | out: lpBuffer=0x3d0903c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ce9008) returned 0x0 [0123.618] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0123.638] WriteFile (in: hFile=0x114, lpBuffer=0x584b74, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40) returned 0x0 [0123.669] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0123.688] WriteFile (in: hFile=0x1e4, lpBuffer=0x40d816c, nNumberOfBytesToWrite=0x3e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x40b8138 | out: lpBuffer=0x40d816c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x40b8138) returned 0x0 [0123.695] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0123.695] CloseHandle (hObject=0x1c0) returned 1 [0123.701] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\messages.json.035EEB9B73015B3219C41E972B575D8362004F16E4944A669CED8CA549F65A65" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\messages.json.035eeb9b73015b3219c41e972b575d8362004f16e4944a669ced8ca549f65a65")) returned 1 [0123.709] GetProcessHeap () returned 0x4c0000 [0123.709] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3d610f8 | out: hHeap=0x4c0000) returned 1 [0123.709] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0123.881] ReadFile (in: hFile=0x1ac, lpBuffer=0x3b580d4, nNumberOfBytesToRead=0x5400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0) returned 1 [0123.882] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0124.557] WriteFile (in: hFile=0x1a0, lpBuffer=0x3d590dc, nNumberOfBytesToWrite=0x3800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d390a8 | out: lpBuffer=0x3d590dc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d390a8) returned 0x0 [0124.841] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0125.765] ReadFile (in: hFile=0x1cc, lpBuffer=0x55cb24, nNumberOfBytesToRead=0x3e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0) returned 1 [0125.787] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0125.832] WriteFile (in: hFile=0x1a0, lpBuffer=0x584b74, nNumberOfBytesToWrite=0x3e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40) returned 0x0 [0125.833] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0125.852] ReadFile (in: hFile=0x1dc, lpBuffer=0x3b80124, nNumberOfBytesToRead=0x3e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0) returned 1 [0125.853] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0125.952] WriteFile (in: hFile=0x1e4, lpBuffer=0x3c9212c, nNumberOfBytesToWrite=0x3e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8) returned 0x0 [0125.953] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0125.999] ReadFile (in: hFile=0x1bc, lpBuffer=0x3ba8174, nNumberOfBytesToRead=0x3e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140) returned 1 [0125.999] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0126.004] CloseHandle (hObject=0x1d4) returned 1 [0126.006] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\messages.json.17BA426002658980D440BB76C5F953BEEC72AFCEC545FEAD478BE1D9BDC6EF1C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\messages.json.17ba426002658980d440bb76c5f953beec72afcec545fead478be1d9bdc6ef1c")) returned 1 [0126.007] GetProcessHeap () returned 0x4c0000 [0126.007] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0126.007] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0126.011] CloseHandle (hObject=0x1cc) returned 1 [0126.012] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\messages.json.07207A342F67600B64DEACBBCDBA67CC832939CFC7961C7132C8E9AAD2A34D6D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\messages.json.07207a342f67600b64deacbbcdba67cc832939cfc7961c7132c8e9aad2a34d6d")) returned 1 [0126.013] GetProcessHeap () returned 0x4c0000 [0126.013] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0126.016] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0126.018] CloseHandle (hObject=0x1a0) returned 1 [0126.019] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\messages.json.37D1155F9DD35A08EB9F7A4868247412F586E46CCD0AA5AD9B8CE992E655F94A" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\messages.json.37d1155f9dd35a08eb9f7a4868247412f586e46ccd0aa5ad9b8ce992e655f94a")) returned 1 [0126.031] GetProcessHeap () returned 0x4c0000 [0126.031] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x564b40 | out: hHeap=0x4c0000) returned 1 [0126.032] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0126.034] CloseHandle (hObject=0x1dc) returned 1 [0126.037] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\messages.json.721300B6E077B92A944C39FA333D2735EA3DC6A54377786B224FB48C68E34002" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\messages.json.721300b6e077b92a944c39fa333d2735ea3dc6a54377786b224fb48c68e34002")) returned 1 [0126.039] GetProcessHeap () returned 0x4c0000 [0126.039] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0126.039] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0126.198] WriteFile (in: hFile=0x1bc, lpBuffer=0x3ba8174, nNumberOfBytesToWrite=0x3e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140) returned 0x0 [0126.201] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0126.739] CloseHandle (hObject=0x1e4) returned 1 [0126.761] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\messages.json.B6386028C7EC829543FBAE75A87EA119071851C6A42570B1E342CB1FA18BEF67" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\messages.json.b6386028c7ec829543fbae75a87ea119071851c6a42570b1e342cb1fa18bef67")) returned 1 [0126.767] GetProcessHeap () returned 0x4c0000 [0126.767] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c720f8 | out: hHeap=0x4c0000) returned 1 [0126.767] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0126.767] CloseHandle (hObject=0x1a0) returned 1 [0126.772] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\messages.json.51166FD6F93F5C9AFDDDAE1E3078EA7E5ECBBF955EC1D2F5DB05B3BD65E6040F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\messages.json.51166fd6f93f5c9afdddae1e3078ea7e5ecbbf955ec1d2f5db05b3bd65e6040f")) returned 1 [0126.776] GetProcessHeap () returned 0x4c0000 [0126.776] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0126.778] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0137.081] CloseHandle (hObject=0xec) returned 1 [0137.527] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ce8c0453589216a67cddb50284fbfe8d.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\thumbnails\\ce8c0453589216a67cddb50284fbfe8d.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ce8c0453589216a67cddb50284fbfe8d.png.C399BC1693FBF4DB672D1A686B648B217686F3F77D8C1F1E921B2C0ACAF5004A" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\thumbnails\\ce8c0453589216a67cddb50284fbfe8d.png.c399bc1693fbf4db672d1a686b648b217686f3f77d8c1f1e921b2c0acaf5004a")) returned 1 [0137.725] GetProcessHeap () returned 0x4c0000 [0137.725] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x564b40 | out: hHeap=0x4c0000) returned 1 [0137.725] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0137.725] CloseHandle (hObject=0x184) returned 1 [0137.727] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-BGohlSAVantS.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\p-bgohlsavants.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-BGohlSAVantS.m4a.23DB6130A402A3A41B878BF6F6A6B21D7D67090D5539EB475F6F190261676C00" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\p-bgohlsavants.m4a.23db6130a402a3a41b878bf6f6a6b21d7d67090d5539eb475f6f190261676c00")) returned 1 [0137.762] GetProcessHeap () returned 0x4c0000 [0137.762] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c9a148 | out: hHeap=0x4c0000) returned 1 [0137.767] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0137.931] WriteFile (in: hFile=0x124, lpBuffer=0x3be8114*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0) returned 1 [0137.962] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0138.004] WriteFile (in: hFile=0x178, lpBuffer=0x55cb24*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0) returned 1 [0138.006] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0138.069] WriteFile (in: hFile=0x1b8, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0138.071] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0138.106] CloseHandle (hObject=0x178) returned 1 [0138.107] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\VZEltb-s.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\vzeltb-s.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\VZEltb-s.swf.C1BD074E875F8C597022C581EB5E57FB01E602A8587B8ADD2077F9ED95E96C4C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\vzeltb-s.swf.c1bd074e875f8c597022c581eb5e57fb01e602a8587b8add2077f9ed95e96c4c")) returned 1 [0138.108] GetProcessHeap () returned 0x4c0000 [0138.108] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0138.108] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0138.256] ReadFile (in: hFile=0x1b8, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0138.257] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0138.311] WriteFile (in: hFile=0x124, lpBuffer=0x55cb24*, nNumberOfBytesToWrite=0x5c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0) returned 1 [0138.314] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0138.892] CloseHandle (hObject=0x1d4) returned 1 [0138.893] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\705a76de71ea2caebb8f0907449ce086_9752c5b2d53ee7a19f7764b52968ec21"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21.D2252D4B7FFE0F26B5E7CD5B5F7457C8B667F2BA70F9BA90F5678A43098DA04C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\705a76de71ea2caebb8f0907449ce086_9752c5b2d53ee7a19f7764b52968ec21.d2252d4b7ffe0f26b5e7cd5b5f7457c8b667f2ba70f9ba90f5678a43098da04c")) returned 1 [0138.897] GetProcessHeap () returned 0x4c0000 [0138.897] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0138.897] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0138.958] WriteFile (in: hFile=0x128, lpBuffer=0x3c2007c*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 1 [0138.961] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0139.034] WriteFile (in: hFile=0x128, lpBuffer=0x54bb14, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 0x0 [0139.036] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0139.132] WriteFile (in: hFile=0x178, lpBuffer=0x573b64, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30) returned 0x0 [0139.133] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0139.201] ReadFile (in: hFile=0x1d4, lpBuffer=0x3c480cc, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098) returned 1 [0139.201] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0139.203] WriteFile (in: hFile=0x1d4, lpBuffer=0x3c480cc*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098) returned 1 [0139.205] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0139.206] CloseHandle (hObject=0x1d4) returned 1 [0139.207] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8e4e510f44a56b8c8ecfec352907c373_411140098d71f028134e9b8a21255c61"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61.B1C0129D2B333A681E232C76316AF2D9EBB1308AF6FEB944B72A7092C936702D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8e4e510f44a56b8c8ecfec352907c373_411140098d71f028134e9b8a21255c61.b1c0129d2b333a681e232c76316af2d9ebb1308af6feb944b72a7092c936702d")) returned 1 [0139.208] GetProcessHeap () returned 0x4c0000 [0139.208] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0139.208] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0139.298] WriteFile (in: hFile=0x18c, lpBuffer=0x3b580d4*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0) returned 1 [0139.301] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0139.450] ReadFile (in: hFile=0x128, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0139.450] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0139.460] WriteFile (in: hFile=0x178, lpBuffer=0x573b64, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30) returned 0x0 [0139.462] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0139.493] WriteFile (in: hFile=0x1d4, lpBuffer=0x3c480cc*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098) returned 1 [0139.494] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0139.581] WriteFile (in: hFile=0x1d4, lpBuffer=0x3c480cc*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098) returned 1 [0139.583] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0139.689] ReadFile (in: hFile=0x184, lpBuffer=0x3c480cc, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098) returned 1 [0139.695] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0139.698] CloseHandle (hObject=0x18c) returned 1 [0139.699] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\955cab6ff6a24d5820d50b5ba1cf79c7_ad9e7615297a3a83320aace5801a04f9"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9.1D37530EE125E50DD13C8A9C6B57A84E76BC1507303154674311A7B7EEA76C41" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\955cab6ff6a24d5820d50b5ba1cf79c7_ad9e7615297a3a83320aace5801a04f9.1d37530ee125e50dd13c8a9c6b57a84e76bc1507303154674311a7b7eea76c41")) returned 1 [0139.700] GetProcessHeap () returned 0x4c0000 [0139.700] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0139.705] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0139.707] ReadFile (in: hFile=0x1d0, lpBuffer=0x3b580d4, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0) returned 1 [0139.708] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0139.712] CloseHandle (hObject=0x1d0) returned 1 [0139.713] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\bc570ec0de58335afaf92fdc8e3aa330_f4d449ca9e0eaccfe15946f8fcd349fc"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC.4CAF8F9937454FF0276C5212C2923C440D01B93F2F05A2C458056FF14E07B962" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\bc570ec0de58335afaf92fdc8e3aa330_f4d449ca9e0eaccfe15946f8fcd349fc.4caf8f9937454ff0276c5212c2923c440d01b93f2f05a2c458056ff14e07b962")) returned 1 [0139.714] GetProcessHeap () returned 0x4c0000 [0139.714] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0139.715] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0139.852] ReadFile (in: hFile=0x1d0, lpBuffer=0x54bb14, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0139.856] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0139.863] WriteFile (in: hFile=0x18c, lpBuffer=0x3be8114, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0) returned 0x0 [0139.864] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0140.295] CloseHandle (hObject=0x178) returned 1 [0140.303] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\bc570ec0de58335afaf92fdc8e3aa330_6ce6e578b5c8485b4be3c4d58e12f150"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150.514AB8074F53A4C5424859889EFD10F523CC877355ECD6E56785CBCFF657EA40" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\bc570ec0de58335afaf92fdc8e3aa330_6ce6e578b5c8485b4be3c4d58e12f150.514ab8074f53a4c5424859889efd10f523cc877355ecd6e56785cbcff657ea40")) returned 1 [0140.305] GetProcessHeap () returned 0x4c0000 [0140.305] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0140.305] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0140.397] ReadFile (in: hFile=0x178, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0140.397] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0140.428] WriteFile (in: hFile=0x178, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0140.443] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0140.445] CloseHandle (hObject=0x178) returned 1 [0140.445] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\index.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\index.dat.3FAFFDF1EB9F72377A8049B0B9AF2894E7932BB1CFEF54F863402784156FA07E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\index.dat.3faffdf1eb9f72377a8049b0b9af2894e7932bb1cfef54f863402784156fa07e")) returned 1 [0140.448] GetProcessHeap () returned 0x4c0000 [0140.448] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0140.448] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0140.455] ReadFile (in: hFile=0x1d0, lpBuffer=0x54bb14, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0140.455] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0140.456] WriteFile (in: hFile=0x1d0, lpBuffer=0x54bb14*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 1 [0140.458] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0140.459] CloseHandle (hObject=0x1d0) returned 1 [0140.459] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09\\www.msn[1].xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\vgmtoi09\\www.msn[1].xml"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09\\www.msn[1].xml.F294BAB096A7C123C1038CB7B9DE0A471E5492E0C1B2EB723DB9503D470F1A20" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\vgmtoi09\\www.msn[1].xml.f294bab096a7c123c1038cb7b9de0a471e5492e0c1b2eb723db9503d470f1a20")) returned 1 [0140.461] GetProcessHeap () returned 0x4c0000 [0140.461] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0140.461] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0140.585] ReadFile (in: hFile=0x1d0, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0140.585] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0140.617] WriteFile (in: hFile=0x1d0, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0140.619] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0140.624] ReadFile (in: hFile=0x178, lpBuffer=0x573b64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64*, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30) returned 1 [0140.624] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0140.629] WriteFile (in: hFile=0x178, lpBuffer=0x573b64*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30) returned 1 [0140.631] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0140.631] CloseHandle (hObject=0x178) returned 1 [0140.632] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\deployment\\deployment.properties"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties.979A47A8DB44740B73E297C5CCB5CF7B62583E72A9766CA90DF29A33C44CCA4B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\deployment\\deployment.properties.979a47a8db44740b73e297c5ccb5cf7b62583e72a9766ca90df29a33c44cca4b")) returned 1 [0140.633] GetProcessHeap () returned 0x4c0000 [0140.633] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x553b30 | out: hHeap=0x4c0000) returned 1 [0140.633] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0140.683] ReadFile (in: hFile=0x178, lpBuffer=0x573b64, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64*, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30) returned 1 [0140.683] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0140.732] WriteFile (in: hFile=0x178, lpBuffer=0x573b64, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30) returned 0x0 [0140.734] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0140.743] ReadFile (in: hFile=0x1d4, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0140.744] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0140.771] WriteFile (in: hFile=0x1d4, lpBuffer=0x3c2007c*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 1 [0140.788] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0140.795] CloseHandle (hObject=0x1d4) returned 1 [0140.796] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\jre1.7.0_45.msi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\jre1.7.0_45\\jre1.7.0_45.msi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\jre1.7.0_45.msi.2C3676E4BD27E28CE6648B51124A551F23BD24257E679A10E00748532EA69576" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\jre1.7.0_45\\jre1.7.0_45.msi.2c3676e4bd27e28ce6648b51124a551f23bd24257e679a10e00748532ea69576")) returned 1 [0140.800] GetProcessHeap () returned 0x4c0000 [0140.800] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0140.801] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0140.944] ReadFile (in: hFile=0x1d4, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0140.944] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0141.018] WriteFile (in: hFile=0x124, lpBuffer=0x3c480cc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098) returned 1 [0141.020] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0141.441] WriteFile (in: hFile=0x180, lpBuffer=0x54bb14*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 1 [0141.442] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0141.443] CloseHandle (hObject=0x180) returned 1 [0141.445] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\crlcache\\48b76449f3d5fefa1133aa805e420f0fca643651.crl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl.579FC98F4AEFD8F7E22B0BEFD54A6D2D48F6910061C23530F4F79CC849975B3D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\crlcache\\48b76449f3d5fefa1133aa805e420f0fca643651.crl.579fc98f4aefd8f7e22b0befd54a6d2d48f6910061c23530f4f79cc849975b3d")) returned 1 [0141.448] GetProcessHeap () returned 0x4c0000 [0141.449] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0141.449] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0141.799] CloseHandle (hObject=0x1b8) returned 1 [0141.801] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\bpobfvAL-zRZM_.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\bpobfval-zrzm_.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\bpobfvAL-zRZM_.mp3.AA3A1C987BE134DB5367442688995E93FE48F34A8123F10A3E299AFE93465449" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\bpobfval-zrzm_.mp3.aa3a1c987be134db5367442688995e93fe48f34a8123f10a3e299afe93465449")) returned 1 [0141.802] GetProcessHeap () returned 0x4c0000 [0141.802] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0141.802] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0141.845] WriteFile (in: hFile=0x1b8, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x1c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0141.847] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0141.898] WriteFile (in: hFile=0x1b8, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0141.900] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0141.954] WriteFile (in: hFile=0x1b8, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0141.956] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0141.993] WriteFile (in: hFile=0x1b8, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0141.994] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0142.054] WriteFile (in: hFile=0x1b8, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x1c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0142.056] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0142.136] CloseHandle (hObject=0x1b8) returned 1 [0142.138] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kBXqRBAEu.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\kbxqrbaeu.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kBXqRBAEu.mp4.1041E793875B52FF08189BE18AACF828FBDC3962AD10481C8E2038F3C65F0F32" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\kbxqrbaeu.mp4.1041e793875b52ff08189be18aacf828fbdc3962ad10481c8e2038f3c65f0f32")) returned 1 [0142.139] GetProcessHeap () returned 0x4c0000 [0142.139] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0142.139] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0142.199] WriteFile (in: hFile=0x1b8, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0142.201] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0142.310] CloseHandle (hObject=0x1b8) returned 1 [0142.310] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\lSxsrJmkVT068pT.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\lsxsrjmkvt068pt.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\lSxsrJmkVT068pT.flv.2DA6A1A5F316A1FE99CAA5481CB848B1DA9ED205D9DC1A51AAC64B341E79A85F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\lsxsrjmkvt068pt.flv.2da6a1a5f316a1fe99caa5481cb848b1da9ed205d9dc1a51aac64b341e79a85f")) returned 1 [0142.311] GetProcessHeap () returned 0x4c0000 [0142.312] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0142.312] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0142.489] ReadFile (in: hFile=0x124, lpBuffer=0x54bb14, nNumberOfBytesToRead=0x800, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 0x0 [0142.492] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0142.742] CloseHandle (hObject=0x180) returned 1 [0142.743] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows explorer.lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk.6A9E1140E301D3513A8BAA0335A333C0958CBFBCEF48582935AC3D831307065D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows explorer.lnk.6a9e1140e301d3513a8baa0335a333c0958cbfbcef48582935ac3d831307065d")) returned 1 [0142.745] GetProcessHeap () returned 0x4c0000 [0142.745] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0142.745] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0142.843] WriteFile (in: hFile=0x1d4, lpBuffer=0x3c480cc*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098) returned 1 [0142.845] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0142.849] CloseHandle (hObject=0x1d4) returned 1 [0142.849] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows media player.lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk.2F4E551FAC7FC92BC50F6780C9FC2A79DE3B33448D8315EBA38A8F618E09AD55" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows media player.lnk.2f4e551fac7fc92bc50f6780c9fc2a79de3b33448d8315eba38a8f618e09ad55")) returned 1 [0142.852] GetProcessHeap () returned 0x4c0000 [0142.852] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0142.852] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0142.892] ReadFile (in: hFile=0x18c, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0142.892] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0142.940] WriteFile (in: hFile=0x18c, lpBuffer=0x3c2007c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 0x0 [0142.944] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0142.970] ReadFile (in: hFile=0x124, lpBuffer=0x3c480cc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098) returned 1 [0142.970] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0143.037] WriteFile (in: hFile=0x124, lpBuffer=0x3c480cc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098) returned 1 [0143.039] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0143.044] CloseHandle (hObject=0x124) returned 1 [0143.045] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\Global.MPT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ms project\\14\\1033\\global.mpt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\Global.MPT.27A73D5D1A384F47CF97EE77F53A9034588F0B664686D7ABDC06C21AE482D54A" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ms project\\14\\1033\\global.mpt.27a73d5d1a384f47cf97ee77f53a9034588f0b664686d7abdc06c21ae482d54a")) returned 1 [0143.046] GetProcessHeap () returned 0x4c0000 [0143.046] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0143.047] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0143.234] CloseHandle (hObject=0x124) returned 1 [0143.234] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\mso1033.acl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl.2DC58A9D598A504108675FE575A3668D35FF41931966405321986C89DA965544" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\mso1033.acl.2dc58a9d598a504108675fe575a3668d35ff41931966405321986c89da965544")) returned 1 [0143.236] GetProcessHeap () returned 0x4c0000 [0143.236] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0143.236] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0143.296] ReadFile (in: hFile=0x124, lpBuffer=0x522abc, nNumberOfBytesToRead=0xa00, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0143.296] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0143.331] CloseHandle (hObject=0x18c) returned 1 [0143.332] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\outlook\\outlook.xml"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml.4ECD348535F7E6234867B099E2DC530B3AB3075AD7797D0928FC627C31E65321" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\outlook\\outlook.xml.4ecd348535f7e6234867b099e2dc530b3ab3075ad7797d0928fc627c31e65321")) returned 1 [0143.334] GetProcessHeap () returned 0x4c0000 [0143.334] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0143.334] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0143.391] CloseHandle (hObject=0x184) returned 1 [0143.408] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\recent\\templates.lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK.4889B62BCF3017F2EEB83C81E5EA95BD90CBE26AC5A535BC71957090272E221E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\recent\\templates.lnk.4889b62bcf3017f2eeb83c81e5ea95bd90cbe26ac5a535bc71957090272e221e")) returned 1 [0143.409] GetProcessHeap () returned 0x4c0000 [0143.409] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x553b30 | out: hHeap=0x4c0000) returned 1 [0143.410] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0143.524] ReadFile (in: hFile=0x124, lpBuffer=0x522abc, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0143.524] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0143.548] WriteFile (in: hFile=0x124, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0143.549] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0143.551] CloseHandle (hObject=0x124) returned 1 [0143.551] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\templates\\normal.dotm"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm.1C441D62791AA684F981B69E33D02C8273AF40883B91588B2BA98A723619DC2A" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\templates\\normal.dotm.1c441d62791aa684f981b69e33d02c8273af40883b91588b2ba98a723619dc2a")) returned 1 [0143.552] GetProcessHeap () returned 0x4c0000 [0143.552] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0143.552] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0143.677] ReadFile (in: hFile=0x1d0, lpBuffer=0x522abc, nNumberOfBytesToRead=0xa00, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0143.678] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0143.699] WriteFile (in: hFile=0x1d0, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0143.700] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0143.700] CloseHandle (hObject=0x1d0) returned 1 [0143.701] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-05_5.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-05_5.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-05_5.json.2E602169D9F9C6DACBC74D8CB92AA727B67B77E1DFE72A90AB6E3EB8AFDBF247" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-05_5.json.2e602169d9f9c6dacbc74d8cb92aa727b67b77e1dfe72a90ab6e3eb8afdbf247")) returned 1 [0143.702] GetProcessHeap () returned 0x4c0000 [0143.702] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0143.702] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0143.705] ReadFile (in: hFile=0x1d4, lpBuffer=0x54bb14, nNumberOfBytesToRead=0xa00, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0143.705] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0143.707] WriteFile (in: hFile=0x1d4, lpBuffer=0x54bb14*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 1 [0143.712] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0143.712] CloseHandle (hObject=0x1d4) returned 1 [0143.713] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-16_5.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-16_5.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-16_5.json.25484739089AF3D81348985734E5172EEBAC3B993D3A3CD36DAA1656E2DA0110" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-16_5.json.25484739089af3d81348985734e5172eebac3b993d3a3cd36daa1656e2da0110")) returned 1 [0143.715] GetProcessHeap () returned 0x4c0000 [0143.715] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0143.715] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0143.767] ReadFile (in: hFile=0x1d4, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0143.767] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0143.802] WriteFile (in: hFile=0x18c, lpBuffer=0x54bb14, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 0x0 [0143.895] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0144.011] ReadFile (in: hFile=0x18c, lpBuffer=0x54bb14, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0144.011] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0144.043] ReadFile (in: hFile=0x178, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0144.043] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0144.085] WriteFile (in: hFile=0x178, lpBuffer=0x3c2007c*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 1 [0144.088] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0144.164] CloseHandle (hObject=0x178) returned 1 [0144.168] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\extensions.sqlite"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.sqlite.AE545938174A9D9E1AA0813A0802BE36C051F8A25B299B61C825C8E017FE7C21" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\extensions.sqlite.ae545938174a9d9e1aa0813a0802be36c051f8a25b299b61c825c8e017fe7c21")) returned 1 [0144.169] GetProcessHeap () returned 0x4c0000 [0144.169] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0144.170] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0144.202] WriteFile (in: hFile=0x18c, lpBuffer=0x54bb14, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 0x0 [0144.203] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0144.246] CloseHandle (hObject=0x18c) returned 1 [0144.247] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\downloads.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\downloads.sqlite"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\downloads.sqlite.9DE6BDF6EE5FE3CDF806D265C6ADB8B8AD888C3BAEAF0EF6C705F4002F93692A" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\downloads.sqlite.9de6bdf6ee5fe3cdf806d265c6adb8b8ad888c3baeaf0ef6c705f4002f93692a")) returned 1 [0144.248] GetProcessHeap () returned 0x4c0000 [0144.248] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0144.252] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0144.254] ReadFile (in: hFile=0xec, lpBuffer=0x3c580d4, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c380a0 | out: lpBuffer=0x3c580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c380a0) returned 1 [0144.254] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0144.293] WriteFile (in: hFile=0xec, lpBuffer=0x3c580d4, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c380a0 | out: lpBuffer=0x3c580d4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c380a0) returned 0x0 [0144.298] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0144.318] ReadFile (in: hFile=0x128, lpBuffer=0x522abc, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0144.318] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0144.333] CloseHandle (hObject=0x128) returned 1 [0144.334] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\key3.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\key3.db"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\key3.db.2081C765CEE1DF36F9C04A3A1C640B11D6EEA8D7D139EB3C7D08CFB7F6F74315" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\key3.db.2081c765cee1df36f9c04a3a1c640b11d6eea8d7d139eb3c7d08cfb7f6f74315")) returned 1 [0144.336] GetProcessHeap () returned 0x4c0000 [0144.336] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0144.336] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0144.356] ReadFile (in: hFile=0x128, lpBuffer=0x522abc, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0144.356] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0144.383] ReadFile (in: hFile=0x120, lpBuffer=0x54bb14, nNumberOfBytesToRead=0xe00, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0144.383] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0144.388] WriteFile (in: hFile=0x120, lpBuffer=0x54bb14*, nNumberOfBytesToWrite=0xe00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 1 [0144.390] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0144.399] CloseHandle (hObject=0x120) returned 1 [0144.400] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\mimeTypes.rdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\mimetypes.rdf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\mimeTypes.rdf.47813210D52A0BFCB7C1175E24768BF78673DE97CBE24130363374037714E469" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\mimetypes.rdf.47813210d52a0bfcb7c1175e24768bf78673de97cbe24130363374037714e469")) returned 1 [0144.453] GetProcessHeap () returned 0x4c0000 [0144.453] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0144.453] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0144.478] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0144.478] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0144.508] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0144.510] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0144.516] CloseHandle (hObject=0x120) returned 1 [0144.516] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\permissions.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\permissions.sqlite"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\permissions.sqlite.8740C137266BB046E423C9A6B218A9817276685BBE1A084C79DB51530B2F453F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\permissions.sqlite.8740c137266bb046e423c9a6b218a9817276685bbe1a084c79db51530b2f453f")) returned 1 [0144.517] GetProcessHeap () returned 0x4c0000 [0144.517] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0144.517] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0144.531] ReadFile (in: hFile=0x128, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0144.532] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0144.551] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0xe00, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0144.552] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0144.586] WriteFile (in: hFile=0x128, lpBuffer=0x3c2007c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 0x0 [0144.587] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0144.616] WriteFile (in: hFile=0x1d0, lpBuffer=0x54bb14*, nNumberOfBytesToWrite=0xe00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 1 [0144.618] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0145.108] CloseHandle (hObject=0x1b8) returned 1 [0145.109] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Njvdz.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\njvdz.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Njvdz.mkv.DAFB1545CF9A08D7B1F624C1E6D5B5C872288350B7CE4B8DA9C1B8DCCE98FC6C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\njvdz.mkv.dafb1545cf9a08d7b1f624c1e6d5b5c872288350b7ce4b8da9c1b8dcce98fc6c")) returned 1 [0145.111] GetProcessHeap () returned 0x4c0000 [0145.111] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0145.111] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0145.186] WriteFile (in: hFile=0x1b8, lpBuffer=0x3b80124*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0) returned 1 [0145.189] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0145.422] CloseHandle (hObject=0x1b8) returned 1 [0145.423] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\PYGzua5OAZBGc.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\pygzua5oazbgc.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\PYGzua5OAZBGc.avi.A26AE81A77CBCA9DEAE87A3D55481339837B360B7E1623D3D6CFDD5B2FA03C0E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\pygzua5oazbgc.avi.a26ae81a77cbca9deae87a3d55481339837b360b7e1623d3d6cfdd5b2fa03c0e")) returned 1 [0145.425] GetProcessHeap () returned 0x4c0000 [0145.425] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0145.425] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0145.475] WriteFile (in: hFile=0x1b8, lpBuffer=0x54bb14*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 1 [0145.477] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0146.000] CloseHandle (hObject=0x1b8) returned 1 [0146.001] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\udkFco0GjQIuPfreiC.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\udkfco0gjqiupfreic.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\udkFco0GjQIuPfreiC.bmp.6F4AD3840F6C797F51B9ACABF1A42A47D7CAB8EA4D7E8B692EDABC3D20F2D208" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\udkfco0gjqiupfreic.bmp.6f4ad3840f6c797f51b9acabf1a42a47d7cab8ea4d7e8b692edabc3d20f2d208")) returned 1 [0146.002] GetProcessHeap () returned 0x4c0000 [0146.002] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0146.003] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0146.062] WriteFile (in: hFile=0x1b8, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x6000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0146.064] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0146.138] CloseHandle (hObject=0x1b8) returned 1 [0146.140] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\WPh5.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\wph5.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\WPh5.m4a.0B9A8546452388FA3B4460596B46CF2DA9F64DA8E861EC1AFC31D9297B688E32" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\wph5.m4a.0b9a8546452388fa3b4460596b46cf2da9f64da8e861ec1afc31d9297b688e32")) returned 1 [0146.141] GetProcessHeap () returned 0x4c0000 [0146.141] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0146.141] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0146.210] WriteFile (in: hFile=0x1b8, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0146.212] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0147.346] CloseHandle (hObject=0x19c) returned 1 [0147.346] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hg9V R.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\hg9v r.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hg9V R.xlsx.F929BDFB85AAF70817E5D5122717E3ECE3A69E2F9BAFC6F67C9C7EBCFB276C3E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\hg9v r.xlsx.f929bdfb85aaf70817e5d5122717e3ece3a69e2f9bafc6f67c9c7ebcfb276c3e")) returned 1 [0147.348] GetProcessHeap () returned 0x4c0000 [0147.348] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0147.348] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0147.406] WriteFile (in: hFile=0x19c, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0147.408] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0147.453] CloseHandle (hObject=0x19c) returned 1 [0147.454] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\JQBip1QT0RH K9qcKPU.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\jqbip1qt0rh k9qckpu.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\JQBip1QT0RH K9qcKPU.mkv.1DA3DECFD21A4AFCD2492C435802099BC81BEC9ED70B455A33F378D38E0F2233" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\jqbip1qt0rh k9qckpu.mkv.1da3decfd21a4afcd2492c435802099bc81bec9ed70b455a33f378d38e0f2233")) returned 1 [0147.455] GetProcessHeap () returned 0x4c0000 [0147.455] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0147.455] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0147.505] WriteFile (in: hFile=0x19c, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0147.507] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0147.640] WriteFile (in: hFile=0x19c, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0147.642] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0147.707] CloseHandle (hObject=0x19c) returned 1 [0147.708] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MYxG7te.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\myxg7te.csv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MYxG7te.csv.09ECDAD4971D6BA627CAEA64A7EF68FD0DE8E6562EAA4BC39812DC1C07157359" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\myxg7te.csv.09ecdad4971d6ba627caea64a7ef68fd0de8e6562eaa4bc39812dc1c07157359")) returned 1 [0147.717] GetProcessHeap () returned 0x4c0000 [0147.717] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0147.717] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0147.733] ReadFile (in: hFile=0x120, lpBuffer=0x54bb14, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0147.734] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0147.765] CloseHandle (hObject=0x120) returned 1 [0147.766] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\7AQSxvG8ewCZZCEY.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\nxdzy2\\7aqsxvg8ewczzcey.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\7AQSxvG8ewCZZCEY.mkv.F87C615FB12D4195E5DAC05D2715074FBCAAE7ED7A8E8CDA244246A9D9F94C4B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\nxdzy2\\7aqsxvg8ewczzcey.mkv.f87c615fb12d4195e5dac05d2715074fbcaae7ed7a8e8cda244246a9d9f94c4b")) returned 1 [0147.767] GetProcessHeap () returned 0x4c0000 [0147.767] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0147.767] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0147.829] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0147.831] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0147.928] CloseHandle (hObject=0x120) returned 1 [0147.929] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\H19h.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\nxdzy2\\h19h.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\H19h.mkv.CC62779BC6B7BB3ABADD9D59E3B8838F1E276FB1F210ED12F6A0EBEA4B015D6B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\nxdzy2\\h19h.mkv.cc62779bc6b7bb3abadd9d59e3b8838f1e276fb1f210ed12f6a0ebea4b015d6b")) returned 1 [0147.930] GetProcessHeap () returned 0x4c0000 [0147.930] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0147.930] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0147.996] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0xe00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0147.998] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0148.059] CloseHandle (hObject=0x120) returned 1 [0148.059] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\hw3bBwh.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\nxdzy2\\hw3bbwh.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\hw3bBwh.gif.D51A84D1E94FF59EBD02A062650440E011DAFC0D5D1EFE2508386182CFAF6370" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\nxdzy2\\hw3bbwh.gif.d51a84d1e94ff59ebd02a062650440e011dafc0d5d1efe2508386182cfaf6370")) returned 1 [0148.061] GetProcessHeap () returned 0x4c0000 [0148.061] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0148.061] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0148.115] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x6600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0148.120] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0148.359] CloseHandle (hObject=0x120) returned 1 [0148.359] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\_5lrKHjlF2GNU.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\nxdzy2\\_5lrkhjlf2gnu.pdf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\_5lrKHjlF2GNU.pdf.72869DB357629A25140CA3539250F7C80F109658541FFBB9F07FA72AD3DF110F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\nxdzy2\\_5lrkhjlf2gnu.pdf.72869db357629a25140ca3539250f7c80f109658541ffbb9f07fa72ad3df110f")) returned 1 [0148.361] GetProcessHeap () returned 0x4c0000 [0148.361] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0148.361] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0148.413] WriteFile (in: hFile=0x1b8, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x7000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0148.415] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0148.712] CloseHandle (hObject=0x120) returned 1 [0148.713] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qWedV4GiHAlkHS.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\qwedv4gihalkhs.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qWedV4GiHAlkHS.png.CD63B5D0651FBE6A79060DF349994DE4E3888D28DE5722422277044E38477A4F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\qwedv4gihalkhs.png.cd63b5d0651fbe6a79060df349994de4e3888d28de5722422277044e38477a4f")) returned 1 [0148.714] GetProcessHeap () returned 0x4c0000 [0148.714] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0148.714] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0148.763] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0148.765] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0148.826] CloseHandle (hObject=0x120) returned 1 [0148.827] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\tiZLL5aGz.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\tizll5agz.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\tiZLL5aGz.wav.CB75674F88E7F9BBA3437F1060C7A5AFBFB943D1BD147844327EFCAB6578F132" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\tizll5agz.wav.cb75674f88e7f9bba3437f1060c7a5afbfb943d1bd147844327efcab6578f132")) returned 1 [0148.828] GetProcessHeap () returned 0x4c0000 [0148.828] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0148.828] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0148.975] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x4a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0148.977] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0149.313] CloseHandle (hObject=0x120) returned 1 [0149.314] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ui2INzx5pef4SN35R5ox.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ui2inzx5pef4sn35r5ox.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ui2INzx5pef4SN35R5ox.png.968005A132A39B9FBD8374B75135156324BF2312E69EC2B2B69864D33FFD942C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ui2inzx5pef4sn35r5ox.png.968005a132a39b9fbd8374b75135156324bf2312e69ec2b2b69864d33ffd942c")) returned 1 [0149.316] GetProcessHeap () returned 0x4c0000 [0149.316] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0149.316] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0149.394] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0149.396] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0149.482] CloseHandle (hObject=0x120) returned 1 [0149.483] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\W1iY9C2qWbWd-YMp.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\w1iy9c2qwbwd-ymp.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\W1iY9C2qWbWd-YMp.avi.4DB214FD96BE0056AEEC5E5690084CF59F89409209291DFDF06575B636B33164" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\w1iy9c2qwbwd-ymp.avi.4db214fd96be0056aeec5e5690084cf59f89409209291dfdf06575b636b33164")) returned 1 [0149.485] GetProcessHeap () returned 0x4c0000 [0149.485] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0149.485] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0149.618] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x1800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0149.619] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0149.704] CloseHandle (hObject=0x120) returned 1 [0149.704] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\XAfEmSzW32uNo.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\xafemszw32uno.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\XAfEmSzW32uNo.mp4.5612A4ABA15432227C236A2BEA67CAF56F04C8CCD861E32983C70AB7C6D86C09" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\xafemszw32uno.mp4.5612a4aba15432227c236a2bea67caf56f04c8ccd861e32983c70ab7c6d86c09")) returned 1 [0149.706] GetProcessHeap () returned 0x4c0000 [0149.706] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0149.706] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0149.783] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0149.785] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0149.877] CloseHandle (hObject=0x120) returned 1 [0149.878] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZGmauB7tHN.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zgmaub7thn.odt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZGmauB7tHN.odt.268BCF1B49D6355ABE9AA45A6167F16D5C3F575408FF0DC45D70B9F4295CD877" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zgmaub7thn.odt.268bcf1b49d6355abe9aa45a6167f16d5c3f575408ff0dc45d70b9f4295cd877")) returned 1 [0149.879] GetProcessHeap () returned 0x4c0000 [0149.879] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0149.879] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0150.013] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0150.015] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0150.053] CloseHandle (hObject=0x120) returned 1 [0150.054] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_QZQ0b_.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_qzq0b_.csv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_QZQ0b_.csv.B01C3E188498CF577C2597CF5FBE1B72610BB29278B62F65D64704037A851329" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_qzq0b_.csv.b01c3e188498cf577c2597cf5fbe1b72610bb29278b62f65d64704037a851329")) returned 1 [0150.056] GetProcessHeap () returned 0x4c0000 [0150.056] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0150.056] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0150.101] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x6e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0150.102] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0150.215] CloseHandle (hObject=0x120) returned 1 [0150.216] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-HQ50Y79h.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-hq50y79h.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-HQ50Y79h.pptx.1CF290FF634299287AAA8F21F15522E1240FEC4910190726AE2AC1494DCBBD4B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-hq50y79h.pptx.1cf290ff634299287aaa8f21f15522e1240fec4910190726ae2ac1494dcbbd4b")) returned 1 [0150.217] GetProcessHeap () returned 0x4c0000 [0150.218] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0150.218] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0150.265] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0150.267] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0150.329] CloseHandle (hObject=0x120) returned 1 [0150.329] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\6agQ.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\6agq.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\6agQ.docx.3B0BE467659B31CE11FB1760DCFDA6D2768BDAF5DF80D91A972665563CB97402" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\6agq.docx.3b0be467659b31ce11fb1760dcfda6d2768bdaf5df80d91a972665563cb97402")) returned 1 [0150.331] GetProcessHeap () returned 0x4c0000 [0150.331] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0150.331] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0150.372] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0150.375] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0150.469] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0150.471] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0150.528] CloseHandle (hObject=0x120) returned 1 [0150.529] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\F jHWaq.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\f jhwaq.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\F jHWaq.xlsx.8CBB8300246BB469A2B9ECCB4CC887D7A5939E7D6D965FEF850EDF094DDDEA32" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\f jhwaq.xlsx.8cbb8300246bb469a2b9eccb4cc887d7a5939e7d6d965fef850edf094dddea32")) returned 1 [0150.530] GetProcessHeap () returned 0x4c0000 [0150.530] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0150.530] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0150.554] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x1200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0150.555] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0150.592] CloseHandle (hObject=0x120) returned 1 [0150.592] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KNANQ59bINsR fD2hz1x.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\knanq59binsr fd2hz1x.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KNANQ59bINsR fD2hz1x.docx.D9A2EEEFB38C079DB20435D811273EA6F111D2F42F172461384302B179AEFD5D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\knanq59binsr fd2hz1x.docx.d9a2eeefb38c079db20435d811273ea6f111d2f42f172461384302b179aefd5d")) returned 1 [0150.593] GetProcessHeap () returned 0x4c0000 [0150.593] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0150.594] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0150.644] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0150.645] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0150.747] CloseHandle (hObject=0x120) returned 1 [0150.748] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\lEbTOgfk.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\lebtogfk.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\lEbTOgfk.docx.8D8BA923541B75190400E0CCB6B96698EEB12A77E33350A993FF4B8D2874153A" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\lebtogfk.docx.8d8ba923541b75190400e0ccb6b96698eeb12a77e33350a993ff4b8d2874153a")) returned 1 [0150.749] GetProcessHeap () returned 0x4c0000 [0150.749] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0150.749] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0150.774] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0150.776] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0151.042] WriteFile (in: hFile=0x120, lpBuffer=0x54bb14*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 1 [0151.043] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0151.094] WriteFile (in: hFile=0x120, lpBuffer=0x54bb14*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 1 [0151.095] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0151.149] WriteFile (in: hFile=0x120, lpBuffer=0x54bb14*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 1 [0151.151] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0151.203] CloseHandle (hObject=0x120) returned 1 [0151.204] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OQgUKVa7GGa4T8C.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\oqgukva7gga4t8c.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OQgUKVa7GGa4T8C.pptx.6A8CE6268E425C863610F459AE10D78EAD95FB41BE12C3E5A79623D2A4570353" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\oqgukva7gga4t8c.pptx.6a8ce6268e425c863610f459ae10d78ead95fb41be12c3e5a79623d2a4570353")) returned 1 [0151.205] GetProcessHeap () returned 0x4c0000 [0151.205] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0151.205] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0151.256] WriteFile (in: hFile=0x1b8, lpBuffer=0x54bb14*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 1 [0151.258] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0151.389] CloseHandle (hObject=0x120) returned 1 [0151.390] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\pUUBN.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\puubn.pps"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\pUUBN.pps.CD9870EAB50D9D2B2C3A2E797C58311CD86D9BF5CF227DC52BFE16C800B6D41E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\puubn.pps.cd9870eab50d9d2b2c3a2e797c58311cd86d9bf5cf227dc52bfe16c800b6d41e")) returned 1 [0151.392] GetProcessHeap () returned 0x4c0000 [0151.392] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0151.392] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0151.611] WriteFile (in: hFile=0x1b8, lpBuffer=0x54bb14*, nNumberOfBytesToWrite=0x4c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 1 [0151.612] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0151.977] CloseHandle (hObject=0x124) returned 1 [0151.977] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\Q6xrv4uNCLEiIosbRekD.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qe9vnj9fzxmj9b4\\k arjl\\iw22pbxkxlveur2q\\q6xrv4uncleiiosbrekd.odt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\Q6xrv4uNCLEiIosbRekD.odt.4AB2A5C7241096BC529D60367AD7E6BBB87369C2E9114A59D84488AA93C53526" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qe9vnj9fzxmj9b4\\k arjl\\iw22pbxkxlveur2q\\q6xrv4uncleiiosbrekd.odt.4ab2a5c7241096bc529d60367ad7e6bbb87369c2e9114a59d84488aa93c53526")) returned 1 [0151.979] GetProcessHeap () returned 0x4c0000 [0151.979] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x553b30 | out: hHeap=0x4c0000) returned 1 [0151.979] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0152.039] WriteFile (in: hFile=0x124, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0152.041] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0152.104] CloseHandle (hObject=0x124) returned 1 [0152.105] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\_6MFepDBFNfzWIf.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qe9vnj9fzxmj9b4\\k arjl\\iw22pbxkxlveur2q\\_6mfepdbfnfzwif.pps"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\_6MFepDBFNfzWIf.pps.0B4D6B8E639B3F45E832B599B204F03D0575EE40AA49057AC7472A5FCEE6036A" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qe9vnj9fzxmj9b4\\k arjl\\iw22pbxkxlveur2q\\_6mfepdbfnfzwif.pps.0b4d6b8e639b3f45e832b599b204f03d0575ee40aa49057ac7472a5fcee6036a")) returned 1 [0152.106] GetProcessHeap () returned 0x4c0000 [0152.106] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0152.106] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0152.167] WriteFile (in: hFile=0x18c, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x6c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0152.168] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0152.262] CloseHandle (hObject=0x18c) returned 1 [0152.262] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\m2SJfU_P9eRX.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qe9vnj9fzxmj9b4\\k arjl\\m2sjfu_p9erx.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\m2SJfU_P9eRX.pptx.68A20F649DF6D98E33FFAD8B43FCB53A7AE42DAE2A24BABC963036EB5A1A5E1D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qe9vnj9fzxmj9b4\\k arjl\\m2sjfu_p9erx.pptx.68a20f649df6d98e33ffad8b43fcb53a7ae42dae2a24babc963036eb5a1a5e1d")) returned 1 [0152.264] GetProcessHeap () returned 0x4c0000 [0152.264] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0152.264] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0152.321] WriteFile (in: hFile=0x18c, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0152.323] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0152.513] CloseHandle (hObject=0x1b8) returned 1 [0152.514] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\PFovFcFkMoDv.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tdypv_9ygfbgvlp\\pfovfcfkmodv.rtf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\PFovFcFkMoDv.rtf.30BB393AD648EC9E66E3C4079D4BBE847B47FCEA577398A4084B8B2FA0B62A0C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tdypv_9ygfbgvlp\\pfovfcfkmodv.rtf.30bb393ad648ec9e66e3c4079d4bbe847b47fcea577398a4084b8b2fa0b62a0c")) returned 1 [0152.515] GetProcessHeap () returned 0x4c0000 [0152.515] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0152.515] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0152.564] WriteFile (in: hFile=0x1b8, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0152.569] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0152.604] WriteFile (in: hFile=0x18c, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x3400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0152.605] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0152.710] CloseHandle (hObject=0x18c) returned 1 [0152.711] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\8w_iQoUo6XxuX02SScr4.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tdypv_9ygfbgvlp\\r2rds_plw\\8w_iqouo6xxux02sscr4.pps"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\8w_iQoUo6XxuX02SScr4.pps.70A23E75972048A6B1B4A70687D46B528228CF909C4E3FC1938FDB57C4081A1B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tdypv_9ygfbgvlp\\r2rds_plw\\8w_iqouo6xxux02sscr4.pps.70a23e75972048a6b1b4a70687d46b528228cf909c4e3fc1938fdb57c4081a1b")) returned 1 [0152.713] GetProcessHeap () returned 0x4c0000 [0152.713] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0152.713] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0152.765] CloseHandle (hObject=0x18c) returned 1 [0152.765] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\F73w.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tdypv_9ygfbgvlp\\r2rds_plw\\f73w.rtf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\F73w.rtf.D6A7D37515D6D9F5677C8F7098864E617BE10DEE83FE89DB355D179F53A2DA4B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tdypv_9ygfbgvlp\\r2rds_plw\\f73w.rtf.d6a7d37515d6d9f5677c8f7098864e617be10dee83fe89db355d179f53a2da4b")) returned 1 [0152.766] GetProcessHeap () returned 0x4c0000 [0152.766] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0152.766] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0152.786] ReadFile (in: hFile=0x18c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0152.786] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0152.903] WriteFile (in: hFile=0x18c, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0152.905] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0153.032] CloseHandle (hObject=0x1b8) returned 1 [0153.033] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\xzM99eC6FmvYKnm.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tdypv_9ygfbgvlp\\xzm99ec6fmvyknm.pdf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\xzM99eC6FmvYKnm.pdf.D3AEEEF332DD4B05C90D6CEAA5462EA0BCE2C61975CD59924996FEEBC30A7053" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tdypv_9ygfbgvlp\\xzm99ec6fmvyknm.pdf.d3aeeef332dd4b05c90d6ceaa5462ea0bce2c61975cd59924996feebc30a7053")) returned 1 [0153.034] GetProcessHeap () returned 0x4c0000 [0153.034] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0153.034] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0153.055] ReadFile (in: hFile=0x1b8, lpBuffer=0x522abc, nNumberOfBytesToRead=0x4c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0153.055] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0153.073] CloseHandle (hObject=0x1b8) returned 1 [0153.074] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\YhBVoagfnEj_xYGMCjyl.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tdypv_9ygfbgvlp\\yhbvoagfnej_xygmcjyl.odp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\YhBVoagfnEj_xYGMCjyl.odp.019FC829063CCC007F5F5036D1BFB617C377248C5A71F7F61D18D76DA9C5B42F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tdypv_9ygfbgvlp\\yhbvoagfnej_xygmcjyl.odp.019fc829063ccc007f5f5036d1bfb617c377248c5a71f7f61d18d76da9c5b42f")) returned 1 [0153.076] GetProcessHeap () returned 0x4c0000 [0153.076] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0153.076] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0153.102] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x2c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0153.102] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0153.135] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0153.135] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0153.267] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0153.267] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0153.299] ReadFile (in: hFile=0x1b8, lpBuffer=0x54bb14, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0153.299] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0153.455] WriteFile (in: hFile=0x1b8, lpBuffer=0x54bb14, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 0x0 [0153.457] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0153.483] CloseHandle (hObject=0x1b8) returned 1 [0153.484] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\downloads.lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk.5A9CA9916809C860C9283F1DD0E756DBCD9C68767C9D64DCA246B51AA6D49650" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\downloads.lnk.5a9ca9916809c860c9283f1dd0e756dbcd9c68767c9d64dca246b51aa6d49650")) returned 1 [0153.485] GetProcessHeap () returned 0x4c0000 [0153.485] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0153.488] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0159.154] WriteFile (in: hFile=0x1b8, lpBuffer=0x3c480cc*, nNumberOfBytesToWrite=0x4c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098) returned 1 [0159.166] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0165.192] CloseHandle (hObject=0x1d8) returned 1 [0165.220] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\05_pictures_taken_in_the_last_month.wpl"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl.D4A26A2E7F8E2E70877E2A77B8993A4D9F17345DE448266D0C46EE731D764462" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\05_pictures_taken_in_the_last_month.wpl.d4a26a2e7f8e2e70877e2a77b8993a4d9f17345de448266d0c46ee731d764462")) returned 1 [0165.230] GetProcessHeap () returned 0x4c0000 [0165.230] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c720f8 | out: hHeap=0x4c0000) returned 1 [0165.231] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08) returned 1 [0166.559] CloseHandle (hObject=0x178) returned 1 [0166.572] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\orangecircles.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg.D984C89F19EDF99CEF3E19A6C272560250BD45C7553D8455BC373B12F5BF334A" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\orangecircles.jpg.d984c89f19edf99cef3e19a6c272560250bd45c7553d8455bc373b12f5bf334a")) returned 1 [0166.588] GetProcessHeap () returned 0x4c0000 [0166.588] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x552b28 | out: hHeap=0x4c0000) returned 1 [0166.589] GetQueuedCompletionStatus (CompletionPort=0x94, lpNumberOfBytesTransferred=0x1f2fe10, lpCompletionKey=0x1f2fe0c, lpOverlapped=0x1f2fe08, dwMilliseconds=0xffffffff) Thread: id = 3 os_tid = 0x2a8 [0061.327] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0079.075] CloseHandle (hObject=0x178) returned 1 [0079.081] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.3E6F36F71A1BB941387EC8150403467649F2FDE7ABCD9DB565C27BF17BF8836F" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml.3e6f36f71a1bb941387ec8150403467649f2fde7abcd9db565c27bf17bf8836f")) returned 1 [0079.082] GetProcessHeap () returned 0x4c0000 [0079.082] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b500e8 | out: hHeap=0x4c0000) returned 1 [0079.082] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0080.369] ReadFile (in: hFile=0x174, lpBuffer=0x592b6c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x572b38 | out: lpBuffer=0x592b6c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x572b38) returned 1 [0080.719] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0080.764] WriteFile (in: hFile=0x188, lpBuffer=0x3b2007c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b00048 | out: lpBuffer=0x3b2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b00048) returned 0x0 [0080.767] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0081.881] CloseHandle (hObject=0x174) returned 1 [0084.035] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.41A0E30146711B387E0A8ACE38C3E843348E864300EE3E06C86B558C24B74524" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi.41a0e30146711b387e0a8ace38c3e843348e864300ee3e06c86b558c24b74524")) returned 1 [0084.047] GetProcessHeap () returned 0x4c0000 [0084.047] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x572b38 | out: hHeap=0x4c0000) returned 1 [0084.051] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0084.439] ReadFile (in: hFile=0x1a0, lpBuffer=0x3bc01bc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ba0188 | out: lpBuffer=0x3bc01bc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ba0188) returned 1 [0084.439] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0084.482] ReadFile (in: hFile=0x184, lpBuffer=0x3cc01bc, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ca0188 | out: lpBuffer=0x3cc01bc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ca0188) returned 1 [0084.484] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0084.486] WriteFile (in: hFile=0x184, lpBuffer=0x3cc01bc, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ca0188 | out: lpBuffer=0x3cc01bc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ca0188) returned 0x0 [0085.223] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0085.410] WriteFile (in: hFile=0x178, lpBuffer=0x592b6c, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x572b38 | out: lpBuffer=0x592b6c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x572b38) returned 0x0 [0085.411] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0085.414] CloseHandle (hObject=0x18c) returned 1 [0085.795] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.00678306F9CDE8A7E0B88F64629E0969569A06FF4155E5779C39D3165C345240" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab.00678306f9cde8a7e0b88f64629e0969569a06ff4155e5779c39d3165c345240")) returned 1 [0085.797] GetProcessHeap () returned 0x4c0000 [0085.797] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b500e8 | out: hHeap=0x4c0000) returned 1 [0085.799] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0085.838] ReadFile (in: hFile=0x198, lpBuffer=0x3c480cc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098) returned 1 [0085.838] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0085.896] ReadFile (in: hFile=0x190, lpBuffer=0x3be820c, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc81d8 | out: lpBuffer=0x3be820c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc81d8) returned 1 [0085.897] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0085.922] ReadFile (in: hFile=0x194, lpBuffer=0x3b480cc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b28098 | out: lpBuffer=0x3b480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b28098) returned 1 [0085.923] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0096.497] WriteFile (in: hFile=0x198, lpBuffer=0x3c480cc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098) returned 0x0 [0096.499] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0096.512] CloseHandle (hObject=0x18c) returned 1 [0096.514] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.5E11BE09E13D9395AEA8E23DAFA565E0E3FE9BD95FAECDEC047B694B3917613A" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml.5e11be09e13d9395aea8e23dafa565e0e3fe9bd95faecdec047b694b3917613a")) returned 1 [0096.515] GetProcessHeap () returned 0x4c0000 [0096.515] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x54aae8 | out: hHeap=0x4c0000) returned 1 [0096.516] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0096.565] CloseHandle (hObject=0x184) returned 1 [0096.567] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.0EBC13BF42D5412933E6F1879A13A7BDFDFBB8E759F5A8A93BA95D49BFD32318" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml.0ebc13bf42d5412933e6f1879a13a7bdfdfbb8e759f5a8a93ba95d49bfd32318")) returned 1 [0096.567] GetProcessHeap () returned 0x4c0000 [0096.567] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0188 | out: hHeap=0x4c0000) returned 1 [0096.568] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0096.927] ReadFile (in: hFile=0x184, lpBuffer=0x56ab1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x54aae8 | out: lpBuffer=0x56ab1c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x54aae8) returned 1 [0096.927] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0096.940] WriteFile (in: hFile=0x184, lpBuffer=0x56ab1c, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54aae8 | out: lpBuffer=0x56ab1c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54aae8) returned 0x0 [0096.942] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0096.961] ReadFile (in: hFile=0x1a0, lpBuffer=0x592b6c, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x572b38 | out: lpBuffer=0x592b6c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x572b38) returned 1 [0096.962] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0096.970] CloseHandle (hObject=0x174) returned 1 [0096.971] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.20A11E93DADFC257714141C98FDC365A876279E6A14118CE570F51AD693A477C" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi.20a11e93dadfc257714141c98fdc365a876279e6a14118ce570f51ad693a477c")) returned 1 [0096.972] GetProcessHeap () returned 0x4c0000 [0096.972] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0188 | out: hHeap=0x4c0000) returned 1 [0096.973] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0096.990] CloseHandle (hObject=0x198) returned 1 [0096.992] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.E9471E2C855F120614F2EA168B7ADF9877EDE079AC701FB43B3C75377E2DA36A" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi.e9471e2c855f120614f2ea168b7adf9877ede079ac701fb43b3c75377e2da36a")) returned 1 [0096.993] GetProcessHeap () returned 0x4c0000 [0096.993] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0096.999] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0097.115] CloseHandle (hObject=0x170) returned 1 [0097.115] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.969271CFAD9B29390B8F6FC64F9F38AB4C2BA3BC4744E8261459684A6F218505" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi.969271cfad9b29390b8f6fc64f9f38ab4c2ba3bc4744e8261459684a6f218505")) returned 1 [0097.116] GetProcessHeap () returned 0x4c0000 [0097.116] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0097.116] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0097.176] WriteFile (in: hFile=0x1a0, lpBuffer=0x56ab1c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54aae8 | out: lpBuffer=0x56ab1c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54aae8) returned 0x0 [0097.183] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0097.189] CloseHandle (hObject=0x174) returned 1 [0097.192] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll.A28834FE329E2BF73510BC2E9F12B108719E85E6CEB48780FEB1982ADEB86135" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll.a28834fe329e2bf73510bc2e9f12b108719e85e6ceb48780feb1982adeb86135")) returned 1 [0097.196] GetProcessHeap () returned 0x4c0000 [0097.196] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x572b38 | out: hHeap=0x4c0000) returned 1 [0097.196] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0097.263] ReadFile (in: hFile=0x174, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0097.263] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0097.304] WriteFile (in: hFile=0x174, lpBuffer=0x3c2007c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 0x0 [0097.306] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0097.707] CloseHandle (hObject=0x170) returned 1 [0097.709] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.6C7B34BBBE6B5B38CBFEE8BF85F40593F5D181098CE56EC0A62F4727D9AD714F" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab.6c7b34bbbe6b5b38cbfee8bf85f40593f5d181098ce56ec0a62f4727d9ad714f")) returned 1 [0097.712] GetProcessHeap () returned 0x4c0000 [0097.712] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b28098 | out: hHeap=0x4c0000) returned 1 [0097.712] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0097.720] ReadFile (in: hFile=0x184, lpBuffer=0x592b6c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x572b38 | out: lpBuffer=0x592b6c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x572b38) returned 1 [0097.720] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0097.759] WriteFile (in: hFile=0x184, lpBuffer=0x592b6c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x572b38 | out: lpBuffer=0x592b6c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x572b38) returned 0x0 [0097.761] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0097.812] ReadFile (in: hFile=0x170, lpBuffer=0x56ab1c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x54aae8 | out: lpBuffer=0x56ab1c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x54aae8) returned 1 [0097.812] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0097.827] WriteFile (in: hFile=0x170, lpBuffer=0x56ab1c, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54aae8 | out: lpBuffer=0x56ab1c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54aae8) returned 0x0 [0097.828] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0097.843] ReadFile (in: hFile=0x194, lpBuffer=0x3b2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b00048 | out: lpBuffer=0x3b2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b00048) returned 1 [0097.844] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0097.888] WriteFile (in: hFile=0x194, lpBuffer=0x3b2007c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b00048 | out: lpBuffer=0x3b2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b00048) returned 0x0 [0097.889] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0097.922] CloseHandle (hObject=0x174) returned 1 [0097.923] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.AF15F1A16FF6E8954C57C1194771B591B5E98FBFCA432EBECD11800028C9392D" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi.af15f1a16ff6e8954c57c1194771b591b5e98fbfca432ebecd11800028c9392d")) returned 1 [0097.924] GetProcessHeap () returned 0x4c0000 [0097.924] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0097.924] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0097.927] ReadFile (in: hFile=0x198, lpBuffer=0x3b480cc, nNumberOfBytesToRead=0x6a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b28098 | out: lpBuffer=0x3b480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b28098) returned 1 [0097.927] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0098.197] CloseHandle (hObject=0x174) returned 1 [0098.198] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.2580E11390A069190A0BFC88CBDD9E6C7EDAD3DEECA2C884473F72F971F67E30" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm.2580e11390a069190a0bfc88cbdd9e6c7edad3deeca2c884473f72f971f67e30")) returned 1 [0098.199] GetProcessHeap () returned 0x4c0000 [0098.199] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0098.199] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0098.234] ReadFile (in: hFile=0x194, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0098.235] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0098.264] WriteFile (in: hFile=0x194, lpBuffer=0x3c2007c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 0x0 [0098.266] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0098.287] ReadFile (in: hFile=0x170, lpBuffer=0x56ab1c, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x54aae8 | out: lpBuffer=0x56ab1c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x54aae8) returned 1 [0098.287] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0098.290] WriteFile (in: hFile=0x170, lpBuffer=0x56ab1c, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54aae8 | out: lpBuffer=0x56ab1c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54aae8) returned 0x0 [0098.291] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0098.315] ReadFile (in: hFile=0x184, lpBuffer=0x592b6c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x572b38 | out: lpBuffer=0x592b6c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x572b38) returned 1 [0098.315] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0098.344] WriteFile (in: hFile=0x184, lpBuffer=0x592b6c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x572b38 | out: lpBuffer=0x592b6c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x572b38) returned 0x0 [0098.345] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0098.368] ReadFile (in: hFile=0x1a4, lpBuffer=0x3b2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b00048 | out: lpBuffer=0x3b2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b00048) returned 1 [0098.381] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0098.418] WriteFile (in: hFile=0x1a4, lpBuffer=0x3b2007c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b00048 | out: lpBuffer=0x3b2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b00048) returned 0x0 [0098.419] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0098.512] ReadFile (in: hFile=0x198, lpBuffer=0x3b480cc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b28098 | out: lpBuffer=0x3b480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b28098) returned 1 [0098.513] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0098.540] WriteFile (in: hFile=0x198, lpBuffer=0x3b480cc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b28098 | out: lpBuffer=0x3b480cc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b28098) returned 0x0 [0098.542] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0098.543] WriteFile (in: hFile=0x19c, lpBuffer=0x3b7011c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b500e8 | out: lpBuffer=0x3b7011c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b500e8) returned 1 [0098.544] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0099.930] CloseHandle (hObject=0x198) returned 1 [0099.931] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe.F46811E683C620981ECAB5AF3290FD32F1D8601C36669CF128E3039EA3F0B522" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe.f46811e683c620981ecab5af3290fd32f1d8601c36669cf128e3039ea3f0b522")) returned 1 [0099.932] GetProcessHeap () returned 0x4c0000 [0099.932] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c78138 | out: hHeap=0x4c0000) returned 1 [0099.932] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0100.485] ReadFile (in: hFile=0x19c, lpBuffer=0x592b6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x0, lpOverlapped=0x572b38 | out: lpBuffer=0x592b6c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x572b38) returned 1 [0100.485] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0100.533] WriteFile (in: hFile=0x18c, lpBuffer=0x56ab1c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54aae8 | out: lpBuffer=0x56ab1c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54aae8) returned 0x0 [0100.536] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0100.813] WriteFile (in: hFile=0x188, lpBuffer=0x3b480cc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b28098 | out: lpBuffer=0x3b480cc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b28098) returned 0x0 [0100.813] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0100.825] ReadFile (in: hFile=0x174, lpBuffer=0x3b9816c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b78138 | out: lpBuffer=0x3b9816c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b78138) returned 1 [0100.825] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0100.853] WriteFile (in: hFile=0x174, lpBuffer=0x3b9816c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b78138 | out: lpBuffer=0x3b9816c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b78138) returned 0x0 [0100.854] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0100.868] CloseHandle (hObject=0x180) returned 1 [0100.869] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll.2352B848D78F40435A5582183E64670B92C506FE9E02D8B0AF3DAF24FFE02A1C" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll.2352b848d78f40435a5582183e64670b92c506fe9e02d8b0af3daf24ffe02a1c")) returned 1 [0100.870] GetProcessHeap () returned 0x4c0000 [0100.870] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b500e8 | out: hHeap=0x4c0000) returned 1 [0100.870] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0100.919] ReadFile (in: hFile=0x180, lpBuffer=0x592b6c, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x0, lpOverlapped=0x572b38 | out: lpBuffer=0x592b6c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x572b38) returned 1 [0100.920] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0100.945] WriteFile (in: hFile=0x180, lpBuffer=0x592b6c*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x572b38 | out: lpBuffer=0x592b6c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x572b38) returned 1 [0100.946] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0100.948] CloseHandle (hObject=0x180) returned 1 [0100.949] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.70C39EFFFF5AC6FE714C73D38968B82622B1E924635597E75702917C58395A4E" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml.70c39effff5ac6fe714c73d38968b82622b1e924635597e75702917c58395a4e")) returned 1 [0100.950] GetProcessHeap () returned 0x4c0000 [0100.950] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x572b38 | out: hHeap=0x4c0000) returned 1 [0100.950] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0101.017] ReadFile (in: hFile=0x180, lpBuffer=0x592b6c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x572b38 | out: lpBuffer=0x592b6c, lpNumberOfBytesRead=0x0, lpOverlapped=0x572b38) returned 0x0 [0101.109] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0101.183] CloseHandle (hObject=0x188) returned 1 [0101.184] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe.3E9438FC3FC1A4462AA6769EF3A2524C04DA1B0970FCF142D2CA1F283CE42F79" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe.3e9438fc3fc1a4462aa6769ef3a2524c04da1b0970fcf142d2ca1f283ce42f79")) returned 1 [0101.185] GetProcessHeap () returned 0x4c0000 [0101.185] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x54aae8 | out: hHeap=0x4c0000) returned 1 [0101.185] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0101.191] ReadFile (in: hFile=0x19c, lpBuffer=0x3b480cc, nNumberOfBytesToRead=0x2200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b28098 | out: lpBuffer=0x3b480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b28098) returned 1 [0101.191] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0101.206] CloseHandle (hObject=0x180) returned 1 [0101.207] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab.C3CBB6FC553505F04585BEA264CB63657367A1C175EC44BA216F6B2FAE26003C" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab.c3cbb6fc553505f04585bea264cb63657367a1c175ec44ba216f6b2fae26003c")) returned 1 [0101.208] GetProcessHeap () returned 0x4c0000 [0101.208] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x572b38 | out: hHeap=0x4c0000) returned 1 [0101.213] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0101.639] ReadFile (in: hFile=0x184, lpBuffer=0x54ab0c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x52aad8 | out: lpBuffer=0x54ab0c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52aad8) returned 1 [0101.639] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0101.671] WriteFile (in: hFile=0x184, lpBuffer=0x54ab0c*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52aad8 | out: lpBuffer=0x54ab0c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52aad8) returned 1 [0101.672] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0101.673] CloseHandle (hObject=0x184) returned 1 [0101.674] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_assetid.h1w"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W.DF161A83E97A2060FE006880C66BC5DF0EE7CEBDCED3C6C6FD2AD24B16422753" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_assetid.h1w.df161a83e97a2060fe006880c66bc5df0ee7cebdced3c6c6fd2ad24b16422753")) returned 1 [0101.675] GetProcessHeap () returned 0x4c0000 [0101.675] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52aad8 | out: hHeap=0x4c0000) returned 1 [0101.675] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0101.758] ReadFile (in: hFile=0x1a4, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0101.758] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0101.836] WriteFile (in: hFile=0x184, lpBuffer=0x54ab0c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52aad8 | out: lpBuffer=0x54ab0c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52aad8) returned 0x0 [0101.837] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0101.852] CloseHandle (hObject=0x170) returned 1 [0101.853] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.h1d"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D.FF57DD97C67F02A9E957129C801A427F26FC85434E43012AB304E3052F6A3E03" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.h1d.ff57dd97c67f02a9e957129c801a427f26fc85434e43012ab304e3052f6a3e03")) returned 1 [0101.854] GetProcessHeap () returned 0x4c0000 [0101.854] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x552b28 | out: hHeap=0x4c0000) returned 1 [0101.854] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0102.362] WriteFile (in: hFile=0x18c, lpBuffer=0x3ba8174, nNumberOfBytesToWrite=0x3a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140) returned 0x0 [0102.364] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0102.701] WriteFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0102.702] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0103.005] WriteFile (in: hFile=0x1a4, lpBuffer=0x54ab0c, nNumberOfBytesToWrite=0x6200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52aad8 | out: lpBuffer=0x54ab0c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52aad8) returned 0x0 [0103.006] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0103.463] WriteFile (in: hFile=0x1a0, lpBuffer=0x3b580d4, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0) returned 0x0 [0103.476] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0107.290] CloseHandle (hObject=0x178) returned 1 [0107.292] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\visintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll.B7C5A2A203788A361D0955FAEDCEAB4FBD765A05E3A4D6380EE8C590DD368C4A" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\visintl.dll.trx_dll.b7c5a2a203788a361d0955faedceab4fbd765a05e3a4d6380ee8c590dd368c4a")) returned 1 [0107.292] GetProcessHeap () returned 0x4c0000 [0107.292] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0107.292] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0107.468] CloseHandle (hObject=0x1a4) returned 1 [0107.471] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\wwintl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll.D5163E369246A273AFFF41F268115C5A54F7CAD55EA1835DE56E38504C8B3303" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\wwintl.rest.trx_dll.d5163e369246a273afff41f268115c5a54f7cad55ea1835de56e38504c8b3303")) returned 1 [0107.503] GetProcessHeap () returned 0x4c0000 [0107.503] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0107.504] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0108.717] CloseHandle (hObject=0x19c) returned 1 [0108.718] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" (normalized: "c:\\programdata\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\patch\\x64\\windows6.1-kb2999226-x64.msu"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu.BCF2BF9586BC1CE860416E73B9562270E7458999A8D76DB962B7B67014DED067" (normalized: "c:\\programdata\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\patch\\x64\\windows6.1-kb2999226-x64.msu.bcf2bf9586bc1ce860416e73b9562270e7458999a8d76db962b7b67014ded067")) returned 1 [0108.719] GetProcessHeap () returned 0x4c0000 [0108.719] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0108.719] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0111.797] WriteFile (in: hFile=0x18c, lpBuffer=0x3c480cc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098) returned 0x0 [0111.945] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0112.382] WriteFile (in: hFile=0x184, lpBuffer=0x58fb54, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x56fb20 | out: lpBuffer=0x58fb54, lpNumberOfBytesWritten=0x0, lpOverlapped=0x56fb20) returned 0x0 [0112.384] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0112.493] CloseHandle (hObject=0x184) returned 1 [0112.499] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\adobecmapfnt10.lst"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst.49F0B9297563B7F901292ADD3A2076F2F9268E8E679120C41B9D07619236FF4B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\adobecmapfnt10.lst.49f0b9297563b7f901292add3a2076f2f9268e8e679120c41b9d07619236ff4b")) returned 1 [0112.500] GetProcessHeap () returned 0x4c0000 [0112.500] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x56fb20 | out: hHeap=0x4c0000) returned 1 [0112.504] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0112.597] WriteFile (in: hFile=0x1b0, lpBuffer=0x3cc01bc, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ca0188 | out: lpBuffer=0x3cc01bc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ca0188) returned 0x0 [0112.600] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0112.770] CloseHandle (hObject=0x114) returned 1 [0112.772] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab.9F830D6405817EAF69B6806CBC75A57170C4461AB14FA2F42ABEAE7EB86F391C" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\cab1.cab.9f830d6405817eaf69b6806cbc75a57170c4461ab14fa2f42abeae7eb86f391c")) returned 1 [0113.112] GetProcessHeap () returned 0x4c0000 [0113.112] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0113.115] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0113.236] CloseHandle (hObject=0x17c) returned 1 [0113.271] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\GoogleUpdateSetup.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\googleupdatesetup.exe"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\GoogleUpdateSetup.exe.3CF574D6C3949A5AD57014A056B2A79A58A588C19F6874D8080E04CE55AC003E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\googleupdatesetup.exe.3cf574d6c3949a5ad57014a056b2a79a58a588c19f6874d8080e04ce55ac003e")) returned 1 [0113.304] GetProcessHeap () returned 0x4c0000 [0113.304] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x54caf8 | out: hHeap=0x4c0000) returned 1 [0113.305] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0113.310] CloseHandle (hObject=0x16c) returned 1 [0113.311] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.cdf-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.cdf-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.cdf-ms.B1DED7B6A360FA705295093C7FE96833B706021A1F49A2FDADFC9DDC0615C653" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.cdf-ms.b1ded7b6a360fa705295093c7fe96833b706021a1f49a2fdadfc9ddc0615c653")) returned 1 [0113.312] GetProcessHeap () returned 0x4c0000 [0113.312] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0113.312] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0113.410] CloseHandle (hObject=0x180) returned 1 [0113.412] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest.FCC587B273057C7890AC395F4CF58EE7739AE2C8B9439A59B3E82D979F4A5F0A" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest.fcc587b273057c7890ac395f4cf58ee7739ae2c8b9439a59b3e82d979f4a5f0a")) returned 1 [0113.413] GetProcessHeap () returned 0x4c0000 [0113.413] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0113.414] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0113.434] WriteFile (in: hFile=0x16c, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x3800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0113.436] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0113.848] CloseHandle (hObject=0x194) returned 1 [0113.849] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest.128CB2DC964A3E22676E69D9A970CCC8C7437A190098C83524315AD724C1780F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest.128cb2dc964a3e22676e69d9a970ccc8c7437a190098c83524315ad724c1780f")) returned 1 [0113.850] GetProcessHeap () returned 0x4c0000 [0113.850] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0113.850] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0113.863] ReadFile (in: hFile=0x1ac, lpBuffer=0x3b580d4, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0) returned 1 [0113.864] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0113.903] ReadFile (in: hFile=0x1b0, lpBuffer=0x3be8114, nNumberOfBytesToRead=0x1c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0) returned 1 [0113.903] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0114.101] WriteFile (in: hFile=0x1ac, lpBuffer=0x3b580d4, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0) returned 0x0 [0114.103] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0114.158] CloseHandle (hObject=0x1b0) returned 1 [0114.159] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cookies"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies.1F01A34609F7E546C66135979453FF5A520A09F8CCADB04760F175392095CC6F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cookies.1f01a34609f7e546c66135979453ff5a520a09f8ccadb04760f175392095cc6f")) returned 1 [0114.159] GetProcessHeap () returned 0x4c0000 [0114.159] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0114.159] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0117.433] CloseHandle (hObject=0x17c) returned 1 [0117.440] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\manifest.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\manifest.json.FB90C6F6CB84418C0DBAC253FEB0D1E8F7C1A7E27986219096E88CA18970C83E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\manifest.json.fb90c6f6cb84418c0dbac253feb0d1e8f7c1a7e27986219096e88ca18970c83e")) returned 1 [0117.447] GetProcessHeap () returned 0x4c0000 [0117.447] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.450] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0117.609] CloseHandle (hObject=0x1ac) returned 1 [0117.609] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\messages.json.D5EAC7A786C824ADEFD3E8A2B9D01E1AFDC3E91524ED2238257FB857F6329465" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\messages.json.d5eac7a786c824adefd3e8a2b9d01e1afdc3e91524ed2238257fb857f6329465")) returned 1 [0117.610] GetProcessHeap () returned 0x4c0000 [0117.610] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0117.610] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0117.670] ReadFile (in: hFile=0x17c, lpBuffer=0x55cb24, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0) returned 1 [0117.670] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0117.792] CloseHandle (hObject=0x17c) returned 1 [0117.795] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\messages.json.A9A69F08950787356E3D80EB9DC12FBFEB00B61BA5FD7C42FB07443D11B56D73" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\messages.json.a9a69f08950787356e3d80eb9dc12fbfeb00b61ba5fd7c42fb07443d11b56d73")) returned 1 [0117.797] GetProcessHeap () returned 0x4c0000 [0117.797] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0117.798] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0117.832] ReadFile (in: hFile=0x184, lpBuffer=0x3cc003c, nNumberOfBytesToRead=0xa00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ca0008 | out: lpBuffer=0x3cc003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ca0008) returned 1 [0117.832] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0117.835] WriteFile (in: hFile=0x184, lpBuffer=0x3cc003c, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ca0008 | out: lpBuffer=0x3cc003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ca0008) returned 0x0 [0117.836] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0117.858] ReadFile (in: hFile=0x1b0, lpBuffer=0x55cb24, nNumberOfBytesToRead=0x4400, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0) returned 1 [0117.858] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0117.987] CloseHandle (hObject=0x184) returned 1 [0117.988] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\computed_hashes.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\computed_hashes.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\computed_hashes.json.26C7CBB699E19C83C6A6636EE33228FADD55AD13AD759A9EDAC6E02C9E5E197E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\computed_hashes.json.26c7cbb699e19c83c6a6636ee33228fadd55ad13ad759a9edac6e02c9e5e197e")) returned 1 [0117.989] GetProcessHeap () returned 0x4c0000 [0117.989] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.989] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0118.201] CloseHandle (hObject=0x114) returned 1 [0118.205] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\craw_window.css" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\craw_window.css"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\craw_window.css.1C11BA688AEF4C7DB46A629EE29E89D9745B756F72C3F6659341E269D3B2E526" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\craw_window.css.1c11ba688aef4c7db46a629ee29e89d9745b756f72c3f6659341e269d3b2e526")) returned 1 [0118.206] GetProcessHeap () returned 0x4c0000 [0118.206] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0118.206] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0118.935] WriteFile (in: hFile=0x17c, lpBuffer=0x3b580d4, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0) returned 0x0 [0118.957] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0118.999] ReadFile (in: hFile=0x1b8, lpBuffer=0x3c91134, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c71100 | out: lpBuffer=0x3c91134*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c71100) returned 1 [0118.999] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0119.571] WriteFile (in: hFile=0x1b4, lpBuffer=0x3ba8174, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140) returned 0x0 [0119.648] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0119.732] ReadFile (in: hFile=0x184, lpBuffer=0x3b80124, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0) returned 1 [0119.733] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0119.759] ReadFile (in: hFile=0x16c, lpBuffer=0x55cb24, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0) returned 1 [0119.761] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0119.792] ReadFile (in: hFile=0x1b0, lpBuffer=0x584b74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74*, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40) returned 1 [0119.792] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0119.844] ReadFile (in: hFile=0x1ac, lpBuffer=0x3c690e4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c490b0 | out: lpBuffer=0x3c690e4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c490b0) returned 1 [0119.844] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0119.845] CloseHandle (hObject=0x198) returned 1 [0120.064] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\messages.json.872C998FC63D8A207B632125EF173284655FD5FD72921FDE638A99B2003BED60" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\messages.json.872c998fc63d8a207b632125ef173284655fd5fd72921fde638a99b2003bed60")) returned 1 [0120.065] GetProcessHeap () returned 0x4c0000 [0120.065] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0120.067] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0120.177] CloseHandle (hObject=0x1c4) returned 1 [0120.177] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\messages.json.72AB6466BD6E7EDDD5BC4660A64E1ECF7562FEEA3921321187D41D586621F924" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\messages.json.72ab6466bd6e7eddd5bc4660a64e1ecf7562feea3921321187d41d586621f924")) returned 1 [0120.178] GetProcessHeap () returned 0x4c0000 [0120.178] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3d11058 | out: hHeap=0x4c0000) returned 1 [0120.178] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0120.243] ReadFile (in: hFile=0x184, lpBuffer=0x3b580d4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0) returned 1 [0120.243] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0120.243] CloseHandle (hObject=0x1ac) returned 1 [0120.276] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\messages.json.4AEFAA33970AE63A2D96FA277DE423D2A73733F5C0FBAAA4C9DF6FAD5EB2C331" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\messages.json.4aefaa33970ae63a2d96fa277de423d2a73733f5c0fbaaa4c9df6fad5eb2c331")) returned 1 [0120.296] GetProcessHeap () returned 0x4c0000 [0120.296] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c490b0 | out: hHeap=0x4c0000) returned 1 [0120.296] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0120.387] ReadFile (in: hFile=0x1b4, lpBuffer=0x3ba8174, nNumberOfBytesToRead=0x2c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140) returned 1 [0120.387] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0120.425] CloseHandle (hObject=0x1c0) returned 1 [0120.426] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_cn\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\messages.json.E0B5D4559901A4A8F68EE76E0E6D98B188401E290C3B33AD0C1E2FE537080752" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_cn\\messages.json.e0b5d4559901a4a8f68ee76e0e6d98b188401e290c3b33ad0c1e2fe537080752")) returned 1 [0120.427] GetProcessHeap () returned 0x4c0000 [0120.427] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0120.428] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0121.316] WriteFile (in: hFile=0x178, lpBuffer=0x3d0903c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ce9008 | out: lpBuffer=0x3d0903c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ce9008) returned 0x0 [0121.317] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0121.322] ReadFile (in: hFile=0x114, lpBuffer=0x3d3108c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d11058 | out: lpBuffer=0x3d3108c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d11058) returned 1 [0121.323] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0121.367] WriteFile (in: hFile=0x114, lpBuffer=0x3d3108c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d11058 | out: lpBuffer=0x3d3108c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d11058) returned 0x0 [0121.368] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0122.083] CloseHandle (hObject=0x1b8) returned 1 [0122.086] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html.47FE3E53DD1C145EF089C7147D0EBD8BE63FE238C396B73976BBB651C8C14D76" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html.47fe3e53dd1c145ef089c7147d0ebd8be63fe238c396b73976bbb651c8c14d76")) returned 1 [0122.087] GetProcessHeap () returned 0x4c0000 [0122.087] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b88140 | out: hHeap=0x4c0000) returned 1 [0122.091] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0122.138] CloseHandle (hObject=0x1ac) returned 1 [0122.139] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.js.E034CF3E171C122427EB714B68EDB75EEE614C3765D85C4A57E6D98AF03A0532" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.js.e034cf3e171c122427eb714b68edb75eee614c3765d85c4a57e6d98af03a0532")) returned 1 [0122.140] GetProcessHeap () returned 0x4c0000 [0122.140] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0122.141] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0122.160] ReadFile (in: hFile=0x1ac, lpBuffer=0x3da917c, nNumberOfBytesToRead=0x800, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d89148 | out: lpBuffer=0x3da917c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d89148) returned 1 [0122.161] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0122.189] CloseHandle (hObject=0x198) returned 1 [0122.190] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png.8C5B24EFFA6B58266F3D15D366FC2CFC73E404A6252A604BAFC42285D0161172" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png.8c5b24effa6b58266f3d15d366fc2cfc73e404a6252a604bafc42285d0161172")) returned 1 [0122.191] GetProcessHeap () returned 0x4c0000 [0122.191] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0122.191] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0122.194] ReadFile (in: hFile=0x1b4, lpBuffer=0x3c4008c, nNumberOfBytesToRead=0x4800, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c20058 | out: lpBuffer=0x3c4008c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c20058) returned 1 [0122.194] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0122.212] WriteFile (in: hFile=0x1b4, lpBuffer=0x3c4008c, nNumberOfBytesToWrite=0x4800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c20058 | out: lpBuffer=0x3c4008c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c20058) returned 0x0 [0122.213] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0122.327] CloseHandle (hObject=0x114) returned 1 [0122.328] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_sender.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_sender.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_sender.js.73CCA0C8B0C87E1259D9B569A77DF09802F7F895A92D76953452D75A97FED374" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_sender.js.73cca0c8b0c87e1259d9b569a77df09802f7f895a92d76953452d75a97fed374")) returned 1 [0122.328] GetProcessHeap () returned 0x4c0000 [0122.329] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3d11058 | out: hHeap=0x4c0000) returned 1 [0122.329] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0122.333] CloseHandle (hObject=0x198) returned 1 [0122.521] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\messages.json.1578A71D4D56C122357BFBC6A09ACD413396E5F922AB7C1399F408974543363B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\messages.json.1578a71d4d56c122357bfbc6a09acd413396e5f922ab7c1399f408974543363b")) returned 1 [0122.522] GetProcessHeap () returned 0x4c0000 [0122.522] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x564b40 | out: hHeap=0x4c0000) returned 1 [0122.522] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0123.024] ReadFile (in: hFile=0x1d0, lpBuffer=0x3b80124, nNumberOfBytesToRead=0x3e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0) returned 1 [0123.024] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0123.038] ReadFile (in: hFile=0x1e0, lpBuffer=0x40b011c, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x0, lpOverlapped=0x40900e8 | out: lpBuffer=0x40b011c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x40900e8) returned 1 [0123.039] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0123.159] WriteFile (in: hFile=0x1d0, lpBuffer=0x3b80124, nNumberOfBytesToWrite=0x3e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0) returned 0x0 [0123.224] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0123.225] CloseHandle (hObject=0x1c4) returned 1 [0123.225] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\messages.json.71C4802548FED7E9F496392C051A3B37AC952B8B9B560A62185D23D859D1CD1A" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\messages.json.71c4802548fed7e9f496392c051a3b37ac952b8b9b560a62185d23d859d1cd1a")) returned 1 [0123.227] GetProcessHeap () returned 0x4c0000 [0123.227] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0123.227] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0123.302] CloseHandle (hObject=0x1b4) returned 1 [0123.593] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\messages.json.ED610136BD7E58ED2DB586E67202581E9B8F3CD0F6553ADFEDB6641B3D2DAD07" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\messages.json.ed610136bd7e58ed2db586e67202581e9b8f3cd0f6553adfedb6641b3d2dad07")) returned 1 [0123.722] GetProcessHeap () returned 0x4c0000 [0123.722] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3db1198 | out: hHeap=0x4c0000) returned 1 [0123.724] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0123.799] ReadFile (in: hFile=0x1dc, lpBuffer=0x55cb24, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0) returned 1 [0123.841] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0123.873] CloseHandle (hObject=0x1d8) returned 1 [0124.693] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\messages.json.6FD6E4B1386DB682E1FCC8A5F54C71C2FF6FE89836F7BA0CB9928AD3DE941D43" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\messages.json.6fd6e4b1386db682e1fcc8a5f54c71c2ff6fe89836f7ba0cb9928ad3de941d43")) returned 1 [0124.843] GetProcessHeap () returned 0x4c0000 [0124.843] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x4040048 | out: hHeap=0x4c0000) returned 1 [0124.857] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0124.971] CloseHandle (hObject=0x1d4) returned 1 [0124.973] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\messages.json.19CBC1FD624349A0D2CC4379F276EBD58FA61792D9A79AB16A9692B7E8F44B1B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\messages.json.19cbc1fd624349a0d2cc4379f276ebd58fa61792d9a79ab16a9692b7e8f44b1b")) returned 1 [0124.974] GetProcessHeap () returned 0x4c0000 [0124.974] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b88140 | out: hHeap=0x4c0000) returned 1 [0124.974] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0125.169] WriteFile (in: hFile=0x1e4, lpBuffer=0x3c9212c, nNumberOfBytesToWrite=0x5200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8) returned 0x0 [0125.170] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0125.214] ReadFile (in: hFile=0x1ac, lpBuffer=0x3cba17c, nNumberOfBytesToRead=0x3e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c9a148 | out: lpBuffer=0x3cba17c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c9a148) returned 1 [0125.214] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0125.755] CloseHandle (hObject=0x1bc) returned 1 [0125.756] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\messages.json.22A54886B076925ADF21E1690519FBC96222BA35D5AF1DFCE509315954CD2429" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\messages.json.22a54886b076925adf21e1690519fbc96222ba35d5af1dfce509315954cd2429")) returned 1 [0125.757] GetProcessHeap () returned 0x4c0000 [0125.757] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c480a8 | out: hHeap=0x4c0000) returned 1 [0125.757] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0126.230] WriteFile (in: hFile=0x1ac, lpBuffer=0x3c680dc, nNumberOfBytesToWrite=0x4800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c480a8 | out: lpBuffer=0x3c680dc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c480a8) returned 0x0 [0126.231] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0126.720] ReadFile (in: hFile=0x17c, lpBuffer=0x3daa35c, nNumberOfBytesToRead=0x3c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d8a328 | out: lpBuffer=0x3daa35c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d8a328) returned 1 [0126.720] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0126.738] CloseHandle (hObject=0x16c) returned 1 [0126.783] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\messages.json.708FFAFE0B0EF396A768B75CEA304CD25C22453BC03023E115A2333674343A24" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\messages.json.708ffafe0b0ef396a768b75cea304cd25c22453bc03023e115a2333674343a24")) returned 1 [0126.783] GetProcessHeap () returned 0x4c0000 [0126.783] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x564b40 | out: hHeap=0x4c0000) returned 1 [0126.811] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0126.897] CloseHandle (hObject=0x1d8) returned 1 [0127.003] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\messages.json.F4843D13EFBA858BA0F33897D7CBC0AB9D67DFF0C614601247162CD3A060EF04" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\messages.json.f4843d13efba858ba0f33897d7cbc0ab9d67dff0c614601247162cd3a060ef04")) returned 1 [0127.012] GetProcessHeap () returned 0x4c0000 [0127.012] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3d12238 | out: hHeap=0x4c0000) returned 1 [0127.012] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0127.146] CloseHandle (hObject=0x1d0) returned 1 [0127.148] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\verified_contents.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\verified_contents.json.5E94C3C084EF632C534E6C92C57825CFA78FFCAA1666C4A1B707231F66F3B330" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\verified_contents.json.5e94c3c084ef632c534e6c92c57825cfa78ffcaa1666c4a1b707231f66f3b330")) returned 1 [0127.150] GetProcessHeap () returned 0x4c0000 [0127.151] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x564b40 | out: hHeap=0x4c0000) returned 1 [0127.151] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0127.162] ReadFile (in: hFile=0x17c, lpBuffer=0x3c4008c, nNumberOfBytesToRead=0x1400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c20058 | out: lpBuffer=0x3c4008c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c20058) returned 1 [0127.162] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0127.259] WriteFile (in: hFile=0x18c, lpBuffer=0x3daa35c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d8a328 | out: lpBuffer=0x3daa35c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d8a328) returned 0x0 [0127.261] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0127.376] ReadFile (in: hFile=0x1c0, lpBuffer=0x3c680dc, nNumberOfBytesToRead=0x3000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c480a8 | out: lpBuffer=0x3c680dc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c480a8) returned 1 [0127.376] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0127.484] ReadFile (in: hFile=0x1d0, lpBuffer=0x584b74, nNumberOfBytesToRead=0x4800, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74*, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40) returned 1 [0127.484] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0127.496] ReadFile (in: hFile=0x1d8, lpBuffer=0x3b580d4, nNumberOfBytesToRead=0x3c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0) returned 1 [0127.522] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0127.545] ReadFile (in: hFile=0x178, lpBuffer=0x3b80124, nNumberOfBytesToRead=0x1400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0) returned 1 [0127.551] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0127.600] CloseHandle (hObject=0x18c) returned 1 [0127.601] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\history"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History.3E828F8A7CE13406210296CD5D23BB150C9CBCDC9197A199403A1787C61BDF7F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\history.3e828f8a7ce13406210296cd5d23bb150c9cbcdc9197a199403a1787c61bdf7f")) returned 1 [0127.602] GetProcessHeap () returned 0x4c0000 [0127.602] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3d8a328 | out: hHeap=0x4c0000) returned 1 [0127.606] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0127.625] ReadFile (in: hFile=0x18c, lpBuffer=0x3b80124, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0) returned 1 [0127.636] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0127.642] CloseHandle (hObject=0x194) returned 1 [0127.643] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\favicons"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons.2A5966C2C9CAE8958E933537DCE61E02D3204860FDDD94DDD971A22DEEC73D37" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\favicons.2a5966c2c9cae8958e933537dce61e02d3204860fddd94ddd971a22deec73d37")) returned 1 [0127.644] GetProcessHeap () returned 0x4c0000 [0127.644] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0127.647] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0127.674] CloseHandle (hObject=0x1c0) returned 1 [0127.676] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage.F6B3DB19A4D2355B2102A977BB7B5D06A9ED9D828AB70EDDC78C83C9381AE922" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage.f6b3db19a4d2355b2102a977bb7b5d06a9ed9d828ab70eddc78c83c9381ae922")) returned 1 [0127.677] GetProcessHeap () returned 0x4c0000 [0127.677] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c480a8 | out: hHeap=0x4c0000) returned 1 [0127.677] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0127.681] CloseHandle (hObject=0x1d8) returned 1 [0127.683] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Action Predictor" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\network action predictor"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Action Predictor.1FC3684A77BDC7AB9C38DBD445F7AF02A4CCF5ADD2002F3E6B08A1477D7FDF2E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\network action predictor.1fc3684a77bdc7ab9c38dbd445f7af02a4ccf5add2002f3e6b08a1477d7fdf2e")) returned 1 [0127.685] GetProcessHeap () returned 0x4c0000 [0127.685] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0127.688] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0128.091] ReadFile (in: hFile=0x1d8, lpBuffer=0x3b580d4, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0) returned 1 [0128.091] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0128.104] CloseHandle (hObject=0x184) returned 1 [0128.485] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Google Profile.ico" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\google profile.ico"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Google Profile.ico.8C8828D101723AF8C1CDBC05992659F8F24779171ACF8F66BB9B1EAC990D6173" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\google profile.ico.8c8828d101723af8c1cdbc05992659f8f24779171acf8f66bb9b1eac990d6173")) returned 1 [0128.490] GetProcessHeap () returned 0x4c0000 [0128.490] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0128.490] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0128.490] CloseHandle (hObject=0x1d0) returned 1 [0128.492] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\login data"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data.AC0D3F6829A0C4D8BDBF1948D92BB0E676D5B8A6D8D71020BD8AF57114B36A41" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\login data.ac0d3f6829a0c4d8bdbf1948d92bb0e676d5b8a6d8d71020bd8af57114b36a41")) returned 1 [0128.493] GetProcessHeap () returned 0x4c0000 [0128.493] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x564b40 | out: hHeap=0x4c0000) returned 1 [0128.496] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0129.008] CloseHandle (hObject=0x18c) returned 1 [0129.136] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\previews_opt_out.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\previews_opt_out.db"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\previews_opt_out.db.794F14E560B730CBD1ED19B034B64D182E9F053176CFD4739C4F1497F9A6D01F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\previews_opt_out.db.794f14e560b730cbd1ed19b034b64d182e9f053176cfd4739c4f1497f9a6d01f")) returned 1 [0129.142] GetProcessHeap () returned 0x4c0000 [0129.142] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0129.143] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0129.674] WriteFile (in: hFile=0x1d0, lpBuffer=0x3c4008c*, nNumberOfBytesToWrite=0x1400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c20058 | out: lpBuffer=0x3c4008c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c20058) returned 1 [0129.863] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0129.863] CloseHandle (hObject=0x1d0) returned 1 [0129.865] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Channel IDs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\safe browsing channel ids"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Channel IDs.2C1A9C9DB1035A897DB6E1AC673DD46F64F0C770F0A330B30C0513256F0D6F5A" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\safe browsing channel ids.2c1a9c9db1035a897db6e1ac673dd46f64f0c770f0a330b30c0513256f0d6f5a")) returned 1 [0129.866] GetProcessHeap () returned 0x4c0000 [0129.866] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0129.866] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0130.159] ReadFile (in: hFile=0x1a8, lpBuffer=0x3be8114, nNumberOfBytesToRead=0x7000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0) returned 1 [0130.159] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0130.197] WriteFile (in: hFile=0x1a8, lpBuffer=0x3be8114, nNumberOfBytesToWrite=0x7000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0) returned 0x0 [0130.199] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0130.506] CloseHandle (hObject=0x17c) returned 1 [0130.507] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\webslices~\\web slice gallery~.feed-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms.A6E9074F648F65935FCD44E80E5A07FE68C637DAE3B360EC770758FCA5034F5B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\webslices~\\web slice gallery~.feed-ms.a6e9074f648f65935fcd44e80e5a07fe68c637dae3b360ec770758fca5034f5b")) returned 1 [0130.508] GetProcessHeap () returned 0x4c0000 [0130.508] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0130.509] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0130.608] ReadFile (in: hFile=0x17c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0130.664] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0130.939] WriteFile (in: hFile=0x174, lpBuffer=0x55cb24*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0) returned 1 [0130.942] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0131.157] WriteFile (in: hFile=0x17c, lpBuffer=0x55cb24*, nNumberOfBytesToWrite=0x1200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0) returned 1 [0131.158] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0131.632] CloseHandle (hObject=0x1a8) returned 1 [0131.634] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\06_Pictures_rated_4_or_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\06_pictures_rated_4_or_5_stars.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\06_Pictures_rated_4_or_5_stars.wpl.82912EF8DFE9654032A8E8E7760D9037240F1A6D3696770633BD8A74FEF0C600" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\06_pictures_rated_4_or_5_stars.wpl.82912ef8dfe9654032a8e8e7760d9037240f1a6d3696770633bd8a74fef0c600")) returned 1 [0131.640] GetProcessHeap () returned 0x4c0000 [0131.640] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0131.640] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0131.691] ReadFile (in: hFile=0x18c, lpBuffer=0x3b580d4, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0) returned 1 [0131.691] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0131.692] WriteFile (in: hFile=0x18c, lpBuffer=0x3b580d4, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0) returned 0x0 [0131.694] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0131.762] ReadFile (in: hFile=0x194, lpBuffer=0x3ba8174, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140) returned 1 [0131.762] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0131.764] WriteFile (in: hFile=0x194, lpBuffer=0x3ba8174*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140) returned 1 [0131.765] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0131.766] CloseHandle (hObject=0x194) returned 1 [0131.767] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\12_All_Video.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\12_all_video.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\12_All_Video.wpl.AE8FD9E32D42223686A7FDCF4BE1BDC3E568CDAE95C3078734E84E067C674F3F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\12_all_video.wpl.ae8fd9e32d42223686a7fdcf4be1bdc3e568cdae95c3078734e84e067c674f3f")) returned 1 [0131.768] GetProcessHeap () returned 0x4c0000 [0131.768] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b88140 | out: hHeap=0x4c0000) returned 1 [0131.768] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0131.775] WriteFile (in: hFile=0x178, lpBuffer=0x3b80124*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0) returned 1 [0131.860] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0131.873] ReadFile (in: hFile=0x1d8, lpBuffer=0x3ba8174, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140) returned 1 [0131.873] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0131.902] ReadFile (in: hFile=0x18c, lpBuffer=0x3b580d4, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0) returned 1 [0131.904] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0131.985] ReadFile (in: hFile=0x174, lpBuffer=0x3be8114, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0) returned 1 [0131.990] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0131.999] WriteFile (in: hFile=0x174, lpBuffer=0x3be8114*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0) returned 1 [0132.003] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0132.118] ReadFile (in: hFile=0x178, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0132.118] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0132.120] WriteFile (in: hFile=0x178, lpBuffer=0x3c2007c*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 1 [0132.122] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0132.122] CloseHandle (hObject=0x178) returned 1 [0132.124] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\07_tv_recorded_in_the_last_week.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl.378D476B837D7B17B6B3CF1F9D0A3A2EE71FD6306482CCD871B8B3F70FD0926A" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\07_tv_recorded_in_the_last_week.wpl.378d476b837d7b17b6b3cf1f9d0a3a2ee71fd6306482ccd871b8b3f70fd0926a")) returned 1 [0132.126] GetProcessHeap () returned 0x4c0000 [0132.126] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0132.126] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0132.129] CloseHandle (hObject=0x1a8) returned 1 [0132.130] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\08_Video_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\08_video_rated_at_4_or_5_stars.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\08_Video_rated_at_4_or_5_stars.wpl.727A89AEB293881AC54C2C0C314DFF06249E4552B3A2A7C9F240545E0DBADE39" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\08_video_rated_at_4_or_5_stars.wpl.727a89aeb293881ac54c2c0c314dff06249e4552b3a2a7c9f240545e0dbade39")) returned 1 [0132.132] GetProcessHeap () returned 0x4c0000 [0132.132] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0132.136] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0132.146] ReadFile (in: hFile=0x18c, lpBuffer=0x3c480cc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098) returned 1 [0132.146] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0132.150] CloseHandle (hObject=0x18c) returned 1 [0132.152] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\08_video_rated_at_4_or_5_stars.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl.FF5D8C0C949E51A2F8F98A56C7931B7A93EB782DBA0F4F99D39A6B13A5E6482C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\08_video_rated_at_4_or_5_stars.wpl.ff5d8c0c949e51a2f8f98a56c7931b7a93eb782dba0f4f99d39a6b13a5e6482c")) returned 1 [0132.154] GetProcessHeap () returned 0x4c0000 [0132.154] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0132.156] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0132.189] ReadFile (in: hFile=0x18c, lpBuffer=0x55cb24, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0) returned 1 [0132.189] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0132.190] WriteFile (in: hFile=0x18c, lpBuffer=0x55cb24, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0) returned 0x0 [0132.192] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0132.216] ReadFile (in: hFile=0x1a8, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0132.216] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0132.254] ReadFile (in: hFile=0x178, lpBuffer=0x3c480cc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098) returned 1 [0132.263] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0132.268] CloseHandle (hObject=0x174) returned 1 [0132.270] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\06_pictures_rated_4_or_5_stars.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl.75FC850C00BCA631F0AB31506A9670E93DCAB67A5CC02FBBE47BF216252A7238" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\06_pictures_rated_4_or_5_stars.wpl.75fc850c00bca631f0ab31506a9670e93dcab67a5cc02fbbe47bf216252a7238")) returned 1 [0132.271] GetProcessHeap () returned 0x4c0000 [0132.271] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0132.276] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0132.277] CloseHandle (hObject=0x184) returned 1 [0132.278] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\05_pictures_taken_in_the_last_month.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl.8E25CC758D0BD245258C633158A67B710200308A895967DBDA802339B03AFB44" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\05_pictures_taken_in_the_last_month.wpl.8e25cc758d0bd245258c633158a67b710200308a895967dbda802339b03afb44")) returned 1 [0132.279] GetProcessHeap () returned 0x4c0000 [0132.279] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x564b40 | out: hHeap=0x4c0000) returned 1 [0132.280] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0132.300] ReadFile (in: hFile=0x1d8, lpBuffer=0x3b580d4, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0) returned 1 [0132.300] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0132.303] CloseHandle (hObject=0x1d8) returned 1 [0132.304] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\12_all_video.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl.742793DE8F67E2EEAD5B7ED0653057EDC698B35643415060B8A51B3C7C7B1673" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\12_all_video.wpl.742793de8f67e2eead5b7ed0653057edc698b35643415060b8a51b3c7c7b1673")) returned 1 [0132.305] GetProcessHeap () returned 0x4c0000 [0132.305] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0132.306] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0132.379] ReadFile (in: hFile=0x194, lpBuffer=0x3be8114, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0) returned 1 [0132.379] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0132.411] WriteFile (in: hFile=0x194, lpBuffer=0x3be8114*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0) returned 1 [0132.414] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0132.459] WriteFile (in: hFile=0x1d8, lpBuffer=0x584b74*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40) returned 1 [0132.461] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0132.461] CloseHandle (hObject=0x1d8) returned 1 [0132.463] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\14.0\\officefilecache\\fsd-{48508c83-ec67-468f-aa1f-6f3caf625658}.fsd"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD.B66299847307C9550A4B457883DC530D2BAB8E7B96F95B2F6A2C86D760BF1F4A" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\14.0\\officefilecache\\fsd-{48508c83-ec67-468f-aa1f-6f3caf625658}.fsd.b66299847307c9550a4b457883dc530d2bab8e7b96f95b2f6a2c86d760bf1f4a")) returned 1 [0132.465] GetProcessHeap () returned 0x4c0000 [0132.465] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x564b40 | out: hHeap=0x4c0000) returned 1 [0132.465] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0132.531] ReadFile (in: hFile=0x1d8, lpBuffer=0x522abc, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0132.531] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0132.580] ReadFile (in: hFile=0x17c, lpBuffer=0x3be8114, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0) returned 1 [0132.581] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0132.812] CloseHandle (hObject=0x17c) returned 1 [0132.836] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\account{047ef9ce-9c1f-4250-9ca7-d206db8b643c}.oeaccount"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount.89C75B9618B4585A567803143C8DC9BD238E20B5DB217A5CF91FE3E29EFA9650" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\account{047ef9ce-9c1f-4250-9ca7-d206db8b643c}.oeaccount.89c75b9618b4585a567803143c8dc9bd238e20b5db217a5cf91fe3e29efa9650")) returned 1 [0132.838] GetProcessHeap () returned 0x4c0000 [0132.838] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0132.838] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0132.858] WriteFile (in: hFile=0x1d0, lpBuffer=0x3be8114*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0) returned 1 [0132.860] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0133.070] CloseHandle (hObject=0x1d0) returned 1 [0133.072] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\edb.chk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk.409AA94E33400B296F770B497293190FDB1FD7799DA3057253F829794A83A766" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\edb.chk.409aa94e33400b296f770b497293190fdb1fd7799da3057253f829794a83a766")) returned 1 [0133.074] GetProcessHeap () returned 0x4c0000 [0133.074] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0133.074] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0133.416] CloseHandle (hObject=0x18c) returned 1 [0133.417] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\edb00001.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\backup\\old\\edb00001.log"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\edb00001.log.0152A4DC5375EB5CA683B1A802EF71BAE70533D34FA95AF595563EDC8D41E54B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\backup\\old\\edb00001.log.0152a4dc5375eb5ca683b1a802ef71bae70533d34fa95af595563edc8d41e54b")) returned 1 [0133.418] GetProcessHeap () returned 0x4c0000 [0133.418] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0133.421] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0133.424] CloseHandle (hObject=0x17c) returned 1 [0133.429] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\edb00001.log"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log.97FA558EE44D9F1616970F01EE833F96A39393C824FD611C9F99E1ED3F70E643" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\edb00001.log.97fa558ee44d9f1616970f01ee833f96a39393c824fd611c9f99e1ed3f70e643")) returned 1 [0133.430] GetProcessHeap () returned 0x4c0000 [0133.430] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0133.430] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0133.432] CloseHandle (hObject=0x194) returned 1 [0133.433] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.MSMessageStore" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\backup\\old\\windowsmail.msmessagestore"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.MSMessageStore.AC49C24FD9DE5BE39BE63441D351B5BA2EA6B532F6FE3D8A069088339983F54A" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\backup\\old\\windowsmail.msmessagestore.ac49c24fd9de5be39be63441d351b5ba2ea6b532f6fe3d8a069088339983f54a")) returned 1 [0133.434] GetProcessHeap () returned 0x4c0000 [0133.434] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0133.436] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0133.438] CloseHandle (hObject=0xec) returned 1 [0133.439] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.pat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\backup\\old\\windowsmail.pat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.pat.0128ADF522BE69120F95144ED9F2BC7C29E6CB1B3300CCD0601909D539DB1178" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\backup\\old\\windowsmail.pat.0128adf522be69120f95144ed9f2bc7c29e6cb1b3300ccd0601909d539db1178")) returned 1 [0133.440] GetProcessHeap () returned 0x4c0000 [0133.440] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x564b40 | out: hHeap=0x4c0000) returned 1 [0133.441] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0133.442] CloseHandle (hObject=0x1d0) returned 1 [0133.443] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\edb.log"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log.28F7A0C27E9538651E3FA7B855F4A2EC197D3FA7E254772631C3453F0125DE4C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\edb.log.28f7a0c27e9538651e3fa7b855f4a2ec197d3fa7e254772631c3453f0125de4c")) returned 1 [0133.444] GetProcessHeap () returned 0x4c0000 [0133.444] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0133.447] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0133.448] CloseHandle (hObject=0x184) returned 1 [0133.477] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\edbres00001.jrs"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs.69267C6DBCFE9E24B65106506C88CAC1B25EA54600B77B12DFAB791345853752" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\edbres00001.jrs.69267c6dbcfe9e24b65106506c88cac1b25ea54600b77b12dfab791345853752")) returned 1 [0133.478] GetProcessHeap () returned 0x4c0000 [0133.478] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0133.479] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0133.501] ReadFile (in: hFile=0x1d4, lpBuffer=0x3ba8174, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140) returned 1 [0133.501] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0133.504] CloseHandle (hObject=0x1d4) returned 1 [0133.505] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini.50F0F2B30DC666D2860EC7C1314A24B80903D0E47046C041122F33439FFBC967" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\desktop.ini.50f0f2b30dc666d2860ec7c1314a24b80903d0e47046c041122f33439ffbc967")) returned 1 [0133.508] GetProcessHeap () returned 0x4c0000 [0133.508] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b88140 | out: hHeap=0x4c0000) returned 1 [0133.509] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0133.535] ReadFile (in: hFile=0x1d4, lpBuffer=0x3be8114, nNumberOfBytesToRead=0x5c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0) returned 1 [0133.535] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0133.573] WriteFile (in: hFile=0x1d4, lpBuffer=0x3be8114, nNumberOfBytesToWrite=0x5c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0) returned 0x0 [0133.574] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0133.586] ReadFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToRead=0x1800, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0133.586] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0133.593] WriteFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x1800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0133.594] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0133.596] CloseHandle (hObject=0x184) returned 1 [0133.599] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\greenbubbles.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg.47339DA23962044B75FE1295CA3953E068403DD7D45CE12F4856996010594B38" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\greenbubbles.jpg.47339da23962044b75fe1295ca3953e068403dd7d45ce12f4856996010594b38")) returned 1 [0133.601] GetProcessHeap () returned 0x4c0000 [0133.601] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0133.606] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0133.636] ReadFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0133.637] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0133.643] WriteFile (in: hFile=0x184, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0133.645] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0133.646] CloseHandle (hObject=0x184) returned 1 [0133.647] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\handprints.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg.686E52F6C6F76240C82253F855A50BCDD8D481FDCCABBB27E37497D0F610117A" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\handprints.jpg.686e52f6c6f76240c82253f855a50bcdd8d481fdccabbb27e37497d0f610117a")) returned 1 [0133.650] GetProcessHeap () returned 0x4c0000 [0133.651] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0133.651] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0133.783] ReadFile (in: hFile=0x184, lpBuffer=0x55cb24, nNumberOfBytesToRead=0x1200, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0) returned 0x0 [0133.808] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0133.830] CloseHandle (hObject=0x1d4) returned 1 [0133.831] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\garden.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg.2FAA694BBBA18557E108C6EB57AA22A88187BC137C2772D524CEDAF84CC8544C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\garden.jpg.2faa694bbba18557e108c6eb57aa22a88187bc137c2772d524cedaf84cc8544c")) returned 1 [0133.832] GetProcessHeap () returned 0x4c0000 [0133.832] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0133.833] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0133.847] ReadFile (in: hFile=0xec, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x1200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0133.847] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0133.874] ReadFile (in: hFile=0x1d4, lpBuffer=0x3be8114, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0) returned 1 [0133.874] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0133.897] ReadFile (in: hFile=0x1d0, lpBuffer=0x522abc, nNumberOfBytesToRead=0x1c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0133.897] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0133.912] CloseHandle (hObject=0xec) returned 1 [0133.912] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\shadesofblue.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg.D4385AB5A2501AF58A1D523522F28C6C39912821CD534869E861A1B3A347FA1E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\shadesofblue.jpg.d4385ab5a2501af58a1d523522f28c6c39912821cd534869e861a1b3a347fa1e")) returned 1 [0133.913] GetProcessHeap () returned 0x4c0000 [0133.913] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0133.914] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0133.943] WriteFile (in: hFile=0x1d4, lpBuffer=0x3be8114, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0) returned 0x0 [0133.944] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0133.951] WriteFile (in: hFile=0x1d0, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x1c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0133.952] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0133.955] CloseHandle (hObject=0x1d0) returned 1 [0133.956] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\stars.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg.28AA986FBC6FED9E05B02A4F6B14F79A5932BCE1AD6BD4746D043DF943DA650F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\stars.jpg.28aa986fbc6fed9e05b02a4f6b14f79a5932bce1ad6bd4746d043df943da650f")) returned 1 [0133.957] GetProcessHeap () returned 0x4c0000 [0133.957] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0133.957] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0133.964] ReadFile (in: hFile=0xec, lpBuffer=0x55cb24, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0) returned 1 [0133.964] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0133.998] WriteFile (in: hFile=0xec, lpBuffer=0x55cb24*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0) returned 1 [0134.000] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0134.043] ReadFile (in: hFile=0x1d4, lpBuffer=0x522abc, nNumberOfBytesToRead=0x2600, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0134.043] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0134.096] CloseHandle (hObject=0xec) returned 1 [0134.098] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\windowsmail.msmessagestore"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore.572AEBDDA5FFB68AA1F1D7274992835F07CCE615AB43E338468CA17B1C17633B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\windowsmail.msmessagestore.572aebdda5ffb68aa1f1d7274992835f07cce615ab43e338468ca17b1c17633b")) returned 1 [0134.102] GetProcessHeap () returned 0x4c0000 [0134.102] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0134.103] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0134.123] WriteFile (in: hFile=0x1d4, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x2600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0134.141] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0134.155] ReadFile (in: hFile=0x194, lpBuffer=0x57cb34, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x55cb00 | out: lpBuffer=0x57cb34*, lpNumberOfBytesRead=0x0, lpOverlapped=0x55cb00) returned 1 [0134.155] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0134.202] WriteFile (in: hFile=0x194, lpBuffer=0x57cb34*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x55cb00 | out: lpBuffer=0x57cb34*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x55cb00) returned 1 [0134.204] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0134.205] CloseHandle (hObject=0x194) returned 1 [0134.206] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\98\\B60F3d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\0\\98\\b60f3d01"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\98\\B60F3d01.8EEC661954353AC32D6D6025836F872B9C634BE67F9D7EEBD768790C8100CB17" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\0\\98\\b60f3d01.8eec661954353ac32d6d6025836f872b9c634be67f9d7eebd768790c8100cb17")) returned 1 [0134.207] GetProcessHeap () returned 0x4c0000 [0134.207] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x55cb00 | out: hHeap=0x4c0000) returned 1 [0134.207] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0134.235] ReadFile (in: hFile=0x194, lpBuffer=0x57cb34, nNumberOfBytesToRead=0x4800, lpNumberOfBytesRead=0x0, lpOverlapped=0x55cb00 | out: lpBuffer=0x57cb34*, lpNumberOfBytesRead=0x0, lpOverlapped=0x55cb00) returned 1 [0134.235] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0134.265] WriteFile (in: hFile=0x194, lpBuffer=0x57cb34*, nNumberOfBytesToWrite=0x4800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x55cb00 | out: lpBuffer=0x57cb34*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x55cb00) returned 1 [0134.266] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0134.294] CloseHandle (hObject=0x194) returned 1 [0134.295] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\A8\\C3B7Bd01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\0\\a8\\c3b7bd01"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\A8\\C3B7Bd01.F241FE4C8F4A5D22D6B09D4F20722319420AD00647D318330892FF1B3B3D9550" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\0\\a8\\c3b7bd01.f241fe4c8f4a5d22d6b09d4f20722319420ad00647d318330892ff1b3b3d9550")) returned 1 [0134.296] GetProcessHeap () returned 0x4c0000 [0134.296] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x55cb00 | out: hHeap=0x4c0000) returned 1 [0134.296] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0134.306] ReadFile (in: hFile=0x17c, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0134.307] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0134.351] WriteFile (in: hFile=0x17c, lpBuffer=0x3c2007c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 0x0 [0134.352] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0134.385] ReadFile (in: hFile=0x194, lpBuffer=0x56cb2c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x54caf8 | out: lpBuffer=0x56cb2c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x54caf8) returned 1 [0134.385] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0134.418] WriteFile (in: hFile=0x194, lpBuffer=0x56cb2c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54caf8 | out: lpBuffer=0x56cb2c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54caf8) returned 0x0 [0134.419] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0134.443] ReadFile (in: hFile=0x18c, lpBuffer=0x3c480cc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098) returned 1 [0134.444] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0134.475] WriteFile (in: hFile=0x18c, lpBuffer=0x3c480cc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098) returned 0x0 [0134.477] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0134.529] ReadFile (in: hFile=0x178, lpBuffer=0x3b580d4, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0) returned 1 [0134.530] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0134.589] CloseHandle (hObject=0x1d4) returned 1 [0134.935] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows media\\12.0\\wmsdkns.xml"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML.FAE4D29A3E4EFB7EF6AAC767F2547D4064FB983648902659CF481023E009E618" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows media\\12.0\\wmsdkns.xml.fae4d29a3e4efb7ef6aac767f2547d4064fb983648902659cf481023e009e618")) returned 1 [0134.937] GetProcessHeap () returned 0x4c0000 [0134.937] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0134.940] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0135.011] WriteFile (in: hFile=0x194, lpBuffer=0x55cb24, nNumberOfBytesToWrite=0x5200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0) returned 0x0 [0135.013] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0135.034] ReadFile (in: hFile=0x178, lpBuffer=0x584b74, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74*, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40) returned 1 [0135.034] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0135.168] WriteFile (in: hFile=0x17c, lpBuffer=0x3c2007c*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 1 [0135.170] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0136.438] WriteFile (in: hFile=0x18c, lpBuffer=0x3c480cc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098) returned 0x0 [0136.440] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0136.465] CloseHandle (hObject=0x1d0) returned 1 [0136.466] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5IrZISH2ND.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\5irzish2nd.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5IrZISH2ND.flv.2AAAD887D91CB78EEE65C407996183D4315BB386C1CE1C55E7558440C20F153D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\5irzish2nd.flv.2aaad887d91cb78eee65c407996183d4315bb386c1ce1c55e7558440c20f153d")) returned 1 [0136.467] GetProcessHeap () returned 0x4c0000 [0136.467] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0136.467] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0136.497] WriteFile (in: hFile=0x1d0, lpBuffer=0x55cb24*, nNumberOfBytesToWrite=0x1a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0) returned 1 [0136.499] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0136.556] CloseHandle (hObject=0x1a8) returned 1 [0136.559] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\active-update.xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\updates\\e7cf176e110c211b\\active-update.xml"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\active-update.xml.849F3F5D0894DC68933198D864C77D66AB6181091945C3B1D405E9358610A16C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\updates\\e7cf176e110c211b\\active-update.xml.849f3f5d0894dc68933198d864c77d66ab6181091945c3b1d405e9358610a16c")) returned 1 [0136.560] GetProcessHeap () returned 0x4c0000 [0136.560] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0136.561] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0136.563] CloseHandle (hObject=0x1d0) returned 1 [0136.563] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\AD8NbrdA5R-dSu6Hiug.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\ad8nbrda5r-dsu6hiug.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\AD8NbrdA5R-dSu6Hiug.mkv.32BBB004B2F6BE8E6BC5E5D18CD2B9EF39397FB32A3053DD4FC8DFA562D7C50D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\ad8nbrda5r-dsu6hiug.mkv.32bbb004b2f6be8e6bc5e5d18cd2b9ef39397fb32a3053dd4fc8dfa562d7c50d")) returned 1 [0136.565] GetProcessHeap () returned 0x4c0000 [0136.565] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0136.565] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0136.584] WriteFile (in: hFile=0x1d0, lpBuffer=0x55cb24*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0) returned 1 [0136.586] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0136.640] CloseHandle (hObject=0x1d0) returned 1 [0136.641] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\CeO6ZVJkF_8.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\ceo6zvjkf_8.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\CeO6ZVJkF_8.m4a.3D719BB00A33C7E587B096E86D3AC4A405C05AE4FB998DF7790741E6C2BC9312" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\ceo6zvjkf_8.m4a.3d719bb00a33c7e587b096e86d3ac4a405c05ae4fb998df7790741e6c2bc9312")) returned 1 [0136.643] GetProcessHeap () returned 0x4c0000 [0136.643] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0136.643] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0136.665] CloseHandle (hObject=0x18c) returned 1 [0136.666] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\update.mar" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\updates\\e7cf176e110c211b\\updates\\0\\update.mar"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\update.mar.050F1074D9A10164E0004FFDED9398381F185C4201CA1A922D309C8C4980701A" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\updates\\e7cf176e110c211b\\updates\\0\\update.mar.050f1074d9a10164e0004ffded9398381f185c4201ca1a922d309c8c4980701a")) returned 1 [0136.667] GetProcessHeap () returned 0x4c0000 [0136.667] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0136.668] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0136.682] ReadFile (in: hFile=0x1a8, lpBuffer=0x55cb24, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0) returned 1 [0136.682] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0136.709] ReadFile (in: hFile=0x1d0, lpBuffer=0x3be8114, nNumberOfBytesToRead=0x3000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0) returned 1 [0136.732] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0136.754] ReadFile (in: hFile=0x1d0, lpBuffer=0x3be8114, nNumberOfBytesToRead=0x1c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0) returned 1 [0136.754] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0136.762] CloseHandle (hObject=0x1d0) returned 1 [0136.763] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\DeEi61KghvciKoee4O.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\deei61kghvcikoee4o.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\DeEi61KghvciKoee4O.wav.BF581C7F23E9273F0C56C4292D0C866B2FEA1D72C37D50513C2D3302E891F352" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\deei61kghvcikoee4o.wav.bf581c7f23e9273f0c56c4292d0c866b2fea1d72c37d50513c2d3302e891f352")) returned 1 [0136.764] GetProcessHeap () returned 0x4c0000 [0136.764] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0136.764] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0136.784] ReadFile (in: hFile=0x1d0, lpBuffer=0x3be8114, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0) returned 1 [0136.785] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0136.837] WriteFile (in: hFile=0x1a8, lpBuffer=0x55cb24, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0) returned 0x0 [0136.838] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0136.915] WriteFile (in: hFile=0x1d0, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x5200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0137.495] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0137.495] ReadFile (in: hFile=0x1d8, lpBuffer=0x3ba8174, nNumberOfBytesToRead=0x4200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140) returned 1 [0137.496] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0137.496] ReadFile (in: hFile=0x1b8, lpBuffer=0x3c9212c, nNumberOfBytesToRead=0x7e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8) returned 1 [0137.496] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0137.496] ReadFile (in: hFile=0x184, lpBuffer=0x3cba17c, nNumberOfBytesToRead=0x3800, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c9a148 | out: lpBuffer=0x3cba17c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c9a148) returned 1 [0137.497] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0137.497] ReadFile (in: hFile=0x154, lpBuffer=0x3ce21cc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3cc2198 | out: lpBuffer=0x3ce21cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3cc2198) returned 1 [0137.498] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0137.498] ReadFile (in: hFile=0x120, lpBuffer=0x3d0a21c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3cea1e8 | out: lpBuffer=0x3d0a21c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3cea1e8) returned 1 [0137.498] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0137.498] ReadFile (in: hFile=0x128, lpBuffer=0x3d3226c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d12238 | out: lpBuffer=0x3d3226c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d12238) returned 1 [0137.499] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0137.499] CloseHandle (hObject=0x1d0) returned 1 [0137.701] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\hPnY-.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\hpny-.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\hPnY-.flv.23161EBD5BBBA6BC7044A169A88ABC61A304066EB9CC3AC5BF8339F628F5352E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\hpny-.flv.23161ebd5bbba6bc7044a169a88abc61a304066eb9cc3ac5bf8339f628f5352e")) returned 1 [0137.756] GetProcessHeap () returned 0x4c0000 [0137.756] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0137.761] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0137.962] CloseHandle (hObject=0x124) returned 1 [0137.963] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\tZuuJ7ReAAzj5YmvVWiF.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\tzuuj7reaazj5ymvvwif.ods"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\tZuuJ7ReAAzj5YmvVWiF.ods.0BECFB1CDDFC7A2D095197F8325FE3C21C7CA4B3C8F7690D2FABF265F7798A76" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\tzuuj7reaazj5ymvvwif.ods.0becfb1cddfc7a2d095197f8325fe3c21c7ca4b3c8f7690d2fabf265f7798a76")) returned 1 [0137.964] GetProcessHeap () returned 0x4c0000 [0137.964] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0137.964] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0137.977] ReadFile (in: hFile=0x178, lpBuffer=0x55cb24, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0) returned 1 [0137.977] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0138.006] CloseHandle (hObject=0x178) returned 1 [0138.007] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\VvquaG3tma6oKBTooe59.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\vvquag3tma6okbtooe59.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\VvquaG3tma6oKBTooe59.jpg.C5503652BBF682918FD697E99BA48FE4E5EF961DCDA3327D82993E8FAF84F330" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\vvquag3tma6okbtooe59.jpg.c5503652bbf682918fd697e99ba48fe4e5ef961dcda3327d82993e8faf84f330")) returned 1 [0138.009] GetProcessHeap () returned 0x4c0000 [0138.009] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0138.009] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0138.073] ReadFile (in: hFile=0x178, lpBuffer=0x3be8114, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0) returned 1 [0138.074] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0138.226] ReadFile (in: hFile=0x178, lpBuffer=0x3be8114, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0) returned 1 [0138.226] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0138.285] WriteFile (in: hFile=0x1b8, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0138.287] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0153.529] ReadFile (in: hFile=0x19c, lpBuffer=0x3c480cc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098) returned 1 [0153.529] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0153.570] CloseHandle (hObject=0x120) returned 1 [0153.571] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini.EF1DB84AADB54354512C003439D8B85912BF4BAF0138E2E9FC0430BB25D98A43" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\desktop.ini.ef1db84aadb54354512c003439d8b85912bf4baf0138e2e9fc0430bb25d98a43")) returned 1 [0153.574] GetProcessHeap () returned 0x4c0000 [0153.574] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0153.574] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0153.593] ReadFile (in: hFile=0x184, lpBuffer=0x3b580d4, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0) returned 1 [0153.594] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0153.641] CloseHandle (hObject=0x184) returned 1 [0153.642] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\bJM8w O3fk fqat.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\bjm8w o3fk fqat.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\bJM8w O3fk fqat.m4a.4CE60ECD9E484DCCDFCECB6245409D9D1E551046B8BE726B4437993AB3DB6174" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\bjm8w o3fk fqat.m4a.4ce60ecd9e484dccdfcecb6245409d9d1e551046b8be726b4437993ab3db6174")) returned 1 [0153.644] GetProcessHeap () returned 0x4c0000 [0153.644] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0153.645] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0153.711] WriteFile (in: hFile=0x184, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x6800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0153.713] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0153.787] CloseHandle (hObject=0x184) returned 1 [0153.788] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\C-0uHHocNF3U8qyXLbB.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\c-0uhhocnf3u8qyxlbb.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\C-0uHHocNF3U8qyXLbB.m4a.00A98966DF0813837763502DCE8E3C71C17E1ED53349AB359FCD4309CF9DFF75" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\c-0uhhocnf3u8qyxlbb.m4a.00a98966df0813837763502dce8e3c71c17e1ed53349ab359fcd4309cf9dff75")) returned 1 [0153.789] GetProcessHeap () returned 0x4c0000 [0153.789] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0153.789] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0153.871] WriteFile (in: hFile=0x184, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0153.889] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0154.099] CloseHandle (hObject=0x184) returned 1 [0154.100] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\I-Jc_nzs4Sp.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\i-jc_nzs4sp.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\I-Jc_nzs4Sp.wav.750DF7491F4B9E63B112E651414577E5D519C9A66339B107D66A88640192917F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\i-jc_nzs4sp.wav.750df7491f4b9e63b112e651414577e5d519c9a66339b107d66a88640192917f")) returned 1 [0154.101] GetProcessHeap () returned 0x4c0000 [0154.101] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0154.101] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0154.163] WriteFile (in: hFile=0x184, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x6e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0154.165] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0154.351] CloseHandle (hObject=0x184) returned 1 [0154.352] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\I_74.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\i_74.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\I_74.m4a.A7E86FF3DCCE5028F6553A90F56AFB4519CCBE7D627FB785516702A9B9A1982D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\i_74.m4a.a7e86ff3dcce5028f6553a90f56afb4519ccbe7d627fb785516702a9b9a1982d")) returned 1 [0154.353] GetProcessHeap () returned 0x4c0000 [0154.353] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0154.353] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0154.409] WriteFile (in: hFile=0x184, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0154.413] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0154.486] CloseHandle (hObject=0x184) returned 1 [0154.487] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\jXIlwQ2Ju.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\jxilwq2ju.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\jXIlwQ2Ju.wav.AB82A86A75A989512E3F1F6CE1817F777D4F3DD2CF98F4E1682195D98374C96A" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\jxilwq2ju.wav.ab82a86a75a989512e3f1f6ce1817f777d4f3dd2cf98f4e1682195d98374c96a")) returned 1 [0154.489] GetProcessHeap () returned 0x4c0000 [0154.489] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0154.489] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0154.520] WriteFile (in: hFile=0x184, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0154.522] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0154.586] CloseHandle (hObject=0x184) returned 1 [0154.587] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\lcx7.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\lcx7.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\lcx7.m4a.DBE2BA4B1F02C884BB409EC9E1772FFC217C2E2C443F4011CC2102F448DDE81A" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\lcx7.m4a.dbe2ba4b1f02c884bb409ec9e1772ffc217c2e2c443f4011cc2102f448dde81a")) returned 1 [0154.588] GetProcessHeap () returned 0x4c0000 [0154.589] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0154.589] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0154.659] WriteFile (in: hFile=0x184, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0154.661] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0154.735] WriteFile (in: hFile=0x184, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0154.737] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0154.791] CloseHandle (hObject=0x184) returned 1 [0154.792] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\MHSl6lBxqzlm.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\mhsl6lbxqzlm.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\MHSl6lBxqzlm.mp3.5A5A6A9DC7F01E4DB5DB3960F23C3B8266BC63FA6A367A65573B676A8E8FC035" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\mhsl6lbxqzlm.mp3.5a5a6a9dc7f01e4db5db3960f23c3b8266bc63fa6a367a65573b676a8e8fc035")) returned 1 [0154.795] GetProcessHeap () returned 0x4c0000 [0154.795] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0154.795] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0154.815] ReadFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0154.815] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0154.861] CloseHandle (hObject=0x184) returned 1 [0154.862] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\NHW dS3rWIEV8xMYC.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\nhw ds3rwiev8xmyc.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\NHW dS3rWIEV8xMYC.wav.4F4A55F69A76AF7EA09DBD6607E5F5DDD242CD0D67995EF0C41116D2A81E404D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\nhw ds3rwiev8xmyc.wav.4f4a55f69a76af7ea09dbd6607e5f5ddd242cd0d67995ef0c41116d2a81e404d")) returned 1 [0154.863] GetProcessHeap () returned 0x4c0000 [0154.863] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0154.863] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0154.886] WriteFile (in: hFile=0x184, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0xc00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0154.887] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0154.957] CloseHandle (hObject=0x184) returned 1 [0154.958] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Q-oBtzb2PDPM-x0rj.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\q-obtzb2pdpm-x0rj.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Q-oBtzb2PDPM-x0rj.mp3.8952B2045B49529ECC8BB8692AC17AF56112FC59B92FCE117134476F362FE873" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\q-obtzb2pdpm-x0rj.mp3.8952b2045b49529ecc8bb8692ac17af56112fc59b92fce117134476f362fe873")) returned 1 [0154.959] GetProcessHeap () returned 0x4c0000 [0154.959] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0154.959] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0154.992] WriteFile (in: hFile=0x184, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x3600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0154.997] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0155.079] CloseHandle (hObject=0x184) returned 1 [0155.080] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UF4JePTVus_qiR.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uf4jeptvus_qir.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UF4JePTVus_qiR.m4a.0D1221904F09E33DD8A9217B7244DC8CB12D0170242BF9D5183477B0F2526314" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uf4jeptvus_qir.m4a.0d1221904f09e33dd8a9217b7244dc8cb12d0170242bf9d5183477b0f2526314")) returned 1 [0155.083] GetProcessHeap () returned 0x4c0000 [0155.083] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0155.084] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0155.117] WriteFile (in: hFile=0x184, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x3a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0155.120] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0155.173] WriteFile (in: hFile=0x184, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0155.175] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0155.265] CloseHandle (hObject=0x184) returned 1 [0155.266] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\vO1mUYE6ocXqRWxu.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\vo1muye6ocxqrwxu.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\vO1mUYE6ocXqRWxu.m4a.A5B4192C93B914002FAAC08FBC420C4D8630E6423C9A4BDADAF34BFFF4CF8341" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\vo1muye6ocxqrwxu.m4a.a5b4192c93b914002faac08fbc420c4d8630e6423c9a4bdadaf34bfff4cf8341")) returned 1 [0155.268] GetProcessHeap () returned 0x4c0000 [0155.268] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0155.268] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0155.394] WriteFile (in: hFile=0x184, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0155.397] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0155.499] CloseHandle (hObject=0x120) returned 1 [0155.500] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AA5E4XH FD\\0eZdlbhe1hMr.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aa5e4xh fd\\0ezdlbhe1hmr.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AA5E4XH FD\\0eZdlbhe1hMr.gif.5BBEE725C751A8390A13FAABEB860274BF1F01C1EC3803DE06C90E82F12F985E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aa5e4xh fd\\0ezdlbhe1hmr.gif.5bbee725c751a8390a13faabeb860274bf1f01c1ec3803de06c90e82f12f985e")) returned 1 [0155.502] GetProcessHeap () returned 0x4c0000 [0155.502] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0155.502] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0155.582] WriteFile (in: hFile=0x184, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0155.584] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0155.658] CloseHandle (hObject=0x184) returned 1 [0155.659] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\IAzX.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iazx.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\IAzX.jpg.056B7D0F82EE5BA1CEDB4CA9E9D0919AEC9F6A361727133311E3BF7136A57533" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iazx.jpg.056b7d0f82ee5ba1cedb4ca9e9d0919aec9f6a361727133311e3bf7136a57533")) returned 1 [0155.660] GetProcessHeap () returned 0x4c0000 [0155.660] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0155.660] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0155.727] WriteFile (in: hFile=0x184, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0155.730] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0155.804] CloseHandle (hObject=0x120) returned 1 [0155.804] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\0bhJKihw0wLow.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\0bhjkihw0wlow.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\0bhJKihw0wLow.gif.CF616877BBBE36A4A8C64E00C76DCF7937C3F6EC8B71BE8BC8B9FDA07BAE7728" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\0bhjkihw0wlow.gif.cf616877bbbe36a4a8c64e00c76dcf7937c3f6ec8b71be8bc8b9fda07bae7728")) returned 1 [0155.806] GetProcessHeap () returned 0x4c0000 [0155.806] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0155.806] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0155.881] WriteFile (in: hFile=0x19c, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x4e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0155.908] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0155.947] WriteFile (in: hFile=0x124, lpBuffer=0x54bb14*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 1 [0155.968] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0156.021] CloseHandle (hObject=0x124) returned 1 [0156.022] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\GU5APZ4Tw.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\gam6ubn\\gu5apz4tw.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\GU5APZ4Tw.png.243968808888425A4DBEE403FB2AA6BCEF2CB4199E4BD852D5551C5641E6CF23" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\gam6ubn\\gu5apz4tw.png.243968808888425a4dbee403fb2aa6bcef2cb4199e4bd852d5551c5641e6cf23")) returned 1 [0156.023] GetProcessHeap () returned 0x4c0000 [0156.024] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0156.024] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0156.070] WriteFile (in: hFile=0x124, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0156.072] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0156.111] CloseHandle (hObject=0x124) returned 1 [0156.112] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\lB4EANCI.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\gam6ubn\\lb4eanci.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\lB4EANCI.png.DB8EB441A8797640BE6AC6770904D3DFE33241DA2A90C6572580C1F2159D973E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\gam6ubn\\lb4eanci.png.db8eb441a8797640be6ac6770904d3dfe33241da2a90c6572580c1f2159d973e")) returned 1 [0156.113] GetProcessHeap () returned 0x4c0000 [0156.113] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0156.113] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0156.185] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0156.187] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0156.241] CloseHandle (hObject=0x19c) returned 1 [0156.246] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG\\EapIZfAo_VRPUK0XM-cW.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\2n948l34tgvg\\eapizfao_vrpuk0xm-cw.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG\\EapIZfAo_VRPUK0XM-cW.png.04C0FD568679EE8D76DD33AB3C38C18C657B8F23F8812B55E6FDD37D82C03104" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\2n948l34tgvg\\eapizfao_vrpuk0xm-cw.png.04c0fd568679ee8d76dd33ab3c38c18c657b8f23f8812b55e6fdd37d82c03104")) returned 1 [0156.261] GetProcessHeap () returned 0x4c0000 [0156.261] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0156.261] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0156.270] ReadFile (in: hFile=0x18c, lpBuffer=0x54bb14, nNumberOfBytesToRead=0xc00, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0156.271] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0156.275] CloseHandle (hObject=0x18c) returned 1 [0156.276] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG\\Gm39.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\2n948l34tgvg\\gm39.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG\\Gm39.jpg.938E1B8C221E89E5FA0DB66A7F7DF615C83ED8008271A9A0EB3F513BB2DE537D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\2n948l34tgvg\\gm39.jpg.938e1b8c221e89e5fa0db66a7f7df615c83ed8008271a9a0eb3f513bb2de537d")) returned 1 [0156.278] GetProcessHeap () returned 0x4c0000 [0156.278] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0156.278] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0156.338] CloseHandle (hObject=0x18c) returned 1 [0156.338] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG\\kSo74.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\2n948l34tgvg\\kso74.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\2n948L34tgvG\\kSo74.jpg.E0CA653C94E2D3A53DE769CC31DEF8290B6B025DD71D4981B33C0F50B7EB2337" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\2n948l34tgvg\\kso74.jpg.e0ca653c94e2d3a53de769cc31def8290b6b025dd71d4981b33c0f50b7eb2337")) returned 1 [0156.339] GetProcessHeap () returned 0x4c0000 [0156.340] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0156.340] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0156.399] WriteFile (in: hFile=0x18c, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0156.401] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0156.594] CloseHandle (hObject=0x19c) returned 1 [0156.595] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\g_IG6dqa.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\p8vnb3ngvtyiwbup\\dmzhpx3 2df4pzbw\\g_ig6dqa.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\g_IG6dqa.jpg.C86D7D2A818946AF7D24875859AAF2E1EA8565A64CFB59835C7CC7271501E50D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\p8vnb3ngvtyiwbup\\dmzhpx3 2df4pzbw\\g_ig6dqa.jpg.c86d7d2a818946af7d24875859aaf2e1ea8565a64cfb59835c7cc7271501e50d")) returned 1 [0156.597] GetProcessHeap () returned 0x4c0000 [0156.597] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0156.597] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0156.671] WriteFile (in: hFile=0x19c, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0156.673] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0156.764] CloseHandle (hObject=0x19c) returned 1 [0156.766] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\STvL.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\p8vnb3ngvtyiwbup\\dmzhpx3 2df4pzbw\\stvl.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\STvL.gif.348F1181FEE76E197B32F0917CEB6391CF81744F45B6D9B873B05E210864D26F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\p8vnb3ngvtyiwbup\\dmzhpx3 2df4pzbw\\stvl.gif.348f1181fee76e197b32f0917ceb6391cf81744f45b6d9b873b05e210864d26f")) returned 1 [0156.767] GetProcessHeap () returned 0x4c0000 [0156.767] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0156.767] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0156.836] WriteFile (in: hFile=0x19c, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0156.838] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0156.998] CloseHandle (hObject=0x1b8) returned 1 [0156.999] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\5eRWhGnYlutAnVdIY.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\p8vnb3ngvtyiwbup\\ih7c09lxjcnh0uwz\\6wlucpjly3zpavew2\\5erwhgnylutanvdiy.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\5eRWhGnYlutAnVdIY.png.DC68740B622B24F7D246EF7352CC2CF5989C10004ADC0207B321C51D2A26DA3B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\p8vnb3ngvtyiwbup\\ih7c09lxjcnh0uwz\\6wlucpjly3zpavew2\\5erwhgnylutanvdiy.png.dc68740b622b24f7d246ef7352cc2cf5989c10004adc0207b321c51d2a26da3b")) returned 1 [0157.001] GetProcessHeap () returned 0x4c0000 [0157.001] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0157.001] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0157.053] CloseHandle (hObject=0x1b8) returned 1 [0157.053] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\8GsYZRAkx.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\p8vnb3ngvtyiwbup\\ih7c09lxjcnh0uwz\\6wlucpjly3zpavew2\\8gsyzrakx.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\8GsYZRAkx.bmp.D40FBC0DA3E419FAE0EE8E04C6FC2BE414FCF33493183250756653B60356BB66" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\p8vnb3ngvtyiwbup\\ih7c09lxjcnh0uwz\\6wlucpjly3zpavew2\\8gsyzrakx.bmp.d40fbc0da3e419fae0ee8e04c6fc2be414fcf33493183250756653b60356bb66")) returned 1 [0157.055] GetProcessHeap () returned 0x4c0000 [0157.055] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0157.055] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0157.104] WriteFile (in: hFile=0x1b8, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0157.107] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0157.163] CloseHandle (hObject=0x1b8) returned 1 [0157.165] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\RL_Ti8nB0.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\p8vnb3ngvtyiwbup\\ih7c09lxjcnh0uwz\\6wlucpjly3zpavew2\\rl_ti8nb0.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\RL_Ti8nB0.gif.A080E97FAE3B6D03899732BC68F4E4BC305CCBCCB4EAA4C4EE43510B7DEB3253" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\p8vnb3ngvtyiwbup\\ih7c09lxjcnh0uwz\\6wlucpjly3zpavew2\\rl_ti8nb0.gif.a080e97fae3b6d03899732bc68f4e4bc305ccbccb4eaa4c4ee43510b7deb3253")) returned 1 [0157.166] GetProcessHeap () returned 0x4c0000 [0157.166] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0157.166] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0157.227] CloseHandle (hObject=0x19c) returned 1 [0157.227] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\X 22.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\p8vnb3ngvtyiwbup\\ih7c09lxjcnh0uwz\\x 22.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\X 22.gif.A56E2D7A423281975E68FFB45E6BF3522BE0F70D382B82713EB835FAC25DDF49" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\p8vnb3ngvtyiwbup\\ih7c09lxjcnh0uwz\\x 22.gif.a56e2d7a423281975e68ffb45e6bf3522be0f70d382b82713eb835fac25ddf49")) returned 1 [0157.229] GetProcessHeap () returned 0x4c0000 [0157.229] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0157.229] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0157.296] WriteFile (in: hFile=0x18c, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0157.297] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0157.626] ReadFile (in: hFile=0x184, lpBuffer=0x573b64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30) returned 1 [0157.627] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0157.629] CloseHandle (hObject=0x184) returned 1 [0157.630] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini.3B4B0EEE1D7C63CA6161220AFA6D8D7579283FA625910230804142716C356A6E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\desktop.ini.3b4b0eee1d7c63ca6161220afa6d8d7579283fa625910230804142716c356a6e")) returned 1 [0157.633] GetProcessHeap () returned 0x4c0000 [0157.633] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x553b30 | out: hHeap=0x4c0000) returned 1 [0157.633] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0157.665] ReadFile (in: hFile=0x124, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x5400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0157.666] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0157.728] ReadFile (in: hFile=0x124, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0157.728] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0157.809] ReadFile (in: hFile=0x124, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0157.809] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0157.892] ReadFile (in: hFile=0x124, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0157.893] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0157.971] CloseHandle (hObject=0x124) returned 1 [0157.972] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\a_mFLj.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\a_mflj.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\a_mFLj.mkv.0DE0E5A01357AB76A55762D70B49F9E8CD5954B94A3AC3DBAEAE2D8940496107" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\a_mflj.mkv.0de0e5a01357ab76a55762d70b49f9e8cd5954b94a3ac3dbaeae2d8940496107")) returned 1 [0157.974] GetProcessHeap () returned 0x4c0000 [0157.974] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0157.974] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0158.006] ReadFile (in: hFile=0x124, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0158.007] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0158.048] WriteFile (in: hFile=0x124, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0158.052] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0158.081] ReadFile (in: hFile=0x124, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0158.081] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0158.123] WriteFile (in: hFile=0x124, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0158.127] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0158.158] ReadFile (in: hFile=0x124, lpBuffer=0x522abc, nNumberOfBytesToRead=0x1600, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0158.170] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0158.202] ReadFile (in: hFile=0x124, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0158.202] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0158.274] ReadFile (in: hFile=0x124, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0158.274] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0158.345] ReadFile (in: hFile=0x124, lpBuffer=0x522abc, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0158.371] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0158.398] ReadFile (in: hFile=0x124, lpBuffer=0x522abc, nNumberOfBytesToRead=0xa00, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0158.398] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0158.437] ReadFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToRead=0x2e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0158.437] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0158.484] ReadFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToRead=0x1e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0158.484] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0158.498] CloseHandle (hObject=0x184) returned 1 [0158.499] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\5g4AdtfyonV.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\5g4adtfyonv.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\5g4AdtfyonV.mp4.5E1B1DE94EA22074C40AEDA191E1DC88A0C4D1335EA28CB7F5ACA0932DEEAA25" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\5g4adtfyonv.mp4.5e1b1de94ea22074c40aeda191e1dc88a0c4d1335ea28cb7f5aca0932deeaa25")) returned 1 [0158.503] GetProcessHeap () returned 0x4c0000 [0158.503] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0158.503] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0158.530] ReadFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0158.578] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0158.608] ReadFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0158.608] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0158.650] CloseHandle (hObject=0x184) returned 1 [0158.652] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\J2yK.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\j2yk.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\J2yK.mkv.BC27985B7E83195618A8BCFD21BB94D2E03D5A750E46D296D909183C63113509" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\j2yk.mkv.bc27985b7e83195618a8bcfd21bb94d2e03d5a750e46d296d909183c63113509")) returned 1 [0158.653] GetProcessHeap () returned 0x4c0000 [0158.653] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0158.653] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0158.682] ReadFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToRead=0x5a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0158.682] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0158.743] ReadFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToRead=0x6400, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0158.743] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0158.848] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0158.886] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0158.891] ReadFile (in: hFile=0x18c, lpBuffer=0x54bb14, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0158.891] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0158.962] ReadFile (in: hFile=0x120, lpBuffer=0x573b64, nNumberOfBytesToRead=0x7200, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64*, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30) returned 1 [0159.021] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0159.049] ReadFile (in: hFile=0x19c, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0159.100] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0159.129] ReadFile (in: hFile=0x1b8, lpBuffer=0x3c480cc, nNumberOfBytesToRead=0x4c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098) returned 1 [0159.130] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0159.178] CloseHandle (hObject=0x120) returned 1 [0159.179] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\a_nlvHX1KkINBy.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\a_nlvhx1kkinby.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\a_nlvHX1KkINBy.swf.8854AE02F3D60CECA70453C05483618665AE3288922EDB2C766E073D37A6E86C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\a_nlvhx1kkinby.swf.8854ae02f3d60ceca70453c05483618665ae3288922edb2c766e073d37a6e86c")) returned 1 [0159.181] GetProcessHeap () returned 0x4c0000 [0159.181] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x553b30 | out: hHeap=0x4c0000) returned 1 [0159.181] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0159.209] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0159.209] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0160.855] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0160.857] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0160.919] CloseHandle (hObject=0x120) returned 1 [0160.920] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\iDbeG07.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\idbeg07.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\iDbeG07.flv.A5ECB774E5E4CB032E7E3340C874D6E477359E9225DFA6177ED0B23EBB0CC05C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\idbeg07.flv.a5ecb774e5e4cb032e7e3340c874d6e477359e9225dfa6177ed0b23ebb0cc05c")) returned 1 [0160.936] GetProcessHeap () returned 0x4c0000 [0160.936] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0160.936] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0160.975] ReadFile (in: hFile=0x18c, lpBuffer=0x54bb14, nNumberOfBytesToRead=0x6a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0160.975] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0161.010] CloseHandle (hObject=0x18c) returned 1 [0161.011] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\IDMNP4en.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\idmnp4en.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\IDMNP4en.mkv.661BDC04527917800B3A89BFE012C309533D3BD5FF453066F2A52DF4BAC0D401" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\idmnp4en.mkv.661bdc04527917800b3a89bfe012c309533d3bd5ff453066f2a52df4bac0d401")) returned 1 [0161.012] GetProcessHeap () returned 0x4c0000 [0161.012] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0161.012] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0161.079] WriteFile (in: hFile=0x18c, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0161.092] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0161.119] WriteFile (in: hFile=0x120, lpBuffer=0x54bb14*, nNumberOfBytesToWrite=0xe00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 1 [0161.120] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0161.180] CloseHandle (hObject=0x120) returned 1 [0161.183] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\pIWuCKdDpSLBo.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\piwuckddpslbo.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\pIWuCKdDpSLBo.mkv.CB28D1AD4431F7A982F5A070A45A416B4591CB649C8F6769AEDCD07C2A14C862" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\piwuckddpslbo.mkv.cb28d1ad4431f7a982f5a070a45a416b4591cb649c8f6769aedcd07c2a14c862")) returned 1 [0161.185] GetProcessHeap () returned 0x4c0000 [0161.185] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0161.185] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0161.255] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0161.257] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0161.329] CloseHandle (hObject=0x120) returned 1 [0161.330] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\WmvS.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\wmvs.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\WmvS.mp4.2A37E68D685584B8864ED78D5CABDD15B18AAF37D3D94F83B7F8BDDD22CD7C3C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\wmvs.mp4.2a37e68d685584b8864ed78d5cabdd15b18aaf37d3d94f83b7f8bddd22cd7c3c")) returned 1 [0161.331] GetProcessHeap () returned 0x4c0000 [0161.331] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0161.332] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0161.410] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0161.413] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0161.522] CloseHandle (hObject=0x120) returned 1 [0161.522] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\Z81L4A.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\z81l4a.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\Z81L4A.mp4.AC7B0B2FC968CF7CC0A14DE3D1A5BD8C0A3EABE055A9E11756AF648054DBE715" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\z81l4a.mp4.ac7b0b2fc968cf7cc0a14de3d1a5bd8c0a3eabe055a9e11756af648054dbe715")) returned 1 [0161.524] GetProcessHeap () returned 0x4c0000 [0161.524] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0161.524] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0161.607] WriteFile (in: hFile=0x184, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0161.609] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0161.660] CloseHandle (hObject=0x184) returned 1 [0161.661] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\NcloMJQBRZi2.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\nclomjqbrzi2.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\NcloMJQBRZi2.mp4.41CA3BD15E86399883B2B441F9DAA760D354167637C92C39EF12577FECB5826D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\nclomjqbrzi2.mp4.41ca3bd15e86399883b2b441f9daa760d354167637c92c39ef12577fecb5826d")) returned 1 [0161.663] GetProcessHeap () returned 0x4c0000 [0161.663] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0161.663] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0161.757] WriteFile (in: hFile=0x184, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0162.635] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0162.724] WriteFile (in: hFile=0x184, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0162.726] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0162.864] ReadFile (in: hFile=0x124, lpBuffer=0x573b64, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64*, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30) returned 1 [0162.864] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0163.686] ReadFile (in: hFile=0x120, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0163.686] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0163.884] ReadFile (in: hFile=0x1b8, lpBuffer=0x3c480cc, nNumberOfBytesToRead=0x1a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098) returned 1 [0163.884] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0163.940] ReadFile (in: hFile=0x180, lpBuffer=0x3b4809c, nNumberOfBytesToRead=0x7000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b28068 | out: lpBuffer=0x3b4809c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b28068) returned 1 [0163.941] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0164.010] ReadFile (in: hFile=0x128, lpBuffer=0x522abc, nNumberOfBytesToRead=0x7000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0164.011] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0164.247] CloseHandle (hObject=0x1b8) returned 1 [0164.345] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\feedsstore.feedsdb-ms"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms.D4F000729516D65D1F885C1726941E1F44095626DA2236FD063276C514199048" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\feedsstore.feedsdb-ms.d4f000729516d65d1f885c1726941e1f44095626da2236fd063276c514199048")) returned 1 [0164.347] GetProcessHeap () returned 0x4c0000 [0164.347] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0164.347] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0164.421] CloseHandle (hObject=0x178) returned 1 [0164.423] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\microsoft at work~.feed-ms"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms.BEDA93D4F82E6B15EFEE57E25D82EF9260577CA7144BDA346022F241FCE0327A" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\microsoft at work~.feed-ms.beda93d4f82e6b15efee57e25d82ef9260577ca7144bda346022f241fce0327a")) returned 1 [0164.424] GetProcessHeap () returned 0x4c0000 [0164.424] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b500b8 | out: hHeap=0x4c0000) returned 1 [0164.424] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0164.703] WriteFile (in: hFile=0x1d0, lpBuffer=0x3c2007c, nNumberOfBytesToWrite=0x2e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 0x0 [0164.722] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0165.191] CloseHandle (hObject=0x1c0) returned 1 [0165.217] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\06_pictures_rated_4_or_5_stars.wpl"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl.1FA007C0B33AFA3FE68783FA4A28EC14C722C2D1697935B379C68751089E842D" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\06_pictures_rated_4_or_5_stars.wpl.1fa007c0b33afa3fe68783fa4a28ec14c722c2d1697935b379c68751089e842d")) returned 1 [0165.226] GetProcessHeap () returned 0x4c0000 [0165.226] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c9a148 | out: hHeap=0x4c0000) returned 1 [0165.230] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08) returned 1 [0166.559] CloseHandle (hObject=0x1c0) returned 1 [0166.571] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\roses.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg.B133D54F9F14E55D546A226CE04F225B8886EC639933DB9D54C678C6EA25671F" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\roses.jpg.b133d54f9f14e55d546a226ce04f225b8886ec639933db9d54c678c6ea25671f")) returned 1 [0166.585] GetProcessHeap () returned 0x4c0000 [0166.586] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c9a148 | out: hHeap=0x4c0000) returned 1 [0166.586] GetQueuedCompletionStatus (CompletionPort=0x94, lpNumberOfBytesTransferred=0x216fe10, lpCompletionKey=0x216fe0c, lpOverlapped=0x216fe08, dwMilliseconds=0xffffffff) Thread: id = 4 os_tid = 0x7d0 [0061.327] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0079.070] WriteFile (in: hFile=0x178, lpBuffer=0x3b7011c*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b500e8 | out: lpBuffer=0x3b7011c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b500e8) returned 1 [0079.074] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0080.546] CloseHandle (hObject=0x18c) returned 1 [0081.346] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.DB96511C0C7760845AE4A5638828526CD029D10C949C21DAC83AD3FE16F4784A" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi.db96511c0c7760845ae4a5638828526cd029d10c949c21dac83ad3fe16f4784a")) returned 1 [0081.348] GetProcessHeap () returned 0x4c0000 [0081.348] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b78138 | out: hHeap=0x4c0000) returned 1 [0081.348] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0081.364] ReadFile (in: hFile=0x198, lpBuffer=0x3c480cc, nNumberOfBytesToRead=0x1600, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098) returned 1 [0081.364] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0081.373] CloseHandle (hObject=0x178) returned 1 [0085.847] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.27C77A2D13BD713DFB87C4F745D5BC6B71575BB38A8624AD1793EF8C08EC6C59" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi.27c77a2d13bd713dfb87c4f745d5bc6b71575bb38a8624ad1793ef8c08ec6c59")) returned 1 [0085.848] GetProcessHeap () returned 0x4c0000 [0085.848] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc81d8 | out: hHeap=0x4c0000) returned 1 [0085.923] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0096.355] CloseHandle (hObject=0x17c) returned 1 [0096.356] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.2E1F536426535688E557D599A1244432686752008EE1C48C79A907E3B40C5E6C" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml.2e1f536426535688e557d599a1244432686752008ee1c48c79a907e3b40c5e6c")) returned 1 [0096.357] GetProcessHeap () returned 0x4c0000 [0096.357] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0096.357] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0096.357] CloseHandle (hObject=0x178) returned 1 [0096.358] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.EE0E016AFC2D3347ACB4282A1C3B44A6565AF20BE7C703C9A046890890A8E444" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml.ee0e016afc2d3347acb4282a1c3b44a6565af20be7c703c9a046890890a8e444")) returned 1 [0096.359] GetProcessHeap () returned 0x4c0000 [0096.359] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x572b38 | out: hHeap=0x4c0000) returned 1 [0096.362] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0112.483] WriteFile (in: hFile=0x180, lpBuffer=0x3c7011c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c500e8 | out: lpBuffer=0x3c7011c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c500e8) returned 0x0 [0112.487] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0112.935] WriteFile (in: hFile=0x17c, lpBuffer=0x56cb2c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54caf8 | out: lpBuffer=0x56cb2c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54caf8) returned 0x0 [0112.937] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0113.117] ReadFile (in: hFile=0x180, lpBuffer=0x3b580d4, nNumberOfBytesToRead=0x3400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0) returned 1 [0113.117] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0113.206] WriteFile (in: hFile=0x16c, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x4200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0113.207] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0113.243] CloseHandle (hObject=0x178) returned 1 [0113.245] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms.9D011523D38B2CC8F24A0CF136958D7AF6DFA0F8D7DCE295445CEFF5A6D18128" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms.9d011523d38b2cc8f24a0cf136958d7af6dfa0f8d7dce295445ceff5a6d18128")) returned 1 [0113.245] GetProcessHeap () returned 0x4c0000 [0113.245] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0113.246] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0114.112] WriteFile (in: hFile=0x1b0, lpBuffer=0x3be8114, nNumberOfBytesToWrite=0x1c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0) returned 0x0 [0114.116] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0114.157] WriteFile (in: hFile=0x18c, lpBuffer=0x55cb24, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0) returned 0x0 [0114.386] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0114.416] ReadFile (in: hFile=0x1ac, lpBuffer=0x3cc003c, nNumberOfBytesToRead=0xc00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ca0008 | out: lpBuffer=0x3cc003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ca0008) returned 1 [0114.416] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0114.421] WriteFile (in: hFile=0x1ac, lpBuffer=0x3cc003c, nNumberOfBytesToWrite=0xc00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ca0008 | out: lpBuffer=0x3cc003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ca0008) returned 0x0 [0114.422] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0114.446] ReadFile (in: hFile=0x16c, lpBuffer=0x55cb24, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0) returned 0x0 [0114.449] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0114.478] CloseHandle (hObject=0x16c) returned 1 [0114.480] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\manifest.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\manifest.json.7A4109A72B032AC487F178545E94A726BA273F083F289290010E7C1CDAA03C52" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\manifest.json.7a4109a72b032ac487f178545e94a726ba273f083f289290010e7c1cdaa03c52")) returned 1 [0114.480] GetProcessHeap () returned 0x4c0000 [0114.480] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0114.480] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0114.752] ReadFile (in: hFile=0x184, lpBuffer=0x3cc003c, nNumberOfBytesToRead=0x2a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ca0008 | out: lpBuffer=0x3cc003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ca0008) returned 1 [0114.752] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0114.767] WriteFile (in: hFile=0x184, lpBuffer=0x3cc003c*, nNumberOfBytesToWrite=0x2a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ca0008 | out: lpBuffer=0x3cc003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ca0008) returned 1 [0114.771] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0114.788] CloseHandle (hObject=0x184) returned 1 [0114.789] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\verified_contents.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\verified_contents.json.9ACC0ACEB605A9035053493A1EF52F6E15888A6941453B7B5433763B200FB12E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\verified_contents.json.9acc0aceb605a9035053493a1ef52f6e15888a6941453b7b5433763b200fb12e")) returned 1 [0114.792] GetProcessHeap () returned 0x4c0000 [0114.793] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0114.793] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0114.840] ReadFile (in: hFile=0x184, lpBuffer=0x3cc003c, nNumberOfBytesToRead=0xc00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ca0008 | out: lpBuffer=0x3cc003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ca0008) returned 1 [0114.847] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0114.847] CloseHandle (hObject=0x184) returned 1 [0114.848] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png.3864D76E934E21780E4DD4A565971838E377D97554FADB83D227CF966FF77931" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png.3864d76e934e21780e4dd4a565971838e377d97554fadb83d227cf966ff77931")) returned 1 [0114.849] GetProcessHeap () returned 0x4c0000 [0114.849] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0114.849] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0114.881] ReadFile (in: hFile=0x184, lpBuffer=0x3cc003c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ca0008 | out: lpBuffer=0x3cc003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ca0008) returned 1 [0114.883] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0115.097] CloseHandle (hObject=0x184) returned 1 [0115.104] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\manifest.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\manifest.json.7CD3D65EF150BC893FC020337938E58B34FE70FCB5A6BFA01C99811282E1B17C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\manifest.json.7cd3d65ef150bc893fc020337938e58b34fe70fcb5a6bfa01c99811282e1b17c")) returned 1 [0115.105] GetProcessHeap () returned 0x4c0000 [0115.105] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.105] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0115.408] ReadFile (in: hFile=0x184, lpBuffer=0x3cc003c, nNumberOfBytesToRead=0x2a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ca0008 | out: lpBuffer=0x3cc003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ca0008) returned 1 [0115.421] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0115.663] ReadFile (in: hFile=0x1b0, lpBuffer=0x55cb24, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0) returned 1 [0115.681] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0115.687] CloseHandle (hObject=0x1b0) returned 1 [0115.711] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\manifest.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\manifest.json.BA758134093CEE3BB1B67EF500573B7F01CEA179D58BF283FA415E356725C018" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\manifest.json.ba758134093cee3bb1b67ef500573b7f01cea179d58bf283fa415e356725c018")) returned 1 [0115.711] GetProcessHeap () returned 0x4c0000 [0115.711] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0115.711] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0116.285] ReadFile (in: hFile=0x184, lpBuffer=0x3cc003c, nNumberOfBytesToRead=0x2a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ca0008 | out: lpBuffer=0x3cc003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ca0008) returned 1 [0116.285] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0116.334] ReadFile (in: hFile=0x16c, lpBuffer=0x55cb24, nNumberOfBytesToRead=0xc00, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0) returned 1 [0116.334] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0116.382] WriteFile (in: hFile=0x16c, lpBuffer=0x55cb24*, nNumberOfBytesToWrite=0xc00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0) returned 1 [0116.386] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0116.402] CloseHandle (hObject=0x184) returned 1 [0116.414] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\verified_contents.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\verified_contents.json.73F7AD2ACA3C005BA7CA4F0463FA4DA256E9EBE4E2442059451AE3A20D0A146A" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\verified_contents.json.73f7ad2aca3c005ba7ca4f0463fa4da256e9ebe4e2442059451ae3a20d0a146a")) returned 1 [0116.416] GetProcessHeap () returned 0x4c0000 [0116.416] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.420] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0117.216] WriteFile (in: hFile=0x16c, lpBuffer=0x584b74, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40) returned 0x0 [0117.217] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0117.428] CloseHandle (hObject=0x16c) returned 1 [0117.436] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\dasherSettingSchema.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\dashersettingschema.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\dasherSettingSchema.json.F9AF4DC8BF8E8CED47611370395AB8F0DDD7D057594E926D6B36716F9F41410C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\dashersettingschema.json.f9af4dc8bf8e8ced47611370395ab8f0ddd7d057594e926d6b36716f9f41410c")) returned 1 [0117.445] GetProcessHeap () returned 0x4c0000 [0117.445] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x564b40 | out: hHeap=0x4c0000) returned 1 [0117.446] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0118.023] WriteFile (in: hFile=0x1ac, lpBuffer=0x3b580d4, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0) returned 0x0 [0118.027] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0118.080] ReadFile (in: hFile=0x198, lpBuffer=0x3ba8174, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140) returned 1 [0118.080] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0118.084] WriteFile (in: hFile=0x198, lpBuffer=0x3ba8174, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140) returned 0x0 [0118.085] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0118.121] ReadFile (in: hFile=0x184, lpBuffer=0x3cc003c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ca0008 | out: lpBuffer=0x3cc003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ca0008) returned 1 [0118.121] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0118.122] CloseHandle (hObject=0x1b0) returned 1 [0118.123] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\verified_contents.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\verified_contents.json.9A8D14A4F0F4C83C8B66CEE9BCD204925F2D0F2540852EE61796FEE3F8B6250B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\verified_contents.json.9a8d14a4f0f4c83c8b66cee9bcd204925f2d0f2540852ee61796fee3f8b6250b")) returned 1 [0118.124] GetProcessHeap () returned 0x4c0000 [0118.124] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0118.124] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0118.154] ReadFile (in: hFile=0x1a0, lpBuffer=0x3c4008c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c20058 | out: lpBuffer=0x3c4008c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c20058) returned 1 [0118.157] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0118.192] ReadFile (in: hFile=0x1b0, lpBuffer=0x55cb24, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0) returned 1 [0118.192] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0118.269] CloseHandle (hObject=0x198) returned 1 [0118.269] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html.53549080C10940230558B01846628B08934F3C2F7B5B47FD5FF384C1C8CA3C63" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html.53549080c10940230558b01846628b08934f3c2f7b5b47fd5ff384c1c8ca3c63")) returned 1 [0118.270] GetProcessHeap () returned 0x4c0000 [0118.271] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b88140 | out: hHeap=0x4c0000) returned 1 [0118.271] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0118.658] WriteFile (in: hFile=0x16c, lpBuffer=0x3ba8174*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140) returned 1 [0118.660] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0118.718] CloseHandle (hObject=0x1a0) returned 1 [0118.719] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\messages.json.41E53C89C34DB59F064E5801D8356A4D9FC6896FEA44913EF6FE4083A3D9280D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\messages.json.41e53c89c34db59f064e5801d8356a4d9fc6896fea44913ef6fe4083a3d9280d")) returned 1 [0118.720] GetProcessHeap () returned 0x4c0000 [0118.720] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0118.723] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0118.905] ReadFile (in: hFile=0x198, lpBuffer=0x584b74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74*, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40) returned 1 [0118.906] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0118.932] WriteFile (in: hFile=0x1b0, lpBuffer=0x55cb24, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0) returned 0x0 [0119.034] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0119.055] CloseHandle (hObject=0x1b0) returned 1 [0119.057] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\messages.json.6A1AA59E914E1845D9F45A652B775FCCB0E229ADD94015204FBED8C097A21A08" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\messages.json.6a1aa59e914e1845d9f45a652b775fccb0e229add94015204fbed8c097a21a08")) returned 1 [0119.058] GetProcessHeap () returned 0x4c0000 [0119.058] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0119.059] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0119.077] CloseHandle (hObject=0x184) returned 1 [0119.079] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\messages.json.FBD7AFD8058316D805FB021F8F7967525DEDA3CF08AF67720EC390FB3B72DF5D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\messages.json.fbd7afd8058316d805fb021f8f7967525deda3cf08af67720ec390fb3b72df5d")) returned 1 [0119.080] GetProcessHeap () returned 0x4c0000 [0119.080] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0119.085] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0119.099] CloseHandle (hObject=0x1b8) returned 1 [0119.101] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\messages.json.89D0291962BDC644F7DD76C3A9173579886278CFAE94DA79A23FDE1FD5A2D42D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\messages.json.89d0291962bdc644f7dd76c3a9173579886278cfae94da79a23fde1fd5a2d42d")) returned 1 [0119.102] GetProcessHeap () returned 0x4c0000 [0119.102] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c71100 | out: hHeap=0x4c0000) returned 1 [0119.103] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0119.123] ReadFile (in: hFile=0x1b0, lpBuffer=0x3c690e4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c490b0 | out: lpBuffer=0x3c690e4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c490b0) returned 1 [0119.124] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0119.125] WriteFile (in: hFile=0x1b0, lpBuffer=0x3c690e4, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c490b0 | out: lpBuffer=0x3c690e4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c490b0) returned 0x0 [0119.127] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0119.207] ReadFile (in: hFile=0x1b8, lpBuffer=0x3c91134, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c71100 | out: lpBuffer=0x3c91134*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c71100) returned 1 [0119.210] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0119.327] WriteFile (in: hFile=0x1bc, lpBuffer=0x3ce11d4, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3cc11a0 | out: lpBuffer=0x3ce11d4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3cc11a0) returned 0x0 [0119.328] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0119.356] WriteFile (in: hFile=0x1a0, lpBuffer=0x55cb24, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0) returned 0x0 [0119.358] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0119.410] ReadFile (in: hFile=0x184, lpBuffer=0x3b580d4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0) returned 1 [0119.411] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0119.436] ReadFile (in: hFile=0x198, lpBuffer=0x3b80124, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0) returned 1 [0119.437] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0119.473] ReadFile (in: hFile=0x1b4, lpBuffer=0x3ba8174, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140) returned 1 [0119.473] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0119.525] ReadFile (in: hFile=0x1c0, lpBuffer=0x3d09224, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ce91f0 | out: lpBuffer=0x3d09224*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ce91f0) returned 1 [0119.525] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0119.572] WriteFile (in: hFile=0x16c, lpBuffer=0x584b74*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40) returned 1 [0119.622] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0119.623] WriteFile (in: hFile=0x1c4, lpBuffer=0x3d31274, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d11240 | out: lpBuffer=0x3d31274, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d11240) returned 0x0 [0119.632] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0119.632] CloseHandle (hObject=0x16c) returned 1 [0119.636] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\messages.json.AB21441C0E56F86A5D9F8845B5BD23626D871EFAB06561A81FC46506835CCF3F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\messages.json.ab21441c0e56f86a5d9f8845b5bd23626d871efab06561a81fc46506835ccf3f")) returned 1 [0119.642] GetProcessHeap () returned 0x4c0000 [0119.642] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x564b40 | out: hHeap=0x4c0000) returned 1 [0119.642] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0119.847] WriteFile (in: hFile=0x1b0, lpBuffer=0x584b74, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40) returned 0x0 [0120.053] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0123.465] WriteFile (in: hFile=0x16c, lpBuffer=0x55cb24, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0) returned 0x0 [0123.641] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0123.641] CloseHandle (hObject=0x1d4) returned 1 [0123.691] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\messages.json.4B097F5D2E44119D8BE519DB703C9A98B294360B86B040E5CD5C1C6F9A515209" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\messages.json.4b097f5d2e44119d8be519db703c9a98b294360b86b040e5cd5c1c6f9a515209")) returned 1 [0123.702] GetProcessHeap () returned 0x4c0000 [0123.702] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b88140 | out: hHeap=0x4c0000) returned 1 [0123.702] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0124.684] CloseHandle (hObject=0x1c8) returned 1 [0124.698] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\messages.json.63D81BBEE0AF82847B2ED5486AABF211040AD75B2190FE91A2A2DAB01F4D6210" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\messages.json.63d81bbee0af82847b2ed5486aabf211040ad75b2190fe91a2a2dab01f4d6210")) returned 1 [0124.703] GetProcessHeap () returned 0x4c0000 [0124.703] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ce9008 | out: hHeap=0x4c0000) returned 1 [0124.703] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0124.732] WriteFile (in: hFile=0x1ac, lpBuffer=0x3b580d4, nNumberOfBytesToWrite=0x5400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0) returned 0x0 [0124.743] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0124.743] CloseHandle (hObject=0x1dc) returned 1 [0124.747] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\messages.json.5427BB106E8DDFF9A0E59245704F4A5C0E5465EC3D2865A50DB76C4B58AFB667" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\messages.json.5427bb106e8ddff9a0e59245704f4a5c0e5465ec3d2865a50db76c4b58afb667")) returned 1 [0124.750] GetProcessHeap () returned 0x4c0000 [0124.750] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0124.755] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0125.726] ReadFile (in: hFile=0x1d4, lpBuffer=0x3b580d4, nNumberOfBytesToRead=0x3e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0) returned 1 [0125.726] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0126.739] CloseHandle (hObject=0x1d0) returned 1 [0126.763] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\messages.json.B3AADDBDF05A04EC3225E52C3A18A4934AA6B4AA959BB7D949FFB87931BF523A" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\messages.json.b3aaddbdf05a04ec3225e52c3a18a4934aa6b4aa959bb7d949ffb87931bf523a")) returned 1 [0126.767] GetProcessHeap () returned 0x4c0000 [0126.767] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3cc2198 | out: hHeap=0x4c0000) returned 1 [0126.770] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0126.770] CloseHandle (hObject=0x1cc) returned 1 [0126.773] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\messages.json.77349D3737F35C2FFA50BC2706BD12FAFE7F7DEBE7348C7F38B013C8A86E2E55" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\messages.json.77349d3737f35c2ffa50bc2706bd12fafe7f7debe7348c7f38b013c8a86e2e55")) returned 1 [0126.778] GetProcessHeap () returned 0x4c0000 [0126.778] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0126.779] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0129.844] WriteFile (in: hFile=0x1d8, lpBuffer=0x3b580d4, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0) returned 0x0 [0129.853] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0137.016] WriteFile (in: hFile=0x1d4, lpBuffer=0x3be8114, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0) returned 0x0 [0137.592] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0137.633] WriteFile (in: hFile=0x154, lpBuffer=0x3ce21cc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3cc2198 | out: lpBuffer=0x3ce21cc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3cc2198) returned 1 [0137.698] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0137.698] CloseHandle (hObject=0xec) returned 1 [0137.704] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Mml91SMnftMo.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\mml91smnftmo.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Mml91SMnftMo.jpg.8D31D5AA6143DCDBE2224298323D3B2617FF112C48248D38F946491B56BF757C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\mml91smnftmo.jpg.8d31d5aa6143dcdbe2224298323d3b2617ff112c48248d38f946491b56bf757c")) returned 1 [0137.736] GetProcessHeap () returned 0x4c0000 [0137.736] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0137.737] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0137.737] CloseHandle (hObject=0x120) returned 1 [0137.739] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\ry-Eoee1Dqk.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\ry-eoee1dqk.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\ry-Eoee1Dqk.m4a.2A4207E8523D0BF18AF256384EBAB74C3C5C3F772EBA6DEFF6B9269690AEF91B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\ry-eoee1dqk.m4a.2a4207e8523d0bf18af256384ebab74c3c5c3f772eba6deff6b9269690aef91b")) returned 1 [0137.754] GetProcessHeap () returned 0x4c0000 [0137.754] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3cea1e8 | out: hHeap=0x4c0000) returned 1 [0137.754] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0153.408] ReadFile (in: hFile=0x184, lpBuffer=0x3b580d4, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0) returned 1 [0153.409] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0153.438] CloseHandle (hObject=0x184) returned 1 [0153.439] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\bghxGGm.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\bghxggm.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\bghxGGm.m4a.91AADE2D04270B9F5E40588A28B93852CBD98D1A677093990AE56E365C46AA02" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\bghxggm.m4a.91aade2d04270b9f5e40588a28b93852cbd98d1a677093990ae56e365c46aa02")) returned 1 [0153.440] GetProcessHeap () returned 0x4c0000 [0153.440] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0153.440] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0153.481] WriteFile (in: hFile=0x18c, lpBuffer=0x573b64*, nNumberOfBytesToWrite=0x6a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30) returned 1 [0153.483] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0165.195] ReadFile (in: hFile=0x180, lpBuffer=0x522abc, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0165.197] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0165.222] CloseHandle (hObject=0x180) returned 1 [0165.236] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\09_music_played_the_most.wpl"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl.1ED940281124A60E5487E99A8C637D57B1AF417AB9C38BF8ACE5F5E2FCFFE96D" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\09_music_played_the_most.wpl.1ed940281124a60e5487e99a8c637d57b1af417ab9c38bf8ace5f5e2fcffe96d")) returned 1 [0165.239] GetProcessHeap () returned 0x4c0000 [0165.239] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0165.243] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0165.392] ReadFile (in: hFile=0x194, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0165.394] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0165.442] CloseHandle (hObject=0x1d8) returned 1 [0165.443] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\12_all_video.wpl"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl.55076685D306777AF0C1F3AC7A70BC379B295B595AB88F21658E64DC05B74149" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\12_all_video.wpl.55076685d306777af0c1f3ac7a70bc379b295b595ab88f21658e64dc05b74149")) returned 1 [0165.444] GetProcessHeap () returned 0x4c0000 [0165.444] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0165.445] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0165.552] ReadFile (in: hFile=0x1d8, lpBuffer=0x3c9212c, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8) returned 1 [0165.556] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0165.588] ReadFile (in: hFile=0x19c, lpBuffer=0x3cba17c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c9a148 | out: lpBuffer=0x3cba17c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c9a148) returned 1 [0165.589] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0165.632] WriteFile (in: hFile=0x19c, lpBuffer=0x3cba17c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c9a148 | out: lpBuffer=0x3cba17c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c9a148) returned 0x0 [0165.634] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0165.661] ReadFile (in: hFile=0xec, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0165.662] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0165.705] WriteFile (in: hFile=0xec, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0165.706] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0165.736] ReadFile (in: hFile=0x1c0, lpBuffer=0x54ab0c, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x52aad8 | out: lpBuffer=0x54ab0c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52aad8) returned 1 [0165.736] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0165.758] WriteFile (in: hFile=0x1c0, lpBuffer=0x54ab0c, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52aad8 | out: lpBuffer=0x54ab0c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52aad8) returned 0x0 [0165.759] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0165.782] CloseHandle (hObject=0x194) returned 1 [0165.792] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\account{047ef9ce-9c1f-4250-9ca7-d206db8b643c}.oeaccount"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount.77ADB0CC0D08E2854DD1AB6F1F3C4E436D3EB0768223D2ECC523CFF83EE3C31D" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\account{047ef9ce-9c1f-4250-9ca7-d206db8b643c}.oeaccount.77adb0cc0d08e2854dd1ab6f1f3c4e436d3eb0768223d2ecc523cff83ee3c31d")) returned 1 [0165.793] GetProcessHeap () returned 0x4c0000 [0165.793] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0165.794] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0165.800] CloseHandle (hObject=0x19c) returned 1 [0165.802] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\edb00001.log" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\backup\\new\\edb00001.log"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\edb00001.log.FD9FDE1A94C2A6FC5039C669C61E36A74E8277D80A88DF92E396928E8E0E443E" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\backup\\new\\edb00001.log.fd9fde1a94c2a6fc5039c669c61e36a74e8277d80a88df92e396928e8e0e443e")) returned 1 [0165.803] GetProcessHeap () returned 0x4c0000 [0165.803] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c9a148 | out: hHeap=0x4c0000) returned 1 [0165.804] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0165.806] CloseHandle (hObject=0xec) returned 1 [0165.807] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.MSMessageStore" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\backup\\new\\windowsmail.msmessagestore"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.MSMessageStore.3321F43FDDA548AF0E71A95B5BB8CBEA226BDE1B2AA163A9D5F6A821F4E93535" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\backup\\new\\windowsmail.msmessagestore.3321f43fdda548af0e71a95b5bb8cbea226bde1b2aa163a9d5f6a821f4e93535")) returned 1 [0165.808] GetProcessHeap () returned 0x4c0000 [0165.809] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0165.813] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0165.828] ReadFile (in: hFile=0x128, lpBuffer=0x572b5c, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x552b28 | out: lpBuffer=0x572b5c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x552b28) returned 1 [0165.842] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0166.003] WriteFile (in: hFile=0x19c, lpBuffer=0x3c2007c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 0x0 [0166.004] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0166.248] WriteFile (in: hFile=0x19c, lpBuffer=0x3c2007c, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 0x0 [0166.252] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0166.258] ReadFile (in: hFile=0x1c0, lpBuffer=0x3cba17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c9a148 | out: lpBuffer=0x3cba17c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c9a148) returned 1 [0166.259] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0166.283] ReadFile (in: hFile=0x19c, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x5c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0166.283] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0166.310] WriteFile (in: hFile=0x19c, lpBuffer=0x3c2007c, nNumberOfBytesToWrite=0x5c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 0x0 [0166.407] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0166.408] CloseHandle (hObject=0x1c0) returned 1 [0166.409] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini.D46221214271A54A1D099504F292953F6A31AD73110E4EA540245C6D9C6DD34F" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\desktop.ini.d46221214271a54a1d099504f292953f6a31ad73110e4ea540245c6d9c6dd34f")) returned 1 [0166.412] GetProcessHeap () returned 0x4c0000 [0166.412] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c9a148 | out: hHeap=0x4c0000) returned 1 [0166.412] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0166.469] CloseHandle (hObject=0xec) returned 1 [0166.470] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edbres00002.jrs"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs.157E88DE486C7C5A24A6D6658111EF96C36B0CAB5057982E3B54F2306C9C452D" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edbres00002.jrs.157e88de486c7c5a24a6d6658111ef96c36b0cab5057982e3b54f2306c9c452d")) returned 1 [0166.471] GetProcessHeap () returned 0x4c0000 [0166.471] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c720f8 | out: hHeap=0x4c0000) returned 1 [0166.471] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0166.549] WriteFile (in: hFile=0x1b8, lpBuffer=0x3b4809c*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b28068 | out: lpBuffer=0x3b4809c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b28068) returned 1 [0166.550] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08) returned 1 [0166.554] CloseHandle (hObject=0x194) returned 1 [0166.577] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\handprints.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg.5EC27664728110919B0204A6B858C47DBAA05E474CFF61E2CF6C1DAB4B1F9D37" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\handprints.jpg.5ec27664728110919b0204a6b858c47dbaa05e474cff61e2cf6c1dab4b1f9d37")) returned 1 [0166.580] GetProcessHeap () returned 0x4c0000 [0166.580] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52aad8 | out: hHeap=0x4c0000) returned 1 [0166.580] GetQueuedCompletionStatus (CompletionPort=0x94, lpNumberOfBytesTransferred=0x23afe10, lpCompletionKey=0x23afe0c, lpOverlapped=0x23afe08, dwMilliseconds=0xffffffff) Thread: id = 5 os_tid = 0x7d4 [0061.327] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0078.984] ReadFile (in: hFile=0x170, lpBuffer=0x3b480cc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b28098 | out: lpBuffer=0x3b480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b28098) returned 1 [0078.985] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0079.019] WriteFile (in: hFile=0x170, lpBuffer=0x3b480cc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b28098 | out: lpBuffer=0x3b480cc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b28098) returned 0x0 [0079.040] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0079.067] ReadFile (in: hFile=0x178, lpBuffer=0x3b7011c, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b500e8 | out: lpBuffer=0x3b7011c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b500e8) returned 1 [0079.082] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0079.168] ReadFile (in: hFile=0x180, lpBuffer=0x3b7011c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b500e8 | out: lpBuffer=0x3b7011c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b500e8) returned 1 [0079.168] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0079.211] WriteFile (in: hFile=0x180, lpBuffer=0x3b7011c*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b500e8 | out: lpBuffer=0x3b7011c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b500e8) returned 1 [0079.212] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0080.200] ReadFile (in: hFile=0x18c, lpBuffer=0x3b9816c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b78138 | out: lpBuffer=0x3b9816c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b78138) returned 1 [0080.201] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0080.252] WriteFile (in: hFile=0x18c, lpBuffer=0x3b9816c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b78138 | out: lpBuffer=0x3b9816c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b78138) returned 0x0 [0080.253] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0080.284] ReadFile (in: hFile=0x188, lpBuffer=0x3b2007c, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b00048 | out: lpBuffer=0x3b2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b00048) returned 1 [0080.285] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0080.287] WriteFile (in: hFile=0x188, lpBuffer=0x3b2007c*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b00048 | out: lpBuffer=0x3b2007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b00048) returned 1 [0080.288] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0080.289] CloseHandle (hObject=0x188) returned 1 [0080.294] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.E410D7C6512B17208DE3D30B8AF1D0E8671AB7A8B193210DAD04906CC0512D48" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml.e410d7c6512b17208de3d30b8af1d0e8671ab7a8b193210dad04906cc0512d48")) returned 1 [0080.295] GetProcessHeap () returned 0x4c0000 [0080.295] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0080.298] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0080.369] ReadFile (in: hFile=0x188, lpBuffer=0x3b2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b00048 | out: lpBuffer=0x3b2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b00048) returned 1 [0080.718] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0080.809] WriteFile (in: hFile=0x174, lpBuffer=0x592b6c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x572b38 | out: lpBuffer=0x592b6c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x572b38) returned 0x0 [0080.810] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0081.703] WriteFile (in: hFile=0x198, lpBuffer=0x3c480cc, nNumberOfBytesToWrite=0x1600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098) returned 0x0 [0082.827] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0082.876] WriteFile (in: hFile=0x180, lpBuffer=0x3b9816c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b78138 | out: lpBuffer=0x3b9816c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b78138) returned 0x0 [0082.879] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0083.839] WriteFile (in: hFile=0x18c, lpBuffer=0x3c7011c, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c500e8 | out: lpBuffer=0x3c7011c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c500e8) returned 0x0 [0083.841] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0083.892] CloseHandle (hObject=0x18c) returned 1 [0083.904] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.80501B3FACF99BAF61A5A1A5FF01CEEB899D9783DEE414322CC2E89D8EC17C73" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml.80501b3facf99baf61a5a1a5ff01ceeb899d9783dee414322cc2e89d8ec17c73")) returned 1 [0083.905] GetProcessHeap () returned 0x4c0000 [0083.905] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c500e8 | out: hHeap=0x4c0000) returned 1 [0083.906] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0083.972] ReadFile (in: hFile=0x18c, lpBuffer=0x3b7011c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b500e8 | out: lpBuffer=0x3b7011c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b500e8) returned 1 [0083.973] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0084.032] WriteFile (in: hFile=0x18c, lpBuffer=0x3b7011c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b500e8 | out: lpBuffer=0x3b7011c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b500e8) returned 0x0 [0084.033] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0084.520] ReadFile (in: hFile=0x178, lpBuffer=0x592b6c, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x572b38 | out: lpBuffer=0x592b6c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x572b38) returned 1 [0084.520] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0085.048] CloseHandle (hObject=0x19c) returned 1 [0096.929] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.A739F126497A2FB97B1232E52372B93B802AB4E0B4F950AD600E3200E51CAC22" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab.a739f126497a2fb97b1232e52372b93b802ab4e0b4f950ad600e3200e51cac22")) returned 1 [0096.930] GetProcessHeap () returned 0x4c0000 [0096.930] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c78138 | out: hHeap=0x4c0000) returned 1 [0096.932] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0096.935] CloseHandle (hObject=0x194) returned 1 [0096.939] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.1FF5A92ECF74EEAFCFCF7D5CE945B409DC7B6B0E207C9760C4D454D835E9513A" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab.1ff5a92ecf74eeafcfcf7d5ce945b409dc7b6b0e207c9760c4d454d835e9513a")) returned 1 [0096.939] GetProcessHeap () returned 0x4c0000 [0096.939] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c500e8 | out: hHeap=0x4c0000) returned 1 [0096.940] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0096.974] WriteFile (in: hFile=0x1a0, lpBuffer=0x592b6c*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x572b38 | out: lpBuffer=0x592b6c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x572b38) returned 1 [0096.976] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0096.977] CloseHandle (hObject=0x1a0) returned 1 [0096.978] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.2A574D844285EBCF941041108B741C8D5597F787F5DA7B0F43EFDBB405AEC60F" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml.2a574d844285ebcf941041108b741c8d5597f787f5da7b0f43efdbb405aec60f")) returned 1 [0096.979] GetProcessHeap () returned 0x4c0000 [0096.979] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x572b38 | out: hHeap=0x4c0000) returned 1 [0096.979] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0096.988] CloseHandle (hObject=0x184) returned 1 [0096.999] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.B6281D1F9CB970C4A1F08F325560BC49462D4B597E66D9F551CFB16E52837F75" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml.b6281d1f9cb970c4a1f08f325560bc49462d4b597e66d9f551cfb16e52837f75")) returned 1 [0097.000] GetProcessHeap () returned 0x4c0000 [0097.000] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x54aae8 | out: hHeap=0x4c0000) returned 1 [0097.000] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0097.016] ReadFile (in: hFile=0x174, lpBuffer=0x592b6c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x572b38 | out: lpBuffer=0x592b6c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x572b38) returned 1 [0097.017] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0097.051] WriteFile (in: hFile=0x174, lpBuffer=0x592b6c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x572b38 | out: lpBuffer=0x592b6c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x572b38) returned 0x0 [0097.053] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0097.112] WriteFile (in: hFile=0x170, lpBuffer=0x3c2007c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 0x0 [0097.114] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0097.114] ReadFile (in: hFile=0x1a0, lpBuffer=0x56ab1c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x54aae8 | out: lpBuffer=0x56ab1c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x54aae8) returned 1 [0097.115] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0097.263] ReadFile (in: hFile=0x170, lpBuffer=0x592b6c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x572b38 | out: lpBuffer=0x592b6c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x572b38) returned 1 [0097.362] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0097.441] ReadFile (in: hFile=0x184, lpBuffer=0x3b480cc, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b28098 | out: lpBuffer=0x3b480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b28098) returned 1 [0097.441] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0097.453] WriteFile (in: hFile=0x184, lpBuffer=0x3b480cc*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b28098 | out: lpBuffer=0x3b480cc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b28098) returned 1 [0097.454] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0097.455] CloseHandle (hObject=0x184) returned 1 [0097.457] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.5AF8DC2C0538A4A4E8BCE29AC0736865C174FB3FAD88A96497331AA85C348F49" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest.5af8dc2c0538a4a4e8bce29ac0736865c174fb3fad88a96497331aa85c348f49")) returned 1 [0097.459] GetProcessHeap () returned 0x4c0000 [0097.459] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b28098 | out: hHeap=0x4c0000) returned 1 [0097.459] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0097.702] CloseHandle (hObject=0x198) returned 1 [0097.703] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe.06E27AE0C7BAB1861848F0F58087E390C2280DEF989794A897B392FCBF59E712" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe.06e27ae0c7bab1861848f0f58087e390c2280def989794a897b392fcbf59e712")) returned 1 [0097.704] GetProcessHeap () returned 0x4c0000 [0097.704] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0097.704] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0098.548] ReadFile (in: hFile=0x1a0, lpBuffer=0x3b9816c, nNumberOfBytesToRead=0xa00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b78138 | out: lpBuffer=0x3b9816c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b78138) returned 1 [0098.548] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0098.551] WriteFile (in: hFile=0x1a0, lpBuffer=0x3b9816c, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b78138 | out: lpBuffer=0x3b9816c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b78138) returned 0x0 [0098.554] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0098.601] ReadFile (in: hFile=0x19c, lpBuffer=0x3b7011c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b500e8 | out: lpBuffer=0x3b7011c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b500e8) returned 1 [0098.601] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0098.638] WriteFile (in: hFile=0x19c, lpBuffer=0x3b7011c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b500e8 | out: lpBuffer=0x3b7011c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b500e8) returned 0x0 [0098.639] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0098.816] CloseHandle (hObject=0x180) returned 1 [0098.819] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe.376524B85512BBA0B218415F278B797AB1EFFB24934745B33ADE3BF8D4DE0730" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe.376524b85512bba0b218415f278b797ab1effb24934745b33ade3bf8d4de0730")) returned 1 [0098.820] GetProcessHeap () returned 0x4c0000 [0098.820] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0098.821] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0099.875] WriteFile (in: hFile=0x180, lpBuffer=0x3c480cc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098) returned 1 [0099.877] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0099.878] CloseHandle (hObject=0x180) returned 1 [0099.878] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.5786C007691F5154CA8E9F7B6271C76BBCB3054A549645529D14D6CF5B979807" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab.5786c007691f5154ca8e9f7b6271c76bbcb3054a549645529d14d6cf5b979807")) returned 1 [0099.879] GetProcessHeap () returned 0x4c0000 [0099.879] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0099.879] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0101.107] WriteFile (in: hFile=0x180, lpBuffer=0x592b6c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x572b38 | out: lpBuffer=0x592b6c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x572b38) returned 0x0 [0101.109] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0101.636] WriteFile (in: hFile=0x1a4, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x2e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0101.638] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0101.759] ReadFile (in: hFile=0x170, lpBuffer=0x572b5c, nNumberOfBytesToRead=0x3800, lpNumberOfBytesRead=0x0, lpOverlapped=0x552b28 | out: lpBuffer=0x572b5c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x552b28) returned 1 [0101.854] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0101.857] CloseHandle (hObject=0x198) returned 1 [0101.859] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrsecupd10111.msp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp.6EFB53755298338D49BC31AD38D03298154F0E45C01421EB29FF3B6259B3E372" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrsecupd10111.msp.6efb53755298338d49bc31ad38d03298154f0e45c01421eb29ff3b6259b3e372")) returned 1 [0101.859] GetProcessHeap () returned 0x4c0000 [0101.859] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0101.862] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0101.864] CloseHandle (hObject=0x188) returned 1 [0101.865] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrupd10116_mui.msp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp.D336B87C9E58C5E83AFBC1DB96D0321E8B688F7A76293F3AF3A708A9B1D9063E" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrupd10116_mui.msp.d336b87c9e58c5e83afbc1db96d0321e8b688f7a76293f3af3a708a9b1d9063e")) returned 1 [0101.866] GetProcessHeap () returned 0x4c0000 [0101.866] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b90108 | out: hHeap=0x4c0000) returned 1 [0101.866] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0101.868] CloseHandle (hObject=0x1a0) returned 1 [0101.869] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrupd10110_mui.msp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp.9B94FAE1DE8A8D1F8B3B7E0A5140F0EC23B03C51C370B6268777A40E0278B159" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrupd10110_mui.msp.9b94fae1de8a8d1f8b3b7e0a5140f0ec23b03c51c370b6268777a40e0278b159")) returned 1 [0101.870] GetProcessHeap () returned 0x4c0000 [0101.870] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b680b8 | out: hHeap=0x4c0000) returned 1 [0101.870] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0101.872] CloseHandle (hObject=0x184) returned 1 [0101.878] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mtoc_help.h1h"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H.2F73440F24E136C69EA5A6F82EF3D88B31B8DED242F53CBDB49D0288E3C4DC44" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mtoc_help.h1h.2f73440f24e136c69ea5a6f82ef3d88b31b8ded242f53cbdb49d0288e3c4dc44")) returned 1 [0101.878] GetProcessHeap () returned 0x4c0000 [0101.879] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52aad8 | out: hHeap=0x4c0000) returned 1 [0101.879] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0101.898] ReadFile (in: hFile=0x194, lpBuffer=0x59abac, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x57ab78 | out: lpBuffer=0x59abac*, lpNumberOfBytesRead=0x0, lpOverlapped=0x57ab78) returned 1 [0101.899] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0101.928] WriteFile (in: hFile=0x194, lpBuffer=0x59abac, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x57ab78 | out: lpBuffer=0x59abac, lpNumberOfBytesWritten=0x0, lpOverlapped=0x57ab78) returned 0x0 [0101.929] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0101.996] ReadFile (in: hFile=0x18c, lpBuffer=0x54ab0c, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x52aad8 | out: lpBuffer=0x54ab0c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52aad8) returned 1 [0101.996] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0101.998] WriteFile (in: hFile=0x18c, lpBuffer=0x54ab0c*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52aad8 | out: lpBuffer=0x54ab0c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52aad8) returned 1 [0102.001] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0102.002] CloseHandle (hObject=0x18c) returned 1 [0102.004] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.B561E2563A1A68E95F5715D7BAC0D4A7C50D247E8DD6231ACEB4569785CAE934" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.b561e2563a1a68e95f5715d7bac0d4a7c50d247e8dd6231aceb4569785cae934")) returned 1 [0102.005] GetProcessHeap () returned 0x4c0000 [0102.005] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52aad8 | out: hHeap=0x4c0000) returned 1 [0102.005] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0102.022] CloseHandle (hObject=0x1a4) returned 1 [0102.023] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_bestbet.h1w"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W.50F6A07C60D278C4612A964316DD245C601439A9DDA0BAE896A3800610FF332C" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_bestbet.h1w.50f6a07c60d278c4612a964316dd245c601439a9dda0bae896a3800610ff332c")) returned 1 [0102.024] GetProcessHeap () returned 0x4c0000 [0102.024] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0102.025] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0102.030] CloseHandle (hObject=0x194) returned 1 [0102.032] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help{9daa54e8-cd95-4107-8e7f-ba3f24732d95}.h1q"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q.6843B124B43D72E3CA51BC778B138312ECA7D0C80408A0A07A89D3A3C276663F" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help{9daa54e8-cd95-4107-8e7f-ba3f24732d95}.h1q.6843b124b43d72e3ca51bc778b138312eca7d0c80408a0a07a89d3a3c276663f")) returned 1 [0102.033] GetProcessHeap () returned 0x4c0000 [0102.033] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x57ab78 | out: hHeap=0x4c0000) returned 1 [0102.036] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0102.163] ReadFile (in: hFile=0x1a4, lpBuffer=0x3be8194, nNumberOfBytesToRead=0x3c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc8160 | out: lpBuffer=0x3be8194*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc8160) returned 1 [0102.163] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0102.183] WriteFile (in: hFile=0x1a4, lpBuffer=0x3be8194, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc8160 | out: lpBuffer=0x3be8194, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc8160) returned 0x0 [0102.196] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0102.216] ReadFile (in: hFile=0x16c, lpBuffer=0x3b580d4, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0) returned 1 [0102.217] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0102.261] WriteFile (in: hFile=0x16c, lpBuffer=0x3b580d4, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0) returned 0x0 [0102.262] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0102.315] ReadFile (in: hFile=0x194, lpBuffer=0x3b80124, nNumberOfBytesToRead=0x3a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0) returned 1 [0102.315] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0102.349] WriteFile (in: hFile=0x194, lpBuffer=0x3b80124, nNumberOfBytesToWrite=0x3a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0) returned 0x0 [0102.365] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0102.443] ReadFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0102.443] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0102.600] CloseHandle (hObject=0x18c) returned 1 [0102.605] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL" (normalized: "c:\\programdata\\microsoft\\mf\\pending.grl"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL.F71BE3414F88B865378397818EA61300363202F81D6F4E589D92C244E6BE5C5E" (normalized: "c:\\programdata\\microsoft\\mf\\pending.grl.f71be3414f88b865378397818ea61300363202f81d6f4e589d92c244e6be5c5e")) returned 1 [0102.606] GetProcessHeap () returned 0x4c0000 [0102.606] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b88140 | out: hHeap=0x4c0000) returned 1 [0102.606] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0103.544] WriteFile (in: hFile=0x16c, lpBuffer=0x59cbbc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x57cb88 | out: lpBuffer=0x59cbbc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x57cb88) returned 0x0 [0103.545] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0106.097] CloseHandle (hObject=0x16c) returned 1 [0106.099] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\onintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll.FA5F95295C7A39EBFBA6715D24A72C14EDD0F0324DC42D50BEDCF77B53AA951D" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\onintl.dll.trx_dll.fa5f95295c7a39ebfba6715d24a72c14edd0f0324dc42d50bedcf77b53aa951d")) returned 1 [0106.100] GetProcessHeap () returned 0x4c0000 [0106.100] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0106.100] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0107.244] WriteFile (in: hFile=0x194, lpBuffer=0x574b6c, nNumberOfBytesToWrite=0x3800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x554b38 | out: lpBuffer=0x574b6c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x554b38) returned 0x0 [0107.252] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0107.576] CloseHandle (hObject=0xec) returned 1 [0107.579] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\xlintl32.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll.7B427BF273288E96C84523C9A05CCE75A2FACC1AADC9DE342F70167E82998F23" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\xlintl32.dll.trx_dll.7b427bf273288e96c84523c9a05cce75a2facc1aadc9de342f70167e82998f23")) returned 1 [0107.639] GetProcessHeap () returned 0x4c0000 [0107.639] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc8160 | out: hHeap=0x4c0000) returned 1 [0107.639] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0108.023] WriteFile (in: hFile=0x194, lpBuffer=0x3be8194, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc8160 | out: lpBuffer=0x3be8194, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc8160) returned 0x0 [0108.025] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0108.763] WriteFile (in: hFile=0x18c, lpBuffer=0x3bd810c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bb80d8 | out: lpBuffer=0x3bd810c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bb80d8) returned 0x0 [0108.765] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0108.986] CloseHandle (hObject=0x1a4) returned 1 [0108.987] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" (normalized: "c:\\programdata\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\patch\\x64\\windows6.1-kb2999226-x64.msu"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu.2EF59AB4291BFB01F766E117A36470A8045E464F1AF6DFD7AB8A2523E4BA7F51" (normalized: "c:\\programdata\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\patch\\x64\\windows6.1-kb2999226-x64.msu.2ef59ab4291bfb01f766e117a36470a8045e464f1af6dfd7ab8a2523e4ba7f51")) returned 1 [0108.987] GetProcessHeap () returned 0x4c0000 [0108.987] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0108.991] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0109.558] CloseHandle (hObject=0x178) returned 1 [0109.560] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi.B1FD35E1F10B95B5743E2C2A05F8965A3888AC73D5AF78B74977FF52B6777866" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi.b1fd35e1f10b95b5743e2c2a05f8965a3888ac73d5af78b74977ff52b6777866")) returned 1 [0109.563] GetProcessHeap () returned 0x4c0000 [0109.563] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bb80d8 | out: hHeap=0x4c0000) returned 1 [0109.566] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0109.667] WriteFile (in: hFile=0x178, lpBuffer=0x3bd810c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bb80d8 | out: lpBuffer=0x3bd810c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bb80d8) returned 0x0 [0109.669] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0109.846] ReadFile (in: hFile=0x174, lpBuffer=0x3ba8174, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140) returned 1 [0109.846] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0109.888] WriteFile (in: hFile=0x174, lpBuffer=0x3ba8174, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140) returned 0x0 [0109.890] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0110.261] WriteFile (in: hFile=0x174, lpBuffer=0x3ba8174, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140) returned 0x0 [0110.319] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0110.398] ReadFile (in: hFile=0x18c, lpBuffer=0x3b580d4, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0) returned 1 [0110.398] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0110.548] WriteFile (in: hFile=0x19c, lpBuffer=0x3b80124*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0) returned 1 [0110.729] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0110.747] ReadFile (in: hFile=0x1a4, lpBuffer=0x3b580d4, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0) returned 1 [0110.747] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0110.851] WriteFile (in: hFile=0x114, lpBuffer=0x3bd810c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bb80d8 | out: lpBuffer=0x3bd810c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bb80d8) returned 0x0 [0110.854] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0111.568] CloseHandle (hObject=0x180) returned 1 [0111.598] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm.A0C15149EDF323A786F4295FB405142E4FB45E0C103368D416630710831CEB30" (normalized: "c:\\programdata\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm.a0c15149edf323a786f4295fb405142e4fb45e0c103368d416630710831ceb30")) returned 1 [0111.947] GetProcessHeap () returned 0x4c0000 [0111.947] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0111.950] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0111.970] ReadFile (in: hFile=0x184, lpBuffer=0x58fb54, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x56fb20 | out: lpBuffer=0x58fb54*, lpNumberOfBytesRead=0x0, lpOverlapped=0x56fb20) returned 1 [0111.971] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0112.040] ReadFile (in: hFile=0x16c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0112.040] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0112.072] ReadFile (in: hFile=0x198, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x1400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0112.073] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0112.096] ReadFile (in: hFile=0x17c, lpBuffer=0x3b80124, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0) returned 1 [0112.097] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0112.132] ReadFile (in: hFile=0x178, lpBuffer=0x3ba8174, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140) returned 1 [0112.132] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0112.162] ReadFile (in: hFile=0x1ac, lpBuffer=0x3c9816c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c78138 | out: lpBuffer=0x3c9816c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c78138) returned 1 [0112.163] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0112.544] WriteFile (in: hFile=0x16c, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0112.565] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0112.593] ReadFile (in: hFile=0x1b0, lpBuffer=0x3cc01bc, nNumberOfBytesToRead=0xa00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ca0188 | out: lpBuffer=0x3cc01bc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ca0188) returned 1 [0112.593] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0112.773] CloseHandle (hObject=0x1ac) returned 1 [0112.775] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\profiles\\wscrgb.icc"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc.B652D1C7334DB14EB13F9AD18DE2B6651A67E7A377000C2C5AAE7E64B5028473" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\profiles\\wscrgb.icc.b652d1c7334db14eb13f9ad18de2b6651a67e7a377000c2c5aae7e64b5028473")) returned 1 [0112.941] GetProcessHeap () returned 0x4c0000 [0112.941] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c78138 | out: hHeap=0x4c0000) returned 1 [0112.945] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0113.116] ReadFile (in: hFile=0x1ac, lpBuffer=0x3c9816c, nNumberOfBytesToRead=0x3c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c78138 | out: lpBuffer=0x3c9816c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c78138) returned 1 [0113.116] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0113.268] WriteFile (in: hFile=0x180, lpBuffer=0x3b580d4, nNumberOfBytesToWrite=0x3400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0) returned 0x0 [0113.270] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0113.414] ReadFile (in: hFile=0x16c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x3800, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0113.414] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0113.453] WriteFile (in: hFile=0x194, lpBuffer=0x3be8114, nNumberOfBytesToWrite=0x2e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0) returned 0x0 [0113.454] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0113.467] ReadFile (in: hFile=0x174, lpBuffer=0x3b2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b00048 | out: lpBuffer=0x3b2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b00048) returned 1 [0113.467] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0113.509] WriteFile (in: hFile=0x174, lpBuffer=0x3b2007c*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b00048 | out: lpBuffer=0x3b2007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b00048) returned 1 [0113.510] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0113.511] CloseHandle (hObject=0x174) returned 1 [0113.513] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\gdipfontcachev1.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT.7B0A3B26DBCE335514E78D8448381BEE33BB6412EB050F5847174DA22E49A818" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\gdipfontcachev1.dat.7b0a3b26dbce335514e78d8448381bee33bb6412eb050f5847174da22e49a818")) returned 1 [0113.514] GetProcessHeap () returned 0x4c0000 [0113.514] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0113.514] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0113.613] ReadFile (in: hFile=0x18c, lpBuffer=0x55cb24, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0) returned 1 [0113.614] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0113.662] CloseHandle (hObject=0x18c) returned 1 [0113.662] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_0" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_0"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_0.FDCDEA98DE189465C2CF0AC1C7741B1DF351ABED3305D10AC962EB94490F697C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_0.fdcdea98de189465c2cf0ac1c7741b1df351abed3305d10ac962eb94490f697c")) returned 1 [0113.665] GetProcessHeap () returned 0x4c0000 [0113.665] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0113.665] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0113.736] WriteFile (in: hFile=0x178, lpBuffer=0x584b74*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40) returned 1 [0114.164] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0114.365] CloseHandle (hObject=0x1ac) returned 1 [0114.366] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\index" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\index"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\index.6E51FC49791A5CD616C3BBBC3474EE5902C3C5E4454330708792C9D2E306FB59" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\index.6e51fc49791a5cd616c3bbbc3474ee5902c3c5e4454330708792c9d2e306fb59")) returned 1 [0114.367] GetProcessHeap () returned 0x4c0000 [0114.367] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0114.368] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0115.680] WriteFile (in: hFile=0x1b0, lpBuffer=0x55cb24*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0) returned 1 [0115.681] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0116.334] ReadFile (in: hFile=0x1b0, lpBuffer=0x584b74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74*, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40) returned 1 [0116.334] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0116.375] WriteFile (in: hFile=0x184, lpBuffer=0x3cc003c*, nNumberOfBytesToWrite=0x2a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ca0008 | out: lpBuffer=0x3cc003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ca0008) returned 1 [0116.385] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0116.414] CloseHandle (hObject=0x1b0) returned 1 [0116.423] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\manifest.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\manifest.json.D939505F9CF0CDB91DD6F98E46EAC3709AA680515575A059D6105877A2056268" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\manifest.json.d939505f9cf0cdb91dd6f98e46eac3709aa680515575a059d6105877a2056268")) returned 1 [0116.429] GetProcessHeap () returned 0x4c0000 [0116.429] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x564b40 | out: hHeap=0x4c0000) returned 1 [0116.430] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0116.682] ReadFile (in: hFile=0x1b0, lpBuffer=0x3cc003c, nNumberOfBytesToRead=0x2600, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ca0008 | out: lpBuffer=0x3cc003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ca0008) returned 1 [0116.682] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0116.715] WriteFile (in: hFile=0x1b0, lpBuffer=0x3cc003c, nNumberOfBytesToWrite=0x2600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ca0008 | out: lpBuffer=0x3cc003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ca0008) returned 0x0 [0116.719] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0116.720] CloseHandle (hObject=0x1b0) returned 1 [0116.721] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\verified_contents.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\verified_contents.json.2CB6DEB86925B34BAD2D404B71CD6EDA345142C869C30ACFF0F23FC77A80911D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\verified_contents.json.2cb6deb86925b34bad2d404b71cd6eda345142c869c30acff0f23fc77a80911d")) returned 1 [0116.722] GetProcessHeap () returned 0x4c0000 [0116.722] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.722] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0116.744] ReadFile (in: hFile=0x1b0, lpBuffer=0x3cc003c, nNumberOfBytesToRead=0xc00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ca0008 | out: lpBuffer=0x3cc003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ca0008) returned 1 [0116.744] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0116.749] WriteFile (in: hFile=0x1b0, lpBuffer=0x3cc003c, nNumberOfBytesToWrite=0xc00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ca0008 | out: lpBuffer=0x3cc003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ca0008) returned 0x0 [0116.750] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0116.775] ReadFile (in: hFile=0x1ac, lpBuffer=0x55cb24, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0) returned 1 [0116.776] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0116.777] WriteFile (in: hFile=0x1ac, lpBuffer=0x55cb24, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0) returned 0x0 [0116.778] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0116.778] CloseHandle (hObject=0x1ac) returned 1 [0116.779] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\manifest.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\manifest.json.CF24996714D0C626465C21AB107884EBAE20EF5821089745F781B954BC57E51E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\manifest.json.cf24996714d0c626465c21ab107884ebae20ef5821089745f781b954bc57e51e")) returned 1 [0116.780] GetProcessHeap () returned 0x4c0000 [0116.780] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0116.780] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0116.870] CloseHandle (hObject=0x1b0) returned 1 [0116.872] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png.2C6357AD8B9E1B516F59238DFFBE7A9DAEED2363A6109232478ED7DE208DFA02" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png.2c6357ad8b9e1b516f59238dffbe7a9daeed2363a6109232478ed7de208dfa02")) returned 1 [0116.873] GetProcessHeap () returned 0x4c0000 [0116.873] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0116.873] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0117.056] ReadFile (in: hFile=0x17c, lpBuffer=0x3cc003c, nNumberOfBytesToRead=0x2a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ca0008 | out: lpBuffer=0x3cc003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ca0008) returned 1 [0117.056] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0117.072] WriteFile (in: hFile=0x17c, lpBuffer=0x3cc003c*, nNumberOfBytesToWrite=0x2a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ca0008 | out: lpBuffer=0x3cc003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ca0008) returned 1 [0117.075] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0117.076] CloseHandle (hObject=0x17c) returned 1 [0117.077] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\verified_contents.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\verified_contents.json.DA6300507FC162F911C6AC5C0BAF0DDA38F7DC91B1F71C669148A3C1B3738857" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\verified_contents.json.da6300507fc162f911c6ac5c0baf0dda38f7dc91b1f71c669148a3c1b3738857")) returned 1 [0117.078] GetProcessHeap () returned 0x4c0000 [0117.078] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.078] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0117.123] ReadFile (in: hFile=0x17c, lpBuffer=0x3cc003c, nNumberOfBytesToRead=0x1200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ca0008 | out: lpBuffer=0x3cc003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ca0008) returned 1 [0117.123] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0117.152] WriteFile (in: hFile=0x17c, lpBuffer=0x3cc003c, nNumberOfBytesToWrite=0x1200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ca0008 | out: lpBuffer=0x3cc003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ca0008) returned 0x0 [0117.218] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0117.219] CloseHandle (hObject=0x17c) returned 1 [0117.219] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png.AD3059910042926EFCC2423458D45D1FE057405A56B5D64044C296690F3C8009" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png.ad3059910042926efcc2423458d45d1fe057405a56b5d64044c296690f3c8009")) returned 1 [0117.220] GetProcessHeap () returned 0x4c0000 [0117.220] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0117.220] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0117.229] ReadFile (in: hFile=0x1b0, lpBuffer=0x3b580d4, nNumberOfBytesToRead=0x5a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0) returned 1 [0117.230] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0117.251] WriteFile (in: hFile=0x1b0, lpBuffer=0x3b580d4, nNumberOfBytesToWrite=0x5a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0) returned 0x0 [0117.252] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0117.330] ReadFile (in: hFile=0x17c, lpBuffer=0x3cc003c, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ca0008 | out: lpBuffer=0x3cc003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ca0008) returned 1 [0117.330] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0117.332] WriteFile (in: hFile=0x17c, lpBuffer=0x3cc003c, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ca0008 | out: lpBuffer=0x3cc003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ca0008) returned 0x0 [0117.333] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0117.429] CloseHandle (hObject=0x1b0) returned 1 [0117.438] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\eventpage_bin_prod.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\eventpage_bin_prod.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\eventpage_bin_prod.js.CB5C16A1058D9D16E452970072C6AEB91619DFA5733195355E21EB3B5CDDB749" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\eventpage_bin_prod.js.cb5c16a1058d9d16e452970072c6aeb91619dfa5733195355e21eb3b5cddb749")) returned 1 [0117.451] GetProcessHeap () returned 0x4c0000 [0117.451] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0117.451] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0117.528] ReadFile (in: hFile=0x17c, lpBuffer=0x55cb24, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0) returned 1 [0117.528] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0117.529] WriteFile (in: hFile=0x17c, lpBuffer=0x55cb24*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0) returned 1 [0117.530] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0117.531] CloseHandle (hObject=0x17c) returned 1 [0117.532] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\messages.json.83F37AE5BF0BCCD6B91CD24C71801D2B9CADFE0E3C0710A7AC25603A40DEAC4F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\messages.json.83f37ae5bf0bccd6b91cd24c71801d2b9cadfe0e3c0710a7ac25603a40deac4f")) returned 1 [0117.533] GetProcessHeap () returned 0x4c0000 [0117.533] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0117.533] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0117.602] ReadFile (in: hFile=0x1ac, lpBuffer=0x55cb24, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0) returned 1 [0117.603] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0117.606] WriteFile (in: hFile=0x1ac, lpBuffer=0x55cb24*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0) returned 1 [0117.609] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0117.680] WriteFile (in: hFile=0x17c, lpBuffer=0x55cb24*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0) returned 1 [0117.794] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0117.876] WriteFile (in: hFile=0x1b0, lpBuffer=0x55cb24, nNumberOfBytesToWrite=0x4400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0) returned 0x0 [0117.877] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0117.920] ReadFile (in: hFile=0x17c, lpBuffer=0x584b74, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74*, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40) returned 1 [0117.920] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0117.944] ReadFile (in: hFile=0x1ac, lpBuffer=0x3b580d4, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0) returned 1 [0117.944] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0117.972] ReadFile (in: hFile=0x114, lpBuffer=0x3b80124, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0) returned 1 [0117.972] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0118.078] WriteFile (in: hFile=0x17c, lpBuffer=0x584b74, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40) returned 0x0 [0118.080] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0118.267] WriteFile (in: hFile=0x1b0, lpBuffer=0x55cb24, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0) returned 0x0 [0118.289] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0118.294] CloseHandle (hObject=0x1ac) returned 1 [0118.295] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_window.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_window.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_window.js.DBE5BF0A00E03F7B113EFFA32BAED20BF65941D749DDC951F021CA6E7EB8294E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_window.js.dbe5bf0a00e03f7b113effa32baed20bf65941d749ddc951f021ca6e7eb8294e")) returned 1 [0118.296] GetProcessHeap () returned 0x4c0000 [0118.296] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0118.296] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0118.301] CloseHandle (hObject=0x17c) returned 1 [0118.303] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_background.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_background.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_background.js.51FEE13F9AAA665EB32D8AE79F11F8954185350BAF35F318D1FD548C2B047169" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_background.js.51fee13f9aaa665eb32d8ae79f11f8954185350baf35f318d1fd548c2b047169")) returned 1 [0118.304] GetProcessHeap () returned 0x4c0000 [0118.304] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x564b40 | out: hHeap=0x4c0000) returned 1 [0118.307] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0118.332] ReadFile (in: hFile=0x1b0, lpBuffer=0x55cb24, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0) returned 1 [0118.332] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0118.333] WriteFile (in: hFile=0x1b0, lpBuffer=0x55cb24*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0) returned 1 [0118.335] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0118.335] CloseHandle (hObject=0x1b0) returned 1 [0118.337] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\messages.json.BB720A1169D6AF66EEB6808254B22B25B03C40373093C7B4C3B4A7D2FF955733" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\messages.json.bb720a1169d6af66eeb6808254b22b25b03c40373093c7b4c3b4a7d2ff955733")) returned 1 [0118.338] GetProcessHeap () returned 0x4c0000 [0118.338] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0118.339] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0118.374] ReadFile (in: hFile=0x16c, lpBuffer=0x56cb2c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x54caf8 | out: lpBuffer=0x56cb2c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x54caf8) returned 1 [0118.374] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0118.375] WriteFile (in: hFile=0x16c, lpBuffer=0x56cb2c, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54caf8 | out: lpBuffer=0x56cb2c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54caf8) returned 0x0 [0118.377] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0118.417] ReadFile (in: hFile=0x17c, lpBuffer=0x3b580d4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0) returned 1 [0118.417] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0118.419] CloseHandle (hObject=0x1a0) returned 1 [0118.420] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png.8AF9F83DFC9139A7844948E3820E12C44E2DB19264AFCC7EF9622306E5BBD615" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png.8af9f83dfc9139a7844948e3820e12c44e2db19264afcc7ef9622306e5bbd615")) returned 1 [0118.421] GetProcessHeap () returned 0x4c0000 [0118.421] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0118.421] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0118.499] WriteFile (in: hFile=0x17c, lpBuffer=0x3b580d4, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0) returned 0x0 [0118.501] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0118.505] ReadFile (in: hFile=0x1b0, lpBuffer=0x3cc003c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ca0008 | out: lpBuffer=0x3cc003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ca0008) returned 1 [0118.505] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0118.516] WriteFile (in: hFile=0x1b0, lpBuffer=0x3cc003c, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ca0008 | out: lpBuffer=0x3cc003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ca0008) returned 0x0 [0118.521] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0118.521] CloseHandle (hObject=0x1b0) returned 1 [0118.522] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\messages.json.DE925410C78280C1FC021844934E373B161A525A10D7B86E05ABC991479D9F48" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\messages.json.de925410c78280c1fc021844934e373b161a525a10d7b86e05abc991479d9f48")) returned 1 [0118.523] GetProcessHeap () returned 0x4c0000 [0118.523] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0118.523] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0118.544] CloseHandle (hObject=0x16c) returned 1 [0118.545] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\messages.json.F6816CE787B8B86D59BFE5DC6B6D2F9D28F22125A9D8308F99DA2C2C62003472" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\messages.json.f6816ce787b8b86d59bfe5dc6b6d2f9d28f22125a9d8308f99da2c2c62003472")) returned 1 [0118.546] GetProcessHeap () returned 0x4c0000 [0118.546] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x54caf8 | out: hHeap=0x4c0000) returned 1 [0118.547] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0118.553] ReadFile (in: hFile=0x1ac, lpBuffer=0x3b80124, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0) returned 1 [0118.553] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0118.555] WriteFile (in: hFile=0x1ac, lpBuffer=0x3b80124*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0) returned 1 [0118.570] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0118.571] CloseHandle (hObject=0x1ac) returned 1 [0118.571] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\messages.json.7230E6FE1DF5C3F4A3629F56CF49821215AE1418C5E345E7587C3CB1FFEC1D14" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\messages.json.7230e6fe1df5c3f4a3629f56cf49821215ae1418c5e345e7587c3cb1ffec1d14")) returned 1 [0118.572] GetProcessHeap () returned 0x4c0000 [0118.573] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0118.573] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0118.650] ReadFile (in: hFile=0x184, lpBuffer=0x3b80124, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0) returned 1 [0118.650] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0118.651] WriteFile (in: hFile=0x184, lpBuffer=0x3b80124*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0) returned 1 [0118.653] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0118.653] CloseHandle (hObject=0x184) returned 1 [0118.654] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\messages.json.29B79113657F870CD5AA01B8AACD339A00FD48D3387BD1836D065AE479EAEC17" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\messages.json.29b79113657f870cd5aa01b8aacd339a00fd48d3387bd1836d065ae479eaec17")) returned 1 [0118.655] GetProcessHeap () returned 0x4c0000 [0118.655] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0118.657] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0118.660] CloseHandle (hObject=0x16c) returned 1 [0118.661] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_gb\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\messages.json.6AAE164380F76B0C5E98CDC7DEF72032BC41A2BEFAE30AB6DF82188CEEB8E60F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_gb\\messages.json.6aae164380f76b0c5e98cdc7def72032bc41a2befae30ab6df82188ceeb8e60f")) returned 1 [0118.662] GetProcessHeap () returned 0x4c0000 [0118.662] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b88140 | out: hHeap=0x4c0000) returned 1 [0118.662] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0118.715] CloseHandle (hObject=0x17c) returned 1 [0118.716] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\messages.json.BEB99719CC30145A7A9C1A38C3E4107964B2C32C52AD5189C632AA08DF9C6369" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\messages.json.beb99719cc30145a7a9c1a38c3e4107964b2c32c52ad5189c632aa08df9c6369")) returned 1 [0118.717] GetProcessHeap () returned 0x4c0000 [0118.717] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0118.718] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0118.934] WriteFile (in: hFile=0x1a0, lpBuffer=0x3c4008c, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c20058 | out: lpBuffer=0x3c4008c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c20058) returned 0x0 [0118.944] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0119.032] WriteFile (in: hFile=0x1b8, lpBuffer=0x3c91134, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c71100 | out: lpBuffer=0x3c91134, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c71100) returned 0x0 [0119.033] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0119.043] CloseHandle (hObject=0x1b4) returned 1 [0119.045] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\messages.json.A24142CC7C850AFE12B073FD7C4FC3EEDEACC172F0F8BAD9B0CE6C5272A83C21" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\messages.json.a24142cc7c850afe12b073fd7c4fc3eedeacc172f0f8bad9b0ce6c5272a83c21")) returned 1 [0119.046] GetProcessHeap () returned 0x4c0000 [0119.046] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c490b0 | out: hHeap=0x4c0000) returned 1 [0119.046] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0119.555] CloseHandle (hObject=0x1a0) returned 1 [0119.613] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\messages.json.30489C633BBEB494AE0E401A89EF5FFA2145D6856641DF915C2FA4FF9E3AC92A" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\messages.json.30489c633bbeb494ae0e401a89ef5ffa2145d6856641df915c2fa4ff9e3ac92a")) returned 1 [0119.646] GetProcessHeap () returned 0x4c0000 [0119.646] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0119.646] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0119.730] WriteFile (in: hFile=0x198, lpBuffer=0x3b580d4, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0) returned 0x0 [0119.732] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0119.733] WriteFile (in: hFile=0x184, lpBuffer=0x3b80124, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0) returned 0x0 [0119.733] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0119.760] WriteFile (in: hFile=0x16c, lpBuffer=0x55cb24, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0) returned 0x0 [0119.761] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0119.843] CloseHandle (hObject=0x1c0) returned 1 [0120.048] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_br\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\messages.json.A11FC3242D0EB01016922905919B0215B50E5851C1BFD104131F407FD5546873" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_br\\messages.json.a11fc3242d0eb01016922905919b0215b50e5851c1bfd104131f407fd5546873")) returned 1 [0120.072] GetProcessHeap () returned 0x4c0000 [0120.072] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ce91f0 | out: hHeap=0x4c0000) returned 1 [0120.073] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0120.117] ReadFile (in: hFile=0x198, lpBuffer=0x55cb24, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0) returned 1 [0120.120] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0120.145] ReadFile (in: hFile=0x16c, lpBuffer=0x3d0903c, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ce9008 | out: lpBuffer=0x3d0903c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ce9008) returned 1 [0120.145] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0120.174] ReadFile (in: hFile=0x1c4, lpBuffer=0x3d3108c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d11058 | out: lpBuffer=0x3d3108c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d11058) returned 1 [0120.174] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0120.242] ReadFile (in: hFile=0x1c4, lpBuffer=0x3d3108c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d11058 | out: lpBuffer=0x3d3108c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d11058) returned 1 [0120.243] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0120.245] CloseHandle (hObject=0x198) returned 1 [0120.296] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\messages.json.FA583394EC2B5522F11E4B42004F2BFF51F90E6D753E140D303E9FBEF9A6870C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\messages.json.fa583394ec2b5522f11e4b42004f2bff51f90e6d753e140d303e9fbef9a6870c")) returned 1 [0120.297] GetProcessHeap () returned 0x4c0000 [0120.297] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0120.298] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0120.384] ReadFile (in: hFile=0x16c, lpBuffer=0x3d0903c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ce9008 | out: lpBuffer=0x3d0903c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ce9008) returned 1 [0120.384] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0120.401] WriteFile (in: hFile=0x1b4, lpBuffer=0x3ba8174*, nNumberOfBytesToWrite=0x2c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140) returned 1 [0120.402] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0120.419] CloseHandle (hObject=0x1b4) returned 1 [0120.421] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\verified_contents.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\verified_contents.json.545882CE48D487AFF2543F76AB03316D5CF211D34078E58085F54287FF591D3F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\verified_contents.json.545882ce48d487aff2543f76ab03316d5cf211d34078e58085f54287ff591d3f")) returned 1 [0120.422] GetProcessHeap () returned 0x4c0000 [0120.422] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b88140 | out: hHeap=0x4c0000) returned 1 [0120.424] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0120.428] CloseHandle (hObject=0x1c4) returned 1 [0120.449] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\messages.json.79D3A98CBF7B168123743DADC81C5E9E959F92A231D06601C000D62EEC4E0127" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\messages.json.79d3a98cbf7b168123743dadc81c5e9e959f92a231d06601c000d62eec4e0127")) returned 1 [0120.450] GetProcessHeap () returned 0x4c0000 [0120.450] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3d11058 | out: hHeap=0x4c0000) returned 1 [0120.451] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0120.517] ReadFile (in: hFile=0x16c, lpBuffer=0x3c680dc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c480a8 | out: lpBuffer=0x3c680dc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c480a8) returned 1 [0120.517] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0120.533] WriteFile (in: hFile=0x184, lpBuffer=0x3c4008c*, nNumberOfBytesToWrite=0x1800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c20058 | out: lpBuffer=0x3c4008c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c20058) returned 1 [0120.534] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0120.541] CloseHandle (hObject=0x16c) returned 1 [0120.542] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\manifest.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\manifest.json.8EAA27DA89FE4BE917D78DD6A234715173E12C045BC16249A46C877DF62CF376" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\manifest.json.8eaa27da89fe4be917d78dd6a234715173e12c045bc16249a46c877df62cf376")) returned 1 [0120.543] GetProcessHeap () returned 0x4c0000 [0120.543] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c480a8 | out: hHeap=0x4c0000) returned 1 [0120.550] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0121.096] WriteFile (in: hFile=0x1c4, lpBuffer=0x3c4008c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c20058 | out: lpBuffer=0x3c4008c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c20058) returned 0x0 [0121.098] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0121.155] ReadFile (in: hFile=0x16c, lpBuffer=0x55cb24, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0) returned 1 [0121.155] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0121.188] ReadFile (in: hFile=0x178, lpBuffer=0x3d0903c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ce9008 | out: lpBuffer=0x3d0903c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ce9008) returned 1 [0121.188] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0121.415] WriteFile (in: hFile=0x16c, lpBuffer=0x55cb24, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0) returned 0x0 [0121.416] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0121.742] CloseHandle (hObject=0x16c) returned 1 [0121.743] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_game_sender.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_game_sender.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_game_sender.js.1C1B58FE9F5DB6DF089C6328EB509CE040DB7EE62A4E2A811EBDF9069B0ED207" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_game_sender.js.1c1b58fe9f5db6df089c6328eb509ce040db7ee62a4e2a811ebdf9069b0ed207")) returned 1 [0121.745] GetProcessHeap () returned 0x4c0000 [0121.745] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0121.745] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0121.750] CloseHandle (hObject=0x17c) returned 1 [0121.751] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html.9E3B71FBBA9BB382F94A34EAE4FCCF95CEEA88D7D9904057E0C7140537811C45" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html.9e3b71fbba9bb382f94a34eae4fccf95ceea88d7d9904057e0c7140537811c45")) returned 1 [0121.752] GetProcessHeap () returned 0x4c0000 [0121.752] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c720f8 | out: hHeap=0x4c0000) returned 1 [0121.752] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0121.769] ReadFile (in: hFile=0x16c, lpBuffer=0x55cb24, nNumberOfBytesToRead=0x800, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0) returned 1 [0121.769] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0121.791] ReadFile (in: hFile=0x1b0, lpBuffer=0x3c9212c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8) returned 1 [0121.791] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0121.822] ReadFile (in: hFile=0x17c, lpBuffer=0x3cba17c, nNumberOfBytesToRead=0xc00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c9a148 | out: lpBuffer=0x3cba17c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c9a148) returned 1 [0121.823] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0121.843] ReadFile (in: hFile=0x1a0, lpBuffer=0x3d590dc, nNumberOfBytesToRead=0x3800, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d390a8 | out: lpBuffer=0x3d590dc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d390a8) returned 1 [0121.843] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0121.866] ReadFile (in: hFile=0x1bc, lpBuffer=0x3d8112c, nNumberOfBytesToRead=0x2a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d610f8 | out: lpBuffer=0x3d8112c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d610f8) returned 1 [0121.866] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0121.883] WriteFile (in: hFile=0x1bc, lpBuffer=0x3d8112c, nNumberOfBytesToWrite=0x2a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d610f8 | out: lpBuffer=0x3d8112c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d610f8) returned 0x0 [0121.884] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0121.886] CloseHandle (hObject=0x1bc) returned 1 [0121.886] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback_script.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback_script.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback_script.js.65A4F2AA168A94D4AF57BABFF0362784349AAFB467684DABFCE7ACCCC9516938" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback_script.js.65a4f2aa168a94d4af57babff0362784349aafb467684dabfce7acccc9516938")) returned 1 [0121.887] GetProcessHeap () returned 0x4c0000 [0121.887] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3d610f8 | out: hHeap=0x4c0000) returned 1 [0121.887] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0121.900] ReadFile (in: hFile=0x1c8, lpBuffer=0x3da917c, nNumberOfBytesToRead=0x800, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d89148 | out: lpBuffer=0x3da917c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d89148) returned 1 [0121.900] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0121.903] CloseHandle (hObject=0x1c8) returned 1 [0121.904] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\manifest.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\manifest.json.1714ACDB02222F46261D227AD61F9448B63B4DC101FB5171D17882DD5DC69867" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\manifest.json.1714acdb02222f46261d227ad61f9448b63b4dc101fb5171d17882dd5dc69867")) returned 1 [0121.905] GetProcessHeap () returned 0x4c0000 [0121.905] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3d89148 | out: hHeap=0x4c0000) returned 1 [0121.905] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0121.925] ReadFile (in: hFile=0x1c8, lpBuffer=0x3d8112c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d610f8 | out: lpBuffer=0x3d8112c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d610f8) returned 1 [0121.926] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0121.929] CloseHandle (hObject=0x1c4) returned 1 [0121.930] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\angular.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\angular.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\angular.js.B49BA54FE595E3AB24C4577EB5748C46BD51DE1AEFEEA47EA0FD90A2F6E2A363" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\angular.js.b49ba54fe595e3ab24c4577eb5748c46bd51de1aefeea47ea0fd90a2f6e2a363")) returned 1 [0121.931] GetProcessHeap () returned 0x4c0000 [0121.931] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0121.931] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0121.961] WriteFile (in: hFile=0x1c8, lpBuffer=0x3d8112c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d610f8 | out: lpBuffer=0x3d8112c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d610f8) returned 0x0 [0121.963] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0121.979] ReadFile (in: hFile=0x1bc, lpBuffer=0x3da917c, nNumberOfBytesToRead=0x7c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d89148 | out: lpBuffer=0x3da917c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d89148) returned 1 [0121.979] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0122.009] WriteFile (in: hFile=0x1bc, lpBuffer=0x3da917c, nNumberOfBytesToWrite=0x7c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d89148 | out: lpBuffer=0x3da917c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d89148) returned 0x0 [0122.010] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0122.026] ReadFile (in: hFile=0x1c4, lpBuffer=0x3c4008c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c20058 | out: lpBuffer=0x3c4008c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c20058) returned 1 [0122.026] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0122.082] CloseHandle (hObject=0x1bc) returned 1 [0122.091] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_cast_streaming.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_cast_streaming.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_cast_streaming.js.A0CFA3EAF65F8AD4DA0BB46E2EBBED853A1259E51A1773A9E6C18AD96D696869" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_cast_streaming.js.a0cfa3eaf65f8ad4da0bb46e2ebbed853a1259e51a1773a9e6c18ad96d696869")) returned 1 [0122.092] GetProcessHeap () returned 0x4c0000 [0122.092] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3d89148 | out: hHeap=0x4c0000) returned 1 [0122.092] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0122.096] ReadFile (in: hFile=0x1cc, lpBuffer=0x3dd11cc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db1198 | out: lpBuffer=0x3dd11cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db1198) returned 1 [0122.096] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0122.137] WriteFile (in: hFile=0x1cc, lpBuffer=0x3dd11cc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db1198 | out: lpBuffer=0x3dd11cc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db1198) returned 0x0 [0122.138] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0122.215] WriteFile (in: hFile=0x1ac, lpBuffer=0x3da917c, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d89148 | out: lpBuffer=0x3da917c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d89148) returned 0x0 [0122.216] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0122.224] CloseHandle (hObject=0x1ac) returned 1 [0122.225] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_webrtc.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_webrtc.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_webrtc.js.4408CFC26037DB42CCEEC568F275FCBC280F0F2EACDC9D69C2694C87B0E1B149" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_webrtc.js.4408cfc26037db42cceec568f275fcbc280f0f2eacdc9d69c2694c87b0e1b149")) returned 1 [0122.226] GetProcessHeap () returned 0x4c0000 [0122.226] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3d89148 | out: hHeap=0x4c0000) returned 1 [0122.226] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0122.248] ReadFile (in: hFile=0x1ac, lpBuffer=0x3da917c, nNumberOfBytesToRead=0x4400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d89148 | out: lpBuffer=0x3da917c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d89148) returned 1 [0122.248] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0122.263] WriteFile (in: hFile=0x1ac, lpBuffer=0x3da917c, nNumberOfBytesToWrite=0x4400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d89148 | out: lpBuffer=0x3da917c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d89148) returned 0x0 [0122.264] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0122.292] CloseHandle (hObject=0x1b4) returned 1 [0122.294] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\messages.json.366B322A7CF54FF64BDE16BB5D2EDCA816E3693898DD0F076F691D2C802A7A58" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\messages.json.366b322a7cf54ff64bde16bb5d2edca816e3693898dd0f076f691d2c802a7a58")) returned 1 [0122.295] GetProcessHeap () returned 0x4c0000 [0122.295] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0122.295] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0122.295] CloseHandle (hObject=0x1ac) returned 1 [0122.296] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\messages.json.177266775646C96894FB075F2C3F2FDC39DBD46B911A4E2597C8F661CE95D631" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\messages.json.177266775646c96894fb075f2c3f2fdc39dbd46b911a4e2597c8f661ce95d631")) returned 1 [0122.297] GetProcessHeap () returned 0x4c0000 [0122.297] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3d89148 | out: hHeap=0x4c0000) returned 1 [0122.297] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0122.303] ReadFile (in: hFile=0x198, lpBuffer=0x584b74, nNumberOfBytesToRead=0x4a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74*, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40) returned 1 [0122.303] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0122.326] WriteFile (in: hFile=0x198, lpBuffer=0x584b74*, nNumberOfBytesToWrite=0x4a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40) returned 1 [0122.327] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0122.378] CloseHandle (hObject=0x1cc) returned 1 [0122.410] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_hangouts.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_hangouts.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_hangouts.js.7CFEEDFA9346F982C744F369F555A2A21B2D3A4B10F4E4AD91290458ABF9352D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_hangouts.js.7cfeedfa9346f982c744f369f555a2a21b2d3a4b10f4e4ad91290458abf9352d")) returned 1 [0122.411] GetProcessHeap () returned 0x4c0000 [0122.411] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3db1198 | out: hHeap=0x4c0000) returned 1 [0122.412] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0122.501] WriteFile (in: hFile=0x17c, lpBuffer=0x3cba17c, nNumberOfBytesToWrite=0xc00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c9a148 | out: lpBuffer=0x3cba17c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c9a148) returned 0x0 [0122.507] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0122.773] WriteFile (in: hFile=0x1c0, lpBuffer=0x3d8112c, nNumberOfBytesToWrite=0x4a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d610f8 | out: lpBuffer=0x3d8112c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d610f8) returned 0x0 [0122.926] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0123.485] WriteFile (in: hFile=0x1cc, lpBuffer=0x3d3108c, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d11058 | out: lpBuffer=0x3d3108c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d11058) returned 0x0 [0123.642] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0123.663] WriteFile (in: hFile=0x1d8, lpBuffer=0x406007c, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x4040048 | out: lpBuffer=0x406007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x4040048) returned 0x0 [0123.692] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0123.692] CloseHandle (hObject=0x16c) returned 1 [0123.697] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.js.67B61AD535BDD9E387E94BDA3154A0A75A106F088A381DFE17E2A7ED42ECF91D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.js.67b61ad535bdd9e387e94bda3154a0a75a106f088a381dfe17e2a7ed42ecf91d")) returned 1 [0123.708] GetProcessHeap () returned 0x4c0000 [0123.708] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0123.709] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0124.624] CloseHandle (hObject=0x1d0) returned 1 [0124.756] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\messages.json.855CA535428773573A87C7522CE5434ED0091AFB168AC41EC11744EA84CF4773" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\messages.json.855ca535428773573a87c7522ce5434ed0091afb168ac41ec11744ea84cf4773")) returned 1 [0124.757] GetProcessHeap () returned 0x4c0000 [0124.757] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0124.758] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0124.815] ReadFile (in: hFile=0x1e4, lpBuffer=0x3b80124, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0) returned 1 [0124.837] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0125.787] ReadFile (in: hFile=0x1a0, lpBuffer=0x584b74, nNumberOfBytesToRead=0x3e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74*, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40) returned 1 [0125.788] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0125.873] WriteFile (in: hFile=0x1dc, lpBuffer=0x3b80124, nNumberOfBytesToWrite=0x3e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0) returned 0x0 [0125.875] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0125.912] WriteFile (in: hFile=0x1ac, lpBuffer=0x3cba17c, nNumberOfBytesToWrite=0x3e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c9a148 | out: lpBuffer=0x3cba17c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c9a148) returned 0x0 [0125.914] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0125.931] ReadFile (in: hFile=0x1e4, lpBuffer=0x3c9212c, nNumberOfBytesToRead=0x3e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8) returned 1 [0125.931] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0126.040] CloseHandle (hObject=0x1ac) returned 1 [0126.041] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\messages.json.7BAF6E4A91B06D895AE9A3F30765919566A637B83F8D57E0D807F77A1B6B7C5C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\messages.json.7baf6e4a91b06d895ae9a3f30765919566a637b83f8d57e0d807f77a1b6b7c5c")) returned 1 [0126.042] GetProcessHeap () returned 0x4c0000 [0126.042] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c9a148 | out: hHeap=0x4c0000) returned 1 [0126.047] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0126.072] ReadFile (in: hFile=0x1b0, lpBuffer=0x3c4008c, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c20058 | out: lpBuffer=0x3c4008c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c20058) returned 1 [0126.072] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0126.155] ReadFile (in: hFile=0x1ac, lpBuffer=0x3c680dc, nNumberOfBytesToRead=0x4800, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c480a8 | out: lpBuffer=0x3c680dc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c480a8) returned 1 [0126.155] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0126.157] ReadFile (in: hFile=0x1dc, lpBuffer=0x3cba17c, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c9a148 | out: lpBuffer=0x3cba17c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c9a148) returned 1 [0126.158] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0126.275] ReadFile (in: hFile=0x1a0, lpBuffer=0x3b580d4, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0) returned 1 [0126.275] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0126.314] WriteFile (in: hFile=0x1e4, lpBuffer=0x3c9212c, nNumberOfBytesToWrite=0x4800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8) returned 0x0 [0126.315] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0126.326] ReadFile (in: hFile=0x1cc, lpBuffer=0x3b80124, nNumberOfBytesToRead=0x3e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0) returned 1 [0126.326] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0126.358] WriteFile (in: hFile=0x1cc, lpBuffer=0x3b80124, nNumberOfBytesToWrite=0x3e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0) returned 0x0 [0126.360] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0126.423] ReadFile (in: hFile=0x16c, lpBuffer=0x584b74, nNumberOfBytesToRead=0x5400, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74*, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40) returned 1 [0126.423] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0126.464] WriteFile (in: hFile=0x1e4, lpBuffer=0x3c9212c, nNumberOfBytesToWrite=0x5600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8) returned 0x0 [0126.466] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0126.654] ReadFile (in: hFile=0x178, lpBuffer=0x3d5a2bc, nNumberOfBytesToRead=0x4200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d3a288 | out: lpBuffer=0x3d5a2bc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d3a288) returned 1 [0126.655] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0126.672] WriteFile (in: hFile=0x1d8, lpBuffer=0x3d3226c, nNumberOfBytesToWrite=0x4800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d12238 | out: lpBuffer=0x3d3226c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d12238) returned 0x0 [0126.674] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0126.699] CloseHandle (hObject=0x1dc) returned 1 [0126.759] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\messages.json.CABFFD561A083D889F8066E653DDE4B635EAE2641CAC819E062CCE87C49AC768" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\messages.json.cabffd561a083d889f8066e653dde4b635eae2641cac819e062cce87c49ac768")) returned 1 [0126.812] GetProcessHeap () returned 0x4c0000 [0126.812] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c9a148 | out: hHeap=0x4c0000) returned 1 [0126.815] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0126.867] ReadFile (in: hFile=0x1c0, lpBuffer=0x3d8230c, nNumberOfBytesToRead=0x7200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d622d8 | out: lpBuffer=0x3d8230c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d622d8) returned 1 [0126.867] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0126.896] CloseHandle (hObject=0x178) returned 1 [0127.004] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\messages.json.0DF03D3C63677337E70EEB449FD3EB112E6EF87C3AEE48D450E50A0058903405" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\messages.json.0df03d3c63677337e70eeb449fd3eb112e6ef87c3aee48d450e50a0058903405")) returned 1 [0127.007] GetProcessHeap () returned 0x4c0000 [0127.007] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3d3a288 | out: hHeap=0x4c0000) returned 1 [0127.007] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0128.359] WriteFile (in: hFile=0x1d4, lpBuffer=0x55cb24*, nNumberOfBytesToWrite=0x3e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0) returned 1 [0128.488] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0128.496] CloseHandle (hObject=0x1d4) returned 1 [0128.498] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\messages.json.9D23A13EFCE8958B27107F15A5B89DB1A45CEA6B463716B5BE031468BEA37969" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\messages.json.9d23a13efce8958b27107f15a5b89db1a45cea6b463716b5be031468bea37969")) returned 1 [0128.499] GetProcessHeap () returned 0x4c0000 [0128.499] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0128.500] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0128.976] WriteFile (in: hFile=0x1d0, lpBuffer=0x3be8114, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0) returned 0x0 [0129.143] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0129.259] WriteFile (in: hFile=0x184, lpBuffer=0x3c680dc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c480a8 | out: lpBuffer=0x3c680dc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c480a8) returned 0x0 [0129.261] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0129.469] ReadFile (in: hFile=0x17c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x1c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0129.469] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0129.474] CloseHandle (hObject=0x184) returned 1 [0129.863] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\web data"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data.A9CBD2B2AEC4CFF750A29917C64B7956DD89891B30808B81A8A6E497CB8EF805" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\web data.a9cbd2b2aec4cff750a29917c64b7956dd89891b30808b81a8a6e497cb8ef805")) returned 1 [0129.867] GetProcessHeap () returned 0x4c0000 [0129.867] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c480a8 | out: hHeap=0x4c0000) returned 1 [0129.867] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0129.958] ReadFile (in: hFile=0x174, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0129.958] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0129.994] WriteFile (in: hFile=0x174, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0129.996] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0129.997] CloseHandle (hObject=0x174) returned 1 [0129.999] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\iconcache.db"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db.FD7BF352DC500AA0228FCE2E960DCAB7347BDB5FDA24F4A313D7BE288D6CBD7A" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\iconcache.db.fd7bf352dc500aa0228fce2e960dcab7347bdb5fda24f4a313d7be288d6cbd7a")) returned 1 [0130.001] GetProcessHeap () returned 0x4c0000 [0130.001] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0130.001] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0130.009] CloseHandle (hObject=0x1a8) returned 1 [0130.013] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Local State" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\local state"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Local State.5B299BAD4A76F624BA866A6F572E2BCFA9CB07FB9E406D8469DF98C5C9D52642" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\local state.5b299bad4a76f624ba866a6f572e2bcfa9cb07fb9e406d8469df98c5c9d52642")) returned 1 [0130.014] GetProcessHeap () returned 0x4c0000 [0130.014] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0130.014] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0130.017] CloseHandle (hObject=0x1d8) returned 1 [0130.018] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Secure Preferences" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\secure preferences"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Secure Preferences.25023DC190C4DDB5582485887A032317AAF81A8F75FDEAC7B6D0148EB0DB1359" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\secure preferences.25023dc190c4ddb5582485887a032317aaf81a8f75fdeac7b6d0148eb0db1359")) returned 1 [0130.020] GetProcessHeap () returned 0x4c0000 [0130.020] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0130.021] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0130.046] ReadFile (in: hFile=0x174, lpBuffer=0x522abc, nNumberOfBytesToRead=0x1a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0130.046] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0130.055] WriteFile (in: hFile=0x174, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x1a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0130.057] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0130.057] CloseHandle (hObject=0x174) returned 1 [0130.058] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\feedsstore.feedsdb-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms.41190D745E98B57569FDD9BB95311623C9D163D85B8285091B73A9B4D39EA02E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\feedsstore.feedsdb-ms.41190d745e98b57569fdd9bb95311623c9d163d85b8285091b73a9b4d39ea02e")) returned 1 [0130.059] GetProcessHeap () returned 0x4c0000 [0130.059] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0130.059] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0130.212] ReadFile (in: hFile=0x1d8, lpBuffer=0x522abc, nNumberOfBytesToRead=0x7000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0130.212] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0130.251] WriteFile (in: hFile=0x1d8, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x7000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0130.252] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0130.256] CloseHandle (hObject=0x1a8) returned 1 [0130.257] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\microsoft at work~.feed-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms.CC71E98911A4A045FFA1E2C08800016F61DE3868F73892DCC836774124045D7B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\microsoft at work~.feed-ms.cc71e98911a4a045ffa1e2c08800016f61de3868f73892dcc836774124045d7b")) returned 1 [0130.258] GetProcessHeap () returned 0x4c0000 [0130.258] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0130.263] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0130.283] ReadFile (in: hFile=0x1d0, lpBuffer=0x55cb24, nNumberOfBytesToRead=0x7000, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0) returned 1 [0130.283] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0130.325] WriteFile (in: hFile=0x1d0, lpBuffer=0x55cb24, nNumberOfBytesToWrite=0x7000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0) returned 0x0 [0130.328] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0130.363] ReadFile (in: hFile=0x1b8, lpBuffer=0x584b74, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74*, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40) returned 1 [0130.364] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0130.407] WriteFile (in: hFile=0x1b8, lpBuffer=0x584b74, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40) returned 0x0 [0130.408] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0130.409] CloseHandle (hObject=0x1b8) returned 1 [0130.410] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Suggested Sites~.feed-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\webslices~\\suggested sites~.feed-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Suggested Sites~.feed-ms.79B595D6F50B7747EC30B4EB0D53A8EDBA4D3FFD27DD69A6B29DA99B2D4B322B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\webslices~\\suggested sites~.feed-ms.79b595d6f50b7747ec30b4eb0d53a8edba4d3ffd27dd69a6b29da99b2d4b322b")) returned 1 [0130.415] GetProcessHeap () returned 0x4c0000 [0130.415] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x564b40 | out: hHeap=0x4c0000) returned 1 [0130.415] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0130.443] ReadFile (in: hFile=0x17c, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x7000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0130.443] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0130.482] WriteFile (in: hFile=0x17c, lpBuffer=0x3c2007c*, nNumberOfBytesToWrite=0x7000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 1 [0130.484] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0130.495] CloseHandle (hObject=0x1d8) returned 1 [0130.497] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\microsoft at home~.feed-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms.B4BDD58EDE44A88C909064657557CA590053B58198955A64D92EA8CA24B56534" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\microsoft at home~.feed-ms.b4bdd58ede44a88c909064657557ca590053b58198955a64d92ea8ca24b56534")) returned 1 [0130.498] GetProcessHeap () returned 0x4c0000 [0130.498] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0130.498] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0130.500] CloseHandle (hObject=0x1d0) returned 1 [0130.502] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\msnbc news~.feed-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms.5783F70152EA6184A75D14E00615DED1D62768B0906AEEEF027C7DB36C35AC28" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\msnbc news~.feed-ms.5783f70152ea6184a75d14e00615ded1d62768b0906aeeef027c7db36c35ac28")) returned 1 [0130.505] GetProcessHeap () returned 0x4c0000 [0130.505] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0130.506] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0130.664] ReadFile (in: hFile=0x1d0, lpBuffer=0x3be8114, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0) returned 1 [0130.665] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0130.707] WriteFile (in: hFile=0x1d0, lpBuffer=0x3be8114*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0) returned 1 [0130.709] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0130.710] CloseHandle (hObject=0x1d0) returned 1 [0130.711] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS\\FRMCACHE.DAT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\forms\\frmcache.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS\\FRMCACHE.DAT.92B857934FB1905A409B2CB1C90E90E766EA8A0F24BE3AFCA458D916E7792346" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\forms\\frmcache.dat.92b857934fb1905a409b2cb1c90e90e766ea8a0f24be3afca458d916e7792346")) returned 1 [0130.712] GetProcessHeap () returned 0x4c0000 [0130.712] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0130.712] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0130.765] ReadFile (in: hFile=0x17c, lpBuffer=0x3be8114, nNumberOfBytesToRead=0x2e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0) returned 1 [0130.765] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0130.780] WriteFile (in: hFile=0x17c, lpBuffer=0x3be8114, nNumberOfBytesToWrite=0x2e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0) returned 0x0 [0130.782] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0130.811] ReadFile (in: hFile=0xec, lpBuffer=0x522abc, nNumberOfBytesToRead=0x2e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0130.812] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0130.851] WriteFile (in: hFile=0xec, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x2e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0130.853] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0130.869] CloseHandle (hObject=0x17c) returned 1 [0130.871] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\brndlog.bak"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak.F1E90241264CCA18C39B60C28B97B2937BA058DA333D45BF487622016F9F3046" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\brndlog.bak.f1e90241264cca18c39b60c28b97b2937ba058da333d45bf487622016f9f3046")) returned 1 [0130.872] GetProcessHeap () returned 0x4c0000 [0130.872] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0130.874] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0130.900] ReadFile (in: hFile=0x174, lpBuffer=0x55cb24, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0) returned 1 [0130.900] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0131.069] WriteFile (in: hFile=0x174, lpBuffer=0x3be8114*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0) returned 1 [0131.071] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0131.145] ReadFile (in: hFile=0x17c, lpBuffer=0x55cb24, nNumberOfBytesToRead=0x1200, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0) returned 1 [0131.158] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0131.502] WriteFile (in: hFile=0x1b8, lpBuffer=0x584b74, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40) returned 0x0 [0131.503] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0131.539] WriteFile (in: hFile=0x184, lpBuffer=0x3c2007c, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 0x0 [0131.540] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0131.573] WriteFile (in: hFile=0x1d4, lpBuffer=0x3c480cc, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098) returned 0x0 [0131.574] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0131.634] ReadFile (in: hFile=0x18c, lpBuffer=0x3b580d4, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0) returned 1 [0131.636] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0131.800] WriteFile (in: hFile=0x1d8, lpBuffer=0x3ba8174*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140) returned 1 [0131.801] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0131.959] WriteFile (in: hFile=0x18c, lpBuffer=0x3b580d4, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0) returned 0x0 [0131.966] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0131.985] ReadFile (in: hFile=0x184, lpBuffer=0x584b74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74*, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40) returned 1 [0131.985] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0131.987] WriteFile (in: hFile=0x184, lpBuffer=0x584b74, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40) returned 0x0 [0131.989] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0132.116] WriteFile (in: hFile=0x174, lpBuffer=0x3be8114, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0) returned 0x0 [0132.118] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0132.259] WriteFile (in: hFile=0x1a8, lpBuffer=0x3c2007c*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 1 [0132.260] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0132.263] CloseHandle (hObject=0x1a8) returned 1 [0132.265] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\10_all_music.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl.570914584ED671186FA93477CB3AF8DAF6D846E10F80564E9611EEA7E318205B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\10_all_music.wpl.570914584ed671186fa93477cb3af8daf6d846e10f80564e9611eea7e318205b")) returned 1 [0132.268] GetProcessHeap () returned 0x4c0000 [0132.268] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0132.268] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0132.301] WriteFile (in: hFile=0x1d8, lpBuffer=0x3b580d4*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0) returned 1 [0132.303] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0132.414] ReadFile (in: hFile=0x1d8, lpBuffer=0x584b74, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74*, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40) returned 1 [0132.414] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0132.415] CloseHandle (hObject=0x194) returned 1 [0132.466] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-CNRY.FSD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\14.0\\officefilecache\\fsd-cnry.fsd"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-CNRY.FSD.B7E97B4CD4F3D69CA622618CD3E86289E2C9B80E6F9F28131F8B2EEC10CAE109" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\14.0\\officefilecache\\fsd-cnry.fsd.b7e97b4cd4f3d69ca622618cd3e86289e2c9b80e6f9f28131f8b2eec10cae109")) returned 1 [0132.467] GetProcessHeap () returned 0x4c0000 [0132.467] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0132.467] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0132.474] CloseHandle (hObject=0x18c) returned 1 [0132.476] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\09_music_played_the_most.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl.4D8DCE5B2DE1613C0A87BE1CF08345AEA40F5A28A0C3E37C743B6D200C463D6F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\09_music_played_the_most.wpl.4d8dce5b2de1613c0a87be1cf08345aea40f5a28a0c3e37c743b6d200c463d6f")) returned 1 [0132.581] GetProcessHeap () returned 0x4c0000 [0132.581] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0132.582] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0132.589] CloseHandle (hObject=0x1d8) returned 1 [0132.590] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\350db95df4cbd94b2a1c300510e12e11.xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\onetconfig\\350db95df4cbd94b2a1c300510e12e11.xml"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\350db95df4cbd94b2a1c300510e12e11.xml.4EEDE392EBEDA2FFDDEA74288B4CBD25C9AB335BD543388C99A0BB88F406060C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\onetconfig\\350db95df4cbd94b2a1c300510e12e11.xml.4eede392ebeda2ffddea74288b4cbd25c9ab335bd543388c99a0bb88f406060c")) returned 1 [0132.592] GetProcessHeap () returned 0x4c0000 [0132.592] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0132.592] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0132.698] ReadFile (in: hFile=0x1d8, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0132.727] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0132.811] WriteFile (in: hFile=0x17c, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0132.812] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0132.835] CloseHandle (hObject=0x1d0) returned 1 [0132.838] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\account{1cd43f3b-668b-4ca8-b816-34f74122ec0f}.oeaccount"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount.AEC7D43648FBF61598853FC3F3C55B0DAB98E5A478FCB0D7349D0D178B2E195E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\account{1cd43f3b-668b-4ca8-b816-34f74122ec0f}.oeaccount.aec7d43648fbf61598853fc3f3c55b0dab98e5a478fcb0d7349d0d178b2e195e")) returned 1 [0132.839] GetProcessHeap () returned 0x4c0000 [0132.839] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0132.839] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0132.857] ReadFile (in: hFile=0x1d0, lpBuffer=0x3be8114, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0) returned 1 [0132.857] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0132.910] ReadFile (in: hFile=0x194, lpBuffer=0x55cb24, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0) returned 1 [0132.916] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0132.982] WriteFile (in: hFile=0x194, lpBuffer=0x55cb24, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0) returned 0x0 [0132.982] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0133.001] ReadFile (in: hFile=0xec, lpBuffer=0x584b74, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74*, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40) returned 1 [0133.001] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0133.015] WriteFile (in: hFile=0xec, lpBuffer=0x584b74, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40) returned 0x0 [0133.015] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0133.046] ReadFile (in: hFile=0x1d0, lpBuffer=0x3be8114, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0) returned 1 [0133.074] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0133.099] ReadFile (in: hFile=0x1d0, lpBuffer=0x3be8114, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0) returned 1 [0133.099] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0133.148] WriteFile (in: hFile=0x1d0, lpBuffer=0x3be8114, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0) returned 0x0 [0133.150] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0133.174] ReadFile (in: hFile=0x17c, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0133.174] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0133.206] WriteFile (in: hFile=0x17c, lpBuffer=0x3c2007c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 0x0 [0133.208] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0133.241] ReadFile (in: hFile=0x184, lpBuffer=0x3c480cc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098) returned 1 [0133.242] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0133.286] WriteFile (in: hFile=0x184, lpBuffer=0x3c480cc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098) returned 0x0 [0133.287] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0133.326] ReadFile (in: hFile=0x174, lpBuffer=0x3b580d4, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0) returned 1 [0133.326] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0133.371] WriteFile (in: hFile=0x174, lpBuffer=0x3b580d4, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0) returned 0x0 [0133.372] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0133.409] ReadFile (in: hFile=0x178, lpBuffer=0x3b80124, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0) returned 1 [0133.409] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0133.411] WriteFile (in: hFile=0x178, lpBuffer=0x3b80124*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0) returned 1 [0133.412] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0133.413] CloseHandle (hObject=0x178) returned 1 [0133.415] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\bears.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg.B7EACA71C7865749DA6E9A7442F07AF68B758693D9D9D48A4ACB80367BD14370" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\bears.jpg.b7eaca71c7865749da6e9a7442f07af68b758693d9d9d48a4acb80367bd14370")) returned 1 [0133.416] GetProcessHeap () returned 0x4c0000 [0133.416] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0133.416] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0133.501] WriteFile (in: hFile=0x1d4, lpBuffer=0x3ba8174*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140) returned 1 [0133.506] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0133.651] CloseHandle (hObject=0x174) returned 1 [0133.652] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\edbres00002.jrs"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs.96C7346EA719778FEE1527F67F2ADB7EAFE89F0E00CF29B110C93B2CEA7AE537" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\edbres00002.jrs.96c7346ea719778fee1527f67f2adb7eafe89f0e00cf29b110c93b2cea7ae537")) returned 1 [0133.653] GetProcessHeap () returned 0x4c0000 [0133.653] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0133.654] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0133.783] ReadFile (in: hFile=0x174, lpBuffer=0x522abc, nNumberOfBytesToRead=0x1800, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0133.783] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0133.789] WriteFile (in: hFile=0x174, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x1800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0133.790] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0133.798] CloseHandle (hObject=0x174) returned 1 [0133.799] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\orangecircles.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg.00DE54ADEF5323090314B08A304936B31CAEFED5EE253CE3663929A1A6E90035" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\orangecircles.jpg.00de54adef5323090314b08a304936b31caefed5ee253ce3663929a1a6e90035")) returned 1 [0133.800] GetProcessHeap () returned 0x4c0000 [0133.800] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0133.801] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0136.440] CloseHandle (hObject=0x1d8) returned 1 [0136.440] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\4iTgJBluuOHPh.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\4itgjbluuohph.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\4iTgJBluuOHPh.avi.4E4BC696CA24C592703333155DA610BE67772E52D2BB2508BD9A44404016EC5D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\4itgjbluuohph.avi.4e4bc696ca24c592703333155da610be67772e52d2bb2508bd9a44404016ec5d")) returned 1 [0136.442] GetProcessHeap () returned 0x4c0000 [0136.442] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0136.442] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0136.463] WriteFile (in: hFile=0x1d0, lpBuffer=0x3b580d4*, nNumberOfBytesToWrite=0x1600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0) returned 1 [0136.465] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0136.499] CloseHandle (hObject=0x1d0) returned 1 [0136.500] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\9 6J9QDKbOEzRSfwYh.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\9 6j9qdkboezrsfwyh.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\9 6J9QDKbOEzRSfwYh.mp3.640E1FB265BDA728A8B8724DD7C6BD4CF8EFA4BA7ADC8714AB727746606B2464" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\9 6j9qdkboezrsfwyh.mp3.640e1fb265bda728a8b8724dd7c6bd4cf8efa4ba7adc8714ab727746606b2464")) returned 1 [0136.501] GetProcessHeap () returned 0x4c0000 [0136.501] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0136.504] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0136.556] WriteFile (in: hFile=0x1d0, lpBuffer=0x55cb24, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0) returned 0x0 [0136.565] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0136.583] ReadFile (in: hFile=0x1d0, lpBuffer=0x55cb24, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0) returned 1 [0136.583] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0136.638] WriteFile (in: hFile=0x1d0, lpBuffer=0x55cb24*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0) returned 1 [0136.640] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0136.733] CloseHandle (hObject=0x1d0) returned 1 [0136.734] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\CVc6v1RP3r.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\cvc6v1rp3r.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\CVc6v1RP3r.bmp.522293847F9958427FF591E05C3BEA82BDF1C022E1D5F8C86593CE0B82432F3D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\cvc6v1rp3r.bmp.522293847f9958427ff591e05c3bea82bdf1c022e1d5f8c86593ce0b82432f3d")) returned 1 [0136.735] GetProcessHeap () returned 0x4c0000 [0136.735] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0136.735] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0136.761] WriteFile (in: hFile=0x1d0, lpBuffer=0x3be8114*, nNumberOfBytesToWrite=0x1c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0) returned 1 [0136.762] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0136.822] WriteFile (in: hFile=0x1d0, lpBuffer=0x3be8114, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0) returned 0x0 [0136.824] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0136.964] WriteFile (in: hFile=0x18c, lpBuffer=0x3c2007c*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 1 [0137.702] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0137.703] CloseHandle (hObject=0x1d8) returned 1 [0137.738] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\ngaxkzeOsZtTQh5Tf.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\ngaxkzeoszttqh5tf.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\ngaxkzeOsZtTQh5Tf.gif.D940F8A66FE64ADBA19CBB633382659A3B5E155ECF818194075D126BA05C1341" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\ngaxkzeoszttqh5tf.gif.d940f8a66fe64adba19cbb633382659a3b5e155ecf818194075d126ba05c1341")) returned 1 [0137.768] GetProcessHeap () returned 0x4c0000 [0137.768] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b88140 | out: hHeap=0x4c0000) returned 1 [0137.769] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0137.811] ReadFile (in: hFile=0x1b8, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0137.811] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0137.852] WriteFile (in: hFile=0x1b8, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0137.854] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0137.870] CloseHandle (hObject=0x1b8) returned 1 [0137.872] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\index.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\index.dat.A4AC4C1B08E8A2492018BB086036B7824D11FE35B1208E3ECED1D967BB260A36" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\index.dat.a4ac4c1b08e8a2492018bb086036b7824d11fe35b1208e3eced1d967bb260a36")) returned 1 [0137.875] GetProcessHeap () returned 0x4c0000 [0137.875] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0137.875] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0137.895] ReadFile (in: hFile=0x124, lpBuffer=0x3be8114, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0) returned 1 [0137.895] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0138.041] ReadFile (in: hFile=0x1b8, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0138.042] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0138.071] CloseHandle (hObject=0x1b8) returned 1 [0138.072] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\uZ_4j.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\uz_4j.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\uZ_4j.png.B6F13D0BB5B055B57EF0C5F02796F50988BD70CDE2FB0260075959669B62AA59" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\uz_4j.png.b6f13d0bb5b055b57ef0c5f02796f50988bd70cde2fb0260075959669b62aa59")) returned 1 [0138.073] GetProcessHeap () returned 0x4c0000 [0138.073] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0138.073] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0138.104] WriteFile (in: hFile=0x178, lpBuffer=0x3be8114*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0) returned 1 [0138.106] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0138.291] ReadFile (in: hFile=0x124, lpBuffer=0x55cb24, nNumberOfBytesToRead=0x5c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0) returned 1 [0138.292] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0138.367] ReadFile (in: hFile=0x1d0, lpBuffer=0x3be8114, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0) returned 1 [0138.368] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0138.408] WriteFile (in: hFile=0x180, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0138.410] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0138.416] CloseHandle (hObject=0x180) returned 1 [0138.417] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\rdrmessage.zip" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\acrobat\\10.0\\rdrmessage.zip"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\rdrmessage.zip.7FB23E0B0807577E473879D58B45D3974F15025D9E5F63B369836776C86DC656" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\acrobat\\10.0\\rdrmessage.zip.7fb23e0b0807577e473879d58b45d3974f15025d9e5f63b369836776c86dc656")) returned 1 [0138.419] GetProcessHeap () returned 0x4c0000 [0138.419] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0138.419] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0138.528] ReadFile (in: hFile=0x178, lpBuffer=0x3be8114, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0) returned 1 [0138.529] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0138.554] WriteFile (in: hFile=0x178, lpBuffer=0x3be8114*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0) returned 1 [0138.556] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0138.557] CloseHandle (hObject=0x178) returned 1 [0138.558] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\0f1583fff42fff476a09801acb69213f_e3f4a8c96454d7d3441d2c1bce81f875"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875.5468B761A9D590EA7980E201FE3F5145DD983A9485711477CC291CB6A65E265A" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\0f1583fff42fff476a09801acb69213f_e3f4a8c96454d7d3441d2c1bce81f875.5468b761a9d590ea7980e201fe3f5145dd983a9485711477cc291cb6a65e265a")) returned 1 [0138.559] GetProcessHeap () returned 0x4c0000 [0138.559] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0138.559] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0138.579] ReadFile (in: hFile=0x1d0, lpBuffer=0x3be8114, nNumberOfBytesToRead=0xe00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0) returned 1 [0138.580] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0138.583] WriteFile (in: hFile=0x1d0, lpBuffer=0x3be8114, nNumberOfBytesToWrite=0xe00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0) returned 0x0 [0138.584] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0138.619] ReadFile (in: hFile=0x178, lpBuffer=0x54bb14, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0138.619] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0138.622] CloseHandle (hObject=0x178) returned 1 [0138.622] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3130B1871A126520A8C47861EFE3ED4D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\3130b1871a126520a8c47861efe3ed4d"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3130B1871A126520A8C47861EFE3ED4D.40BB0B3E6786115533C34926E75D63008EB90C1A973EE67E80FFA8599153114E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\3130b1871a126520a8c47861efe3ed4d.40bb0b3e6786115533c34926e75d63008eb90c1a973ee67e80ffa8599153114e")) returned 1 [0138.624] GetProcessHeap () returned 0x4c0000 [0138.624] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0138.624] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0138.636] ReadFile (in: hFile=0x184, lpBuffer=0x573b64, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64*, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30) returned 1 [0138.637] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0138.640] CloseHandle (hObject=0x184) returned 1 [0138.640] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\3388ecc3f7bc4a9271c10ed8621e5a65_f55c512047947b70f94de5dec6d6838d"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D.E99A76F6788DB535D144F7445F43D41551FCBC4699A6E000C151F41CE05B513F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\3388ecc3f7bc4a9271c10ed8621e5a65_f55c512047947b70f94de5dec6d6838d.e99a76f6788db535d144f7445f43d41551fcbc4699a6e000c151f41ce05b513f")) returned 1 [0138.642] GetProcessHeap () returned 0x4c0000 [0138.642] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x553b30 | out: hHeap=0x4c0000) returned 1 [0138.642] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0138.664] ReadFile (in: hFile=0x184, lpBuffer=0x54bb14, nNumberOfBytesToRead=0xa00, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0138.664] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0138.667] WriteFile (in: hFile=0x184, lpBuffer=0x54bb14*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 1 [0138.668] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0138.669] CloseHandle (hObject=0x184) returned 1 [0138.669] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\40e450f7ce13419a2ccc2a5445035a0a_06f02b1f13ab4b11b8fc669bde565af1"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1.9E79BC6D5A3516654DAA6792E119BF7AA5120F037EEC03C5C1AF88DEA992D50A" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\40e450f7ce13419a2ccc2a5445035a0a_06f02b1f13ab4b11b8fc669bde565af1.9e79bc6d5a3516654daa6792e119bf7aa5120f037eec03c5c1af88dea992d50a")) returned 1 [0138.671] GetProcessHeap () returned 0x4c0000 [0138.671] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0138.671] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0138.694] ReadFile (in: hFile=0x184, lpBuffer=0x54bb14, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0138.696] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0138.881] ReadFile (in: hFile=0x128, lpBuffer=0x3c480cc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098) returned 1 [0138.894] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0139.200] WriteFile (in: hFile=0x1d0, lpBuffer=0x3c2007c*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 1 [0139.201] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0139.684] WriteFile (in: hFile=0x1d4, lpBuffer=0x3be8114*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0) returned 1 [0139.685] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0139.854] WriteFile (in: hFile=0x1d0, lpBuffer=0x54bb14, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 0x0 [0139.856] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0139.864] CloseHandle (hObject=0x184) returned 1 [0139.864] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\c46e7b0f942663a1edc8d9d6d7869173_d9b9f37ece595b0b7b6aa12451d392cf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF.EB6A85DB26FBE31F9A8DA55E1F8C3985C9CB1B8309552F1E0F3B4D1807C5ED44" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\c46e7b0f942663a1edc8d9d6d7869173_d9b9f37ece595b0b7b6aa12451d392cf.eb6a85db26fbe31f9a8da55e1f8c3985c9cb1b8309552f1e0f3b4d1807c5ed44")) returned 1 [0139.866] GetProcessHeap () returned 0x4c0000 [0139.866] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0139.866] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0139.880] CloseHandle (hObject=0x178) returned 1 [0139.882] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\9c888beabccbc2a97b0d6d9214c3ba37_1213dc6f71e4c3b05e7bceebc203a31e"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E.2DAFA6630D5527429C9EE0A19638460F95D5CC1808D8C371AD64D39060820F19" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\9c888beabccbc2a97b0d6d9214c3ba37_1213dc6f71e4c3b05e7bceebc203a31e.2dafa6630d5527429c9ee0a19638460f95d5cc1808d8c371ad64d39060820f19")) returned 1 [0139.883] GetProcessHeap () returned 0x4c0000 [0139.883] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x553b30 | out: hHeap=0x4c0000) returned 1 [0139.884] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0139.904] ReadFile (in: hFile=0x1d4, lpBuffer=0x3b580d4, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0) returned 1 [0139.904] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0139.909] CloseHandle (hObject=0x1d4) returned 1 [0139.909] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\d47dbd2f9e3365fbbe008d71fb06716f_4dd1053bcc726da41115fff4c7d6e9cc"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC.C1D12D65021BD2EB74AC40D2325C903BC7D3AB023DEE778854F21EDA56055A2F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\d47dbd2f9e3365fbbe008d71fb06716f_4dd1053bcc726da41115fff4c7d6e9cc.c1d12d65021bd2eb74ac40d2325c903bc7d3ab023dee778854f21eda56055a2f")) returned 1 [0139.911] GetProcessHeap () returned 0x4c0000 [0139.911] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0139.911] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0139.939] ReadFile (in: hFile=0x1d4, lpBuffer=0x573b64, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64*, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30) returned 1 [0139.939] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0139.941] WriteFile (in: hFile=0x1d4, lpBuffer=0x573b64*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30) returned 1 [0139.943] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0139.943] CloseHandle (hObject=0x1d4) returned 1 [0139.944] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\d47dbd2f9e3365fbbe008d71fb06716f_d33192d58aa9ca2b9097e848e9fe86de"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE.EC87B89AD069C514B6A0F3DB24B4942A1A78F178E10F551FCA54E45AEDA51659" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\d47dbd2f9e3365fbbe008d71fb06716f_d33192d58aa9ca2b9097e848e9fe86de.ec87b89ad069c514b6a0f3db24b4942a1a78f178e10f551fca54e45aeda51659")) returned 1 [0139.946] GetProcessHeap () returned 0x4c0000 [0139.946] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x553b30 | out: hHeap=0x4c0000) returned 1 [0139.946] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0139.973] ReadFile (in: hFile=0x1d4, lpBuffer=0x573b64, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64*, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30) returned 1 [0139.974] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0139.979] WriteFile (in: hFile=0x1d4, lpBuffer=0x573b64*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30) returned 1 [0139.980] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0139.981] CloseHandle (hObject=0x1d4) returned 1 [0139.982] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\d52c56d8f24bec96604372afbaf264e1_e76a2b627dd019eb51d9335f24b14c2c"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C.3E65B9B4D2F07037FB1FB04DCC292ABD2F2AFFA92593E47A79F4645348A7B928" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\d52c56d8f24bec96604372afbaf264e1_e76a2b627dd019eb51d9335f24b14c2c.3e65b9b4d2f07037fb1fb04dcc292abd2f2affa92593e47a79f4645348a7b928")) returned 1 [0139.984] GetProcessHeap () returned 0x4c0000 [0139.984] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x553b30 | out: hHeap=0x4c0000) returned 1 [0139.984] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0140.022] CloseHandle (hObject=0x1d0) returned 1 [0140.024] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\c46e7b0f942663a1edc8d9d6d7869173_42820cdfea41dc84aab89a6b63561873"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873.1DE38684433FE0E73DA8F54B7390642F0FDB35CC1B9505992792AF7F9CAE6A64" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\c46e7b0f942663a1edc8d9d6d7869173_42820cdfea41dc84aab89a6b63561873.1de38684433fe0e73da8f54b7390642f0fdb35cc1b9505992792af7f9cae6a64")) returned 1 [0140.025] GetProcessHeap () returned 0x4c0000 [0140.025] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0140.031] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0140.043] ReadFile (in: hFile=0x178, lpBuffer=0x573b64, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64*, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30) returned 1 [0140.043] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0140.046] WriteFile (in: hFile=0x178, lpBuffer=0x573b64, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30) returned 0x0 [0140.048] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0140.078] ReadFile (in: hFile=0x1d0, lpBuffer=0x54bb14, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0140.079] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0140.081] WriteFile (in: hFile=0x1d0, lpBuffer=0x54bb14*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 1 [0140.083] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0140.083] CloseHandle (hObject=0x1d0) returned 1 [0140.084] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\f293aead5e84facfb686c4a620718928_c8424a0b24a72939b13720d0c000c9c1"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1.BA8261CAA2ECCE9EC053D8141B53A36EDE503F660574B0A7DC203B571AD9B827" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\f293aead5e84facfb686c4a620718928_c8424a0b24a72939b13720d0c000c9c1.ba8261caa2ecce9ec053d8141b53a36ede503f660574b0a7dc203b571ad9b827")) returned 1 [0140.086] GetProcessHeap () returned 0x4c0000 [0140.086] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0140.086] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0140.114] ReadFile (in: hFile=0x1d0, lpBuffer=0x54bb14, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0140.114] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0140.117] CloseHandle (hObject=0x1d0) returned 1 [0140.118] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F90F18257CBB4D84216AC1E1F3BB2C76" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\f90f18257cbb4d84216ac1e1f3bb2c76"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F90F18257CBB4D84216AC1E1F3BB2C76.84393C02E0EBE9971CD02237A80F218D9F05903EB8907477D1CB0DEA380A422F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\f90f18257cbb4d84216ac1e1f3bb2c76.84393c02e0ebe9971cd02237a80f218d9f05903eb8907477d1cb0dea380a422f")) returned 1 [0140.120] GetProcessHeap () returned 0x4c0000 [0140.120] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0140.120] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0140.160] CloseHandle (hObject=0x18c) returned 1 [0140.163] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\c46e7b0f942663a1edc8d9d6d7869173_6043fc604a395e1485af7ac16d16b7ce"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE.665C277F21845371B2FC3E35723DD9FC9DDE010FF54BA67FBE5892E62DD4AD45" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\c46e7b0f942663a1edc8d9d6d7869173_6043fc604a395e1485af7ac16d16b7ce.665c277f21845371b2fc3e35723dd9fc9dde010ff54ba67fbe5892e62dd4ad45")) returned 1 [0140.165] GetProcessHeap () returned 0x4c0000 [0140.165] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0140.165] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0140.289] ReadFile (in: hFile=0x18c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0140.290] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0140.294] WriteFile (in: hFile=0x178, lpBuffer=0x3be8114*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0) returned 1 [0140.296] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0140.559] WriteFile (in: hFile=0x18c, lpBuffer=0x54bb14, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 0x0 [0140.561] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0140.983] ReadFile (in: hFile=0x124, lpBuffer=0x3c480cc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098) returned 1 [0141.023] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0141.027] CloseHandle (hObject=0x18c) returned 1 [0141.028] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.msi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\au\\au.msi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.msi.CE59D027055D5D72D52E0E7BCE94EF74E33127C80E311F986CED7238CDD1D63F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\au\\au.msi.ce59d027055d5d72d52e0e7bce94ef74e33127c80e311f986ced7238cdd1d63f")) returned 1 [0141.029] GetProcessHeap () returned 0x4c0000 [0141.029] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0141.032] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0141.035] CloseHandle (hObject=0x1d0) returned 1 [0141.037] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.cab" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\au\\au.cab"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.cab.542A8AA589D7764F3C7D209F557FC5959DCAB757D9F1AEF9914911225A571D5E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\au\\au.cab.542a8aa589d7764f3c7d209f557fc5959dcab757d9f1aef9914911225a571d5e")) returned 1 [0141.042] GetProcessHeap () returned 0x4c0000 [0141.042] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0141.042] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0141.054] ReadFile (in: hFile=0x1b8, lpBuffer=0x3b580d4, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0) returned 1 [0141.054] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0141.084] CloseHandle (hObject=0x1b8) returned 1 [0141.086] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\4a JZfmG1mKVhGBJS7O.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\4a jzfmg1mkvhgbjs7o.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\4a JZfmG1mKVhGBJS7O.m4a.9ECECCBE6796FF483BFD1904F63EBBCE76D648FBD1E21FDA06BB118A39C0B91A" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\4a jzfmg1mkvhgbjs7o.m4a.9ececcbe6796ff483bfd1904f63ebbce76d648fbd1e21fda06bb118a39c0b91a")) returned 1 [0141.087] GetProcessHeap () returned 0x4c0000 [0141.087] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0141.088] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0141.108] ReadFile (in: hFile=0x1b8, lpBuffer=0x522abc, nNumberOfBytesToRead=0x3200, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0141.109] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0141.121] CloseHandle (hObject=0x1b8) returned 1 [0141.122] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\6Tcu1PZ2f1_r.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\6tcu1pz2f1_r.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\6Tcu1PZ2f1_r.swf.9F1EF0D591228F47F2D1319D4E3B072874C94D0FC6BE9821960452AC16C6CA3E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\6tcu1pz2f1_r.swf.9f1ef0d591228f47f2d1319d4e3b072874c94d0fc6be9821960452ac16c6ca3e")) returned 1 [0141.123] GetProcessHeap () returned 0x4c0000 [0141.123] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0141.123] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0141.143] ReadFile (in: hFile=0x1b8, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0141.144] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0141.187] CloseHandle (hObject=0x1b8) returned 1 [0141.187] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\7gJ9.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\7gj9.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\7gJ9.m4a.CB6E4926DE88AFDCB66B2224E5AB5288F776F34553393DF8D48A3AB3CF06C02A" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\7gj9.m4a.cb6e4926de88afdcb66b2224e5ab5288f776f34553393df8d48a3ab3cf06c02a")) returned 1 [0141.189] GetProcessHeap () returned 0x4c0000 [0141.189] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0141.189] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0141.218] ReadFile (in: hFile=0x1b8, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0141.218] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0141.261] WriteFile (in: hFile=0x1b8, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0141.263] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0141.431] ReadFile (in: hFile=0x180, lpBuffer=0x54bb14, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0141.432] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0141.480] ReadFile (in: hFile=0x128, lpBuffer=0x573b64, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64*, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30) returned 1 [0141.480] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0141.559] WriteFile (in: hFile=0x128, lpBuffer=0x573b64*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30) returned 1 [0141.561] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0141.562] CloseHandle (hObject=0x128) returned 1 [0141.563] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\crlcache\\a9b8213768adc68af64fcc6409e8be414726687f.crl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl.363A649E1E7BA04CCB7C40A31A8B868D43BAEC2ADD8F156FAD8E8D5799FE6D50" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\crlcache\\a9b8213768adc68af64fcc6409e8be414726687f.crl.363a649e1e7ba04ccb7c40a31a8b868d43baec2add8f156fad8e8d5799fe6d50")) returned 1 [0141.565] GetProcessHeap () returned 0x4c0000 [0141.565] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x553b30 | out: hHeap=0x4c0000) returned 1 [0141.566] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0141.659] ReadFile (in: hFile=0x1b8, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0141.660] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0141.705] CloseHandle (hObject=0x1b8) returned 1 [0141.706] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ATxH3uC6VdsCscrBd.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\atxh3uc6vdscscrbd.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ATxH3uC6VdsCscrBd.mkv.67DFD7AB1E1612DA04827F3AD7DF8A916B3BFCE30832EDB8DED1808E2AE97C5A" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\atxh3uc6vdscscrbd.mkv.67dfd7ab1e1612da04827f3ad7df8a916b3bfce30832edb8ded1808e2ae97c5a")) returned 1 [0141.708] GetProcessHeap () returned 0x4c0000 [0141.708] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0141.708] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0141.736] ReadFile (in: hFile=0x1b8, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0141.736] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0141.826] ReadFile (in: hFile=0x1b8, lpBuffer=0x522abc, nNumberOfBytesToRead=0x1c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0141.827] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0141.847] CloseHandle (hObject=0x1b8) returned 1 [0141.847] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\e1Nd5MWqD 1Nl8rr1pgw.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\e1nd5mwqd 1nl8rr1pgw.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\e1Nd5MWqD 1Nl8rr1pgw.mp3.7D0F78D1A76AEA97CE771BD48EECB6BA13B78B3308AFDA40144AB7CCE1BDE652" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\e1nd5mwqd 1nl8rr1pgw.mp3.7d0f78d1a76aea97ce771bd48eecb6ba13b78b3308afda40144ab7cce1bde652")) returned 1 [0141.849] GetProcessHeap () returned 0x4c0000 [0141.849] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0141.849] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0141.869] ReadFile (in: hFile=0x1b8, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0141.869] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0141.900] CloseHandle (hObject=0x1b8) returned 1 [0141.900] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\FM9lgZyGvaxn0VzUJDMT.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\fm9lgzygvaxn0vzujdmt.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\FM9lgZyGvaxn0VzUJDMT.gif.4DB5EB2F4450B672BA2EC899F35874048651E2A7FFDAC24BA62CBEBF0B048727" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\fm9lgzygvaxn0vzujdmt.gif.4db5eb2f4450b672ba2ec899f35874048651e2a7ffdac24ba62cbebf0b048727")) returned 1 [0141.902] GetProcessHeap () returned 0x4c0000 [0141.902] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0141.902] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0141.923] ReadFile (in: hFile=0x1b8, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0141.923] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0141.956] CloseHandle (hObject=0x1b8) returned 1 [0141.957] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\hKK1UUtbMRFhy.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\hkk1uutbmrfhy.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\hKK1UUtbMRFhy.mp3.C82E3ECB2ECF59BF7E9DCF078A9136870159180F3DC2711EFE9DA4F7037C0A55" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\hkk1uutbmrfhy.mp3.c82e3ecb2ecf59bf7e9dcf078a9136870159180f3dc2711efe9da4f7037c0a55")) returned 1 [0141.958] GetProcessHeap () returned 0x4c0000 [0141.958] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0141.958] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0141.985] ReadFile (in: hFile=0x1b8, lpBuffer=0x522abc, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0141.985] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0141.994] CloseHandle (hObject=0x1b8) returned 1 [0141.996] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\h_YDWgh6.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\h_ydwgh6.xls"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\h_YDWgh6.xls.AD42E90877D25AEC36FBF800A090106091747EAFFD1AD2FF3139BB2CA2FD0A11" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\h_ydwgh6.xls.ad42e90877d25aec36fbf800a090106091747eaffd1ad2ff3139bb2ca2fd0a11")) returned 1 [0141.997] GetProcessHeap () returned 0x4c0000 [0141.997] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0141.997] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0142.042] ReadFile (in: hFile=0x1b8, lpBuffer=0x522abc, nNumberOfBytesToRead=0x1c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0142.043] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0142.092] ReadFile (in: hFile=0x1b8, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0142.092] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0142.170] ReadFile (in: hFile=0x1b8, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0142.171] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0142.253] WriteFile (in: hFile=0x1b8, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0142.257] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0142.276] ReadFile (in: hFile=0x1b8, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0142.278] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0142.488] ReadFile (in: hFile=0x128, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0142.489] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0142.524] WriteFile (in: hFile=0x128, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0142.530] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0142.541] ReadFile (in: hFile=0x1d4, lpBuffer=0x573b64, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64*, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30) returned 1 [0142.541] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0142.556] WriteFile (in: hFile=0x1d4, lpBuffer=0x573b64, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30) returned 0x0 [0142.558] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0142.578] ReadFile (in: hFile=0x180, lpBuffer=0x54bb14, nNumberOfBytesToRead=0x800, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0142.579] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0142.581] WriteFile (in: hFile=0x180, lpBuffer=0x54bb14, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 0x0 [0142.582] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0142.605] ReadFile (in: hFile=0x184, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0142.605] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0142.607] WriteFile (in: hFile=0x184, lpBuffer=0x3c2007c*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 1 [0142.608] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0142.608] CloseHandle (hObject=0x184) returned 1 [0142.609] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer (2).lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\internet explorer (2).lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer (2).lnk.6E00020A459D99D478EB7BF83BD9A6263F8196BC6B58BA2D5D9FE4802C039471" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\internet explorer (2).lnk.6e00020a459d99d478eb7bf83bd9a6263f8196bc6b58ba2d5d9fe4802c039471")) returned 1 [0142.611] GetProcessHeap () returned 0x4c0000 [0142.611] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0142.611] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0142.633] ReadFile (in: hFile=0x184, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0142.633] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0142.634] WriteFile (in: hFile=0x184, lpBuffer=0x3c2007c, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 0x0 [0142.635] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0142.636] CloseHandle (hObject=0x184) returned 1 [0142.637] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\internet explorer.lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk.A31A984994FA1E0F7748F7C0232C3B5D5A8899FD83324573F49A506033EEA55D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\internet explorer.lnk.a31a984994fa1e0f7748f7c0232c3b5d5a8899fd83324573f49a506033eea55d")) returned 1 [0142.638] GetProcessHeap () returned 0x4c0000 [0142.638] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0142.638] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0142.658] ReadFile (in: hFile=0x184, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0142.659] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0142.660] WriteFile (in: hFile=0x184, lpBuffer=0x3c2007c, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 0x0 [0142.661] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0142.664] CloseHandle (hObject=0x128) returned 1 [0142.665] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\Built-In Building Blocks.dotx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\document building blocks\\1033\\14\\built-in building blocks.dotx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\Built-In Building Blocks.dotx.187ED9B6CD6E8398201B7AA400DD805AB71297CED6A7CE86E2F428429E441428" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\document building blocks\\1033\\14\\built-in building blocks.dotx.187ed9b6cd6e8398201b7aa400dd805ab71297ced6a7ce86e2f428429e441428")) returned 1 [0142.666] GetProcessHeap () returned 0x4c0000 [0142.666] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0142.669] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0142.671] CloseHandle (hObject=0x1d4) returned 1 [0142.675] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Launch Internet Explorer Browser.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\launch internet explorer browser.lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Launch Internet Explorer Browser.lnk.3A3B3C88C8D05DD3507D10BB41354265436F446271F1941E4B0E4307F950AB42" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\launch internet explorer browser.lnk.3a3b3c88c8d05dd3507d10bb41354265436f446271f1941e4b0e4307f950ab42")) returned 1 [0142.676] GetProcessHeap () returned 0x4c0000 [0142.676] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x553b30 | out: hHeap=0x4c0000) returned 1 [0142.676] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0142.707] ReadFile (in: hFile=0x180, lpBuffer=0x522abc, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0142.707] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0142.709] WriteFile (in: hFile=0x180, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0142.710] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0142.711] CloseHandle (hObject=0x180) returned 1 [0142.712] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer (2).lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows explorer (2).lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer (2).lnk.F42BFBD18FAE15A606139C5B33BA0C1705F9C1E88BF6BF59CB935444BF8DB262" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows explorer (2).lnk.f42bfbd18fae15a606139c5b33ba0c1705f9c1e88bf6bf59cb935444bf8db262")) returned 1 [0142.713] GetProcessHeap () returned 0x4c0000 [0142.713] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0142.716] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0142.739] ReadFile (in: hFile=0x180, lpBuffer=0x522abc, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0142.745] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0142.766] ReadFile (in: hFile=0x180, lpBuffer=0x522abc, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0142.766] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0142.772] WriteFile (in: hFile=0x180, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0142.774] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0142.793] ReadFile (in: hFile=0x1d4, lpBuffer=0x3c480cc, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098) returned 1 [0142.810] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0142.827] CloseHandle (hObject=0x184) returned 1 [0142.828] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Mozilla Firefox.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\mozilla firefox.lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Mozilla Firefox.lnk.59B0B3BB0689061001E45816D45C8E02CED84B2043F1285048909A7F25D7FD42" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\mozilla firefox.lnk.59b0b3bb0689061001e45816d45c8e02ced84b2043f1285048909a7f25d7fd42")) returned 1 [0142.830] GetProcessHeap () returned 0x4c0000 [0142.830] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0142.830] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0143.039] CloseHandle (hObject=0x18c) returned 1 [0143.040] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\index.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\index.dat.36920CE3F7FF57CE65422609148EEA10BEF2F09C1AA5B28280A7CF3AE75B413E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\index.dat.36920ce3f7ff57ce65422609148eea10bef2f09c1aa5b28280a7cf3ae75b413e")) returned 1 [0143.044] GetProcessHeap () returned 0x4c0000 [0143.044] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0143.044] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0143.298] WriteFile (in: hFile=0x124, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0143.300] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0153.491] ReadFile (in: hFile=0x124, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0153.491] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0153.557] WriteFile (in: hFile=0x19c, lpBuffer=0x3c480cc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098) returned 1 [0153.559] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0157.576] CloseHandle (hObject=0x18c) returned 1 [0157.577] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx\\UZIDqKIt5.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\syqp4isox\\uzidqkit5.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx\\UZIDqKIt5.bmp.E373ED6DDF34AEBB66CE1C5842B870DCFA07821890DCCDB57DBF4F0B7F78E649" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\syqp4isox\\uzidqkit5.bmp.e373ed6ddf34aebb66ce1c5842b870dcfa07821890dccdb57dbf4f0b7f78e649")) returned 1 [0157.579] GetProcessHeap () returned 0x4c0000 [0157.579] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0157.579] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0157.621] WriteFile (in: hFile=0x120, lpBuffer=0x54bb14*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 1 [0157.623] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0159.021] WriteFile (in: hFile=0x120, lpBuffer=0x573b64*, nNumberOfBytesToWrite=0x7200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30) returned 1 [0159.164] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0159.166] CloseHandle (hObject=0x19c) returned 1 [0159.167] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\BAkA.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\baka.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\BAkA.mp4.97F3B579299CBCEA369C3055DFBB372CAE996F99C0E7706DEF51C642FB0F3E2E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\baka.mp4.97f3b579299cbcea369c3055dfbb372cae996f99c0e7706def51c642fb0f3e2e")) returned 1 [0159.169] GetProcessHeap () returned 0x4c0000 [0159.169] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0159.169] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0164.215] WriteFile (in: hFile=0x128, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x7000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0164.344] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0165.191] CloseHandle (hObject=0x1b8) returned 1 [0165.219] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\07_tv_recorded_in_the_last_week.wpl"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl.F35290EEEA542D4D7558FF549D827D02F519F34B3FA69DF5DF5B1076C2542D2D" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\07_tv_recorded_in_the_last_week.wpl.f35290eeea542d4d7558ff549d827d02f519f34b3fa69df5df5b1076c2542d2d")) returned 1 [0165.231] GetProcessHeap () returned 0x4c0000 [0165.231] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b500b8 | out: hHeap=0x4c0000) returned 1 [0165.234] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0166.384] WriteFile (in: hFile=0x194, lpBuffer=0x54ab0c, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52aad8 | out: lpBuffer=0x54ab0c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52aad8) returned 0x0 [0166.407] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0166.558] CloseHandle (hObject=0x19c) returned 1 [0166.573] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\garden.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg.DADBF50D1681C9401C528F50FD190D5275EF5D5BA9456C82C5722136BA78F574" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\garden.jpg.dadbf50d1681c9401c528f50fd190d5275ef5d5ba9456c82c5722136ba78f574")) returned 1 [0166.590] GetProcessHeap () returned 0x4c0000 [0166.590] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0166.591] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0166.736] WriteFile (in: hFile=0xec, lpBuffer=0x3c2007c*, nNumberOfBytesToWrite=0x1c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 1 [0166.737] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0166.737] CloseHandle (hObject=0xec) returned 1 [0166.738] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\stars.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg.8572660F403D13D956988250CE83A5C18D4D20817055F59FE9F4CA195E3DB25F" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\stars.jpg.8572660f403d13d956988250ce83a5c18d4d20817055f59fe9f4ca195e3db25f")) returned 1 [0166.739] GetProcessHeap () returned 0x4c0000 [0166.739] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0166.740] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0166.896] CloseHandle (hObject=0x1d8) returned 1 [0166.896] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows media\\12.0\\wmsdkns.xml"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML.1FB813595B7195FBE2F3372CD7D01B6C6D69A1D9C487EAC6F9A43724C34BED16" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows media\\12.0\\wmsdkns.xml.1fb813595b7195fbe2f3372cd7d01b6c6d69a1d9c487eac6f9a43724c34bed16")) returned 1 [0166.898] GetProcessHeap () returned 0x4c0000 [0166.898] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0166.898] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0166.971] ReadFile (in: hFile=0xec, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0166.971] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0166.974] CloseHandle (hObject=0x128) returned 1 [0167.036] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\windowsmail.msmessagestore"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore.06F10BDAAC9DC1CF9CA32E03ADD568BCDB03FEE49FBA382160D0796446A0F20C" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\windowsmail.msmessagestore.06f10bdaac9dc1cf9ca32e03add568bcdb03fee49fba382160d0796446a0f20c")) returned 1 [0167.037] GetProcessHeap () returned 0x4c0000 [0167.037] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0167.038] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0167.152] ReadFile (in: hFile=0x19c, lpBuffer=0x3c680dc, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c480a8 | out: lpBuffer=0x3c680dc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c480a8) returned 1 [0167.152] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0167.171] WriteFile (in: hFile=0x178, lpBuffer=0x3c9212c, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8) returned 0x0 [0167.262] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0167.288] ReadFile (in: hFile=0x184, lpBuffer=0x3cba17c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c9a148 | out: lpBuffer=0x3cba17c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c9a148) returned 1 [0167.289] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0167.316] WriteFile (in: hFile=0x184, lpBuffer=0x3cba17c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c9a148 | out: lpBuffer=0x3cba17c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c9a148) returned 0x0 [0167.318] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0167.364] CloseHandle (hObject=0x178) returned 1 [0167.385] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows explorer.lnk"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk.F2563633569C1CA869350AE2D171BEF0AD202DEA7AE838901DD7464E8662650F" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows explorer.lnk.f2563633569c1ca869350ae2d171bef0ad202dea7ae838901dd7464e8662650f")) returned 1 [0167.386] GetProcessHeap () returned 0x4c0000 [0167.386] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c720f8 | out: hHeap=0x4c0000) returned 1 [0167.386] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0167.419] CloseHandle (hObject=0x184) returned 1 [0167.420] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact" (normalized: "c:\\users\\default\\contacts\\administrator.contact"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact.959F5A354BBE5130CAEF18F31A3ED85E922BBB06F9568FE8DE2AEA5395BCB51E" (normalized: "c:\\users\\default\\contacts\\administrator.contact.959f5a354bbe5130caef18f31a3ed85e922bbb06f9568fe8de2aea5395bcb51e")) returned 1 [0167.421] GetProcessHeap () returned 0x4c0000 [0167.421] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c9a148 | out: hHeap=0x4c0000) returned 1 [0167.422] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0167.444] ReadFile (in: hFile=0x184, lpBuffer=0x3c9212c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8) returned 1 [0167.444] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0167.447] CloseHandle (hObject=0x184) returned 1 [0167.448] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Links\\desktop.ini" (normalized: "c:\\users\\default\\links\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Links\\desktop.ini.D20D21492482BB9002E1624C97EF7A791B62F0C768DBBAF4BA4BADCABF70A44E" (normalized: "c:\\users\\default\\links\\desktop.ini.d20d21492482bb9002e1624c97ef7a791b62f0c768dbbaf4ba4badcabf70a44e")) returned 1 [0167.450] GetProcessHeap () returned 0x4c0000 [0167.450] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c720f8 | out: hHeap=0x4c0000) returned 1 [0167.450] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0167.473] ReadFile (in: hFile=0x184, lpBuffer=0x3c9212c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8) returned 1 [0167.473] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0167.474] WriteFile (in: hFile=0x184, lpBuffer=0x3c9212c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8) returned 1 [0167.476] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0167.476] CloseHandle (hObject=0x184) returned 1 [0167.477] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Links\\Downloads.lnk" (normalized: "c:\\users\\default\\links\\downloads.lnk"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Links\\Downloads.lnk.0EC98BDF857A8DC20F53801EDD22002E75BF61DEBB61B9F51C737E67D4F9A00F" (normalized: "c:\\users\\default\\links\\downloads.lnk.0ec98bdf857a8dc20f53801edd22002e75bf61debb61b9f51c737e67d4f9a00f")) returned 1 [0167.480] GetProcessHeap () returned 0x4c0000 [0167.480] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c720f8 | out: hHeap=0x4c0000) returned 1 [0167.480] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0167.513] ReadFile (in: hFile=0x124, lpBuffer=0x3c9212c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8) returned 1 [0167.514] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0167.541] WriteFile (in: hFile=0x124, lpBuffer=0x3c9212c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8) returned 0x0 [0167.543] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0167.565] ReadFile (in: hFile=0x184, lpBuffer=0x3cba17c, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c9a148 | out: lpBuffer=0x3cba17c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c9a148) returned 1 [0167.566] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0167.567] WriteFile (in: hFile=0x184, lpBuffer=0x3cba17c*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c9a148 | out: lpBuffer=0x3cba17c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c9a148) returned 1 [0167.568] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0167.569] CloseHandle (hObject=0x184) returned 1 [0167.569] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG" (normalized: "c:\\users\\default\\ntuser.dat.log"), lpNewFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG.B34F3A3CE21E66ABA960BD0CB064910D6FBAA5C560867A27E284600C92F3725C" (normalized: "c:\\users\\default\\ntuser.dat.log.b34f3a3ce21e66aba960bd0cb064910d6fbaa5c560867a27e284600c92f3725c")) returned 1 [0167.570] GetProcessHeap () returned 0x4c0000 [0167.570] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c9a148 | out: hHeap=0x4c0000) returned 1 [0167.570] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0167.592] ReadFile (in: hFile=0x184, lpBuffer=0x3cba17c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c9a148 | out: lpBuffer=0x3cba17c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c9a148) returned 1 [0167.592] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0167.621] WriteFile (in: hFile=0x184, lpBuffer=0x3cba17c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c9a148 | out: lpBuffer=0x3cba17c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c9a148) returned 0x0 [0167.625] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0167.650] ReadFile (in: hFile=0x1d8, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0167.650] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0167.678] WriteFile (in: hFile=0x1d8, lpBuffer=0x3c2007c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 0x0 [0167.680] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0167.701] ReadFile (in: hFile=0x19c, lpBuffer=0x3c480cc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098) returned 1 [0167.702] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0167.742] WriteFile (in: hFile=0x19c, lpBuffer=0x3c480cc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098) returned 0x0 [0167.744] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0167.758] ReadFile (in: hFile=0xec, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0167.759] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0167.791] WriteFile (in: hFile=0xec, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0167.792] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0167.838] CloseHandle (hObject=0x124) returned 1 [0167.857] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT" (normalized: "c:\\users\\default\\ntuser.dat"), lpNewFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.3ECB578C545301B67347B5212A86E398C002583A5897A9E56BAF484624C9257F" (normalized: "c:\\users\\default\\ntuser.dat.3ecb578c545301b67347b5212a86e398c002583a5897a9e56baf484624c9257f")) returned 1 [0167.858] GetProcessHeap () returned 0x4c0000 [0167.858] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c720f8 | out: hHeap=0x4c0000) returned 1 [0167.858] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0167.881] ReadFile (in: hFile=0x124, lpBuffer=0x3c9212c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8) returned 1 [0167.881] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0167.965] ReadFile (in: hFile=0x190, lpBuffer=0x54ab0c, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x52aad8 | out: lpBuffer=0x54ab0c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52aad8) returned 1 [0167.965] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0167.968] CloseHandle (hObject=0x124) returned 1 [0167.970] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Searches\\desktop.ini" (normalized: "c:\\users\\default\\searches\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Searches\\desktop.ini.F8C4CB8E0B46C2F25CB1AAD605FBD91E626E5C0587764A31FE7ABABA13B4153E" (normalized: "c:\\users\\default\\searches\\desktop.ini.f8c4cb8e0b46c2f25cb1aad605fbd91e626e5c0587764a31fe7ababa13b4153e")) returned 1 [0167.972] GetProcessHeap () returned 0x4c0000 [0167.972] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c720f8 | out: hHeap=0x4c0000) returned 1 [0167.976] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0167.999] CloseHandle (hObject=0x1d8) returned 1 [0168.001] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf"), lpNewFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.971DC4170ED0200E912530D654D4AB14D87A47F0D09DD0574B7ACF0B07797A0F" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf.971dc4170ed0200e912530d654d4ab14d87a47f0d09dd0574b7acf0b07797a0f")) returned 1 [0168.003] GetProcessHeap () returned 0x4c0000 [0168.003] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0168.003] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0168.140] WriteFile (in: hFile=0x19c, lpBuffer=0x3c9212c, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8) returned 0x0 [0168.337] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0168.339] CloseHandle (hObject=0xec) returned 1 [0168.341] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3.065DAE974C3664024AEA457121AC8BA3E3FBB71C993A8B8501A7A28AE7D4586A" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3.065dae974c3664024aea457121ac8ba3e3fbb71c993a8b8501a7a28ae7d4586a")) returned 1 [0168.342] GetProcessHeap () returned 0x4c0000 [0168.342] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c9a148 | out: hHeap=0x4c0000) returned 1 [0168.343] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0168.355] ReadFile (in: hFile=0x190, lpBuffer=0x3b9813c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b78108 | out: lpBuffer=0x3b9813c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b78108) returned 1 [0168.356] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0168.410] WriteFile (in: hFile=0x190, lpBuffer=0x3b9813c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b78108 | out: lpBuffer=0x3b9813c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b78108) returned 0x0 [0168.411] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0168.509] ReadFile (in: hFile=0xec, lpBuffer=0x3b4809c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b28068 | out: lpBuffer=0x3b4809c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b28068) returned 1 [0168.509] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08) returned 1 [0168.558] WriteFile (in: hFile=0xec, lpBuffer=0x3b4809c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b28068 | out: lpBuffer=0x3b4809c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b28068) returned 0x0 [0168.560] GetQueuedCompletionStatus (CompletionPort=0x94, lpNumberOfBytesTransferred=0x25efe10, lpCompletionKey=0x25efe0c, lpOverlapped=0x25efe08, dwMilliseconds=0xffffffff) Thread: id = 6 os_tid = 0x5d4 [0061.328] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0077.139] WriteFile (in: hFile=0x184, lpBuffer=0x3b9816c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b78138 | out: lpBuffer=0x3b9816c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b78138) returned 0x0 [0077.140] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0077.170] ReadFile (in: hFile=0x174, lpBuffer=0x3b480cc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b28098 | out: lpBuffer=0x3b480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b28098) returned 1 [0077.170] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0077.304] CloseHandle (hObject=0x184) returned 1 [0078.373] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.40D1DECB85534CBCC3463AA7F3800CC6676E53783C6FA026199EEA0C81E1A16C" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab.40d1decb85534cbcc3463aa7f3800cc6676e53783c6fa026199eea0c81e1a16c")) returned 1 [0078.374] GetProcessHeap () returned 0x4c0000 [0078.374] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b78138 | out: hHeap=0x4c0000) returned 1 [0078.374] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0078.376] CloseHandle (hObject=0x168) returned 1 [0080.371] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.EC916CD03B485B53124342DF0B828FDC6D890B1C21B27626AE7DADBB84B6496C" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab.ec916cd03b485b53124342df0b828fdc6d890b1c21b27626ae7dadbb84b6496c")) returned 1 [0080.813] GetProcessHeap () returned 0x4c0000 [0080.813] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ba0188 | out: hHeap=0x4c0000) returned 1 [0080.813] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0081.174] WriteFile (in: hFile=0x178, lpBuffer=0x3be820c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc81d8 | out: lpBuffer=0x3be820c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc81d8) returned 0x0 [0081.203] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0081.586] CloseHandle (hObject=0x190) returned 1 [0082.819] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.3D9A760019F30AAD6FCA9872E04A1FFA473868FCBD6FA2D05BD61DFCA3A50131" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml.3d9a760019f30aad6fca9872e04a1ffa473868fcbd6fa2d05bd61dfca3a50131")) returned 1 [0082.819] GetProcessHeap () returned 0x4c0000 [0082.820] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ba0188 | out: hHeap=0x4c0000) returned 1 [0082.820] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0082.820] ReadFile (in: hFile=0x180, lpBuffer=0x3b9816c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b78138 | out: lpBuffer=0x3b9816c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b78138) returned 1 [0082.820] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0082.820] ReadFile (in: hFile=0x18c, lpBuffer=0x3c7011c, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c500e8 | out: lpBuffer=0x3c7011c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c500e8) returned 1 [0082.820] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0082.820] ReadFile (in: hFile=0x19c, lpBuffer=0x3c9816c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c78138 | out: lpBuffer=0x3c9816c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c78138) returned 1 [0082.821] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0082.821] ReadFile (in: hFile=0x1a0, lpBuffer=0x3cc01bc, nNumberOfBytesToRead=0x800, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ca0188 | out: lpBuffer=0x3cc01bc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ca0188) returned 1 [0082.821] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0083.641] WriteFile (in: hFile=0x1a0, lpBuffer=0x3cc01bc*, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ca0188 | out: lpBuffer=0x3cc01bc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ca0188) returned 1 [0083.642] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0083.642] CloseHandle (hObject=0x198) returned 1 [0083.646] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.160A0CAAEF59F2FC0E1E0DCB9ACFCB736A62AA7D3EC982B1E05FCA30DD5CD512" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml.160a0caaef59f2fc0e1e0dcb9acfcb736a62aa7d3ec982b1e05fca30dd5cd512")) returned 1 [0083.647] GetProcessHeap () returned 0x4c0000 [0083.647] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0083.647] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0083.671] CloseHandle (hObject=0x1a0) returned 1 [0083.675] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.AF85BEAB3618D2A81B384F7A3742AF057AAC55D56EE6CB001BBD7C74BF8E5C5C" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml.af85beab3618d2a81b384f7a3742af057aac55d56ee6cb001bbd7c74bf8e5c5c")) returned 1 [0083.677] GetProcessHeap () returned 0x4c0000 [0083.677] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0188 | out: hHeap=0x4c0000) returned 1 [0083.682] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0085.582] ReadFile (in: hFile=0x174, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0085.582] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0085.673] WriteFile (in: hFile=0x174, lpBuffer=0x3c2007c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 0x0 [0085.698] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0096.449] WriteFile (in: hFile=0x194, lpBuffer=0x3b480cc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b28098 | out: lpBuffer=0x3b480cc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b28098) returned 0x0 [0096.450] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0096.572] CloseHandle (hObject=0x194) returned 1 [0096.573] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.3423352A368E221796D1FBC7AEC2C22E10DF6677207DEEE4A4C147001BF5A478" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab.3423352a368e221796d1fbc7aec2c22e10df6677207deee4a4c147001bf5a478")) returned 1 [0096.574] GetProcessHeap () returned 0x4c0000 [0096.574] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b28098 | out: hHeap=0x4c0000) returned 1 [0096.574] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0096.581] ReadFile (in: hFile=0x1a4, lpBuffer=0x3b7011c, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b500e8 | out: lpBuffer=0x3b7011c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b500e8) returned 1 [0096.581] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0096.584] WriteFile (in: hFile=0x1a4, lpBuffer=0x3b7011c, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b500e8 | out: lpBuffer=0x3b7011c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b500e8) returned 0x0 [0096.586] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0096.586] CloseHandle (hObject=0x1a4) returned 1 [0096.588] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.9F63E731AC4BD0D879197A0E9C6C2B9D615B9030B4044B6B26F28ECE06997D4D" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml.9f63e731ac4bd0d879197a0e9c6c2b9d615b9030b4044b6b26f28ece06997d4d")) returned 1 [0096.588] GetProcessHeap () returned 0x4c0000 [0096.588] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b500e8 | out: hHeap=0x4c0000) returned 1 [0096.593] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0096.632] ReadFile (in: hFile=0x170, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0096.633] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0096.654] ReadFile (in: hFile=0x194, lpBuffer=0x3c7011c, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c500e8 | out: lpBuffer=0x3c7011c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c500e8) returned 1 [0096.654] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0096.656] WriteFile (in: hFile=0x194, lpBuffer=0x3c7011c*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c500e8 | out: lpBuffer=0x3c7011c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c500e8) returned 1 [0096.658] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0096.658] CloseHandle (hObject=0x194) returned 1 [0096.659] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.192C0E4D3FD8C155C762BE56E5E38E52CCCB4264B25716FCB15955BF572AE42C" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml.192c0e4d3fd8c155c762be56e5e38e52cccb4264b25716fcb15955bf572ae42c")) returned 1 [0096.660] GetProcessHeap () returned 0x4c0000 [0096.660] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c500e8 | out: hHeap=0x4c0000) returned 1 [0096.660] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0096.681] ReadFile (in: hFile=0x174, lpBuffer=0x3cc01bc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ca0188 | out: lpBuffer=0x3cc01bc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ca0188) returned 1 [0096.681] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0096.718] WriteFile (in: hFile=0x174, lpBuffer=0x3cc01bc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ca0188 | out: lpBuffer=0x3cc01bc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ca0188) returned 0x0 [0096.720] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0096.723] CloseHandle (hObject=0x174) returned 1 [0096.724] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.B31C925FE4D2FD5DD02D931108CB9F256F170F803B664AE55BC55F9A57AED53C" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab.b31c925fe4d2fd5dd02d931108cb9f256f170f803b664ae55bc55f9a57aed53c")) returned 1 [0096.725] GetProcessHeap () returned 0x4c0000 [0096.725] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0188 | out: hHeap=0x4c0000) returned 1 [0096.725] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0096.744] ReadFile (in: hFile=0x194, lpBuffer=0x3c7011c, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c500e8 | out: lpBuffer=0x3c7011c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c500e8) returned 1 [0096.745] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0096.749] CloseHandle (hObject=0x194) returned 1 [0096.750] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.00C5BF4F67F15EC2E0049C47BA0316FA65F09EE9A9C5656DF2FFED818210D369" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml.00c5bf4f67f15ec2e0049c47ba0316fa65f09ee9a9c5656df2ffed818210d369")) returned 1 [0096.752] GetProcessHeap () returned 0x4c0000 [0096.752] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c500e8 | out: hHeap=0x4c0000) returned 1 [0096.752] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0096.858] ReadFile (in: hFile=0x194, lpBuffer=0x3c7011c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c500e8 | out: lpBuffer=0x3c7011c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c500e8) returned 1 [0096.858] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0103.575] WriteFile (in: hFile=0x198, lpBuffer=0x3ba8174, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140) returned 0x0 [0103.577] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0103.597] ReadFile (in: hFile=0x170, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x7a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0103.597] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0103.629] WriteFile (in: hFile=0x170, lpBuffer=0x3c2007c, nNumberOfBytesToWrite=0x7a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 0x0 [0103.630] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0103.702] CloseHandle (hObject=0x198) returned 1 [0103.704] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\omsintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll.F9C4BA0480AE7FC7E8AA44969299411D07EF63B1A8004B3E1A2B800383DB1F31" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\omsintl.dll.trx_dll.f9c4ba0480ae7fc7e8aa44969299411d07ef63b1a8004b3e1a2b800383db1f31")) returned 1 [0103.704] GetProcessHeap () returned 0x4c0000 [0103.704] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b88140 | out: hHeap=0x4c0000) returned 1 [0103.713] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0103.715] CloseHandle (hObject=0x170) returned 1 [0103.716] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\onintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll.912A0D89B97A006E2AC31E1EE4E9799A3877983656355405CC665969EA428402" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\onintl.dll.trx_dll.912a0d89b97a006e2ac31e1ee4e9799a3877983656355405cc665969ea428402")) returned 1 [0103.717] GetProcessHeap () returned 0x4c0000 [0103.717] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0103.717] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0103.720] CloseHandle (hObject=0x16c) returned 1 [0103.721] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\mor6int.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll.8DB5AB422F20B0A900AEFA738892B61D98E58F92DDD91D9DE1E27BA1B516ED40" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\mor6int.rest.trx_dll.8db5ab422f20b0a900aefa738892b61d98e58f92ddd91d9de1e27ba1b516ed40")) returned 1 [0103.722] GetProcessHeap () returned 0x4c0000 [0103.722] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x57cb88 | out: hHeap=0x4c0000) returned 1 [0103.723] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0103.738] ReadFile (in: hFile=0x190, lpBuffer=0x3c480cc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098) returned 1 [0103.739] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0103.783] WriteFile (in: hFile=0x190, lpBuffer=0x3c480cc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098) returned 0x0 [0103.800] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0103.829] ReadFile (in: hFile=0x16c, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0103.829] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0103.869] WriteFile (in: hFile=0x16c, lpBuffer=0x3c2007c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 0x0 [0103.870] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0103.925] ReadFile (in: hFile=0x170, lpBuffer=0x3be8194, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc8160 | out: lpBuffer=0x3be8194*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc8160) returned 1 [0103.926] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0103.967] WriteFile (in: hFile=0x170, lpBuffer=0x3be8194*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc8160 | out: lpBuffer=0x3be8194*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc8160) returned 1 [0103.968] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0103.973] CloseHandle (hObject=0x1a4) returned 1 [0103.975] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\mapir.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll.57EF540DF68E990F3F918A9B7149BD1FF63CDD7FCC3216DCA54C31FAE09C8A5E" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\mapir.dll.trx_dll.57ef540df68e990f3f918a9b7149bd1ff63cdd7fcc3216dca54c31fae09c8a5e")) returned 1 [0103.975] GetProcessHeap () returned 0x4c0000 [0103.975] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0103.976] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0103.979] CloseHandle (hObject=0x190) returned 1 [0103.980] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\onintl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll.1ACE6B1150E9B850B9E5F1DAF05847687934A4C6DEADDF2077C19E29EEC1B755" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\onintl.rest.trx_dll.1ace6b1150e9b850b9e5f1daf05847687934a4c6deaddf2077c19e29eec1b755")) returned 1 [0103.981] GetProcessHeap () returned 0x4c0000 [0103.981] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0103.981] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0103.983] CloseHandle (hObject=0x16c) returned 1 [0103.985] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\outllibr.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll.0D7CF7D5590FB0965E5E1263F9394004C7F2AA028FE9D26909CC7737CC0EF509" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\outllibr.dll.trx_dll.0d7cf7d5590fb0965e5e1263f9394004c7f2aa028fe9d26909cc7737cc0ef509")) returned 1 [0103.986] GetProcessHeap () returned 0x4c0000 [0103.986] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0103.986] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0104.481] CloseHandle (hObject=0x190) returned 1 [0104.482] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\pub6intl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll.4D3A267BDD8B33EB9FBFA0BC04F2C9A356571F235F660F25F408619259518973" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\pub6intl.dll.trx_dll.4d3a267bdd8b33eb9fbfa0bc04f2c9a356571f235f660f25f408619259518973")) returned 1 [0104.483] GetProcessHeap () returned 0x4c0000 [0104.483] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0104.484] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0104.494] ReadFile (in: hFile=0x198, lpBuffer=0x574b6c, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x554b38 | out: lpBuffer=0x574b6c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x554b38) returned 1 [0104.494] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0104.517] WriteFile (in: hFile=0x198, lpBuffer=0x574b6c, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x554b38 | out: lpBuffer=0x574b6c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x554b38) returned 0x0 [0104.519] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0104.596] ReadFile (in: hFile=0x190, lpBuffer=0x59cbbc, nNumberOfBytesToRead=0x6800, lpNumberOfBytesRead=0x0, lpOverlapped=0x57cb88 | out: lpBuffer=0x59cbbc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x57cb88) returned 1 [0104.596] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0104.681] WriteFile (in: hFile=0x188, lpBuffer=0x532ac4, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x512a90 | out: lpBuffer=0x532ac4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x512a90) returned 0x0 [0104.682] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0104.684] CloseHandle (hObject=0x1a4) returned 1 [0104.688] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\pub6intl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll.59FE512D45B19CC00B6B8A7C3DFFC7D1A2ED9AC228F0E99E3D7A57F248790316" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\pub6intl.rest.trx_dll.59fe512d45b19cc00b6b8a7c3dffc7d1a2ed9ac228f0e99e3d7a57f248790316")) returned 1 [0104.689] GetProcessHeap () returned 0x4c0000 [0104.690] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0104.690] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0104.693] CloseHandle (hObject=0x16c) returned 1 [0104.695] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\pubwzint.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll.6C8755DEDCBA40062AF5F76C739950387F75E17CEC7AB42A0CFE8ECFA78FE911" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\pubwzint.rest.trx_dll.6c8755dedcba40062af5f76c739950387f75e17cec7ab42a0cfe8ecfa78fe911")) returned 1 [0104.696] GetProcessHeap () returned 0x4c0000 [0104.696] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc8160 | out: hHeap=0x4c0000) returned 1 [0104.699] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0104.701] CloseHandle (hObject=0x170) returned 1 [0104.703] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\sgres.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll.5BA3AD7005F912490FEE705975B3B5557B0A4627FEB4E30C5634F1F2674A4A1D" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\sgres.dll.trx_dll.5ba3ad7005f912490fee705975b3b5557b0a4627feb4e30c5634f1f2674a4a1d")) returned 1 [0104.706] GetProcessHeap () returned 0x4c0000 [0104.706] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0104.707] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0104.989] CloseHandle (hObject=0x188) returned 1 [0104.990] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\visintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll.789F4CD51AFF4729781E1549FCAB1EAD9C578589130F15EFC95727C4CBA29143" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\visintl.dll.trx_dll.789f4cd51aff4729781e1549fcab1ead9c578589130f15efc95727c4cba29143")) returned 1 [0104.991] GetProcessHeap () returned 0x4c0000 [0104.991] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0104.992] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0104.998] ReadFile (in: hFile=0x170, lpBuffer=0x59cbbc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x57cb88 | out: lpBuffer=0x59cbbc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x57cb88) returned 1 [0104.998] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0105.044] WriteFile (in: hFile=0x170, lpBuffer=0x59cbbc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x57cb88 | out: lpBuffer=0x59cbbc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x57cb88) returned 0x0 [0105.046] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0105.090] ReadFile (in: hFile=0x188, lpBuffer=0x532ac4, nNumberOfBytesToRead=0x3c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x512a90 | out: lpBuffer=0x532ac4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x512a90) returned 1 [0105.090] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0105.115] WriteFile (in: hFile=0x188, lpBuffer=0x532ac4, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x512a90 | out: lpBuffer=0x532ac4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x512a90) returned 0x0 [0105.116] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0105.173] ReadFile (in: hFile=0x16c, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x3600, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0105.175] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0105.187] ReadFile (in: hFile=0x1a4, lpBuffer=0x3c480cc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098) returned 1 [0105.187] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0105.256] WriteFile (in: hFile=0x16c, lpBuffer=0x3c2007c, nNumberOfBytesToWrite=0x3600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 0x0 [0105.258] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0105.426] WriteFile (in: hFile=0x194, lpBuffer=0x3ba8174*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140) returned 1 [0105.440] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0105.480] CloseHandle (hObject=0x1a0) returned 1 [0105.481] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\wwintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll.6014F040976C99B5533BF6FF844114B5BA1927CD709BEFBD1DDB59E31FFFE05C" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\wwintl.dll.trx_dll.6014f040976c99b5533bf6ff844114b5ba1927cd709befbd1ddb59e31fffe05c")) returned 1 [0105.482] GetProcessHeap () returned 0x4c0000 [0105.482] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0105.482] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0105.486] CloseHandle (hObject=0x198) returned 1 [0105.488] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\wwintl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll.377D793FC7DE28BDE10A25D7E84BFA2DA264EB5006FED223E1C2A296C75D2D04" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\wwintl.rest.trx_dll.377d793fc7de28bde10a25d7e84bfa2da264eb5006fed223e1c2a296c75d2d04")) returned 1 [0105.489] GetProcessHeap () returned 0x4c0000 [0105.489] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc8160 | out: hHeap=0x4c0000) returned 1 [0105.491] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0105.494] CloseHandle (hObject=0x190) returned 1 [0105.496] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\xlintl32.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll.63F47ACF67111D280A1DFC89EFA7504F90667687D54754CD80F76F45D66B5833" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\xlintl32.dll.trx_dll.63f47acf67111d280a1dfc89efa7504f90667687d54754cd80f76f45d66b5833")) returned 1 [0105.497] GetProcessHeap () returned 0x4c0000 [0105.497] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x554b38 | out: hHeap=0x4c0000) returned 1 [0105.497] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0105.518] CloseHandle (hObject=0x18c) returned 1 [0105.519] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\grintl32.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll.AB3433E1E01E12EBE9BCE3C028BE0D3454D8BC64728D8317313F7F11CCDFA957" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\grintl32.rest.trx_dll.ab3433e1e01e12ebe9bce3c028be0d3454d8bc64728d8317313f7f11ccdfa957")) returned 1 [0105.520] GetProcessHeap () returned 0x4c0000 [0105.520] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0105.521] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0105.522] CloseHandle (hObject=0x194) returned 1 [0105.524] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\mapir.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll.35C8F12F5DE6D0E750A26627A53BA0BAE713A711A7D2F8D687C5A2AB9109703F" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\mapir.dll.trx_dll.35c8f12f5de6d0e750a26627a53ba0bae713a711a7d2f8d687c5a2ab9109703f")) returned 1 [0105.524] GetProcessHeap () returned 0x4c0000 [0105.524] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b88140 | out: hHeap=0x4c0000) returned 1 [0105.527] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0105.542] ReadFile (in: hFile=0x178, lpBuffer=0x3c7011c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c500e8 | out: lpBuffer=0x3c7011c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c500e8) returned 1 [0105.542] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0105.586] WriteFile (in: hFile=0x178, lpBuffer=0x3c7011c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c500e8 | out: lpBuffer=0x3c7011c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c500e8) returned 0x0 [0105.588] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0105.617] ReadFile (in: hFile=0x194, lpBuffer=0x3be8194, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc8160 | out: lpBuffer=0x3be8194*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc8160) returned 1 [0105.617] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0105.660] WriteFile (in: hFile=0x194, lpBuffer=0x3be8194, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc8160 | out: lpBuffer=0x3be8194, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc8160) returned 0x0 [0105.664] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0105.692] ReadFile (in: hFile=0x18c, lpBuffer=0x532ac4, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x512a90 | out: lpBuffer=0x532ac4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x512a90) returned 1 [0105.693] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0105.733] WriteFile (in: hFile=0x18c, lpBuffer=0x532ac4, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x512a90 | out: lpBuffer=0x532ac4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x512a90) returned 0x0 [0105.735] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0105.763] ReadFile (in: hFile=0x1a4, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0105.763] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0105.817] WriteFile (in: hFile=0x1a4, lpBuffer=0x3c2007c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 0x0 [0105.818] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0105.834] CloseHandle (hObject=0x178) returned 1 [0105.835] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\mor6int.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll.93356F5D6EDAAE7BD008CA76A7EEF06CF3580A678D08219886E5D293B7B3301A" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\mor6int.rest.trx_dll.93356f5d6edaae7bd008ca76a7eef06cf3580a678d08219886e5d293b7b3301a")) returned 1 [0105.836] GetProcessHeap () returned 0x4c0000 [0105.836] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c500e8 | out: hHeap=0x4c0000) returned 1 [0105.836] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0105.838] CloseHandle (hObject=0x194) returned 1 [0105.839] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\msointl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll.FEB261CB776307ED6D045636E6578B30FDFAA5E931509B2FC9B02078B0216677" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\msointl.dll.trx_dll.feb261cb776307ed6d045636e6578b30fdfaa5e931509b2fc9b02078b0216677")) returned 1 [0105.840] GetProcessHeap () returned 0x4c0000 [0105.840] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc8160 | out: hHeap=0x4c0000) returned 1 [0105.840] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0105.844] CloseHandle (hObject=0x18c) returned 1 [0105.845] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\msointl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll.9F56573654604534048A1C7F8B6D39C73548BDBE638E32FFB751CAD914F9F307" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\msointl.rest.trx_dll.9f56573654604534048a1c7f8b6d39c73548bdbe638e32ffb751cad914f9f307")) returned 1 [0105.846] GetProcessHeap () returned 0x4c0000 [0105.846] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0105.846] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0105.862] ReadFile (in: hFile=0x16c, lpBuffer=0x3c480cc, nNumberOfBytesToRead=0x7a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098) returned 1 [0105.863] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0105.902] WriteFile (in: hFile=0x16c, lpBuffer=0x3c480cc, nNumberOfBytesToWrite=0x7a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098) returned 0x0 [0105.904] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0105.933] ReadFile (in: hFile=0x18c, lpBuffer=0x3be8194, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc8160 | out: lpBuffer=0x3be8194*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc8160) returned 1 [0105.934] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0105.963] ReadFile (in: hFile=0x194, lpBuffer=0x3c7011c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c500e8 | out: lpBuffer=0x3c7011c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c500e8) returned 1 [0105.963] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0106.059] WriteFile (in: hFile=0x18c, lpBuffer=0x3be8194, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc8160 | out: lpBuffer=0x3be8194, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc8160) returned 0x0 [0106.067] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0106.102] ReadFile (in: hFile=0x178, lpBuffer=0x532ac4, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x512a90 | out: lpBuffer=0x532ac4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x512a90) returned 1 [0106.102] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0106.132] WriteFile (in: hFile=0x178, lpBuffer=0x532ac4, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x512a90 | out: lpBuffer=0x532ac4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x512a90) returned 0x0 [0106.135] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0106.158] ReadFile (in: hFile=0x194, lpBuffer=0x574b6c, nNumberOfBytesToRead=0x2c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x554b38 | out: lpBuffer=0x574b6c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x554b38) returned 1 [0106.158] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0106.168] WriteFile (in: hFile=0x194, lpBuffer=0x574b6c, nNumberOfBytesToWrite=0x2c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x554b38 | out: lpBuffer=0x574b6c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x554b38) returned 0x0 [0106.170] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0106.198] ReadFile (in: hFile=0x16c, lpBuffer=0x59cbbc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x57cb88 | out: lpBuffer=0x59cbbc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x57cb88) returned 1 [0106.198] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0106.248] WriteFile (in: hFile=0x16c, lpBuffer=0x59cbbc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x57cb88 | out: lpBuffer=0x59cbbc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x57cb88) returned 0x0 [0106.249] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0106.285] ReadFile (in: hFile=0x1a4, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0106.285] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0106.327] WriteFile (in: hFile=0x1a4, lpBuffer=0x3c2007c*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 1 [0106.329] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0106.330] CloseHandle (hObject=0x1a4) returned 1 [0106.331] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\ppintl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll.D6913BCF4876F8FEC5EAC1F2F130CA2864D7D70424B67C6847AB66E75E31345B" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\ppintl.rest.trx_dll.d6913bcf4876f8fec5eac1f2f130ca2864d7d70424b67c6847ab66e75e31345b")) returned 1 [0106.332] GetProcessHeap () returned 0x4c0000 [0106.332] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0106.332] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0106.344] CloseHandle (hObject=0x18c) returned 1 [0106.346] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\onintl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll.141325BF7C6C99311F24AC18A68429E195B38C9C1D0880073E863351111A9009" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\onintl.rest.trx_dll.141325bf7c6c99311f24ac18a68429e195b38c9c1d0880073e863351111a9009")) returned 1 [0106.347] GetProcessHeap () returned 0x4c0000 [0106.347] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc8160 | out: hHeap=0x4c0000) returned 1 [0106.351] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0106.355] CloseHandle (hObject=0x178) returned 1 [0106.357] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\outllibr.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll.A7AFE54B9986789192FEA278291694A8D1458E8F79047A486E32ADAEC99B4C41" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\outllibr.rest.trx_dll.a7afe54b9986789192fea278291694a8d1458e8f79047a486e32adaec99b4c41")) returned 1 [0106.358] GetProcessHeap () returned 0x4c0000 [0106.358] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0106.358] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0106.380] ReadFile (in: hFile=0x1a4, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0106.385] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0106.449] WriteFile (in: hFile=0x1a4, lpBuffer=0x3c2007c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 0x0 [0106.466] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0106.487] ReadFile (in: hFile=0x178, lpBuffer=0x3be8194, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc8160 | out: lpBuffer=0x3be8194*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc8160) returned 1 [0106.488] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0106.537] WriteFile (in: hFile=0x178, lpBuffer=0x3be8194, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc8160 | out: lpBuffer=0x3be8194, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc8160) returned 0x0 [0106.552] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0106.585] ReadFile (in: hFile=0x18c, lpBuffer=0x532ac4, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x512a90 | out: lpBuffer=0x532ac4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x512a90) returned 1 [0106.585] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0106.635] WriteFile (in: hFile=0x18c, lpBuffer=0x532ac4, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x512a90 | out: lpBuffer=0x532ac4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x512a90) returned 0x0 [0106.637] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0106.657] CloseHandle (hObject=0x194) returned 1 [0106.659] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\outlwvw.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll.63EBE590F86EE6E6780F7A2A533332D8FF71418ABDA9057B35A0D6FCC9546357" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\outlwvw.dll.trx_dll.63ebe590f86ee6e6780f7a2a533332d8ff71418abda9057b35a0d6fcc9546357")) returned 1 [0106.660] GetProcessHeap () returned 0x4c0000 [0106.660] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x554b38 | out: hHeap=0x4c0000) returned 1 [0106.660] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0106.705] WriteFile (in: hFile=0xec, lpBuffer=0x3c480cc, nNumberOfBytesToWrite=0x3200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098) returned 0x0 [0106.707] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0106.728] ReadFile (in: hFile=0x178, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x4200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0106.728] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0106.745] WriteFile (in: hFile=0x178, lpBuffer=0x3c2007c, nNumberOfBytesToWrite=0x4200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 0x0 [0106.746] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0106.762] CloseHandle (hObject=0x178) returned 1 [0106.763] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\stintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll.AEE5AB20C7DBF1749F77E812C06EB08AAFBD6BDC4EAF0E8DF33AB4F780D24263" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\stintl.dll.trx_dll.aee5ab20c7dbf1749f77e812c06eb08aafbd6bdc4eaf0e8df33ab4f780d24263")) returned 1 [0106.764] GetProcessHeap () returned 0x4c0000 [0106.764] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0106.764] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0106.802] ReadFile (in: hFile=0x1a4, lpBuffer=0x3be8194, nNumberOfBytesToRead=0x6800, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc8160 | out: lpBuffer=0x3be8194*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc8160) returned 1 [0106.803] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0106.839] WriteFile (in: hFile=0x1a4, lpBuffer=0x3be8194, nNumberOfBytesToWrite=0x6800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc8160 | out: lpBuffer=0x3be8194, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc8160) returned 0x0 [0106.840] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0106.852] ReadFile (in: hFile=0x178, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0106.853] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0106.882] WriteFile (in: hFile=0x178, lpBuffer=0x3c2007c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 0x0 [0106.884] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0106.907] CloseHandle (hObject=0x18c) returned 1 [0106.908] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\pubwzint.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll.7FF752BFE057AE695081F77D89C05B5F6D92698436BB856E1B26DB6CF636F371" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\pubwzint.rest.trx_dll.7ff752bfe057ae695081f77d89c05b5f6d92698436bb856e1b26db6cf636f371")) returned 1 [0106.909] GetProcessHeap () returned 0x4c0000 [0106.909] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0106.909] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0106.911] CloseHandle (hObject=0xec) returned 1 [0106.914] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\sgres.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll.0B7095B199C0CDBA0D06FB2EC3D8130270AC426B7FF7BFA93836ADA44FA2AF7C" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\sgres.dll.trx_dll.0b7095b199c0cdba0d06fb2ec3d8130270ac426b7ff7bfa93836ada44fa2af7c")) returned 1 [0106.915] GetProcessHeap () returned 0x4c0000 [0106.915] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0106.915] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0106.918] CloseHandle (hObject=0x1a4) returned 1 [0106.919] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\visbrres.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll.2B2F78A18B2C34435D0D8B44C1228B4EE44C4E155BA06069A462F6999957D325" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\visbrres.dll.trx_dll.2b2f78a18b2c34435d0d8b44c1228b4ee44c4e155ba06069a462f6999957d325")) returned 1 [0106.920] GetProcessHeap () returned 0x4c0000 [0106.920] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc8160 | out: hHeap=0x4c0000) returned 1 [0106.920] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0106.928] ReadFile (in: hFile=0x16c, lpBuffer=0x3c7011c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c500e8 | out: lpBuffer=0x3c7011c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c500e8) returned 1 [0106.928] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0106.970] WriteFile (in: hFile=0x16c, lpBuffer=0x3c7011c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c500e8 | out: lpBuffer=0x3c7011c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c500e8) returned 0x0 [0106.973] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0106.995] ReadFile (in: hFile=0x1a4, lpBuffer=0x3c480cc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098) returned 1 [0106.995] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0107.036] WriteFile (in: hFile=0x1a4, lpBuffer=0x3c480cc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098) returned 0x0 [0107.039] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0107.107] ReadFile (in: hFile=0xec, lpBuffer=0x3be8194, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc8160 | out: lpBuffer=0x3be8194*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc8160) returned 1 [0107.108] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0107.226] WriteFile (in: hFile=0x18c, lpBuffer=0x532ac4, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x512a90 | out: lpBuffer=0x532ac4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x512a90) returned 0x0 [0107.250] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0107.577] CloseHandle (hObject=0x184) returned 1 [0107.641] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\tokens.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat.7E81FBFF00D9189227FC99B2EC4C7669EAF46F2B0E859F778CD1E3E3DD5F2F2B" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\tokens.dat.7e81fbff00d9189227fc99b2ec4c7669eaf46f2b0e859f778cd1e3e3dd5f2f2b")) returned 1 [0107.643] GetProcessHeap () returned 0x4c0000 [0107.643] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0107.643] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0107.836] WriteFile (in: hFile=0x1a4, lpBuffer=0x59cbbc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x57cb88 | out: lpBuffer=0x59cbbc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x57cb88) returned 0x0 [0107.838] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0108.025] ReadFile (in: hFile=0x178, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0108.026] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0108.056] WriteFile (in: hFile=0x178, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0108.057] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0108.113] ReadFile (in: hFile=0x114, lpBuffer=0x3c30084, nNumberOfBytesToRead=0x1a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c10050 | out: lpBuffer=0x3c30084*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c10050) returned 1 [0108.119] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0108.124] CloseHandle (hObject=0x114) returned 1 [0108.125] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\results\\resource\\{1d1dbf3a-752f-47e2-be70-d848d4a9afb0}"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}.C75DA4B11ADC76525EE682328FEC058E1D8C54D77E6B02D6D7E7774A099C3047" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\results\\resource\\{1d1dbf3a-752f-47e2-be70-d848d4a9afb0}.c75da4b11adc76525ee682328fec058e1d8c54d77e6b02d6d7e7774a099c3047")) returned 1 [0108.125] GetProcessHeap () returned 0x4c0000 [0108.125] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c10050 | out: hHeap=0x4c0000) returned 1 [0108.125] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0108.143] ReadFile (in: hFile=0x174, lpBuffer=0x3c580d4, nNumberOfBytesToRead=0x1a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c380a0 | out: lpBuffer=0x3c580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c380a0) returned 1 [0108.144] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0108.150] WriteFile (in: hFile=0x174, lpBuffer=0x3c580d4*, nNumberOfBytesToWrite=0x1a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c380a0 | out: lpBuffer=0x3c580d4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c380a0) returned 1 [0108.151] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0108.151] CloseHandle (hObject=0x174) returned 1 [0108.152] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Unknown.Log" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\service\\unknown.log"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Unknown.Log.B3AB65078A216843F5DF0D5BDBC0B83C546A61FFA09F77E9908DA62504B7B40B" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\service\\unknown.log.b3ab65078a216843f5df0d5bdbc0b83c546a61ffa09f77e9908da62504b7b40b")) returned 1 [0108.153] GetProcessHeap () returned 0x4c0000 [0108.153] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c380a0 | out: hHeap=0x4c0000) returned 1 [0108.153] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0108.163] CloseHandle (hObject=0x1a4) returned 1 [0108.164] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\guest.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp.C4E3B02A63CE713B17C818A52BC2B4C1B405BFB734A01E7399F3DEBF823B995A" (normalized: "c:\\programdata\\microsoft\\user account pictures\\guest.bmp.c4e3b02a63ce713b17c818a52bc2b4c1b405bfb734a01e7399f3debf823b995a")) returned 1 [0108.164] GetProcessHeap () returned 0x4c0000 [0108.164] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x57cb88 | out: hHeap=0x4c0000) returned 1 [0108.165] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0108.179] CloseHandle (hObject=0x184) returned 1 [0108.181] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp.0DDD8DB049BDE0BA08D59328A05835DBB6735BA864939E531F6FF4C755294C13" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user.bmp.0ddd8db049bde0ba08d59328a05835dbb6735ba864939e531f6ff4c755294c13")) returned 1 [0108.182] GetProcessHeap () returned 0x4c0000 [0108.182] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53aae0 | out: hHeap=0x4c0000) returned 1 [0108.182] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0108.184] CloseHandle (hObject=0x194) returned 1 [0108.185] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpasbase.vdm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm.436BADEA47FAD445E69E01BD0CD79685291C1EFFE14EEBBC69E288DB1CEE3C29" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpasbase.vdm.436badea47fad445e69e01bd0cd79685291c1effe14eebbc69e288db1cee3c29")) returned 1 [0108.187] GetProcessHeap () returned 0x4c0000 [0108.187] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc8160 | out: hHeap=0x4c0000) returned 1 [0108.187] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0108.188] CloseHandle (hObject=0x178) returned 1 [0108.250] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpasdlta.vdm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm.CA4B70616CC0EA5353E93436D9DCBAD0BB4DC77D5BF62354D86E54A5C3A8185C" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpasdlta.vdm.ca4b70616cc0ea5353e93436d9dcbad0bb4dc77d5bf62354d86e54a5c3a8185c")) returned 1 [0108.311] GetProcessHeap () returned 0x4c0000 [0108.311] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0108.314] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0108.323] ReadFile (in: hFile=0x194, lpBuffer=0x3bd810c, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bb80d8 | out: lpBuffer=0x3bd810c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bb80d8) returned 1 [0108.323] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0108.333] WriteFile (in: hFile=0x194, lpBuffer=0x3bd810c*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bb80d8 | out: lpBuffer=0x3bd810c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bb80d8) returned 1 [0108.336] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0108.337] CloseHandle (hObject=0x194) returned 1 [0108.338] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\nslist.hxl" (normalized: "c:\\programdata\\microsoft help\\nslist.hxl"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\nslist.hxl.CC666C16DFD091991D2970BC6DA053A58E4A5FBA55D10755050923D25235310E" (normalized: "c:\\programdata\\microsoft help\\nslist.hxl.cc666c16dfd091991d2970bc6da053a58e4a5fba55d10755050923d25235310e")) returned 1 [0108.339] GetProcessHeap () returned 0x4c0000 [0108.339] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bb80d8 | out: hHeap=0x4c0000) returned 1 [0108.339] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0108.413] ReadFile (in: hFile=0x19c, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0108.413] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0108.455] WriteFile (in: hFile=0x19c, lpBuffer=0x3c2007c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 0x0 [0108.477] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0108.515] ReadFile (in: hFile=0x1a4, lpBuffer=0x3c480cc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098) returned 1 [0108.516] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0108.556] WriteFile (in: hFile=0x1a4, lpBuffer=0x3c480cc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098) returned 0x0 [0108.558] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0108.637] ReadFile (in: hFile=0x18c, lpBuffer=0x3bd810c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bb80d8 | out: lpBuffer=0x3bd810c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bb80d8) returned 1 [0108.637] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0108.839] ReadFile (in: hFile=0x184, lpBuffer=0x3b80124, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0) returned 1 [0108.839] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0108.842] CloseHandle (hObject=0x178) returned 1 [0108.842] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm.BAD3D950C968588C5F0579BAC4C41519FFD0DAD5B41AC35E1DA5D207554CBF31" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm.bad3d950c968588c5f0579bac4c41519ffd0dad5b41ac35e1da5d207554cbf31")) returned 1 [0108.992] GetProcessHeap () returned 0x4c0000 [0108.992] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c500e8 | out: hHeap=0x4c0000) returned 1 [0108.993] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0109.205] WriteFile (in: hFile=0x174, lpBuffer=0x3c480cc*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098) returned 1 [0109.215] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0109.234] CloseHandle (hObject=0x16c) returned 1 [0109.235] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.A67710D9F824D2EE7C41410732DD483CC0E9985514F50A63A565026BE0E4C209" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\cab1.cab.a67710d9f824d2ee7c41410732dd483cc0e9985514f50a63a565026be0e4c209")) returned 1 [0109.237] GetProcessHeap () returned 0x4c0000 [0109.237] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0109.237] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0109.266] CloseHandle (hObject=0x178) returned 1 [0109.268] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi.EDD9A80FA6422FFE70A9133A7D0D46A5D81585D76C3871219BF20A10A080D60C" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi.edd9a80fa6422ffe70a9133a7d0d46a5d81585d76c3871219bf20a10a080d60c")) returned 1 [0109.270] GetProcessHeap () returned 0x4c0000 [0109.270] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bb80d8 | out: hHeap=0x4c0000) returned 1 [0109.270] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0109.283] ReadFile (in: hFile=0x114, lpBuffer=0x3ba8174, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140) returned 1 [0109.284] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0109.304] ReadFile (in: hFile=0x178, lpBuffer=0x3bd810c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bb80d8 | out: lpBuffer=0x3bd810c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bb80d8) returned 1 [0109.304] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0109.356] WriteFile (in: hFile=0x114, lpBuffer=0x3ba8174, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140) returned 0x0 [0109.362] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0109.557] CloseHandle (hObject=0x19c) returned 1 [0109.557] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe.DD872ED8FCC4C56931D9BCA1DA4F9C0F2258E2B1BE49EA789829DEE688D15D76" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe.dd872ed8fcc4c56931d9bca1da4f9c0f2258e2b1be49ea789829dee688d15d76")) returned 1 [0109.558] GetProcessHeap () returned 0x4c0000 [0109.558] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c500e8 | out: hHeap=0x4c0000) returned 1 [0109.558] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0110.261] CloseHandle (hObject=0x19c) returned 1 [0110.315] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi.2218F531B535A42FE16E5FFBB881FCF7FA33DFACC8FC5CDB5398F2FFA1E97E24" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi.2218f531b535a42fe16e5ffbb881fcf7fa33dfacc8fc5cdb5398f2ffa1e97e24")) returned 1 [0110.316] GetProcessHeap () returned 0x4c0000 [0110.316] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0110.317] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0110.658] CloseHandle (hObject=0x1a4) returned 1 [0110.660] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab.CEF1BE81943400317CB36F7D1B2EB1E43B34D260BAA9CF8E2DA3EB9F477A5B29" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\cab1.cab.cef1be81943400317cb36f7d1b2eb1e43b34d260baa9cf8e2da3eb9f477a5b29")) returned 1 [0110.711] GetProcessHeap () returned 0x4c0000 [0110.711] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0110.715] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0110.752] CloseHandle (hObject=0x190) returned 1 [0110.855] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe.6F9CC363BD6314B4A7CF501A0DC98D9D6AE78EAB8CEBBB6CF1CB6F93495E374C" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe.6f9cc363bd6314b4a7cf501a0dc98d9d6ae78eab8cebbb6cf1cb6f93495e374c")) returned 1 [0110.862] GetProcessHeap () returned 0x4c0000 [0110.862] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0110.863] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0110.948] ReadFile (in: hFile=0x19c, lpBuffer=0x3b80124, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0) returned 1 [0110.948] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0110.990] WriteFile (in: hFile=0x19c, lpBuffer=0x3b80124, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0) returned 0x0 [0110.992] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0111.060] CloseHandle (hObject=0x1a4) returned 1 [0111.061] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi.B3B7180E6ECFA0C79395A4FE36B44D4C722DF06B6434A8A0485A36C9D4F27131" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi.b3b7180e6ecfa0c79395a4fe36b44d4c722df06b6434a8a0485a36c9d4f27131")) returned 1 [0111.064] GetProcessHeap () returned 0x4c0000 [0111.064] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0111.064] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0111.066] CloseHandle (hObject=0x19c) returned 1 [0111.068] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi.27E06E12456562547C5FCF08DA69BE3E84ABF794C7DDB979F247D6AFA9DA2315" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi.27e06e12456562547c5fcf08da69be3e84abf794c7ddb979f247d6afa9da2315")) returned 1 [0111.072] GetProcessHeap () returned 0x4c0000 [0111.072] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0111.072] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0111.097] ReadFile (in: hFile=0x190, lpBuffer=0x3ba8174, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140) returned 1 [0111.097] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0111.098] WriteFile (in: hFile=0x190, lpBuffer=0x3ba8174*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140) returned 1 [0111.100] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0111.101] CloseHandle (hObject=0x190) returned 1 [0111.102] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm.787C5C76DF4D3B65FAA98F219122A2E1445429BF3DBCFA38BB9FFB5D0DA0C870" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm.787c5c76df4d3b65faa98f219122a2e1445429bf3dbcfa38bb9ffb5d0da0c870")) returned 1 [0111.104] GetProcessHeap () returned 0x4c0000 [0111.104] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b88140 | out: hHeap=0x4c0000) returned 1 [0111.108] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0111.136] ReadFile (in: hFile=0x190, lpBuffer=0x3bd810c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bb80d8 | out: lpBuffer=0x3bd810c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bb80d8) returned 1 [0111.136] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0111.178] WriteFile (in: hFile=0x190, lpBuffer=0x3bd810c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bb80d8 | out: lpBuffer=0x3bd810c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bb80d8) returned 0x0 [0111.180] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0111.220] ReadFile (in: hFile=0x19c, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0111.223] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0111.258] ReadFile (in: hFile=0x1a4, lpBuffer=0x3c480cc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098) returned 1 [0111.258] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0111.301] WriteFile (in: hFile=0x1a4, lpBuffer=0x3c480cc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098) returned 1 [0111.302] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0111.304] CloseHandle (hObject=0x1a4) returned 1 [0111.305] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe.07A169B8421BD17822A27E08E9268077DC7F61193A8AE5A7D46AF264A90B1605" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe.07a169b8421bd17822a27e08e9268077dc7f61193a8ae5a7d46af264a90b1605")) returned 1 [0111.306] GetProcessHeap () returned 0x4c0000 [0111.306] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0111.306] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0111.308] CloseHandle (hObject=0x180) returned 1 [0111.309] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.45037AFFE66501EE302988A84029E1D91FC10BDD1EC0200FF2CAF5A3C44EC01C" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\cab1.cab.45037affe66501ee302988a84029e1d91fc10bdd1ec0200ff2caf5a3c44ec01c")) returned 1 [0111.310] GetProcessHeap () returned 0x4c0000 [0111.310] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0111.310] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0111.342] CloseHandle (hObject=0x190) returned 1 [0111.566] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\vc_redist.x64.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe.861F8538A4DD71E9B1525F48DABCEAE378034B937729526BE38A8028ED28A77C" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\vc_redist.x64.exe.861f8538a4dd71e9b1525f48dabceae378034b937729526be38a8028ed28a77c")) returned 1 [0111.568] GetProcessHeap () returned 0x4c0000 [0111.568] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bb80d8 | out: hHeap=0x4c0000) returned 1 [0111.568] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0111.700] ReadFile (in: hFile=0x114, lpBuffer=0x3be8114, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0) returned 1 [0111.701] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0111.747] WriteFile (in: hFile=0x114, lpBuffer=0x3be8114, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0) returned 0x0 [0111.850] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0111.945] ReadFile (in: hFile=0x180, lpBuffer=0x3c7011c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c500e8 | out: lpBuffer=0x3c7011c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c500e8) returned 1 [0111.946] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0112.337] WriteFile (in: hFile=0x194, lpBuffer=0x3b2007c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b00048 | out: lpBuffer=0x3b2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b00048) returned 0x0 [0112.338] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0112.488] CloseHandle (hObject=0x198) returned 1 [0112.489] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\SharedDataEvents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\shareddataevents"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\SharedDataEvents.AB0015D7564C732CE8EC1D2EFF1C1D85571C95F52D144C03D6689116BB354605" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\shareddataevents.ab0015d7564c732ce8ec1d2eff1c1d85571c95f52d144c03d6689116bb354605")) returned 1 [0112.490] GetProcessHeap () returned 0x4c0000 [0112.490] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0112.493] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0112.892] CloseHandle (hObject=0x194) returned 1 [0113.108] MoveFileW (lpExistingFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\winre.wim"), lpNewFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim.1DEFFAD86B675C8204C26A2647290920D2A95DBBD6CB4664D6419853E310C268" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\winre.wim.1deffad86b675c8204c26a2647290920d2a95dbbd6cb4664d6419853e310c268")) returned 1 [0113.109] GetProcessHeap () returned 0x4c0000 [0113.109] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0113.109] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0113.110] ReadFile (in: hFile=0x184, lpBuffer=0x3ba8174, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140) returned 1 [0113.110] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0119.571] WriteFile (in: hFile=0x1c0, lpBuffer=0x3d09224, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ce91f0 | out: lpBuffer=0x3d09224, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ce91f0) returned 0x0 [0119.623] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0119.624] CloseHandle (hObject=0x184) returned 1 [0119.634] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\messages.json.32F6E7360963EF40FBF22200C622CC056AD030DA3D8CF15508DBD9DAC12D220E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\messages.json.32f6e7360963ef40fbf22200c622cc056ad030da3d8cf15508dbd9dac12d220e")) returned 1 [0119.642] GetProcessHeap () returned 0x4c0000 [0119.642] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0119.642] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0119.848] WriteFile (in: hFile=0x1ac, lpBuffer=0x3c690e4, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c490b0 | out: lpBuffer=0x3c690e4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c490b0) returned 0x0 [0120.054] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0120.288] WriteFile (in: hFile=0x1c0, lpBuffer=0x3b80124, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0) returned 0x0 [0120.289] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0120.428] CloseHandle (hObject=0x184) returned 1 [0120.452] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\messages.json.5FCF63611F3E512DECCA5F2B0EDB888F3E5AE770197019D4273EEA7437DC9E06" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\messages.json.5fcf63611f3e512decca5f2b0edb888f3e5ae770197019d4273eea7437dc9e06")) returned 1 [0120.452] GetProcessHeap () returned 0x4c0000 [0120.453] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0120.454] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0120.521] ReadFile (in: hFile=0x184, lpBuffer=0x3c4008c, nNumberOfBytesToRead=0x1800, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c20058 | out: lpBuffer=0x3c4008c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c20058) returned 1 [0120.521] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0120.523] WriteFile (in: hFile=0x16c, lpBuffer=0x3c680dc*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c480a8 | out: lpBuffer=0x3c680dc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c480a8) returned 1 [0120.535] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0120.550] CloseHandle (hObject=0x184) returned 1 [0120.551] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png.A42FEF02E4F2CB9178876F4AF1F2A0ADB6F1008032A9A2B6286F89F3A062EE4D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png.a42fef02e4f2cb9178876f4af1f2a0adb6f1008032a9a2b6286f89f3a062ee4d")) returned 1 [0120.552] GetProcessHeap () returned 0x4c0000 [0120.552] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.553] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0120.944] ReadFile (in: hFile=0x184, lpBuffer=0x3c4008c, nNumberOfBytesToRead=0x2600, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c20058 | out: lpBuffer=0x3c4008c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c20058) returned 1 [0120.944] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0120.964] WriteFile (in: hFile=0x184, lpBuffer=0x3c4008c*, nNumberOfBytesToWrite=0x2600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c20058 | out: lpBuffer=0x3c4008c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c20058) returned 1 [0120.969] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0120.970] CloseHandle (hObject=0x184) returned 1 [0120.971] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\verified_contents.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\verified_contents.json.DB2DF7A2862E877C763B63B49B9BE0668B4F664100C53B75C58978C3D00A024A" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\verified_contents.json.db2df7a2862e877c763b63b49b9be0668b4f664100c53b75c58978c3d00a024a")) returned 1 [0120.972] GetProcessHeap () returned 0x4c0000 [0120.972] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0120.973] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0121.019] ReadFile (in: hFile=0x1c4, lpBuffer=0x3c4008c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c20058 | out: lpBuffer=0x3c4008c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c20058) returned 1 [0121.020] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0121.155] ReadFile (in: hFile=0x1c0, lpBuffer=0x3c680dc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c480a8 | out: lpBuffer=0x3c680dc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c480a8) returned 1 [0121.155] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0121.458] WriteFile (in: hFile=0x1c0, lpBuffer=0x3c680dc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c480a8 | out: lpBuffer=0x3c680dc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c480a8) returned 0x0 [0121.470] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0121.564] ReadFile (in: hFile=0x198, lpBuffer=0x3b580d4, nNumberOfBytesToRead=0x1a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0) returned 1 [0121.585] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0121.601] WriteFile (in: hFile=0x198, lpBuffer=0x3b580d4, nNumberOfBytesToWrite=0x1a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0) returned 0x0 [0121.602] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0121.612] ReadFile (in: hFile=0x1ac, lpBuffer=0x3b80124, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0) returned 1 [0121.612] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0121.613] CloseHandle (hObject=0x198) returned 1 [0121.613] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.css" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.css"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.css.49233EE15B30A83E6C33BD55AB18309BA5C8B8B3B55998F671D5A41D14713E0C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.css.49233ee15b30a83e6c33bd55ab18309ba5c8b8b3b55998f671d5a41d14713e0c")) returned 1 [0121.614] GetProcessHeap () returned 0x4c0000 [0121.614] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0121.614] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0121.647] WriteFile (in: hFile=0x1ac, lpBuffer=0x3b80124, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0) returned 0x0 [0121.649] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0121.665] ReadFile (in: hFile=0x198, lpBuffer=0x3b580d4, nNumberOfBytesToRead=0x1a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0) returned 1 [0121.665] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0121.672] WriteFile (in: hFile=0x198, lpBuffer=0x3b580d4, nNumberOfBytesToWrite=0x1a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0) returned 0x0 [0121.673] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0121.702] ReadFile (in: hFile=0x1b8, lpBuffer=0x3ba8174, nNumberOfBytesToRead=0x800, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140) returned 1 [0121.703] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0121.707] WriteFile (in: hFile=0x1b8, lpBuffer=0x3ba8174, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140) returned 0x0 [0121.708] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0121.733] ReadFile (in: hFile=0x17c, lpBuffer=0x3c9212c, nNumberOfBytesToRead=0x1600, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8) returned 1 [0121.733] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0121.741] WriteFile (in: hFile=0x17c, lpBuffer=0x3c9212c, nNumberOfBytesToWrite=0x1600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8) returned 0x0 [0121.742] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0121.902] WriteFile (in: hFile=0x1c8, lpBuffer=0x3da917c*, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d89148 | out: lpBuffer=0x3da917c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d89148) returned 1 [0121.903] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0122.054] WriteFile (in: hFile=0x1c4, lpBuffer=0x3c4008c*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c20058 | out: lpBuffer=0x3c4008c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c20058) returned 1 [0122.055] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0122.072] CloseHandle (hObject=0x1c4) returned 1 [0122.074] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_common.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_common.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_common.js.97B65B77281D2972040851BDE31D50CE69345C14655C5BA580DABEF398C3C953" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_common.js.97b65b77281d2972040851bde31d50ce69345c14655c5ba580dabef398c3c953")) returned 1 [0122.074] GetProcessHeap () returned 0x4c0000 [0122.074] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0122.075] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0122.080] CloseHandle (hObject=0x1b4) returned 1 [0122.081] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html.768D60F622CF2E8C26B1FD090A2863DEC3F5BB728EE00DF64AE9E453845E6A33" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html.768d60f622cf2e8c26b1fd090a2863dec3f5bb728ee00df64ae9e453845e6a33")) returned 1 [0122.082] GetProcessHeap () returned 0x4c0000 [0122.082] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x564b40 | out: hHeap=0x4c0000) returned 1 [0122.082] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0122.329] CloseHandle (hObject=0x178) returned 1 [0122.378] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.js.69E0E03D0D33832B76FA63B7FB1A22A4EEC7EAFDA8989732C098120D6012A82D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.js.69e0e03d0d33832b76fa63b7fb1a22a4eec7eafda8989732c098120d6012a82d")) returned 1 [0122.414] GetProcessHeap () returned 0x4c0000 [0122.414] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ce9008 | out: hHeap=0x4c0000) returned 1 [0122.414] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0122.522] ReadFile (in: hFile=0x1c8, lpBuffer=0x3d0903c, nNumberOfBytesToRead=0x5200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ce9008 | out: lpBuffer=0x3d0903c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ce9008) returned 1 [0122.522] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0123.022] WriteFile (in: hFile=0x1ac, lpBuffer=0x3da917c, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d89148 | out: lpBuffer=0x3da917c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d89148) returned 0x0 [0123.024] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0123.035] CloseHandle (hObject=0x1ac) returned 1 [0123.037] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\messages.json.40A8EF183F1DB068A2A0819C8842F47D0FB6B7D709AB9E5028C2179EDE35FF4B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\messages.json.40a8ef183f1db068a2a0819c8842f47d0fb6b7d709ab9e5028c2179ede35ff4b")) returned 1 [0123.038] GetProcessHeap () returned 0x4c0000 [0123.038] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3d89148 | out: hHeap=0x4c0000) returned 1 [0123.038] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0123.064] CloseHandle (hObject=0x1b0) returned 1 [0123.066] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\messages.json.39047C400144D8DED4A7BA306CC3CE7743DADE84EEB12AA1E9B5A636D2C29E3F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\messages.json.39047c400144d8ded4a7ba306cc3ce7743dade84eeb12aa1e9b5a636d2c29e3f")) returned 1 [0123.068] GetProcessHeap () returned 0x4c0000 [0123.068] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c720f8 | out: hHeap=0x4c0000) returned 1 [0123.068] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0123.074] CloseHandle (hObject=0x1b4) returned 1 [0123.076] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\messages.json.84076EF31E20B6C3AE9B2200742E20101EDB118E543594B45E448BE5C3B4BF58" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\messages.json.84076ef31e20b6c3ae9b2200742e20101edb118e543594b45e448be5c3b4bf58")) returned 1 [0123.077] GetProcessHeap () returned 0x4c0000 [0123.077] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3db1198 | out: hHeap=0x4c0000) returned 1 [0123.077] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0123.081] ReadFile (in: hFile=0x1ac, lpBuffer=0x3da917c, nNumberOfBytesToRead=0x3e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d89148 | out: lpBuffer=0x3da917c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d89148) returned 1 [0123.081] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0123.160] ReadFile (in: hFile=0x1b4, lpBuffer=0x3dd11cc, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db1198 | out: lpBuffer=0x3dd11cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db1198) returned 1 [0123.160] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0123.224] ReadFile (in: hFile=0x1b0, lpBuffer=0x3c9212c, nNumberOfBytesToRead=0x3e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8) returned 1 [0123.224] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0123.307] ReadFile (in: hFile=0x1e4, lpBuffer=0x40d816c, nNumberOfBytesToRead=0x3e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x40b8138 | out: lpBuffer=0x40d816c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x40b8138) returned 1 [0123.307] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0123.347] CloseHandle (hObject=0x1dc) returned 1 [0123.709] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\messages.json.6799682F5A68C1D0A53ECD6C0CBE9E5784876CF9B6324835A17A252E01D54978" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\messages.json.6799682f5a68c1d0a53ecd6c0cbe9e5784876cf9b6324835a17a252e01d54978")) returned 1 [0123.710] GetProcessHeap () returned 0x4c0000 [0123.710] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x4068098 | out: hHeap=0x4c0000) returned 1 [0123.714] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0123.840] WriteFile (in: hFile=0x1dc, lpBuffer=0x55cb24, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0) returned 0x0 [0124.686] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0124.686] CloseHandle (hObject=0x1bc) returned 1 [0124.700] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\messages.json.D559114FF8FEDD5A6DB1E9B3078C037F64B87FAAD39DE367391BAEA2A119D50E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\messages.json.d559114ff8fedd5a6db1e9b3078c037f64b87faad39de367391baea2a119d50e")) returned 1 [0124.732] GetProcessHeap () returned 0x4c0000 [0124.732] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0124.740] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0124.740] CloseHandle (hObject=0x1e4) returned 1 [0124.744] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\messages.json.FDA1FB72B5415B65C3A6A21B6FF8EF64A9E22B2CB9470C20FD56BFCAAD32245D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\messages.json.fda1fb72b5415b65c3a6a21b6ff8ef64a9e22b2cb9470c20fd56bfcaad32245d")) returned 1 [0124.749] GetProcessHeap () returned 0x4c0000 [0124.749] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x40b8138 | out: hHeap=0x4c0000) returned 1 [0124.750] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0125.747] WriteFile (in: hFile=0x1d4, lpBuffer=0x3b580d4, nNumberOfBytesToWrite=0x3e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0) returned 0x0 [0125.753] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0126.246] WriteFile (in: hFile=0x1dc, lpBuffer=0x3cba17c, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c9a148 | out: lpBuffer=0x3cba17c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c9a148) returned 0x0 [0126.248] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0126.275] ReadFile (in: hFile=0x1e4, lpBuffer=0x3c9212c, nNumberOfBytesToRead=0x4800, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8) returned 1 [0126.275] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0126.298] WriteFile (in: hFile=0x1a0, lpBuffer=0x3b580d4, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0) returned 0x0 [0126.299] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0126.360] CloseHandle (hObject=0x1e4) returned 1 [0126.361] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\messages.json.0B679323A4F43234175197A29656B13D754D53192EFE008394194696D1E96E1C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\messages.json.0b679323a4f43234175197a29656b13d754d53192efe008394194696d1e96e1c")) returned 1 [0126.362] GetProcessHeap () returned 0x4c0000 [0126.362] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c720f8 | out: hHeap=0x4c0000) returned 1 [0126.362] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0126.370] ReadFile (in: hFile=0x1d4, lpBuffer=0x55cb24, nNumberOfBytesToRead=0x3e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0) returned 1 [0126.370] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0126.422] ReadFile (in: hFile=0x1e4, lpBuffer=0x3c9212c, nNumberOfBytesToRead=0x5600, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8) returned 1 [0126.423] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0126.484] WriteFile (in: hFile=0x16c, lpBuffer=0x584b74, nNumberOfBytesToWrite=0x5400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40) returned 0x0 [0126.489] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0126.499] ReadFile (in: hFile=0x1d0, lpBuffer=0x3ce21cc, nNumberOfBytesToRead=0x4e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3cc2198 | out: lpBuffer=0x3ce21cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3cc2198) returned 1 [0126.499] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0126.529] WriteFile (in: hFile=0x1d0, lpBuffer=0x3ce21cc, nNumberOfBytesToWrite=0x4e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3cc2198 | out: lpBuffer=0x3ce21cc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3cc2198) returned 0x0 [0126.530] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0126.541] ReadFile (in: hFile=0x1c8, lpBuffer=0x3d0a21c, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3cea1e8 | out: lpBuffer=0x3d0a21c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3cea1e8) returned 1 [0126.541] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0126.555] WriteFile (in: hFile=0x1c8, lpBuffer=0x3d0a21c, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3cea1e8 | out: lpBuffer=0x3d0a21c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3cea1e8) returned 0x0 [0126.556] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0126.654] ReadFile (in: hFile=0x1d8, lpBuffer=0x3d3226c, nNumberOfBytesToRead=0x4800, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d12238 | out: lpBuffer=0x3d3226c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d12238) returned 1 [0126.654] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0126.699] CloseHandle (hObject=0x1ac) returned 1 [0126.758] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\messages.json.1BF5ECB8A9BBE4A4E67481C9297C7124D6ABD6C75FC2B2EB1C14502C9C1FFE6F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\messages.json.1bf5ecb8a9bbe4a4e67481c9297c7124d6abd6c75fc2b2eb1c14502c9c1ffe6f")) returned 1 [0126.782] GetProcessHeap () returned 0x4c0000 [0126.782] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c480a8 | out: hHeap=0x4c0000) returned 1 [0126.783] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0126.808] WriteFile (in: hFile=0x17c, lpBuffer=0x3daa35c, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d8a328 | out: lpBuffer=0x3daa35c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d8a328) returned 0x0 [0126.809] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0126.999] WriteFile (in: hFile=0x1d0, lpBuffer=0x584b74, nNumberOfBytesToWrite=0x3e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40) returned 0x0 [0127.014] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0127.060] ReadFile (in: hFile=0x194, lpBuffer=0x3be8114, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0) returned 1 [0127.061] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0127.092] ReadFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0127.093] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0127.169] ReadFile (in: hFile=0x18c, lpBuffer=0x3daa35c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d8a328 | out: lpBuffer=0x3daa35c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d8a328) returned 1 [0127.169] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0127.170] CloseHandle (hObject=0x1c0) returned 1 [0127.171] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\computed_hashes.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\computed_hashes.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\computed_hashes.json.863E773C89E5DF78AC80E0BB05D47C1462B944B0E53CBD3A52F3EFF923451C03" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\computed_hashes.json.863e773c89e5df78ac80e0bb05d47c1462b944b0e53cbd3a52f3eff923451c03")) returned 1 [0127.172] GetProcessHeap () returned 0x4c0000 [0127.172] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3d622d8 | out: hHeap=0x4c0000) returned 1 [0127.173] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0127.212] WriteFile (in: hFile=0x194, lpBuffer=0x3be8114, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0) returned 0x0 [0127.217] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0127.522] WriteFile (in: hFile=0x1c0, lpBuffer=0x3c680dc, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c480a8 | out: lpBuffer=0x3c680dc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c480a8) returned 0x0 [0127.522] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0127.549] WriteFile (in: hFile=0x178, lpBuffer=0x3b80124*, nNumberOfBytesToWrite=0x1400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0) returned 1 [0127.550] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0127.598] CloseHandle (hObject=0x178) returned 1 [0127.599] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Preferences" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\preferences"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Preferences.00E4A8717BF34894EE9A27E90C2665D216472CFB59A05CFE00D5CEB08752B405" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\preferences.00e4a8717bf34894ee9a27e90c2665d216472cfb59a05cfe00d5ceb08752b405")) returned 1 [0127.600] GetProcessHeap () returned 0x4c0000 [0127.600] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0127.600] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0127.720] WriteFile (in: hFile=0x18c, lpBuffer=0x3b80124, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0) returned 0x0 [0127.722] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0127.737] ReadFile (in: hFile=0x178, lpBuffer=0x3ba8174, nNumberOfBytesToRead=0x3c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140) returned 1 [0127.738] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0127.934] WriteFile (in: hFile=0x178, lpBuffer=0x3ba8174, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140) returned 0x0 [0128.503] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0128.554] ReadFile (in: hFile=0x17c, lpBuffer=0x3c4008c, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c20058 | out: lpBuffer=0x3c4008c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c20058) returned 1 [0128.555] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0128.594] ReadFile (in: hFile=0x1d4, lpBuffer=0x522abc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0128.595] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0128.625] ReadFile (in: hFile=0x1d0, lpBuffer=0x3be8114, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0) returned 1 [0128.639] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0128.670] WriteFile (in: hFile=0x17c, lpBuffer=0x3c4008c, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c20058 | out: lpBuffer=0x3c4008c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c20058) returned 0x0 [0128.671] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0128.684] CloseHandle (hObject=0x1c0) returned 1 [0128.686] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Shortcuts" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\shortcuts"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Shortcuts.161C34F38ED442673617CB5511B976277D112594D756F62BB7264EF40544B876" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\shortcuts.161c34f38ed442673617cb5511b976277d112594d756f62bb7264ef40544b876")) returned 1 [0128.686] GetProcessHeap () returned 0x4c0000 [0128.687] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c480a8 | out: hHeap=0x4c0000) returned 1 [0128.687] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0128.689] ReadFile (in: hFile=0x1b8, lpBuffer=0x56cb2c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x54caf8 | out: lpBuffer=0x56cb2c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x54caf8) returned 1 [0128.690] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0128.718] WriteFile (in: hFile=0x1b8, lpBuffer=0x56cb2c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54caf8 | out: lpBuffer=0x56cb2c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54caf8) returned 0x0 [0129.132] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0129.133] CloseHandle (hObject=0x178) returned 1 [0129.137] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\QuotaManager" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\quotamanager"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\QuotaManager.F1E12352AC4A2B28E2392603AE114CDE8A6570C3B72C165FE8CFE25E1BC7E834" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\quotamanager.f1e12352ac4a2b28e2392603ae114cde8a6570c3b72c165fe8cfe25e1bc7e834")) returned 1 [0129.139] GetProcessHeap () returned 0x4c0000 [0129.139] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b88140 | out: hHeap=0x4c0000) returned 1 [0129.142] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0129.680] WriteFile (in: hFile=0x17c, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x1c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0129.850] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0129.852] CloseHandle (hObject=0x17c) returned 1 [0129.856] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Cookies" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\safe browsing cookies"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Cookies.5D4A59FADC7107F159F3261076DDC84950C0858003CDDC78DC086899C6ABAA06" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\safe browsing cookies.5d4a59fadc7107f159f3261076ddc84950c0858003cddc78dc086899c6abaa06")) returned 1 [0129.859] GetProcessHeap () returned 0x4c0000 [0129.859] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0129.862] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0130.644] WriteFile (in: hFile=0x17c, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0130.660] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0131.158] CloseHandle (hObject=0x17c) returned 1 [0131.162] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\last active\\recoverystore.{aae6bf5c-4991-11e7-8e2b-c43dc7584a00}.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat.671D1460DE983DCADB51B4F15EF19E73FB4EE00F61C571E72096F07598B0A544" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\last active\\recoverystore.{aae6bf5c-4991-11e7-8e2b-c43dc7584a00}.dat.671d1460de983dcadb51b4f15ef19e73fb4ee00f61c571e72096f07598b0a544")) returned 1 [0131.163] GetProcessHeap () returned 0x4c0000 [0131.163] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0131.163] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0131.188] ReadFile (in: hFile=0x17c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x1200, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0131.195] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0131.197] CloseHandle (hObject=0x17c) returned 1 [0131.198] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\last active\\{4bd650f0-c8f9-11e7-b5bf-c43dc7584a00}.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat.2B3806B352E470E467ABB8ED58E2C23130684C310734A17AC23A8FC4C15C1F16" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\last active\\{4bd650f0-c8f9-11e7-b5bf-c43dc7584a00}.dat.2b3806b352e470e467abb8ed58e2c23130684c310734a17ac23a8fc4c15c1f16")) returned 1 [0131.199] GetProcessHeap () returned 0x4c0000 [0131.199] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0131.199] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0131.221] ReadFile (in: hFile=0x17c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x1200, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0131.222] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0131.226] WriteFile (in: hFile=0x17c, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x1200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0131.228] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0131.228] CloseHandle (hObject=0x17c) returned 1 [0131.229] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\last active\\{69512155-c8f9-11e7-b5bf-c43dc7584a00}.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat.DFA34DE61D960592D576B69F610A7BAA8082A4444B0E77C2F9A37A6563139E15" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\last active\\{69512155-c8f9-11e7-b5bf-c43dc7584a00}.dat.dfa34de61d960592d576b69f610a7baa8082a4444b0e77c2f9a37a6563139e15")) returned 1 [0131.230] GetProcessHeap () returned 0x4c0000 [0131.230] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0131.230] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0131.330] ReadFile (in: hFile=0x174, lpBuffer=0x3be8114, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0) returned 1 [0131.330] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0131.359] WriteFile (in: hFile=0x174, lpBuffer=0x3be8114, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0) returned 0x0 [0131.361] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0131.417] CloseHandle (hObject=0x174) returned 1 [0131.418] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\currentdatabase_372.wmdb"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb.8F62DFA2B1B79160930CBD0B66D21D95FD0CCC37576FB0A9C22F5DBB6AE7E03F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\currentdatabase_372.wmdb.8f62dfa2b1b79160930cbd0b66d21d95fd0ccc37576fb0a9c22f5dbb6ae7e03f")) returned 1 [0131.419] GetProcessHeap () returned 0x4c0000 [0131.419] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0131.419] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0131.433] ReadFile (in: hFile=0x1a8, lpBuffer=0x55cb24, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0) returned 1 [0131.433] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0131.435] WriteFile (in: hFile=0x1a8, lpBuffer=0x55cb24, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0) returned 0x0 [0131.437] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0131.497] ReadFile (in: hFile=0x174, lpBuffer=0x3be8114, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0) returned 1 [0131.498] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0131.500] WriteFile (in: hFile=0x174, lpBuffer=0x3be8114, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0) returned 0x0 [0131.500] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0131.631] WriteFile (in: hFile=0x1a8, lpBuffer=0x55cb24*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0) returned 1 [0131.632] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0131.636] CloseHandle (hObject=0x18c) returned 1 [0131.640] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\07_TV_recorded_in_the_last_week.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\07_tv_recorded_in_the_last_week.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\07_TV_recorded_in_the_last_week.wpl.FD36DA4164643278772392EBF8CB384B29FB620BE842241C97E4E2AE4AF4DE13" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\07_tv_recorded_in_the_last_week.wpl.fd36da4164643278772392ebf8cb384b29fb620be842241c97e4e2ae4af4de13")) returned 1 [0131.641] GetProcessHeap () returned 0x4c0000 [0131.641] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0131.641] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0131.691] ReadFile (in: hFile=0x1a8, lpBuffer=0x55cb24, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0) returned 1 [0131.693] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0131.695] WriteFile (in: hFile=0x1a8, lpBuffer=0x55cb24, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0) returned 0x0 [0131.696] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0131.717] ReadFile (in: hFile=0x178, lpBuffer=0x3b80124, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0) returned 1 [0131.717] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0131.719] WriteFile (in: hFile=0x178, lpBuffer=0x3b80124*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0) returned 1 [0131.719] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0131.720] CloseHandle (hObject=0x178) returned 1 [0131.721] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\10_All_Music.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\10_all_music.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\10_All_Music.wpl.9ED9F1DE5D4186588464732C9CA1F882749F1942001B69B8C5E51A68D1D0021F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\10_all_music.wpl.9ed9f1de5d4186588464732c9ca1f882749f1942001b69b8c5e51a68d1d0021f")) returned 1 [0131.722] GetProcessHeap () returned 0x4c0000 [0131.722] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0131.722] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0131.774] ReadFile (in: hFile=0x178, lpBuffer=0x3b80124, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0) returned 1 [0131.776] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0131.798] ReadFile (in: hFile=0x1d8, lpBuffer=0x3ba8174, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140) returned 1 [0131.801] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0131.835] CloseHandle (hObject=0x1d4) returned 1 [0131.844] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\05_Pictures_taken_in_the_last_month.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\05_pictures_taken_in_the_last_month.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\05_Pictures_taken_in_the_last_month.wpl.E26D1936FBE95B601EBFACADF004B021A99728320FC3FD8529C8BC3C2FF61A39" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\05_pictures_taken_in_the_last_month.wpl.e26d1936fbe95b601ebfacadf004b021a99728320fc3fd8529c8bc3c2ff61a39")) returned 1 [0131.846] GetProcessHeap () returned 0x4c0000 [0131.846] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0131.847] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0131.848] CloseHandle (hObject=0x174) returned 1 [0131.849] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\02_Music_added_in_the_last_month.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\02_music_added_in_the_last_month.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\02_Music_added_in_the_last_month.wpl.0C89AA4A4FE4922D207745E9F26E828B4B46DE98536BEB69815A661C35E7A473" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\02_music_added_in_the_last_month.wpl.0c89aa4a4fe4922d207745e9f26e828b4b46de98536beb69815a661c35e7a473")) returned 1 [0131.851] GetProcessHeap () returned 0x4c0000 [0131.851] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0131.854] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0131.857] CloseHandle (hObject=0x18c) returned 1 [0131.858] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\09_Music_played_the_most.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\09_music_played_the_most.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\09_Music_played_the_most.wpl.DC5AC93AAE13539413104DCAD7C769E87017DB36C0D448614E5D2303DA905565" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\09_music_played_the_most.wpl.dc5ac93aae13539413104dcad7c769e87017db36c0d448614e5d2303da905565")) returned 1 [0131.859] GetProcessHeap () returned 0x4c0000 [0131.859] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0131.859] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0131.859] CloseHandle (hObject=0x178) returned 1 [0131.861] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\11_All_Pictures.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\11_all_pictures.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\11_All_Pictures.wpl.95A01E779D381A2547383175BC4737B235EE8C580AF912641FE577B06FAC6D3F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\11_all_pictures.wpl.95a01e779d381a2547383175bc4737b235ee8c580af912641fe577b06fac6d3f")) returned 1 [0131.994] GetProcessHeap () returned 0x4c0000 [0131.994] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0131.996] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0132.001] CloseHandle (hObject=0x174) returned 1 [0132.003] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\04_music_played_in_the_last_month.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl.B5553D2DC379376B2DEC232769165C04E60FA58DED13D0562D860F6DEEAEAA66" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\04_music_played_in_the_last_month.wpl.b5553d2dc379376b2dec232769165c04e60fa58ded13d0562d860f6deeaeaa66")) returned 1 [0132.005] GetProcessHeap () returned 0x4c0000 [0132.005] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0132.008] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0132.114] ReadFile (in: hFile=0x174, lpBuffer=0x3be8114, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0) returned 1 [0132.118] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0132.147] WriteFile (in: hFile=0x18c, lpBuffer=0x3c480cc*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098) returned 1 [0132.150] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0132.256] WriteFile (in: hFile=0x178, lpBuffer=0x3c480cc*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098) returned 1 [0132.257] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0132.587] WriteFile (in: hFile=0x17c, lpBuffer=0x3be8114*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0) returned 1 [0132.589] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0132.760] WriteFile (in: hFile=0x1d8, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0132.761] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0132.762] CloseHandle (hObject=0x1d8) returned 1 [0132.763] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\thumbs.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\visio\\thumbs.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\thumbs.dat.FBFCD6FFEF8FC410A9B2CE288DF1DE9BE51AF75A15F41652F4397E5807F2BF67" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\visio\\thumbs.dat.fbfcd6ffef8fc410a9b2ce288df1de9be51af75a15f41652f4397e5807f2bf67")) returned 1 [0132.766] GetProcessHeap () returned 0x4c0000 [0132.766] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0132.766] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0132.809] ReadFile (in: hFile=0x17c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0132.813] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0132.813] WriteFile (in: hFile=0x1d0, lpBuffer=0x3be8114*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0) returned 1 [0132.835] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0133.797] WriteFile (in: hFile=0x184, lpBuffer=0x55cb24*, nNumberOfBytesToWrite=0x1200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0) returned 1 [0133.798] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0133.801] CloseHandle (hObject=0x184) returned 1 [0133.802] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\peacock.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg.9FD294168F9438D3DF77D30E3E2FAECC4CAF229ED64A6B7E3CD504277E2FC164" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\peacock.jpg.9fd294168f9438d3df77d30e3e2faecc4caf229ed64a6b7e3cd504277e2fc164")) returned 1 [0133.802] GetProcessHeap () returned 0x4c0000 [0133.802] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0133.808] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0135.170] CloseHandle (hObject=0x17c) returned 1 [0135.172] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\61\\28E95d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\61\\28e95d01"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\61\\28E95d01.565DAF7FA423BB2E86C0C088C84704A576FC9C05C55473931EBF7B487B657916" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\61\\28e95d01.565daf7fa423bb2e86c0c088c84704a576fc9c05c55473931ebf7b487b657916")) returned 1 [0135.179] GetProcessHeap () returned 0x4c0000 [0135.179] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0135.179] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0135.408] WriteFile (in: hFile=0x1d4, lpBuffer=0x3c2007c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 0x0 [0135.416] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0135.524] WriteFile (in: hFile=0x174, lpBuffer=0x584b74, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40) returned 0x0 [0135.525] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0135.570] WriteFile (in: hFile=0x178, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0135.571] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0135.606] CloseHandle (hObject=0x178) returned 1 [0135.606] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\69\\885EEd01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\e\\69\\885eed01"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\69\\885EEd01.57AE41B4F20A55139DBAD756F4E62DB66F37673F9DE951A0D89FB78F45834306" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\e\\69\\885eed01.57ae41b4f20a55139dbad756f4e62db66f37673f9de951a0d89fb78f45834306")) returned 1 [0135.607] GetProcessHeap () returned 0x4c0000 [0135.608] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0135.608] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0135.721] CloseHandle (hObject=0x1d4) returned 1 [0135.723] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\E6\\9DCB7d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\c\\e6\\9dcb7d01"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\E6\\9DCB7d01.A1EDA95900CABE5043AFA746114E42CD6D86BCF91DA8BC22E82BF532D18AB070" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\c\\e6\\9dcb7d01.a1eda95900cabe5043afa746114e42cd6d86bcf91da8bc22e82bf532d18ab070")) returned 1 [0135.724] GetProcessHeap () returned 0x4c0000 [0135.724] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0135.727] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0135.749] CloseHandle (hObject=0x1b8) returned 1 [0135.750] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\F0\\ECB2Dd01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\f\\f0\\ecb2dd01"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\F0\\ECB2Dd01.FF0E1809D5837315C482E3CBBFB1AFAEA23703C00119D686FD0122EF2FC63266" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\f\\f0\\ecb2dd01.ff0e1809d5837315c482e3cbbfb1afaea23703c00119d686fd0122ef2fc63266")) returned 1 [0135.751] GetProcessHeap () returned 0x4c0000 [0135.751] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0135.752] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0136.000] WriteFile (in: hFile=0x194, lpBuffer=0x3b80124*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0) returned 1 [0136.001] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0136.002] CloseHandle (hObject=0x194) returned 1 [0136.002] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\OfflineCache\\index.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\offlinecache\\index.sqlite"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\OfflineCache\\index.sqlite.81367C7356E40A68DB1E4B2501763212644EB51A5879C8E4753BD9FF1002E767" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\offlinecache\\index.sqlite.81367c7356e40a68db1e4b2501763212644eb51a5879c8e4753bd9ff1002e767")) returned 1 [0136.003] GetProcessHeap () returned 0x4c0000 [0136.003] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0136.004] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0136.051] ReadFile (in: hFile=0x194, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0136.052] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0136.085] WriteFile (in: hFile=0x194, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0136.087] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0136.089] CloseHandle (hObject=0x194) returned 1 [0136.090] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\startupCache\\startupCache.4.little" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\startupcache\\startupcache.4.little"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\startupCache\\startupCache.4.little.50A5E72F290E6080845CC475ED858673B7E52531BF15E37E7CA1D92373E44A41" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\startupcache\\startupcache.4.little.50a5e72f290e6080845cc475ed858673b7e52531bf15e37e7ca1d92373e44a41")) returned 1 [0136.091] GetProcessHeap () returned 0x4c0000 [0136.091] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0136.093] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0136.115] ReadFile (in: hFile=0x194, lpBuffer=0x522abc, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0136.115] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0136.133] WriteFile (in: hFile=0x194, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0136.139] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0136.199] ReadFile (in: hFile=0xec, lpBuffer=0x584b74, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74*, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40) returned 1 [0136.199] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0136.262] WriteFile (in: hFile=0xec, lpBuffer=0x584b74, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40) returned 0x0 [0136.264] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0136.321] WriteFile (in: hFile=0x1a8, lpBuffer=0x3be8114, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0) returned 0x0 [0136.322] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0136.409] WriteFile (in: hFile=0x1d8, lpBuffer=0x55cb24, nNumberOfBytesToWrite=0x4800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0) returned 0x0 [0136.411] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0137.020] WriteFile (in: hFile=0x194, lpBuffer=0x3c480cc, nNumberOfBytesToWrite=0x5e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098) returned 0x0 [0137.573] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0137.591] WriteFile (in: hFile=0x184, lpBuffer=0x3cba17c*, nNumberOfBytesToWrite=0x3800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c9a148 | out: lpBuffer=0x3cba17c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c9a148) returned 1 [0137.697] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0137.697] CloseHandle (hObject=0x1a8) returned 1 [0137.703] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\KxRTMsLzTS0-9.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\kxrtmslzts0-9.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\KxRTMsLzTS0-9.gif.431CF89B48E7D134A16171D2F2AD7C35B0CB2C1158E11374E5F575E94151422B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\kxrtmslzts0-9.gif.431cf89b48e7d134a16171d2f2ad7c35b0cb2c1158e11374e5f575e94151422b")) returned 1 [0137.731] GetProcessHeap () returned 0x4c0000 [0137.731] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0137.734] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0137.734] CloseHandle (hObject=0x154) returned 1 [0137.736] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\PBWL.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\pbwl.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\PBWL.bmp.228BC458051224D8517B15E9AC94716E53004352F11F3B65F8A47BC10D8B890B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\pbwl.bmp.228bc458051224d8517b15e9ac94716e53004352f11f3b65f8a47bc10d8b890b")) returned 1 [0137.752] GetProcessHeap () returned 0x4c0000 [0137.752] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3cc2198 | out: hHeap=0x4c0000) returned 1 [0137.752] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0153.437] WriteFile (in: hFile=0x184, lpBuffer=0x3b580d4*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0) returned 1 [0153.438] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0153.488] CloseHandle (hObject=0x18c) returned 1 [0153.489] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\-zBSgGuwMeGChxChQZPn.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\-zbsgguwmegchxchqzpn.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\-zBSgGuwMeGChxChQZPn.m4a.314076CE974E99A1E33CFD17D26FBF27E22D3326D50686812294EFDC000D7A7F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\-zbsgguwmegchxchqzpn.m4a.314076ce974e99a1e33cfd17d26fbf27e22d3326d50686812294efdc000d7a7f")) returned 1 [0153.490] GetProcessHeap () returned 0x4c0000 [0153.490] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x553b30 | out: hHeap=0x4c0000) returned 1 [0153.491] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0153.526] CloseHandle (hObject=0x124) returned 1 [0153.527] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\6j5sFZq4Osz.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\6j5sfzq4osz.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\6j5sFZq4Osz.wav.F20DF016C69C6D749C6163D3527173DDD5B88D9CC60B7F68717C6C364FA11560" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\6j5sfzq4osz.wav.f20df016c69c6d749c6163d3527173ddd5b88d9cc60b7f68717c6c364fa11560")) returned 1 [0153.529] GetProcessHeap () returned 0x4c0000 [0153.529] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0153.529] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0153.559] CloseHandle (hObject=0x19c) returned 1 [0153.560] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\agshLti0U31roviK.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\agshlti0u31rovik.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\agshLti0U31roviK.m4a.5245E51A8CF36C371057CC9EED274806248BD5949C3F04B3C557DE8EE3FD5724" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\agshlti0u31rovik.m4a.5245e51a8cf36c371057cc9eed274806248bd5949c3f04b3c557de8ee3fd5724")) returned 1 [0153.561] GetProcessHeap () returned 0x4c0000 [0153.561] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0153.561] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0153.713] CloseHandle (hObject=0x184) returned 1 [0153.714] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\bojzw00wTqXzntf5.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\bojzw00wtqxzntf5.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\bojzw00wTqXzntf5.mp3.58D5068B0FF76F99546EB9C23A5FE30DBF8164DD594141D6AA478A587151CC01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\bojzw00wtqxzntf5.mp3.58d5068b0ff76f99546eb9c23a5fe30dbf8164dd594141d6aa478a587151cc01")) returned 1 [0153.716] GetProcessHeap () returned 0x4c0000 [0153.716] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0153.716] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0153.785] WriteFile (in: hFile=0x184, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0153.787] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0153.890] CloseHandle (hObject=0x184) returned 1 [0153.892] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\cDO7YnHJe.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\cdo7ynhje.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\cDO7YnHJe.m4a.FF4A8AF6D0C51F55DB10AEC119AFEEE5F366DECE69DB0DE097174C2E7757C168" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\cdo7ynhje.m4a.ff4a8af6d0c51f55db10aec119afeee5f366dece69db0de097174c2e7757c168")) returned 1 [0153.897] GetProcessHeap () returned 0x4c0000 [0153.897] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0153.897] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0154.018] WriteFile (in: hFile=0x184, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0154.022] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0154.096] WriteFile (in: hFile=0x184, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0154.099] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0154.166] CloseHandle (hObject=0x184) returned 1 [0154.166] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\imlf6Qkfuo21Ta7GuS2.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\imlf6qkfuo21ta7gus2.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\imlf6Qkfuo21Ta7GuS2.mp3.068D17DDF99FD45205B84D913D31F8FB651376ACCEAE3F6B7D89458EFB7C973B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\imlf6qkfuo21ta7gus2.mp3.068d17ddf99fd45205b84d913d31f8fb651376acceae3f6b7d89458efb7c973b")) returned 1 [0154.168] GetProcessHeap () returned 0x4c0000 [0154.168] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0154.168] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0154.210] CloseHandle (hObject=0x184) returned 1 [0154.211] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\itwD4RV5.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\itwd4rv5.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\itwD4RV5.wav.32A6E9248E4A76228B6965495283CD1D29AC6805A6F7AC737A814D33B3F1B72E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\itwd4rv5.wav.32a6e9248e4a76228b6965495283cd1d29ac6805a6f7ac737a814d33b3f1b72e")) returned 1 [0154.212] GetProcessHeap () returned 0x4c0000 [0154.212] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0154.212] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0154.266] CloseHandle (hObject=0x184) returned 1 [0154.267] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\iUZFVgJS1_7PJ.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\iuzfvgjs1_7pj.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\iUZFVgJS1_7PJ.wav.2ECC87FE0243638F8A27C3C38DE590B68C0BE4FDEED9EF3D6FFF4FBC2C0BF40B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\iuzfvgjs1_7pj.wav.2ecc87fe0243638f8a27c3c38de590b68c0be4fdeed9ef3d6fff4fbc2c0bf40b")) returned 1 [0154.268] GetProcessHeap () returned 0x4c0000 [0154.268] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0154.268] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0154.300] ReadFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0154.300] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0154.376] ReadFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0154.416] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0154.449] ReadFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToRead=0x7e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0154.449] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0154.516] ReadFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToRead=0x800, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0154.524] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0154.551] ReadFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToRead=0x6400, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0154.552] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0154.617] ReadFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0154.617] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0154.661] CloseHandle (hObject=0x184) returned 1 [0154.662] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\lk3_IftMtfnr7.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\lk3_iftmtfnr7.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\lk3_IftMtfnr7.wav.3818AE4D31C8B3E661DC3578DE10EF9903C7895A23955CA710A52FB10F122747" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\lk3_iftmtfnr7.wav.3818ae4d31c8b3e661dc3578de10ef9903c7895a23955ca710a52fb10f122747")) returned 1 [0154.664] GetProcessHeap () returned 0x4c0000 [0154.664] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0154.664] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0154.694] ReadFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0154.740] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0154.760] ReadFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0154.761] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0154.843] WriteFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0154.863] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0154.883] ReadFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToRead=0xc00, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0154.883] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0154.912] ReadFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0154.913] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0154.980] ReadFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToRead=0x3600, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0154.981] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0155.031] ReadFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0155.084] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0155.103] ReadFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToRead=0x3a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0155.103] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0155.120] CloseHandle (hObject=0x184) returned 1 [0155.120] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UNnKJphG57hMozy.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\unnkjphg57hmozy.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UNnKJphG57hMozy.m4a.EE52E067AE6BEC02DAE71AA12D27B938FEC42FDA24381F30D4939B3B17ADBC74" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\unnkjphg57hmozy.m4a.ee52e067ae6bec02dae71aa12d27b938fec42fda24381f30d4939b3b17adbc74")) returned 1 [0155.122] GetProcessHeap () returned 0x4c0000 [0155.122] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0155.122] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0155.141] ReadFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0155.141] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0155.205] ReadFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0155.205] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0155.355] ReadFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0155.355] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0155.453] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0155.453] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0155.540] ReadFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0155.541] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0155.615] ReadFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0155.616] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0155.687] ReadFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0155.688] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0155.761] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0155.761] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0155.857] ReadFile (in: hFile=0x19c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x4e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0155.882] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0155.908] CloseHandle (hObject=0x19c) returned 1 [0155.909] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\d8yr0xGA.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\gam6ubn\\d8yr0xga.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\d8yr0xGA.png.A6C265B3CF5732D71875F7F3CBBA61C5511C92E24F844CAB9764083479465B76" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\gam6ubn\\d8yr0xga.png.a6c265b3cf5732d71875f7f3cbba61c5511c92e24f844cab9764083479465b76")) returned 1 [0155.911] GetProcessHeap () returned 0x4c0000 [0155.911] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0155.911] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0155.916] ReadFile (in: hFile=0x124, lpBuffer=0x54bb14, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0155.916] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0155.992] ReadFile (in: hFile=0x124, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0155.992] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0156.043] ReadFile (in: hFile=0x124, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0156.043] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0156.096] ReadFile (in: hFile=0x124, lpBuffer=0x522abc, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0156.096] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0156.145] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0156.145] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0156.212] ReadFile (in: hFile=0x19c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0156.212] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0156.274] WriteFile (in: hFile=0x18c, lpBuffer=0x54bb14, nNumberOfBytesToWrite=0xc00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 0x0 [0156.278] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0156.307] ReadFile (in: hFile=0x18c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0156.308] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0156.336] WriteFile (in: hFile=0x18c, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0156.340] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0156.370] ReadFile (in: hFile=0x18c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0156.371] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0156.455] CloseHandle (hObject=0x19c) returned 1 [0156.456] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\9kasv8v8KYbh-7.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\p8vnb3ngvtyiwbup\\dmzhpx3 2df4pzbw\\9kasv8v8kybh-7.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\9kasv8v8KYbh-7.jpg.27861DA6F5EC003E5D6DD3D619CB07A2190AD5EA01B5E72F72F7E1D60878BC26" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\p8vnb3ngvtyiwbup\\dmzhpx3 2df4pzbw\\9kasv8v8kybh-7.jpg.27861da6f5ec003e5d6dd3d619cb07a2190ad5ea01b5e72f72f7e1d60878bc26")) returned 1 [0156.458] GetProcessHeap () returned 0x4c0000 [0156.458] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0156.458] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0156.485] ReadFile (in: hFile=0x19c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0156.485] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0156.537] CloseHandle (hObject=0x19c) returned 1 [0156.538] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\fUGm5.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\p8vnb3ngvtyiwbup\\dmzhpx3 2df4pzbw\\fugm5.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\fUGm5.jpg.BD0C50099794FCC319DC36450FA9C819A599CBA2D513C086B6506AA1A4267A0B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\p8vnb3ngvtyiwbup\\dmzhpx3 2df4pzbw\\fugm5.jpg.bd0c50099794fcc319dc36450fa9c819a599cba2d513c086b6506aa1a4267a0b")) returned 1 [0156.539] GetProcessHeap () returned 0x4c0000 [0156.539] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0156.539] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0156.564] ReadFile (in: hFile=0x19c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0156.564] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0156.627] ReadFile (in: hFile=0x19c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0156.673] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0156.725] WriteFile (in: hFile=0x19c, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0156.729] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0156.757] ReadFile (in: hFile=0x19c, lpBuffer=0x522abc, nNumberOfBytesToRead=0xc00, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0156.757] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0156.799] ReadFile (in: hFile=0x19c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0156.800] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0156.875] ReadFile (in: hFile=0x19c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0156.876] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0156.924] CloseHandle (hObject=0x19c) returned 1 [0156.925] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\5WjE.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\p8vnb3ngvtyiwbup\\ih7c09lxjcnh0uwz\\5wje.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\5WjE.gif.6E2E23AD41D15A46535ED1B65E1BA0850AAA8B29B535413090991FA59D46F355" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\p8vnb3ngvtyiwbup\\ih7c09lxjcnh0uwz\\5wje.gif.6e2e23ad41d15a46535ed1b65e1ba0850aaa8b29b535413090991fa59d46f355")) returned 1 [0156.927] GetProcessHeap () returned 0x4c0000 [0156.927] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0156.927] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0156.954] ReadFile (in: hFile=0x1b8, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0157.001] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0157.022] ReadFile (in: hFile=0x1b8, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0157.022] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0157.050] WriteFile (in: hFile=0x1b8, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0157.055] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0157.075] ReadFile (in: hFile=0x1b8, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0157.076] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0157.132] ReadFile (in: hFile=0x1b8, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0157.132] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0157.193] ReadFile (in: hFile=0x19c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0157.193] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0157.223] WriteFile (in: hFile=0x19c, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0157.229] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0157.266] ReadFile (in: hFile=0x18c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0157.267] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0157.319] ReadFile (in: hFile=0x18c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0157.320] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0157.350] CloseHandle (hObject=0x18c) returned 1 [0157.353] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx\\iGDtzKqrWpo3SYX7lF.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\syqp4isox\\igdtzkqrwpo3syx7lf.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx\\iGDtzKqrWpo3SYX7lF.jpg.97C2BE34DE2F2DC4570B721E34090454F8E38995B6A1875C4E39ABBD8DA14967" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\syqp4isox\\igdtzkqrwpo3syx7lf.jpg.97c2be34de2f2dc4570b721e34090454f8e38995b6a1875c4e39abbd8da14967")) returned 1 [0157.355] GetProcessHeap () returned 0x4c0000 [0157.355] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0157.355] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0157.400] ReadFile (in: hFile=0x18c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0157.400] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0157.579] ReadFile (in: hFile=0x120, lpBuffer=0x54bb14, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0157.579] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0157.627] WriteFile (in: hFile=0x184, lpBuffer=0x573b64*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30) returned 1 [0157.631] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0157.692] WriteFile (in: hFile=0x124, lpBuffer=0x3c2007c*, nNumberOfBytesToWrite=0x5400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 1 [0157.695] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0157.778] CloseHandle (hObject=0x124) returned 1 [0157.779] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\56ZHFrjeUsCd-.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\56zhfrjeuscd-.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\56ZHFrjeUsCd-.swf.2C14810A3B7F212A56378D9E9A41E74578892C38E16B272152BF0E748B70BF24" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\56zhfrjeuscd-.swf.2c14810a3b7f212a56378d9e9a41e74578892c38e16b272152bf0e748b70bf24")) returned 1 [0157.781] GetProcessHeap () returned 0x4c0000 [0157.781] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0157.781] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0157.848] WriteFile (in: hFile=0x124, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0157.850] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0158.167] CloseHandle (hObject=0x124) returned 1 [0158.168] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\G215a0oz xFA.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\g215a0oz xfa.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\G215a0oz xFA.mp4.6C9852063AC19E9712C78BA6F16461B711C2F898DEA55F5FDAAA28E33B0D1045" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\g215a0oz xfa.mp4.6c9852063ac19e9712c78ba6f16461b711c2f898dea55f5fdaaa28e33b0d1045")) returned 1 [0158.170] GetProcessHeap () returned 0x4c0000 [0158.170] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0158.170] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0158.241] WriteFile (in: hFile=0x124, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0158.243] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0158.316] CloseHandle (hObject=0x124) returned 1 [0158.317] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\gPyfKQhW.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\gpyfkqhw.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\gPyfKQhW.mp4.9841D8AAFCECE86A0DF5231387E5459C08FB491B57BF2F8B015E37F7CF3B2B26" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\gpyfkqhw.mp4.9841d8aafcece86a0df5231387e5459c08fb491b57bf2f8b015e37f7cf3b2b26")) returned 1 [0158.318] GetProcessHeap () returned 0x4c0000 [0158.318] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0158.318] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0158.366] WriteFile (in: hFile=0x124, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0158.368] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0158.404] CloseHandle (hObject=0x124) returned 1 [0158.404] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\NVFJq19nmq29JD.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\nvfjq19nmq29jd.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\NVFJq19nmq29JD.mp4.32CFCDDE7AEE8163EF0316E15F41352421B8BDC9E61536E10132BD5963650E10" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\nvfjq19nmq29jd.mp4.32cfcdde7aee8163ef0316e15f41352421b8bdc9e61536e10132bd5963650e10")) returned 1 [0158.406] GetProcessHeap () returned 0x4c0000 [0158.406] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0158.406] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0158.452] WriteFile (in: hFile=0x184, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x2e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0158.454] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0158.576] CloseHandle (hObject=0x184) returned 1 [0158.576] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\hdDgWR1YXQc.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\hddgwr1yxqc.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\hdDgWR1YXQc.avi.49CE3864020C00AB40AB14F71ADDA73E16E97436EAB16E4CD41334A65E5DA714" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\hddgwr1yxqc.avi.49ce3864020c00ab40ab14f71adda73e16e97436eab16e4cd41334a65e5da714")) returned 1 [0158.578] GetProcessHeap () returned 0x4c0000 [0158.578] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0158.578] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0158.648] WriteFile (in: hFile=0x184, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0158.650] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0158.712] WriteFile (in: hFile=0x184, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x5a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0158.714] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0158.776] CloseHandle (hObject=0x184) returned 1 [0158.777] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\LQF0PGC57Cmaizj-b0q.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\lqf0pgc57cmaizj-b0q.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\LQF0PGC57Cmaizj-b0q.mkv.68BD78CAE5BFEC3B0102D97C2821CF8700782CE7BF71B6B02F5208F4E4CC4467" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\lqf0pgc57cmaizj-b0q.mkv.68bd78cae5bfec3b0102d97c2821cf8700782ce7bf71b6b02f5208f4e4cc4467")) returned 1 [0158.778] GetProcessHeap () returned 0x4c0000 [0158.778] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0158.778] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0158.808] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0158.808] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0158.885] CloseHandle (hObject=0x120) returned 1 [0159.176] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\60OhQ--5HxS9d-.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\60ohq--5hxs9d-.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\60OhQ--5HxS9d-.swf.F3A1BA38300CE9FC19B3E6E6BC4F6DB62175CA053CEC1642DFD4CF20DA06BA4A" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\60ohq--5hxs9d-.swf.f3a1ba38300ce9fc19b3e6e6bc4f6db62175ca053cec1642dfd4cf20da06ba4a")) returned 1 [0159.177] GetProcessHeap () returned 0x4c0000 [0159.177] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0159.177] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0159.251] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0159.253] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0160.857] CloseHandle (hObject=0x120) returned 1 [0160.859] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\gqnhm2NPUuV.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\gqnhm2npuuv.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\gqnhm2NPUuV.flv.8C12E2573312BBE7081D1B6739717307DC4323296CFF9BA3B8D4020956C1A375" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\gqnhm2npuuv.flv.8c12e2573312bbe7081d1b6739717307dc4323296cff9ba3b8d4020956c1a375")) returned 1 [0160.860] GetProcessHeap () returned 0x4c0000 [0160.860] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0160.861] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0160.916] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x5600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0160.918] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0161.121] CloseHandle (hObject=0x120) returned 1 [0161.122] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\lfTHoV.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\lfthov.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\lfTHoV.mp4.112AED6C6133EA072A521A7A967C2A6C6A68F4F0805B5AEB87318E4E07A6D619" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\lfthov.mp4.112aed6c6133ea072a521a7a967c2a6c6a68f4f0805b5aeb87318e4e07a6d619")) returned 1 [0161.123] GetProcessHeap () returned 0x4c0000 [0161.123] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0161.123] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0161.178] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x5800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0161.180] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0161.257] CloseHandle (hObject=0x120) returned 1 [0161.258] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\wbfLFCHP i.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\wbflfchp i.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\wbfLFCHP i.avi.47CD87A971379FB9FCF2059D852502E43FB18F0F7EB799CB153BCD1257803054" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\wbflfchp i.avi.47cd87a971379fb9fcf2059d852502e43fb18f0f7eb799cb153bcd1257803054")) returned 1 [0161.259] GetProcessHeap () returned 0x4c0000 [0161.259] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0161.259] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0161.327] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0161.329] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0161.413] CloseHandle (hObject=0x120) returned 1 [0161.414] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\XCeZ_Wt nUE.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\xcez_wt nue.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\XCeZ_Wt nUE.mp4.28AD86EBF226EBAFD7DFC9875758F4D0462B60E6473874A912512361188BA348" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\xcez_wt nue.mp4.28ad86ebf226ebafd7dfc9875758f4d0462b60e6473874a912512361188ba348")) returned 1 [0161.415] GetProcessHeap () returned 0x4c0000 [0161.415] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0161.415] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0161.519] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0161.522] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0161.609] CloseHandle (hObject=0x184) returned 1 [0161.610] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\nb_78VpPeFHfy-4w6J5.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\nb_78vppefhfy-4w6j5.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\nb_78VpPeFHfy-4w6J5.swf.6196FBD63509E8B65B7FE9DEE962AD154789E0465AC0F1412B9410F3E57D0A62" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\nb_78vppefhfy-4w6j5.swf.6196fbd63509e8b65b7fe9dee962ad154789e0465ac0f1412b9410f3e57d0a62")) returned 1 [0161.612] GetProcessHeap () returned 0x4c0000 [0161.612] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0161.612] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0161.658] WriteFile (in: hFile=0x184, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x3400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0161.660] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0161.856] WriteFile (in: hFile=0x120, lpBuffer=0x54bb14, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 0x0 [0162.634] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0162.634] CloseHandle (hObject=0x184) returned 1 [0162.638] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\qSJc NnAlOS.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\qsjc nnalos.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\qSJc NnAlOS.swf.909013B69B834C8A4ABE3BEAEC782FEF0102ECA3854581CAAB4A7442D2D4F171" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\qsjc nnalos.swf.909013b69b834c8a4abe3beaec782fef0102eca3854581caab4a7442d2d4f171")) returned 1 [0162.640] GetProcessHeap () returned 0x4c0000 [0162.640] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0162.640] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0162.675] ReadFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0162.675] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0162.726] CloseHandle (hObject=0x184) returned 1 [0162.727] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\T1l4Ssm.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\t1l4ssm.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\T1l4Ssm.swf.6EE2D0F43F9B67809D6CA93171E6C0780EA1557760AAF7047A0F4FDB3BFC8B30" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\t1l4ssm.swf.6ee2d0f43f9b67809d6ca93171e6c0780ea1557760aaf7047a0f4fdb3bfc8b30")) returned 1 [0162.728] GetProcessHeap () returned 0x4c0000 [0162.728] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0162.729] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0162.817] ReadFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0162.817] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0162.907] WriteFile (in: hFile=0x124, lpBuffer=0x573b64*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30) returned 1 [0162.909] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0163.940] WriteFile (in: hFile=0x1b8, lpBuffer=0x3c480cc, nNumberOfBytesToWrite=0x1a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098) returned 0x0 [0163.940] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0164.185] WriteFile (in: hFile=0x178, lpBuffer=0x3b700ec, nNumberOfBytesToWrite=0x7000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b500b8 | out: lpBuffer=0x3b700ec, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b500b8) returned 0x0 [0164.347] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0164.430] CloseHandle (hObject=0x1d0) returned 1 [0164.434] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\msnbc news~.feed-ms"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms.22B219B62713280035F615708B5E0B4C5EDAE0C9877B80338EBBC523135C9D1E" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\msnbc news~.feed-ms.22b219b62713280035f615708b5e0b4c5edae0c9877b80338ebbc523135c9d1e")) returned 1 [0164.435] GetProcessHeap () returned 0x4c0000 [0164.435] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b78108 | out: hHeap=0x4c0000) returned 1 [0164.436] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0164.445] ReadFile (in: hFile=0x1b8, lpBuffer=0x3c480cc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098) returned 1 [0164.445] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0164.574] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x2e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0164.574] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0164.575] CloseHandle (hObject=0x180) returned 1 [0164.703] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\microsoft at home~.feed-ms"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms.B761161DA93F7161AF142BE67741CB3680549E640C9D0934699606F3EF664C3D" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\microsoft at home~.feed-ms.b761161da93f7161af142be67741cb3680549e640c9d0934699606f3ef664c3d")) returned 1 [0164.724] GetProcessHeap () returned 0x4c0000 [0164.724] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b28068 | out: hHeap=0x4c0000) returned 1 [0164.724] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0165.140] CloseHandle (hObject=0x180) returned 1 [0165.141] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\08_video_rated_at_4_or_5_stars.wpl"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl.533BADD00854862AB5A881E76749F4AFB4FA54462DAFB1A3980AC300A003B659" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\08_video_rated_at_4_or_5_stars.wpl.533badd00854862ab5a881e76749f4afb4fa54462dafb1a3980ac300a003b659")) returned 1 [0165.142] GetProcessHeap () returned 0x4c0000 [0165.142] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0165.142] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0165.190] CloseHandle (hObject=0xec) returned 1 [0165.221] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\01_music_auto_rated_at_5_stars.wpl"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl.59EA8CA6755999EF4CE52DC284AB9477E30609E55EB306E44C93880F6D17017F" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\01_music_auto_rated_at_5_stars.wpl.59ea8ca6755999ef4ce52dc284ab9477e30609e55eb306e44c93880f6d17017f")) returned 1 [0165.235] GetProcessHeap () returned 0x4c0000 [0165.235] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b28068 | out: hHeap=0x4c0000) returned 1 [0165.235] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0166.343] ReadFile (in: hFile=0x1d8, lpBuffer=0x522abc, nNumberOfBytesToRead=0x1800, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0166.343] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0166.369] ReadFile (in: hFile=0x194, lpBuffer=0x54ab0c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x0, lpOverlapped=0x52aad8 | out: lpBuffer=0x54ab0c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52aad8) returned 1 [0166.369] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0166.390] WriteFile (in: hFile=0x1d8, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x1800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0166.407] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0166.556] CloseHandle (hObject=0x1d8) returned 1 [0166.575] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\greenbubbles.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg.4B9B8CE5D2A5641B101C988EEB3959E308BE6CE3C85BF7A845B3073BE968F855" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\greenbubbles.jpg.4b9b8ce5d2a5641b101c988eeb3959e308be6ce3c85bf7a845b3073be968f855")) returned 1 [0166.592] GetProcessHeap () returned 0x4c0000 [0166.592] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0166.592] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0166.694] ReadFile (in: hFile=0x1b8, lpBuffer=0x3c9212c, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8) returned 1 [0166.701] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0166.723] WriteFile (in: hFile=0x1b8, lpBuffer=0x3c9212c, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8) returned 0x0 [0166.726] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0167.038] CloseHandle (hObject=0xec) returned 1 [0167.039] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7b2238aaccedc3f1ffe8e7eb5f575ec9"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9.F1CBAD1BF06438B359CD2B2B09AB17183D6B58A494DACC09535678A33C4D6443" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7b2238aaccedc3f1ffe8e7eb5f575ec9.f1cbad1bf06438b359cd2b2b09ab17183d6b58a494dacc09535678a33c4d6443")) returned 1 [0167.152] GetProcessHeap () returned 0x4c0000 [0167.152] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0167.152] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0167.153] WriteFile (in: hFile=0x19c, lpBuffer=0x3c680dc, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c480a8 | out: lpBuffer=0x3c680dc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c480a8) returned 0x0 [0167.163] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0167.170] ReadFile (in: hFile=0x178, lpBuffer=0x3c9212c, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8) returned 1 [0167.170] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0167.191] ReadFile (in: hFile=0xec, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0167.192] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0167.193] WriteFile (in: hFile=0xec, lpBuffer=0x3c2007c, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 0x0 [0167.262] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0167.365] CloseHandle (hObject=0x19c) returned 1 [0167.383] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\internet explorer.lnk"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk.72BC705484A9EA36A52731E098C0823E169B1A27A594FAAF134D049E2498384A" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\internet explorer.lnk.72bc705484a9ea36a52731e098c0823e169b1a27a594faaf134d049e2498384a")) returned 1 [0167.385] GetProcessHeap () returned 0x4c0000 [0167.385] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c480a8 | out: hHeap=0x4c0000) returned 1 [0167.385] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0167.445] WriteFile (in: hFile=0x184, lpBuffer=0x3c9212c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8) returned 1 [0167.447] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0167.963] WriteFile (in: hFile=0x124, lpBuffer=0x3c9212c, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8) returned 0x0 [0167.976] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0167.994] CloseHandle (hObject=0x184) returned 1 [0167.996] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1" (normalized: "c:\\users\\default\\ntuser.dat.log1"), lpNewFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1.860369F4C27F5B08851FFCF479A9466050151078FC56F26ED82F4D38F93B1236" (normalized: "c:\\users\\default\\ntuser.dat.log1.860369f4c27f5b08851ffcf479a9466050151078fc56f26ed82f4d38f93b1236")) returned 1 [0167.998] GetProcessHeap () returned 0x4c0000 [0167.998] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c9a148 | out: hHeap=0x4c0000) returned 1 [0167.999] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0168.593] WriteFile (in: hFile=0x19c, lpBuffer=0x3c9212c*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8) returned 1 [0168.595] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0168.622] WriteFile (in: hFile=0x18c, lpBuffer=0x3cba17c, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c9a148 | out: lpBuffer=0x3cba17c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c9a148) returned 0x0 [0168.623] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0168.644] ReadFile (in: hFile=0x19c, lpBuffer=0x3c9212c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8) returned 1 [0168.644] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0168.720] ReadFile (in: hFile=0x190, lpBuffer=0x3c480cc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098) returned 1 [0168.721] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08) returned 1 [0168.764] WriteFile (in: hFile=0xec, lpBuffer=0x3c2007c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 0x0 [0168.764] GetQueuedCompletionStatus (CompletionPort=0x94, lpNumberOfBytesTransferred=0x282fe10, lpCompletionKey=0x282fe0c, lpOverlapped=0x282fe08, dwMilliseconds=0xffffffff) Thread: id = 7 os_tid = 0x408 [0061.328] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0076.476] WriteFile (in: hFile=0x170, lpBuffer=0x56ab1c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54aae8 | out: lpBuffer=0x56ab1c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54aae8) returned 0x0 [0076.477] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0076.486] ReadFile (in: hFile=0x17c, lpBuffer=0x3b480cc, nNumberOfBytesToRead=0x800, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b28098 | out: lpBuffer=0x3b480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b28098) returned 1 [0076.486] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0076.560] WriteFile (in: hFile=0x17c, lpBuffer=0x3b480cc, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b28098 | out: lpBuffer=0x3b480cc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b28098) returned 0x0 [0076.571] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0076.664] ReadFile (in: hFile=0x178, lpBuffer=0x3b2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b00048 | out: lpBuffer=0x3b2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b00048) returned 1 [0076.664] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0076.695] ReadFile (in: hFile=0x184, lpBuffer=0x3b9816c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b78138 | out: lpBuffer=0x3b9816c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b78138) returned 1 [0076.696] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0076.727] ReadFile (in: hFile=0x188, lpBuffer=0x3bc01bc, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ba0188 | out: lpBuffer=0x3bc01bc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ba0188) returned 1 [0076.737] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0076.828] CloseHandle (hObject=0x17c) returned 1 [0076.833] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.A7048630A7B30DD81D9C9A675FBB50A29E831FFDF1F9577BB9C15644367CA95E" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml.a7048630a7b30dd81d9c9a675fbb50a29e831ffdf1f9577bb9c15644367ca95e")) returned 1 [0076.833] GetProcessHeap () returned 0x4c0000 [0076.833] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b28098 | out: hHeap=0x4c0000) returned 1 [0076.833] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0076.867] WriteFile (in: hFile=0x180, lpBuffer=0x3b7011c, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b500e8 | out: lpBuffer=0x3b7011c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b500e8) returned 0x0 [0076.869] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0076.885] CloseHandle (hObject=0x174) returned 1 [0076.923] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.D2F89B88F60A38DBB9E173DD367F358E3241F7DA5DEAE642AD8D38C248CD061F" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi.d2f89b88f60a38dbb9e173dd367f358e3241f7da5deae642ad8d38c248cd061f")) returned 1 [0076.924] GetProcessHeap () returned 0x4c0000 [0076.924] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x572b38 | out: hHeap=0x4c0000) returned 1 [0076.925] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0078.737] CloseHandle (hObject=0x184) returned 1 [0080.376] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.357AC7E0B4128AA32C597EE125DC86AF9877272761856801E897150DD0F56962" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab.357ac7e0b4128aa32c597ee125dc86af9877272761856801e897150dd0f56962")) returned 1 [0080.815] GetProcessHeap () returned 0x4c0000 [0080.815] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x54aae8 | out: hHeap=0x4c0000) returned 1 [0080.818] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0081.028] WriteFile (in: hFile=0x170, lpBuffer=0x3b480cc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b28098 | out: lpBuffer=0x3b480cc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b28098) returned 0x0 [0081.030] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0081.051] ReadFile (in: hFile=0x190, lpBuffer=0x3bc01bc, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ba0188 | out: lpBuffer=0x3bc01bc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ba0188) returned 1 [0081.051] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0081.134] ReadFile (in: hFile=0x178, lpBuffer=0x3be820c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc81d8 | out: lpBuffer=0x3be820c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc81d8) returned 1 [0081.134] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0081.336] WriteFile (in: hFile=0x194, lpBuffer=0x3c2007c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 1 [0081.337] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0081.378] CloseHandle (hObject=0x188) returned 1 [0085.229] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.EF9747999FFECEB7523BE289ABD462146B54CEFF65642639449F9BE54663434D" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab.ef9747999ffeceb7523be289abd462146b54ceff65642639449f9be54663434d")) returned 1 [0085.230] GetProcessHeap () returned 0x4c0000 [0085.230] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0085.230] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0085.706] ReadFile (in: hFile=0x17c, lpBuffer=0x3b2007c, nNumberOfBytesToRead=0x1800, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b00048 | out: lpBuffer=0x3b2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b00048) returned 1 [0085.707] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0085.837] WriteFile (in: hFile=0x17c, lpBuffer=0x3b2007c, nNumberOfBytesToWrite=0x1800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b00048 | out: lpBuffer=0x3b2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b00048) returned 0x0 [0085.838] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0096.400] WriteFile (in: hFile=0x188, lpBuffer=0x3c7011c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c500e8 | out: lpBuffer=0x3c7011c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c500e8) returned 0x0 [0096.401] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0112.431] WriteFile (in: hFile=0x178, lpBuffer=0x3ba8174, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140) returned 0x0 [0112.432] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0112.493] CloseHandle (hObject=0x178) returned 1 [0112.496] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\acecache11.lst"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst.BA4968FA2C6AE973C82AF94CF46A906409598C50D357EA3C2F37790A0452305D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\acecache11.lst.ba4968fa2c6ae973c82af94cf46a906409598c50d357ea3c2f37790a0452305d")) returned 1 [0112.497] GetProcessHeap () returned 0x4c0000 [0112.497] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b88140 | out: hHeap=0x4c0000) returned 1 [0112.497] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0112.821] ReadFile (in: hFile=0x17c, lpBuffer=0x56cb2c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x54caf8 | out: lpBuffer=0x56cb2c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x54caf8) returned 1 [0112.821] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0112.892] CloseHandle (hObject=0x180) returned 1 [0112.894] MoveFileW (lpExistingFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi"), lpNewFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.686DC42611824501A1F3EF658F978700569F179F8A6A7B2843E8FB39D72BF165" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.686dc42611824501a1f3ef658f978700569f179f8a6a7b2843e8fb39d72bf165")) returned 1 [0113.248] GetProcessHeap () returned 0x4c0000 [0113.248] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c500e8 | out: hHeap=0x4c0000) returned 1 [0113.251] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0113.436] ReadFile (in: hFile=0x194, lpBuffer=0x3be8114, nNumberOfBytesToRead=0x2e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0) returned 1 [0113.437] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0113.656] WriteFile (in: hFile=0x18c, lpBuffer=0x55cb24, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0) returned 0x0 [0113.665] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0113.666] CloseHandle (hObject=0x16c) returned 1 [0113.668] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms.030ECF744FECD9A107C5AFB597FB27D75D4A0092A5B49A0D4AA91119804C1B4D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms.030ecf744fecd9a107c5afb597fb27d75d4a0092a5b49a0d4aa91119804c1b4d")) returned 1 [0113.669] GetProcessHeap () returned 0x4c0000 [0113.669] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0113.673] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0113.689] ReadFile (in: hFile=0x178, lpBuffer=0x584b74, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40) returned 1 [0113.690] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0113.767] ReadFile (in: hFile=0x16c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0113.768] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0113.778] WriteFile (in: hFile=0x16c, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0113.779] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0113.847] ReadFile (in: hFile=0x18c, lpBuffer=0x55cb24, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0) returned 1 [0114.160] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0114.175] CloseHandle (hObject=0x178) returned 1 [0114.177] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_1"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_1.D423AA6E52EAE67F766F776E78F6F340F7331FBF7915FC0A948EC0C6332EEC1C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_1.d423aa6e52eae67f766f776e78f6f340f7331fbf7915fc0a948ec0c6332eec1c")) returned 1 [0114.177] GetProcessHeap () returned 0x4c0000 [0114.177] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x564b40 | out: hHeap=0x4c0000) returned 1 [0114.178] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0114.242] ReadFile (in: hFile=0x178, lpBuffer=0x3cc003c, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ca0008 | out: lpBuffer=0x3cc003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ca0008) returned 1 [0114.242] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0114.246] CloseHandle (hObject=0x16c) returned 1 [0114.248] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_2" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_2"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_2.A14C1137DD4766689D8B844293893DF14D7223131277679361C7B42B47FCCA76" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_2.a14c1137dd4766689d8b844293893df14d7223131277679361c7b42b47fcca76")) returned 1 [0114.249] GetProcessHeap () returned 0x4c0000 [0114.249] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0114.249] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0114.363] WriteFile (in: hFile=0x178, lpBuffer=0x3cc003c*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ca0008 | out: lpBuffer=0x3cc003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ca0008) returned 1 [0114.365] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0114.368] CloseHandle (hObject=0x178) returned 1 [0114.369] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\000003.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\000003.log"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\000003.log.D49B7DA6CEDF63EF26F0826E003361B6D378CAEDC8DCBE09B5A5AEE8EC7EEB65" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\000003.log.d49b7da6cedf63ef26f0826e003361b6d378caedc8dcbe09b5a5aee8ec7eeb65")) returned 1 [0114.370] GetProcessHeap () returned 0x4c0000 [0114.370] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0114.370] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0114.384] CloseHandle (hObject=0x18c) returned 1 [0114.384] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_3.3A0464329BB2EAED0B633FA3D05C905657ACAE423369DBA9B77361B3484EE278" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_3.3a0464329bb2eaed0b633fa3d05c905657acae423369dba9b77361b3484ee278")) returned 1 [0114.385] GetProcessHeap () returned 0x4c0000 [0114.385] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0114.386] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0114.448] WriteFile (in: hFile=0x16c, lpBuffer=0x55cb24, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0) returned 0x0 [0114.449] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0114.472] CloseHandle (hObject=0x1ac) returned 1 [0114.473] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png.C1B2842C8BC54DBA2AE1D12D76BE87A8FCBEC44FE467FB80CCF9975F8E4D1042" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png.c1b2842c8bc54dba2ae1d12d76be87a8fcbec44fe467fb80ccf9975f8e4d1042")) returned 1 [0114.474] GetProcessHeap () returned 0x4c0000 [0114.474] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0114.478] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0114.845] WriteFile (in: hFile=0x184, lpBuffer=0x3cc003c*, nNumberOfBytesToWrite=0xc00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ca0008 | out: lpBuffer=0x3cc003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ca0008) returned 1 [0114.847] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0114.882] WriteFile (in: hFile=0x184, lpBuffer=0x3cc003c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ca0008 | out: lpBuffer=0x3cc003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ca0008) returned 1 [0115.097] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0115.419] WriteFile (in: hFile=0x184, lpBuffer=0x3cc003c*, nNumberOfBytesToWrite=0x2a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ca0008 | out: lpBuffer=0x3cc003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ca0008) returned 1 [0115.569] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0115.586] CloseHandle (hObject=0x184) returned 1 [0115.587] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\verified_contents.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\verified_contents.json.0ED9716283B7C078299385C92C5920046941F7C965B885FC2B853AEF5204E505" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\verified_contents.json.0ed9716283b7c078299385c92c5920046941f7c965b885fc2b853aef5204e505")) returned 1 [0115.588] GetProcessHeap () returned 0x4c0000 [0115.588] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.589] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0115.662] ReadFile (in: hFile=0x184, lpBuffer=0x3cc003c, nNumberOfBytesToRead=0x1a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ca0008 | out: lpBuffer=0x3cc003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ca0008) returned 1 [0115.663] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0115.672] WriteFile (in: hFile=0x184, lpBuffer=0x3cc003c*, nNumberOfBytesToWrite=0x1a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ca0008 | out: lpBuffer=0x3cc003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ca0008) returned 1 [0115.674] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0115.675] CloseHandle (hObject=0x184) returned 1 [0115.677] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png.A016A1D7A65DE33399DE2E6287E5E1D3443D36768607AFC0772147AD27828D4E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png.a016a1d7a65de33399de2e6287e5e1d3443d36768607afc0772147ad27828d4e")) returned 1 [0115.679] GetProcessHeap () returned 0x4c0000 [0115.679] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0008 | out: hHeap=0x4c0000) returned 1 [0115.679] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0116.383] WriteFile (in: hFile=0x1b0, lpBuffer=0x584b74*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40) returned 1 [0116.386] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0116.414] CloseHandle (hObject=0x16c) returned 1 [0116.416] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png.CAF08552B0B03C2F00C3F5B88E6CD86B87C65504F33223963CD0555007D5727D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png.caf08552b0b03c2f00c3f5b88e6cd86b87c65504f33223963cd0555007d5727d")) returned 1 [0116.423] GetProcessHeap () returned 0x4c0000 [0116.423] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0116.423] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0117.173] ReadFile (in: hFile=0x1ac, lpBuffer=0x55cb24, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0) returned 1 [0117.173] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0117.195] ReadFile (in: hFile=0x16c, lpBuffer=0x584b74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74*, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40) returned 1 [0117.195] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0117.215] WriteFile (in: hFile=0x1ac, lpBuffer=0x55cb24, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0) returned 0x0 [0117.217] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0117.429] CloseHandle (hObject=0x1ac) returned 1 [0117.438] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\contentscript_bin_prod.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\contentscript_bin_prod.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\contentscript_bin_prod.js.861003BE795699422E21D79729794D5FC715D4C01CE5011963F7A128030B1A47" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\contentscript_bin_prod.js.861003be795699422e21d79729794d5fc715d4c01ce5011963f7a128030b1a47")) returned 1 [0117.441] GetProcessHeap () returned 0x4c0000 [0117.441] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0117.444] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0117.985] WriteFile (in: hFile=0x114, lpBuffer=0x3b80124, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0) returned 0x0 [0117.987] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0118.198] WriteFile (in: hFile=0x1a0, lpBuffer=0x3c4008c, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c20058 | out: lpBuffer=0x3c4008c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c20058) returned 0x0 [0118.200] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0118.933] WriteFile (in: hFile=0x198, lpBuffer=0x584b74, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40) returned 0x0 [0119.033] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0119.570] CloseHandle (hObject=0x17c) returned 1 [0119.616] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\messages.json.977C07294290D339BC5BFA07704A9299A2ED7881492F10476BDE195F74E26379" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\messages.json.977c07294290d339bc5bfa07704a9299a2ed7881492f10476bde195f74e26379")) returned 1 [0119.662] GetProcessHeap () returned 0x4c0000 [0119.662] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c99150 | out: hHeap=0x4c0000) returned 1 [0119.667] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0119.730] ReadFile (in: hFile=0x198, lpBuffer=0x3b580d4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0) returned 1 [0119.730] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0119.845] CloseHandle (hObject=0x184) returned 1 [0120.068] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\messages.json.A9DB50D1F5BFBB9CF7FA0ADDB5C4AB16F7F2F951AA896386703CC3A57BDA4461" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\messages.json.a9db50d1f5bfbb9cf7fa0addb5c4ab16f7f2f951aa896386703cc3a57bda4461")) returned 1 [0120.069] GetProcessHeap () returned 0x4c0000 [0120.069] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0120.070] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0120.118] WriteFile (in: hFile=0x198, lpBuffer=0x55cb24, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0) returned 0x0 [0120.120] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0120.150] WriteFile (in: hFile=0x16c, lpBuffer=0x3d0903c, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ce9008 | out: lpBuffer=0x3d0903c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ce9008) returned 0x0 [0120.152] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0120.175] WriteFile (in: hFile=0x1c4, lpBuffer=0x3d3108c, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d11058 | out: lpBuffer=0x3d3108c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d11058) returned 0x0 [0120.177] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0120.245] CloseHandle (hObject=0x1b0) returned 1 [0120.289] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\messages.json.9E23AD35893B3D59392CA98E435ACAA8D71CD4FBAA3D11DA13D3A6080B12CB0E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\messages.json.9e23ad35893b3d59392ca98e435acaa8d71cd4fbaa3d11da13d3a6080b12cb0e")) returned 1 [0120.291] GetProcessHeap () returned 0x4c0000 [0120.291] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x564b40 | out: hHeap=0x4c0000) returned 1 [0120.295] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0120.385] WriteFile (in: hFile=0x16c, lpBuffer=0x3d0903c, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ce9008 | out: lpBuffer=0x3d0903c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ce9008) returned 0x0 [0120.387] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0120.428] CloseHandle (hObject=0x16c) returned 1 [0120.441] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_tw\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\messages.json.D10217FC9AC436A05306EE58568DE33122B39A809520F43F8336AA45B3AF2520" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_tw\\messages.json.d10217fc9ac436a05306ee58568de33122b39a809520f43f8336aa45b3af2520")) returned 1 [0120.446] GetProcessHeap () returned 0x4c0000 [0120.446] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ce9008 | out: hHeap=0x4c0000) returned 1 [0120.449] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0121.154] ReadFile (in: hFile=0x1b4, lpBuffer=0x584b74, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74*, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40) returned 1 [0121.155] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0121.258] WriteFile (in: hFile=0x1b4, lpBuffer=0x584b74, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40) returned 0x0 [0121.272] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0122.317] CloseHandle (hObject=0x1c0) returned 1 [0122.318] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\background_script.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\background_script.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\background_script.js.8B519553BAD3F5AEF95C5A89F5317A22C1D16649CE7B1AD33C6FD8B01B736F08" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\background_script.js.8b519553bad3f5aef95c5a89f5317a22c1d16649ce7b1ad33c6fd8b01b736f08")) returned 1 [0122.319] GetProcessHeap () returned 0x4c0000 [0122.319] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c480a8 | out: hHeap=0x4c0000) returned 1 [0122.322] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0122.406] WriteFile (in: hFile=0x1b0, lpBuffer=0x3c9212c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8) returned 0x0 [0122.408] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0122.523] ReadFile (in: hFile=0x1bc, lpBuffer=0x3c4008c, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c20058 | out: lpBuffer=0x3c4008c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c20058) returned 1 [0122.523] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0122.531] ReadFile (in: hFile=0x178, lpBuffer=0x3c680dc, nNumberOfBytesToRead=0x3e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c480a8 | out: lpBuffer=0x3c680dc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c480a8) returned 1 [0122.531] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0122.557] ReadFile (in: hFile=0x114, lpBuffer=0x584b74, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74*, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40) returned 1 [0122.557] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0122.626] ReadFile (in: hFile=0x1c0, lpBuffer=0x3d8112c, nNumberOfBytesToRead=0x4a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d610f8 | out: lpBuffer=0x3d8112c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d610f8) returned 1 [0122.626] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0123.008] WriteFile (in: hFile=0x1c4, lpBuffer=0x3b580d4, nNumberOfBytesToWrite=0x3e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0) returned 0x0 [0123.009] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0123.131] WriteFile (in: hFile=0x1ac, lpBuffer=0x3da917c, nNumberOfBytesToWrite=0x3e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d89148 | out: lpBuffer=0x3da917c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d89148) returned 0x0 [0123.133] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0123.157] WriteFile (in: hFile=0x1e0, lpBuffer=0x40b011c, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x40900e8 | out: lpBuffer=0x40b011c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x40900e8) returned 0x0 [0123.158] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0123.222] WriteFile (in: hFile=0x1b4, lpBuffer=0x3dd11cc*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db1198 | out: lpBuffer=0x3dd11cc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db1198) returned 1 [0123.223] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0123.347] CloseHandle (hObject=0x1e0) returned 1 [0123.714] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\messages.json.B9655B17C06BDCAD64FFCADACBA18A5C3608A9A14FCDA3D38017BD8A6C43DB62" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\messages.json.b9655b17c06bdcad64ffcadacba18a5c3608a9a14fcda3d38017bd8a6c43db62")) returned 1 [0123.715] GetProcessHeap () returned 0x4c0000 [0123.715] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x40900e8 | out: hHeap=0x4c0000) returned 1 [0123.716] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0123.841] ReadFile (in: hFile=0x1d4, lpBuffer=0x3ba8174, nNumberOfBytesToRead=0x4400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140) returned 1 [0123.841] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0123.871] CloseHandle (hObject=0x178) returned 1 [0124.691] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\messages.json.4CB9C22A2DA20FDD79A1526B56E5CF473B93BE5B04418539A3EDFCEB7E7E722B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\messages.json.4cb9c22a2da20fdd79a1526b56e5cf473b93be5b04418539a3edfceb7e7e722b")) returned 1 [0124.758] GetProcessHeap () returned 0x4c0000 [0124.758] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c480a8 | out: hHeap=0x4c0000) returned 1 [0124.759] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0124.777] CloseHandle (hObject=0x114) returned 1 [0124.840] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\messages.json.194EC3729D51AFEB57CCCD32EDAB5E1C51A1014508933E777F0C5B167D97AC6C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\messages.json.194ec3729d51afeb57cccd32edab5e1c51a1014508933e777f0c5b167d97ac6c")) returned 1 [0124.859] GetProcessHeap () returned 0x4c0000 [0124.859] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x564b40 | out: hHeap=0x4c0000) returned 1 [0124.860] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0124.923] ReadFile (in: hFile=0x1cc, lpBuffer=0x3c4008c, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c20058 | out: lpBuffer=0x3c4008c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c20058) returned 1 [0124.961] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0124.970] CloseHandle (hObject=0x1a0) returned 1 [0124.975] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html.400B4156FDFBEEF689834964460A61BC2E17B9CD2438C5E64FF6A23B5B0D9751" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html.400b4156fdfbeef689834964460a61bc2e17b9cd2438c5e64ff6a23b5b0d9751")) returned 1 [0124.977] GetProcessHeap () returned 0x4c0000 [0124.977] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3d390a8 | out: hHeap=0x4c0000) returned 1 [0124.983] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0125.110] ReadFile (in: hFile=0x1e4, lpBuffer=0x3c9212c, nNumberOfBytesToRead=0x5200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8) returned 0x0 [0125.170] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0125.189] CloseHandle (hObject=0x1cc) returned 1 [0125.753] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\messages.json.F21ACA678D2E73FD57C88162E9E863D51199F5345216266263CD63C20551BC0E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\messages.json.f21aca678d2e73fd57c88162e9e863d51199f5345216266263cd63c20551bc0e")) returned 1 [0125.754] GetProcessHeap () returned 0x4c0000 [0125.754] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0125.755] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0126.231] CloseHandle (hObject=0x1e4) returned 1 [0126.232] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_br\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\messages.json.0FBAB71F3A09B740E7FDEBB965E59FF260B20A665A91C2408754259F76933238" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_br\\messages.json.0fbab71f3a09b740e7fdebb965e59ff260b20a665a91c2408754259f76933238")) returned 1 [0126.233] GetProcessHeap () returned 0x4c0000 [0126.233] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c720f8 | out: hHeap=0x4c0000) returned 1 [0126.233] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0126.674] ReadFile (in: hFile=0x1c0, lpBuffer=0x3d8230c, nNumberOfBytesToRead=0x3c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d622d8 | out: lpBuffer=0x3d8230c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d622d8) returned 1 [0126.674] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0126.691] WriteFile (in: hFile=0x1c0, lpBuffer=0x3d8230c*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d622d8 | out: lpBuffer=0x3d8230c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d622d8) returned 1 [0126.692] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0126.694] CloseHandle (hObject=0x1bc) returned 1 [0126.695] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_pt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\messages.json.C126B38B56C8FD06CC8A23348818867CEA0E1F62534F0959591B41C5DC5AEB1D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_pt\\messages.json.c126b38b56c8fd06cc8a23348818867cea0e1f62534f0959591b41c5dc5aeb1d")) returned 1 [0126.696] GetProcessHeap () returned 0x4c0000 [0126.696] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b88140 | out: hHeap=0x4c0000) returned 1 [0126.696] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0126.698] CloseHandle (hObject=0x1b0) returned 1 [0126.756] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\messages.json.36EEB855D8D082FE123C7B397101C4572D35CCC28929B01D60B4DB97D16ACB7E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\messages.json.36eeb855d8d082fe123c7b397101c4572d35ccc28929b01d60b4db97d16acb7e")) returned 1 [0126.811] GetProcessHeap () returned 0x4c0000 [0126.811] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0126.812] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0126.868] ReadFile (in: hFile=0x1d0, lpBuffer=0x584b74, nNumberOfBytesToRead=0x3e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74*, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40) returned 1 [0126.868] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0126.895] WriteFile (in: hFile=0x1c0, lpBuffer=0x3d8230c, nNumberOfBytesToWrite=0x7200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d622d8 | out: lpBuffer=0x3d8230c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d622d8) returned 0x0 [0127.001] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0128.419] CloseHandle (hObject=0x17c) returned 1 [0128.490] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History Provider Cache" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\history provider cache"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History Provider Cache.D7F4DBFE74A91B4E9BAB7490F17E36514C61DBEA073082F59AD46BCE97421B65" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\history provider cache.d7f4dbfe74a91b4e9bab7490f17e36514c61dbea073082f59ad46bce97421b65")) returned 1 [0128.500] GetProcessHeap () returned 0x4c0000 [0128.500] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0128.503] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0128.839] WriteFile (in: hFile=0x1d4, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0129.145] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0129.183] CloseHandle (hObject=0x1d4) returned 1 [0129.188] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\TransportSecurity" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\transportsecurity"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\TransportSecurity.537B6920FAA9ABAB49FC00C3298F7CD97155E781B881BD69202313348AE97B1B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\transportsecurity.537b6920faa9abab49fc00c3298f7cd97155e781b881bd69202313348ae97b1b")) returned 1 [0129.192] GetProcessHeap () returned 0x4c0000 [0129.192] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0129.192] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0129.204] CloseHandle (hObject=0x17c) returned 1 [0129.206] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Top Sites" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\top sites"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Top Sites.B0237971DDF1C186EBFC7261A184C35DEEBF829AEDAC63493AA466B0EDC9E37D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\top sites.b0237971ddf1c186ebfc7261a184c35deebf829aedac63493aa466b0edc9e37d")) returned 1 [0129.207] GetProcessHeap () returned 0x4c0000 [0129.207] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0129.211] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0129.216] ReadFile (in: hFile=0x184, lpBuffer=0x3c680dc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c480a8 | out: lpBuffer=0x3c680dc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c480a8) returned 1 [0129.216] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0129.262] CloseHandle (hObject=0x1d0) returned 1 [0129.262] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Visited Links" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\visited links"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Visited Links.AD1571E3AE0A635A3240E95947D66D8650B02315CEF12075979E324AAFE0222F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\visited links.ad1571e3ae0a635a3240e95947d66d8650b02315cef12075979e324aafe0222f")) returned 1 [0129.264] GetProcessHeap () returned 0x4c0000 [0129.264] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0129.264] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0129.349] ReadFile (in: hFile=0x1a8, lpBuffer=0x3be8114, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0) returned 1 [0129.350] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0129.394] ReadFile (in: hFile=0x1d0, lpBuffer=0x3c4008c, nNumberOfBytesToRead=0x1400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c20058 | out: lpBuffer=0x3c4008c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c20058) returned 1 [0129.394] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0129.444] WriteFile (in: hFile=0x1a8, lpBuffer=0x3be8114, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0) returned 0x0 [0129.845] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0137.020] CloseHandle (hObject=0x1a8) returned 1 [0137.502] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\cookies\\index.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies\\index.dat.A4CD668353E8204EDEC0877F41E1E1920D13F76F1614D8C68F3E6A881581EB03" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\cookies\\index.dat.a4cd668353e8204edec0877f41e1e1920d13f76f1614d8c68f3e6a881581eb03")) returned 1 [0137.742] GetProcessHeap () returned 0x4c0000 [0137.742] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0137.743] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0137.743] CloseHandle (hObject=0x18c) returned 1 [0137.744] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\j48UIqdP.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\j48uiqdp.xls"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\j48UIqdP.xls.35B9E9BE24699DB5D8CF15C15039ED3E0BBF65DD2E0F7B540B363D32FEEB6161" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\j48uiqdp.xls.35b9e9be24699db5d8cf15c15039ed3e0bbf65dd2e0f7b540b363d32feeb6161")) returned 1 [0137.755] GetProcessHeap () returned 0x4c0000 [0137.755] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0137.756] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0138.193] ReadFile (in: hFile=0x1d0, lpBuffer=0x584b74, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74*, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40) returned 1 [0138.195] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0138.210] CloseHandle (hObject=0x1d0) returned 1 [0138.211] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_ZUebtG4ZM1wHCYX.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\_zuebtg4zm1whcyx.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_ZUebtG4ZM1wHCYX.mp3.418EB3A352AE5172C0B71BD895926C236F1E4DEA7B3525E85DEB0C6CC3F16D2D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\_zuebtg4zm1whcyx.mp3.418eb3a352ae5172c0b71bd895926c236f1e4dea7b3525e85deb0c6cc3f16d2d")) returned 1 [0138.213] GetProcessHeap () returned 0x4c0000 [0138.213] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x564b40 | out: hHeap=0x4c0000) returned 1 [0138.213] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0138.255] WriteFile (in: hFile=0x178, lpBuffer=0x3be8114, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0) returned 0x0 [0138.260] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0138.289] CloseHandle (hObject=0x1b8) returned 1 [0138.290] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Yj aZkP.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\yj azkp.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Yj aZkP.swf.3518BA0D18F1FDB01A11801BAC043291A66B366C6AC0B007A9818B5FDCC3D351" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\yj azkp.swf.3518ba0d18f1fdb01a11801bac043291a66b366c6ac0b007a9818b5fdcc3d351")) returned 1 [0138.291] GetProcessHeap () returned 0x4c0000 [0138.291] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0138.291] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0138.314] CloseHandle (hObject=0x124) returned 1 [0138.315] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_22-5iIE.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\_22-5iie.odt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_22-5iIE.odt.D2F0F10A8C5EF6735FEBCDA36CB59A9C3F05818D802A8F8F86F89B3AD8521D1E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\_22-5iie.odt.d2f0f10a8c5ef6735febcda36cb59a9c3f05818d802a8f8f86f89b3ad8521d1e")) returned 1 [0138.317] GetProcessHeap () returned 0x4c0000 [0138.317] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0138.317] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0138.367] ReadFile (in: hFile=0x180, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0138.367] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0138.383] WriteFile (in: hFile=0x1d0, lpBuffer=0x3be8114, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0) returned 0x0 [0138.385] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0138.387] CloseHandle (hObject=0x1d0) returned 1 [0138.388] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\ReaderMessages" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\acrobat\\10.0\\readermessages"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\ReaderMessages.0973F509A7378E9F8EDFE9418EF7C2C61D00BD88C10926ED48CA4EC96A1E5B2D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\acrobat\\10.0\\readermessages.0973f509a7378e9f8edfe9418ef7c2c61d00bd88c10926ed48ca4ec96a1e5b2d")) returned 1 [0138.389] GetProcessHeap () returned 0x4c0000 [0138.389] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0138.389] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0138.620] WriteFile (in: hFile=0x178, lpBuffer=0x54bb14*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 1 [0138.623] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0138.637] WriteFile (in: hFile=0x184, lpBuffer=0x573b64*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30) returned 1 [0138.640] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0138.698] WriteFile (in: hFile=0x184, lpBuffer=0x54bb14, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 0x0 [0138.699] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0138.720] ReadFile (in: hFile=0x178, lpBuffer=0x573b64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64*, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30) returned 1 [0138.731] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0138.732] WriteFile (in: hFile=0x178, lpBuffer=0x573b64*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30) returned 1 [0138.733] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0138.733] CloseHandle (hObject=0x178) returned 1 [0138.734] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\5080dc7a65db6a5960ecd874088f3328_2908f682dfc81a793bd240cf29711c77"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77.A756495424E1E692C798CE01F04B19E011833A60CFAC0B379520B2AA0C351B0B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\5080dc7a65db6a5960ecd874088f3328_2908f682dfc81a793bd240cf29711c77.a756495424e1e692c798ce01f04b19e011833a60cfac0b379520b2aa0c351b0b")) returned 1 [0138.735] GetProcessHeap () returned 0x4c0000 [0138.735] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x553b30 | out: hHeap=0x4c0000) returned 1 [0138.735] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0138.754] ReadFile (in: hFile=0x178, lpBuffer=0x573b64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64*, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30) returned 1 [0138.755] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0138.756] WriteFile (in: hFile=0x178, lpBuffer=0x573b64*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30) returned 1 [0138.757] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0138.758] CloseHandle (hObject=0x178) returned 1 [0138.772] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\5080dc7a65db6a5960ecd874088f3328_6cba2c06d5985dd95ae59af8fc7c6220"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220.BC1967CCFE11303C65F0776EF7F3431EFAB8278E7DDB9AF3C5A305393F45227A" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\5080dc7a65db6a5960ecd874088f3328_6cba2c06d5985dd95ae59af8fc7c6220.bc1967ccfe11303c65f0776ef7f3431efab8278e7ddb9af3c5a305393f45227a")) returned 1 [0138.777] GetProcessHeap () returned 0x4c0000 [0138.777] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x553b30 | out: hHeap=0x4c0000) returned 1 [0138.777] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0138.799] ReadFile (in: hFile=0x178, lpBuffer=0x573b64, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64*, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30) returned 1 [0138.799] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0138.801] WriteFile (in: hFile=0x178, lpBuffer=0x573b64, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30) returned 0x0 [0138.802] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0138.881] ReadFile (in: hFile=0x1d4, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0138.881] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0138.884] WriteFile (in: hFile=0x1d4, lpBuffer=0x3c2007c, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 0x0 [0138.885] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0138.887] WriteFile (in: hFile=0x128, lpBuffer=0x3c480cc*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098) returned 1 [0138.894] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0139.686] CloseHandle (hObject=0x1d4) returned 1 [0139.686] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\b3bb9c1ba2d19e090ae305b2683903a0_b89a63ac6877bd1ed812438ce82c3eb8"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8.F5D6A998FA8D02CBFA7EB0180069A90BBE69D9C38A0CF1A20866E628E9924B34" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\b3bb9c1ba2d19e090ae305b2683903a0_b89a63ac6877bd1ed812438ce82c3eb8.f5d6a998fa8d02cbfa7eb0180069a90bbe69d9c38a0cf1a20866e628e9924b34")) returned 1 [0139.689] GetProcessHeap () returned 0x4c0000 [0139.689] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0139.689] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0139.693] CloseHandle (hObject=0x184) returned 1 [0139.694] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\bc570ec0de58335afaf92fdc8e3aa330_6ce6e578b5c8485b4be3c4d58e12f150"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150.FFF83C5B329461014DC704A7CF3359B88496BCE39672F7BD0222B3CCCB918D61" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\bc570ec0de58335afaf92fdc8e3aa330_6ce6e578b5c8485b4be3c4d58e12f150.fff83c5b329461014dc704a7cf3359b88496bce39672f7bd0222b3cccb918d61")) returned 1 [0139.695] GetProcessHeap () returned 0x4c0000 [0139.695] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0139.695] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0139.709] WriteFile (in: hFile=0x1d0, lpBuffer=0x3b580d4*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0) returned 1 [0139.712] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0139.857] ReadFile (in: hFile=0x18c, lpBuffer=0x3be8114, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0) returned 1 [0139.857] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0139.860] WriteFile (in: hFile=0x184, lpBuffer=0x3c480cc*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098) returned 1 [0139.861] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0140.932] WriteFile (in: hFile=0x1b8, lpBuffer=0x3b580d4, nNumberOfBytesToWrite=0x3e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0) returned 0x0 [0140.937] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0140.975] WriteFile (in: hFile=0x1d4, lpBuffer=0x3c2007c*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 1 [0140.977] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0143.300] CloseHandle (hObject=0x124) returned 1 [0143.301] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\outlook\\outlook.srs"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs.7FFACE9A10AAC79EC8AA5248ED4607A43E32E1524D43FA53F12EE1FAA2EAF54A" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\outlook\\outlook.srs.7fface9a10aac79ec8aa5248ed4607a43e32e1524d43fa53f12ee1faa2eaf54a")) returned 1 [0143.302] GetProcessHeap () returned 0x4c0000 [0143.302] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0143.302] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0143.891] WriteFile (in: hFile=0x1d4, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0143.892] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0143.893] CloseHandle (hObject=0x18c) returned 1 [0143.893] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\content-prefs.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\content-prefs.sqlite"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\content-prefs.sqlite.970F1EEECFDB73FF42965594DBD62501B828B82319B94AD1AAA5385155F82A24" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\content-prefs.sqlite.970f1eeecfdb73ff42965594dbd62501b828b82319b94ad1aaa5385155f82a24")) returned 1 [0143.895] GetProcessHeap () returned 0x4c0000 [0143.895] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0143.895] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0144.443] CloseHandle (hObject=0x1d0) returned 1 [0144.451] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cookies.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\cookies.sqlite"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cookies.sqlite.AA0C7E44DC67476610BF45627E69FBE5D47F7002373F550A4B02B96F51C2CC21" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\cookies.sqlite.aa0c7e44dc67476610bf45627e69fbe5d47f7002373f550a4b02b96f51c2cc21")) returned 1 [0144.452] GetProcessHeap () returned 0x4c0000 [0144.452] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x553b30 | out: hHeap=0x4c0000) returned 1 [0144.452] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0144.591] WriteFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToWrite=0xe00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0144.591] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0144.612] ReadFile (in: hFile=0x1d0, lpBuffer=0x54bb14, nNumberOfBytesToRead=0xe00, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0144.618] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0144.653] WriteFile (in: hFile=0x1d0, lpBuffer=0x54bb14, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 0x0 [0144.655] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0144.698] ReadFile (in: hFile=0x1d4, lpBuffer=0x573b64, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64*, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30) returned 1 [0144.698] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0144.720] WriteFile (in: hFile=0x1d4, lpBuffer=0x573b64, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30) returned 0x0 [0144.722] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0144.738] WriteFile (in: hFile=0x178, lpBuffer=0x3b80124*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0) returned 1 [0144.739] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0144.843] CloseHandle (hObject=0x120) returned 1 [0144.846] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\pluginreg.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\pluginreg.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\pluginreg.dat.E923A5DB9A52A7CB5B91B70A0A165E700328D0C6F386391CA6E83653AC9BD43C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\pluginreg.dat.e923a5db9a52a7cb5b91b70a0a165e700328d0c6f386391ca6e83653ac9bd43c")) returned 1 [0144.847] GetProcessHeap () returned 0x4c0000 [0144.847] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0144.847] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0145.106] WriteFile (in: hFile=0x1b8, lpBuffer=0x3b80124*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0) returned 1 [0145.108] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0145.189] CloseHandle (hObject=0x1b8) returned 1 [0145.190] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\nx8 nCvL3_8XSM.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\nx8 ncvl3_8xsm.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\nx8 nCvL3_8XSM.m4a.E281E5B09F7345E8318C5A90E319489F7E46244F732823EBDAC6BEE6666B4E79" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\nx8 ncvl3_8xsm.m4a.e281e5b09f7345e8318c5a90e319489f7e46244f732823ebdac6bee6666b4e79")) returned 1 [0145.192] GetProcessHeap () returned 0x4c0000 [0145.192] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0145.192] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0145.312] WriteFile (in: hFile=0x18c, lpBuffer=0x54bb14*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 1 [0145.317] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0145.366] WriteFile (in: hFile=0x1b8, lpBuffer=0x573b64*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30) returned 1 [0145.368] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0145.420] WriteFile (in: hFile=0x1b8, lpBuffer=0x54bb14*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 1 [0145.422] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0145.477] CloseHandle (hObject=0x1b8) returned 1 [0145.477] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\qKgvVzcp8_KFLXTSHIv.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\qkgvvzcp8_kflxtshiv.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\qKgvVzcp8_KFLXTSHIv.avi.A0FD121B313C0BA335F354DCBF78BF13D3D45C5584F1B84C5BAC75A310A3B52E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\qkgvvzcp8_kflxtshiv.avi.a0fd121b313c0ba335f354dcbf78bf13d3d45c5584f1b84c5bac75a310a3b52e")) returned 1 [0145.479] GetProcessHeap () returned 0x4c0000 [0145.479] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0145.479] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0145.607] WriteFile (in: hFile=0x1b8, lpBuffer=0x54bb14*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 1 [0145.609] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0145.658] WriteFile (in: hFile=0x1b8, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0145.660] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0145.714] CloseHandle (hObject=0x1b8) returned 1 [0145.714] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\rkQBZn Vs0dgR0u1hye6.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\rkqbzn vs0dgr0u1hye6.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\rkQBZn Vs0dgR0u1hye6.gif.7B76646087360BD511194AF9140A4D918321257E95D386BC82479ECE6752D762" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\rkqbzn vs0dgr0u1hye6.gif.7b76646087360bd511194af9140a4d918321257e95d386bc82479ece6752d762")) returned 1 [0145.718] GetProcessHeap () returned 0x4c0000 [0145.718] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0145.718] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0145.739] ReadFile (in: hFile=0x1b8, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0145.740] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0145.768] WriteFile (in: hFile=0x1b8, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0145.769] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0145.849] WriteFile (in: hFile=0x1b8, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0145.873] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0145.998] WriteFile (in: hFile=0x1b8, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0146.000] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0146.064] CloseHandle (hObject=0x1b8) returned 1 [0146.065] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\UI4qmN8ZH.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\ui4qmn8zh.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\UI4qmN8ZH.mkv.274433E6941852A39768D36FAD31872C93D01AF17D1ABD73A89C492525EA3F56" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\ui4qmn8zh.mkv.274433e6941852a39768d36fad31872c93d01af17d1abd73a89c492525ea3f56")) returned 1 [0146.066] GetProcessHeap () returned 0x4c0000 [0146.066] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0146.066] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0146.136] WriteFile (in: hFile=0x1b8, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0146.138] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0146.213] CloseHandle (hObject=0x1b8) returned 1 [0146.213] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Xk3p1kbq.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\xk3p1kbq.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Xk3p1kbq.bmp.6E7402286EB9B2A481E21667D1C5FE0D58123931540DB942D7BE0B0595C0BD13" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\xk3p1kbq.bmp.6e7402286eb9b2a481e21667d1c5fe0d58123931540db942d7be0b0595c0bd13")) returned 1 [0146.215] GetProcessHeap () returned 0x4c0000 [0146.215] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0146.215] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0146.358] ReadFile (in: hFile=0x1b8, lpBuffer=0x54bb14, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0146.358] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0146.398] WriteFile (in: hFile=0x1b8, lpBuffer=0x54bb14, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 0x0 [0146.400] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0146.490] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0146.498] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0146.518] WriteFile (in: hFile=0x19c, lpBuffer=0x573b64*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30) returned 1 [0146.519] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0146.542] WriteFile (in: hFile=0x19c, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0146.543] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0146.607] WriteFile (in: hFile=0x19c, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0146.609] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0146.702] WriteFile (in: hFile=0x1b8, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x7200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0146.704] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0146.759] WriteFile (in: hFile=0x1b8, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0146.761] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0146.813] WriteFile (in: hFile=0x1b8, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0146.815] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0146.869] WriteFile (in: hFile=0x19c, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x5c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0146.884] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0146.938] WriteFile (in: hFile=0x19c, lpBuffer=0x54bb14*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 1 [0146.940] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0147.040] WriteFile (in: hFile=0x19c, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0147.042] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0147.090] WriteFile (in: hFile=0x19c, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0147.092] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0147.143] WriteFile (in: hFile=0x19c, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0147.144] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0147.198] WriteFile (in: hFile=0x19c, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0147.200] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0147.248] WriteFile (in: hFile=0x19c, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x7200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0147.250] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0147.343] WriteFile (in: hFile=0x19c, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0147.346] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0147.408] CloseHandle (hObject=0x19c) returned 1 [0147.408] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\JjSSrqnbwtn 7n.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\jjssrqnbwtn 7n.csv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\JjSSrqnbwtn 7n.csv.7FF4B695D03D00AF4E5A4C70F5203FC77B1BC9C9A6CF34A372E4BE604AB27766" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\jjssrqnbwtn 7n.csv.7ff4b695d03d00af4e5a4c70f5203fc77b1bc9c9a6cf34a372e4be604ab27766")) returned 1 [0147.410] GetProcessHeap () returned 0x4c0000 [0147.410] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0147.410] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0147.452] WriteFile (in: hFile=0x19c, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x4c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0147.453] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0147.642] CloseHandle (hObject=0x19c) returned 1 [0147.643] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Jz6ANkacGhqE6CkEu.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\jz6ankacghqe6ckeu.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Jz6ANkacGhqE6CkEu.png.6BC352C17AD0BA49D5C6DF175CF1F448AB25042DEFEEA841B6B7350BCE9E5B0F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\jz6ankacghqe6ckeu.png.6bc352c17ad0ba49d5c6df175cf1f448ab25042defeea841b6b7350bce9e5b0f")) returned 1 [0147.644] GetProcessHeap () returned 0x4c0000 [0147.644] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0147.644] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0147.703] WriteFile (in: hFile=0x19c, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0147.707] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0147.831] CloseHandle (hObject=0x120) returned 1 [0147.832] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\7bVVsB0zr v0.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\nxdzy2\\7bvvsb0zr v0.odp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\7bVVsB0zr v0.odp.28717A0599874457BD80CCB78CF07E77E70188ECEC06E1E303C81847CBCD4A26" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\nxdzy2\\7bvvsb0zr v0.odp.28717a0599874457bd80ccb78cf07e77e70188ecec06e1e303c81847cbcd4a26")) returned 1 [0147.833] GetProcessHeap () returned 0x4c0000 [0147.833] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0147.833] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0147.926] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0147.928] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0147.998] CloseHandle (hObject=0x120) returned 1 [0147.999] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\Hw0F.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\nxdzy2\\hw0f.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\Hw0F.bmp.3F1C232F935BED623B2E3410044BD3E9F532D341D43470DC26C969FE0057FD18" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\nxdzy2\\hw0f.bmp.3f1c232f935bed623b2e3410044bd3e9f532d341d43470dc26c969fe0057fd18")) returned 1 [0148.001] GetProcessHeap () returned 0x4c0000 [0148.001] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0148.001] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0148.057] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0148.059] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0148.120] CloseHandle (hObject=0x120) returned 1 [0148.124] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\lAMD.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\nxdzy2\\lamd.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\lAMD.flv.C33F90CA55CF4D1B0C5B41FE10FC4161E3F0F00E6DBC4309CF0678C1F1E9347F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\nxdzy2\\lamd.flv.c33f90ca55cf4d1b0c5b41fe10fc4161e3f0f00e6dbc4309cf0678c1f1e9347f")) returned 1 [0148.125] GetProcessHeap () returned 0x4c0000 [0148.125] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0148.125] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0148.245] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0148.247] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0148.303] CloseHandle (hObject=0x120) returned 1 [0148.304] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\OeTVb4wUvvYAOmAI.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\nxdzy2\\oetvb4wuvvyaomai.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\OeTVb4wUvvYAOmAI.png.00CEC07D7F25EFD7739D4E3629FFEFC6D00849A75BB7C786C047236A9B1E0608" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\nxdzy2\\oetvb4wuvvyaomai.png.00cec07d7f25efd7739d4e3629ffefc6d00849a75bb7c786c047236a9b1e0608")) returned 1 [0148.305] GetProcessHeap () returned 0x4c0000 [0148.306] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0148.306] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0148.326] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0148.326] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0148.388] ReadFile (in: hFile=0x1b8, lpBuffer=0x522abc, nNumberOfBytesToRead=0x7000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0148.388] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0148.437] ReadFile (in: hFile=0x1b8, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0148.438] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0148.479] CloseHandle (hObject=0x1b8) returned 1 [0148.480] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\PyP_N wrZ-sc.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\pyp_n wrz-sc.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\PyP_N wrZ-sc.m4a.7576F0BBE280F0E1C6F97AA2D143F7A389D9335226A88E1022C8345B39054C75" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\pyp_n wrz-sc.m4a.7576f0bbe280f0e1c6f97aa2d143f7a389d9335226a88e1022c8345b39054c75")) returned 1 [0148.481] GetProcessHeap () returned 0x4c0000 [0148.481] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0148.481] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0148.698] ReadFile (in: hFile=0x120, lpBuffer=0x54bb14, nNumberOfBytesToRead=0x3800, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0148.698] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0148.734] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0148.734] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0148.789] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0148.789] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0148.948] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x4a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0148.948] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0149.263] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0149.263] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0149.345] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0149.346] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0149.431] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0149.485] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0149.609] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x1800, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0149.622] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0149.652] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0149.653] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0149.739] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0149.789] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0149.818] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0149.818] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0149.962] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0150.018] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0150.048] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0150.056] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0150.077] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x6e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0150.077] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0150.181] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0150.181] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0150.237] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0150.237] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0150.298] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x5a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0150.327] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0150.360] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0150.373] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0150.375] CloseHandle (hObject=0x120) returned 1 [0150.376] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Ecc0L4E.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ecc0l4e.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Ecc0L4E.xlsx.4C11C23A08A10F106819B304CF0AEC98940B938DA4E944F2E930CD643D8E9B61" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ecc0l4e.xlsx.4c11c23a08a10f106819b304cf0aec98940b938da4e944f2e930cd643d8e9b61")) returned 1 [0150.378] GetProcessHeap () returned 0x4c0000 [0150.378] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0150.378] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0150.466] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x800, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0150.467] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0150.498] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0150.499] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0150.549] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x1200, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0150.557] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0150.576] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x4200, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0150.576] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0150.613] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0150.615] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0150.716] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0150.716] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0150.768] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0150.769] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0150.776] CloseHandle (hObject=0x120) returned 1 [0150.777] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\lKfueVx.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\lkfuevx.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\lKfueVx.pptx.DDA384EFEEEB9468F04493F3E9CF966A50DD6F95CFB62EA8AE4DC674C5173E33" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\lkfuevx.pptx.dda384efeeeb9468f04493f3e9cf966a50dd6f95cfb62ea8ae4dc674c5173e33")) returned 1 [0150.779] GetProcessHeap () returned 0x4c0000 [0150.779] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0150.779] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0150.865] ReadFile (in: hFile=0x19c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x7400, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0150.865] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0150.916] WriteFile (in: hFile=0x19c, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x7400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0150.937] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0151.014] ReadFile (in: hFile=0x120, lpBuffer=0x54bb14, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0151.014] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0151.043] CloseHandle (hObject=0x120) returned 1 [0151.044] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Niz7GS.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\niz7gs.ppt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Niz7GS.ppt.C6BA8A6DAD88413E9480CA18248A6E6349F68ACEE749E17B5DF4D5A46485F453" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\niz7gs.ppt.c6ba8a6dad88413e9480ca18248a6e6349f68acee749e17b5df4d5a46485f453")) returned 1 [0151.045] GetProcessHeap () returned 0x4c0000 [0151.045] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0151.045] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0151.066] ReadFile (in: hFile=0x120, lpBuffer=0x54bb14, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0151.067] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0151.095] CloseHandle (hObject=0x120) returned 1 [0151.096] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OCJkdYLw-GFERurZ9O.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ocjkdylw-gferurz9o.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OCJkdYLw-GFERurZ9O.xlsx.273A44CEAFB923DE51F3C5DD37148F284C1D31DDCC30D354D736322C65DB270C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ocjkdylw-gferurz9o.xlsx.273a44ceafb923de51f3c5dd37148f284c1d31ddcc30d354d736322c65db270c")) returned 1 [0151.097] GetProcessHeap () returned 0x4c0000 [0151.097] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0151.097] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0151.117] ReadFile (in: hFile=0x120, lpBuffer=0x54bb14, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0151.118] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0151.174] ReadFile (in: hFile=0x120, lpBuffer=0x54bb14, nNumberOfBytesToRead=0x6800, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0151.174] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0151.227] ReadFile (in: hFile=0x1b8, lpBuffer=0x54bb14, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0151.227] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0151.357] ReadFile (in: hFile=0x120, lpBuffer=0x54bb14, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0151.357] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0151.594] ReadFile (in: hFile=0x1b8, lpBuffer=0x54bb14, nNumberOfBytesToRead=0x4c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0151.594] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0151.638] ReadFile (in: hFile=0x18c, lpBuffer=0x54bb14, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0151.638] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0151.668] CloseHandle (hObject=0x18c) returned 1 [0151.668] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\FZkt.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qe9vnj9fzxmj9b4\\k arjl\\fzkt.pps"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\FZkt.pps.6046C9DADD3689081CF9477B8D8DF6D4ACC0C604D6414F3869E18430AA5F4E7C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qe9vnj9fzxmj9b4\\k arjl\\fzkt.pps.6046c9dadd3689081cf9477b8d8df6d4acc0c604d6414f3869e18430aa5f4e7c")) returned 1 [0151.670] GetProcessHeap () returned 0x4c0000 [0151.670] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0151.670] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0151.691] ReadFile (in: hFile=0x184, lpBuffer=0x54bb14, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0151.691] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0151.724] CloseHandle (hObject=0x184) returned 1 [0151.725] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\7k4S9_o.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qe9vnj9fzxmj9b4\\k arjl\\iw22pbxkxlveur2q\\7k4s9_o.pdf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\7k4S9_o.pdf.38EBEAF0B0402CB58523BFAA952511DD1A5EBD553FC9F7073C7FCB666D21E90B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qe9vnj9fzxmj9b4\\k arjl\\iw22pbxkxlveur2q\\7k4s9_o.pdf.38ebeaf0b0402cb58523bfaa952511dd1a5ebd553fc9f7073c7fcb666d21e90b")) returned 1 [0151.726] GetProcessHeap () returned 0x4c0000 [0151.726] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0151.726] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0151.756] CloseHandle (hObject=0x19c) returned 1 [0151.757] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\_private\\folder.ico"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico.5C21CA837D7605EFFE39B9E673E8DB9B4D435F520B38FC9919EDB845E2A2B148" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\_private\\folder.ico.5c21ca837d7605effe39b9e673e8db9b4d435f520b38fc9919edb845e2a2b148")) returned 1 [0151.758] GetProcessHeap () returned 0x4c0000 [0151.758] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0151.758] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0151.967] ReadFile (in: hFile=0x124, lpBuffer=0x573b64, nNumberOfBytesToRead=0x2400, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64*, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30) returned 1 [0151.967] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0152.000] ReadFile (in: hFile=0x124, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0152.000] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0152.064] ReadFile (in: hFile=0x124, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0152.065] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0152.142] ReadFile (in: hFile=0x18c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x6c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0152.142] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0152.235] ReadFile (in: hFile=0x18c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x6400, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0152.236] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0152.290] ReadFile (in: hFile=0x18c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0152.290] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0152.351] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x2400, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0152.351] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0152.361] CloseHandle (hObject=0x120) returned 1 [0152.361] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SZkkvF.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\szkkvf.odt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SZkkvF.odt.13D658F5E2886D17CC15850FB1602ECEFF84C7C0C61684C7E62FBBAAA7DF2614" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\szkkvf.odt.13d658f5e2886d17cc15850fb1602eceff84c7c0c61684c7e62fbbaaa7df2614")) returned 1 [0152.363] GetProcessHeap () returned 0x4c0000 [0152.363] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0152.363] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0152.385] ReadFile (in: hFile=0x1b8, lpBuffer=0x522abc, nNumberOfBytesToRead=0x3000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0152.386] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0152.398] CloseHandle (hObject=0x1b8) returned 1 [0152.398] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\bg-uh7lC.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tdypv_9ygfbgvlp\\bg-uh7lc.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\bg-uh7lC.xlsx.D24B16786033325990015CA62EF088D6F68D9D5B624407A3A78DB7B530535039" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tdypv_9ygfbgvlp\\bg-uh7lc.xlsx.d24b16786033325990015ca62ef088d6f68d9d5b624407a3a78db7b530535039")) returned 1 [0152.399] GetProcessHeap () returned 0x4c0000 [0152.399] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0152.399] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0152.419] ReadFile (in: hFile=0x1b8, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0152.419] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0152.449] CloseHandle (hObject=0x1b8) returned 1 [0152.450] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\oDJIlf2_pTEHo0.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tdypv_9ygfbgvlp\\odjilf2_pteho0.odt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\oDJIlf2_pTEHo0.odt.B73E1FB9BAC5E84675870BF256DAF16B3564E4ED0ACA4C4157B2EB3478306A56" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tdypv_9ygfbgvlp\\odjilf2_pteho0.odt.b73e1fb9bac5e84675870bf256daf16b3564e4ed0aca4c4157b2eb3478306a56")) returned 1 [0152.451] GetProcessHeap () returned 0x4c0000 [0152.452] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0152.452] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0152.482] ReadFile (in: hFile=0x1b8, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0152.482] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0152.536] ReadFile (in: hFile=0x1b8, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0152.536] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0152.569] CloseHandle (hObject=0x1b8) returned 1 [0152.569] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\qklcRi7Zjm61 ijnq.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tdypv_9ygfbgvlp\\qklcri7zjm61 ijnq.ots"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\qklcRi7Zjm61 ijnq.ots.405A90B502C4CFF701435E628EAECBC1935844200255529893610CC9B859DE23" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tdypv_9ygfbgvlp\\qklcri7zjm61 ijnq.ots.405a90b502c4cff701435e628eaecbc1935844200255529893610cc9b859de23")) returned 1 [0152.571] GetProcessHeap () returned 0x4c0000 [0152.571] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0152.571] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0152.592] ReadFile (in: hFile=0x18c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x3400, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0152.593] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0152.627] ReadFile (in: hFile=0x18c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0152.627] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0152.657] CloseHandle (hObject=0x18c) returned 1 [0152.658] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\5Wsr.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tdypv_9ygfbgvlp\\r2rds_plw\\5wsr.xls"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\5Wsr.xls.5C1BBB86D8548603DCD8D4BF1A0ABE4090CE792012D83A948BF2CFC975495215" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tdypv_9ygfbgvlp\\r2rds_plw\\5wsr.xls.5c1bbb86d8548603dcd8d4bf1a0abe4090ce792012d83a948bf2cfc975495215")) returned 1 [0152.659] GetProcessHeap () returned 0x4c0000 [0152.659] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0152.659] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0152.681] ReadFile (in: hFile=0x18c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0152.681] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0152.734] ReadFile (in: hFile=0x18c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0152.734] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0152.762] WriteFile (in: hFile=0x18c, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0152.764] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0152.821] WriteFile (in: hFile=0x18c, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0152.823] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0152.905] CloseHandle (hObject=0x18c) returned 1 [0152.905] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\SkoU9rx_w-xtaay.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tdypv_9ygfbgvlp\\r2rds_plw\\skou9rx_w-xtaay.xls"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\SkoU9rx_w-xtaay.xls.F2CE88C62AA590F128ECEDE7B73DF82BBAA8420C068760E751076B12FE998A51" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tdypv_9ygfbgvlp\\r2rds_plw\\skou9rx_w-xtaay.xls.f2ce88c62aa590f128ecede7b73df82bbaa8420c068760e751076b12fe998a51")) returned 1 [0152.907] GetProcessHeap () returned 0x4c0000 [0152.907] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0152.907] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0152.976] WriteFile (in: hFile=0x1b8, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0152.978] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0153.030] WriteFile (in: hFile=0x1b8, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0153.031] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0153.114] CloseHandle (hObject=0x120) returned 1 [0153.115] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\VW75nIg9v3wnArStE23.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vw75nig9v3wnarste23.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\VW75nIg9v3wnArStE23.xlsx.D6C56F6DA0E2D17792BB922E20B59D50EA1A898AB9F28DBCBD0AC08577DE0E6B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vw75nig9v3wnarste23.xlsx.d6c56f6da0e2d17792bb922e20b59d50ea1a898ab9f28dbcbd0ac08577de0e6b")) returned 1 [0153.116] GetProcessHeap () returned 0x4c0000 [0153.116] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0153.117] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0153.163] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0153.165] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0153.457] ReadFile (in: hFile=0x18c, lpBuffer=0x573b64, nNumberOfBytesToRead=0x6a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64*, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30) returned 1 [0153.457] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0153.525] WriteFile (in: hFile=0x124, lpBuffer=0x3c2007c*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 1 [0153.526] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0159.099] WriteFile (in: hFile=0x19c, lpBuffer=0x3c2007c*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 1 [0159.165] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0159.169] CloseHandle (hObject=0x1b8) returned 1 [0159.170] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\Dyakkb.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\dyakkb.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\Dyakkb.swf.1E15BFDE18AA1375CBD5743402583990189046A8292C238084622395ECDD2C79" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\dyakkb.swf.1e15bfde18aa1375cbd5743402583990189046a8292c238084622395ecdd2c79")) returned 1 [0159.172] GetProcessHeap () returned 0x4c0000 [0159.172] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0159.172] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0159.173] CloseHandle (hObject=0x18c) returned 1 [0159.175] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\a3aBkOAho3fZRpFt.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\a3abkoaho3fzrpft.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\a3aBkOAho3fZRpFt.mkv.994F6A1FE5D9039F3A54AD14E1D4339739B27077FA27B89E954CD4F32F5D310F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\a3abkoaho3fzrpft.mkv.994f6a1fe5d9039f3a54ad14e1d4339739b27077fa27b89e954cd4f32f5d310f")) returned 1 [0159.176] GetProcessHeap () returned 0x4c0000 [0159.176] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0159.176] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0162.861] CloseHandle (hObject=0x184) returned 1 [0162.861] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\tg4y4m2lVj2YBRLTa.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\tg4y4m2lvj2ybrlta.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\tg4y4m2lVj2YBRLTa.mp4.FE9C7F874F04E06D740034D3CB1AD6581C81EC5F11142467E69DD16911118351" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\tg4y4m2lvj2ybrlta.mp4.fe9c7f874f04e06d740034d3cb1ad6581c81ec5f11142467e69dd16911118351")) returned 1 [0162.863] GetProcessHeap () returned 0x4c0000 [0162.863] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0162.863] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0164.246] WriteFile (in: hFile=0x1d0, lpBuffer=0x3b9813c, nNumberOfBytesToWrite=0x7000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b78108 | out: lpBuffer=0x3b9813c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b78108) returned 0x0 [0164.344] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0164.689] WriteFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x2e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0164.725] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0164.948] ReadFile (in: hFile=0x154, lpBuffer=0x54bb14, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0164.949] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0164.956] WriteFile (in: hFile=0x1d4, lpBuffer=0x3b9813c, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b78108 | out: lpBuffer=0x3b9813c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b78108) returned 0x0 [0164.957] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0164.975] ReadFile (in: hFile=0x194, lpBuffer=0x573b64, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64*, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30) returned 1 [0164.975] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0164.976] WriteFile (in: hFile=0x194, lpBuffer=0x573b64, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30) returned 0x0 [0164.977] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0165.015] ReadFile (in: hFile=0x1d8, lpBuffer=0x3c9212c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8) returned 1 [0165.015] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0165.019] WriteFile (in: hFile=0x1d8, lpBuffer=0x3c9212c, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8) returned 0x0 [0165.020] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0165.023] CloseHandle (hObject=0x120) returned 1 [0165.024] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\internet explorer\\brndlog.txt"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt.3FCC8E5ED20055581744FBE598194B792B0725CC36688A74956BC85D0B70032F" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\internet explorer\\brndlog.txt.3fcc8e5ed20055581744fbe598194b792b0725cc36688a74956bc85d0b70032f")) returned 1 [0165.027] GetProcessHeap () returned 0x4c0000 [0165.027] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0165.027] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0165.071] WriteFile (in: hFile=0x1c0, lpBuffer=0x3cba17c, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c9a148 | out: lpBuffer=0x3cba17c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c9a148) returned 0x0 [0165.072] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0165.105] WriteFile (in: hFile=0x1b8, lpBuffer=0x3b700ec, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b500b8 | out: lpBuffer=0x3b700ec, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b500b8) returned 0x0 [0165.106] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0165.138] WriteFile (in: hFile=0x180, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0165.142] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0165.189] CloseHandle (hObject=0x194) returned 1 [0165.222] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\04_music_played_in_the_last_month.wpl"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl.2CC248C53AE3D761FA7E6C0D129C31E43D5058775E169D30E3A5E35C9A332754" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\04_music_played_in_the_last_month.wpl.2cc248c53ae3d761fa7e6c0d129c31e43d5058775e169d30e3a5e35c9a332754")) returned 1 [0165.244] GetProcessHeap () returned 0x4c0000 [0165.244] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x553b30 | out: hHeap=0x4c0000) returned 1 [0165.245] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0165.388] ReadFile (in: hFile=0x1d4, lpBuffer=0x522abc, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0165.392] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0165.393] WriteFile (in: hFile=0x194, lpBuffer=0x3c2007c, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 0x0 [0165.394] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0165.445] CloseHandle (hObject=0x1d4) returned 1 [0165.446] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\10_all_music.wpl"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl.F7558CD40FDCD81A48E84E13DB4CC575901B0597043E0CB2537A0DCAA5288D17" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\10_all_music.wpl.f7558cd40fdcd81a48e84e13db4cc575901b0597043e0cb2537a0dcaa5288d17")) returned 1 [0165.447] GetProcessHeap () returned 0x4c0000 [0165.447] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0165.448] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0165.546] ReadFile (in: hFile=0x1d4, lpBuffer=0x3c480cc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098) returned 1 [0165.552] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0165.555] WriteFile (in: hFile=0x1d8, lpBuffer=0x3c9212c, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8) returned 0x0 [0165.556] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0165.782] CloseHandle (hObject=0x1d4) returned 1 [0165.785] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\account{1cd43f3b-668b-4ca8-b816-34f74122ec0f}.oeaccount"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount.4A88AA12B457FB7D41802F32BE783DFC55B3DE5A2894D6630B78C6D4DC525639" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\account{1cd43f3b-668b-4ca8-b816-34f74122ec0f}.oeaccount.4a88aa12b457fb7d41802f32be783dfc55b3de5a2894d6630b78c6d4dc525639")) returned 1 [0165.787] GetProcessHeap () returned 0x4c0000 [0165.788] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0165.792] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0165.853] WriteFile (in: hFile=0x128, lpBuffer=0x572b5c, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x552b28 | out: lpBuffer=0x572b5c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x552b28) returned 0x0 [0165.855] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0165.885] ReadFile (in: hFile=0xec, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0165.886] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0165.927] WriteFile (in: hFile=0xec, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0165.930] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0165.961] ReadFile (in: hFile=0x19c, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0165.961] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0166.029] CloseHandle (hObject=0x1c0) returned 1 [0166.030] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.pat" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\backup\\new\\windowsmail.pat"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.pat.DAF380442D4DDA5525D0D547C72D0666A34FB35C08021CF30C6A5EDD9A0BDA76" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\backup\\new\\windowsmail.pat.daf380442d4dda5525d0d547c72d0666a34fb35c08021cf30c6a5edd9a0bda76")) returned 1 [0166.032] GetProcessHeap () returned 0x4c0000 [0166.032] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52aad8 | out: hHeap=0x4c0000) returned 1 [0166.032] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0166.034] CloseHandle (hObject=0x128) returned 1 [0166.035] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edb.chk"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk.29D354012532D1328E938D90146BE3AD9ADF4C9D1665067C382CCF799EFDA17E" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edb.chk.29d354012532d1328e938d90146be3ad9adf4c9d1665067c382ccf799efda17e")) returned 1 [0166.037] GetProcessHeap () returned 0x4c0000 [0166.037] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x552b28 | out: hHeap=0x4c0000) returned 1 [0166.037] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0166.039] CloseHandle (hObject=0xec) returned 1 [0166.040] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edb.log"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log.9EB595D6AA259615CAE597FC08AB4FEBA549A0879D1937D0F923886B77C93721" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edb.log.9eb595d6aa259615cae597fc08ab4feba549a0879d1937d0f923886b77c93721")) returned 1 [0166.041] GetProcessHeap () returned 0x4c0000 [0166.041] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0166.041] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0166.046] ReadFile (in: hFile=0x1d4, lpBuffer=0x3c480cc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098) returned 1 [0166.047] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0166.089] WriteFile (in: hFile=0x1d4, lpBuffer=0x3c480cc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098) returned 0x0 [0166.091] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0166.123] ReadFile (in: hFile=0xec, lpBuffer=0x3c9212c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8) returned 1 [0166.125] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0166.131] CloseHandle (hObject=0x19c) returned 1 [0166.132] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edb00001.log"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log.C68C05294FCA0231943C7BA05D959597AB2F6517F4DF37AC443E5A6714651A01" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edb00001.log.c68c05294fca0231943c7ba05d959597ab2f6517f4df37ac443e5a6714651a01")) returned 1 [0166.133] GetProcessHeap () returned 0x4c0000 [0166.133] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0166.139] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0166.184] WriteFile (in: hFile=0xec, lpBuffer=0x3c9212c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8) returned 0x0 [0166.186] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0166.247] ReadFile (in: hFile=0x19c, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0166.252] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0166.257] CloseHandle (hObject=0x1d4) returned 1 [0166.261] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edbres00001.jrs"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs.B16B2A32D51F231027D4AED0A8A3F8FBE703D722E15A0EE884660782D8A5E56A" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edbres00001.jrs.b16b2a32d51f231027d4aed0a8a3f8fbe703d722e15a0ee884660782d8a5e56a")) returned 1 [0166.412] GetProcessHeap () returned 0x4c0000 [0166.412] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0166.415] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0166.421] ReadFile (in: hFile=0x178, lpBuffer=0x572b5c, nNumberOfBytesToRead=0x1800, lpNumberOfBytesRead=0x0, lpOverlapped=0x552b28 | out: lpBuffer=0x572b5c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x552b28) returned 1 [0166.422] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0166.444] ReadFile (in: hFile=0x1d4, lpBuffer=0x3c480cc, nNumberOfBytesToRead=0x1200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098) returned 1 [0166.445] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0166.468] WriteFile (in: hFile=0x1d4, lpBuffer=0x3c480cc, nNumberOfBytesToWrite=0x1200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098) returned 0x0 [0166.469] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0166.555] CloseHandle (hObject=0xec) returned 1 [0166.576] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\shadesofblue.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg.4E5E8186BB873807102FF8EE0E83C4B71C5DA0BA26CD1CF601B21FA76BDB9479" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\shadesofblue.jpg.4e5e8186bb873807102ff8ee0e83c4b71c5da0ba26cd1cf601b21fa76bdb9479")) returned 1 [0166.594] GetProcessHeap () returned 0x4c0000 [0166.594] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c720f8 | out: hHeap=0x4c0000) returned 1 [0166.594] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0166.701] ReadFile (in: hFile=0xec, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x1c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0166.701] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0166.893] WriteFile (in: hFile=0x1d8, lpBuffer=0x3c2007c*, nNumberOfBytesToWrite=0x2600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 1 [0166.895] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08) returned 1 [0166.971] WriteFile (in: hFile=0xec, lpBuffer=0x3c2007c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 1 [0167.032] GetQueuedCompletionStatus (CompletionPort=0x94, lpNumberOfBytesTransferred=0x2a6fe10, lpCompletionKey=0x2a6fe0c, lpOverlapped=0x2a6fe08, dwMilliseconds=0xffffffff) Thread: id = 8 os_tid = 0x414 [0061.329] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0076.113] WriteFile (in: hFile=0x168, lpBuffer=0x532ac4, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x512a90 | out: lpBuffer=0x532ac4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x512a90) returned 0x0 [0076.114] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0076.240] CloseHandle (hObject=0x168) returned 1 [0076.246] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), lpNewFileName="\\\\?\\C:\\Boot\\BOOTSTAT.DAT.1F1099844B0C5543F89C7611B74A8C756CAA2BE094D2FBE0ABA2373110A1A472" (normalized: "c:\\boot\\bootstat.dat.1f1099844b0c5543f89c7611b74a8c756caa2be094d2fbe0aba2373110a1a472")) returned 1 [0076.247] GetProcessHeap () returned 0x4c0000 [0076.247] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0076.247] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0076.380] ReadFile (in: hFile=0x170, lpBuffer=0x56ab1c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x54aae8 | out: lpBuffer=0x56ab1c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x54aae8) returned 1 [0076.380] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0076.442] WriteFile (in: hFile=0x174, lpBuffer=0x592b6c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x572b38 | out: lpBuffer=0x592b6c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x572b38) returned 0x0 [0076.444] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0076.733] CloseHandle (hObject=0x188) returned 1 [0076.736] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.7F5ED4396821983C6572651B2C9D27D6F1874B592D7DB004F5E759B01AC35A6D" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml.7f5ed4396821983c6572651b2c9d27d6f1874b592d7db004f5e759b01ac35a6d")) returned 1 [0076.737] GetProcessHeap () returned 0x4c0000 [0076.737] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ba0188 | out: hHeap=0x4c0000) returned 1 [0076.737] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0076.925] CloseHandle (hObject=0x170) returned 1 [0077.939] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.91B941EC74D52657EAB3583F8ACD962EC43EDD5D9E523DAF019ABE4C22716D2D" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab.91b941ec74d52657eab3583f8acd962ec43edd5d9e523daf019abe4c22716d2d")) returned 1 [0077.940] GetProcessHeap () returned 0x4c0000 [0077.940] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x54aae8 | out: hHeap=0x4c0000) returned 1 [0077.940] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0077.946] CloseHandle (hObject=0x188) returned 1 [0079.566] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.B78B11BA6862AD7EE870C4B1E8E88D95FCE592EBDAAC319D765C7B7B92AA0922" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab.b78b11ba6862ad7ee870c4b1e8e88d95fce592ebdaac319d765c7b7b92aa0922")) returned 1 [0079.567] GetProcessHeap () returned 0x4c0000 [0079.567] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x572b38 | out: hHeap=0x4c0000) returned 1 [0079.567] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0079.573] CloseHandle (hObject=0x170) returned 1 [0080.415] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.98897C83ADDCE71F3FE5AA17657E43D9554E27CFBD68AACBAD8155F6D0554E21" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi.98897c83addce71f3fe5aa17657e43d9554e27cfbd68aacbad8155f6d0554e21")) returned 1 [0080.820] GetProcessHeap () returned 0x4c0000 [0080.820] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b28098 | out: hHeap=0x4c0000) returned 1 [0080.820] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0080.848] ReadFile (in: hFile=0x190, lpBuffer=0x3be9214, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc91e0 | out: lpBuffer=0x3be9214*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc91e0) returned 1 [0080.848] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0080.888] ReadFile (in: hFile=0x170, lpBuffer=0x3b480cc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b28098 | out: lpBuffer=0x3b480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b28098) returned 1 [0080.888] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0080.896] WriteFile (in: hFile=0x190, lpBuffer=0x3be9214, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc91e0 | out: lpBuffer=0x3be9214, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc91e0) returned 0x0 [0080.900] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0080.922] CloseHandle (hObject=0x190) returned 1 [0080.932] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.FAF80DE710AB7EF892B2FD7C43D028664AF89DB76344EA6A36C0480BA782CC6F" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml.faf80de710ab7ef892b2fd7c43d028664af89db76344ea6a36c0480ba782cc6f")) returned 1 [0080.933] GetProcessHeap () returned 0x4c0000 [0080.933] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc91e0 | out: hHeap=0x4c0000) returned 1 [0080.933] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0080.937] ReadFile (in: hFile=0x184, lpBuffer=0x56ab1c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x54aae8 | out: lpBuffer=0x56ab1c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x54aae8) returned 1 [0080.937] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0080.985] WriteFile (in: hFile=0x184, lpBuffer=0x56ab1c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54aae8 | out: lpBuffer=0x56ab1c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54aae8) returned 0x0 [0080.987] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0081.203] ReadFile (in: hFile=0x194, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0081.204] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0081.334] WriteFile (in: hFile=0x190, lpBuffer=0x3bc01bc*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ba0188 | out: lpBuffer=0x3bc01bc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ba0188) returned 1 [0081.335] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0081.476] CloseHandle (hObject=0x194) returned 1 [0082.821] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.864393B753CB375BA396C057DAC27ED2072CDA97EA5BEFD947E2112C5854BB14" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml.864393b753cb375ba396c057dac27ed2072cda97ea5befd947e2112c5854bb14")) returned 1 [0082.822] GetProcessHeap () returned 0x4c0000 [0082.822] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0082.826] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0083.891] WriteFile (in: hFile=0x19c, lpBuffer=0x3c9816c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c78138 | out: lpBuffer=0x3c9816c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c78138) returned 0x0 [0083.892] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0085.221] WriteFile (in: hFile=0x1a0, lpBuffer=0x3bc01bc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ba0188 | out: lpBuffer=0x3bc01bc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ba0188) returned 0x0 [0085.229] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0085.292] CloseHandle (hObject=0x180) returned 1 [0096.534] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.EF2AD8F334BDF147D9C8DB9C0F30E12B2E50049C2A3F7B6D8FE265A527CCD811" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi.ef2ad8f334bdf147d9c8db9c0f30e12b2e50049c2a3f7b6d8fe265a527ccd811")) returned 1 [0096.535] GetProcessHeap () returned 0x4c0000 [0096.535] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b78138 | out: hHeap=0x4c0000) returned 1 [0096.539] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0096.558] CloseHandle (hObject=0x188) returned 1 [0096.560] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.76D6A87C8EEADFD9799A02730243F1D796427A9133401EEE1001B9DC8933DA31" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi.76d6a87c8eeadfd9799a02730243f1d796427a9133401eee1001b9dc8933da31")) returned 1 [0096.561] GetProcessHeap () returned 0x4c0000 [0096.561] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c500e8 | out: hHeap=0x4c0000) returned 1 [0096.561] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0112.429] WriteFile (in: hFile=0x17c, lpBuffer=0x3b80124, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0) returned 0x0 [0112.430] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0112.494] CloseHandle (hObject=0x17c) returned 1 [0112.496] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\UserCache.bin" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\usercache.bin"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\UserCache.bin.A4889832DEE00548645C371B752874ABB61372D68F316F313076ED06CA76C042" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\usercache.bin.a4889832dee00548645c371b752874abb61372d68f316f313076ed06ca76c042")) returned 1 [0112.498] GetProcessHeap () returned 0x4c0000 [0112.498] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0112.499] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0112.598] CloseHandle (hObject=0x1b0) returned 1 [0112.599] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\profiles\\wsrgb.icc"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc.A3634D298692334390C13D0CC8EE73078F6E7A07FA4DCD008D04AF29BA1BAB1A" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\profiles\\wsrgb.icc.a3634d298692334390c13d0cc8ee73078f6e7a07fa4dcd008d04af29ba1bab1a")) returned 1 [0112.600] GetProcessHeap () returned 0x4c0000 [0112.600] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ca0188 | out: hHeap=0x4c0000) returned 1 [0112.600] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0112.772] CloseHandle (hObject=0x18c) returned 1 [0113.115] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi.4091D324F9DD4B2BA690ACD58ED3C1794D7D118C22CCDA443EA7182D8DE5D634" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi.4091d324f9dd4b2ba690acd58ed3c1794d7d118c22ccda443ea7182d8de5d634")) returned 1 [0113.115] GetProcessHeap () returned 0x4c0000 [0113.115] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0113.116] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0113.235] WriteFile (in: hFile=0x178, lpBuffer=0x3b80124*, nNumberOfBytesToWrite=0xe00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0) returned 1 [0113.236] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0119.036] ReadFile (in: hFile=0x1bc, lpBuffer=0x3ce808c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3cc8058 | out: lpBuffer=0x3ce808c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3cc8058) returned 1 [0119.036] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0119.041] WriteFile (in: hFile=0x1b4, lpBuffer=0x3c690e4, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c490b0 | out: lpBuffer=0x3c690e4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c490b0) returned 0x0 [0119.046] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0119.553] CloseHandle (hObject=0x1bc) returned 1 [0119.553] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\messages.json.DA6401EC47B5FF5AF6D007D82178156D138426036B6BC942657A818BB6117705" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\messages.json.da6401ec47b5ff5af6d007d82178156d138426036b6bc942657a818bb6117705")) returned 1 [0119.555] GetProcessHeap () returned 0x4c0000 [0119.555] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3cc11a0 | out: hHeap=0x4c0000) returned 1 [0119.555] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0119.576] ReadFile (in: hFile=0x1c4, lpBuffer=0x3d31274, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d11240 | out: lpBuffer=0x3d31274*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d11240) returned 1 [0119.577] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0119.580] CloseHandle (hObject=0x198) returned 1 [0119.645] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\messages.json.0F69CAD62D14372E5B442A795487486DE72EC129DDD6C6104036A60A6CB7CB46" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\messages.json.0f69cad62d14372e5b442a795487486de72ec129ddd6c6104036a60a6cb7cb46")) returned 1 [0119.646] GetProcessHeap () returned 0x4c0000 [0119.646] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0119.646] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0119.846] CloseHandle (hObject=0x16c) returned 1 [0120.051] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\messages.json.0781B4F25F4C10946A417BCF9550F8A67D19E2660D7A47DA1EFA388502D01B3B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\messages.json.0781b4f25f4c10946a417bcf9550f8a67d19e2660d7a47da1efa388502d01b3b")) returned 1 [0120.059] GetProcessHeap () returned 0x4c0000 [0120.059] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0120.059] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0120.275] WriteFile (in: hFile=0x184, lpBuffer=0x3b580d4, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0) returned 0x0 [0120.285] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0123.461] WriteFile (in: hFile=0x1bc, lpBuffer=0x3c4008c, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c20058 | out: lpBuffer=0x3c4008c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c20058) returned 0x0 [0123.640] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0123.640] CloseHandle (hObject=0x17c) returned 1 [0123.689] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.css" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.css"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.css.81A8DFC9879D9B2D5B8F0CF0B0B12C36E582CBBA0EC1489AE65F88F41F874128" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.css.81a8dfc9879d9b2d5b8f0cf0b0b12c36e582cbba0ec1489ae65f88f41f874128")) returned 1 [0123.701] GetProcessHeap () returned 0x4c0000 [0123.701] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c9a148 | out: hHeap=0x4c0000) returned 1 [0123.701] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0124.684] CloseHandle (hObject=0x1cc) returned 1 [0124.697] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\messages.json.3A7F70232E420DB18C15C97F6B121F98400A9B6FB4A0AC78B2D6199B49980C11" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\messages.json.3a7f70232e420db18c15c97f6b121f98400a9b6fb4a0ac78b2d6199b49980c11")) returned 1 [0124.702] GetProcessHeap () returned 0x4c0000 [0124.702] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3d11058 | out: hHeap=0x4c0000) returned 1 [0124.702] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0124.703] CloseHandle (hObject=0x1b0) returned 1 [0124.742] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\messages.json.4668AD4C376874FD7F87B735ACB68A412EB90711D5336810EA34650A7BC20307" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\messages.json.4668ad4c376874fd7f87b735acb68a412eb90711d5336810ea34650a7bc20307")) returned 1 [0124.747] GetProcessHeap () returned 0x4c0000 [0124.747] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c720f8 | out: hHeap=0x4c0000) returned 1 [0124.748] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0126.755] WriteFile (in: hFile=0x178, lpBuffer=0x3d5a2bc, nNumberOfBytesToWrite=0x4200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d3a288 | out: lpBuffer=0x3d5a2bc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d3a288) returned 0x0 [0126.764] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0126.764] CloseHandle (hObject=0x1c8) returned 1 [0126.766] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\messages.json.04C717353E0A57D026900DB81DE2C510B441175585DF08F2D729476B86469D07" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\messages.json.04c717353e0a57d026900db81de2c510b441175585df08f2d729476b86469d07")) returned 1 [0126.774] GetProcessHeap () returned 0x4c0000 [0126.774] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3cea1e8 | out: hHeap=0x4c0000) returned 1 [0126.774] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0137.103] ReadFile (in: hFile=0xec, lpBuffer=0x3b80124, nNumberOfBytesToRead=0x6600, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0) returned 1 [0137.103] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0137.126] WriteFile (in: hFile=0xec, lpBuffer=0x3b80124, nNumberOfBytesToWrite=0x6600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0) returned 0x0 [0137.529] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0137.572] WriteFile (in: hFile=0x1b8, lpBuffer=0x3c9212c, nNumberOfBytesToWrite=0x7e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8) returned 0x0 [0137.669] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0137.696] WriteFile (in: hFile=0x128, lpBuffer=0x3d3226c*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d12238 | out: lpBuffer=0x3d3226c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d12238) returned 1 [0137.701] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0137.701] CloseHandle (hObject=0x1d4) returned 1 [0137.708] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\history\\history.ie5\\index.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\index.dat.9B9FCFB1EF4449AF221BA95950273D503F0D683BAC8CC101ECADD64AAEAEC031" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\history\\history.ie5\\index.dat.9b9fcfb1ef4449af221ba95950273d503f0d683bac8cc101ecadd64aaeaec031")) returned 1 [0137.709] GetProcessHeap () returned 0x4c0000 [0137.709] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0137.710] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0137.710] CloseHandle (hObject=0x1b8) returned 1 [0137.724] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\NqDfGqVA8vFzG5.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\nqdfgqva8vfzg5.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\NqDfGqVA8vFzG5.flv.93E17FDE4B40995EC92B4F3C73CA8A078EF8D6A4D47F098694A85B617F465C04" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\nqdfgqva8vfzg5.flv.93e17fde4b40995ec92b4f3c73ca8a078ef8d6a4d47f098694a85b617f465c04")) returned 1 [0137.745] GetProcessHeap () returned 0x4c0000 [0137.745] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c720f8 | out: hHeap=0x4c0000) returned 1 [0137.748] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0165.197] WriteFile (in: hFile=0x180, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0165.221] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08) returned 1 [0166.560] CloseHandle (hObject=0x1d4) returned 1 [0166.570] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\peacock.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg.5918CE3FC2AF3CADFC8521A58C691827A222002352380ADCF2EFE61A37B95D41" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\peacock.jpg.5918ce3fc2af3cadfc8521a58c691827a222002352380adcf2efe61a37b95d41")) returned 1 [0166.581] GetProcessHeap () returned 0x4c0000 [0166.581] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0166.585] GetQueuedCompletionStatus (CompletionPort=0x94, lpNumberOfBytesTransferred=0x2cafe10, lpCompletionKey=0x2cafe0c, lpOverlapped=0x2cafe08, dwMilliseconds=0xffffffff) Thread: id = 9 os_tid = 0x36c [0061.329] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0076.081] ReadFile (in: hFile=0x168, lpBuffer=0x532ac4, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x512a90 | out: lpBuffer=0x532ac4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x512a90) returned 1 [0076.081] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0076.352] ReadFile (in: hFile=0x174, lpBuffer=0x592b6c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x572b38 | out: lpBuffer=0x592b6c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x572b38) returned 1 [0076.352] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0076.378] ReadFile (in: hFile=0x178, lpBuffer=0x3b2007c, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b00048 | out: lpBuffer=0x3b2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b00048) returned 1 [0076.378] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0076.445] WriteFile (in: hFile=0x178, lpBuffer=0x3b2007c, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b00048 | out: lpBuffer=0x3b2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b00048) returned 0x0 [0076.446] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0076.560] CloseHandle (hObject=0x178) returned 1 [0076.569] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.98D1BC21EF9A3E7EFA4C3E2881BACAC451E39C92519040370209AD073CB1B064" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml.98d1bc21ef9a3e7efa4c3e2881bacac451e39c92519040370209ad073cb1b064")) returned 1 [0076.570] GetProcessHeap () returned 0x4c0000 [0076.570] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0076.570] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0076.633] ReadFile (in: hFile=0x180, lpBuffer=0x3b7011c, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b500e8 | out: lpBuffer=0x3b7011c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b500e8) returned 1 [0076.662] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0076.731] WriteFile (in: hFile=0x188, lpBuffer=0x3bc01bc*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ba0188 | out: lpBuffer=0x3bc01bc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ba0188) returned 1 [0076.732] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0077.091] WriteFile (in: hFile=0x178, lpBuffer=0x3b2007c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b00048 | out: lpBuffer=0x3b2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b00048) returned 0x0 [0077.102] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0077.212] WriteFile (in: hFile=0x174, lpBuffer=0x3b480cc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b28098 | out: lpBuffer=0x3b480cc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b28098) returned 0x0 [0077.214] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0077.249] ReadFile (in: hFile=0x17c, lpBuffer=0x3bc01bc, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ba0188 | out: lpBuffer=0x3bc01bc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ba0188) returned 1 [0077.249] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0077.251] WriteFile (in: hFile=0x17c, lpBuffer=0x3bc01bc*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ba0188 | out: lpBuffer=0x3bc01bc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ba0188) returned 1 [0077.252] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0077.258] CloseHandle (hObject=0x180) returned 1 [0077.265] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.58424D39F844C75282A2D4840087DCAF6D016469CBFAD8011773D4010C4A2D70" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml.58424d39f844c75282a2d4840087dcaf6d016469cbfad8011773d4010c4a2d70")) returned 1 [0077.266] GetProcessHeap () returned 0x4c0000 [0077.266] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b500e8 | out: hHeap=0x4c0000) returned 1 [0077.266] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0077.269] CloseHandle (hObject=0x178) returned 1 [0077.300] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.49EF08D9D8A8CB4558D69DB57480835E2E7232210464AAEA86ED2FDEA9EF197D" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi.49ef08d9d8a8cb4558d69db57480835e2e7232210464aaea86ed2fdea9ef197d")) returned 1 [0077.301] GetProcessHeap () returned 0x4c0000 [0077.301] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0077.304] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0077.422] CloseHandle (hObject=0x174) returned 1 [0077.457] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.4C02D112E361038FA83F489F73164CAC8A31099B82CE51224F781910D54F4350" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi.4c02d112e361038fa83f489f73164cac8a31099b82ce51224f781910d54f4350")) returned 1 [0077.459] GetProcessHeap () returned 0x4c0000 [0077.459] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b28098 | out: hHeap=0x4c0000) returned 1 [0077.461] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0077.463] CloseHandle (hObject=0x17c) returned 1 [0077.470] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.C5B6B2D2086FF7F70D678450AD7CAB7A4AAC5C7D3783BD73933C5DAF783D1F49" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml.c5b6b2d2086ff7f70d678450ad7cab7a4aac5c7d3783bd73933c5daf783d1f49")) returned 1 [0077.474] GetProcessHeap () returned 0x4c0000 [0077.474] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ba0188 | out: hHeap=0x4c0000) returned 1 [0077.474] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0077.609] ReadFile (in: hFile=0x188, lpBuffer=0x592b6c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x572b38 | out: lpBuffer=0x592b6c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x572b38) returned 1 [0077.609] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0077.639] WriteFile (in: hFile=0x188, lpBuffer=0x592b6c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x572b38 | out: lpBuffer=0x592b6c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x572b38) returned 0x0 [0077.641] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0077.666] ReadFile (in: hFile=0x17c, lpBuffer=0x3bc01bc, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ba0188 | out: lpBuffer=0x3bc01bc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ba0188) returned 1 [0077.666] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0077.668] WriteFile (in: hFile=0x17c, lpBuffer=0x3bc01bc*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ba0188 | out: lpBuffer=0x3bc01bc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ba0188) returned 1 [0077.669] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0077.670] CloseHandle (hObject=0x17c) returned 1 [0077.677] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.017C5F3BCC20F4CA0782DA73990199645D4EB5B3DCD9F58B805B27CFD1DB751D" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml.017c5f3bcc20f4ca0782da73990199645d4eb5b3dcd9f58b805b27cfd1db751d")) returned 1 [0077.678] GetProcessHeap () returned 0x4c0000 [0077.678] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ba0188 | out: hHeap=0x4c0000) returned 1 [0077.678] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0077.732] ReadFile (in: hFile=0x168, lpBuffer=0x3bc01bc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ba0188 | out: lpBuffer=0x3bc01bc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ba0188) returned 1 [0077.757] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0077.797] WriteFile (in: hFile=0x168, lpBuffer=0x3bc01bc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ba0188 | out: lpBuffer=0x3bc01bc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ba0188) returned 0x0 [0077.799] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0078.173] ReadFile (in: hFile=0x174, lpBuffer=0x3b2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b00048 | out: lpBuffer=0x3b2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b00048) returned 1 [0078.173] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0078.210] WriteFile (in: hFile=0x174, lpBuffer=0x3b2007c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b00048 | out: lpBuffer=0x3b2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b00048) returned 0x0 [0078.211] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0078.231] ReadFile (in: hFile=0x170, lpBuffer=0x56ab1c, nNumberOfBytesToRead=0xc00, lpNumberOfBytesRead=0x0, lpOverlapped=0x54aae8 | out: lpBuffer=0x56ab1c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x54aae8) returned 1 [0078.232] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0078.235] WriteFile (in: hFile=0x170, lpBuffer=0x56ab1c*, nNumberOfBytesToWrite=0xc00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54aae8 | out: lpBuffer=0x56ab1c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54aae8) returned 1 [0078.236] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0078.237] CloseHandle (hObject=0x170) returned 1 [0078.239] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.03A865DC3D972F27F40F2B5A905B8C0928593D029948DC4B2E03145E0B804466" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml.03a865dc3d972f27f40f2b5a905b8c0928593d029948dc4b2e03145e0b804466")) returned 1 [0078.240] GetProcessHeap () returned 0x4c0000 [0078.240] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x54aae8 | out: hHeap=0x4c0000) returned 1 [0078.240] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0078.259] ReadFile (in: hFile=0x184, lpBuffer=0x56ab1c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x0, lpOverlapped=0x54aae8 | out: lpBuffer=0x56ab1c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x54aae8) returned 1 [0078.259] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0078.263] WriteFile (in: hFile=0x184, lpBuffer=0x56ab1c*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54aae8 | out: lpBuffer=0x56ab1c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54aae8) returned 1 [0078.264] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0078.265] CloseHandle (hObject=0x184) returned 1 [0078.268] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.23EA631E2CF9D4A343709616C0829730B13D8C743CE69B3A38205ECAA45F2448" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml.23ea631e2cf9d4a343709616c0829730b13d8c743ce69b3a38205ecaa45f2448")) returned 1 [0078.269] GetProcessHeap () returned 0x4c0000 [0078.269] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x54aae8 | out: hHeap=0x4c0000) returned 1 [0078.269] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0078.294] ReadFile (in: hFile=0x184, lpBuffer=0x56ab1c, nNumberOfBytesToRead=0x800, lpNumberOfBytesRead=0x0, lpOverlapped=0x54aae8 | out: lpBuffer=0x56ab1c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x54aae8) returned 1 [0078.294] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0078.296] WriteFile (in: hFile=0x184, lpBuffer=0x56ab1c, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54aae8 | out: lpBuffer=0x56ab1c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54aae8) returned 0x0 [0078.298] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0078.299] CloseHandle (hObject=0x184) returned 1 [0078.303] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.31B339472961389901478D63967E174BCEC5B4DD3EB88AE832D898F76440AB5D" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml.31b339472961389901478d63967e174bcec5b4dd3eb88ae832d898f76440ab5d")) returned 1 [0078.305] GetProcessHeap () returned 0x4c0000 [0078.305] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x54aae8 | out: hHeap=0x4c0000) returned 1 [0078.305] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0078.324] ReadFile (in: hFile=0x184, lpBuffer=0x56ab1c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x54aae8 | out: lpBuffer=0x56ab1c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x54aae8) returned 1 [0078.324] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0078.363] WriteFile (in: hFile=0x184, lpBuffer=0x56ab1c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54aae8 | out: lpBuffer=0x56ab1c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54aae8) returned 0x0 [0078.365] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0078.495] CloseHandle (hObject=0x174) returned 1 [0079.371] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.52A3557A29814C2582DDE920DC4E0759058361826811D9FB65502B7112C2F205" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi.52a3557a29814c2582dde920dc4e0759058361826811d9fb65502b7112c2f205")) returned 1 [0079.385] GetProcessHeap () returned 0x4c0000 [0079.385] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0079.385] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0080.063] CloseHandle (hObject=0x180) returned 1 [0082.832] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.D85A98F1893F70CB346458DE2C81A68856473105C5640E314C9D21036249C901" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab.d85a98f1893f70cb346458de2c81a68856473105c5640e314c9d21036249c901")) returned 1 [0082.833] GetProcessHeap () returned 0x4c0000 [0082.879] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b500e8 | out: hHeap=0x4c0000) returned 1 [0082.879] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0083.647] CloseHandle (hObject=0x184) returned 1 [0085.227] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.8D3490C870AECDFD04F20E29CD79FBB59E50197506E2BCF3C5753FDC26E9931E" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi.8d3490c870aecdfd04f20e29cd79fbb59e50197506e2bcf3c5753fdc26e9931e")) returned 1 [0085.702] GetProcessHeap () returned 0x4c0000 [0085.702] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x54aae8 | out: hHeap=0x4c0000) returned 1 [0085.706] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0085.838] ReadFile (in: hFile=0x18c, lpBuffer=0x56ab1c, nNumberOfBytesToRead=0x2400, lpNumberOfBytesRead=0x0, lpOverlapped=0x54aae8 | out: lpBuffer=0x56ab1c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x54aae8) returned 1 [0085.840] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0085.896] ReadFile (in: hFile=0x188, lpBuffer=0x3c7011c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c500e8 | out: lpBuffer=0x3c7011c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c500e8) returned 1 [0085.896] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0096.511] WriteFile (in: hFile=0x18c, lpBuffer=0x56ab1c, nNumberOfBytesToWrite=0x2400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54aae8 | out: lpBuffer=0x56ab1c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x54aae8) returned 0x0 [0096.516] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0096.561] CloseHandle (hObject=0x1a0) returned 1 [0096.563] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.58CE6A0711D2379D2FA5F7D0D3DF07AF0F1456EE3372ED73A912E5FB92E6A164" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi.58ce6a0711d2379d2fa5f7d0d3df07af0f1456ee3372ed73a912e5fb92e6a164")) returned 1 [0096.564] GetProcessHeap () returned 0x4c0000 [0096.564] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ba0188 | out: hHeap=0x4c0000) returned 1 [0096.565] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0096.888] WriteFile (in: hFile=0x194, lpBuffer=0x3c7011c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c500e8 | out: lpBuffer=0x3c7011c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c500e8) returned 0x0 [0096.890] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0096.926] WriteFile (in: hFile=0x174, lpBuffer=0x3cc01bc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ca0188 | out: lpBuffer=0x3cc01bc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ca0188) returned 0x0 [0096.927] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0097.347] WriteFile (in: hFile=0x170, lpBuffer=0x592b6c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x572b38 | out: lpBuffer=0x592b6c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x572b38) returned 0x0 [0097.362] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0097.702] CloseHandle (hObject=0x194) returned 1 [0097.706] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll.04EA7AE870D4683DD7722BCBEF392D907CBBD9965512813E5A4DFC6F5A1EAD1B" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll.04ea7ae870d4683dd7722bcbef392d907cbbd9965512813e5a4dfc6f5a1ead1b")) returned 1 [0097.707] GetProcessHeap () returned 0x4c0000 [0097.707] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b500e8 | out: hHeap=0x4c0000) returned 1 [0097.707] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0097.967] WriteFile (in: hFile=0x198, lpBuffer=0x3b480cc, nNumberOfBytesToWrite=0x6a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b28098 | out: lpBuffer=0x3b480cc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b28098) returned 0x0 [0097.969] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0098.019] ReadFile (in: hFile=0x174, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0098.020] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0098.067] WriteFile (in: hFile=0x174, lpBuffer=0x3c2007c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 0x0 [0098.068] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0098.097] ReadFile (in: hFile=0x1a0, lpBuffer=0x3b7011c, nNumberOfBytesToRead=0x2400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b500e8 | out: lpBuffer=0x3b7011c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b500e8) returned 1 [0098.097] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0098.106] WriteFile (in: hFile=0x1a0, lpBuffer=0x3b7011c, nNumberOfBytesToWrite=0x2400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b500e8 | out: lpBuffer=0x3b7011c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b500e8) returned 0x0 [0098.107] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0098.117] CloseHandle (hObject=0x1a0) returned 1 [0098.118] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.D4981534D9B1C280773349FA61FBE0E1C83B6D6B13D6BB2EE19C548ADCE8E758" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml.d4981534d9b1c280773349fa61fbe0e1c83b6d6b13d6bb2ee19c548adce8e758")) returned 1 [0098.119] GetProcessHeap () returned 0x4c0000 [0098.119] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b500e8 | out: hHeap=0x4c0000) returned 1 [0098.119] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0098.138] ReadFile (in: hFile=0x19c, lpBuffer=0x3b9816c, nNumberOfBytesToRead=0xe00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b78138 | out: lpBuffer=0x3b9816c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b78138) returned 1 [0098.138] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0098.143] WriteFile (in: hFile=0x19c, lpBuffer=0x3b9816c*, nNumberOfBytesToWrite=0xe00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b78138 | out: lpBuffer=0x3b9816c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b78138) returned 1 [0098.145] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0098.145] CloseHandle (hObject=0x19c) returned 1 [0098.146] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.95306314A53560B233AFBE74A2D080BCE3E5D0169F2162ECD66072F889AFF228" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst.95306314a53560b233afbe74a2d080bce3e5d0169f2162ecd66072f889aff228")) returned 1 [0098.147] GetProcessHeap () returned 0x4c0000 [0098.147] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b78138 | out: hHeap=0x4c0000) returned 1 [0098.147] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0098.172] CloseHandle (hObject=0x184) returned 1 [0098.174] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.13430750B30563AA2506AA4B72663ADF6B4C9F1B49D80B7D30D6DE68028BF023" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi.13430750b30563aa2506aa4b72663adf6b4c9f1b49d80b7d30d6de68028bf023")) returned 1 [0098.175] GetProcessHeap () returned 0x4c0000 [0098.175] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x572b38 | out: hHeap=0x4c0000) returned 1 [0098.176] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0098.178] CloseHandle (hObject=0x170) returned 1 [0098.179] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.589FD16C66BA3D6F8B6D944817B15EF3AF5ADB86EFCF1ED93BFDAF4A4BDC147B" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml.589fd16c66ba3d6f8b6d944817b15ef3af5adb86efcf1ed93bfdaf4a4bdc147b")) returned 1 [0098.180] GetProcessHeap () returned 0x4c0000 [0098.180] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x54aae8 | out: hHeap=0x4c0000) returned 1 [0098.180] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0098.185] CloseHandle (hObject=0x194) returned 1 [0098.187] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll.FE2C668C6C596585B292B47775EA2DF19E103880051E37C75AF2580DDAFC9115" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll.fe2c668c6c596585b292b47775ea2df19e103880051e37c75af2580ddafc9115")) returned 1 [0098.187] GetProcessHeap () returned 0x4c0000 [0098.187] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0098.187] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0098.189] CloseHandle (hObject=0x198) returned 1 [0098.192] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.4C771CF9D3A72A01AA7AC712FF11DF7DFB6F7B84C91575C72688120E7E44122C" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm.4c771cf9d3a72a01aa7ac712ff11df7dfb6f7b84c91575c72688120e7e44122c")) returned 1 [0098.192] GetProcessHeap () returned 0x4c0000 [0098.192] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b28098 | out: hHeap=0x4c0000) returned 1 [0098.196] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0098.513] ReadFile (in: hFile=0x19c, lpBuffer=0x3b7011c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b500e8 | out: lpBuffer=0x3b7011c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b500e8) returned 1 [0098.548] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0098.601] ReadFile (in: hFile=0x188, lpBuffer=0x3bc01bc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ba0188 | out: lpBuffer=0x3bc01bc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ba0188) returned 0x0 [0098.643] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0098.697] CloseHandle (hObject=0x188) returned 1 [0098.731] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.CDE45FE917EBA527B602B638FDE61E851E860A24D0B8F27533966245D7663768" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml.cde45fe917eba527b602b638fde61e851e860a24d0b8f27533966245d7663768")) returned 1 [0098.732] GetProcessHeap () returned 0x4c0000 [0098.732] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ba0188 | out: hHeap=0x4c0000) returned 1 [0098.732] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0098.816] CloseHandle (hObject=0x19c) returned 1 [0098.823] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.94D798D0F120C7749DC7B552E1D1429B6A9E4711F9ADB1AF393A8F38D0EFF101" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi.94d798d0f120c7749dc7b552e1d1429b6a9e4711f9adb1af393a8f38d0eff101")) returned 1 [0098.825] GetProcessHeap () returned 0x4c0000 [0098.825] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b500e8 | out: hHeap=0x4c0000) returned 1 [0098.825] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0099.636] CloseHandle (hObject=0x18c) returned 1 [0099.637] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab.4E3F1F2091681FF6171611208F10C18119D45A337543A6A2C95C6E136FFFE104" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab.4e3f1f2091681ff6171611208f10c18119d45a337543a6a2c95c6e136fffe104")) returned 1 [0099.641] GetProcessHeap () returned 0x4c0000 [0099.641] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x572b38 | out: hHeap=0x4c0000) returned 1 [0099.642] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0099.643] CloseHandle (hObject=0x180) returned 1 [0099.645] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.9343DC6BACE376D22207DDA638D747A13DA897F6ADC43AAF706D30A32FBF9E70" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml.9343dc6bace376d22207dda638d747a13da897f6adc43aaf706d30a32fbf9e70")) returned 1 [0099.646] GetProcessHeap () returned 0x4c0000 [0099.646] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0099.646] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0099.648] CloseHandle (hObject=0x188) returned 1 [0099.650] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab.A7A0677386746EA7B2DD77B32D17E3B338E00078E8852803A2CA03A1CD974013" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab.a7a0677386746ea7b2dd77b32d17e3b338e00078e8852803a2ca03a1cd974013")) returned 1 [0099.650] GetProcessHeap () returned 0x4c0000 [0099.650] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c500e8 | out: hHeap=0x4c0000) returned 1 [0099.651] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0099.661] ReadFile (in: hFile=0x19c, lpBuffer=0x3c480cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098) returned 1 [0099.662] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0099.668] WriteFile (in: hFile=0x19c, lpBuffer=0x3c480cc, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098) returned 0x0 [0099.669] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0099.681] CloseHandle (hObject=0x19c) returned 1 [0099.682] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.41898FBD1FFA5F65FF54B8879B73EF1AA8D657C279E51EF5DCD7BA4FD93A7F53" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml.41898fbd1ffa5f65ff54b8879b73ef1aa8d657c279e51ef5dcd7ba4fd93a7f53")) returned 1 [0099.683] GetProcessHeap () returned 0x4c0000 [0099.683] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0099.683] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0099.700] ReadFile (in: hFile=0x188, lpBuffer=0x3c7011c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c500e8 | out: lpBuffer=0x3c7011c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c500e8) returned 1 [0099.700] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0099.763] WriteFile (in: hFile=0x188, lpBuffer=0x3c7011c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c500e8 | out: lpBuffer=0x3c7011c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c500e8) returned 0x0 [0099.765] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0099.771] ReadFile (in: hFile=0x19c, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0099.772] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0099.815] ReadFile (in: hFile=0x180, lpBuffer=0x3c480cc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098) returned 1 [0099.815] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0099.877] CloseHandle (hObject=0x188) returned 1 [0099.881] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe.0A5E80927D8734A321CB07CBABFBA177ADF7F1CF381A3F136991DE5FD1FBD863" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe.0a5e80927d8734a321cb07cbabfba177adf7f1cf381a3f136991de5fd1fbd863")) returned 1 [0099.881] GetProcessHeap () returned 0x4c0000 [0099.882] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c500e8 | out: hHeap=0x4c0000) returned 1 [0099.882] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0101.109] ReadFile (in: hFile=0x198, lpBuffer=0x3b2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b00048 | out: lpBuffer=0x3b2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b00048) returned 1 [0101.109] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0101.152] WriteFile (in: hFile=0x198, lpBuffer=0x3b2007c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b00048 | out: lpBuffer=0x3b2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b00048) returned 0x0 [0101.153] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0101.180] CloseHandle (hObject=0x174) returned 1 [0101.181] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.447B198ED51748DA0CADA9741428A58EF49E29222C7FD4DCBD22109B80CFD849" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.447b198ed51748da0cada9741428a58ef49e29222c7fd4dcbd22109b80cfd849")) returned 1 [0101.182] GetProcessHeap () returned 0x4c0000 [0101.182] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b78138 | out: hHeap=0x4c0000) returned 1 [0101.183] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0101.225] WriteFile (in: hFile=0x19c, lpBuffer=0x3b480cc*, nNumberOfBytesToWrite=0x2200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b28098 | out: lpBuffer=0x3b480cc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b28098) returned 1 [0101.227] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0101.227] CloseHandle (hObject=0x19c) returned 1 [0101.228] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.974C5F72E790FDA42B7773D1F0FB94D724A04D0D114800542683BDFC9B172677" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml.974c5f72e790fda42b7773d1f0fb94d724a04d0d114800542683bdfc9b172677")) returned 1 [0101.230] GetProcessHeap () returned 0x4c0000 [0101.230] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b28098 | out: hHeap=0x4c0000) returned 1 [0101.230] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0101.352] CloseHandle (hObject=0x198) returned 1 [0101.354] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi.AF7A2ADBDDDA79FF8227A2A4E8C8A984133CE23D96DD2B5118DB4F16130CFA5B" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi.af7a2adbddda79ff8227a2a4e8c8a984133ce23d96dd2b5118db4f16130cfa5b")) returned 1 [0101.355] GetProcessHeap () returned 0x4c0000 [0101.355] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0101.355] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0101.383] ReadFile (in: hFile=0x198, lpBuffer=0x3b2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b00048 | out: lpBuffer=0x3b2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b00048) returned 1 [0101.383] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0101.446] WriteFile (in: hFile=0x198, lpBuffer=0x3b2007c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b00048 | out: lpBuffer=0x3b2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b00048) returned 0x0 [0101.448] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0101.463] ReadFile (in: hFile=0x1a0, lpBuffer=0x3b880ec, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b680b8 | out: lpBuffer=0x3b880ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b680b8) returned 1 [0101.463] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0101.496] WriteFile (in: hFile=0x1a0, lpBuffer=0x3b880ec, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b680b8 | out: lpBuffer=0x3b880ec, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b680b8) returned 0x0 [0101.497] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0101.517] ReadFile (in: hFile=0x188, lpBuffer=0x3bb013c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b90108 | out: lpBuffer=0x3bb013c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b90108) returned 1 [0101.518] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0101.549] WriteFile (in: hFile=0x188, lpBuffer=0x3bb013c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b90108 | out: lpBuffer=0x3bb013c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b90108) returned 0x0 [0101.550] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0101.626] ReadFile (in: hFile=0x1a4, lpBuffer=0x522abc, nNumberOfBytesToRead=0x2e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0101.626] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0101.638] CloseHandle (hObject=0x1a4) returned 1 [0101.640] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_cvalidator.h1d"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D.39741C82291B3A55753F8D8108EB7681E18D937FEC1FC448F1308E4EE8EAEC68" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_cvalidator.h1d.39741c82291b3a55753f8d8108eb7681e18d937fec1fc448f1308e4ee8eaec68")) returned 1 [0101.641] GetProcessHeap () returned 0x4c0000 [0101.641] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0101.641] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0101.758] ReadFile (in: hFile=0x184, lpBuffer=0x54ab0c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x52aad8 | out: lpBuffer=0x54ab0c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52aad8) returned 1 [0101.759] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0101.799] WriteFile (in: hFile=0x1a4, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0101.837] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0101.851] WriteFile (in: hFile=0x170, lpBuffer=0x572b5c, nNumberOfBytesToWrite=0x3800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x552b28 | out: lpBuffer=0x572b5c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x552b28) returned 0x0 [0101.854] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0102.315] ReadFile (in: hFile=0x18c, lpBuffer=0x3ba8174, nNumberOfBytesToRead=0x3a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140) returned 1 [0102.315] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0102.326] CloseHandle (hObject=0x1a4) returned 1 [0102.327] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll" (normalized: "c:\\programdata\\microsoft\\identitycrl\\ppcrlconfig.dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll.1134E4FFE99DF5C7D28C714A4A9C6257EF6E3877185F004F8B0079A148DFC60E" (normalized: "c:\\programdata\\microsoft\\identitycrl\\ppcrlconfig.dll.1134e4ffe99df5c7d28c714a4a9c6257ef6e3877185f004f8b0079a148dfc60e")) returned 1 [0102.366] GetProcessHeap () returned 0x4c0000 [0102.366] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc8160 | out: hHeap=0x4c0000) returned 1 [0102.366] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0102.442] ReadFile (in: hFile=0x174, lpBuffer=0x3be8194, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc8160 | out: lpBuffer=0x3be8194*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc8160) returned 1 [0102.443] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0102.651] WriteFile (in: hFile=0x174, lpBuffer=0x3be8194, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc8160 | out: lpBuffer=0x3be8194, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc8160) returned 0x0 [0102.653] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0103.507] WriteFile (in: hFile=0x188, lpBuffer=0x3b80124, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0) returned 0x0 [0103.508] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0106.100] CloseHandle (hObject=0x194) returned 1 [0106.101] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\outllibr.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll.909B4B652C4B2500FD1EF1D7B830D8C29CD7682934F1708304F0759F3885E037" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\outllibr.dll.trx_dll.909b4b652c4b2500fd1ef1d7b830d8c29cd7682934f1708304f0759f3885e037")) returned 1 [0106.101] GetProcessHeap () returned 0x4c0000 [0106.101] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c500e8 | out: hHeap=0x4c0000) returned 1 [0106.101] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0106.661] CloseHandle (hObject=0x16c) returned 1 [0106.662] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\ppintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll.50DF6D9E501825B79A8BC02A67CAFB2FD2A2D4233CF5E03C07DF2A65ACDBD149" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\ppintl.dll.trx_dll.50df6d9e501825b79a8bc02a67cafb2fd2a2d4233cf5e03c07df2a65acdbd149")) returned 1 [0106.663] GetProcessHeap () returned 0x4c0000 [0106.663] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x57cb88 | out: hHeap=0x4c0000) returned 1 [0106.663] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0106.667] CloseHandle (hObject=0x1a4) returned 1 [0106.668] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\pub6intl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll.4C82347A81A76A2A78E5A1D7799275B4BC97097D4D64223CF4CE13100C423072" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\pub6intl.dll.trx_dll.4c82347a81a76a2a78e5a1d7799275b4bc97097d4d64223cf4ce13100c423072")) returned 1 [0106.669] GetProcessHeap () returned 0x4c0000 [0106.669] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0106.669] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0106.670] CloseHandle (hObject=0x178) returned 1 [0106.672] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\pub6intl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll.350F19F738999E06302D20320D48A051002D6A2643E19890600E8070B8D3B85E" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\pub6intl.rest.trx_dll.350f19f738999e06302d20320d48a051002d6a2643e19890600e8070b8d3b85e")) returned 1 [0106.673] GetProcessHeap () returned 0x4c0000 [0106.673] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc8160 | out: hHeap=0x4c0000) returned 1 [0106.673] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0106.692] ReadFile (in: hFile=0xec, lpBuffer=0x3c480cc, nNumberOfBytesToRead=0x3200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098) returned 1 [0106.692] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0107.108] ReadFile (in: hFile=0x18c, lpBuffer=0x532ac4, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x512a90 | out: lpBuffer=0x532ac4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x512a90) returned 1 [0107.108] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0107.127] ReadFile (in: hFile=0x194, lpBuffer=0x574b6c, nNumberOfBytesToRead=0x3800, lpNumberOfBytesRead=0x0, lpOverlapped=0x554b38 | out: lpBuffer=0x574b6c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x554b38) returned 1 [0107.127] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0107.184] WriteFile (in: hFile=0xec, lpBuffer=0x3be8194, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc8160 | out: lpBuffer=0x3be8194, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc8160) returned 0x0 [0107.255] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0107.293] ReadFile (in: hFile=0x184, lpBuffer=0x3b2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b00048 | out: lpBuffer=0x3b2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b00048) returned 1 [0107.293] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0107.333] WriteFile (in: hFile=0x184, lpBuffer=0x3b2007c*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b00048 | out: lpBuffer=0x3b2007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b00048) returned 1 [0107.334] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0107.335] CloseHandle (hObject=0x184) returned 1 [0107.340] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\cache\\cache.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat.27652585F2D357A672072533C20228AF1ADBE889FE29D6A7F274F8D88BB32D6A" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\cache\\cache.dat.27652585f2d357a672072533c20228af1adbe889fe29d6a7f274f8d88bb32d6a")) returned 1 [0107.341] GetProcessHeap () returned 0x4c0000 [0107.341] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b00048 | out: hHeap=0x4c0000) returned 1 [0107.345] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0107.391] ReadFile (in: hFile=0x184, lpBuffer=0x3b2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b00048 | out: lpBuffer=0x3b2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b00048) returned 1 [0107.391] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0107.432] WriteFile (in: hFile=0x184, lpBuffer=0x3b2007c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b00048 | out: lpBuffer=0x3b2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b00048) returned 0x0 [0107.471] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0107.578] CloseHandle (hObject=0x18c) returned 1 [0107.640] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\xlintl32.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll.A08EB1C5F9AEF82168DAA6533ABB921FFE72491543709BD08949FB026347AF0E" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\xlintl32.rest.trx_dll.a08eb1c5f9aef82168daa6533abb921ffe72491543709bd08949fb026347af0e")) returned 1 [0107.640] GetProcessHeap () returned 0x4c0000 [0107.640] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x512a90 | out: hHeap=0x4c0000) returned 1 [0107.640] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0107.870] WriteFile (in: hFile=0x184, lpBuffer=0x55ab14, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53aae0 | out: lpBuffer=0x55ab14, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53aae0) returned 0x0 [0107.871] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0107.975] ReadFile (in: hFile=0x194, lpBuffer=0x3be8194, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc8160 | out: lpBuffer=0x3be8194*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc8160) returned 1 [0107.975] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0108.119] WriteFile (in: hFile=0x114, lpBuffer=0x3c30084*, nNumberOfBytesToWrite=0x1a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c10050 | out: lpBuffer=0x3c30084*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c10050) returned 1 [0108.124] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0108.637] ReadFile (in: hFile=0xec, lpBuffer=0x3b580d4, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0) returned 1 [0108.637] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0108.839] ReadFile (in: hFile=0x178, lpBuffer=0x3c7011c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c500e8 | out: lpBuffer=0x3c7011c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c500e8) returned 1 [0108.839] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0109.041] WriteFile (in: hFile=0x16c, lpBuffer=0x3c2007c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 0x0 [0109.043] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0109.082] ReadFile (in: hFile=0x178, lpBuffer=0x3bd810c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bb80d8 | out: lpBuffer=0x3bd810c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bb80d8) returned 1 [0109.082] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0109.111] WriteFile (in: hFile=0x178, lpBuffer=0x3bd810c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bb80d8 | out: lpBuffer=0x3bd810c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bb80d8) returned 0x0 [0109.121] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0109.143] ReadFile (in: hFile=0x174, lpBuffer=0x3c480cc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098) returned 1 [0109.144] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0109.165] ReadFile (in: hFile=0x19c, lpBuffer=0x3c7011c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c500e8 | out: lpBuffer=0x3c7011c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c500e8) returned 1 [0109.166] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0109.194] WriteFile (in: hFile=0x19c, lpBuffer=0x3c7011c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c500e8 | out: lpBuffer=0x3c7011c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c500e8) returned 0x0 [0109.195] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0109.213] CloseHandle (hObject=0x174) returned 1 [0109.214] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm.A62E1B7F5248B4FEB21CFC39DDBFE4A700F1D112DE9E6E8CC33FDDC65904676E" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm.a62e1b7f5248b4feb21cfc39ddbfe4a700f1d112de9e6e8cc33fddc65904676e")) returned 1 [0109.217] GetProcessHeap () returned 0x4c0000 [0109.217] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0109.217] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0109.222] CloseHandle (hObject=0xec) returned 1 [0109.223] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi.09C1AB1F6D8EEE2DC416AD671D789A7F98404736D168FC4693E8736079754917" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi.09c1ab1f6d8eee2dc416ad671d789a7f98404736d168fc4693e8736079754917")) returned 1 [0109.224] GetProcessHeap () returned 0x4c0000 [0109.224] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0109.226] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0109.231] CloseHandle (hObject=0x184) returned 1 [0109.232] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe.FD87809AB3A40B9F62F0BBC1F489D64DFECFBA50D4A5BADEEACA4A19EFE34B55" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe.fd87809ab3a40b9f62f0bbc1f489d64dfecfba50d4a5badeeaca4a19efe34b55")) returned 1 [0109.233] GetProcessHeap () returned 0x4c0000 [0109.233] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0109.234] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0109.390] WriteFile (in: hFile=0x178, lpBuffer=0x3bd810c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bb80d8 | out: lpBuffer=0x3bd810c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bb80d8) returned 0x0 [0109.390] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0109.414] ReadFile (in: hFile=0x16c, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0109.414] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0109.443] WriteFile (in: hFile=0x16c, lpBuffer=0x3c2007c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 0x0 [0109.444] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0109.489] ReadFile (in: hFile=0x184, lpBuffer=0x3c480cc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098) returned 1 [0109.490] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0109.553] WriteFile (in: hFile=0x184, lpBuffer=0x3c480cc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098) returned 0x0 [0109.556] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0110.309] WriteFile (in: hFile=0x114, lpBuffer=0x3bd810c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bb80d8 | out: lpBuffer=0x3bd810c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bb80d8) returned 0x0 [0110.318] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0110.442] WriteFile (in: hFile=0x18c, lpBuffer=0x3b580d4, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0) returned 0x0 [0110.444] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0110.629] WriteFile (in: hFile=0x190, lpBuffer=0x3c2007c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 0x0 [0110.631] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0110.663] CloseHandle (hObject=0x174) returned 1 [0110.665] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab.EE171E528FC871145D4C1B3D85953D2864F45E854C7C0E63F4818CA20F631F7A" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\cab1.cab.ee171e528fc871145d4c1b3d85953d2864f45e854c7c0e63f4818ca20f631f7a")) returned 1 [0110.666] GetProcessHeap () returned 0x4c0000 [0110.666] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b88140 | out: hHeap=0x4c0000) returned 1 [0110.666] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0110.701] ReadFile (in: hFile=0x114, lpBuffer=0x3bd810c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bb80d8 | out: lpBuffer=0x3bd810c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bb80d8) returned 1 [0110.702] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0110.795] WriteFile (in: hFile=0x1a4, lpBuffer=0x3b580d4, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0) returned 0x0 [0110.860] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0111.223] CloseHandle (hObject=0x19c) returned 1 [0111.224] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm.26F3EA2F51392E2F2C32A49776F84448CF8B133C88FD97EF7742E108D475B00E" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm.26f3ea2f51392e2f2c32a49776f84448cf8b133c88fd97ef7742e108d475b00e")) returned 1 [0111.258] GetProcessHeap () returned 0x4c0000 [0111.258] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0111.258] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0111.372] ReadFile (in: hFile=0x180, lpBuffer=0x522abc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0111.373] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0111.402] ReadFile (in: hFile=0x1a4, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0111.402] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0111.594] WriteFile (in: hFile=0x1a4, lpBuffer=0x3c2007c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 0x0 [0111.596] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0111.798] CloseHandle (hObject=0x1a4) returned 1 [0111.943] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe" (normalized: "c:\\programdata\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\vc_redist.x86.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe.DC5F36B76264E280D2A4B71570B84BA1B61B523A6CFB3A77248568A21DF21521" (normalized: "c:\\programdata\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\vc_redist.x86.exe.dc5f36b76264e280d2a4b71570b84ba1b61b523a6cfb3a77248568a21df21521")) returned 1 [0111.947] GetProcessHeap () returned 0x4c0000 [0111.947] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0111.947] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0112.035] ReadFile (in: hFile=0x1a0, lpBuffer=0x3b580d4, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0) returned 1 [0112.035] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0112.218] WriteFile (in: hFile=0x1a0, lpBuffer=0x3b580d4, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0) returned 0x0 [0112.220] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0112.265] WriteFile (in: hFile=0x1ac, lpBuffer=0x3c9816c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c78138 | out: lpBuffer=0x3c9816c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c78138) returned 0x0 [0112.267] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0112.267] CloseHandle (hObject=0x1a0) returned 1 [0112.268] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\AcroFnt10.lst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\cache\\acrofnt10.lst"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\AcroFnt10.lst.D798FF33912D8E4F279F25F10C08A914E86AAD9F7E7083FE5CC7F99DDDD9033D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\cache\\acrofnt10.lst.d798ff33912d8e4f279f25f10c08a914e86aad9f7e7083fe5cc7f99dddd9033d")) returned 1 [0112.268] GetProcessHeap () returned 0x4c0000 [0112.268] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0112.268] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0113.117] ReadFile (in: hFile=0x178, lpBuffer=0x3b80124, nNumberOfBytesToRead=0xe00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0) returned 1 [0113.117] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0113.182] WriteFile (in: hFile=0x184, lpBuffer=0x3ba8174, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140) returned 0x0 [0113.184] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0113.236] CloseHandle (hObject=0x184) returned 1 [0113.237] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest.26A4E809104E273260F7D433A2E5104C0A0406EFEA9E502A8AF51D2F87BF7546" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest.26a4e809104e273260f7d433a2e5104c0a0406efea9e502a8af51d2f87bf7546")) returned 1 [0113.238] GetProcessHeap () returned 0x4c0000 [0113.238] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b88140 | out: hHeap=0x4c0000) returned 1 [0113.241] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0119.035] ReadFile (in: hFile=0x1b4, lpBuffer=0x3c690e4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c490b0 | out: lpBuffer=0x3c690e4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c490b0) returned 1 [0119.035] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0119.048] CloseHandle (hObject=0x198) returned 1 [0119.049] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\messages.json.8AB02C95E8A8028C6286AF77592CCADA862161AA392BEC67C054D0ECDCDFBA4C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\messages.json.8ab02c95e8a8028c6286af77592ccada862161aa392bec67c054d0ecdcdfba4c")) returned 1 [0119.050] GetProcessHeap () returned 0x4c0000 [0119.050] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x564b40 | out: hHeap=0x4c0000) returned 1 [0119.055] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0119.085] CloseHandle (hObject=0x16c) returned 1 [0119.086] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\messages.json.602EC73291E141E0BAE88576A76F35B62706DB6BEF9BC20C8085D42469C8FE53" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\messages.json.602ec73291e141e0bae88576a76f35b62706db6bef9bc20c8085d42469c8fe53")) returned 1 [0119.087] GetProcessHeap () returned 0x4c0000 [0119.087] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0119.087] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0119.089] CloseHandle (hObject=0x1a0) returned 1 [0119.090] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\messages.json.B69937CE59E69A5B122D97A475AFED5AF38378BD48C5F0DE4A918EB054E19941" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\messages.json.b69937ce59e69a5b122d97a475afed5af38378bd48c5f0de4a918eb054e19941")) returned 1 [0119.091] GetProcessHeap () returned 0x4c0000 [0119.091] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c20058 | out: hHeap=0x4c0000) returned 1 [0119.094] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0119.095] CloseHandle (hObject=0x17c) returned 1 [0119.097] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\messages.json.99B6E00DE52E6B3DF47897E4093D659EE4B5960DB84513401524B3D93427A23E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\messages.json.99b6e00de52e6b3df47897e4093d659ee4b5960db84513401524b3d93427a23e")) returned 1 [0119.099] GetProcessHeap () returned 0x4c0000 [0119.099] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0119.099] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0119.210] ReadFile (in: hFile=0x17c, lpBuffer=0x3cb9184, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c99150 | out: lpBuffer=0x3cb9184*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c99150) returned 1 [0119.210] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0119.212] WriteFile (in: hFile=0x17c, lpBuffer=0x3cb9184, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c99150 | out: lpBuffer=0x3cb9184, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c99150) returned 0x0 [0119.212] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0119.217] CloseHandle (hObject=0x1bc) returned 1 [0119.218] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\messages.json.1581C33849DFA6CC365B9C86E8690C4DEA1A0CF8B2D1BE0CA3BEEFE949A5EF7D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\messages.json.1581c33849dfa6cc365b9c86e8690c4dea1a0cf8b2d1be0ca3beefe949a5ef7d")) returned 1 [0119.219] GetProcessHeap () returned 0x4c0000 [0119.219] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3cc8058 | out: hHeap=0x4c0000) returned 1 [0119.221] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0119.326] ReadFile (in: hFile=0x1bc, lpBuffer=0x3ce11d4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3cc11a0 | out: lpBuffer=0x3ce11d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3cc11a0) returned 1 [0119.326] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0119.355] ReadFile (in: hFile=0x1a0, lpBuffer=0x55cb24, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0) returned 1 [0119.358] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0119.410] ReadFile (in: hFile=0x16c, lpBuffer=0x584b74, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74*, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40) returned 1 [0119.410] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0119.573] WriteFile (in: hFile=0x184, lpBuffer=0x3b580d4*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0) returned 1 [0119.621] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0119.621] CloseHandle (hObject=0x1b0) returned 1 [0119.631] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\messages.json.26D44C99FBD3A0852D7474630F2BBA2A0CBDFB07E1487D316E62E75247102B2A" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\messages.json.26d44c99fbd3a0852d7474630f2bba2a0cbdfb07e1487d316e62e75247102b2a")) returned 1 [0119.638] GetProcessHeap () returned 0x4c0000 [0119.638] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c490b0 | out: hHeap=0x4c0000) returned 1 [0119.641] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0120.048] CloseHandle (hObject=0x1b4) returned 1 [0120.056] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\messages.json.04E90FB9875FC9DC97CF69AC1FA64BF2D47EB3EADFCD38E1FFCB07D99DC89225" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\messages.json.04e90fb9875fc9dc97cf69ac1fa64bf2d47eb3eadfcd38e1ffcb07d99dc89225")) returned 1 [0120.063] GetProcessHeap () returned 0x4c0000 [0120.063] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b88140 | out: hHeap=0x4c0000) returned 1 [0120.063] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0120.246] CloseHandle (hObject=0x16c) returned 1 [0120.282] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\messages.json.F16BB3EB20D057414ABF41A0E6CA7DF0E43E3065719A722A4179C0989409504A" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\messages.json.f16bb3eb20d057414abf41a0e6ca7df0e43e3065719a722a4179c0989409504a")) returned 1 [0120.286] GetProcessHeap () returned 0x4c0000 [0120.286] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3ce9008 | out: hHeap=0x4c0000) returned 1 [0120.286] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0122.810] ReadFile (in: hFile=0x1d4, lpBuffer=0x3ba8174, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b88140) returned 1 [0122.810] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0122.826] WriteFile (in: hFile=0x1d4, lpBuffer=0x3ba8174, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140) returned 0x0 [0122.826] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0122.858] ReadFile (in: hFile=0x1d8, lpBuffer=0x406007c, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x4040048 | out: lpBuffer=0x406007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x4040048) returned 1 [0122.858] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0122.954] ReadFile (in: hFile=0x1dc, lpBuffer=0x40880cc, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x0, lpOverlapped=0x4068098 | out: lpBuffer=0x40880cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x4068098) returned 1 [0122.954] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0122.995] WriteFile (in: hFile=0x1dc, lpBuffer=0x40880cc, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x4068098 | out: lpBuffer=0x40880cc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x4068098) returned 0x0 [0122.996] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0123.371] WriteFile (in: hFile=0x1b0, lpBuffer=0x3c9212c, nNumberOfBytesToWrite=0x3e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8) returned 0x0 [0123.597] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0123.617] WriteFile (in: hFile=0x178, lpBuffer=0x3c680dc, nNumberOfBytesToWrite=0x3e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c480a8 | out: lpBuffer=0x3c680dc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c480a8) returned 0x0 [0123.665] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0123.665] CloseHandle (hObject=0x1ac) returned 1 [0123.694] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\messages.json.7D550591353269246A2F2C62D1B5C413650015E2CF878B0B931B7CA9B84F405F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\messages.json.7d550591353269246a2f2c62d1b5c413650015e2cf878b0b931b7ca9b84f405f")) returned 1 [0123.702] GetProcessHeap () returned 0x4c0000 [0123.702] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3d89148 | out: hHeap=0x4c0000) returned 1 [0123.707] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0124.683] WriteFile (in: hFile=0x1d4, lpBuffer=0x3ba8174, nNumberOfBytesToWrite=0x4400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140) returned 0x0 [0124.756] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0124.837] WriteFile (in: hFile=0x1e4, lpBuffer=0x3b80124, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0) returned 0x0 [0124.858] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0124.959] WriteFile (in: hFile=0x1cc, lpBuffer=0x3c4008c, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c20058 | out: lpBuffer=0x3c4008c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c20058) returned 0x0 [0124.961] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0124.983] CloseHandle (hObject=0x1ac) returned 1 [0124.985] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\messages.json.5E304258DB0B3E722AF6E7D7718EFB1E50F1DE91AF7DC3B3F4D0DDEA3F438A11" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\messages.json.5e304258db0b3e722af6e7d7718efb1e50f1de91af7dc3b3f4d0ddea3f438a11")) returned 1 [0124.986] GetProcessHeap () returned 0x4c0000 [0124.986] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0124.989] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0124.990] CloseHandle (hObject=0x1e4) returned 1 [0124.991] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\messages.json.65DE784568CC01610CFCE33E9CD803B8EFCA6843E61D62FAE688F2F5E5B2DC69" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\messages.json.65de784568cc01610cfce33e9cd803b8efca6843e61d62fae688f2f5e5b2dc69")) returned 1 [0124.992] GetProcessHeap () returned 0x4c0000 [0124.992] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0124.994] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0125.004] ReadFile (in: hFile=0x114, lpBuffer=0x3c680dc, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c480a8 | out: lpBuffer=0x3c680dc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c480a8) returned 1 [0125.004] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0125.026] WriteFile (in: hFile=0x114, lpBuffer=0x3c680dc, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c480a8 | out: lpBuffer=0x3c680dc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c480a8) returned 0x0 [0125.029] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0125.035] CloseHandle (hObject=0x114) returned 1 [0125.037] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\messages.json.460DA43EC32BB64C61C1EC5965903D4478CF6611B8F380CC025788DAE82C2156" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\messages.json.460da43ec32bb64c61c1ec5965903d4478cf6611b8f380cc025788dae82c2156")) returned 1 [0125.038] GetProcessHeap () returned 0x4c0000 [0125.038] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c480a8 | out: hHeap=0x4c0000) returned 1 [0125.038] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0125.109] ReadFile (in: hFile=0x1bc, lpBuffer=0x3c680dc, nNumberOfBytesToRead=0x5800, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c480a8 | out: lpBuffer=0x3c680dc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c480a8) returned 1 [0125.110] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0125.140] WriteFile (in: hFile=0x1bc, lpBuffer=0x3c680dc, nNumberOfBytesToWrite=0x5800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c480a8 | out: lpBuffer=0x3c680dc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c480a8) returned 0x0 [0125.143] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0125.758] CloseHandle (hObject=0x1e4) returned 1 [0125.759] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\messages.json.2BCB1679370B246CFC5B567BED2DF3B8A79ADDB617276F83745552FF40C33A46" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\messages.json.2bcb1679370b246cfc5b567bed2df3b8a79addb617276f83745552ff40c33a46")) returned 1 [0125.760] GetProcessHeap () returned 0x4c0000 [0125.760] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c720f8 | out: hHeap=0x4c0000) returned 1 [0125.765] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0125.786] WriteFile (in: hFile=0x1cc, lpBuffer=0x55cb24, nNumberOfBytesToWrite=0x3e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0) returned 0x0 [0125.787] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0126.214] WriteFile (in: hFile=0x1b0, lpBuffer=0x3c4008c, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c20058 | out: lpBuffer=0x3c4008c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c20058) returned 0x0 [0126.215] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0126.739] CloseHandle (hObject=0x1c0) returned 1 [0126.779] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\messages.json.D90873D93266310034F4891A2CA992FAA03A8309565B1CF10BD82F3AF4C94179" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\messages.json.d90873d93266310034f4891a2ca992faa03a8309565b1cf10bd82f3af4c94179")) returned 1 [0126.780] GetProcessHeap () returned 0x4c0000 [0126.780] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3d622d8 | out: hHeap=0x4c0000) returned 1 [0126.782] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0127.000] CloseHandle (hObject=0x17c) returned 1 [0127.007] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_tw\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\messages.json.A466AF03235F3E112F24F7149036C3A3CEAD764E4DE2D8D4A5FE33ABC0D62410" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_tw\\messages.json.a466af03235f3e112f24f7149036c3a3cead764e4de2d8d4a5fe33abc0d62410")) returned 1 [0127.008] GetProcessHeap () returned 0x4c0000 [0127.008] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3d8a328 | out: hHeap=0x4c0000) returned 1 [0127.011] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0127.267] WriteFile (in: hFile=0x17c, lpBuffer=0x3c4008c, nNumberOfBytesToWrite=0x1400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c20058 | out: lpBuffer=0x3c4008c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c20058) returned 0x0 [0127.268] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0127.353] WriteFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0127.484] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0127.510] WriteFile (in: hFile=0x1d8, lpBuffer=0x3b580d4, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0) returned 0x0 [0127.511] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0127.551] CloseHandle (hObject=0x178) returned 1 [0127.553] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Origin Bound Certs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\origin bound certs"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Origin Bound Certs.EF35CEDD6FA0100C2726AFFC4116F469198B1985C18789B8E47A7E3B05CF1631" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\origin bound certs.ef35cedd6fa0100c2726affc4116f469198b1985c18789b8e47a7e3b05cf1631")) returned 1 [0127.554] GetProcessHeap () returned 0x4c0000 [0127.554] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0127.554] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0127.571] WriteFile (in: hFile=0x1d0, lpBuffer=0x584b74, nNumberOfBytesToWrite=0x4800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40) returned 0x0 [0127.572] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0127.591] ReadFile (in: hFile=0x178, lpBuffer=0x3b80124, nNumberOfBytesToRead=0x1a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0) returned 1 [0127.591] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0127.597] WriteFile (in: hFile=0x178, lpBuffer=0x3b80124*, nNumberOfBytesToWrite=0x1a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0) returned 1 [0127.598] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0128.124] ReadFile (in: hFile=0x1c0, lpBuffer=0x3c680dc, nNumberOfBytesToRead=0x3000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c480a8 | out: lpBuffer=0x3c680dc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c480a8) returned 1 [0128.124] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0128.149] WriteFile (in: hFile=0x1c0, lpBuffer=0x3c680dc, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c480a8 | out: lpBuffer=0x3c680dc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c480a8) returned 0x0 [0128.487] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0129.778] CloseHandle (hObject=0x1b8) returned 1 [0129.851] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\Google Docs.ico" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\web applications\\_crx_aohghmighlieiainnegkcijnfilokake\\google docs.ico"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\Google Docs.ico.B1154533E4CE8942A4B35EEE9ED7F9CFFF81B698E5D850A8DA61173B80997918" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\web applications\\_crx_aohghmighlieiainnegkcijnfilokake\\google docs.ico.b1154533e4ce8942a4b35eee9ed7f9cfff81b698e5d850a8da61173b80997918")) returned 1 [0129.857] GetProcessHeap () returned 0x4c0000 [0129.857] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x54caf8 | out: hHeap=0x4c0000) returned 1 [0129.858] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0130.661] CloseHandle (hObject=0x17c) returned 1 [0130.662] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\index.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat.BE3D5A149200DF2A4129EA3354662E65DD0EF6D408F49692F61892769D0CB655" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\index.dat.be3d5a149200df2a4129ea3354662e65dd0ef6d408f49692f61892769d0cb655")) returned 1 [0130.664] GetProcessHeap () returned 0x4c0000 [0130.664] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0130.664] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0130.942] CloseHandle (hObject=0x174) returned 1 [0130.943] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\index.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\index.dat.AF7A39FF559227ED9FBB5972D35C6B9A943B30F06324E070E6AB7FCC45E8F74D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\index.dat.af7a39ff559227ed9fbb5972d35c6b9a943b30f06324e070e6ab7fcc45e8f74d")) returned 1 [0130.946] GetProcessHeap () returned 0x4c0000 [0130.946] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0130.947] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0130.997] ReadFile (in: hFile=0x1d8, lpBuffer=0x3be8114, nNumberOfBytesToRead=0x2200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0) returned 1 [0130.998] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0131.009] WriteFile (in: hFile=0x1d8, lpBuffer=0x3be8114*, nNumberOfBytesToWrite=0x2200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0) returned 1 [0131.011] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0131.012] CloseHandle (hObject=0x1d8) returned 1 [0131.014] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\frameiconcache.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\frameiconcache.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\frameiconcache.dat.7CFF7FC7DE5F02137D23644E4741706584216747E88B1B63B124DB6264FB0B55" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\frameiconcache.dat.7cff7fc7de5f02137d23644e4741706584216747e88b1b63b124db6264fb0b55")) returned 1 [0131.015] GetProcessHeap () returned 0x4c0000 [0131.015] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0131.015] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0131.041] CloseHandle (hObject=0xec) returned 1 [0131.042] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\brndlog.txt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt.46FEDB828D1308FB4171168AEC24F417DF6CF9116E10DCEF711347A0406D182B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\brndlog.txt.46fedb828d1308fb4171168aec24f417df6cf9116e10dcef711347a0406d182b")) returned 1 [0131.044] GetProcessHeap () returned 0x4c0000 [0131.044] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0131.044] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0131.047] ReadFile (in: hFile=0x174, lpBuffer=0x3be8114, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0) returned 1 [0131.048] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0131.071] CloseHandle (hObject=0x174) returned 1 [0131.072] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\MSIMGSIZ.DAT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\msimgsiz.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\MSIMGSIZ.DAT.42A99C21F44FEBA87680C6A0364B59A861481A39710D4C75A18F31D79BD72153" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\msimgsiz.dat.42a99c21f44feba87680c6a0364b59a861481a39710d4c75a18f31d79bd72153")) returned 1 [0131.074] GetProcessHeap () returned 0x4c0000 [0131.074] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0131.074] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0131.145] ReadFile (in: hFile=0x1d8, lpBuffer=0x522abc, nNumberOfBytesToRead=0xe00, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0131.145] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0131.150] WriteFile (in: hFile=0x1d8, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0xe00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0131.151] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0131.152] CloseHandle (hObject=0x1d8) returned 1 [0131.160] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\last active\\recoverystore.{4bd650f1-c8f9-11e7-b5bf-c43dc7584a00}.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat.FC66A3B2A2461DB2D34A5692CA6D9C8CA8F1FC15BB919D1A114ACEF6079A4E0B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\last active\\recoverystore.{4bd650f1-c8f9-11e7-b5bf-c43dc7584a00}.dat.fc66a3b2a2461db2d34a5692ca6d9c8ca8f1fc15bb919d1a114acef6079a4e0b")) returned 1 [0131.162] GetProcessHeap () returned 0x4c0000 [0131.162] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0131.162] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0131.195] WriteFile (in: hFile=0x17c, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x1200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0131.197] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0131.288] ReadFile (in: hFile=0x17c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0131.289] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0131.320] WriteFile (in: hFile=0x17c, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0131.322] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0131.323] CloseHandle (hObject=0x17c) returned 1 [0131.324] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\localmls_3.wmdb"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb.4EA2E5B91C0B21E66EFA233F0BCA5628EFAB77AA673496438F6834D999AEE830" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\localmls_3.wmdb.4ea2e5b91c0b21e66efa233f0bca5628efab77aa673496438f6834d999aee830")) returned 1 [0131.325] GetProcessHeap () returned 0x4c0000 [0131.325] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0131.325] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0131.498] ReadFile (in: hFile=0x1b8, lpBuffer=0x584b74, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40) returned 0x0 [0131.503] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0131.537] ReadFile (in: hFile=0x184, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0131.540] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0131.547] CloseHandle (hObject=0x1a8) returned 1 [0131.553] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\01_Music_auto_rated_at_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\01_music_auto_rated_at_5_stars.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\01_Music_auto_rated_at_5_stars.wpl.13B12216D79779272E95068CC29393582A3D939B7839419FA6E34395CE09365F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\01_music_auto_rated_at_5_stars.wpl.13b12216d79779272e95068cc29393582a3d939b7839419fa6e34395ce09365f")) returned 1 [0131.554] GetProcessHeap () returned 0x4c0000 [0131.554] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0131.554] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0131.572] ReadFile (in: hFile=0x1d4, lpBuffer=0x3c480cc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098) returned 1 [0131.572] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0131.630] ReadFile (in: hFile=0x1a8, lpBuffer=0x55cb24, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0) returned 1 [0131.634] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0131.635] WriteFile (in: hFile=0x18c, lpBuffer=0x3b580d4*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0) returned 1 [0131.636] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0131.801] CloseHandle (hObject=0x1d8) returned 1 [0131.804] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\01_music_auto_rated_at_5_stars.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl.7E853E5BCEE51D3E548DCD038ACB93A9246D78676F8324244502D8293535EF49" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\01_music_auto_rated_at_5_stars.wpl.7e853e5bcee51d3e548dcd038acb93a9246d78676f8324244502d8293535ef49")) returned 1 [0131.805] GetProcessHeap () returned 0x4c0000 [0131.805] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b88140 | out: hHeap=0x4c0000) returned 1 [0131.805] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0131.829] CloseHandle (hObject=0x1b8) returned 1 [0131.831] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\03_Music_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\03_music_rated_at_4_or_5_stars.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\03_Music_rated_at_4_or_5_stars.wpl.0B0C3308BCFF9DABD4F4F56F8848F6B085B722D450C8039EC57290E5F388661B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\03_music_rated_at_4_or_5_stars.wpl.0b0c3308bcff9dabd4f4f56f8848f6b085b722d450c8039ec57290e5f388661b")) returned 1 [0131.832] GetProcessHeap () returned 0x4c0000 [0131.832] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x564b40 | out: hHeap=0x4c0000) returned 1 [0131.832] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0131.832] CloseHandle (hObject=0x184) returned 1 [0131.834] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\04_Music_played_in_the_last_month.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\04_music_played_in_the_last_month.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\04_Music_played_in_the_last_month.wpl.A0D2671350BDBB5D8029166CD942CF08F807F590CB2069D72D6E7EC232E97F23" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\04_music_played_in_the_last_month.wpl.a0d2671350bdbb5d8029166cd942cf08f807f590cb2069d72d6e7ec232e97f23")) returned 1 [0131.841] GetProcessHeap () returned 0x4c0000 [0131.841] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0131.844] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0131.953] WriteFile (in: hFile=0x1d8, lpBuffer=0x3ba8174, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140) returned 0x0 [0131.955] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0131.955] CloseHandle (hObject=0x1d8) returned 1 [0131.956] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\02_music_added_in_the_last_month.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl.A7E8377BA52F62135BA7BB41E1D2EB7997CC77919D06A88F7ECBDD3A78B88A33" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\02_music_added_in_the_last_month.wpl.a7e8377ba52f62135ba7bb41e1d2eb7997cc77919d06a88f7ecbdd3a78b88a33")) returned 1 [0131.957] GetProcessHeap () returned 0x4c0000 [0131.957] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b88140 | out: hHeap=0x4c0000) returned 1 [0131.957] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0131.961] CloseHandle (hObject=0x18c) returned 1 [0131.962] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\03_music_rated_at_4_or_5_stars.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl.12D870A4784A46405BE0DDD68128D9FD8A0923C995D87C36D7253CBFA9B5C77E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\03_music_rated_at_4_or_5_stars.wpl.12d870a4784a46405be0ddd68128d9fd8a0923c995d87c36d7253cbfa9b5c77e")) returned 1 [0131.963] GetProcessHeap () returned 0x4c0000 [0131.963] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0131.966] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0132.260] CloseHandle (hObject=0x178) returned 1 [0132.261] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\11_all_pictures.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl.47EFF01FA69E727C00DFC70C86D99F39CD82C915BBC891B89ED23D9C55DB8C28" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\11_all_pictures.wpl.47eff01fa69e727c00dfc70c86d99f39cd82c915bbc891b89ed23d9c55db8c28")) returned 1 [0132.263] GetProcessHeap () returned 0x4c0000 [0132.263] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0132.263] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0132.584] WriteFile (in: hFile=0x1d8, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0132.586] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0132.592] CloseHandle (hObject=0x17c) returned 1 [0132.595] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\mapisvc.inf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\outlook\\mapisvc.inf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\mapisvc.inf.6CB5689EB67126524E8EC52E4192696589C01DFB37F5389A3DADDF49ABFEF062" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\outlook\\mapisvc.inf.6cb5689eb67126524e8ec52e4192696589c01dfb37f5389a3daddf49abfef062")) returned 1 [0132.596] GetProcessHeap () returned 0x4c0000 [0132.596] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0132.596] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0132.698] ReadFile (in: hFile=0x17c, lpBuffer=0x3be8114, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0) returned 1 [0132.698] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0132.726] WriteFile (in: hFile=0x17c, lpBuffer=0x3be8114, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0) returned 0x0 [0132.728] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0132.729] CloseHandle (hObject=0x17c) returned 1 [0132.730] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\content14.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\visio\\content14.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\content14.dat.95887E1CD49549F03248A83DFF26FF5838C3CCAD092C469CEC0B603EA699FC0D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\visio\\content14.dat.95887e1cd49549f03248a83dff26ff5838c3ccad092c469cec0b603ea699fc0d")) returned 1 [0132.731] GetProcessHeap () returned 0x4c0000 [0132.731] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0132.731] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0132.813] ReadFile (in: hFile=0x1d0, lpBuffer=0x3be8114, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0) returned 1 [0132.835] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0132.860] CloseHandle (hObject=0x1d0) returned 1 [0132.861] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\account{af0db737-2ef9-4633-bf5e-1a6761ed1577}.oeaccount"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount.617AA7A259582D233762CE701006309A1578D04B61D9C07CCC0236995D30753C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\account{af0db737-2ef9-4633-bf5e-1a6761ed1577}.oeaccount.617aa7a259582d233762ce701006309a1578d04b61d9c07ccc0236995d30753c")) returned 1 [0132.862] GetProcessHeap () returned 0x4c0000 [0132.862] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0132.862] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0132.910] ReadFile (in: hFile=0x18c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0132.915] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0132.948] WriteFile (in: hFile=0x18c, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0132.950] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0133.059] WriteFile (in: hFile=0x1d0, lpBuffer=0x3be8114*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0) returned 1 [0133.070] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0133.808] ReadFile (in: hFile=0x1d0, lpBuffer=0x584b74, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74*, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40) returned 1 [0133.808] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0133.810] WriteFile (in: hFile=0x1d0, lpBuffer=0x584b74*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40) returned 1 [0133.811] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0133.812] CloseHandle (hObject=0x1d0) returned 1 [0133.813] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\roses.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg.B0BB771CEE14C5D4FCB5B54E75A2F0D55859AE3335C87347694F2BF77F63191E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\roses.jpg.b0bb771cee14c5d4fcb5b54e75a2f0d55859ae3335c87347694f2bf77f63191e")) returned 1 [0133.814] GetProcessHeap () returned 0x4c0000 [0133.814] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x564b40 | out: hHeap=0x4c0000) returned 1 [0133.830] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0133.851] WriteFile (in: hFile=0xec, lpBuffer=0x3c2007c*, nNumberOfBytesToWrite=0x1200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 1 [0133.911] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0133.952] CloseHandle (hObject=0x1d4) returned 1 [0133.953] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\softblue.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg.69B1D97AE1D913087EE6C98F6BC64FE1CB1D5106C5F649166B4E642437561541" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\softblue.jpg.69b1d97ae1d913087ee6c98f6bc64fe1cb1d5106c5f649166b4e642437561541")) returned 1 [0133.954] GetProcessHeap () returned 0x4c0000 [0133.954] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0133.954] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0134.567] WriteFile (in: hFile=0x178, lpBuffer=0x3b580d4*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0) returned 1 [0134.569] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0134.576] CloseHandle (hObject=0x17c) returned 1 [0134.577] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\0B\\FCBF5d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\1\\0b\\fcbf5d01"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\0B\\FCBF5d01.F4B73D5FAF641CC4A7E302EEC8CCD2893B7616113E56882C1EE9B67CC078F751" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\1\\0b\\fcbf5d01.f4b73d5faf641cc4a7e302eec8ccd2893b7616113e56882c1ee9b67cc078f751")) returned 1 [0134.578] GetProcessHeap () returned 0x4c0000 [0134.578] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0134.583] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0134.585] CloseHandle (hObject=0x178) returned 1 [0134.587] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\4B\\1D8FDd01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\3\\4b\\1d8fdd01"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\4B\\1D8FDd01.47C6A0BD5C92217C24E301E6EA3C980259800FB84728610529720442BDB21550" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\3\\4b\\1d8fdd01.47c6a0bd5c92217c24e301e6ea3c980259800fb84728610529720442bdb21550")) returned 1 [0134.588] GetProcessHeap () returned 0x4c0000 [0134.588] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0134.589] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0134.623] CloseHandle (hObject=0x194) returned 1 [0134.937] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\C2\\0B619d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\1\\c2\\0b619d01"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\C2\\0B619d01.FADF4DD5BEEAD0242B929735B89042A93B73ED992C6EF217AED9D9C879C4ED28" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\1\\c2\\0b619d01.fadf4dd5beead0242b929735b89042a93b73ed992c6ef217aed9d9c879c4ed28")) returned 1 [0134.941] GetProcessHeap () returned 0x4c0000 [0134.941] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x54caf8 | out: hHeap=0x4c0000) returned 1 [0134.941] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0134.944] CloseHandle (hObject=0x18c) returned 1 [0134.945] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\F6\\CBD4Dd01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\1\\f6\\cbd4dd01"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\F6\\CBD4Dd01.5D907F50BE8BC5592B6F54653B2B01BCD7B913ED55DDCC2D8D4B97DA1E7C0B4D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\1\\f6\\cbd4dd01.5d907f50be8bc5592b6f54653b2b01bcd7b913ed55ddcc2d8d4b97da1e7c0b4d")) returned 1 [0134.947] GetProcessHeap () returned 0x4c0000 [0134.947] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0134.947] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0134.993] ReadFile (in: hFile=0x194, lpBuffer=0x55cb24, nNumberOfBytesToRead=0x5200, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0) returned 1 [0134.994] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0135.079] WriteFile (in: hFile=0x178, lpBuffer=0x584b74, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40) returned 0x0 [0135.081] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0135.123] ReadFile (in: hFile=0x17c, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0135.168] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0135.175] CloseHandle (hObject=0x194) returned 1 [0135.177] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\10\\16A09d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\10\\16a09d01"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\10\\16A09d01.463D12A6DAE31DD04D7572273374CF3210A6C821E1F3277CAF60F2E3E4E94F5C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\10\\16a09d01.463d12a6dae31dd04d7572273374cf3210a6c821e1f3277caf60f2e3e4e94f5c")) returned 1 [0135.180] GetProcessHeap () returned 0x4c0000 [0135.180] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0135.184] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0135.216] ReadFile (in: hFile=0x17c, lpBuffer=0x55cb24, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0) returned 1 [0135.217] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0135.250] WriteFile (in: hFile=0x17c, lpBuffer=0x55cb24, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0) returned 0x0 [0135.252] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0135.309] ReadFile (in: hFile=0x1d4, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0135.309] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0135.329] CloseHandle (hObject=0x178) returned 1 [0135.416] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\2C\\24B53d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\2c\\24b53d01"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\2C\\24B53d01.60FF04D4D77A5A9292A9D089F6883E7341CD4809F423A10B4968E5B1C249377E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\2c\\24b53d01.60ff04d4d77a5a9292a9d089f6883e7341cd4809f423a10b4968e5b1c249377e")) returned 1 [0135.417] GetProcessHeap () returned 0x4c0000 [0135.417] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x564b40 | out: hHeap=0x4c0000) returned 1 [0135.418] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0135.429] ReadFile (in: hFile=0xec, lpBuffer=0x3c480cc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098) returned 1 [0135.429] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0135.461] ReadFile (in: hFile=0x178, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0135.461] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0135.495] ReadFile (in: hFile=0x174, lpBuffer=0x584b74, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74*, lpNumberOfBytesRead=0x0, lpOverlapped=0x564b40) returned 1 [0135.495] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0135.605] WriteFile (in: hFile=0xec, lpBuffer=0x3c480cc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098) returned 0x0 [0135.608] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0135.616] ReadFile (in: hFile=0x1b8, lpBuffer=0x3b580d4, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0) returned 1 [0135.618] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0135.635] CloseHandle (hObject=0x17c) returned 1 [0135.637] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\E0\\F17B2d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\e0\\f17b2d01"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\E0\\F17B2d01.4DDAE4E096E0A6985143972F8BFF18556D1D0B2584E671D8ACB2B3DC9FCF8B4F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\e0\\f17b2d01.4ddae4e096e0a6985143972f8bff18556d1d0b2584e671d8acb2b3dc9fcf8b4f")) returned 1 [0135.638] GetProcessHeap () returned 0x4c0000 [0135.638] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0135.638] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0135.706] WriteFile (in: hFile=0x1b8, lpBuffer=0x3b580d4, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0) returned 0x0 [0135.728] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0135.730] ReadFile (in: hFile=0x18c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0135.730] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0135.774] WriteFile (in: hFile=0x18c, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0135.784] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0135.794] ReadFile (in: hFile=0x1d4, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0135.794] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0135.834] WriteFile (in: hFile=0x1d4, lpBuffer=0x3c2007c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 0x0 [0135.836] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0135.863] ReadFile (in: hFile=0x1b8, lpBuffer=0x55cb24, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0) returned 1 [0135.863] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0135.893] WriteFile (in: hFile=0x1b8, lpBuffer=0x55cb24, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24, lpNumberOfBytesWritten=0x0, lpOverlapped=0x53caf0) returned 0x0 [0135.894] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0135.916] ReadFile (in: hFile=0x17c, lpBuffer=0x3b580d4, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0) returned 1 [0135.916] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0135.927] WriteFile (in: hFile=0x17c, lpBuffer=0x3b580d4*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0) returned 1 [0135.928] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0135.932] CloseHandle (hObject=0x17c) returned 1 [0135.933] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_MAP_" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\_cache_map_"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_MAP_.E8A57ACED77246959106CD812E5699DFBA670C7F63DA0E9AF4F7409CF2B2D215" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\_cache_map_.e8a57aced77246959106cd812e5699dfba670c7f63da0e9af4f7409cf2b2d215")) returned 1 [0135.934] GetProcessHeap () returned 0x4c0000 [0135.934] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0135.934] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0135.957] ReadFile (in: hFile=0x194, lpBuffer=0x3b80124, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0) returned 1 [0135.957] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0135.958] CloseHandle (hObject=0x174) returned 1 [0135.959] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\23\\7E0FEd01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\f\\23\\7e0fed01"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\23\\7E0FEd01.9C0553C8D1DA1EE2415DE583CB0EFE912D77669B009A7F675D49A069390EEE5F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\f\\23\\7e0fed01.9c0553c8d1da1ee2415de583cb0efe912d77669b009a7f675d49a069390eee5f")) returned 1 [0135.961] GetProcessHeap () returned 0x4c0000 [0135.961] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x564b40 | out: hHeap=0x4c0000) returned 1 [0135.964] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0135.968] CloseHandle (hObject=0x18c) returned 1 [0135.970] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_001_" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\_cache_001_"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_001_.E4200BECA41A3131CFF4166C1698A11ABB70CD2BF2D2F92FF73ED3293E3DCB3D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\_cache_001_.e4200beca41a3131cff4166c1698a11abb70cd2bf2d2f92ff73ed3293e3dcb3d")) returned 1 [0135.971] GetProcessHeap () returned 0x4c0000 [0135.971] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0135.971] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0136.087] CloseHandle (hObject=0x1d4) returned 1 [0136.087] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_002_" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\_cache_002_"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_002_.5978354E26C35CB1344B4A2F1FA14E972BB3CD8A5C4B231C266A17B827E77518" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\_cache_002_.5978354e26c35cb1344b4a2f1fa14e972bb3cd8a5c4b231c266a17b827e77518")) returned 1 [0136.089] GetProcessHeap () returned 0x4c0000 [0136.089] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0136.089] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0136.134] CloseHandle (hObject=0xec) returned 1 [0136.135] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\08\\71469d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\d\\08\\71469d01"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\08\\71469d01.D44FF07C707DC3905C48CFA39F3C86EC0C23072BA73FB4BC2E7C42A8D961A428" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\d\\08\\71469d01.d44ff07c707dc3905c48cfa39f3c86ec0c23072ba73fb4bc2e7c42a8d961a428")) returned 1 [0136.138] GetProcessHeap () returned 0x4c0000 [0136.138] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0136.139] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0136.159] ReadFile (in: hFile=0x1d4, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0136.159] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0136.186] WriteFile (in: hFile=0x1d4, lpBuffer=0x3c2007c, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 0x0 [0136.264] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0136.265] CloseHandle (hObject=0x1b8) returned 1 [0136.269] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_003_" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\_cache_003_"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_003_.1631F973B245CC5FA17837C84A2C8511A4A9634CDE7E8781977C46E809243A4E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\_cache_003_.1631f973b245cc5fa17837c84a2c8511a4a9634cde7e8781977c46e809243a4e")) returned 1 [0136.270] GetProcessHeap () returned 0x4c0000 [0136.270] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0136.270] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0136.285] ReadFile (in: hFile=0x1a8, lpBuffer=0x3be8114, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0) returned 1 [0136.286] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0136.322] ReadFile (in: hFile=0x18c, lpBuffer=0x3c480cc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098) returned 1 [0136.323] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0136.388] ReadFile (in: hFile=0x1d8, lpBuffer=0x55cb24, nNumberOfBytesToRead=0x4800, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0) returned 1 [0136.442] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0136.457] ReadFile (in: hFile=0x1d0, lpBuffer=0x3b580d4, nNumberOfBytesToRead=0x1600, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0) returned 1 [0136.467] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0136.486] ReadFile (in: hFile=0x1d0, lpBuffer=0x55cb24, nNumberOfBytesToRead=0x1a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0) returned 1 [0136.505] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0136.514] CloseHandle (hObject=0x194) returned 1 [0136.515] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\4cc87c1409819bf06f42b782d4902b2f.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\thumbnails\\4cc87c1409819bf06f42b782d4902b2f.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\4cc87c1409819bf06f42b782d4902b2f.png.D107EA691B3F44FBEC7332D0668B20D80BA9188CB3EC4D752E610DD1D682B90A" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\thumbnails\\4cc87c1409819bf06f42b782d4902b2f.png.d107ea691b3f44fbec7332d0668b20d80ba9188cb3ec4d752e610dd1d682b90a")) returned 1 [0136.516] GetProcessHeap () returned 0x4c0000 [0136.516] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0136.516] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0136.528] ReadFile (in: hFile=0x1d0, lpBuffer=0x55cb24, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0) returned 1 [0136.528] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0136.586] CloseHandle (hObject=0x1d0) returned 1 [0136.587] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\AdobeARM.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\adobearm.log"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\AdobeARM.log.6954A65613AD1E26D48A3AFB6C3F95C0F7B990B829F6718281F86EE38218313E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\adobearm.log.6954a65613ad1e26d48a3afb6c3f95c0f7b990b829f6718281f86ee38218313e")) returned 1 [0136.588] GetProcessHeap () returned 0x4c0000 [0136.588] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x53caf0 | out: hHeap=0x4c0000) returned 1 [0136.588] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0136.611] ReadFile (in: hFile=0x1d0, lpBuffer=0x55cb24, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0 | out: lpBuffer=0x55cb24*, lpNumberOfBytesRead=0x0, lpOverlapped=0x53caf0) returned 1 [0136.643] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0136.662] CloseHandle (hObject=0x1d4) returned 1 [0136.664] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ba182bcd131f1f3c6b6fbbb1ba078341.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\thumbnails\\ba182bcd131f1f3c6b6fbbb1ba078341.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ba182bcd131f1f3c6b6fbbb1ba078341.png.4A2B1D2830EB0B6AB058C259A56EF46E030913903D7382AD797ECACDE0A10834" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\thumbnails\\ba182bcd131f1f3c6b6fbbb1ba078341.png.4a2b1d2830eb0b6ab058c259a56ef46e030913903d7382ad797ecacde0a10834")) returned 1 [0136.665] GetProcessHeap () returned 0x4c0000 [0136.665] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0136.665] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0136.732] WriteFile (in: hFile=0x1d0, lpBuffer=0x3be8114*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0) returned 1 [0136.733] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0136.838] CloseHandle (hObject=0x1d0) returned 1 [0136.839] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\gz_kT.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\gz_kt.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\gz_kT.wav.BBC895C8563ADD17F7BE2674995E9317070B43E378ACFE7951ADF8BB3E74B452" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\gz_kt.wav.bbc895c8563add17f7be2674995e9317070b43e378acfe7951adf8bb3e74b452")) returned 1 [0136.840] GetProcessHeap () returned 0x4c0000 [0136.840] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0136.840] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0136.868] ReadFile (in: hFile=0x1d4, lpBuffer=0x3be8114, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0) returned 1 [0136.868] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0136.895] ReadFile (in: hFile=0x1d0, lpBuffer=0x522abc, nNumberOfBytesToRead=0x5200, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0136.895] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0136.937] ReadFile (in: hFile=0x18c, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0136.938] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0136.985] ReadFile (in: hFile=0x194, lpBuffer=0x3c480cc, nNumberOfBytesToRead=0x5e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098) returned 1 [0136.985] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0137.042] ReadFile (in: hFile=0x1a8, lpBuffer=0x3b580d4, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0) returned 1 [0137.043] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0137.070] WriteFile (in: hFile=0x1a8, lpBuffer=0x3b580d4, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0) returned 0x0 [0137.503] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0137.526] WriteFile (in: hFile=0x1d8, lpBuffer=0x3ba8174, nNumberOfBytesToWrite=0x4200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140 | out: lpBuffer=0x3ba8174, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b88140) returned 0x0 [0137.636] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0137.667] WriteFile (in: hFile=0x120, lpBuffer=0x3d0a21c*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3cea1e8 | out: lpBuffer=0x3d0a21c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3cea1e8) returned 1 [0137.699] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0137.699] CloseHandle (hObject=0x194) returned 1 [0137.705] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\JBSxAwEacZEO- 7_.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\jbsxaweaczeo- 7_.ods"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\JBSxAwEacZEO- 7_.ods.571851FD2D601E3EC9E5F5EC339D9A64F5EA8283A241610C9EBE01EB844C2D77" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\jbsxaweaczeo- 7_.ods.571851fd2d601e3ec9e5f5ec339d9a64f5ea8283a241610c9ebe01eb844c2d77")) returned 1 [0137.740] GetProcessHeap () returned 0x4c0000 [0137.740] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0137.742] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0137.742] CloseHandle (hObject=0x128) returned 1 [0137.745] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\SMb_dAM.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\smb_dam.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\SMb_dAM.swf.C65D4F974F1B7FA697E03CF60A936B4250B4B62BF40506547DB466CB2BA01805" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\smb_dam.swf.c65d4f974f1b7fa697e03cf60a936b4250b4b62bf40506547db466cb2ba01805")) returned 1 [0137.754] GetProcessHeap () returned 0x4c0000 [0137.754] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3d12238 | out: hHeap=0x4c0000) returned 1 [0137.755] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0138.209] WriteFile (in: hFile=0x1d0, lpBuffer=0x584b74*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40 | out: lpBuffer=0x584b74*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x564b40) returned 1 [0138.210] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0138.287] CloseHandle (hObject=0x178) returned 1 [0138.287] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\x-2HH2TCzLZoBz.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\x-2hh2tczlzobz.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\x-2HH2TCzLZoBz.xlsx.CEF254A399B39B9B43FBCE00B387B845CC4A0AE7D8DF8B470D53974A13CDC009" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\x-2hh2tczlzobz.xlsx.cef254a399b39b9b43fbce00b387b845cc4a0ae7d8df8b470d53974a13cdc009")) returned 1 [0138.289] GetProcessHeap () returned 0x4c0000 [0138.289] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0138.289] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0138.894] CloseHandle (hObject=0x128) returned 1 [0138.897] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7396C420A8E1BC1DA97F1AF0D10BAD21" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7396c420a8e1bc1da97f1af0d10bad21"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7396C420A8E1BC1DA97F1AF0D10BAD21.CFC737D9DEE2CEC6673CF2EF2A5CD18A93E4E8574BBC5B5A7435CA0FCAD5A575" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7396c420a8e1bc1da97f1af0d10bad21.cfc737d9dee2cec6673cf2ef2a5cd18a93e4e8574bbc5b5a7435ca0fcad5a575")) returned 1 [0138.917] GetProcessHeap () returned 0x4c0000 [0138.917] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0138.917] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0138.920] CloseHandle (hObject=0x1d0) returned 1 [0138.922] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1DAF2884EC4DFA96BA4A58D4DBC9C406" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\1daf2884ec4dfa96ba4a58d4dbc9c406"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1DAF2884EC4DFA96BA4A58D4DBC9C406.4A1025602CD0C904A3D2D0FF03B287A900CBB6508FFF67269C638CC0B45B0C3E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\1daf2884ec4dfa96ba4a58d4dbc9c406.4a1025602cd0c904a3d2d0ff03b287a900cbb6508fff67269c638cc0b45b0c3e")) returned 1 [0138.923] GetProcessHeap () returned 0x4c0000 [0138.923] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0138.927] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0138.929] CloseHandle (hObject=0x184) returned 1 [0138.930] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\4dd39726d4b55ac3b4119b35a893323c_46cccfb940a93f39a734f69efcdd76e9"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9.8C922E14930B017F4F9A2F5F6AFD5BD9AB4AE735C0D3F73E9B84766405B62346" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\4dd39726d4b55ac3b4119b35a893323c_46cccfb940a93f39a734f69efcdd76e9.8c922e14930b017f4f9a2f5f6afd5bd9ab4ae735c0d3f73e9b84766405b62346")) returned 1 [0138.944] GetProcessHeap () returned 0x4c0000 [0138.944] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0138.944] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0138.955] ReadFile (in: hFile=0x128, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0138.959] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0138.961] CloseHandle (hObject=0x128) returned 1 [0138.962] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7b8944ba8ad0efdf0e01a43ef62becd0_b2db1cc4b5f2d2a802d56aaed525802d"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D.97CD63734F06D08D1E956954E57CAB088A4D358DCC326BDFCBFD84B1C3CB1D7E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7b8944ba8ad0efdf0e01a43ef62becd0_b2db1cc4b5f2d2a802d56aaed525802d.97cd63734f06d08d1e956954e57cab088a4d358dcc326bdfcbfd84b1c3cb1d7e")) returned 1 [0138.964] GetProcessHeap () returned 0x4c0000 [0138.964] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0138.965] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0138.994] ReadFile (in: hFile=0x128, lpBuffer=0x54bb14, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0138.994] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0138.997] WriteFile (in: hFile=0x128, lpBuffer=0x54bb14*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 1 [0138.999] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0138.999] CloseHandle (hObject=0x128) returned 1 [0139.000] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7d266d9e1e69fa1eefb9699b009b34c8_0a9bfdd75b598c2110cbf610c078e6e6"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6.0DEBC3ACADFD8E4ECB5ACC6E782EDCBB79C6100406E61707F2E881138855C96D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7d266d9e1e69fa1eefb9699b009b34c8_0a9bfdd75b598c2110cbf610c078e6e6.0debc3acadfd8e4ecb5acc6e782edcbb79c6100406e61707f2e881138855c96d")) returned 1 [0139.002] GetProcessHeap () returned 0x4c0000 [0139.002] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0139.002] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0139.031] ReadFile (in: hFile=0x128, lpBuffer=0x54bb14, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0139.036] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0139.075] CloseHandle (hObject=0x178) returned 1 [0139.075] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\696F3DE637E6DE85B458996D49D759AD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\696f3de637e6de85b458996d49d759ad"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\696F3DE637E6DE85B458996D49D759AD.CE4BB4BC2E54249D824D3A7CAD895BFE279B4D7B5C5C168F29AD40C4146F7002" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\696f3de637e6de85b458996d49d759ad.ce4bb4bc2e54249d824d3a7cad895bfe279b4d7b5c5c168f29ad40c4146f7002")) returned 1 [0139.078] GetProcessHeap () returned 0x4c0000 [0139.078] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x553b30 | out: hHeap=0x4c0000) returned 1 [0139.079] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0139.096] ReadFile (in: hFile=0x184, lpBuffer=0x3be8114, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0) returned 1 [0139.096] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0139.098] WriteFile (in: hFile=0x184, lpBuffer=0x3be8114, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3bc80e0) returned 0x0 [0139.100] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0139.129] ReadFile (in: hFile=0x178, lpBuffer=0x573b64, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64*, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30) returned 1 [0139.130] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0139.197] ReadFile (in: hFile=0x1d0, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0139.197] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0139.205] CloseHandle (hObject=0x1d0) returned 1 [0139.208] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8828f39c7c0ce9a14b25c7eb321181ba_c6ef73e4482b2588b1252d1a64b99416"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416.A864EE8C6B9153AB5050127B8B3A8863D4ABB2709C2D7F577662B00256D59461" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8828f39c7c0ce9a14b25c7eb321181ba_c6ef73e4482b2588b1252d1a64b99416.a864ee8c6b9153ab5050127b8b3a8863d4abb2709c2d7f577662b00256d59461")) returned 1 [0139.209] GetProcessHeap () returned 0x4c0000 [0139.209] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0139.209] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0139.212] CloseHandle (hObject=0x128) returned 1 [0139.217] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7d266d9e1e69fa1eefb9699b009b34c8_1d5a876a9113ec07224c45e5a870e3bd"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD.DCDE76DF7C8C86999EE9A199C8342292908E99591133FE0D8C7CF4E1141D0120" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7d266d9e1e69fa1eefb9699b009b34c8_1d5a876a9113ec07224c45e5a870e3bd.dcde76df7c8c86999ee9a199c8342292908e99591133fe0d8c7cf4e1141d0120")) returned 1 [0139.218] GetProcessHeap () returned 0x4c0000 [0139.218] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0139.224] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0139.224] CloseHandle (hObject=0x178) returned 1 [0139.226] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8828f39c7c0ce9a14b25c7eb321181ba_3df94eb797096674f7793a562a778c5f"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F.986877587E770A30D3FC35799C3FC4EA215023F5135A58DA36B01DFBBCEA1459" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8828f39c7c0ce9a14b25c7eb321181ba_3df94eb797096674f7793a562a778c5f.986877587e770a30d3fc35799c3fc4ea215023f5135a58da36b01dfbbcea1459")) returned 1 [0139.227] GetProcessHeap () returned 0x4c0000 [0139.227] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x553b30 | out: hHeap=0x4c0000) returned 1 [0139.229] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0139.256] ReadFile (in: hFile=0x18c, lpBuffer=0x3b580d4, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0) returned 1 [0139.256] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0139.301] CloseHandle (hObject=0x18c) returned 1 [0139.302] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\94308059b57b3142e455b38a6eb92015"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015.3613939BC613ADF66D1181AAC566C9D2FB13D4CED85B12E0FD419CDCBD5EEC45" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\94308059b57b3142e455b38a6eb92015.3613939bc613adf66d1181aac566c9d2fb13d4ced85b12e0fd419cdcbd5eec45")) returned 1 [0139.303] GetProcessHeap () returned 0x4c0000 [0139.303] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0139.305] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0139.347] ReadFile (in: hFile=0x18c, lpBuffer=0x54bb14, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0139.348] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0139.350] WriteFile (in: hFile=0x18c, lpBuffer=0x54bb14, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 0x0 [0139.352] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0139.380] ReadFile (in: hFile=0x178, lpBuffer=0x573b64, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64*, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30) returned 1 [0139.381] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0139.383] WriteFile (in: hFile=0x178, lpBuffer=0x573b64*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30) returned 1 [0139.384] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0139.385] CloseHandle (hObject=0x178) returned 1 [0139.386] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\9bc2ffc5d9591e1bd3545230e9b7cc36_cf30943571f9bee96c487b2d9f0436e6"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6.B9D29171EB9B900A5AAC923BF6C53D1C97397E664685DF28CC4D4187AA038402" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\9bc2ffc5d9591e1bd3545230e9b7cc36_cf30943571f9bee96c487b2d9f0436e6.b9d29171eb9b900a5aac923bf6c53d1c97397e664685df28cc4d4187aa038402")) returned 1 [0139.387] GetProcessHeap () returned 0x4c0000 [0139.387] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x553b30 | out: hHeap=0x4c0000) returned 1 [0139.387] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0139.449] ReadFile (in: hFile=0x178, lpBuffer=0x573b64, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64*, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30) returned 1 [0139.450] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0139.464] WriteFile (in: hFile=0x128, lpBuffer=0x3c2007c, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 0x0 [0139.465] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0139.491] ReadFile (in: hFile=0x1d4, lpBuffer=0x3c480cc, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098) returned 1 [0139.491] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0139.494] CloseHandle (hObject=0x1d4) returned 1 [0139.495] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\acf244f1a10d4dbed0d88eba0c43a9b5_ba1ab6c2bdfdf57799e8116e4002d001"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001.5DCACB58C3112CE6672B38C9297783857A19CD19F476D00CB86D3DBCEB292E57" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\acf244f1a10d4dbed0d88eba0c43a9b5_ba1ab6c2bdfdf57799e8116e4002d001.5dcacb58c3112ce6672b38c9297783857a19cd19f476d00cb86d3dbceb292e57")) returned 1 [0139.497] GetProcessHeap () returned 0x4c0000 [0139.497] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0139.497] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0139.554] CloseHandle (hObject=0x184) returned 1 [0139.556] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\828298824ea5549947c17ddabf6871f5_0206efbc540300c3bf0163cdbc3d7d56"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56.B9713A6244DAB7DC00A92AB83F21E81DA3088E1CE1392E098ADB490B8C19471B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\828298824ea5549947c17ddabf6871f5_0206efbc540300c3bf0163cdbc3d7d56.b9713a6244dab7dc00a92ab83f21e81da3088e1ce1392e098adb490b8c19471b")) returned 1 [0139.557] GetProcessHeap () returned 0x4c0000 [0139.557] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3bc80e0 | out: hHeap=0x4c0000) returned 1 [0139.562] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0139.578] ReadFile (in: hFile=0x1d4, lpBuffer=0x3c480cc, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098) returned 1 [0139.579] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0139.583] CloseHandle (hObject=0x1d4) returned 1 [0139.586] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\b3bb9c1ba2d19e090ae305b2683903a0_6f0a84ce2ba99bd19d42c92610275852"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852.C1BEF70C59A1F9598C062E14F94543F91498B5A42C3DFF004CC224D6D071BD64" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\b3bb9c1ba2d19e090ae305b2683903a0_6f0a84ce2ba99bd19d42c92610275852.c1bef70c59a1f9598c062e14f94543f91498b5a42c3dff004cc224d6d071bd64")) returned 1 [0139.588] GetProcessHeap () returned 0x4c0000 [0139.588] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0139.589] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0139.681] ReadFile (in: hFile=0x1d4, lpBuffer=0x3be8114, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0) returned 1 [0139.689] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0139.691] WriteFile (in: hFile=0x184, lpBuffer=0x3c480cc*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098) returned 1 [0139.693] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0139.857] ReadFile (in: hFile=0x184, lpBuffer=0x3c480cc, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098) returned 1 [0139.866] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0139.877] CloseHandle (hObject=0x128) returned 1 [0139.879] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\9c888beabccbc2a97b0d6d9214c3ba37_ebc75728c6119a77e4da8559dd10f061"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061.8AFC4B0E8B90F74686D051C575D0D2149952F6A1EAF3DF1221448C86FC66D754" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\9c888beabccbc2a97b0d6d9214c3ba37_ebc75728c6119a77e4da8559dd10f061.8afc4b0e8b90f74686d051c575d0d2149952f6a1eaf3df1221448c86fc66d754")) returned 1 [0139.880] GetProcessHeap () returned 0x4c0000 [0139.880] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0139.880] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0139.906] WriteFile (in: hFile=0x1d4, lpBuffer=0x3b580d4*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0) returned 1 [0139.908] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0140.115] WriteFile (in: hFile=0x1d0, lpBuffer=0x54bb14*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 1 [0140.119] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0140.165] CloseHandle (hObject=0x178) returned 1 [0140.166] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\ea618097e393409afa316f0f87e2c202_827c1b837652b048c4c84237d0838585"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585.338105726E265033D7C524F4E0EEEB834F283257724674AD080F89370AFEEE75" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\ea618097e393409afa316f0f87e2c202_827c1b837652b048c4c84237d0838585.338105726e265033d7c524f4e0eeeb834f283257724674ad080f89370afeee75")) returned 1 [0140.168] GetProcessHeap () returned 0x4c0000 [0140.168] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x553b30 | out: hHeap=0x4c0000) returned 1 [0140.168] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0140.288] ReadFile (in: hFile=0x178, lpBuffer=0x3be8114, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0 | out: lpBuffer=0x3be8114*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3bc80e0) returned 1 [0140.289] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0140.291] WriteFile (in: hFile=0x18c, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0140.293] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0140.293] CloseHandle (hObject=0x18c) returned 1 [0140.300] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\bc570ec0de58335afaf92fdc8e3aa330_f4d449ca9e0eaccfe15946f8fcd349fc"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC.211F267B055FAA7ED0011018CDA5CCA0A0D5CD1315E726943FA95AD8504C1150" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\bc570ec0de58335afaf92fdc8e3aa330_f4d449ca9e0eaccfe15946f8fcd349fc.211f267b055faa7ed0011018cda5cca0a0d5cd1315e726943fa95ad8504c1150")) returned 1 [0140.303] GetProcessHeap () returned 0x4c0000 [0140.303] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0140.303] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0140.529] ReadFile (in: hFile=0x18c, lpBuffer=0x54bb14, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0140.529] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0140.917] ReadFile (in: hFile=0x1b8, lpBuffer=0x3b580d4, nNumberOfBytesToRead=0x3e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0) returned 1 [0140.917] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0140.934] CloseHandle (hObject=0x1b8) returned 1 [0140.935] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\2JwjzcIn97nec8pS.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\2jwjzcin97nec8ps.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\2JwjzcIn97nec8pS.flv.EBC5F8181910201EDF8184B092546464C621658009707849A7A59D6187CE616D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\2jwjzcin97nec8ps.flv.ebc5f8181910201edf8184b092546464c621658009707849a7a59d6187ce616d")) returned 1 [0140.936] GetProcessHeap () returned 0x4c0000 [0140.936] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0140.936] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0140.977] CloseHandle (hObject=0x1d4) returned 1 [0140.978] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-7CYgLu.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\-7cyglu.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-7CYgLu.mkv.40891206017079CAA6C9E37EF234EFEEE95ACFFC7F18A0BB66B1D43D4217E94C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\-7cyglu.mkv.40891206017079caa6c9e37ef234efeee95acffc7f18a0bb66b1d43d4217e94c")) returned 1 [0140.980] GetProcessHeap () returned 0x4c0000 [0140.980] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0140.982] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0141.020] CloseHandle (hObject=0x124) returned 1 [0141.021] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\2 I3B1uwJE_rUPq.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\2 i3b1uwje_rupq.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\2 I3B1uwJE_rUPq.docx.BE2402FD5735EFE63E38DB7A03E66C3B772707D9BC184DD086B33BC4D2C7644C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\2 i3b1uwje_rupq.docx.be2402fd5735efe63e38db7a03e66c3b772707d9bc184dd086b33bc4d2c7644c")) returned 1 [0141.022] GetProcessHeap () returned 0x4c0000 [0141.022] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0141.023] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0141.082] WriteFile (in: hFile=0x1b8, lpBuffer=0x3b580d4*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0) returned 1 [0141.084] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0141.119] WriteFile (in: hFile=0x1b8, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x3200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0141.121] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0141.184] WriteFile (in: hFile=0x1b8, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0141.186] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0141.264] CloseHandle (hObject=0x1b8) returned 1 [0141.264] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\9jYSyYhY-O.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\9jysyyhy-o.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\9jYSyYhY-O.flv.0FC10D5E4393EE70B6104D30C2540658C0737181FA986C62D94D7960C3A66720" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\9jysyyhy-o.flv.0fc10d5e4393ee70b6104d30c2540658c0737181fa986c62d94d7960c3a66720")) returned 1 [0141.266] GetProcessHeap () returned 0x4c0000 [0141.266] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0141.266] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0141.296] CloseHandle (hObject=0x178) returned 1 [0141.301] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\Data1.cab" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\jre1.7.0_45\\data1.cab"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\Data1.cab.EFB9CECE158C3A5C0556848EB80C19DCB4F5BB2DC94628771959E19CE9546E51" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\jre1.7.0_45\\data1.cab.efb9cece158c3a5c0556848eb80c19dcb4f5bb2dc94628771959e19ce9546e51")) returned 1 [0141.302] GetProcessHeap () returned 0x4c0000 [0141.302] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x553b30 | out: hHeap=0x4c0000) returned 1 [0141.303] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0141.431] ReadFile (in: hFile=0x178, lpBuffer=0x522abc, nNumberOfBytesToRead=0x1400, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0141.431] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0141.439] WriteFile (in: hFile=0x178, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x1400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0141.440] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0141.442] CloseHandle (hObject=0x178) returned 1 [0141.444] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\addressbook.acrodata" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\addressbook.acrodata"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\addressbook.acrodata.F2583DBDA0E6774987A58BDA68848452CC617BCDEF53E7D45AB90FE327023858" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\addressbook.acrodata.f2583dbda0e6774987a58bda68848452cc617bcdef53e7d45ab90fe327023858")) returned 1 [0141.446] GetProcessHeap () returned 0x4c0000 [0141.446] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0141.451] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0141.702] WriteFile (in: hFile=0x1b8, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0141.705] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0141.778] WriteFile (in: hFile=0x1b8, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0141.799] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0142.056] CloseHandle (hObject=0x1b8) returned 1 [0142.057] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\J5L_SG5VSuJSQb.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\j5l_sg5vsujsqb.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\J5L_SG5VSuJSQb.mp3.AE70ED8B456AC4329AF0F44647BECDD6B5D6C5DA7A5F6FA76A1D245AF043607E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\j5l_sg5vsujsqb.mp3.ae70ed8b456ac4329af0f44647becdd6b5d6c5da7a5f6fa76a1d245af043607e")) returned 1 [0142.059] GetProcessHeap () returned 0x4c0000 [0142.059] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0142.059] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0142.134] WriteFile (in: hFile=0x1b8, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0142.136] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0142.201] CloseHandle (hObject=0x1b8) returned 1 [0142.202] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kVn3FL-ALv.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\kvn3fl-alv.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kVn3FL-ALv.wav.1BE0B9ADDB202518032D85A48B60F53151FFE845031CE98641F43A807A70EE33" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\kvn3fl-alv.wav.1be0b9addb202518032d85a48b60f53151ffe845031ce98641f43a807a70ee33")) returned 1 [0142.204] GetProcessHeap () returned 0x4c0000 [0142.204] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0142.204] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0142.223] ReadFile (in: hFile=0x1b8, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0142.223] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0142.254] CloseHandle (hObject=0x1b8) returned 1 [0142.255] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\LNRc00f10XCfd0x9.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\lnrc00f10xcfd0x9.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\LNRc00f10XCfd0x9.jpg.8FDAF4DBDDB6EB230587D46E0DC3A9BF6664C5D9C07878024FDD342C4C8AA651" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\lnrc00f10xcfd0x9.jpg.8fdaf4dbddb6eb230587d46e0dc3a9bf6664c5d9c07878024fdd342c4c8aa651")) returned 1 [0142.256] GetProcessHeap () returned 0x4c0000 [0142.256] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0142.256] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0142.308] WriteFile (in: hFile=0x1b8, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0142.309] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0142.491] WriteFile (in: hFile=0x124, lpBuffer=0x54bb14, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 0x0 [0142.494] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0142.494] CloseHandle (hObject=0x124) returned 1 [0142.495] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\google chrome.lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk.CF364D7E329EBEB7E79E167C0B17A3EFEE00C2AA0A7656B821359374F4F41D70" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\google chrome.lnk.cf364d7e329ebeb7e79e167c0b17a3efee00c2aa0a7656b821359374f4f41d70")) returned 1 [0142.496] GetProcessHeap () returned 0x4c0000 [0142.496] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0142.496] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0142.671] CloseHandle (hObject=0x180) returned 1 [0142.673] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Google Chrome.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\google chrome.lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Google Chrome.lnk.20F97A29CA1990065AFFF03C452F9BCF10DFE6C0EFCD157CA3F6BC00B24CD136" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\google chrome.lnk.20f97a29ca1990065afff03c452f9bcf10dfe6c0efcd157ca3f6bc00b24cd136")) returned 1 [0142.675] GetProcessHeap () returned 0x4c0000 [0142.675] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0142.675] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0142.740] WriteFile (in: hFile=0x180, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0142.742] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0143.040] CloseHandle (hObject=0x180) returned 1 [0143.041] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player (2).lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows media player (2).lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player (2).lnk.76F1257D89199DA0F2210F0807BDB67C7874C18EF177963A68A2F6505AA29C15" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows media player (2).lnk.76f1257d89199da0f2210f0807bdb67c7874c18ef177963a68a2f6505aa29c15")) returned 1 [0143.048] GetProcessHeap () returned 0x4c0000 [0143.048] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0143.048] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0143.073] ReadFile (in: hFile=0x124, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0143.073] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0143.115] WriteFile (in: hFile=0x124, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0143.117] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0143.149] ReadFile (in: hFile=0x1d0, lpBuffer=0x54bb14, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0143.150] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0143.152] WriteFile (in: hFile=0x1d0, lpBuffer=0x54bb14*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 1 [0143.153] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0143.156] CloseHandle (hObject=0x1d0) returned 1 [0143.157] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Global.LNK" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\recent\\global.lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Global.LNK.E17269267E0464209C162A68C232C0B238413380BE6E12ACD48EE8835870DF63" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\recent\\global.lnk.e17269267e0464209c162a68c232c0b238413380be6e12acd48ee8835870df63")) returned 1 [0143.158] GetProcessHeap () returned 0x4c0000 [0143.158] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0143.162] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0143.203] ReadFile (in: hFile=0x184, lpBuffer=0x573b64, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64*, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30) returned 1 [0143.203] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0143.232] WriteFile (in: hFile=0x184, lpBuffer=0x573b64, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30) returned 0x0 [0143.233] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0143.302] ReadFile (in: hFile=0x18c, lpBuffer=0x54bb14, nNumberOfBytesToRead=0x800, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0143.302] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0143.305] WriteFile (in: hFile=0x18c, lpBuffer=0x54bb14*, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 1 [0143.331] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0143.768] ReadFile (in: hFile=0x18c, lpBuffer=0x54bb14, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0143.768] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0143.961] ReadFile (in: hFile=0x1d0, lpBuffer=0x573b64, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64*, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30) returned 1 [0143.961] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0144.009] WriteFile (in: hFile=0x1d0, lpBuffer=0x573b64, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30) returned 0x0 [0144.010] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0144.057] CloseHandle (hObject=0x1d4) returned 1 [0144.058] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cert8.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\cert8.db"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cert8.db.8D64AF9B7B24F37FC8BCD3080D993FE2232AFE793A07F453BDE0BE2C348D7302" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\cert8.db.8d64af9b7b24f37fc8bcd3080d993fe2232afe793a07f453bde0be2c348d7302")) returned 1 [0144.059] GetProcessHeap () returned 0x4c0000 [0144.059] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0144.059] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0144.332] WriteFile (in: hFile=0x128, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0144.333] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0144.442] WriteFile (in: hFile=0x128, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0144.443] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0144.446] CloseHandle (hObject=0x128) returned 1 [0144.448] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\localstore.rdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\localstore.rdf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\localstore.rdf.77FDD96ADF5AE6FDD76AF6456635A4EA3F00979D47316F5FB496D963D187BF63" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\localstore.rdf.77fdd96adf5ae6fdd76af6456635a4ea3f00979d47316f5fb496d963d187bf63")) returned 1 [0144.450] GetProcessHeap () returned 0x4c0000 [0144.450] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0144.451] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0144.617] CloseHandle (hObject=0x1d0) returned 1 [0144.618] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\prefs.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\prefs.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\prefs.js.79B678272ED0D7B3BBDD63AE32FB383C22CE345AC0B937982F12EE49B264B169" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\prefs.js.79b678272ed0d7b3bbdd63ae32fb383c22ce345ac0b937982f12ee49b264b169")) returned 1 [0144.619] GetProcessHeap () returned 0x4c0000 [0144.619] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0144.619] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0144.639] ReadFile (in: hFile=0x1d0, lpBuffer=0x54bb14, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0144.639] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0144.697] ReadFile (in: hFile=0x18c, lpBuffer=0x3b580d4, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b380a0) returned 1 [0144.697] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0144.722] WriteFile (in: hFile=0x18c, lpBuffer=0x3b580d4, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0) returned 0x0 [0144.723] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0144.735] ReadFile (in: hFile=0x178, lpBuffer=0x3b80124, nNumberOfBytesToRead=0xa00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0) returned 1 [0144.736] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0144.739] CloseHandle (hObject=0x178) returned 1 [0144.740] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\sessionstore.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.js.328A88B7DDE1B17F9E47479030AA6C8AE104E9C122BD9B2281DD24C0DC36685A" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\sessionstore.js.328a88b7dde1b17f9e47479030aa6c8ae104e9c122bd9b2281dd24c0dc36685a")) returned 1 [0144.741] GetProcessHeap () returned 0x4c0000 [0144.741] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0144.741] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0144.747] CloseHandle (hObject=0x1d4) returned 1 [0144.748] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\secmod.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\secmod.db"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\secmod.db.3703E2E5999E7012DA2DD446E316BC4A1A07DFEAAEBA9A5E4DDFF65A4D58573E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\secmod.db.3703e2e5999e7012da2dd446e316bc4a1a07dfeaaeba9a5e4ddff65a4d58573e")) returned 1 [0144.753] GetProcessHeap () returned 0x4c0000 [0144.753] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x553b30 | out: hHeap=0x4c0000) returned 1 [0144.755] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0144.769] ReadFile (in: hFile=0x178, lpBuffer=0x3b80124, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0) returned 1 [0144.769] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0144.809] WriteFile (in: hFile=0x178, lpBuffer=0x3b80124*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b600f0) returned 1 [0144.827] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0144.843] CloseHandle (hObject=0x128) returned 1 [0144.848] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\places.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\places.sqlite"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\places.sqlite.DCE5E15F71AFBE05E9EC5E9255EF5F5FFB2FA31C4796FD250356DCA1BBA3EF6B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\places.sqlite.dce5e15f71afbe05e9ec5e9255ef5f5ffb2fa31c4796fd250356dca1bba3ef6b")) returned 1 [0144.849] GetProcessHeap () returned 0x4c0000 [0144.849] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0144.852] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0144.930] CloseHandle (hObject=0xec) returned 1 [0144.931] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite.35749FAC484EE0F1347F98EDEC3A9C3249AF2EB9A7E4A5E183CB1992161E6251" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite.35749fac484ee0f1347f98edec3a9c3249af2eb9a7e4a5e183cb1992161e6251")) returned 1 [0144.933] GetProcessHeap () returned 0x4c0000 [0144.933] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c380a0 | out: hHeap=0x4c0000) returned 1 [0144.934] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0144.936] CloseHandle (hObject=0x1d0) returned 1 [0144.938] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\search.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\search.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\search.json.6919FC5782E30B92583A1298A6E34AE1D4679DB27FEB117B20A6B34EED23D50C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\search.json.6919fc5782e30b92583a1298a6e34ae1d4679db27feb117b20a6b34eed23d50c")) returned 1 [0144.939] GetProcessHeap () returned 0x4c0000 [0144.939] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0144.940] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0144.943] CloseHandle (hObject=0x178) returned 1 [0144.944] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\signons.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\signons.sqlite"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\signons.sqlite.C6CD9CB896009C63C5A9EAD9FCF418ACBD84224936AD72557F20207F2C2CBE14" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\signons.sqlite.c6cd9cb896009c63c5a9ead9fcf418acbd84224936ad72557f20207f2c2cbe14")) returned 1 [0144.946] GetProcessHeap () returned 0x4c0000 [0144.946] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b600f0 | out: hHeap=0x4c0000) returned 1 [0144.947] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0144.965] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0144.965] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0145.008] WriteFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0145.013] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0145.066] ReadFile (in: hFile=0x1b8, lpBuffer=0x3b80124, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0) returned 1 [0145.066] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0145.141] ReadFile (in: hFile=0x1b8, lpBuffer=0x3b80124, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0 | out: lpBuffer=0x3b80124*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b600f0) returned 1 [0145.192] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0145.245] CloseHandle (hObject=0x18c) returned 1 [0145.247] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.bak" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\sessionstore.bak"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.bak.7678CA3A27D75CBE0FDB2B69E58DD1E7F2AA7E32F4FD6BAB183CB3B08D0B2623" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\sessionstore.bak.7678ca3a27d75cbe0fdb2b69e58dd1e7f2aa7e32f4fd6bab183cb3b08d0b2623")) returned 1 [0145.248] GetProcessHeap () returned 0x4c0000 [0145.248] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b380a0 | out: hHeap=0x4c0000) returned 1 [0145.248] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0145.281] ReadFile (in: hFile=0x18c, lpBuffer=0x54bb14, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0145.313] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0145.317] CloseHandle (hObject=0x18c) returned 1 [0145.318] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\p4hvEdXOtYB-x oYdAN.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\p4hvedxotyb-x oydan.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\p4hvEdXOtYB-x oYdAN.m4a.42F893A988E179CB55E215FDF525261BDF74C2D6956712391E42A5240E1ABB69" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\p4hvedxotyb-x oydan.m4a.42f893a988e179cb55e215fdf525261bdf74c2d6956712391e42a5240e1abb69")) returned 1 [0145.319] GetProcessHeap () returned 0x4c0000 [0145.319] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0145.319] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0145.338] ReadFile (in: hFile=0x1b8, lpBuffer=0x573b64, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64*, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30) returned 1 [0145.338] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0145.368] CloseHandle (hObject=0x1b8) returned 1 [0145.369] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\pCtsa_FSOttrlc8t8s9.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\pctsa_fsottrlc8t8s9.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\pCtsa_FSOttrlc8t8s9.wav.F3BE18B45EF36D7DFB2581B08118C6577AF52A52DAD943C05092FD034589F545" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\pctsa_fsottrlc8t8s9.wav.f3be18b45ef36d7dfb2581b08118c6577af52a52dad943c05092fd034589f545")) returned 1 [0145.371] GetProcessHeap () returned 0x4c0000 [0145.371] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x553b30 | out: hHeap=0x4c0000) returned 1 [0145.371] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0145.390] ReadFile (in: hFile=0x1b8, lpBuffer=0x54bb14, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0145.390] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0145.446] ReadFile (in: hFile=0x1b8, lpBuffer=0x54bb14, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0145.446] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0145.579] CloseHandle (hObject=0x120) returned 1 [0145.579] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webappsstore.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\webappsstore.sqlite"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webappsstore.sqlite.8D1FC8BE77DB48EEBDA2389CD0F7DA809B8ED6F272793A9FC5D40B0A08A15466" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\webappsstore.sqlite.8d1fc8be77db48eebda2389cd0f7da809b8ed6f272793a9fc5d40b0a08a15466")) returned 1 [0145.580] GetProcessHeap () returned 0x4c0000 [0145.580] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0145.581] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0145.598] ReadFile (in: hFile=0x1b8, lpBuffer=0x54bb14, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0145.599] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0145.609] CloseHandle (hObject=0x1b8) returned 1 [0145.609] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\QVAM3q.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\qvam3q.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\QVAM3q.bmp.1D18E0ADB2D285D34AD8EF544D48203DB3A651FF8EE94376B1043ABB18C30307" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\qvam3q.bmp.1d18e0adb2d285d34ad8ef544d48203db3a651ff8ee94376b1043abb18c30307")) returned 1 [0145.611] GetProcessHeap () returned 0x4c0000 [0145.611] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0145.611] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0145.631] ReadFile (in: hFile=0x1b8, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0145.631] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0145.660] CloseHandle (hObject=0x1b8) returned 1 [0145.663] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\rfWLnqosBl.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\rfwlnqosbl.ppt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\rfWLnqosBl.ppt.58004835F1F1157C666625EC7DC272CB5E5BAC93CC947ACA5A385B166CD0594F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\rfwlnqosbl.ppt.58004835f1f1157c666625ec7dc272cb5e5bac93cc947aca5a385b166cd0594f")) returned 1 [0145.665] GetProcessHeap () returned 0x4c0000 [0145.665] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0145.665] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0145.684] ReadFile (in: hFile=0x1b8, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0145.684] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0145.712] WriteFile (in: hFile=0x1b8, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0145.714] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0145.769] CloseHandle (hObject=0x1b8) returned 1 [0145.770] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\t xJ7vhKbu92Ki7.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\t xj7vhkbu92ki7.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\t xJ7vhKbu92Ki7.swf.C919B040111565664CF6AEA51BB377DB7838E5887848861E6D45474B7566A300" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\t xj7vhkbu92ki7.swf.c919b040111565664cf6aea51bb377db7838e5887848861e6d45474b7566a300")) returned 1 [0145.771] GetProcessHeap () returned 0x4c0000 [0145.772] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0145.772] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0145.792] ReadFile (in: hFile=0x1b8, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0145.793] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0145.874] CloseHandle (hObject=0x1b8) returned 1 [0145.875] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\tICyJkN.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\ticyjkn.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\tICyJkN.gif.76677BF0642FC3D114FF7FDD90E9C92D4CC8386A4E339E834B6A1C501EDDF969" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\ticyjkn.gif.76677bf0642fc3d114ff7fdd90e9c92d4cc8386a4e339e834b6a1c501eddf969")) returned 1 [0145.877] GetProcessHeap () returned 0x4c0000 [0145.877] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0145.877] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0145.956] ReadFile (in: hFile=0x1b8, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0145.957] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0146.030] ReadFile (in: hFile=0x1b8, lpBuffer=0x522abc, nNumberOfBytesToRead=0x6000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0146.031] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0146.094] ReadFile (in: hFile=0x1b8, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0146.094] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0146.169] ReadFile (in: hFile=0x1b8, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0146.169] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0146.357] ReadFile (in: hFile=0x19c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0146.358] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0146.401] WriteFile (in: hFile=0x19c, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0146.401] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0146.409] CloseHandle (hObject=0x19c) returned 1 [0146.409] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\aclviho asldjfl.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact.774C92A5D6A7F19404E47FF944115D35B065A92829429247058CFC40780E212B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\aclviho asldjfl.contact.774c92a5d6a7f19404e47ff944115d35b065a92829429247058cfc40780e212b")) returned 1 [0146.411] GetProcessHeap () returned 0x4c0000 [0146.411] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0146.411] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0146.465] ReadFile (in: hFile=0x120, lpBuffer=0x573b64, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64*, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30) returned 1 [0146.465] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0146.466] WriteFile (in: hFile=0x120, lpBuffer=0x573b64*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30) returned 1 [0146.468] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0146.468] CloseHandle (hObject=0x120) returned 1 [0146.469] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\asdlfk poopvy.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact.DFBAE06B164F0E890C220BA2AA91CEFFC6988F9E2551697ECF673F351CD51D1B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\asdlfk poopvy.contact.dfbae06b164f0e890c220ba2aa91ceffc6988f9e2551697ecf673f351cd51d1b")) returned 1 [0146.470] GetProcessHeap () returned 0x4c0000 [0146.470] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x553b30 | out: hHeap=0x4c0000) returned 1 [0146.470] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0146.489] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0146.489] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0146.498] CloseHandle (hObject=0x120) returned 1 [0146.499] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\chucu jadnvk.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact.A58D31FE607A14203A567052DC160D06E5A64F7C1E8298B0F1887DB2B32C9343" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\chucu jadnvk.contact.a58d31fe607a14203a567052dc160d06e5a64f7c1e8298b0f1887db2b32c9343")) returned 1 [0146.500] GetProcessHeap () returned 0x4c0000 [0146.500] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0146.500] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0146.516] ReadFile (in: hFile=0x19c, lpBuffer=0x573b64, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64*, lpNumberOfBytesRead=0x0, lpOverlapped=0x553b30) returned 1 [0146.517] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0146.519] CloseHandle (hObject=0x19c) returned 1 [0146.521] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\lulcit amkdfe.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact.076F998C706585AA22F42EB21FBA01B5CB88968C977AA577EF6A0BF3A3278C55" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\lulcit amkdfe.contact.076f998c706585aa22f42eb21fba01b5cb88968c977aa577ef6a0bf3a3278c55")) returned 1 [0146.522] GetProcessHeap () returned 0x4c0000 [0146.522] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x553b30 | out: hHeap=0x4c0000) returned 1 [0146.522] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0146.541] ReadFile (in: hFile=0x19c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0146.541] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0146.543] CloseHandle (hObject=0x19c) returned 1 [0146.544] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\sikvnb huvuib.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact.2B000507D2EDB1FF6CFDC03283C68B7682D91BD41A1BB450FD607551717C3854" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\sikvnb huvuib.contact.2b000507d2edb1ff6cfdc03283c68b7682d91bd41a1bb450fd607551717c3854")) returned 1 [0146.545] GetProcessHeap () returned 0x4c0000 [0146.545] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0146.545] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0146.574] ReadFile (in: hFile=0x19c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0146.579] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0146.609] CloseHandle (hObject=0x19c) returned 1 [0146.610] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-tf4134D3q69ThXdEm8.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\-tf4134d3q69thxdem8.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-tf4134D3q69ThXdEm8.wav.E5CFC67EC4093EDADB002971E8669E5A4F9D1A058E612C2B8AF377146498B550" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\-tf4134d3q69thxdem8.wav.e5cfc67ec4093edadb002971e8669e5a4f9d1a058e612c2b8af377146498b550")) returned 1 [0146.611] GetProcessHeap () returned 0x4c0000 [0146.611] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0146.611] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0146.654] CloseHandle (hObject=0x1b8) returned 1 [0146.655] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\administrator.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact.EDB056EF26E0E9D768330BC47FF0EBCA8BD2B0134338D859EE77C41BDFD2EC14" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\administrator.contact.edb056ef26e0e9d768330bc47ff0ebca8bd2b0134338d859ee77c41bdfd2ec14")) returned 1 [0146.657] GetProcessHeap () returned 0x4c0000 [0146.657] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0146.657] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0146.677] ReadFile (in: hFile=0x1b8, lpBuffer=0x522abc, nNumberOfBytesToRead=0x7200, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0146.677] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0146.704] CloseHandle (hObject=0x1b8) returned 1 [0146.705] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0F8K7uAbDRg2oKlHOOp.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\0f8k7uabdrg2oklhoop.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0F8K7uAbDRg2oKlHOOp.swf.4313E870A721A3A8D99552E688357937B2E95F4FE2E148B7E3986C32A0E50736" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\0f8k7uabdrg2oklhoop.swf.4313e870a721a3a8d99552e688357937b2e95f4fe2e148b7e3986c32a0e50736")) returned 1 [0146.706] GetProcessHeap () returned 0x4c0000 [0146.706] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0146.706] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0146.726] ReadFile (in: hFile=0x1b8, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0146.726] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0146.761] CloseHandle (hObject=0x1b8) returned 1 [0146.762] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0Pb8wZh1_u354fUc5Pg.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\0pb8wzh1_u354fuc5pg.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0Pb8wZh1_u354fUc5Pg.png.B0CF558A67F225AE6B985EC5A925BAAFC470828C7E8B58E0A57CE81EB977215A" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\0pb8wzh1_u354fuc5pg.png.b0cf558a67f225ae6b985ec5a925baafc470828c7e8b58e0a57ce81eb977215a")) returned 1 [0146.764] GetProcessHeap () returned 0x4c0000 [0146.764] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0146.764] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0146.784] ReadFile (in: hFile=0x1b8, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0146.784] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0146.815] CloseHandle (hObject=0x1b8) returned 1 [0146.816] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0w2_HuzBVKK.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\0w2_huzbvkk.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0w2_HuzBVKK.swf.D6755738F4819D35CFD6712C2A601F9CA4487415A0C7036F45B3BDF9A4176064" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\0w2_huzbvkk.swf.d6755738f4819d35cfd6712c2a601f9ca4487415a0c7036f45b3bdf9a4176064")) returned 1 [0146.820] GetProcessHeap () returned 0x4c0000 [0146.820] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0146.820] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0146.838] ReadFile (in: hFile=0x19c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x5c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0146.839] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0146.885] CloseHandle (hObject=0x19c) returned 1 [0146.889] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\A_KbH9euCoWB16sjFP.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\a_kbh9eucowb16sjfp.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\A_KbH9euCoWB16sjFP.wav.B580898F1E180AA6B297F3129A6BDA4382FA9C060B5E163AE3FCC7ADCDED4E26" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\a_kbh9eucowb16sjfp.wav.b580898f1e180aa6b297f3129a6bda4382fa9c060b5e163ae3fcc7adcded4e26")) returned 1 [0146.891] GetProcessHeap () returned 0x4c0000 [0146.891] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0146.891] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0146.908] ReadFile (in: hFile=0x19c, lpBuffer=0x54bb14, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0146.908] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0146.940] CloseHandle (hObject=0x19c) returned 1 [0146.941] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\b9jHjBWD.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\b9jhjbwd.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\b9jHjBWD.docx.29873B8C6083AB4667906F4F3F27D6BD604EB9CC47EFC627B8D966B548C9AD69" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\b9jhjbwd.docx.29873b8c6083ab4667906f4f3f27d6bd604eb9cc47efc627b8d966b548c9ad69")) returned 1 [0146.942] GetProcessHeap () returned 0x4c0000 [0146.942] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0146.942] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0147.011] ReadFile (in: hFile=0x19c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0147.012] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0147.042] CloseHandle (hObject=0x19c) returned 1 [0147.042] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CLpT2zEHp.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\clpt2zehp.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CLpT2zEHp.m4a.0C9F6D98107AF4E223D366BD3FF672136E7AE88025370063ECD4DFE849310B14" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\clpt2zehp.m4a.0c9f6d98107af4e223d366bd3ff672136e7ae88025370063ecd4dfe849310b14")) returned 1 [0147.044] GetProcessHeap () returned 0x4c0000 [0147.044] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0147.044] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0147.063] ReadFile (in: hFile=0x19c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0147.063] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0147.092] CloseHandle (hObject=0x19c) returned 1 [0147.092] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Cn5147j.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cn5147j.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Cn5147j.flv.60B530F0F1923D7383844FD5B4EAF01A4234B4C1523CD5F3D3D291E03B0E746F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cn5147j.flv.60b530f0f1923d7383844fd5b4eaf01a4234b4c1523cd5f3d3d291e03b0e746f")) returned 1 [0147.094] GetProcessHeap () returned 0x4c0000 [0147.094] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0147.094] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0147.115] ReadFile (in: hFile=0x19c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0147.115] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0147.144] CloseHandle (hObject=0x19c) returned 1 [0147.145] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\eo-jl0VAL04zBAHvgF8.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\eo-jl0val04zbahvgf8.ots"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\eo-jl0VAL04zBAHvgF8.ots.541B7B3C9BDB6D44104BF0D526403804089B271B11597842F1DF7067CE8B5E7B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\eo-jl0val04zbahvgf8.ots.541b7b3c9bdb6d44104bf0d526403804089b271b11597842f1df7067ce8b5e7b")) returned 1 [0147.146] GetProcessHeap () returned 0x4c0000 [0147.146] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0147.146] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0147.168] ReadFile (in: hFile=0x19c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0147.168] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0147.200] CloseHandle (hObject=0x19c) returned 1 [0147.201] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fpO9vJe.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\fpo9vje.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fpO9vJe.swf.A2B96D86EA3468015E502B5DA0702FC80E10B93C4B236C6E2DD744FDBC8BDC7E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\fpo9vje.swf.a2b96d86ea3468015e502b5da0702fc80e10b93c4b236c6e2dd744fdbc8bdc7e")) returned 1 [0147.202] GetProcessHeap () returned 0x4c0000 [0147.202] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0147.202] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0147.222] ReadFile (in: hFile=0x19c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x7200, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0147.222] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0147.250] CloseHandle (hObject=0x19c) returned 1 [0147.252] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GqCMA7FMS.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\gqcma7fms.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GqCMA7FMS.avi.9A89060607DA2A8B23BBAC153D2774F409568451154CBF005BF97414740E4000" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\gqcma7fms.avi.9a89060607da2a8b23bbac153d2774f409568451154cbf005bf97414740e4000")) returned 1 [0147.253] GetProcessHeap () returned 0x4c0000 [0147.253] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0147.253] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0147.315] ReadFile (in: hFile=0x19c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0147.315] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0147.376] ReadFile (in: hFile=0x19c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0147.406] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0147.431] ReadFile (in: hFile=0x19c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x4c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0147.431] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0147.477] ReadFile (in: hFile=0x19c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0147.477] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0147.507] CloseHandle (hObject=0x19c) returned 1 [0147.509] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jxhq0Xrk.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\jxhq0xrk.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jxhq0Xrk.avi.DDCC31D65C5684386CB4D782BB20788CEA21C99DEE385F79B41EE15A4DE37329" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\jxhq0xrk.avi.ddcc31d65c5684386cb4d782bb20788cea21c99dee385f79b41ee15a4de37329")) returned 1 [0147.510] GetProcessHeap () returned 0x4c0000 [0147.510] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0147.510] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0147.612] ReadFile (in: hFile=0x19c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0147.612] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0147.674] ReadFile (in: hFile=0x19c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0147.674] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0147.763] WriteFile (in: hFile=0x120, lpBuffer=0x54bb14, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 0x0 [0147.767] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0147.787] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0147.787] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0147.872] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0147.930] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0147.990] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0xe00, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0147.990] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0148.027] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0148.028] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0148.083] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x6600, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0148.083] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0148.215] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0148.246] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0148.247] CloseHandle (hObject=0x120) returned 1 [0148.248] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\MpGXl_XVVu_5V.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\nxdzy2\\mpgxl_xvvu_5v.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NxdzY2\\MpGXl_XVVu_5V.docx.1EE4352514196078831B47F2495E8CBE42CC2AC157A2E40E2003FB7347290474" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\nxdzy2\\mpgxl_xvvu_5v.docx.1ee4352514196078831b47f2495e8cbe42cc2ac157a2e40e2003fb7347290474")) returned 1 [0148.249] GetProcessHeap () returned 0x4c0000 [0148.249] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0148.249] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0148.273] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0148.274] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0148.301] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0148.303] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0148.357] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0148.358] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0148.415] CloseHandle (hObject=0x1b8) returned 1 [0148.416] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\oxSI_sgNB -Ju.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\oxsi_sgnb -ju.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\oxSI_sgNB -Ju.avi.E192E7470B4E707AB392AF60D9CA494F485F86CC83AD8B038C79D7E4B7E7FC10" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\oxsi_sgnb -ju.avi.e192e7470b4e707ab392af60d9ca494f485f86cc83ad8b038c79d7e4b7e7fc10")) returned 1 [0148.417] GetProcessHeap () returned 0x4c0000 [0148.417] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0148.417] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0148.468] WriteFile (in: hFile=0x1b8, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0148.479] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0148.710] WriteFile (in: hFile=0x120, lpBuffer=0x54bb14*, nNumberOfBytesToWrite=0x3800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 1 [0148.712] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0148.765] CloseHandle (hObject=0x120) returned 1 [0148.766] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\t1jgxIqaPpFxf.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\t1jgxiqappfxf.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\t1jgxIqaPpFxf.mp3.A9AE9BFB8EA64037B707C69085E6683A6EE33A1ED5FF62FA5C99985D3351CE32" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\t1jgxiqappfxf.mp3.a9ae9bfb8ea64037b707c69085e6683a6ee33a1ed5ff62fa5c99985d3351ce32")) returned 1 [0148.767] GetProcessHeap () returned 0x4c0000 [0148.767] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0148.767] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0148.824] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0148.826] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0148.977] CloseHandle (hObject=0x120) returned 1 [0148.977] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\UDvlcVCbmLzsoln6-.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\udvlcvcbmlzsoln6-.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\UDvlcVCbmLzsoln6-.flv.44EB432C80174698604C05F3AF868F4879EB8B8025F9270CAF5B59F941B71B56" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\udvlcvcbmlzsoln6-.flv.44eb432c80174698604c05f3af868f4879eb8b8025f9270caf5b59f941b71b56")) returned 1 [0148.979] GetProcessHeap () returned 0x4c0000 [0148.979] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0148.979] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0149.308] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0149.313] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0149.396] CloseHandle (hObject=0x120) returned 1 [0149.398] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\utf36wt3njCMh.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\utf36wt3njcmh.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\utf36wt3njCMh.mp4.F527DAFC41012AB9E694F644D808C6B0FF2AA2992489726FF6DD7268AC079E7B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\utf36wt3njcmh.mp4.f527dafc41012ab9e694f644d808c6b0ff2aa2992489726ff6dd7268ac079e7b")) returned 1 [0149.400] GetProcessHeap () returned 0x4c0000 [0149.400] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0149.400] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0149.480] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0149.482] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0149.620] CloseHandle (hObject=0x120) returned 1 [0149.620] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\w8uqhRtiR.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\w8uqhrtir.ppt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\w8uqhRtiR.ppt.90AFEB0337BB01584B4DBA084D15F95AA565E67436D06E356E6A6A672047F74F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\w8uqhrtir.ppt.90afeb0337bb01584b4dba084d15f95aa565e67436d06e356e6a6a672047f74f")) returned 1 [0149.622] GetProcessHeap () returned 0x4c0000 [0149.622] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0149.622] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0149.699] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0149.704] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0149.785] CloseHandle (hObject=0x120) returned 1 [0149.787] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\yCsEXnLveL.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ycsexnlvel.ods"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\yCsEXnLveL.ods.0708BB4AC0B4FE5E5587DB639D53B5C7274B41886E3DE8FAFDB1BD002C572834" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ycsexnlvel.ods.0708bb4ac0b4fe5e5587db639d53b5c7274b41886e3de8fafdb1bd002c572834")) returned 1 [0149.788] GetProcessHeap () returned 0x4c0000 [0149.788] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0149.788] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0149.875] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0149.877] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0150.015] CloseHandle (hObject=0x120) returned 1 [0150.016] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZO0F-QI2EeaUOsWG O.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zo0f-qi2eeauoswg o.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZO0F-QI2EeaUOsWG O.jpg.671E7D241E84E7D3FFD7B22B172038B79292205642281E9A79F16F3CD20F3F05" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zo0f-qi2eeauoswg o.jpg.671e7d241e84e7d3ffd7b22b172038b79292205642281e9a79f16f3cd20f3f05")) returned 1 [0150.018] GetProcessHeap () returned 0x4c0000 [0150.018] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0150.018] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0150.051] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0150.053] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0150.102] CloseHandle (hObject=0x120) returned 1 [0150.103] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_Zan1QCfG445yVu.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_zan1qcfg445yvu.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_Zan1QCfG445yVu.avi.315D6E0FF0ECC4F1839BA7AC6303CDF43457E97F1EA6204A46FD6FF8C8E9DC35" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_zan1qcfg445yvu.avi.315d6e0ff0ecc4f1839ba7ac6303cdf43457e97f1ea6204a46fd6ff8c8e9dc35")) returned 1 [0150.104] GetProcessHeap () returned 0x4c0000 [0150.104] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0150.104] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0150.213] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0150.215] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0150.267] CloseHandle (hObject=0x120) returned 1 [0150.268] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\1e6jlo2AwZK5Na.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\1e6jlo2awzk5na.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\1e6jlo2AwZK5Na.xlsx.5A30B1C9A4AB911E84ADEA2A1AE6EBDE6759FA825E037A9AAD1A9C383B180A4E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\1e6jlo2awzk5na.xlsx.5a30b1c9a4ab911e84adea2a1ae6ebde6759fa825e037a9aad1a9c383b180a4e")) returned 1 [0150.269] GetProcessHeap () returned 0x4c0000 [0150.269] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0150.270] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0150.327] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x5a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0150.329] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0150.471] CloseHandle (hObject=0x120) returned 1 [0150.472] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ed4Ncr.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ed4ncr.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ed4Ncr.docx.9C60C9111DA3FE3DADD786EEB2312FD7CBA4BF6A2A6EC29F0720A04D55A5C50C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ed4ncr.docx.9c60c9111da3fe3dadd786eeb2312fd7cba4bf6a2a6ec29f0720a04d55a5c50c")) returned 1 [0150.474] GetProcessHeap () returned 0x4c0000 [0150.474] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0150.474] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0150.526] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0150.527] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0150.555] CloseHandle (hObject=0x120) returned 1 [0150.556] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\iCizVMn37xQp.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\icizvmn37xqp.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\iCizVMn37xQp.docx.7AFFBE10BC1D018FF319D68C59AC572D96A3C14628B6749C125AA5C6530FA36A" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\icizvmn37xqp.docx.7affbe10bc1d018ff319d68c59ac572d96a3c14628b6749c125aa5c6530fa36a")) returned 1 [0150.557] GetProcessHeap () returned 0x4c0000 [0150.557] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0150.557] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0150.590] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x4200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0150.591] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0150.645] CloseHandle (hObject=0x120) returned 1 [0150.646] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KOsd6Ahis5aG9Xb2Z.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kosd6ahis5ag9xb2z.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KOsd6Ahis5aG9Xb2Z.xlsx.258E7B455DF56D9CD13946A401E45633B2BA3AB346D8C2C0ED8FB435DA1BE71F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kosd6ahis5ag9xb2z.xlsx.258e7b455df56d9cd13946a401e45633b2ba3ab346d8c2c0ed8fb435da1be71f")) returned 1 [0150.648] GetProcessHeap () returned 0x4c0000 [0150.648] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0150.648] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0150.745] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0150.747] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0151.151] CloseHandle (hObject=0x120) returned 1 [0151.153] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oDtfmtDtdiKSGL.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\odtfmtdtdiksgl.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oDtfmtDtdiKSGL.pptx.F11E0AF4A4AC130E9CC255D79B5205D20305A89C585A5CB14B47C1420A852B41" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\odtfmtdtdiksgl.pptx.f11e0af4a4ac130e9cc255d79b5205d20305a89c585a5cb14b47c1420a852b41")) returned 1 [0151.154] GetProcessHeap () returned 0x4c0000 [0151.154] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0151.154] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0151.198] WriteFile (in: hFile=0x120, lpBuffer=0x54bb14*, nNumberOfBytesToWrite=0x6800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 1 [0151.203] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0151.258] CloseHandle (hObject=0x1b8) returned 1 [0151.259] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files\\voeimd@djhreuu.uhd.pst"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst.FBD4A1FA20DC885C1263F95B91AD42F7184B89798BF524AF947C2B8D2E368E46" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files\\voeimd@djhreuu.uhd.pst.fbd4a1fa20dc885c1263f95b91ad42f7184b89798bf524af947c2b8d2e368e46")) returned 1 [0151.260] GetProcessHeap () returned 0x4c0000 [0151.260] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0151.260] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0151.387] WriteFile (in: hFile=0x120, lpBuffer=0x54bb14*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 1 [0151.389] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0151.613] CloseHandle (hObject=0x1b8) returned 1 [0151.614] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\DqH1D-RwAV.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qe9vnj9fzxmj9b4\\dqh1d-rwav.odt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\DqH1D-RwAV.odt.41942855CC40B81C10DF6B96FFAB5D22D77E84F4DFEBDCB95E09482C88370903" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qe9vnj9fzxmj9b4\\dqh1d-rwav.odt.41942855cc40b81c10df6b96ffab5d22d77e84f4dfebdcb95e09482c88370903")) returned 1 [0151.616] GetProcessHeap () returned 0x4c0000 [0151.616] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0151.616] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0151.666] WriteFile (in: hFile=0x18c, lpBuffer=0x54bb14*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 1 [0151.668] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0151.718] WriteFile (in: hFile=0x184, lpBuffer=0x54bb14*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 1 [0151.723] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0151.975] WriteFile (in: hFile=0x124, lpBuffer=0x573b64*, nNumberOfBytesToWrite=0x2400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30 | out: lpBuffer=0x573b64*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x553b30) returned 1 [0151.977] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0152.041] CloseHandle (hObject=0x124) returned 1 [0152.042] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\sTsZNB.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qe9vnj9fzxmj9b4\\k arjl\\iw22pbxkxlveur2q\\stsznb.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\Iw22pBXKxLvEur2Q\\sTsZNB.xlsx.1A019D3754D4D570B921086FADC2DE615F50A178C9364DEAB39C64769570A449" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qe9vnj9fzxmj9b4\\k arjl\\iw22pbxkxlveur2q\\stsznb.xlsx.1a019d3754d4d570b921086fadc2de615f50a178c9364deab39c64769570a449")) returned 1 [0152.043] GetProcessHeap () returned 0x4c0000 [0152.043] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0152.043] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0152.101] WriteFile (in: hFile=0x124, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0152.104] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0152.168] CloseHandle (hObject=0x18c) returned 1 [0152.169] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\KtHl.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qe9vnj9fzxmj9b4\\k arjl\\kthl.ots"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\KtHl.ots.5E9BBCFE0D54AEA74654EADC27C2A7AA5A777C2BEF145E75BFCD5B87677BEE77" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qe9vnj9fzxmj9b4\\k arjl\\kthl.ots.5e9bbcfe0d54aea74654eadc27c2a7aa5a777c2bef145e75bfcd5b87677bee77")) returned 1 [0152.171] GetProcessHeap () returned 0x4c0000 [0152.171] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0152.171] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0152.260] WriteFile (in: hFile=0x18c, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x6400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0152.262] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0152.323] CloseHandle (hObject=0x18c) returned 1 [0152.323] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\q0ve.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qe9vnj9fzxmj9b4\\k arjl\\q0ve.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qe9vNJ9FzXmj9B4\\K Arjl\\q0ve.xlsx.0FCE411CA2FA264618A72B11027091290FCB8488F33648DCD4AF16B6F4174E5C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qe9vnj9fzxmj9b4\\k arjl\\q0ve.xlsx.0fce411ca2fa264618a72b11027091290fcb8488f33648dcd4af16b6f4174e5c")) returned 1 [0152.325] GetProcessHeap () returned 0x4c0000 [0152.325] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0152.325] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0152.359] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x2400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0152.361] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0152.396] WriteFile (in: hFile=0x1b8, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0152.397] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0152.447] WriteFile (in: hFile=0x1b8, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0152.449] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0152.511] WriteFile (in: hFile=0x1b8, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0152.513] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0152.605] CloseHandle (hObject=0x18c) returned 1 [0152.606] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\15UhXOS.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tdypv_9ygfbgvlp\\r2rds_plw\\15uhxos.ods"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\15UhXOS.ods.4A065471A0AC8024677CEF9ADDBABBFE08B862FA493789ECD0A6840231E76C37" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tdypv_9ygfbgvlp\\r2rds_plw\\15uhxos.ods.4a065471a0ac8024677cef9addbabbfe08b862fa493789ecd0a6840231e76c37")) returned 1 [0152.607] GetProcessHeap () returned 0x4c0000 [0152.607] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0152.607] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0152.655] WriteFile (in: hFile=0x18c, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0152.656] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0152.709] WriteFile (in: hFile=0x18c, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0152.710] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0152.823] CloseHandle (hObject=0x18c) returned 1 [0152.825] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\hx33cCEIveP89JAH.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tdypv_9ygfbgvlp\\r2rds_plw\\hx33cceivep89jah.xls"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\r2rdS_PLw\\hx33cCEIveP89JAH.xls.B031E5D299639BC5FC0CD449AB2A2ED4D264D8F10E496992A666FB51C4305541" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tdypv_9ygfbgvlp\\r2rds_plw\\hx33cceivep89jah.xls.b031e5d299639bc5fc0cd449ab2a2ed4d264d8f10e496992a666fb51c4305541")) returned 1 [0152.826] GetProcessHeap () returned 0x4c0000 [0152.826] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0152.826] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0152.866] ReadFile (in: hFile=0x18c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0152.867] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0152.929] ReadFile (in: hFile=0x1b8, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0152.949] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0152.978] CloseHandle (hObject=0x1b8) returned 1 [0152.978] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\u3Ly.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tdypv_9ygfbgvlp\\u3ly.odp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tDyPV_9YGFbgvlp\\u3Ly.odp.62AF4BB40488934DE72F675EB403E5B03B022A4541683EE933D0EE2EAB9F463A" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tdypv_9ygfbgvlp\\u3ly.odp.62af4bb40488934de72f675eb403e5b03b022a4541683ee933d0ee2eab9f463a")) returned 1 [0152.979] GetProcessHeap () returned 0x4c0000 [0152.980] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0152.980] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0153.002] ReadFile (in: hFile=0x1b8, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0153.002] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0153.071] WriteFile (in: hFile=0x1b8, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x4c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0153.073] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0153.113] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x2c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0153.114] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0153.165] CloseHandle (hObject=0x120) returned 1 [0153.165] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WyoL6z5i9f.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\wyol6z5i9f.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WyoL6z5i9f.pptx.03B2951E36CE9EDF728F857DB4C6DB97B267C7DF5E4FC2076AC10D996692F315" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\wyol6z5i9f.pptx.03b2951e36ce9edf728f857db4c6db97b267c7df5e4fc2076ac10d996692f315")) returned 1 [0153.167] GetProcessHeap () returned 0x4c0000 [0153.167] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0153.167] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0153.268] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0153.572] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0153.638] WriteFile (in: hFile=0x184, lpBuffer=0x3b580d4, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0 | out: lpBuffer=0x3b580d4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b380a0) returned 0x0 [0153.645] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0153.673] ReadFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToRead=0x6800, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 0x0 [0153.716] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0153.744] ReadFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0153.744] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0153.817] ReadFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0153.897] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0153.976] ReadFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0153.977] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0154.023] CloseHandle (hObject=0x184) returned 1 [0154.023] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\eCCI2YeA.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ecci2yea.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\eCCI2YeA.m4a.4A188C79E13C9592B8669D3C0845857C786F06F29C0F511AFD8705B49C5CCA6A" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ecci2yea.m4a.4a188c79e13c9592b8669d3c0845857c786f06f29c0f511afd8705b49c5cca6a")) returned 1 [0154.025] GetProcessHeap () returned 0x4c0000 [0154.025] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0154.025] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0154.053] ReadFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0154.054] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0154.128] ReadFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToRead=0x6e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0154.128] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0154.199] ReadFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToRead=0x2400, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0154.199] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0154.208] WriteFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x2400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0154.212] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0154.234] ReadFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0154.234] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0154.264] WriteFile (in: hFile=0x184, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0154.266] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0154.349] WriteFile (in: hFile=0x184, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0154.351] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0154.413] CloseHandle (hObject=0x184) returned 1 [0154.414] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J1YysQ1gIJGrFG7NF S.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\j1yysq1gijgrfg7nf s.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J1YysQ1gIJGrFG7NF S.m4a.4494FD68FEDA6A881CBD0CBF5F3906C2AFF5B9520622F4489A119E778A6EED56" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\j1yysq1gijgrfg7nf s.m4a.4494fd68feda6a881cbd0cbf5f3906c2aff5b9520622f4489a119e778a6eed56")) returned 1 [0154.416] GetProcessHeap () returned 0x4c0000 [0154.416] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0154.416] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0154.484] WriteFile (in: hFile=0x184, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x7e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0154.486] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0154.522] CloseHandle (hObject=0x184) returned 1 [0154.522] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\KNdqRB_LKb9rLEGzw78p.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kndqrb_lkb9rlegzw78p.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\KNdqRB_LKb9rLEGzw78p.m4a.D21327D772C1AAC617FC9EAE00887284173F965DBE8D4EECC94E4DBDB51EAC5B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kndqrb_lkb9rlegzw78p.m4a.d21327d772c1aac617fc9eae00887284173f965dbe8d4eecc94e4dbdb51eac5b")) returned 1 [0154.524] GetProcessHeap () returned 0x4c0000 [0154.524] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0154.524] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0154.584] WriteFile (in: hFile=0x184, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x6400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0154.586] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0154.738] CloseHandle (hObject=0x184) returned 1 [0154.739] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\M-nb0eXJMDzaZSML.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\m-nb0exjmdzazsml.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\M-nb0eXJMDzaZSML.mp3.6420648D667AB464C55EB548197D7DB8A68984C9245C01640F28B8E29DD8CF47" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\m-nb0exjmdzazsml.mp3.6420648d667ab464c55eb548197d7db8a68984c9245c01640f28b8e29dd8cf47")) returned 1 [0154.740] GetProcessHeap () returned 0x4c0000 [0154.740] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0154.740] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0154.789] WriteFile (in: hFile=0x184, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0154.791] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0154.887] CloseHandle (hObject=0x184) returned 1 [0154.888] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\njC4S9Pob8EXa9ymY_i.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\njc4s9pob8exa9ymy_i.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\njC4S9Pob8EXa9ymY_i.mp3.72230C9D6953C457075E7D08477CF36E9114E5869002D4D939F8DAD970C28071" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\njc4s9pob8exa9ymy_i.mp3.72230c9d6953c457075e7d08477cf36e9114e5869002d4d939f8dad970c28071")) returned 1 [0154.889] GetProcessHeap () returned 0x4c0000 [0154.889] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0154.889] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0154.941] WriteFile (in: hFile=0x184, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0154.957] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0154.997] CloseHandle (hObject=0x184) returned 1 [0154.998] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\TS8M.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ts8m.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\TS8M.mp3.CDF02B09B11A0495FC9DD6EE29EC6A8DA2776B809A9E07D5A644C39FE2C2A444" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ts8m.mp3.cdf02b09b11a0495fc9dd6ee29ec6a8da2776b809a9e07d5a644c39fe2c2a444")) returned 1 [0154.999] GetProcessHeap () returned 0x4c0000 [0154.999] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0154.999] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0155.077] WriteFile (in: hFile=0x184, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0155.079] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0155.175] CloseHandle (hObject=0x184) returned 1 [0155.176] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\vhalY1z4.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\vhaly1z4.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\vhalY1z4.m4a.8F95EA606791DEC45D435745C2379B014B4C8319D628F335385019250CD91D48" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\vhaly1z4.m4a.8f95ea606791dec45d435745c2379b014b4c8319d628f335385019250cd91d48")) returned 1 [0155.177] GetProcessHeap () returned 0x4c0000 [0155.177] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0155.178] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0155.244] WriteFile (in: hFile=0x184, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0155.265] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0155.397] CloseHandle (hObject=0x184) returned 1 [0155.398] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\YjrSuayk6nrk.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\yjrsuayk6nrk.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\YjrSuayk6nrk.m4a.CE2D62EE0014906D739598D3D49708D8CF6016B8D28AC4D948268A0B605AD842" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\yjrsuayk6nrk.m4a.ce2d62ee0014906d739598d3d49708d8cf6016b8d28ac4d948268a0b605ad842")) returned 1 [0155.399] GetProcessHeap () returned 0x4c0000 [0155.399] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0155.399] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0155.496] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0155.498] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0155.584] CloseHandle (hObject=0x184) returned 1 [0155.585] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bHFr.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\bhfr.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bHFr.gif.D445302E6110372B87F4500A038B06B4952119A4E66B37257403755CF01B130D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\bhfr.gif.d445302e6110372b87f4500a038b06b4952119a4e66b37257403755cf01b130d")) returned 1 [0155.586] GetProcessHeap () returned 0x4c0000 [0155.586] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0155.587] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0155.656] WriteFile (in: hFile=0x184, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0155.658] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0155.730] CloseHandle (hObject=0x184) returned 1 [0155.730] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Ucr_k.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\ucr_k.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Ucr_k.gif.439CEACB55A7B001F0EF8B8BFEE7984F0B37DBCAAB5CEE11EA2ED340327ACE79" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\ucr_k.gif.439ceacb55a7b001f0ef8b8bfee7984f0b37dbcaab5cee11ea2ed340327ace79")) returned 1 [0155.732] GetProcessHeap () returned 0x4c0000 [0155.732] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0155.732] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0155.801] WriteFile (in: hFile=0x120, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0155.803] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0155.968] CloseHandle (hObject=0x124) returned 1 [0155.968] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\D_TxNc6.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\gam6ubn\\d_txnc6.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\D_TxNc6.gif.29CB800F0C56BD59F2D67DCDE4F8700247D80742C045A54F28273E7E87BB3B21" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\gam6ubn\\d_txnc6.gif.29cb800f0c56bd59f2d67dcde4f8700247d80742c045a54f28273e7e87bb3b21")) returned 1 [0155.970] GetProcessHeap () returned 0x4c0000 [0155.970] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0155.970] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0156.020] WriteFile (in: hFile=0x124, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0156.021] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0156.073] CloseHandle (hObject=0x124) returned 1 [0156.073] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\I4FUnuiyLDNq8ecE3N33.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\gam6ubn\\i4funuiyldnq8ece3n33.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\Gam6UBN\\I4FUnuiyLDNq8ecE3N33.bmp.A45CB5D63C7129EB3331D052706A10982B8FB5AA31EF16CC3AE0CA909ECF407A" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\gam6ubn\\i4funuiyldnq8ece3n33.bmp.a45cb5d63c7129eb3331d052706a10982b8fb5aa31ef16cc3ae0ca909ecf407a")) returned 1 [0156.074] GetProcessHeap () returned 0x4c0000 [0156.074] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0156.074] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0156.109] WriteFile (in: hFile=0x124, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0156.111] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0156.188] CloseHandle (hObject=0x120) returned 1 [0156.189] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\hyJTA5O3eZ6IAF4Op.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\hyjta5o3ez6iaf4op.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\hyJTA5O3eZ6IAF4Op.bmp.3262A19EDFD72DF806A6F367D9B2F2E2CDF5127A6B897FE7C4A6F75B8BB4407D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\hyjta5o3ez6iaf4op.bmp.3262a19edfd72df806a6f367d9b2f2e2cdf5127a6b897fe7c4a6f75b8bb4407d")) returned 1 [0156.190] GetProcessHeap () returned 0x4c0000 [0156.190] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0156.190] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0156.239] WriteFile (in: hFile=0x19c, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0156.241] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0156.401] CloseHandle (hObject=0x18c) returned 1 [0156.402] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\10Dg.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\p8vnb3ngvtyiwbup\\10dg.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\10Dg.gif.C548F3833F8E96F8918260BC9EA4C07B511EEEACA5C6835756B3C2452E23C04F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\p8vnb3ngvtyiwbup\\10dg.gif.c548f3833f8e96f8918260bc9ea4c07b511eeeaca5c6835756b3c2452e23c04f")) returned 1 [0156.403] GetProcessHeap () returned 0x4c0000 [0156.403] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0156.403] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0156.424] ReadFile (in: hFile=0x19c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0156.425] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0156.453] WriteFile (in: hFile=0x19c, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0156.455] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0156.534] WriteFile (in: hFile=0x19c, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0156.537] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0156.592] WriteFile (in: hFile=0x19c, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0156.593] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0156.673] CloseHandle (hObject=0x19c) returned 1 [0156.674] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\Hewj2Y1GQ6O.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\p8vnb3ngvtyiwbup\\dmzhpx3 2df4pzbw\\hewj2y1gq6o.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\Hewj2Y1GQ6O.png.F1D31A5315A797035D5CA82EBDA375C276C41BF52D5CA4B79214BC50DB12CE6A" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\p8vnb3ngvtyiwbup\\dmzhpx3 2df4pzbw\\hewj2y1gq6o.png.f1d31a5315a797035d5ca82ebda375c276c41bf52d5ca4b79214bc50db12ce6a")) returned 1 [0156.676] GetProcessHeap () returned 0x4c0000 [0156.676] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0156.676] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0156.697] ReadFile (in: hFile=0x19c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0156.697] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0156.727] CloseHandle (hObject=0x19c) returned 1 [0156.728] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\KPas9_W6unI.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\p8vnb3ngvtyiwbup\\dmzhpx3 2df4pzbw\\kpas9_w6uni.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\dmZhPX3 2DF4PZBW\\KPas9_W6unI.bmp.5BC1CD6D8AC14ACE37284DA505788B9457F95BE15A31FE33441433A8887AF62F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\p8vnb3ngvtyiwbup\\dmzhpx3 2df4pzbw\\kpas9_w6uni.bmp.5bc1cd6d8ac14ace37284da505788b9457f95be15a31fe33441433a8887af62f")) returned 1 [0156.729] GetProcessHeap () returned 0x4c0000 [0156.729] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0156.729] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0156.762] WriteFile (in: hFile=0x19c, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0xc00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0156.764] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0156.838] CloseHandle (hObject=0x19c) returned 1 [0156.838] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\4P t0oA5awG.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\p8vnb3ngvtyiwbup\\ih7c09lxjcnh0uwz\\4p t0oa5awg.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\4P t0oA5awG.gif.5624B645869B3135D69707154B50D11EE3429E759D73DFF8C3D8F300D187404D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\p8vnb3ngvtyiwbup\\ih7c09lxjcnh0uwz\\4p t0oa5awg.gif.5624b645869b3135d69707154b50d11ee3429e759d73dff8c3d8f300d187404d")) returned 1 [0156.840] GetProcessHeap () returned 0x4c0000 [0156.840] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0156.840] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0156.922] WriteFile (in: hFile=0x19c, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0156.924] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0156.997] WriteFile (in: hFile=0x1b8, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0156.998] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0157.107] CloseHandle (hObject=0x1b8) returned 1 [0157.107] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\a86HpvdZe.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\p8vnb3ngvtyiwbup\\ih7c09lxjcnh0uwz\\6wlucpjly3zpavew2\\a86hpvdze.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\P8vNB3ngVTYiwbuP\\Ih7C09LXjCNH0UwZ\\6wlUcPJLY3ZPAVew2\\a86HpvdZe.png.045EE30BCD57CE94CB24CFF972EB9B21BD88574CA2BB54380A46BE8D7C7A736F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\p8vnb3ngvtyiwbup\\ih7c09lxjcnh0uwz\\6wlucpjly3zpavew2\\a86hpvdze.png.045ee30bcd57ce94cb24cff972eb9b21bd88574ca2bb54380a46be8d7c7a736f")) returned 1 [0157.109] GetProcessHeap () returned 0x4c0000 [0157.109] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0157.109] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0157.161] WriteFile (in: hFile=0x1b8, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0157.163] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0157.297] CloseHandle (hObject=0x18c) returned 1 [0157.299] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx\\8XYTGuVrYgHYJkrZbL.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\syqp4isox\\8xytguvryghyjkrzbl.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\juol4xTqVzS0BOezLm\\SyqP4isOx\\8XYTGuVrYgHYJkrZbL.jpg.34A2DECD2B3D6F0800D430CF1B0FC24F19396E2CE86BA0670E54A291135DE60F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\juol4xtqvzs0boezlm\\syqp4isox\\8xytguvryghyjkrzbl.jpg.34a2decd2b3d6f0800d430cf1b0fc24f19396e2ce86ba0670e54a291135de60f")) returned 1 [0157.300] GetProcessHeap () returned 0x4c0000 [0157.300] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0157.300] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0157.348] WriteFile (in: hFile=0x18c, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0157.350] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0157.447] WriteFile (in: hFile=0x18c, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0157.576] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0157.623] CloseHandle (hObject=0x120) returned 1 [0157.625] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\OcbYHyD3phaFfngD.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\ocbyhyd3phaffngd.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_DGkrO4j3 3\\OcbYHyD3phaFfngD.jpg.E7F6EDA291164DEF30F9C30357C05351FCF97BA406EF21CC5494DF7B7C92D56B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_dgkro4j3 3\\ocbyhyd3phaffngd.jpg.e7f6eda291164def30f9c30357c05351fcf97ba406ef21cc5494df7b7c92d56b")) returned 1 [0157.626] GetProcessHeap () returned 0x4c0000 [0157.626] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0157.626] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0157.695] CloseHandle (hObject=0x124) returned 1 [0157.696] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\55I6lGhTT.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\55i6lghtt.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\55I6lGhTT.mp4.8AED37AA523ACBF06500DF4B3785C277535FF62F90440A2822BA231910C80856" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\55i6lghtt.mp4.8aed37aa523acbf06500df4b3785c277535ff62f90440a2822ba231910c80856")) returned 1 [0157.697] GetProcessHeap () returned 0x4c0000 [0157.697] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0157.698] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0157.768] WriteFile (in: hFile=0x124, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0157.778] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0157.850] CloseHandle (hObject=0x124) returned 1 [0157.852] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9JRQNP8d3dIHn.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9jrqnp8d3dihn.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9JRQNP8d3dIHn.flv.B10D3A7CB7C926F3AB8893C177686A5D3CEF7C1F7206299DE1EEA26E3A497F5D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9jrqnp8d3dihn.flv.b10d3a7cb7c926f3ab8893c177686a5d3cef7c1f7206299de1eea26e3a497f5d")) returned 1 [0157.853] GetProcessHeap () returned 0x4c0000 [0157.853] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0157.853] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0157.933] WriteFile (in: hFile=0x124, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0157.969] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0158.050] CloseHandle (hObject=0x124) returned 1 [0158.051] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\b8mBCsoWCFI.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\b8mbcsowcfi.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\b8mBCsoWCFI.mkv.8FB051A7CA677D4601C181C0163454E33B17CA3B13DDA5DA8B80EAA1BFA73170" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\b8mbcsowcfi.mkv.8fb051a7ca677d4601c181c0163454e33b17ca3b13dda5da8b80eaa1bfa73170")) returned 1 [0158.052] GetProcessHeap () returned 0x4c0000 [0158.052] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0158.052] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0158.125] CloseHandle (hObject=0x124) returned 1 [0158.127] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\BIYLkslvs tyqIDlX0.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\biylkslvs tyqidlx0.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\BIYLkslvs tyqIDlX0.avi.5158D9136689813811E31C99264C0F0C1DE961C11BEAA55245520554A635AA1A" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\biylkslvs tyqidlx0.avi.5158d9136689813811e31c99264c0f0c1de961c11beaa55245520554a635aa1a")) returned 1 [0158.129] GetProcessHeap () returned 0x4c0000 [0158.129] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0158.129] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0158.165] WriteFile (in: hFile=0x124, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x1600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0158.167] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0158.243] CloseHandle (hObject=0x124) returned 1 [0158.245] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\GOVWhH0SJQ5f5.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\govwhh0sjq5f5.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\GOVWhH0SJQ5f5.avi.FFA5CF19536108D7D44AEEC68B95370E1099D544F7560E1EB15AD35AC80B1425" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\govwhh0sjq5f5.avi.ffa5cf19536108d7d44aeec68b95370e1099d544f7560e1eb15ad35ac80b1425")) returned 1 [0158.246] GetProcessHeap () returned 0x4c0000 [0158.246] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0158.246] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0158.314] WriteFile (in: hFile=0x124, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0158.316] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0158.368] CloseHandle (hObject=0x124) returned 1 [0158.369] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\MVSVc7SIy.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\mvsvc7siy.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\MVSVc7SIy.mp4.EADC4701A813E79863D52E938AF56749C40F30007E597397569A298F4D76D60D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\mvsvc7siy.mp4.eadc4701a813e79863d52e938af56749c40f30007e597397569a298f4d76d60d")) returned 1 [0158.371] GetProcessHeap () returned 0x4c0000 [0158.371] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0158.371] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0158.402] WriteFile (in: hFile=0x124, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0158.404] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0158.454] CloseHandle (hObject=0x184) returned 1 [0158.455] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\-aDcN73SPkoNchDDC.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\-adcn73spkonchddc.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\-aDcN73SPkoNchDDC.mkv.C508D02A5361F554786E2A24D4F8A04FE492BF7ED4FF6B34FD8C569DE7F7CC7C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\-adcn73spkonchddc.mkv.c508d02a5361f554786e2a24d4f8a04fe492bf7ed4ff6b34fd8c569de7f7cc7c")) returned 1 [0158.456] GetProcessHeap () returned 0x4c0000 [0158.456] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0158.456] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0158.494] WriteFile (in: hFile=0x184, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x1e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0158.498] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0158.574] WriteFile (in: hFile=0x184, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0158.576] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0158.714] CloseHandle (hObject=0x184) returned 1 [0158.715] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\JGKa1oEpsvS.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\jgka1oepsvs.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\JGKa1oEpsvS.swf.01F86CEBB26261B359BC90FE3158CC3C6F779B89D33C43B2829708BB60FEF40E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\jgka1oepsvs.swf.01f86cebb26261b359bc90fe3158cc3c6f779b89d33c43b2829708bb60fef40e")) returned 1 [0158.716] GetProcessHeap () returned 0x4c0000 [0158.716] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0158.716] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0158.774] WriteFile (in: hFile=0x184, lpBuffer=0x522abc*, nNumberOfBytesToWrite=0x6400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 1 [0158.776] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0158.933] WriteFile (in: hFile=0x18c, lpBuffer=0x54bb14, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 0x0 [0159.176] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0160.785] CloseHandle (hObject=0x120) returned 1 [0160.786] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\ExjYex.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\exjyex.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\ExjYex.swf.F73ABE9D767D3F13DF23A6AAB35B2C4974B96C39852EE49A5BA4B9F3B5EB6E51" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\exjyex.swf.f73abe9d767d3f13df23a6aab35b2c4974b96c39852ee49a5ba4b9f3b5eb6e51")) returned 1 [0160.787] GetProcessHeap () returned 0x4c0000 [0160.787] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0160.787] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0160.815] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0160.815] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0160.889] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x5600, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0160.889] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0161.008] WriteFile (in: hFile=0x18c, lpBuffer=0x54bb14, nNumberOfBytesToWrite=0x6a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 0x0 [0161.013] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0161.041] ReadFile (in: hFile=0x18c, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0161.041] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0161.092] CloseHandle (hObject=0x18c) returned 1 [0161.093] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\KRaEwd7cS3S2.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\kraewd7cs3s2.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\N9YU-4QR67BlXD\\KRaEwd7cS3S2.mkv.CDB57AE168715894A95F1A324800C463316EA555EF48BD2BEEC56A678436A019" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\n9yu-4qr67blxd\\kraewd7cs3s2.mkv.cdb57ae168715894a95f1a324800c463316ea555ef48bd2beec56a678436a019")) returned 1 [0161.094] GetProcessHeap () returned 0x4c0000 [0161.094] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0161.094] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0161.113] ReadFile (in: hFile=0x120, lpBuffer=0x54bb14, nNumberOfBytesToRead=0xe00, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0161.123] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0161.151] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x5800, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0161.151] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0161.215] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0161.215] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0161.287] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0161.287] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0161.369] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0161.416] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0161.476] ReadFile (in: hFile=0x120, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0161.524] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0161.563] ReadFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0161.563] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0161.641] ReadFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToRead=0x3400, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0161.641] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0161.716] ReadFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0161.778] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0161.808] ReadFile (in: hFile=0x120, lpBuffer=0x54bb14, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52bae0) returned 1 [0161.808] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0162.799] CloseHandle (hObject=0x120) returned 1 [0162.815] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\RfJ-z.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\rfj-z.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PC2jgCOVtBpyatg1ezC\\RfJ-z.flv.F77185A92B64212A287C5CA85FC58AF0002C0ABBDD581248BDC34B5DB097FC16" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pc2jgcovtbpyatg1ezc\\rfj-z.flv.f77185a92b64212a287c5ca85fc58af0002c0abbdd581248bdc34b5db097fc16")) returned 1 [0162.816] GetProcessHeap () returned 0x4c0000 [0162.816] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0162.817] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0162.858] WriteFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0162.863] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0162.909] CloseHandle (hObject=0x124) returned 1 [0162.910] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uSXXvNIFbDtizULs74vR.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\usxxvnifbdtizuls74vr.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uSXXvNIFbDtizULs74vR.swf.C01F70C02487FED6C8C8F043A09F4251354C3BC38BC54EC3508A5C796AA5E80E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\usxxvnifbdtizuls74vr.swf.c01f70c02487fed6c8c8f043a09f4251354c3bc38bc54ec3508a5c796aa5e80e")) returned 1 [0162.911] GetProcessHeap () returned 0x4c0000 [0162.911] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x553b30 | out: hHeap=0x4c0000) returned 1 [0162.911] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0163.883] WriteFile (in: hFile=0x120, lpBuffer=0x3c2007c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 0x0 [0163.884] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0163.941] ReadFile (in: hFile=0x178, lpBuffer=0x3b700ec, nNumberOfBytesToRead=0x7000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b500b8 | out: lpBuffer=0x3b700ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b500b8) returned 1 [0163.941] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0164.010] ReadFile (in: hFile=0x1d0, lpBuffer=0x3b9813c, nNumberOfBytesToRead=0x7000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b78108 | out: lpBuffer=0x3b9813c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b78108) returned 1 [0164.010] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0164.157] WriteFile (in: hFile=0x180, lpBuffer=0x3b4809c, nNumberOfBytesToWrite=0x7000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b28068 | out: lpBuffer=0x3b4809c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b28068) returned 0x0 [0164.347] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0164.424] CloseHandle (hObject=0x128) returned 1 [0164.425] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\webslices~\\web slice gallery~.feed-ms"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms.E5B01ADF7D245574609B3AF4744A745D09BF84765BF01B208BF590247A9E1D4C" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\webslices~\\web slice gallery~.feed-ms.e5b01adf7d245574609b3af4744a745d09bf84765bf01b208bf590247a9e1d4c")) returned 1 [0164.427] GetProcessHeap () returned 0x4c0000 [0164.427] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0164.430] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0164.486] WriteFile (in: hFile=0x1b8, lpBuffer=0x3c480cc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098) returned 0x0 [0164.488] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0164.493] CloseHandle (hObject=0x120) returned 1 [0164.494] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\IconCache.db" (normalized: "c:\\users\\default\\appdata\\local\\iconcache.db"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\IconCache.db.74178E44FB9C10E8DBDB9BA838D2210871D6BAC599F26123DFF6F1FC972B4B4F" (normalized: "c:\\users\\default\\appdata\\local\\iconcache.db.74178e44fb9c10e8dbdb9ba838d2210871d6bac599f26123dff6f1fc972b4b4f")) returned 1 [0164.495] GetProcessHeap () returned 0x4c0000 [0164.495] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0164.498] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0164.573] ReadFile (in: hFile=0x1d0, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x2e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0164.574] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0164.579] CloseHandle (hObject=0x1b8) returned 1 [0164.725] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\index.dat"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat.4D4044399C558D37882961B5002E6B9ACACAA5AD6B70147630DE73169877013C" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\index.dat.4d4044399c558d37882961b5002e6b9acacaa5ad6b70147630de73169877013c")) returned 1 [0164.726] GetProcessHeap () returned 0x4c0000 [0164.726] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0164.729] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0164.744] ReadFile (in: hFile=0x180, lpBuffer=0x3b700ec, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b500b8 | out: lpBuffer=0x3b700ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b500b8) returned 1 [0164.744] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0164.787] WriteFile (in: hFile=0x180, lpBuffer=0x3b700ec, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b500b8 | out: lpBuffer=0x3b700ec, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b500b8) returned 0x0 [0164.789] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0164.848] ReadFile (in: hFile=0x1b8, lpBuffer=0x3c480cc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098) returned 1 [0164.849] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0164.879] WriteFile (in: hFile=0x1b8, lpBuffer=0x3c480cc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098) returned 0x0 [0164.879] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0164.902] ReadFile (in: hFile=0xec, lpBuffer=0x3b4809c, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b28068 | out: lpBuffer=0x3b4809c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b28068) returned 1 [0164.902] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0164.904] WriteFile (in: hFile=0xec, lpBuffer=0x3b4809c, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b28068 | out: lpBuffer=0x3b4809c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b28068) returned 0x0 [0164.904] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0164.950] ReadFile (in: hFile=0x1d4, lpBuffer=0x3b9813c, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b78108 | out: lpBuffer=0x3b9813c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b78108) returned 1 [0164.950] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0164.955] WriteFile (in: hFile=0x154, lpBuffer=0x54bb14, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0 | out: lpBuffer=0x54bb14, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52bae0) returned 0x0 [0164.955] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0165.024] CloseHandle (hObject=0x1d0) returned 1 [0165.027] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\internet explorer\\brndlog.bak"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak.B429B0A62933CD39D062CB19F943B035CCCE0E139ABC3F9F548AA79E90D3C34B" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\internet explorer\\brndlog.bak.b429b0a62933cd39d062cb19f943b035ccce0e139abc3f9f548aa79e90d3c34b")) returned 1 [0165.028] GetProcessHeap () returned 0x4c0000 [0165.028] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0165.031] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0165.033] CloseHandle (hObject=0x180) returned 1 [0165.034] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\currentdatabase_372.wmdb"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb.7B8E6CF5A0A184ABD2813C9764CD3DE0CAB68626E11969CD52C476D2CF0F0754" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\currentdatabase_372.wmdb.7b8e6cf5a0a184abd2813c9764cd3de0cab68626e11969cd52c476d2cf0f0754")) returned 1 [0165.035] GetProcessHeap () returned 0x4c0000 [0165.035] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b500b8 | out: hHeap=0x4c0000) returned 1 [0165.035] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0165.036] CloseHandle (hObject=0x1b8) returned 1 [0165.038] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\localmls_3.wmdb"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb.4AC4D68B02A930D59D5147DEAB39313E8B13D27EFF1C407012CD1DF94DE65A06" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\localmls_3.wmdb.4ac4d68b02a930d59d5147deab39313e8b13d27eff1c407012cd1df94de65a06")) returned 1 [0165.038] GetProcessHeap () returned 0x4c0000 [0165.038] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0165.039] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0165.070] ReadFile (in: hFile=0x1c0, lpBuffer=0x3cba17c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c9a148 | out: lpBuffer=0x3cba17c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c9a148) returned 1 [0165.072] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0165.103] ReadFile (in: hFile=0x1b8, lpBuffer=0x3b700ec, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b500b8 | out: lpBuffer=0x3b700ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b500b8) returned 1 [0165.106] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0165.137] ReadFile (in: hFile=0x180, lpBuffer=0x522abc, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0165.142] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0165.172] CloseHandle (hObject=0x154) returned 1 [0165.173] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\03_music_rated_at_4_or_5_stars.wpl"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl.0DB5709847CD8FB33E7FBAA9D612DA16B4004C5F6CD276D0B9A78C2D04E4200C" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\03_music_rated_at_4_or_5_stars.wpl.0db5709847cd8fb33e7fbaa9d612da16b4004c5f6cd276d0b9a78c2d04e4200c")) returned 1 [0165.187] GetProcessHeap () returned 0x4c0000 [0165.188] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52bae0 | out: hHeap=0x4c0000) returned 1 [0165.188] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0165.188] CloseHandle (hObject=0x1d4) returned 1 [0165.215] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\02_music_added_in_the_last_month.wpl"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl.BDE32426CD647D698C8B97A2EBA989848D014046D77DCD5CC11D77068C654D38" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\02_music_added_in_the_last_month.wpl.bde32426cd647d698c8b97a2eba989848d014046d77dcd5cc11d77068c654d38")) returned 1 [0165.237] GetProcessHeap () returned 0x4c0000 [0165.238] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b78108 | out: hHeap=0x4c0000) returned 1 [0165.238] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0165.361] ReadFile (in: hFile=0x1d8, lpBuffer=0x3c480cc, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098) returned 1 [0165.361] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0165.363] WriteFile (in: hFile=0x1d8, lpBuffer=0x3c480cc, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098) returned 0x0 [0165.364] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0165.390] WriteFile (in: hFile=0x1d4, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0165.392] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0165.448] CloseHandle (hObject=0x194) returned 1 [0165.450] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\11_all_pictures.wpl"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl.222591E9FCB5F4C385F62F85306A72371328406258CB7BD147110522AA1FF50E" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\11_all_pictures.wpl.222591e9fcb5f4c385f62f85306a72371328406258cb7bd147110522aa1ff50e")) returned 1 [0165.451] GetProcessHeap () returned 0x4c0000 [0165.451] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0165.451] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0165.546] ReadFile (in: hFile=0x194, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0165.546] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0165.548] WriteFile (in: hFile=0x194, lpBuffer=0x3c2007c, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c00048) returned 0x0 [0165.550] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0165.551] WriteFile (in: hFile=0x1d4, lpBuffer=0x3c480cc, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098) returned 0x0 [0165.552] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0165.782] CloseHandle (hObject=0x1d8) returned 1 [0165.785] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\account{af0db737-2ef9-4633-bf5e-1a6761ed1577}.oeaccount"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount.08C345A9533CBCB89FD0CBB46E1B5DDAD10E30DF13B4EBE9D96F45F1FF79D451" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\account{af0db737-2ef9-4633-bf5e-1a6761ed1577}.oeaccount.08c345a9533cbcb89fd0cbb46e1b5ddad10e30df13b4ebe9d96f45f1ff79d451")) returned 1 [0165.786] GetProcessHeap () returned 0x4c0000 [0165.787] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c720f8 | out: hHeap=0x4c0000) returned 1 [0165.787] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0166.249] CloseHandle (hObject=0x19c) returned 1 [0166.251] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\bears.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg.86DFCF04FAA834B3525619B57BACD18DD28D4DA68ABA15577796B4EDF0E08A78" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\bears.jpg.86dfcf04faa834b3525619b57bacd18dd28d4da68aba15577796b4edf0e08a78")) returned 1 [0166.252] GetProcessHeap () returned 0x4c0000 [0166.252] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0166.252] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0166.259] WriteFile (in: hFile=0x1c0, lpBuffer=0x3cba17c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c9a148 | out: lpBuffer=0x3cba17c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c9a148) returned 1 [0166.411] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0166.476] WriteFile (in: hFile=0x178, lpBuffer=0x572b5c, nNumberOfBytesToWrite=0x1800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x552b28 | out: lpBuffer=0x572b5c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x552b28) returned 0x0 [0166.477] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0166.483] ReadFile (in: hFile=0x1c0, lpBuffer=0x3cba17c, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c9a148 | out: lpBuffer=0x3cba17c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c9a148) returned 1 [0166.484] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0166.491] WriteFile (in: hFile=0x1c0, lpBuffer=0x3cba17c, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c9a148 | out: lpBuffer=0x3cba17c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c9a148) returned 0x0 [0166.492] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0166.507] ReadFile (in: hFile=0xec, lpBuffer=0x3c9212c, nNumberOfBytesToRead=0x1200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8) returned 1 [0166.508] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0166.513] WriteFile (in: hFile=0xec, lpBuffer=0x3c9212c, nNumberOfBytesToWrite=0x1200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8) returned 0x0 [0166.516] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0166.539] ReadFile (in: hFile=0x1b8, lpBuffer=0x3b4809c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b28068 | out: lpBuffer=0x3b4809c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b28068) returned 1 [0166.540] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0166.550] CloseHandle (hObject=0x1b8) returned 1 [0166.551] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\softblue.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg.F94CB12F218AE629515E9157E8DD73A86964247CF434DAE76F3FF3CFD3A68416" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\softblue.jpg.f94cb12f218ae629515e9157e8dd73a86964247cf434dae76f3ff3cfd3a68416")) returned 1 [0166.592] GetProcessHeap () returned 0x4c0000 [0166.592] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b28068 | out: hHeap=0x4c0000) returned 1 [0166.594] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0166.740] ReadFile (in: hFile=0x128, lpBuffer=0x3c480cc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c28098) returned 1 [0166.740] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0166.793] WriteFile (in: hFile=0x128, lpBuffer=0x3c480cc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098) returned 0x0 [0166.794] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0166.880] ReadFile (in: hFile=0x1d8, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x2600, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0166.898] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0166.936] CloseHandle (hObject=0x1b8) returned 1 [0167.032] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\windowsmail.pat"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat.C3FD89E7A299F2BDE4C26AD6B1D2C10B42679043074DD4A2991D3EE1C0C7682D" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\windowsmail.pat.c3fd89e7a299f2bde4c26ad6b1d2c10b42679043074dd4a2991d3ee1c0c7682d")) returned 1 [0167.035] GetProcessHeap () returned 0x4c0000 [0167.035] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c720f8 | out: hHeap=0x4c0000) returned 1 [0167.036] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0167.381] CloseHandle (hObject=0xec) returned 1 [0167.382] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows media player.lnk"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk.62DADB350E3A1F48F350A8271040714F314713386E5B1BE2B92672A53E4A382C" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows media player.lnk.62dadb350e3a1f48f350a8271040714f314713386e5b1be2b92672a53e4a382c")) returned 1 [0167.384] GetProcessHeap () returned 0x4c0000 [0167.384] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0167.384] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0167.940] ReadFile (in: hFile=0x128, lpBuffer=0x572b5c, nNumberOfBytesToRead=0x800, lpNumberOfBytesRead=0x0, lpOverlapped=0x552b28 | out: lpBuffer=0x572b5c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x552b28) returned 1 [0167.940] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0167.948] WriteFile (in: hFile=0x128, lpBuffer=0x572b5c*, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x552b28 | out: lpBuffer=0x572b5c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x552b28) returned 1 [0167.950] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0167.950] CloseHandle (hObject=0x128) returned 1 [0167.951] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Desktop\\Google Chrome.lnk" (normalized: "c:\\users\\public\\desktop\\google chrome.lnk"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Desktop\\Google Chrome.lnk.C1F3AF5DBA98FCAE0F40158079C71D210EFF445FBCF09655DF9CF7B13C463D49" (normalized: "c:\\users\\public\\desktop\\google chrome.lnk.c1f3af5dba98fcae0f40158079c71d210eff445fbcf09655df9cf7b13c463d49")) returned 1 [0167.952] GetProcessHeap () returned 0x4c0000 [0167.952] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x552b28 | out: hHeap=0x4c0000) returned 1 [0167.952] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0167.967] WriteFile (in: hFile=0x190, lpBuffer=0x54ab0c*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52aad8 | out: lpBuffer=0x54ab0c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52aad8) returned 1 [0167.967] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0167.968] CloseHandle (hObject=0x190) returned 1 [0167.969] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Desktop\\Adobe Reader X.lnk" (normalized: "c:\\users\\public\\desktop\\adobe reader x.lnk"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Desktop\\Adobe Reader X.lnk.B5F19427FC5DFABB0B7C8AACDD2F30BC2FCA1E0C771A312DC1879FEEDCE52263" (normalized: "c:\\users\\public\\desktop\\adobe reader x.lnk.b5f19427fc5dfabb0b7c8aacdd2f30bc2fca1e0c771a312dc1879feedce52263")) returned 1 [0167.970] GetProcessHeap () returned 0x4c0000 [0167.970] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52aad8 | out: hHeap=0x4c0000) returned 1 [0167.970] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0167.999] CloseHandle (hObject=0x19c) returned 1 [0168.003] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms"), lpNewFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.72FF7FBA0B7847DBE6CCE6F5192142EEB0A249FCF92E8ABF8AD29DA8877F1756" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms.72ff7fba0b7847dbe6cce6f5192142eeb0a249fcf92e8abf8ad29da8877f1756")) returned 1 [0168.004] GetProcessHeap () returned 0x4c0000 [0168.004] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0168.005] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0168.007] ReadFile (in: hFile=0x18c, lpBuffer=0x3b4809c, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b28068 | out: lpBuffer=0x3b4809c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b28068) returned 1 [0168.007] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0168.009] WriteFile (in: hFile=0x18c, lpBuffer=0x3b4809c, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b28068 | out: lpBuffer=0x3b4809c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b28068) returned 0x0 [0168.010] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0168.081] ReadFile (in: hFile=0x1d8, lpBuffer=0x3c9212c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8) returned 1 [0168.081] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0168.082] WriteFile (in: hFile=0x1d8, lpBuffer=0x3c9212c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8) returned 1 [0168.084] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0168.084] CloseHandle (hObject=0x1d8) returned 1 [0168.085] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms.69E5FDBCE5EEB6B2F3C392E8EAC977443F6410C66F9B46A01A670AF00B34076C" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms.69e5fdbce5eeb6b2f3c392e8eac977443f6410c66f9b46a01a670af00b34076c")) returned 1 [0168.086] GetProcessHeap () returned 0x4c0000 [0168.086] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c720f8 | out: hHeap=0x4c0000) returned 1 [0168.086] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0168.121] CloseHandle (hObject=0xec) returned 1 [0168.122] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms"), lpNewFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.4EEA3C6ACF0F5473573824852F2F602873F7F992804E134E6FE569D8559A6B69" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms.4eea3c6acf0f5473573824852f2f602873f7f992804e134e6fe569d8559a6b69")) returned 1 [0168.124] GetProcessHeap () returned 0x4c0000 [0168.124] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0168.125] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0168.139] ReadFile (in: hFile=0x19c, lpBuffer=0x3c9212c, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8) returned 1 [0168.140] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0168.173] ReadFile (in: hFile=0xec, lpBuffer=0x3cba17c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c9a148 | out: lpBuffer=0x3cba17c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c9a148) returned 1 [0168.173] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0168.222] WriteFile (in: hFile=0xec, lpBuffer=0x3cba17c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c9a148 | out: lpBuffer=0x3cba17c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c9a148) returned 0x0 [0168.223] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0168.259] ReadFile (in: hFile=0x184, lpBuffer=0x3b700ec, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b500b8 | out: lpBuffer=0x3b700ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3b500b8) returned 1 [0168.259] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0168.308] WriteFile (in: hFile=0x184, lpBuffer=0x3b700ec, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b500b8 | out: lpBuffer=0x3b700ec, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3b500b8) returned 0x0 [0168.309] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0168.323] CloseHandle (hObject=0x18c) returned 1 [0168.324] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk" (normalized: "c:\\users\\public\\desktop\\mozilla firefox.lnk"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk.19B2C5CA23701EC64680B6DC661D65EE9CCA1B48330FB1DB076DB40A4E84CD78" (normalized: "c:\\users\\public\\desktop\\mozilla firefox.lnk.19b2c5ca23701ec64680b6dc661d65ee9cca1b48330fb1db076db40a4e84cd78")) returned 1 [0168.326] GetProcessHeap () returned 0x4c0000 [0168.326] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b28068 | out: hHeap=0x4c0000) returned 1 [0168.326] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0168.328] CloseHandle (hObject=0x19c) returned 1 [0168.330] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\desktop.ini" (normalized: "c:\\users\\public\\music\\sample music\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\desktop.ini.06AAA68ECAB0FAA6FFFDE68EFCA50D86D4241C980CDB22475441D519774D7F60" (normalized: "c:\\users\\public\\music\\sample music\\desktop.ini.06aaa68ecab0faa6fffde68efca50d86d4241c980cdb22475441d519774d7f60")) returned 1 [0168.331] GetProcessHeap () returned 0x4c0000 [0168.331] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c720f8 | out: hHeap=0x4c0000) returned 1 [0168.336] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0168.509] ReadFile (in: hFile=0x19c, lpBuffer=0x3c9212c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8) returned 1 [0168.595] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0168.597] CloseHandle (hObject=0x184) returned 1 [0168.597] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3" (normalized: "c:\\users\\public\\music\\sample music\\maid with the flaxen hair.mp3"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3.3E1D55EDB7FAC846D2FB66901C47A2C47A640980818408577E2A48469FEFE860" (normalized: "c:\\users\\public\\music\\sample music\\maid with the flaxen hair.mp3.3e1d55edb7fac846d2fb66901c47a2c47a640980818408577e2a48469fefe860")) returned 1 [0168.598] GetProcessHeap () returned 0x4c0000 [0168.598] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b500b8 | out: hHeap=0x4c0000) returned 1 [0168.598] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0168.601] CloseHandle (hObject=0x190) returned 1 [0168.602] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3" (normalized: "c:\\users\\public\\music\\sample music\\sleep away.mp3"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3.F104DCF4E259131248C3AD20FCD7C9C9E44410AF0E883287E2F83FB98D4DF677" (normalized: "c:\\users\\public\\music\\sample music\\sleep away.mp3.f104dcf4e259131248c3ad20fcd7c9c9e44410af0e883287e2f83fb98d4df677")) returned 1 [0168.603] GetProcessHeap () returned 0x4c0000 [0168.603] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b78108 | out: hHeap=0x4c0000) returned 1 [0168.603] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0168.604] CloseHandle (hObject=0xec) returned 1 [0168.605] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\chrysanthemum.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg.03803BA17851DE8C40B33E9BF9F65C462D763DF60D881DD12C5669376BFF8C4E" (normalized: "c:\\users\\public\\pictures\\sample pictures\\chrysanthemum.jpg.03803ba17851de8c40b33e9bf9f65c462d763df60d881dd12c5669376bff8c4e")) returned 1 [0168.606] GetProcessHeap () returned 0x4c0000 [0168.606] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3b28068 | out: hHeap=0x4c0000) returned 1 [0168.606] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0168.608] CloseHandle (hObject=0x19c) returned 1 [0168.609] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\desert.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg.692A55DE63912B8D8FC825F077AEB4893F274F02C2BF0154B29AFBECFD216C19" (normalized: "c:\\users\\public\\pictures\\sample pictures\\desert.jpg.692a55de63912b8d8fc825f077aeb4893f274f02c2bf0154b29afbecfd216c19")) returned 1 [0168.610] GetProcessHeap () returned 0x4c0000 [0168.610] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c720f8 | out: hHeap=0x4c0000) returned 1 [0168.610] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0168.621] ReadFile (in: hFile=0x18c, lpBuffer=0x3cba17c, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c9a148 | out: lpBuffer=0x3cba17c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c9a148) returned 1 [0168.621] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0168.673] WriteFile (in: hFile=0x19c, lpBuffer=0x3c9212c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8) returned 0x0 [0168.674] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0168.720] ReadFile (in: hFile=0xec, lpBuffer=0x3c2007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048 | out: lpBuffer=0x3c2007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c00048) returned 1 [0168.720] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0168.795] WriteFile (in: hFile=0x190, lpBuffer=0x3c480cc*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098 | out: lpBuffer=0x3c480cc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c28098) returned 1 [0168.796] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0168.808] CloseHandle (hObject=0x18c) returned 1 [0168.809] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\desktop.ini" (normalized: "c:\\users\\public\\pictures\\sample pictures\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\desktop.ini.01A32940727E766804041C9B63B2EA42AE0405AB87C86108490529EE61D9AF28" (normalized: "c:\\users\\public\\pictures\\sample pictures\\desktop.ini.01a32940727e766804041c9b63b2ea42ae0405ab87c86108490529ee61d9af28")) returned 1 [0168.811] GetProcessHeap () returned 0x4c0000 [0168.811] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c9a148 | out: hHeap=0x4c0000) returned 1 [0168.811] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0168.813] CloseHandle (hObject=0x19c) returned 1 [0168.814] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\hydrangeas.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.004841F29E7197713E0A761DF067C1CA417DF1A5E157CE127BA1F327F7411E7A" (normalized: "c:\\users\\public\\pictures\\sample pictures\\hydrangeas.jpg.004841f29e7197713e0a761df067c1ca417df1a5e157ce127ba1f327f7411e7a")) returned 1 [0168.815] GetProcessHeap () returned 0x4c0000 [0168.815] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c720f8 | out: hHeap=0x4c0000) returned 1 [0168.815] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0168.817] CloseHandle (hObject=0xec) returned 1 [0168.818] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\jellyfish.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.7433B8A163EA0D77451EFE04063D93102EF4C604E103CEFC4BEF9D6228D05960" (normalized: "c:\\users\\public\\pictures\\sample pictures\\jellyfish.jpg.7433b8a163ea0d77451efe04063d93102ef4c604e103cefc4bef9d6228d05960")) returned 1 [0168.819] GetProcessHeap () returned 0x4c0000 [0168.819] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c00048 | out: hHeap=0x4c0000) returned 1 [0168.819] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0168.864] CloseHandle (hObject=0x190) returned 1 [0168.865] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\koala.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg.E20B953BA942833D9C35FF7A14569A6FB25A03B4DA6BB263B8E43DA70F7D875C" (normalized: "c:\\users\\public\\pictures\\sample pictures\\koala.jpg.e20b953ba942833d9c35ff7a14569a6fb25a03b4da6bb263b8e43da70f7d875c")) returned 1 [0168.866] GetProcessHeap () returned 0x4c0000 [0168.866] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c28098 | out: hHeap=0x4c0000) returned 1 [0168.866] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0168.869] ReadFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x502a88) returned 1 [0168.869] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0168.905] WriteFile (in: hFile=0x184, lpBuffer=0x522abc, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88 | out: lpBuffer=0x522abc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x502a88) returned 0x0 [0168.931] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0168.934] ReadFile (in: hFile=0x190, lpBuffer=0x3c9212c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8) returned 1 [0168.934] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0168.986] WriteFile (in: hFile=0x190, lpBuffer=0x3c9212c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8) returned 0x0 [0168.986] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0169.001] ReadFile (in: hFile=0xec, lpBuffer=0x3cba17c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c9a148 | out: lpBuffer=0x3cba17c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c9a148) returned 1 [0169.002] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0169.037] WriteFile (in: hFile=0xec, lpBuffer=0x3cba17c, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c9a148 | out: lpBuffer=0x3cba17c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c9a148) returned 0x0 [0169.038] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0169.086] ReadFile (in: hFile=0x19c, lpBuffer=0x54ab0c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x52aad8 | out: lpBuffer=0x54ab0c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x52aad8) returned 1 [0169.086] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0169.115] WriteFile (in: hFile=0x19c, lpBuffer=0x54ab0c*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52aad8 | out: lpBuffer=0x54ab0c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x52aad8) returned 1 [0169.116] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0169.121] CloseHandle (hObject=0x184) returned 1 [0169.122] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\lighthouse.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg.12B725DADE7902311C2E5F5556DEB7AAB50BA11AA6A6C6D84E3A0727F9DC394F" (normalized: "c:\\users\\public\\pictures\\sample pictures\\lighthouse.jpg.12b725dade7902311c2e5f5556deb7aab50ba11aa6a6c6d84e3a0727f9dc394f")) returned 1 [0169.123] GetProcessHeap () returned 0x4c0000 [0169.123] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x502a88 | out: hHeap=0x4c0000) returned 1 [0169.123] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0169.125] CloseHandle (hObject=0x190) returned 1 [0169.126] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\penguins.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg.6755466ACFCDE74A824A346808420A21E85BEE7CD17AA528245740CC1F803412" (normalized: "c:\\users\\public\\pictures\\sample pictures\\penguins.jpg.6755466acfcde74a824a346808420a21e85bee7cd17aa528245740cc1f803412")) returned 1 [0169.127] GetProcessHeap () returned 0x4c0000 [0169.127] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c720f8 | out: hHeap=0x4c0000) returned 1 [0169.127] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0169.129] CloseHandle (hObject=0xec) returned 1 [0169.130] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\tulips.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg.A6E0806DD9D79CC16DF6F3E567F920F4943F9F797C87BD8908CDF8DE01DDBC36" (normalized: "c:\\users\\public\\pictures\\sample pictures\\tulips.jpg.a6e0806dd9d79cc16df6f3e567f920f4943f9f797c87bd8908cdf8de01ddbc36")) returned 1 [0169.131] GetProcessHeap () returned 0x4c0000 [0169.131] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c9a148 | out: hHeap=0x4c0000) returned 1 [0169.132] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0169.133] CloseHandle (hObject=0x19c) returned 1 [0169.134] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv" (normalized: "c:\\users\\public\\recorded tv\\sample media\\win7_scenic-demoshort_raw.wtv"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv.26621963F0047FA2921172D0F51DEE1B32CB04EBAD9C04EF28AA08DE92D3890D" (normalized: "c:\\users\\public\\recorded tv\\sample media\\win7_scenic-demoshort_raw.wtv.26621963f0047fa2921172d0f51dee1b32cb04ebad9c04ef28aa08de92d3890d")) returned 1 [0169.136] GetProcessHeap () returned 0x4c0000 [0169.136] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x52aad8 | out: hHeap=0x4c0000) returned 1 [0169.137] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0169.191] ReadFile (in: hFile=0xec, lpBuffer=0x3c9212c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3c720f8) returned 1 [0169.191] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0169.223] WriteFile (in: hFile=0xec, lpBuffer=0x3c9212c*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8 | out: lpBuffer=0x3c9212c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3c720f8) returned 1 [0169.226] GetQueuedCompletionStatus (in: CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08) returned 1 [0169.249] CloseHandle (hObject=0xec) returned 1 [0169.253] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv" (normalized: "c:\\users\\public\\videos\\sample videos\\wildlife.wmv"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv.4CF01F7C0302742DF00B48488C85F9BCBCCDE2F0827939CE6E8C08268089171A" (normalized: "c:\\users\\public\\videos\\sample videos\\wildlife.wmv.4cf01f7c0302742df00b48488c85f9bcbccde2f0827939ce6e8c08268089171a")) returned 1 [0169.254] GetProcessHeap () returned 0x4c0000 [0169.254] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x3c720f8 | out: hHeap=0x4c0000) returned 1 [0169.255] GetQueuedCompletionStatus (CompletionPort=0x94, lpNumberOfBytesTransferred=0x2eefe10, lpCompletionKey=0x2eefe0c, lpOverlapped=0x2eefe08, dwMilliseconds=0xffffffff) Thread: id = 10 os_tid = 0x7e0 Thread: id = 11 os_tid = 0x5b8 Thread: id = 12 os_tid = 0xa48 Thread: id = 13 os_tid = 0xa98